From 084d360254a0a7400ad7527cdd14e2f9679de1f3 Mon Sep 17 00:00:00 2001 
From: erjosito Date: Mon, 24 Jun 2024 12:34:37 +0000 Subject: [PATCH] [create-pull-request] automated change --- checklists/checklist.en.master.json | 56229 ++++++++-------- checklists/security_checklist.en.json | 3338 +- checklists/security_checklist.es.json | 2995 +- checklists/security_checklist.ja.json | 2995 +- checklists/security_checklist.ko.json | 2995 +- checklists/security_checklist.pt.json | 2995 +- checklists/security_checklist.zh-Hant.json | 1669 + checklists/waf_checklist.en.json | 12672 ++-- checklists/waf_checklist.es.json | 6948 +- checklists/waf_checklist.ja.json | 8708 +-- checklists/waf_checklist.ko.json | 11232 +-- checklists/waf_checklist.pt.json | 8842 +-- checklists/waf_checklist.zh-Hant.json | 9104 +-- .../macrofree/checklist.en.master.xlsx | Bin 520716 -> 499920 bytes .../macrofree/security_checklist.en.xlsx | Bin 34519 -> 33750 bytes .../macrofree/security_checklist.es.xlsx | Bin 35641 -> 34881 bytes .../macrofree/security_checklist.ja.xlsx | Bin 38380 -> 36987 bytes .../macrofree/security_checklist.ko.xlsx | Bin 37313 -> 36529 bytes .../macrofree/security_checklist.pt.xlsx | Bin 35657 -> 34861 bytes .../macrofree/security_checklist.zh-Hant.xlsx | Bin 0 -> 35587 bytes spreadsheet/macrofree/waf_checklist.en.xlsx | Bin 189336 -> 189483 bytes spreadsheet/macrofree/waf_checklist.es.xlsx | Bin 175894 -> 176105 bytes spreadsheet/macrofree/waf_checklist.ja.xlsx | Bin 193236 -> 193031 bytes spreadsheet/macrofree/waf_checklist.ko.xlsx | Bin 187996 -> 187442 bytes spreadsheet/macrofree/waf_checklist.pt.xlsx | Bin 177593 -> 177020 bytes .../macrofree/waf_checklist.zh-Hant.xlsx | Bin 181244 -> 181339 bytes ...hecklist.en_network_counters_workbook.json | 184 +- ...en_network_counters_workbook_template.json | 2 +- ...elivery_checklist.en_network_workbook.json | 168 +- ...hecklist.en_network_workbook_template.json | 2 +- 30 files changed, 65984 insertions(+), 65094 deletions(-) create mode 100644 checklists/security_checklist.zh-Hant.json create mode 
100644 spreadsheet/macrofree/security_checklist.zh-Hant.xlsx
diff --git a/checklists/checklist.en.master.json b/checklists/checklist.en.master.json
index 4503f44ae..e1f464776 100644
--- a/checklists/checklist.en.master.json
+++ b/checklists/checklist.en.master.json
@@ -2,223 +2,48 @@ "items": [ { "category": "Operations Management", - "checklist": "Cognitive Search Review Checklist", - "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", + "checklist": "Stream Analytics Review Checklist", + "guid": "32e52e36-11c8-418b-8a0b-c511e43a18a9", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-stream_analytics_v1.docx", "services": [], "severity": "High", - "subcategory": "High Availablity", - "text": "Enable 2 replicas to have 99.9% availability for read operations", + "subcategory": "High Availablity ", + "text": "Leverage FTA Resiliency Handbook for Stream Analytics", "waf": "Reliability" }, { "category": "Operations Management", - "checklist": "Cognitive Search Review Checklist", - "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", + "checklist": "Stream Analytics Review Checklist", + "description": "Azure Stream Analytics provides high availability (99.9% SLA) for jobs and clusters within a region, the details of which are transparent to the end customer. 
If failures occur within the service, per the documentation �Azure Stream Analytics guarantees exactly once event processing and at-least-once delivery of events, so events are never lost.�", + "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a", + "link": "https://azure.microsoft.com/en-in/products/stream-analytics", "services": [], "severity": "Medium", - "subcategory": "High Availablity", - "text": "Enable 3 replicas to have 99.9% availability for read/write operations", + "subcategory": "High Availablity ", + "text": "Understand High Availability 99% SLA and use it to plan your DR strategy", "waf": "Reliability" }, { "category": "Operations Management", - "checklist": "Cognitive Search Review Checklist", - "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", - "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", - "service": "Cognitive Search", + "checklist": "Stream Analytics Review Checklist", + "description": "Azure Stream Analytics resources (jobs, clusters, etc.) are regional and do not provide automatic geo-failover. However, you can achieve geo-redundancy by deploying identical Stream Analytics jobs in multiple Azure regions. Each job connects to local input and output sources. 
It is the responsibility of your application to both send input data into the two regional inputs and reconcile between the two regional outputs.", + "guid": "fc833934-8b26-42d6-ac5f-512925498e6d", + "link": "https://learn.microsoft.com/azure/stream-analytics/geo-redundancy", "services": [], - "severity": "High", - "subcategory": "High Availablity", - "text": "Leverage Availability Zones by enabling read and/or write replicas", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Cognitive Search Review Checklist", - "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", - "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", - "service": "Cognitive Search", - "services": [ - "ACR" - ], - "severity": "Medium", - "subcategory": "Georeplication", - "text": "For regional redudancy, Manually create services in 2 or more regions for Search as it doesn't provide an automated method of replicating search indexes across geographic regions", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Cognitive Search Review Checklist", - "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", - "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", - "service": "Cognitive Search", - "services": [ - "ACR" - ], - "severity": "Medium", - "subcategory": "Georeplication", - "text": "To synchronize data across multiple services either Use indexers for updating content on multiple services or Use REST APIs for pushing content updates on multiple services", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Cognitive Search Review Checklist", - "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", - "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", - "service": "Cognitive Search", - "services": [ - "TrafficManager" - 
], - "severity": "Medium", - "subcategory": "Georeplication", - "text": "Use Azure Traffic Manager to coordinate requests", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Cognitive Search Review Checklist", - "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", - "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", - "service": "Cognitive Search", - "services": [ - "Backup", - "Storage", - "ASR" - ], - "severity": "High", - "subcategory": "Disaster Recovery", - "text": "Backup and Restore an Azure Cognitive Search Index. Use this sample code to back up index definition and snapshot to a series of Json files", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", - "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", - "service": "Entra", - "services": [ - "Entra" - ], - "severity": "Medium", - "subcategory": "Entra ID", - "text": "Use long-live revocable token, cache your token and acquire your silently using Microsoft Identity Library", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", - "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", - "service": "AAD B2C", - "services": [ - "Entra" - ], - "severity": "Medium", - "subcategory": "AAD B2C", - "text": "Make sure that your sign-in user flows are backed up and resilient. Make sure that the code that you use to sign-in your users are backed up and recoverable. 
Resilient interfaces with external processes", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", - "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", - "service": "AAD B2C", - "services": [ - "Entra" - ], - "severity": "Medium", - "subcategory": "AAD B2C", - "text": "Custom brand assets should be hosted on a CDN", - "waf": "Performance" - }, - { - "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", - "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", - "service": "AAD B2C", - "services": [ - "Entra" - ], - "severity": "Low", - "subcategory": "AAD B2C", - "text": "Have multiple identiy providers (i.e., login with your microsoft, google, facebook accounts)", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", - "services": [ - "Entra", - "VM" - ], - "severity": "Medium", - "subcategory": "Windows Server AD", - "text": "Follow VM rules for high availability on the VM level (premium disks, two or more in a region, in different availability zones)", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", - "services": [ - "Entra" - ], - "severity": "Medium", - "subcategory": "Windows Server AD", - "text": "Don't replicate! 
Replication can create issues with directory synchronization", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", - "services": [ - "Entra" - ], - "severity": "Medium", - "subcategory": "Windows Server AD", - "text": "Have active-active for multi-regions", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", - "services": [ - "Entra" - ], "severity": "Medium", - "subcategory": "Entra Domain Services", - "text": "Add Azure AD Domain service stamps to additional regions and locations", + "subcategory": "Geo Redundancy", + "text": "Plan for Geo Redudancy of the service", "waf": "Reliability" }, { "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", - "services": [ - "Entra" - ], + "checklist": "Stream Analytics Review Checklist", + "guid": "b9d37dac-43bc-46cd-8d7a-a9b24604489a", + "link": "https://learn.microsoft.com/azure/stream-analytics/geo-redundancy", + "services": [], "severity": "Medium", - "subcategory": "Entra Domain Services", - "text": "Use Replica Sets for DR", + "subcategory": "Geo Redundancy", + "text": "Depending on your availablity requirement, configure Active/Active configuration or Active/Passive configuration ", "waf": "Reliability" }, { 
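Review bot: The `description` of the new Stream Analytics item with guid `cd289ced-6b17-4db8-8554-62f2aee4553a` contains U+FFFD replacement characters where the quotation marks around the quoted documentation sentence should be (`per the documentation �Azure Stream Analytics guarantees … never lost.�`), which means the source text was decoded with the wrong encoding before this JSON was serialized; since the commit is automated, the fix belongs in the generator's input decoding (read the source as UTF-8) and the field should be regenerated as `"description": "... per the documentation 'Azure Stream Analytics guarantees exactly once event processing and at-least-once delivery of events, so events are never lost.'"`. The same item's `text` says `99% SLA` while its `description` says `99.9% SLA`; the two figures should agree. Both added `"subcategory": "High Availablity "` lines end in a trailing space, which makes them a distinct subcategory from the `"High Availablity"` value used by the lines this hunk removes (and presumably by items elsewhere in the file), so they will not group with it in the generated workbooks; the same trailing space appears in `"text": "... Active/Passive configuration "`, and `"text": "Plan for Geo Redudancy of the service"` misspells "Redundancy". Strip the trailing whitespace and fix the typo at the source so the regenerated values match the existing spelling exactly. The enclosing `"items"` array continues past the end of this hunk.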
@@ -301,42481 +126,40513 @@ "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", + "service": "Entra", "services": [ - "WAF" + "Entra" ], - "severity": "High", - "text": "Enable 2 replicas to have 99.9% availability for read operations", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Microsoft Entra ID Tenants", + "text": "Use one Entra tenant for managing your Azure resources, unless you have a clear regulatory or business requirement for multi-tenants.", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Entra", "services": [ - "WAF" + "Entra" ], - "severity": "Medium", - "text": "Enable 3 replicas to have 99.9% availability for read/write operations", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Microsoft Entra ID Tenants", + "text": "Ensure you have a Multi-Tenant Automation approach to managing your Microsoft Entra ID Tenants", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", - "link": 
"https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", - "service": "Cognitive Search", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "Entra", "services": [ - "WAF" + "Entra" ], - "severity": "High", - "text": "Leverage Availability Zones by enabling read and/or write replicas", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Microsoft Entra ID Tenants", + "text": "Leverage Azure Lighthouse for Multi-Tenant Management", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", - "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", - "service": "Cognitive Search", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Entra", "services": [ - "ACR", - "WAF" + "Entra" ], "severity": "Medium", - "text": "For regional redudancy, Manually create services in 2 or more regions for Search as it doesn't provide an automated method of replicating search indexes across geographic regions", - "waf": "Reliability" + "subcategory": "Cloud Solution Provider", + "text": "Ensure that Azure Lighthouse is used for administering the tenant by partner", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", - "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", - "service": "Cognitive Search", 
+ "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": "a24d0de3-d4b9-4dfb-8ddd-bbfaf123fa01", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-cloud-solution-provider#design-recommendations", "services": [ - "ACR", - "WAF" + "Entra" ], - "severity": "Medium", - "text": "To synchronize data across multiple services either Use indexers for updating content on multiple services or Use REST APIs for pushing content updates on multiple services", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Cloud Solution Provider", + "text": "Discuss support request and escalation process with CSP partner", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", - "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", - "service": "Cognitive Search", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": "32952499-58c8-4e6f-ada5-972e67893d55", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "services": [ - "TrafficManager", - "WAF" + "Entra", + "Cost" ], "severity": "Medium", - "text": "Use Azure Traffic Manager to coordinate requests", - "waf": "Reliability" + "subcategory": "Cloud Solution Provider", + "text": "Setup Cost Reporting and Views with Azure Cost Management", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", - "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", - "service": "Cognitive Search", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": 
"685cb4f2-ac9c-4b19-9167-993ed0b32415", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", "services": [ - "Backup", - "Storage", - "WAF" + "Entra", + "LoadBalancer" ], - "severity": "High", - "text": "Backup and Restore an Azure Cognitive Search Index. Use this sample code to back up index definition and snapshot to a series of Json files", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Enterprise Agreement", + "text": "Configure Notification Contacts to a group mailbox", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", - "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", - "service": "Entra", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": "12cd499f-96e2-4e41-a243-231fb3245a1c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", "services": [ "Entra", - "WAF" + "TrafficManager" ], - "severity": "Medium", - "text": "Use long-live revocable token, cache your token and acquire your silently using Microsoft Identity Library", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Enterprise Agreement", + "text": "Use departments and accounts to map your organization's structure to your enrollment hierarchy which can help with separating billing.", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", - "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", - "service": "AAD B2C", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": "ca0fe401-12ad-46fc-8a7e-86293866a9f6", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", "services": [ - "WAF" + "Entra", + "Cost" ], "severity": "Medium", - "text": "Make sure that your sign-in user flows are backed up and resilient. Make sure that the code that you use to sign-in your users are backed up and recoverable. Resilient interfaces with external processes", - "waf": "Reliability" + "subcategory": "Enterprise Agreement", + "text": "Enable both DA View Charges and AO View Charges on your EA Enrollments to allow users with the correct perms review Cost and Billing Data.", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", - "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", - "service": "AAD B2C", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": "5cf9f485-2784-49b3-9824-75d9b8bdb57b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", "services": [ - "WAF" + "Entra", + "Subscriptions", + "Cost" ], - "severity": "Medium", - "text": "Custom brand assets should be hosted on a CDN", - "waf": "Performance" + "severity": "Low", + "subcategory": "Enterprise Agreement", + "text": "Make use of Enterprise Dev/Test Subscriptions to reduce costs for non-production workloads", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", - "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", - "service": "AAD B2C", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": "6ad5c3dd-e5ea-4ff1-81a4-7886ff87845c", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "services": [ - "WAF" + "Entra" ], "severity": "Low", - "text": "Have multiple identiy providers (i.e., login with your microsoft, google, facebook accounts)", - "waf": "Reliability" + "subcategory": "Microsoft Customer Agreement", + "text": "Configure Agreement billing account notification contact email", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": "90e87802-602f-4dfb-acea-67c60689f1d7", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/mca-section-invoice", "services": [ - "VM", - "WAF" + "Storage", + "Entra", + "Cost" ], - "severity": "Medium", - "text": "Follow VM rules for high availability on the VM level (premium disks, two or more in a region, in different availability zones)", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Microsoft Customer Agreement", + "text": "Use Billing Profiles and Invoice sections to structure your agreements billing for effective cost management", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": "e81a73f0-84c4-4641-b406-14db3b4d1f50", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "services": [ - "WAF" 
+ "Entra", + "Cost" ], - "severity": "Medium", - "text": "Don't replicate! Replication can create issues with directory synchronization", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Microsoft Customer Agreement", + "text": "Make use of Microsoft Azure plan for dev/test offer to reduce costs for non-production workloads", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": "ae757485-92a4-482a-8bc9-eefe6f5b5ec3", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "services": [ - "WAF" + "Entra", + "RBAC" ], "severity": "Medium", - "text": "Have active-active for multi-regions", - "waf": "Reliability" + "subcategory": "Microsoft Customer Agreement", + "text": "Periodically audit the agreement billing RBAC role assignments to review who has access to your MCA billing account", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "ammp": true, + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "348ef254-c27d-442e-abba-c7571559ab91", + "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", "service": "Entra", "services": [ + "ACR", "Entra", - "WAF" + "RBAC", + "Subscriptions" ], - "severity": "Medium", - "text": "Add Azure AD Domain service stamps to additional regions and locations", - "waf": "Reliability" + "severity": "High", + "subcategory": "Identity", + "text": "Enforce a RBAC model that aligns 
to your cloud operating model. Scope and Assign across Management Groups and Subscriptions.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", + "ammp": true, + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "4348bf81-7573-4512-8f46-9061cc198fea", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#identity-and-access-management-in-the-azure-landing-zone-accelerator", "services": [ - "WAF" + "Entra" ], - "severity": "Medium", - "text": "Use Replica Sets for DR", - "waf": "Reliability" + "severity": "High", + "subcategory": "Microsoft Entra ID and Hybrid Identity", + "text": "Use managed identities instead of service principals for authentication to Azure services. 
You can check for existing service principals via Entra ID > Sign in Logs > Service principal logins.", + "training": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "21c30d25-ffb7-4f6a-b9ea-b3fec328f787", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-cog_svcs_v1.docx", - "service": "Cognitive Services", - "services": [ - "WAF" + "ammp": true, + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", + "service": "Entra", + "services": [ + "Entra" ], - "severity": "Medium", - "text": "Leverage FTA HandBook for Cognitive Services", - "waf": "Reliability" + "severity": "High", + "subcategory": "Identity", + "text": "Only use the authentication type Work or school account for all account types. 
Avoid using the Microsoft account", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "78c34698-16b2-4763-aefe-1b9b599de0d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", - "service": "Cognitive Services", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "Entra", "services": [ - "Backup", - "WAF" + "Entra" ], "severity": "Medium", - "text": "Backup Your Prompts", - "waf": "Reliability" + "subcategory": "Identity", + "text": "Only use groups to assign permissions. Add on-premises groups to the Entra ID only group if a group management system is already in place.", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "750ab2ab-039d-4a6d-95d7-c892adb107d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", - "service": "Cognitive Services", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", + "service": "Entra", "services": [ - "ASR", - "WAF" + "Entra", + "AzurePolicy" ], - "severity": "High", - "text": "Business Continuity and Disaster Recovery (BCDR) considerations with Azure OpenAI Service", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Identity", + "text": "Enforce Microsoft Entra ID conditional-access policies for any user with rights to Azure environments", + "training": 
"https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "325af625-ca44-4e46-a5e2-223ace8bb123", - "link": "https://github.com/abacaj/chatgpt-backup#backup-your-chatgpt-conversations", - "service": "Cognitive Services", + "ammp": true, + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", + "service": "Entra", "services": [ - "Backup", - "WAF" + "Entra" ], - "severity": "Medium", - "text": "Backup Your ChatGPT conversations", - "waf": "Reliability" + "severity": "High", + "subcategory": "Identity", + "text": "Enforce multi-factor authentication for any user with rights to the Azure environments", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "07ca5f17-f154-4e3a-a369-2829e7e31618", - "link": "https://learn.microsoft.com/azure/ai-services/speech-service/how-to-custom-speech-continuous-integration-continuous-deployment", - "service": "Cognitive Services", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "e6a83de5-de32-4c19-a248-1607d5d1e4e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", "services": [ - "WAF" + "Entra", + "RBAC" ], "severity": "Medium", - "text": "CI/CD for custom speech", - "waf": "Reliability" + "subcategory": "Identity", + "text": "Enforce centralized and delegated responsibilities to manage resources deployed inside the landing zone, based on role and security requirements", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": 
"3687a046-7a1f-4893-9bda-43324f248116", - "link": "https://learn.microsoft.com/azure/ai-services/qnamaker/tutorials/export-knowledge-base", - "service": "Cognitive Services", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "14658d35-58fd-4772-99b8-21112df27ee4", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "Entra", "services": [ - "WAF" + "Entra" ], - "severity": "Low", - "text": "Move a knowledge base using export-import", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Identity", + "text": "Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", - "service": "Bot service", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "1559ab91-53e8-4908-ae28-c84c33b6b780", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain#vm-recommendations", "services": [ - "WAF" + "Entra", + "ACR", + "VM" ], "severity": "Medium", - "text": "Follow reliability support recommendations in Azure Bot Service", + "subcategory": "Identity", + "text": "When deploying Active Directory on Windows Server, use a location with Availability Zones and deploy at least two VMs across these zones. 
If not available, deploy in an Availability Set", + "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", - "service": "Bot service", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "f5664b5e-984a-4859-a773-e7d261623a76", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", "services": [ - "WAF" + "ACR", + "Entra", + "RBAC", + "Subscriptions" ], "severity": "Medium", - "text": "Deploying bots with local data residency and regional compliance", - "waf": "Reliability" + "subcategory": "Identity", + "text": "Use Azure custom RBAC roles for the following key roles to provide fine-grain access across your ALZ: Azure platform owner, network management, security operations, subscription owner, application owner. Align these roles to teams and responsibilities within your business.", + "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", - "service": "Bot service", + "checklist": "Azure Landing Zone Review", + "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", + "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", + "service": "Entra", "services": [ - "WAF" + "Entra" ], "severity": "Medium", - "text": "Azure Bot Service runs in active-active mode for both global and regional services. 
When an outage occurs, you don't need to detect errors or manage the service. Azure Bot Service automatically performs auto failover and auto recovery in a multi-region geographical architecture. For the EU bot regional service, Azure Bot Service provides two full regions inside Europe with active/active replication to ensure redundancy. For the global bot service, all available regions/geographies can be served as the global footprint.", - "waf": "Reliability" + "subcategory": "Identity and Access Management", + "text": "If planning to switch from Active Directory Domain Serivces to Entra domain services, evaluate the compatibility of all workloads", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "1fc2fc14-eea6-4e69-b8d9-a3edc218e687", - "link": "https://polite-sea-0995b240f.2.azurestaticapps.net/technical-delivery-playbook/azure-services/analytics/purview/", - "service": "Purview", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", + "service": "Entra", "services": [ - "WAF" + "Entra", + "Monitor" ], "severity": "Medium", - "text": "Leverage FTA Resillency Handbook", - "waf": "Reliability" + "subcategory": "Identity", + "text": "Integrate Microsoft Entra ID logs with the platform-central Azure Monitor. 
Azure Monitor allows for a single source of truth around log and monitoring data in Azure, giving organizations a cloud native options to meet requirements around log collection and retention.", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "ab067acb-49e5-4b96-8332-4ecf8cc13318", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", + "ammp": true, + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "984a859c-773e-47d2-9162-3a765a917e1f", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + "service": "Entra", "services": [ - "WAF" + "Entra" ], "severity": "High", - "text": "Plan for Data Center level outage", - "waf": "Reliability" + "subcategory": "Identity", + "text": "Implement an emergency access or break-glass accounts to prevent tenant-wide account lockout", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "1. Create the new account 2. Migrate configuration items 3. Run scans 4. Migrate custom typedefs and custom assets 5. Migrate relationships 6. Migrate glossary terms 7. Assign classifications to assets 8. 
Assign contacts to assets", - "guid": "da611702-69f4-4fb4-aa3d-3ef7f3176c4b", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "cd163e39-84a5-4b39-97b7-6973abd70d94", + "link": "https://learn.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-staging-server", "services": [ - "WAF" + "ASR", + "Entra" ], "severity": "Medium", - "text": "Practice Failover for BCDR", + "subcategory": "Microsoft Entra ID", + "text": "When deploying an Microsoft Entra Connect, leverage a staging sever for high availability / Disaster recovery", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "97b15b8a-219a-44ab-bb57-879024d22678", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "35037e68-9349-4c15-b371-228514f4cdff", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "Entra", "services": [ - "Backup", - "WAF" + "Entra", + "RBAC" ], - "severity": "High", - "text": "Plan a backup strategy and take regular backups", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Identity", + "text": "Avoid using on-premises synced accounts for Microsoft Entra ID role assignments.", + "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "6d20b56c-56a9-4581-89bf-8d8e5c586b7d", - "link": "https://learn.microsoft.com/purview/manage-kafka-dotnet", - "service": "Purview", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Entra", 
"services": [ - "EventHubs", - "WAF" + "Entra" ], - "severity": "Low", - "text": "Use Microsoft Purview's Event Hubs to subscribe and create entities to another account", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Identity", + "text": "Where required, use Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications (hosted in the cloud or on-premises).", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "8cdc15ac-c075-4ee9-a130-a8889579e76b", - "link": "https://learn.microsoft.com/purview/deployment-best-practices", - "service": "Purview", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "9cf5418b-1520-4b7b-add7-88eb28f833e8", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#managed-identities", "services": [ - "WAF" + "VNet", + "Entra" ], "severity": "Medium", - "text": "Follow Purview accounts architectures and deployment best practices", - "waf": "Reliability" + "subcategory": "Landing zones", + "text": "Configure Identity network segmentation through the use of a virtual Network and peer back to the hub. 
Providing authentication inside application landing zone (legacy).", + "training": "https://learn.microsoft.com/azure/architecture/example-scenario/identity/adds-extend-domain", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "896e710a-7da7-4be9-a56d-14d3c49d997c", - "link": "https://learn.microsoft.com/purview/concept-best-practices-collections", - "service": "Purview", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "d4d1ad54-1abc-4919-b267-3f342d3b49e4", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#rbac-recommendations", "services": [ - "WAF" + "Storage", + "Entra", + "RBAC", + "AKV", + "ACR" ], "severity": "Medium", - "text": "Follow Collection Architectures and best practices", - "waf": "Reliability" + "subcategory": "Landing zones", + "text": "Use Azure RBAC to manage data plane access to resources, if possible. E.G - Data Operations across Key Vault, Storage Account and Database Services.", + "training": "https://learn.microsoft.com/azure/role-based-access-control/overview", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "b3d1325a-a225-4c6f-9e06-85edddea8a4b", - "link": "https://learn.microsoft.com/purview/concept-best-practices-asset-lifecycle", - "service": "Purview", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "d505ebcb-79b1-4274-9c0d-a27c8bea489c", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-create-roles-and-resource-roles-review", "services": [ - "WAF" + "Entra" ], "severity": "Medium", - "text": "Follow Assest lifecycle best practices", - "waf": "Reliability" + "subcategory": "Landing zones", + "text": "Use Microsoft Entra ID PIM access reviews to periodically validate resource entitlements.", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": 
"7cdeb3c6-1fc2-4fc1-9eea-6e69d8d9a3ed", - "link": "https://learn.microsoft.com/purview/concept-best-practices-automation", - "service": "Purview", + "ammp": true, + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "description": "Consider using the Azure naming tool available at https://aka.ms/azurenamingtool", + "guid": "cacf55bc-e4e4-46be-96bc-57a5f23a269a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming", + "services": [], + "severity": "High", + "subcategory": "Naming and tagging", + "text": "It is recommended to follow Microsoft Best Practice Naming Standards", + "waf": "Security" + }, + { + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "graph": "resourcecontainers| where type == 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant =( array_length(mgmtChain) <= 4 and array_length(mgmtChain) > 1)", + "guid": "2df27ee4-12e7-4f98-9f63-04722dd69c5b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", "services": [ - "WAF" + "Subscriptions" ], "severity": "Medium", - "text": "Follow automation best practices", - "waf": "Reliability" + "subcategory": "Subscriptions", + "text": "Enforce reasonably flat management group hierarchy with no more than four levels.", + "training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "c218e687-ab06-47ac-a49e-5b9603324ecf", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "667313b4-f566-44b5-b984-a859c773e7d2", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations", "services": [ - "Backup", - "WAF" + "Subscriptions" ], "severity": "Medium", - "text": "Follow Backup and Migration Best practices", - "waf": "Reliability" + "subcategory": "Subscriptions", + "text": "Enforce a sandbox management group to allow users to immediately experiment with Azure", + "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "8cc13318-da61-4170-869f-4fb4aa3d3ef7", - "link": "https://learn.microsoft.com/purview/concept-best-practices-glossary", - "service": "Purview", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "61623a76-5a91-47e1-b348-ef254c27d42e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations", "services": [ - "WAF" + "RBAC", + "Subscriptions", + "AzurePolicy" ], "severity": "Medium", - "text": "Follow Purview Glossary Best Practices", - "waf": "Reliability" + "subcategory": "Subscriptions", + "text": "Enforce a platform management group under the root management group to support common platform policy and Azure role assignment", + "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "f3176c4b-97b1-45b8-a219-a4abeb578790", - "link": "https://learn.microsoft.com/purview/concept-workflow", - "service": "Purview", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "8bbac757-1559-4ab9-853e-8908ae28c84c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations", "services": [ - "WAF" + 
"DNS", + "Subscriptions", + "ExpressRoute", + "VWAN" ], - "severity": "Low", - "text": "Leverage Workflows ", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Subscriptions", + "text": "Enforce a dedicated connectivity subscription in the Connectivity management group to host an Azure Virtual WAN hub, private Domain Name System (DNS), ExpressRoute circuit, and other networking resources.", + "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "24d22678-6d20-4b56-a56a-958119bf8d8e", - "link": "https://learn.microsoft.com/purview/concept-best-practices-security", - "service": "Purview", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "graph": "resourcecontainers| where type == 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant = (array_length(mgmtChain) > 1)", + "guid": "33b6b780-8b9f-4e5c-9104-9d403a923c34", + "link": "https://learn.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---default-management-group", "services": [ - "WAF" + "Subscriptions" ], "severity": "Medium", - "text": "Follow Purview Security Best Practices", - "waf": "Reliability" + "subcategory": "Subscriptions", + "text": "Enforce no subscriptions are placed under the root management group", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "5c586b7d-8cdc-415a-ac07-5ee9b130a888", - "link": "https://learn.microsoft.com/purview/concept-best-practices-lineage-azure-data-factory", - "service": "Purview", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "74d00018-ac6a-49e0-8e6a-83de5de32c19", + "link": "https://learn.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---require-authorization", "services": [ - "WAF" + 
"RBAC", + "Subscriptions" ], "severity": "Medium", - "text": "Follow Purview Data Lineage Best Practices", - "waf": "Reliability" + "subcategory": "Subscriptions", + "text": "Enforce that only privileged users can operate management groups in the tenant by enabling Azure RBAC authorization in the management group hierarchy settings", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "9579e76b-896e-4710-a7da-7be9956d14d3", - "link": "https://learn.microsoft.com/purview/concept-best-practices-scanning", - "service": "Purview", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "92481607-d5d1-4e4e-9146-58d3558fd772", + "link": "https://learn.microsoft.com/azure/governance/management-groups/overview", "services": [ - "WAF" + "Subscriptions" ], "severity": "Medium", - "text": "Follow Best Practices for Scanning Registered Sources", - "waf": "Reliability" + "subcategory": "Subscriptions", + "text": "Enforce management groups under the root-level management group to represent the types of workloads, based on their security, compliance, connectivity, and feature needs.", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "c49d997c-b3d1-4325-aa22-5c6f4e0685ed", - "link": "https://learn.microsoft.com/purview/concept-best-practices-classification", - "service": "Purview", + "ammp": true, + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "49b82111-2df2-47ee-912e-7f983f630472", + "link": "https://learn.microsoft.com/azure/governance/management-groups/overview", "services": [ - "WAF" + "RBAC", + "Subscriptions", + "AzurePolicy", + "Cost" ], - "severity": "Medium", - "text": "Follow Classification Best Practices in Governance Portal", - "waf": "Reliability" + "severity": "High", + "subcategory": "Subscriptions", + "text": "Enforce a process to make resource owners aware of their roles and responsibilities, access review, budget review, policy compliance and 
remediate when necessary.", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "ddea8a4b-7cde-4b3c-91fc-2fc14eea6e69", - "link": "https://learn.microsoft.com/purview/sensitivity-labels-frequently-asked-questions", - "service": "Purview", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "2dd69c5b-5c26-422f-94b6-9bad33aad5e8", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", "services": [ - "WAF" + "Subscriptions" ], "severity": "Medium", - "text": "Perform Sensitivity Labelling in the Purview Data Map", - "waf": "Reliability" + "subcategory": "Subscriptions", + "text": "Ensure that all subscription owners and IT core team are aware of subscription quotas and the impact they have on provision resources for a given subscription.", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "d8d9a3ed-c218-4e68-9ab0-67acb49e5b96", - "link": "https://learn.microsoft.com/purview/concept-data-share", - "service": "Purview", + "ammp": true, + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "c68e1d76-6673-413b-9f56-64b5e984a859", + "link": "https://learn.microsoft.com/azure/cost-management-billing/reservations/save-compute-costs-reservations", "services": [ - "Storage", - "WAF" + "VM", + "Subscriptions", + "AzurePolicy", + "Cost" ], - "severity": "Low", - "text": "Leverage Azure Storage in-place data sharing with Microsoft Purview", - "waf": "Reliability" + "severity": "High", + "subcategory": "Subscriptions", + "text": "Use Reserved Instances where appropriate to optimize cost and ensure available capacity in target regions. 
Enforce the use of purchased Reserved Instance VM SKUs via Azure Policy.", + "training": "https://learn.microsoft.com/learn/paths/improve-reliability-modern-operations/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "03324ecf-8cc1-4331-ada6-1170269f4fb4", - "link": "https://learn.microsoft.com/purview/concept-insights", - "service": "Purview", + "ammp": true, + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "c773e7d2-6162-43a7-95a9-17e1f348ef25", + "link": "https://learn.microsoft.com/azure/architecture/framework/scalability/design-capacity", "services": [ - "WAF" + "Monitor", + "Subscriptions" ], - "severity": "Low", - "text": "Leverage Data Estate Insights", - "waf": "Reliability" - }, - { - "checklist": "WAF checklist", - "guid": "aa3d3ef7-f317-46c4-a97b-15b8a219a4ab", - "link": "https://learn.microsoft.com/purview/catalog-adoption-insights", - "service": "Purview", - "services": [ - "WAF" - ], - "severity": "Low", - "text": "Use Data stewardship and Catalog adoption", - "waf": "Reliability" + "severity": "High", + "subcategory": "Subscriptions", + "text": "Enforce a dashboard, workbook, or manual process to monitor used capacity levels", + "training": "https://learn.microsoft.com/learn/paths/monitor-usage-performance-availability-resources-azure-monitor/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "eb578790-24d2-4267-a6d2-0b56c56a9581", - "link": "https://learn.microsoft.com/purview/concept-insights", - "service": "Purview", + "ammp": true, + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "ae28c84c-33b6-4b78-88b9-fe5c41049d40", + "link": "https://learn.microsoft.com/azure/cost-management-billing/cost-management-billing-overview", "services": [ - "WAF" + "Subscriptions", + "Cost" ], - "severity": "Low", - "text": "Use Inventory and Ownership", - "waf": "Reliability" + "severity": "High", + "subcategory": "Subscriptions", + 
"text": "Enforce a process for cost management", + "training": "https://learn.microsoft.com/learn/paths/control-spending-manage-bills/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "19bf8d8e-5c58-46b7-b8cd-c15acc075ee9", - "link": "https://learn.microsoft.com/purview/glossary-insights", - "service": "Purview", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "3a923c34-74d0-4001-aac6-a9e01e6a83de", + "link": "https://learn.microsoft.com/azure/governance/management-groups/overview", "services": [ - "WAF" + "Entra", + "Subscriptions" ], - "severity": "Low", - "text": "Leverage Insights for Glossary, Classifications, Sensitivity Labels", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Subscriptions", + "text": "If servers will be used for Identity services, like domain controllers, establish a dedicated identity subscription in the identity management group, to host these services. Make sure that resources are set to use the domain controllers available in their region.", + "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "b130a888-9579-4e76-a896-e710a7da7be9", - "link": "https://learn.microsoft.com/purview/compliance-manager", - "service": "Purview", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", + "guid": "5de32c19-9248-4160-9d5d-1e4e614658d3", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/track-costs", "services": [ - "WAF" + "Subscriptions", + "Cost" ], "severity": "Medium", - "text": "Generate assessment scores", - "waf": "Reliability" + "subcategory": "Subscriptions", + "text": "Ensure tags are used for billing and cost management", + "training": 
"https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "956d14d3-c49d-4997-ab3d-1325aa225c6f", - "link": "https://learn.microsoft.com/purview/compliance-manager-scoring", - "service": "Purview", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "6cc0ea22-42bb-441e-a345-804ab0a09666", + "link": "https://github.com/Azure/sovereign-landing-zone/blob/main/docs/02-Architecture.md", "services": [ - "WAF" + "Subscriptions" ], "severity": "Medium", - "text": "Profiling- get summaries of data content", - "waf": "Reliability" + "subcategory": "Subscriptions", + "text": "For Sovereign Landing Zone, have a 'confidential corp' and 'confidential online' management group directly under the 'landing zones' MG.", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "4e0685ed-ddea-48a4-a7cd-eb3c61fc2fc1", - "link": "https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts", - "service": "Purview", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "250d81ce-8bbe-4f85-9051-6a18a8221e50", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/regions", "services": [ - "AzurePolicy", - "WAF" + "Cost" ], - "severity": "Low", - "text": "Follow Microsoft Purview Data Owner access policies", + "severity": "High", + "subcategory": "Regions", + "text": "Select the right Azure region/s for your deployment. Azure is a global-scale cloud platform that provide global coverage through many regions and geographies. 
Different Azure regions have different characteristics, access and availability models, costs, capacity, and services offered, then it is important to consider all criteria and requirements", + "training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "4eea6e69-d8d9-4a3e-bc21-8e687ab067ac", - "link": "https://learn.microsoft.com/purview/concept-self-service-data-access-policy", - "service": "Purview", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "19ca3f89-397d-44b1-b5b6-5e18661372ac", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/regions#operate-in-multiple-geographic-regions", "services": [ - "AzurePolicy", - "WAF" + "ASR" ], - "severity": "Low", - "text": "Follow Self-service access policies", + "severity": "Medium", + "subcategory": "Regions", + "text": "Consider a multi-region deployment. Depending on customer size, locations, and users presence, operating in multiple regions can be a common choice to deliver services and run applications closer to them. 
Using a multi-region deployment is also important to provide geo disaster recovery capabilities, to eliminate the dependency from a single region capacity and diminish the risk of a temporary and localized resource capacity constraint", + "training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "b49e5b96-0332-44ec-b8cc-13318da61170", - "link": "https://learn.microsoft.com/purview/concept-policies-devops", - "service": "Purview", - "services": [ - "AzurePolicy", - "WAF" - ], - "severity": "Low", - "text": "Follow DevOps policies", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "4c27d42e-8bba-4c75-9155-9ab9153e8908", + "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", + "services": [], + "severity": "Medium", + "subcategory": "Regions", + "text": "Ensure required services and features are available within the chosen deployment regions", + "training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", - "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "373f482f-3e39-4d39-8aa4-7e566f6082b6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-app-delivery", "services": [ - "SAP", - "WAF" + "FrontDoor", + "AppGW" ], "severity": "Medium", - "text": "Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP a top-level workload on Azure. ACSS is an end-to-end solution that enables you to create and run SAP systems as a unified workload on Azure and provides a more seamless foundation for innovation. 
You can take advantage of the management capabilities for both new and existing Azure-based SAP systems.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", + "subcategory": "App delivery", + "text": "Develop a plan for securing the delivery application content from your Workload spokes using Application Gateway and Azure Front door. You can use the Application Delivery checklist to for recommendations.", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", + "service": "VNet", "services": [ - "SAP", - "WAF" + "VNet" ], "severity": "Medium", - "text": "Azure supports automating SAP deployments in Linux and Windows. 
SAP Deployment Automation Framework is an open-source orchestration tool that can deploy, install, and maintain SAP environments.", - "training": "https://github.com/Azure/sap-automation", - "waf": "Operations" + "subcategory": "Hub and spoke", + "text": "Leverage a network design based on the traditional hub-and-spoke network topology for network scenarios that require maximum flexibility.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", - "service": "SAP", - "services": [ - "SAP", - "WAF" - ], + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "6138a720-0f1c-4e16-bd30-1d6e872e52e3", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "services": [], "severity": "Medium", - "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally", - "waf": "Reliability" + "subcategory": "App delivery", + "text": "Perform app delivery within landing zones for both internal-facing (corp) and external-facing apps (online).", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", - "service": "SAP", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", + "link": 
"https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/expressroute", + "service": "VNet", "services": [ - "Backup", - "WAF" + "VNet", + "Entra", + "DNS", + "ExpressRoute", + "Firewall", + "VPN", + "NVA" ], - "severity": "Medium", - "text": "Test the backup and recovery times to verify that they meet your RTO requirements for restoring all systems simultaneously after a disaster.", - "waf": "Reliability" + "severity": "High", + "subcategory": "Hub and spoke", + "text": "Ensure that shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. If necessary, also deploy DNS servers.", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "b651423c-8552-42db-a545-5cb50c05527a", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "VNet", "services": [ - "ASR", - "SAP", - "Backup", - "SQL", - "Storage", - "WAF" + "DDoS" ], - "severity": "High", - "text": "You can replicate standard storage between paired regions, but you can't use standard storage to store your databases or virtual hard disks. You can replicate backups only between paired regions that you use. For all your other data, run your replication by using native DBMS features like SQL Server Always On or SAP HANA System Replication. 
Use a combination of Site Recovery, rsync or robocopy, and other third-party software for the SAP application layer.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "App delivery", + "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", + "service": "NVA", "services": [ - "SAP", - "WAF" + "NVA" ], "severity": "Medium", - "text": "When using Azure Availability Zones to achieve high availability, you must consider latency between SAP application servers and database servers. 
For zones with high latencies, operational procedures need to be in place to ensure that SAP application servers and database servers are running in the same zone at all times.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "subcategory": "Hub and spoke", + "text": "When deploying partner networking technologies or NVAs, follow the partner vendor's guidance", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", + "service": "ExpressRoute", "services": [ - "ExpressRoute", "VPN", - "ASR", - "WAF" + "ARS", + "ExpressRoute" ], - "severity": "High", - "text": "Set up ExpressRoute connections from on-premises to the primary and secondary Azure disaster recovery regions. 
Also, as an alternative to using ExpressRoute, consider setting up VPN connections from on-premises to the primary and secondary Azure disaster recovery regions.", - "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Hub and spoke", + "text": "If you need transit between ExpressRoute and VPN gateways in hub and spoke scenarios, use Azure Route Server.", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", + "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", + "service": "ARS", "services": [ - "AKV", - "ACR", - "WAF" + "VNet", + "ARS" ], "severity": "Low", - "text": "Replicate key vault contents like certificates, secrets, or keys across regions so you can decrypt data in the DR region.", - "waf": "Reliability" + "subcategory": "Hub and spoke", + "text": "If using Route Server, use a /27 prefix for the Route Server subnet.", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", - "service": "SAP", + "category": "Network Topology and 
Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", + "service": "VNet", "services": [ - "ASR", "VNet", - "SAP", - "WAF" + "ACR" ], "severity": "Medium", - "text": "Peer the primary and disaster recovery virtual networks. For example, for HANA System Replication, an SAP HANA DB virtual network needs to be peered to the disaster recovery site's SAP HANA DB virtual network.", - "waf": "Reliability" + "subcategory": "Hub and spoke", + "text": "For network architectures with multiple hub-and-spoke topologies across Azure regions, use global virtual network peerings between the hub VNets to connect the regions to each other.", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", + "service": "VNet", "services": [ - "Storage", - "SAP", - "WAF" + "Monitor" ], - "severity": "Low", - "text": "If you use Azure NetApp Files storage for your SAP deployments, at a minimum, create two Azure NetApp Files accounts in the Premium tier, in two regions.", - "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Hub and spoke", + "text": "Use Azure Monitor for Networks to monitor the end-to-end state of the networks on 
Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", + "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", "services": [ - "WAF" + "VNet", + "Entra", + "ExpressRoute" ], - "severity": "High", - "text": "Native database replication technology should be used to synchronize the database in a HA pair.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", + "severity": "Medium", + "subcategory": "Hub and spoke", + "text": "When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000)", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", - "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = 
(routeCount < 360) | distinct id,compliant", + "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", "services": [ - "VNet", - "WAF" + "Storage" ], - "severity": "High", - "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's VNet", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "severity": "Medium", + "subcategory": "Hub and spoke", + "text": "Consider the limit of routes per route table (400).", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", - "service": "SAP", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", + "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", + "service": "VNet", "services": [ - "Entra", - "ASR", - "VM", - "WAF" + "VNet" ], "severity": "High", - "text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. 
When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "subcategory": "Hub and spoke", + "text": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", + "service": "ExpressRoute", "services": [ - "SAP", - "WAF" + "ExpressRoute" ], - "severity": "High", - "text": "Consider the availability of SAP software against single points of failure. This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. Also, other tools such as SAP Web Dispatcher.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Encryption", + "text": "When you're using ExpressRoute Direct, configure MACsec in order to encrypt traffic at the layer-two level between the organization's routers and MSEE. 
The diagram shows this encryption in flow.", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", + "service": "ExpressRoute", "services": [ - "SAP", - "WAF" + "VPN", + "ExpressRoute" ], - "severity": "High", - "text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Encryption", + "text": "For scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), use a VPN gateway to establish IPsec tunnels over ExpressRoute private peering.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "558fd772-49b8-4211-82df-27ee412e7f98", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "ExpressRoute", "services": [ - "VM", - "Storage", - "WAF" + "VNet", + "ACR" ], "severity": "High", - "text": "Azure doesn't 
support architectures in which the primary and secondary VMs share storage for DBMS data. For the DBMS layer, the common architecture pattern is to replicate databases at the same time and with different storage stacks than the ones that the primary and secondary VMs use.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", - "waf": "Reliability" + "subcategory": "IP plan", + "text": "Ensure no overlapping IP address spaces across Azure regions and on-premises locations are used", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", - "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", + "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", "services": [ - "Storage", - "SAP", - "WAF" + "VNet" ], - "severity": "High", - "text": "The DBMS data and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. 
Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", - "waf": "Reliability" + "severity": "Low", + "subcategory": "IP plan", + "text": "Use IP addresses from the address allocation ranges for private internets (RFC 1918).", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", - "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", - "service": "SAP", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", + "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", "services": [ - "SAP", - "WAF" + "VNet" ], "severity": "High", - "text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific high-availability scenarios. Set up your failover clusters separately for SAP application layer components and the DBMS layer. 
Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "subcategory": "IP plan", + "text": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16)", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", - "service": "SAP", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", + "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", + "service": "VNet", "services": [ - "LoadBalancer", - "SAP", - "WAF" + "VNet" ], "severity": "High", - "text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer should handle the virtual IP address for all other cases. One design principle is to use one load balancer per cluster configuration. 
We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "subcategory": "IP plan", + "text": "Avoid using overlapping IP address ranges for production and DR sites.", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", + "service": "DNS", "services": [ - "LoadBalancer", - "WAF" + "VNet", + "DNS" ], - "severity": "High", - "text": "Make sure the Floating IP is enabled on the Load balancer", - "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "IP plan", + "text": "For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution with a delegated zone for name resolution (such as 'azure.contoso.com').", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", + "link": 
"https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", + "service": "DNS", "services": [ - "WAF" + "VNet", + "ACR", + "DNS" ], - "severity": "High", - "text": "Before you deploy your high-availability infrastructure, and depending on the region you choose, determine whether to deploy with an Azure availability set or an availability zone.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "IP plan", + "text": "For environments where name resolution across Azure and on-premises is required, consider using Azure DNS Private Resolver.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", + "service": "DNS", "services": [ - "Entra", - "VM", - "SAP", - "WAF" + "VNet", + "DNS" ], - "severity": "High", - "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.", - "waf": "Reliability" + "severity": "Low", + "subcategory": "IP plan", + "text": "Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred DNS solution.", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": 
"cbe05bbe-209d-4490-ba47-778424d11678", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "614658d3-558f-4d77-849b-821112df27ee", + "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", + "service": "DNS", "services": [ - "Entra", - "VM", - "RBAC", - "WAF" + "VNet", + "DNS", + "VM" ], "severity": "High", - "text": "Do not mix servers of different roles in the same availability set. Keep central services VMs, database VMs, application VMs in their own availability sets", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Reliability" + "subcategory": "IP plan", + "text": "Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual machines deployed within a virtual network.", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", - "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", + "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", + "service": "Bastion", "services": [ - "WAF" + "Bastion" ], "severity": "Medium", - "text": "You can't deploy Azure availability sets within an Azure availability zone unless you use proximity placement groups.", - "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "waf": "Reliability" + "subcategory": "Internet", + "text": "Consider using Azure Bastion to securely connect to your network.", + "waf": "Security" }, 
{ - "checklist": "WAF checklist", - "guid": "9674e7c7-7796-4181-8920-09f4429543ba", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", + "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", + "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", + "service": "Bastion", "services": [ - "VM", + "VNet", + "Bastion" + ], + "severity": "Medium", + "subcategory": "Internet", + "text": "Use Azure Bastion in a subnet /26 or larger.", + "waf": "Security" + }, + { + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "WAF", + "services": [ + "FrontDoor", + "ACR", + "AzurePolicy", "WAF" ], - "severity": "High", - "text": "When you create availability sets, use the maximum number of fault domains and update domains available. For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. 
The default number of fault domains is two, and you can't change it online later.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Internet", + "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", "services": [ - "Entra", - "SAP", + "FrontDoor", + "AzurePolicy", + "WAF", + "AppGW" + ], + "severity": "Low", + "subcategory": "Internet", + "text": "When using Azure Front Door and Azure Application Gateway to help protect HTTP/S apps, use WAF policies in Azure Front Door. 
Lock down Azure Application Gateway to receive traffic only from Azure Front Door.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Security" + }, + { + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", + "services": [ + "VNet", "WAF" ], "severity": "High", - "text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group.", - "waf": "Reliability" + "subcategory": "Internet", + "text": "Deploy WAFs and other reverse proxies are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network and together with the apps that they're protecting and exposing to the internet.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", "services": [ - "SAP", - "ACR", - "WAF" + "DDoS", + "VNet" ], "severity": "High", - "text": "Use one proximity placement group per SAP SID. 
Groups don't span across Availability Zones or Azure regions", + "subcategory": "Internet", + "text": "Use Azure DDoS Network or IP Protection plans to help protect Public IP Addresses endpoints within the virtual networks.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" + }, + { + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "b034c01e-110b-463a-b36e-e3346e57f225", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", + "service": "VNet", + "services": [], + "severity": "High", + "subcategory": "Internet", + "text": "Assess and review network outbound traffic configuration and strategy before the upcoming breaking change. On September 30, 2025, default outbound access for new deployments will be retired and only explicit access configurations will be allowed", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", "services": [ - "Entra", - "SAP", - "WAF" + "DDoS" ], "severity": "High", - "text": "Use one of the following services to run SAP central services clusters, depending on the operating system.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "subcategory": "Internet", + "text": "Add diagnostic settings to save DDoS related logs for all the protected public IP addresses (DDoS IP or Network 
Protection).", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "ed46b937-913e-4018-9c62-8393ab037e53", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli", + "service": "ExpressRoute", "services": [ - "Entra", - "VM", - "WAF" + "ExpressRoute" ], "severity": "Medium", - "text": "Azure doesn't currently support combining ASCS and DB HA in the same Linux Pacemaker cluster; separate them into individual clusters. However, you can combine up to five multiple central-services clusters into a pair of VMs.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "subcategory": "Hybrid", + "text": "Ensure that you have investigated the possibility to use ExpressRoute as primary connection to Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "f656e745-0cfb-453e-8008-0528fa21c933", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "description": "You can use AS-path prepending and connection weights to influence traffic from Azure to on-premises, and the full range of BGP attributes in your own routers to influence traffic from on-premises to Azure.", + "guid": "f29812b2-363c-4efe-879b-599de0d5973c", + "link": 
"https://learn.microsoft.com/azure/expressroute/expressroute-routing", + "service": "ExpressRoute", "services": [ - "VM", - "Storage", - "WAF" + "ExpressRoute" ], "severity": "Medium", - "text": "Deploy both VMs in the high-availability pair in an availability set or in availability zones. These VMs should be the same size and have the same storage configuration.", + "subcategory": "Hybrid", + "text": "When you use multiple ExpressRoute circuits, or multiple on-prem locations, make sure to optimize routing with BGP attributes, if certain paths are preferred.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "7f684ebc-95da-425e-b329-e782dbed050f", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", + "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", + "service": "ExpressRoute", "services": [ - "SAP", - "WAF" + "VPN", + "ExpressRoute" ], "severity": "Medium", - "text": "Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances on the same high availability cluster running on Red Hat Enterprise Linux (RHEL).", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "subcategory": "Hybrid", + "text": "Ensure 
that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", + "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", + "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", + "service": "ExpressRoute", "services": [ - "Storage", - "WAF" + "ExpressRoute", + "Cost" ], "severity": "High", - "text": "Run all production systems on Premium managed SSDs and use Azure NetApp Files or Ultra Disk Storage. 
At least the OS disk should be on the Premium tier so you can achieve better performance and the best SLA.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "Reliability" + "subcategory": "Hybrid", + "text": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost.", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", - "service": "SAP", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", + "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", + "service": "ExpressRoute", "services": [ - "Storage", - "SAP", - "WAF" + "ExpressRoute", + "Cost" ], "severity": "High", - "text": "You should run SAP HANA on Azure only on the types of storage that are certified by SAP. Note that certain volumes must be run on certain disk configurations, where applicable. These configurations include enabling Write Accelerator and using Premium storage. 
You also need to ensure that the file system that runs on storage is compatible with the DBMS that runs on the machine.", - "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", - "waf": "Reliability" + "subcategory": "Hybrid", + "text": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU.", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", + "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", + "service": "ExpressRoute", "services": [ - "ASR", - "Storage", - "SAP", - "WAF" + "ExpressRoute" ], - "severity": "High", - "text": "Consider configuring high availability depending on the type of storage you use for your SAP workloads. 
Some storage services available in Azure are not supported by Azure Site Recovery, so your high availability configuration may differ.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", + "severity": "Medium", + "subcategory": "Hybrid", + "text": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", - "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", "services": [ - "Storage", - "SAP", - "WAF" + "ExpressRoute" ], - "severity": "High", - "text": "Different native Azure storage services (like Azure Files, Azure NetApp Files, Azure Shared Disk) may not be available in all regions. 
So to have similar SAP setup on the DR region after failover, ensure the respective storage service is offered in DR site.", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Hybrid", + "text": "For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps ports, use ExpressRoute Direct.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", + "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", + "service": "ExpressRoute", "services": [ - "Cost", - "SAP", - "WAF" + "ExpressRoute" ], "severity": "Medium", - "text": "Automate SAP System Start-Stop to manage costs.", - "waf": "Cost" + "subcategory": "Hybrid", + "text": "When low latency is required, or throughput from on-premises to Azure must be greater than 10 Gbps, enable FastPath to bypass the ExpressRoute gateway from the data path.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", + "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", + 
"link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", + "service": "VPN", "services": [ - "SAP", - "Cost", - "Storage", - "VM", - "WAF" + "VPN" ], - "severity": "Low", - "text": "In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD storage can be used to select a cost-conscious storage solution. However, please note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA of the individual VMs. Also, for systems with lower I/O throughput and low latency, such as non-production environments, lower series VMs can be used.", - "waf": "Cost" + "severity": "Medium", + "subcategory": "Hybrid", + "text": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available).", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "9877f353-2591-4e8b-8381-e9043fed1010", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", + "service": "VPN", "services": [ - "SAP", - "Cost", - "Storage", - "VM", - "WAF" + "VPN" ], - "severity": "Low", - "text": "As a lower-cost alternative configuration (multipurpose), you can choose a low-performance SKU for your non-production HANA database server VMs. 
However, it is important to note that some VM types, such as E-series, are not HANA certified (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.", - "waf": "Cost" + "severity": "Medium", + "subcategory": "Hybrid", + "text": "Use redundant VPN appliances on-premises (active/active or active/passive).", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", - "service": "SAP", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "718cb437-b060-2589-8856-2e93a5c6633b", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", + "service": "ExpressRoute", "services": [ - "RBAC", - "Subscriptions", - "WAF" + "ExpressRoute", + "Cost" ], "severity": "High", - "text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", - "waf": "Security" + "subcategory": "Hybrid", + "text": "If using ExpressRoute Direct, consider using ExpressRoute Local circuits to the local Azure regions to save costs", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "45911475-e39e-4530-accc-d979366bcda2", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", + 
"service": "ExpressRoute", "services": [ - "Entra", - "SAP", - "WAF" + "ExpressRoute" ], "severity": "Medium", - "text": "Enforce Principal propagation for forwarding the identity from SAP cloud application to SAP on-premises (Including IaaS) through cloud connector", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", + "subcategory": "Hybrid", + "text": "When traffic isolation or dedicated bandwidth is required, such as for separating production and nonproduction environments, use different ExpressRoute circuits. It will help you ensure isolated routing domains and alleviate noisy-neighbor risks.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", - "services": [ - "Entra", - "SAP", - "WAF" + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "b30e38c3-f298-412b-8363-cefe179b599d", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", + "service": "ExpressRoute", + "services": [ + "Monitor", + "ExpressRoute" ], "severity": "Medium", - "text": "Implement SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics and SAP C4C with Azure AD using SAML.", - "waf": "Security" + "subcategory": "Hybrid", + "text": "Monitor ExpressRoute availability and utilization using built-in Express Route Insights.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", - "link": 
"https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", + "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", + "service": "ExpressRoute", "services": [ - "SAP", - "WAF" + "ACR", + "Monitor", + "NetworkWatcher" ], "severity": "Medium", - "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", - "waf": "Security" + "subcategory": "Hybrid", + "text": "Use Connection Monitor for connectivity monitoring across the network, especially between on-premises and Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", + "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", + "link": 
"https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#challenges-of-using-multiple-expressroute-circuits", + "service": "ExpressRoute", "services": [ - "SAP", - "WAF" + "ExpressRoute" ], "severity": "Medium", - "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", - "waf": "Security" + "subcategory": "Hybrid", + "text": "Use ExpressRoute circuits from different peering locations for redundancy.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", + "service": "ExpressRoute", "services": [ - "SAP", - "WAF" + "VPN", + "ExpressRoute" ], "severity": "Medium", - "text": "You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", - "waf": "Security" + "subcategory": "Hybrid", + "text": "Use site-to-site VPN as failover of ExpressRoute, especially if only using a single ExpressRoute circuit.", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", - "service": "SAP", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + 
"graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", + "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", + "service": "ExpressRoute", "services": [ - "AKV", - "SAP", - "WAF" + "Storage", + "VNet" ], - "severity": "Medium", - "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", - "waf": "Security" + "severity": "High", + "subcategory": "Hybrid", + "text": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated.", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", - "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", - "service": "SAP", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "d581a947-69a2-4783-942e-9df3664324c8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", + "service": "ExpressRoute", "services": [ - "AKV", - "SAP", - "WAF" + "ACR", + "ExpressRoute" ], - "severity": "Medium", - "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", - "waf": "Security" + "severity": "High", + "subcategory": "Hybrid", + "text": "If using ExpressRoute, your on-premises routing should be dynamic: in the event of a connection failure it should converge to the remaining connection of the circuit. 
Load should be shared across both connections ideally as active/active, although active/passive is supported too.", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "16785d6f-a96c-496a-b885-18f482734c88", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", + "service": "ExpressRoute", "services": [ - "SAP", - "WAF" + "ExpressRoute" ], "severity": "Medium", - "text": "Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom applications to access SAP NetWeaver OData services.", - "waf": "Security" + "subcategory": "Hybrid", + "text": "Ensure the two physical links of your ExpressRoute circuit are connected to two distinct edge devices in your network.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "a747c350-8d4c-449c-93af-393dbca77c48", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", - "service": "SAP", - "services": [ - "SAP", - "WAF" - ], + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", + "service": "ExpressRoute", + "services": [], "severity": "Medium", - "text": "Implement SSO to SAP HANA", - "waf": "Security" + "subcategory": "Hybrid", + "text": "Ensure Bidirectional Forwarding Detection (BFD) is enabled and configured on customer or provider edge routing devices.", + "training": 
"https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "ExpressRoute", "services": [ - "Entra", - "SAP", - "WAF" + "ExpressRoute" ], - "severity": "Medium", - "text": "Consider Azure AD an identity provider for SAP systems hosted on RISE. For more information, see Integrating the Service with Azure AD.", - "waf": "Security" + "severity": "High", + "subcategory": "Hybrid", + "text": "Connect the ExpressRoute Gateway to two or more circuits from different peering locations for higher resiliency.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", - "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", + "service": "ExpressRoute", "services": [ - "SAP", - "WAF" + "VNet", + "Monitor", + "ExpressRoute" ], "severity": "Medium", - "text": "For applications that access SAP, you might want to use principal propagation to establish SSO.", - "waf": "Security" + "subcategory": "Hybrid", + "text": "Configure diagnostic logs and alerts for ExpressRoute virtual network 
gateway.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "5234c93f-b651-41dd-80c1-234177b91ced", + "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", + "service": "ExpressRoute", "services": [ - "Entra", - "SAP", - "WAF" + "VNet", + "ExpressRoute" ], "severity": "Medium", - "text": "If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), consider implementing SSO between SAP Cloud Identity Authentication Services and Azure AD to access those SAP services. This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Azure AD as the central user store and identity provider.", - "waf": "Security" + "subcategory": "Hybrid", + "text": "Avoid using ExpressRoute circuits for VNet-to-VNet communication.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", - "service": "SAP", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", + "link": "https://learn.microsoft.com/azure/app-service/networking-features", + "service": "Firewall", "services": [ - "SAP", - "WAF" + "Firewall" ], - "severity": "Medium", - "text": "Implement SSO to SAP BTP", + "severity": "High", + 
"subcategory": "Firewall", + "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", + "service": "Firewall", "services": [ - "Entra", - "SAP", - "WAF" + "ACR", + "RBAC", + "AzurePolicy", + "Firewall" ], "severity": "Medium", - "text": "If you're using SAP SuccessFactors, consider using the Azure AD automated user provisioning. With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Azure AD. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Azure AD. Use write-back of the email address to SAP SuccessFactors.", + "subcategory": "Firewall", + "text": "Create a global Azure Firewall policy to govern security posture across the global network environment and assign it to all Azure Firewall instances. 
Allow for granular policies to meet requirements of specific regions by delegating incremental firewall policies to local security teams via Azure role-based access control.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "6ba28021-4591-4147-9e39-e5309cccd979", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", + "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", + "service": "Firewall", "services": [ - "AzurePolicy", - "SAP", - "Subscriptions", - "WAF" + "Firewall" ], - "severity": "Medium", - "text": "enforce existing Management Group policies to SAP Subscriptions", - "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", - "waf": "Operations" + "severity": "Low", + "subcategory": "Firewall", + "text": "Configure supported partner SaaS security providers within Firewall Manager if the organization wants to use such solutions to help protect outbound connections.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", + "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", + 
"link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules",
+ "service": "Firewall",
 "services": [
- "SAP",
- "Subscriptions",
- "WAF"
+ "DNS",
+ "Firewall"
 ],
 "severity": "High",
- "text": "Integrate tightly coupled applications into the same SAP subscription to avoid additional routing and management complexity",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions",
- "waf": "Operations"
+ "subcategory": "Firewall",
+ "text": "Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules.",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a",
- "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
- "service": "SAP",
+ "ammp": true,
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant",
+ "guid": "c10d51ef-f999-455d-bba0-5c90ece07447",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features",
+ "service": "Firewall",
 "services": [
- "Subscriptions",
- "WAF"
+ "Firewall"
 ],
 "severity": "High",
- "text": "Leverage Subscription as scale unit and scaling our resources, consider deploying subscription per environment eg. 
Sandbox, non-prod, prod ",
- "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations",
- "waf": "Operations"
+ "subcategory": "Firewall",
+ "text": "Use Azure Firewall Premium for additional security and protection.",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829",
- "link": "https://learn.microsoft.com/azure/quotas/quotas-overview",
- "service": "SAP",
+ "ammp": true,
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant",
+ "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features",
+ "service": "Firewall",
 "services": [
- "VM",
- "Subscriptions",
- "WAF"
+ "Firewall"
 ],
 "severity": "High",
- "text": "Ensure quota increase as a part of subscription provisioning (e.g. 
total available VM cores within a subscription)",
- "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
- "waf": "Operations"
+ "subcategory": "Firewall",
+ "text": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection.",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc",
- "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity",
- "service": "SAP",
+ "ammp": true,
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant",
+ "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps",
+ "service": "Firewall",
 "services": [
- "WAF"
+ "Firewall"
 ],
- "severity": "Low",
- "text": "The Quota API is a REST API that you can use to view and manage quotas for Azure services. 
Consider using it if necessary.",
- "waf": "Operations"
+ "severity": "High",
+ "subcategory": "Firewall",
+ "text": "Configure Azure Firewall IDPS mode to Deny for additional protection.",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8",
- "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal",
- "service": "SAP",
+ "ammp": true,
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant",
+ "guid": "a3784907-9836-4271-aafc-93535f8ec08b",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview",
+ "service": "Firewall",
 "services": [
- "VM",
- "Subscriptions",
- "WAF"
+ "Storage",
+ "VNet",
+ "VWAN",
+ "Firewall",
+ "NVA"
 ],
 "severity": "High",
- "text": 
"If deploying to an availability zone, ensure that the VM's zone deployment is available once the quota has been approved. Submit a support request with the subscription, VM series, number of CPUs and availability zone required.",
- "waf": "Operations"
+ "subcategory": "Firewall",
+ "text": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "e6e20617-3686-4af4-9791-f8935ada4332",
- "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/",
- "service": "SAP",
+ "ammp": true,
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "715d833d-4708-4527-90ac-1b142c7045ba",
+ "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs",
+ "service": "Firewall",
 "services": [
- "WAF"
+ "Storage",
+ "Firewall"
 ],
- "severity": "High",
- "text": "Ensure required services and features are available within the chosen deployment regions eg. 
ANF , Zone etc.",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations",
+ "severity": "Medium",
+ "subcategory": "Firewall",
+ "text": "Add diagnostic settings to save logs, using the Resource Specific destination table, for all Azure Firewall deployments.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "4e138115-2318-41aa-9174-26943ff8ae7d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization",
- "service": "SAP",
+ "ammp": true,
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa",
+ "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy",
+ "service": "Firewall",
 "services": [
- "Cost",
- "TrafficManager",
- "WAF"
+ "AzurePolicy",
+ "Firewall"
 ],
- "severity": "Medium",
- "text": "Leverage Azure resource tag for cost categorization and resource grouping (: BillTo, Department (or Business Unit), Environment (Production, Stage, Development), Tier (Web Tier, Application Tier), Application Owner, ProjectName)",
- "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
+ "severity": "Important",
+ "subcategory": "Firewall",
+ "text": "Migrate from Azure Firewall Classic rules (if exist) to Firewall Policy.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061",
- "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
- "service": "SAP",
+ "ammp": true,
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where 
type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant",
+ "guid": "22d6419e-b627-4d95-9e7d-019fa759387f",
+ "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size",
+ "service": "Firewall",
 "services": [
- "Backup",
- "WAF"
+ "VNet",
+ "Firewall"
 ],
 "severity": "High",
- "text": "Help protect your HANA database by using the Azure Backup service.",
- "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations",
- "waf": "Reliability"
+ "subcategory": "Segmentation",
+ "text": "Use a /26 prefix for your Azure Firewall subnets.",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c",
- "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7",
+ "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy",
+ "service": "Firewall",
 "services": [
- "Entra",
- "VM",
- "Storage",
- "WAF"
+ "AzurePolicy"
 ],
 "severity": "Medium",
- "text": "If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use the Azure Application Consistent Snapshot tool (AzAcSnap) to take application-consistent snapshots. AzAcSnap also supports Oracle databases. 
Consider using AzAcSnap on a central VM rather than on individual VMs.",
- "waf": "Reliability"
+ "subcategory": "Firewall",
+ "text": "Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use",
+ "waf": "Performance"
 },
 {
- "checklist": "WAF checklist",
- "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1",
+ "link": "https://learn.microsoft.com/azure/firewall/ip-groups",
+ "service": "Firewall",
 "services": [
- "SAP",
- "WAF"
+ "Storage"
 ],
- "severity": "High",
- "text": "Ensure time-zone matches between the operating system and the SAP system.",
- "waf": "Operations"
+ "severity": "Medium",
+ "subcategory": "Firewall",
+ "text": "Use IP Groups or IP prefixes to reduce number of IP table rules",
+ "waf": "Performance"
 },
 {
- "checklist": "WAF checklist",
- "guid": "c3c7abc0-716c-4486-893c-40e181d65539",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid",
- "service": "SAP",
- "services": [
- "Entra",
- "WAF"
- ],
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a",
+ "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat",
+ "service": "Firewall",
+ "services": [],
 "severity": "Medium",
- "text": "Don't group different application services in the same cluster. For example, don't combine DRBD and central services clusters on the same cluster. 
However, you can use the same Pacemaker cluster to manage approximately five different central services (multi-SID cluster).",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "Reliability"
+ "subcategory": "Firewall",
+ "text": "Avoid wildcards as a source IP for DNATS, such as * or any, you should specify source IPs for incoming DNATs",
+ "waf": "Performance"
 },
 {
- "checklist": "WAF checklist",
- "guid": "a491dfc4-9353-4213-9217-eef0949f9467",
- "link": "https://azure.microsoft.com/pricing/offers/dev-test/",
- "service": "SAP",
- "services": [
- "Cost",
- "WAF"
- ],
- "severity": "Low",
- "text": "Consider running dev/test systems in a snooze model to save and optimize Azure run costs.",
- "waf": "Cost"
- },
- {
- "checklist": "WAF checklist",
- "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54",
- "link": "https://learn.microsoft.com/azure/lighthouse/overview",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "7371dc21-251a-47a3-af14-6e01b9da4757",
+ "link": "https://learn.microsoft.com/azure/nat-gateway/tutorial-hub-spoke-nat-firewall",
+ "service": "Firewall",
 "services": [
- "Entra",
- "SAP",
- "WAF"
+ "Monitor"
 ],
 "severity": "Medium",
- "text": "If you partner with customers by managing their SAP estates, consider Azure Lighthouse. Azure Lighthouse allows managed service providers to use Azure native identity services to authenticate to the customers' environment. It puts the control in the hands of customers, because they can revoke access at any time and audit service providers' actions.",
- "waf": "Operations"
+ "subcategory": "Firewall",
+ "text": "Prevent SNAT Port exhaustion by monitoring SNAT port usage, evaluating NAT Gateway settings, and ensuring seamless failover. 
If the port count approaches the limit, it’s a sign that SNAT exhaustion might be imminent.",
+ "waf": "Performance"
 },
 {
- "checklist": "WAF checklist",
- "guid": "4d116785-d2fa-456c-96ad-48408fe72734",
- "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview",
- "service": "SAP",
- "services": [
- "VM",
- "WAF"
- ],
- "severity": "Medium",
- "text": "Use Azure Update Manager to check the status of available updates for a single VM or multiple VMs and consider scheduling regular patching.",
- "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations",
- "waf": "Operations"
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "346840b8-1064-496e-8396-4b1340172d52",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection",
+ "service": "Firewall",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Firewall",
+ "text": "Enable TLS Inspection",
+ "waf": "Performance"
 },
 {
- "checklist": "WAF checklist",
- "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d",
- "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories",
+ "service": "Firewall",
 "services": [
- "SAP",
- "WAF"
+ "ServiceBus"
 ],
 "severity": "Low",
- "text": "Optimize and manage SAP Basis operations by using SAP Landscape Management (LaMa). 
Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations",
- "waf": "Operations"
+ "subcategory": "Firewall",
+ "text": "Use web categories to allow or deny outbound access to specific topics.",
+ "waf": "Performance"
 },
 {
- "checklist": "WAF checklist",
- "guid": "14591147-5e39-4e53-89cc-cd979366bcda",
- "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions",
- "service": "SAP",
- "services": [
- "SAP",
- "SQL",
- "Monitor",
- "WAF"
- ],
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall",
+ "service": "Firewall",
+ "services": [],
 "severity": "Medium",
- "text": "Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA, high-availability SUSE clusters, and SQL systems) on Azure. 
Consider supplementing Azure Monitor for SAP solutions with SAP Solution Manager.",
- "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
- "waf": "Operations"
+ "subcategory": "Firewall",
+ "text": "As part of your TLS inspection, plan for receiving traffic from Azure App Gateways for inspection.",
+ "waf": "Performance"
 },
 {
- "checklist": "WAF checklist",
- "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d",
- "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad",
+ "link": "https://learn.microsoft.com/azure/firewall/dns-details",
+ "service": "Firewall",
 "services": [
- "SAP",
- "Monitor",
- "Entra",
- "VM",
- "WAF"
+ "DNS",
+ "Firewall"
 ],
- "severity": "High",
- "text": "Run a VM Extension for SAP check. VM Extension for SAP uses the assigned managed identity of a virtual machine (VM) to access VM monitoring and configuration data. 
The check ensures that all performance metrics in your SAP application come from the underlying Azure Extension for SAP.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations",
- "waf": "Operations"
+ "severity": "Medium",
+ "subcategory": "Firewall",
+ "text": "Enable Azure Firewall DNS proxy configuration ",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41",
+ "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp",
+ "service": "Firewall",
 "services": [
- "AzurePolicy",
- "WAF"
+ "VM",
+ "AzurePolicy"
 ],
 "severity": "Medium",
- "text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. 
",
- "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
- "waf": "Operations"
+ "subcategory": "Firewall",
+ "text": "Ensure there is a policy assignment to deny Public IP addresses directly tied to Virtual Machines",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "523181aa-4174-4269-93ff-8ae7d7d47431",
- "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da",
+ "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics",
+ "service": "Firewall",
 "services": [
- "SAP",
- "NetworkWatcher",
 "Monitor",
- "WAF"
+ "Firewall"
 ],
- "severity": "Medium",
- "text": "Use Connection Monitor in Azure Network Watcher to monitor latency metrics for SAP databases and application servers. Or collect and display network latency measurements by using Azure Monitor.",
- "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979",
+ "severity": "Low",
+ "subcategory": "Firewall",
+ "text": "Integrate Azure Firewall with Azure Monitor and enable diagnostic logging to store and analyze firewall logs.",
 "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "73686af4-6791-4f89-95ad-a43324e13811",
- "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "64e7000e-3c06-485e-b455-ced7f454cba3",
+ "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall",
+ "service": "Firewall",
 "services": [
- "VM",
- "SAP",
- "WAF"
+ "Backup"
 ],
- "severity": "Medium",
- "text": "Perform a quality check for SAP HANA on the provisioned 
Azure infrastructure to verify that provisioned VMs comply with SAP HANA on Azure best practices.",
+ "severity": "Low",
+ "subcategory": "Firewall",
+ "text": "Implement backups for your firewall rules",
 "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "616785d6-fa96-4c96-ad88-518f482734c8",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
- "service": "SAP",
+ "ammp": true,
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511",
+ "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services",
+ "service": "App Gateway",
 "services": [
- "SAP",
- "Subscriptions",
- "WAF"
+ "VNet"
 ],
 "severity": "High",
- "text": "For each Azure subscription, run a latency test on Azure availability zones before zonal deployment to choose low-latency zones for deployment of SAP on Azure.",
- "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
- "waf": "Performance"
+ "subcategory": "PaaS",
+ "text": "Ensure that control-plane communication for Azure PaaS services injected into a virtual network is not broken, for example with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "410adcba-db46-424f-a6c4-05ecde75c52e",
- "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "e43a58a9-c229-49c4-b7b5-7d0c655562f2",
+ "link": "https://learn.microsoft.com/azure/app-service/networking-features",
 "services": [
- "ASR",
- "Storage",
- "WAF"
+ "PrivateLink"
 ],
 "severity": "Medium",
- "text": "Run the Resiliency Report to ensure that 
the configuration of the entire provisioned Azure infrastructure (Compute, Database, Networking, Storage, Site Recovery) complies with the configuration defined by Cloud Adaption Framework for Azure.",
- "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/",
- "waf": "Reliability"
+ "subcategory": "PaaS",
+ "text": "Use Private Link, where available, for shared Azure PaaS services.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "86ba2802-1459-4114-95e3-9e5309cccd97",
- "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a",
+ "link": "https://learn.microsoft.com/azure/app-service/networking-features",
+ "service": "ExpressRoute",
 "services": [
- "SAP",
- "Sentinel",
- "Monitor",
- "WAF"
+ "ExpressRoute",
+ "PrivateLink"
 ],
 "severity": "Medium",
- "text": "Implement threat protection by using the Microsoft Sentinel solution for SAP. Use this solution to monitor your SAP systems and detect sophisticated threats throughout the business logic and application layers.",
- "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations",
+ "subcategory": "PaaS",
+ "text": "Access Azure PaaS services from on-premises via private endpoints and ExpressRoute private peering. 
This method avoids transiting over the public internet.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c",
- "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc",
+ "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6",
+ "link": "https://learn.microsoft.com/azure/app-service/networking-features",
+ "service": "VNet",
 "services": [
- "Cost",
- "WAF"
+ "VNet"
 ],
 "severity": "Medium",
- "text": "Azure tagging can be leveraged to logically group and track resources, automate their deployments, and most importantly, provide visibility on the incurred costs.",
- "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations",
- "waf": "Operations"
+ "subcategory": "PaaS",
+ "text": "Don't enable virtual network service endpoints by default on all subnets.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "guid": 
"7e7a8ed4-b30e-438c-9f29-812b2363cefe",
+ "link": "https://learn.microsoft.com/azure/app-service/networking-features",
+ "service": "Firewall",
 "services": [
- "VM",
- "Monitor",
- "WAF"
+ "DNS",
+ "NVA",
+ "PrivateLink",
+ "Firewall"
 ],
- "severity": "Low",
- "text": "Use inter-VM latency monitoring for latency-sensitive applications.",
- "waf": "Performance"
+ "severity": "Medium",
+ "subcategory": "PaaS",
+ "text": "Filter egress traffic to Azure PaaS services using FQDNs instead of IP addresses in Azure Firewall or an NVA to prevent data exfiltration. If using Private Link you can block all FQDNs, otherwise allow only the required PaaS services.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba",
- "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
- "service": "SAP",
+ "ammp": true,
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant",
+ "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway",
+ "service": "ExpressRoute",
 "services": [
- "ASR",
- "SAP",
- "Monitor",
- "WAF"
+ "VPN",
+ "VNet",
+ "ExpressRoute"
 ],
- "severity": "Medium",
- "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.",
- "training": 
"https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Segmentation",
+ "text": "Use at least a /27 prefix for your Gateway subnets",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)",
+ "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8",
+ "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags",
+ "service": "NSG",
 "services": [
- "Storage",
- "SAP",
- "WAF"
+ "VNet"
 ],
 "severity": "Medium",
- "text": "Exclude all the database file systems and executable programs from antivirus scans. Including them could lead to performance problems. 
Check with the database vendors for prescriptive details on the exclusion list. For example, Oracle recommends excluding /oracle//sapdata from antivirus scans.",
- "waf": "Performance"
+ "subcategory": "Segmentation",
+ "text": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity.",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "c027f893-f404-41a9-b33d-39d625a14964",
- "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "c2447ec6-6138-4a72-80f1-ce16ed301d6e",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation",
 "services": [
- "SAP",
- "WAF"
+ "VNet"
 ],
- "severity": "Low",
- "text": "Consider collecting full database statistics for non-HANA databases after migration. For example, implement SAP note 1020260 - Delivery of Oracle statistics.",
- "waf": "Performance"
+ "severity": "Medium",
+ "subcategory": "Segmentation",
+ "text": "Delegate subnet creation to the landing zone owner.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e",
- "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation",
+ "service": "NSG",
 "services": [
- "Storage",
- "SAP",
- "WAF"
+ "VNet",
+ "ACR"
 ],
 "severity": "Medium",
- "text": "Consider using Oracle Automatic Storage Management (ASM) for 
all Oracle deployments that use SAP on Azure.", - "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", - "waf": "Performance" + "subcategory": "Segmentation", + "text": "Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones).", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)", + "guid": "9c2299c4-d7b5-47d0-a655-562f2b3e4563", + "service": "NSG", "services": [ - "SQL", - "SAP", - "WAF" + "VNet", + "VM" ], "severity": "Medium", - "text": "For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose performance problems. Automatic Workload Repository (AWR) reports contain valuable information for diagnosing problems in the Oracle system. 
We recommend that you run an AWR report during several sessions and choose peak times for it, to ensure broad coverage for the analysis.", - "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", - "waf": "Performance" + "subcategory": "Segmentation", + "text": "The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "NSG", "services": [ - "ASR", - "SAP", - "Monitor", - "WAF" + "VNet", + "Entra", + "NVA" ], - "severity": "High", - "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.", - "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Segmentation", + "text": "Use NSGs and application security groups to micro-segment traffic within the landing zone and avoid using a central NVA to filter traffic flows.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "SAP", + "category": "Network Topology and 
Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "dfe237de-143b-416c-91d7-aa9b64704489", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "NSG", "services": [ - "AzurePolicy", - "AppGW", - "WAF" + "VNet", + "NetworkWatcher" ], "severity": "Medium", - "text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", + "subcategory": "Segmentation", + "text": "Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", + "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "NSG", "services": [ - "VM", - "DNS", - "SAP", - "WAF" + "VNet" ], "severity": "Medium", - "text": "If the virtual machine's DNS or virtual name is not changed during migration to Azure, Background DNS and virtual names connect many system interfaces in the SAP landscape, and customers are only sometimes aware of the interfaces that developers define over time. 
Connection challenges arise between various systems when virtual or DNS names change after migrations, and it's recommended to retain DNS aliases to prevent these types of difficulties.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", - "waf": "Operations" + "subcategory": "Segmentation", + "text": "Consider the limit of NSG rules per NSG (1000).", + "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", + "service": "VWAN", "services": [ - "VNet", - "DNS", - "SAP", - "WAF" + "VWAN" ], "severity": "Medium", - "text": "Use different DNS zones to distinguish each environment (sandbox, development, preproduction, and production) from each other. 
The exception is for SAP deployments with their own VNet; here, private DNS zones might not be necessary.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "subcategory": "Virtual WAN", + "text": "Consider Virtual WAN for simplified Azure networking management, and make sure your scenario is explicitly described in the list of Virtual WAN routing designs", + "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "a3592829-e6e2-4061-9368-6af46791f893", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "VWAN", "services": [ - "SAP", - "VNet", "ACR", - "WAF" + "VWAN" ], "severity": "Medium", - "text": "Local and global VNet peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions", - "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", - "waf": "Reliability" + "subcategory": "Virtual WAN", + "text": "Use a Virtual WAN hub per Azure region to connect multiple landing zones together across Azure regions via a common global Azure Virtual WAN.", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", + "link": 
"https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "VWAN", "services": [ - "NVA", - "SAP", - "WAF" + "ACR", + "VWAN" ], - "severity": "High", - "text": "It is not supported to deploy any NVA between SAP application and SAP Database server", - "training": "https://me.sap.com/notes/2731110", + "severity": "Low", + "subcategory": "Virtual WAN", + "text": "Follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network", "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", - "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", + "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "VWAN", "services": [ - "SAP", "VWAN", - "ACR", - "WAF" + "Firewall" ], "severity": "Medium", - "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", - "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "waf": "Operations" + "subcategory": "Virtual WAN", + "text": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "VWAN", "services": [ - "VNet", - "NVA", - "WAF" + "VWAN" ], "severity": "Medium", - "text": "Consider deploying network virtual appliances (NVAs) between regions only if partner NVAs are used. NVAs between regions or VNets aren't required if native NVAs are present. 
When you're deploying partner networking technologies and NVAs, follow the vendor's guidance to verify conflicting configurations with Azure networking.", - "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", - "waf": "Operations" + "subcategory": "Virtual WAN", + "text": "Ensure that the network architecture is within the Azure Virtual WAN limits.", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", - "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", + "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", + "service": "VWAN", "services": [ - "VNet", - "SAP", - "VWAN", - "NVA", - "WAF" + "Monitor", + "VWAN" ], "severity": "Medium", - "text": "Virtual WAN manages connectivity between spoke VNets for virtual-WAN-based topologies (no need to set up user-defined routing [UDR] or NVAs), and maximum network throughput for VNet-to-VNet traffic in the same virtual hub is 50 gigabits per second. 
If necessary, SAP landing zones can use VNet peering to connect to other landing zones and overcome this bandwidth limitation.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", + "subcategory": "Virtual WAN", + "text": "Use Azure Monitor Insights for Virtual WAN to monitor the end-to-end topology of the Virtual WAN, status, and key metrics.", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "82734c88-6ba2-4802-8459-11475e39e530", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", + "service": "VWAN", "services": [ - "VM", - "SAP", - "WAF" + "VWAN" ], - "severity": "High", - "text": "Public IP assignment to VM running SAP Workload is not recommended.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", - "waf": "Security" + "severity": "Medium", + "subcategory": "Virtual WAN", + "text": "Make sure that your IaC deployments does not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked.", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", - "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", + "service": 
"VWAN", "services": [ - "ASR", - "WAF" + "VPN", + "ExpressRoute", + "VWAN" ], - "severity": "High", - "text": "Consider reserving IP address on DR side when configuring ASR", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Virtual WAN", + "text": "Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN.", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", + "service": "VWAN", "services": [ - "WAF" + "VWAN" ], - "severity": "High", - "text": "Avoid using overlapping IP address ranges for production and DR sites.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Virtual WAN", + "text": "Make sure that your IaC deployments are configuring label-based propagation in Virtual WAN, otherwise connectivity between virtual hubs will be impaired.", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "6e154e3a-a359-4282-ae6e-206173686af4", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", - "service": "SAP", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "9c75dfef-573c-461c-a698-68598595581a", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", + 
"service": "VWAN", "services": [ - "VNet", - "Storage", - "WAF" + "VWAN" ], - "severity": "Medium", - "text": "While Azure does help you to create multiple delegated subnets in a VNet, only one delegated subnet can exist in a VNet for Azure NetApp Files. Attempts to create a new volume will fail if you use more than one delegated subnet for Azure NetApp Files.", - "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", - "waf": "Operations" + "severity": "High", + "subcategory": "Virtual WAN", + "text": "Assign enough IP space to virtual hubs, ideally a /23 prefix.", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", - "service": "SAP", + "ammp": true, + "category": "Governance", + "checklist": "Azure Landing Zone Review", + "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "services": [ - "Firewall", - "WAF" + "AzurePolicy" ], - "severity": "Medium", - "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)", - "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", + "severity": "High", + "subcategory": "Governance", + "text": "Leverage Azure Policy strategically, define controls for your environment, using Policy Initiatives to group related policies.", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", - "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", - "service": "SAP", + "category": "Governance", + 
"checklist": "Azure Landing Zone Review", + "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "services": [ - "AppGW", - "SAP", - "WAF" + "RBAC", + "AzurePolicy" ], "severity": "Medium", - "text": "Application Gateway and Web Application Firewall have limitations when Application Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between Application Gateway, SAP Web Dispatcher, and other third-party services.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", + "subcategory": "Governance", + "text": "Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments.", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", + "category": "Governance", + "checklist": "Azure Landing Zone Review", + "guid": "223ace8c-b123-408c-a501-7f154e3ab369", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "services": [ - "FrontDoor", - "AzurePolicy", - "ACR", - "WAF" + "Subscriptions", + "AzurePolicy" ], "severity": "Medium", - "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", - "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", + "subcategory": "Governance", + "text": "Establish Azure Policy definitions at the intermediate root management group so that they can be assigned at inherited scopes", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "SAP", + "category": "Governance", + "checklist": "Azure Landing 
Zone Review", + "guid": "3829e7e3-1618-4368-9a04-77a209945bda", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "services": [ - "FrontDoor", - "AzurePolicy", - "AppGW", - "WAF" + "AzurePolicy" ], "severity": "Medium", - "text": "Take advantage of Web Application Firewall policies in Azure Front Door when you're using Azure Front Door and Application Gateway to protect HTTP/S applications. Lock down Application Gateway to receive traffic only from Azure Front Door.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "subcategory": "Governance", + "text": "Manage policy assignments at the highest appropriate level with exclusions at bottom levels, if required.", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "5ada4332-4e13-4811-9231-81aa41742694", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", + "category": "Governance", + "checklist": "Azure Landing Zone Review", + "guid": "43334f24-9116-4341-a2ba-527526944008", + "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", + "service": "Policy", "services": [ - "LoadBalancer", - "AppGW", - "WAF" + "Subscriptions", + "AzurePolicy" ], - "severity": "Medium", - "text": "Use a web application firewall to scan your traffic when it's exposed to the internet. 
Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "severity": "Low", + "subcategory": "Governance", + "text": "Use Azure Policy to control which services users can provision at the subscription/management group level", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "SAP", + "category": "Governance", + "checklist": "Azure Landing Zone Review", + "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "services": [ - "SAP", - "VWAN", - "ACR", - "WAF" + "AzurePolicy" ], "severity": "Medium", - "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", - "waf": "Performance" + "subcategory": "Governance", + "text": "Use built-in policies where possible to minimize operational overhead.", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "SAP", + "category": "Governance", + "checklist": "Azure Landing Zone Review", + "description": "Assigning the Resource Policy Contributor role to specific scopes allows you to delegate policy management to relevant teams. For instance, a central IT team may oversee management group-level policies, while application teams handle policies for their subscriptions, enabling distributed governance with adherence to organizational standards.", + "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", + "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", + "service": "Policy", "services": [ - "VNet", - "Backup", - "PrivateLink", - "Storage", - "ACR", - "WAF" + "Entra", + "RBAC", + "Subscriptions", + "AzurePolicy" ], "severity": "Medium", - "text": "To prevent data leakage, use Azure Private Link to securely access platform as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, and more. Azure Private Endpoint can also help to secure traffic between VNets and services like Azure Storage, Azure Backup, and more. 
Traffic between your VNet and the Private Endpoint enabled service travels across the Microsoft global network, which prevents its exposure to the public internet.", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", + "subcategory": "Governance", + "text": "Assign the built-in Resource Policy Contributor role at a particular scope to enable application-level governance.", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", - "service": "SAP", - "services": [ - "VM", - "SAP", - "WAF" - ], - "severity": "High", - "text": "Make sure that Azure accelerated networking is enabled on the VMs used in the SAP application and DBMS layers.", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "Performance" - }, - { - "checklist": "WAF checklist", - "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", - "service": "SAP", + "category": "Governance", + "checklist": "Azure Landing Zone Review", + "guid": "19048384-5c98-46cb-8913-156a12476e49", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "services": [ - "LoadBalancer", - "WAF" + "Subscriptions", + "AzurePolicy" ], "severity": "Medium", - "text": "Make sure that internal deployments for Azure Load Balancer are set up to use Direct Server Return (DSR). 
This setting (Enabling Floating IP) will reduce latency when internal load balancer configurations are used for high-availability configurations on the DBMS layer.", - "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "subcategory": "Governance", + "text": "Limit the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited scopes.", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "6791f893-5ada-4433-84e1-3811523181aa", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "SAP", + "category": "Governance", + "checklist": "Azure Landing Zone Review", + "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", + "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", + "service": "Policy", "services": [ - "VNet", - "VM", - "SAP", - "WAF" + "AzurePolicy" ], "severity": "Medium", - "text": "You can use application security group (ASG) and NSG rules to define network security access-control lists between the SAP application and DBMS layers. 
ASGs group virtual machines to help manage their security.", - "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", + "subcategory": "Governance", + "text": "If any data sovereignty requirements exist, Azure Policies can be deployed to enforce them", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "category": "Governance", + "checklist": "Azure Landing Zone Review", + "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", + "service": "Policy", "services": [ - "VNet", - "SAP", - "WAF" + "AzurePolicy" ], - "severity": "High", - "text": "Placing of the SAP application layer and SAP DBMS in different Azure VNets that aren't peered isn't supported.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Governance", + "text": "For Sovereign Landing Zone, sovereignty policy baseline' policy initiative is deployed and and assigned at correct MG level.", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "fa96c96a-d885-418f-9827-34c886ba2802", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "category": "Governance", + "checklist": "Azure Landing Zone Review", + "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", + "service": "Policy", "services": [ - "SAP", - "WAF" + "AzurePolicy" ], "severity": "Medium", - "text": "For optimal network latency with SAP applications, consider using Azure proximity 
placement groups.", - "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", - "waf": "Performance" + "subcategory": "Governance", + "text": "For Sovereign Landing Zone, sovereign Control objectives to policy mapping' is documented.", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "category": "Governance", + "checklist": "Azure Landing Zone Review", + "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", + "service": "Policy", "services": [ - "SAP", - "WAF" + "AzurePolicy" ], - "severity": "High", - "text": "It is NOT supported at all to run an SAP Application Server layer and DBMS layer split between on-premise and Azure. Both layers need to completely reside either on-premise or in Azure.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Governance", + "text": "For Sovereign Landing Zone, process is in place for CRUD of 'Sovereign Control objectives to policy mapping'.", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "category": "Governance", + "checklist": "Azure Landing Zone Review", + "guid": "29fd366b-a180-452b-9bd7-954b7700c667", + "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets?bc=%2Fazure%2Fcloud-adoption-framework%2F_bread%2Ftoc.json&toc=%2Fazure%2Fcloud-adoption-framework%2Ftoc.json", "services": [ - "Cost", - "VNet", - "SAP", - "WAF" + "TrafficManager", + "Monitor", + "Cost" ], - "severity": "High", - "text": "It isn't recommended to host the database management system (DBMS) and application layers of SAP systems in different VNets and 
connect them with VNet peering because of the substantial costs that excessive network traffic between the layers can produce. Recommend using subnets within the Azure virtual network to separate the SAP application layer and DBMS layer.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "severity": "Medium", + "subcategory": "Optimize your cloud investment", + "text": "Configure 'Actual' and 'Forecasted' Budget Alerts.", "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "402a9846-d515-4061-aff8-cd30088693fa", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", - "service": "SAP", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "services": [ - "LoadBalancer", - "WAF" + "Entra", + "RBAC", + "AzurePolicy", + "Monitor" ], - "severity": "High", - "text": "If using Load Balancer with Linux guest operating systems, check that the Linux network parameter net.ipv4.tcp_timestamps is set to 0.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Monitoring", + "text": "Use a single monitor logs workspace to manage platforms centrally except where Azure role-based access control (Azure RBAC), data sovereignty requirements, or data retention policies mandate separate workspaces.", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "87585797-5551-4d53-bb7d-a94ee415734d", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", - "service": "SAP", + "category": "Management", + "checklist": "Azure Landing 
Zone Review", + "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Monitor", "services": [ - "VNet", - "SAP", - "WAF" + "Storage", + "ARS", + "AzurePolicy", + "Monitor" ], "severity": "Medium", - "text": "For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with customer's existing Azure environment. Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering", - "waf": "Security" + "subcategory": "Monitoring", + "text": "Export logs to Azure Storage if your log retention requirements exceed twelve years. Use immutable storage with a write-once, read-many policy to make data non-erasable and non-modifiable for a user-specified interval.", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", + "service": "VM", "services": [ - "Backup", "VM", - "SAP", - "WAF" - ], - "severity": "High", - "text": "Review SAP HANA database backups for Azure VMs.", - "waf": "Cost" - }, - { - "checklist": "WAF checklist", - "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", - "services": [ - "ASR", - "SAP", "Monitor", - "WAF" + "AzurePolicy" ], "severity": "Medium", - "text": "Review Site Recovery built-in monitoring, where 
used for SAP.", - "waf": "Cost" + "subcategory": "Monitoring", + "text": "Monitor OS level virtual machine (VM) configuration drift using Azure Policy. Enabling Azure Automanage Machine Configuration audit capabilities through policy helps application team workloads to immediately consume feature capabilities with little effort.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", - "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", - "service": "SAP", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", + "service": "VM", "services": [ - "SAP", - "Monitor", - "WAF" + "VM" ], - "severity": "High", - "text": "Review the Monitoring the SAP HANA System Landscape guidance.", + "severity": "Medium", + "subcategory": "Operational compliance", + "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs in Azure.", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", - "service": "SAP", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", + "service": "VM", "services": [ - "Backup", - "VM", 
- "WAF" + "VM" ], "severity": "Medium", - "text": "Review Oracle Database in Azure Linux VM backup strategies.", + "subcategory": "Operational compliance", + "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs outside of Azure using Azure Arc.", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", - "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", - "service": "SAP", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "90483845-c986-4cb2-a131-56a12476e49f", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Network Watcher", "services": [ - "SQL", - "Storage", - "WAF" + "Monitor", + "NetworkWatcher" ], "severity": "Medium", - "text": "Review the use of Azure Blob Storage with SQL Server 2016.", + "subcategory": "Monitoring", + "text": "Use Network Watcher to proactively monitor traffic flows", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", - "service": "SAP", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "541acdce-9793-477b-adb3-751ab2ab13ad", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", "services": [ - "Backup", - "VM", - "WAF" + "Monitor" ], "severity": "Medium", - "text": "Review the use of Automated Backup v2 for Azure VMs.", + "subcategory": "Monitoring", + "text": "Use resource locks to prevent accidental deletion of critical shared services.", + 
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", - "service": "SAP", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "a6e55d7d-8a2a-4db1-87d6-326af625ca44", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", "services": [ - "WAF" + "RBAC", + "AzurePolicy", + "Monitor" ], - "severity": "High", - "text": "Enabling Write accelerator for M series when using premium disks(V1)", + "severity": "Low", + "subcategory": "Monitoring", + "text": "Use deny policies to supplement Azure role assignments. The combination of deny policies and Azure role assignments ensures the appropriate guardrails are in place to enforce who can deploy and configure resources and what resources they can deploy and configure.", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "service": "SAP", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "e5695f22-23ac-4e8c-a123-08ca5017f154", + "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", "services": [ - "WAF" + "Monitor" ], "severity": "Medium", - "text": "Test availability zone latency.", - "waf": "Performance" + "subcategory": "Monitoring", + "text": "Include service and resource health events as part of the overall platform monitoring solution. 
Tracking service and resource health from the platform perspective is an important component of resource management in Azure.", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", - "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", - "service": "SAP", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "d5f345bf-97ab-41a7-819c-6104baa7d48c", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", "services": [ - "SAP", - "WAF" + "Monitor" ], "severity": "Medium", - "text": "Activate SAP EarlyWatch Alert for all SAP components.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", - "waf": "Performance" + "subcategory": "Monitoring", + "text": "Include alerts and action groups as part of the Azure Service Health platform to ensure that alerts or issues can be actioned", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", - "service": "SAP", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "e3ab3693-829e-47e3-8618-3687a0477a20", + "link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard", "services": [ - "SAP", - "WAF" + "Monitor" ], "severity": "Medium", - "text": "Review SAP application server to database server latency using SAP ABAPMeter report /SSA/CAT.", - "training": "https://me.sap.com/notes/0002879613", - "waf": "Performance" + "subcategory": "Monitoring", + "text": "Don't send raw log entries back to on-premises monitoring systems. Instead, adopt a principle that data born in Azure stays in Azure. 
If on-premises SIEM integration is required, then send critical alerts instead of logs.", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", - "service": "SAP", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Monitor", "services": [ - "SQL", - "Monitor", - "WAF" + "Monitor" ], "severity": "Medium", - "text": "Review SQL Server performance monitoring using CCMS.", - "waf": "Performance" + "subcategory": "Monitoring", + "text": "Use Azure Monitor Logs for insights and reporting.", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", - "link": "https://me.sap.com/notes/500235", - "service": "SAP", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "619e8a13-f988-4795-85d6-26886d70ba6c", + "link": "https://learn.microsoft.com/azure/azure-monitor/agents/diagnostics-extension-overview", "services": [ - "VM", - "SAP", - "WAF" + "Storage", + "Monitor" ], "severity": "Medium", - "text": "Test network latency between SAP application layer VMs and DBMS VMs (NIPING).", - "training": "https://me.sap.com/notes/1100926/E", - "waf": "Performance" + "subcategory": "Monitoring", + "text": "When necessary, use shared storage accounts within the landing zone for Azure diagnostic extension log storage.", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", - "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", - "service": "SAP", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "97be9951-9048-4384-9c98-6cb2913156a1", + "link": 
"https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", + "service": "Monitor", "services": [ - "SAP", - "Monitor", - "WAF" + "Monitor" ], "severity": "Medium", - "text": "Review SAP HANA studio alerts.", - "waf": "Performance" + "subcategory": "Monitoring", + "text": "Use Azure Monitor alerts for the generation of operational alerts.", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", - "link": "https://me.sap.com/notes/1969700", - "service": "SAP", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "859c3900-4514-41eb-b010-475d695abd74", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", "services": [ - "SAP", - "WAF" + "Monitor" ], "severity": "Medium", - "text": "Perform SAP HANA health checks using HANA_Configuration_Minichecks.", - "waf": "Performance" + "subcategory": "Monitoring", + "text": "Ensure that monitoring requirements have been assessed and that appropriate data collection and alerting configurations are applied", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "Monitor", "services": [ - "VM", - "WAF" + "Monitor" ], "severity": "Medium", - "text": "If you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments, you can use the Update management center in Azure Automation to manage operating system updates, including security patches.", - "training": "https://learn.microsoft.com/azure/automation/update-management/overview", - "waf": "Security" + "subcategory": "Monitoring", + 
"text": "When using Change and Inventory Tracking via Azure Automation Accounts, ensure that you have selected supported regions for linking your Log Analytics workspace and automation accounts together.", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "08951710-79a2-492a-adbc-06d7a401545b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "aa45be6a-8f2d-4896-b0e3-775e6e94e610", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-monitor", "services": [ - "SAP", - "WAF" + "Monitor", + "AzurePolicy" ], "severity": "Medium", - "text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.", - "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", - "waf": "Security" + "subcategory": "Monitoring", + "text": "Establish monitoring for platform components of your landing zone, AMBA is a framework solution that is available and provides an easy way to scale alerting by using Azure Policy", + "training": "https://azure.github.io/azure-monitor-baseline-alerts/patterns/alz/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", - "services": [ - "SQL", - "SAP", - "WAF" - ], - "severity": "Low", - "text": "For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the account. 
Ensure that another user with system administrator rights can access the server before disabling the original system administrator account.", - "waf": "Security" + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "7ea02e1c-7166-45a3-bdf5-098891367fcb", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "services": [], + "severity": "Medium", + "subcategory": "Data Protection", + "text": "Consider cross-region replication in Azure for BCDR with paired regions", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Backup", "services": [ - "SQL", - "WAF" + "Backup" ], - "severity": "High", - "text": "Disable xp_cmdshell. The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. 
It's a potential risk in security audits.", - "training": "https://me.sap.com/notes/3019299/E", - "waf": "Security" + "severity": "Medium", + "subcategory": "Data Protection", + "text": "When using Azure Backup, consider the different backup types (GRS, ZRS & LRS) as the default setting is GRS", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "VM", "services": [ - "SAP", - "Backup", - "SQL", - "Storage", - "WAF" + "VM", + "AzurePolicy" ], - "severity": "High", - "text": "Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption technology. 
Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "severity": "Medium", + "subcategory": "Operational compliance", + "text": "Use Azure policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "SAP", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "description": "Azure Policy's guest configuration features can audit and remediate machine settings (e.g., OS, application, environment) to ensure resources align with expected configurations, and Update Management can enforce patch management for VMs.", + "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "VM", "services": [ - "Storage", - "WAF" + "VM", + "Monitor", + "AzurePolicy" ], "severity": "Medium", - "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. 
Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.", - "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", + "subcategory": "Operational compliance", + "text": "Monitor VM security configuration drift via Azure Policy.", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "SAP", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "VM", "services": [ - "AKV", - "WAF" + "ASR", + "ACR", + "VM" ], - "severity": "High", - "text": "Use Azure Key Vault to store your secrets and credentials", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Security" + "severity": "Medium", + "subcategory": "Protect and Recover", + "text": "Use Azure Site Recovery for Azure-to-Azure Virtual Machines disaster recovery scenarios. This enables you to replicate workloads across regions.", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "829e2edb-2173-4676-aff6-691b4935ada4", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "SAP", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "b2ab13ad-a6e5-45d7-b8a2-adb117d6326a", + "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", "services": [ - "RBAC", - "AzurePolicy", - "Subscriptions", - "WAF" + "ASR" ], "severity": "Medium", - "text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes. 
You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).", - "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", - "waf": "Security" + "subcategory": "Protect and Recover", + "text": "Ensure to use and test native PaaS service disaster recovery capabilities.", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "SAP", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "Backup", "services": [ - "AzurePolicy", - "AKV", - "WAF" + "Backup" ], "severity": "Medium", - "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Security" + "subcategory": "Protect and Recover", + "text": "Use Azure-native backup capabilities, or an Azure-compatible, 3rd-party backup solution.", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", - "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", - "service": "SAP", + "ammp": true, + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "826c5c45-bb79-4951-a812-e3bfbfd7326b", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "VM", "services": [ - "RBAC", - "AzurePolicy", - "WAF" + "VM" ], "severity": "High", - "text": "Based on existing requirements, regulatory and compliance controls (internal/external) - Determine what 
Azure Policies and Azure RBAC role are needed", - "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", - "waf": "Security" + "subcategory": "Fault Tolerance", + "text": "Leverage Availability Zones for your VMs in regions where they are supported.", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "ammp": true, + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "7ccb7c06-5511-42df-8177-d97f08d0337d", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "VM", "services": [ - "Defender", - "Storage", - "SAP", - "WAF" + "VM" ], "severity": "High", - "text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. 
Follow your DBMS vendor's recommendations when excluding target files.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", - "waf": "Security" + "subcategory": "Fault Tolerance", + "text": "Avoid running a production workload on a single VM.", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", - "service": "SAP", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "84101f59-1941-4195-a270-e28034290e3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", "services": [ - "Defender", - "RBAC", - "SAP", - "WAF" + "ACR", + "LoadBalancer", + "AppGW" ], - "severity": "High", - "text": "Delegate an SAP admin custom role with just-in-time access of Microsoft Defender for Cloud.", - "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "waf": "Security" + "severity": "Medium", + "subcategory": "Fault Tolerance", + "text": "Azure Load Balancer and Application Gateway distribute incoming network traffic across multiple resources.", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "ammp": true, + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "WAF", "services": [ - "SAP", - "WAF" + 
"FrontDoor", + "WAF", + "AppGW" ], - "severity": "Low", - "text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS", - "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", - "waf": "Security" + "severity": "High", + "subcategory": "App delivery", + "text": "Add diagnostic settings to save WAF logs from application delivery services like Azure Front Door and Azure Application Gateway. Regularly review the logs to check for attacks and for false positive detections.", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", - "service": "SAP", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "7f408960-c626-44cb-a018-347c8d790cdf", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "WAF", "services": [ - "AKV", - "WAF" + "AppGW", + "FrontDoor", + "WAF", + "Sentinel" ], "severity": "Medium", - "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "subcategory": "App delivery", + "text": "Send WAF logs from your application delivery services like Azure Front Door and Azure Application Gateway to Microsoft Sentinel. 
Detect attacks and integrate WAF telemetry into your overall Azure environment.", + "waf": "Operations" + }, + { + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "b86ad884-08e3-4727-94b8-75ba18f20459", + "link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response", + "services": [], + "severity": "Medium", + "subcategory": "Access control", + "text": "Determine the incident response plan for Azure services before allowing it into production.", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "4935ada4-2223-4ece-a1b1-23181a541741", - "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", - "service": "SAP", - "services": [ - "AKV", - "WAF" - ], - "severity": "High", - "text": "Use an Azure Key Vault per application per environment per region.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "01365d38-e43f-49cc-ad86-8266abca264f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/security-zero-trust", + "services": [], + "severity": "Medium", + "subcategory": "Access control", + "text": "Implement a zero-trust approach for access to the Azure platform, where appropriate.", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", - "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", - "service": "SAP", + "ammp": true, + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "5017f154-e3ab-4369-9829-e7e316183687", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "Key Vault", "services": [ - "AKV", - "SAP", - "WAF" + "AKV" ], "severity": "High", - "text": "To control and manage disk encryption keys and secrets 
for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.",
- "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations",
+ "subcategory": "Encryption and keys",
+ "text": "Use Azure Key Vault to store your secrets and credentials",
 "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "209d490d-a477-4784-84d1-16785d2fa56c",
- "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles",
- "service": "SAP",
- "services": [
- "RBAC",
- "SAP",
- "Subscriptions",
- "WAF"
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)",
+ "guid": "a0477a20-9945-4bda-9333-4f2491163418",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling",
+ "service": "Key Vault",
+ "services": [
+ "AKV"
 ],
- "severity": "High",
- "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes",
- "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations",
+ "severity": "Medium",
+ "subcategory": "Encryption and keys",
+ "text": "Use different Azure Key Vaults for different applications and regions to avoid transaction scale limits 
and restrict access to secrets.",
 "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591",
- "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/",
- "service": "SAP",
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
 "services": [
- "PrivateLink",
- "NVA",
- "SAP",
- "WAF"
+ "AKV",
+ "AzurePolicy"
 ],
- "severity": "High",
- "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources",
- "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal",
+ "severity": "Medium",
+ "subcategory": "Encryption and keys",
+ "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.",
 "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5",
- "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations",
- "service": "SAP",
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "dc055bcf-619e-48a1-9f98-879525d62688",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
 "services": [
- "VM",
- "Storage",
- "WAF"
+ "Entra",
+ "RBAC",
+ "AKV"
 ],
- "severity": "Low",
- "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.",
- "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/",
+ "severity": "Medium",
+ "subcategory": "Encryption and keys",
+ "text": "Follow a least privilege model by 
limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Microsoft Entra ID roles.",
 "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676",
- "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide",
- "service": "SAP",
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "6d70ba6c-97be-4995-8904-83845c986cb2",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
 "services": [
- "Defender",
- "WAF"
+ "AKV"
 ],
- "severity": "Low",
- "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.",
- "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations",
+ "severity": "Medium",
+ "subcategory": "Encryption and keys",
+ "text": "Automate the certificate management and renewal process with public certificate authorities to ease administration.",
 "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525",
- "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
- "service": "SAP",
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "913156a1-2476-4e49-b541-acdce979377b",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
 "services": [
- "VNet",
- "SAP",
- "WAF"
+ "AKV"
 ],
- "severity": "High",
- "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. 
The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations",
+ "severity": "Medium",
+ "subcategory": "Encryption and keys",
+ "text": "Establish an automated process for key and certificate rotation.",
 "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
- "service": "SAP",
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
 "services": [
- "SAP",
- "WAF"
+ "VNet",
+ "AKV",
+ "PrivateLink"
 ],
- "severity": "Low",
- "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. 
For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.",
- "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations",
+ "severity": "Medium",
+ "subcategory": "Encryption and keys",
+ "text": "Enable firewall and virtual network service endpoint or private endpoint on the vault to control access to the key vault.",
 "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc",
- "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions",
- "service": "SAP",
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault",
+ "service": "Key Vault",
 "services": [
- "SAP",
- "AKV",
+ "Entra",
 "Monitor",
- "WAF"
+ "AKV"
 ],
 "severity": "Medium",
- "text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. 
We highly recommend that you use root certificates.",
- "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
+ "subcategory": "Encryption and keys",
+ "text": "Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault.",
 "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "af416482-663c-4ed6-b195-b44c7068e09c",
- "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support",
- "service": "Container Apps",
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
 "services": [
- "WAF"
+ "AKV",
+ "AzurePolicy"
 ],
- "severity": "High",
- "text": "Leverage Availability Zones if regionally applicable",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Encryption and keys",
+ "text": "Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant configuration.",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "95bc80ec-6499-4d14-a7d2-7d296b1d8abc",
- "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment",
- "service": "Container Apps",
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "16183687-a047-47a2-8994-5bda43334f24",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/encryption-atrest",
 "services": [
- "WAF"
+ "AKV"
 ],
- "severity": "High",
- "text": "Use more than one replica and enable Zone Redundancy.",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Encryption and keys",
+ "text": "Default to 
Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "ccaa4fc2-fdbc-4432-8bb7-f7e6469e4dc3",
- "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity",
- "service": "Container Apps",
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "91163418-2ba5-4275-8694-4008be7d7e48",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
 "services": [
- "WAF"
+ "AKV"
 ],
- "severity": "High",
- "text": "For cross-region DR, deploy container apps in multiple regions and follow active/active or active/passive application guidance.",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Encryption and keys",
+ "text": "Use an Azure Key Vault per application per environment per region.",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "2ffada86-c031-4933-bf7d-0c45bc4e5919",
- "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity",
- "service": "Container Apps",
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "25d62688-6d70-4ba6-a97b-e99519048384",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
 "services": [
- "FrontDoor",
- "TrafficManager",
- "WAF"
+ "ASR",
+ "ACR",
+ "AKV"
 ],
- "severity": "High",
- "text": "Use Front Door or Traffic Manager to route traffic to the closest region",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Encryption and keys",
+ "text": "If you want to bring your own keys, this might not be supported across all considered services. Implement relevant mitigation so that inconsistencies don't hinder desired outcomes. 
Choose appropriate region pairs and disaster recovery regions that minimize latency.",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "0e03f5ee-4648-423c-bb86-7239480f9171",
- "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability",
- "service": "Device Update for IoT Hub",
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb",
+ "link": "https://learn.microsoft.com/industry/sovereignty/key-management",
+ "service": "Key Vault",
 "services": [
- "WAF"
+ "AKV"
 ],
- "severity": "High",
- "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled).",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Encryption and keys",
+ "text": "For Sovereign Landing Zone, use Azure Key Vault managed HSM to store your secrets and credentials.",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "c0c273bd-00ad-419a-9f2f-fc72fb181e55",
- "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability",
- "service": "Device Update for IoT Hub",
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15",
+ "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports",
+ "service": "Entra",
 "services": [
- "WAF"
+ "Entra"
 ],
- "severity": "High",
- "text": "Be aware of Microsoft-initiated failovers. 
These are exercised by Microsoft in rare situations to fail over all the DPS instances from an affected region to the corresponding geo-paired region.",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Operations",
+ "text": "Use Microsoft Entra ID reporting capabilities to generate access control audit reports.",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "3af8abe6-07eb-4287-b393-6c4abe3702eb",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
- "service": "Device Update for IoT Hub",
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "4e3ab369-3829-4e7e-9161-83687a0477a2",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal",
 "services": [
- "WAF"
+ "Storage",
+ "ARS",
+ "Monitor"
 ],
- "severity": "High",
- "text": "Consider a Cross-Region DR strategy for critical workloads",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Operations",
+ "text": "Export Azure activity logs to Azure Monitor Logs for long-term data retention. 
Export to Azure Storage for long-term storage beyond two years, if necessary.",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "bd91245c-fe32-4e98-a085-794a40f4bfe1",
- "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
- "service": "Device Update for IoT Hub",
+ "ammp": true,
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "09945bda-4333-44f2-9911-634182ba5275",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management",
+ "service": "Defender",
 "services": [
- "AppSvc",
- "WAF"
+ "Subscriptions",
+ "Defender"
 ],
 "severity": "High",
- "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
- "waf": "Reliability"
- },
- {
- "checklist": "WAF checklist",
- "guid": "f00a69de-7076-4734-a734-6e4552cad9e1",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates",
- "service": "Front Door",
- "services": [
- "FrontDoor",
- "AKV",
- "WAF"
- ],
- "severity": "Medium",
- "text": "If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. 
Reduce the risk of outages caused by manual certificate renewal",
- "waf": "Operations"
+ "subcategory": "Operations",
+ "text": "Enable Defender Cloud Security Posture Management for all subscriptions.",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant",
- "guid": "553585a6-abe0-11ed-afa1-0242ac120002",
- "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2",
- "service": "App Gateway",
+ "ammp": true,
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan",
+ "service": "Defender",
 "services": [
- "AppGW",
- "WAF"
+ "Subscriptions",
+ "Defender"
 ],
- "severity": "Medium",
- "text": "Ensure you are using Application Gateway v2 SKU",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "severity": "High",
+ "subcategory": "Operations",
+ "text": "Enable a Defender Cloud Workload Protection Plan for Servers on all subscriptions.",
 "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')",
- "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
- "service": "Load Balancer",
+ "ammp": true,
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription",
+ "service": "Defender",
 "services": [
- "LoadBalancer",
- "WAF"
+ "Subscriptions",
+ "Defender"
 ],
- "severity": "Medium",
- "text": "Ensure you are using the Standard 
SKU for your Azure Load Balancers",
+ "severity": "High",
+ "subcategory": "Operations",
+ "text": "Enable Defender Cloud Workload Protection Plans for Azure Resources on all subscriptions.",
 "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "9432621a-8397-4654-a882-5bc856b7ef83",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones",
- "service": "Load Balancer",
- "services": [
- "LoadBalancer",
- "WAF"
- ],
- "severity": "Medium",
- "text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).",
+ "ammp": true,
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b",
+ "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection",
+ "service": "VM",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Operations",
+ "text": "Enable Endpoint Protection on IaaS Servers.",
 "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant",
- "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15",
- "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet",
- "service": "App Gateway",
+ 
"category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab",
+ "link": "https://learn.microsoft.com/azure/security-center/",
+ "service": "VM",
 "services": [
- "VNet",
- "AppGW",
- "WAF"
+ "Monitor",
+ "Defender"
 ],
 "severity": "Medium",
- "text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "subcategory": "Operations",
+ "text": "Monitor base operating system patching drift via Azure Monitor Logs and Defender for Cloud.",
 "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "description": "Administration of reverse proxies in general and WAF in particular is closer to the application than to networking, so they belong in the same subscription as the app. Centralizing the Application Gateway and WAF in the connectivity subscription might be OK if it is managed by one single team.",
- "guid": "48b662d6-d15f-4512-a654-98f6dfe237de",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "App Gateway",
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "service": "Monitor",
 "services": [
- "VNet",
- "Subscriptions",
 "Entra",
- "NVA",
- "AppGW",
- "WAF"
+ "Monitor"
 ],
 "severity": "Medium",
- "text": "Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound HTTP(S) connections within the landing-zone virtual network and with the apps that they're securing.",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "subcategory": "Operations",
+ "text": "Connect default resource configurations to a centralized Azure Monitor Log Analytics workspace.",
 "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": 
"f109e1f3-c79b-4f14-82de-6b5c22314d08",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "App Gateway",
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba",
+ "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs",
+ "service": "Entra",
 "services": [
- "DDoS",
- "WAF"
+ "Entra"
 ],
 "severity": "Medium",
- "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "subcategory": "Operations",
+ "text": "For Sovereign Landing Zone, transparancy logs is enabled on the Entra ID tenant.",
 "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant",
- "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0",
- "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant",
- "service": "App Gateway",
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview",
+ "service": "Entra",
 "services": [
- "WAF"
+ "Entra"
 ],
 "severity": "Medium",
- "text": "Configure autoscaling with a minimum amount of instances of two.",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "Reliability"
+ "subcategory": "Operations",
+ "text": "For Sovereign Landing Zone, customer Lockbox is enabled on the Entra ID tenant.",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend 
compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant",
- "guid": "060c6964-52b5-48db-af8b-83e4b2d85349",
- "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2",
- "service": "App Gateway",
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "874a748b-662d-46d1-9051-2a66498f6dfe",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/security",
 "services": [
- "AppGW",
- "ACR",
- "WAF"
+ "Monitor"
 ],
- "severity": "Medium",
- "text": "Deploy Application Gateway across Availability Zones",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "Reliability"
+ "severity": "Low",
+ "subcategory": "Operations",
+ "text": "Use an Azure Event Grid-based solution for log-oriented, real-time alerts",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "Front Door",
+ "ammp": true,
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "b03ed428-4617-4067-a787-85468b9ccf3f",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer",
+ "service": "Storage",
 "services": [
- "FrontDoor",
- "AzurePolicy",
- "WAF"
+ "Storage"
 ],
- "severity": "Medium",
- "text": "Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span multiple Azure regions.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "severity": "High",
+ "subcategory": "Overview",
+ "text": "Secure transfer to storage accounts should be enabled",
 "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "3f29812b-2363-4cef-b179-b599de0d5973",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
- "service": "Front 
Door",
+ "ammp": true,
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection",
+ "service": "Storage",
 "services": [
- "FrontDoor",
- "AzurePolicy",
- "AppGW",
- "WAF"
+ "Storage"
 ],
- "severity": "Medium",
- "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. Lock down Application Gateway to receive traffic only from Front Door.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "severity": "High",
+ "subcategory": "Overview",
+ "text": "Enable container soft delete for the storage account to recover a deleted container and its contents.",
 "waf": "Security"
 },
 {
 "ammp": true,
- "arm-service": "microsoft.network/trafficManagerProfiles",
- "checklist": "WAF checklist",
- "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "Traffic Manager",
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "6f704104-85c1-441f-96d3-c9819911645e",
+ "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning",
 "services": [
- "TrafficManager",
- "WAF"
+ "Entra"
 ],
 "severity": "High",
- "text": "Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Reliability"
+ "subcategory": "Secure privileged access",
+ "text": "Separate privileged admin accounts for Azure administrative tasks.",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
- 
"service": "Entra",
- "services": [
- "Entra",
- "AVD",
- "WAF"
- ],
- "severity": "Low",
- "text": "If users only need access to internal applications, has Microsoft Entra ID Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?",
- "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "9a19bf39-c95d-444c-9c89-19ca1f6d5215",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/service-enablement-framework",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Service enablement framework",
+ "text": "Plan how new azure services will be implemented",
 "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
- "service": "Entra",
- "services": [
- "Entra",
- "WAF"
- ],
+ "category": "Security",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "ae514b93-3d45-485e-8112-9bd7ba012f7b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/service-enablement-framework",
+ "services": [],
 "severity": "Medium",
- "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications.",
- "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
+ "subcategory": "Service enablement framework",
+ "text": "Plan how service request will be fulfilled for Azure services",
 "waf": "Security"
 },
 {
 "ammp": true,
- "checklist": "WAF checklist",
- "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, 
policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode",
- "guid": "ae248989-b306-4591-9186-de482e3f0f0e",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
- "service": "Front Door",
- "services": [
- "FrontDoor",
- "AzurePolicy",
- "WAF"
- ],
+ "category": "Platform Automation and DevOps",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "e85f4226-bf06-4e35-8a8b-7aee4d2d633a",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/platform-automation-devops",
+ "services": [],
 "severity": "High",
- "text": "Deploy your WAF policy for Front Door in 'Prevention' mode.",
- "waf": "Security"
+ "subcategory": "DevOps Team Topologies",
+ "text": "Ensure you have a cross functional DevOps Platform Team to build, manage and maintain your Azure Landing Zone architecture.",
+ "waf": "Operations"
 },
 {
- "ammp": true,
- "checklist": "WAF checklist",
- "guid": "062d5839-4d36-402f-bfa4-02811eb936e9",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door",
- "service": "Front Door",
+ "category": "Platform Automation and DevOps",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "634146bf-7085-4419-a7b5-f96d2726f6da",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/devops-teams-topologies#design-recommendations",
+ "services": [],
+ "severity": "Low",
+ "subcategory": "DevOps Team Topologies",
+ "text": "Aim to define functions for Azure Landing Zone Platform team.",
+ "waf": 
"Operations"
+ },
+ {
+ "category": "Platform Automation and DevOps",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "a9e65070-c59e-4112-8bf6-c11364d4a2a5",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/devops-teams-topologies#design-recommendations",
 "services": [
- "FrontDoor",
- "TrafficManager",
- "WAF"
+ "RBAC"
 ],
- "severity": "High",
- "text": "Avoid combining Azure Traffic Manager and Azure Front Door.",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "DevOps Team Topologies",
+ "text": "Aim to define functions for application workload teams to be self-sufficient and not require DevOps Platform Team support. Achieve this through the use of custom RBAC role.",
+ "waf": "Operations"
 },
 {
 "ammp": true,
- "checklist": "WAF checklist",
- "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin",
- "service": "Front Door",
- "services": [
- "FrontDoor",
- "WAF"
- ],
+ "category": "Platform Automation and DevOps",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "165eb5e9-b434-448a-9e24-178632186212",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code",
+ "services": [],
 "severity": "High",
- "text": "Use the same domain name on Azure Front Door and your origin. 
Mismatched host names can cause subtle bugs.",
- "waf": "Security"
+ "subcategory": "DevOps Team Topologies",
+ "text": "Use a CI/CD pipeline to deploy IaC artifacts and ensure the quality of your deployment and Azure environments.",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant",
- "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group",
- "service": "Front Door",
- "services": [
- "FrontDoor",
- "WAF"
- ],
- "severity": "Low",
- "text": "Disable health probes when there is only one origin in an Azure Front Door origin group.",
- "waf": "Performance"
+ "category": "Platform Automation and DevOps",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "0cadb8c7-8fa5-4fbf-8f39-d1fadb3b0460",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "DevOps Team Topologies",
+ "text": "Include unit tests for IaC and application code as part of your build process.",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c",
- "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints",
- "service": "Front Door",
+ "ammp": true,
+ "category": "Platform Automation and DevOps",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds",
+ "service": "Key Vault",
 "services": [
- "FrontDoor",
- "WAF"
+ "VM",
+ "AKV"
 ],
- "severity": "Medium",
- "text": "Select good health probe endpoints for Azure Front Door. Consider building health endpoints that check all of your application's dependencies.",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "DevOps Team Topologies",
+ "text": "Use Key Vault secrets to avoid hard-coding sensitive information such as credentials (virtual machines user passwords), certificates or keys.",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId",
- "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes",
- "service": "Front Door",
+ "category": "Platform Automation and DevOps",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "a52e0c98-76b9-4a09-a1c9-6b2babf22ac4",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/subscription-vending",
 "services": [
- "FrontDoor",
- "WAF"
+ "Subscriptions"
 ],
 "severity": "Low",
- "text": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application.",
- "waf": 
"Performance"
+ "subcategory": "DevOps Team Topologies",
+ "text": "Implement automation for new landing zone for applications and workloads through subscription vending",
+ "waf": "Operations"
 },
 {
 "ammp": true,
- "checklist": "WAF checklist",
- "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant",
- "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75",
- "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity",
- "service": "Load Balancer",
- "services": [
- "LoadBalancer",
- "WAF"
- ],
+ "category": "Platform Automation and DevOps",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "cfe363b5-f579-4284-bc56-a42153e4c10b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code",
+ "services": [],
 "severity": "High",
- "text": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability",
- "waf": "Reliability"
+ "subcategory": "Development Lifecycle",
+ "text": "Ensure a version control system is used for source code of applications and IaC developed. 
Microsoft recommends Git.",
+ "waf": "Operations"
 },
 {
- "ammp": true,
- "checklist": "WAF checklist",
- "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId",
- "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates",
- "service": "Front Door",
- "services": [
- "FrontDoor",
- "AKV",
- "Cost",
- "WAF"
- ],
- "severity": "High",
- "text": "Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals.",
+ "category": "Platform Automation and DevOps",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "c7245dd4-af8a-403a-8bb7-890c1a7cfa9d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle",
+ "services": [],
+ "severity": "Low",
+ "subcategory": "Development Lifecycle",
+ "text": "Follow a branching strategy to allow teams to collaborate better and efficiently manage version control of IaC and application Code. 
Review options such as Github Flow.", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", - "service": "Front Door", - "services": [ - "FrontDoor", - "WAF" - ], + "category": "Platform Automation and DevOps", + "checklist": "Azure Landing Zone Review", + "guid": "12aeea20-9165-4b3e-bdf2-6795fcd3cdbe", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle", + "services": [], "severity": "Medium", - "text": "Define your Azure Front Door WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.", + "subcategory": "Development Lifecycle", + "text": "Adopt a pull request strategy to help keep control of code changes merged into branches.", "waf": "Operations" }, { - "ammp": true, - "checklist": "WAF checklist", - "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", - "service": "Front Door", - "services": [ - "FrontDoor", - "WAF" - ], - "severity": "High", - "text": "Use end-to-end TLS with Azure Front Door. 
Use TLS for connections from your clients to Front Door, and from Front Door to your origin.", - "waf": "Security" - }, - { - "checklist": "WAF checklist", - "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", - "service": "Front Door", - "services": [ - "FrontDoor", - "WAF" - ], + "category": "Platform Automation and DevOps", + "checklist": "Azure Landing Zone Review", + "guid": "2676ae46-65ca-444e-8695-fdddeace4cb1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-platform", + "services": [], "severity": "Medium", - "text": "Use HTTP to HTTPS redirection with Azure Front Door. Support older clients by redirecting them to an HTTPS request automatically.", - "waf": "Security" + "subcategory": "Development Lifecycle", + "text": "Establish a process for using code to implement quick fixes. Always register quick fixes in your team's backlog so each fix can be reworked at a later point, and you can limit technical debt.", + "waf": "Operations" }, { "ammp": true, - "checklist": "WAF checklist", - "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", - "service": "Front Door", - "services": [ - "FrontDoor", - "WAF" - ], + "category": "Platform Automation and DevOps", + "checklist": "Azure Landing Zone Review", + "guid": "2cdc9d99-dbcc-4ad4-97f5-e7d358bdfa73", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code", + "services": [], "severity": "High", - "text": "Enable the Azure Front Door WAF. Protect your application from a range of attacks.", - "waf": "Security" + "subcategory": "Development Strategy", + "text": "Leverage Declarative Infrastructure as Code Tools such as Azure Bicep, ARM Templates or Terraform to build and maintain your Azure Landing Zone architecture. 
Both from a Platform and Application workload perspective.", + "waf": "Operations" }, { "ammp": true, - "checklist": "WAF checklist", - "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", - "service": "Front Door", - "services": [ - "FrontDoor", - "WAF" - ], + "category": "Platform Automation and DevOps", + "checklist": "Azure Landing Zone Review", + "guid": "cc87a3bc-c572-4ad2-92ed-8cabab66160f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/landing-zone-security#secure", + "services": [], "severity": "High", - "text": "Tune the Azure Front Door WAF for your workload. Reduce false positive detections.", - "waf": "Security" + "subcategory": "Security", + "text": "Integrate security into the already combined process of development and operations in DevOps to mitigate risks in the innovation process.", + "waf": "Operations" }, { - "ammp": true, - "checklist": "WAF checklist", - "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "Front Door", - "services": [ - "FrontDoor", - "AzurePolicy", - "WAF" - ], + "category": "Operations Management", + "checklist": "Recovery Services Vault Checklist", + "guid": "cb7da8cf-aa62-4a15-a495-6da97dc3a242", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-plan-capacity-vmware", + "services": [], "severity": "High", - "text": "Enable request body inspection feature enabled in Azure Front Door WAF policy.", - "waf": "Security" + "subcategory": "Replication", + "text": "Capacity planning is required to make sure you have sufficient bandwidth for replication and an estimated number of CPU cores & disk types that will be needed in Azure for failover", + "waf": "Reliability" }, { - "ammp": true, - 
"checklist": "WAF checklist", - "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", - "service": "Front Door", + "category": "Operations Management", + "checklist": "Recovery Services Vault Checklist", + "guid": "67b23587-05a1-4652-aded-fa8a488cdec4", + "link": "https://learn.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-policy", "services": [ - "FrontDoor", - "WAF" + "ASR", + "VM", + "AzurePolicy" ], "severity": "High", - "text": "Enable the Azure Front Door WAF default rule sets. The default rule sets detect and block common attacks.", - "waf": "Security" + "subcategory": "Replication", + "text": "Use Azure Policy to ensure that all critical Azure VMs are protected with ASR", + "waf": "Reliability" }, { - "ammp": true, - "checklist": "WAF checklist", - "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", - "service": "Front Door", + "category": "Operations Management", + "checklist": "Recovery Services Vault Checklist", + "guid": "862bc3bc-14be-4b7f-96e8-d9b3bec228e7", + "link": "https://learn.microsoft.com/azure/site-recovery/recovery-plan-overview", "services": [ - "FrontDoor", - "WAF" + "VM" ], - "severity": "High", - "text": "Enable the Azure Front Door WAF bot protection rule set. The bot rules detect good and bad bots.", - "waf": "Security" + "severity": "Medium", + "subcategory": "Replication", + "text": "Define recovery plans to automate the failover sequence for VMs. 
You can also include automation scripts to reduce manual steps and improve recovery time", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", - "service": "Front Door", - "services": [ - "FrontDoor", - "WAF" - ], + "category": "Operations Management", + "checklist": "Recovery Services Vault Checklist", + "guid": "437b1736-db55-4f67-a613-334bd09dc234", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-how-to-manage?tabs=recovery-services-vault", + "services": [], "severity": "Medium", - "text": "Use the latest Azure Front Door WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.", - "waf": "Security" + "subcategory": "Data Protection", + "text": "Enable and LOCK immutability for vaults. This ensures recovery points cannot be deleted before their intended expiry", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "b9620385-1cde-418f-914b-a84a06982ffc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", - "service": "Front Door", - "services": [ - "FrontDoor", - "WAF" - ], + "category": "Operations Management", + "checklist": "Recovery Services Vault Checklist", + "guid": "19db6128-1265-404b-a47a-493a08042729", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about", + "services": [], "severity": "Medium", - "text": "Add rate limiting to the Azure Front Door WAF. 
Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", - "waf": "Security" + "subcategory": "Data Protection", + "text": "Enable 'Always-on soft delete' for vaults protecting critical workloads", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", - "service": "Front Door", + "category": "Operations Management", + "checklist": "Recovery Services Vault Checklist", + "guid": "4798b158-8b31-4aa5-9ceb-54445135a227", + "link": "https://learn.microsoft.com/azure/backup/backup-create-recovery-services-vault#set-storage-redundancy", "services": [ - "FrontDoor", - "WAF" + "Storage" ], "severity": "Medium", - "text": "Use a high threshold for Azure Front Door WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. ", - "waf": "Security" + "subcategory": "Redudancy", + "text": "When creating Recovery Service Vaults choose the best storage redundancy option for your requirements. 
Vaults support local, geo and zone redundancy but this setting cannot be changed once the vault is protecting one or more resources", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", - "service": "Front Door", - "services": [ - "WAF" - ], - "severity": "Low", - "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", - "waf": "Security" + "category": "BC and DR", + "checklist": "Device Update Review", + "guid": "0e03f5ee-4648-423c-bb86-7239480f9171", + "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", + "service": "Device Update for IoT Hub", + "services": [], + "severity": "High", + "subcategory": "High Availability", + "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled).", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "00acd8a9-6975-414f-8491-2be6309893b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", - "service": "Front Door", - "services": [ - "FrontDoor", - "WAF" - ], - "severity": "Medium", - "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", - "waf": "Security" + "category": "BC and DR", + "checklist": "Device Update Review", + "guid": "c0c273bd-00ad-419a-9f2f-fc72fb181e55", + "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", + "service": "Device Update for IoT Hub", + "services": [], + "severity": "High", + "subcategory": "High Availability", + "text": "Be aware of Microsoft-initiated failovers. 
These are exercised by Microsoft in rare situations to fail over all the DPS instances from an affected region to the corresponding geo-paired region.", + "waf": "Reliability" }, { - "ammp": true, - "checklist": "WAF checklist", - "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", - "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", - "service": "App Gateway", - "services": [ - "AppGW", - "WAF" - ], + "category": "BC and DR", + "checklist": "Device Update Review", + "guid": "3af8abe6-07eb-4287-b393-6c4abe3702eb", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Device Update for IoT Hub", + "services": [], "severity": "High", - "text": "Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots.", - "waf": "Security" + "subcategory": "High Availability", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "ammp": true, - "checklist": "WAF checklist", - "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "App Gateway", + "category": "BC and DR", + "checklist": "Device Update Review", + "guid": "bd91245c-fe32-4e98-a085-794a40f4bfe1", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Device Update for IoT Hub", 
"services": [ - "AzurePolicy", - "AppGW", - "WAF" + "AppSvc" ], "severity": "High", - "text": "Enable request body inspection feature enabled in Azure Application Gateway WAF policy.", - "waf": "Security" + "subcategory": "High Availability", + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" }, { - "ammp": true, - "checklist": "WAF checklist", - "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", - "service": "App Gateway", + "category": "Business Continuity and Disaster Recovery", + "checklist": "Azure Virtual Desktop Review", + "description": "AVD control plane does not offer a financially backed service level agreement. We strive to attain at least 99.9% availability for the Azure Virtual Desktop service URLs. The availability of the session host virtual machines in your subscription is covered by the Virtual Machines SLA. Dependent resources/services and infrastructure availability must be also considered to properly satisfy global high-availability requirements.", + "guid": "56c57ba5-9119-4bf8-b8f5-c586c7d9cdc1", + "link": "https://azure.microsoft.com/support/legal/sla/virtual-desktop/v1_0/", "services": [ - "AppGW", - "WAF" + "ASR", + "Subscriptions", + "VM", + "AVD" ], "severity": "High", - "text": "Tune the Azure Application Gateway WAF for your workload. 
Reduce false positive detections.", - "waf": "Security" + "subcategory": "Compute", + "text": "Determine the expected High Availability SLA for applications/desktops published through AVD", + "waf": "Reliability" }, { - "ammp": true, - "checklist": "WAF checklist", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", - "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "App Gateway", + "category": "Business Continuity and Disaster Recovery", + "checklist": "Azure Virtual Desktop Review", + "description": "'Active-Active' model can be achieved with multiple host pools in different regions. A single Host Pool with VMs from different regions is not recommended. If multiple pools for same users will be used, the problem of how to synchronize/replicate user profiles must be solved. FSLogix Cloud Cache could be used, but need to be carefully reviewed and planned, or customers can decide to do not synchronize/replicate at all. 'Active-Passive' can be achieved using Azure Site Recovery (ASR) or on-demand Pool deployment with automated mechanism. 
For a detailed discussion on multi-region BCDR, please read the companion article in the 'More Info' column and this FSLogix related page: https://learn.microsoft.com/fslogix/concepts-container-recovery-business-continuity.", + "guid": "6acc076e-f9b1-441a-a989-579e76b897e7", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/azure-virtual-desktop-multi-region-bcdr", "services": [ - "AzurePolicy", - "AppGW", - "WAF" + "ASR", + "Storage", + "VM", + "AVD" + ], + "severity": "Medium", + "subcategory": "Compute", + "text": "Assess Geo Disaster Recovery requirements for AVD Host Pools", + "waf": "Reliability" + }, + { + "category": "Business Continuity and Disaster Recovery", + "checklist": "Azure Virtual Desktop Review", + "description": "Before approaching Azure Virtual Desktop BCDR planning and design, it is important to initially consider which applications consumed through AVD are critical. You may want to separate them from non-critical apps and use a separate Host Pool with a different disaster recovery approach and capabilities.", + "guid": "10a7da7b-e996-46e1-9d3c-4ada97cc3d13", + "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", + "services": [ + "ASR", + "AVD" + ], + "severity": "Low", + "subcategory": "Compute", + "text": "Separate critical applications in different AVD Host Pools", + "waf": "Reliability" + }, + { + "category": "Business Continuity and Disaster Recovery", + "checklist": "Azure Virtual Desktop Review", + "description": "Each Host Pool can be deployed using Availability Zones (AZ) or Availability Set (AS). To maximize resiliency, usage of AZ is recommended: at Host Pool creation time you can decide to spread Host Pool Session Hosts across all available AZ. Usage of AS will not protect from single datacenter failure, then should be used only in regions where AZ are not available. More details on AZ and AVD in the companion article. 
For a comparison between AZ and AS you can read here: https://learn.microsoft.com/azure/virtual-machines/availability.", + "guid": "25ab225c-6f4e-4168-9fdd-dea8a4b7cdeb", + "link": "https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/announcing-general-availability-of-support-for-azure/ba-p/3636262", + "services": [ + "ASR", + "ACR", + "AVD" ], "severity": "High", - "text": "Deploy your WAF policy for Application Gateway in 'Prevention' mode.", - "waf": "Security" + "subcategory": "Compute", + "text": "Plan the best resiliency option for AVD Host Pool deployment", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", - "service": "App Gateway", + "category": "Business Continuity and Disaster Recovery", + "checklist": "Azure Virtual Desktop Review", + "description": "Azure Backup can be used to protect Host Pool VMs. For Pooled Pools, this is not necessary since should be stateless. Instead, this option can be considered for Personal Host Pools.", + "guid": "4c61fc3f-c14e-4ea6-b69e-8d9a3eec218e", + "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "services": [ - "AppGW", - "WAF" + "ASR", + "VM", + "Backup", + "AVD" ], "severity": "Medium", - "text": "Add rate limiting to the Azure Application Gateway WAF. 
Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", - "waf": "Security" + "subcategory": "Compute", + "text": "Assess the requirement to backup AVD Session Host VMs", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", - "service": "App Gateway", + "category": "Business Continuity and Disaster Recovery", + "checklist": "Azure Virtual Desktop Review", + "description": "Even for Personal Pools, usage of Availability Zones, when available, is recommended. Three possible in-region DR strategies are possible, it is recommended to select the best one based on cost, RTO/RPO, and if it is really necessary to save the entire VM OS disk: (1) create each session host in a specific zone (AZ) and then use Azure Site Recovery (ASR) to replicate to a different zone. (2) Use Azure Backup to backup and restore the specific session host in a different AZ. (3) Create a new session host in a different AZ and rely on FSLogix and/or OneDrive to make data and settings available on the new machine. All options require administrator intervention for DR and direct user assignment at Host Pool level, then must be planned and configured in advance.", + "guid": "5da58639-ca3a-4961-890b-29663c5e10d", + "link": "https://learn.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery", "services": [ - "AppGW", - "WAF" + "Backup", + "Cost", + "ASR", + "VM", + "AVD" ], "severity": "Medium", - "text": "Use a high threshold for Azure Application Gateway WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. 
", - "waf": "Security" + "subcategory": "Compute", + "text": "Prepare a local DR strategy for Personal Host Pool Session Hosts", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "99937189-ff78-492a-b9ca-18d828d82b37", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", - "service": "App Gateway", + "category": "Business Continuity and Disaster Recovery", + "checklist": "Azure Virtual Desktop Review", + "description": "If custom images are used to deploy AVD Host Pool VMs, it is important to ensure those artifacts are available in all regions where AVD is deployed. Azure Compute Gallery service can be used to replicate images across all regions where a Host Pool is deployed, with redundant storage and in multiple copies. Please be aware that the Azure Compute Gallery service isn't a global resource. For disaster recovery scenarios, the best practice is to have at least two galleries, in different regions.", + "guid": "dd2e0d5d-771d-441e-9610-cc57b4a4a141", + "link": "https://learn.microsoft.com/azure/virtual-machines/azure-compute-gallery", "services": [ - "WAF" + "Storage", + "ASR", + "ACR", + "VM", + "AVD" ], "severity": "Low", - "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", - "waf": "Security" + "subcategory": "Dependencies", + "text": "Plan for Golden Image cross-region availability", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", - "service": "App Gateway", + "category": "Business Continuity and Disaster Recovery", + "checklist": "Azure Virtual Desktop Review", + "description": "If users of the AVD infrastructure need on-premises resource access, high availability of network infrastructure required to connect is also critical 
and should be considered. Resiliency of authentication infrastructure needs to be assessed and evaluated. BCDR aspects for dependent applications and other resources need to be considered to ensure availability in the secondary DR location.", + "guid": "fd339489-8c12-488b-9c6a-57cfb644451e", + "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "services": [ - "AppGW", - "WAF" + "ASR", + "AVD" ], "severity": "Medium", - "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Application Gateway WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", - "waf": "Security" + "subcategory": "Dependencies", + "text": "Assess Infrastructure & Application dependencies ", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", - "service": "App Gateway", + "category": "Business Continuity and Disaster Recovery", + "checklist": "Azure Virtual Desktop Review", + "description": "Not all data inside FSLogix user profiles may deserve protection from disaster. Additionally, if external storage is used, for example OneDrive or File Servers/Shares, what is remaining in the FSLogix profile is minimal and could be lost in some extreme circumstances. In other cases, data inside the profile can be rebuilt from other storages (for example Outlook Inbox in cached mode).", + "guid": "687ab077-adb5-49e5-a960-3334fdf8cc23", + "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt", "services": [ - "AppGW", - "WAF" + "Storage", + "ASR", + "AVD" ], "severity": "Medium", - "text": "Use the latest Azure Application Gateway WAF rule set version. 
Rule set updates are regularly updated to take account of the current threat landscape.", - "waf": "Security" + "subcategory": "Storage", + "text": "Assess which data need to be protected in the Profile and Office Containers", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "App Gateway", + "category": "Business Continuity and Disaster Recovery", + "checklist": "Azure Virtual Desktop Review", + "description": "Preventing data loss for critical user data is important, first step is to assess which data need to be saved and protected. If using OneDrive or other external storage, saving user Profile and/or Office Containers data maybe not necessary. Appropriate mechanism must be considered to provide protection for critical user data. Azure Backup service can be used to protect Profile and Office Containers data when stored on Azure Files Standard and Premium tiers. 
Azure NetApp Files Snapshots and Policies can be used for Azure NetApp Files (all tiers).", + "guid": "fc4972cc-3cd2-45bf-a707-6e9eab4bed32", + "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "services": [ - "AppGW", - "WAF" + "Storage", + "Backup", + "ASR", + "AzurePolicy", + "AVD" ], "severity": "Medium", - "text": "Add diagnostic settings to save your Azure Application Gateway WAF logs.", - "waf": "Operations" + "subcategory": "Storage", + "text": "Build a backup protection strategy for Profile and Office Containers", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "Front Door", + "category": "Business Continuity and Disaster Recovery", + "checklist": "Azure Virtual Desktop Review", + "description": "In AVD, multiple replication mechanisms and strategies can be used for user data residing in FSLogix containers: [Profile Pattern #1]: Native Azure storage replication mechanisms, for example Azure Files Standard GRS replication, Azure NetApp Files Cross Region Replication. Use Zone Replicated Storage (ZRS) or Geo replicated storage (GRS) for Azure Files is recommended. LRS with local-only resiliency can be used if no zone/region protection is required. NOTE: Azure Files Share Standard is LRS/ZRS/GRS, but with 100TB large support enabled only LRS/ZRS are supported. [Profile Pattern #2]: FSLogix Cloud Cache is built in automatic mechanism to replicate containers between different (up to 4) storage accounts. Cloud Cache should be used only when:(1) User Profile or Office containers data availability required high-availability SLA is critical and need to be resilient to region failure. (2) Selected storage option is not able to satisfy BCDR requirements. 
For example, with Azure File Share Premium tier, or Azure File Share Standard with Large File Support enabled, GRS is not available. (3) When replication between disparate storage is required. [Profile Pattern #3]: Only set up geo disaster recovery for application data and not for user data/profile containers: store important application data in separate storages, like OneDrive or other external storage with its own built-in DR mechanism.", + "guid": "9f7547c1-746d-4c56-868a-714435bd09dd", + "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "services": [ - "FrontDoor", - "WAF" + "Storage", + "ASR", + "AVD" ], "severity": "Medium", - "text": "Add diagnostic settings to save your Azure Front Door WAF logs.", - "waf": "Operations" + "subcategory": "Storage", + "text": "Assess Profile Container storage replication requirements and resiliency for BCDR purpose", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "92664c60-47e3-4591-8b1b-8d557656e686", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", - "service": "App Gateway", + "category": "Business Continuity and Disaster Recovery", + "checklist": "Azure Virtual Desktop Review", + "description": "For local disaster recovery, Azure Backup for Azure Files can be used. For cross-region geo disaster recovery: GRS for Azure Files is only available with standard SKU and no large share support, then not suitable in most customer scenarios. 
If geo-replication is required with Azure File Share Premium, replication with FSLogix Cloud Cache can be evaluated, or 'in-region' Availability Zone (AZ) only resiliency should be considered.", + "guid": "3d4f3537-c134-46dc-9602-7a71efe1bd05", + "link": "https://docs.microsoft.com/azure/backup/backup-afs", "services": [ - "Sentinel", - "AppGW", - "WAF" + "Storage", + "ASR", + "Backup", + "AVD" ], "severity": "Medium", - "text": "Send Azure Application Gateway WAF logs to Microsoft Sentinel.", - "waf": "Operations" + "subcategory": "Storage", + "text": "Review Azure Files disaster recovery strategy", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "845f5f91-9c21-4674-a725-5ce890850e20", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "Front Door", + "category": "Business Continuity and Disaster Recovery", + "checklist": "Azure Virtual Desktop Review", + "description": "Zone Redundant Storage will maximize in-region resiliency for the user profile data. ZRS is supported for premium file shares through the 'FileStorage' storage account kind. ZRS is supported in standard general-purpose v2 storage accounts. Usage of zone redundant storage must be paired with zone redundant deployment of Session Hosts in each Host Pool. 
", + "guid": "10d4e875-d502-4142-a795-f2b6eff34f88", + "link": "https://learn.microsoft.com/azure/storage/files/files-redundancy#zone-redundant-storage", "services": [ - "FrontDoor", - "Sentinel", - "WAF" + "Storage", + "ASR", + "AVD" ], - "severity": "Medium", - "text": "Send Azure Front Door WAF logs to Microsoft Sentinel.", - "waf": "Operations" + "severity": "High", + "subcategory": "Storage", + "text": "Use Zone Redundant Storage (ZRS) for Azure Files to maximize resiliency", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", - "service": "App Gateway", + "category": "Business Continuity and Disaster Recovery", + "checklist": "Azure Virtual Desktop Review", + "description": "For local disaster recovery, Azure NetApp Files (ANF) native backup is available. ANF is essentially locally redundant, then for cross-region geo disaster recovery it is necessary to use an additional mechanism that is Cross-Region Replication (CRR) https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering. Currently, ANF does not provide replication nor redundancy across different Availability Zones (AZ), only the possibility to select in which single AZ to place the ANF volume: https://learn.microsoft.com/azure/azure-netapp-files/manage-availability-zone-volume-placement.", + "guid": "23429db7-2281-4376-85cc-57b4a4b18142", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering", "services": [ - "AppGW", - "WAF" + "Storage", + "Backup", + "ASR", + "ACR", + "AVD" ], "severity": "Medium", - "text": "Define your Azure Application Gateway WAF configuration as code. 
By using code, you can more easily adopt new rule set version and gain additional protection.", - "waf": "Operations" + "subcategory": "Storage", + "text": "Review Azure NetApp Files disaster recovery strategy", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", - "service": "App Gateway", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "Applications can be preinstalled in the golden image/s, can be attached using MSIX & AppAttach feature or distributed to the session hosts after host pool deployment using traditional software distribution methods.", + "guid": "86ba2802-1459-4014-95d3-8e5309ccbd97", + "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", "services": [ - "AzurePolicy", - "WAF" + "AVD" ], - "severity": "Medium", - "text": "Use WAF Policies instead of the legacy WAF configuration.", + "severity": "High", + "subcategory": "Golden Images", + "text": "Determine how applications will be deployed in AVD Host Pools", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", - "service": "App Gateway", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "Multiple golden images can be required to support different OS versions and/or settings, different groups of applications that must be separated and cannot be included in a single image.", + "guid": "9266bcca-274f-4aa1-abf3-9d95d44c7c89", + "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", "services": [ - "VNet", - "ExpressRoute", - "VPN", - "AppGW", - "WAF" + "AVD" ], "severity": "Medium", - "text": "Filter inbound traffic in the backends so that they only accept connections from the 
Application Gateway subnet, for example with NSGs.", - "waf": "Security" + "subcategory": "Golden Images", + "text": "Estimate the number of golden images that will be required", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", - "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", - "service": "Front Door", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "Determine which Guest OS will be used to deploy each Host Pool: Windows 10 vs. Windows Server, Marketplace vs. Custom images", + "guid": "19ca1f6d-5315-4ae5-84ba-34d4585e2213", + "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#operating-systems-and-licenses", "services": [ - "FrontDoor", - "WAF" + "AVD" ], "severity": "Medium", - "text": "Make sure your origins only take traffic from your Azure Front Door instance.", - "waf": "Security" + "subcategory": "Golden Images", + "text": "Determine which OS image/s you will use for Host Pool deployment", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", - "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", - "service": "App Gateway", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "Azure VM custom images can be created and stored in different ways: in an Azure Compute Gallery, as a managed image object or as a managed disk in the storage. 
The recommended way is to use Azure Compute Gallery.", + "guid": "5a2adb2c-3e23-426b-b225-ca44e1696fdd", + "link": "https://learn.microsoft.com/azure/virtual-machines/shared-image-galleries", "services": [ - "WAF" + "Storage", + "VM", + "AVD" ], - "severity": "High", - "text": "You should encrypt traffic to the backend servers.", - "waf": "Security" + "severity": "Low", + "subcategory": "Golden Images", + "text": "Select the proper store for custom images", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", - "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", - "service": "App Gateway", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "If custom images will be used, plan for an automated build process. If no pre-existing software factory exists, consider using Custom Image Templates and/or Azure Image Builder to automate the build process.", + "guid": "9bd7bb01-2f7b-495e-86e1-54e2aa359282", + "link": "https://learn.microsoft.com/azure/virtual-desktop/create-custom-image-templates", "services": [ - "WAF" + "AVD" ], - "severity": "High", - "text": "You should use a Web Application Firewall.", - "waf": "Security" + "severity": "Low", + "subcategory": "Golden Images", + "text": "Design your build process for custom images", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", - "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", - "service": "App Gateway", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "There are some known best practices and recommendations for the golden image customization, be sure to check the referenced article.", + "guid": "deace4cb-1dec-44c6-90c3-fc14eebb36a3", + "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", "services": [ - "WAF" + "AVD" ], "severity": 
"Medium", - "text": "Redirect HTTP to HTTPS", - "waf": "Security" + "subcategory": "Golden Images", + "text": "If custom image will be used, check recommended best practices for AVD on how to build custom image", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", - "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", - "service": "App Gateway", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "FSLogix stack installed in AVD session hosts does not provide auto-update capability. For this reason, it is recommended to download the latest version of FSLogix and include in the golden image update process.", + "guid": "ed5c9027-dd1a-4343-86ca-52b199223186", + "link": "https://learn.microsoft.com/fslogix/how-to-install-fslogix", "services": [ - "WAF" + "AVD" ], - "severity": "Medium", - "text": "Use gateway-managed cookies to direct traffic from a user session to the same server for processing", - "waf": "Operations" + "severity": "High", + "subcategory": "Golden Images", + "text": "Include the latest version of FSLogix in the golden image update process", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", - "service": "App Gateway", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "This tool-set has been created to automatically apply setting referenced in white paper 'Optimizing Windows 10, version 2004 for a Virtual Desktop Infrastructure (VDI) role': https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004. Usage of the tool and/or optimizations mentioned in the white-paper should be considered. 
", + "guid": "829e3fec-2183-4687-a017-7a2b5945bda4", + "link": "https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool", "services": [ - "WAF" + "RBAC", + "AVD" ], - "severity": "High", - "text": "Enable connection draining during planned service updates to prevent connection loss to existing membrs of the backend pool", - "waf": "Security" + "severity": "Low", + "subcategory": "Golden Images", + "text": "Evaluate the usage of Virtual-Desktop-Optimization-Tool", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", - "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", - "service": "App Gateway", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "If OneDrive is used and included in a golden image, be sure to follow the configuration procedure reported in the companion article in the 'More Info' section. Not in scope in this AVD checklist, but OneDrive optimizations like 'Known Folder Redirection' and 'Files On-Demand' should be evaluated used to reduce the space used in FSLogix profiles and provide a better user experience. 
OneDrive today is not supported for Remote Apps.", + "guid": "e3d3e084-4276-4d4b-bc01-5bcf219e4a1e", + "link": "https://learn.microsoft.com/azure/virtual-desktop/install-office-on-wvd-master-image#install-onedrive-in-per-machine-mode", "services": [ - "WAF" + "Storage", + "AVD" ], "severity": "Low", - "text": "Create custom error pages to display a personalized user experience", + "subcategory": "Golden Images", + "text": "Determine if Microsoft OneDrive will be part of AVD deployment", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", - "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", - "service": "App Gateway", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "Be sure to review the requirements and configuration procedure contained in the companion article in the 'More Info' column. Since Teams automatic updates will be disabled, it is recommended to check and include Teams latest version in the golden image update process.", + "guid": "b5887953-5d22-4788-9d30-b66c67be5951", + "link": "https://learn.microsoft.com/azure/virtual-desktop/teams-on-AVD", "services": [ - "WAF" + "AVD" ], - "severity": "Medium", - "text": "Edit HTTP requests and response headers for easier routing and information exchange between the client and server", - "waf": "Security" + "severity": "Low", + "subcategory": "Golden Images", + "text": "Determine if Microsoft Teams will be part of AVD deployment", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "App Gateway", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "AVD can support users with different language and localization requirements in the same host pool. 
This can be done customizing golden images to ensure users can select whichever language they need. The procedure to configure additional language packs in Windows 11 is documented in the reference article.", + "guid": "7c336f3b-822a-498e-8cd1-667d1150df4a", + "link": "https://learn.microsoft.com/azure/virtual-desktop/windows-11-language-packs", "services": [ - "FrontDoor", - "WAF" + "AVD" ], - "severity": "Medium", - "text": "Configure Front Door to optimize global web traffic routing and top-tier end-user performance, and reliability through quick global failover", - "waf": "Performance" + "severity": "Low", + "subcategory": "Golden Images", + "text": "Assess the requirement to support multiple languages", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "29dcc19f-a8fa-4c35-8281-290577538793", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "App Gateway", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "It is highly recommended to use separate storage accounts/shares to store MSIX packages. If necessary, storage can scale out independently and not being impacted by profile I/O activities. Azure offers multiple storage options that can be used for MISX app attach. We recommend using Azure Files or Azure NetApp Files as those options offer the best value between cost and management overhead. 
", + "guid": "90083845-c587-4cb3-a1ec-16a1d076ef9f", + "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", "services": [ - "WAF" + "Storage", + "Cost", + "AVD" ], "severity": "Medium", - "text": "Use transport layer load balancing", + "subcategory": "MSIX & AppAttach", + "text": "Do not use the same storage account/share as FSLogix profiles", "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", - "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", - "service": "App Gateway", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "In the referenced article, we reported few but important performance considerations for MSIX usage in AVD context, be sure to carefully review.", + "guid": "241addce-5793-477b-adb3-751ab2ac1fad", + "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", "services": [ - "WAF" + "AVD" ], "severity": "Medium", - "text": "Configure routing based on host or domain name for multiple web applications on a single gateway", - "waf": "Security" + "subcategory": "MSIX & AppAttach", + "text": "Review performance considerations for MSIX", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", - "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", - "service": "App Gateway", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "MSIX app attach requires read-only permissions to access the file share. 
If you're storing your MSIX applications in Azure Files, then for your session hosts, you'll need to assign all session host VMs both storage account role-based access control (RBAC) and file share New Technology File System (NTFS) permissions on the share.", + "guid": "66e15d4d-5a2a-4db2-a3e2-326bf225ca41", + "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", "services": [ - "Entra", - "WAF" + "Storage", + "RBAC", + "VM", + "AVD" ], "severity": "Medium", - "text": "Centralize SSL certificate management to reduce encryption and decryption overhead from a backend server farm", + "subcategory": "MSIX & AppAttach", + "text": "Check proper session host permissions for MSIX share", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", - "service": "App Gateway", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "3rd-party software vendor must provide a MSIX package, it is not recommended for customer to attempt the conversion procedure without proper support from the application owner.", + "guid": "bd362caa-ab79-4b19-adab-81932c9fc9d1", + "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", "services": [ - "AppGW", - "WAF" + "AVD" ], "severity": "Low", - "text": "Use Application Gateway for native support for WebSocket and HTTP/2 protocols", - "waf": "Security" + "subcategory": "MSIX & AppAttach", + "text": "MSIX packages for 3rd-party applications", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", - "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", - "service": "App Services", - "services": [ - "WAF" - ], + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + 
"description": "MSIX app attach doesn't support auto-update for MSIX applications, so they should be disabled.", + "guid": "bb88037f-5e6b-4fbb-aed5-03547cc447e8", + "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", + "services": [ + "AVD" + ], "severity": "Low", - "text": "Refer to baseline highly available zone-redundant web application architecture for best practices", - "waf": "Reliability" + "subcategory": "MSIX & AppAttach", + "text": "Disable auto-update for MSIX packages", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", - "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", - "service": "App Services", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "In order to leverage MSIX & App Attach, guest OS image for AVD Host pool must be Windows 10/11 Enterprise or Windows 10/11 Enterprise Multi-session, version 2004 or later.", + "guid": "26128a71-f0f1-4cac-9d9e-f1d5e832e42e", + "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", "services": [ - "Backup", - "WAF" + "AVD" ], "severity": "Medium", - "text": "Use Premium and Standard tiers. 
These tiers support staging slots and automated backups.", + "subcategory": "MSIX & AppAttach", + "text": "Review operating systems support", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", - "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", - "service": "App Services", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "Once selected the VM SKU that will be used for Host Pool deployment, it is recommended to use Gen2 type of the SKU for higher security and improved capabilities.", + "guid": "e4633254-3185-40a1-b120-bd563a1c8e9d", + "link": "https://docs.microsoft.com/azure/virtual-machines/generation-2", "services": [ - "WAF" + "VM", + "AVD" ], - "severity": "High", - "text": "Leverage Availability Zones where regionally applicable (requires Premium v2 or v3 tier)", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Session Host", + "text": "Evaluate the usage of Gen2 VM for Host Pool deployment", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "MMR redirects the media content from Session Host to your local machine for faster processing and rendering. It only works when you play media content on Microsoft Edge or Google Chrome. 
See linked URL for more details.", + "guid": "adecb27f-dc40-40f5-aca2-0090f633b1c9", + "link": "https://learn.microsoft.com/azure/virtual-desktop/multimedia-redirection", "services": [ - "WAF" + "AVD" ], - "severity": "Medium", - "text": "Implement health checks", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Session Host", + "text": "Consider using MMR (MultiMedia Redirection) to get better video performance on browser", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", - "service": "App Services", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "A host pool is a collection of Azure virtual machines that register to Azure Virtual Desktop as session hosts. A host pool can be one of two types: Personal and Pooled. Which type to use, and how many, is a key design decision that must be documented and validated. See companion article in 'More Info' column for more details.", + "guid": "8468c55a-775c-46ee-a5b8-6ad8844ce3b2", + "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology#host-pools", "services": [ - "AppSvc", - "Backup", - "WAF" + "VM", + "AVD" ], "severity": "High", - "text": "Refer to backup and restore best practices for Azure App Service", - "waf": "Reliability" + "subcategory": "Capacity Planning", + "text": "Determine the Host Pool type to use", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", - "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", - "service": "App Services", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "Use your design criteria to determine the number of Host Pools to deploy. 
This will be based on factors such as different OS images, multi-region support, guest VM hardware differences (such as GPU support or no), different user expectations and uptime requirements (examples might be 'Executives', 'Office Workers', 'Developers', etc.), and Host Pool RDP settings (such as drive redirection support). These will determine the number of host pools as well as how many hosts will be in each pool.", + "guid": "4e98495f-d3c0-4af2-aa59-a793395a32a7", + "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#host-pools", "services": [ - "AppSvc", - "WAF" + "VM", + "AVD" ], "severity": "High", - "text": "Implement Azure App Service reliability best practices", - "waf": "Reliability" + "subcategory": "Capacity Planning", + "text": "Estimate the number of different Host Pools to deploy ", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", - "service": "App Services", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "Confirm that the difference between automatic and direct assignment is well understood and the selected option is appropriate for the scenario in question. 
Automatic is the default setting.", + "guid": "b38b875b-a1cf-4204-a901-3a5d3ce474db", + "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type", "services": [ - "AppSvc", - "WAF" + "AVD" ], "severity": "Low", - "text": "Familiarize with how to move an App Service app to another region During a disaster", - "waf": "Reliability" + "subcategory": "Capacity Planning", + "text": "For Personal Host Pool type, select the proper assignment type", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", - "service": "App Services", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "Check which one to use and available options, autoscale ignores existing load-balancing algorithms.", + "guid": "cbd8682a-6abc-4a2a-9fda-1dbf3dc95d48", + "link": "https://docs.microsoft.com/azure/virtual-desktop/host-pool-load-balancing", "services": [ - "AppSvc", - "WAF" + "AVD" ], - "severity": "High", - "text": "Familiarize with reliability support in Azure App Service", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Capacity Planning", + "text": "For Pooled Host Pool type, select the best load balancing method", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "App Services", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "The number of cores increase, the system's synchronization overhead also increases. Especially for multiple user's sign-in simultaneously. 
Make sure not to use a VM that is too large for the session host", + "guid": "b3724959-4943-4577-a3a9-e10ff6345f24", + "link": "https://learn.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs", "services": [ - "AppSvc", - "WAF" + "VM", + "AVD" ], "severity": "Medium", - "text": "Ensure \"Always On\" is enabled for Function Apps running on a app service plan", - "waf": "Reliability" + "subcategory": "Capacity Planning", + "text": "For Pooled Host Pool type, VMs shouldn't have more than 32 cores", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "AVD does not support assigning both the RemoteApp and Desktop Application Group (DAG) in a single host pool to the same set of users. Doing so will cause a single user to have two user sessions in a single host pool. Users aren't supposed to have two active sessions at the same time in the same host pool using the same profile.", + "guid": "b384b7ed-1cdd-457e-a2cd-c8d4d55bc144", + "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#application-groups", "services": [ - "AppSvc", - "Monitor", - "WAF" + "Storage", + "AVD" + ], + "severity": "High", + "subcategory": "Capacity Planning", + "text": "Do not use the same Host Pool to offer both full desktops (DAG) and Remote Apps to the same set of users", + "waf": "Security" + }, + { + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "There is a limit of 500 Application Groups that can be created in AVD for each Microsoft Entra ID (former Azure AD) tenant. 
The limit can be increased (see the companion link for details) but it is not recommended.", + "guid": "971cc4a4-b1f7-4c12-90e0-1ad96808f00c", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-virtual-desktop-service-limits", + "services": [ + "Entra", + "ACR", + "AVD" ], "severity": "Medium", - "text": "Monitor App Service instances using Health checks", + "subcategory": "Capacity Planning", + "text": "Estimate the number of Application Groups required across all Host Pools in the Microsoft Entra ID tenant", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", - "service": "App Services", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "Applications are grouped under Application Groups as containers for publishing and assigning permissions: we recommend that you do not publish more than 50 applications per application group.", + "guid": "fa9f2895-473d-439b-ab8e-5a5cf92c7f32", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations", "services": [ - "Monitor", - "WAF" + "AVD" ], - "severity": "Medium", - "text": "Monitor availability and responsiveness of web app or website using Application Insights availability tests", + "severity": "Low", + "subcategory": "Capacity Planning", + "text": "Estimate the number of Applications for each Application Group", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", - "service": "App Services", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "FSLogix is not required for Personal Host Pools since each VM is 
statically assigned to a single user, then no immediate needs for a roaming profile solution. In some usage scenarios FSLogix can help. For example, a VM can be re-assigned, or user moved to another desktop, or roaming profile can be used to save user profile in a different location for DR purposes.", + "guid": "38b19ab6-0693-4992-9394-5590883916ec", + "link": "https://learn.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type?tabs=azure#reassign-a-personal-desktop", "services": [ - "Monitor", - "WAF" + "Storage", + "VM", + "AVD" ], "severity": "Low", - "text": "Use Application Insights Standard test to monitor availability and responsiveness of web app or website", + "subcategory": "Capacity Planning", + "text": "Evaluate the usage of FSLogix for Personal Host Pools", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "description": "Use Azure Key Vault to store any secrets the application needs. Key Vault provides a safe and audited environment for storing secrets and is well-integrated with App Service through the Key Vault SDK or App Service Key Vault References.", - "guid": "834ac932-223e-4ce8-8b12-3071a5416415", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "Use the link provided to set a starting point for SKU decision, then validate using a performance test. 
Ensure a minimum of four cores for Production is selected per Session Host (multi-session)", + "guid": "e1112dbd-7ba0-412e-9b94-ef6e047d2ea2", + "link": "https://docs.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs", "services": [ - "AppSvc", - "AKV", - "WAF" + "VM", + "AVD" ], "severity": "High", - "text": "Use Key Vault to store secrets", - "waf": "Security" + "subcategory": "Capacity Planning", + "text": "Run workload performance test to determine the best Azure VM SKU and size to use", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "description": "Use a Managed Identity to connect to Key Vault either using the Key Vault SDK or through App Service Key Vault References.", - "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "It is critical to check AVD capacity and limits reported in the referenced article. Additional limits and thresholds apply for network, compute, storage and service management. 
", + "guid": "992b1cd6-d2f5-44b2-a769-e3a691e8838a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations", "services": [ - "Entra", - "AKV", - "AppSvc", - "WAF" + "Storage", + "AVD" ], "severity": "High", - "text": "Use Managed Identity to connect to Key Vault", - "waf": "Security" + "subcategory": "Capacity Planning", + "text": "Verify AVD scalability limits for the environment", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "description": "Store the App Service TLS certificate in Key Vault.", - "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", - "service": "App Services", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "Host Pools with GPU require special configuration, please be sure to review the referenced article.", + "guid": "c936667e-13c0-4056-94b1-e945a459837e", + "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-vm-gpu", "services": [ - "AppSvc", - "AKV", - "WAF" + "AVD" ], - "severity": "High", - "text": "Use Key Vault to store TLS certificate.", - "waf": "Security" + "severity": "Low", + "subcategory": "Capacity Planning", + "text": "Determine if Session Hosts will require GPU", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "description": "Systems that process sensitive information should be isolated. To do so, use separate App Service Plans or App Service Environments and consider the use of different subscriptions or management groups.", - "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", - "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", - "service": "App Services", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "Whenever is possible, it is recommended to leverage VM SKUs with Accelerated Networking feature. 
This feature does require specific VM SKU/size and OS versions, please see the list and requirement in the companion article.", + "guid": "b47a393a-0803-4272-a479-8b1578b219a4", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", "services": [ - "AppSvc", - "Subscriptions", - "WAF" + "VM", + "AVD" ], - "severity": "Medium", - "text": "Isolate systems that process sensitive information", - "waf": "Security" + "severity": "Low", + "subcategory": "Capacity Planning", + "text": "Use Azure VM SKUs able to leverage Accelerated Networking", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "description": "Local disks on App Service are not encrypted and sensitive data should not be stored on those. (For example: D:\\\\Local and %TMP%).", - "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", - "service": "App Services", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "For proper planning and deployment, it is important to assess the maximum number of concurrent and total users for each Host Pool. Additionally, users from different regions may require different Host Pools to ensure the best user experience.", + "guid": "bb91a33d-90ca-4e2c-a881-3706f7c0cb9f", + "link": "https://learn.microsoft.com/azure/virtual-desktop/overview", "services": [ - "AppSvc", - "TrafficManager", - "WAF" + "AVD" ], "severity": "Medium", - "text": "Do not store sensitive data on local disk", - "waf": "Security" + "subcategory": "Clients & Users", + "text": "Assess how many users will connect to AVD and from which regions", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "description": "For authenticated web application, use a well established Identity Provider like Azure AD or Azure AD B2C. 
Leverage the application framework of your choice to integrate with this provider or use the App Service Authentication / Authorization feature.", - "guid": "919ca0b2-c121-459e-814b-933df574eccc", - "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", - "service": "App Services", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "The dependencies on resources external to the AVD pool should be assessed and reviewed, for example Active Directory, external file shares or other storage, on-premises services and resources, network infrastructure components like VPN and or ExpressRoute, external services and 3rd-party components. For all these resources, latency from the AVD Host Pool needs to be evaluated and connectivity considered. Additionally, BCDR considerations need to be applied to these dependencies as well.", + "guid": "6abca2a4-fda1-4dbf-9dc9-5d48c7c791dc", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop?toc=%2Fazure%2Fvirtual-desktop%2Ftoc.json&bc=%2Fazure%2Fvirtual-desktop%2Fbreadcrumb%2Ftoc.json", "services": [ - "Entra", - "AppSvc", - "WAF" + "VPN", + "Storage", + "ExpressRoute", + "AVD" ], "severity": "Medium", - "text": "Use an established Identity Provider for authentication", - "waf": "Security" + "subcategory": "Clients & Users", + "text": "Assess external dependencies for each Host Pool", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "description": "Deploy code to App Service from a controlled and trusted environment, like a well-managed and secured DevOps deployment pipeline. 
This avoids code that was not version controlled and verified to be deployed from a malicious host.", - "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", - "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", - "service": "App Services", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "AVD offers a variety of client types (fat, thin, web) to connect over different platforms (Windows, MacOS, iOS, Android). Review limitations of each client and compare multiple options when possible.", + "guid": "a1f6d565-99e5-458b-a37d-4985e1112dbd", + "link": "https://learn.microsoft.com/azure/virtual-desktop/users/connect-windows", "services": [ - "AppSvc", - "WAF" + "AVD" ], - "severity": "High", - "text": "Deploy from a trusted environment", - "waf": "Security" + "severity": "Low", + "subcategory": "Clients & Users", + "text": "Review user client OS used and AVD client type", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "description": "Disable basic authentication for both FTP/FTPS and for WebDeploy/SCM. This disables access to these services and enforces the use of Azure AD secured endpoints for deployment. Note that the SCM site can also be opened using Azure AD credentials.", - "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", - "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", - "service": "App Services", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "Depending on the user locations, and AVD region deployment, users may have a non-optimal experience, hence is important to test as soon as possible in a small PoC environment. Run the 'Azure Virtual Desktop Experience Estimator' tool to select the best Azure region to deploy Host Pools. 
Beyond 150ms latency, user experience may be not optimal.", + "guid": "d2f54b29-769e-43a6-a1e8-838ac936667e", + "link": "https://azure.microsoft.com/services/virtual-desktop/assessment/", "services": [ - "Entra", - "WAF" + "AVD" ], "severity": "High", - "text": "Disable basic authentication", - "waf": "Security" + "subcategory": "Clients & Users", + "text": "Run a PoC to validate end-to-end user experience and impact of network latency", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "description": "Where possible use Managed Identity to connect to Azure AD secured resources. If this is not possible, store secrets in Key Vault and connect to Key Vault using a Managed Identity instead.", - "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", - "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", - "service": "App Services", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "RDP settings can currently only be configured at the host pool level, not per user/group. 
If different settings are required for different set of users, it is recommended to create multiple Host Pools.", + "guid": "3b365a5c-7acb-4e48-abe5-4cd79f2e8776", + "link": "https://docs.microsoft.com/azure/virtual-desktop/customize-rdp-properties", "services": [ - "Entra", - "AKV", - "WAF" + "AVD" ], - "severity": "High", - "text": "Use Managed Identity to connect to resources", + "severity": "Low", + "subcategory": "Clients & Users", + "text": "Assess and document RDP settings for all user groups", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Where using images stored in Azure Container Registry, pull these using a Managed Identity.", - "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", - "service": "App Services", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "AVD is a non-regional service, Host Pools can be created in any region, automatic redirection from closest front-end will happen automatically.", + "guid": "42e52f47-21d9-428c-8b1b-d521e44a29a9", + "link": "https://azure.microsoft.com/global-infrastructure/services/?products=virtual-desktop", "services": [ - "Entra", - "ACR", - "WAF" + "AVD" ], "severity": "High", - "text": "Pull containers using a Managed Identity", - "waf": "Security" + "subcategory": "General", + "text": "Determine in which Azure regions AVD Host Pools will be deployed.", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "description": "By configuring the diagnostic settings of App Service, you can send all telemetry to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor runtime activity of App Service such as HTTP logs, application logs, platform logs, ...", - "guid": "47768314-c115-4775-a2ea-55b46ad48408", - "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", - "service": "App Services", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "AVD must store metadata to support the service; this is stored in the specified geography. However, this is independent of the regions where Host Pools are located.", + "guid": "bad37ead-53cc-47ce-8d7a-aab3571449ab", + "link": "https://docs.microsoft.com/azure/virtual-desktop/data-locations", "services": [ - "AppSvc", - "Entra", - "Monitor", - "WAF" + "AVD" ], "severity": "Medium", - "text": "Send App Service runtime logs to Log Analytics", - "waf": "Security" + "subcategory": "General", + "text": "Determine metadata location for AVD service", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the App Service resource itself.", - "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", - "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", - "service": "App Services", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "Check for specific VM SKUs, especially if you need GPU or high-specs SKUs, and eventually Azure NetApp Files if used.", + "guid": "8053d89e-89dc-47b3-9be2-a1a27f7a9e91", + "link": "https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", "services": [ - "AppSvc", - "Entra", - "Monitor", - "WAF" + "Storage", + "VM", + "AVD" ], - "severity": "Medium", - "text": "Send App Service activity logs to Log Analytics", - "waf": "Security" + "severity": "Low", + "subcategory": "General", + "text": "Check Azure quotas and availability for specific VM sizes and types in the selected regions", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "description": "Control outbound network access using a combination of regional VNet integration, network security groups and UDR's. Traffic should be routed to an NVA such as Azure Firewall. Ensure to monitor the Firewall's logs.", - "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", - "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", - "service": "App Services", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "AD DCs in Azure are recommended (at least two in different AZ) to reduce latency for users logging into AVD session hosts, and eventually for Azure NetApp Files and AD integration. A DC need to be able to talk to DCs for ALL child domains. 
As alternative, on-premise connectivity must be used to reach AD DCs.", + "guid": "c14aea7e-65e8-4d9a-9aec-218e6436b073", + "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", "services": [ + "Storage", "VNet", - "Monitor", - "Firewall", - "NVA", - "WAF" + "Entra", + "AVD" ], "severity": "Medium", - "text": "Outbound network access should be controlled", - "waf": "Security" + "subcategory": "Active Directory", + "text": "Create at least two Active Directory Domain Controllers (DCs) in Azure VNet environment close to AVD Host Pool", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "description": "You can provide a stable outbound IP by using VNet integration and using a VNet NAT Gateway or an NVA like Azure Firewall. This allows the receiving party to allow-list based on IP, should that be needed. Note that for communications towards Azure Services often there's no need to depend on the IP address and mechanics like Service Endpoints should be used instead. (Also the use of private endpoints on the receiving end avoids for SNAT to happen and provides a stable outbound IP range.)", - "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", - "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", - "service": "App Services", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "Recommended to create a separate OU per Host Pool under a separate OU hierarchy. These OUs will contain machine accounts of AVD Session Hosts. 
", + "guid": "6db55f57-9603-4334-adf9-cc23418db612", + "link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace", "services": [ - "VNet", - "Firewall", - "PrivateLink", - "Storage", - "NVA", - "WAF" + "Entra", + "AVD" ], - "severity": "Low", - "text": "Ensure a stable IP for outbound communications towards internet addresses", - "waf": "Security" - }, - { - "checklist": "WAF checklist", - "description": "Control inbound network access using a combination of App Service Access Restrictions, Service Endpoints or Private Endpoints. Different access restrictions can be required and configured for the web app itself and the SCM site.", - "guid": "0725769e-e669-41a4-a34a-c932223ece80", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", - "services": [ - "AppSvc", - "PrivateLink", - "WAF" - ], - "severity": "High", - "text": "Inbound network access should be controlled", - "waf": "Security" + "severity": "Medium", + "subcategory": "Active Directory", + "text": "Create a specific OU in Active Directory for each Host Pool", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "description": "Protect against malicious inbound traffic using a Web Application Firewall like Application Gateway or Azure Front Door. Make sure to monitor the WAF's logs.", - "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", - "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", - "service": "App Services", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "Carefully review, and potentially block/filter inheritance of GPOs to the OUs containing AVD Host Pools. 
", + "guid": "7126504b-b47a-4393-a080-327294798b15", + "link": "https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-hierarchy", "services": [ - "Monitor", - "FrontDoor", - "AppSvc", - "AppGW", - "WAF" + "Entra", + "AVD" ], - "severity": "High", - "text": "Use a WAF in front of App Service", - "waf": "Security" + "severity": "Medium", + "subcategory": "Active Directory", + "text": "Review Domain GPOs that will be applied to OU and impacting Host Pool Session Hosts functionalities", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "description": "Make sure the WAF cannot be bypassed by locking down access to only the WAF. Use a combination of Access Restrictions, Service Endpoints and Private Endpoints.", - "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "If Active Directory Domain GPOs are used, it is recommended to configure FSLogix using the built-in provided GPO ADMX template referenced in the companion article in the 'More Info' column", + "guid": "2226a8e3-50a4-4ac3-8bd6-ee150553051f", + "link": "https://learn.microsoft.com/fslogix/how-to-use-group-policy-templates", "services": [ - "PrivateLink", - "WAF" + "Entra", + "AVD" ], - "severity": "High", - "text": "Avoid for WAF to be bypassed", - "waf": "Security" + "severity": "Medium", + "subcategory": "Active Directory", + "text": "Configure FSLogix settings using the built-in provided GPO ADMX template", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "description": "Set minimum TLS policy to 1.2 in App Service configuration.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", - "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", - "link": 
"https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", - "service": "App Services", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "It is recommended to have a specific dedicated account with minimal permissions, and without the default 10 joins limitation. Review the companion article for more details.", + "guid": "347dc560-28a7-41ff-b1cd-15dd2f0d5e77", + "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#session-hosts", "services": [ - "AppSvc", - "AzurePolicy", - "WAF" + "Entra", + "VM", + "AVD" ], "severity": "Medium", - "text": "Set minimum TLS policy to 1.2", + "subcategory": "Active Directory", + "text": "Create a dedicated user account with only permissions to join VM to the domain", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Configure App Service to use HTTPS only. This causes App Service to redirect from HTTP to HTTPS. Strongly consider the use of HTTP Strict Transport Security (HSTS) in your code or from your WAF, which informs browsers that the site should only be accessed using HTTPS.", - "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", - "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", - "service": "App Services", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "Avoid granting access per user, instead use AD groups and replicate them using Active Directory Connector (ADC) in Microsoft Entra ID (former Azure AD). 
", + "guid": "2d41e361-1cc5-47b4-a4b1-410d43958a8c", + "link": "https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups", "services": [ - "AppSvc", - "WAF" + "Entra", + "AVD" ], - "severity": "High", - "text": "Use HTTPS only", + "severity": "Medium", + "subcategory": "Active Directory", + "text": "Create a domain user group for each set of users that will be granted access to each Host Pool Application Group (DAG or RAG)", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Do not use wildcards in your CORS configuration, as this allows all origins to access the service (thereby defeating the purpose of CORS). Specifically only allow the origins that you expect to be able to access the service.", - "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", - "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", - "service": "App Services", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "If Azure Files Active Directory (AD) integration is used, as part of the configuration procedure, an AD account to represent the storage account (file share) will be created. You can choose to register as a computer account or service logon account, see FAQ for details. For computer accounts, there is a default password expiration age set in AD at 30 days. Similarly, the service logon account may have a default password expiration age set on the AD domain or Organizational Unit (OU). For both account types, we recommend you check the password expiration age configured in your AD environment and plan to update the password of your storage account identity of the AD account before the maximum password age. 
You can consider creating a new AD Organizational Unit (OU) in AD and disabling password expiration policy on computer accounts or service logon accounts accordingly.", + "guid": "2289b3d6-b57c-4fc6-9546-1e1a3e3453a3", + "link": "https://docs.microsoft.com/azure/storage/files/storage-files-identity-ad-ds-enable", "services": [ "Storage", - "WAF" + "Entra", + "AzurePolicy", + "AVD" ], "severity": "High", - "text": "Wildcards must not be used for CORS", + "subcategory": "Active Directory", + "text": "Review your organization password expiration policy for accounts used by Azure Files AD integration", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Remote debugging must not be turned on in production as this opens additional ports on the service which increases the attack surface. Note that the service does turn of remote debugging automatically after 48 hours.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", - "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", - "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", - "service": "App Services", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "You can configure this using Active Directory Connect (ADC) or Azure AD Domain Services (for hybrid or cloud organizations). 
Microsoft Entra ID is the new name for Azure Active Directory (Azure AD).", + "guid": "5119bf8e-8f58-4542-a7d9-cec166cd072a", + "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity", "services": [ - "WAF" + "Entra", + "AVD" ], "severity": "High", - "text": "Turn off remote debugging", - "waf": "Security" + "subcategory": "Active Directory", + "text": "A Windows Server Active Directory forest/domain must be in sync with Microsoft Entra ID", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "description": "Enable Defender for App Service. This (amongst other threats) detects communications to known malicious IP addresses. Review the recommendations from Defender for App Service as part of your operations.", - "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", - "service": "App Services", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "If Azure Files is used and pre-requisites can be satisfied, it is recommended to configure (Microsoft Entra ID) Kerberos authentication. 
This configuration will allow to store FSLogix profiles that can be accessed by hybrid user identities from Azure AD-joined session hosts without requiring network line-of-sight to domain controllers.", + "guid": "e777fd5e-c5f1-4d6e-8fa9-fc210b88e338", + "link": "https://learn.microsoft.com/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable", "services": [ - "AppSvc", - "Defender", - "WAF" + "Storage", + "Entra", + "AVD" ], "severity": "Medium", - "text": "Enable Defender for Cloud - Defender for App Service", + "subcategory": "Microsoft Entra ID", + "text": "Configure Azure Files share for Microsoft Entra ID (former Azure AD) Kerberos authentication on Microsoft Entra ID Joined scenario", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.", - "guid": "223ece80-b123-4071-a541-6415833ea3ad", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "App Services", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "An Azure subscription must be parented to the same Microsoft Entra ID (former Azure AD) tenant, that contains a virtual network that either contains or is connected to the Windows Server Active Directory Domain Services or Microsoft Entra ID Domain Services instance.", + "guid": "6ceb5443-5125-4922-9442-93bb628537a5", + "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity", "services": [ - "EventHubs", "VNet", - "DDoS", - "NVA", - "AppGW", - "WAF" + "Entra", + "Subscriptions", + "AVD" ], - "severity": "Medium", - "text": "Enable DDOS Protection 
Standard on the WAF VNet", - "waf": "Security" + "severity": "High", + "subcategory": "Requirements", + "text": "A Microsoft Entra ID tenant must be available with at least one subscription linked", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "description": "Where using images stored in Azure Container Registry, pull these over a virtual network from Azure Container Registry using its private endpoint and the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'.", - "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", - "service": "App Services", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "Azure Virtual Desktop supports different types of identities depending on which configuration you choose. Please review the supported scenarios mentioned in the 'More Info' article and document the design decision accordingly in the 'Comment' column. Critically, external identities (B2B or B2C) are not supported. 
Be sure to review also the list of supported scenarios in https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios.", + "guid": "b4ce4781-7557-4a1f-8043-332ae199d44c", + "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication", "services": [ - "PrivateLink", - "VNet", - "ACR", - "WAF" + "Entra", + "AVD" ], - "severity": "Medium", - "text": "Pull containers over a Virtual Network", + "severity": "High", + "subcategory": "Requirements", + "text": "Review and document your identity scenario", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Conduct a penetration test on the web application following the penetration testing rules of engagement.", - "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", - "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", - "service": "App Services", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "Users need accounts that are in Microsoft Entra ID (former Azure AD). If you're also using AD DS or Azure AD Domain Services in your deployment of Azure Virtual Desktop, these accounts will need to be hybrid identities, which means the user accounts are synchronized. If you're using Microsoft Entra ID with AD DS, you'll need to configure Azure AD Connect to synchronize user identity data between AD DS and Microsoft Entra ID. If you're using Microsoft Entra ID with Azure AD Domain Services, user accounts are synchronized one way from Microsoft Entra ID to Azure AD Domain Services. This synchronization process is automatic. AVD also supports Microsoft Entra ID native accounts with some restrictions. 
External identities (B2B or B2C) are not supported.", + "guid": "f9b141a8-98a5-435e-9378-97e71ca7da7b", + "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios", "services": [ - "WAF" + "Entra", + "AVD" ], "severity": "Medium", - "text": "Conduct a penetration test", + "subcategory": "Requirements", + "text": "Assess User Account types and requirements", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.", - "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", - "service": "App Services", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "AVD supports SSO using either Active Directory Federation Services (AD FS) or Microsoft Entra ID (former Azure AD) authentication. The latter is recommended, please check the requirements and limitation in the 'More Info' article. 
Using AD FS could be a viable choice if already present in the customer environment, it is not recommended to deploy a brand new ADFS infrastructure just for AVD SSO implementation.", + "guid": "5f9f680a-ba07-4429-bbf7-93d7071561f4", + "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication#single-sign-on-sso", "services": [ - "WAF" + "Entra", + "AVD" ], "severity": "Medium", - "text": "Deploy validated code", - "waf": "Security" + "subcategory": "Requirements", + "text": "If Single-Sign On (SSO) is a requirement, review the supported scenarios and prerequisites", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.", - "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", - "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", - "service": "App Services", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "VMs can be Windows Active Directory (AD) domain-joined, Hybrid AD-joined, Microsoft Entra ID (former Azure AD) Joined or Azure AD Domain Services joined. 
Be sure to review supported scenarios, limitations and requirements from the referenced article.", + "guid": "ea962a15-9394-46da-a7cc-3923266b2258", + "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios", "services": [ - "WAF" + "Entra", + "VM", + "AVD" ], "severity": "High", - "text": "Use up-to-date platforms, languages, protocols and frameworks", + "subcategory": "Requirements", + "text": "Select the proper AVD Session Host domain join type", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", - "service": "Azure Monitor", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "Compare self-managed Windows Active Directory Domain Services, Microsoft Entra ID (former Azure AD), and managed Azure AD Domain Services (AAD-DS)", + "guid": "6f4a1651-bddd-4ea8-a487-cdeb4861bc3b", + "link": "https://docs.microsoft.com/azure/active-directory-domain-services/compare-identity-solutions", + "services": [ + "Entra", + "AVD" + ], + "severity": "Low", + "subcategory": "Requirements", + "text": "Before using Azure AD Domain Services (AAD-DS) for AVD, be sure to review the limitations.", + "waf": "Reliability" + }, + { + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "AVD provides administrative templates for Intune and Active Directory GPO. Using these templates it is possible to centrally control several AVD configuration settings: Graphics related data logging, Screen capture protection, RDP Shortpath for managed networks, Watermarking. See companion article in 'More Info' colum for details. 
NOTE: FSLogix has its own separate template.", + "guid": "5549524b-36c0-4f1a-892b-ab3ca78f5db2", + "link": "https://learn.microsoft.com/azure/virtual-desktop/administrative-template", "services": [ + "Entra", "Monitor", - "WAF" + "AVD" ], - "severity": "Medium", - "text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "Cost" + "severity": "Low", + "subcategory": "Management", + "text": "Use built-in provided administrative templates for AVD settings configuration", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "45901365-d38e-443f-abcb-d868266abca2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Azure Backup", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "Determine if a configuration management tool is already in place to manage Host Pool VM configuration after initial deployment, For example SCCM/SCOM, Intune/ConfigurationManager, 3rd-party solutions.", + "guid": "3334fdf9-1c23-4418-8b65-285269440b4b", + "link": "https://learn.microsoft.com/azure/virtual-desktop/management", "services": [ - "Backup", - "WAF" + "Monitor", + "VM", + "AVD" ], - "severity": "Medium", - "text": "check backup instances with the underlying datasource not found", - "waf": "Cost" + "severity": "Low", + "subcategory": "Management", + "text": "Plan AVD Session Hosts configuration management strategy", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "VM", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": 
"We recommend using Microsoft Intune, if requirements can be satisfied, to manage your Azure Virtual Desktop environment. Review supported scenarios and requirements to enable Intune for AVD Session Host management in the referenced article in the “More Info” column. Document your choice in the 'Comment' column. In that article, review the different requirements and capabilities for single-session https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop and multi-session https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session AVD.", + "guid": "63a08be1-6004-4b4a-a79b-f3239faae113", + "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop", "services": [ - "WAF" + "Monitor", + "AVD" ], "severity": "Medium", - "text": "Delete or archive unassociated services (disks, nics, ip addresses etc)", - "waf": "Cost" + "subcategory": "Management", + "text": "Evaluate Intune for AVD Session Hosts management", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Azure Backup", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "The scaling tool provides a low-cost automation option for customers who want to optimize their session host VM costs. You can use the scaling tool to schedule VMs to start and stop based on Peak and Off-Peak business hours, scale out VMs based on number of sessions per CPU core, scale in VMs during Off-Peak hours, leaving the minimum number of session host VMs running. 
Not available yet for Personal Host Pool type.", + "guid": "7138b820-102c-4e16-be30-1e6e872e52e3", + "link": "https://learn.microsoft.com/azure/virtual-desktop/autoscale-scenarios", "services": [ - "Backup", - "Storage", - "ASR", - "WAF" + "Monitor", + "VM", + "Cost", + "AVD" ], "severity": "Medium", - "text": "Consider a good balance between site recovery storage and backup for non mission critical applications", - "waf": "Cost" + "subcategory": "Management", + "text": "Assess the requirements for host pool auto-scaling capability", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", - "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", - "service": "Azure Monitor", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "Start VM On Connect lets you reduce costs by enabling end users to turn on their session host virtual machines (VMs) only when they need them. You can then turn off VMs when they're not needed. You can configure Start VM on Connect for personal or pooled host pools using the Azure portal or PowerShell. Start VM on Connect is a host pool wide setting.", + "guid": "55f612fe-f215-4f0d-a956-10e7dd96bcbc", + "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect", "services": [ "Monitor", - "WAF" + "VM", + "Cost", + "AVD" ], - "severity": "Medium", - "text": "Check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily cap, in addition to creating an alert when the cap is reached,ensure that you also create an alert rule to be notified when some percentage has been reached (90% for example). 
- consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", + "severity": "Low", + "subcategory": "Management", + "text": "Consider the usage of Start VM on Connect for Personal Host Pools", "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Azure Monitor", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "'Start VM On Connect' provides a smart way to automatically start previously stopped Session Hosts but does not provide a mechanism to shut down when not in used. Administrators are encouraged to configure additional policies to sign users out of their sessions and run Azure automation scripts to de-allocate VMs. 
Users should be not allowed to shut down their Personal Hosts since will not be able to de-allocate Azure VMs, then billing will still be active with no cost reduction.", + "guid": "79a686ea-d971-4ea0-a9a8-1aea074c94cb", + "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect-faq#are-vms-automatically-deallocated-when-a-user-stops-using-them", "services": [ + "Cost", + "Monitor", + "VM", "AzurePolicy", - "Storage", - "WAF" + "AVD" ], - "severity": "Medium", - "text": "Enforce a purging log policy and automation (if needed, logs can be moved to cold storage)", - "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", + "severity": "Low", + "subcategory": "Management", + "text": "Evaluate the implementation of an ad-hoc mechanism to shut down Personal AVD Session Hosts", "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "VM", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "Azure Virtual Desktop billing is mainly based on cost associated to compute, networking and storage resources consumed by Host Pools. In addition to this, costs can be generated by dependent resources, for example VPN or ExpressRoute or vWAN, Active Directory Domain Controllers, DNS, etc. There is no direct cost associated to AVD objects like workspaces, host pools or application groups. To make AVD associated costs more evident and grouped by Host Pool, it is recommended to use 'cm-resource-parent' tag. 
", + "guid": "51bcafca-476a-48fa-9b91-9645a7679f20", + "link": "https://learn.microsoft.com/azure/virtual-desktop/tag-virtual-desktop-resources", "services": [ - "Backup", "Storage", - "WAF" + "VWAN", + "DNS", + "ExpressRoute", + "Cost", + "VPN", + "Monitor", + "AVD" ], - "severity": "Medium", - "text": "Check that the disks are really needed, if not: delete. If they are needed, find lower storage tiers or use backup -", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", + "severity": "Low", + "subcategory": "Management", + "text": "Review and adopt suggested Azure Tags for Azure Virtual Desktop", "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "d1e44a19-659d-4395-afd7-7289b835556d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Storage", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "Azure Advisor analyzes your configurations and telemetry to offer personalized recommendations to solve common problems. 
With these recommendations, you can optimize your Azure resources for reliability, security, operational excellence, performance, and cost.", + "guid": "611dd68c-5a4b-4252-8e44-a59a9c2399c4", + "link": "https://learn.microsoft.com/azure/virtual-desktop/azure-advisor-recommendations", "services": [ - "AzurePolicy", - "Storage", - "WAF" + "Entra", + "Monitor", + "Cost", + "AVD" ], - "severity": "Medium", - "text": "Consider moving unused storage to lower tier, with customized rule - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "waf": "Cost" + "severity": "Low", + "subcategory": "Management", + "text": "Periodically check Azure Advisor recommendations for AVD", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "VM", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "Customers have several options: Microsoft Configuration Manager, this article explains how to automatically apply updates to a Azure Virtual Desktop session hosts running Windows 10/11: https://learn.microsoft.com/azure/virtual-desktop/configure-automatic-updates, Microsoft Intune: https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session, Azure Update Management and WSUS for Windows Server OS only (client OS not supported: https://learn.microsoft.com/azure/automation/update-management/operating-system-requirements), 3rd Party tools. 
Outside an emergency security patching situation, it is recommended to move away from an 'in-place' update strategy patching strategy and adopt a re-imaging approach.", + "guid": "04722da2-9c2b-41cd-922f-54b29bade3aa", + "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop-multi-session", "services": [ - "VM", - "WAF" + "Monitor", + "AVD" ], "severity": "Medium", - "text": "Make sure advisor is configured for VM right sizing ", - "waf": "Cost" + "subcategory": "Management", + "text": "Plan for a Session Host emergency patching and update strategy", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "description": "check by searching the Meter Category Licenses in the Cost analysys", - "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", - "service": "VM", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "The Scheduled Agent Updates feature lets you create up to two maintenance windows per Host Pool to update AVD components at a convenient time. It is recommended to specify maintenance windows then upgrading Session Hosts will not happen during peak business hours. Scheduled Agent Updates is disabled by default. 
This means that, unless you enable this setting, the agent can get updated at any time by the agent update flighting service.", + "guid": "c067939b-e5ca-4698-b9ce-3bd91843e73f", + "link": "https://learn.microsoft.com/azure/virtual-desktop/scheduled-agent-updates", "services": [ - "AzurePolicy", - "VM", - "Cost", - "WAF" + "Monitor", + "AVD" ], - "severity": "Medium", - "text": "run the script on all windows VMs https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- consider implementing a policy if windows VMs are created frequently", - "waf": "Cost" + "severity": "Low", + "subcategory": "Management", + "text": "Configure the Scheduled Agent Updates feature", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "VM", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "Host pools are a collection of one or more identical virtual machines within Azure Virtual Desktop environment. We highly recommend you create a validation host pool where service updates are applied first. 
This allows you to monitor service updates before the service applies them to your standard or non-validation environment.", + "guid": "d1e8c38e-c936-4667-913c-005674b1e944", + "link": "https://docs.microsoft.com/azure/virtual-desktop/create-validation-host-pool", "services": [ - "LoadBalancer", - "WAF" + "Monitor", + "VM", + "AVD" ], "severity": "Medium", - "text": " this can be also put under AHUB if you already have licenses https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", - "waf": "Cost" + "subcategory": "Management", + "text": "Create a validation (canary) Host Pool", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "VM", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "An AVD Host Pool can be deployed in several ways: Azure Portal, ARM templates, Azure CLI tool, Powershell, manual VM creation with registration token, Terraform, 3rd-party tools. 
It is important to adopt proper method/s to support automatic deployment through automation and CI/CD tools.", + "guid": "a459c373-e7ed-4616-83b3-65a917ecbe48", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-platform-automation-and-devops", "services": [ + "Monitor", "VM", - "WAF" + "AVD" ], "severity": "Medium", - "text": "Consolidate reserved VM families with flexibility option (no more than 4-5 families)", - "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", - "waf": "Cost" + "subcategory": "Management", + "text": "Determine Host Pool deployment strategy", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", - "service": "VM", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "After you register a VM to a host pool within the Azure Virtual Desktop service, the agent regularly refreshes the VM's token whenever the VM is active. The certificate for the registration token is valid for 90 days. 
Because of this 90-day limit, we recommend VMs to be online for 20 minutes every 90 days so that the machine can refresh its tokens and update the agent and side-by-side stack components.", + "guid": "ebe54cd7-df2e-48bb-ac35-81559bb9153e", + "link": "https://docs.microsoft.com/azure/virtual-desktop/faq", "services": [ - "Cost", - "ARS", + "Monitor", "VM", - "WAF" + "AVD" ], "severity": "Medium", - "text": "Utilize Azure Reserved Instances: This feature allows you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.", - "waf": "Cost" + "subcategory": "Management", + "text": "Turn on Session Host VMs at least every 90 days for token refresh", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", - "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", - "service": "VM", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "Azure Virtual Desktop Insights is a dashboard built on Azure Monitor Workbooks that helps IT professionals understand their Azure Virtual Desktop environments. 
Read the referenced article to learn how to set up Azure Monitor for Azure Virtual Desktop to monitor your AVD environments.", + "guid": "63cfff1c-ac59-49ef-8d5a-83dd4de36c1c", + "link": "https://learn.microsoft.com/azure/virtual-desktop/insights", "services": [ - "WAF" + "Monitor", + "AVD" ], - "severity": "Medium", - "text": "Only larger disks can be reserved => 1 TiB -", - "waf": "Cost" + "severity": "High", + "subcategory": "Monitoring", + "text": "Enable monitoring for AVD", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", - "service": "VM", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "Azure Virtual Desktop uses Azure Monitor and Log Analytics for monitoring and alerts like many other Azure services. This lets admins identify issues through a single interface. The service creates activity logs for both user and administrative actions. Each activity log falls under the following categories: Management, Feed, Connections, Host Registration, Errors, Checkpoints. 
", + "guid": "81770afb-c4c0-4e43-a186-58d2857ed671", + "link": "https://docs.microsoft.com/azure/virtual-desktop/diagnostics-log-analytics", "services": [ - "WAF" + "Monitor", + "VM", + "AVD" ], "severity": "Medium", - "text": "After the right-sizing optimization", - "waf": "Cost" + "subcategory": "Monitoring", + "text": "Enable diagnostic settings for Workspaces, Host Pools, Application Groups and Host VMs to Log Analytics workspace", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Azure SQL", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "See the referenced article and this additional one to setup proper monitoring and alerting for storage: https://docs.microsoft.com/azure/storage/files/storage-troubleshooting-files-performance. ", + "guid": "2463cffe-179c-4599-be0d-5973dd4ce32c", + "link": "https://docs.microsoft.com/azure/storage/files/storage-files-monitoring?tabs=azure-portal", "services": [ - "AzurePolicy", - "SQL", - "Cost", - "WAF" + "Storage", + "Monitor", + "AVD" ], "severity": "Medium", - "text": "Check if applicable and enforce policy/change https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", - "waf": "Cost" + "subcategory": "Monitoring", + "text": "Create alerts on the profile storage to be alerted in case of high usage and throttling", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "VM", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "You can 
use Azure Service Health to monitor service issues and health advisories for Azure Virtual Desktop. Azure Service Health can notify you with different types of alerts (for example, email or SMS), help you understand the effect of an issue, and keep you updated as the issue resolves.", + "guid": "18813706-f7c4-4c0d-9e51-4548d2457ed6", + "link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-service-alerts", "services": [ - "VM", - "WAF" + "Monitor", + "AVD" ], "severity": "Medium", - "text": "The VM + license part discount (ahub + 3YRI) is around 70% discount", - "waf": "Cost" + "subcategory": "Monitoring", + "text": "Configure Azure Service Health for AVD alerts ", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "VM", + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "If required to connect to on-premises environment, assess the current connectivity option or plan for the required connectivity (ExpressRoute, Azure S2S or 3rd-party NVA VPN). 
", + "guid": "dd399cfd-7b28-4dc8-9555-6202bfe4563b", + "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/", "services": [ - "VM", - "WAF" + "VPN", + "ExpressRoute", + "NVA", + "AVD" ], "severity": "Medium", - "text": "Consider using a VMSS to match demand rather than flat sizing", - "waf": "Cost" + "subcategory": "Networking", + "text": "Determine if hybrid connectivity is required to connect to on-premises environment", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "AKS", + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "AVD Host Pools can be deployed in either Azure Virtual WAN or traditional 'Hub & Spoke' network topologies. It is recommended to deploy each Host Pool in a separate 'spoke' VNet, using 'hub' is not recommended.", + "guid": "c8639648-a652-4d6c-85e5-02965388e5de", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-network-topology-and-connectivity", "services": [ - "AKS", - "WAF" + "VNet", + "VWAN", + "AVD" ], "severity": "Medium", - "text": "Use AKS autoscaler to match your clusters usage (make sure the pods requirements match the scaler)", - "waf": "Cost" + "subcategory": "Networking", + "text": "Determine Azure Virtual Network (VNet) placement for each AVD Host Pool", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Azure Backup", + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "Evaluate the bandwidth requirements, ensure VPN/ER 
bandwidth will be enough, ensure proper routing and firewall rules are in place, test end-to-end latency. ", + "guid": "d227dd14-2b06-4c21-a799-9a646f4389a7", + "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/", "services": [ - "WAF" + "VPN", + "AVD" ], "severity": "Medium", - "text": "Move recovery points to vault-archive where applicable (Validate)", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "Cost" + "subcategory": "Networking", + "text": "Assess which on-premises resources are required from AVD Host Pools", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", - "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", - "service": "Databricks", + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "Several options are available. You can use Azure Firewall or equivalent 3rd-party NVA, Network Security Group (NSG) and/or Proxy servers. NSG is not able to enable/disable by URL, only ports and protocols. Proxy should be used only as explicit setting in user browser. Details on using Azure Firewall Premium with AVD are reported in the companion article in the 'More Info' column. Be sure to allow proper access to required AVD URLs. Forced Tunneling to on-premises is not recommended.", + "guid": "fc4972cd-3cd2-41bf-9703-6e5e6b4bed3d", + "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", "services": [ - "VM", - "LoadBalancer", - "WAF" + "VNet", + "Firewall", + "NVA", + "AVD" ], "severity": "Medium", - "text": "Consider using Spot VMs with fallback where possible. 
Consider autotermination of clusters.", - "waf": "Cost" + "subcategory": "Networking", + "text": "Need to control/restrict Internet outbound traffic for AVD hosts?", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", - "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", - "service": "Azure Functions", + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "Required URLs for AVD control plane access by session hosts are documented here: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list. A check tool is available to verify connectivity from the session hosts: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list#required-url-check-tool. Forced Tunneling to on-premises is not recommended.", + "guid": "65c7acbe-45bb-4e60-ad89-f2e87778424d", + "link": "https://docs.microsoft.com/azure/virtual-desktop/safe-url-list", "services": [ - "WAF" + "AVD" ], - "severity": "Medium", - "text": "Functions - Reuse connections", - "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", - "waf": "Cost" + "severity": "High", + "subcategory": "Networking", + "text": "Ensure AVD control plane endpoints are accessible", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", - "link": "https://learn.microsoft.com/azure/automation/update-management/overview", - "service": "Azure Functions", + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "Consider the usage of Azure Defender Endpoint or similar 3rd-party agents to control user web navigation, see the Security section for more details.", + "guid": "73676ae4-6691-4e88-95ad-a42223e13810", + "link": 
"https://learn.microsoft.com/microsoft-365/security/defender-endpoint/onboard-windows-multi-session-device?view=o365-worldwide", "services": [ - "WAF" + "Defender", + "AVD" ], "severity": "Medium", - "text": "Functions - Cache data locally", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", - "waf": "Cost" + "subcategory": "Networking", + "text": "Need to control/restrict Internet outbound traffic only for users on AVD hosts? ", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Azure Functions", + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "Custom UDR and NSG can be applied to AVD Host Pool subnets, for example to redirect to Azure Firewall or NVA, or to filter/block network traffic. In this case is recommended to carefully review to ensure optimal path for outbound traffic to AVD control plane is used. Service Tags can now be used with UDR and NSG, then AVD management plane traffic can be easily allowed: https://learn.microsoft.com/azure/virtual-desktop/safe-url-list.", + "guid": "523181a9-4174-4158-93ff-7ae7c6d37431", + "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", "services": [ - "Storage", - "WAF" + "VNet", + "Firewall", + "NVA", + "AVD" ], - "severity": "Medium", - "text": "Functions - Cold starts-Use the 'Run from package' functionality. This way, the code is downloaded as a single zip file. 
This can, for example, result in significant improvements with Javascript functions, which have a lot of node modules.Use language specific tools to reduce the package size, for example, tree shaking Javascript applications.", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "Cost" + "severity": "Low", + "subcategory": "Networking", + "text": "Review custom UDR and NSG for AVD Host Pool subnets", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "Azure Functions", + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "Network traffic from AVD Session Host VMs to AVD control plane should be as direct as possible. Redirecting this traffic through a Proxy or Firewall with deep packet inspection and/or SSL termination could cause serious issues and bad customer experience. It is recommended to bypass Proxy and Firewall just for the AVD control plane. User generated traffic surfing the web instead, should be filtered by Firewall and/or redirected to a Proxy. 
For details and guidelines, please see the companion article in the 'More Info' column.",
+ "guid": "cc6edca0-aeca-4566-9e92-cf246f1465af",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/proxy-server-support",
"services": [
- "WAF"
+ "VM",
+ "AVD"
],
- "severity": "Medium",
- "text": "Functions - Keep your functions warm",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
- "waf": "Cost"
+ "severity": "High",
+ "subcategory": "Networking",
+ "text": "Do not use Proxy servers, SSL termination and Deep Packet Inspection for AVD control plane traffic",
+ "waf": "Reliability"
},
{
- "checklist": "WAF checklist",
- "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Azure Functions",
+ "category": "Networking",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "It is recommended to assess and review networking bandwidth requirements for users, based on the specific workload type. The referenced article provide general estimations and recommendations, but specific measure are required for proper sizing. 
",
+ "guid": "516785c6-fa96-4c96-ad88-408f372734c8",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/rdp-bandwidth",
"services": [
- "WAF"
+ "VM",
+ "AVD"
],
- "severity": "Medium",
- "text": "When using autoscale with different functions, there might be one driving all the autoscale for all the resources - consider moving it to a separate consumption plan (and consider higher plan for CPU)",
- "waf": "Cost"
+ "severity": "Low",
+ "subcategory": "Networking",
+ "text": "Check the network bandwidth required for each user and in total for the VM SKU",
+ "waf": "Performance"
},
{
- "checklist": "WAF checklist",
- "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8",
- "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal",
- "service": "Azure Functions",
+ "category": "Networking",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "If Azure Files SMB share will be used to store user profiles via FSLogix, the usage of Private Endpoint (PE) for private access to the storage is recommended. AVD Session Hosts will access the storage using a private IP in the same VNet, a separate subnet is recommended. This feature has an additional cost that must be evaluated. 
If PE will not be used, at least Service Endpoint is recommended (no cost associated).",
+ "guid": "ec27d589-9178-426d-8df2-ff60020f30a6",
+ "link": "https://learn.microsoft.com/azure/storage/files/storage-files-networking-endpoints",
"services": [
- "WAF"
+ "Storage",
+ "VNet",
+ "Cost",
+ "PrivateLink",
+ "AVD"
],
"severity": "Medium",
- "text": "Function apps in a given plan are all scaled together, so any issues with scaling can affect all apps in the plan.",
- "waf": "Cost"
+ "subcategory": "Networking",
+ "text": "Evaluate usage Private Endpoint for Azure Files share",
+ "waf": "Security"
},
{
- "checklist": "WAF checklist",
- "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38",
- "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups",
- "service": "Azure Functions",
+ "category": "Networking",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Connections to Azure Virtual Desktop can use TCP or UDP. RDP Shortpath is a feature of AVD that establishes a direct UDP-based transport between a supported Windows Remote Desktop client and session host. if clients have line of sight to AVD session hosts from internal network (VPN usage is not recommended), this feature can provide lower latency and best performances as explained in https://learn.microsoft.com/azure/virtual-desktop/rdp-shortpath?tabs=managed-networks#key-benefits.",
+ "guid": "b2074747-d01a-4f61-b1aa-92ad793d9ff4",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/shortpath",
"services": [
- "WAF"
+ "VPN",
+ "AVD"
],
"severity": "Medium",
- "text": "Am I billed for 'await time'? This question is typically asked in the context of a C# function that does an async operation and waits for the result, e.g. await Task.Delay(1000) or await client.GetAsync('http://google.com'). The answer is yes - the GB second calculation is based on the start and end time of the function and the memory usage over that period. 
What actually happens over that time in terms of CPU activity is not factored into the calculation.One exception to this rule is if you are using durable functions. You are not billed for time spent at awaits in orchestrator functions.apply demand shaping techinques where possible (dev environments?) https://github.com/Azure-Samples/functions-csharp-premium-scaler",
- "waf": "Cost"
+ "subcategory": "Networking",
+ "text": "Evaluate usage of RDP ShortPath for clients connecting from managed internal networks",
+ "waf": "Performance"
},
{
- "checklist": "WAF checklist",
- "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "Front Door",
+ "category": "Security",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Security mechanisms provided by GPO should be used, if available. For example, it is possible to impose desktop screen lock and idle session disconnection time. Existing GPOs applied to on-premises environment should be reviewed and eventually applied also to secure also AVD Hosts when joined to the domain.",
+ "guid": "a135e337-897e-431c-97d6-8cb6a22ac19f",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#establish-maximum-inactive-time-and-disconnection-policies",
"services": [
- "FrontDoor",
- "EventHubs",
- "WAF"
+ "AVD"
],
"severity": "Medium",
- "text": "Frontdoor - Turn off the default homepageIn the application settings of your App, set AzureWebJobsDisableHomepage to true. 
This will return a 204 (No Content) to the PoP so only header data is returned.",
- "waf": "Cost"
+ "subcategory": "Active Directory",
+ "text": "Review Active Directory GPO to secure RDP sessions",
+ "waf": "Security"
},
{
- "checklist": "WAF checklist",
- "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
- "service": "Front Door",
+ "category": "Security",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Microsoft Defender for Endpoint supports Azure Virtual Desktop for Windows 10/11 Enterprise multi-session. Check article for onboarding non-persistent virtual desktop infrastructure (VDI) devices: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi",
+ "guid": "b1172576-9ef6-4691-a483-5ac932223ece",
+ "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus",
"services": [
- "AppSvc",
- "FrontDoor",
- "WAF"
+ "Defender",
+ "AVD"
],
- "severity": "Medium",
- "text": "Frontdoor - Route to something that returns nothing. Either set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. The advantage of this is you will be able to log out when it is called.",
- "waf": "Cost"
+ "severity": "High",
+ "subcategory": "Host Configuration",
+ "text": "Ensure anti-virus and anti-malware solutions are used",
+ "waf": "Security"
},
{
- "checklist": "WAF checklist",
- "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3",
- "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring",
- "service": "Storage",
+ "category": "Security",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Disks in Azure are already encrypted at rest by default with Microsoft managed keys. 
Host VM OS disk encryption is possible and supported using Azure Disk Encryption (ADE - BitLocker) and Disk Encryption Set (DES - Server Side Encryption), the latter is recommended. Encryption of FSLogix storage using Azure Files can be done using SSE on Azure Storage. For OneDrive encryption, see this article: https://docs.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services.",
+ "guid": "0fd32907-98bc-4178-adc5-a06ca7144351",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview",
"services": [
- "WAF"
+ "Storage",
+ "VM",
+ "AKV",
+ "AVD"
],
- "severity": "Medium",
- "text": "Consider archiving tiers for less used data",
- "waf": "Cost"
+ "severity": "Low",
+ "subcategory": "Host Configuration",
+ "text": "Assess disk encryption requirements for AVD Session Hosts",
+ "waf": "Security"
},
{
- "checklist": "WAF checklist",
- "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c",
- "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings",
- "service": "VM",
+ "category": "Security",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Trusted launch are Gen2 Azure VMs with enhanced security features aimed to protect against “bottom of the stack” threats through attack vectors such as rootkits, boot kits, and kernel-level malware. Recommended to enable and leverage Secure Boot, Virtual TPM (vTPM) and Integrity Monitoring.",
+ "guid": "36a5a67f-bb9e-4d5b-9547-8c4479816b28",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#azure-virtual-desktop-support-for-trusted-launch",
"services": [
- "WAF"
+ "Monitor",
+ "VM",
+ "AVD"
],
"severity": "Medium",
- "text": "Check disk sizes where the size does not match the tier (i.e. 
A 513 GiB disk will pay a P30 (1TiB) and consider resizing",
- "waf": "Cost"
+ "subcategory": "Host Configuration",
+ "text": "Enable Trusted launch in Azure Gen2 VM Session Hosts",
+ "waf": "Security"
},
{
- "checklist": "WAF checklist",
- "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2",
- "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration",
- "service": "Storage",
+ "category": "Security",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Trusted Launch and Gen2 VM are not only security and performance enhancing features but also system requirements for Windows 11. When building an AVD environment based on Windows 11, it is essential to enable these features.",
+ "guid": "135d3899-4b31-44d3-bc8f-028871a359d8",
+ "link": "https://learn.microsoft.com/windows/whats-new/windows-11-requirements",
"services": [
- "WAF"
+ "VM",
+ "AVD"
],
- "severity": "Medium",
- "text": "Consider using standard SSD rather than Premium or Ultra where possible",
- "waf": "Cost"
+ "severity": "High",
+ "subcategory": "Host Configuration",
+ "text": "Enable Trusted Launch and use Gen2 image are system requirements for Windows 11",
+ "waf": "Security"
},
{
- "checklist": "WAF checklist",
- "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift",
- "service": "Storage",
+ "category": "Security",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Displayed content will be automatically blocked or hidden in screenshots. 
Keep in mind screen sharing will also be blocked when using Teams or other collaboration software which use screen sharing.",
+ "guid": "a49dc137-7896-4343-b2bc-1a31bf1d30b6",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/screen-capture-protection",
"services": [
- "Storage",
- "WAF"
+ "AVD"
],
- "severity": "Medium",
- "text": "For storage accounts, make sure that the chosen tier is not adding up transaction charges (it might be cheaper to move to the next tier)",
- "waf": "Cost"
+ "severity": "Low",
+ "subcategory": "Host Configuration",
+ "text": "Consider enabling screen capture protection to prevent sensitive information from being captured",
+ "waf": "Security"
},
{
- "checklist": "WAF checklist",
- "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f",
- "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
- "service": "Site Recovery",
+ "category": "Security",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "If not absolutely required, redirecting drives, printers, and USB devices to a user's local device in a remote desktop session should be disabled or highly restricted. 
Restrict Windows Explorer access by hiding local and remote drive mappings is also a secure measure to adopt preventing users from discovering unwanted information about system configuration and users.",
+ "guid": "7ce2cd20-85b4-4f82-828e-6558736ede6a",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#other-security-tips-for-session-hosts",
"services": [
- "ASR",
- "WAF"
+ "AVD"
],
"severity": "Medium",
- "text": "For ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput allow it",
- "waf": "Cost"
+ "subcategory": "Host Configuration",
+ "text": "Restrict device redirection and drive mapping",
+ "waf": "Security"
},
{
- "checklist": "WAF checklist",
- "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1",
- "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery",
- "service": "Storage",
+ "category": "Security",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "When choosing a deployment model, you can either provide remote users access to entire virtual desktops or only select applications. Remote applications, or RemoteApps, provide a seamless experience as the user works with apps on their virtual desktop. 
RemoteApps reduce risk by only letting the user work with a subset of the remote machine exposed by the application.",
+ "guid": "4e25d70e-3924-44f4-b66f-d6cdd4f4a973",
+ "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview",
"services": [
- "Storage",
- "WAF"
+ "AVD"
],
"severity": "Medium",
- "text": "Storage accounts: check hot tier and/or GRS necessary",
- "waf": "Cost"
+ "subcategory": "Management",
+ "text": "When possible, prefer Remote Apps over Full Desktops (DAG)",
+ "waf": "Security"
},
{
- "checklist": "WAF checklist",
- "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18",
- "link": "https://learn.microsoft.com/azure/backup/backup-center-overview",
- "service": "VM",
+ "category": "Security",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Web content filtering feature provided by Web Protection capability in Microsoft Defender for Endpoint, can be used to to control user web navigation. If this tool is used, configuration of web filtering for user Internet browsing is recommended. 
Access by the Guest OS system to required AVD control plane URLs must be guaranteed.",
+ "guid": "e19dd344-29eb-4722-a237-a151c5bb4e4f",
+ "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview",
"services": [
- "WAF"
+ "Defender",
+ "AVD"
],
"severity": "Medium",
- "text": "Disks - validate use of Premium SSD disks everywhere: for example, non-prod could swap to Standard SSD or on-demand Premium SSD ",
- "waf": "Cost"
+ "subcategory": "Management",
+ "text": "Need to control/restrict user Internet navigation from AVD session hosts?",
+ "waf": "Security"
},
{
- "checklist": "WAF checklist",
- "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5",
- "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview",
- "service": "Synapse",
+ "category": "Security",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "We recommend you don't grant your users admin access to virtual desktops. If you need software packages, we recommend you make them available through configuration management utilities.",
+ "guid": "a0cdb3b5-4eb2-4eb0-9dda-a3592718e2ed",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"services": [
- "EventHubs",
- "Cost",
- "Monitor",
- "WAF"
+ "AVD"
],
- "severity": "Medium",
- "text": "Create budgets to manage costs and create alerts that automatically notify stakeholders of spending anomalies and overspending risks.",
- "waf": "Cost"
+ "severity": "High",
+ "subcategory": "Management",
+ "text": "Ensure AVD users will not have local administrator privileges on AVD Hosts",
+ "waf": "Security"
},
{
- "checklist": "WAF checklist",
- "guid": "35e33789-7e31-4c67-b68c-f6a62a119495",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
- "service": "Synapse",
+ "category": "Security",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "We recommend you enable Defender for Cloud for the subscriptions, virtual machines, key 
vaults, and storage accounts used by AVD. With this tool is possible to assess and manage vulnerabilities, assess compliance with common frameworks like PCI, strengthen the overall security of your AVD environment and measure it over time using 'Secure Score': https://learn.microsoft.com/azure/virtual-desktop/security-guide#improve-your-secure-score.",
+ "guid": "1814387e-5ca9-4c26-a9b3-2ab5bdfc6998",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#enable-microsoft-defender-for-cloud",
"services": [
- "Cost",
"Storage",
- "WAF"
- ],
- "severity": "Medium",
- "text": "Export cost data to a storage account for additional data analysis.",
- "waf": "Cost"
- },
- {
- "checklist": "WAF checklist",
- "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
- "service": "Synapse",
- "services": [
- "Cost",
- "SQL",
- "WAF"
+ "Subscriptions",
+ "AKV",
+ "VM",
+ "Defender",
+ "AVD"
],
"severity": "Medium",
- "text": "Control costs for a dedicated SQL pool by pausing the resource when it is not in use.",
- "waf": "Cost"
+ "subcategory": "Management",
+ "text": "Enable Microsoft Defender for Cloud to manage AVD Session Hosts security posture",
+ "waf": "Security"
},
{
- "checklist": "WAF checklist",
- "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4",
- "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview",
- "service": "Synapse",
+ "category": "Security",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Enabling audit log collection lets you view user and admin activity related to Azure Virtual Desktop and store in a central repository like Log Analytics workspace. 
",
+ "guid": "a0916a76-4980-4ad0-b278-ee293c1bc352",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#collect-audit-logs",
"services": [
- "WAF"
+ "Entra",
+ "Monitor",
+ "AVD"
],
"severity": "Medium",
- "text": "Enable the serverless Apache Spark automatic pause feature and set your timeout value accordingly.",
- "waf": "Cost"
+ "subcategory": "Management",
+ "text": "Enable diagnostic and audit logging",
+ "waf": "Security"
},
{
- "checklist": "WAF checklist",
- "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates",
- "service": "Synapse",
+ "category": "Security",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Assign the least privilege required by defining administrative, operations, and engineering roles to Azure RBAC roles. To limit access to high privilege roles within your Azure Virtual Desktop landing zone, consider integration with Azure Privileged Identity Management (PIM). 
Maintaining knowledge of which team is responsible for each particular administrative area helps you determine Azure role-based access control (RBAC) roles and configuration.",
+ "guid": "baaab757-1849-4ab8-893d-c9fc9d1bb73b",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/rbac",
"services": [
- "WAF"
+ "Entra",
+ "RBAC",
+ "AVD"
],
- "severity": "Medium",
- "text": "Create multiple Apache Spark pool definitions of various sizes.",
- "waf": "Cost"
+ "severity": "Low",
+ "subcategory": "Management",
+ "text": "Assess the requirement to use custom RBAC roles for AVD management",
+ "waf": "Security"
},
{
- "checklist": "WAF checklist",
- "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator",
- "service": "Synapse",
+ "category": "Security",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "AVD users should not have permission to install application. If required, Windows Defender Application Control (WDAC) can be used to control which drivers and applications are allowed to run on their Windows clients. 
",
+ "guid": "b9ea80c8-0628-49fc-ae63-125aa4c0a284",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#windows-defender-application-control",
"services": [
- "Cost",
- "WAF"
+ "Defender",
+ "AVD"
],
"severity": "Medium",
- "text": "Purchase Azure Synapse commit units (SCU) for one year with a pre-purchase plan to save on your Azure Synapse Analytics costs.",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "Cost"
+ "subcategory": "Management",
+ "text": "Restrict users from installing un-authorized applications",
+ "waf": "Security"
},
{
- "checklist": "WAF checklist",
- "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb",
- "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2",
- "service": "VM",
+ "category": "Security",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Enabling MFA and CA lets you manage risks before you grant users access to your AVD environment. When deciding which users to grant access to, we recommend you also consider who the user is, how they sign in, and which device they're using. Additional details and configuration procedures are provided in the companion article. 
Microsoft Entra ID is the new name for Azure Active Directory (Azure AD).",
+ "guid": "916d697d-8ead-4ed2-9bdd-186f1ac252b9",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-mfa",
"services": [
- "Cost",
- "VM",
- "WAF"
+ "Entra",
+ "AVD"
],
"severity": "Medium",
- "text": "Use Spot VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "Cost"
+ "subcategory": "Microsoft Entra ID",
+ "text": "Evaluate the usage of Multi-Factor Authentication (MFA) and Conditional Access (CA) for AVD users",
+ "waf": "Security"
},
{
- "checklist": "WAF checklist",
- "guid": "544451e1-92d3-4442-a3c7-628637a551c5",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
- "service": "VM",
+ "category": "Security",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "If Zero Trust is a requirement, review the companion article in the 'More Info' column. 
It provides steps to apply the principles of Zero Trust to an Azure Virtual Desktop deployment.",
+ "guid": "221102d0-90af-49fc-b2b7-8d3fe397e43",
+ "link": "https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd",
"services": [
- "VM",
- "WAF"
+ "AVD"
],
"severity": "Medium",
- "text": "Right-sizing all VMs",
- "waf": "Cost"
+ "subcategory": "Zero Trust",
+ "text": "Review and Apply Zero Trust principles and guidance",
+ "waf": "Security"
},
{
- "checklist": "WAF checklist",
- "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2",
- "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet",
- "service": "VM",
+ "category": "Storage",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "If used, make sure to check the list of best practices and recommendations described in the referenced article.",
+ "guid": "9164e990-9ae2-48c8-9c33-b6b7808bafe6",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files#best-practices-for-azure-virtual-desktop",
"services": [
- "VM",
- "WAF"
+ "Storage",
+ "AVD"
],
"severity": "Medium",
- "text": "Swap VM sized with normalized and most recent sizes",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "Cost"
+ "subcategory": "Azure Files",
+ "text": "Check best-practices for Azure Files",
+ "waf": "Performance"
},
{
- "checklist": "WAF checklist",
- "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "VM",
+ "category": "Storage",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "SMB Multichannel enables clients to use multiple network connections that provide increased performance while lowering the cost of ownership. 
Increased performance is achieved through bandwidth aggregation over multiple NICs and utilizing Receive Side Scaling (RSS) support for NICs to distribute the IO load across multiple CPUs.",
+ "guid": "5784b6ca-5e9e-4bcf-8b54-c95459ea7369",
+ "link": "https://learn.microsoft.com/azure/storage/files/storage-files-smb-multichannel-performance",
"services": [
- "VM",
- "Monitor",
- "WAF"
+ "Storage",
+ "ACR",
+ "Cost",
+ "AVD"
],
- "severity": "Medium",
- "text": "right-sizing VMs - start with monitoring usage below 5% and then work up to 40%",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "Cost"
+ "severity": "Low",
+ "subcategory": "Azure Files",
+ "text": "Enable SMB multichannel when using a premium file share to host FSLogix profile containers.",
+ "waf": "Performance"
},
{
- "checklist": "WAF checklist",
- "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "VM",
+ "category": "Storage",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "If a second region is required for DR purposes verify NetApp availability in there as well.",
+ "guid": "4a359836-ee79-4d6c-9d3a-364a5b7abae3",
+ "link": "https://azure.microsoft.com/global-infrastructure/services/",
"services": [
- "VM",
- "WAF"
+ "Storage",
+ "AVD"
],
"severity": "Medium",
- "text": "Containerizing an application can improve VM density and save money on scaling it",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Cost"
+ "subcategory": "Azure NetApp Files",
+ "text": "If NetApp Files storage is required, check storage service availability in your specific region.",
+ "waf": "Reliability"
},
{
- "checklist": "WAF checklist",
- "guid": "65285269-441c-44bf-9d3e-0844276d4bdc",
- "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview",
- "service": "PostgreSQL",
+ "category": 
"Storage",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "CA option is a recommended setting in the FSLogix scenario, as it enables a more resilient SMB session between the Session Host and NetApp Files.",
+ "guid": "a2661898-866a-4c8d-9d1f-8cfc86e88024",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/create-fslogix-profile-container",
"services": [
- "WAF"
+ "Storage",
+ "AVD"
],
"severity": "Medium",
- "text": "Leverage Flexible Server",
+ "subcategory": "Azure NetApp Files",
+ "text": "If NetApp Files storage is used enable CA (Continuous Availability) option to increase resiliency",
"waf": "Reliability"
},
{
- "checklist": "WAF checklist",
- "guid": "016ccf31-ae5a-41eb-9888-9535e227896d",
- "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview#architecture-and-high-availability",
- "service": "PostgreSQL",
+ "category": "Storage",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "An Active Directory Site should be created for the Azure virtual network environment where Azure NetApp Files (ANF) subnet will be created, and that site name should be specified in the ANF connection property when executing the join procedure as explained in the reference article.",
+ "guid": "6647e977-db49-48a8-bc35-743f17499d42",
+ "link": "https://docs.microsoft.com/azure/azure-netapp-files/create-active-directory-connections",
"services": [
- "WAF"
+ "Storage",
+ "VNet",
+ "AVD"
],
"severity": "High",
- "text": "Leverage Availability Zones where regionally applicable",
- "waf": "Reliability"
- },
- {
- "checklist": "WAF checklist",
- "guid": "31b67c67-be59-4519-8083-845d587cb391",
- "link": "https://learn.microsoft.com/azure/postgresql/single-server/concepts-business-continuity#cross-region-read-replicas",
- "service": "PostgreSQL",
- "services": [
- "WAF"
- ],
- "severity": "Medium",
- "text": "Leverage cross-region read replicas for BCDR",
+ "subcategory": "Azure NetApp Files",
+ "text": "If Azure NetApp 
Files storage is used, check Active Directory Site name setting in the Active Directory Connection configuration",
"waf": "Reliability"
},
{
- "checklist": "WAF checklist",
- "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e",
- "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx",
- "service": "Azure Data Factory",
+ "category": "Storage",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Possible options: Standard HDD, Standard SSD, or Premium SSD. Ephemeral disks are not supported, Ultra-Disks not recommended. Recommended to evaluate Premium for OS disk if user density is not low, and if Cloud Cache will be used. ",
+ "guid": "3611c818-b0a0-4bc5-80e4-3a18a9cd289c",
+ "link": "https://docs.microsoft.com/azure/virtual-machines/disks-types",
"services": [
- "WAF"
+ "Storage",
+ "AVD"
],
"severity": "Medium",
- "text": "Leverage FTA Resiliency Playbook for Azure Data Factory",
- "waf": "Reliability"
+ "subcategory": "Capacity Planning",
+ "text": "Determine which type of managed disk will be used for the Session Hosts",
+ "waf": "Performance"
},
{
- "checklist": "WAF checklist",
- "guid": "e503547c-d447-4e82-9138-a7200f1cac6d",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
- "service": "Azure Data Factory",
+ "category": "Storage",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Possible options are: Azure NetApp Files, Azure Files, VM based File Server. File-server it is not recommended. Azure Files Premium typically a good starting point. NetApp usually required for large scale / high-performant environment. 
For a detailed comparison see the article in the 'More Info' column.",
+ "guid": "ed6b17db-8255-4462-b2ae-e4553afc8339",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/store-fslogix-profile",
"services": [
- "WAF"
+ "Storage",
+ "VM",
+ "AVD"
],
"severity": "High",
- "text": "Use zone redundant pipelines in regions that support Availability Zones",
- "waf": "Reliability"
+ "subcategory": "Capacity Planning",
+ "text": "Determine which storage backend solution will be used for FSLogix Profiles",
+ "waf": "Performance"
},
{
- "checklist": "WAF checklist",
- "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511",
- "link": "https://learn.microsoft.com/azure/data-factory/source-control",
- "service": "Azure Data Factory",
+ "category": "Storage",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Every Host Pool should use a separate set of storage accounts/volumes (at least one) and shares. Users should have a different profile for each Host Pool since settings and configurations are specific to each Host Pool. Additionally, accessing different Host Pools at the same time can cause errors on the shared user profile VHD/X. 
Usage of different storage accounts/volumes for multiple shares is also recommended to scale independently.",
+ "guid": "2fad62bd-5004-453c-ace4-64d862e7f5a4",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/store-fslogix-profile",
"services": [
- "Backup",
- "WAF"
+ "Storage",
+ "AVD"
],
- "severity": "Medium",
- "text": "Use DevOps to Backup the ARM templates with Github/Azure DevOps integration ",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Capacity Planning",
+ "text": "Do not share storage and profiles between different Host Pools",
+ "waf": "Performance"
},
{
- "checklist": "WAF checklist",
- "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
- "service": "Azure Data Factory",
+ "category": "Storage",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "As a starting point for estimating profile container storage performance requirements we recommend to assume 10 IOPS per user in the steady state and 50 IOPS per user during sign-in/sign-out. Space requirements is simply obtained based on the maximum profiles size in FSLogix per the total number of users for each Host Pool. 
Multiple storage accounts can be used for the same Host Pool if required.", + "guid": "680e7828-9c93-4665-9d02-bff4564b0d93", + "link": "https://learn.microsoft.com/azure/virtual-desktop/faq#what-s-the-largest-profile-size-fslogix-can-handle-", "services": [ - "VM", - "WAF" + "Storage", + "AVD" ], - "severity": "Medium", - "text": "Make sure you replicate the Self-Hosted Integration Runtime VMs in another region ", + "severity": "High", + "subcategory": "Capacity Planning", + "text": "Verify storage scalability limits and Host Pool requirements", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "Avoid introducing additional latency and costs associated with cross-region network traffic where possible.", + "guid": "8aad53cc-79e2-4e86-9673-57c549675c5e", + "link": "https://docs.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files", "services": [ - "VNet", - "WAF" + "Storage", + "Cost", + "AVD" ], - "severity": "Medium", - "text": "Make sure you replicate or duplicate your network in the sister region. You have to make a copy of your Vnet in another region", - "waf": "Reliability" + "severity": "High", + "subcategory": "Capacity Planning", + "text": "For optimal performance, the storage solution and the FSLogix profile container should be in the same Azure region.", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "description": "If your ADF Pipelines use Key Vault you don't have to do anything to replicate Key Vault. 
Key Vault is a managed service and Microsoft takes care of it for you", - "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Azure Data Factory", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "The recommendation in Azure Virtual Desktop is to use Profile Container without Office Container (ODFC) split unless you are planning for specific Business Continuity and Disaster Recovery (BCDR) scenarios as described in the Disaster Recovery section below. https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt ", + "guid": "df47d2d9-2881-4b1c-b5d1-e54a29759e39", + "link": "https://learn.microsoft.com/fslogix/concepts-container-types#when-to-use-profile-and-odfc-containers", "services": [ - "AKV", - "WAF" + "Storage", + "ASR", + "AVD" ], - "severity": "Low", - "text": "If using Keyvault integration, use SLA of Keyvault to understand your availablity", + "severity": "High", + "subcategory": "FSLogix", + "text": "Do not use Office Containers (ODFC) if not strictly required and justified", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "description": "Apply guidance from the Microsoft cloud security benchmark related to Storage", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Azure Storage", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "Make sure to configure the following antivirus exclusions for FSLogix Profile Container virtual hard drives, as documented in the referenced article in the 'More Info' column.", + "guid": "83f63047-22ee-479d-9b5c-3632054b69ba", + "link": "https://learn.microsoft.com/fslogix/overview-prerequisites#configure-antivirus-file-and-folder-exclusions", "services": [ "Storage", - "WAF" + "AVD" ], "severity": "Medium", 
- "text": "Consider the 'Azure security baseline for storage'", + "subcategory": "FSLogix", + "text": "Configure the recommended antivirus exclusions for FSLogix (includes not scanning VHD(x) files on connect).", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Azure Storage by default has a public IP address and is Internet-reachable. Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Azure Storage", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "Profile containers have a default max size of 30GB. If large Profile Containers are anticipated, and customers wants to try to keep them small, consider using OneDrive to host Office 365 files outside the FSLogix profile.", + "guid": "01e6a84d-e5df-443d-8992-481718d5d1e5", + "link": "https://docs.microsoft.com/fslogix/profile-container-configuration-reference", "services": [ - "PrivateLink", "Storage", - "WAF" + "AVD" ], "severity": "High", - "text": "Consider using private endpoints for Azure Storage", - "waf": "Security" + "subcategory": "FSLogix", + "text": "Review and confirm configured maximum profile size in FSLogix", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. are all enabled. 
Ensure that there are no old storage accounts with classic deployment model in a subscription", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Azure Storage", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "Defaults and recommended settings are reported in the companion article in the 'More Info' column. If not recommended keys and/or values must be used, be sure to review with a Microsoft AVD expert and clearly document your choices.", + "guid": "d34aad5e-8c78-4e1d-9666-7313c405674c", + "link": "https://learn.microsoft.com/fslogix/concepts-configuration-examples", "services": [ - "RBAC", "Storage", - "Subscriptions", - "WAF" + "ACR", + "AKV", + "AVD" ], - "severity": "Medium", - "text": "Ensure older storage accounts are not using 'classic deployment model'", - "waf": "Security" + "severity": "High", + "subcategory": "FSLogix", + "text": "Review FSLogix registry keys and determine which ones to apply", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Azure Storage", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "Concurrent or multiple connections are not recommended in Azure Virtual Desktop. Concurrent connections are also not supported by Session Hosts running in an Azure Virtual Desktop Host Pool. OneDrive, if used, doesn't support concurrent or multiple connections using the same container, under any circumstance. 
For multiple connections, usage of the same profile disk is not recommended.", + "guid": "5e985b85-9c77-43e7-b261-623b775a917e", + "link": "https://learn.microsoft.com/fslogix/concepts-multi-concurrent-connections", "services": [ - "Defender", "Storage", - "WAF" + "AVD" ], "severity": "High", - "text": "Enable Microsoft Defender for all of your storage accounts", - "waf": "Security" + "subcategory": "FSLogix", + "text": "Avoid usage of concurrent or multiple connections", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "description": "The soft-delete mechanism allows to recover accidentally deleted blobs.", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Azure Storage", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "Cloud Cache uses OS drive as local cache storage and may generate lot of pressure on the VM disk. Depending on the VM SKU and size used, the VM temporary drive can be a viable and performant solution where to relocate Cloud Cache cached content. Before adopting this solution, tests should be executed to confirm performance and stability. More details on Cloud Cache can be found here: https://learn.microsoft.com/fslogix/concepts-fslogix-cloud-cache. 
", + "guid": "b2d1215a-e114-4ba3-9df5-85ecdcd9bd3b", + "link": "https://docs.microsoft.com/fslogix/cloud-cache-configuration-reference", "services": [ "Storage", - "WAF" + "VM", + "AVD" ], - "severity": "Medium", - "text": "Enable 'soft delete' for blobs", - "waf": "Security" + "severity": "Low", + "subcategory": "FSLogix", + "text": "If FSLogix Cloud Cache is used, consider moving the cache directory to the VM temporary drive.", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "REDIRECTION.XML file is used to control what folders are redirected out of the profile container to the 'C:' drive. Exclusions should be the exception and should never be used unless the specific exclusion is completely understood by the person configuring the exclusion. Exclusions should always be fully tested in the environment where they are intended to be implemented. 
Configuring exclusions may impact functionality, stability and performance.", + "guid": "0b50ca97-b1d2-473c-b4d9-6e98b0f912de", + "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt#redirectionsxml", "services": [ "Storage", - "WAF" + "AVD" ], "severity": "Medium", - "text": "Disable 'soft delete' for blobs", - "waf": "Security" + "subcategory": "FSLogix", + "text": "Review the usage of FSLogix redirection.", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Azure Storage", + "category": "BCDR", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Ensure that your backups are protected against attacks. This should include encryption of the backups to protect against loss of confidentiality. For regular Azure service backup, backup data is automatically encrypted using Azure platform-managed keys. You can also choose to encrypt the backup using a customer-managed key. 
In this case, ensure this customer-managed key in the key vault is also in the backup scope.", + "guid": "676f6951-0368-49e9-808d-c33a692c9a64", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#br-2-encrypt-backup-data", "services": [ - "WAF" + "Backup", + "AKV", + "SQL" ], - "severity": "High", - "text": "Enable 'soft delete' for containers", + "severity": "Medium", + "subcategory": "Azure Key Vault", + "text": "Protect your backup data with encryption and store keys safely in Azure Key Vault", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", + "category": "BCDR", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Azure SQL Database uses SQL Server technology to create full backups every week, differential backup every 12-24 hours, and transaction log backup every 5 to 10 minutes. 
By default, SQL Database stores data in geo-redundant storage blobs that are replicated to a paired region.", + "guid": "e2518261-b3bc-4bd1-b331-637fb2df833f", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#br-1-ensure-regular-automated-backups", "services": [ "Storage", - "WAF" + "Backup", + "SQL" ], "severity": "Medium", - "text": "Disable 'soft delete' for containers", + "subcategory": "Backup", + "text": "Configure Azure SQL Database automated backups", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", + "category": "BCDR", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "By default, SQL Database stores data in geo-redundant storage blobs that are replicated to a paired region. 
For SQL Database, the backup storage redundancy can be configured at the time of database creation or can be updated for an existing database; the changes made to an existing database apply to future backups only.", + "guid": "f8c7cda2-3ed7-43fb-a100-85dcd12a0ee4", + "link": "https://learn.microsoft.com/azure/azure-sql/database/automated-backups-overview?tabs=single-database&view=azuresql#backup-storage-redundancy", "services": [ "Storage", - "WAF" + "Backup", + "SQL" ], - "severity": "High", - "text": "Enable resource locks on storage accounts", + "severity": "Low", + "subcategory": "Backup", + "text": "Enable geo-redundant backup storage to protect against single region failure and data loss", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Consider 'legal hold' or 'time-based retention' policies for blobs, so that is is impossible to delete the blob, the container, or the storage account. Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Azure Storage", + "category": "Code", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Malicious code can potentially circumvent security controls. Before deploying custom code to production, it is essential to review what's being deployed. Use a database tool like Azure Data Studio that supports source control. 
Implement tools and logic for code analysis, vulnerability and credential scanning.", + "guid": "7ca9f006-d2a9-4652-951c-de8e4ac5e76e", + "link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-create-server", "services": [ - "AzurePolicy", - "Storage", - "Subscriptions", - "WAF" - ], - "severity": "High", - "text": "Consider immutable blobs", - "waf": "Security" - }, - { - "checklist": "WAF checklist", - "description": "Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. ", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Azure Storage", - "services": [ - "Storage", - "WAF" + "SQL" ], - "severity": "High", - "text": "Require HTTPS, i.e. disable port 80 on the storage account", + "severity": "Medium", + "subcategory": "Source Control and Code Review", + "text": "Use Source Control systems to store, maintain and review application code deployed inside Azure SQLDB Database", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Azure Storage", + "category": "Data Discovery and Classification", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "In case of classification requirements Purview is the preferred option. Only use SQL Data Discovery & Classification in case Purview is not an option. Discover columns that potentially contain sensitive data. 
What is considered sensitive data heavily depends on the customer, compliance regulation, etc., and needs to be evaluated by the users in charge of that data. Classify the columns to use advanced sensitivity-based auditing and protection scenarios. Review results of automated discovery and finalize the classification if necessary.", + "guid": "d401509b-2629-4484-9a7f-af0d29a7778f", + "link": "https://learn.microsoft.com/azure/azure-sql/database/data-discovery-and-classification-overview?view=azuresql#faq---advanced-classification-capabilities", "services": [ - "Storage", - "WAF" + "SQL" ], - "severity": "High", - "text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.", + "severity": "Low", + "subcategory": "Data Discovery and Classification", + "text": "Plan and configure Data Discovery & Classification to protect the sensitive data", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Azure Storage", + "category": "Data Masking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Usage of this feature is recommended only if column encryption is not an option and there is a specific requirement to preserve data types and formats. Dynamic data masking limits sensitive data exposure by masking it to non-privileged users. 
Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal impact on the application layer.", + "guid": "9391fd50-135e-453e-90a7-c1a23f88cc13", + "link": "https://learn.microsoft.com/azure/azure-sql/database/dynamic-data-masking-overview", "services": [ - "Storage", - "WAF" + "SQL" ], - "severity": "Medium", - "text": "Limit shared access signature (SAS) tokens to HTTPS connections only", + "severity": "Low", + "subcategory": "Data Masking", + "text": "Use Data Masking to prevent unauthorized non-admin users data access if no encryption is possible", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "AAD tokens should be favored over shared access signatures, wherever possible", - "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", - "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", - "service": "Azure Storage", + "category": "Defender", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "SQL Advanced Threat Detection (ATP) provides a layer of security that detects potential vulnerabilities and anomalous activity in databases such as SQL injection attacks and unusual behavior patterns. 
When a potential threat is detected Threat Detection sends an actionable real-time alert by email and in Microsoft Defender for Cloud, which includes clear investigation and remediation steps for the specific threat.", + "guid": "4e52d73f-5d37-428f-b3a2-e6997e835979", + "link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-configure", "services": [ - "Entra", - "Storage", - "WAF" + "EventHubs", + "Defender", + "SQL" ], "severity": "High", - "text": "Use Azure Active Directory (Azure AD) tokens for blob access", + "subcategory": "Advanced Threat Protection", + "text": "Review and complete Advanced Threat Protection (ATP) configuration", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. Limiting access to resources helps prevent both unintentional and malicious misuse of your data.", - "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", - "service": "Azure Storage", + "category": "Defender", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Enable Microsoft Defender for Azure SQL at the subscription level to automatically onboard and protect all existing and future servers and databases. When you enable on the subscription level, all databases in Azure SQL Database and Azure SQL Managed Instance are protected. You can then disable them individually if you choose. 
If you want to manually manage which databases are protected, disable at the subscription level and enable each database that you want protected.", + "guid": "dff87489-9edb-4cef-bdda-86e8212b2aa1", + "link": "https://learn.microsoft.com/azure/azure-sql/database/azure-defender-for-sql?view=azuresql#enable-microsoft-defender-for-sql ", "services": [ - "RBAC", - "WAF" + "Subscriptions", + "Defender", + "SQL" ], - "severity": "Medium", - "text": "Least privilege in IaM permissions", + "severity": "High", + "subcategory": "Defender for Azure SQL", + "text": "Enable Microsoft Defender for Azure SQL", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. ", - "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", - "service": "Azure Storage", + "category": "Defender", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Microsoft Defender for Azure SQL ATP detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. 
Alerts can be configured and generated and will be reported in the Defender for console.", + "guid": "ca342fdf-d25a-4427-b105-fcd50ff8a0ea", + "link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-configure", "services": [ - "Entra", - "Storage", - "WAF" + "Monitor", + "Defender", + "SQL" ], "severity": "High", - "text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.", + "subcategory": "Defender for Azure SQL", + "text": "Prepare a security response plan to promptly react to Microsoft Defender for Azure SQL alerts", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Storage account keys ('shared keys') have very little audit capabilities. While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on AAD authentication makes it easier to tie storage access to a user. ", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", - "service": "Azure Storage", + "category": "Defender", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Azure SQLDB vulnerability assessment is a service that provides visibility into your security state. Vulnerability assessment includes actionable steps to resolve security issues and enhance your database security. 
It can help you to monitor a dynamic database environment where changes are difficult to track and improve your SQL security posture.", + "guid": "a6101ae7-534c-45ab-86fd-b34c55ea21ca", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/sql-azure-vulnerability-assessment-overview", "services": [ "Monitor", - "AKV", - "Storage", - "Entra", - "WAF" + "Defender", + "SQL" ], "severity": "High", - "text": "Consider disabling storage account keys, so that only AAD access (and user delegation SAS) is supported.", + "subcategory": "Vulnerability Assessment", + "text": "Configure Vulnerability Assessment (VA) findings and review recommendations", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. storage account keys, access policies, etc.).", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", - "service": "Azure Storage", + "category": "Defender", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Microsoft Defender for Cloud provides vulnerability assessment for your Azure SQL Databases. Vulnerability assessment scans your databases for software vulnerabilities and provides a list of findings. 
You can use the findings to remediate software vulnerabilities and disable findings.", + "guid": "c8c5f112-1e50-4f77-9264-8195b4cd61ac", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/sql-azure-vulnerability-assessment-find?view=azuresql", "services": [ - "Monitor", - "AzurePolicy", - "AKV", - "Storage", - "WAF" + "Defender", + "SQL" ], "severity": "High", - "text": "Consider using Azure Monitor to audit control plane operations on the storage account", + "subcategory": "Vulnerability Assessment", + "text": "Regularly review of Vulnerability Assessment (VA) findings and recommendations and prepare a plan to fix", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", - "service": "Azure Storage", + "category": "Encryption", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Always Encrypted with Secure Enclaves expands confidential computing capabilities of Always Encrypted by enabling in-place encryption and richer confidential queries. Always Encrypted with Secure Enclaves addresses these limitations by allowing some computations on plaintext data inside a secure enclave on the server side. 
Usage of this feature is recommended for the cases where you need to limit administrator access and need your queries to support more than equality matching of encrypted columns.", + "guid": "65d7e54a-10a6-4094-b673-9ff3809c9277", + "link": "https://learn.microsoft.com/sql/relational-databases/security/encryption/always-encrypted-enclaves", "services": [ - "AzurePolicy", - "AKV", - "Storage", - "WAF" + "SQL" ], "severity": "Medium", - "text": "When using storage account keys, consider enabling a 'key expiration policy'", + "subcategory": "Always Encrypted", + "text": "If protecting sensitive PII data from admin users is a key requirement, but Column Encryption limitations cannot be tolerated, consider the adoption of Always Encrypted with Secure Enclaves", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.", - "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", - "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", - "service": "Azure Storage", + "category": "Encryption", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "With Azure SQL Database, you can apply symmetric encryption to a column of data by using Transact-SQL. This approach is called column encryption, because you can use it to encrypt specific columns with different encryption keys. Doing so gives you more granular encryption capability than TDE, which encrypts data in pages. Using Always Encrypted to ensure sensitive data isn't exposed in plaintext in Azure SQL Database or SQL Managed Instance, even in memory/in use. 
Always Encrypted protects the data from Database Administrators (DBAs) and cloud admins (or bad actors who can impersonate high-privileged but unauthorized users) and gives you more control over who can access your data.", + "guid": "c03ce136-e3d5-4e17-bf25-ed955ee480d3", + "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#control-access-of-application-users-to-sensitive-data-through-encryption", "services": [ - "AzurePolicy", - "WAF" + "Storage", + "AKV", + "SQL" ], - "severity": "Medium", - "text": "Consider configuring an SAS expiration policy", + "severity": "Low", + "subcategory": "Column Encryption", + "text": "To protect sensitive PII data from non-admin users in specific table columns, consider using Column Encryption", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. ", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", - "service": "Azure Storage", + "category": "Encryption", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Enabled by default, Transparent data encryption (TDE) helps to protect the database files against information disclosure by performing real-time encryption and decryption of the database, associated backups, and transaction log files 'at rest', without requiring changes to the application.", + "guid": "c614ac47-bebf-4061-b0a1-43e0c6b5e00d", + "link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-create-server", "services": [ - "AzurePolicy", - "AKV", "Storage", - "WAF" + "Backup", + "SQL" ], - "severity": "Medium", - "text": "Consider linking SAS to a stored access policy", + "severity": "High", + "subcategory": "Transparent Data Encryption", + "text": "Ensure 
Transparent Data Encryption (TDE) is kept enabled", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", - "service": "Azure Storage", + "category": "Encryption", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "If separation of duties in the management of keys and data within the organization is required, leverage Customer Managed Keys (CMK) for Transparent Data Encryption (TDE) for your Azure SQLDB and use Azure Key Vault to store (refer to its checklist). Leverage this feature when you have strict security requirements which cannot be met by the managed service keys.", + "guid": "2edb4165-4f54-47cc-a891-5c82c2f21e25", + "link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-overview", "services": [ "AKV", - "Storage", - "WAF" + "SQL" ], "severity": "Medium", - "text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.", + "subcategory": "Transparent Data Encryption", + "text": "Use customer-managed keys (CMK) in Azure Key Vault (AKV) if you need increased transparency and granular control over the TDE protection", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Ideally, your application should be using a managed identity to authenticate to Azure Storage. 
If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", - "service": "Azure Storage", + "category": "Encryption", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "The minimal Transport Layer Security (TLS) version setting allows customers to choose which version of TLS their SQL database uses. It's possible to change the minimum TLS version by using the Azure portal, Azure PowerShell, and the Azure CLI.", + "guid": "7754b605-57fd-4bcb-8213-52c39d8e8225", + "link": "https://learn.microsoft.com/azure/azure-sql/database/connectivity-settings?source=recommendations&view=azuresql&tabs=azure-portal#minimal-tls-version", "services": [ - "Entra", - "Storage", - "WAF" + "SQL" ], "severity": "High", - "text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)", + "subcategory": "Transport Layer Security", + "text": "Enforce minimum TLS version to the latest available", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. 
Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.", - "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "category": "Identity", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Use Azure Active Directory (Azure AD) authentication for centralized identity management. Use SQL Authentication only if really necessary and document as exceptions.", + "guid": "c9b8b6bf-2c6b-453d-b400-de9a43a549d7", + "link": "https://learn.microsoft.com/azure/azure-sql/database/authentication-aad-overview", "services": [ - "AzurePolicy", - "Storage", - "WAF" + "Entra", + "SQL" ], - "severity": "High", - "text": "Strive for short validity periods for ad-hoc SAS", + "severity": "Medium", + "subcategory": "Azure Active Directory", + "text": "Leverage Azure AD authentication for connections to Azure SQL Databases", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "When creating a SAS, be as specific and restrictive as possible. Prefer a SAS for a single resource and operation over a SAS which gives much broader access.", - "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "category": "Identity", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Using Azure AD groups simplifies permission management and both the group owner, and the resource owner can add/remove members to/from the group. Create a separate group for Azure AD administrators for each logical server. 
Monitor Azure AD group membership changes using Azure AD audit activity reports.", + "guid": "29820254-1d14-4778-ae90-ff4aeba504a3", + "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#central-management-for-identities", "services": [ - "WAF" + "Entra", + "Monitor", + "SQL" ], "severity": "Medium", - "text": "Apply a narrow scope to a SAS", + "subcategory": "Azure Active Directory", + "text": "Create a separate Azure AD group with two admin accounts for each Azure SQL Database logical server", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to request a resource using the SAS. ", - "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", - "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", - "service": "Azure Storage", + "category": "Identity", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Ensure that distinct system and user assigned managed identities, that are dedicated to the function, with least permissions assigned, are used for communication from Azure services and applications to the Azure SQLDB databases.", + "guid": "df3a09ee-03bb-4198-8637-d141acf5f289", + "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#minimize-the-use-of-password-based-authentication-for-applications", "services": [ - "WAF" + "Entra", + "SQL" ], "severity": "Medium", - "text": "Consider scoping SAS to a specific client IP address, wherever possible", + "subcategory": "Azure Active Directory", + "text": "Minimize the use of password-based authentication for applications", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously 
large contents.", - "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", - "service": "Azure Storage", + "category": "Identity", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "System or User assigned managed identities enable Azure SQLDB to authenticate to other cloud services (e.g. Azure Key Vault) without storing credentials in code. Once enabled, all necessary permissions can be granted via Azure role-based-access-control to the specific Azure SQLDB instance. Do not share user assigned managed identities across multiple services if not strictly required.", + "guid": "69891194-5074-4e30-8f69-4efc3c580900", + "link": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview", "services": [ - "Storage", - "WAF" + "Entra", + "RBAC", + "AKV", + "SQL", + "ACR" ], "severity": "Low", - "text": "Consider checking uploaded data, after clients used a SAS to upload a file. ", + "subcategory": "Managed Identities", + "text": "Assign Azure SQL Database a managed identity for outbound resource access", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive than SFTP access. Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint", - "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", - "service": "Azure Storage", + "category": "Identity", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Use an Azure AD integrated authentication that eliminates the use of passwords. Password-based authentication methods are a weaker form of authentication. Credentials can be compromised or mistakenly given away. 
Use single sign-on authentication using Windows credentials. Federate the on-premises AD domain with Azure AD and use integrated Windows authentication (for domain-joined machines with Azure AD).", + "guid": "88287d4a-8bb8-4640-ad78-03f51354d003", + "link": "https://learn.microsoft.com/azure/azure-sql/database/authentication-aad-configure?view=azuresql&tabs=azure-powershell#active-directory-integrated-authentication", "services": [ "Entra", - "RBAC", - "Storage", - "WAF" + "SQL" ], - "severity": "High", - "text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.", + "severity": "Medium", + "subcategory": "Passwords", + "text": "Minimize the use of password-based authentication for users", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", - "service": "Azure Storage", + "category": "Ledger", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "The hash of the latest block in the database ledger is called the database digest. It represents the state of all ledger tables in the database at the time when the block was generated. Generating a database digest is efficient, because it involves computing only the hashes of the blocks that were recently appended. Azure Confidential Ledger is one of the supported store, it can be used and supports automatic generation and storage of database digests. Azure Ledger provides advanced security features like Blockchain Ledger Proof and Confidential Hardware Enclaves. 
Use it only if advanced security features are required, otherwise revert to Azure storage.", + "guid": "0e853380-50ba-4bce-b2fd-5c7391c85ecc", + "link": "https://learn.microsoft.com/azure/architecture/guide/technology-choices/multiparty-computing-service#confidential-ledger-and-azure-blob-storage", "services": [ - "WAF" + "Storage", + "SQL" ], "severity": "Medium", - "text": "SFTP: The SFTP endpoint does not support POSIX-like ACLs.", + "subcategory": "Database Digest", + "text": "Use Azure Confidential Ledger to store database digests only if advanced security features are required", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Storage supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. When enabling CORS, keep the CorsRules to the least privilege.", - "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", - "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", - "service": "Azure Storage", + "category": "Ledger", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "The hash of the latest block in the database ledger is called the database digest. It represents the state of all ledger tables in the database at the time when the block was generated. Generating a database digest is efficient, because it involves computing only the hashes of the blocks that were recently appended. Azure Blob Storage with Immutable Storage feature can be used and supports automatic generation and storage of database digests. 
To prevent tampering of your digest files, configure and lock a retention policy for your container.", + "guid": "afefb2d3-95da-4ac9-acf5-33d18b32ef9a", + "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-digest-management", "services": [ - "AzurePolicy", "Storage", - "WAF" + "AzurePolicy", + "SQL" ], - "severity": "High", - "text": "Avoid overly broad CORS policies", + "severity": "Medium", + "subcategory": "Database Digest", + "text": "If Azure storage account is used to store database digests, ensure security is properly configured", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. Server-side encryption might happen using a platform-managed key (default) or customer-managed key. Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. thus not relying on Azure Storage at all for confidentiality guarantees.", - "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "Azure Storage", + "category": "Ledger", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Ledger provides a form of data integrity called forward integrity, which provides evidence of data tampering on data in your ledger tables. The database verification process takes as input one or more previously generated database digests. It then recomputes the hashes stored in the database ledger based on the current state of the ledger tables. If the computed hashes don't match the input digests, the verification fails. The failure indicates that the data has been tampered with. 
The verification process reports all inconsistencies that it detects.", + "guid": "f8d4ffda-8aac-4cc6-b72b-c81cb8625420", + "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-database-verification", "services": [ "Storage", - "WAF" + "SQL" ], - "severity": "High", - "text": "Determine how data at rest should be encrypted. Understand the thread model for data.", + "severity": "Medium", + "subcategory": "Integrity", + "text": "Schedule the Ledger verification process regularly to verify data integrity", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", - "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", - "service": "Azure Storage", + "category": "Ledger", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "The Ledger feature provides tamper-evidence capabilities in your database. You can cryptographically attest to other parties, such as auditors or other business parties, that your data hasn't been tampered with. 
Ledger helps protect data from any attacker or high-privileged user, including database administrators (DBAs), system administrators, and cloud administrators.", + "guid": "2563f498-e2d3-42ea-9e7b-5517881a06a2", + "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-overview", "services": [ - "WAF" + "SQL" ], "severity": "Medium", - "text": "Determine which/if platform encryption should be used.", + "subcategory": "Ledger", + "text": "If cryptographic proof of data integrity is a critical requirement, Ledger feature should be considered", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", - "service": "Azure Storage", + "category": "Ledger", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Depending on the type of tampering, there are cases where you can repair the ledger without losing data. 
In the article contained in the --More Info-- column, different scenarios and recovery techniques are described.", + "guid": "804fc554-6554-4842-91c1-713b32f99902", + "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-how-to-recover-after-tampering", "services": [ - "WAF" + "SQL" ], "severity": "Medium", - "text": "Determine which/if client-side encryption should be used.", + "subcategory": "Recovery", + "text": "Prepare a response plan to investigate and repair a database after a tampering event", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Leverage Resource Graph Explorer (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) to find storage accounts which allow anonymous blob access.", - "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", - "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", - "service": "Azure Storage", + "category": "Logging", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Azure SQL Database Auditing tracks database events and writes them to an audit log in your Azure storage account. Auditing helps you understand database activity and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations as well as helps you meet regulatory compliance. By default auditing policy includes all actions (queries, stored procedures and successful and failed logins) against the databases, which may result in high volume of audit logs. 
It's recommended for customers to configure auditing for different types of actions and action groups using PowerShell.", + "guid": "4082e31d-35f4-4a49-8507-d3172cc930a6", + "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview", "services": [ "Storage", - "WAF" + "AzurePolicy", + "SQL" ], - "severity": "High", - "text": "Consider whether public blob access is needed, or whether it can be disabled for certain storage accounts. ", + "severity": "Medium", + "subcategory": "Auditing", + "text": "Ensure that Azure SQL Database Auditing is enabled at the server level", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal", - "service": "Azure Storage", + "category": "Logging", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Azure SQL Database Auditing logs can be written to external storage accounts, Log Analytics workspace or Event Hub. Be sure to protect the target repository using backups and secured configuration. Use Azure SQL Database Managed Identity to access the storage and set an explicit retention period. Do not grant permissions to administrators to the audit log repository. Use a different target storage for --Enabling Auditing of Microsoft support operations--. 
", + "guid": "9b64bc50-b60f-4035-bf7a-28c4806dfb46", + "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview", "services": [ "Storage", - "WAF" + "Entra", + "Backup", + "EventHubs", + "SQL", + "Monitor" ], - "severity": "High", - "text": "Leverage a storagev2 account type for better performance and reliability", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Auditing", + "text": "Ensure that Azure SQL Database Auditing logs are backed up and secured in the selected repository type", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "e05bbe20-9d49-4fda-9777-8424d116785c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Azure Storage", + "category": "Logging", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "The Azure Monitor activity log is a platform log in Azure that provides insight into subscription-level events. The activity log includes information like when a resource is modified. 
It is recommended to send this activity log to the same external storage repository as the Azure SQL Database Audit Log (storage account, Log Analytics workspace, Event Hub).", + "guid": "fcd34708-87ac-4efc-aaf6-57a47f76644a", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", "services": [ "Storage", - "WAF" + "Subscriptions", + "EventHubs", + "SQL", + "Monitor" ], - "severity": "High", - "text": "Leverage GRS, ZRS or GZRS storage for the highest availability", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Auditing", + "text": "Ensure that Azure SQL Database Activity Log is collected and integrated with Auditing logs", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "2fa56c56-ad48-4408-be72-734c486ba280", - "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", - "service": "Azure Storage", + "category": "Logging", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Forward any logs from Azure SQL to your Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR). Ensure that you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. 
Alerts can be sourced from log data, agents, or other data.", + "guid": "f96e127e-9572-453a-b325-ff89ae9f6b44", + "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview", "services": [ - "WAF" + "Monitor", + "SQL" ], "severity": "Medium", - "text": "For write operation after failover, use customer-Managed Failover ", - "waf": "Reliability" + "subcategory": "SIEM/SOAR", + "text": "Ensure that Azure SQL Database Auditing logs are being presented in to your organizations SIEM/SOAR", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", - "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", - "service": "Azure Storage", + "category": "Logging", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Forward any logs from Azure SQL to your Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR), which can be used to set up custom threat detections. Ensure that you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. 
Alerts can be sourced from log data, agents, or other data.", + "guid": "41503bf8-73da-4a10-af9f-5f7fceb5456f", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", "services": [ - "WAF" + "Monitor", + "SQL" ], "severity": "Medium", - "text": "Understand Microsoft-Managed Failover details", - "waf": "Reliability" + "subcategory": "SIEM/SOAR", + "text": "Ensure that Azure SQL Database Activity Log data is presented in to your SIEM/SOAR", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", - "service": "Azure Storage", + "category": "Logging", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Security Operation Center (SOC) team should create an incident response plan (playbooks or manual responses) to investigate and mitigate tampering, malicious activities, and other anomalous behaviors.", + "guid": "19ec7c97-c563-4e1d-82f0-54d6ec12e754", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", "services": [ - "WAF" + "EventHubs", + "SQL" ], "severity": "Medium", - "text": "Enable Soft Delete", - "waf": "Reliability" + "subcategory": "SIEM/SOAR", + "text": "Ensure that you have response plans for malicious or aberrant audit logging events", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", - "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", - "service": "APIM", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "When you create a logical server from the Azure portal for Azure SQL Database, the result is a public endpoint that is visible and reachable over the public network (Public Access). You can then limit connectivity based on firewall rules and Service Endpoint. 
You can also configure private connectivity only limiting connections to internal networks using Private Endpoint (Private Access). Private Access using Private Endpoint should be the default unless a business case or performance/technical reason applies that cannot support it. Usage of Private Endpoints has performance implications that need to be considered and assessed.", + "guid": "2c6d356a-1784-475b-a42c-ec187dc8c925", + "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview", "services": [ - "AzurePolicy", - "WAF" + "PrivateLink", + "SQL" ], - "severity": "Medium", - "text": "Implement an error handling policy at the global level", - "waf": "Operations" + "severity": "High", + "subcategory": "Connectivity", + "text": "Review Public vs. Private Access connectivity methods and select the appropriate one for the workload", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", - "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", - "service": "APIM", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "IMPORTANT: Connections to private endpoint only support Proxy as the connection policy. When using private endpoints connections are proxied via the Azure SQL Database gateway to the database nodes. 
Clients will not have a direct connection.", + "guid": "557b3ce5-bada-4296-8d52-a2d447bc1718", + "link": "https://learn.microsoft.com/azure/azure-sql/database/connectivity-architecture", "services": [ "AzurePolicy", - "WAF" + "PrivateLink", + "SQL" ], - "severity": "Medium", - "text": "Ensure all APIs policies include a element.", - "waf": "Operations" + "severity": "Low", + "subcategory": "Connectivity", + "text": "Keep default Azure SQL Database Connection Policy if not differently required and justified", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", - "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", - "service": "APIM", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "This option configures the firewall to allow all connections from Azure, including connections from the subscriptions of other customers. If you select this option, make sure that your login and user permissions limit access to authorized users only. 
If not strictly required, keep this setting to OFF.", + "guid": "f48efacf-4405-4e8d-9dd0-16c5302ed082", + "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview", "services": [ - "AzurePolicy", - "ACR", - "WAF" + "Subscriptions", + "SQL" ], - "severity": "Medium", - "text": "Use Policy Fragments to avoid repeating same policies definitions across multiple APIs", - "waf": "Operations" + "severity": "High", + "subcategory": "Connectivity", + "text": "Ensure Allow Azure Services and Resources to Access this Server setting is disabled in Azure SQL Database firewall", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", - "link": "https://learn.microsoft.com/azure/api-management/monetization-support", - "service": "APIM", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Azure SQL Database has a new built-in feature that allows native integration with external REST endpoints. This means that integration of Azure SQL Database with Azure Functions, Azure Logic Apps, Cognitive Services, Event Hubs, Event Grid, Azure Containers, API Management and in general any REST or even GraphQL endpoint. If not properly restricted, code inside an Azure SQL Database database could leverage this mechanism to exfiltrate data. 
If not strictly required, it is recommended to block or restrict this feature using Outbound Firewall Rules.", + "guid": "cb3274a7-e36d-46f6-8de5-46d30c8dde8e", + "link": "https://learn.microsoft.com/sql/relational-databases/system-stored-procedures/sp-invoke-external-rest-endpoint-transact-sql", "services": [ - "WAF" + "EventHubs", + "APIM", + "SQL" ], "severity": "Medium", - "text": "If you are planning to monetize your APIs, review the 'monetization support' article for best practices", - "waf": "Operations" - }, - { - "checklist": "WAF checklist", - "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", - "service": "APIM", - "services": [ - "Monitor", - "WAF" - ], - "severity": "High", - "text": "Enable Diagnostics Settings to export logs to Azure Monitor", - "waf": "Operations" + "subcategory": "Outbound Control", + "text": "Block or restrict outbound REST API calls to external endpoints", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", - "service": "APIM", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Outbound firewall rules limit network traffic from the Azure SQL Database logical server to a customer defined list of Azure Storage accounts and Azure SQL Database logical servers. 
Any attempt to access storage accounts or databases not in this list is denied.", + "guid": "a566dd3d-314e-4a94-9378-102c42d82b38", + "link": "https://learn.microsoft.com/azure/azure-sql/database/outbound-firewall-rule-overview", "services": [ - "WAF" + "Storage", + "SQL" ], "severity": "Medium", - "text": "Enable Application Insights for more detailed telemetry", - "waf": "Operations" + "subcategory": "Outbound Control", + "text": "If outbound network access is required, it is recommended to configure outbound networking restrictions using built-in Azure SQL Database control feature", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", - "service": "APIM", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Private Endpoint is created inside a subnet in an Azure Virtual Network. Proper security configuration must be applied also to the containing network environment, including NSG/ASG, UDR, firewall, monitoring and auditing.", + "guid": "246cd832-f550-4af0-9c74-ca9baeeb8860", + "link": "https://learn.microsoft.com/azure/azure-sql/database/private-endpoint-overview?view=azuresql#disable-public-access-to-your-logical-server", "services": [ + "VNet", + "Firewall", + "SQL", "Monitor", - "WAF" + "PrivateLink" ], - "severity": "High", - "text": "Configure alerts on the most critical metrics", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Private Access", + "text": "If Private Access connectivity is used, ensure that you are using the Private Endpoint, Azure Virtual Network, Azure Firewall, and Azure Network Security Group checklists", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", - "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", - "service": "APIM", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "When adding a Private Endpoint connection, public routing to your logical server isn't blocked by default. In the --Firewall and virtual networks-- pane, the setting --Deny public network access-- is not selected by default. To disable public network access, ensure that you select --Deny public network access--.", + "guid": "3a0808ee-ea7a-47ab-bdce-920a6a2b3881", + "link": "https://learn.microsoft.com/azure/azure-sql/database/private-endpoint-overview?view=azuresql#disable-public-access-to-your-logical-server", "services": [ - "AKV", - "WAF" + "VNet", + "PrivateLink", + "SQL" ], "severity": "High", - "text": "Ensure that custom SSL certificates are stored an Azure Key Vault so they can be securely accessed and updated", + "subcategory": "Private Access", + "text": "If Private Endpoint (Private Access) is used, consider disabling Public Access connectivity", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", - "service": "APIM", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Network Security Group (NSG) and Application Security Group (ASG) can be now applied to subnet containing Private Endpoints to restrict connections to Azure SQLDB based on internal source IP ranges.", + "guid": "8600527e-e8c4-4424-90ef-1f0dca0224f2", + "link": 
"https://learn.microsoft.com/azure/private-link/private-endpoint-overview#network-security-of-private-endpoints", "services": [ - "Entra", - "WAF" + "VNet", + "PrivateLink", + "SQL" ], - "severity": "High", - "text": "Protect incoming requests to APIs (data plane) with Azure AD", + "severity": "Medium", + "subcategory": "Private Access", + "text": "If Private Endpoint (Private Access) is used, apply NSG and eventually ASG to limit incoming source IP address ranges", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", - "service": "APIM", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "A Managed Instance (SQL MI) can be isolated inside a virtual network to prevent external access. Applications and tools that are in the same or peered virtual network in the same region could access it directly. Applications and tools that are in different region could use virtual-network-to-virtual-network connection or ExpressRoute circuit peering to establish connection. 
Customer should use Network Security Groups (NSG), and eventually internal firewalls, to restrict access over port 1433 only to resources that require access to a managed instance.", + "guid": "18123ef4-a0a6-45e3-87fe-7f454f65d975", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/connectivity-architecture-overview", "services": [ - "Entra", - "WAF" + "VNet", + "ExpressRoute", + "SQL" ], "severity": "Medium", - "text": "Use Microsoft Entra ID to authenticate users in the Developer Portal", + "subcategory": "Private Access", + "text": "Apply Network Security Groups (NSG) and firewall rules to restrict access to Azure SQL Managed Instance internal subnet", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", - "service": "APIM", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Azure Virtual Network Service Endpoint is preferred solution if you want to establish a direct connection to the Azure SQL Database backend nodes using Redirect policy. 
This will allow access in high performance mode and is the recommended approach from a performance perspective.", + "guid": "55187443-6852-4fbd-99c6-ce303597ca7f", + "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview?view=azuresql#ip-vs-virtual-network-firewall-rules", "services": [ - "WAF" + "VNet", + "AzurePolicy", + "SQL" ], - "severity": "Medium", - "text": "Create appropriate groups to control the visibility of the products", + "severity": "High", + "subcategory": "Public Access", + "text": "If Public Access connectivity is used, leverage Service Endpoint to restrict access from selected Azure Virtual Networks", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "06862505-2d9a-4874-9491-2837b00a3475", - "link": "https://learn.microsoft.com/azure/api-management/backends", - "service": "APIM", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "The Azure SQL Database firewall allows you to specify IP address ranges from which communications are accepted. 
This approach is fine for stable IP addresses that are outside the Azure private network.", + "guid": "a73e32da-b3f4-4960-b5ec-2f42a557bf31", + "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview", "services": [ - "WAF" + "Storage", + "SQL" ], "severity": "Medium", - "text": "Use Backends feature to eliminate redundant API backend configurations", - "waf": "Operations" + "subcategory": "Public Access", + "text": "If Public Access connectivity is used, ensure that only specific known IPs are added to the firewall", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", - "service": "APIM", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "We recommend that you use database-level IP firewall rules whenever possible. This practice enhances security and makes your database more portable. Use server-level IP firewall rules for administrators. 
Also use them when you have many databases that have the same access requirements, and you don't want to configure each database individually.", + "guid": "e0f31ac9-35c8-4bfd-9865-edb60ffc6768", + "link": "https://learn.microsoft.com/azure/azure-sql/database/firewall-configure", "services": [ - "AzurePolicy", - "WAF" + "Storage", + "SQL" ], - "severity": "Medium", - "text": "Use Named Values to store common values that can be used in policies", - "waf": "Operations" + "severity": "Low", + "subcategory": "Public Access", + "text": "If Public Access connectivity is used and controlled by Azure SQL Database firewall rules, use database-level over server-level IP rules", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", - "service": "APIM", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "A Managed Instance (SQL MI) can be isolated inside a virtual network to prevent external access. The Managed Instance public endpoint is not enabled by default, must be explicitly enabled, only if strictly required. 
If company policy disallows the use of public endpoints, use Azure Policy to prevent enabling public endpoints in the first place.", + "guid": "b8435656-143e-41a8-9922-61d34edb751a", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/public-endpoint-overview", "services": [ - "ACR", - "WAF" + "VNet", + "AzurePolicy", + "SQL" ], - "severity": "Medium", - "text": "For DR, leverage the premium tier with deployments scaled across two or more regions for 99.99% SLA", - "waf": "Reliability" + "severity": "High", + "subcategory": "Public Access", + "text": "Do not enable Azure SQL Managed Instance public endpoint", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", - "link": "https://learn.microsoft.com/azure/api-management/high-availability", - "service": "APIM", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "A Managed Instance (SQL MI) public endpoint is not enabled by default, must be explicitly enabled, only if strictly required. 
In this case, it is recommended to apply a Network Security Groups (NSG) to restrict access to port 3342 only to trusted source IP addresses.", + "guid": "057dd298-8726-4aa6-b590-1f81d2e30421", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/public-endpoint-overview", "services": [ - "WAF" + "VNet", + "SQL" ], - "severity": "Medium", - "text": "Deploy at least one unit in two or more availability zones for an increased SLA of 99.99%", - "waf": "Reliability" + "severity": "High", + "subcategory": "Public Access", + "text": "Restrict access if Azure SQL Managed Instance public endpoint is required", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", - "service": "APIM", + "category": "Privileged Access", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Most operations, support, and troubleshooting performed by Microsoft personnel and sub-processors do not require access to customer data. In those rare circumstances where such access is required, Customer Lockbox for Microsoft Azure provides an interface for customers to review and approve or reject customer data access requests. 
In support scenarios where Microsoft needs to access customer data, Azure SQL Database supports Customer Lockbox to provide an interface for you to review and approve or reject customer data access requests.", + "guid": "37b6eb0f-553d-488f-8a8a-cb9bf97388ff", + "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", "services": [ - "Backup", - "WAF" + "SQL" ], - "severity": "High", - "text": "Ensure there is an automated backup routine", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Lockbox", + "text": "Review and enable Customer Lockbox for Azure SQL Database access by Microsoft personnel", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", - "link": "https://learn.microsoft.com/azure/api-management/retry-policy", - "service": "APIM", + "category": "Privileged Access", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "The principle of least privilege states that users shouldn't have more privileges than needed to complete their tasks. High-privileged database and server users can perform many configuration and maintenance activities on the database and can also drop databases in Azure SQL instance. 
Tracking database owners and privileged accounts is important to avoid having excessive permission.", + "guid": "5fe5281f-f0f9-4842-a682-8baf18bd8316", + "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#implement-principle-of-least-privilege", "services": [ - "AzurePolicy", - "WAF" + "SQL" ], "severity": "Medium", - "text": "Use Policies to add a fail-over backend URL and caching to reduce failing calls.", - "waf": "Reliability" + "subcategory": "Permissions", + "text": "Ensure that users are assigned the minimum level of access necessarily to complete their job functions", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", - "service": "APIM", + "category": "Privileged Access", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Identities (both Users and SPNs) should be scoped to the least amount of access needed to perform the function. A higher number of tightly scoped SPNs should be used, instead of having one SPN with multiple sets of unrelated permissions. For example, if there are three external web applications hosted on-prem that make queries to the Azure SQL Database, they should not all use the same SPN for these activities. 
Instead, they should each have their own tightly scoped SPN.", + "guid": "7b5b55e5-4750-4920-be97-eb726c256a5c", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#im-3-use-azure-ad-single-sign-on-sso-for-application-access", "services": [ - "EventHubs", - "AzurePolicy", - "WAF" + "Entra", + "SQL" ], "severity": "Low", - "text": "If you need to log at high performance levels, consider Event Hubs policy", - "waf": "Operations" + "subcategory": "Permissions", + "text": "Ensure that distinct applications will be assigned different credentials with minimal permissions to access Azure SQL Database", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", - "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", - "service": "APIM", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Ensure data repositories for the backup solution are stored outside of vSAN storage. 
Either in Azure native or on a disk pool-backed datastore", + "guid": "976f32a7-30d1-6caa-c2a0-207fdc26571b", + "link": "https://learn.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution", "services": [ - "AzurePolicy", - "WAF" + "Storage", + "AVS", + "Backup" ], "severity": "Medium", - "text": "Apply throttling policies to control the number of requests per second", - "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", - "waf": "Performance" + "subcategory": "Backup", + "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", - "service": "APIM", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Microsoft backup service", + "guid": "fc8af7a1-c724-e255-c18d-4ca22a6f27f0", + "link": "https://docs.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution", "services": [ - "WAF" + "AVS", + "Backup" ], "severity": "Medium", - "text": "Configure autoscaling to scale out the number of instances when the load increases", - "waf": "Performance" + "subcategory": "Business Continuity", + "text": "Use MABS as your backup solution", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", - "service": "APIM", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Best practice - this is Backup, not disaster recovery", + "guid": "be28860f-3d29-a79a-1a0e-36f1b23b36ae", + "link": "Best practice to deploy backup in the same region as your AVS deployment", "services": [ - "WAF" + "ASR", + "AVS", + "Backup" 
], "severity": "Medium", - "text": "Deploy self-hosted gateways where Azure doesn't have a region close to the backend APIs.", - "waf": "Performance" + "subcategory": "Business Continuity", + "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", - "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", - "service": "APIM", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Best practice - in case AVS is unavailable", + "guid": "4d2f79a5-4ccf-0dfc-557c-49619b99a540", + "link": "https://docs.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution", "services": [ - "WAF" + "AVS" ], "severity": "Medium", - "text": "Use the premium tier for production workloads.", + "subcategory": "Business Continuity", + "text": "Preferably deploy MABS outside of the SDDC as native Azure IaaS", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", - "service": "APIM", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?", + "guid": "ff431c40-962c-5182-d536-0c2f0c4ce9e0", + "link": "Will Disaster Recovery Site Recovery, HCX Disaster Recovery, SRM or back tools be used?", "services": [ - "AzurePolicy", - "WAF" + "AVS" ], "severity": "Medium", - "text": "In multi-region model, use Policies to route the requests to regional backends based on availability or latency.", + "subcategory": "Business Continuity", + "text": "Escalation process with Microsoft in the event of a 
regional DR", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", - "service": "APIM", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Compare SRM with HCX", + "guid": "f379436d-3051-daa0-01fb-dc4e0e04d677", + "link": "https://docs.microsoft.com/azure/azure-vmware/disaster-recovery-using-vmware-site-recovery-manager", "services": [ - "Entra", - "APIM", - "WAF" + "ASR", + "AVS" ], - "severity": "High", - "text": "Be aware of APIM's limits", + "severity": "Medium", + "subcategory": "Disaster Recovery", + "text": "Use VMware Site Recovery Manager when both sites are Azure VMware Solution", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", - "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", - "service": "APIM", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Recovery into Azure instead of Vmware solution", + "guid": "367f71d8-3cf6-51a0-91a5-3db3d570cc19", + "link": "https://docs.microsoft.com/azure/site-recovery/avs-tutorial-prepare-azure", "services": [ - "WAF" + "ASR", + "AVS" ], - "severity": "High", - "text": "Ensure that the self-hosted gateway deployments are resilient.", + "severity": "Medium", + "subcategory": "Disaster Recovery", + "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "7519e385-a88b-4d34-966b-6269d686e890", - "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", - "service": "APIM", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Avoid manual tasks 
as much as possible", + "guid": "ee02ada0-1887-bb3a-b84c-423f45a09ef9", + "link": "https://docs.microsoft.com/azure/site-recovery/avs-tutorial-prepare-azure", "services": [ - "Entra", - "FrontDoor", - "APIM", - "WAF" + "ASR", + "AVS" ], "severity": "Medium", - "text": "Use Azure Front Door in front of APIM for multi-region deployment", - "waf": "Performance" + "subcategory": "Disaster Recovery", + "text": "Use Automated recovery plans with either of the Disaster solutions,", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "cd45c90e-7690-4753-930b-bf290c69c074", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", - "service": "APIM", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Any other datacenter in the same region", + "guid": "0c2b74e5-9c28-780d-1df3-12d3de4aaa76", + "link": "https://docs.microsoft.com/azure/azure-vmware/connect-multiple-private-clouds-same-region", "services": [ - "VNet", - "WAF" + "ASR", + "AVS" ], "severity": "Medium", - "text": "Deploy the service within a Virtual Network (VNet)", - "waf": "Security" + "subcategory": "Disaster Recovery", + "text": "Configure a secondary disaster recovery environment", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", - "service": "APIM", - "services": [ - "APIM", - "VNet", - "Monitor", - "Entra", - "WAF" - ], - "severity": "Medium", - "text": "Deploy network security groups (NSG) to your subnets to restrict or monitor traffic to/from APIM.", - "waf": "Security" - }, - { - 
"checklist": "WAF checklist", - "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", - "service": "APIM", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions", + "guid": "c2a34ec4-2933-4e6c-dc36-e20e67abbe3f", + "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", "services": [ - "APIM", - "VNet", - "PrivateLink", - "Entra", - "WAF" + "ASR", + "AVS" ], "severity": "Medium", - "text": "Deploy Private Endpoints to filter incoming traffic when APIM is not deployed to a VNet.", - "waf": "Security" + "subcategory": "Disaster Recovery", + "text": "Assign IP ranges unique to each region", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", - "service": "APIM", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "ExpressRoute Global Reach can be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or routing must be done through network virtual appliances?", + "guid": "b44fb6ec-bfc1-3a8e-dba2-ca97f0991d2c", + "link": "This depends if you have multiple AVS Private Clouds. If so and they are in the same region then use AVS Interconnect. 
If they are in separate regions then use ExpressRoute Global Reach.", "services": [ - "WAF" + "ASR", + "AVS", + "ExpressRoute", + "NVA" ], - "severity": "High", - "text": "Disable Public Network Access", - "waf": "Security" + "severity": "Medium", + "subcategory": "Disaster Recovery", + "text": "Use Global Reach between DR regions", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", - "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", - "service": "APIM", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "An ExR Global Reach connection will be established to the ExR circuit, no other connections", + "guid": "a2c12df2-07fa-3edd-2cec-fda0b55fb952", + "link": "https://learn.microsoft.com/azure/azure-vmware/tutorial-expressroute-global-reach-private-cloud", "services": [ - "WAF" + "AVS", + "VWAN" ], "severity": "Medium", - "text": "Simplify management with PowerShell automation scripts", - "waf": "Operations" + "subcategory": "Direct (no vWAN, no H&S)", + "text": "Global Reach to ExR circuit - no Azure resources", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", - "service": "APIM", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use ExR to connect on-premises (other) location to Azure", + "guid": "f62ce162-ba5a-429d-674e-fafa1af5f706", + "link": "https://learn.microsoft.com/azure/azure-vmware/tutorial-expressroute-global-reach-private-cloud", "services": [ - "Entra", - "APIM", - "WAF" + "AVS", + "ExpressRoute" ], "severity": "Medium", - "text": "Configure APIM via Infrastructure-as-code. 
Review DevOps best practices from the Cloud Adaption Framework APIM Landing Zone Accelerator", - "waf": "Operations" + "subcategory": "ExpressRoute", + "text": "Connect to Azure using ExR", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", - "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", - "service": "APIM", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use the migration assesment tool and timeline to determine bandwidth required", + "guid": "cf01c73b-1247-0a7a-740c-e1ea29bda340", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-introduction", "services": [ - "Entra", - "APIM", - "WAF" + "AVS", + "ExpressRoute" ], "severity": "Medium", - "text": "Promote usage of Visual Studio Code APIM extension for faster API development", - "waf": "Operations" + "subcategory": "ExpressRoute", + "text": "Bandwidth sizing", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "354f1c03-8112-4965-85ad-c0074bddf231", - "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", - "service": "APIM", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "What traffic is routed through a firewall, what goes directly into Azure", + "guid": "aab216ee-8941-315e-eada-c7e1f2243bd1", + "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking", "services": [ - "WAF" + "AVS", + "ExpressRoute" ], "severity": "Medium", - "text": "Implement DevOps and CI/CD in your workflow", - "waf": "Operations" + "subcategory": "ExpressRoute", + "text": "Traffic routing ", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "b6439493-426a-45f3-9697-cf65baee208d", - "link": 
"https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", - "service": "APIM", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "AVS to ExR circuit, no traffic inspection", + "guid": "1f956e45-f62d-5c95-3a95-3bab718907f8", + "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking", "services": [ - "WAF" + "AVS", + "ExpressRoute" ], "severity": "Medium", - "text": "Secure APIs using client certificate authentication", - "waf": "Security" + "subcategory": "ExpressRoute", + "text": "Global Reach ", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "2a67d143-1033-4c0a-8732-680896478f08", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", - "service": "APIM", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Name of the vNet and a unique address space /24 minimum", + "guid": "91f7a87b-21ac-d712-959c-8df2ba034253", + "link": "https://learn.microsoft.com/azure/virtual-network/quick-create-portal", "services": [ - "WAF" + "VNet", + "AVS" ], "severity": "Medium", - "text": "Secure backend services using client certificate authentication", - "waf": "Security" + "subcategory": "Hub & Spoke", + "text": "VNet name & address space", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", - "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", - "service": "APIM", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Subnet must be called GatewaySubnet", + "guid": "58a027e2-f37f-b540-45d5-e44843aba26b", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings", "services": [ - "WAF" + "VPN", 
+ "VNet", + "AVS", + "ExpressRoute" ], "severity": "Medium", - "text": "Review 'Recommendations to mitigate OWASP API Security Top 10 threats' article and check what is applicable to your APIs", - "waf": "Security" + "subcategory": "Hub & Spoke", + "text": "Gateway subnet", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", - "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", - "service": "APIM", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Create a VPN gateway on the hub Gateway subnet", + "guid": "d4806549-0913-3e79-b580-ac2d3706e65a", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings", "services": [ - "WAF" + "VPN", + "VNet", + "AVS", + "ExpressRoute" ], "severity": "Medium", - "text": "Use Authorizations feature to simplify management of OAuth 2.0 token for your backend APIs", - "waf": "Security" + "subcategory": "Hub & Spoke", + "text": "VPN Gateway", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", - "service": "APIM", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Create an ExR Gateway in the hub Gateway subnet.", + "guid": "864d7a8b-7016-c769-a717-61af6bfb73d2", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings", "services": [ - "WAF" + "VPN", + "VNet", + "AVS", + "ExpressRoute" ], - "severity": "High", - "text": "Use the latest TLS version when encrypting information in transit. 
Disable outdated and unnecessary protocols and ciphers when possible.", - "waf": "Security" + "severity": "Medium", + "subcategory": "Hub & Spoke", + "text": "ExR Gateway", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "f8af3d94-1d2b-4070-846f-849197524258", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", - "service": "APIM", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "How will Internet traffic be routes, Az Firewall, NVA, Secure Hub, On-Premises firewall?", + "guid": "cc2e11b9-7911-7da1-458c-d7fcef794aad", + "link": "https://learn.microsoft.com/azure/azure-vmware/enable-public-internet-access", "services": [ - "AKV", - "WAF" + "AVS", + "NVA" ], - "severity": "High", - "text": "Ensure that secrets (Named values) are stored an Azure Key Vault so they can be securely accessed and updated", - "waf": "Security" + "severity": "Medium", + "subcategory": "Internet", + "text": "Egress point", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "791abd8b-7706-4e31-9569-afefde724be3", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", - "service": "APIM", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Allow remote connectivity to AVS via the portal, specifically to vCenter, NSX-T and HCX", + "guid": "71e68ce3-982e-5e56-0191-01100ad0e66f", + "link": "https://learn.microsoft.com/answers/questions/171195/how-to-create-jump-server-in-azure-not-bastion-paa.html", "services": [ - "Entra", - "WAF" + "AVS", + "Bastion" ], "severity": "Medium", - "text": 
"Use managed identities to authenticate to other Azure resources whenever possible", - "waf": "Security" + "subcategory": "Jumpbox & Bastion", + "text": "Remote connectivity to AVS", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", - "service": "APIM", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Name the jumpbox and identify the subnet where it will be hosted", + "guid": "6f8e93a2-44b1-bb1d-28a1-4d5b3c2ea857", + "link": "https://learn.microsoft.com/azure/bastion/tutorial-create-host-portal", "services": [ - "Entra", - "APIM", - "AppGW", - "WAF" + "VNet", + "AVS", + "Bastion" ], - "severity": "High", - "text": "Use web application firewall (WAF) by deploying Application Gateway in front of APIM", - "waf": "Security" + "severity": "Medium", + "subcategory": "Jumpbox & Bastion", + "text": "Configure a jumbox and Azure Bastion", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "43e52f47-22d9-428c-8b1c-d521e54a29a9", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foundations-playbooks-CosmosDB_v1.docx", - "service": "CosmosDB", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Provides secure / seamless RDP/SSH connectivity to your vm's directly through the portal.", + "guid": "ba430d58-4541-085c-3641-068c00be9bc5", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview", "services": [ - "WAF" + "AVS", + "VM", + "Bastion" ], "severity": "Medium", - "text": "FTA Resiliency Playbook", - "waf": "Reliability" + "subcategory": "Jumpbox & Bastion", + "text": "Security 
measure allowing RDP access via the portal", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "de39ac0e-7c28-4dc9-9565-7202bff4564b", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", - "service": "CosmosDB", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Using a VPN to connect to Azure to enable VMware communications (HCX) (not recommended)", + "guid": "9988598f-2a9f-6b12-9b46-488415ceb325", + "link": "https://learn.microsoft.com/azure/azure-vmware/configure-site-to-site-vpn-gateway", "services": [ - "WAF" + "VPN", + "AVS" ], - "severity": "High", - "text": "Leverage Availablity Zones where regionally applicable and ofcourse if the service offers it", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "VPN", + "text": "Connect to Azure using a VPN", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "0d934a34-8b26-43e7-bd60-513a3649906e", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#replica-outages", - "service": "CosmosDB", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use the migration assesment tool and timeline to determine bandwidth required (eg 3rd party tool in link)", + "guid": "956ce5e9-a862-fe2b-a50d-a22923569357", + "link": "https://www.omnicalculator.com/other/data-transfer#:~:text=To%20calculate%20the%20data%20transfer%20speed%3A%201%20Download,measured%20time%20to%20find%20the%20data%20transfer%20speed.", "services": [ - "WAF" + "VPN", + "AVS" ], "severity": "Medium", - "text": "Run multiple replicas of the database (>1 ) in Prod", - "waf": "Reliability" + "subcategory": "VPN", + "text": "Bandwidth sizing", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "description": "Multi-region writes capability allows you to take advantage of the provisioned throughput for your databases and containers 
across the globe", - "guid": "bad38ead-53cc-47de-8d8a-aab3571449ab", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions", - "service": "CosmosDB", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "What traffic is routed through a firewall, what goes directly into Azure", + "guid": "e095116f-0bdc-4b51-4d71-b9e469d56f59", + "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking", "services": [ - "ACR", - "WAF" + "VPN", + "AVS" ], "severity": "Medium", - "text": "Leverage Multi-Region Writes", - "waf": "Reliability" + "subcategory": "VPN", + "text": "Traffic routing ", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "description": "Span Cosmos account across two or more regions with multi-region writes", - "guid": "8153d89f-89dc-47b3-9be2-b1a27f7b9e91", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", - "service": "CosmosDB", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Name and unique address space for the vWAN, name for the vWAN hub", + "guid": "4dc480ac-cecd-39c4-fdc6-680b300716ab", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-site-to-site-portal#openvwan", "services": [ - "ACR", - "WAF" + "AVS", + "VWAN" ], "severity": "Medium", - "text": "Distribute your data globally", - "waf": "Reliability" + "subcategory": "vWAN hub", + "text": "vWAN name, hub name and address space", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "description": "Choose from various consistency levels such as Eventual, Consistent Prefix, Session, Bounded Staleness and strong", - "guid": "9f8ea848-25ec-4140-bc32-2758e6ee9ac0", - "link": "https://learn.microsoft.com/azure/cosmos-db/consistency-levels", - "service": "CosmosDB", + "category": "Connectivity", + "checklist": 
"Azure VMware Solution Implementation Checklist", + "description": "Select either boh or the appropriate connection type.", + "guid": "51d6affd-8e02-6aea-d3d4-0baf618b3076", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-point-to-site-portal", "services": [ - "WAF" + "VPN", + "AVS", + "VWAN" ], - "severity": "High", - "text": "Choose from several well-defined consistency models", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "vWAN hub", + "text": "ExR and/or VPN gateway provisioned", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "description": "Maintain business continuity during regional outages. Azure Cosmos DB supports service-managed failover during a regional outage. During a regional outage, Azure Cosmos DB continues to maintain its latency, availability, consistency, and throughput SLAs. To help make sure that your entire application is highly available, Azure Cosmos DB offers a manual failover API to simulate a regional outage. By using this API, you can carry out regular business continuity drills.", - "guid": "a47e4d1e-bb79-43f9-bf87-69e1032b72fe", - "link": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover", - "service": "CosmosDB", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Add Azure firewall to vWAN (recommended)", + "guid": "e32a4c67-3dc0-c134-1c12-52d46dcbab5b", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-expressroute-portal", "services": [ - "CosmosDB", - "WAF" + "AVS", + "VWAN", + "Firewall" ], "severity": "Medium", - "text": "Enable Service managed failover", - "waf": "Reliability" + "subcategory": "vWAN hub", + "text": "Secure vWAN", + "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Azure Cosmos DB automatically takes backups of your data at regular intervals. 
The automatic backups are taken without affecting the performance or availability of the database operations. All the backups are stored separately in a storage service.", - "guid": "3499c9c1-133d-42f7-a4b1-a5bd06ff1a90", - "link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore", - "service": "CosmosDB", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Active directory or other identity provider servers", + "guid": "fbc47fbf-bc96-fa93-ed5d-8c9be63cd5c3", + "link": "https://learn.microsoft.com/azure/azure-vmware/configure-identity-source-vcenter", "services": [ - "Backup", - "CosmosDB", - "Storage", - "WAF" + "Entra", + "AVS" ], "severity": "Medium", - "text": "Enable Automatic Backups", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Reliability" + "subcategory": "Access", + "text": "External Identity (user accounts)", + "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "This mode is the default backup mode for all existing accounts. In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. 
The minimum backup interval can be one hour.", - "guid": "a6eb33f6-005c-4d92-9286-7655672d6121", - "link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction", - "service": "CosmosDB", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Not required for LDAPS, required for Kerberos", + "guid": "b5db7975-f6bb-8ba3-ee5f-e3e805887997", + "link": "https://learn.microsoft.com/windows-server/identity/ad-ds/plan/understanding-active-directory-site-topology", "services": [ - "Backup", - "WAF" + "Entra", + "AVS" ], "severity": "Medium", - "text": "Perform Periodic Backups", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Reliability" + "subcategory": "Access", + "text": "If using AD domain, ensure Sites & Services has been configured", + "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Continous 7 day retention and 30 day retention backups. Azure Cosmos DB performs data backup in the background without consuming any extra provisioned throughput (RUs) or affecting the performance and availability of your database. 
Continuous backups are taken in every region where the account exists.", - "guid": "d43918a8-cd28-49be-b6b1-7cb8245461e1", - "link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction", - "service": "CosmosDB", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Authentication for users, must be secure.", + "guid": "c30749c4-e2af-558c-2eb9-0b6ae84881d1", + "link": "https://learn.microsoft.com/azure/azure-vmware/configure-identity-source-vcenter", "services": [ - "Backup", - "CosmosDB", - "WAF" + "Entra", + "AVS" ], "severity": "Medium", - "text": "Continous Backup with point-in-time restore in Azure Cosmos DB", - "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", - "waf": "Reliability" + "subcategory": "Access", + "text": "Use LDAPS not ldap ( vCenter)", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", - "service": "IoT", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Authentication for users, must be secure.", + "guid": "64cb9b5c-9edd-787e-1dd8-2b2338e51635", + "link": "https://learn.microsoft.com/azure/azure-vmware/configure-external-identity-source-nsx-t", "services": [ - "WAF" + "Entra", + "AVS" ], - "severity": "High", - "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled)", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Access", + "text": "Use LDAPS not ldap (NSX-T)", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation 
Checklist", + "description": "CN or SAN names, no wildcards, contains private key - CER or PFX", + "guid": "bec285ab-037e-d629-81d1-f61dac23cd4c", + "link": "https://youtu.be/4jvfbsrhnEs", "services": [ - "WAF" + "Entra", + "AVS" ], "severity": "Medium", - "text": "Be aware of Microsoft-initiated failovers. These are exercised by Microsoft in rare situations to fail over all the IoT hubs from an affected region to the corresponding geo-paired region.", - "waf": "Reliability" + "subcategory": "Security", + "text": "Security certificate installed on LDAPS servers ", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", - "service": "IoT", - "services": [ - "WAF" - ], - "severity": "High", - "text": "Consider a Cross-Region DR strategy for critical workloads", - "waf": "Reliability" - }, - { - "checklist": "WAF checklist", - "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", - "services": [ - "WAF" - ], - "severity": "High", - "text": "Learn how to trigger a manual failover.", - "waf": "Reliability" - }, - { - "checklist": "WAF checklist", - "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", - "service": "IoT", - "services": [ - "WAF" - ], - "severity": "High", - "text": "Learn how to fail back after a failover.", - "waf": "Reliability" - }, - { - "checklist": "WAF checklist", - "description": "Disable image export to prevent data exfiltration. 
Note that this will prevent image import of images into another ACR instance.", - "guid": "ab91932c-9fc9-4d1b-a880-37f5e6bfcb9e", - "link": "https://learn.microsoft.com/azure/container-registry/data-loss-prevention", - "service": "ACR", - "services": [ - "ACR", - "WAF" - ], - "severity": "High", - "text": "Disable Azure Container Registry image export", - "waf": "Security" - }, - { - "checklist": "WAF checklist", - "description": "Enable audit compliance visibility by enabling Azure Policy for Azure Container Registry", - "guid": "d503547c-d447-4e82-9128-a7100f1cac6d", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy", - "service": "ACR", - "services": [ - "AzurePolicy", - "ACR", - "WAF" - ], - "severity": "High", - "text": "Enable Azure Policies for Azure Container Registry", - "waf": "Security" - }, - { - "checklist": "WAF checklist", - "description": "The Azure Key Vault (AKV) is used to store a signing key that can be utilized by?notation?with the notation AKV plugin (azure-kv) to sign and verify container images and other artifacts. 
The Azure Container Registry (ACR) allows you to attach these signatures using the?az?or?oras?CLI commands.", - "guid": "d345293c-7639-4637-a551-c5c04e401955", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push", - "service": "ACR", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Standard Azure Roles Based Access Controls", + "guid": "4ba394a2-3c33-104c-8e34-2dadaba9cc73", + "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-identity", "services": [ - "AKV", - "ACR", - "WAF" + "Entra", + "RBAC", + "AVS" ], - "severity": "High", - "text": "Sign and Verify containers with notation (Notary v2)", + "severity": "Medium", + "subcategory": "Security", + "text": "RBAC applied to Azure roles", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Azure Container Registry automatically encrypts images and other artifacts that you store. By default, Azure automatically encrypts the registry content at rest by using service-managed keys. 
By using a customer-managed key, you can supplement default encryption with an additional encryption layer.", - "guid": "0bd05dc2-efd5-4d76-8d41-d2500cc47b49", - "link": "https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys", - "service": "ACR", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Create roles in vCenter required to meet minimum viable access guidelines", + "guid": "b04ca129-83a9-3494-7512-347dd2d766db", + "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-identity#view-the-vcenter-server-privileges", "services": [ - "AKV", - "ACR", - "WAF" + "Entra", + "RBAC", + "AVS" ], "severity": "Medium", - "text": "Encrypt registry with a customer managed key", + "subcategory": "Security", + "text": "RBAC model in vCenter", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Use managed identities to secure ACRPull/Push RBAC access from client applications", - "guid": "8f42d78e-79dc-47b3-9bd2-a1a27e7a8e90", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", - "service": "ACR", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)", + "guid": "8e477d2f-8004-3dd0-93d6-0aece9e1b2fb", + "link": "Best practice", "services": [ "Entra", "RBAC", - "ACR", - "WAF" + "AVS" ], - "severity": "High", - "text": "Use Managed Identities to connect instead of Service Principals", + "severity": "Medium", + "subcategory": "Security", + "text": "CloudAdmin role usage", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "The local Administrator account is disabled by default and should not be enabled. 
Use either Token or RBAC-based access methods instead", - "guid": "be0e38ce-e297-411b-b363-caaab79b198d", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", - "service": "ACR", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "For roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)", + "guid": "00e0b729-f9be-f600-8c32-5ec0e8f2ed63", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", "services": [ + "Entra", "RBAC", - "WAF" + "AVS" ], - "severity": "High", - "text": "Disable local authentication for management plane access", + "severity": "Medium", + "subcategory": "Security ", + "text": "Is Privileged Identity Management implemented", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Disable Administrator account and assign RBAC roles to principals for ACR Pull/Push operations", - "guid": "387e5ced-126c-4d13-8af5-b20c6998a646", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli", - "service": "ACR", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "For the Azure VMware Solution PIM roles", + "guid": "0842d45f-41a8-8274-1155-2f6ed554d315", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", "services": [ "Entra", "RBAC", - "ACR", - "WAF" + "AVS" ], - "severity": "High", - "text": "Assign AcrPull & AcrPush RBAC roles rather than granting Administrative access to identity principals", + "severity": "Medium", + "subcategory": "Security ", + "text": "Is Privileged Identity Management audit reporting implemented", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Disable anonymous pull/push access", - "guid": 
"e338997e-41c7-47d7-acf6-a62a1194956d", - "link": "https://learn.microsoft.com/azure/container-registry/anonymous-pull-access#configure-anonymous-pull-access", - "service": "ACR", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Best practice, also see Monitoring/Alerts", + "guid": "915cbcd7-0640-eb7c-4162-9f33775de559", + "link": "Best practice", "services": [ - "WAF" + "Entra", + "Monitor", + "AVS" ], "severity": "Medium", - "text": "Disable Anonymous pull access", + "subcategory": "Security ", + "text": "Limit use of CloudAdmin account to emergency access only", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Token authentication doesn't support assignment to an AAD principal. Any tokens provided are able to be used by anyone who can access the token", - "guid": "698dc3a2-fd27-4b2e-8870-1a1252beedf6", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication?tabs=azure-cli", - "service": "ACR", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Operational procedure", + "guid": "7effa0c0-9172-e8e4-726a-67dbea8be40a", + "link": "https://learn.microsoft.com/azure/azure-vmware/rotate-cloudadmin-credentials?tabs=azure-portal", "services": [ "Entra", - "WAF" + "AVS" ], - "severity": "High", - "text": "Disable repository-scoped access tokens", + "severity": "Medium", + "subcategory": "Security ", + "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Deploy container images to an ACR behind a Private endpoint within a trusted network", - "guid": "b3bec3d4-f343-47c1-936d-b55f27a71eee", - "service": "ACR", + "category": "Management", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use Azure ARC for Servers to properly govern workloads 
running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)", + "guid": "8f426fd0-d73b-d398-1f6f-df0cbe262a82", + "link": "https://learn.microsoft.com/azure/azure-arc/vmware-vsphere/overview", "services": [ - "EventHubs", - "PrivateLink", - "ACR", - "WAF" + "AVS", + "VM", + "Arc" ], - "severity": "High", - "text": "Deploy images from a trusted environment", - "waf": "Security" + "severity": "Medium", + "subcategory": "Operations", + "text": "AVS VM Management (Azure Arc)", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "description": "Only tokens with an ACR audience can be used for authentication. Used when enabling Conditional access policies for ACR", - "guid": "3a041fd3-2947-498b-8288-b3c6a56ceb54", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy", - "service": "ACR", + "category": "Management", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions", + "guid": "11dbe773-e380-9191-1418-e886fa7a6fd0", + "link": "https://docs.microsoft.com/azure/governance/policy/overview", "services": [ - "Entra", - "AzurePolicy", - "ACR", - "WAF" + "Monitor", + "AVS", + "AzurePolicy" ], "severity": "Medium", - "text": "Disable Azure ARM audience tokens for authentication", - "waf": "Security" + "subcategory": "Operations", + "text": "Azure policy", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "description": "Set up a diagnostic setting to send 'repositoryEvents' & 'LoginEvents' to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the ACR resource itself.", - "guid": "8a488cde-c486-42bc-9bd2-1be77f26e5e6", - "link": "https://learn.microsoft.com/azure/container-registry/monitor-service", - "service": "ACR", + "category": "Management", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud", + "guid": "1e59c639-9b7e-a60b-5e93-3798c1aff5db", + "link": "https://docs.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json#configure-locks", "services": [ - "Entra", - "ACR", - "Monitor", - "WAF" + "AVS" ], "severity": "Medium", - "text": "Enable diagnostics logging", - "waf": "Security" + "subcategory": "Operations", + "text": "Resource locks", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "description": "Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch", - "guid": "21d41d25-00b7-407a-b9ea-b40fd3290798", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link", - "service": "ACR", + "category": "Management", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "For manual deployments, all configuration and deployments must be documented", + "guid": "8f2c46aa-ca1b-cad3-3ac9-213dfc0a265e", + "link": "Make sure to create your own runbook on the deployment of AVS.", "services": [ - "Firewall", - "PrivateLink", - "VNet", - "WAF" + "AVS" ], "severity": "Medium", - "text": "Control inbound network access with Private Link", - "waf": "Security" + "subcategory": "Operations", + "text": "Run books", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "description": "Disable public network access if inbound network access is secured using 
Private Link", - "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks#disable-public-network-access", - "service": "ACR", + "category": "Management", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use", + "guid": "86b314f9-1f1e-317a-4dfb-cf510ad4a030", + "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", "services": [ - "PrivateLink", - "WAF" + "AVS", + "AKV" ], "severity": "Medium", - "text": "Disable Public Network access", - "waf": "Security" + "subcategory": "Operations", + "text": "Naming conventions for auth keys", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "description": "Only the ACR Premium SKU supports Private Link access", - "guid": "fc833934-8b26-42d6-ac5f-512925498f6d", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-skus", - "service": "ACR", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "For automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", + "guid": "e22a2d99-eb71-7d7c-07af-6d4cdb1d4443", + "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution", "services": [ - "PrivateLink", - "ACR", - "WAF" + "Monitor", + "AVS" ], "severity": "Medium", - "text": "Use an Azure Container Registry SKU that supports Private Link (Premium SKU)", - "waf": "Security" + "subcategory": "Alerts", + "text": "Create warning alerts for critical thresholds ", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "description": "Azure Defender for containers or equivalent service should be used to scan container images for vulnerabilities", - "guid": 
"bad37dac-43bc-46ce-8d7a-a9b24604489a", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction", - "service": "ACR", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", + "guid": "6d02f159-627d-79bf-a931-fab6d947eda2", + "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution", "services": [ - "Defender", - "ACR", - "WAF" + "Monitor", + "AVS" ], - "severity": "Low", - "text": "Enable Defender for Containers to scan Azure Container Registry for vulnerabilities", - "waf": "Security" + "severity": "Medium", + "subcategory": "Alerts", + "text": "Create critical alert vSAN consumption", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.", - "guid": "4451e1a2-d345-4293-a763-9637a551c5c0", - "service": "ACR", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Provides platform alerts (generated by Microsoft)", + "guid": "1cc97b39-2c7e-246f-6d73-789cfebfe951", + "link": "https://www.virtualworkloads.com/2021/04/azure-vmware-solution-azure-service-health/", "services": [ - "WAF" + "Monitor", + "AVS" ], "severity": "Medium", - "text": "Deploy validated container images", - "waf": "Security" + "subcategory": "Alerts", + "text": "Configured for Azure Service Health alerts and notifications", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.", - "guid": "4e401955-387e-45ce-b126-cd132af5b20c", - "service": "ACR", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": 
"Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads", + "guid": "0962606c-e3b4-62a9-5661-e4ffd62a4509", + "link": "https://docs.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution", "services": [ - "WAF" + "AVS", + "Backup", + "Monitor", + "VM", + "AzurePolicy" ], - "severity": "High", - "text": "Use up-to-date platforms, languages, protocols and frameworks", - "waf": "Security" + "severity": "Medium", + "subcategory": "Backup", + "text": "Backup policy", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "description": "Azure Event Hub provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "service": "Event Hubs", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Keep in mind the lead time for requesting new nodes", + "guid": "4ec7ccfb-795e-897e-4a84-fd31c04eadc6", + "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution", "services": [ - "EventHubs", - "WAF" + "Monitor", + "AVS", + "AzurePolicy" ], - "severity": "Low", - "text": "Use customer-managed key option in data at rest encryption when required", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Capacity", + "text": "Policy around ESXi host density and efficiency", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "description": "Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. 
To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail. ", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "service": "Event Hubs", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Azure Cost Management can be used - one option, put AVS in it's own Subscription. ", + "guid": "7f8f175d-13f4-5298-9e61-0bc7e9fcc279", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/govern", "services": [ - "EventHubs", - "WAF" + "Monitor", + "AVS", + "Subscriptions", + "Cost" ], "severity": "Medium", - "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Security" + "subcategory": "Costs", + "text": "Ensure a good cost management process is in place for Azure VMware Solution - ", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has manage permissions for the entire namespace. It�s recommended that you treat this rule like an administrative root account and don�t use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "service": "Event Hubs", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Create dashboards to enable core Azure VMware Solution monitoring insights", + "guid": "01e689e0-7c6c-b58f-37bd-4d6b9b1b9c74", + "link": "https://docs.microsoft.com/azure/azure-portal/azure-portal-dashboards", "services": [ - "RBAC", - "EventHubs", - "TrafficManager", - "AzurePolicy", - "Entra", - "WAF" + "Monitor", + "AVS", + "NetworkWatcher" ], "severity": "Medium", - "text": "Avoid using root account when it is not necessary", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "Security" + "subcategory": "Dashboard", + "text": "Connection monitor dashboard", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "description": "Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. 
", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "service": "Event Hubs", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Send to an Azure Storage account or Azure EventHub for processing (direct to Log Analytics is pending)", + "guid": "f9afdcc9-649d-d840-9fb5-a3c0edcc697d", + "link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs", "services": [ - "EventHubs", - "AKV", "Storage", - "Entra", - "VM", - "WAF" + "Monitor", + "AVS" ], "severity": "Medium", - "text": "When possible, your application should be using a managed identity to authenticate to Azure Event Hub. If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Security" + "subcategory": "Logs & Metrics", + "text": "Configure Azure VMware Solution logging ", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "description": "When creating permissions, provide fine-grained control over a client's access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped to the individual resource level e.g. consumer group, event hub entity, event hub namespaces, etc.", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "service": "Event Hubs", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Must be on-premises, implement if available", + "guid": "7cbac8c3-4eda-d5d9-9bda-c6b5abba9fb6", + "link": "Is vROPS or vRealize Network Insight going to be used? 
", "services": [ - "RBAC", - "EventHubs", - "WAF" + "Monitor", + "AVS" ], - "severity": "High", - "text": "Use least privilege data plane RBAC", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Logs & Metrics", + "text": "vRealize Operations", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "description": "Azure Event Hub resource logs include operational logs, virtual network and Kafka logs. Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "service": "Event Hubs", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor", + "guid": "b243521a-644d-f865-7fb6-21f9019c0dd2", + "link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs", "services": [ - "EventHubs", - "VNet", "Monitor", - "WAF" + "AVS", + "VM" ], "severity": "Medium", - "text": "Enable logging for security investigation. Use Azure Monitor to captured metrics and logs such as resource logs, runtime audit logs and Kafka logs", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Security" - }, - { - "checklist": "WAF checklist", - "description": "Azure Event Hub by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Event Hub traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. 
", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "service": "Event Hubs", - "services": [ - "EventHubs", - "PrivateLink", - "VNet", - "WAF" - ], - "severity": "Medium", - "text": "Consider using private endpoints to access Azure Event Hub and disable public network access when applicable.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Security" + "subcategory": "Logs & Metrics", + "text": "AVS VM logging", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "description": "With IP firewall, you can restrict public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. ", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "service": "Event Hubs", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Between on-premises to Azure are monitored using 'connection monitor'", + "guid": "2ca97d91-dd36-7229-b668-01036ccc3cd3", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal", "services": [ - "EventHubs", - "WAF" + "AVS", + "ExpressRoute", + "VPN", + "Monitor", + "NetworkWatcher" ], "severity": "Medium", - "text": "Consider only allowing access to Azure Event Hub namespace from specific IP addresses or ranges", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Security" + "subcategory": "Network", + "text": "Monitor ExpressRoute and/or VPN connections ", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "31d41e36-11c8-417b-8afb-c410d4391898", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", - "service": "Event Hubs", + "category": 
"Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "To monitor the Azure VMware Solution back-end ExpressRoute connection (Azure native to AVS)", + "guid": "99209143-60fe-19f0-5633-8b5671277ba5", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal", "services": [ - "WAF" + "Monitor", + "AVS", + "ExpressRoute" ], "severity": "Medium", - "text": "Leverage FTA Resillency HandBook", - "waf": "Reliability" + "subcategory": "Network", + "text": "Monitor from an Azure native resource to an Azure VMware Solution VM", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "description": " This will be turned on automatically for a new EH namespace created from the portal with Premium, Dedicated, or Standard SKUs in a zone-enabled region. Both the EH metadata and the event data itself are replicated across zones", - "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", - "service": "Event Hubs", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "To monitor end-to-end, on-premises to AVS workloads", + "guid": "b9e5867c-57d3-036f-fb1b-3f0a71664efe", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal", "services": [ - "EventHubs", - "ACR", - "WAF" + "Monitor", + "AVS" ], - "severity": "High", - "text": "Leverage Availability Zones if regionally applicable", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Network", + "text": "Monitor from an on-premises resource to an Azure VMware Solution VM", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "20b56c56-ad58-4519-8f82-735c586bb281", - "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", - "service": "Event Hubs", + "category": "Monitoring", + 
"checklist": "Azure VMware Solution Implementation Checklist", + "description": "Track requests to Azure VMware Solution and Azure VMware Solution based workloads", + "guid": "4af7c5f7-e5e9-bedf-a8cf-314b81735962", + "link": "Firewall logging and alerting rules are configured (Azure Firewall or 3rd party)", "services": [ - "WAF" + "Monitor", + "AVS" ], "severity": "Medium", - "text": "Use the Premium or Dedicated SKUs for predicable performance", - "waf": "Reliability" + "subcategory": "Security", + "text": "Auditing and logging is implemented for inbound internet ", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "description": "The built-in geo-disaster recovery feature, when enabled, ensures that the entire configuration of anamespace (Event Hubs, Consumer Groups and settings) is continuously replicated from a primary namespace to a secondary namespace, and it allows a once-only failover move from the primary to the secondary at any time. Active/Passive feature is designed to make it easier to recover from and abandon a failed Azure region without having to change application configurations", - "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", - "service": "Event Hubs", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity", + "guid": "74be60a3-cfac-f057-eda6-3ee087e805d5", + "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity", "services": [ - "EventHubs", - "ASR", - "WAF" + "Monitor", + "AVS" ], - "severity": "High", - "text": "Plan for Geo Disaster Recovery using Active Passive configuration", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Security", + "text": 
"Session monitoring ", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "description": "Should be used for DR configurations where an outage or loss of event data in the downed region cannot be tolerated. For these cases, follow the replication guidance and do not use the built-in geo-disaster recovery capability (active/passive). With Active/Active, Maintain multiple Event Hubs in different regions and namespaces, and events will be replicated between the hubs", - "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", - "service": "Event Hubs", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Enable Diagnostic and metric logging on Azure VMware Solution", + "guid": "a434b3b5-f258-0845-cd76-d7df6ef5890e", + "link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs", "services": [ - "EventHubs", - "ASR", - "WAF" + "Monitor", + "AVS" ], "severity": "Medium", - "text": "For Business Critical Applications, use Active Active configuration", - "waf": "Reliability" + "subcategory": "VMWare", + "text": "Logging and diagnostics", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", - "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", - "service": "Event Hubs", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Monitor AVS workloads (each VM in AVS)", + "guid": "fb00b69a-83ec-ce72-446e-6c23a0cab09a", + "link": "https://docs.microsoft.com/azure/azure-monitor/agents/agent-windows?tabs=setup-wizard", "services": [ - "EventHubs", - "WAF" + "Monitor", + "AVS", + "VM" ], "severity": "Medium", - "text": "Design Resilient Event Hubs", - "waf": "Reliability" + "subcategory": "VMware", + "text": "Log Analytics Agents deployed on Azure VMware 
Solution guest VM workloads", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "description": "Automatic instance repairs ensure that unhealthy instances are promptly identified and replaced, maintaining a set of healthy instances within your scale set.", - "guid": "7e13c105-675c-41e9-95b4-59837ff7ae7c", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs", - "service": "VMSS", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Decision on traffic flow", + "guid": "a1354b87-e18e-bf5c-c50b-8ddf0540e971", + "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-hub-and-spoke", "services": [ - "VM", - "WAF" + "AVS" ], - "severity": "Low", - "text": "Enable automatic instance repairs for enhanced VM Scale Sets resiliency", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Hub & Spoke", + "text": "North/South routing through Az Firewall or 3rd party ", + "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Ensure that Azure Backup is utilized appropriately to meet your organization's resiliency requirements for Azure virtual machines (VMs).", - "guid": "4d874a74-8b66-42d6-b150-512a66498f6d", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction", - "service": "VM", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Decision to route Azure to Azure traffic through Firewall, not E/W between AVS workloads (internal to AVS)", + "guid": "29a8a499-ec31-f336-3266-0895f035e379", + "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-hub-and-spoke", "services": [ - "Backup", - "VM", - "WAF" + "AVS" ], - "severity": "High", - "text": "Consider Azure Backup to meet your resiliency requirements for Azure VMs", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Hub & Spoke", + 
"text": "East West (Internal to Azure)", + "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Single Instance VMs using Premium SSD or Ultra Disk for all Operating System Disks and Data Disks are guaranteed to have Virtual Machine Connectivity of at least 99.9%", - "guid": "8052d88e-79d1-47b7-9b22-a5a67e7a8ed4", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "VM", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Requires a 3rd party NVA with Azure Route server - Scenario 2 (see link)", + "guid": "ebd3cc3c-ac3d-4293-950d-cecd8445a523", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity", "services": [ - "VM", - "WAF" + "ARS", + "AVS", + "NVA" ], - "severity": "High", - "text": "Use Premium or Ultra disks for production VMs", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Hub & Spoke", + "text": "ExR without Global Reach", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "description": "Azure automatically replicates managed disks within a region to ensure data durability and protect against single-point failures.", - "guid": "b31e38c3-f298-412b-8363-cffe179b599d", - "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview", - "service": "VM", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "When route server is used, ensure no more then 200 routes are propagated from route server to ExR gateway to on-premises (ARS limit). 
Important when using MoN", + "guid": "ffb5c5ca-bd89-ff1b-8b73-8a54d503d506", + "link": "https://learn.microsoft.com/azure/route-server/route-server-faq", "services": [ - "VM", - "WAF" + "ARS", + "AVS" ], - "severity": "High", - "text": "Ensure Managed Disks are used for all VMs", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Hub & Spoke", + "text": "Route server ", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "description": "Temporary disks are intended for short-term storage of non-persistent data such as page files, swap files, or SQL Server tempdb. Storing persistent data on temporary disks can lead to data loss during maintenance events or VM redeployment.", - "guid": "e0d5973c-d4ce-432c-8881-37f6f7c4c0d4", - "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk", - "service": "VM", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Via on-premises, Az Firewall, 3rd Party, NSX-T pubic IP", + "guid": "a4070dad-3def-818d-e9f7-be440d10e7de", + "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-design-public-internet-access", "services": [ - "SQL", - "VM", - "Storage", - "WAF" + "AVS" ], "severity": "Medium", - "text": "Do not use the Temp disk for anything that is not acceptable to be lost", - "waf": "Reliability" + "subcategory": "Internet", + "text": "Egress point(s)", + "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Co-locate your compute, storage, networking, and data resources across an availability zone, and replicate this arrangement in other availability zones.", - "guid": "e514548d-2447-4ec6-9138-b8200f1ce16e", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "VM", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Az Firewall, 3rd party NVA, Application Gateway, Azure 
Frontdoor ", + "guid": "e942c03d-beaa-3d9f-0526-9b26cd5e9937", + "link": "Research and choose optimal solution for each application", "services": [ - "VM", - "Storage", - "ACR", - "WAF" + "AVS", + "FrontDoor", + "NVA", + "AppGW" ], "severity": "Medium", - "text": "Leverage Availability Zones for your VMs in regions where they are supported", - "waf": "Reliability" + "subcategory": "Internet", + "text": "Internet facing applications", + "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Use at least two VMs in Availability Sets to isolate VMs on different fault and update domains.", - "guid": "5a785d6f-e96c-496a-b884-4cf3b2b38c88", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "VM", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Ensure no more then 200 routes are propagated from route server to ExR gateway to on-premises (ARS limit). Important when using MoN", + "guid": "e778a2ec-b4d7-1d27-574c-14476b167d37", + "link": "https://docs.microsoft.com/azure/route-server/route-server-faq#route-server-limits", "services": [ - "VM", - "WAF" + "ARS", + "AVS" ], "severity": "Medium", - "text": "For regions that do not support Availability Zones deploy VMs into Availability Sets", - "waf": "Reliability" + "subcategory": "Routing", + "text": "When route server Route limit understood? 
", + "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Azure provides multiple options for VM redundancy to meet different requirements (Availability Zones, Virtual Machine Scale Sets, Availability Sets, Azure Site Recovery)", - "guid": "6ba2c021-4991-414a-9d3c-e574dccbd979", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "VM", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "(VPN Gateway, AppGW, FrontDoor, Load balancer, VMs (etc) (Remove: enabled on ExR/VPN Gateway subnet in Azure)", + "guid": "66c97b30-81b9-139a-cc76-dd1d94aef42a", + "link": "https://docs.microsoft.com/azure/ddos-protection/manage-ddos-protection", "services": [ - "ASR", + "VNet", + "AVS", + "ExpressRoute", + "LoadBalancer", + "VPN", "VM", - "WAF" + "DDoS", + "FrontDoor", + "AppGW" ], - "severity": "High", - "text": "Avoid running a production workload on a single VM", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Security", + "text": "Is DDoS standard protection of public facing IP addresses? 
", + "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Azure Site Recovery enables you to achieve low RTO (Recovery Time Objective) for your Azure and hybrid VMs by providing continuous replication and failover capabilities.", - "guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "To manage Azure VMware Solution, vCenter, NSX manager and HCX manager", + "guid": "d43da920-4ecc-a4e9-dd45-a2986ce81d32", + "link": "Best practice: Bastion or 3rd party tool", "services": [ - "ASR", - "AVS", - "VM", - "WAF" + "AVS" ], - "severity": "High", - "text": "For Azure and on-premises VMs (Hyper-V/Phyiscal/VMware) with low RTO requirements use Azure Site Recovery", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Security", + "text": "Use a dedicated privileged access workstation (PAW)", + "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "By using Capacity Reservations, you can effectively manage capacity for critical workloads, ensuring resource availability in specified regions.", - "guid": "bd7bb012-f7b9-45e0-9e15-8e3ea3992c2d", - "link": "https://learn.microsoft.com/azure/virtual-machines/capacity-reservation-overview", - "service": "VM", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use NSX-T for inter-vmware-traffic inspection", + "guid": "a2dac74f-5380-6e39-25e6-f13b99ece51f", + "link": "https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-F6685367-7AA1-4771-927E-ED77727CFDA3.html", "services": [ - "WAF" + "AVS" ], - "severity": "Low", - "text": "Use Capacity Reservations for critical workloads that require guaranteed capacity", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Traffic Inspection", + 
"text": "East West (Internal to AVS)", + "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "By ensuring that the necessary quotas are increased in your DR region before testing failover with ASR, you can avoid any potential resource constraints during the recovery process for failed over VMs.", - "guid": "e6e2065b-3a76-4af4-a691-e8939ada4666", - "link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests", - "service": "VM", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Decision on whether or not to use Secure hub for E/W and Internet traffic - requires Global Reach", + "guid": "3f621543-dfac-c471-54a6-7b2849b6909a", + "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", "services": [ - "ASR", - "VM", - "WAF" + "AVS", + "VWAN", + "Firewall" ], "severity": "Medium", - "text": "Increase quotas in DR region before testing failover with ASR", - "waf": "Reliability" + "subcategory": "Virtual WAN", + "text": "Use Secure Hub (Azure Firewall or 3rd party)", + "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Scheduled Events is an Azure Metadata Service that provides information about upcoming maintenance events for virtual machines (VMs). 
By leveraging Scheduled Events, you can proactively prepare your applications for VM maintenance, minimizing disruption and improving the availability of your VMs.", - "guid": "6d3b475a-5c7a-4cbe-99bb-e64dd8902e87", - "link": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events", - "service": "VM", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Decision to route Azure to Azure traffic through Firewall, not E/W between AVS workloads (internal to AVS)", + "guid": "d7af5670-1b39-d95d-6da2-8d660dfbe16b", + "link": "https://learn.microsoft.com/azure/firewall-manager/secure-cloud-network", "services": [ - "VM", - "WAF" + "AVS", + "VWAN" ], - "severity": "Low", - "text": "Utilize Scheduled Events to prepare for VM maintenance", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Virtual WAN", + "text": "East West (Internal to Azure)", + "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Use Zone-redundant Storage (ZRS) in the primary region for scenarios that require high availability and for restricting replication to a particular country or region. 
For protection against regional disasters, use Geo-zone-redundant Storage (GZRS), which combines ZRS in the primary region with geo-replication to a secondary region?.", - "guid": "48c7c891-dcb1-4f7d-9769-ae568ba38d4a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Azure Storage", + "category": "Other Services/Operations", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution", + "guid": "7d049005-eb35-4a93-50a5-3b31a9f61161", + "link": "https://docs.microsoft.com/azure/azure-vmware/configure-nsx-network-components-azure-portal", "services": [ - "Storage", - "WAF" + "Subscriptions", + "AVS" ], "severity": "Medium", - "text": "Choose the most appropriate data redundancy option for Azure Storage based on your requirements", - "waf": "Reliability" + "subcategory": "Automated Scale", + "text": "Scale out operations planning", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "description": "Assigning a Delete lock to your storage account helps protect the availability of your data, minimizing the risk of disruptions to your business operations.", - "guid": "85e2213d-bd7b-4b01-8f7b-95e06e158e3e", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", + "category": "Other Services/Operations", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action", + "guid": "7242c1de-da37-27f3-1ddd-565ccccb8ece", + "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-platform-automation-and-devops#automated-scale", "services": [ "Storage", - "WAF" + "AVS", + "AzurePolicy" ], - "severity": 
"Low", - "text": "Apply a Delete lock to prevent accidental or malicious deletion of storage accounts", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Automated Scale", + "text": "Scale in operations planning", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "description": "Container soft delete protects your data from being accidentally deleted by maintaining the deleted data in the system for a specified period of time.", - "guid": "a3992c2d-e6e2-4065-a3a7-6af4a691e893", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", + "category": "Other Services/Operations", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)", + "guid": "3233e49e-62ce-97f3-8737-8230e771b694", + "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-platform-automation-and-devops#automated-scale", "services": [ - "Storage", - "WAF" + "AVS" ], - "severity": "Low", - "text": "Enable soft delete for Storage Account Containers", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Automated Scale", + "text": "Scale serialized operations planning", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "description": "Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time.", - "guid": "9ada4666-7e13-4c10-96b9-153d89f89dc7", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", + "category": "Other Services/Operations", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Consider and validate scaling operations on 
3rd party solutions used in the architecture (supported or not)", + "guid": "68161d66-5707-319b-e77d-9217da892593", + "link": "Best practice (testing)", "services": [ - "Storage", - "WAF" + "AVS" ], - "severity": "Low", - "text": "Enable soft delete for blobs", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Automated Scale", + "text": "Scale rd operations planning", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "description": "Azure Backup enhanced soft delete provides critical protection against ransomware attacks by retaining deleted backups, enabling recovery from potential ransomware encryption or deletion.", - "guid": "b44be3b1-a27f-48b9-b91b-e1038df03a82", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about", - "service": "Azure Backup", + "category": "Other Services/Operations", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Define and enforce scale in/out maximum limits for your environment in the automations", + "guid": "c32cb953-e860-f204-957a-c79d61202669", + "link": "Operational planning - understand workload requirements", "services": [ - "Backup", - "WAF" + "AVS" ], "severity": "Medium", - "text": "Enable Azure Backup enhanced soft delete for improved data protection and recovery", - "waf": "Reliability" + "subcategory": "Automated Scale", + "text": "Scale maximum operations planning", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "description": "Azure Backup's multi-user authorization enables fine-grained control over user access to backup resources, allowing you to restrict privileges and ensure proper authentication and authorization for backup operations.", - "guid": "2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae", - "link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept", - "service": "Azure Backup", + "category": "Other Services/Operations", + "checklist": "Azure VMware Solution Implementation 
Checklist", + "description": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses", + "guid": "7bd65a5e-7b5d-652d-dbea-fc6f73a42857", + "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-management-and-monitoring", "services": [ - "Backup", - "WAF" + "Monitor", + "AVS" ], - "severity": "Low", - "text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Automated Scale", + "text": "Monitor scaling operations ", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "description": "Azure Immutable Storage provides an additional layer of security by ensuring that backup data stored in the vault cannot be modified or deleted for a specified retention period. This helps safeguard your backups from ransomware attacks that may attempt to compromise or manipulate your backup data.", - "guid": "2cc88147-0607-4c1c-aa0e-614658dd458e", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault", - "service": "Azure Backup", + "category": "Other Services/Operations", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Consider the use of Azure Private-Link when using other Azure Native Services", + "guid": "95e374af-8a2a-2672-7ab7-b4a1be43ada7", + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", "services": [ - "Backup", - "Storage", - "WAF" + "AVS", + "PrivateLink" ], - "severity": "Low", - "text": "Implement Immutable Storage for your vaults to protect against ransomware and prevent unauthorized modifications to backups", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Networking", + "text": "Private link", + "waf": "Performance" }, { - "checklist": 
"WAF checklist", - "description": "To eliminate a single point of failure in your on-premises DNS services and ensure reliable DNS resolution during business continuity and disaster recovery scenarios, it is recommended to utilize Azure DNS Private Resolvers in multiple regions. By deploying two or more Azure DNS private resolvers across different regions, you can enable DNS failover and achieve resiliency in your DNS infrastructure.", - "guid": "43da1dae-2cc8-4814-9060-7c1cca0e6146", - "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover", - "service": "DNS", + "category": "Other Services/Operations", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs", + "guid": "71eff90d-5ad7-ac60-6244-2a6f7d3c51f2", + "link": "Best practice", "services": [ - "ASR", - "DNS", - "ACR", - "WAF" + "AVS" ], - "severity": "Low", - "text": "Implement DNS Failover using Azure DNS Private Resolvers", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Networking", + "text": "Provisioning Vmware VLANs", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "description": "Use an on-premises data gateway cluster to avoid single points of failure and to load balance traffic across gateways.", - "guid": "89f89dc7-b44b-4e3b-8a27-f8b9e91be103", - "link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters", - "service": "Data Gateways", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "In which region will AVS be deployed", + "guid": "04e3a2f9-83b7-968a-1044-2811811a924b", + "link": "https://learn.microsoft.com/windows-server/identity/ad-ds/plan/understanding-active-directory-site-topology", "services": [ - "ACR", - "WAF" + "AVS" ], "severity": "Medium", - "text": "Use 
on-premises data gateway clusters to ensure high availability for business-critical data", + "subcategory": "Pre-deployment", + "text": "Region selected", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "description": "When choosing the best option for deploying NVAs in Azure, it is crucial to consider the vendor's recommendations and validate that the specific design has been vetted and validated by the NVA vendor. The vendor should also provide the necessary NVA configuration for seamless integration in Azure.", - "guid": "8b1188b3-c6a4-46ce-a544-451e192d3442", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Are there regulatory or compliance policies in play", + "guid": "e52d1615-9cc6-565c-deb6-743ed7e90f4b", + "link": "Internal policy or regulatory compliance", "services": [ - "NVA", - "WAF" + "AVS", + "AzurePolicy" ], - "severity": "High", - "text": "Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration for High Availability", + "severity": "Medium", + "subcategory": "Pre-deployment", + "text": "Data residency compliant with selected regions", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", - "service": "Azure MySQL", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Request through the support blade", + "guid": "92bd5ad6-441f-a983-7aa9-05dd669d760b", + "link": "https://learn.microsoft.com/azure/migrate/concepts-azure-vmware-solution-assessment-calculation", "services": [ - "WAF" + "AVS" ], "severity": "Medium", - "text": "Leverage Flexible Server", + "subcategory": "Pre-deployment", + "text": "Request for number of AVS hosts submitted ", "waf": "Reliability" 
}, { - "checklist": "WAF checklist", - "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", - "service": "Azure MySQL", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "PG approval for deployment", + "guid": "28370f63-1cb8-2e35-907f-c5516b6954fa", + "link": "Support request through portal or get help from Account Team", "services": [ - "WAF" + "AVS" ], - "severity": "High", - "text": "Leverage Availability Zones where regionally applicable", + "severity": "Medium", + "subcategory": "Pre-deployment", + "text": "Region and number of AVS nodes approved", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", - "service": "Azure MySQL", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Portal/subscription/resource providers/ Microsoft.AVS", + "guid": "96c76997-30a6-bb92-024d-f4f93f5f57fa", + "link": "Done through the subscription/resource providers/ AVS register in the portal", "services": [ - "WAF" + "Subscriptions", + "AVS" ], "severity": "Medium", - "text": "Leverage Data-in replication for cross-region DR scenarios", + "subcategory": "Pre-deployment", + "text": "Resource provider for AVS registered", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "description": "Azure Service Bus Premium provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. 
", - "guid": "87af4a79-1f89-439b-ba47-768e14c11567", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", - "service": "Service Bus", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Connectivity, subscription & governanace model", + "guid": "5898e3ff-5e6b-bee1-6f85-22fee261ce63", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/enterprise-scale-landing-zone", "services": [ - "ServiceBus", - "WAF" + "Subscriptions", + "AVS" ], - "severity": "Low", - "text": "Use customer-managed key option in data at rest encryption when required", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Pre-deployment", + "text": "Landing zone architecture", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "description": "Communication between a client application and an Azure Service Bus namespace is encrypted using Transport Layer Security (TLS). Azure Service Bus namespaces permit clients to send and receive data with TLS 1.0 and above. 
To enforce stricter security measures, you can configure your Service Bus namespace to require that clients send and receive data with a newer version of TLS.", - "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version", - "service": "Service Bus", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "The name of the RG where AVS will exist", + "guid": "d0181fb8-9cb8-bf4b-f5e5-b5f9bf7ae4ea", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/manage-resource-groups-portal", "services": [ - "ServiceBus", - "WAF" + "AVS" ], "severity": "Medium", - "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Security" + "subcategory": "Pre-deployment", + "text": "Resource group name selected", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "description": "When you create a Service Bus namespace, a SAS rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative root account and don't use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", - "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies", - "service": "Service Bus", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Each resource created as part of the deployment will also utilize this prefix in the name", + "guid": "0f0d20c2-5a19-726c-de20-0984e070d9d6", + "link": "Best practice - naming standards", "services": [ - "RBAC", - "TrafficManager", - "ServiceBus", - "AzurePolicy", - "Entra", - "WAF" + "AVS" ], "severity": "Medium", - "text": "Avoid using root account when it is not necessary", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "Security" + "subcategory": "Pre-deployment", + "text": "Deployment prefix selected", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "description": "A Service Bus client app running inside an Azure App Service application or in a virtual machine with enabled managed entities for Azure resources support does not need to handle SAS rules and keys, or any other access tokens. The client app only needs the endpoint address of the Service Bus Messaging namespace. 
", - "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity", - "service": "Service Bus", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "/22 unique non-overlapping IPv4 address space", + "guid": "7fbf2ab7-a36c-5957-c27a-67038557af2a", + "link": "https://learn.microsoft.com/azure/azure-vmware/tutorial-network-checklist#routing-and-subnet-considerations", "services": [ - "ServiceBus", - "AKV", - "Storage", - "AppSvc", - "Entra", - "VM", - "WAF" + "AVS" ], "severity": "Medium", - "text": "When possible, your application should be using a managed identity to authenticate to Azure Service Bus. If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Security" + "subcategory": "Pre-deployment", + "text": "Network space for AVS management layer", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "description": "When creating permissions, provide fine-grained control over a client's access to Azure Service Bus. Permissions in Azure Service Bus can and should be scoped to the individual resource level e.g. queue, topic or subscription. 
", - "guid": "f615658d-e558-4f93-9249-b831112dbd7e", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus", - "service": "Service Bus", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "vNets used by workloads running in AVS (non-stretched)", + "guid": "0c87f999-e517-21ef-f355-f210ad4134d2", + "link": "https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/installation/GUID-4B3860B8-1883-48CA-B2F3-7C2205D91D6D.html", "services": [ - "RBAC", - "ServiceBus", - "Subscriptions", - "Storage", - "WAF" + "VNet", + "AVS" ], - "severity": "High", - "text": "Use least privilege data plane RBAC", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Pre-deployment", + "text": "Network space for AVS NSX-T segments", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "description": "Azure Service Bus resource logs include operational logs, virtual network and IP filtering logs. Runtime audit logs capture aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Service Bus.", - "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference", - "service": "Service Bus", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Choose AV36, AV36P, AV52, AV36T (AV36T = Trial)", + "guid": "946c8966-f902-6f53-4f37-00847e8895c2", + "link": "https://azure.microsoft.com/pricing/details/azure-vmware/", "services": [ - "ServiceBus", - "VNet", - "Monitor", - "WAF" + "AVS" ], "severity": "Medium", - "text": "Enable logging for security investigation. 
Use Azure Monitor to trace resource logs and runtime audit logs (currently available only in the premium tier)", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Security" + "subcategory": "Pre-deployment", + "text": "AVS SKU (region dependent)", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "description": "Azure Service Bus by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Service Bus traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. ", - "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service", - "service": "Service Bus", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use the Azure migration assessment tool to determine the minimum number of nodes required (consider BCDR as well)", + "guid": "31833808-26ba-9c31-416f-d54a89a17f5d", + "link": "https://learn.microsoft.com/azure/migrate/how-to-assess", "services": [ - "ServiceBus", - "PrivateLink", - "VNet", - "WAF" + "AVS" ], "severity": "Medium", - "text": "Consider using private endpoints to access Azure Service Bus and disable public network access when applicable.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Security" + "subcategory": "Pre-deployment", + "text": "Number of hosts to be deployed", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "description": "With IP firewall, you can restrict the public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. 
", - "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering", - "service": "Service Bus", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Understand how and if you should be using reserved instances (cost control)", + "guid": "f2b73c4f-3d46-32c9-5df1-5b8dfcd3947f", + "link": "https://azure.microsoft.com/en-ca/pricing/details/azure-vmware/#:~:text=Azure%20VMware%20Solution%20%20%20%20Instance%20size,TB%20%28all%20NVMe%29%20%20%20N%2FA%20%2Fhour%20", "services": [ - "ServiceBus", - "WAF" + "AVS", + "Cost" ], "severity": "Medium", - "text": "Consider only allowing access to Azure Service Bus namespace from specific IP addresses or ranges", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Security" + "subcategory": "Pre-deployment", + "text": "Reserverd Instances", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", - "service": "IoT Hub DPS", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement", + "guid": "94ac48ab-ade5-3fa7-f800-263feeb97070", + "link": "https://docs.microsoft.com/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance", "services": [ - "WAF" + "ASR", + "AVS" ], - "severity": "High", - "text": "Select the right Logic App hosting plan based on your business & SLO requirements", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Pre-deployment", + "text": "Capacity ", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", - "link": 
"https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "IoT Hub DPS", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Identify which of the networking scenarios make ", + "guid": "1f9d4bd5-14b8-928c-b4cb-eb211f9b8de5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity", "services": [ - "WAF" + "AVS" ], - "severity": "High", - "text": "Protect logic apps from region failures with zone redundancy and availability zones", + "severity": "Medium", + "subcategory": "Pre-deployment", + "text": "Networking & Connectivity See docs describing scenrario 1 through 5", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "8aed4fbf-0830-4883-899d-222a154af478", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "IoT Hub DPS", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.", + "guid": "070db19b-8a2a-fd6a-c39b-4488d8780da9", + "link": "Please Check Partner Ecosystem", "services": [ - "WAF" + "AVS" ], - "severity": "High", - "text": "Consider a Cross-Region DR strategy for critical workloads", + "severity": "Medium", + "subcategory": "Pre-deployment", + "text": "3rd party application compatibility ", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "IoT Hub DPS", + "category": "Security", + "checklist": "Azure VMware Solution Implementation Checklist", + 
"description": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible", + "guid": "70cfbddc-d3d4-9188-77c8-1cabaefef646", + "link": "General recommendation for storing encryption keys.", "services": [ - "AppSvc", - "WAF" + "AVS", + "AKV" ], - "severity": "High", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Encryption", + "text": "Use Azure Key Vault with in-guest encryption ", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "IoT Hub DPS", + "category": "Security", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). 
(vSAN encryption at rest is default)", + "guid": "c1a81638-18df-0ce9-a73a-4b9a8a8dd392", + "link": "https://docs.microsoft.com/azure/azure-vmware/concepts-storage#data-at-rest-encryption", "services": [ - "WAF" + "AVS", + "SQL" ], "severity": "Medium", - "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", - "waf": "Operations" + "subcategory": "Encryption", + "text": "Use in-guest encryption", + "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Using the correct approach to feed a datalake with cold data and having the Kusto query engine at your disposal at the same time, as in the short-term storage", - "guid": "ba7da7be-9951-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export", - "service": "Azure Data Explorer", + "category": "Security", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute", + "guid": "8d0a8f51-8d35-19cd-c2fe-4e3512fb467e", + "link": "https://docs.microsoft.com/azure/key-vault/general/authentication", "services": [ - "Cost", - "Storage", - "WAF" + "ExpressRoute", + "AVS", + "AKV" ], - "text": "Leverage External Tables and Continuous data export overview to reduce costs", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Encryption", + "text": "Keyvault use for secrets", + "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Azure Data Explorer provides an optional follower capability for a leader cluster to be followed by other follower clusters for read-only access to the leader's data and metadata. Changes in the leader, such as create, append, and drop are automatically synchronized to the follower. 
While the leaders could span Azure regions, the follower clusters should be hosted in the same region(s) as the leader. If the leader cluster is down or databases or tables are accidentally dropped, the follower clusters will lose access until access is recovered in the leader.", - "guid": "56a22586-f490-4641-addd-ea8a377cdeb3", - "link": "https://learn.microsoft.com/azure/data-explorer/follower?tabs=csharp", - "service": "Azure Data Explorer", + "category": "Security", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Older OS security patching configured for workloads running on Azure VMware Solution are eligible for ESU", + "guid": "4f8b20e9-a2a1-f80f-af9b-8aa3b26dca08", + "link": "https://docs.microsoft.com/windows-server/get-started/extended-security-updates-deploy", "services": [ - "Storage", - "WAF" + "AVS" ], - "text": "To share data, explore Leader-follower cluster configuration", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Extended support", + "text": "Ensure extended security update support ", + "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Azure Data Explorer doesn't support automatic protection against the outage of an entire Azure region. This disruption can happen during a natural disaster, like an earthquake. If you require a solution for a disaster recovery situation, do the following steps to ensure business continuity. 
In these steps, you'll replicate your clusters, management, and data ingestion in two Azure paired regions.", - "guid": "861bb2bc-14ae-4a6e-95d8-d9a3adc218e6", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters", - "service": "Azure Data Explorer", + "category": "Security", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use a SIEM/SOAR", + "guid": "9bb22fec-4d00-3b95-7136-e225d0f5c63a", + "link": "https://learn.microsoft.com/azure/sentinel/overview", "services": [ - "ASR", - "WAF" + "AVS", + "Sentinel" ], - "text": "To protect against regional failure, create Multiple independent clusters, preferably in two Azure Paired regions", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Investigation", + "text": "Enable Azure Sentinel or 3rd party SIEM ", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "436b0635-cb45-4e57-a603-324ace8cc123", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities", - "service": "Azure Data Explorer", + "category": "Security", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "MS Defender For Cloud, for workloads running on Azure VMware Solution", + "guid": "f42b0b09-c591-238a-1580-2de3c485ebd2", + "link": "https://learn.microsoft.com/azure/azure-vmware/azure-security-integration#prerequisites", "services": [ - "RBAC", - "Storage", - "WAF" + "AVS", + "Defender" ], - "text": "Replicate all management activities such as creating new tables or managing user roles on each cluster.", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Security", + "text": "Enable Advanced Threat Detection ", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "18ca6017-0265-4f4b-a46a-393af7f31728", - "link": 
"https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution", - "service": "Azure Data Explorer", + "category": "Security", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Are the applicable policies enabled (compliance baselines added to MDfC)", + "guid": "bcdd2348-3d0e-c6bb-1092-aa4cd1a66d6b", + "link": "https://docs.microsoft.com/azure/azure-vmware/azure-security-integration", "services": [ - "WAF" + "AVS", + "AzurePolicy" ], - "text": "Ingest data into each cluster in parallel", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Security", + "text": "Policy & Regulatory Compliance", + "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "This configuration is also called 'always-on'. For critical application deployments with no tolerance for outages, you should use multiple Azure Data Explorer clusters across Azure paired regions.", - "guid": "58a9c279-9c42-4bb6-9d0c-65556246b338", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration", - "service": "Azure Data Explorer", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Azure to Azure (E/W), Azure to On-premises), AVS to Internet, AVS to Azure", + "guid": "607c1ca9-da92-ae19-5a4c-eb1e876acbe7", + "link": "https://techcommunity.microsoft.com/t5/azure-migration-and/firewall-integration-in-azure-vmware-solution/ba-p/2254961#:~:text=Azure%20VMware%20Solution%20customers%20have%20multiple%20security%20options,the%20box%20to%20provide%20East-West%20and%20North-South%20firewalling.", "services": [ - "ACR", - "WAF" + "AVS" ], - "text": "For critical application with no tolerance for outages, create Active-Active-Active (always-on) configuration", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Firewalls", + "text": "Azure / 3rd party firewall", + "waf": "Security" }, { - "checklist": 
"WAF checklist", - "description": "This configuration is identical to the active-active-active configuration, but only involves two Azure paired regions. Configure dual ingestion, processing, and curation. Users are routed to the nearest region. The cluster SKU must be the same across regions.", - "guid": "563a4dc7-4a74-48b6-922a-d190916a6649", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration", - "service": "Azure Data Explorer", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "To allow HCX appliance to connect/sync", + "guid": "1d87925c-c02b-7fde-a425-7e95ad846a27", + "link": "https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/com.vmware.vmc-aws-networking-security/GUID-2CFE1654-9CC9-4EDB-A625-21317299E559.html", "services": [ - "ACR", - "WAF" + "AVS" ], - "text": "For critical applications, create Active-Active configuration in two paired regions", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Firewalls", + "text": "Firewalls allow for East/West traffic inside AVS", + "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "The Active-Hot configuration is similar to the Active-Active configuration in dual ingest, processing, and curation. While the standby cluster is online for ingestion, process, and curation, it isn't available to query. The standby cluster doesn't need to be in the same SKU as the primary cluster. It can be of a smaller SKU and scale, which may result in it being less performant. 
In a disaster scenario, users are redirected to the standby cluster, which can optionally be scaled up to increase performance.", - "guid": "8fadfe27-7de2-483b-8ac3-52baa9b75708", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-hot-standby-configuration", - "service": "Azure Data Explorer", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Decision on which tool to use (SRM requires additional license - enables automation & other features)", + "guid": "468b3495-2f6e-b65a-38ef-3ba631bcaa46", + "link": "https://docs.vmware.com/en/VMware-HCX/4.2/hcx-user-guide/GUID-B842696B-89EF-4183-9C73-B77157F56055.html", "services": [ - "WAF" + "AVS" ], - "text": "For applications, which required only read during failure, create Active-Hot standby configuration", + "severity": "Medium", + "subcategory": "Networking", + "text": "HCX and/or SRM", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "description": "This solution offers the least resiliency (highest RPO and RTO), is the lowest in cost and highest in effort. In this configuration, there's no data recovery cluster. Configure continuous export of curated data (unless raw and intermediate data is also required) to a storage account that is configured GRS (Geo Redundant Storage). A data recovery cluster is spun up if there is a disaster recovery scenario. At that time, DDLs, configuration, policies, and processes are applied. 
Data is ingested from storage with the ingestion property kustoCreationTime to over-ride the ingestion time that defaults to system time.", - "guid": "49aa8092-dc8e-4b9d-8bb7-3b26a5a67eba", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration", - "service": "Azure Data Explorer", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Read up on requirements for Service Mesh requirements and how HCX ", + "guid": "be2ced52-da08-d366-cf7c-044c19e29509", + "link": "https://docs.vmware.com/en/VMware-HCX/4.6/hcx-user-guide/GUID-76BCD059-A31A-4041-9105-ACFB56213E7C.html", "services": [ - "ASR", - "Cost", - "AzurePolicy", - "Storage", - "WAF" + "AVS" ], - "text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration", + "severity": "Medium", + "subcategory": "Networking", + "text": "Configuring and Managing the HCX Interconnect", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "description": "All database objects, policies, and configurations should be persisted in source control so they can be released to the cluster from your release automation tool.", - "guid": "5a907e1e-348e-4f25-9c27-d32e8bbac757", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "If you are planning on using stretch networks ensure that your on-premises environment requirements", + "guid": "7dcac579-fc5c-5c9c-f1f7-9b1149ff2c37", + "link": "https://docs.vmware.com/en/VMware-HCX/4.2/hcx-user-guide/GUID-DBDB4D1B-60B6-4D16-936B-4AC632606909.html", "services": [ - "AzurePolicy", - "WAF" + "AVS" ], - "text": "Wrap DevOps and source control around all your code", - "training": 
"https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Networking", + "text": "Restrictions and limitations for network extensions", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "1559ab91-53e8-4908-ae28-b84c33b6b780", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Do workloads require MoN?", + "guid": "cf45c0b9-6c4b-3bfb-86c5-62fe54061c73", + "link": "https://learn.microsoft.com/azure/azure-vmware/vmware-hcx-mon-guidance", "services": [ - "WAF" + "AVS" ], - "text": "Design, develop, and implement validation routines to ensure all clusters are in-sync from a data perspective.", - "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Networking", + "text": "Mobility optimized networking", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "8b9fe5c4-1049-4d40-9a82-2c3474d00f18", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Operating system level of Vmware environment", + "guid": "b7cf11f3-b12e-5189-991a-06df5250d2ca", + "link": "https://learn.microsoft.com/azure/site-recovery/vmware-physical-azure-support-matrix", "services": [ - "WAF" + "AVS" ], - "text": "Be fully cognizant of what it takes to build a cluster from scratch. 
Leverage Infrastructure as a Code for your deployments", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "On-premises pre-requisites", + "text": "Support matrix (OS versions etc).", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "65285269-440b-44be-9d3e-0844276d4bdc", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", - "service": "Redis", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Required that all switches are dynamic", + "guid": "45fe9252-aa1b-4e30-45c6-bc02f3b76acf", + "link": "https://docs.vmware.com/en/VMware-vSphere/7.0/vsan-network-design-guide/GUID-91E1CD6F-33A6-4AC6-BC22-3E4807296F86.html#:~:text=Migrate%20Management%20Network%201%20Add%20hosts%20to%20the,each%20host.%20...%204%20Finish%20the%20configuration.%20", "services": [ - "ACR", - "WAF" + "AVS" ], - "severity": "High", - "text": "Enable zone redundancy for Azure Cache for Redis. Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. 
It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "On-premises pre-requisites", + "text": "Standard switches converted to dynamic switches", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", - "service": "Redis", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "See sections on sizing and capacity in the link.", + "guid": "e9f6d736-ee44-e2ac-e7f9-e361f8c857f3", + "link": "https://learn.microsoft.com/azure/azure-vmware/plan-private-cloud-deployment", "services": [ - "Storage", - "WAF" + "AVS" ], "severity": "Medium", - "text": "Configure data persistence for an Azure Cache for Redis instance. Because your cache data is stored in memory, a rare and unplanned failure of multiple nodes can cause all the data to be dropped. 
To avoid losing data completely, Redis persistence allows you to take periodic snapshots of in-memory data, and store it to your storage account.", - "waf": "Reliability" + "subcategory": "On-premises pre-requisites", + "text": "Capacity for HCX appliance", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", - "service": "Redis", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Check hardware restrictions to ensure compatibility with AVS/OS ", + "guid": "1be2cdd6-15a7-9a33-aea7-113859035ce9", + "link": "https://kb.vmware.com/s/article/2007240#:~:text=ESXi%2FESX%20hosts%20and%20compatible%20virtual%20machine%20hardware%20versions,%20Not%20Supported%20%204%20more%20rows", "services": [ - "Storage", - "WAF" + "AVS" ], "severity": "Medium", - "text": "Use Geo-redundant storage account to persist Azure Cache for Redis data, or zonally redundant where geo-redundancy is not available", - "waf": "Reliability" + "subcategory": "On-premises pre-requisites", + "text": "Hardware compatibility", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", - "service": "Redis", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Need to be converted", + "guid": "16ab821a-27c6-b6d3-6042-10dc4d6dfcb7", + "link": "https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.storage.doc/GUID-01D3CF47-A84A-4988-8103-A0487D6441AA.html", "services": [ - "ASR", - "WAF" + "Storage", + "AVS" ], "severity": "Medium", - "text": "Configure passive geo-replication for Premium Azure Cache for Redis instances. 
Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for cross-region disaster recovery. Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.", - "waf": "Reliability" + "subcategory": "Storage", + "text": "VSAN RDM disks are converted - not supported.", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", - "service": "Entra", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Need to be converted", + "guid": "eb2f9313-afb2-ab35-aa24-6d97a3cb0611", + "link": "3rd-Party tools", "services": [ - "Entra", - "WAF" + "Storage", + "AVS", + "VM" ], "severity": "Medium", - "text": "Use one Entra tenant for managing your Azure resources, unless you have a clear regulatory or business requirement for multi-tenants.", + "subcategory": "Storage", + "text": "VM with SCSI shared bus are not supported", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Entra", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Remove Direct IO before migration", + "guid": "3f2a5cff-c8a6-634a-1f1b-53ef9d321381", + "link": "Contact VMware", "services": [ - "Entra", - "WAF" + "Storage", + "AVS", + "VM" ], - "severity": "Low", - "text": "Ensure you have a Multi-Tenant Automation approach to managing your Microsoft Entra ID Tenants", + "severity": "Medium", + 
"subcategory": "Storage", + "text": "VM with Direct IO require removing DirectPath device", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "Entra", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Cannot migrate clusters ", + "guid": "efc8a311-74f8-0252-c6a0-4bac7610e266", + "link": "Contact VMware", "services": [ - "WAF" + "Storage", + "AVS" ], - "severity": "Low", - "text": "Leverage Azure Lighthouse for Multi-Tenant Management", + "severity": "Medium", + "subcategory": "Storage", + "text": "Shared VMDK files are not supported", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Entra", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Convert to a different format", + "guid": "ab6c89cd-a26f-b894-fe59-61863975458e", + "link": "Contact VMware", "services": [ - "WAF" + "Storage", + "AVS" ], "severity": "Medium", - "text": "Ensure that Azure Lighthouse is used for administering the tenant by partner", - "waf": "Cost" + "subcategory": "Storage", + "text": "RDM with 'physical compatibility mode' are not supported.", + "waf": "Operations" }, { - "ammp": true, - "checklist": "WAF checklist", - "guid": "348ef254-c27d-442e-abba-c7571559ab91", - "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", - "service": "Entra", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as 
this policy applies thick provisioning 'RAID-1 FTT-1' is default with Thin Provisioning", + "guid": "7628d446-6b10-9678-9cec-f407d990de43", + "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance", "services": [ - "RBAC", - "ACR", - "Subscriptions", - "WAF" + "Storage", + "VM", + "AVS", + "AzurePolicy" ], - "severity": "High", - "text": "Enforce a RBAC model that aligns to your cloud operating model. Scope and Assign across Management Groups and Subscriptions.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Storage", + "text": "Default storage policy", + "waf": "Operations" }, { - "ammp": true, - "checklist": "WAF checklist", - "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", - "service": "Entra", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "The default storage policy is set to RAID-1 (Mirroring) FTT-1, with Object Space Reservation set to Thin provisioning.", + "guid": "37fef358-7ab9-43a9-542c-22673955200e", + "link": "https://learn.microsoft.com/azure/azure-vmware/configure-storage-policy", "services": [ - "WAF" + "Storage", + "AVS", + "VM", + "AzurePolicy" ], - "severity": "High", - "text": "Only use the authentication type Work or school account for all account types. 
Avoid using the Microsoft account", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Storage", + "text": "Ensure that the appropriate VM template storage policy is used", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "Entra", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs", + "guid": "ebebd109-9f9d-d85e-1b2f-d302012843b7", + "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance", "services": [ - "Entra", - "WAF" + "Storage", + "AVS", + "AzurePolicy" ], "severity": "Medium", - "text": "Only use groups to assign permissions. 
Add on-premises groups to the Entra ID only group if a group management system is already in place.", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Security" + "subcategory": "Storage", + "text": "Failure to tolerate policy", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", - "service": "Entra", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "ANF can be used to extend storage for Azure VMware Solution,", + "guid": "1be821bd-4f37-216a-3e3d-2a5ac6996863", + "link": "https://learn.microsoft.com/azure/azure-vmware/netapp-files-with-azure-vmware-solution", "services": [ - "Entra", - "AzurePolicy", - "WAF" + "Storage", + "AVS" ], - "severity": "Low", - "text": "Enforce Microsoft Entra ID conditional-access policies for any user with rights to Azure environments", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Storage", + "text": "Use ANF for external storage", + "waf": "Operations" }, { - "ammp": true, - "checklist": "WAF checklist", - "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", - "service": "Entra", + "category": "BC and DR", + "checklist": "Azure App Service Review", + "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", + "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", + "service": "App Services", "services": [ - "WAF" + "AppSvc" ], - "severity": "High", - "text": "Enforce multi-factor authentication for any user with rights to the Azure environments", - "training": 
"https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Security" + "severity": "Low", + "subcategory": "High Availability", + "text": "Refer to baseline highly available zone-redundant web application architecture for best practices", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "14658d35-58fd-4772-99b8-21112df27ee4", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "Entra", + "category": "BC and DR", + "checklist": "Azure App Service Review", + "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", + "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", + "service": "App Services", "services": [ - "Entra", - "WAF" + "Backup", + "AppSvc" ], "severity": "Medium", - "text": "Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Security" + "subcategory": "High Availability", + "text": "Use Premium and Standard tiers. 
These tiers support staging slots and automated backups.", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", - "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", - "service": "Entra", + "category": "BC and DR", + "checklist": "Azure App Service Review", + "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", + "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", + "service": "App Services", "services": [ - "Entra", - "WAF" + "AppSvc" ], - "severity": "Medium", - "text": "If planning to switch from Active Directory Domain Serivces to Entra domain services, evaluate the compatibility of all workloads", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", - "waf": "Security" + "severity": "High", + "subcategory": "High Availability", + "text": "Leverage Availability Zones where regionally applicable (requires Premium v2 or v3 tier)", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", - "service": "Entra", + "category": "Operations", + "checklist": "Azure App Service Review", + "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", "services": [ - "Entra", "Monitor", - "WAF" + "AppSvc" ], "severity": "Medium", - "text": "Integrate Microsoft Entra ID logs with the platform-central Azure Monitor. 
Azure Monitor allows for a single source of truth around log and monitoring data in Azure, giving organizations a cloud native options to meet requirements around log collection and retention.", - "waf": "Security" + "subcategory": "Monitoring", + "text": "Implement health checks", + "waf": "Reliability" }, { - "ammp": true, - "checklist": "WAF checklist", - "guid": "984a859c-773e-47d2-9162-3a765a917e1f", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", - "service": "Entra", + "category": "Operations", + "checklist": "Azure App Service Review", + "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", + "service": "App Services", "services": [ - "WAF" + "Backup", + "AppSvc" ], "severity": "High", - "text": "Implement an emergency access or break-glass accounts to prevent tenant-wide account lockout", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Security" + "subcategory": "Multi-tenant service", + "text": "Refer to backup and restore best practices for Azure App Service", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "35037e68-9349-4c15-b371-228514f4cdff", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "Entra", + "category": "BC and DR", + "checklist": "Azure App Service Review", + "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", + "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", + "service": "App Services", "services": [ - "Entra", - "RBAC", - "WAF" + "AppSvc" ], - "severity": "Medium", - "text": "Avoid using on-premises synced accounts for Microsoft Entra ID role assignments.", - "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", - "waf": "Security" + "severity": "High", + "subcategory": "High 
Availability", + "text": "Implement Azure App Service reliability best practices", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Entra", + "category": "BC and DR", + "checklist": "Azure App Service Review", + "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", + "service": "App Services", "services": [ - "Entra", - "WAF" + "AppSvc" ], - "severity": "Medium", - "text": "Where required, use Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications (hosted in the cloud or on-premises).", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "Security" + "severity": "Low", + "subcategory": "High Availability", + "text": "Familiarize with how to move an App Service app to another region During a disaster", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", - "service": "VNet", + "category": "BC and DR", + "checklist": "Azure App Service Review", + "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", + "service": "App Services", "services": [ - "VNet", - "WAF" - ], - "severity": "Medium", - "text": "Leverage a network design based on the traditional hub-and-spoke network topology for network scenarios that require maximum flexibility.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Security" - }, - { - "ammp": true, - "checklist": "WAF checklist", - "guid": 
"7dd61623-a364-4a90-9eca-e48ebd54cd7d", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/expressroute", - "service": "VNet", - "services": [ - "VNet", - "Firewall", - "ExpressRoute", - "DNS", - "VPN", - "Entra", - "NVA", - "WAF" + "AppSvc" ], "severity": "High", - "text": "Ensure that shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. If necessary, also deploy DNS servers.", - "waf": "Cost" + "subcategory": "High Availability", + "text": "Familiarize with reliability support in Azure App Service", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "VNet", + "category": "BC and DR", + "checklist": "Azure App Service Review", + "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "App Services", "services": [ - "DDoS", - "WAF" + "AppSvc" ], "severity": "Medium", - "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "subcategory": "High Availability", + "text": "Ensure \"Always On\" is enabled for Function Apps running on a app service plan", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", + "category": "Operations", + "checklist": "Azure App Service Review", + "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App 
Services", "services": [ - "NVA", - "WAF" + "Monitor", + "AppSvc" ], "severity": "Medium", - "text": "When deploying partner networking technologies or NVAs, follow the partner vendor's guidance", + "subcategory": "Monitoring", + "text": "Monitor App Service instances using Health checks", "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", - "service": "ExpressRoute", + "category": "Operations", + "checklist": "Azure App Service Review", + "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", + "service": "App Services", "services": [ - "ExpressRoute", - "ARS", - "VPN", - "WAF" + "Monitor", + "AppSvc" ], - "severity": "Low", - "text": "If you need transit between ExpressRoute and VPN gateways in hub and spoke scenarios, use Azure Route Server.", - "waf": "Security" + "severity": "Medium", + "subcategory": "Monitoring", + "text": "Monitor availability and responsiveness of web app or website using Application Insights availability tests", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", - "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", - "service": "ARS", + "category": "Operations", 
+ "checklist": "Azure App Service Review", + "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", + "service": "App Services", "services": [ - "ARS", - "VNet", - "WAF" + "Monitor", + "AppSvc" ], "severity": "Low", - "text": "If using Route Server, use a /27 prefix for the Route Server subnet.", - "waf": "Security" + "subcategory": "Monitoring", + "text": "Use Application Insights Standard test to monitor availability and responsiveness of web app or website", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", - "service": "VNet", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Use Azure Key Vault to store any secrets the application needs. Key Vault provides a safe and audited environment for storing secrets and is well-integrated with App Service through the Key Vault SDK or App Service Key Vault References.", + "guid": "834ac932-223e-4ce8-8b12-3071a5416415", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", "services": [ - "VNet", - "ACR", - "WAF" + "AKV", + "AppSvc" ], - "severity": "Medium", - "text": "For network architectures with multiple hub-and-spoke topologies across Azure regions, use global virtual network peerings between the hub VNets to connect the regions to each other.", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", - "waf": "Performance" + "severity": "High", + "subcategory": "Data Protection", + "text": "Use Key Vault to store secrets", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", - "link": 
"https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", - "service": "VNet", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Use a Managed Identity to connect to Key Vault either using the Key Vault SDK or through App Service Key Vault References.", + "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", "services": [ - "Monitor", - "WAF" + "Entra", + "AKV", + "AppSvc" ], - "severity": "Medium", - "text": "Use Azure Monitor for Networks to monitor the end-to-end state of the networks on Azure.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "waf": "Operations" + "severity": "High", + "subcategory": "Data Protection", + "text": "Use Managed Identity to connect to Key Vault", + "waf": "Security" }, { - "checklist": "WAF checklist", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", - "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Store the App Service TLS certificate in Key Vault.", + "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", + "service": "App Services", "services": [ - "Entra", - "ExpressRoute", - "VNet", - "WAF" + "AKV", + "AppSvc" ], - "severity": "Medium", - "text": "When connecting spoke virtual networks to the central hub virtual network, consider VNet peering 
limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000)", - "waf": "Reliability" + "severity": "High", + "subcategory": "Data Protection", + "text": "Use Key Vault to store TLS certificate.", + "waf": "Security" }, { - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", - "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Systems that process sensitive information should be isolated. To do so, use separate App Service Plans or App Service Environments and consider the use of different subscriptions or management groups.", + "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", + "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", + "service": "App Services", "services": [ - "Storage", - "WAF" + "Subscriptions", + "AppSvc" ], "severity": "Medium", - "text": "Consider the limit of routes per route table (400).", - "waf": "Reliability" + "subcategory": "Data Protection", + "text": "Isolate systems that process sensitive information", + "waf": "Security" }, { - "ammp": true, - "checklist": "WAF checklist", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", - "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", - "service": 
"VNet", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Local disks on App Service are not encrypted and sensitive data should not be stored on those. (For example: D:\\\\Local and %TMP%).", + "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", + "service": "App Services", "services": [ - "VNet", - "WAF" + "TrafficManager", + "AppSvc" ], - "severity": "High", - "text": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Data Protection", + "text": "Do not store sensitive data on local disk", + "waf": "Security" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", - "service": "ExpressRoute", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "For authenticated web application, use a well established Identity Provider like Azure AD or Azure AD B2C. Leverage the application framework of your choice to integrate with this provider or use the App Service Authentication / Authorization feature.", + "guid": "919ca0b2-c121-459e-814b-933df574eccc", + "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", + "service": "App Services", "services": [ - "ExpressRoute", - "WAF" + "Entra", + "AppSvc" ], "severity": "Medium", - "text": "When you're using ExpressRoute Direct, configure MACsec in order to encrypt traffic at the layer-two level between the organization's routers and MSEE. 
The diagram shows this encryption in flow.", + "subcategory": "Identity and Access Control", + "text": "Use an established Identity Provider for authentication", "waf": "Security" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", - "service": "ExpressRoute", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Deploy code to App Service from a controlled and trusted environment, like a well-managed and secured DevOps deployment pipeline. This avoids code that was not version controlled and verified to be deployed from a malicious host.", + "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", + "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", + "service": "App Services", "services": [ - "ExpressRoute", - "VPN", - "WAF" + "Entra", + "AppSvc" ], - "severity": "Low", - "text": "For scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), use a VPN gateway to establish IPsec tunnels over ExpressRoute private peering.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "severity": "High", + "subcategory": "Identity and Access Control", + "text": "Deploy from a trusted environment", "waf": "Security" }, { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "558fd772-49b8-4211-82df-27ee412e7f98", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "ExpressRoute", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Disable basic authentication for both FTP/FTPS and for WebDeploy/SCM. This disables access to these services and enforces the use of Azure AD secured endpoints for deployment. 
Note that the SCM site can also be opened using Azure AD credentials.", + "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", + "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", + "service": "App Services", "services": [ - "ACR", - "WAF" + "Entra", + "AppSvc" ], "severity": "High", - "text": "Ensure no overlapping IP address spaces across Azure regions and on-premises locations are used", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "subcategory": "Identity and Access Control", + "text": "Disable basic authentication", "waf": "Security" }, { - "checklist": "WAF checklist", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", - "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Where possible use Managed Identity to connect to Azure AD secured resources. 
If this is not possible, store secrets in Key Vault and connect to Key Vault using a Managed Identity instead.", + "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", + "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", + "service": "App Services", "services": [ - "WAF" + "Entra", + "AKV", + "AppSvc" ], - "severity": "Low", - "text": "Use IP addresses from the address allocation ranges for private internets (RFC 1918).", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "severity": "High", + "subcategory": "Identity and Access Control", + "text": "Use Managed Identity to connect to resources", "waf": "Security" }, { - "ammp": true, - "checklist": "WAF checklist", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", - "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Where using images stored in Azure Container Registry, pull these using a Managed Identity.", + "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", + "service": "App Services", "services": [ - "VNet", - "WAF" + "Entra", + "ACR", + "AppSvc" ], "severity": "High", - "text": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example 
/16)", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Performance" + "subcategory": "Identity and Access Control", + "text": "Pull containers using a Managed Identity", + "waf": "Security" }, { - "ammp": true, - "checklist": "WAF checklist", - "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", - "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", - "service": "VNet", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "By configuring the diagnostic settings of App Service, you can send all telemetry to Log Analytics as the central destination for logging and monitoring. This allows you to monitor runtime activity of App Service such as HTTP logs, application logs, platform logs, ...", + "guid": "47768314-c115-4775-a2ea-55b46ad48408", + "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", + "service": "App Services", "services": [ - "WAF" + "Entra", + "Monitor", + "AppSvc" ], - "severity": "High", - "text": "Avoid using overlapping IP address ranges for production and DR sites.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Logging and Monitoring", + "text": "Send App Service runtime logs to Log Analytics", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", - "service": "DNS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the App Service resource itself.", + "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", + "service": "App Services", "services": [ - "DNS", - "WAF" + "Entra", + "Monitor", + "AppSvc" ], "severity": "Medium", - "text": "For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution with a delegated zone for name resolution (such as 'azure.contoso.com').", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Operations" + "subcategory": "Logging and Monitoring", + "text": "Send App Service activity logs to Log Analytics", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", - "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", - "service": "DNS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Control outbound network access using a combination of regional VNet integration, network security groups and UDR's. Traffic should be routed to an NVA such as Azure Firewall. 
Ensure to monitor the Firewall's logs.", + "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", + "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", + "service": "App Services", "services": [ - "DNS", - "ACR", - "WAF" + "VNet", + "Firewall", + "Monitor", + "NVA", + "AppSvc" ], "severity": "Medium", - "text": "For environments where name resolution across Azure and on-premises is required, consider using Azure DNS Private Resolver.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", + "subcategory": "Network Security", + "text": "Outbound network access should be controlled", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", - "service": "DNS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "You can provide a stable outbound IP by using VNet integration and using a VNet NAT Gateway or an NVA like Azure Firewall. This allows the receiving party to allow-list based on IP, should that be needed. Note that for communications towards Azure Services often there's no need to depend on the IP address and mechanics like Service Endpoints should be used instead. 
(Also the use of private endpoints on the receiving end avoids for SNAT to happen and provides a stable outbound IP range.)", + "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", + "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", + "service": "App Services", "services": [ - "DNS", - "WAF" + "Storage", + "VNet", + "Firewall", + "NVA", + "PrivateLink", + "AppSvc" ], "severity": "Low", - "text": "Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred DNS solution.", - "waf": "Operations" + "subcategory": "Network Security", + "text": "Ensure a stable IP for outbound communications towards internet addresses", + "waf": "Security" }, { - "ammp": true, - "checklist": "WAF checklist", - "guid": "614658d3-558f-4d77-849b-821112df27ee", - "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", - "service": "DNS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Control inbound network access using a combination of App Service Access Restrictions, Service Endpoints or Private Endpoints. 
Different access restrictions can be required and configured for the web app itself and the SCM site.", + "guid": "0725769e-e669-41a4-a34a-c932223ece80", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "services": [ - "VNet", - "VM", - "DNS", - "WAF" + "PrivateLink", + "AppSvc" ], "severity": "High", - "text": "Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual machines deployed within a virtual network.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Operations" + "subcategory": "Network Security", + "text": "Inbound network access should be controlled", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", - "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", - "service": "Bastion", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Protect against malicious inbound traffic using a Web Application Firewall like Application Gateway or Azure Front Door. 
Make sure to monitor the WAF's logs.", + "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", + "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", + "service": "App Services", "services": [ - "Bastion", - "WAF" + "WAF", + "Monitor", + "AppSvc", + "FrontDoor", + "AppGW" ], - "severity": "Medium", - "text": "Consider using Azure Bastion to securely connect to your network.", + "severity": "High", + "subcategory": "Network Security", + "text": "Use a WAF in front of App Service", "waf": "Security" }, { - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", - "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", - "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", - "service": "Bastion", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Make sure the WAF cannot be bypassed by locking down access to only the WAF. 
Use a combination of Access Restrictions, Service Endpoints and Private Endpoints.", + "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "services": [ - "VNet", - "Bastion", - "WAF" + "PrivateLink", + "WAF", + "AppSvc" ], - "severity": "Medium", - "text": "Use Azure Bastion in a subnet /26 or larger.", + "severity": "High", + "subcategory": "Network Security", + "text": "Avoid for WAF to be bypassed", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "WAF", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Set minimum TLS policy to 1.2 in App Service configuration.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", + "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", + "service": "App Services", "services": [ - "FrontDoor", "AzurePolicy", - "ACR", - "WAF" + "AppSvc" ], "severity": "Medium", - "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "subcategory": "Network Security", + "text": "Set minimum TLS policy to 1.2", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Configure App Service to use HTTPS only. 
This causes App Service to redirect from HTTP to HTTPS. Strongly consider the use of HTTP Strict Transport Security (HSTS) in your code or from your WAF, which informs browsers that the site should only be accessed using HTTPS.", + "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", + "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", + "service": "App Services", "services": [ - "FrontDoor", - "AzurePolicy", - "AppGW", - "WAF" + "WAF", + "AppSvc" ], - "severity": "Low", - "text": "When using Azure Front Door and Azure Application Gateway to help protect HTTP/S apps, use WAF policies in Azure Front Door. Lock down Azure Application Gateway to receive traffic only from Azure Front Door.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "severity": "High", + "subcategory": "Network Security", + "text": "Use HTTPS only", "waf": "Security" }, { - "ammp": true, - "checklist": "WAF checklist", - "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", - "services": [ - "VNet", - "WAF" + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Do not use wildcards in your CORS configuration, as this allows all origins to access the service (thereby defeating the purpose of CORS). 
Specifically only allow the origins that you expect to be able to access the service.", + "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", + "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", + "service": "App Services", + "services": [ + "Storage", + "AppSvc" ], "severity": "High", - "text": "Deploy WAFs and other reverse proxies are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network and together with the apps that they're protecting and exposing to the internet.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "subcategory": "Network Security", + "text": "Wildcards must not be used for CORS", "waf": "Security" }, { - "ammp": true, - "checklist": "WAF checklist", - "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Remote debugging must not be turned on in production as this opens additional ports on the service which increases the attack surface. 
Note that the service does turn of remote debugging automatically after 48 hours.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", + "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", + "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", + "service": "App Services", "services": [ - "VNet", - "DDoS", - "WAF" + "AppSvc" ], "severity": "High", - "text": "Use Azure DDoS Network or IP Protection plans to help protect Public IP Addresses endpoints within the virtual networks.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "subcategory": "Network Security", + "text": "Turn off remote debugging", "waf": "Security" }, { - "ammp": true, - "checklist": "WAF checklist", - "guid": "b034c01e-110b-463a-b36e-e3346e57f225", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", - "service": "VNet", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Enable Defender for App Service. This (amongst other threats) detects communications to known malicious IP addresses. Review the recommendations from Defender for App Service as part of your operations.", + "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", + "service": "App Services", "services": [ - "WAF" + "Defender", + "AppSvc" ], - "severity": "High", - "text": "Assess and review network outbound traffic configuration and strategy before the upcoming breaking change. 
On September 30, 2025, default outbound access for new deployments will be retired and only explicit access configurations will be allowed", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Network Security", + "text": "Enable Defender for Cloud - Defender for App Service", + "waf": "Security" }, { - "ammp": true, - "checklist": "WAF checklist", - "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.", + "guid": "223ece80-b123-4071-a541-6415833ea3ad", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "App Services", "services": [ + "VNet", + "EventHubs", + "WAF", + "AppGW", + "NVA", "DDoS", - "WAF" + "AppSvc" ], - "severity": "High", - "text": "Add diagnostic settings to save DDoS related logs for all the protected public IP addresses (DDoS IP or Network Protection).", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "severity": "Medium", + "subcategory": "Network Security", + "text": "Enable DDOS Protection Standard on the WAF VNet", "waf": "Security" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli", - "service": "ExpressRoute", + "category": "Security", + "checklist": "Azure App Service Review", + 
"description": "Where using images stored in Azure Container Registry, pull these over a virtual network from Azure Container Registry using its private endpoint and the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'.", + "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", + "service": "App Services", "services": [ - "ExpressRoute", - "WAF" + "VNet", + "ACR", + "PrivateLink", + "AppSvc" ], "severity": "Medium", - "text": "Ensure that you have investigated the possibility to use ExpressRoute as primary connection to Azure.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "subcategory": "Network Security", + "text": "Pull containers over a Virtual Network", + "waf": "Security" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "description": "You can use AS-path prepending and connection weights to influence traffic from Azure to on-premises, and the full range of BGP attributes in your own routers to influence traffic from on-premises to Azure.", - "guid": "f29812b2-363c-4efe-879b-599de0d5973c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", - "service": "ExpressRoute", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Conduct a penetration test on the web application following the penetration testing rules of engagement.", + "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", + "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", + "service": "App Services", "services": [ - "ExpressRoute", - "WAF" + "AppSvc" ], "severity": "Medium", - "text": "When you use multiple ExpressRoute circuits, or multiple on-prem locations, make sure to optimize routing with BGP attributes, if certain paths are preferred.", - "training": 
"https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "subcategory": "Penetration Testing", + "text": "Conduct a penetration test", + "waf": "Security" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", - "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", - "service": "ExpressRoute", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.", + "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", + "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", + "service": "App Services", "services": [ - "ExpressRoute", - "VPN", - "WAF" + "AppSvc" ], "severity": "Medium", - "text": "Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "subcategory": "Vulnerability Management", + "text": "Deploy validated code", + "waf": "Security" }, { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", - "guid": 
"7025b442-f6e9-4af6-b11f-c9574916016f", - "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", - "service": "ExpressRoute", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.", + "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", + "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", + "service": "App Services", "services": [ - "ExpressRoute", - "Cost", - "WAF" + "AppSvc" ], "severity": "High", - "text": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost.", - "waf": "Cost" + "subcategory": "Vulnerability Management", + "text": "Use up-to-date platforms, languages, protocols and frameworks", + "waf": "Security" }, { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", - "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", - "service": "ExpressRoute", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "When you are creating a SQL Server on Azure VM, carefully consider the type of workload necessary. If you are migrating an existing environment, collect a performance baseline to determine your SQL Server on Azure VM requirements. 
If this is a new VM, then create your new SQL Server VM based on your vendor requirements.", + "guid": "1fc3fc14-eea6-4e69-b8d9-a3eec218e687", + "link": "https://learn.microsoft.com/sql/dma/dma-sku-recommend-sql-db?view=sql-server-ver16", "services": [ - "ExpressRoute", - "Cost", - "WAF" + "VM", + "SQL" ], "severity": "High", - "text": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU.", - "waf": "Cost" + "subcategory": "VM Size", + "text": "Collect the target workload's performance characteristics and use them to determine the appropriate VM size for your business.", + "waf": "Performance" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", - "service": "ExpressRoute", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "The memory optimized virtual machine sizes are a primary target for SQL Server VMs and the recommended choice by Microsoft. 
The memory optimized virtual machines offer stronger memory-to-CPU ratios and medium-to-large cache options.Consider Ebdsv5-series series first for most SQL Server workloads.", + "guid": "e04abe1f-8d39-4fda-9776-8424c116775c", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-vm-size?view=azuresql#memory-optimized", "services": [ - "ExpressRoute", - "WAF" + "VM", + "SQL" ], "severity": "Medium", - "text": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "subcategory": "VM Size", + "text": "Use memory optimized virtual machine sizes for the best performance of SQL Server workloads.", + "waf": "Performance" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "To find the most effective configuration for SQL Server workloads on an Azure VM, start by measuring the storage performance of your business application. 
Once storage requirements are known, select a virtual machine that supports the necessary IOPS and throughput with the appropriate memory-to-vCore ratio.", + "guid": "2ea55b56-ad48-4408-be72-734b476ba18f", + "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance#counters-to-measure-application-performance-requirements", "services": [ - "ExpressRoute", - "WAF" + "Storage", + "VM", + "SQL" ], "severity": "Medium", - "text": "For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps ports, use ExpressRoute Direct.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "subcategory": "Storage", + "text": "Determine storage bandwidth and latency requirements for SQL Server data, log, and tempdb files before choosing the disk type.", "waf": "Performance" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", - "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", - "service": "ExpressRoute", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "This provides more dedicated disk IOPS and throughput on the disk level and also allows you to configure the Azure disk host caching setting for each disk to the optimal setting for that data type.", + "guid": "dbf590ce-65de-48e0-9f9c-cbd468266abc", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", "services": [ - "ExpressRoute", - "WAF" + "Storage", + "SQL" ], - "severity": "Medium", - "text": "When low latency is required, or throughput from on-premises to Azure must be greater than 10 Gbps, enable FastPath to bypass the ExpressRoute gateway from the data path.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "severity": "High", 
+ "subcategory": "Storage", + "text": "Place data, log, and tempdb files on separate drives", "waf": "Performance" }, { - "arm-service": "microsoft.network/vpnGateways", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", - "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", - "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", - "service": "VPN", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Premium SSD is always recommend as a minimum for SQL Server in order to obtain better performance and lower latency. P30 and P40 are recommended because disk caching is not supported for disks 4 TiB and larger ( P50 and above) and they provide the optimal price to performance ratio", + "guid": "e6a84de5-df43-4d19-a248-1718d5d1e5f6", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", "services": [ - "VPN", - "WAF" + "Storage", + "SQL" ], - "severity": "Medium", - "text": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available).", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "Reliability" + "severity": "High", + "subcategory": "Storage", + "text": "For the data drive, use premium P30 and P40 or smaller disks to ensure the availability of cache support", + "waf": "Performance" }, { - "arm-service": "microsoft.network/vpnGateways", - "checklist": "WAF checklist", - "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", - "service": "VPN", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": 
"Log files have primarily write-heavy operations. Therefore, they do not benefit from the ReadOnly cache. Hence evaluate your price vs performance vs capacity and chose the right storage disk.", + "guid": "25659d35-58fd-4772-99c9-31112d027fe4", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", "services": [ - "VPN", - "WAF" + "Storage", + "Cost", + "SQL" + ], + "severity": "High", + "subcategory": "Storage", + "text": "For the log drive plan for capacity and test performance versus cost while evaluating the premium P30 - P80 disks", + "waf": "Performance" + }, + { + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Placing TempDB on the D drive can help performance. Consider the size required and always test performance.", + "guid": "12f70983-f630-4472-8ee6-9d6b5c2622f5", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", + "services": [ + "Storage", + "VM", + "SQL" ], "severity": "Medium", - "text": "Use redundant VPN appliances on-premises (active/active or active/passive).", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "Reliability" + "subcategory": "Storage", + "text": "Place tempdb on the local ephemeral SSD (default D:\\) drive for most SQL Server workloads that are not part of Failover Cluster Instance (FCI) after choosing the optimal VM size.", + "waf": "Performance" }, { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "718cb437-b060-2589-8856-2e93a5c6633b", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", - "service": "ExpressRoute", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Striping Data and Log 
disk can increase bandwidth. Ensure that VM size also matches expected output",
+ "guid": "4b69bad3-4aad-45e8-a78e-1d76667313c4",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
 "services": [
- "ExpressRoute",
- "Cost",
- "WAF"
+ "Storage",
+ "VM",
+ "SQL"
 ],
 "severity": "High",
- "text": "If using ExpressRoute Direct, consider using ExpressRoute Local circuits to the local Azure regions to save costs",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Cost"
+ "subcategory": "Storage",
+ "text": "Stripe multiple Azure data disks using Storage Spaces to increase I/O bandwidth",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "WAF checklist",
- "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4",
- "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability",
- "service": "ExpressRoute",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Your storage caching policy varies depending on the type of SQL Server data files that are hosted on the drive.Enable Read-only caching for the disks hosting SQL Server data files.Reads from cache will be faster than the uncached reads from the data disk.Set the caching policy to None for disks hosting the transaction log. 
There is no performance benefit to enabling caching for the Transaction log disk.",
+ "guid": "05674b5e-985b-4859-a773-e7e261623b77",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
 "services": [
- "ExpressRoute",
- "WAF"
+ "Storage",
+ "AzurePolicy",
+ "SQL"
 ],
- "severity": "Medium",
- "text": "When traffic isolation or dedicated bandwidth is required, such as for separating production and nonproduction environments, use different ExpressRoute circuits. It will help you ensure isolated routing domains and alleviate noisy-neighbor risks.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "Storage",
+ "text": "Set host caching to read-only for data file disks and none for log file disks.",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "WAF checklist",
- "guid": "b30e38c3-f298-412b-8363-cefe179b599d",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts",
- "service": "ExpressRoute",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Check that you storage is in the same region as your VM. 
For exaplme if your VM is in EAST US 2 ensure your storage is in East US 2.",
+ "guid": "5a917e1f-348e-4f35-9c27-d42e8bbac868",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
 "services": [
- "ExpressRoute",
- "Monitor",
- "WAF"
+ "Storage",
+ "VM",
+ "SQL"
 ],
- "severity": "Medium",
- "text": "Monitor ExpressRoute availability and utilization using built-in Express Route Insights.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Operations"
+ "severity": "High",
+ "subcategory": "Storage",
+ "text": "Provision the storage account in the same region as the SQL Server VM",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "WAF checklist",
- "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2",
- "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor",
- "service": "ExpressRoute",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "SQL Server uses extents to store data. These are 64KB in size. 
Therefore, on a SQL Server machine, the NTFS allocation unit size for hosting SQL database files should be 64 KB.",
+ "guid": "155abb91-63e9-4908-ae28-c84c33b6b780",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
 "services": [
- "ACR",
- "NetworkWatcher",
- "Monitor",
- "WAF"
+ "Storage",
+ "SQL"
 ],
- "severity": "Medium",
- "text": "Use Connection Monitor for connectivity monitoring across the network, especially between on-premises and Azure.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Operations"
+ "severity": "High",
+ "subcategory": "Storage",
+ "text": "Format your data disk to use 64 KB block size (allocation unit size) for all data files placed on a drive other than the temporary D:\\ drive",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "WAF checklist",
- "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)",
- "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#challenges-of-using-multiple-expressroute-circuits",
- "service": "ExpressRoute",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "It is recommended that you determine BCDR needs and requirements ensuring that you are 
able to meet you SLAs of the environment.",
+ "guid": "8b9fe5c4-2049-4d41-9a92-3c3474d11028",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/business-continuity-high-availability-disaster-recovery-hadr-overview?view=azuresql#azure-only-disaster-recovery-solutions",
 "services": [
- "ExpressRoute",
- "WAF"
+ "VM",
+ "SQL"
 ],
 "severity": "Medium",
- "text": "Use ExpressRoute circuits from different peering locations for redundancy.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "subcategory": "HADR",
+ "text": "Determine HA/DR requirements for each VM to be migrated.",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "WAF checklist",
- "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager",
- "service": "ExpressRoute",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "When depoying High Availability you need to use availability sets or availability zones to avoid unexpected outages.",
+ "guid": "ac6aae01-e6a8-44de-9df4-3d1992481718",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/business-continuity-high-availability-disaster-recovery-hadr-overview?view=azuresql#high-availability-nodes-in-an-availability-set",
 "services": [
- "ExpressRoute",
- "VPN",
- "WAF"
+ "VM",
+ "SQL"
 ],
- "severity": "Medium",
- "text": "Use site-to-site VPN as failover of ExpressRoute, especially if only using a single ExpressRoute circuit.",
+ "severity": "High",
+ "subcategory": "HADR",
+ "text": "Place your VMs in an availability set or different availability zones.",
 "waf": "Reliability"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "WAF checklist",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project 
id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))",
- "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf",
- "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub",
- "service": "ExpressRoute",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Prefered option when deploying an Availability Group. The recommended solution is to use multi-subnets when deploying Always on Availability Groups.",
+ "guid": "d5d1e5f6-2565-49d3-958f-d77249c93111",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/availability-group-azure-portal-configure?view=azuresql&tabs=azure-cli",
 "services": [
 "VNet",
- "Storage",
- "WAF"
+ "VM",
+ "LoadBalancer",
+ "SQL"
 ],
- "severity": "High",
- "text": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated.",
+ "severity": "Medium",
+ "subcategory": "HADR",
+ "text": "Deploy your SQL Server VMs to multiple subnets whenever possible to avoid the dependency on an Azure Load Balancer or a distributed network name (DNN) to route traffic to your HADR solution. 
( If one is implementing FCI or AG)",
 "waf": "Reliability"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "WAF checklist",
- "guid": "d581a947-69a2-4783-942e-9df3664324c8",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections",
- "service": "ExpressRoute",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "High availability and disaster recovery (HADR) features, such as the Always On availability group and the failover cluster instance rely on underlying Windows Server Failover Cluster technology. Review the best practices for modifying your HADR settings to better support the cloud environment.",
+ "guid": "2d027fe4-12f7-4098-9f63-04722ee69d6b",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql-vm#hadr-configuration",
 "services": [
- "ExpressRoute",
- "ACR",
- "WAF"
+ "ASR",
+ "SQL"
 ],
 "severity": "High",
- "text": "If using ExpressRoute, your on-premises routing should be dynamic: in the event of a connection failure it should converge to the remaining connection of the circuit. Load should be shared across both connections ideally as active/active, although active/passive is supported too.",
+ "subcategory": "HADR",
+ "text": "Change the cluster to less aggressive parameters to avoid unexpected outages from transient network failures or Azure platform maintenance. 
( If one is implementing FCI or AG)",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "WAF checklist",
- "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute",
- "service": "ExpressRoute",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Ensure that quorum is set correct for the number of instances deployed.",
+ "guid": "5c2622f5-4b69-4bad-94aa-d5e8c78e1d76",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/hadr-cluster-best-practices?view=azuresql-vm&tabs=windows2012#quorum-voting",
 "services": [
- "ExpressRoute",
- "WAF"
+ "SQL"
 ],
- "severity": "Medium",
- "text": "Ensure the two physical links of your ExpressRoute circuit are connected to two distinct edge devices in your network.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "severity": "High",
+ "subcategory": "HADR",
+ "text": "Configure cluster quorum voting to use 3 or more odd number of votes. Don't assign votes to DR regions. ( If one is implementing FCI or AG)",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "WAF checklist",
- "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd",
- "service": "ExpressRoute",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "On Azure virtual machines, clusters use a load balancer to hold an IP address that needs to be on one cluster node at a time. 
In this solution, the load balancer holds the IP address for the virtual network name (VNN) listener for the Always On availability group when the SQL Server VMs are in a single subnet.",
+ "guid": "667313c4-0567-44b5-b985-b859c773e7e2",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/availability-group-vnn-azure-load-balancer-configure?view=azuresql-vm&tabs=ilb",
 "services": [
- "WAF"
+ "VNet",
+ "VM",
+ "LoadBalancer",
+ "SQL"
 ],
- "severity": "Medium",
- "text": "Ensure Bidirectional Forwarding Detection (BFD) is enabled and configured on customer or provider edge routing devices.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "severity": "High",
+ "subcategory": "HADR",
+ "text": "When using the virtual network name (VNN) and Azure Load Balancer to connect to your HADR solution, specify MultiSubnetFailover = true in the connection string, even if your cluster only spans one subnet. ( If one is implementing FCI or AG)",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "WAF checklist",
- "guid": "669b215a-ce43-4371-8f6f-11047f6490f1",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
- "service": "ExpressRoute",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "SQL Server, Azure SQL Database, and Azure SQL Managed Instance support row and page compression for rowstore tables and indexes, and support columnstore and columnstore archival compression for columnstore tables and indexes.",
+ "guid": "61623b77-5a91-47e1-b348-ef354c27d42e",
+ "link": "https://learn.microsoft.com/sql/relational-databases/data-compression/data-compression?view=sql-server-ver16",
 "services": [
- "ExpressRoute",
- "WAF"
+ "Storage",
+ "SQL"
+ ],
+ "severity": "Low",
+ "subcategory": "SQL Server",
+ "text": "Enable database page 
compression where appropriate.",
+ "waf": "Performance"
+ },
+ {
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "By default, data and log files are initialized to overwrite any existing data left on the disk from previously deleted files. Data and log files are first initialized by zeroing the files (filling with zeros).In SQL Server, for data files only, instant file initialization (IFI) allows for faster execution of the previously mentioned file operations, since it reclaims used disk space without filling that space with zeros. Instead, disk content is overwritten as new data is written to the files.",
+ "guid": "8bbac868-155a-4bb9-863e-9908ae28c84c",
+ "link": "https://learn.microsoft.com/sql/relational-databases/databases/database-instant-file-initialization?view=sql-server-ver16",
+ "services": [
+ "Storage",
+ "SQL"
 ],
 "severity": "High",
- "text": "Connect the ExpressRoute Gateway to two or more circuits from different peering locations for higher resiliency.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Reliability"
+ "subcategory": "SQL Server",
+ "text": "Enable instant file initialization for data files.",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "WAF checklist",
- "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9",
- "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log",
- "service": "ExpressRoute",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Recommended for best performance and availability migrate all databases to data and log disks",
+ "guid": "33b6b780-8b9f-4e5c-9204-9d413a923c34",
+ "link": "https://learn.microsoft.com/sql/relational-databases/databases/move-database-files?view=sql-server-ver16",
 "services": [
- "ExpressRoute",
- "VNet",
- "Monitor",
- "WAF"
+ "SQL"
 ],
"severity": "Medium", - "text": "Configure diagnostic logs and alerts for ExpressRoute virtual network gateway.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "subcategory": "SQL Server", + "text": "Move all databases to data disks, including system databases.", "waf": "Operations" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "5234c93f-b651-41dd-80c1-234177b91ced", - "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", - "service": "ExpressRoute", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", + "guid": "b824546c-e1ae-4e34-93ae-c8239248725d", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql-vm#sql-server-features", "services": [ - "ExpressRoute", - "VNet", - "WAF" + "Storage", + "VM", + "SQL" ], - "severity": "Medium", - "text": "Avoid using ExpressRoute circuits for VNet-to-VNet communication.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "severity": "Low", + "subcategory": "SQL Server", + "text": "Move SQL Server error log and trace file directories to data disks.", + "waf": "Operations" }, { - "ammp": true, - "checklist": "WAF checklist", - "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", - "link": "https://learn.microsoft.com/azure/app-service/networking-features", - "service": "Firewall", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", + "guid": "d68c5b5c-2925-4394-a69a-9d2799c42bb6", + "link": 
"https://learn.microsoft.com/sql/database-engine/configure-windows/server-memory-server-configuration-options#use-", "services": [ - "Firewall", - "WAF" + "VM", + "SQL" ], "severity": "High", - "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "subcategory": "SQL Server", + "text": "Set max SQL Server memory limit to leave enough memory for the Operating System.", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", + "guid": "8d1d7555-6246-4b43-a563-b4dc74a748b6", + "link": "https://learn.microsoft.com/sql/database-engine/configure-windows/enable-the-lock-pages-in-memory-option-windows", "services": [ - "RBAC", - "Firewall", - "AzurePolicy", - "ACR", - "WAF" + "VM", + "SQL" ], - "severity": "Medium", - "text": "Create a global Azure Firewall policy to govern security posture across the global network environment and assign it to all Azure Firewall instances. 
Allow for granular policies to meet requirements of specific regions by delegating incremental firewall policies to local security teams via Azure role-based access control.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "SQL Server",
+ "text": "Enable lock pages in memory.",
+ "waf": "Performance"
 },
 {
- "checklist": "WAF checklist",
- "guid": "655562f2-b3e4-4563-a4d8-739748b662d6",
- "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner",
- "service": "Firewall",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.",
+ "guid": "633ad2a0-916a-4664-a8fa-d0e278ee293c",
+ "link": "https://learn.microsoft.com/sql/relational-databases/performance/monitoring-performance-by-using-the-query-store",
 "services": [
- "Firewall",
- "WAF"
+ "VM",
+ "SQL"
 ],
 "severity": "Low",
- "text": "Configure supported partner SaaS security providers within Firewall Manager if the organization wants to use such solutions to help protect outbound connections.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Security"
+ "subcategory": "SQL Server",
+ "text": "Enable Query Store on all production SQL Server databases following best practices.",
+ "waf": "Performance"
 },
 {
- "ammp": true,
- "checklist": "WAF checklist",
- "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant",
- "guid": "14d99880-2f88-47e8-a134-62a7d85c94af",
- "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules",
- "service": "Firewall",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Part of 
the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.",
+ "guid": "1bc352ba-aab7-4571-a49a-b8093dc9ec9d",
+ "link": "https://learn.microsoft.com/sql/relational-databases/databases/tempdb-database#optimizing-tempdb-performance-in-sql-server",
 "services": [
- "Firewall",
- "DNS",
- "WAF"
+ "VM",
+ "SQL"
 ],
 "severity": "High",
- "text": "Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules.",
- "waf": "Security"
+ "subcategory": "SQL Server",
+ "text": "Ensure that all tempdb best practices are followed.",
+ "waf": "Performance"
 },
 {
- "ammp": true,
- "checklist": "WAF checklist",
- "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant",
- "guid": "c10d51ef-f999-455d-bba0-5c90ece07447",
- "link": "https://learn.microsoft.com/azure/firewall/premium-features",
- "service": "Firewall",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.",
+ "guid": "1bb73b36-a5a6-47fb-a9ed-5b35478c3479",
+ "link": "https://docs.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---require-authorization",
 "services": [
- "Firewall",
- "WAF"
+ "VM",
+ "SQL"
 ],
 "severity": "High",
- "text": "Use Azure Firewall Premium for additional security and protection.",
- "waf": "Security"
+ "subcategory": "SQL Server",
+ "text": "Schedule SQL Server Agent jobs to run DBCC CHECKDB, index reorganize, index rebuild, and update statistics jobs.",
+ "waf": "Operations"
 },
 {
- "ammp": true,
- "checklist": "WAF checklist",
- "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | 
distinct id,compliant",
- "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3",
- "link": "https://learn.microsoft.com/azure/firewall/premium-features",
- "service": "Firewall",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.",
+ "guid": "816b2863-cffe-41ca-a599-ef0d5a73dd4c",
+ "link": "https://docs.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---require-authorization",
 "services": [
- "Firewall",
- "WAF"
+ "VM",
+ "SQL"
 ],
- "severity": "High",
- "text": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection.",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "SQL Server",
+ "text": "Limit autogrowth of the database and Disable autoshrink",
+ "waf": "Operations"
 },
 {
- "ammp": true,
- "checklist": "WAF checklist",
- "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant",
- "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c",
- "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps",
- "service": "Firewall",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Constrained vCPU virtual machines (VMs) are a type of VM where the vCPU count can be constrained to a half or a quarter of the original VM size. 
This allows customers to reduce the cost of software licensing while maintaining the same memory, storage, and I/O bandwidth",
+ "guid": "e36c1c81-770a-4fbc-9c0d-43918648d285",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/constrained-vcpu",
 "services": [
- "Firewall",
- "WAF"
+ "Storage",
+ "VM",
+ "Cost",
+ "SQL"
 ],
- "severity": "High",
- "text": "Configure Azure Firewall IDPS mode to Deny for additional protection.",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Cost Optimization",
+ "text": "Optimize SQL Server License cost with Constrained vCPU VM's",
+ "training": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview",
+ "waf": "Cost"
 },
 {
- "ammp": true,
- "checklist": "WAF checklist",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant",
- "guid": 
"a3784907-9836-4271-aafc-93535f8ec08b", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", - "service": "Firewall", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Azure Hybrid Benefit allows you to exchange your existing licenses for discounted rates on Azure SQL Database and Azure SQL Managed Instance. Y", + "guid": "7ed67178-b824-4546-ae1a-ee3453aec823", + "link": "https://azure.microsoft.com/en-ca/pricing/hybrid-benefit/", "services": [ - "VNet", - "Firewall", - "Storage", - "VWAN", - "NVA", - "WAF" + "Cost", + "SQL" ], - "severity": "High", - "text": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance", - "waf": "Security" + "severity": "Low", + "subcategory": "Cost Optimization", + "text": "Leverage Azure Hybrid benefit to maximize the value of your on premises licenses in the cloud", + "waf": "Cost" }, { - "ammp": true, - "checklist": "WAF checklist", - "guid": "715d833d-4708-4527-90ac-1b142c7045ba", - "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", - "service": "Firewall", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "The SQL Server IaaS Agent extension (SqlIaasExtension) runs on SQL Server on Azure Windows Virtual Machines (VMs) to automate management and administration tasks.", + "guid": "9248725d-d68c-45b5-a292-5394a69a9d27", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/sql-agent-extension-automatic-registration-all-vms?view=azuresql-vm&tabs=azure-cli", "services": [ - "Firewall", - "Storage", - "WAF" + "VM", + "SQL" ], "severity": "Medium", - "text": "Add diagnostic settings to save logs, using the Resource Specific destination table, for all Azure Firewall deployments.", - "training": 
"https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "subcategory": "Azure", + "text": "Register with the SQL IaaS Agent Extension to unlock a number of feature benefits.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Operations" }, { - "ammp": true, - "checklist": "WAF checklist", - "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", - "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", - "service": "Firewall", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Accelerated Networking provides consistent ultra-low network latency via Azure's in-house programmable hardware and technologies", + "guid": "99c42bb6-8d1d-4755-9624-6b438563b4dc", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", "services": [ - "AzurePolicy", - "Firewall", - "WAF" + "VM", + "SQL" ], - "severity": "Important", - "text": "Migrate from Azure Firewall Classic rules (if exist) to Firewall Policy.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "severity": "High", + "subcategory": "Azure", + "text": "Ensure Accelerated Networking is enabled on the virtual machine.", "waf": "Operations" }, { - "ammp": true, - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", - "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", - "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", - "service": "Firewall", + "category": "SQL 
Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Microsoft Defender detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases on the SQL server.", + "guid": "74a748b6-633a-4d2a-8916-a66498fad0e2", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/secure-score-security-controls", "services": [ - "Firewall", - "VNet", - "WAF" + "VM", + "Defender", + "SQL" ], "severity": "High", - "text": "Use a /26 prefix for your Azure Firewall subnets.", + "subcategory": "Azure", + "text": "Leverage Microsoft Defender for Cloud to improve the overall security posture of your virtual machine deployment.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", - "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", - "service": "Firewall", - "services": [ - "AzurePolicy", - "WAF" - ], - "severity": "Medium", - "text": "Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use", - "waf": "Performance" - }, - { - "checklist": "WAF checklist", - "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", - "link": "https://learn.microsoft.com/azure/firewall/ip-groups", - "service": "Firewall", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "There are some PaaS limitations that are introduced in SQL Managed Instance and some behavior changes compared to SQL Server. 
It is important to review and understand these differences.", + "guid": "78ee293c-1bc3-452b-aaab-7571849ab809", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/transact-sql-tsql-differences-sql-server?view=azuresql", "services": [ - "Storage", - "WAF" + "EventHubs", + "SQL" ], - "severity": "Medium", - "text": "Use IP Groups or IP prefixes to reduce number of IP table rules", - "waf": "Performance" + "severity": "High", + "subcategory": "Pre Migration", + "text": "Review the major differences between SQL Server and Managed Instance", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", - "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", - "service": "Firewall", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "SQL Managed Instance has characteristics and resource limits that depend on the underlying infrastructure and architecture. 
It is important to review these limits.", + "guid": "3dc9ec9d-1bb7-43b3-9a5a-67fba9ed5b35", + "link": "https://docs.microsoft.com/azure/azure-sql/managed-instance/resource-limits", "services": [ - "WAF" + "SQL" ], - "severity": "Medium", - "text": "Avoid wildcards as a source IP for DNATS, such as * or any, you should specify source IPs for incoming DNATs", + "severity": "High", + "subcategory": "Pre Migration", + "text": "Review capacity limits for SQL MI", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", - "link": "https://learn.microsoft.com/azure/nat-gateway/tutorial-hub-spoke-nat-firewall", - "service": "Firewall", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "The instance settings between managed instance and your source SQL Server can be different . It is important to review those differences that can impact performance.", + "guid": "8bc178bd-c5a0-46ca-9144-351e19dd3442", + "link": "https://medium.com/azure-sqldb-managed-instance/compare-environment-settings-on-sql-server-and-azure-sql-that-may-impact-performance-e90c21fa9b08", "services": [ - "Monitor", - "WAF" + "SQL" ], - "severity": "Medium", - "text": "Prevent SNAT Port exhaustion by monitoring SNAT port usage, evaluating NAT Gateway settings, and ensuring seamless failover. 
If the port count approaches the limit, it’s a sign that SNAT exhaustion might be imminent.", + "severity": "High", + "subcategory": "Pre Migration", + "text": "Compare instance settings on SQL Server and Azure SQL MI that may impact performance", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "346840b8-1064-496e-8396-4b1340172d52", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", - "service": "Firewall", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "Assess on-premises SQL Server instance(s) migrating to Azure SQL Managed Instance. The assessment workflow helps you to detect issues that block the migration itself and also partially supported and unsupported features", + "guid": "9eb72281-37a1-451c-9bb4-e4f1814287d5", + "link": "https://docs.microsoft.com/azure/dms/ads-sku-recommend", "services": [ - "WAF" + "SQL" ], "severity": "High", - "text": "Enable TLS Inspection", - "waf": "Performance" + "subcategory": "Pre Migration", + "text": "Run Data Migration assistant or Azure Data Studio Migration Extension to detect compatibility issues that can impact database functionality on Managed Instance", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", - "service": "Firewall", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "The SKU recommendation feature can evaluate the source SQL Server performance and utilization characteristics to recommend a right-sized Azure SQL Managed Instance to assist with your migration journey.", + "guid": 
"ca8c26c9-b32a-4b5b-afc6-898a135e3378", + "link": "https://learn.microsoft.com/azure/dms/ads-sku-recommend", "services": [ - "ServiceBus", - "WAF" + "SQL" ], - "severity": "Low", - "text": "Use web categories to allow or deny outbound access to specific topics.", + "severity": "High", + "subcategory": "Pre Migration", + "text": "Select the right compute resources for your workload by leveraging the SKU recommendation tools.", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", - "service": "Firewall", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "Review Unsupported Features, Migration Blockers and Breaking Changes for each database from the Assessment", + "guid": "97e31c67-d68c-4b69-82ac-19f906d697c8", + "link": "https://learn.microsoft.com/azure/dms/ads-sku-recommend", "services": [ - "WAF" + "SQL" ], - "severity": "Medium", - "text": "As part of your TLS inspection, plan for receiving traffic from Azure App Gateways for inspection.", - "waf": "Performance" + "severity": "High", + "subcategory": "Pre Migration", + "text": "Review and address the issues highlighted in DMA/Azure Data Studio", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", - "link": "https://learn.microsoft.com/azure/firewall/dns-details", - "service": "Firewall", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "The SQL Managed Instance default DNS zone .database.windows.net can be changed with your own. 
However, the managed instance hostname part of its FQDN should remain the same.", + "guid": "eaded26b-dd18-46f0-ac25-1b999a68af87", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/frequently-asked-questions-faq?view=azuresql-mi#can-a-managed-instance-have-the-same-name-as-a-sql-server-on-premises-instance", "services": [ - "Firewall", "DNS", - "WAF" + "SQL" ], - "severity": "Medium", - "text": "Enable Azure Firewall DNS proxy configuration ", - "waf": "Security" + "severity": "High", + "subcategory": "Pre Migration", + "text": "Plan for connection string changes as changing a managed instance name is not supported", + "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", - "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", - "service": "Firewall", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "There are addional requirements in configuring a vnet and subnet hosting the managed instance.", + "guid": "c9a7f821-b8eb-48c0-aa77-e25e4d5aeaa8", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/vnet-existing-add-subnet?view=azuresql-mi", "services": [ - "AzurePolicy", - "VM", - "WAF" + "VNet", + "SQL" ], "severity": "Medium", - "text": "Ensure there is a policy assignment to deny Public IP addresses directly tied to Virtual Machines", - "waf": "Security" + "subcategory": "Pre Migration", + "text": "Review managed instance VNet requirements", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", - "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", - "service": "Firewall", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + 
"description": "Though it's possible to deploy managed instances to a subnet with a number of IP addresses that's less than the output of the subnet formula, always consider using bigger subnets instead. Using a bigger subnet can help avoid future issues stemming from a lack of IP addresses, such as the inability to create additional instances within the subnet or scale existing instances.", + "guid": "dc4e2436-bb33-46d7-85f1-7960eee0b9b5", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/vnet-subnet-determine-size?view=azuresql-mi", "services": [ - "Firewall", - "Monitor", - "WAF" + "VNet", + "SQL" ], - "severity": "Low", - "text": "Integrate Azure Firewall with Azure Monitor and enable diagnostic logging to store and analyze firewall logs.", + "severity": "High", + "subcategory": "Deployment", + "text": "Ensure managed instance subnet has sufficient IP addresses available", + "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "SQL Managed Instance has characteristics and resource limits that depend on the underlying infrastructure and architecture. 
SQL Managed Instance can be deployed on multiple hardware configurations.", + "guid": "c8defc4d-721d-431d-850f-b707ae9eab40", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/resource-limits?view=azuresql-mi#service-tier-characteristics", "services": [ - "Backup", - "WAF" + "SQL" ], - "severity": "Low", - "text": "Implement backups for your firewall rules", - "waf": "Operations" + "severity": "High", + "subcategory": "Pre Migration", + "text": "Plan between General Purpose and Business Critical tiers of MI", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "waf": "Performance" }, { - "ammp": true, - "checklist": "WAF checklist", - "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "App Gateway", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "The auto-failover groups feature allows you to manage the replication and failover of user databases in a managed instance to a managed instance in another Azure region. Auto-failover groups are designed to simplify deployment and management of geo-replicated databases at scale.", + "guid": "ed329079-8bc1-478b-bc5a-06ca7144351e", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/auto-failover-group-sql-mi?view=azuresql-mi&tabs=azure-powershell", "services": [ - "VNet", - "WAF" + "SQL" ], "severity": "High", - "text": "Ensure that control-plane communication for Azure PaaS services injected into a virtual network is not broken, for example with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "Security" + "subcategory": "Pre Migration", + "text": "Based on your RPO/RTO's , determine if Auto failover Group needs to be implemented. 
If so, plan for the deployment attributes of the second instance.", + "training": "https://learn.microsoft.com/learn/paths/implement-windows-server-iaas-virtual-machine-identity/", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", - "link": "https://learn.microsoft.com/azure/app-service/networking-features", - "service": "ExpressRoute", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "There are multiple ways to connect your application to the managed instance. Review and understand the pros and cons and decide on the best approach for your application.", + "guid": "5d226886-d30b-466c-97be-595190f83845", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/connect-application-instance?view=azuresql-mi", "services": [ - "ExpressRoute", - "PrivateLink", - "WAF" + "SQL" ], - "severity": "Medium", - "text": "Access Azure PaaS services from on-premises via private endpoints and ExpressRoute private peering. 
This method avoids transiting over the public internet.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Security" + "severity": "Low", + "subcategory": "Pre Migration", + "text": "Review the Connectivity Design between Database and Application, test & validate it", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", - "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", - "link": "https://learn.microsoft.com/azure/app-service/networking-features", - "service": "VNet", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "Compare migration options to choose the path that's appropriate to your business needs.", + "guid": "c586cb29-1ec1-46a1-b076-ef9f141acdce", + "link": "https://learn.microsoft.com/azure/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-overview?view=azuresql-mi#migration-tools", "services": [ - "VNet", - "WAF" + "SQL" ], "severity": "Medium", - "text": "Don't enable virtual network service endpoints by default on all subnets.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "Security" + "subcategory": "Pre Migration", + "text": "Plan for the Migration Method. 
Depending on the DB Size and Application downtime window, select the preferred Migration Method.", + "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", - "link": "https://learn.microsoft.com/azure/app-service/networking-features", - "service": "Firewall", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "After you verify that data is the same on both source and target, you can cut over from the source to the target environment. It's important to plan the cutover process with business / application teams to ensure minimal interruption during cutover doesn't affect business continuity.", + "guid": "579377bc-db37-451a-a2ac-1fad66e15d4d", + "link": "https://learn.microsoft.com/azure/dms/tutorial-sql-server-managed-instance-online#performing-migration-cutover", "services": [ - "Firewall", - "PrivateLink", - "DNS", - "NVA", - "WAF" + "SQL" ], "severity": "Medium", - "text": "Filter egress traffic to Azure PaaS services using FQDNs instead of IP addresses in Azure Firewall or an NVA to prevent data exfiltration. 
If using Private Link you can block all FQDNs, otherwise allow only the required PaaS services.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "Security" + "subcategory": "Pre Migration", + "text": "Plan the cutover process with business / application teams to ensure minimal interruption during cutover and it does not affect business continuity.", + "training": "https://learn.microsoft.com/azure/architecture/example-scenario/identity/adds-extend-domain", + "waf": "Reliability" }, { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", - "service": "ExpressRoute", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "A time zone of a managed instance can be set during instance creation only. The default time zone is UTC", + "guid": "4a2adb1c-3d23-426a-b225-ca44e1695fdd", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/timezones-overview?view=azuresql#set-a-time-zone", "services": [ - "ExpressRoute", - "VNet", - "VPN", - "WAF" + "SQL" ], "severity": "High", - "text": "Use at least a /27 prefix for your Gateway subnets", - "waf": "Security" + "subcategory": "Deployment", + "text": "Ensure you customize your time zone setting at the instance creation time. 
One cannot change it later.", + "training": "https://learn.microsoft.com/azure/role-based-access-control/overview", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", - "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", - "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", - "service": "NSG", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "Server-level collation in Azure SQL Managed Instance can be specified when the instance is created and cannot be changed later.Default server-level collation is SQL_Latin1_General_CP1_CI_AS.", + "guid": "deace4cb-1deb-44c6-90c3-fc14eebb3693", + "link": "https://learn.microsoft.com/sql/relational-databases/collations/set-or-change-the-server-collation?view=sql-server-ver16", "services": [ - "VNet", - "WAF" + "SQL" ], - "severity": "Medium", - "text": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity.", - "waf": "Security" + "severity": 
"High", + "subcategory": "Deployment", + "text": "Ensure you select the right collation setting at the instance creation time. One cannot change it later", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", - "service": "NSG", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "When you're migrating a database protected by Transparent Data Encryption (TDE) to Azure SQL Managed Instance using the native restore option, the corresponding certificate from the SQL Server instance needs to be migrated before database restore.", + "guid": "829e3eec-2183-4687-a007-7a2b5945bda4", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/tde-certificate-migrate?view=azuresql-mi&tabs=azure-powershell", "services": [ - "VNet", - "ACR", - "WAF" + "VM", + "SQL" ], "severity": "Medium", - "text": "Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones).", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "Security" + "subcategory": "Deployment", + "text": "For TDE Enabled Database, corresponding certificate from the on-premises or Azure VM SQL Server needs to be migrated before database restore", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "graph": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)", - "guid": "9c2299c4-d7b5-47d0-a655-562f2b3e4563", - "service": 
"NSG", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "System databases can be restored only from backups that are created on the version of SQL Server that the server instance is currently running. This is not the case when you are migrating to SQL Managed Instance.Azure PowerShell and DBATools PowerShell libraries enable you to easily script and automate and customize all parts of the migration process.", + "guid": "3334fdf9-1c23-4418-8b65-275269440b4b", + "link": "https://learn.microsoft.com/azure/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-guide?view=azuresql-mi#backup-and-restore", "services": [ - "VNet", - "VM", - "WAF" + "Backup", + "SQL" ], - "severity": "Medium", - "text": "The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "Security" + "severity": "Low", + "subcategory": "Migration", + "text": "Restore of system databases is not supported. To migrate instance-level objects (stored in master or msdb databases), we recommend to script them out and run T-SQL scripts on the destination instance.", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "NSG", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "When using migration options that continuously replicate / sync data changes from source to the target, the source data and schema can change and drift from the target. 
During data sync, ensure that all changes on the source are captured and applied to the target during the migration process.", + "guid": "e3d3e084-3276-4d4b-bc01-5bcf219e4a1e", "services": [ - "Entra", - "VNet", - "NVA", - "WAF" + "SQL" ], - "severity": "Medium", - "text": "Use NSGs and application security groups to micro-segment traffic within the landing zone and avoid using a central NVA to filter traffic flows.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "Security" + "severity": "High", + "subcategory": "Migration", + "text": "Ensure that all changes on the source are captured and applied to the target during the migration process.", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "dfe237de-143b-416c-91d7-aa9b64704489", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "NSG", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "Ensure that the application is able to succesffuly connect to the managed instance post migration of the databases.", + "guid": "b5887952-5d22-4688-9d30-b66c57be5951", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/connect-application-instance?view=azuresql-mi", "services": [ - "VNet", - "NetworkWatcher", - "WAF" + "SQL" ], "severity": "Medium", - "text": "Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "waf": "Security" + "subcategory": "Migration", + "text": "Test Application Connectivity to MI and Databases", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", - "guid": 
"0390417d-53dc-44d9-b3f4-c8832f359b41", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "NSG", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "High availability is a fundamental part of SQL Managed Instance platform that works transparently for your database applications. Failovers from primary to secondary nodes in case of node degradation or fault detection, or during regular monthly software updates are an expected occurrence for all applications using SQL Managed Instance in Azure.", + "guid": "90f83845-c586-4cb2-a1ec-16a1d076ef9f", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/user-initiated-failover?view=azuresql", "services": [ - "VNet", - "WAF" + "SQL" ], - "severity": "Medium", - "text": "Consider the limit of NSG rules per NSG (1000).", - "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "severity": "High", + "subcategory": "Post Migration", + "text": "Consider executing a manual failover on SQL Managed Instance to test for fault and failover resiliency.", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF checklist", - "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", - "service": "VWAN", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "Ensuring that your applications are failover resilient prior to deploying to production will help mitigate the risk of application faults in production and will contribute to application availability for your customers.", + "guid": "141acdce-5793-477b-adb3-751ab2ac1fad", + "link": 
"https://learn.microsoft.com/azure/azure-sql/managed-instance/auto-failover-group-configure-sql-mi?view=azuresql&tabs=azure-portal#test-failover", "services": [ - "VWAN", - "WAF" + "EventHubs", + "LoadBalancer", + "SQL" ], - "severity": "Medium", - "text": "Consider Virtual WAN for simplified Azure networking management, and make sure your scenario is explicitly described in the list of Virtual WAN routing designs", - "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", - "waf": "Operations" + "severity": "High", + "subcategory": "Post Migration", + "text": "If failover groups have been implemented, Test Manual Failover and Failback and test application connectivity behavior during failover/failback", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF checklist", - "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "VWAN", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "This provides more dedicated disk IOPS and throughput", + "guid": "aa359272-8e6e-4205-8726-76ae46691e88", + "link": "https://techcommunity.microsoft.com/t5/azure-sql-blog/storage-performance-best-practices-and-considerations-for-azure/ba-p/305525", "services": [ - "ACR", - "VWAN", - "WAF" + "Storage", + "SQL" ], - "severity": "Medium", - "text": "Use a Virtual WAN hub per Azure region to connect multiple landing zones together across Azure regions via a common global Azure Virtual WAN.", + "severity": "High", + "subcategory": "Post Migration", + "text": "Optimize Storage Performance for General Purpose Managed Instance", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", "waf": "Performance" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF checklist", - "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", - "link": 
"https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "VWAN", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "Many organizations have policies that require that certificates or encryption keys be created and managed internally. If your organization has a similar policy, this architecture might apply to you. If your customers require internal management of these items, the architecture also might apply to you.", + "guid": "35ad9422-23e1-4381-8523-081a94174158", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/data/sql-managed-instance-cmk", "services": [ - "ACR", - "WAF" + "AzurePolicy", + "AKV", + "Backup", + "SQL" ], "severity": "Low", - "text": "Follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network", - "waf": "Performance" - }, - { - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", - "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "VWAN", - "services": [ - "Firewall", - "WAF" - ], - "severity": "Medium", - "text": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "subcategory": "Post Migration", + "text": "Enable Customer managed TDE for taking your own copy only full backups", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", "waf": "Security" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF checklist", - "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", - "link": 
"https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "VWAN", - "services": [ - "VWAN", - "WAF" - ], - "severity": "Medium", - "text": "Ensure that the network architecture is within the Azure Virtual WAN limits.", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF checklist", - "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", - "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", - "service": "VWAN", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "The maintenance window feature provides you with the ability to onboard Azure SQL resource to prescheduled time blocks outside of business hours.", + "guid": "33ef7ad7-c6d3-4733-865c-7acbe44bbe60", + "link": "https://learn.microsoft.com/azure/azure-sql/database/planned-maintenance?view=azuresql", "services": [ - "VWAN", - "Monitor", - "WAF" + "SQL" ], "severity": "Medium", - "text": "Use Azure Monitor Insights for Virtual WAN to monitor the end-to-end topology of the Virtual WAN, status, and key metrics.", + "subcategory": "Post Migration", + "text": "Plan for Azure maintenance events", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "Operations" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF checklist", - "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", - "service": "VWAN", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "By using the long-term retention (LTR) feature, you can store specified SQL Database and SQL Managed Instance full backups in Azure Blob storage with configured redundancy for up to 10 years.", + "guid": "9d89f2e8-7778-4424-b516-785c6fa96b96", + "link": 
"https://learn.microsoft.com/azure/azure-sql/database/long-term-retention-overview?view=azuresql-mi", "services": [ - "VWAN", - "WAF" + "Storage", + "ARS", + "Backup", + "SQL" ], - "severity": "Medium", - "text": "Make sure that your IaC deployments does not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked.", + "severity": "Low", + "subcategory": "Post Migration", + "text": "Configure Long Term backup retention, view backups and restore from backups", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF checklist", - "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", - "service": "VWAN", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "By using Azure Hybrid Benefit, you can achieve cost savings, modernise and maintain a flexible hybrid environment while optimising business applications.", + "guid": "ad88408f-3727-434c-a76b-a28021459014", + "link": "https://azure.microsoft.com/en-gb/pricing/hybrid-benefit/#overview", "services": [ - "ExpressRoute", - "VPN", - "WAF" + "Cost", + "SQL" ], - "severity": "Medium", - "text": "Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN.", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Post Migration", + "text": "Take advantage of Azure Hybrid Benefit and Azure Reservations where applicable.", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "Cost" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF checklist", - "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", - "service": "VWAN", + "category": 
"SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "If you don't have threat protection Advanced Threat Protection is part of the Microsoft Defender for SQL offering, which is a unified package for advanced SQL security capabilities.", + "guid": "65d38e53-f9cc-4bd8-9926-6acca274faa1", + "link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-overview?view=azuresql", "services": [ - "VWAN", - "WAF" + "Defender", + "SQL" ], "severity": "Medium", - "text": "Make sure that your IaC deployments are configuring label-based propagation in Virtual WAN, otherwise connectivity between virtual hubs will be impaired.", - "waf": "Reliability" + "subcategory": "Post Migration", + "text": "Leverage Microsoft Defender for Cloud to improve the overall security posture", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { - "ammp": true, - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF checklist", - "guid": "9c75dfef-573c-461c-a698-68598595581a", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", - "service": "VWAN", + "category": "Security", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. 
", + "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", + "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", + "service": "Event Hubs", "services": [ - "WAF" + "EventHubs" ], - "severity": "High", - "text": "Assign enough IP space to virtual hubs, ideally a /23 prefix.", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Data Protection", + "text": "Use customer-managed key option in data at rest encryption when required", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Security" }, { - "ammp": true, - "checklist": "WAF checklist", - "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "category": "Security", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail. 
", + "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", + "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", + "service": "Event Hubs", "services": [ - "AzurePolicy", - "WAF" + "EventHubs" ], - "severity": "High", - "text": "Leverage Azure Policy strategically, define controls for your environment, using Policy Initiatives to group related policies.", + "severity": "Medium", + "subcategory": "Data Protection", + "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "category": "Security", + "checklist": "Azure Event Hub Review", + "description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has manage permissions for the entire namespace. It�s recommended that you treat this rule like an administrative root account and don�t use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", + "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", + "service": "Event Hubs", "services": [ + "TrafficManager", + "Entra", "RBAC", - "AzurePolicy", - "WAF" + "EventHubs", + "AzurePolicy" ], "severity": "Medium", - "text": "Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments.", + "subcategory": "Identity and Access Management", + "text": "Avoid using root account when it is not necessary", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "223ace8c-b123-408c-a501-7f154e3ab369", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "category": "Security", + "checklist": "Azure Event Hub Review", + "description": "Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. ", + "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", + "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", + "service": "Event Hubs", "services": [ - "AzurePolicy", - "Subscriptions", - "WAF" + "Storage", + "Entra", + "EventHubs", + "AKV", + "VM" ], "severity": "Medium", - "text": "Establish Azure Policy definitions at the intermediate root management group so that they can be assigned at inherited scopes", + "subcategory": "Identity and Access Management", + "text": "When possible, your application should be using a managed identity to authenticate to Azure Event Hub. 
If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "3829e7e3-1618-4368-9a04-77a209945bda", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "category": "Security", + "checklist": "Azure Event Hub Review", + "description": "When creating permissions, provide fine-grained control over a client's access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped to the individual resource level e.g. consumer group, event hub entity, event hub namespaces, etc.", + "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", + "service": "Event Hubs", "services": [ - "AzurePolicy", - "WAF" + "EventHubs", + "Entra", + "RBAC" ], - "severity": "Medium", - "text": "Manage policy assignments at the highest appropriate level with exclusions at bottom levels, if required.", + "severity": "High", + "subcategory": "Identity and Access Management", + "text": "Use least privilege data plane RBAC", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "43334f24-9116-4341-a2ba-527526944008", - "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", - "service": "Policy", + "category": "Security", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub resource logs include operational logs, virtual network and Kafka logs. 
Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.", + "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", + "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", + "service": "Event Hubs", "services": [ - "AzurePolicy", - "Subscriptions", - "WAF" + "EventHubs", + "VNet", + "Monitor" ], - "severity": "Low", - "text": "Use Azure Policy to control which services users can provision at the subscription/management group level", + "severity": "Medium", + "subcategory": "Monitoring", + "text": "Enable logging for security investigation. Use Azure Monitor to captured metrics and logs such as resource logs, runtime audit logs and Kafka logs", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "category": "Security", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Event Hub traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. 
", + "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", + "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", + "service": "Event Hubs", "services": [ - "AzurePolicy", - "WAF" + "EventHubs", + "VNet", + "PrivateLink" ], "severity": "Medium", - "text": "Use built-in policies where possible to minimize operational overhead.", + "subcategory": "Networking", + "text": "Consider using private endpoints to access Azure Event Hub and disable public network access when applicable.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Security" }, { - "checklist": "WAF checklist", - "description": "Assigning the Resource Policy Contributor role to specific scopes allows you to delegate policy management to relevant teams. For instance, a central IT team may oversee management group-level policies, while application teams handle policies for their subscriptions, enabling distributed governance with adherence to organizational standards.", - "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", - "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", - "service": "Policy", + "category": "Security", + "checklist": "Azure Event Hub Review", + "description": "With IP firewall, you can restrict public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. 
", + "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", + "service": "Event Hubs", "services": [ - "RBAC", - "Subscriptions", - "AzurePolicy", - "Entra", - "WAF" + "EventHubs" ], "severity": "Medium", - "text": "Assign the built-in Resource Policy Contributor role at a particular scope to enable application-level governance.", + "subcategory": "Networking", + "text": "Consider only allowing access to Azure Event Hub namespace from specific IP addresses or ranges", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "19048384-5c98-46cb-8913-156a12476e49", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "category": "Operations Management", + "checklist": "Azure Event Hub Review", + "guid": "31d41e36-11c8-417b-8afb-c410d4391898", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", + "service": "Event Hubs", "services": [ - "AzurePolicy", - "Subscriptions", - "WAF" + "EventHubs" ], "severity": "Medium", - "text": "Limit the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited scopes.", - "waf": "Security" + "subcategory": "Best Practices", + "text": "Leverage FTA Resillency HandBook", + "waf": "Reliability" + }, + { + "category": "Operations Management", + "checklist": "Azure Event Hub Review", + "description": " This will be turned on automatically for a new EH namespace created from the portal with Premium, Dedicated, or Standard SKUs in a zone-enabled region. 
Both the EH metadata and the event data itself are replicated across zones", + "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", + "service": "Event Hubs", + "services": [ + "EventHubs", + "ACR" + ], + "severity": "High", + "subcategory": "Zone Redudancy", + "text": "Leverage Availability Zones if regionally applicable", + "waf": "Reliability" + }, + { + "category": "Operations Management", + "checklist": "Azure Event Hub Review", + "guid": "20b56c56-ad58-4519-8f82-735c586bb281", + "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", + "service": "Event Hubs", + "services": [ + "EventHubs" + ], + "severity": "Medium", + "subcategory": "Best Practices", + "text": "Use the Premium or Dedicated SKUs for predicable performance", + "waf": "Reliability" + }, + { + "category": "Operations Management", + "checklist": "Azure Event Hub Review", + "description": "The built-in geo-disaster recovery feature, when enabled, ensures that the entire configuration of anamespace (Event Hubs, Consumer Groups and settings) is continuously replicated from a primary namespace to a secondary namespace, and it allows a once-only failover move from the primary to the secondary at any time. 
Active/Passive feature is designed to make it easier to recover from and abandon a failed Azure region without having to change application configurations", + "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", + "service": "Event Hubs", + "services": [ + "EventHubs", + "ASR" + ], + "severity": "High", + "subcategory": "Geo Redudancy", + "text": "Plan for Geo Disaster Recovery using Active Passive configuration", + "waf": "Reliability" + }, + { + "category": "Operations Management", + "checklist": "Azure Event Hub Review", + "description": "Should be used for DR configurations where an outage or loss of event data in the downed region cannot be tolerated. For these cases, follow the replication guidance and do not use the built-in geo-disaster recovery capability (active/passive). With Active/Active, Maintain multiple Event Hubs in different regions and namespaces, and events will be replicated between the hubs", + "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", + "service": "Event Hubs", + "services": [ + "EventHubs", + "ASR" + ], + "severity": "Medium", + "subcategory": "Geo Redudancy", + "text": "For Business Critical Applications, use Active Active configuration", + "waf": "Reliability" + }, + { + "category": "Operations Management", + "checklist": "Azure Event Hub Review", + "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", + "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", + "service": "Event Hubs", + "services": [ + "EventHubs" + ], + "severity": "Medium", + "subcategory": "Reliability", + "text": "Design Resilient Event Hubs", + "waf": "Reliability" }, { "checklist": "WAF checklist", - "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", - "link": 
"https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", - "service": "Policy", + "description": "Disable image export to prevent data exfiltration. Note that this will prevent image import of images into another ACR instance.", + "guid": "ab91932c-9fc9-4d1b-a880-37f5e6bfcb9e", + "link": "https://learn.microsoft.com/azure/container-registry/data-loss-prevention", + "service": "ACR", "services": [ - "AzurePolicy", + "ACR", "WAF" ], - "severity": "Medium", - "text": "If any data sovereignty requirements exist, Azure Policies can be deployed to enforce them", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "severity": "High", + "text": "Disable Azure Container Registry image export", "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", - "service": "Policy", + "description": "Enable audit compliance visibility by enabling Azure Policy for Azure Container Registry", + "guid": "d503547c-d447-4e82-9128-a7100f1cac6d", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy", + "service": "ACR", "services": [ + "ACR", "AzurePolicy", "WAF" ], - "severity": "Medium", - "text": "For Sovereign Landing Zone, sovereignty policy baseline' policy initiative is deployed and and assigned at correct MG level.", + "severity": "High", + "text": "Enable Azure Policies for Azure Container Registry", "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", - "service": "Policy", + "description": "The Azure Key Vault (AKV) is used to store a signing key that can be utilized by?notation?with the notation AKV plugin (azure-kv) to sign and verify container images 
and other artifacts. The Azure Container Registry (ACR) allows you to attach these signatures using the?az?or?oras?CLI commands.", + "guid": "d345293c-7639-4637-a551-c5c04e401955", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push", + "service": "ACR", "services": [ - "AzurePolicy", + "ACR", + "AKV", "WAF" ], - "severity": "Medium", - "text": "For Sovereign Landing Zone, sovereign Control objectives to policy mapping' is documented.", + "severity": "High", + "text": "Sign and Verify containers with notation (Notary v2)", "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", - "service": "Policy", + "description": "Azure Container Registry automatically encrypts images and other artifacts that you store. By default, Azure automatically encrypts the registry content at rest by using service-managed keys. By using a customer-managed key, you can supplement default encryption with an additional encryption layer.", + "guid": "0bd05dc2-efd5-4d76-8d41-d2500cc47b49", + "link": "https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys", + "service": "ACR", "services": [ - "AzurePolicy", + "ACR", + "AKV", "WAF" ], "severity": "Medium", - "text": "For Sovereign Landing Zone, process is in place for CRUD of 'Sovereign Control objectives to policy mapping'.", + "text": "Encrypt registry with a customer managed key", "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", + "description": "Use managed identities to secure ACRPull/Push RBAC access from client applications", + "guid": "8f42d78e-79dc-47b3-9bd2-a1a27e7a8e90", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", + "service": "ACR", "services": [ - "RBAC", - 
"Monitor", - "AzurePolicy", + "ACR", "Entra", + "RBAC", "WAF" ], - "severity": "Medium", - "text": "Use a single monitor logs workspace to manage platforms centrally except where Azure role-based access control (Azure RBAC), data sovereignty requirements, or data retention policies mandate separate workspaces.", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "waf": "Operations" + "severity": "High", + "text": "Use Managed Identities to connect instead of Service Principals", + "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Monitor", + "description": "The local Administrator account is disabled by default and should not be enabled. Use either Token or RBAC-based access methods instead", + "guid": "be0e38ce-e297-411b-b363-caaab79b198d", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", + "service": "ACR", "services": [ - "AzurePolicy", - "ARS", - "Storage", + "RBAC", "WAF" ], - "severity": "Medium", - "text": "Export logs to Azure Storage if your log retention requirements exceed twelve years. 
Use immutable storage with a write-once, read-many policy to make data non-erasable and non-modifiable for a user-specified interval.", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "Operations" + "severity": "High", + "text": "Disable local authentication for management plane access", + "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", - "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", - "service": "VM", + "description": "Disable Administrator account and assign RBAC roles to principals for ACR Pull/Push operations", + "guid": "387e5ced-126c-4d13-8af5-b20c6998a646", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli", + "service": "ACR", "services": [ - "AzurePolicy", - "VM", - "Monitor", + "ACR", + "Entra", + "RBAC", "WAF" ], - "severity": "Medium", - "text": "Monitor OS level virtual machine (VM) configuration drift using Azure Policy. 
Enabling Azure Automanage Machine Configuration audit capabilities through policy helps application team workloads to immediately consume feature capabilities with little effort.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Operations" + "severity": "High", + "text": "Assign AcrPull & AcrPush RBAC roles rather than granting Administrative access to identity principals", + "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", - "service": "VM", + "description": "Disable anonymous pull/push access", + "guid": "e338997e-41c7-47d7-acf6-a62a1194956d", + "link": "https://learn.microsoft.com/azure/container-registry/anonymous-pull-access#configure-anonymous-pull-access", + "service": "ACR", "services": [ - "VM", "WAF" ], "severity": "Medium", - "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs in Azure.", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", - "waf": "Operations" + "text": "Disable Anonymous pull access", + "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", - "service": "VM", + "description": "Token authentication doesn't support assignment to an AAD principal. 
Any tokens provided are able to be used by anyone who can access the token", + "guid": "698dc3a2-fd27-4b2e-8870-1a1252beedf6", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication?tabs=azure-cli", + "service": "ACR", "services": [ - "VM", + "Entra", "WAF" ], - "severity": "Medium", - "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs in outside of Azure using Azure Arc.", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", - "waf": "Operations" + "severity": "High", + "text": "Disable repository-scoped access tokens", + "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "90483845-c986-4cb2-a131-56a12476e49f", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Network Watcher", + "description": "Deploy container images to an ACR behind a Private endpoint within a trusted network", + "guid": "b3bec3d4-f343-47c1-936d-b55f27a71eee", + "service": "ACR", "services": [ - "Monitor", - "NetworkWatcher", + "EventHubs", + "PrivateLink", + "ACR", "WAF" ], - "severity": "Medium", - "text": "Use Network Watcher to proactively monitor traffic flows", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "Operations" + "severity": "High", + "text": "Deploy images from a trusted environment", + "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Monitor", + "description": "Only tokens with an ACR audience can be used for authentication. 
Used when enabling Conditional access policies for ACR", + "guid": "3a041fd3-2947-498b-8288-b3c6a56ceb54", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy", + "service": "ACR", "services": [ - "Monitor", + "Entra", + "ACR", + "AzurePolicy", "WAF" ], "severity": "Medium", - "text": "Use Azure Monitor Logs for insights and reporting.", - "waf": "Operations" + "text": "Disable Azure ARM audience tokens for authentication", + "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "97be9951-9048-4384-9c98-6cb2913156a1", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", - "service": "Monitor", + "description": "Set up a diagnostic setting to send 'repositoryEvents' & 'LoginEvents' to Log Analytics as the central destination for logging and monitoring. This allows you to monitor control plane activity on the ACR resource itself.", + "guid": "8a488cde-c486-42bc-9bd2-1be77f26e5e6", + "link": "https://learn.microsoft.com/azure/container-registry/monitor-service", + "service": "ACR", "services": [ "Monitor", + "Entra", + "ACR", "WAF" ], "severity": "Medium", - "text": "Use Azure Monitor alerts for the generation of operational alerts.", - "waf": "Operations" + "text": "Enable diagnostics logging", + "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "Monitor", + "description": "Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch", + "guid": "21d41d25-00b7-407a-b9ea-b40fd3290798", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link", + "service": "ACR", "services": [ - "Monitor", - "WAF" + "VNet", + "PrivateLink", + "WAF", + "Firewall" ], 
"severity": "Medium",
- "text": "When using Change and Inventory Tracking via Azure Automation Accounts, ensure that you have selected supported regions for linking your Log Analytics workspace and automation accounts together.",
- "waf": "Operations"
+ "text": "Control inbound network access with Private Link",
+ "waf": "Security"
 },
 {
 "checklist": "WAF checklist",
- "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy",
- "service": "Backup",
+ "description": "Disable public network access if inbound network access is secured using Private Link",
+ "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks#disable-public-network-access",
+ "service": "ACR",
 "services": [
- "Backup",
+ "PrivateLink",
 "WAF"
 ],
 "severity": "Medium",
- "text": "When using Azure Backup, consider the different backup types (GRS, ZRS & LRS) as the default setting is GRS",
- "waf": "Reliability"
+ "text": "Disable Public Network access",
+ "waf": "Security"
 },
 {
 "checklist": "WAF checklist",
- "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a",
- "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration",
- "service": "VM",
+ "description": "Only the ACR Premium SKU supports Private Link access",
+ "guid": "fc833934-8b26-42d6-ac5f-512925498f6d",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-skus",
+ "service": "ACR",
 "services": [
- "AzurePolicy",
- "VM",
+ "PrivateLink",
+ "ACR",
 "WAF"
 ],
 "severity": "Medium",
- "text": "Use Azure policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.",
+ "text": "Use an Azure Container Registry SKU that supports Private Link (Premium SKU)",
 "waf": "Security"
 },
 {
 "checklist": "WAF checklist",
- "description": "Azure Policy's guest configuration 
features can audit and remediate machine settings (e.g., OS, application, environment) to ensure resources align with expected configurations, and Update Management can enforce patch management for VMs.",
- "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift",
- "service": "VM",
+ "description": "Azure Defender for containers or equivalent service should be used to scan container images for vulnerabilities",
+ "guid": "bad37dac-43bc-46ce-8d7a-a9b24604489a",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction",
+ "service": "ACR",
 "services": [
- "AzurePolicy",
- "VM",
- "Monitor",
+ "Defender",
+ "ACR",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Monitor VM security configuration drift via Azure Policy.",
+ "severity": "Low",
+ "text": "Enable Defender for Containers to scan Azure Container Registry for vulnerabilities",
 "waf": "Security"
 },
 {
 "checklist": "WAF checklist",
- "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a",
- "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
- "service": "VM",
+ "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.",
+ "guid": "4451e1a2-d345-4293-a763-9637a551c5c0",
+ "service": "ACR",
 "services": [
- "ASR",
- "VM",
- "ACR",
 "WAF"
 ],
 "severity": "Medium",
- "text": "Use Azure Site Recovery for Azure-to-Azure Virtual Machines disaster recovery scenarios. 
This enables you to replicate workloads across regions.",
- "waf": "Operations"
+ "text": "Deploy validated container images",
+ "waf": "Security"
 },
 {
 "checklist": "WAF checklist",
- "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca",
- "link": "https://learn.microsoft.com/azure/backup/backup-center-overview",
- "service": "Backup",
+ "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.",
+ "guid": "4e401955-387e-45ce-b126-cd132af5b20c",
+ "service": "ACR",
 "services": [
- "Backup",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Use Azure-native backup capabilities, or an Azure-compatible, 3rd-party backup solution.",
- "waf": "Operations"
+ "severity": "High",
+ "text": "Use up-to-date platforms, languages, protocols and frameworks",
+ "waf": "Security"
 },
 {
- "ammp": true,
 "checklist": "WAF checklist",
- "guid": "826c5c45-bb79-4951-a812-e3bfbfd7326b",
- "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview",
- "service": "VM",
+ "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e",
+ "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx",
+ "service": "Azure Data Factory",
 "services": [
- "VM",
 "WAF"
 ],
- "severity": "High",
- "text": "Leverage Availability Zones for your VMs in regions where they are supported.",
+ "severity": "Medium",
+ "text": "Leverage FTA Resiliency Playbook for Azure Data Factory",
 "waf": "Reliability"
 },
 {
- "ammp": true,
 "checklist": "WAF checklist",
- "guid": "7ccb7c06-5511-42df-8177-d97f08d0337d",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
- "service": "VM",
+ "guid": "e503547c-d447-4e82-9138-a7200f1cac6d",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
+ "service": "Azure Data Factory",
 "services": [
- "VM",
 "WAF"
 ],
 "severity": "High",
- "text": "Avoid running a production workload on a single VM.",
+ 
"text": "Use zone redundant pipelines in regions that support Availability Zones",
 "waf": "Reliability"
 },
 {
 "checklist": "WAF checklist",
- "guid": "84101f59-1941-4195-a270-e28034290e3a",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
- "service": "VM",
+ "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511",
+ "link": "https://learn.microsoft.com/azure/data-factory/source-control",
+ "service": "Azure Data Factory",
 "services": [
- "AppGW",
- "LoadBalancer",
- "ACR",
+ "Backup",
 "WAF"
 ],
 "severity": "Medium",
- "text": "Azure Load Balancer and Application Gateway distribute incoming network traffic across multiple resources.",
+ "text": "Use DevOps to Backup the ARM templates with Github/Azure DevOps integration ",
 "waf": "Reliability"
 },
 {
- "ammp": true,
 "checklist": "WAF checklist",
- "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
- "service": "WAF",
+ "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
+ "service": "Azure Data Factory",
 "services": [
- "FrontDoor",
- "AppGW",
+ "VM",
 "WAF"
 ],
- "severity": "High",
- "text": "Add diagnostic settings to save WAF logs from application delivery services like Azure Front Door and Azure Application Gateway. 
Regularly review the logs to check for attacks and for false positive detections.",
- "waf": "Operations"
+ "severity": "Medium",
+ "text": "Make sure you replicate the Self-Hosted Integration Runtime VMs in another region ",
+ "waf": "Reliability"
 },
 {
 "checklist": "WAF checklist",
- "guid": "7f408960-c626-44cb-a018-347c8d790cdf",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
- "service": "WAF",
+ "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
+ "service": "Azure Data Factory",
 "services": [
- "FrontDoor",
- "Sentinel",
- "AppGW",
+ "VNet",
 "WAF"
 ],
 "severity": "Medium",
- "text": "Send WAF logs from your application delivery services like Azure Front Door and Azure Application Gateway to Microsoft Sentinel. Detect attacks and integrate WAF telemetry into your overall Azure environment.",
- "waf": "Operations"
+ "text": "Make sure you replicate or duplicate your network in the sister region. You have to make a copy of your Vnet in another region",
+ "waf": "Reliability"
 },
 {
- "ammp": true,
 "checklist": "WAF checklist",
- "guid": "5017f154-e3ab-4369-9829-e7e316183687",
- "link": "https://learn.microsoft.com/azure/key-vault/general/overview",
- "service": "Key Vault",
+ "description": "If your ADF Pipelines use Key Vault you don't have to do anything to replicate Key Vault. 
Key Vault is a managed service and Microsoft takes care of it for you",
+ "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
+ "service": "Azure Data Factory",
 "services": [
 "AKV",
 "WAF"
 ],
- "severity": "High",
- "text": "Use Azure Key Vault to store your secrets and credentials",
- "waf": "Security"
+ "severity": "Low",
+ "text": "If using Keyvault integration, use SLA of Keyvault to understand your availablity",
+ "waf": "Reliability"
 },
 {
 "checklist": "WAF checklist",
- "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)",
- "guid": "a0477a20-9945-4bda-9333-4f2491163418",
- "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling",
- "service": "Key Vault",
+ "description": "Using the correct approach to feed a datalake with cold data and having the Kusto query engine at your disposal at the same time, as in the short-term storage",
+ "guid": "ba7da7be-9951-4914-a384-5d997cb39132",
+ "link": "https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export",
+ "service": "Azure Data Explorer",
 "services": [
- "AKV",
+ "Storage",
+ "Cost",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Use different Azure Key Vaults for different applications and regions to avoid transaction scale limits and restrict access to secrets.",
- "waf": "Security"
+ "text": "Leverage External Tables and Continuous data export 
overview to reduce costs",
+ "waf": "Reliability"
 },
 {
 "checklist": "WAF checklist",
- "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
+ "description": "Azure Data Explorer provides an optional follower capability for a leader cluster to be followed by other follower clusters for read-only access to the leader's data and metadata. Changes in the leader, such as create, append, and drop are automatically synchronized to the follower. While the leaders could span Azure regions, the follower clusters should be hosted in the same region(s) as the leader. If the leader cluster is down or databases or tables are accidentally dropped, the follower clusters will lose access until access is recovered in the leader.",
+ "guid": "56a22586-f490-4641-addd-ea8a377cdeb3",
+ "link": "https://learn.microsoft.com/azure/data-explorer/follower?tabs=csharp",
+ "service": "Azure Data Explorer",
 "services": [
- "AzurePolicy",
- "AKV",
+ "Storage",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.",
- "waf": "Security"
+ "text": "To share data, explore Leader-follower cluster configuration",
+ "waf": "Reliability"
 },
 {
 "checklist": "WAF checklist",
- "guid": "dc055bcf-619e-48a1-9f98-879525d62688",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
+ "description": "Azure Data Explorer doesn't support automatic protection against the outage of an entire Azure region. This disruption can happen during a natural disaster, like an earthquake. If you require a solution for a disaster recovery situation, do the following steps to ensure business continuity. 
In these steps, you'll replicate your clusters, management, and data ingestion in two Azure paired regions.",
+ "guid": "861bb2bc-14ae-4a6e-95d8-d9a3adc218e6",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters",
+ "service": "Azure Data Explorer",
 "services": [
- "Entra",
- "AKV",
- "RBAC",
+ "ASR",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Microsoft Entra ID roles.",
- "waf": "Security"
+ "text": "To protect against regional failure, create Multiple independent clusters, preferably in two Azure Paired regions",
+ "waf": "Reliability"
 },
 {
 "checklist": "WAF checklist",
- "guid": "6d70ba6c-97be-4995-8904-83845c986cb2",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
+ "guid": "436b0635-cb45-4e57-a603-324ace8cc123",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities",
+ "service": "Azure Data Explorer",
 "services": [
+ "Storage",
+ "RBAC",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Automate the certificate management and renewal process with public certificate authorities to ease administration.",
- "waf": "Security"
+ "text": "Replicate all management activities such as creating new tables or managing user roles on each cluster.",
+ "waf": "Reliability"
 },
 {
 "checklist": "WAF checklist",
- "guid": "913156a1-2476-4e49-b541-acdce979377b",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
+ "guid": "18ca6017-0265-4f4b-a46a-393af7f31728",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution",
+ "service": "Azure Data Explorer",
 "services": [
 "WAF"
 ],
- "severity": "Medium",
- "text": "Establish an automated process for key and 
certificate rotation.",
- "waf": "Security"
+ "text": "Ingest data into each cluster in parallel",
+ "waf": "Reliability"
 },
 {
 "checklist": "WAF checklist",
- "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
+ "description": "This configuration is also called 'always-on'. For critical application deployments with no tolerance for outages, you should use multiple Azure Data Explorer clusters across Azure paired regions.",
+ "guid": "58a9c279-9c42-4bb6-9d0c-65556246b338",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration",
+ "service": "Azure Data Explorer",
 "services": [
- "PrivateLink",
- "AKV",
- "VNet",
+ "ACR",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Enable firewall and virtual network service endpoint or private endpoint on the vault to control access to the key vault.",
- "waf": "Security"
+ "text": "For critical application with no tolerance for outages, create Active-Active-Active (always-on) configuration",
+ "waf": "Reliability"
 },
 {
 "checklist": "WAF checklist",
- "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c",
- "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault",
- "service": "Key Vault",
+ "description": "This configuration is identical to the active-active-active configuration, but only involves two Azure paired regions. Configure dual ingestion, processing, and curation. Users are routed to the nearest region. 
The cluster SKU must be the same across regions.",
+ "guid": "563a4dc7-4a74-48b6-922a-d190916a6649",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration",
+ "service": "Azure Data Explorer",
 "services": [
- "Entra",
- "AKV",
- "Monitor",
+ "ACR",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault.",
- "waf": "Security"
+ "text": "For critical applications, create Active-Active configuration in two paired regions",
+ "waf": "Reliability"
 },
 {
 "checklist": "WAF checklist",
- "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
+ "description": "The Active-Hot configuration is similar to the Active-Active configuration in dual ingest, processing, and curation. While the standby cluster is online for ingestion, process, and curation, it isn't available to query. The standby cluster doesn't need to be in the same SKU as the primary cluster. It can be of a smaller SKU and scale, which may result in it being less performant. 
In a disaster scenario, users are redirected to the standby cluster, which can optionally be scaled up to increase performance.",
+ "guid": "8fadfe27-7de2-483b-8ac3-52baa9b75708",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-hot-standby-configuration",
+ "service": "Azure Data Explorer",
 "services": [
- "AzurePolicy",
- "AKV",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant configuration.",
- "waf": "Security"
+ "text": "For applications, which required only read during failure, create Active-Hot standby configuration",
+ "waf": "Reliability"
 },
 {
 "checklist": "WAF checklist",
- "guid": "91163418-2ba5-4275-8694-4008be7d7e48",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
+ "description": "This solution offers the least resiliency (highest RPO and RTO), is the lowest in cost and highest in effort. In this configuration, there's no data recovery cluster. Configure continuous export of curated data (unless raw and intermediate data is also required) to a storage account that is configured GRS (Geo Redundant Storage). A data recovery cluster is spun up if there is a disaster recovery scenario. At that time, DDLs, configuration, policies, and processes are applied. 
Data is ingested from storage with the ingestion property kustoCreationTime to over-ride the ingestion time that defaults to system time.",
+ "guid": "49aa8092-dc8e-4b9d-8bb7-3b26a5a67eba",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration",
+ "service": "Azure Data Explorer",
 "services": [
- "AKV",
- "WAF"
+ "Storage",
+ "Cost",
+ "WAF",
+ "ASR",
+ "AzurePolicy"
 ],
- "severity": "Medium",
- "text": "Use an Azure Key Vault per application per environment per region.",
- "waf": "Security"
+ "text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration",
+ "waf": "Reliability"
 },
 {
 "checklist": "WAF checklist",
- "guid": "25d62688-6d70-4ba6-a97b-e99519048384",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
+ "description": "All database objects, policies, and configurations should be persisted in source control so they can be released to the cluster from your release automation tool.",
+ "guid": "5a907e1e-348e-4f25-9c27-d32e8bbac757",
+ "link": "https://learn.microsoft.com/azure/data-explorer/devops",
+ "service": "Azure Data Explorer",
 "services": [
- "ASR",
- "AKV",
- "ACR",
+ "AzurePolicy",
 "WAF"
 ],
- "severity": "Medium",
- "text": "If you want to bring your own keys, this might not be supported across all considered services. Implement relevant mitigation so that inconsistencies don't hinder desired outcomes. 
Choose appropriate region pairs and disaster recovery regions that minimize latency.",
- "waf": "Security"
+ "text": "Wrap DevOps and source control around all your code",
+ "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/",
+ "waf": "Reliability"
 },
 {
 "checklist": "WAF checklist",
- "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb",
- "link": "https://learn.microsoft.com/industry/sovereignty/key-management",
- "service": "Key Vault",
+ "guid": "1559ab91-53e8-4908-ae28-b84c33b6b780",
+ "link": "https://learn.microsoft.com/azure/data-explorer/devops",
+ "service": "Azure Data Explorer",
 "services": [
- "AKV",
 "WAF"
 ],
- "severity": "Medium",
- "text": "For Sovereign Landing Zone, use Azure Key Vault managed HSM to store your secrets and credentials.",
- "waf": "Security"
+ "text": "Design, develop, and implement validation routines to ensure all clusters are in-sync from a data perspective.",
+ "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/",
+ "waf": "Reliability"
 },
 {
 "checklist": "WAF checklist",
- "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15",
- "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports",
- "service": "Entra",
+ "guid": "8b9fe5c4-1049-4d40-9a82-2c3474d00f18",
+ "link": "https://learn.microsoft.com/azure/data-explorer/devops",
+ "service": "Azure Data Explorer",
 "services": [
- "Entra",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Use Microsoft Entra ID reporting capabilities to generate access control audit reports.",
- "waf": "Security"
+ "text": "Be fully cognizant of what it takes to build a cluster from scratch. 
Leverage Infrastructure as a Code for your deployments",
+ "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/",
+ "waf": "Reliability"
 },
 {
- "ammp": true,
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "09945bda-4333-44f2-9911-634182ba5275",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management",
- "service": "Defender",
+ "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a",
+ "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc",
+ "service": "AKS",
 "services": [
- "Defender",
- "Subscriptions",
+ "AKS",
 "WAF"
 ],
- "severity": "High",
- "text": "Enable Defender Cloud Security Posture Management for all subscriptions.",
- "waf": "Security"
+ "severity": "Low",
+ "text": "If required for AKS Windows workloads HostProcess containers can be used",
+ "waf": "Reliability"
 },
 {
- "ammp": true,
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan",
- "service": "Defender",
+ "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926",
+ "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda",
+ "service": "AKS",
 "services": [
- "Defender",
- "Subscriptions",
 "WAF"
 ],
- "severity": "High",
- "text": "Enable a Defender Cloud Workload Protection Plan for Servers on all subscriptions.",
- "waf": "Security"
+ "severity": "Low",
+ "text": "Use KEDA if running event-driven workloads",
+ "waf": "Performance"
 },
 {
- "ammp": true,
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription",
- "service": "Defender",
+ "guid": 
"26886d20-b66c-457b-a591-19bf8e8f5c58",
+ "link": "https://dapr.io/",
+ "service": "AKS",
 "services": [
- "Defender",
- "Subscriptions",
 "WAF"
 ],
- "severity": "High",
- "text": "Enable Defender Cloud Workload Protection Plans for Azure Resources on all subscriptions.",
- "waf": "Security"
+ "severity": "Low",
+ "text": "Use Dapr to ease microservice development",
+ "waf": "Operations"
 },
 {
- "ammp": true,
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b",
- "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection",
- "service": "VM",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant",
+ "guid": "71d41e36-10cc-457b-9a4b-1410d4395898",
+ "link": "https://learn.microsoft.com/azure/aks/uptime-sla",
+ "service": "AKS",
 "services": [
+ "AKS",
 "WAF"
 ],
 "severity": "High",
- "text": "Enable Endpoint Protection on IaaS Servers.",
- "waf": "Security"
+ "text": "Use the SLA-backed AKS offering",
+ "waf": "Reliability"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab",
- "link": "https://learn.microsoft.com/azure/security-center/",
- "service": "VM",
+ "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
+ "service": "AKS",
 "services": [
- "Defender",
- "Monitor",
+ "Cost",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Monitor base operating system patching drift via Azure Monitor Logs and Defender for Cloud.",
- "waf": "Security"
+ "severity": "Low",
+ "text": "Use Disruption Budgets in your pod and deployment definitions",
+ "waf": "Reliability"
 },
 {
 "checklist": "WAF checklist",
- "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95",
- "link": 
"https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "Monitor",
+ "guid": "3c763963-7a55-42d5-a15e-401955387e5c",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication",
+ "service": "ACR",
 "services": [
- "Entra",
- "Monitor",
+ "ACR",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Connect default resource configurations to a centralized Azure Monitor Log Analytics workspace.",
- "waf": "Security"
+ "severity": "High",
+ "text": "If using a private registry, configure region replication to store images in multiple regions",
+ "waf": "Reliability"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba",
- "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs",
- "service": "Entra",
+ "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost",
+ "service": "AKS",
 "services": [
- "Entra",
+ "Cost",
 "WAF"
 ],
- "severity": "Medium",
- "text": "For Sovereign Landing Zone, transparancy logs is enabled on the Entra ID tenant.",
- "waf": "Security"
+ "severity": "Low",
+ "text": "Use an external application such as kubecost to allocate costs to different users",
+ "waf": "Cost"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc",
- "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview",
- "service": "Entra",
+ "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c",
+ "link": "https://learn.microsoft.com/azure/aks/scale-down-mode",
+ "service": "AKS",
 "services": [
- "Entra",
 "WAF"
 ],
- "severity": "Medium",
- "text": "For Sovereign Landing Zone, customer Lockbox is enabled on the Entra ID tenant.",
- "waf": "Security"
+ "severity": "Low",
+ "text": "Use 
scale down mode to delete/deallocate nodes",
+ "waf": "Cost"
 },
 {
- "ammp": true,
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "b03ed428-4617-4067-a787-85468b9ccf3f",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer",
- "service": "Storage",
+ "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc",
+ "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance",
+ "service": "AKS",
 "services": [
- "Storage",
+ "AKS",
 "WAF"
 ],
- "severity": "High",
- "text": "Secure transfer to storage accounts should be enabled",
- "waf": "Security"
+ "severity": "Medium",
+ "text": "When required use multi-instance partitioning GPU on AKS Clusters",
+ "waf": "Cost"
 },
 {
- "ammp": true,
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e",
- "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection",
- "service": "Storage",
+ "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8",
+ "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools",
+ "service": "AKS",
 "services": [
- "Storage",
 "WAF"
 ],
- "severity": "High",
- "text": "Enable container soft delete for the storage account to recover a deleted container and its contents.",
- "waf": "Security"
+ "severity": "Low",
+ "text": "If running a Dev/Test cluster use NodePool Start/Stop",
+ "waf": "Cost"
 },
 {
- "ammp": true,
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds",
- "service": "Key Vault",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and 
properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant",
+ "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1",
+ "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes",
+ "service": "AKS",
 "services": [
- "VM",
- "AKV",
+ "AKS",
+ "AzurePolicy",
 "WAF"
 ],
- "severity": "High",
- "text": "Use Key Vault secrets to avoid hard-coding sensitive information such as credentials (virtual machines user passwords), certificates or keys.",
- "waf": "Operations"
+ "severity": "Medium",
+ "text": "Use Azure Policy for Kubernetes to ensure cluster compliance",
+ "waf": "Security"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298",
- "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies",
- "service": "Spring Apps",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)",
+ "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4",
+ "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
+ "service": "AKS",
 "services": [
 "WAF"
 ],
 "severity": "Medium",
- "text": "Azure Spring Apps permits two deployments for every app, only one of which receives production traffic. You can achieve zero downtime with blue green deployment strategies. Blue green deployment is only available in Standard and Enterprise tiers. 
You could automate deployment using CI/CD with ADO/GitHub actions",
- "waf": "Reliability"
+ "text": "Separate applications from the control plane with user/system node pools",
+ "waf": "Security"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716",
- "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region",
- "service": "Spring Apps",
+ "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea",
+ "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
+ "service": "AKS",
 "services": [
- "FrontDoor",
- "TrafficManager",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Azure Spring Apps instances could be created in multiple regions for your applications and traffic could be routed by Traffic Manager/Front Door.",
- "waf": "Reliability"
+ "severity": "Low",
+ "text": "Add taint to your system nodepool to make it dedicated",
+ "waf": "Security"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef",
- "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps",
- "service": "Spring Apps",
+ "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf",
+ "link": "https://learn.microsoft.com/azure/container-registry/",
+ "service": "AKS",
 "services": [
 "ACR",
 "WAF"
 ],
 "severity": "Medium",
- "text": "In supported region, Azure Spring Apps can be deployed as zone redundant, which means that instances are automatically distributed across availability zones. 
This feature is only available in Standard and Enterprise tiers.", - "waf": "Reliability" + "text": "Use a private registry for your images, such as ACR", + "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", - "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", - "service": "Spring Apps", + "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", + "link": "https://learn.microsoft.com/azure/security-center/container-security", + "service": "ACR", "services": [ "WAF" ], "severity": "Medium", - "text": "Use more than 1 app instance for your apps", - "waf": "Reliability" + "text": "Scan your images for vulnerabilities", + "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "7504c230-6035-4183-95a5-85762acc6075", - "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", - "service": "Spring Apps", + "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", + "service": "AKS", "services": [ - "Monitor", "WAF" ], - "severity": "Medium", - "text": "Monitor Azure Spring Apps with logs, metrics and tracing. 
Integrate ASA with application insights and track failures and create workbooks.", - "waf": "Reliability" + "severity": "High", + "text": "Define app separation requirements (namespace/nodepool/cluster)", + "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", - "service": "Spring Apps", + "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", + "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", + "service": "AKS", "services": [ + "AKV", "WAF" ], "severity": "Medium", - "text": "Set up autoscaling in Spring Cloud Gateway", - "waf": "Reliability" + "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver", + "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "97411607-b6fd-4335-99d1-9885faf4e392", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", - "service": "Spring Apps", + "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", + "link": "https://learn.microsoft.com/azure/aks/update-credentials", + "service": "AKS", "services": [ "WAF" ], - "severity": "Low", - "text": "Enable autoscale for the apps with Standard consumption & dedicated plan.", - "waf": "Reliability" + "severity": "High", + "text": "If using Service Principals for the cluster, refresh credentials periodically (like quarterly)", + "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", - "link": "https://learn.microsoft.com/azure/spring-apps/overview", - "service": "Spring Apps", + "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", + "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", + "service": "AKS", "services": [ 
"WAF" ], "severity": "Medium", - "text": "Use Enterprise plan for commercial support of spring boot for mission critical apps. With other tiers you get OSS support.", - "waf": "Reliability" + "text": "If required add Key Management Service etcd encryption", + "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", - "service": "AVS", + "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", + "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", + "service": "AKS", "services": [ - "Entra", - "Subscriptions", + "AKS", "WAF" ], - "severity": "High", - "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure", + "severity": "Low", + "text": "If required consider using Confidential Compute for AKS", "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "75089c20-990d-4927-b105-885576f76fc2", - "service": "AVS", + "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", + "service": "AKS", "services": [ - "AVS", + "Defender", "WAF" ], "severity": "Medium", - "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure", + "text": "Consider using Defender for Containers", "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", - "service": "AVS", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", + "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", + "link": 
"https://learn.microsoft.com/azure/aks/use-managed-identity", + "service": "AKS", "services": [ + "Entra", "WAF" ], "severity": "High", - "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'", + "text": "Use managed identities instead of Service Principals", "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", - "service": "AVS", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", + "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", + "link": "https://learn.microsoft.com/azure/aks/managed-aad", + "service": "AKS", "services": [ + "Entra", "WAF" ], "severity": "Medium", - "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)", + "text": "Integrate authentication with AAD (using the managed integration)", "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", - "service": "AVS", + "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", + "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", + "service": "AKS", "services": [ "WAF" ], "severity": "Medium", - "text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)", + "text": "Limit access to admin kubeconfig (get-credentials --admin)", "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", - "service": "AVS", + "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", + "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", + "service": "AKS", "services": [ "Entra", + "RBAC", "WAF" ], - "severity": "High", - "text": "Ensure that NSX-Manager is integrated 
with an external Identity provider (LDAPS)", + "severity": "Medium", + "text": "Integrate authorization with AAD RBAC", "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", - "service": "AVS", + "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", + "service": "AKS", "services": [ "RBAC", - "AVS", + "AKS", + "WAF" + ], + "severity": "High", + "text": "Use namespaces for restricting RBAC privilege in Kubernetes", + "waf": "Security" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", + "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", + "service": "AKS", + "services": [ + "Entra", "WAF" ], "severity": "Medium", - "text": "Has an RBAC model been created for use within VMware vSphere", + "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)", "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", - "service": "AVS", + "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", + "service": "AKS", "services": [ - "RBAC", + "AKS", "WAF" ], "severity": "Medium", - "text": "RBAC permissions should be granted on ADDS groups and not on specific users", + "text": "For AKS non-interactive logins use kubelogin (preview)", "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", - "service": "AVS", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = 
(properties.disableLocalAccounts==true) | distinct id,compliant", + "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", + "service": "AKS", "services": [ - "RBAC", - "AVS", + "AKS", "WAF" ], - "severity": "High", - "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only", + "severity": "Medium", + "text": "Disable AKS local accounts", "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", - "service": "AVS", + "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", + "service": "AKS", "services": [ - "RBAC", "WAF" ], - "severity": "High", - "text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations", + "severity": "Low", + "text": "Configure if required Just-in-time cluster access", "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", - "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", - "service": "AVS", + "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", + "service": "AKS", "services": [ - "AVS", + "Entra", + "AKS", "WAF" ], - "severity": "High", - "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand", - "waf": "Performance" + "severity": "Low", + "text": "Configure if required AAD conditional access for AKS", + "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", - 
"service": "AVS", + "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", + "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", + "service": "AKS", "services": [ - "Monitor", - "ExpressRoute", - "NetworkWatcher", - "VPN", + "AKS", "WAF" ], - "severity": "High", - "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'", - "waf": "Operations" + "severity": "Low", + "text": "If required for Windows AKS workloads configure gMSA ", + "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", - "service": "AVS", + "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", + "service": "AKS", "services": [ - "Monitor", - "ExpressRoute", - "NetworkWatcher", - "AVS", - "VM", + "Entra", "WAF" ], "severity": "Medium", - "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection", - "waf": "Operations" + "text": "For finer control consider using a managed Kubelet Identity", + "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", - "service": "AVS", + "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", + "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", + "service": "AKS", "services": [ - "Monitor", - "NetworkWatcher", - "AVS", - "VM", - "WAF" + "ACR", + "WAF", + "AppGW" ], "severity": "Medium", - "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity", - "waf": "Operations" + "text": "If using AGIC, do 
not share an AppGW across clusters", + "waf": "Reliability" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", - "service": "AVS", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", + "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", + "link": "https://learn.microsoft.com/azure/aks/http-application-routing", + "service": "AKS", "services": [ - "ARS", + "AKS", "WAF" ], "severity": "High", - "text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).", - "waf": "Operations" + "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.", + "waf": "Reliability" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", - "service": "AVS", + "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", + "service": "AKS", "services": [ - "Entra", - "AVS", - "RBAC", "WAF" ], - "severity": "High", - "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)", - "waf": "Security" + "severity": "Medium", + "text": "For Windows workloads use Accelerated Networking", + "waf": "Performance" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", - "service": "AVS", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = 
(tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", + "guid": "ba7da7be-9952-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "services": [ - "Entra", - "AVS", - "RBAC", + "LoadBalancer", "WAF" ], "severity": "High", - "text": "Privileged Identity Management audit reporting should be implemented for the Azure VMware Solution PIM roles", - "waf": "Security" + "text": "Use the standard ALB (as opposed to the basic one)", + "waf": "Reliability" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", - "service": "AVS", + "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", + "service": "AKS", "services": [ - "Entra", - "AVS", + "VNet", "WAF" ], "severity": "Medium", - "text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic Host replacement notifications. 
(standing permissions required)", + "text": "If using Azure CNI, consider using different Subnets for NodePools", "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", - "service": "AVS", + "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", + "service": "AKS", "services": [ + "VNet", + "PrivateLink", "WAF" ], - "severity": "High", - "text": "Limit use of CloudAdmin account to emergency access only", + "severity": "Medium", + "text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster", "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", - "service": "AVS", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", + "guid": "a0f61565-9de5-458f-a372-49c831112dbd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "services": [ - "RBAC", "WAF" ], - "severity": "Medium", - "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter", - "waf": "Security" + "severity": "High", + "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)", + "waf": "Reliability" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", - "service": "AVS", + "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "services": [ + "VNet", "WAF" ], - "severity": "Medium", - "text": "Is a process defined to regularly rotate cloudadmin 
(vCenter) and admin (NSX) credentials", - "waf": "Security" + "severity": "High", + "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node", + "waf": "Performance" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", - "service": "AVS", + "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "services": [ - "Entra", - "AVS", - "VM", "WAF" ], "severity": "High", - "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution", - "waf": "Security" + "text": "If using Azure CNI, check the maximum pods/node (default 30)", + "waf": "Performance" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", - "service": "AVS", + "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. 
Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .", + "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", + "link": "https://learn.microsoft.com/azure/aks/internal-lb", + "service": "AKS", "services": [ + "VNet", + "AKS", "WAF" ], - "severity": "Medium", - "text": "Is East-West traffic filtering implemented within NSX-T", + "severity": "Low", + "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)", "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", - "service": "AVS", + "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "services": [ - "Firewall", - "AVS", - "AppGW", "WAF" ], "severity": "High", - "text": "Workloads on Azure VMware Solution are not directly exposed to the internet. 
Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions", - "waf": "Security" + "text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)", + "waf": "Reliability" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", - "service": "AVS", + "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", + "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", + "service": "AKS", "services": [ - "AVS", "WAF" ], - "severity": "High", - "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads", + "severity": "Low", + "text": "If required add your own CNI plugin", "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", - "service": "AVS", + "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", + "service": "AKS", "services": [ - "AVS", - "Monitor", + "AKS", "WAF" ], - "severity": "Medium", - "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity", - "waf": "Security" + "severity": "Low", + "text": "If required configure Public IP per node in AKS", + "waf": "Performance" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "334fdf91-c234-4182-a652-75269440b4be", - "service": "AVS", + "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", + "link": "https://learn.microsoft.com/azure/aks/concepts-network", + "service": "AKS", "services": [ - "VNet", - "ExpressRoute", - "VPN", - "DDoS", "WAF" ], "severity": "Medium", - 
"text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure", - "waf": "Security" + "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services", + "waf": "Reliability" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", - "service": "AVS", + "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", + "link": "https://learn.microsoft.com/azure/aks/nat-gateway", + "service": "AKS", "services": [ - "AVS", "WAF" ], - "severity": "Medium", - "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager", - "waf": "Security" + "severity": "Low", + "text": "Use Azure NAT Gateway as outboundType for scaling egress traffic", + "waf": "Reliability" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", - "service": "AVS", + "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", + "service": "AKS", "services": [ - "Defender", - "AVS", "WAF" ], "severity": "Medium", - "text": "Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution", - "waf": "Security" + "text": "Use Dynamic allocations of IPs in order to avoid Azure CNI IP exhaustion", + "waf": "Reliability" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", - "service": "AVS", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", + "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", + "link": 
"https://learn.microsoft.com/azure/aks/limit-egress-traffic", + "service": "AKS", "services": [ - "Arc", - "AVS", + "NVA", "WAF" ], - "severity": "Medium", - "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)", + "severity": "High", + "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it", "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", - "service": "AVS", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", + "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", + "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", + "service": "AKS", "services": [ - "AVS", - "SQL", "WAF" ], - "severity": "Low", - "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). 
(vSAN encryption at rest is default)", + "severity": "Medium", + "text": "If using a public API endpoint, restrict the IP addresses that can access it", "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "a3592718-e6e2-4051-9267-6ae46691e883", - "service": "AVS", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", + "link": "https://learn.microsoft.com/azure/aks/private-clusters", + "service": "AKS", "services": [ - "AKV", "WAF" ], - "severity": "Low", - "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible", + "severity": "High", + "text": "Use private clusters if your requirements mandate it", "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "5ac94222-3e13-4810-9230-81a941741583", - "service": "AVS", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "services": [ - "AVS", + "AKS", + "AzurePolicy", "WAF" ], "severity": "Medium", - "text": "Consider using extended security update support for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)", + "text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ", "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": 
"3ef7ad7c-6d37-4331-95c7-acbe44bbe609", - "service": "AVS", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", + "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "services": [ + "AKS", + "AzurePolicy", "WAF" ], "severity": "High", - "text": "Ensure that the appropriate vSAN Data redundancy method is used (RAID specification)", - "waf": "Reliability" + "text": "Enable a Kubernetes Network Policy option (Calico/Azure)", + "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "d88408f3-7273-44c8-96ba-280214590146", - "service": "AVS", + "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "services": [ + "AKS", "AzurePolicy", - "Storage", "WAF" ], "severity": "High", - "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs", - "waf": "Reliability" + "text": "Use Kubernetes network policies to increase intra-cluster security", + "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", - "service": "AVS", + "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "services": [ - "ASR", "WAF" ], "severity": "High", - "text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement", - "waf": "Reliability" + "text": "Use a WAF for web workloads (UIs or APIs)", + "waf": "Security" }, { + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": 
"5d38e53f-9ccb-4d86-a266-acca274faa19",
- "service": "AVS",
+ "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
+ "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94",
+ "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview",
+ "service": "AKS",
 "services": [
+ "DDoS",
+ "VNet",
+ "AKS",
 "WAF"
 ],
 "severity": "Medium",
- "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.",
- "waf": "Operations"
+ "text": "Use DDoS Standard in the AKS Virtual Network",
+ "waf": "Security"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52",
- "service": "AVS",
+ "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
+ "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266",
+ "link": "https://learn.microsoft.com/azure/aks/http-proxy",
+ "service": "AKS",
 "services": [
- "AzurePolicy",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes",
- "waf": "Operations"
+ "severity": "Low",
+ "text": "If required add company HTTP Proxy",
+ "waf": "Security"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef",
- "service": "AVS",
+ "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b",
+ "link": "https://learn.microsoft.com/azure/aks/servicemesh-about",
+ "service": "AKS",
 "services": [
- "Cost",
- "AVS",
 "WAF"
 ],
 "severity": "Medium",
- "text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used",
- "waf": "Cost"
+ "text": "Consider using a service mesh for advanced microservice communication management",
+ "waf": "Security"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "6e043e2a-a359-4271-ae6e-205172676ae4",
- "service": "AVS",
+ "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
+ "service": "AKS",
 "services": [
- "Cost",
- "AVS",
+ "Monitor",
 "WAF"
 ],
- "severity": "Low",
- "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution",
- "waf": "Cost"
+ "severity": "High",
+ "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)",
+ "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "6691e883-5ac9-4422-83e1-3810523081a9",
- "service": "AVS",
+ "guid": "337453a3-cc63-4963-9a65-22ac19e80696",
+ "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started",
+ "service": "AKS",
 "services": [
+ "Entra",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Consider the use of Azure Private-Link when using other Azure Native Services",
- "waf": "Security"
+ "severity": "Low",
+ "text": "Check regularly Azure Advisor for recommendations on your cluster",
+ "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "db611712-6904-40b4-aa3d-3e0803276d4b",
- "service": "AVS",
+ "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced",
+ "link": "https://learn.microsoft.com/azure/aks/certificate-rotation",
+ "service": "AKS",
 "services": [
+ "AKS",
 "WAF"
 ],
- "severity": "High",
- "text": "Ensure all required resource reside within the same Azure availability zone(s)",
- "waf": "Performance"
+ "severity": "Low",
+ "text": "Enable AKS auto-certificate rotation",
+ "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da",
- "service": "AVS",
+ "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370",
+ "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions",
+ "service": "AKS",
 "services": [
- "Defender",
- "AVS",
- "VM",
+ "AKS",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads",
- "waf": "Security"
+ "severity": "High",
+ "text": "Have a regular process to upgrade your kubernetes version periodically (quarterly, for example), or use the AKS autoupgrade feature",
+ "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe",
- "service": "AVS",
+ "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82",
+ "link": "https://learn.microsoft.com/azure/aks/node-updates-kured",
+ "service": "AKS",
 "services": [
- "Arc",
- "AVS",
- "VM",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads",
- "waf": "Security"
+ "severity": "High",
+ "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade",
+ "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a",
- "service": "AVS",
+ "guid": "139c9580-ade3-426a-ba09-cf157d9f6477",
+ "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade",
+ "service": "AKS",
 "services": [
- "AVS",
 "WAF"
 ],
 "severity": "High",
- "text": "Enable Diagnostic and metric logging on Azure VMware Solution",
+ "text": "Have a regular process to upgrade the cluster node images periodically (weekly, for example)",
 "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46",
- "service": "AVS",
+ "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments",
+ "service": "AKS",
 "services": [
- "AVS",
- "VM",
- "Monitor",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads",
+ "severity": "Low",
+ "text": "Consider gitops to deploy applications or cluster configuration to multiple clusters",
 "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "589d457a-927c-4397-9d11-02cad6aae11e",
- "service": "AVS",
+ "guid": "d7672c26-7602-4482-85a4-14527fbe855c",
+ "link": "https://learn.microsoft.com/azure/aks/command-invoke",
+ "service": "AKS",
 "services": [
- "Backup",
- "AzurePolicy",
- "AVS",
- "VM",
+ "AKS",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads",
+ "severity": "Low",
+ "text": "Consider using AKS command invoke on private clusters",
 "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "ee29711b-d352-4caa-ab79-b198dab81932",
- "service": "AVS",
+ "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b",
+ "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain",
+ "service": "AKS",
 "services": [
- "Defender",
- "AVS",
- "Monitor",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution",
- "waf": "Security"
+ "severity": "Low",
+ "text": "For planned events consider using Node Auto Drain",
+ "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547",
- "service": "AVS",
+ "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c",
+ "link": "https://learn.microsoft.com/azure/aks/faq",
+ "service": "AKS",
 "services": [
- "Defender",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud",
- "waf": "Security"
+ "severity": "High",
+ "text": "Develop own governance practices to make sure no changes are performed by operators in the node RG (aka 'infra RG')",
+ "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e",
- "service": "AVS",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant",
+ "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812",
+ "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
+ "service": "AKS",
 "services": [
- "AVS",
 "WAF"
 ],
- "severity": "High",
- "text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution deployment",
- "waf": "Security"
+ "severity": "Low",
+ "text": "Use custom Node RG (aka 'Infra RG') name",
+ "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a",
- "service": "AVS",
+ "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32",
+ "link": "https://kubernetes.io/docs/setup/release/notes/",
+ "service": "AKS",
 "services": [
+ "AKS",
 "WAF"
 ],
- "severity": "High",
- "text": "Are data processing implications (service provider / service consumer model) clear and documented",
- "waf": "Security"
+ "severity": "Medium",
+ "text": "Do not use deprecated Kubernetes APIs in your YAML manifests",
+ "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "547c1747-dc56-4068-a714-435cd19dd244",
- "service": "AVS",
+ "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed",
+ "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters",
+ "service": "AKS",
 "services": [
 "WAF"
 ],
- "severity": "Medium",
- "text": "Consider using CMK (Customer Managed Key) for vSAN only if needed for compliance reason(s).",
- "waf": "Security"
+ "severity": "Low",
+ "text": "Taint Windows nodes",
+ "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2",
- "service": "AVS",
+ "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e",
+ "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2",
+ "service": "AKS",
 "services": [
- "AVS",
- "Monitor",
 "WAF"
 ],
- "severity": "High",
- "text": "Create dashboards to enable core Azure VMware Solution monitoring insights",
+ "severity": "Low",
+ "text": "Keep windows containers patch level in sync with host patch level",
 "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2",
- "service": "AVS",
+ "description": "Via Diagnostic Settings at the cluster level",
+ "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5",
+ "link": "https://learn.microsoft.com/azure/aks/monitor-aks",
+ "service": "AKS",
 "services": [
- "AVS",
 "Monitor",
 "WAF"
 ],
- "severity": "High",
- "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)",
+ "severity": "Low",
+ "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution",
 "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "9659e396-80e7-4828-ac93-5657d02bff45",
- "service": "AVS",
+ "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21",
+ "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot",
+ "service": "AKS",
 "services": [
- "AVS",
- "Monitor",
 "WAF"
 ],
- "severity": "High",
- "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware",
- "waf": "Operations"
+ "severity": "Low",
+ "text": "If required use nodePool snapshots",
+ "waf": "Cost"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "64b0d934-a348-4726-be79-d6b5c3a36495",
- "service": "AVS",
+ "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0",
+ "link": "https://learn.microsoft.com/azure/aks/spot-node-pool",
+ "service": "AKS",
 "services": [
- "Monitor",
 "WAF"
 ],
- "severity": "High",
- "text": "Ensure alerts are configured for Azure Service Health alerts and notifications",
+ "severity": "Low",
+ "text": "Consider spot node pools for non time-sensitive workloads",
 "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "b6abad38-aad5-43cc-99e1-d86667357c54",
- "service": "AVS",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant",
+ "guid": "c755562f-2b4e-4456-9b4d-874a748b662e",
+ "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
+ "service": "AKS",
 "services": [
- "AVS",
- "Storage",
+ "AKS",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing",
+ "severity": "Low",
+ "text": "Consider AKS virtual node for quick bursting",
 "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775",
- "service": "AVS",
+ "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
+ "service": "AKS",
 "services": [
- "AVS",
+ "Monitor",
 "WAF"
 ],
- "severity": "Low",
- "text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?",
+ "severity": "High",
+ "text": "Monitor your cluster metrics with Container Insights (or other tools like Prometheus)",
 "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682",
- "service": "AVS",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant",
+ "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
+ "service": "AKS",
 "services": [
- "AzurePolicy",
- "VM",
- "Storage",
 "WAF"
 ],
 "severity": "High",
- "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning",
+ "text": "Store and analyze your cluster logs with Container Insights (or other tools like Telegraf/ElasticSearch)",
 "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51",
- "service": "AVS",
+ "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze",
+ "service": "AKS",
 "services": [
+ "Monitor",
 "WAF"
 ],
 "severity": "Medium",
- "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource",
+ "text": "Monitor CPU and memory utilization of the nodes",
 "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e",
- "service": "AVS",
+ "guid": "1a4835ac-9422-423e-ae80-b123081a5417",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
+ "service": "AKS",
 "services": [
- "Backup",
- "Storage",
+ "Monitor",
 "WAF"
 ],
 "severity": "Medium",
- "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. Either in Azure native or on a disk pool-backed datastore",
+ "text": "If using Azure CNI, monitor % of pod IPs consumed per node",
 "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "2aee3453-aec8-4339-848b-262d6cc5f512",
- "service": "AVS",
+ "description": "I/O in the OS disk is a critical resource. If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady",
+ "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance",
+ "service": "AKS",
 "services": [
- "Arc",
- "AVS",
- "WAF"
+ "Storage",
+ "EventHubs",
+ "ServiceBus",
+ "WAF",
+ "Monitor"
 ],
 "severity": "Medium",
- "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)",
+ "text": "Monitor OS disk queue depth in nodes",
 "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b",
- "service": "AVS",
+ "guid": "be209d39-fda4-4777-a424-d116785c2fa5",
+ "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
+ "service": "AKS",
 "services": [
- "AVS",
 "Monitor",
+ "NVA",
+ "LoadBalancer",
 "WAF"
 ],
 "severity": "Medium",
- "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor",
+ "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports",
 "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09",
- "service": "AVS",
+ "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9",
+ "link": "https://learn.microsoft.com/azure/aks/aks-resource-health",
+ "service": "AKS",
 "services": [
- "AVS",
+ "AKS",
 "WAF"
 ],
 "severity": "Medium",
- "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management",
+ "text": "Subscribe to resource health notifications for your AKS cluster",
 "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa",
- "service": "AVS",
+ "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
+ "service": "AKS",
 "services": [
- "AzurePolicy",
- "AVS",
- "Monitor",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions",
+ "severity": "High",
+ "text": "Configure requests and limits in your pod specs",
 "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129",
- "service": "AVS",
+ "guid": "769ef669-1a48-435a-a942-223ece80b123",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
+ "service": "AKS",
 "services": [
- "Defender",
- "AVS",
 "WAF"
 ],
 "severity": "Medium",
- "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud",
- "waf": "Security"
+ "text": "Enforce resource quotas for namespaces",
+ "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2",
- "service": "AVS",
+ "guid": "081a5417-4158-433e-a3ad-3c2de733165c",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "service": "AKS",
 "services": [
- "Backup",
+ "Subscriptions",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource",
- "waf": "Reliability"
+ "severity": "High",
+ "text": "Ensure your subscription has enough quota to scale out your nodepools",
+ "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71",
- "service": "AVS",
+ "guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65",
+ "link": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/",
+ "service": "AKS",
 "services": [
 "WAF"
 ],
- "severity": "Medium",
- "text": "Have all DR solutions been considered and a solution that is best for your business been decided upon? [SRM/JetStream/Zerto/Veeam/...]",
- "waf": "Reliability"
+ "severity": "High",
+ "text": "Configure Liveness and Readiness probes for all deployments",
+ "waf": "Operations"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818",
- "service": "AVS",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant",
+ "guid": "90ce65de-8e13-4f9c-abd4-69266abca264",
+ "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
+ "service": "AKS",
 "services": [
- "ASR",
 "WAF"
 ],
 "severity": "Medium",
- "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS",
- "waf": "Reliability"
+ "text": "Use the Cluster Autoscaler",
+ "waf": "Performance"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db",
- "service": "AVS",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant",
+ "guid": "831c2872-c693-4b39-a887-a561bada49bc",
+ "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration",
+ "service": "AKS",
 "services": [
+ "AKS",
 "WAF"
 ],
- "severity": "High",
- "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible",
- "waf": "Reliability"
+ "severity": "Low",
+ "text": "Customize node configuration for AKS node pools",
+ "waf": "Performance"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "8255461e-2aee-4345-9aec-8339248b262d",
- "service": "AVS",
+ "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121",
+ "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
+ "service": "AKS",
 "services": [
- "ASR",
 "WAF"
 ],
 "severity": "Medium",
- "text": "Use the geopolitical region pair as the secondary disaster recovery environment",
- "waf": "Reliability"
+ "text": "Use the Horizontal Pod Autoscaler when required",
+ "waf": "Performance"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c",
- "service": "AVS",
+ "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they will increase the blast radius and decrease the scaling granularity",
+ "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3",
+ "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/",
+ "service": "AKS",
 "services": [
 "WAF"
 ],
 "severity": "High",
- "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions",
- "waf": "Reliability"
+ "text": "Consider an appropriate node size, not too large or too small",
+ "waf": "Performance"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a",
- "service": "AVS",
+ "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d",
+ "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits",
+ "service": "AKS",
 "services": [
- "ExpressRoute",
- "AVS",
- "NVA",
+ "AKS",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?",
- "waf": "Reliability"
+ "severity": "Low",
+ "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster",
+ "waf": "Performance"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711",
- "service": "AVS",
+ "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb",
+ "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks",
+ "service": "AKS",
 "services": [
- "Backup",
+ "AKS",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Have all Backup solutions been considered and a solution that is best for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/�. ]",
- "waf": "Reliability"
+ "severity": "Low",
+ "text": "Consider subscribing to EventGrid Events for AKS automation",
+ "waf": "Performance"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1",
- "service": "AVS",
+ "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d",
+ "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations",
+ "service": "AKS",
 "services": [
- "Backup",
- "AVS",
+ "AKS",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud",
- "waf": "Reliability"
+ "severity": "Low",
+ "text": "For long running operation on an AKS cluster consider event termination",
+ "waf": "Performance"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8",
- "service": "AVS",
+ "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021",
+ "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts",
+ "service": "AKS",
 "services": [
- "Backup",
+ "AKS",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Deploy your backup solution outside of vSan, on Azure native components",
- "waf": "Reliability"
+ "severity": "Low",
+ "text": "If required consider using Azure Dedicated Hosts for AKS nodes",
+ "waf": "Performance"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e",
- "service": "AVS",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant",
+ "guid": "24367b33-6971-45b1-952b-eee0b9b588de",
+ "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
+ "service": "AKS",
 "services": [
- "AVS",
 "WAF"
 ],
- "severity": "Low",
- "text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?",
- "waf": "Reliability"
+ "severity": "High",
+ "text": "Use ephemeral OS disks",
+ "waf": "Performance"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1",
- "service": "AVS",
+ "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types",
+ "service": "AKS",
 "services": [
+ "AKS",
 "WAF"
 ],
- "severity": "Low",
- "text": "For manual deployments, all configuration and deployments must be documented",
- "waf": "Operations"
+ "severity": "High",
+ "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and will generate huge logs with default AKS log rotation thresholds",
+ "waf": "Performance"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa",
- "service": "AVS",
+ "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db",
+ "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks",
+ "service": "AKS",
 "services": [
- "AVS",
+ "Storage",
+ "AKS",
 "WAF"
 ],
 "severity": "Low",
- "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud",
- "waf": "Operations"
+ "text": "For hyper performance storage option use Ultra Disks on AKS",
+ "waf": "Performance"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5",
- "service": "AVS",
+ "guid": "9f7547c1-747d-4c56-868a-714435bd19dd",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region",
+ "service": "AKS",
 "services": [
- "WAF"
+ "Storage",
+ "WAF",
+ "SQL"
 ],
- "severity": "Low",
- "text": "For automated deployments, deploy a minimal private cloud and scale as needed",
- "waf": "Operations"
+ "severity": "Medium",
+ "text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, etc)",
+ "waf": "Performance"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f",
- "service": "AVS",
+ "guid": "24429eb7-2281-4376-85cc-57b4a4b18142",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage",
+ "service": "AKS",
 "services": [
+ "Storage",
 "WAF"
 ],
- "severity": "Low",
- "text": "For automated deployments, request or reserve quota prior to starting the deployment",
- "waf": "Operations"
+ "severity": "Medium",
+ "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance reasons",
+ "waf": "Performance"
 },
 {
+ "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "WAF checklist",
- "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b",
- "service": "AVS",
+ "guid": "83958a8c-2689-4b32-ab57-cfc64546135a",
+ "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support",
+ "service": "AKS",
 "services": [
- "AzurePolicy",
+ "Storage",
 "WAF"
 ],
- "severity": "Low",
- "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance",
- "waf": "Operations"
+ "severity": "Medium",
+ "text": "If using Azure Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right zone or use ZRS disk for nodepools spanning multiple zones",
+ "waf": "Performance"
 },
 {
 "checklist": "WAF checklist",
- "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558",
- "service": "AVS",
+ "guid": "70c15989-c726-42c7-b0d3-24b7375b9201",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations",
+ "service": "Entra",
 "services": [
- "AKV",
+ "Entra",
 "WAF"
 ],
- "severity": "Low",
- "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use",
+ "severity": "Medium",
+ "text": "Use one Entra tenant for managing your Azure resources, unless you have a clear regulatory or business requirement for multi-tenants.",
 "waf": "Operations"
 },
 {
 "checklist": "WAF checklist",
- "guid": "255461e2-aee3-4553-afc8-339248b262d6",
- "service": "AVS",
- "services": [
- "ExpressRoute",
- "AVS",
- "AKV",
+ "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation",
+ "service": "Entra",
+ "services": [
+ "Entra",
 "WAF"
 ],
 "severity": "Low",
- "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute",
+ "text": "Ensure you have a Multi-Tenant Automation approach to managing your Microsoft Entra ID Tenants",
 "waf": "Operations"
 },
 {
 "checklist": "WAF checklist",
- "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd",
- "service": "AVS",
+ "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse",
+ "service": "Entra",
 "services": [
- "AVS",
 "WAF"
 ],
 "severity": "Low",
- "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.",
+ "text": "Leverage Azure Lighthouse for Multi-Tenant Management",
 "waf": "Operations"
 },
 {
 "checklist": "WAF checklist",
- "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3",
- "service": "AVS",
+ "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
+ "service": "Entra",
 "services": [
 "WAF"
 ],
- "severity": "Low",
- "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs",
- "waf": "Operations"
+ "severity": "Medium",
+ "text": "Ensure that Azure Lighthouse is used for administering the tenant by partner",
+ "waf": "Cost"
 },
 {
+ "ammp": true,
 "checklist": "WAF checklist",
- "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b",
- "service": "AVS",
+ "guid": "348ef254-c27d-442e-abba-c7571559ab91",
+ "link": "https://learn.microsoft.com/azure/role-based-access-control/overview",
+ "service": "Entra",
 "services": [
- "AVS",
+ "ACR",
+ "RBAC",
 "Subscriptions",
 "WAF"
 ],
- "severity": "Medium",
- "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution",
- "waf": "Performance"
+ "severity": "High",
+ "text": "Enforce a RBAC model that aligns to your cloud operating model. Scope and Assign across Management Groups and Subscriptions.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "waf": "Security"
 },
 {
+ "ammp": true,
 "checklist": "WAF checklist",
- "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b",
- "service": "AVS",
+ "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5",
+ "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts",
+ "service": "Entra",
 "services": [
- "AzurePolicy",
- "Storage",
 "WAF"
 ],
- "severity": "Medium",
- "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action",
- "waf": "Performance"
+ "severity": "High",
+ "text": "Only use the authentication type Work or school account for all account types. Avoid using the Microsoft account",
+ "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
+ "waf": "Security"
 },
 {
 "checklist": "WAF checklist",
- "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82",
- "service": "AVS",
+ "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4",
+ "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal",
+ "service": "Entra",
 "services": [
+ "Entra",
 "WAF"
 ],
 "severity": "Medium",
- "text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)",
- "waf": "Performance"
+ "text": "Only use groups to assign permissions. Add on-premises groups to the Entra ID only group if a group management system is already in place.",
+ "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
+ "waf": "Security"
 },
 {
 "checklist": "WAF checklist",
- "guid": "bf15bce2-19e4-4a0e-a588-79424d226786",
- "service": "AVS",
+ "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4",
+ "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview",
+ "service": "Entra",
 "services": [
+ "Entra",
+ "AzurePolicy",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)",
- "waf": "Performance"
+ "severity": "Low",
+ "text": "Enforce Microsoft Entra ID conditional-access policies for any user with rights to Azure environments",
+ "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
+ "waf": "Security"
 },
 {
+ "ammp": true,
 "checklist": "WAF checklist",
- "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29",
- "service": "AVS",
+ "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01",
+ "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks",
+ "service": "Entra",
 "services": [
 "WAF"
 ],
- "severity": "Medium",
- "text": "Define and enforce scale in/out maximum limits for your environment in the automations",
- "waf": "Performance"
+ "severity": "High",
+ "text": "Enforce multi-factor authentication for any user with rights to the Azure environments",
+ "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
+ "waf": "Security"
 },
 {
 "checklist": "WAF checklist",
- "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc",
- "service": "AVS",
+ "guid": "14658d35-58fd-4772-99b8-21112df27ee4",
+ "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
+ "service": "Entra",
 "services": [
- "Monitor",
+ "Entra",
 "WAF"
 ],
 "severity": "Medium",
- "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses",
- "waf": "Operations"
+ "text": "Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege",
+ "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
+ "waf": "Security"
 },
 {
 "checklist": "WAF checklist",
- "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
- "service": "AVS",
+ "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018",
+ "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
+ "service": "Entra",
 "services": [
- "VM",
+ "Entra",
 "WAF"
 ],
- "severity": "High",
- "text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])",
- "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "If planning to switch from Active Directory Domain Serivces to Entra domain services, evaluate the compatibility of all workloads",
+ "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/",
+ "waf": "Security"
 },
 {
 "checklist": "WAF checklist",
- "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
- "service": "AVS",
+ "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1",
+ "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor",
+ "service": "Entra",
 "services": [
+ "Entra",
+ "Monitor",
 "WAF"
 ],
- "severity": "High",
- "text": "When using MON, you cannot enable MON on more than 100 
Network extensions", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "Reliability" + "severity": "Medium", + "text": "Integrate Microsoft Entra ID logs with the platform-central Azure Monitor. Azure Monitor allows for a single source of truth around log and monitoring data in Azure, giving organizations a cloud native options to meet requirements around log collection and retention.", + "waf": "Security" }, { + "ammp": true, "checklist": "WAF checklist", - "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", - "service": "AVS", + "guid": "984a859c-773e-47d2-9162-3a765a917e1f", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + "service": "Entra", "services": [ - "VPN", "WAF" ], - "severity": "Medium", - "text": "If using a VPN connection for migrations, adjust your MTU size accordingly.", - "waf": "Performance" + "severity": "High", + "text": "Implement an emergency access or break-glass accounts to prevent tenant-wide account lockout", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "e614658d-d457-4e92-9139-b821102cad6e", - "service": "AVS", + "guid": "35037e68-9349-4c15-b371-228514f4cdff", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "Entra", "services": [ + "Entra", + "RBAC", "WAF" ], "severity": "Medium", - "text": "For low connectivity regions connecting into Azure (500Mbps or less), considering deploying the HCX WAN optimization appliance", - "waf": "Performance" + "text": "Avoid using on-premises synced accounts for Microsoft Entra ID role assignments.", + "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", - "service": "AVS", + "guid": 
"d5d1e4e6-1465-48d3-958f-d77249b82111", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Entra", "services": [ + "Entra", "WAF" ], "severity": "Medium", - "text": "Ensure that migrations are started from the on-premises appliance and NOT from the Cloud appliance (do NOT perform a reverse migration)", - "waf": "Reliability" + "text": "Where required, use Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications (hosted in the cloud or on-premises).", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "AVS", + "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", + "service": "VNet", "services": [ - "AVS", - "VM", - "Storage", + "VNet", "WAF" ], "severity": "Medium", - "text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.", - "waf": "Reliability" + "text": "Leverage a network design based on the traditional hub-and-spoke network topology for network scenarios that require maximum flexibility.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Security" }, { + "ammp": true, "checklist": "WAF checklist", - "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "AVS", + "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", + "link": 
"https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/expressroute", + "service": "VNet", "services": [ + "VNet", + "Entra", + "DNS", "ExpressRoute", - "Storage", - "WAF" + "WAF", + "Firewall", + "VPN", + "NVA" ], - "severity": "Medium", - "text": "Ensure that a dedicated ExpressRoute Gateway is being used for external data storage solutions", - "waf": "Reliability" + "severity": "High", + "text": "Ensure that shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. If necessary, also deploy DNS servers.", + "waf": "Cost" }, { "checklist": "WAF checklist", - "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "AVS", + "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "VNet", "services": [ - "ExpressRoute", - "Storage", + "DDoS", "WAF" ], "severity": "Medium", - "text": "Ensure that FastPath is enabled on the ExpressRoute Gateway that is being used for external data storage solutions", - "waf": "Reliability" + "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "AVS", + "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", + "service": "NVA", "services": [ - "ASR", + "NVA", "WAF" ], - "severity": "High", - "text": "If using 
stretched cluster, ensure that your selected Disaster Recovery solution is supported by the vendor", + "severity": "Medium", + "text": "When deploying partner networking technologies or NVAs, follow the partner vendor's guidance", "waf": "Reliability" }, { + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "AVS", + "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", + "service": "ExpressRoute", "services": [ + "VPN", + "ARS", + "ExpressRoute", "WAF" ], - "severity": "High", - "text": "If using stretched cluster, ensure that the SLA provided will meet your requirements", - "waf": "Reliability" + "severity": "Low", + "text": "If you need transit between ExpressRoute and VPN gateways in hub and spoke scenarios, use Azure Route Server.", + "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "AVS", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", + "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", + "service": "ARS", "services": [ - "ExpressRoute", + "VNet", + "ARS", "WAF" ], - "severity": 
"High", - "text": "If using stretched cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.", - "waf": "Reliability" + "severity": "Low", + "text": "If using Route Server, use a /27 prefix for the Route Server subnet.", + "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "AVS", + "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", + "service": "VNet", "services": [ - "ExpressRoute", + "VNet", + "ACR", "WAF" ], - "severity": "High", - "text": "If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.", - "waf": "Reliability" + "severity": "Medium", + "text": "For network architectures with multiple hub-and-spoke topologies across Azure regions, use global virtual network peerings between the hub VNets to connect the regions to each other.", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", + "waf": "Performance" }, { "checklist": "WAF checklist", - "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "AVS", + "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", + "service": "VNet", "services": [ + "Monitor", "WAF" ], - "severity": "High", - "text": "Have site disaster tolerance settings been properly considered and changed for your business if needed.", - "waf": "Reliability" + "severity": "Medium", + "text": "Use Azure Monitor for Networks to monitor the end-to-end state of the networks on Azure.", + "training": 
"https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "waf": "Operations" }, { "checklist": "WAF checklist", - "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", + "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", "services": [ - "Backup", - "AKV", + "VNet", + "Entra", + "ExpressRoute", "WAF" ], - "severity": "High", - "text": "Familiarize yourself with the Key Vault's best practices such as isolation recommendations, access control, data protection, backup, and logging.", + "severity": "Medium", + "text": "When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000)", "waf": "Reliability" }, { "checklist": "WAF checklist", - "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Key Vault", + "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", + "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", "services": [ - 
"AKV", - "ACR", + "Storage", "WAF" ], "severity": "Medium", - "text": "Key Vault is a managed service and Microsoft will handle the failover within and across region. Familiarize yourself with the Key Vault's availability and redundancy.", + "text": "Consider the limit of routes per route table (400).", "waf": "Reliability" }, { + "ammp": true, "checklist": "WAF checklist", - "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", - "service": "Key Vault", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", + "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", + "service": "VNet", "services": [ - "AKV", + "VNet", "WAF" ], - "severity": "Medium", - "text": "The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets. 
Familiarize yourself with the Key Vault's data replication.", + "severity": "High", + "text": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings", "waf": "Reliability" }, { + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", - "service": "Key Vault", + "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", + "service": "ExpressRoute", "services": [ - "AzurePolicy", - "AKV", + "ExpressRoute", "WAF" ], "severity": "Medium", - "text": "During failover, access policy or firewall configurations and settings can't be changed. The key vault will be in read-only mode during failover. Familiarize yourself with the Key Vault's failover guidance.", - "waf": "Reliability" + "text": "When you're using ExpressRoute Direct, configure MACsec in order to encrypt traffic at the layer-two level between the organization's routers and MSEE. The diagram shows this encryption in flow.", + "waf": "Security" }, { + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", - "service": "Key Vault", + "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", + "service": "ExpressRoute", "services": [ - "Backup", - "Subscriptions", - "AKV", - "Storage", + "VPN", + "ExpressRoute", "WAF" ], - "severity": "Medium", - "text": "When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob can't be decrypted outside of Azure. 
To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography. Familiarize yourself with the Key Vault's backup and restore guidance.", - "waf": "Reliability" + "severity": "Low", + "text": "For scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), use a VPN gateway to establish IPsec tunnels over ExpressRoute private peering.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Security" }, { + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "Key Vault", + "guid": "558fd772-49b8-4211-82df-27ee412e7f98", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "ExpressRoute", "services": [ - "AKV", + "ACR", "WAF" ], "severity": "High", - "text": "If you want protection against accidental or malicious deletion of your secrets, configure soft-delete and purge protection features on your key vault.", - "waf": "Reliability" + "text": "Ensure no overlapping IP address spaces across Azure regions and on-premises locations are used", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "Key Vault", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, 
cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", + "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", "services": [ - "AKV", "WAF" ], "severity": "Low", - "text": "Key Vault's soft-deleted resources are retained for a set period of 90 calendar days. Familiarize yourself with the Key Vault's soft-delete guidance.", - "waf": "Reliability" + "text": "Use IP addresses from the address allocation ranges for private internets (RFC 1918).", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Security" }, { + "ammp": true, "checklist": "WAF checklist", - "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", - "service": "Key Vault", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", + "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", "services": [ - "Backup", - "AKV", + "VNet", "WAF" ], - "severity": "Low", - "text": "Understand Key Vault's backup limitations. Key Vault does not support the ability to backup more than 500 past versions of a key, secret, or certificate object. Attempting to backup a key, secret, or certificate object may result in an error. 
It is not possible to delete previous versions of a key, secret, or certificate.", - "waf": "Reliability" + "severity": "High", + "text": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16)", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Performance" }, { + "ammp": true, "checklist": "WAF checklist", - "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", - "service": "Key Vault", + "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", + "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", + "service": "VNet", "services": [ - "Backup", - "AKV", "WAF" ], - "severity": "Low", - "text": "Key Vault doesn't currently provide a way to back up an entire key vault in a single operation and keys, secrets and certitificates must be backup indvidually. Familiarize yourself with the Key Vault's backup and restore guidance.", + "severity": "High", + "text": "Avoid using overlapping IP address ranges for production and DR sites.", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", "waf": "Reliability" }, { "checklist": "WAF checklist", - "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection", - "service": "Key Vault", + "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", + "service": "DNS", "services": [ - "EventHubs", - "AKV", + "DNS", "WAF" ], "severity": "Medium", - "text": "Purge protection is recommended when using keys for encryption to prevent data loss. Purge protection is an optional Key Vault behavior and is not enabled by default. 
Purge protection can only be enabled once soft-delete is enabled. It can be turned on via CLI, PowerShell or Portal.", - "waf": "Reliability" + "text": "For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution with a delegated zone for name resolution (such as 'azure.contoso.com').", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", - "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", - "service": "AKS", + "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", + "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", + "service": "DNS", "services": [ - "AKS", + "ACR", + "DNS", "WAF" ], - "severity": "Low", - "text": "If required for AKS Windows workloads HostProcess containers can be used", - "waf": "Reliability" + "severity": "Medium", + "text": "For environments where name resolution across Azure and on-premises is required, consider using Azure DNS Private Resolver.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", - "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", - "service": "AKS", + "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", + "service": "DNS", "services": [ + "DNS", "WAF" ], "severity": "Low", - "text": "Use KEDA if running event-driven workloads", - "waf": "Performance" + "text": "Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred DNS 
solution.", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "ammp": true, "checklist": "WAF checklist", - "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", - "link": "https://dapr.io/", - "service": "AKS", + "guid": "614658d3-558f-4d77-849b-821112df27ee", + "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", + "service": "DNS", "services": [ + "VNet", + "DNS", + "VM", "WAF" ], - "severity": "Low", - "text": "Use Dapr to ease microservice development", + "severity": "High", + "text": "Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual machines deployed within a virtual network.", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", - "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", - "link": "https://learn.microsoft.com/azure/aks/uptime-sla", - "service": "AKS", + "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", + "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", + "service": "Bastion", "services": [ - "AKS", - "WAF" + "WAF", + "Bastion" ], - "severity": "High", - "text": "Use the SLA-backed AKS offering", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", + "severity": "Medium", + "text": "Consider using Azure Bastion to securely connect to your network.", + "waf": "Security" + }, + { "checklist": "WAF checklist", - "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand 
subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", + "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", + "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", + "service": "Bastion", "services": [ - "Cost", - "WAF" + "VNet", + "WAF", + "Bastion" ], - "severity": "Low", - "text": "Use Disruption Budgets in your pod and deployment definitions", - "waf": "Reliability" + "severity": "Medium", + "text": "Use Azure Bastion in a subnet /26 or larger.", + "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "3c763963-7a55-42d5-a15e-401955387e5c", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", - "service": "ACR", + "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "WAF", "services": [ + "FrontDoor", "ACR", + "AzurePolicy", "WAF" ], - "severity": "High", - "text": "If using a private registry, configure region replication to store images in multiple regions", - "waf": "Reliability" + "severity": "Medium", + "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", - "service": "AKS", + "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + 
"service": "WAF", "services": [ - "Cost", - "WAF" + "FrontDoor", + "AzurePolicy", + "WAF", + "AppGW" ], "severity": "Low", - "text": "Use an external application such as kubecost to allocate costs to different users", - "waf": "Cost" + "text": "When using Azure Front Door and Azure Application Gateway to help protect HTTP/S apps, use WAF policies in Azure Front Door. Lock down Azure Application Gateway to receive traffic only from Azure Front Door.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "ammp": true, "checklist": "WAF checklist", - "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", - "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", - "service": "AKS", + "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", "services": [ + "VNet", "WAF" ], - "severity": "Low", - "text": "Use scale down mode to delete/deallocate nodes", - "waf": "Cost" + "severity": "High", + "text": "Deploy WAFs and other reverse proxies are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network and together with the apps that they're protecting and exposing to the internet.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "ammp": true, "checklist": "WAF checklist", - "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", - "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", - "service": "AKS", + "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", "services": [ - "AKS", + "DDoS", + "VNet", "WAF" ], - "severity": "Medium", - "text": "When required use 
multi-instance partitioning GPU on AKS Clusters", - "waf": "Cost" + "severity": "High", + "text": "Use Azure DDoS Network or IP Protection plans to help protect Public IP Addresses endpoints within the virtual networks.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "ammp": true, "checklist": "WAF checklist", - "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", - "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", - "service": "AKS", + "guid": "b034c01e-110b-463a-b36e-e3346e57f225", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", + "service": "VNet", "services": [ "WAF" ], - "severity": "Low", - "text": "If running a Dev/Test cluster use NodePool Start/Stop", - "waf": "Cost" + "severity": "High", + "text": "Assess and review network outbound traffic configuration and strategy before the upcoming breaking change. 
On September 30, 2025, default outbound access for new deployments will be retired and only explicit access configurations will be allowed", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "ammp": true, "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", - "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", - "service": "AKS", + "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", "services": [ - "AKS", - "AzurePolicy", + "DDoS", "WAF" ], - "severity": "Medium", - "text": "Use Azure Policy for Kubernetes to ensure cluster compliance", + "severity": "High", + "text": "Add diagnostic settings to save DDoS related logs for all the protected public IP addresses (DDoS IP or Network Protection).", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", - "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", + "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli", + "service": "ExpressRoute", 
"services": [ + "ExpressRoute", "WAF" ], "severity": "Medium", - "text": "Separate applications from the control plane with user/system node pools", - "waf": "Security" + "text": "Ensure that you have investigated the possibility to use ExpressRoute as primary connection to Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", + "description": "You can use AS-path prepending and connection weights to influence traffic from Azure to on-premises, and the full range of BGP attributes in your own routers to influence traffic from on-premises to Azure.", + "guid": "f29812b2-363c-4efe-879b-599de0d5973c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", + "service": "ExpressRoute", "services": [ + "ExpressRoute", "WAF" ], - "severity": "Low", - "text": "Add taint to your system nodepool to make it dedicated", - "waf": "Security" + "severity": "Medium", + "text": "When you use multiple ExpressRoute circuits, or multiple on-prem locations, make sure to optimize routing with BGP attributes, if certain paths are preferred.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", - "link": "https://learn.microsoft.com/azure/container-registry/", - "service": "AKS", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 
'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", + "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", + "service": "ExpressRoute", "services": [ - "ACR", + "VPN", + "ExpressRoute", "WAF" ], "severity": "Medium", - "text": "Use a private registry for your images, such as ACR", - "waf": "Security" + "text": "Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" }, { + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", - "link": "https://learn.microsoft.com/azure/security-center/container-security", - "service": "ACR", + "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", + "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", + "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", + "service": "ExpressRoute", "services": [ - "WAF" + "ExpressRoute", + "WAF", + "Cost" ], - "severity": "Medium", - "text": "Scan your images for vulnerabilities", - "waf": "Security" + "severity": "High", + "text": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost.", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", - "link": 
"https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", - "service": "AKS", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", + "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", + "service": "ExpressRoute", "services": [ - "WAF" + "ExpressRoute", + "WAF", + "Cost" ], "severity": "High", - "text": "Define app separation requirements (namespace/nodepool/cluster)", - "waf": "Security" + "text": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU.", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", - "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", - "service": "AKS", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", + "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", + "service": "ExpressRoute", "services": [ - "AKV", + 
"ExpressRoute", "WAF" ], "severity": "Medium", - "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver", - "waf": "Security" + "text": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", - "link": "https://learn.microsoft.com/azure/aks/update-credentials", - "service": "AKS", + "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", "services": [ + "ExpressRoute", "WAF" ], - "severity": "High", - "text": "If using Service Principals for the cluster, refresh credentials periodically (like quarterly)", - "waf": "Security" + "severity": "Medium", + "text": "For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps ports, use ExpressRoute Direct.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", - "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", - "service": "AKS", + "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", + "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", + "service": "ExpressRoute", "services": [ + "ExpressRoute", "WAF" ], "severity": "Medium", - "text": "If required add Key Management Service etcd encryption", - "waf": "Security" + "text": "When low latency is required, or throughput from on-premises 
to Azure must be greater than 10 Gbps, enable FastPath to bypass the ExpressRoute gateway from the data path.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/vpnGateways", "checklist": "WAF checklist", - "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", - "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", - "service": "AKS", + "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", + "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", + "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", + "service": "VPN", "services": [ - "AKS", + "VPN", "WAF" ], - "severity": "Low", - "text": "If required consider using Confidential Compute for AKS", - "waf": "Security" + "severity": "Medium", + "text": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available).", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/vpnGateways", "checklist": "WAF checklist", - "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", - "service": "AKS", + "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", + "service": "VPN", "services": [ - "Defender", + "VPN", "WAF" ], "severity": "Medium", - "text": "Consider using Defender for Containers", - "waf": "Security" + "text": "Use redundant VPN appliances on-premises 
(active/active or active/passive).", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", - "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", - "service": "AKS", + "guid": "718cb437-b060-2589-8856-2e93a5c6633b", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", + "service": "ExpressRoute", "services": [ - "Entra", - "WAF" + "ExpressRoute", + "WAF", + "Cost" ], "severity": "High", - "text": "Use managed identities instead of Service Principals", - "waf": "Security" + "text": "If using ExpressRoute Direct, consider using ExpressRoute Local circuits to the local Azure regions to save costs", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", - "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", - "link": "https://learn.microsoft.com/azure/aks/managed-aad", - "service": "AKS", + "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", + "service": "ExpressRoute", "services": [ - "Entra", + "ExpressRoute", "WAF" ], "severity": "Medium", - "text": "Integrate authentication with AAD (using the managed 
integration)", + "text": "When traffic isolation or dedicated bandwidth is required, such as for separating production and nonproduction environments, use different ExpressRoute circuits. It will help you ensure isolated routing domains and alleviate noisy-neighbor risks.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", - "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", - "service": "AKS", + "guid": "b30e38c3-f298-412b-8363-cefe179b599d", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", + "service": "ExpressRoute", "services": [ + "Monitor", + "ExpressRoute", "WAF" ], "severity": "Medium", - "text": "Limit access to admin kubeconfig (get-credentials --admin)", - "waf": "Security" + "text": "Monitor ExpressRoute availability and utilization using built-in Express Route Insights.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", - "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", - "service": "AKS", + "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", + "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", + "service": "ExpressRoute", "services": [ - "Entra", - "RBAC", - "WAF" + "Monitor", + "ACR", + "WAF", + "NetworkWatcher" ], "severity": "Medium", - "text": "Integrate authorization with AAD RBAC", - "waf": "Security" + "text": "Use Connection Monitor for connectivity monitoring across the 
network, especially between on-premises and Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", - "service": "AKS", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", + "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#challenges-of-using-multiple-expressroute-circuits", + "service": "ExpressRoute", "services": [ - "AKS", - "RBAC", + "ExpressRoute", "WAF" ], - "severity": "High", - "text": "Use namespaces for restricting RBAC privilege in Kubernetes", - "waf": "Security" + "severity": "Medium", + "text": "Use ExpressRoute circuits from different peering locations for redundancy.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", - "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", - 
"service": "AKS", + "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", + "service": "ExpressRoute", "services": [ - "Entra", + "VPN", + "ExpressRoute", "WAF" ], "severity": "Medium", - "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)", - "waf": "Security" + "text": "Use site-to-site VPN as failover of ExpressRoute, especially if only using a single ExpressRoute circuit.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", - "service": "AKS", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", + "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", + "service": "ExpressRoute", "services": [ - "AKS", + "Storage", + "VNet", "WAF" ], - "severity": "Medium", - "text": "For AKS non-interactive logins use kubelogin (preview)", - "waf": "Security" + "severity": "High", + "text": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated.", + "waf": 
"Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", - "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", - "service": "AKS", + "guid": "d581a947-69a2-4783-942e-9df3664324c8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", + "service": "ExpressRoute", "services": [ - "AKS", + "ACR", + "ExpressRoute", "WAF" ], - "severity": "Medium", - "text": "Disable AKS local accounts", - "waf": "Security" + "severity": "High", + "text": "If using ExpressRoute, your on-premises routing should be dynamic: in the event of a connection failure it should converge to the remaining connection of the circuit. 
Load should be shared across both connections ideally as active/active, although active/passive is supported too.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", - "service": "AKS", + "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", + "service": "ExpressRoute", "services": [ + "ExpressRoute", "WAF" ], - "severity": "Low", - "text": "Configure if required Just-in-time cluster access", - "waf": "Security" + "severity": "Medium", + "text": "Ensure the two physical links of your ExpressRoute circuit are connected to two distinct edge devices in your network.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", - "service": "AKS", + "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", + "service": "ExpressRoute", "services": [ - "AKS", - "Entra", "WAF" ], - "severity": "Low", - "text": "Configure if required AAD conditional access for AKS", - "waf": "Security" + "severity": "Medium", + "text": "Ensure Bidirectional Forwarding Detection (BFD) is enabled and configured on customer or provider edge routing devices.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + 
"waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", - "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", - "service": "AKS", + "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "ExpressRoute", "services": [ - "AKS", + "ExpressRoute", "WAF" ], - "severity": "Low", - "text": "If required for Windows AKS workloads configure gMSA ", - "waf": "Security" + "severity": "High", + "text": "Connect the ExpressRoute Gateway to two or more circuits from different peering locations for higher resiliency.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", - "service": "AKS", + "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", + "service": "ExpressRoute", "services": [ - "Entra", + "VNet", + "Monitor", + "ExpressRoute", "WAF" ], "severity": "Medium", - "text": "For finer control consider using a managed Kubelet Identity", - "waf": "Security" + "text": "Configure diagnostic logs and alerts for ExpressRoute virtual network gateway.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": 
"microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", - "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", - "service": "AKS", + "guid": "5234c93f-b651-41dd-80c1-234177b91ced", + "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", + "service": "ExpressRoute", "services": [ - "AppGW", - "ACR", + "VNet", + "ExpressRoute", "WAF" ], "severity": "Medium", - "text": "If using AGIC, do not share an AppGW across clusters", - "waf": "Reliability" + "text": "Avoid using ExpressRoute circuits for VNet-to-VNet communication.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "ammp": true, "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", - "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", - "link": "https://learn.microsoft.com/azure/aks/http-application-routing", - "service": "AKS", + "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", + "link": "https://learn.microsoft.com/azure/app-service/networking-features", + "service": "Firewall", "services": [ - "AKS", - "WAF" + "WAF", + "Firewall" ], "severity": "High", - "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.", - "waf": "Reliability" + "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "arm-service": 
"microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", - "service": "AKS", + "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", + "service": "Firewall", "services": [ - "WAF" + "RBAC", + "WAF", + "Firewall", + "ACR", + "AzurePolicy" ], "severity": "Medium", - "text": "For Windows workloads use Accelerated Networking", - "waf": "Performance" + "text": "Create a global Azure Firewall policy to govern security posture across the global network environment and assign it to all Azure Firewall instances. Allow for granular policies to meet requirements of specific regions by delegating incremental firewall policies to local security teams via Azure role-based access control.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", - "guid": "ba7da7be-9952-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", + "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", + "service": "Firewall", "services": [ - "LoadBalancer", - "WAF" + "WAF", + "Firewall" ], - "severity": "High", - "text": "Use the standard ALB (as opposed to the basic one)", - "waf": "Reliability" + "severity": "Low", + "text": "Configure supported partner SaaS security providers within Firewall Manager if the organization wants to use such solutions to help protect outbound 
connections.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "ammp": true, "checklist": "WAF checklist", - "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", - "service": "AKS", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", + "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", + "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", + "service": "Firewall", "services": [ - "VNet", - "WAF" + "DNS", + "WAF", + "Firewall" ], - "severity": "Medium", - "text": "If using Azure CNI, consider using different Subnets for NodePools", + "severity": "High", + "text": "Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules.", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "ammp": true, "checklist": "WAF checklist", - "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", - "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", - "service": "AKS", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", + "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", + "link": "https://learn.microsoft.com/azure/firewall/premium-features", + "service": "Firewall", "services": [ - "PrivateLink", - "VNet", - "WAF" + "WAF", + "Firewall" ], - "severity": "Medium", - "text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster", + "severity": "High", + "text": "Use Azure Firewall Premium for additional 
security and protection.", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "ammp": true, "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", - "guid": "a0f61565-9de5-458f-a372-49c831112dbd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", + "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", + "link": "https://learn.microsoft.com/azure/firewall/premium-features", + "service": "Firewall", "services": [ - "WAF" + "WAF", + "Firewall" ], "severity": "High", - "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)", - "waf": "Reliability" + "text": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "ammp": true, "checklist": "WAF checklist", - "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", + "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", + "service": "Firewall", "services": [ - "VNet", - "WAF" + "WAF", + "Firewall" ], "severity": "High", - "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node", - "waf": "Performance" + "text": "Configure Azure Firewall IDPS mode to Deny for additional protection.", + "waf": "Security" }, { - 
"arm-service": "microsoft.containerservice/managedClusters", + "ammp": true, "checklist": "WAF checklist", - "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", + "guid": "a3784907-9836-4271-aafc-93535f8ec08b", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "service": "Firewall", "services": [ - "WAF" + "Storage", + "VNet", + "VWAN", + "WAF", + "Firewall", + "NVA" ], "severity": "High", - "text": "If using Azure CNI, check the maximum pods/node (default 30)", - "waf": "Performance" + "text": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance", + "waf": "Security" }, { - 
"arm-service": "microsoft.containerservice/managedClusters", + "ammp": true, "checklist": "WAF checklist", - "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .", - "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", - "link": "https://learn.microsoft.com/azure/aks/internal-lb", - "service": "AKS", + "guid": "715d833d-4708-4527-90ac-1b142c7045ba", + "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", + "service": "Firewall", "services": [ - "AKS", - "VNet", - "WAF" + "Storage", + "WAF", + "Firewall" ], - "severity": "Low", - "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)", - "waf": "Security" + "severity": "Medium", + "text": "Add diagnostic settings to save logs, using the Resource Specific destination table, for all Azure Firewall deployments.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "ammp": true, "checklist": "WAF checklist", - "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", + "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", + "service": "Firewall", "services": [ - "WAF" + "AzurePolicy", + "WAF", + "Firewall" ], - "severity": "High", - "text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)", - "waf": "Reliability" 
+ "severity": "Important", + "text": "Migrate from Azure Firewall Classic rules (if exist) to Firewall Policy.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "ammp": true, "checklist": "WAF checklist", - "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", - "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", - "service": "AKS", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", + "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", + "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", + "service": "Firewall", "services": [ - "WAF" + "VNet", + "WAF", + "Firewall" ], - "severity": "Low", - "text": "If required add your own CNI plugin", + "severity": "High", + "text": "Use a /26 prefix for your Azure Firewall subnets.", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", - "service": "AKS", + "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", + "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", + "service": "Firewall", "services": [ - "AKS", + "AzurePolicy", "WAF" ], - "severity": "Low", - "text": "If required configure Public IP per node in AKS", + "severity": "Medium", + "text": "Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and 
based on their frequency of use", "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", - "link": "https://learn.microsoft.com/azure/aks/concepts-network", - "service": "AKS", + "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", + "link": "https://learn.microsoft.com/azure/firewall/ip-groups", + "service": "Firewall", "services": [ + "Storage", "WAF" ], "severity": "Medium", - "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services", - "waf": "Reliability" + "text": "Use IP Groups or IP prefixes to reduce number of IP table rules", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", - "link": "https://learn.microsoft.com/azure/aks/nat-gateway", - "service": "AKS", + "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", + "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", + "service": "Firewall", "services": [ "WAF" ], - "severity": "Low", - "text": "Use Azure NAT Gateway as outboundType for scaling egress traffic", - "waf": "Reliability" + "severity": "Medium", + "text": "Avoid wildcards as a source IP for DNATS, such as * or any, you should specify source IPs for incoming DNATs", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", - "service": "AKS", + "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", + "link": "https://learn.microsoft.com/azure/nat-gateway/tutorial-hub-spoke-nat-firewall", + "service": "Firewall", "services": [ + "Monitor", "WAF" ], "severity": "Medium", - "text": "Use Dynamic allocations of IPs in 
order to avoid Azure CNI IP exhaustion", - "waf": "Reliability" + "text": "Prevent SNAT Port exhaustion by monitoring SNAT port usage, evaluating NAT Gateway settings, and ensuring seamless failover. If the port count approaches the limit, it’s a sign that SNAT exhaustion might be imminent.", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", - "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", - "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", - "service": "AKS", + "guid": "346840b8-1064-496e-8396-4b1340172d52", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", + "service": "Firewall", "services": [ - "NVA", "WAF" ], "severity": "High", - "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it", - "waf": "Security" + "text": "Enable TLS Inspection", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", - "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", - "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", - "service": "AKS", + "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", + "service": "Firewall", "services": [ + "ServiceBus", "WAF" ], - "severity": "Medium", - "text": "If using a public API endpoint, restrict the IP addresses that can access 
it", - "waf": "Security" + "severity": "Low", + "text": "Use web categories to allow or deny outbound access to specific topics.", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", - "link": "https://learn.microsoft.com/azure/aks/private-clusters", - "service": "AKS", + "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", + "service": "Firewall", "services": [ "WAF" ], - "severity": "High", - "text": "Use private clusters if your requirements mandate it", - "waf": "Security" + "severity": "Medium", + "text": "As part of your TLS inspection, plan for receiving traffic from Azure App Gateways for inspection.", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", + "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", + "link": "https://learn.microsoft.com/azure/firewall/dns-details", + "service": "Firewall", "services": [ - "AKS", - "AzurePolicy", - "WAF" + "DNS", + "WAF", + "Firewall" ], "severity": "Medium", - "text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ", + "text": "Enable Azure Firewall DNS 
proxy configuration ", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", - "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", + "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", + "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", + "service": "Firewall", "services": [ - "AKS", + "VM", "AzurePolicy", "WAF" ], - "severity": "High", - "text": "Enable a Kubernetes Network Policy option (Calico/Azure)", + "severity": "Medium", + "text": "Ensure there is a policy assignment to deny Public IP addresses directly tied to Virtual Machines", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", + "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", + "service": "Firewall", "services": [ - "AKS", - "AzurePolicy", + "Monitor", + "WAF", + "Firewall" + ], + "severity": "Low", + "text": "Integrate Azure Firewall with Azure Monitor and enable diagnostic logging to store and analyze firewall logs.", + "waf": "Operations" + }, + { + "checklist": "WAF checklist", + "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", + "service": "Firewall", + "services": [ + "Backup", "WAF" ], - "severity": "High", - "text": "Use Kubernetes network policies to increase intra-cluster security", - "waf": "Security" + "severity": "Low", + "text": "Implement backups for your firewall rules", + 
"waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "ammp": true, "checklist": "WAF checklist", - "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "App Gateway", "services": [ + "VNet", "WAF" ], "severity": "High", - "text": "Use a WAF for web workloads (UIs or APIs)", + "text": "Ensure that control-plane communication for Azure PaaS services injected into a virtual network is not broken, for example with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", - "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", - "service": "AKS", + "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", + "link": "https://learn.microsoft.com/azure/app-service/networking-features", + 
"service": "ExpressRoute", "services": [ - "AKS", - "VNet", - "DDoS", + "PrivateLink", + "ExpressRoute", "WAF" ], "severity": "Medium", - "text": "Use DDoS Standard in the AKS Virtual Network", + "text": "Access Azure PaaS services from on-premises via private endpoints and ExpressRoute private peering. This method avoids transiting over the public internet.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", - "link": "https://learn.microsoft.com/azure/aks/http-proxy", - "service": "AKS", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", + "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", + "link": "https://learn.microsoft.com/azure/app-service/networking-features", + "service": "VNet", "services": [ + "VNet", "WAF" ], - "severity": "Low", - "text": "If required 
add company HTTP Proxy", + "severity": "Medium", + "text": "Don't enable virtual network service endpoints by default on all subnets.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", - "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", - "service": "AKS", + "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", + "link": "https://learn.microsoft.com/azure/app-service/networking-features", + "service": "Firewall", "services": [ - "WAF" + "DNS", + "WAF", + "Firewall", + "NVA", + "PrivateLink" ], "severity": "Medium", - "text": "Consider using a service mesh for advanced microservice communication management", + "text": "Filter egress traffic to Azure PaaS services using FQDNs instead of IP addresses in Azure Firewall or an NVA to prevent data exfiltration. If using Private Link you can block all FQDNs, otherwise allow only the required PaaS services.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "WAF checklist", - "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", - "service": "AKS", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", + 
"link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", + "service": "ExpressRoute", "services": [ - "Monitor", + "VPN", + "VNet", + "ExpressRoute", "WAF" ], "severity": "High", - "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)", - "waf": "Operations" + "text": "Use at least a /27 prefix for your Gateway subnets", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "337453a3-cc63-4963-9a65-22ac19e80696", - "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", - "service": "AKS", + "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", + "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", + "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", + "service": "NSG", "services": [ - "Entra", + "VNet", "WAF" ], - "severity": "Low", - "text": "Check regularly Azure Advisor for recommendations on your cluster", - "waf": "Operations" + 
"severity": "Medium", + "text": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", - "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", - "service": "AKS", + "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", + "service": "NSG", "services": [ - "AKS", + "VNet", + "ACR", "WAF" ], - "severity": "Low", - "text": "Enable AKS auto-certificate rotation", - "waf": "Operations" + "severity": "Medium", + "text": "Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones).", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", - "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", - "service": "AKS", + "graph": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)", + "guid": "9c2299c4-d7b5-47d0-a655-562f2b3e4563", + "service": "NSG", "services": [ - "AKS", + "VNet", + "VM", "WAF" ], - "severity": "High", - "text": "Have a regular process to upgrade your kubernetes version periodically (quarterly, for example), or use the AKS autoupgrade feature", - "waf": "Operations" + "severity": 
"Medium", + "text": "The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", - "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", - "service": "AKS", + "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "NSG", "services": [ + "VNet", + "Entra", + "NVA", "WAF" ], - "severity": "High", - "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade", - "waf": "Operations" + "severity": "Medium", + "text": "Use NSGs and application security groups to micro-segment traffic within the landing zone and avoid using a central NVA to filter traffic flows.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", - "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", - "service": "AKS", + "guid": "dfe237de-143b-416c-91d7-aa9b64704489", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "NSG", "services": [ - "WAF" + "VNet", + "WAF", + "NetworkWatcher" ], - "severity": "High", - "text": "Have a regular process to upgrade the cluster node images periodically (weekly, for example)", - "waf": "Operations" + "severity": "Medium", + "text": "Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows.", + "training": 
"https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", - "service": "AKS", + "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", + "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "NSG", "services": [ + "VNet", "WAF" ], - "severity": "Low", - "text": "Consider gitops to deploy applications or cluster configuration to multiple clusters", - "waf": "Operations" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "d7672c26-7602-4482-85a4-14527fbe855c", - "link": "https://learn.microsoft.com/azure/aks/command-invoke", - "service": "AKS", - "services": [ - "AKS", - "WAF" - ], - "severity": "Low", - "text": "Consider using AKS command invoke on private clusters", - "waf": "Operations" + "severity": "Medium", + "text": "Consider the limit of NSG rules per NSG (1000).", + "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/virtualWans", "checklist": "WAF checklist", - "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", - "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", - "service": "AKS", + "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", + "service": "VWAN", "services": [ + 
"VWAN", "WAF" ], - "severity": "Low", - "text": "For planned events consider using Node Auto Drain", + "severity": "Medium", + "text": "Consider Virtual WAN for simplified Azure networking management, and make sure your scenario is explicitly described in the list of Virtual WAN routing designs", + "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/virtualWans", "checklist": "WAF checklist", - "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", - "link": "https://learn.microsoft.com/azure/aks/faq", - "service": "AKS", + "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "VWAN", "services": [ + "ACR", + "VWAN", "WAF" ], - "severity": "High", - "text": "Develop own governance practices to make sure no changes are performed by operators in the node RG (aka 'infra RG')", - "waf": "Operations" + "severity": "Medium", + "text": "Use a Virtual WAN hub per Azure region to connect multiple landing zones together across Azure regions via a common global Azure Virtual WAN.", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/virtualWans", "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", - "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", + "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "VWAN", "services": [ + "ACR", "WAF" ], "severity": "Low", - "text": "Use custom Node RG (aka 'Infra RG') name", - "waf": "Operations" + "text": "Follow the 
principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/virtualWans", "checklist": "WAF checklist", - "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", - "link": "https://kubernetes.io/docs/setup/release/notes/", - "service": "AKS", + "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", + "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "VWAN", "services": [ - "AKS", - "WAF" + "WAF", + "Firewall" ], "severity": "Medium", - "text": "Do not use deprecated Kubernetes APIs in your YAML manifests", - "waf": "Operations" + "text": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/virtualWans", "checklist": "WAF checklist", - "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", - "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", - "service": "AKS", + "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "VWAN", "services": [ + "VWAN", "WAF" ], - "severity": "Low", - "text": "Taint Windows nodes", - "waf": "Operations" + "severity": "Medium", + "text": "Ensure that the network architecture is within the Azure Virtual WAN limits.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/virtualWans", 
"checklist": "WAF checklist", - "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", - "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", - "service": "AKS", + "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", + "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", + "service": "VWAN", "services": [ + "Monitor", + "VWAN", "WAF" ], - "severity": "Low", - "text": "Keep windows containers patch level in sync with host patch level", + "severity": "Medium", + "text": "Use Azure Monitor Insights for Virtual WAN to monitor the end-to-end topology of the Virtual WAN, status, and key metrics.", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/virtualWans", "checklist": "WAF checklist", - "description": "Via Diagnostic Settings at the cluster level", - "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", - "link": "https://learn.microsoft.com/azure/aks/monitor-aks", - "service": "AKS", + "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", + "service": "VWAN", "services": [ - "Monitor", + "VWAN", "WAF" ], - "severity": "Low", - "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution", - "waf": "Operations" + "severity": "Medium", + "text": "Make sure that your IaC deployments does not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/virtualWans", "checklist": "WAF checklist", - "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", - "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", - "service": "AKS", + "guid": 
"d49ac006-6670-4bc9-9948-d3e0a3a94f4d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", + "service": "VWAN", "services": [ + "VPN", + "ExpressRoute", "WAF" ], - "severity": "Low", - "text": "If required use nodePool snapshots", - "waf": "Cost" + "severity": "Medium", + "text": "Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.network/virtualWans", "checklist": "WAF checklist", - "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", - "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", - "service": "AKS", + "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", + "service": "VWAN", "services": [ + "VWAN", "WAF" ], - "severity": "Low", - "text": "Consider spot node pools for non time-sensitive workloads", - "waf": "Operations" + "severity": "Medium", + "text": "Make sure that your IaC deployments are configuring label-based propagation in Virtual WAN, otherwise connectivity between virtual hubs will be impaired.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "ammp": true, + "arm-service": "microsoft.network/virtualWans", "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", - "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "guid": "9c75dfef-573c-461c-a698-68598595581a", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", + "service": "VWAN", 
"services": [ - "AKS", "WAF" ], - "severity": "Low", - "text": "Consider AKS virtual node for quick bursting", - "waf": "Operations" + "severity": "High", + "text": "Assign enough IP space to virtual hubs, ideally a /23 prefix.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "ammp": true, "checklist": "WAF checklist", - "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", + "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "services": [ - "Monitor", + "AzurePolicy", "WAF" ], "severity": "High", - "text": "Monitor your cluster metrics with Container Insights (or other tools like Prometheus)", - "waf": "Operations" + "text": "Leverage Azure Policy strategically, define controls for your environment, using Policy Initiatives to group related policies.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", - "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", + "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "services": [ + "RBAC", + "AzurePolicy", "WAF" ], - "severity": "High", - "text": "Store and analyze your cluster logs with Container Insights (or other tools like Telegraf/ElasticSearch)", - "waf": "Operations" + "severity": "Medium", + "text": "Map regulatory and compliance requirements to Azure Policy definitions and Azure role 
assignments.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", - "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", - "service": "AKS", + "guid": "223ace8c-b123-408c-a501-7f154e3ab369", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "services": [ - "Monitor", + "Subscriptions", + "AzurePolicy", "WAF" ], "severity": "Medium", - "text": "Monitor CPU and memory utilization of the nodes", - "waf": "Operations" + "text": "Establish Azure Policy definitions at the intermediate root management group so that they can be assigned at inherited scopes", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "1a4835ac-9422-423e-ae80-b123081a5417", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "guid": "3829e7e3-1618-4368-9a04-77a209945bda", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "services": [ - "Monitor", + "AzurePolicy", "WAF" ], "severity": "Medium", - "text": "If using Azure CNI, monitor % of pod IPs consumed per node", - "waf": "Operations" + "text": "Manage policy assignments at the highest appropriate level with exclusions at bottom levels, if required.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "description": "I/O in the OS disk is a critical resource. 
If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady", - "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", - "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", - "service": "AKS", + "guid": "43334f24-9116-4341-a2ba-527526944008", + "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", + "service": "Policy", "services": [ - "EventHubs", - "Monitor", - "ServiceBus", - "Storage", + "Subscriptions", + "AzurePolicy", "WAF" ], - "severity": "Medium", - "text": "Monitor OS disk queue depth in nodes", - "waf": "Operations" + "severity": "Low", + "text": "Use Azure Policy to control which services users can provision at the subscription/management group level", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "be209d39-fda4-4777-a424-d116785c2fa5", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "services": [ - "NVA", - "LoadBalancer", - "Monitor", + "AzurePolicy", "WAF" ], "severity": "Medium", - "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports", - "waf": "Operations" + "text": "Use built-in policies where possible to minimize operational overhead.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", - "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", - "service": "AKS", + "description": "Assigning the Resource Policy Contributor role to specific scopes allows you to delegate policy management to relevant teams. 
For instance, a central IT team may oversee management group-level policies, while application teams handle policies for their subscriptions, enabling distributed governance with adherence to organizational standards.", + "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", + "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", + "service": "Policy", "services": [ - "AKS", - "WAF" + "Entra", + "RBAC", + "Subscriptions", + "WAF", + "AzurePolicy" ], "severity": "Medium", - "text": "Subscribe to resource health notifications for your AKS cluster", - "waf": "Operations" + "text": "Assign the built-in Resource Policy Contributor role at a particular scope to enable application-level governance.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "guid": "19048384-5c98-46cb-8913-156a12476e49", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "services": [ + "Subscriptions", + "AzurePolicy", "WAF" ], - "severity": "High", - "text": "Configure requests and limits in your pod specs", - "waf": "Operations" + "severity": "Medium", + "text": "Limit the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited scopes.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "769ef669-1a48-435a-a942-223ece80b123", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", + "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", + "service": "Policy", 
"services": [ + "AzurePolicy", "WAF" ], "severity": "Medium", - "text": "Enforce resource quotas for namespaces", - "waf": "Operations" + "text": "If any data sovereignty requirements exist, Azure Policies can be deployed to enforce them", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "081a5417-4158-433e-a3ad-3c2de733165c", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "AKS", + "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", + "service": "Policy", "services": [ - "Subscriptions", + "AzurePolicy", "WAF" ], - "severity": "High", - "text": "Ensure your subscription has enough quota to scale out your nodepools", - "waf": "Operations" + "severity": "Medium", + "text": "For Sovereign Landing Zone, sovereignty policy baseline' policy initiative is deployed and and assigned at correct MG level.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65", - "link": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/", - "service": "AKS", + "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", + "service": "Policy", "services": [ + "AzurePolicy", "WAF" ], - "severity": "High", - "text": "Configure Liveness and Readiness probes for all deployments", - "waf": "Operations" + "severity": "Medium", + "text": "For Sovereign Landing Zone, sovereign Control objectives to policy mapping' is documented.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", 
"checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", - "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", + "service": "Policy", "services": [ + "AzurePolicy", "WAF" ], "severity": "Medium", - "text": "Use the Cluster Autoscaler", - "waf": "Performance" + "text": "For Sovereign Landing Zone, process is in place for CRUD of 'Sovereign Control objectives to policy mapping'.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", - "guid": "831c2872-c693-4b39-a887-a561bada49bc", - "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", - "service": "AKS", + "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "services": [ - "AKS", - "WAF" + "Entra", + "RBAC", + "WAF", + "Monitor", + "AzurePolicy" ], - "severity": "Low", - "text": "Customize node configuration for AKS node pools", - "waf": "Performance" + "severity": "Medium", + "text": "Use a single monitor logs workspace to manage platforms centrally except where Azure role-based access control (Azure RBAC), data sovereignty requirements, or data retention policies mandate separate workspaces.", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", - "link": 
"https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Monitor", "services": [ + "Storage", + "ARS", + "AzurePolicy", "WAF" ], "severity": "Medium", - "text": "Use the Horizontal Pod Autoscaler when required", - "waf": "Performance" + "text": "Export logs to Azure Storage if your log retention requirements exceed twelve years. Use immutable storage with a write-once, read-many policy to make data non-erasable and non-modifiable for a user-specified interval.", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they will increase the blast radius and decrease the scaling granularity", - "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", - "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", - "service": "AKS", + "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", + "service": "VM", "services": [ + "VM", + "Monitor", + "AzurePolicy", "WAF" ], - "severity": "High", - "text": "Consider an appropriate node size, not too large or too small", - "waf": "Performance" + "severity": "Medium", + "text": "Monitor OS level virtual machine (VM) configuration drift using Azure Policy. 
Enabling Azure Automanage Machine Configuration audit capabilities through policy helps application team workloads to immediately consume feature capabilities with little effort.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", - "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", - "service": "AKS", + "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", + "service": "VM", "services": [ - "AKS", + "VM", "WAF" ], - "severity": "Low", - "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster", - "waf": "Performance" + "severity": "Medium", + "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs in Azure.", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", - "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", - "service": "AKS", + "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", + "service": "VM", "services": [ - "AKS", + "VM", "WAF" ], - "severity": "Low", - "text": "Consider subscribing to EventGrid Events for AKS automation", - "waf": "Performance" + "severity": "Medium", + "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs outside of Azure 
using Azure Arc.", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", - "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", - "service": "AKS", + "guid": "90483845-c986-4cb2-a131-56a12476e49f", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Network Watcher", "services": [ - "AKS", - "WAF" + "Monitor", + "WAF", + "NetworkWatcher" ], - "severity": "Low", - "text": "For long running operation on an AKS cluster consider event termination", - "waf": "Performance" + "severity": "Medium", + "text": "Use Network Watcher to proactively monitor traffic flows", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", - "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", - "service": "AKS", + "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Monitor", "services": [ - "AKS", + "Monitor", "WAF" ], - "severity": "Low", - "text": "If required consider using Azure Dedicated Hosts for AKS nodes", - "waf": "Performance" + "severity": "Medium", + "text": "Use Azure Monitor Logs for insights and reporting.", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | 
project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", - "guid": "24367b33-6971-45b1-952b-eee0b9b588de", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", + "guid": "97be9951-9048-4384-9c98-6cb2913156a1", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", + "service": "Monitor", "services": [ + "Monitor", "WAF" ], - "severity": "High", - "text": "Use ephemeral OS disks", - "waf": "Performance" + "severity": "Medium", + "text": "Use Azure Monitor alerts for the generation of operational alerts.", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "AKS", + "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "Monitor", "services": [ - "AKS", + "Monitor", "WAF" ], - "severity": "High", - "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and will generate huge logs with default AKS log rotation thresholds", - "waf": "Performance" + "severity": "Medium", + "text": "When using Change and Inventory Tracking via Azure Automation Accounts, ensure that you have selected supported regions for linking your Log Analytics workspace and automation accounts together.", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", - "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", - "service": "AKS", + "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Backup", 
"services": [ - "AKS", - "Storage", + "Backup", "WAF" ], - "severity": "Low", - "text": "For hyper performance storage option use Ultra Disks on AKS", - "waf": "Performance" - }, + "severity": "Medium", + "text": "When using Azure Backup, consider the different backup types (GRS, ZRS & LRS) as the default setting is GRS", + "waf": "Reliability" + }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", - "service": "AKS", + "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "VM", "services": [ - "SQL", - "Storage", + "VM", + "AzurePolicy", "WAF" ], "severity": "Medium", - "text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, etc)", - "waf": "Performance" + "text": "Use Azure policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", - "service": "AKS", + "description": "Azure Policy's guest configuration features can audit and remediate machine settings (e.g., OS, application, environment) to ensure resources align with expected configurations, and Update Management can enforce patch management for VMs.", + "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "VM", "services": [ - "Storage", + "VM", + "Monitor", + "AzurePolicy", "WAF" ], "severity": 
"Medium", - "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance reasons", - "waf": "Performance" + "text": "Monitor VM security configuration drift via Azure Policy.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", "checklist": "WAF checklist", - "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", - "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", - "service": "AKS", + "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "VM", "services": [ - "Storage", + "ASR", + "ACR", + "VM", "WAF" ], "severity": "Medium", - "text": "If using Azure Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right zone or use ZRS disk for nodepools spanning multiple zones", - "waf": "Performance" + "text": "Use Azure Site Recovery for Azure-to-Azure Virtual Machines disaster recovery scenarios. 
This enables you to replicate workloads across regions.", + "waf": "Operations" }, { "checklist": "WAF checklist", - "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", - "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", - "service": "Logic Apps", + "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "Backup", "services": [ + "Backup", "WAF" ], - "severity": "High", - "text": "Select the right Logic App hosting plan based on your business & SLO requirements", - "waf": "Reliability" + "severity": "Medium", + "text": "Use Azure-native backup capabilities, or an Azure-compatible, 3rd-party backup solution.", + "waf": "Operations" }, { + "ammp": true, "checklist": "WAF checklist", - "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", - "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "Logic Apps", + "guid": "826c5c45-bb79-4951-a812-e3bfbfd7326b", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "VM", "services": [ + "VM", "WAF" ], "severity": "High", - "text": "Protect logic apps from region failures with zone redundancy and availability zones", + "text": "Leverage Availability Zones for your VMs in regions where they are supported.", "waf": "Reliability" }, { + "ammp": true, "checklist": "WAF checklist", - "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", - "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Logic Apps", + "guid": "7ccb7c06-5511-42df-8177-d97f08d0337d", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "VM", "services": [ + "VM", "WAF" ], "severity": "High", - "text": "Consider a Cross-Region DR strategy for 
critical workloads", + "text": "Avoid running a production workload on a single VM.", "waf": "Reliability" }, { "checklist": "WAF checklist", - "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", - "link": "https://learn.microsoft.com/azure/app-service/environment/intro", - "service": "Logic Apps", + "guid": "84101f59-1941-4195-a270-e28034290e3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", "services": [ - "AppSvc", - "WAF" + "ACR", + "LoadBalancer", + "WAF", + "AppGW" ], - "severity": "High", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "severity": "Medium", + "text": "Azure Load Balancer and Application Gateway distribute incoming network traffic across multiple resources.", "waf": "Reliability" }, { + "ammp": true, "checklist": "WAF checklist", - "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", - "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", - "service": "Logic Apps", + "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "WAF", "services": [ - "WAF" + "FrontDoor", + "WAF", + "AppGW" + ], + "severity": "High", + "text": "Add diagnostic settings to save WAF logs from application delivery services like Azure Front Door and Azure Application Gateway. 
Regularly review the logs to check for attacks and for false positive detections.", + "waf": "Operations" + }, + { + "checklist": "WAF checklist", + "guid": "7f408960-c626-44cb-a018-347c8d790cdf", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "WAF", + "services": [ + "AppGW", + "FrontDoor", + "WAF", + "Sentinel" ], "severity": "Medium", - "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", + "text": "Send WAF logs from your application delivery services like Azure Front Door and Azure Application Gateway to Microsoft Sentinel. Detect attacks and integrate WAF telemetry into your overall Azure environment.", "waf": "Operations" }, { + "ammp": true, "checklist": "WAF checklist", - "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", + "guid": "5017f154-e3ab-4369-9829-e7e316183687", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "Key Vault", "services": [ + "AKV", "WAF" ], "severity": "High", - "text": "Select the right Function hosting plan based on your business & SLO requirements", - "waf": "Reliability" + "text": "Use Azure Key Vault to store your secrets and credentials", + "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", + "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where 
type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", + "guid": "a0477a20-9945-4bda-9333-4f2491163418", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", + "service": "Key Vault", "services": [ + "AKV", "WAF" ], - "severity": "High", - "text": "Leverage Availability Zones where regionally applicable (not available for Consumption tier)", - "waf": "Reliability" + "severity": "Medium", + "text": "Use different Azure Key Vaults for different applications and regions to avoid transaction scale limits and restrict access to secrets.", + "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", - "service": "Azure Functions", + "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "services": [ + "AKV", + "AzurePolicy", "WAF" ], "severity": "Medium", - "text": "Consider a Cross-Region DR strategy for critical workloads", - "waf": "Reliability" + "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", + "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Azure Functions", + "guid": "dc055bcf-619e-48a1-9f98-879525d62688", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "services": [ - "AppSvc", + "Entra", + "RBAC", + "AKV", "WAF" ], - "severity": "High", - "text": "If deploying to 
an Isolated environment, use or migrate to App Service Environment (ASE) v3", - "waf": "Reliability" + "severity": "Medium", + "text": "Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Microsoft Entra ID roles.", + "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "Azure Functions", + "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "services": [ - "AppSvc", "WAF" ], - "severity": "High", - "text": "Ensure 'Always On' is enabled for all Function Apps running on App Service Plan", - "waf": "Reliability" + "severity": "Medium", + "text": "Automate the certificate management and renewal process with public certificate authorities to ease administration.", + "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", - "service": "Azure Functions", + "guid": "913156a1-2476-4e49-b541-acdce979377b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "services": [ - "Storage", "WAF" ], "severity": "Medium", - "text": "Pair a Function App to its own storage account. 
Try not to re-use storage accounts for Function Apps unless they are tightly coupled", - "waf": "Reliability" + "text": "Establish an automated process for key and certificate rotation.", + "waf": "Security" }, { "checklist": "WAF checklist", - "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "Azure Functions", + "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "services": [ + "VNet", + "PrivateLink", + "AKV", "WAF" ], "severity": "Medium", - "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Function App code", - "waf": "Operations" + "text": "Enable firewall and virtual network service endpoint or private endpoint on the vault to control access to the key vault.", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Azure Bot Service", - "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", - "service": "Bot service", - "services": [], + "checklist": "WAF checklist", + "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", + "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", + "service": "Key Vault", + "services": [ + "Entra", + "Monitor", + "AKV", + "WAF" + ], "severity": "Medium", - "subcategory": "High Availablity", - "text": "Follow reliability support recommendations in Azure Bot Service", - "waf": "Reliability" + "text": "Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault.", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Azure Bot Service", - "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", - "link": 
"https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", - "service": "Bot service", - "services": [], + "checklist": "WAF checklist", + "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "services": [ + "AKV", + "AzurePolicy", + "WAF" + ], "severity": "Medium", - "subcategory": "High Availablity", - "text": "Deploying bots with local data residency and regional compliance", - "waf": "Reliability" + "text": "Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant configuration.", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Azure Bot Service", - "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", - "service": "Bot service", - "services": [], + "checklist": "WAF checklist", + "guid": "91163418-2ba5-4275-8694-4008be7d7e48", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "services": [ + "AKV", + "WAF" + ], "severity": "Medium", - "subcategory": "High Availablity", - "text": "Azure Bot Service runs in active-active mode for both global and regional services. When an outage occurs, you don't need to detect errors or manage the service. Azure Bot Service automatically performs auto failover and auto recovery in a multi-region geographical architecture. For the EU bot regional service, Azure Bot Service provides two full regions inside Europe with active/active replication to ensure redundancy. 
For the global bot service, all available regions/geographies can be served as the global footprint.", - "waf": "Reliability" + "text": "Use an Azure Key Vault per application per environment per region.", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "1fc2fc14-eea6-4e69-b8d9-a3edc218e687", - "link": "https://polite-sea-0995b240f.2.azurestaticapps.net/technical-delivery-playbook/azure-services/analytics/purview/", - "service": "Purview", - "services": [], + "checklist": "WAF checklist", + "guid": "25d62688-6d70-4ba6-a97b-e99519048384", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "services": [ + "ASR", + "ACR", + "AKV", + "WAF" + ], "severity": "Medium", - "subcategory": "Best Practices", - "text": "Leverage FTA Resillency Handbook", - "waf": "Reliability" + "text": "If you want to bring your own keys, this might not be supported across all considered services. Implement relevant mitigation so that inconsistencies don't hinder desired outcomes. 
Choose appropriate region pairs and disaster recovery regions that minimize latency.", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "ab067acb-49e5-4b96-8332-4ecf8cc13318", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", + "checklist": "WAF checklist", + "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", + "link": "https://learn.microsoft.com/industry/sovereignty/key-management", + "service": "Key Vault", "services": [ - "ASR" + "AKV", + "WAF" ], - "severity": "High", - "subcategory": "Disaster Recovery", - "text": "Plan for Data Center level outage", - "waf": "Reliability" + "severity": "Medium", + "text": "For Sovereign Landing Zone, use Azure Key Vault managed HSM to store your secrets and credentials.", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "description": "1. Create the new account 2. Migrate configuration items 3. Run scans 4. Migrate custom typedefs and custom assets 5. Migrate relationships 6. Migrate glossary terms 7. Assign classifications to assets 8. 
Assign contacts to assets", - "guid": "da611702-69f4-4fb4-aa3d-3ef7f3176c4b", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", + "checklist": "WAF checklist", + "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", + "service": "Entra", "services": [ - "ASR" + "Entra", + "WAF" ], "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Practice Failover for BCDR", - "waf": "Reliability" + "text": "Use Microsoft Entra ID reporting capabilities to generate access control audit reports.", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "97b15b8a-219a-44ab-bb57-879024d22678", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", + "ammp": true, + "checklist": "WAF checklist", + "guid": "09945bda-4333-44f2-9911-634182ba5275", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", + "service": "Defender", "services": [ - "Backup" + "Defender", + "Subscriptions", + "WAF" ], "severity": "High", - "subcategory": "Backup and Restore ", - "text": "Plan a backup strategy and take regular backups", - "waf": "Reliability" + "text": "Enable Defender Cloud Security Posture Management for all subscriptions.", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "6d20b56c-56a9-4581-89bf-8d8e5c586b7d", - "link": "https://learn.microsoft.com/purview/manage-kafka-dotnet", - "service": "Purview", + "ammp": true, + "checklist": "WAF checklist", + "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", + "service": "Defender", "services": [ - "EventHubs" + "Defender", + "Subscriptions", + "WAF" ], - 
"severity": "Low", - "subcategory": "Purview Accounts Replications", - "text": "Use Microsoft Purview's Event Hubs to subscribe and create entities to another account", - "waf": "Reliability" + "severity": "High", + "text": "Enable a Defender Cloud Workload Protection Plan for Servers on all subscriptions.", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "8cdc15ac-c075-4ee9-a130-a8889579e76b", - "link": "https://learn.microsoft.com/purview/deployment-best-practices", - "service": "Purview", - "services": [], - "severity": "Medium", - "subcategory": "Data catalog", - "text": "Follow Purview accounts architectures and deployment best practices", - "waf": "Reliability" + "ammp": true, + "checklist": "WAF checklist", + "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", + "service": "Defender", + "services": [ + "Defender", + "Subscriptions", + "WAF" + ], + "severity": "High", + "text": "Enable Defender Cloud Workload Protection Plans for Azure Resources on all subscriptions.", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "896e710a-7da7-4be9-a56d-14d3c49d997c", - "link": "https://learn.microsoft.com/purview/concept-best-practices-collections", - "service": "Purview", - "services": [], - "severity": "Medium", - "subcategory": "Data catalog", - "text": "Follow Collection Architectures and best practices", - "waf": "Reliability" + "ammp": true, + "checklist": "WAF checklist", + "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", + "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", + "service": "VM", + "services": [ + "WAF" + ], + "severity": "High", + "text": "Enable Endpoint Protection on IaaS Servers.", + "waf": "Security" }, { - "category": "Operations management", - "checklist": 
"Microsoft Purview Review Checklist", - "guid": "b3d1325a-a225-4c6f-9e06-85edddea8a4b", - "link": "https://learn.microsoft.com/purview/concept-best-practices-asset-lifecycle", - "service": "Purview", - "services": [], + "checklist": "WAF checklist", + "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", + "link": "https://learn.microsoft.com/azure/security-center/", + "service": "VM", + "services": [ + "Defender", + "Monitor", + "WAF" + ], "severity": "Medium", - "subcategory": "Data catalog", - "text": "Follow Assest lifecycle best practices", - "waf": "Reliability" + "text": "Monitor base operating system patching drift via Azure Monitor Logs and Defender for Cloud.", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "7cdeb3c6-1fc2-4fc1-9eea-6e69d8d9a3ed", - "link": "https://learn.microsoft.com/purview/concept-best-practices-automation", - "service": "Purview", - "services": [], + "checklist": "WAF checklist", + "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", + "services": [ + "Entra", + "Monitor", + "WAF" + ], "severity": "Medium", - "subcategory": "Data catalog", - "text": "Follow automation best practices", - "waf": "Reliability" + "text": "Connect default resource configurations to a centralized Azure Monitor Log Analytics workspace.", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "c218e687-ab06-47ac-a49e-5b9603324ecf", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", + "checklist": "WAF checklist", + "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", + "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", + "service": "Entra", "services": [ - "Backup" + "Entra", + "WAF" ], "severity": "Medium", - "subcategory": "Data catalog", - 
"text": "Follow Backup and Migration Best practices", - "waf": "Reliability" + "text": "For Sovereign Landing Zone, transparancy logs is enabled on the Entra ID tenant.", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "8cc13318-da61-4170-869f-4fb4aa3d3ef7", - "link": "https://learn.microsoft.com/purview/concept-best-practices-glossary", - "service": "Purview", - "services": [], + "checklist": "WAF checklist", + "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", + "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", + "service": "Entra", + "services": [ + "Entra", + "WAF" + ], "severity": "Medium", - "subcategory": "Data catalog", - "text": "Follow Purview Glossary Best Practices", - "waf": "Reliability" - }, - { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "f3176c4b-97b1-45b8-a219-a4abeb578790", - "link": "https://learn.microsoft.com/purview/concept-workflow", - "service": "Purview", - "services": [], - "severity": "Low", - "subcategory": "Data catalog", - "text": "Leverage Workflows ", - "waf": "Reliability" + "text": "For Sovereign Landing Zone, customer Lockbox is enabled on the Entra ID tenant.", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "24d22678-6d20-4b56-a56a-958119bf8d8e", - "link": "https://learn.microsoft.com/purview/concept-best-practices-security", - "service": "Purview", - "services": [], - "severity": "Medium", - "subcategory": "Data catalog", - "text": "Follow Purview Security Best Practices", - "waf": "Reliability" + "ammp": true, + "checklist": "WAF checklist", + "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Storage", + "services": [ + "Storage", + "WAF" + ], + "severity": "High", + 
"text": "Secure transfer to storage accounts should be enabled", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "5c586b7d-8cdc-415a-ac07-5ee9b130a888", - "link": "https://learn.microsoft.com/purview/concept-best-practices-lineage-azure-data-factory", - "service": "Purview", - "services": [], - "severity": "Medium", - "subcategory": "Data Map", - "text": "Follow Purview Data Lineage Best Practices", - "waf": "Reliability" + "ammp": true, + "checklist": "WAF checklist", + "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", + "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", + "service": "Storage", + "services": [ + "Storage", + "WAF" + ], + "severity": "High", + "text": "Enable container soft delete for the storage account to recover a deleted container and its contents.", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "9579e76b-896e-4710-a7da-7be9956d14d3", - "link": "https://learn.microsoft.com/purview/concept-best-practices-scanning", - "service": "Purview", - "services": [], - "severity": "Medium", - "subcategory": "Data Map", - "text": "Follow Best Practices for Scanning Registered Sources", - "waf": "Reliability" + "ammp": true, + "checklist": "WAF checklist", + "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", + "service": "Key Vault", + "services": [ + "VM", + "AKV", + "WAF" + ], + "severity": "High", + "text": "Use Key Vault secrets to avoid hard-coding sensitive information such as credentials (virtual machines user passwords), certificates or keys.", + "waf": "Operations" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": 
"c49d997c-b3d1-4325-aa22-5c6f4e0685ed", - "link": "https://learn.microsoft.com/purview/concept-best-practices-classification", - "service": "Purview", - "services": [], + "checklist": "WAF checklist", + "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", + "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", + "service": "APIM", + "services": [ + "AzurePolicy", + "WAF" + ], "severity": "Medium", - "subcategory": "Data Map", - "text": "Follow Classification Best Practices in Governance Portal", - "waf": "Reliability" + "text": "Implement an error handling policy at the global level", + "waf": "Operations" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "ddea8a4b-7cde-4b3c-91fc-2fc14eea6e69", - "link": "https://learn.microsoft.com/purview/sensitivity-labels-frequently-asked-questions", - "service": "Purview", - "services": [], + "checklist": "WAF checklist", + "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", + "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", + "service": "APIM", + "services": [ + "AzurePolicy", + "WAF" + ], "severity": "Medium", - "subcategory": "Data Map", - "text": "Perform Sensitivity Labelling in the Purview Data Map", - "waf": "Reliability" + "text": "Ensure all APIs policies include a element.", + "waf": "Operations" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "d8d9a3ed-c218-4e68-9ab0-67acb49e5b96", - "link": "https://learn.microsoft.com/purview/concept-data-share", - "service": "Purview", + "checklist": "WAF checklist", + "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", + "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", + "service": "APIM", "services": [ - "Storage" + "ACR", + "AzurePolicy", + "WAF" ], - "severity": "Low", - "subcategory": "Data Sharing", - "text": 
"Leverage Azure Storage in-place data sharing with Microsoft Purview", - "waf": "Reliability" - }, - { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "03324ecf-8cc1-4331-ada6-1170269f4fb4", - "link": "https://learn.microsoft.com/purview/concept-insights", - "service": "Purview", - "services": [], - "severity": "Low", - "subcategory": "Data Estate", - "text": "Leverage Data Estate Insights", - "waf": "Reliability" + "severity": "Medium", + "text": "Use Policy Fragments to avoid repeating same policies definitions across multiple APIs", + "waf": "Operations" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "aa3d3ef7-f317-46c4-a97b-15b8a219a4ab", - "link": "https://learn.microsoft.com/purview/catalog-adoption-insights", - "service": "Purview", - "services": [], - "severity": "Low", - "subcategory": "Data Estate", - "text": "Use Data stewardship and Catalog adoption", - "waf": "Reliability" + "checklist": "WAF checklist", + "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", + "link": "https://learn.microsoft.com/azure/api-management/monetization-support", + "service": "APIM", + "services": [ + "WAF" + ], + "severity": "Medium", + "text": "If you are planning to monetize your APIs, review the 'monetization support' article for best practices", + "waf": "Operations" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "eb578790-24d2-4267-a6d2-0b56c56a9581", - "link": "https://learn.microsoft.com/purview/concept-insights", - "service": "Purview", - "services": [], - "severity": "Low", - "subcategory": "Data Estate", - "text": "Use Inventory and Ownership", - "waf": "Reliability" + "checklist": "WAF checklist", + "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", + "service": "APIM", + "services": [ + 
"Monitor", + "WAF" + ], + "severity": "High", + "text": "Enable Diagnostics Settings to export logs to Azure Monitor", + "waf": "Operations" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "19bf8d8e-5c58-46b7-b8cd-c15acc075ee9", - "link": "https://learn.microsoft.com/purview/glossary-insights", - "service": "Purview", - "services": [], - "severity": "Low", - "subcategory": "Data Estate", - "text": "Leverage Insights for Glossary, Classifications, Sensitivity Labels", - "waf": "Reliability" + "checklist": "WAF checklist", + "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", + "service": "APIM", + "services": [ + "WAF" + ], + "severity": "Medium", + "text": "Enable Application Insights for more detailed telemetry", + "waf": "Operations" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "b130a888-9579-4e76-a896-e710a7da7be9", - "link": "https://learn.microsoft.com/purview/compliance-manager", - "service": "Purview", - "services": [], - "severity": "Medium", - "subcategory": "Data Quality ", - "text": "Generate assessment scores", - "waf": "Reliability" + "checklist": "WAF checklist", + "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", + "service": "APIM", + "services": [ + "Monitor", + "WAF" + ], + "severity": "High", + "text": "Configure alerts on the most critical metrics", + "waf": "Operations" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "956d14d3-c49d-4997-ab3d-1325aa225c6f", - "link": "https://learn.microsoft.com/purview/compliance-manager-scoring", - "service": "Purview", - "services": [], - "severity": "Medium", - "subcategory": "Data Quality ", - "text": "Profiling- get summaries of data 
content", - "waf": "Reliability" + "checklist": "WAF checklist", + "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", + "service": "APIM", + "services": [ + "AKV", + "WAF" + ], + "severity": "High", + "text": "Ensure that custom SSL certificates are stored an Azure Key Vault so they can be securely accessed and updated", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "4e0685ed-ddea-48a4-a7cd-eb3c61fc2fc1", - "link": "https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts", - "service": "Purview", + "checklist": "WAF checklist", + "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", + "service": "APIM", "services": [ - "AzurePolicy" + "Entra", + "WAF" ], - "severity": "Low", - "subcategory": "Data Policy", - "text": "Follow Microsoft Purview Data Owner access policies", - "waf": "Reliability" + "severity": "High", + "text": "Protect incoming requests to APIs (data plane) with Azure AD", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "4eea6e69-d8d9-4a3e-bc21-8e687ab067ac", - "link": "https://learn.microsoft.com/purview/concept-self-service-data-access-policy", - "service": "Purview", + "checklist": "WAF checklist", + "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", + "service": "APIM", "services": [ - 
"AzurePolicy" + "Entra", + "WAF" ], - "severity": "Low", - "subcategory": "Data Policy", - "text": "Follow Self-service access policies", - "waf": "Reliability" + "severity": "Medium", + "text": "Use Microsoft Entra ID to authenticate users in the Developer Portal", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "b49e5b96-0332-44ec-b8cc-13318da61170", - "link": "https://learn.microsoft.com/purview/concept-policies-devops", - "service": "Purview", + "checklist": "WAF checklist", + "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", + "service": "APIM", "services": [ - "AzurePolicy" + "WAF" ], - "severity": "Low", - "subcategory": "Data Policy", - "text": "Follow DevOps policies", - "waf": "Reliability" + "severity": "Medium", + "text": "Create appropriate groups to control the visibility of the products", + "waf": "Security" }, { - "category": "Automation", - "checklist": "SAP Checklist", - "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", - "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "06862505-2d9a-4874-9491-2837b00a3475", + "link": "https://learn.microsoft.com/azure/api-management/backends", + "service": "APIM", "services": [ - "SAP" + "WAF" ], "severity": "Medium", - "subcategory": "ACSS", - "text": "Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP a top-level workload on Azure. ACSS is an end-to-end solution that enables you to create and run SAP systems as a unified workload on Azure and provides a more seamless foundation for innovation. 
You can take advantage of the management capabilities for both new and existing Azure-based SAP systems.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", + "text": "Use Backends feature to eliminate redundant API backend configurations", "waf": "Operations" }, { - "category": "Automation", - "checklist": "SAP Checklist", - "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", + "service": "APIM", "services": [ - "SAP" + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "SDAF", - "text": "Azure supports automating SAP deployments in Linux and Windows. SAP Deployment Automation Framework is an open-source orchestration tool that can deploy, install, and maintain SAP environments.", - "training": "https://github.com/Azure/sap-automation", + "text": "Use Named Values to store common values that can be used in policies", "waf": "Operations" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", + "service": "APIM", "services": [ - "Backup", - "ASR", - "SAP" + "ACR", + "WAF" ], "severity": "Medium", - "subcategory": "Backup and restore", - "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time 
recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally", + "text": "For DR, leverage the premium tier with deployments scaled across two or more regions for 99.99% SLA", "waf": "Reliability" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", + "link": "https://learn.microsoft.com/azure/api-management/high-availability", + "service": "APIM", "services": [ - "ASR", - "Backup", - "SAP" + "WAF" ], "severity": "Medium", - "subcategory": "Disaster recovery", - "text": "Test the backup and recovery times to verify that they meet your RTO requirements for restoring all systems simultaneously after a disaster.", + "text": "Deploy at least one unit in two or more availability zones for an increased SLA of 99.99%", "waf": "Reliability" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "b651423c-8552-42db-a545-5cb50c05527a", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", + "service": "APIM", "services": [ - "ASR", - "SAP", "Backup", - "SQL", - "Storage" + "WAF" ], "severity": "High", - "subcategory": "Disaster recovery", - "text": "You can replicate standard storage between paired regions, but you can't use standard storage to store your databases or virtual hard disks. You can replicate backups only between paired regions that you use. 
For all your other data, run your replication by using native DBMS features like SQL Server Always On or SAP HANA System Replication. Use a combination of Site Recovery, rsync or robocopy, and other third-party software for the SAP application layer.",
- "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/",
+ "text": "Ensure there is an automated backup routine",
 "waf": "Reliability"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "aa208dca-784f-46c6-9014-cc919c542dc9",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485",
+ "link": "https://learn.microsoft.com/azure/api-management/retry-policy",
+ "service": "APIM",
 "services": [
- "ASR",
- "SAP"
+ "AzurePolicy",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Disaster recovery",
- "text": "When using Azure Availability Zones to achieve high availability, you must consider latency between SAP application servers and database servers. 
For zones with high latencies, operational procedures need to be in place to ensure that SAP application servers and database servers are running in the same zone at all times.",
- "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations",
+ "text": "Use Policies to add a fail-over backend URL and caching to reduce failing calls.",
 "waf": "Reliability"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "ba07c007-1f90-43e9-aa4f-601346b80352",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs",
+ "service": "APIM",
 "services": [
- "ASR",
- "ExpressRoute",
- "VPN",
- "SAP"
+ "EventHubs",
+ "AzurePolicy",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Disaster recovery",
- "text": "Set up ExpressRoute connections from on-premises to the primary and secondary Azure disaster recovery regions. 
Also, as an alternative to using ExpressRoute, consider setting up VPN connections from on-premises to the primary and secondary Azure disaster recovery regions.",
- "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering",
- "waf": "Reliability"
+ "severity": "Low",
+ "text": "If you need to log at high performance levels, consider Event Hubs policy",
+ "waf": "Operations"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c",
- "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling",
+ "service": "APIM",
 "services": [
- "ASR",
- "ACR",
- "AKV",
- "SAP"
+ "AzurePolicy",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Disaster recovery",
- "text": "Replicate key vault contents like certificates, secrets, or keys across regions so you can decrypt data in the DR region.",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Apply throttling policies to control the number of requests per second",
+ "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/",
+ "waf": "Performance"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd",
- "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale",
+ "service": "APIM",
 "services": [
- "ASR",
- "VNet",
- "SAP"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Disaster recovery",
- "text": "Peer the 
primary and disaster recovery virtual networks. For example, for HANA System Replication, an SAP HANA DB virtual network needs to be peered to the disaster recovery site's SAP HANA DB virtual network.",
- "waf": "Reliability"
+ "text": "Configure autoscaling to scale out the number of instances when the load increases",
+ "waf": "Performance"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40",
- "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "84b94abb-59b6-4b9d-8587-3413669468e8",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway",
+ "service": "APIM",
 "services": [
- "ASR",
- "Storage",
- "SAP"
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Disaster recovery",
- "text": "If you use Azure NetApp Files storage for your SAP deployments, at a minimum, create two Azure NetApp Files accounts in the Premium tier, in two regions.",
- "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Deploy self-hosted gateways where Azure doesn't have a region close to the backend APIs.",
+ "waf": "Performance"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1",
- "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0",
+ "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale",
+ "service": "APIM",
 "services": [
- "ASR",
- "SAP"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Disaster recovery",
- "text": "Native database replication technology should be used to synchronize the database in a HA pair.",
- "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations",
+ "severity": "Medium",
+ "text": "Use the premium tier for production workloads.",
 "waf": "Reliability"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad",
- "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services",
+ "service": "APIM",
 "services": [
- "ASR",
- "VNet",
- "SAP"
+ "AzurePolicy",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Disaster recovery",
- "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's VNet",
- "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations",
+ "severity": "Medium",
+ "text": "In multi-region model, use Policies to route the requests to regional backends based on availability or latency.",
 "waf": "Reliability"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits",
+ "service": "APIM",
 "services": [
 "Entra",
- "ASR",
- "VM",
- "SAP"
+ "APIM",
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Disaster recovery",
- "text": "Use Site Recovery to 
replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).",
- "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/",
+ "text": "Be aware of APIM's limits",
 "waf": "Reliability"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600",
+ "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview",
+ "service": "APIM",
 "services": [
- "ASR",
- "SAP"
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "High availability",
- "text": "Consider the availability of SAP software against single points of failure. This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. 
Also, other tools such as SAP Web Dispatcher.",
- "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations",
+ "text": "Ensure that the self-hosted gateway deployments are resilient.",
 "waf": "Reliability"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579",
- "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "7519e385-a88b-4d34-966b-6269d686e890",
+ "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management",
+ "service": "APIM",
 "services": [
- "ASR",
- "SAP"
+ "Entra",
+ "APIM",
+ "FrontDoor",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "High availability",
- "text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. 
In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Use Azure Front Door in front of APIM for multi-region deployment",
+ "waf": "Performance"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320",
- "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "cd45c90e-7690-4753-930b-bf290c69c074",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration",
+ "service": "APIM",
 "services": [
- "ASR",
- "VM",
- "Storage",
- "SAP"
+ "VNet",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "High availability",
- "text": "Azure doesn't support architectures in which the primary and secondary VMs share storage for DBMS data. 
For the DBMS layer, the common architecture pattern is to replicate databases at the same time and with different storage stacks than the ones that the primary and secondary VMs use.",
- "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Deploy the service within a Virtual Network (VNet)",
+ "waf": "Security"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba",
- "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support",
+ "service": "APIM",
 "services": [
- "ASR",
- "Storage",
- "SAP"
+ "VNet",
+ "Entra",
+ "WAF",
+ "Monitor",
+ "APIM"
 ],
- "severity": "High",
- "subcategory": "High availability",
- "text": "The DBMS data and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. 
Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Deploy network security groups (NSG) to your subnets to restrict or monitor traffic to/from APIM.",
+ "waf": "Security"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b",
- "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "67437a28-2721-4a2c-becd-caa54c8237a5",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link",
+ "service": "APIM",
 "services": [
- "ASR",
- "SAP"
+ "VNet",
+ "Entra",
+ "WAF",
+ "APIM",
+ "PrivateLink"
 ],
- "severity": "High",
- "subcategory": "High availability",
- "text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific high-availability scenarios. Set up your failover clusters separately for SAP application layer components and the DBMS layer. 
Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Deploy Private Endpoints to filter incoming traffic when APIM is not deployed to a VNet.",
+ "waf": "Security"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "d698adbd-3288-44cb-b10a-9b572da395ae",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access",
+ "service": "APIM",
 "services": [
- "ASR",
- "LoadBalancer",
- "SAP"
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "High availability",
- "text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer should handle the virtual IP address for all other cases. One design principle is to use one load balancer per cluster configuration. 
We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).",
- "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations",
- "waf": "Reliability"
+ "text": "Disable Public Network Access",
+ "waf": "Security"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd",
+ "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management",
+ "service": "APIM",
 "services": [
- "ASR",
- "LoadBalancer",
- "SAP"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "High availability",
- "text": "Make sure the Floating IP is enabled on the Load balancer",
- "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Simplify management with PowerShell automation scripts",
+ "waf": "Operations"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations",
+ "service": "APIM",
 "services": [
- "ASR",
- "SAP"
+ "Entra",
+ "APIM",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "High availability",
- "text": "Before you deploy your high-availability infrastructure, and depending on the region you choose, 
determine whether to deploy with an Azure availability set or an availability zone.",
- "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Configure APIM via Infrastructure-as-code. Review DevOps best practices from the Cloud Adaption Framework APIM Landing Zone Accelerator",
+ "waf": "Operations"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea",
- "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6",
+ "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial",
+ "service": "APIM",
 "services": [
 "Entra",
- "ASR",
- "VM",
- "SAP"
+ "APIM",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "High availability",
- "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Promote usage of Visual Studio Code APIM extension for faster API development",
+ "waf": "Operations"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "cbe05bbe-209d-4490-ba47-778424d11678",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "354f1c03-8112-4965-85ad-c0074bddf231",
+ "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates",
+ "service": "APIM",
 "services": [
- "RBAC",
- "ASR",
- "SAP",
- "Entra",
- "VM"
+ "WAF"
 ],
- 
"severity": "High",
- "subcategory": "High availability",
- "text": "Do not mix servers of different roles in the same availability set. Keep central services VMs, database VMs, application VMs in their own availability sets",
- "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Implement DevOps and CI/CD in your workflow",
+ "waf": "Operations"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86",
- "link": "https://learn.microsoft.com/azure/virtual-machines/co-location",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "b6439493-426a-45f3-9697-cf65baee208d",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients",
+ "service": "APIM",
 "services": [
- "ASR",
- "SAP"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "High availability",
- "text": "You can't deploy Azure availability sets within an Azure availability zone unless you use proximity placement groups.",
- "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
- "waf": "Reliability"
+ "text": "Secure APIs using client certificate authentication",
+ "waf": "Security"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "9674e7c7-7796-4181-8920-09f4429543ba",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "2a67d143-1033-4c0a-8732-680896478f08",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates",
+ "service": "APIM",
 "services": [
- "ASR",
- "VM",
- "SAP"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "High availability",
- "text": "When you create availability sets, use the 
maximum number of fault domains and update domains available. For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. The default number of fault domains is two, and you can't change it online later.",
- "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Secure backend services using client certificate authentication",
+ "waf": "Security"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2",
- "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "074435f5-4a46-41ac-b521-d6114cb5d845",
+ "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats",
+ "service": "APIM",
 "services": [
- "Entra",
- "ASR",
- "SAP"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "High availability",
- "text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group.",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Review 'Recommendations to mitigate OWASP API Security Top 10 threats' article and check what is applicable to your APIs",
+ "waf": "Security"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2",
- "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": 
"5507c4b8-a7f8-41d6-9661-418c987100c9",
+ "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview",
+ "service": "APIM",
 "services": [
- "ASR",
- "ACR",
- "SAP"
+ "WAF"
+ ],
+ "severity": "Medium",
+ "text": "Use Authorizations feature to simplify management of OAuth 2.0 token for your backend APIs",
+ "waf": "Security"
+ },
+ {
+ "checklist": "WAF checklist",
+ "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers",
+ "service": "APIM",
+ "services": [
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "High availability",
- "text": "Use one proximity placement group per SAP SID. Groups don't span across Availability Zones or Azure regions",
- "waf": "Reliability"
+ "text": "Use the latest TLS version when encrypting information in transit. Disable outdated and unnecessary protocols and ciphers when possible.",
+ "waf": "Security"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "f8af3d94-1d2b-4070-846f-849197524258",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets",
+ "service": "APIM",
 "services": [
- "Entra",
- "ASR",
- "SAP"
+ "AKV",
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "High availability",
- "text": "Use one of the following services to run SAP central services clusters, depending on the operating system.",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "Reliability"
+ "text": "Ensure that secrets (Named values) are stored an Azure Key Vault so they can be securely accessed and updated",
+ "waf": "Security"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "ed46b937-913e-4018-9c62-8393ab037e53",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "791abd8b-7706-4e31-9569-afefde724be3",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities",
+ "service": "APIM",
 "services": [
 "Entra",
- "ASR",
- "VM",
- "SAP"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "High availability",
- "text": "Azure doesn't currently support combining ASCS and DB HA in the same Linux Pacemaker cluster; separate them into individual clusters. However, you can combine up to five multiple central-services clusters into a pair of VMs.",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "Reliability"
+ "text": "Use managed identities to authenticate to other Azure resources whenever possible",
+ "waf": "Security"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "f656e745-0cfb-453e-8008-0528fa21c933",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall",
+ "service": "APIM",
 "services": [
- "ASR",
- 
"VM",
- "Storage",
- "SAP"
+ "Entra",
+ "APIM",
+ "WAF",
+ "AppGW"
 ],
- "severity": "Medium",
- "subcategory": "High availability",
- "text": "Deploy both VMs in the high-availability pair in an availability set or in availability zones. These VMs should be the same size and have the same storage configuration.",
- "waf": "Reliability"
+ "severity": "High",
+ "text": "Use web application firewall (WAF) by deploying Application Gateway in front of APIM",
+ "waf": "Security"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "7f684ebc-95da-425e-b329-e782dbed050f",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421",
+ "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations",
+ "service": "App Services",
 "services": [
- "ASR",
- "SAP"
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "High availability",
- "text": "Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances on the same high availability cluster running on Red Hat Enterprise Linux (RHEL).",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "severity": "Low",
+ "text": "Refer to baseline highly available zone-redundant web application architecture for best practices",
 "waf": "Reliability"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "07991f7d-6598-4d90-9431-45c62605d3a5",
- "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820",
+ "link": 
"https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans",
+ "service": "App Services",
 "services": [
- "ASR",
- "Storage",
- "SAP"
+ "Backup",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Storage",
- "text": "Run all production systems on Premium managed SSDs and use Azure NetApp Files or Ultra Disk Storage. At least the OS disk should be on the Premium tier so you can achieve better performance and the best SLA.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations",
+ "severity": "Medium",
+ "text": "Use Premium and Standard tiers. These tiers support staging slots and automated backups.",
 "waf": "Reliability"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c",
- "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service",
+ "service": "App Services",
 "services": [
- "ASR",
- "Storage",
- "SAP"
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Storage",
- "text": "You should run SAP HANA on Azure only on the types of storage that are certified by SAP. Note that certain volumes must be run on certain disk configurations, where applicable. These configurations include enabling Write Accelerator and using Premium storage. 
You also need to ensure that the file system that runs on storage is compatible with the DBMS that runs on the machine.",
- "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations",
+ "text": "Leverage Availability Zones where regionally applicable (requires Premium v2 or v3 tier)",
 "waf": "Reliability"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c",
- "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check",
+ "service": "App Services",
 "services": [
- "ASR",
- "Storage",
- "SAP"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Storage",
- "text": "Consider configuring high availability depending on the type of storage you use for your SAP workloads. 
Some storage services available in Azure are not supported by Azure Site Recovery, so your high availability configuration may differ.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", + "severity": "Medium", + "text": "Implement health checks", "waf": "Reliability" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", - "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", + "service": "App Services", "services": [ - "ASR", - "Storage", - "SAP" + "Backup", + "WAF", + "AppSvc" ], "severity": "High", - "subcategory": "Storage", - "text": "Different native Azure storage services (like Azure Files, Azure NetApp Files, Azure Shared Disk) may not be available in all regions. 
So to have similar SAP setup on the DR region after failover, ensure the respective storage service is offered in DR site.", + "text": "Refer to backup and restore best practices for Azure App Service", "waf": "Reliability" }, { - "category": "Cost Optimization", - "checklist": "SAP Checklist", - "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", + "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", + "service": "App Services", "services": [ - "Cost", - "SAP" + "WAF", + "AppSvc" ], - "severity": "Medium", - "subcategory": " ", - "text": "Automate SAP System Start-Stop to manage costs.", - "waf": "Cost" + "severity": "High", + "text": "Implement Azure App Service reliability best practices", + "waf": "Reliability" }, { - "category": "Cost Optimization", - "checklist": "SAP Checklist", - "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", + "service": "App Services", "services": [ - "Cost", - "VM", - "Storage", - "SAP" + "WAF", + "AppSvc" ], "severity": "Low", - "subcategory": " ", - "text": "In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD storage can be used to select a cost-conscious storage solution. However, please note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA of the individual VMs. 
Also, for systems with lower I/O throughput and low latency, such as non-production environments, lower series VMs can be used.", - "waf": "Cost" + "text": "Familiarize with how to move an App Service app to another region During a disaster", + "waf": "Reliability" }, { - "category": "Cost Optimization", - "checklist": "SAP Checklist", - "guid": "9877f353-2591-4e8b-8381-e9043fed1010", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", + "service": "App Services", "services": [ - "Cost", - "VM", - "Storage", - "SAP" + "WAF", + "AppSvc" ], - "severity": "Low", - "subcategory": " ", - "text": "As a lower-cost alternative configuration (multipurpose), you can choose a low-performance SKU for your non-production HANA database server VMs. However, it is important to note that some VM types, such as E-series, are not HANA certified (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.", - "waf": "Cost" + "severity": "High", + "text": "Familiarize with reliability support in Azure App Service", + "waf": "Reliability" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "App Services", "services": [ - "RBAC", - "Entra", - "Subscriptions", - "SAP" + "WAF", + "AppSvc" ], - "severity": "High", - "subcategory": "Identity", - "text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources", - "training": 
"https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", - "waf": "Security" + "severity": "Medium", + "text": "Ensure \"Always On\" is enabled for Function Apps running on a app service plan", + "waf": "Reliability" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "45911475-e39e-4530-accc-d979366bcda2", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", "services": [ - "Entra", - "SAP" + "Monitor", + "WAF", + "AppSvc" ], "severity": "Medium", - "subcategory": "Identity", - "text": "Enforce Principal propagation for forwarding the identity from SAP cloud application to SAP on-premises (Including IaaS) through cloud connector", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", - "waf": "Security" + "text": "Monitor App Service instances using Health checks", + "waf": "Reliability" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", + "service": "App Services", "services": [ - "Entra", - "SAP" + "Monitor", + "WAF" ], "severity": "Medium", - "subcategory": "Identity", - "text": "Implement SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics and SAP C4C with Azure AD using SAML.", - "waf": 
"Security" + "text": "Monitor availability and responsiveness of web app or website using Application Insights availability tests", + "waf": "Reliability" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", + "service": "App Services", "services": [ - "Entra", - "SAP" + "Monitor", + "WAF" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", - "waf": "Security" + "severity": "Low", + "text": "Use Application Insights Standard test to monitor availability and responsiveness of web app or website", + "waf": "Reliability" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", - "service": "SAP", + "checklist": "WAF checklist", + "description": "Use Azure Key Vault to store any secrets the application needs. 
Key Vault provides a safe and audited environment for storing secrets and is well-integrated with App Service through the Key Vault SDK or App Service Key Vault References.", + "guid": "834ac932-223e-4ce8-8b12-3071a5416415", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", "services": [ - "Entra", - "SAP" + "AKV", + "WAF", + "AppSvc" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", + "severity": "High", + "text": "Use Key Vault to store secrets", "waf": "Security" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", + "checklist": "WAF checklist", + "description": "Use a Managed Identity to connect to Key Vault either using the Key Vault SDK or through App Service Key Vault References.", + "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", "services": [ "Entra", - "SAP" + "AKV", + "WAF", + "AppSvc" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "severity": "High", + "text": "Use Managed Identity to connect to Key Vault", "waf": "Security" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", - "service": "SAP", + 
"checklist": "WAF checklist", + "description": "Store the App Service TLS certificate in Key Vault.", + "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", + "service": "App Services", "services": [ - "Entra", "AKV", - "SAP" + "WAF", + "AppSvc" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", + "severity": "High", + "text": "Use Key Vault to store TLS certificate.", "waf": "Security" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", - "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", - "service": "SAP", + "checklist": "WAF checklist", + "description": "Systems that process sensitive information should be isolated. To do so, use separate App Service Plans or App Service Environments and consider the use of different subscriptions or management groups.", + "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", + "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", + "service": "App Services", "services": [ - "Entra", - "AKV", - "SAP" + "Subscriptions", + "WAF", + "AppSvc" ], "severity": "Medium", - "subcategory": "Identity", - "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", + "text": "Isolate systems that process sensitive information", "waf": "Security" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "16785d6f-a96c-496a-b885-18f482734c88", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", - "service": "SAP", + "checklist": "WAF checklist", + "description": "Local disks on App Service are not encrypted and sensitive data should not be stored on those. (For example: D:\\\\Local and %TMP%).", + "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", + "service": "App Services", "services": [ - "Entra", - "SAP" + "TrafficManager", + "WAF", + "AppSvc" ], "severity": "Medium", - "subcategory": "Identity", - "text": "Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom applications to access SAP NetWeaver OData services.", + "text": "Do not store sensitive data on local disk", "waf": "Security" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "a747c350-8d4c-449c-93af-393dbca77c48", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", - "service": "SAP", + "checklist": "WAF checklist", + "description": "For authenticated web application, use a well established Identity Provider like Azure AD or Azure AD B2C. 
Leverage the application framework of your choice to integrate with this provider or use the App Service Authentication / Authorization feature.", + "guid": "919ca0b2-c121-459e-814b-933df574eccc", + "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", + "service": "App Services", "services": [ "Entra", - "SAP" + "WAF", + "AppSvc" ], "severity": "Medium", - "subcategory": "Identity", - "text": "Implement SSO to SAP HANA", + "text": "Use an established Identity Provider for authentication", "waf": "Security" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", - "service": "SAP", + "checklist": "WAF checklist", + "description": "Deploy code to App Service from a controlled and trusted environment, like a well-managed and secured DevOps deployment pipeline. This avoids code that was not version controlled and verified to be deployed from a malicious host.", + "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", + "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", + "service": "App Services", "services": [ - "Entra", - "SAP" + "WAF", + "AppSvc" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "Consider Azure AD an identity provider for SAP systems hosted on RISE. For more information, see Integrating the Service with Azure AD.", + "severity": "High", + "text": "Deploy from a trusted environment", "waf": "Security" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", - "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", - "service": "SAP", + "checklist": "WAF checklist", + "description": "Disable basic authentication for both FTP/FTPS and for WebDeploy/SCM. 
This disables access to these services and enforces the use of Azure AD secured endpoints for deployment. Note that the SCM site can also be opened using Azure AD credentials.", + "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", + "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", + "service": "App Services", "services": [ "Entra", - "SAP" + "WAF" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "For applications that access SAP, you might want to use principal propagation to establish SSO.", + "severity": "High", + "text": "Disable basic authentication", "waf": "Security" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", - "service": "SAP", + "checklist": "WAF checklist", + "description": "Where possible use Managed Identity to connect to Azure AD secured resources. If this is not possible, store secrets in Key Vault and connect to Key Vault using a Managed Identity instead.", + "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", + "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", + "service": "App Services", "services": [ "Entra", - "SAP" + "AKV", + "WAF" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), consider implementing SSO between SAP Cloud Identity Authentication Services and Azure AD to access those SAP services. 
This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Azure AD as the central user store and identity provider.", + "severity": "High", + "text": "Use Managed Identity to connect to resources", "waf": "Security" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", - "service": "SAP", + "checklist": "WAF checklist", + "description": "Where using images stored in Azure Container Registry, pull these using a Managed Identity.", + "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", + "service": "App Services", "services": [ "Entra", - "SAP" + "ACR", + "WAF" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "Implement SSO to SAP BTP", + "severity": "High", + "text": "Pull containers using a Managed Identity", "waf": "Security" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", - "service": "SAP", + "checklist": "WAF checklist", + "description": "By configuring the diagnostic settings of App Service, you can send all telemetry to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor runtime activity of App Service such as HTTP logs, application logs, platform logs, ...", + "guid": "47768314-c115-4775-a2ea-55b46ad48408", + "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", + "service": "App Services", "services": [ "Entra", - "SAP" + "Monitor", + "WAF", + "AppSvc" ], "severity": "Medium", - "subcategory": "Identity", - "text": "If you're using SAP SuccessFactors, consider using the Azure AD automated user provisioning. With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Azure AD. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Azure AD. Use write-back of the email address to SAP SuccessFactors.", + "text": "Send App Service runtime logs to Log Analytics", "waf": "Security" }, { - "category": "Management Group and Subscriptions", - "checklist": "SAP Checklist", - "guid": "6ba28021-4591-4147-9e39-e5309cccd979", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", - "service": "SAP", + "checklist": "WAF checklist", + "description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the App Service resource itself.", + "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", + "service": "App Services", "services": [ - "AzurePolicy", - "Subscriptions", - "SAP" + "Entra", + "Monitor", + "WAF", + "AppSvc" ], "severity": "Medium", - "subcategory": "Subscriptions", - "text": "enforce existing Management Group policies to SAP Subscriptions", - "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", - "waf": "Operations" + "text": "Send App Service activity logs to Log Analytics", + "waf": "Security" }, { - "category": "Management Group and Subscriptions", - "checklist": "SAP Checklist", - "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "checklist": "WAF checklist", + "description": "Control outbound network access using a combination of regional VNet integration, network security groups and UDR's. Traffic should be routed to an NVA such as Azure Firewall. 
Ensure to monitor the Firewall's logs.", + "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", + "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", + "service": "App Services", "services": [ - "Subscriptions", - "SAP" + "VNet", + "WAF", + "Firewall", + "Monitor", + "NVA" ], - "severity": "High", - "subcategory": "Subscriptions", - "text": "Integrate tightly coupled applications into the same SAP subscription to avoid additional routing and management complexity", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", - "waf": "Operations" + "severity": "Medium", + "text": "Outbound network access should be controlled", + "waf": "Security" }, { - "category": "Management Group and Subscriptions", - "checklist": "SAP Checklist", - "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "checklist": "WAF checklist", + "description": "You can provide a stable outbound IP by using VNet integration and using a VNet NAT Gateway or an NVA like Azure Firewall. This allows the receiving party to allow-list based on IP, should that be needed. Note that for communications towards Azure Services often there's no need to depend on the IP address and mechanics like Service Endpoints should be used instead. 
(Also the use of private endpoints on the receiving end avoids for SNAT to happen and provides a stable outbound IP range.)", + "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", + "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", + "service": "App Services", "services": [ - "Subscriptions", - "SAP" + "Storage", + "VNet", + "WAF", + "Firewall", + "NVA", + "PrivateLink" ], - "severity": "High", - "subcategory": "Subscriptions", - "text": "Leverage Subscription as scale unit and scaling our resources, consider deploying subscription per environment eg. Sandbox, non-prod, prod ", - "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", - "waf": "Operations" + "severity": "Low", + "text": "Ensure a stable IP for outbound communications towards internet addresses", + "waf": "Security" }, { - "category": "Management Group and Subscriptions", - "checklist": "SAP Checklist", - "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", - "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", - "service": "SAP", + "checklist": "WAF checklist", + "description": "Control inbound network access using a combination of App Service Access Restrictions, Service Endpoints or Private Endpoints. Different access restrictions can be required and configured for the web app itself and the SCM site.", + "guid": "0725769e-e669-41a4-a34a-c932223ece80", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "services": [ - "VM", - "Subscriptions", - "SAP" + "PrivateLink", + "WAF", + "AppSvc" ], "severity": "High", - "subcategory": "Subscriptions", - "text": "Ensure quota increase as a part of subscription provisioning (e.g. 
total available VM cores within a subscription)", - "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "waf": "Operations" - }, - { - "category": "Management Group and Subscriptions", - "checklist": "SAP Checklist", - "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", - "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", - "service": "SAP", - "services": [ - "Subscriptions", - "SAP" - ], - "severity": "Low", - "subcategory": "Subscriptions", - "text": "The Quota API is a REST API that you can use to view and manage quotas for Azure services. Consider using it if necessary.", - "waf": "Operations" + "text": "Inbound network access should be controlled", + "waf": "Security" }, { - "category": "Management Group and Subscriptions", - "checklist": "SAP Checklist", - "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", - "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", - "service": "SAP", + "checklist": "WAF checklist", + "description": "Protect against malicious inbound traffic using a Web Application Firewall like Application Gateway or Azure Front Door. Make sure to monitor the WAF's logs.", + "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", + "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", + "service": "App Services", "services": [ - "VM", - "Subscriptions", - "SAP" + "WAF", + "Monitor", + "AppSvc", + "FrontDoor", + "AppGW" ], "severity": "High", - "subcategory": "Subscriptions", - "text": "If deploying to an availability zone, ensure that the VM's zone deployment is available once the quota has been approved. 
Submit a support request with the subscription, VM series, number of CPUs and availability zone required.", - "waf": "Operations" + "text": "Use a WAF in front of App Service", + "waf": "Security" }, { - "category": "Management Group and Subscriptions", - "checklist": "SAP Checklist", - "guid": "e6e20617-3686-4af4-9791-f8935ada4332", - "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", - "service": "SAP", + "checklist": "WAF checklist", + "description": "Make sure the WAF cannot be bypassed by locking down access to only the WAF. Use a combination of Access Restrictions, Service Endpoints and Private Endpoints.", + "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "services": [ - "Subscriptions", - "SAP" + "PrivateLink", + "WAF" ], "severity": "High", - "subcategory": "Subscriptions", - "text": "Ensure required services and features are available within the chosen deployment regions eg. 
ANF , Zone etc.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", - "waf": "Operations" + "text": "Avoid for WAF to be bypassed", + "waf": "Security" }, { - "category": "Management Group and Subscriptions", - "checklist": "SAP Checklist", - "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", - "service": "SAP", + "checklist": "WAF checklist", + "description": "Set minimum TLS policy to 1.2 in App Service configuration.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", + "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", + "service": "App Services", "services": [ - "Cost", - "Subscriptions", - "TrafficManager", - "SAP" + "AzurePolicy", + "WAF", + "AppSvc" ], "severity": "Medium", - "subcategory": "Subscriptions", - "text": "Leverage Azure resource tag for cost categorization and resource grouping (: BillTo, Department (or Business Unit), Environment (Production, Stage, Development), Tier (Web Tier, Application Tier), Application Owner, ProjectName)", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", - "waf": "Operations" + "text": "Set minimum TLS policy to 1.2", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", + "checklist": "WAF checklist", + "description": "Configure App Service to use HTTPS only. This causes App Service to redirect from HTTP to HTTPS. 
Strongly consider the use of HTTP Strict Transport Security (HSTS) in your code or from your WAF, which informs browsers that the site should only be accessed using HTTPS.", + "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", + "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", + "service": "App Services", "services": [ - "Backup", - "Monitor", - "SAP" + "WAF", + "AppSvc" ], "severity": "High", - "subcategory": "BCDR", - "text": "Help protect your HANA database by using the Azure Backup service.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "Reliability" + "text": "Use HTTPS only", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", - "service": "SAP", + "checklist": "WAF checklist", + "description": "Do not use wildcards in your CORS configuration, as this allows all origins to access the service (thereby defeating the purpose of CORS). Specifically only allow the origins that you expect to be able to access the service.", + "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", + "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", + "service": "App Services", "services": [ - "Monitor", - "SAP", "Storage", - "Entra", - "VM" + "WAF" ], - "severity": "Medium", - "subcategory": "BCDR", - "text": "If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use the Azure Application Consistent Snapshot tool (AzAcSnap) to take application-consistent snapshots. AzAcSnap also supports Oracle databases. 
Consider using AzAcSnap on a central VM rather than on individual VMs.", - "waf": "Reliability" + "severity": "High", + "text": "Wildcards must not be used for CORS", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", + "checklist": "WAF checklist", + "description": "Remote debugging must not be turned on in production as this opens additional ports on the service which increases the attack surface. Note that the service does turn of remote debugging automatically after 48 hours.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", + "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", + "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", + "service": "App Services", "services": [ - "Monitor", - "SAP" + "WAF" ], "severity": "High", - "subcategory": "Management", - "text": "Ensure time-zone matches between the operating system and the SAP system.", - "waf": "Operations" + "text": "Turn off remote debugging", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "c3c7abc0-716c-4486-893c-40e181d65539", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", - "service": "SAP", + "checklist": "WAF checklist", + "description": "Enable Defender for App Service. This (amongst other threats) detects communications to known malicious IP addresses. 
Review the recommendations from Defender for App Service as part of your operations.",
+ "guid": "18d2ddb1-0725-4769-be66-91a4834ac932",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction",
+ "service": "App Services",
 "services": [
- "Entra",
- "Monitor",
- "SAP"
+ "Defender",
+ "WAF",
+ "AppSvc"
 ],
 "severity": "Medium",
- "subcategory": "Management",
- "text": "Don't group different application services in the same cluster. For example, don't combine DRBD and central services clusters on the same cluster. However, you can use the same Pacemaker cluster to manage approximately five different central services (multi-SID cluster).",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "Reliability"
+ "text": "Enable Defender for Cloud - Defender for App Service",
+ "waf": "Security"
 },
 {
- "category": "Management and Monitoring",
- "checklist": "SAP Checklist",
- "guid": "a491dfc4-9353-4213-9217-eef0949f9467",
- "link": "https://azure.microsoft.com/pricing/offers/dev-test/",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. 
DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.",
+ "guid": "223ece80-b123-4071-a541-6415833ea3ad",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "service": "App Services",
 "services": [
- "Cost",
- "Monitor",
- "SAP"
+ "VNet",
+ "EventHubs",
+ "WAF",
+ "NVA",
+ "DDoS",
+ "AppGW"
 ],
- "severity": "Low",
- "subcategory": "Management",
- "text": "Consider running dev/test systems in a snooze model to save and optimize Azure run costs.",
- "waf": "Cost"
+ "severity": "Medium",
+ "text": "Enable DDOS Protection Standard on the WAF VNet",
+ "waf": "Security"
 },
 {
- "category": "Management and Monitoring",
- "checklist": "SAP Checklist",
- "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54",
- "link": "https://learn.microsoft.com/azure/lighthouse/overview",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "description": "Where using images stored in Azure Container Registry, pull these over a virtual network from Azure Container Registry using its private endpoint and the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'.",
+ "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry",
+ "service": "App Services",
 "services": [
- "Entra",
- "Monitor",
- "SAP"
+ "VNet",
+ "PrivateLink",
+ "ACR",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Management",
- "text": "If you partner with customers by managing their SAP estates, consider Azure Lighthouse. Azure Lighthouse allows managed service providers to use Azure native identity services to authenticate to the customers' environment. 
It puts the control in the hands of customers, because they can revoke access at any time and audit service providers' actions.",
- "waf": "Operations"
+ "text": "Pull containers over a Virtual Network",
+ "waf": "Security"
 },
 {
- "category": "Management and Monitoring",
- "checklist": "SAP Checklist",
- "guid": "4d116785-d2fa-456c-96ad-48408fe72734",
- "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "description": "Conduct a penetration test on the web application following the penetration testing rules of engagement.",
+ "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing",
+ "service": "App Services",
 "services": [
- "VM",
- "Monitor",
- "SAP"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Management",
- "text": "Use Azure Update Manager to check the status of available updates for a single VM or multiple VMs and consider scheduling regular patching.",
- "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations",
- "waf": "Operations"
+ "text": "Conduct a penetration test",
+ "waf": "Security"
 },
 {
- "category": "Management and Monitoring",
- "checklist": "SAP Checklist",
- "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d",
- "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.",
+ "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e",
+ "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure",
+ "service": "App Services",
 "services": [
- "Monitor",
- "SAP"
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Management",
- "text": "Optimize and 
manage SAP Basis operations by using SAP Landscape Management (LaMa). Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations",
- "waf": "Operations"
+ "severity": "Medium",
+ "text": "Deploy validated code",
+ "waf": "Security"
 },
 {
- "category": "Management and Monitoring",
- "checklist": "SAP Checklist",
- "guid": "14591147-5e39-4e53-89cc-cd979366bcda",
- "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.",
+ "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime",
+ "service": "App Services",
 "services": [
- "SQL",
- "Monitor",
- "SAP"
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Monitoring",
- "text": "Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA, high-availability SUSE clusters, and SQL systems) on Azure. 
Consider supplementing Azure Monitor for SAP solutions with SAP Solution Manager.",
- "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
- "waf": "Operations"
+ "severity": "High",
+ "text": "Use up-to-date platforms, languages, protocols and frameworks",
+ "waf": "Security"
 },
 {
- "category": "Management and Monitoring",
- "checklist": "SAP Checklist",
- "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d",
- "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9",
+ "service": "AVS",
 "services": [
 "Entra",
- "VM",
- "Monitor",
- "SAP"
+ "Subscriptions",
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Monitoring",
- "text": "Run a VM Extension for SAP check. VM Extension for SAP uses the assigned managed identity of a virtual machine (VM) to access VM monitoring and configuration data. The check ensures that all performance metrics in your SAP application come from the underlying Azure Extension for SAP.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations",
- "waf": "Operations"
+ "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure",
+ "waf": "Security"
 },
 {
- "category": "Management and Monitoring",
- "checklist": "SAP Checklist",
- "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "75089c20-990d-4927-b105-885576f76fc2",
+ "service": "AVS",
 "services": [
- "AzurePolicy",
- "Monitor",
- "SAP"
+ "AVS",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Monitoring",
- "text": "Use Azure Policy for access control and compliance reporting. 
Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. ",
- "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
- "waf": "Operations"
+ "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure",
+ "waf": "Security"
 },
 {
- "category": "Management and Monitoring",
- "checklist": "SAP Checklist",
- "guid": "523181aa-4174-4269-93ff-8ae7d7d47431",
- "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80",
+ "service": "AVS",
 "services": [
- "Monitor",
- "NetworkWatcher",
- "SAP"
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Monitoring",
- "text": "Use Connection Monitor in Azure Network Watcher to monitor latency metrics for SAP databases and application servers. 
Or collect and display network latency measurements by using Azure Monitor.",
- "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979",
- "waf": "Operations"
+ "severity": "High",
+ "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'",
+ "waf": "Security"
 },
 {
- "category": "Management and Monitoring",
- "checklist": "SAP Checklist",
- "guid": "73686af4-6791-4f89-95ad-a43324e13811",
- "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a",
+ "service": "AVS",
 "services": [
- "VM",
- "Monitor",
- "SAP"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Monitoring",
- "text": "Perform a quality check for SAP HANA on the provisioned Azure infrastructure to verify that provisioned VMs comply with SAP HANA on Azure best practices.",
- "waf": "Operations"
+ "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)",
+ "waf": "Security"
 },
 {
- "category": "Management and Monitoring",
- "checklist": "SAP Checklist",
- "guid": "616785d6-fa96-4c96-ad88-518f482734c8",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a",
+ "service": "AVS",
 "services": [
- "Monitor",
- "Subscriptions",
- "SAP"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Monitoring",
- "text": "For each Azure subscription, run a latency test on Azure availability zones before zonal deployment to choose low-latency zones for deployment of SAP on Azure.",
- "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
- "waf": "Performance"
+ "severity": "Medium",
+ "text": "CloudAdmin account in vCenter 
IdP is used only as an emergency account (break-glass)",
+ "waf": "Security"
 },
 {
- "category": "Management and Monitoring",
- "checklist": "SAP Checklist",
- "guid": "410adcba-db46-424f-a6c4-05ecde75c52e",
- "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3",
+ "service": "AVS",
 "services": [
- "ASR",
- "Monitor",
- "Storage",
- "SAP"
+ "Entra",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Monitoring",
- "text": "Run the Resiliency Report to ensure that the configuration of the entire provisioned Azure infrastructure (Compute, Database, Networking, Storage, Site Recovery) complies with the configuration defined by Cloud Adaption Framework for Azure.",
- "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/",
- "waf": "Reliability"
+ "severity": "High",
+ "text": "Ensure that NSX-Manager is integrated with an external Identity provider (LDAPS)",
+ "waf": "Security"
 },
 {
- "category": "Management and Monitoring",
- "checklist": "SAP Checklist",
- "guid": "86ba2802-1459-4114-95e3-9e5309cccd97",
- "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "ae0e37ce-e297-411b-b352-caaab79b198d",
+ "service": "AVS",
 "services": [
- "Sentinel",
- "Monitor",
- "SAP"
+ "RBAC",
+ "AVS",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Monitoring",
- "text": "Implement threat protection by using the Microsoft Sentinel solution for SAP. 
Use this solution to monitor your SAP systems and detect sophisticated threats throughout the business logic and application layers.",
- "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations",
+ "text": "Has an RBAC model been created for use within VMware vSphere",
 "waf": "Security"
 },
 {
- "category": "Management and Monitoring",
- "checklist": "SAP Checklist",
- "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c",
- "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e",
+ "service": "AVS",
 "services": [
- "Cost",
- "Monitor",
- "SAP"
+ "RBAC",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Monitoring",
- "text": "Azure tagging can be leveraged to logically group and track resources, automate their deployments, and most importantly, provide visibility on the incurred costs.",
- "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations",
- "waf": "Operations"
+ "text": "RBAC permissions should be granted on ADDS groups and not on specific users",
+ "waf": "Security"
 },
 {
- "category": "Management and Monitoring",
- "checklist": "SAP Checklist",
- "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d",
+ "service": "AVS",
 "services": [
- "VM",
- "Monitor",
- "SAP"
+ "RBAC",
+ "AVS",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Performance",
- "text": "Use inter-VM latency monitoring for latency-sensitive applications.",
- "waf": "Performance"
+ "severity": "High",
+ "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners 
only",
+ "waf": "Security"
 },
 {
- "category": "Management and Monitoring",
- "checklist": "SAP Checklist",
- "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba",
- "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5",
+ "service": "AVS",
 "services": [
- "ASR",
- "Monitor",
- "SAP"
+ "RBAC",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Performance",
- "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations",
- "waf": "Reliability"
+ "severity": "High",
+ "text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations",
+ "waf": "Security"
 },
 {
- "category": "Management and Monitoring",
- "checklist": "SAP Checklist",
- "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510",
+ "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking",
+ "service": "AVS",
 "services": [
- "Monitor",
- "Storage",
- "SAP"
+ "AVS",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Performance",
- "text": "Exclude all the database file systems and executable programs from antivirus scans. Including them could lead to performance problems. Check with the database vendors for prescriptive details on the exclusion list. 
For example, Oracle recommends excluding /oracle//sapdata from antivirus scans.",
+ "severity": "High",
+ "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand",
 "waf": "Performance"
 },
 {
- "category": "Management and Monitoring",
- "checklist": "SAP Checklist",
- "guid": "c027f893-f404-41a9-b33d-39d625a14964",
- "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5",
+ "service": "AVS",
 "services": [
+ "ExpressRoute",
+ "WAF",
+ "VPN",
 "Monitor",
- "SAP"
+ "NetworkWatcher"
 ],
- "severity": "Low",
- "subcategory": "Performance",
- "text": "Consider collecting full database statistics for non-HANA databases after migration. For example, implement SAP note 1020260 - Delivery of Oracle statistics.",
- "waf": "Performance"
+ "severity": "High",
+ "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'",
+ "waf": "Operations"
 },
 {
- "category": "Management and Monitoring",
- "checklist": "SAP Checklist",
- "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e",
- "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99",
+ "service": "AVS",
 "services": [
+ "AVS",
+ "ExpressRoute",
+ "WAF",
 "Monitor",
- "Storage",
- "SAP"
+ "VM",
+ "NetworkWatcher"
 ],
 "severity": "Medium",
- "subcategory": "Performance",
- "text": "Consider using Oracle Automatic Storage Management (ASM) for all Oracle deployments that use SAP on Azure.",
- "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations",
- "waf": "Performance"
+ "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor 
the Azure VMware Solution back-end ExpressRoute connection",
+ "waf": "Operations"
 },
 {
- "category": "Management and Monitoring",
- "checklist": "SAP Checklist",
- "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e",
- "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265",
+ "service": "AVS",
 "services": [
- "SQL",
+ "AVS",
+ "WAF",
 "Monitor",
- "SAP"
+ "VM",
+ "NetworkWatcher"
 ],
 "severity": "Medium",
- "subcategory": "Performance",
- "text": "For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose performance problems. Automatic Workload Repository (AWR) reports contain valuable information for diagnosing problems in the Oracle system. We recommend that you run an AWR report during several sessions and choose peak times for it, to ensure broad coverage for the analysis.",
- "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency",
- "waf": "Performance"
+ "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity",
+ "waf": "Operations"
 },
 {
- "category": "Management and Monitoring",
- "checklist": "SAP Checklist",
- "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c",
- "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649",
+ "service": "AVS",
 "services": [
- "ASR",
- "Monitor",
- "SAP"
+ "ARS",
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Reliability",
- "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.",
- "training": 
"https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
+ "text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).",
 "waf": "Operations"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3",
+ "service": "AVS",
 "services": [
- "AppGW",
- "AzurePolicy",
- "SAP",
+ "Entra",
+ "RBAC",
+ "AVS",
 "WAF"
 ],
- "severity": "Medium",
- "subcategory": "App delivery",
- "text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/",
+ "severity": "High",
+ "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c",
+ "service": "AVS",
 "services": [
- "VM",
- "DNS",
- "SAP"
+ "Entra",
+ "RBAC",
+ "AVS",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "DNS",
- "text": "If the virtual machine's DNS or virtual name is not changed during migration to Azure, Background DNS and virtual names connect many system interfaces in the SAP landscape, and customers are only sometimes aware of the interfaces 
that developers define over time. Connection challenges arise between various systems when virtual or DNS names change after migrations, and it's recommended to retain DNS aliases to prevent these types of difficulties.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
- "waf": "Operations"
+ "severity": "High",
+ "text": "Privileged Identity Management audit reporting should be implemented for the Azure VMware Solution PIM roles",
+ "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5",
+ "service": "AVS",
 "services": [
- "VNet",
- "DNS",
- "SAP"
+ "Entra",
+ "AVS",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "DNS",
- "text": "Use different DNS zones to distinguish each environment (sandbox, development, preproduction, and production) from each other. The exception is for SAP deployments with their own VNet; here, private DNS zones might not be necessary.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
- "waf": "Operations"
+ "text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic Host replacement notifications. 
(standing permissions required)",
+ "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "guid": "a3592829-e6e2-4061-9368-6af46791f893",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e",
+ "service": "AVS",
 "services": [
- "ACR",
- "VNet",
- "SAP"
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Hybrid",
- "text": "Local and global VNet peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions",
- "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations",
- "waf": "Reliability"
+ "severity": "High",
+ "text": "Limit use of CloudAdmin account to emergency access only",
+ "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf",
- "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1",
+ "service": "AVS",
 "services": [
- "NVA",
- "SAP"
+ "RBAC",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Hybrid",
- "text": "It is not supported to deploy any NVA between SAP application and SAP Database server",
- "training": "https://me.sap.com/notes/2731110",
- "waf": "Performance"
+ "severity": "Medium",
+ "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter",
+ "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3",
- "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations",
- "service": "SAP",
+ "checklist": "WAF 
checklist",
+ "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18",
+ "service": "AVS",
 "services": [
- "ACR",
- "VWAN",
- "SAP"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Hybrid",
- "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.",
- "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
- "waf": "Operations"
+ "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials",
+ "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3",
- "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5",
+ "service": "AVS",
 "services": [
- "VNet",
- "NVA",
- "SAP"
+ "Entra",
+ "AVS",
+ "VM",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Hybrid",
- "text": "Consider deploying network virtual appliances (NVAs) between regions only if partner NVAs are used. NVAs between regions or VNets aren't required if native NVAs are present. 
When you're deploying partner networking technologies and NVAs, follow the vendor's guidance to verify conflicting configurations with Azure networking.",
- "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations",
- "waf": "Operations"
+ "severity": "High",
+ "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution",
+ "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd",
- "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4",
+ "service": "AVS",
 "services": [
- "VNet",
- "NVA",
- "VWAN",
- "SAP"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Hybrid",
- "text": "Virtual WAN manages connectivity between spoke VNets for virtual-WAN-based topologies (no need to set up user-defined routing [UDR] or NVAs), and maximum network throughput for VNet-to-VNet traffic in the same virtual hub is 50 gigabits per second. 
If necessary, SAP landing zones can use VNet peering to connect to other landing zones and overcome this bandwidth limitation.",
- "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations",
- "waf": "Operations"
+ "text": "Is East-West traffic filtering implemented within NSX-T",
+ "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "guid": "82734c88-6ba2-4802-8459-11475e39e530",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd",
+ "service": "AVS",
 "services": [
- "VNet",
- "VM",
- "SAP"
+ "AppGW",
+ "AVS",
+ "WAF",
+ "Firewall"
 ],
 "severity": "High",
- "subcategory": "IP plan",
- "text": "Public IP assignment to VM running SAP Workload is not recommended.",
- "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations",
+ "text": "Workloads on Azure VMware Solution are not directly exposed to the internet. 
Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d",
- "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938",
+ "service": "AVS",
 "services": [
- "ASR",
- "VNet",
- "SAP"
+ "AVS",
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "IP plan",
- "text": "Consider reserving IP address on DR side when configuring ASR",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
- "waf": "Operations"
+ "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads",
+ "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "29e3eec2-1836-487a-8077-a2b5945bda43",
+ "service": "AVS",
 "services": [
- "VNet",
- "SAP"
+ "Monitor",
+ "AVS",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "IP plan",
- "text": "Avoid using overlapping IP address ranges for production and DR sites.",
- "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations",
- "waf": "Operations"
+ "severity": "Medium",
+ "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity",
+ "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- 
"checklist": "SAP Checklist",
- "guid": "6e154e3a-a359-4282-ae6e-206173686af4",
- "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "334fdf91-c234-4182-a652-75269440b4be",
+ "service": "AVS",
 "services": [
 "VNet",
- "Storage",
- "SAP"
+ "ExpressRoute",
+ "WAF",
+ "VPN",
+ "DDoS"
 ],
 "severity": "Medium",
- "subcategory": "IP plan",
- "text": "While Azure does help you to create multiple delegated subnets in a VNet, only one delegated subnet can exist in a VNet for Azure NetApp Files. Attempts to create a new volume will fail if you use more than one delegated subnet for Azure NetApp Files.",
- "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations",
- "waf": "Operations"
+ "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure",
+ "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a",
- "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json",
- "service": "SAP",
+ "checklist": "WAF checklist",
+ "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb",
+ "service": "AVS",
 "services": [
- "SAP",
- "Firewall"
+ "AVS",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Internet",
- "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)",
- "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/",
+ "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- 
"checklist": "SAP Checklist", - "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", - "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", + "service": "AVS", "services": [ - "AppGW", - "SAP", + "Defender", + "AVS", "WAF" ], "severity": "Medium", - "subcategory": "Internet", - "text": "Application Gateway and Web Application Firewall have limitations when Application Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between Application Gateway, SAP Web Dispatcher, and other third-party services.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", + "text": "Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", + "service": "AVS", "services": [ - "SAP", - "FrontDoor", - "AzurePolicy", - "ACR", + "Arc", + "AVS", "WAF" ], "severity": "Medium", - "subcategory": "Internet", - "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", - "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", + "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", - "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", + "service": "AVS", "services": [ - "SAP", - "FrontDoor", - "AzurePolicy", - "AppGW", - "WAF" + "AVS", + "WAF", + "SQL" ], - "severity": "Medium", - "subcategory": "Internet", - "text": "Take advantage of Web Application Firewall policies in Azure Front Door when you're using Azure Front Door and Application Gateway to protect HTTP/S applications. Lock down Application Gateway to receive traffic only from Azure Front Door.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "severity": "Low", + "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). (vSAN encryption at rest is default)", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "5ada4332-4e13-4811-9231-81aa41742694", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "a3592718-e6e2-4051-9267-6ae46691e883", + "service": "AVS", "services": [ - "AppGW", - "LoadBalancer", - "SAP", + "AKV", "WAF" ], - "severity": "Medium", - "subcategory": "Internet", - "text": "Use a web application firewall to scan your traffic when it's exposed to the internet. 
Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "severity": "Low", + "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "5ac94222-3e13-4810-9230-81a941741583", + "service": "AVS", "services": [ - "ACR", - "VWAN", - "SAP" + "AVS", + "WAF" ], "severity": "Medium", - "subcategory": "Internet", - "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", - "waf": "Performance" + "text": "Consider using extended security update support for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", + "service": "AVS", "services": [ - "VNet", - "SAP", - "Backup", - "PrivateLink", - "Storage", - "ACR" + "WAF" ], - "severity": "Medium", - "subcategory": "Internet", - "text": "To prevent data leakage, use Azure Private Link to securely access platform as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, and more. Azure Private Endpoint can also help to secure traffic between VNets and services like Azure Storage, Azure Backup, and more. 
Traffic between your VNet and the Private Endpoint enabled service travels across the Microsoft global network, which prevents its exposure to the public internet.", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", - "waf": "Security" + "severity": "High", + "text": "Ensure that the appropriate vSAN Data redundancy method is used (RAID specification)", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "d88408f3-7273-44c8-96ba-280214590146", + "service": "AVS", "services": [ - "VM", - "SAP" + "Storage", + "AzurePolicy", + "WAF" ], "severity": "High", - "subcategory": "Segmentation", - "text": "Make sure that Azure accelerated networking is enabled on the VMs used in the SAP application and DBMS layers.", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "Performance" + "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", + "service": "AVS", "services": [ - "LoadBalancer", - "SAP" + "ASR", + "WAF" ], - "severity": "Medium", - "subcategory": "Segmentation", - "text": "Make sure that internal deployments for Azure Load Balancer are set up to use Direct Server Return (DSR). 
This setting (Enabling Floating IP) will reduce latency when internal load balancer configurations are used for high-availability configurations on the DBMS layer.", - "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "Security" + "severity": "High", + "text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "6791f893-5ada-4433-84e1-3811523181aa", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", + "service": "AVS", "services": [ - "VNet", - "VM", - "SAP" + "WAF" ], "severity": "Medium", - "subcategory": "Segmentation", - "text": "You can use application security group (ASG) and NSG rules to define network security access-control lists between the SAP application and DBMS layers. 
ASGs group virtual machines to help manage their security.", - "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", - "waf": "Security" + "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", + "service": "AVS", "services": [ - "VNet", - "SAP" + "AzurePolicy", + "WAF" ], - "severity": "High", - "subcategory": "Segmentation", - "text": "Placing of the SAP application layer and SAP DBMS in different Azure VNets that aren't peered isn't supported.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Performance" + "severity": "Medium", + "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "fa96c96a-d885-418f-9827-34c886ba2802", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", + "service": "AVS", "services": [ - "SAP" + "AVS", + "Cost", + "WAF" ], "severity": "Medium", - "subcategory": "Segmentation", - "text": "For optimal network latency with SAP applications, consider using Azure proximity placement groups.", - "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", - "waf": "Performance" + "text": "Ensure a good cost 
management process is in place for Azure VMware Solution - Azure Cost Management can be used", + "waf": "Cost" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", + "service": "AVS", "services": [ - "SAP" + "AVS", + "Cost", + "WAF" ], - "severity": "High", - "subcategory": "Segmentation", - "text": "It is NOT supported at all to run an SAP Application Server layer and DBMS layer split between on-premise and Azure. Both layers need to completely reside either on-premise or in Azure.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Performance" + "severity": "Low", + "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution", + "waf": "Cost" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "6691e883-5ac9-4422-83e1-3810523081a9", + "service": "AVS", "services": [ - "Cost", - "VNet", - "SAP" + "WAF" ], - "severity": "High", - "subcategory": "Segmentation", - "text": "It isn't recommended to host the database management system (DBMS) and application layers of SAP systems in different VNets and connect them with VNet peering because of the substantial costs that excessive network traffic between the layers can produce. 
Recommend using subnets within the Azure virtual network to separate the SAP application layer and DBMS layer.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Cost" + "severity": "Medium", + "text": "Consider the use of Azure Private-Link when using other Azure Native Services", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "402a9846-d515-4061-aff8-cd30088693fa", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", + "service": "AVS", "services": [ - "LoadBalancer", - "SAP" + "WAF" ], "severity": "High", - "subcategory": "Segmentation", - "text": "If using Load Balancer with Linux guest operating systems, check that the Linux network parameter net.ipv4.tcp_timestamps is set to 0.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "text": "Ensure all required resource reside within the same Azure availability zone(s)", "waf": "Performance" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "87585797-5551-4d53-bb7d-a94ee415734d", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", + "service": "AVS", "services": [ - "VNet", - "SAP" + "Defender", + "AVS", + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Segmentation", - "text": "For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with customer's existing Azure environment. 
Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering", + "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads", "waf": "Security" }, { - "category": "Operational Excellence", - "checklist": "SAP Checklist", - "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", + "service": "AVS", "services": [ - "Backup", + "Arc", + "AVS", "VM", - "SAP" - ], - "severity": "High", - "subcategory": " ", - "text": "Review SAP HANA database backups for Azure VMs.", - "waf": "Cost" - }, - { - "category": "Operational Excellence", - "checklist": "SAP Checklist", - "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", - "services": [ - "ASR", - "Monitor", - "SAP" + "WAF" ], "severity": "Medium", - "subcategory": " ", - "text": "Review Site Recovery built-in monitoring, where used for SAP.", - "waf": "Cost" + "text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads", + "waf": "Security" }, { - "category": "Operational Excellence", - "checklist": "SAP Checklist", - "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", - "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", + "service": "AVS", "services": [ - "Monitor", - "SAP" + "AVS", + "WAF" ], "severity": "High", - "subcategory": " ", - "text": "Review the Monitoring the SAP HANA System Landscape guidance.", + "text": "Enable Diagnostic and metric logging on Azure VMware Solution", "waf": 
"Operations" }, { - "category": "Operational Excellence", - "checklist": "SAP Checklist", - "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", + "service": "AVS", "services": [ - "Backup", + "Monitor", + "AVS", "VM", - "SAP" - ], - "severity": "Medium", - "subcategory": " ", - "text": "Review Oracle Database in Azure Linux VM backup strategies.", - "waf": "Operations" - }, - { - "category": "Operational Excellence", - "checklist": "SAP Checklist", - "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", - "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", - "service": "SAP", - "services": [ - "SQL", - "Storage", - "SAP" + "WAF" ], "severity": "Medium", - "subcategory": " ", - "text": "Review the use of Azure Blob Storage with SQL Server 2016.", + "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads", "waf": "Operations" }, { - "category": "Operational Excellence", - "checklist": "SAP Checklist", - "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "589d457a-927c-4397-9d11-02cad6aae11e", + "service": "AVS", "services": [ + "AVS", "Backup", + "WAF", "VM", - "SAP" + "AzurePolicy" ], "severity": "Medium", - "subcategory": " ", - "text": "Review the use of Automated Backup v2 for Azure VMs.", + "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads", "waf": "Operations" }, { - "category": "Operational Excellence", - "checklist": "SAP Checklist", - "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", - "service": 
"SAP", + "checklist": "WAF checklist", + "guid": "ee29711b-d352-4caa-ab79-b198dab81932", + "service": "AVS", "services": [ - "SAP" + "Defender", + "Monitor", + "AVS", + "WAF" ], - "severity": "High", - "subcategory": " ", - "text": "Enabling Write accelerator for M series when using premium disks(V1)", - "waf": "Operations" + "severity": "Medium", + "text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution", + "waf": "Security" }, { - "category": "Performant", - "checklist": "SAP Checklist", - "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", + "service": "AVS", "services": [ - "SAP" + "Defender", + "WAF" ], "severity": "Medium", - "subcategory": " ", - "text": "Test availability zone latency.", - "waf": "Performance" + "text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud", + "waf": "Security" }, { - "category": "Performant", - "checklist": "SAP Checklist", - "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", - "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", + "service": "AVS", "services": [ - "SAP" + "AVS", + "WAF" ], - "severity": "Medium", - "subcategory": " ", - "text": "Activate SAP EarlyWatch Alert for all SAP components.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", - "waf": "Performance" + "severity": "High", + "text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution deployment", + "waf": "Security" }, { - "category": "Performant", - "checklist": "SAP Checklist", - "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", - "link": 
"https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", + "service": "AVS", "services": [ - "SAP" + "WAF" ], - "severity": "Medium", - "subcategory": " ", - "text": "Review SAP application server to database server latency using SAP ABAPMeter report /SSA/CAT.", - "training": "https://me.sap.com/notes/0002879613", - "waf": "Performance" + "severity": "High", + "text": "Are data processing implications (service provider / service consumer model) clear and documented", + "waf": "Security" }, { - "category": "Performant", - "checklist": "SAP Checklist", - "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "547c1747-dc56-4068-a714-435cd19dd244", + "service": "AVS", "services": [ - "SQL", - "Monitor", - "SAP" + "WAF" ], "severity": "Medium", - "subcategory": " ", - "text": "Review SQL Server performance monitoring using CCMS.", - "waf": "Performance" + "text": "Consider using CMK (Customer Managed Key) for vSAN only if needed for compliance reason(s).", + "waf": "Security" }, { - "category": "Performant", - "checklist": "SAP Checklist", - "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", - "link": "https://me.sap.com/notes/500235", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", + "service": "AVS", "services": [ - "VM", - "SAP" + "Monitor", + "AVS", + "WAF" ], - "severity": "Medium", - "subcategory": " ", - "text": "Test network latency between SAP application layer VMs and DBMS VMs (NIPING).", - "training": "https://me.sap.com/notes/1100926/E", - "waf": "Performance" + "severity": "High", + "text": "Create dashboards to enable core Azure VMware Solution monitoring insights", + "waf": "Operations" }, { - "category": "Performant", - "checklist": "SAP Checklist", - "guid": 
"9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", - "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", + "service": "AVS", "services": [ "Monitor", - "SAP" + "AVS", + "WAF" ], - "severity": "Medium", - "subcategory": " ", - "text": "Review SAP HANA studio alerts.", - "waf": "Performance" + "severity": "High", + "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", + "waf": "Operations" }, { - "category": "Performant", - "checklist": "SAP Checklist", - "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", - "link": "https://me.sap.com/notes/1969700", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "9659e396-80e7-4828-ac93-5657d02bff45", + "service": "AVS", "services": [ - "SAP" + "Monitor", + "AVS", + "WAF" ], - "severity": "Medium", - "subcategory": " ", - "text": "Perform SAP HANA health checks using HANA_Configuration_Minichecks.", - "waf": "Performance" + "severity": "High", + "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware", + "waf": "Operations" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", + "service": "AVS", "services": [ - "VM", - "SAP" + "Monitor", + "WAF" ], - "severity": "Medium", - "subcategory": "Governance", - "text": "If you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments, you can use the Update management center in Azure Automation to manage operating system updates, including security 
patches.", - "training": "https://learn.microsoft.com/azure/automation/update-management/overview", - "waf": "Security" + "severity": "High", + "text": "Ensure alerts are configured for Azure Service Health alerts and notifications", + "waf": "Operations" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "08951710-79a2-492a-adbc-06d7a401545b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", + "service": "AVS", "services": [ - "SAP" + "Storage", + "AVS", + "WAF" ], "severity": "Medium", - "subcategory": "Governance", - "text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.", - "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", - "waf": "Security" + "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing", + "waf": "Operations" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", + "service": "AVS", "services": [ - "SQL", - "SAP" + "AVS", + "WAF" ], "severity": "Low", - "subcategory": "Governance", - "text": "For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the account. 
Ensure that another user with system administrator rights can access the server before disabling the original system administrator account.", - "waf": "Security" + "text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?", + "waf": "Operations" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", + "service": "AVS", "services": [ - "SQL", - "SAP" + "Storage", + "VM", + "WAF", + "AzurePolicy" ], "severity": "High", - "subcategory": "Governance", - "text": "Disable xp_cmdshell. The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. It's a potential risk in security audits.", - "training": "https://me.sap.com/notes/3019299/E", - "waf": "Security" + "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning", + "waf": "Operations" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", + "service": "AVS", "services": [ - "SAP", - "Backup", - "SQL", - "AKV", - "Storage" + "WAF" ], - "severity": "High", - "subcategory": "Secrets", - "text": "Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption technology. 
Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "waf": "Security" + "severity": "Medium", + "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource", + "waf": "Operations" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", + "service": "AVS", "services": [ - "AKV", "Storage", - "SAP" + "Backup", + "WAF" ], "severity": "Medium", - "subcategory": "Secrets", - "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.", - "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", - "waf": "Security" + "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. 
Either in Azure native or on a disk pool-backed datastore", + "waf": "Operations" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", + "service": "AVS", "services": [ - "AKV", - "SAP" + "Arc", + "AVS", + "WAF" ], - "severity": "High", - "subcategory": "Secrets", - "text": "Use Azure Key Vault to store your secrets and credentials", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Security" + "severity": "Medium", + "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)", + "waf": "Operations" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "829e2edb-2173-4676-aff6-691b4935ada4", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", + "service": "AVS", "services": [ - "RBAC", - "SAP", - "Subscriptions", - "AzurePolicy", - "AKV" + "Monitor", + "AVS", + "WAF" ], "severity": "Medium", - "subcategory": "Secrets", - "text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes. 
You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).", - "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", - "waf": "Security" + "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor", + "waf": "Operations" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", + "service": "AVS", "services": [ - "AzurePolicy", - "AKV", - "SAP" + "AVS", + "WAF" ], "severity": "Medium", - "subcategory": "Secrets", - "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Security" + "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management", + "waf": "Operations" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", - "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", + "service": "AVS", "services": [ - "RBAC", + "Monitor", + "AVS", "AzurePolicy", - "AKV", - "SAP" + "WAF" ], - "severity": "High", - "subcategory": "Secrets", - "text": "Based on existing requirements, regulatory and compliance controls (internal/external) - Determine what Azure Policies and Azure RBAC role are needed", - "training": 
"https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", - "waf": "Security" + "severity": "Medium", + "text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions", + "waf": "Operations" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", + "service": "AVS", "services": [ "Defender", - "AKV", - "Storage", - "SAP" + "AVS", + "WAF" ], - "severity": "High", - "subcategory": "Secrets", - "text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. Follow your DBMS vendor's recommendations when excluding target files.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", + "severity": "Medium", + "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud", "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", + "service": "AVS", "services": [ - "Defender", - "AKV", - "RBAC", - "SAP" + "Backup", + "WAF" ], - "severity": "High", - "subcategory": "Secrets", - "text": "Delegate an SAP admin custom role with just-in-time access of Microsoft Defender for 
Cloud.", - "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "waf": "Security" + "severity": "Medium", + "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", + "service": "AVS", "services": [ - "AKV", - "SAP" + "WAF" ], - "severity": "Low", - "subcategory": "Secrets", - "text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS", - "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", - "waf": "Security" + "severity": "Medium", + "text": "Have all DR solutions been considered and a solution that is best for your business been decided upon? 
[SRM/JetStream/Zerto/Veeam/...]", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", + "service": "AVS", "services": [ - "AKV", - "SAP" + "ASR", + "WAF" ], "severity": "Medium", - "subcategory": "Secrets", - "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Security" + "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "4935ada4-2223-4ece-a1b1-23181a541741", - "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", + "service": "AVS", "services": [ - "AKV", - "SAP" + "WAF" ], "severity": "High", - "subcategory": "Secrets", - "text": "Use an Azure Key Vault per application per environment per region.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Security" + "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", - "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", - "service": "SAP", + "checklist": "WAF 
checklist", + "guid": "8255461e-2aee-4345-9aec-8339248b262d", + "service": "AVS", "services": [ - "AKV", - "SAP" + "ASR", + "WAF" ], - "severity": "High", - "subcategory": "Secrets", - "text": "To control and manage disk encryption keys and secrets for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", - "waf": "Security" + "severity": "Medium", + "text": "Use the geopolitical region pair as the secondary disaster recovery environment", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "209d490d-a477-4784-84d1-16785d2fa56c", - "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", + "service": "AVS", "services": [ - "RBAC", - "Subscriptions", - "SAP" + "WAF" ], "severity": "High", - "subcategory": "Security", - "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes", - "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", - "waf": "Security" + "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", - "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", + "service": "AVS", "services": [ - "PrivateLink", "NVA", 
- "SAP" + "AVS", + "ExpressRoute", + "WAF" ], - "severity": "High", - "subcategory": "Security", - "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources", - "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", - "waf": "Security" + "severity": "Medium", + "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", - "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", + "service": "AVS", "services": [ - "VM", - "Storage", - "SAP" + "Backup", + "WAF" ], - "severity": "Low", - "subcategory": "Security", - "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.", - "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", - "waf": "Security" + "severity": "Medium", + "text": "Have all Backup solutions been considered and a solution that is best for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/�. 
]", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", + "service": "AVS", "services": [ - "Defender", - "SAP" + "AVS", + "Backup", + "WAF" ], - "severity": "Low", - "subcategory": "Security", - "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.", - "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", - "waf": "Security" + "severity": "Medium", + "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", + "service": "AVS", "services": [ - "VNet", - "SAP" + "Backup", + "WAF" ], - "severity": "High", - "subcategory": "Security", - "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. 
The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", - "waf": "Security" + "severity": "Medium", + "text": "Deploy your backup solution outside of vSan, on Azure native components", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", + "service": "AVS", "services": [ - "SAP", + "AVS", "WAF" ], "severity": "Low", - "subcategory": "Security", - "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. 
For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.", - "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", - "waf": "Security" + "text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", - "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", - "service": "SAP", + "checklist": "WAF checklist", + "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", + "service": "AVS", "services": [ - "AKV", - "Monitor", - "SAP" + "WAF" ], - "severity": "Medium", - "subcategory": "Security", - "text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. 
We highly recommend that you use root certificates.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "Security" - }, - { - "category": "BC and DR", - "checklist": "Container Apps Review", - "guid": "af416482-663c-4ed6-b195-b44c7068e09c", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support", - "service": "Container Apps", - "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "Leverage Availability Zones if regionally applicable", - "waf": "Reliability" - }, - { - "category": "BC and DR", - "checklist": "Container Apps Review", - "guid": "95bc80ec-6499-4d14-a7d2-7d296b1d8abc", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment", - "service": "Container Apps", - "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "Use more than one replica and enable Zone Redundancy.", - "waf": "Reliability" + "severity": "Low", + "text": "For manual deployments, all configuration and deployments must be documented", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Container Apps Review", - "guid": "ccaa4fc2-fdbc-4432-8bb7-f7e6469e4dc3", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", - "service": "Container Apps", - "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "For cross-region DR, deploy container apps in multiple regions and follow active/active or active/passive application guidance.", - "waf": "Reliability" + "checklist": "WAF checklist", + "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", + "service": "AVS", + "services": [ + "AVS", + "WAF" + 
], + "severity": "Low", + "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Container Apps Review", - "guid": "2ffada86-c031-4933-bf7d-0c45bc4e5919", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", - "service": "Container Apps", + "checklist": "WAF checklist", + "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", + "service": "AVS", "services": [ - "FrontDoor", - "TrafficManager" + "WAF" ], - "severity": "High", - "subcategory": "High Availability", - "text": "Use Front Door or Traffic Manager to route traffic to the closest region", - "waf": "Reliability" + "severity": "Low", + "text": "For automated deployments, deploy a minimal private cloud and scale as needed", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure Synapse Review Checklist", - "guid": "fda1dae2-dc95-4d48-a6c7-91dca0f6c565", - "link": "https://learn.microsoft.com/azure/synapse-analytics/sql-data-warehouse/backup-and-restore#geo-backups-and-disaster-recovery", + "checklist": "WAF checklist", + "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", + "service": "AVS", "services": [ - "Backup" + "WAF" ], - "severity": "Medium", - "subcategory": "Backup", - "text": "Enable Geo Backup ", - "waf": "Reliability" + "severity": "Low", + "text": "For automated deployments, request or reserve quota prior to starting the deployment", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure Synapse Review Checklist", - "guid": "89e558b9-37d4-4974-b111-2dbd7baf12e7", - "link": "https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/how-to-use-ci-cd-integration-to-automate-the-deploy-of-a-synapse/ba-p/2248060", - "services": [], - "severity": "Medium", - "subcategory": 
"DevOps", - "text": "Integrate with Azure DevOps to deploy Multiple environments", - "waf": "Reliability" + "checklist": "WAF checklist", + "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", + "service": "AVS", + "services": [ + "AzurePolicy", + "WAF" + ], + "severity": "Low", + "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure Synapse Review Checklist", - "guid": "b94ef6e0-47d2-4da2-a82b-1cd6d2f54b29", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "services": [], - "severity": "High", - "subcategory": "DR", - "text": "BCDR for Azure Synapse pipelines ", - "waf": "Reliability" + "checklist": "WAF checklist", + "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", + "service": "AVS", + "services": [ + "AKV", + "WAF" + ], + "severity": "Low", + "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure Synapse Review Checklist", - "guid": "769e3a69-1e88-438a-a936-667e13c00567", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "services": [], - "severity": "High", - "subcategory": "DR", - "text": "Use Zone Redudant pipelines in regions supporting Availablity Zones", - "waf": "Reliability" + "checklist": "WAF checklist", + "guid": "255461e2-aee3-4553-afc8-339248b262d6", + "service": "AVS", + "services": [ + "ExpressRoute", + "AVS", + "AKV", + "WAF" + ], + "severity": "Low", + "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute", + "waf": "Operations" }, { - "category": "Operations 
Management", - "checklist": "Azure Synapse Review Checklist", - "guid": "4b1e944a-4598-437e-b7ad-6c6d3b365a5c", - "link": "https://learn.microsoft.com/azure/synapse-analytics/cicd/source-control", - "services": [], + "checklist": "WAF checklist", + "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", + "service": "AVS", + "services": [ + "AVS", + "WAF" + ], "severity": "Low", - "subcategory": "DevOps", - "text": "Create Scripts for all DLL Statements and save in Git Repository ", - "waf": "Reliability" + "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure Synapse Review Checklist", - "guid": "7acbe48a-be54-4cd7-af2e-87768358c559", - "link": "https://learn.microsoft.com/azure/synapse-analytics/spark/apache-spark-development-using-notebooks", - "services": [], + "checklist": "WAF checklist", + "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", + "service": "AVS", + "services": [ + "WAF" + ], "severity": "Low", - "subcategory": "DevOps", - "text": "When working with Spark Notebooks, make sure to integrate with Git or Azure DevOps", - "waf": "Reliability" + "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure Synapse Review Checklist", - "guid": "775c6ee9-5b86-4ad8-a44c-e3b2b38b875b", - "link": "https://learn.microsoft.com/azure/synapse-analytics/sql-data-warehouse/backup-and-restore", - "services": [], + "checklist": "WAF checklist", + "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", + "service": "AVS", + "services": [ + "Subscriptions", + "AVS", + "WAF" + ], "severity": "Medium", - "subcategory": "High Availablity", - "text": "Use Dedicated 
pools", - "waf": "Reliability" + "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution", + "waf": "Performance" }, { - "category": "Operations Management", - "checklist": "Azure Synapse Review Checklist", - "guid": "a1cf2049-9013-4a5d-9ce4-74dbcbd8682a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/analytics/azure-synapse", - "services": [], + "checklist": "WAF checklist", + "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", + "service": "AVS", + "services": [ + "Storage", + "AzurePolicy", + "WAF" + ], "severity": "Medium", - "subcategory": "DR", - "text": "Use Database restore points for Azure Synapse", - "waf": "Reliability" + "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action", + "waf": "Performance" }, { - "category": "Operations Management", - "checklist": "Azure Synapse Review Checklist", - "guid": "6abca2a4-fda1-4dae-8dc9-5d48c6c791dc", - "link": "https://learn.microsoft.com/azure/synapse-analytics/sql/on-demand-workspace-overview", - "services": [], + "checklist": "WAF checklist", + "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", + "service": "AVS", + "services": [ + "WAF" + ], "severity": "Medium", - "subcategory": "High Availablity", - "text": "Use Serverless Pools when required", - "waf": "Reliability" + "text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)", + "waf": "Performance" }, { - "category": "Operations Management", - "checklist": "Azure Synapse Review Checklist", - "guid": "a0f6c565-89e5-458b-a37d-4974e1112dbd", - "link": "https://learn.microsoft.com/azure/synapse-analytics/quickstart-deployment-template-workspaces", + "checklist": "WAF checklist", + "guid": 
"bf15bce2-19e4-4a0e-a588-79424d226786", + "service": "AVS", "services": [ - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "DevOps", - "text": "Use Infrastructure as a Code template to do repeatable deployments", - "waf": "Reliability" + "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", + "waf": "Performance" }, { - "category": "Operations Management", - "checklist": "Azure Synapse Review Checklist", - "guid": "7baf12e7-b94e-4f6e-847d-2da2982b1cd6", - "link": "https://learn.microsoft.com/azure/cosmos-db/synapse-link", - "services": [], + "checklist": "WAF checklist", + "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", + "service": "AVS", + "services": [ + "WAF" + ], "severity": "Medium", - "subcategory": "High Availablity", - "text": "Make sure to re-eshtablish any Synapse Links", - "training": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview", - "waf": "Reliability" - }, - { - "category": "BC and DR", - "checklist": "Device Update Review", - "guid": "0e03f5ee-4648-423c-bb86-7239480f9171", - "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", - "service": "Device Update for IoT Hub", - "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled).", - "waf": "Reliability" + "text": "Define and enforce scale in/out maximum limits for your environment in the automations", + "waf": "Performance" }, { - "category": "BC and DR", - "checklist": "Device Update Review", - "guid": "c0c273bd-00ad-419a-9f2f-fc72fb181e55", - "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", - "service": "Device Update for IoT Hub", - "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "Be aware of Microsoft-initiated failovers. 
These are exercised by Microsoft in rare situations to fail over all the DPS instances from an affected region to the corresponding geo-paired region.", - "waf": "Reliability" + "checklist": "WAF checklist", + "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", + "service": "AVS", + "services": [ + "Monitor", + "WAF" + ], + "severity": "Medium", + "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Device Update Review", - "guid": "3af8abe6-07eb-4287-b393-6c4abe3702eb", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Device Update for IoT Hub", - "services": [], + "checklist": "WAF checklist", + "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", + "services": [ + "VM", + "WAF" + ], "severity": "High", - "subcategory": "High Availability", - "text": "Consider a Cross-Region DR strategy for critical workloads", + "text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Device Update Review", - "guid": "bd91245c-fe32-4e98-a085-794a40f4bfe1", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Device Update for IoT Hub", + "checklist": "WAF checklist", + "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", + "link": 
"https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", "services": [ - "AppSvc" + "WAF" ], "severity": "High", - "subcategory": "High Availability", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "text": "When using MON, you cannot enable MON on more than 100 Network extensions", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Front Door", + "checklist": "WAF checklist", + "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", + "service": "AVS", "services": [ - "FrontDoor", - "AKV" + "VPN", + "WAF" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. 
Reduce the risk of outages caused by manual certificate renewal", - "waf": "Operations" + "text": "If using a VPN connection for migrations, adjust your MTU size accordingly.", + "waf": "Performance" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "b71ca41b-3a80-48f3-a6cd-22cdf197c1cf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", - "services": [], + "checklist": "WAF checklist", + "guid": "e614658d-d457-4e92-9139-b821102cad6e", + "service": "AVS", + "services": [ + "WAF" + ], "severity": "Medium", - "subcategory": "App delivery", - "text": "Perform app delivery within landing zones for both internal-facing (corp) and external-facing apps (online).", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Security" + "text": "For low connectivity regions connecting into Azure (500Mbps or less), considering deploying the HCX WAN optimization appliance", + "waf": "Performance" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", - "guid": "553585a6-abe0-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "App Gateway", + "checklist": "WAF checklist", + "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", + "service": "AVS", "services": [ - "AppGW" + "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", - "text": "Ensure you are using Application Gateway v2 SKU", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Security" + "text": "Ensure that migrations are started 
from the on-premises appliance and NOT from the Cloud appliance (do NOT perform a reverse migration)", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", - "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Load Balancer", + "checklist": "WAF checklist", + "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "AVS", "services": [ - "LoadBalancer" + "Storage", + "AVS", + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Load Balancer", - "text": "Ensure you are using the Standard SKU for your Azure Load Balancers", - "waf": "Security" + "text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "9432621a-8397-4654-a882-5bc856b7ef83", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", - "service": "Load Balancer", + "checklist": "WAF checklist", + "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "AVS", "services": [ - "LoadBalancer" + "Storage", + "ExpressRoute", + "WAF" ], "severity": "Medium", - "subcategory": "Load Balancer", - "text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).", - "waf": "Security" + "text": "Ensure that a dedicated ExpressRoute 
Gateway is being used for external data storage solutions", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", - "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "App Gateway", + "checklist": "WAF checklist", + "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "AVS", "services": [ - "VNet", - "AppGW" + "Storage", + "ExpressRoute", + "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", - "text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Security" + "text": "Ensure that FastPath is enabled on the ExpressRoute Gateway that is being used for external data storage solutions", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "description": 
"Administration of reverse proxies in general and WAF in particular is closer to the application than to networking, so they belong in the same subscription as the app. Centralizing the Application Gateway and WAF in the connectivity subscription might be OK if it is managed by one single team.", - "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", + "checklist": "WAF checklist", + "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "AVS", "services": [ - "VNet", - "Subscriptions", - "Entra", - "NVA", - "AppGW", + "ASR", "WAF" ], - "severity": "Medium", - "subcategory": "App Gateway", - "text": "Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound HTTP(S) connections within the landing-zone virtual network and with the apps that they're securing.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Security" + "severity": "High", + "text": "If using stretched cluster, ensure that your selected Disaster Recovery solution is supported by the vendor", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", + "checklist": "WAF checklist", + "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "AVS", "services": [ - "DDoS" + "WAF" ], - "severity": "Medium", - "subcategory": "App Gateway", - "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing 
zones.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" - }, - { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", - "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", - "service": "App Gateway", - "services": [], - "severity": "Medium", - "subcategory": "App Gateway", - "text": "Configure autoscaling with a minimum amount of instances of two.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "severity": "High", + "text": "If using stretched cluster, ensure that the SLA provided will meet your requirements", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", - "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", - "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", - "service": "App Gateway", + "checklist": "WAF checklist", + "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "AVS", "services": [ - "AppGW", - "ACR" + "ExpressRoute", + "WAF" ], - "severity": "Medium", - "subcategory": "App Gateway", - "text": "Deploy Application Gateway across Availability Zones", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "severity": "High", + "text": "If using stretched 
cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Front Door", + "checklist": "WAF checklist", + "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "AVS", "services": [ - "FrontDoor", - "AzurePolicy", + "ExpressRoute", "WAF" ], - "severity": "Medium", - "subcategory": "Front Door", - "text": "Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span multiple Azure regions.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "severity": "High", + "text": "If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "3f29812b-2363-4cef-b179-b599de0d5973", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "Front Door", + "checklist": "WAF checklist", + "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "AVS", "services": [ - "FrontDoor", - "AzurePolicy", - "AppGW", "WAF" ], - "severity": "Medium", - "subcategory": "App delivery", - "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. 
Lock down Application Gateway to receive traffic only from Front Door.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "severity": "High", + "text": "Have site disaster tolerance settings been properly considered and changed for your business if needed.", + "waf": "Reliability" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Traffic Manager", + "checklist": "WAF checklist", + "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", "services": [ - "TrafficManager" + "WAF" ], "severity": "High", - "subcategory": "Traffic Manager", - "text": "Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "Select the right Function hosting plan based on your business & SLO requirements", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", + "checklist": "WAF checklist", + "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", "services": [ - "Entra", - "AVD" + "WAF" ], - "severity": "Low", - "subcategory": "App delivery", - "text": "If users only need access to internal applications, has Microsoft Entra ID Application Proxy been considered 
as an alternative to Azure Virtual Desktop (AVD)?", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", - "waf": "Security" + "severity": "High", + "text": "Leverage Availability Zones where regionally applicable (not available for Consumption tier)", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", + "checklist": "WAF checklist", + "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", + "service": "Azure Functions", "services": [ - "Entra" + "WAF" ], "severity": "Medium", - "subcategory": "App delivery", - "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications.", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "Security" + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend 
profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", - "guid": "ae248989-b306-4591-9186-de482e3f0f0e", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "Front Door", + "checklist": "WAF checklist", + "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Azure Functions", "services": [ - "FrontDoor", - "AzurePolicy", - "WAF" + "WAF", + "AppSvc" ], "severity": "High", - "subcategory": "Front Door", - "text": "Deploy your WAF policy for Front Door in 'Prevention' mode.", - "waf": "Security" + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "Front Door", + "checklist": "WAF checklist", + "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "Azure Functions", "services": [ - "FrontDoor", - "TrafficManager" + "WAF", + "AppSvc" ], "severity": "High", - "subcategory": "Front Door", - "text": "Avoid combining Azure Traffic Manager and Azure Front Door.", - "waf": "Security" + "text": "Ensure 'Always On' is enabled for all Function Apps running on App Service Plan", + "waf": "Reliability" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", - "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "Front Door", + "checklist": "WAF checklist", + "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", + "service": "Azure Functions", "services": [ - "FrontDoor" + "Storage", + "WAF" ], - "severity": "High", - "subcategory": "Front Door", - "text": "Use the same domain name on Azure Front Door and your origin. Mismatched host names can cause subtle bugs.", - "waf": "Security" + "severity": "Medium", + "text": "Pair a Function App to its own storage account. Try not to re-use storage accounts for Function Apps unless they are tightly coupled", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", - "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "Front Door", + "checklist": "WAF checklist", + "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + 
"service": "Azure Functions", "services": [ - "FrontDoor" + "WAF" ], - "severity": "Low", - "subcategory": "Front Door", - "text": "Disable health probes when there is only one origin in an Azure Front Door origin group.", - "waf": "Performance" + "severity": "Medium", + "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Function App code", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "Front Door", + "checklist": "WAF checklist", + "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", + "service": "Bot service", "services": [ - "FrontDoor" + "WAF" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "Select good health probe endpoints for Azure Front Door. 
Consider building health endpoints that check all of your application's dependencies.", + "text": "Follow reliability support recommendations in Azure Bot Service", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", - "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "Front Door", + "checklist": "WAF checklist", + "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", + "service": "Bot service", "services": [ - "FrontDoor" + "WAF" ], - "severity": "Low", - "subcategory": "Front Door", - "text": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application.", - "waf": "Performance" + "severity": "Medium", + "text": "Deploying bots with local data residency and regional compliance", + "waf": "Reliability" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", - "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "Load Balancer", + "checklist": "WAF checklist", + "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", + "link": 
"https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", + "service": "Bot service", "services": [ - "LoadBalancer" + "WAF" ], - "severity": "High", - "subcategory": "Load Balancer", - "text": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability", + "severity": "Medium", + "text": "Azure Bot Service runs in active-active mode for both global and regional services. When an outage occurs, you don't need to detect errors or manage the service. Azure Bot Service automatically performs auto failover and auto recovery in a multi-region geographical architecture. For the EU bot regional service, Azure Bot Service provides two full regions inside Europe with active/active replication to ensure redundancy. For the global bot service, all available regions/geographies can be served as the global footprint.", "waf": "Reliability" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", - "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "Front Door", + "checklist": "WAF checklist", + "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", + "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", + "service": "Spring Apps", "services": [ - "FrontDoor", - "AKV", - "Cost" + "WAF" ], - "severity": "High", - "subcategory": "Front Door", - "text": "Use managed TLS certificates with Azure Front Door. 
Reduce operational cost and risk of outages due to certificate renewals.", - "waf": "Operations" + "severity": "Medium", + "text": "Azure Spring Apps permits two deployments for every app, only one of which receives production traffic. You can achieve zero downtime with blue green deployment strategies. Blue green deployment is only available in Standard and Enterprise tiers. You could automate deployment using CI/CD with ADO/GitHub actions", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", - "service": "Front Door", + "checklist": "WAF checklist", + "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", + "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", + "service": "Spring Apps", "services": [ + "TrafficManager", "FrontDoor", "WAF" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "Define your Azure Front Door WAF configuration as code. 
By using code, you can more easily adopt new rule set version and gain additional protection.", - "waf": "Operations" + "text": "Azure Spring Apps instances could be created in multiple regions for your applications and traffic could be routed by Traffic Manager/Front Door.", + "waf": "Reliability" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", - "service": "Front Door", + "checklist": "WAF checklist", + "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", + "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", + "service": "Spring Apps", "services": [ - "FrontDoor" + "ACR", + "WAF" ], - "severity": "High", - "subcategory": "Front Door", - "text": "Use end-to-end TLS with Azure Front Door. Use TLS for connections from your clients to Front Door, and from Front Door to your origin.", - "waf": "Security" + "severity": "Medium", + "text": "In supported region, Azure Spring Apps can be deployed as zone redundant, which means that instances are automatically distributed across availability zones. This feature is only available in Standard and Enterprise tiers.", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", - "service": "Front Door", + "checklist": "WAF checklist", + "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", + "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", + "service": "Spring Apps", "services": [ - "FrontDoor" + "WAF" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "Use HTTP to HTTPS redirection with Azure Front Door. 
Support older clients by redirecting them to an HTTPS request automatically.", - "waf": "Security" + "text": "Use more than 1 app instance for your apps", + "waf": "Reliability" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", - "service": "Front Door", + "checklist": "WAF checklist", + "guid": "7504c230-6035-4183-95a5-85762acc6075", + "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", + "service": "Spring Apps", "services": [ - "FrontDoor", + "Monitor", "WAF" ], - "severity": "High", - "subcategory": "Front Door", - "text": "Enable the Azure Front Door WAF. Protect your application from a range of attacks.", - "waf": "Security" + "severity": "Medium", + "text": "Monitor Azure Spring Apps with logs, metrics and tracing. Integrate ASA with application insights and track failures and create workbooks.", + "waf": "Reliability" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", - "service": "Front Door", + "checklist": "WAF checklist", + "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", + "service": "Spring Apps", "services": [ - "FrontDoor", "WAF" ], - "severity": "High", - "subcategory": "Front Door", - "text": "Tune the Azure Front Door WAF for your workload. 
Reduce false positive detections.", - "waf": "Security" + "severity": "Medium", + "text": "Set up autoscaling in Spring Cloud Gateway", + "waf": "Reliability" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "Front Door", + "checklist": "WAF checklist", + "guid": "97411607-b6fd-4335-99d1-9885faf4e392", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", + "service": "Spring Apps", "services": [ - "FrontDoor", - "AzurePolicy", "WAF" ], - "severity": "High", - "subcategory": "Front Door", - "text": "Enable request body inspection feature enabled in Azure Front Door WAF policy.", - "waf": "Security" + "severity": "Low", + "text": "Enable autoscale for the apps with Standard consumption & dedicated plan.", + "waf": "Reliability" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", - "service": "Front Door", + "checklist": "WAF checklist", + "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", + "link": "https://learn.microsoft.com/azure/spring-apps/overview", + "service": "Spring Apps", "services": [ - "FrontDoor", "WAF" ], - "severity": "High", - "subcategory": "Front Door", - "text": "Enable the Azure Front Door WAF default rule sets. The default rule sets detect and block common attacks.", - "waf": "Security" + "severity": "Medium", + "text": "Use Enterprise plan for commercial support of spring boot for mission critical apps. 
With other tiers you get OSS support.", + "waf": "Reliability" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", - "service": "Front Door", + "checklist": "WAF checklist", + "description": "Apply guidance from the Microsoft cloud security benchmark related to Storage", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Azure Storage", "services": [ - "FrontDoor", + "Storage", "WAF" ], - "severity": "High", - "subcategory": "Front Door", - "text": "Enable the Azure Front Door WAF bot protection rule set. The bot rules detect good and bad bots.", + "severity": "Medium", + "text": "Consider the 'Azure security baseline for storage'", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", - "service": "Front Door", - "services": [ - "FrontDoor", - "WAF" + "checklist": "WAF checklist", + "description": "Azure Storage by default has a public IP address and is Internet-reachable. 
Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Azure Storage", + "services": [ + "Storage", + "PrivateLink", + "WAF" + ], + "severity": "High", + "text": "Consider using private endpoints for Azure Storage", + "waf": "Security" + }, + { + "checklist": "WAF checklist", + "description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. are all enabled. Ensure that there are no old storage accounts with classic deployment model in a subscription", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Azure Storage", + "services": [ + "Storage", + "RBAC", + "Subscriptions", + "WAF" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "Use the latest Azure Front Door WAF rule set version. 
Rule set updates are regularly updated to take account of the current threat landscape.", + "text": "Ensure older storage accounts are not using 'classic deployment model'", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "b9620385-1cde-418f-914b-a84a06982ffc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", - "service": "Front Door", + "checklist": "WAF checklist", + "description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Azure Storage", "services": [ - "FrontDoor", + "Storage", + "Defender", + "WAF" + ], + "severity": "High", + "text": "Enable Microsoft Defender for all of your storage accounts", + "waf": "Security" + }, + { + "checklist": "WAF checklist", + "description": "The soft-delete mechanism allows to recover accidentally deleted blobs.", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Azure Storage", + "services": [ + "Storage", "WAF" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "Add rate limiting to the Azure Front Door WAF. 
Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", + "text": "Enable 'soft delete' for blobs", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", - "service": "Front Door", + "checklist": "WAF checklist", + "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", "services": [ - "FrontDoor", + "Storage", "WAF" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "Use a high threshold for Azure Front Door WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. 
", + "text": "Disable 'soft delete' for blobs", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", - "service": "Front Door", + "checklist": "WAF checklist", + "description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Azure Storage", "services": [ - "FrontDoor" + "WAF" ], - "severity": "Low", - "subcategory": "Front Door", - "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", + "severity": "High", + "text": "Enable 'soft delete' for containers", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "00acd8a9-6975-414f-8491-2be6309893b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", - "service": "Front Door", + "checklist": "WAF checklist", + "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. 
", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", "services": [ - "FrontDoor", + "Storage", "WAF" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", + "text": "Disable 'soft delete' for containers", "waf": "Security" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", - "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", - "service": "App Gateway", + "checklist": "WAF checklist", + "description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", "services": [ - "AppGW", + "Storage", "WAF" ], "severity": "High", - "subcategory": "App Gateway", - "text": "Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots.", + "text": "Enable resource locks on storage accounts", "waf": "Security" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": 
"8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "App Gateway", + "checklist": "WAF checklist", + "description": "Consider 'legal hold' or 'time-based retention' policies for blobs, so that is is impossible to delete the blob, the container, or the storage account. Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Azure Storage", "services": [ + "Storage", + "Subscriptions", "AzurePolicy", - "AppGW", "WAF" ], "severity": "High", - "subcategory": "App Gateway", - "text": "Enable request body inspection feature enabled in Azure Application Gateway WAF policy.", + "text": "Consider immutable blobs", "waf": "Security" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", - "service": "App Gateway", + "checklist": "WAF checklist", + "description": "Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. ", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Azure Storage", "services": [ - "AppGW", + "Storage", "WAF" ], "severity": "High", - "subcategory": "App Gateway", - "text": "Tune the Azure Application Gateway WAF for your workload. 
Reduce false positive detections.", + "text": "Require HTTPS, i.e. disable port 80 on the storage account", "waf": "Security" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", - "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "App Gateway", + "checklist": "WAF checklist", + "description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Azure Storage", "services": [ - "AzurePolicy", - "AppGW", + "Storage", "WAF" ], "severity": "High", - "subcategory": "App Gateway", - "text": "Deploy your WAF policy for Application Gateway in 'Prevention' mode.", + "text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", - "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", - "service": "App Gateway", + "checklist": "WAF checklist", + "description": "Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": "Azure Storage", "services": [ - "AppGW", + "Storage", "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", - "text": "Add rate limiting to the Azure Application Gateway WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", + "text": "Limit shared access signature (SAS) tokens to HTTPS connections only", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", - "service": "App Gateway", + "checklist": "WAF checklist", + "description": "AAD tokens should be favored over shared access signatures, wherever possible", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Azure Storage", "services": [ - "AppGW", + "Storage", + "Entra", "WAF" ], - "severity": "Medium", - "subcategory": "App Gateway", - "text": "Use a high threshold for Azure Application Gateway WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. 
", + "severity": "High", + "text": "Use Azure Active Directory (Azure AD) tokens for blob access", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "99937189-ff78-492a-b9ca-18d828d82b37", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", - "service": "App Gateway", - "services": [], - "severity": "Low", - "subcategory": "App Gateway", - "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", + "checklist": "WAF checklist", + "description": "When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. Limiting access to resources helps prevent both unintentional and malicious misuse of your data.", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Azure Storage", + "services": [ + "RBAC", + "WAF" + ], + "severity": "Medium", + "text": "Least privilege in IaM permissions", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", - "service": "App Gateway", + "checklist": "WAF checklist", + "description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. 
", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Azure Storage", "services": [ - "AppGW", + "Storage", + "Entra", "WAF" ], - "severity": "Medium", - "subcategory": "App Gateway", - "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Application Gateway WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", + "severity": "High", + "text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", - "service": "App Gateway", + "checklist": "WAF checklist", + "description": "Storage account keys ('shared keys') have very little audit capabilities. While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on AAD authentication makes it easier to tie storage access to a user. ", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Azure Storage", "services": [ - "AppGW", - "WAF" + "Storage", + "Entra", + "AKV", + "WAF", + "Monitor" ], - "severity": "Medium", - "subcategory": "App Gateway", - "text": "Use the latest Azure Application Gateway WAF rule set version. 
Rule set updates are regularly updated to take account of the current threat landscape.", + "severity": "High", + "text": "Consider disabling storage account keys, so that only AAD access (and user delegation SAS) is supported.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "App Gateway", + "checklist": "WAF checklist", + "description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. storage account keys, access policies, etc.).", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Azure Storage", "services": [ - "AppGW", - "WAF" + "Storage", + "AKV", + "WAF", + "Monitor", + "AzurePolicy" + ], + "severity": "High", + "text": "Consider using Azure Monitor to audit control plane operations on the storage account", + "waf": "Security" + }, + { + "checklist": "WAF checklist", + "description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. 
The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Azure Storage", + "services": [ + "Storage", + "AKV", + "WAF", + "AzurePolicy" ], "severity": "Medium", - "subcategory": "App Gateway", - "text": "Add diagnostic settings to save your Azure Application Gateway WAF logs.", - "waf": "Operations" + "text": "When using storage account keys, consider enabling a 'key expiration policy'", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "Front Door", + "checklist": "WAF checklist", + "description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. 
When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Azure Storage", "services": [ - "FrontDoor", + "AzurePolicy", "WAF" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "Add diagnostic settings to save your Azure Front Door WAF logs.", - "waf": "Operations" + "text": "Consider configuring an SAS expiration policy", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "92664c60-47e3-4591-8b1b-8d557656e686", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", - "service": "App Gateway", + "checklist": "WAF checklist", + "description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. 
", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Azure Storage", "services": [ - "Sentinel", - "AppGW", + "Storage", + "AKV", + "AzurePolicy", "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", - "text": "Send Azure Application Gateway WAF logs to Microsoft Sentinel.", - "waf": "Operations" + "text": "Consider linking SAS to a stored access policy", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "845f5f91-9c21-4674-a725-5ce890850e20", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "Front Door", + "checklist": "WAF checklist", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Azure Storage", "services": [ - "FrontDoor", - "Sentinel", + "Storage", + "AKV", "WAF" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "Send Azure Front Door WAF logs to Microsoft Sentinel.", - "waf": "Operations" + "text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", - "service": "App Gateway", + "checklist": "WAF checklist", + "description": "Ideally, your application should be using a managed identity to authenticate to Azure Storage. 
If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Azure Storage", "services": [ - "AppGW", + "Storage", + "Entra", "WAF" ], - "severity": "Medium", - "subcategory": "App Gateway", - "text": "Define your Azure Application Gateway WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.", - "waf": "Operations" + "severity": "High", + "text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", - "service": "App Gateway", + "checklist": "WAF checklist", + "description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. 
Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "services": [ + "Storage", "AzurePolicy", "WAF" ], - "severity": "Medium", - "subcategory": "App Gateway", - "text": "Use WAF Policies instead of the legacy WAF configuration.", - "waf": "Operations" + "severity": "High", + "text": "Strive for short validity periods for ad-hoc SAS", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", - "service": "App Gateway", + "checklist": "WAF checklist", + "description": "When creating a SAS, be as specific and restrictive as possible. 
Prefer a SAS for a single resource and operation over a SAS which gives much broader access.", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "services": [ - "ExpressRoute", - "VNet", - "VPN", - "AppGW" + "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", - "text": "Filter inbound traffic in the backends so that they only accept connections from the Application Gateway subnet, for example with NSGs.", + "text": "Apply a narrow scope to a SAS", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", - "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", - "service": "Front Door", + "checklist": "WAF checklist", + "description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to request a resource using the SAS. 
", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Azure Storage", "services": [ - "FrontDoor" + "WAF" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "Make sure your origins only take traffic from your Azure Front Door instance.", + "text": "Consider scoping SAS to a specific client IP address, wherever possible", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", - "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", - "service": "App Gateway", - "services": [], - "severity": "High", - "subcategory": "App Gateway", - "text": "You should encrypt traffic to the backend servers.", + "checklist": "WAF checklist", + "description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously large contents.", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Azure Storage", + "services": [ + "Storage", + "WAF" + ], + "severity": "Low", + "text": "Consider checking uploaded data, after clients used a SAS to upload a file. ", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", - "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", - "service": "App Gateway", + "checklist": "WAF checklist", + "description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive than SFTP access. 
Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Azure Storage", "services": [ + "Storage", + "Entra", + "RBAC", "WAF" ], "severity": "High", - "subcategory": "App Gateway", - "text": "You should use a Web Application Firewall.", + "text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", - "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", - "service": "App Gateway", - "services": [], + "checklist": "WAF checklist", + "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Azure Storage", + "services": [ + "WAF" + ], "severity": "Medium", - "subcategory": "App Gateway", - "text": "Redirect HTTP to HTTPS", + "text": "SFTP: The SFTP endpoint does not support POSIX-like ACLs.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", - "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", - "service": "App Gateway", - "services": [], - "severity": "Medium", - "subcategory": "App Gateway", - "text": "Use gateway-managed cookies to direct traffic from a user session to the same server for processing", - "waf": "Operations" - }, - { - "category": "Network Topology and Connectivity", - "checklist": "Azure 
Application Delivery Networking", - "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", - "service": "App Gateway", - "services": [], + "checklist": "WAF checklist", + "description": "Storage supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. When enabling CORS, keep the CorsRules to the least privilege.", + "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Azure Storage", + "services": [ + "Storage", + "AzurePolicy", + "WAF" + ], "severity": "High", - "subcategory": "App Gateway", - "text": "Enable connection draining during planned service updates to prevent connection loss to existing membrs of the backend pool", + "text": "Avoid overly broad CORS policies", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", - "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", - "service": "App Gateway", - "services": [], - "severity": "Low", - "subcategory": "App Gateway", - "text": "Create custom error pages to display a personalized user experience", - "waf": "Operations" - }, - { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", - "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", - "service": "App Gateway", - "services": [], - "severity": "Medium", - "subcategory": "App Gateway", - "text": "Edit HTTP requests and response headers for easier routing and information exchange between the client and server", + "checklist": "WAF checklist", + 
"description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. Server-side encryption might happen using a platform-managed key (default) or customer-managed key. Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. thus not relying on Azure Storage at all for confidentiality guarantees.", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Azure Storage", + "services": [ + "Storage", + "WAF" + ], + "severity": "High", + "text": "Determine how data at rest should be encrypted. Understand the thread model for data.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "App Gateway", + "checklist": "WAF checklist", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Azure Storage", "services": [ - "FrontDoor" + "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", - "text": "Configure Front Door to optimize global web traffic routing and top-tier end-user performance, and reliability through quick global failover", - "waf": "Performance" - }, - { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "29dcc19f-a8fa-4c35-8281-290577538793", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "App Gateway", - "services": [], - "severity": "Medium", - 
"subcategory": "App Gateway", - "text": "Use transport layer load balancing", - "waf": "Performance" - }, - { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", - "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", - "service": "App Gateway", - "services": [], - "severity": "Medium", - "subcategory": "App Gateway", - "text": "Configure routing based on host or domain name for multiple web applications on a single gateway", + "text": "Determine which/if platform encryption should be used.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", - "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", - "service": "App Gateway", + "checklist": "WAF checklist", + "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Azure Storage", "services": [ - "Entra" + "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", - "text": "Centralize SSL certificate management to reduce encryption and decryption overhead from a backend server farm", + "text": "Determine which/if client-side encryption should be used.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", - "service": "App Gateway", + "checklist": "WAF checklist", + "description": "Leverage Resource Graph Explorer (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) to find storage accounts which allow anonymous blob access.", + "guid": 
"659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Azure Storage", "services": [ - "AppGW" + "Storage", + "WAF" ], - "severity": "Low", - "subcategory": "App Gateway", - "text": "Use Application Gateway for native support for WebSocket and HTTP/2 protocols", + "severity": "High", + "text": "Consider whether public blob access is needed, or whether it can be disabled for certain storage accounts. ", "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure App Service Review", - "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", - "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", - "service": "App Services", + "checklist": "WAF checklist", + "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal", + "service": "Azure Storage", "services": [ - "AppSvc" + "Storage", + "WAF" ], - "severity": "Low", - "subcategory": "High Availability", - "text": "Refer to baseline highly available zone-redundant web application architecture for best practices", + "severity": "High", + "text": "Leverage a storagev2 account type for better performance and reliability", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure App Service Review", - "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", - "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", - "service": "App Services", + "checklist": "WAF checklist", + "guid": "e05bbe20-9d49-4fda-9777-8424d116785c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Azure Storage", "services": [ - "AppSvc", - "Backup" + "Storage", + "WAF" ], - "severity": "Medium", - "subcategory": "High 
Availability", - "text": "Use Premium and Standard tiers. These tiers support staging slots and automated backups.", + "severity": "High", + "text": "Leverage GRS, ZRS or GZRS storage for the highest availability", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure App Service Review", - "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", - "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", - "service": "App Services", + "checklist": "WAF checklist", + "guid": "2fa56c56-ad48-4408-be72-734c486ba280", + "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", + "service": "Azure Storage", "services": [ - "AppSvc" + "WAF" ], - "severity": "High", - "subcategory": "High Availability", - "text": "Leverage Availability Zones where regionally applicable (requires Premium v2 or v3 tier)", + "severity": "Medium", + "text": "For write operation after failover, use customer-Managed Failover ", "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure App Service Review", - "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "checklist": "WAF checklist", + "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", + "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", + "service": "Azure Storage", "services": [ - "AppSvc", - "Monitor" + "WAF" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Implement health checks", + "text": "Understand Microsoft-Managed Failover details", "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure App Service Review", - "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", - "service": "App Services", + "checklist": "WAF checklist", + "guid": 
"a274faa1-abfe-49d5-9d04-c3c4919cb1b3", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", + "service": "Azure Storage", "services": [ - "AppSvc", - "Backup" + "WAF" ], - "severity": "High", - "subcategory": "Multi-tenant service", - "text": "Refer to backup and restore best practices for Azure App Service", + "severity": "Medium", + "text": "Enable Soft Delete", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure App Service Review", - "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", - "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", - "service": "App Services", + "checklist": "WAF checklist", + "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", "services": [ - "AppSvc" + "WAF" ], "severity": "High", - "subcategory": "High Availability", - "text": "Implement Azure App Service reliability best practices", + "text": "Enable 2 replicas to have 99.9% availability for read operations", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure App Service Review", - "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", - "service": "App Services", + "checklist": "WAF checklist", + "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", "services": [ - "AppSvc" + "WAF" ], - "severity": "Low", - "subcategory": "High Availability", - "text": "Familiarize with how to move an App Service app to another region During a disaster", + "severity": "Medium", + "text": "Enable 3 replicas to have 99.9% availability for read/write operations", "waf": "Reliability" }, { - "category": 
"BC and DR", - "checklist": "Azure App Service Review", - "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", - "service": "App Services", + "checklist": "WAF checklist", + "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", + "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", + "service": "Cognitive Search", "services": [ - "AppSvc" + "WAF" ], "severity": "High", - "subcategory": "High Availability", - "text": "Familiarize with reliability support in Azure App Service", + "text": "Leverage Availability Zones by enabling read and/or write replicas", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure App Service Review", - "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "App Services", + "checklist": "WAF checklist", + "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", + "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", + "service": "Cognitive Search", "services": [ - "AppSvc" + "ACR", + "WAF" ], "severity": "Medium", - "subcategory": "High Availability", - "text": "Ensure \"Always On\" is enabled for Function Apps running on a app service plan", + "text": "For regional redudancy, Manually create services in 2 or more regions for Search as it doesn't provide an automated method of replicating search indexes across geographic regions", "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure App Service Review", - "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "checklist": "WAF checklist", + "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", + "link": 
"https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", + "service": "Cognitive Search", "services": [ - "AppSvc", - "Monitor" + "ACR", + "WAF" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Monitor App Service instances using Health checks", + "text": "To synchronize data across multiple services either Use indexers for updating content on multiple services or Use REST APIs for pushing content updates on multiple services", "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure App Service Review", - "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", - "service": "App Services", + "checklist": "WAF checklist", + "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", + "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", + "service": "Cognitive Search", "services": [ - "AppSvc", - "Monitor" + "TrafficManager", + "WAF" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Monitor availability and responsiveness of web app or website using Application Insights availability tests", + "text": "Use Azure Traffic Manager to coordinate requests", "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure App Service Review", - "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", - "service": "App Services", + "checklist": "WAF checklist", + "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", + "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", + "service": "Cognitive Search", "services": [ - "AppSvc", - "Monitor" + "Storage", + "Backup", + "WAF" ], - "severity": "Low", - "subcategory": "Monitoring", - "text": "Use Application Insights Standard test to monitor 
availability and responsiveness of web app or website", + "severity": "High", + "text": "Backup and Restore an Azure Cognitive Search Index. Use this sample code to back up index definition and snapshot to a series of Json files", "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Use Azure Key Vault to store any secrets the application needs. Key Vault provides a safe and audited environment for storing secrets and is well-integrated with App Service through the Key Vault SDK or App Service Key Vault References.", - "guid": "834ac932-223e-4ce8-8b12-3071a5416415", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", + "checklist": "WAF checklist", + "guid": "21c30d25-ffb7-4f6a-b9ea-b3fec328f787", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-cog_svcs_v1.docx", + "service": "Cognitive Services", "services": [ - "AppSvc", - "AKV" + "WAF" ], - "severity": "High", - "subcategory": "Data Protection", - "text": "Use Key Vault to store secrets", - "waf": "Security" + "severity": "Medium", + "text": "Leverage FTA HandBook for Cognitive Services", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Use a Managed Identity to connect to Key Vault either using the Key Vault SDK or through App Service Key Vault References.", - "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", + "checklist": "WAF checklist", + "guid": "78c34698-16b2-4763-aefe-1b9b599de0d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", + "service": "Cognitive Services", "services": [ - "AppSvc", - "Entra", - "AKV" + "Backup", + "WAF" ], - "severity": 
"High", - "subcategory": "Data Protection", - "text": "Use Managed Identity to connect to Key Vault", - "waf": "Security" + "severity": "Medium", + "text": "Backup Your Prompts", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Store the App Service TLS certificate in Key Vault.", - "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", - "service": "App Services", + "checklist": "WAF checklist", + "guid": "750ab2ab-039d-4a6d-95d7-c892adb107d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", + "service": "Cognitive Services", "services": [ - "AppSvc", - "AKV" + "ASR", + "WAF" ], "severity": "High", - "subcategory": "Data Protection", - "text": "Use Key Vault to store TLS certificate.", - "waf": "Security" + "text": "Business Continuity and Disaster Recovery (BCDR) considerations with Azure OpenAI Service", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Systems that process sensitive information should be isolated. 
To do so, use separate App Service Plans or App Service Environments and consider the use of different subscriptions or management groups.", - "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", - "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", - "service": "App Services", + "checklist": "WAF checklist", + "guid": "325af625-ca44-4e46-a5e2-223ace8bb123", + "link": "https://github.com/abacaj/chatgpt-backup#backup-your-chatgpt-conversations", + "service": "Cognitive Services", "services": [ - "AppSvc", - "Subscriptions" + "Backup", + "WAF" ], "severity": "Medium", - "subcategory": "Data Protection", - "text": "Isolate systems that process sensitive information", - "waf": "Security" + "text": "Backup Your ChatGPT conversations", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Local disks on App Service are not encrypted and sensitive data should not be stored on those. (For example: D:\\\\Local and %TMP%).", - "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", - "service": "App Services", + "checklist": "WAF checklist", + "guid": "07ca5f17-f154-4e3a-a369-2829e7e31618", + "link": "https://learn.microsoft.com/azure/ai-services/speech-service/how-to-custom-speech-continuous-integration-continuous-deployment", + "service": "Cognitive Services", "services": [ - "AppSvc", - "TrafficManager" + "WAF" ], "severity": "Medium", - "subcategory": "Data Protection", - "text": "Do not store sensitive data on local disk", - "waf": "Security" + "text": "CI/CD for custom speech", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "For authenticated web application, use a well established Identity Provider like Azure AD or Azure AD B2C. 
Leverage the application framework of your choice to integrate with this provider or use the App Service Authentication / Authorization feature.", - "guid": "919ca0b2-c121-459e-814b-933df574eccc", - "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", - "service": "App Services", + "checklist": "WAF checklist", + "guid": "3687a046-7a1f-4893-9bda-43324f248116", + "link": "https://learn.microsoft.com/azure/ai-services/qnamaker/tutorials/export-knowledge-base", + "service": "Cognitive Services", "services": [ - "AppSvc", - "Entra" + "WAF" ], - "severity": "Medium", - "subcategory": "Identity and Access Control", - "text": "Use an established Identity Provider for authentication", - "waf": "Security" + "severity": "Low", + "text": "Move a knowledge base using export-import", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Deploy code to App Service from a controlled and trusted environment, like a well-managed and secured DevOps deployment pipeline. 
This avoids code that was not version controlled and verified to be deployed from a malicious host.", - "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", - "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", - "service": "App Services", + "checklist": "WAF checklist", + "guid": "af416482-663c-4ed6-b195-b44c7068e09c", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support", + "service": "Container Apps", "services": [ - "AppSvc", - "Entra" + "WAF" ], "severity": "High", - "subcategory": "Identity and Access Control", - "text": "Deploy from a trusted environment", - "waf": "Security" + "text": "Leverage Availability Zones if regionally applicable", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Disable basic authentication for both FTP/FTPS and for WebDeploy/SCM. This disables access to these services and enforces the use of Azure AD secured endpoints for deployment. 
Note that the SCM site can also be opened using Azure AD credentials.", - "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", - "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", - "service": "App Services", + "checklist": "WAF checklist", + "guid": "95bc80ec-6499-4d14-a7d2-7d296b1d8abc", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment", + "service": "Container Apps", "services": [ - "AppSvc", - "Entra" + "WAF" ], "severity": "High", - "subcategory": "Identity and Access Control", - "text": "Disable basic authentication", - "waf": "Security" + "text": "Use more than one replica and enable Zone Redundancy.", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Where possible use Managed Identity to connect to Azure AD secured resources. If this is not possible, store secrets in Key Vault and connect to Key Vault using a Managed Identity instead.", - "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", - "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", - "service": "App Services", + "checklist": "WAF checklist", + "guid": "ccaa4fc2-fdbc-4432-8bb7-f7e6469e4dc3", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", + "service": "Container Apps", "services": [ - "AppSvc", - "Entra", - "AKV" + "WAF" ], "severity": "High", - "subcategory": "Identity and Access Control", - "text": "Use Managed Identity to connect to resources", - "waf": "Security" + "text": "For cross-region DR, deploy container apps in multiple regions and follow active/active or active/passive application guidance.", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure App Service Review", - 
"description": "Where using images stored in Azure Container Registry, pull these using a Managed Identity.", - "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", - "service": "App Services", + "checklist": "WAF checklist", + "guid": "2ffada86-c031-4933-bf7d-0c45bc4e5919", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", + "service": "Container Apps", "services": [ - "AppSvc", - "Entra", - "ACR" + "TrafficManager", + "FrontDoor", + "WAF" ], "severity": "High", - "subcategory": "Identity and Access Control", - "text": "Pull containers using a Managed Identity", - "waf": "Security" + "text": "Use Front Door or Traffic Manager to route traffic to the closest region", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "By configuring the diagnostic settings of App Service, you can send all telemetry to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor runtime activity of App Service such as HTTP logs, application logs, platform logs, ...", - "guid": "47768314-c115-4775-a2ea-55b46ad48408", - "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", - "service": "App Services", + "checklist": "WAF checklist", + "guid": "43e52f47-22d9-428c-8b1c-d521e54a29a9", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foundations-playbooks-CosmosDB_v1.docx", + "service": "CosmosDB", "services": [ - "AppSvc", - "Entra", - "Monitor" + "WAF" ], "severity": "Medium", - "subcategory": "Logging and Monitoring", - "text": "Send App Service runtime logs to Log Analytics", - "waf": "Security" + "text": "FTA Resiliency Playbook", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. This allows you to monitor control plane activity on the App Service resource itself.", - "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", - "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", - "service": "App Services", + "checklist": "WAF checklist", + "guid": "de39ac0e-7c28-4dc9-9565-7202bff4564b", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", + "service": "CosmosDB", "services": [ - "AppSvc", - "Entra", - "Monitor" - ], - "severity": "Medium", - "subcategory": "Logging and Monitoring", - "text": "Send App Service activity logs to Log Analytics", - "waf": "Security" - }, - { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Control outbound network access using a combination of regional VNet integration, network security groups and UDR's. Traffic should be routed to an NVA such as Azure Firewall. 
Ensure to monitor the Firewall's logs.", - "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", - "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", - "service": "App Services", - "services": [ - "VNet", - "Monitor", - "Firewall", - "AppSvc", - "NVA" - ], - "severity": "Medium", - "subcategory": "Network Security", - "text": "Outbound network access should be controlled", - "waf": "Security" - }, - { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "You can provide a stable outbound IP by using VNet integration and using a VNet NAT Gateway or an NVA like Azure Firewall. This allows the receiving party to allow-list based on IP, should that be needed. Note that for communications towards Azure Services often there's no need to depend on the IP address and mechanics like Service Endpoints should be used instead. (Also the use of private endpoints on the receiving end avoids for SNAT to happen and provides a stable outbound IP range.)", - "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", - "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", - "service": "App Services", - "services": [ - "VNet", - "Firewall", - "PrivateLink", - "Storage", - "AppSvc", - "NVA" - ], - "severity": "Low", - "subcategory": "Network Security", - "text": "Ensure a stable IP for outbound communications towards internet addresses", - "waf": "Security" - }, - { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Control inbound network access using a combination of App Service Access Restrictions, Service Endpoints or Private Endpoints. 
Different access restrictions can be required and configured for the web app itself and the SCM site.", - "guid": "0725769e-e669-41a4-a34a-c932223ece80", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", - "services": [ - "AppSvc", - "PrivateLink" - ], - "severity": "High", - "subcategory": "Network Security", - "text": "Inbound network access should be controlled", - "waf": "Security" - }, - { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Protect against malicious inbound traffic using a Web Application Firewall like Application Gateway or Azure Front Door. Make sure to monitor the WAF's logs.", - "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", - "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", - "service": "App Services", - "services": [ - "Monitor", - "FrontDoor", - "AppSvc", - "AppGW", "WAF" ], "severity": "High", - "subcategory": "Network Security", - "text": "Use a WAF in front of App Service", - "waf": "Security" + "text": "Leverage Availablity Zones where regionally applicable and ofcourse if the service offers it", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Make sure the WAF cannot be bypassed by locking down access to only the WAF. 
Use a combination of Access Restrictions, Service Endpoints and Private Endpoints.", - "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", + "checklist": "WAF checklist", + "guid": "0d934a34-8b26-43e7-bd60-513a3649906e", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#replica-outages", + "service": "CosmosDB", "services": [ - "AppSvc", - "PrivateLink", "WAF" ], - "severity": "High", - "subcategory": "Network Security", - "text": "Avoid for WAF to be bypassed", - "waf": "Security" - }, - { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Set minimum TLS policy to 1.2 in App Service configuration.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", - "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", - "service": "App Services", - "services": [ - "AppSvc", - "AzurePolicy" - ], "severity": "Medium", - "subcategory": "Network Security", - "text": "Set minimum TLS policy to 1.2", - "waf": "Security" + "text": "Run multiple replicas of the database (>1 ) in Prod", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Configure App Service to use HTTPS only. This causes App Service to redirect from HTTP to HTTPS. 
Strongly consider the use of HTTP Strict Transport Security (HSTS) in your code or from your WAF, which informs browsers that the site should only be accessed using HTTPS.", - "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", - "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", - "service": "App Services", + "checklist": "WAF checklist", + "description": "Multi-region writes capability allows you to take advantage of the provisioned throughput for your databases and containers across the globe", + "guid": "bad38ead-53cc-47de-8d8a-aab3571449ab", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions", + "service": "CosmosDB", "services": [ - "AppSvc", + "ACR", "WAF" ], - "severity": "High", - "subcategory": "Network Security", - "text": "Use HTTPS only", - "waf": "Security" - }, - { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Do not use wildcards in your CORS configuration, as this allows all origins to access the service (thereby defeating the purpose of CORS). Specifically only allow the origins that you expect to be able to access the service.", - "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", - "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", - "service": "App Services", - "services": [ - "AppSvc", - "Storage" - ], - "severity": "High", - "subcategory": "Network Security", - "text": "Wildcards must not be used for CORS", - "waf": "Security" - }, - { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Remote debugging must not be turned on in production as this opens additional ports on the service which increases the attack surface. 
Note that the service does turn of remote debugging automatically after 48 hours.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", - "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", - "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", - "service": "App Services", - "services": [ - "AppSvc" - ], - "severity": "High", - "subcategory": "Network Security", - "text": "Turn off remote debugging", - "waf": "Security" - }, - { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Enable Defender for App Service. This (amongst other threats) detects communications to known malicious IP addresses. Review the recommendations from Defender for App Service as part of your operations.", - "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", - "service": "App Services", - "services": [ - "AppSvc", - "Defender" - ], "severity": "Medium", - "subcategory": "Network Security", - "text": "Enable Defender for Cloud - Defender for App Service", - "waf": "Security" + "text": "Leverage Multi-Region Writes", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. 
DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.",
- "guid": "223ece80-b123-4071-a541-6415833ea3ad",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
- "service": "App Services",
+ "checklist": "WAF checklist",
+ "description": "Span Cosmos account across two or more regions with multi-region writes",
+ "guid": "8153d89f-89dc-47b3-9be2-b1a27f7b9e91",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas",
+ "service": "CosmosDB",
 "services": [
- "EventHubs",
- "VNet",
- "DDoS",
- "AppSvc",
- "NVA",
- "AppGW",
+ "ACR",
 "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Network Security",
- "text": "Enable DDOS Protection Standard on the WAF VNet",
- "waf": "Security"
+ "text": "Distribute your data globally",
+ "waf": "Reliability"
 },
 {
- "category": "Security",
- "checklist": "Azure App Service Review",
- "description": "Where using images stored in Azure Container Registry, pull these over a virtual network from Azure Container Registry using its private endpoint and the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'.",
- "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda",
- "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry",
- "service": "App Services",
+ "checklist": "WAF checklist",
+ "description": "Choose from various consistency levels such as Eventual, Consistent Prefix, Session, Bounded Staleness and strong",
+ "guid": "9f8ea848-25ec-4140-bc32-2758e6ee9ac0",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/consistency-levels",
+ "service": "CosmosDB",
 "services": [
- "AppSvc",
- "PrivateLink",
- "VNet",
- "ACR"
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Network Security",
- "text": "Pull containers over a Virtual Network",
- "waf": "Security"
+ "severity": "High",
+ "text": "Choose from several well-defined consistency models",
+ "waf": "Reliability"
 },
 {
- "category": "Security",
- "checklist": "Azure App Service Review",
- "description": "Conduct a penetration test on the web application following the penetration testing rules of engagement.",
- "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769",
- "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing",
- "service": "App Services",
+ "checklist": "WAF checklist",
+ "description": "Maintain business continuity during regional outages. Azure Cosmos DB supports service-managed failover during a regional outage. During a regional outage, Azure Cosmos DB continues to maintain its latency, availability, consistency, and throughput SLAs. To help make sure that your entire application is highly available, Azure Cosmos DB offers a manual failover API to simulate a regional outage. By using this API, you can carry out regular business continuity drills.",
+ "guid": "a47e4d1e-bb79-43f9-bf87-69e1032b72fe",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover",
+ "service": "CosmosDB",
 "services": [
- "AppSvc"
+ "CosmosDB",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Penetration Testing",
- "text": "Conduct a penetration test",
- "waf": "Security"
+ "text": "Enable Service managed failover",
+ "waf": "Reliability"
 },
 {
- "category": "Security",
- "checklist": "Azure App Service Review",
- "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.",
- "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e",
- "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure",
- "service": "App Services",
+ "checklist": "WAF checklist",
+ "description": "Azure Cosmos DB automatically takes backups of your data at regular intervals. The automatic backups are taken without affecting the performance or availability of the database operations. 
All the backups are stored separately in a storage service.",
+ "guid": "3499c9c1-133d-42f7-a4b1-a5bd06ff1a90",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore",
+ "service": "CosmosDB",
 "services": [
- "AppSvc"
+ "Storage",
+ "Backup",
+ "WAF",
+ "CosmosDB"
 ],
 "severity": "Medium",
- "subcategory": "Vulnerability Management",
- "text": "Deploy validated code",
- "waf": "Security"
+ "text": "Enable Automatic Backups",
+ "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
+ "waf": "Reliability"
 },
 {
- "category": "Security",
- "checklist": "Azure App Service Review",
- "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.",
- "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54",
- "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime",
- "service": "App Services",
+ "checklist": "WAF checklist",
+ "description": "This mode is the default backup mode for all existing accounts. In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. The minimum backup interval can be one hour.",
+ "guid": "a6eb33f6-005c-4d92-9286-7655672d6121",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction",
+ "service": "CosmosDB",
 "services": [
- "AppSvc"
+ "Backup",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Vulnerability Management",
- "text": "Use up-to-date platforms, languages, protocols and frameworks",
- "waf": "Security"
- },
- {
- "category": "Operations Management",
- "checklist": "Stream Analytics Review Checklist",
- "guid": "32e52e36-11c8-418b-8a0b-c511e43a18a9",
- "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-stream_analytics_v1.docx",
- "services": [],
- "severity": "High",
- "subcategory": "High Availablity ",
- "text": "Leverage FTA Resiliency Handbook for Stream Analytics",
- "waf": "Reliability"
- },
- {
- "category": "Operations Management",
- "checklist": "Stream Analytics Review Checklist",
- "description": "Azure Stream Analytics provides high availability (99.9% SLA) for jobs and clusters within a region, the details of which are transparent to the end customer. If failures occur within the service, per the documentation �Azure Stream Analytics guarantees exactly once event processing and at-least-once delivery of events, so events are never lost.�",
- "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a",
- "link": "https://azure.microsoft.com/en-in/products/stream-analytics",
- "services": [],
- "severity": "Medium",
- "subcategory": "High Availablity ",
- "text": "Understand High Availability 99% SLA and use it to plan your DR strategy",
- "waf": "Reliability"
- },
- {
- "category": "Operations Management",
- "checklist": "Stream Analytics Review Checklist",
- "description": "Azure Stream Analytics resources (jobs, clusters, etc.) are regional and do not provide automatic geo-failover. However, you can achieve geo-redundancy by deploying identical Stream Analytics jobs in multiple Azure regions. 
Each job connects to local input and output sources. It is the responsibility of your application to both send input data into the two regional inputs and reconcile between the two regional outputs.",
- "guid": "fc833934-8b26-42d6-ac5f-512925498e6d",
- "link": "https://learn.microsoft.com/azure/stream-analytics/geo-redundancy",
- "services": [],
 "severity": "Medium",
- "subcategory": "Geo Redundancy",
- "text": "Plan for Geo Redudancy of the service",
+ "text": "Perform Periodic Backups",
+ "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
 "waf": "Reliability"
 },
 {
- "category": "Operations Management",
- "checklist": "Stream Analytics Review Checklist",
- "guid": "b9d37dac-43bc-46cd-8d7a-a9b24604489a",
- "link": "https://learn.microsoft.com/azure/stream-analytics/geo-redundancy",
- "services": [],
+ "checklist": "WAF checklist",
+ "description": "Continous 7 day retention and 30 day retention backups. Azure Cosmos DB performs data backup in the background without consuming any extra provisioned throughput (RUs) or affecting the performance and availability of your database. 
Continuous backups are taken in every region where the account exists.",
+ "guid": "d43918a8-cd28-49be-b6b1-7cb8245461e1",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction",
+ "service": "CosmosDB",
+ "services": [
+ "CosmosDB",
+ "WAF",
+ "Backup"
+ ],
 "severity": "Medium",
- "subcategory": "Geo Redundancy",
- "text": "Depending on your availablity requirement, configure Active/Active configuration or Active/Passive configuration ",
+ "text": "Continous Backup with point-in-time restore in Azure Cosmos DB",
+ "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/",
 "waf": "Reliability"
 },
 {
- "category": "Cleanup",
- "checklist": "Cost Optimization Checklist",
+ "checklist": "WAF checklist",
 "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20",
 "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models",
 "service": "Azure Monitor",
 "services": [
- "Cost",
- "Monitor"
+ "Monitor",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Azure Monitor - enforce data collection rules",
 "text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview",
 "training": "https://azure.microsoft.com/pricing/reservations/",
 "waf": "Cost"
 },
 {
- "category": "Cleanup",
- "checklist": "Cost Optimization Checklist",
+ "checklist": "WAF checklist",
 "guid": "45901365-d38e-443f-abcb-d868266abca2",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation",
 "service": "Azure Backup",
 "services": [
- "Cost",
- "Backup"
+ "Backup",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Backup",
 "text": "check backup instances with the underlying datasource not found",
 "waf": "Cost"
 },
 {
- "category": "Cleanup",
- "checklist": "Cost Optimization Checklist",
+ "checklist": "WAF checklist",
 "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse",
 "service": "VM",
 "services": [
- "Cost"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Delete/archive",
 "text": "Delete or archive unassociated services (disks, nics, ip addresses etc)",
 "waf": "Cost"
 },
 {
- "category": "Cleanup",
- "checklist": "Cost Optimization Checklist",
- "guid": "659d3958-fd77-4289-a835-556df2bfe456",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
- "services": [
- "Cost"
- ],
- "severity": "Medium",
- "subcategory": "Delete/archive",
- "text": "Consider snooze and stop technique (snooze a service after x days, stop after 2x, delete/deallocate after 3x)",
- "waf": "Cost"
- },
- {
- "category": "Cleanup",
- "checklist": "Cost Optimization Checklist",
- "guid": "3b0d834a-3487-426d-b69c-6b5c2a26494b",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
- "services": [
- "Cost",
- "Storage",
- "Backup"
- ],
- "severity": "Medium",
- "subcategory": "Delete/archive",
- "text": "Delete or archive unused resources (old backups, logs, storage accounts, etc...)",
- "waf": "Cost"
- },
- {
- "category": "Cleanup",
- "checklist": "Cost Optimization Checklist",
+ "checklist": "WAF checklist",
 "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
 "service": "Azure Backup",
 "services": [
- "ASR",
- "Cost",
 "Storage",
- "Backup"
+ "ASR",
+ "Backup",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Delete/archive",
 "text": "Consider a good balance between site recovery storage and backup for non mission critical applications",
 "waf": "Cost"
 },
 {
- "category": "Cleanup",
- "checklist": "Cost Optimization Checklist",
+ "checklist": "WAF checklist",
 "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a",
 "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts",
 "service": "Azure Monitor",
 "services": [
- "Cost",
- "Monitor"
+ "Monitor",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Log Analytics retention for workspaces",
 "text": "Check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily cap, in addition to creating an alert when the cap is reached,ensure that you also create an alert rule to be notified when some percentage has been reached (90% for example). - consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ",
 "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes",
 "waf": "Cost"
 },
 {
- "category": "Cleanup",
- "checklist": "Cost Optimization Checklist",
+ "checklist": "WAF checklist",
 "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
 "service": "Azure Monitor",
 "services": [
- "Cost",
+ "Storage",
 "AzurePolicy",
- "Storage"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Policy",
 "text": "Enforce a purging log policy and automation (if needed, logs can be moved to cold storage)",
 "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw",
 "waf": "Cost"
 },
 {
- "category": "Cleanup",
- "checklist": "Cost Optimization Checklist",
- "guid": "59bb91a3-ed90-4cae-8cc8-4c37b6b780cb",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
- "services": [
- "Cost"
- ],
- "severity": "Medium",
- "subcategory": "Run orphaned resources workbook - delete or snooze ghost items",
- "text": "https://github.com/dolevshor/azure-orphan-resources",
- "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets",
- "waf": "Cost"
- },
- {
- "category": "Cleanup",
- "checklist": "Cost Optimization Checklist",
- "guid": "9fe5c464-89d4-457a-a27c-3874d0102cac",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
- "services": [
- "Cost"
- ],
- "severity": "Medium",
- "subcategory": "Shutdown/deallocate",
- "text": "Shutdown underutilized instances",
- "training": "https://learn.microsoft.com/azure/cost-management-billing/understand/analyze-unexpected-charges",
- "waf": "Cost"
- },
- {
- "category": "Cleanup",
- "checklist": "Cost Optimization Checklist",
+ "checklist": "WAF checklist",
 "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
 "service": "VM",
 "services": [
- "Cost",
- "VM",
 "Storage",
- "Backup"
+ "Backup",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "stopped/deallocated VMs: check disks",
 "text": "Check that the disks are really needed, if not: delete. If they are needed, find lower storage tiers or use backup -",
 "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation",
 "waf": "Cost"
 },
 {
- "category": "Cleanup",
- "checklist": "Cost Optimization Checklist",
+ "checklist": "WAF checklist",
 "guid": "d1e44a19-659d-4395-afd7-7289b835556d",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
 "service": "Storage",
 "services": [
- "Cost",
+ "Storage",
 "AzurePolicy",
- "Storage"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "storage accounts lifecycle policy",
 "text": "Consider moving unused storage to lower tier, with customized rule - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ",
 "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
 "waf": "Cost"
 },
 {
- "category": "Cleanup",
- "checklist": "Cost Optimization Checklist",
- "guid": "f2bfe456-3b0d-4834-a348-726de69c6b5c",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
+ "checklist": "WAF checklist",
+ "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "VM",
 "services": [
- "Cost"
+ "VM",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Tagging",
- "text": "Use specific tags for temporary items with 'delete by DATE' format - and automate monthly cleanup",
+ "text": "Make sure advisor is configured for VM right sizing ",
 "waf": "Cost"
 },
 {
- "category": "DB/App tuning",
- "checklist": "Cost Optimization Checklist",
- "guid": "2a26494b-69ba-4d37-aad5-3cc78e1d7666",
- "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/mca-section-invoice",
+ "checklist": "WAF checklist",
+ "description": "check by searching the 
Meter Category Licenses in the Cost analysys",
+ "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations",
+ "service": "VM",
 "services": [
+ "VM",
+ "AzurePolicy",
+ "WAF",
 "Cost"
 ],
 "severity": "Medium",
- "subcategory": "DB optimization",
- "text": "Plan for db optimization with the intent of downsizing the related services (and improve performance)",
+ "text": "run the script on all windows VMs https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- consider implementing a policy if windows VMs are created frequently",
 "waf": "Cost"
 },
 {
- "category": "DB/APP tuning",
- "checklist": "Cost Optimization Checklist",
- "guid": "7357c449-674b-45ed-a5a8-59c7733be2a1",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
+ "checklist": "WAF checklist",
+ "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3",
+ "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
+ "service": "VM",
 "services": [
- "Cost"
+ "LoadBalancer",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "App modernization",
- "text": "Modernizing the app towards a microservices architecture will have the effect of letting the app scale according to the single service and not the entire stack",
+ "text": " this can be also put under AHUB if you already have licenses https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance",
 "waf": "Cost"
 },
 {
- "category": "DB/APP tuning",
- "checklist": "Cost Optimization Checklist",
- "guid": "a27b765a-91be-41f3-a8ef-394c2bd463cb",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
+ "checklist": "WAF checklist",
+ "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5",
+ "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal",
+ "service": "VM",
 "services": [
- "Cost",
 "VM",
- "Storage"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "DB optimization",
- "text": "optimizing the DB queries will increase performance and allow better right-sizing of storage and VMs",
+ "text": "Consolidate reserved VM families with flexibility option (no more than 4-5 families)",
+ "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management",
 "waf": "Cost"
 },
 {
- "category": "DB/APP tuning",
- "checklist": "Cost Optimization Checklist",
- "guid": "bac75819-59bb-491a-9ed9-0cae2cc84c37",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "checklist": "WAF checklist",
+ "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations",
+ "service": "VM",
 "services": [
+ "ARS",
+ "VM",
+ "WAF",
 "Cost"
 ],
 "severity": "Medium",
- "subcategory": "Demand shaping",
- "text": "Using demand shaping on PaaS services will optimize costs and performances",
+ "text": "Utilize Azure Reserved Instances: This feature allows you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.",
 "waf": "Cost"
 },
 {
- "category": "Process Administration",
- "checklist": "Cost Optimization Checklist",
- "guid": "b6b780cb-9fe5-4c46-989d-457a927c3874",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/naming-and-tagging",
+ "checklist": "WAF checklist",
+ "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d",
+ "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
+ "service": "VM",
 "services": [
- "Entra",
- "Cost"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Advisor",
- "text": "Start from the Azure Advisor page suggestions.",
+ "text": "Only larger disks can be reserved => 1 TiB -",
 "waf": "Cost"
 },
 {
- "category": "Process Administration",
- "checklist": "Cost Optimization Checklist",
- "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "checklist": "WAF checklist",
+ "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain",
 "service": "VM",
 "services": [
- "Cost",
- "VM"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Advisor",
- "text": "Make sure advisor is configured for VM right sizing ",
+ "text": "After the right-sizing optimization",
 "waf": "Cost"
 },
 {
- "category": "Process Administration",
- "checklist": "Cost Optimization Checklist",
- "guid": "881a1bd5-d1e4-44a1-a659-d3958fd77289",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "checklist": "WAF checklist",
+ "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy",
+ "service": "Azure SQL",
 "services": [
+ "SQL",
+ "AzurePolicy",
+ "WAF",
 "Cost"
 ],
 "severity": "Medium",
- "subcategory": "Automation",
- "text": "Consider implementing IaC scripts or devops pipelines to match the cost governance process",
+ "text": "Check if applicable and enforce policy/change https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations",
 "waf": "Cost"
 },
 {
- "category": "Process Administration",
- "checklist": "Cost Optimization Checklist",
- "guid": "b835556d-f2bf-4e45-93b0-d834a348726d",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "checklist": "WAF checklist",
+ "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667",
+ "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
+ "service": "VM",
 "services": [
- "Cost",
- "Monitor"
+ "VM",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Automation",
- "text": "Set up cost alerts for applications that have variable costs (ideally for all of them)",
+ "text": "The VM + license part discount (ahub + 3YRI) is around 70% discount",
 "waf": "Cost"
 },
 {
- "category": "Process Administration",
- "checklist": "Cost Optimization Checklist",
- "guid": "e69c6b5c-2a26-4494-a69b-ad37aad53cc7",
- "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services",
+ "checklist": "WAF checklist",
+ "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
+ "service": "VM",
 "services": [
- "Cost"
+ "VM",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Automation",
- "text": "Use Azure Automation: Automate repetitive tasks can help you save time and resources, reducing costs in the process. ",
+ "text": "Consider using a VMSS to match demand rather than flat sizing",
 "waf": "Cost"
 },
 {
- "category": "Process Administration",
- "checklist": "Cost Optimization Checklist",
- "guid": "8e1d7666-7357-4c44-a674-b5ed85a859c7",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc",
+ "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
+ "service": "AKS",
 "services": [
- "Cost"
+ "AKS",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Automation",
- "text": "Run orphaned resources workbook",
+ "text": "Use AKS autoscaler to match your clusters usage (make sure the pods requirements match the scaler)",
 "waf": "Cost"
 },
 {
- "category": "Process Administration",
- "checklist": "Cost Optimization Checklist",
- "guid": "733be2a1-a27b-4765-a91b-e1f388ef394c",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy",
+ "checklist": "WAF checklist",
+ "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work",
+ "service": "Azure Backup",
 "services": [
- "Cost",
- "Storage"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Baseline",
- "text": "Try and establish a baseline of monthly spending and an acceptable saving target against the baseline (new services will not be optimized at this stage)",
+ "text": "Move recovery points to vault-archive where applicable (Validate)",
+ "training": "https://azure.microsoft.com/pricing/reservations/",
 "waf": "Cost"
 },
 {
- "category": "Process Administration",
- "checklist": "Cost Optimization Checklist",
- "guid": "2bd463cb-bac7-4581-a59b-b91a3ed90cae",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "checklist": "WAF checklist",
+ "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2",
+ "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination",
+ "service": "Databricks",
 "services": [
- "Cost",
- "AzurePolicy"
+ "LoadBalancer",
+ "VM",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Baseline",
- "text": "Establish a cost optimization baseline by using a policy that tags every new resource as #NEW",
+ "text": "Consider using Spot VMs with fallback where possible. Consider autotermination of clusters.",
 "waf": "Cost"
 },
 {
- "category": "Process Administration",
- "checklist": "Cost Optimization Checklist",
- "guid": "2cc84c37-b6b7-480c-a9fe-5c46489d457a",
- "link": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management-config",
+ "checklist": "WAF checklist",
+ "guid": "cc881470-607c-41cc-a0e6-14658dd458e9",
+ "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create",
+ "service": "Azure Functions",
 "services": [
- "Cost"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Baseline",
- "text": "Organize resources to maximize cost insights and accountability",
+ "text": "Functions - Reuse connections",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json",
 "waf": "Cost"
 },
 {
- "category": "Process Administration",
- "checklist": "Cost Optimization Checklist",
- "guid": "927c3874-d010-42ca-a6aa-e01e6a84de5d",
- "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets?bc=%2Fazure%2Fcloud-adoption-framework%2F_bread%2Ftoc.json&toc=%2Fazure%2Fcloud-adoption-framework%2Ftoc.json",
+ "checklist": "WAF checklist",
+ "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f",
+ "link": "https://learn.microsoft.com/azure/automation/update-management/overview",
+ "service": "Azure Functions",
 "services": [
- "Cost"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Budgets",
- "text": "Create budgets",
+ "text": "Functions - Cache data locally",
+ "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
 "waf": "Cost"
 },
 {
- "category": "Process Administration",
- "checklist": "Cost Optimization Checklist",
- "guid": "e36d1d92-881a-41bd-9d1e-44a19659d395",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#identity-and-access-management-in-the-azure-landing-zone-accelerator",
+ "checklist": "WAF checklist",
+ "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac",
+ "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
+ "service": "Azure Functions",
 "services": [
- "Cost"
+ "Storage",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Cost Analysis",
- "text": "In cost analysis - use daily granularity, grouped by service name to analyze the spending of the past 3 months and identify the top 3 spenders",
+ "text": "Functions - Cold starts-Use the 'Run from package' functionality. This way, the code is downloaded as a single zip file. 
This can, for example, result in significant improvements with Javascript functions, which have a lot of node modules.Use language specific tools to reduce the package size, for example, tree shaking Javascript applications.",
+ "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
 "waf": "Cost"
 },
 {
- "category": "Process Administration",
- "checklist": "Cost Optimization Checklist",
- "guid": "8fd77289-b835-4556-bf2b-fe4563b0d834",
- "link": "https://learn.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-staging-server",
+ "checklist": "WAF checklist",
+ "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
+ "service": "Azure Functions",
 "services": [
- "Cost"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Cost Analysis",
- "text": "Check daily for cost spikes and anomalies (ideally with automatic billing exports)",
+ "text": "Functions - Keep your functions warm",
+ "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
 "waf": "Cost"
 },
 {
- "category": "Process Administration",
- "checklist": "Cost Optimization Checklist",
- "guid": "a348726d-e69c-46b5-a2a2-6494b69bad37",
- "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access",
+ "checklist": "WAF checklist",
+ "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Azure Functions",
 "services": [
- "Cost"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Cost Analysis",
- "text": "Automate cost retrieval for deep analysis or integration",
+ "text": "When using autoscale with different functions, there might be one driving all the autoscale for all the resources - consider moving it to a separate consumption plan (and consider higher plan for CPU)",
 "waf": "Cost"
 },
 {
- "category": "Process Administration",
- "checklist": "Cost Optimization Checklist",
- "guid": "aad53cc7-8e1d-4766-9735-7c449674b5ed",
- "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor",
+ "checklist": "WAF checklist",
+ "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8",
+ "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal",
+ "service": "Azure Functions",
 "services": [
- "Cost",
- "ACR"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Free services",
- "text": "Take advantage of Azure free services: Azure offers a number of free services, such as DevOps, Azure Container Registry, and Azure Logic Apps, that can help you save costs on development and operations. ",
+ "text": "Function apps in a given plan are all scaled together, so any issues with scaling can affect all apps in the plan.",
 "waf": "Cost"
 },
 {
- "category": "Process Administration",
- "checklist": "Cost Optimization Checklist",
- "guid": "96c96ad8-844c-4f3b-8b38-c886ba2c0214",
- "link": "https://learn.microsoft.com/azure/role-based-access-control/overview",
+ "checklist": "WAF checklist",
+ "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups",
+ "service": "Azure Functions",
 "services": [
- "Cost"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Tagging",
- "text": "Tag shared resources",
+ "text": "Am I billed for 'await time'? This question is typically asked in the context of a C# function that does an async operation and waits for the result, e.g. await Task.Delay(1000) or await client.GetAsync('http://google.com'). The answer is yes - the GB second calculation is based on the start and end time of the function and the memory usage over that period. What actually happens over that time in terms of CPU activity is not factored into the calculation.One exception to this rule is if you are using durable functions. You are not billed for time spent at awaits in orchestrator functions.apply demand shaping techinques where possible (dev environments?) https://github.com/Azure-Samples/functions-csharp-premium-scaler",
 "waf": "Cost"
 },
 {
- "category": "Process Administration",
- "checklist": "Cost Optimization Checklist",
- "guid": "99014a5d-3ce5-474d-acbd-9792a6bcca2b",
- "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview",
+ "checklist": "WAF checklist",
+ "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "service": "Front Door",
 "services": [
- "Cost"
+ "EventHubs",
+ "FrontDoor",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Tagging",
- "text": "Consider using tags to all services for cost allocation",
+ "text": "Frontdoor - Turn off the default homepageIn the application settings of your App, set AzureWebJobsDisableHomepage to true. This will return a 204 (No Content) to the PoP so only header data is returned.",
 "waf": "Cost"
 },
 {
- "category": "reservations",
- "checklist": "Cost Optimization Checklist",
- "guid": "4fea1dbf-3dd9-45d4-ac7c-891dcb1f7d57",
- "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks",
+ "checklist": "WAF checklist",
+ "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
+ "service": "Front Door",
 "services": [
- "Cost"
+ "FrontDoor",
+ "WAF",
+ "AppSvc"
 ],
 "severity": "Medium",
- "subcategory": "automation",
- "text": "Consider Reservation automation to track and promptly react to changes",
+ "text": "Frontdoor - Route to something that returns nothing. Either set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. 
The advantage of this is you will be able to log out when it is called.", "waf": "Cost" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", - "description": "check by searching the Meter Category Licenses in the Cost analysys", - "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", - "service": "VM", + "checklist": "WAF checklist", + "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", + "service": "Storage", "services": [ - "SQL", - "Cost", - "VM", - "AzurePolicy" + "WAF" ], "severity": "Medium", - "subcategory": "check AHUB is applied to all Windows VMs, RHEL and SQL", - "text": "run the script on all windows VMs https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- consider implementing a policy if windows VMs are created frequently", + "text": "Consider archiving tiers for less used data", "waf": "Cost" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", - "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "checklist": "WAF checklist", + "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", "service": "VM", "services": [ - "Cost", - "LoadBalancer" + "WAF" ], "severity": "Medium", - "subcategory": "Check Red Hat Licences if applicable", - "text": " this can be also put under AHUB if you already have licenses https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", + "text": "Check disk sizes where the size does not match the tier (i.e. 
A 513 GiB disk will pay a P30 (1TiB) and consider resizing", "waf": "Cost" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", - "guid": "a76af4a6-91e8-4839-ada4-6667e13c1056", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", + "checklist": "WAF checklist", + "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "Storage", "services": [ - "AppSvc", - "Cost" + "WAF" ], "severity": "Medium", - "subcategory": "Functions", - "text": "Saving plans will provide 17% on select app service plans", + "text": "Consider using standard SSD rather than Premium or Ultra where possible", "waf": "Cost" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", - "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "VM", + "checklist": "WAF checklist", + "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "Storage", "services": [ - "Cost", - "VM" + "Storage", + "WAF" ], "severity": "Medium", - "subcategory": "Planning", - "text": "Consolidate reserved VM families with flexibility option (no more than 4-5 families)", - "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", + "text": "For storage accounts, make sure that the chosen tier is not adding up transaction charges (it might be cheaper to move to the next tier)", "waf": "Cost" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", - "guid": 
"c7acbe49-bbe6-44dd-a9f2-e87778468d55", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", - "service": "VM", + "checklist": "WAF checklist", + "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "Site Recovery", "services": [ - "Cost", - "ARS", - "VM" + "ASR", + "WAF" ], "severity": "Medium", - "subcategory": "Reservations/savings plans", - "text": "Utilize Azure Reserved Instances: This feature allows you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.", + "text": "For ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput allow it", "waf": "Cost" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", - "guid": "a785c6fe-96c9-46ad-a844-cf3b2b38c886", - "link": "https://azure.microsoft.com/resources/achieving-compliant-data-residency-and-security-with-azure/", + "checklist": "WAF checklist", + "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", + "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", + "service": "Storage", "services": [ - "Cost" + "Storage", + "WAF" ], "severity": "Medium", - "subcategory": "Reservations/savings plans", - "text": "Plan for Azure Savings Plans for all the workloads that are dynamic and need maximum flexibility", + "text": "Storage accounts: check hot tier and/or GRS necessary", "waf": "Cost" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", - "guid": "ba2c0214-9901-44a5-b3ce-574dccbd9792", - "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", + "checklist": "WAF checklist", + "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + 
"service": "VM", "services": [ - "Cost" + "WAF" ], "severity": "Medium", - "subcategory": "Reservations/savings plans", - "text": "Plan for Azure Reservations for all the workloads that are less dynamic and won't change much", + "text": "Disks - validate use of Premium SSD disks everywhere: for example, non-prod could swap to Standard SSD or on-demand Premium SSD ", "waf": "Cost" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", - "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", - "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", - "service": "VM", + "checklist": "WAF checklist", + "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "Synapse", "services": [ + "EventHubs", + "Monitor", "Cost", - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Reserve storage", - "text": "Only larger disks can be reserved => 1 TiB -", + "text": "Create budgets to manage costs and create alerts that automatically notify stakeholders of spending anomalies and overspending risks.", "waf": "Cost" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", - "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", - "service": "VM", + "checklist": "WAF checklist", + "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "Synapse", "services": [ + "Storage", "Cost", - "VM" + "WAF" ], "severity": "Medium", - "subcategory": "Reserve VMs with normalized and rationalized sizes", - "text": "After the right-sizing optimization", + "text": "Export cost data to a storage account for additional data analysis.", "waf": "Cost" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", - "guid": 
"d7bb012f-7b95-4e06-b158-e2ea3992c2de", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Azure SQL", + "checklist": "WAF checklist", + "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Synapse", "services": [ "Cost", - "SQL", - "AzurePolicy" + "WAF", + "SQL" ], "severity": "Medium", - "subcategory": "SQL Database AHUB", - "text": "Check if applicable and enforce policy/change https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", + "text": "Control costs for a dedicated SQL pool by pausing the resource when it is not in use.", "waf": "Cost" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", - "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "VM", + "checklist": "WAF checklist", + "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", + "service": "Synapse", "services": [ - "SQL", - "Cost", - "VM" + "WAF" ], "severity": "Medium", - "subcategory": "SQL Database Reservations", - "text": "The VM + license part discount (ahub + 3YRI) is around 70% discount", + "text": "Enable the serverless Apache Spark automatic pause feature and set your timeout value accordingly.", "waf": "Cost" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", - "guid": "e13c1056-75c1-4e94-9b45-9837ff7ae7c6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#managed-identities", + "checklist": "WAF checklist", + "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", + "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Synapse", "services": [ - "Cost" + "WAF" ], "severity": "Medium", - "subcategory": "Tracking", - "text": "Make sure you Azure Reservations and Savings plans are close to 100% utilization or make the necessary changes to reach it.", + "text": "Create multiple Apache Spark pool definitions of various sizes.", "waf": "Cost" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", - "guid": "d3b475a5-c7ac-4be4-abbe-64dd89f2e877", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#rbac-recommendations", + "checklist": "WAF checklist", + "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "service": "Synapse", "services": [ "Cost", - "AzurePolicy" + "WAF" ], "severity": "Medium", - "subcategory": "Tracking", - "text": "Make sure that your reservations usage is close to 100%. 
If not, either enforce an allowed SKU policy or exchange the reservation", + "text": "Purchase Azure Synapse commit units (SCU) for one year with a pre-purchase plan to save on your Azure Synapse Analytics costs.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "78468d55-a785-4c6f-b96c-96ad8844cf3b", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-create-roles-and-resource-roles-review", + "checklist": "WAF checklist", + "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "VM", "services": [ - "Cost", - "AzurePolicy" + "VM", + "WAF", + "Cost" ], "severity": "Medium", - "subcategory": "Automation", - "text": "Plan and enforce a On/Off policy for production services, where possible", + "text": "Use Spot VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "2b38c886-ba2c-4021-9990-14a5d3ce574d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "checklist": "WAF checklist", + "guid": "544451e1-92d3-4442-a3c7-628637a551c5", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", "services": [ - "Cost", - "AzurePolicy" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Automation", - "text": "Plan and enforce a On-Demand policy with auto-shutdown for non-production services, where possible", + "text": "Right-sizing all VMs", "waf": "Cost" 
}, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "checklist": "WAF checklist", + "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", "service": "VM", "services": [ - "Cost", - "VM" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Autoscale", - "text": "Consider using a VMSS to match demand rather than flat sizing", + "text": "Swap VM sized with normalized and most recent sizes", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", "services": [ - "AKS", - "Cost" - ], + "Monitor", + "VM", + "WAF" + ], "severity": "Medium", - "subcategory": "Autoscale", - "text": "Use AKS autoscaler to match your clusters usage (make sure the pods requirements match the scaler)", + "text": "right-sizing VMs - start with monitoring usage below 5% and then work up to 40%", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "93665720-2bff-4456-9b0d-934a359c363e", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "checklist": "WAF checklist", + "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", + "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", "services": [ - "Cost" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Autoscale", - "text": "Right-size PaaS service according to average use and accomodate spikes with auto or manual scaling", + "text": "Containerizing an application can improve VM density and save money on scaling it", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "7dd61623-a364-4a90-9eba-e38ead53cc7d", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "checklist": "WAF checklist", + "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", + "service": "IoT Hub DPS", "services": [ - "Cost" + "WAF" ], - "severity": "Medium", - "subcategory": "Autoscale", - "text": "Plan for demand shaping where applicable", - "waf": "Cost" + "severity": "High", + "text": "Select the right Logic App hosting plan based on your business & SLO requirements", + "waf": "Reliability" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "e2e8aaab-3571-4549-ab91-53d89f89dc7b", + "checklist": "WAF checklist", + "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "IoT Hub DPS", "services": [ - "Cost" + "WAF" ], - "severity": "Medium", - "subcategory": "Autoscale", - "text": "Consider implementing a service re-scaling logic within the application", - "training": "https://learn.microsoft.com/azure/cost-management-billing/savings-plan/", - "waf": "Cost" + "severity": "High", + "text": "Protect logic apps from region failures with zone redundancy and availability zones", + 
"waf": "Reliability" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Azure Backup", + "checklist": "WAF checklist", + "guid": "8aed4fbf-0830-4883-899d-222a154af478", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "IoT Hub DPS", "services": [ - "Cost", - "Backup" + "WAF" ], - "severity": "Medium", - "subcategory": "Backup", - "text": "Move recovery points to vault-archive where applicable (Validate)", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "Cost" + "severity": "High", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", - "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", - "service": "Databricks", + "checklist": "WAF checklist", + "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "IoT Hub DPS", "services": [ - "Cost", - "VM", - "LoadBalancer" + "WAF", + "AppSvc" ], - "severity": "Medium", - "subcategory": "Databricks", - "text": "Consider using Spot VMs with fallback where possible. 
Consider autotermination of clusters.", - "waf": "Cost" + "severity": "High", + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", - "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", - "service": "Azure Functions", + "checklist": "WAF checklist", + "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "IoT Hub DPS", "services": [ - "Cost" + "WAF" ], "severity": "Medium", - "subcategory": "Functions", - "text": "Functions - Reuse connections", - "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", - "waf": "Cost" + "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", + "waf": "Operations" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", - "link": "https://learn.microsoft.com/azure/automation/update-management/overview", - "service": "Azure Functions", + "checklist": "WAF checklist", + "guid": "0e03f5ee-4648-423c-bb86-7239480f9171", + "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", + "service": "Device Update for IoT Hub", "services": [ - "Cost" + "WAF" ], - "severity": "Medium", - "subcategory": "Functions", - "text": "Functions - Cache data locally", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", - "waf": "Cost" + "severity": "High", + "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled).", + "waf": "Reliability" }, { - "category": "Right-sizing", - "checklist": 
"Cost Optimization Checklist", - "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Azure Functions", + "checklist": "WAF checklist", + "guid": "c0c273bd-00ad-419a-9f2f-fc72fb181e55", + "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", + "service": "Device Update for IoT Hub", "services": [ - "Cost", - "Storage" + "WAF" ], - "severity": "Medium", - "subcategory": "Functions", - "text": "Functions - Cold starts-Use the 'Run from package' functionality. This way, the code is downloaded as a single zip file. This can, for example, result in significant improvements with Javascript functions, which have a lot of node modules.Use language specific tools to reduce the package size, for example, tree shaking Javascript applications.", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "Cost" + "severity": "High", + "text": "Be aware of Microsoft-initiated failovers. 
These are exercised by Microsoft in rare situations to fail over all the DPS instances from an affected region to the corresponding geo-paired region.", + "waf": "Reliability" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "Azure Functions", + "checklist": "WAF checklist", + "guid": "3af8abe6-07eb-4287-b393-6c4abe3702eb", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Device Update for IoT Hub", "services": [ - "Cost" + "WAF" ], - "severity": "Medium", - "subcategory": "Functions", - "text": "Functions - Keep your functions warm", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Cost" + "severity": "High", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Azure Functions", + "checklist": "WAF checklist", + "guid": "bd91245c-fe32-4e98-a085-794a40f4bfe1", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Device Update for IoT Hub", "services": [ - "Cost" + "WAF", + "AppSvc" ], - "severity": "Medium", - "subcategory": "Functions", - "text": "When using autoscale with different functions, there might be one driving all the autoscale for all the resources - consider moving it to a separate consumption plan (and consider higher plan for CPU)", - "waf": "Cost" + "severity": "High", + "text": "If deploying to an Isolated environment, use or migrate to App 
Service Environment (ASE) v3", + "waf": "Reliability" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", - "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", - "service": "Azure Functions", + "checklist": "WAF checklist", + "description": "Azure Event Hub provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ", + "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", + "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", + "service": "Event Hubs", "services": [ - "Cost" + "EventHubs", + "WAF" ], - "severity": "Medium", - "subcategory": "Functions", - "text": "Function apps in a given plan are all scaled together, so any issues with scaling can affect all apps in the plan.", - "waf": "Cost" + "severity": "Low", + "text": "Use customer-managed key option in data at rest encryption when required", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", - "service": "Azure Functions", + "checklist": "WAF checklist", + "description": "Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail. 
", + "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", + "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", + "service": "Event Hubs", "services": [ - "Cost" + "EventHubs", + "WAF" ], "severity": "Medium", - "subcategory": "Functions", - "text": "Am I billed for 'await time'? This question is typically asked in the context of a C# function that does an async operation and waits for the result, e.g. await Task.Delay(1000) or await client.GetAsync('http://google.com'). The answer is yes - the GB second calculation is based on the start and end time of the function and the memory usage over that period. What actually happens over that time in terms of CPU activity is not factored into the calculation.One exception to this rule is if you are using durable functions. You are not billed for time spent at awaits in orchestrator functions.apply demand shaping techinques where possible (dev environments?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", - "waf": "Cost" + "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "df03a822-cd46-43cb-abc8-ac299ebc91a4", - "link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard", + "checklist": "WAF checklist", + "description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has manage permissions for the entire namespace. It�s recommended that you treat this rule like an administrative root account and don�t use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", + "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", + "service": "Event Hubs", "services": [ - "Cost" + "Entra", + "TrafficManager", + "RBAC", + "EventHubs", + "WAF", + "AzurePolicy" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Evaluate your network topology against networking costs and where applicable reduce the egress and peering data", - "waf": "Cost" + "text": "Avoid using root account when it is not necessary", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Front Door", + "checklist": "WAF checklist", + "description": "Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. ", + "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", + "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", + "service": "Event Hubs", "services": [ + "Storage", + "Entra", "EventHubs", - "Cost", - "FrontDoor" + "AKV", + "WAF", + "VM" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Frontdoor - Turn off the default homepageIn the application settings of your App, set AzureWebJobsDisableHomepage to true. 
This will return a 204 (No Content) to the PoP so only header data is returned.", - "waf": "Cost" + "text": "When possible, your application should be using a managed identity to authenticate to Azure Event Hub. If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Front Door", + "checklist": "WAF checklist", + "description": "When creating permissions, provide fine-grained control over a client's access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped to the individual resource level e.g. consumer group, event hub entity, event hub namespaces, etc.", + "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", + "service": "Event Hubs", "services": [ - "AppSvc", - "Cost", - "FrontDoor" + "EventHubs", + "RBAC", + "WAF" ], - "severity": "Medium", - "subcategory": "Networking", - "text": "Frontdoor - Route to something that returns nothing. Either set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. 
The advantage of this is you will be able to log out when it is called.", - "waf": "Cost" + "severity": "High", + "text": "Use least privilege data plane RBAC", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "f843e52f-4722-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/azure-monitor/agents/diagnostics-extension-overview", + "checklist": "WAF checklist", + "description": "Azure Event Hub resource logs include operational logs, virtual network and Kafka logs. Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.", + "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", + "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", + "service": "Event Hubs", "services": [ - "Cost" + "EventHubs", + "VNet", + "Monitor", + "WAF" ], "severity": "Medium", - "subcategory": "PaaS", - "text": "Consider using free tiers where applicable for all non-production environments", - "waf": "Cost" + "text": "Enable logging for security investigation. Use Azure Monitor to captured metrics and logs such as resource logs, runtime audit logs and Kafka logs", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "b9de39ac-0e7c-428d-a936-657202bff456", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", + "checklist": "WAF checklist", + "description": "Azure Event Hub by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Event Hub traverses over the Microsoft backbone network. 
In addition to that, you should disable public endpoints if those are not used. ", + "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", + "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", + "service": "Event Hubs", "services": [ - "Cost" + "EventHubs", + "VNet", + "PrivateLink", + "WAF" ], "severity": "Medium", - "subcategory": "Serverless", - "text": "Using serverless patterns for spikes can help keeping costs down", - "waf": "Cost" + "text": "Consider using private endpoints to access Azure Event Hub and disable public network access when applicable.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", - "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", - "service": "Storage", + "checklist": "WAF checklist", + "description": "With IP firewall, you can restrict public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. 
", + "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", + "service": "Event Hubs", "services": [ - "Cost", - "Storage" + "EventHubs", + "WAF" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Consider archiving tiers for less used data", - "waf": "Cost" + "text": "Consider only allowing access to Azure Event Hub namespace from specific IP addresses or ranges", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "VM", + "checklist": "WAF checklist", + "guid": "31d41e36-11c8-417b-8afb-c410d4391898", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", + "service": "Event Hubs", "services": [ - "Cost", - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Check disk sizes where the size does not match the tier (i.e. A 513 GiB disk will pay a P30 (1TiB) and consider resizing", - "waf": "Cost" + "text": "Leverage FTA Resillency HandBook", + "waf": "Reliability" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "Storage", + "checklist": "WAF checklist", + "description": " This will be turned on automatically for a new EH namespace created from the portal with Premium, Dedicated, or Standard SKUs in a zone-enabled region. 
Both the EH metadata and the event data itself are replicated across zones", + "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", + "service": "Event Hubs", "services": [ - "Cost", - "Storage" + "EventHubs", + "ACR", + "WAF" ], - "severity": "Medium", - "subcategory": "Storage", - "text": "Consider using standard SSD rather than Premium or Ultra where possible", - "waf": "Cost" + "severity": "High", + "text": "Leverage Availability Zones if regionally applicable", + "waf": "Reliability" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "Storage", + "checklist": "WAF checklist", + "guid": "20b56c56-ad58-4519-8f82-735c586bb281", + "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", + "service": "Event Hubs", "services": [ - "Cost", - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Storage", - "text": "For storage accounts, make sure that the chosen tier is not adding up transaction charges (it might be cheaper to move to the next tier)", - "waf": "Cost" + "text": "Use the Premium or Dedicated SKUs for predicable performance", + "waf": "Reliability" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "Site Recovery", + "checklist": "WAF checklist", + "description": "The built-in geo-disaster recovery feature, when enabled, ensures that the entire configuration of anamespace (Event Hubs, Consumer Groups and settings) is continuously replicated from a primary namespace to a secondary 
namespace, and it allows a once-only failover move from the primary to the secondary at any time. Active/Passive feature is designed to make it easier to recover from and abandon a failed Azure region without having to change application configurations", + "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", + "service": "Event Hubs", "services": [ - "Cost", - "Storage", - "ASR" + "ASR", + "WAF", + "EventHubs" ], - "severity": "Medium", - "subcategory": "Storage", - "text": "For ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput allow it", - "waf": "Cost" + "severity": "High", + "text": "Plan for Geo Disaster Recovery using Active Passive configuration", + "waf": "Reliability" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", - "service": "Storage", + "checklist": "WAF checklist", + "description": "Should be used for DR configurations where an outage or loss of event data in the downed region cannot be tolerated. For these cases, follow the replication guidance and do not use the built-in geo-disaster recovery capability (active/passive). 
With Active/Active, Maintain multiple Event Hubs in different regions and namespaces, and events will be replicated between the hubs", + "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", + "service": "Event Hubs", "services": [ - "Cost", - "Storage" + "EventHubs", + "ASR", + "WAF" ], "severity": "Medium", - "subcategory": "storage", - "text": "Storage accounts: check hot tier and/or GRS necessary", - "waf": "Cost" + "text": "For Business Critical Applications, use Active Active configuration", + "waf": "Reliability" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "VM", + "checklist": "WAF checklist", + "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", + "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", + "service": "Event Hubs", "services": [ - "Cost", - "Storage" + "EventHubs", + "WAF" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Disks - validate use of Premium SSD disks everywhere: for example, non-prod could swap to Standard SSD or on-demand Premium SSD ", - "waf": "Cost" + "text": "Design Resilient Event Hubs", + "waf": "Reliability" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "Synapse", + "checklist": "WAF checklist", + "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", + "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", + "service": "Entra", "services": [ - "EventHubs", - "Cost", - "Monitor" + "Entra", + "WAF" ], "severity": "Medium", - "subcategory": "Synapse", - "text": "Create budgets to manage costs and 
create alerts that automatically notify stakeholders of spending anomalies and overspending risks.", - "waf": "Cost" + "text": "Use long-live revocable token, cache your token and acquire your silently using Microsoft Identity Library", + "waf": "Reliability" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "Synapse", + "checklist": "WAF checklist", + "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", + "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", + "service": "AAD B2C", "services": [ - "Cost", - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Synapse", - "text": "Export cost data to a storage account for additional data analysis.", - "waf": "Cost" + "text": "Make sure that your sign-in user flows are backed up and resilient. Make sure that the code that you use to sign-in your users are backed up and recoverable. 
Resilient interfaces with external processes", + "waf": "Reliability" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Synapse", + "checklist": "WAF checklist", + "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", + "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", + "service": "AAD B2C", "services": [ - "Cost", - "SQL" + "WAF" ], "severity": "Medium", - "subcategory": "Synapse", - "text": "Control costs for a dedicated SQL pool by pausing the resource when it is not in use.", - "waf": "Cost" + "text": "Custom brand assets should be hosted on a CDN", + "waf": "Performance" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", - "service": "Synapse", + "checklist": "WAF checklist", + "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", + "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", + "service": "AAD B2C", "services": [ - "Cost" + "WAF" ], - "severity": "Medium", - "subcategory": "Synapse", - "text": "Enable the serverless Apache Spark automatic pause feature and set your timeout value accordingly.", - "waf": "Cost" + "severity": "Low", + "text": "Have multiple identiy providers (i.e., login with your microsoft, google, facebook accounts)", + "waf": "Reliability" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Synapse", + "checklist": "WAF checklist", + "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", + 
"link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "services": [ - "Cost" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Synapse", - "text": "Create multiple Apache Spark pool definitions of various sizes.", - "waf": "Cost" + "text": "Follow VM rules for high availability on the VM level (premium disks, two or more in a region, in different availability zones)", + "waf": "Reliability" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", - "service": "Synapse", + "checklist": "WAF checklist", + "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "services": [ - "Cost" + "WAF" ], "severity": "Medium", - "subcategory": "Synapse", - "text": "Purchase Azure Synapse commit units (SCU) for one year with a pre-purchase plan to save on your Azure Synapse Analytics costs.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "text": "Don't replicate! 
Replication can create issues with directory synchronization", + "waf": "Reliability" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "VM", + "checklist": "WAF checklist", + "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "services": [ - "Cost", - "VM" + "WAF" ], "severity": "Medium", - "subcategory": "VM", - "text": "Use Spot VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "text": "Have active-active for multi-regions", + "waf": "Reliability" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "544451e1-92d3-4442-a3c7-628637a551c5", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", + "checklist": "WAF checklist", + "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "services": [ - "Cost", - "VM" + "Entra", + "WAF" ], "severity": "Medium", - "subcategory": "VM", - "text": "Right-sizing all VMs", - "waf": "Cost" + "text": "Add Azure AD Domain service stamps to additional regions and locations", + "waf": "Reliability" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "VM", + "checklist": "WAF checklist", + "guid": 
"f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "services": [ - "Cost", - "VM" + "WAF" ], "severity": "Medium", - "subcategory": "VM", - "text": "Swap VM sized with normalized and most recent sizes", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "text": "Use Replica Sets for DR", + "waf": "Reliability" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", + "checklist": "WAF checklist", + "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", + "service": "IoT", "services": [ - "Cost", - "VM", - "Monitor" + "WAF" ], - "severity": "Medium", - "subcategory": "VM", - "text": "right-sizing VMs - start with monitoring usage below 5% and then work up to 40%", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "severity": "High", + "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled)", + "waf": "Reliability" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", + "checklist": "WAF checklist", + "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", "services": [ - "Cost", - "VM" + "WAF" ], "severity": "Medium", - "subcategory": "VM", - "text": "Containerizing an application can improve VM density and save money on scaling it", - "training": 
"https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Cost" + "text": "Be aware of Microsoft-initiated failovers. These are exercised by Microsoft in rare situations to fail over all the IoT hubs from an affected region to the corresponding geo-paired region.", + "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "PostgreSQL Review Checklist", - "guid": "65285269-441c-44bf-9d3e-0844276d4bdc", - "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview", - "service": "PostgreSQL", + "checklist": "WAF checklist", + "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", + "service": "IoT", "services": [ - "SQL" + "WAF" ], - "severity": "Medium", - "subcategory": "Best Practices", - "text": "Leverage Flexible Server", + "severity": "High", + "text": "Consider a Cross-Region DR strategy for critical workloads", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "PostgreSQL Review Checklist", - "guid": "016ccf31-ae5a-41eb-9888-9535e227896d", - "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview#architecture-and-high-availability", - "service": "PostgreSQL", + "checklist": "WAF checklist", + "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", "services": [ - "SQL" + "WAF" ], "severity": "High", - "subcategory": "Best Practices", - "text": "Leverage Availability Zones where regionally applicable", + "text": "Learn how to trigger a manual failover.", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "PostgreSQL Review Checklist", - "guid": "31b67c67-be59-4519-8083-845d587cb391", - "link": "https://learn.microsoft.com/azure/postgresql/single-server/concepts-business-continuity#cross-region-read-replicas", - "service": 
"PostgreSQL", + "checklist": "WAF checklist", + "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", + "service": "IoT", "services": [ - "SQL" + "WAF" ], - "severity": "Medium", - "subcategory": "Best Practices", - "text": "Leverage cross-region read replicas for BCDR", + "severity": "High", + "text": "Learn how to fail back after a failover.", "waf": "Reliability" }, { - "category": "Application Deployment", - "checklist": "The AKS Checklist", - "guid": "785c2fa5-5b56-4ad4-a408-fe72734c476b", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/containers/aks/secure-baseline-aks", + "checklist": "WAF checklist", + "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "services": [ - "AKS" + "AKV", + "WAF", + "Backup" ], - "severity": "Medium", - "subcategory": "Development", - "text": "Use canary or blue/green deployments", - "waf": "Operations" + "severity": "High", + "text": "Familiarize yourself with the Key Vault's best practices such as isolation recommendations, access control, data protection, backup, and logging.", + "waf": "Reliability" }, { - "category": "Application Deployment", - "checklist": "The AKS Checklist", - "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", - "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Key Vault", "services": [ - "AKS" + "ACR", + "AKV", + "WAF" ], - "severity": "Low", - "subcategory": "Development", - "text": "If required for AKS Windows workloads HostProcess containers can be used", + "severity": "Medium", + "text": "Key Vault is a managed service and Microsoft will handle the failover within and across 
region. Familiarize yourself with the Key Vault's availability and redundancy.", "waf": "Reliability" }, { - "category": "Application Deployment", - "checklist": "The AKS Checklist", - "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", - "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", + "service": "Key Vault", "services": [ - "AKS" + "AKV", + "WAF" ], - "severity": "Low", - "subcategory": "Development", - "text": "Use KEDA if running event-driven workloads", - "waf": "Performance" + "severity": "Medium", + "text": "The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets. Familiarize yourself with the Key Vault's data replication.", + "waf": "Reliability" }, { - "category": "Application Deployment", - "checklist": "The AKS Checklist", - "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", - "link": "https://dapr.io/", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", + "service": "Key Vault", "services": [ - "AKS" + "AKV", + "AzurePolicy", + "WAF" ], - "severity": "Low", - "subcategory": "Development", - "text": "Use Dapr to ease microservice development", - "waf": "Operations" + "severity": "Medium", + "text": "During failover, access policy or firewall configurations and settings can't be changed. The key vault will be in read-only mode during failover. 
Familiarize yourself with the Key Vault's failover guidance.", + "waf": "Reliability" }, { - "category": "Application Deployment", - "checklist": "The AKS Checklist", - "guid": "3acbe04b-be20-49d3-afda-47778424d116", - "link": "https://learn.microsoft.com/azure/developer/terraform/create-k8s-cluster-with-tf-and-aks", + "checklist": "WAF checklist", + "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", + "service": "Key Vault", "services": [ - "AKS" + "Storage", + "Subscriptions", + "Backup", + "AKV", + "WAF" ], "severity": "Medium", - "subcategory": "Infrastructure as Code", - "text": "Use automation through ARM/TF to create your Azure resources", - "waf": "Operations" + "text": "When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob can't be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography. 
Familiarize yourself with the Key Vault's backup and restore guidance.", + "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "The AKS Checklist", - "guid": "36cb45e5-7960-4332-9bdf-8cc23318da61", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery", + "checklist": "WAF checklist", + "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "Key Vault", "services": [ - "AKS", - "ASR" + "AKV", + "WAF" ], "severity": "High", - "subcategory": "Disaster Recovery", - "text": "Schedule and perform DR tests regularly", + "text": "If you want protection against accidental or malicious deletion of your secrets, configure soft-delete and purge protection features on your key vault.", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "The AKS Checklist", - "guid": "170265f4-bb46-4a39-9af7-f317284797b1", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", + "checklist": "WAF checklist", + "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "Key Vault", "services": [ - "AKS", - "FrontDoor", - "LoadBalancer", - "TrafficManager" + "AKV", + "WAF" ], - "severity": "Medium", - "subcategory": "High Availability", - "text": "Use Azure Traffic Manager or Azure Front Door as a global load balancer for region failover", + "severity": "Low", + "text": "Key Vault's soft-deleted resources are retained for a set period of 90 calendar days. 
Familiarize yourself with the Key Vault's soft-delete guidance.", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "The AKS Checklist", - "graph": "resources | where type=='microsoft.containerservice/managedclusters' | extend compliant= isnotnull(properties.agentPoolProfiles[0].availabilityZones) | distinct id,compliant", - "guid": "578a219a-46be-4b54-9350-24922634292b", - "link": "https://learn.microsoft.com/azure/aks/availability-zones", + "checklist": "WAF checklist", + "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", + "service": "Key Vault", "services": [ - "AKS" + "AKV", + "WAF", + "Backup" ], - "severity": "Medium", - "subcategory": "High Availability", - "text": "Use Availability Zones if they are supported in your Azure region", + "severity": "Low", + "text": "Understand Key Vault's backup limitations. Key Vault does not support the ability to backup more than 500 past versions of a key, secret, or certificate object. Attempting to backup a key, secret, or certificate object may result in an error. 
It is not possible to delete previous versions of a key, secret, or certificate.", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "The AKS Checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", - "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", - "link": "https://learn.microsoft.com/azure/aks/uptime-sla", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", + "service": "Key Vault", "services": [ - "AKS" + "AKV", + "WAF", + "Backup" ], - "severity": "High", - "subcategory": "High Availability", - "text": "Use the SLA-backed AKS offering", + "severity": "Low", + "text": "Key Vault doesn't currently provide a way to back up an entire key vault in a single operation and keys, secrets and certitificates must be backup indvidually. Familiarize yourself with the Key Vault's backup and restore guidance.", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "The AKS Checklist", - "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection", + "service": "Key Vault", "services": [ - "AKS", - "Cost" + "EventHubs", + "AKV", + "WAF" ], - "severity": "Low", - "subcategory": "High Availability", - "text": "Use Disruption Budgets in your pod and deployment definitions", + "severity": "Medium", + "text": "Purge protection is recommended when using keys for encryption to prevent data loss. Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. 
It can be turned on via CLI, PowerShell or Portal.",
 "waf": "Reliability"
 },
 {
- "category": "BC and DR",
- "checklist": "The AKS Checklist",
- "guid": "3c763963-7a55-42d5-a15e-401955387e5c",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication",
- "service": "ACR",
+ "checklist": "WAF checklist",
+ "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d",
+ "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare",
+ "service": "Logic Apps",
 "services": [
- "AKS",
- "ACR"
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "High Availability",
- "text": "If using a private registry, configure region replication to store images in multiple regions",
+ "text": "Select the right Logic App hosting plan based on your business & SLO requirements",
 "waf": "Reliability"
 },
 {
- "category": "BC and DR",
- "checklist": "The AKS Checklist",
- "guid": "daa9a260-c3ea-4490-b077-5fc1f2a80cb0",
- "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support",
+ "checklist": "WAF checklist",
+ "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a",
+ "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
+ "service": "Logic Apps",
 "services": [
- "AKS",
- "ASR",
- "Storage"
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Disaster Recovery",
- "text": "Use Zone-Redundant Storage (ZRS) with stateful workloads",
+ "text": "Protect logic apps from region failures with zone redundancy and availability zones",
 "waf": "Reliability"
 },
 {
- "category": "BC and DR",
- "checklist": "The AKS Checklist",
- "guid": "bc14aea6-e65d-48d9-a3ad-c218e6436b06",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery",
+ "checklist": "WAF checklist",
+ "guid": "1cda768f-a206-445d-8234-56f6a6e7286e",
+ "link": 
"https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
+ "service": "Logic Apps",
 "services": [
- "AKS"
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Requirements",
- "text": "Define non-functional requirements such as SLAs, RTO (Recovery Time Objective) and RPO (Recovery Point Objective).",
+ "text": "Consider a Cross-Region DR strategy for critical workloads",
 "waf": "Reliability"
 },
 {
- "category": "Cost Governance",
- "checklist": "The AKS Checklist",
- "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34",
+ "link": "https://learn.microsoft.com/azure/app-service/environment/intro",
+ "service": "Logic Apps",
 "services": [
- "AKS",
- "Cost"
+ "WAF",
+ "AppSvc"
 ],
- "severity": "Low",
- "subcategory": "Cost",
- "text": "Use an external application such as kubecost to allocate costs to different users",
- "waf": "Cost"
+ "severity": "High",
+ "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
+ "waf": "Reliability"
 },
 {
- "category": "Cost Governance",
- "checklist": "The AKS Checklist",
- "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c",
- "link": "https://learn.microsoft.com/azure/aks/scale-down-mode",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501",
+ "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/",
+ "service": "Logic Apps",
 "services": [
- "AKS",
- "Cost"
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Cost",
- "text": "Use scale down mode to delete/deallocate nodes",
- "waf": "Cost"
+ "severity": "Medium",
+ "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard 
your Logic App code",
+ "waf": "Operations"
 },
 {
- "category": "Cost Governance",
- "checklist": "The AKS Checklist",
- "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc",
- "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7",
+ "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview",
+ "service": "Azure MySQL",
 "services": [
- "AKS",
- "Cost"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Cost",
- "text": "When required use multi-instance partitioning GPU on AKS Clusters",
- "waf": "Cost"
+ "text": "Leverage Flexible Server",
+ "waf": "Reliability"
 },
 {
- "category": "Cost Governance",
- "checklist": "The AKS Checklist",
- "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8",
- "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b",
+ "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones",
+ "service": "Azure MySQL",
 "services": [
- "AKS",
- "Cost"
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Cost",
- "text": "If running a Dev/Test cluster use NodePool Start/Stop",
- "waf": "Cost"
+ "severity": "High",
+ "text": "Leverage Availability Zones where regionally applicable",
+ "waf": "Reliability"
 },
 {
- "category": "Governance and Security",
- "checklist": "The AKS Checklist",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant",
- "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1",
- "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes",
- "service": "AKS",
- "services": [
- "AKS",
- "AzurePolicy"
- ],
- "severity": "Medium",
- "subcategory": 
"Compliance",
- "text": "Use Azure Policy for Kubernetes to ensure cluster compliance",
- "waf": "Security"
- },
- {
- "category": "Governance and Security",
- "checklist": "The AKS Checklist",
- "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)",
- "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4",
- "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "1e944a45-9c37-43e7-bd61-623b365a917e",
+ "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication",
+ "service": "Azure MySQL",
 "services": [
- "AKS"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Compliance",
- "text": "Separate applications from the control plane with user/system node pools",
- "waf": "Security"
+ "text": "Leverage Data-in replication for cross-region DR scenarios",
+ "waf": "Reliability"
 },
 {
- "category": "Governance and Security",
- "checklist": "The AKS Checklist",
- "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea",
- "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "f00a69de-7076-4734-a734-6e4552cad9e1",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates",
+ "service": "Front Door",
 "services": [
- "AKS"
+ "FrontDoor",
+ "AKV",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Compliance",
- "text": "Add taint to your system nodepool to make it dedicated",
- "waf": "Security"
+ "severity": "Medium",
+ "text": "If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. 
Reduce the risk of outages caused by manual certificate renewal",
+ "waf": "Operations"
 },
 {
- "category": "Governance and Security",
- "checklist": "The AKS Checklist",
- "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf",
- "link": "https://learn.microsoft.com/azure/container-registry/",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant",
+ "guid": "553585a6-abe0-11ed-afa1-0242ac120002",
+ "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2",
+ "service": "App Gateway",
 "services": [
- "AKS",
- "ACR"
+ "WAF",
+ "AppGW"
 ],
 "severity": "Medium",
- "subcategory": "Compliance",
- "text": "Use a private registry for your images, such as ACR",
+ "text": "Ensure you are using Application Gateway v2 SKU",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
 "waf": "Security"
 },
 {
- "category": "Governance and Security",
- "checklist": "The AKS Checklist",
- "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6",
- "link": "https://learn.microsoft.com/azure/security-center/container-security",
- "service": "ACR",
+ "checklist": "WAF checklist",
+ "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')",
+ "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
+ "service": "Load Balancer",
 "services": [
- "AKS"
+ "LoadBalancer",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Compliance",
- "text": "Scan your images for vulnerabilities",
+ "text": "Ensure you are using the Standard SKU for your Azure Load Balancers",
 "waf": "Security"
 },
 {
- "category": "Governance and Security",
- "checklist": "The AKS Checklist",
- "guid": "cc639637-a652-42ac-89e8-06965388e9de",
- "link": 
"https://learn.microsoft.com/azure/security-center/container-security",
+ "checklist": "WAF checklist",
+ "guid": "9432621a-8397-4654-a882-5bc856b7ef83",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones",
+ "service": "Load Balancer",
 "services": [
- "AKS",
- "Defender"
+ "LoadBalancer",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Compliance",
- "text": "Use Azure Security Center to detect security posture vulnerabilities",
+ "text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).",
 "waf": "Security"
 },
 {
- "category": "Governance and Security",
- "checklist": "The AKS Checklist",
- "guid": "42d4aefe-2383-470e-b019-c30df24996b2",
- "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool",
+ "checklist": "WAF checklist",
+ "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant",
+ "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15",
+ "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet",
+ "service": "App Gateway",
 "services": [
- "AKS"
+ "VNet",
+ "WAF",
+ "AppGW"
 ],
- "severity": "Low",
- "subcategory": "Compliance",
- "text": "If required configure FIPS",
+ "severity": "Medium", 
+ "text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
 "waf": "Security"
 },
 {
- "category": "Governance and Security",
- "checklist": "The AKS Checklist",
- "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "description": "Administration of reverse proxies in general and WAF in particular is closer to the application than to networking, so they belong in the same subscription as the app. Centralizing the Application Gateway and WAF in the connectivity subscription might be OK if it is managed by one single team.",
+ "guid": "48b662d6-d15f-4512-a654-98f6dfe237de",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "App Gateway",
 "services": [
- "AKS"
+ "VNet",
+ "Entra",
+ "Subscriptions",
+ "WAF",
+ "NVA",
+ "AppGW"
 ],
- "severity": "High",
- "subcategory": "Compliance",
- "text": "Define app separation requirements (namespace/nodepool/cluster)",
+ "severity": "Medium",
+ "text": "Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound HTTP(S) connections within the landing-zone virtual network and with the apps that they're securing.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
 "waf": "Security"
 },
 {
- "category": "Governance and Security",
- "checklist": "The AKS Checklist",
- "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e",
- "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "App Gateway",
 "services": [
- "AKS",
- "AKV"
+ "DDoS",
+ "WAF"
 ], 
"severity": "Medium",
- "subcategory": "Secrets",
- "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver",
+ "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "Security"
 },
 {
- "category": "Governance and Security",
- "checklist": "The AKS Checklist",
- "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66",
- "link": "https://learn.microsoft.com/azure/aks/update-credentials",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant",
+ "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0",
+ "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant",
+ "service": "App Gateway",
 "services": [
- "AKS",
- "AKV"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Secrets",
- "text": "If using Service Principals for the cluster, refresh credentials periodically (like quarterly)",
- "waf": "Security"
+ "severity": "Medium",
+ "text": "Configure autoscaling with a minimum amount of instances of two.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Reliability"
 },
 {
- "category": "Governance and Security",
- "checklist": "The AKS Checklist",
- "guid": "e7ba73a3-0508-4f80-806f-527db30cee96",
- "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant",
+ "guid": "060c6964-52b5-48db-af8b-83e4b2d85349",
+ "link": 
"https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2",
+ "service": "App Gateway",
 "services": [
- "AKS",
- "AKV"
+ "ACR",
+ "WAF",
+ "AppGW"
 ],
 "severity": "Medium",
- "subcategory": "Secrets",
- "text": "If required add Key Management Service etcd encryption",
- "waf": "Security"
+ "text": "Deploy Application Gateway across Availability Zones",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Reliability"
 },
 {
- "category": "Governance and Security",
- "checklist": "The AKS Checklist",
- "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31",
- "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "Front Door",
 "services": [
- "AKS",
- "AKV"
+ "FrontDoor",
+ "AzurePolicy",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Secrets",
- "text": "If required consider using Confidential Compute for AKS",
+ "severity": "Medium",
+ "text": "Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span multiple Azure regions.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "Security"
 },
 {
- "category": "Governance and Security",
- "checklist": "The AKS Checklist",
- "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "3f29812b-2363-4cef-b179-b599de0d5973",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "service": "Front Door",
 "services": [
- "AKS",
- "Defender",
- "AKV"
+ "FrontDoor",
+ "AzurePolicy",
+ "WAF",
+ "AppGW"
 ],
 "severity": "Medium",
- "subcategory": "Secrets",
- "text": "Consider 
using Defender for Containers",
+ "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. Lock down Application Gateway to receive traffic only from Front Door.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "Security"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "The AKS Checklist",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant",
- "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a",
- "link": "https://learn.microsoft.com/azure/aks/use-managed-identity",
- "service": "AKS",
+ "ammp": true,
+ "arm-service": "microsoft.network/trafficManagerProfiles",
+ "checklist": "WAF checklist",
+ "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "Traffic Manager",
 "services": [
- "AKS",
- "Entra"
+ "TrafficManager",
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Identity",
- "text": "Use managed identities instead of Service Principals",
- "waf": "Security"
+ "text": "Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Reliability"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "The AKS Checklist",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant",
- "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4",
- "link": "https://learn.microsoft.com/azure/aks/managed-aad",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
+ 
"service": "Entra",
 "services": [
- "AKS",
- "Entra"
+ "Entra",
+ "WAF",
+ "AVD"
 ],
- "severity": "Medium",
- "subcategory": "Identity",
- "text": "Integrate authentication with AAD (using the managed integration)",
+ "severity": "Low",
+ "text": "If users only need access to internal applications, has Microsoft Entra ID Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?",
+ "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
 "waf": "Security"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "The AKS Checklist",
- "guid": "a2fe27b2-e287-401a-8352-beedf79b488d",
- "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
+ "service": "Entra",
 "services": [
- "AKS",
- "Entra"
+ "Entra",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Identity",
- "text": "Limit access to admin kubeconfig (get-credentials --admin)",
+ "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
 "waf": "Security"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "The AKS Checklist",
- "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3",
- "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac",
- "service": "AKS",
+ "ammp": true,
+ "checklist": "WAF checklist",
+ "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, 
enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode",
+ "guid": "ae248989-b306-4591-9186-de482e3f0f0e",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
+ "service": "Front Door",
 "services": [
- "AKS",
- "Entra",
- "RBAC"
+ "FrontDoor",
+ "AzurePolicy",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Identity",
- "text": "Integrate authorization with AAD RBAC",
+ "severity": "High",
+ "text": "Deploy your WAF policy for Front Door in 'Prevention' mode.",
 "waf": "Security"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "The AKS Checklist",
- "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity",
- "service": "AKS",
+ "ammp": true,
+ "checklist": "WAF checklist",
+ "guid": "062d5839-4d36-402f-bfa4-02811eb936e9",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door",
+ "service": "Front Door",
 "services": [
- "AKS",
- "Entra",
- "RBAC"
+ "TrafficManager",
+ "FrontDoor",
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Identity",
- "text": "Use namespaces for restricting RBAC privilege in Kubernetes",
+ "text": "Avoid combining Azure Traffic Manager and Azure Front Door.",
 "waf": "Security"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "The AKS Checklist",
- "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410",
- "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar",
- "service": "AKS",
+ "ammp": true,
+ "checklist": "WAF checklist",
+ "guid": 
"5efeb96a-003f-4b18-8fcd-b4d84459c2b2",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin",
+ "service": "Front Door",
 "services": [
- "AKS",
- "Entra"
+ "FrontDoor",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Identity",
- "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)",
+ "severity": "High",
+ "text": "Use the same domain name on Azure Front Door and your origin. Mismatched host names can cause subtle bugs.",
 "waf": "Security"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "The AKS Checklist",
- "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3",
- "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant",
+ "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group",
+ "service": "Front Door",
 "services": [
- "AKS",
- "Entra"
+ "FrontDoor",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Identity",
- "text": "For AKS non-interactive logins use kubelogin (preview)",
- "waf": "Security"
+ "severity": "Low",
+ "text": "Disable health probes when there is 
only one origin in an Azure Front Door origin group.",
+ "waf": "Performance"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "The AKS Checklist",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant",
- "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec",
- "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints",
+ "service": "Front Door",
 "services": [
- "AKS",
- "Entra"
+ "FrontDoor",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Identity",
- "text": "Disable AKS local accounts",
- "waf": "Security"
+ "text": "Select good health probe endpoints for Azure Front Door. Consider building health endpoints that check all of your application's dependencies.",
+ "waf": "Reliability"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "The AKS Checklist",
- "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6",
- "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId",
+ "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes",
+ "service": "Front Door",
 "services": [
- "AKS",
- "Entra"
+ "FrontDoor",
+ "WAF"
 ],
 "severity": "Low",
- "subcategory": "Identity",
- "text": 
"Configure if required Just-in-time cluster access",
- "waf": "Security"
+ "text": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application.",
+ "waf": "Performance"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "The AKS Checklist",
- "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150",
- "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks",
- "service": "AKS",
+ "ammp": true,
+ "checklist": "WAF checklist",
+ "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant",
+ "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75",
+ "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity",
+ "service": "Load Balancer",
 "services": [
- "AKS",
- "Entra"
+ "LoadBalancer",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Identity",
- "text": "Configure if required AAD conditional access for AKS",
- "waf": "Security"
+ "severity": "High",
+ "text": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability",
+ "waf": "Reliability"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "The AKS Checklist",
- "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3",
- "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts",
- "service": "AKS",
+ "ammp": true,
+ "checklist": "WAF checklist",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId",
+ "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d",
+ "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates",
+ "service": "Front Door",
 "services": [
- "AKS",
- "Entra"
+ "FrontDoor",
+ "AKV",
+ "WAF",
+ "Cost"
 ],
- "severity": "Low",
- "subcategory": "Identity",
- "text": "If required for Windows AKS workloads configure gMSA ",
- "waf": "Security"
+ "severity": "High",
+ "text": "Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals.",
+ "waf": "Operations"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "The AKS Checklist",
- "guid": "1f711a74-3672-470b-b8b8-a2148d640d79",
- "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code",
+ "service": "Front Door",
 "services": [
- "AKS",
- "Entra"
+ "FrontDoor",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Identity",
- "text": "For finer control consider using a managed Kubelet Identity",
- "waf": "Security"
+ "text": "Define your Azure Front Door WAF configuration as code. 
By using code, you can more easily adopt new rule set version and gain additional protection.",
+ "waf": "Operations"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "The AKS Checklist",
- "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248",
- "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/",
- "service": "AKS",
+ "ammp": true,
+ "checklist": "WAF checklist",
+ "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls",
+ "service": "Front Door",
 "services": [
- "AKS",
- "AppGW",
- "ACR"
+ "FrontDoor",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Best practices",
- "text": "If using AGIC, do not share an AppGW across clusters",
- "waf": "Reliability"
+ "severity": "High",
+ "text": "Use end-to-end TLS with Azure Front Door. Use TLS for connections from your clients to Front Door, and from Front Door to your origin.",
+ "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "The AKS Checklist",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant",
- "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d",
- "link": "https://learn.microsoft.com/azure/aks/http-application-routing",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection",
+ "service": "Front Door",
 "services": [
- "AKS"
- ],
- "severity": "High",
- "subcategory": "Best practices",
- "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.",
- "waf": "Reliability"
- },
- {
- "category": "Network Topology and Connectivity",
- "checklist": 
"The AKS Checklist", - "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", - "service": "AKS", - "services": [ - "AKS" - ], - "severity": "Medium", - "subcategory": "Best practices", - "text": "For Windows workloads use Accelerated Networking", - "waf": "Performance" - }, - { - "category": "Network Topology and Connectivity", - "checklist": "The AKS Checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", - "guid": "ba7da7be-9952-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", - "services": [ - "AKS", - "LoadBalancer" - ], - "severity": "High", - "subcategory": "Best practices", - "text": "Use the standard ALB (as opposed to the basic one)", - "waf": "Reliability" - }, - { - "category": "Network Topology and Connectivity", - "checklist": "The AKS Checklist", - "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", - "service": "AKS", - "services": [ - "AKS", - "VNet" + "FrontDoor", + "WAF" ], "severity": "Medium", - "subcategory": "Best practices", - "text": "If using Azure CNI, consider using different Subnets for NodePools", + "text": "Use HTTP to HTTPS redirection with Azure Front Door. 
Support older clients by redirecting them to an HTTPS request automatically.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "The AKS Checklist", - "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", - "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", - "service": "AKS", + "ammp": true, + "checklist": "WAF checklist", + "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", + "service": "Front Door", "services": [ - "AKS", - "Cost", - "PrivateLink", - "VNet" + "FrontDoor", + "WAF" ], - "severity": "Medium", - "subcategory": "Cost", - "text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster", + "severity": "High", + "text": "Enable the Azure Front Door WAF. Protect your application from a range of attacks.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "The AKS Checklist", - "guid": "e8a03f97-8794-468d-96a7-86d60f96c97b", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "services": [ - "AKS", - "VPN" - ], - "severity": "Medium", - "subcategory": "HA", - "text": "If hybrid connectivity is required, use 2xER or ER+VPN for better availability", - "waf": "Reliability" - }, - { - "category": "Network Topology and Connectivity", - "checklist": "The AKS Checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", - "guid": "a0f61565-9de5-458f-a372-49c831112dbd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "ammp": true, + "checklist": "WAF checklist", + "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", + "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", + "service": "Front Door", "services": [ - "AKS" + "FrontDoor", + "WAF" ], "severity": "High", - "subcategory": "IPAM", - "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)", - "waf": "Reliability" + "text": "Tune the Azure Front Door WAF for your workload. Reduce false positive detections.", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "The AKS Checklist", - "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "ammp": true, + "checklist": "WAF checklist", + "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "Front Door", "services": [ - "AKS", - "VNet" + "FrontDoor", + "AzurePolicy", + "WAF" ], "severity": "High", - "subcategory": "IPAM", - "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node", - "waf": "Performance" + "text": "Enable request body inspection feature enabled in Azure Front Door WAF policy.", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "The AKS Checklist", - "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "ammp": true, + "checklist": "WAF checklist", + "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", + "service": "Front Door", "services": [ - "AKS" + "FrontDoor", + "WAF" ], "severity": "High", - "subcategory": "IPAM", - "text": "If using Azure CNI, check the maximum pods/node (default 30)", - "waf": 
"Performance" - }, - { - "category": "Network Topology and Connectivity", - "checklist": "The AKS Checklist", - "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .", - "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", - "link": "https://learn.microsoft.com/azure/aks/internal-lb", - "service": "AKS", - "services": [ - "AKS", - "VNet" - ], - "severity": "Low", - "subcategory": "IPAM", - "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)", + "text": "Enable the Azure Front Door WAF default rule sets. The default rule sets detect and block common attacks.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "The AKS Checklist", - "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "ammp": true, + "checklist": "WAF checklist", + "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", + "service": "Front Door", "services": [ - "AKS" + "FrontDoor", + "WAF" ], "severity": "High", - "subcategory": "IPAM", - "text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)", - "waf": "Reliability" + "text": "Enable the Azure Front Door WAF bot protection rule set. 
The bot rules detect good and bad bots.", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "The AKS Checklist", - "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", - "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", + "service": "Front Door", "services": [ - "AKS" + "FrontDoor", + "WAF" ], - "severity": "Low", - "subcategory": "Operations", - "text": "If required add your own CNI plugin", + "severity": "Medium", + "text": "Use the latest Azure Front Door WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "The AKS Checklist", - "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "b9620385-1cde-418f-914b-a84a06982ffc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", + "service": "Front Door", "services": [ - "AKS" + "FrontDoor", + "WAF" ], - "severity": "Low", - "subcategory": "Operations", - "text": "If required configure Public IP per node in AKS", - "waf": "Performance" + "severity": "Medium", + "text": "Add rate limiting to the Azure Front Door WAF. 
Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "The AKS Checklist", - "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", - "link": "https://learn.microsoft.com/azure/aks/concepts-network", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", + "service": "Front Door", "services": [ - "AKS" + "FrontDoor", + "WAF" ], "severity": "Medium", - "subcategory": "Scalability", - "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services", - "waf": "Reliability" + "text": "Use a high threshold for Azure Front Door WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. 
", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "The AKS Checklist", - "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", - "link": "https://learn.microsoft.com/azure/aks/nat-gateway", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", + "service": "Front Door", "services": [ - "AKS" + "WAF" ], "severity": "Low", - "subcategory": "Scalability", - "text": "Use Azure NAT Gateway as outboundType for scaling egress traffic", - "waf": "Reliability" + "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "The AKS Checklist", - "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "00acd8a9-6975-414f-8491-2be6309893b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", + "service": "Front Door", "services": [ - "AKS" + "FrontDoor", + "WAF" ], "severity": "Medium", - "subcategory": "Scalability", - "text": "Use Dynamic allocations of IPs in order to avoid Azure CNI IP exhaustion", - "waf": "Reliability" + "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. 
Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "The AKS Checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", - "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", - "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", - "service": "AKS", + "ammp": true, + "checklist": "WAF checklist", + "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", + "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", + "service": "App Gateway", "services": [ - "AKS", - "NVA" + "WAF", + "AppGW" ], "severity": "High", - "subcategory": "Security", - "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it", + "text": "Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "The AKS Checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", - "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", - "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", - 
"service": "AKS", + "ammp": true, + "checklist": "WAF checklist", + "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "App Gateway", "services": [ - "AKS" + "AzurePolicy", + "WAF", + "AppGW" ], - "severity": "Medium", - "subcategory": "Security", - "text": "If using a public API endpoint, restrict the IP addresses that can access it", + "severity": "High", + "text": "Enable request body inspection feature enabled in Azure Application Gateway WAF policy.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "The AKS Checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", - "link": "https://learn.microsoft.com/azure/aks/private-clusters", - "service": "AKS", + "ammp": true, + "checklist": "WAF checklist", + "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", + "service": "App Gateway", "services": [ - "AKS" + "WAF", + "AppGW" ], "severity": "High", - "subcategory": "Security", - "text": "Use private clusters if your requirements mandate it", + "text": "Tune the Azure Application Gateway WAF for your workload. 
Reduce false positive detections.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "The AKS Checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", + "ammp": true, + "checklist": "WAF checklist", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "App Gateway", "services": [ - "AKS", - "AzurePolicy" + "AzurePolicy", + "WAF", + "AppGW" ], - "severity": "Medium", - "subcategory": "Security", - "text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ", + "severity": "High", + "text": "Deploy your WAF policy for Application Gateway in 'Prevention' mode.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "The AKS Checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", - "guid": 
"58d7c892-ddb1-407d-9769-ae669ca48e4a", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", + "service": "App Gateway", "services": [ - "AKS", - "AzurePolicy" + "WAF", + "AppGW" ], - "severity": "High", - "subcategory": "Security", - "text": "Enable a Kubernetes Network Policy option (Calico/Azure)", + "severity": "Medium", + "text": "Add rate limiting to the Azure Application Gateway WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "The AKS Checklist", - "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", + "service": "App Gateway", "services": [ - "AKS", - "AzurePolicy" + "WAF", + "AppGW" ], - "severity": "High", - "subcategory": "Security", - "text": "Use Kubernetes network policies to increase intra-cluster security", + "severity": "Medium", + "text": "Use a high threshold for Azure Application Gateway WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. 
", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "The AKS Checklist", - "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "99937189-ff78-492a-b9ca-18d828d82b37", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", + "service": "App Gateway", "services": [ - "AKS", "WAF" ], - "severity": "High", - "subcategory": "Security", - "text": "Use a WAF for web workloads (UIs or APIs)", + "severity": "Low", + "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "The AKS Checklist", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", - "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", + "service": "App Gateway", "services": [ - "AKS", - "VNet", - "DDoS" + "WAF", + "AppGW" ], "severity": 
"Medium", - "subcategory": "Security", - "text": "Use DDoS Standard in the AKS Virtual Network", + "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Application Gateway WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "The AKS Checklist", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", - "link": "https://learn.microsoft.com/azure/aks/http-proxy", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", + "service": "App Gateway", "services": [ - "AKS" + "WAF", + "AppGW" ], - "severity": "Low", - "subcategory": "Security", - "text": "If required add company HTTP Proxy", + "severity": "Medium", + "text": "Use the latest Azure Application Gateway WAF rule set version. 
Rule set updates are regularly updated to take account of the current threat landscape.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "The AKS Checklist", - "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", - "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "App Gateway", "services": [ - "AKS" + "WAF", + "AppGW" ], "severity": "Medium", - "subcategory": "Security", - "text": "Consider using a service mesh for advanced microservice communication management", - "waf": "Security" + "text": "Add diagnostic settings to save your Azure Application Gateway WAF logs.", + "waf": "Operations" }, { - "category": "Operations", - "checklist": "The AKS Checklist", - "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "Front Door", "services": [ - "AKS", - "Monitor" + "FrontDoor", + "WAF" ], - "severity": "High", - "subcategory": "Alerting", - "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)", + "severity": "Medium", + "text": "Add diagnostic settings to save your Azure Front Door WAF logs.", "waf": "Operations" }, { - "category": "Operations", - "checklist": "The AKS Checklist", - "guid": "337453a3-cc63-4963-9a65-22ac19e80696", - "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", - "service": "AKS", + "checklist": "WAF checklist", + 
"guid": "92664c60-47e3-4591-8b1b-8d557656e686", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", + "service": "App Gateway", "services": [ - "AKS", - "Entra" + "AppGW", + "WAF", + "Sentinel" ], - "severity": "Low", - "subcategory": "Compliance", - "text": "Check regularly Azure Advisor for recommendations on your cluster", + "severity": "Medium", + "text": "Send Azure Application Gateway WAF logs to Microsoft Sentinel.", "waf": "Operations" }, { - "category": "Operations", - "checklist": "The AKS Checklist", - "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", - "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "845f5f91-9c21-4674-a725-5ce890850e20", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "Front Door", "services": [ - "AKS" + "FrontDoor", + "WAF", + "Sentinel" ], - "severity": "Low", - "subcategory": "Compliance", - "text": "Enable AKS auto-certificate rotation", + "severity": "Medium", + "text": "Send Azure Front Door WAF logs to Microsoft Sentinel.", "waf": "Operations" }, { - "category": "Operations", - "checklist": "The AKS Checklist", - "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", - "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", + "service": "App Gateway", "services": [ - "AKS" + "WAF", + "AppGW" ], - "severity": "High", - "subcategory": "Compliance", - "text": "Have a regular process to upgrade your kubernetes version periodically (quarterly, for example), or use the AKS autoupgrade feature", + "severity": "Medium", + "text": "Define your 
Azure Application Gateway WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.", "waf": "Operations" }, { - "category": "Operations", - "checklist": "The AKS Checklist", - "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", - "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", + "service": "App Gateway", "services": [ - "AKS" + "AzurePolicy", + "WAF" ], - "severity": "High", - "subcategory": "Compliance", - "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade", + "severity": "Medium", + "text": "Use WAF Policies instead of the legacy WAF configuration.", "waf": "Operations" }, { - "category": "Operations", - "checklist": "The AKS Checklist", - "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", - "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", + "service": "App Gateway", "services": [ - "AKS" + "VNet", + "ExpressRoute", + "WAF", + "VPN", + "AppGW" ], - "severity": "High", - "subcategory": "Compliance", - "text": "Have a regular process to upgrade the cluster node images periodically (weekly, for example)", - "waf": "Operations" + "severity": "Medium", + "text": "Filter inbound traffic in the backends so that they only accept connections from the Application Gateway subnet, for example with NSGs.", + "waf": "Security" }, { - "category": "Operations", - "checklist": "The AKS Checklist", - "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", - 
"service": "AKS", + "checklist": "WAF checklist", + "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", + "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", + "service": "Front Door", "services": [ - "AKS" + "FrontDoor", + "WAF" ], - "severity": "Low", - "subcategory": "Compliance", - "text": "Consider gitops to deploy applications or cluster configuration to multiple clusters", - "waf": "Operations" + "severity": "Medium", + "text": "Make sure your origins only take traffic from your Azure Front Door instance.", + "waf": "Security" }, { - "category": "Operations", - "checklist": "The AKS Checklist", - "guid": "d7672c26-7602-4482-85a4-14527fbe855c", - "link": "https://learn.microsoft.com/azure/aks/command-invoke", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", + "service": "App Gateway", "services": [ - "AKS" + "WAF" ], - "severity": "Low", - "subcategory": "Compliance", - "text": "Consider using AKS command invoke on private clusters", - "waf": "Operations" + "severity": "High", + "text": "You should encrypt traffic to the backend servers.", + "waf": "Security" }, { - "category": "Operations", - "checklist": "The AKS Checklist", - "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", - "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", + "service": "App Gateway", "services": [ - "AKS" + "WAF" ], - "severity": "Low", - "subcategory": "Compliance", - "text": "For planned events consider using Node Auto Drain", - "waf": "Operations" + "severity": "High", + "text": "You should use a Web Application Firewall.", + "waf": "Security" }, { - "category": "Operations", - "checklist": "The AKS 
Checklist", - "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", - "link": "https://learn.microsoft.com/azure/aks/faq", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", + "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", + "service": "App Gateway", "services": [ - "AKS" + "WAF" ], - "severity": "High", - "subcategory": "Compliance", - "text": "Develop own governance practices to make sure no changes are performed by operators in the node RG (aka 'infra RG')", - "waf": "Operations" + "severity": "Medium", + "text": "Redirect HTTP to HTTPS", + "waf": "Security" }, { - "category": "Operations", - "checklist": "The AKS Checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", - "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", + "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", + "service": "App Gateway", "services": [ - "AKS" + "WAF" ], - "severity": "Low", - "subcategory": "Compliance", - "text": "Use custom Node RG (aka 'Infra RG') name", + "severity": "Medium", + "text": "Use gateway-managed cookies to direct traffic from a user session to the same server for processing", "waf": "Operations" }, { - "category": "Operations", - "checklist": "The AKS Checklist", - "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", - "link": "https://kubernetes.io/docs/setup/release/notes/", - "service": "AKS", + "checklist": "WAF checklist", + "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", + "service": "App Gateway", "services": [ - "AKS" + "WAF" ], - 
"severity": "Medium",
- "subcategory": "Compliance",
- "text": "Do not use deprecated Kubernetes APIs in your YAML manifests",
- "waf": "Operations"
+ "severity": "High",
+ "text": "Enable connection draining during planned service updates to prevent connection loss to existing membrs of the backend pool",
+ "waf": "Security"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed",
- "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5",
+ "link": "https://learn.microsoft.com/azure/application-gateway/custom-error",
+ "service": "App Gateway",
 "services": [
- "AKS"
+ "WAF"
 ],
 "severity": "Low",
- "subcategory": "Compliance",
- "text": "Taint Windows nodes",
+ "text": "Create custom error pages to display a personalized user experience",
 "waf": "Operations"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e",
- "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1",
+ "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url",
+ "service": "App Gateway",
 "services": [
- "AKS"
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Compliance",
- "text": "Keep windows containers patch level in sync with host patch level",
- "waf": "Operations"
+ "severity": "Medium",
+ "text": "Edit HTTP requests and response headers for easier routing and information exchange between the client and server",
+ "waf": "Security"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "description": "Via Diagnostic Settings at the cluster level",
- "guid": 
"5b56ad48-408f-4e72-934c-476ba280dcf5",
- "link": "https://learn.microsoft.com/azure/aks/monitor-aks",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1",
+ "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
+ "service": "App Gateway",
 "services": [
- "AKS",
- "Monitor"
+ "FrontDoor",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Compliance",
- "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution",
- "waf": "Operations"
+ "severity": "Medium",
+ "text": "Configure Front Door to optimize global web traffic routing and top-tier end-user performance, and reliability through quick global failover",
+ "waf": "Performance"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21",
- "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "29dcc19f-a8fa-4c35-8281-290577538793",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
+ "service": "App Gateway",
 "services": [
- "AKS"
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Compliance",
- "text": "If required use nodePool snapshots",
- "waf": "Cost"
+ "severity": "Medium",
+ "text": "Use transport layer load balancing",
+ "waf": "Performance"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0",
- "link": "https://learn.microsoft.com/azure/aks/spot-node-pool",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d",
+ "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview",
+ "service": "App Gateway",
 "services": [
- "AKS",
- "Cost"
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Cost",
- "text": "Consider spot node pools for non time-sensitive workloads",
- "waf": "Operations"
+ "severity": 
"Medium",
+ "text": "Configure routing based on host or domain name for multiple web applications on a single gateway",
+ "waf": "Security"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant",
- "guid": "c755562f-2b4e-4456-9b4d-874a748b662e",
- "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2",
+ "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal",
+ "service": "App Gateway",
 "services": [
- "AKS",
- "Cost"
+ "Entra",
+ "WAF"
+ ],
+ "severity": "Medium",
+ "text": "Centralize SSL certificate management to reduce encryption and decryption overhead from a backend server farm",
+ "waf": "Security"
+ },
+ {
+ "checklist": "WAF checklist",
+ "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9",
+ "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket",
+ "service": "App Gateway",
+ "services": [
+ "WAF",
+ "AppGW"
 ],
 "severity": "Low",
- "subcategory": "Cost",
- "text": "Consider AKS virtual node for quick bursting",
- "waf": "Operations"
+ "text": "Use Application Gateway for native support for WebSocket and HTTP/2 protocols",
+ "waf": "Security"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "65285269-441c-44bf-9d3e-0844276d4bdc",
+ "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview",
+ "service": "PostgreSQL",
 "services": [
- "AKS",
- "Monitor"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": 
"Monitoring",
- "text": "Monitor your cluster metrics with Container Insights (or other tools like Prometheus)",
- "waf": "Operations"
+ "severity": "Medium",
+ "text": "Leverage Flexible Server",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant",
- "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "016ccf31-ae5a-41eb-9888-9535e227896d",
+ "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview#architecture-and-high-availability",
+ "service": "PostgreSQL",
 "services": [
- "AKS",
- "Monitor"
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Monitoring",
- "text": "Store and analyze your cluster logs with Container Insights (or other tools like Telegraf/ElasticSearch)",
- "waf": "Operations"
+ "text": "Leverage Availability Zones where regionally applicable",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669",
- "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "31b67c67-be59-4519-8083-845d587cb391",
+ "link": "https://learn.microsoft.com/azure/postgresql/single-server/concepts-business-continuity#cross-region-read-replicas",
+ "service": "PostgreSQL",
 "services": [
- "AKS",
- "Monitor"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Monitoring",
- "text": "Monitor CPU and memory utilization of the nodes",
- "waf": "Operations"
+ "text": "Leverage cross-region read replicas for BCDR",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "guid": "1a4835ac-9422-423e-ae80-b123081a5417",
- "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "1fc2fc14-eea6-4e69-b8d9-a3edc218e687",
+ "link": "https://polite-sea-0995b240f.2.azurestaticapps.net/technical-delivery-playbook/azure-services/analytics/purview/",
+ "service": "Purview",
 "services": [
- "AKS",
- "Monitor"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Monitoring",
- "text": "If using Azure CNI, monitor % of pod IPs consumed per node",
- "waf": "Operations"
+ "text": "Leverage FTA Resillency Handbook",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "description": "I/O in the OS disk is a critical resource. If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady",
- "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b",
- "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "ab067acb-49e5-4b96-8332-4ecf8cc13318",
+ "link": "https://learn.microsoft.com/purview/disaster-recovery",
+ "service": "Purview",
 "services": [
- "AKS",
- "EventHubs",
- "Monitor",
- "ServiceBus",
- "Storage"
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Monitoring",
- "text": "Monitor OS disk queue depth in nodes",
- "waf": "Operations"
+ "severity": "High",
+ "text": "Plan for Data Center level outage",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "guid": "be209d39-fda4-4777-a424-d116785c2fa5",
- "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "description": "1. Create the new account 2. Migrate configuration items 3. Run scans 4. Migrate custom typedefs and custom assets 5. Migrate relationships 6. 
Migrate glossary terms 7. Assign classifications to assets 8. Assign contacts to assets",
+ "guid": "da611702-69f4-4fb4-aa3d-3ef7f3176c4b",
+ "link": "https://learn.microsoft.com/purview/disaster-recovery",
+ "service": "Purview",
 "services": [
- "AKS",
- "NVA",
- "LoadBalancer",
- "Monitor"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Monitoring",
- "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports",
- "waf": "Operations"
+ "text": "Practice Failover for BCDR",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9",
- "link": "https://learn.microsoft.com/azure/aks/aks-resource-health",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "97b15b8a-219a-44ab-bb57-879024d22678",
+ "link": "https://learn.microsoft.com/purview/disaster-recovery",
+ "service": "Purview",
 "services": [
- "AKS",
- "Monitor"
+ "Backup",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Monitoring",
- "text": "Subscribe to resource health notifications for your AKS cluster",
- "waf": "Operations"
+ "severity": "High",
+ "text": "Plan a backup strategy and take regular backups",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "6d20b56c-56a9-4581-89bf-8d8e5c586b7d",
+ "link": "https://learn.microsoft.com/purview/manage-kafka-dotnet",
+ "service": "Purview",
 "services": [
- "AKS"
+ "EventHubs",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Resources",
- "text": "Configure requests and limits in your pod specs",
- "waf": "Operations"
+ "severity": "Low",
+ "text": "Use Microsoft Purview's Event Hubs to subscribe and create entities to another account",
+ "waf": "Reliability"
 },
 {
- "category": 
"Operations",
- "checklist": "The AKS Checklist",
- "guid": "769ef669-1a48-435a-a942-223ece80b123",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "8cdc15ac-c075-4ee9-a130-a8889579e76b",
+ "link": "https://learn.microsoft.com/purview/deployment-best-practices",
+ "service": "Purview",
 "services": [
- "AKS"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Resources",
- "text": "Enforce resource quotas for namespaces",
- "waf": "Operations"
+ "text": "Follow Purview accounts architectures and deployment best practices",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "guid": "081a5417-4158-433e-a3ad-3c2de733165c",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "896e710a-7da7-4be9-a56d-14d3c49d997c",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-collections",
+ "service": "Purview",
 "services": [
- "AKS",
- "Subscriptions"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Resources",
- "text": "Ensure your subscription has enough quota to scale out your nodepools",
- "waf": "Operations"
+ "severity": "Medium",
+ "text": "Follow Collection Architectures and best practices",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65",
- "link": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "b3d1325a-a225-4c6f-9e06-85edddea8a4b",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-asset-lifecycle",
+ "service": "Purview",
 "services": [
- "AKS"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Resources",
- "text": "Configure Liveness and Readiness probes 
for all deployments",
- "waf": "Operations"
+ "severity": "Medium",
+ "text": "Follow Assest lifecycle best practices",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant",
- "guid": "90ce65de-8e13-4f9c-abd4-69266abca264",
- "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "7cdeb3c6-1fc2-4fc1-9eea-6e69d8d9a3ed",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-automation",
+ "service": "Purview",
 "services": [
- "AKS"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Scalability",
- "text": "Use the Cluster Autoscaler",
- "waf": "Performance"
+ "text": "Follow automation best practices",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant",
- "guid": "831c2872-c693-4b39-a887-a561bada49bc",
- "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "c218e687-ab06-47ac-a49e-5b9603324ecf",
+ "link": "https://learn.microsoft.com/purview/disaster-recovery",
+ "service": "Purview",
 "services": [
- "AKS"
+ "Backup",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Scalability",
- "text": "Customize node configuration for AKS node pools",
- "waf": "Performance"
+ "severity": "Medium",
+ "text": "Follow Backup and Migration Best practices",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121",
- "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": 
"8cc13318-da61-4170-869f-4fb4aa3d3ef7",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-glossary",
+ "service": "Purview",
 "services": [
- "AKS"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Scalability",
- "text": "Use the Horizontal Pod Autoscaler when required",
- "waf": "Performance"
+ "text": "Follow Purview Glossary Best Practices",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they will increase the blast radius and decrease the scaling granularity",
- "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3",
- "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "f3176c4b-97b1-45b8-a219-a4abeb578790",
+ "link": "https://learn.microsoft.com/purview/concept-workflow",
+ "service": "Purview",
 "services": [
- "AKS"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Scalability",
- "text": "Consider an appropriate node size, not too large or too small",
- "waf": "Performance"
+ "severity": "Low",
+ "text": "Leverage Workflows ",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d",
- "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "24d22678-6d20-4b56-a56a-958119bf8d8e",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-security",
+ "service": "Purview",
 "services": [
- "AKS"
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Scalability",
- "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster",
- "waf": "Performance"
+ "severity": "Medium",
+ "text": "Follow Purview Security Best Practices",
+ "waf": 
"Reliability"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb",
- "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "5c586b7d-8cdc-415a-ac07-5ee9b130a888",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-lineage-azure-data-factory",
+ "service": "Purview",
 "services": [
- "AKS"
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Scalability",
- "text": "Consider subscribing to EventGrid Events for AKS automation",
- "waf": "Performance"
+ "severity": "Medium",
+ "text": "Follow Purview Data Lineage Best Practices",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d",
- "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "9579e76b-896e-4710-a7da-7be9956d14d3",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-scanning",
+ "service": "Purview",
 "services": [
- "AKS"
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Scalability",
- "text": "For long running operation on an AKS cluster consider event termination",
- "waf": "Performance"
+ "severity": "Medium",
+ "text": "Follow Best Practices for Scanning Registered Sources",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021",
- "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "c49d997c-b3d1-4325-aa22-5c6f4e0685ed",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-classification",
+ "service": "Purview",
 "services": [
- "AKS"
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Scalability",
- "text": "If required consider using Azure Dedicated Hosts for AKS nodes",
- 
"waf": "Performance"
+ "severity": "Medium",
+ "text": "Follow Classification Best Practices in Governance Portal",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant",
- "guid": "24367b33-6971-45b1-952b-eee0b9b588de",
- "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "ddea8a4b-7cde-4b3c-91fc-2fc14eea6e69",
+ "link": "https://learn.microsoft.com/purview/sensitivity-labels-frequently-asked-questions",
+ "service": "Purview",
 "services": [
- "AKS",
- "Storage"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Storage",
- "text": "Use ephemeral OS disks",
- "waf": "Performance"
+ "severity": "Medium",
+ "text": "Perform Sensitivity Labelling in the Purview Data Map",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07",
- "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "d8d9a3ed-c218-4e68-9ab0-67acb49e5b96",
+ "link": "https://learn.microsoft.com/purview/concept-data-share",
+ "service": "Purview",
 "services": [
- "AKS",
- "Storage"
+ "Storage",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Storage",
- "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and will generate huge logs with default AKS log rotation thresholds",
- "waf": "Performance"
+ "severity": "Low",
+ "text": "Leverage Azure Storage in-place data sharing with Microsoft Purview",
+ "waf": "Reliability"
 },
 {
- 
"category": "Operations",
- "checklist": "The AKS Checklist",
- "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db",
- "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "03324ecf-8cc1-4331-ada6-1170269f4fb4",
+ "link": "https://learn.microsoft.com/purview/concept-insights",
+ "service": "Purview",
 "services": [
- "AKS",
- "Storage"
+ "WAF"
 ],
 "severity": "Low",
- "subcategory": "Storage",
- "text": "For hyper performance storage option use Ultra Disks on AKS",
- "waf": "Performance"
+ "text": "Leverage Data Estate Insights",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "guid": "9f7547c1-747d-4c56-868a-714435bd19dd",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "aa3d3ef7-f317-46c4-a97b-15b8a219a4ab",
+ "link": "https://learn.microsoft.com/purview/catalog-adoption-insights",
+ "service": "Purview",
 "services": [
- "AKS",
- "SQL",
- "Storage"
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Storage",
- "text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, etc)",
- "waf": "Performance"
+ "severity": "Low",
+ "text": "Use Data stewardship and Catalog adoption",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "guid": "24429eb7-2281-4376-85cc-57b4a4b18142",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "eb578790-24d2-4267-a6d2-0b56c56a9581",
+ "link": "https://learn.microsoft.com/purview/concept-insights",
+ "service": "Purview",
 "services": [
- "AKS",
- "Storage"
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Storage",
- "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance reasons",
- "waf": "Performance"
+ "severity": 
"Low",
+ "text": "Use Inventory and Ownership",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "The AKS Checklist",
- "guid": "83958a8c-2689-4b32-ab57-cfc64546135a",
- "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support",
- "service": "AKS",
+ "checklist": "WAF checklist",
+ "guid": "19bf8d8e-5c58-46b7-b8cd-c15acc075ee9",
+ "link": "https://learn.microsoft.com/purview/glossary-insights",
+ "service": "Purview",
 "services": [
- "AKS",
- "Storage"
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Storage",
- "text": "If using Azure Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right zone or use ZRS disk for nodepools spanning multiple zones",
- "waf": "Performance"
+ "severity": "Low",
+ "text": "Leverage Insights for Glossary, Classifications, Sensitivity Labels",
+ "waf": "Reliability"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "Azure Virtual Desktop Review",
- "description": "AVD control plane does not offer a financially backed service level agreement. We strive to attain at least 99.9% availability for the Azure Virtual Desktop service URLs. The availability of the session host virtual machines in your subscription is covered by the Virtual Machines SLA. 
Dependent resources/services and infrastructure availability must be also considered to properly satisfy global high-availability requirements.",
- "guid": "56c57ba5-9119-4bf8-b8f5-c586c7d9cdc1",
- "link": "https://azure.microsoft.com/support/legal/sla/virtual-desktop/v1_0/",
+ "checklist": "WAF checklist",
+ "guid": "b130a888-9579-4e76-a896-e710a7da7be9",
+ "link": "https://learn.microsoft.com/purview/compliance-manager",
+ "service": "Purview",
 "services": [
- "AVD",
- "VM",
- "Subscriptions",
- "ASR"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Compute",
- "text": "Determine the expected High Availability SLA for applications/desktops published through AVD",
+ "severity": "Medium",
+ "text": "Generate assessment scores",
 "waf": "Reliability"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "Azure Virtual Desktop Review",
- "description": "'Active-Active' model can be achieved with multiple host pools in different regions. A single Host Pool with VMs from different regions is not recommended. If multiple pools for same users will be used, the problem of how to synchronize/replicate user profiles must be solved. FSLogix Cloud Cache could be used, but need to be carefully reviewed and planned, or customers can decide to do not synchronize/replicate at all. 'Active-Passive' can be achieved using Azure Site Recovery (ASR) or on-demand Pool deployment with automated mechanism. 
For a detailed discussion on multi-region BCDR, please read the companion article in the 'More Info' column and this FSLogix related page: https://learn.microsoft.com/fslogix/concepts-container-recovery-business-continuity.",
- "guid": "6acc076e-f9b1-441a-a989-579e76b897e7",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/azure-virtual-desktop-multi-region-bcdr",
+ "checklist": "WAF checklist",
+ "guid": "956d14d3-c49d-4997-ab3d-1325aa225c6f",
+ "link": "https://learn.microsoft.com/purview/compliance-manager-scoring",
+ "service": "Purview",
 "services": [
- "AVD",
- "VM",
- "Storage",
- "ASR"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Compute",
- "text": "Assess Geo Disaster Recovery requirements for AVD Host Pools",
+ "text": "Profiling- get summaries of data content",
 "waf": "Reliability"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Before approaching Azure Virtual Desktop BCDR planning and design, it is important to initially consider which applications consumed through AVD are critical. 
You may want to separate them from non-critical apps and use a separate Host Pool with a different disaster recovery approach and capabilities.",
- "guid": "10a7da7b-e996-46e1-9d3c-4ada97cc3d13",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
+ "checklist": "WAF checklist",
+ "guid": "4e0685ed-ddea-48a4-a7cd-eb3c61fc2fc1",
+ "link": "https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts",
+ "service": "Purview",
 "services": [
- "AVD",
- "ASR"
+ "AzurePolicy",
+ "WAF"
 ],
 "severity": "Low",
- "subcategory": "Compute",
- "text": "Separate critical applications in different AVD Host Pools",
+ "text": "Follow Microsoft Purview Data Owner access policies",
 "waf": "Reliability"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Each Host Pool can be deployed using Availability Zones (AZ) or Availability Set (AS). To maximize resiliency, usage of AZ is recommended: at Host Pool creation time you can decide to spread Host Pool Session Hosts across all available AZ. Usage of AS will not protect from single datacenter failure, then should be used only in regions where AZ are not available. More details on AZ and AVD in the companion article. 
For a comparison between AZ and AS you can read here: https://learn.microsoft.com/azure/virtual-machines/availability.",
- "guid": "25ab225c-6f4e-4168-9fdd-dea8a4b7cdeb",
- "link": "https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/announcing-general-availability-of-support-for-azure/ba-p/3636262",
+ "checklist": "WAF checklist",
+ "guid": "4eea6e69-d8d9-4a3e-bc21-8e687ab067ac",
+ "link": "https://learn.microsoft.com/purview/concept-self-service-data-access-policy",
+ "service": "Purview",
 "services": [
- "AVD",
- "ACR",
- "ASR"
+ "AzurePolicy",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Compute",
- "text": "Plan the best resiliency option for AVD Host Pool deployment",
+ "severity": "Low",
+ "text": "Follow Self-service access policies",
 "waf": "Reliability"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Azure Backup can be used to protect Host Pool VMs. For Pooled Pools, this is not necessary since should be stateless. Instead, this option can be considered for Personal Host Pools.",
- "guid": "4c61fc3f-c14e-4ea6-b69e-8d9a3eec218e",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
+ "checklist": "WAF checklist",
+ "guid": "b49e5b96-0332-44ec-b8cc-13318da61170",
+ "link": "https://learn.microsoft.com/purview/concept-policies-devops",
+ "service": "Purview",
 "services": [
- "ASR",
- "AVD",
- "VM",
- "Backup"
+ "AzurePolicy",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Compute",
- "text": "Assess the requirement to backup AVD Session Host VMs",
+ "severity": "Low",
+ "text": "Follow DevOps policies",
 "waf": "Reliability"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Even for Personal Pools, usage of Availability Zones, when available, is recommended. 
Three possible in-region DR strategies are possible, it is recommended to select the best one based on cost, RTO/RPO, and if it is really necessary to save the entire VM OS disk: (1) create each session host in a specific zone (AZ) and then use Azure Site Recovery (ASR) to replicate to a different zone. (2) Use Azure Backup to backup and restore the specific session host in a different AZ. (3) Create a new session host in a different AZ and rely on FSLogix and/or OneDrive to make data and settings available on the new machine. All options require administrator intervention for DR and direct user assignment at Host Pool level, then must be planned and configured in advance.",
- "guid": "5da58639-ca3a-4961-890b-29663c5e10d",
- "link": "https://learn.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery",
+ "checklist": "WAF checklist",
+ "guid": "65285269-440b-44be-9d3e-0844276d4bdc",
+ "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy",
+ "service": "Redis",
 "services": [
- "AVD",
- "ASR",
- "Backup",
- "Cost",
- "VM"
+ "ACR",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Compute",
- "text": "Prepare a local DR strategy for Personal Host Pool Session Hosts",
+ "severity": "High",
+ "text": "Enable zone redundancy for Azure Cache for Redis. Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.",
 "waf": "Reliability"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "Azure Virtual Desktop Review",
- "description": "If custom images are used to deploy AVD Host Pool VMs, it is important to ensure those artifacts are available in all regions where AVD is deployed. 
Azure Compute Gallery service can be used to replicate images across all regions where a Host Pool is deployed, with redundant storage and in multiple copies. Please be aware that the Azure Compute Gallery service isn't a global resource. For disaster recovery scenarios, the best practice is to have at least two galleries, in different regions.", - "guid": "dd2e0d5d-771d-441e-9610-cc57b4a4a141", - "link": "https://learn.microsoft.com/azure/virtual-machines/azure-compute-gallery", + "checklist": "WAF checklist", + "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", + "service": "Redis", "services": [ - "AVD", - "ASR", "Storage", - "VM", - "ACR" + "WAF" ], - "severity": "Low", - "subcategory": "Dependencies", - "text": "Plan for Golden Image cross-region availability", + "severity": "Medium", + "text": "Configure data persistence for an Azure Cache for Redis instance. Because your cache data is stored in memory, a rare and unplanned failure of multiple nodes can cause all the data to be dropped. To avoid losing data completely, Redis persistence allows you to take periodic snapshots of in-memory data, and store it to your storage account.", "waf": "Reliability" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "If users of the AVD infrastructure need on-premises resource access, high availability of network infrastructure required to connect is also critical and should be considered. Resiliency of authentication infrastructure needs to be assessed and evaluated. 
BCDR aspects for dependent applications and other resources need to be considered to ensure availability in the secondary DR location.", - "guid": "fd339489-8c12-488b-9c6a-57cfb644451e", - "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", + "checklist": "WAF checklist", + "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", + "service": "Redis", "services": [ - "AVD", - "ASR" + "Storage", + "WAF" ], "severity": "Medium", - "subcategory": "Dependencies", - "text": "Assess Infrastructure & Application dependencies ", + "text": "Use Geo-redundant storage account to persist Azure Cache for Redis data, or zonally redundant where geo-redundancy is not available", "waf": "Reliability" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "Not all data inside FSLogix user profiles may deserve protection from disaster. Additionally, if external storage is used, for example OneDrive or File Servers/Shares, what is remaining in the FSLogix profile is minimal and could be lost in some extreme circumstances. In other cases, data inside the profile can be rebuilt from other storages (for example Outlook Inbox in cached mode).", - "guid": "687ab077-adb5-49e5-a960-3334fdf8cc23", - "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt", + "checklist": "WAF checklist", + "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", + "service": "Redis", "services": [ - "AVD", - "Storage", - "ASR" + "ASR", + "WAF" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Assess which data need to be protected in the Profile and Office Containers", + "text": "Configure passive geo-replication for Premium Azure Cache for Redis instances. 
Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for cross-region disaster recovery. Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.", "waf": "Reliability" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "Preventing data loss for critical user data is important, first step is to assess which data need to be saved and protected. If using OneDrive or other external storage, saving user Profile and/or Office Containers data maybe not necessary. Appropriate mechanism must be considered to provide protection for critical user data. Azure Backup service can be used to protect Profile and Office Containers data when stored on Azure Files Standard and Premium tiers. Azure NetApp Files Snapshots and Policies can be used for Azure NetApp Files (all tiers).", - "guid": "fc4972cc-3cd2-45bf-a707-6e9eab4bed32", - "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", + "checklist": "WAF checklist", + "description": "Automatic instance repairs ensure that unhealthy instances are promptly identified and replaced, maintaining a set of healthy instances within your scale set.", + "guid": "7e13c105-675c-41e9-95b4-59837ff7ae7c", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs", + "service": "VMSS", "services": [ - "ASR", - "AVD", - "Backup", - "AzurePolicy", - "Storage" + "VM", + "WAF" ], - "severity": "Medium", - "subcategory": "Storage", - "text": "Build a backup protection strategy for Profile and Office Containers", + "severity": "Low", + "text": "Enable automatic instance repairs for enhanced VM Scale Sets resiliency", "waf": "Reliability" }, { - 
"category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "In AVD, multiple replication mechanisms and strategies can be used for user data residing in FSLogix containers: [Profile Pattern #1]: Native Azure storage replication mechanisms, for example Azure Files Standard GRS replication, Azure NetApp Files Cross Region Replication. Use Zone Replicated Storage (ZRS) or Geo replicated storage (GRS) for Azure Files is recommended. LRS with local-only resiliency can be used if no zone/region protection is required. NOTE: Azure Files Share Standard is LRS/ZRS/GRS, but with 100TB large support enabled only LRS/ZRS are supported. [Profile Pattern #2]: FSLogix Cloud Cache is built in automatic mechanism to replicate containers between different (up to 4) storage accounts. Cloud Cache should be used only when:(1) User Profile or Office containers data availability required high-availability SLA is critical and need to be resilient to region failure. (2) Selected storage option is not able to satisfy BCDR requirements. For example, with Azure File Share Premium tier, or Azure File Share Standard with Large File Support enabled, GRS is not available. (3) When replication between disparate storage is required. 
[Profile Pattern #3]: Only set up geo disaster recovery for application data and not for user data/profile containers: store important application data in separate storages, like OneDrive or other external storage with its own built-in DR mechanism.", - "guid": "9f7547c1-746d-4c56-868a-714435bd09dd", - "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", + "checklist": "WAF checklist", + "description": "Ensure that Azure Backup is utilized appropriately to meet your organization's resiliency requirements for Azure virtual machines (VMs).", + "guid": "4d874a74-8b66-42d6-b150-512a66498f6d", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction", + "service": "VM", "services": [ - "AVD", - "Storage", - "ASR" + "VM", + "WAF", + "Backup" ], - "severity": "Medium", - "subcategory": "Storage", - "text": "Assess Profile Container storage replication requirements and resiliency for BCDR purpose", + "severity": "High", + "text": "Consider Azure Backup to meet your resiliency requirements for Azure VMs", "waf": "Reliability" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "For local disaster recovery, Azure Backup for Azure Files can be used. For cross-region geo disaster recovery: GRS for Azure Files is only available with standard SKU and no large share support, then not suitable in most customer scenarios. 
If geo-replication is required with Azure File Share Premium, replication with FSLogix Cloud Cache can be evaluated, or 'in-region' Availability Zone (AZ) only resiliency should be considered.", - "guid": "3d4f3537-c134-46dc-9602-7a71efe1bd05", - "link": "https://docs.microsoft.com/azure/backup/backup-afs", + "checklist": "WAF checklist", + "description": "Single Instance VMs using Premium SSD or Ultra Disk for all Operating System Disks and Data Disks are guaranteed to have Virtual Machine Connectivity of at least 99.9%", + "guid": "8052d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "VM", "services": [ - "Backup", - "AVD", - "Storage", - "ASR" + "VM", + "WAF" ], - "severity": "Medium", - "subcategory": "Storage", - "text": "Review Azure Files disaster recovery strategy", + "severity": "High", + "text": "Use Premium or Ultra disks for production VMs", "waf": "Reliability" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "Zone Redundant Storage will maximize in-region resiliency for the user profile data. ZRS is supported for premium file shares through the 'FileStorage' storage account kind. ZRS is supported in standard general-purpose v2 storage accounts. Usage of zone redundant storage must be paired with zone redundant deployment of Session Hosts in each Host Pool. 
", - "guid": "10d4e875-d502-4142-a795-f2b6eff34f88", - "link": "https://learn.microsoft.com/azure/storage/files/files-redundancy#zone-redundant-storage", + "checklist": "WAF checklist", + "description": "Azure automatically replicates managed disks within a region to ensure data durability and protect against single-point failures.", + "guid": "b31e38c3-f298-412b-8363-cffe179b599d", + "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview", + "service": "VM", "services": [ - "AVD", - "Storage", - "ASR" + "VM", + "WAF" ], "severity": "High", - "subcategory": "Storage", - "text": "Use Zone Redundant Storage (ZRS) for Azure Files to maximize resiliency", + "text": "Ensure Managed Disks are used for all VMs", "waf": "Reliability" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "For local disaster recovery, Azure NetApp Files (ANF) native backup is available. ANF is essentially locally redundant, then for cross-region geo disaster recovery it is necessary to use an additional mechanism that is Cross-Region Replication (CRR) https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering. Currently, ANF does not provide replication nor redundancy across different Availability Zones (AZ), only the possibility to select in which single AZ to place the ANF volume: https://learn.microsoft.com/azure/azure-netapp-files/manage-availability-zone-volume-placement.", - "guid": "23429db7-2281-4376-85cc-57b4a4b18142", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering", + "checklist": "WAF checklist", + "description": "Temporary disks are intended for short-term storage of non-persistent data such as page files, swap files, or SQL Server tempdb. 
Storing persistent data on temporary disks can lead to data loss during maintenance events or VM redeployment.", + "guid": "e0d5973c-d4ce-432c-8881-37f6f7c4c0d4", + "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk", + "service": "VM", "services": [ - "AVD", - "ASR", - "Backup", "Storage", - "ACR" + "VM", + "WAF", + "SQL" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Review Azure NetApp Files disaster recovery strategy", + "text": "Do not use the Temp disk for anything that is not acceptable to be lost", "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "Applications can be preinstalled in the golden image/s, can be attached using MSIX & AppAttach feature or distributed to the session hosts after host pool deployment using traditional software distribution methods.", - "guid": "86ba2802-1459-4014-95d3-8e5309ccbd97", - "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", + "checklist": "WAF checklist", + "description": "Co-locate your compute, storage, networking, and data resources across an availability zone, and replicate this arrangement in other availability zones.", + "guid": "e514548d-2447-4ec6-9138-b8200f1ce16e", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "VM", "services": [ - "AVD" + "Storage", + "ACR", + "VM", + "WAF" ], - "severity": "High", - "subcategory": "Golden Images", - "text": "Determine how applications will be deployed in AVD Host Pools", - "waf": "Operations" + "severity": "Medium", + "text": "Leverage Availability Zones for your VMs in regions where they are supported", + "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "Multiple golden images can be required to support different OS versions and/or settings, different groups of applications that must be separated and 
cannot be included in a single image.", - "guid": "9266bcca-274f-4aa1-abf3-9d95d44c7c89", - "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", + "checklist": "WAF checklist", + "description": "Use at least two VMs in Availability Sets to isolate VMs on different fault and update domains.", + "guid": "5a785d6f-e96c-496a-b884-4cf3b2b38c88", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "VM", "services": [ - "AVD" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Golden Images", - "text": "Estimate the number of golden images that will be required", - "waf": "Operations" + "text": "For regions that do not support Availability Zones deploy VMs into Availability Sets", + "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "Determine which Guest OS will be used to deploy each Host Pool: Windows 10 vs. Windows Server, Marketplace vs. Custom images", - "guid": "19ca1f6d-5315-4ae5-84ba-34d4585e2213", - "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#operating-systems-and-licenses", + "checklist": "WAF checklist", + "description": "Azure provides multiple options for VM redundancy to meet different requirements (Availability Zones, Virtual Machine Scale Sets, Availability Sets, Azure Site Recovery)", + "guid": "6ba2c021-4991-414a-9d3c-e574dccbd979", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "VM", "services": [ - "AVD" + "ASR", + "VM", + "WAF" ], - "severity": "Medium", - "subcategory": "Golden Images", - "text": "Determine which OS image/s you will use for Host Pool deployment", + "severity": "High", + "text": "Avoid running a production workload on a single VM", "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "Azure VM custom images can be created and stored in 
different ways: in an Azure Compute Gallery, as a managed image object or as a managed disk in the storage. The recommended way is to use Azure Compute Gallery.", - "guid": "5a2adb2c-3e23-426b-b225-ca44e1696fdd", - "link": "https://learn.microsoft.com/azure/virtual-machines/shared-image-galleries", + "checklist": "WAF checklist", + "description": "Azure Site Recovery enables you to achieve low RTO (Recovery Time Objective) for your Azure and hybrid VMs by providing continuous replication and failover capabilities.", + "guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "VM", "services": [ - "AVD", + "ASR", + "AVS", "VM", - "Storage" + "WAF" ], - "severity": "Low", - "subcategory": "Golden Images", - "text": "Select the proper store for custom images", + "severity": "High", + "text": "For Azure and on-premises VMs (Hyper-V/Phyiscal/VMware) with low RTO requirements use Azure Site Recovery", "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "If custom images will be used, plan for an automated build process. 
If no pre-existing software factory exists, consider using Custom Image Templates and/or Azure Image Builder to automate the build process.", - "guid": "9bd7bb01-2f7b-495e-86e1-54e2aa359282", - "link": "https://learn.microsoft.com/azure/virtual-desktop/create-custom-image-templates", + "checklist": "WAF checklist", + "description": "By using Capacity Reservations, you can effectively manage capacity for critical workloads, ensuring resource availability in specified regions.", + "guid": "bd7bb012-f7b9-45e0-9e15-8e3ea3992c2d", + "link": "https://learn.microsoft.com/azure/virtual-machines/capacity-reservation-overview", + "service": "VM", "services": [ - "AVD" + "WAF" ], "severity": "Low", - "subcategory": "Golden Images", - "text": "Design your build process for custom images", - "waf": "Operations" + "text": "Use Capacity Reservations for critical workloads that require guaranteed capacity", + "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "There are some known best practices and recommendations for the golden image customization, be sure to check the referenced article.", - "guid": "deace4cb-1dec-44c6-90c3-fc14eebb36a3", - "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", + "checklist": "WAF checklist", + "description": "By ensuring that the necessary quotas are increased in your DR region before testing failover with ASR, you can avoid any potential resource constraints during the recovery process for failed over VMs.", + "guid": "e6e2065b-3a76-4af4-a691-e8939ada4666", + "link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests", + "service": "VM", "services": [ - "AVD" + "ASR", + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Golden Images", - "text": "If custom image will be used, check recommended best practices for AVD on how to build custom image", - "waf": "Operations" - }, - { - "category": "Compute", - "checklist": "Azure Virtual 
Desktop Review", - "description": "FSLogix stack installed in AVD session hosts does not provide auto-update capability. For this reason, it is recommended to download the latest version of FSLogix and include in the golden image update process.", - "guid": "ed5c9027-dd1a-4343-86ca-52b199223186", - "link": "https://learn.microsoft.com/fslogix/how-to-install-fslogix", - "services": [ - "AVD" - ], - "severity": "High", - "subcategory": "Golden Images", - "text": "Include the latest version of FSLogix in the golden image update process", + "text": "Increase quotas in DR region before testing failover with ASR", "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "This tool-set has been created to automatically apply setting referenced in white paper 'Optimizing Windows 10, version 2004 for a Virtual Desktop Infrastructure (VDI) role': https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004. Usage of the tool and/or optimizations mentioned in the white-paper should be considered. ", - "guid": "829e3fec-2183-4687-a017-7a2b5945bda4", - "link": "https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool", + "checklist": "WAF checklist", + "description": "Scheduled Events is an Azure Metadata Service that provides information about upcoming maintenance events for virtual machines (VMs). 
By leveraging Scheduled Events, you can proactively prepare your applications for VM maintenance, minimizing disruption and improving the availability of your VMs.", + "guid": "6d3b475a-5c7a-4cbe-99bb-e64dd8902e87", + "link": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events", + "service": "VM", "services": [ - "RBAC", - "AVD" + "VM", + "WAF" ], "severity": "Low", - "subcategory": "Golden Images", - "text": "Evaluate the usage of Virtual-Desktop-Optimization-Tool", - "waf": "Performance" + "text": "Utilize Scheduled Events to prepare for VM maintenance", + "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "If OneDrive is used and included in a golden image, be sure to follow the configuration procedure reported in the companion article in the 'More Info' section. Not in scope in this AVD checklist, but OneDrive optimizations like 'Known Folder Redirection' and 'Files On-Demand' should be evaluated used to reduce the space used in FSLogix profiles and provide a better user experience. OneDrive today is not supported for Remote Apps.", - "guid": "e3d3e084-4276-4d4b-bc01-5bcf219e4a1e", - "link": "https://learn.microsoft.com/azure/virtual-desktop/install-office-on-wvd-master-image#install-onedrive-in-per-machine-mode", + "checklist": "WAF checklist", + "description": "Use Zone-redundant Storage (ZRS) in the primary region for scenarios that require high availability and for restricting replication to a particular country or region. 
For protection against regional disasters, use Geo-zone-redundant Storage (GZRS), which combines ZRS in the primary region with geo-replication to a secondary region?.", + "guid": "48c7c891-dcb1-4f7d-9769-ae568ba38d4a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Azure Storage", "services": [ - "AVD", - "Storage" + "Storage", + "WAF" ], - "severity": "Low", - "subcategory": "Golden Images", - "text": "Determine if Microsoft OneDrive will be part of AVD deployment", - "waf": "Operations" + "severity": "Medium", + "text": "Choose the most appropriate data redundancy option for Azure Storage based on your requirements", + "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "Be sure to review the requirements and configuration procedure contained in the companion article in the 'More Info' column. Since Teams automatic updates will be disabled, it is recommended to check and include Teams latest version in the golden image update process.", - "guid": "b5887953-5d22-4788-9d30-b66c67be5951", - "link": "https://learn.microsoft.com/azure/virtual-desktop/teams-on-AVD", + "checklist": "WAF checklist", + "description": "Assigning a Delete lock to your storage account helps protect the availability of your data, minimizing the risk of disruptions to your business operations.", + "guid": "85e2213d-bd7b-4b01-8f7b-95e06e158e3e", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", "services": [ - "AVD" + "Storage", + "WAF" ], "severity": "Low", - "subcategory": "Golden Images", - "text": "Determine if Microsoft Teams will be part of AVD deployment", - "waf": "Performance" + "text": "Apply a Delete lock to prevent accidental or malicious deletion of storage accounts", + "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "AVD can support users 
with different language and localization requirements in the same host pool. This can be done customizing golden images to ensure users can select whichever language they need. The procedure to configure additional language packs in Windows 11 is documented in the reference article.", - "guid": "7c336f3b-822a-498e-8cd1-667d1150df4a", - "link": "https://learn.microsoft.com/azure/virtual-desktop/windows-11-language-packs", + "checklist": "WAF checklist", + "description": "Container soft delete protects your data from being accidentally deleted by maintaining the deleted data in the system for a specified period of time.", + "guid": "a3992c2d-e6e2-4065-a3a7-6af4a691e893", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", "services": [ - "AVD" + "Storage", + "WAF" ], "severity": "Low", - "subcategory": "Golden Images", - "text": "Assess the requirement to support multiple languages", + "text": "Enable soft delete for Storage Account Containers", "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "It is highly recommended to use separate storage accounts/shares to store MSIX packages. If necessary, storage can scale out independently and not being impacted by profile I/O activities. Azure offers multiple storage options that can be used for MISX app attach. We recommend using Azure Files or Azure NetApp Files as those options offer the best value between cost and management overhead. 
", - "guid": "90083845-c587-4cb3-a1ec-16a1d076ef9f", - "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", + "checklist": "WAF checklist", + "description": "Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time.", + "guid": "9ada4666-7e13-4c10-96b9-153d89f89dc7", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", "services": [ - "AVD", "Storage", - "Cost" + "WAF" ], - "severity": "Medium", - "subcategory": "MSIX & AppAttach", - "text": "Do not use the same storage account/share as FSLogix profiles", - "waf": "Performance" + "severity": "Low", + "text": "Enable soft delete for blobs", + "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "In the referenced article, we reported few but important performance considerations for MSIX usage in AVD context, be sure to carefully review.", - "guid": "241addce-5793-477b-adb3-751ab2ac1fad", - "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", + "checklist": "WAF checklist", + "description": "Azure Backup enhanced soft delete provides critical protection against ransomware attacks by retaining deleted backups, enabling recovery from potential ransomware encryption or deletion.", + "guid": "b44be3b1-a27f-48b9-b91b-e1038df03a82", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about", + "service": "Azure Backup", "services": [ - "AVD" + "Backup", + "WAF" ], "severity": "Medium", - "subcategory": "MSIX & AppAttach", - "text": "Review performance considerations for MSIX", - "waf": "Performance" + "text": "Enable Azure Backup enhanced soft delete for improved data protection and recovery", + "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Azure 
Virtual Desktop Review", - "description": "MSIX app attach requires read-only permissions to access the file share. If you're storing your MSIX applications in Azure Files, then for your session hosts, you'll need to assign all session host VMs both storage account role-based access control (RBAC) and file share New Technology File System (NTFS) permissions on the share.", - "guid": "66e15d4d-5a2a-4db2-a3e2-326bf225ca41", - "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", + "checklist": "WAF checklist", + "description": "Azure Backup's multi-user authorization enables fine-grained control over user access to backup resources, allowing you to restrict privileges and ensure proper authentication and authorization for backup operations.", + "guid": "2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae", + "link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept", + "service": "Azure Backup", "services": [ - "RBAC", - "AVD", - "VM", - "Storage" + "Backup", + "WAF" ], - "severity": "Medium", - "subcategory": "MSIX & AppAttach", - "text": "Check proper session host permissions for MSIX share", - "waf": "Security" + "severity": "Low", + "text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources", + "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "3rd-party software vendor must provide a MSIX package, it is not recommended for customer to attempt the conversion procedure without proper support from the application owner.", - "guid": "bd362caa-ab79-4b19-adab-81932c9fc9d1", - "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", + "checklist": "WAF checklist", + "description": "Azure Immutable Storage provides an additional layer of security by ensuring that backup data stored in the vault cannot be modified or deleted for a specified retention period. 
This helps safeguard your backups from ransomware attacks that may attempt to compromise or manipulate your backup data.", + "guid": "2cc88147-0607-4c1c-aa0e-614658dd458e", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault", + "service": "Azure Backup", "services": [ - "AVD" + "Storage", + "Backup", + "WAF" ], "severity": "Low", - "subcategory": "MSIX & AppAttach", - "text": "MSIX packages for 3rd-party applications", - "waf": "Cost" + "text": "Implement Immutable Storage for your vaults to protect against ransomware and prevent unauthorized modifications to backups", + "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "MSIX app attach doesn't support auto-update for MSIX applications, so they should be disabled.", - "guid": "bb88037f-5e6b-4fbb-aed5-03547cc447e8", - "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", + "checklist": "WAF checklist", + "description": "To eliminate a single point of failure in your on-premises DNS services and ensure reliable DNS resolution during business continuity and disaster recovery scenarios, it is recommended to utilize Azure DNS Private Resolvers in multiple regions. 
By deploying two or more Azure DNS private resolvers across different regions, you can enable DNS failover and achieve resiliency in your DNS infrastructure.", + "guid": "43da1dae-2cc8-4814-9060-7c1cca0e6146", + "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover", + "service": "DNS", "services": [ - "AVD" + "ASR", + "ACR", + "DNS", + "WAF" ], "severity": "Low", - "subcategory": "MSIX & AppAttach", - "text": "Disable auto-update for MSIX packages", - "waf": "Operations" + "text": "Implement DNS Failover using Azure DNS Private Resolvers", + "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "In order to leverage MSIX & App Attach, guest OS image for AVD Host pool must be Windows 10/11 Enterprise or Windows 10/11 Enterprise Multi-session, version 2004 or later.", - "guid": "26128a71-f0f1-4cac-9d9e-f1d5e832e42e", - "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", + "checklist": "WAF checklist", + "description": "Use an on-premises data gateway cluster to avoid single points of failure and to load balance traffic across gateways.", + "guid": "89f89dc7-b44b-4e3b-8a27-f8b9e91be103", + "link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters", + "service": "Data Gateways", "services": [ - "AVD" + "ACR", + "WAF" ], "severity": "Medium", - "subcategory": "MSIX & AppAttach", - "text": "Review operating systems support", + "text": "Use on-premises data gateway clusters to ensure high availability for business-critical data", "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "Once selected the VM SKU that will be used for Host Pool deployment, it is recommended to use Gen2 type of the SKU for higher security and improved capabilities.", - "guid": "e4633254-3185-40a1-b120-bd563a1c8e9d", - "link": 
"https://docs.microsoft.com/azure/virtual-machines/generation-2",
+ "checklist": "WAF checklist",
+ "description": "When choosing the best option for deploying NVAs in Azure, it is crucial to consider the vendor's recommendations and validate that the specific design has been vetted and validated by the NVA vendor. The vendor should also provide the necessary NVA configuration for seamless integration in Azure.",
+ "guid": "8b1188b3-c6a4-46ce-a544-451e192d3442",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha",
+ "service": "NVA",
 "services": [
- "AVD",
- "VM"
+ "NVA",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Session Host",
- "text": "Evaluate the usage of Gen2 VM for Host Pool deployment",
- "waf": "Performance"
+ "severity": "High",
+ "text": "Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration for High Availability",
+ "waf": "Reliability"
 },
 {
- "category": "Compute",
- "checklist": "Azure Virtual Desktop Review",
- "description": "MMR redirects the media content from Session Host to your local machine for faster processing and rendering. It only works when you play media content on Microsoft Edge or Google Chrome. See linked URL for more details.",
- "guid": "adecb27f-dc40-40f5-aca2-0090f633b1c9",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/multimedia-redirection",
+ "checklist": "WAF checklist",
+ "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85",
+ "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview",
+ "service": "SAP",
 "services": [
- "AVD"
+ "SAP",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Session Host",
- "text": "Consider using MMR (MultiMedia Redirection) to get better video performance on browser",
- "waf": "Performance"
+ "severity": "Medium",
+ "text": "Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP a top-level workload on Azure. 
ACSS is an end-to-end solution that enables you to create and run SAP systems as a unified workload on Azure and provides a more seamless foundation for innovation. You can take advantage of the management capabilities for both new and existing Azure-based SAP systems.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "A host pool is a collection of Azure virtual machines that register to Azure Virtual Desktop as session hosts. A host pool can be one of two types: Personal and Pooled. Which type to use, and how many, is a key design decision that must be documented and validated. See companion article in 'More Info' column for more details.",
- "guid": "8468c55a-775c-46ee-a5b8-6ad8844ce3b2",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology#host-pools",
+ "checklist": "WAF checklist",
+ "guid": "5d75e99d-624d-4afe-91d9-e17adc580790",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops",
+ "service": "SAP",
 "services": [
- "AVD",
- "VM"
+ "SAP",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Capacity Planning",
- "text": "Determine the Host Pool type to use",
- "waf": "Cost"
+ "severity": "Medium",
+ "text": "Azure supports automating SAP deployments in Linux and Windows. SAP Deployment Automation Framework is an open-source orchestration tool that can deploy, install, and maintain SAP environments.",
+ "training": "https://github.com/Azure/sap-automation",
+ "waf": "Operations"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Use your design criteria to determine the number of Host Pools to deploy. 
This will be based on factors such as different OS images, multi-region support, guest VM hardware differences (such as GPU support or no), different user expectations and uptime requirements (examples might be 'Executives', 'Office Workers', 'Developers', etc.), and Host Pool RDP settings (such as drive redirection support). These will determine the number of host pools as well as how many hosts will be in each pool.",
- "guid": "4e98495f-d3c0-4af2-aa59-a793395a32a7",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#host-pools",
+ "checklist": "WAF checklist",
+ "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8",
+ "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform",
+ "service": "SAP",
 "services": [
- "AVD",
- "VM"
+ "SAP",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Capacity Planning",
- "text": "Estimate the number of different Host Pools to deploy ",
- "waf": "Performance"
+ "severity": "Medium",
+ "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally",
+ "waf": "Reliability"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Confirm that the difference between automatic and direct assignment is well understood and the selected option is appropriate for the scenario in question. 
Automatic is the default setting.",
- "guid": "b38b875b-a1cf-4204-a901-3a5d3ce474db",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type",
+ "checklist": "WAF checklist",
+ "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a",
+ "service": "SAP",
 "services": [
- "AVD"
+ "Backup",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Capacity Planning",
- "text": "For Personal Host Pool type, select the proper assignment type",
- "waf": "Operations"
+ "severity": "Medium",
+ "text": "Test the backup and recovery times to verify that they meet your RTO requirements for restoring all systems simultaneously after a disaster.",
+ "waf": "Reliability"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Check which one to use and available options, autoscale ignores existing load-balancing algorithms.",
- "guid": "cbd8682a-6abc-4a2a-9fda-1dbf3dc95d48",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/host-pool-load-balancing",
+ "checklist": "WAF checklist",
+ "guid": "b651423c-8552-42db-a545-5cb50c05527a",
+ "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
+ "service": "SAP",
 "services": [
- "AVD"
+ "Storage",
+ "Backup",
+ "WAF",
+ "SQL",
+ "ASR",
+ "SAP"
 ],
- "severity": "Low",
- "subcategory": "Capacity Planning",
- "text": "For Pooled Host Pool type, select the best load balancing method",
- "waf": "Performance"
+ "severity": "High",
+ "text": "You can replicate standard storage between paired regions, but you can't use standard storage to store your databases or virtual hard disks. You can replicate backups only between paired regions that you use. For all your other data, run your replication by using native DBMS features like SQL Server Always On or SAP HANA System Replication. 
Use a combination of Site Recovery, rsync or robocopy, and other third-party software for the SAP application layer.",
+ "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/",
+ "waf": "Reliability"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "The number of cores increase, the system's synchronization overhead also increases. Especially for multiple user's sign-in simultaneously. Make sure not to use a VM that is too large for the session host",
- "guid": "b3724959-4943-4577-a3a9-e10ff6345f24",
- "link": "https://learn.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs",
+ "checklist": "WAF checklist",
+ "guid": "aa208dca-784f-46c6-9014-cc919c542dc9",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
+ "service": "SAP",
 "services": [
- "AVD",
- "VM"
+ "SAP",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Capacity Planning",
- "text": "For Pooled Host Pool type, VMs shouldn't have more than 32 cores",
- "waf": "Performance"
+ "text": "When using Azure Availability Zones to achieve high availability, you must consider latency between SAP application servers and database servers. For zones with high latencies, operational procedures need to be in place to ensure that SAP application servers and database servers are running in the same zone at all times.",
+ "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations",
+ "waf": "Reliability"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "AVD does not support assigning both the RemoteApp and Desktop Application Group (DAG) in a single host pool to the same set of users. Doing so will cause a single user to have two user sessions in a single host pool. 
Users aren't supposed to have two active sessions at the same time in the same host pool using the same profile.",
- "guid": "b384b7ed-1cdd-457e-a2cd-c8d4d55bc144",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#application-groups",
+ "checklist": "WAF checklist",
+ "guid": "ba07c007-1f90-43e9-aa4f-601346b80352",
+ "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
+ "service": "SAP",
 "services": [
- "AVD",
- "Storage"
+ "VPN",
+ "ASR",
+ "ExpressRoute",
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Capacity Planning",
- "text": "Do not use the same Host Pool to offer both full desktops (DAG) and Remote Apps to the same set of users",
- "waf": "Security"
+ "text": "Set up ExpressRoute connections from on-premises to the primary and secondary Azure disaster recovery regions. Also, as an alternative to using ExpressRoute, consider setting up VPN connections from on-premises to the primary and secondary Azure disaster recovery regions.",
+ "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering",
+ "waf": "Reliability"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "There is a limit of 500 Application Groups that can be created in AVD for each Microsoft Entra ID (former Azure AD) tenant. 
The limit can be increased (see the companion link for details) but it is not recommended.",
- "guid": "971cc4a4-b1f7-4c12-90e0-1ad96808f00c",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-virtual-desktop-service-limits",
+ "checklist": "WAF checklist",
+ "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
+ "service": "SAP",
 "services": [
- "Entra",
- "AVD",
- "ACR"
+ "ACR",
+ "AKV",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Capacity Planning",
- "text": "Estimate the number of Application Groups required across all Host Pools in the Microsoft Entra ID tenant",
+ "severity": "Low",
+ "text": "Replicate key vault contents like certificates, secrets, or keys across regions so you can decrypt data in the DR region.",
 "waf": "Reliability"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Applications are grouped under Application Groups as containers for publishing and assigning permissions: we recommend that you do not publish more than 50 applications per application group.",
- "guid": "fa9f2895-473d-439b-ab8e-5a5cf92c7f32",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations",
+ "checklist": "WAF checklist",
+ "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana",
+ "service": "SAP",
 "services": [
- "AVD"
+ "ASR",
+ "VNet",
+ "SAP",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Capacity Planning",
- "text": "Estimate the number of Applications for each Application Group",
+ "severity": "Medium",
+ "text": "Peer the primary and disaster recovery virtual networks. 
For example, for HANA System Replication, an SAP HANA DB virtual network needs to be peered to the disaster recovery site's SAP HANA DB virtual network.",
 "waf": "Reliability"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "FSLogix is not required for Personal Host Pools since each VM is statically assigned to a single user, then no immediate needs for a roaming profile solution. In some usage scenarios FSLogix can help. For example, a VM can be re-assigned, or user moved to another desktop, or roaming profile can be used to save user profile in a different location for DR purposes.",
- "guid": "38b19ab6-0693-4992-9394-5590883916ec",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type?tabs=azure#reassign-a-personal-desktop",
+ "checklist": "WAF checklist",
+ "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40",
+ "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels",
+ "service": "SAP",
 "services": [
- "AVD",
- "VM",
- "Storage"
+ "Storage",
+ "SAP",
+ "WAF"
 ],
 "severity": "Low",
- "subcategory": "Capacity Planning",
- "text": "Evaluate the usage of FSLogix for Personal Host Pools",
+ "text": "If you use Azure NetApp Files storage for your SAP deployments, at a minimum, create two Azure NetApp Files accounts in the Premium tier, in two regions.",
+ "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria",
 "waf": "Reliability"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Use the link provided to set a starting point for SKU decision, then validate using a performance test. 
Ensure a minimum of four cores for Production is selected per Session Host (multi-session)",
- "guid": "e1112dbd-7ba0-412e-9b94-ef6e047d2ea2",
- "link": "https://docs.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs",
+ "checklist": "WAF checklist",
+ "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows",
+ "service": "SAP",
 "services": [
- "AVD",
- "VM"
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Capacity Planning",
- "text": "Run workload performance test to determine the best Azure VM SKU and size to use",
- "waf": "Performance"
+ "text": "Native database replication technology should be used to synchronize the database in a HA pair.",
+ "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations",
+ "waf": "Reliability"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "It is critical to check AVD capacity and limits reported in the referenced article. Additional limits and thresholds apply for network, compute, storage and service management. 
",
- "guid": "992b1cd6-d2f5-44b2-a769-e3a691e8838a",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations",
+ "checklist": "WAF checklist",
+ "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad",
+ "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq",
+ "service": "SAP",
 "services": [
- "AVD",
- "Storage"
+ "VNet",
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Capacity Planning",
- "text": "Verify AVD scalability limits for the environment",
+ "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's VNet",
+ "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations",
 "waf": "Reliability"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Host Pools with GPU require special configuration, please be sure to review the referenced article.",
- "guid": "c936667e-13c0-4056-94b1-e945a459837e",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-vm-gpu",
+ "checklist": "WAF checklist",
+ "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a",
+ "service": "SAP",
 "services": [
- "AVD"
- ],
- "severity": "Low",
- "subcategory": "Capacity Planning",
- "text": "Determine if Session Hosts will require GPU",
- "waf": "Performance"
- },
- {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Whenever is possible, it is recommended to leverage VM SKUs with Accelerated Networking feature. 
This feature does require specific VM SKU/size and OS versions, please see the list and requirement in the companion article.",
- "guid": "b47a393a-0803-4272-a479-8b1578b219a4",
- "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview",
- "services": [
- "AVD",
- "VM"
+ "ASR",
+ "Entra",
+ "VM",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Capacity Planning",
- "text": "Use Azure VM SKUs able to leverage Accelerated Networking",
- "waf": "Performance"
+ "severity": "High",
+ "text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).",
+ "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/",
+ "waf": "Reliability"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "For proper planning and deployment, it is important to assess the maximum number of concurrent and total users for each Host Pool. Additionally, users from different regions may require different Host Pools to ensure the best user experience.",
- "guid": "bb91a33d-90ca-4e2c-a881-3706f7c0cb9f",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
+ "checklist": "WAF checklist",
+ "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
+ "service": "SAP",
 "services": [
- "AVD"
+ "SAP",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Clients & Users",
- "text": "Assess how many users will connect to AVD and from which regions",
- "waf": "Performance"
+ "severity": "High",
+ "text": "Consider the availability of SAP software against single points of failure. 
This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. Also, other tools such as SAP Web Dispatcher.",
+ "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations",
+ "waf": "Reliability"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "The dependencies on resources external to the AVD pool should be assessed and reviewed, for example Active Directory, external file shares or other storage, on-premises services and resources, network infrastructure components like VPN and or ExpressRoute, external services and 3rd-party components. For all these resources, latency from the AVD Host Pool needs to be evaluated and connectivity considered. Additionally, BCDR considerations need to be applied to these dependencies as well.",
- "guid": "6abca2a4-fda1-4dbf-9dc9-5d48c7c791dc",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop?toc=%2Fazure%2Fvirtual-desktop%2Ftoc.json&bc=%2Fazure%2Fvirtual-desktop%2Fbreadcrumb%2Ftoc.json",
+ "checklist": "WAF checklist",
+ "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations",
+ "service": "SAP",
 "services": [
- "AVD",
- "VPN",
- "Storage",
- "ExpressRoute"
+ "SAP",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Clients & Users",
- "text": "Assess external dependencies for each Host Pool",
- "waf": "Performance"
+ "severity": "High",
+ "text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. 
In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "waf": "Reliability"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "AVD offers a variety of client types (fat, thin, web) to connect over different platforms (Windows, MacOS, iOS, Android). Review limitations of each client and compare multiple options when possible.",
- "guid": "a1f6d565-99e5-458b-a37d-4985e1112dbd",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/users/connect-windows",
+ "checklist": "WAF checklist",
+ "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows",
+ "service": "SAP",
 "services": [
- "AVD"
+ "Storage",
+ "VM",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Clients & Users",
- "text": "Review user client OS used and AVD client type",
- "waf": "Performance"
+ "severity": "High",
+ "text": "Azure doesn't support architectures in which the primary and secondary VMs share storage for DBMS data. For the DBMS layer, the common architecture pattern is to replicate databases at the same time and with different storage stacks than the ones that the primary and secondary VMs use.",
+ "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations",
+ "waf": "Reliability"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Depending on the user locations, and AVD region deployment, users may have a non-optimal experience, hence is important to test as soon as possible in a small PoC environment. 
Run the 'Azure Virtual Desktop Experience Estimator' tool to select the best Azure region to deploy Host Pools. Beyond 150ms latency, user experience may be not optimal.",
- "guid": "d2f54b29-769e-43a6-a1e8-838ac936667e",
- "link": "https://azure.microsoft.com/services/virtual-desktop/assessment/",
+ "checklist": "WAF checklist",
+ "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general",
+ "service": "SAP",
 "services": [
- "AVD"
+ "Storage",
+ "SAP",
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Clients & Users",
- "text": "Run a PoC to validate end-to-end user experience and impact of network latency",
- "waf": "Performance"
+ "text": "The DBMS data and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads",
+ "waf": "Reliability"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "RDP settings can currently only be configured at the host pool level, not per user/group. 
If different settings are required for different set of users, it is recommended to create multiple Host Pools.",
- "guid": "3b365a5c-7acb-4e48-abe5-4cd79f2e8776",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/customize-rdp-properties",
+ "checklist": "WAF checklist",
+ "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk",
+ "service": "SAP",
 "services": [
- "AVD"
+ "SAP",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Clients & Users",
- "text": "Assess and document RDP settings for all user groups",
- "waf": "Security"
+ "severity": "High",
+ "text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific high-availability scenarios. Set up your failover clusters separately for SAP application layer components and the DBMS layer. Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "waf": "Reliability"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "AVD is a non-regional service, Host Pools can be created in any region, automatic redirection from closest front-end will happen automatically.",
- "guid": "42e52f47-21d9-428c-8b1b-d521e44a29a9",
- "link": "https://azure.microsoft.com/global-infrastructure/services/?products=virtual-desktop",
+ "checklist": "WAF checklist",
+ "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections",
+ "service": "SAP",
 "services": [
- "AVD"
+ "LoadBalancer",
+ "SAP",
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "General",
- "text": "Determine in which Azure regions AVD Host Pools will be deployed.",
- 
"waf": "Performance"
+ "text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer should handle the virtual IP address for all other cases. One design principle is to use one load balancer per cluster configuration. We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).",
+ "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations",
+ "waf": "Reliability"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "AVD must store metadata to support the service; this is stored in the specified geography. However, this is independent of the regions where Host Pools are located.",
- "guid": "bad37ead-53cc-47ce-8d7a-aab3571449ab",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/data-locations",
+ "checklist": "WAF checklist",
+ "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations",
+ "service": "SAP",
 "services": [
- "AVD"
+ "LoadBalancer",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "General",
- "text": "Determine metadata location for AVD service",
+ "severity": "High",
+ "text": "Make sure the Floating IP is enabled on the Load balancer",
+ "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations",
 "waf": "Reliability"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Check for specific VM SKUs, especially if you need GPU or high-specs SKUs, and eventually Azure NetApp Files if used.",
- "guid": "8053d89e-89dc-47b3-9be2-a1a27f7a9e91",
- "link": "https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "checklist": "WAF 
checklist",
+ "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
+ "service": "SAP",
 "services": [
- "AVD",
- "VM",
- "Storage"
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "General",
- "text": "Check Azure quotas and availability for specific VM sizes and types in the selected regions",
+ "severity": "High",
+ "text": "Before you deploy your high-availability infrastructure, and depending on the region you choose, determine whether to deploy with an Azure availability set or an availability zone.",
+ "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
 "waf": "Reliability"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "AD DCs in Azure are recommended (at least two in different AZ) to reduce latency for users logging into AVD session hosts, and eventually for Azure NetApp Files and AD integration. A DC need to be able to talk to DCs for ALL child domains. 
As alternative, on-premise connectivity must be used to reach AD DCs.",
- "guid": "c14aea7e-65e8-4d9a-9aec-218e6436b073",
- "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain",
+ "checklist": "WAF checklist",
+ "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea",
+ "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
+ "service": "SAP",
 "services": [
 "Entra",
- "AVD",
- "VNet",
- "Storage"
+ "SAP",
+ "VM",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Active Directory",
- "text": "Create at least two Active Directory Domain Controllers (DCs) in Azure VNet environment close to AVD Host Pool",
+ "severity": "High",
+ "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.",
 "waf": "Reliability"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Recommended to create a separate OU per Host Pool under a separate OU hierarchy. These OUs will contain machine accounts of AVD Session Hosts. ",
- "guid": "6db55f57-9603-4334-adf9-cc23418db612",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
+ "checklist": "WAF checklist",
+ "guid": "cbe05bbe-209d-4490-ba47-778424d11678",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
+ "service": "SAP",
 "services": [
 "Entra",
- "AVD"
+ "RBAC",
+ "VM",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Active Directory",
- "text": "Create a specific OU in Active Directory for each Host Pool",
- "waf": "Operations"
+ "severity": "High",
+ "text": "Do not mix servers of different roles in the same availability set. 
Keep central services VMs, database VMs, application VMs in their own availability sets",
+ "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
+ "waf": "Reliability"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Carefully review, and potentially block/filter inheritance of GPOs to the OUs containing AVD Host Pools. ",
- "guid": "7126504b-b47a-4393-a080-327294798b15",
- "link": "https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-hierarchy",
+ "checklist": "WAF checklist",
+ "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/co-location",
+ "service": "SAP",
 "services": [
- "Entra",
- "AVD"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Active Directory",
- "text": "Review Domain GPOs that will be applied to OU and impacting Host Pool Session Hosts functionalities",
- "waf": "Operations"
+ "text": "You can't deploy Azure availability sets within an Azure availability zone unless you use proximity placement groups.",
+ "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
+ "waf": "Reliability"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "If Active Directory Domain GPOs are used, it is recommended to configure FSLogix using the built-in provided GPO ADMX template referenced in the companion article in the 'More Info' column",
- "guid": "2226a8e3-50a4-4ac3-8bd6-ee150553051f",
- "link": "https://learn.microsoft.com/fslogix/how-to-use-group-policy-templates",
+ "checklist": "WAF checklist",
+ "guid": "9674e7c7-7796-4181-8920-09f4429543ba",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
+ "service": "SAP",
 "services": [
- "Entra",
- "AVD"
+ "VM",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Active Directory",
- "text": 
"Configure FSLogix settings using the built-in provided GPO ADMX template", - "waf": "Operations" + "severity": "High", + "text": "When you create availability sets, use the maximum number of fault domains and update domains available. For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. The default number of fault domains is two, and you can't change it online later.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure Virtual Desktop Review", - "description": "It is recommended to have a specific dedicated account with minimal permissions, and without the default 10 joins limitation. Review the companion article for more details.", - "guid": "347dc560-28a7-41ff-b1cd-15dd2f0d5e77", - "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#session-hosts", + "checklist": "WAF checklist", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "services": [ "Entra", - "AVD", - "VM" + "SAP", + "WAF" ], - "severity": "Medium", - "subcategory": "Active Directory", - "text": "Create a dedicated user account with only permissions to join VM to the domain", - "waf": "Security" + "severity": "High", + "text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group.", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure Virtual Desktop Review", - "description": "Avoid granting access per user, 
instead use AD groups and replicate them using Active Directory Connector (ADC) in Microsoft Entra ID (former Azure AD). ", - "guid": "2d41e361-1cc5-47b4-a4b1-410d43958a8c", - "link": "https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups", + "checklist": "WAF checklist", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "services": [ - "Entra", - "AVD" + "ACR", + "SAP", + "WAF" ], - "severity": "Medium", - "subcategory": "Active Directory", - "text": "Create a domain user group for each set of users that will be granted access to each Host Pool Application Group (DAG or RAG)", - "waf": "Security" + "severity": "High", + "text": "Use one proximity placement group per SAP SID. Groups don't span across Availability Zones or Azure regions", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure Virtual Desktop Review", - "description": "If Azure Files Active Directory (AD) integration is used, as part of the configuration procedure, an AD account to represent the storage account (file share) will be created. You can choose to register as a computer account or service logon account, see FAQ for details. For computer accounts, there is a default password expiration age set in AD at 30 days. Similarly, the service logon account may have a default password expiration age set on the AD domain or Organizational Unit (OU). For both account types, we recommend you check the password expiration age configured in your AD environment and plan to update the password of your storage account identity of the AD account before the maximum password age. 
You can consider creating a new AD Organizational Unit (OU) in AD and disabling password expiration policy on computer accounts or service logon accounts accordingly.", - "guid": "2289b3d6-b57c-4fc6-9546-1e1a3e3453a3", - "link": "https://docs.microsoft.com/azure/storage/files/storage-files-identity-ad-ds-enable", + "checklist": "WAF checklist", + "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "services": [ "Entra", - "AVD", - "AzurePolicy", - "Storage" + "SAP", + "WAF" ], "severity": "High", - "subcategory": "Active Directory", - "text": "Review your organization password expiration policy for accounts used by Azure Files AD integration", - "waf": "Security" + "text": "Use one of the following services to run SAP central services clusters, depending on the operating system.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure Virtual Desktop Review", - "description": "You can configure this using Active Directory Connect (ADC) or Azure AD Domain Services (for hybrid or cloud organizations). 
Microsoft Entra ID is the new name for Azure Active Directory (Azure AD).", - "guid": "5119bf8e-8f58-4542-a7d9-cec166cd072a", - "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity", + "checklist": "WAF checklist", + "guid": "ed46b937-913e-4018-9c62-8393ab037e53", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", + "service": "SAP", "services": [ "Entra", - "AVD" + "VM", + "WAF" ], - "severity": "High", - "subcategory": "Active Directory", - "text": "A Windows Server Active Directory forest/domain must be in sync with Microsoft Entra ID", + "severity": "Medium", + "text": "Azure doesn't currently support combining ASCS and DB HA in the same Linux Pacemaker cluster; separate them into individual clusters. However, you can combine up to five multiple central-services clusters into a pair of VMs.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure Virtual Desktop Review", - "description": "If Azure Files is used and pre-requisites can be satisfied, it is recommended to configure (Microsoft Entra ID) Kerberos authentication. 
This configuration will allow to store FSLogix profiles that can be accessed by hybrid user identities from Azure AD-joined session hosts without requiring network line-of-sight to domain controllers.", - "guid": "e777fd5e-c5f1-4d6e-8fa9-fc210b88e338", - "link": "https://learn.microsoft.com/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable", + "checklist": "WAF checklist", + "guid": "f656e745-0cfb-453e-8008-0528fa21c933", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "services": [ - "Entra", - "AVD", - "Storage" + "Storage", + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Microsoft Entra ID", - "text": "Configure Azure Files share for Microsoft Entra ID (former Azure AD) Kerberos authentication on Microsoft Entra ID Joined scenario", - "waf": "Security" + "text": "Deploy both VMs in the high-availability pair in an availability set or in availability zones. 
These VMs should be the same size and have the same storage configuration.", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure Virtual Desktop Review", - "description": "An Azure subscription must be parented to the same Microsoft Entra ID (former Azure AD) tenant, that contains a virtual network that either contains or is connected to the Windows Server Active Directory Domain Services or Microsoft Entra ID Domain Services instance.", - "guid": "6ceb5443-5125-4922-9442-93bb628537a5", - "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity", + "checklist": "WAF checklist", + "guid": "7f684ebc-95da-425e-b329-e782dbed050f", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", + "service": "SAP", "services": [ - "Entra", - "AVD", - "VNet", - "Subscriptions" + "SAP", + "WAF" ], - "severity": "High", - "subcategory": "Requirements", - "text": "A Microsoft Entra ID tenant must be available with at least one subscription linked", + "severity": "Medium", + "text": "Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances on the same high availability cluster running on Red Hat Enterprise Linux (RHEL).", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure Virtual Desktop Review", - "description": "Azure Virtual Desktop supports different types of identities depending on which configuration you choose. Please review the supported scenarios mentioned in the 'More Info' article and document the design decision accordingly in the 'Comment' column. Critically, external identities (B2B or B2C) are not supported. 
Be sure to review also the list of supported scenarios in https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios.", - "guid": "b4ce4781-7557-4a1f-8043-332ae199d44c", - "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication", + "checklist": "WAF checklist", + "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", "services": [ - "Entra", - "AVD" + "Storage", + "WAF" ], "severity": "High", - "subcategory": "Requirements", - "text": "Review and document your identity scenario", - "waf": "Security" + "text": "Run all production systems on Premium managed SSDs and use Azure NetApp Files or Ultra Disk Storage. At least the OS disk should be on the Premium tier so you can achieve better performance and the best SLA.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure Virtual Desktop Review", - "description": "Users need accounts that are in Microsoft Entra ID (former Azure AD). If you're also using AD DS or Azure AD Domain Services in your deployment of Azure Virtual Desktop, these accounts will need to be hybrid identities, which means the user accounts are synchronized. If you're using Microsoft Entra ID with AD DS, you'll need to configure Azure AD Connect to synchronize user identity data between AD DS and Microsoft Entra ID. If you're using Microsoft Entra ID with Azure AD Domain Services, user accounts are synchronized one way from Microsoft Entra ID to Azure AD Domain Services. This synchronization process is automatic. AVD also supports Microsoft Entra ID native accounts with some restrictions. 
External identities (B2B or B2C) are not supported.", - "guid": "f9b141a8-98a5-435e-9378-97e71ca7da7b", - "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios", + "checklist": "WAF checklist", + "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", + "service": "SAP", "services": [ - "Entra", - "AVD" + "Storage", + "SAP", + "WAF" ], - "severity": "Medium", - "subcategory": "Requirements", - "text": "Assess User Account types and requirements", - "waf": "Security" + "severity": "High", + "text": "You should run SAP HANA on Azure only on the types of storage that are certified by SAP. Note that certain volumes must be run on certain disk configurations, where applicable. These configurations include enabling Write Accelerator and using Premium storage. You also need to ensure that the file system that runs on storage is compatible with the DBMS that runs on the machine.", + "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure Virtual Desktop Review", - "description": "AVD supports SSO using either Active Directory Federation Services (AD FS) or Microsoft Entra ID (former Azure AD) authentication. The latter is recommended, please check the requirements and limitation in the 'More Info' article. 
Using AD FS could be a viable choice if already present in the customer environment, it is not recommended to deploy a brand new ADFS infrastructure just for AVD SSO implementation.", - "guid": "5f9f680a-ba07-4429-bbf7-93d7071561f4", - "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication#single-sign-on-sso", + "checklist": "WAF checklist", + "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", + "service": "SAP", "services": [ - "Entra", - "AVD" + "Storage", + "SAP", + "ASR", + "WAF" ], - "severity": "Medium", - "subcategory": "Requirements", - "text": "If Single-Sign On (SSO) is a requirement, review the supported scenarios and prerequisites", + "severity": "High", + "text": "Consider configuring high availability depending on the type of storage you use for your SAP workloads. Some storage services available in Azure are not supported by Azure Site Recovery, so your high availability configuration may differ.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure Virtual Desktop Review", - "description": "VMs can be Windows Active Directory (AD) domain-joined, Hybrid AD-joined, Microsoft Entra ID (former Azure AD) Joined or Azure AD Domain Services joined. 
Be sure to review supported scenarios, limitations and requirements from the referenced article.", - "guid": "ea962a15-9394-46da-a7cc-3923266b2258", - "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios", + "checklist": "WAF checklist", + "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", + "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", + "service": "SAP", "services": [ - "Entra", - "AVD", - "VM" + "Storage", + "SAP", + "WAF" ], "severity": "High", - "subcategory": "Requirements", - "text": "Select the proper AVD Session Host domain join type", - "waf": "Security" + "text": "Different native Azure storage services (like Azure Files, Azure NetApp Files, Azure Shared Disk) may not be available in all regions. So to have similar SAP setup on the DR region after failover, ensure the respective storage service is offered in DR site.", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure Virtual Desktop Review", - "description": "Compare self-managed Windows Active Directory Domain Services, Microsoft Entra ID (former Azure AD), and managed Azure AD Domain Services (AAD-DS)", - "guid": "6f4a1651-bddd-4ea8-a487-cdeb4861bc3b", - "link": "https://docs.microsoft.com/azure/active-directory-domain-services/compare-identity-solutions", + "checklist": "WAF checklist", + "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", + "service": "SAP", "services": [ - "Entra", - "AVD" + "SAP", + "Cost", + "WAF" ], - "severity": "Low", - "subcategory": "Requirements", - "text": "Before using Azure AD Domain Services (AAD-DS) for AVD, be sure to review the limitations.", - "waf": "Reliability" + "severity": "Medium", + "text": "Automate SAP System Start-Stop to manage costs.", + "waf": "Cost" }, { - "category": 
"Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "AVD provides administrative templates for Intune and Active Directory GPO. Using these templates it is possible to centrally control several AVD configuration settings: Graphics related data logging, Screen capture protection, RDP Shortpath for managed networks, Watermarking. See companion article in 'More Info' colum for details. NOTE: FSLogix has its own separate template.", - "guid": "5549524b-36c0-4f1a-892b-ab3ca78f5db2", - "link": "https://learn.microsoft.com/azure/virtual-desktop/administrative-template", + "checklist": "WAF checklist", + "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", "services": [ - "Entra", - "AVD", - "Monitor" + "Storage", + "WAF", + "Cost", + "VM", + "SAP" ], "severity": "Low", - "subcategory": "Management", - "text": "Use built-in provided administrative templates for AVD settings configuration", - "waf": "Operations" + "text": "In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD storage can be used to select a cost-conscious storage solution. However, please note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA of the individual VMs. 
Also, for systems with lower I/O throughput and low latency, such as non-production environments, lower series VMs can be used.", + "waf": "Cost" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "Determine if a configuration management tool is already in place to manage Host Pool VM configuration after initial deployment, For example SCCM/SCOM, Intune/ConfigurationManager, 3rd-party solutions.", - "guid": "3334fdf9-1c23-4418-8b65-285269440b4b", - "link": "https://learn.microsoft.com/azure/virtual-desktop/management", + "checklist": "WAF checklist", + "guid": "9877f353-2591-4e8b-8381-e9043fed1010", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", "services": [ - "AVD", + "Storage", + "WAF", + "Cost", "VM", - "Monitor" + "SAP" ], "severity": "Low", - "subcategory": "Management", - "text": "Plan AVD Session Hosts configuration management strategy", - "waf": "Operations" + "text": "As a lower-cost alternative configuration (multipurpose), you can choose a low-performance SKU for your non-production HANA database server VMs. However, it is important to note that some VM types, such as E-series, are not HANA certified (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.", + "waf": "Cost" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "We recommend using Microsoft Intune, if requirements can be satisfied, to manage your Azure Virtual Desktop environment. Review supported scenarios and requirements to enable Intune for AVD Session Host management in the referenced article in the “More Info” column. Document your choice in the 'Comment' column. 
In that article, review the different requirements and capabilities for single-session https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop and multi-session https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session AVD.", - "guid": "63a08be1-6004-4b4a-a79b-f3239faae113", - "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop", + "checklist": "WAF checklist", + "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", + "service": "SAP", "services": [ - "AVD", - "Monitor" + "RBAC", + "Subscriptions", + "WAF" ], - "severity": "Medium", - "subcategory": "Management", - "text": "Evaluate Intune for AVD Session Hosts management", - "waf": "Operations" + "severity": "High", + "text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "The scaling tool provides a low-cost automation option for customers who want to optimize their session host VM costs. You can use the scaling tool to schedule VMs to start and stop based on Peak and Off-Peak business hours, scale out VMs based on number of sessions per CPU core, scale in VMs during Off-Peak hours, leaving the minimum number of session host VMs running. 
Not available yet for Personal Host Pool type.", - "guid": "7138b820-102c-4e16-be30-1e6e872e52e3", - "link": "https://learn.microsoft.com/azure/virtual-desktop/autoscale-scenarios", + "checklist": "WAF checklist", + "guid": "45911475-e39e-4530-accc-d979366bcda2", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", "services": [ - "AVD", - "VM", - "Cost", - "Monitor" + "Entra", + "SAP", + "WAF" ], "severity": "Medium", - "subcategory": "Management", - "text": "Assess the requirements for host pool auto-scaling capability", - "waf": "Reliability" - }, - { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "Start VM On Connect lets you reduce costs by enabling end users to turn on their session host virtual machines (VMs) only when they need them. You can then turn off VMs when they're not needed. You can configure Start VM on Connect for personal or pooled host pools using the Azure portal or PowerShell. Start VM on Connect is a host pool wide setting.", - "guid": "55f612fe-f215-4f0d-a956-10e7dd96bcbc", - "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect", - "services": [ - "AVD", - "VM", - "Cost", - "Monitor" - ], - "severity": "Low", - "subcategory": "Management", - "text": "Consider the usage of Start VM on Connect for Personal Host Pools", - "waf": "Cost" - }, - { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "'Start VM On Connect' provides a smart way to automatically start previously stopped Session Hosts but does not provide a mechanism to shut down when not in used. Administrators are encouraged to configure additional policies to sign users out of their sessions and run Azure automation scripts to de-allocate VMs. 
Users should be not allowed to shut down their Personal Hosts since will not be able to de-allocate Azure VMs, then billing will still be active with no cost reduction.", - "guid": "79a686ea-d971-4ea0-a9a8-1aea074c94cb", - "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect-faq#are-vms-automatically-deallocated-when-a-user-stops-using-them", - "services": [ - "AVD", - "Monitor", - "Cost", - "AzurePolicy", - "VM" - ], - "severity": "Low", - "subcategory": "Management", - "text": "Evaluate the implementation of an ad-hoc mechanism to shut down Personal AVD Session Hosts", - "waf": "Cost" + "text": "Enforce Principal propagation for forwarding the identity from SAP cloud application to SAP on-premises (Including IaaS) through cloud connector", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "Azure Virtual Desktop billing is mainly based on cost associated to compute, networking and storage resources consumed by Host Pools. In addition to this, costs can be generated by dependent resources, for example VPN or ExpressRoute or vWAN, Active Directory Domain Controllers, DNS, etc. There is no direct cost associated to AVD objects like workspaces, host pools or application groups. To make AVD associated costs more evident and grouped by Host Pool, it is recommended to use 'cm-resource-parent' tag. 
", - "guid": "51bcafca-476a-48fa-9b91-9645a7679f20", - "link": "https://learn.microsoft.com/azure/virtual-desktop/tag-virtual-desktop-resources", + "checklist": "WAF checklist", + "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", "services": [ - "AVD", - "Monitor", - "ExpressRoute", - "Cost", - "DNS", - "VPN", - "Storage", - "VWAN" + "Entra", + "SAP", + "WAF" ], - "severity": "Low", - "subcategory": "Management", - "text": "Review and adopt suggested Azure Tags for Azure Virtual Desktop", - "waf": "Cost" + "severity": "Medium", + "text": "Implement SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics and SAP C4C with Azure AD using SAML.", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "Azure Advisor analyzes your configurations and telemetry to offer personalized recommendations to solve common problems. 
With these recommendations, you can optimize your Azure resources for reliability, security, operational excellence, performance, and cost.", - "guid": "611dd68c-5a4b-4252-8e44-a59a9c2399c4", - "link": "https://learn.microsoft.com/azure/virtual-desktop/azure-advisor-recommendations", + "checklist": "WAF checklist", + "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", "services": [ - "Entra", - "AVD", - "Cost", - "Monitor" + "SAP", + "WAF" ], - "severity": "Low", - "subcategory": "Management", - "text": "Periodically check Azure Advisor recommendations for AVD", - "waf": "Operations" + "severity": "Medium", + "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "Customers have several options: Microsoft Configuration Manager, this article explains how to automatically apply updates to a Azure Virtual Desktop session hosts running Windows 10/11: https://learn.microsoft.com/azure/virtual-desktop/configure-automatic-updates, Microsoft Intune: https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session, Azure Update Management and WSUS for Windows Server OS only (client OS not supported: https://learn.microsoft.com/azure/automation/update-management/operating-system-requirements), 3rd Party tools. 
Outside an emergency security patching situation, it is recommended to move away from an 'in-place' update strategy patching strategy and adopt a re-imaging approach.", - "guid": "04722da2-9c2b-41cd-922f-54b29bade3aa", - "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop-multi-session", + "checklist": "WAF checklist", + "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", + "service": "SAP", "services": [ - "AVD", - "Monitor" + "SAP", + "WAF" ], "severity": "Medium", - "subcategory": "Management", - "text": "Plan for a Session Host emergency patching and update strategy", - "waf": "Operations" + "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "The Scheduled Agent Updates feature lets you create up to two maintenance windows per Host Pool to update AVD components at a convenient time. It is recommended to specify maintenance windows then upgrading Session Hosts will not happen during peak business hours. Scheduled Agent Updates is disabled by default. 
This means that, unless you enable this setting, the agent can get updated at any time by the agent update flighting service.", - "guid": "c067939b-e5ca-4698-b9ce-3bd91843e73f", - "link": "https://learn.microsoft.com/azure/virtual-desktop/scheduled-agent-updates", + "checklist": "WAF checklist", + "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", "services": [ - "AVD", - "Monitor" + "SAP", + "WAF" ], - "severity": "Low", - "subcategory": "Management", - "text": "Configure the Scheduled Agent Updates feature", - "waf": "Reliability" + "severity": "Medium", + "text": "You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "Host pools are a collection of one or more identical virtual machines within Azure Virtual Desktop environment. We highly recommend you create a validation host pool where service updates are applied first. 
This allows you to monitor service updates before the service applies them to your standard or non-validation environment.", - "guid": "d1e8c38e-c936-4667-913c-005674b1e944", - "link": "https://docs.microsoft.com/azure/virtual-desktop/create-validation-host-pool", + "checklist": "WAF checklist", + "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", + "service": "SAP", "services": [ - "AVD", - "VM", - "Monitor" + "SAP", + "AKV", + "WAF" ], "severity": "Medium", - "subcategory": "Management", - "text": "Create a validation (canary) Host Pool", - "waf": "Operations" + "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "An AVD Host Pool can be deployed in several ways: Azure Portal, ARM templates, Azure CLI tool, Powershell, manual VM creation with registration token, Terraform, 3rd-party tools. 
It is important to adopt proper method/s to support automatic deployment through automation and CI/CD tools.", - "guid": "a459c373-e7ed-4616-83b3-65a917ecbe48", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-platform-automation-and-devops", + "checklist": "WAF checklist", + "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", + "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", + "service": "SAP", "services": [ - "AVD", - "VM", - "Monitor" + "SAP", + "AKV", + "WAF" ], "severity": "Medium", - "subcategory": "Management", - "text": "Determine Host Pool deployment strategy", - "waf": "Operations" + "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "After you register a VM to a host pool within the Azure Virtual Desktop service, the agent regularly refreshes the VM's token whenever the VM is active. The certificate for the registration token is valid for 90 days. 
Because of this 90-day limit, we recommend VMs to be online for 20 minutes every 90 days so that the machine can refresh its tokens and update the agent and side-by-side stack components.", - "guid": "ebe54cd7-df2e-48bb-ac35-81559bb9153e", - "link": "https://docs.microsoft.com/azure/virtual-desktop/faq", + "checklist": "WAF checklist", + "guid": "16785d6f-a96c-496a-b885-18f482734c88", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", + "service": "SAP", "services": [ - "AVD", - "VM", - "Monitor" + "SAP", + "WAF" ], "severity": "Medium", - "subcategory": "Management", - "text": "Turn on Session Host VMs at least every 90 days for token refresh", - "waf": "Operations" + "text": "Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom applications to access SAP NetWeaver OData services.", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "Azure Virtual Desktop Insights is a dashboard built on Azure Monitor Workbooks that helps IT professionals understand their Azure Virtual Desktop environments. 
Read the referenced article to learn how to set up Azure Monitor for Azure Virtual Desktop to monitor your AVD environments.", - "guid": "63cfff1c-ac59-49ef-8d5a-83dd4de36c1c", - "link": "https://learn.microsoft.com/azure/virtual-desktop/insights", + "checklist": "WAF checklist", + "guid": "a747c350-8d4c-449c-93af-393dbca77c48", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", + "service": "SAP", "services": [ - "AVD", - "Monitor" + "SAP", + "WAF" ], - "severity": "High", - "subcategory": "Monitoring", - "text": "Enable monitoring for AVD", - "waf": "Reliability" + "severity": "Medium", + "text": "Implement SSO to SAP HANA", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "Azure Virtual Desktop uses Azure Monitor and Log Analytics for monitoring and alerts like many other Azure services. This lets admins identify issues through a single interface. The service creates activity logs for both user and administrative actions. Each activity log falls under the following categories: Management, Feed, Connections, Host Registration, Errors, Checkpoints. ", - "guid": "81770afb-c4c0-4e43-a186-58d2857ed671", - "link": "https://docs.microsoft.com/azure/virtual-desktop/diagnostics-log-analytics", + "checklist": "WAF checklist", + "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", + "service": "SAP", "services": [ - "AVD", - "VM", - "Monitor" + "Entra", + "SAP", + "WAF" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Enable diagnostic settings for Workspaces, Host Pools, Application Groups and Host VMs to Log Analytics workspace", - "waf": "Reliability" + "text": "Consider Azure AD an identity provider for SAP systems hosted on RISE. 
For more information, see Integrating the Service with Azure AD.", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "See the referenced article and this additional one to setup proper monitoring and alerting for storage: https://docs.microsoft.com/azure/storage/files/storage-troubleshooting-files-performance. ", - "guid": "2463cffe-179c-4599-be0d-5973dd4ce32c", - "link": "https://docs.microsoft.com/azure/storage/files/storage-files-monitoring?tabs=azure-portal", + "checklist": "WAF checklist", + "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", + "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", + "service": "SAP", "services": [ - "AVD", - "Storage", - "Monitor" + "SAP", + "WAF" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Create alerts on the profile storage to be alerted in case of high usage and throttling", - "waf": "Reliability" + "text": "For applications that access SAP, you might want to use principal propagation to establish SSO.", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "You can use Azure Service Health to monitor service issues and health advisories for Azure Virtual Desktop. 
Azure Service Health can notify you with different types of alerts (for example, email or SMS), help you understand the effect of an issue, and keep you updated as the issue resolves.", - "guid": "18813706-f7c4-4c0d-9e51-4548d2457ed6", - "link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-service-alerts", + "checklist": "WAF checklist", + "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", + "service": "SAP", "services": [ - "AVD", - "Monitor" + "Entra", + "SAP", + "WAF" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Configure Azure Service Health for AVD alerts ", - "waf": "Reliability" + "text": "If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), consider implementing SSO between SAP Cloud Identity Authentication Services and Azure AD to access those SAP services. This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Azure AD as the central user store and identity provider.", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "If required to connect to on-premises environment, assess the current connectivity option or plan for the required connectivity (ExpressRoute, Azure S2S or 3rd-party NVA VPN). 
", - "guid": "dd399cfd-7b28-4dc8-9555-6202bfe4563b", - "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/", + "checklist": "WAF checklist", + "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", + "service": "SAP", "services": [ - "AVD", - "VPN", - "NVA", - "ExpressRoute" + "SAP", + "WAF" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Determine if hybrid connectivity is required to connect to on-premises environment", - "waf": "Reliability" + "text": "Implement SSO to SAP BTP", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "AVD Host Pools can be deployed in either Azure Virtual WAN or traditional 'Hub & Spoke' network topologies. It is recommended to deploy each Host Pool in a separate 'spoke' VNet, using 'hub' is not recommended.", - "guid": "c8639648-a652-4d6c-85e5-02965388e5de", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-network-topology-and-connectivity", + "checklist": "WAF checklist", + "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", + "service": "SAP", "services": [ - "AVD", - "VNet", - "VWAN" + "Entra", + "SAP", + "WAF" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Determine Azure Virtual Network (VNet) placement for each AVD Host Pool", - "waf": "Performance" + "text": "If you're using SAP SuccessFactors, consider using the Azure AD automated user provisioning. With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Azure AD. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Azure AD. 
Use write-back of the email address to SAP SuccessFactors.", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "Evaluate the bandwidth requirements, ensure VPN/ER bandwidth will be enough, ensure proper routing and firewall rules are in place, test end-to-end latency. ", - "guid": "d227dd14-2b06-4c21-a799-9a646f4389a7", - "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/", + "checklist": "WAF checklist", + "guid": "6ba28021-4591-4147-9e39-e5309cccd979", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", + "service": "SAP", "services": [ - "AVD", - "VPN" + "Subscriptions", + "SAP", + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Assess which on-premises resources are required from AVD Host Pools", - "waf": "Reliability" + "text": "enforce existing Management Group policies to SAP Subscriptions", + "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", + "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "Several options are available. You can use Azure Firewall or equivalent 3rd-party NVA, Network Security Group (NSG) and/or Proxy servers. NSG is not able to enable/disable by URL, only ports and protocols. Proxy should be used only as explicit setting in user browser. Details on using Azure Firewall Premium with AVD are reported in the companion article in the 'More Info' column. Be sure to allow proper access to required AVD URLs. 
Forced Tunneling to on-premises is not recommended.", - "guid": "fc4972cd-3cd2-41bf-9703-6e5e6b4bed3d", - "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", + "checklist": "WAF checklist", + "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", "services": [ - "AVD", - "VNet", - "NVA", - "Firewall" + "Subscriptions", + "SAP", + "WAF" ], - "severity": "Medium", - "subcategory": "Networking", - "text": "Need to control/restrict Internet outbound traffic for AVD hosts?", - "waf": "Security" + "severity": "High", + "text": "Integrate tightly coupled applications into the same SAP subscription to avoid additional routing and management complexity", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", + "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "Required URLs for AVD control plane access by session hosts are documented here: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list. A check tool is available to verify connectivity from the session hosts: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list#required-url-check-tool. 
Forced Tunneling to on-premises is not recommended.", - "guid": "65c7acbe-45bb-4e60-ad89-f2e87778424d", - "link": "https://docs.microsoft.com/azure/virtual-desktop/safe-url-list", + "checklist": "WAF checklist", + "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", "services": [ - "AVD" + "Subscriptions", + "WAF" ], "severity": "High", - "subcategory": "Networking", - "text": "Ensure AVD control plane endpoints are accessible", - "waf": "Reliability" + "text": "Leverage Subscription as scale unit and scaling our resources, consider deploying subscription per environment eg. Sandbox, non-prod, prod ", + "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", + "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "Consider the usage of Azure Defender Endpoint or similar 3rd-party agents to control user web navigation, see the Security section for more details.", - "guid": "73676ae4-6691-4e88-95ad-a42223e13810", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/onboard-windows-multi-session-device?view=o365-worldwide", + "checklist": "WAF checklist", + "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", + "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", + "service": "SAP", "services": [ - "Defender", - "AVD" + "Subscriptions", + "VM", + "WAF" ], - "severity": "Medium", - "subcategory": "Networking", - "text": "Need to control/restrict Internet outbound traffic only for users on AVD hosts? ", - "waf": "Security" + "severity": "High", + "text": "Ensure quota increase as a part of subscription provisioning (e.g. 
total available VM cores within a subscription)", + "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "Custom UDR and NSG can be applied to AVD Host Pool subnets, for example to redirect to Azure Firewall or NVA, or to filter/block network traffic. In this case is recommended to carefully review to ensure optimal path for outbound traffic to AVD control plane is used. Service Tags can now be used with UDR and NSG, then AVD management plane traffic can be easily allowed: https://learn.microsoft.com/azure/virtual-desktop/safe-url-list.", - "guid": "523181a9-4174-4158-93ff-7ae7c6d37431", - "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", + "checklist": "WAF checklist", + "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", + "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", + "service": "SAP", "services": [ - "AVD", - "VNet", - "NVA", - "Firewall" + "WAF" ], "severity": "Low", - "subcategory": "Networking", - "text": "Review custom UDR and NSG for AVD Host Pool subnets", - "waf": "Security" + "text": "The Quota API is a REST API that you can use to view and manage quotas for Azure services. Consider using it if necessary.", + "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "Network traffic from AVD Session Host VMs to AVD control plane should be as direct as possible. Redirecting this traffic through a Proxy or Firewall with deep packet inspection and/or SSL termination could cause serious issues and bad customer experience. It is recommended to bypass Proxy and Firewall just for the AVD control plane. User generated traffic surfing the web instead, should be filtered by Firewall and/or redirected to a Proxy. 
For details and guidelines, please see the companion article in the 'More Info' column.", - "guid": "cc6edca0-aeca-4566-9e92-cf246f1465af", - "link": "https://learn.microsoft.com/azure/virtual-desktop/proxy-server-support", + "checklist": "WAF checklist", + "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", + "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", + "service": "SAP", "services": [ - "AVD", - "VM" + "Subscriptions", + "VM", + "WAF" ], "severity": "High", - "subcategory": "Networking", - "text": "Do not use Proxy servers, SSL termination and Deep Packet Inspection for AVD control plane traffic", - "waf": "Reliability" + "text": "If deploying to an availability zone, ensure that the VM's zone deployment is available once the quota has been approved. Submit a support request with the subscription, VM series, number of CPUs and availability zone required.", + "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "It is recommended to assess and review networking bandwidth requirements for users, based on the specific workload type. The referenced article provide general estimations and recommendations, but specific measure are required for proper sizing. ", - "guid": "516785c6-fa96-4c96-ad88-408f372734c8", - "link": "https://learn.microsoft.com/azure/virtual-desktop/rdp-bandwidth", + "checklist": "WAF checklist", + "guid": "e6e20617-3686-4af4-9791-f8935ada4332", + "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", + "service": "SAP", "services": [ - "AVD", - "VM" + "WAF" ], - "severity": "Low", - "subcategory": "Networking", - "text": "Check the network bandwidth required for each user and in total for the VM SKU", - "waf": "Performance" + "severity": "High", + "text": "Ensure required services and features are available within the chosen deployment regions eg. 
ANF , Zone etc.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", + "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "If Azure Files SMB share will be used to store user profiles via FSLogix, the usage of Private Endpoint (PE) for private access to the storage is recommended. AVD Session Hosts will access the storage using a private IP in the same VNet, a separate subnet is recommended. This feature has an additional cost that must be evaluated. If PE will not be used, at least Service Endpoint is recommended (no cost associated).", - "guid": "ec27d589-9178-426d-8df2-ff60020f30a6", - "link": "https://learn.microsoft.com/azure/storage/files/storage-files-networking-endpoints", + "checklist": "WAF checklist", + "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", + "service": "SAP", "services": [ - "AVD", - "VNet", + "TrafficManager", "Cost", - "PrivateLink", - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Evaluate usage Private Endpoint for Azure Files share", - "waf": "Security" + "text": "Leverage Azure resource tag for cost categorization and resource grouping (: BillTo, Department (or Business Unit), Environment (Production, Stage, Development), Tier (Web Tier, Application Tier), Application Owner, ProjectName)", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "Connections to Azure Virtual Desktop can use TCP or UDP. RDP Shortpath is a feature of AVD that establishes a direct UDP-based transport between a supported Windows Remote Desktop client and session host. 
if clients have line of sight to AVD session hosts from internal network (VPN usage is not recommended), this feature can provide lower latency and best performances as explained in https://learn.microsoft.com/azure/virtual-desktop/rdp-shortpath?tabs=managed-networks#key-benefits.", - "guid": "b2074747-d01a-4f61-b1aa-92ad793d9ff4", - "link": "https://docs.microsoft.com/azure/virtual-desktop/shortpath", + "checklist": "WAF checklist", + "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", "services": [ - "AVD", - "VPN" + "Backup", + "WAF" ], - "severity": "Medium", - "subcategory": "Networking", - "text": "Evaluate usage of RDP ShortPath for clients connecting from managed internal networks", - "waf": "Performance" + "severity": "High", + "text": "Help protect your HANA database by using the Azure Backup service.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "Security mechanisms provided by GPO should be used, if available. For example, it is possible to impose desktop screen lock and idle session disconnection time. 
Existing GPOs applied to on-premises environment should be reviewed and eventually applied also to secure also AVD Hosts when joined to the domain.", - "guid": "a135e337-897e-431c-97d6-8cb6a22ac19f", - "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#establish-maximum-inactive-time-and-disconnection-policies", + "checklist": "WAF checklist", + "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", + "service": "SAP", "services": [ - "AVD" + "Storage", + "Entra", + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Active Directory", - "text": "Review Active Directory GPO to secure RDP sessions", - "waf": "Security" + "text": "If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use the Azure Application Consistent Snapshot tool (AzAcSnap) to take application-consistent snapshots. AzAcSnap also supports Oracle databases. Consider using AzAcSnap on a central VM rather than on individual VMs.", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "Microsoft Defender for Endpoint supports Azure Virtual Desktop for Windows 10/11 Enterprise multi-session. 
Check article for onboarding non-persistent virtual desktop infrastructure (VDI) devices: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi", - "guid": "b1172576-9ef6-4691-a483-5ac932223ece", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus", + "checklist": "WAF checklist", + "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", "services": [ - "Defender", - "AVD" + "SAP", + "WAF" ], "severity": "High", - "subcategory": "Host Configuration", - "text": "Ensure anti-virus and anti-malware solutions are used", - "waf": "Security" - }, - { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "Disks in Azure are already encrypted at rest by default with Microsoft managed keys. Host VM OS disk encryption is possible and supported using Azure Disk Encryption (ADE - BitLocker) and Disk Encryption Set (DES - Server Side Encryption), the latter is recommended. Encryption of FSLogix storage using Azure Files can be done using SSE on Azure Storage. 
For OneDrive encryption, see this article: https://docs.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services.", - "guid": "0fd32907-98bc-4178-adc5-a06ca7144351", - "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview", - "services": [ - "AVD", - "VM", - "Storage", - "AKV" - ], - "severity": "Low", - "subcategory": "Host Configuration", - "text": "Assess disk encryption requirements for AVD Session Hosts", - "waf": "Security" + "text": "Ensure time-zone matches between the operating system and the SAP system.", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "Trusted launch are Gen2 Azure VMs with enhanced security features aimed to protect against “bottom of the stack” threats through attack vectors such as rootkits, boot kits, and kernel-level malware. Recommended to enable and leverage Secure Boot, Virtual TPM (vTPM) and Integrity Monitoring.", - "guid": "36a5a67f-bb9e-4d5b-9547-8c4479816b28", - "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#azure-virtual-desktop-support-for-trusted-launch", + "checklist": "WAF checklist", + "guid": "c3c7abc0-716c-4486-893c-40e181d65539", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", + "service": "SAP", "services": [ - "AVD", - "VM", - "Monitor" + "Entra", + "WAF" ], "severity": "Medium", - "subcategory": "Host Configuration", - "text": "Enable Trusted launch in Azure Gen2 VM Session Hosts", - "waf": "Security" + "text": "Don't group different application services in the same cluster. For example, don't combine DRBD and central services clusters on the same cluster. 
However, you can use the same Pacemaker cluster to manage approximately five different central services (multi-SID cluster).", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "Trusted Launch and Gen2 VM are not only security and performance enhancing features but also system requirements for Windows 11. When building an AVD environment based on Windows 11, it is essential to enable these features.", - "guid": "135d3899-4b31-44d3-bc8f-028871a359d8", - "link": "https://learn.microsoft.com/windows/whats-new/windows-11-requirements", + "checklist": "WAF checklist", + "guid": "a491dfc4-9353-4213-9217-eef0949f9467", + "link": "https://azure.microsoft.com/pricing/offers/dev-test/", + "service": "SAP", "services": [ - "AVD", - "VM" + "Cost", + "WAF" ], - "severity": "High", - "subcategory": "Host Configuration", - "text": "Enable Trusted Launch and use Gen2 image are system requirements for Windows 11", - "waf": "Security" + "severity": "Low", + "text": "Consider running dev/test systems in a snooze model to save and optimize Azure run costs.", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "Displayed content will be automatically blocked or hidden in screenshots. 
Keep in mind screen sharing will also be blocked when using Teams or other collaboration software which use screen sharing.", - "guid": "a49dc137-7896-4343-b2bc-1a31bf1d30b6", - "link": "https://learn.microsoft.com/azure/virtual-desktop/screen-capture-protection", + "checklist": "WAF checklist", + "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", + "link": "https://learn.microsoft.com/azure/lighthouse/overview", + "service": "SAP", "services": [ - "AVD" + "Entra", + "SAP", + "WAF" ], - "severity": "Low", - "subcategory": "Host Configuration", - "text": "Consider enabling screen capture protection to prevent sensitive information from being captured", - "waf": "Security" + "severity": "Medium", + "text": "If you partner with customers by managing their SAP estates, consider Azure Lighthouse. Azure Lighthouse allows managed service providers to use Azure native identity services to authenticate to the customers' environment. It puts the control in the hands of customers, because they can revoke access at any time and audit service providers' actions.", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "If not absolutely required, redirecting drives, printers, and USB devices to a user's local device in a remote desktop session should be disabled or highly restricted. 
Restrict Windows Explorer access by hiding local and remote drive mappings is also a secure measure to adopt preventing users from discovering unwanted information about system configuration and users.", - "guid": "7ce2cd20-85b4-4f82-828e-6558736ede6a", - "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#other-security-tips-for-session-hosts", + "checklist": "WAF checklist", + "guid": "4d116785-d2fa-456c-96ad-48408fe72734", + "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", + "service": "SAP", "services": [ - "AVD" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Host Configuration", - "text": "Restrict device redirection and drive mapping", - "waf": "Security" + "text": "Use Azure Update Manager to check the status of available updates for a single VM or multiple VMs and consider scheduling regular patching.", + "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "When choosing a deployment model, you can either provide remote users access to entire virtual desktops or only select applications. Remote applications, or RemoteApps, provide a seamless experience as the user works with apps on their virtual desktop. 
RemoteApps reduce risk by only letting the user work with a subset of the remote machine exposed by the application.", - "guid": "4e25d70e-3924-44f4-b66f-d6cdd4f4a973", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview", + "checklist": "WAF checklist", + "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", + "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", + "service": "SAP", "services": [ - "AVD" + "SAP", + "WAF" ], - "severity": "Medium", - "subcategory": "Management", - "text": "When possible, prefer Remote Apps over Full Desktops (DAG)", - "waf": "Security" + "severity": "Low", + "text": "Optimize and manage SAP Basis operations by using SAP Landscape Management (LaMa). Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "Web content filtering feature provided by Web Protection capability in Microsoft Defender for Endpoint, can be used to to control user web navigation. If this tool is used, configuration of web filtering for user Internet browsing is recommended. 
Access by the Guest OS system to required AVD control plane URLs must be guaranteed.", - "guid": "e19dd344-29eb-4722-a237-a151c5bb4e4f", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview", + "checklist": "WAF checklist", + "guid": "14591147-5e39-4e53-89cc-cd979366bcda", + "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", + "service": "SAP", "services": [ - "Defender", - "AVD" + "Monitor", + "SAP", + "WAF", + "SQL" ], "severity": "Medium", - "subcategory": "Management", - "text": "Need to control/restrict user Internet navigation from AVD session hosts?", - "waf": "Security" + "text": "Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA, high-availability SUSE clusters, and SQL systems) on Azure. Consider supplementing Azure Monitor for SAP solutions with SAP Solution Manager.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "We recommend you don't grant your users admin access to virtual desktops. If you need software packages, we recommend you make them available through configuration management utilities.", - "guid": "a0cdb3b5-4eb2-4eb0-9dda-a3592718e2ed", - "link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide", + "checklist": "WAF checklist", + "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", + "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", + "service": "SAP", "services": [ - "AVD" + "Entra", + "WAF", + "Monitor", + "VM", + "SAP" ], "severity": "High", - "subcategory": "Management", - "text": "Ensure AVD users will not have local administrator privileges on AVD Hosts", - "waf": "Security" + "text": "Run a VM Extension for SAP check. 
VM Extension for SAP uses the assigned managed identity of a virtual machine (VM) to access VM monitoring and configuration data. The check ensures that all performance metrics in your SAP application come from the underlying Azure Extension for SAP.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "We recommend you enable Defender for Cloud for the subscriptions, virtual machines, key vaults, and storage accounts used by AVD. With this tool is possible to assess and manage vulnerabilities, assess compliance with common frameworks like PCI, strengthen the overall security of your AVD environment and measure it over time using 'Secure Score': https://learn.microsoft.com/azure/virtual-desktop/security-guide#improve-your-secure-score.", - "guid": "1814387e-5ca9-4c26-a9b3-2ab5bdfc6998", - "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#enable-microsoft-defender-for-cloud", + "checklist": "WAF checklist", + "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "SAP", "services": [ - "AVD", - "Subscriptions", - "Defender", - "AKV", - "Storage", - "VM" + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Management", - "text": "Enable Microsoft Defender for Cloud to manage AVD Session Hosts security posture", - "waf": "Security" + "text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. 
", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "Enabling audit log collection lets you view user and admin activity related to Azure Virtual Desktop and store in a central repository like Log Analytics workspace. ", - "guid": "a0916a76-4980-4ad0-b278-ee293c1bc352", - "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#collect-audit-logs", + "checklist": "WAF checklist", + "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", + "service": "SAP", "services": [ - "Entra", - "AVD", - "Monitor" + "Monitor", + "SAP", + "WAF", + "NetworkWatcher" ], "severity": "Medium", - "subcategory": "Management", - "text": "Enable diagnostic and audit logging", - "waf": "Security" + "text": "Use Connection Monitor in Azure Network Watcher to monitor latency metrics for SAP databases and application servers. Or collect and display network latency measurements by using Azure Monitor.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "Assign the least privilege required by defining administrative, operations, and engineering roles to Azure RBAC roles. To limit access to high privilege roles within your Azure Virtual Desktop landing zone, consider integration with Azure Privileged Identity Management (PIM). 
Maintaining knowledge of which team is responsible for each particular administrative area helps you determine Azure role-based access control (RBAC) roles and configuration.",
- "guid": "baaab757-1849-4ab8-893d-c9fc9d1bb73b",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/rbac",
+ "checklist": "WAF checklist",
+ "guid": "73686af4-6791-4f89-95ad-a43324e13811",
+ "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck",
+ "service": "SAP",
 "services": [
- "RBAC",
- "AVD",
- "Entra"
+ "SAP",
+ "VM",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Management",
- "text": "Assess the requirement to use custom RBAC roles for AVD management",
- "waf": "Security"
+ "severity": "Medium",
+ "text": "Perform a quality check for SAP HANA on the provisioned Azure infrastructure to verify that provisioned VMs comply with SAP HANA on Azure best practices.",
+ "waf": "Operations"
 },
 {
- "category": "Security",
- "checklist": "Azure Virtual Desktop Review",
- "description": "AVD users should not have permission to install application. If required, Windows Defender Application Control (WDAC) can be used to control which drivers and applications are allowed to run on their Windows clients. 
", - "guid": "b9ea80c8-0628-49fc-ae63-125aa4c0a284", - "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#windows-defender-application-control", + "checklist": "WAF checklist", + "guid": "616785d6-fa96-4c96-ad88-518f482734c8", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", "services": [ - "Defender", - "AVD" + "Subscriptions", + "SAP", + "WAF" ], - "severity": "Medium", - "subcategory": "Management", - "text": "Restrict users from installing un-authorized applications", - "waf": "Security" + "severity": "High", + "text": "For each Azure subscription, run a latency test on Azure availability zones before zonal deployment to choose low-latency zones for deployment of SAP on Azure.", + "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "Enabling MFA and CA lets you manage risks before you grant users access to your AVD environment. When deciding which users to grant access to, we recommend you also consider who the user is, how they sign in, and which device they're using. Additional details and configuration procedures are provided in the companion article. 
Microsoft Entra ID is the new name for Azure Active Directory (Azure AD).",
- "guid": "916d697d-8ead-4ed2-9bdd-186f1ac252b9",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-mfa",
+ "checklist": "WAF checklist",
+ "guid": "410adcba-db46-424f-a6c4-05ecde75c52e",
+ "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability",
+ "service": "SAP",
 "services": [
- "Entra",
- "AVD"
+ "Storage",
+ "ASR",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Microsoft Entra ID",
- "text": "Evaluate the usage of Multi-Factor Authentication (MFA) and Conditional Access (CA) for AVD users",
- "waf": "Security"
+ "text": "Run the Resiliency Report to ensure that the configuration of the entire provisioned Azure infrastructure (Compute, Database, Networking, Storage, Site Recovery) complies with the configuration defined by Cloud Adaption Framework for Azure.",
+ "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/",
+ "waf": "Reliability"
 },
 {
- "category": "Security",
- "checklist": "Azure Virtual Desktop Review",
- "description": "If Zero Trust is a requirement, review the companion article in the 'More Info' column. It provides steps to apply the principles of Zero Trust to an Azure Virtual Desktop deployment.",
- "guid": "221102d0-90af-49fc-b2b7-8d3fe397e43",
- "link": "https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd",
+ "checklist": "WAF checklist",
+ "guid": "86ba2802-1459-4114-95e3-9e5309cccd97",
+ "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview",
+ "service": "SAP",
 "services": [
- "AVD"
+ "Monitor",
+ "SAP",
+ "WAF",
+ "Sentinel"
 ],
 "severity": "Medium",
- "subcategory": "Zero Trust",
- "text": "Review and Apply Zero Trust principles and guidance",
+ "text": "Implement threat protection by using the Microsoft Sentinel solution for SAP. 
Use this solution to monitor your SAP systems and detect sophisticated threats throughout the business logic and application layers.",
+ "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations",
 "waf": "Security"
 },
 {
- "category": "Storage",
- "checklist": "Azure Virtual Desktop Review",
- "description": "If used, make sure to check the list of best practices and recommendations described in the referenced article.",
- "guid": "9164e990-9ae2-48c8-9c33-b6b7808bafe6",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files#best-practices-for-azure-virtual-desktop",
+ "checklist": "WAF checklist",
+ "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c",
+ "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
+ "service": "SAP",
 "services": [
- "AVD",
- "Storage"
+ "Cost",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Azure Files",
- "text": "Check best-practices for Azure Files",
- "waf": "Performance"
+ "text": "Azure tagging can be leveraged to logically group and track resources, automate their deployments, and most importantly, provide visibility on the incurred costs.",
+ "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "category": "Storage",
- "checklist": "Azure Virtual Desktop Review",
- "description": "SMB Multichannel enables clients to use multiple network connections that provide increased performance while lowering the cost of ownership. 
Increased performance is achieved through bandwidth aggregation over multiple NICs and utilizing Receive Side Scaling (RSS) support for NICs to distribute the IO load across multiple CPUs.",
- "guid": "5784b6ca-5e9e-4bcf-8b54-c95459ea7369",
- "link": "https://learn.microsoft.com/azure/storage/files/storage-files-smb-multichannel-performance",
+ "checklist": "WAF checklist",
+ "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows",
+ "service": "SAP",
 "services": [
- "AVD",
- "Storage",
- "ACR",
- "Cost"
+ "Monitor",
+ "VM",
+ "WAF"
 ],
 "severity": "Low",
- "subcategory": "Azure Files",
- "text": "Enable SMB multichannel when using a premium file share to host FSLogix profile containers.",
+ "text": "Use inter-VM latency monitoring for latency-sensitive applications.",
 "waf": "Performance"
 },
 {
- "category": "Storage",
- "checklist": "Azure Virtual Desktop Review",
- "description": "If a second region is required for DR purposes verify NetApp availability in there as well.",
- "guid": "4a359836-ee79-4d6c-9d3a-364a5b7abae3",
- "link": "https://azure.microsoft.com/global-infrastructure/services/",
+ "checklist": "WAF checklist",
+ "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
+ "service": "SAP",
 "services": [
- "AVD",
- "Storage"
+ "ASR",
+ "Monitor",
+ "SAP",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Azure NetApp Files",
- "text": "If NetApp Files storage is required, check storage service availability in your specific region.",
+ "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations",
 "waf": "Reliability"
 },
 {
- "category": "Storage",
- "checklist": "Azure Virtual Desktop Review",
- "description": 
"CA option is a recommended setting in the FSLogix scenario, as it enables a more resilient SMB session between the Session Host and NetApp Files.", - "guid": "a2661898-866a-4c8d-9d1f-8cfc86e88024", - "link": "https://learn.microsoft.com/azure/virtual-desktop/create-fslogix-profile-container", + "checklist": "WAF checklist", + "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", "services": [ - "AVD", - "Storage" + "Storage", + "SAP", + "WAF" ], "severity": "Medium", - "subcategory": "Azure NetApp Files", - "text": "If NetApp Files storage is used enable CA (Continuous Availability) option to increase resiliency", - "waf": "Reliability" + "text": "Exclude all the database file systems and executable programs from antivirus scans. Including them could lead to performance problems. Check with the database vendors for prescriptive details on the exclusion list. 
For example, Oracle recommends excluding /oracle//sapdata from antivirus scans.",
+ "waf": "Performance"
 },
 {
- "category": "Storage",
- "checklist": "Azure Virtual Desktop Review",
- "description": "An Active Directory Site should be created for the Azure virtual network environment where Azure NetApp Files (ANF) subnet will be created, and that site name should be specified in the ANF connection property when executing the join procedure as explained in the reference article.",
- "guid": "6647e977-db49-48a8-bc35-743f17499d42",
- "link": "https://docs.microsoft.com/azure/azure-netapp-files/create-active-directory-connections",
+ "checklist": "WAF checklist",
+ "guid": "c027f893-f404-41a9-b33d-39d625a14964",
+ "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login",
+ "service": "SAP",
 "services": [
- "AVD",
- "VNet",
- "Storage"
+ "SAP",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Azure NetApp Files",
- "text": "If Azure NetApp Files storage is used, check Active Directory Site name setting in the Active Directory Connection configuration",
- "waf": "Reliability"
+ "severity": "Low",
+ "text": "Consider collecting full database statistics for non-HANA databases after migration. For example, implement SAP note 1020260 - Delivery of Oracle statistics.",
+ "waf": "Performance"
 },
 {
- "category": "Storage",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Possible options: Standard HDD, Standard SSD, or Premium SSD. Ephemeral disks are not supported, Ultra-Disks not recommended. Recommended to evaluate Premium for OS disk if user density is not low, and if Cloud Cache will be used. 
", - "guid": "3611c818-b0a0-4bc5-80e4-3a18a9cd289c", - "link": "https://docs.microsoft.com/azure/virtual-machines/disks-types", + "checklist": "WAF checklist", + "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", + "service": "SAP", "services": [ - "AVD", - "Storage" + "Storage", + "SAP", + "WAF" ], "severity": "Medium", - "subcategory": "Capacity Planning", - "text": "Determine which type of managed disk will be used for the Session Hosts", + "text": "Consider using Oracle Automatic Storage Management (ASM) for all Oracle deployments that use SAP on Azure.", + "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", "waf": "Performance" }, { - "category": "Storage", - "checklist": "Azure Virtual Desktop Review", - "description": "Possible options are: Azure NetApp Files, Azure Files, VM based File Server. File-server it is not recommended. Azure Files Premium typically a good starting point. NetApp usually required for large scale / high-performant environment. For a detailed comparison see the article in the 'More Info' column.", - "guid": "ed6b17db-8255-4462-b2ae-e4553afc8339", - "link": "https://docs.microsoft.com/azure/virtual-desktop/store-fslogix-profile", + "checklist": "WAF checklist", + "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", + "service": "SAP", "services": [ - "AVD", - "VM", - "Storage" + "SAP", + "WAF", + "SQL" ], - "severity": "High", - "subcategory": "Capacity Planning", - "text": "Determine which storage backend solution will be used for FSLogix Profiles", + "severity": "Medium", + "text": "For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose performance problems. 
Automatic Workload Repository (AWR) reports contain valuable information for diagnosing problems in the Oracle system. We recommend that you run an AWR report during several sessions and choose peak times for it, to ensure broad coverage for the analysis.",
+ "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency",
 "waf": "Performance"
 },
 {
- "category": "Storage",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Every Host Pool should use a separate set of storage accounts/volumes (at least one) and shares. Users should have a different profile for each Host Pool since settings and configurations are specific to each Host Pool. Additionally, accessing different Host Pools at the same time can cause errors on the shared user profile VHD/X. Usage of different storage accounts/volumes for multiple shares is also recommended to scale independently.",
- "guid": "2fad62bd-5004-453c-ace4-64d862e7f5a4",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/store-fslogix-profile",
+ "checklist": "WAF checklist",
+ "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c",
+ "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot",
+ "service": "SAP",
 "services": [
- "AVD",
- "Storage"
+ "ASR",
+ "Monitor",
+ "SAP",
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Capacity Planning",
- "text": "Do not share storage and profiles between different Host Pools",
- "waf": "Performance"
+ "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.",
+ "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "category": "Storage",
- "checklist": "Azure Virtual Desktop Review",
- "description": "As a starting point for estimating profile container storage performance requirements we recommend to 
assume 10 IOPS per user in the steady state and 50 IOPS per user during sign-in/sign-out. Space requirements is simply obtained based on the maximum profiles size in FSLogix per the total number of users for each Host Pool. Multiple storage accounts can be used for the same Host Pool if required.",
- "guid": "680e7828-9c93-4665-9d02-bff4564b0d93",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/faq#what-s-the-largest-profile-size-fslogix-can-handle-",
+ "checklist": "WAF checklist",
+ "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "service": "SAP",
 "services": [
- "AVD",
- "Storage"
+ "AzurePolicy",
+ "WAF",
+ "AppGW"
 ],
- "severity": "High",
- "subcategory": "Capacity Planning",
- "text": "Verify storage scalability limits and Host Pool requirements",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/",
+ "waf": "Security"
 },
 {
- "category": "Storage",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Avoid introducing additional latency and costs associated with cross-region network traffic where possible.",
- "guid": "8aad53cc-79e2-4e86-9673-57c549675c5e",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files",
+ "checklist": "WAF checklist",
+ "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "service": "SAP",
 "services": [
- "AVD",
- "Storage",
- "Cost"
+ "DNS",
+ "SAP",
+ "VM",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Capacity Planning",
- "text": "For optimal performance, the storage solution and the FSLogix profile container should be in the 
same Azure region.",
- "waf": "Performance"
+ "severity": "Medium",
+ "text": "If the virtual machine's DNS or virtual name is not changed during migration to Azure, Background DNS and virtual names connect many system interfaces in the SAP landscape, and customers are only sometimes aware of the interfaces that developers define over time. Connection challenges arise between various systems when virtual or DNS names change after migrations, and it's recommended to retain DNS aliases to prevent these types of difficulties.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
+ "waf": "Operations"
 },
 {
- "category": "Storage",
- "checklist": "Azure Virtual Desktop Review",
- "description": "The recommendation in Azure Virtual Desktop is to use Profile Container without Office Container (ODFC) split unless you are planning for specific Business Continuity and Disaster Recovery (BCDR) scenarios as described in the Disaster Recovery section below. 
https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt ",
- "guid": "df47d2d9-2881-4b1c-b5d1-e54a29759e39",
- "link": "https://learn.microsoft.com/fslogix/concepts-container-types#when-to-use-profile-and-odfc-containers",
+ "checklist": "WAF checklist",
+ "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "service": "SAP",
 "services": [
- "AVD",
- "Storage",
- "ASR"
- ],
- "severity": "High",
- "subcategory": "FSLogix",
- "text": "Do not use Office Containers (ODFC) if not strictly required and justified",
- "waf": "Reliability"
- },
- {
- "category": "Storage",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Make sure to configure the following antivirus exclusions for FSLogix Profile Container virtual hard drives, as documented in the referenced article in the 'More Info' column.",
- "guid": "83f63047-22ee-479d-9b5c-3632054b69ba",
- "link": "https://learn.microsoft.com/fslogix/overview-prerequisites#configure-antivirus-file-and-folder-exclusions",
- "services": [
- "AVD",
- "Storage"
+ "VNet",
+ "DNS",
+ "SAP",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "FSLogix",
- "text": "Configure the recommended antivirus exclusions for FSLogix (includes not scanning VHD(x) files on connect).",
- "waf": "Security"
+ "text": "Use different DNS zones to distinguish each environment (sandbox, development, preproduction, and production) from each other. The exception is for SAP deployments with their own VNet; here, private DNS zones might not be necessary.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
+ "waf": "Operations"
 },
 {
- "category": "Storage",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Profile containers have a default max size of 30GB. 
If large Profile Containers are anticipated, and customers wants to try to keep them small, consider using OneDrive to host Office 365 files outside the FSLogix profile.",
- "guid": "01e6a84d-e5df-443d-8992-481718d5d1e5",
- "link": "https://docs.microsoft.com/fslogix/profile-container-configuration-reference",
+ "checklist": "WAF checklist",
+ "guid": "a3592829-e6e2-4061-9368-6af46791f893",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview",
+ "service": "SAP",
 "services": [
- "AVD",
- "Storage"
+ "VNet",
+ "ACR",
+ "SAP",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "FSLogix",
- "text": "Review and confirm configured maximum profile size in FSLogix",
- "waf": "Cost"
+ "severity": "Medium",
+ "text": "Local and global VNet peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions",
+ "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations",
+ "waf": "Reliability"
 },
 {
- "category": "Storage",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Defaults and recommended settings are reported in the companion article in the 'More Info' column. 
If not recommended keys and/or values must be used, be sure to review with a Microsoft AVD expert and clearly document your choices.",
- "guid": "d34aad5e-8c78-4e1d-9666-7313c405674c",
- "link": "https://learn.microsoft.com/fslogix/concepts-configuration-examples",
+ "checklist": "WAF checklist",
+ "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide",
+ "service": "SAP",
 "services": [
- "AVD",
- "AKV",
- "Storage",
- "ACR"
+ "NVA",
+ "SAP",
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "FSLogix",
- "text": "Review FSLogix registry keys and determine which ones to apply",
- "waf": "Reliability"
+ "text": "It is not supported to deploy any NVA between SAP application and SAP Database server",
+ "training": "https://me.sap.com/notes/2731110",
+ "waf": "Performance"
 },
 {
- "category": "Storage",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Concurrent or multiple connections are not recommended in Azure Virtual Desktop. Concurrent connections are also not supported by Session Hosts running in an Azure Virtual Desktop Host Pool. OneDrive, if used, doesn't support concurrent or multiple connections using the same container, under any circumstance. 
For multiple connections, usage of the same profile disk is not recommended.",
- "guid": "5e985b85-9c77-43e7-b261-623b775a917e",
- "link": "https://learn.microsoft.com/fslogix/concepts-multi-concurrent-connections",
+ "checklist": "WAF checklist",
+ "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3",
+ "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations",
+ "service": "SAP",
 "services": [
- "AVD",
- "Storage"
+ "ACR",
+ "SAP",
+ "VWAN",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "FSLogix",
- "text": "Avoid usage of concurrent or multiple connections",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.",
+ "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
+ "waf": "Operations"
 },
 {
- "category": "Storage",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Cloud Cache uses OS drive as local cache storage and may generate lot of pressure on the VM disk. Depending on the VM SKU and size used, the VM temporary drive can be a viable and performant solution where to relocate Cloud Cache cached content. Before adopting this solution, tests should be executed to confirm performance and stability. More details on Cloud Cache can be found here: https://learn.microsoft.com/fslogix/concepts-fslogix-cloud-cache. 
", - "guid": "b2d1215a-e114-4ba3-9df5-85ecdcd9bd3b", - "link": "https://docs.microsoft.com/fslogix/cloud-cache-configuration-reference", + "checklist": "WAF checklist", + "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", + "service": "SAP", "services": [ - "AVD", - "VM", - "Storage" + "VNet", + "NVA", + "WAF" ], - "severity": "Low", - "subcategory": "FSLogix", - "text": "If FSLogix Cloud Cache is used, consider moving the cache directory to the VM temporary drive.", - "waf": "Performance" + "severity": "Medium", + "text": "Consider deploying network virtual appliances (NVAs) between regions only if partner NVAs are used. NVAs between regions or VNets aren't required if native NVAs are present. When you're deploying partner networking technologies and NVAs, follow the vendor's guidance to verify conflicting configurations with Azure networking.", + "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", + "waf": "Operations" }, { - "category": "Storage", - "checklist": "Azure Virtual Desktop Review", - "description": "REDIRECTION.XML file is used to control what folders are redirected out of the profile container to the 'C:' drive. Exclusions should be the exception and should never be used unless the specific exclusion is completely understood by the person configuring the exclusion. Exclusions should always be fully tested in the environment where they are intended to be implemented. 
Configuring exclusions may impact functionality, stability and performance.",
- "guid": "0b50ca97-b1d2-473c-b4d9-6e98b0f912de",
- "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt#redirectionsxml",
+ "checklist": "WAF checklist",
+ "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd",
+ "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture",
+ "service": "SAP",
 "services": [
- "AVD",
- "Storage"
+ "VNet",
+ "VWAN",
+ "WAF",
+ "NVA",
+ "SAP"
 ],
 "severity": "Medium",
- "subcategory": "FSLogix",
- "text": "Review the usage of FSLogix redirection.",
- "waf": "Cost"
+ "text": "Virtual WAN manages connectivity between spoke VNets for virtual-WAN-based topologies (no need to set up user-defined routing [UDR] or NVAs), and maximum network throughput for VNet-to-VNet traffic in the same virtual hub is 50 gigabits per second. If necessary, SAP landing zones can use VNet peering to connect to other landing zones and overcome this bandwidth limitation.",
+ "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "category": "Operations Management",
- "checklist": "Azure Data Factory Review Checklist",
- "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e",
- "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx",
- "service": "Azure Data Factory",
- "services": [],
- "severity": "Medium",
- "subcategory": "Best Practices",
- "text": "Leverage FTA Resiliency Playbook for Azure Data Factory",
- "waf": "Reliability"
+ "checklist": "WAF checklist",
+ "guid": "82734c88-6ba2-4802-8459-11475e39e530",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "SAP",
+ "services": [
+ "SAP",
+ "VM",
+ "WAF"
+ ],
+ "severity": "High",
+ "text": "Public IP assignment to VM running SAP Workload is not recommended.",
+ 
"training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations",
+ "waf": "Security"
 },
 {
- "category": "Operations Management",
- "checklist": "Azure Data Factory Review Checklist",
- "guid": "e503547c-d447-4e82-9138-a7200f1cac6d",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
- "service": "Azure Data Factory",
- "services": [],
+ "checklist": "WAF checklist",
+ "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d",
+ "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
+ "service": "SAP",
+ "services": [
+ "ASR",
+ "WAF"
+ ],
 "severity": "High",
- "subcategory": "Availablity Zone",
- "text": "Use zone redundant pipelines in regions that support Availability Zones",
- "waf": "Reliability"
+ "text": "Consider reserving IP address on DR side when configuring ASR",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "Operations"
 },
 {
- "category": "Operations Management",
- "checklist": "Azure Data Factory Review Checklist",
- "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511",
- "link": "https://learn.microsoft.com/azure/data-factory/source-control",
- "service": "Azure Data Factory",
+ "checklist": "WAF checklist",
+ "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "SAP",
 "services": [
- "Backup"
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "DevOps Integration",
- "text": "Use DevOps to Backup the ARM templates with Github/Azure DevOps integration ",
- "waf": "Reliability"
+ "severity": "High",
+ "text": "Avoid using overlapping IP address ranges for production and DR sites.",
+ "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Data Factory Review Checklist",
- "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
- "service": "Azure Data Factory",
+ "checklist": "WAF checklist",
+ "guid": "6e154e3a-a359-4282-ae6e-206173686af4",
+ "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet",
+ "service": "SAP",
 "services": [
- "VM"
+ "Storage",
+ "VNet",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Network",
- "text": "Make sure you replicate the Self-Hosted Integration Runtime VMs in another region ",
- "waf": "Reliability"
+ "text": "While Azure does help you to create multiple delegated subnets in a VNet, only one delegated subnet can exist in a VNet for Azure NetApp Files. Attempts to create a new volume will fail if you use more than one delegated subnet for Azure NetApp Files.",
+ "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations",
+ "waf": "Operations"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Data Factory Review Checklist",
- "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
- "service": "Azure Data Factory",
+ "checklist": "WAF checklist",
+ "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a",
+ "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json",
+ "service": "SAP",
 "services": [
- "VNet"
+ "WAF",
+ "Firewall"
 ],
 "severity": "Medium",
- "subcategory": "Network",
- "text": "Make sure you replicate or duplicate your network in the sister region. You have to make a copy of your Vnet in another region",
- "waf": "Reliability"
+ "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)",
+ "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/",
+ "waf": "Security"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure Data Factory Review Checklist",
- "description": "If your ADF Pipelines use Key Vault you don't have to do anything to replicate Key Vault. Key Vault is a managed service and Microsoft takes care of it for you",
- "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2",
- "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
- "service": "Azure Data Factory",
+ "checklist": "WAF checklist",
+ "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure",
+ "service": "SAP",
 "services": [
- "AKV"
+ "SAP",
+ "WAF",
+ "AppGW"
 ],
- "severity": "Low",
- "subcategory": "Integration",
- "text": "If using Keyvault integration, use SLA of Keyvault to understand your availablity",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Application Gateway and Web Application Firewall have limitations when Application Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between Application Gateway, SAP Web Dispatcher, and other third-party services.",
+ "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html",
+ "waf": "Security"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "d7e47431-76c8-4bdb-b55b-ce619e8a03f9",
- "link": "https://learn.microsoft.com/azure/openshift/howto-create-service-principal?pivots=aro-azurecli",
+ "checklist": "WAF checklist",
+ "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "SAP",
 "services": [
- "RBAC",
- "Entra"
+ "FrontDoor",
+ "ACR",
+ "AzurePolicy",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Identity",
- "text": "Create a service principal and its role assignments before creating the ARO clusters.",
+ "severity": "Medium",
+ "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.",
+ "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/",
 "waf": "Security"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "7879424d-6267-486d-90b9-6c97be985190",
- "link": "https://learn.microsoft.com/azure/openshift/configure-azure-ad-ui",
+ "checklist": "WAF checklist",
+ "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
+ "service": "SAP",
 "services": [
- "Entra"
+ "FrontDoor",
+ "AzurePolicy",
+ "WAF",
+ "AppGW"
 ],
- "severity": "High",
- "subcategory": "Identity",
- "text": "Use AAD to authenticate users in your ARO cluster.",
+ "severity": "Medium",
+ "text": "Take advantage of Web Application Firewall policies in Azure Front Door when you're using Azure Front Door and Application Gateway to protect HTTP/S applications. Lock down Application Gateway to receive traffic only from Azure Front Door.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations",
 "waf": "Security"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "adfec5f9-a82d-46e9-a8d1-5a0c7fed5d15",
- "link": "https://docs.openshift.com/container-platform/4.14/authentication/remove-kubeadmin.html",
+ "checklist": "WAF checklist",
+ "guid": "5ada4332-4e13-4811-9231-81aa41742694",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "SAP",
 "services": [
- "Entra"
+ "LoadBalancer",
+ "WAF",
+ "AppGW"
 ],
 "severity": "Medium",
- "subcategory": "Identity",
- "text": "When using AAD authentication, remove kubeadmin user from the cluster.",
+ "text": "Use a web application firewall to scan your traffic when it's exposed to the internet. Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations",
 "waf": "Security"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "483835c9-86bb-4291-8155-a11475e39f54",
- "link": "https://docs.openshift.com/container-platform/4.13/applications/projects/working-with-projects.html",
+ "checklist": "WAF checklist",
+ "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde",
+ "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
+ "service": "SAP",
 "services": [
- "RBAC",
- "Entra"
+ "ACR",
+ "SAP",
+ "VWAN",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Identity",
- "text": "Define OpenShift projects to restrict RBAC privilege and isolate workloads in your cluster.",
- "waf": "Security"
+ "severity": "Medium",
+ "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door",
+ "waf": "Performance"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "0acccd97-9376-4bcd-a375-0ab2ab039da6",
- "link": "https://docs.openshift.com/container-platform/4.13/authentication/using-rbac.html",
+ "checklist": "WAF checklist",
+ "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0",
+ "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services",
+ "service": "SAP",
 "services": [
- "RBAC",
- "Entra"
+ "Storage",
+ "VNet",
+ "Backup",
+ "WAF",
+ "ACR",
+ "PrivateLink"
 ],
 "severity": "Medium",
- "subcategory": "Identity",
- "text": "Define the required RBAC roles in OpenShift are scoped to either a project or a cluster.",
+ "text": "To prevent data leakage, use Azure Private Link to securely access platform as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, and more. Azure Private Endpoint can also help to secure traffic between VNets and services like Azure Storage, Azure Backup, and more. Traffic between your VNet and the Private Endpoint enabled service travels across the Microsoft global network, which prevents its exposure to the public internet.",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations",
 "waf": "Security"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "d54d7c89-29db-4107-b532-5ae625ca44e4",
- "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts",
+ "checklist": "WAF checklist",
+ "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a",
+ "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat",
+ "service": "SAP",
 "services": [
- "Entra",
- "AKV"
+ "SAP",
+ "VM",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Identity",
- "text": "Minimize the number of users who have administrator rights and secrets access.",
- "waf": "Security"
+ "severity": "High",
+ "text": "Make sure that Azure accelerated networking is enabled on the VMs used in the SAP application and DBMS layers.",
+ "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations",
+ "waf": "Performance"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "685e2223-ace8-4bb1-8307-ca5f16f154e3",
- "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
+ "checklist": "WAF checklist",
+ "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview",
+ "service": "SAP",
 "services": [
- "Entra",
- "RBAC"
+ "LoadBalancer",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Identity",
- "text": "Use Privileged Identity Management in AAD for ARO users with privileged roles.",
+ "text": "Make sure that internal deployments for Azure Load Balancer are set up to use Direct Server Return (DSR). This setting (Enabling Floating IP) will reduce latency when internal load balancer configurations are used for high-availability configurations on the DBMS layer.",
+ "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations",
 "waf": "Security"
 },
 {
- "category": "Network topology and connectivity",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "aa369282-9e7e-4216-8836-87af467a1f89",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "checklist": "WAF checklist",
+ "guid": "6791f893-5ada-4433-84e1-3811523181aa",
+ "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
+ "service": "SAP",
 "services": [
 "VNet",
- "Firewall",
- "Subscriptions",
- "DDoS",
- "Entra",
+ "SAP",
+ "VM",
 "WAF"
 ],
- "severity": "Low",
- "subcategory": "DDoS",
- "text": "Use Azure DDoS Network/IP Protection to protect the virtual network you use for the ARO cluster unless you use Azure Firewall or WAF in a centralized subscription",
+ "severity": "Medium",
+ "text": "You can use application security group (ASG) and NSG rules to define network security access-control lists between the SAP application and DBMS layers. ASGs group virtual machines to help manage their security.",
+ "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations",
 "waf": "Security"
 },
 {
- "category": "Network topology and connectivity",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "35bda433-24f1-4481-8533-182aa5174269",
- "link": "https://docs.openshift.com/container-platform/4.13/networking/routes/secured-routes.html",
- "services": [],
+ "checklist": "WAF checklist",
+ "guid": "45bbe609-d8a0-43e9-9778-424d616785d6",
+ "link": "https://me.sap.com/notes/2015553",
+ "service": "SAP",
+ "services": [
+ "VNet",
+ "SAP",
+ "WAF"
+ ],
 "severity": "High",
- "subcategory": "Encryption",
- "text": "All web applications you configure to use an ingress should use TLS encryption and shouldn't allow access over unencrypted HTTP.",
- "waf": "Security"
+ "text": "Placing of the SAP application layer and SAP DBMS in different Azure VNets that aren't peered isn't supported.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "waf": "Performance"
 },
 {
- "category": "Network topology and connectivity",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "44008ae7-d7e4-4743-876c-8bdbf55bce61",
- "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
+ "checklist": "WAF checklist",
+ "guid": "fa96c96a-d885-418f-9827-34c886ba2802",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
+ "service": "SAP",
 "services": [
- "FrontDoor",
+ "SAP",
 "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Internet",
- "text": "Use Azure Front Door with WAF to securely publish ARO applications to the internet, especially in multi-region environments.",
- "waf": "Security"
+ "text": "For optimal network latency with SAP applications, consider using Azure proximity placement groups.",
+ "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups",
+ "waf": "Performance"
 },
 {
- "category": "Network topology and connectivity",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "9e8a03f9-7879-4424-b626-786d60b96c97",
- "link": "https://learn.microsoft.com/azure/openshift/howto-secure-openshift-with-front-door",
+ "checklist": "WAF checklist",
+ "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce",
+ "link": "https://me.sap.com/notes/2015553",
+ "service": "SAP",
 "services": [
- "FrontDoor",
- "PrivateLink"
+ "SAP",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Internet",
- "text": "If exposing an app on ARO with Azure Front Door, use private link to connect Front Door with the ARO router.",
- "waf": "Security"
+ "severity": "High",
+ "text": "It is NOT supported at all to run an SAP Application Server layer and DBMS layer split between on-premise and Azure. Both layers need to completely reside either on-premise or in Azure.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "waf": "Performance"
 },
 {
- "category": "Network topology and connectivity",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "be985190-4838-435c-a86b-b2912155a114",
- "link": "https://learn.microsoft.com/azure/openshift/howto-restrict-egress",
+ "checklist": "WAF checklist",
+ "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2",
+ "link": "https://me.sap.com/notes/2015553",
+ "service": "SAP",
 "services": [
- "AzurePolicy",
- "NVA",
- "Firewall"
+ "VNet",
+ "SAP",
+ "Cost",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Internet",
- "text": "If your security policy requires you to inspect all outbound internet traffic that's generated in the ARO cluster, secure egress network traffic by using Azure Firewall or an NVA.",
- "waf": "Security"
+ "severity": "High",
+ "text": "It isn't recommended to host the database management system (DBMS) and application layers of SAP systems in different VNets and connect them with VNet peering because of the substantial costs that excessive network traffic between the layers can produce. Recommend using subnets within the Azure virtual network to separate the SAP application layer and DBMS layer.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "waf": "Cost"
 },
 {
- "category": "Network topology and connectivity",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "75e39f54-0acc-4cd9-9937-6bcda3750ab2",
- "link": "https://learn.microsoft.com/azure/openshift/howto-create-private-cluster-4x",
+ "checklist": "WAF checklist",
+ "guid": "402a9846-d515-4061-aff8-cd30088693fa",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel",
+ "service": "SAP",
 "services": [
- "AzurePolicy"
+ "LoadBalancer",
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Private access",
- "text": "If your security policy requires you to use a private IP address for the OpenShift API, deploy a private ARO cluster.",
- "waf": "Security"
+ "text": "If using Load Balancer with Linux guest operating systems, check that the Linux network parameter net.ipv4.tcp_timestamps is set to 0.",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "waf": "Performance"
 },
 {
- "category": "Network topology and connectivity",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "ab039da6-d54d-47c8-a29d-b107d5325ae6",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link",
+ "checklist": "WAF checklist",
+ "guid": "87585797-5551-4d53-bb7d-a94ee415734d",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration",
+ "service": "SAP",
 "services": [
- "PrivateLink",
- "ACR"
+ "VNet",
+ "SAP",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Private access",
- "text": "Use Azure Private Link to secure network connections to managed Azure services, including to Azure Container Registry.",
+ "text": "For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with customer's existing Azure environment. Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering",
 "waf": "Security"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "25ca44e4-685e-4222-9ace-8bb12307ca5f",
- "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-enable-arc-enabled-clusters",
+ "checklist": "WAF checklist",
+ "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a",
+ "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
+ "service": "SAP",
 "services": [
- "Monitor"
+ "SAP",
+ "VM",
+ "WAF",
+ "Backup"
 ],
 "severity": "High",
- "subcategory": "Operations",
- "text": "Establish a monitoring process using the inbuilt Prometheus, OpenShift Logging or Container Insights integration.",
- "waf": "Operations"
- },
- {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "16f154e3-aa36-4928-89e7-e216183687af",
- "link": "https://docs.openshift.com/container-platform/4.13/cicd/pipelines/understanding-openshift-pipelines.html",
- "services": [],
- "severity": "Medium",
- "subcategory": "Operations",
- "text": "Automate the application delivery process through DevOps practices and CI/CD solutions, such as Pipelines/GitOps provided by OpenShift.",
- "waf": "Operations"
- },
- {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "467a1f89-35bd-4a43-924f-14811533182a",
- "link": "https://learn.microsoft.com/azure/architecture/guide/design-principles/managed-services",
- "services": [],
- "severity": "Low",
- "subcategory": "Operations",
- "text": "Whenever possible, remove the service state from inside containers. Instead, use an Azure platform as a service (PaaS) that supports multiregion replication.",
- "waf": "Operations"
+ "text": "Review SAP HANA database backups for Azure VMs.",
+ "waf": "Cost"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "1b7da8cf-aa66-4e15-b4d5-ada97dc3e232",
- "link": "https://learn.microsoft.com/azure/openshift/howto-create-a-storageclass",
+ "checklist": "WAF checklist",
+ "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8",
+ "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot",
+ "service": "SAP",
 "services": [
- "Storage"
+ "ASR",
+ "Monitor",
+ "SAP",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Operations",
- "text": "Use RWX storage with inbuilt Azure Files storage class.",
- "waf": "Operations"
- },
- {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "6bb235c7-05e1-4696-bded-fa8a4c8cdec4",
- "link": "https://docs.openshift.com/container-platform/4.13/nodes/clusters/nodes-cluster-limit-ranges.html",
- "services": [],
- "severity": "Medium",
- "subcategory": "Performance",
- "text": "Use pod requests and limits to manage the compute resources within a cluster.",
- "waf": "Performance"
- },
- {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "c620c30c-14ee-4b7f-9ae8-d9b3fec228e7",
- "link": "https://docs.openshift.com/container-platform/4.13/applications/quotas/quotas-setting-per-project.html",
- "services": [],
 "severity": "Medium",
- "subcategory": "Performance",
- "text": "Enforce resource quotas on projects.",
- "waf": "Performance"
- },
- {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "87ab177a-db59-4f6b-a613-334fd09dc234",
- "link": "https://docs.openshift.com/container-platform/4.13/machine_management/applying-autoscaling.html",
- "services": [],
- "severity": "High",
- "subcategory": "Performance",
- "text": "Define ClusterAutoScaler and MachineAutoScaler to scale machines when your cluster runs out of resources to support more deployments.",
- "waf": "Performance"
+ "text": "Review Site Recovery built-in monitoring, where used for SAP.",
+ "waf": "Cost"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "19db6128-1269-4040-a4ba-4d3e0804276d",
- "link": "https://learn.microsoft.com/azure/openshift/support-policies-v4#supported-virtual-machine-sizes",
+ "checklist": "WAF checklist",
+ "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf",
+ "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US",
+ "service": "SAP",
 "services": [
- "VM"
+ "Monitor",
+ "SAP",
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Reliability",
- "text": "Use virtual machine sizes that are large enough to contain multiple container instances so you get the benefits of increased density, but not so large that your cluster can't handle the workload of a failing node.",
- "waf": "Reliability"
- },
- {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "4b98b15c-8b31-4aa5-aceb-58889135e227",
- "link": "https://docs.openshift.com/container-platform/4.13/machine_management/deploying-machine-health-checks.html",
- "services": [],
- "severity": "High",
- "subcategory": "Reliability",
- "text": "Deploy machine health checks to automatically repair damaged machines in a machine pool.",
- "waf": "Reliability"
+ "text": "Review the Monitoring the SAP HANA System Landscape guidance.",
+ "waf": "Operations"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "896d31b6-6c67-4ba5-a119-c08e8f5d587c",
- "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-metric-alerts",
+ "checklist": "WAF checklist",
+ "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies",
+ "service": "SAP",
 "services": [
- "Monitor"
+ "VM",
+ "WAF",
+ "Backup"
 ],
- "severity": "High",
- "subcategory": "Reliability",
- "text": "Use an alerting system to provide notifications when things need direct action: Container Insights metric alerts or in-built Alerting UI.",
- "waf": "Reliability"
- },
- {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "7e9ced16-acd1-476e-b9b2-41a998a57ae7",
- "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview#availability-zones",
- "services": [],
- "severity": "High",
- "subcategory": "Reliability",
- "text": "Ensure that the cluster is created in a region that supports AZs and create a machine set for each AZ.",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Review Oracle Database in Azure Linux VM backup strategies.",
+ "waf": "Operations"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "7b997e71-1b7d-4a8c-baa6-6e15d4d5ada9",
- "link": "https://docs.openshift.com/container-platform/4.13/machine_management/creating-infrastructure-machinesets.html",
+ "checklist": "WAF checklist",
+ "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962",
+ "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16",
+ "service": "SAP",
 "services": [
- "AKS"
+ "Storage",
+ "WAF",
+ "SQL"
 ],
- "severity": "Low",
- "subcategory": "Reliability",
- "text": "Create infrastructure machine sets to hold infrastructure components. Apply specific Kubernetes labels to these machines and then update the infrastructure components to run on only those machines.",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Review the use of Azure Blob Storage with SQL Server 2016.",
+ "waf": "Operations"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "7dc3e232-6bb2-435c-905e-1696fdedfa8a",
- "link": "https://learn.microsoft.com/azure/openshift/howto-create-a-backup#create-a-backup-with-velero-to-include-snapshots",
+ "checklist": "WAF checklist",
+ "guid": "b82e650f-676d-417d-994d-fc33ca54ec14",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql",
+ "service": "SAP",
 "services": [
+ "VM",
+ "WAF",
 "Backup"
 ],
 "severity": "Medium",
- "subcategory": "Reliability",
- "text": "Create application backup and plan for restore and include persistent volumes in the backup.",
- "waf": "Reliability"
- },
- {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "81c12318-1a64-4174-8583-3fb4ae3c2df7",
- "link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-priority.html",
- "services": [],
- "severity": "Low",
- "subcategory": "Reliability",
- "text": "Use pod priorities, so that in case of limited resources the most critical pods will run.",
- "waf": "Reliability"
+ "text": "Review the use of Automated Backup v2 for Azure VMs.",
+ "waf": "Operations"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "43166c3b-cbe0-45bb-b209-d4a0da577784",
- "link": "https://docs.openshift.com/container-platform/4.13/architecture/admission-plug-ins.html",
+ "checklist": "WAF checklist",
+ "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d",
+ "service": "SAP",
 "services": [
- "AzurePolicy"
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Security",
- "text": "Regulate cluster functions using admission plug-ins, which are commonly used to enforce security policy, resource limitations, or configuration requirements.",
- "waf": "Security"
+ "severity": "High",
+ "text": "Enabling Write accelerator for M series when using premium disks(V1)",
+ "waf": "Operations"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "24d21678-5d2f-4a56-a56a-d48408fe8273",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication",
+ "checklist": "WAF checklist",
+ "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94",
+ "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
+ "service": "SAP",
 "services": [
- "ACR"
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Security",
- "text": "Store your container images in Azure Container Registry and geo-replicate the registry to each region.",
- "waf": "Security"
- },
- {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "4c486ba2-80dc-4059-8cf7-5ee8e1309ccc",
- "link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-vertical-autoscaler.html",
- "services": [],
 "severity": "Medium",
- "subcategory": "Workload",
- "text": "Optimize the CPU and memory request values, and maximize the efficiency of the cluster resources using vertical pod autoscaler.",
+ "text": "Test availability zone latency.",
 "waf": "Performance"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "d579366b-cda2-4750-aa1a-bfe9d55d14c3",
- "link": "https://docs.openshift.com/container-platform/4.13/applications/application-health.html",
+ "checklist": "WAF checklist",
+ "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d",
+ "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html",
+ "service": "SAP",
 "services": [
- "Monitor"
+ "SAP",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Workload",
- "text": "Add health probes to your pods to monitor application health. Make sure pods contain livenessProbe and readinessProbe. Use Startup probes to determine the point at which the application has started up.",
- "waf": "Reliability"
- },
- {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "c4929cb1-b3d1-4325-ae12-4ba34d0685ed",
- "link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-autoscaling.html",
- "services": [],
- "severity": "Medium",
- "subcategory": "Workload",
- "text": "Scale pods to meet demand using horizontal pod autoscaler.",
- "waf": "Reliability"
+ "text": "Activate SAP EarlyWatch Alert for all SAP components.",
+ "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html",
+ "waf": "Performance"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "dce9be3b-b0dd-4b3b-95fb-2ec14eeaa359",
- "link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-configuring.html#nodes-pods-pod-distruption-about_nodes-pods-configuring",
+ "checklist": "WAF checklist",
+ "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017",
+ "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456",
+ "service": "SAP",
 "services": [
- "Cost"
+ "SAP",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Workload",
- "text": "Use disruption budgets to ensure the required number of pod replicas exist to handle expected application load.",
- "waf": "Reliability"
+ "text": "Review SAP application server to database server latency using SAP ABAPMeter report /SSA/CAT.",
+ "training": "https://me.sap.com/notes/0002879613",
+ "waf": "Performance"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "2829e2ed-b217-4367-9aff-6791b4935ada",
- "link": "https://docs.openshift.com/container-platform/4.13/nodes/scheduling/nodes-scheduler-pod-topology-spread-constraints.html",
- "services": [],
+ "checklist": "WAF checklist",
+ "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80",
+ "service": "SAP",
+ "services": [
+ "Monitor",
+ "WAF",
+ "SQL"
+ ],
 "severity": "Medium",
- "subcategory": "Workload",
- "text": "Use pod topology constraints to automatically schedule pods on nodes throughout the cluster.",
- "waf": "Reliability"
+ "text": "Review SQL Server performance monitoring using CCMS.",
+ "waf": "Performance"
 },
 {
- "category": "Operations Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "fea1dbf3-dd95-4d48-a7c8-91dcb1f7d575",
- "link": "https://learn.microsoft.com/azure/openshift/intro-openshift#service-level-agreement",
- "services": [],
+ "checklist": "WAF checklist",
+ "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390",
+ "link": "https://me.sap.com/notes/500235",
+ "service": "SAP",
+ "services": [
+ "SAP",
+ "VM",
+ "WAF"
+ ],
 "severity": "Medium",
- "subcategory": "Availablity",
- "text": "Leverage Current ARO SLA - 99.95 into BCDR planning",
- "waf": "Reliability"
- },
- {
- "category": "Operations Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "b95e06e1-58e2-4ea3-a92c-2de6e2065b3a",
- "link": "https://www.redhat.com/rhdc/managed-files/pa-getting-started-azure-openshift-ebook-f20686-201911-en_0.pdf",
- "services": [],
- "severity": "High",
- "subcategory": "Cluster Design",
- "text": "Run user workloads on the worker nodes, not the control plane nodes",
- "waf": "Reliability"
+ "text": "Test network latency between SAP application layer VMs and DBMS VMs (NIPING).",
+ "training": "https://me.sap.com/notes/1100926/E",
+ "waf": "Performance"
 },
 {
- "category": "Operations Management",
- "checklist": "Azure Red Hat OpenShift",
- "description": "Create infrastructure machine sets to hold infrastructure components. Apply specific Kubernetes labels to these machines and then update the infrastructure components to run on only those machines",
- "guid": "76af4a69-1e88-439a-ba46-667e13c10567",
- "link": "https://learn.microsoft.com/azure/openshift/howto-segregate-machinesets",
+ "checklist": "WAF checklist",
+ "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43",
+ "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot",
+ "service": "SAP",
 "services": [
- "AKS",
- "VNet"
+ "Monitor",
+ "SAP",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Cluster Design",
- "text": "Isolate workloads into worker nodes running in individual subnets as needed",
- "waf": "Reliability"
+ "text": "Review SAP HANA studio alerts.",
+ "waf": "Performance"
 },
 {
- "category": "Operations Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "785c6fe9-6c96-4ad8-a44c-f3b2b38c886b",
- "link": "https://learn.microsoft.com/azure/openshift/howto-create-a-backup",
+ "checklist": "WAF checklist",
+ "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694",
+ "link": "https://me.sap.com/notes/1969700",
+ "service": "SAP",
 "services": [
- "Backup"
+ "SAP",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Backup",
- "text": "Backup a cluster state for stateful workload scenarios to a paired region",
- "waf": "Reliability"
+ "text": "Perform SAP HANA health checks using HANA_Configuration_Minichecks.",
+ "waf": "Performance"
 },
 {
- "category": "Operations Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "a2c02149-9014-4a5d-9ce5-74dccbd9792a",
- "link": "https://access.redhat.com/documentation/red_hat_openshift_container_storage/4.4/html/deploying_and_managing_openshift_container_storage_on_microsoft_azure/deploying-openshift-container-storage-on-microsoft-azure_rhocs",
+ "checklist": "WAF checklist",
+ "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations",
+ "service": "SAP", "services": [ - "Storage", - "ACR" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Data Store", - "text": "If container storage is required, ensure availability across regions if needed: Using RWX storage with inbuilt Azure Files storage class. Using CSI Drivers for storage provisioning", - "waf": "Reliability" + "text": "If you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments, you can use the Update management center in Azure Automation to manage operating system updates, including security patches.", + "training": "https://learn.microsoft.com/azure/automation/update-management/overview", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure Red Hat OpenShift", - "guid": "6bcca2b4-fea1-4dbf-9dd9-5d48c7c891dc", - "link": "https://docs.openshift.com/aro/3/dev_guide/persistent_volumes.html", - "services": [], + "checklist": "WAF checklist", + "guid": "08951710-79a2-492a-adbc-06d7a401545b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", + "services": [ + "SAP", + "WAF" + ], "severity": "Medium", - "subcategory": "Data Store", - "text": "Whenever possible, move state out of containers and into external databases that support multi-region replication. 
Avoid Persistent Volumes", - "waf": "Reliability" - }, - { - "category": "Platform Automation", - "checklist": "Azure Red Hat OpenShift", - "guid": "42324ece-81c1-4231-a1a6-417415833fb4", - "link": "https://docs.openshift.com/container-platform/4.13/applications/deployments/route-based-deployment-strategies.html", - "services": [], - "severity": "Low", - "subcategory": "Workload", - "text": "Consider blue/green or canary strategies to deploy new releases of application.", - "waf": "Operations" + "text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.", + "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", + "waf": "Security" }, { - "category": "Platform Automation", - "checklist": "Azure Red Hat OpenShift", - "guid": "ae3c2df7-4316-46c3-acbe-05bbe209d4a0", - "link": "https://docs.openshift.com/container-platform/4.13/cicd/gitops/understanding-openshift-gitops.html", - "services": [], + "checklist": "WAF checklist", + "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", + "services": [ + "SAP", + "WAF", + "SQL" + ], "severity": "Low", - "subcategory": "Workload", - "text": "Consider using Red Hat OpenShift GitOps. 
Red Hat OpenShift GitOps uses Argo CD to maintain cluster resources and support application CI/CD.", - "waf": "Operations" - }, - { - "category": "Security", - "checklist": "Azure Red Hat OpenShift", - "guid": "da577784-24d2-4167-a5d2-fa56c56ad484", - "link": "https://learn.microsoft.com/azure/openshift/support-lifecycle", - "services": [], - "severity": "High", - "subcategory": "Control plane", - "text": "Keep your clusters on the latest OpenShift version to avoid potential security or upgrade issues.", + "text": "For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the account. Ensure that another user with system administrator rights can access the server before disabling the original system administrator account.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Red Hat OpenShift", - "guid": "08fe8273-4c48-46ba-880d-c0591cf75ee8", - "link": "https://learn.microsoft.com/azure/azure-arc/kubernetes/quickstart-connect-cluster", + "checklist": "WAF checklist", + "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", "services": [ - "AKS", - "Arc" + "WAF", + "SQL" ], "severity": "High", - "subcategory": "Control plane", - "text": "Connect Azure Red Hat OpenShift clusters to Azure Arc-enabled Kubernetes.", + "text": "Disable xp_cmdshell. The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. 
It's a potential risk in security audits.", + "training": "https://me.sap.com/notes/3019299/E", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Red Hat OpenShift", - "guid": "e1309ccc-d579-4366-acda-2750aa1abfe9", - "link": "https://docs.openshift.com/container-platform/4.10/security/encrypting-etcd.html", - "services": [], - "severity": "Low", - "subcategory": "Encryption", - "text": "For Azure Red Hat OpenShift 4 clusters, etcd data isn't encrypted by default, but it's recommended to enable etcd encryption to provide another layer of data security.", + "checklist": "WAF checklist", + "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "services": [ + "Storage", + "Backup", + "WAF", + "SQL", + "SAP" + ], + "severity": "High", + "text": "Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption technology. 
Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Red Hat OpenShift", - "guid": "d55d14c3-c492-49cb-8b3d-1325ae124ba3", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction", + "checklist": "WAF checklist", + "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "SAP", "services": [ - "AKS", - "Defender", - "Arc" + "Storage", + "WAF" ], "severity": "Medium", - "subcategory": "Posture", - "text": "Use Microsoft Defender for Containers supported via Arc-enabled Kubernetes to secure clusters, containers, and applications.", + "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. 
Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.", + "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Red Hat OpenShift", - "guid": "4d0685ed-dce9-4be3-ab0d-db3b55fb2ec1", - "link": "https://learn.microsoft.com/azure/azure-arc/kubernetes/tutorial-akv-secrets-provider", + "checklist": "WAF checklist", + "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "SAP", "services": [ - "AKS", "AKV", - "Arc" + "WAF" ], - "severity": "Medium", - "subcategory": "Secrets", - "text": "For applications that require access to sensitive information, use a service principal and the AKV Secrets Provider with the extension for Arc-enabled Kubernetes clusters.", + "severity": "High", + "text": "Use Azure Key Vault to store your secrets and credentials", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Red Hat OpenShift", - "guid": "4eeaa359-2829-4e2e-bb21-73676aff6791", - "link": "https://learn.microsoft.com/azure/aks/developer-best-practices-pod-security#secure-pod-access-to-resources", - "services": [], - "severity": "Medium", - "subcategory": "Workload", - "text": "Secure pod access to resources. 
Provide the least number of permissions, and avoid using root or privileged escalation.", - "waf": "Security" + "checklist": "WAF checklist", + "guid": "829e2edb-2173-4676-aff6-691b4935ada4", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "SAP", + "services": [ + "RBAC", + "Subscriptions", + "AzurePolicy", + "WAF" + ], + "severity": "Medium", + "text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes. You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).", + "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", + "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Red Hat OpenShift", - "guid": "b4935ada-4232-44ec-b81c-123181a64174", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-extension-for-azure-arc-enabled-kubernetes", + "checklist": "WAF checklist", + "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "SAP", "services": [ + "AKV", "AzurePolicy", - "Monitor" + "WAF" ], "severity": "Medium", - "subcategory": "Workload", - "text": "Monitor and enforce configuration by using the Azure Policy Extension.", + "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Red Hat OpenShift", - "guid": "15833fb4-ae3c-42df-9431-66c3bcbe05bb", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction", + "checklist": "WAF 
checklist", + "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", + "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", + "service": "SAP", "services": [ - "Defender" + "RBAC", + "AzurePolicy", + "WAF" ], "severity": "High", - "subcategory": "Workload", - "text": "Scan your images for vulnerabilities with Microsoft Defender or any other image scanning solution.", + "text": "Based on existing requirements, regulatory and compliance controls (internal/external) - Determine what Azure Policies and Azure RBAC role are needed", + "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Red Hat OpenShift", - "guid": "e209d4a0-da57-4778-924d-216785d2fa56", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link", + "checklist": "WAF checklist", + "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "services": [ - "ACR", - "Subscriptions" + "Storage", + "Defender", + "SAP", + "WAF" ], - "severity": "Low", - "subcategory": "Workload", - "text": "Deploy a dedicated and private instance of Azure Container Registry to each landing zone subscription.", + "severity": "High", + "text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. 
Follow your DBMS vendor's recommendations when excluding target files.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Apply guidance from the Microsoft cloud security benchmark related to Storage", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Azure Storage", + "checklist": "WAF checklist", + "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", + "service": "SAP", "services": [ - "Storage" + "Defender", + "RBAC", + "SAP", + "WAF" ], - "severity": "Medium", - "subcategory": " Overview", - "text": "Consider the 'Azure security baseline for storage'", + "severity": "High", + "text": "Delegate an SAP admin custom role with just-in-time access of Microsoft Defender for Cloud.", + "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Azure Storage by default has a public IP address and is Internet-reachable. 
Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Azure Storage", + "checklist": "WAF checklist", + "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "services": [ - "PrivateLink", - "Storage" + "SAP", + "WAF" ], - "severity": "High", - "subcategory": "Networking", - "text": "Consider using private endpoints for Azure Storage", + "severity": "Low", + "text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS", + "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. are all enabled. 
Ensure that there are no old storage accounts with classic deployment model in a subscription", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Azure Storage", + "checklist": "WAF checklist", + "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", + "service": "SAP", "services": [ - "RBAC", - "Storage", - "Subscriptions" + "AKV", + "WAF" ], "severity": "Medium", - "subcategory": "Governance", - "text": "Ensure older storage accounts are not using 'classic deployment model'", + "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Azure Storage", + "checklist": "WAF checklist", + "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", + "service": "SAP", "services": [ - "Defender", - "Storage" + "AKV", + "WAF" ], "severity": "High", - "subcategory": "Governance", - "text": "Enable Microsoft Defender for all of your storage accounts", + "text": "Use an Azure Key Vault per application per environment per region.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "Security" }, { - "category": "Security", - 
"checklist": "Azure Storage Review Checklist", - "description": "The soft-delete mechanism allows to recover accidentally deleted blobs.", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Azure Storage", + "checklist": "WAF checklist", + "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", + "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", + "service": "SAP", "services": [ - "Storage" + "SAP", + "AKV", + "WAF" ], - "severity": "Medium", - "subcategory": "Data Availability", - "text": "Enable 'soft delete' for blobs", + "severity": "High", + "text": "To control and manage disk encryption keys and secrets for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. 
", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", + "checklist": "WAF checklist", + "guid": "209d490d-a477-4784-84d1-16785d2fa56c", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "service": "SAP", "services": [ - "Storage" + "SAP", + "RBAC", + "Subscriptions", + "WAF" ], - "severity": "Medium", - "subcategory": "Confidentiality", - "text": "Disable 'soft delete' for blobs", + "severity": "High", + "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes", + "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Azure Storage", + "checklist": "WAF checklist", + "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", + "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", + "service": "SAP", "services": [ - "Storage" + "PrivateLink", + "SAP", + "NVA", + "WAF" ], "severity": "High", - "subcategory": "Data Availability", - "text": "Enable 'soft delete' for containers", + "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources", + "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - 
"description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", + "checklist": "WAF checklist", + "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", + "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "service": "SAP", "services": [ - "Storage" + "Storage", + "VM", + "WAF" ], - "severity": "Medium", - "subcategory": "Confidentiality", - "text": "Disable 'soft delete' for containers", + "severity": "Low", + "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.", + "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", + "checklist": "WAF checklist", + "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", + "service": "SAP", "services": [ - "Storage" + "Defender", + "WAF" ], - "severity": "High", - "subcategory": "Data Availability", - "text": "Enable resource locks on storage accounts", + "severity": "Low", + "text": "For even more powerful protection, consider using Microsoft Defender for 
Endpoint.", + "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Consider 'legal hold' or 'time-based retention' policies for blobs, so that is is impossible to delete the blob, the container, or the storage account. Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Azure Storage", + "checklist": "WAF checklist", + "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", "services": [ - "AzurePolicy", - "Storage", - "Subscriptions" + "VNet", + "SAP", + "WAF" ], "severity": "High", - "subcategory": "Data Availability, Compliance", - "text": "Consider immutable blobs", + "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. 
", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Azure Storage", + "checklist": "WAF checklist", + "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "services": [ - "Storage" + "SAP", + "WAF" ], - "severity": "High", - "subcategory": "Networking", - "text": "Require HTTPS, i.e. disable port 80 on the storage account", + "severity": "Low", + "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.", + "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Azure Storage", + "checklist": "WAF checklist", + "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", + "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", + "service": "SAP", "services": [ - "Storage" + "Monitor", + "SAP", + "AKV", + "WAF" ], - "severity": "High", - "subcategory": "Networking", - "text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.", + "severity": "Medium", + "text": "To enable secure communication in Azure Monitor 
for SAP solutions, you can choose to use either a root certificate or a server certificate. We highly recommend that you use root certificates.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Azure Storage", + "checklist": "WAF checklist", + "description": "Azure Service Bus Premium provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ", + "guid": "87af4a79-1f89-439b-ba47-768e14c11567", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", + "service": "Service Bus", "services": [ - "Storage" + "ServiceBus", + "WAF" ], - "severity": "Medium", - "subcategory": "Networking", - "text": "Limit shared access signature (SAS) tokens to HTTPS connections only", + "severity": "Low", + "text": "Use customer-managed key option in data at rest encryption when required", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "AAD tokens should be favored over shared access signatures, wherever possible", - "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", - "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", - "service": "Azure Storage", + "checklist": "WAF checklist", + "description": "Communication between a 
client application and an Azure Service Bus namespace is encrypted using Transport Layer Security (TLS). Azure Service Bus namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Service Bus namespace to require that clients send and receive data with a newer version of TLS.", + "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version", + "service": "Service Bus", "services": [ - "Entra", - "Storage" + "ServiceBus", + "WAF" ], - "severity": "High", - "subcategory": "Identity and Access Management", - "text": "Use Azure Active Directory (Azure AD) tokens for blob access", + "severity": "Medium", + "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. Limiting access to resources helps prevent both unintentional and malicious misuse of your data.", - "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", - "service": "Azure Storage", + "checklist": "WAF checklist", + "description": "When you create a Service Bus namespace, a SAS rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative root account and don't use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", + "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies", + "service": "Service Bus", "services": [ "Entra", + "TrafficManager", "RBAC", - "Storage" + "ServiceBus", + "WAF", + "AzurePolicy" ], "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "Least privilege in IaM permissions", + "text": "Avoid using root account when it is not necessary", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. ", - "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", - "service": "Azure Storage", + "checklist": "WAF checklist", + "description": "A Service Bus client app running inside an Azure App Service application or in a virtual machine with enabled managed entities for Azure resources support does not need to handle SAS rules and keys, or any other access tokens. The client app only needs the endpoint address of the Service Bus Messaging namespace. 
", + "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity", + "service": "Service Bus", "services": [ + "Storage", "Entra", - "Storage" + "AKV", + "WAF", + "ServiceBus", + "VM", + "AppSvc" ], - "severity": "High", - "subcategory": "Identity and Access Management", - "text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.", + "severity": "Medium", + "text": "When possible, your application should be using a managed identity to authenticate to Azure Service Bus. If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Storage account keys ('shared keys') have very little audit capabilities. While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on AAD authentication makes it easier to tie storage access to a user. ", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", - "service": "Azure Storage", + "checklist": "WAF checklist", + "description": "When creating permissions, provide fine-grained control over a client's access to Azure Service Bus. Permissions in Azure Service Bus can and should be scoped to the individual resource level e.g. queue, topic or subscription. 
", + "guid": "f615658d-e558-4f93-9249-b831112dbd7e", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus", + "service": "Service Bus", "services": [ - "Entra", - "AKV", "Storage", - "Monitor" + "RBAC", + "Subscriptions", + "ServiceBus", + "WAF" ], "severity": "High", - "subcategory": "Identity and Access Management", - "text": "Consider disabling storage account keys, so that only AAD access (and user delegation SAS) is supported.", + "text": "Use least privilege data plane RBAC", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. storage account keys, access policies, etc.).", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", - "service": "Azure Storage", + "checklist": "WAF checklist", + "description": "Azure Service Bus resource logs include operational logs, virtual network and IP filtering logs. Runtime audit logs capture aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Service Bus.", + "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference", + "service": "Service Bus", "services": [ - "AzurePolicy", - "AKV", - "Storage", - "Monitor" + "VNet", + "Monitor", + "ServiceBus", + "WAF" ], - "severity": "High", - "subcategory": "Monitoring", - "text": "Consider using Azure Monitor to audit control plane operations on the storage account", + "severity": "Medium", + "text": "Enable logging for security investigation. 
Use Azure Monitor to trace resource logs and runtime audit logs (currently available only in the premium tier)", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", - "service": "Azure Storage", + "checklist": "WAF checklist", + "description": "Azure Service Bus by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Service Bus traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. ", + "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service", + "service": "Service Bus", "services": [ - "Entra", - "AzurePolicy", - "AKV", - "Storage" + "VNet", + "PrivateLink", + "ServiceBus", + "WAF" ], "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "When using storage account keys, consider enabling a 'key expiration policy'", + "text": "Consider using private endpoints to access Azure Service Bus and disable public network access when applicable.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. 
SAS expiration policies apply to a service SAS or an account SAS. When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.", - "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", - "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", - "service": "Azure Storage", + "checklist": "WAF checklist", + "description": "With IP firewall, you can restrict the public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. ", + "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering", + "service": "Service Bus", "services": [ - "Entra", - "AzurePolicy", - "Storage" + "ServiceBus", + "WAF" ], "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "Consider configuring an SAS expiration policy", + "text": "Consider only allowing access to Azure Service Bus namespace from specific IP addresses or ranges", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. 
", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", - "service": "Azure Storage", + "category": "BC and DR", + "checklist": "Redis Resiliency checklist", + "guid": "65285269-440b-44be-9d3e-0844276d4bdc", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", + "service": "Redis", "services": [ - "Entra", - "AzurePolicy", - "AKV", - "Storage" + "ACR" ], - "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "Consider linking SAS to a stored access policy", - "waf": "Security" + "severity": "High", + "subcategory": "High Availability", + "text": "Enable zone redundancy for Azure Cache for Redis. Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", - "service": "Azure Storage", + "category": "BC and DR", + "checklist": "Redis Resiliency checklist", + "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", + "service": "Redis", "services": [ - "AKV", "Storage" ], "severity": "Medium", - "subcategory": "CI/CD", - "text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.", - "waf": "Security" + "subcategory": "High Availability", + "text": "Configure data 
persistence for an Azure Cache for Redis instance. Because your cache data is stored in memory, a rare and unplanned failure of multiple nodes can cause all the data to be dropped. To avoid losing data completely, Redis persistence allows you to take periodic snapshots of in-memory data, and store it to your storage account.", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Ideally, your application should be using a managed identity to authenticate to Azure Storage. If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", - "service": "Azure Storage", + "category": "BC and DR", + "checklist": "Redis Resiliency checklist", + "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", + "service": "Redis", "services": [ - "Entra", "Storage" ], - "severity": "High", - "subcategory": "Identity and Access Management", - "text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)", - "waf": "Security" + "severity": "Medium", + "subcategory": "High Availability", + "text": "Use Geo-redundant storage account to persist Azure Cache for Redis data, or zonally redundant where geo-redundancy is not available", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. 
This practice is especially important if you cannot reference a stored access policy. Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.", - "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "category": "BC and DR", + "checklist": "Redis Resiliency checklist", + "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", + "service": "Redis", "services": [ - "Entra", - "AzurePolicy", - "Storage" + "ASR" ], - "severity": "High", - "subcategory": "Identity and Access Management", - "text": "Strive for short validity periods for ad-hoc SAS", - "waf": "Security" + "severity": "Medium", + "subcategory": "High Availability", + "text": "Configure passive geo-replication for Premium Azure Cache for Redis instances. Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for cross-region disaster recovery. Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "When creating a SAS, be as specific and restrictive as possible. 
Prefer a SAS for a single resource and operation over a SAS which gives much broader access.", - "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", - "services": [ - "Entra", - "Storage" - ], + "category": "Operations management", + "checklist": "Azure Bot Service", + "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", + "service": "Bot service", + "services": [], "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "Apply a narrow scope to a SAS", - "waf": "Security" + "subcategory": "High Availablity", + "text": "Follow reliability support recommendations in Azure Bot Service", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to request a resource using the SAS. 
", - "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", - "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", - "service": "Azure Storage", - "services": [ - "Entra", - "Storage" - ], + "category": "Operations management", + "checklist": "Azure Bot Service", + "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", + "service": "Bot service", + "services": [], "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "Consider scoping SAS to a specific client IP address, wherever possible", - "waf": "Security" + "subcategory": "High Availablity", + "text": "Deploying bots with local data residency and regional compliance", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously large contents.", - "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", - "service": "Azure Storage", + "category": "Operations management", + "checklist": "Azure Bot Service", + "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", + "service": "Bot service", + "services": [], + "severity": "Medium", + "subcategory": "High Availablity", + "text": "Azure Bot Service runs in active-active mode for both global and regional services. When an outage occurs, you don't need to detect errors or manage the service. Azure Bot Service automatically performs auto failover and auto recovery in a multi-region geographical architecture. For the EU bot regional service, Azure Bot Service provides two full regions inside Europe with active/active replication to ensure redundancy. 
For the global bot service, all available regions/geographies can be served as the global footprint.", + "waf": "Reliability" + }, + { + "category": "Operations Management", + "checklist": "MySQL Review Checklist", + "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", + "service": "Azure MySQL", "services": [ - "Entra", - "Storage" + "SQL" ], - "severity": "Low", - "subcategory": "Identity and Access Management", - "text": "Consider checking uploaded data, after clients used a SAS to upload a file. ", - "waf": "Security" + "severity": "Medium", + "subcategory": "Best Practices", + "text": "Leverage Flexible Server", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive than SFTP access. Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint", - "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", - "service": "Azure Storage", + "category": "Operations Management", + "checklist": "MySQL Review Checklist", + "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", + "service": "Azure MySQL", "services": [ - "Entra", - "RBAC", - "Storage" + "SQL" ], "severity": "High", - "subcategory": "Identity and Access Management", - "text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.", - "waf": "Security" + "subcategory": "Best Practices", + "text": "Leverage Availability Zones where regionally applicable", + 
"waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", - "service": "Azure Storage", + "category": "Operations Management", + "checklist": "MySQL Review Checklist", + "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", + "service": "Azure MySQL", "services": [ - "Entra", - "Storage" + "SQL" ], "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "SFTP: The SFTP endpoint does not support POSIX-like ACLs.", - "waf": "Security" + "subcategory": "Best Practices", + "text": "Leverage Data-in replication for cross-region DR scenarios", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Storage supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. 
When enabling CORS, keep the CorsRules to the least privilege.", - "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", - "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", - "service": "Azure Storage", - "services": [ - "AzurePolicy", - "Storage" - ], + "category": "BC and DR", + "checklist": "Logic Apps checklist", + "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", + "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", + "service": "Logic Apps", + "services": [], "severity": "High", - "subcategory": "Networking", - "text": "Avoid overly broad CORS policies", - "waf": "Security" + "subcategory": "High Availability", + "text": "Select the right Logic App hosting plan based on your business & SLO requirements", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. Server-side encryption might happen using a platform-managed key (default) or customer-managed key. Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. 
thus not relying on Azure Storage at all for confidentiality guarantees.", - "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "Azure Storage", - "services": [ - "Storage" - ], + "category": "BC and DR", + "checklist": "Logic Apps checklist", + "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", + "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "Logic Apps", + "services": [], "severity": "High", - "subcategory": "Confidentiality and Encryption", - "text": "Determine how data at rest should be encrypted. Understand the thread model for data.", - "waf": "Security" + "subcategory": "High Availability", + "text": "Protect logic apps from region failures with zone redundancy and availability zones", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", - "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", - "service": "Azure Storage", + "category": "BC and DR", + "checklist": "Logic Apps checklist", + "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", + "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Logic Apps", + "services": [], + "severity": "High", + "subcategory": "High Availability", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" + }, + { + "category": "BC and DR", + "checklist": "Logic Apps checklist", + "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", + "link": "https://learn.microsoft.com/azure/app-service/environment/intro", + "service": "Logic Apps", 
"services": [ - "Storage" + "AppSvc" ], + "severity": "High", + "subcategory": "High Availability", + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" + }, + { + "category": "Application Deployment", + "checklist": "Logic Apps checklist", + "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", + "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", + "service": "Logic Apps", + "services": [], "severity": "Medium", - "subcategory": "Confidentiality and Encryption", - "text": "Determine which/if platform encryption should be used.", - "waf": "Security" + "subcategory": "CI/CD", + "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", - "service": "Azure Storage", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", + "service": "Azure Monitor", "services": [ - "Storage" + "Monitor", + "Cost" ], "severity": "Medium", - "subcategory": "Confidentiality and Encryption", - "text": "Determine which/if client-side encryption should be used.", - "waf": "Security" + "subcategory": "Azure Monitor - enforce data collection rules", + "text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Leverage Resource Graph Explorer (resources | where type == 
'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) to find storage accounts which allow anonymous blob access.", - "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", - "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", - "service": "Azure Storage", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "45901365-d38e-443f-abcb-d868266abca2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Azure Backup", "services": [ - "Entra", - "Storage" + "Backup", + "Cost" ], - "severity": "High", - "subcategory": "Identity and Access Management", - "text": "Consider whether public blob access is needed, or whether it can be disabled for certain storage accounts. ", - "waf": "Security" + "severity": "Medium", + "subcategory": "Backup", + "text": "check backup instances with the underlying datasource not found", + "waf": "Cost" }, { - "category": "Operations Management", - "checklist": "Azure Storage Review Checklist", - "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal", - "service": "Azure Storage", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "VM", "services": [ - "Storage" + "Cost" ], - "severity": "High", - "subcategory": "Platform Version", - "text": "Leverage a storagev2 account type for better performance and reliability", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Delete/archive", + "text": "Delete or archive unassociated services (disks, nics, ip addresses etc)", + "waf": 
"Cost" }, { - "category": "BC and DR", - "checklist": "Azure Storage Review Checklist", - "guid": "e05bbe20-9d49-4fda-9777-8424d116785c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Azure Storage", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "659d3958-fd77-4289-a835-556df2bfe456", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "services": [ - "Storage" + "Cost" ], - "severity": "High", - "subcategory": "Availablity", - "text": "Leverage GRS, ZRS or GZRS storage for the highest availability", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Delete/archive", + "text": "Consider snooze and stop technique (snooze a service after x days, stop after 2x, delete/deallocate after 3x)", + "waf": "Cost" }, { - "category": "BC and DR", - "checklist": "Azure Storage Review Checklist", - "guid": "2fa56c56-ad48-4408-be72-734c486ba280", - "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", - "service": "Azure Storage", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "3b0d834a-3487-426d-b69c-6b5c2a26494b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "services": [ - "Storage" + "Storage", + "Backup", + "Cost" ], "severity": "Medium", - "subcategory": "Failover", - "text": "For write operation after failover, use customer-Managed Failover ", - "waf": "Reliability" + "subcategory": "Delete/archive", + "text": "Delete or archive unused resources (old backups, logs, storage accounts, etc...)", + "waf": "Cost" }, { - "category": "Operations Management", - "checklist": "Azure Storage Review Checklist", - "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", - "link": 
"https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", - "service": "Azure Storage", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Azure Backup", "services": [ - "Storage" + "Storage", + "ASR", + "Backup", + "Cost" ], "severity": "Medium", - "subcategory": "Failover", - "text": "Understand Microsoft-Managed Failover details", - "waf": "Reliability" + "subcategory": "Delete/archive", + "text": "Consider a good balance between site recovery storage and backup for non mission critical applications", + "waf": "Cost" }, { - "category": "Operations Management", - "checklist": "Azure Storage Review Checklist", - "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", - "service": "Azure Storage", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", + "service": "Azure Monitor", "services": [ - "Storage" + "Monitor", + "Cost" ], "severity": "Medium", - "subcategory": "Data Protection", - "text": "Enable Soft Delete", - "waf": "Reliability" + "subcategory": "Log Analytics retention for workspaces", + "text": "Check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily cap, in addition to creating an alert when the cap is reached,ensure that you also create an alert rule to be notified when some percentage has 
been reached (90% for example). - consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", + "waf": "Cost" }, { - "category": "Governance", - "checklist": "Azure API Management Review", - "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", - "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", - "service": "APIM", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Azure Monitor", "services": [ - "APIM", - "AzurePolicy" + "Storage", + "AzurePolicy", + "Cost" ], "severity": "Medium", - "subcategory": "Development best practices", - "text": "Implement an error handling policy at the global level", - "waf": "Operations" + "subcategory": "Policy", + "text": "Enforce a purging log policy and automation (if needed, logs can be moved to cold storage)", + "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", + "waf": "Cost" }, { - "category": "Governance", - "checklist": "Azure API Management Review", - "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", - "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", - "service": "APIM", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "59bb91a3-ed90-4cae-8cc8-4c37b6b780cb", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", "services": [ - "APIM", - "AzurePolicy" + "Cost" ], "severity": "Medium", - "subcategory": 
"Development best practices", - "text": "Ensure all APIs policies include a element.", - "waf": "Operations" + "subcategory": "Run orphaned resources workbook - delete or snooze ghost items", + "text": "https://github.com/dolevshor/azure-orphan-resources", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets", + "waf": "Cost" }, { - "category": "Governance", - "checklist": "Azure API Management Review", - "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", - "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", - "service": "APIM", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "9fe5c464-89d4-457a-a27c-3874d0102cac", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", "services": [ - "APIM", - "AzurePolicy", - "ACR" + "Cost" ], "severity": "Medium", - "subcategory": "Development best practices", - "text": "Use Policy Fragments to avoid repeating same policies definitions across multiple APIs", - "waf": "Operations" + "subcategory": "Shutdown/deallocate", + "text": "Shutdown underutilized instances", + "training": "https://learn.microsoft.com/azure/cost-management-billing/understand/analyze-unexpected-charges", + "waf": "Cost" }, { - "category": "Governance", - "checklist": "Azure API Management Review", - "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", - "link": "https://learn.microsoft.com/azure/api-management/monetization-support", - "service": "APIM", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "VM", "services": [ - "APIM" + "Storage", + "VM", + "Backup", + "Cost" ], "severity": "Medium", - "subcategory": 
"Monetization", - "text": "If you are planning to monetize your APIs, review the 'monetization support' article for best practices", - "waf": "Operations" + "subcategory": "stopped/deallocated VMs: check disks", + "text": "Check that the disks are really needed, if not: delete. If they are needed, find lower storage tiers or use backup -", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", + "waf": "Cost" }, { - "category": "Governance", - "checklist": "Azure API Management Review", - "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", - "service": "APIM", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "d1e44a19-659d-4395-afd7-7289b835556d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Storage", "services": [ - "APIM", - "Monitor" + "Storage", + "AzurePolicy", + "Cost" ], - "severity": "High", - "subcategory": "Monitoring", - "text": "Enable Diagnostics Settings to export logs to Azure Monitor", - "waf": "Operations" + "severity": "Medium", + "subcategory": "storage accounts lifecycle policy", + "text": "Consider moving unused storage to lower tier, with customized rule - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "waf": "Cost" }, { - "category": "Governance", - "checklist": "Azure API Management Review", - "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", - "service": "APIM", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "f2bfe456-3b0d-4834-a348-726de69c6b5c", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "services": [ - "APIM", - "Monitor" + "Cost" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Enable Application Insights for more detailed telemetry", - "waf": "Operations" + "subcategory": "Tagging", + "text": "Use specific tags for temporary items with 'delete by DATE' format - and automate monthly cleanup", + "waf": "Cost" }, { - "category": "Governance", - "checklist": "Azure API Management Review", - "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", - "service": "APIM", + "category": "DB/App tuning", + "checklist": "Cost Optimization Checklist", + "guid": "2a26494b-69ba-4d37-aad5-3cc78e1d7666", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/mca-section-invoice", "services": [ - "APIM", - "Monitor" + "Cost" ], - "severity": "High", - "subcategory": "Monitoring", - "text": "Configure alerts on the most critical metrics", - "waf": "Operations" + "severity": "Medium", + "subcategory": "DB optimization", + "text": "Plan for db optimization with the intent of downsizing the related services (and improve performance)", + "waf": "Cost" }, { - "category": "Identity and Access Management", - "checklist": "Azure API Management Review", - "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", - "service": "APIM", + "category": "DB/APP tuning", + "checklist": "Cost Optimization Checklist", + "guid": "7357c449-674b-45ed-a5a8-59c7733be2a1", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "services": [ - "Entra", - "APIM", - "AKV" + "Cost" ], - "severity": "High", - "subcategory": "Data protection", - "text": "Ensure that custom SSL certificates are stored an Azure Key Vault so they can be securely accessed and updated", - "waf": "Security" + "severity": "Medium", + "subcategory": "App modernization", + "text": "Modernizing the app towards a microservices architecture will have the effect of letting the app scale according to the single service and not the entire stack", + "waf": "Cost" }, { - "category": "Identity and Access Management", - "checklist": "Azure API Management Review", - "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", - "service": "APIM", + "category": "DB/APP tuning", + "checklist": "Cost Optimization Checklist", + "guid": "a27b765a-91be-41f3-a8ef-394c2bd463cb", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "services": [ - "Entra", - "APIM" + "Storage", + "VM", + "Cost" ], - "severity": "High", - "subcategory": "Identity", - "text": "Protect incoming requests to APIs (data plane) with Azure AD", - "waf": "Security" + "severity": "Medium", + "subcategory": "DB optimization", + "text": "optimizing the DB queries will increase performance and allow better right-sizing of storage and VMs", + "waf": "Cost" }, { - "category": "Identity and Access Management", - "checklist": "Azure API Management Review", - "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", - "link": 
"https://learn.microsoft.com/azure/api-management/api-management-howto-aad", - "service": "APIM", + "category": "DB/APP tuning", + "checklist": "Cost Optimization Checklist", + "guid": "bac75819-59bb-491a-9ed9-0cae2cc84c37", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", "services": [ - "Entra", - "APIM" + "Cost" ], "severity": "Medium", - "subcategory": "Identity", - "text": "Use Microsoft Entra ID to authenticate users in the Developer Portal", - "waf": "Security" + "subcategory": "Demand shaping", + "text": "Using demand shaping on PaaS services will optimize costs and performances", + "waf": "Cost" }, { - "category": "Identity and Access Management", - "checklist": "Azure API Management Review", - "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", - "service": "APIM", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "b6b780cb-9fe5-4c46-989d-457a927c3874", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/naming-and-tagging", "services": [ "Entra", - "APIM" + "Cost" ], "severity": "Medium", - "subcategory": "Privileged access", - "text": "Create appropriate groups to control the visibility of the products", - "waf": "Security" + "subcategory": "Advisor", + "text": "Start from the Azure Advisor page suggestions.", + "waf": "Cost" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "06862505-2d9a-4874-9491-2837b00a3475", - "link": "https://learn.microsoft.com/azure/api-management/backends", - "service": "APIM", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "VM", "services": [ - "APIM" + "VM", + "Cost" ], "severity": "Medium", - "subcategory": 
"Best practices", - "text": "Use Backends feature to eliminate redundant API backend configurations", - "waf": "Operations" + "subcategory": "Advisor", + "text": "Make sure advisor is configured for VM right sizing ", + "waf": "Cost" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", - "service": "APIM", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "881a1bd5-d1e4-44a1-a659-d3958fd77289", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", "services": [ - "APIM", - "AzurePolicy" + "Cost" ], "severity": "Medium", - "subcategory": "Best practices", - "text": "Use Named Values to store common values that can be used in policies", - "waf": "Operations" + "subcategory": "Automation", + "text": "Consider implementing IaC scripts or devops pipelines to match the cost governance process", + "waf": "Cost" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", - "service": "APIM", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "b835556d-f2bf-4e45-93b0-d834a348726d", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", "services": [ - "ASR", - "APIM", - "ACR" + "Monitor", + "Cost" ], "severity": "Medium", - "subcategory": "Business continuity and disaster recovery", - "text": "For DR, leverage the premium tier with deployments scaled across two or more regions for 99.99% SLA", - "waf": "Reliability" + "subcategory": "Automation", + "text": "Set up cost alerts for applications that have variable costs (ideally for all of them)", + "waf": "Cost" }, { - "category": "Management", 
- "checklist": "Azure API Management Review", - "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", - "link": "https://learn.microsoft.com/azure/api-management/high-availability", - "service": "APIM", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "e69c6b5c-2a26-4494-a69b-ad37aad53cc7", + "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", "services": [ - "APIM", - "ASR" + "Cost" ], "severity": "Medium", - "subcategory": "Business continuity and disaster recovery", - "text": "Deploy at least one unit in two or more availability zones for an increased SLA of 99.99%", - "waf": "Reliability" + "subcategory": "Automation", + "text": "Use Azure Automation: Automate repetitive tasks can help you save time and resources, reducing costs in the process. ", + "waf": "Cost" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", - "service": "APIM", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "8e1d7666-7357-4c44-a674-b5ed85a859c7", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", "services": [ - "ASR", - "APIM", - "Backup" + "Cost" ], - "severity": "High", - "subcategory": "Business continuity and disaster recovery", - "text": "Ensure there is an automated backup routine", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Automation", + "text": "Run orphaned resources workbook", + "waf": "Cost" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", - "link": 
"https://learn.microsoft.com/azure/api-management/retry-policy", - "service": "APIM", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "733be2a1-a27b-4765-a91b-e1f388ef394c", + "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", "services": [ - "APIM", - "AzurePolicy" + "Storage", + "Cost" ], "severity": "Medium", - "subcategory": "Failover and Caching", - "text": "Use Policies to add a fail-over backend URL and caching to reduce failing calls.", - "waf": "Reliability" + "subcategory": "Baseline", + "text": "Try and establish a baseline of monthly spending and an acceptable saving target against the baseline (new services will not be optimized at this stage)", + "waf": "Cost" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "f96ddac5-77ec-4fa9-8833-4327f052059e", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-cache-external", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "2bd463cb-bac7-4581-a59b-b91a3ed90cae", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", "services": [ - "APIM", - "AzurePolicy" + "AzurePolicy", + "Cost" ], "severity": "Medium", - "subcategory": "Performance and scalability", - "text": "Consider using a external cache policy for APIs that can benefit from caching", - "training": "https://learn.microsoft.com/training/modules/improve-api-performance-with-apim-caching-policy/" + "subcategory": "Baseline", + "text": "Establish a cost optimization baseline by using a policy that tags every new resource as #NEW", + "waf": "Cost" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", - "service": "APIM", + "category": "Process 
Administration", + "checklist": "Cost Optimization Checklist", + "guid": "2cc84c37-b6b7-480c-a9fe-5c46489d457a", + "link": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management-config", "services": [ - "EventHubs", - "APIM", - "AzurePolicy" + "Cost" ], - "severity": "Low", - "subcategory": "Performance and scalability", - "text": "If you need to log at high performance levels, consider Event Hubs policy", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Baseline", + "text": "Organize resources to maximize cost insights and accountability", + "waf": "Cost" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", - "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", - "service": "APIM", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "927c3874-d010-42ca-a6aa-e01e6a84de5d", + "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets?bc=%2Fazure%2Fcloud-adoption-framework%2F_bread%2Ftoc.json&toc=%2Fazure%2Fcloud-adoption-framework%2Ftoc.json", "services": [ - "APIM", - "AzurePolicy" + "Cost" ], "severity": "Medium", - "subcategory": "Performance and scalability", - "text": "Apply throttling policies to control the number of requests per second", - "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", - "waf": "Performance" + "subcategory": "Budgets", + "text": "Create budgets", + "waf": "Cost" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", - "service": "APIM", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "e36d1d92-881a-41bd-9d1e-44a19659d395", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#identity-and-access-management-in-the-azure-landing-zone-accelerator", "services": [ - "APIM" + "Cost" ], "severity": "Medium", - "subcategory": "Performance and scalability", - "text": "Configure autoscaling to scale out the number of instances when the load increases", - "waf": "Performance" + "subcategory": "Cost Analysis", + "text": "In cost analysis - use daily granularity, grouped by service name to analyze the spending of the past 3 months and identify the top 3 spenders", + "waf": "Cost" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", - "service": "APIM", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "8fd77289-b835-4556-bf2b-fe4563b0d834", + "link": "https://learn.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-staging-server", "services": [ - "APIM" + "Cost" ], "severity": "Medium", - "subcategory": "Performance and scalability", - "text": "Deploy self-hosted gateways where Azure doesn't have a region close to the backend APIs.", - "waf": "Performance" + "subcategory": "Cost Analysis", + "text": "Check daily for cost spikes and anomalies (ideally with automatic billing exports)", + "waf": "Cost" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", - "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", - "service": "APIM", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "a348726d-e69c-46b5-a2a2-6494b69bad37", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", "services": [ - 
"APIM" + "Cost" ], "severity": "Medium", - "subcategory": "Premium Tier", - "text": "Use the premium tier for production workloads.", - "waf": "Reliability" + "subcategory": "Cost Analysis", + "text": "Automate cost retrieval for deep analysis or integration", + "waf": "Cost" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", - "service": "APIM", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "aad53cc7-8e1d-4766-9735-7c449674b5ed", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", "services": [ - "APIM", - "AzurePolicy" + "ACR", + "Cost" ], "severity": "Medium", - "subcategory": "Request Routing", - "text": "In multi-region model, use Policies to route the requests to regional backends based on availability or latency.", - "waf": "Reliability" + "subcategory": "Free services", + "text": "Take advantage of Azure free services: Azure offers a number of free services, such as DevOps, Azure Container Registry, and Azure Logic Apps, that can help you save costs on development and operations. 
", + "waf": "Cost" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", - "service": "APIM", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "96c96ad8-844c-4f3b-8b38-c886ba2c0214", + "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", "services": [ - "Entra", - "APIM" + "Cost" ], - "severity": "High", - "subcategory": "Resource Limits", - "text": "Be aware of APIM's limits", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Tagging", + "text": "Tag shared resources", + "waf": "Cost" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", - "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", - "service": "APIM", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "99014a5d-3ce5-474d-acbd-9792a6bcca2b", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", "services": [ - "APIM" + "Cost" ], - "severity": "High", - "subcategory": "Self-Hosted", - "text": "Ensure that the self-hosted gateway deployments are resilient.", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Tagging", + "text": "Consider using tags to all services for cost allocation", + "waf": "Cost" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure API Management Review", - "guid": "7519e385-a88b-4d34-966b-6269d686e890", - "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", - "service": "APIM", + "category": "reservations", + "checklist": "Cost Optimization Checklist", + "guid": "4fea1dbf-3dd9-45d4-ac7c-891dcb1f7d57", + "link": 
"https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", "services": [ - "Entra", - "APIM", - "FrontDoor" + "Cost" ], "severity": "Medium", - "subcategory": "Connectivity", - "text": "Use Azure Front Door in front of APIM for multi-region deployment", - "waf": "Performance" + "subcategory": "automation", + "text": "Consider Reservation automation to track and promptly react to changes", + "waf": "Cost" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure API Management Review", - "guid": "cd45c90e-7690-4753-930b-bf290c69c074", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", - "service": "APIM", + "category": "Reservations", + "checklist": "Cost Optimization Checklist", + "description": "check by searching the Meter Category Licenses in the Cost analysys", + "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", + "service": "VM", "services": [ - "APIM", - "VNet" + "VM", + "AzurePolicy", + "Cost", + "SQL" ], "severity": "Medium", - "subcategory": "Security", - "text": "Deploy the service within a Virtual Network (VNet)", - "waf": "Security" + "subcategory": "check AHUB is applied to all Windows VMs, RHEL and SQL", + "text": "run the script on all windows VMs https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- consider implementing a policy if windows VMs are created frequently", + "waf": "Cost" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure API Management Review", - "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", - "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", - "service": "APIM", + "category": "Reservations", + "checklist": "Cost Optimization Checklist", + "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "VM", "services": [ - "Entra", - "APIM", - "VNet", - "Monitor" + "LoadBalancer", + "Cost" ], "severity": "Medium", - "subcategory": "Security", - "text": "Deploy network security groups (NSG) to your subnets to restrict or monitor traffic to/from APIM.", - "waf": "Security" + "subcategory": "Check Red Hat Licences if applicable", + "text": " this can be also put under AHUB if you already have licenses https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", + "waf": "Cost" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure API Management Review", - "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", - "service": "APIM", + "category": "Reservations", + "checklist": "Cost Optimization Checklist", + "guid": "a76af4a6-91e8-4839-ada4-6667e13c1056", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", "services": [ - "Entra", - "APIM", - "VNet", - "PrivateLink" + "Cost", + "AppSvc" ], "severity": "Medium", - "subcategory": "Security", - "text": "Deploy Private Endpoints to filter incoming traffic when APIM is not deployed to a VNet.", - 
"waf": "Security" + "subcategory": "Functions", + "text": "Saving plans will provide 17% on select app service plans", + "waf": "Cost" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure API Management Review", - "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", - "service": "APIM", + "category": "Reservations", + "checklist": "Cost Optimization Checklist", + "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "VM", "services": [ - "APIM" + "VM", + "Cost" ], - "severity": "High", - "subcategory": "Security", - "text": "Disable Public Network Access", - "waf": "Security" + "severity": "Medium", + "subcategory": "Planning", + "text": "Consolidate reserved VM families with flexibility option (no more than 4-5 families)", + "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", + "waf": "Cost" }, { - "category": "Platform automation and DevOps", - "checklist": "Azure API Management Review", - "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", - "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", - "service": "APIM", + "category": "Reservations", + "checklist": "Cost Optimization Checklist", + "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", + "service": "VM", "services": [ - "APIM" + "ARS", + "VM", + "Cost" ], "severity": "Medium", - "subcategory": "Automation", - "text": "Simplify management with PowerShell automation scripts", - "waf": 
"Operations" + "subcategory": "Reservations/savings plans", + "text": "Utilize Azure Reserved Instances: This feature allows you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.", + "waf": "Cost" }, { - "category": "Platform automation and DevOps", - "checklist": "Azure API Management Review", - "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", - "service": "APIM", + "category": "Reservations", + "checklist": "Cost Optimization Checklist", + "guid": "a785c6fe-96c9-46ad-a844-cf3b2b38c886", + "link": "https://azure.microsoft.com/resources/achieving-compliant-data-residency-and-security-with-azure/", "services": [ - "Entra", - "APIM" + "Cost" ], "severity": "Medium", - "subcategory": "Best practices", - "text": "Configure APIM via Infrastructure-as-code. Review DevOps best practices from the Cloud Adaption Framework APIM Landing Zone Accelerator", - "waf": "Operations" + "subcategory": "Reservations/savings plans", + "text": "Plan for Azure Savings Plans for all the workloads that are dynamic and need maximum flexibility", + "waf": "Cost" }, { - "category": "Platform automation and DevOps", - "checklist": "Azure API Management Review", - "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", - "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", - "service": "APIM", + "category": "Reservations", + "checklist": "Cost Optimization Checklist", + "guid": "ba2c0214-9901-44a5-b3ce-574dccbd9792", + "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", "services": [ - "Entra", - "APIM" + "Cost" ], "severity": "Medium", - "subcategory": "Best practices", - "text": "Promote usage of Visual Studio Code APIM extension for faster API development", - "waf": "Operations" + "subcategory": "Reservations/savings 
plans", + "text": "Plan for Azure Reservations for all the workloads that are less dynamic and won't change much", + "waf": "Cost" }, { - "category": "Platform automation and DevOps", - "checklist": "Azure API Management Review", - "guid": "354f1c03-8112-4965-85ad-c0074bddf231", - "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", - "service": "APIM", + "category": "Reservations", + "checklist": "Cost Optimization Checklist", + "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", + "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", + "service": "VM", "services": [ - "APIM" + "Storage", + "Cost" ], "severity": "Medium", - "subcategory": "DevOps", - "text": "Implement DevOps and CI/CD in your workflow", - "waf": "Operations" + "subcategory": "Reserve storage", + "text": "Only larger disks can be reserved => 1 TiB -", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure API Management Review", - "guid": "b6439493-426a-45f3-9697-cf65baee208d", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", - "service": "APIM", + "category": "Reservations", + "checklist": "Cost Optimization Checklist", + "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", + "service": "VM", "services": [ - "APIM" + "VM", + "Cost" ], "severity": "Medium", - "subcategory": "APIs", - "text": "Secure APIs using client certificate authentication", - "waf": "Security" + "subcategory": "Reserve VMs with normalized and rationalized sizes", + "text": "After the right-sizing optimization", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure API Management Review", - "guid": "2a67d143-1033-4c0a-8732-680896478f08", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", - "service": "APIM", + 
"category": "Reservations", + "checklist": "Cost Optimization Checklist", + "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Azure SQL", "services": [ - "APIM" + "AzurePolicy", + "Cost", + "SQL" ], "severity": "Medium", - "subcategory": "APIs", - "text": "Secure backend services using client certificate authentication", - "waf": "Security" + "subcategory": "SQL Database AHUB", + "text": "Check if applicable and enforce policy/change https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure API Management Review", - "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", - "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", - "service": "APIM", + "category": "Reservations", + "checklist": "Cost Optimization Checklist", + "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "VM", "services": [ - "APIM" + "VM", + "Cost", + "SQL" ], "severity": "Medium", - "subcategory": "APIs", - "text": "Review 'Recommendations to mitigate OWASP API Security Top 10 threats' article and check what is applicable to your APIs", - "waf": "Security" + "subcategory": "SQL Database Reservations", + "text": "The VM + license part discount (ahub + 3YRI) is around 70% discount", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure API Management Review", - "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", - "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", - "service": "APIM", + "category": "Reservations", + "checklist": "Cost Optimization Checklist", + "guid": 
"e13c1056-75c1-4e94-9b45-9837ff7ae7c6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#managed-identities", "services": [ - "APIM" + "Cost" ], "severity": "Medium", - "subcategory": "APIs", - "text": "Use Authorizations feature to simplify management of OAuth 2.0 token for your backend APIs", - "waf": "Security" + "subcategory": "Tracking", + "text": "Make sure you Azure Reservations and Savings plans are close to 100% utilization or make the necessary changes to reach it.", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure API Management Review", - "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", - "service": "APIM", + "category": "Reservations", + "checklist": "Cost Optimization Checklist", + "guid": "d3b475a5-c7ac-4be4-abbe-64dd89f2e877", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#rbac-recommendations", "services": [ - "APIM" + "AzurePolicy", + "Cost" ], - "severity": "High", - "subcategory": "Ciphers", - "text": "Use the latest TLS version when encrypting information in transit. Disable outdated and unnecessary protocols and ciphers when possible.", - "waf": "Security" + "severity": "Medium", + "subcategory": "Tracking", + "text": "Make sure that your reservations usage is close to 100%. 
If not, either enforce an allowed SKU policy or exchange the reservation", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure API Management Review", - "guid": "f8af3d94-1d2b-4070-846f-849197524258", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", - "service": "APIM", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "78468d55-a785-4c6f-b96c-96ad8844cf3b", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-create-roles-and-resource-roles-review", "services": [ - "APIM", - "AKV" + "AzurePolicy", + "Cost" ], - "severity": "High", - "subcategory": "Data protection", - "text": "Ensure that secrets (Named values) are stored an Azure Key Vault so they can be securely accessed and updated", - "waf": "Security" + "severity": "Medium", + "subcategory": "Automation", + "text": "Plan and enforce a On/Off policy for production services, where possible", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure API Management Review", - "guid": "791abd8b-7706-4e31-9569-afefde724be3", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", - "service": "APIM", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "2b38c886-ba2c-4021-9990-14a5d3ce574d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", "services": [ - "Entra", - "APIM" + "AzurePolicy", + "Cost" ], "severity": "Medium", - "subcategory": "Identities", - "text": "Use managed identities to authenticate to other Azure 
resources whenever possible", - "waf": "Security" + "subcategory": "Automation", + "text": "Plan and enforce a On-Demand policy with auto-shutdown for non-production services, where possible", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure API Management Review", - "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", - "service": "APIM", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "VM", "services": [ - "Entra", - "APIM", - "AppGW", - "WAF" + "VM", + "Cost" ], - "severity": "High", - "subcategory": "Network", - "text": "Use web application firewall (WAF) by deploying Application Gateway in front of APIM", - "waf": "Security" + "severity": "Medium", + "subcategory": "Autoscale", + "text": "Consider using a VMSS to match demand rather than flat sizing", + "waf": "Cost" }, { - "category": "Operations Management", - "checklist": "CosmosDB Review Checklist", - "guid": "43e52f47-22d9-428c-8b1c-d521e54a29a9", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foundations-playbooks-CosmosDB_v1.docx", - "service": "CosmosDB", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "AKS", "services": [ - "CosmosDB" + "AKS", + "Cost" ], "severity": "Medium", - "subcategory": "Best Practices", - "text": "FTA Resiliency Playbook", - "waf": "Reliability" + "subcategory": "Autoscale", + "text": "Use AKS autoscaler 
to match your clusters usage (make sure the pods requirements match the scaler)", + "waf": "Cost" }, { - "category": "Operations Management", - "checklist": "CosmosDB Review Checklist", - "guid": "de39ac0e-7c28-4dc9-9565-7202bff4564b", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", - "service": "CosmosDB", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "93665720-2bff-4456-9b0d-934a359c363e", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", "services": [ - "CosmosDB" + "Cost" ], - "severity": "High", - "subcategory": "High Availability", - "text": "Leverage Availablity Zones where regionally applicable and ofcourse if the service offers it", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Autoscale", + "text": "Right-size PaaS service according to average use and accomodate spikes with auto or manual scaling", + "waf": "Cost" }, { - "category": "Operations Management", - "checklist": "CosmosDB Review Checklist", - "guid": "0d934a34-8b26-43e7-bd60-513a3649906e", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#replica-outages", - "service": "CosmosDB", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "7dd61623-a364-4a90-9eba-e38ead53cc7d", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", "services": [ - "CosmosDB" + "Cost" ], "severity": "Medium", - "subcategory": "High Availability", - "text": "Run multiple replicas of the database (>1 ) in Prod", - "waf": "Reliability" + "subcategory": "Autoscale", + "text": "Plan for demand shaping where applicable", + "waf": "Cost" }, { - "category": "Operations Management", - "checklist": "CosmosDB Review Checklist", - "description": "Multi-region writes capability allows you to take advantage of the provisioned throughput for your databases and containers across the globe", - "guid": 
"bad38ead-53cc-47de-8d8a-aab3571449ab", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions", - "service": "CosmosDB", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "e2e8aaab-3571-4549-ab91-53d89f89dc7b", "services": [ - "CosmosDB", - "ACR" + "Cost" ], "severity": "Medium", - "subcategory": "High Availability", - "text": "Leverage Multi-Region Writes", - "waf": "Reliability" + "subcategory": "Autoscale", + "text": "Consider implementing a service re-scaling logic within the application", + "training": "https://learn.microsoft.com/azure/cost-management-billing/savings-plan/", + "waf": "Cost" }, { - "category": "Operations Management", - "checklist": "CosmosDB Review Checklist", - "description": "Span Cosmos account across two or more regions with multi-region writes", - "guid": "8153d89f-89dc-47b3-9be2-b1a27f7b9e91", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", - "service": "CosmosDB", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Azure Backup", "services": [ - "CosmosDB", - "ACR" + "Backup", + "Cost" ], "severity": "Medium", - "subcategory": "High Availability", - "text": "Distribute your data globally", - "waf": "Reliability" + "subcategory": "Backup", + "text": "Move recovery points to vault-archive where applicable (Validate)", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "Cost" }, { - "category": "Operations Management", - "checklist": "CosmosDB Review Checklist", - "description": "Choose from various consistency levels such as Eventual, Consistent Prefix, Session, Bounded Staleness and strong", - "guid": "9f8ea848-25ec-4140-bc32-2758e6ee9ac0", - "link": 
"https://learn.microsoft.com/azure/cosmos-db/consistency-levels", - "service": "CosmosDB", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", + "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", + "service": "Databricks", "services": [ - "CosmosDB" + "LoadBalancer", + "VM", + "Cost" ], - "severity": "High", - "subcategory": "High Availability", - "text": "Choose from several well-defined consistency models", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Databricks", + "text": "Consider using Spot VMs with fallback where possible. Consider autotermination of clusters.", + "waf": "Cost" }, { - "category": "Operations Management", - "checklist": "CosmosDB Review Checklist", - "description": "Maintain business continuity during regional outages. Azure Cosmos DB supports service-managed failover during a regional outage. During a regional outage, Azure Cosmos DB continues to maintain its latency, availability, consistency, and throughput SLAs. To help make sure that your entire application is highly available, Azure Cosmos DB offers a manual failover API to simulate a regional outage. 
By using this API, you can carry out regular business continuity drills.", - "guid": "a47e4d1e-bb79-43f9-bf87-69e1032b72fe", - "link": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover", - "service": "CosmosDB", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", + "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", + "service": "Azure Functions", "services": [ - "CosmosDB" + "Cost" ], "severity": "Medium", - "subcategory": "High Availability", - "text": "Enable Service managed failover", - "waf": "Reliability" + "subcategory": "Functions", + "text": "Functions - Reuse connections", + "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", + "waf": "Cost" }, { - "category": "Operations Management", - "checklist": "CosmosDB Review Checklist", - "description": "Azure Cosmos DB automatically takes backups of your data at regular intervals. The automatic backups are taken without affecting the performance or availability of the database operations. 
All the backups are stored separately in a storage service.", - "guid": "3499c9c1-133d-42f7-a4b1-a5bd06ff1a90", - "link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore", - "service": "CosmosDB", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", + "link": "https://learn.microsoft.com/azure/automation/update-management/overview", + "service": "Azure Functions", "services": [ - "Backup", - "CosmosDB", - "Storage" + "Cost" ], "severity": "Medium", - "subcategory": "Backup Strategy", - "text": "Enable Automatic Backups", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Reliability" + "subcategory": "Functions", + "text": "Functions - Cache data locally", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", + "waf": "Cost" }, { - "category": "Operations Management", - "checklist": "CosmosDB Review Checklist", - "description": "This mode is the default backup mode for all existing accounts. In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. 
The minimum backup interval can be one hour.", - "guid": "a6eb33f6-005c-4d92-9286-7655672d6121", - "link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction", - "service": "CosmosDB", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Azure Functions", "services": [ - "Backup", - "CosmosDB" + "Storage", + "Cost" ], "severity": "Medium", - "subcategory": "Backup Strategy", - "text": "Perform Periodic Backups", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Reliability" + "subcategory": "Functions", + "text": "Functions - Cold starts-Use the 'Run from package' functionality. This way, the code is downloaded as a single zip file. This can, for example, result in significant improvements with Javascript functions, which have a lot of node modules.Use language specific tools to reduce the package size, for example, tree shaking Javascript applications.", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "Cost" }, { - "category": "Operations Management", - "checklist": "CosmosDB Review Checklist", - "description": "Continous 7 day retention and 30 day retention backups. Azure Cosmos DB performs data backup in the background without consuming any extra provisioned throughput (RUs) or affecting the performance and availability of your database. 
Continuous backups are taken in every region where the account exists.", - "guid": "d43918a8-cd28-49be-b6b1-7cb8245461e1", - "link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction", - "service": "CosmosDB", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "Azure Functions", "services": [ - "Backup", - "CosmosDB" + "Cost" ], "severity": "Medium", - "subcategory": "Backup Strategy", - "text": "Continous Backup with point-in-time restore in Azure Cosmos DB", - "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", - "waf": "Reliability" + "subcategory": "Functions", + "text": "Functions - Keep your functions warm", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Cost" }, { - "category": "BC and DR", - "checklist": "IoT Hub Review", - "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", - "service": "IoT", - "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled)", - "waf": "Reliability" + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Azure Functions", + "services": [ + "Cost" + ], + "severity": "Medium", + "subcategory": "Functions", + "text": "When using autoscale with different functions, there might be one driving all the autoscale for all the resources - consider moving it to a separate consumption plan (and consider higher plan for CPU)", + "waf": "Cost" }, { - "category": "BC and DR", 
- "checklist": "IoT Hub Review", - "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", - "services": [], + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", + "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", + "service": "Azure Functions", + "services": [ + "Cost" + ], "severity": "Medium", - "subcategory": "High Availability", - "text": "Be aware of Microsoft-initiated failovers. These are exercised by Microsoft in rare situations to fail over all the IoT hubs from an affected region to the corresponding geo-paired region.", - "waf": "Reliability" + "subcategory": "Functions", + "text": "Function apps in a given plan are all scaled together, so any issues with scaling can affect all apps in the plan.", + "waf": "Cost" }, { - "category": "BC and DR", - "checklist": "IoT Hub Review", - "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", - "service": "IoT", - "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "Consider a Cross-Region DR strategy for critical workloads", - "waf": "Reliability" + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", + "service": "Azure Functions", + "services": [ + "Cost" + ], + "severity": "Medium", + "subcategory": "Functions", + "text": "Am I billed for 'await time'? This question is typically asked in the context of a C# function that does an async operation and waits for the result, e.g. await Task.Delay(1000) or await client.GetAsync('http://google.com'). 
The answer is yes - the GB second calculation is based on the start and end time of the function and the memory usage over that period. What actually happens over that time in terms of CPU activity is not factored into the calculation.One exception to this rule is if you are using durable functions. You are not billed for time spent at awaits in orchestrator functions.apply demand shaping techinques where possible (dev environments?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", + "waf": "Cost" }, { - "category": "BC and DR", - "checklist": "IoT Hub Review", - "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", - "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "Learn how to trigger a manual failover.", - "waf": "Reliability" + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "df03a822-cd46-43cb-abc8-ac299ebc91a4", + "link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard", + "services": [ + "Cost" + ], + "severity": "Medium", + "subcategory": "Networking", + "text": "Evaluate your network topology against networking costs and where applicable reduce the egress and peering data", + "waf": "Cost" }, { - "category": "BC and DR", - "checklist": "IoT Hub Review", - "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", - "service": "IoT", - "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "Learn how to fail back after a failover.", - "waf": "Reliability" - }, - { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Disable image export to prevent data exfiltration. 
Note that this will prevent image import of images into another ACR instance.", - "guid": "ab91932c-9fc9-4d1b-a880-37f5e6bfcb9e", - "link": "https://learn.microsoft.com/azure/container-registry/data-loss-prevention", - "service": "ACR", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Front Door", "services": [ - "ACR" + "EventHubs", + "FrontDoor", + "Cost" ], - "severity": "High", - "subcategory": "Data Protection", - "text": "Disable Azure Container Registry image export", - "waf": "Security" + "severity": "Medium", + "subcategory": "Networking", + "text": "Frontdoor - Turn off the default homepageIn the application settings of your App, set AzureWebJobsDisableHomepage to true. This will return a 204 (No Content) to the PoP so only header data is returned.", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Enable audit compliance visibility by enabling Azure Policy for Azure Container Registry", - "guid": "d503547c-d447-4e82-9128-a7100f1cac6d", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy", - "service": "ACR", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Front Door", "services": [ - "AzurePolicy", - "ACR" + "FrontDoor", + "Cost", + "AppSvc" ], - "severity": "High", - "subcategory": "Data Protection", - "text": "Enable Azure Policies for Azure Container Registry", - "waf": "Security" + "severity": "Medium", + "subcategory": "Networking", + "text": "Frontdoor - Route to something that returns nothing. 
Either set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. The advantage of this is you will be able to log out when it is called.", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "The Azure Key Vault (AKV) is used to store a signing key that can be utilized by?notation?with the notation AKV plugin (azure-kv) to sign and verify container images and other artifacts. The Azure Container Registry (ACR) allows you to attach these signatures using the?az?or?oras?CLI commands.", - "guid": "d345293c-7639-4637-a551-c5c04e401955", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push", - "service": "ACR", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "f843e52f-4722-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/azure-monitor/agents/diagnostics-extension-overview", "services": [ - "AKV", - "ACR" + "Cost" ], - "severity": "High", - "subcategory": "Data Protection", - "text": "Sign and Verify containers with notation (Notary v2)", - "waf": "Security" + "severity": "Medium", + "subcategory": "PaaS", + "text": "Consider using free tiers where applicable for all non-production environments", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Azure Container Registry automatically encrypts images and other artifacts that you store. By default, Azure automatically encrypts the registry content at rest by using service-managed keys. 
By using a customer-managed key, you can supplement default encryption with an additional encryption layer.", - "guid": "0bd05dc2-efd5-4d76-8d41-d2500cc47b49", - "link": "https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys", - "service": "ACR", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "b9de39ac-0e7c-428d-a936-657202bff456", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", "services": [ - "AKV", - "ACR" + "Cost" ], "severity": "Medium", - "subcategory": "Data Protection", - "text": "Encrypt registry with a customer managed key", - "waf": "Security" + "subcategory": "Serverless", + "text": "Using serverless patterns for spikes can help keeping costs down", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Use managed identities to secure ACRPull/Push RBAC access from client applications", - "guid": "8f42d78e-79dc-47b3-9bd2-a1a27e7a8e90", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", - "service": "ACR", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", + "service": "Storage", "services": [ - "Entra", - "RBAC", - "ACR" + "Storage", + "Cost" ], - "severity": "High", - "subcategory": "Identity and Access Control", - "text": "Use Managed Identities to connect instead of Service Principals", - "waf": "Security" + "severity": "Medium", + "subcategory": "Storage", + "text": "Consider archiving tiers for less used data", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "The local Administrator account is disabled by default and should not be enabled. 
Use either Token or RBAC-based access methods instead", - "guid": "be0e38ce-e297-411b-b363-caaab79b198d", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", - "service": "ACR", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "VM", "services": [ - "Entra", - "RBAC", - "ACR" + "Storage", + "Cost" ], - "severity": "High", - "subcategory": "Identity and Access Control", - "text": "Disable local authentication for management plane access", - "waf": "Security" + "severity": "Medium", + "subcategory": "Storage", + "text": "Check disk sizes where the size does not match the tier (i.e. A 513 GiB disk will pay a P30 (1TiB) and consider resizing", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Disable Administrator account and assign RBAC roles to principals for ACR Pull/Push operations", - "guid": "387e5ced-126c-4d13-8af5-b20c6998a646", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli", - "service": "ACR", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "Storage", "services": [ - "Entra", - "RBAC", - "ACR" + "Storage", + "Cost" ], - "severity": "High", - "subcategory": "Identity and Access Control", - "text": "Assign AcrPull & AcrPush RBAC roles rather than granting Administrative access to identity principals", - "waf": "Security" + "severity": "Medium", + "subcategory": "Storage", + "text": "Consider using standard SSD rather than Premium or Ultra where possible", + "waf": "Cost" }, { - "category": "Security", - "checklist": 
"Azure Container Registry Security Review", - "description": "Disable anonymous pull/push access", - "guid": "e338997e-41c7-47d7-acf6-a62a1194956d", - "link": "https://learn.microsoft.com/azure/container-registry/anonymous-pull-access#configure-anonymous-pull-access", - "service": "ACR", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "Storage", "services": [ - "Entra", - "ACR" + "Storage", + "Cost" ], "severity": "Medium", - "subcategory": "Identity and Access Control", - "text": "Disable Anonymous pull access", - "waf": "Security" + "subcategory": "Storage", + "text": "For storage accounts, make sure that the chosen tier is not adding up transaction charges (it might be cheaper to move to the next tier)", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Token authentication doesn't support assignment to an AAD principal. 
Any tokens provided are able to be used by anyone who can access the token", - "guid": "698dc3a2-fd27-4b2e-8870-1a1252beedf6", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication?tabs=azure-cli", - "service": "ACR", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "Site Recovery", "services": [ - "Entra", - "ACR" + "ASR", + "Storage", + "Cost" ], - "severity": "High", - "subcategory": "Identity and Access Control", - "text": "Disable repository-scoped access tokens", - "waf": "Security" + "severity": "Medium", + "subcategory": "Storage", + "text": "For ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput allow it", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Deploy container images to an ACR behind a Private endpoint within a trusted network", - "guid": "b3bec3d4-f343-47c1-936d-b55f27a71eee", - "service": "ACR", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", + "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", + "service": "Storage", "services": [ - "Entra", - "EventHubs", - "PrivateLink", - "ACR" + "Storage", + "Cost" ], - "severity": "High", - "subcategory": "Identity and Access Control", - "text": "Deploy images from a trusted environment", - "waf": "Security" + "severity": "Medium", + "subcategory": "storage", + "text": "Storage accounts: check hot tier and/or GRS necessary", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Only tokens with an ACR audience can be used for authentication. 
Used when enabling Conditional access policies for ACR", - "guid": "3a041fd3-2947-498b-8288-b3c6a56ceb54", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy", - "service": "ACR", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "VM", "services": [ - "Entra", - "AzurePolicy", - "ACR" + "Storage", + "Cost" ], "severity": "Medium", - "subcategory": "Identity and Access Control", - "text": "Disable Azure ARM audience tokens for authentication", - "waf": "Security" + "subcategory": "Storage", + "text": "Disks - validate use of Premium SSD disks everywhere: for example, non-prod could swap to Standard SSD or on-demand Premium SSD ", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Set up a diagnostic setting to send 'repositoryEvents' & 'LoginEvents' to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the ACR resource itself.", - "guid": "8a488cde-c486-42bc-9bd2-1be77f26e5e6", - "link": "https://learn.microsoft.com/azure/container-registry/monitor-service", - "service": "ACR", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "Synapse", "services": [ - "Entra", + "EventHubs", "Monitor", - "ACR" + "Cost" ], "severity": "Medium", - "subcategory": "Logging and Monitoring", - "text": "Enable diagnostics logging", - "waf": "Security" + "subcategory": "Synapse", + "text": "Create budgets to manage costs and create alerts that automatically notify stakeholders of spending anomalies and overspending risks.", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch", - "guid": "21d41d25-00b7-407a-b9ea-b40fd3290798", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link", - "service": "ACR", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "Synapse", "services": [ - "VNet", - "PrivateLink", - "ACR", - "Firewall" + "Storage", + "Cost" ], "severity": "Medium", - "subcategory": "Network Security", - "text": "Control inbound network access with Private Link", - "waf": "Security" + "subcategory": "Synapse", + "text": "Export cost data to a storage account for additional data analysis.", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - 
"description": "Disable public network access if inbound network access is secured using Private Link", - "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks#disable-public-network-access", - "service": "ACR", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Synapse", "services": [ - "PrivateLink", - "ACR" + "Cost", + "SQL" ], "severity": "Medium", - "subcategory": "Network Security", - "text": "Disable Public Network access", - "waf": "Security" + "subcategory": "Synapse", + "text": "Control costs for a dedicated SQL pool by pausing the resource when it is not in use.", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Only the ACR Premium SKU supports Private Link access", - "guid": "fc833934-8b26-42d6-ac5f-512925498f6d", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-skus", - "service": "ACR", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", + "service": "Synapse", "services": [ - "PrivateLink", - "ACR" + "Cost" ], "severity": "Medium", - "subcategory": "Network Security", - "text": "Use an Azure Container Registry SKU that supports Private Link (Premium SKU)", - "waf": "Security" + "subcategory": "Synapse", + "text": "Enable the serverless Apache Spark automatic pause feature and set your timeout value accordingly.", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Azure Defender for containers or equivalent service should be used to scan container 
images for vulnerabilities", - "guid": "bad37dac-43bc-46ce-8d7a-a9b24604489a", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction", - "service": "ACR", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Synapse", "services": [ - "Defender", - "ACR" + "Cost" ], - "severity": "Low", - "subcategory": "Network Security", - "text": "Enable Defender for Containers to scan Azure Container Registry for vulnerabilities", - "waf": "Security" + "severity": "Medium", + "subcategory": "Synapse", + "text": "Create multiple Apache Spark pool definitions of various sizes.", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.", - "guid": "4451e1a2-d345-4293-a763-9637a551c5c0", - "service": "ACR", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "service": "Synapse", "services": [ - "ACR" + "Cost" ], "severity": "Medium", - "subcategory": "Vulnerability Management", - "text": "Deploy validated container images", - "waf": "Security" + "subcategory": "Synapse", + "text": "Purchase Azure Synapse commit units (SCU) for one year with a pre-purchase plan to save on your Azure Synapse Analytics costs.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - 
"description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.", - "guid": "4e401955-387e-45ce-b126-cd132af5b20c", - "service": "ACR", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "VM", "services": [ - "ACR" + "VM", + "Cost" ], - "severity": "High", - "subcategory": "Vulnerability Management", - "text": "Use up-to-date platforms, languages, protocols and frameworks", - "waf": "Security" + "severity": "Medium", + "subcategory": "VM", + "text": "Use Spot VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. 
", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "service": "Event Hubs", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "544451e1-92d3-4442-a3c7-628637a551c5", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", "services": [ - "EventHubs" + "VM", + "Cost" ], - "severity": "Low", - "subcategory": "Data Protection", - "text": "Use customer-managed key option in data at rest encryption when required", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Security" + "severity": "Medium", + "subcategory": "VM", + "text": "Right-sizing all VMs", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail. 
", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "service": "Event Hubs", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "VM", "services": [ - "EventHubs" + "VM", + "Cost" ], "severity": "Medium", - "subcategory": "Data Protection", - "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Security" + "subcategory": "VM", + "text": "Swap VM sized with normalized and most recent sizes", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure Event Hub Review", - "description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has manage permissions for the entire namespace. It�s recommended that you treat this rule like an administrative root account and don�t use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "service": "Event Hubs", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", "services": [ - "RBAC", - "EventHubs", - "TrafficManager", - "AzurePolicy", - "Entra" + "Monitor", + "VM", + "Cost" ], "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "Avoid using root account when it is not necessary", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "Security" + "subcategory": "VM", + "text": "right-sizing VMs - start with monitoring usage below 5% and then work up to 40%", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure Event Hub Review", - "description": "Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. 
", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "service": "Event Hubs", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", "services": [ - "EventHubs", - "AKV", - "Storage", - "Entra", - "VM" + "VM", + "Cost" ], "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "When possible, your application should be using a managed identity to authenticate to Azure Event Hub. If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Security" + "subcategory": "VM", + "text": "Containerizing an application can improve VM density and save money on scaling it", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure Event Hub Review", - "description": "When creating permissions, provide fine-grained control over a client's access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped to the individual resource level e.g. 
consumer group, event hub entity, event hub namespaces, etc.", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "service": "Event Hubs", - "services": [ - "RBAC", - "EventHubs", - "Entra" - ], + "category": "Operations Management", + "checklist": "Azure Data Factory Review Checklist", + "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", + "service": "Azure Data Factory", + "services": [], + "severity": "Medium", + "subcategory": "Best Practices", + "text": "Leverage FTA Resiliency Playbook for Azure Data Factory", + "waf": "Reliability" + }, + { + "category": "Operations Management", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", + "services": [], "severity": "High", - "subcategory": "Identity and Access Management", - "text": "Use least privilege data plane RBAC", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Security" + "subcategory": "Availablity Zone", + "text": "Use zone redundant pipelines in regions that support Availability Zones", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub resource logs include operational logs, virtual network and Kafka logs. 
Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "service": "Event Hubs", + "category": "Operations Management", + "checklist": "Azure Data Factory Review Checklist", + "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", + "link": "https://learn.microsoft.com/azure/data-factory/source-control", + "service": "Azure Data Factory", "services": [ - "EventHubs", - "VNet", - "Monitor" + "Backup" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Enable logging for security investigation. Use Azure Monitor to captured metrics and logs such as resource logs, runtime audit logs and Kafka logs", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Security" + "subcategory": "DevOps Integration", + "text": "Use DevOps to Backup the ARM templates with Github/Azure DevOps integration ", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Event Hub traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. 
", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "service": "Event Hubs", + "category": "Network Topology and Connectivity", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", + "services": [ + "VM" + ], + "severity": "Medium", + "subcategory": "Network", + "text": "Make sure you replicate the Self-Hosted Integration Runtime VMs in another region ", + "waf": "Reliability" + }, + { + "category": "Network Topology and Connectivity", + "checklist": "Azure Data Factory Review Checklist", + "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "services": [ - "EventHubs", - "PrivateLink", "VNet" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Consider using private endpoints to access Azure Event Hub and disable public network access when applicable.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "subcategory": "Network", + "text": "Make sure you replicate or duplicate your network in the sister region. You have to make a copy of your Vnet in another region", + "waf": "Reliability" + }, + { + "category": "Governance and Security", + "checklist": "Azure Data Factory Review Checklist", + "description": "If your ADF Pipelines use Key Vault you don't have to do anything to replicate Key Vault. 
Key Vault is a managed service and Microsoft takes care of it for you", + "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Azure Data Factory", + "services": [ + "AKV" + ], + "severity": "Low", + "subcategory": "Integration", + "text": "If using Keyvault integration, use SLA of Keyvault to understand your availablity", + "waf": "Reliability" + }, + { + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Front Door", + "services": [ + "AKV", + "FrontDoor" + ], + "severity": "Medium", + "subcategory": "Front Door", + "text": "If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. Reduce the risk of outages caused by manual certificate renewal", + "waf": "Operations" + }, + { + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "b71ca41b-3a80-48f3-a6cd-22cdf197c1cf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "services": [], + "severity": "Medium", + "subcategory": "App delivery", + "text": "Perform app delivery within landing zones for both internal-facing (corp) and external-facing apps (online).", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Event Hub Review", - "description": "With IP firewall, you can restrict public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. 
", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "service": "Event Hubs", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", + "guid": "553585a6-abe0-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "App Gateway", "services": [ - "EventHubs" + "AppGW" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Consider only allowing access to Azure Event Hub namespace from specific IP addresses or ranges", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "subcategory": "App Gateway", + "text": "Ensure you are using Application Gateway v2 SKU", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure Event Hub Review", - "guid": "31d41e36-11c8-417b-8afb-c410d4391898", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", - "service": "Event Hubs", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", + "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Load Balancer", "services": [ - "EventHubs" + "LoadBalancer" ], "severity": "Medium", - "subcategory": "Best Practices", - "text": "Leverage FTA Resillency HandBook", - "waf": "Reliability" + "subcategory": "Load Balancer", + "text": "Ensure 
you are using the Standard SKU for your Azure Load Balancers", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure Event Hub Review", - "description": " This will be turned on automatically for a new EH namespace created from the portal with Premium, Dedicated, or Standard SKUs in a zone-enabled region. Both the EH metadata and the event data itself are replicated across zones", - "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", - "service": "Event Hubs", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "9432621a-8397-4654-a882-5bc856b7ef83", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", + "service": "Load Balancer", "services": [ - "EventHubs", - "ACR" + "LoadBalancer" ], - "severity": "High", - "subcategory": "Zone Redudancy", - "text": "Leverage Availability Zones if regionally applicable", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Load Balancer", + "text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure Event Hub Review", - "guid": "20b56c56-ad58-4519-8f82-735c586bb281", - "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", - "service": "Event Hubs", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand 
subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", + "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "App Gateway", "services": [ - "EventHubs" + "VNet", + "AppGW" ], "severity": "Medium", - "subcategory": "Best Practices", - "text": "Use the Premium or Dedicated SKUs for predicable performance", - "waf": "Reliability" + "subcategory": "App Gateway", + "text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure Event Hub Review", - "description": "The built-in geo-disaster recovery feature, when enabled, ensures that the entire configuration of anamespace (Event Hubs, Consumer Groups and settings) is continuously replicated from a primary namespace to a secondary namespace, and it allows a once-only failover move from the primary to the secondary at any time. 
Active/Passive feature is designed to make it easier to recover from and abandon a failed Azure region without having to change application configurations", - "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", - "service": "Event Hubs", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "description": "Administration of reverse proxies in general and WAF in particular is closer to the application than to networking, so they belong in the same subscription as the app. Centralizing the Application Gateway and WAF in the connectivity subscription might be OK if it is managed by one single team.", + "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", "services": [ - "EventHubs", - "ASR" + "VNet", + "Entra", + "Subscriptions", + "WAF", + "NVA", + "AppGW" ], - "severity": "High", - "subcategory": "Geo Redudancy", - "text": "Plan for Geo Disaster Recovery using Active Passive configuration", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "App Gateway", + "text": "Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound HTTP(S) connections within the landing-zone virtual network and with the apps that they're securing.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure Event Hub Review", - "description": "Should be used for DR configurations where an outage or loss of event data in the downed region cannot be tolerated. For these cases, follow the replication guidance and do not use the built-in geo-disaster recovery capability (active/passive). 
With Active/Active, Maintain multiple Event Hubs in different regions and namespaces, and events will be replicated between the hubs", - "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", - "service": "Event Hubs", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", "services": [ - "EventHubs", - "ASR" + "DDoS" ], "severity": "Medium", - "subcategory": "Geo Redudancy", - "text": "For Business Critical Applications, use Active Active configuration", + "subcategory": "App Gateway", + "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" + }, + { + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", + "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", + "service": "App Gateway", + "services": [], + "severity": "Medium", + "subcategory": "App Gateway", + "text": "Configure autoscaling with a minimum amount of instances of two.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Azure Event Hub Review", - "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", - "link": 
"https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", - "service": "Event Hubs", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", + "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", + "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", + "service": "App Gateway", "services": [ - "EventHubs" + "ACR", + "AppGW" ], "severity": "Medium", - "subcategory": "Reliability", - "text": "Design Resilient Event Hubs", + "subcategory": "App Gateway", + "text": "Deploy Application Gateway across Availability Zones", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Reliability" }, { - "category": "Version Control", - "checklist": "Azure DevOps", - "description": "Implement branching policy in Azure DevOps", - "guid": "eda1dae2-cc85-4c47-a6b7-81cca0e6c465", - "link": "https://learn.microsoft.com/azure/devops/repos/git/branch-policies-overview?view=azure-devops", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Front Door", "services": [ - "AzurePolicy" + "FrontDoor", + "AzurePolicy", + "WAF" ], - "severity": "High", - "subcategory": "Branching Policy", - "text": "Branch Policies", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Front Door", + "text": "Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span multiple Azure regions.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "category": "Version Control", - 
"checklist": "Azure DevOps", - "description": "Understand branch strategy such as GitFlow or GitHub Flow", - "guid": "bc288bec-6a16-4ca7-8444-51e1add34529", - "link": "https://learn.microsoft.com/azure/devops/repos/git/git-branching-guidance?view=azure-devops", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "3f29812b-2363-4cef-b179-b599de0d5973", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "Front Door", "services": [ - "AzurePolicy" + "FrontDoor", + "AzurePolicy", + "WAF", + "AppGW" ], - "severity": "High", - "subcategory": "Branching Policy", - "text": "Branching strategy", - "waf": "Operations" + "severity": "Medium", + "subcategory": "App delivery", + "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. Lock down Application Gateway to receive traffic only from Front Door.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "category": "Version Control", - "checklist": "Azure DevOps", - "description": "Understand how teams work with git", - "guid": "ec723823-7a15-41c5-ab4e-401914387e5c", - "link": "https://www.atlassian.com/git/tutorials/comparing-workflows/gitflow-workflow", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Traffic Manager", "services": [ - "AzurePolicy" + "TrafficManager" ], "severity": "High", - "subcategory": "Branching Policy", - "text": "Understand GitFlow Branch Strategy", - "waf": "Operations" + "subcategory": "Traffic Manager", + "text": "Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.", + "training": 
"https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Reliability" }, { - "category": "Version Control", - "checklist": "Azure DevOps", - "description": "Merge into higher branches after two or more reviewers in a PR", - "guid": "a9c26c9c-32ab-45bd-8c69-98a246e33899", - "link": "https://learn.microsoft.com/azure/devops/repos/git/review-pull-requests?view=azure-devops&tabs=browser", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", "services": [ - "AzurePolicy" + "Entra", + "AVD" ], - "severity": "High", - "subcategory": "Branching Policy", - "text": "Pull Request Review", - "waf": "Operations" + "severity": "Low", + "subcategory": "App delivery", + "text": "If users only need access to internal applications, has Microsoft Entra ID Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "waf": "Security" }, { - "category": "Version Control", - "checklist": "Azure DevOps", - "description": "Implement access control to the branches", - "guid": "7e41c77d-68cb-46a2-8ac1-9f916d697d8e", - "link": "https://learn.microsoft.com/azure/devops/repos/git/branch-permissions?view=azure-devops", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", "services": [ - "AzurePolicy" + "Entra" ], "severity": "Medium", - "subcategory": "Branching Policy", - "text": "Access Control to the Branch", - "waf": "Operations" + "subcategory": "App 
delivery", + "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications.", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Security" }, { - "category": "Version Control", - "checklist": "Azure DevOps", - "description": "Perform SAST code scan", - "guid": "adfd27bd-e187-401a-a252-baa9b68a088c", - "link": "https://devblogs.microsoft.com/devops/integrate-security-into-your-developer-workflow-with-github-advanced-security-for-azure-devops/", - "services": [], + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "ae248989-b306-4591-9186-de482e3f0f0e", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "Front Door", + "services": [ + "FrontDoor", + "AzurePolicy", + "WAF" + ], "severity": "High", - "subcategory": "Security", - "text": "Code Scan", + "subcategory": "Front Door", + "text": "Deploy your WAF policy for Front Door in 'Prevention' mode.", "waf": "Security" }, { - "category": "Version Control", - "checklist": "Azure DevOps", - "description": "Understand TFVC as Code Repo", - "guid": 
"9a8f822b-8eb9-4d1b-a77f-26e5e6beba8e", - "link": "https://learn.microsoft.com/azure/devops/repos/tfvc/what-is-tfvc?view=azure-devops", - "services": [], - "severity": "Low", - "subcategory": "Practice", - "text": "TFVC as Code Repository", - "waf": "Operations" + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "Front Door", + "services": [ + "TrafficManager", + "FrontDoor" + ], + "severity": "High", + "subcategory": "Front Door", + "text": "Avoid combining Azure Traffic Manager and Azure Front Door.", + "waf": "Security" }, { - "category": "Version Control", - "checklist": "Azure DevOps", - "description": "Compare Git vs TFVC for your project", - "guid": "d4f3437b-c336-4d71-9f27-a71eee0b9b5d", - "link": "https://learn.microsoft.com/azure/devops/repos/tfvc/comparison-git-tfvc?view=azure-devops", - "services": [], - "severity": "Low", - "subcategory": "Practice", - "text": "Choose Right version control", - "waf": "Operations" + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "Front Door", + "services": [ + "FrontDoor" + ], + "severity": "High", + "subcategory": "Front Door", + "text": "Use the same domain name on Azure Front Door and your origin. 
Mismatched host names can cause subtle bugs.", + "waf": "Security" }, { - "category": "Azure Boards", - "checklist": "Azure DevOps", - "description": "Set up your team management", - "guid": "8defd5d7-21d4-41d2-900c-807bf9eab40f", - "link": "https://learn.microsoft.com/azure/devops/organizations/settings/manage-teams?view=azure-devops", - "services": [], - "severity": "High", - "subcategory": "Team Planning", - "text": "Configure your teams", - "waf": "Operations" + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", + "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "Front Door", + "services": [ + "FrontDoor" + ], + "severity": "Low", + "subcategory": "Front Door", + "text": "Disable health probes when there is only one origin in an Azure Front Door origin group.", + "waf": "Performance" }, { - "category": "Azure Boards", - "checklist": "Azure DevOps", - "description": "Start scheduling sprints", - "guid": "9ed5b354-78d4-447a-a26c-2863c00f1cac", - "link": "https://learn.microsoft.com/azure/devops/boards/sprints/define-sprints?view=azure-devops", - "services": [], + "category": "Network Topology and 
Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "Front Door", + "services": [ + "FrontDoor" + ], "severity": "Medium", - "subcategory": "Team Planning", - "text": "Configure your sprints", - "waf": "Operations" + "subcategory": "Front Door", + "text": "Select good health probe endpoints for Azure Front Door. Consider building health endpoints that check all of your application's dependencies.", + "waf": "Reliability" }, { - "category": "Azure Boards", - "checklist": "Azure DevOps", - "description": "Set up your work item heirarchy", - "guid": "699ef1d5-a83d-4e5d-b36c-1c81870a0bc5", - "link": "https://learn.microsoft.com/azure/devops/organizations/settings/work/customize-process-work-item-type?view=azure-devops", - "services": [], - "severity": "Low", - "subcategory": "Team Planning", - "text": "Choose Work Item types", - "waf": "Operations" - }, - { - "category": "Azure Boards", - "checklist": "Azure DevOps", - "description": "WIT Processes available in Azure DevOps", - "guid": "c1e43a18-658d-4285-aed6-7179b825546d", - "link": "https://learn.microsoft.com/azure/devops/boards/work-items/guidance/choose-process?view=azure-devops&tabs=agile-process", - "services": [], - "severity": "High", - "subcategory": "Team Planning", - "text": "Select a WIT Process", - "waf": "Operations" - }, - { - "category": "Azure Boards", - "checklist": "Azure DevOps", - "description": "Use Azure Boards with GitHub", - "guid": "f2aee455-3afc-4833-a248-726dd68c5b5c", - "link": "https://learn.microsoft.com/azure/devops/cross-service/github-integration?view=azure-devops", - "services": [], - "severity": "Low", - "subcategory": "Tool Integration", - "text": "GitHub Integration", - "waf": "Operations" - }, - { - "category": "Azure Boards", - "checklist": "Azure DevOps", - "description": "Understand the 
methologies", - "guid": "2925394b-69b9-4d37-aac4-3bc68d1d7665", - "link": "https://www.atlassian.com/agile/scrum/agile-vs-scrum", - "services": [], - "severity": "Medium", - "subcategory": "Process Planning", - "text": "Understand Agile Vs Scrum", - "waf": "Operations" - }, - { - "category": "Azure Boards", - "checklist": "Azure DevOps", - "description": "Create Dashboard and PowerBI reports", - "guid": "7246b448-564b-44dd-94a7-59c7633bd2a1", - "link": "https://learn.microsoft.com/azure/devops/report/dashboards/overview?view=azure-devops", - "services": [], - "severity": "Medium", - "subcategory": "Reporting", - "text": "Dashboard", - "waf": "Operations" - }, - { - "category": "Azure Boards", - "checklist": "Azure DevOps", - "description": "Set up backlog", - "guid": "a27a764a-90be-40e3-98ee-293c1bd363ca", - "link": "https://learn.microsoft.com/azure/devops/boards/backlogs/set-up-your-backlog?view=azure-devops", - "services": [], - "severity": "Medium", - "subcategory": "Reporting", - "text": "Refine your backlog", - "waf": "Operations" - }, - { - "category": "Azure Boards", - "checklist": "Azure DevOps", - "description": "Link your work items", - "guid": "aab75719-49ab-4919-9dc9-fc9d1bb84b37", - "link": "https://learn.microsoft.com/azure/devops/boards/queries/link-work-items-support-traceability?view=azure-devops&tabs=browser", - "services": [], - "severity": "Medium", - "subcategory": "Reporting", - "text": "Visualize Relationships", - "waf": "Operations" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "View the velocity report", - "guid": "b5a67fcb-9ed5-4b35-978d-447a826c2863", - "link": "https://learn.microsoft.com/azure/devops/report/dashboards/team-velocity?view=azure-devops&tabs=in-context", - "services": [], - "severity": "Low", - "subcategory": "Reporting", - "text": "Review Team Velocity", - "waf": "Operations" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Create your 
first pipeline", - "guid": "c00f1cac-699e-4f1d-9a83-de5de36c1c81", - "link": "https://learn.microsoft.com/azure/devops/pipelines/create-first-pipeline?view=azure-devops&tabs=java%2Ctfs-2018-2%2Cbrowser", - "services": [], - "severity": "High", - "subcategory": "Continuous Integration", - "text": "Set up pipeline", - "waf": "Operations" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Specify events that trigger pipelines", - "guid": "870a0bc5-c1e4-43a1-a658-d2858ed67179", - "link": "https://learn.microsoft.com/azure/devops/pipelines/build/triggers?view=azure-devops", - "services": [], - "severity": "High", - "subcategory": "Continuous Integration", - "text": "Set Build triggers", - "waf": "Operations" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Use YAML to create build pipeline", - "guid": "b825546d-f2ae-4e45-93af-c8339248726d", - "link": "https://learn.microsoft.com/azure/devops/pipelines/customize-pipeline?view=azure-devops", - "services": [], - "severity": "Low", - "subcategory": "Continuous Integration", - "text": "Customize YAML Pipeline", - "waf": "Operations" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Use classic GUI editor to set up pipeline", - "guid": "d68c5b5c-2925-4394-a69b-9d379ac43bc6", - "link": "https://learn.microsoft.com/azure/devops/pipelines/get-started/pipelines-get-started?view=azure-devops&source=recommendations#define-pipelines-using-the-classic-interface", - "services": [], - "severity": "Medium", - "subcategory": "Continuous Integration", - "text": "Use GUI for pipeline", - "waf": "Operations" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Set up templates, parameters and expressions", - "guid": "8d1d7665-7246-4b44-a564-b4dd74a759c7", - "link": "https://learn.microsoft.com/azure/devops/pipelines/process/templates?view=azure-devops&pivots=templates-includes", - 
"services": [], - "severity": "Medium", - "subcategory": "Continuous Integration", - "text": "Configure Templates", - "waf": "Operations" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Set up jobs, stages and dependencies", - "guid": "633bd2a1-a27a-4764-a90b-e0e378ee293c", - "link": "https://learn.microsoft.com/azure/devops/pipelines/process/stages?view=azure-devops&tabs=yaml", - "services": [], - "severity": "High", - "subcategory": "Continuous Integration", - "text": "Jobs", - "waf": "Operations" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Set up conditions and Demands", - "guid": "1bd363ca-aab7-4571-a49a-b9193dc9fc9d", - "link": "https://learn.microsoft.com/azure/devops/pipelines/process/conditions?view=azure-devops&tabs=yaml%2Cstages", - "services": [], - "severity": "Medium", - "subcategory": "Continuous Integration", - "text": "Conditions and Demands", - "waf": "Operations" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Define Variables", - "guid": "1bb84b37-b5a6-47fc-a9ed-5b35478d447a", - "link": "https://learn.microsoft.com/azure/devops/pipelines/process/variables?view=azure-devops&tabs=yaml%2Cbatch", - "services": [], - "severity": "High", - "subcategory": "Continuous Integration", - "text": "Variables", - "waf": "Operations" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Set up your deployment pipeline", - "guid": "826c2863-c00f-41ca-a699-ef1d5a83de5d", - "link": "https://learn.microsoft.com/azure/devops/pipelines/process/create-multistage-pipeline?view=azure-devops", - "services": [], - "severity": "High", - "subcategory": "Continuous Deployment", - "text": "Deployment Pipeline", - "waf": "Operations" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Select correct branches to deploy from", - "guid": 
"e36c1c81-870a-40bc-9c1e-43a18658d285", - "link": "https://learn.microsoft.com/azure/devops/pipelines/release/deploy-multiple-branches?view=azure-devops", - "services": [], - "severity": "Medium", - "subcategory": "Continuous Deployment", - "text": "Release branch", - "training": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview", - "waf": "Operations" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "use relevant template to deploy to azure", - "guid": "8ed67179-b825-4546-bf2a-ee4553afc833", - "link": "https://learn.microsoft.com/azure/devops/pipelines/overview-azure?view=azure-devops", - "services": [], - "severity": "Medium", - "subcategory": "Continuous Deployment", - "text": "Deploy to Azure", - "waf": "Operations" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Define Release Approvals and pre deployment checks", - "guid": "9248726d-d68c-45b5-a292-5394b69b9d37", - "link": "https://learn.microsoft.com/azure/devops/pipelines/process/approvals?view=azure-devops&tabs=check-pass", - "services": [], - "severity": "Medium", - "subcategory": "Continuous Deployment", - "text": "Approvals and Checks", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Operations" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Define Gates and post deployment checks", - "guid": "9ac43bc6-8d1d-4766-9724-6b448564b4dd", - "link": "https://learn.microsoft.com/azure/devops/pipelines/release/approvals/?view=azure-devops&tabs=yaml", - "services": [], - "severity": "Medium", - "subcategory": "Continuous Deployment", - "text": "Gates", - "waf": "Operations" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Define Azure Function and REST API Checks", - "guid": "74a759c7-633b-4d2a-8a27-a764a90be0e3", - "link": 
"https://learn.microsoft.com/azure/devops/pipelines/process/invoke-checks?view=azure-devops", - "services": [], - "severity": "Low", - "subcategory": "Continuous Deployment", - "text": "Azure Function Checks", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Operations" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Review pipeline reports", - "guid": "78ee293c-1bd3-463c-aaab-7571949ab919", - "link": "https://learn.microsoft.com/azure/devops/pipelines/reports/pipelinereport?view=azure-devops", - "services": [], - "severity": "High", - "subcategory": "Continuous Deployment", - "text": "Pipline Reports", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Operations" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "configure Trend Result widget", - "guid": "3dc9fc9d-1bb8-44b3-9b5a-67fcb9ed5b35", - "link": "https://learn.microsoft.com/azure/devops/report/dashboards/analytics-widgets?toc=%2Fazure%2Fdevops%2Fpipelines%2Ftoc.json&view=azure-devops#test-results-trend-advanced", - "services": [], - "severity": "Medium", - "subcategory": "Analytics", - "text": "Pipeline Result Trend", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Operations" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Connect with WIT to visualize work", - "guid": "478d447a-826c-4286-9c00-f1cac699ef1d", - "link": "https://learn.microsoft.com/azure/devops/pipelines/integrations/configure-pipelines-work-tracking?view=azure-devops&tabs=yaml", - "services": [], - "severity": "Medium", - "subcategory": "Analytics", - "text": "Work Tracking with Pipeline", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "Operations" - }, - { - "category": "Azure 
Pipelines", - "checklist": "Azure DevOps", - "description": "Understand agent pools", - "guid": "5a83de5d-e36c-41c8-8870-a0bc5c1e43a1", - "link": "https://learn.microsoft.com/azure/devops/pipelines/agents/agents?view=azure-devops&tabs=yaml%2Cbrowser", - "services": [], - "severity": "Medium", - "subcategory": "Continuous Deployment", - "text": " Agents and agent pools", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Operations" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Understand and provision Deployment Groups when required", - "guid": "8658d285-8ed6-4717-ab82-5546df2aee45", - "link": "https://learn.microsoft.com/azure/devops/pipelines/release/deployment-groups/?view=azure-devops", - "services": [], - "severity": "Low", - "subcategory": "Continuous Deployment", - "text": "Deployment Groups", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Operations" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Understand Kubernetes Deployment", - "guid": "53afc833-9248-4726-bd68-c5b5c2925394", - "link": "https://learn.microsoft.com/azure/devops/pipelines/ecosystems/kubernetes/deploy?view=azure-devops", - "services": [ - "AKS" - ], - "severity": "Low", - "subcategory": "Continuous Deployment", - "text": "Deploy to Kubernetes", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Operations" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Perform Dynamic Security Testing", - "guid": "b69b9d37-9ac4-43bc-98d1-d76657246b44", - "link": "https://devblogs.microsoft.com/premier-developer/azure-devops-pipelines-leveraging-owasp-zap-in-the-release-pipeline/", - "services": [], - "severity": "Medium", - "subcategory": "Security", - "text": "DAST Scan", - "training": 
"https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", - "waf": "Security" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Manage Service Connections", - "guid": "8564b4dd-74a7-459c-9633-bd2a1a27a764", - "link": "https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml", - "services": [], - "severity": "Medium", - "subcategory": "Security", - "text": "Service Connections", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", - "waf": "Security" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Set data retention policies for CI and CD", - "guid": "a90be0e3-78ee-4293-a1bd-363caaab7571", - "link": "https://learn.microsoft.com/azure/devops/pipelines/policies/retention?view=azure-devops&tabs=yaml", - "services": [ - "AzurePolicy" - ], - "severity": "Medium", - "subcategory": "Security", - "text": "Retention Policies", - "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", - "waf": "Security" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Set up and pay for concurrent pipelines", - "guid": "949ab919-3dc9-4fc9-b1bb-84b37b5a67fc", - "link": "https://learn.microsoft.com/azure/devops/pipelines/licensing/concurrent-jobs?view=azure-devops&tabs=ms-hosted", - "services": [], - "severity": "Low", - "subcategory": "Administration", - "text": "Parallel Pipelines", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", - "waf": "Operations" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Set pipeline permissions", - "guid": "b9ed5b35-478d-4447-a826-c2863c00f1ca", - "link": "https://learn.microsoft.com/azure/devops/pipelines/policies/permissions?view=azure-devops", - "services": [], - "severity": "Medium", - "subcategory": "Security", - 
"text": "Pipeline Permissions", - "training": "https://learn.microsoft.com/learn/paths/implement-windows-server-iaas-virtual-machine-identity/", - "waf": "Security" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Add users to pipeline", - "guid": "c699ef1d-5a83-4de5-be36-c1c81870a0bc", - "link": "https://learn.microsoft.com/azure/devops/pipelines/policies/set-permissions?view=azure-devops", - "services": [], - "severity": "Low", - "subcategory": "Security", - "text": "Pipeline Users", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "Security" - }, - { - "category": "Azure Artifact", - "checklist": "Azure DevOps", - "description": "Configure Artifacts", - "guid": "5c1e43a1-8658-4d28-98ed-67179b825546", - "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/artifacts-overview?view=azure-devops&tabs=nuget", - "services": [], - "severity": "Medium", - "subcategory": "Configuration", - "text": "Artifact In Pipeline", - "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", - "waf": "Operations" - }, - { - "category": "Azure Artifact", - "checklist": "Azure DevOps", - "description": "Publish and consume artifact in pipeline", - "guid": "df2aee45-53af-4c83-9924-8726dd68c5b5", - "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/pipeline-artifacts?view=azure-devops&tabs=yaml", - "services": [], - "severity": "Medium", - "subcategory": "Configuration", - "text": "Publish and download Artifact", - "training": "https://learn.microsoft.com/azure/architecture/example-scenario/identity/adds-extend-domain", - "waf": "Operations" - }, - { - "category": "Azure Artifact", - "checklist": "Azure DevOps", - "description": "Publish NuGet packages with artifacts", - "guid": "c2925394-b69b-49d3-99ac-43bc68d1d766", - "link": 
"https://learn.microsoft.com/azure/devops/pipelines/artifacts/nuget?view=azure-devops&tabs=yaml", - "services": [], - "severity": "Low", - "subcategory": "Configuration", - "text": "NuGet", - "training": "https://learn.microsoft.com/azure/role-based-access-control/overview", - "waf": "Operations" - }, - { - "category": "Azure Artifact", - "checklist": "Azure DevOps", - "description": "Publish Maven packages with artifacts", - "guid": "57246b44-8564-4b4d-b74a-759c7633bd2a", - "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/publish-maven-artifacts?view=azure-devops", - "services": [], - "severity": "Low", - "subcategory": "Configuration", - "text": "Maven", - "waf": "Operations" - }, - { - "category": "Azure Artifact", - "checklist": "Azure DevOps", - "description": "Publish NPM packages with artifacts", - "guid": "1a27a764-a90b-4e0e-978e-e293c1bd363c", - "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/npm?view=azure-devops&tabs=yaml", - "services": [], - "severity": "Low", - "subcategory": "Configuration", - "text": "NPM", - "waf": "Operations" - }, - { - "category": "Azure Artifact", - "checklist": "Azure DevOps", - "description": "Best Practices to work with Azure Artifact", - "guid": "aaab7571-949a-4b91-a3dc-9fc9d1bb84b3", - "link": "https://learn.microsoft.com/azure/devops/artifacts/concepts/best-practices?view=azure-devops", - "services": [], - "severity": "Medium", - "subcategory": "Configuration", - "text": "Best Practices", - "waf": "Operations" - }, - { - "category": "DevOps Practice", - "checklist": "Azure DevOps", - "description": "What is monitoring?", - "guid": "7b5a67fc-b9ed-45b3-9478-d447a826c286", - "link": "https://learn.microsoft.com/devops/operate/what-is-monitoring", - "services": [ - "Monitor" - ], - "severity": "High", - "subcategory": "Practice", - "text": "What to monitor?", - "waf": "Operations" - }, - { - "category": "DevOps Practice", - "checklist": "Azure DevOps", - "description": "Progressive 
Exposure Strategy", - "guid": "3c00f1ca-c699-4ef1-b5a8-3de5de36c1c8", - "link": "https://learn.microsoft.com/devops/operate/safe-deployment-practices", - "services": [], - "severity": "Medium", - "subcategory": "Practice", - "text": "Safe Deployment Practices", - "waf": "Operations" - }, - { - "category": "DevOps Practice", - "checklist": "Azure DevOps", - "description": "Microsoft runs reliable systems with DevOps", - "guid": "1870a0bc-5c1e-443a-8865-8d2858ed6717", - "link": "https://learn.microsoft.com/devops/operate/how-microsoft-operates-devops", - "services": [], - "severity": "Low", - "subcategory": "Practice", - "text": "Case Study", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "waf": "Operations" - }, - { - "category": "DevOps Practice", - "checklist": "Azure DevOps", - "description": "Security in DevOps", - "guid": "9b825546-df2a-4ee4-953a-fc8339248726", - "link": "https://learn.microsoft.com/devops/operate/security-in-devops", - "services": [], - "severity": "Medium", - "subcategory": "Practice", - "text": "DevSecOps", - "waf": "Security" - }, - { - "category": "DevOps Practice", - "checklist": "Azure DevOps", - "description": "Enable DevSecops with Azure And GitHub", - "guid": "dd68c5b5-c292-4539-9b69-b9d379ac43bc", - "link": "https://learn.microsoft.com/devops/devsecops/enable-devsecops-azure-github", - "services": [], - "severity": "Low", - "subcategory": "Practice", - "text": "DevSecops", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "Security" - }, - { - "category": "DevOps Practice", - "checklist": "Azure DevOps", - "description": "Mirror RBAC in DevOps", - "guid": "68d1d766-5724-46b4-9856-4b4dd74a759c", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/secure/best-practices/end-to-end-governance", - "services": [ - "RBAC" - ], - "severity": "Low", - "subcategory": "Practice", - "text": "Secure DevOps Govenance", - 
"training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "Security" - }, - { - "category": "DevOps Practice", - "checklist": "Azure DevOps", - "description": "Governance when using CI/CD", - "guid": "7633bd2a-1a27-4a76-9a90-be0e378ee293", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/governance/end-to-end-governance-in-azure", - "services": [], - "severity": "Medium", - "subcategory": "Practice", - "text": "Azure DevOps Governance", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Security" - }, - { - "category": "Operations Management", - "checklist": "DNS Review Checklist", - "guid": "a96b96ad-8840-48f3-9273-4c876ba28021", - "link": "https://learn.microsoft.com/azure/dns/private-dns-resiliency", - "services": [ - "VNet", - "DNS" - ], - "severity": "High", - "subcategory": "Azure Private DNS", - "text": "Verify that Zones are linked to Vnets in multiple regions", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "DNS Review Checklist", - "guid": "45901465-d38e-453f-accb-d969266acca2", - "link": "https://learn.microsoft.com/azure/dns/private-dns-resiliency", - "services": [ - "DNS" - ], - "severity": "High", - "subcategory": "Azure Private DNS", - "text": "If different Zones are used between regions, verify a plan for making sure that Zones are up to date in a DR failover situation", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "DNS Review Checklist", - "guid": "74faa19b-f39d-495d-94c7-c8919ca1f6d5", - "link": "https://learn.microsoft.com/azure/reliability/reliability-traffic-manager?toc=%2Fazure%2Fdns%2Ftoc.json", - "services": [ - "ASR", - "DNS", - "TrafficManager" - ], - "severity": "Medium", - "subcategory": "Azure DNS", - "text": "Plan for disaster recovery with Azure DNS and Traffic Manager", - "waf": "Reliability" - }, - { - "category": "Operations 
Management", - "checklist": "DNS Review Checklist", - "guid": "315ae524-ba34-4d45-a5e1-2139bd7bb012", - "link": "https://learn.microsoft.com/azure/dns/private-resolver-reliability#availability-zones", - "services": [ - "DNS" - ], - "severity": "Medium", - "subcategory": "Azure DNS Resolver", - "text": "Enable availability zones with Private Resolver", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "DNS Review Checklist", - "guid": "f7b95e06-e154-4e2a-a359-2828e6e20517", - "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover", - "services": [ - "ASR", - "DNS" - ], - "severity": "Medium", - "subcategory": "Azure DNS Resolver", - "text": "Plan for failover with Private Resolvers in a Disaster Recovery", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "DNS Review Checklist", - "guid": "2676ae46-691e-4883-9ad9-42223e138105", - "link": "https://learn.microsoft.com/azure/reliability/reliability-virtual-machines?toc=%2Fazure%2Fvirtual-machines%2Ftoc.json&bc=%2Fazure%2Fvirtual-machines%2Fbreadcrumb%2Ftoc.json&tabs=graph", - "services": [ - "VM", - "DNS" - ], - "severity": "Medium", - "subcategory": "VM Based DNS Service", - "text": "Follow VM Guidance for resillency of VM", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "DNS Review Checklist", - "guid": "23081a94-1741-4583-9ff7-ad7c6d373316", - "link": "https://www.windows-active-directory.com/azure-ad-dns-for-custom-domain-names-with-advanced-dns-settings.html", - "services": [ - "Entra", - "VM", - "DNS" - ], - "severity": "Medium", - "subcategory": "VM Based DNS Service", - "text": "IF AD based DNS, follow the Identity -> Windows Server AD path", - "waf": "Reliability" - }, - { - "category": "Compute", - "checklist": "Resiliency Review", - "description": "Automatic instance repairs ensure that unhealthy instances are promptly identified and replaced, maintaining a set of 
healthy instances within your scale set.", - "guid": "7e13c105-675c-41e9-95b4-59837ff7ae7c", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs", - "service": "VMSS", - "services": [ - "VM" - ], - "severity": "Low", - "subcategory": "VM Scale Sets", - "text": "Enable automatic instance repairs for enhanced VM Scale Sets resiliency", - "waf": "Reliability" - }, - { - "category": "Compute", - "checklist": "Resiliency Review", - "description": "Ensure that Azure Backup is utilized appropriately to meet your organization's resiliency requirements for Azure virtual machines (VMs).", - "guid": "4d874a74-8b66-42d6-b150-512a66498f6d", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction", - "service": "VM", - "services": [ - "Backup", - "VM" - ], - "severity": "High", - "subcategory": "Virtual Machines", - "text": "Consider Azure Backup to meet your resiliency requirements for Azure VMs", - "waf": "Reliability" - }, - { - "category": "Compute", - "checklist": "Resiliency Review", - "description": "Single Instance VMs using Premium SSD or Ultra Disk for all Operating System Disks and Data Disks are guaranteed to have Virtual Machine Connectivity of at least 99.9%", - "guid": "8052d88e-79d1-47b7-9b22-a5a67e7a8ed4", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "VM", - "services": [ - "VM" - ], - "severity": "High", - "subcategory": "Virtual Machines", - "text": "Use Premium or Ultra disks for production VMs", - "waf": "Reliability" - }, - { - "category": "Compute", - "checklist": "Resiliency Review", - "description": "Azure automatically replicates managed disks within a region to ensure data durability and protect against single-point failures.", - "guid": "b31e38c3-f298-412b-8363-cffe179b599d", - "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview", - "service": "VM", - "services": [ - "VM" - ], - 
"severity": "High", - "subcategory": "Virtual Machines", - "text": "Ensure Managed Disks are used for all VMs", - "waf": "Reliability" - }, - { - "category": "Compute", - "checklist": "Resiliency Review", - "description": "Temporary disks are intended for short-term storage of non-persistent data such as page files, swap files, or SQL Server tempdb. Storing persistent data on temporary disks can lead to data loss during maintenance events or VM redeployment.", - "guid": "e0d5973c-d4ce-432c-8881-37f6f7c4c0d4", - "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk", - "service": "VM", - "services": [ - "SQL", - "VM", - "Storage" - ], - "severity": "Medium", - "subcategory": "Virtual Machines", - "text": "Do not use the Temp disk for anything that is not acceptable to be lost", - "waf": "Reliability" - }, - { - "category": "Compute", - "checklist": "Resiliency Review", - "description": "Co-locate your compute, storage, networking, and data resources across an availability zone, and replicate this arrangement in other availability zones.", - "guid": "e514548d-2447-4ec6-9138-b8200f1ce16e", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "VM", - "services": [ - "VM", - "Storage", - "ACR" - ], - "severity": "Medium", - "subcategory": "Virtual Machines", - "text": "Leverage Availability Zones for your VMs in regions where they are supported", - "waf": "Reliability" - }, - { - "category": "Compute", - "checklist": "Resiliency Review", - "description": "Use at least two VMs in Availability Sets to isolate VMs on different fault and update domains.", - "guid": "5a785d6f-e96c-496a-b884-4cf3b2b38c88", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "VM", - "services": [ - "VM" - ], - "severity": "Medium", - "subcategory": "Virtual Machines", - "text": "For regions that do not support Availability Zones deploy VMs into 
Availability Sets", - "waf": "Reliability" - }, - { - "category": "Compute", - "checklist": "Resiliency Review", - "description": "Azure provides multiple options for VM redundancy to meet different requirements (Availability Zones, Virtual Machine Scale Sets, Availability Sets, Azure Site Recovery)", - "guid": "6ba2c021-4991-414a-9d3c-e574dccbd979", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "VM", - "services": [ - "ASR", - "VM" - ], - "severity": "High", - "subcategory": "Virtual Machines", - "text": "Avoid running a production workload on a single VM", - "waf": "Reliability" - }, - { - "category": "Compute", - "checklist": "Resiliency Review", - "description": "Azure Site Recovery enables you to achieve low RTO (Recovery Time Objective) for your Azure and hybrid VMs by providing continuous replication and failover capabilities.", - "guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", - "services": [ - "ASR", - "VM", - "AVS" - ], - "severity": "High", - "subcategory": "Virtual Machines", - "text": "For Azure and on-premises VMs (Hyper-V/Phyiscal/VMware) with low RTO requirements use Azure Site Recovery", - "waf": "Reliability" - }, - { - "category": "Compute", - "checklist": "Resiliency Review", - "description": "By using Capacity Reservations, you can effectively manage capacity for critical workloads, ensuring resource availability in specified regions.", - "guid": "bd7bb012-f7b9-45e0-9e15-8e3ea3992c2d", - "link": "https://learn.microsoft.com/azure/virtual-machines/capacity-reservation-overview", - "service": "VM", - "services": [ - "VM" - ], - "severity": "Low", - "subcategory": "Virtual Machines", - "text": "Use Capacity Reservations for critical workloads that require guaranteed capacity", - "waf": "Reliability" - }, - { - "category": "Compute", - "checklist": "Resiliency Review", - "description": "By ensuring that 
the necessary quotas are increased in your DR region before testing failover with ASR, you can avoid any potential resource constraints during the recovery process for failed over VMs.", - "guid": "e6e2065b-3a76-4af4-a691-e8939ada4666", - "link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests", - "service": "VM", - "services": [ - "ASR", - "VM" - ], - "severity": "Medium", - "subcategory": "Virtual Machines", - "text": "Increase quotas in DR region before testing failover with ASR", - "waf": "Reliability" - }, - { - "category": "Compute", - "checklist": "Resiliency Review", - "description": "Scheduled Events is an Azure Metadata Service that provides information about upcoming maintenance events for virtual machines (VMs). By leveraging Scheduled Events, you can proactively prepare your applications for VM maintenance, minimizing disruption and improving the availability of your VMs.", - "guid": "6d3b475a-5c7a-4cbe-99bb-e64dd8902e87", - "link": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events", - "service": "VM", - "services": [ - "VM" - ], - "severity": "Low", - "subcategory": "Virtual Machines", - "text": "Utilize Scheduled Events to prepare for VM maintenance", - "waf": "Reliability" - }, - { - "category": "Data", - "checklist": "Resiliency Review", - "description": "Use Zone-redundant Storage (ZRS) in the primary region for scenarios that require high availability and for restricting replication to a particular country or region. 
For protection against regional disasters, use Geo-zone-redundant Storage (GZRS), which combines ZRS in the primary region with geo-replication to a secondary region?.", - "guid": "48c7c891-dcb1-4f7d-9769-ae568ba38d4a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Azure Storage", - "services": [ - "Storage" - ], - "severity": "Medium", - "subcategory": "Storage Accounts", - "text": "Choose the most appropriate data redundancy option for Azure Storage based on your requirements", - "waf": "Reliability" - }, - { - "category": "Data", - "checklist": "Resiliency Review", - "description": "Assigning a Delete lock to your storage account helps protect the availability of your data, minimizing the risk of disruptions to your business operations.", - "guid": "85e2213d-bd7b-4b01-8f7b-95e06e158e3e", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", - "services": [ - "Storage" - ], - "severity": "Low", - "subcategory": "Storage Accounts", - "text": "Apply a Delete lock to prevent accidental or malicious deletion of storage accounts", - "waf": "Reliability" - }, - { - "category": "Data", - "checklist": "Resiliency Review", - "description": "Container soft delete protects your data from being accidentally deleted by maintaining the deleted data in the system for a specified period of time.", - "guid": "a3992c2d-e6e2-4065-a3a7-6af4a691e893", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", - "services": [ - "Storage" - ], - "severity": "Low", - "subcategory": "Storage Accounts", - "text": "Enable soft delete for Storage Account Containers", - "waf": "Reliability" - }, - { - "category": "Data", - "checklist": "Resiliency Review", - "description": "Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted 
data in the system for a specified period of time.", - "guid": "9ada4666-7e13-4c10-96b9-153d89f89dc7", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", - "services": [ - "Storage" - ], - "severity": "Low", - "subcategory": "Storage Accounts", - "text": "Enable soft delete for blobs", - "waf": "Reliability" - }, - { - "category": "General", - "checklist": "Resiliency Review", - "description": "Azure Backup enhanced soft delete provides critical protection against ransomware attacks by retaining deleted backups, enabling recovery from potential ransomware encryption or deletion.", - "guid": "b44be3b1-a27f-48b9-b91b-e1038df03a82", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about", - "service": "Azure Backup", - "services": [ - "Backup" - ], - "severity": "Medium", - "subcategory": "Backup", - "text": "Enable Azure Backup enhanced soft delete for improved data protection and recovery", - "waf": "Reliability" - }, - { - "category": "General", - "checklist": "Resiliency Review", - "description": "Azure Backup's multi-user authorization enables fine-grained control over user access to backup resources, allowing you to restrict privileges and ensure proper authentication and authorization for backup operations.", - "guid": "2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae", - "link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept", - "service": "Azure Backup", - "services": [ - "Backup" - ], - "severity": "Low", - "subcategory": "Backup", - "text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources", - "waf": "Reliability" - }, - { - "category": "General", - "checklist": "Resiliency Review", - "description": "Azure Immutable Storage provides an additional layer of security by ensuring that backup data stored in the vault cannot be modified or deleted for a specified retention period. 
This helps safeguard your backups from ransomware attacks that may attempt to compromise or manipulate your backup data.", - "guid": "2cc88147-0607-4c1c-aa0e-614658dd458e", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault", - "service": "Azure Backup", - "services": [ - "Backup", - "Storage" - ], - "severity": "Low", - "subcategory": "Backup", - "text": "Implement Immutable Storage for your vaults to protect against ransomware and prevent unauthorized modifications to backups", - "waf": "Reliability" - }, - { - "category": "General", - "checklist": "Resiliency Review", - "description": "Clearly define your organization's business continuity and disaster recovery requirements for your Azure environment. This includes identifying the critical applications, data, and services that need to be protected, as well as specifying the desired recovery objectives and strategies.", - "guid": "72e52e36-11dd-458c-9a4b-1521e43a58a9", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-business-continuity-disaster-recovery", - "services": [ - "ASR" - ], - "severity": "High", - "subcategory": "Design", - "text": "Define business continuity and disaster recovery requirements", - "waf": "Reliability" - }, - { - "category": "General", - "checklist": "Resiliency Review", - "description": "Ensure that your Azure architectures are designed with a focus on reliability. 
Consider implementing fault-tolerant mechanisms, redundancy, and resiliency patterns to minimize the impact of failures and maximize the availability of your applications and services.", - "guid": "c2399c4d-7b67-4d0c-9555-62f2b3e4563a", - "link": "https://learn.microsoft.com/azure/architecture/reliability/architect", - "services": [], - "severity": "High", - "subcategory": "Design", - "text": "Implement reliability best practices in Azure architectures", - "waf": "Reliability" - }, - { - "category": "General", - "checklist": "Resiliency Review", - "description": "IaC configurations can play a role in your disaster recovery plan, particularly in situations where recovery time is not time-sensitive. In the event of infrastructure recreation in a second region, IaC can be used to reproduce the necessary infrastructure.", - "guid": "fe237de2-43b1-46c3-8d7a-a9b7570449aa", - "link": "https://learn.microsoft.com/azure/well-architected/devops/automation-infrastructure", - "services": [ - "RBAC", - "ASR" - ], - "severity": "Medium", - "subcategory": "DevOps", - "text": "Implement Infrastructure as Code (IaC) for Rapid Infrastructure Recovery", - "waf": "Reliability" - }, - { - "category": "General", - "checklist": "Resiliency Review", - "description": "Azure offers region pairs that are geographically separated and can be used for cross-region replication and disaster recovery. 
These region pairs provide redundancy and protection against regional or large-scale disasters.", - "guid": "dcb1f7d5-769a-4e56-aba3-8d4a85e2213d", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "services": [ - "ASR" - ], - "severity": "Medium", - "subcategory": "Multi-region", - "text": "Plan for cross-region recovery by leveraging region pairs", - "waf": "Reliability" - }, - { - "category": "Network", - "checklist": "Resiliency Review", - "description": "By deploying an Application Gateway with a minimum instance count of two, you will have at least two instances available under normal circumstances. In the event that one of the instances encounters a problem, the other instance will handle the traffic while a new instance is being created. This approach significantly reduces the risk of service disruption and ensures a seamless experience for your users.", - "guid": "93c76286-37a5-451c-9b04-e4f1854387e5", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant#autoscaling-and-high-availability", - "services": [ - "AppGW" - ], - "severity": "Medium", - "subcategory": "Application Gateways", - "text": "Deploy Application Gateways with a minimum instance count of 2 to avoid instance provisioning downtime", - "waf": "Reliability" - }, - { - "category": "Network", - "checklist": "Resiliency Review", - "description": "The v2 SKU offers several advantages and critical new features that enhance the availability and resilience of your application infrastructure. 
One notable feature supported by the v2 SKU is zone redundancy, which allows an Application Gateway deployment to span multiple Availability Zones.", - "guid": "ced126cd-032a-4f5b-8fc6-998a535e3378", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "services": [ - "Storage", - "AppGW" - ], - "severity": "High", - "subcategory": "Application Gateways", - "text": "Deploy Azure Application Gateway v2 for zone redundancy support", - "waf": "Reliability" - }, - { - "category": "Network", - "checklist": "Resiliency Review", - "description": "Azure Front Door provides automatic failover capabilities, ensuring continuity in the event of a primary region becoming unavailable. However, during the failover process, there may be a brief period (typically 20-60 seconds) when clients cannot reach the application. It is essential to review the Azure Front Door service level agreement (SLA) to determine whether relying solely on Front Door meets your business requirements for high availability. ", - "guid": "97e31c67-d68c-4f6a-92a1-194956d697dc", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/app-service-web-app/multi-region#azure-front-door", - "services": [ - "FrontDoor" - ], - "severity": "Low", - "subcategory": "Azure Front Door", - "text": "Consider a redundant traffic management solution in conjunction with Azure Front Door", - "waf": "Reliability" - }, - { - "category": "Network", - "checklist": "Resiliency Review", - "description": "By implementing Traffic Manager, you can configure it to continuously monitor the health of your application endpoints and automatically redirect traffic to an alternate endpoint when necessary. 
This automation minimizes downtime and provides a more seamless experience for your users during disaster recovery scenarios.", - "guid": "8df03a82-2cd4-463c-abbc-8ac299ebc92a", - "link": "https://learn.microsoft.com/azure/networking/disaster-recovery-dns-traffic-manager", - "services": [ - "ASR", - "Monitor", - "DNS", - "TrafficManager" - ], - "severity": "Low", - "subcategory": "DNS", - "text": "Plan for automated failover using Traffic Manager for DNS Traffic", - "waf": "Reliability" - }, - { - "category": "Network", - "checklist": "Resiliency Review", - "description": "To eliminate a single point of failure in your on-premises DNS services and ensure reliable DNS resolution during business continuity and disaster recovery scenarios, it is recommended to utilize Azure DNS Private Resolvers in multiple regions. By deploying two or more Azure DNS private resolvers across different regions, you can enable DNS failover and achieve resiliency in your DNS infrastructure.", - "guid": "43da1dae-2cc8-4814-9060-7c1cca0e6146", - "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover", - "service": "DNS", - "services": [ - "ASR", - "DNS", - "ACR" - ], - "severity": "Low", - "subcategory": "DNS", - "text": "Implement DNS Failover using Azure DNS Private Resolvers", - "waf": "Reliability" - }, - { - "category": "Network", - "checklist": "Resiliency Review", - "description": "Use an on-premises data gateway cluster to avoid single points of failure and to load balance traffic across gateways.", - "guid": "89f89dc7-b44b-4e3b-8a27-f8b9e91be103", - "link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters", - "service": "Data Gateways", - "services": [ - "ACR" - ], - "severity": "Medium", - "subcategory": "Data Gateways", - "text": "Use on-premises data gateway clusters to ensure high availability for business-critical data", - "waf": "Reliability" - }, - { - "category": "Network", - "checklist": 
"Resiliency Review", - "description": "When using ExpressRoute, it's important to design for high availability by incorporating redundancy in both the partner and customer networks. This can include multiple ExpressRoute circuits, redundant connections from your network to Microsoft, and ensuring your on-premises network equipment has redundant connections.", - "guid": "c0e7c28d-c936-4657-802b-ff4564b0d934", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", - "services": [ - "ExpressRoute" - ], - "severity": "Medium", - "subcategory": "ExpressRoute", - "text": "Ensure redundancy within both the partner network and customer network when utilizing ExpressRoute for high availability", - "waf": "Reliability" - }, - { - "category": "Network", - "checklist": "Resiliency Review", - "description": "The primary circuit should handle regular traffic while the backup circuit stays ready to take over if the primary circuit fails. Utilize BGP attributes to influence routing and designate your primary and backup circuits effectively.", - "guid": "a359c373-e7dd-4616-83a3-64a907ebae48", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "services": [ - "ExpressRoute", - "Backup" - ], - "severity": "Medium", - "subcategory": "ExpressRoute", - "text": "When using multiple ExpressRoute circuits ensure that routing allows for a primary and backup", - "waf": "Reliability" - }, - { - "category": "Network", - "checklist": "Resiliency Review", - "description": "S2S VPN connection can provide a cost-effective, resilient backup solution in the event of an ExpressRoute circuit failure. 
By using S2S VPN as a failover, you can maintain connectivity to your Azure resources without relying solely on ExpressRoute.", - "guid": "ead53cc7-de2e-48aa-ab35-71549ab9153d", - "link": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", - "services": [ - "ExpressRoute", - "VPN", - "Cost", - "Backup" - ], - "severity": "Low", - "subcategory": "ExpressRoute", - "text": "Consider deploying site-to-site VPN as a backup for your ExpressRoute private peering", - "waf": "Reliability" - }, - { - "category": "Network", - "checklist": "Resiliency Review", - "description": "Standard Load Balancer SKU offers an SLA of 99.99% and a higher level of service availability compared to the Basic Load Balancer SKU.", - "guid": "778468d5-5a78-45d6-be96-c96ad8844cf3", - "link": "https://learn.microsoft.com/azure/load-balancer/skus", - "services": [ - "LoadBalancer" - ], - "severity": "Medium", - "subcategory": "Load Balancers", - "text": "Leverage the Standard SKU for Load Balancers that handle traffic to production applications", - "waf": "Reliability" - }, - { - "category": "Network", - "checklist": "Resiliency Review", - "description": "By configuring the load balancer with a zone-redundant frontend, it can serve zonal resources in any zone with a single IP address. As long as at least one zone remains healthy within the region, the IP address associated with the frontend can survive one or more zone failures. It is recommended to have multiple zonal resources, such as virtual machines from different zones, in the backend pool of the load balancer. 
", - "guid": "b2b38c88-6ba2-4c02-8499-114a5d3ce574", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", - "services": [ - "VM", - "LoadBalancer" - ], - "severity": "Low", - "subcategory": "Load Balancers", - "text": "For load balancers, consider using a zone-redundant frontend with multiple zonal resources in the backend", - "waf": "Reliability" - }, - { - "category": "Network", - "checklist": "Resiliency Review", - "description": "When designing health probes for your Azure Load Balancer, it is important to follow best practices to ensure reliable and accurate monitoring of your backend instances.", - "guid": "dccbd979-2a6b-4cca-8b5f-ea1ebf3dd95d", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-custom-probe-overview#design-guidance", - "services": [ - "LoadBalancer", - "Monitor" - ], - "severity": "Low", - "subcategory": "Load Balancers", - "text": "Select the right protocol, appropriate intervals and timeouts, representative paths and probe responses when defining Load Balancer Health Probes", - "waf": "Reliability" - }, - { - "category": "Network", - "checklist": "Resiliency Review", - "description": "When choosing the best option for deploying NVAs in Azure, it is crucial to consider the vendor's recommendations and validate that the specific design has been vetted and validated by the NVA vendor. 
The vendor should also provide the necessary NVA configuration for seamless integration in Azure.", - "guid": "8b1188b3-c6a4-46ce-a544-451e192d3442", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", - "services": [ - "NVA" - ], - "severity": "High", - "subcategory": "NVAs", - "text": "Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration for High Availability", - "waf": "Reliability" - }, - { - "category": "Network", - "checklist": "Resiliency Review", - "description": "By deploying VPN Gateways in an active-active mode, you can distribute VPN traffic across multiple gateways, improving reliability and ensuring continuous connectivity in case of failures or maintenance.", - "guid": "927139b8-2110-42db-b6ea-f11e6f843e53", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", - "services": [ - "VPN", - "ACR" - ], - "severity": "Medium", - "subcategory": "VPN Gateways", - "text": "Deploy Azure VPN Gateways in an active-active mode to ensure high availability and redundancy for your VPN connections.", - "waf": "Reliability" - }, - { - "category": "Network", - "checklist": "Resiliency Review", - "description": "Zone-redundant SKUs ensure that your VPN gateways are physically and logically separated within a region, providing resiliency and scalability. 
This deployment configuration safeguards your on-premises network connectivity to Azure from zone-level failures.", - "guid": "f4722d92-8c1b-41cd-921f-54b29b9de39a", - "link": "https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways", - "services": [ - "VPN" - ], - "severity": "Medium", - "subcategory": "VPN Gateways", - "text": "Use zone-redundant SKUs when deploying VPN Gateways to enhance resilience and protect against zone-level failures", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "MySQL Review Checklist", - "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", - "service": "Azure MySQL", - "services": [ - "SQL" - ], - "severity": "Medium", - "subcategory": "Best Practices", - "text": "Leverage Flexible Server", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "MySQL Review Checklist", - "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", - "service": "Azure MySQL", - "services": [ - "SQL" - ], - "severity": "High", - "subcategory": "Best Practices", - "text": "Leverage Availability Zones where regionally applicable", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "MySQL Review Checklist", - "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", - "service": "Azure MySQL", - "services": [ - "SQL" - ], - "severity": "Medium", - "subcategory": "Best Practices", - "text": "Leverage Data-in replication for cross-region DR scenarios", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": 
"974a759c-763e-47d2-9161-3a7649907e0e", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ASB_v1.docx", - "services": [ - "ServiceBus" - ], - "severity": "Medium", - "subcategory": "Best Practices", - "text": "Leverage FTA Handbook", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "description": "This will be turned on automatically for a new SB namespace created from the portal with the Premium SKUs in a zone-enabled region. Both the Service Bus metadata and the messages data are replicated across datacenters in the availability zones configuration", - "guid": "338ee253-c17d-432e-aaaa-b7571549ab81", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-outages-disasters#availability-zones", - "services": [ - "ServiceBus", - "ACR" - ], - "severity": "High", - "subcategory": "Best Practices", - "text": "Leverage Availability Zones if regionally applicable", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "description": "If enabled, Implements namespace metadata replication to a secondary region. Does not replicate queue/topic message data. Premium sku only.", - "guid": "53d89f89-d17b-484b-93b5-a67f7b9ed5b3", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-outages-disasters#geo-disaster-recovery", - "services": [ - "ServiceBus", - "ASR", - "Storage" - ], - "severity": "Medium", - "subcategory": "Geo-Disaster Recovery", - "text": "Plan for Metadata replication during regional failure", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "description": "If an outage cannot be tolerated, do not use the build-in metadata replication option. 
Leverage a replication pattern to replicate Service Bus messages across two or more sets of cross-region namespaces", - "guid": "1f38c403-a822-4c24-93cf-0f18ac699ef1", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-federation-overview", - "services": [ - "ServiceBus", - "ASR", - "ACR" - ], - "severity": "Medium", - "subcategory": "Geo-Disaster Recovery", - "text": "Plan for Message replication during regional failure", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "description": "Azure Service Bus uses a message broker to handle messages that are sent to a Service Bus queue or topic. By default, all messages that are sent to a queue or topic are handled by the same message broker process. This architecture can place a limitation on the overall throughput of the message queue. However, you can also partition a queue or topic when it is created", - "guid": "d5a83de4-de32-4c18-a147-0607c5c0e4e6", - "link": "https://learn.microsoft.com/azure/architecture/best-practices/data-partitioning-strategies#partitioning-azure-service-bus", - "services": [ - "ServiceBus", - "Storage" - ], - "severity": "Medium", - "subcategory": "Best Practices", - "text": "For applications which require high throughput, use Patritioning ", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": "14658d24-58ed-4671-99b8-21102df26ee4", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-outages-disasters", - "services": [ - "ServiceBus" - ], - "severity": "Medium", - "subcategory": "Best Practices", - "text": "Evaluate Premier-tier benefits of Azure Service Bus", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": "11e6f883-e52f-4472-8dd6-8c5b5c2521e5", - "link": 
"https://learn.microsoft.com/azure/service-bus-messaging/service-bus-messaging-exceptions", - "services": [ - "ServiceBus" - ], - "severity": "High", - "subcategory": "Best Practices", - "text": "Ensure that Service Bus Messaging Exceptions are handled properly", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": "4a69b9d3-39ac-44e7-a68d-1d75657202b4", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", - "services": [ - "ServiceBus", - "PrivateLink", - "Storage" - ], - "severity": "Medium", - "subcategory": "Best Practices", - "text": "Connect to Service Bus with the Advanced Messaging Queue Protocol (AMQP) and use Service Endpoints or Private Endpoints when possible.", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": "f4564b4d-974a-4759-a763-e7d261613a76", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-performance-improvements?tabs=net-standard-sdk-2", - "services": [ - "ServiceBus" - ], - "severity": "High", - "subcategory": "Best Practices", - "text": "Review the Best Practices for performance improvements using Service Bus Messaging", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": "49907e0e-338e-4e25-9c17-d32e8aaab757", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/operational-excellence", - "services": [ - "ServiceBus" - ], - "severity": "Medium", - "subcategory": "Best Practices", - "text": "Implement geo-replication on the sender and receiver side to protect against outages and disasters", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": "1549ab81-53d8-49f8-ad17-b84b33b5a67f", - "link": 
"https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", - "services": [ - "ServiceBus", - "ASR", - "Storage" - ], - "severity": "Medium", - "subcategory": "Best Practices", - "text": "If you need mission-critical messaging with queues and topics, Service Bus Premium is recommended with Geo-Disaster Recovery.", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": "7b9ed5b3-1f38-4c40-9a82-2c2463cf0f18", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", - "services": [ - "ServiceBus" - ], - "severity": "Medium", - "subcategory": "Best Practices", - "text": "Implement high availability for the Service Bus namespace", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": "ac699ef1-d5a8-43de-9de3-2c1881470607", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", - "services": [ - "ServiceBus" - ], - "severity": "High", - "subcategory": "Best Practices", - "text": "Ensure related messages are delivered in guaranteed order", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": "c5c0e4e6-1465-48d2-958e-d67139b82110", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", - "services": [ - "ServiceBus" - ], - "severity": "Low", - "subcategory": "Best Practices", - "text": "Evaluate different Java Messaging Service (JMS) features through the JMS API", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": "2df26ee4-11e6-4f88-9e52-f4722dd68c5b", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", + 
"category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", + "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "Front Door", "services": [ - "ServiceBus" + "FrontDoor" ], "severity": "Low", - "subcategory": "Best Practices", - "text": "Use .NET Nuget packages to communicate with Service Bus messaging entities", - "waf": "Reliability" + "subcategory": "Front Door", + "text": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application.", + "waf": "Performance" }, { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": "5c2521e5-4a69-4b9d-939a-c4e7c68d1d75", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", + "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "Load Balancer", "services": [ - "ServiceBus" + "LoadBalancer" ], - "severity": "Medium", - "subcategory": "Best Practices", - "text": "Implement resilience for transient fault handling when sending or receiving messages", + "severity": "High", + 
"subcategory": "Load Balancer", + "text": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability", "waf": "Reliability" }, { - "category": "Security", - "checklist": "Service Bus Review Checklist", - "description": "Azure Service Bus Premium provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ", - "guid": "87af4a79-1f89-439b-ba47-768e14c11567", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", - "service": "Service Bus", - "services": [ - "ServiceBus" - ], - "severity": "Low", - "subcategory": "Data Protection", - "text": "Use customer-managed key option in data at rest encryption when required", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Security" - }, - { - "category": "Security", - "checklist": "Service Bus Review Checklist", - "description": "Communication between a client application and an Azure Service Bus namespace is encrypted using Transport Layer Security (TLS). Azure Service Bus namespaces permit clients to send and receive data with TLS 1.0 and above. 
To enforce stricter security measures, you can configure your Service Bus namespace to require that clients send and receive data with a newer version of TLS.", - "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version", - "service": "Service Bus", - "services": [ - "ServiceBus" - ], - "severity": "Medium", - "subcategory": "Data Protection", - "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Security" - }, - { - "category": "Security", - "checklist": "Service Bus Review Checklist", - "description": "When you create a Service Bus namespace, a SAS rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative root account and don't use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", - "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies", - "service": "Service Bus", - "services": [ - "RBAC", - "TrafficManager", - "ServiceBus", - "AzurePolicy", - "Entra" - ], - "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "Avoid using root account when it is not necessary", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "Security" - }, - { - "category": "Security", - "checklist": "Service Bus Review Checklist", - "description": "A Service Bus client app running inside an Azure App Service application or in a virtual machine with enabled managed entities for Azure resources support does not need to handle SAS rules and keys, or any other access tokens. The client app only needs the endpoint address of the Service Bus Messaging namespace. ", - "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity", - "service": "Service Bus", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", + "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "Front Door", "services": [ - "ServiceBus", "AKV", - "Storage", - "AppSvc", - "Entra", - "VM" - ], - "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "When possible, 
your application should be using a managed identity to authenticate to Azure Service Bus. If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Security" - }, - { - "category": "Security", - "checklist": "Service Bus Review Checklist", - "description": "When creating permissions, provide fine-grained control over a client's access to Azure Service Bus. Permissions in Azure Service Bus can and should be scoped to the individual resource level e.g. queue, topic or subscription. ", - "guid": "f615658d-e558-4f93-9249-b831112dbd7e", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus", - "service": "Service Bus", - "services": [ - "RBAC", - "ServiceBus", - "Subscriptions", - "Storage", - "Entra" + "FrontDoor", + "Cost" ], "severity": "High", - "subcategory": "Identity and Access Management", - "text": "Use least privilege data plane RBAC", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Security" - }, - { - "category": "Security", - "checklist": "Service Bus Review Checklist", - "description": "Azure Service Bus resource logs include operational logs, virtual network and IP filtering logs. Runtime audit logs capture aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Service Bus.", - "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference", - "service": "Service Bus", - "services": [ - "ServiceBus", - "VNet", - "Monitor" - ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Enable logging for security investigation. 
Use Azure Monitor to trace resource logs and runtime audit logs (currently available only in the premium tier)", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Security" - }, - { - "category": "Security", - "checklist": "Service Bus Review Checklist", - "description": "Azure Service Bus by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Service Bus traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. ", - "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service", - "service": "Service Bus", - "services": [ - "ServiceBus", - "PrivateLink", - "VNet" - ], - "severity": "Medium", - "subcategory": "Networking", - "text": "Consider using private endpoints to access Azure Service Bus and disable public network access when applicable.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Security" + "subcategory": "Front Door", + "text": "Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals.", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Service Bus Review Checklist", - "description": "With IP firewall, you can restrict the public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. 
", - "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering", - "service": "Service Bus", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", + "service": "Front Door", "services": [ - "ServiceBus" + "FrontDoor", + "WAF" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Consider only allowing access to Azure Service Bus namespace from specific IP addresses or ranges", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Security" - }, - { - "category": "Defender For Cloud", - "checklist": "Azure Security Review Checklist", - "guid": "54174158-33fb-43ae-9c2d-e743165c3acb", - "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started", - "services": [ - "Defender", - "Subscriptions" - ], - "severity": "High", - "subcategory": "Pricing & Settings", - "text": "Security Center/Defender enable in all subscriptions", - "waf": "Security" + "subcategory": "Front Door", + "text": "Define your Azure Front Door WAF configuration as code. 
By using code, you can more easily adopt new rule set version and gain additional protection.", + "waf": "Operations" }, { - "category": "Defender For Cloud", - "checklist": "Azure Security Review Checklist", - "guid": "349f0364-d28d-442e-abbb-c868255abc91", - "link": "https://learn.microsoft.com/azure/security-center/enable-azure-defender", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", + "service": "Front Door", "services": [ - "Defender", - "Monitor" + "FrontDoor" ], "severity": "High", - "subcategory": "Pricing & Settings", - "text": "Security Center/Defender enabled on all Log Analytics workspaces", + "subcategory": "Front Door", + "text": "Use end-to-end TLS with Azure Front Door. Use TLS for connections from your clients to Front Door, and from Front Door to your origin.", "waf": "Security" }, { - "category": "Defender For Cloud", - "checklist": "Azure Security Review Checklist", - "guid": "64e9a19a-e28c-484c-93b6-b7818ca0e6c4", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-feature#what-event-types-are-stored-for-common-and-minimal", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", + "service": "Front Door", "services": [ - "Defender" + "FrontDoor" ], "severity": "Medium", - "subcategory": "Pricing & Settings", - "text": "Data collection set to 'Common'", + "subcategory": "Front Door", + "text": "Use HTTP to HTTPS redirection with Azure Front Door. 
Support older clients by redirecting them to an HTTPS request automatically.", "waf": "Security" }, { - "category": "Defender For Cloud", - "checklist": "Azure Security Review Checklist", - "guid": "2149d414-a923-4c35-94d1-1029bd6aaf11", - "link": "https://learn.microsoft.com/azure/security-center/enable-azure-defender", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", + "service": "Front Door", "services": [ - "Defender" + "FrontDoor", + "WAF" ], "severity": "High", - "subcategory": "Pricing & Settings", - "text": "Defender for Cloud enhanced security features are all enabled", - "waf": "Security" - }, - { - "category": "Defender For Cloud", - "checklist": "Azure Security Review Checklist", - "guid": "e6b84ee5-ef43-4d29-a248-1718d5d1f5f7", - "link": "https://learn.microsoft.com/azure/security-center/security-center-enable-data-collection", - "services": [ - "Defender", - "AzurePolicy" - ], - "severity": "Medium", - "subcategory": "Pricing & Settings", - "text": "Auto-provisioning enabled as per company policy (policy must exist)", - "waf": "Security" - }, - { - "category": "Defender For Cloud", - "checklist": "Azure Security Review Checklist", - "guid": "25759e35-680e-4782-9ac9-32213d027ff4", - "link": "https://learn.microsoft.com/azure/security-center/security-center-provide-security-contact-details", - "services": [ - "Defender", - "AzurePolicy" - ], - "severity": "Low", - "subcategory": "Pricing & Settings", - "text": "Email notifications enabled as per company policy (policy must exist)", - "waf": "Security" - }, - { - "category": "Defender For Cloud", - "checklist": "Azure Security Review Checklist", - "guid": "12f70993-0631-4583-9ee7-9d6c6d363206", - "link": 
"https://learn.microsoft.com/azure/security-center/security-center-wdatp?WT.mc_id=Portal-Microsoft_Azure_Security_CloudNativeCompute&tabs=windows", - "services": [ - "Defender" - ], - "severity": "Medium", - "subcategory": "Pricing & Settings", - "text": "Enable integrations options are selected ", + "subcategory": "Front Door", + "text": "Enable the Azure Front Door WAF. Protect your application from a range of attacks.", "waf": "Security" }, { - "category": "Defender For Cloud", - "checklist": "Azure Security Review Checklist", - "guid": "5b7abae4-4aad-45e8-a79e-2e86667313c5", - "link": "https://learn.microsoft.com/azure/security-center/defender-for-container-registries-cicd", - "services": [ - "Defender" - ], - "severity": "Medium", - "subcategory": "Pricing & Settings", - "text": "CI/CD integration is configured", - "waf": "Operations" - }, - { - "category": "Defender For Cloud", - "checklist": "Azure Security Review Checklist", - "guid": "05675c5e-985b-4859-a774-f7e371623b87", - "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", + "service": "Front Door", "services": [ - "Defender", - "EventHubs" + "FrontDoor", + "WAF" ], "severity": "High", - "subcategory": "Pricing & Settings", - "text": "Continuous export 'Event Hub' is enabled if using 3rd party SIEM", + "subcategory": "Front Door", + "text": "Tune the Azure Front Door WAF for your workload. 
Reduce false positive detections.", "waf": "Security" }, { - "category": "Defender For Cloud", - "checklist": "Azure Security Review Checklist", - "guid": "5a917e1f-349f-4036-9d28-d42e8bbbc868", - "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "Front Door", "services": [ - "Defender", - "Sentinel", - "Monitor" + "FrontDoor", + "AzurePolicy", + "WAF" ], - "severity": "Medium", - "subcategory": "Pricing & Settings", - "text": "Continuous export 'Log Analytics Workspace' is enabled if not using Azure Sentinel", + "severity": "High", + "subcategory": "Front Door", + "text": "Enable request body inspection feature enabled in Azure Front Door WAF policy.", "waf": "Security" }, { - "category": "Defender For Cloud", - "checklist": "Azure Security Review Checklist", - "guid": "255abc91-64e9-4a19-ae28-c84c43b6b781", - "link": "https://learn.microsoft.com/azure/security-center/quickstart-onboard-aws?WT.mc_id=Portal-Microsoft_Azure_Security", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", + "service": "Front Door", "services": [ - "Defender" + "FrontDoor", + "WAF" ], "severity": "High", - "subcategory": "Pricing & Settings", - "text": "Cloud connector enabled for AWS", + "subcategory": "Front Door", + "text": "Enable the Azure Front Door WAF default rule sets. 
The default rule sets detect and block common attacks.", "waf": "Security" }, { - "category": "Defender For Cloud", - "checklist": "Azure Security Review Checklist", - "guid": "8ca0e6c4-2149-4d41-9a92-3c3574d11029", - "link": "https://learn.microsoft.com/azure/security-center/quickstart-onboard-gcp", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", + "service": "Front Door", "services": [ - "Defender" + "FrontDoor", + "WAF" ], "severity": "High", - "subcategory": "Pricing & Settings", - "text": "Cloud connector enabled for GCP", + "subcategory": "Front Door", + "text": "Enable the Azure Front Door WAF bot protection rule set. The bot rules detect good and bad bots.", "waf": "Security" }, { - "category": "Defender For Cloud", - "checklist": "Azure Security Review Checklist", - "guid": "cce9bdf6-b483-45a0-85ec-c8232b230652", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy-integrate-with-microsoft-cloud-application-security", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", + "service": "Front Door", "services": [ - "Entra", - "Defender", - "Monitor" + "FrontDoor", + "WAF" ], - "severity": "Low", - "subcategory": "Pricing & Settings", - "text": "If using Azure AD Application proxy, consider integrating with Microsoft Defender for Cloud Apps to monitor application access in real-time and apply advanced security controls.", + "severity": "Medium", + "subcategory": "Front Door", + "text": "Use the latest Azure Front Door WAF rule set 
version. Rule set updates are regularly updated to take account of the current threat landscape.", "waf": "Security" }, { - "category": "Defender For Cloud", - "checklist": "Azure Security Review Checklist", - "guid": "df9cc234-18db-4611-9126-5f4bb47a393a", - "link": "https://learn.microsoft.com/azure/security-center/secure-score-security-controls", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "b9620385-1cde-418f-914b-a84a06982ffc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", + "service": "Front Door", "services": [ - "Defender" + "FrontDoor", + "WAF" ], "severity": "Medium", - "subcategory": "Recommendations", - "text": "All recommendations remediated or disabled if not required.", + "subcategory": "Front Door", + "text": "Add rate limiting to the Azure Front Door WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", "waf": "Security" }, { - "category": "Defender For Cloud", - "checklist": "Azure Security Review Checklist", - "description": "Microsoft minimum target for all customers is 70%", - "guid": "08032729-4798-4b15-98a2-19a46ceb5443", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/secure-score-security-controls", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", + "service": "Front Door", "services": [ - "Defender" + "FrontDoor", + "WAF" ], - "severity": "High", - "subcategory": "Recommendations", - "text": "Security Score>70%", + "severity": "Medium", + "subcategory": "Front Door", + "text": "Use a high threshold for Azure Front Door WAF rate limits. 
High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. ", "waf": "Security" }, { - "category": "Defender For Cloud", - "checklist": "Azure Security Review Checklist", - "guid": "50259226-4429-42bb-9285-37a55119bf8e", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/tutorial-security-incident", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", + "service": "Front Door", "services": [ - "Defender", - "Monitor" + "FrontDoor" ], - "severity": "Medium", - "subcategory": "Security Alerts", - "text": "Security Alerts contain only those generated in the past 24 hours (remediate or disable older security alerts)", + "severity": "Low", + "subcategory": "Front Door", + "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", "waf": "Security" }, { - "category": "Defender For Cloud", - "checklist": "Azure Security Review Checklist", - "guid": "8f585428-7d9c-4dc1-96cd-072af9b141a8", - "link": "https://learn.microsoft.com/azure/security-center/custom-dashboards-azure-workbooks", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "00acd8a9-6975-414f-8491-2be6309893b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", + "service": "Front Door", "services": [ - "Defender" + "FrontDoor", + "WAF" ], "severity": "Medium", - "subcategory": "Workbooks", - "text": "If continuous export is enabled, default workbooks published to custom security dashboard", + "subcategory": "Front Door", + 
"text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", "waf": "Security" }, { - "category": "Defender For Cloud", - "checklist": "Azure Security Review Checklist", - "guid": "98a535e7-3789-47e7-8ca7-da7be9962a15", - "link": "https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/bd-p/MicrosoftDefenderCloud", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", + "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", + "service": "App Gateway", "services": [ - "Defender" + "WAF", + "AppGW" ], - "severity": "Medium", - "subcategory": "Community", - "text": "Customer is aware of the value of the 'Community' page and has a regular cadence set up to review", + "severity": "High", + "subcategory": "App Gateway", + "text": "Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots.", "waf": "Security" }, { - "category": "Defender For Cloud", - "checklist": "Azure Security Review Checklist", - "description": "Customer Operational best practice - Transparency", - "guid": "93846da9-7cc3-4923-856b-22586f4a1641", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/enable-enhanced-security", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": 
"8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "App Gateway", "services": [ - "Defender", - "Subscriptions" + "AzurePolicy", + "WAF", + "AppGW" ], "severity": "High", - "subcategory": "Secure Score", - "text": "All subscriptions protected by Security Center are shown (no subscription filter set)", + "subcategory": "App Gateway", + "text": "Enable request body inspection feature enabled in Azure Application Gateway WAF policy.", "waf": "Security" }, { - "category": "Defender For Cloud", - "checklist": "Azure Security Review Checklist", - "guid": "bdddea8a-487c-4deb-9861-bc3bc14aea6e", - "link": "https://learn.microsoft.com/azure/security-center/security-center-compliance-dashboard", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", + "service": "App Gateway", "services": [ - "Defender" + "WAF", + "AppGW" ], "severity": "High", - "subcategory": "Regulatory Compliance", - "text": "Compliance controls are green for any required compliance requirements", + "subcategory": "App Gateway", + "text": "Tune the Azure Application Gateway WAF for your workload. 
Reduce false positive detections.",
 "waf": "Security"
 },
 {
- "category": "Defender For Cloud",
- "checklist": "Azure Security Review Checklist",
- "description": "Customer Operational best practice - verify",
- "guid": "65e8d9a3-aec2-418e-9436-b0736db55f57",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/remediate-vulnerability-findings-vm",
+ "ammp": true,
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode",
+ "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
+ "service": "App Gateway",
 "services": [
- "Defender",
- "VM"
+ "AzurePolicy",
+ "WAF",
+ "AppGW"
 ],
 "severity": "High",
- "subcategory": "Azure Defender",
- "text": "High severity VM vulnerabilities is zero (empty)",
+ "subcategory": "App Gateway",
+ "text": "Deploy your WAF policy for Application Gateway in 'Prevention' mode.",
 "waf": "Security"
 },
 {
- "category": "Defender For Cloud",
- "checklist": "Azure Security Review Checklist",
- "guid": "9603334b-df9c-4c23-918d-b61171265f4b",
- "link": "https://techcommunity.microsoft.com/t5/azure-network-security/azure-firewall-manager-is-now-integrated-with-azure-security/ba-p/2228679",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": 
"43fae595-8a32-4299-a69e-0f32c454dcc9",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview",
+ "service": "App Gateway",
 "services": [
- "Defender",
- "Firewall"
+ "WAF",
+ "AppGW"
 ],
 "severity": "Medium",
- "subcategory": "Firewall Manager",
- "text": "Hubs are protected by an Azure Firewall",
+ "subcategory": "App Gateway",
+ "text": "Add rate limiting to the Azure Application Gateway WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.",
 "waf": "Security"
 },
 {
- "category": "Defender For Cloud",
- "checklist": "Azure Security Review Checklist",
- "description": "Customer Operational best practice - verify",
- "guid": "b47a393a-0803-4272-a479-8b1578a219a4",
- "link": "https://learn.microsoft.com/azure/security/fundamentals/network-best-practices",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details",
+ "service": "App Gateway",
 "services": [
- "Defender",
- "VNet",
- "Firewall"
+ "WAF",
+ "AppGW"
 ],
 "severity": "Medium",
- "subcategory": "Firewall Manager",
- "text": "Virtual Networks are protected by a Firewall",
+ "subcategory": "App Gateway",
+ "text": "Use a high threshold for Azure Application Gateway WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. 
",
 "waf": "Security"
 },
 {
- "category": "Defender For Cloud",
- "checklist": "Azure Security Review Checklist",
- "guid": "6ceb5443-5025-4922-9442-92bb628537a5",
- "link": "https://azure.microsoft.com/blog/how-azure-security-center-detects-ddos-attack-using-cyber-threat-intelligence/",
- "services": [
- "Defender",
- "DDoS",
- "Firewall"
- ],
- "severity": "Medium",
- "subcategory": "Firewall Manager",
- "text": "DDoS Standard enabled",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "99937189-ff78-492a-b9ca-18d828d82b37",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices",
+ "service": "App Gateway",
+ "services": [],
+ "severity": "Low",
+ "subcategory": "App Gateway",
+ "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.",
 "waf": "Security"
 },
 {
- "category": "Defender For Cloud",
- "checklist": "Azure Security Review Checklist",
- "guid": "5119bf8e-8f58-4542-a7d9-cdc166cd072a",
- "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started?WT.mc_id=Portal-Microsoft_Azure_Security",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "349a15c1-52f4-4319-9078-3895d95ecafd",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules",
+ "service": "App Gateway",
 "services": [
- "Defender",
- "Subscriptions"
+ "WAF",
+ "AppGW"
 ],
- "severity": "High",
- "subcategory": "Coverage",
- "text": "Verify that all subscriptions are covered (see pricing and settings to modify)",
+ "severity": "Medium",
+ "subcategory": "App Gateway",
+ "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Application Gateway WAF. 
Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.",
 "waf": "Security"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "guid": "4df585ec-dce9-4793-a7bc-db3b51eb2eb0",
- "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions",
+ "service": "App Gateway",
 "services": [
- "VNet",
- "VM"
+ "WAF",
+ "AppGW"
 ],
- "severity": "High",
- "subcategory": "Public IPs",
- "text": "VM's with public IPs should be protected by NSG ",
+ "severity": "Medium",
+ "subcategory": "App Gateway",
+ "text": "Use the latest Azure Application Gateway WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.",
 "waf": "Security"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "description": "Customer operational best practice - verify",
- "guid": "3dda6e59-d7c8-4a2e-bb11-7d6769af669c",
- "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
+ "service": "App Gateway",
 "services": [
- "EventHubs",
- "VM",
- "Firewall"
+ "WAF",
+ "AppGW"
 ],
- "severity": "High",
- "subcategory": "Public IPs",
- "text": "VMs with public IPs are moved behind Azure Firewall Premium",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "App Gateway",
+ "text": "Add diagnostic settings to save your 
Azure Application Gateway WAF logs.",
+ "waf": "Operations"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "description": "Customer operational best practice - verify",
- "guid": "a48e5a85-f222-43ec-b8bb-12308ca5017f",
- "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
+ "service": "Front Door",
 "services": [
- "VM"
+ "FrontDoor",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Public IPs",
- "text": "VM's that don't need public IPs do not have public IPs (i.e. internal RDP only)",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "Front Door",
+ "text": "Add diagnostic settings to save your Azure Front Door WAF logs.",
+ "waf": "Operations"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "guid": "158e3ea3-a93c-42de-9e31-65c3a87a04b7",
- "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "92664c60-47e3-4591-8b1b-8d557656e686",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel",
+ "service": "App Gateway",
 "services": [
- "RBAC",
- "VNet"
+ "AppGW",
+ "WAF",
+ "Sentinel"
 ],
 "severity": "Medium",
- "subcategory": "NSG",
- "text": "NSG RBAC is used to restrict access to network security team",
- "waf": "Security"
+ "subcategory": "App Gateway",
+ "text": "Send Azure Application Gateway WAF logs to Microsoft Sentinel.",
+ "waf": "Operations"
 },
 {
- "category": "Azure Networking",
- 
"checklist": "Azure Security Review Checklist",
- "description": "Customer operational best practice - verify",
- "guid": "a209939b-da47-4778-b24c-116785c2fa55",
- "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "845f5f91-9c21-4674-a725-5ce890850e20",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
+ "service": "Front Door",
 "services": [
- "VNet"
+ "FrontDoor",
+ "WAF",
+ "Sentinel"
 ],
- "severity": "High",
- "subcategory": "NSG",
- "text": "NSG Inbound security rules do not contain a * (wildcard) in Source field",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "Front Door",
+ "text": "Send Azure Front Door WAF logs to Microsoft Sentinel.",
+ "waf": "Operations"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "description": "Customer operational best practice - verify",
- "guid": "b56a9480-08be-47d7-b4c4-76b6d8bdcf59",
- "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code",
+ "service": "App Gateway",
 "services": [
- "VNet"
+ "WAF",
+ "AppGW"
 ],
 "severity": "Medium",
- "subcategory": "NSG",
- "text": "NSG outbound security rules are used to control traffic to specific IP addresses for traffic not routed through a Firewall",
- "waf": "Security"
+ "subcategory": "App Gateway",
+ "text": "Define your Azure Application Gateway WAF configuration as code. 
By using code, you can more easily adopt new rule set version and gain additional protection.",
+ "waf": "Operations"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "description": "Customer operational best practice - verify",
- "guid": "bce65de8-a13f-4988-9946-8d66a786d60f",
- "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview",
+ "service": "App Gateway",
 "services": [
- "VNet"
+ "AzurePolicy",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "NSG",
- "text": "NSG do not have Source as a * (wildcard) in place.",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "App Gateway",
+ "text": "Use WAF Policies instead of the legacy WAF configuration.",
+ "waf": "Operations"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "guid": "a6c97be9-955d-404c-9c49-c986cb2d1215",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-nsg-manage-log",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway",
+ "service": "App Gateway",
 "services": [
+ "VPN",
 "VNet",
- "Sentinel"
+ "ExpressRoute",
+ "AppGW"
 ],
 "severity": "Medium",
- "subcategory": "NSG",
- "text": "NSG Diagnostics send NetworkSecurityGroupEvent and NetworkSecurityGroupRuleCounter traffic to Sentinel LAW",
+ "subcategory": "App Gateway",
+ "text": "Filter inbound traffic in the backends so that they only accept connections from the Application Gateway subnet, for example with NSGs.",
 "waf": "Security"
 },
 {
- "category": "Azure 
Networking",
- "checklist": "Azure Security Review Checklist",
- "guid": "aa124b6e-4df5-485e-adce-9793b7bcdb3b",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1",
+ "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions",
+ "service": "Front Door",
 "services": [
- "RBAC",
- "VNet"
+ "FrontDoor"
 ],
 "severity": "Medium",
- "subcategory": "UDR",
- "text": "UDR RBAC is used to restrict access to the network security team",
+ "subcategory": "Front Door",
+ "text": "Make sure your origins only take traffic from your Azure Front Door instance.",
 "waf": "Security"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "guid": "51eb2eb0-3dda-46e5-ad7c-8a2edb117d67",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview",
- "services": [
- "VNet",
- "Firewall"
- ],
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2",
+ "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview",
+ "service": "App Gateway",
+ "services": [],
 "severity": "High",
- "subcategory": "UDR",
- "text": "If Zero Trust, then UDR's are used to send all traffic to the Azure Firewall Premium",
+ "subcategory": "App Gateway",
+ "text": "You should encrypt traffic to the backend servers.",
 "waf": "Security"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "description": "Customer operational best practice - verify",
- "guid": "69af669c-a48e-45a8-9f22-23ece8bb1230",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application 
Delivery Networking",
+ "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/overview",
+ "service": "App Gateway",
 "services": [
- "VNet"
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "UDR",
- "text": "UDR's that do not send all traffic to AzureFirewallPremium are known and documented.",
+ "severity": "High",
+ "subcategory": "App Gateway",
+ "text": "You should use a Web Application Firewall.",
 "waf": "Security"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "guid": "8ca5017f-158e-43ea-9a93-c2de7e3165c3",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview#default",
- "services": [
- "VNet"
- ],
- "severity": "High",
- "subcategory": "Virtual Networks",
- "text": "Customer is familiar with Azure networking defaults / SDN default routing in Azure",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2",
+ "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview",
+ "service": "App Gateway",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "App Gateway",
+ "text": "Redirect HTTP to HTTPS",
 "waf": "Security"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "description": "Customer operational best practice - verify",
- "guid": "a87a04b7-a209-4939-ada4-7778f24c1167",
- "link": "https://github.com/MicrosoftDocs/azure-docs/issues/53672",
- "services": [
- "RBAC",
- "VNet"
- ],
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f",
+ "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request",
+ "service": "App Gateway",
+ "services": [],
 "severity": "Medium",
- "subcategory": 
"Virtual Networks",
- "text": "VNet RBAC is used to restrict access to the network security team",
- "waf": "Security"
+ "subcategory": "App Gateway",
+ "text": "Use gateway-managed cookies to direct traffic from a user session to the same server for processing",
+ "waf": "Operations"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "guid": "85c2fa55-b56a-4948-808b-e7d7e4c476b6",
- "link": "https://learn.microsoft.com/azure/virtual-network/policy-reference",
- "services": [
- "VNet"
- ],
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35",
+ "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings",
+ "service": "App Gateway",
+ "services": [],
 "severity": "High",
- "subcategory": "Virtual Networks",
- "text": "VNet Security recommendations are remediated and there are no 'At-risk' VNets ",
+ "subcategory": "App Gateway",
+ "text": "Enable connection draining during planned service updates to prevent connection loss to existing membrs of the backend pool",
 "waf": "Security"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "guid": "d8bdcf59-bce6-45de-aa13-f98879468d66",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview",
- "services": [
- "VNet"
- ],
- "severity": "High",
- "subcategory": "Virtual Networks",
- "text": "VNet Peering connections are understood and expected traffic flows are documented",
- "waf": "Security"
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5",
+ "link": "https://learn.microsoft.com/azure/application-gateway/custom-error",
+ "service": "App Gateway",
+ "services": [],
+ "severity": "Low",
+ "subcategory": "App Gateway",
+ "text": "Create custom error pages to display a 
personalized user experience",
+ "waf": "Operations"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "guid": "a786d60f-a6c9-47be-a955-d04c3c49c986",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview",
- "services": [
- "VNet"
- ],
- "severity": "High",
- "subcategory": "Virtual Networks",
- "text": "VNet Service Endpoints are in use, no legacy Public Service Endpoints exist",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1",
+ "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url",
+ "service": "App Gateway",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "App Gateway",
+ "text": "Edit HTTP requests and response headers for easier routing and information exchange between the client and server",
 "waf": "Security"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "guid": "1f625659-ee55-480a-9824-9c931213dbd7",
- "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1",
+ "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
+ "service": "App Gateway",
 "services": [
- "PrivateLink",
- "VNet"
+ "FrontDoor"
 ],
- "severity": "High",
- "subcategory": "Virtual Networks",
- "text": "VNet Private Endpoints are in use to allow access from on-premises environments, no legacy public endpoints exist",
+ "severity": "Medium",
+ "subcategory": "App Gateway",
+ "text": "Configure Front Door to optimize global web traffic routing and top-tier end-user performance, and reliability through quick global failover",
+ "waf": "Performance"
+ },
+ {
+ "category": "Network Topology and Connectivity",
+ 
"checklist": "Azure Application Delivery Networking",
+ "guid": "29dcc19f-a8fa-4c35-8281-290577538793",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
+ "service": "App Gateway",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "App Gateway",
+ "text": "Use transport layer load balancing",
+ "waf": "Performance"
+ },
+ {
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d",
+ "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview",
+ "service": "App Gateway",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "App Gateway",
+ "text": "Configure routing based on host or domain name for multiple web applications on a single gateway",
 "waf": "Security"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "guid": "fb012f70-943f-4630-9722-ea39d2b1ce63",
- "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2",
+ "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal",
+ "service": "App Gateway",
 "services": [
- "VNet",
- "Monitor"
+ "Entra"
 ],
- "severity": "High",
- "subcategory": "Virtual Networks",
- "text": "VNet Monitoring enabled",
+ "severity": "Medium",
+ "subcategory": "App Gateway",
+ "text": "Centralize SSL certificate management to reduce encryption and decryption overhead from a backend server farm",
 "waf": "Security"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "guid": "2055b29b-ade4-4aad-8e8c-39ec94666731",
- "link": "https://learn.microsoft.com/azure/virtual-network/kubernetes-network-policies",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application 
Delivery Networking",
+ "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9",
+ "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket",
+ "service": "App Gateway",
 "services": [
- "AKS",
- "AzurePolicy",
- "VNet"
+ "AppGW"
 ],
- "severity": "High",
- "subcategory": "Virtual Networks",
- "text": "Secure traffic between pods using network policies in Azure Kubernetes Service (AKS)",
+ "severity": "Low",
+ "subcategory": "App Gateway",
+ "text": "Use Application Gateway for native support for WebSocket and HTTP/2 protocols",
 "waf": "Security"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "guid": "3c005674-c1e9-445b-959c-373e7ed71623",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-scenario-udr-gw-nva",
+ "category": "Application Deployment",
+ "checklist": "Azure AKS Review",
+ "guid": "785c2fa5-5b56-4ad4-a408-fe72734c476b",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/containers/aks/secure-baseline-aks",
 "services": [
- "VNet",
- "NVA"
+ "AKS"
 ],
- "severity": "High",
- "subcategory": "Virtual Networks",
- "text": "VNet NVA (appliances) customer follows published architecture pattern",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "Development",
+ "text": "Use canary or blue/green deployments",
+ "waf": "Operations"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "guid": "b375a917-ecbe-448f-ae64-dd7df2e8bbbc",
- "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network",
+ "category": "Application Deployment",
+ "checklist": "Azure AKS Review",
+ "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a",
+ "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc",
+ "service": "AKS",
 "services": [
- "VNet",
- "Sentinel",
- "Monitor"
+ "AKS"
 ],
- "severity": "High",
- "subcategory": "Virtual Networks",
- "text": "VNet Diagnostic settings are enabled 
and sending VMProtectionAlerts to the Azure Sentinel LAW",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Development",
+ "text": "If required for AKS Windows workloads HostProcess containers can be used",
+ "waf": "Reliability"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "guid": "468155ab-c916-44e9-a09a-ed8c44cf3b2b",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure",
+ "category": "Application Deployment",
+ "checklist": "Azure AKS Review",
+ "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926",
+ "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda",
+ "service": "AKS",
 "services": [
- "ExpressRoute",
- "VPN"
+ "AKS"
 ],
- "severity": "High",
- "subcategory": "Connectivity",
- "text": "Use ExpressRoute or VPN to access Azure resources from on-premises environments",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Development",
+ "text": "Use KEDA if running event-driven workloads",
+ "waf": "Performance"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "guid": "bd8ac2aa-ebca-42a4-9da1-dbf3dd992481",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
+ "category": "Application Deployment",
+ "checklist": "Azure AKS Review",
+ "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58",
+ "link": "https://dapr.io/",
+ "service": "AKS",
 "services": [
- "RBAC",
- "VWAN"
+ "AKS"
 ],
- "severity": "High",
- "subcategory": "Virtual WAN",
- "text": "VWAN RBAC is used to restrict access to the network security team",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Development",
+ "text": "Use Dapr to ease microservice development",
+ "waf": "Operations"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "guid": "718d1dca-1f62-4565-aee5-580a38249c93",
- "link": 
"https://learn.microsoft.com/azure/virtual-wan/virtual-wan-global-transit-network-architecture",
+ "category": "Application Deployment",
+ "checklist": "Azure AKS Review",
+ "guid": "3acbe04b-be20-49d3-afda-47778424d116",
+ "link": "https://learn.microsoft.com/azure/developer/terraform/create-k8s-cluster-with-tf-and-aks",
 "services": [
- "VWAN",
- "Monitor"
+ "AKS"
 ],
- "severity": "High",
- "subcategory": "Virtual WAN",
- "text": "VWAN Customer is using Secure Hub or external Firewall to route and monitor traffic.",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "Infrastructure as Code",
+ "text": "Use automation through ARM/TF to create your Azure resources",
+ "waf": "Operations"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "guid": "1213dbd7-fb01-42f7-8943-f6304722ea39",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/overview",
+ "category": "BC and DR",
+ "checklist": "Azure AKS Review",
+ "guid": "36cb45e5-7960-4332-9bdf-8cc23318da61",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery",
 "services": [
- "RBAC",
- "AppGW"
+ "ASR",
+ "AKS"
 ],
 "severity": "High",
- "subcategory": "Application Gateway",
- "text": "AppGW RBAC is used to restrict access to the network security team",
- "waf": "Security"
+ "subcategory": "Disaster Recovery",
+ "text": "Schedule and perform DR tests regularly",
+ "waf": "Reliability"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "guid": "d2b1ce63-2055-4b29-aade-4aad1e8c39ec",
- "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip",
+ "category": "BC and DR",
+ "checklist": "Azure AKS Review",
+ "guid": "170265f4-bb46-4a39-9af7-f317284797b1",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region",
 "services": [
- "EventHubs",
- "AppGW",
- "WAF"
+ 
"TrafficManager",
+ "AKS",
+ "FrontDoor",
+ "LoadBalancer"
 ],
- "severity": "High",
- "subcategory": "Application Gateway",
- "text": "AppGW All external facing web services are behind Application Gateways with WAF enabled ",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "High Availability",
+ "text": "Use Azure Traffic Manager or Azure Front Door as a global load balancer for region failover",
+ "waf": "Reliability"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "guid": "94666731-3c00-4567-9c1e-945b459c373e",
- "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip",
+ "category": "BC and DR",
+ "checklist": "Azure AKS Review",
+ "graph": "resources | where type=='microsoft.containerservice/managedclusters' | extend compliant= isnotnull(properties.agentPoolProfiles[0].availabilityZones) | distinct id,compliant",
+ "guid": "578a219a-46be-4b54-9350-24922634292b",
+ "link": "https://learn.microsoft.com/azure/aks/availability-zones",
 "services": [
- "EventHubs",
- "AppGW",
- "WAF"
+ "AKS"
 ],
- "severity": "High",
- "subcategory": "Application Gateway",
- "text": "AppGW All internal facing web services are behind Application Gateways with WAF enabled ",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "High Availability",
+ "text": "Use Availability Zones if they are supported in your Azure region",
+ "waf": "Reliability"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "guid": "7ed71623-b375-4a91-9ecb-e48fbe64dd7d",
- "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview",
+ "category": "BC and DR",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant",
+ "guid": "71d41e36-10cc-457b-9a4b-1410d4395898",
+ "link": "https://learn.microsoft.com/azure/aks/uptime-sla",
+ "service": "AKS", 
"services": [
- "AppGW"
+ "AKS"
 ],
 "severity": "High",
- "subcategory": "Application Gateway",
- "text": "AppGW - External facing has TLS/SSL enabled and redirects all traffic to 443 (no port 80 traffic)",
- "waf": "Security"
+ "subcategory": "High Availability",
+ "text": "Use the SLA-backed AKS offering",
+ "waf": "Reliability"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "guid": "f2e8bbbc-4681-455a-ac91-64e9909aed8c",
- "link": "https://learn.microsoft.com/azure/frontdoor/",
+ "category": "BC and DR",
+ "checklist": "Azure AKS Review",
+ "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
+ "service": "AKS",
 "services": [
- "RBAC",
- "FrontDoor"
+ "AKS",
+ "Cost"
 ],
- "severity": "High",
- "subcategory": "FrontDoor",
- "text": "Front Door RBAC is used to restrict access to the network security team",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "High Availability",
+ "text": "Use Disruption Budgets in your pod and deployment definitions",
+ "waf": "Reliability"
 },
 {
- "category": "Azure Networking",
- "checklist": "Azure Security Review Checklist",
- "guid": "44cf3b2b-3818-4baf-a2cf-2149d013a923",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/front-door-security-baseline?toc=/azure/frontdoor/TOC.json",
+ "category": "BC and DR",
+ "checklist": "Azure AKS Review",
+ "guid": "3c763963-7a55-42d5-a15e-401955387e5c",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication",
+ "service": "ACR",
 "services": [
- "FrontDoor",
- "AzurePolicy",
- "WAF"
+ "ACR",
+ "AKS"
 ],
 "severity": "High",
- "subcategory": "FrontDoor",
- "text": "Front Door is associated with a WAF policy",
- "waf": "Security"
+ "subcategory": "High Availability",
+ "text": "If using a private registry, configure region replication to store images in multiple regions",
+ "waf": "Reliability"
 },
 { 
- "category": "Azure Networking", - "checklist": "Azure Security Review Checklist", - "guid": "ce574dcc-bd8a-4c2a-aebc-a2a44da1dbf3", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-custom-domain-https", + "category": "BC and DR", + "checklist": "Azure AKS Review", + "guid": "daa9a260-c3ea-4490-b077-5fc1f2a80cb0", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", "services": [ - "FrontDoor", - "AzurePolicy" + "Storage", + "AKS", + "ASR" ], "severity": "High", - "subcategory": "FrontDoor", - "text": "Front Door TLS/SSL policy is configured", - "waf": "Security" + "subcategory": "Disaster Recovery", + "text": "Use Zone-Redundant Storage (ZRS) with stateful workloads", + "waf": "Reliability" }, { - "category": "Azure Networking", - "checklist": "Azure Security Review Checklist", - "guid": "dd992481-718d-41dc-a1f6-25659ee5580a", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-url-redirect", + "category": "BC and DR", + "checklist": "Azure AKS Review", + "guid": "bc14aea6-e65d-48d9-a3ad-c218e6436b06", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery", "services": [ - "FrontDoor" + "AKS" ], "severity": "High", - "subcategory": "FrontDoor", - "text": "Front Door redirect port 80 to port 443 is configured (listeners)", - "waf": "Security" + "subcategory": "Requirements", + "text": "Define non-functional requirements such as SLAs, RTO (Recovery Time Objective) and RPO (Recovery Point Objective).", + "waf": "Reliability" }, { - "category": "Azure Networking", - "checklist": "Azure Security Review Checklist", - "guid": "38249c93-1213-4dbd-9fb0-12f70943f630", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-diagnostics", + "category": "Cost Governance", + "checklist": "Azure AKS Review", + "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", + "service": "AKS", "services": [ - "FrontDoor", - "Sentinel" + "AKS", + "Cost" ], - "severity": "High", - "subcategory": "FrontDoor", - "text": "Front Door diagnostics logs send ApplicationGatewayAccessLog &ApplicationGateway FirewallLog to Sentinel LAW", - "waf": "Security" + "severity": "Low", + "subcategory": "Cost", + "text": "Use an external application such as kubecost to allocate costs to different users", + "waf": "Cost" }, { - "category": "Azure Networking", - "checklist": "Azure Security Review Checklist", - "guid": "4722ea39-d2b1-4ce6-9205-5b29bade4aad", - "link": "https://learn.microsoft.com/azure/security/fundamentals/ddos-best-practices", + "category": "Cost Governance", + "checklist": "Azure AKS Review", + "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", + "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", + "service": "AKS", "services": [ - "DDoS" + "AKS", + "Cost" ], - "severity": "High", - "subcategory": "DDOS Protection", - "text": "Enabled for Firewall public IP's (all public IPs)", - "waf": "Security" + "severity": "Low", + "subcategory": "Cost", + "text": "Use scale down mode to delete/deallocate nodes", + "waf": "Cost" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "346ad56f-bdb8-44db-8bcd-0a689af63f1e", - "link": "https://learn.microsoft.com/security/compass/identity#a-single-enterprise-directory", + "category": "Cost Governance", + "checklist": "Azure AKS Review", + "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", + "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", + "service": "AKS", "services": [ - "Entra" + "AKS", + "Cost" ], - "severity": "High", - "subcategory": "Tenant", - "text": "Establish a single enterprise directory for managing identities of full-time employees and enterprise resources.", - "waf": "Security" + "severity": "Medium", + 
"subcategory": "Cost", + "text": "When required use multi-instance partitioning GPU on AKS Clusters", + "waf": "Cost" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "a46108cd-6a76-4749-ae69-b7bf61410010", - "link": "https://learn.microsoft.com/security/compass/identity#synchronized-identity-systems", + "category": "Cost Governance", + "checklist": "Azure AKS Review", + "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", + "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", + "service": "AKS", "services": [ - "Entra" + "AKS", + "Cost" ], - "severity": "High", - "subcategory": "Tenant", - "text": "Synchronize your cloud identity with your existing identity systems.", - "waf": "Security" + "severity": "Low", + "subcategory": "Cost", + "text": "If running a Dev/Test cluster use NodePool Start/Stop", + "waf": "Cost" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "a1ab96ceb-c149-4ce2-bcad-3bd375ebfc7f", - "link": "https://learn.microsoft.com/security/compass/identity#cloud-provider-identity-source-for-third-parties", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", + "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", + "service": "AKS", "services": [ - "Entra" + "AKS", + "AzurePolicy" ], - "severity": "High", - "subcategory": "Tenant", - "text": "Use cloud identity services to host non-employee accounts such as vendors, partners, and customers, rather than rather than including them in your on-premises directory.", + "severity": "Medium", + "subcategory": "Compliance", + "text": "Use Azure Policy for Kubernetes to ensure cluster 
compliance", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "343473ec-ed5c-49e1-98f4-cb09524a23cd", - "link": "https://learn.microsoft.com/security/compass/identity#block-legacy-authentication", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", + "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", "services": [ - "Entra" + "AKS" ], - "severity": "High", - "subcategory": "Tenant", - "text": "Disable insecure legacy protocols for internet-facing services.", + "severity": "Medium", + "subcategory": "Compliance", + "text": "Separate applications from the control plane with user/system node pools", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "70dceb23-50c7-4d8d-bf53-8cc104c7dc44", - "link": "https://learn.microsoft.com/azure/security/fundamentals/identity-management-best-practices#enable-single-sign-on", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", "services": [ - "Entra" + "AKS" ], - "severity": "High", - "subcategory": "Tenant", - "text": "Enable single sign-on", + "severity": "Low", + "subcategory": "Compliance", + "text": "Add taint to your system nodepool to make it dedicated", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "87791be1-1eb0-48ed-8003-ad9bcf241b99", - "link": 
"https://learn.microsoft.com/security/compass/identity#no-on-premises-admin-accounts-in-cloud-identity-providers", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", + "link": "https://learn.microsoft.com/azure/container-registry/", + "service": "AKS", "services": [ - "Entra" + "ACR", + "AKS" ], - "severity": "High", - "subcategory": "Privileged administration", - "text": "Don�t synchronize accounts with the highest privilege access to on-premises resources as you synchronize your enterprise identity systems with cloud directories.", + "severity": "Medium", + "subcategory": "Compliance", + "text": "Use a private registry for your images, such as ACR", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "9e6efe9d-f28f-463b-9bff-b5080173e9fe", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#5-limit-the-number-of-global-administrators-to-less-than-5", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", + "link": "https://learn.microsoft.com/azure/security-center/container-security", + "service": "ACR", "services": [ - "Entra" + "AKS" ], - "severity": "High", - "subcategory": "Privileged administration", - "text": "Limit the number of Global Administrators to less than 5", + "severity": "Medium", + "subcategory": "Compliance", + "text": "Scan your images for vulnerabilities", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "e0d968d3-87f6-41fb-a4f9-d852f1673f4c", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#6-use-groups-for-azure-ad-role-assignments-and-delegate-the-role-assignment", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "cc639637-a652-42ac-89e8-06965388e9de", + "link": 
"https://learn.microsoft.com/azure/security-center/container-security", "services": [ - "Entra", - "RBAC" + "AKS", + "Defender" ], - "severity": "High", - "subcategory": "Privileged administration", - "text": "Use groups for Azure AD role assignments and delegate the role assignment", + "severity": "Medium", + "subcategory": "Compliance", + "text": "Use Azure Security Center to detect security posture vulnerabilities", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "00350863-4df6-4050-9cf1-cbaa6d58283e", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#managed-accounts-for-admins", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "42d4aefe-2383-470e-b019-c30df24996b2", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool", "services": [ - "Entra", - "AzurePolicy" + "AKS" ], - "severity": "High", - "subcategory": "Privileged administration", - "text": "Ensure all critical impact admins are managed by enterprise directory to follow organizational policy enforcement.", + "severity": "Low", + "subcategory": "Compliance", + "text": "If required configure FIPS", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "eae64d01-0d3a-4ae1-a89d-cc1c2ad3888f", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#4-configure-recurring-access-reviews-to-revoke-unneeded-permissions-over-time", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", + "service": "AKS", "services": [ - "Entra" + "AKS" ], "severity": "High", - "subcategory": "Privileged administration", - "text": "Configure recurring access reviews to revoke unneeded permissions over 
time", + "subcategory": "Compliance", + "text": "Define app separation requirements (namespace/nodepool/cluster)", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "922ac19f-916d-4697-b8ea-ded26bdd186f", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#admin-workstation-security", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", + "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", + "service": "AKS", "services": [ - "Entra", - "Monitor" + "AKS", + "AKV" ], "severity": "Medium", - "subcategory": "Privileged administration", - "text": "Ensure critical impact admins use a workstation with elevated security protections and monitoring", + "subcategory": "Secrets", + "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "1e8c39ec-9466-4673-83c0-05674c1e945b", - "link": "https://learn.microsoft.com/azure/active-directory/external-identities/compare-with-b2c", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", + "link": "https://learn.microsoft.com/azure/aks/update-credentials", + "service": "AKS", "services": [ - "Entra" + "AKS", + "AKV" ], "severity": "High", - "subcategory": "External Identities", - "text": "Identity Providers: Verify external identity providers are known", + "subcategory": "Secrets", + "text": "If using Service Principals for the cluster, refresh credentials periodically (like quarterly)", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "459c373e-7ed7-4162-9b37-5a917ecbe48f", - "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations", + 
"category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", + "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", + "service": "AKS", "services": [ - "Entra" + "AKS", + "AKV" ], - "severity": "High", - "subcategory": "External Identities", - "text": "External Collaboration Settings: Guest user access set to 'Guest user access is restricted?'", + "severity": "Medium", + "subcategory": "Secrets", + "text": "If required add Key Management Service etcd encryption", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "be64dd7d-f2e8-4bbb-a468-155abc9164e9", - "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", + "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", + "service": "AKS", "services": [ - "RBAC", - "Entra" + "AKS", + "AKV" ], - "severity": "High", - "subcategory": "External Identities", - "text": "External Collaboration Settings: Guest invite settings set to 'Only users assigned to specific admin roles'", + "severity": "Low", + "subcategory": "Secrets", + "text": "If required consider using Confidential Compute for AKS", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "909aed8c-44cf-43b2-a381-8bafa2cf2149", - "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", + "service": "AKS", "services": [ - "Entra" + "AKS", + "AKV", + "Defender" ], - "severity": "High", - 
"subcategory": "External Identities", - "text": "External Collaboration Settings: Enable guest self-service sign up via flows set to 'Disabled' ", + "severity": "Medium", + "subcategory": "Secrets", + "text": "Consider using Defender for Containers", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "d013a923-ce57-44dc-abd8-ac2aaebca2a4", - "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", + "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", + "service": "AKS", "services": [ - "Entra" + "Entra", + "AKS" ], "severity": "High", - "subcategory": "External Identities", - "text": "External Collaboration Settings: Collaboration restrictions set to 'Allow invitations to the specified domains'", + "subcategory": "Identity", + "text": "Use managed identities instead of Service Principals", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "4da1dbf3-dd99-4248-8718-d1dca1f62565", - "link": "https://learn.microsoft.com/azure/active-directory/governance/deploy-access-reviews", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", + "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", + "link": "https://learn.microsoft.com/azure/aks/managed-aad", + "service": "AKS", "services": [ - "Entra" + "Entra", + "AKS" ], "severity": "Medium", - "subcategory": "External Identities", - "text": "Access Reviews: Enabled for all groups", + 
"subcategory": "Identity", + "text": "Integrate authentication with AAD (using the managed integration)", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "9ee5580a-3824-49c9-9121-3dbd7fb012f7", - "link": "https://learn.microsoft.com/azure/active-directory/manage-apps/configure-user-consent", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", + "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", + "service": "AKS", "services": [ - "Entra" + "Entra", + "AKS" ], "severity": "Medium", - "subcategory": "Enterprise Applications", - "text": "Consent & Permissions: Allow user consent for apps from verified publishers", + "subcategory": "Identity", + "text": "Limit access to admin kubeconfig (get-credentials --admin)", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "0943f630-4722-4ea3-ad2b-1ce632055b29", - "link": "https://learn.microsoft.com/azure/active-directory/manage-apps/configure-user-consent-groups", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", + "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", + "service": "AKS", "services": [ - "Entra" + "RBAC", + "Entra", + "AKS" ], "severity": "Medium", - "subcategory": "Enterprise Applications", - "text": "Consent & Permissions: Allow group owner consent for selected group owners ", + "subcategory": "Identity", + "text": "Integrate authorization with AAD RBAC", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "bade4aad-1e8c-439e-a946-667313c00567", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy-configure-custom-domain", + "category": "Identity and Access Management", + "checklist": "Azure AKS 
Review", + "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", + "service": "AKS", "services": [ - "Entra" + "RBAC", + "Entra", + "AKS" ], "severity": "High", - "subcategory": "Custom Domains", - "text": "Only validated customer domains are registered", + "subcategory": "Identity", + "text": "Use namespaces for restricting RBAC privilege in Kubernetes", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "4c1e945b-459c-4373-b7ed-71623b375a91", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-sspr", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", + "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", + "service": "AKS", "services": [ "Entra", - "AzurePolicy" + "AKS" ], - "severity": "High", - "subcategory": "Password Reset", - "text": "Self-service password reset policy requirement verified compliant.", + "severity": "Medium", + "subcategory": "Identity", + "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "7ecbe48f-be64-4dd7-bf2e-8bbbc468155a", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/howto-sspr-deployment", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", + "service": "AKS", "services": [ - "Entra" + "Entra", + "AKS" ], "severity": "Medium", - "subcategory": "Password Reset", - "text": "Set number of days before users are asked to re-confirm authentication information is not set to zero", + "subcategory": 
"Identity", + "text": "For AKS non-interactive logins use kubelogin (preview)", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "bc9164e9-909a-4ed8-a44c-f3b2b3818baf", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/howto-sspr-deployment", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", + "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", + "service": "AKS", "services": [ - "Entra" + "Entra", + "AKS" ], - "severity": "High", - "subcategory": "Password Reset", - "text": "Set number of methods required to reset password are selected", + "severity": "Medium", + "subcategory": "Identity", + "text": "Disable AKS local accounts", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "a2cf2149-d013-4a92-9ce5-74dccbd8ac2a", - "link": "https://learn.microsoft.com/azure/active-directory/roles/delegate-app-roles", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", + "service": "AKS", "services": [ - "Entra" + "Entra", + "AKS" ], - "severity": "High", - "subcategory": "User Setting", - "text": "Disable 'Users can register applications'", + "severity": "Low", + "subcategory": "Identity", + "text": "Configure if required Just-in-time cluster access", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "aebca2a4-4da1-4dbf-9dd9-92481718d1dc", - "link": 
"https://learn.microsoft.com/azure/active-directory/fundamentals/users-default-permissions", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", + "service": "AKS", "services": [ - "Entra" + "Entra", + "AKS" ], - "severity": "High", - "subcategory": "User Setting", - "text": "Restrict access to Administrative portal (portal.azure.com) to administrators only", + "severity": "Low", + "subcategory": "Identity", + "text": "Configure if required AAD conditional access for AKS", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "a1f62565-9ee5-4580-a382-49c931213dbd", - "link": "https://learn.microsoft.com/azure/active-directory/enterprise-users/linkedin-integration", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", + "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", + "service": "AKS", "services": [ - "Entra" + "Entra", + "AKS" ], - "severity": "High", - "subcategory": "User Setting", - "text": "Disable 'LinkedIn account connection'", + "severity": "Low", + "subcategory": "Identity", + "text": "If required for Windows AKS workloads configure gMSA ", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "7fb012f7-0943-4f63-8472-2ea39d2b1ce6", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-monitoring", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", + "service": "AKS", "services": [ "Entra", - "Sentinel", - "Monitor" + 
"AKS" ], - "severity": "High", - "subcategory": "Diagnostic Settings", - "text": "Enabled and send to Log Analytics workspace with Sentinel", + "severity": "Medium", + "subcategory": "Identity", + "text": "For finer control consider using a managed Kubelet Identity", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "21e44a19-a9dd-4399-afd7-b28dc8355562", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-deployment-plan", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", + "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", + "service": "AKS", "services": [ - "Entra" + "ACR", + "AKS", + "AppGW" ], - "severity": "High", - "subcategory": "PIM enabled", - "text": "Privileged Identity Management enabled", - "waf": "Security" + "severity": "Medium", + "subcategory": "Best practices", + "text": "If using AGIC, do not share an AppGW across clusters", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "46f4389a-7f42-4c78-b78c-06a63a21a495", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-usage?tabs=jit-config-asc%2Cjit-request-asc", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", + "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", + "link": "https://learn.microsoft.com/azure/aks/http-application-routing", + "service": "AKS", "services": [ - "Entra" + "AKS" ], "severity": "High", - "subcategory": "PIM enabled", - "text": "Implement 'just in time' (JIT) access to further 
lower the exposure time for privileged accounts (reduce standing access)", - "waf": "Security" + "subcategory": "Best practices", + "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "6e6a8dc4-a20e-427b-9e29-711b1352beee", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policy-common", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", + "service": "AKS", + "services": [ + "AKS" + ], + "severity": "Medium", + "subcategory": "Best practices", + "text": "For Windows workloads use Accelerated Networking", + "waf": "Performance" + }, + { + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", + "guid": "ba7da7be-9952-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "services": [ - "Entra", - "AzurePolicy" + "AKS", + "LoadBalancer" ], "severity": "High", - "subcategory": "Conditional Access Policies", - "text": "Configure conditional access policies / Access Controls", - "waf": "Security" + "subcategory": "Best practices", + "text": "Use the standard ALB (as opposed to the basic one)", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure Security Review Checklist", - "guid": "079b588d-efc4-4972-ac3c-d21bf77036e5", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/location-condition", + "category": "Network Topology and 
Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b",
+ "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet",
+ "service": "AKS",
 "services": [
- "Entra",
- "AzurePolicy"
+ "VNet",
+ "AKS"
 ],
 "severity": "Medium",
- "subcategory": "Conditional Access Policies",
- "text": "Conditions: Restricted Locations",
+ "subcategory": "Best practices",
+ "text": "If using Azure CNI, consider using different Subnets for NodePools",
 "waf": "Security"
 },
 {
- "category": "Identity",
- "checklist": "Azure Security Review Checklist",
- "guid": "e6b4bed3-d5f3-4547-a134-7dc56028a71f",
- "link": "https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584",
+ "link": "https://learn.microsoft.com/azure/private-link/private-link-overview",
+ "service": "AKS",
 "services": [
- "Entra",
- "AzurePolicy"
+ "VNet",
+ "AKS",
+ "Cost",
+ "PrivateLink"
 ],
- "severity": "High",
- "subcategory": "Conditional Access Policies",
- "text": "Access Controls: MFA enabled for all users",
+ "severity": "Medium",
+ "subcategory": "Cost",
+ "text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster",
 "waf": "Security"
 },
 {
- "category": "Identity",
- "checklist": "Azure Security Review Checklist",
- "guid": "fe1bd15d-d2f0-4d5e-972d-41e3611cc57b",
- "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "e8a03f97-8794-468d-96a7-86d60f96c97b",
+ "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
 "services": [
- "Entra",
- "AzurePolicy"
+ "VPN",
+ "AKS"
 ],
 "severity": "Medium",
- "subcategory": "Conditional Access Policies",
- "text": "Access Controls: Require MFA for Administrators",
- "waf": "Security"
+ "subcategory": "HA",
+ "text": "If hybrid connectivity is required, use 2xER or ER+VPN for better availability",
+ "waf": "Reliability"
 },
 {
- "category": "Identity",
- "checklist": "Azure Security Review Checklist",
- "guid": "4a4b1410-d439-4589-ac22-89b3d6b57cfc",
- "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-azure-management",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant",
+ "guid": "a0f61565-9de5-458f-a372-49c831112dbd",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
+ "service": "AKS",
 "services": [
- "Entra",
- "AzurePolicy"
+ "AKS"
 ],
 "severity": "High",
- "subcategory": "Conditional Access Policies",
- "text": "Access Controls: Require MFA for Azure Management ",
- "waf": "Security"
+ "subcategory": "IPAM",
+ "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)",
+ "waf": "Reliability"
 },
 {
- "category": "Identity",
- "checklist": "Azure Security Review Checklist",
- "guid": "645461e1-a3e3-4453-a3c8-639637a552d6",
- "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
+ "service": "AKS",
 "services": [
- "Entra",
- "AzurePolicy"
+ "VNet",
+ "AKS"
 ],
 "severity": "High",
- "subcategory": "Conditional Access Policies",
- "text": "Access Controls: Block Legacy Protocols",
- "waf": "Security"
+ "subcategory": "IPAM",
+ "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node",
+ "waf": "Performance"
 },
 {
- "category": "Identity",
- "checklist": "Azure Security Review Checklist",
- "guid": "7ae9eab4-0fd3-4290-998b-c178bdc5a06c",
- "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/require-managed-devices",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
+ "service": "AKS",
 "services": [
- "Entra",
- "AzurePolicy"
+ "AKS"
 ],
 "severity": "High",
- "subcategory": "Conditional Access Policies",
- "text": "Access Controls: Require devices to be marked as compliant",
+ "subcategory": "IPAM",
+ "text": "If using Azure CNI, check the maximum pods/node (default 30)",
+ "waf": "Performance"
 },
 {
- "category": "Identity",
- "checklist": "Azure Security Review Checklist",
- "description": "Customer documented policy",
- "guid": "a7144351-e19d-4d34-929e-b7228137a151",
- "link": "https://devblogs.microsoft.com/premier-developer/azure-active-directory-automating-guest-user-management/",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .",
+ "guid": "13c00567-4b1e-4945-a459-c373e7ed6162",
+ "link": "https://learn.microsoft.com/azure/aks/internal-lb",
+ "service": "AKS",
 "services": [
- "Entra",
- "AzurePolicy"
+ "VNet",
+ "AKS"
 ],
- "severity": "Medium",
- "subcategory": "Guest users",
- "text": "Is there a policy to track guest user accounts (i.e. usage/delete/disable)?",
+ "severity": "Low",
+ "subcategory": "IPAM",
+ "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)",
 "waf": "Security"
 },
 {
- "category": "Identity",
- "checklist": "Azure Security Review Checklist",
- "guid": "c5bb4e4f-1814-4287-b5ca-8c26c9b32ab5",
- "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/identity-secure-score",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
+ "service": "AKS",
 "services": [
- "Entra"
+ "AKS"
 ],
 "severity": "High",
- "subcategory": "Identity Secure Score",
- "text": "Implement Identity Secure Score based on best practices in your industry",
- "waf": "Security"
+ "subcategory": "IPAM",
+ "text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)",
+ "waf": "Reliability"
 },
 {
- "category": "Identity",
- "checklist": "Azure Security Review Checklist",
- "guid": "bcfc6998-a135-4e33-9897-e31c67d68cb6",
- "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f",
+ "link": "https://learn.microsoft.com/azure/aks/use-byo-cni",
+ "service": "AKS",
 "services": [
- "Entra",
- "AzurePolicy"
+ "AKS"
 ],
- "severity": "Medium",
- "subcategory": "Break Glass Accounts",
- "text": "At least two break glass accounts have been created and policy around their use exists",
+ "severity": "Low",
+ "subcategory": "Operations",
+ "text": "If required add your own CNI plugin",
 "waf": "Security"
 },
 {
- "category": "VM Security Checks",
- "checklist": "Azure Security Review Checklist",
- "guid": "0ac252b9-99a6-48af-a7c9-a8f821b8eb8c",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364",
+ "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools",
+ "service": "AKS",
 "services": [
- "AzurePolicy",
- "VM"
+ "AKS"
 ],
- "severity": "High",
- "subcategory": "Access Control",
- "text": "Control VM Access leveraging Azure Policy",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Operations",
+ "text": "If required configure Public IP per node in AKS",
+ "waf": "Performance"
 },
 {
- "category": "VM Security Checks",
- "checklist": "Azure Security Review Checklist",
- "guid": "0aa77e26-e4d5-4aea-a8dc-4e2436bc336d",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/templates/syntax",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db",
+ "link": "https://learn.microsoft.com/azure/aks/concepts-network",
+ "service": "AKS",
 "services": [
- "VM"
+ "AKS"
 ],
 "severity": "Medium",
- "subcategory": "Access Control",
- "text": "Reduce variability in your setup and deployment of VMs by leveraging templates",
- "waf": "Security"
+ "subcategory": "Scalability",
+ "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services",
+ "waf": "Reliability"
 },
 {
- "category": "VM Security Checks",
- "checklist": "Azure Security Review Checklist",
- "guid": "b5945bda-4333-44fd-b91c-234182b65275",
- "link": "https://learn.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "ccb534e7-416e-4a1d-8e93-533b53199085",
+ "link": "https://learn.microsoft.com/azure/aks/nat-gateway",
+ "service": "AKS",
 "services": [
- "VM"
+ "AKS"
 ],
- "severity": "Medium",
- "subcategory": "Access Control",
- "text": "Secure privileged access to deploy VMS by reducing who has access to Resources through Governance",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Scalability",
+ "text": "Use Azure NAT Gateway as outboundType for scaling egress traffic",
+ "waf": "Reliability"
 },
 {
- "category": "VM Security Checks",
- "checklist": "Azure Security Review Checklist",
- "guid": "269440b4-be3d-43e0-a432-76d4bdc015bc",
- "link": "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support",
+ "service": "AKS",
 "services": [
- "VM"
+ "AKS"
 ],
 "severity": "Medium",
- "subcategory": "High Availability ",
- "text": "Use multiple VMs for your workloads for better availability ",
+ "subcategory": "Scalability",
+ "text": "Use Dynamic allocations of IPs in order to avoid Azure CNI IP exhaustion",
 "waf": "Reliability"
 },
 {
- "category": "VM Security Checks",
- "checklist": "Azure Security Review Checklist",
- "guid": "f219e4a1-eb58-4879-935d-227886d30b66",
- "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-first-look-arm",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant",
+ "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba",
+ "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic",
+ "service": "AKS",
 "services": [
- "ASR",
- "VM"
+ "AKS",
+ "NVA"
 ],
- "severity": "Medium",
- "subcategory": "High Availability ",
- "text": "Deploy and test a disaster recovery solution ",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Security",
+ "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it",
+ "waf": "Security"
 },
 {
- "category": "VM Security Checks",
- "checklist": "Azure Security Review Checklist",
- "guid": "c57be595-1900-4838-95c5-86cb291ec16a",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant",
+ "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2",
+ "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges",
+ "service": "AKS",
 "services": [
- "VM"
+ "AKS"
 ],
 "severity": "Medium",
- "subcategory": "High Availability ",
- "text": "Availability sets",
- "waf": "Reliability"
+ "subcategory": "Security",
+ "text": "If using a public API endpoint, restrict the IP addresses that can access it",
+ "waf": "Security"
 },
 {
- "category": "VM Security Checks",
- "checklist": "Azure Security Review Checklist",
- "guid": "1d076ef9-f141-4acd-ae57-9377bcdb3751",
- "link": "https://learn.microsoft.com/azure/availability-zones/az-overview?context=/azure/virtual-machines/context/context",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
+ "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d",
+ "link": "https://learn.microsoft.com/azure/aks/private-clusters",
+ "service": "AKS",
 "services": [
- "VM"
+ "AKS"
 ],
- "severity": "Medium",
- "subcategory": "High Availability ",
- "text": "Availability Zones",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Security",
+ "text": "Use private clusters if your requirements mandate it",
+ "waf": "Security"
 },
 {
- "category": "VM Security Checks",
- "checklist": "Azure Security Review Checklist",
- "guid": "ab2ac1fa-d66e-415d-9d5a-2adb2c3e2326",
- "link": "https://learn.microsoft.com/azure/architecture/resiliency/recovery-loss-azure-region",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
+ "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665",
+ "link": "https://learn.microsoft.com/azure/aks/use-network-policies",
+ "service": "AKS",
 "services": [
- "VM"
+ "AKS",
+ "AzurePolicy"
 ],
 "severity": "Medium",
- "subcategory": "High Availability ",
- "text": "Regional fault tolerance ",
- "waf": "Reliability"
+ "subcategory": "Security",
+ "text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ",
+ "waf": "Security"
 },
 {
- "category": "VM Security Checks",
- "checklist": "Azure Security Review Checklist",
- "guid": "af225ca4-4e16-496f-bdde-ace4cb1deb4c",
- "link": "https://learn.microsoft.com/azure/security/fundamentals/antimalware",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant",
+ "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a",
+ "link": "https://learn.microsoft.com/azure/aks/use-network-policies",
+ "service": "AKS",
 "services": [
- "VM"
+ "AKS",
+ "AzurePolicy"
 ],
 "severity": "High",
- "subcategory": "Protect against malware",
- "text": "Install antimalware solutions",
+ "subcategory": "Security",
+ "text": "Enable a Kubernetes Network Policy option (Calico/Azure)",
 "waf": "Security"
 },
 {
- "category": "VM Security Checks",
- "checklist": "Azure Security Review Checklist",
- "guid": "650c3fc1-4eeb-4b36-a382-9e3eec218368",
- "link": "https://learn.microsoft.com/azure/security-center/security-center-partner-integration",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
+ "service": "AKS",
 "services": [
- "Defender",
- "VM"
+ "AKS",
+ "AzurePolicy"
 ],
 "severity": "High",
- "subcategory": "Protect against malware",
- "text": "Integrate antimalware solution with Security Center",
+ "subcategory": "Security",
+ "text": "Use Kubernetes network policies to increase intra-cluster security",
 "waf": "Security"
 },
 {
- "category": "VM Security Checks",
- "checklist": "Azure Security Review Checklist",
- "guid": "7a0177a2-b594-45bd-a433-34fdf91c2341",
- "link": "https://learn.microsoft.com/azure/automation/update-management/overview",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
+ "service": "AKS",
 "services": [
- "VM"
+ "AKS",
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Manage VM Updates",
- "text": "Keep VMs up to date using Update Management with Azure Automation",
+ "subcategory": "Security",
+ "text": "Use a WAF for web workloads (UIs or APIs)",
 "waf": "Security"
 },
 {
- "category": "VM Security Checks",
- "checklist": "Azure Security Review Checklist",
- "guid": "c6fa96b9-6ad8-4840-af37-2734c876ba28",
- "link": "https://learn.microsoft.com/azure/virtual-machines/automatic-vm-guest-patching",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
+ "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94",
+ "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview",
+ "service": "AKS",
 "services": [
- "VM"
+ "DDoS",
+ "VNet",
+ "AKS"
 ],
 "severity": "Medium",
- "subcategory": "Manage VM Updates",
- "text": "Ensure Windows images for deployment have the most recent level of updates ",
+ "subcategory": "Security",
+ "text": "Use DDoS Standard in the AKS Virtual Network",
 "waf": "Security"
 },
 {
- "category": "VM Security Checks",
- "checklist": "Azure Security Review Checklist",
- "guid": "02145901-465d-438e-9309-ccbd979266bc",
- "link": "https://learn.microsoft.com/azure/security-center/asset-inventory",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
+ "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266",
+ "link": "https://learn.microsoft.com/azure/aks/http-proxy",
+ "service": "AKS",
 "services": [
- "Defender",
- "VM"
+ "AKS"
 ],
- "severity": "High",
- "subcategory": "Manage VM Updates",
- "text": "Rapidly apply security updates to VMs using Microsoft Defender for Cloud",
+ "severity": "Low",
+ "subcategory": "Security",
+ "text": "If required add company HTTP Proxy",
 "waf": "Security"
 },
 {
- "category": "VM Security Checks",
- "checklist": "Azure Security Review Checklist",
- "guid": "ca274faa-19bf-439d-a5d4-4c7c8919ca1f",
- "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b",
+ "link": "https://learn.microsoft.com/azure/aks/servicemesh-about",
+ "service": "AKS",
 "services": [
- "VM"
+ "AKS"
 ],
- "severity": "High",
- "subcategory": "Encrypt your VHDs",
- "text": "Enable encryption on your VMs",
+ "severity": "Medium",
+ "subcategory": "Security",
+ "text": "Consider using a service mesh for advanced microservice communication management",
 "waf": "Security"
 },
 {
- "category": "VM Security Checks",
- "checklist": "Azure Security Review Checklist",
- "guid": "6d5315ae-524b-4a34-b458-5e12139bd7bb",
- "link": "https://learn.microsoft.com/azure/virtual-machines/windows/disk-encryption-key-vault#set-up-a-key-encryption-key-kek",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
+ "service": "AKS",
 "services": [
- "VM"
+ "AKS",
+ "Monitor"
 ],
 "severity": "High",
- "subcategory": "Encrypt your VHDs",
- "text": "Add Key Encryption Key (KEK) for added layer of security for encryption ",
- "waf": "Security"
+ "subcategory": "Alerting",
+ "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)",
+ "waf": "Operations"
 },
 {
- "category": "VM Security Checks",
- "checklist": "Azure Security Review Checklist",
- "guid": "012f7b95-e06e-4154-b2aa-3592828e6e20",
- "link": "https://learn.microsoft.com/azure/virtual-machines/windows/snapshot-copy-managed-disk",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "337453a3-cc63-4963-9a65-22ac19e80696",
+ "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started",
+ "service": "AKS",
 "services": [
- "VM",
- "LoadBalancer"
+ "Entra",
+ "AKS"
 ],
- "severity": "Medium",
- "subcategory": "Encrypt your VHDs",
- "text": "Take a snapshot of disks before encryption for rollback purposes",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Compliance",
+ "text": "Check regularly Azure Advisor for recommendations on your cluster",
+ "waf": "Operations"
 },
 {
- "category": "VM Security Checks",
- "checklist": "Azure Security Review Checklist",
- "guid": "5173676a-e466-491e-a835-ad942223e138",
- "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced",
+ "link": "https://learn.microsoft.com/azure/aks/certificate-rotation",
+ "service": "AKS",
 "services": [
- "Entra",
- "VM"
+ "AKS"
 ],
- "severity": "High",
- "subcategory": "Restrict direct internet connection ",
- "text": "Ensure only the central networking group has permissions to networking resources ",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Compliance",
+ "text": "Enable AKS auto-certificate rotation",
+ "waf": "Operations"
 },
 {
- "category": "VM Security Checks",
- "checklist": "Azure Security Review Checklist",
- "guid": "10523081-a941-4741-9833-ff7ad7c6d373",
- "link": "https://learn.microsoft.com/azure/security-center/security-center-partner-integration",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370",
+ "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions",
+ "service": "AKS",
 "services": [
- "Entra",
- "VM"
+ "AKS"
 ],
 "severity": "High",
- "subcategory": "Restrict direct internet connection ",
- "text": "Identity and remediate exposed VMs that allow access from 'ANY' source IP address",
- "waf": "Security"
+ "subcategory": "Compliance",
+ "text": "Have a regular process to upgrade your kubernetes version periodically (quarterly, for example), or use the AKS autoupgrade feature",
+ "waf": "Operations"
 },
 {
- "category": "VM Security Checks",
- "checklist": "Azure Security Review Checklist",
- "guid": "75a91be1-f388-4f03-a4d2-cd463cbbbc86",
- "link": "https://learn.microsoft.com/azure/security-center/security-center-just-in-time",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82",
+ "link": "https://learn.microsoft.com/azure/aks/node-updates-kured",
+ "service": "AKS",
 "services": [
- "VM"
+ "AKS"
 ],
 "severity": "High",
- "subcategory": "Restrict direct internet connection ",
- "text": "Restrict management ports (RDP, SSH) using Just-in-Time Access",
- "waf": "Security"
+ "subcategory": "Compliance",
+ "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade",
+ "waf": "Operations"
 },
 {
- "category": "VM Security Checks",
- "checklist": "Azure Security Review Checklist",
- "guid": "8295abc9-1a4e-4da0-bae2-cc84c47b6b78",
- "link": "http://learn.microsoft.com/answers/questions/171195/how-to-create-jump-server-in-azure-not-bastion-paa.html",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "139c9580-ade3-426a-ba09-cf157d9f6477",
+ "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade",
+ "service": "AKS",
 "services": [
- "VM"
+ "AKS"
 ],
 "severity": "High",
- "subcategory": "Restrict direct internet connection ",
- "text": "Remove internet access and implement jump servers for RDP",
- "waf": "Security"
+ "subcategory": "Compliance",
+ "text": "Have a regular process to upgrade the cluster node images periodically (weekly, for example)",
+ "waf": "Operations"
 },
 {
- "category": "VM Security Checks",
- "checklist": "Azure Security Review Checklist",
- "guid": "1cbafe6c-4658-49d4-98a9-27c3974d1102",
- "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-forced-tunneling",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments",
+ "service": "AKS",
 "services": [
- "VM",
- "VPN"
+ "AKS"
 ],
- "severity": "High",
- "subcategory": "Restrict direct internet connection ",
- "text": "Remove direct logging into servers using RDP/SSH from internet and implement VPN or express route",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Compliance",
+ "text": "Consider gitops to deploy applications or cluster configuration to multiple clusters",
+ "waf": "Operations"
 },
 {
- "category": "VM Security Checks",
- "checklist": "Azure Security Review Checklist",
- "guid": "dad6aae1-1e6b-484e-b5df-47d2d92881b1",
- "link": "https://learn.microsoft.com/azure/bastion/bastion-overview",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "d7672c26-7602-4482-85a4-14527fbe855c",
+ "link": "https://learn.microsoft.com/azure/aks/command-invoke",
+ "service": "AKS",
 "services": [
- "VM",
- "Bastion"
+ "AKS"
 ],
- "severity": "High",
- "subcategory": "Restrict direct internet connection ",
- "text": "Leverage Azure Bastion as your RDP/SSH broker for added security and reduction in footprint",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Compliance",
+ "text": "Consider using AKS command invoke on private clusters",
+ "waf": "Operations"
 },
 {
- "category": "Sentinel",
- "checklist": "Azure Security Review Checklist",
- "guid": "cd5d1e54-a297-459e-9968-0e78289c9356",
- "link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b",
+ "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain",
+ "service": "AKS",
 "services": [
- "Sentinel",
- "Monitor"
+ "AKS"
 ],
- "severity": "High",
- "subcategory": "Architecture ",
- "text": "All tenants contain have Sentinel enabled on at least one Log Analytics workspace",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Compliance",
+ "text": "For planned events consider using Node Auto Drain",
+ "waf": "Operations"
 },
 {
- "category": "Sentinel",
- "checklist": "Azure Security Review Checklist",
- "guid": "57d02bff-4564-4b0d-a34a-359836ee79d6",
- "link": "https://learn.microsoft.com/azure/sentinel/best-practices-workspace-architecture",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c",
+ "link": "https://learn.microsoft.com/azure/aks/faq",
+ "service": "AKS",
 "services": [
- "Sentinel"
+ "AKS"
 ],
 "severity": "High",
- "subcategory": "Architecture ",
- "text": "Customer understands Sentinel architecture",
- "waf": "Security"
+ "subcategory": "Compliance",
+ "text": "Develop own governance practices to make sure no changes are performed by operators in the node RG (aka 'infra RG')",
+ "waf": "Operations"
 },
 {
- "category": "Sentinel",
- "checklist": "Azure Security Review Checklist",
- "guid": "e8f5c586-c7d9-4cdc-86ac-c075ef9b141a",
- "link": "https://learn.microsoft.com/azure/sentinel/multiple-workspace-view",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant",
+ "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812",
+ "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
+ "service": "AKS",
 "services": [
- "ACR",
- "Sentinel",
- "Monitor"
+ "AKS"
 ],
- "severity": "Medium",
- "subcategory": "Architecture ",
- "text": "Customer knows how to monitor Incidents across multiple Sentinel instances",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Compliance",
+ "text": "Use custom Node RG (aka 'Infra RG') name",
+ "waf": "Operations"
 },
 {
- "category": "Sentinel",
- "checklist": "Azure Security Review Checklist",
- "guid": "8989579e-76b8-497e-910a-7da7be9966e1",
- "link": "https://learn.microsoft.com/azure/sentinel/manage-soc-with-incident-metrics",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32",
+ "link": "https://kubernetes.io/docs/setup/release/notes/",
+ "service": "AKS",
 "services": [
- "Sentinel"
+ "AKS"
 ],
 "severity": "Medium",
- "subcategory": "Overview",
- "text": "No Incidents open more than 24 hours",
- "waf": "Security"
+ "subcategory": "Compliance",
+ "text": "Do not use deprecated Kubernetes APIs in your YAML manifests",
+ "waf": "Operations"
 },
 {
- "category": "Sentinel",
- "checklist": "Azure Security Review Checklist",
- "guid": "5d3c4ada-97cb-43d1-925a-b225c6f4e068",
- "link": "https://learn.microsoft.com/azure/sentinel/whats-new",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed",
+ "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters",
+ "service": "AKS",
 "services": [
- "Sentinel"
+ "AKS"
 ],
 "severity": "Low",
- "subcategory": "News & Guides",
- "text": "Customer have been shown the News & Guides tab",
- "waf": "Security"
+ "subcategory": "Compliance",
+ "text": "Taint Windows nodes",
+ "waf": "Operations"
 },
 {
- "category": "Sentinel",
- "checklist": "Azure Security Review Checklist",
- "guid": "5edddea8-a4b7-4cde-a4c6-1fc3fc14eea6",
- "link": "https://learn.microsoft.com/azure/sentinel/enable-entity-behavior-analytics",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e",
+ "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2",
+ "service": "AKS",
 "services": [
- "Sentinel"
+ "AKS"
 ],
- "severity": "Medium",
- "subcategory": "UEBA ",
- "text": "UEBA Configured (Sentinel/Settings/Settings/Configure UEBA)",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Compliance",
+ "text": "Keep windows containers patch level in sync with host patch level",
+ "waf": "Operations"
 },
 {
- "category": "Sentinel",
- "checklist": "Azure Security Review Checklist",
- "guid": "e69d8d9a-3eec-4218-b687-ab077adb49e5",
- "link": "https://learn.microsoft.com/azure/sentinel/connect-azure-active-directory",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "description": "Via Diagnostic Settings at the cluster level",
+ "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5",
+ "link": "https://learn.microsoft.com/azure/aks/monitor-aks",
+ "service": "AKS",
 "services": [
- "Entra",
- "Sentinel"
+ "AKS",
+ "Monitor"
 ],
- "severity": "High",
- "subcategory": "Data Connectors",
- "text": "Azure Active Directory in configured and 'Last Log Received' shows today",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Compliance",
+ "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution",
+ "waf": "Operations"
 },
 {
- "category": "Sentinel",
- "checklist": "Azure Security Review Checklist",
- "guid": "b9603334-fdf8-4cc2-9318-db61171269f4",
- "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-active-directory-identity-protection",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21",
+ "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot",
+ "service": "AKS",
 "services": [
- "Entra",
- "Sentinel"
+ "AKS"
 ],
- "severity": "High",
- "subcategory": "Data Connectors",
- "text": "Azure Active Directory Identity Protection is configured and 'Last Log Received' shows today",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Compliance",
+ "text": "If required use nodePool snapshots",
+ "waf": "Cost"
 },
 {
- "category": "Sentinel",
- "checklist": "Azure Security Review Checklist",
- "guid": "0b4aa3d3-e070-4327-9d4b-98b15b8a219a",
- "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-activity",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0",
+ "link": "https://learn.microsoft.com/azure/aks/spot-node-pool",
+ "service": "AKS",
 "services": [
- "Sentinel"
+ "AKS",
+ "Cost"
 ],
- "severity": "High",
- "subcategory": "Data Connectors",
- "text": "Azure Activity is configured is configured and 'Last Log Received' shows today",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Cost",
+ "text": "Consider spot node pools for non time-sensitive workloads",
+ "waf": "Operations"
 },
 {
- "category": "Sentinel",
- "checklist": "Azure Security Review Checklist",
- "guid": "8e13f9cc-bd46-4826-9abc-a264f9a19bfe",
- "link": "https://learn.microsoft.com/azure/sentinel/connect-defender-for-cloud",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant",
+ "guid": "c755562f-2b4e-4456-9b4d-874a748b662e",
+ "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
+ "service": "AKS",
 "services": [
- "Defender",
- "Sentinel"
+ "AKS",
+ "Cost"
 ],
- "severity": "High",
- "subcategory": "Data Connectors",
- "text": "Microsoft Defender for Cloud is configured and 'Last Log Received' shows today",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Cost",
+ "text": "Consider AKS virtual node for quick bursting",
+ "waf": "Operations"
 },
 {
- "category": "Sentinel",
- "checklist": "Azure Security Review Checklist",
- "guid": "9d55d04c-3c49-419c-a1b2-d1215ae114b9",
- "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-firewall",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
+ "service": "AKS",
 "services": [
- "Sentinel",
- "Firewall"
+ "AKS",
+ "Monitor"
 ],
 "severity": "High",
- "subcategory": "Data Connectors",
- "text": "Azure Firewall is configured and 'Last Log Received' shows today",
- "waf": "Security"
+ "subcategory": "Monitoring",
+ "text": "Monitor your cluster metrics with Container Insights (or other tools like Prometheus)",
+ "waf": "Operations"
 },
 {
- "category": "Sentinel",
- "checklist": "Azure Security Review Checklist",
- "guid": "34df585e-cccd-49bd-9ba0-cdb3b54eb2eb",
- "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#windows-firewall",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant",
+ "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
+ "service": "AKS",
 "services": [
- "Sentinel"
+ "AKS",
+ "Monitor"
 ],
 "severity": "High",
- "subcategory": "Data Connectors",
- "text": "Windows Firewall is configured and 'Last Log Received' shows today",
- "waf": "Security"
+ "subcategory": "Monitoring",
+ "text": "Store and analyze your cluster logs with Container Insights (or other tools like Telegraf/ElasticSearch)",
+ "waf": "Operations"
 },
 {
- "category": "Sentinel",
- "checklist": "Azure Security Review Checklist",
- "guid": "03ddaa25-9271-48d2-bdb1-0725769ef669",
- "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#windows-security-events-via-ama",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze",
+ "service": "AKS",
 "services": [
- "Sentinel"
+ "AKS",
+ "Monitor"
 ],
- "severity": "High",
- "subcategory": "Data Connectors",
- "text": "Security Events is configured with AMA and 'Last Log Received' shows today",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "Monitoring",
+ "text": "Monitor CPU and memory utilization of the nodes",
+ "waf": "Operations"
 },
 {
- "category": "Sentinel",
- "checklist": "Azure Security Review Checklist",
- "guid": "1a4834ac-9322-423e-ae80-b123081a5417",
- "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "1a4835ac-9422-423e-ae80-b123081a5417",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
+ "service": "AKS", 
"services": [ - "Sentinel" + "AKS", + "Monitor" ], - "severity": "High", - "subcategory": "Data Connectors", - "text": "Security Events - verify Azure computers are connected and sending data to the workspace", - "waf": "Security" + "severity": "Medium", + "subcategory": "Monitoring", + "text": "If using Azure CNI, monitor % of pod IPs consumed per node", + "waf": "Operations" }, { - "category": "Sentinel", - "checklist": "Azure Security Review Checklist", - "guid": "859c773e-7e26-4162-9b77-5a917e1f348e", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference", + "category": "Operations", + "checklist": "Azure AKS Review", + "description": "I/O in the OS disk is a critical resource. If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady", + "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", + "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", + "service": "AKS", "services": [ - "Sentinel" + "Storage", + "EventHubs", + "AKS", + "ServiceBus", + "Monitor" ], - "severity": "High", - "subcategory": "Data Connectors", - "text": "Security Events - verify non-Azure computers are connected and sending data to the workspace", - "waf": "Security" + "severity": "Medium", + "subcategory": "Monitoring", + "text": "Monitor OS disk queue depth in nodes", + "waf": "Operations" }, { - "category": "Sentinel", - "checklist": "Azure Security Review Checklist", - "guid": "f354c27d-42e8-4bba-a868-155abb9163e9", - "link": "https://learn.microsoft.com/azure/sentinel/connect-aws?tabs=s3", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "be209d39-fda4-4777-a424-d116785c2fa5", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "services": [ - "Sentinel" + "AKS", + "NVA", + "LoadBalancer", + "Monitor" ], - "severity": "High", - "subcategory": "Data Connectors", - "text": "Connector 
for AWS", - "waf": "Security" + "severity": "Medium", + "subcategory": "Monitoring", + "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports", + "waf": "Operations" }, { - "category": "Sentinel", - "checklist": "Azure Security Review Checklist", - "guid": "909ae28c-84c3-43b6-a780-8bafe6c42149", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", + "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", + "service": "AKS", "services": [ - "Sentinel" + "AKS", + "Monitor" ], - "severity": "High", - "subcategory": "Data Connectors", - "text": "Connector for GCP", - "waf": "Security" + "severity": "Medium", + "subcategory": "Monitoring", + "text": "Subscribe to resource health notifications for your AKS cluster", + "waf": "Operations" }, { - "category": "Sentinel", - "checklist": "Azure Security Review Checklist", - "guid": "d413a923-c357-44d1-8028-ac6aae01e6a8", - "link": "https://learn.microsoft.com/azure/sentinel/detect-threats-built-in", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "services": [ - "Sentinel" + "AKS" ], "severity": "High", - "subcategory": "Analytics Rules", - "text": "Customer has enabled Analytics rules and configured Incidents ", - "waf": "Security" + "subcategory": "Resources", + "text": "Configure requests and limits in your pod specs", + "waf": "Operations" }, { - "category": "Sentinel", - "checklist": "Azure Security Review Checklist", - "guid": "4de5df43-d299-4248-8718-d5d1e5f62565", - "link": "https://azure.microsoft.com/updates/controlling-data-volume-and-retention-in-log-analytics-2/", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": 
"769ef669-1a48-435a-a942-223ece80b123", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "services": [ - "Sentinel" + "AKS" ], "severity": "Medium", - "subcategory": "Settings", - "text": "Customer does not have a daily cap enabled", - "waf": "Security" + "subcategory": "Resources", + "text": "Enforce resource quotas for namespaces", + "waf": "Operations" }, { - "category": "Azure Firewall", - "checklist": "Azure Security Review Checklist", - "guid": "9e3558fd-7724-49c9-9111-2d027fe412f7", - "link": "https://learn.microsoft.com/azure/firewall/premium-features", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "081a5417-4158-433e-a3ad-3c2de733165c", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "AKS", "services": [ - "Firewall" + "AKS", + "Subscriptions" ], "severity": "High", - "subcategory": "Configuration", - "text": "Azure Firewall Premium deployed", - "waf": "Security" + "subcategory": "Resources", + "text": "Ensure your subscription has enough quota to scale out your nodepools", + "waf": "Operations" }, { - "category": "Azure Firewall", - "checklist": "Azure Security Review Checklist", - "guid": "4dc74a74-8b66-433a-b2a0-916a764980ad", - "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal#create-a-default-route", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65", + "link": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/", + "service": "AKS", "services": [ - "Firewall" + "AKS" ], "severity": "High", - "subcategory": "Configuration", - "text": "Quad zero/force tunning enabled through Azure Firewall", - "waf": "Security" + "subcategory": "Resources", + "text": "Configure Liveness and Readiness probes for all deployments", + "waf": "Operations" }, { - 
"category": "Azure Firewall", - "checklist": "Azure Security Review Checklist", - "guid": "0e278ee2-93c1-4bc3-92ba-aab7571849ab", - "link": "https://techcommunity.microsoft.com/t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598", + "category": "Operations", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", + "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "services": [ - "RBAC", - "Firewall" + "AKS" ], "severity": "Medium", - "subcategory": "Access Control", - "text": "RBAC set to enable only authorized users", - "waf": "Security" + "subcategory": "Scalability", + "text": "Use the Cluster Autoscaler", + "waf": "Performance" }, { - "category": "Azure Firewall", - "checklist": "Azure Security Review Checklist", - "guid": "8093dc9f-c9d1-4bb7-9b36-a5a67fbb9ed5", - "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", + "category": "Operations", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", + "guid": "831c2872-c693-4b39-a887-a561bada49bc", + "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", + "service": "AKS", "services": [ - "Monitor", - "Firewall" + "AKS" ], - "severity": "Medium", - "subcategory": "Diagnostic Settings", - "text": "Diagnostics enabled and sending metrics to a Log Analytics workspace ", - "waf": "Security" + "severity": "Low", + "subcategory": "Scalability", + "text": "Customize node configuration for AKS node pools", + "waf": "Performance" }, { - "category": "Azure Firewall", - "checklist": "Azure Security Review Checklist", - "guid": "b35478c3-4798-416b-8863-cffe1cac599e", - "link": 
"https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "services": [ - "VNet", - "Firewall" + "AKS" ], - "severity": "High", - "subcategory": "Firewall Manager", - "text": "Hubs and virtual networks are protected or connected through Firewall Premium", - "waf": "Security" + "severity": "Medium", + "subcategory": "Scalability", + "text": "Use the Horizontal Pod Autoscaler when required", + "waf": "Performance" }, { - "category": "Azure Firewall", - "checklist": "Azure Security Review Checklist", - "guid": "f0d5a73d-d4de-436c-8c81-770afbc4c0e4", - "link": "https://techcommunity.microsoft.com/t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598", + "category": "Operations", + "checklist": "Azure AKS Review", + "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they will increase the blast radius and decrease the scaling granularity", + "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", + "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", + "service": "AKS", "services": [ - "RBAC", - "AzurePolicy", - "Firewall" + "AKS" ], "severity": "High", - "subcategory": "Firewall Manager", - "text": "Policy: Access controls are configured (RBAC)", - "waf": "Security" + "subcategory": "Scalability", + "text": "Consider an appropriate node size, not too large or too small", + "waf": "Performance" }, { - "category": "Azure Firewall", - "checklist": "Azure Security Review Checklist", - "guid": "5c3a87af-4a79-41f8-a39b-da47768e14c1", - "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": 
"38800e6a-ae01-40a2-9fbc-ae5a06e5462d", + "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", + "service": "AKS", "services": [ - "AzurePolicy", - "Firewall" + "AKS" ], - "severity": "High", - "subcategory": "Firewall Manager", - "text": "Policy: Parent policy is configured ", - "waf": "Security" + "severity": "Low", + "subcategory": "Scalability", + "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster", + "waf": "Performance" }, { - "category": "Azure Firewall", - "checklist": "Azure Security Review Checklist", - "guid": "15675c1e-a55b-446a-a48f-f8ae7d7e4b47", - "link": "https://learn.microsoft.com/azure/firewall/rule-processing", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", + "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", + "service": "AKS", "services": [ - "AzurePolicy", - "Firewall" + "AKS" ], - "severity": "High", - "subcategory": "Firewall Manager", - "text": "Policy: Rule collections are defined", - "waf": "Security" + "severity": "Low", + "subcategory": "Scalability", + "text": "Consider subscribing to EventGrid Events for AKS automation", + "waf": "Performance" }, { - "category": "Azure Firewall", - "checklist": "Azure Security Review Checklist", - "guid": "5b6c8bcb-f59b-4ce6-9de8-a03f97879468", - "link": "https://learn.microsoft.com/azure/firewall/rule-processing", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", + "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", + "service": "AKS", "services": [ - "AzurePolicy", - "Firewall" + "AKS" ], - "severity": "High", - "subcategory": "Firewall Manager", - "text": "Policy: DNAT policies are defined", - "waf": "Security" + "severity": "Low", + "subcategory": "Scalability", + "text": "For long running operation on an AKS cluster consider 
event termination", + "waf": "Performance" }, { - "category": "Azure Firewall", - "checklist": "Azure Security Review Checklist", - "guid": "d66a786d-60e9-46c9-9ad8-855d04c2b39c", - "link": "https://learn.microsoft.com/azure/firewall/rule-processing", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", + "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", + "service": "AKS", "services": [ - "AzurePolicy", - "Firewall" + "AKS" ], - "severity": "High", - "subcategory": "Firewall Manager", - "text": "Policy: Network rules are defined", - "waf": "Security" + "severity": "Low", + "subcategory": "Scalability", + "text": "If required consider using Azure Dedicated Hosts for AKS nodes", + "waf": "Performance" }, { - "category": "Azure Firewall", - "checklist": "Azure Security Review Checklist", - "guid": "986bb2c1-2149-4a11-9b5e-3df574ecccd9", - "link": "https://learn.microsoft.com/azure/firewall/features", + "category": "Operations", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", + "guid": "24367b33-6971-45b1-952b-eee0b9b588de", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", "services": [ - "AzurePolicy", - "Firewall" + "Storage", + "AKS" ], "severity": "High", - "subcategory": "Firewall Manager", - "text": "Policy: Application rules are defined", - "waf": "Security" - }, - { - "category": "Azure Firewall", - "checklist": "Azure Security Review Checklist", - "guid": "793a6bcd-a3b5-40eb-8eb0-3dd95d58d7c8", - "link": "https://learn.microsoft.com/azure/firewall/dns-details", - "services": [ - "DNS", - "Firewall" - ], - "severity": "Medium", - "subcategory": "Firewall Manager", - 
"text": "DNS: Feature understood and applied or not applied", - "waf": "Security" + "subcategory": "Storage", + "text": "Use ephemeral OS disks", + "waf": "Performance" }, { - "category": "Azure Firewall", - "checklist": "Azure Security Review Checklist", - "guid": "d622f54b-29ba-4de3-aad1-e8c28ec93666", - "link": "https://learn.microsoft.com/azure/firewall-manager/threat-intelligence-settings", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "AKS", "services": [ - "Firewall" + "Storage", + "AKS" ], "severity": "High", - "subcategory": "Firewall Manager", - "text": "Threat Intelligence: Set to Alert & Deny", - "waf": "Security" + "subcategory": "Storage", + "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and will generate huge logs with default AKS log rotation thresholds", + "waf": "Performance" }, { - "category": "Azure Firewall", - "checklist": "Azure Security Review Checklist", - "guid": "7313b005-674b-41e9-94a4-59c373e7ed61", - "link": "https://learn.microsoft.com/azure/firewall-manager/threat-intelligence-settings#allowlist-addresses", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", + "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", + "service": "AKS", "services": [ - "Firewall" + "Storage", + "AKS" ], - "severity": "High", - "subcategory": "Firewall Manager", - "text": "Threat Intelligence: Allowed list (justify if they are being used - ie performance)", - "waf": "Security" + "severity": "Low", + "subcategory": "Storage", + "text": "For hyper performance storage option use Ultra Disks on AKS", + "waf": "Performance" }, { - "category": "Azure Firewall", - "checklist": "Azure Security Review Checklist", - 
"guid": "623b365a-917e-4cbe-98eb-d54cd7df2e8b", - "link": "https://learn.microsoft.com/azure/firewall/premium-certificates", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", + "service": "AKS", "services": [ - "Firewall" + "Storage", + "AKS", + "SQL" ], - "severity": "High", - "subcategory": "Firewall Manager", - "text": "TLS enabled", - "waf": "Security" + "severity": "Medium", + "subcategory": "Storage", + "text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, etc)", + "waf": "Performance" }, { - "category": "Azure Firewall", - "checklist": "Azure Security Review Checklist", - "guid": "bac35715-59ab-4915-9e99-08aed8c44ce3", - "link": "https://learn.microsoft.com/azure/firewall/rule-processing", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", + "service": "AKS", "services": [ - "Firewall" + "Storage", + "AKS" ], - "severity": "High", - "subcategory": "Firewall Manager", - "text": "IDPS enabled", - "waf": "Security" + "severity": "Medium", + "subcategory": "Storage", + "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance reasons", + "waf": "Performance" }, { - "category": "Azure Firewall", - "checklist": "Azure Security Review Checklist", - "guid": "b2b3808b-9fa1-4cf1-849d-003a923ce474", - "link": "https://learn.microsoft.com/azure/firewall/snat-private-range", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", + "service": "AKS", "services": [ - "Firewall" + "Storage", + "AKS" ], - "severity": "High", - "subcategory": "Firewall 
Manager", - "text": "SNAT: Configured ", - "waf": "Security" + "severity": "Medium", + "subcategory": "Storage", + "text": "If using Azure Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right zone or use ZRS disk for nodepools spanning multiple zones", + "waf": "Performance" }, { - "category": "Azure Firewall", - "checklist": "Azure Security Review Checklist", - "guid": "dbcbd8ac-2aae-4bca-8a43-da1dae2cc992", - "link": "https://learn.microsoft.com/azure/security/fundamentals/ddos-best-practices", + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "fda1dae2-dc95-4d48-a6c7-91dca0f6c565", + "link": "https://learn.microsoft.com/azure/synapse-analytics/sql-data-warehouse/backup-and-restore#geo-backups-and-disaster-recovery", "services": [ - "DDoS", - "Firewall" + "Backup" ], "severity": "Medium", - "subcategory": "DDOS Protection", - "text": "Enabled for Firewall public IP's", - "waf": "Security" - }, - { - "category": "BC and DR", - "checklist": "Device Provisioning Service Review", - "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", - "service": "IoT Hub DPS", - "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "Select the right Logic App hosting plan based on your business & SLO requirements", + "subcategory": "Backup", + "text": "Enable Geo Backup ", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Device Provisioning Service Review", - "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "IoT Hub DPS", + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "89e558b9-37d4-4974-b111-2dbd7baf12e7", + 
"link": "https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/how-to-use-ci-cd-integration-to-automate-the-deploy-of-a-synapse/ba-p/2248060", "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "Protect logic apps from region failures with zone redundancy and availability zones", + "severity": "Medium", + "subcategory": "DevOps", + "text": "Integrate with Azure DevOps to deploy Multiple environments", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Device Provisioning Service Review", - "guid": "8aed4fbf-0830-4883-899d-222a154af478", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "IoT Hub DPS", + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "b94ef6e0-47d2-4da2-a82b-1cd6d2f54b29", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", "services": [], "severity": "High", - "subcategory": "High Availability", - "text": "Consider a Cross-Region DR strategy for critical workloads", + "subcategory": "DR", + "text": "BCDR for Azure Synapse pipelines ", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Device Provisioning Service Review", - "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "IoT Hub DPS", - "services": [ - "AppSvc" - ], + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "769e3a69-1e88-438a-a936-667e13c00567", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "services": [], "severity": "High", - "subcategory": "High Availability", - "text": "If deploying to an Isolated environment, use or 
migrate to App Service Environment (ASE) v3", + "subcategory": "DR", + "text": "Use Zone Redudant pipelines in regions supporting Availablity Zones", "waf": "Reliability" }, { - "category": "Application Deployment", - "checklist": "Device Provisioning Service Review", - "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "IoT Hub DPS", + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "4b1e944a-4598-437e-b7ad-6c6d3b365a5c", + "link": "https://learn.microsoft.com/azure/synapse-analytics/cicd/source-control", "services": [], - "severity": "Medium", - "subcategory": "CI/CD", - "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", - "waf": "Operations" - }, - { - "category": "Business", - "checklist": "Multitenant architecture", - "guid": "41177955-fe8f-430b-ae72-20dc5b6880da", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/overview", - "services": [ - "Entra" - ], - "severity": "High", - "subcategory": "Business", - "text": "Understand what kind of solution you're creating, such as business-to-business (B2B), business-to-consumer (B2C), or your enterprise software, and how tenants are different from users.", - "waf": "Operations" + "severity": "Low", + "subcategory": "DevOps", + "text": "Create Scripts for all DLL Statements and save in Git Repository ", + "waf": "Reliability" }, { - "category": "Business", - "checklist": "Multitenant architecture", - "guid": "2d33d1b7-697c-49f9-b944-afbeac0b2c8f", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "7acbe48a-be54-4cd7-af2e-87768358c559", + "link": "https://learn.microsoft.com/azure/synapse-analytics/spark/apache-spark-development-using-notebooks", 
"services": [], - "severity": "High", - "subcategory": "Business", - "text": "Define your tenants. Understand how many tenants you will support initially, and your growth plans.", - "waf": "Operations" - }, - { - "category": "Business", - "checklist": "Multitenant architecture", - "guid": "a2111b8b-cc66-4aa2-9da6-c09fa23851b6", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models", + "severity": "Low", + "subcategory": "DevOps", + "text": "When working with Spark Notebooks, make sure to integrate with Git or Azure DevOps", + "waf": "Reliability" + }, + { + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "775c6ee9-5b86-4ad8-a44c-e3b2b38b875b", + "link": "https://learn.microsoft.com/azure/synapse-analytics/sql-data-warehouse/backup-and-restore", "services": [], - "severity": "High", - "subcategory": "Business", - "text": "Define your pricing model and ensure it aligns with your tenants' consumption of Azure resources.", - "waf": "Cost" + "severity": "Medium", + "subcategory": "High Availablity", + "text": "Use Dedicated pools", + "waf": "Reliability" }, { - "category": "Business", - "checklist": "Multitenant architecture", - "guid": "331e84a6-2d65-4359-92ff-a1870b062995", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models", + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "a1cf2049-9013-4a5d-9ce4-74dbcbd8682a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/analytics/azure-synapse", "services": [], "severity": "Medium", - "subcategory": "Business", - "text": "Understand whether you need to separate your tenants into different tiers. 
Tiers might have different pricing, features, performance promises, geographic locations, and so forth.", - "waf": "Operations" + "subcategory": "DR", + "text": "Use Database restore points for Azure Synapse", + "waf": "Reliability" }, { - "category": "Business", - "checklist": "Multitenant architecture", - "guid": "90516b37-aab1-46ca-95bb-cc14a6a1608b", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "6abca2a4-fda1-4dae-8dc9-5d48c6c791dc", + "link": "https://learn.microsoft.com/azure/synapse-analytics/sql/on-demand-workspace-overview", "services": [], "severity": "Medium", - "subcategory": "Business", - "text": "Based on your customers' requirements, decide on the tenancy models that are appropriate for various parts of your solution.", - "waf": "Operations" + "subcategory": "High Availablity", + "text": "Use Serverless Pools when required", + "waf": "Reliability" }, { - "category": "Business", - "checklist": "Multitenant architecture", - "guid": "f5d76ae1-7048-4ff5-abba-f1ca799578b9", - "link": "https://learn.microsoft.com/azure/marketplace/plan-saas-offer", + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "a0f6c565-89e5-458b-a37d-4974e1112dbd", + "link": "https://learn.microsoft.com/azure/synapse-analytics/quickstart-deployment-template-workspaces", "services": [ - "Entra" + "Storage" ], "severity": "Medium", - "subcategory": "Business", - "text": "When you're ready, sell your B2B multitenant solution using the Microsoft Commercial Marketplace.", - "waf": "Operations" - }, - { - "category": "Reliability", - "checklist": "Multitenant architecture", - "guid": "9e7cedd9-1e05-4aeb-a7b3-01fe695a394c", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/design-checklist", - "services": [], - "severity": "High", - "subcategory": 
"Reliability", - "text": "Review the Azure Well-Architected Reliability checklist, which is applicable to all workloads.", + "subcategory": "DevOps", + "text": "Use Infrastructure as a Code template to do repeatable deployments", "waf": "Reliability" }, { - "category": "Reliability", - "checklist": "Multitenant architecture", - "guid": "e9521a55-2a7c-425c-8f3e-c38fd0c4df75", - "link": "https://learn.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor", + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "7baf12e7-b94e-4f6e-847d-2da2982b1cd6", + "link": "https://learn.microsoft.com/azure/cosmos-db/synapse-link", "services": [], - "severity": "High", - "subcategory": "Reliability", - "text": "Understand the Noisy Neighbor antipattern. Prevent individual tenants from impacting the system's availability for other tenants.", + "severity": "Medium", + "subcategory": "High Availablity", + "text": "Make sure to re-eshtablish any Synapse Links", + "training": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview", "waf": "Reliability" }, { - "category": "Reliability", - "checklist": "Multitenant architecture", - "guid": "2b99cb00-9abb-49b6-b11c-f2af9692f09e", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/overview", - "services": [], + "category": "Governance", + "checklist": "Azure API Management Review", + "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", + "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", + "service": "APIM", + "services": [ + "APIM", + "AzurePolicy" + ], "severity": "Medium", - "subcategory": "Reliability", - "text": "Design your multitenant solution for the level of growth that you expect. 
But don't overengineer for unrealistic growth.", - "waf": "Reliability" + "subcategory": "Development best practices", + "text": "Implement an error handling policy at the global level", + "waf": "Operations" }, { - "category": "Reliability", - "checklist": "Multitenant architecture", - "guid": "7a634a0e-1c9d-42b1-aac2-5a5378f103f1", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/business-metrics", - "services": [], + "category": "Governance", + "checklist": "Azure API Management Review", + "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", + "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", + "service": "APIM", + "services": [ + "APIM", + "AzurePolicy" + ], "severity": "Medium", - "subcategory": "Reliability", - "text": "Define service-level objectives (SLOs) and optionally service-level agreements (SLAs) for your solution. SLAs and SLOs should be based on the requirements of your tenants, as well as the composite SLA of the Azure resources in your architecture.", - "waf": "Reliability" + "subcategory": "Development best practices", + "text": "Ensure all APIs policies include a element.", + "waf": "Operations" }, { - "category": "Reliability", - "checklist": "Multitenant architecture", - "guid": "45beeeaf-fc59-4079-8fca-65d5724abaa7", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute", - "services": [], - "severity": "High", - "subcategory": "Reliability", - "text": "Test the scale of your solution. 
Ensure that it performs well under all levels of load, and that it scales correctly as the number of tenants increases.", - "waf": "Reliability" + "category": "Governance", + "checklist": "Azure API Management Review", + "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", + "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", + "service": "APIM", + "services": [ + "ACR", + "APIM", + "AzurePolicy" + ], + "severity": "Medium", + "subcategory": "Development best practices", + "text": "Use Policy Fragments to avoid repeating same policies definitions across multiple APIs", + "waf": "Operations" }, { - "category": "Reliability", - "checklist": "Multitenant architecture", - "guid": "2ff55551-984b-4606-95eb-bfb9c8b36761", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute", - "services": [], + "category": "Governance", + "checklist": "Azure API Management Review", + "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", + "link": "https://learn.microsoft.com/azure/api-management/monetization-support", + "service": "APIM", + "services": [ + "APIM" + ], "severity": "Medium", - "subcategory": "Reliability", - "text": "Apply chaos engineering principles to test the reliability of your solution.", - "waf": "Reliability" + "subcategory": "Monetization", + "text": "If you are planning to monetize your APIs, review the 'monetization support' article for best practices", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Multitenant architecture", - "guid": "8238c038-8eb2-4a02-8bd5-4908c9442c1c", - "link": "https://learn.microsoft.com/security/zero-trust", - "services": [], + "category": "Governance", + "checklist": "Azure API Management Review", + "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", + "service": "APIM", + "services": [ + "Monitor", + "APIM" + ], "severity": "High", - "subcategory": 
"Security", - "text": "Apply the Zero Trust and least privilege principles in all layers of your solution.", - "waf": "Security" + "subcategory": "Monitoring", + "text": "Enable Diagnostics Settings to export logs to Azure Monitor", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Multitenant architecture", - "guid": "92160e00-6894-4102-97e0-615d4ed93c01", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/map-requests", + "category": "Governance", + "checklist": "Azure API Management Review", + "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", + "service": "APIM", "services": [ - "Entra" + "Monitor", + "APIM" ], - "severity": "High", - "subcategory": "Security", - "text": "Ensure that you can correctly map user requests to tenants. Consider including the tenant context as part of the identity system, or by using another means, like application-level tenant authorization.", - "waf": "Security" + "severity": "Medium", + "subcategory": "Monitoring", + "text": "Enable Application Insights for more detailed telemetry", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Multitenant architecture", - "guid": "3c1538b4-5676-4b85-b451-432befb37b4f", - "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", - "services": [], - "severity": "Medium", - "subcategory": "Security", - "text": "Perform ongoing penetration testing and security code reviews.", - "waf": "Security" + "category": "Governance", + "checklist": "Azure API Management Review", + "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", + "service": "APIM", + "services": [ + "Monitor", + "APIM" + ], + "severity": "High", + "subcategory": "Monitoring", + "text": "Configure alerts on the most critical metrics", + "waf": 
"Operations" }, { - "category": "Security", - "checklist": "Multitenant architecture", - "guid": "5fca45ce-cf2d-42c0-a62c-aac92ba31498", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/governance-compliance", - "services": [], + "category": "Identity and Access Management", + "checklist": "Azure API Management Review", + "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", + "service": "APIM", + "services": [ + "Entra", + "APIM", + "AKV" + ], "severity": "High", - "subcategory": "Security", - "text": "Understand your tenants' compliance requirements, including data residency and any compliance or regulatory standards that they require you to meet.", + "subcategory": "Data protection", + "text": "Ensure that custom SSL certificates are stored an Azure Key Vault so they can be securely accessed and updated", "waf": "Security" }, { - "category": "Security", - "checklist": "Multitenant architecture", - "guid": "30adb90d-83d4-4a2e-986e-327ffe04e7a5", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/domain-names", + "category": "Identity and Access Management", + "checklist": "Azure API Management Review", + "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", + "service": "APIM", "services": [ - "DNS" + "Entra", + "APIM" ], "severity": "High", - "subcategory": "Security", - "text": "Correctly manage domain names and avoid vulnerabilities like dangling DNS and subdomain takeover attacks.", + "subcategory": "Identity", + 
"text": "Protect incoming requests to APIs (data plane) with Azure AD", "waf": "Security" }, { - "category": "Security", - "checklist": "Multitenant architecture", - "guid": "72ded36d-c633-4e0d-bd41-799a29da3481", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/service/overview", - "services": [], + "category": "Identity and Access Management", + "checklist": "Azure API Management Review", + "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", + "service": "APIM", + "services": [ + "Entra", + "APIM" + ], "severity": "Medium", - "subcategory": "Security", - "text": "Follow service-specific guidance for multitenancy.", + "subcategory": "Identity", + "text": "Use Microsoft Entra ID to authenticate users in the Developer Portal", "waf": "Security" }, { - "category": "Cost Optimization", - "checklist": "Multitenant architecture", - "guid": "db30a9fc-9b1d-40f3-ab90-01f6a3e87fc8", - "link": "https://learn.microsoft.com/azure/architecture/framework/cost/design-checklist", + "category": "Identity and Access Management", + "checklist": "Azure API Management Review", + "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", + "service": "APIM", "services": [ - "Cost" + "Entra", + "APIM" ], "severity": "Medium", - "subcategory": "Cost Optimization", - "text": "Review the Azure Well-Architected Operational Excellence checklist, which is applicable to all workloads.", - "waf": "Cost" + "subcategory": "Privileged access", + "text": "Create appropriate groups to control the visibility of the products", + "waf": "Security" }, { - "category": "Cost Optimization", - "checklist": "Multitenant architecture", - "guid": "8533af39-52f6-45b6-a9c3-81b2a54a31e0", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/measure-consumption", + "category": 
"Management", + "checklist": "Azure API Management Review", + "guid": "06862505-2d9a-4874-9491-2837b00a3475", + "link": "https://learn.microsoft.com/azure/api-management/backends", + "service": "APIM", "services": [ - "Cost" + "APIM" ], - "severity": "High", - "subcategory": "Cost Optimization", - "text": "Ensure you can adequately measure per-tenant consumption and correlate it with your infrastructure costs.", - "waf": "Cost" + "severity": "Medium", + "subcategory": "Best practices", + "text": "Use Backends feature to eliminate redundant API backend configurations", + "waf": "Operations" }, { - "category": "Cost Optimization", - "checklist": "Multitenant architecture", - "guid": "c851fd44-7cf1-459c-95a4-f6455d75a981", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/cost-management-allocation", + "category": "Management", + "checklist": "Azure API Management Review", + "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", + "service": "APIM", "services": [ - "Cost", - "Monitor" + "APIM", + "AzurePolicy" ], "severity": "Medium", - "subcategory": "Cost Optimization", - "text": "Avoid antipatterns. 
Antipatterns include failing to track costs, tracking costs with unnecessary precision, real-time measurement, and using monitoring tools for billing.", - "waf": "Cost" - }, - { - "category": "Operational Excellence", - "checklist": "Multitenant architecture", - "guid": "0d475a5a-2c0f-47ab-b1e1-701da68d3407", - "link": "https://learn.microsoft.com/azure/architecture/checklist/data-ops", - "services": [], - "severity": "High", - "subcategory": "Operational Excellence", - "text": "Review the Azure Well-Architected Operational Excellence checklist, which is applicable to all workloads.", + "subcategory": "Best practices", + "text": "Use Named Values to store common values that can be used in policies", "waf": "Operations" }, { - "category": "Operational Excellence", - "checklist": "Multitenant architecture", - "guid": "9f7fa7a9-47fc-4f04-81f6-9f9e87571ed3", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenant-lifecycle", - "services": [], + "category": "Management", + "checklist": "Azure API Management Review", + "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", + "service": "APIM", + "services": [ + "ASR", + "ACR", + "APIM" + ], "severity": "Medium", - "subcategory": "Operational Excellence", - "text": "Use automation to manage the tenant lifecycle, such as onboarding, deployment, provisioning, and configuration.", - "waf": "Operations" + "subcategory": "Business continuity and disaster recovery", + "text": "For DR, leverage the premium tier with deployments scaled across two or more regions for 99.99% SLA", + "waf": "Reliability" }, { - "category": "Operational Excellence", - "checklist": "Multitenant architecture", - "guid": "e0bfceed-4f4e-492d-b9f5-898815faa363", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/updates", - "services": [], + "category": "Management", + 
"checklist": "Azure API Management Review", + "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", + "link": "https://learn.microsoft.com/azure/api-management/high-availability", + "service": "APIM", + "services": [ + "ASR", + "APIM" + ], "severity": "Medium", - "subcategory": "Operational Excellence", - "text": "Find the right balance for deploying service updates. Consider both your tenants' requirements and your own operational requirements.", - "waf": "Operations" + "subcategory": "Business continuity and disaster recovery", + "text": "Deploy at least one unit in two or more availability zones for an increased SLA of 99.99%", + "waf": "Reliability" }, { - "category": "Operational Excellence", - "checklist": "Multitenant architecture", - "guid": "a3f80518-d428-4c02-b2cc-dfaef47db7e2", + "category": "Management", + "checklist": "Azure API Management Review", + "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", + "service": "APIM", "services": [ - "Monitor" + "ASR", + "APIM", + "Backup" ], "severity": "High", - "subcategory": "Operational Excellence", - "text": "Monitor the health of the overall system, as well as each tenant.", - "waf": "Operations" + "subcategory": "Business continuity and disaster recovery", + "text": "Ensure there is an automated backup routine", + "waf": "Reliability" }, { - "category": "Operational Excellence", - "checklist": "Multitenant architecture", - "guid": "dfb42da5-f871-4953-9e5c-da6fda3f1411", + "category": "Management", + "checklist": "Azure API Management Review", + "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", + "link": "https://learn.microsoft.com/azure/api-management/retry-policy", + "service": "APIM", "services": [ - "Monitor" + "APIM", + "AzurePolicy" ], "severity": "Medium", - "subcategory": "Operational 
Excellence", - "text": "Configure and test alerts to notify you when specific tenants are experiencing issues or are exceeding their consumption limits.", - "waf": "Operations" + "subcategory": "Failover and Caching", + "text": "Use Policies to add a fail-over backend URL and caching to reduce failing calls.", + "waf": "Reliability" }, { - "category": "Operational Excellence", - "checklist": "Multitenant architecture", - "guid": "c0c72a1b-e34d-4b3d-b808-2e49f51ce47e", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization", - "services": [], - "severity": "High", - "subcategory": "Operational Excellence", - "text": "Organize your Azure resources for isolation and scale.", + "category": "Management", + "checklist": "Azure API Management Review", + "guid": "f96ddac5-77ec-4fa9-8833-4327f052059e", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-cache-external", + "services": [ + "APIM", + "AzurePolicy" + ], + "severity": "Medium", + "subcategory": "Performance and scalability", + "text": "Consider using a external cache policy for APIs that can benefit from caching", + "training": "https://learn.microsoft.com/training/modules/improve-api-performance-with-apim-caching-policy/" + }, + { + "category": "Management", + "checklist": "Azure API Management Review", + "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", + "service": "APIM", + "services": [ + "EventHubs", + "APIM", + "AzurePolicy" + ], + "severity": "Low", + "subcategory": "Performance and scalability", + "text": "If you need to log at high performance levels, consider Event Hubs policy", "waf": "Operations" }, { - "category": "Operational Excellence", - "checklist": "Multitenant architecture", - "guid": "c5c5e22d-4b51-4cac-a980-f7aac1a4b427", - "link": 
"https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/deployment-configuration", - "services": [], + "category": "Management", + "checklist": "Azure API Management Review", + "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", + "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", + "service": "APIM", + "services": [ + "APIM", + "AzurePolicy" + ], "severity": "Medium", - "subcategory": "Operational Excellence", - "text": "Avoid deployment and configuration antipatterns. Antipatterns include running separate versions of the solution for each tenant, hardcoding tenant-specific configurations or logic, and manual deployments.", - "waf": "Operations" + "subcategory": "Performance and scalability", + "text": "Apply throttling policies to control the number of requests per second", + "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", + "waf": "Performance" }, { - "category": "Performance Efficiency", - "checklist": "Multitenant architecture", - "guid": "f0b1fbd8-689c-4ab3-be1d-ad7607d2fbfd", - "link": "https://learn.microsoft.com/azure/architecture/framework/scalability/performance-efficiency", - "services": [], - "severity": "High", - "subcategory": "Performance Efficiency", - "text": "Review the Azure Well-Architected Performance Efficiency checklist, which is applicable to all workloads.", + "category": "Management", + "checklist": "Azure API Management Review", + "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", + "service": "APIM", + "services": [ + "APIM" + ], + "severity": "Medium", + "subcategory": "Performance and scalability", + "text": "Configure autoscaling to scale out the number of instances when the load increases", "waf": "Performance" }, { - "category": "Performance Efficiency", - "checklist": "Multitenant architecture", - "guid": 
"18911c4c-934c-49a8-839a-60c092afce30", - "link": "https://learn.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor", - "services": [], - "severity": "High", - "subcategory": "Performance Efficiency", - "text": "If you use shared infrastructure, plan for how you'll mitigate Noisy Neighbor concerns. Ensure that one tenant can't reduce the performance of the system for other tenants.", + "category": "Management", + "checklist": "Azure API Management Review", + "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", + "service": "APIM", + "services": [ + "APIM" + ], + "severity": "Medium", + "subcategory": "Performance and scalability", + "text": "Deploy self-hosted gateways where Azure doesn't have a region close to the backend APIs.", "waf": "Performance" }, { - "category": "Performance Efficiency", - "checklist": "Multitenant architecture", - "guid": "6acf7eb5-24a3-47c7-ae87-1196cd96048e", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute", + "category": "Management", + "checklist": "Azure API Management Review", + "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", + "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", + "service": "APIM", "services": [ - "Storage" + "APIM" ], "severity": "Medium", - "subcategory": "Performance Efficiency", - "text": "Determine how you'll scale your compute, storage, networking, and other Azure resources to match the demands of your tenants.", - "waf": "Performance" + "subcategory": "Premium Tier", + "text": "Use the premium tier for production workloads.", + "waf": "Reliability" }, { - "category": "Performance Efficiency", - "checklist": "Multitenant architecture", - "guid": "ea55400d-f97d-45aa-b71b-34224bf91ed4", - "link": 
"https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization", - "services": [], - "severity": "High", - "subcategory": "Performance Efficiency", - "text": "Consider each Azure resource's scale limits. Organize your resources appropriately, in order to avoid resource organization antipatterns. For example, don't over-architect your solution to work within unrealistic scale requirements.", - "waf": "Performance" + "category": "Management", + "checklist": "Azure API Management Review", + "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", + "service": "APIM", + "services": [ + "APIM", + "AzurePolicy" + ], + "severity": "Medium", + "subcategory": "Request Routing", + "text": "In multi-region model, use Policies to route the requests to regional backends based on availability or latency.", + "waf": "Reliability" }, { - "category": "Foundation", - "checklist": "Azure Arc Review", - "description": "Define a resource group structure for placement of Azure Arc-enabled servers resources", - "guid": "585e1112-9bd7-4ba0-82f7-b94ef6e043d2", + "category": "Management", + "checklist": "Azure API Management Review", + "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", + "service": "APIM", "services": [ - "Arc" + "Entra", + "APIM" ], "severity": "High", - "subcategory": "Capacity Planning", - "text": "One or more resource groups is required for onboarding servers into Azure", - "waf": "Operations" + "subcategory": "Resource Limits", + "text": "Be aware of APIM's limits", + "waf": "Reliability" }, { - "category": "Foundation", - "checklist": "Azure Arc Review", - "guid": "aa359271-8e6e-4205-8725-769e46691e88", - "link": 
"https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-subscription-and-service-limits", + "category": "Management", + "checklist": "Azure API Management Review", + "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", + "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", + "service": "APIM", "services": [ - "Arc", - "Entra" + "APIM" ], - "severity": "Medium", - "subcategory": "Capacity Planning", - "text": "Take Azure Active Directory object limitations into account", - "waf": "Performance" + "severity": "High", + "subcategory": "Self-Hosted", + "text": "Ensure that the self-hosted gateway deployments are resilient.", + "waf": "Reliability" }, { - "category": "Foundation", - "checklist": "Azure Arc Review", - "description": "The following resource providers needs to be registered: Microsoft.HybridCompute, Microsoft.GuestConfiguration, Microsoft.HybridConnectivity", - "guid": "deace4bb-1deb-44c6-9fc3-fc14eeaa3692", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-resource-providers", + "category": "Network Topology and Connectivity", + "checklist": "Azure API Management Review", + "guid": "7519e385-a88b-4d34-966b-6269d686e890", + "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", + "service": "APIM", "services": [ - "Arc", - "Subscriptions" + "Entra", + "APIM", + "FrontDoor" ], - "severity": "High", - "subcategory": "General", - "text": "Has the Resource providers required been registered in all subscriptions", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Connectivity", + "text": "Use Azure Front Door in front of APIM for multi-region deployment", + "waf": "Performance" }, { - "category": "Foundation", - "checklist": "Azure Arc Review", - "description": "Aligning with an existing or creating an Azure tagging strategy is recommended. Resource tags allow you to quickly locate it, automate operational tasks amd more. 
", - "guid": "c6d37331-65c7-4acb-b44b-be609d79f2e8", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/", + "category": "Network Topology and Connectivity", + "checklist": "Azure API Management Review", + "guid": "cd45c90e-7690-4753-930b-bf290c69c074", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", + "service": "APIM", "services": [ - "Arc" + "VNet", + "APIM" ], - "severity": "Low", - "subcategory": "General", - "text": "Has a tagging strategy for Azure Arc-enabled servers been defined", - "waf": "Cost" + "severity": "Medium", + "subcategory": "Security", + "text": "Deploy the service within a Virtual Network (VNet)", + "waf": "Security" }, { - "category": "Foundation", - "checklist": "Azure Arc Review", - "description": "Installation of the connected machine agent is supported on most newer Windows and Linux operative systems, review the link to se the latest list", - "guid": "7778424c-5167-475c-9fa9-5b96ad88408e", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#supported-operating-systems", + "category": "Network Topology and Connectivity", + "checklist": "Azure API Management Review", + "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", + "service": "APIM", "services": [ - "Arc" + "VNet", + "Entra", + "Monitor", + "APIM" ], - "severity": "High", - "subcategory": "General", - "text": "What operating systems need to be Azure Arc-enabled", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Security", + "text": "Deploy network security groups (NSG) to your subnets to restrict or 
monitor traffic to/from APIM.", + "waf": "Security" }, { - "category": "Foundation", - "checklist": "Azure Arc Review", - "description": "There are software requirements to the agent installation. Some might require a system reboot after installation, review to link", - "guid": "372734b8-76ba-428f-8145-901365d38e53", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#software-requirements", + "category": "Network Topology and Connectivity", + "checklist": "Azure API Management Review", + "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", + "service": "APIM", "services": [ - "Arc" + "VNet", + "Entra", + "APIM", + "PrivateLink" ], - "severity": "High", - "subcategory": "General", - "text": "Are required software installed on Windows and Linux servers to support the installation", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Security", + "text": "Deploy Private Endpoints to filter incoming traffic when APIM is not deployed to a VNet.", + "waf": "Security" }, { - "category": "Foundation", - "checklist": "Azure Arc Review", - "guid": "d44c7c89-19ca-41f6-b521-5ae514ba34d4", - "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=azure-arc®ions=all", + "category": "Network Topology and Connectivity", + "checklist": "Azure API Management Review", + "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", + "service": "APIM", "services": [ - "Arc" + "APIM" ], "severity": "High", - "subcategory": "General", - "text": "Make sure to use a supported Azure region", - "waf": 
"Reliability" + "subcategory": "Security", + "text": "Disable Public Network Access", + "waf": "Security" }, { - "category": "Foundation", - "checklist": "Azure Arc Review", - "description": "The scope include organization into management groups, subscriptions, and resource groups.", - "guid": "f9ccbd86-8266-4abc-a264-f9a19bf39d95", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/organize-inventory-servers#organize-resources-with-built-in-azure-hierarchies", + "category": "Platform automation and DevOps", + "checklist": "Azure API Management Review", + "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", + "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", + "service": "APIM", "services": [ - "Arc", - "Subscriptions" + "APIM" ], - "severity": "Low", - "subcategory": "Organization", - "text": "Define the structure for Azure management of resources", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Automation", + "text": "Simplify management with PowerShell automation scripts", + "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure Arc Review", - "description": "Define RBAC rules to the servers / resource groups as required for servers management, the 'Azure Connected Machine Resource Administrator' or 'Hybrid Server Resource Administrator' role would be sufficient for management of the Azure Arc-enabled servers resources in Azure", - "guid": "9bf39d95-d44c-47c8-a19c-a1f6d5215ae5", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#identity-and-access-control", + "category": "Platform automation and DevOps", + "checklist": "Azure API Management Review", + "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", + "service": "APIM", "services": [ - "Arc", "Entra", - "RBAC" + "APIM" ], "severity": 
"Medium", - "subcategory": "Access", - "text": "Assign RBAC rights to Azure AD user/group access for managing Azure Arc-enabled servers", - "waf": "Security" + "subcategory": "Best practices", + "text": "Configure APIM via Infrastructure-as-code. Review DevOps best practices from the Cloud Adaption Framework APIM Landing Zone Accelerator", + "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure Arc Review", - "guid": "14ba34d4-585e-4111-89bd-7ba012f7b94e", - "link": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad", + "category": "Platform automation and DevOps", + "checklist": "Azure API Management Review", + "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", + "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", + "service": "APIM", "services": [ - "Arc", "Entra", - "AKV" + "APIM" ], - "severity": "Low", - "subcategory": "Access", - "text": "Consider using managed identities for applications to access Azure resources like Key Vault example in link", - "waf": "Security" + "severity": "Medium", + "subcategory": "Best practices", + "text": "Promote usage of Visual Studio Code APIM extension for faster API development", + "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure Arc Review", - "description": "An Azure subscription must be parented to the same Azure AD tenant", - "guid": "35ac9322-23e1-4380-8523-081a94174158", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-subscription-and-service-limits", + "category": "Platform automation and DevOps", + "checklist": "Azure API Management Review", + "guid": "354f1c03-8112-4965-85ad-c0074bddf231", + "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", + "service": "APIM", "services": [ - "Arc", - "Entra", - "Subscriptions" + "APIM" ], - "severity": "High", - "subcategory": "Requirements", - "text": "An Azure 
Active Directory tenant must be available with at least one subscription", + "severity": "Medium", + "subcategory": "DevOps", + "text": "Implement DevOps and CI/CD in your workflow", "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure Arc Review", - "description": "Users (or SPs) need the 'Azure Connected Machine Onboarding' or 'Contributor' role to onboarding of servers", - "guid": "33ee7ad6-c6d3-4733-865c-7acbe44bbe60", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#required-permissions", + "category": "Security", + "checklist": "Azure API Management Review", + "guid": "b6439493-426a-45f3-9697-cf65baee208d", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", + "service": "APIM", "services": [ - "Arc", - "Entra", - "RBAC" + "APIM" ], "severity": "Medium", - "subcategory": "Requirements", - "text": "Define which users (AAD user/groups) has access to onboard Azure Arc-enabled servers", + "subcategory": "APIs", + "text": "Secure APIs using client certificate authentication", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Arc Review", - "description": "Ensure to only add the rights to users or groups that is required to perform their role", - "guid": "9d79f2e8-7778-4424-a516-775c6fa95b96", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale", + "category": "Security", + "checklist": "Azure API Management Review", + "guid": "2a67d143-1033-4c0a-8732-680896478f08", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", + "service": "APIM", "services": [ - "Arc", - "Entra", - "RBAC" + "APIM" ], "severity": "Medium", - "subcategory": "Security", - "text": "Use the principle of least privileged", + "subcategory": "APIs", + "text": "Secure backend services using client certificate authentication", "waf": 
"Security" }, { - "category": "Identity", - "checklist": "Azure Arc Review", - "description": "A service principle with the 'Azure Connected Machine Onboarding' role is required for at-scale onboarding of servers, consider more SP's if onboarding is done by different teams/decentralized management", - "guid": "ad88408e-3727-434b-a76b-a28f21459013", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale", + "category": "Security", + "checklist": "Azure API Management Review", + "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", + "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", + "service": "APIM", "services": [ - "Arc", - "Entra", - "RBAC" + "APIM" ], "severity": "Medium", - "subcategory": "Security", - "text": "How many Service Principals are needed for onboarding Arc-enabled servers into Azure", + "subcategory": "APIs", + "text": "Review 'Recommendations to mitigate OWASP API Security Top 10 threats' article and check what is applicable to your APIs", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Arc Review", - "description": "Consider assigning the rights for the 'Azure Connected Machine Onboarding' role at the resource group level, to control the resource creation", - "guid": "65d38e53-f9cc-4bd8-9826-6abca264f9a1", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#required-permissions", + "category": "Security", + "checklist": "Azure API Management Review", + "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", + "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", + "service": "APIM", "services": [ - "Arc", - "Entra", - "RBAC" + "APIM" ], "severity": "Medium", - "subcategory": "Security", - "text": "Limit the rights to onboard Azure Arc-enabled servers to the desired resource groups", + "subcategory": "APIs", + "text": "Use Authorizations feature to simplify 
management of OAuth 2.0 token for your backend APIs", "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "Azure Arc Review", - "description": "Plan for agent deployments at scale", - "guid": "6ee79d6b-5c2a-4364-a4b6-9bad38aad53c", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment", + "category": "Security", + "checklist": "Azure API Management Review", + "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", + "service": "APIM", "services": [ - "Arc", - "Monitor" + "APIM" ], - "severity": "Medium", - "subcategory": "Management", - "text": "Define a strategy for agent provisioning", - "waf": "Operations" + "severity": "High", + "subcategory": "Ciphers", + "text": "Use the latest TLS version when encrypting information in transit. Disable outdated and unnecessary protocols and ciphers when possible.", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "Azure Arc Review", - "description": "Use Microsoft Update to ensure that the connected machine agent is always up-to-date", - "guid": "c78e1d76-6673-457c-9496-74c5ed85b859", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-agent#upgrade-the-agent", + "category": "Security", + "checklist": "Azure API Management Review", + "guid": "f8af3d94-1d2b-4070-846f-849197524258", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", + "service": "APIM", "services": [ - "Arc", - "Monitor" + "APIM", + "AKV" ], "severity": "High", - "subcategory": "Management", - "text": "Define a strategy for agent updates", - "waf": "Operations" + "subcategory": "Data protection", + "text": "Ensure that secrets (Named values) are stored an 
Azure Key Vault so they can be securely accessed and updated", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "Azure Arc Review", - "description": "Recommendation is to use Azure Policy, or another automation tool like Azure DevOps - important is to avoid configuration drift.", - "guid": "c7733be2-a1a2-47b7-95a9-1be1f388ff39", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-vm-extensions", + "category": "Security", + "checklist": "Azure API Management Review", + "guid": "791abd8b-7706-4e31-9569-afefde724be3", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", + "service": "APIM", "services": [ - "Arc", - "AzurePolicy", - "Monitor" + "Entra", + "APIM" ], "severity": "Medium", - "subcategory": "Management", - "text": "Define a strategy for extension installation", - "waf": "Operations" + "subcategory": "Identities", + "text": "Use managed identities to authenticate to other Azure resources whenever possible", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "Azure Arc Review", - "description": "Use automatic upgrades where available and define an update strategy for all extensions not supporting automatic upgrades.", - "guid": "4c2bd463-cbbb-4c86-a195-abb91a4ed90d", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-automatic-vm-extension-upgrade?tabs=azure-portal", + "category": "Security", + "checklist": "Azure API Management Review", + "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", + "service": "APIM", "services": [ - "Arc", - "Monitor" + "Entra", + "APIM", + "WAF", 
+ "AppGW" ], "severity": "High", - "subcategory": "Management", - "text": "Define a strategy for extension updates", - "waf": "Operations" + "subcategory": "Network", + "text": "Use web application firewall (WAF) by deploying Application Gateway in front of APIM", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "Azure Arc Review", - "description": "Azure Automanage help implement Microsoft best-practices for servers management in Azure", - "guid": "7a927c39-74d1-4102-aac6-aae01e6a84de", - "link": "https://learn.microsoft.com/azure/automanage/automanage-arc", + "category": "Storage", + "checklist": "Azure Stack HCI Review", + "guid": "9f519499-5820-4060-88fe-cab4538c9dd0", + "link": "https://learn.microsoft.com/windows-server/storage/storage-spaces/storage-spaces-direct-hardware-requirements", "services": [ - "Arc", - "Monitor" + "Storage" ], "severity": "Medium", - "subcategory": "Management", - "text": "Consider using Azure Automanage to control settings and avoid configuration drift on servers", - "waf": "Operations" + "subcategory": "Physical", + "text": "All planned storage pools should use direct-attached storage (SATA, SAS, NVMe)", + "waf": "Performance" }, { - "category": "Management and Monitoring", - "checklist": "Azure Arc Review", - "guid": "37b6b780-cbaf-4e6c-9658-9d457a927c39", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment#phase-3-manage-and-operate", + "category": "Storage", + "checklist": "Azure Stack HCI Review", + "guid": "f7c015e0-7d97-4283-b006-567afeb2b5ca", + "link": "https://learn.microsoft.com/azure-stack/hci/concepts/drive-symmetry-considerations#understand-capacity-imbalance", "services": [ - "Arc", - "Monitor" + "Storage", + "ACR" ], - "severity": "High", - "subcategory": "Monitoring", - "text": "Monitor for unresponsive agents", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Physical", + "text": "Disks are symmetrical across all nodes", + "waf": 
"Performance" }, { - "category": "Management and Monitoring", - "checklist": "Azure Arc Review", - "guid": "74d1102c-ac6a-4ae0-8e6a-84de5df47d2d", - "link": "https://learn.microsoft.com/azure/azure-monitor/agents/log-analytics-agent#data-collected", + "category": "Storage", + "checklist": "Azure Stack HCI Review", + "guid": "f785b143-2c1e-4466-9baa-dde8ba4c7aaa", + "link": "https://learn.microsoft.com/azure-stack/hci/concepts/fault-tolerance#parity", "services": [ - "Arc", - "Monitor" + "Storage", + "Backup" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Design a monitoring strategy to send metrics and logs to an Log Analytics workspace", - "waf": "Operations" + "subcategory": "S2D", + "text": "Parity type disk redundancy should only be used for low I/O volumes (backup/archive)", + "waf": "Performance" }, { - "category": "Management and Monitoring", - "checklist": "Azure Arc Review", - "guid": "92881b1c-d5d1-4e54-a296-59e3958fd782", - "link": "https://learn.microsoft.com/azure/service-health/resource-health-alert-monitor-guide", + "category": "Storage", + "checklist": "Azure Stack HCI Review", + "guid": "8a705965-9840-43cc-93b3-06d089406bb4", + "link": "https://learn.microsoft.com/windows-server/storage/storage-spaces/storage-spaces-direct-hardware-requirements#physical-deployments", + "services": [ + "Storage" + ], + "severity": "Medium", + "subcategory": "S2D", + "text": "Ensure there at least 2 capacity disks with available capacity in the Storage Pool", + "waf": "Reliability" + }, + { + "category": "Storage", + "checklist": "Azure Stack HCI Review", + "guid": "2a4f629a-d623-4610-a8e3-d6fd66057d8e", + "link": "https://learn.microsoft.com/windows-server/storage/storage-spaces/delimit-volume-allocation", + "services": [ + "Storage" + ], + "severity": "Low", + "subcategory": "S2D", + "text": "'Delimited allocation' has been considered to improve volume resiliency in a multi-node failure", + "waf": "Reliability" + }, + { + "category": "Storage", 
+ "checklist": "Azure Stack HCI Review", + "guid": "960eb9be-1f0f-4fc1-9b31-fcf1cf9e34e6", + "link": "https://learn.microsoft.com/azure-stack/hci/concepts/plan-volumes#choosing-how-many-volumes-to-create", "services": [ - "Arc", - "Monitor" + "Storage" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Use notification in Activity logs to receive notification on unexpected changes to the resources", - "waf": "Operations" + "subcategory": "S2D", + "text": "CSVs are created in multiples of node count", + "waf": "Performance" }, { - "category": "Management and Monitoring", - "checklist": "Azure Arc Review", - "guid": "89c93555-6d02-4bfe-9564-b0d834a34872", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/learn/tutorial-enable-vm-insights", + "category": "Storage", + "checklist": "Azure Stack HCI Review", + "guid": "859ba2b9-a3a8-4ca1-bb61-165effbf1c03", + "link": "https://learn.microsoft.com/azure-stack/hci/concepts/cache", "services": [ - "Arc", - "Monitor" + "Storage" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Use Azure Monitor for compliance and operational monitoring", - "waf": "Operations" + "subcategory": "S2D", + "text": "If a cache tier is implemented, the number of capacity drives is a multiple of the number of cache drives", + "waf": "Performance" }, { - "category": "Management and Monitoring", - "checklist": "Azure Arc Review", - "guid": "5df47d2d-9288-41b1-ad5d-1e54a29659e3", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment#phase-3-manage-and-operate", + "category": "Storage", + "checklist": "Azure Stack HCI Review", + "guid": "d8a65f05-db06-461d-81dc-7899ad3f8f1e", + "link": "https://learn.microsoft.com/azure-stack/hci/concepts/plan-volumes#reserve-capacity", "services": [ - "Arc", - "Monitor" + "Storage" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Create an alert to identify Azure Arc-enabled servers that aren't using the latest version of 
the Azure connected machine agent", - "waf": "Operations" + "subcategory": "S2D", + "text": "A minimum of 1 type of each disk type per node has been factored as a reserve disk", + "waf": "Reliability" }, { - "category": "Management and Monitoring", - "checklist": "Azure Arc Review", - "description": "Use Update Management in Azure Automation or the new Update Management Center (preview) functionality to ensure update management of servers", - "guid": "ae2cc84c-37b6-4b78-8cba-fe6c46589d45", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/hybrid/server/best-practices/arc-update-management", + "category": "Storage", + "checklist": "Azure Stack HCI Review", + "description": "VMFleet is a tool that can be used to measure the performance of a storage subsystem, best used to baseline performance prior to workload deployment", + "guid": "9d138f1d-5363-476e-bbd7-acfa500bdc0c", + "link": "https://github.com/microsoft/diskspd/wiki/VMFleet", "services": [ - "Arc", - "Monitor" + "Storage" ], "severity": "Low", - "subcategory": "Security", - "text": "Use Azure Arc-enabled servers to control software updates deployments to servers", - "waf": "Operations" + "subcategory": "S2D", + "text": "VMFleet has been run prior to workload deployment to baseline storage performance", + "waf": "Performance" }, { - "category": "Networking", - "checklist": "Azure Arc Review", - "description": "The Connected Machine Agent will by default communicate with Azure services over public Internet connectivity using HTTPS (TCP port 443)", - "guid": "f6e043d2-aa35-4927-88e6-e2050725769e", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#details", + "category": "Storage", + "checklist": "Azure Stack HCI Review", + "guid": "13c12e2a-c938-4dd1-9223-507d5e17f9c5", "services": [ - "Arc" + "Storage" ], - "severity": "High", - "subcategory": "Networking", - "text": "Define a connectivity method from the server to Azure", - "waf": 
"Operations" + "severity": "Medium", + "subcategory": "Host OS", + "text": "OS drives use a dedicated storage controller", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure Arc Review", - "description": "The Connected Machine Agent can be configured to use a proxy server, it is recommended to define the proxy server address using 'azcmagent config set proxy.url' command on the local system.", - "guid": "46691e88-35ac-4932-823e-13800523081a", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-agent#update-or-remove-proxy-settings", + "category": "Storage", + "checklist": "Azure Stack HCI Review", + "guid": "a631e7dc-8879-45bd-b0a7-e5927b805428", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/use-csv-cache", "services": [ - "Arc" + "Storage" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Is a proxy server a required for communication over the Public Internet", - "waf": "Operations" + "subcategory": "Host OS", + "text": "CSV in-memory read caching is enabled and properly configured", + "waf": "Performance" }, { "category": "Networking", - "checklist": "Azure Arc Review", - "description": "The Connected Machine Agent can use a Private Link for communication with Azure Services over an existing ExpressRoute or VPN connection", - "guid": "94174158-33ee-47ad-9c6d-3733165c7acb", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/private-link-security", + "checklist": "Azure Stack HCI Review", + "guid": "c062cd9a-f1db-4f83-aab3-9cb03f56c140", + "link": "https://learn.microsoft.com/azure-stack/hci/concepts/host-network-requirements#switch-embedded-teaming-set", "services": [ - "Arc", - "ExpressRoute", - "PrivateLink", - "VPN" + "ACR" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Is a private (not public Internet) connection required?", - "waf": "Operations" + "subcategory": "Host", + "text": "NICs are symmetrical across nodes", + "waf": "Reliability" }, { 
"category": "Networking", - "checklist": "Azure Arc Review", - "description": "Firewall configuration might be required for the agent to communicate with Azure, use the link to see ServiceTags and/or URL's required", - "guid": "e44bbe60-9d79-4f2e-a777-8424c516775c", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#service-tags", + "checklist": "Azure Stack HCI Review", + "guid": "ea8054db-a558-4533-80c8-5d9cf447ba19", "services": [ - "Arc" + "Storage" ], "severity": "High", - "subcategory": "Networking", - "text": "Will Firewall configurations be needed in order to ensure communication with Azure Services?", - "waf": "Security" + "subcategory": "Host", + "text": "Storage networking is redundant", + "waf": "Reliability" }, { "category": "Networking", - "checklist": "Azure Arc Review", - "description": "Use available automation tool for the system in question to regularly update the Azure endpoints", - "guid": "6fa95b96-ad88-4408-b372-734b876ba28f", - "link": "https://www.microsoft.com/download/details.aspx?id=56519", - "services": [ - "Arc" - ], - "severity": "Low", - "subcategory": "Networking", - "text": "Can the Firewall or Proxy rules be automated updated if Service Tags or IP addresses change", - "waf": "Security" + "checklist": "Azure Stack HCI Review", + "guid": "15d976c5-e267-49a1-8b00-62010bfa5188", + "link": "https://learn.microsoft.com/azure-stack/hci/deploy/network-atc", + "services": [], + "severity": "Medium", + "subcategory": "Host", + "text": "Host networking configuration is managed by Network ATC and intents are healthy", + "waf": "Reliability" }, { "category": "Networking", - "checklist": "Azure Arc Review", - "description": "Configure Servers to use Transport Layer Security (TLS) version 1.2", - "guid": "21459013-65d3-48e5-9f9c-cbd868266abc", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#transport-layer-security-12-protocol", - "services": [ 
- "Arc" - ], - "severity": "High", - "subcategory": "Networking", - "text": "Always use secure communication for Azure where possible", - "waf": "Security" + "checklist": "Azure Stack HCI Review", + "guid": "676c53ad-b29a-4de1-9d03-d7d2674405b8", + "link": "https://learn.microsoft.com/azure-stack/hci/concepts/network-hud-overview", + "services": [], + "severity": "Low", + "subcategory": "Host", + "text": "Network HUD has been configured", + "waf": "Reliability" }, { "category": "Networking", - "checklist": "Azure Arc Review", - "description": "All extensions (like log analytics etc.) have separate network requirements, be sure to include all in the network design.", - "guid": "a264f9a1-9bf3-49d9-9d44-c7c8919ca1f6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/hybrid/arc-enabled-servers/eslz-arc-servers-connectivity#define-extensions-connectivity-method", + "checklist": "Azure Stack HCI Review", + "guid": "8f6d58d9-6c1a-4ec1-b2d7-b2c6ba8f3949", + "link": "https://learn.microsoft.com/azure-stack/hci/concepts/host-network-requirements", "services": [ - "Arc", - "PrivateLink", - "Monitor" + "Storage", + "VNet" ], - "severity": "Low", - "subcategory": "Networking", - "text": "Include communication for Azure Arc-enabled Servers extensions in the design (firewall/proxy/private link)", - "waf": "Security" + "severity": "Medium", + "subcategory": "Host", + "text": "Storage NICs are assigned static IP addresses on separate subnets and VLANs", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": "ac6aae01-e6a8-44de-9df4-7d2d92881b1c", - "link": "https://learn.microsoft.com/azure/governance/policy/", - "services": [ - "Arc", - "AzurePolicy" - ], + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "guid": "824e53ec-953e-40c2-a6b8-52970b5b0f74", + "link": "https://learn.microsoft.com/azure-stack/hci/plan/two-node-switched-converged", + "services": [], 
"severity": "Medium", - "subcategory": "Management", - "text": "Use Azure Policy to implement a governance model for hybrid connected servers", - "waf": "Security" + "subcategory": "Host", + "text": "For switchless designs, dual link full mesh connectivity has been implemented", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": "5c2a3649-4b69-4bad-98aa-d53cc78e1d76", - "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "guid": "dbc85d0e-0ebd-4589-a789-0fa8ceb1d0f0", + "link": "https://learn.microsoft.com/azure-stack/hci/concepts/physical-network-requirements#using-switchless", "services": [ - "Arc" + "Storage" ], "severity": "Medium", - "subcategory": "Management", - "text": "Consider using Machine configurations for in guest OS configurations", - "waf": "Operations" + "subcategory": "Host", + "text": "If the cluster is made up of more than 3 nodes, a switched storage network has been implemented", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": "667357c4-4967-44c5-bd85-b859c7733be2", - "link": "https://learn.microsoft.com/azure/governance/machine-configuration/machine-configuration-create", + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "guid": "603c6d71-59d2-419c-a312-8edc6e799c6a", "services": [ - "Arc", - "AzurePolicy" + "Storage" ], - "severity": "Medium", - "subcategory": "Management", - "text": "Evaluate the need for custom Guest Configuration policies", - "waf": "Operations" + "severity": "High", + "subcategory": "Host", + "text": "RDMA is enabled on the Storage networking", + "waf": "Performance" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": "49674c5e-d85b-4859-a773-3be2a1a27b77", - "link": 
"https://learn.microsoft.com/azure/automation/change-tracking/overview", - "services": [ - "Arc", - "Monitor" - ], + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "guid": "9e260eae-bca1-4827-a259-76ee63fda8d6", + "link": "https://github.com/microsoft/SDN/blob/master/Diagnostics/Test-Rdma.ps1", + "services": [], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Consider using change tracking for tracking changes made on the servers", - "waf": "Operations" + "subcategory": "Host", + "text": "Test-RDMA.ps1 has been run to validate the RDMA configuration", + "waf": "Performance" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": "d5d1e54a-2965-49e3-a58f-d78289c93555", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/data-residency", + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "description": "This ensures that Management traffic is not exposed to the VM traffic", + "guid": "abc85d0e-0ebd-4589-a777-0fa8ceb1d0f0", + "link": "", "services": [ - "Arc" + "VM" ], "severity": "Medium", - "subcategory": "Requirements", - "text": "Make sure to use an Azure region for storing the metadata approved by the organization", + "subcategory": "Host", + "text": "If a VMSwitch is shared for Compute and Management traffic, require that Management traffic is tagged with a VLAN ID", "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": "195abb91-a4ed-490d-ae2c-c84c37b6b780", - "link": "https://learn.microsoft.com/azure/key-vault/general/basic-concepts", + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "description": "This ensures you have at least 3 NCs active at all times during NC upgrades.", + "guid": "eb36f5f4-0fa7-4a2c-85f3-1b1c7c7817c0", "services": [ - "Arc", - "AKV" + "VM" ], "severity": "Medium", - "subcategory": "Secrets", - "text": "Use Azure Key Vault for 
certificate management on servers", - "waf": "Security" + "subcategory": "SDN", + "text": "There are at least 3 Network Controller VMs deployed", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "description": "Consider using a short-lived Azure AD service principal client secrets.", - "guid": "6d02bfe4-564b-40d8-94a3-48726ee79d6b", - "link": "https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret", + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "guid": "8bc78c85-6028-4a43-af2d-082a0a344909", + "link": "https://learn.microsoft.com/windows-server/networking/sdn/manage/update-backup-restore", "services": [ - "Arc", - "Entra", - "AKV", - "Storage" + "Backup" ], "severity": "High", - "subcategory": "Secrets", - "text": "What is the acceptable life time of the secret used by SP's", - "waf": "Security" + "subcategory": "SDN", + "text": "Backups of SDN infrastructure are configured and tested", + "waf": "Operations" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "description": "A private key is saved to the disk, ensure this is protected using disk encryption", - "guid": "a1a27b77-5a91-4be1-b388-ff394c2bd463", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#using-disk-encryption", + "category": "Management and Monitoring", + "checklist": "Azure Stack HCI Review", + "guid": "51eaa4b6-b9a7-43e1-a7dc-634d3107bc6d", "services": [ - "Arc", - "AKV" + "Monitor" ], "severity": "Medium", - "subcategory": "Secrets", - "text": "Secure the public key for Azure Arc-enabled Servers", - "waf": "Security" + "subcategory": "Cluster", + "text": "SCOM Managed Instance has been considered for more complex monitoring and alerting scenarios", + "waf": "Operations" }, { - "category": "Security, Governance and Compliance", - "checklist": 
"Azure Arc Review", - "description": "Local administrator is required to install the Connected Machine Agent on Windows and Linux systems", - "guid": "29659e39-58fd-4782-a9c9-35556d02bfe4", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-portal#install-manually", + "category": "Management and Monitoring", + "checklist": "Azure Stack HCI Review", + "guid": "831f5aca-99ef-41e7-8263-9509f5093b43", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/setup-hci-system-alerts", "services": [ - "Arc" + "Monitor" ], "severity": "High", - "subcategory": "Security", - "text": "Ensure there is local administrator access for executing the agent installation", - "waf": "Security" + "subcategory": "Cluster", + "text": "Alerts have been configured for the cluster, either using Azure Monitor, SCOM, or a third-party solution", + "waf": "Operations" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "description": "Members of the local administrator group on Windows and users with root privileges on Linux, have permissions to manage the agent via command line.", - "guid": "564b0d83-4a34-4872-9ee7-9d6b5c2a3649", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#agent-security-and-permissions", + "category": "Management and Monitoring", + "checklist": "Azure Stack HCI Review", + "guid": "f95d0e7e-9f61-476d-bf65-59f2454d1d39", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/monitor-hci-single?tabs=22h2-and-later", "services": [ - "Arc" + "Monitor" ], "severity": "Medium", - "subcategory": "Security", - "text": "Limit the amount of users with local administrator rights to the servers", - "waf": "Security" + "subcategory": "Cluster", + "text": "Insights has been enabled at the cluster level and all nodes are reporting data", + "waf": "Operations" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": 
"4b69bad3-8aad-453c-a78e-1d76667357c4", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/managed-identity-authentication", + "category": "Management and Monitoring", + "checklist": "Azure Stack HCI Review", + "guid": "f4250fcb-ff53-40c9-b304-3560464fd90c", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/monitor-hci-single?tabs=22h2-and-later", "services": [ - "Arc", - "Entra" + "Monitor" ], "severity": "Medium", - "subcategory": "Security", - "text": "Consider using and restricting access to managed identities for applications.", - "waf": "Security" + "subcategory": "Cluster", + "text": "Azure Monitoring Agent has been deployed to hosts and an appropriate Data Collection Rule has been configured", + "waf": "Operations" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "description": "Use Defender for Endpoint or another AV and EDR solution to protect endpoints", - "guid": "5a91be1f-388f-4f39-9c2b-d463cbbbc868", - "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started", + "category": "Management and Monitoring", + "checklist": "Azure Stack HCI Review", + "guid": "6143af1d-0d1a-4163-b1c9-662f7459bb98", "services": [ - "Arc", - "Defender" + "Monitor" ], "severity": "Medium", - "subcategory": "Security", - "text": "Enable Defender for Servers for all servers to secure hybrid workloads from threats", - "waf": "Security" + "subcategory": "Hardware", + "text": "Relevant hardware monitoring has been configured", + "waf": "Operations" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": "cbafe6c4-6589-4d45-9a92-7c3974d1102c", + "category": "Management and Monitoring", + "checklist": "Azure Stack HCI Review", + "guid": "9cbdf225-549a-41cf-9c97-794766a6f2b0", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/health-service-overview", "services": [ - "Arc" + "Monitor" ], "severity": "Medium", - "subcategory": 
"Security", - "text": "Define controls to detect security misconfigurations and track compliance", - "waf": "Security" + "subcategory": "Hardware", + "text": "Relevant hardware alerting has been configured", + "waf": "Operations" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": "cbbbc868-195a-4bb9-8a4e-d90dae2cc84c", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#extension-allowlists-and-blocklists", + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "c0da5bbd-0f0d-4a26-98ec-38c9cc42b323", "services": [ - "Arc" + "VM" ], - "severity": "Medium", - "subcategory": "Security", - "text": "Use allow- or block-lists to control what extensions can be installed on the Azure Arc-enabled servers", - "waf": "Security" + "severity": "Low", + "subcategory": "VM Management - Resource Bridge", + "text": "The Azure CLI has been installed on every node to enable RB management from WAC", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure Data Explorer Review Checklist", - "description": "Using the correct approach to feed a datalake with cold data and having the Kusto query engine at your disposal at the same time, as in the short-term storage", - "guid": "ba7da7be-9951-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export", - "service": "Azure Data Explorer", + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "guid": "a8ecf23c-c048-4fa9-b87b-51ebfb409863", "services": [ - "Cost", - "Storage" + "VM" ], - "subcategory": "Replication", - "text": "Leverage External Tables and Continuous data export overview to reduce costs", - "waf": "Reliability" + "severity": "Low", + "subcategory": "VM Management - Resource Bridge", + "text": "DHCP is available in the cluster to support Guest Configuration at VM deployment from Azure", + "waf": "Operations" }, { 
- "category": "BC and DR", - "checklist": "Azure Data Explorer Review Checklist", - "description": "Azure Data Explorer provides an optional follower capability for a leader cluster to be followed by other follower clusters for read-only access to the leader's data and metadata. Changes in the leader, such as create, append, and drop are automatically synchronized to the follower. While the leaders could span Azure regions, the follower clusters should be hosted in the same region(s) as the leader. If the leader cluster is down or databases or tables are accidentally dropped, the follower clusters will lose access until access is recovered in the leader.", - "guid": "56a22586-f490-4641-addd-ea8a377cdeb3", - "link": "https://learn.microsoft.com/azure/data-explorer/follower?tabs=csharp", - "service": "Azure Data Explorer", + "category": "Backup and Disaster Recovery", + "checklist": "Azure Stack HCI Review", + "guid": "074541e3-fe08-458a-8062-32d13dcc10c6", + "link": "https://learn.microsoft.com/azure/backup/back-up-azure-stack-hyperconverged-infrastructure-virtual-machines", "services": [ - "Storage" + "ASR", + "VM", + "Backup" ], - "subcategory": "Replication", - "text": "To share data, explore Leader-follower cluster configuration", + "severity": "High", + "subcategory": "VM", + "text": "Backups of HCI VMs have been configured using MABS or a third-party solution", + "waf": "Operations" + }, + { + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "48f7ae57-1035-4101-8a38-fbe163d03e8a", + "services": [], + "severity": "High", + "subcategory": "Cluster Configuration", + "text": "Cluster configuration or a configuration script has been documented and maintained", + "waf": "Operations" + }, + { + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "f2a6a19a-ffe6-444d-badb-cb336c8e7b50", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/witness", + "services": [], + "severity": "High", + "subcategory": 
"Cluster Configuration", + "text": "A cluster witness has been configured for clusters with less than 5 nodes", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure Data Explorer Review Checklist", - "description": "Azure Data Explorer doesn't support automatic protection against the outage of an entire Azure region. This disruption can happen during a natural disaster, like an earthquake. If you require a solution for a disaster recovery situation, do the following steps to ensure business continuity. In these steps, you'll replicate your clusters, management, and data ingestion in two Azure paired regions.", - "guid": "861bb2bc-14ae-4a6e-95d8-d9a3adc218e6", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters", - "service": "Azure Data Explorer", + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "a47339fe-62c5-44a0-bb83-3d46ef16292f", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/update-cluster", + "services": [], + "severity": "Medium", + "subcategory": "Cluster Configuration", + "text": "Cluster-Aware Updating has been configured for Windows and hardware updates (if available)", + "waf": "Operations" + }, + { + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "7f1d6fe8-3079-44ea-8ea6-14494d1aa470", + "link": "https://learn.microsoft.com/azure-stack/hci/deploy/validate", + "services": [], + "severity": "High", + "subcategory": "Cluster Configuration", + "text": "Cluster validation has been run against the configured cluster", + "waf": "Reliability" + }, + { + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "81693af0-5638-4aa2-a153-1d6189df30a7", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/azure-benefits", "services": [ - "ASR" + "VM" ], - "subcategory": "Replication", - "text": "To protect against regional failure, create Multiple independent 
clusters, preferably in two Azure Paired regions", + "severity": "Medium", + "subcategory": "Cluster Configuration", + "text": "Azure Benefits has been enabled at the cluster and VM levels", + "waf": "Cost" + }, + { + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "8c967ee8-8170-4537-a28d-33431cd3632a", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/use-environment-checker", + "services": [], + "severity": "Medium", + "subcategory": "Cluster Configuration", + "text": "The Environment Checker module has been run to validate the environment", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "436b0635-cb45-4e57-a603-324ace8cc123", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities", - "service": "Azure Data Explorer", + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "43ffbfab-766e-4950-a102-78b479136e4d", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/azure-benefits", "services": [ - "RBAC", - "Storage" + "AzurePolicy" ], - "subcategory": "Replication", - "text": "Replicate all management activities such as creating new tables or managing user roles on each cluster.", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Cluster Configuration", + "text": "Group Policy inheritance on the HCI cluster and node Active Directory organizational unit has been blocked or applied policies have been evaluated for compatibility issues (usually WinRM and PowerShell execution policy)", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "18ca6017-0265-4f4b-a46a-393af7f31728", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution", - "service": "Azure Data Explorer", + "category": "Operations", + "checklist": "Azure Stack HCI Review", 
+ "guid": "e6a3f3a7-4a7d-49e2-985a-6e39dd284027", "services": [], - "subcategory": "Replication", - "text": "Ingest data into each cluster in parallel", + "severity": "Medium", + "subcategory": "Cluster Configuration", + "text": "WAC is on the latest release and configured to automatically upgrade extensions", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure Data Explorer Review Checklist", - "description": "This configuration is also called 'always-on'. For critical application deployments with no tolerance for outages, you should use multiple Azure Data Explorer clusters across Azure paired regions.", - "guid": "58a9c279-9c42-4bb6-9d0c-65556246b338", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration", - "service": "Azure Data Explorer", + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "guid": "d1caa31f-cc26-42b2-b92f-2b667c0e6020", + "link": "https://learn.microsoft.com/azure/architecture/hybrid/azure-stack-hci-dr", "services": [ - "ACR" + "Entra" ], - "subcategory": "DR Configuration", - "text": "For critical application with no tolerance for outages, create Active-Active-Active (always-on) configuration", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Stretch Clustering", + "text": "There is sub 5ms latency between each site if synchronous replication is being configured AAD", + "waf": "Performance" }, { - "category": "BC and DR", - "checklist": "Azure Data Explorer Review Checklist", - "description": "This configuration is identical to the active-active-active configuration, but only involves two Azure paired regions. Configure dual ingestion, processing, and curation. Users are routed to the nearest region. 
The cluster SKU must be the same across regions.", - "guid": "563a4dc7-4a74-48b6-922a-d190916a6649", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration", - "service": "Azure Data Explorer", + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "guid": "3277558e-3155-4088-b49a-78594cb4ce1a", "services": [ - "ACR" + "Storage", + "VNet" ], - "subcategory": "DR Configuration", - "text": "For critical applications, create Active-Active configuration in two paired regions", + "severity": "High", + "subcategory": "Stretch Clustering", + "text": "Management, Replication and Storage networks excluded from stretched VLANs configurations, are routed, and in different subnets", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure Data Explorer Review Checklist", - "description": "The Active-Hot configuration is similar to the Active-Active configuration in dual ingest, processing, and curation. While the standby cluster is online for ingestion, process, and curation, it isn't available to query. The standby cluster doesn't need to be in the same SKU as the primary cluster. It can be of a smaller SKU and scale, which may result in it being less performant. 
In a disaster scenario, users are redirected to the standby cluster, which can optionally be scaled up to increase performance.", - "guid": "8fadfe27-7de2-483b-8ac3-52baa9b75708", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-hot-standby-configuration", - "service": "Azure Data Explorer", + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "baed6066-8531-44ba-bd94-38cbabbf4099", "services": [], - "subcategory": "DR Configuration", - "text": "For applications, which required only read during failure, create Active-Hot standby configuration", - "waf": "Reliability" + "severity": "High", + "subcategory": "Stretch Clustering", + "text": "There is a plan detailed for site failure and recovery", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure Data Explorer Review Checklist", - "description": "This solution offers the least resiliency (highest RPO and RTO), is the lowest in cost and highest in effort. In this configuration, there's no data recovery cluster. Configure continuous export of curated data (unless raw and intermediate data is also required) to a storage account that is configured GRS (Geo Redundant Storage). A data recovery cluster is spun up if there is a disaster recovery scenario. At that time, DDLs, configuration, policies, and processes are applied. 
Data is ingested from storage with the ingestion property kustoCreationTime to over-ride the ingestion time that defaults to system time.", - "guid": "49aa8092-dc8e-4b9d-8bb7-3b26a5a67eba", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration", - "service": "Azure Data Explorer", + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "guid": "8e62945f-b9ac-4a5c-a4e4-836f527010b4", "services": [ - "Cost", - "AzurePolicy", - "Storage", - "ASR" + "ACR" ], - "subcategory": "DR Configuration", - "text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration", + "severity": "Medium", + "subcategory": "Stretch Clustering", + "text": "Separate vLANs and networks are used for each replication network across both sites", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Azure Data Explorer Review Checklist", - "description": "All database objects, policies, and configurations should be persisted in source control so they can be released to the cluster from your release automation tool.", - "guid": "5a907e1e-348e-4f25-9c27-d32e8bbac757", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "8e62945f-b9ac-4a5c-a4e4-836f527010b5", + "link": "https://learn.microsoft.com/azure/architecture/hybrid/azure-stack-hci-dr#cost-optimization", "services": [ - "AzurePolicy" + "Storage" ], - "subcategory": "IaC", - "text": "Wrap DevOps and source control around all your code", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "1559ab91-53e8-4908-ae28-b84c33b6b780", - "link": 
"https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", - "services": [], - "subcategory": "IaC", - "text": "Design, develop, and implement validation routines to ensure all clusters are in-sync from a data perspective.", - "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", + "severity": "High", + "subcategory": "Stretch Clustering", + "text": "Use either a cloud witness or a file share witness in a third site for cluster quorum for clusters with less than 5 nodes", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "8b9fe5c4-1049-4d40-9a82-2c3474d00f18", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "8e62945f-b9ac-4a5c-a4e4-836f527010b6", + "link": "https://learn.microsoft.com/azure/architecture/hybrid/azure-stack-hci-dr#cost-optimization", "services": [], - "subcategory": "IaC", - "text": "Be fully cognizant of what it takes to build a cluster from scratch. Leverage Infrastructure as a Code for your deployments", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "severity": "High", + "subcategory": "Stretch Clustering", + "text": "When using data deduplication, only enable it on the primary/source volumes", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Ensure that your backups are protected against attacks. This should include encryption of the backups to protect against loss of confidentiality. For regular Azure service backup, backup data is automatically encrypted using Azure platform-managed keys. You can also choose to encrypt the backup using a customer-managed key. 
In this case, ensure this customer-managed key in the key vault is also in the backup scope.", - "guid": "676f6951-0368-49e9-808d-c33a692c9a64", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#br-2-encrypt-backup-data", + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "ac527887-f6f4-40a3-b883-e04d704f013b", + "link": "https://learn.microsoft.com/windows-server/storage/storage-replica/stretch-cluster-replication-using-shared-storage#provision-operating-system-features-roles-storage-and-network", "services": [ - "Backup", - "SQL", - "AKV" + "Storage" ], - "severity": "Medium", - "subcategory": "Azure Key Vault", - "text": "Protect your backup data with encryption and store keys safely in Azure Key Vault", - "waf": "Security" + "severity": "High", + "subcategory": "Stretch Clustering", + "text": "Storage backing log volumes must be faster (ideally) or at least as fast as capacity storage", + "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Azure SQL Database uses SQL Server technology to create full backups every week, differential backup every 12-24 hours, and transaction log backup every 5 to 10 minutes. 
By default, SQL Database stores data in geo-redundant storage blobs that are replicated to a paired region.", - "guid": "e2518261-b3bc-4bd1-b331-637fb2df833f", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#br-1-ensure-regular-automated-backups", + "category": "Backup and Disaster Recovery", + "checklist": "Azure Stack HCI Review", + "guid": "8ea49f70-1038-4283-b0c4-230165d3eabc", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/azure-site-recovery", "services": [ - "Backup", - "SQL", - "Storage" + "ASR", + "Backup" ], "severity": "Medium", - "subcategory": "Backup", - "text": "Configure Azure SQL Database automated backups", - "waf": "Security" + "subcategory": "Disaster Recovery", + "text": "Azure Site Recovery has been considered for DR purposes", + "waf": "Operations" }, { - "category": "BCDR", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "By default, SQL Database stores data in geo-redundant storage blobs that are replicated to a paired region. 
For SQL Database, the backup storage redundancy can be configured at the time of database creation or can be updated for an existing database; the changes made to an existing database apply to future backups only.", - "guid": "f8c7cda2-3ed7-43fb-a100-85dcd12a0ee4", - "link": "https://learn.microsoft.com/azure/azure-sql/database/automated-backups-overview?tabs=single-database&view=azuresql#backup-storage-redundancy", - "services": [ - "Backup", - "SQL", - "Storage" - ], - "severity": "Low", - "subcategory": "Backup", - "text": "Enable geo-redundant backup storage to protect against single region failure and data loss", + "category": "Security", + "checklist": "Azure Stack HCI Review", + "guid": "03e65fdc-2628-4a1a-ba2e-a5174340ba52", + "link": "https://learn.microsoft.com/windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker", + "services": [], + "severity": "Medium", + "subcategory": "Host", + "text": "BitLocker has been enabled on CSVs for volume encryption, where appropriate", "waf": "Security" }, { - "category": "Code", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Malicious code can potentially circumvent security controls. Before deploying custom code to production, it is essential to review what's being deployed. Use a database tool like Azure Data Studio that supports source control. 
Implement tools and logic for code analysis, vulnerability and credential scanning.", - "guid": "7ca9f006-d2a9-4652-951c-de8e4ac5e76e", - "link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-create-server", - "services": [ - "SQL" - ], + "category": "Security", + "checklist": "Azure Stack HCI Review", + "guid": "9645d2e6-ba28-453c-b6d5-d9ef29fc34be", + "link": "https://learn.microsoft.com/windows-server/storage/file-server/smb-security", + "services": [], "severity": "Medium", - "subcategory": "Source Control and Code Review", - "text": "Use Source Control systems to store, maintain and review application code deployed inside Azure SQLDB Database", + "subcategory": "Host", + "text": "SMB encryption has been enabled, where appropriate", "waf": "Security" }, { - "category": "Data Discovery and Classification", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "In case of classification requirements Purview is the preferred option. Only use SQL Data Discovery & Classification in case Purview is not an option. Discover columns that potentially contain sensitive data. What is considered sensitive data heavily depends on the customer, compliance regulation, etc., and needs to be evaluated by the users in charge of that data. Classify the columns to use advanced sensitivity-based auditing and protection scenarios. 
Review results of automated discovery and finalize the classification if necessary.", - "guid": "d401509b-2629-4484-9a7f-af0d29a7778f", - "link": "https://learn.microsoft.com/azure/azure-sql/database/data-discovery-and-classification-overview?view=azuresql#faq---advanced-classification-capabilities", + "category": "Security", + "checklist": "Azure Stack HCI Review", + "guid": "8f03437a-5068-4486-9a78-0402ce771298", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server", "services": [ - "SQL" + "Defender" ], - "severity": "Low", - "subcategory": "Data Discovery and Classification", - "text": "Plan and configure Data Discovery & Classification to protect the sensitive data", + "severity": "Medium", + "subcategory": "Host", + "text": "Microsoft Defender Antivirus has been enabled on all nodes", "waf": "Security" }, { - "category": "Data Masking", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Usage of this feature is recommended only if column encryption is not an option and there is a specific requirement to preserve data types and formats. Dynamic data masking limits sensitive data exposure by masking it to non-privileged users. 
Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal impact on the application layer.", - "guid": "9391fd50-135e-453e-90a7-c1a23f88cc13", - "link": "https://learn.microsoft.com/azure/azure-sql/database/dynamic-data-masking-overview", - "services": [ - "SQL" - ], - "severity": "Low", - "subcategory": "Data Masking", - "text": "Use Data Masking to prevent unauthorized non-admin users data access if no encryption is possible", + "category": "Security", + "checklist": "Azure Stack HCI Review", + "guid": "dba6b211-fc02-43b3-b7c8-f163c188332e", + "link": "https://learn.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage", + "services": [], + "severity": "Medium", + "subcategory": "Host", + "text": "Credential Guard has been configured, where appropriate", "waf": "Security" }, { - "category": "Defender", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "SQL Advanced Threat Detection (ATP) provides a layer of security that detects potential vulnerabilities and anomalous activity in databases such as SQL injection attacks and unusual behavior patterns. 
When a potential threat is detected Threat Detection sends an actionable real-time alert by email and in Microsoft Defender for Cloud, which includes clear investigation and remediation steps for the specific threat.", - "guid": "4e52d73f-5d37-428f-b3a2-e6997e835979", - "link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-configure", - "services": [ - "Defender", - "EventHubs", - "SQL" - ], + "category": "Operations Management", + "checklist": "Cognitive Search Review Checklist", + "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", + "services": [], "severity": "High", - "subcategory": "Advanced Threat Protection", - "text": "Review and complete Advanced Threat Protection (ATP) configuration", - "waf": "Security" + "subcategory": "High Availablity", + "text": "Enable 2 replicas to have 99.9% availability for read operations", + "waf": "Reliability" }, { - "category": "Defender", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Enable Microsoft Defender for Azure SQL at the subscription level to automatically onboard and protect all existing and future servers and databases. When you enable on the subscription level, all databases in Azure SQL Database and Azure SQL Managed Instance are protected. You can then disable them individually if you choose. 
If you want to manually manage which databases are protected, disable at the subscription level and enable each database that you want protected.", - "guid": "dff87489-9edb-4cef-bdda-86e8212b2aa1", - "link": "https://learn.microsoft.com/azure/azure-sql/database/azure-defender-for-sql?view=azuresql#enable-microsoft-defender-for-sql ", - "services": [ - "Defender", - "SQL", - "Subscriptions" - ], - "severity": "High", - "subcategory": "Defender for Azure SQL", - "text": "Enable Microsoft Defender for Azure SQL", - "waf": "Security" + "category": "Operations Management", + "checklist": "Cognitive Search Review Checklist", + "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", + "services": [], + "severity": "Medium", + "subcategory": "High Availablity", + "text": "Enable 3 replicas to have 99.9% availability for read/write operations", + "waf": "Reliability" }, { - "category": "Defender", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Microsoft Defender for Azure SQL ATP detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. 
Alerts can be configured and generated and will be reported in the Defender for console.", - "guid": "ca342fdf-d25a-4427-b105-fcd50ff8a0ea", - "link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-configure", - "services": [ - "Defender", - "SQL", - "Monitor" - ], + "category": "Operations Management", + "checklist": "Cognitive Search Review Checklist", + "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", + "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", + "service": "Cognitive Search", + "services": [], "severity": "High", - "subcategory": "Defender for Azure SQL", - "text": "Prepare a security response plan to promptly react to Microsoft Defender for Azure SQL alerts", - "waf": "Security" + "subcategory": "High Availablity", + "text": "Leverage Availability Zones by enabling read and/or write replicas", + "waf": "Reliability" }, { - "category": "Defender", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Azure SQLDB vulnerability assessment is a service that provides visibility into your security state. Vulnerability assessment includes actionable steps to resolve security issues and enhance your database security. 
It can help you to monitor a dynamic database environment where changes are difficult to track and improve your SQL security posture.", - "guid": "a6101ae7-534c-45ab-86fd-b34c55ea21ca", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/sql-azure-vulnerability-assessment-overview", + "category": "Operations Management", + "checklist": "Cognitive Search Review Checklist", + "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", + "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", + "service": "Cognitive Search", "services": [ - "Defender", - "SQL", - "Monitor" + "ACR" ], - "severity": "High", - "subcategory": "Vulnerability Assessment", - "text": "Configure Vulnerability Assessment (VA) findings and review recommendations", - "waf": "Security" + "severity": "Medium", + "subcategory": "Georeplication", + "text": "For regional redudancy, Manually create services in 2 or more regions for Search as it doesn't provide an automated method of replicating search indexes across geographic regions", + "waf": "Reliability" }, { - "category": "Defender", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Microsoft Defender for Cloud provides vulnerability assessment for your Azure SQL Databases. Vulnerability assessment scans your databases for software vulnerabilities and provides a list of findings. 
You can use the findings to remediate software vulnerabilities and disable findings.", - "guid": "c8c5f112-1e50-4f77-9264-8195b4cd61ac", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/sql-azure-vulnerability-assessment-find?view=azuresql", + "category": "Operations Management", + "checklist": "Cognitive Search Review Checklist", + "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", + "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", + "service": "Cognitive Search", "services": [ - "Defender", - "SQL" + "ACR" ], - "severity": "High", - "subcategory": "Vulnerability Assessment", - "text": "Regularly review of Vulnerability Assessment (VA) findings and recommendations and prepare a plan to fix", - "waf": "Security" + "severity": "Medium", + "subcategory": "Georeplication", + "text": "To synchronize data across multiple services either Use indexers for updating content on multiple services or Use REST APIs for pushing content updates on multiple services", + "waf": "Reliability" }, { - "category": "Encryption", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Always Encrypted with Secure Enclaves expands confidential computing capabilities of Always Encrypted by enabling in-place encryption and richer confidential queries. Always Encrypted with Secure Enclaves addresses these limitations by allowing some computations on plaintext data inside a secure enclave on the server side. 
Usage of this feature is recommended for the cases where you need to limit administrator access and need your queries to support more than equality matching of encrypted columns.", - "guid": "65d7e54a-10a6-4094-b673-9ff3809c9277", - "link": "https://learn.microsoft.com/sql/relational-databases/security/encryption/always-encrypted-enclaves", + "category": "Operations Management", + "checklist": "Cognitive Search Review Checklist", + "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", + "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", + "service": "Cognitive Search", "services": [ - "SQL" + "TrafficManager" ], "severity": "Medium", - "subcategory": "Always Encrypted", - "text": "If protecting sensitive PII data from admin users is a key requirement, but Column Encryption limitations cannot be tolerated, consider the adoption of Always Encrypted with Secure Enclaves", - "waf": "Security" + "subcategory": "Georeplication", + "text": "Use Azure Traffic Manager to coordinate requests", + "waf": "Reliability" }, { - "category": "Encryption", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "With Azure SQL Database, you can apply symmetric encryption to a column of data by using Transact-SQL. This approach is called column encryption, because you can use it to encrypt specific columns with different encryption keys. Doing so gives you more granular encryption capability than TDE, which encrypts data in pages. Using Always Encrypted to ensure sensitive data isn't exposed in plaintext in Azure SQL Database or SQL Managed Instance, even in memory/in use. 
Always Encrypted protects the data from Database Administrators (DBAs) and cloud admins (or bad actors who can impersonate high-privileged but unauthorized users) and gives you more control over who can access your data.", - "guid": "c03ce136-e3d5-4e17-bf25-ed955ee480d3", - "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#control-access-of-application-users-to-sensitive-data-through-encryption", + "category": "Operations Management", + "checklist": "Cognitive Search Review Checklist", + "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", + "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", + "service": "Cognitive Search", "services": [ - "SQL", "Storage", - "AKV" + "ASR", + "Backup" ], - "severity": "Low", - "subcategory": "Column Encryption", - "text": "To protect sensitive PII data from non-admin users in specific table columns, consider using Column Encryption", - "waf": "Security" + "severity": "High", + "subcategory": "Disaster Recovery", + "text": "Backup and Restore an Azure Cognitive Search Index. 
Use this sample code to back up index definition and snapshot to a series of Json files",
+ "waf": "Reliability"
 },
 {
- "category": "Encryption",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Enabled by default, Transparent data encryption (TDE) helps to protect the database files against information disclosure by performing real-time encryption and decryption of the database, associated backups, and transaction log files 'at rest', without requiring changes to the application.",
- "guid": "c614ac47-bebf-4061-b0a1-43e0c6b5e00d",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-create-server",
- "services": [
- "Backup",
- "SQL",
- "Storage"
- ],
+ "category": "BC and DR",
+ "checklist": "Azure Function Review",
+ "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans",
+ "service": "Azure Functions",
+ "services": [],
 "severity": "High",
- "subcategory": "Transparent Data Encryption",
- "text": "Ensure Transparent Data Encryption (TDE) is kept enabled",
- "waf": "Security"
+ "subcategory": "High Availability",
+ "text": "Select the right Function hosting plan based on your business & SLO requirements",
+ "waf": "Reliability"
 },
 {
- "category": "Encryption",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "If separation of duties in the management of keys and data within the organization is required, leverage Customer Managed Keys (CMK) for Transparent Data Encryption (TDE) for your Azure SQLDB and use Azure Key Vault to store (refer to its checklist). 
Leverage this feature when you have strict security requirements which cannot be met by the managed service keys.",
- "guid": "2edb4165-4f54-47cc-a891-5c82c2f21e25",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-overview",
- "services": [
- "SQL",
- "AKV"
- ],
- "severity": "Medium",
- "subcategory": "Transparent Data Encryption",
- "text": "Use customer-managed keys (CMK) in Azure Key Vault (AKV) if you need increased transparency and granular control over the TDE protection",
- "waf": "Security"
+ "category": "BC and DR",
+ "checklist": "Azure Function Review",
+ "guid": "a9808100-d640-4f77-ac56-1ec0600f6752",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans",
+ "service": "Azure Functions",
+ "services": [],
+ "severity": "High",
+ "subcategory": "High Availability",
+ "text": "Leverage Availability Zones where regionally applicable (not available for Consumption tier)",
+ "waf": "Reliability"
 },
 {
- "category": "Encryption",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "The minimal Transport Layer Security (TLS) version setting allows customers to choose which version of TLS their SQL database uses. 
It's possible to change the minimum TLS version by using the Azure portal, Azure PowerShell, and the Azure CLI.",
- "guid": "7754b605-57fd-4bcb-8213-52c39d8e8225",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/connectivity-settings?source=recommendations&view=azuresql&tabs=azure-portal#minimal-tls-version",
- "services": [
- "SQL"
- ],
- "severity": "High",
- "subcategory": "Transport Layer Security",
- "text": "Enforce minimum TLS version to the latest available",
- "waf": "Security"
+ "category": "BC and DR",
+ "checklist": "Azure Function Review",
+ "guid": "5969d03e-eacf-4042-b127-73c55e3575fa",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity",
+ "service": "Azure Functions",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "High Availability",
+ "text": "Consider a Cross-Region DR strategy for critical workloads",
+ "waf": "Reliability"
 },
 {
- "category": "Identity",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Use Azure Active Directory (Azure AD) authentication for centralized identity management. 
Use SQL Authentication only if really necessary and document as exceptions.",
- "guid": "c9b8b6bf-2c6b-453d-b400-de9a43a549d7",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/authentication-aad-overview",
+ "category": "BC and DR",
+ "checklist": "Azure Function Review",
+ "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
+ "service": "Azure Functions",
 "services": [
- "Entra",
- "SQL"
+ "AppSvc"
 ],
- "severity": "Medium",
- "subcategory": "Azure Active Directory",
- "text": "Leverage Azure AD authentication for connections to Azure SQL Databases",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "High Availability",
+ "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
+ "waf": "Reliability"
 },
 {
- "category": "Identity",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Using Azure AD groups simplifies permission management and both the group owner, and the resource owner can add/remove members to/from the group. Create a separate group for Azure AD administrators for each logical server. 
Monitor Azure AD group membership changes using Azure AD audit activity reports.",
- "guid": "29820254-1d14-4778-ae90-ff4aeba504a3",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#central-management-for-identities",
+ "category": "BC and DR",
+ "checklist": "Azure Function Review",
+ "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on",
+ "service": "Azure Functions",
 "services": [
- "Entra",
- "SQL",
- "Monitor"
+ "AppSvc"
 ],
- "severity": "Medium",
- "subcategory": "Azure Active Directory",
- "text": "Create a separate Azure AD group with two admin accounts for each Azure SQL Database logical server",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "High Availability",
+ "text": "Ensure 'Always On' is enabled for all Function Apps running on App Service Plan",
+ "waf": "Reliability"
 },
 {
- "category": "Identity",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Ensure that distinct system and user assigned managed identities, that are dedicated to the function, with least permissions assigned, are used for communication from Azure services and applications to the Azure SQLDB databases.",
- "guid": "df3a09ee-03bb-4198-8637-d141acf5f289",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#minimize-the-use-of-password-based-authentication-for-applications",
+ "category": "BC and DR",
+ "checklist": "Azure Function Review",
+ "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts",
+ "service": "Azure Functions",
 "services": [
- "Entra",
- "SQL"
+ "Storage"
 ],
 "severity": "Medium",
- "subcategory": "Azure Active Directory",
- "text": "Minimize the use of password-based authentication for applications",
- "waf": 
"Security"
+ "subcategory": "High Availability",
+ "text": "Pair a Function App to its own storage account. Try not to re-use storage accounts for Function Apps unless they are tightly coupled",
+ "waf": "Reliability"
 },
 {
- "category": "Identity",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "System or User assigned managed identities enable Azure SQLDB to authenticate to other cloud services (e.g. Azure Key Vault) without storing credentials in code. Once enabled, all necessary permissions can be granted via Azure role-based-access-control to the specific Azure SQLDB instance. Do not share user assigned managed identities across multiple services if not strictly required.",
- "guid": "69891194-5074-4e30-8f69-4efc3c580900",
- "link": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview",
- "services": [
- "RBAC",
- "SQL",
- "AKV",
- "Entra",
- "ACR"
- ],
- "severity": "Low",
- "subcategory": "Managed Identities",
- "text": "Assign Azure SQL Database a managed identity for outbound resource access",
- "waf": "Security"
+ "category": "Application Deployment",
+ "checklist": "Azure Function Review",
+ "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0",
+ "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
+ "service": "Azure Functions",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "CI/CD",
+ "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Function App code",
+ "waf": "Operations"
 },
 {
- "category": "Identity",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Use an Azure AD integrated authentication that eliminates the use of passwords. Password-based authentication methods are a weaker form of authentication. Credentials can be compromised or mistakenly given away. Use single sign-on authentication using Windows credentials. 
Federate the on-premises AD domain with Azure AD and use integrated Windows authentication (for domain-joined machines with Azure AD).",
- "guid": "88287d4a-8bb8-4640-ad78-03f51354d003",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/authentication-aad-configure?view=azuresql&tabs=azure-powershell#active-directory-integrated-authentication",
+ "category": "Operations Management",
+ "checklist": "Service Bus Review Checklist",
+ "guid": "974a759c-763e-47d2-9161-3a7649907e0e",
+ "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ASB_v1.docx",
 "services": [
- "Entra",
- "SQL"
+ "ServiceBus"
 ],
 "severity": "Medium",
- "subcategory": "Passwords",
- "text": "Minimize the use of password-based authentication for users",
- "waf": "Security"
+ "subcategory": "Best Practices",
+ "text": "Leverage FTA Handbook",
+ "waf": "Reliability"
 },
 {
- "category": "Ledger",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "The hash of the latest block in the database ledger is called the database digest. It represents the state of all ledger tables in the database at the time when the block was generated. Generating a database digest is efficient, because it involves computing only the hashes of the blocks that were recently appended. Azure Confidential Ledger is one of the supported store, it can be used and supports automatic generation and storage of database digests. Azure Ledger provides advanced security features like Blockchain Ledger Proof and Confidential Hardware Enclaves. 
Use it only if advanced security features are required, otherwise revert to Azure storage.",
- "guid": "0e853380-50ba-4bce-b2fd-5c7391c85ecc",
- "link": "https://learn.microsoft.com/azure/architecture/guide/technology-choices/multiparty-computing-service#confidential-ledger-and-azure-blob-storage",
+ "category": "Operations Management",
+ "checklist": "Service Bus Review Checklist",
+ "description": "This will be turned on automatically for a new SB namespace created from the portal with the Premium SKUs in a zone-enabled region. Both the Service Bus metadata and the messages data are replicated across datacenters in the availability zones configuration",
+ "guid": "338ee253-c17d-432e-aaaa-b7571549ab81",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-outages-disasters#availability-zones",
 "services": [
- "SQL",
- "Storage"
+ "ACR",
+ "ServiceBus"
 ],
- "severity": "Medium",
- "subcategory": "Database Digest",
- "text": "Use Azure Confidential Ledger to store database digests only if advanced security features are required",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "Best Practices",
+ "text": "Leverage Availability Zones if regionally applicable",
+ "waf": "Reliability"
 },
 {
- "category": "Ledger",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "The hash of the latest block in the database ledger is called the database digest. It represents the state of all ledger tables in the database at the time when the block was generated. Generating a database digest is efficient, because it involves computing only the hashes of the blocks that were recently appended. Azure Blob Storage with Immutable Storage feature can be used and supports automatic generation and storage of database digests. 
To prevent tampering of your digest files, configure and lock a retention policy for your container.",
- "guid": "afefb2d3-95da-4ac9-acf5-33d18b32ef9a",
- "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-digest-management",
+ "category": "Operations Management",
+ "checklist": "Service Bus Review Checklist",
+ "description": "If enabled, Implements namespace metadata replication to a secondary region. Does not replicate queue/topic message data. Premium sku only.",
+ "guid": "53d89f89-d17b-484b-93b5-a67f7b9ed5b3",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-outages-disasters#geo-disaster-recovery",
 "services": [
- "AzurePolicy",
- "SQL",
- "Storage"
+ "ASR",
+ "Storage",
+ "ServiceBus"
 ],
 "severity": "Medium",
- "subcategory": "Database Digest",
- "text": "If Azure storage account is used to store database digests, ensure security is properly configured",
- "waf": "Security"
+ "subcategory": "Geo-Disaster Recovery",
+ "text": "Plan for Metadata replication during regional failure",
+ "waf": "Reliability"
 },
 {
- "category": "Ledger",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Ledger provides a form of data integrity called forward integrity, which provides evidence of data tampering on data in your ledger tables. The database verification process takes as input one or more previously generated database digests. It then recomputes the hashes stored in the database ledger based on the current state of the ledger tables. If the computed hashes don't match the input digests, the verification fails. The failure indicates that the data has been tampered with. 
The verification process reports all inconsistencies that it detects.",
- "guid": "f8d4ffda-8aac-4cc6-b72b-c81cb8625420",
- "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-database-verification",
+ "category": "Operations Management",
+ "checklist": "Service Bus Review Checklist",
+ "description": "If an outage cannot be tolerated, do not use the build-in metadata replication option. Leverage a replication pattern to replicate Service Bus messages across two or more sets of cross-region namespaces",
+ "guid": "1f38c403-a822-4c24-93cf-0f18ac699ef1",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-federation-overview",
 "services": [
- "SQL",
- "Storage"
+ "ASR",
+ "ACR",
+ "ServiceBus"
 ],
 "severity": "Medium",
- "subcategory": "Integrity",
- "text": "Schedule the Ledger verification process regularly to verify data integrity",
- "waf": "Security"
+ "subcategory": "Geo-Disaster Recovery",
+ "text": "Plan for Message replication during regional failure",
+ "waf": "Reliability"
 },
 {
- "category": "Ledger",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "The Ledger feature provides tamper-evidence capabilities in your database. You can cryptographically attest to other parties, such as auditors or other business parties, that your data hasn't been tampered with. Ledger helps protect data from any attacker or high-privileged user, including database administrators (DBAs), system administrators, and cloud administrators.",
- "guid": "2563f498-e2d3-42ea-9e7b-5517881a06a2",
- "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-overview",
+ "category": "Operations Management",
+ "checklist": "Service Bus Review Checklist",
+ "description": "Azure Service Bus uses a message broker to handle messages that are sent to a Service Bus queue or topic. 
By default, all messages that are sent to a queue or topic are handled by the same message broker process. This architecture can place a limitation on the overall throughput of the message queue. However, you can also partition a queue or topic when it is created",
+ "guid": "d5a83de4-de32-4c18-a147-0607c5c0e4e6",
+ "link": "https://learn.microsoft.com/azure/architecture/best-practices/data-partitioning-strategies#partitioning-azure-service-bus",
 "services": [
- "SQL"
+ "Storage",
+ "ServiceBus"
 ],
 "severity": "Medium",
- "subcategory": "Ledger",
- "text": "If cryptographic proof of data integrity is a critical requirement, Ledger feature should be considered",
- "waf": "Security"
+ "subcategory": "Best Practices",
+ "text": "For applications which require high throughput, use Patritioning ",
+ "waf": "Reliability"
 },
 {
- "category": "Ledger",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Depending on the type of tampering, there are cases where you can repair the ledger without losing data. 
In the article contained in the --More Info-- column, different scenarios and recovery techniques are described.",
- "guid": "804fc554-6554-4842-91c1-713b32f99902",
- "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-how-to-recover-after-tampering",
+ "category": "Operations Management",
+ "checklist": "Service Bus Review Checklist",
+ "guid": "14658d24-58ed-4671-99b8-21102df26ee4",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-outages-disasters",
 "services": [
- "SQL"
+ "ServiceBus"
 ],
 "severity": "Medium",
- "subcategory": "Recovery",
- "text": "Prepare a response plan to investigate and repair a database after a tampering event",
- "waf": "Security"
+ "subcategory": "Best Practices",
+ "text": "Evaluate Premier-tier benefits of Azure Service Bus",
+ "waf": "Reliability"
 },
 {
- "category": "Logging",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Azure SQL Database Auditing tracks database events and writes them to an audit log in your Azure storage account. Auditing helps you understand database activity and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations as well as helps you meet regulatory compliance. By default auditing policy includes all actions (queries, stored procedures and successful and failed logins) against the databases, which may result in high volume of audit logs. 
It's recommended for customers to configure auditing for different types of actions and action groups using PowerShell.",
- "guid": "4082e31d-35f4-4a49-8507-d3172cc930a6",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview",
+ "category": "Operations Management",
+ "checklist": "Service Bus Review Checklist",
+ "guid": "11e6f883-e52f-4472-8dd6-8c5b5c2521e5",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-messaging-exceptions",
 "services": [
- "AzurePolicy",
- "SQL",
- "Storage"
+ "ServiceBus"
 ],
- "severity": "Medium",
- "subcategory": "Auditing",
- "text": "Ensure that Azure SQL Database Auditing is enabled at the server level",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "Best Practices",
+ "text": "Ensure that Service Bus Messaging Exceptions are handled properly",
+ "waf": "Reliability"
 },
 {
- "category": "Logging",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Azure SQL Database Auditing logs can be written to external storage accounts, Log Analytics workspace or Event Hub. Be sure to protect the target repository using backups and secured configuration. Use Azure SQL Database Managed Identity to access the storage and set an explicit retention period. Do not grant permissions to administrators to the audit log repository. Use a different target storage for --Enabling Auditing of Microsoft support operations--. 
",
- "guid": "9b64bc50-b60f-4035-bf7a-28c4806dfb46",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview",
+ "category": "Operations Management",
+ "checklist": "Service Bus Review Checklist",
+ "guid": "4a69b9d3-39ac-44e7-a68d-1d75657202b4",
+ "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist",
 "services": [
- "EventHubs",
- "Monitor",
- "Backup",
- "SQL",
 "Storage",
- "Entra"
+ "ServiceBus",
+ "PrivateLink"
 ],
- "severity": "Low",
- "subcategory": "Auditing",
- "text": "Ensure that Azure SQL Database Auditing logs are backed up and secured in the selected repository type",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "Best Practices",
+ "text": "Connect to Service Bus with the Advanced Messaging Queue Protocol (AMQP) and use Service Endpoints or Private Endpoints when possible.",
+ "waf": "Reliability"
 },
 {
- "category": "Logging",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "The Azure Monitor activity log is a platform log in Azure that provides insight into subscription-level events. The activity log includes information like when a resource is modified. 
It is recommended to send this activity log to the same external storage repository as the Azure SQL Database Audit Log (storage account, Log Analytics workspace, Event Hub).",
- "guid": "fcd34708-87ac-4efc-aaf6-57a47f76644a",
- "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
+ "category": "Operations Management",
+ "checklist": "Service Bus Review Checklist",
+ "guid": "f4564b4d-974a-4759-a763-e7d261613a76",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-performance-improvements?tabs=net-standard-sdk-2",
 "services": [
- "EventHubs",
- "Monitor",
- "Subscriptions",
- "SQL",
- "Storage"
+ "ServiceBus"
 ],
- "severity": "Medium",
- "subcategory": "Auditing",
- "text": "Ensure that Azure SQL Database Activity Log is collected and integrated with Auditing logs",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "Best Practices",
+ "text": "Review the Best Practices for performance improvements using Service Bus Messaging",
+ "waf": "Reliability"
 },
 {
- "category": "Logging",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Forward any logs from Azure SQL to your Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR). Ensure that you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. 
Alerts can be sourced from log data, agents, or other data.",
- "guid": "f96e127e-9572-453a-b325-ff89ae9f6b44",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview",
+ "category": "Operations Management",
+ "checklist": "Service Bus Review Checklist",
+ "guid": "49907e0e-338e-4e25-9c17-d32e8aaab757",
+ "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/operational-excellence",
 "services": [
- "SQL",
- "Monitor"
+ "ServiceBus"
 ],
 "severity": "Medium",
- "subcategory": "SIEM/SOAR",
- "text": "Ensure that Azure SQL Database Auditing logs are being presented in to your organizations SIEM/SOAR",
- "waf": "Security"
+ "subcategory": "Best Practices",
+ "text": "Implement geo-replication on the sender and receiver side to protect against outages and disasters",
+ "waf": "Reliability"
 },
 {
- "category": "Logging",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Forward any logs from Azure SQL to your Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR), which can be used to set up custom threat detections. Ensure that you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. 
Alerts can be sourced from log data, agents, or other data.",
- "guid": "41503bf8-73da-4a10-af9f-5f7fceb5456f",
- "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
+ "category": "Operations Management",
+ "checklist": "Service Bus Review Checklist",
+ "guid": "1549ab81-53d8-49f8-ad17-b84b33b5a67f",
+ "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist",
 "services": [
- "SQL",
- "Monitor"
+ "Storage",
+ "ASR",
+ "ServiceBus"
 ],
 "severity": "Medium",
- "subcategory": "SIEM/SOAR",
- "text": "Ensure that Azure SQL Database Activity Log data is presented in to your SIEM/SOAR",
- "waf": "Security"
+ "subcategory": "Best Practices",
+ "text": "If you need mission-critical messaging with queues and topics, Service Bus Premium is recommended with Geo-Disaster Recovery.",
+ "waf": "Reliability"
 },
 {
- "category": "Logging",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Security Operation Center (SOC) team should create an incident response plan (playbooks or manual responses) to investigate and mitigate tampering, malicious activities, and other anomalous behaviors.",
- "guid": "19ec7c97-c563-4e1d-82f0-54d6ec12e754",
- "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
+ "category": "Operations Management",
+ "checklist": "Service Bus Review Checklist",
+ "guid": "7b9ed5b3-1f38-4c40-9a82-2c2463cf0f18",
+ "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist",
 "services": [
- "EventHubs",
- "SQL"
+ "ServiceBus"
 ],
 "severity": "Medium",
- "subcategory": "SIEM/SOAR",
- "text": "Ensure that you have response plans for malicious or aberrant audit logging events",
- "waf": "Security"
+ "subcategory": "Best Practices",
+ "text": "Implement high availability for the Service Bus namespace",
+ "waf": "Reliability"
 },
 {
- "category": "Networking",
- "checklist": "Azure SQLDB 
Security Checklist (Preview)",
- "description": "When you create a logical server from the Azure portal for Azure SQL Database, the result is a public endpoint that is visible and reachable over the public network (Public Access). You can then limit connectivity based on firewall rules and Service Endpoint. You can also configure private connectivity only limiting connections to internal networks using Private Endpoint (Private Access). Private Access using Private Endpoint should be the default unless a business case or performance/technical reason applies that cannot support it. Usage of Private Endpoints has performance implications that need to be considered and assessed.",
- "guid": "2c6d356a-1784-475b-a42c-ec187dc8c925",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview",
+ "category": "Operations Management",
+ "checklist": "Service Bus Review Checklist",
+ "guid": "ac699ef1-d5a8-43de-9de3-2c1881470607",
+ "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist",
 "services": [
- "PrivateLink",
- "SQL"
+ "ServiceBus"
 ],
 "severity": "High",
- "subcategory": "Connectivity",
- "text": "Review Public vs. Private Access connectivity methods and select the appropriate one for the workload",
- "waf": "Security"
+ "subcategory": "Best Practices",
+ "text": "Ensure related messages are delivered in guaranteed order",
+ "waf": "Reliability"
 },
 {
- "category": "Networking",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "IMPORTANT: Connections to private endpoint only support Proxy as the connection policy. When using private endpoints connections are proxied via the Azure SQL Database gateway to the database nodes. 
Clients will not have a direct connection.",
- "guid": "557b3ce5-bada-4296-8d52-a2d447bc1718",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/connectivity-architecture",
+ "category": "Operations Management",
+ "checklist": "Service Bus Review Checklist",
+ "guid": "c5c0e4e6-1465-48d2-958e-d67139b82110",
+ "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist",
 "services": [
- "AzurePolicy",
- "PrivateLink",
- "SQL"
+ "ServiceBus"
 ],
 "severity": "Low",
- "subcategory": "Connectivity",
- "text": "Keep default Azure SQL Database Connection Policy if not differently required and justified",
- "waf": "Security"
+ "subcategory": "Best Practices",
+ "text": "Evaluate different Java Messaging Service (JMS) features through the JMS API",
+ "waf": "Reliability"
 },
 {
- "category": "Networking",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "This option configures the firewall to allow all connections from Azure, including connections from the subscriptions of other customers. If you select this option, make sure that your login and user permissions limit access to authorized users only. 
If not strictly required, keep this setting to OFF.",
- "guid": "f48efacf-4405-4e8d-9dd0-16c5302ed082",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview",
+ "category": "Operations Management",
+ "checklist": "Service Bus Review Checklist",
+ "guid": "2df26ee4-11e6-4f88-9e52-f4722dd68c5b",
+ "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist",
 "services": [
- "SQL",
- "Subscriptions"
+ "ServiceBus"
 ],
- "severity": "High",
- "subcategory": "Connectivity",
- "text": "Ensure Allow Azure Services and Resources to Access this Server setting is disabled in Azure SQL Database firewall",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Best Practices",
+ "text": "Use .NET Nuget packages to communicate with Service Bus messaging entities",
+ "waf": "Reliability"
 },
 {
- "category": "Networking",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Azure SQL Database has a new built-in feature that allows native integration with external REST endpoints. This means that integration of Azure SQL Database with Azure Functions, Azure Logic Apps, Cognitive Services, Event Hubs, Event Grid, Azure Containers, API Management and in general any REST or even GraphQL endpoint. If not properly restricted, code inside an Azure SQL Database database could leverage this mechanism to exfiltrate data. 
If not strictly required, it is recommended to block or restrict this feature using Outbound Firewall Rules.",
- "guid": "cb3274a7-e36d-46f6-8de5-46d30c8dde8e",
- "link": "https://learn.microsoft.com/sql/relational-databases/system-stored-procedures/sp-invoke-external-rest-endpoint-transact-sql",
+ "category": "Operations Management",
+ "checklist": "Service Bus Review Checklist",
+ "guid": "5c2521e5-4a69-4b9d-939a-c4e7c68d1d75",
+ "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist",
 "services": [
- "EventHubs",
- "APIM",
- "SQL"
+ "ServiceBus"
 ],
 "severity": "Medium",
- "subcategory": "Outbound Control",
- "text": "Block or restrict outbound REST API calls to external endpoints",
- "waf": "Security"
+ "subcategory": "Best Practices",
+ "text": "Implement resilience for transient fault handling when sending or receiving messages",
+ "waf": "Reliability"
 },
 {
- "category": "Networking",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Outbound firewall rules limit network traffic from the Azure SQL Database logical server to a customer defined list of Azure Storage accounts and Azure SQL Database logical servers. Any attempt to access storage accounts or databases not in this list is denied.",
- "guid": "a566dd3d-314e-4a94-9378-102c42d82b38",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/outbound-firewall-rule-overview",
+ "category": "Security",
+ "checklist": "Service Bus Review Checklist",
+ "description": "Azure Service Bus Premium provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. 
",
+ "guid": "87af4a79-1f89-439b-ba47-768e14c11567",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key",
+ "service": "Service Bus",
 "services": [
- "SQL",
- "Storage"
+ "ServiceBus"
 ],
- "severity": "Medium",
- "subcategory": "Outbound Control",
- "text": "If outbound network access is required, it is recommended to configure outbound networking restrictions using built-in Azure SQL Database control feature",
+ "severity": "Low",
+ "subcategory": "Data Protection",
+ "text": "Use customer-managed key option in data at rest encryption when required",
+ "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
 "waf": "Security"
 },
 {
- "category": "Networking",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Private Endpoint is created inside a subnet in an Azure Virtual Network. Proper security configuration must be applied also to the containing network environment, including NSG/ASG, UDR, firewall, monitoring and auditing.",
- "guid": "246cd832-f550-4af0-9c74-ca9baeeb8860",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/private-endpoint-overview?view=azuresql#disable-public-access-to-your-logical-server",
+ "category": "Security",
+ "checklist": "Service Bus Review Checklist",
+ "description": "Communication between a client application and an Azure Service Bus namespace is encrypted using Transport Layer Security (TLS). Azure Service Bus namespaces permit clients to send and receive data with TLS 1.0 and above. 
To enforce stricter security measures, you can configure your Service Bus namespace to require that clients send and receive data with a newer version of TLS.",
+ "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version",
+ "service": "Service Bus",
 "services": [
- "VNet",
- "Monitor",
- "Firewall",
- "PrivateLink",
- "SQL"
+ "ServiceBus"
 ],
 "severity": "Medium",
- "subcategory": "Private Access",
- "text": "If Private Access connectivity is used, ensure that you are using the Private Endpoint, Azure Virtual Network, Azure Firewall, and Azure Network Security Group checklists",
+ "subcategory": "Data Protection",
+ "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ",
+ "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
 "waf": "Security"
 },
 {
- "category": "Networking",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "When adding a Private Endpoint connection, public routing to your logical server isn't blocked by default. In the --Firewall and virtual networks-- pane, the setting --Deny public network access-- is not selected by default. To disable public network access, ensure that you select --Deny public network access--.",
- "guid": "3a0808ee-ea7a-47ab-bdce-920a6a2b3881",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/private-endpoint-overview?view=azuresql#disable-public-access-to-your-logical-server",
+ "category": "Security",
+ "checklist": "Service Bus Review Checklist",
+ "description": "When you create a Service Bus namespace, a SAS rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative root account and don't use it in your application. 
Using AAD as an authentication provider with RBAC is recommended. ",
+ "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies",
+ "service": "Service Bus",
 "services": [
- "PrivateLink",
- "SQL",
- "VNet"
+ "TrafficManager",
+ "Entra",
+ "RBAC",
+ "ServiceBus",
+ "AzurePolicy"
 ],
- "severity": "High",
- "subcategory": "Private Access",
- "text": "If Private Endpoint (Private Access) is used, consider disabling Public Access connectivity",
+ "severity": "Medium",
+ "subcategory": "Identity and Access Management",
+ "text": "Avoid using root account when it is not necessary",
+ "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/",
 "waf": "Security"
 },
 {
- "category": "Networking",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Network Security Group (NSG) and Application Security Group (ASG) can be now applied to subnet containing Private Endpoints to restrict connections to Azure SQLDB based on internal source IP ranges.",
- "guid": "8600527e-e8c4-4424-90ef-1f0dca0224f2",
- "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview#network-security-of-private-endpoints",
+ "category": "Security",
+ "checklist": "Service Bus Review Checklist",
+ "description": "A Service Bus client app running inside an Azure App Service application or in a virtual machine with enabled managed entities for Azure resources support does not need to handle SAS rules and keys, or any other access tokens. The client app only needs the endpoint address of the Service Bus Messaging namespace. 
",
+ "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity",
+ "service": "Service Bus",
 "services": [
- "PrivateLink",
- "SQL",
- "VNet"
+ "Storage",
+ "Entra",
+ "AKV",
+ "ServiceBus",
+ "VM",
+ "AppSvc"
 ],
 "severity": "Medium",
- "subcategory": "Private Access",
- "text": "If Private Endpoint (Private Access) is used, apply NSG and eventually ASG to limit incoming source IP address ranges",
+ "subcategory": "Identity and Access Management",
+ "text": "When possible, your application should be using a managed identity to authenticate to Azure Service Bus. If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service",
+ "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
 "waf": "Security"
 },
 {
- "category": "Networking",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "A Managed Instance (SQL MI) can be isolated inside a virtual network to prevent external access. Applications and tools that are in the same or peered virtual network in the same region could access it directly. Applications and tools that are in different region could use virtual-network-to-virtual-network connection or ExpressRoute circuit peering to establish connection. Customer should use Network Security Groups (NSG), and eventually internal firewalls, to restrict access over port 1433 only to resources that require access to a managed instance.",
- "guid": "18123ef4-a0a6-45e3-87fe-7f454f65d975",
- "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/connectivity-architecture-overview",
+ "category": "Security",
+ "checklist": "Service Bus Review Checklist",
+ "description": "When creating permissions, provide fine-grained control over a client's access to Azure Service Bus. 
Permissions in Azure Service Bus can and should be scoped to the individual resource level e.g. queue, topic or subscription. ", + "guid": "f615658d-e558-4f93-9249-b831112dbd7e", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus", + "service": "Service Bus", "services": [ - "ExpressRoute", - "VNet", - "SQL" + "Storage", + "Entra", + "RBAC", + "Subscriptions", + "ServiceBus" ], - "severity": "Medium", - "subcategory": "Private Access", - "text": "Apply Network Security Groups (NSG) and firewall rules to restrict access to Azure SQL Managed Instance internal subnet", + "severity": "High", + "subcategory": "Identity and Access Management", + "text": "Use least privilege data plane RBAC", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Azure Virtual Network Service Endpoint is preferred solution if you want to establish a direct connection to the Azure SQL Database backend nodes using Redirect policy. This will allow access in high performance mode and is the recommended approach from a performance perspective.", - "guid": "55187443-6852-4fbd-99c6-ce303597ca7f", - "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview?view=azuresql#ip-vs-virtual-network-firewall-rules", + "category": "Security", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus resource logs include operational logs, virtual network and IP filtering logs. 
Runtime audit logs capture aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Service Bus.", + "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference", + "service": "Service Bus", "services": [ - "AzurePolicy", "VNet", - "SQL" + "Monitor", + "ServiceBus" ], - "severity": "High", - "subcategory": "Public Access", - "text": "If Public Access connectivity is used, leverage Service Endpoint to restrict access from selected Azure Virtual Networks", + "severity": "Medium", + "subcategory": "Monitoring", + "text": "Enable logging for security investigation. Use Azure Monitor to trace resource logs and runtime audit logs (currently available only in the premium tier)", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "The Azure SQL Database firewall allows you to specify IP address ranges from which communications are accepted. This approach is fine for stable IP addresses that are outside the Azure private network.", - "guid": "a73e32da-b3f4-4960-b5ec-2f42a557bf31", - "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview", + "category": "Security", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Service Bus traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. 
", + "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service", + "service": "Service Bus", "services": [ - "SQL", - "Storage" + "VNet", + "ServiceBus", + "PrivateLink" ], "severity": "Medium", - "subcategory": "Public Access", - "text": "If Public Access connectivity is used, ensure that only specific known IPs are added to the firewall", + "subcategory": "Networking", + "text": "Consider using private endpoints to access Azure Service Bus and disable public network access when applicable.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "We recommend that you use database-level IP firewall rules whenever possible. This practice enhances security and makes your database more portable. Use server-level IP firewall rules for administrators. Also use them when you have many databases that have the same access requirements, and you don't want to configure each database individually.", - "guid": "e0f31ac9-35c8-4bfd-9865-edb60ffc6768", - "link": "https://learn.microsoft.com/azure/azure-sql/database/firewall-configure", + "category": "Security", + "checklist": "Service Bus Review Checklist", + "description": "With IP firewall, you can restrict the public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. 
", + "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering", + "service": "Service Bus", "services": [ - "SQL", - "Storage" + "ServiceBus" ], - "severity": "Low", - "subcategory": "Public Access", - "text": "If Public Access connectivity is used and controlled by Azure SQL Database firewall rules, use database-level over server-level IP rules", + "severity": "Medium", + "subcategory": "Networking", + "text": "Consider only allowing access to Azure Service Bus namespace from specific IP addresses or ranges", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "A Managed Instance (SQL MI) can be isolated inside a virtual network to prevent external access. The Managed Instance public endpoint is not enabled by default, must be explicitly enabled, only if strictly required. If company policy disallows the use of public endpoints, use Azure Policy to prevent enabling public endpoints in the first place.", - "guid": "b8435656-143e-41a8-9922-61d34edb751a", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/public-endpoint-overview", + "category": "Automation", + "checklist": "SAP Checklist", + "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", + "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", + "service": "SAP", "services": [ - "AzurePolicy", - "VNet", - "SQL" + "SAP" ], - "severity": "High", - "subcategory": "Public Access", - "text": "Do not enable Azure SQL Managed Instance public endpoint", - "waf": "Security" + "severity": "Medium", + "subcategory": "ACSS", + "text": "Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP a top-level workload on Azure. 
ACSS is an end-to-end solution that enables you to create and run SAP systems as a unified workload on Azure and provides a more seamless foundation for innovation. You can take advantage of the management capabilities for both new and existing Azure-based SAP systems.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", + "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "A Managed Instance (SQL MI) public endpoint is not enabled by default, must be explicitly enabled, only if strictly required. In this case, it is recommended to apply a Network Security Groups (NSG) to restrict access to port 3342 only to trusted source IP addresses.", - "guid": "057dd298-8726-4aa6-b590-1f81d2e30421", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/public-endpoint-overview", + "category": "Automation", + "checklist": "SAP Checklist", + "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", + "service": "SAP", "services": [ - "VNet", - "SQL" + "SAP" ], - "severity": "High", - "subcategory": "Public Access", - "text": "Restrict access if Azure SQL Managed Instance public endpoint is required", - "waf": "Security" + "severity": "Medium", + "subcategory": "SDAF", + "text": "Azure supports automating SAP deployments in Linux and Windows. SAP Deployment Automation Framework is an open-source orchestration tool that can deploy, install, and maintain SAP environments.", + "training": "https://github.com/Azure/sap-automation", + "waf": "Operations" }, { - "category": "Privileged Access", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Most operations, support, and troubleshooting performed by Microsoft personnel and sub-processors do not require access to customer data. 
In those rare circumstances where such access is required, Customer Lockbox for Microsoft Azure provides an interface for customers to review and approve or reject customer data access requests. In support scenarios where Microsoft needs to access customer data, Azure SQL Database supports Customer Lockbox to provide an interface for you to review and approve or reject customer data access requests.", - "guid": "37b6eb0f-553d-488f-8a8a-cb9bf97388ff", - "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", + "service": "SAP", "services": [ - "SQL" + "ASR", + "SAP", + "Backup" ], - "severity": "Low", - "subcategory": "Lockbox", - "text": "Review and enable Customer Lockbox for Azure SQL Database access by Microsoft personnel", - "waf": "Security" + "severity": "Medium", + "subcategory": "Backup and restore", + "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally", + "waf": "Reliability" }, { - "category": "Privileged Access", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "The principle of least privilege states that users shouldn't have more privileges than needed to complete their tasks. High-privileged database and server users can perform many configuration and maintenance activities on the database and can also drop databases in Azure SQL instance. 
Tracking database owners and privileged accounts is important to avoid having excessive permission.", - "guid": "5fe5281f-f0f9-4842-a682-8baf18bd8316", - "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#implement-principle-of-least-privilege", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", + "service": "SAP", "services": [ - "SQL" + "ASR", + "SAP", + "Backup" ], "severity": "Medium", - "subcategory": "Permissions", - "text": "Ensure that users are assigned the minimum level of access necessarily to complete their job functions", - "waf": "Security" + "subcategory": "Disaster recovery", + "text": "Test the backup and recovery times to verify that they meet your RTO requirements for restoring all systems simultaneously after a disaster.", + "waf": "Reliability" }, { - "category": "Privileged Access", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Identities (both Users and SPNs) should be scoped to the least amount of access needed to perform the function. A higher number of tightly scoped SPNs should be used, instead of having one SPN with multiple sets of unrelated permissions. For example, if there are three external web applications hosted on-prem that make queries to the Azure SQL Database, they should not all use the same SPN for these activities. 
Instead, they should each have their own tightly scoped SPN.", - "guid": "7b5b55e5-4750-4920-be97-eb726c256a5c", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#im-3-use-azure-ad-single-sign-on-sso-for-application-access", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "b651423c-8552-42db-a545-5cb50c05527a", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "SAP", "services": [ - "Entra", - "SQL" + "Storage", + "Backup", + "SQL", + "ASR", + "SAP" ], - "severity": "Low", - "subcategory": "Permissions", - "text": "Ensure that distinct applications will be assigned different credentials with minimal permissions to access Azure SQL Database", - "waf": "Security" + "severity": "High", + "subcategory": "Disaster recovery", + "text": "You can replicate standard storage between paired regions, but you can't use standard storage to store your databases or virtual hard disks. You can replicate backups only between paired regions that you use. For all your other data, run your replication by using native DBMS features like SQL Server Always On or SAP HANA System Replication. Use a combination of Site Recovery, rsync or robocopy, and other third-party software for the SAP application layer.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Ensure data repositories for the backup solution are stored outside of vSAN storage. 
Either in Azure native or on a disk pool-backed datastore", - "guid": "976f32a7-30d1-6caa-c2a0-207fdc26571b", - "link": "https://learn.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", "services": [ - "Backup", - "Storage", - "AVS" + "ASR", + "SAP" ], "severity": "Medium", - "subcategory": "Backup", - "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource", + "subcategory": "Disaster recovery", + "text": "When using Azure Availability Zones to achieve high availability, you must consider latency between SAP application servers and database servers. For zones with high latencies, operational procedures need to be in place to ensure that SAP application servers and database servers are running in the same zone at all times.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Microsoft backup service", - "guid": "fc8af7a1-c724-e255-c18d-4ca22a6f27f0", - "link": "https://docs.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "SAP", "services": [ - "Backup", - "AVS" + "VPN", + "ExpressRoute", + "SAP", + "ASR" ], - "severity": "Medium", - "subcategory": "Business Continuity", - "text": "Use MABS as your backup solution", + "severity": "High", + 
"subcategory": "Disaster recovery", + "text": "Set up ExpressRoute connections from on-premises to the primary and secondary Azure disaster recovery regions. Also, as an alternative to using ExpressRoute, consider setting up VPN connections from on-premises to the primary and secondary Azure disaster recovery regions.", + "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Best practice - this is Backup, not disaster recovery", - "guid": "be28860f-3d29-a79a-1a0e-36f1b23b36ae", - "link": "Best practice to deploy backup in the same region as your AVS deployment", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "SAP", "services": [ - "Backup", "ASR", - "AVS" + "ACR", + "SAP", + "AKV" ], - "severity": "Medium", - "subcategory": "Business Continuity", - "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud", + "severity": "Low", + "subcategory": "Disaster recovery", + "text": "Replicate key vault contents like certificates, secrets, or keys across regions so you can decrypt data in the DR region.", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Best practice - in case AVS is unavailable", - "guid": "4d2f79a5-4ccf-0dfc-557c-49619b99a540", - "link": "https://docs.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", + "link": 
"https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", + "service": "SAP", "services": [ - "AVS" + "ASR", + "VNet", + "SAP" ], "severity": "Medium", - "subcategory": "Business Continuity", - "text": "Preferably deploy MABS outside of the SDDC as native Azure IaaS", + "subcategory": "Disaster recovery", + "text": "Peer the primary and disaster recovery virtual networks. For example, for HANA System Replication, an SAP HANA DB virtual network needs to be peered to the disaster recovery site's SAP HANA DB virtual network.", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?", - "guid": "ff431c40-962c-5182-d536-0c2f0c4ce9e0", - "link": "Will Disaster Recovery Site Recovery, HCX Disaster Recovery, SRM or back tools be used?", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", + "service": "SAP", "services": [ - "AVS" + "Storage", + "SAP", + "ASR" ], - "severity": "Medium", - "subcategory": "Business Continuity", - "text": "Escalation process with Microsoft in the event of a regional DR", + "severity": "Low", + "subcategory": "Disaster recovery", + "text": "If you use Azure NetApp Files storage for your SAP deployments, at a minimum, create two Azure NetApp Files accounts in the Premium tier, in two regions.", + "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Compare SRM with HCX", - "guid": "f379436d-3051-daa0-01fb-dc4e0e04d677", - "link": 
"https://docs.microsoft.com/azure/azure-vmware/disaster-recovery-using-vmware-site-recovery-manager", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "services": [ "ASR", - "AVS" + "SAP" ], - "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Use VMware Site Recovery Manager when both sites are Azure VMware Solution", + "severity": "High", + "subcategory": "Disaster recovery", + "text": "Native database replication technology should be used to synchronize the database in a HA pair.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Recovery into Azure instead of Vmware solution", - "guid": "367f71d8-3cf6-51a0-91a5-3db3d570cc19", - "link": "https://docs.microsoft.com/azure/site-recovery/avs-tutorial-prepare-azure", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", + "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", + "service": "SAP", "services": [ "ASR", - "AVS" + "VNet", + "SAP" ], - "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS", + "severity": "High", + "subcategory": "Disaster recovery", + "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's VNet", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", "waf": "Reliability" }, { - 
"category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Avoid manual tasks as much as possible", - "guid": "ee02ada0-1887-bb3a-b84c-423f45a09ef9", - "link": "https://docs.microsoft.com/azure/site-recovery/avs-tutorial-prepare-azure", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", + "service": "SAP", "services": [ "ASR", - "AVS" + "Entra", + "SAP", + "VM" ], - "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Use Automated recovery plans with either of the Disaster solutions,", + "severity": "High", + "subcategory": "Disaster recovery", + "text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Any other datacenter in the same region", - "guid": "0c2b74e5-9c28-780d-1df3-12d3de4aaa76", - "link": "https://docs.microsoft.com/azure/azure-vmware/connect-multiple-private-clouds-same-region", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "services": [ "ASR", - "AVS" + "SAP" ], - "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Configure a secondary disaster recovery environment", + "severity": "High", + "subcategory": "High availability", + 
"text": "Consider the availability of SAP software against single points of failure. This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. Also, other tools such as SAP Web Dispatcher.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions", - "guid": "c2a34ec4-2933-4e6c-dc36-e20e67abbe3f", - "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "service": "SAP", "services": [ "ASR", - "AVS" + "SAP" ], - "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Assign IP ranges unique to each region", + "severity": "High", + "subcategory": "High availability", + "text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. 
In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "ExpressRoute Global Reach can be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or routing must be done through network virtual appliances?", - "guid": "b44fb6ec-bfc1-3a8e-dba2-ca97f0991d2c", - "link": "This depends if you have multiple AVS Private Clouds. If so and they are in the same region then use AVS Interconnect. If they are in separate regions then use ExpressRoute Global Reach.", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "services": [ + "Storage", "ASR", - "NVA", - "ExpressRoute", - "AVS" + "SAP", + "VM" ], - "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Use Global Reach between DR regions", + "severity": "High", + "subcategory": "High availability", + "text": "Azure doesn't support architectures in which the primary and secondary VMs share storage for DBMS data. 
For the DBMS layer, the common architecture pattern is to replicate databases at the same time and with different storage stacks than the ones that the primary and secondary VMs use.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", "waf": "Reliability" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "An ExR Global Reach connection will be established to the ExR circuit, no other connections", - "guid": "a2c12df2-07fa-3edd-2cec-fda0b55fb952", - "link": "https://learn.microsoft.com/azure/azure-vmware/tutorial-expressroute-global-reach-private-cloud", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", + "service": "SAP", "services": [ - "VWAN", - "AVS" + "Storage", + "SAP", + "ASR" ], - "severity": "Medium", - "subcategory": "Direct (no vWAN, no H&S)", - "text": "Global Reach to ExR circuit - no Azure resources", - "waf": "Performance" + "severity": "High", + "subcategory": "High availability", + "text": "The DBMS data and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. 
Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", + "waf": "Reliability" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use ExR to connect on-premises (other) location to Azure", - "guid": "f62ce162-ba5a-429d-674e-fafa1af5f706", - "link": "https://learn.microsoft.com/azure/azure-vmware/tutorial-expressroute-global-reach-private-cloud", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "service": "SAP", "services": [ - "ExpressRoute", - "AVS" + "ASR", + "SAP" ], - "severity": "Medium", - "subcategory": "ExpressRoute", - "text": "Connect to Azure using ExR", - "waf": "Performance" + "severity": "High", + "subcategory": "High availability", + "text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific high-availability scenarios. Set up your failover clusters separately for SAP application layer components and the DBMS layer. 
Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use the migration assesment tool and timeline to determine bandwidth required", - "guid": "cf01c73b-1247-0a7a-740c-e1ea29bda340", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-introduction", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", + "service": "SAP", "services": [ - "ExpressRoute", - "AVS" + "ASR", + "SAP", + "LoadBalancer" ], - "severity": "Medium", - "subcategory": "ExpressRoute", - "text": "Bandwidth sizing", - "waf": "Performance" + "severity": "High", + "subcategory": "High availability", + "text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer should handle the virtual IP address for all other cases. One design principle is to use one load balancer per cluster configuration. 
We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "Reliability" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "What traffic is routed through a firewall, what goes directly into Azure", - "guid": "aab216ee-8941-315e-eada-c7e1f2243bd1", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", + "service": "SAP", "services": [ - "ExpressRoute", - "AVS" + "ASR", + "SAP", + "LoadBalancer" ], - "severity": "Medium", - "subcategory": "ExpressRoute", - "text": "Traffic routing ", - "waf": "Performance" + "severity": "High", + "subcategory": "High availability", + "text": "Make sure the Floating IP is enabled on the Load balancer", + "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "waf": "Reliability" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "AVS to ExR circuit, no traffic inspection", - "guid": "1f956e45-f62d-5c95-3a95-3bab718907f8", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "SAP", "services": [ - "ExpressRoute", - "AVS" + 
"ASR", + "SAP" ], - "severity": "Medium", - "subcategory": "ExpressRoute", - "text": "Global Reach ", - "waf": "Performance" + "severity": "High", + "subcategory": "High availability", + "text": "Before you deploy your high-availability infrastructure, and depending on the region you choose, determine whether to deploy with an Azure availability set or an availability zone.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Reliability" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Name of the vNet and a unique address space /24 minimum", - "guid": "91f7a87b-21ac-d712-959c-8df2ba034253", - "link": "https://learn.microsoft.com/azure/virtual-network/quick-create-portal", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "SAP", "services": [ - "VNet", - "AVS" + "ASR", + "Entra", + "SAP", + "VM" ], - "severity": "Medium", - "subcategory": "Hub & Spoke", - "text": "VNet name & address space", - "waf": "Performance" + "severity": "High", + "subcategory": "High availability", + "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.", + "waf": "Reliability" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Subnet must be called GatewaySubnet", - "guid": "58a027e2-f37f-b540-45d5-e44843aba26b", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings", + "category": "Business Continuity and 
Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", "services": [ - "ExpressRoute", - "VNet", - "VPN", - "AVS" + "Entra", + "RBAC", + "ASR", + "VM", + "SAP" ], - "severity": "Medium", - "subcategory": "Hub & Spoke", - "text": "Gateway subnet", - "waf": "Performance" + "severity": "High", + "subcategory": "High availability", + "text": "Do not mix servers of different roles in the same availability set. Keep central services VMs, database VMs, application VMs in their own availability sets", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Reliability" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Create a VPN gateway on the hub Gateway subnet", - "guid": "d4806549-0913-3e79-b580-ac2d3706e65a", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + "service": "SAP", "services": [ - "ExpressRoute", - "VNet", - "VPN", - "AVS" + "ASR", + "SAP" ], "severity": "Medium", - "subcategory": "Hub & Spoke", - "text": "VPN Gateway", - "waf": "Performance" + "subcategory": "High availability", + "text": "You can't deploy Azure availability sets within an Azure availability zone unless you use proximity placement groups.", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "waf": "Reliability" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Create an ExR Gateway in the hub Gateway subnet.", - 
"guid": "864d7a8b-7016-c769-a717-61af6bfb73d2", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", "services": [ - "ExpressRoute", - "VNet", - "VPN", - "AVS" + "ASR", + "SAP", + "VM" ], - "severity": "Medium", - "subcategory": "Hub & Spoke", - "text": "ExR Gateway", - "waf": "Performance" + "severity": "High", + "subcategory": "High availability", + "text": "When you create availability sets, use the maximum number of fault domains and update domains available. For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. 
The default number of fault domains is two, and you can't change it online later.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Reliability" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "How will Internet traffic be routes, Az Firewall, NVA, Secure Hub, On-Premises firewall?", - "guid": "cc2e11b9-7911-7da1-458c-d7fcef794aad", - "link": "https://learn.microsoft.com/azure/azure-vmware/enable-public-internet-access", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "services": [ - "NVA", - "AVS" + "ASR", + "Entra", + "SAP" ], - "severity": "Medium", - "subcategory": "Internet", - "text": "Egress point", - "waf": "Performance" + "severity": "High", + "subcategory": "High availability", + "text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group.", + "waf": "Reliability" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Allow remote connectivity to AVS via the portal, specifically to vCenter, NSX-T and HCX", - "guid": "71e68ce3-982e-5e56-0191-01100ad0e66f", - "link": "https://learn.microsoft.com/answers/questions/171195/how-to-create-jump-server-in-azure-not-bastion-paa.html", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "services": [ - "Bastion", - "AVS" + "ASR", + "ACR", + "SAP" ], - 
"severity": "Medium", - "subcategory": "Jumpbox & Bastion", - "text": "Remote connectivity to AVS", - "waf": "Performance" + "severity": "High", + "subcategory": "High availability", + "text": "Use one proximity placement group per SAP SID. Groups don't span across Availability Zones or Azure regions", + "waf": "Reliability" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Name the jumpbox and identify the subnet where it will be hosted", - "guid": "6f8e93a2-44b1-bb1d-28a1-4d5b3c2ea857", - "link": "https://learn.microsoft.com/azure/bastion/tutorial-create-host-portal", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "services": [ - "VNet", - "Bastion", - "AVS" + "ASR", + "Entra", + "SAP" ], - "severity": "Medium", - "subcategory": "Jumpbox & Bastion", - "text": "Configure a jumbox and Azure Bastion", - "waf": "Performance" + "severity": "High", + "subcategory": "High availability", + "text": "Use one of the following services to run SAP central services clusters, depending on the operating system.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Provides secure / seamless RDP/SSH connectivity to your vm's directly through the portal.", - "guid": "ba430d58-4541-085c-3641-068c00be9bc5", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "ed46b937-913e-4018-9c62-8393ab037e53", + "link": 
"https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", + "service": "SAP", "services": [ - "VM", - "Bastion", - "AVS" + "ASR", + "Entra", + "SAP", + "VM" ], "severity": "Medium", - "subcategory": "Jumpbox & Bastion", - "text": "Security measure allowing RDP access via the portal", - "waf": "Performance" + "subcategory": "High availability", + "text": "Azure doesn't currently support combining ASCS and DB HA in the same Linux Pacemaker cluster; separate them into individual clusters. However, you can combine up to five multiple central-services clusters into a pair of VMs.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Using a VPN to connect to Azure to enable VMware communications (HCX) (not recommended)", - "guid": "9988598f-2a9f-6b12-9b46-488415ceb325", - "link": "https://learn.microsoft.com/azure/azure-vmware/configure-site-to-site-vpn-gateway", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "f656e745-0cfb-453e-8008-0528fa21c933", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "services": [ - "VPN", - "AVS" + "Storage", + "ASR", + "SAP", + "VM" ], "severity": "Medium", - "subcategory": "VPN", - "text": "Connect to Azure using a VPN", - "waf": "Performance" + "subcategory": "High availability", + "text": "Deploy both VMs in the high-availability pair in an availability set or in availability zones. 
These VMs should be the same size and have the same storage configuration.", + "waf": "Reliability" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use the migration assesment tool and timeline to determine bandwidth required (eg 3rd party tool in link)", - "guid": "956ce5e9-a862-fe2b-a50d-a22923569357", - "link": "https://www.omnicalculator.com/other/data-transfer#:~:text=To%20calculate%20the%20data%20transfer%20speed%3A%201%20Download,measured%20time%20to%20find%20the%20data%20transfer%20speed.", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "7f684ebc-95da-425e-b329-e782dbed050f", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", + "service": "SAP", "services": [ - "VPN", - "AVS" + "ASR", + "SAP" ], "severity": "Medium", - "subcategory": "VPN", - "text": "Bandwidth sizing", - "waf": "Performance" + "subcategory": "High availability", + "text": "Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances on the same high availability cluster running on Red Hat Enterprise Linux (RHEL).", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "What traffic is routed through a firewall, what goes directly into Azure", - "guid": "e095116f-0bdc-4b51-4d71-b9e469d56f59", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", "services": [ - 
"VPN", - "AVS" + "Storage", + "SAP", + "ASR" ], - "severity": "Medium", - "subcategory": "VPN", - "text": "Traffic routing ", - "waf": "Performance" + "severity": "High", + "subcategory": "Storage", + "text": "Run all production systems on Premium managed SSDs and use Azure NetApp Files or Ultra Disk Storage. At least the OS disk should be on the Premium tier so you can achieve better performance and the best SLA.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "Reliability" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Name and unique address space for the vWAN, name for the vWAN hub", - "guid": "4dc480ac-cecd-39c4-fdc6-680b300716ab", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-site-to-site-portal#openvwan", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", + "service": "SAP", "services": [ - "VWAN", - "AVS" + "Storage", + "SAP", + "ASR" ], - "severity": "Medium", - "subcategory": "vWAN hub", - "text": "vWAN name, hub name and address space", - "waf": "Performance" + "severity": "High", + "subcategory": "Storage", + "text": "You should run SAP HANA on Azure only on the types of storage that are certified by SAP. Note that certain volumes must be run on certain disk configurations, where applicable. These configurations include enabling Write Accelerator and using Premium storage. 
You also need to ensure that the file system that runs on storage is compatible with the DBMS that runs on the machine.", + "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", + "waf": "Reliability" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Select either boh or the appropriate connection type.", - "guid": "51d6affd-8e02-6aea-d3d4-0baf618b3076", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-point-to-site-portal", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", + "service": "SAP", "services": [ - "VPN", - "VWAN", - "AVS" + "Storage", + "SAP", + "ASR" ], - "severity": "Medium", - "subcategory": "vWAN hub", - "text": "ExR and/or VPN gateway provisioned", - "waf": "Performance" + "severity": "High", + "subcategory": "Storage", + "text": "Consider configuring high availability depending on the type of storage you use for your SAP workloads. 
Some storage services available in Azure are not supported by Azure Site Recovery, so your high availability configuration may differ.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", + "waf": "Reliability" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Add Azure firewall to vWAN (recommended)", - "guid": "e32a4c67-3dc0-c134-1c12-52d46dcbab5b", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-expressroute-portal", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", + "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", + "service": "SAP", "services": [ - "Firewall", - "VWAN", - "AVS" + "Storage", + "SAP", + "ASR" ], - "severity": "Medium", - "subcategory": "vWAN hub", - "text": "Secure vWAN", - "waf": "Security" + "severity": "High", + "subcategory": "Storage", + "text": "Different native Azure storage services (like Azure Files, Azure NetApp Files, Azure Shared Disk) may not be available in all regions. 
So to have similar SAP setup on the DR region after failover, ensure the respective storage service is offered in DR site.", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Active directory or other identity provider servers", - "guid": "fbc47fbf-bc96-fa93-ed5d-8c9be63cd5c3", - "link": "https://learn.microsoft.com/azure/azure-vmware/configure-identity-source-vcenter", + "category": "Cost Optimization", + "checklist": "SAP Checklist", + "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", + "service": "SAP", "services": [ - "Entra", - "AVS" + "SAP", + "Cost" ], "severity": "Medium", - "subcategory": "Access", - "text": "External Identity (user accounts)", - "waf": "Security" + "subcategory": " ", + "text": "Automate SAP System Start-Stop to manage costs.", + "waf": "Cost" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Not required for LDAPS, required for Kerberos", - "guid": "b5db7975-f6bb-8ba3-ee5f-e3e805887997", - "link": "https://learn.microsoft.com/windows-server/identity/ad-ds/plan/understanding-active-directory-site-topology", + "category": "Cost Optimization", + "checklist": "SAP Checklist", + "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", "services": [ - "Entra", - "AVS" + "Storage", + "SAP", + "VM", + "Cost" ], - "severity": "Medium", - "subcategory": "Access", - "text": "If using AD domain, ensure Sites & Services has been configured", - "waf": "Security" + "severity": "Low", + "subcategory": " ", + "text": "In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD storage can be used to select a cost-conscious storage solution. 
However, please note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA of the individual VMs. Also, for systems with lower I/O throughput and low latency, such as non-production environments, lower series VMs can be used.", + "waf": "Cost" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Authentication for users, must be secure.", - "guid": "c30749c4-e2af-558c-2eb9-0b6ae84881d1", - "link": "https://learn.microsoft.com/azure/azure-vmware/configure-identity-source-vcenter", + "category": "Cost Optimization", + "checklist": "SAP Checklist", + "guid": "9877f353-2591-4e8b-8381-e9043fed1010", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", "services": [ - "Entra", - "AVS" + "Storage", + "SAP", + "VM", + "Cost" ], - "severity": "Medium", - "subcategory": "Access", - "text": "Use LDAPS not ldap ( vCenter)", - "waf": "Security" + "severity": "Low", + "subcategory": " ", + "text": "As a lower-cost alternative configuration (multipurpose), you can choose a low-performance SKU for your non-production HANA database server VMs. 
However, it is important to note that some VM types, such as E-series, are not HANA certified (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.", + "waf": "Cost" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Authentication for users, must be secure.", - "guid": "64cb9b5c-9edd-787e-1dd8-2b2338e51635", - "link": "https://learn.microsoft.com/azure/azure-vmware/configure-external-identity-source-nsx-t", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", + "service": "SAP", "services": [ "Entra", - "AVS" + "RBAC", + "SAP", + "Subscriptions" ], - "severity": "Medium", - "subcategory": "Access", - "text": "Use LDAPS not ldap (NSX-T)", + "severity": "High", + "subcategory": "Identity", + "text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "CN or SAN names, no wildcards, contains private key - CER or PFX", - "guid": "bec285ab-037e-d629-81d1-f61dac23cd4c", - "link": "https://youtu.be/4jvfbsrhnEs", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "45911475-e39e-4530-accc-d979366bcda2", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", "services": [ "Entra", - "AVS" + "SAP" ], "severity": "Medium", - "subcategory": "Security", - "text": "Security certificate installed on LDAPS servers ", + "subcategory": "Identity", + "text": "Enforce Principal propagation for forwarding the identity from SAP cloud application to SAP on-premises 
(Including IaaS) through cloud connector", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Standard Azure Roles Based Access Controls", - "guid": "4ba394a2-3c33-104c-8e34-2dadaba9cc73", - "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-identity", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", "services": [ - "RBAC", "Entra", - "AVS" + "SAP" ], "severity": "Medium", - "subcategory": "Security", - "text": "RBAC applied to Azure roles", + "subcategory": "Identity", + "text": "Implement SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics and SAP C4C with Azure AD using SAML.", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Create roles in vCenter required to meet minimum viable access guidelines", - "guid": "b04ca129-83a9-3494-7512-347dd2d766db", - "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-identity#view-the-vcenter-server-privileges", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", "services": [ - "RBAC", "Entra", - "AVS" + "SAP" ], "severity": "Medium", - "subcategory": "Security", - "text": "RBAC model in vCenter", + "subcategory": "Identity", + "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", + "training": 
"https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)", - "guid": "8e477d2f-8004-3dd0-93d6-0aece9e1b2fb", - "link": "Best practice", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", + "service": "SAP", "services": [ - "RBAC", "Entra", - "AVS" + "SAP" ], "severity": "Medium", - "subcategory": "Security", - "text": "CloudAdmin role usage", + "subcategory": "Identity", + "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "For roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)", - "guid": "00e0b729-f9be-f600-8c32-5ec0e8f2ed63", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", "services": [ "Entra", - "RBAC", - "AVS" + "SAP" ], "severity": "Medium", - "subcategory": "Security ", - "text": "Is Privileged Identity Management implemented", + "subcategory": "Identity", + "text": "You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution.", + "training": 
"https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "For the Azure VMware Solution PIM roles", - "guid": "0842d45f-41a8-8274-1155-2f6ed554d315", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", + "service": "SAP", "services": [ "Entra", - "RBAC", - "AVS" + "SAP", + "AKV" ], "severity": "Medium", - "subcategory": "Security ", - "text": "Is Privileged Identity Management audit reporting implemented", + "subcategory": "Identity", + "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Best practice, also see Monitoring/Alerts", - "guid": "915cbcd7-0640-eb7c-4162-9f33775de559", - "link": "Best practice", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", + "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", + "service": "SAP", "services": [ "Entra", - "Monitor", - "AVS" + "SAP", + "AKV" ], "severity": "Medium", - "subcategory": "Security ", - "text": "Limit use of CloudAdmin account to emergency access only", + "subcategory": "Identity", + "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Operational procedure", - "guid": "7effa0c0-9172-e8e4-726a-67dbea8be40a", - "link": "https://learn.microsoft.com/azure/azure-vmware/rotate-cloudadmin-credentials?tabs=azure-portal", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "16785d6f-a96c-496a-b885-18f482734c88", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", + "service": "SAP", "services": [ "Entra", - "AVS" + "SAP" ], "severity": "Medium", - "subcategory": "Security ", - "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials", + "subcategory": "Identity", + "text": "Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom applications to access SAP NetWeaver OData services.", "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)", - "guid": "8f426fd0-d73b-d398-1f6f-df0cbe262a82", - "link": "https://learn.microsoft.com/azure/azure-arc/vmware-vsphere/overview", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "a747c350-8d4c-449c-93af-393dbca77c48", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", + "service": "SAP", "services": [ - "Arc", - "VM", - "AVS" + "Entra", + "SAP" ], "severity": "Medium", - "subcategory": "Operations", - "text": "AVS VM Management (Azure Arc)", - "waf": "Operations" + "subcategory": "Identity", + "text": "Implement SSO to SAP 
HANA", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions", - "guid": "11dbe773-e380-9191-1418-e886fa7a6fd0", - "link": "https://docs.microsoft.com/azure/governance/policy/overview", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", + "service": "SAP", "services": [ - "AzurePolicy", - "Monitor", - "AVS" + "Entra", + "SAP" ], "severity": "Medium", - "subcategory": "Operations", - "text": "Azure policy", - "waf": "Operations" + "subcategory": "Identity", + "text": "Consider Azure AD an identity provider for SAP systems hosted on RISE. For more information, see Integrating the Service with Azure AD.", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud", - "guid": "1e59c639-9b7e-a60b-5e93-3798c1aff5db", - "link": "https://docs.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json#configure-locks", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", + "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", + "service": "SAP", "services": [ - "AVS" + "Entra", + "SAP" ], "severity": "Medium", - "subcategory": "Operations", - "text": "Resource locks", - "waf": "Operations" + "subcategory": "Identity", + "text": "For applications that access SAP, you might want to use principal propagation to establish SSO.", + "waf": "Security" }, { - "category": "Management", 
- "checklist": "Azure VMware Solution Implementation Checklist", - "description": "For manual deployments, all configuration and deployments must be documented", - "guid": "8f2c46aa-ca1b-cad3-3ac9-213dfc0a265e", - "link": "Make sure to create your own runbook on the deployment of AVS.", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", + "service": "SAP", "services": [ - "AVS" + "Entra", + "SAP" ], "severity": "Medium", - "subcategory": "Operations", - "text": "Run books", - "waf": "Operations" + "subcategory": "Identity", + "text": "If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), consider implementing SSO between SAP Cloud Identity Authentication Services and Azure AD to access those SAP services. This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Azure AD as the central user store and identity provider.", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use", - "guid": "86b314f9-1f1e-317a-4dfb-cf510ad4a030", - "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", + "service": "SAP", "services": [ - "AKV", - "AVS" + "Entra", + "SAP" ], "severity": "Medium", - "subcategory": "Operations", - "text": "Naming conventions for auth keys", - "waf": "Operations" + "subcategory": 
"Identity", + "text": "Implement SSO to SAP BTP", + "waf": "Security" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "For automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", - "guid": "e22a2d99-eb71-7d7c-07af-6d4cdb1d4443", - "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", + "service": "SAP", "services": [ - "Monitor", - "AVS" + "Entra", + "SAP" ], "severity": "Medium", - "subcategory": "Alerts", - "text": "Create warning alerts for critical thresholds ", - "waf": "Operations" + "subcategory": "Identity", + "text": "If you're using SAP SuccessFactors, consider using the Azure AD automated user provisioning. With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Azure AD. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Azure AD. 
Use write-back of the email address to SAP SuccessFactors.", + "waf": "Security" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", - "guid": "6d02f159-627d-79bf-a931-fab6d947eda2", - "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution", + "category": "Management Group and Subscriptions", + "checklist": "SAP Checklist", + "guid": "6ba28021-4591-4147-9e39-e5309cccd979", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", + "service": "SAP", "services": [ - "Monitor", - "AVS" + "Subscriptions", + "SAP", + "AzurePolicy" ], "severity": "Medium", - "subcategory": "Alerts", - "text": "Create critical alert vSAN consumption", + "subcategory": "Subscriptions", + "text": "enforce existing Management Group policies to SAP Subscriptions", + "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", "waf": "Operations" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Provides platform alerts (generated by Microsoft)", - "guid": "1cc97b39-2c7e-246f-6d73-789cfebfe951", - "link": "https://www.virtualworkloads.com/2021/04/azure-vmware-solution-azure-service-health/", + "category": "Management Group and Subscriptions", + "checklist": "SAP Checklist", + "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", "services": [ - "Monitor", - "AVS" + "Subscriptions", + "SAP" ], - "severity": "Medium", - "subcategory": "Alerts", - "text": "Configured for Azure Service Health alerts and notifications", + "severity": "High", + "subcategory": "Subscriptions", + 
"text": "Integrate tightly coupled applications into the same SAP subscription to avoid additional routing and management complexity", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", "waf": "Operations" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads", - "guid": "0962606c-e3b4-62a9-5661-e4ffd62a4509", - "link": "https://docs.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution", + "category": "Management Group and Subscriptions", + "checklist": "SAP Checklist", + "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", "services": [ - "Monitor", - "Backup", - "AzurePolicy", - "AVS", - "VM" + "Subscriptions", + "SAP" ], - "severity": "Medium", - "subcategory": "Backup", - "text": "Backup policy", + "severity": "High", + "subcategory": "Subscriptions", + "text": "Leverage Subscription as scale unit and scaling our resources, consider deploying subscription per environment eg. 
Sandbox, non-prod, prod ", + "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", "waf": "Operations" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Keep in mind the lead time for requesting new nodes", - "guid": "4ec7ccfb-795e-897e-4a84-fd31c04eadc6", - "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution", + "category": "Management Group and Subscriptions", + "checklist": "SAP Checklist", + "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", + "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", + "service": "SAP", "services": [ - "AzurePolicy", - "Monitor", - "AVS" + "Subscriptions", + "SAP", + "VM" ], - "severity": "Medium", - "subcategory": "Capacity", - "text": "Policy around ESXi host density and efficiency", + "severity": "High", + "subcategory": "Subscriptions", + "text": "Ensure quota increase as a part of subscription provisioning (e.g. total available VM cores within a subscription)", + "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", "waf": "Operations" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Azure Cost Management can be used - one option, put AVS in it's own Subscription. 
", - "guid": "7f8f175d-13f4-5298-9e61-0bc7e9fcc279", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/govern", + "category": "Management Group and Subscriptions", + "checklist": "SAP Checklist", + "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", + "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", + "service": "SAP", "services": [ - "Cost", "Subscriptions", - "Monitor", - "AVS" + "SAP" ], - "severity": "Medium", - "subcategory": "Costs", - "text": "Ensure a good cost management process is in place for Azure VMware Solution - ", + "severity": "Low", + "subcategory": "Subscriptions", + "text": "The Quota API is a REST API that you can use to view and manage quotas for Azure services. Consider using it if necessary.", "waf": "Operations" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Create dashboards to enable core Azure VMware Solution monitoring insights", - "guid": "01e689e0-7c6c-b58f-37bd-4d6b9b1b9c74", - "link": "https://docs.microsoft.com/azure/azure-portal/azure-portal-dashboards", + "category": "Management Group and Subscriptions", + "checklist": "SAP Checklist", + "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", + "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", + "service": "SAP", "services": [ - "Monitor", - "NetworkWatcher", - "AVS" + "Subscriptions", + "SAP", + "VM" ], - "severity": "Medium", - "subcategory": "Dashboard", - "text": "Connection monitor dashboard", + "severity": "High", + "subcategory": "Subscriptions", + "text": "If deploying to an availability zone, ensure that the VM's zone deployment is available once the quota has been approved. 
Submit a support request with the subscription, VM series, number of CPUs and availability zone required.", "waf": "Operations" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Send to an Azure Storage account or Azure EventHub for processing (direct to Log Analytics is pending)", - "guid": "f9afdcc9-649d-d840-9fb5-a3c0edcc697d", - "link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs", + "category": "Management Group and Subscriptions", + "checklist": "SAP Checklist", + "guid": "e6e20617-3686-4af4-9791-f8935ada4332", + "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", + "service": "SAP", "services": [ - "Storage", - "Monitor", - "AVS" + "Subscriptions", + "SAP" ], - "severity": "Medium", - "subcategory": "Logs & Metrics", - "text": "Configure Azure VMware Solution logging ", + "severity": "High", + "subcategory": "Subscriptions", + "text": "Ensure required services and features are available within the chosen deployment regions eg. ANF , Zone etc.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", "waf": "Operations" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Must be on-premises, implement if available", - "guid": "7cbac8c3-4eda-d5d9-9bda-c6b5abba9fb6", - "link": "Is vROPS or vRealize Network Insight going to be used? 
", + "category": "Management Group and Subscriptions", + "checklist": "SAP Checklist", + "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", + "service": "SAP", "services": [ - "Monitor", - "AVS" + "TrafficManager", + "Subscriptions", + "SAP", + "Cost" ], "severity": "Medium", - "subcategory": "Logs & Metrics", - "text": "vRealize Operations", + "subcategory": "Subscriptions", + "text": "Leverage Azure resource tag for cost categorization and resource grouping (: BillTo, Department (or Business Unit), Environment (Production, Stage, Development), Tier (Web Tier, Application Tier), Application Owner, ProjectName)", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", "waf": "Operations" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor", - "guid": "b243521a-644d-f865-7fb6-21f9019c0dd2", - "link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", "services": [ - "VM", "Monitor", - "AVS" + "SAP", + "Backup" ], - "severity": "Medium", - "subcategory": "Logs & Metrics", - "text": "AVS VM logging", - "waf": "Operations" + "severity": "High", + "subcategory": "BCDR", + "text": "Help protect your HANA database by using the Azure Backup service.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "Reliability" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - 
"description": "Between on-premises to Azure are monitored using 'connection monitor'", - "guid": "2ca97d91-dd36-7229-b668-01036ccc3cd3", - "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", + "service": "SAP", "services": [ + "Storage", + "Entra", "Monitor", - "ExpressRoute", - "NetworkWatcher", - "VPN", - "AVS" + "VM", + "SAP" ], "severity": "Medium", - "subcategory": "Network", - "text": "Monitor ExpressRoute and/or VPN connections ", - "waf": "Operations" + "subcategory": "BCDR", + "text": "If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use the Azure Application Consistent Snapshot tool (AzAcSnap) to take application-consistent snapshots. AzAcSnap also supports Oracle databases. Consider using AzAcSnap on a central VM rather than on individual VMs.", + "waf": "Reliability" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "To monitor the Azure VMware Solution back-end ExpressRoute connection (Azure native to AVS)", - "guid": "99209143-60fe-19f0-5633-8b5671277ba5", - "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", "services": [ - "ExpressRoute", "Monitor", - "AVS" + "SAP" ], - "severity": "Medium", - "subcategory": "Network", - "text": "Monitor from an Azure native resource to an Azure VMware Solution VM", + "severity": "High", + "subcategory": "Management", + "text": "Ensure time-zone matches between the 
operating system and the SAP system.",
 "waf": "Operations"
 },
 {
- "category": "Monitoring",
- "checklist": "Azure VMware Solution Implementation Checklist",
- "description": "To monitor end-to-end, on-premises to AVS workloads",
- "guid": "b9e5867c-57d3-036f-fb1b-3f0a71664efe",
- "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal",
+ "category": "Management and Monitoring",
+ "checklist": "SAP Checklist",
+ "guid": "c3c7abc0-716c-4486-893c-40e181d65539",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid",
+ "service": "SAP",
 "services": [
+ "Entra",
 "Monitor",
- "AVS"
+ "SAP"
 ],
 "severity": "Medium",
- "subcategory": "Network",
- "text": "Monitor from an on-premises resource to an Azure VMware Solution VM",
- "waf": "Operations"
+ "subcategory": "Management",
+ "text": "Don't group different application services in the same cluster. For example, don't combine DRBD and central services clusters on the same cluster. 
However, you can use the same Pacemaker cluster to manage approximately five different central services (multi-SID cluster).",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "waf": "Reliability"
 },
 {
- "category": "Monitoring",
- "checklist": "Azure VMware Solution Implementation Checklist",
- "description": "Track requests to Azure VMware Solution and Azure VMware Solution based workloads",
- "guid": "4af7c5f7-e5e9-bedf-a8cf-314b81735962",
- "link": "Firewall logging and alerting rules are configured (Azure Firewall or 3rd party)",
+ "category": "Management and Monitoring",
+ "checklist": "SAP Checklist",
+ "guid": "a491dfc4-9353-4213-9217-eef0949f9467",
+ "link": "https://azure.microsoft.com/pricing/offers/dev-test/",
+ "service": "SAP",
 "services": [
 "Monitor",
- "AVS"
+ "SAP",
+ "Cost"
 ],
- "severity": "Medium",
- "subcategory": "Security",
- "text": "Auditing and logging is implemented for inbound internet ",
- "waf": "Operations"
+ "severity": "Low",
+ "subcategory": "Management",
+ "text": "Consider running dev/test systems in a snooze model to save and optimize Azure run costs.",
+ "waf": "Cost"
 },
 {
- "category": "Monitoring",
- "checklist": "Azure VMware Solution Implementation Checklist",
- "description": "Implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity",
- "guid": "74be60a3-cfac-f057-eda6-3ee087e805d5",
- "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity",
+ "category": "Management and Monitoring",
+ "checklist": "SAP Checklist",
+ "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54",
+ "link": "https://learn.microsoft.com/azure/lighthouse/overview",
+ "service": "SAP",
 "services": [
+ "Entra",
 "Monitor",
- "AVS"
+ "SAP"
 ],
 "severity": "Medium",
- "subcategory": "Security",
- "text": "Session monitoring ",
+ "subcategory": "Management",
+ "text": "If you partner with customers by managing their SAP estates, consider Azure Lighthouse. Azure Lighthouse allows managed service providers to use Azure native identity services to authenticate to the customers' environment. It puts the control in the hands of customers, because they can revoke access at any time and audit service providers' actions.",
 "waf": "Operations"
 },
 {
- "category": "Monitoring",
- "checklist": "Azure VMware Solution Implementation Checklist",
- "description": "Enable Diagnostic and metric logging on Azure VMware Solution",
- "guid": "a434b3b5-f258-0845-cd76-d7df6ef5890e",
- "link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs",
+ "category": "Management and Monitoring",
+ "checklist": "SAP Checklist",
+ "guid": "4d116785-d2fa-456c-96ad-48408fe72734",
+ "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview",
+ "service": "SAP",
 "services": [
 "Monitor",
- "AVS"
+ "SAP",
+ "VM"
 ],
 "severity": "Medium",
- "subcategory": "VMWare",
- "text": "Logging and diagnostics",
+ "subcategory": "Management",
+ "text": "Use Azure Update Manager to check the status of available updates for a single VM or multiple VMs and consider scheduling regular patching.",
+ "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations",
 "waf": "Operations"
 },
 {
- "category": "Monitoring",
- "checklist": "Azure VMware Solution Implementation Checklist",
- "description": "Monitor AVS workloads (each VM in AVS)",
- "guid": "fb00b69a-83ec-ce72-446e-6c23a0cab09a",
- "link": "https://docs.microsoft.com/azure/azure-monitor/agents/agent-windows?tabs=setup-wizard",
+ "category": "Management and Monitoring",
+ "checklist": "SAP Checklist",
+ "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", 
+ "service": "SAP", "services": [ - "VM", "Monitor", - "AVS" - ], - "severity": "Medium", - "subcategory": "VMware", - "text": "Log Analytics Agents deployed on Azure VMware Solution guest VM workloads", + "SAP" + ], + "severity": "Low", + "subcategory": "Management", + "text": "Optimize and manage SAP Basis operations by using SAP Landscape Management (LaMa). Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Decision on traffic flow", - "guid": "a1354b87-e18e-bf5c-c50b-8ddf0540e971", - "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-hub-and-spoke", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "14591147-5e39-4e53-89cc-cd979366bcda", + "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", + "service": "SAP", "services": [ - "AVS" + "Monitor", + "SAP", + "SQL" ], "severity": "Medium", - "subcategory": "Hub & Spoke", - "text": "North/South routing through Az Firewall or 3rd party ", - "waf": "Security" + "subcategory": "Monitoring", + "text": "Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA, high-availability SUSE clusters, and SQL systems) on Azure. 
Consider supplementing Azure Monitor for SAP solutions with SAP Solution Manager.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Decision to route Azure to Azure traffic through Firewall, not E/W between AVS workloads (internal to AVS)", - "guid": "29a8a499-ec31-f336-3266-0895f035e379", - "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-hub-and-spoke", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", + "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", + "service": "SAP", "services": [ - "AVS" + "Entra", + "Monitor", + "SAP", + "VM" ], - "severity": "Medium", - "subcategory": "Hub & Spoke", - "text": "East West (Internal to Azure)", - "waf": "Security" + "severity": "High", + "subcategory": "Monitoring", + "text": "Run a VM Extension for SAP check. VM Extension for SAP uses the assigned managed identity of a virtual machine (VM) to access VM monitoring and configuration data. 
The check ensures that all performance metrics in your SAP application come from the underlying Azure Extension for SAP.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", + "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Requires a 3rd party NVA with Azure Route server - Scenario 2 (see link)", - "guid": "ebd3cc3c-ac3d-4293-950d-cecd8445a523", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "SAP", "services": [ - "ARS", - "NVA", - "AVS" + "Monitor", + "SAP", + "AzurePolicy" ], "severity": "Medium", - "subcategory": "Hub & Spoke", - "text": "ExR without Global Reach", + "subcategory": "Monitoring", + "text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. ", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "When route server is used, ensure no more then 200 routes are propagated from route server to ExR gateway to on-premises (ARS limit). 
Important when using MoN", - "guid": "ffb5c5ca-bd89-ff1b-8b73-8a54d503d506", - "link": "https://learn.microsoft.com/azure/route-server/route-server-faq", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", + "service": "SAP", "services": [ - "ARS", - "AVS" + "Monitor", + "SAP", + "NetworkWatcher" ], "severity": "Medium", - "subcategory": "Hub & Spoke", - "text": "Route server ", + "subcategory": "Monitoring", + "text": "Use Connection Monitor in Azure Network Watcher to monitor latency metrics for SAP databases and application servers. Or collect and display network latency measurements by using Azure Monitor.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Via on-premises, Az Firewall, 3rd Party, NSX-T pubic IP", - "guid": "a4070dad-3def-818d-e9f7-be440d10e7de", - "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-design-public-internet-access", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "73686af4-6791-4f89-95ad-a43324e13811", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", + "service": "SAP", "services": [ - "AVS" + "Monitor", + "SAP", + "VM" ], "severity": "Medium", - "subcategory": "Internet", - "text": "Egress point(s)", - "waf": "Security" + "subcategory": "Monitoring", + "text": "Perform a quality check for SAP HANA on the provisioned Azure infrastructure to verify that provisioned VMs comply with SAP HANA on Azure best practices.", + "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation 
Checklist", - "description": "Az Firewall, 3rd party NVA, Application Gateway, Azure Frontdoor ", - "guid": "e942c03d-beaa-3d9f-0526-9b26cd5e9937", - "link": "Research and choose optimal solution for each application", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "616785d6-fa96-4c96-ad88-518f482734c8", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", "services": [ - "FrontDoor", - "NVA", - "AppGW", - "AVS" + "Subscriptions", + "SAP", + "Monitor" ], - "severity": "Medium", - "subcategory": "Internet", - "text": "Internet facing applications", - "waf": "Security" + "severity": "High", + "subcategory": "Monitoring", + "text": "For each Azure subscription, run a latency test on Azure availability zones before zonal deployment to choose low-latency zones for deployment of SAP on Azure.", + "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "waf": "Performance" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Ensure no more then 200 routes are propagated from route server to ExR gateway to on-premises (ARS limit). Important when using MoN", - "guid": "e778a2ec-b4d7-1d27-574c-14476b167d37", - "link": "https://docs.microsoft.com/azure/route-server/route-server-faq#route-server-limits", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", + "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", + "service": "SAP", "services": [ - "ARS", - "AVS" + "Storage", + "Monitor", + "SAP", + "ASR" ], "severity": "Medium", - "subcategory": "Routing", - "text": "When route server Route limit understood? 
", - "waf": "Security" + "subcategory": "Monitoring", + "text": "Run the Resiliency Report to ensure that the configuration of the entire provisioned Azure infrastructure (Compute, Database, Networking, Storage, Site Recovery) complies with the configuration defined by Cloud Adaption Framework for Azure.", + "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "(VPN Gateway, AppGW, FrontDoor, Load balancer, VMs (etc) (Remove: enabled on ExR/VPN Gateway subnet in Azure)", - "guid": "66c97b30-81b9-139a-cc76-dd1d94aef42a", - "link": "https://docs.microsoft.com/azure/ddos-protection/manage-ddos-protection", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", + "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", + "service": "SAP", "services": [ - "VNet", - "ExpressRoute", - "FrontDoor", - "VPN", - "LoadBalancer", - "DDoS", - "AVS", - "VM", - "AppGW" + "Monitor", + "SAP", + "Sentinel" ], "severity": "Medium", - "subcategory": "Security", - "text": "Is DDoS standard protection of public facing IP addresses? ", + "subcategory": "Monitoring", + "text": "Implement threat protection by using the Microsoft Sentinel solution for SAP. 
Use this solution to monitor your SAP systems and detect sophisticated threats throughout the business logic and application layers.", + "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "To manage Azure VMware Solution, vCenter, NSX manager and HCX manager", - "guid": "d43da920-4ecc-a4e9-dd45-a2986ce81d32", - "link": "Best practice: Bastion or 3rd party tool", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", + "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "service": "SAP", "services": [ - "AVS" + "Monitor", + "SAP", + "Cost" ], "severity": "Medium", - "subcategory": "Security", - "text": "Use a dedicated privileged access workstation (PAW)", - "waf": "Security" + "subcategory": "Monitoring", + "text": "Azure tagging can be leveraged to logically group and track resources, automate their deployments, and most importantly, provide visibility on the incurred costs.", + "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", + "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use NSX-T for inter-vmware-traffic inspection", - "guid": "a2dac74f-5380-6e39-25e6-f13b99ece51f", - "link": "https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-F6685367-7AA1-4771-927E-ED77727CFDA3.html", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", + "service": "SAP", "services": [ - "AVS" + 
"Monitor", + "SAP", + "VM" ], - "severity": "Medium", - "subcategory": "Traffic Inspection", - "text": "East West (Internal to AVS)", - "waf": "Security" + "severity": "Low", + "subcategory": "Performance", + "text": "Use inter-VM latency monitoring for latency-sensitive applications.", + "waf": "Performance" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Decision on whether or not to use Secure hub for E/W and Internet traffic - requires Global Reach", - "guid": "3f621543-dfac-c471-54a6-7b2849b6909a", - "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", "services": [ - "Firewall", - "VWAN", - "AVS" + "ASR", + "Monitor", + "SAP" ], "severity": "Medium", - "subcategory": "Virtual WAN", - "text": "Use Secure Hub (Azure Firewall or 3rd party)", - "waf": "Security" + "subcategory": "Performance", + "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Decision to route Azure to Azure traffic through Firewall, not E/W between AVS workloads (internal to AVS)", - "guid": "d7af5670-1b39-d95d-6da2-8d660dfbe16b", - "link": "https://learn.microsoft.com/azure/firewall-manager/secure-cloud-network", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", "services": [ - "VWAN", - "AVS" + "Storage", + "Monitor", + "SAP" ], "severity": "Medium", - "subcategory": "Virtual WAN", - "text": "East West (Internal to Azure)", - "waf": "Security" + "subcategory": "Performance", + "text": "Exclude all the database file systems and executable programs from antivirus scans. Including them could lead to performance problems. Check with the database vendors for prescriptive details on the exclusion list. For example, Oracle recommends excluding /oracle//sapdata from antivirus scans.", + "waf": "Performance" }, { - "category": "Other Services/Operations", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution", - "guid": "7d049005-eb35-4a93-50a5-3b31a9f61161", - "link": "https://docs.microsoft.com/azure/azure-vmware/configure-nsx-network-components-azure-portal", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "c027f893-f404-41a9-b33d-39d625a14964", + "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", + "service": "SAP", "services": [ - "Subscriptions", - "AVS" + "Monitor", + "SAP" ], - "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Scale out operations planning", + "severity": "Low", + "subcategory": "Performance", + "text": "Consider collecting full database statistics for non-HANA databases after migration. 
For example, implement SAP note 1020260 - Delivery of Oracle statistics.", "waf": "Performance" }, { - "category": "Other Services/Operations", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action", - "guid": "7242c1de-da37-27f3-1ddd-565ccccb8ece", - "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-platform-automation-and-devops#automated-scale", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", + "service": "SAP", "services": [ - "AzurePolicy", "Storage", - "AVS" + "Monitor", + "SAP" ], "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Scale in operations planning", + "subcategory": "Performance", + "text": "Consider using Oracle Automatic Storage Management (ASM) for all Oracle deployments that use SAP on Azure.", + "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", "waf": "Performance" }, { - "category": "Other Services/Operations", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)", - "guid": "3233e49e-62ce-97f3-8737-8230e771b694", - "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-platform-automation-and-devops#automated-scale", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", + "link": 
"https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", + "service": "SAP", "services": [ - "AVS" + "Monitor", + "SAP", + "SQL" ], "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Scale serialized operations planning", + "subcategory": "Performance", + "text": "For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose performance problems. Automatic Workload Repository (AWR) reports contain valuable information for diagnosing problems in the Oracle system. We recommend that you run an AWR report during several sessions and choose peak times for it, to ensure broad coverage for the analysis.", + "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", "waf": "Performance" }, { - "category": "Other Services/Operations", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", - "guid": "68161d66-5707-319b-e77d-9217da892593", - "link": "Best practice (testing)", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", "services": [ - "AVS" + "ASR", + "Monitor", + "SAP" ], - "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Scale rd operations planning", - "waf": "Performance" + "severity": "High", + "subcategory": "Reliability", + "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.", + "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "waf": "Operations" }, { - "category": 
"Other Services/Operations", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Define and enforce scale in/out maximum limits for your environment in the automations", - "guid": "c32cb953-e860-f204-957a-c79d61202669", - "link": "Operational planning - understand workload requirements", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "SAP", "services": [ - "AVS" + "SAP", + "AzurePolicy", + "WAF", + "AppGW" ], "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Scale maximum operations planning", - "waf": "Performance" + "subcategory": "App delivery", + "text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", + "waf": "Security" }, { - "category": "Other Services/Operations", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses", - "guid": "7bd65a5e-7b5d-652d-dbea-fc6f73a42857", - "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-management-and-monitoring", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", "services": [ - "Monitor", - "AVS" + "DNS", + "SAP", + "VM" ], "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Monitor scaling operations ", - "waf": "Performance" + "subcategory": "DNS", + "text": 
"If the virtual machine's DNS or virtual name is not changed during migration to Azure, Background DNS and virtual names connect many system interfaces in the SAP landscape, and customers are only sometimes aware of the interfaces that developers define over time. Connection challenges arise between various systems when virtual or DNS names change after migrations, and it's recommended to retain DNS aliases to prevent these types of difficulties.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "Operations" }, { - "category": "Other Services/Operations", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Consider the use of Azure Private-Link when using other Azure Native Services", - "guid": "95e374af-8a2a-2672-7ab7-b4a1be43ada7", - "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", "services": [ - "PrivateLink", - "AVS" + "VNet", + "DNS", + "SAP" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Private link", - "waf": "Performance" + "subcategory": "DNS", + "text": "Use different DNS zones to distinguish each environment (sandbox, development, preproduction, and production) from each other. 
The exception is for SAP deployments with their own VNet; here, private DNS zones might not be necessary.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "Operations" }, { - "category": "Other Services/Operations", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs", - "guid": "71eff90d-5ad7-ac60-6244-2a6f7d3c51f2", - "link": "Best practice", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "a3592829-e6e2-4061-9368-6af46791f893", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", + "service": "SAP", "services": [ - "AVS" + "VNet", + "ACR", + "SAP" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Provisioning Vmware VLANs", - "waf": "Performance" + "subcategory": "Hybrid", + "text": "Local and global VNet peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions", + "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", + "waf": "Reliability" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "In which region will AVS be deployed", - "guid": "04e3a2f9-83b7-968a-1044-2811811a924b", - "link": "https://learn.microsoft.com/windows-server/identity/ad-ds/plan/understanding-active-directory-site-topology", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", + "service": "SAP", "services": [ - "AVS" + "SAP", + "NVA" ], - "severity": "Medium", - "subcategory": 
"Pre-deployment", - "text": "Region selected", - "waf": "Reliability" + "severity": "High", + "subcategory": "Hybrid", + "text": "It is not supported to deploy any NVA between SAP application and SAP Database server", + "training": "https://me.sap.com/notes/2731110", + "waf": "Performance" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Are there regulatory or compliance policies in play", - "guid": "e52d1615-9cc6-565c-deb6-743ed7e90f4b", - "link": "Internal policy or regulatory compliance", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", + "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", + "service": "SAP", "services": [ - "AzurePolicy", - "AVS" + "ACR", + "SAP", + "VWAN" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Data residency compliant with selected regions", - "waf": "Reliability" + "subcategory": "Hybrid", + "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", + "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "waf": "Operations" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Request through the support blade", - "guid": "92bd5ad6-441f-a983-7aa9-05dd669d760b", - "link": "https://learn.microsoft.com/azure/migrate/concepts-azure-vmware-solution-assessment-calculation", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", + "service": "SAP", "services": [ - "AVS" + "VNet", + "SAP", + "NVA" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Request for number of AVS hosts submitted ", - "waf": "Reliability" - }, - { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "PG approval for deployment", - "guid": "28370f63-1cb8-2e35-907f-c5516b6954fa", - "link": "Support request through portal or get help from Account Team", + "subcategory": "Hybrid", + "text": "Consider deploying network virtual appliances (NVAs) between regions only if partner NVAs are used. NVAs between regions or VNets aren't required if native NVAs are present. 
When you're deploying partner networking technologies and NVAs, follow the vendor's guidance to verify conflicting configurations with Azure networking.", + "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", + "waf": "Operations" + }, + { + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", + "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", + "service": "SAP", "services": [ - "AVS" + "VNet", + "SAP", + "VWAN", + "NVA" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Region and number of AVS nodes approved", - "waf": "Reliability" + "subcategory": "Hybrid", + "text": "Virtual WAN manages connectivity between spoke VNets for virtual-WAN-based topologies (no need to set up user-defined routing [UDR] or NVAs), and maximum network throughput for VNet-to-VNet traffic in the same virtual hub is 50 gigabits per second. 
If necessary, SAP landing zones can use VNet peering to connect to other landing zones and overcome this bandwidth limitation.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", + "waf": "Operations" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Portal/subscription/resource providers/ Microsoft.AVS", - "guid": "96c76997-30a6-bb92-024d-f4f93f5f57fa", - "link": "Done through the subscription/resource providers/ AVS register in the portal", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "82734c88-6ba2-4802-8459-11475e39e530", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", "services": [ - "Subscriptions", - "AVS" + "VNet", + "SAP", + "VM" ], - "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Resource provider for AVS registered", - "waf": "Reliability" + "severity": "High", + "subcategory": "IP plan", + "text": "Public IP assignment to VM running SAP Workload is not recommended.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Connectivity, subscription & governanace model", - "guid": "5898e3ff-5e6b-bee1-6f85-22fee261ce63", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/enterprise-scale-landing-zone", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", + "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "service": "SAP", "services": [ - "Subscriptions", - 
"AVS" + "ASR", + "VNet", + "SAP" ], - "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Landing zone architecture", - "waf": "Reliability" + "severity": "High", + "subcategory": "IP plan", + "text": "Consider reserving IP address on DR side when configuring ASR", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Operations" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "The name of the RG where AVS will exist", - "guid": "d0181fb8-9cb8-bf4b-f5e5-b5f9bf7ae4ea", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/manage-resource-groups-portal", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", "services": [ - "AVS" + "VNet", + "SAP" ], - "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Resource group name selected", - "waf": "Reliability" + "severity": "High", + "subcategory": "IP plan", + "text": "Avoid using overlapping IP address ranges for production and DR sites.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "waf": "Operations" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Each resource created as part of the deployment will also utilize this prefix in the name", - "guid": "0f0d20c2-5a19-726c-de20-0984e070d9d6", - "link": "Best practice - naming standards", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "6e154e3a-a359-4282-ae6e-206173686af4", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", + "service": "SAP", "services": [ - 
"AVS" + "Storage", + "VNet", + "SAP" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Deployment prefix selected", - "waf": "Reliability" + "subcategory": "IP plan", + "text": "While Azure does help you to create multiple delegated subnets in a VNet, only one delegated subnet can exist in a VNet for Azure NetApp Files. Attempts to create a new volume will fail if you use more than one delegated subnet for Azure NetApp Files.", + "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", + "waf": "Operations" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "/22 unique non-overlapping IPv4 address space", - "guid": "7fbf2ab7-a36c-5957-c27a-67038557af2a", - "link": "https://learn.microsoft.com/azure/azure-vmware/tutorial-network-checklist#routing-and-subnet-considerations", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", + "service": "SAP", "services": [ - "AVS" + "SAP", + "Firewall" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Network space for AVS management layer", - "waf": "Reliability" + "subcategory": "Internet", + "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)", + "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "vNets used by workloads running in AVS (non-stretched)", - "guid": "0c87f999-e517-21ef-f355-f210ad4134d2", - 
"link": "https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/installation/GUID-4B3860B8-1883-48CA-B2F3-7C2205D91D6D.html", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", + "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", + "service": "SAP", "services": [ - "VNet", - "AVS" + "SAP", + "WAF", + "AppGW" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Network space for AVS NSX-T segments", - "waf": "Reliability" + "subcategory": "Internet", + "text": "Application Gateway and Web Application Firewall have limitations when Application Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between Application Gateway, SAP Web Dispatcher, and other third-party services.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Choose AV36, AV36P, AV52, AV36T (AV36T = Trial)", - "guid": "946c8966-f902-6f53-4f37-00847e8895c2", - "link": "https://azure.microsoft.com/pricing/details/azure-vmware/", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", "services": [ - "AVS" + "WAF", + "ACR", + "AzurePolicy", + "SAP", + "FrontDoor" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "AVS SKU (region dependent)", - "waf": "Performance" + "subcategory": "Internet", + "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", + "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", + "waf": "Security" }, { - "category": 
"Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use the Azure migration assessment tool to determine the minimum number of nodes required (consider BCDR as well)", - "guid": "31833808-26ba-9c31-416f-d54a89a17f5d", - "link": "https://learn.microsoft.com/azure/migrate/how-to-assess", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "SAP", "services": [ - "AVS" + "WAF", + "AzurePolicy", + "SAP", + "FrontDoor", + "AppGW" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Number of hosts to be deployed", - "waf": "Performance" + "subcategory": "Internet", + "text": "Take advantage of Web Application Firewall policies in Azure Front Door when you're using Azure Front Door and Application Gateway to protect HTTP/S applications. Lock down Application Gateway to receive traffic only from Azure Front Door.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Understand how and if you should be using reserved instances (cost control)", - "guid": "f2b73c4f-3d46-32c9-5df1-5b8dfcd3947f", - "link": "https://azure.microsoft.com/en-ca/pricing/details/azure-vmware/#:~:text=Azure%20VMware%20Solution%20%20%20%20Instance%20size,TB%20%28all%20NVMe%29%20%20%20N%2FA%20%2Fhour%20", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "5ada4332-4e13-4811-9231-81aa41742694", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", "services": [ - "Cost", - "AVS" + "LoadBalancer", + "SAP", + "WAF", + "AppGW" ], "severity": "Medium", - 
"subcategory": "Pre-deployment", - "text": "Reserverd Instances", - "waf": "Cost" + "subcategory": "Internet", + "text": "Use a web application firewall to scan your traffic when it's exposed to the internet. Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement", - "guid": "94ac48ab-ade5-3fa7-f800-263feeb97070", - "link": "https://docs.microsoft.com/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "SAP", "services": [ - "ASR", - "AVS" + "ACR", + "SAP", + "VWAN" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Capacity ", + "subcategory": "Internet", + "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", "waf": "Performance" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Identify which of the networking scenarios make ", - "guid": "1f9d4bd5-14b8-928c-b4cb-eb211f9b8de5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "SAP", "services": [ - "AVS" + "Storage", + "VNet", + "Backup", + "ACR", + "SAP", + "PrivateLink" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Networking & Connectivity See docs describing scenrario 1 through 5", - "waf": "Reliability" + "subcategory": "Internet", + "text": "To prevent data leakage, use Azure Private Link to securely access platform as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, and more. Azure Private Endpoint can also help to secure traffic between VNets and services like Azure Storage, Azure Backup, and more. 
Traffic between your VNet and the Private Endpoint enabled service travels across the Microsoft global network, which prevents its exposure to the public internet.", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.", - "guid": "070db19b-8a2a-fd6a-c39b-4488d8780da9", - "link": "Please Check Partner Ecosystem", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", + "service": "SAP", "services": [ - "AVS" + "SAP", + "VM" ], - "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "3rd party application compatibility ", - "waf": "Reliability" + "severity": "High", + "subcategory": "Segmentation", + "text": "Make sure that Azure accelerated networking is enabled on the VMs used in the SAP application and DBMS layers.", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible", - "guid": "70cfbddc-d3d4-9188-77c8-1cabaefef646", - "link": "General recommendation for storing encryption keys.", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", + "service": "SAP", 
"services": [ - "AKV", - "AVS" + "SAP", + "LoadBalancer" ], "severity": "Medium", - "subcategory": "Encryption", - "text": "Use Azure Key Vault with in-guest encryption ", + "subcategory": "Segmentation", + "text": "Make sure that internal deployments for Azure Load Balancer are set up to use Direct Server Return (DSR). This setting (Enabling Floating IP) will reduce latency when internal load balancer configurations are used for high-availability configurations on the DBMS layer.", + "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). (vSAN encryption at rest is default)", - "guid": "c1a81638-18df-0ce9-a73a-4b9a8a8dd392", - "link": "https://docs.microsoft.com/azure/azure-vmware/concepts-storage#data-at-rest-encryption", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "6791f893-5ada-4433-84e1-3811523181aa", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "SAP", "services": [ - "SQL", - "AVS" + "VNet", + "SAP", + "VM" ], "severity": "Medium", - "subcategory": "Encryption", - "text": "Use in-guest encryption", + "subcategory": "Segmentation", + "text": "You can use application security group (ASG) and NSG rules to define network security access-control lists between the SAP application and DBMS layers. 
ASGs group virtual machines to help manage their security.", + "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute", - "guid": "8d0a8f51-8d35-19cd-c2fe-4e3512fb467e", - "link": "https://docs.microsoft.com/azure/key-vault/general/authentication", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "services": [ - "ExpressRoute", - "AKV", - "AVS" + "VNet", + "SAP" ], - "severity": "Medium", - "subcategory": "Encryption", - "text": "Keyvault use for secrets", - "waf": "Security" + "severity": "High", + "subcategory": "Segmentation", + "text": "Placing of the SAP application layer and SAP DBMS in different Azure VNets that aren't peered isn't supported.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Older OS security patching configured for workloads running on Azure VMware Solution are eligible for ESU", - "guid": "4f8b20e9-a2a1-f80f-af9b-8aa3b26dca08", - "link": "https://docs.microsoft.com/windows-server/get-started/extended-security-updates-deploy", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "fa96c96a-d885-418f-9827-34c886ba2802", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "services": [ - "AVS" + "SAP" ], "severity": "Medium", - "subcategory": 
"Extended support", - "text": "Ensure extended security update support ", - "waf": "Security" + "subcategory": "Segmentation", + "text": "For optimal network latency with SAP applications, consider using Azure proximity placement groups.", + "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use a SIEM/SOAR", - "guid": "9bb22fec-4d00-3b95-7136-e225d0f5c63a", - "link": "https://learn.microsoft.com/azure/sentinel/overview", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "services": [ - "Sentinel", - "AVS" + "SAP" ], - "severity": "Medium", - "subcategory": "Investigation", - "text": "Enable Azure Sentinel or 3rd party SIEM ", - "waf": "Security" + "severity": "High", + "subcategory": "Segmentation", + "text": "It is NOT supported at all to run an SAP Application Server layer and DBMS layer split between on-premise and Azure. 
Both layers need to completely reside either on-premise or in Azure.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "MS Defender For Cloud, for workloads running on Azure VMware Solution", - "guid": "f42b0b09-c591-238a-1580-2de3c485ebd2", - "link": "https://learn.microsoft.com/azure/azure-vmware/azure-security-integration#prerequisites", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "services": [ - "Defender", - "AVS" + "VNet", + "SAP", + "Cost" ], - "severity": "Medium", - "subcategory": "Security", - "text": "Enable Advanced Threat Detection ", - "waf": "Security" + "severity": "High", + "subcategory": "Segmentation", + "text": "It isn't recommended to host the database management system (DBMS) and application layers of SAP systems in different VNets and connect them with VNet peering because of the substantial costs that excessive network traffic between the layers can produce. 
Recommend using subnets within the Azure virtual network to separate the SAP application layer and DBMS layer.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Are the applicable policies enabled (compliance baselines added to MDfC)", - "guid": "bcdd2348-3d0e-c6bb-1092-aa4cd1a66d6b", - "link": "https://docs.microsoft.com/azure/azure-vmware/azure-security-integration", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "402a9846-d515-4061-aff8-cd30088693fa", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", + "service": "SAP", "services": [ - "AzurePolicy", - "AVS" + "SAP", + "LoadBalancer" ], - "severity": "Medium", - "subcategory": "Security", - "text": "Policy & Regulatory Compliance", - "waf": "Security" + "severity": "High", + "subcategory": "Segmentation", + "text": "If using Load Balancer with Linux guest operating systems, check that the Linux network parameter net.ipv4.tcp_timestamps is set to 0.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Performance" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Azure to Azure (E/W), Azure to On-premises), AVS to Internet, AVS to Azure", - "guid": "607c1ca9-da92-ae19-5a4c-eb1e876acbe7", - "link": "https://techcommunity.microsoft.com/t5/azure-migration-and/firewall-integration-in-azure-vmware-solution/ba-p/2254961#:~:text=Azure%20VMware%20Solution%20customers%20have%20multiple%20security%20options,the%20box%20to%20provide%20East-West%20and%20North-South%20firewalling.", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": 
"87585797-5551-4d53-bb7d-a94ee415734d", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", + "service": "SAP", "services": [ - "AVS" + "VNet", + "SAP" ], "severity": "Medium", - "subcategory": "Firewalls", - "text": "Azure / 3rd party firewall", + "subcategory": "Segmentation", + "text": "For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with customer's existing Azure environment. Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering", "waf": "Security" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "To allow HCX appliance to connect/sync", - "guid": "1d87925c-c02b-7fde-a425-7e95ad846a27", - "link": "https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/com.vmware.vmc-aws-networking-security/GUID-2CFE1654-9CC9-4EDB-A625-21317299E559.html", + "category": "Operational Excellence", + "checklist": "SAP Checklist", + "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", "services": [ - "AVS" + "SAP", + "VM", + "Backup" ], - "severity": "Medium", - "subcategory": "Firewalls", - "text": "Firewalls allow for East/West traffic inside AVS", - "waf": "Security" + "severity": "High", + "subcategory": " ", + "text": "Review SAP HANA database backups for Azure VMs.", + "waf": "Cost" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Decision on which tool to use (SRM requires additional license - enables automation & other features)", - "guid": "468b3495-2f6e-b65a-38ef-3ba631bcaa46", - "link": "https://docs.vmware.com/en/VMware-HCX/4.2/hcx-user-guide/GUID-B842696B-89EF-4183-9C73-B77157F56055.html", + "category": "Operational Excellence", + "checklist": "SAP Checklist", + "guid": 
"cafde29d-a0af-4bcd-87c0-0f299d63f0e8", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", "services": [ - "AVS" + "ASR", + "Monitor", + "SAP" ], "severity": "Medium", - "subcategory": "Networking", - "text": "HCX and/or SRM", - "waf": "Reliability" + "subcategory": " ", + "text": "Review Site Recovery built-in monitoring, where used for SAP.", + "waf": "Cost" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Read up on requirements for Service Mesh requirements and how HCX ", - "guid": "be2ced52-da08-d366-cf7c-044c19e29509", - "link": "https://docs.vmware.com/en/VMware-HCX/4.6/hcx-user-guide/GUID-76BCD059-A31A-4041-9105-ACFB56213E7C.html", + "category": "Operational Excellence", + "checklist": "SAP Checklist", + "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", + "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", + "service": "SAP", "services": [ - "AVS" + "Monitor", + "SAP" ], - "severity": "Medium", - "subcategory": "Networking", - "text": "Configuring and Managing the HCX Interconnect", - "waf": "Reliability" + "severity": "High", + "subcategory": " ", + "text": "Review the Monitoring the SAP HANA System Landscape guidance.", + "waf": "Operations" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "If you are planning on using stretch networks ensure that your on-premises environment requirements", - "guid": "7dcac579-fc5c-5c9c-f1f7-9b1149ff2c37", - "link": "https://docs.vmware.com/en/VMware-HCX/4.2/hcx-user-guide/GUID-DBDB4D1B-60B6-4D16-936B-4AC632606909.html", + "category": "Operational Excellence", + "checklist": "SAP Checklist", + "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", + "link": 
"https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", + "service": "SAP", "services": [ - "AVS" + "SAP", + "VM", + "Backup" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Restrictions and limitations for network extensions", - "waf": "Performance" + "subcategory": " ", + "text": "Review Oracle Database in Azure Linux VM backup strategies.", + "waf": "Operations" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Do workloads require MoN?", - "guid": "cf45c0b9-6c4b-3bfb-86c5-62fe54061c73", - "link": "https://learn.microsoft.com/azure/azure-vmware/vmware-hcx-mon-guidance", + "category": "Operational Excellence", + "checklist": "SAP Checklist", + "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", + "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", + "service": "SAP", "services": [ - "AVS" + "Storage", + "SAP", + "SQL" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Mobility optimized networking", - "waf": "Performance" + "subcategory": " ", + "text": "Review the use of Azure Blob Storage with SQL Server 2016.", + "waf": "Operations" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Operating system level of Vmware environment", - "guid": "b7cf11f3-b12e-5189-991a-06df5250d2ca", - "link": "https://learn.microsoft.com/azure/site-recovery/vmware-physical-azure-support-matrix", + "category": "Operational Excellence", + "checklist": "SAP Checklist", + "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", + "service": "SAP", "services": [ - "AVS" + "SAP", + "VM", + "Backup" ], "severity": "Medium", - "subcategory": "On-premises pre-requisites", - "text": "Support 
matrix (OS versions etc).", + "subcategory": " ", + "text": "Review the use of Automated Backup v2 for Azure VMs.", "waf": "Operations" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Required that all switches are dynamic", - "guid": "45fe9252-aa1b-4e30-45c6-bc02f3b76acf", - "link": "https://docs.vmware.com/en/VMware-vSphere/7.0/vsan-network-design-guide/GUID-91E1CD6F-33A6-4AC6-BC22-3E4807296F86.html#:~:text=Migrate%20Management%20Network%201%20Add%20hosts%20to%20the,each%20host.%20...%204%20Finish%20the%20configuration.%20", + "category": "Operational Excellence", + "checklist": "SAP Checklist", + "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", + "service": "SAP", "services": [ - "AVS" + "SAP" ], - "severity": "Medium", - "subcategory": "On-premises pre-requisites", - "text": "Standard switches converted to dynamic switches", + "severity": "High", + "subcategory": " ", + "text": "Enabling Write accelerator for M series when using premium disks(V1)", "waf": "Operations" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "See sections on sizing and capacity in the link.", - "guid": "e9f6d736-ee44-e2ac-e7f9-e361f8c857f3", - "link": "https://learn.microsoft.com/azure/azure-vmware/plan-private-cloud-deployment", + "category": "Performant", + "checklist": "SAP Checklist", + "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "service": "SAP", "services": [ - "AVS" + "SAP" ], "severity": "Medium", - "subcategory": "On-premises pre-requisites", - "text": "Capacity for HCX appliance", + "subcategory": " ", + "text": "Test availability zone latency.", "waf": "Performance" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Check hardware restrictions to ensure compatibility with AVS/OS ", - 
"guid": "1be2cdd6-15a7-9a33-aea7-113859035ce9", - "link": "https://kb.vmware.com/s/article/2007240#:~:text=ESXi%2FESX%20hosts%20and%20compatible%20virtual%20machine%20hardware%20versions,%20Not%20Supported%20%204%20more%20rows", + "category": "Performant", + "checklist": "SAP Checklist", + "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", + "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", + "service": "SAP", "services": [ - "AVS" + "SAP" ], "severity": "Medium", - "subcategory": "On-premises pre-requisites", - "text": "Hardware compatibility", - "waf": "Operations" + "subcategory": " ", + "text": "Activate SAP EarlyWatch Alert for all SAP components.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", + "waf": "Performance" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Need to be converted", - "guid": "16ab821a-27c6-b6d3-6042-10dc4d6dfcb7", - "link": "https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.storage.doc/GUID-01D3CF47-A84A-4988-8103-A0487D6441AA.html", + "category": "Performant", + "checklist": "SAP Checklist", + "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", + "service": "SAP", "services": [ - "Storage", - "AVS" + "SAP" ], "severity": "Medium", - "subcategory": "Storage", - "text": "VSAN RDM disks are converted - not supported.", - "waf": "Operations" + "subcategory": " ", + "text": "Review SAP application server to database server latency using SAP ABAPMeter report /SSA/CAT.", + "training": "https://me.sap.com/notes/0002879613", + "waf": "Performance" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Need to be converted", - "guid": "eb2f9313-afb2-ab35-aa24-6d97a3cb0611", - "link": "3rd-Party tools", + 
"category": "Performant", + "checklist": "SAP Checklist", + "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", + "service": "SAP", "services": [ - "VM", - "Storage", - "AVS" + "Monitor", + "SAP", + "SQL" ], "severity": "Medium", - "subcategory": "Storage", - "text": "VM with SCSI shared bus are not supported", - "waf": "Operations" + "subcategory": " ", + "text": "Review SQL Server performance monitoring using CCMS.", + "waf": "Performance" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Remove Direct IO before migration", - "guid": "3f2a5cff-c8a6-634a-1f1b-53ef9d321381", - "link": "Contact VMware", + "category": "Performant", + "checklist": "SAP Checklist", + "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", + "link": "https://me.sap.com/notes/500235", + "service": "SAP", "services": [ - "VM", - "Storage", - "AVS" + "SAP", + "VM" ], "severity": "Medium", - "subcategory": "Storage", - "text": "VM with Direct IO require removing DirectPath device", - "waf": "Operations" + "subcategory": " ", + "text": "Test network latency between SAP application layer VMs and DBMS VMs (NIPING).", + "training": "https://me.sap.com/notes/1100926/E", + "waf": "Performance" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Cannot migrate clusters ", - "guid": "efc8a311-74f8-0252-c6a0-4bac7610e266", - "link": "Contact VMware", + "category": "Performant", + "checklist": "SAP Checklist", + "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", + "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", + "service": "SAP", "services": [ - "Storage", - "AVS" + "Monitor", + "SAP" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Shared VMDK files are not supported", - "waf": "Operations" + "subcategory": " ", + "text": "Review SAP HANA studio alerts.", + "waf": "Performance" }, { - "category": "VMware", - "checklist": "Azure 
VMware Solution Implementation Checklist", - "description": "Convert to a different format", - "guid": "ab6c89cd-a26f-b894-fe59-61863975458e", - "link": "Contact VMware", + "category": "Performant", + "checklist": "SAP Checklist", + "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", + "link": "https://me.sap.com/notes/1969700", + "service": "SAP", "services": [ - "Storage", - "AVS" + "SAP" ], "severity": "Medium", - "subcategory": "Storage", - "text": "RDM with 'physical compatibility mode' are not supported.", - "waf": "Operations" + "subcategory": " ", + "text": "Perform SAP HANA health checks using HANA_Configuration_Minichecks.", + "waf": "Performance" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning 'RAID-1 FTT-1' is default with Thin Provisioning", - "guid": "7628d446-6b10-9678-9cec-f407d990de43", - "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", "services": [ - "AzurePolicy", - "VM", - "Storage", - "AVS" + "SAP", + "VM" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Default storage policy", - "waf": "Operations" + "subcategory": "Governance", + "text": "If you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments, you can use the Update management center in Azure Automation to manage operating system updates, including security patches.", + "training": "https://learn.microsoft.com/azure/automation/update-management/overview", + "waf": "Security" }, { - "category": "VMware", - "checklist": "Azure VMware Solution 
Implementation Checklist", - "description": "The default storage policy is set to RAID-1 (Mirroring) FTT-1, with Object Space Reservation set to Thin provisioning.", - "guid": "37fef358-7ab9-43a9-542c-22673955200e", - "link": "https://learn.microsoft.com/azure/azure-vmware/configure-storage-policy", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "08951710-79a2-492a-adbc-06d7a401545b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", "services": [ - "AzurePolicy", - "VM", - "Storage", - "AVS" + "SAP" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Ensure that the appropriate VM template storage policy is used", - "waf": "Operations" + "subcategory": "Governance", + "text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.", + "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", + "waf": "Security" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs", - "guid": "ebebd109-9f9d-d85e-1b2f-d302012843b7", - "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", "services": [ - "AzurePolicy", - "Storage", - "AVS" + "SAP", + "SQL" ], - "severity": "Medium", - "subcategory": "Storage", - "text": "Failure to tolerate policy", - "waf": "Operations" + "severity": "Low", + "subcategory": "Governance", + "text": 
"For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the account. Ensure that another user with system administrator rights can access the server before disabling the original system administrator account.", + "waf": "Security" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "ANF can be used to extend storage for Azure VMware Solution,", - "guid": "1be821bd-4f37-216a-3e3d-2a5ac6996863", - "link": "https://learn.microsoft.com/azure/azure-vmware/netapp-files-with-azure-vmware-solution", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", "services": [ - "Storage", - "AVS" + "SAP", + "SQL" ], - "severity": "Medium", - "subcategory": "Storage", - "text": "Use ANF for external storage", - "waf": "Operations" - }, - { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "guid": "65285269-440c-44be-9d3e-0844276d4bdc", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foudations-playbooks-ADB_v1.docx", - "services": [], "severity": "High", - "subcategory": "Best Practices", - "text": "Reference Databricks HA/DR playbook", - "waf": "Reliability" + "subcategory": "Governance", + "text": "Disable xp_cmdshell. The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. 
It's a potential risk in security audits.", + "training": "https://me.sap.com/notes/3019299/E", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "guid": "89d558b9-37d3-4974-b111-2dbd7aaf12e6", - "link": "https://learn.microsoft.com/azure/databricks/security/secrets/secret-scopes", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "services": [ - "Backup" + "Storage", + "Backup", + "AKV", + "SQL", + "SAP" ], - "severity": "Medium", - "subcategory": "Backup", - "text": "Backup Your Workspace Configuration including ARM templates and Secret Scopes", - "waf": "Reliability" + "severity": "High", + "subcategory": "Secrets", + "text": "Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption technology. 
Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "guid": "b94ee5ef-47d2-4d92-a81b-1cd6d1f54b29", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/sharing-metadata-across-different-databricks-workspaces-using/ba-p/3679757", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "SAP", "services": [ - "Backup", - "ACR" + "Storage", + "SAP", + "AKV" ], "severity": "Medium", - "subcategory": "Backup", - "text": "Share MetaData Across different Databricks Workspaces using Hive External Metastore", - "waf": "Reliability" + "subcategory": "Secrets", + "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. 
Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.", + "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "guid": "769e3969-0e78-428a-a936-657d03b0f466", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/disaster-recovery-strategy-in-azure-databricks-using-the-hive/ba-p/3684581", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "SAP", "services": [ - "ASR", - "Backup" + "SAP", + "AKV" ], - "severity": "Medium", - "subcategory": "Backup", - "text": "Plan Disaster Recovery Strategy in Databricks using the Hive External Metastore", - "waf": "Reliability" + "severity": "High", + "subcategory": "Secrets", + "text": "Use Azure Key Vault to store your secrets and credentials", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "guid": "4b1d944a-3598-437e-b79d-6c6d3a364a5b", - "link": "https://www.databricks.com/blog/2021/04/20/attack-of-the-delta-clones-against-disaster-recovery-availability-complexity.html", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "829e2edb-2173-4676-aff6-691b4935ada4", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "SAP", "services": [ - "Backup" + "RBAC", + "Subscriptions", + "AKV", + "AzurePolicy", + "SAP" ], "severity": "Medium", - "subcategory": "Backup", - "text": "Backup your data with deep and shallow clones", - 
"waf": "Reliability" + "subcategory": "Secrets", + "text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes. You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).", + "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "description": "Download the blob using Secondary Endpoint in RAGRS Storage Account", - "guid": "7abae48a-bd54-4cd7-ae2e-86768357c559", - "link": "https://techcommunity.microsoft.com/t5/azure-paas-blog/download-the-blob-using-secondary-endpoint-in-ragrs-storage/ba-p/2403750", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "SAP", "services": [ - "Backup", - "Storage" + "AKV", + "SAP", + "AzurePolicy" ], "severity": "Medium", - "subcategory": "Backup", - "text": "Backup your data to Azure Storage RA-GRS", - "waf": "Reliability" + "subcategory": "Secrets", + "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "guid": "675c5ee8-5b85-49c7-944c-e3b1a28b875a", - "link": "https://learn.microsoft.com/azure/databricks/dev-tools/index-ci-cd", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", + "link": 
"https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", + "service": "SAP", "services": [ - "Backup" + "AKV", + "RBAC", + "SAP", + "AzurePolicy" ], "severity": "High", - "subcategory": "Backup", - "text": "Backup your code with DevOps", - "waf": "Reliability" + "subcategory": "Secrets", + "text": "Based on existing requirements, regulatory and compliance controls (internal/external) - Determine what Azure Policies and Azure RBAC role are needed", + "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "guid": "a1bf1038-9f03-4a4d-8ce4-63dbbbc8682a", - "link": "https://learn.microsoft.com/azure/databricks/administration-guide/disaster-recovery", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "services": [ - "ASR" + "Storage", + "SAP", + "AKV", + "Defender" ], "severity": "High", - "subcategory": "Disaster Recovery", - "text": "Plan for Disaster recovery using Active/Active or Active/Passive Configuration", - "waf": "Reliability" + "subcategory": "Secrets", + "text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. 
Follow your DBMS vendor's recommendations when excluding target files.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "description": "Migration package to log all Databricks resources for backup and/or migrating to another Databricks workspace", - "guid": "5abc92a4-eda1-4dae-8cc8-5c47c6b781cc", - "link": "https://github.com/databrickslabs/migrate", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", + "service": "SAP", "services": [ - "Backup" + "RBAC", + "SAP", + "AKV", + "Defender" ], - "severity": "Medium", - "subcategory": "Migration", - "text": "Use Databricks Migration tools", - "waf": "Reliability" + "severity": "High", + "subcategory": "Secrets", + "text": "Delegate an SAP admin custom role with just-in-time access of Microsoft Defender for Cloud.", + "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "guid": "a0e6c465-89d5-458b-a37d-3974d1112dbd", - "link": "https://github.com/databrickslabs/databricks-sync", - "services": [], + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "services": [ + "SAP", + "AKV" + ], "severity": "Low", - "subcategory": "Migration", - "text": "Use Databricks Sync", - "waf": 
"Reliability"
+ "subcategory": "Secrets",
+ "text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS",
+ "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit",
+ "waf": "Security"
 },
 {
- "category": "BC and DR",
- "checklist": "Redis Resiliency checklist",
- "guid": "65285269-440b-44be-9d3e-0844276d4bdc",
- "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy",
- "service": "Redis",
+ "category": "Security, Governance and Compliance",
+ "checklist": "SAP Checklist",
+ "guid": "eeaa3592-829e-42ed-a217-3676aff6691b",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal",
+ "service": "SAP",
 "services": [
- "ACR"
+ "SAP",
+ "AKV"
 ],
- "severity": "High",
- "subcategory": "High Availability",
- "text": "Enable zone redundancy for Azure Cache for Redis. Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. 
It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Secrets",
+ "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
+ "waf": "Security"
 },
 {
- "category": "BC and DR",
- "checklist": "Redis Resiliency checklist",
- "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429",
- "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence",
- "service": "Redis",
+ "category": "Security, Governance and Compliance",
+ "checklist": "SAP Checklist",
+ "guid": "4935ada4-2223-4ece-a1b1-23181a541741",
+ "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices",
+ "service": "SAP",
 "services": [
- "Storage"
+ "SAP",
+ "AKV"
 ],
- "severity": "Medium",
- "subcategory": "High Availability",
- "text": "Configure data persistence for an Azure Cache for Redis instance. Because your cache data is stored in memory, a rare and unplanned failure of multiple nodes can cause all the data to be dropped. 
To avoid losing data completely, Redis persistence allows you to take periodic snapshots of in-memory data, and store it to your storage account.",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Secrets",
+ "text": "Use an Azure Key Vault per application per environment per region.",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
+ "waf": "Security"
 },
 {
- "category": "BC and DR",
- "checklist": "Redis Resiliency checklist",
- "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c",
- "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence",
- "service": "Redis",
+ "category": "Security, Governance and Compliance",
+ "checklist": "SAP Checklist",
+ "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c",
+ "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios",
+ "service": "SAP",
 "services": [
- "Storage"
+ "SAP",
+ "AKV"
 ],
- "severity": "Medium",
- "subcategory": "High Availability",
- "text": "Use Geo-redundant storage account to persist Azure Cache for Redis data, or zonally redundant where geo-redundancy is not available",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Secrets",
+ "text": "To control and manage disk encryption keys and secrets for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. 
SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.",
+ "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations",
+ "waf": "Security"
 },
 {
- "category": "BC and DR",
- "checklist": "Redis Resiliency checklist",
- "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789",
- "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication",
- "service": "Redis",
+ "category": "Security, Governance and Compliance",
+ "checklist": "SAP Checklist",
+ "guid": "209d490d-a477-4784-84d1-16785d2fa56c",
+ "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles",
+ "service": "SAP",
 "services": [
- "ASR"
+ "RBAC",
+ "SAP",
+ "Subscriptions"
 ],
- "severity": "Medium",
- "subcategory": "High Availability",
- "text": "Configure passive geo-replication for Premium Azure Cache for Redis instances. Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for cross-region disaster recovery. 
Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Security",
+ "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes",
+ "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations",
+ "waf": "Security"
 },
 {
- "category": "Azure Billing and Microsoft Entra ID Tenants",
- "checklist": "Azure Landing Zone Review",
- "guid": "70c15989-c726-42c7-b0d3-24b7375b9201",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations",
- "service": "Entra",
+ "category": "Security, Governance and Compliance",
+ "checklist": "SAP Checklist",
+ "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591",
+ "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/",
+ "service": "SAP",
 "services": [
- "Entra"
+ "NVA",
+ "SAP",
+ "PrivateLink"
 ],
- "severity": "Medium",
- "subcategory": "Microsoft Entra ID Tenants",
- "text": "Use one Entra tenant for managing your Azure resources, unless you have a clear regulatory or business requirement for multi-tenants.",
- "waf": "Operations"
+ "severity": "High",
+ "subcategory": "Security",
+ "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources",
+ "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal",
+ "waf": "Security"
 },
 {
- "category": "Azure Billing and Microsoft Entra ID Tenants",
- "checklist": "Azure Landing Zone Review",
- "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747",
- "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation",
- "service": "Entra",
+ "category": "Security, Governance and Compliance",
+ "checklist": "SAP Checklist",
+ "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5",
+ "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations",
+ "service": "SAP",
 "services": [
- "Entra"
+ "Storage",
+ "SAP",
+ "VM"
 ],
 "severity": "Low",
- "subcategory": "Microsoft Entra ID Tenants",
- "text": "Ensure you have a Multi-Tenant Automation approach to managing your Microsoft Entra ID Tenants",
- "waf": "Operations"
+ "subcategory": "Security",
+ "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.",
+ "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/",
+ "waf": "Security"
 },
 {
- "category": "Azure Billing and Microsoft Entra ID Tenants",
- "checklist": "Azure Landing Zone Review",
- "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse",
- "service": "Entra",
+ "category": "Security, Governance and Compliance",
+ "checklist": "SAP Checklist",
+ "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676",
+ "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide",
+ "service": "SAP",
 "services": [
- "Entra"
+ "SAP",
+ "Defender"
 ],
 "severity": "Low",
- "subcategory": "Microsoft Entra ID Tenants",
- "text": "Leverage Azure Lighthouse for Multi-Tenant Management",
- "waf": "Operations"
+ "subcategory": "Security",
+ "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.",
+ "training": 
"https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations",
+ "waf": "Security"
 },
 {
- "category": "Azure Billing and Microsoft Entra ID Tenants",
- "checklist": "Azure Landing Zone Review",
- "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
- "service": "Entra",
+ "category": "Security, Governance and Compliance",
+ "checklist": "SAP Checklist",
+ "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
+ "service": "SAP",
 "services": [
- "Entra"
+ "VNet",
+ "SAP"
 ],
- "severity": "Medium",
- "subcategory": "Cloud Solution Provider",
- "text": "Ensure that Azure Lighthouse is used for administering the tenant by partner",
- "waf": "Cost"
+ "severity": "High",
+ "subcategory": "Security",
+ "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. 
The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations",
+ "waf": "Security"
 },
 {
- "category": "Azure Billing and Microsoft Entra ID Tenants",
- "checklist": "Azure Landing Zone Review",
- "guid": "a24d0de3-d4b9-4dfb-8ddd-bbfaf123fa01",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-cloud-solution-provider#design-recommendations",
+ "category": "Security, Governance and Compliance",
+ "checklist": "SAP Checklist",
+ "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
+ "service": "SAP",
 "services": [
- "Entra"
+ "SAP",
+ "WAF"
 ],
 "severity": "Low",
- "subcategory": "Cloud Solution Provider",
- "text": "Discuss support request and escalation process with CSP partner",
- "waf": "Cost"
+ "subcategory": "Security",
+ "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. 
For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.",
+ "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations",
+ "waf": "Security"
 },
 {
- "category": "Azure Billing and Microsoft Entra ID Tenants",
- "checklist": "Azure Landing Zone Review",
- "guid": "32952499-58c8-4e6f-ada5-972e67893d55",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
+ "category": "Security, Governance and Compliance",
+ "checklist": "SAP Checklist",
+ "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc",
+ "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions",
+ "service": "SAP",
 "services": [
- "Entra",
- "Cost"
+ "Monitor",
+ "SAP",
+ "AKV"
 ],
 "severity": "Medium",
- "subcategory": "Cloud Solution Provider",
- "text": "Setup Cost Reporting and Views with Azure Cost Management",
- "waf": "Cost"
+ "subcategory": "Security",
+ "text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. 
We highly recommend that you use root certificates.",
+ "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
+ "waf": "Security"
 },
 {
- "category": "Azure Billing and Microsoft Entra ID Tenants",
- "checklist": "Azure Landing Zone Review",
- "guid": "685cb4f2-ac9c-4b19-9167-993ed0b32415",
- "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts",
+ "category": "Business",
+ "checklist": "Multitenant architecture",
+ "guid": "41177955-fe8f-430b-ae72-20dc5b6880da",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/overview",
 "services": [
- "Entra",
- "LoadBalancer"
+ "Entra"
 ],
- "severity": "Medium",
- "subcategory": "Enterprise Agreement",
- "text": "Configure Notification Contacts to a group mailbox",
- "waf": "Cost"
+ "severity": "High",
+ "subcategory": "Business",
+ "text": "Understand what kind of solution you're creating, such as business-to-business (B2B), business-to-consumer (B2C), or your enterprise software, and how tenants are different from users.",
+ "waf": "Operations"
 },
 {
- "category": "Azure Billing and Microsoft Entra ID Tenants",
- "checklist": "Azure Landing Zone Review",
- "guid": "12cd499f-96e2-4e41-a243-231fb3245a1c",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
- "services": [
- "Entra",
- "TrafficManager"
- ],
- "severity": "Low",
- "subcategory": "Enterprise Agreement",
- "text": "Use departments and accounts to map your organization's structure to your enrollment hierarchy which can help with separating billing.",
+ "category": "Business",
+ "checklist": "Multitenant architecture",
+ "guid": "2d33d1b7-697c-49f9-b944-afbeac0b2c8f",
+ "link": 
"https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Business",
+ "text": "Define your tenants. Understand how many tenants you will support initially, and your growth plans.",
+ "waf": "Operations"
+ },
+ {
+ "category": "Business",
+ "checklist": "Multitenant architecture",
+ "guid": "a2111b8b-cc66-4aa2-9da6-c09fa23851b6",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Business",
+ "text": "Define your pricing model and ensure it aligns with your tenants' consumption of Azure resources.",
 "waf": "Cost"
 },
 {
- "category": "Azure Billing and Microsoft Entra ID Tenants",
- "checklist": "Azure Landing Zone Review",
- "guid": "ca0fe401-12ad-46fc-8a7e-86293866a9f6",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
- "services": [
- "Entra",
- "Cost"
- ],
+ "category": "Business",
+ "checklist": "Multitenant architecture",
+ "guid": "331e84a6-2d65-4359-92ff-a1870b062995",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models",
+ "services": [],
 "severity": "Medium",
- "subcategory": "Enterprise Agreement",
- "text": "Enable both DA View Charges and AO View Charges on your EA Enrollments to allow users with the correct perms review Cost and Billing Data.",
- "waf": "Security"
+ "subcategory": "Business",
+ "text": "Understand whether you need to separate your tenants into different tiers. 
Tiers might have different pricing, features, performance promises, geographic locations, and so forth.",
+ "waf": "Operations"
 },
 {
- "category": "Azure Billing and Microsoft Entra ID Tenants",
- "checklist": "Azure Landing Zone Review",
- "guid": "5cf9f485-2784-49b3-9824-75d9b8bdb57b",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
- "services": [
- "Entra",
- "Cost",
- "Subscriptions"
- ],
- "severity": "Low",
- "subcategory": "Enterprise Agreement",
- "text": "Make use of Enterprise Dev/Test Subscriptions to reduce costs for non-production workloads",
- "waf": "Cost"
+ "category": "Business",
+ "checklist": "Multitenant architecture",
+ "guid": "90516b37-aab1-46ca-95bb-cc14a6a1608b",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Business",
+ "text": "Based on your customers' requirements, decide on the tenancy models that are appropriate for various parts of your solution.",
+ "waf": "Operations"
 },
 {
- "category": "Azure Billing and Microsoft Entra ID Tenants",
- "checklist": "Azure Landing Zone Review",
- "guid": "6ad5c3dd-e5ea-4ff1-81a4-7886ff87845c",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
+ "category": "Business",
+ "checklist": "Multitenant architecture",
+ "guid": "f5d76ae1-7048-4ff5-abba-f1ca799578b9",
+ "link": "https://learn.microsoft.com/azure/marketplace/plan-saas-offer",
 "services": [
 "Entra"
 ],
- "severity": "Low",
- "subcategory": "Microsoft Customer Agreement",
- "text": "Configure Agreement billing account notification contact email",
- "waf": "Cost"
+ "severity": "Medium",
+ "subcategory": "Business",
+ "text": "When you're ready, sell your B2B multitenant solution using the Microsoft 
Commercial Marketplace.",
+ "waf": "Operations"
 },
 {
- "category": "Azure Billing and Microsoft Entra ID Tenants",
- "checklist": "Azure Landing Zone Review",
- "guid": "90e87802-602f-4dfb-acea-67c60689f1d7",
- "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/mca-section-invoice",
- "services": [
- "Entra",
- "Cost",
- "Storage"
- ],
- "severity": "Low",
- "subcategory": "Microsoft Customer Agreement",
- "text": "Use Billing Profiles and Invoice sections to structure your agreements billing for effective cost management",
- "waf": "Cost"
+ "category": "Reliability",
+ "checklist": "Multitenant architecture",
+ "guid": "9e7cedd9-1e05-4aeb-a7b3-01fe695a394c",
+ "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/design-checklist",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Reliability",
+ "text": "Review the Azure Well-Architected Reliability checklist, which is applicable to all workloads.",
+ "waf": "Reliability"
 },
 {
- "category": "Azure Billing and Microsoft Entra ID Tenants",
- "checklist": "Azure Landing Zone Review",
- "guid": "e81a73f0-84c4-4641-b406-14db3b4d1f50",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
- "services": [
- "Entra",
- "Cost"
- ],
- "severity": "Low",
- "subcategory": "Microsoft Customer Agreement",
- "text": "Make use of Microsoft Azure plan for dev/test offer to reduce costs for non-production workloads",
- "waf": "Cost"
+ "category": "Reliability",
+ "checklist": "Multitenant architecture",
+ "guid": "e9521a55-2a7c-425c-8f3e-c38fd0c4df75",
+ "link": "https://learn.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Reliability",
+ "text": "Understand the Noisy Neighbor antipattern. 
Prevent individual tenants from impacting the system's availability for other tenants.",
+ "waf": "Reliability"
 },
 {
- "category": "Azure Billing and Microsoft Entra ID Tenants",
- "checklist": "Azure Landing Zone Review",
- "guid": "ae757485-92a4-482a-8bc9-eefe6f5b5ec3",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
- "services": [
- "RBAC",
- "Entra"
- ],
+ "category": "Reliability",
+ "checklist": "Multitenant architecture",
+ "guid": "2b99cb00-9abb-49b6-b11c-f2af9692f09e",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/overview",
+ "services": [],
 "severity": "Medium",
- "subcategory": "Microsoft Customer Agreement",
- "text": "Periodically audit the agreement billing RBAC role assignments to review who has access to your MCA billing account",
- "waf": "Cost"
+ "subcategory": "Reliability",
+ "text": "Design your multitenant solution for the level of growth that you expect. But don't overengineer for unrealistic growth.",
+ "waf": "Reliability"
 },
 {
- "ammp": true,
- "category": "Identity and Access Management",
- "checklist": "Azure Landing Zone Review",
- "guid": "348ef254-c27d-442e-abba-c7571559ab91",
- "link": "https://learn.microsoft.com/azure/role-based-access-control/overview",
- "service": "Entra",
- "services": [
- "RBAC",
- "Entra",
- "ACR",
- "Subscriptions"
- ],
+ "category": "Reliability",
+ "checklist": "Multitenant architecture",
+ "guid": "7a634a0e-1c9d-42b1-aac2-5a5378f103f1",
+ "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/business-metrics",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Reliability",
+ "text": "Define service-level objectives (SLOs) and optionally service-level agreements (SLAs) for your solution. 
SLAs and SLOs should be based on the requirements of your tenants, as well as the composite SLA of the Azure resources in your architecture.",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Reliability",
+ "checklist": "Multitenant architecture",
+ "guid": "45beeeaf-fc59-4079-8fca-65d5724abaa7",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute",
+ "services": [],
 "severity": "High",
- "subcategory": "Identity",
- "text": "Enforce a RBAC model that aligns to your cloud operating model. Scope and Assign across Management Groups and Subscriptions.",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
- "waf": "Security"
+ "subcategory": "Reliability",
+ "text": "Test the scale of your solution. Ensure that it performs well under all levels of load, and that it scales correctly as the number of tenants increases.",
+ "waf": "Reliability"
 },
 {
- "ammp": true,
- "category": "Identity and Access Management",
- "checklist": "Azure Landing Zone Review",
- "guid": "4348bf81-7573-4512-8f46-9061cc198fea",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#identity-and-access-management-in-the-azure-landing-zone-accelerator",
- "services": [
- "Entra"
- ],
+ "category": "Reliability",
+ "checklist": "Multitenant architecture",
+ "guid": "2ff55551-984b-4606-95eb-bfb9c8b36761",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Reliability",
+ "text": "Apply chaos engineering principles to test the reliability of your solution.",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Security",
+ "checklist": "Multitenant architecture",
+ "guid": "8238c038-8eb2-4a02-8bd5-4908c9442c1c",
+ "link": "https://learn.microsoft.com/security/zero-trust",
+ "services": [],
 "severity": "High",
- "subcategory": "Microsoft Entra ID 
and Hybrid Identity",
- "text": "Use managed identities instead of service principals for authentication to Azure services. You can check for existing service principals via Entra ID > Sign in Logs > Service principal logins.",
- "training": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview",
+ "subcategory": "Security",
+ "text": "Apply the Zero Trust and least privilege principles in all layers of your solution.",
 "waf": "Security"
 },
 {
- "ammp": true,
- "category": "Identity and Access Management",
- "checklist": "Azure Landing Zone Review",
- "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5",
- "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts",
- "service": "Entra",
+ "category": "Security",
+ "checklist": "Multitenant architecture",
+ "guid": "92160e00-6894-4102-97e0-615d4ed93c01",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/map-requests",
 "services": [
 "Entra"
 ],
 "severity": "High",
- "subcategory": "Identity",
- "text": "Only use the authentication type Work or school account for all account types. Avoid using the Microsoft account",
- "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
+ "subcategory": "Security",
+ "text": "Ensure that you can correctly map user requests to tenants. 
Consider including the tenant context as part of the identity system, or by using another means, like application-level tenant authorization.",
 "waf": "Security"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Landing Zone Review",
- "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4",
- "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal",
- "service": "Entra",
- "services": [
- "Entra"
- ],
+ "category": "Security",
+ "checklist": "Multitenant architecture",
+ "guid": "3c1538b4-5676-4b85-b451-432befb37b4f",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing",
+ "services": [],
 "severity": "Medium",
- "subcategory": "Identity",
- "text": "Only use groups to assign permissions. Add on-premises groups to the Entra ID only group if a group management system is already in place.",
- "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
+ "subcategory": "Security",
+ "text": "Perform ongoing penetration testing and security code reviews.",
 "waf": "Security"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Landing Zone Review",
- "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4",
- "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview",
- "service": "Entra",
- "services": [
- "Entra",
- "AzurePolicy"
- ],
- "severity": "Low",
- "subcategory": "Identity",
- "text": "Enforce Microsoft Entra ID conditional-access policies for any user with rights to Azure environments",
- "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
+ "category": "Security",
+ "checklist": "Multitenant architecture",
+ "guid": "5fca45ce-cf2d-42c0-a62c-aac92ba31498",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/governance-compliance",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Security",
+ "text": 
"Understand your tenants' compliance requirements, including data residency and any compliance or regulatory standards that they require you to meet.",
 "waf": "Security"
 },
 {
- "ammp": true,
- "category": "Identity and Access Management",
- "checklist": "Azure Landing Zone Review",
- "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01",
- "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks",
- "service": "Entra",
+ "category": "Security",
+ "checklist": "Multitenant architecture",
+ "guid": "30adb90d-83d4-4a2e-986e-327ffe04e7a5",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/domain-names",
 "services": [
- "Entra"
+ "DNS"
 ],
 "severity": "High",
- "subcategory": "Identity",
- "text": "Enforce multi-factor authentication for any user with rights to the Azure environments",
- "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
+ "subcategory": "Security",
+ "text": "Correctly manage domain names and avoid vulnerabilities like dangling DNS and subdomain takeover attacks.",
 "waf": "Security"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Landing Zone Review",
- "guid": "e6a83de5-de32-4c19-a248-1607d5d1e4e6",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations",
- "services": [
- "Entra",
- "RBAC"
- ],
+ "category": "Security",
+ "checklist": "Multitenant architecture",
+ "guid": "72ded36d-c633-4e0d-bd41-799a29da3481",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/service/overview",
+ "services": [],
 "severity": "Medium",
- "subcategory": "Identity",
- "text": "Enforce centralized and delegated responsibilities to manage resources deployed inside the landing zone, based on role and security requirements",
- "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/",
+ "subcategory": "Security",
+ "text": 
"Follow service-specific guidance for multitenancy.",
 "waf": "Security"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Landing Zone Review",
- "guid": "14658d35-58fd-4772-99b8-21112df27ee4",
- "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
- "service": "Entra",
+ "category": "Cost Optimization",
+ "checklist": "Multitenant architecture",
+ "guid": "db30a9fc-9b1d-40f3-ab90-01f6a3e87fc8",
+ "link": "https://learn.microsoft.com/azure/architecture/framework/cost/design-checklist",
 "services": [
- "Entra"
+ "Cost"
 ],
 "severity": "Medium",
- "subcategory": "Identity",
- "text": "Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege",
- "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
- "waf": "Security"
+ "subcategory": "Cost Optimization",
+ "text": "Review the Azure Well-Architected Operational Excellence checklist, which is applicable to all workloads.",
+ "waf": "Cost"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Landing Zone Review",
- "guid": "1559ab91-53e8-4908-ae28-c84c33b6b780",
- "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain#vm-recommendations",
+ "category": "Cost Optimization",
+ "checklist": "Multitenant architecture",
+ "guid": "8533af39-52f6-45b6-a9c3-81b2a54a31e0",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/measure-consumption",
 "services": [
- "Entra",
- "VM",
- "ACR"
+ "Cost"
 ],
- "severity": "Medium",
- "subcategory": "Identity",
- "text": "When deploying Active Directory on Windows Server, use a location with Availability Zones and deploy at least two VMs across these zones. 
If not available, deploy in an Availability Set",
- "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Cost Optimization",
+ "text": "Ensure you can adequately measure per-tenant consumption and correlate it with your infrastructure costs.",
+ "waf": "Cost"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Landing Zone Review",
- "guid": "f5664b5e-984a-4859-a773-e7d261623a76",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations",
+ "category": "Cost Optimization",
+ "checklist": "Multitenant architecture",
+ "guid": "c851fd44-7cf1-459c-95a4-f6455d75a981",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/cost-management-allocation",
 "services": [
- "RBAC",
- "Entra",
- "ACR",
- "Subscriptions"
+ "Monitor",
+ "Cost"
 ],
 "severity": "Medium",
- "subcategory": "Identity",
- "text": "Use Azure custom RBAC roles for the following key roles to provide fine-grain access across your ALZ: Azure platform owner, network management, security operations, subscription owner, application owner. Align these roles to teams and responsibilities within your business.",
- "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/",
- "waf": "Security"
+ "subcategory": "Cost Optimization",
+ "text": "Avoid antipatterns. 
Antipatterns include failing to track costs, tracking costs with unnecessary precision, real-time measurement, and using monitoring tools for billing.", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", - "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", - "service": "Entra", - "services": [ - "Entra" - ], + "category": "Operational Excellence", + "checklist": "Multitenant architecture", + "guid": "0d475a5a-2c0f-47ab-b1e1-701da68d3407", + "link": "https://learn.microsoft.com/azure/architecture/checklist/data-ops", + "services": [], + "severity": "High", + "subcategory": "Operational Excellence", + "text": "Review the Azure Well-Architected Operational Excellence checklist, which is applicable to all workloads.", + "waf": "Operations" + }, + { + "category": "Operational Excellence", + "checklist": "Multitenant architecture", + "guid": "9f7fa7a9-47fc-4f04-81f6-9f9e87571ed3", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenant-lifecycle", + "services": [], "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "If planning to switch from Active Directory Domain Serivces to Entra domain services, evaluate the compatibility of all workloads", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", - "waf": "Security" + "subcategory": "Operational Excellence", + "text": "Use automation to manage the tenant lifecycle, such as onboarding, deployment, provisioning, and configuration.", + "waf": "Operations" }, { - "category": "Identity and Access Management", - "checklist": "Azure Landing Zone Review", - "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", - "service": "Entra", - "services": [ - "Entra", - "Monitor" - ], + "category": 
"Operational Excellence", + "checklist": "Multitenant architecture", + "guid": "e0bfceed-4f4e-492d-b9f5-898815faa363", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/updates", + "services": [], "severity": "Medium", - "subcategory": "Identity", - "text": "Integrate Microsoft Entra ID logs with the platform-central Azure Monitor. Azure Monitor allows for a single source of truth around log and monitoring data in Azure, giving organizations a cloud native options to meet requirements around log collection and retention.", - "waf": "Security" + "subcategory": "Operational Excellence", + "text": "Find the right balance for deploying service updates. Consider both your tenants' requirements and your own operational requirements.", + "waf": "Operations" }, { - "ammp": true, - "category": "Identity and Access Management", - "checklist": "Azure Landing Zone Review", - "guid": "984a859c-773e-47d2-9162-3a765a917e1f", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", - "service": "Entra", + "category": "Operational Excellence", + "checklist": "Multitenant architecture", + "guid": "a3f80518-d428-4c02-b2cc-dfaef47db7e2", "services": [ - "Entra" + "Monitor" ], "severity": "High", - "subcategory": "Identity", - "text": "Implement an emergency access or break-glass accounts to prevent tenant-wide account lockout", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Security" + "subcategory": "Operational Excellence", + "text": "Monitor the health of the overall system, as well as each tenant.", + "waf": "Operations" }, { - "category": "Identity and Access Management", - "checklist": "Azure Landing Zone Review", - "guid": "cd163e39-84a5-4b39-97b7-6973abd70d94", - "link": "https://learn.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-staging-server", + "category": "Operational Excellence", + "checklist": "Multitenant 
architecture", + "guid": "dfb42da5-f871-4953-9e5c-da6fda3f1411", "services": [ - "Entra", - "ASR" + "Monitor" ], "severity": "Medium", - "subcategory": "Microsoft Entra ID", - "text": "When deploying an Microsoft Entra Connect, leverage a staging sever for high availability / Disaster recovery", - "waf": "Reliability" + "subcategory": "Operational Excellence", + "text": "Configure and test alerts to notify you when specific tenants are experiencing issues or are exceeding their consumption limits.", + "waf": "Operations" }, { - "category": "Identity and Access Management", - "checklist": "Azure Landing Zone Review", - "guid": "35037e68-9349-4c15-b371-228514f4cdff", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "Entra", - "services": [ - "Entra", - "RBAC" - ], - "severity": "Medium", - "subcategory": "Identity", - "text": "Avoid using on-premises synced accounts for Microsoft Entra ID role assignments.", - "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", - "waf": "Security" + "category": "Operational Excellence", + "checklist": "Multitenant architecture", + "guid": "c0c72a1b-e34d-4b3d-b808-2e49f51ce47e", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization", + "services": [], + "severity": "High", + "subcategory": "Operational Excellence", + "text": "Organize your Azure resources for isolation and scale.", + "waf": "Operations" }, { - "category": "Identity and Access Management", - "checklist": "Azure Landing Zone Review", - "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Entra", - "services": [ - "Entra" - ], + "category": "Operational Excellence", + "checklist": "Multitenant architecture", + "guid": "c5c5e22d-4b51-4cac-a980-f7aac1a4b427", + "link": 
"https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/deployment-configuration", + "services": [], "severity": "Medium", - "subcategory": "Identity", - "text": "Where required, use Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications (hosted in the cloud or on-premises).", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "Security" + "subcategory": "Operational Excellence", + "text": "Avoid deployment and configuration antipatterns. Antipatterns include running separate versions of the solution for each tenant, hardcoding tenant-specific configurations or logic, and manual deployments.", + "waf": "Operations" }, { - "category": "Identity and Access Management", - "checklist": "Azure Landing Zone Review", - "guid": "9cf5418b-1520-4b7b-add7-88eb28f833e8", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#managed-identities", - "services": [ - "Entra", - "VNet" - ], - "severity": "Medium", - "subcategory": "Landing zones", - "text": "Configure Identity network segmentation through the use of a virtual Network and peer back to the hub. 
Providing authentication inside application landing zone (legacy).", - "training": "https://learn.microsoft.com/azure/architecture/example-scenario/identity/adds-extend-domain", - "waf": "Security" + "category": "Performance Efficiency", + "checklist": "Multitenant architecture", + "guid": "f0b1fbd8-689c-4ab3-be1d-ad7607d2fbfd", + "link": "https://learn.microsoft.com/azure/architecture/framework/scalability/performance-efficiency", + "services": [], + "severity": "High", + "subcategory": "Performance Efficiency", + "text": "Review the Azure Well-Architected Performance Efficiency checklist, which is applicable to all workloads.", + "waf": "Performance" }, { - "category": "Identity and Access Management", - "checklist": "Azure Landing Zone Review", - "guid": "d4d1ad54-1abc-4919-b267-3f342d3b49e4", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#rbac-recommendations", - "services": [ - "RBAC", - "AKV", - "Storage", - "Entra", - "ACR" - ], - "severity": "Medium", - "subcategory": "Landing zones", - "text": "Use Azure RBAC to manage data plane access to resources, if possible. E.G - Data Operations across Key Vault, Storage Account and Database Services.", - "training": "https://learn.microsoft.com/azure/role-based-access-control/overview", - "waf": "Security" + "category": "Performance Efficiency", + "checklist": "Multitenant architecture", + "guid": "18911c4c-934c-49a8-839a-60c092afce30", + "link": "https://learn.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor", + "services": [], + "severity": "High", + "subcategory": "Performance Efficiency", + "text": "If you use shared infrastructure, plan for how you'll mitigate Noisy Neighbor concerns. 
Ensure that one tenant can't reduce the performance of the system for other tenants.", + "waf": "Performance" }, { - "category": "Identity and Access Management", - "checklist": "Azure Landing Zone Review", - "guid": "d505ebcb-79b1-4274-9c0d-a27c8bea489c", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-create-roles-and-resource-roles-review", + "category": "Performance Efficiency", + "checklist": "Multitenant architecture", + "guid": "6acf7eb5-24a3-47c7-ae87-1196cd96048e", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute", "services": [ - "Entra" + "Storage" ], "severity": "Medium", - "subcategory": "Landing zones", - "text": "Use Microsoft Entra ID PIM access reviews to periodically validate resource entitlements.", - "waf": "Security" + "subcategory": "Performance Efficiency", + "text": "Determine how you'll scale your compute, storage, networking, and other Azure resources to match the demands of your tenants.", + "waf": "Performance" }, { - "ammp": true, - "category": "Resource Organization", - "checklist": "Azure Landing Zone Review", - "description": "Consider using the Azure naming tool available at https://aka.ms/azurenamingtool", - "guid": "cacf55bc-e4e4-46be-96bc-57a5f23a269a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming", + "category": "Performance Efficiency", + "checklist": "Multitenant architecture", + "guid": "ea55400d-f97d-45aa-b71b-34224bf91ed4", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization", "services": [], "severity": "High", - "subcategory": "Naming and tagging", - "text": "It is recommended to follow Microsoft Best Practice Naming Standards", - "waf": "Security" + "subcategory": "Performance Efficiency", + "text": "Consider each Azure resource's scale limits. 
Organize your resources appropriately, in order to avoid resource organization antipatterns. For example, don't over-architect your solution to work within unrealistic scale requirements.", + "waf": "Performance" }, { - "category": "Resource Organization", - "checklist": "Azure Landing Zone Review", - "graph": "resourcecontainers| where type == 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant =( array_length(mgmtChain) <= 4 and array_length(mgmtChain) > 1)", - "guid": "2df27ee4-12e7-4f98-9f63-04722dd69c5b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", + "category": "Governance", + "checklist": "Azure Key Vault", + "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "services": [ - "Subscriptions" + "AKV", + "Backup" + ], + "severity": "High", + "subcategory": "Deployment best practices", + "text": "Familiarize yourself with the Key Vault's best practices such as isolation recommendations, access control, data protection, backup, and logging.", + "waf": "Reliability" + }, + { + "category": "BC and DR", + "checklist": "Azure Key Vault", + "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Key Vault", + "services": [ + "ACR", + "AKV" ], "severity": "Medium", - "subcategory": "Subscriptions", - "text": "Enforce reasonably flat management group hierarchy with no more than four levels.", - "training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/", - "waf": "Security" + "subcategory": "High Availability", + "text": "Key Vault is a managed service and Microsoft will handle the failover within and across region. 
Familiarize yourself with the Key Vault's availability and redundancy.", + "waf": "Reliability" }, { - "category": "Resource Organization", - "checklist": "Azure Landing Zone Review", - "guid": "667313b4-f566-44b5-b984-a859c773e7d2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations", + "category": "BC and DR", + "checklist": "Azure Key Vault", + "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", + "service": "Key Vault", "services": [ - "Subscriptions" + "AKV" ], "severity": "Medium", - "subcategory": "Subscriptions", - "text": "Enforce a sandbox management group to allow users to immediately experiment with Azure", - "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/", - "waf": "Security" + "subcategory": "High Availability", + "text": "The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets. 
Familiarize yourself with the Key Vault's data replication.", + "waf": "Reliability" }, { - "category": "Resource Organization", - "checklist": "Azure Landing Zone Review", - "guid": "61623a76-5a91-47e1-b348-ef254c27d42e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations", + "category": "BC and DR", + "checklist": "Azure Key Vault", + "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", + "service": "Key Vault", "services": [ - "RBAC", "AzurePolicy", - "Subscriptions" + "AKV" ], "severity": "Medium", - "subcategory": "Subscriptions", - "text": "Enforce a platform management group under the root management group to support common platform policy and Azure role assignment", - "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/", - "waf": "Security" + "subcategory": "High Availability", + "text": "During failover, access policy or firewall configurations and settings can't be changed. The key vault will be in read-only mode during failover. 
Familiarize yourself with the Key Vault's failover guidance.", + "waf": "Reliability" }, { - "category": "Resource Organization", - "checklist": "Azure Landing Zone Review", - "guid": "8bbac757-1559-4ab9-853e-8908ae28c84c", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations", + "category": "Management", + "checklist": "Azure Key Vault", + "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", + "service": "Key Vault", "services": [ - "ExpressRoute", + "Storage", "Subscriptions", - "DNS", - "VWAN" + "Backup", + "AKV", + "ASR" ], "severity": "Medium", - "subcategory": "Subscriptions", - "text": "Enforce a dedicated connectivity subscription in the Connectivity management group to host an Azure Virtual WAN hub, private Domain Name System (DNS), ExpressRoute circuit, and other networking resources.", - "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/", - "waf": "Security" + "subcategory": "Business continuity and disaster recovery", + "text": "When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob can't be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography. 
Familiarize yourself with the Key Vault's backup and restore guidance.", + "waf": "Reliability" }, { - "category": "Resource Organization", - "checklist": "Azure Landing Zone Review", - "graph": "resourcecontainers| where type == 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant = (array_length(mgmtChain) > 1)", - "guid": "33b6b780-8b9f-4e5c-9104-9d403a923c34", - "link": "https://learn.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---default-management-group", + "category": "Management", + "checklist": "Azure Key Vault", + "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "Key Vault", "services": [ - "Subscriptions" + "ASR", + "AKV" ], - "severity": "Medium", - "subcategory": "Subscriptions", - "text": "Enforce no subscriptions are placed under the root management group", - "waf": "Security" + "severity": "High", + "subcategory": "Business continuity and disaster recovery", + "text": "If you want protection against accidental or malicious deletion of your secrets, configure soft-delete and purge protection features on your key vault.", + "waf": "Reliability" }, { - "category": "Resource Organization", - "checklist": "Azure Landing Zone Review", - "guid": "74d00018-ac6a-49e0-8e6a-83de5de32c19", - "link": "https://learn.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---require-authorization", + "category": "Management", + "checklist": "Azure Key Vault", + "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "Key Vault", "services": [ - "RBAC", - "Subscriptions" + "ASR", + "AKV" ], - "severity": "Medium", - "subcategory": "Subscriptions", - "text": "Enforce that only privileged users can operate 
management groups in the tenant by enabling Azure RBAC authorization in the management group hierarchy settings", - "waf": "Security" + "severity": "Low", + "subcategory": "Business continuity and disaster recovery", + "text": "Key Vault's soft-deleted resources are retained for a set period of 90 calendar days. Familiarize yourself with the Key Vault's soft-delete guidance.", + "waf": "Reliability" }, { - "category": "Resource Organization", - "checklist": "Azure Landing Zone Review", - "guid": "92481607-d5d1-4e4e-9146-58d3558fd772", - "link": "https://learn.microsoft.com/azure/governance/management-groups/overview", + "category": "Management", + "checklist": "Azure Key Vault", + "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", + "service": "Key Vault", "services": [ - "Subscriptions" + "ASR", + "AKV", + "Backup" ], - "severity": "Medium", - "subcategory": "Subscriptions", - "text": "Enforce management groups under the root-level management group to represent the types of workloads, based on their security, compliance, connectivity, and feature needs.", - "waf": "Security" + "severity": "Low", + "subcategory": "Business continuity and disaster recovery", + "text": "Understand Key Vault's backup limitations. Key Vault does not support the ability to backup more than 500 past versions of a key, secret, or certificate object. Attempting to backup a key, secret, or certificate object may result in an error. 
It is not possible to delete previous versions of a key, secret, or certificate.", + "waf": "Reliability" }, { - "ammp": true, - "category": "Resource Organization", - "checklist": "Azure Landing Zone Review", - "guid": "49b82111-2df2-47ee-912e-7f983f630472", - "link": "https://learn.microsoft.com/azure/governance/management-groups/overview", + "category": "Management", + "checklist": "Azure Key Vault", + "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", + "service": "Key Vault", "services": [ - "RBAC", - "AzurePolicy", - "Cost", - "Subscriptions" + "ASR", + "AKV", + "Backup" ], - "severity": "High", - "subcategory": "Subscriptions", - "text": "Enforce a process to make resource owners aware of their roles and responsibilities, access review, budget review, policy compliance and remediate when necessary.", - "waf": "Security" + "severity": "Low", + "subcategory": "Business continuity and disaster recovery", + "text": "Key Vault doesn't currently provide a way to back up an entire key vault in a single operation and keys, secrets and certitificates must be backup indvidually. 
Familiarize yourself with the Key Vault's backup and restore guidance.", + "waf": "Reliability" }, { - "category": "Resource Organization", - "checklist": "Azure Landing Zone Review", - "guid": "2dd69c5b-5c26-422f-94b6-9bad33aad5e8", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "category": "Management", + "checklist": "Azure Key Vault", + "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection", + "service": "Key Vault", "services": [ - "Subscriptions" + "EventHubs", + "ASR", + "AKV" ], "severity": "Medium", - "subcategory": "Subscriptions", - "text": "Ensure that all subscription owners and IT core team are aware of subscription quotas and the impact they have on provision resources for a given subscription.", - "waf": "Security" + "subcategory": "Business continuity and disaster recovery", + "text": "Purge protection is recommended when using keys for encryption to prevent data loss. Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. 
It can be turned on via CLI, PowerShell or Portal.", + "waf": "Reliability" }, { - "ammp": true, - "category": "Resource Organization", - "checklist": "Azure Landing Zone Review", - "guid": "c68e1d76-6673-413b-9f56-64b5e984a859", - "link": "https://learn.microsoft.com/azure/cost-management-billing/reservations/save-compute-costs-reservations", + "category": "Identity and Access Management", + "checklist": "Azure Red Hat OpenShift", + "guid": "d7e47431-76c8-4bdb-b55b-ce619e8a03f9", + "link": "https://learn.microsoft.com/azure/openshift/howto-create-service-principal?pivots=aro-azurecli", "services": [ - "AzurePolicy", - "VM", - "Cost", - "Subscriptions" + "Entra", + "RBAC" ], "severity": "High", - "subcategory": "Subscriptions", - "text": "Use Reserved Instances where appropriate to optimize cost and ensure available capacity in target regions. Enforce the use of purchased Reserved Instance VM SKUs via Azure Policy.", - "training": "https://learn.microsoft.com/learn/paths/improve-reliability-modern-operations/", + "subcategory": "Identity", + "text": "Create a service principal and its role assignments before creating the ARO clusters.", "waf": "Security" }, { - "ammp": true, - "category": "Resource Organization", - "checklist": "Azure Landing Zone Review", - "guid": "c773e7d2-6162-43a7-95a9-17e1f348ef25", - "link": "https://learn.microsoft.com/azure/architecture/framework/scalability/design-capacity", + "category": "Identity and Access Management", + "checklist": "Azure Red Hat OpenShift", + "guid": "7879424d-6267-486d-90b9-6c97be985190", + "link": "https://learn.microsoft.com/azure/openshift/configure-azure-ad-ui", "services": [ - "Subscriptions", - "Monitor" + "Entra" ], "severity": "High", - "subcategory": "Subscriptions", - "text": "Enforce a dashboard, workbook, or manual process to monitor used capacity levels", - "training": "https://learn.microsoft.com/learn/paths/monitor-usage-performance-availability-resources-azure-monitor/", + "subcategory": "Identity", 
+ "text": "Use AAD to authenticate users in your ARO cluster.", "waf": "Security" }, { - "ammp": true, - "category": "Resource Organization", - "checklist": "Azure Landing Zone Review", - "guid": "ae28c84c-33b6-4b78-88b9-fe5c41049d40", - "link": "https://learn.microsoft.com/azure/cost-management-billing/cost-management-billing-overview", + "category": "Identity and Access Management", + "checklist": "Azure Red Hat OpenShift", + "guid": "adfec5f9-a82d-46e9-a8d1-5a0c7fed5d15", + "link": "https://docs.openshift.com/container-platform/4.14/authentication/remove-kubeadmin.html", "services": [ - "Cost", - "Subscriptions" + "Entra" ], - "severity": "High", - "subcategory": "Subscriptions", - "text": "Enforce a process for cost management", - "training": "https://learn.microsoft.com/learn/paths/control-spending-manage-bills/", + "severity": "Medium", + "subcategory": "Identity", + "text": "When using AAD authentication, remove kubeadmin user from the cluster.", "waf": "Security" }, { - "category": "Resource Organization", - "checklist": "Azure Landing Zone Review", - "guid": "3a923c34-74d0-4001-aac6-a9e01e6a83de", - "link": "https://learn.microsoft.com/azure/governance/management-groups/overview", + "category": "Identity and Access Management", + "checklist": "Azure Red Hat OpenShift", + "guid": "483835c9-86bb-4291-8155-a11475e39f54", + "link": "https://docs.openshift.com/container-platform/4.13/applications/projects/working-with-projects.html", "services": [ "Entra", - "Subscriptions" + "RBAC" ], - "severity": "Medium", - "subcategory": "Subscriptions", - "text": "If servers will be used for Identity services, like domain controllers, establish a dedicated identity subscription in the identity management group, to host these services. 
Make sure that resources are set to use the domain controllers available in their region.", - "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/", + "severity": "High", + "subcategory": "Identity", + "text": "Define OpenShift projects to restrict RBAC privilege and isolate workloads in your cluster.", "waf": "Security" }, { - "category": "Resource Organization", - "checklist": "Azure Landing Zone Review", - "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", - "guid": "5de32c19-9248-4160-9d5d-1e4e614658d3", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/track-costs", + "category": "Identity and Access Management", + "checklist": "Azure Red Hat OpenShift", + "guid": "0acccd97-9376-4bcd-a375-0ab2ab039da6", + "link": "https://docs.openshift.com/container-platform/4.13/authentication/using-rbac.html", "services": [ - "Cost", - "Subscriptions" + "Entra", + "RBAC" ], "severity": "Medium", - "subcategory": "Subscriptions", - "text": "Ensure tags are used for billing and cost management", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "subcategory": "Identity", + "text": "Define the required RBAC roles in OpenShift are scoped to either a project or a cluster.", "waf": "Security" }, { - "category": "Resource Organization", - "checklist": "Azure Landing Zone Review", - "guid": "6cc0ea22-42bb-441e-a345-804ab0a09666", - "link": "https://github.com/Azure/sovereign-landing-zone/blob/main/docs/02-Architecture.md", + "category": "Identity and Access Management", + "checklist": "Azure Red Hat OpenShift", + "guid": "d54d7c89-29db-4107-b532-5ae625ca44e4", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", "services": [ - "Subscriptions" + "Entra", + "AKV" ], "severity": "Medium", - "subcategory": 
"Subscriptions", - "text": "For Sovereign Landing Zone, have a 'confidential corp' and 'confidential online' management group directly under the 'landing zones' MG.", + "subcategory": "Identity", + "text": "Minimize the number of users who have administrator rights and secrets access.", "waf": "Security" }, { - "category": "Resource Organization", - "checklist": "Azure Landing Zone Review", - "guid": "250d81ce-8bbe-4f85-9051-6a18a8221e50", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/regions", + "category": "Identity and Access Management", + "checklist": "Azure Red Hat OpenShift", + "guid": "685e2223-ace8-4bb1-8307-ca5f16f154e3", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", "services": [ - "Cost" + "Entra", + "RBAC" ], - "severity": "High", - "subcategory": "Regions", - "text": "Select the right Azure region/s for your deployment. Azure is a global-scale cloud platform that provide global coverage through many regions and geographies. 
Different Azure regions have different characteristics, access and availability models, costs, capacity, and services offered, then it is important to consider all criteria and requirements",
- "training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Identity",
+ "text": "Use Privileged Identity Management in AAD for ARO users with privileged roles.",
+ "waf": "Security"
 },
 {
- "category": "Resource Organization",
- "checklist": "Azure Landing Zone Review",
- "guid": "19ca3f89-397d-44b1-b5b6-5e18661372ac",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/regions#operate-in-multiple-geographic-regions",
+ "category": "Network topology and connectivity",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "aa369282-9e7e-4216-8836-87af467a1f89",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
 "services": [
- "ASR"
+ "VNet",
+ "Entra",
+ "Subscriptions",
+ "WAF",
+ "Firewall",
+ "DDoS"
 ],
- "severity": "Medium",
- "subcategory": "Regions",
- "text": "Consider a multi-region deployment. Depending on customer size, locations, and users presence, operating in multiple regions can be a common choice to deliver services and run applications closer to them. Using a multi-region deployment is also important to provide geo disaster recovery capabilities, to eliminate the dependency from a single region capacity and diminish the risk of a temporary and localized resource capacity constraint",
- "training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/",
- "waf": "Reliability"
+ "severity": "Low",
+ "subcategory": "DDoS",
+ "text": "Use Azure DDoS Network/IP Protection to protect the virtual network you use for the ARO cluster unless you use Azure Firewall or WAF in a centralized subscription",
+ "waf": "Security"
 },
 {
- "category": "Resource Organization",
- "checklist": "Azure Landing Zone Review",
- "guid": "4c27d42e-8bba-4c75-9155-9ab9153e8908",
- "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/",
+ "category": "Network topology and connectivity",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "35bda433-24f1-4481-8533-182aa5174269",
+ "link": "https://docs.openshift.com/container-platform/4.13/networking/routes/secured-routes.html",
 "services": [],
- "severity": "Medium",
- "subcategory": "Regions",
- "text": "Ensure required services and features are available within the chosen deployment regions",
- "training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Encryption",
+ "text": "All web applications you configure to use an ingress should use TLS encryption and shouldn't allow access over unencrypted HTTP.",
+ "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "373f482f-3e39-4d39-8aa4-7e566f6082b6",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-app-delivery",
+ "category": "Network topology and connectivity",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "44008ae7-d7e4-4743-876c-8bdbf55bce61",
+ "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
 "services": [
 "FrontDoor",
- "AppGW"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "App delivery",
- "text": "Develop a plan for securing the delivery application content from your Workload spokes using Application Gateway and Azure Front door. You can use the Application Delivery checklist to for recommendations.",
- "waf": "Operations"
+ "subcategory": "Internet",
+ "text": "Use Azure Front Door with WAF to securely publish ARO applications to the internet, especially in multi-region environments.",
+ "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity",
- "service": "VNet",
+ "category": "Network topology and connectivity",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "9e8a03f9-7879-4424-b626-786d60b96c97",
+ "link": "https://learn.microsoft.com/azure/openshift/howto-secure-openshift-with-front-door",
 "services": [
- "VNet"
+ "FrontDoor",
+ "PrivateLink"
 ],
 "severity": "Medium",
- "subcategory": "Hub and spoke",
- "text": "Leverage a network design based on the traditional hub-and-spoke network topology for network scenarios that require maximum flexibility.",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "subcategory": "Internet",
+ "text": "If exposing an app on ARO with Azure Front Door, use private link to connect Front Door with the ARO router.",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "6138a720-0f1c-4e16-bd30-1d6e872e52e3",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator",
- "services": [],
+ "category": "Network topology and connectivity",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "be985190-4838-435c-a86b-b2912155a114",
+ "link": "https://learn.microsoft.com/azure/openshift/howto-restrict-egress",
+ "services": [
+ "AzurePolicy",
+ "NVA",
+ "Firewall"
+ ],
 "severity": "Medium",
- "subcategory": "App delivery",
- "text": "Perform app delivery within landing zones for both internal-facing (corp) and external-facing apps (online).",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "subcategory": "Internet",
+ "text": "If your security policy requires you to inspect all outbound internet traffic that's generated in the ARO cluster, secure egress network traffic by using Azure Firewall or an NVA.",
 "waf": "Security"
 },
 {
- "ammp": true,
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d",
- "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/expressroute",
- "service": "VNet",
+ "category": "Network topology and connectivity",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "75e39f54-0acc-4cd9-9937-6bcda3750ab2",
+ "link": "https://learn.microsoft.com/azure/openshift/howto-create-private-cluster-4x",
 "services": [
- "VNet",
- "Firewall",
- "ExpressRoute",
- "DNS",
- "VPN",
- "Entra",
- "NVA"
+ "AzurePolicy"
 ],
 "severity": "High",
- "subcategory": "Hub and spoke",
- "text": "Ensure that shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. If necessary, also deploy DNS servers.",
- "waf": "Cost"
+ "subcategory": "Private access",
+ "text": "If your security policy requires you to use a private IP address for the OpenShift API, deploy a private ARO cluster.",
+ "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
- "service": "VNet",
+ "category": "Network topology and connectivity",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "ab039da6-d54d-47c8-a29d-b107d5325ae6",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link",
 "services": [
- "DDoS"
+ "ACR",
+ "PrivateLink"
 ],
 "severity": "Medium",
- "subcategory": "App delivery",
- "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "subcategory": "Private access",
+ "text": "Use Azure Private Link to secure network connections to managed Azure services, including to Azure Container Registry.",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b",
- "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha",
- "service": "NVA",
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "25ca44e4-685e-4222-9ace-8bb12307ca5f",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-enable-arc-enabled-clusters",
 "services": [
- "NVA"
+ "Monitor"
 ],
+ "severity": "High",
+ "subcategory": "Operations",
+ "text": "Establish a monitoring process using the inbuilt Prometheus, OpenShift Logging or Container Insights integration.",
+ "waf": "Operations"
+ },
+ {
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "16f154e3-aa36-4928-89e7-e216183687af",
+ "link": "https://docs.openshift.com/container-platform/4.13/cicd/pipelines/understanding-openshift-pipelines.html",
+ "services": [],
 "severity": "Medium",
- "subcategory": "Hub and spoke",
- "text": "When deploying partner networking technologies or NVAs, follow the partner vendor's guidance",
- "waf": "Reliability"
+ "subcategory": "Operations",
+ "text": "Automate the application delivery process through DevOps practices and CI/CD solutions, such as Pipelines/GitOps provided by OpenShift.",
+ "waf": "Operations"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn",
- "service": "ExpressRoute",
- "services": [
- "ExpressRoute",
- "ARS",
- "VPN"
- ],
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "467a1f89-35bd-4a43-924f-14811533182a",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/design-principles/managed-services",
+ "services": [],
 "severity": "Low",
- "subcategory": "Hub and spoke",
- "text": "If you need transit between ExpressRoute and VPN gateways in hub and spoke scenarios, use Azure Route Server.",
- "waf": "Security"
+ "subcategory": "Operations",
+ "text": "Whenever possible, remove the service state from inside containers. Instead, use an Azure platform as a service (PaaS) that supports multiregion replication.",
+ "waf": "Operations"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant",
- "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc",
- "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1",
- "service": "ARS",
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "1b7da8cf-aa66-4e15-b4d5-ada97dc3e232",
+ "link": "https://learn.microsoft.com/azure/openshift/howto-create-a-storageclass",
 "services": [
- "ARS",
- "VNet"
+ "Storage"
 ],
 "severity": "Low",
- "subcategory": "Hub and spoke",
- "text": "If using Route Server, use a /27 prefix for the Route Server subnet.",
- "waf": "Security"
+ "subcategory": "Operations",
+ "text": "Use RWX storage with inbuilt Azure Files storage class.",
+ "waf": "Operations"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "cc881471-607c-41cc-a0e6-14658dd558f9",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region",
- "service": "VNet",
- "services": [
- "VNet",
- "ACR"
- ],
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "6bb235c7-05e1-4696-bded-fa8a4c8cdec4",
+ "link": "https://docs.openshift.com/container-platform/4.13/nodes/clusters/nodes-cluster-limit-ranges.html",
+ "services": [],
 "severity": "Medium",
- "subcategory": "Hub and spoke",
- "text": "For network architectures with multiple hub-and-spoke topologies across Azure regions, use global virtual network peerings between the hub VNets to connect the regions to each other.",
- "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/",
+ "subcategory": "Performance",
+ "text": "Use pod requests and limits to manage the compute resources within a cluster.",
 "waf": "Performance"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview",
- "service": "VNet",
- "services": [
- "Monitor"
- ],
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "c620c30c-14ee-4b7f-9ae8-d9b3fec228e7",
+ "link": "https://docs.openshift.com/container-platform/4.13/applications/quotas/quotas-setting-per-project.html",
+ "services": [],
 "severity": "Medium",
- "subcategory": "Hub and spoke",
- "text": "Use Azure Monitor for Networks to monitor the end-to-end state of the networks on Azure.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
- "waf": "Operations"
+ "subcategory": "Performance",
+ "text": "Enforce resource quotas on projects.",
+ "waf": "Performance"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant",
- "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
- "service": "VNet",
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "87ab177a-db59-4f6b-a613-334fd09dc234",
+ "link": "https://docs.openshift.com/container-platform/4.13/machine_management/applying-autoscaling.html",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Performance",
+ "text": "Define ClusterAutoScaler and MachineAutoScaler to scale machines when your cluster runs out of resources to support more deployments.",
+ "waf": "Performance"
+ },
+ {
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "19db6128-1269-4040-a4ba-4d3e0804276d",
+ "link": "https://learn.microsoft.com/azure/openshift/support-policies-v4#supported-virtual-machine-sizes",
 "services": [
- "Entra",
- "ExpressRoute",
- "VNet"
+ "VM"
 ],
- "severity": "Medium",
- "subcategory": "Hub and spoke",
- "text": "When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000)",
+ "severity": "High",
+ "subcategory": "Reliability",
+ "text": "Use virtual machine sizes that are large enough to contain multiple container instances so you get the benefits of increased density, but not so large that your cluster can't handle the workload of a failing node.",
 "waf": "Reliability"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant",
- "guid": "3d457936-e9b7-41eb-bdff-314b26450b12",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
- "service": "VNet",
- "services": [
- "Storage"
- ],
- "severity": "Medium",
- "subcategory": "Hub and spoke",
- "text": "Consider the limit of routes per route table (400).",
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "4b98b15c-8b31-4aa5-aceb-58889135e227",
+ "link": "https://docs.openshift.com/container-platform/4.13/machine_management/deploying-machine-health-checks.html",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Reliability",
+ "text": "Deploy machine health checks to automatically repair damaged machines in a machine pool.",
 "waf": "Reliability"
 },
 {
- "ammp": true,
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)",
- "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering",
- "service": "VNet",
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "896d31b6-6c67-4ba5-a119-c08e8f5d587c",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-metric-alerts",
 "services": [
- "VNet"
+ "Monitor"
 ],
 "severity": "High",
- "subcategory": "Hub and spoke",
- "text": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings",
+ "subcategory": "Reliability",
+ "text": "Use an alerting system to provide notifications when things need direct action: Container Insights metric alerts or in-built Alerting UI.",
 "waf": "Reliability"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec",
- "service": "ExpressRoute",
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "7e9ced16-acd1-476e-b9b2-41a998a57ae7",
+ "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview#availability-zones",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Reliability",
+ "text": "Ensure that the cluster is created in a region that supports AZs and create a machine set for each AZ.",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "7b997e71-1b7d-4a8c-baa6-6e15d4d5ada9",
+ "link": "https://docs.openshift.com/container-platform/4.13/machine_management/creating-infrastructure-machinesets.html",
 "services": [
- "ExpressRoute"
+ "AKS"
 ],
- "severity": "Medium",
- "subcategory": "Encryption",
- "text": "When you're using ExpressRoute Direct, configure MACsec in order to encrypt traffic at the layer-two level between the organization's routers and MSEE. The diagram shows this encryption in flow.",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Reliability",
+ "text": "Create infrastructure machine sets to hold infrastructure components. Apply specific Kubernetes labels to these machines and then update the infrastructure components to run on only those machines.",
+ "waf": "Reliability"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about",
- "service": "ExpressRoute",
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "7dc3e232-6bb2-435c-905e-1696fdedfa8a",
+ "link": "https://learn.microsoft.com/azure/openshift/howto-create-a-backup#create-a-backup-with-velero-to-include-snapshots",
 "services": [
- "ExpressRoute",
- "VPN"
+ "Backup"
 ],
+ "severity": "Medium",
+ "subcategory": "Reliability",
+ "text": "Create application backup and plan for restore and include persistent volumes in the backup.",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "81c12318-1a64-4174-8583-3fb4ae3c2df7",
+ "link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-priority.html",
+ "services": [],
 "severity": "Low",
- "subcategory": "Encryption",
- "text": "For scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), use a VPN gateway to establish IPsec tunnels over ExpressRoute private peering.",
- "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
- "waf": "Security"
+ "subcategory": "Reliability",
+ "text": "Use pod priorities, so that in case of limited resources the most critical pods will run.",
+ "waf": "Reliability"
 },
 {
- "ammp": true,
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "558fd772-49b8-4211-82df-27ee412e7f98",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "ExpressRoute",
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "43166c3b-cbe0-45bb-b209-d4a0da577784",
+ "link": "https://docs.openshift.com/container-platform/4.13/architecture/admission-plug-ins.html",
 "services": [
- "VNet",
- "ACR"
+ "AzurePolicy"
 ],
- "severity": "High",
- "subcategory": "IP plan",
- "text": "Ensure no overlapping IP address spaces across Azure regions and on-premises locations are used",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "severity": "Low",
+ "subcategory": "Security",
+ "text": "Regulate cluster functions using admission plug-ins, which are commonly used to enforce security policy, resource limitations, or configuration requirements.",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr",
- "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "VNet",
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "24d21678-5d2f-4a56-a56a-d48408fe8273",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication",
 "services": [
- "VNet"
- ],
- "severity": "Low",
- "subcategory": "IP plan",
- "text": "Use IP addresses from the address allocation ranges for private internets (RFC 1918).",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "ACR"
+ ],
+ "severity": "Low",
+ "subcategory": "Security",
+ "text": "Store your container images in Azure Container Registry and geo-replicate the registry to each region.",
 "waf": "Security"
 },
 {
- "ammp": true,
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant",
- "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "VNet",
- "services": [
- "VNet"
- ],
- "severity": "High",
- "subcategory": "IP plan",
- "text": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16)",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "4c486ba2-80dc-4059-8cf7-5ee8e1309ccc",
+ "link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-vertical-autoscaler.html",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Workload",
+ "text": "Optimize the CPU and memory request values, and maximize the efficiency of the cluster resources using vertical pod autoscaler.",
 "waf": "Performance"
 },
 {
- "ammp": true,
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9",
- "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses",
- "service": "VNet",
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "d579366b-cda2-4750-aa1a-bfe9d55d14c3",
+ "link": "https://docs.openshift.com/container-platform/4.13/applications/application-health.html",
 "services": [
- "VNet"
+ "Monitor"
 ],
- "severity": "High",
- "subcategory": "IP plan",
- "text": "Avoid using overlapping IP address ranges for production and DR sites.",
- "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "severity": "Medium",
+ "subcategory": "Workload",
+ "text": "Add health probes to your pods to monitor application health. Make sure pods contain livenessProbe and readinessProbe. Use Startup probes to determine the point at which the application has started up.",
 "waf": "Reliability"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances",
- "service": "DNS",
- "services": [
- "VNet",
- "DNS"
- ],
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "c4929cb1-b3d1-4325-ae12-4ba34d0685ed",
+ "link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-autoscaling.html",
+ "services": [],
 "severity": "Medium",
- "subcategory": "IP plan",
- "text": "For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution with a delegated zone for name resolution (such as 'azure.contoso.com').",
- "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
- "waf": "Operations"
+ "subcategory": "Workload",
+ "text": "Scale pods to meet demand using horizontal pod autoscaler.",
+ "waf": "Reliability"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0",
- "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview",
- "service": "DNS",
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "dce9be3b-b0dd-4b3b-95fb-2ec14eeaa359",
+ "link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-configuring.html#nodes-pods-pod-distruption-about_nodes-pods-configuring",
 "services": [
- "VNet",
- "DNS",
- "ACR"
+ "Cost"
 ],
 "severity": "Medium",
- "subcategory": "IP plan",
- "text": "For environments where name resolution across Azure and on-premises is required, consider using Azure DNS Private Resolver.",
- "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/",
- "waf": "Security"
+ "subcategory": "Workload",
+ "text": "Use disruption budgets to ensure the required number of pod replicas exist to handle expected application load.",
+ "waf": "Reliability"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances",
- "service": "DNS",
- "services": [
- "VNet",
- "DNS"
- ],
- "severity": "Low",
- "subcategory": "IP plan",
- "text": "Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred DNS solution.",
- "waf": "Operations"
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "2829e2ed-b217-4367-9aff-6791b4935ada",
+ "link": "https://docs.openshift.com/container-platform/4.13/nodes/scheduling/nodes-scheduler-pod-topology-spread-constraints.html",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Workload",
+ "text": "Use pod topology constraints to automatically schedule pods on nodes throughout the cluster.",
+ "waf": "Reliability"
 },
 {
- "ammp": true,
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "614658d3-558f-4d77-849b-821112df27ee",
- "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration",
- "service": "DNS",
- "services": [
- "VNet",
- "VM",
- "DNS"
- ],
+ "category": "Operations Management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "fea1dbf3-dd95-4d48-a7c8-91dcb1f7d575",
+ "link": "https://learn.microsoft.com/azure/openshift/intro-openshift#service-level-agreement",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Availablity",
+ "text": "Leverage Current ARO SLA - 99.95 into BCDR planning",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "b95e06e1-58e2-4ea3-a92c-2de6e2065b3a",
+ "link": "https://www.redhat.com/rhdc/managed-files/pa-getting-started-azure-openshift-ebook-f20686-201911-en_0.pdf",
+ "services": [],
 "severity": "High",
- "subcategory": "IP plan",
- "text": "Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual machines deployed within a virtual network.",
- "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
- "waf": "Operations"
+ "subcategory": "Cluster Design",
+ "text": "Run user workloads on the worker nodes, not the control plane nodes",
+ "waf": "Reliability"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad",
- "link": "https://learn.microsoft.com/azure/bastion/bastion-overview",
- "service": "Bastion",
+ "category": "Operations Management",
+ "checklist": "Azure Red Hat OpenShift",
+ "description": "Create infrastructure machine sets to hold infrastructure components. Apply specific Kubernetes labels to these machines and then update the infrastructure components to run on only those machines",
+ "guid": "76af4a69-1e88-439a-ba46-667e13c10567",
+ "link": "https://learn.microsoft.com/azure/openshift/howto-segregate-machinesets",
 "services": [
- "Bastion"
+ "VNet",
+ "AKS"
 ],
 "severity": "Medium",
- "subcategory": "Internet",
- "text": "Consider using Azure Bastion to securely connect to your network.",
- "waf": "Security"
+ "subcategory": "Cluster Design",
+ "text": "Isolate workloads into worker nodes running in individual subnets as needed",
+ "waf": "Reliability"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant",
- "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0",
- "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet",
- "service": "Bastion",
+ "category": "Operations Management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "785c6fe9-6c96-4ad8-a44c-f3b2b38c886b",
+ "link": "https://learn.microsoft.com/azure/openshift/howto-create-a-backup",
 "services": [
- "VNet",
- "Bastion"
+ "Backup"
 ],
 "severity": "Medium",
- "subcategory": "Internet",
- "text": "Use Azure Bastion in a subnet /26 or larger.",
- "waf": "Security"
+ "subcategory": "Backup",
+ "text": "Backup a cluster state for stateful workload scenarios to a paired region",
+ "waf": "Reliability"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
- "service": "WAF",
+ "category": "Operations Management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "a2c02149-9014-4a5d-9ce5-74dccbd9792a",
+ "link": "https://access.redhat.com/documentation/red_hat_openshift_container_storage/4.4/html/deploying_and_managing_openshift_container_storage_on_microsoft_azure/deploying-openshift-container-storage-on-microsoft-azure_rhocs",
 "services": [
- "FrontDoor",
- "AzurePolicy",
- "ACR",
- "WAF"
+ "Storage",
+ "ACR"
 ],
 "severity": "Medium",
- "subcategory": "Internet",
- "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "Security"
+ "subcategory": "Data Store",
+ "text": "If container storage is required, ensure availability across regions if needed: Using RWX storage with inbuilt Azure Files storage class. Using CSI Drivers for storage provisioning",
+ "waf": "Reliability"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "WAF",
- "services": [
- "FrontDoor",
- "AzurePolicy",
- "AppGW",
- "WAF"
- ],
+ "category": "Operations Management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "6bcca2b4-fea1-4dbf-9dd9-5d48c7c891dc",
+ "link": "https://docs.openshift.com/aro/3/dev_guide/persistent_volumes.html",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Data Store",
+ "text": "Whenever possible, move state out of containers and into external databases that support multi-region replication. Avoid Persistent Volumes",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Platform Automation",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "42324ece-81c1-4231-a1a6-417415833fb4",
+ "link": "https://docs.openshift.com/container-platform/4.13/applications/deployments/route-based-deployment-strategies.html",
+ "services": [],
 "severity": "Low",
- "subcategory": "Internet",
- "text": "When using Azure Front Door and Azure Application Gateway to help protect HTTP/S apps, use WAF policies in Azure Front Door. Lock down Azure Application Gateway to receive traffic only from Azure Front Door.",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "Security"
+ "subcategory": "Workload",
+ "text": "Consider blue/green or canary strategies to deploy new releases of application.",
+ "waf": "Operations"
 },
 {
- "ammp": true,
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "WAF",
- "services": [
- "VNet",
- "WAF"
- ],
+ "category": "Platform Automation",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "ae3c2df7-4316-46c3-acbe-05bbe209d4a0",
+ "link": "https://docs.openshift.com/container-platform/4.13/cicd/gitops/understanding-openshift-gitops.html",
+ "services": [],
+ "severity": "Low",
+ "subcategory": "Workload",
+ "text": "Consider using Red Hat OpenShift GitOps. Red Hat OpenShift GitOps uses Argo CD to maintain cluster resources and support application CI/CD.",
+ "waf": "Operations"
+ },
+ {
+ "category": "Security",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "da577784-24d2-4167-a5d2-fa56c56ad484",
+ "link": "https://learn.microsoft.com/azure/openshift/support-lifecycle",
+ "services": [],
 "severity": "High",
- "subcategory": "Internet",
- "text": "Deploy WAFs and other reverse proxies are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network and together with the apps that they're protecting and exposing to the internet.",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "subcategory": "Control plane",
+ "text": "Keep your clusters on the latest OpenShift version to avoid potential security or upgrade issues.",
 "waf": "Security"
 },
 {
- "ammp": true,
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
- "service": "VNet",
+ "category": "Security",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "08fe8273-4c48-46ba-880d-c0591cf75ee8",
+ "link": "https://learn.microsoft.com/azure/azure-arc/kubernetes/quickstart-connect-cluster",
 "services": [
- "VNet",
- "DDoS"
+ "AKS",
+ "Arc"
 ],
 "severity": "High",
- "subcategory": "Internet",
- "text": "Use Azure DDoS Network or IP Protection plans to help protect Public IP Addresses endpoints within the virtual networks.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "subcategory": "Control plane",
+ "text": "Connect Azure Red Hat OpenShift clusters to Azure Arc-enabled Kubernetes.",
 "waf": "Security"
 },
 {
- "ammp": true,
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": 
"b034c01e-110b-463a-b36e-e3346e57f225", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", - "service": "VNet", + "category": "Security", + "checklist": "Azure Red Hat OpenShift", + "guid": "e1309ccc-d579-4366-acda-2750aa1abfe9", + "link": "https://docs.openshift.com/container-platform/4.10/security/encrypting-etcd.html", "services": [], - "severity": "High", - "subcategory": "Internet", - "text": "Assess and review network outbound traffic configuration and strategy before the upcoming breaking change. On September 30, 2025, default outbound access for new deployments will be retired and only explicit access configurations will be allowed", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Encryption", + "text": "For Azure Red Hat OpenShift 4 clusters, etcd data isn't encrypted by default, but it's recommended to enable etcd encryption to provide another layer of data security.", + "waf": "Security" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", + "category": "Security", + "checklist": "Azure Red Hat OpenShift", + "guid": "d55d14c3-c492-49cb-8b3d-1325ae124ba3", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction", "services": [ - "DDoS" + "Defender", + "AKS", + "Arc" ], - "severity": "High", - "subcategory": "Internet", - "text": "Add diagnostic settings to save DDoS related logs for all the protected public IP addresses (DDoS IP or Network Protection).", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "severity": "Medium", + "subcategory": "Posture", + "text": "Use Microsoft Defender for Containers supported via Arc-enabled Kubernetes to secure clusters, containers, and 
applications.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli", - "service": "ExpressRoute", + "category": "Security", + "checklist": "Azure Red Hat OpenShift", + "guid": "4d0685ed-dce9-4be3-ab0d-db3b55fb2ec1", + "link": "https://learn.microsoft.com/azure/azure-arc/kubernetes/tutorial-akv-secrets-provider", "services": [ - "ExpressRoute" + "AKS", + "AKV", + "Arc" ], "severity": "Medium", - "subcategory": "Hybrid", - "text": "Ensure that you have investigated the possibility to use ExpressRoute as primary connection to Azure.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "subcategory": "Secrets", + "text": "For applications that require access to sensitive information, use a service principal and the AKV Secrets Provider with the extension for Arc-enabled Kubernetes clusters.", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "description": "You can use AS-path prepending and connection weights to influence traffic from Azure to on-premises, and the full range of BGP attributes in your own routers to influence traffic from on-premises to Azure.", - "guid": "f29812b2-363c-4efe-879b-599de0d5973c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", - "service": "ExpressRoute", - "services": [ - "ExpressRoute" - ], + "category": "Security", + "checklist": "Azure Red Hat OpenShift", + "guid": "4eeaa359-2829-4e2e-bb21-73676aff6791", + "link": "https://learn.microsoft.com/azure/aks/developer-best-practices-pod-security#secure-pod-access-to-resources", + "services": [], "severity": "Medium", - "subcategory": "Hybrid", - "text": "When you use multiple 
ExpressRoute circuits, or multiple on-prem locations, make sure to optimize routing with BGP attributes, if certain paths are preferred.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "subcategory": "Workload", + "text": "Secure pod access to resources. Provide the least number of permissions, and avoid using root or privileged escalation.", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", - "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", - "service": "ExpressRoute", + "category": "Security", + "checklist": "Azure Red Hat OpenShift", + "guid": "b4935ada-4232-44ec-b81c-123181a64174", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-extension-for-azure-arc-enabled-kubernetes", "services": [ - "ExpressRoute", - "VPN" + "Monitor", + "AzurePolicy" ], "severity": "Medium", - "subcategory": "Hybrid", - "text": "Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "subcategory": "Workload", + "text": "Monitor and enforce configuration by using the Azure Policy Extension.", + "waf": "Security" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": 
"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", - "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", - "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", - "service": "ExpressRoute", + "category": "Security", + "checklist": "Azure Red Hat OpenShift", + "guid": "15833fb4-ae3c-42df-9431-66c3bcbe05bb", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction", "services": [ - "ExpressRoute", - "Cost" + "Defender" ], "severity": "High", - "subcategory": "Hybrid", - "text": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost.", - "waf": "Cost" + "subcategory": "Workload", + "text": "Scan your images for vulnerabilities with Microsoft Defender or any other image scanning solution.", + "waf": "Security" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", - "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", - "service": "ExpressRoute", + "category": "Security", + "checklist": "Azure Red Hat OpenShift", + "guid": "e209d4a0-da57-4778-924d-216785d2fa56", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link", "services": [ - "ExpressRoute", - "Cost" + 
"ACR", + "Subscriptions" ], - "severity": "High", - "subcategory": "Hybrid", - "text": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU.", - "waf": "Cost" + "severity": "Low", + "subcategory": "Workload", + "text": "Deploy a dedicated and private instance of Azure Container Registry to each landing zone subscription.", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", - "service": "ExpressRoute", + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", + "service": "AVS", "services": [ - "ExpressRoute" + "Entra", + "Subscriptions", + "AVS" ], - "severity": "Medium", - "subcategory": "Hybrid", - "text": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "severity": "High", + "subcategory": "Identity", + "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "75089c20-990d-4927-b105-885576f76fc2", + "service": "AVS", "services": [ - "ExpressRoute" + "Entra", + "AVS" ], "severity": "Medium", - "subcategory": "Hybrid", - "text": "For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps ports, use ExpressRoute Direct.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "subcategory": "Identity", + "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", - "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", - "service": "ExpressRoute", + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", + "service": "AVS", "services": [ - "ExpressRoute" + "Entra", + "AVS" ], - "severity": "Medium", - "subcategory": "Hybrid", - "text": "When low latency is required, or throughput from on-premises to Azure must be greater than 10 Gbps, enable FastPath to bypass the ExpressRoute gateway from the data path.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "severity": "High", + "subcategory": "Identity", + "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where 
type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", - "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", - "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", - "service": "VPN", + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", + "service": "AVS", "services": [ - "VPN" - ], - "severity": "Medium", - "subcategory": "Hybrid", - "text": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available).", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "Reliability" + "Entra", + "AVS" + ], + "severity": "Medium", + "subcategory": "Identity", + "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", - "service": "VPN", + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", + "service": "AVS", "services": [ - "VPN" + "Entra", + "AVS" ], "severity": "Medium", - "subcategory": "Hybrid", - "text": "Use redundant VPN appliances on-premises (active/active or active/passive).", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "Reliability" + "subcategory": "Identity", + "text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)", + "waf": "Security" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": 
"718cb437-b060-2589-8856-2e93a5c6633b", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", - "service": "ExpressRoute", + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", + "service": "AVS", "services": [ - "ExpressRoute", - "Cost" + "Entra", + "AVS" ], "severity": "High", - "subcategory": "Hybrid", - "text": "If using ExpressRoute Direct, consider using ExpressRoute Local circuits to the local Azure regions to save costs", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Cost" + "subcategory": "Identity", + "text": "Ensure that NSX-Manager is integrated with an external Identity provider (LDAPS)", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", - "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", - "service": "ExpressRoute", + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", + "service": "AVS", "services": [ - "ExpressRoute" + "Entra", + "RBAC", + "AVS" ], "severity": "Medium", - "subcategory": "Hybrid", - "text": "When traffic isolation or dedicated bandwidth is required, such as for separating production and nonproduction environments, use different ExpressRoute circuits. 
It will help you ensure isolated routing domains and alleviate noisy-neighbor risks.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "subcategory": "Identity", + "text": "Has an RBAC model been created for use within VMware vSphere", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "b30e38c3-f298-412b-8363-cefe179b599d", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", - "service": "ExpressRoute", + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", + "service": "AVS", "services": [ - "ExpressRoute", - "Monitor" + "Entra", + "RBAC", + "AVS" ], "severity": "Medium", - "subcategory": "Hybrid", - "text": "Monitor ExpressRoute availability and utilization using built-in Express Route Insights.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Operations" + "subcategory": "Identity", + "text": "RBAC permissions should be granted on ADDS groups and not on specific users", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", - "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", - "service": "ExpressRoute", + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", + "service": "AVS", "services": [ - "ACR", - "NetworkWatcher", - "Monitor" + "Entra", + "RBAC", + "AVS" ], - "severity": "Medium", - "subcategory": "Hybrid", - "text": "Use Connection Monitor for connectivity monitoring across the network, especially between on-premises and Azure.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", 
- "waf": "Operations" + "severity": "High", + "subcategory": "Identity", + "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", - "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#challenges-of-using-multiple-expressroute-circuits", - "service": "ExpressRoute", + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", + "service": "AVS", "services": [ - "ExpressRoute" + "Entra", + "RBAC", + "AVS" ], - "severity": "Medium", - "subcategory": "Hybrid", - "text": "Use ExpressRoute circuits from different peering locations for redundancy.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "severity": "High", + "subcategory": "Identity", + "text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", - "link": 
"https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", - "service": "ExpressRoute", + "category": "Networking", + "checklist": "Azure VMware Solution Design Review", + "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", + "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", + "service": "AVS", "services": [ - "ExpressRoute", - "VPN" + "AVS" ], - "severity": "Medium", - "subcategory": "Hybrid", - "text": "Use site-to-site VPN as failover of ExpressRoute, especially if only using a single ExpressRoute circuit.", - "waf": "Reliability" + "severity": "High", + "subcategory": "Architecture", + "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand", + "waf": "Performance" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", - "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", - "service": "ExpressRoute", + "category": "Networking", + "checklist": "Azure VMware Solution Design Review", + "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", + "service": "AVS", "services": [ - "VNet", - "Storage" + "AVS", + "ExpressRoute", + "VPN", + "Monitor", + "NetworkWatcher" ], "severity": "High", - "subcategory": 
"Hybrid", - "text": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated.", - "waf": "Reliability" + "subcategory": "Monitoring", + "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'", + "waf": "Operations" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "d581a947-69a2-4783-942e-9df3664324c8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", - "service": "ExpressRoute", + "category": "Networking", + "checklist": "Azure VMware Solution Design Review", + "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", + "service": "AVS", "services": [ + "AVS", "ExpressRoute", - "ACR" + "Monitor", + "VM", + "NetworkWatcher" ], - "severity": "High", - "subcategory": "Hybrid", - "text": "If using ExpressRoute, your on-premises routing should be dynamic: in the event of a connection failure it should converge to the remaining connection of the circuit. 
Load should be shared across both connections ideally as active/active, although active/passive is supported too.", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Monitoring", + "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", - "service": "ExpressRoute", + "category": "Networking", + "checklist": "Azure VMware Solution Design Review", + "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", + "service": "AVS", "services": [ - "ExpressRoute" + "Monitor", + "AVS", + "VM", + "NetworkWatcher" ], "severity": "Medium", - "subcategory": "Hybrid", - "text": "Ensure the two physical links of your ExpressRoute circuit are connected to two distinct edge devices in your network.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "subcategory": "Monitoring", + "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", - "service": "ExpressRoute", - "services": [], - "severity": "Medium", - "subcategory": "Hybrid", - "text": "Ensure Bidirectional Forwarding Detection (BFD) is enabled and configured on customer or provider edge routing devices.", - "training": 
"https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "category": "Networking", + "checklist": "Azure VMware Solution Design Review", + "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", + "service": "AVS", + "services": [ + "ARS", + "AVS" + ], + "severity": "High", + "subcategory": "Routing", + "text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "ExpressRoute", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", + "service": "AVS", "services": [ - "ExpressRoute" + "Entra", + "RBAC", + "AVS" ], "severity": "High", - "subcategory": "Hybrid", - "text": "Connect the ExpressRoute Gateway to two or more circuits from different peering locations for higher resiliency.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "subcategory": "Security (identity)", + "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", - "service": "ExpressRoute", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", + "service": 
"AVS", "services": [ - "ExpressRoute", - "VNet", - "Monitor" + "Entra", + "RBAC", + "AVS" ], - "severity": "Medium", - "subcategory": "Hybrid", - "text": "Configure diagnostic logs and alerts for ExpressRoute virtual network gateway.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Operations" + "severity": "High", + "subcategory": "Security (identity)", + "text": "Privileged Identity Management audit reporting should be implemented for the Azure VMware Solution PIM roles", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "5234c93f-b651-41dd-80c1-234177b91ced", - "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", - "service": "ExpressRoute", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", + "service": "AVS", "services": [ - "ExpressRoute", - "VNet" + "Entra", + "AVS" ], "severity": "Medium", - "subcategory": "Hybrid", - "text": "Avoid using ExpressRoute circuits for VNet-to-VNet communication.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "subcategory": "Security (identity)", + "text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic Host replacement notifications. 
(standing permissions required)", + "waf": "Security" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", - "link": "https://learn.microsoft.com/azure/app-service/networking-features", - "service": "Firewall", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", + "service": "AVS", "services": [ - "Firewall" + "Entra", + "AVS" ], "severity": "High", - "subcategory": "Firewall", - "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "subcategory": "Security (identity)", + "text": "Limit use of CloudAdmin account to emergency access only", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", + "service": "AVS", "services": [ + "Entra", "RBAC", - "AzurePolicy", - "ACR", - "Firewall" + "AVS" ], "severity": "Medium", - "subcategory": "Firewall", - "text": "Create a global Azure Firewall policy to govern security posture across the global network environment and assign it to all Azure Firewall instances. 
Allow for granular policies to meet requirements of specific regions by delegating incremental firewall policies to local security teams via Azure role-based access control.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "subcategory": "Security (identity)",
+ "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "655562f2-b3e4-4563-a4d8-739748b662d6",
- "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner",
- "service": "Firewall",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18",
+ "service": "AVS",
 "services": [
- "Firewall"
+ "Entra",
+ "AVS"
 ],
- "severity": "Low",
- "subcategory": "Firewall",
- "text": "Configure supported partner SaaS security providers within Firewall Manager if the organization wants to use such solutions to help protect outbound connections.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "severity": "Medium",
+ "subcategory": "Security (identity)",
+ "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials",
 "waf": "Security"
 },
 {
- "ammp": true,
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant",
- "guid": "14d99880-2f88-47e8-a134-62a7d85c94af",
- "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules",
- "service": "Firewall",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5",
+ "service": "AVS",
"services": [
- "DNS",
- "Firewall"
+ "Entra",
+ "AVS",
+ "VM"
 ],
 "severity": "High",
- "subcategory": "Firewall",
- "text": "Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules.",
+ "subcategory": "Security (identity)",
+ "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution",
 "waf": "Security"
 },
 {
- "ammp": true,
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant",
- "guid": "c10d51ef-f999-455d-bba0-5c90ece07447",
- "link": "https://learn.microsoft.com/azure/firewall/premium-features",
- "service": "Firewall",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4",
+ "service": "AVS",
 "services": [
- "Firewall"
+ "AVS"
 ],
- "severity": "High",
- "subcategory": "Firewall",
- "text": "Use Azure Firewall Premium for additional security and protection.",
+ "severity": "Medium",
+ "subcategory": "Security (network)",
+ "text": "Is East-West traffic filtering implemented within NSX-T",
 "waf": "Security"
 },
 {
- "ammp": true,
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant",
- "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3",
- "link": "https://learn.microsoft.com/azure/firewall/premium-features",
- "service": "Firewall",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd",
+ "service": "AVS",
 "services": [
+ "AppGW",
+ "AVS",
 "Firewall"
 ],
 "severity": "High",
- 
"subcategory": "Firewall",
- "text": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection.",
+ "subcategory": "Security (network)",
+ "text": "Workloads on Azure VMware Solution are not directly exposed to the internet. Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions",
 "waf": "Security"
 },
 {
- "ammp": true,
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant",
- "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c",
- "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps",
- "service": "Firewall",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938",
+ "service": "AVS",
 "services": [
- "Firewall"
+ "AVS"
 ],
 "severity": "High",
- "subcategory": "Firewall",
- "text": "Configure Azure Firewall IDPS mode to Deny for additional protection.",
+ "subcategory": "Security (network)",
+ "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads",
 "waf": "Security"
 },
 {
- "ammp": true,
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 
'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant",
- "guid": "a3784907-9836-4271-aafc-93535f8ec08b",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview",
- "service": "Firewall",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "29e3eec2-1836-487a-8077-a2b5945bda43",
+ "service": "AVS",
 "services": [
- "VNet",
- "Firewall",
- "Storage",
- "VWAN",
- "NVA"
+ "Monitor",
+ "AVS"
 ],
- "severity": "High",
- "subcategory": "Firewall",
- "text": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance",
+ "severity": "Medium",
+ "subcategory": "Security (network)",
+ "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity",
 "waf": "Security"
 },
 {
- "ammp": true,
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "715d833d-4708-4527-90ac-1b142c7045ba",
- "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs",
- "service": "Firewall",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "334fdf91-c234-4182-a652-75269440b4be",
+ "service": 
"AVS",
 "services": [
- "Storage",
- "Firewall"
+ "VNet",
+ "AVS",
+ "ExpressRoute",
+ "VPN",
+ "DDoS"
 ],
 "severity": "Medium",
- "subcategory": "Firewall",
- "text": "Add diagnostic settings to save logs, using the Resource Specific destination table, for all Azure Firewall deployments.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Operations"
+ "subcategory": "Security (network)",
+ "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure",
+ "waf": "Security"
 },
 {
- "ammp": true,
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa",
- "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy",
- "service": "Firewall",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb",
+ "service": "AVS",
 "services": [
- "AzurePolicy",
- "Firewall"
+ "AVS"
 ],
- "severity": "Important",
- "subcategory": "Firewall",
- "text": "Migrate from Azure Firewall Classic rules (if exist) to Firewall Policy.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Operations"
+ "severity": "Medium",
+ "subcategory": "Security (network)",
+ "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager",
+ "waf": "Security"
 },
 {
- "ammp": true,
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct 
id, compliant",
- "guid": "22d6419e-b627-4d95-9e7d-019fa759387f",
- "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size",
- "service": "Firewall",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d",
+ "service": "AVS",
 "services": [
- "VNet",
- "Firewall"
+ "AVS",
+ "Defender"
 ],
- "severity": "High",
- "subcategory": "Segmentation",
- "text": "Use a /26 prefix for your Azure Firewall subnets.",
+ "severity": "Medium",
+ "subcategory": "Security (guest/VM)",
+ "text": "Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7",
- "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy",
- "service": "Firewall",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45",
+ "service": "AVS",
 "services": [
- "AzurePolicy"
+ "AVS",
+ "Arc"
 ],
 "severity": "Medium",
- "subcategory": "Firewall",
- "text": "Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use",
- "waf": "Performance"
+ "subcategory": "Security (guest/VM)",
+ "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)",
+ "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1",
- "link": "https://learn.microsoft.com/azure/firewall/ip-groups",
- "service": "Firewall",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ 
"guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a",
+ "service": "AVS",
 "services": [
- "Storage"
+ "AVS",
+ "SQL"
 ],
- "severity": "Medium",
- "subcategory": "Firewall",
- "text": "Use IP Groups or IP prefixes to reduce number of IP table rules",
- "waf": "Performance"
+ "severity": "Low",
+ "subcategory": "Security (guest/VM)",
+ "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). (vSAN encryption at rest is default)",
+ "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a",
- "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat",
- "service": "Firewall",
- "services": [],
- "severity": "Medium",
- "subcategory": "Firewall",
- "text": "Avoid wildcards as a source IP for DNATS, such as * or any, you should specify source IPs for incoming DNATs",
- "waf": "Performance"
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "a3592718-e6e2-4051-9267-6ae46691e883",
+ "service": "AVS",
+ "services": [
+ "AVS",
+ "AKV"
+ ],
+ "severity": "Low",
+ "subcategory": "Security (guest/VM)",
+ "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible",
+ "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "7371dc21-251a-47a3-af14-6e01b9da4757",
- "link": "https://learn.microsoft.com/azure/nat-gateway/tutorial-hub-spoke-nat-firewall",
- "service": "Firewall",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "5ac94222-3e13-4810-9230-81a941741583",
+ "service": "AVS",
 "services": [
- "Monitor"
+ "AVS"
 ],
 "severity": "Medium",
- "subcategory": "Firewall",
- "text": "Prevent SNAT Port exhaustion by monitoring SNAT port usage, evaluating NAT Gateway settings, and ensuring 
seamless failover. If the port count approaches the limit, it’s a sign that SNAT exhaustion might be imminent.",
- "waf": "Performance"
+ "subcategory": "Security (guest/VM)",
+ "text": "Consider using extended security update support for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)",
+ "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "346840b8-1064-496e-8396-4b1340172d52",
- "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection",
- "service": "Firewall",
- "services": [],
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609",
+ "service": "AVS",
+ "services": [
+ "AVS"
+ ],
 "severity": "High",
- "subcategory": "Firewall",
- "text": "Enable TLS Inspection",
- "waf": "Performance"
+ "subcategory": "Governance (platform)",
+ "text": "Ensure that the appropriate vSAN Data redundancy method is used (RAID specification)",
+ "waf": "Reliability"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c",
- "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories",
- "service": "Firewall",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d88408f3-7273-44c8-96ba-280214590146",
+ "service": "AVS",
 "services": [
- "ServiceBus"
+ "Storage",
+ "AVS",
+ "AzurePolicy"
 ],
- "severity": "Low",
- "subcategory": "Firewall",
- "text": "Use web categories to allow or deny outbound access to specific topics.",
- "waf": "Performance"
- },
- {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a",
- "link": 
"https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall",
- "service": "Firewall",
- "services": [],
- "severity": "Medium",
- "subcategory": "Firewall",
- "text": "As part of your TLS inspection, plan for receiving traffic from Azure App Gateways for inspection.",
- "waf": "Performance"
+ "severity": "High",
+ "subcategory": "Governance (platform)",
+ "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs",
+ "waf": "Reliability"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad",
- "link": "https://learn.microsoft.com/azure/firewall/dns-details",
- "service": "Firewall",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a",
+ "service": "AVS",
 "services": [
- "DNS",
- "Firewall"
+ "ASR",
+ "AVS"
 ],
- "severity": "Medium",
- "subcategory": "Firewall",
- "text": "Enable Azure Firewall DNS proxy configuration ",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "Governance (platform)",
+ "text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement",
+ "waf": "Reliability"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41",
- "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp",
- "service": "Firewall",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19",
+ "service": "AVS",
 "services": [
- "AzurePolicy",
- "VM"
+ "AVS"
 ],
 "severity": "Medium",
- "subcategory": "Firewall",
- "text": "Ensure there is a policy assignment to deny Public IP addresses directly tied to Virtual Machines",
- "waf": "Security"
+ "subcategory": "Governance 
(platform)",
+ "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.",
+ "waf": "Operations"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da",
- "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics",
- "service": "Firewall",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52",
+ "service": "AVS",
 "services": [
- "Monitor",
- "Firewall"
+ "AVS",
+ "AzurePolicy"
 ],
- "severity": "Low",
- "subcategory": "Firewall",
- "text": "Integrate Azure Firewall with Azure Monitor and enable diagnostic logging to store and analyze firewall logs.",
+ "severity": "Medium",
+ "subcategory": "Governance (platform)",
+ "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes",
 "waf": "Operations"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "64e7000e-3c06-485e-b455-ced7f454cba3",
- "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall",
- "service": "Firewall",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef",
+ "service": "AVS",
 "services": [
- "Backup"
+ "AVS",
+ "Cost"
 ],
- "severity": "Low",
- "subcategory": "Firewall",
- "text": "Implement backups for your firewall rules",
- "waf": "Operations"
+ "severity": "Medium",
+ "subcategory": "Governance (platform)",
+ "text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used",
+ "waf": "Cost"
 },
 {
- "ammp": true,
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": 
"d301d6e8-72e5-42e3-911c-c58b5a4b1511",
- "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services",
- "service": "App Gateway",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6e043e2a-a359-4271-ae6e-205172676ae4",
+ "service": "AVS",
 "services": [
- "VNet"
+ "AVS",
+ "Cost"
 ],
- "severity": "High",
- "subcategory": "PaaS",
- "text": "Ensure that control-plane communication for Azure PaaS services injected into a virtual network is not broken, for example with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic.",
- "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Governance (platform)",
+ "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution",
+ "waf": "Cost"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "e43a58a9-c229-49c4-b7b5-7d0c655562f2",
- "link": "https://learn.microsoft.com/azure/app-service/networking-features",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6691e883-5ac9-4422-83e1-3810523081a9",
+ "service": "AVS",
 "services": [
- "PrivateLink"
+ "AVS"
 ],
 "severity": "Medium",
- "subcategory": "PaaS",
- "text": "Use Private Link, where available, for shared Azure PaaS services.",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "subcategory": "Governance (platform)",
+ "text": "Consider the use of Azure Private-Link when using other Azure Native Services",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a",
- "link": "https://learn.microsoft.com/azure/app-service/networking-features",
- "service": "ExpressRoute",
+ "category": "Governance",
+ "checklist": 
"Azure VMware Solution Design Review",
+ "guid": "db611712-6904-40b4-aa3d-3e0803276d4b",
+ "service": "AVS",
 "services": [
- "ExpressRoute",
- "PrivateLink"
+ "AVS"
 ],
- "severity": "Medium",
- "subcategory": "PaaS",
- "text": "Access Azure PaaS services from on-premises via private endpoints and ExpressRoute private peering. This method avoids transiting over the public internet.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "Governance (platform)",
+ "text": "Ensure all required resource reside within the same Azure availability zone(s)",
+ "waf": "Performance"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc",
- "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6",
- "link": "https://learn.microsoft.com/azure/app-service/networking-features",
- "service": "VNet",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da",
+ "service": "AVS",
 "services": [
- "VNet"
+ "AVS",
+ "VM",
+ "Defender"
 ],
 "severity": "Medium",
- "subcategory": "PaaS",
- "text": "Don't enable virtual network service endpoints by default on all subnets.",
- "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
+ "subcategory": "Governance (guest/VM)",
+ "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- 
"checklist": "Azure Landing Zone Review",
- "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe",
- "link": "https://learn.microsoft.com/azure/app-service/networking-features",
- "service": "Firewall",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe",
+ "service": "AVS",
 "services": [
- "PrivateLink",
- "NVA",
- "DNS",
- "Firewall"
+ "AVS",
+ "VM",
+ "Arc"
 ],
 "severity": "Medium",
- "subcategory": "PaaS",
- "text": "Filter egress traffic to Azure PaaS services using FQDNs instead of IP addresses in Azure Firewall or an NVA to prevent data exfiltration. If using Private Link you can block all FQDNs, otherwise allow only the required PaaS services.",
- "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
+ "subcategory": "Governance (guest/VM)",
+ "text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads",
 "waf": "Security"
 },
 {
- "ammp": true,
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant",
- "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway",
- "service": "ExpressRoute",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a",
+ "service": "AVS",
 "services": [
- "ExpressRoute",
- "VNet",
- "VPN"
+ "AVS"
 ],
 "severity": "High",
- "subcategory": "Segmentation",
- "text": "Use at least a /27 
prefix for your Gateway subnets",
- "waf": "Security"
+ "subcategory": "Governance (guest/VM)",
+ "text": "Enable Diagnostic and metric logging on Azure VMware Solution",
+ "waf": "Operations"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)",
- "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8",
- "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags",
- "service": "NSG",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46",
+ "service": "AVS",
 "services": [
- "VNet"
+ "Monitor",
+ "AVS",
+ "VM"
 ],
 "severity": "Medium",
- "subcategory": "Segmentation",
- "text": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity.",
- "waf": "Security"
+ "subcategory": "Governance (guest/VM)",
+ "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads",
+ "waf": "Operations"
 },
 {
- "category": 
"Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "c2447ec6-6138-4a72-80f1-ce16ed301d6e",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "589d457a-927c-4397-9d11-02cad6aae11e",
+ "service": "AVS",
 "services": [
- "VNet"
+ "VM",
+ "AVS",
+ "AzurePolicy",
+ "Backup"
 ],
 "severity": "Medium",
- "subcategory": "Segmentation",
- "text": "Delegate subnet creation to the landing zone owner.",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
- "waf": "Security"
+ "subcategory": "Governance (guest/VM)",
+ "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads",
+ "waf": "Operations"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation",
- "service": "NSG",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "ee29711b-d352-4caa-ab79-b198dab81932",
+ "service": "AVS",
 "services": [
- "VNet",
- "ACR"
+ "Monitor",
+ "AVS",
+ "Defender"
 ],
 "severity": "Medium",
- "subcategory": "Segmentation",
- "text": "Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones).",
- "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
+ "subcategory": "Compliance",
+ "text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "graph": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)",
- "guid": "9c2299c4-d7b5-47d0-a655-562f2b3e4563",
- "service": "NSG",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547",
+ "service": "AVS",
 "services": [
- "VNet",
- "VM"
+ "AVS",
+ "Defender"
 ],
 "severity": "Medium",
- "subcategory": "Segmentation",
- "text": "The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone.",
- "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
+ "subcategory": "Compliance",
+ "text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "a4d87397-48b6-462d-9d15-f512a65498f6",
- "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
- "service": "NSG",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e",
+ "service": "AVS",
 "services": [
- "Entra",
- "VNet",
- "NVA"
+ "AVS"
 ],
- "severity": "Medium",
- "subcategory": "Segmentation",
- "text": "Use NSGs and application security groups to micro-segment traffic within the landing zone and avoid using a central NVA to filter traffic flows.",
- "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
+ "severity": "High",
+ "subcategory": "Compliance",
+ "text": "Was data residency evaluated when selecting Azure 
regions to use for Azure VMware Solution deployment",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "dfe237de-143b-416c-91d7-aa9b64704489",
- "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
- "service": "NSG",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a",
+ "service": "AVS",
 "services": [
- "VNet",
- "NetworkWatcher"
+ "AVS"
 ],
- "severity": "Medium",
- "subcategory": "Segmentation",
- "text": "Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
+ "severity": "High",
+ "subcategory": "Compliance",
+ "text": "Are data processing implications (service provider / service consumer model) clear and documented",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)",
- "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
- "service": "NSG",
+ "category": "Governance",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "547c1747-dc56-4068-a714-435cd19dd244",
+ "service": "AVS",
 "services": [
- "VNet"
+ "AVS"
 ],
 "severity": "Medium",
- "subcategory": "Segmentation",
- "text": "Consider the limit of NSG rules per NSG (1000).",
- "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
- "waf": "Reliability"
+ "subcategory": "Compliance",
+ "text": "Consider using CMK (Customer Managed Key) for 
vSAN only if needed for compliance reason(s).", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", - "service": "VWAN", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", + "service": "AVS", "services": [ - "VWAN" + "Monitor", + "AVS" ], - "severity": "Medium", - "subcategory": "Virtual WAN", - "text": "Consider Virtual WAN for simplified Azure networking management, and make sure your scenario is explicitly described in the list of Virtual WAN routing designs", - "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", + "severity": "High", + "subcategory": "Monitoring", + "text": "Create dashboards to enable core Azure VMware Solution monitoring insights", "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "VWAN", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", + "service": "AVS", "services": [ - "ACR", - "VWAN" + "Monitor", + "AVS" ], - "severity": "Medium", - "subcategory": "Virtual WAN", - "text": "Use a Virtual WAN hub per Azure region to connect multiple landing zones together across Azure regions via a common global Azure Virtual WAN.", - "waf": "Performance" + "severity": "High", + "subcategory": "Monitoring", + "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure 
Landing Zone Review", - "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "VWAN", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "9659e396-80e7-4828-ac93-5657d02bff45", + "service": "AVS", "services": [ - "VWAN", - "ACR" + "Monitor", + "AVS" ], - "severity": "Low", - "subcategory": "Virtual WAN", - "text": "Follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network", - "waf": "Performance" + "severity": "High", + "subcategory": "Monitoring", + "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", - "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "VWAN", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", + "service": "AVS", "services": [ - "VWAN", - "Firewall" + "Monitor", + "AVS" ], - "severity": "Medium", - "subcategory": "Virtual WAN", - "text": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "severity": "High", + "subcategory": "Monitoring", + "text": "Ensure alerts are configured for Azure Service Health alerts and notifications", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": 
"6667313b-4f56-464b-9e98-4a859c773e7d", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "VWAN", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", + "service": "AVS", "services": [ - "VWAN" + "Storage", + "Monitor", + "AVS" ], "severity": "Medium", - "subcategory": "Virtual WAN", - "text": "Ensure that the network architecture is within the Azure Virtual WAN limits.", - "waf": "Reliability" + "subcategory": "Monitoring", + "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", - "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", - "service": "VWAN", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", + "service": "AVS", "services": [ - "VWAN", - "Monitor" + "Monitor", + "AVS" ], - "severity": "Medium", - "subcategory": "Virtual WAN", - "text": "Use Azure Monitor Insights for Virtual WAN to monitor the end-to-end topology of the Virtual WAN, status, and key metrics.", + "severity": "Low", + "subcategory": "Monitoring", + "text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?", "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", - "service": "VWAN", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": 
"a91be1f3-88f0-43a4-b2cd-463cbbbc8682", + "service": "AVS", "services": [ - "VWAN" + "Storage", + "AVS", + "VM", + "AzurePolicy" ], - "severity": "Medium", - "subcategory": "Virtual WAN", - "text": "Make sure that your IaC deployments does not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked.", - "waf": "Reliability" + "severity": "High", + "subcategory": "Operations", + "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", - "service": "VWAN", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", + "service": "AVS", "services": [ - "ExpressRoute", - "VPN", - "VWAN" + "AVS" ], "severity": "Medium", - "subcategory": "Virtual WAN", - "text": "Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN.", - "waf": "Reliability" + "subcategory": "Operations", + "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", - "service": "VWAN", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", + "service": "AVS", "services": [ - "VWAN" + "Storage", + "AVS", + "Backup" ], "severity": "Medium", - "subcategory": "Virtual WAN", - "text": "Make sure that your IaC deployments are configuring label-based propagation 
in Virtual WAN, otherwise connectivity between virtual hubs will be impaired.", - "waf": "Reliability" + "subcategory": "Operations", + "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. Either in Azure native or on a disk pool-backed datastore", + "waf": "Operations" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "9c75dfef-573c-461c-a698-68598595581a", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", - "service": "VWAN", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", + "service": "AVS", "services": [ - "VWAN" + "AVS", + "Arc" ], - "severity": "High", - "subcategory": "Virtual WAN", - "text": "Assign enough IP space to virtual hubs, ideally a /23 prefix.", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Operations", + "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)", + "waf": "Operations" }, { - "ammp": true, - "category": "Governance", - "checklist": "Azure Landing Zone Review", - "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", + "service": "AVS", "services": [ - "AzurePolicy" + "Monitor", + "AVS" ], - "severity": "High", - "subcategory": "Governance", - "text": "Leverage Azure Policy strategically, define controls for your environment, using Policy Initiatives to group related policies.", - "waf": "Security" + "severity": "Medium", + "subcategory": "Operations", + "text": "Ensure workloads running on Azure VMware Solution are 
monitored using Azure Log Analytics and Azure Monitor", + "waf": "Operations" }, { - "category": "Governance", - "checklist": "Azure Landing Zone Review", - "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", + "service": "AVS", "services": [ - "RBAC", - "AzurePolicy" + "AVS" ], "severity": "Medium", - "subcategory": "Governance", - "text": "Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments.", - "waf": "Security" + "subcategory": "Operations", + "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management", + "waf": "Operations" }, { - "category": "Governance", - "checklist": "Azure Landing Zone Review", - "guid": "223ace8c-b123-408c-a501-7f154e3ab369", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", + "service": "AVS", "services": [ - "AzurePolicy", - "Subscriptions" + "Monitor", + "AVS", + "AzurePolicy" ], "severity": "Medium", - "subcategory": "Governance", - "text": "Establish Azure Policy definitions at the intermediate root management group so that they can be assigned at inherited scopes", - "waf": "Security" + "subcategory": "Operations", + "text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions", + "waf": "Operations" }, { - "category": "Governance", - "checklist": "Azure Landing Zone Review", - "guid": "3829e7e3-1618-4368-9a04-77a209945bda", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "category": "Management", + 
"checklist": "Azure VMware Solution Design Review", + "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", + "service": "AVS", "services": [ - "AzurePolicy" + "AVS", + "Defender" ], "severity": "Medium", - "subcategory": "Governance", - "text": "Manage policy assignments at the highest appropriate level with exclusions at bottom levels, if required.", + "subcategory": "Security", + "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud", "waf": "Security" }, { - "category": "Governance", - "checklist": "Azure Landing Zone Review", - "guid": "43334f24-9116-4341-a2ba-527526944008", - "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", - "service": "Policy", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", + "service": "AVS", "services": [ - "AzurePolicy", - "Subscriptions" + "AVS", + "Backup" ], - "severity": "Low", - "subcategory": "Governance", - "text": "Use Azure Policy to control which services users can provision at the subscription/management group level", - "waf": "Security" + "severity": "Medium", + "subcategory": "Backup", + "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure Landing Zone Review", - "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", + "service": "AVS", "services": [ - "AzurePolicy" + "ASR", + "AVS" ], "severity": "Medium", - "subcategory": "Governance", - "text": "Use built-in policies where possible to minimize operational overhead.", - "waf": "Security" + "subcategory": "Disaster Recovery", + "text": "Have all DR solutions been 
considered and a solution that is best for your business been decided upon? [SRM/JetStream/Zerto/Veeam/...]", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure Landing Zone Review", - "description": "Assigning the Resource Policy Contributor role to specific scopes allows you to delegate policy management to relevant teams. For instance, a central IT team may oversee management group-level policies, while application teams handle policies for their subscriptions, enabling distributed governance with adherence to organizational standards.", - "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", - "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", - "service": "Policy", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", + "service": "AVS", "services": [ - "RBAC", - "AzurePolicy", - "Subscriptions", - "Entra" + "ASR", + "AVS" ], "severity": "Medium", - "subcategory": "Governance", - "text": "Assign the built-in Resource Policy Contributor role at a particular scope to enable application-level governance.", - "waf": "Security" + "subcategory": "Disaster Recovery", + "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure Landing Zone Review", - "guid": "19048384-5c98-46cb-8913-156a12476e49", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", + "service": "AVS", "services": [ - "AzurePolicy", - "Subscriptions" + "ASR", + "AVS" ], - "severity": "Medium", - "subcategory": "Governance", - "text": "Limit the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited 
scopes.", - "waf": "Security" + "severity": "High", + "subcategory": "Disaster Recovery", + "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure Landing Zone Review", - "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", - "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", - "service": "Policy", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "8255461e-2aee-4345-9aec-8339248b262d", + "service": "AVS", "services": [ - "AzurePolicy" + "ASR", + "AVS" ], "severity": "Medium", - "subcategory": "Governance", - "text": "If any data sovereignty requirements exist, Azure Policies can be deployed to enforce them", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", - "waf": "Security" + "subcategory": "Disaster Recovery", + "text": "Use the geopolitical region pair as the secondary disaster recovery environment", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure Landing Zone Review", - "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", - "service": "Policy", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", + "service": "AVS", "services": [ - "AzurePolicy" + "ASR", + "AVS" ], - "severity": "Medium", - "subcategory": "Governance", - "text": "For Sovereign Landing Zone, sovereignty policy baseline' policy initiative is deployed and and assigned at correct MG level.", - "waf": "Security" + "severity": "High", + "subcategory": "Disaster Recovery", + "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions", + "waf": 
"Reliability" }, { - "category": "Governance", - "checklist": "Azure Landing Zone Review", - "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", - "service": "Policy", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", + "service": "AVS", "services": [ - "AzurePolicy" + "ASR", + "AVS", + "ExpressRoute", + "NVA" ], "severity": "Medium", - "subcategory": "Governance", - "text": "For Sovereign Landing Zone, sovereign Control objectives to policy mapping' is documented.", - "waf": "Security" + "subcategory": "Disaster Recovery", + "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure Landing Zone Review", - "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", - "service": "Policy", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", + "service": "AVS", "services": [ - "AzurePolicy" + "AVS", + "Backup" ], "severity": "Medium", - "subcategory": "Governance", - "text": "For Sovereign Landing Zone, process is in place for CRUD of 'Sovereign Control objectives to policy mapping'.", - "waf": "Security" + "subcategory": "Business Continuity", + "text": "Have all Backup solutions been considered and a solution that is best for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/�. 
]", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure Landing Zone Review", - "guid": "29fd366b-a180-452b-9bd7-954b7700c667", - "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets?bc=%2Fazure%2Fcloud-adoption-framework%2F_bread%2Ftoc.json&toc=%2Fazure%2Fcloud-adoption-framework%2Ftoc.json", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", + "service": "AVS", "services": [ - "Cost", - "TrafficManager", - "Monitor" + "AVS", + "Backup" ], "severity": "Medium", - "subcategory": "Optimize your cloud investment", - "text": "Configure 'Actual' and 'Forecasted' Budget Alerts.", - "waf": "Cost" + "subcategory": "Business Continuity", + "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", + "service": "AVS", "services": [ - "Entra", - "AzurePolicy", - "RBAC", - "Monitor" + "AVS", + "Backup" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Use a single monitor logs workspace to manage platforms centrally except where Azure role-based access control (Azure RBAC), data sovereignty requirements, or data retention policies mandate separate workspaces.", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "waf": "Operations" + "subcategory": "Business Continuity", + "text": "Deploy your backup solution outside of vSan, on Azure native components", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure Landing Zone 
Review", - "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Monitor", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", + "service": "AVS", "services": [ - "AzurePolicy", - "ARS", - "Storage", - "Monitor" + "AVS" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Export logs to Azure Storage if your log retention requirements exceed twelve years. Use immutable storage with a write-once, read-many policy to make data non-erasable and non-modifiable for a user-specified interval.", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "Operations" + "severity": "Low", + "subcategory": "Business Continuity", + "text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", - "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", - "service": "VM", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", + "service": "AVS", "services": [ - "AzurePolicy", - "VM", - "Monitor" + "AVS" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Monitor OS level virtual machine (VM) configuration drift using Azure Policy. 
Enabling Azure Automanage Machine Configuration audit capabilities through policy helps application team workloads to immediately consume feature capabilities with little effort.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "severity": "Low", + "subcategory": "Deployment strategy", + "text": "For manual deployments, all configuration and deployments must be documented", "waf": "Operations" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", - "service": "VM", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", + "service": "AVS", "services": [ - "VM" + "AVS" ], - "severity": "Medium", - "subcategory": "Operational compliance", - "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs in Azure.", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "severity": "Low", + "subcategory": "Deployment strategy", + "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud", "waf": "Operations" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", - "service": "VM", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", + "service": "AVS", "services": [ - "VM" + "AVS" ], - "severity": "Medium", - "subcategory": 
"Operational compliance", - "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs outside of Azure using Azure Arc.", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "severity": "Low", + "subcategory": "Automated Deployment", + "text": "For automated deployments, deploy a minimal private cloud and scale as needed", "waf": "Operations" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "90483845-c986-4cb2-a131-56a12476e49f", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Network Watcher", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", + "service": "AVS", "services": [ - "Monitor", - "NetworkWatcher" + "AVS" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Use Network Watcher to proactively monitor traffic flows", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "severity": "Low", + "subcategory": "Automated Deployment", + "text": "For automated deployments, request or reserve quota prior to starting the deployment", "waf": "Operations" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "541acdce-9793-477b-adb3-751ab2ab13ad", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", + "service": "AVS", "services": [ - "Monitor" + "AVS", + "AzurePolicy" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Use resource locks to prevent accidental deletion of critical shared services.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "severity": "Low", + 
"subcategory": "Automated Deployment", + "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance", "waf": "Operations" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "a6e55d7d-8a2a-4db1-87d6-326af625ca44", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", + "service": "AVS", "services": [ - "RBAC", - "AzurePolicy", - "Monitor" + "AVS", + "AKV" ], "severity": "Low", - "subcategory": "Monitoring", - "text": "Use deny policies to supplement Azure role assignments. The combination of deny policies and Azure role assignments ensures the appropriate guardrails are in place to enforce who can deploy and configure resources and what resources they can deploy and configure.", + "subcategory": "Automated Connectivity", + "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use", "waf": "Operations" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "e5695f22-23ac-4e8c-a123-08ca5017f154", - "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "255461e2-aee3-4553-afc8-339248b262d6", + "service": "AVS", "services": [ - "Monitor" + "ExpressRoute", + "AVS", + "AKV" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Include service and resource health events as part of the overall platform monitoring solution. 
Tracking service and resource health from the platform perspective is an important component of resource management in Azure.", + "severity": "Low", + "subcategory": "Automated Connectivity", + "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute", "waf": "Operations" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "d5f345bf-97ab-41a7-819c-6104baa7d48c", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", + "service": "AVS", "services": [ - "Monitor" + "AVS" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Include alerts and action groups as part of the Azure Service Health platform to ensure that alerts or issues can be actioned", + "severity": "Low", + "subcategory": "Automated Connectivity", + "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.", "waf": "Operations" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "e3ab3693-829e-47e3-8618-3687a0477a20", - "link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", + "service": "AVS", "services": [ - "Monitor" + "AVS" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Don't send raw log entries back to on-premises monitoring systems. Instead, adopt a principle that data born in Azure stays in Azure. 
If on-premises SIEM integration is required, then send critical alerts instead of logs.", + "severity": "Low", + "subcategory": "Automated Connectivity", + "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs", "waf": "Operations" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Monitor", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", + "service": "AVS", "services": [ - "Monitor" + "Subscriptions", + "AVS" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Use Azure Monitor Logs for insights and reporting.", - "waf": "Operations" + "subcategory": "Automated Scale", + "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution", + "waf": "Performance" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "619e8a13-f988-4795-85d6-26886d70ba6c", - "link": "https://learn.microsoft.com/azure/azure-monitor/agents/diagnostics-extension-overview", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", + "service": "AVS", "services": [ "Storage", - "Monitor" + "AVS", + "AzurePolicy" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "When necessary, use shared storage accounts within the landing zone for Azure diagnostic extension log storage.", - "waf": "Operations" + "subcategory": "Automated Scale", + "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before 
performing such action", + "waf": "Performance" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "97be9951-9048-4384-9c98-6cb2913156a1", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", - "service": "Monitor", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", + "service": "AVS", "services": [ - "Monitor" + "AVS" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Use Azure Monitor alerts for the generation of operational alerts.", - "waf": "Operations" + "subcategory": "Automated Scale", + "text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)", + "waf": "Performance" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "859c3900-4514-41eb-b010-475d695abd74", - "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", + "service": "AVS", "services": [ - "Monitor" + "AVS" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Ensure that monitoring requirements have been assessed and that appropriate data collection and alerting configurations are applied", - "waf": "Operations" + "subcategory": "Automated Scale", + "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", + "waf": "Performance" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "Monitor", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design 
Review", + "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", + "service": "AVS", "services": [ - "Monitor" + "AVS" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "When using Change and Inventory Tracking via Azure Automation Accounts, ensure that you have selected supported regions for linking your Log Analytics workspace and automation accounts together.", - "waf": "Operations" + "subcategory": "Automated Scale", + "text": "Define and enforce scale in/out maximum limits for your environment in the automations", + "waf": "Performance" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "aa45be6a-8f2d-4896-b0e3-775e6e94e610", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-monitor", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", + "service": "AVS", "services": [ - "AzurePolicy", - "Monitor" + "Monitor", + "AVS" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Establish monitoring for platform components of your landing zone, AMBA is a framework solution that is available and provides an easy way to scale alerting by using Azure Policy", - "training": "https://azure.github.io/azure-monitor-baseline-alerts/patterns/alz/", + "subcategory": "Automated Scale", + "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses", "waf": "Operations" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "7ea02e1c-7166-45a3-bdf5-098891367fcb", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "services": [], - "severity": "Medium", - "subcategory": "Data Protection", - "text": "Consider cross-region replication in Azure for BCDR with paired regions", + "category": "Migration", + "checklist": 
"Azure VMware Solution Design Review", + "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", + "services": [ + "AVS", + "VM" + ], + "severity": "High", + "subcategory": "Architecture", + "text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Backup", + "category": "Migration", + "checklist": "Azure VMware Solution Design Review", + "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", "services": [ - "Backup" + "AVS" ], - "severity": "Medium", - "subcategory": "Data Protection", - "text": "When using Azure Backup, consider the different backup types (GRS, ZRS & LRS) as the default setting is GRS", + "severity": "High", + "subcategory": "Architecture", + "text": "When using MON, you cannot enable MON on more than 100 Network extensions", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "VM", + "category": "Migration", + "checklist": "Azure VMware Solution Design Review", + "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", + "service": "AVS", "services": [ - "AzurePolicy", - 
"VM" + "VPN", + "AVS" ], "severity": "Medium", - "subcategory": "Operational compliance", - "text": "Use Azure policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.", - "waf": "Security" + "subcategory": "Networking", + "text": "If using a VPN connection for migrations, adjust your MTU size accordingly.", + "waf": "Performance" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "description": "Azure Policy's guest configuration features can audit and remediate machine settings (e.g., OS, application, environment) to ensure resources align with expected configurations, and Update Management can enforce patch management for VMs.", - "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "VM", + "category": "Migration", + "checklist": "Azure VMware Solution Design Review", + "guid": "e614658d-d457-4e92-9139-b821102cad6e", + "service": "AVS", "services": [ - "AzurePolicy", - "VM", - "Monitor" + "AVS" ], "severity": "Medium", - "subcategory": "Operational compliance", - "text": "Monitor VM security configuration drift via Azure Policy.", - "waf": "Security" + "subcategory": "Networking", + "text": "For low connectivity regions connecting into Azure (500Mbps or less), considering deploying the HCX WAN optimization appliance", + "waf": "Performance" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", + "category": "Migration", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", + "service": "AVS", "services": [ - "ASR", - "VM", - "ACR" + "AVS" ], "severity": "Medium", - 
"subcategory": "Protect and Recover", - "text": "Use Azure Site Recovery for Azure-to-Azure Virtual Machines disaster recovery scenarios. This enables you to replicate workloads across regions.", - "waf": "Operations" + "subcategory": "Process", + "text": "Ensure that migrations are started from the on-premises appliance and NOT from the Cloud appliance (do NOT perform a reverse migration)", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "b2ab13ad-a6e5-45d7-b8a2-adb117d6326a", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", + "category": "Data Storage", + "checklist": "Azure VMware Solution Design Review", + "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "AVS", "services": [ - "ASR" + "Storage", + "AVS", + "VM" ], "severity": "Medium", - "subcategory": "Protect and Recover", - "text": "Ensure to use and test native PaaS service disaster recovery capabilities.", - "waf": "Operations" + "subcategory": "Architecture", + "text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "Backup", + "category": "Data Storage", + "checklist": "Azure VMware Solution Design Review", + "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "AVS", "services": [ - "Backup" + "Storage", + "AVS", + "ExpressRoute" ], "severity": "Medium", - "subcategory": "Protect and Recover", - "text": 
"Use Azure-native backup capabilities, or an Azure-compatible, 3rd-party backup solution.", - "waf": "Operations" + "subcategory": "Architecture", + "text": "Ensure that a dedicated ExpressRoute Gateway is being used for external data storage solutions", + "waf": "Reliability" }, { - "ammp": true, - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "826c5c45-bb79-4951-a812-e3bfbfd7326b", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "VM", + "category": "Data Storage", + "checklist": "Azure VMware Solution Design Review", + "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "AVS", "services": [ - "VM" + "Storage", + "AVS", + "ExpressRoute" ], - "severity": "High", - "subcategory": "Fault Tolerance", - "text": "Leverage Availability Zones for your VMs in regions where they are supported.", + "severity": "Medium", + "subcategory": "Architecture", + "text": "Ensure that FastPath is enabled on the ExpressRoute Gateway that is being used for external data storage solutions", "waf": "Reliability" }, { - "ammp": true, - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "7ccb7c06-5511-42df-8177-d97f08d0337d", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "VM", + "category": "Stretched Cluster", + "checklist": "Azure VMware Solution Design Review", + "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "AVS", "services": [ - "VM" + "ASR", + "AVS" ], "severity": "High", - "subcategory": "Fault Tolerance", - "text": "Avoid running a production workload on a single VM.", + "subcategory": "Architecture", + "text": "If using stretched cluster, 
ensure that your selected Disaster Recovery solution is supported by the vendor", "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "84101f59-1941-4195-a270-e28034290e3a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", + "category": "Stretched Cluster", + "checklist": "Azure VMware Solution Design Review", + "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "AVS", "services": [ - "AppGW", - "LoadBalancer", - "ACR" + "AVS" ], - "severity": "Medium", - "subcategory": "Fault Tolerance", - "text": "Azure Load Balancer and Application Gateway distribute incoming network traffic across multiple resources.", + "severity": "High", + "subcategory": "Architecture", + "text": "If using stretched cluster, ensure that the SLA provided will meet your requirements", "waf": "Reliability" }, { - "ammp": true, - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "WAF", + "category": "Stretched Cluster", + "checklist": "Azure VMware Solution Design Review", + "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "AVS", "services": [ - "FrontDoor", - "AppGW", - "WAF" + "AVS", + "ExpressRoute" ], "severity": "High", - "subcategory": "App delivery", - "text": "Add diagnostic settings to save WAF logs from application delivery services like Azure Front Door and Azure Application Gateway. 
Regularly review the logs to check for attacks and for false positive detections.", - "waf": "Operations" + "subcategory": "Architecture", + "text": "If using stretched cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "7f408960-c626-44cb-a018-347c8d790cdf", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "WAF", + "category": "Stretched Cluster", + "checklist": "Azure VMware Solution Design Review", + "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "AVS", "services": [ - "FrontDoor", - "Sentinel", - "AppGW", - "WAF" + "AVS", + "ExpressRoute" ], - "severity": "Medium", - "subcategory": "App delivery", - "text": "Send WAF logs from your application delivery services like Azure Front Door and Azure Application Gateway to Microsoft Sentinel. 
Detect attacks and integrate WAF telemetry into your overall Azure environment.", - "waf": "Operations" - }, - { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "b86ad884-08e3-4727-94b8-75ba18f20459", - "link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response", - "services": [], - "severity": "Medium", - "subcategory": "Access control", - "text": "Determine the incident response plan for Azure services before allowing it into production.", - "waf": "Security" - }, - { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "01365d38-e43f-49cc-ad86-8266abca264f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/security-zero-trust", - "services": [], - "severity": "Medium", - "subcategory": "Access control", - "text": "Implement a zero-trust approach for access to the Azure platform, where appropriate.", - "waf": "Security" + "severity": "High", + "subcategory": "Architecture", + "text": "If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.", + "waf": "Reliability" }, { - "ammp": true, - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "5017f154-e3ab-4369-9829-e7e316183687", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "Key Vault", + "category": "Stretched Cluster", + "checklist": "Azure VMware Solution Design Review", + "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "AVS", "services": [ - "AKV" + "AVS" ], "severity": "High", - "subcategory": "Encryption and keys", - "text": "Use Azure Key Vault to store your secrets and credentials", - "waf": "Security" + "subcategory": "Architecture", + "text": "Have site disaster tolerance settings been properly considered and changed for your business if 
needed.", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", - "guid": "a0477a20-9945-4bda-9333-4f2491163418", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", - "service": "Key Vault", - "services": [ - "AKV" - ], - "severity": "Medium", - "subcategory": "Encryption and keys", - "text": "Use different Azure Key Vaults for different applications and regions to avoid transaction scale limits and restrict access to secrets.", - "waf": "Security" + "category": "BC and DR", + "checklist": "Device Provisioning Service Review", + "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", + "service": "IoT Hub DPS", + "services": [], + "severity": "High", + "subcategory": "High Availability", + "text": "Select the right Logic App hosting plan based on your business & SLO requirements", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "services": [ - "AzurePolicy", - "AKV" - ], - "severity": "Medium", - "subcategory": "Encryption and keys", - "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow 
retention protection for deleted objects.", - "waf": "Security" + "category": "BC and DR", + "checklist": "Device Provisioning Service Review", + "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "IoT Hub DPS", + "services": [], + "severity": "High", + "subcategory": "High Availability", + "text": "Protect logic apps from region failures with zone redundancy and availability zones", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "dc055bcf-619e-48a1-9f98-879525d62688", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "services": [ - "Entra", - "AKV", - "RBAC" - ], - "severity": "Medium", - "subcategory": "Encryption and keys", - "text": "Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Microsoft Entra ID roles.", - "waf": "Security" + "category": "BC and DR", + "checklist": "Device Provisioning Service Review", + "guid": "8aed4fbf-0830-4883-899d-222a154af478", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "IoT Hub DPS", + "services": [], + "severity": "High", + "subcategory": "High Availability", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "category": "BC and DR", + "checklist": "Device Provisioning Service Review", + "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", + "link": 
"https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "IoT Hub DPS", "services": [ - "AKV" + "AppSvc" ], - "severity": "Medium", - "subcategory": "Encryption and keys", - "text": "Automate the certificate management and renewal process with public certificate authorities to ease administration.", - "waf": "Security" + "severity": "High", + "subcategory": "High Availability", + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "913156a1-2476-4e49-b541-acdce979377b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "services": [ - "AKV" - ], + "category": "Application Deployment", + "checklist": "Device Provisioning Service Review", + "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "IoT Hub DPS", + "services": [], "severity": "Medium", - "subcategory": "Encryption and keys", - "text": "Establish an automated process for key and certificate rotation.", - "waf": "Security" + "subcategory": "CI/CD", + "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "guid": "43e52f47-22d9-428c-8b1c-d521e54a29a9", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foundations-playbooks-CosmosDB_v1.docx", + "service": "CosmosDB", "services": [ - "PrivateLink", - "AKV", - "VNet" + "CosmosDB" ], "severity": "Medium", - "subcategory": 
"Encryption and keys", - "text": "Enable firewall and virtual network service endpoint or private endpoint on the vault to control access to the key vault.", - "waf": "Security" + "subcategory": "Best Practices", + "text": "FTA Resiliency Playbook", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", - "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", - "service": "Key Vault", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "guid": "de39ac0e-7c28-4dc9-9565-7202bff4564b", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", + "service": "CosmosDB", "services": [ - "Entra", - "AKV", - "Monitor" + "CosmosDB" ], - "severity": "Medium", - "subcategory": "Encryption and keys", - "text": "Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault.", - "waf": "Security" + "severity": "High", + "subcategory": "High Availability", + "text": "Leverage Availablity Zones where regionally applicable and ofcourse if the service offers it", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "guid": "0d934a34-8b26-43e7-bd60-513a3649906e", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#replica-outages", + "service": "CosmosDB", "services": [ - "AzurePolicy", - "AKV" + "CosmosDB" ], "severity": "Medium", - "subcategory": "Encryption and keys", - "text": "Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant configuration.", - "waf": "Security" + 
"subcategory": "High Availability", + "text": "Run multiple replicas of the database (>1 ) in Prod", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "16183687-a047-47a2-8994-5bda43334f24", - "link": "https://learn.microsoft.com/azure/security/fundamentals/encryption-atrest", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "description": "Multi-region writes capability allows you to take advantage of the provisioned throughput for your databases and containers across the globe", + "guid": "bad38ead-53cc-47de-8d8a-aab3571449ab", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions", + "service": "CosmosDB", "services": [ - "AKV" + "ACR", + "CosmosDB" ], "severity": "Medium", - "subcategory": "Encryption and keys", - "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.", - "waf": "Security" + "subcategory": "High Availability", + "text": "Leverage Multi-Region Writes", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "91163418-2ba5-4275-8694-4008be7d7e48", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "description": "Span Cosmos account across two or more regions with multi-region writes", + "guid": "8153d89f-89dc-47b3-9be2-b1a27f7b9e91", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", + "service": "CosmosDB", "services": [ - "AKV" + "ACR", + "CosmosDB" ], "severity": "Medium", - "subcategory": "Encryption and keys", - "text": "Use an Azure Key Vault per application per environment per region.", - "waf": "Security" + "subcategory": "High Availability", + "text": "Distribute your data globally", + "waf": "Reliability" }, { - 
"category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "25d62688-6d70-4ba6-a97b-e99519048384", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "description": "Choose from various consistency levels such as Eventual, Consistent Prefix, Session, Bounded Staleness and strong", + "guid": "9f8ea848-25ec-4140-bc32-2758e6ee9ac0", + "link": "https://learn.microsoft.com/azure/cosmos-db/consistency-levels", + "service": "CosmosDB", "services": [ - "ASR", - "AKV", - "ACR" + "CosmosDB" ], - "severity": "Medium", - "subcategory": "Encryption and keys", - "text": "If you want to bring your own keys, this might not be supported across all considered services. Implement relevant mitigation so that inconsistencies don't hinder desired outcomes. Choose appropriate region pairs and disaster recovery regions that minimize latency.", - "waf": "Security" + "severity": "High", + "subcategory": "High Availability", + "text": "Choose from several well-defined consistency models", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", - "link": "https://learn.microsoft.com/industry/sovereignty/key-management", - "service": "Key Vault", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "description": "Maintain business continuity during regional outages. Azure Cosmos DB supports service-managed failover during a regional outage. During a regional outage, Azure Cosmos DB continues to maintain its latency, availability, consistency, and throughput SLAs. To help make sure that your entire application is highly available, Azure Cosmos DB offers a manual failover API to simulate a regional outage. 
By using this API, you can carry out regular business continuity drills.", + "guid": "a47e4d1e-bb79-43f9-bf87-69e1032b72fe", + "link": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover", + "service": "CosmosDB", "services": [ - "AKV" + "CosmosDB" ], "severity": "Medium", - "subcategory": "Encryption and keys", - "text": "For Sovereign Landing Zone, use Azure Key Vault managed HSM to store your secrets and credentials.", - "waf": "Security" + "subcategory": "High Availability", + "text": "Enable Service managed failover", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", - "service": "Entra", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "description": "Azure Cosmos DB automatically takes backups of your data at regular intervals. The automatic backups are taken without affecting the performance or availability of the database operations. 
All the backups are stored separately in a storage service.", + "guid": "3499c9c1-133d-42f7-a4b1-a5bd06ff1a90", + "link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore", + "service": "CosmosDB", "services": [ - "Entra" + "Storage", + "CosmosDB", + "Backup" ], "severity": "Medium", - "subcategory": "Operations", - "text": "Use Microsoft Entra ID reporting capabilities to generate access control audit reports.", - "waf": "Security" + "subcategory": "Backup Strategy", + "text": "Enable Automatic Backups", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "4e3ab369-3829-4e7e-9161-83687a0477a2", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "description": "This mode is the default backup mode for all existing accounts. In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. The minimum backup interval can be one hour.", + "guid": "a6eb33f6-005c-4d92-9286-7655672d6121", + "link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction", + "service": "CosmosDB", "services": [ - "ARS", - "Storage", - "Monitor" + "CosmosDB", + "Backup" ], "severity": "Medium", - "subcategory": "Operations", - "text": "Export Azure activity logs to Azure Monitor Logs for long-term data retention. 
Export to Azure Storage for long-term storage beyond two years, if necessary.", - "waf": "Security" + "subcategory": "Backup Strategy", + "text": "Perform Periodic Backups", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Reliability" }, { - "ammp": true, - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "09945bda-4333-44f2-9911-634182ba5275", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", - "service": "Defender", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "description": "Continous 7 day retention and 30 day retention backups. Azure Cosmos DB performs data backup in the background without consuming any extra provisioned throughput (RUs) or affecting the performance and availability of your database. Continuous backups are taken in every region where the account exists.", + "guid": "d43918a8-cd28-49be-b6b1-7cb8245461e1", + "link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction", + "service": "CosmosDB", "services": [ - "Defender", - "Subscriptions" + "CosmosDB", + "Backup" ], - "severity": "High", - "subcategory": "Operations", - "text": "Enable Defender Cloud Security Posture Management for all subscriptions.", - "waf": "Security" + "severity": "Medium", + "subcategory": "Backup Strategy", + "text": "Continous Backup with point-in-time restore in Azure Cosmos DB", + "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", + "waf": "Reliability" }, { - "ammp": true, - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", - "service": "Defender", + "category": "Version Control", + "checklist": "Azure DevOps", + "description": "Implement branching policy 
in Azure DevOps", + "guid": "eda1dae2-cc85-4c47-a6b7-81cca0e6c465", + "link": "https://learn.microsoft.com/azure/devops/repos/git/branch-policies-overview?view=azure-devops", "services": [ - "Defender", - "Subscriptions" + "AzurePolicy" ], "severity": "High", - "subcategory": "Operations", - "text": "Enable a Defender Cloud Workload Protection Plan for Servers on all subscriptions.", - "waf": "Security" + "subcategory": "Branching Policy", + "text": "Branch Policies", + "waf": "Operations" }, { - "ammp": true, - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", - "service": "Defender", + "category": "Version Control", + "checklist": "Azure DevOps", + "description": "Understand branch strategy such as GitFlow or GitHub Flow", + "guid": "bc288bec-6a16-4ca7-8444-51e1add34529", + "link": "https://learn.microsoft.com/azure/devops/repos/git/git-branching-guidance?view=azure-devops", "services": [ - "Defender", - "Subscriptions" + "AzurePolicy" ], "severity": "High", - "subcategory": "Operations", - "text": "Enable Defender Cloud Workload Protection Plans for Azure Resources on all subscriptions.", - "waf": "Security" - }, - { - "ammp": true, - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", - "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", - "service": "VM", - "services": [], - "severity": "High", - "subcategory": "Operations", - "text": "Enable Endpoint Protection on IaaS Servers.", - "waf": "Security" + "subcategory": "Branching Policy", + "text": "Branching strategy", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", - "link": "https://learn.microsoft.com/azure/security-center/", - "service": "VM", + 
"category": "Version Control", + "checklist": "Azure DevOps", + "description": "Understand how teams work with git", + "guid": "ec723823-7a15-41c5-ab4e-401914387e5c", + "link": "https://www.atlassian.com/git/tutorials/comparing-workflows/gitflow-workflow", "services": [ - "Defender", - "Monitor" + "AzurePolicy" ], - "severity": "Medium", - "subcategory": "Operations", - "text": "Monitor base operating system patching drift via Azure Monitor Logs and Defender for Cloud.", - "waf": "Security" + "severity": "High", + "subcategory": "Branching Policy", + "text": "Understand GitFlow Branch Strategy", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", + "category": "Version Control", + "checklist": "Azure DevOps", + "description": "Merge into higher branches after two or more reviewers in a PR", + "guid": "a9c26c9c-32ab-45bd-8c69-98a246e33899", + "link": "https://learn.microsoft.com/azure/devops/repos/git/review-pull-requests?view=azure-devops&tabs=browser", "services": [ - "Entra", - "Monitor" + "AzurePolicy" ], - "severity": "Medium", - "subcategory": "Operations", - "text": "Connect default resource configurations to a centralized Azure Monitor Log Analytics workspace.", - "waf": "Security" + "severity": "High", + "subcategory": "Branching Policy", + "text": "Pull Request Review", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", - "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", - "service": "Entra", + "category": "Version Control", + "checklist": "Azure DevOps", + "description": "Implement access control to the branches", + "guid": "7e41c77d-68cb-46a2-8ac1-9f916d697d8e", + "link": 
"https://learn.microsoft.com/azure/devops/repos/git/branch-permissions?view=azure-devops", "services": [ - "Entra" + "AzurePolicy" ], "severity": "Medium", - "subcategory": "Operations", - "text": "For Sovereign Landing Zone, transparancy logs is enabled on the Entra ID tenant.", - "waf": "Security" + "subcategory": "Branching Policy", + "text": "Access Control to the Branch", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", - "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", - "service": "Entra", - "services": [ - "Entra" - ], - "severity": "Medium", - "subcategory": "Operations", - "text": "For Sovereign Landing Zone, customer Lockbox is enabled on the Entra ID tenant.", + "category": "Version Control", + "checklist": "Azure DevOps", + "description": "Perform SAST code scan", + "guid": "adfd27bd-e187-401a-a252-baa9b68a088c", + "link": "https://devblogs.microsoft.com/devops/integrate-security-into-your-developer-workflow-with-github-advanced-security-for-azure-devops/", + "services": [], + "severity": "High", + "subcategory": "Security", + "text": "Code Scan", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "874a748b-662d-46d1-9051-2a66498f6dfe", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/security", - "services": [ - "Monitor" - ], + "category": "Version Control", + "checklist": "Azure DevOps", + "description": "Understand TFVC as Code Repo", + "guid": "9a8f822b-8eb9-4d1b-a77f-26e5e6beba8e", + "link": "https://learn.microsoft.com/azure/devops/repos/tfvc/what-is-tfvc?view=azure-devops", + "services": [], "severity": "Low", - "subcategory": "Operations", - "text": "Use an Azure Event Grid-based solution for log-oriented, real-time alerts", - "waf": "Security" - }, - { - "ammp": true, - "category": "Security", - 
"checklist": "Azure Landing Zone Review", - "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Storage", - "services": [ - "Storage" - ], - "severity": "High", - "subcategory": "Overview", - "text": "Secure transfer to storage accounts should be enabled", - "waf": "Security" + "subcategory": "Practice", + "text": "TFVC as Code Repository", + "waf": "Operations" }, { - "ammp": true, - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", - "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", - "service": "Storage", - "services": [ - "Storage" - ], - "severity": "High", - "subcategory": "Overview", - "text": "Enable container soft delete for the storage account to recover a deleted container and its contents.", - "waf": "Security" + "category": "Version Control", + "checklist": "Azure DevOps", + "description": "Compare Git vs TFVC for your project", + "guid": "d4f3437b-c336-4d71-9f27-a71eee0b9b5d", + "link": "https://learn.microsoft.com/azure/devops/repos/tfvc/comparison-git-tfvc?view=azure-devops", + "services": [], + "severity": "Low", + "subcategory": "Practice", + "text": "Choose Right version control", + "waf": "Operations" }, { - "ammp": true, - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "6f704104-85c1-441f-96d3-c9819911645e", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning", - "services": [ - "Entra" - ], + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "Set up your team management", + "guid": "8defd5d7-21d4-41d2-900c-807bf9eab40f", + "link": "https://learn.microsoft.com/azure/devops/organizations/settings/manage-teams?view=azure-devops", + "services": [], "severity": "High", - "subcategory": "Secure privileged access", - 
"text": "Separate privileged admin accounts for Azure administrative tasks.", - "waf": "Security" + "subcategory": "Team Planning", + "text": "Configure your teams", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "9a19bf39-c95d-444c-9c89-19ca1f6d5215", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/service-enablement-framework", + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "Start scheduling sprints", + "guid": "9ed5b354-78d4-447a-a26c-2863c00f1cac", + "link": "https://learn.microsoft.com/azure/devops/boards/sprints/define-sprints?view=azure-devops", "services": [], "severity": "Medium", - "subcategory": "Service enablement framework", - "text": "Plan how new azure services will be implemented", - "waf": "Security" + "subcategory": "Team Planning", + "text": "Configure your sprints", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "ae514b93-3d45-485e-8112-9bd7ba012f7b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/service-enablement-framework", + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "Set up your work item heirarchy", + "guid": "699ef1d5-a83d-4e5d-b36c-1c81870a0bc5", + "link": "https://learn.microsoft.com/azure/devops/organizations/settings/work/customize-process-work-item-type?view=azure-devops", "services": [], - "severity": "Medium", - "subcategory": "Service enablement framework", - "text": "Plan how service request will be fulfilled for Azure services", - "waf": "Security" + "severity": "Low", + "subcategory": "Team Planning", + "text": "Choose Work Item types", + "waf": "Operations" }, { - "ammp": true, - "category": "Platform Automation and DevOps", - "checklist": "Azure Landing Zone Review", - "guid": "e85f4226-bf06-4e35-8a8b-7aee4d2d633a", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/platform-automation-devops", + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "WIT Processes available in Azure DevOps", + "guid": "c1e43a18-658d-4285-aed6-7179b825546d", + "link": "https://learn.microsoft.com/azure/devops/boards/work-items/guidance/choose-process?view=azure-devops&tabs=agile-process", "services": [], "severity": "High", - "subcategory": "DevOps Team Topologies", - "text": "Ensure you have a cross functional DevOps Platform Team to build, manage and maintain your Azure Landing Zone architecture.", + "subcategory": "Team Planning", + "text": "Select a WIT Process", "waf": "Operations" }, { - "category": "Platform Automation and DevOps", - "checklist": "Azure Landing Zone Review", - "guid": "634146bf-7085-4419-a7b5-f96d2726f6da", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/devops-teams-topologies#design-recommendations", + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "Use Azure Boards with GitHub", + "guid": "f2aee455-3afc-4833-a248-726dd68c5b5c", + "link": "https://learn.microsoft.com/azure/devops/cross-service/github-integration?view=azure-devops", "services": [], "severity": "Low", - "subcategory": "DevOps Team Topologies", - "text": "Aim to define functions for Azure Landing Zone Platform team.", + "subcategory": "Tool Integration", + "text": "GitHub Integration", "waf": "Operations" }, { - "category": "Platform Automation and DevOps", - "checklist": "Azure Landing Zone Review", - "guid": "a9e65070-c59e-4112-8bf6-c11364d4a2a5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/devops-teams-topologies#design-recommendations", - "services": [ - "RBAC" - ], - "severity": "Low", - "subcategory": "DevOps Team Topologies", - "text": "Aim to define functions for application workload teams to be self-sufficient and not 
require DevOps Platform Team support. Achieve this through the use of custom RBAC role.", + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "Understand the methologies", + "guid": "2925394b-69b9-4d37-aac4-3bc68d1d7665", + "link": "https://www.atlassian.com/agile/scrum/agile-vs-scrum", + "services": [], + "severity": "Medium", + "subcategory": "Process Planning", + "text": "Understand Agile Vs Scrum", "waf": "Operations" }, { - "ammp": true, - "category": "Platform Automation and DevOps", - "checklist": "Azure Landing Zone Review", - "guid": "165eb5e9-b434-448a-9e24-178632186212", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code", + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "Create Dashboard and PowerBI reports", + "guid": "7246b448-564b-44dd-94a7-59c7633bd2a1", + "link": "https://learn.microsoft.com/azure/devops/report/dashboards/overview?view=azure-devops", "services": [], - "severity": "High", - "subcategory": "DevOps Team Topologies", - "text": "Use a CI/CD pipeline to deploy IaC artifacts and ensure the quality of your deployment and Azure environments.", + "severity": "Medium", + "subcategory": "Reporting", + "text": "Dashboard", "waf": "Operations" }, { - "category": "Platform Automation and DevOps", - "checklist": "Azure Landing Zone Review", - "guid": "0cadb8c7-8fa5-4fbf-8f39-d1fadb3b0460", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "Set up backlog", + "guid": "a27a764a-90be-40e3-98ee-293c1bd363ca", + "link": "https://learn.microsoft.com/azure/devops/boards/backlogs/set-up-your-backlog?view=azure-devops", "services": [], "severity": "Medium", - "subcategory": "DevOps Team Topologies", - "text": "Include unit tests for IaC and application code as 
part of your build process.", + "subcategory": "Reporting", + "text": "Refine your backlog", "waf": "Operations" }, { - "ammp": true, - "category": "Platform Automation and DevOps", - "checklist": "Azure Landing Zone Review", - "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", - "service": "Key Vault", - "services": [ - "VM", - "AKV" - ], - "severity": "High", - "subcategory": "DevOps Team Topologies", - "text": "Use Key Vault secrets to avoid hard-coding sensitive information such as credentials (virtual machines user passwords), certificates or keys.", + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "Link your work items", + "guid": "aab75719-49ab-4919-9dc9-fc9d1bb84b37", + "link": "https://learn.microsoft.com/azure/devops/boards/queries/link-work-items-support-traceability?view=azure-devops&tabs=browser", + "services": [], + "severity": "Medium", + "subcategory": "Reporting", + "text": "Visualize Relationships", "waf": "Operations" }, { - "category": "Platform Automation and DevOps", - "checklist": "Azure Landing Zone Review", - "guid": "a52e0c98-76b9-4a09-a1c9-6b2babf22ac4", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/subscription-vending", - "services": [ - "Subscriptions" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "View the velocity report", + "guid": "b5a67fcb-9ed5-4b35-978d-447a826c2863", + "link": "https://learn.microsoft.com/azure/devops/report/dashboards/team-velocity?view=azure-devops&tabs=in-context", + "services": [], "severity": "Low", - "subcategory": "DevOps Team Topologies", - "text": "Implement automation for new landing zone for applications and workloads through subscription vending", + "subcategory": "Reporting", + "text": "Review Team Velocity", "waf": "Operations" 
}, { - "ammp": true, - "category": "Platform Automation and DevOps", - "checklist": "Azure Landing Zone Review", - "guid": "cfe363b5-f579-4284-bc56-a42153e4c10b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code", + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Create your first pipeline", + "guid": "c00f1cac-699e-4f1d-9a83-de5de36c1c81", + "link": "https://learn.microsoft.com/azure/devops/pipelines/create-first-pipeline?view=azure-devops&tabs=java%2Ctfs-2018-2%2Cbrowser", "services": [], "severity": "High", - "subcategory": "Development Lifecycle", - "text": "Ensure a version control system is used for source code of applications and IaC developed. Microsoft recommends Git.", + "subcategory": "Continuous Integration", + "text": "Set up pipeline", "waf": "Operations" }, { - "category": "Platform Automation and DevOps", - "checklist": "Azure Landing Zone Review", - "guid": "c7245dd4-af8a-403a-8bb7-890c1a7cfa9d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle", + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Specify events that trigger pipelines", + "guid": "870a0bc5-c1e4-43a1-a658-d2858ed67179", + "link": "https://learn.microsoft.com/azure/devops/pipelines/build/triggers?view=azure-devops", + "services": [], + "severity": "High", + "subcategory": "Continuous Integration", + "text": "Set Build triggers", + "waf": "Operations" + }, + { + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Use YAML to create build pipeline", + "guid": "b825546d-f2ae-4e45-93af-c8339248726d", + "link": "https://learn.microsoft.com/azure/devops/pipelines/customize-pipeline?view=azure-devops", "services": [], "severity": "Low", - "subcategory": "Development Lifecycle", - "text": "Follow a branching strategy to allow teams to collaborate better 
and efficiently manage version control of IaC and application Code. Review options such as Github Flow.", + "subcategory": "Continuous Integration", + "text": "Customize YAML Pipeline", "waf": "Operations" }, { - "category": "Platform Automation and DevOps", - "checklist": "Azure Landing Zone Review", - "guid": "12aeea20-9165-4b3e-bdf2-6795fcd3cdbe", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle", + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Use classic GUI editor to set up pipeline", + "guid": "d68c5b5c-2925-4394-a69b-9d379ac43bc6", + "link": "https://learn.microsoft.com/azure/devops/pipelines/get-started/pipelines-get-started?view=azure-devops&source=recommendations#define-pipelines-using-the-classic-interface", "services": [], "severity": "Medium", - "subcategory": "Development Lifecycle", - "text": "Adopt a pull request strategy to help keep control of code changes merged into branches.", + "subcategory": "Continuous Integration", + "text": "Use GUI for pipeline", "waf": "Operations" }, { - "category": "Platform Automation and DevOps", - "checklist": "Azure Landing Zone Review", - "guid": "2676ae46-65ca-444e-8695-fdddeace4cb1", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-platform", + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Set up templates, parameters and expressions", + "guid": "8d1d7665-7246-4b44-a564-b4dd74a759c7", + "link": "https://learn.microsoft.com/azure/devops/pipelines/process/templates?view=azure-devops&pivots=templates-includes", "services": [], "severity": "Medium", - "subcategory": "Development Lifecycle", - "text": "Establish a process for using code to implement quick fixes. 
Always register quick fixes in your team's backlog so each fix can be reworked at a later point, and you can limit technical debt.", + "subcategory": "Continuous Integration", + "text": "Configure Templates", "waf": "Operations" }, { - "ammp": true, - "category": "Platform Automation and DevOps", - "checklist": "Azure Landing Zone Review", - "guid": "2cdc9d99-dbcc-4ad4-97f5-e7d358bdfa73", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code", + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Set up jobs, stages and dependencies", + "guid": "633bd2a1-a27a-4764-a90b-e0e378ee293c", + "link": "https://learn.microsoft.com/azure/devops/pipelines/process/stages?view=azure-devops&tabs=yaml", "services": [], "severity": "High", - "subcategory": "Development Strategy", - "text": "Leverage Declarative Infrastructure as Code Tools such as Azure Bicep, ARM Templates or Terraform to build and maintain your Azure Landing Zone architecture. 
Both from a Platform and Application workload perspective.", + "subcategory": "Continuous Integration", + "text": "Jobs", "waf": "Operations" }, { - "ammp": true, - "category": "Platform Automation and DevOps", - "checklist": "Azure Landing Zone Review", - "guid": "cc87a3bc-c572-4ad2-92ed-8cabab66160f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/landing-zone-security#secure", + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Set up conditions and Demands", + "guid": "1bd363ca-aab7-4571-a49a-b9193dc9fc9d", + "link": "https://learn.microsoft.com/azure/devops/pipelines/process/conditions?view=azure-devops&tabs=yaml%2Cstages", "services": [], - "severity": "High", - "subcategory": "Security", - "text": "Integrate security into the already combined process of development and operations in DevOps to mitigate risks in the innovation process.", + "severity": "Medium", + "subcategory": "Continuous Integration", + "text": "Conditions and Demands", "waf": "Operations" }, { - "category": "Application Deployment", - "checklist": "Azure Spring Apps Review", - "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", - "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", - "service": "Spring Apps", + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Define Variables", + "guid": "1bb84b37-b5a6-47fc-a9ed-5b35478d447a", + "link": "https://learn.microsoft.com/azure/devops/pipelines/process/variables?view=azure-devops&tabs=yaml%2Cbatch", "services": [], - "severity": "Medium", - "subcategory": "DevOps", - "text": "Azure Spring Apps permits two deployments for every app, only one of which receives production traffic. You can achieve zero downtime with blue green deployment strategies. Blue green deployment is only available in Standard and Enterprise tiers. 
You could automate deployment using CI/CD with ADO/GitHub actions", - "waf": "Reliability" + "severity": "High", + "subcategory": "Continuous Integration", + "text": "Variables", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure Spring Apps Review", - "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", - "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", - "service": "Spring Apps", - "services": [ - "FrontDoor", - "TrafficManager", - "ASR" - ], - "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Azure Spring Apps instances could be created in multiple regions for your applications and traffic could be routed by Traffic Manager/Front Door.", - "waf": "Reliability" + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Set up your deployment pipeline", + "guid": "826c2863-c00f-41ca-a699-ef1d5a83de5d", + "link": "https://learn.microsoft.com/azure/devops/pipelines/process/create-multistage-pipeline?view=azure-devops", + "services": [], + "severity": "High", + "subcategory": "Continuous Deployment", + "text": "Deployment Pipeline", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure Spring Apps Review", - "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", - "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", - "service": "Spring Apps", - "services": [ - "ACR" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Select correct branches to deploy from", + "guid": "e36c1c81-870a-40bc-9c1e-43a18658d285", + "link": "https://learn.microsoft.com/azure/devops/pipelines/release/deploy-multiple-branches?view=azure-devops", + "services": [], "severity": "Medium", - "subcategory": "High Availability", - "text": "In supported region, Azure Spring Apps can be deployed as zone redundant, which means that instances are automatically distributed across availability 
zones. This feature is only available in Standard and Enterprise tiers.", - "waf": "Reliability" + "subcategory": "Continuous Deployment", + "text": "Release branch", + "training": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure Spring Apps Review", - "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", - "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", - "service": "Spring Apps", + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "use relevant template to deploy to azure", + "guid": "8ed67179-b825-4546-bf2a-ee4553afc833", + "link": "https://learn.microsoft.com/azure/devops/pipelines/overview-azure?view=azure-devops", "services": [], "severity": "Medium", - "subcategory": "High Availability", - "text": "Use more than 1 app instance for your apps", - "waf": "Reliability" + "subcategory": "Continuous Deployment", + "text": "Deploy to Azure", + "waf": "Operations" }, { - "category": "Operations", - "checklist": "Azure Spring Apps Review", - "guid": "7504c230-6035-4183-95a5-85762acc6075", - "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", - "service": "Spring Apps", - "services": [ - "Monitor" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Define Release Approvals and pre deployment checks", + "guid": "9248726d-d68c-45b5-a292-5394b69b9d37", + "link": "https://learn.microsoft.com/azure/devops/pipelines/process/approvals?view=azure-devops&tabs=check-pass", + "services": [], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Monitor Azure Spring Apps with logs, metrics and tracing. 
Integrate ASA with application insights and track failures and create workbooks.", - "waf": "Reliability" + "subcategory": "Continuous Deployment", + "text": "Approvals and Checks", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Operations" }, { - "category": "Operations", - "checklist": "Azure Spring Apps Review", - "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", - "service": "Spring Apps", + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Define Gates and post deployment checks", + "guid": "9ac43bc6-8d1d-4766-9724-6b448564b4dd", + "link": "https://learn.microsoft.com/azure/devops/pipelines/release/approvals/?view=azure-devops&tabs=yaml", "services": [], "severity": "Medium", - "subcategory": "Scalability", - "text": "Set up autoscaling in Spring Cloud Gateway", - "waf": "Reliability" + "subcategory": "Continuous Deployment", + "text": "Gates", + "waf": "Operations" }, { - "category": "Operations", - "checklist": "Azure Spring Apps Review", - "guid": "97411607-b6fd-4335-99d1-9885faf4e392", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", - "service": "Spring Apps", + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Define Azure Function and REST API Checks", + "guid": "74a759c7-633b-4d2a-8a27-a764a90be0e3", + "link": "https://learn.microsoft.com/azure/devops/pipelines/process/invoke-checks?view=azure-devops", "services": [], "severity": "Low", - "subcategory": "Scalability", - "text": "Enable autoscale for the apps with Standard consumption & dedicated plan.", - "waf": "Reliability" + "subcategory": "Continuous Deployment", + "text": "Azure Function Checks", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Operations" }, { - "category": "Operations", 
- "checklist": "Azure Spring Apps Review", - "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", - "link": "https://learn.microsoft.com/azure/spring-apps/overview", - "service": "Spring Apps", + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Review pipeline reports", + "guid": "78ee293c-1bd3-463c-aaab-7571949ab919", + "link": "https://learn.microsoft.com/azure/devops/pipelines/reports/pipelinereport?view=azure-devops", "services": [], - "severity": "Medium", - "subcategory": "Support", - "text": "Use Enterprise plan for commercial support of spring boot for mission critical apps. With other tiers you get OSS support.", - "waf": "Reliability" - }, - { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", - "service": "AVS", - "services": [ - "Entra", - "Subscriptions", - "AVS" - ], "severity": "High", - "subcategory": "Identity", - "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure", - "waf": "Security" + "subcategory": "Continuous Deployment", + "text": "Pipline Reports", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "75089c20-990d-4927-b105-885576f76fc2", - "service": "AVS", - "services": [ - "Entra", - "AVS" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "configure Trend Result widget", + "guid": "3dc9fc9d-1bb8-44b3-9b5a-67fcb9ed5b35", + "link": "https://learn.microsoft.com/azure/devops/report/dashboards/analytics-widgets?toc=%2Fazure%2Fdevops%2Fpipelines%2Ftoc.json&view=azure-devops#test-results-trend-advanced", + "services": [], "severity": "Medium", - "subcategory": "Identity", - "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources 
(including Azure VMware Solution) local to Azure", - "waf": "Security" - }, - { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", - "service": "AVS", - "services": [ - "Entra", - "AVS" - ], - "severity": "High", - "subcategory": "Identity", - "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'", - "waf": "Security" + "subcategory": "Analytics", + "text": "Pipeline Result Trend", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", - "service": "AVS", - "services": [ - "Entra", - "AVS" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Connect with WIT to visualize work", + "guid": "478d447a-826c-4286-9c00-f1cac699ef1d", + "link": "https://learn.microsoft.com/azure/devops/pipelines/integrations/configure-pipelines-work-tracking?view=azure-devops&tabs=yaml", + "services": [], "severity": "Medium", - "subcategory": "Identity", - "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)", - "waf": "Security" + "subcategory": "Analytics", + "text": "Work Tracking with Pipeline", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", - "service": "AVS", - "services": [ - "Entra", - "AVS" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Understand agent pools", + "guid": "5a83de5d-e36c-41c8-8870-a0bc5c1e43a1", + "link": "https://learn.microsoft.com/azure/devops/pipelines/agents/agents?view=azure-devops&tabs=yaml%2Cbrowser", + "services": [], 
"severity": "Medium", - "subcategory": "Identity", - "text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)", - "waf": "Security" + "subcategory": "Continuous Deployment", + "text": " Agents and agent pools", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", - "service": "AVS", - "services": [ - "Entra", - "AVS" - ], - "severity": "High", - "subcategory": "Identity", - "text": "Ensure that NSX-Manager is integrated with an external Identity provider (LDAPS)", - "waf": "Security" + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Understand and provision Deployment Groups when required", + "guid": "8658d285-8ed6-4717-ab82-5546df2aee45", + "link": "https://learn.microsoft.com/azure/devops/pipelines/release/deployment-groups/?view=azure-devops", + "services": [], + "severity": "Low", + "subcategory": "Continuous Deployment", + "text": "Deployment Groups", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", - "service": "AVS", + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Understand Kubernetes Deployment", + "guid": "53afc833-9248-4726-bd68-c5b5c2925394", + "link": "https://learn.microsoft.com/azure/devops/pipelines/ecosystems/kubernetes/deploy?view=azure-devops", "services": [ - "RBAC", - "Entra", - "AVS" + "AKS" ], + "severity": "Low", + "subcategory": "Continuous Deployment", + "text": "Deploy to Kubernetes", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Operations" + }, + { + "category": "Azure Pipelines", + 
"checklist": "Azure DevOps", + "description": "Perform Dynamic Security Testing", + "guid": "b69b9d37-9ac4-43bc-98d1-d76657246b44", + "link": "https://devblogs.microsoft.com/premier-developer/azure-devops-pipelines-leveraging-owasp-zap-in-the-release-pipeline/", + "services": [], "severity": "Medium", - "subcategory": "Identity", - "text": "Has an RBAC model been created for use within VMware vSphere", + "subcategory": "Security", + "text": "DAST Scan", + "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", - "service": "AVS", - "services": [ - "RBAC", - "Entra", - "AVS" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Manage Service Connections", + "guid": "8564b4dd-74a7-459c-9633-bd2a1a27a764", + "link": "https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml", + "services": [], "severity": "Medium", - "subcategory": "Identity", - "text": "RBAC permissions should be granted on ADDS groups and not on specific users", + "subcategory": "Security", + "text": "Service Connections", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", - "service": "AVS", + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Set data retention policies for CI and CD", + "guid": "a90be0e3-78ee-4293-a1bd-363caaab7571", + "link": "https://learn.microsoft.com/azure/devops/pipelines/policies/retention?view=azure-devops&tabs=yaml", "services": [ - "RBAC", - "Entra", - "AVS" + "AzurePolicy" ], - "severity": "High", - "subcategory": "Identity", - "text": "RBAC permissions on the Azure VMware Solution resource in 
Azure are 'locked down' to a limited set of owners only", + "severity": "Medium", + "subcategory": "Security", + "text": "Retention Policies", + "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", - "service": "AVS", - "services": [ - "RBAC", - "Entra", - "AVS" - ], - "severity": "High", - "subcategory": "Identity", - "text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations", - "waf": "Security" + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Set up and pay for concurrent pipelines", + "guid": "949ab919-3dc9-4fc9-b1bb-84b37b5a67fc", + "link": "https://learn.microsoft.com/azure/devops/pipelines/licensing/concurrent-jobs?view=azure-devops&tabs=ms-hosted", + "services": [], + "severity": "Low", + "subcategory": "Administration", + "text": "Parallel Pipelines", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Design Review", - "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", - "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", - "service": "AVS", - "services": [ - "AVS" - ], - "severity": "High", - "subcategory": "Architecture", - "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand", - "waf": "Performance" + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Set pipeline permissions", + "guid": "b9ed5b35-478d-4447-a826-c2863c00f1ca", + "link": "https://learn.microsoft.com/azure/devops/pipelines/policies/permissions?view=azure-devops", + "services": [], + "severity": "Medium", + "subcategory": "Security", + "text": "Pipeline Permissions", + "training": 
"https://learn.microsoft.com/learn/paths/implement-windows-server-iaas-virtual-machine-identity/", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Design Review", - "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", - "service": "AVS", - "services": [ - "Monitor", - "ExpressRoute", - "NetworkWatcher", - "VPN", - "AVS" - ], - "severity": "High", - "subcategory": "Monitoring", - "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'", - "waf": "Operations" + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Add users to pipeline", + "guid": "c699ef1d-5a83-4de5-be36-c1c81870a0bc", + "link": "https://learn.microsoft.com/azure/devops/pipelines/policies/set-permissions?view=azure-devops", + "services": [], + "severity": "Low", + "subcategory": "Security", + "text": "Pipeline Users", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Design Review", - "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", - "service": "AVS", - "services": [ - "Monitor", - "ExpressRoute", - "NetworkWatcher", - "AVS", - "VM" - ], + "category": "Azure Artifact", + "checklist": "Azure DevOps", + "description": "Configure Artifacts", + "guid": "5c1e43a1-8658-4d28-98ed-67179b825546", + "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/artifacts-overview?view=azure-devops&tabs=nuget", + "services": [], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection", + "subcategory": "Configuration", + "text": "Artifact In Pipeline", + "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", "waf": 
"Operations" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Design Review", - "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", - "service": "AVS", - "services": [ - "VM", - "Monitor", - "NetworkWatcher", - "AVS" - ], + "category": "Azure Artifact", + "checklist": "Azure DevOps", + "description": "Publish and consume artifact in pipeline", + "guid": "df2aee45-53af-4c83-9924-8726dd68c5b5", + "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/pipeline-artifacts?view=azure-devops&tabs=yaml", + "services": [], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity", + "subcategory": "Configuration", + "text": "Publish and download Artifact", + "training": "https://learn.microsoft.com/azure/architecture/example-scenario/identity/adds-extend-domain", "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Design Review", - "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", - "service": "AVS", - "services": [ - "ARS", - "AVS" - ], - "severity": "High", - "subcategory": "Routing", - "text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).", + "category": "Azure Artifact", + "checklist": "Azure DevOps", + "description": "Publish NuGet packages with artifacts", + "guid": "c2925394-b69b-49d3-99ac-43bc68d1d766", + "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/nuget?view=azure-devops&tabs=yaml", + "services": [], + "severity": "Low", + "subcategory": "Configuration", + "text": "NuGet", + "training": "https://learn.microsoft.com/azure/role-based-access-control/overview", "waf": "Operations" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", - "service": "AVS", - 
"services": [ - "Entra", - "RBAC", - "AVS" - ], - "severity": "High", - "subcategory": "Security (identity)", - "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)", - "waf": "Security" + "category": "Azure Artifact", + "checklist": "Azure DevOps", + "description": "Publish Maven packages with artifacts", + "guid": "57246b44-8564-4b4d-b74a-759c7633bd2a", + "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/publish-maven-artifacts?view=azure-devops", + "services": [], + "severity": "Low", + "subcategory": "Configuration", + "text": "Maven", + "waf": "Operations" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", - "service": "AVS", - "services": [ - "Entra", - "RBAC", - "AVS" - ], - "severity": "High", - "subcategory": "Security (identity)", - "text": "Privileged Identity Management audit reporting should be implemented for the Azure VMware Solution PIM roles", - "waf": "Security" + "category": "Azure Artifact", + "checklist": "Azure DevOps", + "description": "Publish NPM packages with artifacts", + "guid": "1a27a764-a90b-4e0e-978e-e293c1bd363c", + "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/npm?view=azure-devops&tabs=yaml", + "services": [], + "severity": "Low", + "subcategory": "Configuration", + "text": "NPM", + "waf": "Operations" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", - "service": "AVS", - "services": [ - "Entra", - "AVS" - ], + "category": "Azure Artifact", + "checklist": "Azure DevOps", + "description": "Best Practices to work with Azure Artifact", + "guid": "aaab7571-949a-4b91-a3dc-9fc9d1bb84b3", + "link": "https://learn.microsoft.com/azure/devops/artifacts/concepts/best-practices?view=azure-devops", + "services": [], 
"severity": "Medium", - "subcategory": "Security (identity)", - "text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic Host replacement notifications. (standing permissions required)", - "waf": "Security" + "subcategory": "Configuration", + "text": "Best Practices", + "waf": "Operations" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", - "service": "AVS", + "category": "DevOps Practice", + "checklist": "Azure DevOps", + "description": "What is monitoring?", + "guid": "7b5a67fc-b9ed-45b3-9478-d447a826c286", + "link": "https://learn.microsoft.com/devops/operate/what-is-monitoring", "services": [ - "Entra", - "AVS" + "Monitor" ], "severity": "High", - "subcategory": "Security (identity)", - "text": "Limit use of CloudAdmin account to emergency access only", - "waf": "Security" + "subcategory": "Practice", + "text": "What to monitor?", + "waf": "Operations" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", - "service": "AVS", - "services": [ - "RBAC", - "Entra", - "AVS" - ], + "category": "DevOps Practice", + "checklist": "Azure DevOps", + "description": "Progressive Exposure Strategy", + "guid": "3c00f1ca-c699-4ef1-b5a8-3de5de36c1c8", + "link": "https://learn.microsoft.com/devops/operate/safe-deployment-practices", + "services": [], "severity": "Medium", - "subcategory": "Security (identity)", - "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter", - "waf": "Security" + "subcategory": "Practice", + "text": "Safe Deployment Practices", + "waf": "Operations" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", - "service": "AVS", - "services": [ - 
"Entra", - "AVS" - ], - "severity": "Medium", - "subcategory": "Security (identity)", - "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials", - "waf": "Security" + "category": "DevOps Practice", + "checklist": "Azure DevOps", + "description": "Microsoft runs reliable systems with DevOps", + "guid": "1870a0bc-5c1e-443a-8865-8d2858ed6717", + "link": "https://learn.microsoft.com/devops/operate/how-microsoft-operates-devops", + "services": [], + "severity": "Low", + "subcategory": "Practice", + "text": "Case Study", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "waf": "Operations" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", - "service": "AVS", - "services": [ - "Entra", - "VM", - "AVS" - ], - "severity": "High", - "subcategory": "Security (identity)", - "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution", + "category": "DevOps Practice", + "checklist": "Azure DevOps", + "description": "Security in DevOps", + "guid": "9b825546-df2a-4ee4-953a-fc8339248726", + "link": "https://learn.microsoft.com/devops/operate/security-in-devops", + "services": [], + "severity": "Medium", + "subcategory": "Practice", + "text": "DevSecOps", "waf": "Security" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", - "service": "AVS", - "services": [ - "AVS" - ], - "severity": "Medium", - "subcategory": "Security (network)", - "text": "Is East-West traffic filtering implemented within NSX-T", + "category": "DevOps Practice", + "checklist": "Azure DevOps", + "description": "Enable DevSecops with Azure And GitHub", + "guid": "dd68c5b5-c292-4539-9b69-b9d379ac43bc", + "link": "https://learn.microsoft.com/devops/devsecops/enable-devsecops-azure-github", + "services": [], + 
"severity": "Low", + "subcategory": "Practice", + "text": "DevSecops", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", "waf": "Security" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", - "service": "AVS", + "category": "DevOps Practice", + "checklist": "Azure DevOps", + "description": "Mirror RBAC in DevOps", + "guid": "68d1d766-5724-46b4-9856-4b4dd74a759c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/secure/best-practices/end-to-end-governance", "services": [ - "Firewall", - "AppGW", - "AVS" + "RBAC" ], - "severity": "High", - "subcategory": "Security (network)", - "text": "Workloads on Azure VMware Solution are not directly exposed to the internet. Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions", + "severity": "Low", + "subcategory": "Practice", + "text": "Secure DevOps Govenance", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", "waf": "Security" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", - "service": "AVS", - "services": [ - "AVS" - ], - "severity": "High", - "subcategory": "Security (network)", - "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads", + "category": "DevOps Practice", + "checklist": "Azure DevOps", + "description": "Governance when using CI/CD", + "guid": "7633bd2a-1a27-4a76-9a90-be0e378ee293", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/governance/end-to-end-governance-in-azure", + "services": [], + "severity": "Medium", + "subcategory": "Practice", + "text": "Azure DevOps Governance", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", 
"waf": "Security" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", - "service": "AVS", + "category": "Application Deployment", + "checklist": "The AKS Checklist", + "guid": "785c2fa5-5b56-4ad4-a408-fe72734c476b", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/containers/aks/secure-baseline-aks", "services": [ - "Monitor", - "AVS" + "AKS" ], "severity": "Medium", - "subcategory": "Security (network)", - "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity", - "waf": "Security" + "subcategory": "Development", + "text": "Use canary or blue/green deployments", + "waf": "Operations" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "334fdf91-c234-4182-a652-75269440b4be", - "service": "AVS", + "category": "Application Deployment", + "checklist": "The AKS Checklist", + "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", + "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", + "service": "AKS", "services": [ - "VNet", - "ExpressRoute", - "VPN", - "DDoS", - "AVS" + "AKS" ], - "severity": "Medium", - "subcategory": "Security (network)", - "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure", - "waf": "Security" + "severity": "Low", + "subcategory": "Development", + "text": "If required for AKS Windows workloads HostProcess containers can be used", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", - "service": "AVS", + "category": "Application Deployment", + "checklist": "The AKS Checklist", + "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", + "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", + 
"service": "AKS", "services": [ - "AVS" + "AKS" ], - "severity": "Medium", - "subcategory": "Security (network)", - "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager", - "waf": "Security" + "severity": "Low", + "subcategory": "Development", + "text": "Use KEDA if running event-driven workloads", + "waf": "Performance" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", - "service": "AVS", + "category": "Application Deployment", + "checklist": "The AKS Checklist", + "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", + "link": "https://dapr.io/", + "service": "AKS", "services": [ - "Defender", - "AVS" + "AKS" ], - "severity": "Medium", - "subcategory": "Security (guest/VM)", - "text": "Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution", - "waf": "Security" + "severity": "Low", + "subcategory": "Development", + "text": "Use Dapr to ease microservice development", + "waf": "Operations" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", - "service": "AVS", + "category": "Application Deployment", + "checklist": "The AKS Checklist", + "guid": "3acbe04b-be20-49d3-afda-47778424d116", + "link": "https://learn.microsoft.com/azure/developer/terraform/create-k8s-cluster-with-tf-and-aks", "services": [ - "Arc", - "AVS" + "AKS" ], "severity": "Medium", - "subcategory": "Security (guest/VM)", - "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)", - "waf": "Security" - }, - { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", - "service": "AVS", + 
"subcategory": "Infrastructure as Code", + "text": "Use automation through ARM/TF to create your Azure resources", + "waf": "Operations" + }, + { + "category": "BC and DR", + "checklist": "The AKS Checklist", + "guid": "36cb45e5-7960-4332-9bdf-8cc23318da61", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery", "services": [ - "SQL", - "AVS" + "ASR", + "AKS" ], - "severity": "Low", - "subcategory": "Security (guest/VM)", - "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). (vSAN encryption at rest is default)", - "waf": "Security" + "severity": "High", + "subcategory": "Disaster Recovery", + "text": "Schedule and perform DR tests regularly", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "a3592718-e6e2-4051-9267-6ae46691e883", - "service": "AVS", + "category": "BC and DR", + "checklist": "The AKS Checklist", + "guid": "170265f4-bb46-4a39-9af7-f317284797b1", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", "services": [ - "AKV", - "AVS" + "TrafficManager", + "AKS", + "FrontDoor", + "LoadBalancer" ], - "severity": "Low", - "subcategory": "Security (guest/VM)", - "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible", - "waf": "Security" + "severity": "Medium", + "subcategory": "High Availability", + "text": "Use Azure Traffic Manager or Azure Front Door as a global load balancer for region failover", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "5ac94222-3e13-4810-9230-81a941741583", - "service": "AVS", + "category": "BC and DR", + "checklist": "The AKS Checklist", + "graph": "resources | where type=='microsoft.containerservice/managedclusters' | extend compliant= 
isnotnull(properties.agentPoolProfiles[0].availabilityZones) | distinct id,compliant", + "guid": "578a219a-46be-4b54-9350-24922634292b", + "link": "https://learn.microsoft.com/azure/aks/availability-zones", "services": [ - "AVS" + "AKS" ], "severity": "Medium", - "subcategory": "Security (guest/VM)", - "text": "Consider using extended security update support for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)", - "waf": "Security" + "subcategory": "High Availability", + "text": "Use Availability Zones if they are supported in your Azure region", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", - "service": "AVS", + "category": "BC and DR", + "checklist": "The AKS Checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", + "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", + "link": "https://learn.microsoft.com/azure/aks/uptime-sla", + "service": "AKS", "services": [ - "AVS" + "AKS" ], "severity": "High", - "subcategory": "Governance (platform)", - "text": "Ensure that the appropriate vSAN Data redundancy method is used (RAID specification)", + "subcategory": "High Availability", + "text": "Use the SLA-backed AKS offering", "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "d88408f3-7273-44c8-96ba-280214590146", - "service": "AVS", + "category": "BC and DR", + "checklist": "The AKS Checklist", + "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "services": [ - "AzurePolicy", - "Storage", - "AVS" + "AKS", + "Cost" ], - "severity": "High", - "subcategory": "Governance (platform)", - "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN 
storage needs", + "severity": "Low", + "subcategory": "High Availability", + "text": "Use Disruption Budgets in your pod and deployment definitions", "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", - "service": "AVS", + "category": "BC and DR", + "checklist": "The AKS Checklist", + "guid": "3c763963-7a55-42d5-a15e-401955387e5c", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", + "service": "ACR", "services": [ - "ASR", - "AVS" + "ACR", + "AKS" ], "severity": "High", - "subcategory": "Governance (platform)", - "text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement", + "subcategory": "High Availability", + "text": "If using a private registry, configure region replication to store images in multiple regions", "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", - "service": "AVS", + "category": "BC and DR", + "checklist": "The AKS Checklist", + "guid": "daa9a260-c3ea-4490-b077-5fc1f2a80cb0", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", "services": [ - "AVS" + "Storage", + "AKS", + "ASR" ], - "severity": "Medium", - "subcategory": "Governance (platform)", - "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.", - "waf": "Operations" + "severity": "High", + "subcategory": "Disaster Recovery", + "text": "Use Zone-Redundant Storage (ZRS) with stateful workloads", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", - "service": "AVS", + "category": "BC and DR", + "checklist": "The AKS Checklist", + 
"guid": "bc14aea6-e65d-48d9-a3ad-c218e6436b06", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery", "services": [ - "AzurePolicy", - "AVS" + "AKS" ], - "severity": "Medium", - "subcategory": "Governance (platform)", - "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes", - "waf": "Operations" + "severity": "High", + "subcategory": "Requirements", + "text": "Define non-functional requirements such as SLAs, RTO (Recovery Time Objective) and RPO (Recovery Point Objective).", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", - "service": "AVS", + "category": "Cost Governance", + "checklist": "The AKS Checklist", + "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", + "service": "AKS", "services": [ - "Cost", - "AVS" + "AKS", + "Cost" ], - "severity": "Medium", - "subcategory": "Governance (platform)", - "text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used", + "severity": "Low", + "subcategory": "Cost", + "text": "Use an external application such as kubecost to allocate costs to different users", "waf": "Cost" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", - "service": "AVS", + "category": "Cost Governance", + "checklist": "The AKS Checklist", + "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", + "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", + "service": "AKS", "services": [ - "Cost", - "AVS" + "AKS", + "Cost" ], "severity": "Low", - "subcategory": "Governance (platform)", - "text": "Are Azure reserved 
instances used to optimize cost for using Azure VMware Solution", + "subcategory": "Cost", + "text": "Use scale down mode to delete/deallocate nodes", "waf": "Cost" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "6691e883-5ac9-4422-83e1-3810523081a9", - "service": "AVS", + "category": "Cost Governance", + "checklist": "The AKS Checklist", + "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", + "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", + "service": "AKS", "services": [ - "AVS" + "AKS", + "Cost" ], "severity": "Medium", - "subcategory": "Governance (platform)", - "text": "Consider the use of Azure Private-Link when using other Azure Native Services", - "waf": "Security" + "subcategory": "Cost", + "text": "When required use multi-instance partitioning GPU on AKS Clusters", + "waf": "Cost" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", - "service": "AVS", + "category": "Cost Governance", + "checklist": "The AKS Checklist", + "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", + "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", + "service": "AKS", "services": [ - "AVS" + "AKS", + "Cost" ], - "severity": "High", - "subcategory": "Governance (platform)", - "text": "Ensure all required resource reside within the same Azure availability zone(s)", - "waf": "Performance" + "severity": "Low", + "subcategory": "Cost", + "text": "If running a Dev/Test cluster use NodePool Start/Stop", + "waf": "Cost" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", - "service": "AVS", + "category": "Governance and Security", + "checklist": "The AKS Checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and 
properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", + "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", + "service": "AKS", "services": [ - "Defender", - "VM", - "AVS" + "AKS", + "AzurePolicy" ], "severity": "Medium", - "subcategory": "Governance (guest/VM)", - "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads", + "subcategory": "Compliance", + "text": "Use Azure Policy for Kubernetes to ensure cluster compliance", "waf": "Security" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", - "service": "AVS", + "category": "Governance and Security", + "checklist": "The AKS Checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", + "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", "services": [ - "Arc", - "VM", - "AVS" + "AKS" ], "severity": "Medium", - "subcategory": "Governance (guest/VM)", - "text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads", + "subcategory": "Compliance", + "text": "Separate applications from the control plane with user/system node pools", "waf": "Security" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", - "service": "AVS", - "services": [ - "AVS" - ], - "severity": "High", - "subcategory": "Governance (guest/VM)", - "text": "Enable Diagnostic and metric logging on Azure VMware Solution", - "waf": "Operations" - }, - { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - 
"guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", - "service": "AVS", + "category": "Governance and Security", + "checklist": "The AKS Checklist", + "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", "services": [ - "VM", - "Monitor", - "AVS" + "AKS" ], - "severity": "Medium", - "subcategory": "Governance (guest/VM)", - "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads", - "waf": "Operations" + "severity": "Low", + "subcategory": "Compliance", + "text": "Add taint to your system nodepool to make it dedicated", + "waf": "Security" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "589d457a-927c-4397-9d11-02cad6aae11e", - "service": "AVS", + "category": "Governance and Security", + "checklist": "The AKS Checklist", + "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", + "link": "https://learn.microsoft.com/azure/container-registry/", + "service": "AKS", "services": [ - "Backup", - "VM", - "AzurePolicy", - "AVS" + "ACR", + "AKS" ], "severity": "Medium", - "subcategory": "Governance (guest/VM)", - "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads", - "waf": "Operations" + "subcategory": "Compliance", + "text": "Use a private registry for your images, such as ACR", + "waf": "Security" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "ee29711b-d352-4caa-ab79-b198dab81932", - "service": "AVS", + "category": "Governance and Security", + "checklist": "The AKS Checklist", + "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", + "link": "https://learn.microsoft.com/azure/security-center/container-security", + "service": "ACR", "services": [ - "Defender", - "Monitor", - "AVS" + "AKS" ], "severity": "Medium", "subcategory": "Compliance", - "text": "Use Microsoft Defender for Cloud for compliance monitoring of 
workloads running on Azure VMware Solution", + "text": "Scan your images for vulnerabilities", "waf": "Security" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", - "service": "AVS", + "category": "Governance and Security", + "checklist": "The AKS Checklist", + "guid": "cc639637-a652-42ac-89e8-06965388e9de", + "link": "https://learn.microsoft.com/azure/security-center/container-security", "services": [ - "Defender", - "AVS" + "AKS", + "Defender" ], "severity": "Medium", "subcategory": "Compliance", - "text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud", + "text": "Use Azure Security Center to detect security posture vulnerabilities", "waf": "Security" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", - "service": "AVS", + "category": "Governance and Security", + "checklist": "The AKS Checklist", + "guid": "42d4aefe-2383-470e-b019-c30df24996b2", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool", "services": [ - "AVS" + "AKS" ], - "severity": "High", + "severity": "Low", "subcategory": "Compliance", - "text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution deployment", + "text": "If required configure FIPS", "waf": "Security" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", - "service": "AVS", + "category": "Governance and Security", + "checklist": "The AKS Checklist", + "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", + "service": "AKS", "services": [ - "AVS" + "AKS" ], "severity": "High", "subcategory": "Compliance", - "text": "Are data processing implications (service provider / service 
consumer model) clear and documented", + "text": "Define app separation requirements (namespace/nodepool/cluster)", "waf": "Security" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "547c1747-dc56-4068-a714-435cd19dd244", - "service": "AVS", + "category": "Governance and Security", + "checklist": "The AKS Checklist", + "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", + "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", + "service": "AKS", "services": [ - "AVS" + "AKS", + "AKV" ], "severity": "Medium", - "subcategory": "Compliance", - "text": "Consider using CMK (Customer Managed Key) for vSAN only if needed for compliance reason(s).", + "subcategory": "Secrets", + "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver", "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", - "service": "AVS", - "services": [ - "Monitor", - "AVS" - ], - "severity": "High", - "subcategory": "Monitoring", - "text": "Create dashboards to enable core Azure VMware Solution monitoring insights", - "waf": "Operations" - }, - { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", - "service": "AVS", + "category": "Governance and Security", + "checklist": "The AKS Checklist", + "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", + "link": "https://learn.microsoft.com/azure/aks/update-credentials", + "service": "AKS", "services": [ - "Monitor", - "AVS" + "AKS", + "AKV" ], "severity": "High", - "subcategory": "Monitoring", - "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", - "waf": "Operations" + "subcategory": "Secrets", + "text": "If using Service Principals for the cluster, refresh credentials periodically (like 
quarterly)", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "9659e396-80e7-4828-ac93-5657d02bff45", - "service": "AVS", + "category": "Governance and Security", + "checklist": "The AKS Checklist", + "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", + "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", + "service": "AKS", "services": [ - "Monitor", - "AVS" + "AKS", + "AKV" ], - "severity": "High", - "subcategory": "Monitoring", - "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Secrets", + "text": "If required add Key Management Service etcd encryption", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", - "service": "AVS", + "category": "Governance and Security", + "checklist": "The AKS Checklist", + "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", + "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", + "service": "AKS", "services": [ - "Monitor", - "AVS" + "AKS", + "AKV" ], - "severity": "High", - "subcategory": "Monitoring", - "text": "Ensure alerts are configured for Azure Service Health alerts and notifications", - "waf": "Operations" + "severity": "Low", + "subcategory": "Secrets", + "text": "If required consider using Confidential Compute for AKS", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", - "service": "AVS", + "category": "Governance and Security", + "checklist": "The AKS Checklist", + "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", + "service": "AKS", "services": [ - 
"Storage", - "Monitor", - "AVS" + "AKS", + "AKV", + "Defender" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing", - "waf": "Operations" - }, - { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", - "service": "AVS", - "services": [ - "Monitor", - "AVS" - ], - "severity": "Low", - "subcategory": "Monitoring", - "text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?", - "waf": "Operations" + "subcategory": "Secrets", + "text": "Consider using Defender for Containers", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", - "service": "AVS", + "category": "Identity and Access Management", + "checklist": "The AKS Checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", + "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", + "service": "AKS", "services": [ - "AzurePolicy", - "VM", - "Storage", - "AVS" + "Entra", + "AKS" ], "severity": "High", - "subcategory": "Operations", - "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning", - "waf": "Operations" + "subcategory": "Identity", + "text": "Use managed identities instead of Service Principals", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", - "service": "AVS", + "category": "Identity and Access Management", + "checklist": "The AKS Checklist", + "graph": "where 
type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", + "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", + "link": "https://learn.microsoft.com/azure/aks/managed-aad", + "service": "AKS", "services": [ - "AVS" + "Entra", + "AKS" ], "severity": "Medium", - "subcategory": "Operations", - "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource", - "waf": "Operations" + "subcategory": "Identity", + "text": "Integrate authentication with AAD (using the managed integration)", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", - "service": "AVS", + "category": "Identity and Access Management", + "checklist": "The AKS Checklist", + "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", + "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", + "service": "AKS", "services": [ - "Backup", - "Storage", - "AVS" + "Entra", + "AKS" ], "severity": "Medium", - "subcategory": "Operations", - "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. 
Either in Azure native or on a disk pool-backed datastore", - "waf": "Operations" + "subcategory": "Identity", + "text": "Limit access to admin kubeconfig (get-credentials --admin)", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", - "service": "AVS", + "category": "Identity and Access Management", + "checklist": "The AKS Checklist", + "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", + "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", + "service": "AKS", "services": [ - "Arc", - "AVS" + "RBAC", + "Entra", + "AKS" ], "severity": "Medium", - "subcategory": "Operations", - "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)", - "waf": "Operations" + "subcategory": "Identity", + "text": "Integrate authorization with AAD RBAC", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", - "service": "AVS", + "category": "Identity and Access Management", + "checklist": "The AKS Checklist", + "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", + "service": "AKS", "services": [ - "Monitor", - "AVS" + "RBAC", + "Entra", + "AKS" ], - "severity": "Medium", - "subcategory": "Operations", - "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor", - "waf": "Operations" + "severity": "High", + "subcategory": "Identity", + "text": "Use namespaces for restricting RBAC privilege in Kubernetes", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", - "service": "AVS", + "category": "Identity and Access Management", + 
"checklist": "The AKS Checklist", + "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", + "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", + "service": "AKS", "services": [ - "AVS" + "Entra", + "AKS" ], "severity": "Medium", - "subcategory": "Operations", - "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management", - "waf": "Operations" + "subcategory": "Identity", + "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", - "service": "AVS", + "category": "Identity and Access Management", + "checklist": "The AKS Checklist", + "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", + "service": "AKS", "services": [ - "AzurePolicy", - "Monitor", - "AVS" + "Entra", + "AKS" ], "severity": "Medium", - "subcategory": "Operations", - "text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions", - "waf": "Operations" + "subcategory": "Identity", + "text": "For AKS non-interactive logins use kubelogin (preview)", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", - "service": "AVS", + "category": "Identity and Access Management", + "checklist": "The AKS Checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", + "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", + "service": "AKS", "services": [ - "Defender", - "AVS" + "Entra", + "AKS" 
], "severity": "Medium", - "subcategory": "Security", - "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud", + "subcategory": "Identity", + "text": "Disable AKS local accounts", "waf": "Security" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", - "service": "AVS", + "category": "Identity and Access Management", + "checklist": "The AKS Checklist", + "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", + "service": "AKS", "services": [ - "Backup", - "AVS" + "Entra", + "AKS" ], - "severity": "Medium", - "subcategory": "Backup", - "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Identity", + "text": "Configure if required Just-in-time cluster access", + "waf": "Security" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", - "service": "AVS", + "category": "Identity and Access Management", + "checklist": "The AKS Checklist", + "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", + "service": "AKS", "services": [ - "ASR", - "AVS" + "Entra", + "AKS" ], - "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Have all DR solutions been considered and a solution that is best for your business been decided upon? 
[SRM/JetStream/Zerto/Veeam/...]", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Identity", + "text": "Configure if required AAD conditional access for AKS", + "waf": "Security" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", - "service": "AVS", + "category": "Identity and Access Management", + "checklist": "The AKS Checklist", + "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", + "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", + "service": "AKS", "services": [ - "ASR", - "AVS" + "Entra", + "AKS" ], - "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Identity", + "text": "If required for Windows AKS workloads configure gMSA ", + "waf": "Security" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", - "service": "AVS", + "category": "Identity and Access Management", + "checklist": "The AKS Checklist", + "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", + "service": "AKS", "services": [ - "ASR", - "AVS" + "Entra", + "AKS" ], - "severity": "High", - "subcategory": "Disaster Recovery", - "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Identity", + "text": "For finer control consider using a managed Kubelet Identity", + "waf": "Security" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "8255461e-2aee-4345-9aec-8339248b262d", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The 
AKS Checklist", + "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", + "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", + "service": "AKS", "services": [ - "ASR", - "AVS" + "ACR", + "AKS", + "AppGW" ], "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Use the geopolitical region pair as the secondary disaster recovery environment", + "subcategory": "Best practices", + "text": "If using AGIC, do not share an AppGW across clusters", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The AKS Checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", + "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", + "link": "https://learn.microsoft.com/azure/aks/http-application-routing", + "service": "AKS", "services": [ - "ASR", - "AVS" + "AKS" ], "severity": "High", - "subcategory": "Disaster Recovery", - "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions", + "subcategory": "Best practices", + "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The AKS Checklist", + "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", + "service": "AKS", "services": [ - "ExpressRoute", - 
"NVA", - "ASR", - "AVS" + "AKS" ], "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?", - "waf": "Reliability" + "subcategory": "Best practices", + "text": "For Windows workloads use Accelerated Networking", + "waf": "Performance" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The AKS Checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", + "guid": "ba7da7be-9952-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "services": [ - "Backup", - "AVS" + "AKS", + "LoadBalancer" ], - "severity": "Medium", - "subcategory": "Business Continuity", - "text": "Have all Backup solutions been considered and a solution that is best for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/�. 
]", + "severity": "High", + "subcategory": "Best practices", + "text": "Use the standard ALB (as opposed to the basic one)", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The AKS Checklist", + "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", + "service": "AKS", "services": [ - "Backup", - "AVS" + "VNet", + "AKS" ], "severity": "Medium", - "subcategory": "Business Continuity", - "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud", - "waf": "Reliability" + "subcategory": "Best practices", + "text": "If using Azure CNI, consider using different Subnets for NodePools", + "waf": "Security" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The AKS Checklist", + "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", + "service": "AKS", "services": [ - "Backup", - "AVS" + "VNet", + "AKS", + "Cost", + "PrivateLink" ], "severity": "Medium", - "subcategory": "Business Continuity", - "text": "Deploy your backup solution outside of vSan, on Azure native components", - "waf": "Reliability" + "subcategory": "Cost", + "text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster", + "waf": "Security" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The AKS Checklist", + 
"guid": "e8a03f97-8794-468d-96a7-86d60f96c97b", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", "services": [ - "AVS" + "VPN", + "AKS" ], - "severity": "Low", - "subcategory": "Business Continuity", - "text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?", + "severity": "Medium", + "subcategory": "HA", + "text": "If hybrid connectivity is required, use 2xER or ER+VPN for better availability", "waf": "Reliability" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", - "service": "AVS", - "services": [ - "AVS" - ], - "severity": "Low", - "subcategory": "Deployment strategy", - "text": "For manual deployments, all configuration and deployments must be documented", - "waf": "Operations" - }, - { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The AKS Checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", + "guid": "a0f61565-9de5-458f-a372-49c831112dbd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "services": [ - "AVS" + "AKS" ], - "severity": "Low", - "subcategory": "Deployment strategy", - "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud", - "waf": "Operations" + "severity": "High", + "subcategory": "IPAM", + "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)", + "waf": "Reliability" }, { - "category": "Platform Automation", - "checklist": "Azure VMware 
Solution Design Review", - "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The AKS Checklist", + "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "services": [ - "AVS" + "VNet", + "AKS" ], - "severity": "Low", - "subcategory": "Automated Deployment", - "text": "For automated deployments, deploy a minimal private cloud and scale as needed", - "waf": "Operations" + "severity": "High", + "subcategory": "IPAM", + "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node", + "waf": "Performance" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The AKS Checklist", + "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "services": [ - "AVS" + "AKS" ], - "severity": "Low", - "subcategory": "Automated Deployment", - "text": "For automated deployments, request or reserve quota prior to starting the deployment", - "waf": "Operations" + "severity": "High", + "subcategory": "IPAM", + "text": "If using Azure CNI, check the maximum pods/node (default 30)", + "waf": "Performance" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The AKS Checklist", + "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). 
If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .", + "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", + "link": "https://learn.microsoft.com/azure/aks/internal-lb", + "service": "AKS", "services": [ - "AzurePolicy", - "AVS" + "VNet", + "AKS" ], "severity": "Low", - "subcategory": "Automated Deployment", - "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance", - "waf": "Operations" + "subcategory": "IPAM", + "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)", + "waf": "Security" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The AKS Checklist", + "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "services": [ - "AKV", - "AVS" + "AKS" ], - "severity": "Low", - "subcategory": "Automated Connectivity", - "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use", - "waf": "Operations" + "severity": "High", + "subcategory": "IPAM", + "text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)", + "waf": "Reliability" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "255461e2-aee3-4553-afc8-339248b262d6", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The AKS Checklist", + "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", + 
"link": "https://learn.microsoft.com/azure/aks/use-byo-cni", + "service": "AKS", "services": [ - "ExpressRoute", - "AKV", - "AVS" + "AKS" ], "severity": "Low", - "subcategory": "Automated Connectivity", - "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute", - "waf": "Operations" + "subcategory": "Operations", + "text": "If required add your own CNI plugin", + "waf": "Security" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The AKS Checklist", + "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", + "service": "AKS", "services": [ - "AVS" + "AKS" ], "severity": "Low", - "subcategory": "Automated Connectivity", - "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.", - "waf": "Operations" + "subcategory": "Operations", + "text": "If required configure Public IP per node in AKS", + "waf": "Performance" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The AKS Checklist", + "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", + "link": "https://learn.microsoft.com/azure/aks/concepts-network", + "service": "AKS", "services": [ - "AVS" + "AKS" ], - "severity": "Low", - "subcategory": "Automated Connectivity", - "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs 
instead of NSX-Manager APIs", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Scalability", + "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services", + "waf": "Reliability" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The AKS Checklist", + "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", + "link": "https://learn.microsoft.com/azure/aks/nat-gateway", + "service": "AKS", "services": [ - "Subscriptions", - "AVS" + "AKS" ], - "severity": "Medium", - "subcategory": "Automated Scale", - "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution", - "waf": "Performance" + "severity": "Low", + "subcategory": "Scalability", + "text": "Use Azure NAT Gateway as outboundType for scaling egress traffic", + "waf": "Reliability" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The AKS Checklist", + "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", + "service": "AKS", "services": [ - "AzurePolicy", - "Storage", - "AVS" + "AKS" ], "severity": "Medium", - "subcategory": "Automated Scale", - "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action", - "waf": "Performance" + "subcategory": "Scalability", + "text": "Use Dynamic allocations of IPs in order to avoid Azure CNI IP exhaustion", + "waf": "Reliability" }, { - "category": "Platform 
Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The AKS Checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", + "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", + "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", + "service": "AKS", "services": [ - "AVS" + "AKS", + "NVA" ], - "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)", - "waf": "Performance" + "severity": "High", + "subcategory": "Security", + "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it", + "waf": "Security" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The AKS Checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", + "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", + "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", + "service": "AKS", "services": [ - "AVS" + "AKS" ], "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", - "waf": "Performance" + "subcategory": "Security", + 
"text": "If using a public API endpoint, restrict the IP addresses that can access it", + "waf": "Security" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The AKS Checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", + "link": "https://learn.microsoft.com/azure/aks/private-clusters", + "service": "AKS", "services": [ - "AVS" + "AKS" ], - "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Define and enforce scale in/out maximum limits for your environment in the automations", - "waf": "Performance" + "severity": "High", + "subcategory": "Security", + "text": "Use private clusters if your requirements mandate it", + "waf": "Security" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The AKS Checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "services": [ - "Monitor", - "AVS" + "AKS", + "AzurePolicy" ], "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable 
appropriate (automated) responses", - "waf": "Operations" + "subcategory": "Security", + "text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ", + "waf": "Security" }, { - "category": "Migration", - "checklist": "Azure VMware Solution Design Review", - "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The AKS Checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", + "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "services": [ - "VM", - "AVS" + "AKS", + "AzurePolicy" ], "severity": "High", - "subcategory": "Architecture", - "text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", - "waf": "Reliability" + "subcategory": "Security", + "text": "Enable a Kubernetes Network Policy option (Calico/Azure)", + "waf": "Security" }, { - "category": "Migration", - "checklist": "Azure VMware Solution Design Review", - "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The AKS Checklist", + "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "services": [ - "AVS" + "AKS", + "AzurePolicy" ], "severity": "High", - "subcategory": "Architecture", - "text": "When 
using MON, you cannot enable MON on more than 100 Network extensions", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "Reliability" + "subcategory": "Security", + "text": "Use Kubernetes network policies to increase intra-cluster security", + "waf": "Security" }, { - "category": "Migration", - "checklist": "Azure VMware Solution Design Review", - "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The AKS Checklist", + "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "services": [ - "VPN", - "AVS" + "AKS", + "WAF" ], - "severity": "Medium", - "subcategory": "Networking", - "text": "If using a VPN connection for migrations, adjust your MTU size accordingly.", - "waf": "Performance" + "severity": "High", + "subcategory": "Security", + "text": "Use a WAF for web workloads (UIs or APIs)", + "waf": "Security" }, { - "category": "Migration", - "checklist": "Azure VMware Solution Design Review", - "guid": "e614658d-d457-4e92-9139-b821102cad6e", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The AKS Checklist", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": 
"9bda4776-8f24-4c11-9775-c2ea55b46a94", + "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", + "service": "AKS", "services": [ - "AVS" + "DDoS", + "VNet", + "AKS" ], "severity": "Medium", - "subcategory": "Networking", - "text": "For low connectivity regions connecting into Azure (500Mbps or less), considering deploying the HCX WAN optimization appliance", - "waf": "Performance" + "subcategory": "Security", + "text": "Use DDoS Standard in the AKS Virtual Network", + "waf": "Security" }, { - "category": "Migration", - "checklist": "Azure VMware Solution Design Review", - "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The AKS Checklist", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", + "link": "https://learn.microsoft.com/azure/aks/http-proxy", + "service": "AKS", "services": [ - "AVS" + "AKS" ], - "severity": "Medium", - "subcategory": "Process", - "text": "Ensure that migrations are started from the on-premises appliance and NOT from the Cloud appliance (do NOT perform a reverse migration)", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Security", + "text": "If required add company HTTP Proxy", + "waf": "Security" }, { - "category": "Data Storage", - "checklist": "Azure VMware 
Solution Design Review", - "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "AVS", + "category": "Network Topology and Connectivity", + "checklist": "The AKS Checklist", + "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", + "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", + "service": "AKS", "services": [ - "VM", - "Storage", - "AVS" + "AKS" ], "severity": "Medium", - "subcategory": "Architecture", - "text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.", - "waf": "Reliability" + "subcategory": "Security", + "text": "Consider using a service mesh for advanced microservice communication management", + "waf": "Security" }, { - "category": "Data Storage", - "checklist": "Azure VMware Solution Design Review", - "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "AVS", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", + "service": "AKS", "services": [ - "ExpressRoute", - "Storage", - "AVS" + "AKS", + "Monitor" ], - "severity": "Medium", - "subcategory": "Architecture", - "text": "Ensure that a dedicated ExpressRoute Gateway is being used for external data storage solutions", - "waf": "Reliability" + "severity": "High", + "subcategory": "Alerting", + "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)", + "waf": "Operations" }, { - "category": "Data Storage", - "checklist": "Azure VMware Solution Design Review", - "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", - "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "AVS", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "337453a3-cc63-4963-9a65-22ac19e80696", + "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", + "service": "AKS", "services": [ - "ExpressRoute", - "Storage", - "AVS" + "Entra", + "AKS" ], - "severity": "Medium", - "subcategory": "Architecture", - "text": "Ensure that FastPath is enabled on the ExpressRoute Gateway that is being used for external data storage solutions", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Compliance", + "text": "Check regularly Azure Advisor for recommendations on your cluster", + "waf": "Operations" }, { - "category": "Stretched Cluster", - "checklist": "Azure VMware Solution Design Review", - "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "AVS", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", + "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", + "service": "AKS", "services": [ - "ASR", - "AVS" + "AKS" ], - "severity": "High", - "subcategory": "Architecture", - "text": "If using stretched cluster, ensure that your selected Disaster Recovery solution is supported by the vendor", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Compliance", + "text": "Enable AKS auto-certificate rotation", + "waf": "Operations" }, { - "category": "Stretched Cluster", - "checklist": "Azure VMware Solution Design Review", - "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "AVS", + "category": "Operations", + "checklist": "The AKS Checklist", + 
"guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", + "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", + "service": "AKS", "services": [ - "AVS" + "AKS" ], "severity": "High", - "subcategory": "Architecture", - "text": "If using stretched cluster, ensure that the SLA provided will meet your requirements", - "waf": "Reliability" + "subcategory": "Compliance", + "text": "Have a regular process to upgrade your kubernetes version periodically (quarterly, for example), or use the AKS autoupgrade feature", + "waf": "Operations" }, { - "category": "Stretched Cluster", - "checklist": "Azure VMware Solution Design Review", - "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "AVS", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", + "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", + "service": "AKS", "services": [ - "ExpressRoute", - "AVS" + "AKS" ], "severity": "High", - "subcategory": "Architecture", - "text": "If using stretched cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.", - "waf": "Reliability" + "subcategory": "Compliance", + "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade", + "waf": "Operations" }, { - "category": "Stretched Cluster", - "checklist": "Azure VMware Solution Design Review", - "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "AVS", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", + "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", + "service": "AKS", "services": [ - "ExpressRoute", - "AVS" + "AKS" ], "severity": "High", - "subcategory": "Architecture", - "text": "If using 
stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.", - "waf": "Reliability" + "subcategory": "Compliance", + "text": "Have a regular process to upgrade the cluster node images periodically (weekly, for example)", + "waf": "Operations" }, { - "category": "Stretched Cluster", - "checklist": "Azure VMware Solution Design Review", - "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "AVS", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", + "service": "AKS", "services": [ - "AVS" + "AKS" ], - "severity": "High", - "subcategory": "Architecture", - "text": "Have site disaster tolerance settings been properly considered and changed for your business if needed.", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Compliance", + "text": "Consider gitops to deploy applications or cluster configuration to multiple clusters", + "waf": "Operations" }, { - "category": "Governance", - "checklist": "Azure Key Vault", - "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "d7672c26-7602-4482-85a4-14527fbe855c", + "link": "https://learn.microsoft.com/azure/aks/command-invoke", + "service": "AKS", "services": [ - "Backup", - "AKV" + "AKS" ], - "severity": "High", - "subcategory": "Deployment best practices", - "text": "Familiarize yourself with the Key Vault's best practices such as isolation recommendations, access control, data protection, backup, and logging.", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Compliance", + "text": "Consider using AKS command invoke on 
private clusters", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure Key Vault", - "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Key Vault", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", + "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", + "service": "AKS", "services": [ - "AKV", - "ACR" + "AKS" ], - "severity": "Medium", - "subcategory": "High Availability", - "text": "Key Vault is a managed service and Microsoft will handle the failover within and across region. Familiarize yourself with the Key Vault's availability and redundancy.", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Compliance", + "text": "For planned events consider using Node Auto Drain", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure Key Vault", - "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", - "service": "Key Vault", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", + "link": "https://learn.microsoft.com/azure/aks/faq", + "service": "AKS", "services": [ - "AKV" + "AKS" ], - "severity": "Medium", - "subcategory": "High Availability", - "text": "The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets. 
Familiarize yourself with the Key Vault's data replication.", - "waf": "Reliability" + "severity": "High", + "subcategory": "Compliance", + "text": "Develop own governance practices to make sure no changes are performed by operators in the node RG (aka 'infra RG')", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure Key Vault", - "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", - "service": "Key Vault", + "category": "Operations", + "checklist": "The AKS Checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", + "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", "services": [ - "AzurePolicy", - "AKV" + "AKS" ], - "severity": "Medium", - "subcategory": "High Availability", - "text": "During failover, access policy or firewall configurations and settings can't be changed. The key vault will be in read-only mode during failover. 
Familiarize yourself with the Key Vault's failover guidance.", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Compliance", + "text": "Use custom Node RG (aka 'Infra RG') name", + "waf": "Operations" }, { - "category": "Management", - "checklist": "Azure Key Vault", - "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", - "service": "Key Vault", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", + "link": "https://kubernetes.io/docs/setup/release/notes/", + "service": "AKS", "services": [ - "ASR", - "Backup", - "Subscriptions", - "AKV", - "Storage" + "AKS" ], "severity": "Medium", - "subcategory": "Business continuity and disaster recovery", - "text": "When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob can't be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography. 
Familiarize yourself with the Key Vault's backup and restore guidance.", - "waf": "Reliability" - }, - { - "category": "Management", - "checklist": "Azure Key Vault", - "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "Key Vault", + "subcategory": "Compliance", + "text": "Do not use deprecated Kubernetes APIs in your YAML manifests", + "waf": "Operations" + }, + { + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", + "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", + "service": "AKS", "services": [ - "ASR", - "AKV" + "AKS" ], - "severity": "High", - "subcategory": "Business continuity and disaster recovery", - "text": "If you want protection against accidental or malicious deletion of your secrets, configure soft-delete and purge protection features on your key vault.", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Compliance", + "text": "Taint Windows nodes", + "waf": "Operations" }, { - "category": "Management", - "checklist": "Azure Key Vault", - "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "Key Vault", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", + "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", + "service": "AKS", "services": [ - "ASR", - "AKV" + "AKS" ], "severity": "Low", - "subcategory": "Business continuity and disaster recovery", - "text": "Key Vault's soft-deleted resources are retained for a set period of 90 calendar days. 
Familiarize yourself with the Key Vault's soft-delete guidance.", - "waf": "Reliability" + "subcategory": "Compliance", + "text": "Keep windows containers patch level in sync with host patch level", + "waf": "Operations" }, { - "category": "Management", - "checklist": "Azure Key Vault", - "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", - "service": "Key Vault", + "category": "Operations", + "checklist": "The AKS Checklist", + "description": "Via Diagnostic Settings at the cluster level", + "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", + "link": "https://learn.microsoft.com/azure/aks/monitor-aks", + "service": "AKS", "services": [ - "Backup", - "AKV", - "ASR" + "AKS", + "Monitor" ], "severity": "Low", - "subcategory": "Business continuity and disaster recovery", - "text": "Understand Key Vault's backup limitations. Key Vault does not support the ability to backup more than 500 past versions of a key, secret, or certificate object. Attempting to backup a key, secret, or certificate object may result in an error. 
It is not possible to delete previous versions of a key, secret, or certificate.", - "waf": "Reliability" + "subcategory": "Compliance", + "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution", + "waf": "Operations" }, { - "category": "Management", - "checklist": "Azure Key Vault", - "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", - "service": "Key Vault", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", + "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", + "service": "AKS", "services": [ - "Backup", - "AKV", - "ASR" + "AKS" ], "severity": "Low", - "subcategory": "Business continuity and disaster recovery", - "text": "Key Vault doesn't currently provide a way to back up an entire key vault in a single operation and keys, secrets and certitificates must be backup indvidually. Familiarize yourself with the Key Vault's backup and restore guidance.", - "waf": "Reliability" + "subcategory": "Compliance", + "text": "If required use nodePool snapshots", + "waf": "Cost" }, { - "category": "Management", - "checklist": "Azure Key Vault", - "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection", - "service": "Key Vault", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", + "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", + "service": "AKS", "services": [ - "EventHubs", - "AKV", - "ASR" + "AKS", + "Cost" ], - "severity": "Medium", - "subcategory": "Business continuity and disaster recovery", - "text": "Purge protection is recommended when using keys for encryption to prevent data loss. Purge protection is an optional Key Vault behavior and is not enabled by default. 
Purge protection can only be enabled once soft-delete is enabled. It can be turned on via CLI, PowerShell or Portal.", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Cost", + "text": "Consider spot node pools for non time-sensitive workloads", + "waf": "Operations" }, { - "category": "Application Deployment", - "checklist": "Azure AKS Review", - "guid": "785c2fa5-5b56-4ad4-a408-fe72734c476b", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/containers/aks/secure-baseline-aks", + "category": "Operations", + "checklist": "The AKS Checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", + "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "services": [ - "AKS" + "AKS", + "Cost" ], - "severity": "Medium", - "subcategory": "Development", - "text": "Use canary or blue/green deployments", + "severity": "Low", + "subcategory": "Cost", + "text": "Consider AKS virtual node for quick bursting", "waf": "Operations" }, { - "category": "Application Deployment", - "checklist": "Azure AKS Review", - "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", - "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", "service": "AKS", "services": [ - "AKS" + "AKS", + "Monitor" ], - "severity": "Low", - "subcategory": "Development", - "text": "If required for AKS Windows workloads HostProcess containers can be used", - "waf": "Reliability" + "severity": "High", + "subcategory": "Monitoring", + "text": "Monitor your cluster metrics with Container Insights (or other 
tools like Prometheus)", + "waf": "Operations" }, { - "category": "Application Deployment", - "checklist": "Azure AKS Review", - "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", - "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", + "category": "Operations", + "checklist": "The AKS Checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", + "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", "service": "AKS", "services": [ - "AKS" + "AKS", + "Monitor" ], - "severity": "Low", - "subcategory": "Development", - "text": "Use KEDA if running event-driven workloads", - "waf": "Performance" + "severity": "High", + "subcategory": "Monitoring", + "text": "Store and analyze your cluster logs with Container Insights (or other tools like Telegraf/ElasticSearch)", + "waf": "Operations" }, { - "category": "Application Deployment", - "checklist": "Azure AKS Review", - "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", - "link": "https://dapr.io/", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", + "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", "service": "AKS", "services": [ - "AKS" + "AKS", + "Monitor" ], - "severity": "Low", - "subcategory": "Development", - "text": "Use Dapr to ease microservice development", + "severity": "Medium", + "subcategory": "Monitoring", + "text": "Monitor CPU and memory utilization of the nodes", "waf": "Operations" }, { - "category": "Application Deployment", - "checklist": "Azure AKS Review", - "guid": "3acbe04b-be20-49d3-afda-47778424d116", - "link": "https://learn.microsoft.com/azure/developer/terraform/create-k8s-cluster-with-tf-and-aks", + 
"category": "Operations", + "checklist": "The AKS Checklist", + "guid": "1a4835ac-9422-423e-ae80-b123081a5417", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "services": [ - "AKS" + "AKS", + "Monitor" ], "severity": "Medium", - "subcategory": "Infrastructure as Code", - "text": "Use automation through ARM/TF to create your Azure resources", + "subcategory": "Monitoring", + "text": "If using Azure CNI, monitor % of pod IPs consumed per node", "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure AKS Review", - "guid": "36cb45e5-7960-4332-9bdf-8cc23318da61", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery", + "category": "Operations", + "checklist": "The AKS Checklist", + "description": "I/O in the OS disk is a critical resource. If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady", + "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", + "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", + "service": "AKS", "services": [ + "Storage", + "EventHubs", "AKS", - "ASR" + "ServiceBus", + "Monitor" ], - "severity": "High", - "subcategory": "Disaster Recovery", - "text": "Schedule and perform DR tests regularly", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Monitoring", + "text": "Monitor OS disk queue depth in nodes", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure AKS Review", - "guid": "170265f4-bb46-4a39-9af7-f317284797b1", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "be209d39-fda4-4777-a424-d116785c2fa5", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "services": [ "AKS", - "FrontDoor", + 
"NVA", "LoadBalancer", - "TrafficManager" + "Monitor" ], "severity": "Medium", - "subcategory": "High Availability", - "text": "Use Azure Traffic Manager or Azure Front Door as a global load balancer for region failover", - "waf": "Reliability" + "subcategory": "Monitoring", + "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure AKS Review", - "graph": "resources | where type=='microsoft.containerservice/managedclusters' | extend compliant= isnotnull(properties.agentPoolProfiles[0].availabilityZones) | distinct id,compliant", - "guid": "578a219a-46be-4b54-9350-24922634292b", - "link": "https://learn.microsoft.com/azure/aks/availability-zones", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", + "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", + "service": "AKS", "services": [ - "AKS" + "AKS", + "Monitor" ], "severity": "Medium", - "subcategory": "High Availability", - "text": "Use Availability Zones if they are supported in your Azure region", - "waf": "Reliability" + "subcategory": "Monitoring", + "text": "Subscribe to resource health notifications for your AKS cluster", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", - "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", - "link": "https://learn.microsoft.com/azure/aks/uptime-sla", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", "service": "AKS", "services": [ "AKS" ], "severity": "High", - "subcategory": "High Availability", - "text": "Use the SLA-backed AKS offering", - "waf": "Reliability" + 
"subcategory": "Resources", + "text": "Configure requests and limits in your pod specs", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure AKS Review", - "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "769ef669-1a48-435a-a942-223ece80b123", "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", "service": "AKS", "services": [ - "AKS", - "Cost" + "AKS" ], - "severity": "Low", - "subcategory": "High Availability", - "text": "Use Disruption Budgets in your pod and deployment definitions", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Resources", + "text": "Enforce resource quotas for namespaces", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure AKS Review", - "guid": "3c763963-7a55-42d5-a15e-401955387e5c", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", - "service": "ACR", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "081a5417-4158-433e-a3ad-3c2de733165c", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "AKS", "services": [ "AKS", - "ACR" + "Subscriptions" ], "severity": "High", - "subcategory": "High Availability", - "text": "If using a private registry, configure region replication to store images in multiple regions", - "waf": "Reliability" + "subcategory": "Resources", + "text": "Ensure your subscription has enough quota to scale out your nodepools", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure AKS Review", - "guid": "daa9a260-c3ea-4490-b077-5fc1f2a80cb0", - "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65", + "link": 
"https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/", + "service": "AKS", "services": [ - "AKS", - "ASR", - "Storage" + "AKS" ], "severity": "High", - "subcategory": "Disaster Recovery", - "text": "Use Zone-Redundant Storage (ZRS) with stateful workloads", - "waf": "Reliability" + "subcategory": "Resources", + "text": "Configure Liveness and Readiness probes for all deployments", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure AKS Review", - "guid": "bc14aea6-e65d-48d9-a3ad-c218e6436b06", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery", + "category": "Operations", + "checklist": "The AKS Checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", + "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "services": [ "AKS" ], - "severity": "High", - "subcategory": "Requirements", - "text": "Define non-functional requirements such as SLAs, RTO (Recovery Time Objective) and RPO (Recovery Point Objective).", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Scalability", + "text": "Use the Cluster Autoscaler", + "waf": "Performance" }, { - "category": "Cost Governance", - "checklist": "Azure AKS Review", - "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", + "category": "Operations", + "checklist": "The AKS Checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", + "guid": "831c2872-c693-4b39-a887-a561bada49bc", + "link": 
"https://learn.microsoft.com/azure/aks/custom-node-configuration", "service": "AKS", "services": [ - "AKS", - "Cost" + "AKS" ], "severity": "Low", - "subcategory": "Cost", - "text": "Use an external application such as kubecost to allocate costs to different users", - "waf": "Cost" + "subcategory": "Scalability", + "text": "Customize node configuration for AKS node pools", + "waf": "Performance" }, { - "category": "Cost Governance", - "checklist": "Azure AKS Review", - "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", - "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", "service": "AKS", "services": [ - "AKS", - "Cost" + "AKS" ], - "severity": "Low", - "subcategory": "Cost", - "text": "Use scale down mode to delete/deallocate nodes", - "waf": "Cost" + "severity": "Medium", + "subcategory": "Scalability", + "text": "Use the Horizontal Pod Autoscaler when required", + "waf": "Performance" }, { - "category": "Cost Governance", - "checklist": "Azure AKS Review", - "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", - "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", + "category": "Operations", + "checklist": "The AKS Checklist", + "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they will increase the blast radius and decrease the scaling granularity", + "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", + "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", "service": "AKS", "services": [ - "AKS", - "Cost" + "AKS" ], - "severity": "Medium", - "subcategory": "Cost", - "text": "When required use multi-instance partitioning GPU on AKS Clusters", - "waf": "Cost" + "severity": "High", + "subcategory": "Scalability", + "text": "Consider an appropriate node 
size, not too large or too small", + "waf": "Performance" }, { - "category": "Cost Governance", - "checklist": "Azure AKS Review", - "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", - "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", + "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", "service": "AKS", "services": [ - "AKS", - "Cost" + "AKS" ], "severity": "Low", - "subcategory": "Cost", - "text": "If running a Dev/Test cluster use NodePool Start/Stop", - "waf": "Cost" + "subcategory": "Scalability", + "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster", + "waf": "Performance" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", - "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", + "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", "service": "AKS", "services": [ - "AKS", - "AzurePolicy" + "AKS" ], - "severity": "Medium", - "subcategory": "Compliance", - "text": "Use Azure Policy for Kubernetes to ensure cluster compliance", - "waf": "Security" + "severity": "Low", + "subcategory": "Scalability", + "text": "Consider subscribing to EventGrid Events for AKS automation", + "waf": "Performance" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project 
id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", - "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", + "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", "service": "AKS", "services": [ "AKS" ], - "severity": "Medium", - "subcategory": "Compliance", - "text": "Separate applications from the control plane with user/system node pools", - "waf": "Security" + "severity": "Low", + "subcategory": "Scalability", + "text": "For long running operation on an AKS cluster consider event termination", + "waf": "Performance" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", + "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", "service": "AKS", "services": [ "AKS" ], "severity": "Low", - "subcategory": "Compliance", - "text": "Add taint to your system nodepool to make it dedicated", - "waf": "Security" + "subcategory": "Scalability", + "text": "If required consider using Azure Dedicated Hosts for AKS nodes", + "waf": "Performance" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", - "link": "https://learn.microsoft.com/azure/container-registry/", + "category": "Operations", + "checklist": "The AKS Checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | 
project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", + "guid": "24367b33-6971-45b1-952b-eee0b9b588de", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", "service": "AKS", "services": [ - "AKS", - "ACR" + "Storage", + "AKS" ], - "severity": "Medium", - "subcategory": "Compliance", - "text": "Use a private registry for your images, such as ACR", - "waf": "Security" + "severity": "High", + "subcategory": "Storage", + "text": "Use ephemeral OS disks", + "waf": "Performance" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", - "link": "https://learn.microsoft.com/azure/security-center/container-security", - "service": "ACR", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "AKS", + "services": [ + "Storage", + "AKS" + ], + "severity": "High", + "subcategory": "Storage", + "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and will generate huge logs with default AKS log rotation thresholds", + "waf": "Performance" + }, + { + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", + "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", + "service": "AKS", "services": [ + "Storage", "AKS" ], - "severity": "Medium", - "subcategory": "Compliance", - "text": "Scan your images for vulnerabilities", - "waf": "Security" + "severity": "Low", + "subcategory": "Storage", + "text": "For hyper performance storage option use Ultra Disks on AKS", + "waf": "Performance" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "cc639637-a652-42ac-89e8-06965388e9de", - "link": 
"https://learn.microsoft.com/azure/security-center/container-security", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", + "service": "AKS", "services": [ + "Storage", "AKS", - "Defender" + "SQL" ], "severity": "Medium", - "subcategory": "Compliance", - "text": "Use Azure Security Center to detect security posture vulnerabilities", - "waf": "Security" + "subcategory": "Storage", + "text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, etc)", + "waf": "Performance" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "42d4aefe-2383-470e-b019-c30df24996b2", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", + "service": "AKS", "services": [ + "Storage", "AKS" ], - "severity": "Low", - "subcategory": "Compliance", - "text": "If required configure FIPS", - "waf": "Security" + "severity": "Medium", + "subcategory": "Storage", + "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance reasons", + "waf": "Performance" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", + "category": "Operations", + "checklist": "The AKS Checklist", + "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", "service": "AKS", "services": [ + "Storage", "AKS" ], + "severity": "Medium", + "subcategory": "Storage", + "text": 
"If using Azure Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right zone or use ZRS disk for nodepools spanning multiple zones", + "waf": "Performance" + }, + { + "category": "Foundation", + "checklist": "Azure Arc Review", + "description": "Define a resource group structure for placement of Azure Arc-enabled servers resources", + "guid": "585e1112-9bd7-4ba0-82f7-b94ef6e043d2", + "services": [ + "Arc" + ], "severity": "High", - "subcategory": "Compliance", - "text": "Define app separation requirements (namespace/nodepool/cluster)", - "waf": "Security" + "subcategory": "Capacity Planning", + "text": "One or more resource groups is required for onboarding servers into Azure", + "waf": "Operations" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", - "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", - "service": "AKS", + "category": "Foundation", + "checklist": "Azure Arc Review", + "guid": "aa359271-8e6e-4205-8725-769e46691e88", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-subscription-and-service-limits", "services": [ - "AKS", - "AKV" + "Entra", + "Arc" ], "severity": "Medium", - "subcategory": "Secrets", - "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver", - "waf": "Security" + "subcategory": "Capacity Planning", + "text": "Take Azure Active Directory object limitations into account", + "waf": "Performance" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", - "link": "https://learn.microsoft.com/azure/aks/update-credentials", - "service": "AKS", + "category": "Foundation", + "checklist": "Azure Arc Review", + "description": "The following resource providers needs to be registered: Microsoft.HybridCompute, 
Microsoft.GuestConfiguration, Microsoft.HybridConnectivity", + "guid": "deace4bb-1deb-44c6-9fc3-fc14eeaa3692", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-resource-providers", "services": [ - "AKS", - "AKV" + "Subscriptions", + "Arc" ], "severity": "High", - "subcategory": "Secrets", - "text": "If using Service Principals for the cluster, refresh credentials periodically (like quarterly)", - "waf": "Security" + "subcategory": "General", + "text": "Has the Resource providers required been registered in all subscriptions", + "waf": "Operations" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", - "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", - "service": "AKS", + "category": "Foundation", + "checklist": "Azure Arc Review", + "description": "Aligning with an existing or creating an Azure tagging strategy is recommended. Resource tags allow you to quickly locate it, automate operational tasks amd more. 
", + "guid": "c6d37331-65c7-4acb-b44b-be609d79f2e8", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/", "services": [ - "AKS", - "AKV" + "Arc" ], - "severity": "Medium", - "subcategory": "Secrets", - "text": "If required add Key Management Service etcd encryption", - "waf": "Security" + "severity": "Low", + "subcategory": "General", + "text": "Has a tagging strategy for Azure Arc-enabled servers been defined", + "waf": "Cost" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", - "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", - "service": "AKS", + "category": "Foundation", + "checklist": "Azure Arc Review", + "description": "Installation of the connected machine agent is supported on most newer Windows and Linux operative systems, review the link to se the latest list", + "guid": "7778424c-5167-475c-9fa9-5b96ad88408e", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#supported-operating-systems", "services": [ - "AKS", - "AKV" + "Arc" ], - "severity": "Low", - "subcategory": "Secrets", - "text": "If required consider using Confidential Compute for AKS", - "waf": "Security" + "severity": "High", + "subcategory": "General", + "text": "What operating systems need to be Azure Arc-enabled", + "waf": "Operations" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", - "service": "AKS", + "category": "Foundation", + "checklist": "Azure Arc Review", + "description": "There are software requirements to the agent installation. 
Some might require a system reboot after installation, review to link", + "guid": "372734b8-76ba-428f-8145-901365d38e53", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#software-requirements", "services": [ - "AKS", - "Defender", - "AKV" + "Arc" ], - "severity": "Medium", - "subcategory": "Secrets", - "text": "Consider using Defender for Containers", - "waf": "Security" + "severity": "High", + "subcategory": "General", + "text": "Are required software installed on Windows and Linux servers to support the installation", + "waf": "Operations" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", - "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", - "service": "AKS", + "category": "Foundation", + "checklist": "Azure Arc Review", + "guid": "d44c7c89-19ca-41f6-b521-5ae514ba34d4", + "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=azure-arc®ions=all", "services": [ - "AKS", - "Entra" + "Arc" ], "severity": "High", - "subcategory": "Identity", - "text": "Use managed identities instead of Service Principals", - "waf": "Security" + "subcategory": "General", + "text": "Make sure to use a supported Azure region", + "waf": "Reliability" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", - "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", - "link": "https://learn.microsoft.com/azure/aks/managed-aad", - "service": "AKS", + "category": "Foundation", + "checklist": "Azure Arc Review", + "description": "The scope include organization into management groups, 
subscriptions, and resource groups.", + "guid": "f9ccbd86-8266-4abc-a264-f9a19bf39d95", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/organize-inventory-servers#organize-resources-with-built-in-azure-hierarchies", "services": [ - "AKS", - "Entra" + "Subscriptions", + "Arc" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "Integrate authentication with AAD (using the managed integration)", - "waf": "Security" + "severity": "Low", + "subcategory": "Organization", + "text": "Define the structure for Azure management of resources", + "waf": "Performance" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", - "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", - "service": "AKS", + "category": "Identity", + "checklist": "Azure Arc Review", + "description": "Define RBAC rules to the servers / resource groups as required for servers management, the 'Azure Connected Machine Resource Administrator' or 'Hybrid Server Resource Administrator' role would be sufficient for management of the Azure Arc-enabled servers resources in Azure", + "guid": "9bf39d95-d44c-47c8-a19c-a1f6d5215ae5", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#identity-and-access-control", "services": [ - "AKS", - "Entra" + "Entra", + "RBAC", + "Arc" ], "severity": "Medium", - "subcategory": "Identity", - "text": "Limit access to admin kubeconfig (get-credentials --admin)", + "subcategory": "Access", + "text": "Assign RBAC rights to Azure AD user/group access for managing Azure Arc-enabled servers", "waf": "Security" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", - "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", - "service": "AKS", + "category": "Identity", + "checklist": "Azure Arc Review", + "guid": 
"14ba34d4-585e-4111-89bd-7ba012f7b94e", + "link": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad", "services": [ - "AKS", "Entra", - "RBAC" + "AKV", + "Arc" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "Integrate authorization with AAD RBAC", + "severity": "Low", + "subcategory": "Access", + "text": "Consider using managed identities for applications to access Azure resources like Key Vault example in link", "waf": "Security" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", - "service": "AKS", + "category": "Identity", + "checklist": "Azure Arc Review", + "description": "An Azure subscription must be parented to the same Azure AD tenant", + "guid": "35ac9322-23e1-4380-8523-081a94174158", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-subscription-and-service-limits", "services": [ - "AKS", "Entra", - "RBAC" + "Subscriptions", + "Arc" ], "severity": "High", - "subcategory": "Identity", - "text": "Use namespaces for restricting RBAC privilege in Kubernetes", - "waf": "Security" + "subcategory": "Requirements", + "text": "An Azure Active Directory tenant must be available with at least one subscription", + "waf": "Operations" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", - "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", - "service": "AKS", + "category": "Identity", + "checklist": "Azure Arc Review", + "description": "Users (or SPs) need the 'Azure Connected Machine Onboarding' or 'Contributor' role to onboarding of servers", + "guid": "33ee7ad6-c6d3-4733-865c-7acbe44bbe60", + "link": 
"https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#required-permissions", "services": [ - "AKS", - "Entra" + "Entra", + "RBAC", + "Arc" ], "severity": "Medium", - "subcategory": "Identity", - "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)", + "subcategory": "Requirements", + "text": "Define which users (AAD user/groups) has access to onboard Azure Arc-enabled servers", "waf": "Security" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", - "service": "AKS", + "category": "Identity", + "checklist": "Azure Arc Review", + "description": "Ensure to only add the rights to users or groups that is required to perform their role", + "guid": "9d79f2e8-7778-4424-a516-775c6fa95b96", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale", "services": [ - "AKS", - "Entra" + "Entra", + "RBAC", + "Arc" ], "severity": "Medium", - "subcategory": "Identity", - "text": "For AKS non-interactive logins use kubelogin (preview)", + "subcategory": "Security", + "text": "Use the principle of least privileged", "waf": "Security" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", - "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", - "service": "AKS", + "category": "Identity", + "checklist": "Azure Arc Review", + "description": "A service principle with the 'Azure Connected Machine Onboarding' role is required for at-scale onboarding of servers, consider more SP's if onboarding is done by different 
teams/decentralized management", + "guid": "ad88408e-3727-434b-a76b-a28f21459013", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale", "services": [ - "AKS", - "Entra" + "Entra", + "RBAC", + "Arc" ], "severity": "Medium", - "subcategory": "Identity", - "text": "Disable AKS local accounts", + "subcategory": "Security", + "text": "How many Service Principals are needed for onboarding Arc-enabled servers into Azure", "waf": "Security" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", - "service": "AKS", + "category": "Identity", + "checklist": "Azure Arc Review", + "description": "Consider assigning the rights for the 'Azure Connected Machine Onboarding' role at the resource group level, to control the resource creation", + "guid": "65d38e53-f9cc-4bd8-9826-6abca264f9a1", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#required-permissions", "services": [ - "AKS", - "Entra" + "Entra", + "RBAC", + "Arc" ], - "severity": "Low", - "subcategory": "Identity", - "text": "Configure if required Just-in-time cluster access", + "severity": "Medium", + "subcategory": "Security", + "text": "Limit the rights to onboard Azure Arc-enabled servers to the desired resource groups", "waf": "Security" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", - "service": "AKS", + "category": "Management and Monitoring", + "checklist": "Azure Arc Review", + "description": "Plan for agent deployments at scale", + "guid": "6ee79d6b-5c2a-4364-a4b6-9bad38aad53c", + "link": 
"https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment", "services": [ - "AKS", - "Entra" + "Monitor", + "Arc" ], - "severity": "Low", - "subcategory": "Identity", - "text": "Configure if required AAD conditional access for AKS", - "waf": "Security" + "severity": "Medium", + "subcategory": "Management", + "text": "Define a strategy for agent provisioning", + "waf": "Operations" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", - "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", - "service": "AKS", + "category": "Management and Monitoring", + "checklist": "Azure Arc Review", + "description": "Use Microsoft Update to ensure that the connected machine agent is always up-to-date", + "guid": "c78e1d76-6673-457c-9496-74c5ed85b859", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-agent#upgrade-the-agent", "services": [ - "AKS", - "Entra" + "Monitor", + "Arc" ], - "severity": "Low", - "subcategory": "Identity", - "text": "If required for Windows AKS workloads configure gMSA ", - "waf": "Security" + "severity": "High", + "subcategory": "Management", + "text": "Define a strategy for agent updates", + "waf": "Operations" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", - "service": "AKS", + "category": "Management and Monitoring", + "checklist": "Azure Arc Review", + "description": "Recommendation is to use Azure Policy, or another automation tool like Azure DevOps - important is to avoid configuration drift.", + "guid": "c7733be2-a1a2-47b7-95a9-1be1f388ff39", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-vm-extensions", "services": [ - "AKS", - "Entra" + "Monitor", + "AzurePolicy", + 
"Arc" ], "severity": "Medium", - "subcategory": "Identity", - "text": "For finer control consider using a managed Kubelet Identity", - "waf": "Security" + "subcategory": "Management", + "text": "Define a strategy for extension installation", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", - "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", - "service": "AKS", + "category": "Management and Monitoring", + "checklist": "Azure Arc Review", + "description": "Use automatic upgrades where available and define an update strategy for all extensions not supporting automatic upgrades.", + "guid": "4c2bd463-cbbb-4c86-a195-abb91a4ed90d", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-automatic-vm-extension-upgrade?tabs=azure-portal", "services": [ - "AKS", - "AppGW", - "ACR" + "Monitor", + "Arc" + ], + "severity": "High", + "subcategory": "Management", + "text": "Define a strategy for extension updates", + "waf": "Operations" + }, + { + "category": "Management and Monitoring", + "checklist": "Azure Arc Review", + "description": "Azure Automanage help implement Microsoft best-practices for servers management in Azure", + "guid": "7a927c39-74d1-4102-aac6-aae01e6a84de", + "link": "https://learn.microsoft.com/azure/automanage/automanage-arc", + "services": [ + "Monitor", + "Arc" ], "severity": "Medium", - "subcategory": "Best practices", - "text": "If using AGIC, do not share an AppGW across clusters", - "waf": "Reliability" + "subcategory": "Management", + "text": "Consider using Azure Automanage to control settings and avoid configuration drift on servers", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = 
(isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", - "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", - "link": "https://learn.microsoft.com/azure/aks/http-application-routing", - "service": "AKS", + "category": "Management and Monitoring", + "checklist": "Azure Arc Review", + "guid": "37b6b780-cbaf-4e6c-9658-9d457a927c39", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment#phase-3-manage-and-operate", "services": [ - "AKS" + "Monitor", + "Arc" ], "severity": "High", - "subcategory": "Best practices", - "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.", - "waf": "Reliability" + "subcategory": "Monitoring", + "text": "Monitor for unresponsive agents", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", - "service": "AKS", + "category": "Management and Monitoring", + "checklist": "Azure Arc Review", + "guid": "74d1102c-ac6a-4ae0-8e6a-84de5df47d2d", + "link": "https://learn.microsoft.com/azure/azure-monitor/agents/log-analytics-agent#data-collected", "services": [ - "AKS" + "Monitor", + "Arc" ], "severity": "Medium", - "subcategory": "Best practices", - "text": "For Windows workloads use Accelerated Networking", - "waf": "Performance" + "subcategory": "Monitoring", + "text": "Design a monitoring strategy to send metrics and logs to an Log Analytics workspace", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", - "guid": 
"ba7da7be-9952-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + "category": "Management and Monitoring", + "checklist": "Azure Arc Review", + "guid": "92881b1c-d5d1-4e54-a296-59e3958fd782", + "link": "https://learn.microsoft.com/azure/service-health/resource-health-alert-monitor-guide", "services": [ - "AKS", - "LoadBalancer" - ], - "severity": "High", - "subcategory": "Best practices", - "text": "Use the standard ALB (as opposed to the basic one)", - "waf": "Reliability" + "Monitor", + "Arc" + ], + "severity": "Medium", + "subcategory": "Monitoring", + "text": "Use notification in Activity logs to receive notification on unexpected changes to the resources", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", - "service": "AKS", + "category": "Management and Monitoring", + "checklist": "Azure Arc Review", + "guid": "89c93555-6d02-4bfe-9564-b0d834a34872", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/learn/tutorial-enable-vm-insights", "services": [ - "AKS", - "VNet" + "Monitor", + "Arc" ], "severity": "Medium", - "subcategory": "Best practices", - "text": "If using Azure CNI, consider using different Subnets for NodePools", - "waf": "Security" + "subcategory": "Monitoring", + "text": "Use Azure Monitor for compliance and operational monitoring", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", - "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", - "service": "AKS", + "category": "Management and Monitoring", + "checklist": "Azure Arc Review", + "guid": "5df47d2d-9288-41b1-ad5d-1e54a29659e3", + "link": 
"https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment#phase-3-manage-and-operate", "services": [ - "AKS", - "Cost", - "PrivateLink", - "VNet" + "Monitor", + "Arc" ], "severity": "Medium", - "subcategory": "Cost", - "text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster", - "waf": "Security" + "subcategory": "Monitoring", + "text": "Create an alert to identify Azure Arc-enabled servers that aren't using the latest version of the Azure connected machine agent", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "e8a03f97-8794-468d-96a7-86d60f96c97b", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "category": "Management and Monitoring", + "checklist": "Azure Arc Review", + "description": "Use Update Management in Azure Automation or the new Update Management Center (preview) functionality to ensure update management of servers", + "guid": "ae2cc84c-37b6-4b78-8cba-fe6c46589d45", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/hybrid/server/best-practices/arc-update-management", "services": [ - "AKS", - "VPN" + "Monitor", + "Arc" ], - "severity": "Medium", - "subcategory": "HA", - "text": "If hybrid connectivity is required, use 2xER or ER+VPN for better availability", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Security", + "text": "Use Azure Arc-enabled servers to control software updates deployments to servers", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", - "guid": "a0f61565-9de5-458f-a372-49c831112dbd", - "link": 
"https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "category": "Networking", + "checklist": "Azure Arc Review", + "description": "The Connected Machine Agent will by default communicate with Azure services over public Internet connectivity using HTTPS (TCP port 443)", + "guid": "f6e043d2-aa35-4927-88e6-e2050725769e", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#details", "services": [ - "AKS" + "Arc" ], "severity": "High", - "subcategory": "IPAM", - "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)", - "waf": "Reliability" + "subcategory": "Networking", + "text": "Define a connectivity method from the server to Azure", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "category": "Networking", + "checklist": "Azure Arc Review", + "description": "The Connected Machine Agent can be configured to use a proxy server, it is recommended to define the proxy server address using 'azcmagent config set proxy.url' command on the local system.", + "guid": "46691e88-35ac-4932-823e-13800523081a", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-agent#update-or-remove-proxy-settings", "services": [ - "AKS", - "VNet" + "Arc" ], - "severity": "High", - "subcategory": "IPAM", - "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Networking", + "text": "Is a proxy server a required for communication over the Public Internet", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", - "link": 
"https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "category": "Networking", + "checklist": "Azure Arc Review", + "description": "The Connected Machine Agent can use a Private Link for communication with Azure Services over an existing ExpressRoute or VPN connection", + "guid": "94174158-33ee-47ad-9c6d-3733165c7acb", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/private-link-security", "services": [ - "AKS" + "VPN", + "PrivateLink", + "ExpressRoute", + "Arc" + ], + "severity": "Medium", + "subcategory": "Networking", + "text": "Is a private (not public Internet) connection required?", + "waf": "Operations" + }, + { + "category": "Networking", + "checklist": "Azure Arc Review", + "description": "Firewall configuration might be required for the agent to communicate with Azure, use the link to see ServiceTags and/or URL's required", + "guid": "e44bbe60-9d79-4f2e-a777-8424c516775c", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#service-tags", + "services": [ + "Arc" ], "severity": "High", - "subcategory": "IPAM", - "text": "If using Azure CNI, check the maximum pods/node (default 30)", - "waf": "Performance" + "subcategory": "Networking", + "text": "Will Firewall configurations be needed in order to ensure communication with Azure Services?", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. 
Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .", - "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", - "link": "https://learn.microsoft.com/azure/aks/internal-lb", - "service": "AKS", + "category": "Networking", + "checklist": "Azure Arc Review", + "description": "Use available automation tool for the system in question to regularly update the Azure endpoints", + "guid": "6fa95b96-ad88-4408-b372-734b876ba28f", + "link": "https://www.microsoft.com/download/details.aspx?id=56519", "services": [ - "AKS", - "VNet" + "Arc" ], "severity": "Low", - "subcategory": "IPAM", - "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)", + "subcategory": "Networking", + "text": "Can the Firewall or Proxy rules be automated updated if Service Tags or IP addresses change", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "category": "Networking", + "checklist": "Azure Arc Review", + "description": "Configure Servers to use Transport Layer Security (TLS) version 1.2", + "guid": "21459013-65d3-48e5-9f9c-cbd868266abc", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#transport-layer-security-12-protocol", "services": [ - "AKS" + "Arc" ], "severity": "High", - "subcategory": "IPAM", - "text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)", - "waf": "Reliability" + "subcategory": "Networking", + "text": "Always use secure communication for Azure where possible", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", - 
"link": "https://learn.microsoft.com/azure/aks/use-byo-cni", - "service": "AKS", + "category": "Networking", + "checklist": "Azure Arc Review", + "description": "All extensions (like log analytics etc.) have separate network requirements, be sure to include all in the network design.", + "guid": "a264f9a1-9bf3-49d9-9d44-c7c8919ca1f6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/hybrid/arc-enabled-servers/eslz-arc-servers-connectivity#define-extensions-connectivity-method", "services": [ - "AKS" + "PrivateLink", + "Monitor", + "Arc" ], "severity": "Low", - "subcategory": "Operations", - "text": "If required add your own CNI plugin", + "subcategory": "Networking", + "text": "Include communication for Azure Arc-enabled Servers extensions in the design (firewall/proxy/private link)", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", - "service": "AKS", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "guid": "ac6aae01-e6a8-44de-9df4-7d2d92881b1c", + "link": "https://learn.microsoft.com/azure/governance/policy/", "services": [ - "AKS" + "AzurePolicy", + "Arc" ], - "severity": "Low", - "subcategory": "Operations", - "text": "If required configure Public IP per node in AKS", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Management", + "text": "Use Azure Policy to implement a governance model for hybrid connected servers", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", - "link": "https://learn.microsoft.com/azure/aks/concepts-network", - "service": "AKS", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc 
Review", + "guid": "5c2a3649-4b69-4bad-98aa-d53cc78e1d76", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", "services": [ - "AKS" + "Arc" ], "severity": "Medium", - "subcategory": "Scalability", - "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services", - "waf": "Reliability" + "subcategory": "Management", + "text": "Consider using Machine configurations for in guest OS configurations", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", - "link": "https://learn.microsoft.com/azure/aks/nat-gateway", - "service": "AKS", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "guid": "667357c4-4967-44c5-bd85-b859c7733be2", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/machine-configuration-create", "services": [ - "AKS" + "AzurePolicy", + "Arc" ], - "severity": "Low", - "subcategory": "Scalability", - "text": "Use Azure NAT Gateway as outboundType for scaling egress traffic", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Management", + "text": "Evaluate the need for custom Guest Configuration policies", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", - "service": "AKS", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "guid": "49674c5e-d85b-4859-a773-3be2a1a27b77", + "link": "https://learn.microsoft.com/azure/automation/change-tracking/overview", "services": [ - "AKS" + "Monitor", + "Arc" ], "severity": "Medium", - "subcategory": "Scalability", - "text": "Use Dynamic allocations of IPs in order to 
avoid Azure CNI IP exhaustion", - "waf": "Reliability" + "subcategory": "Monitoring", + "text": "Consider using change tracking for tracking changes made on the servers", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", - "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", - "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", - "service": "AKS", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "guid": "d5d1e54a-2965-49e3-a58f-d78289c93555", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/data-residency", "services": [ - "AKS", - "NVA" + "Arc" ], - "severity": "High", - "subcategory": "Security", - "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it", + "severity": "Medium", + "subcategory": "Requirements", + "text": "Make sure to use an Azure region for storing the metadata approved by the organization", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", - "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", - "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", - "service": "AKS", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "guid": "195abb91-a4ed-490d-ae2c-c84c37b6b780", + "link": "https://learn.microsoft.com/azure/key-vault/general/basic-concepts", "services": [ - "AKS" + "AKV", + "Arc" 
], "severity": "Medium", - "subcategory": "Security", - "text": "If using a public API endpoint, restrict the IP addresses that can access it", + "subcategory": "Secrets", + "text": "Use Azure Key Vault for certificate management on servers", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", - "link": "https://learn.microsoft.com/azure/aks/private-clusters", - "service": "AKS", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "description": "Consider using a short-lived Azure AD service principal client secrets.", + "guid": "6d02bfe4-564b-40d8-94a3-48726ee79d6b", + "link": "https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret", "services": [ - "AKS" + "Storage", + "Entra", + "AKV", + "Arc" ], "severity": "High", - "subcategory": "Security", - "text": "Use private clusters if your requirements mandate it", + "subcategory": "Secrets", + "text": "What is the acceptable life time of the secret used by SP's", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", 
+ "description": "A private key is saved to the disk, ensure this is protected using disk encryption", + "guid": "a1a27b77-5a91-4be1-b388-ff394c2bd463", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#using-disk-encryption", "services": [ - "AKS", - "AzurePolicy" + "AKV", + "Arc" ], "severity": "Medium", - "subcategory": "Security", - "text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ", + "subcategory": "Secrets", + "text": "Secure the public key for Azure Arc-enabled Servers", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", - "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "description": "Local administrator is required to install the Connected Machine Agent on Windows and Linux systems", + "guid": "29659e39-58fd-4782-a9c9-35556d02bfe4", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-portal#install-manually", "services": [ - "AKS", - "AzurePolicy" + "Arc" ], "severity": "High", "subcategory": "Security", - "text": "Enable a Kubernetes Network Policy option (Calico/Azure)", + "text": "Ensure there is local administrator access for executing the agent installation", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "description": "Members of the local administrator group on Windows 
and users with root privileges on Linux, have permissions to manage the agent via command line.", + "guid": "564b0d83-4a34-4872-9ee7-9d6b5c2a3649", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#agent-security-and-permissions", "services": [ - "AKS", - "AzurePolicy" + "Arc" ], - "severity": "High", + "severity": "Medium", "subcategory": "Security", - "text": "Use Kubernetes network policies to increase intra-cluster security", + "text": "Limit the amount of users with local administrator rights to the servers", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "guid": "4b69bad3-8aad-453c-a78e-1d76667357c4", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/managed-identity-authentication", "services": [ - "AKS", - "WAF" + "Entra", + "Arc" ], - "severity": "High", + "severity": "Medium", "subcategory": "Security", - "text": "Use a WAF for web workloads (UIs or APIs)", + "text": "Consider using and restricting access to managed identities for applications.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct 
id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", - "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", - "service": "AKS", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "description": "Use Defender for Endpoint or another AV and EDR solution to protect endpoints", + "guid": "5a91be1f-388f-4f39-9c2b-d463cbbbc868", + "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started", "services": [ - "AKS", - "VNet", - "DDoS" + "Defender", + "Arc" ], "severity": "Medium", "subcategory": "Security", - "text": "Use DDoS Standard in the AKS Virtual Network", + "text": "Enable Defender for Servers for all servers to secure hybrid workloads from threats", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", - "link": "https://learn.microsoft.com/azure/aks/http-proxy", - "service": "AKS", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "guid": "cbafe6c4-6589-4d45-9a92-7c3974d1102c", "services": [ - "AKS" + "Arc" ], - "severity": "Low", + "severity": "Medium", "subcategory": "Security", - 
"text": "If required add company HTTP Proxy", + "text": "Define controls to detect security misconfigurations and track compliance", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", - "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", - "service": "AKS", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "guid": "cbbbc868-195a-4bb9-8a4e-d90dae2cc84c", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#extension-allowlists-and-blocklists", "services": [ - "AKS" + "Arc" ], "severity": "Medium", "subcategory": "Security", - "text": "Consider using a service mesh for advanced microservice communication management", + "text": "Use allow- or block-lists to control what extensions can be installed on the Azure Arc-enabled servers", "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", - "service": "AKS", - "services": [ - "AKS", - "Monitor" - ], - "severity": "High", - "subcategory": "Alerting", - "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)", - "waf": "Operations" - }, - { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "337453a3-cc63-4963-9a65-22ac19e80696", - "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", - "service": "AKS", - "services": [ - "AKS", - "Entra" - ], - "severity": "Low", - "subcategory": "Compliance", - "text": "Check regularly Azure Advisor for recommendations on your cluster", - "waf": "Operations" - }, - { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", - "link": 
"https://learn.microsoft.com/azure/aks/certificate-rotation", - "service": "AKS", - "services": [ - "AKS" - ], - "severity": "Low", - "subcategory": "Compliance", - "text": "Enable AKS auto-certificate rotation", - "waf": "Operations" - }, - { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", - "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", - "service": "AKS", + "category": "BC and DR", + "checklist": "Azure Data Explorer Review Checklist", + "description": "Using the correct approach to feed a datalake with cold data and having the Kusto query engine at your disposal at the same time, as in the short-term storage", + "guid": "ba7da7be-9951-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export", + "service": "Azure Data Explorer", "services": [ - "AKS" + "Storage", + "Cost" ], - "severity": "High", - "subcategory": "Compliance", - "text": "Have a regular process to upgrade your kubernetes version periodically (quarterly, for example), or use the AKS autoupgrade feature", - "waf": "Operations" + "subcategory": "Replication", + "text": "Leverage External Tables and Continuous data export overview to reduce costs", + "waf": "Reliability" }, - { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", - "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", - "service": "AKS", + { + "category": "BC and DR", + "checklist": "Azure Data Explorer Review Checklist", + "description": "Azure Data Explorer provides an optional follower capability for a leader cluster to be followed by other follower clusters for read-only access to the leader's data and metadata. Changes in the leader, such as create, append, and drop are automatically synchronized to the follower. 
While the leaders could span Azure regions, the follower clusters should be hosted in the same region(s) as the leader. If the leader cluster is down or databases or tables are accidentally dropped, the follower clusters will lose access until access is recovered in the leader.",
+ "guid": "56a22586-f490-4641-addd-ea8a377cdeb3",
+ "link": "https://learn.microsoft.com/azure/data-explorer/follower?tabs=csharp",
+ "service": "Azure Data Explorer",
 "services": [
- "AKS"
+ "Storage"
 ],
- "severity": "High",
- "subcategory": "Compliance",
- "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade",
- "waf": "Operations"
+ "subcategory": "Replication",
+ "text": "To share data, explore Leader-follower cluster configuration",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "139c9580-ade3-426a-ba09-cf157d9f6477",
- "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade",
- "service": "AKS",
+ "category": "BC and DR",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "Azure Data Explorer doesn't support automatic protection against the outage of an entire Azure region. This disruption can happen during a natural disaster, like an earthquake. If you require a solution for a disaster recovery situation, do the following steps to ensure business continuity. 
In these steps, you'll replicate your clusters, management, and data ingestion in two Azure paired regions.",
+ "guid": "861bb2bc-14ae-4a6e-95d8-d9a3adc218e6",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters",
+ "service": "Azure Data Explorer",
 "services": [
- "AKS"
+ "ASR"
 ],
- "severity": "High",
- "subcategory": "Compliance",
- "text": "Have a regular process to upgrade the cluster node images periodically (weekly, for example)",
- "waf": "Operations"
+ "subcategory": "Replication",
+ "text": "To protect against regional failure, create Multiple independent clusters, preferably in two Azure Paired regions",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments",
- "service": "AKS",
+ "category": "BC and DR",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "guid": "436b0635-cb45-4e57-a603-324ace8cc123",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities",
+ "service": "Azure Data Explorer",
 "services": [
- "AKS"
+ "Storage",
+ "RBAC"
 ],
- "severity": "Low",
- "subcategory": "Compliance",
- "text": "Consider gitops to deploy applications or cluster configuration to multiple clusters",
- "waf": "Operations"
+ "subcategory": "Replication",
+ "text": "Replicate all management activities such as creating new tables or managing user roles on each cluster.",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "d7672c26-7602-4482-85a4-14527fbe855c",
- "link": "https://learn.microsoft.com/azure/aks/command-invoke",
- "service": "AKS",
+ "category": "BC and DR",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "guid": 
"18ca6017-0265-4f4b-a46a-393af7f31728",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution",
+ "service": "Azure Data Explorer",
+ "services": [],
+ "subcategory": "Replication",
+ "text": "Ingest data into each cluster in parallel",
+ "waf": "Reliability"
+ },
+ {
+ "category": "BC and DR",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "This configuration is also called 'always-on'. For critical application deployments with no tolerance for outages, you should use multiple Azure Data Explorer clusters across Azure paired regions.",
+ "guid": "58a9c279-9c42-4bb6-9d0c-65556246b338",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration",
+ "service": "Azure Data Explorer",
 "services": [
- "AKS"
+ "ACR"
 ],
- "severity": "Low",
- "subcategory": "Compliance",
- "text": "Consider using AKS command invoke on private clusters",
- "waf": "Operations"
+ "subcategory": "DR Configuration",
+ "text": "For critical application with no tolerance for outages, create Active-Active-Active (always-on) configuration",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b",
- "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain",
- "service": "AKS",
+ "category": "BC and DR",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "This configuration is identical to the active-active-active configuration, but only involves two Azure paired regions. Configure dual ingestion, processing, and curation. Users are routed to the nearest region. 
The cluster SKU must be the same across regions.",
+ "guid": "563a4dc7-4a74-48b6-922a-d190916a6649",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration",
+ "service": "Azure Data Explorer",
 "services": [
- "AKS"
+ "ACR"
 ],
- "severity": "Low",
- "subcategory": "Compliance",
- "text": "For planned events consider using Node Auto Drain",
- "waf": "Operations"
+ "subcategory": "DR Configuration",
+ "text": "For critical applications, create Active-Active configuration in two paired regions",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c",
- "link": "https://learn.microsoft.com/azure/aks/faq",
- "service": "AKS",
+ "category": "BC and DR",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "The Active-Hot configuration is similar to the Active-Active configuration in dual ingest, processing, and curation. While the standby cluster is online for ingestion, process, and curation, it isn't available to query. The standby cluster doesn't need to be in the same SKU as the primary cluster. It can be of a smaller SKU and scale, which may result in it being less performant. 
In a disaster scenario, users are redirected to the standby cluster, which can optionally be scaled up to increase performance.",
+ "guid": "8fadfe27-7de2-483b-8ac3-52baa9b75708",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-hot-standby-configuration",
+ "service": "Azure Data Explorer",
+ "services": [],
+ "subcategory": "DR Configuration",
+ "text": "For applications, which required only read during failure, create Active-Hot standby configuration",
+ "waf": "Reliability"
+ },
+ {
+ "category": "BC and DR",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "This solution offers the least resiliency (highest RPO and RTO), is the lowest in cost and highest in effort. In this configuration, there's no data recovery cluster. Configure continuous export of curated data (unless raw and intermediate data is also required) to a storage account that is configured GRS (Geo Redundant Storage). A data recovery cluster is spun up if there is a disaster recovery scenario. At that time, DDLs, configuration, policies, and processes are applied. 
Data is ingested from storage with the ingestion property kustoCreationTime to over-ride the ingestion time that defaults to system time.",
+ "guid": "49aa8092-dc8e-4b9d-8bb7-3b26a5a67eba",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration",
+ "service": "Azure Data Explorer",
 "services": [
- "AKS"
+ "Storage",
+ "ASR",
+ "AzurePolicy",
+ "Cost"
 ],
- "severity": "High",
- "subcategory": "Compliance",
- "text": "Develop own governance practices to make sure no changes are performed by operators in the node RG (aka 'infra RG')",
- "waf": "Operations"
+ "subcategory": "DR Configuration",
+ "text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant",
- "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812",
- "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
- "service": "AKS",
+ "category": "Operations Management",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "All database objects, policies, and configurations should be persisted in source control so they can be released to the cluster from your release automation tool.",
+ "guid": "5a907e1e-348e-4f25-9c27-d32e8bbac757",
+ "link": "https://learn.microsoft.com/azure/data-explorer/devops",
+ "service": "Azure Data Explorer",
 "services": [
- "AKS"
+ "AzurePolicy"
 ],
- "severity": "Low",
- "subcategory": "Compliance",
- "text": "Use custom Node RG (aka 'Infra RG') name",
- "waf": "Operations"
+ "subcategory": "IaC",
+ "text": "Wrap DevOps and source control around all your code",
+ "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/",
+ 
"waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32",
- "link": "https://kubernetes.io/docs/setup/release/notes/",
- "service": "AKS",
+ "category": "Operations Management",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "guid": "1559ab91-53e8-4908-ae28-b84c33b6b780",
+ "link": "https://learn.microsoft.com/azure/data-explorer/devops",
+ "service": "Azure Data Explorer",
+ "services": [],
+ "subcategory": "IaC",
+ "text": "Design, develop, and implement validation routines to ensure all clusters are in-sync from a data perspective.",
+ "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "guid": "8b9fe5c4-1049-4d40-9a82-2c3474d00f18",
+ "link": "https://learn.microsoft.com/azure/data-explorer/devops",
+ "service": "Azure Data Explorer",
+ "services": [],
+ "subcategory": "IaC",
+ "text": "Be fully cognizant of what it takes to build a cluster from scratch. 
Leverage Infrastructure as a Code for your deployments",
+ "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Identity Review Checklist",
+ "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c",
+ "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens",
+ "service": "Entra",
 "services": [
- "AKS"
+ "Entra"
 ],
 "severity": "Medium",
- "subcategory": "Compliance",
- "text": "Do not use deprecated Kubernetes APIs in your YAML manifests",
- "waf": "Operations"
+ "subcategory": "Entra ID",
+ "text": "Use long-live revocable token, cache your token and acquire your silently using Microsoft Identity Library",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed",
- "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters",
- "service": "AKS",
+ "category": "Operations Management",
+ "checklist": "Identity Review Checklist",
+ "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd",
+ "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops",
+ "service": "AAD B2C",
 "services": [
- "AKS"
+ "Entra"
 ],
- "severity": "Low",
- "subcategory": "Compliance",
- "text": "Taint Windows nodes",
- "waf": "Operations"
+ "severity": "Medium",
+ "subcategory": "AAD B2C",
+ "text": "Make sure that your sign-in user flows are backed up and resilient. Make sure that the code that you use to sign-in your users are backed up and recoverable. 
Resilient interfaces with external processes",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e",
- "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2",
- "service": "AKS",
+ "category": "Operations Management",
+ "checklist": "Identity Review Checklist",
+ "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296",
+ "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network",
+ "service": "AAD B2C",
 "services": [
- "AKS"
+ "Entra"
 ],
- "severity": "Low",
- "subcategory": "Compliance",
- "text": "Keep windows containers patch level in sync with host patch level",
- "waf": "Operations"
+ "severity": "Medium",
+ "subcategory": "AAD B2C",
+ "text": "Custom brand assets should be hosted on a CDN",
+ "waf": "Performance"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "description": "Via Diagnostic Settings at the cluster level",
- "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5",
- "link": "https://learn.microsoft.com/azure/aks/monitor-aks",
- "service": "AKS",
+ "category": "Operations Management",
+ "checklist": "Identity Review Checklist",
+ "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64",
+ "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance",
+ "service": "AAD B2C",
 "services": [
- "AKS",
- "Monitor"
+ "Entra"
 ],
 "severity": "Low",
- "subcategory": "Compliance",
- "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution",
- "waf": "Operations"
+ "subcategory": "AAD B2C",
+ "text": "Have multiple identiy providers (i.e., login with your microsoft, google, facebook accounts)",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21",
- "link": 
"https://learn.microsoft.com/azure/aks/node-pool-snapshot",
- "service": "AKS",
+ "category": "Operations Management",
+ "checklist": "Identity Review Checklist",
+ "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57",
+ "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
+ "service": "Windows AD",
 "services": [
- "AKS"
+ "Entra",
+ "VM"
 ],
- "severity": "Low",
- "subcategory": "Compliance",
- "text": "If required use nodePool snapshots",
- "waf": "Cost"
+ "severity": "Medium",
+ "subcategory": "Windows Server AD",
+ "text": "Follow VM rules for high availability on the VM level (premium disks, two or more in a region, in different availability zones)",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0",
- "link": "https://learn.microsoft.com/azure/aks/spot-node-pool",
- "service": "AKS",
+ "category": "Operations Management",
+ "checklist": "Identity Review Checklist",
+ "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0",
+ "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
+ "service": "Windows AD",
 "services": [
- "AKS",
- "Cost"
+ "Entra"
 ],
- "severity": "Low",
- "subcategory": "Cost",
- "text": "Consider spot node pools for non time-sensitive workloads",
- "waf": "Operations"
+ "severity": "Medium",
+ "subcategory": "Windows Server AD",
+ "text": "Don't replicate! 
Replication can create issues with directory synchronization",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant",
- "guid": "c755562f-2b4e-4456-9b4d-874a748b662e",
- "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
- "service": "AKS",
+ "category": "Operations Management",
+ "checklist": "Identity Review Checklist",
+ "guid": "79b598de-fc59-472c-b4cd-21b078036f5e",
+ "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
+ "service": "Windows AD",
 "services": [
- "AKS",
- "Cost"
+ "Entra"
 ],
- "severity": "Low",
- "subcategory": "Cost",
- "text": "Consider AKS virtual node for quick bursting",
- "waf": "Operations"
+ "severity": "Medium",
+ "subcategory": "Windows Server AD",
+ "text": "Have active-active for multi-regions",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
- "service": "AKS",
+ "category": "Operations Management",
+ "checklist": "Identity Review Checklist",
+ "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0",
+ "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
+ "service": "Entra",
 "services": [
- "AKS",
- "Monitor"
+ "Entra"
 ],
- "severity": "High",
- "subcategory": "Monitoring",
- "text": "Monitor your cluster metrics with Container Insights (or other tools like Prometheus)",
- "waf": "Operations"
+ "severity": "Medium",
+ "subcategory": "Entra Domain Services",
+ "text": "Add Azure AD Domain service stamps to additional regions and locations",
+ "waf": 
"Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant",
- "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
- "service": "AKS",
+ "category": "Operations Management",
+ "checklist": "Identity Review Checklist",
+ "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4",
+ "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
+ "service": "Entra",
 "services": [
- "AKS",
- "Monitor"
+ "Entra"
 ],
- "severity": "High",
- "subcategory": "Monitoring",
- "text": "Store and analyze your cluster logs with Container Insights (or other tools like Telegraf/ElasticSearch)",
- "waf": "Operations"
+ "severity": "Medium",
+ "subcategory": "Entra Domain Services",
+ "text": "Use Replica Sets for DR",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669",
- "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze",
- "service": "AKS",
+ "category": "Compute",
+ "checklist": "Resiliency Review",
+ "description": "Automatic instance repairs ensure that unhealthy instances are promptly identified and replaced, maintaining a set of healthy instances within your scale set.",
+ "guid": "7e13c105-675c-41e9-95b4-59837ff7ae7c",
+ "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs",
+ "service": "VMSS",
 "services": [
- "AKS",
- "Monitor"
+ "VM"
 ],
- "severity": "Medium",
- "subcategory": "Monitoring",
- "text": "Monitor CPU and memory utilization of the nodes",
- "waf": "Operations"
+ "severity": "Low",
+ "subcategory": 
"VM Scale Sets",
+ "text": "Enable automatic instance repairs for enhanced VM Scale Sets resiliency",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "1a4835ac-9422-423e-ae80-b123081a5417",
- "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
- "service": "AKS",
+ "category": "Compute",
+ "checklist": "Resiliency Review",
+ "description": "Ensure that Azure Backup is utilized appropriately to meet your organization's resiliency requirements for Azure virtual machines (VMs).",
+ "guid": "4d874a74-8b66-42d6-b150-512a66498f6d",
+ "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction",
+ "service": "VM",
 "services": [
- "AKS",
- "Monitor"
+ "VM",
+ "Backup"
 ],
- "severity": "Medium",
- "subcategory": "Monitoring",
- "text": "If using Azure CNI, monitor % of pod IPs consumed per node",
- "waf": "Operations"
+ "severity": "High",
+ "subcategory": "Virtual Machines",
+ "text": "Consider Azure Backup to meet your resiliency requirements for Azure VMs",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "description": "I/O in the OS disk is a critical resource. 
If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady",
- "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b",
- "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance",
- "service": "AKS",
+ "category": "Compute",
+ "checklist": "Resiliency Review",
+ "description": "Single Instance VMs using Premium SSD or Ultra Disk for all Operating System Disks and Data Disks are guaranteed to have Virtual Machine Connectivity of at least 99.9%",
+ "guid": "8052d88e-79d1-47b7-9b22-a5a67e7a8ed4",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types",
+ "service": "VM",
 "services": [
- "AKS",
- "EventHubs",
- "Monitor",
- "ServiceBus",
- "Storage"
+ "VM"
 ],
- "severity": "Medium",
- "subcategory": "Monitoring",
- "text": "Monitor OS disk queue depth in nodes",
- "waf": "Operations"
+ "severity": "High",
+ "subcategory": "Virtual Machines",
+ "text": "Use Premium or Ultra disks for production VMs",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "be209d39-fda4-4777-a424-d116785c2fa5",
- "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
- "service": "AKS",
+ "category": "Compute",
+ "checklist": "Resiliency Review",
+ "description": "Azure automatically replicates managed disks within a region to ensure data durability and protect against single-point failures.",
+ "guid": "b31e38c3-f298-412b-8363-cffe179b599d",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview",
+ "service": "VM",
 "services": [
- "AKS",
- "NVA",
- "LoadBalancer",
- "Monitor"
+ "VM"
 ],
- "severity": "Medium",
- "subcategory": "Monitoring",
- "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports",
- "waf": "Operations"
+ "severity": "High",
+ "subcategory": "Virtual Machines",
+ "text": "Ensure Managed Disks are used for all VMs",
+ 
"waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9",
- "link": "https://learn.microsoft.com/azure/aks/aks-resource-health",
- "service": "AKS",
+ "category": "Compute",
+ "checklist": "Resiliency Review",
+ "description": "Temporary disks are intended for short-term storage of non-persistent data such as page files, swap files, or SQL Server tempdb. Storing persistent data on temporary disks can lead to data loss during maintenance events or VM redeployment.",
+ "guid": "e0d5973c-d4ce-432c-8881-37f6f7c4c0d4",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk",
+ "service": "VM",
 "services": [
- "AKS",
- "Monitor"
+ "Storage",
+ "VM",
+ "SQL"
 ],
 "severity": "Medium",
- "subcategory": "Monitoring",
- "text": "Subscribe to resource health notifications for your AKS cluster",
- "waf": "Operations"
+ "subcategory": "Virtual Machines",
+ "text": "Do not use the Temp disk for anything that is not acceptable to be lost",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
- "service": "AKS",
+ "category": "Compute",
+ "checklist": "Resiliency Review",
+ "description": "Co-locate your compute, storage, networking, and data resources across an availability zone, and replicate this arrangement in other availability zones.",
+ "guid": "e514548d-2447-4ec6-9138-b8200f1ce16e",
+ "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview",
+ "service": "VM",
 "services": [
- "AKS"
+ "Storage",
+ "ACR",
+ "VM"
 ],
- "severity": "High",
- "subcategory": "Resources",
- "text": "Configure requests and limits in your pod specs",
- "waf": "Operations"
+ "severity": "Medium",
+ "subcategory": "Virtual Machines",
+ "text": "Leverage Availability Zones for your 
VMs in regions where they are supported",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "769ef669-1a48-435a-a942-223ece80b123",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
- "service": "AKS",
+ "category": "Compute",
+ "checklist": "Resiliency Review",
+ "description": "Use at least two VMs in Availability Sets to isolate VMs on different fault and update domains.",
+ "guid": "5a785d6f-e96c-496a-b884-4cf3b2b38c88",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
+ "service": "VM",
 "services": [
- "AKS"
+ "VM"
 ],
 "severity": "Medium",
- "subcategory": "Resources",
- "text": "Enforce resource quotas for namespaces",
- "waf": "Operations"
+ "subcategory": "Virtual Machines",
+ "text": "For regions that do not support Availability Zones deploy VMs into Availability Sets",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "081a5417-4158-433e-a3ad-3c2de733165c",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
- "service": "AKS",
+ "category": "Compute",
+ "checklist": "Resiliency Review",
+ "description": "Azure provides multiple options for VM redundancy to meet different requirements (Availability Zones, Virtual Machine Scale Sets, Availability Sets, Azure Site Recovery)",
+ "guid": "6ba2c021-4991-414a-9d3c-e574dccbd979",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
+ "service": "VM",
 "services": [
- "AKS",
- "Subscriptions"
+ "ASR",
+ "VM"
 ],
 "severity": "High",
- "subcategory": "Resources",
- "text": "Ensure your subscription has enough quota to scale out your nodepools",
- "waf": "Operations"
+ "subcategory": "Virtual Machines",
+ "text": "Avoid running a production workload on a single VM",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- 
"guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65",
- "link": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/",
- "service": "AKS",
+ "category": "Compute",
+ "checklist": "Resiliency Review",
+ "description": "Azure Site Recovery enables you to achieve low RTO (Recovery Time Objective) for your Azure and hybrid VMs by providing continuous replication and failover capabilities.",
+ "guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891",
+ "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
+ "service": "VM",
 "services": [
- "AKS"
+ "ASR",
+ "AVS",
+ "VM"
 ],
 "severity": "High",
- "subcategory": "Resources",
- "text": "Configure Liveness and Readiness probes for all deployments",
- "waf": "Operations"
+ "subcategory": "Virtual Machines",
+ "text": "For Azure and on-premises VMs (Hyper-V/Phyiscal/VMware) with low RTO requirements use Azure Site Recovery",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant",
- "guid": "90ce65de-8e13-4f9c-abd4-69266abca264",
- "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
- "service": "AKS",
+ "category": "Compute",
+ "checklist": "Resiliency Review",
+ "description": "By using Capacity Reservations, you can effectively manage capacity for critical workloads, ensuring resource availability in specified regions.",
+ "guid": "bd7bb012-f7b9-45e0-9e15-8e3ea3992c2d",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/capacity-reservation-overview",
+ "service": "VM",
 "services": [
- "AKS"
+ "VM"
+ ],
+ "severity": "Low",
+ "subcategory": "Virtual Machines",
+ "text": "Use Capacity Reservations for critical workloads that require guaranteed capacity",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Compute",
+ "checklist": "Resiliency Review",
+ 
"description": "By ensuring that the necessary quotas are increased in your DR region before testing failover with ASR, you can avoid any potential resource constraints during the recovery process for failed over VMs.",
+ "guid": "e6e2065b-3a76-4af4-a691-e8939ada4666",
+ "link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests",
+ "service": "VM",
+ "services": [
+ "ASR",
+ "VM"
 ],
 "severity": "Medium",
- "subcategory": "Scalability",
- "text": "Use the Cluster Autoscaler",
- "waf": "Performance"
+ "subcategory": "Virtual Machines",
+ "text": "Increase quotas in DR region before testing failover with ASR",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant",
- "guid": "831c2872-c693-4b39-a887-a561bada49bc",
- "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration",
- "service": "AKS",
+ "category": "Compute",
+ "checklist": "Resiliency Review",
+ "description": "Scheduled Events is an Azure Metadata Service that provides information about upcoming maintenance events for virtual machines (VMs). 
By leveraging Scheduled Events, you can proactively prepare your applications for VM maintenance, minimizing disruption and improving the availability of your VMs.",
+ "guid": "6d3b475a-5c7a-4cbe-99bb-e64dd8902e87",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events",
+ "service": "VM",
 "services": [
- "AKS"
+ "VM"
 ],
 "severity": "Low",
- "subcategory": "Scalability",
- "text": "Customize node configuration for AKS node pools",
- "waf": "Performance"
+ "subcategory": "Virtual Machines",
+ "text": "Utilize Scheduled Events to prepare for VM maintenance",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121",
- "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
- "service": "AKS",
+ "category": "Data",
+ "checklist": "Resiliency Review",
+ "description": "Use Zone-redundant Storage (ZRS) in the primary region for scenarios that require high availability and for restricting replication to a particular country or region. 
For protection against regional disasters, use Geo-zone-redundant Storage (GZRS), which combines ZRS in the primary region with geo-replication to a secondary region?.",
+ "guid": "48c7c891-dcb1-4f7d-9769-ae568ba38d4a",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy",
+ "service": "Azure Storage",
 "services": [
- "AKS"
+ "Storage"
 ],
 "severity": "Medium",
- "subcategory": "Scalability",
- "text": "Use the Horizontal Pod Autoscaler when required",
- "waf": "Performance"
+ "subcategory": "Storage Accounts",
+ "text": "Choose the most appropriate data redundancy option for Azure Storage based on your requirements",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they will increase the blast radius and decrease the scaling granularity",
- "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3",
- "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/",
- "service": "AKS",
+ "category": "Data",
+ "checklist": "Resiliency Review",
+ "description": "Assigning a Delete lock to your storage account helps protect the availability of your data, minimizing the risk of disruptions to your business operations.",
+ "guid": "85e2213d-bd7b-4b01-8f7b-95e06e158e3e",
+ "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource",
+ "service": "Azure Storage",
 "services": [
- "AKS"
+ "Storage"
 ],
- "severity": "High",
- "subcategory": "Scalability",
- "text": "Consider an appropriate node size, not too large or too small",
- "waf": "Performance"
+ "severity": "Low",
+ "subcategory": "Storage Accounts",
+ "text": "Apply a Delete lock to prevent accidental or malicious deletion of storage accounts",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d",
- "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits",
- "service": "AKS",
+ "category": "Data",
+ "checklist": "Resiliency Review",
+ "description": "Container soft delete protects your data from being accidentally deleted by maintaining the deleted data in the system for a specified period of time.",
+ "guid": "a3992c2d-e6e2-4065-a3a7-6af4a691e893",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable",
+ "service": "Azure Storage",
 "services": [
- "AKS"
+ "Storage"
 ],
 "severity": "Low",
- "subcategory": "Scalability",
- "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster",
- "waf": "Performance"
+ "subcategory": "Storage Accounts",
+ "text": "Enable soft delete for Storage Account Containers",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb",
- "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks",
- "service": "AKS",
+ "category": "Data",
+ "checklist": "Resiliency Review",
+ "description": "Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time.",
+ "guid": "9ada4666-7e13-4c10-96b9-153d89f89dc7",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable",
+ "service": "Azure Storage",
 "services": [
- "AKS"
+ "Storage"
 ],
 "severity": "Low",
- "subcategory": "Scalability",
- "text": "Consider subscribing to EventGrid Events for AKS automation",
- "waf": "Performance"
+ "subcategory": "Storage Accounts",
+ "text": "Enable soft delete for blobs",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d",
- "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations",
- "service": "AKS", + "category": "General", + "checklist": "Resiliency Review", + "description": "Azure Backup enhanced soft delete provides critical protection against ransomware attacks by retaining deleted backups, enabling recovery from potential ransomware encryption or deletion.", + "guid": "b44be3b1-a27f-48b9-b91b-e1038df03a82", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about", + "service": "Azure Backup", "services": [ - "AKS" + "Backup" ], - "severity": "Low", - "subcategory": "Scalability", - "text": "For long running operation on an AKS cluster consider event termination", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Backup", + "text": "Enable Azure Backup enhanced soft delete for improved data protection and recovery", + "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", - "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", - "service": "AKS", + "category": "General", + "checklist": "Resiliency Review", + "description": "Azure Backup's multi-user authorization enables fine-grained control over user access to backup resources, allowing you to restrict privileges and ensure proper authentication and authorization for backup operations.", + "guid": "2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae", + "link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept", + "service": "Azure Backup", "services": [ - "AKS" + "Backup" ], "severity": "Low", - "subcategory": "Scalability", - "text": "If required consider using Azure Dedicated Hosts for AKS nodes", - "waf": "Performance" + "subcategory": "Backup", + "text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources", + "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "graph": "where 
type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", - "guid": "24367b33-6971-45b1-952b-eee0b9b588de", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", + "category": "General", + "checklist": "Resiliency Review", + "description": "Azure Immutable Storage provides an additional layer of security by ensuring that backup data stored in the vault cannot be modified or deleted for a specified retention period. This helps safeguard your backups from ransomware attacks that may attempt to compromise or manipulate your backup data.", + "guid": "2cc88147-0607-4c1c-aa0e-614658dd458e", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault", + "service": "Azure Backup", "services": [ - "AKS", - "Storage" + "Storage", + "Backup" ], - "severity": "High", - "subcategory": "Storage", - "text": "Use ephemeral OS disks", - "waf": "Performance" + "severity": "Low", + "subcategory": "Backup", + "text": "Implement Immutable Storage for your vaults to protect against ransomware and prevent unauthorized modifications to backups", + "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "AKS", + "category": "General", + "checklist": "Resiliency Review", + "description": "Clearly define your organization's business continuity and disaster recovery requirements for your Azure environment. 
This includes identifying the critical applications, data, and services that need to be protected, as well as specifying the desired recovery objectives and strategies.", + "guid": "72e52e36-11dd-458c-9a4b-1521e43a58a9", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-business-continuity-disaster-recovery", "services": [ - "AKS", - "Storage" + "ASR" ], "severity": "High", - "subcategory": "Storage", - "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and will generate huge logs with default AKS log rotation thresholds", - "waf": "Performance" + "subcategory": "Design", + "text": "Define business continuity and disaster recovery requirements", + "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", - "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", - "service": "AKS", - "services": [ - "AKS", - "Storage" - ], - "severity": "Low", - "subcategory": "Storage", - "text": "For hyper performance storage option use Ultra Disks on AKS", - "waf": "Performance" + "category": "General", + "checklist": "Resiliency Review", + "description": "Ensure that your Azure architectures are designed with a focus on reliability. 
Consider implementing fault-tolerant mechanisms, redundancy, and resiliency patterns to minimize the impact of failures and maximize the availability of your applications and services.", + "guid": "c2399c4d-7b67-4d0c-9555-62f2b3e4563a", + "link": "https://learn.microsoft.com/azure/architecture/reliability/architect", + "services": [], + "severity": "High", + "subcategory": "Design", + "text": "Implement reliability best practices in Azure architectures", + "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", - "service": "AKS", + "category": "General", + "checklist": "Resiliency Review", + "description": "IaC configurations can play a role in your disaster recovery plan, particularly in situations where recovery time is not time-sensitive. In the event of infrastructure recreation in a second region, IaC can be used to reproduce the necessary infrastructure.", + "guid": "fe237de2-43b1-46c3-8d7a-a9b7570449aa", + "link": "https://learn.microsoft.com/azure/well-architected/devops/automation-infrastructure", "services": [ - "AKS", - "SQL", - "Storage" + "ASR", + "RBAC" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, etc)", - "waf": "Performance" + "subcategory": "DevOps", + "text": "Implement Infrastructure as Code (IaC) for Rapid Infrastructure Recovery", + "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", - "service": "AKS", + "category": "General", + "checklist": "Resiliency Review", + "description": "Azure offers region pairs that are geographically separated and can be used for cross-region replication and disaster recovery. 
These region pairs provide redundancy and protection against regional or large-scale disasters.", + "guid": "dcb1f7d5-769a-4e56-aba3-8d4a85e2213d", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", "services": [ - "AKS", - "Storage" + "ASR" ], "severity": "Medium", - "subcategory": "Storage", - "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance reasons", - "waf": "Performance" + "subcategory": "Multi-region", + "text": "Plan for cross-region recovery by leveraging region pairs", + "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", - "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", - "service": "AKS", + "category": "Network", + "checklist": "Resiliency Review", + "description": "By deploying an Application Gateway with a minimum instance count of two, you will have at least two instances available under normal circumstances. In the event that one of the instances encounters a problem, the other instance will handle the traffic while a new instance is being created. 
This approach significantly reduces the risk of service disruption and ensures a seamless experience for your users.", + "guid": "93c76286-37a5-451c-9b04-e4f1854387e5", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant#autoscaling-and-high-availability", "services": [ - "AKS", - "Storage" + "AppGW" ], "severity": "Medium", - "subcategory": "Storage", - "text": "If using Azure Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right zone or use ZRS disk for nodepools spanning multiple zones", - "waf": "Performance" + "subcategory": "Application Gateways", + "text": "Deploy Application Gateways with a minimum instance count of 2 to avoid instance provisioning downtime", + "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Logic Apps checklist", - "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", - "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", - "service": "Logic Apps", - "services": [], + "category": "Network", + "checklist": "Resiliency Review", + "description": "The v2 SKU offers several advantages and critical new features that enhance the availability and resilience of your application infrastructure. 
One notable feature supported by the v2 SKU is zone redundancy, which allows an Application Gateway deployment to span multiple Availability Zones.", + "guid": "ced126cd-032a-4f5b-8fc6-998a535e3378", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "services": [ + "Storage", + "AppGW" + ], "severity": "High", - "subcategory": "High Availability", - "text": "Select the right Logic App hosting plan based on your business & SLO requirements", + "subcategory": "Application Gateways", + "text": "Deploy Azure Application Gateway v2 for zone redundancy support", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Logic Apps checklist", - "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", - "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "Logic Apps", - "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "Protect logic apps from region failures with zone redundancy and availability zones", + "category": "Network", + "checklist": "Resiliency Review", + "description": "Azure Front Door provides automatic failover capabilities, ensuring continuity in the event of a primary region becoming unavailable. However, during the failover process, there may be a brief period (typically 20-60 seconds) when clients cannot reach the application. It is essential to review the Azure Front Door service level agreement (SLA) to determine whether relying solely on Front Door meets your business requirements for high availability. 
", + "guid": "97e31c67-d68c-4f6a-92a1-194956d697dc", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/app-service-web-app/multi-region#azure-front-door", + "services": [ + "FrontDoor" + ], + "severity": "Low", + "subcategory": "Azure Front Door", + "text": "Consider a redundant traffic management solution in conjunction with Azure Front Door", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Logic Apps checklist", - "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", - "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Logic Apps", - "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "Consider a Cross-Region DR strategy for critical workloads", + "category": "Network", + "checklist": "Resiliency Review", + "description": "By implementing Traffic Manager, you can configure it to continuously monitor the health of your application endpoints and automatically redirect traffic to an alternate endpoint when necessary. 
This automation minimizes downtime and provides a more seamless experience for your users during disaster recovery scenarios.", + "guid": "8df03a82-2cd4-463c-abbc-8ac299ebc92a", + "link": "https://learn.microsoft.com/azure/networking/disaster-recovery-dns-traffic-manager", + "services": [ + "ASR", + "TrafficManager", + "DNS", + "Monitor" + ], + "severity": "Low", + "subcategory": "DNS", + "text": "Plan for automated failover using Traffic Manager for DNS Traffic", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Logic Apps checklist", - "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", - "link": "https://learn.microsoft.com/azure/app-service/environment/intro", - "service": "Logic Apps", + "category": "Network", + "checklist": "Resiliency Review", + "description": "To eliminate a single point of failure in your on-premises DNS services and ensure reliable DNS resolution during business continuity and disaster recovery scenarios, it is recommended to utilize Azure DNS Private Resolvers in multiple regions. 
By deploying two or more Azure DNS private resolvers across different regions, you can enable DNS failover and achieve resiliency in your DNS infrastructure.", + "guid": "43da1dae-2cc8-4814-9060-7c1cca0e6146", + "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover", + "service": "DNS", "services": [ - "AppSvc" + "ASR", + "ACR", + "DNS" ], - "severity": "High", - "subcategory": "High Availability", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "severity": "Low", + "subcategory": "DNS", + "text": "Implement DNS Failover using Azure DNS Private Resolvers", "waf": "Reliability" }, { - "category": "Application Deployment", - "checklist": "Logic Apps checklist", - "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", - "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", - "service": "Logic Apps", - "services": [], + "category": "Network", + "checklist": "Resiliency Review", + "description": "Use an on-premises data gateway cluster to avoid single points of failure and to load balance traffic across gateways.", + "guid": "89f89dc7-b44b-4e3b-8a27-f8b9e91be103", + "link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters", + "service": "Data Gateways", + "services": [ + "ACR" + ], "severity": "Medium", - "subcategory": "CI/CD", - "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", - "waf": "Operations" + "subcategory": "Data Gateways", + "text": "Use on-premises data gateway clusters to ensure high availability for business-critical data", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "When you are creating a SQL Server on Azure VM, carefully consider the type of workload necessary. 
If you are migrating an existing environment, collect a performance baseline to determine your SQL Server on Azure VM requirements. If this is a new VM, then create your new SQL Server VM based on your vendor requirements.", - "guid": "1fc3fc14-eea6-4e69-b8d9-a3eec218e687", - "link": "https://learn.microsoft.com/sql/dma/dma-sku-recommend-sql-db?view=sql-server-ver16", + "category": "Network", + "checklist": "Resiliency Review", + "description": "When using ExpressRoute, it's important to design for high availability by incorporating redundancy in both the partner and customer networks. This can include multiple ExpressRoute circuits, redundant connections from your network to Microsoft, and ensuring your on-premises network equipment has redundant connections.", + "guid": "c0e7c28d-c936-4657-802b-ff4564b0d934", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", "services": [ - "VM", - "SQL" + "ExpressRoute" ], - "severity": "High", - "subcategory": "VM Size", - "text": "Collect the target workload's performance characteristics and use them to determine the appropriate VM size for your business.", - "waf": "Performance" + "severity": "Medium", + "subcategory": "ExpressRoute", + "text": "Ensure redundancy within both the partner network and customer network when utilizing ExpressRoute for high availability", + "waf": "Reliability" + }, + { + "category": "Network", + "checklist": "Resiliency Review", + "description": "The primary circuit should handle regular traffic while the backup circuit stays ready to take over if the primary circuit fails. 
Utilize BGP attributes to influence routing and designate your primary and backup circuits effectively.", + "guid": "a359c373-e7dd-4616-83a3-64a907ebae48", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "services": [ + "ExpressRoute", + "Backup" + ], + "severity": "Medium", + "subcategory": "ExpressRoute", + "text": "When using multiple ExpressRoute circuits ensure that routing allows for a primary and backup", + "waf": "Reliability" + }, + { + "category": "Network", + "checklist": "Resiliency Review", + "description": "S2S VPN connection can provide a cost-effective, resilient backup solution in the event of an ExpressRoute circuit failure. By using S2S VPN as a failover, you can maintain connectivity to your Azure resources without relying solely on ExpressRoute.", + "guid": "ead53cc7-de2e-48aa-ab35-71549ab9153d", + "link": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", + "services": [ + "VPN", + "ExpressRoute", + "Cost", + "Backup" + ], + "severity": "Low", + "subcategory": "ExpressRoute", + "text": "Consider deploying site-to-site VPN as a backup for your ExpressRoute private peering", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "The memory optimized virtual machine sizes are a primary target for SQL Server VMs and the recommended choice by Microsoft. 
The memory optimized virtual machines offer stronger memory-to-CPU ratios and medium-to-large cache options.Consider Ebdsv5-series series first for most SQL Server workloads.", - "guid": "e04abe1f-8d39-4fda-9776-8424c116775c", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-vm-size?view=azuresql#memory-optimized", + "category": "Network", + "checklist": "Resiliency Review", + "description": "Standard Load Balancer SKU offers an SLA of 99.99% and a higher level of service availability compared to the Basic Load Balancer SKU.", + "guid": "778468d5-5a78-45d6-be96-c96ad8844cf3", + "link": "https://learn.microsoft.com/azure/load-balancer/skus", "services": [ - "VM", - "SQL" + "LoadBalancer" ], "severity": "Medium", - "subcategory": "VM Size", - "text": "Use memory optimized virtual machine sizes for the best performance of SQL Server workloads.", - "waf": "Performance" + "subcategory": "Load Balancers", + "text": "Leverage the Standard SKU for Load Balancers that handle traffic to production applications", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "To find the most effective configuration for SQL Server workloads on an Azure VM, start by measuring the storage performance of your business application. Once storage requirements are known, select a virtual machine that supports the necessary IOPS and throughput with the appropriate memory-to-vCore ratio.", - "guid": "2ea55b56-ad48-4408-be72-734b476ba18f", - "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance#counters-to-measure-application-performance-requirements", + "category": "Network", + "checklist": "Resiliency Review", + "description": "By configuring the load balancer with a zone-redundant frontend, it can serve zonal resources in any zone with a single IP address. 
As long as at least one zone remains healthy within the region, the IP address associated with the frontend can survive one or more zone failures. It is recommended to have multiple zonal resources, such as virtual machines from different zones, in the backend pool of the load balancer. ", + "guid": "b2b38c88-6ba2-4c02-8499-114a5d3ce574", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", "services": [ "VM", - "SQL", - "Storage" + "LoadBalancer" ], - "severity": "Medium", - "subcategory": "Storage", - "text": "Determine storage bandwidth and latency requirements for SQL Server data, log, and tempdb files before choosing the disk type.", - "waf": "Performance" + "severity": "Low", + "subcategory": "Load Balancers", + "text": "For load balancers, consider using a zone-redundant frontend with multiple zonal resources in the backend", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "This provides more dedicated disk IOPS and throughput on the disk level and also allows you to configure the Azure disk host caching setting for each disk to the optimal setting for that data type.", - "guid": "dbf590ce-65de-48e0-9f9c-cbd468266abc", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", + "category": "Network", + "checklist": "Resiliency Review", + "description": "When designing health probes for your Azure Load Balancer, it is important to follow best practices to ensure reliable and accurate monitoring of your backend instances.", + "guid": "dccbd979-2a6b-4cca-8b5f-ea1ebf3dd95d", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-custom-probe-overview#design-guidance", "services": [ - "SQL", - "Storage" + "Monitor", + "LoadBalancer" ], - "severity": "High", - "subcategory": "Storage", - "text": "Place data, log, and tempdb files 
on separate drives", - "waf": "Performance" + "severity": "Low", + "subcategory": "Load Balancers", + "text": "Select the right protocol, appropriate intervals and timeouts, representative paths and probe responses when defining Load Balancer Health Probes", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Premium SSD is always recommend as a minimum for SQL Server in order to obtain better performance and lower latency. P30 and P40 are recommended because disk caching is not supported for disks 4 TiB and larger ( P50 and above) and they provide the optimal price to performance ratio", - "guid": "e6a84de5-df43-4d19-a248-1718d5d1e5f6", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", + "category": "Network", + "checklist": "Resiliency Review", + "description": "When choosing the best option for deploying NVAs in Azure, it is crucial to consider the vendor's recommendations and validate that the specific design has been vetted and validated by the NVA vendor. The vendor should also provide the necessary NVA configuration for seamless integration in Azure.", + "guid": "8b1188b3-c6a4-46ce-a544-451e192d3442", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", + "service": "NVA", "services": [ - "SQL", - "Storage" + "NVA" ], "severity": "High", - "subcategory": "Storage", - "text": "For the data drive, use premium P30 and P40 or smaller disks to ensure the availability of cache support", - "waf": "Performance" + "subcategory": "NVAs", + "text": "Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration for High Availability", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Log files have primarily write-heavy operations. 
Therefore, they do not benefit from the ReadOnly cache. Hence evaluate your price vs performance vs capacity and chose the right storage disk.", - "guid": "25659d35-58fd-4772-99c9-31112d027fe4", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", + "category": "Network", + "checklist": "Resiliency Review", + "description": "By deploying VPN Gateways in an active-active mode, you can distribute VPN traffic across multiple gateways, improving reliability and ensuring continuous connectivity in case of failures or maintenance.", + "guid": "927139b8-2110-42db-b6ea-f11e6f843e53", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", "services": [ - "Cost", - "SQL", - "Storage" + "VPN", + "ACR" ], - "severity": "High", - "subcategory": "Storage", - "text": "For the log drive plan for capacity and test performance versus cost while evaluating the premium P30 - P80 disks", - "waf": "Performance" + "severity": "Medium", + "subcategory": "VPN Gateways", + "text": "Deploy Azure VPN Gateways in an active-active mode to ensure high availability and redundancy for your VPN connections.", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Placing TempDB on the D drive can help performance. Consider the size required and always test performance.", - "guid": "12f70983-f630-4472-8ee6-9d6b5c2622f5", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", + "category": "Network", + "checklist": "Resiliency Review", + "description": "Zone-redundant SKUs ensure that your VPN gateways are physically and logically separated within a region, providing resiliency and scalability. 
This deployment configuration safeguards your on-premises network connectivity to Azure from zone-level failures.", + "guid": "f4722d92-8c1b-41cd-921f-54b29b9de39a", + "link": "https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways", "services": [ - "VM", - "SQL", - "Storage" + "VPN" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Place tempdb on the local ephemeral SSD (default D:\\) drive for most SQL Server workloads that are not part of Failover Cluster Instance (FCI) after choosing the optimal VM size.", - "waf": "Performance" + "subcategory": "VPN Gateways", + "text": "Use zone-redundant SKUs when deploying VPN Gateways to enhance resilience and protect against zone-level failures", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Striping Data and Log disk can increase bandwidth. Ensure that VM size also matches expected output", - "guid": "4b69bad3-4aad-45e8-a78e-1d76667313c4", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", - "services": [ - "VM", - "SQL", - "Storage" - ], + "category": "BC and DR", + "checklist": "Container Apps Review", + "guid": "af416482-663c-4ed6-b195-b44c7068e09c", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support", + "service": "Container Apps", + "services": [], "severity": "High", - "subcategory": "Storage", - "text": "Stripe multiple Azure data disks using Storage Spaces to increase I/O bandwidth", - "waf": "Performance" + "subcategory": "High Availability", + "text": "Leverage Availability Zones if regionally applicable", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Your storage caching policy varies depending on the type of SQL Server data files that 
are hosted on the drive.Enable Read-only caching for the disks hosting SQL Server data files.Reads from cache will be faster than the uncached reads from the data disk.Set the caching policy to None for disks hosting the transaction log. There is no performance benefit to enabling caching for the Transaction log disk.", - "guid": "05674b5e-985b-4859-a773-e7e261623b77", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", - "services": [ - "AzurePolicy", - "SQL", - "Storage" - ], + "category": "BC and DR", + "checklist": "Container Apps Review", + "guid": "95bc80ec-6499-4d14-a7d2-7d296b1d8abc", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment", + "service": "Container Apps", + "services": [], "severity": "High", - "subcategory": "Storage", - "text": "Set host caching to read-only for data file disks and none for log file disks.", - "waf": "Performance" + "subcategory": "High Availability", + "text": "Use more than one replica and enable Zone Redundancy.", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Check that you storage is in the same region as your VM. 
For exaplme if your VM is in EAST US 2 ensure your storage is in East US 2.", - "guid": "5a917e1f-348e-4f35-9c27-d42e8bbac868", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", - "services": [ - "VM", - "SQL", - "Storage" - ], + "category": "BC and DR", + "checklist": "Container Apps Review", + "guid": "ccaa4fc2-fdbc-4432-8bb7-f7e6469e4dc3", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", + "service": "Container Apps", + "services": [], "severity": "High", - "subcategory": "Storage", - "text": "Provision the storage account in the same region as the SQL Server VM", - "waf": "Performance" + "subcategory": "High Availability", + "text": "For cross-region DR, deploy container apps in multiple regions and follow active/active or active/passive application guidance.", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "SQL Server uses extents to store data. These are 64KB in size. 
Therefore, on a SQL Server machine, the NTFS allocation unit size for hosting SQL database files should be 64 KB.", - "guid": "155abb91-63e9-4908-ae28-c84c33b6b780", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", + "category": "BC and DR", + "checklist": "Container Apps Review", + "guid": "2ffada86-c031-4933-bf7d-0c45bc4e5919", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", + "service": "Container Apps", "services": [ - "SQL", - "Storage" + "TrafficManager", + "FrontDoor" ], "severity": "High", - "subcategory": "Storage", - "text": "Format your data disk to use 64 KB block size (allocation unit size) for all data files placed on a drive other than the temporary D:\\ drive", - "waf": "Performance" + "subcategory": "High Availability", + "text": "Use Front Door or Traffic Manager to route traffic to the closest region", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "It is recommended that you determine BCDR needs and requirements ensuring that you are able to meet you SLAs of the environment.", - "guid": "8b9fe5c4-2049-4d41-9a92-3c3474d11028", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/business-continuity-high-availability-disaster-recovery-hadr-overview?view=azuresql#azure-only-disaster-recovery-solutions", - "services": [ - "VM", - "SQL" - ], + "category": "Application Deployment", + "checklist": "Azure Spring Apps Review", + "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", + "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", + "service": "Spring Apps", + "services": [], "severity": "Medium", - "subcategory": "HADR", - "text": "Determine HA/DR requirements for each VM to be migrated.", + 
"subcategory": "DevOps", + "text": "Azure Spring Apps permits two deployments for every app, only one of which receives production traffic. You can achieve zero downtime with blue green deployment strategies. Blue green deployment is only available in Standard and Enterprise tiers. You could automate deployment using CI/CD with ADO/GitHub actions", "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "When depoying High Availability you need to use availability sets or availability zones to avoid unexpected outages.", - "guid": "ac6aae01-e6a8-44de-9df4-3d1992481718", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/business-continuity-high-availability-disaster-recovery-hadr-overview?view=azuresql#high-availability-nodes-in-an-availability-set", + "category": "BC and DR", + "checklist": "Azure Spring Apps Review", + "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", + "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", + "service": "Spring Apps", "services": [ - "VM", - "SQL" + "ASR", + "TrafficManager", + "FrontDoor" ], - "severity": "High", - "subcategory": "HADR", - "text": "Place your VMs in an availability set or different availability zones.", + "severity": "Medium", + "subcategory": "Disaster Recovery", + "text": "Azure Spring Apps instances could be created in multiple regions for your applications and traffic could be routed by Traffic Manager/Front Door.", "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Prefered option when deploying an Availability Group. 
The recommended solution is to use multi-subnets when deploying Always on Availability Groups.", - "guid": "d5d1e5f6-2565-49d3-958f-d77249c93111", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/availability-group-azure-portal-configure?view=azuresql&tabs=azure-cli", + "category": "BC and DR", + "checklist": "Azure Spring Apps Review", + "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", + "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", + "service": "Spring Apps", "services": [ - "VM", - "VNet", - "SQL", - "LoadBalancer" + "ACR" ], "severity": "Medium", - "subcategory": "HADR", - "text": "Deploy your SQL Server VMs to multiple subnets whenever possible to avoid the dependency on an Azure Load Balancer or a distributed network name (DNN) to route traffic to your HADR solution. ( If one is implementing FCI or AG)", + "subcategory": "High Availability", + "text": "In supported region, Azure Spring Apps can be deployed as zone redundant, which means that instances are automatically distributed across availability zones. This feature is only available in Standard and Enterprise tiers.", "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "High availability and disaster recovery (HADR) features, such as the Always On availability group and the failover cluster instance rely on underlying Windows Server Failover Cluster technology. 
Review the best practices for modifying your HADR settings to better support the cloud environment.", - "guid": "2d027fe4-12f7-4098-9f63-04722ee69d6b", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql-vm#hadr-configuration", - "services": [ - "ASR", - "SQL" - ], - "severity": "High", - "subcategory": "HADR", - "text": "Change the cluster to less aggressive parameters to avoid unexpected outages from transient network failures or Azure platform maintenance. ( If one is implementing FCI or AG)", + "category": "BC and DR", + "checklist": "Azure Spring Apps Review", + "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", + "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", + "service": "Spring Apps", + "services": [], + "severity": "Medium", + "subcategory": "High Availability", + "text": "Use more than 1 app instance for your apps", "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Ensure that quorum is set correct for the number of instances deployed.", - "guid": "5c2622f5-4b69-4bad-94aa-d5e8c78e1d76", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/hadr-cluster-best-practices?view=azuresql-vm&tabs=windows2012#quorum-voting", + "category": "Operations", + "checklist": "Azure Spring Apps Review", + "guid": "7504c230-6035-4183-95a5-85762acc6075", + "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", + "service": "Spring Apps", "services": [ - "SQL" + "Monitor" ], - "severity": "High", - "subcategory": "HADR", - "text": "Configure cluster quorum voting to use 3 or more odd number of votes. Don't assign votes to DR regions. ( If one is implementing FCI or AG)", + "severity": "Medium", + "subcategory": "Monitoring", + "text": "Monitor Azure Spring Apps with logs, metrics and tracing. 
Integrate ASA with application insights and track failures and create workbooks.", "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "On Azure virtual machines, clusters use a load balancer to hold an IP address that needs to be on one cluster node at a time. In this solution, the load balancer holds the IP address for the virtual network name (VNN) listener for the Always On availability group when the SQL Server VMs are in a single subnet.", - "guid": "667313c4-0567-44b5-b985-b859c773e7e2", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/availability-group-vnn-azure-load-balancer-configure?view=azuresql-vm&tabs=ilb", - "services": [ - "VM", - "VNet", - "SQL", - "LoadBalancer" - ], - "severity": "High", - "subcategory": "HADR", - "text": "When using the virtual network name (VNN) and Azure Load Balancer to connect to your HADR solution, specify MultiSubnetFailover = true in the connection string, even if your cluster only spans one subnet. 
( If one is implementing FCI or AG)", + "category": "Operations", + "checklist": "Azure Spring Apps Review", + "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", + "service": "Spring Apps", + "services": [], + "severity": "Medium", + "subcategory": "Scalability", + "text": "Set up autoscaling in Spring Cloud Gateway", "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "SQL Server, Azure SQL Database, and Azure SQL Managed Instance support row and page compression for rowstore tables and indexes, and support columnstore and columnstore archival compression for columnstore tables and indexes.", - "guid": "61623b77-5a91-47e1-b348-ef354c27d42e", - "link": "https://learn.microsoft.com/sql/relational-databases/data-compression/data-compression?view=sql-server-ver16", - "services": [ - "SQL", - "Storage" - ], + "category": "Operations", + "checklist": "Azure Spring Apps Review", + "guid": "97411607-b6fd-4335-99d1-9885faf4e392", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", + "service": "Spring Apps", + "services": [], "severity": "Low", - "subcategory": "SQL Server", - "text": "Enable database page compression where appropriate.", - "waf": "Performance" + "subcategory": "Scalability", + "text": "Enable autoscale for the apps with Standard consumption & dedicated plan.", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "By default, data and log files are initialized to overwrite any existing data left on the disk from previously deleted files. 
Data and log files are first initialized by zeroing the files (filling with zeros).In SQL Server, for data files only, instant file initialization (IFI) allows for faster execution of the previously mentioned file operations, since it reclaims used disk space without filling that space with zeros. Instead, disk content is overwritten as new data is written to the files.", - "guid": "8bbac868-155a-4bb9-863e-9908ae28c84c", - "link": "https://learn.microsoft.com/sql/relational-databases/databases/database-instant-file-initialization?view=sql-server-ver16", - "services": [ - "SQL", - "Storage" - ], - "severity": "High", - "subcategory": "SQL Server", - "text": "Enable instant file initialization for data files.", - "waf": "Operations" + "category": "Operations", + "checklist": "Azure Spring Apps Review", + "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", + "link": "https://learn.microsoft.com/azure/spring-apps/overview", + "service": "Spring Apps", + "services": [], + "severity": "Medium", + "subcategory": "Support", + "text": "Use Enterprise plan for commercial support of spring boot for mission critical apps. 
With other tiers you get OSS support.", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Recommended for best performance and availability migrate all databases to data and log disks", - "guid": "33b6b780-8b9f-4e5c-9204-9d413a923c34", - "link": "https://learn.microsoft.com/sql/relational-databases/databases/move-database-files?view=sql-server-ver16", - "services": [ - "SQL" - ], - "severity": "Medium", - "subcategory": "SQL Server", - "text": "Move all databases to data disks, including system databases.", - "waf": "Operations" + "category": "BC and DR", + "checklist": "IoT Hub Review", + "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", + "service": "IoT", + "services": [], + "severity": "High", + "subcategory": "High Availability", + "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled)", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", - "guid": "b824546c-e1ae-4e34-93ae-c8239248725d", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql-vm#sql-server-features", - "services": [ - "VM", - "SQL", - "Storage" - ], - "severity": "Low", - "subcategory": "SQL Server", - "text": "Move SQL Server error log and trace file directories to data disks.", - "waf": "Operations" + "category": "BC and DR", + "checklist": "IoT Hub Review", + "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", + "services": [], + "severity": "Medium", + "subcategory": "High Availability", + "text": "Be aware 
of Microsoft-initiated failovers. These are exercised by Microsoft in rare situations to fail over all the IoT hubs from an affected region to the corresponding geo-paired region.", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", - "guid": "d68c5b5c-2925-4394-a69a-9d2799c42bb6", - "link": "https://learn.microsoft.com/sql/database-engine/configure-windows/server-memory-server-configuration-options#use-", - "services": [ - "VM", - "SQL" - ], + "category": "BC and DR", + "checklist": "IoT Hub Review", + "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", + "service": "IoT", + "services": [], "severity": "High", - "subcategory": "SQL Server", - "text": "Set max SQL Server memory limit to leave enough memory for the Operating System.", - "waf": "Performance" + "subcategory": "High Availability", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", - "guid": "8d1d7555-6246-4b43-a563-b4dc74a748b6", - "link": "https://learn.microsoft.com/sql/database-engine/configure-windows/enable-the-lock-pages-in-memory-option-windows", - "services": [ - "VM", - "SQL" - ], + "category": "BC and DR", + "checklist": "IoT Hub Review", + "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", + "services": [], "severity": "High", - "subcategory": "SQL Server", - "text": "Enable lock pages in memory.", - "waf": "Performance" + "subcategory": "High 
Availability", + "text": "Learn how to trigger a manual failover.", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", - "guid": "633ad2a0-916a-4664-a8fa-d0e278ee293c", - "link": "https://learn.microsoft.com/sql/relational-databases/performance/monitoring-performance-by-using-the-query-store", - "services": [ - "VM", - "SQL" - ], - "severity": "Low", - "subcategory": "SQL Server", - "text": "Enable Query Store on all production SQL Server databases following best practices.", - "waf": "Performance" + "category": "BC and DR", + "checklist": "IoT Hub Review", + "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", + "service": "IoT", + "services": [], + "severity": "High", + "subcategory": "High Availability", + "text": "Learn how to fail back after a failover.", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", - "guid": "1bc352ba-aab7-4571-a49a-b8093dc9ec9d", - "link": "https://learn.microsoft.com/sql/relational-databases/databases/tempdb-database#optimizing-tempdb-performance-in-sql-server", + "category": "Operations Management", + "checklist": "DNS Review Checklist", + "guid": "a96b96ad-8840-48f3-9273-4c876ba28021", + "link": "https://learn.microsoft.com/azure/dns/private-dns-resiliency", "services": [ - "VM", - "SQL" - ], - "severity": "High", - "subcategory": "SQL Server", - "text": "Ensure that all tempdb best practices are followed.", - "waf": "Performance" + "VNet", + "DNS" + ], + "severity": "High", + "subcategory": "Azure Private DNS", + "text": "Verify that Zones are linked to Vnets in multiple regions", 
+ "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", - "guid": "1bb73b36-a5a6-47fb-a9ed-5b35478c3479", - "link": "https://docs.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---require-authorization", + "category": "Operations Management", + "checklist": "DNS Review Checklist", + "guid": "45901465-d38e-453f-accb-d969266acca2", + "link": "https://learn.microsoft.com/azure/dns/private-dns-resiliency", "services": [ - "VM", - "SQL" + "DNS" ], "severity": "High", - "subcategory": "SQL Server", - "text": "Schedule SQL Server Agent jobs to run DBCC CHECKDB, index reorganize, index rebuild, and update statistics jobs.", - "waf": "Operations" + "subcategory": "Azure Private DNS", + "text": "If different Zones are used between regions, verify a plan for making sure that Zones are up to date in a DR failover situation", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", - "guid": "816b2863-cffe-41ca-a599-ef0d5a73dd4c", - "link": "https://docs.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---require-authorization", + "category": "Operations Management", + "checklist": "DNS Review Checklist", + "guid": "74faa19b-f39d-495d-94c7-c8919ca1f6d5", + "link": "https://learn.microsoft.com/azure/reliability/reliability-traffic-manager?toc=%2Fazure%2Fdns%2Ftoc.json", "services": [ - "VM", - "SQL" + "ASR", + "TrafficManager", + "DNS" ], "severity": "Medium", - "subcategory": "SQL Server", - "text": "Limit autogrowth of the database and Disable autoshrink", - "waf": "Operations" + "subcategory": "Azure DNS", + "text": "Plan for 
disaster recovery with Azure DNS and Traffic Manager", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Constrained vCPU virtual machines (VMs) are a type of VM where the vCPU count can be constrained to a half or a quarter of the original VM size. This allows customers to reduce the cost of software licensing while maintaining the same memory, storage, and I/O bandwidth", - "guid": "e36c1c81-770a-4fbc-9c0d-43918648d285", - "link": "https://learn.microsoft.com/azure/virtual-machines/constrained-vcpu", + "category": "Operations Management", + "checklist": "DNS Review Checklist", + "guid": "315ae524-ba34-4d45-a5e1-2139bd7bb012", + "link": "https://learn.microsoft.com/azure/dns/private-resolver-reliability#availability-zones", "services": [ - "VM", - "SQL", - "Cost", - "Storage" + "DNS" ], - "severity": "Low", - "subcategory": "Cost Optimization", - "text": "Optimize SQL Server License cost with Constrained vCPU VM's", - "training": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview", - "waf": "Cost" + "severity": "Medium", + "subcategory": "Azure DNS Resolver", + "text": "Enable availability zones with Private Resolver", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Azure Hybrid Benefit allows you to exchange your existing licenses for discounted rates on Azure SQL Database and Azure SQL Managed Instance. 
Y", - "guid": "7ed67178-b824-4546-ae1a-ee3453aec823", - "link": "https://azure.microsoft.com/en-ca/pricing/hybrid-benefit/", + "category": "Operations Management", + "checklist": "DNS Review Checklist", + "guid": "f7b95e06-e154-4e2a-a359-2828e6e20517", + "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover", "services": [ - "Cost", - "SQL" + "ASR", + "DNS" ], - "severity": "Low", - "subcategory": "Cost Optimization", - "text": "Leverage Azure Hybrid benefit to maximize the value of your on premises licenses in the cloud", - "waf": "Cost" + "severity": "Medium", + "subcategory": "Azure DNS Resolver", + "text": "Plan for failover with Private Resolvers in a Disaster Recovery", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "The SQL Server IaaS Agent extension (SqlIaasExtension) runs on SQL Server on Azure Windows Virtual Machines (VMs) to automate management and administration tasks.", - "guid": "9248725d-d68c-45b5-a292-5394a69a9d27", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/sql-agent-extension-automatic-registration-all-vms?view=azuresql-vm&tabs=azure-cli", + "category": "Operations Management", + "checklist": "DNS Review Checklist", + "guid": "2676ae46-691e-4883-9ad9-42223e138105", + "link": "https://learn.microsoft.com/azure/reliability/reliability-virtual-machines?toc=%2Fazure%2Fvirtual-machines%2Ftoc.json&bc=%2Fazure%2Fvirtual-machines%2Fbreadcrumb%2Ftoc.json&tabs=graph", "services": [ - "VM", - "SQL" + "DNS", + "VM" ], "severity": "Medium", - "subcategory": "Azure", - "text": "Register with the SQL IaaS Agent Extension to unlock a number of feature benefits.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Operations" + "subcategory": "VM Based DNS Service", + "text": "Follow VM Guidance for resillency of VM", + "waf": "Reliability" }, { - "category": 
"SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Accelerated Networking provides consistent ultra-low network latency via Azure's in-house programmable hardware and technologies", - "guid": "99c42bb6-8d1d-4755-9624-6b438563b4dc", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", + "category": "Operations Management", + "checklist": "DNS Review Checklist", + "guid": "23081a94-1741-4583-9ff7-ad7c6d373316", + "link": "https://www.windows-active-directory.com/azure-ad-dns-for-custom-domain-names-with-advanced-dns-settings.html", "services": [ - "VM", - "SQL" + "Entra", + "DNS", + "VM" ], - "severity": "High", - "subcategory": "Azure", - "text": "Ensure Accelerated Networking is enabled on the virtual machine.", - "waf": "Operations" + "severity": "Medium", + "subcategory": "VM Based DNS Service", + "text": "IF AD based DNS, follow the Identity -> Windows Server AD path", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Microsoft Defender detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases on the SQL server.", - "guid": "74a748b6-633a-4d2a-8916-a66498fad0e2", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/secure-score-security-controls", - "services": [ - "Defender", - "VM", - "SQL" - ], - "severity": "High", - "subcategory": "Azure", - "text": "Leverage Microsoft Defender for Cloud to improve the overall security posture of your virtual machine deployment.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Security" + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "1fc2fc14-eea6-4e69-b8d9-a3edc218e687", + "link": "https://polite-sea-0995b240f.2.azurestaticapps.net/technical-delivery-playbook/azure-services/analytics/purview/", 
+ "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Best Practices", + "text": "Leverage FTA Resillency Handbook", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "There are some PaaS limitations that are introduced in SQL Managed Instance and some behavior changes compared to SQL Server. It is important to review and understand these differences.", - "guid": "78ee293c-1bc3-452b-aaab-7571849ab809", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/transact-sql-tsql-differences-sql-server?view=azuresql", + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "ab067acb-49e5-4b96-8332-4ecf8cc13318", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", "services": [ - "EventHubs", - "SQL" + "ASR" ], "severity": "High", - "subcategory": "Pre Migration", - "text": "Review the major differences between SQL Server and Managed Instance", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Operations" + "subcategory": "Disaster Recovery", + "text": "Plan for Data Center level outage", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "SQL Managed Instance has characteristics and resource limits that depend on the underlying infrastructure and architecture. It is important to review these limits.", - "guid": "3dc9ec9d-1bb7-43b3-9a5a-67fba9ed5b35", - "link": "https://docs.microsoft.com/azure/azure-sql/managed-instance/resource-limits", + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "description": "1. Create the new account 2. Migrate configuration items 3. Run scans 4. Migrate custom typedefs and custom assets 5. Migrate relationships 6. Migrate glossary terms 7. 
Assign classifications to assets 8. Assign contacts to assets", + "guid": "da611702-69f4-4fb4-aa3d-3ef7f3176c4b", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", "services": [ - "SQL" + "ASR" ], - "severity": "High", - "subcategory": "Pre Migration", - "text": "Review capacity limits for SQL MI", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Disaster Recovery", + "text": "Practice Failover for BCDR", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "The instance settings between managed instance and your source SQL Server can be different . It is important to review those differences that can impact performance.", - "guid": "8bc178bd-c5a0-46ca-9144-351e19dd3442", - "link": "https://medium.com/azure-sqldb-managed-instance/compare-environment-settings-on-sql-server-and-azure-sql-that-may-impact-performance-e90c21fa9b08", + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "97b15b8a-219a-44ab-bb57-879024d22678", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", "services": [ - "SQL" + "Backup" ], "severity": "High", - "subcategory": "Pre Migration", - "text": "Compare instance settings on SQL Server and Azure SQL MI that may impact performance", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "Performance" + "subcategory": "Backup and Restore ", + "text": "Plan a backup strategy and take regular backups", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "Assess on-premises SQL Server instance(s) migrating to Azure SQL Managed Instance. 
The assessment workflow helps you to detect issues that block the migration itself and also partially supported and unsupported features", - "guid": "9eb72281-37a1-451c-9bb4-e4f1814287d5", - "link": "https://docs.microsoft.com/azure/dms/ads-sku-recommend", + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "6d20b56c-56a9-4581-89bf-8d8e5c586b7d", + "link": "https://learn.microsoft.com/purview/manage-kafka-dotnet", + "service": "Purview", "services": [ - "SQL" + "EventHubs" ], - "severity": "High", - "subcategory": "Pre Migration", - "text": "Run Data Migration assistant or Azure Data Studio Migration Extension to detect compatibility issues that can impact database functionality on Managed Instance", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Operations" + "severity": "Low", + "subcategory": "Purview Accounts Replications", + "text": "Use Microsoft Purview's Event Hubs to subscribe and create entities to another account", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "The SKU recommendation feature can evaluate the source SQL Server performance and utilization characteristics to recommend a right-sized Azure SQL Managed Instance to assist with your migration journey.", - "guid": "ca8c26c9-b32a-4b5b-afc6-898a135e3378", - "link": "https://learn.microsoft.com/azure/dms/ads-sku-recommend", - "services": [ - "SQL" - ], - "severity": "High", - "subcategory": "Pre Migration", - "text": "Select the right compute resources for your workload by leveraging the SKU recommendation tools.", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Performance" + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "8cdc15ac-c075-4ee9-a130-a8889579e76b", + "link": 
"https://learn.microsoft.com/purview/deployment-best-practices", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data catalog", + "text": "Follow Purview accounts architectures and deployment best practices", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "Review Unsupported Features, Migration Blockers and Breaking Changes for each database from the Assessment", - "guid": "97e31c67-d68c-4b69-82ac-19f906d697c8", - "link": "https://learn.microsoft.com/azure/dms/ads-sku-recommend", - "services": [ - "SQL" - ], - "severity": "High", - "subcategory": "Pre Migration", - "text": "Review and address the issues highlighted in DMA/Azure Data Studio", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Operations" + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "896e710a-7da7-4be9-a56d-14d3c49d997c", + "link": "https://learn.microsoft.com/purview/concept-best-practices-collections", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data catalog", + "text": "Follow Collection Architectures and best practices", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "The SQL Managed Instance default DNS zone .database.windows.net can be changed with your own. 
However, the managed instance hostname part of its FQDN should remain the same.", - "guid": "eaded26b-dd18-46f0-ac25-1b999a68af87", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/frequently-asked-questions-faq?view=azuresql-mi#can-a-managed-instance-have-the-same-name-as-a-sql-server-on-premises-instance", - "services": [ - "SQL", - "DNS" - ], - "severity": "High", - "subcategory": "Pre Migration", - "text": "Plan for connection string changes as changing a managed instance name is not supported", - "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", - "waf": "Operations" + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "b3d1325a-a225-4c6f-9e06-85edddea8a4b", + "link": "https://learn.microsoft.com/purview/concept-best-practices-asset-lifecycle", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data catalog", + "text": "Follow Assest lifecycle best practices", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "There are addional requirements in configuring a vnet and subnet hosting the managed instance.", - "guid": "c9a7f821-b8eb-48c0-aa77-e25e4d5aeaa8", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/vnet-existing-add-subnet?view=azuresql-mi", - "services": [ - "VNet", - "SQL" - ], + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "7cdeb3c6-1fc2-4fc1-9eea-6e69d8d9a3ed", + "link": "https://learn.microsoft.com/purview/concept-best-practices-automation", + "service": "Purview", + "services": [], "severity": "Medium", - "subcategory": "Pre Migration", - "text": "Review managed instance VNet requirements", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", - "waf": "Operations" + "subcategory": "Data catalog", + "text": "Follow automation best 
practices", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "Though it's possible to deploy managed instances to a subnet with a number of IP addresses that's less than the output of the subnet formula, always consider using bigger subnets instead. Using a bigger subnet can help avoid future issues stemming from a lack of IP addresses, such as the inability to create additional instances within the subnet or scale existing instances.", - "guid": "dc4e2436-bb33-46d7-85f1-7960eee0b9b5", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/vnet-subnet-determine-size?view=azuresql-mi", + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "c218e687-ab06-47ac-a49e-5b9603324ecf", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", "services": [ - "VNet", - "SQL" + "Backup" ], - "severity": "High", - "subcategory": "Deployment", - "text": "Ensure managed instance subnet has sufficient IP addresses available", - "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Data catalog", + "text": "Follow Backup and Migration Best practices", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "SQL Managed Instance has characteristics and resource limits that depend on the underlying infrastructure and architecture. 
SQL Managed Instance can be deployed on multiple hardware configurations.", - "guid": "c8defc4d-721d-431d-850f-b707ae9eab40", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/resource-limits?view=azuresql-mi#service-tier-characteristics", + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "8cc13318-da61-4170-869f-4fb4aa3d3ef7", + "link": "https://learn.microsoft.com/purview/concept-best-practices-glossary", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data catalog", + "text": "Follow Purview Glossary Best Practices", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "f3176c4b-97b1-45b8-a219-a4abeb578790", + "link": "https://learn.microsoft.com/purview/concept-workflow", + "service": "Purview", + "services": [], + "severity": "Low", + "subcategory": "Data catalog", + "text": "Leverage Workflows ", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "24d22678-6d20-4b56-a56a-958119bf8d8e", + "link": "https://learn.microsoft.com/purview/concept-best-practices-security", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data catalog", + "text": "Follow Purview Security Best Practices", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "5c586b7d-8cdc-415a-ac07-5ee9b130a888", + "link": "https://learn.microsoft.com/purview/concept-best-practices-lineage-azure-data-factory", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data Map", + "text": "Follow Purview Data Lineage Best Practices", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": 
"9579e76b-896e-4710-a7da-7be9956d14d3", + "link": "https://learn.microsoft.com/purview/concept-best-practices-scanning", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data Map", + "text": "Follow Best Practices for Scanning Registered Sources", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "c49d997c-b3d1-4325-aa22-5c6f4e0685ed", + "link": "https://learn.microsoft.com/purview/concept-best-practices-classification", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data Map", + "text": "Follow Classification Best Practices in Governance Portal", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "ddea8a4b-7cde-4b3c-91fc-2fc14eea6e69", + "link": "https://learn.microsoft.com/purview/sensitivity-labels-frequently-asked-questions", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data Map", + "text": "Perform Sensitivity Labelling in the Purview Data Map", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "d8d9a3ed-c218-4e68-9ab0-67acb49e5b96", + "link": "https://learn.microsoft.com/purview/concept-data-share", + "service": "Purview", "services": [ - "SQL" + "Storage" ], - "severity": "High", - "subcategory": "Pre Migration", - "text": "Plan between General Purpose and Business Critical tiers of MI", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", - "waf": "Performance" + "severity": "Low", + "subcategory": "Data Sharing", + "text": "Leverage Azure Storage in-place data sharing with Microsoft Purview", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": 
"03324ecf-8cc1-4331-ada6-1170269f4fb4", + "link": "https://learn.microsoft.com/purview/concept-insights", + "service": "Purview", + "services": [], + "severity": "Low", + "subcategory": "Data Estate", + "text": "Leverage Data Estate Insights", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "aa3d3ef7-f317-46c4-a97b-15b8a219a4ab", + "link": "https://learn.microsoft.com/purview/catalog-adoption-insights", + "service": "Purview", + "services": [], + "severity": "Low", + "subcategory": "Data Estate", + "text": "Use Data stewardship and Catalog adoption", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "eb578790-24d2-4267-a6d2-0b56c56a9581", + "link": "https://learn.microsoft.com/purview/concept-insights", + "service": "Purview", + "services": [], + "severity": "Low", + "subcategory": "Data Estate", + "text": "Use Inventory and Ownership", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "19bf8d8e-5c58-46b7-b8cd-c15acc075ee9", + "link": "https://learn.microsoft.com/purview/glossary-insights", + "service": "Purview", + "services": [], + "severity": "Low", + "subcategory": "Data Estate", + "text": "Leverage Insights for Glossary, Classifications, Sensitivity Labels", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "b130a888-9579-4e76-a896-e710a7da7be9", + "link": "https://learn.microsoft.com/purview/compliance-manager", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data Quality ", + "text": "Generate assessment scores", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "The auto-failover groups feature allows you to manage the 
replication and failover of user databases in a managed instance to a managed instance in another Azure region. Auto-failover groups are designed to simplify deployment and management of geo-replicated databases at scale.", - "guid": "ed329079-8bc1-478b-bc5a-06ca7144351e", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/auto-failover-group-sql-mi?view=azuresql-mi&tabs=azure-powershell", - "services": [ - "SQL" - ], - "severity": "High", - "subcategory": "Pre Migration", - "text": "Based on your RPO/RTO's , determine if Auto failover Group needs to be implemented. If so, plan for the deployment attributes of the second instance.", - "training": "https://learn.microsoft.com/learn/paths/implement-windows-server-iaas-virtual-machine-identity/", + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "956d14d3-c49d-4997-ab3d-1325aa225c6f", + "link": "https://learn.microsoft.com/purview/compliance-manager-scoring", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data Quality ", + "text": "Profiling- get summaries of data content", "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "There are multiple ways to connect your application to the managed instance. 
Review and understand the pros and cons and decide on the best approach for your application.", - "guid": "5d226886-d30b-466c-97be-595190f83845", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/connect-application-instance?view=azuresql-mi", + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "4e0685ed-ddea-48a4-a7cd-eb3c61fc2fc1", + "link": "https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts", + "service": "Purview", "services": [ - "SQL" + "AzurePolicy" ], "severity": "Low", - "subcategory": "Pre Migration", - "text": "Review the Connectivity Design between Database and Application, test & validate it", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "Operations" + "subcategory": "Data Policy", + "text": "Follow Microsoft Purview Data Owner access policies", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "Compare migration options to choose the path that's appropriate to your business needs.", - "guid": "c586cb29-1ec1-46a1-b076-ef9f141acdce", - "link": "https://learn.microsoft.com/azure/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-overview?view=azuresql-mi#migration-tools", + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "4eea6e69-d8d9-4a3e-bc21-8e687ab067ac", + "link": "https://learn.microsoft.com/purview/concept-self-service-data-access-policy", + "service": "Purview", "services": [ - "SQL" + "AzurePolicy" ], - "severity": "Medium", - "subcategory": "Pre Migration", - "text": "Plan for the Migration Method. 
Depending on the DB Size and Application downtime window, select the preferred Migration Method.", - "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", - "waf": "Operations" + "severity": "Low", + "subcategory": "Data Policy", + "text": "Follow Self-service access policies", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "After you verify that data is the same on both source and target, you can cut over from the source to the target environment. It's important to plan the cutover process with business / application teams to ensure minimal interruption during cutover doesn't affect business continuity.", - "guid": "579377bc-db37-451a-a2ac-1fad66e15d4d", - "link": "https://learn.microsoft.com/azure/dms/tutorial-sql-server-managed-instance-online#performing-migration-cutover", + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "b49e5b96-0332-44ec-b8cc-13318da61170", + "link": "https://learn.microsoft.com/purview/concept-policies-devops", + "service": "Purview", "services": [ - "SQL" + "AzurePolicy" ], - "severity": "Medium", - "subcategory": "Pre Migration", - "text": "Plan the cutover process with business / application teams to ensure minimal interruption during cutover and it does not affect business continuity.", - "training": "https://learn.microsoft.com/azure/architecture/example-scenario/identity/adds-extend-domain", + "severity": "Low", + "subcategory": "Data Policy", + "text": "Follow DevOps policies", "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "A time zone of a managed instance can be set during instance creation only. 
The default time zone is UTC", - "guid": "4a2adb1c-3d23-426a-b225-ca44e1695fdd", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/timezones-overview?view=azuresql#set-a-time-zone", - "services": [ - "SQL" - ], + "category": "Operations Management", + "checklist": "DataBricks Review Checklist", + "guid": "65285269-440c-44be-9d3e-0844276d4bdc", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foudations-playbooks-ADB_v1.docx", + "services": [], "severity": "High", - "subcategory": "Deployment", - "text": "Ensure you customize your time zone setting at the instance creation time. One cannot change it later.", - "training": "https://learn.microsoft.com/azure/role-based-access-control/overview", - "waf": "Operations" + "subcategory": "Best Practices", + "text": "Reference Databricks HA/DR playbook", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "Server-level collation in Azure SQL Managed Instance can be specified when the instance is created and cannot be changed later.Default server-level collation is SQL_Latin1_General_CP1_CI_AS.", - "guid": "deace4cb-1deb-44c6-90c3-fc14eebb3693", - "link": "https://learn.microsoft.com/sql/relational-databases/collations/set-or-change-the-server-collation?view=sql-server-ver16", + "category": "Operations Management", + "checklist": "DataBricks Review Checklist", + "guid": "89d558b9-37d3-4974-b111-2dbd7aaf12e6", + "link": "https://learn.microsoft.com/azure/databricks/security/secrets/secret-scopes", "services": [ - "SQL" + "Backup" ], - "severity": "High", - "subcategory": "Deployment", - "text": "Ensure you select the right collation setting at the instance creation time. 
One cannot change it later", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Backup", + "text": "Backup Your Workspace Configuration including ARM templates and Secret Scopes", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "When you're migrating a database protected by Transparent Data Encryption (TDE) to Azure SQL Managed Instance using the native restore option, the corresponding certificate from the SQL Server instance needs to be migrated before database restore.", - "guid": "829e3eec-2183-4687-a007-7a2b5945bda4", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/tde-certificate-migrate?view=azuresql-mi&tabs=azure-powershell", + "category": "Operations Management", + "checklist": "DataBricks Review Checklist", + "guid": "b94ee5ef-47d2-4d92-a81b-1cd6d1f54b29", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/sharing-metadata-across-different-databricks-workspaces-using/ba-p/3679757", "services": [ - "VM", - "SQL" + "ACR", + "Backup" ], "severity": "Medium", - "subcategory": "Deployment", - "text": "For TDE Enabled Database, corresponding certificate from the on-premises or Azure VM SQL Server needs to be migrated before database restore", - "waf": "Operations" + "subcategory": "Backup", + "text": "Share MetaData Across different Databricks Workspaces using Hive External Metastore", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "System databases can be restored only from backups that are created on the version of SQL Server that the server instance is currently running. 
This is not the case when you are migrating to SQL Managed Instance.Azure PowerShell and DBATools PowerShell libraries enable you to easily script and automate and customize all parts of the migration process.", - "guid": "3334fdf9-1c23-4418-8b65-275269440b4b", - "link": "https://learn.microsoft.com/azure/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-guide?view=azuresql-mi#backup-and-restore", + "category": "Operations Management", + "checklist": "DataBricks Review Checklist", + "guid": "769e3969-0e78-428a-a936-657d03b0f466", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/disaster-recovery-strategy-in-azure-databricks-using-the-hive/ba-p/3684581", "services": [ - "Backup", - "SQL" + "ASR", + "Backup" ], - "severity": "Low", - "subcategory": "Migration", - "text": "Restore of system databases is not supported. To migrate instance-level objects (stored in master or msdb databases), we recommend to script them out and run T-SQL scripts on the destination instance.", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Backup", + "text": "Plan Disaster Recovery Strategy in Databricks using the Hive External Metastore", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "When using migration options that continuously replicate / sync data changes from source to the target, the source data and schema can change and drift from the target. 
During data sync, ensure that all changes on the source are captured and applied to the target during the migration process.", - "guid": "e3d3e084-3276-4d4b-bc01-5bcf219e4a1e", + "category": "Operations Management", + "checklist": "DataBricks Review Checklist", + "guid": "4b1d944a-3598-437e-b79d-6c6d3a364a5b", + "link": "https://www.databricks.com/blog/2021/04/20/attack-of-the-delta-clones-against-disaster-recovery-availability-complexity.html", "services": [ - "SQL" + "Backup" ], - "severity": "High", - "subcategory": "Migration", - "text": "Ensure that all changes on the source are captured and applied to the target during the migration process.", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Backup", + "text": "Backup your data with deep and shallow clones", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "Ensure that the application is able to succesffuly connect to the managed instance post migration of the databases.", - "guid": "b5887952-5d22-4688-9d30-b66c57be5951", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/connect-application-instance?view=azuresql-mi", + "category": "Operations Management", + "checklist": "DataBricks Review Checklist", + "description": "Download the blob using Secondary Endpoint in RAGRS Storage Account", + "guid": "7abae48a-bd54-4cd7-ae2e-86768357c559", + "link": "https://techcommunity.microsoft.com/t5/azure-paas-blog/download-the-blob-using-secondary-endpoint-in-ragrs-storage/ba-p/2403750", "services": [ - "SQL" + "Storage", + "Backup" ], "severity": "Medium", - "subcategory": "Migration", - "text": "Test Application Connectivity to MI and Databases", - "waf": "Operations" + "subcategory": "Backup", + "text": "Backup your data to Azure Storage RA-GRS", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "High availability is a fundamental part of 
SQL Managed Instance platform that works transparently for your database applications. Failovers from primary to secondary nodes in case of node degradation or fault detection, or during regular monthly software updates are an expected occurrence for all applications using SQL Managed Instance in Azure.", - "guid": "90f83845-c586-4cb2-a1ec-16a1d076ef9f", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/user-initiated-failover?view=azuresql", + "category": "Operations Management", + "checklist": "DataBricks Review Checklist", + "guid": "675c5ee8-5b85-49c7-944c-e3b1a28b875a", + "link": "https://learn.microsoft.com/azure/databricks/dev-tools/index-ci-cd", "services": [ - "SQL" + "Backup" ], "severity": "High", - "subcategory": "Post Migration", - "text": "Consider executing a manual failover on SQL Managed Instance to test for fault and failover resiliency.", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "subcategory": "Backup", + "text": "Backup your code with DevOps", "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "Ensuring that your applications are failover resilient prior to deploying to production will help mitigate the risk of application faults in production and will contribute to application availability for your customers.", - "guid": "141acdce-5793-477b-adb3-751ab2ac1fad", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/auto-failover-group-configure-sql-mi?view=azuresql&tabs=azure-portal#test-failover", + "category": "Operations Management", + "checklist": "DataBricks Review Checklist", + "guid": "a1bf1038-9f03-4a4d-8ce4-63dbbbc8682a", + "link": "https://learn.microsoft.com/azure/databricks/administration-guide/disaster-recovery", "services": [ - "EventHubs", - "SQL", - "LoadBalancer" + "ASR" ], "severity": "High", - "subcategory": "Post Migration", - "text": "If failover groups have been 
implemented, Test Manual Failover and Failback and test application connectivity behavior during failover/failback", + "subcategory": "Disaster Recovery", + "text": "Plan for Disaster recovery using Active/Active or Active/Passive Configuration", "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "This provides more dedicated disk IOPS and throughput", - "guid": "aa359272-8e6e-4205-8726-76ae46691e88", - "link": "https://techcommunity.microsoft.com/t5/azure-sql-blog/storage-performance-best-practices-and-considerations-for-azure/ba-p/305525", + "category": "Operations Management", + "checklist": "DataBricks Review Checklist", + "description": "Migration package to log all Databricks resources for backup and/or migrating to another Databricks workspace", + "guid": "5abc92a4-eda1-4dae-8cc8-5c47c6b781cc", + "link": "https://github.com/databrickslabs/migrate", "services": [ - "SQL", - "Storage" + "Backup" ], - "severity": "High", - "subcategory": "Post Migration", - "text": "Optimize Storage Performance for General Purpose Managed Instance", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Migration", + "text": "Use Databricks Migration tools", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "Many organizations have policies that require that certificates or encryption keys be created and managed internally. If your organization has a similar policy, this architecture might apply to you. 
If your customers require internal management of these items, the architecture also might apply to you.", - "guid": "35ad9422-23e1-4381-8523-081a94174158", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/data/sql-managed-instance-cmk", - "services": [ - "Backup", - "SQL", - "AzurePolicy", - "AKV" - ], + "category": "Operations Management", + "checklist": "DataBricks Review Checklist", + "guid": "a0e6c465-89d5-458b-a37d-3974d1112dbd", + "link": "https://github.com/databrickslabs/databricks-sync", + "services": [], "severity": "Low", - "subcategory": "Post Migration", - "text": "Enable Customer managed TDE for taking your own copy only full backups", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "Security" + "subcategory": "Migration", + "text": "Use Databricks Sync", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "The maintenance window feature provides you with the ability to onboard Azure SQL resource to prescheduled time blocks outside of business hours.", - "guid": "33ef7ad7-c6d3-4733-865c-7acbe44bbe60", - "link": "https://learn.microsoft.com/azure/azure-sql/database/planned-maintenance?view=azuresql", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Disable image export to prevent data exfiltration. 
Note that this will prevent image import of images into another ACR instance.", + "guid": "ab91932c-9fc9-4d1b-a880-37f5e6bfcb9e", + "link": "https://learn.microsoft.com/azure/container-registry/data-loss-prevention", + "service": "ACR", "services": [ - "SQL" + "ACR" ], - "severity": "Medium", - "subcategory": "Post Migration", - "text": "Plan for Azure maintenance events", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Operations" + "severity": "High", + "subcategory": "Data Protection", + "text": "Disable Azure Container Registry image export", + "waf": "Security" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "By using the long-term retention (LTR) feature, you can store specified SQL Database and SQL Managed Instance full backups in Azure Blob storage with configured redundancy for up to 10 years.", - "guid": "9d89f2e8-7778-4424-b516-785c6fa96b96", - "link": "https://learn.microsoft.com/azure/azure-sql/database/long-term-retention-overview?view=azuresql-mi", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Enable audit compliance visibility by enabling Azure Policy for Azure Container Registry", + "guid": "d503547c-d447-4e82-9128-a7100f1cac6d", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy", + "service": "ACR", "services": [ - "Backup", - "ARS", - "SQL", - "Storage" + "ACR", + "AzurePolicy" ], - "severity": "Low", - "subcategory": "Post Migration", - "text": "Configure Long Term backup retention, view backups and restore from backups", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", - "waf": "Reliability" + "severity": "High", + "subcategory": "Data Protection", + "text": "Enable Azure Policies for Azure Container Registry", + "waf": "Security" }, { - "category": "SQL Managed Instance", - "checklist": 
"SQL Migration Review", - "description": "By using Azure Hybrid Benefit, you can achieve cost savings, modernise and maintain a flexible hybrid environment while optimising business applications.", - "guid": "ad88408f-3727-434c-a76b-a28021459014", - "link": "https://azure.microsoft.com/en-gb/pricing/hybrid-benefit/#overview", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "The Azure Key Vault (AKV) is used to store a signing key that can be utilized by?notation?with the notation AKV plugin (azure-kv) to sign and verify container images and other artifacts. The Azure Container Registry (ACR) allows you to attach these signatures using the?az?or?oras?CLI commands.", + "guid": "d345293c-7639-4637-a551-c5c04e401955", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push", + "service": "ACR", "services": [ - "Cost", - "SQL" + "ACR", + "AKV" ], - "severity": "Low", - "subcategory": "Post Migration", - "text": "Take advantage of Azure Hybrid Benefit and Azure Reservations where applicable.", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "Cost" + "severity": "High", + "subcategory": "Data Protection", + "text": "Sign and Verify containers with notation (Notary v2)", + "waf": "Security" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "If you don't have threat protection Advanced Threat Protection is part of the Microsoft Defender for SQL offering, which is a unified package for advanced SQL security capabilities.", - "guid": "65d38e53-f9cc-4bd8-9926-6acca274faa1", - "link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-overview?view=azuresql", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Azure Container Registry automatically encrypts images and other artifacts that you store. 
By default, Azure automatically encrypts the registry content at rest by using service-managed keys. By using a customer-managed key, you can supplement default encryption with an additional encryption layer.", + "guid": "0bd05dc2-efd5-4d76-8d41-d2500cc47b49", + "link": "https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys", + "service": "ACR", "services": [ - "Defender", - "SQL" + "ACR", + "AKV" ], "severity": "Medium", - "subcategory": "Post Migration", - "text": "Leverage Microsoft Defender for Cloud to improve the overall security posture", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "subcategory": "Data Protection", + "text": "Encrypt registry with a customer managed key", "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure Function Review", - "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", - "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "Select the right Function hosting plan based on your business & SLO requirements", - "waf": "Reliability" - }, - { - "category": "BC and DR", - "checklist": "Azure Function Review", - "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", - "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "Leverage Availability Zones where regionally applicable (not available for Consumption tier)", - "waf": "Reliability" - }, - { - "category": "BC and DR", - "checklist": "Azure Function Review", - "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", - 
"service": "Azure Functions", - "services": [], - "severity": "Medium", - "subcategory": "High Availability", - "text": "Consider a Cross-Region DR strategy for critical workloads", - "waf": "Reliability" - }, - { - "category": "BC and DR", - "checklist": "Azure Function Review", - "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Azure Functions", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Use managed identities to secure ACRPull/Push RBAC access from client applications", + "guid": "8f42d78e-79dc-47b3-9bd2-a1a27e7a8e90", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", + "service": "ACR", "services": [ - "AppSvc" + "RBAC", + "Entra", + "ACR" ], "severity": "High", - "subcategory": "High Availability", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", - "waf": "Reliability" + "subcategory": "Identity and Access Control", + "text": "Use Managed Identities to connect instead of Service Principals", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure Function Review", - "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "Azure Functions", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "The local Administrator account is disabled by default and should not be enabled. 
Use either Token or RBAC-based access methods instead", + "guid": "be0e38ce-e297-411b-b363-caaab79b198d", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", + "service": "ACR", "services": [ - "AppSvc" + "RBAC", + "Entra", + "ACR" ], "severity": "High", - "subcategory": "High Availability", - "text": "Ensure 'Always On' is enabled for all Function Apps running on App Service Plan", - "waf": "Reliability" + "subcategory": "Identity and Access Control", + "text": "Disable local authentication for management plane access", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure Function Review", - "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", - "service": "Azure Functions", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Disable Administrator account and assign RBAC roles to principals for ACR Pull/Push operations", + "guid": "387e5ced-126c-4d13-8af5-b20c6998a646", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli", + "service": "ACR", "services": [ - "Storage" + "RBAC", + "Entra", + "ACR" ], - "severity": "Medium", - "subcategory": "High Availability", - "text": "Pair a Function App to its own storage account. 
Try not to re-use storage accounts for Function Apps unless they are tightly coupled", - "waf": "Reliability" - }, - { - "category": "Application Deployment", - "checklist": "Azure Function Review", - "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "Azure Functions", - "services": [], - "severity": "Medium", - "subcategory": "CI/CD", - "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Function App code", - "waf": "Operations" + "severity": "High", + "subcategory": "Identity and Access Control", + "text": "Assign AcrPull & AcrPush RBAC roles rather than granting Administrative access to identity principals", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Stack HCI Review", - "guid": "9f519499-5820-4060-88fe-cab4538c9dd0", - "link": "https://learn.microsoft.com/windows-server/storage/storage-spaces/storage-spaces-direct-hardware-requirements", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Disable anonymous pull/push access", + "guid": "e338997e-41c7-47d7-acf6-a62a1194956d", + "link": "https://learn.microsoft.com/azure/container-registry/anonymous-pull-access#configure-anonymous-pull-access", + "service": "ACR", "services": [ - "Storage" + "Entra", + "ACR" ], "severity": "Medium", - "subcategory": "Physical", - "text": "All planned storage pools should use direct-attached storage (SATA, SAS, NVMe)", - "waf": "Performance" + "subcategory": "Identity and Access Control", + "text": "Disable Anonymous pull access", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Stack HCI Review", - "guid": "f7c015e0-7d97-4283-b006-567afeb2b5ca", - "link": "https://learn.microsoft.com/azure-stack/hci/concepts/drive-symmetry-considerations#understand-capacity-imbalance", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + 
"description": "Token authentication doesn't support assignment to an AAD principal. Any tokens provided are able to be used by anyone who can access the token", + "guid": "698dc3a2-fd27-4b2e-8870-1a1252beedf6", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication?tabs=azure-cli", + "service": "ACR", "services": [ - "Storage", + "Entra", "ACR" ], - "severity": "Medium", - "subcategory": "Physical", - "text": "Disks are symmetrical across all nodes", - "waf": "Performance" + "severity": "High", + "subcategory": "Identity and Access Control", + "text": "Disable repository-scoped access tokens", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Stack HCI Review", - "guid": "f785b143-2c1e-4466-9baa-dde8ba4c7aaa", - "link": "https://learn.microsoft.com/azure-stack/hci/concepts/fault-tolerance#parity", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Deploy container images to an ACR behind a Private endpoint within a trusted network", + "guid": "b3bec3d4-f343-47c1-936d-b55f27a71eee", + "service": "ACR", "services": [ - "Backup", - "Storage" + "EventHubs", + "Entra", + "ACR", + "PrivateLink" ], - "severity": "Medium", - "subcategory": "S2D", - "text": "Parity type disk redundancy should only be used for low I/O volumes (backup/archive)", - "waf": "Performance" + "severity": "High", + "subcategory": "Identity and Access Control", + "text": "Deploy images from a trusted environment", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Stack HCI Review", - "guid": "8a705965-9840-43cc-93b3-06d089406bb4", - "link": "https://learn.microsoft.com/windows-server/storage/storage-spaces/storage-spaces-direct-hardware-requirements#physical-deployments", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Only tokens with an ACR audience can be used for authentication. 
Used when enabling Conditional access policies for ACR", + "guid": "3a041fd3-2947-498b-8288-b3c6a56ceb54", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy", + "service": "ACR", "services": [ - "Storage" + "Entra", + "ACR", + "AzurePolicy" ], "severity": "Medium", - "subcategory": "S2D", - "text": "Ensure there at least 2 capacity disks with available capacity in the Storage Pool", - "waf": "Reliability" + "subcategory": "Identity and Access Control", + "text": "Disable Azure ARM audience tokens for authentication", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Stack HCI Review", - "guid": "2a4f629a-d623-4610-a8e3-d6fd66057d8e", - "link": "https://learn.microsoft.com/windows-server/storage/storage-spaces/delimit-volume-allocation", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Set up a diagnostic setting to send 'repositoryEvents' & 'LoginEvents' to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the ACR resource itself.", + "guid": "8a488cde-c486-42bc-9bd2-1be77f26e5e6", + "link": "https://learn.microsoft.com/azure/container-registry/monitor-service", + "service": "ACR", "services": [ - "Storage" + "Entra", + "ACR", + "Monitor" ], - "severity": "Low", - "subcategory": "S2D", - "text": "'Delimited allocation' has been considered to improve volume resiliency in a multi-node failure", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Logging and Monitoring", + "text": "Enable diagnostics logging", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Stack HCI Review", - "guid": "960eb9be-1f0f-4fc1-9b31-fcf1cf9e34e6", - "link": "https://learn.microsoft.com/azure-stack/hci/concepts/plan-volumes#choosing-how-many-volumes-to-create", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch", + "guid": "21d41d25-00b7-407a-b9ea-b40fd3290798", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link", + "service": "ACR", "services": [ - "Storage" + "VNet", + "ACR", + "PrivateLink", + "Firewall" ], "severity": "Medium", - "subcategory": "S2D", - "text": "CSVs are created in multiples of node count", - "waf": "Performance" + "subcategory": "Network Security", + "text": "Control inbound network access with Private Link", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Stack HCI Review", - "guid": "859ba2b9-a3a8-4ca1-bb61-165effbf1c03", - "link": "https://learn.microsoft.com/azure-stack/hci/concepts/cache", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Disable public network access if inbound network access is secured using Private 
Link", + "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks#disable-public-network-access", + "service": "ACR", "services": [ - "Storage" + "ACR", + "PrivateLink" ], "severity": "Medium", - "subcategory": "S2D", - "text": "If a cache tier is implemented, the number of capacity drives is a multiple of the number of cache drives", - "waf": "Performance" + "subcategory": "Network Security", + "text": "Disable Public Network access", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Stack HCI Review", - "guid": "d8a65f05-db06-461d-81dc-7899ad3f8f1e", - "link": "https://learn.microsoft.com/azure-stack/hci/concepts/plan-volumes#reserve-capacity", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Only the ACR Premium SKU supports Private Link access", + "guid": "fc833934-8b26-42d6-ac5f-512925498f6d", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-skus", + "service": "ACR", "services": [ - "Storage" + "ACR", + "PrivateLink" ], "severity": "Medium", - "subcategory": "S2D", - "text": "A minimum of 1 type of each disk type per node has been factored as a reserve disk", - "waf": "Reliability" + "subcategory": "Network Security", + "text": "Use an Azure Container Registry SKU that supports Private Link (Premium SKU)", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Stack HCI Review", - "description": "VMFleet is a tool that can be used to measure the performance of a storage subsystem, best used to baseline performance prior to workload deployment", - "guid": "9d138f1d-5363-476e-bbd7-acfa500bdc0c", - "link": "https://github.com/microsoft/diskspd/wiki/VMFleet", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Azure Defender for containers or equivalent service should be used to scan 
container images for vulnerabilities", + "guid": "bad37dac-43bc-46ce-8d7a-a9b24604489a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction", + "service": "ACR", "services": [ - "Storage" + "ACR", + "Defender" ], "severity": "Low", - "subcategory": "S2D", - "text": "VMFleet has been run prior to workload deployment to baseline storage performance", - "waf": "Performance" + "subcategory": "Network Security", + "text": "Enable Defender for Containers to scan Azure Container Registry for vulnerabilities", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Stack HCI Review", - "guid": "13c12e2a-c938-4dd1-9223-507d5e17f9c5", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.", + "guid": "4451e1a2-d345-4293-a763-9637a551c5c0", + "service": "ACR", "services": [ - "Storage" + "ACR" ], "severity": "Medium", - "subcategory": "Host OS", - "text": "OS drives use a dedicated storage controller", - "waf": "Reliability" + "subcategory": "Vulnerability Management", + "text": "Deploy validated container images", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Stack HCI Review", - "guid": "a631e7dc-8879-45bd-b0a7-e5927b805428", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/use-csv-cache", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.", + "guid": "4e401955-387e-45ce-b126-cd132af5b20c", + "service": "ACR", "services": [ - "Storage" + "ACR" ], - "severity": "Medium", - "subcategory": "Host OS", - "text": "CSV in-memory read caching is enabled and properly configured", - "waf": "Performance" + "severity": "High", + "subcategory": "Vulnerability Management", + "text": "Use 
up-to-date platforms, languages, protocols and frameworks", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "c062cd9a-f1db-4f83-aab3-9cb03f56c140", - "link": "https://learn.microsoft.com/azure-stack/hci/concepts/host-network-requirements#switch-embedded-teaming-set", + "category": "Operations Management", + "checklist": "PostgreSQL Review Checklist", + "guid": "65285269-441c-44bf-9d3e-0844276d4bdc", + "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview", + "service": "PostgreSQL", "services": [ - "ACR" + "SQL" ], "severity": "Medium", - "subcategory": "Host", - "text": "NICs are symmetrical across nodes", + "subcategory": "Best Practices", + "text": "Leverage Flexible Server", "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "ea8054db-a558-4533-80c8-5d9cf447ba19", + "category": "Operations Management", + "checklist": "PostgreSQL Review Checklist", + "guid": "016ccf31-ae5a-41eb-9888-9535e227896d", + "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview#architecture-and-high-availability", + "service": "PostgreSQL", "services": [ - "Storage" + "SQL" ], "severity": "High", - "subcategory": "Host", - "text": "Storage networking is redundant", + "subcategory": "Best Practices", + "text": "Leverage Availability Zones where regionally applicable", "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "15d976c5-e267-49a1-8b00-62010bfa5188", - "link": "https://learn.microsoft.com/azure-stack/hci/deploy/network-atc", - "services": [], + "category": "Operations Management", + "checklist": "PostgreSQL Review Checklist", + "guid": "31b67c67-be59-4519-8083-845d587cb391", + "link": "https://learn.microsoft.com/azure/postgresql/single-server/concepts-business-continuity#cross-region-read-replicas", + "service": "PostgreSQL", + "services": [ + "SQL" + ], "severity": 
"Medium", - "subcategory": "Host", - "text": "Host networking configuration is managed by Network ATC and intents are healthy", - "waf": "Reliability" - }, - { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "676c53ad-b29a-4de1-9d03-d7d2674405b8", - "link": "https://learn.microsoft.com/azure-stack/hci/concepts/network-hud-overview", - "services": [], - "severity": "Low", - "subcategory": "Host", - "text": "Network HUD has been configured", + "subcategory": "Best Practices", + "text": "Leverage cross-region read replicas for BCDR", "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "8f6d58d9-6c1a-4ec1-b2d7-b2c6ba8f3949", - "link": "https://learn.microsoft.com/azure-stack/hci/concepts/host-network-requirements", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Apply guidance from the Microsoft cloud security benchmark related to Storage", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Azure Storage", "services": [ - "VNet", "Storage" ], "severity": "Medium", - "subcategory": "Host", - "text": "Storage NICs are assigned static IP addresses on separate subnets and VLANs", - "waf": "Reliability" + "subcategory": " Overview", + "text": "Consider the 'Azure security baseline for storage'", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "824e53ec-953e-40c2-a6b8-52970b5b0f74", - "link": "https://learn.microsoft.com/azure-stack/hci/plan/two-node-switched-converged", - "services": [], - "severity": "Medium", - "subcategory": "Host", - "text": "For switchless designs, dual link full mesh connectivity has been implemented", - "waf": "Reliability" + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Azure Storage by default has a public IP 
address and is Internet-reachable. Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Azure Storage", + "services": [ + "Storage", + "PrivateLink" + ], + "severity": "High", + "subcategory": "Networking", + "text": "Consider using private endpoints for Azure Storage", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "dbc85d0e-0ebd-4589-a789-0fa8ceb1d0f0", - "link": "https://learn.microsoft.com/azure-stack/hci/concepts/physical-network-requirements#using-switchless", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. are all enabled. 
Ensure that there are no old storage accounts with classic deployment model in a subscription", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Azure Storage", "services": [ - "Storage" + "Storage", + "RBAC", + "Subscriptions" ], "severity": "Medium", - "subcategory": "Host", - "text": "If the cluster is made up of more than 3 nodes, a switched storage network has been implemented", - "waf": "Reliability" + "subcategory": "Governance", + "text": "Ensure older storage accounts are not using 'classic deployment model'", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "603c6d71-59d2-419c-a312-8edc6e799c6a", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Azure Storage", "services": [ - "Storage" + "Storage", + "Defender" ], "severity": "High", - "subcategory": "Host", - "text": "RDMA is enabled on the Storage networking", - "waf": "Performance" - }, - { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "9e260eae-bca1-4827-a259-76ee63fda8d6", - "link": "https://github.com/microsoft/SDN/blob/master/Diagnostics/Test-Rdma.ps1", - "services": [], - "severity": "Medium", - "subcategory": "Host", - "text": "Test-RDMA.ps1 has been run to validate the RDMA configuration", - "waf": "Performance" + "subcategory": "Governance", + "text": "Enable Microsoft Defender for all of your storage accounts", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "description": "This ensures that Management traffic is not exposed 
to the VM traffic", - "guid": "abc85d0e-0ebd-4589-a777-0fa8ceb1d0f0", - "link": "", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "The soft-delete mechanism allows to recover accidentally deleted blobs.", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Azure Storage", "services": [ - "VM" + "Storage" ], "severity": "Medium", - "subcategory": "Host", - "text": "If a VMSwitch is shared for Compute and Management traffic, require that Management traffic is tagged with a VLAN ID", + "subcategory": "Data Availability", + "text": "Enable 'soft delete' for blobs", "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "description": "This ensures you have at least 3 NCs active at all times during NC upgrades.", - "guid": "eb36f5f4-0fa7-4a2c-85f3-1b1c7c7817c0", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. 
", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", "services": [ - "VM" + "Storage" ], "severity": "Medium", - "subcategory": "SDN", - "text": "There are at least 3 Network Controller VMs deployed", - "waf": "Reliability" + "subcategory": "Confidentiality", + "text": "Disable 'soft delete' for blobs", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "8bc78c85-6028-4a43-af2d-082a0a344909", - "link": "https://learn.microsoft.com/windows-server/networking/sdn/manage/update-backup-restore", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Azure Storage", "services": [ - "Backup" + "Storage" ], "severity": "High", - "subcategory": "SDN", - "text": "Backups of SDN infrastructure are configured and tested", - "waf": "Operations" + "subcategory": "Data Availability", + "text": "Enable 'soft delete' for containers", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "Azure Stack HCI Review", - "guid": "51eaa4b6-b9a7-43e1-a7dc-634d3107bc6d", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. 
", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", "services": [ - "Monitor" + "Storage" ], "severity": "Medium", - "subcategory": "Cluster", - "text": "SCOM Managed Instance has been considered for more complex monitoring and alerting scenarios", - "waf": "Operations" + "subcategory": "Confidentiality", + "text": "Disable 'soft delete' for containers", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "Azure Stack HCI Review", - "guid": "831f5aca-99ef-41e7-8263-9509f5093b43", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/setup-hci-system-alerts", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", "services": [ - "Monitor" + "Storage" ], "severity": "High", - "subcategory": "Cluster", - "text": "Alerts have been configured for the cluster, either using Azure Monitor, SCOM, or a third-party solution", - "waf": "Operations" + "subcategory": "Data Availability", + "text": "Enable resource locks on storage accounts", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "Azure Stack HCI Review", - "guid": "f95d0e7e-9f61-476d-bf65-59f2454d1d39", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/monitor-hci-single?tabs=22h2-and-later", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Consider 'legal hold' or 'time-based retention' policies for blobs, so that is is impossible to delete the blob, the container, or the storage account. 
Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Azure Storage", "services": [ - "Monitor" + "Storage", + "Subscriptions", + "AzurePolicy" ], - "severity": "Medium", - "subcategory": "Cluster", - "text": "Insights has been enabled at the cluster level and all nodes are reporting data", - "waf": "Operations" + "severity": "High", + "subcategory": "Data Availability, Compliance", + "text": "Consider immutable blobs", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "Azure Stack HCI Review", - "guid": "f4250fcb-ff53-40c9-b304-3560464fd90c", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/monitor-hci-single?tabs=22h2-and-later", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. ", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Azure Storage", "services": [ - "Monitor" + "Storage" ], - "severity": "Medium", - "subcategory": "Cluster", - "text": "Azure Monitoring Agent has been deployed to hosts and an appropriate Data Collection Rule has been configured", - "waf": "Operations" + "severity": "High", + "subcategory": "Networking", + "text": "Require HTTPS, i.e. 
disable port 80 on the storage account", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "Azure Stack HCI Review", - "guid": "6143af1d-0d1a-4163-b1c9-662f7459bb98", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Azure Storage", "services": [ - "Monitor" + "Storage" ], - "severity": "Medium", - "subcategory": "Hardware", - "text": "Relevant hardware monitoring has been configured", - "waf": "Operations" + "severity": "High", + "subcategory": "Networking", + "text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "Azure Stack HCI Review", - "guid": "9cbdf225-549a-41cf-9c97-794766a6f2b0", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/health-service-overview", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": "Azure Storage", "services": [ - "Monitor" + "Storage" ], "severity": "Medium", - "subcategory": "Hardware", - "text": "Relevant hardware alerting has been configured", - "waf": "Operations" - }, - { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "c0da5bbd-0f0d-4a26-98ec-38c9cc42b323", - "services": [ - "VM" - ], - "severity": "Low", - "subcategory": "VM Management - 
Resource Bridge", - "text": "The Azure CLI has been installed on every node to enable RB management from WAC", - "waf": "Operations" + "subcategory": "Networking", + "text": "Limit shared access signature (SAS) tokens to HTTPS connections only", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "a8ecf23c-c048-4fa9-b87b-51ebfb409863", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "AAD tokens should be favored over shared access signatures, wherever possible", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Azure Storage", "services": [ - "VM" + "Storage", + "Entra" ], - "severity": "Low", - "subcategory": "VM Management - Resource Bridge", - "text": "DHCP is available in the cluster to support Guest Configuration at VM deployment from Azure", - "waf": "Operations" + "severity": "High", + "subcategory": "Identity and Access Management", + "text": "Use Azure Active Directory (Azure AD) tokens for blob access", + "waf": "Security" }, { - "category": "Backup and Disaster Recovery", - "checklist": "Azure Stack HCI Review", - "guid": "074541e3-fe08-458a-8062-32d13dcc10c6", - "link": "https://learn.microsoft.com/azure/backup/back-up-azure-stack-hyperconverged-infrastructure-virtual-machines", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. 
Limiting access to resources helps prevent both unintentional and malicious misuse of your data.", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Azure Storage", "services": [ - "Backup", - "VM", - "ASR" + "Storage", + "Entra", + "RBAC" ], - "severity": "High", - "subcategory": "VM", - "text": "Backups of HCI VMs have been configured using MABS or a third-party solution", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Identity and Access Management", + "text": "Least privilege in IaM permissions", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "48f7ae57-1035-4101-8a38-fbe163d03e8a", - "services": [], + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. 
", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Azure Storage", + "services": [ + "Storage", + "Entra" + ], "severity": "High", - "subcategory": "Cluster Configuration", - "text": "Cluster configuration or a configuration script has been documented and maintained", - "waf": "Operations" + "subcategory": "Identity and Access Management", + "text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "f2a6a19a-ffe6-444d-badb-cb336c8e7b50", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/witness", - "services": [], + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Storage account keys ('shared keys') have very little audit capabilities. While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on AAD authentication makes it easier to tie storage access to a user. 
", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Azure Storage", + "services": [ + "Storage", + "Entra", + "Monitor", + "AKV" + ], "severity": "High", - "subcategory": "Cluster Configuration", - "text": "A cluster witness has been configured for clusters with less than 5 nodes", - "waf": "Reliability" - }, - { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "a47339fe-62c5-44a0-bb83-3d46ef16292f", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/update-cluster", - "services": [], - "severity": "Medium", - "subcategory": "Cluster Configuration", - "text": "Cluster-Aware Updating has been configured for Windows and hardware updates (if available)", - "waf": "Operations" + "subcategory": "Identity and Access Management", + "text": "Consider disabling storage account keys, so that only AAD access (and user delegation SAS) is supported.", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "7f1d6fe8-3079-44ea-8ea6-14494d1aa470", - "link": "https://learn.microsoft.com/azure-stack/hci/deploy/validate", - "services": [], + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. 
storage account keys, access policies, etc.).", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Azure Storage", + "services": [ + "Storage", + "Monitor", + "AKV", + "AzurePolicy" + ], "severity": "High", - "subcategory": "Cluster Configuration", - "text": "Cluster validation has been run against the configured cluster", - "waf": "Reliability" + "subcategory": "Monitoring", + "text": "Consider using Azure Monitor to audit control plane operations on the storage account", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "81693af0-5638-4aa2-a153-1d6189df30a7", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/azure-benefits", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. 
The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Azure Storage", "services": [ - "VM" + "Storage", + "Entra", + "AKV", + "AzurePolicy" ], "severity": "Medium", - "subcategory": "Cluster Configuration", - "text": "Azure Benefits has been enabled at the cluster and VM levels", - "waf": "Cost" - }, - { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "8c967ee8-8170-4537-a28d-33431cd3632a", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/use-environment-checker", - "services": [], - "severity": "Medium", - "subcategory": "Cluster Configuration", - "text": "The Environment Checker module has been run to validate the environment", - "waf": "Reliability" + "subcategory": "Identity and Access Management", + "text": "When using storage account keys, consider enabling a 'key expiration policy'", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "43ffbfab-766e-4950-a102-78b479136e4d", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/azure-benefits", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. 
When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Azure Storage", "services": [ + "Storage", + "Entra", "AzurePolicy" ], "severity": "Medium", - "subcategory": "Cluster Configuration", - "text": "Group Policy inheritance on the HCI cluster and node Active Directory organizational unit has been blocked or applied policies have been evaluated for compatibility issues (usually WinRM and PowerShell execution policy)", - "waf": "Operations" + "subcategory": "Identity and Access Management", + "text": "Consider configuring an SAS expiration policy", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "e6a3f3a7-4a7d-49e2-985a-6e39dd284027", - "services": [], + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. 
", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Azure Storage", + "services": [ + "Storage", + "Entra", + "AKV", + "AzurePolicy" + ], "severity": "Medium", - "subcategory": "Cluster Configuration", - "text": "WAC is on the latest release and configured to automatically upgrade extensions", - "waf": "Reliability" + "subcategory": "Identity and Access Management", + "text": "Consider linking SAS to a stored access policy", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "d1caa31f-cc26-42b2-b92f-2b667c0e6020", - "link": "https://learn.microsoft.com/azure/architecture/hybrid/azure-stack-hci-dr", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Azure Storage", "services": [ - "Entra" + "Storage", + "AKV" ], "severity": "Medium", - "subcategory": "Stretch Clustering", - "text": "There is sub 5ms latency between each site if synchronous replication is being configured AAD", - "waf": "Performance" + "subcategory": "CI/CD", + "text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "3277558e-3155-4088-b49a-78594cb4ce1a", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Ideally, your application should be using a managed identity to authenticate to Azure Storage. 
If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Azure Storage", "services": [ - "VNet", - "Storage" + "Storage", + "Entra" ], "severity": "High", - "subcategory": "Stretch Clustering", - "text": "Management, Replication and Storage networks excluded from stretched VLANs configurations, are routed, and in different subnets", - "waf": "Reliability" + "subcategory": "Identity and Access Management", + "text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "baed6066-8531-44ba-bd94-38cbabbf4099", - "services": [], + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. 
Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", + "services": [ + "Storage", + "Entra", + "AzurePolicy" + ], "severity": "High", - "subcategory": "Stretch Clustering", - "text": "There is a plan detailed for site failure and recovery", - "waf": "Operations" + "subcategory": "Identity and Access Management", + "text": "Strive for short validity periods for ad-hoc SAS", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "8e62945f-b9ac-4a5c-a4e4-836f527010b4", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "When creating a SAS, be as specific and restrictive as possible. Prefer a SAS for a single resource and operation over a SAS which gives much broader access.", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "services": [ - "ACR" + "Storage", + "Entra" ], "severity": "Medium", - "subcategory": "Stretch Clustering", - "text": "Separate vLANs and networks are used for each replication network across both sites", - "waf": "Reliability" + "subcategory": "Identity and Access Management", + "text": "Apply a narrow scope to a SAS", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "8e62945f-b9ac-4a5c-a4e4-836f527010b5", - "link": "https://learn.microsoft.com/azure/architecture/hybrid/azure-stack-hci-dr#cost-optimization", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to 
request a resource using the SAS. ", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Azure Storage", "services": [ - "Storage" + "Storage", + "Entra" ], - "severity": "High", - "subcategory": "Stretch Clustering", - "text": "Use either a cloud witness or a file share witness in a third site for cluster quorum for clusters with less than 5 nodes", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Identity and Access Management", + "text": "Consider scoping SAS to a specific client IP address, wherever possible", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "8e62945f-b9ac-4a5c-a4e4-836f527010b6", - "link": "https://learn.microsoft.com/azure/architecture/hybrid/azure-stack-hci-dr#cost-optimization", - "services": [], - "severity": "High", - "subcategory": "Stretch Clustering", - "text": "When using data deduplication, only enable it on the primary/source volumes", - "waf": "Reliability" + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously large contents.", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Azure Storage", + "services": [ + "Storage", + "Entra" + ], + "severity": "Low", + "subcategory": "Identity and Access Management", + "text": "Consider checking uploaded data, after clients used a SAS to upload a file. 
", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "ac527887-f6f4-40a3-b883-e04d704f013b", - "link": "https://learn.microsoft.com/windows-server/storage/storage-replica/stretch-cluster-replication-using-shared-storage#provision-operating-system-features-roles-storage-and-network", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive than SFTP access. Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Azure Storage", "services": [ - "Storage" + "Storage", + "Entra", + "RBAC" ], "severity": "High", - "subcategory": "Stretch Clustering", - "text": "Storage backing log volumes must be faster (ideally) or at least as fast as capacity storage", - "waf": "Reliability" + "subcategory": "Identity and Access Management", + "text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.", + "waf": "Security" }, { - "category": "Backup and Disaster Recovery", - "checklist": "Azure Stack HCI Review", - "guid": "8ea49f70-1038-4283-b0c4-230165d3eabc", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/azure-site-recovery", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Azure Storage", "services": [ - "ASR", - "Backup" + "Storage", + "Entra" ], "severity": "Medium", - 
"subcategory": "Disaster Recovery", - "text": "Azure Site Recovery has been considered for DR purposes", - "waf": "Operations" + "subcategory": "Identity and Access Management", + "text": "SFTP: The SFTP endpoint does not support POSIX-like ACLs.", + "waf": "Security" }, { "category": "Security", - "checklist": "Azure Stack HCI Review", - "guid": "03e65fdc-2628-4a1a-ba2e-a5174340ba52", - "link": "https://learn.microsoft.com/windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker", - "services": [], - "severity": "Medium", - "subcategory": "Host", - "text": "BitLocker has been enabled on CSVs for volume encryption, where appropriate", + "checklist": "Azure Storage Review Checklist", + "description": "Storage supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. When enabling CORS, keep the CorsRules to the least privilege.", + "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Azure Storage", + "services": [ + "Storage", + "AzurePolicy" + ], + "severity": "High", + "subcategory": "Networking", + "text": "Avoid overly broad CORS policies", "waf": "Security" }, { "category": "Security", - "checklist": "Azure Stack HCI Review", - "guid": "9645d2e6-ba28-453c-b6d5-d9ef29fc34be", - "link": "https://learn.microsoft.com/windows-server/storage/file-server/smb-security", - "services": [], - "severity": "Medium", - "subcategory": "Host", - "text": "SMB encryption has been enabled, where appropriate", + "checklist": "Azure Storage Review Checklist", + "description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. 
Server-side encryption might happen using a platform-managed key (default) or customer-managed key. Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. thus not relying on Azure Storage at all for confidentiality guarantees.", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Azure Storage", + "services": [ + "Storage" + ], + "severity": "High", + "subcategory": "Confidentiality and Encryption", + "text": "Determine how data at rest should be encrypted. Understand the thread model for data.", "waf": "Security" }, { "category": "Security", - "checklist": "Azure Stack HCI Review", - "guid": "8f03437a-5068-4486-9a78-0402ce771298", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server", + "checklist": "Azure Storage Review Checklist", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Azure Storage", "services": [ - "Defender" + "Storage" ], "severity": "Medium", - "subcategory": "Host", - "text": "Microsoft Defender Antivirus has been enabled on all nodes", + "subcategory": "Confidentiality and Encryption", + "text": "Determine which/if platform encryption should be used.", "waf": "Security" }, { "category": "Security", - "checklist": "Azure Stack HCI Review", - "guid": "dba6b211-fc02-43b3-b7c8-f163c188332e", - "link": "https://learn.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage", - "services": [], + "checklist": "Azure Storage Review Checklist", + "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": 
"https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Azure Storage", + "services": [ + "Storage" + ], "severity": "Medium", - "subcategory": "Host", - "text": "Credential Guard has been configured, where appropriate", + "subcategory": "Confidentiality and Encryption", + "text": "Determine which/if client-side encryption should be used.", "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Recovery Services Vault Checklist", - "guid": "cb7da8cf-aa62-4a15-a495-6da97dc3a242", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-plan-capacity-vmware", - "services": [], + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Leverage Resource Graph Explorer (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) to find storage accounts which allow anonymous blob access.", + "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Azure Storage", + "services": [ + "Storage", + "Entra" + ], "severity": "High", - "subcategory": "Replication", - "text": "Capacity planning is required to make sure you have sufficient bandwidth for replication and an estimated number of CPU cores & disk types that will be needed in Azure for failover", - "waf": "Reliability" + "subcategory": "Identity and Access Management", + "text": "Consider whether public blob access is needed, or whether it can be disabled for certain storage accounts. 
", + "waf": "Security" }, { "category": "Operations Management", - "checklist": "Recovery Services Vault Checklist", - "guid": "67b23587-05a1-4652-aded-fa8a488cdec4", - "link": "https://learn.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-policy", + "checklist": "Azure Storage Review Checklist", + "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal", + "service": "Azure Storage", "services": [ - "ASR", - "VM", - "AzurePolicy" + "Storage" ], "severity": "High", - "subcategory": "Replication", - "text": "Use Azure Policy to ensure that all critical Azure VMs are protected with ASR", + "subcategory": "Platform Version", + "text": "Leverage a storagev2 account type for better performance and reliability", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Recovery Services Vault Checklist", - "guid": "862bc3bc-14be-4b7f-96e8-d9b3bec228e7", - "link": "https://learn.microsoft.com/azure/site-recovery/recovery-plan-overview", + "category": "BC and DR", + "checklist": "Azure Storage Review Checklist", + "guid": "e05bbe20-9d49-4fda-9777-8424d116785c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Azure Storage", "services": [ - "VM" + "Storage" ], - "severity": "Medium", - "subcategory": "Replication", - "text": "Define recovery plans to automate the failover sequence for VMs. 
You can also include automation scripts to reduce manual steps and improve recovery time", + "severity": "High", + "subcategory": "Availablity", + "text": "Leverage GRS, ZRS or GZRS storage for the highest availability", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Recovery Services Vault Checklist", - "guid": "437b1736-db55-4f67-a613-334bd09dc234", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-how-to-manage?tabs=recovery-services-vault", - "services": [], + "category": "BC and DR", + "checklist": "Azure Storage Review Checklist", + "guid": "2fa56c56-ad48-4408-be72-734c486ba280", + "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", + "service": "Azure Storage", + "services": [ + "Storage" + ], "severity": "Medium", - "subcategory": "Data Protection", - "text": "Enable and LOCK immutability for vaults. This ensures recovery points cannot be deleted before their intended expiry", + "subcategory": "Failover", + "text": "For write operation after failover, use customer-Managed Failover ", "waf": "Reliability" }, { "category": "Operations Management", - "checklist": "Recovery Services Vault Checklist", - "guid": "19db6128-1265-404b-a47a-493a08042729", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about", - "services": [], + "checklist": "Azure Storage Review Checklist", + "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", + "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", + "service": "Azure Storage", + "services": [ + "Storage" + ], "severity": "Medium", - "subcategory": "Data Protection", - "text": "Enable 'Always-on soft delete' for vaults protecting critical workloads", + "subcategory": "Failover", + "text": "Understand Microsoft-Managed Failover details", "waf": "Reliability" }, { "category": "Operations Management", - "checklist": "Recovery 
Services Vault Checklist", - "guid": "4798b158-8b31-4aa5-9ceb-54445135a227", - "link": "https://learn.microsoft.com/azure/backup/backup-create-recovery-services-vault#set-storage-redundancy", + "checklist": "Azure Storage Review Checklist", + "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", + "service": "Azure Storage", "services": [ "Storage" ], "severity": "Medium", - "subcategory": "Redudancy", - "text": "When creating Recovery Service Vaults choose the best storage redundancy option for your requirements. Vaults support local, geo and zone redundancy but this setting cannot be changed once the vault is protecting one or more resources", + "subcategory": "Data Protection", + "text": "Enable Soft Delete", "waf": "Reliability" } ], "metadata": { "name": "Master checklist", - "timestamp": "June 17, 2024" + "timestamp": "June 24, 2024" }, "severities": [ { diff --git a/checklists/security_checklist.en.json b/checklists/security_checklist.en.json index c208015d0..a50f04989 100644 --- a/checklists/security_checklist.en.json +++ b/checklists/security_checklist.en.json 
@@ -1,1669 +1,1669 @@
-{
- "items": [
- {
- "category": "Defender For Cloud",
- "subcategory": "Pricing & Settings",
- "text": "Security Center/Defender enable in all subscriptions",
- "waf": "Security",
- "guid": "54174158-33fb-43ae-9c2d-e743165c3acb",
- "id": "A01.01",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started"
- },
- {
- "category": "Defender For Cloud",
- "subcategory": "Pricing & Settings",
- "text": "Security Center/Defender enabled on all Log Analytics workspaces",
- "waf": "Security",
- "guid": "349f0364-d28d-442e-abbb-c868255abc91",
- "id": "A01.02",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/security-center/enable-azure-defender"
- },
- {
- "category": "Defender For Cloud",
- "subcategory": "Pricing & Settings",
- "text": "Data collection set to 'Common'",
- "waf": "Security",
- "guid": "64e9a19a-e28c-484c-93b6-b7818ca0e6c4",
- "id": "A01.03",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-feature#what-event-types-are-stored-for-common-and-minimal"
- },
- {
- "category": "Defender For Cloud",
- "subcategory": "Pricing & Settings",
- "text": "Defender for Cloud enhanced security features are all enabled",
- "waf": "Security",
- "guid": "2149d414-a923-4c35-94d1-1029bd6aaf11",
- "id": "A01.04",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/security-center/enable-azure-defender"
- },
- {
- "category": "Defender For Cloud",
- "subcategory": "Pricing & Settings",
- "text": "Auto-provisioning enabled as per company policy (policy must exist)",
- "waf": "Security",
- "guid": "e6b84ee5-ef43-4d29-a248-1718d5d1f5f7",
- "id": "A01.05",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/security-center/security-center-enable-data-collection"
- },
- {
- "category": "Defender For Cloud",
- "subcategory": "Pricing & Settings",
- "text": "Email notifications enabled as per company policy (policy must exist)",
- "waf": "Security",
- "guid": "25759e35-680e-4782-9ac9-32213d027ff4",
- "id": "A01.06",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/security-center/security-center-provide-security-contact-details"
- },
- {
- "category": "Defender For Cloud",
- "subcategory": "Pricing & Settings",
- "text": "Enable integrations options are selected ",
- "waf": "Security",
- "guid": "12f70993-0631-4583-9ee7-9d6c6d363206",
- "id": "A01.07",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/security-center/security-center-wdatp?WT.mc_id=Portal-Microsoft_Azure_Security_CloudNativeCompute&tabs=windows"
- },
- {
- "category": "Defender For Cloud",
- "subcategory": "Pricing & Settings",
- "text": "CI/CD integration is configured",
- "waf": "Operations",
- "guid": "5b7abae4-4aad-45e8-a79e-2e86667313c5",
- "id": "A01.08",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/security-center/defender-for-container-registries-cicd"
- },
- {
- "category": "Defender For Cloud",
- "subcategory": "Pricing & Settings",
- "text": "Continuous export 'Event Hub' is enabled if using 3rd party SIEM",
- "waf": "Security",
- "guid": "05675c5e-985b-4859-a774-f7e371623b87",
- "id": "A01.09",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal"
- },
- {
- "category": "Defender For Cloud",
- "subcategory": "Pricing & Settings",
- "text": "Continuous export 'Log Analytics Workspace' is enabled if not using Azure Sentinel",
- "waf": "Security",
- "guid": "5a917e1f-349f-4036-9d28-d42e8bbbc868",
- "id": "A01.10",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal"
- },
- {
- "category": "Defender For Cloud",
- "subcategory": "Pricing & Settings",
- "text": "Cloud connector enabled for AWS",
- "waf": "Security",
- "guid": "255abc91-64e9-4a19-ae28-c84c43b6b781",
- "id": "A01.11",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/security-center/quickstart-onboard-aws?WT.mc_id=Portal-Microsoft_Azure_Security"
- },
- {
- "category": "Defender For Cloud",
- "subcategory": "Pricing & Settings",
- "text": "Cloud connector enabled for GCP",
- "waf": "Security",
- "guid": "8ca0e6c4-2149-4d41-9a92-3c3574d11029",
- "id": "A01.12",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/security-center/quickstart-onboard-gcp"
- },
- {
- "category": "Defender For Cloud",
- "subcategory": "Pricing & Settings",
- "text": "If using Azure AD Application proxy, consider integrating with Microsoft Defender for Cloud Apps to monitor application access in real-time and apply advanced security controls.",
- "waf": "Security",
- "guid": "cce9bdf6-b483-45a0-85ec-c8232b230652",
- "id": "A01.13",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy-integrate-with-microsoft-cloud-application-security"
- },
- {
- "category": "Defender For Cloud",
- "subcategory": "Recommendations",
- "text": "All recommendations remediated or disabled if not required.",
- "waf": "Security",
- "guid": "df9cc234-18db-4611-9126-5f4bb47a393a",
- "id": "A02.01",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/security-center/secure-score-security-controls"
- },
- {
- "category": "Defender For Cloud",
- "subcategory": "Recommendations",
- "text": "Security Score>70%",
- "description": "Microsoft minimum target for all customers is 70%",
- "waf": "Security",
- "guid": "08032729-4798-4b15-98a2-19a46ceb5443",
- "id": "A02.02",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/secure-score-security-controls"
- },
- {
- "category": "Defender For Cloud",
- "subcategory": "Security Alerts",
- "text": "Security Alerts contain only those generated in the past 24 hours (remediate or disable older security alerts)",
- "waf": "Security",
- "guid": "50259226-4429-42bb-9285-37a55119bf8e",
- "id": "A03.01",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/tutorial-security-incident"
- },
- {
- "category": "Defender For Cloud",
- "subcategory": "Workbooks",
- "text": "If continuous export is enabled, default workbooks published to custom security dashboard",
- "waf": "Security",
- "guid": "8f585428-7d9c-4dc1-96cd-072af9b141a8",
- "id": "A04.01",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/security-center/custom-dashboards-azure-workbooks"
- },
- {
- "category": "Defender For Cloud",
- "subcategory": "Community",
- "text": "Customer is aware of the value of the 'Community' page and has a regular cadence set up to review",
- "waf": "Security",
- "guid": "98a535e7-3789-47e7-8ca7-da7be9962a15",
- "id": "A05.01",
- "severity": "Medium",
- "link": "https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/bd-p/MicrosoftDefenderCloud"
- },
- {
- "category": "Defender For Cloud",
- "subcategory": "Secure Score",
- "text": "All subscriptions protected by Security Center are shown (no subscription filter set)",
- "description": "Customer Operational best practice - Transparency",
- "waf": "Security",
- "guid": "93846da9-7cc3-4923-856b-22586f4a1641",
- "id": "A06.01",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/enable-enhanced-security"
- },
- {
- "category": "Defender For Cloud",
- "subcategory": "Regulatory Compliance",
- "text": "Compliance controls are green for any required compliance requirements",
- "waf": "Security",
- "guid": "bdddea8a-487c-4deb-9861-bc3bc14aea6e",
- "id": "A07.01",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/security-center/security-center-compliance-dashboard"
- },
- {
- "category": "Defender For Cloud",
- "subcategory": "Azure Defender",
- "text": "High severity VM vulnerabilities is zero (empty)",
- "description": "Customer Operational best practice - verify",
- "waf": "Security",
- "guid": "65e8d9a3-aec2-418e-9436-b0736db55f57",
- "id": "A08.01",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/remediate-vulnerability-findings-vm"
- },
- {
- "category": "Defender For Cloud",
- "subcategory": "Firewall Manager",
- "text": "Hubs are protected by an Azure Firewall",
- "waf": "Security",
- "guid": "9603334b-df9c-4c23-918d-b61171265f4b",
- "id": "A09.01",
- "severity": "Medium",
- "link": "https://techcommunity.microsoft.com/t5/azure-network-security/azure-firewall-manager-is-now-integrated-with-azure-security/ba-p/2228679"
- },
- {
- "category": "Defender For Cloud",
- "subcategory": "Firewall Manager",
- "text": "Virtual Networks are protected by a Firewall",
- "description": "Customer Operational best practice - verify",
- "waf": "Security",
- "guid": "b47a393a-0803-4272-a479-8b1578a219a4",
- "id": "A09.02",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/security/fundamentals/network-best-practices"
- },
- {
- "category": "Defender For Cloud",
- "subcategory": "Firewall Manager",
- "text": "DDoS Standard enabled",
- "waf": "Security",
- "guid": "6ceb5443-5025-4922-9442-92bb628537a5",
- "id": "A09.03",
- "severity": "Medium",
- "link": "https://azure.microsoft.com/blog/how-azure-security-center-detects-ddos-attack-using-cyber-threat-intelligence/"
- },
- {
- "category": "Defender For Cloud",
- "subcategory": "Coverage",
- "text": "Verify that all subscriptions are covered (see pricing and settings to modify)",
- "waf": "Security",
- "guid": "5119bf8e-8f58-4542-a7d9-cdc166cd072a",
- "id": "A10.01",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started?WT.mc_id=Portal-Microsoft_Azure_Security"
- },
- {
- "category": "Azure Networking",
- "subcategory": "Public IPs",
- "text": "VM's with public IPs should be protected by NSG ",
- "waf": "Security",
- "guid": "4df585ec-dce9-4793-a7bc-db3b51eb2eb0",
- "id": "B01.01",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses"
- },
- {
- "category": "Azure Networking",
- "subcategory": "Public IPs",
- "text": "VMs with public IPs are moved behind Azure Firewall Premium",
- "description": "Customer operational best practice - verify",
- "waf": "Security",
- "guid": "3dda6e59-d7c8-4a2e-bb11-7d6769af669c",
- "id": "B01.02",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses"
- },
- {
- "category": "Azure Networking",
- "subcategory": "Public IPs",
- "text": "VM's that don't need public IPs do not have public IPs (i.e. internal RDP only)",
- "description": "Customer operational best practice - verify",
- "waf": "Security",
- "guid": "a48e5a85-f222-43ec-b8bb-12308ca5017f",
- "id": "B01.03",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access"
- },
- {
- "category": "Azure Networking",
- "subcategory": "NSG",
- "text": "NSG RBAC is used to restrict access to network security team",
- "waf": "Security",
- "guid": "158e3ea3-a93c-42de-9e31-65c3a87a04b7",
- "id": "B02.01",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview"
- },
- {
- "category": "Azure Networking",
- "subcategory": "NSG",
- "text": "NSG Inbound security rules do not contain a * (wildcard) in Source field",
- "description": "Customer operational best practice - verify",
- "waf": "Security",
- "guid": "a209939b-da47-4778-b24c-116785c2fa55",
- "id": "B02.02",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview"
- },
- {
- "category": "Azure Networking",
- "subcategory": "NSG",
- "text": "NSG outbound security rules are used to control traffic to specific IP addresses for traffic not routed through a Firewall",
- "description": "Customer 
operational best practice - verify", - "waf": "Security", - "guid": "b56a9480-08be-47d7-b4c4-76b6d8bdcf59", - "id": "B02.03", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview" - }, - { - "category": "Azure Networking", - "subcategory": "NSG", - "text": "NSG do not have Source as a * (wildcard) in place.", - "description": "Customer operational best practice - verify", - "waf": "Security", - "guid": "bce65de8-a13f-4988-9946-8d66a786d60f", - "id": "B02.04", - "severity": "High", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview" - }, - { - "category": "Azure Networking", - "subcategory": "NSG", - "text": "NSG Diagnostics send NetworkSecurityGroupEvent and NetworkSecurityGroupRuleCounter traffic to Sentinel LAW", - "waf": "Security", - "guid": "a6c97be9-955d-404c-9c49-c986cb2d1215", - "id": "B02.05", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-nsg-manage-log" - }, - { - "category": "Azure Networking", - "subcategory": "UDR", - "text": "UDR RBAC is used to restrict access to the network security team", - "waf": "Security", - "guid": "aa124b6e-4df5-485e-adce-9793b7bcdb3b", - "id": "B03.01", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview" - }, - { - "category": "Azure Networking", - "subcategory": "UDR", - "text": "If Zero Trust, then UDR's are used to send all traffic to the Azure Firewall Premium", - "waf": "Security", - "guid": "51eb2eb0-3dda-46e5-ad7c-8a2edb117d67", - "id": "B03.02", - "severity": "High", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview" - }, - { - "category": "Azure Networking", - "subcategory": "UDR", - "text": "UDR's that do not send all traffic to AzureFirewallPremium are known and documented.", - "description": "Customer operational best practice - verify", - "waf": 
"Security", - "guid": "69af669c-a48e-45a8-9f22-23ece8bb1230", - "id": "B03.03", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview" - }, - { - "category": "Azure Networking", - "subcategory": "Virtual Networks", - "text": "Customer is familiar with Azure networking defaults / SDN default routing in Azure", - "waf": "Security", - "guid": "8ca5017f-158e-43ea-9a93-c2de7e3165c3", - "id": "B04.01", - "severity": "High", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview#default" - }, - { - "category": "Azure Networking", - "subcategory": "Virtual Networks", - "text": "VNet RBAC is used to restrict access to the network security team", - "description": "Customer operational best practice - verify", - "waf": "Security", - "guid": "a87a04b7-a209-4939-ada4-7778f24c1167", - "id": "B04.02", - "severity": "Medium", - "link": "https://github.com/MicrosoftDocs/azure-docs/issues/53672" - }, - { - "category": "Azure Networking", - "subcategory": "Virtual Networks", - "text": "VNet Security recommendations are remediated and there are no 'At-risk' VNets ", - "waf": "Security", - "guid": "85c2fa55-b56a-4948-808b-e7d7e4c476b6", - "id": "B04.03", - "severity": "High", - "link": "https://learn.microsoft.com/azure/virtual-network/policy-reference" - }, - { - "category": "Azure Networking", - "subcategory": "Virtual Networks", - "text": "VNet Peering connections are understood and expected traffic flows are documented", - "waf": "Security", - "guid": "d8bdcf59-bce6-45de-aa13-f98879468d66", - "id": "B04.04", - "severity": "High", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview" - }, - { - "category": "Azure Networking", - "subcategory": "Virtual Networks", - "text": "VNet Service Endpoints are in use, no legacy Public Service Endpoints exist", - "waf": "Security", - "guid": "a786d60f-a6c9-47be-a955-d04c3c49c986", - "id": "B04.05", - 
"severity": "High", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview" - }, - { - "category": "Azure Networking", - "subcategory": "Virtual Networks", - "text": "VNet Private Endpoints are in use to allow access from on-premises environments, no legacy public endpoints exist", - "waf": "Security", - "guid": "1f625659-ee55-480a-9824-9c931213dbd7", - "id": "B04.06", - "severity": "High", - "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview" - }, - { - "category": "Azure Networking", - "subcategory": "Virtual Networks", - "text": "VNet Monitoring enabled", - "waf": "Security", - "guid": "fb012f70-943f-4630-9722-ea39d2b1ce63", - "id": "B04.07", - "severity": "High", - "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network" - }, - { - "category": "Azure Networking", - "subcategory": "Virtual Networks", - "text": "Secure traffic between pods using network policies in Azure Kubernetes Service (AKS)", - "waf": "Security", - "guid": "2055b29b-ade4-4aad-8e8c-39ec94666731", - "id": "B04.08", - "severity": "High", - "link": "https://learn.microsoft.com/azure/virtual-network/kubernetes-network-policies" - }, - { - "category": "Azure Networking", - "subcategory": "Virtual Networks", - "text": "VNet NVA (appliances) customer follows published architecture pattern", - "waf": "Security", - "guid": "3c005674-c1e9-445b-959c-373e7ed71623", - "id": "B04.09", - "severity": "High", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-scenario-udr-gw-nva" - }, - { - "category": "Azure Networking", - "subcategory": "Virtual Networks", - "text": "VNet Diagnostic settings are enabled and sending VMProtectionAlerts to the Azure Sentinel LAW", - "waf": "Security", - "guid": "b375a917-ecbe-448f-ae64-dd7df2e8bbbc", - "id": "B04.10", - "severity": "High", - "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network" - }, - { - "category": 
"Azure Networking", - "subcategory": "Connectivity", - "text": "Use ExpressRoute or VPN to access Azure resources from on-premises environments", - "waf": "Security", - "guid": "468155ab-c916-44e9-a09a-ed8c44cf3b2b", - "id": "B05.01", - "severity": "High", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure" - }, - { - "category": "Azure Networking", - "subcategory": "Virtual WAN", - "text": "VWAN RBAC is used to restrict access to the network security team", - "waf": "Security", - "guid": "bd8ac2aa-ebca-42a4-9da1-dbf3dd992481", - "id": "B06.01", - "severity": "High", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about" - }, - { - "category": "Azure Networking", - "subcategory": "Virtual WAN", - "text": "VWAN Customer is using Secure Hub or external Firewall to route and monitor traffic.", - "waf": "Security", - "guid": "718d1dca-1f62-4565-aee5-580a38249c93", - "id": "B06.02", - "severity": "High", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-global-transit-network-architecture" - }, - { - "category": "Azure Networking", - "subcategory": "Application Gateway", - "text": "AppGW RBAC is used to restrict access to the network security team", - "waf": "Security", - "guid": "1213dbd7-fb01-42f7-8943-f6304722ea39", - "id": "B07.01", - "severity": "High", - "link": "https://learn.microsoft.com/azure/web-application-firewall/overview" - }, - { - "category": "Azure Networking", - "subcategory": "Application Gateway", - "text": "AppGW All external facing web services are behind Application Gateways with WAF enabled ", - "waf": "Security", - "guid": "d2b1ce63-2055-4b29-aade-4aad1e8c39ec", - "id": "B07.02", - "severity": "High", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip" - }, - { - "category": "Azure Networking", - "subcategory": "Application Gateway", - "text": "AppGW All internal facing web services are behind 
Application Gateways with WAF enabled ", - "waf": "Security", - "guid": "94666731-3c00-4567-9c1e-945b459c373e", - "id": "B07.03", - "severity": "High", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip" - }, - { - "category": "Azure Networking", - "subcategory": "Application Gateway", - "text": "AppGW - External facing has TLS/SSL enabled and redirects all traffic to 443 (no port 80 traffic)", - "waf": "Security", - "guid": "7ed71623-b375-4a91-9ecb-e48fbe64dd7d", - "id": "B07.04", - "severity": "High", - "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview" - }, - { - "category": "Azure Networking", - "subcategory": "FrontDoor", - "text": "Front Door RBAC is used to restrict access to the network security team", - "waf": "Security", - "guid": "f2e8bbbc-4681-455a-ac91-64e9909aed8c", - "id": "B08.01", - "severity": "High", - "link": "https://learn.microsoft.com/azure/frontdoor/" - }, - { - "category": "Azure Networking", - "subcategory": "FrontDoor", - "text": "Front Door is associated with a WAF policy", - "waf": "Security", - "guid": "44cf3b2b-3818-4baf-a2cf-2149d013a923", - "id": "B08.02", - "severity": "High", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/front-door-security-baseline?toc=/azure/frontdoor/TOC.json" - }, - { - "category": "Azure Networking", - "subcategory": "FrontDoor", - "text": "Front Door TLS/SSL policy is configured", - "waf": "Security", - "guid": "ce574dcc-bd8a-4c2a-aebc-a2a44da1dbf3", - "id": "B08.03", - "severity": "High", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-custom-domain-https" - }, - { - "category": "Azure Networking", - "subcategory": "FrontDoor", - "text": "Front Door redirect port 80 to port 443 is configured (listeners)", - "waf": "Security", - "guid": "dd992481-718d-41dc-a1f6-25659ee5580a", - "id": "B08.04", - "severity": "High", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-url-redirect" - 
}, - { - "category": "Azure Networking", - "subcategory": "FrontDoor", - "text": "Front Door diagnostics logs send ApplicationGatewayAccessLog &ApplicationGateway FirewallLog to Sentinel LAW", - "waf": "Security", - "guid": "38249c93-1213-4dbd-9fb0-12f70943f630", - "id": "B08.05", - "severity": "High", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-diagnostics" - }, - { - "category": "Azure Networking", - "subcategory": "DDOS Protection", - "text": "Enabled for Firewall public IP's (all public IPs)", - "waf": "Security", - "guid": "4722ea39-d2b1-4ce6-9205-5b29bade4aad", - "id": "B09.01", - "severity": "High", - "link": "https://learn.microsoft.com/azure/security/fundamentals/ddos-best-practices" - }, - { - "category": "Identity", - "subcategory": "Tenant", - "text": "Establish a single enterprise directory for managing identities of full-time employees and enterprise resources.", - "waf": "Security", - "guid": "346ad56f-bdb8-44db-8bcd-0a689af63f1e", - "id": "C01.01", - "severity": "High", - "link": "https://learn.microsoft.com/security/compass/identity#a-single-enterprise-directory" - }, - { - "category": "Identity", - "subcategory": "Tenant", - "text": "Synchronize your cloud identity with your existing identity systems.", - "waf": "Security", - "guid": "a46108cd-6a76-4749-ae69-b7bf61410010", - "id": "C01.02", - "severity": "High", - "link": "https://learn.microsoft.com/security/compass/identity#synchronized-identity-systems" - }, - { - "category": "Identity", - "subcategory": "Tenant", - "text": "Use cloud identity services to host non-employee accounts such as vendors, partners, and customers, rather than rather than including them in your on-premises directory.", - "waf": "Security", - "guid": "a1ab96ceb-c149-4ce2-bcad-3bd375ebfc7f", - "id": "C01.03", - "severity": "High", - "link": "https://learn.microsoft.com/security/compass/identity#cloud-provider-identity-source-for-third-parties" - }, - { - "category": "Identity", - "subcategory": 
"Tenant", - "text": "Disable insecure legacy protocols for internet-facing services.", - "waf": "Security", - "guid": "343473ec-ed5c-49e1-98f4-cb09524a23cd", - "id": "C01.04", - "severity": "High", - "link": "https://learn.microsoft.com/security/compass/identity#block-legacy-authentication" - }, - { - "category": "Identity", - "subcategory": "Tenant", - "text": "Enable single sign-on", - "waf": "Security", - "guid": "70dceb23-50c7-4d8d-bf53-8cc104c7dc44", - "id": "C01.05", - "severity": "High", - "link": "https://learn.microsoft.com/azure/security/fundamentals/identity-management-best-practices#enable-single-sign-on" - }, - { - "category": "Identity", - "subcategory": "Privileged administration", - "text": "Don�t synchronize accounts with the highest privilege access to on-premises resources as you synchronize your enterprise identity systems with cloud directories.", - "waf": "Security", - "guid": "87791be1-1eb0-48ed-8003-ad9bcf241b99", - "id": "C02.01", - "severity": "High", - "link": "https://learn.microsoft.com/security/compass/identity#no-on-premises-admin-accounts-in-cloud-identity-providers" - }, - { - "category": "Identity", - "subcategory": "Privileged administration", - "text": "Limit the number of Global Administrators to less than 5", - "waf": "Security", - "guid": "9e6efe9d-f28f-463b-9bff-b5080173e9fe", - "id": "C02.02", - "severity": "High", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#5-limit-the-number-of-global-administrators-to-less-than-5" - }, - { - "category": "Identity", - "subcategory": "Privileged administration", - "text": "Use groups for Azure AD role assignments and delegate the role assignment", - "waf": "Security", - "guid": "e0d968d3-87f6-41fb-a4f9-d852f1673f4c", - "id": "C02.03", - "severity": "High", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#6-use-groups-for-azure-ad-role-assignments-and-delegate-the-role-assignment" - }, - { - "category": "Identity", - 
"subcategory": "Privileged administration", - "text": "Ensure all critical impact admins are managed by enterprise directory to follow organizational policy enforcement.", - "waf": "Security", - "guid": "00350863-4df6-4050-9cf1-cbaa6d58283e", - "id": "C02.04", - "severity": "High", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#managed-accounts-for-admins" - }, - { - "category": "Identity", - "subcategory": "Privileged administration", - "text": "Configure recurring access reviews to revoke unneeded permissions over time", - "waf": "Security", - "guid": "eae64d01-0d3a-4ae1-a89d-cc1c2ad3888f", - "id": "C02.05", - "severity": "High", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#4-configure-recurring-access-reviews-to-revoke-unneeded-permissions-over-time" - }, - { - "category": "Identity", - "subcategory": "Privileged administration", - "text": "Ensure critical impact admins use a workstation with elevated security protections and monitoring", - "waf": "Security", - "guid": "922ac19f-916d-4697-b8ea-ded26bdd186f", - "id": "C02.06", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#admin-workstation-security" - }, - { - "category": "Identity", - "subcategory": "External Identities", - "text": "Identity Providers: Verify external identity providers are known", - "waf": "Security", - "guid": "1e8c39ec-9466-4673-83c0-05674c1e945b", - "id": "C03.01", - "severity": "High", - "link": "https://learn.microsoft.com/azure/active-directory/external-identities/compare-with-b2c" - }, - { - "category": "Identity", - "subcategory": "External Identities", - "text": "External Collaboration Settings: Guest user access set to 'Guest user access is restricted?'", - "waf": "Security", - "guid": "459c373e-7ed7-4162-9b37-5a917ecbe48f", - "id": "C03.02", - "severity": "High", - "link": 
"https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations" - }, - { - "category": "Identity", - "subcategory": "External Identities", - "text": "External Collaboration Settings: Guest invite settings set to 'Only users assigned to specific admin roles'", - "waf": "Security", - "guid": "be64dd7d-f2e8-4bbb-a468-155abc9164e9", - "id": "C03.03", - "severity": "High", - "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations" - }, - { - "category": "Identity", - "subcategory": "External Identities", - "text": "External Collaboration Settings: Enable guest self-service sign up via flows set to 'Disabled' ", - "waf": "Security", - "guid": "909aed8c-44cf-43b2-a381-8bafa2cf2149", - "id": "C03.04", - "severity": "High", - "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations" - }, - { - "category": "Identity", - "subcategory": "External Identities", - "text": "External Collaboration Settings: Collaboration restrictions set to 'Allow invitations to the specified domains'", - "waf": "Security", - "guid": "d013a923-ce57-44dc-abd8-ac2aaebca2a4", - "id": "C03.05", - "severity": "High", - "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations" - }, - { - "category": "Identity", - "subcategory": "External Identities", - "text": "Access Reviews: Enabled for all groups", - "waf": "Security", - "guid": "4da1dbf3-dd99-4248-8718-d1dca1f62565", - "id": "C03.06", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/active-directory/governance/deploy-access-reviews" - }, - { - "category": "Identity", - "subcategory": "Enterprise Applications", - "text": "Consent & Permissions: Allow user consent for apps from verified publishers", - "waf": "Security", - "guid": "9ee5580a-3824-49c9-9121-3dbd7fb012f7", - "id": "C04.01", - "severity": "Medium", - "link": 
"https://learn.microsoft.com/azure/active-directory/manage-apps/configure-user-consent" - }, - { - "category": "Identity", - "subcategory": "Enterprise Applications", - "text": "Consent & Permissions: Allow group owner consent for selected group owners ", - "waf": "Security", - "guid": "0943f630-4722-4ea3-ad2b-1ce632055b29", - "id": "C04.02", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/active-directory/manage-apps/configure-user-consent-groups" - }, - { - "category": "Identity", - "subcategory": "Custom Domains", - "text": "Only validated customer domains are registered", - "waf": "Security", - "guid": "bade4aad-1e8c-439e-a946-667313c00567", - "id": "C05.01", - "severity": "High", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy-configure-custom-domain" - }, - { - "category": "Identity", - "subcategory": "Password Reset", - "text": "Self-service password reset policy requirement verified compliant.", - "waf": "Security", - "guid": "4c1e945b-459c-4373-b7ed-71623b375a91", - "id": "C06.01", - "severity": "High", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-sspr" - }, - { - "category": "Identity", - "subcategory": "Password Reset", - "text": "Set number of days before users are asked to re-confirm authentication information is not set to zero", - "waf": "Security", - "guid": "7ecbe48f-be64-4dd7-bf2e-8bbbc468155a", - "id": "C06.02", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/howto-sspr-deployment" - }, - { - "category": "Identity", - "subcategory": "Password Reset", - "text": "Set number of methods required to reset password are selected", - "waf": "Security", - "guid": "bc9164e9-909a-4ed8-a44c-f3b2b3818baf", - "id": "C06.03", - "severity": "High", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/howto-sspr-deployment" - }, - { - "category": "Identity", - "subcategory": 
"User Setting", - "text": "Disable 'Users can register applications'", - "waf": "Security", - "guid": "a2cf2149-d013-4a92-9ce5-74dccbd8ac2a", - "id": "C07.01", - "severity": "High", - "link": "https://learn.microsoft.com/azure/active-directory/roles/delegate-app-roles" - }, - { - "category": "Identity", - "subcategory": "User Setting", - "text": "Restrict access to Administrative portal (portal.azure.com) to administrators only", - "waf": "Security", - "guid": "aebca2a4-4da1-4dbf-9dd9-92481718d1dc", - "id": "C07.02", - "severity": "High", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/users-default-permissions" - }, - { - "category": "Identity", - "subcategory": "User Setting", - "text": "Disable 'LinkedIn account connection'", - "waf": "Security", - "guid": "a1f62565-9ee5-4580-a382-49c931213dbd", - "id": "C07.03", - "severity": "High", - "link": "https://learn.microsoft.com/azure/active-directory/enterprise-users/linkedin-integration" - }, - { - "category": "Identity", - "subcategory": "Diagnostic Settings", - "text": "Enabled and send to Log Analytics workspace with Sentinel", - "waf": "Security", - "guid": "7fb012f7-0943-4f63-8472-2ea39d2b1ce6", - "id": "C08.01", - "severity": "High", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-monitoring" - }, - { - "category": "Identity", - "subcategory": "PIM enabled", - "text": "Privileged Identity Management enabled", - "waf": "Security", - "guid": "21e44a19-a9dd-4399-afd7-b28dc8355562", - "id": "C09.01", - "severity": "High", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-deployment-plan" - }, - { - "category": "Identity", - "subcategory": "PIM enabled", - "text": "Implement 'just in time' (JIT) access to further lower the exposure time for privileged accounts (reduce standing access)", - "waf": "Security", - "guid": "46f4389a-7f42-4c78-b78c-06a63a21a495", - "id": "C09.02", - "severity": "High", - 
"link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-usage?tabs=jit-config-asc%2Cjit-request-asc" - }, - { - "category": "Identity", - "subcategory": "Conditional Access Policies", - "text": "Configure conditional access policies / Access Controls", - "waf": "Security", - "guid": "6e6a8dc4-a20e-427b-9e29-711b1352beee", - "id": "C10.01", - "severity": "High", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policy-common" - }, - { - "category": "Identity", - "subcategory": "Conditional Access Policies", - "text": "Conditions: Restricted Locations", - "waf": "Security", - "guid": "079b588d-efc4-4972-ac3c-d21bf77036e5", - "id": "C10.02", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/location-condition" - }, - { - "category": "Identity", - "subcategory": "Conditional Access Policies", - "text": "Access Controls: MFA enabled for all users", - "waf": "Security", - "guid": "e6b4bed3-d5f3-4547-a134-7dc56028a71f", - "id": "C10.03", - "severity": "High", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa" - }, - { - "category": "Identity", - "subcategory": "Conditional Access Policies", - "text": "Access Controls: Require MFA for Administrators", - "waf": "Security", - "guid": "fe1bd15d-d2f0-4d5e-972d-41e3611cc57b", - "id": "C10.04", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa" - }, - { - "category": "Identity", - "subcategory": "Conditional Access Policies", - "text": "Access Controls: Require MFA for Azure Management ", - "waf": "Security", - "guid": "4a4b1410-d439-4589-ac22-89b3d6b57cfc", - "id": "C10.05", - "severity": "High", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-azure-management" - }, - { - 
"category": "Identity", - "subcategory": "Conditional Access Policies", - "text": "Access Controls: Block Legacy Protocols", - "waf": "Security", - "guid": "645461e1-a3e3-4453-a3c8-639637a552d6", - "id": "C10.06", - "severity": "High", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy" - }, - { - "category": "Identity", - "subcategory": "Conditional Access Policies", - "text": "Access Controls: Require devices to be marked as compliant", - "waf": "Security", - "guid": "7ae9eab4-0fd3-4290-998b-c178bdc5a06c", - "id": "C10.07", - "severity": "High", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/require-managed-devices" - }, - { - "category": "Identity", - "subcategory": "Guest users", - "text": "Is there a policy to track guest user accounts (i.e. usage/delete/disable)?", - "description": "Customer documented policy", - "waf": "Security", - "guid": "a7144351-e19d-4d34-929e-b7228137a151", - "id": "C11.01", - "severity": "Medium", - "link": "https://devblogs.microsoft.com/premier-developer/azure-active-directory-automating-guest-user-management/" - }, - { - "category": "Identity", - "subcategory": "Identity Secure Score", - "text": "Implement Identity Secure Score based on best practices in your industry", - "waf": "Security", - "guid": "c5bb4e4f-1814-4287-b5ca-8c26c9b32ab5", - "id": "C12.01", - "severity": "High", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/identity-secure-score" - }, - { - "category": "Identity", - "subcategory": "Break Glass Accounts", - "text": "At least two break glass accounts have been created and policy around their use exists", - "waf": "Security", - "guid": "bcfc6998-a135-4e33-9897-e31c67d68cb6", - "id": "C13.01", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access" - }, - { - "category": "VM Security Checks", - "subcategory": "Access 
Control", - "text": "Control VM Access leveraging Azure Policy", - "waf": "Security", - "guid": "0ac252b9-99a6-48af-a7c9-a8f821b8eb8c", - "id": "D01.01", - "severity": "High", - "link": "https://learn.microsoft.com/azure/governance/policy/overview" - }, - { - "category": "VM Security Checks", - "subcategory": "Access Control", - "text": "Reduce variability in your setup and deployment of VMs by leveraging templates", - "waf": "Security", - "guid": "0aa77e26-e4d5-4aea-a8dc-4e2436bc336d", - "id": "D01.02", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/templates/syntax" - }, - { - "category": "VM Security Checks", - "subcategory": "Access Control", - "text": "Secure privileged access to deploy VMS by reducing who has access to Resources through Governance", - "waf": "Security", - "guid": "b5945bda-4333-44fd-b91c-234182b65275", - "id": "D01.03", - "severity": "Medium", - "link": "https://learn.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models" - }, - { - "category": "VM Security Checks", - "subcategory": "High Availability ", - "text": "Use multiple VMs for your workloads for better availability ", - "waf": "Reliability", - "guid": "269440b4-be3d-43e0-a432-76d4bdc015bc", - "id": "D02.01", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service" - }, - { - "category": "VM Security Checks", - "subcategory": "High Availability ", - "text": "Deploy and test a disaster recovery solution ", - "waf": "Reliability", - "guid": "f219e4a1-eb58-4879-935d-227886d30b66", - "id": "D02.02", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-first-look-arm" - }, - { - "category": "VM Security Checks", - "subcategory": "High Availability ", - "text": "Availability sets", - "waf": "Reliability", - "guid": "c57be595-1900-4838-95c5-86cb291ec16a", - "id": "D02.03", - 
"severity": "Medium", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview" - }, - { - "category": "VM Security Checks", - "subcategory": "High Availability ", - "text": "Availability Zones", - "waf": "Reliability", - "guid": "1d076ef9-f141-4acd-ae57-9377bcdb3751", - "id": "D02.04", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/availability-zones/az-overview?context=/azure/virtual-machines/context/context" - }, - { - "category": "VM Security Checks", - "subcategory": "High Availability ", - "text": "Regional fault tolerance ", - "waf": "Reliability", - "guid": "ab2ac1fa-d66e-415d-9d5a-2adb2c3e2326", - "id": "D02.05", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/architecture/resiliency/recovery-loss-azure-region" - }, - { - "category": "VM Security Checks", - "subcategory": "Protect against malware", - "text": "Install antimalware solutions", - "waf": "Security", - "guid": "af225ca4-4e16-496f-bdde-ace4cb1deb4c", - "id": "D03.01", - "severity": "High", - "link": "https://learn.microsoft.com/azure/security/fundamentals/antimalware" - }, - { - "category": "VM Security Checks", - "subcategory": "Protect against malware", - "text": "Integrate antimalware solution with Security Center", - "waf": "Security", - "guid": "650c3fc1-4eeb-4b36-a382-9e3eec218368", - "id": "D03.02", - "severity": "High", - "link": "https://learn.microsoft.com/azure/security-center/security-center-partner-integration" - }, - { - "category": "VM Security Checks", - "subcategory": "Manage VM Updates", - "text": "Keep VMs up to date using Update Management with Azure Automation", - "waf": "Security", - "guid": "7a0177a2-b594-45bd-a433-34fdf91c2341", - "id": "D04.01", - "severity": "High", - "link": "https://learn.microsoft.com/azure/automation/update-management/overview" - }, - { - "category": "VM Security Checks", - "subcategory": "Manage VM Updates", - "text": "Ensure Windows images for deployment have the most recent 
level of updates ", - "waf": "Security", - "guid": "c6fa96b9-6ad8-4840-af37-2734c876ba28", - "id": "D04.02", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/virtual-machines/automatic-vm-guest-patching" - }, - { - "category": "VM Security Checks", - "subcategory": "Manage VM Updates", - "text": "Rapidly apply security updates to VMs using Microsoft Defender for Cloud", - "waf": "Security", - "guid": "02145901-465d-438e-9309-ccbd979266bc", - "id": "D04.03", - "severity": "High", - "link": "https://learn.microsoft.com/azure/security-center/asset-inventory" - }, - { - "category": "VM Security Checks", - "subcategory": "Encrypt your VHDs", - "text": "Enable encryption on your VMs", - "waf": "Security", - "guid": "ca274faa-19bf-439d-a5d4-4c7c8919ca1f", - "id": "D05.01", - "severity": "High", - "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview" - }, - { - "category": "VM Security Checks", - "subcategory": "Encrypt your VHDs", - "text": "Add Key Encryption Key (KEK) for added layer of security for encryption ", - "waf": "Security", - "guid": "6d5315ae-524b-4a34-b458-5e12139bd7bb", - "id": "D05.02", - "severity": "High", - "link": "https://learn.microsoft.com/azure/virtual-machines/windows/disk-encryption-key-vault#set-up-a-key-encryption-key-kek" - }, - { - "category": "VM Security Checks", - "subcategory": "Encrypt your VHDs", - "text": "Take a snapshot of disks before encryption for rollback purposes", - "waf": "Security", - "guid": "012f7b95-e06e-4154-b2aa-3592828e6e20", - "id": "D05.03", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/virtual-machines/windows/snapshot-copy-managed-disk" - }, - { - "category": "VM Security Checks", - "subcategory": "Restrict direct internet connection ", - "text": "Ensure only the central networking group has permissions to networking resources ", - "waf": "Security", - "guid": "5173676a-e466-491e-a835-ad942223e138", - "id": "D06.01", - "severity": "High", - 
"link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles" - }, - { - "category": "VM Security Checks", - "subcategory": "Restrict direct internet connection ", - "text": "Identity and remediate exposed VMs that allow access from 'ANY' source IP address", - "waf": "Security", - "guid": "10523081-a941-4741-9833-ff7ad7c6d373", - "id": "D06.02", - "severity": "High", - "link": "https://learn.microsoft.com/azure/security-center/security-center-partner-integration" - }, - { - "category": "VM Security Checks", - "subcategory": "Restrict direct internet connection ", - "text": "Restrict management ports (RDP, SSH) using Just-in-Time Access", - "waf": "Security", - "guid": "75a91be1-f388-4f03-a4d2-cd463cbbbc86", - "id": "D06.03", - "severity": "High", - "link": "https://learn.microsoft.com/azure/security-center/security-center-just-in-time" - }, - { - "category": "VM Security Checks", - "subcategory": "Restrict direct internet connection ", - "text": "Remove internet access and implement jump servers for RDP", - "waf": "Security", - "guid": "8295abc9-1a4e-4da0-bae2-cc84c47b6b78", - "id": "D06.04", - "severity": "High", - "link": "http://learn.microsoft.com/answers/questions/171195/how-to-create-jump-server-in-azure-not-bastion-paa.html" - }, - { - "category": "VM Security Checks", - "subcategory": "Restrict direct internet connection ", - "text": "Remove direct logging into servers using RDP/SSH from internet and implement VPN or express route", - "waf": "Security", - "guid": "1cbafe6c-4658-49d4-98a9-27c3974d1102", - "id": "D06.05", - "severity": "High", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-forced-tunneling" - }, - { - "category": "VM Security Checks", - "subcategory": "Restrict direct internet connection ", - "text": "Leverage Azure Bastion as your RDP/SSH broker for added security and reduction in footprint", - "waf": "Security", - "guid": "dad6aae1-1e6b-484e-b5df-47d2d92881b1", - "id": "D06.06", - 
"severity": "High", - "link": "https://learn.microsoft.com/azure/bastion/bastion-overview" - }, - { - "category": "Sentinel", - "subcategory": "Architecture ", - "text": "All tenants contain have Sentinel enabled on at least one Log Analytics workspace", - "waf": "Security", - "guid": "cd5d1e54-a297-459e-9968-0e78289c9356", - "id": "E01.01", - "severity": "High", - "link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard" - }, - { - "category": "Sentinel", - "subcategory": "Architecture ", - "text": "Customer understands Sentinel architecture", - "waf": "Security", - "guid": "57d02bff-4564-4b0d-a34a-359836ee79d6", - "id": "E01.02", - "severity": "High", - "link": "https://learn.microsoft.com/azure/sentinel/best-practices-workspace-architecture" - }, - { - "category": "Sentinel", - "subcategory": "Architecture ", - "text": "Customer knows how to monitor Incidents across multiple Sentinel instances", - "waf": "Security", - "guid": "e8f5c586-c7d9-4cdc-86ac-c075ef9b141a", - "id": "E01.03", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/sentinel/multiple-workspace-view" - }, - { - "category": "Sentinel", - "subcategory": "Overview", - "text": "No Incidents open more than 24 hours", - "waf": "Security", - "guid": "8989579e-76b8-497e-910a-7da7be9966e1", - "id": "E02.01", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/sentinel/manage-soc-with-incident-metrics" - }, - { - "category": "Sentinel", - "subcategory": "News & Guides", - "text": "Customer have been shown the News & Guides tab", - "waf": "Security", - "guid": "5d3c4ada-97cb-43d1-925a-b225c6f4e068", - "id": "E03.01", - "severity": "Low", - "link": "https://learn.microsoft.com/azure/sentinel/whats-new" - }, - { - "category": "Sentinel", - "subcategory": "UEBA ", - "text": "UEBA Configured (Sentinel/Settings/Settings/Configure UEBA)", - "waf": "Security", - "guid": "5edddea8-a4b7-4cde-a4c6-1fc3fc14eea6", - "id": "E04.01", - "severity": "Medium", - "link": 
"https://learn.microsoft.com/azure/sentinel/enable-entity-behavior-analytics" - }, - { - "category": "Sentinel", - "subcategory": "Data Connectors", - "text": "Azure Active Directory in configured and 'Last Log Received' shows today", - "waf": "Security", - "guid": "e69d8d9a-3eec-4218-b687-ab077adb49e5", - "id": "E05.01", - "severity": "High", - "link": "https://learn.microsoft.com/azure/sentinel/connect-azure-active-directory" - }, - { - "category": "Sentinel", - "subcategory": "Data Connectors", - "text": "Azure Active Directory Identity Protection is configured and 'Last Log Received' shows today", - "waf": "Security", - "guid": "b9603334-fdf8-4cc2-9318-db61171269f4", - "id": "E05.02", - "severity": "High", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-active-directory-identity-protection" - }, - { - "category": "Sentinel", - "subcategory": "Data Connectors", - "text": "Azure Activity is configured is configured and 'Last Log Received' shows today", - "waf": "Security", - "guid": "0b4aa3d3-e070-4327-9d4b-98b15b8a219a", - "id": "E05.03", - "severity": "High", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-activity" - }, - { - "category": "Sentinel", - "subcategory": "Data Connectors", - "text": "Microsoft Defender for Cloud is configured and 'Last Log Received' shows today", - "waf": "Security", - "guid": "8e13f9cc-bd46-4826-9abc-a264f9a19bfe", - "id": "E05.04", - "severity": "High", - "link": "https://learn.microsoft.com/azure/sentinel/connect-defender-for-cloud" - }, - { - "category": "Sentinel", - "subcategory": "Data Connectors", - "text": "Azure Firewall is configured and 'Last Log Received' shows today", - "waf": "Security", - "guid": "9d55d04c-3c49-419c-a1b2-d1215ae114b9", - "id": "E05.05", - "severity": "High", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-firewall" - }, - { - "category": "Sentinel", - "subcategory": "Data Connectors", - 
"text": "Windows Firewall is configured and 'Last Log Received' shows today", - "waf": "Security", - "guid": "34df585e-cccd-49bd-9ba0-cdb3b54eb2eb", - "id": "E05.06", - "severity": "High", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#windows-firewall" - }, - { - "category": "Sentinel", - "subcategory": "Data Connectors", - "text": "Security Events is configured with AMA and 'Last Log Received' shows today", - "waf": "Security", - "guid": "03ddaa25-9271-48d2-bdb1-0725769ef669", - "id": "E05.07", - "severity": "High", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#windows-security-events-via-ama" - }, - { - "category": "Sentinel", - "subcategory": "Data Connectors", - "text": "Security Events - verify Azure computers are connected and sending data to the workspace", - "waf": "Security", - "guid": "1a4834ac-9322-423e-ae80-b123081a5417", - "id": "E05.08", - "severity": "High", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference" - }, - { - "category": "Sentinel", - "subcategory": "Data Connectors", - "text": "Security Events - verify non-Azure computers are connected and sending data to the workspace", - "waf": "Security", - "guid": "859c773e-7e26-4162-9b77-5a917e1f348e", - "id": "E05.09", - "severity": "High", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference" - }, - { - "category": "Sentinel", - "subcategory": "Data Connectors", - "text": "Connector for AWS", - "waf": "Security", - "guid": "f354c27d-42e8-4bba-a868-155abb9163e9", - "id": "E05.10", - "severity": "High", - "link": "https://learn.microsoft.com/azure/sentinel/connect-aws?tabs=s3" - }, - { - "category": "Sentinel", - "subcategory": "Data Connectors", - "text": "Connector for GCP", - "waf": "Security", - "guid": "909ae28c-84c3-43b6-a780-8bafe6c42149", - "id": "E05.11", - "severity": "High", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference" - }, - { - 
"category": "Sentinel", - "subcategory": "Analytics Rules", - "text": "Customer has enabled Analytics rules and configured Incidents ", - "waf": "Security", - "guid": "d413a923-c357-44d1-8028-ac6aae01e6a8", - "id": "E06.01", - "severity": "High", - "link": "https://learn.microsoft.com/azure/sentinel/detect-threats-built-in" - }, - { - "category": "Sentinel", - "subcategory": "Settings", - "text": "Customer does not have a daily cap enabled", - "waf": "Security", - "guid": "4de5df43-d299-4248-8718-d5d1e5f62565", - "id": "E07.01", - "severity": "Medium", - "link": "https://azure.microsoft.com/updates/controlling-data-volume-and-retention-in-log-analytics-2/" - }, - { - "category": "Azure Firewall", - "subcategory": "Configuration", - "text": "Azure Firewall Premium deployed", - "waf": "Security", - "guid": "9e3558fd-7724-49c9-9111-2d027fe412f7", - "id": "F01.01", - "severity": "High", - "link": "https://learn.microsoft.com/azure/firewall/premium-features" - }, - { - "category": "Azure Firewall", - "subcategory": "Configuration", - "text": "Quad zero/force tunning enabled through Azure Firewall", - "waf": "Security", - "guid": "4dc74a74-8b66-433a-b2a0-916a764980ad", - "id": "F01.02", - "severity": "High", - "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal#create-a-default-route" - }, - { - "category": "Azure Firewall", - "subcategory": "Access Control", - "text": "RBAC set to enable only authorized users", - "waf": "Security", - "guid": "0e278ee2-93c1-4bc3-92ba-aab7571849ab", - "id": "F02.01", - "severity": "Medium", - "link": "https://techcommunity.microsoft.com/t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598" - }, - { - "category": "Azure Firewall", - "subcategory": "Diagnostic Settings", - "text": "Diagnostics enabled and sending metrics to a Log Analytics workspace ", - "waf": "Security", - "guid": "8093dc9f-c9d1-4bb7-9b36-a5a67fbb9ed5", - "id": "F03.01", - "severity": "Medium", - "link": 
"https://learn.microsoft.com/azure/firewall/firewall-diagnostics" - }, - { - "category": "Azure Firewall", - "subcategory": "Firewall Manager", - "text": "Hubs and virtual networks are protected or connected through Firewall Premium", - "waf": "Security", - "guid": "b35478c3-4798-416b-8863-cffe1cac599e", - "id": "F04.01", - "severity": "High", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview" - }, - { - "category": "Azure Firewall", - "subcategory": "Firewall Manager", - "text": "Policy: Access controls are configured (RBAC)", - "waf": "Security", - "guid": "f0d5a73d-d4de-436c-8c81-770afbc4c0e4", - "id": "F04.02", - "severity": "High", - "link": "https://techcommunity.microsoft.com/t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598" - }, - { - "category": "Azure Firewall", - "subcategory": "Firewall Manager", - "text": "Policy: Parent policy is configured ", - "waf": "Security", - "guid": "5c3a87af-4a79-41f8-a39b-da47768e14c1", - "id": "F04.03", - "severity": "High", - "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview" - }, - { - "category": "Azure Firewall", - "subcategory": "Firewall Manager", - "text": "Policy: Rule collections are defined", - "waf": "Security", - "guid": "15675c1e-a55b-446a-a48f-f8ae7d7e4b47", - "id": "F04.04", - "severity": "High", - "link": "https://learn.microsoft.com/azure/firewall/rule-processing" - }, - { - "category": "Azure Firewall", - "subcategory": "Firewall Manager", - "text": "Policy: DNAT policies are defined", - "waf": "Security", - "guid": "5b6c8bcb-f59b-4ce6-9de8-a03f97879468", - "id": "F04.05", - "severity": "High", - "link": "https://learn.microsoft.com/azure/firewall/rule-processing" - }, - { - "category": "Azure Firewall", - "subcategory": "Firewall Manager", - "text": "Policy: Network rules are defined", - "waf": "Security", - "guid": "d66a786d-60e9-46c9-9ad8-855d04c2b39c", - "id": "F04.06", - "severity": "High", - "link": 
"https://learn.microsoft.com/azure/firewall/rule-processing" - }, - { - "category": "Azure Firewall", - "subcategory": "Firewall Manager", - "text": "Policy: Application rules are defined", - "waf": "Security", - "guid": "986bb2c1-2149-4a11-9b5e-3df574ecccd9", - "id": "F04.07", - "severity": "High", - "link": "https://learn.microsoft.com/azure/firewall/features" - }, - { - "category": "Azure Firewall", - "subcategory": "Firewall Manager", - "text": "DNS: Feature understood and applied or not applied", - "waf": "Security", - "guid": "793a6bcd-a3b5-40eb-8eb0-3dd95d58d7c8", - "id": "F04.08", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/firewall/dns-details" - }, - { - "category": "Azure Firewall", - "subcategory": "Firewall Manager", - "text": "Threat Intelligence: Set to Alert & Deny", - "waf": "Security", - "guid": "d622f54b-29ba-4de3-aad1-e8c28ec93666", - "id": "F04.09", - "severity": "High", - "link": "https://learn.microsoft.com/azure/firewall-manager/threat-intelligence-settings" - }, - { - "category": "Azure Firewall", - "subcategory": "Firewall Manager", - "text": "Threat Intelligence: Allowed list (justify if they are being used - ie performance)", - "waf": "Security", - "guid": "7313b005-674b-41e9-94a4-59c373e7ed61", - "id": "F04.10", - "severity": "High", - "link": "https://learn.microsoft.com/azure/firewall-manager/threat-intelligence-settings#allowlist-addresses" - }, - { - "category": "Azure Firewall", - "subcategory": "Firewall Manager", - "text": "TLS enabled", - "waf": "Security", - "guid": "623b365a-917e-4cbe-98eb-d54cd7df2e8b", - "id": "F04.11", - "severity": "High", - "link": "https://learn.microsoft.com/azure/firewall/premium-certificates" - }, - { - "category": "Azure Firewall", - "subcategory": "Firewall Manager", - "text": "IDPS enabled", - "waf": "Security", - "guid": "bac35715-59ab-4915-9e99-08aed8c44ce3", - "id": "F04.12", - "severity": "High", - "link": "https://learn.microsoft.com/azure/firewall/rule-processing" - 
}, - { - "category": "Azure Firewall", - "subcategory": "Firewall Manager", - "text": "SNAT: Configured ", - "waf": "Security", - "guid": "b2b3808b-9fa1-4cf1-849d-003a923ce474", - "id": "F04.13", - "severity": "High", - "link": "https://learn.microsoft.com/azure/firewall/snat-private-range" - }, - { - "category": "Azure Firewall", - "subcategory": "DDOS Protection", - "text": "Enabled for Firewall public IP's", - "waf": "Security", - "guid": "dbcbd8ac-2aae-4bca-8a43-da1dae2cc992", - "id": "F05.01", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/security/fundamentals/ddos-best-practices" - } - ], - "categories": [ - { - "name": "Defender For Cloud" - }, - { - "name": "Azure Networking" - }, - { - "name": "Identity" - }, - { - "name": "VM Security Checks" - }, - { - "name": "Sentinel" - }, - { - "name": "Azure Firewall" - } - ], - "waf": [ - { - "name": "Reliability" - }, - { - "name": "Security" - }, - { - "name": "Cost" - }, - { - "name": "Operations" - }, - { - "name": "Performance" - } - ], - "yesno": [ - { - "name": "Yes" - }, - { - "name": "No" - } - ], - "status": [ - { - "name": "Not verified", - "description": "This check has not been looked at yet" - }, - { - "name": "Open", - "description": "There is an action item associated to this check" - }, - { - "name": "Fulfilled", - "description": "This check has been verified, and there are no further action items associated to it" - }, - { - "name": "Not required", - "description": "Recommendation understood, but not needed by current requirements" - }, - { - "name": "N/A", - "description": "Not applicable for current design" - } - ], - "severities": [ - { - "name": "High" - }, - { - "name": "Medium" - }, - { - "name": "Low" - } - ], - "metadata": { - "name": "Azure Security Review Checklist", - "state": "Deprecated", - "timestamp": "12/15/2023 12:00:24" - } -} +{ + "items": [ + { + "category": "Defender For Cloud", + "subcategory": "Pricing & Settings", + "text": "Security Center/Defender 
enable in all subscriptions", + "waf": "Security", + "guid": "54174158-33fb-43ae-9c2d-e743165c3acb", + "id": "A01.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started" + }, + { + "category": "Defender For Cloud", + "subcategory": "Pricing & Settings", + "text": "Security Center/Defender enabled on all Log Analytics workspaces", + "waf": "Security", + "guid": "349f0364-d28d-442e-abbb-c868255abc91", + "id": "A01.02", + "severity": "High", + "link": "https://learn.microsoft.com/azure/security-center/enable-azure-defender" + }, + { + "category": "Defender For Cloud", + "subcategory": "Pricing & Settings", + "text": "Data collection set to 'Common'", + "waf": "Security", + "guid": "64e9a19a-e28c-484c-93b6-b7818ca0e6c4", + "id": "A01.03", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-feature#what-event-types-are-stored-for-common-and-minimal" + }, + { + "category": "Defender For Cloud", + "subcategory": "Pricing & Settings", + "text": "Defender for Cloud enhanced security features are all enabled", + "waf": "Security", + "guid": "2149d414-a923-4c35-94d1-1029bd6aaf11", + "id": "A01.04", + "severity": "High", + "link": "https://learn.microsoft.com/azure/security-center/enable-azure-defender" + }, + { + "category": "Defender For Cloud", + "subcategory": "Pricing & Settings", + "text": "Auto-provisioning enabled as per company policy (policy must exist)", + "waf": "Security", + "guid": "e6b84ee5-ef43-4d29-a248-1718d5d1f5f7", + "id": "A01.05", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/security-center/security-center-enable-data-collection" + }, + { + "category": "Defender For Cloud", + "subcategory": "Pricing & Settings", + "text": "Email notifications enabled as per company policy (policy must exist)", + "waf": "Security", + "guid": "25759e35-680e-4782-9ac9-32213d027ff4", + "id": "A01.06", + "severity": 
"Low", + "link": "https://learn.microsoft.com/azure/security-center/security-center-provide-security-contact-details" + }, + { + "category": "Defender For Cloud", + "subcategory": "Pricing & Settings", + "text": "Enable integrations options are selected ", + "waf": "Security", + "guid": "12f70993-0631-4583-9ee7-9d6c6d363206", + "id": "A01.07", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/security-center/security-center-wdatp?WT.mc_id=Portal-Microsoft_Azure_Security_CloudNativeCompute&tabs=windows" + }, + { + "category": "Defender For Cloud", + "subcategory": "Pricing & Settings", + "text": "CI/CD integration is configured", + "waf": "Operations", + "guid": "5b7abae4-4aad-45e8-a79e-2e86667313c5", + "id": "A01.08", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/security-center/defender-for-container-registries-cicd" + }, + { + "category": "Defender For Cloud", + "subcategory": "Pricing & Settings", + "text": "Continuous export 'Event Hub' is enabled if using 3rd party SIEM", + "waf": "Security", + "guid": "05675c5e-985b-4859-a774-f7e371623b87", + "id": "A01.09", + "severity": "High", + "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal" + }, + { + "category": "Defender For Cloud", + "subcategory": "Pricing & Settings", + "text": "Continuous export 'Log Analytics Workspace' is enabled if not using Azure Sentinel", + "waf": "Security", + "guid": "5a917e1f-349f-4036-9d28-d42e8bbbc868", + "id": "A01.10", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal" + }, + { + "category": "Defender For Cloud", + "subcategory": "Pricing & Settings", + "text": "Cloud connector enabled for AWS", + "waf": "Security", + "guid": "255abc91-64e9-4a19-ae28-c84c43b6b781", + "id": "A01.11", + "severity": "High", + "link": "https://learn.microsoft.com/azure/security-center/quickstart-onboard-aws?WT.mc_id=Portal-Microsoft_Azure_Security" 
+ }, + { + "category": "Defender For Cloud", + "subcategory": "Pricing & Settings", + "text": "Cloud connector enabled for GCP", + "waf": "Security", + "guid": "8ca0e6c4-2149-4d41-9a92-3c3574d11029", + "id": "A01.12", + "severity": "High", + "link": "https://learn.microsoft.com/azure/security-center/quickstart-onboard-gcp" + }, + { + "category": "Defender For Cloud", + "subcategory": "Pricing & Settings", + "text": "If using Azure AD Application proxy, consider integrating with Microsoft Defender for Cloud Apps to monitor application access in real-time and apply advanced security controls.", + "waf": "Security", + "guid": "cce9bdf6-b483-45a0-85ec-c8232b230652", + "id": "A01.13", + "severity": "Low", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy-integrate-with-microsoft-cloud-application-security" + }, + { + "category": "Defender For Cloud", + "subcategory": "Recommendations", + "text": "All recommendations remediated or disabled if not required.", + "waf": "Security", + "guid": "df9cc234-18db-4611-9126-5f4bb47a393a", + "id": "A02.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/security-center/secure-score-security-controls" + }, + { + "category": "Defender For Cloud", + "subcategory": "Recommendations", + "text": "Security Score>70%", + "description": "Microsoft minimum target for all customers is 70%", + "waf": "Security", + "guid": "08032729-4798-4b15-98a2-19a46ceb5443", + "id": "A02.02", + "severity": "High", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/secure-score-security-controls" + }, + { + "category": "Defender For Cloud", + "subcategory": "Security Alerts", + "text": "Security Alerts contain only those generated in the past 24 hours (remediate or disable older security alerts)", + "waf": "Security", + "guid": "50259226-4429-42bb-9285-37a55119bf8e", + "id": "A03.01", + "severity": "Medium", + "link": 
"https://learn.microsoft.com/azure/defender-for-cloud/tutorial-security-incident" + }, + { + "category": "Defender For Cloud", + "subcategory": "Workbooks", + "text": "If continuous export is enabled, default workbooks published to custom security dashboard", + "waf": "Security", + "guid": "8f585428-7d9c-4dc1-96cd-072af9b141a8", + "id": "A04.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/security-center/custom-dashboards-azure-workbooks" + }, + { + "category": "Defender For Cloud", + "subcategory": "Community", + "text": "Customer is aware of the value of the 'Community' page and has a regular cadence set up to review", + "waf": "Security", + "guid": "98a535e7-3789-47e7-8ca7-da7be9962a15", + "id": "A05.01", + "severity": "Medium", + "link": "https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/bd-p/MicrosoftDefenderCloud" + }, + { + "category": "Defender For Cloud", + "subcategory": "Secure Score", + "text": "All subscriptions protected by Security Center are shown (no subscription filter set)", + "description": "Customer Operational best practice - Transparency", + "waf": "Security", + "guid": "93846da9-7cc3-4923-856b-22586f4a1641", + "id": "A06.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/enable-enhanced-security" + }, + { + "category": "Defender For Cloud", + "subcategory": "Regulatory Compliance", + "text": "Compliance controls are green for any required compliance requirements", + "waf": "Security", + "guid": "bdddea8a-487c-4deb-9861-bc3bc14aea6e", + "id": "A07.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/security-center/security-center-compliance-dashboard" + }, + { + "category": "Defender For Cloud", + "subcategory": "Azure Defender", + "text": "High severity VM vulnerabilities is zero (empty)", + "description": "Customer Operational best practice - verify", + "waf": "Security", + "guid": "65e8d9a3-aec2-418e-9436-b0736db55f57", + "id": "A08.01", 
+ "severity": "High", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/remediate-vulnerability-findings-vm" + }, + { + "category": "Defender For Cloud", + "subcategory": "Firewall Manager", + "text": "Hubs are protected by an Azure Firewall", + "waf": "Security", + "guid": "9603334b-df9c-4c23-918d-b61171265f4b", + "id": "A09.01", + "severity": "Medium", + "link": "https://techcommunity.microsoft.com/t5/azure-network-security/azure-firewall-manager-is-now-integrated-with-azure-security/ba-p/2228679" + }, + { + "category": "Defender For Cloud", + "subcategory": "Firewall Manager", + "text": "Virtual Networks are protected by a Firewall", + "description": "Customer Operational best practice - verify", + "waf": "Security", + "guid": "b47a393a-0803-4272-a479-8b1578a219a4", + "id": "A09.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/security/fundamentals/network-best-practices" + }, + { + "category": "Defender For Cloud", + "subcategory": "Firewall Manager", + "text": "DDoS Standard enabled", + "waf": "Security", + "guid": "6ceb5443-5025-4922-9442-92bb628537a5", + "id": "A09.03", + "severity": "Medium", + "link": "https://azure.microsoft.com/blog/how-azure-security-center-detects-ddos-attack-using-cyber-threat-intelligence/" + }, + { + "category": "Defender For Cloud", + "subcategory": "Coverage", + "text": "Verify that all subscriptions are covered (see pricing and settings to modify)", + "waf": "Security", + "guid": "5119bf8e-8f58-4542-a7d9-cdc166cd072a", + "id": "A10.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started?WT.mc_id=Portal-Microsoft_Azure_Security" + }, + { + "category": "Azure Networking", + "subcategory": "Public IPs", + "text": "VM's with public IPs should be protected by NSG ", + "waf": "Security", + "guid": "4df585ec-dce9-4793-a7bc-db3b51eb2eb0", + "id": "B01.01", + "severity": "High", + "link": 
"https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses" + }, + { + "category": "Azure Networking", + "subcategory": "Public IPs", + "text": "VMs with public IPs are moved behind Azure Firewall Premium", + "description": "Customer operational best practice - verify", + "waf": "Security", + "guid": "3dda6e59-d7c8-4a2e-bb11-7d6769af669c", + "id": "B01.02", + "severity": "High", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses" + }, + { + "category": "Azure Networking", + "subcategory": "Public IPs", + "text": "VM's that don't need public IPs do not have public IPs (i.e. internal RDP only)", + "description": "Customer operational best practice - verify", + "waf": "Security", + "guid": "a48e5a85-f222-43ec-b8bb-12308ca5017f", + "id": "B01.03", + "severity": "High", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access" + }, + { + "category": "Azure Networking", + "subcategory": "NSG", + "text": "NSG RBAC is used to restrict access to network security team", + "waf": "Security", + "guid": "158e3ea3-a93c-42de-9e31-65c3a87a04b7", + "id": "B02.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview" + }, + { + "category": "Azure Networking", + "subcategory": "NSG", + "text": "NSG Inbound security rules do not contain a * (wildcard) in Source field", + "description": "Customer operational best practice - verify", + "waf": "Security", + "guid": "a209939b-da47-4778-b24c-116785c2fa55", + "id": "B02.02", + "severity": "High", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview" + }, + { + "category": "Azure Networking", + "subcategory": "NSG", + "text": "NSG outbound security rules are used to control traffic to specific IP addresses for traffic not routed through a Firewall", + "description": "Customer operational best practice - verify", + "waf": "Security", 
+ "guid": "b56a9480-08be-47d7-b4c4-76b6d8bdcf59", + "id": "B02.03", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview" + }, + { + "category": "Azure Networking", + "subcategory": "NSG", + "text": "NSG do not have Source as a * (wildcard) in place.", + "description": "Customer operational best practice - verify", + "waf": "Security", + "guid": "bce65de8-a13f-4988-9946-8d66a786d60f", + "id": "B02.04", + "severity": "High", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview" + }, + { + "category": "Azure Networking", + "subcategory": "NSG", + "text": "NSG Diagnostics send NetworkSecurityGroupEvent and NetworkSecurityGroupRuleCounter traffic to Sentinel LAW", + "waf": "Security", + "guid": "a6c97be9-955d-404c-9c49-c986cb2d1215", + "id": "B02.05", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-nsg-manage-log" + }, + { + "category": "Azure Networking", + "subcategory": "UDR", + "text": "UDR RBAC is used to restrict access to the network security team", + "waf": "Security", + "guid": "aa124b6e-4df5-485e-adce-9793b7bcdb3b", + "id": "B03.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview" + }, + { + "category": "Azure Networking", + "subcategory": "UDR", + "text": "If Zero Trust, then UDR's are used to send all traffic to the Azure Firewall Premium", + "waf": "Security", + "guid": "51eb2eb0-3dda-46e5-ad7c-8a2edb117d67", + "id": "B03.02", + "severity": "High", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview" + }, + { + "category": "Azure Networking", + "subcategory": "UDR", + "text": "UDR's that do not send all traffic to AzureFirewallPremium are known and documented.", + "description": "Customer operational best practice - verify", + "waf": "Security", + "guid": "69af669c-a48e-45a8-9f22-23ece8bb1230", 
+ "id": "B03.03", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview" + }, + { + "category": "Azure Networking", + "subcategory": "Virtual Networks", + "text": "Customer is familiar with Azure networking defaults / SDN default routing in Azure", + "waf": "Security", + "guid": "8ca5017f-158e-43ea-9a93-c2de7e3165c3", + "id": "B04.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview#default" + }, + { + "category": "Azure Networking", + "subcategory": "Virtual Networks", + "text": "VNet RBAC is used to restrict access to the network security team", + "description": "Customer operational best practice - verify", + "waf": "Security", + "guid": "a87a04b7-a209-4939-ada4-7778f24c1167", + "id": "B04.02", + "severity": "Medium", + "link": "https://github.com/MicrosoftDocs/azure-docs/issues/53672" + }, + { + "category": "Azure Networking", + "subcategory": "Virtual Networks", + "text": "VNet Security recommendations are remediated and there are no 'At-risk' VNets ", + "waf": "Security", + "guid": "85c2fa55-b56a-4948-808b-e7d7e4c476b6", + "id": "B04.03", + "severity": "High", + "link": "https://learn.microsoft.com/azure/virtual-network/policy-reference" + }, + { + "category": "Azure Networking", + "subcategory": "Virtual Networks", + "text": "VNet Peering connections are understood and expected traffic flows are documented", + "waf": "Security", + "guid": "d8bdcf59-bce6-45de-aa13-f98879468d66", + "id": "B04.04", + "severity": "High", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview" + }, + { + "category": "Azure Networking", + "subcategory": "Virtual Networks", + "text": "VNet Service Endpoints are in use, no legacy Public Service Endpoints exist", + "waf": "Security", + "guid": "a786d60f-a6c9-47be-a955-d04c3c49c986", + "id": "B04.05", + "severity": "High", + "link": 
"https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview" + }, + { + "category": "Azure Networking", + "subcategory": "Virtual Networks", + "text": "VNet Private Endpoints are in use to allow access from on-premises environments, no legacy public endpoints exist", + "waf": "Security", + "guid": "1f625659-ee55-480a-9824-9c931213dbd7", + "id": "B04.06", + "severity": "High", + "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview" + }, + { + "category": "Azure Networking", + "subcategory": "Virtual Networks", + "text": "VNet Monitoring enabled", + "waf": "Security", + "guid": "fb012f70-943f-4630-9722-ea39d2b1ce63", + "id": "B04.07", + "severity": "High", + "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network" + }, + { + "category": "Azure Networking", + "subcategory": "Virtual Networks", + "text": "Secure traffic between pods using network policies in Azure Kubernetes Service (AKS)", + "waf": "Security", + "guid": "2055b29b-ade4-4aad-8e8c-39ec94666731", + "id": "B04.08", + "severity": "High", + "link": "https://learn.microsoft.com/azure/virtual-network/kubernetes-network-policies" + }, + { + "category": "Azure Networking", + "subcategory": "Virtual Networks", + "text": "VNet NVA (appliances) customer follows published architecture pattern", + "waf": "Security", + "guid": "3c005674-c1e9-445b-959c-373e7ed71623", + "id": "B04.09", + "severity": "High", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-scenario-udr-gw-nva" + }, + { + "category": "Azure Networking", + "subcategory": "Virtual Networks", + "text": "VNet Diagnostic settings are enabled and sending VMProtectionAlerts to the Azure Sentinel LAW", + "waf": "Security", + "guid": "b375a917-ecbe-448f-ae64-dd7df2e8bbbc", + "id": "B04.10", + "severity": "High", + "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network" + }, + { + "category": "Azure Networking", + 
"subcategory": "Connectivity", + "text": "Use ExpressRoute or VPN to access Azure resources from on-premises environments", + "waf": "Security", + "guid": "468155ab-c916-44e9-a09a-ed8c44cf3b2b", + "id": "B05.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure" + }, + { + "category": "Azure Networking", + "subcategory": "Virtual WAN", + "text": "VWAN RBAC is used to restrict access to the network security team", + "waf": "Security", + "guid": "bd8ac2aa-ebca-42a4-9da1-dbf3dd992481", + "id": "B06.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about" + }, + { + "category": "Azure Networking", + "subcategory": "Virtual WAN", + "text": "VWAN Customer is using Secure Hub or external Firewall to route and monitor traffic.", + "waf": "Security", + "guid": "718d1dca-1f62-4565-aee5-580a38249c93", + "id": "B06.02", + "severity": "High", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-global-transit-network-architecture" + }, + { + "category": "Azure Networking", + "subcategory": "Application Gateway", + "text": "AppGW RBAC is used to restrict access to the network security team", + "waf": "Security", + "guid": "1213dbd7-fb01-42f7-8943-f6304722ea39", + "id": "B07.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview" + }, + { + "category": "Azure Networking", + "subcategory": "Application Gateway", + "text": "AppGW All external facing web services are behind Application Gateways with WAF enabled ", + "waf": "Security", + "guid": "d2b1ce63-2055-4b29-aade-4aad1e8c39ec", + "id": "B07.02", + "severity": "High", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip" + }, + { + "category": "Azure Networking", + "subcategory": "Application Gateway", + "text": "AppGW All internal facing web services are behind Application Gateways with 
WAF enabled ", + "waf": "Security", + "guid": "94666731-3c00-4567-9c1e-945b459c373e", + "id": "B07.03", + "severity": "High", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip" + }, + { + "category": "Azure Networking", + "subcategory": "Application Gateway", + "text": "AppGW - External facing has TLS/SSL enabled and redirects all traffic to 443 (no port 80 traffic)", + "waf": "Security", + "guid": "7ed71623-b375-4a91-9ecb-e48fbe64dd7d", + "id": "B07.04", + "severity": "High", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview" + }, + { + "category": "Azure Networking", + "subcategory": "FrontDoor", + "text": "Front Door RBAC is used to restrict access to the network security team", + "waf": "Security", + "guid": "f2e8bbbc-4681-455a-ac91-64e9909aed8c", + "id": "B08.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/frontdoor/" + }, + { + "category": "Azure Networking", + "subcategory": "FrontDoor", + "text": "Front Door is associated with a WAF policy", + "waf": "Security", + "guid": "44cf3b2b-3818-4baf-a2cf-2149d013a923", + "id": "B08.02", + "severity": "High", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/front-door-security-baseline?toc=/azure/frontdoor/TOC.json" + }, + { + "category": "Azure Networking", + "subcategory": "FrontDoor", + "text": "Front Door TLS/SSL policy is configured", + "waf": "Security", + "guid": "ce574dcc-bd8a-4c2a-aebc-a2a44da1dbf3", + "id": "B08.03", + "severity": "High", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-custom-domain-https" + }, + { + "category": "Azure Networking", + "subcategory": "FrontDoor", + "text": "Front Door redirect port 80 to port 443 is configured (listeners)", + "waf": "Security", + "guid": "dd992481-718d-41dc-a1f6-25659ee5580a", + "id": "B08.04", + "severity": "High", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-url-redirect" + }, + { + "category": "Azure 
Networking", + "subcategory": "FrontDoor", + "text": "Front Door diagnostics logs send ApplicationGatewayAccessLog &ApplicationGateway FirewallLog to Sentinel LAW", + "waf": "Security", + "guid": "38249c93-1213-4dbd-9fb0-12f70943f630", + "id": "B08.05", + "severity": "High", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-diagnostics" + }, + { + "category": "Azure Networking", + "subcategory": "DDOS Protection", + "text": "Enabled for Firewall public IP's (all public IPs)", + "waf": "Security", + "guid": "4722ea39-d2b1-4ce6-9205-5b29bade4aad", + "id": "B09.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/security/fundamentals/ddos-best-practices" + }, + { + "category": "Identity", + "subcategory": "Tenant", + "text": "Establish a single enterprise directory for managing identities of full-time employees and enterprise resources.", + "waf": "Security", + "guid": "346ad56f-bdb8-44db-8bcd-0a689af63f1e", + "id": "C01.01", + "severity": "High", + "link": "https://learn.microsoft.com/security/compass/identity#a-single-enterprise-directory" + }, + { + "category": "Identity", + "subcategory": "Tenant", + "text": "Synchronize your cloud identity with your existing identity systems.", + "waf": "Security", + "guid": "a46108cd-6a76-4749-ae69-b7bf61410010", + "id": "C01.02", + "severity": "High", + "link": "https://learn.microsoft.com/security/compass/identity#synchronized-identity-systems" + }, + { + "category": "Identity", + "subcategory": "Tenant", + "text": "Use cloud identity services to host non-employee accounts such as vendors, partners, and customers, rather than rather than including them in your on-premises directory.", + "waf": "Security", + "guid": "a1ab96ceb-c149-4ce2-bcad-3bd375ebfc7f", + "id": "C01.03", + "severity": "High", + "link": "https://learn.microsoft.com/security/compass/identity#cloud-provider-identity-source-for-third-parties" + }, + { + "category": "Identity", + "subcategory": "Tenant", + "text": "Disable 
insecure legacy protocols for internet-facing services.", + "waf": "Security", + "guid": "343473ec-ed5c-49e1-98f4-cb09524a23cd", + "id": "C01.04", + "severity": "High", + "link": "https://learn.microsoft.com/security/compass/identity#block-legacy-authentication" + }, + { + "category": "Identity", + "subcategory": "Tenant", + "text": "Enable single sign-on", + "waf": "Security", + "guid": "70dceb23-50c7-4d8d-bf53-8cc104c7dc44", + "id": "C01.05", + "severity": "High", + "link": "https://learn.microsoft.com/azure/security/fundamentals/identity-management-best-practices#enable-single-sign-on" + }, + { + "category": "Identity", + "subcategory": "Privileged administration", + "text": "Don\ufffdt synchronize accounts with the highest privilege access to on-premises resources as you synchronize your enterprise identity systems with cloud directories.", + "waf": "Security", + "guid": "87791be1-1eb0-48ed-8003-ad9bcf241b99", + "id": "C02.01", + "severity": "High", + "link": "https://learn.microsoft.com/security/compass/identity#no-on-premises-admin-accounts-in-cloud-identity-providers" + }, + { + "category": "Identity", + "subcategory": "Privileged administration", + "text": "Limit the number of Global Administrators to less than 5", + "waf": "Security", + "guid": "9e6efe9d-f28f-463b-9bff-b5080173e9fe", + "id": "C02.02", + "severity": "High", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#5-limit-the-number-of-global-administrators-to-less-than-5" + }, + { + "category": "Identity", + "subcategory": "Privileged administration", + "text": "Use groups for Azure AD role assignments and delegate the role assignment", + "waf": "Security", + "guid": "e0d968d3-87f6-41fb-a4f9-d852f1673f4c", + "id": "C02.03", + "severity": "High", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#6-use-groups-for-azure-ad-role-assignments-and-delegate-the-role-assignment" + }, + { + "category": "Identity", + "subcategory": "Privileged 
administration", + "text": "Ensure all critical impact admins are managed by enterprise directory to follow organizational policy enforcement.", + "waf": "Security", + "guid": "00350863-4df6-4050-9cf1-cbaa6d58283e", + "id": "C02.04", + "severity": "High", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#managed-accounts-for-admins" + }, + { + "category": "Identity", + "subcategory": "Privileged administration", + "text": "Configure recurring access reviews to revoke unneeded permissions over time", + "waf": "Security", + "guid": "eae64d01-0d3a-4ae1-a89d-cc1c2ad3888f", + "id": "C02.05", + "severity": "High", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#4-configure-recurring-access-reviews-to-revoke-unneeded-permissions-over-time" + }, + { + "category": "Identity", + "subcategory": "Privileged administration", + "text": "Ensure critical impact admins use a workstation with elevated security protections and monitoring", + "waf": "Security", + "guid": "922ac19f-916d-4697-b8ea-ded26bdd186f", + "id": "C02.06", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#admin-workstation-security" + }, + { + "category": "Identity", + "subcategory": "External Identities", + "text": "Identity Providers: Verify external identity providers are known", + "waf": "Security", + "guid": "1e8c39ec-9466-4673-83c0-05674c1e945b", + "id": "C03.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/compare-with-b2c" + }, + { + "category": "Identity", + "subcategory": "External Identities", + "text": "External Collaboration Settings: Guest user access set to 'Guest user access is restricted?'", + "waf": "Security", + "guid": "459c373e-7ed7-4162-9b37-5a917ecbe48f", + "id": "C03.02", + "severity": "High", + "link": 
"https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations" + }, + { + "category": "Identity", + "subcategory": "External Identities", + "text": "External Collaboration Settings: Guest invite settings set to 'Only users assigned to specific admin roles'", + "waf": "Security", + "guid": "be64dd7d-f2e8-4bbb-a468-155abc9164e9", + "id": "C03.03", + "severity": "High", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations" + }, + { + "category": "Identity", + "subcategory": "External Identities", + "text": "External Collaboration Settings: Enable guest self-service sign up via flows set to 'Disabled' ", + "waf": "Security", + "guid": "909aed8c-44cf-43b2-a381-8bafa2cf2149", + "id": "C03.04", + "severity": "High", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations" + }, + { + "category": "Identity", + "subcategory": "External Identities", + "text": "External Collaboration Settings: Collaboration restrictions set to 'Allow invitations to the specified domains'", + "waf": "Security", + "guid": "d013a923-ce57-44dc-abd8-ac2aaebca2a4", + "id": "C03.05", + "severity": "High", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations" + }, + { + "category": "Identity", + "subcategory": "External Identities", + "text": "Access Reviews: Enabled for all groups", + "waf": "Security", + "guid": "4da1dbf3-dd99-4248-8718-d1dca1f62565", + "id": "C03.06", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/active-directory/governance/deploy-access-reviews" + }, + { + "category": "Identity", + "subcategory": "Enterprise Applications", + "text": "Consent & Permissions: Allow user consent for apps from verified publishers", + "waf": "Security", + "guid": "9ee5580a-3824-49c9-9121-3dbd7fb012f7", + "id": "C04.01", + "severity": "Medium", + "link": 
"https://learn.microsoft.com/azure/active-directory/manage-apps/configure-user-consent" + }, + { + "category": "Identity", + "subcategory": "Enterprise Applications", + "text": "Consent & Permissions: Allow group owner consent for selected group owners ", + "waf": "Security", + "guid": "0943f630-4722-4ea3-ad2b-1ce632055b29", + "id": "C04.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/active-directory/manage-apps/configure-user-consent-groups" + }, + { + "category": "Identity", + "subcategory": "Custom Domains", + "text": "Only validated customer domains are registered", + "waf": "Security", + "guid": "bade4aad-1e8c-439e-a946-667313c00567", + "id": "C05.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy-configure-custom-domain" + }, + { + "category": "Identity", + "subcategory": "Password Reset", + "text": "Self-service password reset policy requirement verified compliant.", + "waf": "Security", + "guid": "4c1e945b-459c-4373-b7ed-71623b375a91", + "id": "C06.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-sspr" + }, + { + "category": "Identity", + "subcategory": "Password Reset", + "text": "Set number of days before users are asked to re-confirm authentication information is not set to zero", + "waf": "Security", + "guid": "7ecbe48f-be64-4dd7-bf2e-8bbbc468155a", + "id": "C06.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/howto-sspr-deployment" + }, + { + "category": "Identity", + "subcategory": "Password Reset", + "text": "Set number of methods required to reset password are selected", + "waf": "Security", + "guid": "bc9164e9-909a-4ed8-a44c-f3b2b3818baf", + "id": "C06.03", + "severity": "High", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/howto-sspr-deployment" + }, + { + "category": "Identity", + "subcategory": 
"User Setting", + "text": "Disable 'Users can register applications'", + "waf": "Security", + "guid": "a2cf2149-d013-4a92-9ce5-74dccbd8ac2a", + "id": "C07.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/active-directory/roles/delegate-app-roles" + }, + { + "category": "Identity", + "subcategory": "User Setting", + "text": "Restrict access to Administrative portal (portal.azure.com) to administrators only", + "waf": "Security", + "guid": "aebca2a4-4da1-4dbf-9dd9-92481718d1dc", + "id": "C07.02", + "severity": "High", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/users-default-permissions" + }, + { + "category": "Identity", + "subcategory": "User Setting", + "text": "Disable 'LinkedIn account connection'", + "waf": "Security", + "guid": "a1f62565-9ee5-4580-a382-49c931213dbd", + "id": "C07.03", + "severity": "High", + "link": "https://learn.microsoft.com/azure/active-directory/enterprise-users/linkedin-integration" + }, + { + "category": "Identity", + "subcategory": "Diagnostic Settings", + "text": "Enabled and send to Log Analytics workspace with Sentinel", + "waf": "Security", + "guid": "7fb012f7-0943-4f63-8472-2ea39d2b1ce6", + "id": "C08.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-monitoring" + }, + { + "category": "Identity", + "subcategory": "PIM enabled", + "text": "Privileged Identity Management enabled", + "waf": "Security", + "guid": "21e44a19-a9dd-4399-afd7-b28dc8355562", + "id": "C09.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-deployment-plan" + }, + { + "category": "Identity", + "subcategory": "PIM enabled", + "text": "Implement 'just in time' (JIT) access to further lower the exposure time for privileged accounts (reduce standing access)", + "waf": "Security", + "guid": "46f4389a-7f42-4c78-b78c-06a63a21a495", + "id": "C09.02", + "severity": "High", + 
"link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-usage?tabs=jit-config-asc%2Cjit-request-asc" + }, + { + "category": "Identity", + "subcategory": "Conditional Access Policies", + "text": "Configure conditional access policies / Access Controls", + "waf": "Security", + "guid": "6e6a8dc4-a20e-427b-9e29-711b1352beee", + "id": "C10.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policy-common" + }, + { + "category": "Identity", + "subcategory": "Conditional Access Policies", + "text": "Conditions: Restricted Locations", + "waf": "Security", + "guid": "079b588d-efc4-4972-ac3c-d21bf77036e5", + "id": "C10.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/location-condition" + }, + { + "category": "Identity", + "subcategory": "Conditional Access Policies", + "text": "Access Controls: MFA enabled for all users", + "waf": "Security", + "guid": "e6b4bed3-d5f3-4547-a134-7dc56028a71f", + "id": "C10.03", + "severity": "High", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa" + }, + { + "category": "Identity", + "subcategory": "Conditional Access Policies", + "text": "Access Controls: Require MFA for Administrators", + "waf": "Security", + "guid": "fe1bd15d-d2f0-4d5e-972d-41e3611cc57b", + "id": "C10.04", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa" + }, + { + "category": "Identity", + "subcategory": "Conditional Access Policies", + "text": "Access Controls: Require MFA for Azure Management ", + "waf": "Security", + "guid": "4a4b1410-d439-4589-ac22-89b3d6b57cfc", + "id": "C10.05", + "severity": "High", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-azure-management" + }, + { + 
"category": "Identity", + "subcategory": "Conditional Access Policies", + "text": "Access Controls: Block Legacy Protocols", + "waf": "Security", + "guid": "645461e1-a3e3-4453-a3c8-639637a552d6", + "id": "C10.06", + "severity": "High", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy" + }, + { + "category": "Identity", + "subcategory": "Conditional Access Policies", + "text": "Access Controls: Require devices to be marked as compliant", + "waf": "Security", + "guid": "7ae9eab4-0fd3-4290-998b-c178bdc5a06c", + "id": "C10.07", + "severity": "High", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/require-managed-devices" + }, + { + "category": "Identity", + "subcategory": "Guest users", + "text": "Is there a policy to track guest user accounts (i.e. usage/delete/disable)?", + "description": "Customer documented policy", + "waf": "Security", + "guid": "a7144351-e19d-4d34-929e-b7228137a151", + "id": "C11.01", + "severity": "Medium", + "link": "https://devblogs.microsoft.com/premier-developer/azure-active-directory-automating-guest-user-management/" + }, + { + "category": "Identity", + "subcategory": "Identity Secure Score", + "text": "Implement Identity Secure Score based on best practices in your industry", + "waf": "Security", + "guid": "c5bb4e4f-1814-4287-b5ca-8c26c9b32ab5", + "id": "C12.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/identity-secure-score" + }, + { + "category": "Identity", + "subcategory": "Break Glass Accounts", + "text": "At least two break glass accounts have been created and policy around their use exists", + "waf": "Security", + "guid": "bcfc6998-a135-4e33-9897-e31c67d68cb6", + "id": "C13.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access" + }, + { + "category": "VM Security Checks", + "subcategory": "Access 
Control", + "text": "Control VM Access leveraging Azure Policy", + "waf": "Security", + "guid": "0ac252b9-99a6-48af-a7c9-a8f821b8eb8c", + "id": "D01.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/governance/policy/overview" + }, + { + "category": "VM Security Checks", + "subcategory": "Access Control", + "text": "Reduce variability in your setup and deployment of VMs by leveraging templates", + "waf": "Security", + "guid": "0aa77e26-e4d5-4aea-a8dc-4e2436bc336d", + "id": "D01.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/templates/syntax" + }, + { + "category": "VM Security Checks", + "subcategory": "Access Control", + "text": "Secure privileged access to deploy VMS by reducing who has access to Resources through Governance", + "waf": "Security", + "guid": "b5945bda-4333-44fd-b91c-234182b65275", + "id": "D01.03", + "severity": "Medium", + "link": "https://learn.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models" + }, + { + "category": "VM Security Checks", + "subcategory": "High Availability ", + "text": "Use multiple VMs for your workloads for better availability ", + "waf": "Reliability", + "guid": "269440b4-be3d-43e0-a432-76d4bdc015bc", + "id": "D02.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service" + }, + { + "category": "VM Security Checks", + "subcategory": "High Availability ", + "text": "Deploy and test a disaster recovery solution ", + "waf": "Reliability", + "guid": "f219e4a1-eb58-4879-935d-227886d30b66", + "id": "D02.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-first-look-arm" + }, + { + "category": "VM Security Checks", + "subcategory": "High Availability ", + "text": "Availability sets", + "waf": "Reliability", + "guid": "c57be595-1900-4838-95c5-86cb291ec16a", + "id": "D02.03", + 
"severity": "Medium", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview" + }, + { + "category": "VM Security Checks", + "subcategory": "High Availability ", + "text": "Availability Zones", + "waf": "Reliability", + "guid": "1d076ef9-f141-4acd-ae57-9377bcdb3751", + "id": "D02.04", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/availability-zones/az-overview?context=/azure/virtual-machines/context/context" + }, + { + "category": "VM Security Checks", + "subcategory": "High Availability ", + "text": "Regional fault tolerance ", + "waf": "Reliability", + "guid": "ab2ac1fa-d66e-415d-9d5a-2adb2c3e2326", + "id": "D02.05", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/architecture/resiliency/recovery-loss-azure-region" + }, + { + "category": "VM Security Checks", + "subcategory": "Protect against malware", + "text": "Install antimalware solutions", + "waf": "Security", + "guid": "af225ca4-4e16-496f-bdde-ace4cb1deb4c", + "id": "D03.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/security/fundamentals/antimalware" + }, + { + "category": "VM Security Checks", + "subcategory": "Protect against malware", + "text": "Integrate antimalware solution with Security Center", + "waf": "Security", + "guid": "650c3fc1-4eeb-4b36-a382-9e3eec218368", + "id": "D03.02", + "severity": "High", + "link": "https://learn.microsoft.com/azure/security-center/security-center-partner-integration" + }, + { + "category": "VM Security Checks", + "subcategory": "Manage VM Updates", + "text": "Keep VMs up to date using Update Management with Azure Automation", + "waf": "Security", + "guid": "7a0177a2-b594-45bd-a433-34fdf91c2341", + "id": "D04.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/automation/update-management/overview" + }, + { + "category": "VM Security Checks", + "subcategory": "Manage VM Updates", + "text": "Ensure Windows images for deployment have the most recent 
level of updates ", + "waf": "Security", + "guid": "c6fa96b9-6ad8-4840-af37-2734c876ba28", + "id": "D04.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/virtual-machines/automatic-vm-guest-patching" + }, + { + "category": "VM Security Checks", + "subcategory": "Manage VM Updates", + "text": "Rapidly apply security updates to VMs using Microsoft Defender for Cloud", + "waf": "Security", + "guid": "02145901-465d-438e-9309-ccbd979266bc", + "id": "D04.03", + "severity": "High", + "link": "https://learn.microsoft.com/azure/security-center/asset-inventory" + }, + { + "category": "VM Security Checks", + "subcategory": "Encrypt your VHDs", + "text": "Enable encryption on your VMs", + "waf": "Security", + "guid": "ca274faa-19bf-439d-a5d4-4c7c8919ca1f", + "id": "D05.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview" + }, + { + "category": "VM Security Checks", + "subcategory": "Encrypt your VHDs", + "text": "Add Key Encryption Key (KEK) for added layer of security for encryption ", + "waf": "Security", + "guid": "6d5315ae-524b-4a34-b458-5e12139bd7bb", + "id": "D05.02", + "severity": "High", + "link": "https://learn.microsoft.com/azure/virtual-machines/windows/disk-encryption-key-vault#set-up-a-key-encryption-key-kek" + }, + { + "category": "VM Security Checks", + "subcategory": "Encrypt your VHDs", + "text": "Take a snapshot of disks before encryption for rollback purposes", + "waf": "Security", + "guid": "012f7b95-e06e-4154-b2aa-3592828e6e20", + "id": "D05.03", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/virtual-machines/windows/snapshot-copy-managed-disk" + }, + { + "category": "VM Security Checks", + "subcategory": "Restrict direct internet connection ", + "text": "Ensure only the central networking group has permissions to networking resources ", + "waf": "Security", + "guid": "5173676a-e466-491e-a835-ad942223e138", + "id": "D06.01", + "severity": "High", + 
"link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles" + }, + { + "category": "VM Security Checks", + "subcategory": "Restrict direct internet connection ", + "text": "Identity and remediate exposed VMs that allow access from 'ANY' source IP address", + "waf": "Security", + "guid": "10523081-a941-4741-9833-ff7ad7c6d373", + "id": "D06.02", + "severity": "High", + "link": "https://learn.microsoft.com/azure/security-center/security-center-partner-integration" + }, + { + "category": "VM Security Checks", + "subcategory": "Restrict direct internet connection ", + "text": "Restrict management ports (RDP, SSH) using Just-in-Time Access", + "waf": "Security", + "guid": "75a91be1-f388-4f03-a4d2-cd463cbbbc86", + "id": "D06.03", + "severity": "High", + "link": "https://learn.microsoft.com/azure/security-center/security-center-just-in-time" + }, + { + "category": "VM Security Checks", + "subcategory": "Restrict direct internet connection ", + "text": "Remove internet access and implement jump servers for RDP", + "waf": "Security", + "guid": "8295abc9-1a4e-4da0-bae2-cc84c47b6b78", + "id": "D06.04", + "severity": "High", + "link": "http://learn.microsoft.com/answers/questions/171195/how-to-create-jump-server-in-azure-not-bastion-paa.html" + }, + { + "category": "VM Security Checks", + "subcategory": "Restrict direct internet connection ", + "text": "Remove direct logging into servers using RDP/SSH from internet and implement VPN or express route", + "waf": "Security", + "guid": "1cbafe6c-4658-49d4-98a9-27c3974d1102", + "id": "D06.05", + "severity": "High", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-forced-tunneling" + }, + { + "category": "VM Security Checks", + "subcategory": "Restrict direct internet connection ", + "text": "Leverage Azure Bastion as your RDP/SSH broker for added security and reduction in footprint", + "waf": "Security", + "guid": "dad6aae1-1e6b-484e-b5df-47d2d92881b1", + "id": "D06.06", + 
"severity": "High", + "link": "https://learn.microsoft.com/azure/bastion/bastion-overview" + }, + { + "category": "Sentinel", + "subcategory": "Architecture ", + "text": "All tenants contain have Sentinel enabled on at least one Log Analytics workspace", + "waf": "Security", + "guid": "cd5d1e54-a297-459e-9968-0e78289c9356", + "id": "E01.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard" + }, + { + "category": "Sentinel", + "subcategory": "Architecture ", + "text": "Customer understands Sentinel architecture", + "waf": "Security", + "guid": "57d02bff-4564-4b0d-a34a-359836ee79d6", + "id": "E01.02", + "severity": "High", + "link": "https://learn.microsoft.com/azure/sentinel/best-practices-workspace-architecture" + }, + { + "category": "Sentinel", + "subcategory": "Architecture ", + "text": "Customer knows how to monitor Incidents across multiple Sentinel instances", + "waf": "Security", + "guid": "e8f5c586-c7d9-4cdc-86ac-c075ef9b141a", + "id": "E01.03", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/sentinel/multiple-workspace-view" + }, + { + "category": "Sentinel", + "subcategory": "Overview", + "text": "No Incidents open more than 24 hours", + "waf": "Security", + "guid": "8989579e-76b8-497e-910a-7da7be9966e1", + "id": "E02.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/sentinel/manage-soc-with-incident-metrics" + }, + { + "category": "Sentinel", + "subcategory": "News & Guides", + "text": "Customer have been shown the News & Guides tab", + "waf": "Security", + "guid": "5d3c4ada-97cb-43d1-925a-b225c6f4e068", + "id": "E03.01", + "severity": "Low", + "link": "https://learn.microsoft.com/azure/sentinel/whats-new" + }, + { + "category": "Sentinel", + "subcategory": "UEBA ", + "text": "UEBA Configured (Sentinel/Settings/Settings/Configure UEBA)", + "waf": "Security", + "guid": "5edddea8-a4b7-4cde-a4c6-1fc3fc14eea6", + "id": "E04.01", + "severity": "Medium", + "link": 
"https://learn.microsoft.com/azure/sentinel/enable-entity-behavior-analytics" + }, + { + "category": "Sentinel", + "subcategory": "Data Connectors", + "text": "Azure Active Directory in configured and 'Last Log Received' shows today", + "waf": "Security", + "guid": "e69d8d9a-3eec-4218-b687-ab077adb49e5", + "id": "E05.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/sentinel/connect-azure-active-directory" + }, + { + "category": "Sentinel", + "subcategory": "Data Connectors", + "text": "Azure Active Directory Identity Protection is configured and 'Last Log Received' shows today", + "waf": "Security", + "guid": "b9603334-fdf8-4cc2-9318-db61171269f4", + "id": "E05.02", + "severity": "High", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-active-directory-identity-protection" + }, + { + "category": "Sentinel", + "subcategory": "Data Connectors", + "text": "Azure Activity is configured is configured and 'Last Log Received' shows today", + "waf": "Security", + "guid": "0b4aa3d3-e070-4327-9d4b-98b15b8a219a", + "id": "E05.03", + "severity": "High", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-activity" + }, + { + "category": "Sentinel", + "subcategory": "Data Connectors", + "text": "Microsoft Defender for Cloud is configured and 'Last Log Received' shows today", + "waf": "Security", + "guid": "8e13f9cc-bd46-4826-9abc-a264f9a19bfe", + "id": "E05.04", + "severity": "High", + "link": "https://learn.microsoft.com/azure/sentinel/connect-defender-for-cloud" + }, + { + "category": "Sentinel", + "subcategory": "Data Connectors", + "text": "Azure Firewall is configured and 'Last Log Received' shows today", + "waf": "Security", + "guid": "9d55d04c-3c49-419c-a1b2-d1215ae114b9", + "id": "E05.05", + "severity": "High", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-firewall" + }, + { + "category": "Sentinel", + "subcategory": "Data Connectors", + 
"text": "Windows Firewall is configured and 'Last Log Received' shows today", + "waf": "Security", + "guid": "34df585e-cccd-49bd-9ba0-cdb3b54eb2eb", + "id": "E05.06", + "severity": "High", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#windows-firewall" + }, + { + "category": "Sentinel", + "subcategory": "Data Connectors", + "text": "Security Events is configured with AMA and 'Last Log Received' shows today", + "waf": "Security", + "guid": "03ddaa25-9271-48d2-bdb1-0725769ef669", + "id": "E05.07", + "severity": "High", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#windows-security-events-via-ama" + }, + { + "category": "Sentinel", + "subcategory": "Data Connectors", + "text": "Security Events - verify Azure computers are connected and sending data to the workspace", + "waf": "Security", + "guid": "1a4834ac-9322-423e-ae80-b123081a5417", + "id": "E05.08", + "severity": "High", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference" + }, + { + "category": "Sentinel", + "subcategory": "Data Connectors", + "text": "Security Events - verify non-Azure computers are connected and sending data to the workspace", + "waf": "Security", + "guid": "859c773e-7e26-4162-9b77-5a917e1f348e", + "id": "E05.09", + "severity": "High", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference" + }, + { + "category": "Sentinel", + "subcategory": "Data Connectors", + "text": "Connector for AWS", + "waf": "Security", + "guid": "f354c27d-42e8-4bba-a868-155abb9163e9", + "id": "E05.10", + "severity": "High", + "link": "https://learn.microsoft.com/azure/sentinel/connect-aws?tabs=s3" + }, + { + "category": "Sentinel", + "subcategory": "Data Connectors", + "text": "Connector for GCP", + "waf": "Security", + "guid": "909ae28c-84c3-43b6-a780-8bafe6c42149", + "id": "E05.11", + "severity": "High", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference" + }, + { + 
"category": "Sentinel", + "subcategory": "Analytics Rules", + "text": "Customer has enabled Analytics rules and configured Incidents ", + "waf": "Security", + "guid": "d413a923-c357-44d1-8028-ac6aae01e6a8", + "id": "E06.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/sentinel/detect-threats-built-in" + }, + { + "category": "Sentinel", + "subcategory": "Settings", + "text": "Customer does not have a daily cap enabled", + "waf": "Security", + "guid": "4de5df43-d299-4248-8718-d5d1e5f62565", + "id": "E07.01", + "severity": "Medium", + "link": "https://azure.microsoft.com/updates/controlling-data-volume-and-retention-in-log-analytics-2/" + }, + { + "category": "Azure Firewall", + "subcategory": "Configuration", + "text": "Azure Firewall Premium deployed", + "waf": "Security", + "guid": "9e3558fd-7724-49c9-9111-2d027fe412f7", + "id": "F01.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/firewall/premium-features" + }, + { + "category": "Azure Firewall", + "subcategory": "Configuration", + "text": "Quad zero/force tunning enabled through Azure Firewall", + "waf": "Security", + "guid": "4dc74a74-8b66-433a-b2a0-916a764980ad", + "id": "F01.02", + "severity": "High", + "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal#create-a-default-route" + }, + { + "category": "Azure Firewall", + "subcategory": "Access Control", + "text": "RBAC set to enable only authorized users", + "waf": "Security", + "guid": "0e278ee2-93c1-4bc3-92ba-aab7571849ab", + "id": "F02.01", + "severity": "Medium", + "link": "https://techcommunity.microsoft.com/t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598" + }, + { + "category": "Azure Firewall", + "subcategory": "Diagnostic Settings", + "text": "Diagnostics enabled and sending metrics to a Log Analytics workspace ", + "waf": "Security", + "guid": "8093dc9f-c9d1-4bb7-9b36-a5a67fbb9ed5", + "id": "F03.01", + "severity": "Medium", + "link": 
"https://learn.microsoft.com/azure/firewall/firewall-diagnostics" + }, + { + "category": "Azure Firewall", + "subcategory": "Firewall Manager", + "text": "Hubs and virtual networks are protected or connected through Firewall Premium", + "waf": "Security", + "guid": "b35478c3-4798-416b-8863-cffe1cac599e", + "id": "F04.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview" + }, + { + "category": "Azure Firewall", + "subcategory": "Firewall Manager", + "text": "Policy: Access controls are configured (RBAC)", + "waf": "Security", + "guid": "f0d5a73d-d4de-436c-8c81-770afbc4c0e4", + "id": "F04.02", + "severity": "High", + "link": "https://techcommunity.microsoft.com/t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598" + }, + { + "category": "Azure Firewall", + "subcategory": "Firewall Manager", + "text": "Policy: Parent policy is configured ", + "waf": "Security", + "guid": "5c3a87af-4a79-41f8-a39b-da47768e14c1", + "id": "F04.03", + "severity": "High", + "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview" + }, + { + "category": "Azure Firewall", + "subcategory": "Firewall Manager", + "text": "Policy: Rule collections are defined", + "waf": "Security", + "guid": "15675c1e-a55b-446a-a48f-f8ae7d7e4b47", + "id": "F04.04", + "severity": "High", + "link": "https://learn.microsoft.com/azure/firewall/rule-processing" + }, + { + "category": "Azure Firewall", + "subcategory": "Firewall Manager", + "text": "Policy: DNAT policies are defined", + "waf": "Security", + "guid": "5b6c8bcb-f59b-4ce6-9de8-a03f97879468", + "id": "F04.05", + "severity": "High", + "link": "https://learn.microsoft.com/azure/firewall/rule-processing" + }, + { + "category": "Azure Firewall", + "subcategory": "Firewall Manager", + "text": "Policy: Network rules are defined", + "waf": "Security", + "guid": "d66a786d-60e9-46c9-9ad8-855d04c2b39c", + "id": "F04.06", + "severity": "High", + "link": 
"https://learn.microsoft.com/azure/firewall/rule-processing" + }, + { + "category": "Azure Firewall", + "subcategory": "Firewall Manager", + "text": "Policy: Application rules are defined", + "waf": "Security", + "guid": "986bb2c1-2149-4a11-9b5e-3df574ecccd9", + "id": "F04.07", + "severity": "High", + "link": "https://learn.microsoft.com/azure/firewall/features" + }, + { + "category": "Azure Firewall", + "subcategory": "Firewall Manager", + "text": "DNS: Feature understood and applied or not applied", + "waf": "Security", + "guid": "793a6bcd-a3b5-40eb-8eb0-3dd95d58d7c8", + "id": "F04.08", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/firewall/dns-details" + }, + { + "category": "Azure Firewall", + "subcategory": "Firewall Manager", + "text": "Threat Intelligence: Set to Alert & Deny", + "waf": "Security", + "guid": "d622f54b-29ba-4de3-aad1-e8c28ec93666", + "id": "F04.09", + "severity": "High", + "link": "https://learn.microsoft.com/azure/firewall-manager/threat-intelligence-settings" + }, + { + "category": "Azure Firewall", + "subcategory": "Firewall Manager", + "text": "Threat Intelligence: Allowed list (justify if they are being used - ie performance)", + "waf": "Security", + "guid": "7313b005-674b-41e9-94a4-59c373e7ed61", + "id": "F04.10", + "severity": "High", + "link": "https://learn.microsoft.com/azure/firewall-manager/threat-intelligence-settings#allowlist-addresses" + }, + { + "category": "Azure Firewall", + "subcategory": "Firewall Manager", + "text": "TLS enabled", + "waf": "Security", + "guid": "623b365a-917e-4cbe-98eb-d54cd7df2e8b", + "id": "F04.11", + "severity": "High", + "link": "https://learn.microsoft.com/azure/firewall/premium-certificates" + }, + { + "category": "Azure Firewall", + "subcategory": "Firewall Manager", + "text": "IDPS enabled", + "waf": "Security", + "guid": "bac35715-59ab-4915-9e99-08aed8c44ce3", + "id": "F04.12", + "severity": "High", + "link": "https://learn.microsoft.com/azure/firewall/rule-processing" + 
}, + { + "category": "Azure Firewall", + "subcategory": "Firewall Manager", + "text": "SNAT: Configured ", + "waf": "Security", + "guid": "b2b3808b-9fa1-4cf1-849d-003a923ce474", + "id": "F04.13", + "severity": "High", + "link": "https://learn.microsoft.com/azure/firewall/snat-private-range" + }, + { + "category": "Azure Firewall", + "subcategory": "DDOS Protection", + "text": "Enabled for Firewall public IP's", + "waf": "Security", + "guid": "dbcbd8ac-2aae-4bca-8a43-da1dae2cc992", + "id": "F05.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/security/fundamentals/ddos-best-practices" + } + ], + "categories": [ + { + "name": "Defender For Cloud" + }, + { + "name": "Azure Networking" + }, + { + "name": "Identity" + }, + { + "name": "VM Security Checks" + }, + { + "name": "Sentinel" + }, + { + "name": "Azure Firewall" + } + ], + "waf": [ + { + "name": "Reliability" + }, + { + "name": "Security" + }, + { + "name": "Cost" + }, + { + "name": "Operations" + }, + { + "name": "Performance" + } + ], + "yesno": [ + { + "name": "Yes" + }, + { + "name": "No" + } + ], + "status": [ + { + "name": "Not verified", + "description": "This check has not been looked at yet" + }, + { + "name": "Open", + "description": "There is an action item associated to this check" + }, + { + "name": "Fulfilled", + "description": "This check has been verified, and there are no further action items associated to it" + }, + { + "name": "Not required", + "description": "Recommendation understood, but not needed by current requirements" + }, + { + "name": "N/A", + "description": "Not applicable for current design" + } + ], + "severities": [ + { + "name": "High" + }, + { + "name": "Medium" + }, + { + "name": "Low" + } + ], + "metadata": { + "name": "Azure Security Review Checklist", + "state": "Deprecated", + "timestamp": "June 24, 2024" + } +} \ No newline at end of file 
diff --git a/checklists/security_checklist.es.json b/checklists/security_checklist.es.json
index 35f3dba70..7d6c9183a 100644
--- a/checklists/security_checklist.es.json
+++ b/checklists/security_checklist.es.json
@@ -1,1328 +1,1669 @@ { - "metadata": { - "name": "Lista de comprobación de revisión de seguridad de Azure" - }, - "items": [ - { - "category": "Defender para la nube", - "subcategory": "Precios y configuración", - "text": "Habilitación de Security Center/Defender en todas las suscripciones", - "guid": "54174158-33fb-43ae-9c2d-e743165c3acb", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started" - }, - { - "category": "Defender para la nube", - "subcategory": "Precios y configuración", - "text": "Security Center/Defender habilitado en todos los espacios de trabajo de Log Analytics", - "guid": "349f0364-d28d-442e-abbb-c868255abc91", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/security-center/enable-azure-defender" - }, - { - "category": "Defender para la nube", - "subcategory": "Precios y configuración", - "text": "Conjunto de recopilación de datos en 'Común'", - "guid": "64e9a19a-e28c-484c-93b6-b7818ca0e6c4", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-feature#what-event-types-are-stored-for-common-and-minimal" - }, - { - "category": "Defender para la nube", - "subcategory": "Precios y configuración", - "text": "Las funciones de seguridad mejoradas de Defender for Cloud están habilitadas", - "guid": "2149d414-a923-4c35-94d1-1029bd6aaf11", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/security-center/enable-azure-defender" - }, - { - "category": "Defender para la nube", - "subcategory": "Precios y configuración", - "text": "Aprovisionamiento automático habilitado según la directiva de la empresa (la directiva debe existir)", - "guid": "e6b84ee5-ef43-4d29-a248-1718d5d1f5f7", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/security-center/security-center-enable-data-collection" - }, - { - "category": "Defender para la nube", - "subcategory": "Precios y 
configuración", - "text": "Notificaciones por correo electrónico habilitadas según la directiva de la empresa (la directiva debe existir)", - "guid": "25759e35-680e-4782-9ac9-32213d027ff4", - "severity": "Bajo", - "link": "https://learn.microsoft.com/azure/security-center/security-center-provide-security-contact-details" - }, - { - "category": "Defender para la nube", - "subcategory": "Precios y configuración", - "text": "Se seleccionan las opciones Habilitar integraciones ", - "guid": "12f70993-0631-4583-9ee7-9d6c6d363206", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/security-center/security-center-wdatp?WT.mc_id=Portal-Microsoft_Azure_Security_CloudNativeCompute&tabs=windows" - }, - { - "category": "Defender para la nube", - "subcategory": "Precios y configuración", - "text": "La integración de CI/CD está configurada", - "guid": "5b7bae4-4º-45e8-a79e-2e86667313c5", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/security-center/defender-for-container-registries-cicd" - }, - { - "category": "Defender para la nube", - "subcategory": "Precios y configuración", - "text": "La exportación continua 'Event Hub' está habilitada si se utiliza SIEM de 3ª parte", - "guid": "05675c5e-985b-4859-a774-f7e371623b87", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal" - }, - { - "category": "Defender para la nube", - "subcategory": "Precios y configuración", - "text": "La exportación continua 'Log Analytics Workspace' está habilitada si no se usa Azure Sentinel", - "guid": "5a917e1f-349f-4036-9d28-d42e8bbbc868", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal" - }, - { - "category": "Defender para la nube", - "subcategory": "Precios y configuración", - "text": "Conector en la nube habilitado para AWS", - "guid": "255abc91-64e9-4a19-ae28-c84c43b6b781", - "severity": "Alto", - "link": 
"https://learn.microsoft.com/azure/security-center/quickstart-onboard-aws?WT.mc_id=Portal-Microsoft_Azure_Security" - }, - { - "category": "Defender para la nube", - "subcategory": "Precios y configuración", - "text": "Conector en la nube habilitado para GCP", - "guid": "8ca0e6c4-2149-4d41-9a92-3c3574d11029", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/security-center/quickstart-onboard-gcp" - }, - { - "category": "Defender para la nube", - "subcategory": "Precios y configuración", - "text": "Si usa el proxy de aplicación de Azure AD, considere la posibilidad de integrarse con Microsoft Defender for Cloud Apps para supervisar el acceso a las aplicaciones en tiempo real y aplicar controles de seguridad avanzados.", - "guid": "cce9bdf6-b483-45a0-85ec-c8232b230652", - "severity": "Bajo", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy-integrate-with-microsoft-cloud-application-security" - }, - { - "category": "Defender para la nube", - "subcategory": "Recomendaciones", - "text": "Todas las recomendaciones remediadas o deshabilitadas si no es necesario.", - "guid": "df9cc234-18db-4611-9126-5f4bb47a393a", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/security-center/secure-score-security-controls" - }, - { - "category": "Defender para la nube", - "subcategory": "Recomendaciones", - "text": "Puntuación de seguridad>70%", - "description": "El objetivo mínimo de Microsoft para todos los clientes es del 70 %", - "guid": "08032729-4798-4b15-98a2-19a46ceb5443", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/secure-score-security-controls" - }, - { - "category": "Defender para la nube", - "subcategory": "Alertas de seguridad", - "text": "Las alertas de seguridad contienen solo las generadas en las últimas 24 horas (corregir o deshabilitar las alertas de seguridad más antiguas)", - "guid": "50259226-4429-42bb-9285-37a55119bf8e", - "severity": "Medio", - 
"link": "https://learn.microsoft.com/azure/defender-for-cloud/tutorial-security-incident" - }, - { - "category": "Defender para la nube", - "subcategory": "Libros", - "text": "Si la exportación continua está habilitada, los libros predeterminados se publican en el panel de seguridad personalizado", - "guid": "8f585428-7d9c-4dc1-96cd-072af9b141a8", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/security-center/custom-dashboards-azure-workbooks" - }, - { - "category": "Defender para la nube", - "subcategory": "Comunidad", - "text": "El cliente es consciente del valor de la página 'Comunidad' y tiene una cadencia regular configurada para revisar", - "guid": "98a535e7-3789-47e7-8ca7-da7be9962a15", - "severity": "Medio", - "link": "https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/bd-p/MicrosoftDefenderCloud" - }, - { - "category": "Defender para la nube", - "subcategory": "Puntuación segura", - "text": "Se muestran todas las suscripciones protegidas por Security Center (sin filtro de suscripción establecido)", - "description": "Mejores prácticas operativas del cliente - Transparencia", - "guid": "93846da9-7cc3-4923-856b-22586f4a1641", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/enable-enhanced-security" - }, - { - "category": "Defender para la nube", - "subcategory": "Cumplimiento normativo", - "text": "Los controles de cumplimiento son ecológicos para cualquier requisito de cumplimiento requerido", - "guid": "bdddea8a-487c-4deb-9861-bc3bc14aea6e", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/security-center/security-center-compliance-dashboard" - }, - { - "category": "Defender para la nube", - "subcategory": "Azure Defender", - "text": "Las vulnerabilidades de VM de alta gravedad son cero (vacías)", - "description": "Mejores prácticas operativas del cliente: verificar", - "guid": "65e8d9a3-aec2-418e-9436-b0736db55f57", - "severity": "Alto", - "link": 
"https://learn.microsoft.com/azure/defender-for-cloud/remediate-vulnerability-findings-vm" - }, - { - "category": "Defender para la nube", - "subcategory": "Administrador de cortafuegos", - "text": "Los concentradores están protegidos por un Firewall de Azure", - "guid": "9603334b-df9c-4c23-918d-b61171265f4b", - "severity": "Medio", - "link": "https://techcommunity.microsoft.com/t5/azure-network-security/azure-firewall-manager-is-now-integrated-with-azure-security/ba-p/2228679" - }, - { - "category": "Defender para la nube", - "subcategory": "Administrador de cortafuegos", - "text": "Las redes virtuales están protegidas por un firewall", - "description": "Mejores prácticas operativas del cliente: verificar", - "guid": "b47a393a-0803-4272-a479-8b1578a219a4", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/security/fundamentals/network-best-practices" - }, - { - "category": "Defender para la nube", - "subcategory": "Administrador de cortafuegos", - "text": "DDoS Standard habilitado", - "guid": "6ceb5443-5025-4922-9442-92bb628537a5", - "severity": "Medio", - "link": "https://azure.microsoft.com/blog/how-azure-security-center-detects-ddos-attack-using-cyber-threat-intelligence/" - }, - { - "category": "Defender para la nube", - "subcategory": "Cobertura", - "text": "Verifique que todas las suscripciones estén cubiertas (consulte los precios y la configuración para modificar)", - "guid": "5119bf8e-8f58-4542-a7d9-cdc166cd072a", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started?WT.mc_id=Portal-Microsoft_Azure_Security" - }, - { - "category": "Azure Networking", - "subcategory": "IP públicas", - "text": "Las máquinas virtuales con IP públicas deben estar protegidas por NSG ", - "guid": "4df585ec-dce9-4793-a7bc-db3b51eb2eb0", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses" - }, - { - "category": "Azure Networking", - 
"subcategory": "IP públicas", - "text": "Las máquinas virtuales con direcciones IP públicas se mueven detrás de Azure Firewall Premium", - "description": "Mejores prácticas operativas del cliente: verificar", - "guid": "3dda6e59-d7c8-4a2e-bb11-7d6769af669c", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses" - }, - { - "category": "Azure Networking", - "subcategory": "IP públicas", - "text": "Las máquinas virtuales que no necesitan DIRECCIONES IP públicas no tienen IP públicas (es decir, solo RDP interno)", - "description": "Mejores prácticas operativas del cliente: verificar", - "guid": "a48e5a85-f222-43ec-b8bb-12308ca5017f", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access" - }, - { - "category": "Azure Networking", - "subcategory": "NSG", - "text": "NSG RBAC se utiliza para restringir el acceso al equipo de seguridad de red", - "guid": "158e3ea3-a93c-42de-9e31-65c3a87a04b7", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview" - }, - { - "category": "Azure Networking", - "subcategory": "NSG", - "text": "Las reglas de seguridad de entrada de NSG no contienen un * (comodín) en el campo Origen", - "description": "Mejores prácticas operativas del cliente: verificar", - "guid": "a209939b-da47-4778-b24c-116785c2fa55", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview" - }, - { - "category": "Azure Networking", - "subcategory": "NSG", - "text": "Las reglas de seguridad salientes de NSG se utilizan para controlar el tráfico a direcciones IP específicas para el tráfico no enrutado a través de un firewall", - "description": "Mejores prácticas operativas del cliente: verificar", - "guid": "b56a9480-08be-47d7-b4c4-76b6d8bdcf59", - "severity": "Medio", - "link": 
"https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview" - }, - { - "category": "Azure Networking", - "subcategory": "NSG", - "text": "NSG no tiene Source como * (comodín) en su lugar.", - "description": "Mejores prácticas operativas del cliente: verificar", - "guid": "bce65de8-a13f-4988-9946-8d66a786d60f", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview" - }, - { - "category": "Azure Networking", - "subcategory": "NSG", - "text": "Los diagnósticos de NSG envían el tráfico NetworkSecurityGroupEvent y NetworkSecurityGroupRuleCounter a Sentinel LAW", - "guid": "a6c97be9-955d-404c-9c49-c986cb2d1215", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-nsg-manage-log" - }, - { - "category": "Azure Networking", - "subcategory": "UDR", - "text": "UDR RBAC se utiliza para restringir el acceso al equipo de seguridad de red", - "guid": "aa124b6e-4df5-485e-adce-9793b7bcdb3b", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview" - }, - { - "category": "Azure Networking", - "subcategory": "UDR", - "text": "Si Zero Trust, los UDR se usan para enviar todo el tráfico a Azure Firewall Premium", - "guid": "51eb2eb0-3dda-46e5-ad7c-8a2edb117d67", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview" - }, - { - "category": "Azure Networking", - "subcategory": "UDR", - "text": "Los UDR que no envían todo el tráfico a AzureFirewallPremium son conocidos y documentados.", - "description": "Mejores prácticas operativas del cliente: verificar", - "guid": "69af669c-a48e-45a8-9f22-23ece8bb1230", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview" - }, - { - "category": "Azure Networking", - "subcategory": "Redes virtuales", - "text": "El cliente está familiarizado con 
los valores predeterminados de red de Azure / enrutamiento predeterminado de SDN en Azure", - "guid": "8ca5017f-158e-43ea-9a93-c2de7e3165c3", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview#default" - }, - { - "category": "Azure Networking", - "subcategory": "Redes virtuales", - "text": "RBAC de red virtual se usa para restringir el acceso al equipo de seguridad de red", - "description": "Mejores prácticas operativas del cliente: verificar", - "guid": "a87a04b7-a209-4939-ada4-7778f24c1167", - "severity": "Medio", - "link": "https://github.com/MicrosoftDocs/azure-docs/issues/53672" - }, - { - "category": "Azure Networking", - "subcategory": "Redes virtuales", - "text": "Las recomendaciones de seguridad de la red virtual se han corregido y no hay redes virtuales \"en riesgo\" ", - "guid": "85c2fa55-b56a-4948-808b-e7d7e4c476b6", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/virtual-network/policy-reference" - }, - { - "category": "Azure Networking", - "subcategory": "Redes virtuales", - "text": "Se comprenden las conexiones de emparejamiento de red virtual y se documentan los flujos de tráfico esperados", - "guid": "d8bdcf59-bce6-45de-aa13-f98879468d66", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview" - }, - { - "category": "Azure Networking", - "subcategory": "Redes virtuales", - "text": "Los extremos de servicio de red virtual están en uso, no existen extremos de servicio público heredados", - "guid": "a786d60f-a6c9-47be-a955-d04c3c49c986", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview" - }, - { - "category": "Azure Networking", - "subcategory": "Redes virtuales", - "text": "Los puntos de conexión privados de red virtual están en uso para permitir el acceso desde entornos locales, no existen puntos de enlace públicos heredados", - 
"guid": "1f625659-ee55-480a-9824-9c931213dbd7", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview" - }, - { - "category": "Azure Networking", - "subcategory": "Redes virtuales", - "text": "Supervisión de red virtual habilitada", - "guid": "fb012f70-943f-4630-9722-ea39d2b1ce63", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network" - }, - { - "category": "Azure Networking", - "subcategory": "Redes virtuales", - "text": "Proteger el tráfico entre pods mediante directivas de red en Azure Kubernetes Service (AKS)", - "guid": "2055b29b-ade4-4th-8e8c-39ec94666731", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/virtual-network/kubernetes-network-policies" - }, - { - "category": "Azure Networking", - "subcategory": "Redes virtuales", - "text": "El cliente de VNet NVA (dispositivos) sigue el patrón de arquitectura publicado", - "guid": "3c005674-c1e9-445b-959c-373e7ed71623", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-scenario-udr-gw-nva" - }, - { - "category": "Azure Networking", - "subcategory": "Redes virtuales", - "text": "La configuración de diagnóstico de red virtual está habilitada y envía VMProtectionAlerts a Azure Sentinel LAW", - "guid": "b375a917-ecbe-448f-ae64-dd7df2e8bbbc", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network" - }, - { - "category": "Azure Networking", - "subcategory": "Conectividad", - "text": "Usar ExpressRoute o VPN para acceder a los recursos de Azure desde entornos locales", - "guid": "468155ab-c916-44e9-a09a-ed8c44cf3b2b", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure" - }, - { - "category": "Azure Networking", - "subcategory": "Virtual WAN", - "text": "VWAN RBAC se utiliza para restringir el acceso al equipo 
de seguridad de red", - "guid": "bd8ac2aa-ebca-42a4-9da1-dbf3dd992481", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about" - }, - { - "category": "Azure Networking", - "subcategory": "Virtual WAN", - "text": "El cliente de VWAN está utilizando Secure Hub o Firewall externo para enrutar y monitorear el tráfico.", - "guid": "718d1dca-1f62-4565-aee5-580a38249c93", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-global-transit-network-architecture" - }, - { - "category": "Azure Networking", - "subcategory": "Puerta de enlace de aplicaciones", - "text": "AppGW RBAC se utiliza para restringir el acceso al equipo de seguridad de red", - "guid": "1213dbd7-fb01-42f7-8943-f6304722ea39", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/web-application-firewall/overview" - }, - { - "category": "Azure Networking", - "subcategory": "Puerta de enlace de aplicaciones", - "text": "AppGW Todos los servicios web externos están conectados a Application Gateways con WAF habilitado ", - "guid": "d2b1ce63-2055-4b29-aade-4aad1e8c39ec", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip" - }, - { - "category": "Azure Networking", - "subcategory": "Puerta de enlace de aplicaciones", - "text": "AppGW Todos los servicios web internos están integrados en Application Gateways con WAF habilitado ", - "guid": "94666731-3c00-4567-9c1e-945b459c373e", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip" - }, - { - "category": "Azure Networking", - "subcategory": "Puerta de enlace de aplicaciones", - "text": "AppGW - La cara externa tiene TLS / SSL habilitado y redirige todo el tráfico a 443 (sin tráfico del puerto 80)", - "guid": "7ed71623-b375-4a91-9ecb-e48fbe64dd7d", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview" - 
}, - { - "category": "Azure Networking", - "subcategory": "Puerta frontal", - "text": "Front Door RBAC se utiliza para restringir el acceso al equipo de seguridad de red", - "guid": "f2e8bbbc-4681-455a-ac91-64e9909aed8c", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/frontdoor/" - }, - { - "category": "Azure Networking", - "subcategory": "Puerta frontal", - "text": "Front Door está asociado a una política WAF", - "guid": "44cf3b2b-3818-4baf-a2cf-2149d013a923", - "severity": "Alto", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/front-door-security-baseline?toc=/azure/frontdoor/TOC.json" - }, - { - "category": "Azure Networking", - "subcategory": "Puerta frontal", - "text": "La directiva TLS/SSL de puerta principal está configurada", - "guid": "ce574dcc-bd8a-4c2a-aebc-a2a44da1dbf3", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-custom-domain-https" - }, - { - "category": "Azure Networking", - "subcategory": "Puerta frontal", - "text": "El puerto de redirección de la puerta principal 80 al puerto 443 está configurado (oyentes)", - "guid": "dd992481-718d-41dc-a1f6-25659ee5580a", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-url-redirect" - }, - { - "category": "Azure Networking", - "subcategory": "Puerta frontal", - "text": "Los registros de diagnóstico de Front Door envían ApplicationGatewayAccessLog &ApplicationGateway FirewallLog a Sentinel LAW", - "guid": "38249c93-1213-4dbd-9fb0-12f70943f630", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-diagnostics" - }, - { - "category": "Azure Networking", - "subcategory": "Protección DDOS", - "text": "Habilitado para IP públicas de Firewall (todas las IP públicas)", - "guid": "4722ea39-d2b1-4ce6-9205-5b29bade4aad", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/security/fundamentals/ddos-best-practices" - }, - { - "category": 
"Identidad", - "subcategory": "Arrendatario", - "text": "Establezca un directorio empresarial único para administrar las identidades de los empleados a tiempo completo y los recursos empresariales.", - "guid": "346ad56f-bdb8-44db-8bcd-0a689af63f1e", - "severity": "Alto", - "link": "https://learn.microsoft.com/security/compass/identity#a-single-enterprise-directory" - }, - { - "category": "Identidad", - "subcategory": "Arrendatario", - "text": "Sincronice su identidad en la nube con sus sistemas de identidad existentes.", - "guid": "a46108cd-6a76-4749-ae69-b7bf61410010", - "severity": "Alto", - "link": "https://learn.microsoft.com/security/compass/identity#synchronized-identity-systems" - }, - { - "category": "Identidad", - "subcategory": "Arrendatario", - "text": "Use los servicios de identidad en la nube para hospedar cuentas que no sean de empleados, como proveedores, socios y clientes, en lugar de incluirlos en su directorio local.", - "guid": "a1ab96ceb-c149-4ce2-bcad-3bd375ebfc7f", - "severity": "Alto", - "link": "https://learn.microsoft.com/security/compass/identity#cloud-provider-identity-source-for-third-parties" - }, - { - "category": "Identidad", - "subcategory": "Arrendatario", - "text": "Deshabilite los protocolos heredados inseguros para los servicios orientados a Internet.", - "guid": "343473ec-ed5c-49e1-98f4-cb09524a23cd", - "severity": "Alto", - "link": "https://learn.microsoft.com/security/compass/identity#block-legacy-authentication" - }, - { - "category": "Identidad", - "subcategory": "Arrendatario", - "text": "Habilitar el inicio de sesión único", - "guid": "70dceb23-50c7-4d8d-bf53-8cc104c7dc44", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/security/fundamentals/identity-management-best-practices#enable-single-sign-on" - }, - { - "category": "Identidad", - "subcategory": "Administración privilegiada", - "text": "No sincronice cuentas con el acceso con privilegios más altos a los recursos locales mientras sincroniza sus 
sistemas de identidad empresarial con directorios en la nube.", - "guid": "87791be1-1eb0-48ed-8003-ad9bcf241b99", - "severity": "Alto", - "link": "https://learn.microsoft.com/security/compass/identity#no-on-premises-admin-accounts-in-cloud-identity-providers" - }, - { - "category": "Identidad", - "subcategory": "Administración privilegiada", - "text": "Limitar el número de administradores globales a menos de 5", - "guid": "9e6efe9d-f28f-463b-9bff-b5080173e9fe", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#5-limit-the-number-of-global-administrators-to-less-than-5" - }, - { - "category": "Identidad", - "subcategory": "Administración privilegiada", - "text": "Usar grupos para asignaciones de roles de Azure AD y delegar la asignación de roles", - "guid": "e0d968d3-87f6-41fb-a4f9-d852f1673f4c", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#6-use-groups-for-azure-ad-role-assignments-and-delegate-the-role-assignment" - }, - { - "category": "Identidad", - "subcategory": "Administración privilegiada", - "text": "Asegúrese de que todos los administradores de impacto crítico sean administrados por el directorio empresarial para seguir la aplicación de las políticas de la organización.", - "guid": "00350863-4df6-4050-9cf1-cbaa6d58283e", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#managed-accounts-for-admins" - }, - { - "category": "Identidad", - "subcategory": "Administración privilegiada", - "text": "Configurar revisiones de acceso recurrentes para revocar permisos innecesarios a lo largo del tiempo", - "guid": "eae64d01-0d3a-4ae1-a89d-cc1c2ad3888f", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#4-configure-recurring-access-reviews-to-revoke-unneeded-permissions-over-time" - }, - { - "category": "Identidad", - "subcategory": 
"Administración privilegiada", - "text": "Garantice que los administradores de impacto crítico utilicen una estación de trabajo con protecciones de seguridad y supervisión elevadas", - "guid": "922ac19f-916d-4697-b8ea-ded26bdd186f", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#admin-workstation-security" - }, - { - "category": "Identidad", - "subcategory": "Identidades externas", - "text": "Proveedores de identidad: verifique que los proveedores de identidad externos sean conocidos", - "guid": "1e8c39ec-9466-4673-83c0-05674c1e945b", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/active-directory/external-identities/compare-with-b2c" - }, - { - "category": "Identidad", - "subcategory": "Identidades externas", - "text": "Configuración de colaboración externa: ¿El acceso de usuario invitado se establece en '¿El acceso de usuario invitado está restringido?'", - "guid": "459c373e-7ed7-4162-9b37-5a917ecbe48f", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations" - }, - { - "category": "Identidad", - "subcategory": "Identidades externas", - "text": "Configuración de colaboración externa: la configuración de invitación de invitado se establece en 'Solo usuarios asignados a roles de administrador específicos'", - "guid": "be64dd7d-f2e8-4bbb-a468-155abc9164e9", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations" - }, - { - "category": "Identidad", - "subcategory": "Identidades externas", - "text": "Configuración de colaboración externa: habilite el registro de autoservicio de invitados a través de flujos establecidos en 'Deshabilitado' ", - "guid": "909aed8c-44cf-43b2-a381-8bafa2cf2149", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations" - }, - { - "category": 
"Identidad", - "subcategory": "Identidades externas", - "text": "Configuración de colaboración externa: restricciones de colaboración establecidas en 'Permitir invitaciones a los dominios especificados'", - "guid": "d013a923-ce57-44dc-abd8-ac2aaebca2a4", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations" - }, - { - "category": "Identidad", - "subcategory": "Identidades externas", - "text": "Revisiones de acceso: habilitado para todos los grupos", - "guid": "4da1dbf3-dd99-4248-8718-d1dca1f62565", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/active-directory/governance/deploy-access-reviews" - }, - { - "category": "Identidad", - "subcategory": "Aplicaciones empresariales", - "text": "Consentimiento y permisos: permitir el consentimiento del usuario para aplicaciones de editores verificados", - "guid": "9ee5580a-3824-49c9-9121-3dbd7fb012f7", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/active-directory/manage-apps/configure-user-consent" - }, - { - "category": "Identidad", - "subcategory": "Aplicaciones empresariales", - "text": "Consentimiento y permisos: Permitir el consentimiento del propietario del grupo para los propietarios de grupos seleccionados ", - "guid": "0943f630-4722-4ea3-ad2b-1ce632055b29", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/active-directory/manage-apps/configure-user-consent-groups" - }, - { - "category": "Identidad", - "subcategory": "Dominios personalizados", - "text": "Solo se registran los dominios de clientes validados", - "guid": "bade4aad-1e8c-439e-a946-667313c00567", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy-configure-custom-domain" - }, - { - "category": "Identidad", - "subcategory": "Restablecimiento de contraseña", - "text": "Requisito de directiva de restablecimiento de contraseña de autoservicio verificado conforme.", - 
"guid": "4c1e945b-459c-4373-b7ed-71623b375a91", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-sspr" - }, - { - "category": "Identidad", - "subcategory": "Restablecimiento de contraseña", - "text": "Establecer el número de días antes de que se pida a los usuarios que vuelvan a confirmar que la información de autenticación no se establece en cero", - "guid": "7ecbe48f-be64-4dd7-bf2e-8bbbc468155a", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/howto-sspr-deployment" - }, - { - "category": "Identidad", - "subcategory": "Restablecimiento de contraseña", - "text": "Se selecciona el número establecido de métodos necesarios para restablecer la contraseña", - "guid": "bc9164e9-909a-4ed8-a44c-f3b2b3818baf", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/howto-sspr-deployment" - }, - { - "category": "Identidad", - "subcategory": "Configuración de usuario", - "text": "Deshabilitar 'Los usuarios pueden registrar aplicaciones'", - "guid": "a2cf2149-d013-4a92-9ce5-74dccbd8ac2a", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/active-directory/roles/delegate-app-roles" - }, - { - "category": "Identidad", - "subcategory": "Configuración de usuario", - "text": "Restringir el acceso al portal administrativo (portal.azure.com) solo a los administradores", - "guid": "aebca2a4-4da1-4dbf-9dd9-92481718d1dc", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/users-default-permissions" - }, - { - "category": "Identidad", - "subcategory": "Configuración de usuario", - "text": "Deshabilite la 'conexión de la cuenta de LinkedIn'", - "guid": "a1f62565-9ee5-4580-a382-49c931213dbd", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/active-directory/enterprise-users/linkedin-integration" - }, - { - "category": "Identidad", - "subcategory": 
"Configuración de diagnóstico", - "text": "Habilitado y enviar al área de trabajo de Log Analytics con Sentinel", - "guid": "7fb012f7-0943-4f63-8472-2ea39d2b1ce6", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-monitoring" - }, - { - "category": "Identidad", - "subcategory": "PIM habilitado", - "text": "Administración de identidades privilegiada habilitada", - "guid": "21e44a19-a9dd-4399-afd7-b28dc8355562", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-deployment-plan" - }, - { - "category": "Identidad", - "subcategory": "PIM habilitado", - "text": "Implementar el acceso \"justo a tiempo\" (JIT) para reducir aún más el tiempo de exposición de las cuentas privilegiadas (reducir el acceso permanente)", - "guid": "46f4389a-7f42-4c78-b78c-06a63a21a495", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-usage?tabs=jit-config-asc%2Cjit-request-asc" - }, - { - "category": "Identidad", - "subcategory": "Directivas de acceso condicional", - "text": "Configurar directivas de acceso condicional / Controles de acceso", - "guid": "6e6a8dc4-a20e-427b-9e29-711b1352estado", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policy-common" - }, - { - "category": "Identidad", - "subcategory": "Directivas de acceso condicional", - "text": "Condiciones: Ubicaciones restringidas", - "guid": "079b588d-efc4-4972-ac3c-d21bf77036e5", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/location-condition" - }, - { - "category": "Identidad", - "subcategory": "Directivas de acceso condicional", - "text": "Controles de acceso: MFA habilitado para todos los usuarios", - "guid": "e6b4bed3-d5f3-4547-a134-7dc56028a71f", - "severity": "Alto", - "link": 
"https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa" - }, - { - "category": "Identidad", - "subcategory": "Directivas de acceso condicional", - "text": "Controles de acceso: Requerir MFA para administradores", - "guid": "fe1bd15d-d2f0-4d5e-972d-41e3611cc57b", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa" - }, - { - "category": "Identidad", - "subcategory": "Directivas de acceso condicional", - "text": "Controles de acceso: requerir MFA para Azure Management ", - "guid": "4a4b1410-d439-4589-ac22-89b3d6b57cfc", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-azure-management" - }, - { - "category": "Identidad", - "subcategory": "Directivas de acceso condicional", - "text": "Controles de acceso: Bloquear protocolos heredados", - "guid": "645461e1-a3e3-4453-a3c8-639637a552d6", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy" - }, - { - "category": "Identidad", - "subcategory": "Directivas de acceso condicional", - "text": "Controles de acceso: requieren que los dispositivos estén marcados como compatibles", - "guid": "7ae9eab4-0fd3-4290-998b-c178bdc5a06c", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/require-managed-devices" - }, - { - "category": "Identidad", - "subcategory": "Usuarios invitados", - "text": "¿Existe una política para rastrear las cuentas de usuario invitado (es decir, usar/eliminar/deshabilitar)?", - "description": "Política documentada del cliente", - "guid": "a7144351-e19d-4d34-929e-b7228137a151", - "severity": "Medio", - "link": "https://devblogs.microsoft.com/premier-developer/azure-active-directory-automating-guest-user-management/" - }, - { - "category": 
"Identidad", - "subcategory": "Puntuación segura de identidad", - "text": "Implemente Identity Secure Score basado en las mejores prácticas de su sector", - "guid": "c5bb4e4f-1814-4287-b5ca-8c26c9b32ab5", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/identity-secure-score" - }, - { - "category": "Identidad", - "subcategory": "Cuentas de Break Glass", - "text": "Se han creado al menos dos cuentas de break glass y existe una política en torno a su uso.", - "guid": "bcfc6998-a135-4e33-9897-e31c67d68cb6", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access" - }, - { - "category": "Comprobaciones de seguridad de VM", - "subcategory": "Control de acceso", - "text": "Control del acceso a máquinas virtuales mediante la directiva de Azure", - "guid": "0ac252b9-99a6-48af-a7c9-a8f821b8eb8c", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/governance/policy/overview" - }, - { - "category": "Comprobaciones de seguridad de VM", - "subcategory": "Control de acceso", - "text": "Reduzca la variabilidad en la configuración e implementación de máquinas virtuales aprovechando las plantillas", - "guid": "0aa77e26-e4d5-4aea-a8dc-4e2436bc336d", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/templates/syntax" - }, - { - "category": "Comprobaciones de seguridad de VM", - "subcategory": "Control de acceso", - "text": "Acceso privilegiado seguro para implementar VMS al reducir quién tiene acceso a los recursos a través de la gobernanza", - "guid": "b5945bda-4333-44fd-b91c-234182b65275", - "severity": "Medio", - "link": "https://learn.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models" - }, - { - "category": "Comprobaciones de seguridad de VM", - "subcategory": "Alta disponibilidad ", - "text": "Use varias máquinas virtuales para sus cargas de 
trabajo para una mejor disponibilidad ", - "guid": "269440b4-be3d-43e0-a432-76d4bdc015bc", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service" - }, - { - "category": "Comprobaciones de seguridad de VM", - "subcategory": "Alta disponibilidad ", - "text": "Implementar y probar una solución de recuperación ante desastres ", - "guid": "f219e4a1-eb58-4879-935d-227886d30b66", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-first-look-arm" - }, - { - "category": "Comprobaciones de seguridad de VM", - "subcategory": "Alta disponibilidad ", - "text": "Conjuntos de disponibilidad", - "guid": "c57be595-1900-4838-95c5-86cb291ec16a", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview" - }, - { - "category": "Comprobaciones de seguridad de VM", - "subcategory": "Alta disponibilidad ", - "text": "Zonas de disponibilidad", - "guid": "1d076ef9-f141-4acd-ae57-9377bcdb3751", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/availability-zones/az-overview?context=/azure/virtual-machines/context/context" - }, - { - "category": "Comprobaciones de seguridad de VM", - "subcategory": "Alta disponibilidad ", - "text": "Tolerancia a fallos regional ", - "guid": "ab2ac1fa-d66e-415d-9d5a-2adb2c3e2326", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/architecture/resiliency/recovery-loss-azure-region" - }, - { - "category": "Comprobaciones de seguridad de VM", - "subcategory": "Protección contra el malware", - "text": "Instalar soluciones antimalware", - "guid": "af225ca4-4e16-496f-bdde-ace4cb1deb4c", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/security/fundamentals/antimalware" - }, - { - "category": "Comprobaciones de seguridad de VM", - "subcategory": "Protección contra el malware", - "text": "Integre la solución antimalware con Security Center", - "guid": 
"650c3fc1-4eeb-4b36-a382-9e3eec218368", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/security-center/security-center-partner-integration" - }, - { - "category": "Comprobaciones de seguridad de VM", - "subcategory": "Administrar actualizaciones de máquinas virtuales", - "text": "Mantenga actualizadas las máquinas virtuales mediante La administración de actualizaciones con Automatización de Azure", - "guid": "7a0177a2-b594-45bd-a433-34fdf91c2341", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/automation/update-management/overview" - }, - { - "category": "Comprobaciones de seguridad de VM", - "subcategory": "Administrar actualizaciones de máquinas virtuales", - "text": "Asegúrese de que las imágenes de Windows para la implementación tengan el nivel más reciente de actualizaciones ", - "guid": "c6fa96b9-6ad8-4840-af37-2734c876ba28", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/virtual-machines/automatic-vm-guest-patching" - }, - { - "category": "Comprobaciones de seguridad de VM", - "subcategory": "Administrar actualizaciones de máquinas virtuales", - "text": "Aplique rápidamente actualizaciones de seguridad a las máquinas virtuales con Microsoft Defender para la nube", - "guid": "02145901-465d-438e-9309-ccbd979266bc", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/security-center/asset-inventory" - }, - { - "category": "Comprobaciones de seguridad de VM", - "subcategory": "Cifre sus VHD", - "text": "Habilite el cifrado en sus máquinas virtuales", - "guid": "ca274faa-19bf-439d-a5d4-4c7c8919ca1f", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview" - }, - { - "category": "Comprobaciones de seguridad de VM", - "subcategory": "Cifre sus VHD", - "text": "Agregar clave de cifrado de clave (KEK) para una capa adicional de seguridad para el cifrado ", - "guid": "6d5315ae-524b-4a34-b458-5e12139bd7bb", - "severity": "Alto", - "link": 
"https://learn.microsoft.com/azure/virtual-machines/windows/disk-encryption-key-vault#set-up-a-key-encryption-key-kek" - }, - { - "category": "Comprobaciones de seguridad de VM", - "subcategory": "Cifre sus VHD", - "text": "Tome una instantánea de los discos antes del cifrado para fines de reversión", - "guid": "012f7b95-e06e-4154-b2aa-3592828e6e20", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/virtual-machines/windows/snapshot-copy-managed-disk" - }, - { - "category": "Comprobaciones de seguridad de VM", - "subcategory": "Restringir la conexión directa a Internet ", - "text": "Asegúrese de que solo el grupo de red central tiene permisos para los recursos de red ", - "guid": "5173676a-e466-491e-a835-ad942223E138", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles" - }, - { - "category": "Comprobaciones de seguridad de VM", - "subcategory": "Restringir la conexión directa a Internet ", - "text": "Identifique y corrija las máquinas virtuales expuestas que permiten el acceso desde 'CUALQUIER' complemento de IP de origen", - "guid": "10523081-a941-4741-9833-ff7ad7c6d373", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/security-center/security-center-partner-integration" - }, - { - "category": "Comprobaciones de seguridad de VM", - "subcategory": "Restringir la conexión directa a Internet ", - "text": "Restringir los puertos de administración (RDP, SSH) mediante el acceso justo a tiempo", - "guid": "75a91be1-f388-4f03-a4d2-cd463cbbbc86", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/security-center/security-center-just-in-time" - }, - { - "category": "Comprobaciones de seguridad de VM", - "subcategory": "Restringir la conexión directa a Internet ", - "text": "Quitar el acceso a Internet e implementar servidores de salto para RDP", - "guid": "8295abc9-1a4e-4da0-bae2-cc84c47b6b78", - "severity": "Alto", - "link": 
"http://learn.microsoft.com/answers/questions/171195/how-to-create-jump-server-in-azure-not-bastion-paa.html" - }, - { - "category": "Comprobaciones de seguridad de VM", - "subcategory": "Restringir la conexión directa a Internet ", - "text": "Elimine el inicio de sesión directo en los servidores que usan RDP / SSH de Internet e implemente VPN o ruta rápida", - "guid": "1cbafe6c-4658-49d4-98a9-27c3974d1102", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-forced-tunneling" - }, - { - "category": "Comprobaciones de seguridad de VM", - "subcategory": "Restringir la conexión directa a Internet ", - "text": "Aproveche Azure Bastion como su agente RDP/SSH para mayor seguridad y reducción de la huella", - "guid": "dad6aae1-1e6b-484e-b5df-47d2d92881b1", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/bastion/bastion-overview" - }, - { - "category": "Centinela", - "subcategory": "Arquitectura ", - "text": "Todos los inquilinos que contienen Sentinel tiene habilitado en al menos un área de trabajo de Log Analytics", - "guid": "cd5d1e54-a297-459e-9968-0e78289c9356", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard" - }, - { - "category": "Centinela", - "subcategory": "Arquitectura ", - "text": "El cliente entiende la arquitectura de Sentinel", - "guid": "57d02bff-4564-4b0d-a34a-359836ee79d6", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/best-practices-workspace-architecture" - }, - { - "category": "Centinela", - "subcategory": "Arquitectura ", - "text": "El cliente sabe cómo supervisar los incidentes en varias instancias de Sentinel", - "guid": "e8f5c586-c7d9-4cdc-86ac-c075ef9b141a", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/sentinel/multiple-workspace-view" - }, - { - "category": "Centinela", - "subcategory": "Visión general", - "text": "No Hay incidencias abierto más de 24 horas", - "guid": 
"8989579e-76b8-497e-910A-7Da7be9966E1", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/sentinel/manage-soc-with-incident-metrics" - }, - { - "category": "Centinela", - "subcategory": "Noticias y Guías", - "text": "A los clientes se les ha mostrado la pestaña Noticias y guías", - "guid": "5d3c4ada-97cb-43d1-925a-b225c6f4e068", - "severity": "Bajo", - "link": "https://learn.microsoft.com/azure/sentinel/whats-new" - }, - { - "category": "Centinela", - "subcategory": "UEBA ", - "text": "UEBA configurado (Sentinel/Settings/Settings/Configure UEBA)", - "guid": "5edddea8-a4b7-4cde-a4c6-1fc3fc14eea6", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/sentinel/enable-entity-behavior-analytics" - }, - { - "category": "Centinela", - "subcategory": "Conectores de datos", - "text": "Azure Active Directory en configurado y 'Último registro recibido' se muestra hoy", - "guid": "e69d8d9a-3eec-4218-b687-ab077adb49e5", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/connect-azure-active-directory" - }, - { - "category": "Centinela", - "subcategory": "Conectores de datos", - "text": "Azure Active Directory Identity Protection está configurado y 'Último registro recibido' se muestra hoy", - "guid": "b9603334-fdf8-4cc2-9318-db61171269f4", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-active-directory-identity-protection" - }, - { - "category": "Centinela", - "subcategory": "Conectores de datos", - "text": "Azure Activity está configurado y 'Último registro recibido' se muestra hoy", - "guid": "0b4aa3d3-e070-4327-9d4b-98b15b8a219a", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-activity" - }, - { - "category": "Centinela", - "subcategory": "Conectores de datos", - "text": "Microsoft Defender para Cloud está configurado y 'Last Log Received' se muestra hoy", - "guid": 
"8e13f9cc-bd46-4826-9abc-a264f9a19bfe", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/connect-defender-for-cloud" - }, - { - "category": "Centinela", - "subcategory": "Conectores de datos", - "text": "Azure Firewall está configurado y 'Último registro recibido' se muestra hoy", - "guid": "9d55d04c-3c49-419c-a1b2-d1215ae114b9", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-firewall" - }, - { - "category": "Centinela", - "subcategory": "Conectores de datos", - "text": "Firewall de Windows está configurado y 'Último registro recibido' se muestra hoy", - "guid": "34df585e-cccd-49bd-9ba0-cdb3b54eb2eb", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#windows-firewall" - }, - { - "category": "Centinela", - "subcategory": "Conectores de datos", - "text": "Security Events está configurado con AMA y 'Last Log Received' se muestra hoy", - "guid": "03ddaa25-9271-48d2-bdb1-0725769ef669", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#windows-security-events-via-ama" - }, - { - "category": "Centinela", - "subcategory": "Conectores de datos", - "text": "Eventos de seguridad: compruebe que los equipos de Azure están conectados y envían datos al área de trabajo", - "guid": "1a4834ac-9322-423e-ae80-b123081a5417", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference" - }, - { - "category": "Centinela", - "subcategory": "Conectores de datos", - "text": "Eventos de seguridad: compruebe que los equipos que no son de Azure están conectados y envían datos al área de trabajo", - "guid": "859c773e-7e26-4162-9b77-5a917e1f348e", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference" - }, - { - "category": "Centinela", - "subcategory": "Conectores de datos", - "text": "Conector para AWS", - "guid": 
"f354c27d-42e8-4bba-a868-155abb9163e9", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/connect-aws?tabs=s3" - }, - { - "category": "Centinela", - "subcategory": "Conectores de datos", - "text": "Conector para GCP", - "guid": "909ae28c-84c3-43b6-a780-8bafe6c42149", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference" - }, - { - "category": "Centinela", - "subcategory": "Reglas de análisis", - "text": "El cliente ha habilitado las reglas de Analytics y ha configurado incidentes ", - "guid": "d413a923-c357-44d1-8028-ac6aae01e6a8", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/detect-threats-built-in" - }, - { - "category": "Centinela", - "subcategory": "Configuración", - "text": "El cliente no tiene un límite diario habilitado", - "guid": "4de5df43-d299-4248-8718-d5d1e5f62565", - "severity": "Medio", - "link": "https://azure.microsoft.com/updates/controlling-data-volume-and-retention-in-log-analytics-2/" - }, - { - "category": "Azure Firewall", - "subcategory": "Configuración", - "text": "Implementación de Azure Firewall Premium", - "guid": "9e3558fd-7724-49c9-9111-2d027fe412f7", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/firewall/premium-features" - }, - { - "category": "Azure Firewall", - "subcategory": "Configuración", - "text": "Ajuste de cuatro cero/fuerza habilitado a través de Azure Firewall", - "guid": "4dc74a74-8b66-433a-b2a0-916a764980ad", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal#create-a-default-route" - }, - { - "category": "Azure Firewall", - "subcategory": "Control de acceso", - "text": "RBAC establecido para habilitar solo usuarios autorizados", - "guid": "0e278ee2-93c1-4bc3-92ba-aab7571849ab", - "severity": "Medio", - "link": "https://techcommunity.microsoft.com/t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598" - }, - { - 
"category": "Azure Firewall", - "subcategory": "Configuración de diagnóstico", - "text": "Diagnóstico habilitado y envío de métricas a un área de trabajo de Log Analytics ", - "guid": "8093dc9f-c9d1-4bb7-9b36-a5a67fbb9ed5", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics" - }, - { - "category": "Azure Firewall", - "subcategory": "Administrador de cortafuegos", - "text": "Los concentradores y las redes virtuales están protegidos o conectados a través de Firewall Premium", - "guid": "b35478c3-4798-416b-8863-cffe1cac599e", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview" - }, - { - "category": "Azure Firewall", - "subcategory": "Administrador de cortafuegos", - "text": "Directiva: Los controles de acceso están configurados (RBAC)", - "guid": "f0d5a73d-d4de-436c-8c81-770afbc4c0e4", - "severity": "Alto", - "link": "https://techcommunity.microsoft.com/t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598" - }, - { - "category": "Azure Firewall", - "subcategory": "Administrador de cortafuegos", - "text": "Directiva: la directiva principal está configurada ", - "guid": "5c3a87af-4a79-41f8-a39b-da47768e14c1", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview" - }, - { - "category": "Azure Firewall", - "subcategory": "Administrador de cortafuegos", - "text": "Directiva: se definen las colecciones de reglas", - "guid": "15675c1e-a55b-446a-a48f-f8ae7d7e4b47", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/firewall/rule-processing" - }, - { - "category": "Azure Firewall", - "subcategory": "Administrador de cortafuegos", - "text": "Política: Se definen las políticas de DNAT", - "guid": "5b6c8bcb-f59b-4ce6-9de8-a03f97879468", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/firewall/rule-processing" - }, - { - "category": "Azure Firewall", - 
"subcategory": "Administrador de cortafuegos", - "text": "Directiva: Se definen las reglas de red", - "guid": "d66a786d-60e9-46c9-9ad8-855d04c2b39c", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/firewall/rule-processing" - }, - { - "category": "Azure Firewall", - "subcategory": "Administrador de cortafuegos", - "text": "Directiva: Se definen las reglas de aplicación", - "guid": "986bb2c1-2149-4a11-9b5e-3df574ecccd9", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/firewall/features" - }, - { - "category": "Azure Firewall", - "subcategory": "Administrador de cortafuegos", - "text": "DNS: Característica entendida y aplicada o no aplicada", - "guid": "793a6bcd-a3b5-40eb-8eb0-3dd95d58d7c8", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/firewall/dns-details" - }, - { - "category": "Azure Firewall", - "subcategory": "Administrador de cortafuegos", - "text": "Inteligencia de amenazas: Configurado para alertar y denegar", - "guid": "d622f54b-29ba-4de3-aad1-e8c28ec93666", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/firewall-manager/threat-intelligence-settings" - }, - { - "category": "Azure Firewall", - "subcategory": "Administrador de cortafuegos", - "text": "Inteligencia de amenazas: Lista permitida (justifique si se están utilizando, es decir, rendimiento)", - "guid": "7313b005-674b-41e9-94a4-59c373e7ed61", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/firewall-manager/threat-intelligence-settings#allowlist-addresses" - }, - { - "category": "Azure Firewall", - "subcategory": "Administrador de cortafuegos", - "text": "TLS habilitado", - "guid": "623b365a-917e-4cbe-98eb-d54cd7df2e8b", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/firewall/premium-certificates" - }, - { - "category": "Azure Firewall", - "subcategory": "Administrador de cortafuegos", - "text": "IDPS habilitados", - "guid": "bac35715-59ab-4915-9e99-08aed8c44ce3", - "severity": 
"Alto", - "link": "https://learn.microsoft.com/azure/firewall/rule-processing" - }, - { - "category": "Azure Firewall", - "subcategory": "Administrador de cortafuegos", - "text": "SNAT: Configurado ", - "guid": "b2b3808b-9fa1-4cf1-849d-003a923ce474", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/firewall/snat-private-range" - }, - { - "category": "Azure Firewall", - "subcategory": "Protección DDOS", - "text": "Habilitado para IP públicas de Firewall", - "guid": "dbcbd8ac-2aae-4bca-8a43-da1dae2cc992", - "severity": "Medio", - "link": "https://learn.microsoft.com/azure/security/fundamentals/ddos-best-practices" - } - ], - "severities": [ - { - "name": "Alto" - }, - { - "name": "Medio" - }, - { - "name": "Bajo" - } - ], - "status": [ - { - "name": "No verificado", - "description": "Esta comprobación aún no se ha analizado" - }, - { - "name": "Abrir", - "description": "Hay un elemento de acción asociado a esta comprobación" - }, - { - "name": "Cumplido", - "description": "Esta comprobación se ha verificado y no hay más elementos de acción asociados a ella" - }, - { - "name": "No es necesario", - "description": "Recomendación entendida, pero no necesaria por los requisitos actuales" - }, - { - "name": "N/A", - "description": "No aplicable para el diseño actual" - } - ], - "categories": [ - { - "name": "Defender para la nube" - }, - { - "name": "Azure Networking" - }, - { - "name": "Identidad" - }, - { - "name": "Comprobaciones de seguridad de VM" - }, - { - "name": "Centinela" - }, - { - "name": "Azure Firewall" - } - ] -} + "categories": [ + { + "name": "Defender For Cloud" + }, + { + "name": "Redes de Azure" + }, + { + "name": "Identidad" + }, + { + "name": "Comprobaciones de seguridad de VM" + }, + { + "name": "Centinela" + }, + { + "name": "Azure Firewall" + } + ], + "items": [ + { + "category": "Defender For Cloud", + "guid": "54174158-33fb-43ae-9c2d-e743165c3acb", + "id": "A01.01", + "link": 
"https://learn.microsoft.com/azure/security-center/security-center-get-started", + "severity": "Alto", + "subcategory": "Precios y configuración", + "text": "Habilitación de Security Center/Defender en todas las suscripciones", + "waf": "Seguridad" + }, + { + "category": "Defender For Cloud", + "guid": "349f0364-d28d-442e-abbb-c868255abc91", + "id": "A01.02", + "link": "https://learn.microsoft.com/azure/security-center/enable-azure-defender", + "severity": "Alto", + "subcategory": "Precios y configuración", + "text": "Security Center/Defender habilitado en todas las áreas de trabajo de Log Analytics", + "waf": "Seguridad" + }, + { + "category": "Defender For Cloud", + "guid": "64e9a19a-e28c-484c-93b6-b7818ca0e6c4", + "id": "A01.03", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-feature#what-event-types-are-stored-for-common-and-minimal", + "severity": "Medio", + "subcategory": "Precios y configuración", + "text": "Recopilación de datos establecida en 'Común'", + "waf": "Seguridad" + }, + { + "category": "Defender For Cloud", + "guid": "2149d414-a923-4c35-94d1-1029bd6aaf11", + "id": "A01.04", + "link": "https://learn.microsoft.com/azure/security-center/enable-azure-defender", + "severity": "Alto", + "subcategory": "Precios y configuración", + "text": "Las características de seguridad mejoradas de Defender for Cloud están habilitadas", + "waf": "Seguridad" + }, + { + "category": "Defender For Cloud", + "guid": "e6b84ee5-ef43-4d29-a248-1718d5d1f5f7", + "id": "A01.05", + "link": "https://learn.microsoft.com/azure/security-center/security-center-enable-data-collection", + "severity": "Medio", + "subcategory": "Precios y configuración", + "text": "Aprovisionamiento automático habilitado según la directiva de la empresa (la directiva debe existir)", + "waf": "Seguridad" + }, + { + "category": "Defender For Cloud", + "guid": "25759e35-680e-4782-9ac9-32213d027ff4", + "id": "A01.06", + "link": 
"https://learn.microsoft.com/azure/security-center/security-center-provide-security-contact-details", + "severity": "Bajo", + "subcategory": "Precios y configuración", + "text": "Notificaciones por correo electrónico habilitadas según la política de la empresa (la directiva debe existir)", + "waf": "Seguridad" + }, + { + "category": "Defender For Cloud", + "guid": "12f70993-0631-4583-9ee7-9d6c6d363206", + "id": "A01.07", + "link": "https://learn.microsoft.com/azure/security-center/security-center-wdatp?WT.mc_id=Portal-Microsoft_Azure_Security_CloudNativeCompute&tabs=windows", + "severity": "Medio", + "subcategory": "Precios y configuración", + "text": "Se seleccionan las opciones de habilitación de integraciones ", + "waf": "Seguridad" + }, + { + "category": "Defender For Cloud", + "guid": "5b7abae4-4aad-45e8-a79e-2e86667313c5", + "id": "A01.08", + "link": "https://learn.microsoft.com/azure/security-center/defender-for-container-registries-cicd", + "severity": "Medio", + "subcategory": "Precios y configuración", + "text": "La integración de CI/CD está configurada", + "waf": "Operaciones" + }, + { + "category": "Defender For Cloud", + "guid": "05675c5e-985b-4859-a774-f7e371623b87", + "id": "A01.09", + "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal", + "severity": "Alto", + "subcategory": "Precios y configuración", + "text": "La exportación continua \"Centro de eventos\" está habilitada si se usa SIEM de terceros", + "waf": "Seguridad" + }, + { + "category": "Defender For Cloud", + "guid": "5a917e1f-349f-4036-9d28-d42e8bbbc868", + "id": "A01.10", + "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal", + "severity": "Medio", + "subcategory": "Precios y configuración", + "text": "La exportación continua \"Área de trabajo de Log Analytics\" está habilitada si no se usa Azure Sentinel", + "waf": "Seguridad" + }, + { + "category": "Defender For Cloud", + "guid": 
"255abc91-64e9-4a19-ae28-c84c43b6b781", + "id": "A01.11", + "link": "https://learn.microsoft.com/azure/security-center/quickstart-onboard-aws?WT.mc_id=Portal-Microsoft_Azure_Security", + "severity": "Alto", + "subcategory": "Precios y configuración", + "text": "Conector en la nube habilitado para AWS", + "waf": "Seguridad" + }, + { + "category": "Defender For Cloud", + "guid": "8ca0e6c4-2149-4d41-9a92-3c3574d11029", + "id": "A01.12", + "link": "https://learn.microsoft.com/azure/security-center/quickstart-onboard-gcp", + "severity": "Alto", + "subcategory": "Precios y configuración", + "text": "Conector en la nube habilitado para GCP", + "waf": "Seguridad" + }, + { + "category": "Defender For Cloud", + "guid": "cce9bdf6-b483-45a0-85ec-c8232b230652", + "id": "A01.13", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy-integrate-with-microsoft-cloud-application-security", + "severity": "Bajo", + "subcategory": "Precios y configuración", + "text": "Si usa el proxy de aplicación de Azure AD, considere la posibilidad de integrarse con Microsoft Defender for Cloud Apps para supervisar el acceso a las aplicaciones en tiempo real y aplicar controles de seguridad avanzados.", + "waf": "Seguridad" + }, + { + "category": "Defender For Cloud", + "guid": "df9cc234-18db-4611-9126-5f4bb47a393a", + "id": "A02.01", + "link": "https://learn.microsoft.com/azure/security-center/secure-score-security-controls", + "severity": "Medio", + "subcategory": "Recomendaciones", + "text": "Todas las recomendaciones se corrigen o deshabilitan si no son necesarias.", + "waf": "Seguridad" + }, + { + "category": "Defender For Cloud", + "description": "El objetivo mínimo de Microsoft para todos los clientes es del 70 %", + "guid": "08032729-4798-4b15-98a2-19a46ceb5443", + "id": "A02.02", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/secure-score-security-controls", + "severity": "Alto", + "subcategory": "Recomendaciones", + "text": "Puntuación 
de seguridad>70%", + "waf": "Seguridad" + }, + { + "category": "Defender For Cloud", + "guid": "50259226-4429-42bb-9285-37a55119bf8e", + "id": "A03.01", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/tutorial-security-incident", + "severity": "Medio", + "subcategory": "Alertas de seguridad", + "text": "Las alertas de seguridad contienen solo las generadas en las últimas 24 horas (corrija o deshabilite las alertas de seguridad más antiguas)", + "waf": "Seguridad" + }, + { + "category": "Defender For Cloud", + "guid": "8f585428-7d9c-4dc1-96cd-072af9b141a8", + "id": "A04.01", + "link": "https://learn.microsoft.com/azure/security-center/custom-dashboards-azure-workbooks", + "severity": "Medio", + "subcategory": "Libros", + "text": "Si la exportación continua está habilitada, los libros de trabajo predeterminados se publican en el panel de seguridad personalizado", + "waf": "Seguridad" + }, + { + "category": "Defender For Cloud", + "guid": "98a535e7-3789-47e7-8ca7-da7be9962a15", + "id": "A05.01", + "link": "https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/bd-p/MicrosoftDefenderCloud", + "severity": "Medio", + "subcategory": "Comunidad", + "text": "El cliente es consciente del valor de la página \"Comunidad\" y tiene una cadencia regular configurada para revisar", + "waf": "Seguridad" + }, + { + "category": "Defender For Cloud", + "description": "Mejores prácticas operativas para el cliente - Transparencia", + "guid": "93846da9-7cc3-4923-856b-22586f4a1641", + "id": "A06.01", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/enable-enhanced-security", + "severity": "Alto", + "subcategory": "Puntuación segura", + "text": "Se muestran todas las suscripciones protegidas por Security Center (sin establecer filtros de suscripción)", + "waf": "Seguridad" + }, + { + "category": "Defender For Cloud", + "guid": "bdddea8a-487c-4deb-9861-bc3bc14aea6e", + "id": "A07.01", + "link": 
"https://learn.microsoft.com/azure/security-center/security-center-compliance-dashboard", + "severity": "Alto", + "subcategory": "Cumplimiento normativo", + "text": "Los controles de cumplimiento son ecológicos para cualquier requisito de cumplimiento requerido", + "waf": "Seguridad" + }, + { + "category": "Defender For Cloud", + "description": "Prácticas recomendadas para el cliente: verificación", + "guid": "65e8d9a3-aec2-418e-9436-b0736db55f57", + "id": "A08.01", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/remediate-vulnerability-findings-vm", + "severity": "Alto", + "subcategory": "Azure Defender", + "text": "Las vulnerabilidades de VM de alta gravedad son cero (vacías)", + "waf": "Seguridad" + }, + { + "category": "Defender For Cloud", + "guid": "9603334b-df9c-4c23-918d-b61171265f4b", + "id": "A09.01", + "link": "https://techcommunity.microsoft.com/t5/azure-network-security/azure-firewall-manager-is-now-integrated-with-azure-security/ba-p/2228679", + "severity": "Medio", + "subcategory": "Administrador de cortafuegos", + "text": "Los centros están protegidos por Azure Firewall", + "waf": "Seguridad" + }, + { + "category": "Defender For Cloud", + "description": "Prácticas recomendadas para el cliente: verificación", + "guid": "b47a393a-0803-4272-a479-8b1578a219a4", + "id": "A09.02", + "link": "https://learn.microsoft.com/azure/security/fundamentals/network-best-practices", + "severity": "Medio", + "subcategory": "Administrador de cortafuegos", + "text": "Las redes virtuales están protegidas por un firewall", + "waf": "Seguridad" + }, + { + "category": "Defender For Cloud", + "guid": "6ceb5443-5025-4922-9442-92bb628537a5", + "id": "A09.03", + "link": "https://azure.microsoft.com/blog/how-azure-security-center-detects-ddos-attack-using-cyber-threat-intelligence/", + "severity": "Medio", + "subcategory": "Administrador de cortafuegos", + "text": "DDoS Standard habilitado", + "waf": "Seguridad" + }, + { + "category": "Defender For Cloud", + 
"guid": "5119bf8e-8f58-4542-a7d9-cdc166cd072a", + "id": "A10.01", + "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started?WT.mc_id=Portal-Microsoft_Azure_Security", + "severity": "Alto", + "subcategory": "Cobertura", + "text": "Compruebe que todas las suscripciones están cubiertas (consulte los precios y la configuración para modificar)", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "4df585ec-dce9-4793-a7bc-db3b51eb2eb0", + "id": "B01.01", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses", + "severity": "Alto", + "subcategory": "IPs públicas", + "text": "Las máquinas virtuales con direcciones IP públicas deben protegerse mediante un grupo de seguridad de red ", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "description": "Prácticas recomendadas para el cliente: verificación", + "guid": "3dda6e59-d7c8-4a2e-bb11-7d6769af669c", + "id": "B01.02", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses", + "severity": "Alto", + "subcategory": "IPs públicas", + "text": "Las máquinas virtuales con direcciones IP públicas se mueven detrás de Azure Firewall Premium", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "description": "Prácticas recomendadas para el cliente: verificación", + "guid": "a48e5a85-f222-43ec-b8bb-12308ca5017f", + "id": "B01.03", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", + "severity": "Alto", + "subcategory": "IPs públicas", + "text": "Las máquinas virtuales que no necesitan direcciones IP públicas no tienen direcciones IP públicas (es decir, solo RDP interno)", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "158e3ea3-a93c-42de-9e31-65c3a87a04b7", + "id": "B02.01", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview", + "severity": "Medio", + "subcategory": 
"Grupo de seguridad de red", + "text": "RBAC de grupo de seguridad de red se usa para restringir el acceso al equipo de seguridad de red", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "description": "Prácticas recomendadas para el cliente: verificación", + "guid": "a209939b-da47-4778-b24c-116785c2fa55", + "id": "B02.02", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview", + "severity": "Alto", + "subcategory": "Grupo de seguridad de red", + "text": "Las reglas de seguridad de entrada del grupo de seguridad de red no contienen un * (comodín) en el campo Origen", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "description": "Prácticas recomendadas para el cliente: verificación", + "guid": "b56a9480-08be-47d7-b4c4-76b6d8bdcf59", + "id": "B02.03", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview", + "severity": "Medio", + "subcategory": "Grupo de seguridad de red", + "text": "Las reglas de seguridad de salida de grupo de seguridad de red se usan para controlar el tráfico a direcciones IP específicas para el tráfico que no se enruta a través de un firewall", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "description": "Prácticas recomendadas para el cliente: verificación", + "guid": "bce65de8-a13f-4988-9946-8d66a786d60f", + "id": "B02.04", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview", + "severity": "Alto", + "subcategory": "Grupo de seguridad de red", + "text": "El grupo de seguridad de red no tiene Source como * (comodín) en su lugar.", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "a6c97be9-955d-404c-9c49-c986cb2d1215", + "id": "B02.05", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-nsg-manage-log", + "severity": "Medio", + "subcategory": "Grupo de seguridad de red", + "text": "Los diagnósticos de NSG envían tráfico 
NetworkSecurityGroupEvent y NetworkSecurityGroupRuleCounter a Sentinel LAW", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "aa124b6e-4df5-485e-adce-9793b7bcdb3b", + "id": "B03.01", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "severity": "Medio", + "subcategory": "UDR", + "text": "RBAC de UDR se usa para restringir el acceso al equipo de seguridad de red", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "51eb2eb0-3dda-46e5-ad7c-8a2edb117d67", + "id": "B03.02", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "severity": "Alto", + "subcategory": "UDR", + "text": "Si es Confianza cero, se usan UDR para enviar todo el tráfico a Azure Firewall Premium", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "description": "Prácticas recomendadas para el cliente: verificación", + "guid": "69af669c-a48e-45a8-9f22-23ece8bb1230", + "id": "B03.03", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "severity": "Medio", + "subcategory": "UDR", + "text": "Las UDR que no envían todo el tráfico a AzureFirewallPremium son conocidas y están documentadas.", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "8ca5017f-158e-43ea-9a93-c2de7e3165c3", + "id": "B04.01", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview#default", + "severity": "Alto", + "subcategory": "Redes virtuales", + "text": "El cliente está familiarizado con los valores predeterminados de red de Azure o el enrutamiento predeterminado de SDN en Azure", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "description": "Prácticas recomendadas para el cliente: verificación", + "guid": "a87a04b7-a209-4939-ada4-7778f24c1167", + "id": "B04.02", + "link": "https://github.com/MicrosoftDocs/azure-docs/issues/53672", + "severity": "Medio", + "subcategory": 
"Redes virtuales", + "text": "RBAC de red virtual se usa para restringir el acceso al equipo de seguridad de red", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "85c2fa55-b56a-4948-808b-e7d7e4c476b6", + "id": "B04.03", + "link": "https://learn.microsoft.com/azure/virtual-network/policy-reference", + "severity": "Alto", + "subcategory": "Redes virtuales", + "text": "Se corrigen las recomendaciones de seguridad de red virtual y no hay redes virtuales \"en riesgo\" ", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "d8bdcf59-bce6-45de-aa13-f98879468d66", + "id": "B04.04", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", + "severity": "Alto", + "subcategory": "Redes virtuales", + "text": "Se comprenden las conexiones de emparejamiento de red virtual y se documentan los flujos de tráfico esperados", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "a786d60f-a6c9-47be-a955-d04c3c49c986", + "id": "B04.05", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", + "severity": "Alto", + "subcategory": "Redes virtuales", + "text": "Los puntos de conexión de servicio de red virtual están en uso, no existen puntos de conexión de servicio público heredados", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "1f625659-ee55-480a-9824-9c931213dbd7", + "id": "B04.06", + "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", + "severity": "Alto", + "subcategory": "Redes virtuales", + "text": "Los puntos de conexión privados de red virtual están en uso para permitir el acceso desde entornos locales, no existen puntos de conexión públicos heredados", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "fb012f70-943f-4630-9722-ea39d2b1ce63", + "id": "B04.07", + "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network", + 
"severity": "Alto", + "subcategory": "Redes virtuales", + "text": "Supervisión de red virtual habilitada", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "2055b29b-ade4-4aad-8e8c-39ec94666731", + "id": "B04.08", + "link": "https://learn.microsoft.com/azure/virtual-network/kubernetes-network-policies", + "severity": "Alto", + "subcategory": "Redes virtuales", + "text": "Protección del tráfico entre pods mediante directivas de red en Azure Kubernetes Service (AKS)", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "3c005674-c1e9-445b-959c-373e7ed71623", + "id": "B04.09", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-scenario-udr-gw-nva", + "severity": "Alto", + "subcategory": "Redes virtuales", + "text": "El cliente de NVA de red virtual (dispositivos) sigue el patrón de arquitectura publicado", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "b375a917-ecbe-448f-ae64-dd7df2e8bbbc", + "id": "B04.10", + "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network", + "severity": "Alto", + "subcategory": "Redes virtuales", + "text": "La configuración de diagnóstico de red virtual está habilitada y envía VMProtectionAlerts a Azure Sentinel LAW", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "468155ab-c916-44e9-a09a-ed8c44cf3b2b", + "id": "B05.01", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "severity": "Alto", + "subcategory": "Conectividad", + "text": "Uso de ExpressRoute o VPN para acceder a los recursos de Azure desde entornos locales", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "bd8ac2aa-ebca-42a4-9da1-dbf3dd992481", + "id": "B06.01", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "severity": "Alto", + "subcategory": "Virtual WAN", + "text": "VWAN RBAC se utiliza para restringir el 
acceso al equipo de seguridad de la red", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "718d1dca-1f62-4565-aee5-580a38249c93", + "id": "B06.02", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-global-transit-network-architecture", + "severity": "Alto", + "subcategory": "Virtual WAN", + "text": "El cliente de VWAN utiliza Secure Hub o un firewall externo para enrutar y supervisar el tráfico.", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "1213dbd7-fb01-42f7-8943-f6304722ea39", + "id": "B07.01", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", + "severity": "Alto", + "subcategory": "Application Gateway", + "text": "AppGW RBAC se utiliza para restringir el acceso al equipo de seguridad de la red", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "d2b1ce63-2055-4b29-aade-4aad1e8c39ec", + "id": "B07.02", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip", + "severity": "Alto", + "subcategory": "Application Gateway", + "text": "AppGW Todos los servicios web externos están detrás de Application Gateways con WAF habilitado ", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "94666731-3c00-4567-9c1e-945b459c373e", + "id": "B07.03", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip", + "severity": "Alto", + "subcategory": "Application Gateway", + "text": "AppGW Todos los servicios web internos están detrás de Application Gateways con WAF habilitado ", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "7ed71623-b375-4a91-9ecb-e48fbe64dd7d", + "id": "B07.04", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", + "severity": "Alto", + "subcategory": "Application Gateway", + "text": "AppGW: la orientación externa tiene TLS/SSL habilitado y redirige todo el tráfico a 443 (sin tráfico de puerto 
80)", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "f2e8bbbc-4681-455a-ac91-64e9909aed8c", + "id": "B08.01", + "link": "https://learn.microsoft.com/azure/frontdoor/", + "severity": "Alto", + "subcategory": "Puerta frontal", + "text": "RBAC de Front Door se usa para restringir el acceso al equipo de seguridad de red", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "44cf3b2b-3818-4baf-a2cf-2149d013a923", + "id": "B08.02", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/front-door-security-baseline?toc=/azure/frontdoor/TOC.json", + "severity": "Alto", + "subcategory": "Puerta frontal", + "text": "Front Door está asociado a una directiva de WAF", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "ce574dcc-bd8a-4c2a-aebc-a2a44da1dbf3", + "id": "B08.03", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-custom-domain-https", + "severity": "Alto", + "subcategory": "Puerta frontal", + "text": "La directiva TLS/SSL de Front Door está configurada", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "dd992481-718d-41dc-a1f6-25659ee5580a", + "id": "B08.04", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-url-redirect", + "severity": "Alto", + "subcategory": "Puerta frontal", + "text": "Se configura el puerto de redireccionamiento de Front Door 80 al puerto 443 (agentes de escucha)", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "38249c93-1213-4dbd-9fb0-12f70943f630", + "id": "B08.05", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-diagnostics", + "severity": "Alto", + "subcategory": "Puerta frontal", + "text": "Los registros de diagnóstico de Front Door envían ApplicationGatewayAccessLog y ApplicationGateway FirewallLog a Sentinel LAW", + "waf": "Seguridad" + }, + { + "category": "Redes de Azure", + "guid": "4722ea39-d2b1-4ce6-9205-5b29bade4aad", + "id": "B09.01", + "link": 
"https://learn.microsoft.com/azure/security/fundamentals/ddos-best-practices", + "severity": "Alto", + "subcategory": "Protección DDoS", + "text": "Habilitado para IP públicas de firewall (todas las IP públicas)", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "346ad56f-bdb8-44db-8bcd-0a689af63f1e", + "id": "C01.01", + "link": "https://learn.microsoft.com/security/compass/identity#a-single-enterprise-directory", + "severity": "Alto", + "subcategory": "Arrendatario", + "text": "Establezca un único directorio empresarial para administrar las identidades de los empleados a tiempo completo y los recursos de la empresa.", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "a46108cd-6a76-4749-ae69-b7bf61410010", + "id": "C01.02", + "link": "https://learn.microsoft.com/security/compass/identity#synchronized-identity-systems", + "severity": "Alto", + "subcategory": "Arrendatario", + "text": "Sincronice su identidad en la nube con sus sistemas de identidad existentes.", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "a1ab96ceb-c149-4ce2-bcad-3bd375ebfc7f", + "id": "C01.03", + "link": "https://learn.microsoft.com/security/compass/identity#cloud-provider-identity-source-for-third-parties", + "severity": "Alto", + "subcategory": "Arrendatario", + "text": "Use los servicios de identidad en la nube para hospedar cuentas que no sean de empleados, como proveedores, asociados y clientes, en lugar de incluirlas en el directorio local.", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "343473ec-ed5c-49e1-98f4-cb09524a23cd", + "id": "C01.04", + "link": "https://learn.microsoft.com/security/compass/identity#block-legacy-authentication", + "severity": "Alto", + "subcategory": "Arrendatario", + "text": "Deshabilite los protocolos heredados inseguros para los servicios orientados a Internet.", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "70dceb23-50c7-4d8d-bf53-8cc104c7dc44", + "id": 
"C01.05", + "link": "https://learn.microsoft.com/azure/security/fundamentals/identity-management-best-practices#enable-single-sign-on", + "severity": "Alto", + "subcategory": "Arrendatario", + "text": "Habilitar el inicio de sesión único", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "87791be1-1eb0-48ed-8003-ad9bcf241b99", + "id": "C02.01", + "link": "https://learn.microsoft.com/security/compass/identity#no-on-premises-admin-accounts-in-cloud-identity-providers", + "severity": "Alto", + "subcategory": "Administración privilegiada", + "text": "No sincronice las cuentas con el acceso con los privilegios más altos a los recursos locales a medida que sincroniza los sistemas de identidad de la empresa con los directorios en la nube.", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "9e6efe9d-f28f-463b-9bff-b5080173e9fe", + "id": "C02.02", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#5-limit-the-number-of-global-administrators-to-less-than-5", + "severity": "Alto", + "subcategory": "Administración privilegiada", + "text": "Limitar el número de administradores globales a menos de 5", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "e0d968d3-87f6-41fb-a4f9-d852f1673f4c", + "id": "C02.03", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#6-use-groups-for-azure-ad-role-assignments-and-delegate-the-role-assignment", + "severity": "Alto", + "subcategory": "Administración privilegiada", + "text": "Uso de grupos para asignaciones de roles de Azure AD y delegación de la asignación de roles", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "00350863-4df6-4050-9cf1-cbaa6d58283e", + "id": "C02.04", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#managed-accounts-for-admins", + "severity": "Alto", + "subcategory": "Administración privilegiada", + "text": "Asegúrese de que todos los 
administradores de impacto crítico estén administrados por el directorio de la empresa para seguir la aplicación de las políticas de la organización.", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "eae64d01-0d3a-4ae1-a89d-cc1c2ad3888f", + "id": "C02.05", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#4-configure-recurring-access-reviews-to-revoke-unneeded-permissions-over-time", + "severity": "Alto", + "subcategory": "Administración privilegiada", + "text": "Configurar revisiones de acceso recurrentes para revocar permisos innecesarios a lo largo del tiempo", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "922ac19f-916d-4697-b8ea-ded26bdd186f", + "id": "C02.06", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#admin-workstation-security", + "severity": "Medio", + "subcategory": "Administración privilegiada", + "text": "Asegúrese de que los administradores de impacto crítico utilicen una estación de trabajo con protecciones de seguridad y supervisión elevadas", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "1e8c39ec-9466-4673-83c0-05674c1e945b", + "id": "C03.01", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/compare-with-b2c", + "severity": "Alto", + "subcategory": "Identidades externas", + "text": "Proveedores de identidades: compruebe que se conocen los proveedores de identidades externos", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "459c373e-7ed7-4162-9b37-5a917ecbe48f", + "id": "C03.02", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations", + "severity": "Alto", + "subcategory": "Identidades externas", + "text": "Configuración de colaboración externa: el acceso de los usuarios invitados está establecido en \"¿El acceso de los usuarios invitados está restringido?\"", + "waf": "Seguridad" + }, + { + "category": 
"Identidad", + "guid": "be64dd7d-f2e8-4bbb-a468-155abc9164e9", + "id": "C03.03", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations", + "severity": "Alto", + "subcategory": "Identidades externas", + "text": "Configuración de colaboración externa: la configuración de invitación de invitados se establece en \"Solo usuarios asignados a roles de administrador específicos\"", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "909aed8c-44cf-43b2-a381-8bafa2cf2149", + "id": "C03.04", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations", + "severity": "Alto", + "subcategory": "Identidades externas", + "text": "Configuración de colaboración externa: habilite el registro de autoservicio de invitados a través de flujos establecidos en \"Deshabilitado\" ", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "d013a923-ce57-44dc-abd8-ac2aaebca2a4", + "id": "C03.05", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations", + "severity": "Alto", + "subcategory": "Identidades externas", + "text": "Configuración de colaboración externa: Restricciones de colaboración establecidas en \"Permitir invitaciones a los dominios especificados\"", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "4da1dbf3-dd99-4248-8718-d1dca1f62565", + "id": "C03.06", + "link": "https://learn.microsoft.com/azure/active-directory/governance/deploy-access-reviews", + "severity": "Medio", + "subcategory": "Identidades externas", + "text": "Acceder a las revisiones: Habilitado para todos los grupos", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "9ee5580a-3824-49c9-9121-3dbd7fb012f7", + "id": "C04.01", + "link": "https://learn.microsoft.com/azure/active-directory/manage-apps/configure-user-consent", + "severity": "Medio", + "subcategory": "Aplicaciones empresariales", + "text": "Consentimiento 
y permisos: Permitir el consentimiento del usuario para aplicaciones de editores verificados", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "0943f630-4722-4ea3-ad2b-1ce632055b29", + "id": "C04.02", + "link": "https://learn.microsoft.com/azure/active-directory/manage-apps/configure-user-consent-groups", + "severity": "Medio", + "subcategory": "Aplicaciones empresariales", + "text": "Consentimiento y permisos: Permitir el consentimiento del propietario del grupo para los propietarios del grupo seleccionados ", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "bade4aad-1e8c-439e-a946-667313c00567", + "id": "C05.01", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy-configure-custom-domain", + "severity": "Alto", + "subcategory": "Dominios personalizados", + "text": "Solo se registran los dominios de clientes validados", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "4c1e945b-459c-4373-b7ed-71623b375a91", + "id": "C06.01", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-sspr", + "severity": "Alto", + "subcategory": "Restablecimiento de contraseña", + "text": "Se ha verificado el requisito de directiva de restablecimiento de contraseña de autoservicio.", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "7ecbe48f-be64-4dd7-bf2e-8bbbc468155a", + "id": "C06.02", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/howto-sspr-deployment", + "severity": "Medio", + "subcategory": "Restablecimiento de contraseña", + "text": "Establecer el número de días antes de que se pida a los usuarios que vuelvan a confirmar la información de autenticación no está establecido en cero", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "bc9164e9-909a-4ed8-a44c-f3b2b3818baf", + "id": "C06.03", + "link": 
"https://learn.microsoft.com/azure/active-directory/authentication/howto-sspr-deployment", + "severity": "Alto", + "subcategory": "Restablecimiento de contraseña", + "text": "Se selecciona el número de métodos necesarios para restablecer la contraseña", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "a2cf2149-d013-4a92-9ce5-74dccbd8ac2a", + "id": "C07.01", + "link": "https://learn.microsoft.com/azure/active-directory/roles/delegate-app-roles", + "severity": "Alto", + "subcategory": "Configuración de usuario", + "text": "Deshabilite 'Los usuarios pueden registrar aplicaciones'", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "aebca2a4-4da1-4dbf-9dd9-92481718d1dc", + "id": "C07.02", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/users-default-permissions", + "severity": "Alto", + "subcategory": "Configuración de usuario", + "text": "Restrinja el acceso al portal administrativo (portal.azure.com) solo a los administradores", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "a1f62565-9ee5-4580-a382-49c931213dbd", + "id": "C07.03", + "link": "https://learn.microsoft.com/azure/active-directory/enterprise-users/linkedin-integration", + "severity": "Alto", + "subcategory": "Configuración de usuario", + "text": "Desactivar la 'Conexión de la cuenta de LinkedIn'", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "7fb012f7-0943-4f63-8472-2ea39d2b1ce6", + "id": "C08.01", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-monitoring", + "severity": "Alto", + "subcategory": "Configuración de diagnóstico", + "text": "Habilitado y envío al área de trabajo de Log Analytics con Sentinel", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "21e44a19-a9dd-4399-afd7-b28dc8355562", + "id": "C09.01", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-deployment-plan", + "severity": 
"Alto", + "subcategory": "PIM habilitado", + "text": "Privileged Identity Management habilitado", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "46f4389a-7f42-4c78-b78c-06a63a21a495", + "id": "C09.02", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-usage?tabs=jit-config-asc%2Cjit-request-asc", + "severity": "Alto", + "subcategory": "PIM habilitado", + "text": "Implementar el acceso \"justo a tiempo\" (JIT) para reducir aún más el tiempo de exposición de las cuentas privilegiadas (reducir el acceso permanente)", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "6e6a8dc4-a20e-427b-9e29-711b1352beee", + "id": "C10.01", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policy-common", + "severity": "Alto", + "subcategory": "Directivas de acceso condicional", + "text": "Configuración de directivas de acceso condicional / Controles de acceso", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "079b588d-efc4-4972-ac3c-d21bf77036e5", + "id": "C10.02", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/location-condition", + "severity": "Medio", + "subcategory": "Directivas de acceso condicional", + "text": "Condiciones: Ubicaciones restringidas", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "e6b4bed3-d5f3-4547-a134-7dc56028a71f", + "id": "C10.03", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa", + "severity": "Alto", + "subcategory": "Directivas de acceso condicional", + "text": "Controles de acceso: MFA habilitado para todos los usuarios", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "fe1bd15d-d2f0-4d5e-972d-41e3611cc57b", + "id": "C10.04", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa", + "severity": "Medio", + 
"subcategory": "Directivas de acceso condicional", + "text": "Controles de acceso: Requerir MFA para los administradores", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "4a4b1410-d439-4589-ac22-89b3d6b57cfc", + "id": "C10.05", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-azure-management", + "severity": "Alto", + "subcategory": "Directivas de acceso condicional", + "text": "Controles de acceso: Requerir MFA para la administración de Azure ", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "645461e1-a3e3-4453-a3c8-639637a552d6", + "id": "C10.06", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy", + "severity": "Alto", + "subcategory": "Directivas de acceso condicional", + "text": "Controles de acceso: Bloquear protocolos heredados", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "7ae9eab4-0fd3-4290-998b-c178bdc5a06c", + "id": "C10.07", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/require-managed-devices", + "severity": "Alto", + "subcategory": "Directivas de acceso condicional", + "text": "Controles de acceso: requieren que los dispositivos se marquen como compatibles", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "description": "Política documentada por el cliente", + "guid": "a7144351-e19d-4d34-929e-b7228137a151", + "id": "C11.01", + "link": "https://devblogs.microsoft.com/premier-developer/azure-active-directory-automating-guest-user-management/", + "severity": "Medio", + "subcategory": "Usuarios invitados", + "text": "¿Existe una política para realizar un seguimiento de las cuentas de usuario invitado (es decir, uso/eliminación/deshabilitación)?", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "c5bb4e4f-1814-4287-b5ca-8c26c9b32ab5", + "id": "C12.01", + "link": 
"https://learn.microsoft.com/azure/active-directory/fundamentals/identity-secure-score", + "severity": "Alto", + "subcategory": "Puntuación de seguridad de identidad", + "text": "Implemente la puntuación de seguridad de identidad en función de las mejores prácticas de su sector", + "waf": "Seguridad" + }, + { + "category": "Identidad", + "guid": "bcfc6998-a135-4e33-9897-e31c67d68cb6", + "id": "C13.01", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + "severity": "Medio", + "subcategory": "Cuentas de Break Glass", + "text": "Se han creado al menos dos cuentas de ruptura y existe una política en torno a su uso", + "waf": "Seguridad" + }, + { + "category": "Comprobaciones de seguridad de VM", + "guid": "0ac252b9-99a6-48af-a7c9-a8f821b8eb8c", + "id": "D01.01", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "severity": "Alto", + "subcategory": "Control de acceso", + "text": "Control del acceso a máquinas virtuales mediante Azure Policy", + "waf": "Seguridad" + }, + { + "category": "Comprobaciones de seguridad de VM", + "guid": "0aa77e26-e4d5-4aea-a8dc-4e2436bc336d", + "id": "D01.02", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/templates/syntax", + "severity": "Medio", + "subcategory": "Control de acceso", + "text": "Reduzca la variabilidad en la configuración e implementación de máquinas virtuales aprovechando las plantillas", + "waf": "Seguridad" + }, + { + "category": "Comprobaciones de seguridad de VM", + "guid": "b5945bda-4333-44fd-b91c-234182b65275", + "id": "D01.03", + "link": "https://learn.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models", + "severity": "Medio", + "subcategory": "Control de acceso", + "text": "Proteja el acceso privilegiado para implementar VMS reduciendo quién tiene acceso a los recursos a través de la gobernanza", + "waf": "Seguridad" + }, + { + "category": 
"Comprobaciones de seguridad de VM", + "guid": "269440b4-be3d-43e0-a432-76d4bdc015bc", + "id": "D02.01", + "link": "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service", + "severity": "Medio", + "subcategory": "Alta disponibilidad ", + "text": "Use varias máquinas virtuales para sus cargas de trabajo para una mejor disponibilidad ", + "waf": "Fiabilidad" + }, + { + "category": "Comprobaciones de seguridad de VM", + "guid": "f219e4a1-eb58-4879-935d-227886d30b66", + "id": "D02.02", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-first-look-arm", + "severity": "Medio", + "subcategory": "Alta disponibilidad ", + "text": "Implementación y prueba de una solución de recuperación ante desastres ", + "waf": "Fiabilidad" + }, + { + "category": "Comprobaciones de seguridad de VM", + "guid": "c57be595-1900-4838-95c5-86cb291ec16a", + "id": "D02.03", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "severity": "Medio", + "subcategory": "Alta disponibilidad ", + "text": "Conjuntos de disponibilidad", + "waf": "Fiabilidad" + }, + { + "category": "Comprobaciones de seguridad de VM", + "guid": "1d076ef9-f141-4acd-ae57-9377bcdb3751", + "id": "D02.04", + "link": "https://learn.microsoft.com/azure/availability-zones/az-overview?context=/azure/virtual-machines/context/context", + "severity": "Medio", + "subcategory": "Alta disponibilidad ", + "text": "Zonas de disponibilidad", + "waf": "Fiabilidad" + }, + { + "category": "Comprobaciones de seguridad de VM", + "guid": "ab2ac1fa-d66e-415d-9d5a-2adb2c3e2326", + "id": "D02.05", + "link": "https://learn.microsoft.com/azure/architecture/resiliency/recovery-loss-azure-region", + "severity": "Medio", + "subcategory": "Alta disponibilidad ", + "text": "Tolerancia a fallos regionales ", + "waf": "Fiabilidad" + }, + { + "category": "Comprobaciones de seguridad de VM", + "guid": "af225ca4-4e16-496f-bdde-ace4cb1deb4c", + "id": "D03.01", + "link": 
"https://learn.microsoft.com/azure/security/fundamentals/antimalware", + "severity": "Alto", + "subcategory": "Protéjase contra el malware", + "text": "Instalación de soluciones antimalware", + "waf": "Seguridad" + }, + { + "category": "Comprobaciones de seguridad de VM", + "guid": "650c3fc1-4eeb-4b36-a382-9e3eec218368", + "id": "D03.02", + "link": "https://learn.microsoft.com/azure/security-center/security-center-partner-integration", + "severity": "Alto", + "subcategory": "Protéjase contra el malware", + "text": "Integración de la solución antimalware con Security Center", + "waf": "Seguridad" + }, + { + "category": "Comprobaciones de seguridad de VM", + "guid": "7a0177a2-b594-45bd-a433-34fdf91c2341", + "id": "D04.01", + "link": "https://learn.microsoft.com/azure/automation/update-management/overview", + "severity": "Alto", + "subcategory": "Administrar actualizaciones de máquinas virtuales", + "text": "Mantenga las máquinas virtuales actualizadas con Update Management con Azure Automation", + "waf": "Seguridad" + }, + { + "category": "Comprobaciones de seguridad de VM", + "guid": "c6fa96b9-6ad8-4840-af37-2734c876ba28", + "id": "D04.02", + "link": "https://learn.microsoft.com/azure/virtual-machines/automatic-vm-guest-patching", + "severity": "Medio", + "subcategory": "Administrar actualizaciones de máquinas virtuales", + "text": "Asegúrese de que las imágenes de Windows para la implementación tengan el nivel más reciente de actualizaciones ", + "waf": "Seguridad" + }, + { + "category": "Comprobaciones de seguridad de VM", + "guid": "02145901-465d-438e-9309-ccbd979266bc", + "id": "D04.03", + "link": "https://learn.microsoft.com/azure/security-center/asset-inventory", + "severity": "Alto", + "subcategory": "Administrar actualizaciones de máquinas virtuales", + "text": "Aplique rápidamente actualizaciones de seguridad a las máquinas virtuales mediante Microsoft Defender for Cloud", + "waf": "Seguridad" + }, + { + "category": "Comprobaciones de seguridad de VM", + 
"guid": "ca274faa-19bf-439d-a5d4-4c7c8919ca1f", + "id": "D05.01", + "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview", + "severity": "Alto", + "subcategory": "Cifre de los discos duros virtuales", + "text": "Habilitación del cifrado en las máquinas virtuales", + "waf": "Seguridad" + }, + { + "category": "Comprobaciones de seguridad de VM", + "guid": "6d5315ae-524b-4a34-b458-5e12139bd7bb", + "id": "D05.02", + "link": "https://learn.microsoft.com/azure/virtual-machines/windows/disk-encryption-key-vault#set-up-a-key-encryption-key-kek", + "severity": "Alto", + "subcategory": "Cifre de los discos duros virtuales", + "text": "Agregue la clave de cifrado de claves (KEK) para agregar una capa de seguridad para el cifrado ", + "waf": "Seguridad" + }, + { + "category": "Comprobaciones de seguridad de VM", + "guid": "012f7b95-e06e-4154-b2aa-3592828e6e20", + "id": "D05.03", + "link": "https://learn.microsoft.com/azure/virtual-machines/windows/snapshot-copy-managed-disk", + "severity": "Medio", + "subcategory": "Cifre de los discos duros virtuales", + "text": "Tome una instantánea de los discos antes del cifrado con fines de reversión", + "waf": "Seguridad" + }, + { + "category": "Comprobaciones de seguridad de VM", + "guid": "5173676a-e466-491e-a835-ad942223e138", + "id": "D06.01", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "severity": "Alto", + "subcategory": "Restringir la conexión directa a Internet ", + "text": "Asegúrese de que solo el grupo de redes central tenga permisos para los recursos de red ", + "waf": "Seguridad" + }, + { + "category": "Comprobaciones de seguridad de VM", + "guid": "10523081-a941-4741-9833-ff7ad7c6d373", + "id": "D06.02", + "link": "https://learn.microsoft.com/azure/security-center/security-center-partner-integration", + "severity": "Alto", + "subcategory": "Restringir la conexión directa a Internet ", + "text": "Identifique y corrija las máquinas virtuales 
expuestas que permiten el acceso desde \"CUALQUIER\" dirección IP de origen", + "waf": "Seguridad" + }, + { + "category": "Comprobaciones de seguridad de VM", + "guid": "75a91be1-f388-4f03-a4d2-cd463cbbbc86", + "id": "D06.03", + "link": "https://learn.microsoft.com/azure/security-center/security-center-just-in-time", + "severity": "Alto", + "subcategory": "Restringir la conexión directa a Internet ", + "text": "Restrinja los puertos de administración (RDP, SSH) mediante el acceso Just-In-Time", + "waf": "Seguridad" + }, + { + "category": "Comprobaciones de seguridad de VM", + "guid": "8295abc9-1a4e-4da0-bae2-cc84c47b6b78", + "id": "D06.04", + "link": "http://learn.microsoft.com/answers/questions/171195/how-to-create-jump-server-in-azure-not-bastion-paa.html", + "severity": "Alto", + "subcategory": "Restringir la conexión directa a Internet ", + "text": "Eliminar el acceso a Internet e implementar servidores de salto para RDP", + "waf": "Seguridad" + }, + { + "category": "Comprobaciones de seguridad de VM", + "guid": "1cbafe6c-4658-49d4-98a9-27c3974d1102", + "id": "D06.05", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-forced-tunneling", + "severity": "Alto", + "subcategory": "Restringir la conexión directa a Internet ", + "text": "Elimine el inicio de sesión directo en servidores que utilizan RDP/SSH desde Internet e implemente VPN o ruta rápida", + "waf": "Seguridad" + }, + { + "category": "Comprobaciones de seguridad de VM", + "guid": "dad6aae1-1e6b-484e-b5df-47d2d92881b1", + "id": "D06.06", + "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", + "severity": "Alto", + "subcategory": "Restringir la conexión directa a Internet ", + "text": "Aproveche Azure Bastion como agente RDP/SSH para aumentar la seguridad y reducir el espacio ocupado", + "waf": "Seguridad" + }, + { + "category": "Centinela", + "guid": "cd5d1e54-a297-459e-9968-0e78289c9356", + "id": "E01.01", + "link": 
"https://learn.microsoft.com/azure/sentinel/quickstart-onboard", + "severity": "Alto", + "subcategory": "Arquitectura ", + "text": "Todos los inquilinos contienen Sentinel habilitado en al menos un área de trabajo de Log Analytics", + "waf": "Seguridad" + }, + { + "category": "Centinela", + "guid": "57d02bff-4564-4b0d-a34a-359836ee79d6", + "id": "E01.02", + "link": "https://learn.microsoft.com/azure/sentinel/best-practices-workspace-architecture", + "severity": "Alto", + "subcategory": "Arquitectura ", + "text": "El cliente entiende la arquitectura de Sentinel", + "waf": "Seguridad" + }, + { + "category": "Centinela", + "guid": "e8f5c586-c7d9-4cdc-86ac-c075ef9b141a", + "id": "E01.03", + "link": "https://learn.microsoft.com/azure/sentinel/multiple-workspace-view", + "severity": "Medio", + "subcategory": "Arquitectura ", + "text": "El cliente sabe cómo supervisar los incidentes en varias instancias de Sentinel", + "waf": "Seguridad" + }, + { + "category": "Centinela", + "guid": "8989579e-76b8-497e-910a-7da7be9966e1", + "id": "E02.01", + "link": "https://learn.microsoft.com/azure/sentinel/manage-soc-with-incident-metrics", + "severity": "Medio", + "subcategory": "Visión general", + "text": "No hay incidencias abiertas más de 24 horas", + "waf": "Seguridad" + }, + { + "category": "Centinela", + "guid": "5d3c4ada-97cb-43d1-925a-b225c6f4e068", + "id": "E03.01", + "link": "https://learn.microsoft.com/azure/sentinel/whats-new", + "severity": "Bajo", + "subcategory": "Noticias y Guías", + "text": "Al cliente se le ha mostrado la pestaña Noticias y guías", + "waf": "Seguridad" + }, + { + "category": "Centinela", + "guid": "5edddea8-a4b7-4cde-a4c6-1fc3fc14eea6", + "id": "E04.01", + "link": "https://learn.microsoft.com/azure/sentinel/enable-entity-behavior-analytics", + "severity": "Medio", + "subcategory": "UEBA ", + "text": "UEBA configurada (Sentinel/Ajustes/Ajustes/Configurar UEBA)", + "waf": "Seguridad" + }, + { + "category": "Centinela", + "guid": 
"e69d8d9a-3eec-4218-b687-ab077adb49e5", + "id": "E05.01", + "link": "https://learn.microsoft.com/azure/sentinel/connect-azure-active-directory", + "severity": "Alto", + "subcategory": "Conectores de datos", + "text": "Azure Active Directory está configurado y \"Último registro recibido\" se muestra hoy", + "waf": "Seguridad" + }, + { + "category": "Centinela", + "guid": "b9603334-fdf8-4cc2-9318-db61171269f4", + "id": "E05.02", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-active-directory-identity-protection", + "severity": "Alto", + "subcategory": "Conectores de datos", + "text": "Azure Active Directory Identity Protection está configurado y se muestra hoy el mensaje \"Último registro recibido\"", + "waf": "Seguridad" + }, + { + "category": "Centinela", + "guid": "0b4aa3d3-e070-4327-9d4b-98b15b8a219a", + "id": "E05.03", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-activity", + "severity": "Alto", + "subcategory": "Conectores de datos", + "text": "La actividad de Azure está configurada, se configura y se muestra \"Último registro recibido\"", + "waf": "Seguridad" + }, + { + "category": "Centinela", + "guid": "8e13f9cc-bd46-4826-9abc-a264f9a19bfe", + "id": "E05.04", + "link": "https://learn.microsoft.com/azure/sentinel/connect-defender-for-cloud", + "severity": "Alto", + "subcategory": "Conectores de datos", + "text": "Microsoft Defender for Cloud está configurado y se muestra hoy el \"Último registro recibido\"", + "waf": "Seguridad" + }, + { + "category": "Centinela", + "guid": "9d55d04c-3c49-419c-a1b2-d1215ae114b9", + "id": "E05.05", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-firewall", + "severity": "Alto", + "subcategory": "Conectores de datos", + "text": "Azure Firewall está configurado y se muestra \"Último registro recibido\"", + "waf": "Seguridad" + }, + { + "category": "Centinela", + "guid": "34df585e-cccd-49bd-9ba0-cdb3b54eb2eb", + 
"id": "E05.06", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#windows-firewall", + "severity": "Alto", + "subcategory": "Conectores de datos", + "text": "El Firewall de Windows está configurado y se muestra hoy \"Último registro recibido\"", + "waf": "Seguridad" + }, + { + "category": "Centinela", + "guid": "03ddaa25-9271-48d2-bdb1-0725769ef669", + "id": "E05.07", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#windows-security-events-via-ama", + "severity": "Alto", + "subcategory": "Conectores de datos", + "text": "Los eventos de seguridad se configuran con AMA y el \"Último registro recibido\" se muestra hoy", + "waf": "Seguridad" + }, + { + "category": "Centinela", + "guid": "1a4834ac-9322-423e-ae80-b123081a5417", + "id": "E05.08", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference", + "severity": "Alto", + "subcategory": "Conectores de datos", + "text": "Eventos de seguridad: compruebe que los equipos de Azure están conectados y envían datos al área de trabajo", + "waf": "Seguridad" + }, + { + "category": "Centinela", + "guid": "859c773e-7e26-4162-9b77-5a917e1f348e", + "id": "E05.09", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference", + "severity": "Alto", + "subcategory": "Conectores de datos", + "text": "Eventos de seguridad: compruebe que los equipos que no son de Azure están conectados y envían datos al área de trabajo", + "waf": "Seguridad" + }, + { + "category": "Centinela", + "guid": "f354c27d-42e8-4bba-a868-155abb9163e9", + "id": "E05.10", + "link": "https://learn.microsoft.com/azure/sentinel/connect-aws?tabs=s3", + "severity": "Alto", + "subcategory": "Conectores de datos", + "text": "Conector para AWS", + "waf": "Seguridad" + }, + { + "category": "Centinela", + "guid": "909ae28c-84c3-43b6-a780-8bafe6c42149", + "id": "E05.11", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference", + "severity": "Alto", 
+ "subcategory": "Conectores de datos", + "text": "Conector para GCP", + "waf": "Seguridad" + }, + { + "category": "Centinela", + "guid": "d413a923-c357-44d1-8028-ac6aae01e6a8", + "id": "E06.01", + "link": "https://learn.microsoft.com/azure/sentinel/detect-threats-built-in", + "severity": "Alto", + "subcategory": "Reglas de análisis", + "text": "El cliente ha habilitado las reglas de Analytics y ha configurado los incidentes ", + "waf": "Seguridad" + }, + { + "category": "Centinela", + "guid": "4de5df43-d299-4248-8718-d5d1e5f62565", + "id": "E07.01", + "link": "https://azure.microsoft.com/updates/controlling-data-volume-and-retention-in-log-analytics-2/", + "severity": "Medio", + "subcategory": "Configuración", + "text": "El cliente no tiene habilitado un límite diario", + "waf": "Seguridad" + }, + { + "category": "Azure Firewall", + "guid": "9e3558fd-7724-49c9-9111-2d027fe412f7", + "id": "F01.01", + "link": "https://learn.microsoft.com/azure/firewall/premium-features", + "severity": "Alto", + "subcategory": "Configuración", + "text": "Implementación de Azure Firewall Premium", + "waf": "Seguridad" + }, + { + "category": "Azure Firewall", + "guid": "4dc74a74-8b66-433a-b2a0-916a764980ad", + "id": "F01.02", + "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal#create-a-default-route", + "severity": "Alto", + "subcategory": "Configuración", + "text": "Ajuste cuádruple cero/forzado habilitado a través de Azure Firewall", + "waf": "Seguridad" + }, + { + "category": "Azure Firewall", + "guid": "0e278ee2-93c1-4bc3-92ba-aab7571849ab", + "id": "F02.01", + "link": "https://techcommunity.microsoft.com/t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598", + "severity": "Medio", + "subcategory": "Control de acceso", + "text": "RBAC configurado para habilitar solo usuarios autorizados", + "waf": "Seguridad" + }, + { + "category": "Azure Firewall", + "guid": "8093dc9f-c9d1-4bb7-9b36-a5a67fbb9ed5", + "id": "F03.01", + 
"link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", + "severity": "Medio", + "subcategory": "Configuración de diagnóstico", + "text": "Diagnósticos habilitados y envío de métricas a un área de trabajo de Log Analytics ", + "waf": "Seguridad" + }, + { + "category": "Azure Firewall", + "guid": "b35478c3-4798-416b-8863-cffe1cac599e", + "id": "F04.01", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "severity": "Alto", + "subcategory": "Administrador de cortafuegos", + "text": "Los centros y las redes virtuales están protegidos o conectados a través de Firewall Premium", + "waf": "Seguridad" + }, + { + "category": "Azure Firewall", + "guid": "f0d5a73d-d4de-436c-8c81-770afbc4c0e4", + "id": "F04.02", + "link": "https://techcommunity.microsoft.com/t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598", + "severity": "Alto", + "subcategory": "Administrador de cortafuegos", + "text": "Directiva: Se configuran los controles de acceso (RBAC)", + "waf": "Seguridad" + }, + { + "category": "Azure Firewall", + "guid": "5c3a87af-4a79-41f8-a39b-da47768e14c1", + "id": "F04.03", + "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", + "severity": "Alto", + "subcategory": "Administrador de cortafuegos", + "text": "Directiva: se configura la directiva principal ", + "waf": "Seguridad" + }, + { + "category": "Azure Firewall", + "guid": "15675c1e-a55b-446a-a48f-f8ae7d7e4b47", + "id": "F04.04", + "link": "https://learn.microsoft.com/azure/firewall/rule-processing", + "severity": "Alto", + "subcategory": "Administrador de cortafuegos", + "text": "Directiva: se definen las colecciones de reglas", + "waf": "Seguridad" + }, + { + "category": "Azure Firewall", + "guid": "5b6c8bcb-f59b-4ce6-9de8-a03f97879468", + "id": "F04.05", + "link": "https://learn.microsoft.com/azure/firewall/rule-processing", + "severity": "Alto", + "subcategory": "Administrador de cortafuegos", + 
"text": "Política: se definen las políticas DNAT", + "waf": "Seguridad" + }, + { + "category": "Azure Firewall", + "guid": "d66a786d-60e9-46c9-9ad8-855d04c2b39c", + "id": "F04.06", + "link": "https://learn.microsoft.com/azure/firewall/rule-processing", + "severity": "Alto", + "subcategory": "Administrador de cortafuegos", + "text": "Directiva: Se definen las reglas de red", + "waf": "Seguridad" + }, + { + "category": "Azure Firewall", + "guid": "986bb2c1-2149-4a11-9b5e-3df574ecccd9", + "id": "F04.07", + "link": "https://learn.microsoft.com/azure/firewall/features", + "severity": "Alto", + "subcategory": "Administrador de cortafuegos", + "text": "Directiva: Se definen las reglas de aplicación", + "waf": "Seguridad" + }, + { + "category": "Azure Firewall", + "guid": "793a6bcd-a3b5-40eb-8eb0-3dd95d58d7c8", + "id": "F04.08", + "link": "https://learn.microsoft.com/azure/firewall/dns-details", + "severity": "Medio", + "subcategory": "Administrador de cortafuegos", + "text": "DNS: Característica entendida y aplicada o no aplicada", + "waf": "Seguridad" + }, + { + "category": "Azure Firewall", + "guid": "d622f54b-29ba-4de3-aad1-e8c28ec93666", + "id": "F04.09", + "link": "https://learn.microsoft.com/azure/firewall-manager/threat-intelligence-settings", + "severity": "Alto", + "subcategory": "Administrador de cortafuegos", + "text": "Inteligencia de amenazas: Establecer en Alerta y denegación", + "waf": "Seguridad" + }, + { + "category": "Azure Firewall", + "guid": "7313b005-674b-41e9-94a4-59c373e7ed61", + "id": "F04.10", + "link": "https://learn.microsoft.com/azure/firewall-manager/threat-intelligence-settings#allowlist-addresses", + "severity": "Alto", + "subcategory": "Administrador de cortafuegos", + "text": "Inteligencia de amenazas: Lista permitida (justifique si se están utilizando, es decir, rendimiento)", + "waf": "Seguridad" + }, + { + "category": "Azure Firewall", + "guid": "623b365a-917e-4cbe-98eb-d54cd7df2e8b", + "id": "F04.11", + "link": 
"https://learn.microsoft.com/azure/firewall/premium-certificates", + "severity": "Alto", + "subcategory": "Administrador de cortafuegos", + "text": "TLS habilitado", + "waf": "Seguridad" + }, + { + "category": "Azure Firewall", + "guid": "bac35715-59ab-4915-9e99-08aed8c44ce3", + "id": "F04.12", + "link": "https://learn.microsoft.com/azure/firewall/rule-processing", + "severity": "Alto", + "subcategory": "Administrador de cortafuegos", + "text": "IDPS habilitado", + "waf": "Seguridad" + }, + { + "category": "Azure Firewall", + "guid": "b2b3808b-9fa1-4cf1-849d-003a923ce474", + "id": "F04.13", + "link": "https://learn.microsoft.com/azure/firewall/snat-private-range", + "severity": "Alto", + "subcategory": "Administrador de cortafuegos", + "text": "SNAT: Configurado ", + "waf": "Seguridad" + }, + { + "category": "Azure Firewall", + "guid": "dbcbd8ac-2aae-4bca-8a43-da1dae2cc992", + "id": "F05.01", + "link": "https://learn.microsoft.com/azure/security/fundamentals/ddos-best-practices", + "severity": "Medio", + "subcategory": "Protección DDoS", + "text": "Habilitado para IP públicas de Firewall", + "waf": "Seguridad" + } + ], + "metadata": { + "name": "Azure Security Review Checklist", + "state": "Deprecated", + "timestamp": "June 24, 2024" + }, + "severities": [ + { + "name": "Alto" + }, + { + "name": "Medio" + }, + { + "name": "Bajo" + } + ], + "status": [ + { + "description": "Esta comprobación aún no se ha examinado", + "name": "No verificado" + }, + { + "description": "Hay un elemento de acción asociado a esta comprobación", + "name": "Abrir" + }, + { + "description": "Esta comprobación se ha verificado y no hay más elementos de acción asociados a ella", + "name": "Cumplido" + }, + { + "description": "Recomendación entendida, pero no necesaria por los requisitos actuales", + "name": "No es necesario" + }, + { + "description": "No aplicable para el diseño actual", + "name": "N/A" + } + ], + "waf": [ + { + "name": "Fiabilidad" + }, + { + "name": "Seguridad" + }, + { + 
"name": "Costar" + }, + { + "name": "Operaciones" + }, + { + "name": "Rendimiento" + } + ], + "yesno": [ + { + "name": "Sí" + }, + { + "name": "No" + } + ] +} \ No newline at end of file diff --git a/checklists/security_checklist.ja.json b/checklists/security_checklist.ja.json index 234eaaa05..a33d2ff17 100644 --- a/checklists/security_checklist.ja.json +++ b/checklists/security_checklist.ja.json 
@@ -1,1328 +1,1669 @@ { - "metadata": { - "name": "Azure セキュリティ レビュー チェックリスト" - }, - "items": [ - { - "category": "クラウド用ディフェンダー", - "subcategory": "価格と設定", - "text": "セキュリティ センター/ディフェンダーは、すべてのサブスクリプションで有効にします。", - "guid": "54174158-33fb-43ae-9c2d-e743165c3acb", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started" - }, - { - "category": "クラウド用ディフェンダー", - "subcategory": "価格と設定", - "text": "セキュリティ センター/ディフェンダーがすべてのログ分析ワークスペースで有効", - "guid": "349f0364-d28d-442e-abbb-c868255abc91", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/security-center/enable-azure-defender" - }, - { - "category": "クラウド用ディフェンダー", - "subcategory": "価格と設定", - "text": "データ収集は「共通」に設定", - "guid": "64e9a19a-e28c-484c-93b6-b7818ca0e6c4", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-feature#what-event-types-are-stored-for-common-and-minimal" - }, - { - "category": "クラウド用ディフェンダー", - "subcategory": "価格と設定", - "text": "Defender for Cloud の強化されたセキュリティ機能はすべて有効になっています", - "guid": "2149d414-a923-4c35-94d1-1029bd6aaf11", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/security-center/enable-azure-defender" - }, - { - "category": "クラウド用ディフェンダー", - "subcategory": "価格と設定", - "text": "会社のポリシーに従って自動プロビジョニングを有効にする (ポリシーが存在する必要があります)", - "guid": "e6b84ee5-ef43-4d29-a248-1718d5d1f5f7", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/security-center/security-center-enable-data-collection" - }, - { - "category": "クラウド用ディフェンダー", - "subcategory": "価格と設定", - "text": "会社のポリシーに従って有効な電子メール通知 (ポリシーが存在する必要があります)", - "guid": "25759e35-680e-4782-9ac9-32213d027ff4", - "severity": "低い", - "link": "https://learn.microsoft.com/azure/security-center/security-center-provide-security-contact-details" - }, - { - "category": "クラウド用ディフェンダー", - "subcategory": "価格と設定", - "text": "統合を有効にするオプションが選択されている", - "guid": "12f70993-0631-4583-9ee7-9d6c6d363206", - 
"severity": "中程度", - "link": "https://learn.microsoft.com/azure/security-center/security-center-wdatp?WT.mc_id=Portal-Microsoft_Azure_Security_CloudNativeCompute&tabs=windows" - }, - { - "category": "クラウド用ディフェンダー", - "subcategory": "価格と設定", - "text": "CI/CD 統合が構成されている", - "guid": "5b7bae4-4th-45e8-a79e-2e86667313c5", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/security-center/defender-for-container-registries-cicd" - }, - { - "category": "クラウド用ディフェンダー", - "subcategory": "価格と設定", - "text": "連続エクスポート「イベントハブ」は、サードパーティのSIEMを使用している場合に有効になります", - "guid": "05675c5e-985b-4859-a774-f7e371623b87", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal" - }, - { - "category": "クラウド用ディフェンダー", - "subcategory": "価格と設定", - "text": "継続的なエクスポート 'Log Analytics Workspace' は、Azure Sentinel を使用していない場合に有効になります。", - "guid": "5a917e1f-349f-4036-9d28-d42e8bbbc868", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal" - }, - { - "category": "クラウド用ディフェンダー", - "subcategory": "価格と設定", - "text": "AWS で有効になっているクラウドコネクタ", - "guid": "255abc91-64e9-4a19-ae28-c84c43b6b781", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/security-center/quickstart-onboard-aws?WT.mc_id=Portal-Microsoft_Azure_Security" - }, - { - "category": "クラウド用ディフェンダー", - "subcategory": "価格と設定", - "text": "GCP で有効なクラウドコネクタ", - "guid": "8ca0e6c4-2149-4d41-9a92-3c3574d11029", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/security-center/quickstart-onboard-gcp" - }, - { - "category": "クラウド用ディフェンダー", - "subcategory": "価格と設定", - "text": "Azure AD アプリケーション プロキシを使用する場合は、Microsoft Defender for Cloud Apps との統合を検討して、アプリケーションのアクセスをリアルタイムで監視し、高度なセキュリティ制御を適用することを検討してください。", - "guid": "cce9bdf6-b483-45a0-85ec-c8232b230652", - "severity": "低い", - "link": 
"https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy-integrate-with-microsoft-cloud-application-security" - }, - { - "category": "クラウド用ディフェンダー", - "subcategory": "推奨 事項", - "text": "すべての推奨事項は、必要でない場合は修復または無効にされました。", - "guid": "df9cc234-18db-4611-9126-5f4bb47a393a", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/security-center/secure-score-security-controls" - }, - { - "category": "クラウド用ディフェンダー", - "subcategory": "推奨 事項", - "text": "セキュリティスコア>70%", - "description": "マイクロソフトのすべてのお客様の最小目標は 70% です。", - "guid": "08032729-4798-4b15-98a2-19a46ceb5443", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/secure-score-security-controls" - }, - { - "category": "クラウド用ディフェンダー", - "subcategory": "セキュリティアラート", - "text": "セキュリティ警告には、過去 24 時間以内に生成されたもののみが含まれます (古いセキュリティ警告を修復または無効にする)", - "guid": "50259226-4429-42bb-9285-37a55119bf8e", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/tutorial-security-incident" - }, - { - "category": "クラウド用ディフェンダー", - "subcategory": "ブック", - "text": "継続的エクスポートが有効になっている場合、カスタム セキュリティ ダッシュボードにパブリッシュされた既定のブック", - "guid": "8f585428-7d9c-4dc1-96cd-072af9b141a8", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/security-center/custom-dashboards-azure-workbooks" - }, - { - "category": "クラウド用ディフェンダー", - "subcategory": "コミュニティ", - "text": "お客様は「コミュニティ」ページの価値を認識しており、レビュー用に定期的なリズムを設定しています。", - "guid": "98a535e7-3789-47e7-8ca7-da7be9962a15", - "severity": "中程度", - "link": "https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/bd-p/MicrosoftDefenderCloud" - }, - { - "category": "クラウド用ディフェンダー", - "subcategory": "セキュアスコア", - "text": "Security Center によって保護されているすべてのサブスクリプションが表示されます (サブスクリプション フィルター セットなし)", - "description": "お客様の運用のベストプラクティス - 透明性", - "guid": "93846da9-7cc3-4923-856b-22586f4a1641", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/enable-enhanced-security" - }, - { - 
"category": "クラウド用ディフェンダー", - "subcategory": "法規制の遵守", - "text": "コンプライアンスコントロールは、必要なコンプライアンス要件に対して緑色です", - "guid": "bdddea8a-487c-4deb-9861-bc3bc14aea6e", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/security-center/security-center-compliance-dashboard" - }, - { - "category": "クラウド用ディフェンダー", - "subcategory": "Azure Defender", - "text": "重大度の高い VM の脆弱性はゼロ (空) です。", - "description": "お客様の運用上のベスト・プラクティス - 検証", - "guid": "65e8d9a3-aec2-418e-9436-b0736db55f57", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/remediate-vulnerability-findings-vm" - }, - { - "category": "クラウド用ディフェンダー", - "subcategory": "ファイアウォールマネージャ", - "text": "ハブは Azure ファイアウォールによって保護されています。", - "guid": "9603334b-df9c-4c23-918d-b61171265f4b", - "severity": "中程度", - "link": "https://techcommunity.microsoft.com/t5/azure-network-security/azure-firewall-manager-is-now-integrated-with-azure-security/ba-p/2228679" - }, - { - "category": "クラウド用ディフェンダー", - "subcategory": "ファイアウォールマネージャ", - "text": "仮想ネットワークはファイアウォールで保護されています", - "description": "お客様の運用上のベスト・プラクティス - 検証", - "guid": "b47a393a-0803-4272-a479-8b1578a219a4", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/security/fundamentals/network-best-practices" - }, - { - "category": "クラウド用ディフェンダー", - "subcategory": "ファイアウォールマネージャ", - "text": "DDoS 標準が有効", - "guid": "6ceb5443-5025-4922-9442-92bb628537a5", - "severity": "中程度", - "link": "https://azure.microsoft.com/blog/how-azure-security-center-detects-ddos-attack-using-cyber-threat-intelligence/" - }, - { - "category": "クラウド用ディフェンダー", - "subcategory": "カバレッジ", - "text": "すべてのサブスクリプションがカバーされていることを確認します (変更する価格と設定を参照)。", - "guid": "5119bf8e-8f58-4542-a7d9-cdc166cd072a", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started?WT.mc_id=Portal-Microsoft_Azure_Security" - }, - { - "category": "Azure Networking", - "subcategory": "パブリック IP アドレス", - "text": "パブリック IP を持つ VM は NSG 
によって保護される必要があります。", - "guid": "4df585ec-dce9-4793-a7bc-db3b51eb2eb0", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses" - }, - { - "category": "Azure Networking", - "subcategory": "パブリック IP アドレス", - "text": "パブリック IP を持つ VM は、Azure Firewall Premium の背後に移動されます。", - "description": "お客様の運用上のベスト・プラクティス - 検証", - "guid": "3dda6e59-d7c8-4a2e-bb11-7d6769af669c", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses" - }, - { - "category": "Azure Networking", - "subcategory": "パブリック IP アドレス", - "text": "パブリックIPを必要としないVMにはパブリックIPがありません(つまり、内部RDPのみ)", - "description": "お客様の運用上のベスト・プラクティス - 検証", - "guid": "a48e5a85-f222-43ec-b8bb-12308ca5017f", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access" - }, - { - "category": "Azure Networking", - "subcategory": "ティッカー", - "text": "NSG RBAC は、ネットワーク セキュリティ チームへのアクセスを制限するために使用されます。", - "guid": "158e3ea3-a93c-42de-9e31-65c3a87a04b7", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview" - }, - { - "category": "Azure Networking", - "subcategory": "ティッカー", - "text": "NSG インバウンド セキュリティ規則に [ソース] フィールドに * (ワイルドカード) が含まれていません", - "description": "お客様の運用上のベスト・プラクティス - 検証", - "guid": "a209939b-da47-4778-b24c-116785c2fa55", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview" - }, - { - "category": "Azure Networking", - "subcategory": "ティッカー", - "text": "NSG アウトバウンド セキュリティ ルールは、ファイアウォール経由でルーティングされないトラフィックの特定の IP アドレスへのトラフィックを制御するために使用されます。", - "description": "お客様の運用上のベスト・プラクティス - 検証", - "guid": "b56a9480-08be-47d7-b4c4-76b6d8bdcf59", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview" - }, - { - "category": "Azure Networking", - "subcategory": "ティッカー", - "text": "NSG には、ソースを * 
(ワイルドカード) として配置していません。", - "description": "お客様の運用上のベスト・プラクティス - 検証", - "guid": "bce65de8-a13f-4988-9946-8d66a786d60f", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview" - }, - { - "category": "Azure Networking", - "subcategory": "ティッカー", - "text": "NSG Diagnostics が NetworkSecurityGroupEvent および NetworkSecurityGroupRuleCounter トラフィックを Sentinel LAW に送信する", - "guid": "a6c97be9-955d-404c-9c49-c986cb2d1215", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-nsg-manage-log" - }, - { - "category": "Azure Networking", - "subcategory": "ティッカー", - "text": "UDR RBAC は、ネットワーク セキュリティ チームへのアクセスを制限するために使用されます。", - "guid": "aa124b6e-4df5-485e-adce-9793b7bcdb3b", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview" - }, - { - "category": "Azure Networking", - "subcategory": "ティッカー", - "text": "ゼロ トラストの場合、UDR を使用してすべてのトラフィックが Azure Firewall Premium に送信されます。", - "guid": "51eb2eb0-3dda-46e5-ad7c-8a2edb117d67", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview" - }, - { - "category": "Azure Networking", - "subcategory": "ティッカー", - "text": "すべてのトラフィックを AzureFirewallPremium に送信しない UDR は既知であり、文書化されています。", - "description": "お客様の運用上のベスト・プラクティス - 検証", - "guid": "69af669c-a48e-45a8-9f22-23ece8bb1230", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview" - }, - { - "category": "Azure Networking", - "subcategory": "仮想ネットワーク", - "text": "お客様は、Azure ネットワークの既定値 / Azure での SDN の既定のルーティングに精通している", - "guid": "8ca5017f-158e-43ea-9a93-c2de7e3165c3", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview#default" - }, - { - "category": "Azure Networking", - "subcategory": "仮想ネットワーク", - "text": "VNet RBAC は、ネットワーク セキュリティ チームへのアクセスを制限するために使用されます。", - 
"description": "お客様の運用上のベスト・プラクティス - 検証", - "guid": "a87a04b7-a209-4939-ada4-7778f24c1167", - "severity": "中程度", - "link": "https://github.com/MicrosoftDocs/azure-docs/issues/53672" - }, - { - "category": "Azure Networking", - "subcategory": "仮想ネットワーク", - "text": "VNet セキュリティの推奨事項は修復され、「危険にさらされている」VNet はありません。", - "guid": "85c2fa55-b56a-4948-808b-e7d7e4c476b6", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/virtual-network/policy-reference" - }, - { - "category": "Azure Networking", - "subcategory": "仮想ネットワーク", - "text": "VNet ピアリング接続が理解され、予想されるトラフィック フローが文書化されている", - "guid": "d8bdcf59-bce6-45de-aa13-f98879468d66", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview" - }, - { - "category": "Azure Networking", - "subcategory": "仮想ネットワーク", - "text": "VNet サービス エンドポイントが使用中であり、従来のパブリック サービス エンドポイントは存在しません", - "guid": "a786d60f-a6c9-47be-a955-d04c3c49c986", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview" - }, - { - "category": "Azure Networking", - "subcategory": "仮想ネットワーク", - "text": "VNet プライベート エンドポイントはオンプレミス環境からのアクセスを許可するために使用されており、従来のパブリック エンドポイントは存在しません", - "guid": "1f625659-ee55-480a-9824-9c931213dbd7", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview" - }, - { - "category": "Azure Networking", - "subcategory": "仮想ネットワーク", - "text": "VNet 監視が有効になりました", - "guid": "fb012f70-943f-4630-9722-ea39d2b1ce63", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network" - }, - { - "category": "Azure Networking", - "subcategory": "仮想ネットワーク", - "text": "Azure Kubernetes Service (AKS) のネットワーク ポリシーを使用したポッド間のトラフィックのセキュリティ保護", - "guid": "2055b29b-ade4-4th-8e8c-39ec94666731", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/virtual-network/kubernetes-network-policies" - }, - { - "category": "Azure Networking", 
- "subcategory": "仮想ネットワーク", - "text": "VNet NVA(アプライアンス)のお客様は、公開されたアーキテクチャ パターンに従っています", - "guid": "3c005674-c1e9-445b-959c-373e7ed71623", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-scenario-udr-gw-nva" - }, - { - "category": "Azure Networking", - "subcategory": "仮想ネットワーク", - "text": "VNet 診断設定が有効で、VMProtectionAlert を Azure Sentinel LAW に送信している", - "guid": "b375a917-ecbe-448f-ae64-dd7df2e8bbbc", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network" - }, - { - "category": "Azure Networking", - "subcategory": "接続", - "text": "ExpressRoute または VPN を使用してオンプレミス環境から Azure リソースにアクセスする", - "guid": "468155ab-c916-44e9-a09a-ed8c44cf3b2b", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure" - }, - { - "category": "Azure Networking", - "subcategory": "仮想WAN", - "text": "VWAN RBAC は、ネットワーク セキュリティ チームへのアクセスを制限するために使用されます。", - "guid": "bd8ac2aa-ebca-42a4-9da1-dbf3dd992481", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about" - }, - { - "category": "Azure Networking", - "subcategory": "仮想WAN", - "text": "VWAN のお客様は、セキュアハブまたは外部ファイアウォールを使用してトラフィックをルーティングおよび監視しています。", - "guid": "718d1dca-1f62-4565-aee5-580a38249c93", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-global-transit-network-architecture" - }, - { - "category": "Azure Networking", - "subcategory": "アプリケーションゲートウェイ", - "text": "AppGW RBAC は、ネットワーク セキュリティ チームへのアクセスを制限するために使用されます。", - "guid": "1213dbd7-fb01-42f7-8943-f6304722ea39", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/web-application-firewall/overview" - }, - { - "category": "Azure Networking", - "subcategory": "アプリケーションゲートウェイ", - "text": "AppGW すべての外部向け Web サービスが、WAF が有効になっているアプリケーション ゲートウェイに依存しています。", - "guid": "d2b1ce63-2055-4b29-aade-4aad1e8c39ec", - "severity": "高い", - 
"link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip" - }, - { - "category": "Azure Networking", - "subcategory": "アプリケーションゲートウェイ", - "text": "AppGW すべての内部向け Web サービスが、WAF が有効になっているアプリケーション ゲートウェイに依存しています。", - "guid": "94666731-3c00-4567-9c1e-945b459c373e", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip" - }, - { - "category": "Azure Networking", - "subcategory": "アプリケーションゲートウェイ", - "text": "AppGW - 外部フェーシングでは TLS/SSL が有効になっており、すべてのトラフィックを 443 にリダイレクトします (ポート 80 トラフィックなし)", - "guid": "7ed71623-b375-4a91-9ecb-e48fbe64dd7d", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview" - }, - { - "category": "Azure Networking", - "subcategory": "フロントドア", - "text": "フロントドアRBACは、ネットワークセキュリティチームへのアクセスを制限するために使用されます", - "guid": "f2e8bbbc-4681-455a-ac91-64e9909aed8c", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/frontdoor/" - }, - { - "category": "Azure Networking", - "subcategory": "フロントドア", - "text": "フロント ドアは WAF ポリシーに関連付けられています。", - "guid": "44cf3b2b-3818-4baf-a2cf-2149d013a923", - "severity": "高い", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/front-door-security-baseline?toc=/azure/frontdoor/TOC.json" - }, - { - "category": "Azure Networking", - "subcategory": "フロントドア", - "text": "フロント ドア TLS/SSL ポリシーが構成されている", - "guid": "ce574dcc-bd8a-4c2a-aebc-a2a44da1dbf3", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-custom-domain-https" - }, - { - "category": "Azure Networking", - "subcategory": "フロントドア", - "text": "Front Door リダイレクト ポート 80 からポート 443 が設定されています (リスナー)", - "guid": "dd992481-718d-41dc-a1f6-25659ee5580a", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-url-redirect" - }, - { - "category": "Azure Networking", - "subcategory": "フロントドア", - "text": "Front Door diagnostics logs send 
ApplicationGatewayAccessLog &ApplicationGateway FirewallLog to Sentinel LAW", - "guid": "38249c93-1213-4dbd-9fb0-12f70943f630", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-diagnostics" - }, - { - "category": "Azure Networking", - "subcategory": "DDOS保護", - "text": "ファイアウォールのパブリック IP (すべてのパブリック IP) に対して有効", - "guid": "4722ea39-d2b1-4ce6-9205-5b29bade4aad", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/security/fundamentals/ddos-best-practices" - }, - { - "category": "同一性", - "subcategory": "テナント", - "text": "フルタイムの従業員とエンタープライズ リソースの ID を管理するための単一のエンタープライズ ディレクトリを確立します。", - "guid": "346ad56f-bdb8-44db-8bcd-0a689af63f1e", - "severity": "高い", - "link": "https://learn.microsoft.com/security/compass/identity#a-single-enterprise-directory" - }, - { - "category": "同一性", - "subcategory": "テナント", - "text": "クラウド ID を既存の ID システムと同期します。", - "guid": "a46108cd-6a76-4749-ae69-b7bf61410010", - "severity": "高い", - "link": "https://learn.microsoft.com/security/compass/identity#synchronized-identity-systems" - }, - { - "category": "同一性", - "subcategory": "テナント", - "text": "クラウド ID サービスを使用して、ベンダー、パートナー、顧客などの従業員以外のアカウントを、オンプレミスのディレクトリに含めるのではなく、ホストします。", - "guid": "a1ab96ceb-c149-4ce2-bcad-3bd375ebfc7f", - "severity": "高い", - "link": "https://learn.microsoft.com/security/compass/identity#cloud-provider-identity-source-for-third-parties" - }, - { - "category": "同一性", - "subcategory": "テナント", - "text": "インターネットに接続するサービスの安全でないレガシ プロトコルを無効にします。", - "guid": "343473ec-ed5c-49e1-98f4-cb09524a23cd", - "severity": "高い", - "link": "https://learn.microsoft.com/security/compass/identity#block-legacy-authentication" - }, - { - "category": "同一性", - "subcategory": "テナント", - "text": "シングルサインオンの有効化", - "guid": "70dceb23-50c7-4d8d-bf53-8cc104c7dc44", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/security/fundamentals/identity-management-best-practices#enable-single-sign-on" - }, - { - "category": "同一性", - "subcategory": 
"特権管理", - "text": "エンタープライズ ID システムをクラウド ディレクトリと同期するときに、オンプレミスのリソースへの最高の特権アクセスを持つアカウントを同期しないでください。", - "guid": "87791be1-1eb0-48ed-8003-ad9bcf241b99", - "severity": "高い", - "link": "https://learn.microsoft.com/security/compass/identity#no-on-premises-admin-accounts-in-cloud-identity-providers" - }, - { - "category": "同一性", - "subcategory": "特権管理", - "text": "グローバル管理者の数を 5 人未満に制限する", - "guid": "9e6efe9d-f28f-463b-9bff-b5080173e9fe", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#5-limit-the-number-of-global-administrators-to-less-than-5" - }, - { - "category": "同一性", - "subcategory": "特権管理", - "text": "Azure AD ロールの割り当てにグループを使用し、ロールの割り当てを委任する", - "guid": "e0d968d3-87f6-41fb-a4f9-d852f1673f4c", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#6-use-groups-for-azure-ad-role-assignments-and-delegate-the-role-assignment" - }, - { - "category": "同一性", - "subcategory": "特権管理", - "text": "すべての重大な影響の管理者がエンタープライズディレクトリによって管理され、組織のポリシーの適用に従うようにします。", - "guid": "00350863-4df6-4050-9cf1-cbaa6d58283e", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#managed-accounts-for-admins" - }, - { - "category": "同一性", - "subcategory": "特権管理", - "text": "定期的なアクセス レビューを構成して、不要なアクセス許可を時間の経過と共に取り消す", - "guid": "eae64d01-0d3a-4ae1-a89d-cc1c2ad3888f", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#4-configure-recurring-access-reviews-to-revoke-unneeded-permissions-over-time" - }, - { - "category": "同一性", - "subcategory": "特権管理", - "text": "重大な影響を被る管理者が、セキュリティ保護と監視を強化したワークステーションを使用するようにする", - "guid": "922ac19f-916d-4697-b8ea-ded26bdd186f", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#admin-workstation-security" - }, - { - "category": "同一性", - "subcategory": "外部アイデンティティ", - "text": "ID プロバイダー: 外部 ID 
プロバイダーが既知であることを確認する", - "guid": "1e8c39ec-9466-4673-83c0-05674c1e945b", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/active-directory/external-identities/compare-with-b2c" - }, - { - "category": "同一性", - "subcategory": "外部アイデンティティ", - "text": "外部コラボレーション設定: ゲスト ユーザー アクセスが [ゲスト ユーザー アクセスが制限されています?] に設定されています。", - "guid": "459c373e-7ed7-4162-9b37-5a917ecbe48f", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations" - }, - { - "category": "同一性", - "subcategory": "外部アイデンティティ", - "text": "外部コラボレーション設定: ゲスト招待の設定が [特定の管理者ロールに割り当てられているユーザーのみ] に設定されています。", - "guid": "be64dd7d-f2e8-4bbb-a468-155abc9164e9", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations" - }, - { - "category": "同一性", - "subcategory": "外部アイデンティティ", - "text": "外部コラボレーション設定: [無効] に設定されたフロー経由のゲストセルフサービス サインアップを有効にする", - "guid": "909aed8c-44cf-43b2-a381-8bafa2cf2149", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations" - }, - { - "category": "同一性", - "subcategory": "外部アイデンティティ", - "text": "外部コラボレーション設定: コラボレーションの制限が [指定したドメインへの招待を許可する] に設定されています。", - "guid": "d013a923-ce57-44dc-abd8-ac2aaebca2a4", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations" - }, - { - "category": "同一性", - "subcategory": "外部アイデンティティ", - "text": "アクセスレビュー: すべてのグループで有効", - "guid": "4da1dbf3-dd99-4248-8718-d1dca1f62565", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/active-directory/governance/deploy-access-reviews" - }, - { - "category": "同一性", - "subcategory": "エンタープライズアプリケーション", - "text": "同意とアクセス許可: 確認済みの発行元からのアプリのユーザーの同意を許可する", - "guid": "9ee5580a-3824-49c9-9121-3dbd7fb012f7", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/active-directory/manage-apps/configure-user-consent" - }, - { - "category": 
"同一性", - "subcategory": "エンタープライズアプリケーション", - "text": "同意と権限: 選択したグループ所有者にグループ所有者の同意を許可する", - "guid": "0943f630-4722-4ea3-ad2b-1ce632055b29", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/active-directory/manage-apps/configure-user-consent-groups" - }, - { - "category": "同一性", - "subcategory": "カスタムドメイン", - "text": "検証済みの顧客ドメインのみが登録されます。", - "guid": "bade4aad-1e8c-439e-a946-667313c00567", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy-configure-custom-domain" - }, - { - "category": "同一性", - "subcategory": "パスワードのリセット", - "text": "セルフサービスのパスワードリセットポリシー要件に準拠していることが確認されました。", - "guid": "4c1e945b-459c-4373-b7ed-71623b375a91", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-sspr" - }, - { - "category": "同一性", - "subcategory": "パスワードのリセット", - "text": "ユーザーに認証情報の再確認を求めるまでの日数の設定がゼロに設定されていない", - "guid": "7ecbe48f-be64-4dd7-bf2e-8bbbc468155a", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/howto-sspr-deployment" - }, - { - "category": "同一性", - "subcategory": "パスワードのリセット", - "text": "パスワードのリセットに必要なメソッドの設定数が選択されている", - "guid": "bc9164e9-909a-4ed8-a44c-f3b2b3818baf", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/howto-sspr-deployment" - }, - { - "category": "同一性", - "subcategory": "ユーザー設定", - "text": "「ユーザーがアプリケーションを登録できる」を無効にする", - "guid": "a2cf2149-d013-4a92-9ce5-74dccbd8ac2a", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/active-directory/roles/delegate-app-roles" - }, - { - "category": "同一性", - "subcategory": "ユーザー設定", - "text": "管理ポータル (portal.azure.com) へのアクセスを管理者のみに制限する", - "guid": "aebca2a4-4da1-4dbf-9dd9-92481718d1dc", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/users-default-permissions" - }, - { - "category": "同一性", - "subcategory": "ユーザー設定", - "text": 
"「LinkedInアカウント接続」を無効にする", - "guid": "a1f62565-9ee5-4580-a382-49c931213dbd", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/active-directory/enterprise-users/linkedin-integration" - }, - { - "category": "同一性", - "subcategory": "診断設定", - "text": "有効にし、Sentinelでログ分析ワークスペースに送信する", - "guid": "7fb012f7-0943-4f63-8472-2ea39d2b1ce6", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-monitoring" - }, - { - "category": "同一性", - "subcategory": "PIM が有効", - "text": "特権 ID 管理が有効", - "guid": "21e44a19-a9dd-4399-afd7-b28dc8355562", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-deployment-plan" - }, - { - "category": "同一性", - "subcategory": "PIM が有効", - "text": "「ジャストインタイム」(JIT)アクセスを実装して、特権アカウントの公開時間をさらに短縮(常設アクセスの削減)", - "guid": "46f4389a-7f42-4c78-b78c-06a63a21a495", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-usage?tabs=jit-config-asc%2Cjit-request-asc" - }, - { - "category": "同一性", - "subcategory": "条件付きアクセス ポリシー", - "text": "条件付きアクセスポリシー/アクセス制御の構成", - "guid": "6e6a8dc4-a20e-427b-9e29-711b1352beee", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policy-common" - }, - { - "category": "同一性", - "subcategory": "条件付きアクセス ポリシー", - "text": "条件: 制限された場所", - "guid": "079b588d-efc4-4972-ac3c-d21bf77036e5", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/location-condition" - }, - { - "category": "同一性", - "subcategory": "条件付きアクセス ポリシー", - "text": "アクセス制御: すべてのユーザーに対して MFA が有効", - "guid": "e6b4bed3-d5f3-4547-a134-7dc56028a71f", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa" - }, - { - "category": "同一性", - "subcategory": "条件付きアクセス ポリシー", - "text": "アクセス制御: 管理者に MFA を要求する", - 
"guid": "fe1bd15d-d2f0-4d5e-972d-41e3611cc57b", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa" - }, - { - "category": "同一性", - "subcategory": "条件付きアクセス ポリシー", - "text": "アクセス制御: Azure 管理に MFA を要求する", - "guid": "4a4b1410-d439-4589-ac22-89b3d6b57cfc", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-azure-management" - }, - { - "category": "同一性", - "subcategory": "条件付きアクセス ポリシー", - "text": "アクセス制御: ブロック レガシー プロトコル", - "guid": "645461e1-a3e3-4453-a3c8-639637a552d6", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy" - }, - { - "category": "同一性", - "subcategory": "条件付きアクセス ポリシー", - "text": "アクセス制御: デバイスを準拠としてマークする必要がある", - "guid": "7ae9eab4-0fd3-4290-998b-c178bdc5a06c", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/require-managed-devices" - }, - { - "category": "同一性", - "subcategory": "ゲスト ユーザー", - "text": "ゲストユーザーアカウントを追跡するポリシー(つまり、使用状況/削除/無効化)はありますか?", - "description": "お客様が文書化したポリシー", - "guid": "a7144351-e19d-4d34-929e-b7228137a151", - "severity": "中程度", - "link": "https://devblogs.microsoft.com/premier-developer/azure-active-directory-automating-guest-user-management/" - }, - { - "category": "同一性", - "subcategory": "アイデンティティセキュアスコア", - "text": "業界のベストプラクティスに基づくIDセキュアスコアの実装", - "guid": "c5bb4e4f-1814-4287-b5ca-8c26c9b32ab5", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/identity-secure-score" - }, - { - "category": "同一性", - "subcategory": "ガラスのアカウントを破る", - "text": "少なくとも 2 つの非常口アカウントが作成され、その使用に関するポリシーが存在します。", - "guid": "bcfc6998-a135-4e33-9897-e31c67d68cb6", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access" - }, - { - 
"category": "VM セキュリティ チェック", - "subcategory": "アクセス制御", - "text": "Azure Policy を活用して VM アクセスを制御する", - "guid": "0ac252b9-99a6-48af-a7c9-a8f821b8eb8c", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/governance/policy/overview" - }, - { - "category": "VM セキュリティ チェック", - "subcategory": "アクセス制御", - "text": "テンプレートを活用して VM のセットアップとデプロイのばらつきを軽減", - "guid": "0aa77e26-e4d5-4aea-a8dc-4e2436bc336d", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/templates/syntax" - }, - { - "category": "VM セキュリティ チェック", - "subcategory": "アクセス制御", - "text": "ガバナンスを通じてリソースにアクセスできるユーザーを減らすことにより、VMS を展開するための特権アクセスをセキュリティで保護", - "guid": "b5945bda-4333-44fd-b91c-234182b65275", - "severity": "中程度", - "link": "https://learn.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models" - }, - { - "category": "VM セキュリティ チェック", - "subcategory": "高可用性", - "text": "ワークロードに複数の VM を使用して可用性を向上させる", - "guid": "269440b4-be3d-43e0-a432-76d4bdc015bc", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service" - }, - { - "category": "VM セキュリティ チェック", - "subcategory": "高可用性", - "text": "災害復旧ソリューションの展開とテスト", - "guid": "f219e4a1-eb58-4879-935d-227886d30b66", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-first-look-arm" - }, - { - "category": "VM セキュリティ チェック", - "subcategory": "高可用性", - "text": "可用性セット", - "guid": "c57be595-1900-4838-95c5-86cb291ec16a", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview" - }, - { - "category": "VM セキュリティ チェック", - "subcategory": "高可用性", - "text": "アベイラビリティーゾーン", - "guid": "1d076ef9-f141-4acd-ae57-9377bcdb3751", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/availability-zones/az-overview?context=/azure/virtual-machines/context/context" - }, - { - "category": "VM セキュリティ チェック", - 
"subcategory": "高可用性", - "text": "地域のフォールトトレランス", - "guid": "ab2ac1fa-d66e-415d-9d5a-2adb2c3e2326", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/architecture/resiliency/recovery-loss-azure-region" - }, - { - "category": "VM セキュリティ チェック", - "subcategory": "マルウェアからの保護", - "text": "マルウェア対策ソリューションのインストール", - "guid": "af225ca4-4e16-496f-bdde-ace4cb1deb4c", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/security/fundamentals/antimalware" - }, - { - "category": "VM セキュリティ チェック", - "subcategory": "マルウェアからの保護", - "text": "マルウェア対策ソリューションをセキュリティセンターと統合する", - "guid": "650c3fc1-4eeb-4b36-a382-9e3eec218368", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/security-center/security-center-partner-integration" - }, - { - "category": "VM セキュリティ チェック", - "subcategory": "VM の更新の管理", - "text": "Azure オートメーションによる更新管理を使用して VM を最新の状態に保つ", - "guid": "7a0177a2-b594-45bd-a433-34fdf91c2341", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/automation/update-management/overview" - }, - { - "category": "VM セキュリティ チェック", - "subcategory": "VM の更新の管理", - "text": "展開する Windows イメージに最新のレベルの更新プログラムが適用されていることを確認する", - "guid": "c6fa96b9-6ad8-4840-af37-2734c876ba28", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/virtual-machines/automatic-vm-guest-patching" - }, - { - "category": "VM セキュリティ チェック", - "subcategory": "VM の更新の管理", - "text": "Microsoft Defender for Cloud を使用して VM にセキュリティ更新プログラムを迅速に適用する", - "guid": "02145901-465d-438e-9309-ccbd979266bc", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/security-center/asset-inventory" - }, - { - "category": "VM セキュリティ チェック", - "subcategory": "VHD を暗号化する", - "text": "VM で暗号化を有効にする", - "guid": "ca274faa-19bf-439d-a5d4-4c7c8919ca1f", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview" - }, - { - "category": "VM セキュリティ チェック", - "subcategory": "VHD を暗号化する", - "text": "暗号化のためのセキュリティ層を追加するためのキー暗号化キー (KEK) 
の追加", - "guid": "6d5315ae-524b-4a34-b458-5e12139bd7bb", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/virtual-machines/windows/disk-encryption-key-vault#set-up-a-key-encryption-key-kek" - }, - { - "category": "VM セキュリティ チェック", - "subcategory": "VHD を暗号化する", - "text": "ロールバックの目的で暗号化の前にディスクのスナップショットを作成する", - "guid": "012f7b95-e06e-4154-b2aa-3592828e6e20", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/virtual-machines/windows/snapshot-copy-managed-disk" - }, - { - "category": "VM セキュリティ チェック", - "subcategory": "直接インターネット接続を制限する", - "text": "中央ネットワーク グループのみがネットワーク リソースに対するアクセス許可を持っていることを確認する", - "guid": "5173676a-e466-491e-a835-ad942223E138", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles" - }, - { - "category": "VM セキュリティ チェック", - "subcategory": "直接インターネット接続を制限する", - "text": "「ANY」ソースIPアデスからのアクセスを許可する公開されたVMを識別して修復する", - "guid": "10523081-a941-4741-9833-ff7ad7c6d373", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/security-center/security-center-partner-integration" - }, - { - "category": "VM セキュリティ チェック", - "subcategory": "直接インターネット接続を制限する", - "text": "ジャストインタイムアクセスを使用した管理ポート(RDP、SSH)の制限", - "guid": "75a91be1-f388-4f03-a4d2-cd463cbbbc86", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/security-center/security-center-just-in-time" - }, - { - "category": "VM セキュリティ チェック", - "subcategory": "直接インターネット接続を制限する", - "text": "インターネット アクセスを削除し、RDP 用のジャンプ サーバーを実装する", - "guid": "8295abc9-1a4e-4da0-bae2-cc84c47b6b78", - "severity": "高い", - "link": "http://learn.microsoft.com/answers/questions/171195/how-to-create-jump-server-in-azure-not-bastion-paa.html" - }, - { - "category": "VM セキュリティ チェック", - "subcategory": "直接インターネット接続を制限する", - "text": "インターネットからRDP / SSHを使用してサーバーへの直接ログインを削除し、VPNまたは高速ルートを実装する", - "guid": "1cbafe6c-4658-49d4-98a9-27c3974d1102", - "severity": "高い", - "link": 
"https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-forced-tunneling" - }, - { - "category": "VM セキュリティ チェック", - "subcategory": "直接インターネット接続を制限する", - "text": "Azure Bastion を RDP/SSH ブローカーとして活用して、セキュリティの強化とフットプリントの削減を実現", - "guid": "dad6aae1-1e6b-484e-b5df-47d2d92881b1", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/bastion/bastion-overview" - }, - { - "category": "番兵", - "subcategory": "建築", - "text": "すべてのテナントで、少なくとも1つのLog AnalyticsワークスペースでSentinelが有効になっている", - "guid": "cd5d1e54-a297-459e-9968-0e78289c9356", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard" - }, - { - "category": "番兵", - "subcategory": "建築", - "text": "お客様がSentinelアーキテクチャを理解している", - "guid": "57d02bff-4564-4b0d-a34a-359836ee79d6", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/sentinel/best-practices-workspace-architecture" - }, - { - "category": "番兵", - "subcategory": "建築", - "text": "お客様は、複数のSentinelインスタンスにわたるインシデントを監視する方法を熟知しています。", - "guid": "e8f5c586-c7d9-4cdc-86ac-c075ef9b141a", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/sentinel/multiple-workspace-view" - }, - { - "category": "番兵", - "subcategory": "概要", - "text": "24時間以上オープンするインシデントはありません", - "guid": "8989579e-76b8-497e-910A-7Da7be9966E1", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/sentinel/manage-soc-with-incident-metrics" - }, - { - "category": "番兵", - "subcategory": "ニュースとガイド", - "text": "お客様には[ニュースとガイド]タブが表示されている。", - "guid": "5d3c4ada-97cb-43d1-925a-b225c6f4e068", - "severity": "低い", - "link": "https://learn.microsoft.com/azure/sentinel/whats-new" - }, - { - "category": "番兵", - "subcategory": "UEBA", - "text": "UEBA Configured (Sentinel/Settings/Settings/Configure UEBA)", - "guid": "5edddea8-a4b7-4cde-a4c6-1fc3fc14eea6", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/sentinel/enable-entity-behavior-analytics" - }, - { - "category": "番兵", - "subcategory": "データコネクタ", - "text": 
"Azure Active Directory in configured and 'Last Received Log Received' が今日表示される", - "guid": "e69d8d9a-3eec-4218-b687-ab077adb49e5", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/sentinel/connect-azure-active-directory" - }, - { - "category": "番兵", - "subcategory": "データコネクタ", - "text": "Azure Active Directory ID Protection が構成され、\"最後に受信したログ\" が今日表示されます。", - "guid": "b9603334-fdf8-4cc2-9318-db61171269f4", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-active-directory-identity-protection" - }, - { - "category": "番兵", - "subcategory": "データコネクタ", - "text": "Azure アクティビティが構成され、\"前回受信したログ\" が今日表示されます", - "guid": "0b4aa3d3-e070-4327-9d4b-98b15b8a219a", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-activity" - }, - { - "category": "番兵", - "subcategory": "データコネクタ", - "text": "Microsoft Defender for Cloud が構成され、「最後に受信したログ」が本日表示される", - "guid": "8e13f9cc-bd46-4826-9abc-a264f9a19bfe", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/sentinel/connect-defender-for-cloud" - }, - { - "category": "番兵", - "subcategory": "データコネクタ", - "text": "Azure ファイアウォールが構成され、\"最後に受信したログ\" が今日表示されます。", - "guid": "9d55d04c-3c49-419c-a1b2-d1215ae114b9", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-firewall" - }, - { - "category": "番兵", - "subcategory": "データコネクタ", - "text": "Windows ファイアウォールが構成され、[最後に受信したログ] が今日表示されます。", - "guid": "34df585e-cccd-49bd-9ba0-cdb3b54eb2eb", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#windows-firewall" - }, - { - "category": "番兵", - "subcategory": "データコネクタ", - "text": "セキュリティ イベントは AMA で構成されており、\"最後に受信したログ\" は今日表示されます。", - "guid": "03ddaa25-9271-48d2-bdb1-0725769ef669", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#windows-security-events-via-ama" - }, - 
{ - "category": "番兵", - "subcategory": "データコネクタ", - "text": "セキュリティ イベント - Azure コンピューターが接続され、ワークスペースにデータが送信されていることを確認します。", - "guid": "1a4834ac-9322-423e-ae80-b123081a5417", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference" - }, - { - "category": "番兵", - "subcategory": "データコネクタ", - "text": "セキュリティ イベント - Azure 以外のコンピューターが接続され、ワークスペースにデータが送信されていることを確認します。", - "guid": "859c773e-7e26-4162-9b77-5a917e1f348e", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference" - }, - { - "category": "番兵", - "subcategory": "データコネクタ", - "text": "AWS のコネクタ", - "guid": "f354c27d-42e8-4bba-a868-155abb9163e9", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/sentinel/connect-aws?tabs=s3" - }, - { - "category": "番兵", - "subcategory": "データコネクタ", - "text": "GCP用コネクタ", - "guid": "909ae28c-84c3-43b6-a780-8bafe6c42149", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference" - }, - { - "category": "番兵", - "subcategory": "分析ルール", - "text": "お客様がアナリティクスルールを有効にし、インシデントを設定しました", - "guid": "d413a923-c357-44d1-8028-ac6aae01e6a8", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/sentinel/detect-threats-built-in" - }, - { - "category": "番兵", - "subcategory": "設定", - "text": "お客様は日次上限を有効にしていません", - "guid": "4de5df43-d299-4248-8718-d5d1e5f62565", - "severity": "中程度", - "link": "https://azure.microsoft.com/updates/controlling-data-volume-and-retention-in-log-analytics-2/" - }, - { - "category": "Azure Firewall", - "subcategory": "構成", - "text": "Azure Firewall Premium がデプロイされました", - "guid": "9e3558fd-7724-49c9-9111-2d027fe412f7", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/firewall/premium-features" - }, - { - "category": "Azure Firewall", - "subcategory": "構成", - "text": "Azure ファイアウォール経由で有効なクワッド ゼロ/強制チューニング", - "guid": "4dc74a74-8b66-433a-b2a0-916a764980ad", - "severity": "高い", - "link": 
"https://learn.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal#create-a-default-route" - }, - { - "category": "Azure Firewall", - "subcategory": "アクセス制御", - "text": "許可されたユーザーのみを使用可能にするように設定された RBAC", - "guid": "0e278ee2-93c1-4bc3-92ba-aab7571849ab", - "severity": "中程度", - "link": "https://techcommunity.microsoft.com/t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598" - }, - { - "category": "Azure Firewall", - "subcategory": "診断設定", - "text": "診断が有効になり、メトリックが Log Analytics ワークスペースに送信される", - "guid": "8093dc9f-c9d1-4bb7-9b36-a5a67fbb9ed5", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics" - }, - { - "category": "Azure Firewall", - "subcategory": "ファイアウォールマネージャ", - "text": "ハブと仮想ネットワークは、ファイアウォールプレミアムを介して保護または接続されています", - "guid": "b35478c3-4798-416b-8863-cffe1cac599e", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview" - }, - { - "category": "Azure Firewall", - "subcategory": "ファイアウォールマネージャ", - "text": "ポリシー: アクセス制御が構成されている (RBAC)", - "guid": "f0d5a73d-d4de-436c-8c81-770afbc4c0e4", - "severity": "高い", - "link": "https://techcommunity.microsoft.com/t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598" - }, - { - "category": "Azure Firewall", - "subcategory": "ファイアウォールマネージャ", - "text": "ポリシー: 親ポリシーが構成されている", - "guid": "5c3a87af-4a79-41f8-a39b-da47768e14c1", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview" - }, - { - "category": "Azure Firewall", - "subcategory": "ファイアウォールマネージャ", - "text": "ポリシー: ルール コレクションが定義されている", - "guid": "15675c1e-a55b-446a-a48f-f8ae7d7e4b47", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/firewall/rule-processing" - }, - { - "category": "Azure Firewall", - "subcategory": "ファイアウォールマネージャ", - "text": "ポリシー: DNAT ポリシーが定義されている", - "guid": "5b6c8bcb-f59b-4ce6-9de8-a03f97879468", - "severity": "高い", - 
"link": "https://learn.microsoft.com/azure/firewall/rule-processing" - }, - { - "category": "Azure Firewall", - "subcategory": "ファイアウォールマネージャ", - "text": "ポリシー: ネットワークルールが定義されている", - "guid": "d66a786d-60e9-46c9-9ad8-855d04c2b39c", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/firewall/rule-processing" - }, - { - "category": "Azure Firewall", - "subcategory": "ファイアウォールマネージャ", - "text": "ポリシー: アプリケーション ルールが定義されている", - "guid": "986bb2c1-2149-4a11-9b5e-3df574ecccd9", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/firewall/features" - }, - { - "category": "Azure Firewall", - "subcategory": "ファイアウォールマネージャ", - "text": "DNS:機能が理解され、適用されているか、または適用されていないか", - "guid": "793a6bcd-a3b5-40eb-8eb0-3dd95d58d7c8", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/firewall/dns-details" - }, - { - "category": "Azure Firewall", - "subcategory": "ファイアウォールマネージャ", - "text": "脅威インテリジェンス: アラートと拒否に設定", - "guid": "d622f54b-29ba-4de3-aad1-e8c28ec93666", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/firewall-manager/threat-intelligence-settings" - }, - { - "category": "Azure Firewall", - "subcategory": "ファイアウォールマネージャ", - "text": "脅威インテリジェンス:許可リスト(使用されているかどうかを正当化する - つまりパフォーマンス)", - "guid": "7313b005-674b-41e9-94a4-59c373e7ed61", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/firewall-manager/threat-intelligence-settings#allowlist-addresses" - }, - { - "category": "Azure Firewall", - "subcategory": "ファイアウォールマネージャ", - "text": "TLS が有効", - "guid": "623b365a-917e-4cbe-98eb-d54cd7df2e8b", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/firewall/premium-certificates" - }, - { - "category": "Azure Firewall", - "subcategory": "ファイアウォールマネージャ", - "text": "IDPS が有効", - "guid": "bac35715-59ab-4915-9e99-08aed8c44ce3", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/firewall/rule-processing" - }, - { - "category": "Azure Firewall", - "subcategory": "ファイアウォールマネージャ", - "text": "SNAT: 
設定済み", - "guid": "b2b3808b-9fa1-4cf1-849d-003a923ce474", - "severity": "高い", - "link": "https://learn.microsoft.com/azure/firewall/snat-private-range" - }, - { - "category": "Azure Firewall", - "subcategory": "DDOS保護", - "text": "ファイアウォールのパブリックIPに対して有効", - "guid": "dbcbd8ac-2aae-4bca-8a43-da1dae2cc992", - "severity": "中程度", - "link": "https://learn.microsoft.com/azure/security/fundamentals/ddos-best-practices" - } - ], - "severities": [ - { - "name": "高い" - }, - { - "name": "中程度" - }, - { - "name": "低い" - } - ], - "status": [ - { - "name": "未検証", - "description": "このチェックはまだ見ていません" - }, - { - "name": "開ける", - "description": "このチェックに関連付けられているアクションアイテムがあります" - }, - { - "name": "達成", - "description": "このチェックは検証済みであり、それに関連付けられたアクションアイテムはこれ以上ありません。" - }, - { - "name": "必須ではありません", - "description": "推奨事項は理解しているが、現在の要件では必要ではない" - }, - { - "name": "該当なし", - "description": "現在の設計には適用されません" - } - ], - "categories": [ - { - "name": "クラウド用ディフェンダー" - }, - { - "name": "Azure Networking" - }, - { - "name": "同一性" - }, - { - "name": "VM セキュリティ チェック" - }, - { - "name": "番兵" - }, - { - "name": "Azure Firewall" - } - ] -} + "categories": [ + { + "name": "Defender For Cloud" + }, + { + "name": "Azure ネットワーク" + }, + { + "name": "同一性" + }, + { + "name": "VM セキュリティチェック" + }, + { + "name": "番兵" + }, + { + "name": "Azure Firewall" + } + ], + "items": [ + { + "category": "Defender For Cloud", + "guid": "54174158-33fb-43ae-9c2d-e743165c3acb", + "id": "A01.01", + "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started", + "severity": "高い", + "subcategory": "価格と設定", + "text": "すべてのサブスクリプションで Security Center/Defender を有効にする", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "349f0364-d28d-442e-abbb-c868255abc91", + "id": "A01.02", + "link": "https://learn.microsoft.com/azure/security-center/enable-azure-defender", + "severity": "高い", + "subcategory": "価格と設定", + "text": "すべての Log Analytics ワークスペースで Security Center/Defender が有効になっている", + "waf": 
"安全" + }, + { + "category": "Defender For Cloud", + "guid": "64e9a19a-e28c-484c-93b6-b7818ca0e6c4", + "id": "A01.03", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-feature#what-event-types-are-stored-for-common-and-minimal", + "severity": "中程度", + "subcategory": "価格と設定", + "text": "データ コレクションを 'Common' に設定", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "2149d414-a923-4c35-94d1-1029bd6aaf11", + "id": "A01.04", + "link": "https://learn.microsoft.com/azure/security-center/enable-azure-defender", + "severity": "高い", + "subcategory": "価格と設定", + "text": "Defender for Cloud の強化されたセキュリティ機能がすべて有効になっている", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "e6b84ee5-ef43-4d29-a248-1718d5d1f5f7", + "id": "A01.05", + "link": "https://learn.microsoft.com/azure/security-center/security-center-enable-data-collection", + "severity": "中程度", + "subcategory": "価格と設定", + "text": "会社のポリシーに従って自動プロビジョニングを有効にする (ポリシーが存在する必要があります)", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "25759e35-680e-4782-9ac9-32213d027ff4", + "id": "A01.06", + "link": "https://learn.microsoft.com/azure/security-center/security-center-provide-security-contact-details", + "severity": "低い", + "subcategory": "価格と設定", + "text": "会社のポリシーに従って有効になっている電子メール通知 (ポリシーが存在する必要があります)", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "12f70993-0631-4583-9ee7-9d6c6d363206", + "id": "A01.07", + "link": "https://learn.microsoft.com/azure/security-center/security-center-wdatp?WT.mc_id=Portal-Microsoft_Azure_Security_CloudNativeCompute&tabs=windows", + "severity": "中程度", + "subcategory": "価格と設定", + "text": "統合オプションを有効にする が選択されている", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "5b7abae4-4aad-45e8-a79e-2e86667313c5", + "id": "A01.08", + "link": "https://learn.microsoft.com/azure/security-center/defender-for-container-registries-cicd", + "severity": "中程度", + 
"subcategory": "価格と設定", + "text": "CI/CD 統合が構成されている", + "waf": "オペレーションズ" + }, + { + "category": "Defender For Cloud", + "guid": "05675c5e-985b-4859-a774-f7e371623b87", + "id": "A01.09", + "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal", + "severity": "高い", + "subcategory": "価格と設定", + "text": "連続エクスポートの \"Event Hub\" は、サード パーティの SIEM を使用している場合に有効になります", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "5a917e1f-349f-4036-9d28-d42e8bbbc868", + "id": "A01.10", + "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal", + "severity": "中程度", + "subcategory": "価格と設定", + "text": "連続エクスポート \"Log Analytics ワークスペース\" は、Azure Sentinel を使用していない場合に有効になります", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "255abc91-64e9-4a19-ae28-c84c43b6b781", + "id": "A01.11", + "link": "https://learn.microsoft.com/azure/security-center/quickstart-onboard-aws?WT.mc_id=Portal-Microsoft_Azure_Security", + "severity": "高い", + "subcategory": "価格と設定", + "text": "AWSで有効なクラウドコネクタ", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "8ca0e6c4-2149-4d41-9a92-3c3574d11029", + "id": "A01.12", + "link": "https://learn.microsoft.com/azure/security-center/quickstart-onboard-gcp", + "severity": "高い", + "subcategory": "価格と設定", + "text": "GCPに対応したクラウドコネクタ", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "cce9bdf6-b483-45a0-85ec-c8232b230652", + "id": "A01.13", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy-integrate-with-microsoft-cloud-application-security", + "severity": "低い", + "subcategory": "価格と設定", + "text": "Azure AD アプリケーション プロキシを使用する場合は、Microsoft Defender for Cloud Apps と統合して、アプリケーション アクセスをリアルタイムで監視し、高度なセキュリティ制御を適用することを検討してください。", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "df9cc234-18db-4611-9126-5f4bb47a393a", + "id": "A02.01", + "link": 
"https://learn.microsoft.com/azure/security-center/secure-score-security-controls", + "severity": "中程度", + "subcategory": "推奨 事項", + "text": "すべての推奨事項は、不要な場合は修復または無効化されます。", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "description": "すべてのお客様に対する Microsoft の最小目標は 70% です", + "guid": "08032729-4798-4b15-98a2-19a46ceb5443", + "id": "A02.02", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/secure-score-security-controls", + "severity": "高い", + "subcategory": "推奨 事項", + "text": "セキュリティスコア>70%", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "50259226-4429-42bb-9285-37a55119bf8e", + "id": "A03.01", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/tutorial-security-incident", + "severity": "中程度", + "subcategory": "セキュリティ アラート", + "text": "セキュリティ アラートには、過去 24 時間以内に生成されたもののみが含まれます (古いセキュリティ アラートを修復または無効にします)", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "8f585428-7d9c-4dc1-96cd-072af9b141a8", + "id": "A04.01", + "link": "https://learn.microsoft.com/azure/security-center/custom-dashboards-azure-workbooks", + "severity": "中程度", + "subcategory": "ブック", + "text": "連続エクスポートが有効になっている場合、既定のワークブックはカスタム セキュリティ ダッシュボードにパブリッシュされます", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "98a535e7-3789-47e7-8ca7-da7be9962a15", + "id": "A05.01", + "link": "https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/bd-p/MicrosoftDefenderCloud", + "severity": "中程度", + "subcategory": "コミュニティ", + "text": "お客様は「コミュニティ」ページの価値を認識しており、定期的に確認するように設定されています", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "description": "お客様の運用のベストプラクティス - 透明性", + "guid": "93846da9-7cc3-4923-856b-22586f4a1641", + "id": "A06.01", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/enable-enhanced-security", + "severity": "高い", + "subcategory": "セキュリティ スコア", + "text": "Security Center によって保護されているすべてのサブスクリプションが表示されます (サブスクリプション フィルターは設定されていません)", + "waf": "安全" + }, + { + 
"category": "Defender For Cloud", + "guid": "bdddea8a-487c-4deb-9861-bc3bc14aea6e", + "id": "A07.01", + "link": "https://learn.microsoft.com/azure/security-center/security-center-compliance-dashboard", + "severity": "高い", + "subcategory": "法規制の遵守", + "text": "コンプライアンス制御は、必要なコンプライアンス要件に対して緑色です", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "description": "お客様の運用のベスト プラクティス - 確認", + "guid": "65e8d9a3-aec2-418e-9436-b0736db55f57", + "id": "A08.01", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/remediate-vulnerability-findings-vm", + "severity": "高い", + "subcategory": "Azure Defender", + "text": "重大度の高い VM の脆弱性は 0 (空) です", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "9603334b-df9c-4c23-918d-b61171265f4b", + "id": "A09.01", + "link": "https://techcommunity.microsoft.com/t5/azure-network-security/azure-firewall-manager-is-now-integrated-with-azure-security/ba-p/2228679", + "severity": "中程度", + "subcategory": "ファイアウォール マネージャー", + "text": "ハブは Azure Firewall によって保護されます", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "description": "お客様の運用のベスト プラクティス - 確認", + "guid": "b47a393a-0803-4272-a479-8b1578a219a4", + "id": "A09.02", + "link": "https://learn.microsoft.com/azure/security/fundamentals/network-best-practices", + "severity": "中程度", + "subcategory": "ファイアウォール マネージャー", + "text": "仮想ネットワークはファイアウォールによって保護されています", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "6ceb5443-5025-4922-9442-92bb628537a5", + "id": "A09.03", + "link": "https://azure.microsoft.com/blog/how-azure-security-center-detects-ddos-attack-using-cyber-threat-intelligence/", + "severity": "中程度", + "subcategory": "ファイアウォール マネージャー", + "text": "DDoS Standard 対応", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "5119bf8e-8f58-4542-a7d9-cdc166cd072a", + "id": "A10.01", + "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started?WT.mc_id=Portal-Microsoft_Azure_Security", + 
"severity": "高い", + "subcategory": "カバレッジ", + "text": "すべてのサブスクリプションが対象であることを確認します (変更するには、「価格と設定」を参照してください)", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "4df585ec-dce9-4793-a7bc-db3b51eb2eb0", + "id": "B01.01", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses", + "severity": "高い", + "subcategory": "パブリック IP", + "text": "パブリック IP を持つ VM は NSG によって保護する必要がある", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "description": "お客様の運用のベスト プラクティス - 確認", + "guid": "3dda6e59-d7c8-4a2e-bb11-7d6769af669c", + "id": "B01.02", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses", + "severity": "高い", + "subcategory": "パブリック IP", + "text": "パブリック IP を持つ VM は、Azure Firewall Premium の背後に移動されます", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "description": "お客様の運用のベスト プラクティス - 確認", + "guid": "a48e5a85-f222-43ec-b8bb-12308ca5017f", + "id": "B01.03", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", + "severity": "高い", + "subcategory": "パブリック IP", + "text": "パブリック IP を必要としない VM にはパブリック IP がありません (つまり、内部 RDP のみ)", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "158e3ea3-a93c-42de-9e31-65c3a87a04b7", + "id": "B02.01", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview", + "severity": "中程度", + "subcategory": "NSGの", + "text": "NSG RBAC は、ネットワーク セキュリティ チームへのアクセスを制限するために使用されます", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "description": "お客様の運用のベスト プラクティス - 確認", + "guid": "a209939b-da47-4778-b24c-116785c2fa55", + "id": "B02.02", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview", + "severity": "高い", + "subcategory": "NSGの", + "text": "NSG 受信セキュリティ規則の [ソース] フィールドに * (ワイルドカード) が含まれていません", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "description": "お客様の運用のベスト プラクティス - 確認", + "guid": 
"b56a9480-08be-47d7-b4c4-76b6d8bdcf59", + "id": "B02.03", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview", + "severity": "中程度", + "subcategory": "NSGの", + "text": "NSG 送信セキュリティ規則は、ファイアウォール経由でルーティングされないトラフィックの特定の IP アドレスへのトラフィックを制御するために使用されます", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "description": "お客様の運用のベスト プラクティス - 確認", + "guid": "bce65de8-a13f-4988-9946-8d66a786d60f", + "id": "B02.04", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview", + "severity": "高い", + "subcategory": "NSGの", + "text": "NSG には、ソースが * (ワイルドカード) として設定されていません。", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "a6c97be9-955d-404c-9c49-c986cb2d1215", + "id": "B02.05", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-nsg-manage-log", + "severity": "中程度", + "subcategory": "NSGの", + "text": "NSG 診断によって NetworkSecurityGroupEvent トラフィックと NetworkSecurityGroupRuleCounter トラフィックが Sentinel LAW に送信される", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "aa124b6e-4df5-485e-adce-9793b7bcdb3b", + "id": "B03.01", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "severity": "中程度", + "subcategory": "UDR (UDR)", + "text": "UDR RBAC は、ネットワーク セキュリティ チームへのアクセスを制限するために使用されます", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "51eb2eb0-3dda-46e5-ad7c-8a2edb117d67", + "id": "B03.02", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "severity": "高い", + "subcategory": "UDR (UDR)", + "text": "ゼロ トラストの場合、UDR を使用してすべてのトラフィックが Azure Firewall Premium に送信されます", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "description": "お客様の運用のベスト プラクティス - 確認", + "guid": "69af669c-a48e-45a8-9f22-23ece8bb1230", + "id": "B03.03", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "severity": "中程度", + "subcategory": "UDR 
(UDR)", + "text": "すべてのトラフィックを AzureFirewallPremium に送信しない UDR は既知であり、文書化されています。", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "8ca5017f-158e-43ea-9a93-c2de7e3165c3", + "id": "B04.01", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview#default", + "severity": "高い", + "subcategory": "仮想ネットワーク", + "text": "お客様は、Azure での Azure ネットワークの既定値と SDN の既定のルーティングに精通しています", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "description": "お客様の運用のベスト プラクティス - 確認", + "guid": "a87a04b7-a209-4939-ada4-7778f24c1167", + "id": "B04.02", + "link": "https://github.com/MicrosoftDocs/azure-docs/issues/53672", + "severity": "中程度", + "subcategory": "仮想ネットワーク", + "text": "VNet RBAC は、ネットワーク セキュリティ チームへのアクセスを制限するために使用されます", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "85c2fa55-b56a-4948-808b-e7d7e4c476b6", + "id": "B04.03", + "link": "https://learn.microsoft.com/azure/virtual-network/policy-reference", + "severity": "高い", + "subcategory": "仮想ネットワーク", + "text": "VNet のセキュリティに関する推奨事項が修復され、\"リスクのある\" VNet がない", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "d8bdcf59-bce6-45de-aa13-f98879468d66", + "id": "B04.04", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", + "severity": "高い", + "subcategory": "仮想ネットワーク", + "text": "VNet ピアリング接続が認識され、予想されるトラフィック フローが文書化されている", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "a786d60f-a6c9-47be-a955-d04c3c49c986", + "id": "B04.05", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", + "severity": "高い", + "subcategory": "仮想ネットワーク", + "text": "VNet サービス エンドポイントが使用中であり、レガシ パブリック サービス エンドポイントが存在しない", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "1f625659-ee55-480a-9824-9c931213dbd7", + "id": "B04.06", + "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", + "severity": "高い", + "subcategory": "仮想ネットワーク", 
+ "text": "VNet プライベート エンドポイントは、オンプレミス環境からのアクセスを許可するために使用されており、レガシ パブリック エンドポイントは存在しません", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "fb012f70-943f-4630-9722-ea39d2b1ce63", + "id": "B04.07", + "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network", + "severity": "高い", + "subcategory": "仮想ネットワーク", + "text": "VNet 監視が有効", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "2055b29b-ade4-4aad-8e8c-39ec94666731", + "id": "B04.08", + "link": "https://learn.microsoft.com/azure/virtual-network/kubernetes-network-policies", + "severity": "高い", + "subcategory": "仮想ネットワーク", + "text": "Azure Kubernetes Service (AKS) のネットワーク ポリシーを使用してポッド間のトラフィックをセキュリティで保護するSecure traffic between pods using network policies in Azure Kubernetes Service (AKS)", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "3c005674-c1e9-445b-959c-373e7ed71623", + "id": "B04.09", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-scenario-udr-gw-nva", + "severity": "高い", + "subcategory": "仮想ネットワーク", + "text": "VNet NVA (アプライアンス) のお客様は、公開されているアーキテクチャ パターンに従います", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "b375a917-ecbe-448f-ae64-dd7df2e8bbbc", + "id": "B04.10", + "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network", + "severity": "高い", + "subcategory": "仮想ネットワーク", + "text": "VNet 診断設定が有効になっていて、VMProtectionAlerts が Azure Sentinel LAW に送信されている", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "468155ab-c916-44e9-a09a-ed8c44cf3b2b", + "id": "B05.01", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "severity": "高い", + "subcategory": "接続", + "text": "ExpressRoute または VPN を使用してオンプレミス環境から Azure リソースにアクセスする", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "bd8ac2aa-ebca-42a4-9da1-dbf3dd992481", + "id": "B06.01", + "link": 
"https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "severity": "高い", + "subcategory": "仮想WAN", + "text": "VWAN RBACは、ネットワークセキュリティチームへのアクセスを制限するために使用されます", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "718d1dca-1f62-4565-aee5-580a38249c93", + "id": "B06.02", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-global-transit-network-architecture", + "severity": "高い", + "subcategory": "仮想WAN", + "text": "VWANカスタマーは、Secure Hubまたは外部ファイアウォールを使用してトラフィックのルーティングと監視を行っています。", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "1213dbd7-fb01-42f7-8943-f6304722ea39", + "id": "B07.01", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", + "severity": "高い", + "subcategory": "アプリケーション ゲートウェイ", + "text": "AppGW RBACは、ネットワークセキュリティチームへのアクセスを制限するために使用されます", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "d2b1ce63-2055-4b29-aade-4aad1e8c39ec", + "id": "B07.02", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip", + "severity": "高い", + "subcategory": "アプリケーション ゲートウェイ", + "text": "AppGW: すべての外部向け Web サービスは、WAF が有効になっている Application Gateway の背後にあります", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "94666731-3c00-4567-9c1e-945b459c373e", + "id": "B07.03", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip", + "severity": "高い", + "subcategory": "アプリケーション ゲートウェイ", + "text": "AppGW: すべての内部向け Web サービスは、WAF が有効になっている Application Gateway の背後にあります", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "7ed71623-b375-4a91-9ecb-e48fbe64dd7d", + "id": "B07.04", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", + "severity": "高い", + "subcategory": "アプリケーション ゲートウェイ", + "text": "AppGW - 外部向けで TLS/SSL が有効になっており、すべてのトラフィックが 443 にリダイレクトされます (ポート 80 トラフィックなし)", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "f2e8bbbc-4681-455a-ac91-64e9909aed8c", 
+ "id": "B08.01", + "link": "https://learn.microsoft.com/azure/frontdoor/", + "severity": "高い", + "subcategory": "フロントドア", + "text": "Front Door RBAC は、ネットワーク セキュリティ チームへのアクセスを制限するために使用されます", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "44cf3b2b-3818-4baf-a2cf-2149d013a923", + "id": "B08.02", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/front-door-security-baseline?toc=/azure/frontdoor/TOC.json", + "severity": "高い", + "subcategory": "フロントドア", + "text": "Front Door は WAF ポリシーに関連付けられています", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "ce574dcc-bd8a-4c2a-aebc-a2a44da1dbf3", + "id": "B08.03", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-custom-domain-https", + "severity": "高い", + "subcategory": "フロントドア", + "text": "Front Door TLS/SSL ポリシーが構成されている", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "dd992481-718d-41dc-a1f6-25659ee5580a", + "id": "B08.04", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-url-redirect", + "severity": "高い", + "subcategory": "フロントドア", + "text": "Front Door リダイレクト ポート 80 からポート 443 が構成されている (リスナー)", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "38249c93-1213-4dbd-9fb0-12f70943f630", + "id": "B08.05", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-diagnostics", + "severity": "高い", + "subcategory": "フロントドア", + "text": "Front Door 診断ログから ApplicationGatewayAccessLog と ApplicationGateway FirewallLog が Sentinel LAW に送信される", + "waf": "安全" + }, + { + "category": "Azure ネットワーク", + "guid": "4722ea39-d2b1-4ce6-9205-5b29bade4aad", + "id": "B09.01", + "link": "https://learn.microsoft.com/azure/security/fundamentals/ddos-best-practices", + "severity": "高い", + "subcategory": "DDOSプロテクション", + "text": "ファイアウォールのパブリック IP (すべてのパブリック IP) に対して有効", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "346ad56f-bdb8-44db-8bcd-0a689af63f1e", + "id": "C01.01", + "link": 
"https://learn.microsoft.com/security/compass/identity#a-single-enterprise-directory", + "severity": "高い", + "subcategory": "テナント", + "text": "フルタイムの従業員とエンタープライズ リソースの ID を管理するための単一のエンタープライズ ディレクトリを確立します。", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "a46108cd-6a76-4749-ae69-b7bf61410010", + "id": "C01.02", + "link": "https://learn.microsoft.com/security/compass/identity#synchronized-identity-systems", + "severity": "高い", + "subcategory": "テナント", + "text": "クラウド ID を既存の ID システムと同期します。", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "a1ab96ceb-c149-4ce2-bcad-3bd375ebfc7f", + "id": "C01.03", + "link": "https://learn.microsoft.com/security/compass/identity#cloud-provider-identity-source-for-third-parties", + "severity": "高い", + "subcategory": "テナント", + "text": "クラウド ID サービスを使用して、ベンダー、パートナー、顧客などの従業員以外のアカウントをオンプレミスのディレクトリに含めるのではなく、ホストします。", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "343473ec-ed5c-49e1-98f4-cb09524a23cd", + "id": "C01.04", + "link": "https://learn.microsoft.com/security/compass/identity#block-legacy-authentication", + "severity": "高い", + "subcategory": "テナント", + "text": "インターネットに接続するサービスの安全でないレガシ プロトコルを無効にします。", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "70dceb23-50c7-4d8d-bf53-8cc104c7dc44", + "id": "C01.05", + "link": "https://learn.microsoft.com/azure/security/fundamentals/identity-management-best-practices#enable-single-sign-on", + "severity": "高い", + "subcategory": "テナント", + "text": "シングルサインオンを有効にする", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "87791be1-1eb0-48ed-8003-ad9bcf241b99", + "id": "C02.01", + "link": "https://learn.microsoft.com/security/compass/identity#no-on-premises-admin-accounts-in-cloud-identity-providers", + "severity": "高い", + "subcategory": "特権管理", + "text": "エンタープライズ ID システムをクラウド ディレクトリと同期するときに、オンプレミス リソースへの最高の特権アクセス権を持つアカウントを同期しないでください。", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "9e6efe9d-f28f-463b-9bff-b5080173e9fe", + "id": "C02.02", + "link": 
"https://learn.microsoft.com/azure/active-directory/roles/best-practices#5-limit-the-number-of-global-administrators-to-less-than-5", + "severity": "高い", + "subcategory": "特権管理", + "text": "グローバル管理者の数を 5 人未満に制限する", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "e0d968d3-87f6-41fb-a4f9-d852f1673f4c", + "id": "C02.03", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#6-use-groups-for-azure-ad-role-assignments-and-delegate-the-role-assignment", + "severity": "高い", + "subcategory": "特権管理", + "text": "Azure AD ロールの割り当てにグループを使用し、ロールの割り当てを委任する", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "00350863-4df6-4050-9cf1-cbaa6d58283e", + "id": "C02.04", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#managed-accounts-for-admins", + "severity": "高い", + "subcategory": "特権管理", + "text": "すべての重大な影響のある管理者がエンタープライズ ディレクトリによって管理され、組織のポリシーの適用に従うようにします。", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "eae64d01-0d3a-4ae1-a89d-cc1c2ad3888f", + "id": "C02.05", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#4-configure-recurring-access-reviews-to-revoke-unneeded-permissions-over-time", + "severity": "高い", + "subcategory": "特権管理", + "text": "定期的なアクセス レビューを構成して、時間の経過と共に不要なアクセス許可を取り消す", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "922ac19f-916d-4697-b8ea-ded26bdd186f", + "id": "C02.06", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#admin-workstation-security", + "severity": "中程度", + "subcategory": "特権管理", + "text": "重大な影響の管理者が、高度なセキュリティ保護と監視を備えたワークステーションを使用できるようにする", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "1e8c39ec-9466-4673-83c0-05674c1e945b", + "id": "C03.01", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/compare-with-b2c", + "severity": "高い", + "subcategory": "外部 ID", + "text": "ID プロバイダー: 外部 ID プロバイダーが既知であることを確認する", + "waf": "安全" + }, + { + 
"category": "同一性", + "guid": "459c373e-7ed7-4162-9b37-5a917ecbe48f", + "id": "C03.02", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations", + "severity": "高い", + "subcategory": "外部 ID", + "text": "外部コラボレーション設定: ゲスト ユーザー アクセスが [ゲスト ユーザー アクセスが制限されていますか?] に設定", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "be64dd7d-f2e8-4bbb-a468-155abc9164e9", + "id": "C03.03", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations", + "severity": "高い", + "subcategory": "外部 ID", + "text": "外部コラボレーション設定: ゲスト招待設定を [特定の管理者ロールに割り当てられたユーザーのみ] に設定", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "909aed8c-44cf-43b2-a381-8bafa2cf2149", + "id": "C03.04", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations", + "severity": "高い", + "subcategory": "外部 ID", + "text": "外部コラボレーション設定: [無効] に設定されたフローによるゲストのセルフサービス サインアップを有効にする", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "d013a923-ce57-44dc-abd8-ac2aaebca2a4", + "id": "C03.05", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations", + "severity": "高い", + "subcategory": "外部 ID", + "text": "外部コラボレーション設定: コラボレーションの制限を [指定したドメインへの招待を許可する] に設定", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "4da1dbf3-dd99-4248-8718-d1dca1f62565", + "id": "C03.06", + "link": "https://learn.microsoft.com/azure/active-directory/governance/deploy-access-reviews", + "severity": "中程度", + "subcategory": "外部 ID", + "text": "アクセス レビュー: すべてのグループに対して有効", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "9ee5580a-3824-49c9-9121-3dbd7fb012f7", + "id": "C04.01", + "link": "https://learn.microsoft.com/azure/active-directory/manage-apps/configure-user-consent", + "severity": "中程度", + "subcategory": "エンタープライズ アプリケーション", + "text": "同意とアクセス許可: 検証済みの発行元からのアプリに対するユーザーの同意を許可します", + "waf": "安全" + }, + { + "category": "同一性", + "guid": 
"0943f630-4722-4ea3-ad2b-1ce632055b29", + "id": "C04.02", + "link": "https://learn.microsoft.com/azure/active-directory/manage-apps/configure-user-consent-groups", + "severity": "中程度", + "subcategory": "エンタープライズ アプリケーション", + "text": "同意と権限: 選択したグループ所有者のグループ所有者の同意を許可します", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "bade4aad-1e8c-439e-a946-667313c00567", + "id": "C05.01", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy-configure-custom-domain", + "severity": "高い", + "subcategory": "カスタムドメイン", + "text": "検証済みの顧客ドメインのみが登録されます", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "4c1e945b-459c-4373-b7ed-71623b375a91", + "id": "C06.01", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-sspr", + "severity": "高い", + "subcategory": "パスワードのリセット", + "text": "セルフサービス パスワード リセット ポリシー要件に準拠していることが確認されました。", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "7ecbe48f-be64-4dd7-bf2e-8bbbc468155a", + "id": "C06.02", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/howto-sspr-deployment", + "severity": "中程度", + "subcategory": "パスワードのリセット", + "text": "[ユーザーが認証情報の再確認を求められるまでの日数を設定する] が 0 に設定されていない", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "bc9164e9-909a-4ed8-a44c-f3b2b3818baf", + "id": "C06.03", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/howto-sspr-deployment", + "severity": "高い", + "subcategory": "パスワードのリセット", + "text": "パスワードのリセットに必要な方法の数を設定します", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "a2cf2149-d013-4a92-9ce5-74dccbd8ac2a", + "id": "C07.01", + "link": "https://learn.microsoft.com/azure/active-directory/roles/delegate-app-roles", + "severity": "高い", + "subcategory": "ユーザー設定", + "text": "「ユーザーはアプリケーションを登録できます」を無効にする", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "aebca2a4-4da1-4dbf-9dd9-92481718d1dc", + "id": "C07.02", + "link": 
"https://learn.microsoft.com/azure/active-directory/fundamentals/users-default-permissions", + "severity": "高い", + "subcategory": "ユーザー設定", + "text": "管理ポータル (portal.azure.com) へのアクセスを管理者のみに制限する", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "a1f62565-9ee5-4580-a382-49c931213dbd", + "id": "C07.03", + "link": "https://learn.microsoft.com/azure/active-directory/enterprise-users/linkedin-integration", + "severity": "高い", + "subcategory": "ユーザー設定", + "text": "「LinkedInアカウント接続」を無効にする", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "7fb012f7-0943-4f63-8472-2ea39d2b1ce6", + "id": "C08.01", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-monitoring", + "severity": "高い", + "subcategory": "診断設定", + "text": "有効で、Sentinel を使用して Log Analytics ワークスペースに送信する", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "21e44a19-a9dd-4399-afd7-b28dc8355562", + "id": "C09.01", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-deployment-plan", + "severity": "高い", + "subcategory": "PIM 有効", + "text": "Privileged Identity Management が有効", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "46f4389a-7f42-4c78-b78c-06a63a21a495", + "id": "C09.02", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-usage?tabs=jit-config-asc%2Cjit-request-asc", + "severity": "高い", + "subcategory": "PIM 有効", + "text": "「ジャストインタイム」(JIT)アクセスを実装して、特権アカウントの公開時間をさらに短縮します(継続的なアクセスを減らします)", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "6e6a8dc4-a20e-427b-9e29-711b1352beee", + "id": "C10.01", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policy-common", + "severity": "高い", + "subcategory": "条件付きアクセス ポリシー", + "text": "条件付きアクセス ポリシー/アクセス制御を構成する", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "079b588d-efc4-4972-ac3c-d21bf77036e5", + "id": "C10.02", + "link": 
"https://learn.microsoft.com/azure/active-directory/conditional-access/location-condition", + "severity": "中程度", + "subcategory": "条件付きアクセス ポリシー", + "text": "条件:制限付き地域", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "e6b4bed3-d5f3-4547-a134-7dc56028a71f", + "id": "C10.03", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa", + "severity": "高い", + "subcategory": "条件付きアクセス ポリシー", + "text": "アクセス制御: すべてのユーザーに対して MFA が有効", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "fe1bd15d-d2f0-4d5e-972d-41e3611cc57b", + "id": "C10.04", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa", + "severity": "中程度", + "subcategory": "条件付きアクセス ポリシー", + "text": "アクセス制御: 管理者に MFA を要求する", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "4a4b1410-d439-4589-ac22-89b3d6b57cfc", + "id": "C10.05", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-azure-management", + "severity": "高い", + "subcategory": "条件付きアクセス ポリシー", + "text": "アクセス制御: Azure 管理に MFA を要求する", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "645461e1-a3e3-4453-a3c8-639637a552d6", + "id": "C10.06", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy", + "severity": "高い", + "subcategory": "条件付きアクセス ポリシー", + "text": "アクセス制御:レガシープロトコルのブロック", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "7ae9eab4-0fd3-4290-998b-c178bdc5a06c", + "id": "C10.07", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/require-managed-devices", + "severity": "高い", + "subcategory": "条件付きアクセス ポリシー", + "text": "アクセス制御: デバイスを準拠としてマークする必要があります", + "waf": "安全" + }, + { + "category": "同一性", + "description": "顧客文書化ポリシー", + "guid": "a7144351-e19d-4d34-929e-b7228137a151", + "id": "C11.01", + "link": 
"https://devblogs.microsoft.com/premier-developer/azure-active-directory-automating-guest-user-management/", + "severity": "中程度", + "subcategory": "ゲスト ユーザー", + "text": "ゲスト ユーザー アカウントを追跡するポリシー (つまり、使用/削除/無効化) はありますか?", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "c5bb4e4f-1814-4287-b5ca-8c26c9b32ab5", + "id": "C12.01", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/identity-secure-score", + "severity": "高い", + "subcategory": "ID セキュリティ スコア", + "text": "業界のベストプラクティスに基づくIDセキュリティスコアの実装", + "waf": "安全" + }, + { + "category": "同一性", + "guid": "bcfc6998-a135-4e33-9897-e31c67d68cb6", + "id": "C13.01", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + "severity": "中程度", + "subcategory": "非常用アカウント", + "text": "少なくとも 2 つの非常用アカウントが作成されており、その使用に関するポリシーが存在します", + "waf": "安全" + }, + { + "category": "VM セキュリティチェック", + "guid": "0ac252b9-99a6-48af-a7c9-a8f821b8eb8c", + "id": "D01.01", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "severity": "高い", + "subcategory": "アクセス制御", + "text": "Azure Policy を利用した VM アクセスの制御", + "waf": "安全" + }, + { + "category": "VM セキュリティチェック", + "guid": "0aa77e26-e4d5-4aea-a8dc-4e2436bc336d", + "id": "D01.02", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/templates/syntax", + "severity": "中程度", + "subcategory": "アクセス制御", + "text": "テンプレートを活用して VM のセットアップとデプロイのばらつきを減らす", + "waf": "安全" + }, + { + "category": "VM セキュリティチェック", + "guid": "b5945bda-4333-44fd-b91c-234182b65275", + "id": "D01.03", + "link": "https://learn.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models", + "severity": "中程度", + "subcategory": "アクセス制御", + "text": "ガバナンスを通じてリソースにアクセスできるユーザーを減らすことで、VMS をデプロイするための特権アクセスをセキュリティで保護します", + "waf": "安全" + }, + { + "category": "VM セキュリティチェック", + "guid": "269440b4-be3d-43e0-a432-76d4bdc015bc", + "id": "D02.01", + "link": 
"https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service", + "severity": "中程度", + "subcategory": "高可用性", + "text": "ワークロードに複数の VM を使用して可用性を向上させる", + "waf": "確実" + }, + { + "category": "VM セキュリティチェック", + "guid": "f219e4a1-eb58-4879-935d-227886d30b66", + "id": "D02.02", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-first-look-arm", + "severity": "中程度", + "subcategory": "高可用性", + "text": "ディザスター リカバリー ソリューションのデプロイとテスト", + "waf": "確実" + }, + { + "category": "VM セキュリティチェック", + "guid": "c57be595-1900-4838-95c5-86cb291ec16a", + "id": "D02.03", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "severity": "中程度", + "subcategory": "高可用性", + "text": "可用性セット", + "waf": "確実" + }, + { + "category": "VM セキュリティチェック", + "guid": "1d076ef9-f141-4acd-ae57-9377bcdb3751", + "id": "D02.04", + "link": "https://learn.microsoft.com/azure/availability-zones/az-overview?context=/azure/virtual-machines/context/context", + "severity": "中程度", + "subcategory": "高可用性", + "text": "アベイラビリティーゾーン", + "waf": "確実" + }, + { + "category": "VM セキュリティチェック", + "guid": "ab2ac1fa-d66e-415d-9d5a-2adb2c3e2326", + "id": "D02.05", + "link": "https://learn.microsoft.com/azure/architecture/resiliency/recovery-loss-azure-region", + "severity": "中程度", + "subcategory": "高可用性", + "text": "地域フォールトトレランス", + "waf": "確実" + }, + { + "category": "VM セキュリティチェック", + "guid": "af225ca4-4e16-496f-bdde-ace4cb1deb4c", + "id": "D03.01", + "link": "https://learn.microsoft.com/azure/security/fundamentals/antimalware", + "severity": "高い", + "subcategory": "マルウェアからの保護", + "text": "マルウェア対策ソリューションをインストールする", + "waf": "安全" + }, + { + "category": "VM セキュリティチェック", + "guid": "650c3fc1-4eeb-4b36-a382-9e3eec218368", + "id": "D03.02", + "link": "https://learn.microsoft.com/azure/security-center/security-center-partner-integration", + "severity": "高い", + "subcategory": "マルウェアからの保護", + "text": "マルウェア対策ソリューションと Security Center の統合", + "waf": "安全" + }, + { + 
"category": "VM セキュリティチェック", + "guid": "7a0177a2-b594-45bd-a433-34fdf91c2341", + "id": "D04.01", + "link": "https://learn.microsoft.com/azure/automation/update-management/overview", + "severity": "高い", + "subcategory": "VM の更新を管理する", + "text": "Update Management と Azure Automation を使用して VM を最新の状態に保つ", + "waf": "安全" + }, + { + "category": "VM セキュリティチェック", + "guid": "c6fa96b9-6ad8-4840-af37-2734c876ba28", + "id": "D04.02", + "link": "https://learn.microsoft.com/azure/virtual-machines/automatic-vm-guest-patching", + "severity": "中程度", + "subcategory": "VM の更新を管理する", + "text": "展開用の Windows イメージに最新レベルの更新プログラムがあることを確認する", + "waf": "安全" + }, + { + "category": "VM セキュリティチェック", + "guid": "02145901-465d-438e-9309-ccbd979266bc", + "id": "D04.03", + "link": "https://learn.microsoft.com/azure/security-center/asset-inventory", + "severity": "高い", + "subcategory": "VM の更新を管理する", + "text": "Microsoft Defender for Cloud を使用して VM にセキュリティ更新プログラムを迅速に適用する", + "waf": "安全" + }, + { + "category": "VM セキュリティチェック", + "guid": "ca274faa-19bf-439d-a5d4-4c7c8919ca1f", + "id": "D05.01", + "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview", + "severity": "高い", + "subcategory": "VHD を暗号化する", + "text": "VM で暗号化を有効にする", + "waf": "安全" + }, + { + "category": "VM セキュリティチェック", + "guid": "6d5315ae-524b-4a34-b458-5e12139bd7bb", + "id": "D05.02", + "link": "https://learn.microsoft.com/azure/virtual-machines/windows/disk-encryption-key-vault#set-up-a-key-encryption-key-kek", + "severity": "高い", + "subcategory": "VHD を暗号化する", + "text": "暗号化のセキュリティ層を追加するためのキー暗号化キー(KEK)の追加", + "waf": "安全" + }, + { + "category": "VM セキュリティチェック", + "guid": "012f7b95-e06e-4154-b2aa-3592828e6e20", + "id": "D05.03", + "link": "https://learn.microsoft.com/azure/virtual-machines/windows/snapshot-copy-managed-disk", + "severity": "中程度", + "subcategory": "VHD を暗号化する", + "text": "ロールバックのために暗号化する前にディスクのスナップショットを作成する", + "waf": "安全" + }, + { + "category": "VM セキュリティチェック", + "guid": 
"5173676a-e466-491e-a835-ad942223e138", + "id": "D06.01", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "severity": "高い", + "subcategory": "インターネットへの直接接続を制限する", + "text": "中央ネットワーク・グループのみがネットワーク・リソースへのアクセス許可を持っていることを確認する", + "waf": "安全" + }, + { + "category": "VM セキュリティチェック", + "guid": "10523081-a941-4741-9833-ff7ad7c6d373", + "id": "D06.02", + "link": "https://learn.microsoft.com/azure/security-center/security-center-partner-integration", + "severity": "高い", + "subcategory": "インターネットへの直接接続を制限する", + "text": "\"ANY\" ソース IP アドレスからのアクセスを許可する公開されている VM を特定して修復する", + "waf": "安全" + }, + { + "category": "VM セキュリティチェック", + "guid": "75a91be1-f388-4f03-a4d2-cd463cbbbc86", + "id": "D06.03", + "link": "https://learn.microsoft.com/azure/security-center/security-center-just-in-time", + "severity": "高い", + "subcategory": "インターネットへの直接接続を制限する", + "text": "ジャストインタイムアクセスを使用した管理ポート(RDP、SSH)の制限", + "waf": "安全" + }, + { + "category": "VM セキュリティチェック", + "guid": "8295abc9-1a4e-4da0-bae2-cc84c47b6b78", + "id": "D06.04", + "link": "http://learn.microsoft.com/answers/questions/171195/how-to-create-jump-server-in-azure-not-bastion-paa.html", + "severity": "高い", + "subcategory": "インターネットへの直接接続を制限する", + "text": "インターネット アクセスを削除し、RDP 用のジャンプ サーバーを実装する", + "waf": "安全" + }, + { + "category": "VM セキュリティチェック", + "guid": "1cbafe6c-4658-49d4-98a9-27c3974d1102", + "id": "D06.05", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-forced-tunneling", + "severity": "高い", + "subcategory": "インターネットへの直接接続を制限する", + "text": "インターネットからRDP/SSHを使用してサーバーへの直接ログインを削除し、VPNまたはExpressルートを実装します", + "waf": "安全" + }, + { + "category": "VM セキュリティチェック", + "guid": "dad6aae1-1e6b-484e-b5df-47d2d92881b1", + "id": "D06.06", + "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", + "severity": "高い", + "subcategory": "インターネットへの直接接続を制限する", + "text": "Azure Bastion を RDP/SSH ブローカーとして活用して、セキュリティを強化し、フットプリントを削減", + "waf": "安全" + }, + { + "category": 
"番兵", + "guid": "cd5d1e54-a297-459e-9968-0e78289c9356", + "id": "E01.01", + "link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard", + "severity": "高い", + "subcategory": "建築", + "text": "すべてのテナントに、少なくとも 1 つの Log Analytics ワークスペースで Sentinel が有効になっていることが含まれている", + "waf": "安全" + }, + { + "category": "番兵", + "guid": "57d02bff-4564-4b0d-a34a-359836ee79d6", + "id": "E01.02", + "link": "https://learn.microsoft.com/azure/sentinel/best-practices-workspace-architecture", + "severity": "高い", + "subcategory": "建築", + "text": "お客様がSentinelのアーキテクチャを理解している", + "waf": "安全" + }, + { + "category": "番兵", + "guid": "e8f5c586-c7d9-4cdc-86ac-c075ef9b141a", + "id": "E01.03", + "link": "https://learn.microsoft.com/azure/sentinel/multiple-workspace-view", + "severity": "中程度", + "subcategory": "建築", + "text": "お客様は、複数のSentinelインスタンスにわたってインシデントを監視する方法を知っている", + "waf": "安全" + }, + { + "category": "番兵", + "guid": "8989579e-76b8-497e-910a-7da7be9966e1", + "id": "E02.01", + "link": "https://learn.microsoft.com/azure/sentinel/manage-soc-with-incident-metrics", + "severity": "中程度", + "subcategory": "概要", + "text": "24 時間以上オープンするインシデントはありません", + "waf": "安全" + }, + { + "category": "番兵", + "guid": "5d3c4ada-97cb-43d1-925a-b225c6f4e068", + "id": "E03.01", + "link": "https://learn.microsoft.com/azure/sentinel/whats-new", + "severity": "低い", + "subcategory": "ニュース&ガイド", + "text": "お客様には「News & Guides」タブが表示されました", + "waf": "安全" + }, + { + "category": "番兵", + "guid": "5edddea8-a4b7-4cde-a4c6-1fc3fc14eea6", + "id": "E04.01", + "link": "https://learn.microsoft.com/azure/sentinel/enable-entity-behavior-analytics", + "severity": "中程度", + "subcategory": "UEBA(欧州経済共同体)", + "text": "UEBA設定済み(Sentinel/Settings/Settings/Configure UEBA)", + "waf": "安全" + }, + { + "category": "番兵", + "guid": "e69d8d9a-3eec-4218-b687-ab077adb49e5", + "id": "E05.01", + "link": "https://learn.microsoft.com/azure/sentinel/connect-azure-active-directory", + "severity": "高い", + "subcategory": "通信用コネクタ", + "text": "構成済みの 
Azure Active Directory と \"Last Log Received\" が今日表示されます", + "waf": "安全" + }, + { + "category": "番兵", + "guid": "b9603334-fdf8-4cc2-9318-db61171269f4", + "id": "E05.02", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-active-directory-identity-protection", + "severity": "高い", + "subcategory": "通信用コネクタ", + "text": "Azure Active Directory Identity Protection が構成され、\"最後に受信したログ\" が今日表示されます", + "waf": "安全" + }, + { + "category": "番兵", + "guid": "0b4aa3d3-e070-4327-9d4b-98b15b8a219a", + "id": "E05.03", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-activity", + "severity": "高い", + "subcategory": "通信用コネクタ", + "text": "Azure アクティビティが構成され、構成され、\"最後に受信したログ\" が今日表示されます", + "waf": "安全" + }, + { + "category": "番兵", + "guid": "8e13f9cc-bd46-4826-9abc-a264f9a19bfe", + "id": "E05.04", + "link": "https://learn.microsoft.com/azure/sentinel/connect-defender-for-cloud", + "severity": "高い", + "subcategory": "通信用コネクタ", + "text": "Microsoft Defender for Cloud が構成され、\"最後に受信したログ\" が今日表示されます", + "waf": "安全" + }, + { + "category": "番兵", + "guid": "9d55d04c-3c49-419c-a1b2-d1215ae114b9", + "id": "E05.05", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-firewall", + "severity": "高い", + "subcategory": "通信用コネクタ", + "text": "Azure Firewall が構成され、\"最後に受信したログ\" が今日表示されます", + "waf": "安全" + }, + { + "category": "番兵", + "guid": "34df585e-cccd-49bd-9ba0-cdb3b54eb2eb", + "id": "E05.06", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#windows-firewall", + "severity": "高い", + "subcategory": "通信用コネクタ", + "text": "Windows ファイアウォールが構成され、「最後に受信したログ」が今日表示される", + "waf": "安全" + }, + { + "category": "番兵", + "guid": "03ddaa25-9271-48d2-bdb1-0725769ef669", + "id": "E05.07", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#windows-security-events-via-ama", + "severity": "高い", + "subcategory": "通信用コネクタ", + "text": "セキュリティイベントはAMAで設定され、「Last 
Log Received」が今日表示されます", + "waf": "安全" + }, + { + "category": "番兵", + "guid": "1a4834ac-9322-423e-ae80-b123081a5417", + "id": "E05.08", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference", + "severity": "高い", + "subcategory": "通信用コネクタ", + "text": "セキュリティ イベント - Azure コンピューターが接続され、ワークスペースにデータを送信していることを確認します", + "waf": "安全" + }, + { + "category": "番兵", + "guid": "859c773e-7e26-4162-9b77-5a917e1f348e", + "id": "E05.09", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference", + "severity": "高い", + "subcategory": "通信用コネクタ", + "text": "セキュリティ イベント - Azure 以外のコンピューターが接続され、ワークスペースにデータを送信していることを確認します", + "waf": "安全" + }, + { + "category": "番兵", + "guid": "f354c27d-42e8-4bba-a868-155abb9163e9", + "id": "E05.10", + "link": "https://learn.microsoft.com/azure/sentinel/connect-aws?tabs=s3", + "severity": "高い", + "subcategory": "通信用コネクタ", + "text": "AWS用コネクタ", + "waf": "安全" + }, + { + "category": "番兵", + "guid": "909ae28c-84c3-43b6-a780-8bafe6c42149", + "id": "E05.11", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference", + "severity": "高い", + "subcategory": "通信用コネクタ", + "text": "GCP用コネクタ", + "waf": "安全" + }, + { + "category": "番兵", + "guid": "d413a923-c357-44d1-8028-ac6aae01e6a8", + "id": "E06.01", + "link": "https://learn.microsoft.com/azure/sentinel/detect-threats-built-in", + "severity": "高い", + "subcategory": "分析ルール", + "text": "お客様が分析ルールを有効にし、インシデントを構成しました", + "waf": "安全" + }, + { + "category": "番兵", + "guid": "4de5df43-d299-4248-8718-d5d1e5f62565", + "id": "E07.01", + "link": "https://azure.microsoft.com/updates/controlling-data-volume-and-retention-in-log-analytics-2/", + "severity": "中程度", + "subcategory": "設定", + "text": "お客様が日次上限を有効にしていない", + "waf": "安全" + }, + { + "category": "Azure Firewall", + "guid": "9e3558fd-7724-49c9-9111-2d027fe412f7", + "id": "F01.01", + "link": "https://learn.microsoft.com/azure/firewall/premium-features", + "severity": "高い", + "subcategory": "構成", + "text": 
"Azure Firewall Premium のデプロイ", + "waf": "安全" + }, + { + "category": "Azure Firewall", + "guid": "4dc74a74-8b66-433a-b2a0-916a764980ad", + "id": "F01.02", + "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal#create-a-default-route", + "severity": "高い", + "subcategory": "構成", + "text": "クワッド ゼロ/フォース チューニングを Azure Firewall で有効にする", + "waf": "安全" + }, + { + "category": "Azure Firewall", + "guid": "0e278ee2-93c1-4bc3-92ba-aab7571849ab", + "id": "F02.01", + "link": "https://techcommunity.microsoft.com/t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598", + "severity": "中程度", + "subcategory": "アクセス制御", + "text": "許可されたユーザーのみを有効にするように設定された RBAC", + "waf": "安全" + }, + { + "category": "Azure Firewall", + "guid": "8093dc9f-c9d1-4bb7-9b36-a5a67fbb9ed5", + "id": "F03.01", + "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", + "severity": "中程度", + "subcategory": "診断設定", + "text": "診断が有効で、Log Analytics ワークスペースにメトリックを送信する", + "waf": "安全" + }, + { + "category": "Azure Firewall", + "guid": "b35478c3-4798-416b-8863-cffe1cac599e", + "id": "F04.01", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "severity": "高い", + "subcategory": "ファイアウォール マネージャー", + "text": "ハブと仮想ネットワークは、Firewall Premium を介して保護または接続されます", + "waf": "安全" + }, + { + "category": "Azure Firewall", + "guid": "f0d5a73d-d4de-436c-8c81-770afbc4c0e4", + "id": "F04.02", + "link": "https://techcommunity.microsoft.com/t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598", + "severity": "高い", + "subcategory": "ファイアウォール マネージャー", + "text": "ポリシー: アクセス制御が構成されている (RBAC)", + "waf": "安全" + }, + { + "category": "Azure Firewall", + "guid": "5c3a87af-4a79-41f8-a39b-da47768e14c1", + "id": "F04.03", + "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", + "severity": "高い", + "subcategory": "ファイアウォール マネージャー", + "text": "ポリシー: 親ポリシーが構成されています", + "waf": 
"安全" + }, + { + "category": "Azure Firewall", + "guid": "15675c1e-a55b-446a-a48f-f8ae7d7e4b47", + "id": "F04.04", + "link": "https://learn.microsoft.com/azure/firewall/rule-processing", + "severity": "高い", + "subcategory": "ファイアウォール マネージャー", + "text": "ポリシー: ルール コレクションが定義されている", + "waf": "安全" + }, + { + "category": "Azure Firewall", + "guid": "5b6c8bcb-f59b-4ce6-9de8-a03f97879468", + "id": "F04.05", + "link": "https://learn.microsoft.com/azure/firewall/rule-processing", + "severity": "高い", + "subcategory": "ファイアウォール マネージャー", + "text": "ポリシー: DNAT ポリシーが定義されています", + "waf": "安全" + }, + { + "category": "Azure Firewall", + "guid": "d66a786d-60e9-46c9-9ad8-855d04c2b39c", + "id": "F04.06", + "link": "https://learn.microsoft.com/azure/firewall/rule-processing", + "severity": "高い", + "subcategory": "ファイアウォール マネージャー", + "text": "ポリシー: ネットワーク ルールが定義されている", + "waf": "安全" + }, + { + "category": "Azure Firewall", + "guid": "986bb2c1-2149-4a11-9b5e-3df574ecccd9", + "id": "F04.07", + "link": "https://learn.microsoft.com/azure/firewall/features", + "severity": "高い", + "subcategory": "ファイアウォール マネージャー", + "text": "ポリシー: アプリケーション ルールが定義されている", + "waf": "安全" + }, + { + "category": "Azure Firewall", + "guid": "793a6bcd-a3b5-40eb-8eb0-3dd95d58d7c8", + "id": "F04.08", + "link": "https://learn.microsoft.com/azure/firewall/dns-details", + "severity": "中程度", + "subcategory": "ファイアウォール マネージャー", + "text": "DNS:機能が認識され、適用されている、または適用されていない", + "waf": "安全" + }, + { + "category": "Azure Firewall", + "guid": "d622f54b-29ba-4de3-aad1-e8c28ec93666", + "id": "F04.09", + "link": "https://learn.microsoft.com/azure/firewall-manager/threat-intelligence-settings", + "severity": "高い", + "subcategory": "ファイアウォール マネージャー", + "text": "脅威インテリジェンス: [アラートと拒否] に設定", + "waf": "安全" + }, + { + "category": "Azure Firewall", + "guid": "7313b005-674b-41e9-94a4-59c373e7ed61", + "id": "F04.10", + "link": "https://learn.microsoft.com/azure/firewall-manager/threat-intelligence-settings#allowlist-addresses", + "severity": 
"高い", + "subcategory": "ファイアウォール マネージャー", + "text": "脅威インテリジェンス:許可リスト(使用されているかどうか、つまりパフォーマンスを正当化します)", + "waf": "安全" + }, + { + "category": "Azure Firewall", + "guid": "623b365a-917e-4cbe-98eb-d54cd7df2e8b", + "id": "F04.11", + "link": "https://learn.microsoft.com/azure/firewall/premium-certificates", + "severity": "高い", + "subcategory": "ファイアウォール マネージャー", + "text": "TLS対応", + "waf": "安全" + }, + { + "category": "Azure Firewall", + "guid": "bac35715-59ab-4915-9e99-08aed8c44ce3", + "id": "F04.12", + "link": "https://learn.microsoft.com/azure/firewall/rule-processing", + "severity": "高い", + "subcategory": "ファイアウォール マネージャー", + "text": "IDPS が有効", + "waf": "安全" + }, + { + "category": "Azure Firewall", + "guid": "b2b3808b-9fa1-4cf1-849d-003a923ce474", + "id": "F04.13", + "link": "https://learn.microsoft.com/azure/firewall/snat-private-range", + "severity": "高い", + "subcategory": "ファイアウォール マネージャー", + "text": "SNAT: 構成済み", + "waf": "安全" + }, + { + "category": "Azure Firewall", + "guid": "dbcbd8ac-2aae-4bca-8a43-da1dae2cc992", + "id": "F05.01", + "link": "https://learn.microsoft.com/azure/security/fundamentals/ddos-best-practices", + "severity": "中程度", + "subcategory": "DDOSプロテクション", + "text": "ファイアウォールのパブリック IP に対して有効", + "waf": "安全" + } + ], + "metadata": { + "name": "Azure Security Review Checklist", + "state": "Deprecated", + "timestamp": "June 24, 2024" + }, + "severities": [ + { + "name": "高い" + }, + { + "name": "中程度" + }, + { + "name": "低い" + } + ], + "status": [ + { + "description": "このチェックはまだ検討されていません", + "name": "未確認" + }, + { + "description": "このチェックにはアクションアイテムが関連付けられています", + "name": "開ける" + }, + { + "description": "このチェックは検証済みで、これ以上のアクションアイテムは関連付けられていません", + "name": "達成" + }, + { + "description": "推奨事項は理解されているが、現在の要件では不要", + "name": "必要なし" + }, + { + "description": "現在のデザインには適用されません", + "name": "該当なし" + } + ], + "waf": [ + { + "name": "確実" + }, + { + "name": "安全" + }, + { + "name": "費用" + }, + { + "name": "オペレーションズ" + }, + { + "name": "パフォーマンス" + } + ], + 
"yesno": [ + { + "name": "はい" + }, + { + "name": "いいえ" + } + ] +} \ No newline at end of file diff --git a/checklists/security_checklist.ko.json b/checklists/security_checklist.ko.json index 231924a77..8194f11e2 100644 --- a/checklists/security_checklist.ko.json +++ b/checklists/security_checklist.ko.json 
@@ -1,1328 +1,1669 @@ { - "metadata": { - "name": "Azure 보안 검토 검사 목록" - }, - "items": [ - { - "category": "클라우드를 위한 수비수", - "subcategory": "가격 및 설정", - "text": "모든 구독에서 보안 센터/수비수 사용", - "guid": "54174158-33fb-43ae-9c2d-e743165c3acb", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started" - }, - { - "category": "클라우드를 위한 수비수", - "subcategory": "가격 및 설정", - "text": "모든 로그 분석 작업 영역에서 보안 센터/수비수 사용", - "guid": "349f0364-d28d-442e-abbb-c868255abc91", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/security-center/enable-azure-defender" - }, - { - "category": "클라우드를 위한 수비수", - "subcategory": "가격 및 설정", - "text": "데이터 수집이 '공통'으로 설정됨", - "guid": "64e9a19a-e28c-484c-93b6-b7818ca0e6c4", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-feature#what-event-types-are-stored-for-common-and-minimal" - }, - { - "category": "클라우드를 위한 수비수", - "subcategory": "가격 및 설정", - "text": "Defender for Cloud 강화 보안 기능이 모두 활성화되었습니다.", - "guid": "2149d414-a923-4c35-94d1-1029bd6aaf11", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/security-center/enable-azure-defender" - }, - { - "category": "클라우드를 위한 수비수", - "subcategory": "가격 및 설정", - "text": "회사 정책에 따라 자동 프로비저닝 사용(정책이 있어야 함)", - "guid": "e6b84ee5-ef43-4d29-a248-1718d5d1f5f7", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/security-center/security-center-enable-data-collection" - }, - { - "category": "클라우드를 위한 수비수", - "subcategory": "가격 및 설정", - "text": "회사 정책에 따라 사용하도록 설정된 전자 메일 알림(정책이 있어야 함)", - "guid": "25759e35-680e-4782-9ac9-32213d027ff4", - "severity": "낮다", - "link": "https://learn.microsoft.com/azure/security-center/security-center-provide-security-contact-details" - }, - { - "category": "클라우드를 위한 수비수", - "subcategory": "가격 및 설정", - "text": "통합 사용 옵션이 선택되었습니다. 
", - "guid": "12f70993-0631-4583-9ee7-9d6c6d363206", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/security-center/security-center-wdatp?WT.mc_id=Portal-Microsoft_Azure_Security_CloudNativeCompute&tabs=windows" - }, - { - "category": "클라우드를 위한 수비수", - "subcategory": "가격 및 설정", - "text": "CI/CD 통합이 구성됨", - "guid": "5b7bae4-4위-45e8-a79e-2e86667313c5", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/security-center/defender-for-container-registries-cicd" - }, - { - "category": "클라우드를 위한 수비수", - "subcategory": "가격 및 설정", - "text": "제3자 SIEM을 사용하는 경우 '이벤트 허브' 연속 내보내기가 활성화됩니다.", - "guid": "05675c5e-985b-4859-a774-f7e371623b87", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal" - }, - { - "category": "클라우드를 위한 수비수", - "subcategory": "가격 및 설정", - "text": "Azure 센티넬을 사용하지 않는 경우 '로그 분석 작업 영역'을 계속 내보낼 수 있습니다.", - "guid": "5a917e1f-349f-4036-9d28-d42e8bbbc868", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal" - }, - { - "category": "클라우드를 위한 수비수", - "subcategory": "가격 및 설정", - "text": "AWS에 클라우드 커넥터 지원", - "guid": "255abc91-64e9-4a19-ae28-c84c43b6b781", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/security-center/quickstart-onboard-aws?WT.mc_id=Portal-Microsoft_Azure_Security" - }, - { - "category": "클라우드를 위한 수비수", - "subcategory": "가격 및 설정", - "text": "GCP에 사용할 수 있는 클라우드 커넥터", - "guid": "8ca0e6c4-2149-4d41-9a92-3c3574d11029", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/security-center/quickstart-onboard-gcp" - }, - { - "category": "클라우드를 위한 수비수", - "subcategory": "가격 및 설정", - "text": "Azure AD 응용 프로그램 프록시를 사용하는 경우 클라우드 앱용 Microsoft Defender와 통합하여 응용 프로그램 액세스를 실시간으로 모니터링하고 고급 보안 제어를 적용하는 것이 좋습니다.", - "guid": "cce9bdf6-b483-45a0-85ec-c8232b230652", - "severity": "낮다", - "link": 
"https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy-integrate-with-microsoft-cloud-application-security" - }, - { - "category": "클라우드를 위한 수비수", - "subcategory": "권장 사항", - "text": "필요하지 않은 경우 모든 권장 사항이 수정되거나 비활성화됩니다.", - "guid": "df9cc234-18db-4611-9126-5f4bb47a393a", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/security-center/secure-score-security-controls" - }, - { - "category": "클라우드를 위한 수비수", - "subcategory": "권장 사항", - "text": "보안 점수 > 70 %", - "description": "모든 고객에 대한 Microsoft 최소 목표는 70%입니다.", - "guid": "08032729-4798-4b15-98a2-19a46ceb5443", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/secure-score-security-controls" - }, - { - "category": "클라우드를 위한 수비수", - "subcategory": "보안 경고", - "text": "보안 경고에는 지난 24시간 동안 생성된 경고만 포함됩니다(이전 보안 경고 수정 또는 비활성화).", - "guid": "50259226-4429-42bb-9285-37a55119bf8e", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/tutorial-security-incident" - }, - { - "category": "클라우드를 위한 수비수", - "subcategory": "통합 문서", - "text": "연속 내보내기를 사용하도록 설정한 경우 기본 통합 문서가 사용자 지정 보안 대시보드에 게시됨", - "guid": "8f585428-7d9c-4dc1-96cd-072af9b141a8", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/security-center/custom-dashboards-azure-workbooks" - }, - { - "category": "클라우드를 위한 수비수", - "subcategory": "커뮤니티", - "text": "고객은 '커뮤니티'페이지의 가치를 알고 있으며 검토를 위해 정기적으로 케이던스를 설정했습니다.", - "guid": "98a535e7-3789-47e7-8ca7-da7be9962a15", - "severity": "보통", - "link": "https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/bd-p/MicrosoftDefenderCloud" - }, - { - "category": "클라우드를 위한 수비수", - "subcategory": "보안 점수", - "text": "Security Center에서 보호하는 모든 구독이 표시됩니다(구독 필터가 설정되지 않음).", - "description": "고객 운영 모범 사례 - 투명성", - "guid": "93846da9-7cc3-4923-856b-22586f4a1641", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/enable-enhanced-security" - }, - { - "category": "클라우드를 위한 수비수", - 
"subcategory": "규정 준수", - "text": "규정 준수 제어는 필요한 규정 준수 요구 사항에 대해 친환경적입니다.", - "guid": "bdddea8a-487c-4deb-9861-bc3bc14aea6e", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/security-center/security-center-compliance-dashboard" - }, - { - "category": "클라우드를 위한 수비수", - "subcategory": "Azure Defender", - "text": "심각도가 높은 VM 취약성이 제로(비어 있음)입니다.", - "description": "고객 운영 모범 사례 - 확인", - "guid": "65e8d9a3-aec2-418e-9436-b0736db55f57", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/remediate-vulnerability-findings-vm" - }, - { - "category": "클라우드를 위한 수비수", - "subcategory": "방화벽 관리자", - "text": "허브는 Azure 방화벽에 의해 보호됩니다.", - "guid": "9603334b-df9c-4c23-918d-b61171265f4b", - "severity": "보통", - "link": "https://techcommunity.microsoft.com/t5/azure-network-security/azure-firewall-manager-is-now-integrated-with-azure-security/ba-p/2228679" - }, - { - "category": "클라우드를 위한 수비수", - "subcategory": "방화벽 관리자", - "text": "가상 네트워크는 방화벽에 의해 보호됩니다.", - "description": "고객 운영 모범 사례 - 확인", - "guid": "b47a393a-0803-4272-a479-8b1578a219a4", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/security/fundamentals/network-best-practices" - }, - { - "category": "클라우드를 위한 수비수", - "subcategory": "방화벽 관리자", - "text": "DDoS 표준 사용 가능", - "guid": "6ceb5443-5025-4922-9442-92bb628537a5", - "severity": "보통", - "link": "https://azure.microsoft.com/blog/how-azure-security-center-detects-ddos-attack-using-cyber-threat-intelligence/" - }, - { - "category": "클라우드를 위한 수비수", - "subcategory": "보도", - "text": "모든 구독이 적용되는지 확인(가격 및 수정할 설정 참조)", - "guid": "5119bf8e-8f58-4542-a7d9-cdc166cd072a", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started?WT.mc_id=Portal-Microsoft_Azure_Security" - }, - { - "category": "Azure Networking", - "subcategory": "공용 IP", - "text": "공용 IP가 있는 VM은 NSG로 보호해야 합니다. 
", - "guid": "4df585ec-dce9-4793-a7bc-db3b51eb2eb0", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses" - }, - { - "category": "Azure Networking", - "subcategory": "공용 IP", - "text": "공용 IP가 있는 VM은 Azure 방화벽 프리미엄 뒤로 이동됩니다.", - "description": "고객 운영 모범 사례 - 확인", - "guid": "3dda6e59-d7c8-4a2e-bb11-7d6769af669c", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses" - }, - { - "category": "Azure Networking", - "subcategory": "공용 IP", - "text": "공용 IP가 필요하지 않은 VM에는 공용 IP가 없습니다(예: 내부 RDP에만 해당).", - "description": "고객 운영 모범 사례 - 확인", - "guid": "a48e5a85-f222-43ec-b8bb-12308ca5017f", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access" - }, - { - "category": "Azure Networking", - "subcategory": "증권 시세 표시기", - "text": "NSG RBAC는 네트워크 보안 팀에 대한 액세스를 제한하는 데 사용됩니다.", - "guid": "158e3ea3-a93c-42de-9e31-65c3a87a04b7", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview" - }, - { - "category": "Azure Networking", - "subcategory": "증권 시세 표시기", - "text": "NSG 인바운드 보안 규칙에는 원본 필드에 *(와일드카드)가 포함되어 있지 않습니다.", - "description": "고객 운영 모범 사례 - 확인", - "guid": "a209939b-da47-4778-b24c-116785c2fa55", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview" - }, - { - "category": "Azure Networking", - "subcategory": "증권 시세 표시기", - "text": "NSG 아웃바운드 보안 규칙은 방화벽을 통해 라우팅되지 않은 트래픽에 대해 특정 IP 주소에 대한 트래픽을 제어하는 데 사용됩니다.", - "description": "고객 운영 모범 사례 - 확인", - "guid": "b56a9480-08be-47d7-b4c4-76b6d8bdcf59", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview" - }, - { - "category": "Azure Networking", - "subcategory": "증권 시세 표시기", - "text": "NSG에는 소스가 *(와일드카드)로 설정되어 있지 않습니다.", - "description": "고객 운영 모범 사례 - 확인", - "guid": 
"bce65de8-a13f-4988-9946-8d66a786d60f", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview" - }, - { - "category": "Azure Networking", - "subcategory": "증권 시세 표시기", - "text": "NSG 진단은 NetworkSecurityGroupEvent 및 NetworkSecurityGroupRuleCounter 트래픽을 Sentinel LAW로 보냅니다.", - "guid": "a6c97be9-955d-404c-9c49-c986cb2d1215", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-nsg-manage-log" - }, - { - "category": "Azure Networking", - "subcategory": "UDR", - "text": "UDR RBAC는 네트워크 보안 팀에 대한 액세스를 제한하는 데 사용됩니다.", - "guid": "aa124b6e-4df5-485e-adce-9793b7bcdb3b", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview" - }, - { - "category": "Azure Networking", - "subcategory": "UDR", - "text": "제로 트러스트인 경우 UDR은 모든 트래픽을 Azure 방화벽 프리미엄으로 보내는 데 사용됩니다.", - "guid": "51eb2eb0-3dda-46e5-ad7c-8a2edb117d67", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview" - }, - { - "category": "Azure Networking", - "subcategory": "UDR", - "text": "AzureFirewallPremium으로 모든 트래픽을 보내지 않는 UDR은 알려져 있고 문서화되어 있습니다.", - "description": "고객 운영 모범 사례 - 확인", - "guid": "69af669c-a48e-45a8-9f22-23ece8bb1230", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview" - }, - { - "category": "Azure Networking", - "subcategory": "가상 네트워크", - "text": "고객은 Azure의 Azure 네트워킹 기본값/SDN 기본 라우팅에 익숙합니다.", - "guid": "8ca5017f-158e-43ea-9a93-c2de7e3165c3", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview#default" - }, - { - "category": "Azure Networking", - "subcategory": "가상 네트워크", - "text": "VNet RBAC는 네트워크 보안 팀에 대한 액세스를 제한하는 데 사용됩니다.", - "description": "고객 운영 모범 사례 - 확인", - "guid": "a87a04b7-a209-4939-ada4-7778f24c1167", - "severity": "보통", - "link": 
"https://github.com/MicrosoftDocs/azure-docs/issues/53672" - }, - { - "category": "Azure Networking", - "subcategory": "가상 네트워크", - "text": "VNet 보안 권장 사항이 수정되고 '위험' VNet이 없습니다. ", - "guid": "85c2fa55-b56a-4948-808b-e7d7e4c476b6", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/virtual-network/policy-reference" - }, - { - "category": "Azure Networking", - "subcategory": "가상 네트워크", - "text": "VNet 피어링 연결을 이해하고 예상되는 트래픽 흐름이 문서화됩니다.", - "guid": "d8bdcf59-bce6-45de-aa13-f98879468d66", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview" - }, - { - "category": "Azure Networking", - "subcategory": "가상 네트워크", - "text": "VNet 서비스 끝점이 사용 중이며 레거시 공용 서비스 끝점이 없습니다.", - "guid": "a786d60f-a6c9-47be-a955-d04c3c49c986", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview" - }, - { - "category": "Azure Networking", - "subcategory": "가상 네트워크", - "text": "VNet 개인 끝점이 온-프레미스 환경에서 액세스를 허용하는 데 사용 중이며 레거시 공용 끝점이 없습니다.", - "guid": "1f625659-ee55-480a-9824-9c931213dbd7", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview" - }, - { - "category": "Azure Networking", - "subcategory": "가상 네트워크", - "text": "VNet 모니터링 사용", - "guid": "fb012f70-943f-4630-9722-ea39d2b1ce63", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network" - }, - { - "category": "Azure Networking", - "subcategory": "가상 네트워크", - "text": "AKS(Azure Kubernetes Service)의 네트워크 정책을 사용하여 포드 간의 트래픽 보안", - "guid": "2055b29b-ade4-4위-8e8c-39ec94666731", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/virtual-network/kubernetes-network-policies" - }, - { - "category": "Azure Networking", - "subcategory": "가상 네트워크", - "text": "VNet NVA(어플라이언스) 고객이 게시된 아키텍처 패턴을 따릅니다.", - "guid": "3c005674-c1e9-445b-959c-373e7ed71623", - "severity": "높다", - "link": 
"https://learn.microsoft.com/azure/virtual-network/virtual-network-scenario-udr-gw-nva" - }, - { - "category": "Azure Networking", - "subcategory": "가상 네트워크", - "text": "VNet 진단 설정이 사용하도록 설정되고 VMProtectionAlerts를 Azure Sentinel LAW로 보냅니다.", - "guid": "b375a917-ecbe-448f-ae64-dd7df2e8bbbc", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network" - }, - { - "category": "Azure Networking", - "subcategory": "인터넷", - "text": "ExpressRoute 또는 VPN을 사용하여 온-프레미스 환경에서 Azure 리소스에 액세스", - "guid": "468155ab-c916-44e9-a09a-ed8c44cf3b2b", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure" - }, - { - "category": "Azure Networking", - "subcategory": "가상 WAN", - "text": "VWAN RBAC는 네트워크 보안 팀에 대한 액세스를 제한하는 데 사용됩니다.", - "guid": "bd8ac2aa-ebca-42a4-9da1-dbf3dd992481", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about" - }, - { - "category": "Azure Networking", - "subcategory": "가상 WAN", - "text": "VWAN 고객은 보안 허브 또는 외부 방화벽을 사용하여 트래픽을 라우팅하고 모니터링합니다.", - "guid": "718d1dca-1f62-4565-aee5-580a38249c93", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-global-transit-network-architecture" - }, - { - "category": "Azure Networking", - "subcategory": "응용 프로그램 게이트웨이", - "text": "AppGW RBAC는 네트워크 보안 팀에 대한 액세스를 제한하는 데 사용됩니다.", - "guid": "1213dbd7-fb01-42f7-8943-f6304722ea39", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/web-application-firewall/overview" - }, - { - "category": "Azure Networking", - "subcategory": "응용 프로그램 게이트웨이", - "text": "AppGW 모든 외부 연결 웹 서비스는 WAF가 활성화 된 응용 프로그램 게이트웨이를 호출합니다. 
", - "guid": "d2b1ce63-2055-4b29-aade-4aad1e8c39ec", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip" - }, - { - "category": "Azure Networking", - "subcategory": "응용 프로그램 게이트웨이", - "text": "AppGW 모든 내부 연결 웹 서비스는 WAF가 활성화 된 응용 프로그램 게이트웨이를 호출합니다. ", - "guid": "94666731-3c00-4567-9c1e-945b459c373e", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip" - }, - { - "category": "Azure Networking", - "subcategory": "응용 프로그램 게이트웨이", - "text": "AppGW - 외부 직면이 TLS/SSL을 사용하도록 설정되어 있으며 모든 트래픽을 443(포트 80 트래픽 없음)으로 리디렉션합니다.", - "guid": "7ed71623-b375-4a91-9ecb-e48fbe64dd7d", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview" - }, - { - "category": "Azure Networking", - "subcategory": "프론트도어", - "text": "Front Door RBAC는 네트워크 보안 팀에 대한 액세스를 제한하는 데 사용됩니다.", - "guid": "f2e8bbbc-4681-455a-ac91-64e9909aed8c", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/frontdoor/" - }, - { - "category": "Azure Networking", - "subcategory": "프론트도어", - "text": "정문은 WAF 정책과 연결되어 있습니다.", - "guid": "44cf3b2b-3818-4baf-a2cf-2149d013a923", - "severity": "높다", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/front-door-security-baseline?toc=/azure/frontdoor/TOC.json" - }, - { - "category": "Azure Networking", - "subcategory": "프론트도어", - "text": "프런트 도어 TLS/SSL 정책이 구성됨", - "guid": "ce574dcc-bd8a-4c2a-aebc-a2a44da1dbf3", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-custom-domain-https" - }, - { - "category": "Azure Networking", - "subcategory": "프론트도어", - "text": "전면 도어 리디렉션 포트 80에서 포트 443으로 구성됨(수신기)", - "guid": "dd992481-718d-41dc-a1f6-25659ee5580a", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-url-redirect" - }, - { - "category": "Azure Networking", - "subcategory": "프론트도어", - "text": "정문 진단 로그는 
ApplicationGatewayAccessLog &ApplicationGateway FirewallLog를 Sentinel LAW로 보냅니다.", - "guid": "38249c93-1213-4dbd-9fb0-12f70943f630", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-diagnostics" - }, - { - "category": "Azure Networking", - "subcategory": "DDOS 보호", - "text": "방화벽 공용 IP(모든 공용 IP)에 대해 사용", - "guid": "4722ea39-d2b1-4ce6-9205-5b29bade4aad", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/security/fundamentals/ddos-best-practices" - }, - { - "category": "신원", - "subcategory": "테 넌 트", - "text": "풀 타임 직원 및 엔터프라이즈 리소스의 ID를 관리하기 위한 단일 엔터프라이즈 디렉터리를 설정합니다.", - "guid": "346ad56f-bdb8-44db-8bcd-0a689af63f1e", - "severity": "높다", - "link": "https://learn.microsoft.com/security/compass/identity#a-single-enterprise-directory" - }, - { - "category": "신원", - "subcategory": "테 넌 트", - "text": "클라우드 ID를 기존 ID 시스템과 동기화합니다.", - "guid": "a46108cd-6a76-4749-ae69-b7bf61410010", - "severity": "높다", - "link": "https://learn.microsoft.com/security/compass/identity#synchronized-identity-systems" - }, - { - "category": "신원", - "subcategory": "테 넌 트", - "text": "클라우드 ID 서비스를 사용하여 온-프레미스 디렉터리에 포함시키지 않고 공급업체, 파트너 및 고객과 같은 직원이 아닌 계정을 호스팅합니다.", - "guid": "a1ab96ceb-c149-4ce2-bcad-3bd375ebfc7f", - "severity": "높다", - "link": "https://learn.microsoft.com/security/compass/identity#cloud-provider-identity-source-for-third-parties" - }, - { - "category": "신원", - "subcategory": "테 넌 트", - "text": "인터넷 연결 서비스에 대해 안전하지 않은 레거시 프로토콜을 사용하지 않도록 설정합니다.", - "guid": "343473ec-ed5c-49e1-98f4-cb09524a23cd", - "severity": "높다", - "link": "https://learn.microsoft.com/security/compass/identity#block-legacy-authentication" - }, - { - "category": "신원", - "subcategory": "테 넌 트", - "text": "싱글 사인온 사용", - "guid": "70dceb23-50c7-4d8d-bf53-8cc104c7dc44", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/security/fundamentals/identity-management-best-practices#enable-single-sign-on" - }, - { - "category": "신원", - "subcategory": "권한 있는 관리", - 
"text": "엔터프라이즈 ID 시스템을 클라우드 디렉터리와 동기화할 때 온-프레미스 리소스에 대한 가장 높은 권한 액세스 권한으로 계정을 동기화하지 마세요.", - "guid": "87791be1-1eb0-48ed-8003-ad9bcf241b99", - "severity": "높다", - "link": "https://learn.microsoft.com/security/compass/identity#no-on-premises-admin-accounts-in-cloud-identity-providers" - }, - { - "category": "신원", - "subcategory": "권한 있는 관리", - "text": "전역 관리자 수를 5명 미만으로 제한합니다.", - "guid": "9e6efe9d-f28f-463b-9bff-b5080173e9fe", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#5-limit-the-number-of-global-administrators-to-less-than-5" - }, - { - "category": "신원", - "subcategory": "권한 있는 관리", - "text": "Azure AD 역할 할당에 그룹을 사용하고 역할 할당을 위임합니다.", - "guid": "e0d968d3-87f6-41fb-a4f9-d852f1673f4c", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#6-use-groups-for-azure-ad-role-assignments-and-delegate-the-role-assignment" - }, - { - "category": "신원", - "subcategory": "권한 있는 관리", - "text": "모든 중요 영향 관리자가 엔터프라이즈 디렉터리에서 관리되어 조직 정책 적용을 따르도록 합니다.", - "guid": "00350863-4df6-4050-9cf1-cbaa6d58283e", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#managed-accounts-for-admins" - }, - { - "category": "신원", - "subcategory": "권한 있는 관리", - "text": "시간이 지남에 따라 불필요한 권한을 해지하도록 반복 액세스 검토 구성", - "guid": "eae64d01-0d3a-4ae1-a89d-cc1c2ad3888f", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#4-configure-recurring-access-reviews-to-revoke-unneeded-permissions-over-time" - }, - { - "category": "신원", - "subcategory": "권한 있는 관리", - "text": "중대한 영향 관리자가 보안 보호 및 모니터링이 강화된 워크스테이션을 사용하는지 확인", - "guid": "922ac19f-916d-4697-b8ea-ded26bdd186f", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#admin-workstation-security" - }, - { - "category": "신원", - "subcategory": "외부 신원", - "text": "ID 공급자: 외부 ID 공급자가 알려져 있는지 확인", - 
"guid": "1e8c39ec-9466-4673-83c0-05674c1e945b", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/active-directory/external-identities/compare-with-b2c" - }, - { - "category": "신원", - "subcategory": "외부 신원", - "text": "외부 공동 작업 설정: 게스트 사용자 액세스가 '게스트 사용자 액세스가 제한됩니까?'로 설정됩니다.", - "guid": "459c373e-7ed7-4162-9b37-5a917ecbe48f", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations" - }, - { - "category": "신원", - "subcategory": "외부 신원", - "text": "외부 공동 작업 설정: 게스트 초대 설정이 '특정 관리자 역할에 할당된 사용자만'으로 설정됨", - "guid": "be64dd7d-f2e8-4bbb-a468-155abc9164e9", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations" - }, - { - "category": "신원", - "subcategory": "외부 신원", - "text": "외부 공동 작업 설정: '사용 안 함'으로 설정된 흐름을 통해 게스트 셀프 서비스 가입 사용 ", - "guid": "909aed8c-44cf-43b2-a381-8bafa2cf2149", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations" - }, - { - "category": "신원", - "subcategory": "외부 신원", - "text": "외부 공동 작업 설정: 공동 작업 제한이 '지정된 도메인에 대한 초대 허용'으로 설정됨", - "guid": "d013a923-ce57-44dc-abd8-ac2aaebca2a4", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations" - }, - { - "category": "신원", - "subcategory": "외부 신원", - "text": "액세스 검토: 모든 그룹에 대해 사용 가능", - "guid": "4da1dbf3-dd99-4248-8718-d1dca1f62565", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/active-directory/governance/deploy-access-reviews" - }, - { - "category": "신원", - "subcategory": "엔터프라이즈 응용 프로그램", - "text": "동의 및 권한: 확인된 게시자의 앱에 대한 사용자 동의 허용", - "guid": "9ee5580a-3824-49c9-9121-3dbd7fb012f7", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/active-directory/manage-apps/configure-user-consent" - }, - { - "category": "신원", - "subcategory": "엔터프라이즈 응용 프로그램", - "text": "동의 및 권한: 선택한 그룹 소유자에 대해 그룹 소유자 동의 허용 ", - 
"guid": "0943f630-4722-4ea3-ad2b-1ce632055b29", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/active-directory/manage-apps/configure-user-consent-groups" - }, - { - "category": "신원", - "subcategory": "사용자 지정 도메인", - "text": "검증된 고객 도메인만 등록됩니다.", - "guid": "bade4aad-1e8c-439e-a946-667313c00567", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy-configure-custom-domain" - }, - { - "category": "신원", - "subcategory": "암호 재설정", - "text": "셀프 서비스 암호 재설정 정책 요구 사항을 준수하는지 확인했습니다.", - "guid": "4c1e945b-459c-4373-b7ed-71623b375a91", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-sspr" - }, - { - "category": "신원", - "subcategory": "암호 재설정", - "text": "사용자에게 인증 정보를 다시 확인하라는 메시지가 표시되기까지의 일수를 0으로 설정하지 않음", - "guid": "7ecbe48f-be64-4dd7-bf2e-8bbbc468155a", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/howto-sspr-deployment" - }, - { - "category": "신원", - "subcategory": "암호 재설정", - "text": "암호 재설정에 필요한 설정 횟수가 선택되었습니다.", - "guid": "bc9164e9-909a-4ed8-a44c-f3b2b3818baf", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/howto-sspr-deployment" - }, - { - "category": "신원", - "subcategory": "사용자 설정", - "text": "'사용자가 응용 프로그램을 등록 할 수 있습니다'를 비활성화하십시오.", - "guid": "a2cf2149-d013-4a92-9ce5-74dccbd8ac2a", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/active-directory/roles/delegate-app-roles" - }, - { - "category": "신원", - "subcategory": "사용자 설정", - "text": "portal.azure.com(관리 포털)에 대한 액세스를 관리자로만 제한", - "guid": "aebca2a4-4da1-4dbf-9dd9-92481718d1dc", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/users-default-permissions" - }, - { - "category": "신원", - "subcategory": "사용자 설정", - "text": "'LinkedIn 계정 연결' 비활성화", - "guid": "a1f62565-9ee5-4580-a382-49c931213dbd", - "severity": "높다", - 
"link": "https://learn.microsoft.com/azure/active-directory/enterprise-users/linkedin-integration" - }, - { - "category": "신원", - "subcategory": "진단 설정", - "text": "사용 및 센티넬을 사용하여 로그 분석 작업 영역으로 보내기", - "guid": "7fb012f7-0943-4f63-8472-2ea39d2b1ce6", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-monitoring" - }, - { - "category": "신원", - "subcategory": "PIM 사용 가능", - "text": "권한 있는 ID 관리 사용", - "guid": "21e44a19-a9dd-4399-afd7-b28dc8355562", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-deployment-plan" - }, - { - "category": "신원", - "subcategory": "PIM 사용 가능", - "text": "'JIT(Just in Time)' 액세스를 구현하여 권한 있는 계정의 노출 시간을 더욱 단축(스탠딩 액세스 감소)", - "guid": "46f4389a-7f42-4c78-b78c-06a63a21a495", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-usage?tabs=jit-config-asc%2Cjit-request-asc" - }, - { - "category": "신원", - "subcategory": "조건부 액세스 정책", - "text": "조건부 액세스 정책 구성 / 액세스 제어", - "guid": "6e6a8dc4-a20e-427b-9e29-711b1352beee", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policy-common" - }, - { - "category": "신원", - "subcategory": "조건부 액세스 정책", - "text": "조건: 제한된 위치", - "guid": "079b588d-efc4-4972-ac3c-d21bf77036e5", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/location-condition" - }, - { - "category": "신원", - "subcategory": "조건부 액세스 정책", - "text": "액세스 제어: 모든 사용자에 대해 MFA 사용", - "guid": "e6b4bed3-d5f3-4547-a134-7dc56028a71f", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa" - }, - { - "category": "신원", - "subcategory": "조건부 액세스 정책", - "text": "액세스 제어: 관리자에 대해 MFA 필요", - "guid": "fe1bd15d-d2f0-4d5e-972d-41e3611cc57b", - "severity": "보통", - "link": 
"https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa" - }, - { - "category": "신원", - "subcategory": "조건부 액세스 정책", - "text": "액세스 제어: Azure 관리에 MFA 필요 ", - "guid": "4a4b1410-d439-4589-ac22-89b3d6b57cfc", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-azure-management" - }, - { - "category": "신원", - "subcategory": "조건부 액세스 정책", - "text": "액세스 제어: 레거시 프로토콜 차단", - "guid": "645461e1-a3e3-4453-a3c8-639637a552d6", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy" - }, - { - "category": "신원", - "subcategory": "조건부 액세스 정책", - "text": "액세스 제어: 장치를 규격으로 표시해야 합니다.", - "guid": "7ae9eab4-0fd3-4290-998b-c178bdc5a06c", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/require-managed-devices" - }, - { - "category": "신원", - "subcategory": "게스트 사용자", - "text": "게스트 사용자 계정을 추적하는 정책(예: 사용/삭제/사용 안 함)이 있습니까?", - "description": "고객 문서화 정책", - "guid": "a7144351-e19d-4d34-929e-b7228137a151", - "severity": "보통", - "link": "https://devblogs.microsoft.com/premier-developer/azure-active-directory-automating-guest-user-management/" - }, - { - "category": "신원", - "subcategory": "ID 보안 점수", - "text": "업계 모범 사례를 기반으로 ID 보안 점수 구현", - "guid": "c5bb4e4f-1814-4287-b5ca-8c26c9b32ab5", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/identity-secure-score" - }, - { - "category": "신원", - "subcategory": "브레이크 글래스 계정", - "text": "적어도 두 개의 브레이크 글라스 계정이 만들어졌으며 사용에 관한 정책이 존재합니다.", - "guid": "bcfc6998-a135-4e33-9897-e31c67d68cb6", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access" - }, - { - "category": "VM 보안 검사", - "subcategory": "액세스 제어", - "text": "Azure 정책을 활용한 VM 액세스 제어", - "guid": 
"0ac252b9-99a6-48af-a7c9-a8f821b8eb8c", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/governance/policy/overview" - }, - { - "category": "VM 보안 검사", - "subcategory": "액세스 제어", - "text": "템플릿을 활용하여 VM 설정 및 배포의 변동성을 줄입니다.", - "guid": "0aa77e26-e4d5-4aea-a8dc-4e2436bc336d", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/templates/syntax" - }, - { - "category": "VM 보안 검사", - "subcategory": "액세스 제어", - "text": "거버넌스를 통해 리소스에 액세스할 수 있는 사용자를 줄임으로써 VMS를 배포하기 위한 권한 있는 액세스 보안", - "guid": "b5945bda-4333-44fd-b91c-234182b65275", - "severity": "보통", - "link": "https://learn.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models" - }, - { - "category": "VM 보안 검사", - "subcategory": "고가용성 ", - "text": "더 나은 가용성을 위해 워크로드에 여러 VM 사용 ", - "guid": "269440b4-be3d-43e0-a432-76d4bdc015bc", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service" - }, - { - "category": "VM 보안 검사", - "subcategory": "고가용성 ", - "text": "재해 복구 솔루션 배포 및 테스트 ", - "guid": "f219e4a1-eb58-4879-935d-227886d30b66", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-first-look-arm" - }, - { - "category": "VM 보안 검사", - "subcategory": "고가용성 ", - "text": "가용성 세트", - "guid": "c57be595-1900-4838-95c5-86cb291ec16a", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview" - }, - { - "category": "VM 보안 검사", - "subcategory": "고가용성 ", - "text": "가용 영역", - "guid": "1d076ef9-f141-4acd-ae57-9377bcdb3751", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/availability-zones/az-overview?context=/azure/virtual-machines/context/context" - }, - { - "category": "VM 보안 검사", - "subcategory": "고가용성 ", - "text": "지역 내결함성 ", - "guid": "ab2ac1fa-d66e-415d-9d5a-2adb2c3e2326", - "severity": "보통", - "link": 
"https://learn.microsoft.com/azure/architecture/resiliency/recovery-loss-azure-region" - }, - { - "category": "VM 보안 검사", - "subcategory": "맬웨어로부터 보호", - "text": "맬웨어 방지 솔루션 설치", - "guid": "af225ca4-4e16-496f-bdde-ace4cb1deb4c", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/security/fundamentals/antimalware" - }, - { - "category": "VM 보안 검사", - "subcategory": "맬웨어로부터 보호", - "text": "맬웨어 방지 솔루션을 보안 센터와 통합", - "guid": "650c3fc1-4eeb-4b36-a382-9e3eec218368", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/security-center/security-center-partner-integration" - }, - { - "category": "VM 보안 검사", - "subcategory": "VM 업데이트 관리", - "text": "Azure 자동화를 사용한 업데이트 관리를 사용하여 VM을 최신 상태로 유지", - "guid": "7a0177a2-b594-45bd-a433-34fdf91c2341", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/automation/update-management/overview" - }, - { - "category": "VM 보안 검사", - "subcategory": "VM 업데이트 관리", - "text": "배포용 Windows 이미지에 최신 수준의 업데이트가 있는지 확인 ", - "guid": "c6fa96b9-6ad8-4840-af37-2734c876ba28", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/virtual-machines/automatic-vm-guest-patching" - }, - { - "category": "VM 보안 검사", - "subcategory": "VM 업데이트 관리", - "text": "클라우드용 Microsoft Defender를 사용하여 VM에 보안 업데이트를 신속하게 적용", - "guid": "02145901-465d-438e-9309-ccbd979266bc", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/security-center/asset-inventory" - }, - { - "category": "VM 보안 검사", - "subcategory": "VHD 암호화", - "text": "VM에서 암호화 사용", - "guid": "ca274faa-19bf-439d-a5d4-4c7c8919ca1f", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview" - }, - { - "category": "VM 보안 검사", - "subcategory": "VHD 암호화", - "text": "암호화를 위한 보안 계층을 추가하기 위해 KEK(키 암호화 키) 추가 ", - "guid": "6d5315ae-524b-4a34-b458-5e12139bd7bb", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/virtual-machines/windows/disk-encryption-key-vault#set-up-a-key-encryption-key-kek" - }, - { 
- "category": "VM 보안 검사", - "subcategory": "VHD 암호화", - "text": "롤백 목적으로 암호화하기 전에 디스크의 스냅숏 만들기", - "guid": "012f7b95-e06e-4154-b2aa-3592828e6e20", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/virtual-machines/windows/snapshot-copy-managed-disk" - }, - { - "category": "VM 보안 검사", - "subcategory": "직접 인터넷 연결 제한 ", - "text": "중앙 네트워킹 그룹에만 네트워킹 리소스에 대한 사용 권한이 있는지 확인 ", - "guid": "5173676a-e466-491e-a835-ad942223E138", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles" - }, - { - "category": "VM 보안 검사", - "subcategory": "직접 인터넷 연결 제한 ", - "text": "'ANY' 원본 IP 추가 기능으로부터의 액세스를 허용하는 노출된 VM을 ID 및 수정합니다.", - "guid": "10523081-a941-4741-9833-ff7ad7c6d373", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/security-center/security-center-partner-integration" - }, - { - "category": "VM 보안 검사", - "subcategory": "직접 인터넷 연결 제한 ", - "text": "적시 액세스를 사용하여 관리 포트(RDP, SSH) 제한", - "guid": "75a91be1-f388-4f03-a4d2-cd463cbbbc86", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/security-center/security-center-just-in-time" - }, - { - "category": "VM 보안 검사", - "subcategory": "직접 인터넷 연결 제한 ", - "text": "인터넷 액세스를 제거하고 RDP용 점프 서버를 구현합니다.", - "guid": "8295abc9-1a4e-4da0-bae2-cc84c47b6b78", - "severity": "높다", - "link": "http://learn.microsoft.com/answers/questions/171195/how-to-create-jump-server-in-azure-not-bastion-paa.html" - }, - { - "category": "VM 보안 검사", - "subcategory": "직접 인터넷 연결 제한 ", - "text": "인터넷에서 RDP / SSH를 사용하여 서버에 직접 로그인을 제거하고 VPN 또는 고속 경로를 구현하십시오.", - "guid": "1cbafe6c-4658-49d4-98a9-27c3974d1102", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-forced-tunneling" - }, - { - "category": "VM 보안 검사", - "subcategory": "직접 인터넷 연결 제한 ", - "text": "Azure 요새를 RDP/SSH 브로커로 활용하여 보안을 강화하고 설치 공간을 줄입니다.", - "guid": "dad6aae1-1e6b-484e-b5df-47d2d92881b1", - "severity": "높다", - "link": 
"https://learn.microsoft.com/azure/bastion/bastion-overview" - }, - { - "category": "센 티 넬", - "subcategory": "건축학 ", - "text": "포함된 모든 테넌트에는 하나 이상의 로그 분석 작업 영역에서 센티넬이 활성화되어 있습니다.", - "guid": "cd5d1e54-a297-459e-9968-0e78289c9356", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard" - }, - { - "category": "센 티 넬", - "subcategory": "건축학 ", - "text": "고객이 센티넬 아키텍처를 이해합니다.", - "guid": "57d02bff-4564-4b0d-a34a-359836ee79d6", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/sentinel/best-practices-workspace-architecture" - }, - { - "category": "센 티 넬", - "subcategory": "건축학 ", - "text": "고객은 여러 센티넬 인스턴스에서 인시던트를 모니터링하는 방법을 알고 있습니다.", - "guid": "e8f5c586-c7d9-4cdc-86ac-c075ef9b141a", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/sentinel/multiple-workspace-view" - }, - { - "category": "센 티 넬", - "subcategory": "개요", - "text": "24시간 이상 열리는 인시던트 없음", - "guid": "8989579e-76b8-497e-910A-7Da7be9966E1", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/sentinel/manage-soc-with-incident-metrics" - }, - { - "category": "센 티 넬", - "subcategory": "뉴스 및 가이드", - "text": "고객에게 뉴스 및 가이드 탭이 표시됨", - "guid": "5d3c4ada-97cb-43d1-925a-b225c6f4e068", - "severity": "낮다", - "link": "https://learn.microsoft.com/azure/sentinel/whats-new" - }, - { - "category": "센 티 넬", - "subcategory": "UEBA ", - "text": "UEBA 구성됨(센티넬/설정/설정/UEBA 구성)", - "guid": "5edddea8-a4b7-4cde-a4c6-1fc3fc14eea6", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/sentinel/enable-entity-behavior-analytics" - }, - { - "category": "센 티 넬", - "subcategory": "데이터 커넥터", - "text": "구성된 Azure Active Directory 및 '마지막으로 받은 로그'가 오늘 표시됩니다.", - "guid": "e69d8d9a-3eec-4218-b687-ab077adb49e5", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/sentinel/connect-azure-active-directory" - }, - { - "category": "센 티 넬", - "subcategory": "데이터 커넥터", - "text": "Azure Active Directory ID 보호가 구성되고 '마지막으로 받은 로그'가 오늘 표시됩니다.", - 
"guid": "b9603334-fdf8-4cc2-9318-db61171269f4", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-active-directory-identity-protection" - }, - { - "category": "센 티 넬", - "subcategory": "데이터 커넥터", - "text": "Azure 활동이 구성되고 '마지막으로 받은 로그'가 오늘 표시됩니다.", - "guid": "0b4aa3d3-e070-4327-9d4b-98b15b8a219a", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-activity" - }, - { - "category": "센 티 넬", - "subcategory": "데이터 커넥터", - "text": "클라우드용 Microsoft Defender가 구성되었으며 '마지막으로 받은 로그'가 오늘 표시됩니다.", - "guid": "8e13f9cc-bd46-4826-9abc-a264f9a19bfe", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/sentinel/connect-defender-for-cloud" - }, - { - "category": "센 티 넬", - "subcategory": "데이터 커넥터", - "text": "Azure 방화벽이 구성되고 '마지막으로 받은 로그'가 오늘 표시됩니다.", - "guid": "9d55d04c-3c49-419c-a1b2-d1215ae114b9", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-firewall" - }, - { - "category": "센 티 넬", - "subcategory": "데이터 커넥터", - "text": "Windows 방화벽이 구성되고 '마지막으로 받은 로그'가 오늘 표시됩니다.", - "guid": "34df585e-cccd-49bd-9ba0-cdb3b54eb2eb", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#windows-firewall" - }, - { - "category": "센 티 넬", - "subcategory": "데이터 커넥터", - "text": "보안 이벤트는 AMA로 구성되며 '마지막으로 받은 로그'가 오늘 표시됩니다.", - "guid": "03ddaa25-9271-48d2-bdb1-0725769ef669", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#windows-security-events-via-ama" - }, - { - "category": "센 티 넬", - "subcategory": "데이터 커넥터", - "text": "보안 이벤트 - Azure 컴퓨터가 연결되어 있고 작업 영역으로 데이터를 보내는지 확인", - "guid": "1a4834ac-9322-423e-ae80-b123081a5417", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference" - }, - { - "category": "센 티 넬", - "subcategory": "데이터 커넥터", - "text": "보안 이벤트 - Azure 이외의 컴퓨터가 연결되어 있고 작업 
영역으로 데이터를 보내는지 확인", - "guid": "859c773e-7e26-4162-9b77-5a917e1f348e", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference" - }, - { - "category": "센 티 넬", - "subcategory": "데이터 커넥터", - "text": "AWS용 커넥터", - "guid": "f354c27d-42e8-4bba-a868-155abb9163e9", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/sentinel/connect-aws?tabs=s3" - }, - { - "category": "센 티 넬", - "subcategory": "데이터 커넥터", - "text": "GCP용 커넥터", - "guid": "909ae28c-84c3-43b6-a780-8bafe6c42149", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference" - }, - { - "category": "센 티 넬", - "subcategory": "분석 규칙", - "text": "고객이 분석 규칙을 사용하도록 설정하고 인시던트를 구성했습니다. ", - "guid": "d413a923-c357-44d1-8028-ac6aae01e6a8", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/sentinel/detect-threats-built-in" - }, - { - "category": "센 티 넬", - "subcategory": "설정", - "text": "일일 한도가 활성화되어 있지 않은 경우", - "guid": "4de5df43-d299-4248-8718-d5d1e5f62565", - "severity": "보통", - "link": "https://azure.microsoft.com/updates/controlling-data-volume-and-retention-in-log-analytics-2/" - }, - { - "category": "Azure Firewall", - "subcategory": "구성", - "text": "Azure 방화벽 프리미엄 배포됨", - "guid": "9e3558fd-7724-49c9-9111-2d027fe412f7", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/firewall/premium-features" - }, - { - "category": "Azure Firewall", - "subcategory": "구성", - "text": "쿼드 제로/강제 튜닝은 Azure 방화벽을 통해 사용하도록 설정됨", - "guid": "4dc74a74-8b66-433a-b2a0-916a764980ad", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal#create-a-default-route" - }, - { - "category": "Azure Firewall", - "subcategory": "액세스 제어", - "text": "권한이 있는 사용자만 사용하도록 설정된 RBAC", - "guid": "0e278ee2-93c1-4bc3-92ba-aab7571849ab", - "severity": "보통", - "link": "https://techcommunity.microsoft.com/t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598" - 
}, - { - "category": "Azure Firewall", - "subcategory": "진단 설정", - "text": "진단을 사용하도록 설정하고 로그 분석 작업 영역에 메트릭을 보냅니다. ", - "guid": "8093dc9f-c9d1-4bb7-9b36-a5a67fbb9ed5", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics" - }, - { - "category": "Azure Firewall", - "subcategory": "방화벽 관리자", - "text": "허브와 가상 네트워크는 방화벽 프리미엄을 통해 보호되거나 연결됩니다.", - "guid": "b35478c3-4798-416b-8863-cffe1cac599e", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview" - }, - { - "category": "Azure Firewall", - "subcategory": "방화벽 관리자", - "text": "정책: 액세스 제어 구성됨(RBAC)", - "guid": "f0d5a73d-d4de-436c-8c81-770afbc4c0e4", - "severity": "높다", - "link": "https://techcommunity.microsoft.com/t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598" - }, - { - "category": "Azure Firewall", - "subcategory": "방화벽 관리자", - "text": "정책: 상위 정책이 구성됨 ", - "guid": "5c3a87af-4a79-41f8-a39b-da47768e14c1", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview" - }, - { - "category": "Azure Firewall", - "subcategory": "방화벽 관리자", - "text": "정책: 규칙 컬렉션이 정의됩니다.", - "guid": "15675c1e-a55b-446a-a48f-f8ae7d7e4b47", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/firewall/rule-processing" - }, - { - "category": "Azure Firewall", - "subcategory": "방화벽 관리자", - "text": "정책: DNAT 정책이 정의되어 있습니다.", - "guid": "5b6c8bcb-f59b-4ce6-9de8-a03f97879468", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/firewall/rule-processing" - }, - { - "category": "Azure Firewall", - "subcategory": "방화벽 관리자", - "text": "정책: 네트워크 규칙이 정의됩니다.", - "guid": "d66a786d-60e9-46c9-9ad8-855d04c2b39c", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/firewall/rule-processing" - }, - { - "category": "Azure Firewall", - "subcategory": "방화벽 관리자", - "text": "정책: 응용 프로그램 규칙이 정의됩니다.", - "guid": "986bb2c1-2149-4a11-9b5e-3df574ecccd9", - "severity": 
"높다", - "link": "https://learn.microsoft.com/azure/firewall/features" - }, - { - "category": "Azure Firewall", - "subcategory": "방화벽 관리자", - "text": "DNS: 이해되고 적용되거나 적용되지 않는 기능", - "guid": "793a6bcd-a3b5-40eb-8eb0-3dd95d58d7c8", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/firewall/dns-details" - }, - { - "category": "Azure Firewall", - "subcategory": "방화벽 관리자", - "text": "위협 인텔리전스: 경고 및 거부로 설정", - "guid": "d622f54b-29ba-4de3-aad1-e8c28ec93666", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/firewall-manager/threat-intelligence-settings" - }, - { - "category": "Azure Firewall", - "subcategory": "방화벽 관리자", - "text": "위협 인텔리전스: 허용된 목록(사용 중인 경우 정당화 - 즉, 성능)", - "guid": "7313b005-674b-41e9-94a4-59c373e7ed61", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/firewall-manager/threat-intelligence-settings#allowlist-addresses" - }, - { - "category": "Azure Firewall", - "subcategory": "방화벽 관리자", - "text": "TLS 사용", - "guid": "623b365a-917e-4cbe-98eb-d54cd7df2e8b", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/firewall/premium-certificates" - }, - { - "category": "Azure Firewall", - "subcategory": "방화벽 관리자", - "text": "IDPS 사용 가능", - "guid": "bac35715-59ab-4915-9e99-08aed8c44ce3", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/firewall/rule-processing" - }, - { - "category": "Azure Firewall", - "subcategory": "방화벽 관리자", - "text": "SNAT: 구성됨 ", - "guid": "b2b3808b-9fa1-4cf1-849d-003a923ce474", - "severity": "높다", - "link": "https://learn.microsoft.com/azure/firewall/snat-private-range" - }, - { - "category": "Azure Firewall", - "subcategory": "DDOS 보호", - "text": "방화벽 공용 IP에 대해 사용", - "guid": "dbcbd8ac-2aae-4bca-8a43-da1dae2cc992", - "severity": "보통", - "link": "https://learn.microsoft.com/azure/security/fundamentals/ddos-best-practices" - } - ], - "severities": [ - { - "name": "높다" - }, - { - "name": "보통" - }, - { - "name": "낮다" - } - ], - "status": [ - { - "name": "확인되지 않음", - 
"description": "이 검사는 아직 검토되지 않았습니다." - }, - { - "name": "열다", - "description": "이 검사와 연관된 작업 항목이 있습니다." - }, - { - "name": "성취", - "description": "이 검사가 확인되었으며 연관된 추가 작업 항목이 없습니다." - }, - { - "name": "필요하지 않음", - "description": "권장 사항은 이해되었지만 현재 요구 사항에는 필요하지 않습니다." - }, - { - "name": "해당 없음", - "description": "현재 설계에는 적용되지 않음" - } - ], - "categories": [ - { - "name": "클라우드를 위한 수비수" - }, - { - "name": "Azure Networking" - }, - { - "name": "신원" - }, - { - "name": "VM 보안 검사" - }, - { - "name": "센 티 넬" - }, - { - "name": "Azure Firewall" - } - ] -} + "categories": [ + { + "name": "클라우드용 Defender" + }, + { + "name": "Azure 네트워킹" + }, + { + "name": "신원" + }, + { + "name": "VM 보안 검사" + }, + { + "name": "센 티 넬" + }, + { + "name": "Azure 방화벽" + } + ], + "items": [ + { + "category": "클라우드용 Defender", + "guid": "54174158-33fb-43ae-9c2d-e743165c3acb", + "id": "A01.01", + "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started", + "severity": "높다", + "subcategory": "가격 및 설정", + "text": "Security Center/Defender는 모든 구독에서 사용하도록 설정합니다.", + "waf": "안전" + }, + { + "category": "클라우드용 Defender", + "guid": "349f0364-d28d-442e-abbb-c868255abc91", + "id": "A01.02", + "link": "https://learn.microsoft.com/azure/security-center/enable-azure-defender", + "severity": "높다", + "subcategory": "가격 및 설정", + "text": "모든 Log Analytics 작업 영역에서 Security Center/Defender 사용", + "waf": "안전" + }, + { + "category": "클라우드용 Defender", + "guid": "64e9a19a-e28c-484c-93b6-b7818ca0e6c4", + "id": "A01.03", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-feature#what-event-types-are-stored-for-common-and-minimal", + "severity": "보통", + "subcategory": "가격 및 설정", + "text": "'공통'으로 설정된 데이터 컬렉션", + "waf": "안전" + }, + { + "category": "클라우드용 Defender", + "guid": "2149d414-a923-4c35-94d1-1029bd6aaf11", + "id": "A01.04", + "link": "https://learn.microsoft.com/azure/security-center/enable-azure-defender", + "severity": "높다", + 
"subcategory": "가격 및 설정", + "text": "클라우드용 Defender 향상된 보안 기능이 모두 활성화됨", + "waf": "안전" + }, + { + "category": "클라우드용 Defender", + "guid": "e6b84ee5-ef43-4d29-a248-1718d5d1f5f7", + "id": "A01.05", + "link": "https://learn.microsoft.com/azure/security-center/security-center-enable-data-collection", + "severity": "보통", + "subcategory": "가격 및 설정", + "text": "회사 정책에 따라 자동 프로비저닝 사용(정책이 있어야 함)", + "waf": "안전" + }, + { + "category": "클라우드용 Defender", + "guid": "25759e35-680e-4782-9ac9-32213d027ff4", + "id": "A01.06", + "link": "https://learn.microsoft.com/azure/security-center/security-center-provide-security-contact-details", + "severity": "낮다", + "subcategory": "가격 및 설정", + "text": "회사 정책에 따라 이메일 알림 사용(정책이 있어야 함)", + "waf": "안전" + }, + { + "category": "클라우드용 Defender", + "guid": "12f70993-0631-4583-9ee7-9d6c6d363206", + "id": "A01.07", + "link": "https://learn.microsoft.com/azure/security-center/security-center-wdatp?WT.mc_id=Portal-Microsoft_Azure_Security_CloudNativeCompute&tabs=windows", + "severity": "보통", + "subcategory": "가격 및 설정", + "text": "통합 활성화 옵션이 선택되어 있습니다. 
", + "waf": "안전" + }, + { + "category": "클라우드용 Defender", + "guid": "5b7abae4-4aad-45e8-a79e-2e86667313c5", + "id": "A01.08", + "link": "https://learn.microsoft.com/azure/security-center/defender-for-container-registries-cicd", + "severity": "보통", + "subcategory": "가격 및 설정", + "text": "CI/CD 통합이 구성됨", + "waf": "작업" + }, + { + "category": "클라우드용 Defender", + "guid": "05675c5e-985b-4859-a774-f7e371623b87", + "id": "A01.09", + "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal", + "severity": "높다", + "subcategory": "가격 및 설정", + "text": "3rd party SIEM을 사용하는 경우 연속 내보내기 'Event Hub'가 사용하도록 설정됨", + "waf": "안전" + }, + { + "category": "클라우드용 Defender", + "guid": "5a917e1f-349f-4036-9d28-d42e8bbbc868", + "id": "A01.10", + "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal", + "severity": "보통", + "subcategory": "가격 및 설정", + "text": "Azure Sentinel을 사용하지 않는 경우 연속 내보내기 'Log Analytics 작업 영역'을 사용할 수 있습니다.", + "waf": "안전" + }, + { + "category": "클라우드용 Defender", + "guid": "255abc91-64e9-4a19-ae28-c84c43b6b781", + "id": "A01.11", + "link": "https://learn.microsoft.com/azure/security-center/quickstart-onboard-aws?WT.mc_id=Portal-Microsoft_Azure_Security", + "severity": "높다", + "subcategory": "가격 및 설정", + "text": "AWS에 사용할 수 있는 클라우드 커넥터", + "waf": "안전" + }, + { + "category": "클라우드용 Defender", + "guid": "8ca0e6c4-2149-4d41-9a92-3c3574d11029", + "id": "A01.12", + "link": "https://learn.microsoft.com/azure/security-center/quickstart-onboard-gcp", + "severity": "높다", + "subcategory": "가격 및 설정", + "text": "GCP에 사용하도록 설정된 클라우드 커넥터", + "waf": "안전" + }, + { + "category": "클라우드용 Defender", + "guid": "cce9bdf6-b483-45a0-85ec-c8232b230652", + "id": "A01.13", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy-integrate-with-microsoft-cloud-application-security", + "severity": "낮다", + "subcategory": "가격 및 설정", + "text": "Azure AD 애플리케이션 프록시를 사용하는 경우 Microsoft Defender for 
Cloud Apps 통합하여 애플리케이션 액세스를 실시간으로 모니터링하고 고급 보안 제어를 적용하는 것이 좋습니다.", + "waf": "안전" + }, + { + "category": "클라우드용 Defender", + "guid": "df9cc234-18db-4611-9126-5f4bb47a393a", + "id": "A02.01", + "link": "https://learn.microsoft.com/azure/security-center/secure-score-security-controls", + "severity": "보통", + "subcategory": "권장 사항", + "text": "필요하지 않은 경우 모든 권장 사항이 수정되거나 비활성화됩니다.", + "waf": "안전" + }, + { + "category": "클라우드용 Defender", + "description": "모든 고객에 대한 Microsoft 최소 목표는 70%입니다.", + "guid": "08032729-4798-4b15-98a2-19a46ceb5443", + "id": "A02.02", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/secure-score-security-controls", + "severity": "높다", + "subcategory": "권장 사항", + "text": "보안 점수>70%", + "waf": "안전" + }, + { + "category": "클라우드용 Defender", + "guid": "50259226-4429-42bb-9285-37a55119bf8e", + "id": "A03.01", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/tutorial-security-incident", + "severity": "보통", + "subcategory": "보안 경고", + "text": "보안 경고에는 지난 24시간 동안 생성된 경고만 포함됩니다(이전 보안 경고 수정 또는 사용 안 함).", + "waf": "안전" + }, + { + "category": "클라우드용 Defender", + "guid": "8f585428-7d9c-4dc1-96cd-072af9b141a8", + "id": "A04.01", + "link": "https://learn.microsoft.com/azure/security-center/custom-dashboards-azure-workbooks", + "severity": "보통", + "subcategory": "통합 문서", + "text": "연속 내보내기를 사용하는 경우 기본 통합 문서가 사용자 지정 보안 대시보드에 게시됩니다.", + "waf": "안전" + }, + { + "category": "클라우드용 Defender", + "guid": "98a535e7-3789-47e7-8ca7-da7be9962a15", + "id": "A05.01", + "link": "https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/bd-p/MicrosoftDefenderCloud", + "severity": "보통", + "subcategory": "커뮤니티", + "text": "고객은 '커뮤니티' 페이지의 가치를 알고 있으며 검토를 위해 정기적인 주기를 설정했습니다.", + "waf": "안전" + }, + { + "category": "클라우드용 Defender", + "description": "고객 운영 모범 사례 - 투명성", + "guid": "93846da9-7cc3-4923-856b-22586f4a1641", + "id": "A06.01", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/enable-enhanced-security", + "severity": "높다", + 
"subcategory": "보안 점수", + "text": "Security Center에서 보호하는 모든 구독이 표시됩니다(구독 필터 집합 없음).", + "waf": "안전" + }, + { + "category": "클라우드용 Defender", + "guid": "bdddea8a-487c-4deb-9861-bc3bc14aea6e", + "id": "A07.01", + "link": "https://learn.microsoft.com/azure/security-center/security-center-compliance-dashboard", + "severity": "높다", + "subcategory": "규정 준수", + "text": "규정 준수 제어는 필요한 모든 규정 준수 요구 사항에 대해 친환경적입니다.", + "waf": "안전" + }, + { + "category": "클라우드용 Defender", + "description": "고객 운영 모범 사례 - 확인", + "guid": "65e8d9a3-aec2-418e-9436-b0736db55f57", + "id": "A08.01", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/remediate-vulnerability-findings-vm", + "severity": "높다", + "subcategory": "Azure 수비수", + "text": "심각도가 높은 VM 취약성이 0(비어 있음)", + "waf": "안전" + }, + { + "category": "클라우드용 Defender", + "guid": "9603334b-df9c-4c23-918d-b61171265f4b", + "id": "A09.01", + "link": "https://techcommunity.microsoft.com/t5/azure-network-security/azure-firewall-manager-is-now-integrated-with-azure-security/ba-p/2228679", + "severity": "보통", + "subcategory": "방화벽 관리자", + "text": "허브는 Azure Firewall로 보호됩니다.", + "waf": "안전" + }, + { + "category": "클라우드용 Defender", + "description": "고객 운영 모범 사례 - 확인", + "guid": "b47a393a-0803-4272-a479-8b1578a219a4", + "id": "A09.02", + "link": "https://learn.microsoft.com/azure/security/fundamentals/network-best-practices", + "severity": "보통", + "subcategory": "방화벽 관리자", + "text": "가상 네트워크는 방화벽으로 보호됩니다.", + "waf": "안전" + }, + { + "category": "클라우드용 Defender", + "guid": "6ceb5443-5025-4922-9442-92bb628537a5", + "id": "A09.03", + "link": "https://azure.microsoft.com/blog/how-azure-security-center-detects-ddos-attack-using-cyber-threat-intelligence/", + "severity": "보통", + "subcategory": "방화벽 관리자", + "text": "DDoS 표준 사용", + "waf": "안전" + }, + { + "category": "클라우드용 Defender", + "guid": "5119bf8e-8f58-4542-a7d9-cdc166cd072a", + "id": "A10.01", + "link": 
"https://learn.microsoft.com/azure/security-center/security-center-get-started?WT.mc_id=Portal-Microsoft_Azure_Security", + "severity": "높다", + "subcategory": "보도", + "text": "모든 구독이 적용되는지 확인합니다(수정할 가격 책정 및 설정 참조).", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": "4df585ec-dce9-4793-a7bc-db3b51eb2eb0", + "id": "B01.01", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses", + "severity": "높다", + "subcategory": "공용 IP", + "text": "공용 IP가 있는 VM은 NSG로 보호해야 합니다. ", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "description": "고객 운영 모범 사례 - 확인", + "guid": "3dda6e59-d7c8-4a2e-bb11-7d6769af669c", + "id": "B01.02", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses", + "severity": "높다", + "subcategory": "공용 IP", + "text": "공용 IP가 있는 VM은 Azure Firewall 프리미엄 뒤로 이동됩니다.", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "description": "고객 운영 모범 사례 - 확인", + "guid": "a48e5a85-f222-43ec-b8bb-12308ca5017f", + "id": "B01.03", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", + "severity": "높다", + "subcategory": "공용 IP", + "text": "공용 IP가 필요하지 않은 VM에는 공용 IP가 없습니다(즉, 내부 RDP만 해당).", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": "158e3ea3-a93c-42de-9e31-65c3a87a04b7", + "id": "B02.01", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview", + "severity": "보통", + "subcategory": "NSG (뉴사우스웨일스주)", + "text": "NSG RBAC는 네트워크 보안 팀에 대한 액세스를 제한하는 데 사용됩니다.", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "description": "고객 운영 모범 사례 - 확인", + "guid": "a209939b-da47-4778-b24c-116785c2fa55", + "id": "B02.02", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview", + "severity": "높다", + "subcategory": "NSG (뉴사우스웨일스주)", + "text": "NSG 인바운드 보안 규칙의 원본 필드에 *(와일드카드)가 포함되어 있지 않습니다.", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "description": 
"고객 운영 모범 사례 - 확인", + "guid": "b56a9480-08be-47d7-b4c4-76b6d8bdcf59", + "id": "B02.03", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview", + "severity": "보통", + "subcategory": "NSG (뉴사우스웨일스주)", + "text": "NSG 아웃바운드 보안 규칙은 방화벽을 통해 라우팅되지 않는 트래픽에 대해 특정 IP 주소에 대한 트래픽을 제어하는 데 사용됩니다", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "description": "고객 운영 모범 사례 - 확인", + "guid": "bce65de8-a13f-4988-9946-8d66a786d60f", + "id": "B02.04", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview", + "severity": "높다", + "subcategory": "NSG (뉴사우스웨일스주)", + "text": "NSG에는 원본이 *(와일드카드)로 없습니다.", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": "a6c97be9-955d-404c-9c49-c986cb2d1215", + "id": "B02.05", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-nsg-manage-log", + "severity": "보통", + "subcategory": "NSG (뉴사우스웨일스주)", + "text": "NSG 진단은 NetworkSecurityGroupEvent 및 NetworkSecurityGroupRuleCounter 트래픽을 Sentinel LAW로 보냅니다.", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": "aa124b6e-4df5-485e-adce-9793b7bcdb3b", + "id": "B03.01", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "severity": "보통", + "subcategory": "UDR", + "text": "UDR RBAC는 네트워크 보안 팀에 대한 액세스를 제한하는 데 사용됩니다", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": "51eb2eb0-3dda-46e5-ad7c-8a2edb117d67", + "id": "B03.02", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "severity": "높다", + "subcategory": "UDR", + "text": "제로 트러스트인 경우 UDR은 모든 트래픽을 Azure Firewall 프리미엄으로 보내는 데 사용됩니다", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "description": "고객 운영 모범 사례 - 확인", + "guid": "69af669c-a48e-45a8-9f22-23ece8bb1230", + "id": "B03.03", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "severity": "보통", + "subcategory": "UDR", + "text": "모든 트래픽을 
AzureFirewallPremium으로 보내지 않는 UDR은 알려지고 문서화되어 있습니다.", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": "8ca5017f-158e-43ea-9a93-c2de7e3165c3", + "id": "B04.01", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview#default", + "severity": "높다", + "subcategory": "가상 네트워크", + "text": "고객은 Azure의 Azure 네트워킹 기본값/SDN 기본 라우팅에 대해 잘 알고 있습니다.", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "description": "고객 운영 모범 사례 - 확인", + "guid": "a87a04b7-a209-4939-ada4-7778f24c1167", + "id": "B04.02", + "link": "https://github.com/MicrosoftDocs/azure-docs/issues/53672", + "severity": "보통", + "subcategory": "가상 네트워크", + "text": "VNet RBAC는 네트워크 보안 팀에 대한 액세스를 제한하는 데 사용됩니다", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": "85c2fa55-b56a-4948-808b-e7d7e4c476b6", + "id": "B04.03", + "link": "https://learn.microsoft.com/azure/virtual-network/policy-reference", + "severity": "높다", + "subcategory": "가상 네트워크", + "text": "VNet 보안 권장 사항이 수정되고 '위험한' VNet이 없습니다. 
", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": "d8bdcf59-bce6-45de-aa13-f98879468d66", + "id": "B04.04", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", + "severity": "높다", + "subcategory": "가상 네트워크", + "text": "VNet 피어링 연결이 이해되고 예상 트래픽 흐름이 문서화됩니다.", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": "a786d60f-a6c9-47be-a955-d04c3c49c986", + "id": "B04.05", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", + "severity": "높다", + "subcategory": "가상 네트워크", + "text": "VNet 서비스 엔드포인트가 사용 중이며 레거시 공용 서비스 엔드포인트가 없습니다.", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": "1f625659-ee55-480a-9824-9c931213dbd7", + "id": "B04.06", + "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", + "severity": "높다", + "subcategory": "가상 네트워크", + "text": "VNet 프라이빗 엔드포인트는 온-프레미스 환경에서 액세스를 허용하는 데 사용 중이며 레거시 퍼블릭 엔드포인트는 없습니다.", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": "fb012f70-943f-4630-9722-ea39d2b1ce63", + "id": "B04.07", + "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network", + "severity": "높다", + "subcategory": "가상 네트워크", + "text": "VNet 모니터링 사용", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": "2055b29b-ade4-4aad-8e8c-39ec94666731", + "id": "B04.08", + "link": "https://learn.microsoft.com/azure/virtual-network/kubernetes-network-policies", + "severity": "높다", + "subcategory": "가상 네트워크", + "text": "AKS(Azure Kubernetes Service)에서 네트워크 정책을 사용하여 Pod 간 트래픽 보호", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": "3c005674-c1e9-445b-959c-373e7ed71623", + "id": "B04.09", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-scenario-udr-gw-nva", + "severity": "높다", + "subcategory": "가상 네트워크", + "text": "VNet NVA(어플라이언스) 고객은 게시된 아키텍처 패턴을 따릅니다.", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": 
"b375a917-ecbe-448f-ae64-dd7df2e8bbbc", + "id": "B04.10", + "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network", + "severity": "높다", + "subcategory": "가상 네트워크", + "text": "VNet 진단 설정이 사용하도록 설정되고 VMProtectionAlerts를 Azure Sentinel LAW로 보냅니다.", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": "468155ab-c916-44e9-a09a-ed8c44cf3b2b", + "id": "B05.01", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "severity": "높다", + "subcategory": "인터넷", + "text": "ExpressRoute 또는 VPN을 사용하여 온-프레미스 환경에서 Azure 리소스에 액세스", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": "bd8ac2aa-ebca-42a4-9da1-dbf3dd992481", + "id": "B06.01", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "severity": "높다", + "subcategory": "가상 WAN", + "text": "VWAN RBAC는 네트워크 보안 팀에 대한 액세스를 제한하는 데 사용됩니다", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": "718d1dca-1f62-4565-aee5-580a38249c93", + "id": "B06.02", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-global-transit-network-architecture", + "severity": "높다", + "subcategory": "가상 WAN", + "text": "VWAN 고객이 Secure Hub 또는 외부 방화벽을 사용하여 트래픽을 라우팅하고 모니터링하고 있습니다.", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": "1213dbd7-fb01-42f7-8943-f6304722ea39", + "id": "B07.01", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", + "severity": "높다", + "subcategory": "애플리케이션 게이트웨이", + "text": "AppGW RBAC는 네트워크 보안 팀에 대한 액세스를 제한하는 데 사용됩니다", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": "d2b1ce63-2055-4b29-aade-4aad1e8c39ec", + "id": "B07.02", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip", + "severity": "높다", + "subcategory": "애플리케이션 게이트웨이", + "text": "AppGW 모든 외부 연결 웹 서비스는 WAF를 사용하도록 설정된 Application Gateway 뒤에 있습니다. 
", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": "94666731-3c00-4567-9c1e-945b459c373e", + "id": "B07.03", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip", + "severity": "높다", + "subcategory": "애플리케이션 게이트웨이", + "text": "AppGW 모든 내부 연결 웹 서비스는 WAF를 사용하도록 설정된 Application Gateway 뒤에 있습니다. ", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": "7ed71623-b375-4a91-9ecb-e48fbe64dd7d", + "id": "B07.04", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", + "severity": "높다", + "subcategory": "애플리케이션 게이트웨이", + "text": "AppGW - 외부 연결에서 TLS/SSL을 사용하도록 설정하고 모든 트래픽을 443(포트 80 트래픽 없음)으로 리디렉션합니다.", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": "f2e8bbbc-4681-455a-ac91-64e9909aed8c", + "id": "B08.01", + "link": "https://learn.microsoft.com/azure/frontdoor/", + "severity": "높다", + "subcategory": "프론트도어", + "text": "Front Door RBAC는 네트워크 보안 팀에 대한 액세스를 제한하는 데 사용됩니다", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": "44cf3b2b-3818-4baf-a2cf-2149d013a923", + "id": "B08.02", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/front-door-security-baseline?toc=/azure/frontdoor/TOC.json", + "severity": "높다", + "subcategory": "프론트도어", + "text": "Front Door는 WAF 정책과 연결되어 있습니다.", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": "ce574dcc-bd8a-4c2a-aebc-a2a44da1dbf3", + "id": "B08.03", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-custom-domain-https", + "severity": "높다", + "subcategory": "프론트도어", + "text": "Front Door TLS/SSL 정책이 구성됨", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": "dd992481-718d-41dc-a1f6-25659ee5580a", + "id": "B08.04", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-url-redirect", + "severity": "높다", + "subcategory": "프론트도어", + "text": "Front Door 리디렉션 포트 80에서 포트 443으로 구성됨(수신기)", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": 
"38249c93-1213-4dbd-9fb0-12f70943f630", + "id": "B08.05", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-diagnostics", + "severity": "높다", + "subcategory": "프론트도어", + "text": "Front Door 진단 로그는 ApplicationGatewayAccessLog 및 ApplicationGateway FirewallLog를 Sentinel LAW로 보냅니다.", + "waf": "안전" + }, + { + "category": "Azure 네트워킹", + "guid": "4722ea39-d2b1-4ce6-9205-5b29bade4aad", + "id": "B09.01", + "link": "https://learn.microsoft.com/azure/security/fundamentals/ddos-best-practices", + "severity": "높다", + "subcategory": "디도스 방어", + "text": "방화벽 공용 IP(모든 공용 IP)에 사용", + "waf": "안전" + }, + { + "category": "신원", + "guid": "346ad56f-bdb8-44db-8bcd-0a689af63f1e", + "id": "C01.01", + "link": "https://learn.microsoft.com/security/compass/identity#a-single-enterprise-directory", + "severity": "높다", + "subcategory": "테 넌 트", + "text": "정규직 직원 및 Enterprise 자원의 ID를 관리하기 위한 단일 엔터프라이즈 디렉터리를 설정합니다.", + "waf": "안전" + }, + { + "category": "신원", + "guid": "a46108cd-6a76-4749-ae69-b7bf61410010", + "id": "C01.02", + "link": "https://learn.microsoft.com/security/compass/identity#synchronized-identity-systems", + "severity": "높다", + "subcategory": "테 넌 트", + "text": "클라우드 ID를 기존 ID 시스템과 동기화합니다.", + "waf": "안전" + }, + { + "category": "신원", + "guid": "a1ab96ceb-c149-4ce2-bcad-3bd375ebfc7f", + "id": "C01.03", + "link": "https://learn.microsoft.com/security/compass/identity#cloud-provider-identity-source-for-third-parties", + "severity": "높다", + "subcategory": "테 넌 트", + "text": "Cloud ID 서비스를 사용하여 공급업체, 파트너, 고객과 같은 직원이 아닌 계정을 온프레미스 디렉터리에 포함하지 않고 호스팅합니다.", + "waf": "안전" + }, + { + "category": "신원", + "guid": "343473ec-ed5c-49e1-98f4-cb09524a23cd", + "id": "C01.04", + "link": "https://learn.microsoft.com/security/compass/identity#block-legacy-authentication", + "severity": "높다", + "subcategory": "테 넌 트", + "text": "인터넷 연결 서비스에 대해 안전하지 않은 레거시 프로토콜을 사용하지 않도록 설정합니다.", + "waf": "안전" + }, + { + "category": "신원", + "guid": "70dceb23-50c7-4d8d-bf53-8cc104c7dc44", + "id": "C01.05", + 
"link": "https://learn.microsoft.com/azure/security/fundamentals/identity-management-best-practices#enable-single-sign-on", + "severity": "높다", + "subcategory": "테 넌 트", + "text": "Single Sign-On 사용", + "waf": "안전" + }, + { + "category": "신원", + "guid": "87791be1-1eb0-48ed-8003-ad9bcf241b99", + "id": "C02.01", + "link": "https://learn.microsoft.com/security/compass/identity#no-on-premises-admin-accounts-in-cloud-identity-providers", + "severity": "높다", + "subcategory": "권한 있는 관리", + "text": "엔터프라이즈 ID 시스템을 클라우드 디렉터리와 동기화할 때 온-프레미스 리소스에 대한 가장 높은 권한의 액세스 권한이 있는 계정을 동기화하지 마세요.", + "waf": "안전" + }, + { + "category": "신원", + "guid": "9e6efe9d-f28f-463b-9bff-b5080173e9fe", + "id": "C02.02", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#5-limit-the-number-of-global-administrators-to-less-than-5", + "severity": "높다", + "subcategory": "권한 있는 관리", + "text": "전역 관리자 수를 5명 미만으로 제한", + "waf": "안전" + }, + { + "category": "신원", + "guid": "e0d968d3-87f6-41fb-a4f9-d852f1673f4c", + "id": "C02.03", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#6-use-groups-for-azure-ad-role-assignments-and-delegate-the-role-assignment", + "severity": "높다", + "subcategory": "권한 있는 관리", + "text": "Azure AD 역할 할당에 그룹을 사용하고 역할 할당을 위임합니다", + "waf": "안전" + }, + { + "category": "신원", + "guid": "00350863-4df6-4050-9cf1-cbaa6d58283e", + "id": "C02.04", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#managed-accounts-for-admins", + "severity": "높다", + "subcategory": "권한 있는 관리", + "text": "모든 중요한 영향 관리자가 조직 정책 적용을 따르도록 엔터프라이즈 디렉터리에서 관리되는지 확인합니다.", + "waf": "안전" + }, + { + "category": "신원", + "guid": "eae64d01-0d3a-4ae1-a89d-cc1c2ad3888f", + "id": "C02.05", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#4-configure-recurring-access-reviews-to-revoke-unneeded-permissions-over-time", + "severity": "높다", + "subcategory": "권한 있는 관리", + "text": "시간이 지남에 따라 불필요한 권한을 
취소하도록 반복 액세스 검토 구성", + "waf": "안전" + }, + { + "category": "신원", + "guid": "922ac19f-916d-4697-b8ea-ded26bdd186f", + "id": "C02.06", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#admin-workstation-security", + "severity": "보통", + "subcategory": "권한 있는 관리", + "text": "중요한 영향 관리자가 강화된 보안 보호 및 모니터링 기능을 갖춘 워크스테이션을 사용하도록 보장", + "waf": "안전" + }, + { + "category": "신원", + "guid": "1e8c39ec-9466-4673-83c0-05674c1e945b", + "id": "C03.01", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/compare-with-b2c", + "severity": "높다", + "subcategory": "외부 ID", + "text": "ID 공급자: 외부 ID 공급자가 알려져 있는지 확인합니다.", + "waf": "안전" + }, + { + "category": "신원", + "guid": "459c373e-7ed7-4162-9b37-5a917ecbe48f", + "id": "C03.02", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations", + "severity": "높다", + "subcategory": "외부 ID", + "text": "외부 공동 작업 설정: 게스트 사용자 액세스가 '게스트 사용자 액세스가 제한됨'으로 설정되었습니다.", + "waf": "안전" + }, + { + "category": "신원", + "guid": "be64dd7d-f2e8-4bbb-a468-155abc9164e9", + "id": "C03.03", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations", + "severity": "높다", + "subcategory": "외부 ID", + "text": "외부 협업 설정: 게스트 초대 설정을 '특정 관리자 역할에 할당된 사용자만'으로 설정", + "waf": "안전" + }, + { + "category": "신원", + "guid": "909aed8c-44cf-43b2-a381-8bafa2cf2149", + "id": "C03.04", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations", + "severity": "높다", + "subcategory": "외부 ID", + "text": "외부 공동 작업 설정: '사용 안 함'으로 설정된 흐름을 통해 게스트 셀프 서비스 등록 사용 ", + "waf": "안전" + }, + { + "category": "신원", + "guid": "d013a923-ce57-44dc-abd8-ac2aaebca2a4", + "id": "C03.05", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations", + "severity": "높다", + "subcategory": "외부 ID", + "text": "외부 협업 설정: '특정 도메인 초대 허용'으로 설정된 협업 제한", + "waf": "안전" + }, + { + 
"category": "신원", + "guid": "4da1dbf3-dd99-4248-8718-d1dca1f62565", + "id": "C03.06", + "link": "https://learn.microsoft.com/azure/active-directory/governance/deploy-access-reviews", + "severity": "보통", + "subcategory": "외부 ID", + "text": "검토 액세스: 모든 그룹에 대해 사용", + "waf": "안전" + }, + { + "category": "신원", + "guid": "9ee5580a-3824-49c9-9121-3dbd7fb012f7", + "id": "C04.01", + "link": "https://learn.microsoft.com/azure/active-directory/manage-apps/configure-user-consent", + "severity": "보통", + "subcategory": "기업용 응용 프로그램", + "text": "동의 및 권한: 확인된 게시자의 앱에 대한 사용자 동의 허용", + "waf": "안전" + }, + { + "category": "신원", + "guid": "0943f630-4722-4ea3-ad2b-1ce632055b29", + "id": "C04.02", + "link": "https://learn.microsoft.com/azure/active-directory/manage-apps/configure-user-consent-groups", + "severity": "보통", + "subcategory": "기업용 응용 프로그램", + "text": "동의 및 권한: 선택한 그룹 소유자에 대한 그룹 소유자 동의 허용 ", + "waf": "안전" + }, + { + "category": "신원", + "guid": "bade4aad-1e8c-439e-a946-667313c00567", + "id": "C05.01", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy-configure-custom-domain", + "severity": "높다", + "subcategory": "사용자 지정 도메인", + "text": "검증된 고객 도메인만 등록됩니다.", + "waf": "안전" + }, + { + "category": "신원", + "guid": "4c1e945b-459c-4373-b7ed-71623b375a91", + "id": "C06.01", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-sspr", + "severity": "높다", + "subcategory": "비밀번호 재설정", + "text": "셀프 서비스 암호 재설정 정책 요구 사항을 준수하는 것으로 확인되었습니다.", + "waf": "안전" + }, + { + "category": "신원", + "guid": "7ecbe48f-be64-4dd7-bf2e-8bbbc468155a", + "id": "C06.02", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/howto-sspr-deployment", + "severity": "보통", + "subcategory": "비밀번호 재설정", + "text": "사용자에게 인증 정보가 0으로 설정되지 않았는지 다시 확인하도록 요청하기 전의 일 수 설정", + "waf": "안전" + }, + { + "category": "신원", + "guid": "bc9164e9-909a-4ed8-a44c-f3b2b3818baf", + "id": "C06.03", + "link": 
"https://learn.microsoft.com/azure/active-directory/authentication/howto-sspr-deployment", + "severity": "높다", + "subcategory": "비밀번호 재설정", + "text": "비밀번호 재설정에 필요한 방법 수 설정이 선택되었습니다.", + "waf": "안전" + }, + { + "category": "신원", + "guid": "a2cf2149-d013-4a92-9ce5-74dccbd8ac2a", + "id": "C07.01", + "link": "https://learn.microsoft.com/azure/active-directory/roles/delegate-app-roles", + "severity": "높다", + "subcategory": "사용자 설정", + "text": "'사용자가 응용 프로그램을 등록할 수 있음' 비활성화", + "waf": "안전" + }, + { + "category": "신원", + "guid": "aebca2a4-4da1-4dbf-9dd9-92481718d1dc", + "id": "C07.02", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/users-default-permissions", + "severity": "높다", + "subcategory": "사용자 설정", + "text": "관리 포털(portal.azure.com)에 대한 접근을 관리자로만 제한", + "waf": "안전" + }, + { + "category": "신원", + "guid": "a1f62565-9ee5-4580-a382-49c931213dbd", + "id": "C07.03", + "link": "https://learn.microsoft.com/azure/active-directory/enterprise-users/linkedin-integration", + "severity": "높다", + "subcategory": "사용자 설정", + "text": "'LinkedIn 계정 연결' 비활성화", + "waf": "안전" + }, + { + "category": "신원", + "guid": "7fb012f7-0943-4f63-8472-2ea39d2b1ce6", + "id": "C08.01", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-monitoring", + "severity": "높다", + "subcategory": "진단 설정", + "text": "Sentinel을 사용하여 사용하도록 설정하고 Log Analytics 작업 영역으로 보내기", + "waf": "안전" + }, + { + "category": "신원", + "guid": "21e44a19-a9dd-4399-afd7-b28dc8355562", + "id": "C09.01", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-deployment-plan", + "severity": "높다", + "subcategory": "PIM 사용", + "text": "Privileged Identity Management 사용", + "waf": "안전" + }, + { + "category": "신원", + "guid": "46f4389a-7f42-4c78-b78c-06a63a21a495", + "id": "C09.02", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-usage?tabs=jit-config-asc%2Cjit-request-asc", + "severity": "높다", + 
"subcategory": "PIM 사용", + "text": "JIT('Just-In-Time') 액세스를 구현하여 권한 있는 계정에 대한 노출 시간을 더욱 줄입니다(스탠딩 액세스 감소).", + "waf": "안전" + }, + { + "category": "신원", + "guid": "6e6a8dc4-a20e-427b-9e29-711b1352beee", + "id": "C10.01", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policy-common", + "severity": "높다", + "subcategory": "조건부 액세스 정책", + "text": "조건부 액세스 정책 구성/액세스 제어", + "waf": "안전" + }, + { + "category": "신원", + "guid": "079b588d-efc4-4972-ac3c-d21bf77036e5", + "id": "C10.02", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/location-condition", + "severity": "보통", + "subcategory": "조건부 액세스 정책", + "text": "정황: 제한된 장소", + "waf": "안전" + }, + { + "category": "신원", + "guid": "e6b4bed3-d5f3-4547-a134-7dc56028a71f", + "id": "C10.03", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa", + "severity": "높다", + "subcategory": "조건부 액세스 정책", + "text": "액세스 제어: 모든 사용자에 대해 MFA 사용", + "waf": "안전" + }, + { + "category": "신원", + "guid": "fe1bd15d-d2f0-4d5e-972d-41e3611cc57b", + "id": "C10.04", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa", + "severity": "보통", + "subcategory": "조건부 액세스 정책", + "text": "액세스 제어: 관리자용 MFA 필요", + "waf": "안전" + }, + { + "category": "신원", + "guid": "4a4b1410-d439-4589-ac22-89b3d6b57cfc", + "id": "C10.05", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-azure-management", + "severity": "높다", + "subcategory": "조건부 액세스 정책", + "text": "액세스 제어: Azure Management에 MFA 필요 ", + "waf": "안전" + }, + { + "category": "신원", + "guid": "645461e1-a3e3-4453-a3c8-639637a552d6", + "id": "C10.06", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy", + "severity": "높다", + "subcategory": "조건부 액세스 정책", + "text": "액세스 제어: 레거시 
프로토콜 차단", + "waf": "안전" + }, + { + "category": "신원", + "guid": "7ae9eab4-0fd3-4290-998b-c178bdc5a06c", + "id": "C10.07", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/require-managed-devices", + "severity": "높다", + "subcategory": "조건부 액세스 정책", + "text": "액세스 제어: 장치를 규격으로 표시해야 합니다.", + "waf": "안전" + }, + { + "category": "신원", + "description": "고객 문서화 정책", + "guid": "a7144351-e19d-4d34-929e-b7228137a151", + "id": "C11.01", + "link": "https://devblogs.microsoft.com/premier-developer/azure-active-directory-automating-guest-user-management/", + "severity": "보통", + "subcategory": "게스트 사용자", + "text": "게스트 사용자 계정(예: 사용/삭제/사용 안 함)을 추적하는 정책이 있나요?", + "waf": "안전" + }, + { + "category": "신원", + "guid": "c5bb4e4f-1814-4287-b5ca-8c26c9b32ab5", + "id": "C12.01", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/identity-secure-score", + "severity": "높다", + "subcategory": "ID 보안 점수", + "text": "업계의 모범 사례에 따라 ID 보안 점수 구현", + "waf": "안전" + }, + { + "category": "신원", + "guid": "bcfc6998-a135-4e33-9897-e31c67d68cb6", + "id": "C13.01", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + "severity": "보통", + "subcategory": "Break Glass 계정", + "text": "두 개 이상의 비상 계정이 생성되었으며 해당 사용에 대한 정책이 존재합니다", + "waf": "안전" + }, + { + "category": "VM 보안 검사", + "guid": "0ac252b9-99a6-48af-a7c9-a8f821b8eb8c", + "id": "D01.01", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "severity": "높다", + "subcategory": "출입 통제", + "text": "Azure Policy를 활용하여 VM 액세스 제어", + "waf": "안전" + }, + { + "category": "VM 보안 검사", + "guid": "0aa77e26-e4d5-4aea-a8dc-4e2436bc336d", + "id": "D01.02", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/templates/syntax", + "severity": "보통", + "subcategory": "출입 통제", + "text": "템플릿을 활용하여 VM 설정 및 배포의 가변성 줄이기Reduce variability in your setup and deployment of VM by levering templates", + "waf": "안전" + }, + { + "category": "VM 보안 검사", + 
"guid": "b5945bda-4333-44fd-b91c-234182b65275", + "id": "D01.03", + "link": "https://learn.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models", + "severity": "보통", + "subcategory": "출입 통제", + "text": "거버넌스를 통해 리소스에 액세스할 수 있는 사용자를 줄여 VMS를 배포하기 위한 권한 있는 액세스 보호Secure privileged access to deploy VMS by reducing who have access to Resources through Governance", + "waf": "안전" + }, + { + "category": "VM 보안 검사", + "guid": "269440b4-be3d-43e0-a432-76d4bdc015bc", + "id": "D02.01", + "link": "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service", + "severity": "보통", + "subcategory": "고가용성 ", + "text": "가용성 향상을 위해 워크로드에 여러 VM 사용 ", + "waf": "신뢰도" + }, + { + "category": "VM 보안 검사", + "guid": "f219e4a1-eb58-4879-935d-227886d30b66", + "id": "D02.02", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-first-look-arm", + "severity": "보통", + "subcategory": "고가용성 ", + "text": "재해 복구 솔루션 배포 및 테스트Deploy and test a disaster recovery solution ", + "waf": "신뢰도" + }, + { + "category": "VM 보안 검사", + "guid": "c57be595-1900-4838-95c5-86cb291ec16a", + "id": "D02.03", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "severity": "보통", + "subcategory": "고가용성 ", + "text": "가용성 집합", + "waf": "신뢰도" + }, + { + "category": "VM 보안 검사", + "guid": "1d076ef9-f141-4acd-ae57-9377bcdb3751", + "id": "D02.04", + "link": "https://learn.microsoft.com/azure/availability-zones/az-overview?context=/azure/virtual-machines/context/context", + "severity": "보통", + "subcategory": "고가용성 ", + "text": "가용 영역", + "waf": "신뢰도" + }, + { + "category": "VM 보안 검사", + "guid": "ab2ac1fa-d66e-415d-9d5a-2adb2c3e2326", + "id": "D02.05", + "link": "https://learn.microsoft.com/azure/architecture/resiliency/recovery-loss-azure-region", + "severity": "보통", + "subcategory": "고가용성 ", + "text": "지역별 내결함성 ", + "waf": "신뢰도" + }, + { + "category": "VM 보안 검사", + "guid": 
"af225ca4-4e16-496f-bdde-ace4cb1deb4c", + "id": "D03.01", + "link": "https://learn.microsoft.com/azure/security/fundamentals/antimalware", + "severity": "높다", + "subcategory": "멀웨어로부터 보호", + "text": "맬웨어 방지 솔루션 설치Install antimalware solutions", + "waf": "안전" + }, + { + "category": "VM 보안 검사", + "guid": "650c3fc1-4eeb-4b36-a382-9e3eec218368", + "id": "D03.02", + "link": "https://learn.microsoft.com/azure/security-center/security-center-partner-integration", + "severity": "높다", + "subcategory": "멀웨어로부터 보호", + "text": "맬웨어 방지 솔루션을 Security Center와 통합Integrate antimalware solution with Security Center", + "waf": "안전" + }, + { + "category": "VM 보안 검사", + "guid": "7a0177a2-b594-45bd-a433-34fdf91c2341", + "id": "D04.01", + "link": "https://learn.microsoft.com/azure/automation/update-management/overview", + "severity": "높다", + "subcategory": "VM 업데이트 관리", + "text": "Azure Automation에서 업데이트 관리를 사용하여 VM을 최신 상태로 유지", + "waf": "안전" + }, + { + "category": "VM 보안 검사", + "guid": "c6fa96b9-6ad8-4840-af37-2734c876ba28", + "id": "D04.02", + "link": "https://learn.microsoft.com/azure/virtual-machines/automatic-vm-guest-patching", + "severity": "보통", + "subcategory": "VM 업데이트 관리", + "text": "배포용 Windows 이미지에 최신 수준의 업데이트가 있는지 확인합니다. 
", + "waf": "안전" + }, + { + "category": "VM 보안 검사", + "guid": "02145901-465d-438e-9309-ccbd979266bc", + "id": "D04.03", + "link": "https://learn.microsoft.com/azure/security-center/asset-inventory", + "severity": "높다", + "subcategory": "VM 업데이트 관리", + "text": "클라우드용 Microsoft Defender를 사용하여 VM에 보안 업데이트를 신속하게 적용", + "waf": "안전" + }, + { + "category": "VM 보안 검사", + "guid": "ca274faa-19bf-439d-a5d4-4c7c8919ca1f", + "id": "D05.01", + "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview", + "severity": "높다", + "subcategory": "VHD 암호화", + "text": "VM에서 암호화 사용Enable encryption on your VMs", + "waf": "안전" + }, + { + "category": "VM 보안 검사", + "guid": "6d5315ae-524b-4a34-b458-5e12139bd7bb", + "id": "D05.02", + "link": "https://learn.microsoft.com/azure/virtual-machines/windows/disk-encryption-key-vault#set-up-a-key-encryption-key-kek", + "severity": "높다", + "subcategory": "VHD 암호화", + "text": "암호화를 위한 보안 계층 추가를 위한 KEK(키 암호화 키) 추가 ", + "waf": "안전" + }, + { + "category": "VM 보안 검사", + "guid": "012f7b95-e06e-4154-b2aa-3592828e6e20", + "id": "D05.03", + "link": "https://learn.microsoft.com/azure/virtual-machines/windows/snapshot-copy-managed-disk", + "severity": "보통", + "subcategory": "VHD 암호화", + "text": "롤백을 위해 암호화하기 전에 디스크의 스냅숏을 만듭니다", + "waf": "안전" + }, + { + "category": "VM 보안 검사", + "guid": "5173676a-e466-491e-a835-ad942223e138", + "id": "D06.01", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "severity": "높다", + "subcategory": "직접 인터넷 연결 제한 ", + "text": "중앙 네트워킹 그룹에만 네트워킹 리소스에 대한 권한이 있는지 확인합니다. 
", + "waf": "안전" + }, + { + "category": "VM 보안 검사", + "guid": "10523081-a941-4741-9833-ff7ad7c6d373", + "id": "D06.02", + "link": "https://learn.microsoft.com/azure/security-center/security-center-partner-integration", + "severity": "높다", + "subcategory": "직접 인터넷 연결 제한 ", + "text": "'ANY' 원본 IP 주소에서 액세스할 수 있는 노출된 VM을 식별하고 업데이트를 적용합니다", + "waf": "안전" + }, + { + "category": "VM 보안 검사", + "guid": "75a91be1-f388-4f03-a4d2-cd463cbbbc86", + "id": "D06.03", + "link": "https://learn.microsoft.com/azure/security-center/security-center-just-in-time", + "severity": "높다", + "subcategory": "직접 인터넷 연결 제한 ", + "text": "Just-in-Time Access를 사용하여 관리 포트(RDP, SSH) 제한Restrict management ports (RDP, SSH) using Just-in-Time Access", + "waf": "안전" + }, + { + "category": "VM 보안 검사", + "guid": "8295abc9-1a4e-4da0-bae2-cc84c47b6b78", + "id": "D06.04", + "link": "http://learn.microsoft.com/answers/questions/171195/how-to-create-jump-server-in-azure-not-bastion-paa.html", + "severity": "높다", + "subcategory": "직접 인터넷 연결 제한 ", + "text": "인터넷 액세스 제거 및 RDP용 점프 서버 구현", + "waf": "안전" + }, + { + "category": "VM 보안 검사", + "guid": "1cbafe6c-4658-49d4-98a9-27c3974d1102", + "id": "D06.05", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-forced-tunneling", + "severity": "높다", + "subcategory": "직접 인터넷 연결 제한 ", + "text": "인터넷에서 RDP/SSH를 사용하여 서버에 직접 로그인하는 것을 제거하고 VPN 또는 Express 경로를 구현합니다.", + "waf": "안전" + }, + { + "category": "VM 보안 검사", + "guid": "dad6aae1-1e6b-484e-b5df-47d2d92881b1", + "id": "D06.06", + "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", + "severity": "높다", + "subcategory": "직접 인터넷 연결 제한 ", + "text": "Azure Bastion을 RDP/SSH 브로커로 활용하여 보안을 강화하고 공간을 줄입니다.", + "waf": "안전" + }, + { + "category": "센 티 넬", + "guid": "cd5d1e54-a297-459e-9968-0e78289c9356", + "id": "E01.01", + "link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard", + "severity": "높다", + "subcategory": "건축학 ", + "text": "모든 테넌트에는 하나 이상의 Log Analytics 작업 영역에서 Sentinel이 
사용하도록 설정되어 있습니다.", + "waf": "안전" + }, + { + "category": "센 티 넬", + "guid": "57d02bff-4564-4b0d-a34a-359836ee79d6", + "id": "E01.02", + "link": "https://learn.microsoft.com/azure/sentinel/best-practices-workspace-architecture", + "severity": "높다", + "subcategory": "건축학 ", + "text": "Sentinel 아키텍처를 이해하는 고객", + "waf": "안전" + }, + { + "category": "센 티 넬", + "guid": "e8f5c586-c7d9-4cdc-86ac-c075ef9b141a", + "id": "E01.03", + "link": "https://learn.microsoft.com/azure/sentinel/multiple-workspace-view", + "severity": "보통", + "subcategory": "건축학 ", + "text": "고객은 여러 Sentinel 인스턴스에서 인시던트를 모니터링하는 방법을 알고 있습니다.", + "waf": "안전" + }, + { + "category": "센 티 넬", + "guid": "8989579e-76b8-497e-910a-7da7be9966e1", + "id": "E02.01", + "link": "https://learn.microsoft.com/azure/sentinel/manage-soc-with-incident-metrics", + "severity": "보통", + "subcategory": "개요", + "text": "24시간 이상 운영되는 인시던트 없음", + "waf": "안전" + }, + { + "category": "센 티 넬", + "guid": "5d3c4ada-97cb-43d1-925a-b225c6f4e068", + "id": "E03.01", + "link": "https://learn.microsoft.com/azure/sentinel/whats-new", + "severity": "낮다", + "subcategory": "뉴스 & 가이드", + "text": "고객에게 News & Guides 탭이 표시되었습니다.", + "waf": "안전" + }, + { + "category": "센 티 넬", + "guid": "5edddea8-a4b7-4cde-a4c6-1fc3fc14eea6", + "id": "E04.01", + "link": "https://learn.microsoft.com/azure/sentinel/enable-entity-behavior-analytics", + "severity": "보통", + "subcategory": "UEBA (우에바) ", + "text": "UEBA 구성됨(Sentinel/설정/설정/UEBA 구성)", + "waf": "안전" + }, + { + "category": "센 티 넬", + "guid": "e69d8d9a-3eec-4218-b687-ab077adb49e5", + "id": "E05.01", + "link": "https://learn.microsoft.com/azure/sentinel/connect-azure-active-directory", + "severity": "높다", + "subcategory": "데이터 커넥터", + "text": "구성된 Azure Active Directory 및 '마지막으로 받은 로그'가 오늘 표시됨", + "waf": "안전" + }, + { + "category": "센 티 넬", + "guid": "b9603334-fdf8-4cc2-9318-db61171269f4", + "id": "E05.02", + "link": 
"https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-active-directory-identity-protection", + "severity": "높다", + "subcategory": "데이터 커넥터", + "text": "Azure Active Directory ID 보호가 구성되고 '마지막으로 받은 로그'가 오늘 표시됩니다.", + "waf": "안전" + }, + { + "category": "센 티 넬", + "guid": "0b4aa3d3-e070-4327-9d4b-98b15b8a219a", + "id": "E05.03", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-activity", + "severity": "높다", + "subcategory": "데이터 커넥터", + "text": "Azure 활동이 구성되고 구성되었으며 '마지막으로 받은 로그'가 오늘 표시됩니다.", + "waf": "안전" + }, + { + "category": "센 티 넬", + "guid": "8e13f9cc-bd46-4826-9abc-a264f9a19bfe", + "id": "E05.04", + "link": "https://learn.microsoft.com/azure/sentinel/connect-defender-for-cloud", + "severity": "높다", + "subcategory": "데이터 커넥터", + "text": "클라우드용 Microsoft Defender가 구성되고 '마지막으로 받은 로그'가 오늘 표시됩니다.", + "waf": "안전" + }, + { + "category": "센 티 넬", + "guid": "9d55d04c-3c49-419c-a1b2-d1215ae114b9", + "id": "E05.05", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-firewall", + "severity": "높다", + "subcategory": "데이터 커넥터", + "text": "Azure Firewall이 구성되고 '마지막으로 받은 로그'가 오늘 표시됩니다.", + "waf": "안전" + }, + { + "category": "센 티 넬", + "guid": "34df585e-cccd-49bd-9ba0-cdb3b54eb2eb", + "id": "E05.06", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#windows-firewall", + "severity": "높다", + "subcategory": "데이터 커넥터", + "text": "Windows 방화벽이 구성되고 '마지막으로 받은 로그'가 오늘 표시됩니다.", + "waf": "안전" + }, + { + "category": "센 티 넬", + "guid": "03ddaa25-9271-48d2-bdb1-0725769ef669", + "id": "E05.07", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#windows-security-events-via-ama", + "severity": "높다", + "subcategory": "데이터 커넥터", + "text": "보안 이벤트는 AMA로 구성되며 '마지막 로그 수신'은 오늘 표시됩니다.", + "waf": "안전" + }, + { + "category": "센 티 넬", + "guid": "1a4834ac-9322-423e-ae80-b123081a5417", + "id": "E05.08", + "link": 
"https://learn.microsoft.com/azure/sentinel/data-connectors-reference", + "severity": "높다", + "subcategory": "데이터 커넥터", + "text": "보안 이벤트 - Azure 컴퓨터가 연결되어 있고 작업 영역으로 데이터를 보내고 있는지 확인합니다.", + "waf": "안전" + }, + { + "category": "센 티 넬", + "guid": "859c773e-7e26-4162-9b77-5a917e1f348e", + "id": "E05.09", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference", + "severity": "높다", + "subcategory": "데이터 커넥터", + "text": "보안 이벤트 - 비 Azure 컴퓨터가 연결되어 있고 작업 영역으로 데이터를 보내고 있는지 확인합니다.", + "waf": "안전" + }, + { + "category": "센 티 넬", + "guid": "f354c27d-42e8-4bba-a868-155abb9163e9", + "id": "E05.10", + "link": "https://learn.microsoft.com/azure/sentinel/connect-aws?tabs=s3", + "severity": "높다", + "subcategory": "데이터 커넥터", + "text": "AWS용 커넥터", + "waf": "안전" + }, + { + "category": "센 티 넬", + "guid": "909ae28c-84c3-43b6-a780-8bafe6c42149", + "id": "E05.11", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference", + "severity": "높다", + "subcategory": "데이터 커넥터", + "text": "GCP용 커넥터", + "waf": "안전" + }, + { + "category": "센 티 넬", + "guid": "d413a923-c357-44d1-8028-ac6aae01e6a8", + "id": "E06.01", + "link": "https://learn.microsoft.com/azure/sentinel/detect-threats-built-in", + "severity": "높다", + "subcategory": "분석 규칙", + "text": "고객이 Analytics 규칙을 사용하도록 설정하고 인시던트를 구성했습니다. 
", + "waf": "안전" + }, + { + "category": "센 티 넬", + "guid": "4de5df43-d299-4248-8718-d5d1e5f62565", + "id": "E07.01", + "link": "https://azure.microsoft.com/updates/controlling-data-volume-and-retention-in-log-analytics-2/", + "severity": "보통", + "subcategory": "설정", + "text": "고객이 일일 한도를 사용하도록 설정하지 않았습니다.", + "waf": "안전" + }, + { + "category": "Azure 방화벽", + "guid": "9e3558fd-7724-49c9-9111-2d027fe412f7", + "id": "F01.01", + "link": "https://learn.microsoft.com/azure/firewall/premium-features", + "severity": "높다", + "subcategory": "구성", + "text": "Azure Firewall 프리미엄이 배포됨", + "waf": "안전" + }, + { + "category": "Azure 방화벽", + "guid": "4dc74a74-8b66-433a-b2a0-916a764980ad", + "id": "F01.02", + "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal#create-a-default-route", + "severity": "높다", + "subcategory": "구성", + "text": "Azure Firewall을 통해 사용하도록 설정된 쿼드 0/강제 튜닝", + "waf": "안전" + }, + { + "category": "Azure 방화벽", + "guid": "0e278ee2-93c1-4bc3-92ba-aab7571849ab", + "id": "F02.01", + "link": "https://techcommunity.microsoft.com/t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598", + "severity": "보통", + "subcategory": "출입 통제", + "text": "권한 있는 사용자만 사용하도록 설정된 RBAC", + "waf": "안전" + }, + { + "category": "Azure 방화벽", + "guid": "8093dc9f-c9d1-4bb7-9b36-a5a67fbb9ed5", + "id": "F03.01", + "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", + "severity": "보통", + "subcategory": "진단 설정", + "text": "진단 사용 및 Log Analytics 작업 영역으로 메트릭 보내기 ", + "waf": "안전" + }, + { + "category": "Azure 방화벽", + "guid": "b35478c3-4798-416b-8863-cffe1cac599e", + "id": "F04.01", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "severity": "높다", + "subcategory": "방화벽 관리자", + "text": "허브 및 가상 네트워크는 Firewall 프리미엄을 통해 보호되거나 연결됩니다.", + "waf": "안전" + }, + { + "category": "Azure 방화벽", + "guid": "f0d5a73d-d4de-436c-8c81-770afbc4c0e4", + "id": "F04.02", + "link": 
"https://techcommunity.microsoft.com/t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598", + "severity": "높다", + "subcategory": "방화벽 관리자", + "text": "정책: 액세스 제어가 구성됨(RBAC)", + "waf": "안전" + }, + { + "category": "Azure 방화벽", + "guid": "5c3a87af-4a79-41f8-a39b-da47768e14c1", + "id": "F04.03", + "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", + "severity": "높다", + "subcategory": "방화벽 관리자", + "text": "정책: 상위 정책이 구성되었습니다. ", + "waf": "안전" + }, + { + "category": "Azure 방화벽", + "guid": "15675c1e-a55b-446a-a48f-f8ae7d7e4b47", + "id": "F04.04", + "link": "https://learn.microsoft.com/azure/firewall/rule-processing", + "severity": "높다", + "subcategory": "방화벽 관리자", + "text": "정책: 규칙 컬렉션이 정의됩니다.", + "waf": "안전" + }, + { + "category": "Azure 방화벽", + "guid": "5b6c8bcb-f59b-4ce6-9de8-a03f97879468", + "id": "F04.05", + "link": "https://learn.microsoft.com/azure/firewall/rule-processing", + "severity": "높다", + "subcategory": "방화벽 관리자", + "text": "정책: DNAT 정책이 정의됩니다.", + "waf": "안전" + }, + { + "category": "Azure 방화벽", + "guid": "d66a786d-60e9-46c9-9ad8-855d04c2b39c", + "id": "F04.06", + "link": "https://learn.microsoft.com/azure/firewall/rule-processing", + "severity": "높다", + "subcategory": "방화벽 관리자", + "text": "정책: 네트워크 규칙이 정의됩니다.", + "waf": "안전" + }, + { + "category": "Azure 방화벽", + "guid": "986bb2c1-2149-4a11-9b5e-3df574ecccd9", + "id": "F04.07", + "link": "https://learn.microsoft.com/azure/firewall/features", + "severity": "높다", + "subcategory": "방화벽 관리자", + "text": "정책: 응용 프로그램 규칙이 정의됩니다.", + "waf": "안전" + }, + { + "category": "Azure 방화벽", + "guid": "793a6bcd-a3b5-40eb-8eb0-3dd95d58d7c8", + "id": "F04.08", + "link": "https://learn.microsoft.com/azure/firewall/dns-details", + "severity": "보통", + "subcategory": "방화벽 관리자", + "text": "DNS: 기능 이해 및 적용 또는 적용되지 않음", + "waf": "안전" + }, + { + "category": "Azure 방화벽", + "guid": "d622f54b-29ba-4de3-aad1-e8c28ec93666", + "id": "F04.09", + "link": 
"https://learn.microsoft.com/azure/firewall-manager/threat-intelligence-settings", + "severity": "높다", + "subcategory": "방화벽 관리자", + "text": "위협 인텔리전스: 경고 및 거부로 설정", + "waf": "안전" + }, + { + "category": "Azure 방화벽", + "guid": "7313b005-674b-41e9-94a4-59c373e7ed61", + "id": "F04.10", + "link": "https://learn.microsoft.com/azure/firewall-manager/threat-intelligence-settings#allowlist-addresses", + "severity": "높다", + "subcategory": "방화벽 관리자", + "text": "위협 인텔리전스: 허용 목록(사용 중인 경우 정당화 - 예: 성능)", + "waf": "안전" + }, + { + "category": "Azure 방화벽", + "guid": "623b365a-917e-4cbe-98eb-d54cd7df2e8b", + "id": "F04.11", + "link": "https://learn.microsoft.com/azure/firewall/premium-certificates", + "severity": "높다", + "subcategory": "방화벽 관리자", + "text": "TLS 사용", + "waf": "안전" + }, + { + "category": "Azure 방화벽", + "guid": "bac35715-59ab-4915-9e99-08aed8c44ce3", + "id": "F04.12", + "link": "https://learn.microsoft.com/azure/firewall/rule-processing", + "severity": "높다", + "subcategory": "방화벽 관리자", + "text": "IDPS 사용", + "waf": "안전" + }, + { + "category": "Azure 방화벽", + "guid": "b2b3808b-9fa1-4cf1-849d-003a923ce474", + "id": "F04.13", + "link": "https://learn.microsoft.com/azure/firewall/snat-private-range", + "severity": "높다", + "subcategory": "방화벽 관리자", + "text": "SNAT: 구성됨 ", + "waf": "안전" + }, + { + "category": "Azure 방화벽", + "guid": "dbcbd8ac-2aae-4bca-8a43-da1dae2cc992", + "id": "F05.01", + "link": "https://learn.microsoft.com/azure/security/fundamentals/ddos-best-practices", + "severity": "보통", + "subcategory": "디도스 방어", + "text": "방화벽 공용 IP에 대해 사용", + "waf": "안전" + } + ], + "metadata": { + "name": "Azure Security Review Checklist", + "state": "Deprecated", + "timestamp": "June 24, 2024" + }, + "severities": [ + { + "name": "높다" + }, + { + "name": "보통" + }, + { + "name": "낮다" + } + ], + "status": [ + { + "description": "이 검사는 아직 검토되지 않았습니다", + "name": "확인되지 않음" + }, + { + "description": "이 검사와 연관된 작업 항목이 있습니다", + "name": "열다" + }, + { + "description": "이 검사는 확인되었으며 이와 관련된 추가 
작업 항목이 없습니다", + "name": "성취" + }, + { + "description": "권장 사항은 이해되었지만 현재 요구 사항에 필요하지 않음", + "name": "필요 없음" + }, + { + "description": "현재 설계에는 적용되지 않습니다.", + "name": "해당 없음" + } + ], + "waf": [ + { + "name": "신뢰도" + }, + { + "name": "안전" + }, + { + "name": "비용" + }, + { + "name": "작업" + }, + { + "name": "공연" + } + ], + "yesno": [ + { + "name": "예" + }, + { + "name": "아니요" + } + ] +} \ No newline at end of file diff --git a/checklists/security_checklist.pt.json b/checklists/security_checklist.pt.json index 1715471f5..422a6782d 100644 --- a/checklists/security_checklist.pt.json +++ b/checklists/security_checklist.pt.json 
@@ -1,1328 +1,1669 @@
 {
- "metadata": {
- "name": "Lista de verificação de revisão de segurança do Azure"
- },
- "items": [
- {
- "category": "Defender para nuvem",
- "subcategory": "Preços e Configurações",
- "text": "Centro de segurança/Defender habilita em todas as assinaturas",
- "guid": "54174158-33fb-43ae-9c2d-e743165c3acb",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started"
- },
- {
- "category": "Defender para nuvem",
- "subcategory": "Preços e Configurações",
- "text": "Centro de segurança/Defender ativado em todos os espaços de trabalho do Log Analytics",
- "guid": "349f0364-d28d-442e-abbb-c868255abc91",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/security-center/enable-azure-defender"
- },
- {
- "category": "Defender para nuvem",
- "subcategory": "Preços e Configurações",
- "text": "Coleta de dados definida como 'Comum'",
- "guid": "64e9a19a-e28c-484c-93b6-b7818ca0e6c4",
- "severity": "Média",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-feature#what-event-types-are-stored-for-common-and-minimal"
- },
- {
- "category": "Defender para nuvem",
- "subcategory": "Preços e Configurações",
- "text": "Os recursos de segurança aprimorados do Defender for Cloud estão todos habilitados",
- "guid": "2149d414-a923-4c35-94d1-1029bd6aaf11",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/security-center/enable-azure-defender"
- },
- {
- "category": "Defender para nuvem",
- "subcategory": "Preços e Configurações",
- "text": "Provisionamento automático habilitado de acordo com a política da empresa (a política deve existir)",
- "guid": "e6b84ee5-ef43-4d29-a248-1718d5d1f5f7",
- "severity": "Média",
- "link": "https://learn.microsoft.com/azure/security-center/security-center-enable-data-collection"
- },
- {
- "category": "Defender para nuvem",
- "subcategory": "Preços e Configurações",
- "text": "Notificações por e-mail habilitadas de acordo com a política da empresa (a política deve existir)",
- "guid": "25759e35-680e-4782-9ac9-32213d027ff4",
- "severity": "Baixo",
- "link": "https://learn.microsoft.com/azure/security-center/security-center-provide-security-contact-details"
- },
- {
- "category": "Defender para nuvem",
- "subcategory": "Preços e Configurações",
- "text": "Ativar as opções de integrações são selecionadas ",
- "guid": "12f70993-0631-4583-9ee7-9d6c6d363206",
- "severity": "Média",
- "link": "https://learn.microsoft.com/azure/security-center/security-center-wdatp?WT.mc_id=Portal-Microsoft_Azure_Security_CloudNativeCompute&tabs=windows"
- },
- {
- "category": "Defender para nuvem",
- "subcategory": "Preços e Configurações",
- "text": "A integração CI/CD está configurada",
- "guid": "5b7bae4-4th-45e8-a79e-2e86667313c5",
- "severity": "Média",
- "link": "https://learn.microsoft.com/azure/security-center/defender-for-container-registries-cicd"
- },
- {
- "category": "Defender para nuvem",
- "subcategory": "Preços e Configurações",
- "text": "O 'Event Hub' de exportação contínua é ativado se usar o SIEM de terceiros",
- "guid": "05675c5e-985b-4859-a774-f7e371623b87",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal"
- },
- {
- "category": "Defender para nuvem",
- "subcategory": "Preços e Configurações",
- "text": "O 'Log Analytics Workspace' de exportação contínua é ativado se não estiver usando o Azure Sentinel",
- "guid": "5a917e1f-349f-4036-9d28-d42e8bbbc868",
- "severity": "Média",
- "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal"
- },
- {
- "category": "Defender para nuvem",
- "subcategory": "Preços e Configurações",
- "text": "Conector de nuvem habilitado para AWS",
- "guid": "255abc91-64e9-4a19-ae28-c84c43b6b781",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/security-center/quickstart-onboard-aws?WT.mc_id=Portal-Microsoft_Azure_Security"
- },
- {
- "category": "Defender para nuvem",
- "subcategory": "Preços e Configurações",
- "text": "Conector de nuvem habilitado para GCP",
- "guid": "8ca0e6c4-2149-4d41-9a92-3c3574d11029",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/security-center/quickstart-onboard-gcp"
- },
- {
- "category": "Defender para nuvem",
- "subcategory": "Preços e Configurações",
- "text": "Se usar o proxy do aplicativo Azure AD, considere integrar-se ao Microsoft Defender for Cloud Apps para monitorar o acesso de aplicativos em tempo real e aplicar controles de segurança avançados.",
- "guid": "cce9bdf6-b483-45a0-85ec-c8232b230652",
- "severity": "Baixo",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy-integrate-with-microsoft-cloud-application-security"
- },
- {
- "category": "Defender para nuvem",
- "subcategory": "Recomendações",
- "text": "Todas as recomendações remediadas ou desativadas, se não forem necessárias.",
- "guid": "df9cc234-18db-4611-9126-5f4bb47a393a",
- "severity": "Média",
- "link": "https://learn.microsoft.com/azure/security-center/secure-score-security-controls"
- },
- {
- "category": "Defender para nuvem",
- "subcategory": "Recomendações",
- "text": "Pontuação de segurança>70%",
- "description": "A meta mínima da Microsoft para todos os clientes é de 70%",
- "guid": "08032729-4798-4b15-98a2-19a46ceb5443",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/secure-score-security-controls"
- },
- {
- "category": "Defender para nuvem",
- "subcategory": "Alertas de secuidade",
- "text": "Os alertas de segurança contêm apenas aqueles gerados nas últimas 24 horas (remediar ou desativar alertas de segurança mais antigos)",
- "guid": "50259226-4429-42bb-9285-37a55119bf8e",
- "severity": "Média",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/tutorial-security-incident"
- },
- {
- "category": "Defender para nuvem",
- "subcategory": "Pastas",
- "text": "Se a exportação contínua estiver ativada, as pastas de trabalho padrão são publicadas no painel de segurança personalizado",
- "guid": "8f585428-7d9c-4dc1-96cd-072af9b141a8",
- "severity": "Média",
- "link": "https://learn.microsoft.com/azure/security-center/custom-dashboards-azure-workbooks"
- },
- {
- "category": "Defender para nuvem",
- "subcategory": "Comunidade",
- "text": "O cliente está ciente do valor da página 'Comunidade' e tem uma cadência regular configurada para revisar",
- "guid": "98a535e7-3789-47e7-8ca7-da7be9962a15",
- "severity": "Média",
- "link": "https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/bd-p/MicrosoftDefenderCloud"
- },
- {
- "category": "Defender para nuvem",
- "subcategory": "Pontuação segura",
- "text": "Todas as assinaturas protegidas pelo Security Center são mostradas (sem conjunto de filtros de assinatura)",
- "description": "Práticas recomendadas operacionais do cliente - Transparência",
- "guid": "93846da9-7cc3-4923-856b-22586f4a1641",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/enable-enhanced-security"
- },
- {
- "category": "Defender para nuvem",
- "subcategory": "Conformidade regulatória",
- "text": "Os controles de conformidade são verdes para quaisquer requisitos de conformidade necessários",
- "guid": "bdddea8a-487c-4deb-9861-bc3bc14aea6e",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/security-center/security-center-compliance-dashboard"
- },
- {
- "category": "Defender para nuvem",
- "subcategory": "Azure Defender",
- "text": "Vulnerabilidades VM de alta gravidade são zero (vazias)",
- "description": "Práticas recomendadas operacionais do cliente - verificar",
- "guid": "65e8d9a3-aec2-418e-9436-b0736db55f57",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/remediate-vulnerability-findings-vm"
- },
- {
- "category": "Defender para nuvem",
- "subcategory": "Gerente de Firewall",
- "text": "Hubs são protegidos por um Firewall Azure",
- "guid": "960334b-df9c-4c23-918d-b61171265f4b",
- "severity": "Média",
- "link": "https://techcommunity.microsoft.com/t5/azure-network-security/azure-firewall-manager-is-now-integrated-with-azure-security/ba-p/2228679"
- },
- {
- "category": "Defender para nuvem",
- "subcategory": "Gerente de Firewall",
- "text": "Redes virtuais são protegidas por um Firewall",
- "description": "Práticas recomendadas operacionais do cliente - verificar",
- "guid": "b47a393a-0803-4272-a479-8b1578a219a4",
- "severity": "Média",
- "link": "https://learn.microsoft.com/azure/security/fundamentals/network-best-practices"
- },
- {
- "category": "Defender para nuvem",
- "subcategory": "Gerente de Firewall",
- "text": "Padrão DDoS ativado",
- "guid": "6ceb5443-5025-4922-9442-92bb628537a5",
- "severity": "Média",
- "link": "https://azure.microsoft.com/blog/how-azure-security-center-detects-ddos-attack-using-cyber-threat-intelligence/"
- },
- {
- "category": "Defender para nuvem",
- "subcategory": "Cobertura",
- "text": "Verifique se todas as assinaturas estão cobertas (veja preços e configurações para modificar)",
- "guid": "5119bf8e-8f58-4542-a7d9-cdc166cd072a",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started?WT.mc_id=Portal-Microsoft_Azure_Security"
- },
- {
- "category": "Rede Azure",
- "subcategory": "IPs públicos",
- "text": "VM's com IPs públicos devem ser protegidos pelo NSG ",
- "guid": "4df585ec-dce9-4793-a7bc-db3b51eb2eb2eb0",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses"
- },
- {
- "category": "Rede Azure",
- "subcategory": "IPs públicos",
- "text": "VMs com IPs públicos são movidos atrás do Azure Firewall Premium",
- "description": "Práticas recomendadas operacionais do cliente - verifique",
- "guid": "3dda6e59-d7c8-4a2e-bb11-7d6769af669c",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses"
- },
- {
- "category": "Rede Azure",
- "subcategory": "IPs públicos",
- "text": "VM's que não precisam de IPs públicos não têm IPs públicos (ou seja, somente RDP interno)",
- "description": "Práticas recomendadas operacionais do cliente - verifique",
- "guid": "a48e5a85-f222-43ec-b8bb-12308ca5017f",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access"
- },
- {
- "category": "Rede Azure",
- "subcategory": "NSG",
- "text": "O NSG RBAC é usado para restringir o acesso à equipe de segurança de rede",
- "guid": "158e3ea3-a93c-42de-9e31-65c3a87a04b7",
- "severity": "Média",
- "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview"
- },
- {
- "category": "Rede Azure",
- "subcategory": "NSG",
- "text": "As regras de segurança de entrada do NSG não contêm um * (curinga) no campo Fonte",
- "description": "Práticas recomendadas operacionais do cliente - verifique",
- "guid": "a209939b-da47-4778-b24c-116785c2fa55",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview"
- },
- {
- "category": "Rede Azure",
- "subcategory": "NSG",
- "text": "As regras de segurança de saída do NSG são usadas para controlar o tráfego de endereços IP específicos para tráfego não roteado através de um Firewall",
- "description": "Práticas recomendadas operacionais do cliente - verifique",
- "guid": "b56a9480-08be-47d7-b4c4-76b6d8bdcf59",
- "severity": "Média",
- "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview"
- },
- {
- "category": "Rede Azure",
- "subcategory": "NSG",
- "text": "O NSG não tem a Fonte como um curinga no lugar.",
- "description": "Práticas recomendadas operacionais do cliente - verifique",
- "guid": "bce65de8-a13f-4988-9946-8d66a786d60f",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview"
- },
- {
- "category": "Rede Azure",
- "subcategory": "NSG",
- "text": "Os diagnósticos NSG enviam o NetworkSecurityGroupEvent e o NetworkSecurityGroupRuleCounter para o Sentinel LAW",
- "guid": "a6c97be9-955d-404c-9c49-c986cb2d1215",
- "severity": "Média",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-nsg-manage-log"
- },
- {
- "category": "Rede Azure",
- "subcategory": "UDR",
- "text": "UDR RBAC é usado para restringir o acesso à equipe de segurança da rede",
- "guid": "aa124b6e-4df5-485e-adce-9793b7bcdb3b",
- "severity": "Média",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview"
- },
- {
- "category": "Rede Azure",
- "subcategory": "UDR",
- "text": "Se o Zero Trust, então os UDR's são usados para enviar todo o tráfego para o Azure Firewall Premium",
- "guid": "51eb2eb0-3dda-46e5-ad7c-8a2edb117d67",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview"
- },
- {
- "category": "Rede Azure",
- "subcategory": "UDR",
- "text": "Os UDR's que não enviam todo o tráfego para OzureFirewallPremium são conhecidos e documentados.",
- "description": "Práticas recomendadas operacionais do cliente - verifique",
- "guid": "69af669c-a48e-45a8-9f22-23ece8bb1230",
- "severity": "Média",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview"
- },
- {
- "category": "Rede Azure",
- "subcategory": "Redes Virtuais",
- "text": "O cliente está familiarizado com os padrões de rede do Azure / roteamento padrão SDN no Azure",
- "guid": "8ca5017f-158e-43ea-9a93-c2de7e3165c3",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview#default"
- },
- {
- "category": "Rede Azure",
- "subcategory": "Redes Virtuais",
- "text": "O VNet RBAC é usado para restringir o acesso à equipe de segurança da rede",
- "description": "Práticas recomendadas operacionais do cliente - verifique",
- "guid": "a87a04b7-a209-4939-ada4-7778f24c1167",
- "severity": "Média",
- "link": "https://github.com/MicrosoftDocs/azure-docs/issues/53672"
- },
- {
- "category": "Rede Azure",
- "subcategory": "Redes Virtuais",
- "text": "As recomendações de segurança do VNet são remediadas e não há VNets 'em risco' ",
- "guid": "85c2fa55-b56a-4948-808b-e7d7e4c476b6",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/virtual-network/policy-reference"
- },
- {
- "category": "Rede Azure",
- "subcategory": "Redes Virtuais",
- "text": "As conexões de peering do VNet são compreendidas e os fluxos de tráfego esperados são documentados",
- "guid": "d8bdcf59-bce6-45de-aa13-f98879468d66",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview"
- },
- {
- "category": "Rede Azure",
- "subcategory": "Redes Virtuais",
- "text": "Os endpoints de serviço VNet estão em uso, não existem pontos finais legados do serviço público",
- "guid": "a786d60f-a6c9-47be-a955-d04c3c49c986",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview"
- },
- {
- "category": "Rede Azure",
- "subcategory": "Redes Virtuais",
- "text": "Os Endpoints Privados VNet estão em uso para permitir o acesso de ambientes locais, não existem pontos finais públicos legados",
- "guid": "1f625659-ee55-480a-9824-9c931213dbd7",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview"
- },
- {
- "category": "Rede Azure",
- "subcategory": "Redes Virtuais",
- "text": "Monitoramento do VNet ativado",
- "guid": "fb012f70-943f-4630-9722-ea39d2b1ce63",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network"
- },
- {
- "category": "Rede Azure",
- "subcategory": "Redes Virtuais",
- "text": "Tráfego seguro entre pods usando políticas de rede no Azure Kubernetes Service (AKS)",
- "guid": "2055b29b-ade4-4th-8e8c-39ec94666731",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/virtual-network/kubernetes-network-policies"
- },
- {
- "category": "Rede Azure",
- "subcategory": "Redes Virtuais",
- "text": "Cliente VNet NVA (eletrodomésticos) segue padrão de arquitetura publicado",
- "guid": "3c005674-c1e9-445b-959c-373e7ed71623",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-scenario-udr-gw-nva"
- },
- {
- "category": "Rede Azure",
- "subcategory": "Redes Virtuais",
- "text": "As configurações do VNet Diagnostic estão habilitadas e enviam VMProtectionAlerts para a LEI do Azure Sentinel",
- "guid": "b375a917-ecbe-448f-ae64-dd7df2e8bbbc",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network"
- },
- {
- "category": "Rede Azure",
- "subcategory": "Conectividade",
- "text": "Use o ExpressRoute ou VPN para acessar recursos do Azure a partir de ambientes locais",
- "guid": "468155ab-c916-44e9-a09a-ed8c44cf3b2b",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure"
- },
- {
- "category": "Rede Azure",
- "subcategory": "Virtual WAN",
- "text": "VWAN RBAC é usado para restringir o acesso à equipe de segurança da rede",
- "guid": "bd8ac2aa-ebca-42a4-9da1-dbf3dd992481",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about"
- },
- {
- "category": "Rede Azure",
- "subcategory": "Virtual WAN",
- "text": "O cliente VWAN está usando o Secure Hub ou firewall externo para rotear e monitorar o tráfego.",
- "guid": "718d1dca-1f62-4565-aee5-580a38249c93",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-global-transit-network-architecture"
- },
- {
- "category": "Rede Azure",
- "subcategory": "Gateway de aplicativos",
- "text": "AppGW RBAC é usado para restringir o acesso à equipe de segurança de rede",
- "guid": "1213dbd7-fb01-42f7-8943-f6304722ea39",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/overview"
- },
- {
- "category": "Rede Azure",
- "subcategory": "Gateway de aplicativos",
- "text": "AppGW Todos os serviços web voltados externos estão afer gateways de aplicativos com WAF ativado ",
- "guid": "d2b1ce63-2055-4b29-aade-4aad1e8c39ec",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip"
- },
- {
- "category": "Rede Azure",
- "subcategory": "Gateway de aplicativos",
- "text": "AppGW Todos os serviços internos voltados para a Web estão behing Application Gateways com WAF ativado ",
- "guid": "94666731-3c00-4567-9c1e-945b459c373e",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip"
- },
- {
- "category": "Rede Azure",
- "subcategory": "Gateway de aplicativos",
- "text": "AppGW - Frente externa tem TLS/SSL ativado e redireciona todo o tráfego para 443 (sem tráfego na porta 80)",
- "guid": "7ed71623-b375-4a91-9ecb-e48fbe64dd7d",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview"
- },
- {
- "category": "Rede Azure",
- "subcategory": "FrontDoor",
- "text": "O FRONT Door RBAC é usado para restringir o acesso à equipe de segurança da rede",
- "guid": "f2e8bbbc-4681-455a-ac91-64e9909aed8c",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/frontdoor/"
- },
- {
- "category": "Rede Azure",
- "subcategory": "FrontDoor",
- "text": "Porta da Frente está associada a uma política WAF",
- "guid": "44cf3b2b-3818-4baf-a2cf-2149d013a923",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/front-door-security-baseline?toc=/azure/frontdoor/TOC.json"
- },
- {
- "category": "Rede Azure",
- "subcategory": "FrontDoor",
- "text": "A política TLS/SSL da porta frontal está configurada",
- "guid": "ce574dcc-bd8a-4c2a-aebc-a2a44da1dbf3",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/frontdoor/front-door-custom-domain-https"
- },
- {
- "category": "Rede Azure",
- "subcategory": "FrontDoor",
- "text": "Porta de redirecionamento da porta 80 para porta 443 está configurada (ouvintes)",
- "guid": "dd992481-718d-41dc-a1f6-25659ee5580a",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/frontdoor/front-door-url-redirect"
- },
- {
- "category": "Rede Azure",
- "subcategory": "FrontDoor",
- "text": "Os registros de diagnósticos da Porta frontal enviam o ApplicationGatewayAccessLog &ApplicationGateway FirewallLog para o Sentinel LAW",
- "guid": "38249c93-1213-4dbd-9fb0-12f70943f630",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/frontdoor/front-door-diagnostics"
- },
- {
- "category": "Rede Azure",
- "subcategory": "Proteção DDOS",
- "text": "Habilitado para IP's públicos do Firewall (todos os IPs públicos)",
- "guid": "4722ea39-d2b1-4ce6-9205-5b29bade4aad",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/security/fundamentals/ddos-best-practices"
- },
- {
- "category": "Identidade",
- "subcategory": "Inquilino",
- "text": "Estabeleça um único diretório empresarial para gerenciar identidades de funcionários em tempo integral e recursos corporativos.",
- "guid": "346ad56f-bdb8-44db-8bcd-0a689af63f1e",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/security/compass/identity#a-single-enterprise-directory"
- },
- {
- "category": "Identidade",
- "subcategory": "Inquilino",
- "text": "Sincronize sua identidade na nuvem com seus sistemas de identidade existentes.",
- "guid": "a46108cd-6a76-4749-ae69-b7bf61410010",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/security/compass/identity#synchronized-identity-systems"
- },
- {
- "category": "Identidade",
- "subcategory": "Inquilino",
- "text": "Use serviços de identidade na nuvem para hospedar contas não-funcionários, como fornecedores, parceiros e clientes, em vez de incluí-las em seu diretório local.",
- "guid": "a1ab96ceb-c149-4ce2-bcad-3bd375ebfc7f",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/security/compass/identity#cloud-provider-identity-source-for-third-parties"
- },
- {
- "category": "Identidade",
- "subcategory": "Inquilino",
- "text": "Desativar protocolos legados inseguros para serviços voltados à internet.",
- "guid": "343473ec-ed5c-49e1-98f4-cb09524a23cd",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/security/compass/identity#block-legacy-authentication"
- },
- {
- "category": "Identidade",
- "subcategory": "Inquilino",
- "text": "Habilitar um único login",
- "guid": "70dceb23-50c7-4d8d-bf53-8cc104c7dc44",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/security/fundamentals/identity-management-best-practices#enable-single-sign-on"
- },
- {
- "category": "Identidade",
- "subcategory": "Administração privilegiada",
- "text": "Não sincronize contas com o maior acesso privilegiado aos recursos locais à medida que você sincroniza seus sistemas de identidade corporativa com diretórios em nuvem.",
- "guid": "87791be1-1eb0-48ed-8003-ad9bcf241b99",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/security/compass/identity#no-on-premises-admin-accounts-in-cloud-identity-providers"
- },
- {
- "category": "Identidade",
- "subcategory": "Administração privilegiada",
- "text": "Limitar o número de administradores globais a menos de 5",
- "guid": "9e6efe9d-f28f-463b-9bff-b5080173e9fe",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#5-limit-the-number-of-global-administrators-to-less-than-5"
- },
- {
- "category": "Identidade",
- "subcategory": "Administração privilegiada",
- "text": "Use grupos para atribuições de papéis do Azure AD e delegue a atribuição de função",
- "guid": "e0d968d3-87f6-41fb-a4f9-d852f1673f4c",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#6-use-groups-for-azure-ad-role-assignments-and-delegate-the-role-assignment"
- },
- {
- "category": "Identidade",
- "subcategory": "Administração privilegiada",
- "text": "Certifique-se de que todos os administradores de impacto críticos sejam gerenciados pelo diretório corporativo para acompanhar a aplicação da política organizacional.",
- "guid": "00350863-4df6-4050-9cf1-cbaa6d58283e",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#managed-accounts-for-admins"
- },
- {
- "category": "Identidade",
- "subcategory": "Administração privilegiada",
- "text": "Configure revisões de acesso recorrentes para revogar permissões não precisas ao longo do tempo",
- "guid": "eae64d01-0d3a-4ae1-a89d-cc1c2ad3888f",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#4-configure-recurring-access-reviews-to-revoke-unneeded-permissions-over-time"
- },
- {
- "category": "Identidade",
- "subcategory": "Administração privilegiada",
- "text": "Certifique-se de que os administradores de impacto crítico usem uma estação de trabalho com proteções de segurança elevadas e monitoramento",
- "guid": "922ac19f-916d-4697-b8ea-ded26bdd186f",
- "severity": "Média",
- "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#admin-workstation-security"
- },
- {
- "category": "Identidade",
- "subcategory": "Identidades Externas",
- "text": "Provedores de identidade: Verifique se são conhecidos os provedores de identidade externos",
- "guid": "1e8c39ec-9466-4673-83c0-05674c1e945b",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/active-directory/external-identities/compare-with-b2c"
- },
- {
- "category": "Identidade",
- "subcategory": "Identidades Externas",
- "text": "Configurações de colaboração externa: o acesso do usuário convidado definido para 'Acesso ao usuário convidado é restrito?'",
- "guid": "459c373e-7ed7-4162-9b37-5a917ecbe48f",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations"
- },
- {
- "category": "Identidade",
- "subcategory": "Identidades Externas",
- "text": "Configurações de colaboração externa: Configurações de convite de hóspedes definidas como 'Somente usuários atribuídos a funções específicas de administração'",
- "guid": "be64dd7d-f2e8-4bbb-a468-155abc9164e9",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations"
- },
- {
- "category": "Identidade",
- "subcategory": "Identidades Externas",
- "text": "Configurações de colaboração externa: habilite o autoatendimento do hóspede por meio de fluxos definidos como 'Desativados' ",
- "guid": "909aed8c-44cf-43b2-a381-8bafa2cf2149",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations"
- },
- {
- "category": "Identidade",
- "subcategory": "Identidades Externas",
- "text": "Configurações de colaboração externa: restrições de colaboração definidas como 'Permitir convites para os domínios especificados'",
- "guid": "d013a923-ce57-44dc-abd8-ac2aaebca2a4",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations"
- },
- {
- "category": "Identidade",
- "subcategory": "Identidades Externas",
- "text": "Avaliações de acesso: Habilitadas para todos os grupos",
- "guid": "4da1dbf3-dd99-4248-8718-d1dca1f62565",
- "severity": "Média",
- "link": "https://learn.microsoft.com/azure/active-directory/governance/deploy-access-reviews"
- },
- {
- "category": "Identidade",
- "subcategory": "Aplicações Corporativas",
- "text": "Consentimento & Permissões: Permitir o consentimento do usuário para aplicativos de editores verificados",
- "guid": "9ee5580a-3824-49c9-9121-3dbd7fb012f7",
- "severity": "Média",
- "link": "https://learn.microsoft.com/azure/active-directory/manage-apps/configure-user-consent"
- },
- {
- "category": "Identidade",
- "subcategory": "Aplicações Corporativas",
- "text": "Consentimento & Permissões: Permitir o consentimento do proprietário do grupo para proprietários de grupos selecionados ",
- "guid": "0943f630-4722-4ea3-ad2b-1ce632055b29",
- "severity": "Média",
- "link": "https://learn.microsoft.com/azure/active-directory/manage-apps/configure-user-consent-groups"
- },
- {
- "category": "Identidade",
- "subcategory": "Domínios personalizados",
- "text": "Apenas domínios validados de clientes são registrados",
- "guid": "bade4aad-1e8c-439e-a946-667313c00567",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy-configure-custom-domain"
- },
- {
- "category": "Identidade",
- "subcategory": "Redefinição de senha",
- "text": "Requisito de política de redefinição de senha de autoatendimento verificado em conformidade.",
- "guid": "4c1e945b-459c-4373-b7ed-71623b375a91",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-sspr"
- },
- {
- "category": "Identidade",
- "subcategory": "Redefinição de senha",
- "text": "Definir o número de dias antes que os usuários sejam solicitados a re-confirmar informações de autenticação não está definido como zero",
- "guid": "7ecbe48f-be64-4dd7-bf2e-8bbbc468155a",
- "severity": "Média",
- "link": "https://learn.microsoft.com/azure/active-directory/authentication/howto-sspr-deployment"
- },
- {
- "category": "Identidade",
- "subcategory": "Redefinição de senha",
- "text": "Definir o número de métodos necessários para redefinir a senha são selecionados",
- "guid": "bc9164e9-909a-4ed8-a44c-f3b2b3818baf",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/active-directory/authentication/howto-sspr-deployment"
- },
- {
- "category": "Identidade",
- "subcategory": "Configuração do usuário",
- "text": "Desativar 'Os usuários podem registrar aplicativos'",
- "guid": "a2cf2149-d013-4a92-9ce5-74dccbd8ac2a",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/active-directory/roles/delegate-app-roles"
- },
- {
- "category": "Identidade",
- "subcategory": "Configuração do usuário",
- "text": "Restringir o acesso ao portal Administrativo (portal.azure.com) apenas aos administradores",
- "guid": "aebca2a4-4da1-4dbf-9dd9-92481718d1dc",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/users-default-permissions"
- },
- {
- "category": "Identidade",
- "subcategory": "Configuração do usuário",
- "text": "Desativar a 'conexão de conta do LinkedIn'",
- "guid": "a1f62565-9ee5-4580-a382-49c931213dbd",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/active-directory/enterprise-users/linkedin-integration"
- },
- {
- "category": "Identidade",
- "subcategory": "Configurações de diagnóstico",
- "text": "Ativado e enviado para o espaço de trabalho Log Analytics com o Sentinel",
- "guid": "7fb012f7-0943-4f63-8472-2ea39d2b1ce6",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-monitoring"
- },
- {
- "category": "Identidade",
- "subcategory": "PIM ativado",
- "text": "Gerenciamento de identidade privilegiado ativado",
- "guid": "21e44a19-a9dd-4399-afd7-b28dc8355562",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-deployment-plan"
- },
- {
- "category": "Identidade",
- "subcategory": "PIM ativado",
- "text": "Implementar o acesso 'just in time' (JIT) para reduzir ainda mais o tempo de exposição de contas privilegiadas (reduzir o acesso permanente)",
- "guid": "46f4389a-7f42-4c78-b78c-06a63a21a495",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-usage?tabs=jit-config-asc%2Cjit-request-asc"
- },
- {
- "category": "Identidade",
- "subcategory": "Políticas de acesso condicional",
- "text": "Configure políticas de acesso condicional / Controles de Acesso",
- "guid": "6e6a8dc4-a20e-427b-9e29-711b1352beee",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policy-common"
- },
- {
- "category": "Identidade",
- "subcategory": "Políticas de acesso condicional",
- "text": "Condições: Locais Restritos",
- "guid": "079b588d-efc4-4972-ac3c-d21bf77036e5",
- "severity": "Média",
- "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/location-condition"
- },
- {
- "category": "Identidade",
- "subcategory": "Políticas de acesso condicional",
- "text": "Controles de acesso: MFA ativado para todos os usuários",
- "guid": "e6b4bed3-d5f3-4547-a134-7dc56028a71f",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa"
- },
- {
- "category": "Identidade",
- "subcategory": "Políticas de acesso condicional",
- "text": "Controles de acesso: Exigir MFA para administradores",
- "guid": "fe1bd15d-d2f0-4d5e-972d-41e3611cc57b",
- "severity": "Média",
- "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa"
- },
- {
- "category": "Identidade",
- "subcategory": "Políticas de acesso condicional",
- "text": "Controles de acesso: Exigir MFA para gerenciamento do Azure ",
- "guid": "4a4b1410-d439-4589-ac22-89b3d6b57cfc",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-azure-management"
- },
- {
- "category": "Identidade",
- "subcategory": "Políticas de acesso condicional",
- "text": "Controles de acesso: bloqueie protocolos legados",
- "guid": "645461e1-a3e3-4453-a3c8-639637a552d6",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy"
- },
- {
- "category": "Identidade",
- "subcategory": "Políticas de acesso condicional",
- "text": "Controles de acesso: Exigir que os dispositivos sejam marcados como compatíveis",
- "guid": "7ae9eab4-0fd3-4290-998b-c178bdc5a06c",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/require-managed-devices"
- },
- {
- "category": "Identidade",
- "subcategory": "Usuários convidados",
- "text": "Existe uma política para rastrear contas de usuários de hóspedes (ou seja, uso/exclusão/desativação)?",
- "description": "Política documentada pelo cliente",
- "guid": "a7144351-e19d-4d34-929e-b7228137a151",
- "severity": "Média",
- "link": "https://devblogs.microsoft.com/premier-developer/azure-active-directory-automating-guest-user-management/"
- },
- {
- "category": "Identidade",
- "subcategory": "Pontuação segura de identidade",
- "text": "Implementar o Score seguro de identidade com base nas melhores práticas do seu setor",
- "guid": "c5bb4e4f-1814-4287-b5ca-8c26c9b32ab5",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/identity-secure-score"
- },
- {
- "category": "Identidade",
- "subcategory": "Quebrar contas de vidro",
- "text": "Pelo menos duas contas de vidro de quebra foram criadas e a política em torno de seu uso existe",
- "guid": "bcfc6998-a135-4e33-9897-e31c67d68cb6",
- "severity": "Média",
- "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access"
- },
- {
- "category": "Verificações de segurança VM",
- "subcategory": "Controle de acesso",
- "text": "Controle de acesso VM aproveitando a política do Azure",
- "guid": "0ac252b9-99a6-48af-a7c9-a8f821b8eb8c",
- "severity": "Alto",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview"
- },
- {
- "category": "Verificações de segurança VM",
- "subcategory": "Controle de acesso",
- "text": "Reduza a variabilidade na configuração e implantação de VMs aproveitando modelos",
- "guid": "0a77e26-e4d5-4aea-a8dc-4e2436bc336d",
- "severity": "Média",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/templates/syntax"
- },
- {
- "category": "Verificações de segurança VM",
- "subcategory": "Controle de acesso",
- "text": "Garantir acesso privilegiado para implantar VMS reduzindo quem tem acesso a Recursos através da Governança",
- "guid": "b5945bda-4333-44fd-b91c-234182b65275",
- "severity": "Média",
- "link": "https://learn.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models"
- },
- {
- "category": "Verificações de segurança VM",
- "subcategory": "Alta disponibilidade ",
- "text": "Use vários VMs para suas cargas de trabalho para melhor disponibilidade ",
- "guid": "269440b4-be3d-43e0-a432-76d4bdc015bc",
- "severity": "Média",
- "link": "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service"
- },
- {
- "category": "Verificações de segurança VM",
- "subcategory": "Alta disponibilidade ",
- "text": "Implantar e testar uma solução de recuperação de desastres ",
- "guid": "f219e4a1-eb58-4879-935d-227886d30b66",
- "severity": "Média",
- "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-first-look-arm"
- },
- {
- "category": "Verificações de segurança VM",
- "subcategory": "Alta disponibilidade ",
- "text": "Conjuntos de Availabilty",
- "guid": "c57be595-1900-4838-95c5-86cb291ec16a",
- "severity": "Média",
- "link": 
"https://learn.microsoft.com/azure/virtual-machines/availability-set-overview" - }, - { - "category": "Verificações de segurança VM", - "subcategory": "Alta disponibilidade ", - "text": "Zonas de disponibilidade", - "guid": "1d076ef9-f141-4acd-ae57-9377bcdb3751", - "severity": "Média", - "link": "https://learn.microsoft.com/azure/availability-zones/az-overview?context=/azure/virtual-machines/context/context" - }, - { - "category": "Verificações de segurança VM", - "subcategory": "Alta disponibilidade ", - "text": "Tolerância a falhas regionais ", - "guid": "ab2ac1fa-d66e-415d-9d5a-2adb2c3e2326", - "severity": "Média", - "link": "https://learn.microsoft.com/azure/architecture/resiliency/recovery-loss-azure-region" - }, - { - "category": "Verificações de segurança VM", - "subcategory": "Proteger contra malware", - "text": "Instalar soluções antimalware", - "guid": "af225ca4-4e16-496f-bdde-ace4cb1deb4c", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/security/fundamentals/antimalware" - }, - { - "category": "Verificações de segurança VM", - "subcategory": "Proteger contra malware", - "text": "Integre a solução antimalware com o Security Center", - "guid": "650c3fc1-4eeb-4b36-a382-9e3eec218368", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/security-center/security-center-partner-integration" - }, - { - "category": "Verificações de segurança VM", - "subcategory": "Gerenciar atualizações vm", - "text": "Mantenha os VMs atualizados usando o Gerenciamento de Atualizações com automação do Azure", - "guid": "7a0177a2-b594-45bd-a433-34fdf91c2341", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/automation/update-management/overview" - }, - { - "category": "Verificações de segurança VM", - "subcategory": "Gerenciar atualizações vm", - "text": "Certifique-se de que as imagens do Windows para implantação tenham o nível mais recente de atualizações ", - "guid": "c6fa96b9-6ad8-4840-af37-2734c876ba28", - "severity": 
"Média", - "link": "https://learn.microsoft.com/azure/virtual-machines/automatic-vm-guest-patching" - }, - { - "category": "Verificações de segurança VM", - "subcategory": "Gerenciar atualizações vm", - "text": "Aplique rapidamente atualizações de segurança para VMs usando o Microsoft Defender for Cloud", - "guid": "02145901-465d-438e-9309-ccbd979266bc", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/security-center/asset-inventory" - }, - { - "category": "Verificações de segurança VM", - "subcategory": "Criptografe seus VHDs", - "text": "Habilite a criptografia em seus VMs", - "guid": "ca274faa-19bf-439d-a5d4-4c7c8919ca1f", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview" - }, - { - "category": "Verificações de segurança VM", - "subcategory": "Criptografe seus VHDs", - "text": "Adicione a chave de criptografia chave (KEK) para adicionar camada de segurança para criptografia ", - "guid": "6d5315ae-524b-4a34-b458-5e12139bd7bb", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/virtual-machines/windows/disk-encryption-key-vault#set-up-a-key-encryption-key-kek" - }, - { - "category": "Verificações de segurança VM", - "subcategory": "Criptografe seus VHDs", - "text": "Tire um instantâneo de discos antes da criptografia para fins de reversão", - "guid": "012f7b95-e06e-4154-b2aa-3592828e6e20", - "severity": "Média", - "link": "https://learn.microsoft.com/azure/virtual-machines/windows/snapshot-copy-managed-disk" - }, - { - "category": "Verificações de segurança VM", - "subcategory": "Restringir a conexão direta à internet ", - "text": "Garantir que apenas o grupo central de rede tenha permissões para recursos de rede ", - "guid": "5173676a-e466-491e-a835-ad942223e138", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles" - }, - { - "category": "Verificações de segurança VM", - "subcategory": "Restringir a conexão direta 
à internet ", - "text": "VMs expostos de identidade e correção que permitem o acesso a partir de adicionas IP de origem 'ANY'", - "guid": "10523081-a941-4741-9833-ff7ad7c6d373", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/security-center/security-center-partner-integration" - }, - { - "category": "Verificações de segurança VM", - "subcategory": "Restringir a conexão direta à internet ", - "text": "Restringir portas de gerenciamento (RDP, SSH) usando acesso just-in-time", - "guid": "75a91be1-f388-4f03-a4d2-cd463cbbbc86", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/security-center/security-center-just-in-time" - }, - { - "category": "Verificações de segurança VM", - "subcategory": "Restringir a conexão direta à internet ", - "text": "Remova o acesso à internet e implemente servidores de salto para RDP", - "guid": "8295abc9-1a4e-4da0-bae2-cc84c47b6b78", - "severity": "Alto", - "link": "http://learn.microsoft.com/answers/questions/171195/how-to-create-jump-server-in-azure-not-bastion-paa.html" - }, - { - "category": "Verificações de segurança VM", - "subcategory": "Restringir a conexão direta à internet ", - "text": "Remova o login direto em servidores usando RDP/SSH da internet e implemente VPN ou rota expressa", - "guid": "1cbafe6c-4658-49d4-98a9-27c3974d1102", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-forced-tunneling" - }, - { - "category": "Verificações de segurança VM", - "subcategory": "Restringir a conexão direta à internet ", - "text": "Aproveite o Azure Bastion como seu corretor RDP/SSH para maior segurança e redução de pegada", - "guid": "dad6aae1-1e6b-484e-b5df-47d2d92881b1", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/bastion/bastion-overview" - }, - { - "category": "Sentinela", - "subcategory": "Arquitetura ", - "text": "Todos os inquilinos contêm sentinela habilitado em pelo menos um espaço de trabalho Log Analytics", - "guid": 
"cd5d1e54-a297-459e-9968-0e78289c9356", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard" - }, - { - "category": "Sentinela", - "subcategory": "Arquitetura ", - "text": "Cliente entende arquitetura Sentinela", - "guid": "57d02bff-4564-4b0d-a34a-359836ee79d6", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/best-practices-workspace-architecture" - }, - { - "category": "Sentinela", - "subcategory": "Arquitetura ", - "text": "O cliente sabe como monitorar incidentes em várias instâncias do Sentinel", - "guid": "e8f5c586-c7d9-4cdc-86ac-c075ef9b141a", - "severity": "Média", - "link": "https://learn.microsoft.com/azure/sentinel/multiple-workspace-view" - }, - { - "category": "Sentinela", - "subcategory": "Visão geral", - "text": "Sem Incidentes abertos mais de 24 horas", - "guid": "8989579e-76b8-497e-910a-7da7be9966e1", - "severity": "Média", - "link": "https://learn.microsoft.com/azure/sentinel/manage-soc-with-incident-metrics" - }, - { - "category": "Sentinela", - "subcategory": "Notícias e Guias", - "text": "O cliente foi mostrado na guia Notícias & Guias", - "guid": "5d3c4ada-97cb-43d1-925a-b225c6f4e068", - "severity": "Baixo", - "link": "https://learn.microsoft.com/azure/sentinel/whats-new" - }, - { - "category": "Sentinela", - "subcategory": "UEBA ", - "text": "Configurado pelo UEBA (Sentinel/Configurações/Configurações/Configurar UEBA)", - "guid": "5edddea8-a4b7-4cde-a4c6-1fc3fc14eea6", - "severity": "Média", - "link": "https://learn.microsoft.com/azure/sentinel/enable-entity-behavior-analytics" - }, - { - "category": "Sentinela", - "subcategory": "Conectores de dados", - "text": "Diretório Ativo do Azure em programas configurados e 'Último Log Recebido' hoje", - "guid": "e69d8d9a-3eec-4218-b687-ab077adb49e5", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/connect-azure-active-directory" - }, - { - "category": "Sentinela", - "subcategory": "Conectores de dados", 
- "text": "A proteção de identidade do Diretório Ativo do Azure é configurada e 'Último Registro Recebido' é apresentado hoje", - "guid": "b9603334-fdf8-4cc2-9318-db61171269f4", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-active-directory-identity-protection" - }, - { - "category": "Sentinela", - "subcategory": "Conectores de dados", - "text": "A Atividade do Azure está configurada e 'Último Registro Recebido' é apresentado hoje", - "guid": "0b4aa3d3-e070-4327-9d4b-98b15b8a219a", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-activity" - }, - { - "category": "Sentinela", - "subcategory": "Conectores de dados", - "text": "Microsoft Defender for Cloud é configurado e 'Último Log Recebido' mostra hoje", - "guid": "8e13f9cc-bd46-4826-9abc-a264f9a19bfe", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/connect-defender-for-cloud" - }, - { - "category": "Sentinela", - "subcategory": "Conectores de dados", - "text": "O Azure Firewall está configurado e o 'Último Log Recebido' é apresentado hoje", - "guid": "9d55d04c-3c49-419c-a1b2-d1215ae114b9", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-firewall" - }, - { - "category": "Sentinela", - "subcategory": "Conectores de dados", - "text": "O Firewall do Windows está configurado e o 'Último Log Recebido' é apresentado hoje", - "guid": "34df585e-cccd-49bd-9ba0-cdb3b54eb2eb", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#windows-firewall" - }, - { - "category": "Sentinela", - "subcategory": "Conectores de dados", - "text": "Eventos de segurança são configurados com os shows ama e 'Último Log Recebido' hoje", - "guid": "03ddaa25-9271-48d2-bdb1-0725769ef669", - "severity": "Alto", - "link": 
"https://learn.microsoft.com/azure/sentinel/data-connectors-reference#windows-security-events-via-ama" - }, - { - "category": "Sentinela", - "subcategory": "Conectores de dados", - "text": "Eventos de Segurança - verifique se os computadores do Azure estão conectados e enviando dados para o espaço de trabalho", - "guid": "1a4834ac-9322-423e-ae80-b123081a5417", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference" - }, - { - "category": "Sentinela", - "subcategory": "Conectores de dados", - "text": "Eventos de Segurança - verifique se computadores não-Azure estão conectados e enviando dados para o espaço de trabalho", - "guid": "859c773e-7e26-4162-9b77-5a917e1f348e", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference" - }, - { - "category": "Sentinela", - "subcategory": "Conectores de dados", - "text": "Conector para AWS", - "guid": "f354c27d-42e8-4bba-a868-155abb9163e9", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/connect-aws?tabs=s3" - }, - { - "category": "Sentinela", - "subcategory": "Conectores de dados", - "text": "Conector para GCP", - "guid": "909ae28c-84c3-43b6-a780-8bafe6c42149", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference" - }, - { - "category": "Sentinela", - "subcategory": "Regras de análise", - "text": "O cliente habilitou as regras de análise e configurou incidentes ", - "guid": "d413a923-c357-44d1-8028-ac6aae01e6a8", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/sentinel/detect-threats-built-in" - }, - { - "category": "Sentinela", - "subcategory": "Configurações", - "text": "O cliente não tem um limite diário habilitado", - "guid": "4de5df43-d299-4248-8718-d5d1e5f62565", - "severity": "Média", - "link": "https://azure.microsoft.com/updates/controlling-data-volume-and-retention-in-log-analytics-2/" - }, - { - "category": "Azure Firewall", - 
"subcategory": "Configuração", - "text": "Azure Firewall Premium implantado", - "guid": "9e3558fd-7724-49c9-9111-2d027fe412f7", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/firewall/premium-features" - }, - { - "category": "Azure Firewall", - "subcategory": "Configuração", - "text": "Tunning quad zero/force ativado através do Firewall Azure", - "guid": "4dc74a74-8b66-433a-b2a0-916a764980ad", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal#create-a-default-route" - }, - { - "category": "Azure Firewall", - "subcategory": "Controle de acesso", - "text": "RBAC definido para habilitar apenas usuários autorizados", - "guid": "0e278ee2-93c1-4bc3-92ba-aab7571849ab", - "severity": "Média", - "link": "https://techcommunity.microsoft.com/t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598" - }, - { - "category": "Azure Firewall", - "subcategory": "Configurações de diagnóstico", - "text": "Diagnósticos ativados e envio de métricas para um espaço de trabalho do Log Analytics ", - "guid": "8093dc9f-c9d1-4bb7-9b36-a5a67fbb9ed5", - "severity": "Média", - "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics" - }, - { - "category": "Azure Firewall", - "subcategory": "Gerente de Firewall", - "text": "Hubs e redes virtuais são protegidos ou conectados através do Firewall Premium", - "guid": "b35478c3-4798-416b-8863-cffe1cac599e", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview" - }, - { - "category": "Azure Firewall", - "subcategory": "Gerente de Firewall", - "text": "Política: Os controles de acesso são configurados (RBAC)", - "guid": "f0d5a73d-d4de-436c-8c81-770afbc4c0e4", - "severity": "Alto", - "link": "https://techcommunity.microsoft.com/t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598" - }, - { - "category": "Azure Firewall", - "subcategory": 
"Gerente de Firewall", - "text": "Política: A política dos pais está configurada ", - "guid": "5c3a87af-4a79-41f8-a39b-da47768e14c1", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview" - }, - { - "category": "Azure Firewall", - "subcategory": "Gerente de Firewall", - "text": "Política: As coleções de regras são definidas", - "guid": "15675c1e-a55b-446a-a48f-f8ae7d7e4b47", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/firewall/rule-processing" - }, - { - "category": "Azure Firewall", - "subcategory": "Gerente de Firewall", - "text": "Política: As políticas de DNAT são definidas", - "guid": "5b6c8bcb-f59b-4ce6-9de8-a03f97879468", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/firewall/rule-processing" - }, - { - "category": "Azure Firewall", - "subcategory": "Gerente de Firewall", - "text": "Política: As regras da rede são definidas", - "guid": "d66a786d-60e9-46c9-9ad8-855d04c2b39c", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/firewall/rule-processing" - }, - { - "category": "Azure Firewall", - "subcategory": "Gerente de Firewall", - "text": "Política: As regras de aplicação são definidas", - "guid": "986bb2c1-2149-4a11-9b5e-3df574ecccd9", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/firewall/features" - }, - { - "category": "Azure Firewall", - "subcategory": "Gerente de Firewall", - "text": "DNS: Recurso compreendido e aplicado ou não aplicado", - "guid": "793a6bcd-a3b5-40eb-8eb0-3dd95d58d7c8", - "severity": "Média", - "link": "https://learn.microsoft.com/azure/firewall/dns-details" - }, - { - "category": "Azure Firewall", - "subcategory": "Gerente de Firewall", - "text": "Inteligência de Ameaças: Definir para Alertar e Negar", - "guid": "d622f54b-29ba-4de3-aad1-e8c28ec93666", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/firewall-manager/threat-intelligence-settings" - }, - { - "category": "Azure Firewall", - 
"subcategory": "Gerente de Firewall", - "text": "Inteligência de Ameaças: Lista permitida (justificar se eles estão sendo usados - ou seja, desempenho)", - "guid": "7313b005-674b-41e9-94a4-59c373e7ed61", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/firewall-manager/threat-intelligence-settings#allowlist-addresses" - }, - { - "category": "Azure Firewall", - "subcategory": "Gerente de Firewall", - "text": "TLS ativado", - "guid": "623b365a-917e-4cbe-98eb-d54cd7df2e8b", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/firewall/premium-certificates" - }, - { - "category": "Azure Firewall", - "subcategory": "Gerente de Firewall", - "text": "IDPS ativado", - "guid": "bac35715-59ab-4915-9e99-08aed8c44ce3", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/firewall/rule-processing" - }, - { - "category": "Azure Firewall", - "subcategory": "Gerente de Firewall", - "text": "SNAT: Configurado ", - "guid": "b2b3808b-9fa1-4cf1-849d-003a923ce474", - "severity": "Alto", - "link": "https://learn.microsoft.com/azure/firewall/snat-private-range" - }, - { - "category": "Azure Firewall", - "subcategory": "Proteção DDOS", - "text": "Habilitado para IP's públicos do Firewall", - "guid": "dbcbd8ac-2aae-4bca-8a43-da1dae2cc992", - "severity": "Média", - "link": "https://learn.microsoft.com/azure/security/fundamentals/ddos-best-practices" - } - ], - "severities": [ - { - "name": "Alto" - }, - { - "name": "Média" - }, - { - "name": "Baixo" - } - ], - "status": [ - { - "name": "Não verificado", - "description": "Este cheque ainda não foi examinado." 
- },
- {
- "name": "Abrir",
- "description": "Há um item de ação associado a este cheque"
- },
- {
- "name": "Cumprido",
- "description": "Esta verificação foi verificada, e não há mais itens de ação associados a ele"
- },
- {
- "name": "Não é necessário",
- "description": "Recomendação compreendida, mas não necessária pelos requisitos atuais"
- },
- {
- "name": "N/A",
- "description": "Não é aplicável para o design atual"
- }
- ],
- "categories": [
- {
- "name": "Defender para nuvem"
- },
- {
- "name": "Rede Azure"
- },
- {
- "name": "Identidade"
- },
- {
- "name": "Verificações de segurança VM"
- },
- {
- "name": "Sentinela"
- },
- {
- "name": "Azure Firewall"
- }
- ]
-}
+ "categories": [
+ {
+ "name": "Defender para nuvem"
+ },
+ {
+ "name": "Rede do Azure"
+ },
+ {
+ "name": "Identidade"
+ },
+ {
+ "name": "Verificações de segurança da VM"
+ },
+ {
+ "name": "Sentinela"
+ },
+ {
+ "name": "Azure Firewall"
+ }
+ ],
+ "items": [
+ {
+ "category": "Defender para nuvem",
+ "guid": "54174158-33fb-43ae-9c2d-e743165c3acb",
+ "id": "A01.01",
+ "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started",
+ "severity": "Alto",
+ "subcategory": "Preços & Configurações",
+ "text": "Central de Segurança/Defender habilitado em todas as assinaturas",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Defender para nuvem",
+ "guid": "349f0364-d28d-442e-abbb-c868255abc91",
+ "id": "A01.02",
+ "link": "https://learn.microsoft.com/azure/security-center/enable-azure-defender",
+ "severity": "Alto",
+ "subcategory": "Preços & Configurações",
+ "text": "Central de Segurança/Defender habilitada em todos os espaços de trabalho do Log Analytics",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Defender para nuvem",
+ "guid": "64e9a19a-e28c-484c-93b6-b7818ca0e6c4",
+ "id": "A01.03",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-feature#what-event-types-are-stored-for-common-and-minimal",
+ "severity":
"Média", + "subcategory": "Preços & Configurações", + "text": "Conjunto de coleta de dados como 'Comum'", + "waf": "Segurança" + }, + { + "category": "Defender para nuvem", + "guid": "2149d414-a923-4c35-94d1-1029bd6aaf11", + "id": "A01.04", + "link": "https://learn.microsoft.com/azure/security-center/enable-azure-defender", + "severity": "Alto", + "subcategory": "Preços & Configurações", + "text": "Os recursos de segurança aprimorados do Defender for Cloud estão todos habilitados", + "waf": "Segurança" + }, + { + "category": "Defender para nuvem", + "guid": "e6b84ee5-ef43-4d29-a248-1718d5d1f5f7", + "id": "A01.05", + "link": "https://learn.microsoft.com/azure/security-center/security-center-enable-data-collection", + "severity": "Média", + "subcategory": "Preços & Configurações", + "text": "Provisionamento automático habilitado de acordo com a política da empresa (a política deve existir)", + "waf": "Segurança" + }, + { + "category": "Defender para nuvem", + "guid": "25759e35-680e-4782-9ac9-32213d027ff4", + "id": "A01.06", + "link": "https://learn.microsoft.com/azure/security-center/security-center-provide-security-contact-details", + "severity": "Baixo", + "subcategory": "Preços & Configurações", + "text": "Notificações por e-mail habilitadas de acordo com a política da empresa (a política deve existir)", + "waf": "Segurança" + }, + { + "category": "Defender para nuvem", + "guid": "12f70993-0631-4583-9ee7-9d6c6d363206", + "id": "A01.07", + "link": "https://learn.microsoft.com/azure/security-center/security-center-wdatp?WT.mc_id=Portal-Microsoft_Azure_Security_CloudNativeCompute&tabs=windows", + "severity": "Média", + "subcategory": "Preços & Configurações", + "text": "As opções de ativação de integrações estão selecionadas ", + "waf": "Segurança" + }, + { + "category": "Defender para nuvem", + "guid": "5b7abae4-4aad-45e8-a79e-2e86667313c5", + "id": "A01.08", + "link": "https://learn.microsoft.com/azure/security-center/defender-for-container-registries-cicd", + 
"severity": "Média", + "subcategory": "Preços & Configurações", + "text": "A integração CI/CD está configurada", + "waf": "Operações" + }, + { + "category": "Defender para nuvem", + "guid": "05675c5e-985b-4859-a774-f7e371623b87", + "id": "A01.09", + "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal", + "severity": "Alto", + "subcategory": "Preços & Configurações", + "text": "A exportação contínua 'Hub de Eventos' está habilitada se estiver usando o SIEM de 3ª parte", + "waf": "Segurança" + }, + { + "category": "Defender para nuvem", + "guid": "5a917e1f-349f-4036-9d28-d42e8bbbc868", + "id": "A01.10", + "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal", + "severity": "Média", + "subcategory": "Preços & Configurações", + "text": "A exportação contínua 'Log Analytics Workspace' está habilitada se não estiver usando o Azure Sentinel", + "waf": "Segurança" + }, + { + "category": "Defender para nuvem", + "guid": "255abc91-64e9-4a19-ae28-c84c43b6b781", + "id": "A01.11", + "link": "https://learn.microsoft.com/azure/security-center/quickstart-onboard-aws?WT.mc_id=Portal-Microsoft_Azure_Security", + "severity": "Alto", + "subcategory": "Preços & Configurações", + "text": "Conector de nuvem habilitado para AWS", + "waf": "Segurança" + }, + { + "category": "Defender para nuvem", + "guid": "8ca0e6c4-2149-4d41-9a92-3c3574d11029", + "id": "A01.12", + "link": "https://learn.microsoft.com/azure/security-center/quickstart-onboard-gcp", + "severity": "Alto", + "subcategory": "Preços & Configurações", + "text": "Conector de nuvem habilitado para GCP", + "waf": "Segurança" + }, + { + "category": "Defender para nuvem", + "guid": "cce9bdf6-b483-45a0-85ec-c8232b230652", + "id": "A01.13", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy-integrate-with-microsoft-cloud-application-security", + "severity": "Baixo", + "subcategory": "Preços & Configurações", + 
"text": "Se estiver usando o proxy de Aplicativo do Azure AD, considere a integração com o Microsoft Defender for Cloud Apps para monitorar o acesso ao aplicativo em tempo real e aplicar controles de segurança avançados.", + "waf": "Segurança" + }, + { + "category": "Defender para nuvem", + "guid": "df9cc234-18db-4611-9126-5f4bb47a393a", + "id": "A02.01", + "link": "https://learn.microsoft.com/azure/security-center/secure-score-security-controls", + "severity": "Média", + "subcategory": "Recomendações", + "text": "Todas as recomendações corrigidas ou desabilitadas, se não forem necessárias.", + "waf": "Segurança" + }, + { + "category": "Defender para nuvem", + "description": "A meta mínima da Microsoft para todos os clientes é de 70%", + "guid": "08032729-4798-4b15-98a2-19a46ceb5443", + "id": "A02.02", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/secure-score-security-controls", + "severity": "Alto", + "subcategory": "Recomendações", + "text": "Pontuação de segurança>70%", + "waf": "Segurança" + }, + { + "category": "Defender para nuvem", + "guid": "50259226-4429-42bb-9285-37a55119bf8e", + "id": "A03.01", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/tutorial-security-incident", + "severity": "Média", + "subcategory": "Alertas de Segurança", + "text": "Os Alertas de Segurança contêm apenas os gerados nas últimas 24 horas (corrigir ou desativar alertas de segurança mais antigos)", + "waf": "Segurança" + }, + { + "category": "Defender para nuvem", + "guid": "8f585428-7d9c-4dc1-96cd-072af9b141a8", + "id": "A04.01", + "link": "https://learn.microsoft.com/azure/security-center/custom-dashboards-azure-workbooks", + "severity": "Média", + "subcategory": "Pastas", + "text": "Se a exportação contínua estiver habilitada, as pastas de trabalho padrão serão publicadas no painel de segurança personalizado", + "waf": "Segurança" + }, + { + "category": "Defender para nuvem", + "guid": "98a535e7-3789-47e7-8ca7-da7be9962a15", + "id": "A05.01", + 
"link": "https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/bd-p/MicrosoftDefenderCloud", + "severity": "Média", + "subcategory": "Comunidade", + "text": "O cliente está ciente do valor da página \"Comunidade\" e tem uma cadência regular configurada para revisar", + "waf": "Segurança" + }, + { + "category": "Defender para nuvem", + "description": "Melhores práticas operacionais do cliente - Transparência", + "guid": "93846da9-7cc3-4923-856b-22586f4a1641", + "id": "A06.01", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/enable-enhanced-security", + "severity": "Alto", + "subcategory": "Pontuação segura", + "text": "Todas as assinaturas protegidas pela Central de Segurança são mostradas (sem filtro de assinatura definido)", + "waf": "Segurança" + }, + { + "category": "Defender para nuvem", + "guid": "bdddea8a-487c-4deb-9861-bc3bc14aea6e", + "id": "A07.01", + "link": "https://learn.microsoft.com/azure/security-center/security-center-compliance-dashboard", + "severity": "Alto", + "subcategory": "Conformidade regulatória", + "text": "Os controles de conformidade são ecológicos para quaisquer requisitos de conformidade exigidos", + "waf": "Segurança" + }, + { + "category": "Defender para nuvem", + "description": "Práticas recomendadas operacionais do cliente - verificar", + "guid": "65e8d9a3-aec2-418e-9436-b0736db55f57", + "id": "A08.01", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/remediate-vulnerability-findings-vm", + "severity": "Alto", + "subcategory": "Azure Defender", + "text": "Vulnerabilidades de VM de alta gravidade são zero (vazias)", + "waf": "Segurança" + }, + { + "category": "Defender para nuvem", + "guid": "9603334b-df9c-4c23-918d-b61171265f4b", + "id": "A09.01", + "link": "https://techcommunity.microsoft.com/t5/azure-network-security/azure-firewall-manager-is-now-integrated-with-azure-security/ba-p/2228679", + "severity": "Média", + "subcategory": "Gerenciador de Firewall", + "text": "Os hubs são 
protegidos por um Firewall do Azure", + "waf": "Segurança" + }, + { + "category": "Defender para nuvem", + "description": "Práticas recomendadas operacionais do cliente - verificar", + "guid": "b47a393a-0803-4272-a479-8b1578a219a4", + "id": "A09.02", + "link": "https://learn.microsoft.com/azure/security/fundamentals/network-best-practices", + "severity": "Média", + "subcategory": "Gerenciador de Firewall", + "text": "As Redes Virtuais são protegidas por um Firewall", + "waf": "Segurança" + }, + { + "category": "Defender para nuvem", + "guid": "6ceb5443-5025-4922-9442-92bb628537a5", + "id": "A09.03", + "link": "https://azure.microsoft.com/blog/how-azure-security-center-detects-ddos-attack-using-cyber-threat-intelligence/", + "severity": "Média", + "subcategory": "Gerenciador de Firewall", + "text": "DDoS Standard ativado", + "waf": "Segurança" + }, + { + "category": "Defender para nuvem", + "guid": "5119bf8e-8f58-4542-a7d9-cdc166cd072a", + "id": "A10.01", + "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started?WT.mc_id=Portal-Microsoft_Azure_Security", + "severity": "Alto", + "subcategory": "Cobertura", + "text": "Verifique se todas as assinaturas estão cobertas (consulte preços e configurações para modificar)", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "4df585ec-dce9-4793-a7bc-db3b51eb2eb0", + "id": "B01.01", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses", + "severity": "Alto", + "subcategory": "IPs públicos", + "text": "VMs com IPs públicos devem ser protegidas pelo NSG ", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "description": "Práticas recomendadas operacionais do cliente - verificar", + "guid": "3dda6e59-d7c8-4a2e-bb11-7d6769af669c", + "id": "B01.02", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses", + "severity": "Alto", + "subcategory": "IPs públicos", + "text": "As VMs com IPs públicos 
são movidas para trás do Firewall Premium do Azure", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "description": "Práticas recomendadas operacionais do cliente - verificar", + "guid": "a48e5a85-f222-43ec-b8bb-12308ca5017f", + "id": "B01.03", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", + "severity": "Alto", + "subcategory": "IPs públicos", + "text": "VMs que não precisam de IPs públicos não têm IPs públicos (ou seja, somente RDP interno)", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "158e3ea3-a93c-42de-9e31-65c3a87a04b7", + "id": "B02.01", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview", + "severity": "Média", + "subcategory": "NSG", + "text": "O NSG RBAC é usado para restringir o acesso à equipe de segurança de rede", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "description": "Práticas recomendadas operacionais do cliente - verificar", + "guid": "a209939b-da47-4778-b24c-116785c2fa55", + "id": "B02.02", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview", + "severity": "Alto", + "subcategory": "NSG", + "text": "As regras de segurança de entrada do NSG não contêm um * (curinga) no campo Origem", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "description": "Práticas recomendadas operacionais do cliente - verificar", + "guid": "b56a9480-08be-47d7-b4c4-76b6d8bdcf59", + "id": "B02.03", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview", + "severity": "Média", + "subcategory": "NSG", + "text": "As regras de segurança de saída do NSG são usadas para controlar o tráfego para endereços IP específicos para o tráfego não roteado por meio de um Firewall", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "description": "Práticas recomendadas operacionais do cliente - verificar", + "guid": 
"bce65de8-a13f-4988-9946-8d66a786d60f", + "id": "B02.04", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview", + "severity": "Alto", + "subcategory": "NSG", + "text": "O NSG não tem Source como um * (curinga) no lugar.", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "a6c97be9-955d-404c-9c49-c986cb2d1215", + "id": "B02.05", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-nsg-manage-log", + "severity": "Média", + "subcategory": "NSG", + "text": "O NSG Diagnostics envia o tráfego NetworkSecurityGroupEvent e NetworkSecurityGroupRuleCounter para o Sentinel LAW", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "aa124b6e-4df5-485e-adce-9793b7bcdb3b", + "id": "B03.01", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "severity": "Média", + "subcategory": "UDR", + "text": "O UDR RBAC é usado para restringir o acesso à equipe de segurança de rede", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "51eb2eb0-3dda-46e5-ad7c-8a2edb117d67", + "id": "B03.02", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "severity": "Alto", + "subcategory": "UDR", + "text": "Se Zero Trust, os UDRs serão usados para enviar todo o tráfego para o Firewall do Azure Premium", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "description": "Práticas recomendadas operacionais do cliente - verificar", + "guid": "69af669c-a48e-45a8-9f22-23ece8bb1230", + "id": "B03.03", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "severity": "Média", + "subcategory": "UDR", + "text": "Os UDRs que não enviam todo o tráfego para o AzureFirewallPremium são conhecidos e documentados.", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "8ca5017f-158e-43ea-9a93-c2de7e3165c3", + "id": "B04.01", + "link": 
"https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview#default", + "severity": "Alto", + "subcategory": "Redes Virtuais", + "text": "O cliente está familiarizado com os padrões de rede do Azure / roteamento padrão SDN no Azure", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "description": "Práticas recomendadas operacionais do cliente - verificar", + "guid": "a87a04b7-a209-4939-ada4-7778f24c1167", + "id": "B04.02", + "link": "https://github.com/MicrosoftDocs/azure-docs/issues/53672", + "severity": "Média", + "subcategory": "Redes Virtuais", + "text": "VNet RBAC é usado para restringir o acesso à equipe de segurança de rede", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "85c2fa55-b56a-4948-808b-e7d7e4c476b6", + "id": "B04.03", + "link": "https://learn.microsoft.com/azure/virtual-network/policy-reference", + "severity": "Alto", + "subcategory": "Redes Virtuais", + "text": "As recomendações de segurança da rede virtual são corrigidas e não há redes virtuais \"em risco\" ", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "d8bdcf59-bce6-45de-aa13-f98879468d66", + "id": "B04.04", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", + "severity": "Alto", + "subcategory": "Redes Virtuais", + "text": "As conexões de emparelhamento de rede virtual são compreendidas e os fluxos de tráfego esperados são documentados", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "a786d60f-a6c9-47be-a955-d04c3c49c986", + "id": "B04.05", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", + "severity": "Alto", + "subcategory": "Redes Virtuais", + "text": "Os pontos de extremidade de serviço VNet estão em uso, não existem pontos de extremidade de serviço público herdados", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "1f625659-ee55-480a-9824-9c931213dbd7", + 
"id": "B04.06", + "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", + "severity": "Alto", + "subcategory": "Redes Virtuais", + "text": "Os pontos de extremidade privados da rede virtual estão em uso para permitir o acesso de ambientes locais, não existem pontos de extremidade públicos herdados", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "fb012f70-943f-4630-9722-ea39d2b1ce63", + "id": "B04.07", + "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network", + "severity": "Alto", + "subcategory": "Redes Virtuais", + "text": "Monitoramento de rede virtual habilitado", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "2055b29b-ade4-4aad-8e8c-39ec94666731", + "id": "B04.08", + "link": "https://learn.microsoft.com/azure/virtual-network/kubernetes-network-policies", + "severity": "Alto", + "subcategory": "Redes Virtuais", + "text": "Tráfego seguro entre pods usando políticas de rede no Serviço de Kubernetes do Azure (AKS)", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "3c005674-c1e9-445b-959c-373e7ed71623", + "id": "B04.09", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-scenario-udr-gw-nva", + "severity": "Alto", + "subcategory": "Redes Virtuais", + "text": "O cliente VNet NVA (appliances) segue o padrão de arquitetura publicado", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "b375a917-ecbe-448f-ae64-dd7df2e8bbbc", + "id": "B04.10", + "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network", + "severity": "Alto", + "subcategory": "Redes Virtuais", + "text": "As configurações de Diagnóstico de Rede Virtual estão habilitadas e enviando VMProtectionAlerts para a LEI do Azure Sentinel", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "468155ab-c916-44e9-a09a-ed8c44cf3b2b", + "id": "B05.01", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "severity": "Alto", + "subcategory": "Conectividade", + "text": "Usar a Rota Expressa ou VPN para acessar recursos do Azure de ambientes locais", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "bd8ac2aa-ebca-42a4-9da1-dbf3dd992481", + "id": "B06.01", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "severity": "Alto", + "subcategory": "Virtual WAN", + "text": "VWAN RBAC é usado para restringir o acesso à equipe de segurança de rede", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "718d1dca-1f62-4565-aee5-580a38249c93", + "id": "B06.02", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-global-transit-network-architecture", + "severity": "Alto", + "subcategory": "Virtual WAN", + "text": "O Cliente VWAN está usando o Secure Hub ou o Firewall externo para rotear e monitorar o tráfego.", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "1213dbd7-fb01-42f7-8943-f6304722ea39", + "id": "B07.01", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", + "severity": "Alto", + "subcategory": "Gateway de aplicativo", + "text": "O AppGW RBAC é usado para restringir o acesso à equipe de segurança de rede", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "d2b1ce63-2055-4b29-aade-4aad1e8c39ec", + "id": "B07.02", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip", + "severity": "Alto", + "subcategory": "Gateway de aplicativo", + "text": "AppGW Todos os serviços Web externos estão atrás de gateways de aplicativos com WAF habilitado ", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "94666731-3c00-4567-9c1e-945b459c373e", + "id": "B07.03", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip", + 
"severity": "Alto", + "subcategory": "Gateway de aplicativo", + "text": "AppGW Todos os serviços Web internos estão atrás de gateways de aplicativos com WAF habilitado ", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "7ed71623-b375-4a91-9ecb-e48fbe64dd7d", + "id": "B07.04", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", + "severity": "Alto", + "subcategory": "Gateway de aplicativo", + "text": "AppGW - Externo tem TLS/SSL habilitado e redireciona todo o tráfego para 443 (sem tráfego da porta 80)", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "f2e8bbbc-4681-455a-ac91-64e9909aed8c", + "id": "B08.01", + "link": "https://learn.microsoft.com/azure/frontdoor/", + "severity": "Alto", + "subcategory": "Porta de entrada", + "text": "O RBAC Front Door é usado para restringir o acesso à equipe de segurança de rede", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "44cf3b2b-3818-4baf-a2cf-2149d013a923", + "id": "B08.02", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/front-door-security-baseline?toc=/azure/frontdoor/TOC.json", + "severity": "Alto", + "subcategory": "Porta de entrada", + "text": "Front Door está associado a uma política de WAF", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "ce574dcc-bd8a-4c2a-aebc-a2a44da1dbf3", + "id": "B08.03", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-custom-domain-https", + "severity": "Alto", + "subcategory": "Porta de entrada", + "text": "A política TLS/SSL da porta da frente está configurada", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "dd992481-718d-41dc-a1f6-25659ee5580a", + "id": "B08.04", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-url-redirect", + "severity": "Alto", + "subcategory": "Porta de entrada", + "text": "A porta de redirecionamento da porta frontal 80 para a porta 443 está configurada 
(ouvintes)", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "38249c93-1213-4dbd-9fb0-12f70943f630", + "id": "B08.05", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-diagnostics", + "severity": "Alto", + "subcategory": "Porta de entrada", + "text": "Os logs de diagnóstico do Front Door enviam ApplicationGatewayAccessLog &ApplicationGateway FirewallLog para o Sentinel LAW", + "waf": "Segurança" + }, + { + "category": "Rede do Azure", + "guid": "4722ea39-d2b1-4ce6-9205-5b29bade4aad", + "id": "B09.01", + "link": "https://learn.microsoft.com/azure/security/fundamentals/ddos-best-practices", + "severity": "Alto", + "subcategory": "Proteção DDOS", + "text": "Habilitado para IPs públicos do Firewall (todos os IPs públicos)", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "346ad56f-bdb8-44db-8bcd-0a689af63f1e", + "id": "C01.01", + "link": "https://learn.microsoft.com/security/compass/identity#a-single-enterprise-directory", + "severity": "Alto", + "subcategory": "Inquilino", + "text": "Estabeleça um único diretório corporativo para gerenciar identidades de funcionários em tempo integral e recursos da empresa.", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "a46108cd-6a76-4749-ae69-b7bf61410010", + "id": "C01.02", + "link": "https://learn.microsoft.com/security/compass/identity#synchronized-identity-systems", + "severity": "Alto", + "subcategory": "Inquilino", + "text": "Sincronize sua identidade de nuvem com seus sistemas de identidade existentes.", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "a1ab96ceb-c149-4ce2-bcad-3bd375ebfc7f", + "id": "C01.03", + "link": "https://learn.microsoft.com/security/compass/identity#cloud-provider-identity-source-for-third-parties", + "severity": "Alto", + "subcategory": "Inquilino", + "text": "Use os serviços de identidade na nuvem para hospedar contas de não funcionários, como fornecedores, parceiros e clientes, em vez de incluí-las 
em seu diretório local.", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "343473ec-ed5c-49e1-98f4-cb09524a23cd", + "id": "C01.04", + "link": "https://learn.microsoft.com/security/compass/identity#block-legacy-authentication", + "severity": "Alto", + "subcategory": "Inquilino", + "text": "Desative protocolos legados inseguros para serviços voltados para a Internet.", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "70dceb23-50c7-4d8d-bf53-8cc104c7dc44", + "id": "C01.05", + "link": "https://learn.microsoft.com/azure/security/fundamentals/identity-management-best-practices#enable-single-sign-on", + "severity": "Alto", + "subcategory": "Inquilino", + "text": "Habilitar logon único", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "87791be1-1eb0-48ed-8003-ad9bcf241b99", + "id": "C02.01", + "link": "https://learn.microsoft.com/security/compass/identity#no-on-premises-admin-accounts-in-cloud-identity-providers", + "severity": "Alto", + "subcategory": "Administração privilegiada", + "text": "Não sincronize contas com o acesso de privilégios mais altos a recursos locais enquanto sincroniza seus sistemas de identidade corporativos com diretórios de nuvem.", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "9e6efe9d-f28f-463b-9bff-b5080173e9fe", + "id": "C02.02", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#5-limit-the-number-of-global-administrators-to-less-than-5", + "severity": "Alto", + "subcategory": "Administração privilegiada", + "text": "Limitar o número de administradores globais a menos de 5", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "e0d968d3-87f6-41fb-a4f9-d852f1673f4c", + "id": "C02.03", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#6-use-groups-for-azure-ad-role-assignments-and-delegate-the-role-assignment", + "severity": "Alto", + "subcategory": "Administração privilegiada", + 
"text": "Usar grupos para atribuições de função do Azure AD e delegar a atribuição de função", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "00350863-4df6-4050-9cf1-cbaa6d58283e", + "id": "C02.04", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#managed-accounts-for-admins", + "severity": "Alto", + "subcategory": "Administração privilegiada", + "text": "Certifique-se de que todos os administradores de impacto crítico sejam gerenciados pelo diretório corporativo para seguir a imposição da política organizacional.", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "eae64d01-0d3a-4ae1-a89d-cc1c2ad3888f", + "id": "C02.05", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#4-configure-recurring-access-reviews-to-revoke-unneeded-permissions-over-time", + "severity": "Alto", + "subcategory": "Administração privilegiada", + "text": "Configurar revisões de acesso recorrentes para revogar permissões desnecessárias ao longo do tempo", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "922ac19f-916d-4697-b8ea-ded26bdd186f", + "id": "C02.06", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#admin-workstation-security", + "severity": "Média", + "subcategory": "Administração privilegiada", + "text": "Garantir que os administradores de impacto crítico usem uma estação de trabalho com proteções de segurança e monitoramento elevados", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "1e8c39ec-9466-4673-83c0-05674c1e945b", + "id": "C03.01", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/compare-with-b2c", + "severity": "Alto", + "subcategory": "Identidades externas", + "text": "Provedores de identidade: verifique se os provedores de identidade externos são conhecidos", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": 
"459c373e-7ed7-4162-9b37-5a917ecbe48f", + "id": "C03.02", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations", + "severity": "Alto", + "subcategory": "Identidades externas", + "text": "Configurações de colaboração externa: acesso de usuário convidado definido como \"O acesso de usuário convidado é restrito?\"", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "be64dd7d-f2e8-4bbb-a468-155abc9164e9", + "id": "C03.03", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations", + "severity": "Alto", + "subcategory": "Identidades externas", + "text": "Configurações de colaboração externa: configurações de convite de convidado definidas como \"Somente usuários atribuídos a funções de administrador específicas\"", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "909aed8c-44cf-43b2-a381-8bafa2cf2149", + "id": "C03.04", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations", + "severity": "Alto", + "subcategory": "Identidades externas", + "text": "Configurações de colaboração externa: habilite a inscrição de autoatendimento de convidado por meio de fluxos definidos como 'Desabilitado' ", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "d013a923-ce57-44dc-abd8-ac2aaebca2a4", + "id": "C03.05", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations", + "severity": "Alto", + "subcategory": "Identidades externas", + "text": "Configurações de colaboração externa: restrições de colaboração definidas como 'Permitir convites para os domínios especificados'", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "4da1dbf3-dd99-4248-8718-d1dca1f62565", + "id": "C03.06", + "link": "https://learn.microsoft.com/azure/active-directory/governance/deploy-access-reviews", + "severity": "Média", + "subcategory": "Identidades 
externas", + "text": "Revisões de acesso: habilitado para todos os grupos", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "9ee5580a-3824-49c9-9121-3dbd7fb012f7", + "id": "C04.01", + "link": "https://learn.microsoft.com/azure/active-directory/manage-apps/configure-user-consent", + "severity": "Média", + "subcategory": "Aplicativos Corporativos", + "text": "Permissões de consentimento e emissão: permitir o consentimento do usuário para aplicativos de editores verificados", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "0943f630-4722-4ea3-ad2b-1ce632055b29", + "id": "C04.02", + "link": "https://learn.microsoft.com/azure/active-directory/manage-apps/configure-user-consent-groups", + "severity": "Média", + "subcategory": "Aplicativos Corporativos", + "text": "Consentimento & Permissões: Permitir o consentimento do proprietário do grupo para proprietários de grupo selecionados ", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "bade4aad-1e8c-439e-a946-667313c00567", + "id": "C05.01", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy-configure-custom-domain", + "severity": "Alto", + "subcategory": "Domínios personalizados", + "text": "Somente domínios de clientes validados são registrados", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "4c1e945b-459c-4373-b7ed-71623b375a91", + "id": "C06.01", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-sspr", + "severity": "Alto", + "subcategory": "Redefinição de senha", + "text": "Requisito de política de redefinição de senha de autoatendimento verificado em conformidade.", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "7ecbe48f-be64-4dd7-bf2e-8bbbc468155a", + "id": "C06.02", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/howto-sspr-deployment", + "severity": "Média", + "subcategory": "Redefinição de senha", + 
"text": "Definir o número de dias antes que os usuários sejam solicitados a confirmar novamente as informações de autenticação não está definido como zero", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "bc9164e9-909a-4ed8-a44c-f3b2b3818baf", + "id": "C06.03", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/howto-sspr-deployment", + "severity": "Alto", + "subcategory": "Redefinição de senha", + "text": "Definir o número de métodos necessários para redefinir a senha está selecionado", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "a2cf2149-d013-4a92-9ce5-74dccbd8ac2a", + "id": "C07.01", + "link": "https://learn.microsoft.com/azure/active-directory/roles/delegate-app-roles", + "severity": "Alto", + "subcategory": "Configuração do usuário", + "text": "Desativar 'Os usuários podem registrar aplicativos'", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "aebca2a4-4da1-4dbf-9dd9-92481718d1dc", + "id": "C07.02", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/users-default-permissions", + "severity": "Alto", + "subcategory": "Configuração do usuário", + "text": "Restringir o acesso ao Portal Administrativo (portal.azure.com) apenas aos administradores", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "a1f62565-9ee5-4580-a382-49c931213dbd", + "id": "C07.03", + "link": "https://learn.microsoft.com/azure/active-directory/enterprise-users/linkedin-integration", + "severity": "Alto", + "subcategory": "Configuração do usuário", + "text": "Desativar a \"conexão da conta do LinkedIn\"", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "7fb012f7-0943-4f63-8472-2ea39d2b1ce6", + "id": "C08.01", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-monitoring", + "severity": "Alto", + "subcategory": "Configurações de diagnóstico", + "text": "Habilitado e enviado para o espaço de trabalho do 
Log Analytics com o Sentinel", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "21e44a19-a9dd-4399-afd7-b28dc8355562", + "id": "C09.01", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-deployment-plan", + "severity": "Alto", + "subcategory": "PIM habilitado", + "text": "Gerenciamento de Identidades Privilegiado habilitado", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "46f4389a-7f42-4c78-b78c-06a63a21a495", + "id": "C09.02", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-usage?tabs=jit-config-asc%2Cjit-request-asc", + "severity": "Alto", + "subcategory": "PIM habilitado", + "text": "Implementar o acesso \"just in time\" (JIT) para reduzir ainda mais o tempo de exposição para contas privilegiadas (reduzir o acesso permanente)", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "6e6a8dc4-a20e-427b-9e29-711b1352beee", + "id": "C10.01", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policy-common", + "severity": "Alto", + "subcategory": "Políticas de acesso condicional", + "text": "Configurar políticas de acesso condicional / Controles de acesso", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "079b588d-efc4-4972-ac3c-d21bf77036e5", + "id": "C10.02", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/location-condition", + "severity": "Média", + "subcategory": "Políticas de acesso condicional", + "text": "Condições: Locais Restritos", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "e6b4bed3-d5f3-4547-a134-7dc56028a71f", + "id": "C10.03", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa", + "severity": "Alto", + "subcategory": "Políticas de acesso condicional", + "text": "Controles de acesso: MFA habilitado para todos os usuários", + "waf": 
"Segurança" + }, + { + "category": "Identidade", + "guid": "fe1bd15d-d2f0-4d5e-972d-41e3611cc57b", + "id": "C10.04", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa", + "severity": "Média", + "subcategory": "Políticas de acesso condicional", + "text": "Controles de acesso: exigir MFA para administradores", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "4a4b1410-d439-4589-ac22-89b3d6b57cfc", + "id": "C10.05", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-azure-management", + "severity": "Alto", + "subcategory": "Políticas de acesso condicional", + "text": "Controles de acesso: exigir MFA para o Gerenciamento do Azure ", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "645461e1-a3e3-4453-a3c8-639637a552d6", + "id": "C10.06", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy", + "severity": "Alto", + "subcategory": "Políticas de acesso condicional", + "text": "Controles de acesso: Bloquear protocolos herdados", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "7ae9eab4-0fd3-4290-998b-c178bdc5a06c", + "id": "C10.07", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/require-managed-devices", + "severity": "Alto", + "subcategory": "Políticas de acesso condicional", + "text": "Controles de acesso: exigem que os dispositivos sejam marcados como compatíveis", + "waf": "Segurança" + }, + { + "category": "Identidade", + "description": "Política documentada pelo cliente", + "guid": "a7144351-e19d-4d34-929e-b7228137a151", + "id": "C11.01", + "link": "https://devblogs.microsoft.com/premier-developer/azure-active-directory-automating-guest-user-management/", + "severity": "Média", + "subcategory": "Usuários convidados", + "text": "Existe uma política para rastrear contas de 
usuário convidado (ou seja, uso/exclusão/desabilitação)?", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "c5bb4e4f-1814-4287-b5ca-8c26c9b32ab5", + "id": "C12.01", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/identity-secure-score", + "severity": "Alto", + "subcategory": "Pontuação segura de identidade", + "text": "Implemente o Identity Secure Score com base nas melhores práticas do seu setor", + "waf": "Segurança" + }, + { + "category": "Identidade", + "guid": "bcfc6998-a135-4e33-9897-e31c67d68cb6", + "id": "C13.01", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + "severity": "Média", + "subcategory": "Contas Break Glass", + "text": "Pelo menos duas contas de quebra de vidro foram criadas e existe uma política em torno de seu uso", + "waf": "Segurança" + }, + { + "category": "Verificações de segurança da VM", + "guid": "0ac252b9-99a6-48af-a7c9-a8f821b8eb8c", + "id": "D01.01", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "severity": "Alto", + "subcategory": "Controle de acesso", + "text": "Controlar o acesso à VM aproveitando a Política do Azure", + "waf": "Segurança" + }, + { + "category": "Verificações de segurança da VM", + "guid": "0aa77e26-e4d5-4aea-a8dc-4e2436bc336d", + "id": "D01.02", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/templates/syntax", + "severity": "Média", + "subcategory": "Controle de acesso", + "text": "Reduza a variabilidade na configuração e implantação de VMs aproveitando modelos", + "waf": "Segurança" + }, + { + "category": "Verificações de segurança da VM", + "guid": "b5945bda-4333-44fd-b91c-234182b65275", + "id": "D01.03", + "link": "https://learn.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models", + "severity": "Média", + "subcategory": "Controle de acesso", + "text": "Proteja o acesso privilegiado para 
implantar o VMS, reduzindo quem tem acesso aos recursos por meio da governança", + "waf": "Segurança" + }, + { + "category": "Verificações de segurança da VM", + "guid": "269440b4-be3d-43e0-a432-76d4bdc015bc", + "id": "D02.01", + "link": "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service", + "severity": "Média", + "subcategory": "Alta Disponibilidade ", + "text": "Use várias VMs para suas cargas de trabalho para melhor disponibilidade ", + "waf": "Fiabilidade" + }, + { + "category": "Verificações de segurança da VM", + "guid": "f219e4a1-eb58-4879-935d-227886d30b66", + "id": "D02.02", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-first-look-arm", + "severity": "Média", + "subcategory": "Alta Disponibilidade ", + "text": "Implantar e testar uma solução de recuperação de desastres ", + "waf": "Fiabilidade" + }, + { + "category": "Verificações de segurança da VM", + "guid": "c57be595-1900-4838-95c5-86cb291ec16a", + "id": "D02.03", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "severity": "Média", + "subcategory": "Alta Disponibilidade ", + "text": "Conjuntos de disponibilidade", + "waf": "Fiabilidade" + }, + { + "category": "Verificações de segurança da VM", + "guid": "1d076ef9-f141-4acd-ae57-9377bcdb3751", + "id": "D02.04", + "link": "https://learn.microsoft.com/azure/availability-zones/az-overview?context=/azure/virtual-machines/context/context", + "severity": "Média", + "subcategory": "Alta Disponibilidade ", + "text": "Zonas de disponibilidade", + "waf": "Fiabilidade" + }, + { + "category": "Verificações de segurança da VM", + "guid": "ab2ac1fa-d66e-415d-9d5a-2adb2c3e2326", + "id": "D02.05", + "link": "https://learn.microsoft.com/azure/architecture/resiliency/recovery-loss-azure-region", + "severity": "Média", + "subcategory": "Alta Disponibilidade ", + "text": "Tolerância a falhas regionais ", + "waf": "Fiabilidade" + }, + { + "category": "Verificações de segurança 
da VM", + "guid": "af225ca4-4e16-496f-bdde-ace4cb1deb4c", + "id": "D03.01", + "link": "https://learn.microsoft.com/azure/security/fundamentals/antimalware", + "severity": "Alto", + "subcategory": "Proteja-se contra malware", + "text": "Instalar soluções antimalware", + "waf": "Segurança" + }, + { + "category": "Verificações de segurança da VM", + "guid": "650c3fc1-4eeb-4b36-a382-9e3eec218368", + "id": "D03.02", + "link": "https://learn.microsoft.com/azure/security-center/security-center-partner-integration", + "severity": "Alto", + "subcategory": "Proteja-se contra malware", + "text": "Integre a solução antimalware com a Central de Segurança", + "waf": "Segurança" + }, + { + "category": "Verificações de segurança da VM", + "guid": "7a0177a2-b594-45bd-a433-34fdf91c2341", + "id": "D04.01", + "link": "https://learn.microsoft.com/azure/automation/update-management/overview", + "severity": "Alto", + "subcategory": "Gerenciar atualizações de VM", + "text": "Mantenha as VMs atualizadas usando o Gerenciamento de Atualizações com a Automação do Azure", + "waf": "Segurança" + }, + { + "category": "Verificações de segurança da VM", + "guid": "c6fa96b9-6ad8-4840-af37-2734c876ba28", + "id": "D04.02", + "link": "https://learn.microsoft.com/azure/virtual-machines/automatic-vm-guest-patching", + "severity": "Média", + "subcategory": "Gerenciar atualizações de VM", + "text": "Garantir que as imagens do Windows para implantação tenham o nível mais recente de atualizações ", + "waf": "Segurança" + }, + { + "category": "Verificações de segurança da VM", + "guid": "02145901-465d-438e-9309-ccbd979266bc", + "id": "D04.03", + "link": "https://learn.microsoft.com/azure/security-center/asset-inventory", + "severity": "Alto", + "subcategory": "Gerenciar atualizações de VM", + "text": "Aplique rapidamente atualizações de segurança a VMs usando o Microsoft Defender for Cloud", + "waf": "Segurança" + }, + { + "category": "Verificações de segurança da VM", + "guid": 
"ca274faa-19bf-439d-a5d4-4c7c8919ca1f", + "id": "D05.01", + "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview", + "severity": "Alto", + "subcategory": "Criptografar seus VHDs", + "text": "Habilitar a criptografia em suas VMs", + "waf": "Segurança" + }, + { + "category": "Verificações de segurança da VM", + "guid": "6d5315ae-524b-4a34-b458-5e12139bd7bb", + "id": "D05.02", + "link": "https://learn.microsoft.com/azure/virtual-machines/windows/disk-encryption-key-vault#set-up-a-key-encryption-key-kek", + "severity": "Alto", + "subcategory": "Criptografar seus VHDs", + "text": "Adicionar chave de criptografia (KEK) para camada adicional de segurança para criptografia ", + "waf": "Segurança" + }, + { + "category": "Verificações de segurança da VM", + "guid": "012f7b95-e06e-4154-b2aa-3592828e6e20", + "id": "D05.03", + "link": "https://learn.microsoft.com/azure/virtual-machines/windows/snapshot-copy-managed-disk", + "severity": "Média", + "subcategory": "Criptografar seus VHDs", + "text": "Fazer um instantâneo dos discos antes da criptografia para fins de reversão", + "waf": "Segurança" + }, + { + "category": "Verificações de segurança da VM", + "guid": "5173676a-e466-491e-a835-ad942223e138", + "id": "D06.01", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "severity": "Alto", + "subcategory": "Restringir a conexão direta com a Internet ", + "text": "Verifique se apenas o grupo de rede central tem permissões para recursos de rede ", + "waf": "Segurança" + }, + { + "category": "Verificações de segurança da VM", + "guid": "10523081-a941-4741-9833-ff7ad7c6d373", + "id": "D06.02", + "link": "https://learn.microsoft.com/azure/security-center/security-center-partner-integration", + "severity": "Alto", + "subcategory": "Restringir a conexão direta com a Internet ", + "text": "Identidade e correção de VMs expostas que permitem o acesso a partir de 'QUALQUER' endereço IP de origem", + "waf": "Segurança" + 
}, + { + "category": "Verificações de segurança da VM", + "guid": "75a91be1-f388-4f03-a4d2-cd463cbbbc86", + "id": "D06.03", + "link": "https://learn.microsoft.com/azure/security-center/security-center-just-in-time", + "severity": "Alto", + "subcategory": "Restringir a conexão direta com a Internet ", + "text": "Restringir portas de gerenciamento (RDP, SSH) usando o Acesso Just-in-Time", + "waf": "Segurança" + }, + { + "category": "Verificações de segurança da VM", + "guid": "8295abc9-1a4e-4da0-bae2-cc84c47b6b78", + "id": "D06.04", + "link": "http://learn.microsoft.com/answers/questions/171195/how-to-create-jump-server-in-azure-not-bastion-paa.html", + "severity": "Alto", + "subcategory": "Restringir a conexão direta com a Internet ", + "text": "Remover o acesso à Internet e implementar servidores de salto para RDP", + "waf": "Segurança" + }, + { + "category": "Verificações de segurança da VM", + "guid": "1cbafe6c-4658-49d4-98a9-27c3974d1102", + "id": "D06.05", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-forced-tunneling", + "severity": "Alto", + "subcategory": "Restringir a conexão direta com a Internet ", + "text": "Remova o login direto em servidores usando RDP/SSH da Internet e implemente VPN ou rota expressa", + "waf": "Segurança" + }, + { + "category": "Verificações de segurança da VM", + "guid": "dad6aae1-1e6b-484e-b5df-47d2d92881b1", + "id": "D06.06", + "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", + "severity": "Alto", + "subcategory": "Restringir a conexão direta com a Internet ", + "text": "Aproveite o Azure Bastion como seu agente RDP/SSH para maior segurança e redução do espaço ocupado", + "waf": "Segurança" + }, + { + "category": "Sentinela", + "guid": "cd5d1e54-a297-459e-9968-0e78289c9356", + "id": "E01.01", + "link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard", + "severity": "Alto", + "subcategory": "Arquitetura ", + "text": "Todos os locatários contêm o Sentinel habilitado em 
pelo menos um espaço de trabalho do Log Analytics", + "waf": "Segurança" + }, + { + "category": "Sentinela", + "guid": "57d02bff-4564-4b0d-a34a-359836ee79d6", + "id": "E01.02", + "link": "https://learn.microsoft.com/azure/sentinel/best-practices-workspace-architecture", + "severity": "Alto", + "subcategory": "Arquitetura ", + "text": "O cliente entende a arquitetura do Sentinel", + "waf": "Segurança" + }, + { + "category": "Sentinela", + "guid": "e8f5c586-c7d9-4cdc-86ac-c075ef9b141a", + "id": "E01.03", + "link": "https://learn.microsoft.com/azure/sentinel/multiple-workspace-view", + "severity": "Média", + "subcategory": "Arquitetura ", + "text": "O cliente sabe como monitorar incidentes em várias instâncias do Sentinel", + "waf": "Segurança" + }, + { + "category": "Sentinela", + "guid": "8989579e-76b8-497e-910a-7da7be9966e1", + "id": "E02.01", + "link": "https://learn.microsoft.com/azure/sentinel/manage-soc-with-incident-metrics", + "severity": "Média", + "subcategory": "Visão geral", + "text": "Nenhum incidente aberto mais de 24 horas", + "waf": "Segurança" + }, + { + "category": "Sentinela", + "guid": "5d3c4ada-97cb-43d1-925a-b225c6f4e068", + "id": "E03.01", + "link": "https://learn.microsoft.com/azure/sentinel/whats-new", + "severity": "Baixo", + "subcategory": "Notícias & Guias", + "text": "O cliente mostrou a guia Notícias e Guias", + "waf": "Segurança" + }, + { + "category": "Sentinela", + "guid": "5edddea8-a4b7-4cde-a4c6-1fc3fc14eea6", + "id": "E04.01", + "link": "https://learn.microsoft.com/azure/sentinel/enable-entity-behavior-analytics", + "severity": "Média", + "subcategory": "UEBA ", + "text": "UEBA configurado (Sentinel/Configurações/Configurações/Configurar UEBA)", + "waf": "Segurança" + }, + { + "category": "Sentinela", + "guid": "e69d8d9a-3eec-4218-b687-ab077adb49e5", + "id": "E05.01", + "link": "https://learn.microsoft.com/azure/sentinel/connect-azure-active-directory", + "severity": "Alto", + "subcategory": "Conectores de dados", + "text": "O 
Azure Active Directory em configurado e 'Último Log Recebido' é exibido hoje", + "waf": "Segurança" + }, + { + "category": "Sentinela", + "guid": "b9603334-fdf8-4cc2-9318-db61171269f4", + "id": "E05.02", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-active-directory-identity-protection", + "severity": "Alto", + "subcategory": "Conectores de dados", + "text": "O Azure Active Directory Identity Protection está configurado e o 'Último Log Recebido' é exibido hoje", + "waf": "Segurança" + }, + { + "category": "Sentinela", + "guid": "0b4aa3d3-e070-4327-9d4b-98b15b8a219a", + "id": "E05.03", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-activity", + "severity": "Alto", + "subcategory": "Conectores de dados", + "text": "A Atividade do Azure está configurada, está configurada e o 'Último Log Recebido' é exibido hoje", + "waf": "Segurança" + }, + { + "category": "Sentinela", + "guid": "8e13f9cc-bd46-4826-9abc-a264f9a19bfe", + "id": "E05.04", + "link": "https://learn.microsoft.com/azure/sentinel/connect-defender-for-cloud", + "severity": "Alto", + "subcategory": "Conectores de dados", + "text": "O Microsoft Defender para nuvem está configurado e o 'Último log recebido' é exibido hoje", + "waf": "Segurança" + }, + { + "category": "Sentinela", + "guid": "9d55d04c-3c49-419c-a1b2-d1215ae114b9", + "id": "E05.05", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-firewall", + "severity": "Alto", + "subcategory": "Conectores de dados", + "text": "O Firewall do Azure está configurado e o 'Último Log Recebido' é exibido hoje", + "waf": "Segurança" + }, + { + "category": "Sentinela", + "guid": "34df585e-cccd-49bd-9ba0-cdb3b54eb2eb", + "id": "E05.06", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#windows-firewall", + "severity": "Alto", + "subcategory": "Conectores de dados", + "text": "O Firewall do Windows está configurado e o 'Último 
Log Recebido' é exibido hoje", + "waf": "Segurança" + }, + { + "category": "Sentinela", + "guid": "03ddaa25-9271-48d2-bdb1-0725769ef669", + "id": "E05.07", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#windows-security-events-via-ama", + "severity": "Alto", + "subcategory": "Conectores de dados", + "text": "Eventos de segurança é configurado com AMA e 'Último log recebido' é exibido hoje", + "waf": "Segurança" + }, + { + "category": "Sentinela", + "guid": "1a4834ac-9322-423e-ae80-b123081a5417", + "id": "E05.08", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference", + "severity": "Alto", + "subcategory": "Conectores de dados", + "text": "Eventos de segurança - verifique se os computadores do Azure estão conectados e enviando dados para o espaço de trabalho", + "waf": "Segurança" + }, + { + "category": "Sentinela", + "guid": "859c773e-7e26-4162-9b77-5a917e1f348e", + "id": "E05.09", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference", + "severity": "Alto", + "subcategory": "Conectores de dados", + "text": "Eventos de segurança - verifique se os computadores que não são do Azure estão conectados e enviando dados para o espaço de trabalho", + "waf": "Segurança" + }, + { + "category": "Sentinela", + "guid": "f354c27d-42e8-4bba-a868-155abb9163e9", + "id": "E05.10", + "link": "https://learn.microsoft.com/azure/sentinel/connect-aws?tabs=s3", + "severity": "Alto", + "subcategory": "Conectores de dados", + "text": "Conector para AWS", + "waf": "Segurança" + }, + { + "category": "Sentinela", + "guid": "909ae28c-84c3-43b6-a780-8bafe6c42149", + "id": "E05.11", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference", + "severity": "Alto", + "subcategory": "Conectores de dados", + "text": "Conector para GCP", + "waf": "Segurança" + }, + { + "category": "Sentinela", + "guid": "d413a923-c357-44d1-8028-ac6aae01e6a8", + "id": "E06.01", + "link": 
"https://learn.microsoft.com/azure/sentinel/detect-threats-built-in", + "severity": "Alto", + "subcategory": "Regras do Google Analytics", + "text": "O cliente habilitou as regras do Google Analytics e configurou os Incidentes ", + "waf": "Segurança" + }, + { + "category": "Sentinela", + "guid": "4de5df43-d299-4248-8718-d5d1e5f62565", + "id": "E07.01", + "link": "https://azure.microsoft.com/updates/controlling-data-volume-and-retention-in-log-analytics-2/", + "severity": "Média", + "subcategory": "Configurações", + "text": "O cliente não tem um limite diário habilitado", + "waf": "Segurança" + }, + { + "category": "Azure Firewall", + "guid": "9e3558fd-7724-49c9-9111-2d027fe412f7", + "id": "F01.01", + "link": "https://learn.microsoft.com/azure/firewall/premium-features", + "severity": "Alto", + "subcategory": "Configuração", + "text": "Azure Firewall Premium implantado", + "waf": "Segurança" + }, + { + "category": "Azure Firewall", + "guid": "4dc74a74-8b66-433a-b2a0-916a764980ad", + "id": "F01.02", + "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal#create-a-default-route", + "severity": "Alto", + "subcategory": "Configuração", + "text": "Ajuste quádruplo de zero/força habilitado por meio do Firewall do Azure", + "waf": "Segurança" + }, + { + "category": "Azure Firewall", + "guid": "0e278ee2-93c1-4bc3-92ba-aab7571849ab", + "id": "F02.01", + "link": "https://techcommunity.microsoft.com/t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598", + "severity": "Média", + "subcategory": "Controle de acesso", + "text": "RBAC definido para habilitar apenas usuários autorizados", + "waf": "Segurança" + }, + { + "category": "Azure Firewall", + "guid": "8093dc9f-c9d1-4bb7-9b36-a5a67fbb9ed5", + "id": "F03.01", + "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", + "severity": "Média", + "subcategory": "Configurações de diagnóstico", + "text": "Diagnóstico habilitado e envio de métricas para um 
espaço de trabalho do Log Analytics ", + "waf": "Segurança" + }, + { + "category": "Azure Firewall", + "guid": "b35478c3-4798-416b-8863-cffe1cac599e", + "id": "F04.01", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "severity": "Alto", + "subcategory": "Gerenciador de Firewall", + "text": "Hubs e redes virtuais são protegidos ou conectados por meio do Firewall Premium", + "waf": "Segurança" + }, + { + "category": "Azure Firewall", + "guid": "f0d5a73d-d4de-436c-8c81-770afbc4c0e4", + "id": "F04.02", + "link": "https://techcommunity.microsoft.com/t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598", + "severity": "Alto", + "subcategory": "Gerenciador de Firewall", + "text": "Política: os controles de acesso estão configurados (RBAC)", + "waf": "Segurança" + }, + { + "category": "Azure Firewall", + "guid": "5c3a87af-4a79-41f8-a39b-da47768e14c1", + "id": "F04.03", + "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", + "severity": "Alto", + "subcategory": "Gerenciador de Firewall", + "text": "Política: a política pai está configurada ", + "waf": "Segurança" + }, + { + "category": "Azure Firewall", + "guid": "15675c1e-a55b-446a-a48f-f8ae7d7e4b47", + "id": "F04.04", + "link": "https://learn.microsoft.com/azure/firewall/rule-processing", + "severity": "Alto", + "subcategory": "Gerenciador de Firewall", + "text": "Política: as coleções de regras são definidas", + "waf": "Segurança" + }, + { + "category": "Azure Firewall", + "guid": "5b6c8bcb-f59b-4ce6-9de8-a03f97879468", + "id": "F04.05", + "link": "https://learn.microsoft.com/azure/firewall/rule-processing", + "severity": "Alto", + "subcategory": "Gerenciador de Firewall", + "text": "Política: as políticas do DNAT são definidas", + "waf": "Segurança" + }, + { + "category": "Azure Firewall", + "guid": "d66a786d-60e9-46c9-9ad8-855d04c2b39c", + "id": "F04.06", + "link": 
"https://learn.microsoft.com/azure/firewall/rule-processing", + "severity": "Alto", + "subcategory": "Gerenciador de Firewall", + "text": "Política: as regras de rede são definidas", + "waf": "Segurança" + }, + { + "category": "Azure Firewall", + "guid": "986bb2c1-2149-4a11-9b5e-3df574ecccd9", + "id": "F04.07", + "link": "https://learn.microsoft.com/azure/firewall/features", + "severity": "Alto", + "subcategory": "Gerenciador de Firewall", + "text": "Política: as regras do aplicativo são definidas", + "waf": "Segurança" + }, + { + "category": "Azure Firewall", + "guid": "793a6bcd-a3b5-40eb-8eb0-3dd95d58d7c8", + "id": "F04.08", + "link": "https://learn.microsoft.com/azure/firewall/dns-details", + "severity": "Média", + "subcategory": "Gerenciador de Firewall", + "text": "DNS: Recurso compreendido e aplicado ou não aplicado", + "waf": "Segurança" + }, + { + "category": "Azure Firewall", + "guid": "d622f54b-29ba-4de3-aad1-e8c28ec93666", + "id": "F04.09", + "link": "https://learn.microsoft.com/azure/firewall-manager/threat-intelligence-settings", + "severity": "Alto", + "subcategory": "Gerenciador de Firewall", + "text": "Inteligência de ameaças: definir como Alertar e Negar", + "waf": "Segurança" + }, + { + "category": "Azure Firewall", + "guid": "7313b005-674b-41e9-94a4-59c373e7ed61", + "id": "F04.10", + "link": "https://learn.microsoft.com/azure/firewall-manager/threat-intelligence-settings#allowlist-addresses", + "severity": "Alto", + "subcategory": "Gerenciador de Firewall", + "text": "Threat Intelligence: Lista de permitidos (justifique se eles estão sendo usados - ou seja, desempenho)", + "waf": "Segurança" + }, + { + "category": "Azure Firewall", + "guid": "623b365a-917e-4cbe-98eb-d54cd7df2e8b", + "id": "F04.11", + "link": "https://learn.microsoft.com/azure/firewall/premium-certificates", + "severity": "Alto", + "subcategory": "Gerenciador de Firewall", + "text": "TLS habilitado", + "waf": "Segurança" + }, + { + "category": "Azure Firewall", + "guid": 
"bac35715-59ab-4915-9e99-08aed8c44ce3", + "id": "F04.12", + "link": "https://learn.microsoft.com/azure/firewall/rule-processing", + "severity": "Alto", + "subcategory": "Gerenciador de Firewall", + "text": "IDPS habilitado", + "waf": "Segurança" + }, + { + "category": "Azure Firewall", + "guid": "b2b3808b-9fa1-4cf1-849d-003a923ce474", + "id": "F04.13", + "link": "https://learn.microsoft.com/azure/firewall/snat-private-range", + "severity": "Alto", + "subcategory": "Gerenciador de Firewall", + "text": "SNAT: Configurado ", + "waf": "Segurança" + }, + { + "category": "Azure Firewall", + "guid": "dbcbd8ac-2aae-4bca-8a43-da1dae2cc992", + "id": "F05.01", + "link": "https://learn.microsoft.com/azure/security/fundamentals/ddos-best-practices", + "severity": "Média", + "subcategory": "Proteção DDOS", + "text": "Habilitado para IPs públicos do Firewall", + "waf": "Segurança" + } + ], + "metadata": { + "name": "Azure Security Review Checklist", + "state": "Deprecated", + "timestamp": "June 24, 2024" + }, + "severities": [ + { + "name": "Alto" + }, + { + "name": "Média" + }, + { + "name": "Baixo" + } + ], + "status": [ + { + "description": "Esta verificação ainda não foi analisada", + "name": "Não verificado" + }, + { + "description": "Há um item de ação associado a essa verificação", + "name": "Abrir" + }, + { + "description": "Essa verificação foi verificada e não há outros itens de ação associados a ela", + "name": "Cumprido" + }, + { + "description": "Recomendação compreendida, mas não necessária pelos requisitos atuais", + "name": "Não é necessário" + }, + { + "description": "Não aplicável ao projeto atual", + "name": "N/A" + } + ], + "waf": [ + { + "name": "Fiabilidade" + }, + { + "name": "Segurança" + }, + { + "name": "Custar" + }, + { + "name": "Operações" + }, + { + "name": "Desempenho" + } + ], + "yesno": [ + { + "name": "Sim" + }, + { + "name": "Não" + } + ] +} \ No newline at end of file 
diff --git a/checklists/security_checklist.zh-Hant.json b/checklists/security_checklist.zh-Hant.json
new file mode 100644
index 000000000..cceb17dd7
--- /dev/null
+++ b/checklists/security_checklist.zh-Hant.json
@@ -0,0 +1,1669 @@ +{ + "categories": [ + { + "name": "Defender For Cloud" + }, + { + "name": "Azure 網路" + }, + { + "name": "身份" + }, + { + "name": "虛擬機安全檢查" + }, + { + "name": "哨兵" + }, + { + "name": "Azure 防火牆" + } + ], + "items": [ + { + "category": "Defender For Cloud", + "guid": "54174158-33fb-43ae-9c2d-e743165c3acb", + "id": "A01.01", + "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started", + "severity": "高", + "subcategory": "定價和設置", + "text": "在所有訂閱中啟用安全中心/Defender", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "349f0364-d28d-442e-abbb-c868255abc91", + "id": "A01.02", + "link": "https://learn.microsoft.com/azure/security-center/enable-azure-defender", + "severity": "高", + "subcategory": "定價和設置", + "text": "在所有 Log Analytics 工作區上啟用安全中心/Defender", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "64e9a19a-e28c-484c-93b6-b7818ca0e6c4", + "id": "A01.03", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-feature#what-event-types-are-stored-for-common-and-minimal", + "severity": "中等", + "subcategory": "定價和設置", + "text": "數據收集設置為“通用”", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "2149d414-a923-4c35-94d1-1029bd6aaf11", + "id": "A01.04", + "link": "https://learn.microsoft.com/azure/security-center/enable-azure-defender", + "severity": "高", + "subcategory": "定價和設置", + "text": "Defender for Cloud 增強的安全功能均已啟用", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "e6b84ee5-ef43-4d29-a248-1718d5d1f5f7", + "id": "A01.05", + "link": "https://learn.microsoft.com/azure/security-center/security-center-enable-data-collection", + "severity": "中等", + "subcategory": "定價和設置", + "text": "根據公司策略啟用自動預配(策略必須存在)", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "25759e35-680e-4782-9ac9-32213d027ff4", + "id": "A01.06", + "link": 
"https://learn.microsoft.com/azure/security-center/security-center-provide-security-contact-details", + "severity": "低", + "subcategory": "定價和設置", + "text": "根據公司策略啟用電子郵件通知(策略必須存在)", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "12f70993-0631-4583-9ee7-9d6c6d363206", + "id": "A01.07", + "link": "https://learn.microsoft.com/azure/security-center/security-center-wdatp?WT.mc_id=Portal-Microsoft_Azure_Security_CloudNativeCompute&tabs=windows", + "severity": "中等", + "subcategory": "定價和設置", + "text": "選擇啟用整合選項", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "5b7abae4-4aad-45e8-a79e-2e86667313c5", + "id": "A01.08", + "link": "https://learn.microsoft.com/azure/security-center/defender-for-container-registries-cicd", + "severity": "中等", + "subcategory": "定價和設置", + "text": "配置 CI/CD 集成", + "waf": "操作" + }, + { + "category": "Defender For Cloud", + "guid": "05675c5e-985b-4859-a774-f7e371623b87", + "id": "A01.09", + "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal", + "severity": "高", + "subcategory": "定價和設置", + "text": "如果使用第三方 SIEM,則啟用連續導出“事件中心”", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "5a917e1f-349f-4036-9d28-d42e8bbbc868", + "id": "A01.10", + "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal", + "severity": "中等", + "subcategory": "定價和設置", + "text": "如果不使用 Azure Sentinel,則啟用連續匯出“Log Analytics 工作區”", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "255abc91-64e9-4a19-ae28-c84c43b6b781", + "id": "A01.11", + "link": "https://learn.microsoft.com/azure/security-center/quickstart-onboard-aws?WT.mc_id=Portal-Microsoft_Azure_Security", + "severity": "高", + "subcategory": "定價和設置", + "text": "為 AWS 啟用了 Cloud Connector", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "8ca0e6c4-2149-4d41-9a92-3c3574d11029", + "id": "A01.12", + "link": 
"https://learn.microsoft.com/azure/security-center/quickstart-onboard-gcp", + "severity": "高", + "subcategory": "定價和設置", + "text": "為 GCP 啟用了雲端連接器", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "cce9bdf6-b483-45a0-85ec-c8232b230652", + "id": "A01.13", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy-integrate-with-microsoft-cloud-application-security", + "severity": "低", + "subcategory": "定價和設置", + "text": "如果使用 Azure AD 應用程式代理,請考慮與 Microsoft Defender for Cloud Apps 集成,以即時監視應用程式訪問並應用高級安全控制。", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "df9cc234-18db-4611-9126-5f4bb47a393a", + "id": "A02.01", + "link": "https://learn.microsoft.com/azure/security-center/secure-score-security-controls", + "severity": "中等", + "subcategory": "建議", + "text": "如果不需要,則修正或禁用所有建議。", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "description": "Microsoft 所有客戶的最低目標是 70%", + "guid": "08032729-4798-4b15-98a2-19a46ceb5443", + "id": "A02.02", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/secure-score-security-controls", + "severity": "高", + "subcategory": "建議", + "text": "安全評分>70%", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "50259226-4429-42bb-9285-37a55119bf8e", + "id": "A03.01", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/tutorial-security-incident", + "severity": "中等", + "subcategory": "保安警報", + "text": "安全警報僅包含過去 24 小時內生成的警報(修正或禁用較舊的安全警報)", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "8f585428-7d9c-4dc1-96cd-072af9b141a8", + "id": "A04.01", + "link": "https://learn.microsoft.com/azure/security-center/custom-dashboards-azure-workbooks", + "severity": "中等", + "subcategory": "練習冊", + "text": "如果啟用了連續匯出,則預設工作簿將發佈到自定義安全儀錶板", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "98a535e7-3789-47e7-8ca7-da7be9962a15", + "id": "A05.01", + "link": 
"https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/bd-p/MicrosoftDefenderCloud", + "severity": "中等", + "subcategory": "社區", + "text": "客戶瞭解「社區」頁面的價值,並設置了定期的審核節奏", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "description": "客戶運營最佳實踐 - 透明度", + "guid": "93846da9-7cc3-4923-856b-22586f4a1641", + "id": "A06.01", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/enable-enhanced-security", + "severity": "高", + "subcategory": "安全分數", + "text": "顯示受安全中心保護的所有訂閱(未設定訂閱篩選器)", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "bdddea8a-487c-4deb-9861-bc3bc14aea6e", + "id": "A07.01", + "link": "https://learn.microsoft.com/azure/security-center/security-center-compliance-dashboard", + "severity": "高", + "subcategory": "法規遵從性", + "text": "對於任何必需的合規性要求,合規性控制都是綠色的", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "description": "客戶運營最佳實踐 - 驗證", + "guid": "65e8d9a3-aec2-418e-9436-b0736db55f57", + "id": "A08.01", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/remediate-vulnerability-findings-vm", + "severity": "高", + "subcategory": "Azure Defender", + "text": "高嚴重性 VM 漏洞為零(空)", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "9603334b-df9c-4c23-918d-b61171265f4b", + "id": "A09.01", + "link": "https://techcommunity.microsoft.com/t5/azure-network-security/azure-firewall-manager-is-now-integrated-with-azure-security/ba-p/2228679", + "severity": "中等", + "subcategory": "防火牆管理器", + "text": "中心受 Azure 防火牆保護", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "description": "客戶運營最佳實踐 - 驗證", + "guid": "b47a393a-0803-4272-a479-8b1578a219a4", + "id": "A09.02", + "link": "https://learn.microsoft.com/azure/security/fundamentals/network-best-practices", + "severity": "中等", + "subcategory": "防火牆管理器", + "text": "虛擬網路受防火牆保護", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "6ceb5443-5025-4922-9442-92bb628537a5", + "id": "A09.03", + "link": 
"https://azure.microsoft.com/blog/how-azure-security-center-detects-ddos-attack-using-cyber-threat-intelligence/", + "severity": "中等", + "subcategory": "防火牆管理器", + "text": "已啟用 DDoS 標準", + "waf": "安全" + }, + { + "category": "Defender For Cloud", + "guid": "5119bf8e-8f58-4542-a7d9-cdc166cd072a", + "id": "A10.01", + "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started?WT.mc_id=Portal-Microsoft_Azure_Security", + "severity": "高", + "subcategory": "覆蓋", + "text": "驗證是否涵蓋所有訂閱(請參閱要修改的定價和設置)", + "waf": "安全" + }, + { + "category": "Azure 網路", + "guid": "4df585ec-dce9-4793-a7bc-db3b51eb2eb0", + "id": "B01.01", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses", + "severity": "高", + "subcategory": "公共IP", + "text": "具有公共IP的 VM 應受 NSG 保護", + "waf": "安全" + }, + { + "category": "Azure 網路", + "description": "客戶運營最佳實踐 - 驗證", + "guid": "3dda6e59-d7c8-4a2e-bb11-7d6769af669c", + "id": "B01.02", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses", + "severity": "高", + "subcategory": "公共IP", + "text": "具有公共IP的 VM 將移到 Azure 防火牆高級版後面", + "waf": "安全" + }, + { + "category": "Azure 網路", + "description": "客戶運營最佳實踐 - 驗證", + "guid": "a48e5a85-f222-43ec-b8bb-12308ca5017f", + "id": "B01.03", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", + "severity": "高", + "subcategory": "公共IP", + "text": "不需要公共 IP 的 VM 沒有公共 IP(即僅限內部 RDP)", + "waf": "安全" + }, + { + "category": "Azure 網路", + "guid": "158e3ea3-a93c-42de-9e31-65c3a87a04b7", + "id": "B02.01", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview", + "severity": "中等", + "subcategory": "核供應國集團", + "text": "NSG RBAC 用於限制對網路安全團隊的訪問", + "waf": "安全" + }, + { + "category": "Azure 網路", + "description": "客戶運營最佳實踐 - 驗證", + "guid": "a209939b-da47-4778-b24c-116785c2fa55", + "id": "B02.02", + "link": 
"https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview", + "severity": "高", + "subcategory": "核供應國集團", + "text": "NSG 入站安全規則在「源」欄位中不包含 *(通配符)", + "waf": "安全" + }, + { + "category": "Azure 網路", + "description": "客戶運營最佳實踐 - 驗證", + "guid": "b56a9480-08be-47d7-b4c4-76b6d8bdcf59", + "id": "B02.03", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview", + "severity": "中等", + "subcategory": "核供應國集團", + "text": "NSG 出站安全規則用於控制發往特定IP位址的流量,以防不通過防火牆路由的流量", + "waf": "安全" + }, + { + "category": "Azure 網路", + "description": "客戶運營最佳實踐 - 驗證", + "guid": "bce65de8-a13f-4988-9946-8d66a786d60f", + "id": "B02.04", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview", + "severity": "高", + "subcategory": "核供應國集團", + "text": "NSG 沒有將源作為 *(通配符)就位。", + "waf": "安全" + }, + { + "category": "Azure 網路", + "guid": "a6c97be9-955d-404c-9c49-c986cb2d1215", + "id": "B02.05", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-nsg-manage-log", + "severity": "中等", + "subcategory": "核供應國集團", + "text": "NSG 診斷將 NetworkSecurityGroupEvent 和 NetworkSecurityGroupRuleCounter 流量發送到 Sentinel LAW", + "waf": "安全" + }, + { + "category": "Azure 網路", + "guid": "aa124b6e-4df5-485e-adce-9793b7bcdb3b", + "id": "B03.01", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "severity": "中等", + "subcategory": "UDR協定", + "text": "UDR RBAC 用於限制對網路安全團隊的訪問", + "waf": "安全" + }, + { + "category": "Azure 網路", + "guid": "51eb2eb0-3dda-46e5-ad7c-8a2edb117d67", + "id": "B03.02", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "severity": "高", + "subcategory": "UDR協定", + "text": "如果為零信任,則使用UDR將所有流量發送到Azure防火牆高級版", + "waf": "安全" + }, + { + "category": "Azure 網路", + "description": "客戶運營最佳實踐 - 驗證", + "guid": "69af669c-a48e-45a8-9f22-23ece8bb1230", + "id": "B03.03", + "link": 
"https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "severity": "中等", + "subcategory": "UDR協定", + "text": "不會將所有流量發送到 AzureFirewallPremium 的 UDR 是已知的,並記錄在案。", + "waf": "安全" + }, + { + "category": "Azure 網路", + "guid": "8ca5017f-158e-43ea-9a93-c2de7e3165c3", + "id": "B04.01", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview#default", + "severity": "高", + "subcategory": "虛擬網路", + "text": "客戶熟悉 Azure 中的 Azure 網路預設值/SDN 預設路由", + "waf": "安全" + }, + { + "category": "Azure 網路", + "description": "客戶運營最佳實踐 - 驗證", + "guid": "a87a04b7-a209-4939-ada4-7778f24c1167", + "id": "B04.02", + "link": "https://github.com/MicrosoftDocs/azure-docs/issues/53672", + "severity": "中等", + "subcategory": "虛擬網路", + "text": "VNet RBAC 用於限制對網路安全團隊的訪問", + "waf": "安全" + }, + { + "category": "Azure 網路", + "guid": "85c2fa55-b56a-4948-808b-e7d7e4c476b6", + "id": "B04.03", + "link": "https://learn.microsoft.com/azure/virtual-network/policy-reference", + "severity": "高", + "subcategory": "虛擬網路", + "text": "VNet 安全建議已修正,並且沒有“有風險”的 VNet", + "waf": "安全" + }, + { + "category": "Azure 網路", + "guid": "d8bdcf59-bce6-45de-aa13-f98879468d66", + "id": "B04.04", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", + "severity": "高", + "subcategory": "虛擬網路", + "text": "瞭解 VNet 對等互連連接並記錄預期的流量", + "waf": "安全" + }, + { + "category": "Azure 網路", + "guid": "a786d60f-a6c9-47be-a955-d04c3c49c986", + "id": "B04.05", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", + "severity": "高", + "subcategory": "虛擬網路", + "text": "VNet 服務終結點正在使用中,不存在舊版公共服務終結點", + "waf": "安全" + }, + { + "category": "Azure 網路", + "guid": "1f625659-ee55-480a-9824-9c931213dbd7", + "id": "B04.06", + "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", + "severity": "高", + "subcategory": "虛擬網路", + "text": "VNet 專用終結點用於允許從本地環境進行訪問,不存在舊版公共終結點", + "waf": "安全" 
+ }, + { + "category": "Azure 網路", + "guid": "fb012f70-943f-4630-9722-ea39d2b1ce63", + "id": "B04.07", + "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network", + "severity": "高", + "subcategory": "虛擬網路", + "text": "已啟用 VNet 監視", + "waf": "安全" + }, + { + "category": "Azure 網路", + "guid": "2055b29b-ade4-4aad-8e8c-39ec94666731", + "id": "B04.08", + "link": "https://learn.microsoft.com/azure/virtual-network/kubernetes-network-policies", + "severity": "高", + "subcategory": "虛擬網路", + "text": "使用 Azure Kubernetes 服務 (AKS) 中的網路策略保護 Pod 之間的流量", + "waf": "安全" + }, + { + "category": "Azure 網路", + "guid": "3c005674-c1e9-445b-959c-373e7ed71623", + "id": "B04.09", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-scenario-udr-gw-nva", + "severity": "高", + "subcategory": "虛擬網路", + "text": "VNet NVA(設備)客戶遵循已發佈的體系結構模式", + "waf": "安全" + }, + { + "category": "Azure 網路", + "guid": "b375a917-ecbe-448f-ae64-dd7df2e8bbbc", + "id": "B04.10", + "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network", + "severity": "高", + "subcategory": "虛擬網路", + "text": "VNet 診斷設置已啟用,並將 VMProtectionAlerts 發送到 Azure Sentinel LAW", + "waf": "安全" + }, + { + "category": "Azure 網路", + "guid": "468155ab-c916-44e9-a09a-ed8c44cf3b2b", + "id": "B05.01", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "severity": "高", + "subcategory": "連接", + "text": "使用 ExpressRoute 或 VPN 從本地環境訪問 Azure 資源", + "waf": "安全" + }, + { + "category": "Azure 網路", + "guid": "bd8ac2aa-ebca-42a4-9da1-dbf3dd992481", + "id": "B06.01", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "severity": "高", + "subcategory": "虛擬廣域網", + "text": "VWAN RBAC 用於限制對網路安全團隊的訪問", + "waf": "安全" + }, + { + "category": "Azure 網路", + "guid": "718d1dca-1f62-4565-aee5-580a38249c93", + "id": "B06.02", + "link": 
"https://learn.microsoft.com/azure/virtual-wan/virtual-wan-global-transit-network-architecture", + "severity": "高", + "subcategory": "虛擬廣域網", + "text": "VWAN 客戶正在使用 Secure Hub 或外部防火牆來路由和監控流量。", + "waf": "安全" + }, + { + "category": "Azure 網路", + "guid": "1213dbd7-fb01-42f7-8943-f6304722ea39", + "id": "B07.01", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", + "severity": "高", + "subcategory": "應用程式閘道", + "text": "AppGW RBAC 用於限制對網路安全團隊的訪問", + "waf": "安全" + }, + { + "category": "Azure 網路", + "guid": "d2b1ce63-2055-4b29-aade-4aad1e8c39ec", + "id": "B07.02", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip", + "severity": "高", + "subcategory": "應用程式閘道", + "text": "AppGW 所有面向外部的 Web 服務都位於啟用了 WAF 的應用程式閘道後面", + "waf": "安全" + }, + { + "category": "Azure 網路", + "guid": "94666731-3c00-4567-9c1e-945b459c373e", + "id": "B07.03", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip", + "severity": "高", + "subcategory": "應用程式閘道", + "text": "AppGW 所有面向內部的 Web 服務都位於啟用了 WAF 的應用程式閘道後面", + "waf": "安全" + }, + { + "category": "Azure 網路", + "guid": "7ed71623-b375-4a91-9ecb-e48fbe64dd7d", + "id": "B07.04", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", + "severity": "高", + "subcategory": "應用程式閘道", + "text": "AppGW - 面向外部已啟用 TLS/SSL,並將所有流量重定向到 443(沒有埠 80 流量)", + "waf": "安全" + }, + { + "category": "Azure 網路", + "guid": "f2e8bbbc-4681-455a-ac91-64e9909aed8c", + "id": "B08.01", + "link": "https://learn.microsoft.com/azure/frontdoor/", + "severity": "高", + "subcategory": "前門", + "text": "Front Door RBAC 用於限制對網路安全團隊的訪問", + "waf": "安全" + }, + { + "category": "Azure 網路", + "guid": "44cf3b2b-3818-4baf-a2cf-2149d013a923", + "id": "B08.02", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/front-door-security-baseline?toc=/azure/frontdoor/TOC.json", + "severity": "高", + "subcategory": "前門", + "text": "Front Door 與 WAF 策略相關聯", + 
"waf": "安全" + }, + { + "category": "Azure 網路", + "guid": "ce574dcc-bd8a-4c2a-aebc-a2a44da1dbf3", + "id": "B08.03", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-custom-domain-https", + "severity": "高", + "subcategory": "前門", + "text": "配置了 Front Door TLS/SSL 策略", + "waf": "安全" + }, + { + "category": "Azure 網路", + "guid": "dd992481-718d-41dc-a1f6-25659ee5580a", + "id": "B08.04", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-url-redirect", + "severity": "高", + "subcategory": "前門", + "text": "設定 Front Door 重定向埠 80 到埠 443(偵聽器)", + "waf": "安全" + }, + { + "category": "Azure 網路", + "guid": "38249c93-1213-4dbd-9fb0-12f70943f630", + "id": "B08.05", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-diagnostics", + "severity": "高", + "subcategory": "前門", + "text": "Front Door 診斷日誌將 ApplicationGatewayAccessLog 和 ApplicationGateway FirewallLog 發送到 Sentinel LAW", + "waf": "安全" + }, + { + "category": "Azure 網路", + "guid": "4722ea39-d2b1-4ce6-9205-5b29bade4aad", + "id": "B09.01", + "link": "https://learn.microsoft.com/azure/security/fundamentals/ddos-best-practices", + "severity": "高", + "subcategory": "DDOS防護", + "text": "為防火牆公共IP(所有公共IP)啟用", + "waf": "安全" + }, + { + "category": "身份", + "guid": "346ad56f-bdb8-44db-8bcd-0a689af63f1e", + "id": "C01.01", + "link": "https://learn.microsoft.com/security/compass/identity#a-single-enterprise-directory", + "severity": "高", + "subcategory": "房客", + "text": "建立單一的企業目錄,用於管理全職員工的身份和企業資源。", + "waf": "安全" + }, + { + "category": "身份", + "guid": "a46108cd-6a76-4749-ae69-b7bf61410010", + "id": "C01.02", + "link": "https://learn.microsoft.com/security/compass/identity#synchronized-identity-systems", + "severity": "高", + "subcategory": "房客", + "text": "將雲標識與現有標識系統同步。", + "waf": "安全" + }, + { + "category": "身份", + "guid": "a1ab96ceb-c149-4ce2-bcad-3bd375ebfc7f", + "id": "C01.03", + "link": "https://learn.microsoft.com/security/compass/identity#cloud-provider-identity-source-for-third-parties", 
+ "severity": "高", + "subcategory": "房客", + "text": "使用雲標識服務託管非員工帳戶,例如供應商、合作夥伴和客戶,而不是將它們包含在本地目錄中。", + "waf": "安全" + }, + { + "category": "身份", + "guid": "343473ec-ed5c-49e1-98f4-cb09524a23cd", + "id": "C01.04", + "link": "https://learn.microsoft.com/security/compass/identity#block-legacy-authentication", + "severity": "高", + "subcategory": "房客", + "text": "為面向 Internet 的服務禁用不安全的舊協定。", + "waf": "安全" + }, + { + "category": "身份", + "guid": "70dceb23-50c7-4d8d-bf53-8cc104c7dc44", + "id": "C01.05", + "link": "https://learn.microsoft.com/azure/security/fundamentals/identity-management-best-practices#enable-single-sign-on", + "severity": "高", + "subcategory": "房客", + "text": "啟用單點登錄", + "waf": "安全" + }, + { + "category": "身份", + "guid": "87791be1-1eb0-48ed-8003-ad9bcf241b99", + "id": "C02.01", + "link": "https://learn.microsoft.com/security/compass/identity#no-on-premises-admin-accounts-in-cloud-identity-providers", + "severity": "高", + "subcategory": "特權管理", + "text": "在將企業身份系統與雲目錄同步時,請勿將具有最高許可權訪問許可權的帳戶同步到本地資源。", + "waf": "安全" + }, + { + "category": "身份", + "guid": "9e6efe9d-f28f-463b-9bff-b5080173e9fe", + "id": "C02.02", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#5-limit-the-number-of-global-administrators-to-less-than-5", + "severity": "高", + "subcategory": "特權管理", + "text": "將全域管理員的數量限制為少於5個", + "waf": "安全" + }, + { + "category": "身份", + "guid": "e0d968d3-87f6-41fb-a4f9-d852f1673f4c", + "id": "C02.03", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#6-use-groups-for-azure-ad-role-assignments-and-delegate-the-role-assignment", + "severity": "高", + "subcategory": "特權管理", + "text": "使用組進行 Azure AD 角色分配並委派角色分配", + "waf": "安全" + }, + { + "category": "身份", + "guid": "00350863-4df6-4050-9cf1-cbaa6d58283e", + "id": "C02.04", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#managed-accounts-for-admins", + "severity": "高", + "subcategory": "特權管理", + "text": 
"確保所有關鍵影響管理員都由企業目錄管理,以遵循組織策略實施。", + "waf": "安全" + }, + { + "category": "身份", + "guid": "eae64d01-0d3a-4ae1-a89d-cc1c2ad3888f", + "id": "C02.05", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#4-configure-recurring-access-reviews-to-revoke-unneeded-permissions-over-time", + "severity": "高", + "subcategory": "特權管理", + "text": "配置定期訪問評審以隨時間推移撤消不需要的許可權", + "waf": "安全" + }, + { + "category": "身份", + "guid": "922ac19f-916d-4697-b8ea-ded26bdd186f", + "id": "C02.06", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#admin-workstation-security", + "severity": "中等", + "subcategory": "特權管理", + "text": "確保關鍵影響管理員使用具有高級安全保護和監控功能的工作站", + "waf": "安全" + }, + { + "category": "身份", + "guid": "1e8c39ec-9466-4673-83c0-05674c1e945b", + "id": "C03.01", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/compare-with-b2c", + "severity": "高", + "subcategory": "外部標識", + "text": "身份提供程序:驗證外部身份提供程式是否已知", + "waf": "安全" + }, + { + "category": "身份", + "guid": "459c373e-7ed7-4162-9b37-5a917ecbe48f", + "id": "C03.02", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations", + "severity": "高", + "subcategory": "外部標識", + "text": "外部協作設置:訪客使用者訪問許可權設置為「訪客使用者訪問許可權受到限制?", + "waf": "安全" + }, + { + "category": "身份", + "guid": "be64dd7d-f2e8-4bbb-a468-155abc9164e9", + "id": "C03.03", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations", + "severity": "高", + "subcategory": "外部標識", + "text": "外部協作設置:訪客邀請設置設置為“僅分配給特定管理員角色的使用者”", + "waf": "安全" + }, + { + "category": "身份", + "guid": "909aed8c-44cf-43b2-a381-8bafa2cf2149", + "id": "C03.04", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations", + "severity": "高", + "subcategory": "外部標識", + "text": "外部協作設置:通過設置為「已禁用」的流啟用訪客自助註冊", + "waf": "安全" + }, + { + "category": "身份", + "guid": 
"d013a923-ce57-44dc-abd8-ac2aaebca2a4", + "id": "C03.05", + "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations", + "severity": "高", + "subcategory": "外部標識", + "text": "外部協作設置:協作限制設置為“允許向指定域發出邀請”", + "waf": "安全" + }, + { + "category": "身份", + "guid": "4da1dbf3-dd99-4248-8718-d1dca1f62565", + "id": "C03.06", + "link": "https://learn.microsoft.com/azure/active-directory/governance/deploy-access-reviews", + "severity": "中等", + "subcategory": "外部標識", + "text": "訪問評審:為所有組啟用", + "waf": "安全" + }, + { + "category": "身份", + "guid": "9ee5580a-3824-49c9-9121-3dbd7fb012f7", + "id": "C04.01", + "link": "https://learn.microsoft.com/azure/active-directory/manage-apps/configure-user-consent", + "severity": "中等", + "subcategory": "企業應用程式", + "text": "同意和許可權:允許使用者同意來自經過驗證的發佈者的應用", + "waf": "安全" + }, + { + "category": "身份", + "guid": "0943f630-4722-4ea3-ad2b-1ce632055b29", + "id": "C04.02", + "link": "https://learn.microsoft.com/azure/active-directory/manage-apps/configure-user-consent-groups", + "severity": "中等", + "subcategory": "企業應用程式", + "text": "同意和許可權:允許組擁有者對選定的組擁有者進行同意", + "waf": "安全" + }, + { + "category": "身份", + "guid": "bade4aad-1e8c-439e-a946-667313c00567", + "id": "C05.01", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy-configure-custom-domain", + "severity": "高", + "subcategory": "自訂域", + "text": "僅註冊經過驗證的客戶域", + "waf": "安全" + }, + { + "category": "身份", + "guid": "4c1e945b-459c-4373-b7ed-71623b375a91", + "id": "C06.01", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-sspr", + "severity": "高", + "subcategory": "密碼重置", + "text": "驗證符合自助服務密碼重置策略要求。", + "waf": "安全" + }, + { + "category": "身份", + "guid": "7ecbe48f-be64-4dd7-bf2e-8bbbc468155a", + "id": "C06.02", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/howto-sspr-deployment", + "severity": "中等", + "subcategory": "密碼重置", + "text": 
"在要求使用者重新確認身份驗證資訊之前設置的天數未設置為零", + "waf": "安全" + }, + { + "category": "身份", + "guid": "bc9164e9-909a-4ed8-a44c-f3b2b3818baf", + "id": "C06.03", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/howto-sspr-deployment", + "severity": "高", + "subcategory": "密碼重置", + "text": "選擇重置密碼所需的設置方法數", + "waf": "安全" + }, + { + "category": "身份", + "guid": "a2cf2149-d013-4a92-9ce5-74dccbd8ac2a", + "id": "C07.01", + "link": "https://learn.microsoft.com/azure/active-directory/roles/delegate-app-roles", + "severity": "高", + "subcategory": "用戶設置", + "text": "禁用「用戶可以註冊應用程式」", + "waf": "安全" + }, + { + "category": "身份", + "guid": "aebca2a4-4da1-4dbf-9dd9-92481718d1dc", + "id": "C07.02", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/users-default-permissions", + "severity": "高", + "subcategory": "用戶設置", + "text": "將對管理門戶 (portal.azure.com) 的訪問限制為僅管理員", + "waf": "安全" + }, + { + "category": "身份", + "guid": "a1f62565-9ee5-4580-a382-49c931213dbd", + "id": "C07.03", + "link": "https://learn.microsoft.com/azure/active-directory/enterprise-users/linkedin-integration", + "severity": "高", + "subcategory": "用戶設置", + "text": "禁用“LinkedIn帳戶連接”", + "waf": "安全" + }, + { + "category": "身份", + "guid": "7fb012f7-0943-4f63-8472-2ea39d2b1ce6", + "id": "C08.01", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-monitoring", + "severity": "高", + "subcategory": "診斷設置", + "text": "使用 Sentinel 啟用併發送到 Log Analytics 工作區", + "waf": "安全" + }, + { + "category": "身份", + "guid": "21e44a19-a9dd-4399-afd7-b28dc8355562", + "id": "C09.01", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-deployment-plan", + "severity": "高", + "subcategory": "已啟用 PIM", + "text": "已啟用 Privileged Identity Management", + "waf": "安全" + }, + { + "category": "身份", + "guid": "46f4389a-7f42-4c78-b78c-06a63a21a495", + "id": "C09.02", + "link": 
"https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-usage?tabs=jit-config-asc%2Cjit-request-asc", + "severity": "高", + "subcategory": "已啟用 PIM", + "text": "實現「即時」(JIT) 訪問,以進一步降低特權帳戶的暴露時間(減少長期訪問)", + "waf": "安全" + }, + { + "category": "身份", + "guid": "6e6a8dc4-a20e-427b-9e29-711b1352beee", + "id": "C10.01", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policy-common", + "severity": "高", + "subcategory": "條件訪問策略", + "text": "配置條件訪問策略/訪問控制", + "waf": "安全" + }, + { + "category": "身份", + "guid": "079b588d-efc4-4972-ac3c-d21bf77036e5", + "id": "C10.02", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/location-condition", + "severity": "中等", + "subcategory": "條件訪問策略", + "text": "條件:受限地點", + "waf": "安全" + }, + { + "category": "身份", + "guid": "e6b4bed3-d5f3-4547-a134-7dc56028a71f", + "id": "C10.03", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa", + "severity": "高", + "subcategory": "條件訪問策略", + "text": "訪問控制:為所有用戶啟用 MFA", + "waf": "安全" + }, + { + "category": "身份", + "guid": "fe1bd15d-d2f0-4d5e-972d-41e3611cc57b", + "id": "C10.04", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa", + "severity": "中等", + "subcategory": "條件訪問策略", + "text": "訪問控制:要求管理員進行 MFA", + "waf": "安全" + }, + { + "category": "身份", + "guid": "4a4b1410-d439-4589-ac22-89b3d6b57cfc", + "id": "C10.05", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-azure-management", + "severity": "高", + "subcategory": "條件訪問策略", + "text": "訪問控制:需要 MFA 才能進行 Azure 管理", + "waf": "安全" + }, + { + "category": "身份", + "guid": "645461e1-a3e3-4453-a3c8-639637a552d6", + "id": "C10.06", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy", + "severity": "高", 
+ "subcategory": "條件訪問策略", + "text": "訪問控制:阻止傳統協定", + "waf": "安全" + }, + { + "category": "身份", + "guid": "7ae9eab4-0fd3-4290-998b-c178bdc5a06c", + "id": "C10.07", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/require-managed-devices", + "severity": "高", + "subcategory": "條件訪問策略", + "text": "訪問控制:要求將設備標記為合規", + "waf": "安全" + }, + { + "category": "身份", + "description": "客戶記錄在案的策略", + "guid": "a7144351-e19d-4d34-929e-b7228137a151", + "id": "C11.01", + "link": "https://devblogs.microsoft.com/premier-developer/azure-active-directory-automating-guest-user-management/", + "severity": "中等", + "subcategory": "來賓使用者", + "text": "是否有跟蹤來賓用戶帳戶的策略(即使用/刪除/禁用)?", + "waf": "安全" + }, + { + "category": "身份", + "guid": "c5bb4e4f-1814-4287-b5ca-8c26c9b32ab5", + "id": "C12.01", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/identity-secure-score", + "severity": "高", + "subcategory": "身份安全分數", + "text": "根據行業中的最佳實踐實施身份安全功能分數", + "waf": "安全" + }, + { + "category": "身份", + "guid": "bcfc6998-a135-4e33-9897-e31c67d68cb6", + "id": "C13.01", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + "severity": "中等", + "subcategory": "Break Glass 帳戶", + "text": "至少已經創建了兩個打破玻璃的帳戶,並且存在有關其使用的政策", + "waf": "安全" + }, + { + "category": "虛擬機安全檢查", + "guid": "0ac252b9-99a6-48af-a7c9-a8f821b8eb8c", + "id": "D01.01", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "severity": "高", + "subcategory": "存取控制", + "text": "利用 Azure Policy 控制 VM 訪問", + "waf": "安全" + }, + { + "category": "虛擬機安全檢查", + "guid": "0aa77e26-e4d5-4aea-a8dc-4e2436bc336d", + "id": "D01.02", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/templates/syntax", + "severity": "中等", + "subcategory": "存取控制", + "text": "利用範本減少 VM 設置和部署中的可變性", + "waf": "安全" + }, + { + "category": "虛擬機安全檢查", + "guid": "b5945bda-4333-44fd-b91c-234182b65275", + "id": "D01.03", + "link": 
"https://learn.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models", + "severity": "中等", + "subcategory": "存取控制", + "text": "通過治理減少對資源的訪問許可權,從而保護部署 VMS 的特權訪問許可權", + "waf": "安全" + }, + { + "category": "虛擬機安全檢查", + "guid": "269440b4-be3d-43e0-a432-76d4bdc015bc", + "id": "D02.01", + "link": "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service", + "severity": "中等", + "subcategory": "高可用性", + "text": "對工作負載使用多個 VM 以提高可用性", + "waf": "可靠性" + }, + { + "category": "虛擬機安全檢查", + "guid": "f219e4a1-eb58-4879-935d-227886d30b66", + "id": "D02.02", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-first-look-arm", + "severity": "中等", + "subcategory": "高可用性", + "text": "部署和測試災難恢復解決方案", + "waf": "可靠性" + }, + { + "category": "虛擬機安全檢查", + "guid": "c57be595-1900-4838-95c5-86cb291ec16a", + "id": "D02.03", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "severity": "中等", + "subcategory": "高可用性", + "text": "可用性集", + "waf": "可靠性" + }, + { + "category": "虛擬機安全檢查", + "guid": "1d076ef9-f141-4acd-ae57-9377bcdb3751", + "id": "D02.04", + "link": "https://learn.microsoft.com/azure/availability-zones/az-overview?context=/azure/virtual-machines/context/context", + "severity": "中等", + "subcategory": "高可用性", + "text": "可用區", + "waf": "可靠性" + }, + { + "category": "虛擬機安全檢查", + "guid": "ab2ac1fa-d66e-415d-9d5a-2adb2c3e2326", + "id": "D02.05", + "link": "https://learn.microsoft.com/azure/architecture/resiliency/recovery-loss-azure-region", + "severity": "中等", + "subcategory": "高可用性", + "text": "區域容錯", + "waf": "可靠性" + }, + { + "category": "虛擬機安全檢查", + "guid": "af225ca4-4e16-496f-bdde-ace4cb1deb4c", + "id": "D03.01", + "link": "https://learn.microsoft.com/azure/security/fundamentals/antimalware", + "severity": "高", + "subcategory": "防範惡意軟體", + "text": "安裝反惡意軟體解決方案", + "waf": "安全" + }, + { + "category": "虛擬機安全檢查", + "guid": 
"650c3fc1-4eeb-4b36-a382-9e3eec218368", + "id": "D03.02", + "link": "https://learn.microsoft.com/azure/security-center/security-center-partner-integration", + "severity": "高", + "subcategory": "防範惡意軟體", + "text": "將反惡意軟體解決方案與安全中心集成", + "waf": "安全" + }, + { + "category": "虛擬機安全檢查", + "guid": "7a0177a2-b594-45bd-a433-34fdf91c2341", + "id": "D04.01", + "link": "https://learn.microsoft.com/azure/automation/update-management/overview", + "severity": "高", + "subcategory": "管理 VM 更新", + "text": "使用 Azure 自動化的更新管理使 VM 保持最新狀態", + "waf": "安全" + }, + { + "category": "虛擬機安全檢查", + "guid": "c6fa96b9-6ad8-4840-af37-2734c876ba28", + "id": "D04.02", + "link": "https://learn.microsoft.com/azure/virtual-machines/automatic-vm-guest-patching", + "severity": "中等", + "subcategory": "管理 VM 更新", + "text": "確保用於部署的 Windows 映像具有最新級別的更新", + "waf": "安全" + }, + { + "category": "虛擬機安全檢查", + "guid": "02145901-465d-438e-9309-ccbd979266bc", + "id": "D04.03", + "link": "https://learn.microsoft.com/azure/security-center/asset-inventory", + "severity": "高", + "subcategory": "管理 VM 更新", + "text": "使用 Microsoft Defender for Cloud 快速將安全更新應用於 VM", + "waf": "安全" + }, + { + "category": "虛擬機安全檢查", + "guid": "ca274faa-19bf-439d-a5d4-4c7c8919ca1f", + "id": "D05.01", + "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview", + "severity": "高", + "subcategory": "加密 VHD", + "text": "在 VM 上啟用加密", + "waf": "安全" + }, + { + "category": "虛擬機安全檢查", + "guid": "6d5315ae-524b-4a34-b458-5e12139bd7bb", + "id": "D05.02", + "link": "https://learn.microsoft.com/azure/virtual-machines/windows/disk-encryption-key-vault#set-up-a-key-encryption-key-kek", + "severity": "高", + "subcategory": "加密 VHD", + "text": "添加金鑰加密金鑰 (KEK) 以增加加密安全層", + "waf": "安全" + }, + { + "category": "虛擬機安全檢查", + "guid": "012f7b95-e06e-4154-b2aa-3592828e6e20", + "id": "D05.03", + "link": "https://learn.microsoft.com/azure/virtual-machines/windows/snapshot-copy-managed-disk", + "severity": "中等", + "subcategory": "加密 VHD", + 
"text": "在加密之前拍攝磁碟快照以進行回滾", + "waf": "安全" + }, + { + "category": "虛擬機安全檢查", + "guid": "5173676a-e466-491e-a835-ad942223e138", + "id": "D06.01", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "severity": "高", + "subcategory": "限制直接 Internet 連接", + "text": "確保只有中央網路組才有權訪問網路資源", + "waf": "安全" + }, + { + "category": "虛擬機安全檢查", + "guid": "10523081-a941-4741-9833-ff7ad7c6d373", + "id": "D06.02", + "link": "https://learn.microsoft.com/azure/security-center/security-center-partner-integration", + "severity": "高", + "subcategory": "限制直接 Internet 連接", + "text": "標識並修正允許從「ANY」源 IP 位址訪問的公開 VM", + "waf": "安全" + }, + { + "category": "虛擬機安全檢查", + "guid": "75a91be1-f388-4f03-a4d2-cd463cbbbc86", + "id": "D06.03", + "link": "https://learn.microsoft.com/azure/security-center/security-center-just-in-time", + "severity": "高", + "subcategory": "限制直接 Internet 連接", + "text": "使用即時存取限制管理埠(RDP、SSH)", + "waf": "安全" + }, + { + "category": "虛擬機安全檢查", + "guid": "8295abc9-1a4e-4da0-bae2-cc84c47b6b78", + "id": "D06.04", + "link": "http://learn.microsoft.com/answers/questions/171195/how-to-create-jump-server-in-azure-not-bastion-paa.html", + "severity": "高", + "subcategory": "限制直接 Internet 連接", + "text": "刪除 Internet 訪問並實現 RDP 跳轉伺服器", + "waf": "安全" + }, + { + "category": "虛擬機安全檢查", + "guid": "1cbafe6c-4658-49d4-98a9-27c3974d1102", + "id": "D06.05", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-forced-tunneling", + "severity": "高", + "subcategory": "限制直接 Internet 連接", + "text": "從互聯網上刪除使用 RDP/SSH 直接登錄伺服器並實施 VPN 或快速路由", + "waf": "安全" + }, + { + "category": "虛擬機安全檢查", + "guid": "dad6aae1-1e6b-484e-b5df-47d2d92881b1", + "id": "D06.06", + "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", + "severity": "高", + "subcategory": "限制直接 Internet 連接", + "text": "利用 Azure Bastion 作為 RDP/SSH 代理,提高安全性並減少佔用空間", + "waf": "安全" + }, + { + "category": "哨兵", + "guid": "cd5d1e54-a297-459e-9968-0e78289c9356", + "id": "E01.01", + 
"link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard", + "severity": "高", + "subcategory": "建築", + "text": "所有租戶都包含至少在一個Log Analytics工作區上啟用了Sentinel", + "waf": "安全" + }, + { + "category": "哨兵", + "guid": "57d02bff-4564-4b0d-a34a-359836ee79d6", + "id": "E01.02", + "link": "https://learn.microsoft.com/azure/sentinel/best-practices-workspace-architecture", + "severity": "高", + "subcategory": "建築", + "text": "客戶瞭解 Sentinel 架構", + "waf": "安全" + }, + { + "category": "哨兵", + "guid": "e8f5c586-c7d9-4cdc-86ac-c075ef9b141a", + "id": "E01.03", + "link": "https://learn.microsoft.com/azure/sentinel/multiple-workspace-view", + "severity": "中等", + "subcategory": "建築", + "text": "客戶知道如何跨多個 Sentinel 實例監控事件", + "waf": "安全" + }, + { + "category": "哨兵", + "guid": "8989579e-76b8-497e-910a-7da7be9966e1", + "id": "E02.01", + "link": "https://learn.microsoft.com/azure/sentinel/manage-soc-with-incident-metrics", + "severity": "中等", + "subcategory": "概述", + "text": "沒有事件開放超過24小時", + "waf": "安全" + }, + { + "category": "哨兵", + "guid": "5d3c4ada-97cb-43d1-925a-b225c6f4e068", + "id": "E03.01", + "link": "https://learn.microsoft.com/azure/sentinel/whats-new", + "severity": "低", + "subcategory": "新聞 & 指南", + "text": "客戶已看到「新聞和指南」選項卡", + "waf": "安全" + }, + { + "category": "哨兵", + "guid": "5edddea8-a4b7-4cde-a4c6-1fc3fc14eea6", + "id": "E04.01", + "link": "https://learn.microsoft.com/azure/sentinel/enable-entity-behavior-analytics", + "severity": "中等", + "subcategory": "UEBA", + "text": "UEBA 已配置 (Sentinel/Settings/Settings/Configure UEBA)", + "waf": "安全" + }, + { + "category": "哨兵", + "guid": "e69d8d9a-3eec-4218-b687-ab077adb49e5", + "id": "E05.01", + "link": "https://learn.microsoft.com/azure/sentinel/connect-azure-active-directory", + "severity": "高", + "subcategory": "數據連接器", + "text": "Azure Active Directory 已配置,並且“上次收到的日誌”今天顯示", + "waf": "安全" + }, + { + "category": "哨兵", + "guid": "b9603334-fdf8-4cc2-9318-db61171269f4", + "id": "E05.02", + "link": 
"https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-active-directory-identity-protection", + "severity": "高", + "subcategory": "數據連接器", + "text": "Azure Active Directory Identity Protection 已配置,今天將顯示“上次收到的日誌”", + "waf": "安全" + }, + { + "category": "哨兵", + "guid": "0b4aa3d3-e070-4327-9d4b-98b15b8a219a", + "id": "E05.03", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-activity", + "severity": "高", + "subcategory": "數據連接器", + "text": "Azure 活動已配置,今天顯示“上次收到的日誌”", + "waf": "安全" + }, + { + "category": "哨兵", + "guid": "8e13f9cc-bd46-4826-9abc-a264f9a19bfe", + "id": "E05.04", + "link": "https://learn.microsoft.com/azure/sentinel/connect-defender-for-cloud", + "severity": "高", + "subcategory": "數據連接器", + "text": "Microsoft Defender for Cloud已配置,今天顯示“上次收到的日誌”", + "waf": "安全" + }, + { + "category": "哨兵", + "guid": "9d55d04c-3c49-419c-a1b2-d1215ae114b9", + "id": "E05.05", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-firewall", + "severity": "高", + "subcategory": "數據連接器", + "text": "Azure 防火牆已配置,今天顯示“上次收到的日誌”", + "waf": "安全" + }, + { + "category": "哨兵", + "guid": "34df585e-cccd-49bd-9ba0-cdb3b54eb2eb", + "id": "E05.06", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#windows-firewall", + "severity": "高", + "subcategory": "數據連接器", + "text": "Windows 防火牆已配置,今天顯示“上次收到日誌”", + "waf": "安全" + }, + { + "category": "哨兵", + "guid": "03ddaa25-9271-48d2-bdb1-0725769ef669", + "id": "E05.07", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#windows-security-events-via-ama", + "severity": "高", + "subcategory": "數據連接器", + "text": "安全事件配置了 AMA,並且「上次收到日誌」今天顯示", + "waf": "安全" + }, + { + "category": "哨兵", + "guid": "1a4834ac-9322-423e-ae80-b123081a5417", + "id": "E05.08", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference", + "severity": "高", + "subcategory": "數據連接器", + "text": "安全事件 - 驗證 Azure 
電腦是否已連接並將數據發送到工作區", + "waf": "安全" + }, + { + "category": "哨兵", + "guid": "859c773e-7e26-4162-9b77-5a917e1f348e", + "id": "E05.09", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference", + "severity": "高", + "subcategory": "數據連接器", + "text": "安全事件 - 驗證非 Azure 電腦是否已連接並將數據發送到工作區", + "waf": "安全" + }, + { + "category": "哨兵", + "guid": "f354c27d-42e8-4bba-a868-155abb9163e9", + "id": "E05.10", + "link": "https://learn.microsoft.com/azure/sentinel/connect-aws?tabs=s3", + "severity": "高", + "subcategory": "數據連接器", + "text": "適用於 AWS 的連接器", + "waf": "安全" + }, + { + "category": "哨兵", + "guid": "909ae28c-84c3-43b6-a780-8bafe6c42149", + "id": "E05.11", + "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference", + "severity": "高", + "subcategory": "數據連接器", + "text": "GCP 連接器", + "waf": "安全" + }, + { + "category": "哨兵", + "guid": "d413a923-c357-44d1-8028-ac6aae01e6a8", + "id": "E06.01", + "link": "https://learn.microsoft.com/azure/sentinel/detect-threats-built-in", + "severity": "高", + "subcategory": "分析規則", + "text": "客戶已啟用 Analytics 規則並配置了事件", + "waf": "安全" + }, + { + "category": "哨兵", + "guid": "4de5df43-d299-4248-8718-d5d1e5f62565", + "id": "E07.01", + "link": "https://azure.microsoft.com/updates/controlling-data-volume-and-retention-in-log-analytics-2/", + "severity": "中等", + "subcategory": "設置", + "text": "客戶未啟用每日上限", + "waf": "安全" + }, + { + "category": "Azure 防火牆", + "guid": "9e3558fd-7724-49c9-9111-2d027fe412f7", + "id": "F01.01", + "link": "https://learn.microsoft.com/azure/firewall/premium-features", + "severity": "高", + "subcategory": "配置", + "text": "已部署 Azure 防火牆高級版", + "waf": "安全" + }, + { + "category": "Azure 防火牆", + "guid": "4dc74a74-8b66-433a-b2a0-916a764980ad", + "id": "F01.02", + "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal#create-a-default-route", + "severity": "高", + "subcategory": "配置", + "text": "通過 Azure 防火牆啟用四重零/強制優化", + "waf": "安全" + }, + { + "category": "Azure 防火牆", 
+ "guid": "0e278ee2-93c1-4bc3-92ba-aab7571849ab", + "id": "F02.01", + "link": "https://techcommunity.microsoft.com/t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598", + "severity": "中等", + "subcategory": "存取控制", + "text": "RBAC 設定為僅啟用授權使用者", + "waf": "安全" + }, + { + "category": "Azure 防火牆", + "guid": "8093dc9f-c9d1-4bb7-9b36-a5a67fbb9ed5", + "id": "F03.01", + "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", + "severity": "中等", + "subcategory": "診斷設置", + "text": "已啟用診斷並將指標發送到Log Analytics工作區", + "waf": "安全" + }, + { + "category": "Azure 防火牆", + "guid": "b35478c3-4798-416b-8863-cffe1cac599e", + "id": "F04.01", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "severity": "高", + "subcategory": "防火牆管理器", + "text": "中心和虛擬網路通過防火牆高級版進行保護或連接", + "waf": "安全" + }, + { + "category": "Azure 防火牆", + "guid": "f0d5a73d-d4de-436c-8c81-770afbc4c0e4", + "id": "F04.02", + "link": "https://techcommunity.microsoft.com/t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598", + "severity": "高", + "subcategory": "防火牆管理器", + "text": "策略:設定存取控制 (RBAC)", + "waf": "安全" + }, + { + "category": "Azure 防火牆", + "guid": "5c3a87af-4a79-41f8-a39b-da47768e14c1", + "id": "F04.03", + "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", + "severity": "高", + "subcategory": "防火牆管理器", + "text": "策略:已配置父策略", + "waf": "安全" + }, + { + "category": "Azure 防火牆", + "guid": "15675c1e-a55b-446a-a48f-f8ae7d7e4b47", + "id": "F04.04", + "link": "https://learn.microsoft.com/azure/firewall/rule-processing", + "severity": "高", + "subcategory": "防火牆管理器", + "text": "策略:定義規則集合", + "waf": "安全" + }, + { + "category": "Azure 防火牆", + "guid": "5b6c8bcb-f59b-4ce6-9de8-a03f97879468", + "id": "F04.05", + "link": "https://learn.microsoft.com/azure/firewall/rule-processing", + "severity": "高", + "subcategory": "防火牆管理器", + "text": "策略:定義DNAT策略", + "waf": "安全" + }, + { + 
"category": "Azure 防火牆", + "guid": "d66a786d-60e9-46c9-9ad8-855d04c2b39c", + "id": "F04.06", + "link": "https://learn.microsoft.com/azure/firewall/rule-processing", + "severity": "高", + "subcategory": "防火牆管理器", + "text": "策略:定義網路規則", + "waf": "安全" + }, + { + "category": "Azure 防火牆", + "guid": "986bb2c1-2149-4a11-9b5e-3df574ecccd9", + "id": "F04.07", + "link": "https://learn.microsoft.com/azure/firewall/features", + "severity": "高", + "subcategory": "防火牆管理器", + "text": "策略:定義應用程式規則", + "waf": "安全" + }, + { + "category": "Azure 防火牆", + "guid": "793a6bcd-a3b5-40eb-8eb0-3dd95d58d7c8", + "id": "F04.08", + "link": "https://learn.microsoft.com/azure/firewall/dns-details", + "severity": "中等", + "subcategory": "防火牆管理器", + "text": "DNS:已理解並應用或未應用的功能", + "waf": "安全" + }, + { + "category": "Azure 防火牆", + "guid": "d622f54b-29ba-4de3-aad1-e8c28ec93666", + "id": "F04.09", + "link": "https://learn.microsoft.com/azure/firewall-manager/threat-intelligence-settings", + "severity": "高", + "subcategory": "防火牆管理器", + "text": "威脅情報:設置為“警報和拒絕”", + "waf": "安全" + }, + { + "category": "Azure 防火牆", + "guid": "7313b005-674b-41e9-94a4-59c373e7ed61", + "id": "F04.10", + "link": "https://learn.microsoft.com/azure/firewall-manager/threat-intelligence-settings#allowlist-addresses", + "severity": "高", + "subcategory": "防火牆管理器", + "text": "威脅情報:允許清單(證明它們是否被使用-即性能)", + "waf": "安全" + }, + { + "category": "Azure 防火牆", + "guid": "623b365a-917e-4cbe-98eb-d54cd7df2e8b", + "id": "F04.11", + "link": "https://learn.microsoft.com/azure/firewall/premium-certificates", + "severity": "高", + "subcategory": "防火牆管理器", + "text": "已啟用 TLS", + "waf": "安全" + }, + { + "category": "Azure 防火牆", + "guid": "bac35715-59ab-4915-9e99-08aed8c44ce3", + "id": "F04.12", + "link": "https://learn.microsoft.com/azure/firewall/rule-processing", + "severity": "高", + "subcategory": "防火牆管理器", + "text": "已啟用IDPS", + "waf": "安全" + }, + { + "category": "Azure 防火牆", + "guid": "b2b3808b-9fa1-4cf1-849d-003a923ce474", + "id": "F04.13", + "link": 
"https://learn.microsoft.com/azure/firewall/snat-private-range", + "severity": "高", + "subcategory": "防火牆管理器", + "text": "SNAT:已配置", + "waf": "安全" + }, + { + "category": "Azure 防火牆", + "guid": "dbcbd8ac-2aae-4bca-8a43-da1dae2cc992", + "id": "F05.01", + "link": "https://learn.microsoft.com/azure/security/fundamentals/ddos-best-practices", + "severity": "中等", + "subcategory": "DDOS防護", + "text": "為防火牆公共IP啟用", + "waf": "安全" + } + ], + "metadata": { + "name": "Azure Security Review Checklist", + "state": "Deprecated", + "timestamp": "June 24, 2024" + }, + "severities": [ + { + "name": "高" + }, + { + "name": "中等" + }, + { + "name": "低" + } + ], + "status": [ + { + "description": "此檢查尚未查看", + "name": "未驗證" + }, + { + "description": "有一個與此檢查關聯的操作項", + "name": "打開" + }, + { + "description": "此檢查已通過驗證,並且沒有與之關聯的進一步操作項", + "name": "實現" + }, + { + "description": "建議已理解,但當前需求不需要", + "name": "不需要" + }, + { + "description": "不適用於當前設計", + "name": "不適用" + } + ], + "waf": [ + { + "name": "可靠性" + }, + { + "name": "安全" + }, + { + "name": "成本" + }, + { + "name": "操作" + }, + { + "name": "性能" + } + ], + "yesno": [ + { + "name": "是的" + }, + { + "name": "不" + } + ] +} \ No newline at end of file diff --git a/checklists/waf_checklist.en.json b/checklists/waf_checklist.en.json index ac84630b8..b4a1fa66a 100644 --- a/checklists/waf_checklist.en.json +++ b/checklists/waf_checklist.en.json 
@@ -1,9103 +1,9103 @@
 {
 "items": [
 {
- "checklist": "Azure Container Registry Security Review",
- "description": "Disable image export to prevent data exfiltration. Note that this will prevent image import of images into another ACR instance.",
- "guid": "ab91932c-9fc9-4d1b-a880-37f5e6bfcb9e",
- "link": "https://learn.microsoft.com/azure/container-registry/data-loss-prevention",
- "service": "ACR",
- "severity": "High",
- "text": "Disable Azure Container Registry image export",
- "waf": "Security"
+ "checklist": "Cognitive Services Review Checklist",
+ "guid": "21c30d25-ffb7-4f6a-b9ea-b3fec328f787",
+ "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-cog_svcs_v1.docx",
+ "service": "Cognitive Services",
+ "severity": "Medium",
+ "text": "Leverage FTA HandBook for Cognitive Services",
+ "waf": "Reliability"
 },
 {
- "checklist": "Azure Container Registry Security Review",
- "description": "Enable audit compliance visibility by enabling Azure Policy for Azure Container Registry",
- "guid": "d503547c-d447-4e82-9128-a7100f1cac6d",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy",
- "service": "ACR",
- "severity": "High",
- "text": "Enable Azure Policies for Azure Container Registry",
- "waf": "Security"
+ "checklist": "Cognitive Services Review Checklist",
+ "guid": "78c34698-16b2-4763-aefe-1b9b599de0d5",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions",
+ "service": "Cognitive Services",
+ "severity": "Medium",
+ "text": "Backup Your Prompts",
+ "waf": "Reliability"
 },
 {
- "checklist": "Azure Container Registry Security Review",
- "description": "The Azure Key Vault (AKV) is used to store a signing key that can be utilized by?notation?with the notation AKV plugin (azure-kv) to sign and verify container images and other artifacts. 
The Azure Container Registry (ACR) allows you to attach these signatures using the?az?or?oras?CLI commands.", - "guid": "d345293c-7639-4637-a551-c5c04e401955", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push", - "service": "ACR", + "checklist": "Cognitive Services Review Checklist", + "guid": "750ab2ab-039d-4a6d-95d7-c892adb107d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", + "service": "Cognitive Services", "severity": "High", - "text": "Sign and Verify containers with notation (Notary v2)", - "waf": "Security" + "text": "Business Continuity and Disaster Recovery (BCDR) considerations with Azure OpenAI Service", + "waf": "Reliability" }, { - "checklist": "Azure Container Registry Security Review", - "description": "Azure Container Registry automatically encrypts images and other artifacts that you store. By default, Azure automatically encrypts the registry content at rest by using service-managed keys. 
By using a customer-managed key, you can supplement default encryption with an additional encryption layer.", - "guid": "0bd05dc2-efd5-4d76-8d41-d2500cc47b49", - "link": "https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys", - "service": "ACR", + "checklist": "Cognitive Services Review Checklist", + "guid": "325af625-ca44-4e46-a5e2-223ace8bb123", + "link": "https://github.com/abacaj/chatgpt-backup#backup-your-chatgpt-conversations", + "service": "Cognitive Services", "severity": "Medium", - "text": "Encrypt registry with a customer managed key", - "waf": "Security" + "text": "Backup Your ChatGPT conversations", + "waf": "Reliability" }, { - "checklist": "Azure Container Registry Security Review", - "description": "Use managed identities to secure ACRPull/Push RBAC access from client applications", - "guid": "8f42d78e-79dc-47b3-9bd2-a1a27e7a8e90", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", - "service": "ACR", - "severity": "High", - "text": "Use Managed Identities to connect instead of Service Principals", - "waf": "Security" + "checklist": "Cognitive Services Review Checklist", + "guid": "07ca5f17-f154-4e3a-a369-2829e7e31618", + "link": "https://learn.microsoft.com/azure/ai-services/speech-service/how-to-custom-speech-continuous-integration-continuous-deployment", + "service": "Cognitive Services", + "severity": "Medium", + "text": "CI/CD for custom speech", + "waf": "Reliability" }, { - "checklist": "Azure Container Registry Security Review", - "description": "The local Administrator account is disabled by default and should not be enabled. 
Use either Token or RBAC-based access methods instead", - "guid": "be0e38ce-e297-411b-b363-caaab79b198d", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", - "service": "ACR", - "severity": "High", - "text": "Disable local authentication for management plane access", - "waf": "Security" + "checklist": "Cognitive Services Review Checklist", + "guid": "3687a046-7a1f-4893-9bda-43324f248116", + "link": "https://learn.microsoft.com/azure/ai-services/qnamaker/tutorials/export-knowledge-base", + "service": "Cognitive Services", + "severity": "Low", + "text": "Move a knowledge base using export-import", + "waf": "Reliability" }, { - "checklist": "Azure Container Registry Security Review", - "description": "Disable Administrator account and assign RBAC roles to principals for ACR Pull/Push operations", - "guid": "387e5ced-126c-4d13-8af5-b20c6998a646", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli", - "service": "ACR", - "severity": "High", - "text": "Assign AcrPull & AcrPush RBAC roles rather than granting Administrative access to identity principals", - "waf": "Security" + "checklist": "Azure Landing Zone Review", + "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", + "service": "Entra", + "severity": "Medium", + "text": "Use one Entra tenant for managing your Azure resources, unless you have a clear regulatory or business requirement for multi-tenants.", + "waf": "Operations" }, { - "checklist": "Azure Container Registry Security Review", - "description": "Disable anonymous pull/push access", - "guid": "e338997e-41c7-47d7-acf6-a62a1194956d", - "link": "https://learn.microsoft.com/azure/container-registry/anonymous-pull-access#configure-anonymous-pull-access", - "service": "ACR", + "checklist": "Azure Landing 
Zone Review", + "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Entra", + "severity": "Low", + "text": "Ensure you have a Multi-Tenant Automation approach to managing your Microsoft Entra ID Tenants", + "waf": "Operations" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "Entra", + "severity": "Low", + "text": "Leverage Azure Lighthouse for Multi-Tenant Management", + "waf": "Operations" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Entra", "severity": "Medium", - "text": "Disable Anonymous pull access", - "waf": "Security" + "text": "Ensure that Azure Lighthouse is used for administering the tenant by partner", + "waf": "Cost" }, { - "checklist": "Azure Container Registry Security Review", - "description": "Token authentication doesn't support assignment to an AAD principal. Any tokens provided are able to be used by anyone who can access the token", - "guid": "698dc3a2-fd27-4b2e-8870-1a1252beedf6", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication?tabs=azure-cli", - "service": "ACR", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "348ef254-c27d-442e-abba-c7571559ab91", + "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", + "service": "Entra", "severity": "High", - "text": "Disable repository-scoped access tokens", + "text": "Enforce a RBAC model that aligns to your cloud operating model. 
Scope and Assign across Management Groups and Subscriptions.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "Security" }, { - "checklist": "Azure Container Registry Security Review", - "description": "Deploy container images to an ACR behind a Private endpoint within a trusted network", - "guid": "b3bec3d4-f343-47c1-936d-b55f27a71eee", - "service": "ACR", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", + "service": "Entra", "severity": "High", - "text": "Deploy images from a trusted environment", + "text": "Only use the authentication type Work or school account for all account types. Avoid using the Microsoft account", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "Security" }, { - "checklist": "Azure Container Registry Security Review", - "description": "Only tokens with an ACR audience can be used for authentication. Used when enabling Conditional access policies for ACR", - "guid": "3a041fd3-2947-498b-8288-b3c6a56ceb54", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy", - "service": "ACR", + "checklist": "Azure Landing Zone Review", + "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "Entra", "severity": "Medium", - "text": "Disable Azure ARM audience tokens for authentication", + "text": "Only use groups to assign permissions. 
Add on-premises groups to the Entra ID only group if a group management system is already in place.", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "Security" }, { - "checklist": "Azure Container Registry Security Review", - "description": "Set up a diagnostic setting to send 'repositoryEvents' & 'LoginEvents' to Log Analytics as the central destination for logging and monitoring. This allows you to monitor control plane activity on the ACR resource itself.", - "guid": "8a488cde-c486-42bc-9bd2-1be77f26e5e6", - "link": "https://learn.microsoft.com/azure/container-registry/monitor-service", - "service": "ACR", - "severity": "Medium", - "text": "Enable diagnostics logging", + "checklist": "Azure Landing Zone Review", + "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", + "service": "Entra", + "severity": "Low", + "text": "Enforce Microsoft Entra ID conditional-access policies for any user with rights to Azure environments", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", "waf": "Security" }, { - "checklist": "Azure Container Registry Security Review", - "description": "Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch", - "guid": "21d41d25-00b7-407a-b9ea-b40fd3290798", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link", - "service": "ACR", - "severity": "Medium", - "text": "Control inbound network access with Private Link", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", + "service": "Entra", + "severity": "High", + "text": "Enforce 
multi-factor authentication for any user with rights to the Azure environments", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", "waf": "Security" }, { - "checklist": "Azure Container Registry Security Review", - "description": "Disable public network access if inbound network access is secured using Private Link", - "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks#disable-public-network-access", - "service": "ACR", + "checklist": "Azure Landing Zone Review", + "guid": "14658d35-58fd-4772-99b8-21112df27ee4", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "Entra", "severity": "Medium", - "text": "Disable Public Network access", + "text": "Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Security" }, { - "checklist": "Azure Container Registry Security Review", - "description": "Only the ACR Premium SKU supports Private Link access", - "guid": "fc833934-8b26-42d6-ac5f-512925498f6d", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-skus", - "service": "ACR", + "checklist": "Azure Landing Zone Review", + "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", + "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", + "service": "Entra", "severity": "Medium", - "text": "Use an Azure Container Registry SKU that supports Private Link (Premium SKU)", - "waf": "Security" - }, - { - "checklist": "Azure Container Registry Security Review", - "description": "Azure Defender for containers or equivalent service should be used to scan container images for vulnerabilities", - "guid": "bad37dac-43bc-46ce-8d7a-a9b24604489a", - "link": 
"https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction", - "service": "ACR", - "severity": "Low", - "text": "Enable Defender for Containers to scan Azure Container Registry for vulnerabilities", + "text": "If planning to switch from Active Directory Domain Serivces to Entra domain services, evaluate the compatibility of all workloads", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", "waf": "Security" }, { - "checklist": "Azure Container Registry Security Review", - "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.", - "guid": "4451e1a2-d345-4293-a763-9637a551c5c0", - "service": "ACR", + "checklist": "Azure Landing Zone Review", + "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", + "service": "Entra", "severity": "Medium", - "text": "Deploy validated container images", + "text": "Integrate Microsoft Entra ID logs with the platform-central Azure Monitor. 
Azure Monitor allows for a single source of truth around log and monitoring data in Azure, giving organizations a cloud native options to meet requirements around log collection and retention.", "waf": "Security" }, { - "checklist": "Azure Container Registry Security Review", - "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.", - "guid": "4e401955-387e-45ce-b126-cd132af5b20c", - "service": "ACR", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "984a859c-773e-47d2-9162-3a765a917e1f", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + "service": "Entra", "severity": "High", - "text": "Use up-to-date platforms, languages, protocols and frameworks", + "text": "Implement an emergency access or break-glass accounts to prevent tenant-wide account lockout", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Security" }, { - "checklist": "Azure Data Factory Review Checklist", - "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", - "service": "Azure Data Factory", + "checklist": "Azure Landing Zone Review", + "guid": "35037e68-9349-4c15-b371-228514f4cdff", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "Entra", "severity": "Medium", - "text": "Leverage FTA Resiliency Playbook for Azure Data Factory", - "waf": "Reliability" + "text": "Avoid using on-premises synced accounts for Microsoft Entra ID role assignments.", + "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "waf": "Security" }, { - "checklist": "Azure Data Factory Review Checklist", - "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", - "link": 
"https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", - "severity": "High", - "text": "Use zone redundant pipelines in regions that support Availability Zones", - "waf": "Reliability" + "checklist": "Azure Landing Zone Review", + "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Entra", + "severity": "Medium", + "text": "Where required, use Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications (hosted in the cloud or on-premises).", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Security" }, { - "checklist": "Azure Data Factory Review Checklist", - "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", - "link": "https://learn.microsoft.com/azure/data-factory/source-control", - "service": "Azure Data Factory", + "checklist": "Azure Landing Zone Review", + "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", + "service": "VNet", "severity": "Medium", - "text": "Use DevOps to Backup the ARM templates with Github/Azure DevOps integration ", - "waf": "Reliability" + "text": "Leverage a network design based on the traditional hub-and-spoke network topology for network scenarios that require maximum flexibility.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Security" }, { - "checklist": "Azure Data Factory Review Checklist", - "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "ammp": true, + "checklist": "Azure Landing Zone Review", + 
"guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/expressroute", + "service": "VNet", + "severity": "High", + "text": "Ensure that shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. If necessary, also deploy DNS servers.", + "waf": "Cost" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "VNet", "severity": "Medium", - "text": "Make sure you replicate the Self-Hosted Integration Runtime VMs in another region ", - "waf": "Reliability" + "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "checklist": "Azure Data Factory Review Checklist", - "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "checklist": "Azure Landing Zone Review", + "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", + "service": "NVA", "severity": "Medium", - "text": "Make sure you replicate or duplicate your network in the sister region. You have to make a copy of your Vnet in another region", + "text": "When deploying partner networking technologies or NVAs, follow the partner vendor's guidance", "waf": "Reliability" }, { - "checklist": "Azure Data Factory Review Checklist", - "description": "If your ADF Pipelines use Key Vault you don't have to do anything to replicate Key Vault. 
Key Vault is a managed service and Microsoft takes care of it for you", - "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Azure Data Factory", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", + "service": "ExpressRoute", "severity": "Low", - "text": "If using Keyvault integration, use SLA of Keyvault to understand your availablity", - "waf": "Reliability" + "text": "If you need transit between ExpressRoute and VPN gateways in hub and spoke scenarios, use Azure Route Server.", + "waf": "Security" }, { - "checklist": "Azure Data Explorer Review Checklist", - "description": "Using the correct approach to feed a datalake with cold data and having the Kusto query engine at your disposal at the same time, as in the short-term storage", - "guid": "ba7da7be-9951-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export", - "service": "Azure Data Explorer", - "text": "Leverage External Tables and Continuous data export overview to reduce costs", - "waf": "Reliability" + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", + "link": 
"https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", + "service": "ARS", + "severity": "Low", + "text": "If using Route Server, use a /27 prefix for the Route Server subnet.", + "waf": "Security" }, { - "checklist": "Azure Data Explorer Review Checklist", - "description": "Azure Data Explorer provides an optional follower capability for a leader cluster to be followed by other follower clusters for read-only access to the leader's data and metadata. Changes in the leader, such as create, append, and drop are automatically synchronized to the follower. While the leaders could span Azure regions, the follower clusters should be hosted in the same region(s) as the leader. If the leader cluster is down or databases or tables are accidentally dropped, the follower clusters will lose access until access is recovered in the leader.", - "guid": "56a22586-f490-4641-addd-ea8a377cdeb3", - "link": "https://learn.microsoft.com/azure/data-explorer/follower?tabs=csharp", - "service": "Azure Data Explorer", - "text": "To share data, explore Leader-follower cluster configuration", - "waf": "Reliability" + "checklist": "Azure Landing Zone Review", + "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", + "service": "VNet", + "severity": "Medium", + "text": "For network architectures with multiple hub-and-spoke topologies across Azure regions, use global virtual network peerings between the hub VNets to connect the regions to each other.", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", + "waf": "Performance" }, { - "checklist": "Azure Data Explorer Review Checklist", - "description": "Azure Data Explorer doesn't support automatic protection against the outage of an entire Azure region. 
This disruption can happen during a natural disaster, like an earthquake. If you require a solution for a disaster recovery situation, do the following steps to ensure business continuity. In these steps, you'll replicate your clusters, management, and data ingestion in two Azure paired regions.", - "guid": "861bb2bc-14ae-4a6e-95d8-d9a3adc218e6", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters", - "service": "Azure Data Explorer", - "text": "To protect against regional failure, create Multiple independent clusters, preferably in two Azure Paired regions", - "waf": "Reliability" + "checklist": "Azure Landing Zone Review", + "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", + "service": "VNet", + "severity": "Medium", + "text": "Use Azure Monitor for Networks to monitor the end-to-end state of the networks on Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "waf": "Operations" }, { - "checklist": "Azure Data Explorer Review Checklist", - "guid": "436b0635-cb45-4e57-a603-324ace8cc123", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities", - "service": "Azure Data Explorer", - "text": "Replicate all management activities such as creating new tables or managing user roles on each cluster.", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", + "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", + "link": 
"https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", + "severity": "Medium", + "text": "When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000)", "waf": "Reliability" }, { - "checklist": "Azure Data Explorer Review Checklist", - "guid": "18ca6017-0265-4f4b-a46a-393af7f31728", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution", - "service": "Azure Data Explorer", - "text": "Ingest data into each cluster in parallel", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", + "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", + "severity": "Medium", + "text": "Consider the limit of routes per route table (400).", "waf": "Reliability" }, { - "checklist": "Azure Data Explorer Review Checklist", - "description": "This configuration is also called 'always-on'. 
For critical application deployments with no tolerance for outages, you should use multiple Azure Data Explorer clusters across Azure paired regions.", - "guid": "58a9c279-9c42-4bb6-9d0c-65556246b338", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration", - "service": "Azure Data Explorer", - "text": "For critical application with no tolerance for outages, create Active-Active-Active (always-on) configuration", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", + "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", + "service": "VNet", + "severity": "High", + "text": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings", "waf": "Reliability" }, { - "checklist": "Azure Data Explorer Review Checklist", - "description": "This configuration is identical to the active-active-active configuration, but only involves two Azure paired regions. Configure dual ingestion, processing, and curation. Users are routed to the nearest region. 
The cluster SKU must be the same across regions.", - "guid": "563a4dc7-4a74-48b6-922a-d190916a6649", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration", - "service": "Azure Data Explorer", - "text": "For critical applications, create Active-Active configuration in two paired regions", - "waf": "Reliability" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", + "service": "ExpressRoute", + "severity": "Medium", + "text": "When you're using ExpressRoute Direct, configure MACsec in order to encrypt traffic at the layer-two level between the organization's routers and MSEE. The diagram shows this encryption in flow.", + "waf": "Security" }, { - "checklist": "Azure Data Explorer Review Checklist", - "description": "The Active-Hot configuration is similar to the Active-Active configuration in dual ingest, processing, and curation. While the standby cluster is online for ingestion, process, and curation, it isn't available to query. The standby cluster doesn't need to be in the same SKU as the primary cluster. It can be of a smaller SKU and scale, which may result in it being less performant. 
In a disaster scenario, users are redirected to the standby cluster, which can optionally be scaled up to increase performance.", - "guid": "8fadfe27-7de2-483b-8ac3-52baa9b75708", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-hot-standby-configuration", - "service": "Azure Data Explorer", - "text": "For applications, which required only read during failure, create Active-Hot standby configuration", - "waf": "Reliability" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", + "service": "ExpressRoute", + "severity": "Low", + "text": "For scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), use a VPN gateway to establish IPsec tunnels over ExpressRoute private peering.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Security" }, { - "checklist": "Azure Data Explorer Review Checklist", - "description": "This solution offers the least resiliency (highest RPO and RTO), is the lowest in cost and highest in effort. In this configuration, there's no data recovery cluster. Configure continuous export of curated data (unless raw and intermediate data is also required) to a storage account that is configured GRS (Geo Redundant Storage). A data recovery cluster is spun up if there is a disaster recovery scenario. At that time, DDLs, configuration, policies, and processes are applied. 
Data is ingested from storage with the ingestion property kustoCreationTime to over-ride the ingestion time that defaults to system time.", - "guid": "49aa8092-dc8e-4b9d-8bb7-3b26a5a67eba", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration", - "service": "Azure Data Explorer", - "text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration", - "waf": "Reliability" + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "558fd772-49b8-4211-82df-27ee412e7f98", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "ExpressRoute", + "severity": "High", + "text": "Ensure no overlapping IP address spaces across Azure regions and on-premises locations are used", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Security" }, { - "checklist": "Azure Data Explorer Review Checklist", - "description": "All database objects, policies, and configurations should be persisted in source control so they can be released to the cluster from your release automation tool.", - "guid": "5a907e1e-348e-4f25-9c27-d32e8bbac757", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", - "text": "Wrap DevOps and source control around all your code", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", - "waf": "Reliability" + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, 
resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", + "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", + "severity": "Low", + "text": "Use IP addresses from the address allocation ranges for private internets (RFC 1918).", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Security" }, { - "checklist": "Azure Data Explorer Review Checklist", - "guid": "1559ab91-53e8-4908-ae28-b84c33b6b780", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", - "text": "Design, develop, and implement validation routines to ensure all clusters are in-sync from a data perspective.", - "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", - "waf": "Reliability" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", + "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", + "severity": "High", + "text": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16)", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Performance" 
}, { - "checklist": "Azure Data Explorer Review Checklist", - "guid": "8b9fe5c4-1049-4d40-9a82-2c3474d00f18", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", - "text": "Be fully cognizant of what it takes to build a cluster from scratch. Leverage Infrastructure as a Code for your deployments", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", - "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", - "service": "AKS", - "severity": "Low", - "text": "If required for AKS Windows workloads HostProcess containers can be used", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", + "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", + "service": "VNet", + "severity": "High", + "text": "Avoid using overlapping IP address ranges for production and DR sites.", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", - "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", - "service": "AKS", - "severity": "Low", - "text": "Use KEDA if running event-driven workloads", - "waf": "Performance" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", - "link": "https://dapr.io/", - "service": "AKS", - "severity": "Low", - "text": "Use Dapr to ease microservice development", + "checklist": "Azure Landing Zone Review", + "guid": 
"153e8908-ae28-4c84-a33b-6b7808b9fe5c", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", + "service": "DNS", + "severity": "Medium", + "text": "For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution with a delegated zone for name resolution (such as 'azure.contoso.com').", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", - "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", - "link": "https://learn.microsoft.com/azure/aks/uptime-sla", - "service": "AKS", - "severity": "High", - "text": "Use the SLA-backed AKS offering", - "waf": "Reliability" + "checklist": "Azure Landing Zone Review", + "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", + "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", + "service": "DNS", + "severity": "Medium", + "text": "For environments where name resolution across Azure and on-premises is required, consider using Azure DNS Private Resolver.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", + "service": "DNS", "severity": "Low", - "text": "Use Disruption Budgets in 
your pod and deployment definitions", - "waf": "Reliability" + "text": "Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred DNS solution.", + "waf": "Operations" }, { - "checklist": "Azure AKS Review", - "guid": "3c763963-7a55-42d5-a15e-401955387e5c", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", - "service": "ACR", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "614658d3-558f-4d77-849b-821112df27ee", + "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", + "service": "DNS", "severity": "High", - "text": "If using a private registry, configure region replication to store images in multiple regions", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", - "service": "AKS", - "severity": "Low", - "text": "Use an external application such as kubecost to allocate costs to different users", - "waf": "Cost" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", - "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", - "service": "AKS", - "severity": "Low", - "text": "Use scale down mode to delete/deallocate nodes", - "waf": "Cost" + "text": "Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual machines deployed within a virtual network.", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", - 
"link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", + "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", + "service": "Bastion", "severity": "Medium", - "text": "When required use multi-instance partitioning GPU on AKS Clusters", - "waf": "Cost" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", - "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", - "service": "AKS", - "severity": "Low", - "text": "If running a Dev/Test cluster use NodePool Start/Stop", - "waf": "Cost" + "text": "Consider using Azure Bastion to securely connect to your network.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", - "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", + "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", + "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", + "service": "Bastion", "severity": "Medium", - "text": "Use Azure Policy for Kubernetes to 
ensure cluster compliance", + "text": "Use Azure Bastion in a subnet /26 or larger.", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", - "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "WAF", "severity": "Medium", - "text": "Separate applications from the control plane with user/system node pools", + "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", "severity": "Low", - "text": "Add taint to your system nodepool to make it dedicated", - "waf": "Security" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", - "link": "https://learn.microsoft.com/azure/container-registry/", - "service": "AKS", - "severity": "Medium", - "text": "Use a private 
registry for your images, such as ACR", + "text": "When using Azure Front Door and Azure Application Gateway to help protect HTTP/S apps, use WAF policies in Azure Front Door. Lock down Azure Application Gateway to receive traffic only from Azure Front Door.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Security" }, { - "checklist": "Azure AKS Review", - "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", - "link": "https://learn.microsoft.com/azure/security-center/container-security", - "service": "ACR", - "severity": "Medium", - "text": "Scan your images for vulnerabilities", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", + "severity": "High", + "text": "Deploy WAFs and other reverse proxies are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network and together with the apps that they're protecting and exposing to the internet.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", - "service": "AKS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", "severity": "High", - "text": "Define app separation requirements (namespace/nodepool/cluster)", + "text": "Use Azure DDoS Network or IP Protection plans to help protect Public IP Addresses endpoints within the virtual networks.", + "training": 
"https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", - "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", - "service": "AKS", - "severity": "Medium", - "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver", - "waf": "Security" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "b034c01e-110b-463a-b36e-e3346e57f225", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", + "service": "VNet", + "severity": "High", + "text": "Assess and review network outbound traffic configuration and strategy before the upcoming breaking change. On September 30, 2025, default outbound access for new deployments will be retired and only explicit access configurations will be allowed", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", - "link": "https://learn.microsoft.com/azure/aks/update-credentials", - "service": "AKS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", "severity": "High", - "text": "If using Service Principals for the cluster, refresh credentials periodically (like quarterly)", + "text": "Add diagnostic settings to save DDoS related logs for all the protected public IP addresses (DDoS IP or Network Protection).", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": 
"e7ba73a3-0508-4f80-806f-527db30cee96", - "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", - "service": "AKS", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli", + "service": "ExpressRoute", "severity": "Medium", - "text": "If required add Key Management Service etcd encryption", - "waf": "Security" + "text": "Ensure that you have investigated the possibility to use ExpressRoute as primary connection to Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", - "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", - "service": "AKS", - "severity": "Low", - "text": "If required consider using Confidential Compute for AKS", - "waf": "Security" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "description": "You can use AS-path prepending and connection weights to influence traffic from Azure to on-premises, and the full range of BGP attributes in your own routers to influence traffic from on-premises to Azure.", + "guid": "f29812b2-363c-4efe-879b-599de0d5973c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", + "service": "ExpressRoute", + "severity": "Medium", + "text": "When you use multiple ExpressRoute circuits, or multiple on-prem locations, make sure to optimize routing with BGP attributes, if certain paths are preferred.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" }, { - "arm-service": 
"microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", - "service": "AKS", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", + "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", + "service": "ExpressRoute", "severity": "Medium", - "text": "Consider using Defender for Containers", - "waf": "Security" + "text": "Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", - "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", - "service": "AKS", + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", + "guid": 
"7025b442-f6e9-4af6-b11f-c9574916016f", + "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", + "service": "ExpressRoute", "severity": "High", - "text": "Use managed identities instead of Service Principals", - "waf": "Security" + "text": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost.", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", - "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", - "link": "https://learn.microsoft.com/azure/aks/managed-aad", - "service": "AKS", - "severity": "Medium", - "text": "Integrate authentication with AAD (using the managed integration)", - "waf": "Security" + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", + "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", + "service": "ExpressRoute", + "severity": "High", + "text": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU.", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": 
"a2fe27b2-e287-401a-8352-beedf79b488d", - "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", - "service": "AKS", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", + "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", + "service": "ExpressRoute", "severity": "Medium", - "text": "Limit access to admin kubeconfig (get-credentials --admin)", - "waf": "Security" + "text": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", - "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", - "service": "AKS", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", "severity": "Medium", - "text": "Integrate authorization with AAD RBAC", - "waf": "Security" + "text": "For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps ports, use ExpressRoute Direct.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": 
"Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", - "service": "AKS", - "severity": "High", - "text": "Use namespaces for restricting RBAC privilege in Kubernetes", - "waf": "Security" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", + "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", + "service": "ExpressRoute", + "severity": "Medium", + "text": "When low latency is required, or throughput from on-premises to Azure must be greater than 10 Gbps, enable FastPath to bypass the ExpressRoute gateway from the data path.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", - "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", - "service": "AKS", + "arm-service": "microsoft.network/vpnGateways", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", + "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", + "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", + "service": "VPN", "severity": "Medium", - "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)", - "waf": "Security" + "text": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available).", + "training": 
"https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", - "service": "AKS", + "arm-service": "microsoft.network/vpnGateways", + "checklist": "Azure Landing Zone Review", + "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", + "service": "VPN", "severity": "Medium", - "text": "For AKS non-interactive logins use kubelogin (preview)", - "waf": "Security" + "text": "Use redundant VPN appliances on-premises (active/active or active/passive).", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", - "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", - "service": "AKS", - "severity": "Medium", - "text": "Disable AKS local accounts", - "waf": "Security" + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "718cb437-b060-2589-8856-2e93a5c6633b", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", + "service": "ExpressRoute", + "severity": "High", + "text": "If using ExpressRoute Direct, consider using ExpressRoute Local circuits to the local Azure regions to save costs", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Cost" }, { - 
"arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", - "service": "AKS", - "severity": "Low", - "text": "Configure if required Just-in-time cluster access", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", + "service": "ExpressRoute", + "severity": "Medium", + "text": "When traffic isolation or dedicated bandwidth is required, such as for separating production and nonproduction environments, use different ExpressRoute circuits. It will help you ensure isolated routing domains and alleviate noisy-neighbor risks.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", - "service": "AKS", - "severity": "Low", - "text": "Configure if required AAD conditional access for AKS", - "waf": "Security" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b30e38c3-f298-412b-8363-cefe179b599d", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", + "service": "ExpressRoute", + "severity": "Medium", + "text": "Monitor ExpressRoute availability and utilization using built-in Express Route Insights.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operations" }, { - 
"arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", - "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", - "service": "AKS", - "severity": "Low", - "text": "If required for Windows AKS workloads configure gMSA ", - "waf": "Security" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", + "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", + "service": "ExpressRoute", + "severity": "Medium", + "text": "Use Connection Monitor for connectivity monitoring across the network, especially between on-premises and Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", - "service": "AKS", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", + "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", + "link": 
"https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#challenges-of-using-multiple-expressroute-circuits",
+ "service": "ExpressRoute",
 "severity": "Medium",
- "text": "For finer control consider using a managed Kubelet Identity",
- "waf": "Security"
+ "text": "Use ExpressRoute circuits from different peering locations for redundancy.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248",
- "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/",
- "service": "AKS",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager",
+ "service": "ExpressRoute",
 "severity": "Medium",
- "text": "If using AGIC, do not share an AppGW across clusters",
+ "text": "Use site-to-site VPN as failover of ExpressRoute, especially if only using a single ExpressRoute circuit.",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant",
- "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d",
- "link": "https://learn.microsoft.com/azure/aks/http-application-routing",
- "service": "AKS",
+ "ammp": true,
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project 
id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))",
+ "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub",
+ "service": "ExpressRoute",
 "severity": "High",
- "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.",
+ "text": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated.",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9",
- "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview",
- "service": "AKS",
- "severity": "Medium",
- "text": "For Windows workloads use Accelerated Networking",
- "waf": "Performance"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant",
- "guid": "ba7da7be-9952-4914-a384-5d997cb39132",
- "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
- "service": "AKS",
+ "ammp": true,
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "d581a947-69a2-4783-942e-9df3664324c8",
+ "link": 
"https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections",
+ "service": "ExpressRoute",
 "severity": "High",
- "text": "Use the standard ALB (as opposed to the basic one)",
+ "text": "If using ExpressRoute, your on-premises routing should be dynamic: in the event of a connection failure it should converge to the remaining connection of the circuit. Load should be shared across both connections ideally as active/active, although active/passive is supported too.",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b",
- "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet",
- "service": "AKS",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8",
+ "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute",
+ "service": "ExpressRoute",
 "severity": "Medium",
- "text": "If using Azure CNI, consider using different Subnets for NodePools",
- "waf": "Security"
+ "text": "Ensure the two physical links of your ExpressRoute circuit are connected to two distinct edge devices in your network.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584",
- "link": "https://learn.microsoft.com/azure/private-link/private-link-overview",
- "service": "AKS",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd",
+ 
"service": "ExpressRoute",
 "severity": "Medium",
- "text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster",
- "waf": "Security"
+ "text": "Ensure Bidirectional Forwarding Detection (BFD) is enabled and configured on customer or provider edge routing devices.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant",
- "guid": "a0f61565-9de5-458f-a372-49c831112dbd",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
- "service": "AKS",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "669b215a-ce43-4371-8f6f-11047f6490f1",
+ "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
+ "service": "ExpressRoute",
 "severity": "High",
- "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)",
+ "text": "Connect the ExpressRoute Gateway to two or more circuits from different peering locations for higher resiliency.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6",
- "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
- "service": "AKS",
- "severity": "High",
- "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node",
- "waf": "Performance"
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ 
"checklist": "Azure Landing Zone Review",
+ "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log",
+ "service": "ExpressRoute",
+ "severity": "Medium",
+ "text": "Configure diagnostic logs and alerts for ExpressRoute virtual network gateway.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673",
- "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
- "service": "AKS",
- "severity": "High",
- "text": "If using Azure CNI, check the maximum pods/node (default 30)",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5234c93f-b651-41dd-80c1-234177b91ced",
+ "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance",
+ "service": "ExpressRoute",
+ "severity": "Medium",
+ "text": "Avoid using ExpressRoute circuits for VNet-to-VNet communication.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. 
Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .",
- "guid": "13c00567-4b1e-4945-a459-c373e7ed6162",
- "link": "https://learn.microsoft.com/azure/aks/internal-lb",
- "service": "AKS",
- "severity": "Low",
- "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)",
- "waf": "Security"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba",
- "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
- "service": "AKS",
+ "ammp": true,
+ "checklist": "Azure Landing Zone Review",
+ "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720",
+ "link": "https://learn.microsoft.com/azure/app-service/networking-features",
+ "service": "Firewall",
 "severity": "High",
- "text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)",
- "waf": "Reliability"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f",
- "link": "https://learn.microsoft.com/azure/aks/use-byo-cni",
- "service": "AKS",
- "severity": "Low",
- "text": "If required add your own CNI plugin",
+ "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364",
- "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools",
- "service": "AKS",
- "severity": "Low",
- "text": "If 
required configure Public IP per node in AKS",
- "waf": "Performance"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db",
- "link": "https://learn.microsoft.com/azure/aks/concepts-network",
- "service": "AKS",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c",
+ "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall",
+ "service": "Firewall",
 "severity": "Medium",
- "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services",
- "waf": "Reliability"
+ "text": "Create a global Azure Firewall policy to govern security posture across the global network environment and assign it to all Azure Firewall instances. Allow for granular policies to meet requirements of specific regions by delegating incremental firewall policies to local security teams via Azure role-based access control.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "ccb534e7-416e-4a1d-8e93-533b53199085",
- "link": "https://learn.microsoft.com/azure/aks/nat-gateway",
- "service": "AKS",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "655562f2-b3e4-4563-a4d8-739748b662d6",
+ "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner",
+ "service": "Firewall",
 "severity": "Low",
- "text": "Use Azure NAT Gateway as outboundType for scaling egress traffic",
- "waf": "Reliability"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b",
- "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support",
- 
"service": "AKS",
- "severity": "Medium",
- "text": "Use Dynamic allocations of IPs in order to avoid Azure CNI IP exhaustion",
- "waf": "Reliability"
+ "text": "Configure supported partner SaaS security providers within Firewall Manager if the organization wants to use such solutions to help protect outbound connections.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant",
- "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba",
- "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic",
- "service": "AKS",
+ "ammp": true,
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant",
+ "guid": "14d99880-2f88-47e8-a134-62a7d85c94af",
+ "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules",
+ "service": "Firewall",
 "severity": "High",
- "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it",
+ "text": "Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules.",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant",
- "guid": 
"c4581559-bb91-463e-a908-aed8c44ce3b2",
- "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges",
- "service": "AKS",
- "severity": "Medium",
- "text": "If using a public API endpoint, restrict the IP addresses that can access it",
+ "ammp": true,
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant",
+ "guid": "c10d51ef-f999-455d-bba0-5c90ece07447",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features",
+ "service": "Firewall",
+ "severity": "High",
+ "text": "Use Azure Firewall Premium for additional security and protection.",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
- "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d",
- "link": "https://learn.microsoft.com/azure/aks/private-clusters",
- "service": "AKS",
+ "ammp": true,
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant",
+ "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features",
+ "service": "Firewall",
 "severity": "High",
- "text": "Use private clusters if your requirements mandate it",
+ "text": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection.",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | where 
isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
- "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665",
- "link": "https://learn.microsoft.com/azure/aks/use-network-policies",
- "service": "AKS",
- "severity": "Medium",
- "text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ",
+ "ammp": true,
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant",
+ "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps",
+ "service": "Firewall",
+ "severity": "High",
+ "text": "Configure Azure Firewall IDPS mode to Deny for additional protection.",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant",
- "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a",
- "link": "https://learn.microsoft.com/azure/aks/use-network-policies",
- "service": "AKS",
+ "ammp": true,
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend 
isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant",
+ "guid": "a3784907-9836-4271-aafc-93535f8ec08b",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview",
+ "service": "Firewall",
 "severity": "High",
- "text": "Enable a Kubernetes Network Policy option (Calico/Azure)",
+ "text": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
- "service": "AKS",
- "severity": "High",
- "text": "Use Kubernetes network policies to increase intra-cluster security",
- "waf": "Security"
+ "ammp": true,
+ "checklist": "Azure Landing Zone Review",
+ "guid": "715d833d-4708-4527-90ac-1b142c7045ba",
+ "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs",
+ "service": "Firewall",
+ "severity": "Medium",
+ "text": "Add diagnostic settings to save logs, using the Resource Specific destination table, for all Azure Firewall deployments.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review", 
- "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
- "service": "AKS",
+ "ammp": true,
+ "checklist": "Azure Landing Zone Review",
+ "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa",
+ "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy",
+ "service": "Firewall",
+ "severity": "Important",
+ "text": "Migrate from Azure Firewall Classic rules (if exist) to Firewall Policy.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Operations"
+ },
+ {
+ "ammp": true,
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant",
+ "guid": "22d6419e-b627-4d95-9e7d-019fa759387f",
+ "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size",
+ "service": "Firewall",
 "severity": "High",
- "text": "Use a WAF for web workloads (UIs or APIs)",
+ "text": "Use a /26 prefix for your Azure Firewall subnets.",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project 
id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
- "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94",
- "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview",
- "service": "AKS",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7",
+ "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy",
+ "service": "Firewall",
 "severity": "Medium",
- "text": "Use DDoS Standard in the AKS Virtual Network",
- "waf": "Security"
+ "text": "Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
- "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266",
- "link": "https://learn.microsoft.com/azure/aks/http-proxy",
- "service": "AKS",
- "severity": "Low",
- "text": "If required add company HTTP Proxy",
- "waf": "Security"
+ "checklist": "Azure Landing Zone Review",
+ "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1",
+ "link": "https://learn.microsoft.com/azure/firewall/ip-groups",
+ "service": "Firewall",
+ "severity": 
"Medium",
+ "text": "Use IP Groups or IP prefixes to reduce number of IP table rules",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b",
- "link": "https://learn.microsoft.com/azure/aks/servicemesh-about",
- "service": "AKS",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a",
+ "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat",
+ "service": "Firewall",
 "severity": "Medium",
- "text": "Consider using a service mesh for advanced microservice communication management",
- "waf": "Security"
+ "text": "Avoid wildcards as a source IP for DNATS, such as * or any, you should specify source IPs for incoming DNATs",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
- "service": "AKS",
- "severity": "High",
- "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)",
- "waf": "Operations"
+ "checklist": "Azure Landing Zone Review",
+ "guid": "7371dc21-251a-47a3-af14-6e01b9da4757",
+ "link": "https://learn.microsoft.com/azure/nat-gateway/tutorial-hub-spoke-nat-firewall",
+ "service": "Firewall",
+ "severity": "Medium",
+ "text": "Prevent SNAT Port exhaustion by monitoring SNAT port usage, evaluating NAT Gateway settings, and ensuring seamless failover. 
If the port count approaches the limit, it’s a sign that SNAT exhaustion might be imminent.",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "337453a3-cc63-4963-9a65-22ac19e80696",
- "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started",
- "service": "AKS",
- "severity": "Low",
- "text": "Check regularly Azure Advisor for recommendations on your cluster",
- "waf": "Operations"
+ "checklist": "Azure Landing Zone Review",
+ "guid": "346840b8-1064-496e-8396-4b1340172d52",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection",
+ "service": "Firewall",
+ "severity": "High",
+ "text": "Enable TLS Inspection",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced",
- "link": "https://learn.microsoft.com/azure/aks/certificate-rotation",
- "service": "AKS",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories",
+ "service": "Firewall",
 "severity": "Low",
- "text": "Enable AKS auto-certificate rotation",
- "waf": "Operations"
+ "text": "Use web categories to allow or deny outbound access to specific topics.",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370",
- "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions",
- "service": "AKS",
- "severity": "High",
- "text": "Have a regular process to upgrade your kubernetes version periodically (quarterly, for example), or use the AKS autoupgrade feature",
- "waf": "Operations"
+ "checklist": "Azure Landing Zone Review",
+ "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a",
+ "link": 
"https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall",
+ "service": "Firewall",
+ "severity": "Medium",
+ "text": "As part of your TLS inspection, plan for receiving traffic from Azure App Gateways for inspection.",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82",
- "link": "https://learn.microsoft.com/azure/aks/node-updates-kured",
- "service": "AKS",
- "severity": "High",
- "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade",
- "waf": "Operations"
+ "checklist": "Azure Landing Zone Review",
+ "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad",
+ "link": "https://learn.microsoft.com/azure/firewall/dns-details",
+ "service": "Firewall",
+ "severity": "Medium",
+ "text": "Enable Azure Firewall DNS proxy configuration ",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "139c9580-ade3-426a-ba09-cf157d9f6477",
- "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade",
- "service": "AKS",
- "severity": "High",
- "text": "Have a regular process to upgrade the cluster node images periodically (weekly, for example)",
- "waf": "Operations"
+ "checklist": "Azure Landing Zone Review",
+ "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41",
+ "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp",
+ "service": "Firewall",
+ "severity": "Medium",
+ "text": "Ensure there is a policy assignment to deny Public IP addresses directly tied to Virtual Machines",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments",
- "service": 
"AKS",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da",
+ "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics",
+ "service": "Firewall",
 "severity": "Low",
- "text": "Consider gitops to deploy applications or cluster configuration to multiple clusters",
+ "text": "Integrate Azure Firewall with Azure Monitor and enable diagnostic logging to store and analyze firewall logs.",
 "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "d7672c26-7602-4482-85a4-14527fbe855c",
- "link": "https://learn.microsoft.com/azure/aks/command-invoke",
- "service": "AKS",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "64e7000e-3c06-485e-b455-ced7f454cba3",
+ "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall",
+ "service": "Firewall",
 "severity": "Low",
- "text": "Consider using AKS command invoke on private clusters",
+ "text": "Implement backups for your firewall rules",
 "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b",
- "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain",
- "service": "AKS",
- "severity": "Low",
- "text": "For planned events consider using Node Auto Drain",
- "waf": "Operations"
+ "ammp": true,
+ "checklist": "Azure Landing Zone Review",
+ "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511",
+ "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services",
+ "service": "App Gateway",
+ "severity": "High",
+ "text": "Ensure that control-plane communication for Azure PaaS services injected into a virtual network is not broken, for example with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic.",
+ "training": 
"https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", - "link": "https://learn.microsoft.com/azure/aks/faq", - "service": "AKS", - "severity": "High", - "text": "Develop own governance practices to make sure no changes are performed by operators in the node RG (aka 'infra RG')", - "waf": "Operations" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", + "link": "https://learn.microsoft.com/azure/app-service/networking-features", + "service": "ExpressRoute", + "severity": "Medium", + "text": "Access Azure PaaS services from on-premises via private endpoints and ExpressRoute private peering. This method avoids transiting over the public internet.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", - "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", - "severity": "Low", - "text": "Use custom Node RG (aka 'Infra RG') name", - "waf": "Operations" + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or 
array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", + "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", + "link": "https://learn.microsoft.com/azure/app-service/networking-features", + "service": "VNet", + "severity": "Medium", + "text": "Don't enable virtual network service endpoints by default on all subnets.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", - "link": "https://kubernetes.io/docs/setup/release/notes/", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", + "link": "https://learn.microsoft.com/azure/app-service/networking-features", + "service": "Firewall", "severity": "Medium", - "text": "Do not use deprecated Kubernetes APIs in your YAML manifests", - "waf": "Operations" + "text": "Filter egress traffic to Azure PaaS services using FQDNs instead of IP addresses in Azure Firewall or an NVA to prevent data exfiltration. 
If using Private Link you can block all FQDNs, otherwise allow only the required PaaS services.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", - "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", - "service": "AKS", - "severity": "Low", - "text": "Taint Windows nodes", - "waf": "Operations" + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", + "service": "ExpressRoute", + "severity": "High", + "text": "Use at least a /27 prefix for your Gateway subnets", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", - "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", - "service": "AKS", - "severity": "Low", - "text": "Keep windows containers patch level in sync with host patch level", - "waf": "Operations" + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project 
id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", + "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", + "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", + "service": "NSG", + "severity": "Medium", + "text": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "Via Diagnostic Settings at the cluster level", - "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", - "link": "https://learn.microsoft.com/azure/aks/monitor-aks", - "service": "AKS", - "severity": "Low", - "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution", - "waf": "Operations" + "checklist": "Azure Landing Zone Review", + "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", + "service": "NSG", + "severity": "Medium", + "text": "Use NSGs to help protect traffic across subnets, as well as east/west traffic across the 
platform (traffic between landing zones).", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", - "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", - "service": "AKS", - "severity": "Low", - "text": "If required use nodePool snapshots", - "waf": "Cost" + "checklist": "Azure Landing Zone Review", + "graph": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)", + "guid": "9c2299c4-d7b5-47d0-a655-562f2b3e4563", + "service": "NSG", + "severity": "Medium", + "text": "The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", - "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", - "service": "AKS", - "severity": "Low", - "text": "Consider spot node pools for non time-sensitive workloads", - "waf": "Operations" + "checklist": "Azure Landing Zone Review", + "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "NSG", + "severity": "Medium", + "text": "Use NSGs and application security groups to micro-segment traffic within the landing zone and avoid using a central NVA to 
filter traffic flows.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", - "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", - "severity": "Low", - "text": "Consider AKS virtual node for quick bursting", - "waf": "Operations" + "checklist": "Azure Landing Zone Review", + "guid": "dfe237de-143b-416c-91d7-aa9b64704489", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "NSG", + "severity": "Medium", + "text": "Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", - "severity": "High", - "text": "Monitor your cluster metrics with Container Insights (or other tools like Prometheus)", - "waf": "Operations" + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", + "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + 
"service": "NSG", + "severity": "Medium", + "text": "Consider the limit of NSG rules per NSG (1000).", + "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", - "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", - "severity": "High", - "text": "Store and analyze your cluster logs with Container Insights (or other tools like Telegraf/ElasticSearch)", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", + "service": "VWAN", + "severity": "Medium", + "text": "Consider Virtual WAN for simplified Azure networking management, and make sure your scenario is explicitly described in the list of Virtual WAN routing designs", + "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", - "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", - "service": "AKS", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "VWAN", "severity": "Medium", - "text": "Monitor CPU and memory utilization of the 
nodes", - "waf": "Operations" + "text": "Use a Virtual WAN hub per Azure region to connect multiple landing zones together across Azure regions via a common global Azure Virtual WAN.", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "1a4835ac-9422-423e-ae80-b123081a5417", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "VWAN", + "severity": "Low", + "text": "Follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network", + "waf": "Performance" + }, + { + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", + "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "VWAN", "severity": "Medium", - "text": "If using Azure CNI, monitor % of pod IPs consumed per node", - "waf": "Operations" + "text": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "I/O in the OS disk is a critical resource. 
If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady", - "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", - "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", - "service": "AKS", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "VWAN", "severity": "Medium", - "text": "Monitor OS disk queue depth in nodes", - "waf": "Operations" + "text": "Ensure that the network architecture is within the Azure Virtual WAN limits.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "be209d39-fda4-4777-a424-d116785c2fa5", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", + "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", + "service": "VWAN", "severity": "Medium", - "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports", + "text": "Use Azure Monitor Insights for Virtual WAN to monitor the end-to-end topology of the Virtual WAN, status, and key metrics.", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", - "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", - "service": "AKS", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", + "link": 
"https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", + "service": "VWAN", "severity": "Medium", - "text": "Subscribe to resource health notifications for your AKS cluster", - "waf": "Operations" + "text": "Make sure that your IaC deployments does not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", - "severity": "High", - "text": "Configure requests and limits in your pod specs", - "waf": "Operations" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", + "service": "VWAN", + "severity": "Medium", + "text": "Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "769ef669-1a48-435a-a942-223ece80b123", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", + "service": "VWAN", "severity": "Medium", - "text": "Enforce resource quotas for namespaces", - "waf": "Operations" + "text": "Make sure that your IaC deployments are configuring label-based propagation in Virtual WAN, otherwise connectivity between virtual hubs will be impaired.", + 
"waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "081a5417-4158-433e-a3ad-3c2de733165c", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "AKS", + "ammp": true, + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "9c75dfef-573c-461c-a698-68598595581a", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", + "service": "VWAN", "severity": "High", - "text": "Ensure your subscription has enough quota to scale out your nodepools", - "waf": "Operations" + "text": "Assign enough IP space to virtual hubs, ideally a /23 prefix.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65", - "link": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/", - "service": "AKS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "High", - "text": "Configure Liveness and Readiness probes for all deployments", - "waf": "Operations" + "text": "Leverage Azure Policy strategically, define controls for your environment, using Policy Initiatives to group related policies.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", - "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - 
"service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "Medium", - "text": "Use the Cluster Autoscaler", - "waf": "Performance" + "text": "Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", - "guid": "831c2872-c693-4b39-a887-a561bada49bc", - "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "223ace8c-b123-408c-a501-7f154e3ab369", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "Medium", + "text": "Establish Azure Policy definitions at the intermediate root management group so that they can be assigned at inherited scopes", + "waf": "Security" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "3829e7e3-1618-4368-9a04-77a209945bda", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "Medium", + "text": "Manage policy assignments at the highest appropriate level with exclusions at bottom levels, if required.", + "waf": "Security" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "43334f24-9116-4341-a2ba-527526944008", + "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", + "service": "Policy", "severity": "Low", - "text": "Customize node configuration for AKS node pools", - "waf": "Performance" + "text": "Use Azure Policy to control which services users can provision at 
the subscription/management group level", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "Medium", - "text": "Use the Horizontal Pod Autoscaler when required", - "waf": "Performance" + "text": "Use built-in policies where possible to minimize operational overhead.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they will increase the blast radius and decrease the scaling granularity", - "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", - "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", - "service": "AKS", - "severity": "High", - "text": "Consider an appropriate node size, not too large or too small", - "waf": "Performance" + "checklist": "Azure Landing Zone Review", + "description": "Assigning the Resource Policy Contributor role to specific scopes allows you to delegate policy management to relevant teams. 
For instance, a central IT team may oversee management group-level policies, while application teams handle policies for their subscriptions, enabling distributed governance with adherence to organizational standards.", + "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", + "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", + "service": "Policy", + "severity": "Medium", + "text": "Assign the built-in Resource Policy Contributor role at a particular scope to enable application-level governance.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", - "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", - "service": "AKS", - "severity": "Low", - "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster", - "waf": "Performance" + "checklist": "Azure Landing Zone Review", + "guid": "19048384-5c98-46cb-8913-156a12476e49", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "Medium", + "text": "Limit the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited scopes.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", - "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", - "service": "AKS", - "severity": "Low", - "text": "Consider subscribing to EventGrid Events for AKS automation", - "waf": "Performance" + "checklist": "Azure Landing Zone Review", + "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", + "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", + "service": 
"Policy", + "severity": "Medium", + "text": "If any data sovereignty requirements exist, Azure Policies can be deployed to enforce them", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "waf": "Security" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", + "service": "Policy", + "severity": "Medium", + "text": "For Sovereign Landing Zone, sovereignty policy baseline' policy initiative is deployed and and assigned at correct MG level.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", - "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", - "service": "AKS", - "severity": "Low", - "text": "For long running operation on an AKS cluster consider event termination", - "waf": "Performance" + "checklist": "Azure Landing Zone Review", + "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", + "service": "Policy", + "severity": "Medium", + "text": "For Sovereign Landing Zone, sovereign Control objectives to policy mapping' is documented.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", - "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", - "service": "AKS", - "severity": "Low", - "text": "If required consider using Azure Dedicated Hosts for AKS nodes", - "waf": "Performance" + "checklist": "Azure Landing Zone Review", + "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", + "service": "Policy", + "severity": "Medium", + "text": "For Sovereign Landing Zone, process is in place for CRUD of 'Sovereign Control 
objectives to policy mapping'.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", - "guid": "24367b33-6971-45b1-952b-eee0b9b588de", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", - "severity": "High", - "text": "Use ephemeral OS disks", - "waf": "Performance" + "checklist": "Azure Landing Zone Review", + "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", + "severity": "Medium", + "text": "Use a single monitor logs workspace to manage platforms centrally except where Azure role-based access control (Azure RBAC), data sovereignty requirements, or data retention policies mandate separate workspaces.", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "AKS", - "severity": "High", - "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and will generate huge logs with default AKS log rotation thresholds", - "waf": "Performance" + "checklist": "Azure Landing Zone Review", + "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", + "link": 
"https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Monitor", + "severity": "Medium", + "text": "Export logs to Azure Storage if your log retention requirements exceed twelve years. Use immutable storage with a write-once, read-many policy to make data non-erasable and non-modifiable for a user-specified interval.", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", - "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", - "service": "AKS", - "severity": "Low", - "text": "For hyper performance storage option use Ultra Disks on AKS", - "waf": "Performance" + "checklist": "Azure Landing Zone Review", + "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", + "service": "VM", + "severity": "Medium", + "text": "Monitor OS level virtual machine (VM) configuration drift using Azure Policy. 
Enabling Azure Automanage Machine Configuration audit capabilities through policy helps application team workloads to immediately consume feature capabilities with little effort.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", + "service": "VM", "severity": "Medium", - "text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, etc)", - "waf": "Performance" + "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs in Azure.", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", + "service": "VM", "severity": "Medium", - "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance reasons", - "waf": "Performance" + "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs outside of Azure using Azure 
Arc.", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", - "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "90483845-c986-4cb2-a131-56a12476e49f", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Network Watcher", "severity": "Medium", - "text": "If using Azure Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right zone or use ZRS disk for nodepools spanning multiple zones", - "waf": "Performance" + "text": "Use Network Watcher to proactively monitor traffic flows", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "Operations" }, { "checklist": "Azure Landing Zone Review", - "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", - "service": "Entra", + "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Monitor", "severity": "Medium", - "text": "Use one Entra tenant for managing your Azure resources, unless you have a clear regulatory or business requirement for multi-tenants.", + "text": "Use Azure Monitor Logs for insights and reporting.", "waf": "Operations" }, { "checklist": "Azure Landing Zone Review", - "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Entra", - "severity": "Low", - "text": "Ensure you have a Multi-Tenant Automation approach to managing your Microsoft Entra ID Tenants", + "guid": "97be9951-9048-4384-9c98-6cb2913156a1", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", + "service": "Monitor", + "severity": "Medium", + "text": "Use Azure Monitor alerts for the generation of operational alerts.", "waf": "Operations" }, { "checklist": "Azure Landing Zone Review", - "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "Entra", - "severity": "Low", - "text": "Leverage Azure Lighthouse for Multi-Tenant Management", + "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "Monitor", + "severity": "Medium", + "text": "When using Change and Inventory Tracking via Azure Automation Accounts, ensure that you have selected supported regions for linking your Log Analytics workspace and automation accounts together.", "waf": "Operations" }, { "checklist": "Azure Landing Zone Review", - "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Entra", + "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Backup", "severity": "Medium", - "text": "Ensure that Azure Lighthouse is used for administering the tenant by partner", - "waf": "Cost" + "text": "When using Azure Backup, consider the different backup types (GRS, ZRS & LRS) as the default setting is GRS", + "waf": 
"Reliability" }, { - "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "348ef254-c27d-442e-abba-c7571559ab91", - "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", - "service": "Entra", - "severity": "High", - "text": "Enforce a RBAC model that aligns to your cloud operating model. Scope and Assign across Management Groups and Subscriptions.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "VM", + "severity": "Medium", + "text": "Use Azure policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.", "waf": "Security" }, { - "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", - "service": "Entra", - "severity": "High", - "text": "Only use the authentication type Work or school account for all account types. 
Avoid using the Microsoft account", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "description": "Azure Policy's guest configuration features can audit and remediate machine settings (e.g., OS, application, environment) to ensure resources align with expected configurations, and Update Management can enforce patch management for VMs.", + "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "VM", + "severity": "Medium", + "text": "Monitor VM security configuration drift via Azure Policy.", "waf": "Security" }, { "checklist": "Azure Landing Zone Review", - "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "Entra", + "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "VM", "severity": "Medium", - "text": "Only use groups to assign permissions. Add on-premises groups to the Entra ID only group if a group management system is already in place.", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Security" + "text": "Use Azure Site Recovery for Azure-to-Azure Virtual Machines disaster recovery scenarios. 
This enables you to replicate workloads across regions.", + "waf": "Operations" }, { "checklist": "Azure Landing Zone Review", - "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", - "service": "Entra", - "severity": "Low", - "text": "Enforce Microsoft Entra ID conditional-access policies for any user with rights to Azure environments", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Security" + "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "Backup", + "severity": "Medium", + "text": "Use Azure-native backup capabilities, or an Azure-compatible, 3rd-party backup solution.", + "waf": "Operations" }, { "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", - "service": "Entra", + "guid": "826c5c45-bb79-4951-a812-e3bfbfd7326b", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "VM", "severity": "High", - "text": "Enforce multi-factor authentication for any user with rights to the Azure environments", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Security" + "text": "Leverage Availability Zones for your VMs in regions where they are supported.", + "waf": "Reliability" }, { + "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "14658d35-58fd-4772-99b8-21112df27ee4", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "Entra", - "severity": "Medium", - "text": "Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege", - "training": 
"https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Security" + "guid": "7ccb7c06-5511-42df-8177-d97f08d0337d", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "VM", + "severity": "High", + "text": "Avoid running a production workload on a single VM.", + "waf": "Reliability" }, { "checklist": "Azure Landing Zone Review", - "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", - "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", - "service": "Entra", + "guid": "84101f59-1941-4195-a270-e28034290e3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", "severity": "Medium", - "text": "If planning to switch from Active Directory Domain Serivces to Entra domain services, evaluate the compatibility of all workloads", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", - "waf": "Security" + "text": "Azure Load Balancer and Application Gateway distribute incoming network traffic across multiple resources.", + "waf": "Reliability" + }, + { + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "WAF", + "severity": "High", + "text": "Add diagnostic settings to save WAF logs from application delivery services like Azure Front Door and Azure Application Gateway. 
Regularly review the logs to check for attacks and for false positive detections.", + "waf": "Operations" }, { "checklist": "Azure Landing Zone Review", - "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", - "service": "Entra", + "guid": "7f408960-c626-44cb-a018-347c8d790cdf", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "WAF", "severity": "Medium", - "text": "Integrate Microsoft Entra ID logs with the platform-central Azure Monitor. Azure Monitor allows for a single source of truth around log and monitoring data in Azure, giving organizations a cloud native options to meet requirements around log collection and retention.", - "waf": "Security" + "text": "Send WAF logs from your application delivery services like Azure Front Door and Azure Application Gateway to Microsoft Sentinel. 
Detect attacks and integrate WAF telemetry into your overall Azure environment.", + "waf": "Operations" }, { "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "984a859c-773e-47d2-9162-3a765a917e1f", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", - "service": "Entra", + "guid": "5017f154-e3ab-4369-9829-e7e316183687", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "Key Vault", "severity": "High", - "text": "Implement an emergency access or break-glass accounts to prevent tenant-wide account lockout", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "text": "Use Azure Key Vault to store your secrets and credentials", "waf": "Security" }, { "checklist": "Azure Landing Zone Review", - "guid": "35037e68-9349-4c15-b371-228514f4cdff", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "Entra", + "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", + "guid": "a0477a20-9945-4bda-9333-4f2491163418", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", + "service": "Key Vault", "severity": "Medium", - "text": "Avoid using on-premises synced accounts for Microsoft Entra ID role assignments.", - "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "text": "Use different Azure Key Vaults for 
different applications and regions to avoid transaction scale limits and restrict access to secrets.", "waf": "Security" }, { "checklist": "Azure Landing Zone Review", - "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Entra", + "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - "text": "Where required, use Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications (hosted in the cloud or on-premises).", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", "waf": "Security" }, { "checklist": "Azure Landing Zone Review", - "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", - "service": "VNet", + "guid": "dc055bcf-619e-48a1-9f98-879525d62688", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - "text": "Leverage a network design based on the traditional hub-and-spoke network topology for network scenarios that require maximum flexibility.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "text": "Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Microsoft Entra ID roles.", "waf": "Security" }, - { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", - "link": 
"https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/expressroute", - "service": "VNet", - "severity": "High", - "text": "Ensure that shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. If necessary, also deploy DNS servers.", - "waf": "Cost" - }, { "checklist": "Azure Landing Zone Review", - "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "VNet", + "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "Automate the certificate management and renewal process with public certificate authorities to ease administration.", "waf": "Security" }, { "checklist": "Azure Landing Zone Review", - "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", + "guid": "913156a1-2476-4e49-b541-acdce979377b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - "text": "When deploying partner networking technologies or NVAs, follow the partner vendor's guidance", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", - "service": "ExpressRoute", - "severity": 
"Low", - "text": "If you need transit between ExpressRoute and VPN gateways in hub and spoke scenarios, use Azure Route Server.", + "text": "Establish an automated process for key and certificate rotation.", "waf": "Security" }, { "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", - "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", - "service": "ARS", - "severity": "Low", - "text": "If using Route Server, use a /27 prefix for the Route Server subnet.", + "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "Medium", + "text": "Enable firewall and virtual network service endpoint or private endpoint on the vault to control access to the key vault.", "waf": "Security" }, { "checklist": "Azure Landing Zone Review", - "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", - "service": "VNet", + "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", + "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", + "service": "Key Vault", "severity": "Medium", - "text": "For network architectures with multiple hub-and-spoke topologies across Azure regions, use global virtual network peerings between the hub VNets to connect the regions to each other.", - "training": 
"https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", - "waf": "Performance" + "text": "Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault.", + "waf": "Security" }, { "checklist": "Azure Landing Zone Review", - "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", - "service": "VNet", + "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - "text": "Use Azure Monitor for Networks to monitor the end-to-end state of the networks on Azure.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "waf": "Operations" + "text": "Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant configuration.", + "waf": "Security" }, { "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", - "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", + "guid": "91163418-2ba5-4275-8694-4008be7d7e48", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - "text": "When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000)", - "waf": 
"Reliability" + "text": "Use an Azure Key Vault per application per environment per region.", + "waf": "Security" }, { "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", - "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", + "guid": "25d62688-6d70-4ba6-a97b-e99519048384", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - "text": "Consider the limit of routes per route table (400).", - "waf": "Reliability" - }, - { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", - "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", - "service": "VNet", - "severity": "High", - "text": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings", - "waf": "Reliability" + "text": "If you want to bring your own keys, this might not be supported across all considered services. Implement relevant mitigation so that inconsistencies don't hinder desired outcomes. 
Choose appropriate region pairs and disaster recovery regions that minimize latency.", + "waf": "Security" }, { - "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", - "service": "ExpressRoute", + "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", + "link": "https://learn.microsoft.com/industry/sovereignty/key-management", + "service": "Key Vault", "severity": "Medium", - "text": "When you're using ExpressRoute Direct, configure MACsec in order to encrypt traffic at the layer-two level between the organization's routers and MSEE. The diagram shows this encryption in flow.", + "text": "For Sovereign Landing Zone, use Azure Key Vault managed HSM to store your secrets and credentials.", "waf": "Security" }, { - "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", - "service": "ExpressRoute", - "severity": "Low", - "text": "For scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), use a VPN gateway to establish IPsec tunnels over ExpressRoute private peering.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", + "service": "Entra", + "severity": "Medium", + "text": "Use Microsoft Entra ID reporting capabilities to generate access control audit reports.", "waf": "Security" }, { "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "558fd772-49b8-4211-82df-27ee412e7f98", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "ExpressRoute", + "guid": "09945bda-4333-44f2-9911-634182ba5275", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", + "service": "Defender", "severity": "High", - "text": "Ensure no overlapping IP address spaces across Azure regions and on-premises locations are used", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Security" - }, - { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", - "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", - "severity": "Low", - "text": "Use IP addresses from the address allocation ranges for private internets (RFC 1918).", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "text": "Enable Defender Cloud Security Posture Management for all subscriptions.", "waf": "Security" }, { "ammp": true, "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = 
addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", - "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", + "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", + "service": "Defender", "severity": "High", - "text": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16)", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Performance" + "text": "Enable a Defender Cloud Workload Protection Plan for Servers on all subscriptions.", + "waf": "Security" }, { "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", - "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", - "service": "VNet", + "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", + "service": "Defender", "severity": "High", - "text": "Avoid using overlapping IP address ranges for production and DR sites.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Reliability" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", - "service": "DNS", - "severity": "Medium", - "text": "For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution with a delegated zone for name resolution (such as 'azure.contoso.com').", - "training": 
"https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Operations" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", - "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", - "service": "DNS", - "severity": "Medium", - "text": "For environments where name resolution across Azure and on-premises is required, consider using Azure DNS Private Resolver.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", + "text": "Enable Defender Cloud Workload Protection Plans for Azure Resources on all subscriptions.", "waf": "Security" }, - { - "checklist": "Azure Landing Zone Review", - "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", - "service": "DNS", - "severity": "Low", - "text": "Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred DNS solution.", - "waf": "Operations" - }, { "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "614658d3-558f-4d77-849b-821112df27ee", - "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", - "service": "DNS", + "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", + "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", + "service": "VM", "severity": "High", - "text": "Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual machines deployed within a virtual network.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Operations" + "text": "Enable Endpoint Protection on IaaS Servers.", + "waf": "Security" }, { "checklist": "Azure Landing Zone Review", - "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", - "link": 
"https://learn.microsoft.com/azure/bastion/bastion-overview", - "service": "Bastion", + "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", + "link": "https://learn.microsoft.com/azure/security-center/", + "service": "VM", "severity": "Medium", - "text": "Consider using Azure Bastion to securely connect to your network.", + "text": "Monitor base operating system patching drift via Azure Monitor Logs and Defender for Cloud.", "waf": "Security" }, { "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", - "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", - "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", - "service": "Bastion", + "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "severity": "Medium", - "text": "Use Azure Bastion in a subnet /26 or larger.", + "text": "Connect default resource configurations to a centralized Azure Monitor Log Analytics workspace.", "waf": "Security" }, { "checklist": "Azure Landing Zone Review", - "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "WAF", + "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", + "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", + "service": "Entra", "severity": "Medium", - "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", - "training": 
"https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "text": "For Sovereign Landing Zone, transparancy logs is enabled on the Entra ID tenant.",
 "waf": "Security"
 },
 {
 "checklist": "Azure Landing Zone Review",
- "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "WAF",
- "severity": "Low",
- "text": "When using Azure Front Door and Azure Application Gateway to help protect HTTP/S apps, use WAF policies in Azure Front Door. Lock down Azure Application Gateway to receive traffic only from Azure Front Door.",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview",
+ "service": "Entra",
+ "severity": "Medium",
+ "text": "For Sovereign Landing Zone, customer Lockbox is enabled on the Entra ID tenant.",
 "waf": "Security"
 },
 {
 "ammp": true,
 "checklist": "Azure Landing Zone Review",
- "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "WAF",
+ "guid": "b03ed428-4617-4067-a787-85468b9ccf3f",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer",
+ "service": "Storage",
 "severity": "High",
- "text": "Deploy WAFs and other reverse proxies are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network and together with the apps that they're protecting and exposing to the internet.",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "text": "Secure transfer to storage accounts should be enabled",
 "waf": "Security"
 },
 {
 "ammp": true,
 "checklist": "Azure Landing Zone Review",
- "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6",
- "link": 
"https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
- "service": "VNet",
+ "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection",
+ "service": "Storage",
 "severity": "High",
- "text": "Use Azure DDoS Network or IP Protection plans to help protect Public IP Addresses endpoints within the virtual networks.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "text": "Enable container soft delete for the storage account to recover a deleted container and its contents.",
 "waf": "Security"
 },
 {
 "ammp": true,
 "checklist": "Azure Landing Zone Review",
- "guid": "b034c01e-110b-463a-b36e-e3346e57f225",
- "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access",
- "service": "VNet",
+ "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds",
+ "service": "Key Vault",
 "severity": "High",
- "text": "Assess and review network outbound traffic configuration and strategy before the upcoming breaking change. 
On September 30, 2025, default outbound access for new deployments will be retired and only explicit access configurations will be allowed",
- "waf": "Reliability"
+ "text": "Use Key Vault secrets to avoid hard-coding sensitive information such as credentials (virtual machines user passwords), certificates or keys.",
+ "waf": "Operations"
 },
 {
- "ammp": true,
- "checklist": "Azure Landing Zone Review",
- "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
- "service": "VNet",
+ "checklist": "Device Update Review",
+ "guid": "0e03f5ee-4648-423c-bb86-7239480f9171",
+ "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability",
+ "service": "Device Update for IoT Hub",
 "severity": "High",
- "text": "Add diagnostic settings to save DDoS related logs for all the protected public IP addresses (DDoS IP or Network Protection).",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Security"
- },
- {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e",
- "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli",
- "service": "ExpressRoute",
- "severity": "Medium",
- "text": "Ensure that you have investigated the possibility to use ExpressRoute as primary connection to Azure.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Performance"
- },
- {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "description": "You can use AS-path prepending and connection weights to influence traffic from Azure to on-premises, and the full range of BGP attributes in your own routers to influence traffic from on-premises to Azure.",
- "guid": 
"f29812b2-363c-4efe-879b-599de0d5973c",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing",
- "service": "ExpressRoute",
- "severity": "Medium",
- "text": "When you use multiple ExpressRoute circuits, or multiple on-prem locations, make sure to optimize routing with BGP attributes, if certain paths are preferred.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled).",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant",
- "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing",
- "service": "ExpressRoute",
- "severity": "Medium",
- "text": "Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Performance"
+ "checklist": "Device Update Review",
+ "guid": "c0c273bd-00ad-419a-9f2f-fc72fb181e55",
+ "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability",
+ "service": "Device Update for IoT Hub",
+ "severity": "High",
+ "text": "Be aware of Microsoft-initiated failovers. 
These are exercised by Microsoft in rare situations to fail over all the DPS instances from an affected region to the corresponding geo-paired region.",
+ "waf": "Reliability"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant",
- "guid": "7025b442-f6e9-4af6-b11f-c9574916016f",
- "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost",
- "service": "ExpressRoute",
+ "checklist": "Device Update Review",
+ "guid": "3af8abe6-07eb-4287-b393-6c4abe3702eb",
+ "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
+ "service": "Device Update for IoT Hub",
 "severity": "High",
- "text": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost.",
- "waf": "Cost"
+ "text": "Consider a Cross-Region DR strategy for critical workloads",
+ "waf": "Reliability"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id",
- "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local",
- "service": 
"ExpressRoute",
+ "checklist": "Device Update Review",
+ "guid": "bd91245c-fe32-4e98-a085-794a40f4bfe1",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
+ "service": "Device Update for IoT Hub",
 "severity": "High",
- "text": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU.",
- "waf": "Cost"
+ "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant",
- "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways",
- "service": "ExpressRoute",
- "severity": "Medium",
- "text": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "checklist": "Azure App Service Review",
+ "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421",
+ "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations",
+ "service": "App Services",
+ "severity": "Low",
+ "text": "Refer to baseline highly available zone-redundant web application architecture for best practices",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": 
"72e52e36-11cc-458b-9a4b-1511e43a58a9",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure",
- "service": "ExpressRoute",
+ "checklist": "Azure App Service Review",
+ "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans",
+ "service": "App Services",
 "severity": "Medium",
- "text": "For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps ports, use ExpressRoute Direct.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Performance"
+ "text": "Use Premium and Standard tiers. These tiers support staging slots and automated backups.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a",
- "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath",
- "service": "ExpressRoute",
- "severity": "Medium",
- "text": "When low latency is required, or throughput from on-premises to Azure must be greater than 10 Gbps, enable FastPath to bypass the ExpressRoute gateway from the data path.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Performance"
+ "checklist": "Azure App Service Review",
+ "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Leverage Availability Zones where regionally applicable (requires Premium v2 or v3 tier)",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/vpnGateways",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = 
(tolower(properties.sku.name) contains 'az') | distinct id, compliant",
- "guid": "4d873974-8b66-42d6-b15f-512a65498f6d",
- "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway",
- "service": "VPN",
+ "checklist": "Azure App Service Review",
+ "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check",
+ "service": "App Services",
 "severity": "Medium",
- "text": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available).",
- "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/",
+ "text": "Implement health checks",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/vpnGateways",
- "checklist": "Azure Landing Zone Review",
- "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e",
- "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable",
- "service": "VPN",
- "severity": "Medium",
- "text": "Use redundant VPN appliances on-premises (active/active or active/passive).",
- "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/",
+ "checklist": "Azure App Service Review",
+ "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Refer to backup and restore best practices for Azure App Service",
 "waf": "Reliability"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "718cb437-b060-2589-8856-2e93a5c6633b",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about",
- "service": "ExpressRoute",
+ "checklist": "Azure App Service Review",
+ "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2",
+ "link": 
"https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability",
+ "service": "App Services",
 "severity": "High",
- "text": "If using ExpressRoute Direct, consider using ExpressRoute Local circuits to the local Azure regions to save costs",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Cost"
+ "text": "Implement Azure App Service reliability best practices",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4",
- "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability",
- "service": "ExpressRoute",
- "severity": "Medium",
- "text": "When traffic isolation or dedicated bandwidth is required, such as for separating production and nonproduction environments, use different ExpressRoute circuits. It will help you ensure isolated routing domains and alleviate noisy-neighbor risks.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Security"
+ "checklist": "Azure App Service Review",
+ "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only",
+ "service": "App Services",
+ "severity": "Low",
+ "text": "Familiarize with how to move an App Service app to another region During a disaster",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Azure App Service Review",
+ "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Familiarize with reliability support in Azure App Service",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure 
Landing Zone Review",
- "guid": "b30e38c3-f298-412b-8363-cefe179b599d",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts",
- "service": "ExpressRoute",
+ "checklist": "Azure App Service Review",
+ "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on",
+ "service": "App Services",
 "severity": "Medium",
- "text": "Monitor ExpressRoute availability and utilization using built-in Express Route Insights.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Operations"
+ "text": "Ensure \"Always On\" is enabled for Function Apps running on a app service plan",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2",
- "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor",
- "service": "ExpressRoute",
+ "checklist": "Azure App Service Review",
+ "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check",
+ "service": "App Services",
 "severity": "Medium",
- "text": "Use Connection Monitor for connectivity monitoring across the network, especially between on-premises and Azure.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Operations"
+ "text": "Monitor App Service instances using Health checks",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where 
type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)",
- "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#challenges-of-using-multiple-expressroute-circuits",
- "service": "ExpressRoute",
+ "checklist": "Azure App Service Review",
+ "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview",
+ "service": "App Services",
 "severity": "Medium",
- "text": "Use ExpressRoute circuits from different peering locations for redundancy.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "text": "Monitor availability and responsiveness of web app or website using Application Insights availability tests",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager",
- "service": "ExpressRoute",
- "severity": "Medium",
- "text": "Use site-to-site VPN as failover of ExpressRoute, especially if only using a single ExpressRoute circuit.",
+ "checklist": "Azure App Service Review",
+ "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests",
+ "service": "App Services",
+ "severity": "Low",
+ "text": "Use Application Insights Standard test to monitor availability and responsiveness of web app or website",
 "waf": "Reliability"
 },
 {
- "ammp": true,
- "arm-service": 
"microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))",
- "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf",
- "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub",
- "service": "ExpressRoute",
+ "checklist": "Azure App Service Review",
+ "description": "Use Azure Key Vault to store any secrets the application needs. 
Key Vault provides a safe and audited environment for storing secrets and is well-integrated with App Service through the Key Vault SDK or App Service Key Vault References.",
+ "guid": "834ac932-223e-4ce8-8b12-3071a5416415",
+ "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
+ "service": "App Services",
 "severity": "High",
- "text": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated.",
- "waf": "Reliability"
+ "text": "Use Key Vault to store secrets",
+ "waf": "Security"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "d581a947-69a2-4783-942e-9df3664324c8",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections",
- "service": "ExpressRoute",
+ "checklist": "Azure App Service Review",
+ "description": "Use a Managed Identity to connect to Key Vault either using the Key Vault SDK or through App Service Key Vault References.",
+ "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1",
+ "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
+ "service": "App Services",
 "severity": "High",
- "text": "If using ExpressRoute, your on-premises routing should be dynamic: in the event of a connection failure it should converge to the remaining connection of the circuit. 
Load should be shared across both connections ideally as active/active, although active/passive is supported too.",
- "waf": "Reliability"
+ "text": "Use Managed Identity to connect to Key Vault",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute",
- "service": "ExpressRoute",
+ "checklist": "Azure App Service Review",
+ "description": "Store the App Service TLS certificate in Key Vault.",
+ "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Use Key Vault to store TLS certificate.",
+ "waf": "Security"
+ },
+ {
+ "checklist": "Azure App Service Review",
+ "description": "Systems that process sensitive information should be isolated. 
To do so, use separate App Service Plans or App Service Environments and consider the use of different subscriptions or management groups.",
+ "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans",
+ "service": "App Services",
 "severity": "Medium",
- "text": "Ensure the two physical links of your ExpressRoute circuit are connected to two distinct edge devices in your network.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Reliability"
+ "text": "Isolate systems that process sensitive information",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd",
- "service": "ExpressRoute",
+ "checklist": "Azure App Service Review",
+ "description": "Local disks on App Service are not encrypted and sensitive data should not be stored on those. 
(For example: D:\\\\Local and %TMP%).",
+ "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a",
+ "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access",
+ "service": "App Services",
 "severity": "Medium",
- "text": "Ensure Bidirectional Forwarding Detection (BFD) is enabled and configured on customer or provider edge routing devices.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Reliability"
+ "text": "Do not store sensitive data on local disk",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "669b215a-ce43-4371-8f6f-11047f6490f1",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
- "service": "ExpressRoute",
+ "checklist": "Azure App Service Review",
+ "description": "For authenticated web application, use a well established Identity Provider like Azure AD or Azure AD B2C. Leverage the application framework of your choice to integrate with this provider or use the App Service Authentication / Authorization feature.",
+ "guid": "919ca0b2-c121-459e-814b-933df574eccc",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization",
+ "service": "App Services",
+ "severity": "Medium",
+ "text": "Use an established Identity Provider for authentication",
+ "waf": "Security"
+ },
+ {
+ "checklist": "Azure App Service Review",
+ "description": "Deploy code to App Service from a controlled and trusted environment, like a well-managed and secured DevOps deployment pipeline. 
This avoids code that was not version controlled and verified to be deployed from a malicious host.",
+ "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5",
+ "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices",
+ "service": "App Services",
 "severity": "High",
- "text": "Connect the ExpressRoute Gateway to two or more circuits from different peering locations for higher resiliency.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Reliability"
+ "text": "Deploy from a trusted environment",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9",
- "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log",
- "service": "ExpressRoute",
- "severity": "Medium",
- "text": "Configure diagnostic logs and alerts for ExpressRoute virtual network gateway.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Operations"
+ "checklist": "Azure App Service Review",
+ "description": "Disable basic authentication for both FTP/FTPS and for WebDeploy/SCM. This disables access to these services and enforces the use of Azure AD secured endpoints for deployment. 
Note that the SCM site can also be opened using Azure AD credentials.",
+ "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d",
+ "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Disable basic authentication",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "5234c93f-b651-41dd-80c1-234177b91ced",
- "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance",
- "service": "ExpressRoute",
- "severity": "Medium",
- "text": "Avoid using ExpressRoute circuits for VNet-to-VNet communication.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Performance"
+ "checklist": "Azure App Service Review",
+ "description": "Where possible use Managed Identity to connect to Azure AD secured resources. If this is not possible, store secrets in Key Vault and connect to Key Vault using a Managed Identity instead.",
+ "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Use Managed Identity to connect to resources",
+ "waf": "Security"
 },
 {
- "ammp": true,
- "checklist": "Azure Landing Zone Review",
- "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720",
- "link": "https://learn.microsoft.com/azure/app-service/networking-features",
- "service": "Firewall",
+ "checklist": "Azure App Service Review",
+ "description": "Where using images stored in Azure Container Registry, pull these using a Managed Identity.",
+ "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry",
+ "service": "App Services", 
"severity": "High",
- "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "text": "Pull containers using a Managed Identity",
 "waf": "Security"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c",
- "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall",
- "service": "Firewall",
+ "checklist": "Azure App Service Review",
+ "description": "By configuring the diagnostic settings of App Service, you can send all telemetry to Log Analytics as the central destination for logging and monitoring. This allows you to monitor runtime activity of App Service such as HTTP logs, application logs, platform logs, ...",
+ "guid": "47768314-c115-4775-a2ea-55b46ad48408",
+ "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs",
+ "service": "App Services",
 "severity": "Medium",
- "text": "Create a global Azure Firewall policy to govern security posture across the global network environment and assign it to all Azure Firewall instances. 
Allow for granular policies to meet requirements of specific regions by delegating incremental firewall policies to local security teams via Azure role-based access control.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "text": "Send App Service runtime logs to Log Analytics",
 "waf": "Security"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "655562f2-b3e4-4563-a4d8-739748b662d6",
- "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner",
- "service": "Firewall",
- "severity": "Low",
- "text": "Configure supported partner SaaS security providers within Firewall Manager if the organization wants to use such solutions to help protect outbound connections.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "checklist": "Azure App Service Review",
+ "description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the App Service resource itself.", + "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", + "service": "App Services", + "severity": "Medium", + "text": "Send App Service activity logs to Log Analytics", "waf": "Security" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", - "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", - "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", - "service": "Firewall", - "severity": "High", - "text": "Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules.", + "checklist": "Azure App Service Review", + "description": "Control outbound network access using a combination of regional VNet integration, network security groups and UDR's. Traffic should be routed to an NVA such as Azure Firewall. 
Ensure to monitor the Firewall's logs.", + "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", + "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", + "service": "App Services", + "severity": "Medium", + "text": "Outbound network access should be controlled", "waf": "Security" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", - "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", - "link": "https://learn.microsoft.com/azure/firewall/premium-features", - "service": "Firewall", - "severity": "High", - "text": "Use Azure Firewall Premium for additional security and protection.", + "checklist": "Azure App Service Review", + "description": "You can provide a stable outbound IP by using VNet integration and using a VNet NAT Gateway or an NVA like Azure Firewall. This allows the receiving party to allow-list based on IP, should that be needed. Note that for communications towards Azure Services often there's no need to depend on the IP address and mechanics like Service Endpoints should be used instead. 
(Also the use of private endpoints on the receiving end avoids for SNAT to happen and provides a stable outbound IP range.)", + "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", + "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", + "service": "App Services", + "severity": "Low", + "text": "Ensure a stable IP for outbound communications towards internet addresses", "waf": "Security" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", - "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", - "link": "https://learn.microsoft.com/azure/firewall/premium-features", - "service": "Firewall", + "checklist": "Azure App Service Review", + "description": "Control inbound network access using a combination of App Service Access Restrictions, Service Endpoints or Private Endpoints. Different access restrictions can be required and configured for the web app itself and the SCM site.", + "guid": "0725769e-e669-41a4-a34a-c932223ece80", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "severity": "High", - "text": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection.", + "text": "Inbound network access should be controlled", "waf": "Security" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", - "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", - "service": "Firewall", + "checklist": "Azure App Service Review", + "description": "Protect against malicious inbound traffic using a Web Application Firewall like 
Application Gateway or Azure Front Door. Make sure to monitor the WAF's logs.", + "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", + "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", + "service": "App Services", "severity": "High", - "text": "Configure Azure Firewall IDPS mode to Deny for additional protection.", + "text": "Use a WAF in front of App Service", "waf": "Security" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", - "guid": "a3784907-9836-4271-aafc-93535f8ec08b", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", - "service": "Firewall", + "checklist": "Azure App Service Review", + "description": "Make sure the WAF cannot be bypassed by locking down access to only the WAF. 
Use a combination of Access Restrictions, Service Endpoints and Private Endpoints.", + "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "severity": "High", - "text": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance", + "text": "Avoid for WAF to be bypassed", "waf": "Security" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "715d833d-4708-4527-90ac-1b142c7045ba", - "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", - "service": "Firewall", + "checklist": "Azure App Service Review", + "description": "Set minimum TLS policy to 1.2 in App Service configuration.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", + "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", + "service": "App Services", "severity": "Medium", - "text": "Add diagnostic settings to save logs, using the Resource Specific destination table, for all Azure Firewall deployments.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Operations" - }, - { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", - "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", - "service": "Firewall", - "severity": "Important", - "text": "Migrate from Azure Firewall Classic rules (if exist) to Firewall Policy.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Operations" + "text": "Set minimum TLS policy to 1.2", + "waf": "Security" }, { - "ammp": 
true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", - "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", - "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", - "service": "Firewall", + "checklist": "Azure App Service Review", + "description": "Configure App Service to use HTTPS only. This causes App Service to redirect from HTTP to HTTPS. Strongly consider the use of HTTP Strict Transport Security (HSTS) in your code or from your WAF, which informs browsers that the site should only be accessed using HTTPS.", + "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", + "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", + "service": "App Services", "severity": "High", - "text": "Use a /26 prefix for your Azure Firewall subnets.", + "text": "Use HTTPS only", "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", - "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", - "service": "Firewall", - "severity": "Medium", - "text": "Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use", - "waf": "Performance" + "checklist": "Azure App Service Review", + "description": "Do not use wildcards in your CORS configuration, as this allows all origins to access the service (thereby 
defeating the purpose of CORS). Specifically only allow the origins that you expect to be able to access the service.", + "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", + "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", + "service": "App Services", + "severity": "High", + "text": "Wildcards must not be used for CORS", + "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", - "link": "https://learn.microsoft.com/azure/firewall/ip-groups", - "service": "Firewall", - "severity": "Medium", - "text": "Use IP Groups or IP prefixes to reduce number of IP table rules", - "waf": "Performance" + "checklist": "Azure App Service Review", + "description": "Remote debugging must not be turned on in production as this opens additional ports on the service which increases the attack surface. Note that the service does turn of remote debugging automatically after 48 hours.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", + "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", + "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", + "service": "App Services", + "severity": "High", + "text": "Turn off remote debugging", + "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", - "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", - "service": "Firewall", + "checklist": "Azure App Service Review", + "description": "Enable Defender for App Service. This (amongst other threats) detects communications to known malicious IP addresses. 
Review the recommendations from Defender for App Service as part of your operations.", + "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", + "service": "App Services", "severity": "Medium", - "text": "Avoid wildcards as a source IP for DNATS, such as * or any, you should specify source IPs for incoming DNATs", - "waf": "Performance" + "text": "Enable Defender for Cloud - Defender for App Service", + "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", - "link": "https://learn.microsoft.com/azure/nat-gateway/tutorial-hub-spoke-nat-firewall", - "service": "Firewall", + "checklist": "Azure App Service Review", + "description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.", + "guid": "223ece80-b123-4071-a541-6415833ea3ad", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "App Services", "severity": "Medium", - "text": "Prevent SNAT Port exhaustion by monitoring SNAT port usage, evaluating NAT Gateway settings, and ensuring seamless failover. 
If the port count approaches the limit, it’s a sign that SNAT exhaustion might be imminent.", - "waf": "Performance" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "346840b8-1064-496e-8396-4b1340172d52", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", - "service": "Firewall", - "severity": "High", - "text": "Enable TLS Inspection", - "waf": "Performance" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", - "service": "Firewall", - "severity": "Low", - "text": "Use web categories to allow or deny outbound access to specific topics.", - "waf": "Performance" + "text": "Enable DDOS Protection Standard on the WAF VNet", + "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", - "service": "Firewall", + "checklist": "Azure App Service Review", + "description": "Where using images stored in Azure Container Registry, pull these over a virtual network from Azure Container Registry using its private endpoint and the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'.", + "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", + "service": "App Services", "severity": "Medium", - "text": "As part of your TLS inspection, plan for receiving traffic from Azure App Gateways for inspection.", - "waf": "Performance" + "text": "Pull containers over a Virtual Network", + "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", - "link": "https://learn.microsoft.com/azure/firewall/dns-details", - "service": "Firewall", + "checklist": 
"Azure App Service Review", + "description": "Conduct a penetration test on the web application following the penetration testing rules of engagement.", + "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", + "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", + "service": "App Services", "severity": "Medium", - "text": "Enable Azure Firewall DNS proxy configuration ", + "text": "Conduct a penetration test", "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", - "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", - "service": "Firewall", + "checklist": "Azure App Service Review", + "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.", + "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", + "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", + "service": "App Services", "severity": "Medium", - "text": "Ensure there is a policy assignment to deny Public IP addresses directly tied to Virtual Machines", + "text": "Deploy validated code", "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", - "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", - "service": "Firewall", - "severity": "Low", - "text": "Integrate Azure Firewall with Azure Monitor and enable diagnostic logging to store and analyze firewall logs.", - "waf": "Operations" + "checklist": "Azure App Service Review", + "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.", + "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", + "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", + "service": "App Services", + "severity": "High", + "text": "Use up-to-date platforms, languages, protocols and frameworks", + "waf": "Security" 
}, { - "checklist": "Azure Landing Zone Review", - "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ", + "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", + "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", + "service": "Event Hubs", "severity": "Low", - "text": "Implement backups for your firewall rules", - "waf": "Operations" - }, - { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "App Gateway", - "severity": "High", - "text": "Ensure that control-plane communication for Azure PaaS services injected into a virtual network is not broken, for example with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "text": "Use customer-managed key option in data at rest encryption when required", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", "waf": "Security" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", - "link": "https://learn.microsoft.com/azure/app-service/networking-features", - "service": "ExpressRoute", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. 
To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail. ", + "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", + "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", + "service": "Event Hubs", "severity": "Medium", - "text": "Access Azure PaaS services from on-premises via private endpoints and ExpressRoute private peering. This method avoids transiting over the public internet.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", - "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", - "link": "https://learn.microsoft.com/azure/app-service/networking-features", - "service": "VNet", + "checklist": "Azure Event Hub Review", + "description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has manage permissions for the entire namespace. It�s recommended that you treat this rule like an administrative root account and don�t use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", + "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", + "service": "Event Hubs", "severity": "Medium", - "text": "Don't enable virtual network service endpoints by default on all subnets.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "text": "Avoid using root account when it is not necessary", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", - "link": "https://learn.microsoft.com/azure/app-service/networking-features", - "service": "Firewall", + "checklist": "Azure Event Hub Review", + "description": "Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. ", + "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", + "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", + "service": "Event Hubs", "severity": "Medium", - "text": "Filter egress traffic to Azure PaaS services using FQDNs instead of IP addresses in Azure Firewall or an NVA to prevent data exfiltration. If using Private Link you can block all FQDNs, otherwise allow only the required PaaS services.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "text": "When possible, your application should be using a managed identity to authenticate to Azure Event Hub. 
If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Security" }, { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", - "service": "ExpressRoute", + "checklist": "Azure Event Hub Review", + "description": "When creating permissions, provide fine-grained control over a client's access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped to the individual resource level e.g. 
consumer group, event hub entity, event hub namespaces, etc.", + "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", + "service": "Event Hubs", "severity": "High", - "text": "Use at least a /27 prefix for your Gateway subnets", + "text": "Use least privilege data plane RBAC", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", - "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", - "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", - "service": "NSG", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub resource logs include operational logs, virtual network and Kafka logs. 
Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.", + "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", + "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", + "service": "Event Hubs", "severity": "Medium", - "text": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity.", + "text": "Enable logging for security investigation. Use Azure Monitor to captured metrics and logs such as resource logs, runtime audit logs and Kafka logs", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", - "service": "NSG", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Event Hub traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. 
", + "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", + "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", + "service": "Event Hubs", "severity": "Medium", - "text": "Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones).", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "text": "Consider using private endpoints to access Azure Event Hub and disable public network access when applicable.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "graph": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)", - "guid": "9c2299c4-d7b5-47d0-a655-562f2b3e4563", - "service": "NSG", + "checklist": "Azure Event Hub Review", + "description": "With IP firewall, you can restrict public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. 
", + "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", + "service": "Event Hubs", "severity": "Medium", - "text": "The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "text": "Consider only allowing access to Azure Event Hub namespace from specific IP addresses or ranges", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "NSG", + "checklist": "Azure Event Hub Review", + "guid": "31d41e36-11c8-417b-8afb-c410d4391898", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", + "service": "Event Hubs", "severity": "Medium", - "text": "Use NSGs and application security groups to micro-segment traffic within the landing zone and avoid using a central NVA to filter traffic flows.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "Security" + "text": "Leverage FTA Resillency HandBook", + "waf": "Reliability" }, { - "checklist": "Azure Landing Zone Review", - "guid": "dfe237de-143b-416c-91d7-aa9b64704489", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "NSG", + "checklist": "Azure Event Hub Review", + "description": " This will be turned on automatically for a new EH namespace created from the portal with Premium, Dedicated, or Standard SKUs in a zone-enabled region. 
Both the EH metadata and the event data itself are replicated across zones", + "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", + "service": "Event Hubs", + "severity": "High", + "text": "Leverage Availability Zones if regionally applicable", + "waf": "Reliability" + }, + { + "checklist": "Azure Event Hub Review", + "guid": "20b56c56-ad58-4519-8f82-735c586bb281", + "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", + "service": "Event Hubs", "severity": "Medium", - "text": "Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "waf": "Security" + "text": "Use the Premium or Dedicated SKUs for predicable performance", + "waf": "Reliability" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", - "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "NSG", + "checklist": "Azure Event Hub Review", + "description": "The built-in geo-disaster recovery feature, when enabled, ensures that the entire configuration of anamespace (Event Hubs, Consumer Groups and settings) is continuously replicated from a primary namespace to a secondary namespace, and it allows a once-only failover move from the primary to the secondary at any time. 
Active/Passive feature is designed to make it easier to recover from and abandon a failed Azure region without having to change application configurations", + "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", + "service": "Event Hubs", + "severity": "High", + "text": "Plan for Geo Disaster Recovery using Active Passive configuration", + "waf": "Reliability" + }, + { + "checklist": "Azure Event Hub Review", + "description": "Should be used for DR configurations where an outage or loss of event data in the downed region cannot be tolerated. For these cases, follow the replication guidance and do not use the built-in geo-disaster recovery capability (active/passive). With Active/Active, Maintain multiple Event Hubs in different regions and namespaces, and events will be replicated between the hubs", + "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", + "service": "Event Hubs", "severity": "Medium", - "text": "Consider the limit of NSG rules per NSG (1000).", - "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "text": "For Business Critical Applications, use Active Active configuration", "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", - "service": "VWAN", + "checklist": "Azure Event Hub Review", + "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", + "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", + "service": "Event Hubs", "severity": "Medium", - "text": "Consider Virtual WAN for simplified Azure networking management, and make sure your scenario is explicitly described in the list of Virtual 
WAN routing designs", - "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", - "waf": "Operations" + "text": "Design Resilient Event Hubs", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "VWAN", + "checklist": "Redis Resiliency checklist", + "guid": "65285269-440b-44be-9d3e-0844276d4bdc", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", + "service": "Redis", + "severity": "High", + "text": "Enable zone redundancy for Azure Cache for Redis. Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.", + "waf": "Reliability" + }, + { + "checklist": "Redis Resiliency checklist", + "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", + "service": "Redis", "severity": "Medium", - "text": "Use a Virtual WAN hub per Azure region to connect multiple landing zones together across Azure regions via a common global Azure Virtual WAN.", - "waf": "Performance" + "text": "Configure data persistence for an Azure Cache for Redis instance. Because your cache data is stored in memory, a rare and unplanned failure of multiple nodes can cause all the data to be dropped. 
To avoid losing data completely, Redis persistence allows you to take periodic snapshots of in-memory data, and store it to your storage account.", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "VWAN", - "severity": "Low", - "text": "Follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network", - "waf": "Performance" + "checklist": "Redis Resiliency checklist", + "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", + "service": "Redis", + "severity": "Medium", + "text": "Use Geo-redundant storage account to persist Azure Cache for Redis data, or zonally redundant where geo-redundancy is not available", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", - "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "VWAN", + "checklist": "Redis Resiliency checklist", + "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", + "service": "Redis", "severity": "Medium", - "text": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "text": "Configure passive geo-replication for Premium Azure Cache for Redis 
instances. Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for cross-region disaster recovery. Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "VWAN", + "checklist": "Azure Bot Service", + "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", + "service": "Bot service", "severity": "Medium", - "text": "Ensure that the network architecture is within the Azure Virtual WAN limits.", + "text": "Follow reliability support recommendations in Azure Bot Service", "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", - "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", - "service": "VWAN", + "checklist": "Azure Bot Service", + "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", + "service": "Bot service", "severity": "Medium", - "text": "Use Azure Monitor Insights for Virtual WAN to monitor the end-to-end topology of the Virtual WAN, status, and key metrics.", - "waf": "Operations" + "text": "Deploying bots with local data residency and regional compliance", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": 
"727c77e1-b9aa-4a37-a024-129d042422c1", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", - "service": "VWAN", + "checklist": "Azure Bot Service", + "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", + "service": "Bot service", "severity": "Medium", - "text": "Make sure that your IaC deployments does not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked.", + "text": "Azure Bot Service runs in active-active mode for both global and regional services. When an outage occurs, you don't need to detect errors or manage the service. Azure Bot Service automatically performs auto failover and auto recovery in a multi-region geographical architecture. For the EU bot regional service, Azure Bot Service provides two full regions inside Europe with active/active replication to ensure redundancy. 
For the global bot service, all available regions/geographies can be served as the global footprint.", "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", - "service": "VWAN", + "checklist": "MySQL Review Checklist", + "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", + "service": "Azure MySQL", "severity": "Medium", - "text": "Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN.", + "text": "Leverage Flexible Server", "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", - "service": "VWAN", + "checklist": "MySQL Review Checklist", + "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", + "service": "Azure MySQL", + "severity": "High", + "text": "Leverage Availability Zones where regionally applicable", + "waf": "Reliability" + }, + { + "checklist": "MySQL Review Checklist", + "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", + "service": "Azure MySQL", "severity": "Medium", - "text": "Make sure that your IaC deployments are configuring label-based propagation in Virtual WAN, otherwise connectivity between virtual hubs will be impaired.", + "text": "Leverage Data-in replication for cross-region DR scenarios", "waf": "Reliability" }, { - "ammp": true, - "arm-service": 
"microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "9c75dfef-573c-461c-a698-68598595581a", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", - "service": "VWAN", + "checklist": "Logic Apps checklist", + "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", + "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", + "service": "Logic Apps", "severity": "High", - "text": "Assign enough IP space to virtual hubs, ideally a /23 prefix.", + "text": "Select the right Logic App hosting plan based on your business & SLO requirements", "waf": "Reliability" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "checklist": "Logic Apps checklist", + "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", + "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "Logic Apps", "severity": "High", - "text": "Leverage Azure Policy strategically, define controls for your environment, using Policy Initiatives to group related policies.", - "waf": "Security" + "text": "Protect logic apps from region failures with zone redundancy and availability zones", + "waf": "Reliability" }, { - "checklist": "Azure Landing Zone Review", - "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", - "severity": "Medium", - "text": "Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments.", - "waf": "Security" + "checklist": "Logic Apps checklist", + "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", + "link": 
"https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Logic Apps", + "severity": "High", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "checklist": "Azure Landing Zone Review", - "guid": "223ace8c-b123-408c-a501-7f154e3ab369", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", - "severity": "Medium", - "text": "Establish Azure Policy definitions at the intermediate root management group so that they can be assigned at inherited scopes", - "waf": "Security" + "checklist": "Logic Apps checklist", + "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", + "link": "https://learn.microsoft.com/azure/app-service/environment/intro", + "service": "Logic Apps", + "severity": "High", + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" }, { - "checklist": "Azure Landing Zone Review", - "guid": "3829e7e3-1618-4368-9a04-77a209945bda", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "checklist": "Logic Apps checklist", + "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", + "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", + "service": "Logic Apps", "severity": "Medium", - "text": "Manage policy assignments at the highest appropriate level with exclusions at bottom levels, if required.", - "waf": "Security" + "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", + "waf": "Operations" }, { - "checklist": "Azure Landing Zone Review", - "guid": "43334f24-9116-4341-a2ba-527526944008", - "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", - "service": "Policy", - "severity": "Low", - "text": 
"Use Azure Policy to control which services users can provision at the subscription/management group level", - "waf": "Security" + "checklist": "Cost Optimization Checklist", + "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", + "service": "Azure Monitor", + "severity": "Medium", + "text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "checklist": "Cost Optimization Checklist", + "guid": "45901365-d38e-443f-abcb-d868266abca2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Azure Backup", "severity": "Medium", - "text": "Use built-in policies where possible to minimize operational overhead.", - "waf": "Security" + "text": "check backup instances with the underlying datasource not found", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "description": "Assigning the Resource Policy Contributor role to specific scopes allows you to delegate policy management to relevant teams. 
For instance, a central IT team may oversee management group-level policies, while application teams handle policies for their subscriptions, enabling distributed governance with adherence to organizational standards.", - "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", - "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", - "service": "Policy", + "checklist": "Cost Optimization Checklist", + "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "VM", "severity": "Medium", - "text": "Assign the built-in Resource Policy Contributor role at a particular scope to enable application-level governance.", - "waf": "Security" + "text": "Delete or archive unassociated services (disks, nics, ip addresses etc)", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "19048384-5c98-46cb-8913-156a12476e49", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "checklist": "Cost Optimization Checklist", + "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Azure Backup", "severity": "Medium", - "text": "Limit the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited scopes.", - "waf": "Security" + "text": "Consider a good balance between site recovery storage and backup for non mission critical applications", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", - "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", - "service": "Policy", + 
"checklist": "Cost Optimization Checklist", + "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", + "service": "Azure Monitor", "severity": "Medium", - "text": "If any data sovereignty requirements exist, Azure Policies can be deployed to enforce them", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", - "waf": "Security" + "text": "Check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily cap, in addition to creating an alert when the cap is reached,ensure that you also create an alert rule to be notified when some percentage has been reached (90% for example). - consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", - "service": "Policy", + "checklist": "Cost Optimization Checklist", + "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Azure Monitor", "severity": "Medium", - "text": "For Sovereign Landing Zone, sovereignty policy baseline' policy initiative is deployed and and assigned at correct MG level.", - "waf": "Security" + "text": "Enforce a purging log policy and automation (if needed, logs can be moved to cold storage)", + 
"training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", - "service": "Policy", + "checklist": "Cost Optimization Checklist", + "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "VM", "severity": "Medium", - "text": "For Sovereign Landing Zone, sovereign Control objectives to policy mapping' is documented.", - "waf": "Security" + "text": "Check that the disks are really needed, if not: delete. If they are needed, find lower storage tiers or use backup -", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", - "service": "Policy", + "checklist": "Cost Optimization Checklist", + "guid": "d1e44a19-659d-4395-afd7-7289b835556d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Storage", "severity": "Medium", - "text": "For Sovereign Landing Zone, process is in place for CRUD of 'Sovereign Control objectives to policy mapping'.", - "waf": "Security" + "text": "Consider moving unused storage to lower tier, with customized rule - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - 
"service": "Monitor", + "checklist": "Cost Optimization Checklist", + "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "VM", "severity": "Medium", - "text": "Use a single monitor logs workspace to manage platforms centrally except where Azure role-based access control (Azure RBAC), data sovereignty requirements, or data retention policies mandate separate workspaces.", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "waf": "Operations" + "text": "Make sure advisor is configured for VM right sizing ", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Monitor", + "checklist": "Cost Optimization Checklist", + "description": "check by searching the Meter Category Licenses in the Cost analysys", + "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", + "service": "VM", "severity": "Medium", - "text": "Export logs to Azure Storage if your log retention requirements exceed twelve years. 
Use immutable storage with a write-once, read-many policy to make data non-erasable and non-modifiable for a user-specified interval.", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "Operations" + "text": "run the script on all windows VMs https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- consider implementing a policy if windows VMs are created frequently", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", - "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", + "checklist": "Cost Optimization Checklist", + "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", "service": "VM", "severity": "Medium", - "text": "Monitor OS level virtual machine (VM) configuration drift using Azure Policy. 
Enabling Azure Automanage Machine Configuration audit capabilities through policy helps application team workloads to immediately consume feature capabilities with little effort.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Operations" + "text": " this can be also put under AHUB if you already have licenses https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", + "checklist": "Cost Optimization Checklist", + "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", "service": "VM", "severity": "Medium", - "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs in Azure.", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", - "waf": "Operations" + "text": "Consolidate reserved VM families with flexibility option (no more than 4-5 families)", + "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", + "checklist": "Cost Optimization Checklist", + "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", "service": "VM", "severity": "Medium", - "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs outside of Azure using Azure Arc.", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", - "waf": "Operations" + "text": "Utilize Azure Reserved Instances: This feature allows you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "90483845-c986-4cb2-a131-56a12476e49f", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Network Watcher", + "checklist": "Cost Optimization Checklist", + "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", + "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", + "service": "VM", "severity": "Medium", - "text": "Use Network Watcher to proactively monitor traffic flows", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "Operations" + "text": "Only larger disks can be reserved => 1 TiB -", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Monitor", + "checklist": "Cost Optimization Checklist", + "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", + "service": "VM", "severity": "Medium", - "text": "Use Azure Monitor Logs for insights and reporting.", - "waf": "Operations" + "text": "After the right-sizing optimization", + "waf": "Cost" 
}, { - "checklist": "Azure Landing Zone Review", - "guid": "97be9951-9048-4384-9c98-6cb2913156a1", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", - "service": "Monitor", + "checklist": "Cost Optimization Checklist", + "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Azure SQL", "severity": "Medium", - "text": "Use Azure Monitor alerts for the generation of operational alerts.", - "waf": "Operations" + "text": "Check if applicable and enforce policy/change https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "Monitor", + "checklist": "Cost Optimization Checklist", + "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "VM", "severity": "Medium", - "text": "When using Change and Inventory Tracking via Azure Automation Accounts, ensure that you have selected supported regions for linking your Log Analytics workspace and automation accounts together.", - "waf": "Operations" + "text": "The VM + license part discount (ahub + 3YRI) is around 70% discount", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Backup", + "checklist": "Cost Optimization Checklist", + "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", + "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "VM", "severity": "Medium", - "text": "When using Azure Backup, consider the different backup types (GRS, ZRS & LRS) as the default setting is GRS", - "waf": "Reliability" + "text": "Consider using a VMSS to match demand rather than flat sizing", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "VM", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Cost Optimization Checklist", + "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "AKS", "severity": "Medium", - "text": "Use Azure policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.", - "waf": "Security" + "text": "Use AKS autoscaler to match your clusters usage (make sure the pods requirements match the scaler)", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "description": "Azure Policy's guest configuration features can audit and remediate machine settings (e.g., OS, application, environment) to ensure resources align with expected configurations, and Update Management can enforce patch management for VMs.", - "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "VM", + "checklist": "Cost Optimization Checklist", + "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", 
+ "service": "Azure Backup", "severity": "Medium", - "text": "Monitor VM security configuration drift via Azure Policy.", - "waf": "Security" + "text": "Move recovery points to vault-archive where applicable (Validate)", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", + "checklist": "Cost Optimization Checklist", + "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", + "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", + "service": "Databricks", "severity": "Medium", - "text": "Use Azure Site Recovery for Azure-to-Azure Virtual Machines disaster recovery scenarios. This enables you to replicate workloads across regions.", - "waf": "Operations" + "text": "Consider using Spot VMs with fallback where possible. 
Consider autotermination of clusters.", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "Backup", + "checklist": "Cost Optimization Checklist", + "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", + "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", + "service": "Azure Functions", "severity": "Medium", - "text": "Use Azure-native backup capabilities, or an Azure-compatible, 3rd-party backup solution.", - "waf": "Operations" + "text": "Functions - Reuse connections", + "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", + "waf": "Cost" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "826c5c45-bb79-4951-a812-e3bfbfd7326b", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "VM", - "severity": "High", - "text": "Leverage Availability Zones for your VMs in regions where they are supported.", - "waf": "Reliability" + "checklist": "Cost Optimization Checklist", + "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", + "link": "https://learn.microsoft.com/azure/automation/update-management/overview", + "service": "Azure Functions", + "severity": "Medium", + "text": "Functions - Cache data locally", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", + "waf": "Cost" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "7ccb7c06-5511-42df-8177-d97f08d0337d", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "VM", - "severity": "High", - "text": "Avoid running a production workload on a single VM.", - "waf": "Reliability" + "checklist": "Cost Optimization Checklist", + "guid": 
"4722d928-c1b1-4cd5-81e5-4a29b9de39ac", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Azure Functions", + "severity": "Medium", + "text": "Functions - Cold starts-Use the 'Run from package' functionality. This way, the code is downloaded as a single zip file. This can, for example, result in significant improvements with Javascript functions, which have a lot of node modules.Use language specific tools to reduce the package size, for example, tree shaking Javascript applications.", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "84101f59-1941-4195-a270-e28034290e3a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", + "checklist": "Cost Optimization Checklist", + "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "Azure Functions", "severity": "Medium", - "text": "Azure Load Balancer and Application Gateway distribute incoming network traffic across multiple resources.", - "waf": "Reliability" + "text": "Functions - Keep your functions warm", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Cost" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "WAF", - "severity": "High", - "text": "Add diagnostic settings to save WAF logs from application delivery services like Azure Front Door and Azure Application Gateway. 
Regularly review the logs to check for attacks and for false positive detections.", - "waf": "Operations" + "checklist": "Cost Optimization Checklist", + "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Azure Functions", + "severity": "Medium", + "text": "When using autoscale with different functions, there might be one driving all the autoscale for all the resources - consider moving it to a separate consumption plan (and consider higher plan for CPU)", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "7f408960-c626-44cb-a018-347c8d790cdf", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "WAF", + "checklist": "Cost Optimization Checklist", + "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", + "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", + "service": "Azure Functions", "severity": "Medium", - "text": "Send WAF logs from your application delivery services like Azure Front Door and Azure Application Gateway to Microsoft Sentinel. 
Detect attacks and integrate WAF telemetry into your overall Azure environment.", - "waf": "Operations" + "text": "Function apps in a given plan are all scaled together, so any issues with scaling can affect all apps in the plan.", + "waf": "Cost" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "5017f154-e3ab-4369-9829-e7e316183687", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "Key Vault", - "severity": "High", - "text": "Use Azure Key Vault to store your secrets and credentials", - "waf": "Security" + "checklist": "Cost Optimization Checklist", + "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", + "service": "Azure Functions", + "severity": "Medium", + "text": "Am I billed for 'await time'? This question is typically asked in the context of a C# function that does an async operation and waits for the result, e.g. await Task.Delay(1000) or await client.GetAsync('http://google.com'). The answer is yes - the GB second calculation is based on the start and end time of the function and the memory usage over that period. What actually happens over that time in terms of CPU activity is not factored into the calculation.One exception to this rule is if you are using durable functions. You are not billed for time spent at awaits in orchestrator functions.apply demand shaping techinques where possible (dev environments?) 
https://github.com/Azure-Samples/functions-csharp-premium-scaler", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", - "guid": "a0477a20-9945-4bda-9333-4f2491163418", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", - "service": "Key Vault", + "checklist": "Cost Optimization Checklist", + "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Front Door", "severity": "Medium", - "text": "Use different Azure Key Vaults for different applications and regions to avoid transaction scale limits and restrict access to secrets.", - "waf": "Security" + "text": "Frontdoor - Turn off the default homepageIn the application settings of your App, set AzureWebJobsDisableHomepage to true. 
This will return a 204 (No Content) to the PoP so only header data is returned.", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "Cost Optimization Checklist", + "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Front Door", "severity": "Medium", - "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", - "waf": "Security" + "text": "Frontdoor - Route to something that returns nothing. Either set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. The advantage of this is you will be able to log out when it is called.", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "dc055bcf-619e-48a1-9f98-879525d62688", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "Cost Optimization Checklist", + "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", + "service": "Storage", "severity": "Medium", - "text": "Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Microsoft Entra ID roles.", - "waf": "Security" + "text": "Consider archiving tiers for less used data", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "Cost Optimization Checklist", + "guid": 
"a2ed27b2-d186-4f1a-8252-bddde68a487c", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "VM", "severity": "Medium", - "text": "Automate the certificate management and renewal process with public certificate authorities to ease administration.", - "waf": "Security" + "text": "Check disk sizes where the size does not match the tier (i.e. A 513 GiB disk will pay a P30 (1TiB) and consider resizing", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "913156a1-2476-4e49-b541-acdce979377b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "Cost Optimization Checklist", + "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "Storage", "severity": "Medium", - "text": "Establish an automated process for key and certificate rotation.", - "waf": "Security" + "text": "Consider using standard SSD rather than Premium or Ultra where possible", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "Cost Optimization Checklist", + "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "Storage", "severity": "Medium", - "text": "Enable firewall and virtual network service endpoint or private endpoint on the vault to control access to the key vault.", - "waf": "Security" + "text": "For storage accounts, make sure that the chosen tier is not adding up transaction charges (it might be cheaper to move to the next tier)", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": 
"17d6326a-f625-4ca4-9e56-95f2223ace8c", - "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", - "service": "Key Vault", + "checklist": "Cost Optimization Checklist", + "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "Site Recovery", "severity": "Medium", - "text": "Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault.", - "waf": "Security" + "text": "For ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput allow it", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "Cost Optimization Checklist", + "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", + "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", + "service": "Storage", "severity": "Medium", - "text": "Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant configuration.", - "waf": "Security" + "text": "Storage accounts: check hot tier and/or GRS necessary", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "91163418-2ba5-4275-8694-4008be7d7e48", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "Cost Optimization Checklist", + "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "VM", "severity": "Medium", - "text": "Use an Azure Key Vault per application per environment per region.", - "waf": "Security" + "text": "Disks - validate use of Premium SSD disks everywhere: for example, non-prod could swap to Standard 
SSD or on-demand Premium SSD ", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "25d62688-6d70-4ba6-a97b-e99519048384", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "Cost Optimization Checklist", + "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "Synapse", "severity": "Medium", - "text": "If you want to bring your own keys, this might not be supported across all considered services. Implement relevant mitigation so that inconsistencies don't hinder desired outcomes. Choose appropriate region pairs and disaster recovery regions that minimize latency.", - "waf": "Security" + "text": "Create budgets to manage costs and create alerts that automatically notify stakeholders of spending anomalies and overspending risks.", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", - "link": "https://learn.microsoft.com/industry/sovereignty/key-management", - "service": "Key Vault", + "checklist": "Cost Optimization Checklist", + "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "Synapse", "severity": "Medium", - "text": "For Sovereign Landing Zone, use Azure Key Vault managed HSM to store your secrets and credentials.", - "waf": "Security" + "text": "Export cost data to a storage account for additional data analysis.", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", - "service": "Entra", + "checklist": "Cost Optimization Checklist", + "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + 
"service": "Synapse", "severity": "Medium", - "text": "Use Microsoft Entra ID reporting capabilities to generate access control audit reports.", - "waf": "Security" + "text": "Control costs for a dedicated SQL pool by pausing the resource when it is not in use.", + "waf": "Cost" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "09945bda-4333-44f2-9911-634182ba5275", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", - "service": "Defender", - "severity": "High", - "text": "Enable Defender Cloud Security Posture Management for all subscriptions.", - "waf": "Security" + "checklist": "Cost Optimization Checklist", + "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", + "service": "Synapse", + "severity": "Medium", + "text": "Enable the serverless Apache Spark automatic pause feature and set your timeout value accordingly.", + "waf": "Cost" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", - "service": "Defender", - "severity": "High", - "text": "Enable a Defender Cloud Workload Protection Plan for Servers on all subscriptions.", - "waf": "Security" + "checklist": "Cost Optimization Checklist", + "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Synapse", + "severity": "Medium", + "text": "Create multiple Apache Spark pool definitions of various sizes.", + "waf": "Cost" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", - "service": "Defender", - 
"severity": "High", - "text": "Enable Defender Cloud Workload Protection Plans for Azure Resources on all subscriptions.", - "waf": "Security" + "checklist": "Cost Optimization Checklist", + "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "service": "Synapse", + "severity": "Medium", + "text": "Purchase Azure Synapse commit units (SCU) for one year with a pre-purchase plan to save on your Azure Synapse Analytics costs.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", - "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", + "checklist": "Cost Optimization Checklist", + "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", "service": "VM", - "severity": "High", - "text": "Enable Endpoint Protection on IaaS Servers.", - "waf": "Security" + "severity": "Medium", + "text": "Use Spot VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", - "link": "https://learn.microsoft.com/azure/security-center/", + "checklist": "Cost Optimization Checklist", + "guid": "544451e1-92d3-4442-a3c7-628637a551c5", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", "service": "VM", "severity": "Medium", - "text": "Monitor base operating system patching drift via Azure Monitor Logs and 
Defender for Cloud.", - "waf": "Security" + "text": "Right-sizing all VMs", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", + "checklist": "Cost Optimization Checklist", + "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "VM", "severity": "Medium", - "text": "Connect default resource configurations to a centralized Azure Monitor Log Analytics workspace.", - "waf": "Security" + "text": "Swap VM sized with normalized and most recent sizes", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", - "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", - "service": "Entra", + "checklist": "Cost Optimization Checklist", + "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", "severity": "Medium", - "text": "For Sovereign Landing Zone, transparancy logs is enabled on the Entra ID tenant.", - "waf": "Security" + "text": "right-sizing VMs - start with monitoring usage below 5% and then work up to 40%", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", - "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", - "service": "Entra", + "checklist": "Cost Optimization Checklist", + "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": 
"VM", "severity": "Medium", - "text": "For Sovereign Landing Zone, customer Lockbox is enabled on the Entra ID tenant.", - "waf": "Security" + "text": "Containerizing an application can improve VM density and save money on scaling it", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Cost" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Storage", - "severity": "High", - "text": "Secure transfer to storage accounts should be enabled", - "waf": "Security" + "checklist": "Azure Data Factory Review Checklist", + "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", + "service": "Azure Data Factory", + "severity": "Medium", + "text": "Leverage FTA Resiliency Playbook for Azure Data Factory", + "waf": "Reliability" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", - "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", - "service": "Storage", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "severity": "High", - "text": "Enable container soft delete for the storage account to recover a deleted container and its contents.", - "waf": "Security" + "text": "Use zone redundant pipelines in regions that support Availability Zones", + "waf": "Reliability" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", - "service": "Key Vault", - "severity": "High", - "text": "Use Key Vault secrets to avoid hard-coding sensitive information such as credentials (virtual machines user passwords), certificates or keys.", - "waf": "Operations" + "checklist": "Azure Data Factory Review Checklist", + "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", + "link": "https://learn.microsoft.com/azure/data-factory/source-control", + "service": "Azure Data Factory", + "severity": "Medium", + "text": "Use DevOps to Backup the ARM templates with Github/Azure DevOps integration ", + "waf": "Reliability" }, { - "checklist": "Azure API Management Review", - "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", - "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", - "service": "APIM", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "severity": "Medium", - "text": "Implement an error handling policy at the global level", - "waf": "Operations" + "text": "Make sure you replicate the Self-Hosted Integration Runtime VMs in another region ", + "waf": "Reliability" }, { - "checklist": "Azure API Management Review", - "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", - "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", - "service": "APIM", + "checklist": "Azure Data Factory Review Checklist", + "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "severity": "Medium", - "text": "Ensure all APIs policies 
include a element.", - "waf": "Operations" + "text": "Make sure you replicate or duplicate your network in the sister region. You have to make a copy of your Vnet in another region", + "waf": "Reliability" }, { - "checklist": "Azure API Management Review", - "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", - "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", - "service": "APIM", - "severity": "Medium", - "text": "Use Policy Fragments to avoid repeating same policies definitions across multiple APIs", - "waf": "Operations" + "checklist": "Azure Data Factory Review Checklist", + "description": "If your ADF Pipelines use Key Vault you don't have to do anything to replicate Key Vault. Key Vault is a managed service and Microsoft takes care of it for you", + "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Azure Data Factory", + "severity": "Low", + "text": "If using Keyvault integration, use SLA of Keyvault to understand your availablity", + "waf": "Reliability" }, { - "checklist": "Azure API Management Review", - "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", - "link": "https://learn.microsoft.com/azure/api-management/monetization-support", - "service": "APIM", + "checklist": "Azure Application Delivery Networking", + "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Front Door", "severity": "Medium", - "text": "If you are planning to monetize your APIs, review the 'monetization support' article for best practices", - "waf": "Operations" - }, - { - "checklist": "Azure API Management Review", - "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", - "service": "APIM", - "severity": "High", - "text": 
"Enable Diagnostics Settings to export logs to Azure Monitor", + "text": "If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. Reduce the risk of outages caused by manual certificate renewal", "waf": "Operations" }, { - "checklist": "Azure API Management Review", - "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", - "service": "APIM", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", + "guid": "553585a6-abe0-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "App Gateway", "severity": "Medium", - "text": "Enable Application Insights for more detailed telemetry", - "waf": "Operations" + "text": "Ensure you are using Application Gateway v2 SKU", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Security" }, { - "checklist": "Azure API Management Review", - "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", - "service": "APIM", - "severity": "High", - "text": "Configure alerts on the most critical metrics", - "waf": "Operations" + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", + "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Load Balancer", + "severity": "Medium", + "text": "Ensure you are using the Standard SKU for your Azure Load Balancers", + "waf": "Security" }, { - "checklist": "Azure API Management 
Review", - "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", - "service": "APIM", - "severity": "High", - "text": "Ensure that custom SSL certificates are stored an Azure Key Vault so they can be securely accessed and updated", + "checklist": "Azure Application Delivery Networking", + "guid": "9432621a-8397-4654-a882-5bc856b7ef83", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", + "service": "Load Balancer", + "severity": "Medium", + "text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).", "waf": "Security" }, { - "checklist": "Azure API Management Review", - "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", - "service": "APIM", - "severity": "High", - "text": "Protect incoming requests to APIs (data plane) with Azure AD", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = 
split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", + "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "App Gateway", + "severity": "Medium", + "text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Security" }, { - "checklist": "Azure API Management Review", - "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", - "service": "APIM", + "checklist": "Azure Application Delivery Networking", + "description": "Administration of reverse proxies in general and WAF in particular is closer to the application than to networking, so they belong in the same subscription as the app. 
Centralizing the Application Gateway and WAF in the connectivity subscription might be OK if it is managed by one single team.", + "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", "severity": "Medium", - "text": "Use Microsoft Entra ID to authenticate users in the Developer Portal", + "text": "Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound HTTP(S) connections within the landing-zone virtual network and with the apps that they're securing.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Security" }, { - "checklist": "Azure API Management Review", - "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", - "service": "APIM", + "checklist": "Azure Application Delivery Networking", + "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", "severity": "Medium", - "text": "Create appropriate groups to control the visibility of the products", + "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Security" }, { - "checklist": "Azure API Management Review", - "guid": "06862505-2d9a-4874-9491-2837b00a3475", - "link": "https://learn.microsoft.com/azure/api-management/backends", - "service": "APIM", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", + "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", + "link": 
"https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", + "service": "App Gateway", "severity": "Medium", - "text": "Use Backends feature to eliminate redundant API backend configurations", - "waf": "Operations" + "text": "Configure autoscaling with a minimum amount of instances of two.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Reliability" }, { - "checklist": "Azure API Management Review", - "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", - "service": "APIM", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", + "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", + "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", + "service": "App Gateway", "severity": "Medium", - "text": "Use Named Values to store common values that can be used in policies", - "waf": "Operations" + "text": "Deploy Application Gateway across Availability Zones", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Reliability" }, { - "checklist": "Azure API Management Review", - "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", - "service": "APIM", + "checklist": "Azure Application Delivery Networking", + "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Front Door", "severity": "Medium", - "text": "For DR, leverage the premium tier with deployments scaled across two or more regions for 99.99% SLA", - "waf": "Reliability" + "text": "Use Azure Front 
Door with WAF policies to deliver and help protect global HTTP/S apps that span multiple Azure regions.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "checklist": "Azure API Management Review", - "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", - "link": "https://learn.microsoft.com/azure/api-management/high-availability", - "service": "APIM", + "checklist": "Azure Application Delivery Networking", + "guid": "3f29812b-2363-4cef-b179-b599de0d5973", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "Front Door", "severity": "Medium", - "text": "Deploy at least one unit in two or more availability zones for an increased SLA of 99.99%", - "waf": "Reliability" + "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. Lock down Application Gateway to receive traffic only from Front Door.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "checklist": "Azure API Management Review", - "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", - "service": "APIM", + "ammp": true, + "arm-service": "microsoft.network/trafficManagerProfiles", + "checklist": "Azure Application Delivery Networking", + "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Traffic Manager", "severity": "High", - "text": "Ensure there is an automated backup routine", + "text": "Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.", + "training": 
"https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Reliability" }, { - "checklist": "Azure API Management Review", - "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", - "link": "https://learn.microsoft.com/azure/api-management/retry-policy", - "service": "APIM", + "checklist": "Azure Application Delivery Networking", + "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", + "severity": "Low", + "text": "If users only need access to internal applications, has Microsoft Entra ID Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "waf": "Security" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", "severity": "Medium", - "text": "Use Policies to add a fail-over backend URL and caching to reduce failing calls.", - "waf": "Reliability" + "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications.", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Security" }, { - "checklist": "Azure API Management Review", - "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", - "service": "APIM", - "severity": "Low", - "text": "If you need to log at high performance levels, consider Event Hubs policy", - "waf": "Operations" + "ammp": true, + "checklist": "Azure 
Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "ae248989-b306-4591-9186-de482e3f0f0e", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "Front Door", + "severity": "High", + "text": "Deploy your WAF policy for Front Door in 'Prevention' mode.", + "waf": "Security" }, { - "checklist": "Azure API Management Review", - "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", - "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", - "service": "APIM", - "severity": "Medium", - "text": "Apply throttling policies to control the number of requests per second", - "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", - "waf": "Performance" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "Front Door", + "severity": "High", + "text": "Avoid combining Azure Traffic Manager and Azure Front Door.", + "waf": "Security" }, { - "checklist": "Azure API Management Review", - "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", - "service": "APIM", - "severity": "Medium", - "text": 
"Configure autoscaling to scale out the number of instances when the load increases", - "waf": "Performance" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "Front Door", + "severity": "High", + "text": "Use the same domain name on Azure Front Door and your origin. Mismatched host names can cause subtle bugs.", + "waf": "Security" }, { - "checklist": "Azure API Management Review", - "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", - "service": "APIM", - "severity": "Medium", - "text": "Deploy self-hosted gateways where Azure doesn't have a region close to the backend APIs.", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", + "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "Front Door", + "severity": "Low", + "text": "Disable health probes when there is only one origin in an Azure Front Door origin group.", "waf": "Performance" }, { - 
"checklist": "Azure API Management Review", - "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", - "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", - "service": "APIM", + "checklist": "Azure Application Delivery Networking", + "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "Front Door", "severity": "Medium", - "text": "Use the premium tier for production workloads.", + "text": "Select good health probe endpoints for Azure Front Door. Consider building health endpoints that check all of your application's dependencies.", "waf": "Reliability" }, { - "checklist": "Azure API Management Review", - "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", - "service": "APIM", - "severity": "Medium", - "text": "In multi-region model, use Policies to route the requests to regional backends based on availability or latency.", - "waf": "Reliability" + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", + "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "Front Door", + "severity": "Low", + "text": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application.", + "waf": "Performance" }, { - "checklist": "Azure API Management Review", - "guid": 
"46f07d33-ef9a-44e8-8f98-67c097c5d8cd", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", - "service": "APIM", + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", + "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "Load Balancer", "severity": "High", - "text": "Be aware of APIM's limits", + "text": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability", "waf": "Reliability" }, { - "checklist": "Azure API Management Review", - "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", - "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", - "service": "APIM", + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", + "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "Front Door", "severity": "High", - "text": "Ensure that the self-hosted gateway deployments are resilient.", - "waf": "Reliability" + "text": "Use managed TLS certificates with Azure Front Door. 
Reduce operational cost and risk of outages due to certificate renewals.", + "waf": "Operations" }, { - "checklist": "Azure API Management Review", - "guid": "7519e385-a88b-4d34-966b-6269d686e890", - "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", - "service": "APIM", + "checklist": "Azure Application Delivery Networking", + "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", + "service": "Front Door", "severity": "Medium", - "text": "Use Azure Front Door in front of APIM for multi-region deployment", - "waf": "Performance" + "text": "Define your Azure Front Door WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.", + "waf": "Operations" }, { - "checklist": "Azure API Management Review", - "guid": "cd45c90e-7690-4753-930b-bf290c69c074", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", - "service": "APIM", - "severity": "Medium", - "text": "Deploy the service within a Virtual Network (VNet)", + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", + "service": "Front Door", + "severity": "High", + "text": "Use end-to-end TLS with Azure Front Door. 
Use TLS for connections from your clients to Front Door, and from Front Door to your origin.", "waf": "Security" }, { - "checklist": "Azure API Management Review", - "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", - "service": "APIM", + "checklist": "Azure Application Delivery Networking", + "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", + "service": "Front Door", "severity": "Medium", - "text": "Deploy network security groups (NSG) to your subnets to restrict or monitor traffic to/from APIM.", + "text": "Use HTTP to HTTPS redirection with Azure Front Door. Support older clients by redirecting them to an HTTPS request automatically.", "waf": "Security" }, { - "checklist": "Azure API Management Review", - "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", - "service": "APIM", - "severity": "Medium", - "text": "Deploy Private Endpoints to filter incoming traffic when APIM is not deployed to a VNet.", + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", + "service": "Front Door", + "severity": "High", + "text": "Enable the Azure Front Door WAF. 
Protect your application from a range of attacks.", "waf": "Security" }, { - "checklist": "Azure API Management Review", - "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", - "service": "APIM", + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", + "service": "Front Door", "severity": "High", - "text": "Disable Public Network Access", + "text": "Tune the Azure Front Door WAF for your workload. Reduce false positive detections.", "waf": "Security" }, { - "checklist": "Azure API Management Review", - "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", - "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", - "service": "APIM", - "severity": "Medium", - "text": "Simplify management with PowerShell automation scripts", - "waf": "Operations" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "Front Door", + "severity": "High", + "text": "Enable request body inspection feature enabled in Azure Front Door WAF policy.", + "waf": "Security" }, { - "checklist": "Azure API Management Review", - "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", - "service": "APIM", - "severity": "Medium", - "text": "Configure APIM via Infrastructure-as-code. 
Review DevOps best practices from the Cloud Adaption Framework APIM Landing Zone Accelerator", - "waf": "Operations" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", + "service": "Front Door", + "severity": "High", + "text": "Enable the Azure Front Door WAF default rule sets. The default rule sets detect and block common attacks.", + "waf": "Security" }, { - "checklist": "Azure API Management Review", - "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", - "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", - "service": "APIM", - "severity": "Medium", - "text": "Promote usage of Visual Studio Code APIM extension for faster API development", - "waf": "Operations" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", + "service": "Front Door", + "severity": "High", + "text": "Enable the Azure Front Door WAF bot protection rule set. The bot rules detect good and bad bots.", + "waf": "Security" }, { - "checklist": "Azure API Management Review", - "guid": "354f1c03-8112-4965-85ad-c0074bddf231", - "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", - "service": "APIM", + "checklist": "Azure Application Delivery Networking", + "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", + "service": "Front Door", "severity": "Medium", - "text": "Implement DevOps and CI/CD in your workflow", - "waf": "Operations" + "text": "Use the latest Azure Front Door WAF rule set version. 
Rule set updates are regularly updated to take account of the current threat landscape.", + "waf": "Security" }, { - "checklist": "Azure API Management Review", - "guid": "b6439493-426a-45f3-9697-cf65baee208d", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", - "service": "APIM", + "checklist": "Azure Application Delivery Networking", + "guid": "b9620385-1cde-418f-914b-a84a06982ffc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", + "service": "Front Door", "severity": "Medium", - "text": "Secure APIs using client certificate authentication", + "text": "Add rate limiting to the Azure Front Door WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", "waf": "Security" }, { - "checklist": "Azure API Management Review", - "guid": "2a67d143-1033-4c0a-8732-680896478f08", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", - "service": "APIM", + "checklist": "Azure Application Delivery Networking", + "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", + "service": "Front Door", "severity": "Medium", - "text": "Secure backend services using client certificate authentication", + "text": "Use a high threshold for Azure Front Door WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. 
", "waf": "Security" }, { - "checklist": "Azure API Management Review", - "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", - "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", - "service": "APIM", - "severity": "Medium", - "text": "Review 'Recommendations to mitigate OWASP API Security Top 10 threats' article and check what is applicable to your APIs", + "checklist": "Azure Application Delivery Networking", + "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", + "service": "Front Door", + "severity": "Low", + "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", "waf": "Security" }, { - "checklist": "Azure API Management Review", - "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", - "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", - "service": "APIM", + "checklist": "Azure Application Delivery Networking", + "guid": "00acd8a9-6975-414f-8491-2be6309893b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", + "service": "Front Door", "severity": "Medium", - "text": "Use Authorizations feature to simplify management of OAuth 2.0 token for your backend APIs", + "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. 
Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", "waf": "Security" }, { - "checklist": "Azure API Management Review", - "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", - "service": "APIM", + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", + "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", + "service": "App Gateway", "severity": "High", - "text": "Use the latest TLS version when encrypting information in transit. 
Disable outdated and unnecessary protocols and ciphers when possible.", + "text": "Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots.", "waf": "Security" }, { - "checklist": "Azure API Management Review", - "guid": "f8af3d94-1d2b-4070-846f-849197524258", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", - "service": "APIM", + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "App Gateway", "severity": "High", - "text": "Ensure that secrets (Named values) are stored an Azure Key Vault so they can be securely accessed and updated", + "text": "Enable request body inspection feature enabled in Azure Application Gateway WAF policy.", "waf": "Security" }, { - "checklist": "Azure API Management Review", - "guid": "791abd8b-7706-4e31-9569-afefde724be3", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", - "service": "APIM", - "severity": "Medium", - "text": "Use managed identities to authenticate to other Azure resources whenever possible", + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", + "service": "App Gateway", + "severity": "High", + "text": "Tune the Azure Application Gateway WAF for your workload. 
Reduce false positive detections.", "waf": "Security" }, { - "checklist": "Azure API Management Review", - "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", - "service": "APIM", + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "App Gateway", "severity": "High", - "text": "Use web application firewall (WAF) by deploying Application Gateway in front of APIM", + "text": "Deploy your WAF policy for Application Gateway in 'Prevention' mode.", "waf": "Security" }, { - "checklist": "Azure App Service Review", - "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", - "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", - "service": "App Services", - "severity": "Low", - "text": "Refer to baseline highly available zone-redundant web application architecture for best practices", - "waf": "Reliability" + "checklist": "Azure Application Delivery Networking", + "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", + 
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", + "service": "App Gateway", + "severity": "Medium", + "text": "Add rate limiting to the Azure Application Gateway WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", + "waf": "Security" }, { - "checklist": "Azure App Service Review", - "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", - "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", - "service": "App Services", + "checklist": "Azure Application Delivery Networking", + "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", + "service": "App Gateway", "severity": "Medium", - "text": "Use Premium and Standard tiers. These tiers support staging slots and automated backups.", - "waf": "Reliability" + "text": "Use a high threshold for Azure Application Gateway WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. 
", + "waf": "Security" }, { - "checklist": "Azure App Service Review", - "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", - "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", - "service": "App Services", - "severity": "High", - "text": "Leverage Availability Zones where regionally applicable (requires Premium v2 or v3 tier)", - "waf": "Reliability" + "checklist": "Azure Application Delivery Networking", + "guid": "99937189-ff78-492a-b9ca-18d828d82b37", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", + "service": "App Gateway", + "severity": "Low", + "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", + "waf": "Security" }, { - "checklist": "Azure App Service Review", - "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "checklist": "Azure Application Delivery Networking", + "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", + "service": "App Gateway", "severity": "Medium", - "text": "Implement health checks", - "waf": "Reliability" - }, - { - "checklist": "Azure App Service Review", - "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", - "service": "App Services", - "severity": "High", - "text": "Refer to backup and restore best practices for Azure App Service", - "waf": "Reliability" + "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Application Gateway WAF. 
Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", + "waf": "Security" }, { - "checklist": "Azure App Service Review", - "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", - "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", - "service": "App Services", - "severity": "High", - "text": "Implement Azure App Service reliability best practices", - "waf": "Reliability" + "checklist": "Azure Application Delivery Networking", + "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", + "service": "App Gateway", + "severity": "Medium", + "text": "Use the latest Azure Application Gateway WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.", + "waf": "Security" }, { - "checklist": "Azure App Service Review", - "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", - "service": "App Services", - "severity": "Low", - "text": "Familiarize with how to move an App Service app to another region During a disaster", - "waf": "Reliability" + "checklist": "Azure Application Delivery Networking", + "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "App Gateway", + "severity": "Medium", + "text": "Add diagnostic settings to save your Azure Application Gateway WAF logs.", + "waf": "Operations" }, { - "checklist": "Azure App Service Review", - "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", - "service": "App Services", - "severity": "High", - "text": "Familiarize with 
reliability support in Azure App Service", - "waf": "Reliability" + "checklist": "Azure Application Delivery Networking", + "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "Front Door", + "severity": "Medium", + "text": "Add diagnostic settings to save your Azure Front Door WAF logs.", + "waf": "Operations" }, { - "checklist": "Azure App Service Review", - "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "App Services", + "checklist": "Azure Application Delivery Networking", + "guid": "92664c60-47e3-4591-8b1b-8d557656e686", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", + "service": "App Gateway", "severity": "Medium", - "text": "Ensure \"Always On\" is enabled for Function Apps running on a app service plan", - "waf": "Reliability" + "text": "Send Azure Application Gateway WAF logs to Microsoft Sentinel.", + "waf": "Operations" }, { - "checklist": "Azure App Service Review", - "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "checklist": "Azure Application Delivery Networking", + "guid": "845f5f91-9c21-4674-a725-5ce890850e20", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "Front Door", "severity": "Medium", - "text": "Monitor App Service instances using Health checks", - "waf": "Reliability" + "text": "Send Azure Front Door WAF logs to Microsoft Sentinel.", + "waf": "Operations" }, { - "checklist": "Azure App Service Review", - "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", - "link": 
"https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", - "service": "App Services", + "checklist": "Azure Application Delivery Networking", + "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", + "service": "App Gateway", "severity": "Medium", - "text": "Monitor availability and responsiveness of web app or website using Application Insights availability tests", - "waf": "Reliability" + "text": "Define your Azure Application Gateway WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.", + "waf": "Operations" }, { - "checklist": "Azure App Service Review", - "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", - "service": "App Services", - "severity": "Low", - "text": "Use Application Insights Standard test to monitor availability and responsiveness of web app or website", - "waf": "Reliability" + "checklist": "Azure Application Delivery Networking", + "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", + "service": "App Gateway", + "severity": "Medium", + "text": "Use WAF Policies instead of the legacy WAF configuration.", + "waf": "Operations" }, { - "checklist": "Azure App Service Review", - "description": "Use Azure Key Vault to store any secrets the application needs. 
Key Vault provides a safe and audited environment for storing secrets and is well-integrated with App Service through the Key Vault SDK or App Service Key Vault References.", - "guid": "834ac932-223e-4ce8-8b12-3071a5416415", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", - "severity": "High", - "text": "Use Key Vault to store secrets", + "checklist": "Azure Application Delivery Networking", + "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", + "service": "App Gateway", + "severity": "Medium", + "text": "Filter inbound traffic in the backends so that they only accept connections from the Application Gateway subnet, for example with NSGs.", "waf": "Security" }, { - "checklist": "Azure App Service Review", - "description": "Use a Managed Identity to connect to Key Vault either using the Key Vault SDK or through App Service Key Vault References.", - "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", - "severity": "High", - "text": "Use Managed Identity to connect to Key Vault", + "checklist": "Azure Application Delivery Networking", + "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", + "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", + "service": "Front Door", + "severity": "Medium", + "text": "Make sure your origins only take traffic from your Azure Front Door instance.", "waf": "Security" }, { - "checklist": "Azure App Service Review", - "description": "Store the App Service TLS certificate in Key Vault.", - "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", - "service": "App Services", + "checklist": "Azure Application Delivery Networking", + "guid": 
"a66f0fd8-2ca4-422e-8df3-235148127ca2", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", + "service": "App Gateway", "severity": "High", - "text": "Use Key Vault to store TLS certificate.", + "text": "You should encrypt traffic to the backend servers.", "waf": "Security" }, { - "checklist": "Azure App Service Review", - "description": "Systems that process sensitive information should be isolated. To do so, use separate App Service Plans or App Service Environments and consider the use of different subscriptions or management groups.", - "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", - "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", - "service": "App Services", - "severity": "Medium", - "text": "Isolate systems that process sensitive information", + "checklist": "Azure Application Delivery Networking", + "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", + "service": "App Gateway", + "severity": "High", + "text": "You should use a Web Application Firewall.", "waf": "Security" }, { - "checklist": "Azure App Service Review", - "description": "Local disks on App Service are not encrypted and sensitive data should not be stored on those. 
(For example: D:\\\\Local and %TMP%).", - "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", - "service": "App Services", + "checklist": "Azure Application Delivery Networking", + "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", + "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", + "service": "App Gateway", "severity": "Medium", - "text": "Do not store sensitive data on local disk", + "text": "Redirect HTTP to HTTPS", "waf": "Security" }, { - "checklist": "Azure App Service Review", - "description": "For authenticated web application, use a well established Identity Provider like Azure AD or Azure AD B2C. Leverage the application framework of your choice to integrate with this provider or use the App Service Authentication / Authorization feature.", - "guid": "919ca0b2-c121-459e-814b-933df574eccc", - "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", - "service": "App Services", + "checklist": "Azure Application Delivery Networking", + "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", + "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", + "service": "App Gateway", "severity": "Medium", - "text": "Use an established Identity Provider for authentication", - "waf": "Security" + "text": "Use gateway-managed cookies to direct traffic from a user session to the same server for processing", + "waf": "Operations" }, { - "checklist": "Azure App Service Review", - "description": "Deploy code to App Service from a controlled and trusted environment, like a well-managed and secured DevOps deployment pipeline. 
This avoids code that was not version controlled and verified to be deployed from a malicious host.", - "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", - "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", - "service": "App Services", + "checklist": "Azure Application Delivery Networking", + "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", + "service": "App Gateway", "severity": "High", - "text": "Deploy from a trusted environment", + "text": "Enable connection draining during planned service updates to prevent connection loss to existing membrs of the backend pool", "waf": "Security" }, { - "checklist": "Azure App Service Review", - "description": "Disable basic authentication for both FTP/FTPS and for WebDeploy/SCM. This disables access to these services and enforces the use of Azure AD secured endpoints for deployment. Note that the SCM site can also be opened using Azure AD credentials.", - "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", - "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", - "service": "App Services", - "severity": "High", - "text": "Disable basic authentication", - "waf": "Security" + "checklist": "Azure Application Delivery Networking", + "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", + "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", + "service": "App Gateway", + "severity": "Low", + "text": "Create custom error pages to display a personalized user experience", + "waf": "Operations" }, { - "checklist": "Azure App Service Review", - "description": "Where possible use Managed Identity to connect to Azure AD secured resources. 
If this is not possible, store secrets in Key Vault and connect to Key Vault using a Managed Identity instead.", - "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", - "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", - "service": "App Services", - "severity": "High", - "text": "Use Managed Identity to connect to resources", + "checklist": "Azure Application Delivery Networking", + "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", + "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", + "service": "App Gateway", + "severity": "Medium", + "text": "Edit HTTP requests and response headers for easier routing and information exchange between the client and server", "waf": "Security" }, { - "checklist": "Azure App Service Review", - "description": "Where using images stored in Azure Container Registry, pull these using a Managed Identity.", - "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", - "service": "App Services", - "severity": "High", - "text": "Pull containers using a Managed Identity", - "waf": "Security" + "checklist": "Azure Application Delivery Networking", + "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "App Gateway", + "severity": "Medium", + "text": "Configure Front Door to optimize global web traffic routing and top-tier end-user performance, and reliability through quick global failover", + "waf": "Performance" }, { - "checklist": "Azure App Service Review", - "description": "By configuring the diagnostic settings of App Service, you can send all telemetry to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor runtime activity of App Service such as HTTP logs, application logs, platform logs, ...", - "guid": "47768314-c115-4775-a2ea-55b46ad48408", - "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", - "service": "App Services", + "checklist": "Azure Application Delivery Networking", + "guid": "29dcc19f-a8fa-4c35-8281-290577538793", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "App Gateway", "severity": "Medium", - "text": "Send App Service runtime logs to Log Analytics", - "waf": "Security" + "text": "Use transport layer load balancing", + "waf": "Performance" }, { - "checklist": "Azure App Service Review", - "description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. This allows you to monitor control plane activity on the App Service resource itself.", - "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", - "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", - "service": "App Services", + "checklist": "Azure Application Delivery Networking", + "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", + "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", + "service": "App Gateway", "severity": "Medium", - "text": "Send App Service activity logs to Log Analytics", + "text": "Configure routing based on host or domain name for multiple web applications on a single gateway", "waf": "Security" }, { - "checklist": "Azure App Service Review", - "description": "Control outbound network access using a combination of regional VNet integration, network security groups and UDR's. Traffic should be routed to an NVA such as Azure Firewall. 
Ensure to monitor the Firewall's logs.", - "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", - "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", - "service": "App Services", + "checklist": "Azure Application Delivery Networking", + "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", + "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", + "service": "App Gateway", "severity": "Medium", - "text": "Outbound network access should be controlled", + "text": "Centralize SSL certificate management to reduce encryption and decryption overhead from a backend server farm", "waf": "Security" }, { - "checklist": "Azure App Service Review", - "description": "You can provide a stable outbound IP by using VNet integration and using a VNet NAT Gateway or an NVA like Azure Firewall. This allows the receiving party to allow-list based on IP, should that be needed. Note that for communications towards Azure Services often there's no need to depend on the IP address and mechanics like Service Endpoints should be used instead. 
(Also the use of private endpoints on the receiving end avoids for SNAT to happen and provides a stable outbound IP range.)", - "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", - "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", - "service": "App Services", + "checklist": "Azure Application Delivery Networking", + "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", + "service": "App Gateway", "severity": "Low", - "text": "Ensure a stable IP for outbound communications towards internet addresses", + "text": "Use Application Gateway for native support for WebSocket and HTTP/2 protocols", "waf": "Security" }, { - "checklist": "Azure App Service Review", - "description": "Control inbound network access using a combination of App Service Access Restrictions, Service Endpoints or Private Endpoints. Different access restrictions can be required and configured for the web app itself and the SCM site.", - "guid": "0725769e-e669-41a4-a34a-c932223ece80", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", - "severity": "High", - "text": "Inbound network access should be controlled", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", + "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", + "service": "AKS", + "severity": "Low", + "text": "If required for AKS Windows workloads HostProcess containers can be used", + "waf": "Reliability" }, { - "checklist": "Azure App Service Review", - "description": "Protect against malicious inbound traffic using a Web Application Firewall like Application Gateway or Azure Front Door. 
Make sure to monitor the WAF's logs.", - "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", - "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", - "service": "App Services", - "severity": "High", - "text": "Use a WAF in front of App Service", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", + "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", + "service": "AKS", + "severity": "Low", + "text": "Use KEDA if running event-driven workloads", + "waf": "Performance" }, { - "checklist": "Azure App Service Review", - "description": "Make sure the WAF cannot be bypassed by locking down access to only the WAF. Use a combination of Access Restrictions, Service Endpoints and Private Endpoints.", - "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", + "link": "https://dapr.io/", + "service": "AKS", + "severity": "Low", + "text": "Use Dapr to ease microservice development", + "waf": "Operations" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", + "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", + "link": "https://learn.microsoft.com/azure/aks/uptime-sla", + "service": "AKS", "severity": "High", - "text": "Avoid for WAF to be bypassed", - "waf": "Security" + "text": "Use the SLA-backed AKS offering", + "waf": "Reliability" }, { - "checklist": "Azure App Service Review", - "description": "Set minimum TLS policy to 1.2 in App 
Service configuration.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", - "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", - "service": "App Services", - "severity": "Medium", - "text": "Set minimum TLS policy to 1.2", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", + "severity": "Low", + "text": "Use Disruption Budgets in your pod and deployment definitions", + "waf": "Reliability" }, { - "checklist": "Azure App Service Review", - "description": "Configure App Service to use HTTPS only. This causes App Service to redirect from HTTP to HTTPS. Strongly consider the use of HTTP Strict Transport Security (HSTS) in your code or from your WAF, which informs browsers that the site should only be accessed using HTTPS.", - "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", - "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", - "service": "App Services", + "checklist": "Azure AKS Review", + "guid": "3c763963-7a55-42d5-a15e-401955387e5c", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", + "service": "ACR", "severity": "High", - "text": "Use HTTPS only", - "waf": "Security" + "text": "If using a private registry, configure region replication to store images in multiple regions", + "waf": "Reliability" }, { - "checklist": "Azure App Service Review", - "description": "Do not use wildcards in 
your CORS configuration, as this allows all origins to access the service (thereby defeating the purpose of CORS). Specifically only allow the origins that you expect to be able to access the service.", - "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", - "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", - "service": "App Services", - "severity": "High", - "text": "Wildcards must not be used for CORS", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", + "service": "AKS", + "severity": "Low", + "text": "Use an external application such as kubecost to allocate costs to different users", + "waf": "Cost" }, { - "checklist": "Azure App Service Review", - "description": "Remote debugging must not be turned on in production as this opens additional ports on the service which increases the attack surface. 
Note that the service does turn of remote debugging automatically after 48 hours.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", - "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", - "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", - "service": "App Services", - "severity": "High", - "text": "Turn off remote debugging", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", + "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", + "service": "AKS", + "severity": "Low", + "text": "Use scale down mode to delete/deallocate nodes", + "waf": "Cost" }, { - "checklist": "Azure App Service Review", - "description": "Enable Defender for App Service. This (amongst other threats) detects communications to known malicious IP addresses. 
Review the recommendations from Defender for App Service as part of your operations.", - "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", - "service": "App Services", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", + "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", + "service": "AKS", "severity": "Medium", - "text": "Enable Defender for Cloud - Defender for App Service", - "waf": "Security" + "text": "When required use multi-instance partitioning GPU on AKS Clusters", + "waf": "Cost" }, { - "checklist": "Azure App Service Review", - "description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.", - "guid": "223ece80-b123-4071-a541-6415833ea3ad", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "App Services", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", + "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", + "service": "AKS", + "severity": "Low", + "text": "If running a Dev/Test cluster use NodePool Start/Stop", + "waf": "Cost" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", + "guid": 
"9ca48e4a-85e2-4223-bce8-bb12307ca5f1", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", + "service": "AKS", "severity": "Medium", - "text": "Enable DDOS Protection Standard on the WAF VNet", + "text": "Use Azure Policy for Kubernetes to ensure cluster compliance", "waf": "Security" }, { - "checklist": "Azure App Service Review", - "description": "Where using images stored in Azure Container Registry, pull these over a virtual network from Azure Container Registry using its private endpoint and the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'.", - "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", - "service": "App Services", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", + "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", "severity": "Medium", - "text": "Pull containers over a Virtual Network", + "text": "Separate applications from the control plane with user/system node pools", "waf": "Security" }, { - "checklist": "Azure App Service Review", - "description": "Conduct a penetration test on the web application following the penetration testing rules of engagement.", - "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", - "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", - "service": "App Services", - "severity": "Medium", - "text": "Conduct a penetration test", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": 
"a7a1f893-9bda-4477-98f2-4c116775c2ea", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", + "severity": "Low", + "text": "Add taint to your system nodepool to make it dedicated", "waf": "Security" }, { - "checklist": "Azure App Service Review", - "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.", - "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", - "service": "App Services", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", + "link": "https://learn.microsoft.com/azure/container-registry/", + "service": "AKS", "severity": "Medium", - "text": "Deploy validated code", + "text": "Use a private registry for your images, such as ACR", "waf": "Security" }, { - "checklist": "Azure App Service Review", - "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.", - "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", - "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", - "service": "App Services", - "severity": "High", - "text": "Use up-to-date platforms, languages, protocols and frameworks", + "checklist": "Azure AKS Review", + "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", + "link": "https://learn.microsoft.com/azure/security-center/container-security", + "service": "ACR", + "severity": "Medium", + "text": "Scan your images for vulnerabilities", "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", + "link": 
"https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", + "service": "AKS", "severity": "High", - "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure", + "text": "Define app separation requirements (namespace/nodepool/cluster)", "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "75089c20-990d-4927-b105-885576f76fc2", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", + "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", + "service": "AKS", "severity": "Medium", - "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure", + "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver", "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", + "link": "https://learn.microsoft.com/azure/aks/update-credentials", + "service": "AKS", "severity": "High", - "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'", + "text": "If using Service Principals for the cluster, refresh credentials periodically (like quarterly)", "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", + "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", + "service": "AKS", "severity": 
"Medium", - "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)", + "text": "If required add Key Management Service etcd encryption", "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", + "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", + "service": "AKS", + "severity": "Low", + "text": "If required consider using Confidential Compute for AKS", + "waf": "Security" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", + "service": "AKS", "severity": "Medium", - "text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)", + "text": "Consider using Defender for Containers", "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", + "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", + "service": "AKS", "severity": "High", - "text": "Ensure that NSX-Manager is integrated with an external Identity provider (LDAPS)", + "text": "Use managed identities instead of Service Principals", "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": 
"ae0e37ce-e297-411b-b352-caaab79b198d", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", + "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", + "link": "https://learn.microsoft.com/azure/aks/managed-aad", + "service": "AKS", "severity": "Medium", - "text": "Has an RBAC model been created for use within VMware vSphere", + "text": "Integrate authentication with AAD (using the managed integration)", "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", + "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", + "service": "AKS", "severity": "Medium", - "text": "RBAC permissions should be granted on ADDS groups and not on specific users", + "text": "Limit access to admin kubeconfig (get-credentials --admin)", "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", - "service": "AVS", - "severity": "High", - "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", + "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", + "service": "AKS", + "severity": "Medium", + "text": "Integrate authorization with AAD RBAC", "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", - "service": "AVS", + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", + "service": "AKS", "severity": "High", - "text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations", + "text": "Use namespaces for restricting RBAC privilege in Kubernetes", "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", - "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", - "service": "AVS", - "severity": "High", - "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand", - "waf": "Performance" - }, - { - "checklist": "Azure VMware Solution Design Review", - "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", - "service": "AVS", - "severity": "High", - "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'", - "waf": "Operations" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", + "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", + "service": "AKS", + "severity": "Medium", + "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)", + "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", + "service": "AKS", "severity": "Medium", - "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware 
Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection", - "waf": "Operations" + "text": "For AKS non-interactive logins use kubelogin (preview)", + "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", + "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", + "service": "AKS", "severity": "Medium", - "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity", - "waf": "Operations" + "text": "Disable AKS local accounts", + "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", - "service": "AVS", - "severity": "High", - "text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).", - "waf": "Operations" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "Low", + "text": "Configure if required Just-in-time cluster access", + "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", - "service": "AVS", - "severity": "High", - "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure 
Portal (no standing permissions allowed)", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "Low", + "text": "Configure if required AAD conditional access for AKS", "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", - "service": "AVS", - "severity": "High", - "text": "Privileged Identity Management audit reporting should be implemented for the Azure VMware Solution PIM roles", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", + "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", + "service": "AKS", + "severity": "Low", + "text": "If required for Windows AKS workloads configure gMSA ", "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", + "service": "AKS", "severity": "Medium", - "text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic Host replacement notifications. 
(standing permissions required)", + "text": "For finer control consider using a managed Kubelet Identity", "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", - "service": "AVS", - "severity": "High", - "text": "Limit use of CloudAdmin account to emergency access only", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", + "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", + "service": "AKS", + "severity": "Medium", + "text": "If using AGIC, do not share an AppGW across clusters", + "waf": "Reliability" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", - "service": "AVS", - "severity": "Medium", - "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", + "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", + "link": "https://learn.microsoft.com/azure/aks/http-application-routing", + "service": "AKS", + "severity": "High", + "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.", + "waf": "Reliability" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", + "link": 
"https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", + "service": "AKS", "severity": "Medium", - "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials", - "waf": "Security" + "text": "For Windows workloads use Accelerated Networking", + "waf": "Performance" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", + "guid": "ba7da7be-9952-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "severity": "High", - "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution", - "waf": "Security" + "text": "Use the standard ALB (as opposed to the basic one)", + "waf": "Reliability" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", + "service": "AKS", "severity": "Medium", - "text": "Is East-West traffic filtering implemented within NSX-T", + "text": "If using Azure CNI, consider using different Subnets for NodePools", "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", - "service": "AVS", - "severity": "High", - "text": "Workloads on Azure VMware Solution are not directly exposed to the internet. 
Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", + "service": "AKS", + "severity": "Medium", + "text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster", "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", + "guid": "a0f61565-9de5-458f-a372-49c831112dbd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "severity": "High", - "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads", - "waf": "Security" - }, - { - "checklist": "Azure VMware Solution Design Review", - "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", - "service": "AVS", - "severity": "Medium", - "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity", - "waf": "Security" + "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)", + "waf": "Reliability" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "334fdf91-c234-4182-a652-75269440b4be", - "service": "AVS", - "severity": "Medium", - "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure", - "waf": "Security" + 
"arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "High", + "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node", + "waf": "Performance" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", - "service": "AVS", - "severity": "Medium", - "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "High", + "text": "If using Azure CNI, check the maximum pods/node (default 30)", + "waf": "Performance" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", - "service": "AVS", - "severity": "Medium", - "text": "Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. 
Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .", + "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", + "link": "https://learn.microsoft.com/azure/aks/internal-lb", + "service": "AKS", + "severity": "Low", + "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)", "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", - "service": "AVS", - "severity": "Medium", - "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "High", + "text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)", + "waf": "Reliability" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", + "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", + "service": "AKS", "severity": "Low", - "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). 
(vSAN encryption at rest is default)", + "text": "If required add your own CNI plugin", "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "a3592718-e6e2-4051-9267-6ae46691e883", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", + "service": "AKS", "severity": "Low", - "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible", - "waf": "Security" + "text": "If required configure Public IP per node in AKS", + "waf": "Performance" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "5ac94222-3e13-4810-9230-81a941741583", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", + "link": "https://learn.microsoft.com/azure/aks/concepts-network", + "service": "AKS", "severity": "Medium", - "text": "Consider using extended security update support for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)", - "waf": "Security" + "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services", + "waf": "Reliability" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", - "service": "AVS", - "severity": "High", - "text": "Ensure that the appropriate vSAN Data redundancy method is used (RAID specification)", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", + "link": "https://learn.microsoft.com/azure/aks/nat-gateway", + "service": "AKS", + "severity": "Low", + "text": "Use Azure NAT Gateway as 
outboundType for scaling egress traffic", "waf": "Reliability" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d88408f3-7273-44c8-96ba-280214590146", - "service": "AVS", - "severity": "High", - "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", + "service": "AKS", + "severity": "Medium", + "text": "Use Dynamic allocations of IPs in order to avoid Azure CNI IP exhaustion", "waf": "Reliability" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", + "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", + "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", + "service": "AKS", "severity": "High", - "text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement", - "waf": "Reliability" + "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it", + "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or 
properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", + "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", + "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", + "service": "AKS", "severity": "Medium", - "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.", - "waf": "Operations" + "text": "If using a public API endpoint, restrict the IP addresses that can access it", + "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", - "service": "AVS", - "severity": "Medium", - "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes", - "waf": "Operations" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", + "link": "https://learn.microsoft.com/azure/aks/private-clusters", + "service": "AKS", + "severity": "High", + "text": "Use private clusters if your requirements mandate it", + "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": 
"ce7f2a7c-297c-47c6-adea-a6ff838db665", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "severity": "Medium", - "text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used", - "waf": "Cost" + "text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ", + "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", - "service": "AVS", - "severity": "Low", - "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution", - "waf": "Cost" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", + "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", + "severity": "High", + "text": "Enable a Kubernetes Network Policy option (Calico/Azure)", + "waf": "Security" }, - { - "checklist": "Azure VMware Solution Design Review", - "guid": "6691e883-5ac9-4422-83e1-3810523081a9", - "service": "AVS", - "severity": "Medium", - "text": "Consider the use of Azure Private-Link when using other Azure Native Services", + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", + "severity": "High", + "text": "Use Kubernetes network policies to increase intra-cluster security", "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + 
"checklist": "Azure AKS Review", + "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "severity": "High", - "text": "Ensure all required resource reside within the same Azure availability zone(s)", - "waf": "Performance" + "text": "Use a WAF for web workloads (UIs or APIs)", + "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", + "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", + "service": "AKS", "severity": "Medium", - "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads", + "text": "Use DDoS Standard in the AKS Virtual Network", "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project 
resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", + "link": "https://learn.microsoft.com/azure/aks/http-proxy", + "service": "AKS", + "severity": "Low", + "text": "If required add company HTTP Proxy", + "waf": "Security" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", + "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", + "service": "AKS", "severity": "Medium", - "text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads", + "text": "Consider using a service mesh for advanced microservice communication management", "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", + "service": "AKS", "severity": "High", - "text": "Enable Diagnostic and metric logging on Azure VMware Solution", + "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)", "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", - 
"service": "AVS", - "severity": "Medium", - "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "337453a3-cc63-4963-9a65-22ac19e80696", + "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", + "service": "AKS", + "severity": "Low", + "text": "Check regularly Azure Advisor for recommendations on your cluster", "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "589d457a-927c-4397-9d11-02cad6aae11e", - "service": "AVS", - "severity": "Medium", - "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", + "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", + "service": "AKS", + "severity": "Low", + "text": "Enable AKS auto-certificate rotation", "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "ee29711b-d352-4caa-ab79-b198dab81932", - "service": "AVS", - "severity": "Medium", - "text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution", - "waf": "Security" - }, - { - "checklist": "Azure VMware Solution Design Review", - "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", - "service": "AVS", - "severity": "Medium", - "text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", + "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", + "service": "AKS", + "severity": "High", + "text": "Have a regular process to upgrade your kubernetes 
version periodically (quarterly, for example), or use the AKS autoupgrade feature", + "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", + "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", + "service": "AKS", "severity": "High", - "text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution deployment", - "waf": "Security" + "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade", + "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", + "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", + "service": "AKS", "severity": "High", - "text": "Are data processing implications (service provider / service consumer model) clear and documented", - "waf": "Security" + "text": "Have a regular process to upgrade the cluster node images periodically (weekly, for example)", + "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "547c1747-dc56-4068-a714-435cd19dd244", - "service": "AVS", - "severity": "Medium", - "text": "Consider using CMK (Customer Managed Key) for vSAN only if needed for compliance reason(s).", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", + "service": "AKS", + "severity": "Low", + "text": "Consider gitops to 
deploy applications or cluster configuration to multiple clusters", + "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", - "service": "AVS", - "severity": "High", - "text": "Create dashboards to enable core Azure VMware Solution monitoring insights", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d7672c26-7602-4482-85a4-14527fbe855c", + "link": "https://learn.microsoft.com/azure/aks/command-invoke", + "service": "AKS", + "severity": "Low", + "text": "Consider using AKS command invoke on private clusters", "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", - "service": "AVS", - "severity": "High", - "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", + "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", + "service": "AKS", + "severity": "Low", + "text": "For planned events consider using Node Auto Drain", "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9659e396-80e7-4828-ac93-5657d02bff45", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", + "link": "https://learn.microsoft.com/azure/aks/faq", + "service": "AKS", "severity": "High", - "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware", + "text": "Develop own governance practices to make sure no changes are performed by operators in the node RG (aka 'infra RG')", "waf": "Operations" }, { - 
"checklist": "Azure VMware Solution Design Review", - "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", - "service": "AVS", - "severity": "High", - "text": "Ensure alerts are configured for Azure Service Health alerts and notifications", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", + "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", + "severity": "Low", + "text": "Use custom Node RG (aka 'Infra RG') name", "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", + "link": "https://kubernetes.io/docs/setup/release/notes/", + "service": "AKS", "severity": "Medium", - "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing", + "text": "Do not use deprecated Kubernetes APIs in your YAML manifests", "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", + "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", + "service": "AKS", "severity": "Low", - "text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?", + "text": "Taint Windows nodes", "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - 
"guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", - "service": "AVS", - "severity": "High", - "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", + "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", + "service": "AKS", + "severity": "Low", + "text": "Keep windows containers patch level in sync with host patch level", "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", - "service": "AVS", - "severity": "Medium", - "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "Via Diagnostic Settings at the cluster level", + "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", + "link": "https://learn.microsoft.com/azure/aks/monitor-aks", + "service": "AKS", + "severity": "Low", + "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution", "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", - "service": "AVS", - "severity": "Medium", - "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. 
Either in Azure native or on a disk pool-backed datastore", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", + "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", + "service": "AKS", + "severity": "Low", + "text": "If required use nodePool snapshots", + "waf": "Cost" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", + "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", + "service": "AKS", + "severity": "Low", + "text": "Consider spot node pools for non time-sensitive workloads", "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", - "service": "AVS", - "severity": "Medium", - "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", + "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", + "severity": "Low", + "text": "Consider AKS virtual node for quick bursting", "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", - "service": "AVS", - "severity": "Medium", - "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": 
"6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", + "severity": "High", + "text": "Monitor your cluster metrics with Container Insights (or other tools like Prometheus)", "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", - "service": "AVS", - "severity": "Medium", - "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", + "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", + "severity": "High", + "text": "Store and analyze your cluster logs with Container Insights (or other tools like Telegraf/ElasticSearch)", "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", + "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", + "service": "AKS", "severity": "Medium", - "text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions", + "text": "Monitor CPU and memory utilization of the nodes", "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", - "service": "AVS", + 
"arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1a4835ac-9422-423e-ae80-b123081a5417", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "severity": "Medium", - "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud", - "waf": "Security" + "text": "If using Azure CNI, monitor % of pod IPs consumed per node", + "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "I/O in the OS disk is a critical resource. If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady", + "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", + "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", + "service": "AKS", "severity": "Medium", - "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource", - "waf": "Reliability" + "text": "Monitor OS disk queue depth in nodes", + "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "be209d39-fda4-4777-a424-d116785c2fa5", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "severity": "Medium", - "text": "Have all DR solutions been considered and a solution that is best for your business been decided upon? 
[SRM/JetStream/Zerto/Veeam/...]", - "waf": "Reliability" + "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports", + "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", + "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", + "service": "AKS", "severity": "Medium", - "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS", - "waf": "Reliability" + "text": "Subscribe to resource health notifications for your AKS cluster", + "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "severity": "High", - "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible", - "waf": "Reliability" + "text": "Configure requests and limits in your pod specs", + "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "8255461e-2aee-4345-9aec-8339248b262d", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "769ef669-1a48-435a-a942-223ece80b123", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "severity": "Medium", - "text": "Use the geopolitical region pair as the secondary disaster recovery environment", - "waf": "Reliability" + "text": "Enforce resource quotas for namespaces", + "waf": 
"Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "081a5417-4158-433e-a3ad-3c2de733165c", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "AKS", "severity": "High", - "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions", - "waf": "Reliability" - }, - { - "checklist": "Azure VMware Solution Design Review", - "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", - "service": "AVS", - "severity": "Medium", - "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?", - "waf": "Reliability" - }, - { - "checklist": "Azure VMware Solution Design Review", - "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", - "service": "AVS", - "severity": "Medium", - "text": "Have all Backup solutions been considered and a solution that is best for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/�. 
]", - "waf": "Reliability" + "text": "Ensure your subscription has enough quota to scale out your nodepools", + "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", - "service": "AVS", - "severity": "Medium", - "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65", + "link": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/", + "service": "AKS", + "severity": "High", + "text": "Configure Liveness and Readiness probes for all deployments", + "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", + "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "severity": "Medium", - "text": "Deploy your backup solution outside of vSan, on Azure native components", - "waf": "Reliability" - }, - { - "checklist": "Azure VMware Solution Design Review", - "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", - "service": "AVS", - "severity": "Low", - "text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?", - "waf": "Reliability" - }, - { - "checklist": "Azure VMware Solution Design Review", - "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", - "service": "AVS", - "severity": "Low", - "text": "For manual deployments, all configuration and deployments must be documented", - 
"waf": "Operations" + "text": "Use the Cluster Autoscaler", + "waf": "Performance" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", + "guid": "831c2872-c693-4b39-a887-a561bada49bc", + "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", + "service": "AKS", "severity": "Low", - "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud", - "waf": "Operations" + "text": "Customize node configuration for AKS node pools", + "waf": "Performance" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", - "service": "AVS", - "severity": "Low", - "text": "For automated deployments, deploy a minimal private cloud and scale as needed", - "waf": "Operations" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", + "severity": "Medium", + "text": "Use the Horizontal Pod Autoscaler when required", + "waf": "Performance" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", - "service": "AVS", - "severity": "Low", - "text": "For automated deployments, request or reserve quota prior to starting the deployment", - "waf": "Operations" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they 
will increase the blast radius and decrease the scaling granularity", + "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", + "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", + "service": "AKS", + "severity": "High", + "text": "Consider an appropriate node size, not too large or too small", + "waf": "Performance" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", + "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", + "service": "AKS", "severity": "Low", - "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance", - "waf": "Operations" + "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster", + "waf": "Performance" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", + "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", + "service": "AKS", "severity": "Low", - "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use", - "waf": "Operations" + "text": "Consider subscribing to EventGrid Events for AKS automation", + "waf": "Performance" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "255461e2-aee3-4553-afc8-339248b262d6", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": 
"c5016d8c-c6c9-4165-89ae-673ef0fff19d", + "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", + "service": "AKS", "severity": "Low", - "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute", - "waf": "Operations" + "text": "For long running operation on an AKS cluster consider event termination", + "waf": "Performance" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", + "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", + "service": "AKS", "severity": "Low", - "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.", - "waf": "Operations" + "text": "If required consider using Azure Dedicated Hosts for AKS nodes", + "waf": "Performance" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", - "service": "AVS", - "severity": "Low", - "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs", - "waf": "Operations" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", + "guid": "24367b33-6971-45b1-952b-eee0b9b588de", + "link": 
"https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", + "severity": "High", + "text": "Use ephemeral OS disks", + "waf": "Performance" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", - "service": "AVS", - "severity": "Medium", - "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "AKS", + "severity": "High", + "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and will generate huge logs with default AKS log rotation thresholds", "waf": "Performance" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", - "service": "AVS", - "severity": "Medium", - "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", + "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", + "service": "AKS", + "severity": "Low", + "text": "For hyper performance storage option use Ultra Disks on AKS", "waf": "Performance" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", + "link": 
"https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", + "service": "AKS", "severity": "Medium", - "text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)", + "text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, etc)", "waf": "Performance" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", + "service": "AKS", "severity": "Medium", - "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", + "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance reasons", "waf": "Performance" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", + "service": "AKS", "severity": "Medium", - "text": "Define and enforce scale in/out maximum limits for your environment in the automations", + "text": "If using Azure Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right zone or use ZRS disk for nodepools spanning multiple zones", "waf": "Performance" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", - "service": "AVS", + "checklist": "Azure API 
Management Review", + "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", + "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", + "service": "APIM", "severity": "Medium", - "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses", + "text": "Implement an error handling policy at the global level", "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", - "severity": "High", - "text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", - "waf": "Reliability" - }, - { - "checklist": "Azure VMware Solution Design Review", - "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", - "severity": "High", - "text": "When using MON, you cannot enable MON on more than 100 Network extensions", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "Reliability" - }, - { - "checklist": "Azure VMware Solution Design Review", - "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", - "service": "AVS", + "checklist": "Azure API Management Review", + "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", + "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", + "service": "APIM", "severity": "Medium", - "text": "If using a VPN connection for migrations, adjust your MTU size accordingly.", - "waf": 
"Performance" + "text": "Ensure all APIs policies include a element.", + "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "e614658d-d457-4e92-9139-b821102cad6e", - "service": "AVS", + "checklist": "Azure API Management Review", + "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", + "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", + "service": "APIM", "severity": "Medium", - "text": "For low connectivity regions connecting into Azure (500Mbps or less), considering deploying the HCX WAN optimization appliance", - "waf": "Performance" + "text": "Use Policy Fragments to avoid repeating same policies definitions across multiple APIs", + "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", - "service": "AVS", + "checklist": "Azure API Management Review", + "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", + "link": "https://learn.microsoft.com/azure/api-management/monetization-support", + "service": "APIM", "severity": "Medium", - "text": "Ensure that migrations are started from the on-premises appliance and NOT from the Cloud appliance (do NOT perform a reverse migration)", - "waf": "Reliability" + "text": "If you are planning to monetize your APIs, review the 'monetization support' article for best practices", + "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "AVS", - "severity": "Medium", - "text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.", - "waf": "Reliability" + "checklist": "Azure API Management Review", + "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", + "link": 
"https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", + "service": "APIM", + "severity": "High", + "text": "Enable Diagnostics Settings to export logs to Azure Monitor", + "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "AVS", + "checklist": "Azure API Management Review", + "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", + "service": "APIM", "severity": "Medium", - "text": "Ensure that a dedicated ExpressRoute Gateway is being used for external data storage solutions", - "waf": "Reliability" + "text": "Enable Application Insights for more detailed telemetry", + "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "AVS", - "severity": "Medium", - "text": "Ensure that FastPath is enabled on the ExpressRoute Gateway that is being used for external data storage solutions", - "waf": "Reliability" + "checklist": "Azure API Management Review", + "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", + "service": "APIM", + "severity": "High", + "text": "Configure alerts on the most critical metrics", + "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "AVS", + "checklist": "Azure API 
Management Review", + "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", + "service": "APIM", "severity": "High", - "text": "If using stretched cluster, ensure that your selected Disaster Recovery solution is supported by the vendor", - "waf": "Reliability" + "text": "Ensure that custom SSL certificates are stored an Azure Key Vault so they can be securely accessed and updated", + "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "AVS", + "checklist": "Azure API Management Review", + "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", + "service": "APIM", "severity": "High", - "text": "If using stretched cluster, ensure that the SLA provided will meet your requirements", - "waf": "Reliability" + "text": "Protect incoming requests to APIs (data plane) with Azure AD", + "waf": "Security" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "AVS", - "severity": "High", - "text": "If using stretched cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.", - "waf": "Reliability" + "checklist": "Azure API Management Review", + "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", + "link": 
"https://learn.microsoft.com/azure/api-management/api-management-howto-aad", + "service": "APIM", + "severity": "Medium", + "text": "Use Microsoft Entra ID to authenticate users in the Developer Portal", + "waf": "Security" + }, + { + "checklist": "Azure API Management Review", + "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", + "service": "APIM", + "severity": "Medium", + "text": "Create appropriate groups to control the visibility of the products", + "waf": "Security" + }, + { + "checklist": "Azure API Management Review", + "guid": "06862505-2d9a-4874-9491-2837b00a3475", + "link": "https://learn.microsoft.com/azure/api-management/backends", + "service": "APIM", + "severity": "Medium", + "text": "Use Backends feature to eliminate redundant API backend configurations", + "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "AVS", - "severity": "High", - "text": "If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.", - "waf": "Reliability" + "checklist": "Azure API Management Review", + "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", + "service": "APIM", + "severity": "Medium", + "text": "Use Named Values to store common values that can be used in policies", + "waf": "Operations" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "AVS", - "severity": "High", - "text": "Have site disaster tolerance settings been properly considered and changed for your business if needed.", 
+ "checklist": "Azure API Management Review", + "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", + "service": "APIM", + "severity": "Medium", + "text": "For DR, leverage the premium tier with deployments scaled across two or more regions for 99.99% SLA", "waf": "Reliability" }, { - "checklist": "Azure Function Review", - "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", - "severity": "High", - "text": "Select the right Function hosting plan based on your business & SLO requirements", + "checklist": "Azure API Management Review", + "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", + "link": "https://learn.microsoft.com/azure/api-management/high-availability", + "service": "APIM", + "severity": "Medium", + "text": "Deploy at least one unit in two or more availability zones for an increased SLA of 99.99%", "waf": "Reliability" }, { - "checklist": "Azure Function Review", - "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", + "checklist": "Azure API Management Review", + "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", + "service": "APIM", "severity": "High", - "text": "Leverage Availability Zones where regionally applicable (not available for Consumption tier)", + "text": "Ensure there is an automated backup routine", "waf": "Reliability" }, { - "checklist": "Azure Function Review", - "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", - "link": 
"https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", - "service": "Azure Functions", + "checklist": "Azure API Management Review", + "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", + "link": "https://learn.microsoft.com/azure/api-management/retry-policy", + "service": "APIM", "severity": "Medium", - "text": "Consider a Cross-Region DR strategy for critical workloads", + "text": "Use Policies to add a fail-over backend URL and caching to reduce failing calls.", "waf": "Reliability" }, { - "checklist": "Azure Function Review", - "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Azure Functions", - "severity": "High", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", - "waf": "Reliability" + "checklist": "Azure API Management Review", + "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", + "service": "APIM", + "severity": "Low", + "text": "If you need to log at high performance levels, consider Event Hubs policy", + "waf": "Operations" }, { - "checklist": "Azure Function Review", - "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "Azure Functions", - "severity": "High", - "text": "Ensure 'Always On' is enabled for all Function Apps running on App Service Plan", - "waf": "Reliability" + "checklist": "Azure API Management Review", + "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", + "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", + "service": "APIM", + "severity": "Medium", + "text": "Apply throttling policies to control the number of requests per second", + "training": 
"https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", + "waf": "Performance" }, { - "checklist": "Azure Function Review", - "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", - "service": "Azure Functions", + "checklist": "Azure API Management Review", + "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", + "service": "APIM", "severity": "Medium", - "text": "Pair a Function App to its own storage account. Try not to re-use storage accounts for Function Apps unless they are tightly coupled", - "waf": "Reliability" + "text": "Configure autoscaling to scale out the number of instances when the load increases", + "waf": "Performance" }, { - "checklist": "Azure Function Review", - "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "Azure Functions", + "checklist": "Azure API Management Review", + "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", + "service": "APIM", "severity": "Medium", - "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Function App code", - "waf": "Operations" + "text": "Deploy self-hosted gateways where Azure doesn't have a region close to the backend APIs.", + "waf": "Performance" }, { - "checklist": "Azure Bot Service", - "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", - "service": "Bot service", + "checklist": "Azure API Management Review", + "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", + "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", + 
"service": "APIM", "severity": "Medium", - "text": "Follow reliability support recommendations in Azure Bot Service", + "text": "Use the premium tier for production workloads.", "waf": "Reliability" }, { - "checklist": "Azure Bot Service", - "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", - "service": "Bot service", + "checklist": "Azure API Management Review", + "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", + "service": "APIM", "severity": "Medium", - "text": "Deploying bots with local data residency and regional compliance", + "text": "In multi-region model, use Policies to route the requests to regional backends based on availability or latency.", "waf": "Reliability" }, { - "checklist": "Azure Bot Service", - "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", - "service": "Bot service", - "severity": "Medium", - "text": "Azure Bot Service runs in active-active mode for both global and regional services. When an outage occurs, you don't need to detect errors or manage the service. Azure Bot Service automatically performs auto failover and auto recovery in a multi-region geographical architecture. For the EU bot regional service, Azure Bot Service provides two full regions inside Europe with active/active replication to ensure redundancy. 
For the global bot service, all available regions/geographies can be served as the global footprint.", + "checklist": "Azure API Management Review", + "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", + "service": "APIM", + "severity": "High", + "text": "Be aware of APIM's limits", "waf": "Reliability" }, { - "checklist": "Azure Spring Apps Review", - "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", - "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", - "service": "Spring Apps", - "severity": "Medium", - "text": "Azure Spring Apps permits two deployments for every app, only one of which receives production traffic. You can achieve zero downtime with blue green deployment strategies. Blue green deployment is only available in Standard and Enterprise tiers. You could automate deployment using CI/CD with ADO/GitHub actions", + "checklist": "Azure API Management Review", + "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", + "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", + "service": "APIM", + "severity": "High", + "text": "Ensure that the self-hosted gateway deployments are resilient.", "waf": "Reliability" }, { - "checklist": "Azure Spring Apps Review", - "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", - "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", - "service": "Spring Apps", + "checklist": "Azure API Management Review", + "guid": "7519e385-a88b-4d34-966b-6269d686e890", + "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", + "service": "APIM", "severity": "Medium", - "text": "Azure Spring Apps instances could be created in multiple regions for your applications and traffic could be routed by Traffic Manager/Front Door.", - "waf": 
"Reliability" + "text": "Use Azure Front Door in front of APIM for multi-region deployment", + "waf": "Performance" }, { - "checklist": "Azure Spring Apps Review", - "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", - "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", - "service": "Spring Apps", + "checklist": "Azure API Management Review", + "guid": "cd45c90e-7690-4753-930b-bf290c69c074", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", + "service": "APIM", "severity": "Medium", - "text": "In supported region, Azure Spring Apps can be deployed as zone redundant, which means that instances are automatically distributed across availability zones. This feature is only available in Standard and Enterprise tiers.", - "waf": "Reliability" + "text": "Deploy the service within a Virtual Network (VNet)", + "waf": "Security" }, { - "checklist": "Azure Spring Apps Review", - "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", - "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", - "service": "Spring Apps", + "checklist": "Azure API Management Review", + "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", + "service": "APIM", "severity": "Medium", - "text": "Use more than 1 app instance for your apps", - "waf": "Reliability" + "text": "Deploy network security groups (NSG) to your subnets to restrict or monitor traffic to/from APIM.", + "waf": "Security" }, { - "checklist": "Azure Spring Apps Review", - "guid": "7504c230-6035-4183-95a5-85762acc6075", - "link": 
"https://learn.microsoft.com/azure/spring-apps/diagnostic-services", - "service": "Spring Apps", + "checklist": "Azure API Management Review", + "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", + "service": "APIM", "severity": "Medium", - "text": "Monitor Azure Spring Apps with logs, metrics and tracing. Integrate ASA with application insights and track failures and create workbooks.", - "waf": "Reliability" + "text": "Deploy Private Endpoints to filter incoming traffic when APIM is not deployed to a VNet.", + "waf": "Security" }, { - "checklist": "Azure Spring Apps Review", - "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", - "service": "Spring Apps", + "checklist": "Azure API Management Review", + "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", + "service": "APIM", + "severity": "High", + "text": "Disable Public Network Access", + "waf": "Security" + }, + { + "checklist": "Azure API Management Review", + "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", + "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", + "service": "APIM", "severity": "Medium", - "text": "Set up autoscaling in Spring Cloud Gateway", - "waf": "Reliability" + "text": "Simplify management with PowerShell automation scripts", + "waf": "Operations" }, { - "checklist": "Azure Spring Apps Review", - "guid": "97411607-b6fd-4335-99d1-9885faf4e392", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", 
- "service": "Spring Apps", - "severity": "Low", - "text": "Enable autoscale for the apps with Standard consumption & dedicated plan.", - "waf": "Reliability" + "checklist": "Azure API Management Review", + "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", + "service": "APIM", + "severity": "Medium", + "text": "Configure APIM via Infrastructure-as-code. Review DevOps best practices from the Cloud Adaption Framework APIM Landing Zone Accelerator", + "waf": "Operations" }, { - "checklist": "Azure Spring Apps Review", - "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", - "link": "https://learn.microsoft.com/azure/spring-apps/overview", - "service": "Spring Apps", + "checklist": "Azure API Management Review", + "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", + "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", + "service": "APIM", "severity": "Medium", - "text": "Use Enterprise plan for commercial support of spring boot for mission critical apps. 
With other tiers you get OSS support.", - "waf": "Reliability" + "text": "Promote usage of Visual Studio Code APIM extension for faster API development", + "waf": "Operations" }, { - "checklist": "Azure Storage Review Checklist", - "description": "Apply guidance from the Microsoft cloud security benchmark related to Storage", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Azure Storage", + "checklist": "Azure API Management Review", + "guid": "354f1c03-8112-4965-85ad-c0074bddf231", + "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", + "service": "APIM", "severity": "Medium", - "text": "Consider the 'Azure security baseline for storage'", - "waf": "Security" + "text": "Implement DevOps and CI/CD in your workflow", + "waf": "Operations" }, { - "checklist": "Azure Storage Review Checklist", - "description": "Azure Storage by default has a public IP address and is Internet-reachable. Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Azure Storage", - "severity": "High", - "text": "Consider using private endpoints for Azure Storage", + "checklist": "Azure API Management Review", + "guid": "b6439493-426a-45f3-9697-cf65baee208d", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", + "service": "APIM", + "severity": "Medium", + "text": "Secure APIs using client certificate authentication", "waf": "Security" }, { - "checklist": "Azure Storage Review Checklist", - "description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. 
are all enabled. Ensure that there are no old storage accounts with classic deployment model in a subscription", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Azure Storage", + "checklist": "Azure API Management Review", + "guid": "2a67d143-1033-4c0a-8732-680896478f08", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", + "service": "APIM", "severity": "Medium", - "text": "Ensure older storage accounts are not using 'classic deployment model'", + "text": "Secure backend services using client certificate authentication", "waf": "Security" }, { - "checklist": "Azure Storage Review Checklist", - "description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Azure Storage", - "severity": "High", - "text": "Enable Microsoft Defender for all of your storage accounts", + "checklist": "Azure API Management Review", + "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", + "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", + "service": "APIM", + "severity": "Medium", + "text": "Review 'Recommendations to mitigate OWASP API Security Top 10 threats' article and check what is applicable to your APIs", "waf": "Security" }, { - "checklist": "Azure Storage Review Checklist", - "description": "The soft-delete mechanism allows to recover accidentally deleted blobs.", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Azure Storage", + "checklist": "Azure API Management Review", + "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", + "link": 
"https://learn.microsoft.com/azure/api-management/authorizations-overview", + "service": "APIM", "severity": "Medium", - "text": "Enable 'soft delete' for blobs", + "text": "Use Authorizations feature to simplify management of OAuth 2.0 token for your backend APIs", "waf": "Security" }, { - "checklist": "Azure Storage Review Checklist", - "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", - "severity": "Medium", - "text": "Disable 'soft delete' for blobs", + "checklist": "Azure API Management Review", + "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", + "service": "APIM", + "severity": "High", + "text": "Use the latest TLS version when encrypting information in transit. 
Disable outdated and unnecessary protocols and ciphers when possible.", "waf": "Security" }, { - "checklist": "Azure Storage Review Checklist", - "description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Azure Storage", + "checklist": "Azure API Management Review", + "guid": "f8af3d94-1d2b-4070-846f-849197524258", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", + "service": "APIM", "severity": "High", - "text": "Enable 'soft delete' for containers", + "text": "Ensure that secrets (Named values) are stored an Azure Key Vault so they can be securely accessed and updated", "waf": "Security" }, { - "checklist": "Azure Storage Review Checklist", - "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. 
", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", + "checklist": "Azure API Management Review", + "guid": "791abd8b-7706-4e31-9569-afefde724be3", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", + "service": "APIM", "severity": "Medium", - "text": "Disable 'soft delete' for containers", + "text": "Use managed identities to authenticate to other Azure resources whenever possible", "waf": "Security" }, { - "checklist": "Azure Storage Review Checklist", - "description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", + "checklist": "Azure API Management Review", + "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", + "service": "APIM", "severity": "High", - "text": "Enable resource locks on storage accounts", + "text": "Use web application firewall (WAF) by deploying Application Gateway in front of APIM", "waf": "Security" }, { - "checklist": "Azure Storage Review Checklist", - "description": "Consider 'legal hold' or 'time-based retention' policies for blobs, so that is is impossible to delete the blob, the container, or the storage account. 
Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Azure Storage", + "checklist": "Cognitive Search Review Checklist", + "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", "severity": "High", - "text": "Consider immutable blobs", - "waf": "Security" + "text": "Enable 2 replicas to have 99.9% availability for read operations", + "waf": "Reliability" }, { - "checklist": "Azure Storage Review Checklist", - "description": "Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. ", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Azure Storage", - "severity": "High", - "text": "Require HTTPS, i.e. 
disable port 80 on the storage account", - "waf": "Security" + "checklist": "Cognitive Search Review Checklist", + "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", + "severity": "Medium", + "text": "Enable 3 replicas to have 99.9% availability for read/write operations", + "waf": "Reliability" }, { - "checklist": "Azure Storage Review Checklist", - "description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Azure Storage", + "checklist": "Cognitive Search Review Checklist", + "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", + "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", + "service": "Cognitive Search", "severity": "High", - "text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.", - "waf": "Security" + "text": "Leverage Availability Zones by enabling read and/or write replicas", + "waf": "Reliability" }, { - "checklist": "Azure Storage Review Checklist", - "description": "Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Azure Storage", + "checklist": "Cognitive Search Review Checklist", + "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", + "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", + "service": "Cognitive Search", "severity": "Medium", - "text": "Limit shared access 
signature (SAS) tokens to HTTPS connections only", - "waf": "Security" + "text": "For regional redudancy, Manually create services in 2 or more regions for Search as it doesn't provide an automated method of replicating search indexes across geographic regions", + "waf": "Reliability" }, { - "checklist": "Azure Storage Review Checklist", - "description": "AAD tokens should be favored over shared access signatures, wherever possible", - "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", - "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", - "service": "Azure Storage", - "severity": "High", - "text": "Use Azure Active Directory (Azure AD) tokens for blob access", - "waf": "Security" + "checklist": "Cognitive Search Review Checklist", + "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", + "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", + "service": "Cognitive Search", + "severity": "Medium", + "text": "To synchronize data across multiple services either Use indexers for updating content on multiple services or Use REST APIs for pushing content updates on multiple services", + "waf": "Reliability" }, { - "checklist": "Azure Storage Review Checklist", - "description": "When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. 
Limiting access to resources helps prevent both unintentional and malicious misuse of your data.", - "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", - "service": "Azure Storage", + "checklist": "Cognitive Search Review Checklist", + "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", + "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", + "service": "Cognitive Search", "severity": "Medium", - "text": "Least privilege in IaM permissions", - "waf": "Security" + "text": "Use Azure Traffic Manager to coordinate requests", + "waf": "Reliability" }, { - "checklist": "Azure Storage Review Checklist", - "description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. ", - "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", - "service": "Azure Storage", + "checklist": "Cognitive Search Review Checklist", + "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", + "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", + "service": "Cognitive Search", "severity": "High", - "text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.", - "waf": "Security" + "text": "Backup and Restore an Azure Cognitive Search Index. Use this sample code to back up index definition and snapshot to a series of Json files", + "waf": "Reliability" }, { - "checklist": "Azure Storage Review Checklist", - "description": "Storage account keys ('shared keys') have very little audit capabilities. 
While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on AAD authentication makes it easier to tie storage access to a user. ", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", - "service": "Azure Storage", + "checklist": "Azure Function Review", + "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", "severity": "High", - "text": "Consider disabling storage account keys, so that only AAD access (and user delegation SAS) is supported.", - "waf": "Security" + "text": "Select the right Function hosting plan based on your business & SLO requirements", + "waf": "Reliability" }, { - "checklist": "Azure Storage Review Checklist", - "description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. 
storage account keys, access policies, etc.).", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", - "service": "Azure Storage", + "checklist": "Azure Function Review", + "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", "severity": "High", - "text": "Consider using Azure Monitor to audit control plane operations on the storage account", - "waf": "Security" + "text": "Leverage Availability Zones where regionally applicable (not available for Consumption tier)", + "waf": "Reliability" }, { - "checklist": "Azure Storage Review Checklist", - "description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", - "service": "Azure Storage", + "checklist": "Azure Function Review", + "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", + "service": "Azure Functions", "severity": "Medium", - "text": "When using storage account keys, consider enabling a 'key expiration policy'", - "waf": "Security" + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "checklist": "Azure Storage Review Checklist", - "description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. 
When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.", - "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", - "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", - "service": "Azure Storage", - "severity": "Medium", - "text": "Consider configuring an SAS expiration policy", - "waf": "Security" + "checklist": "Azure Function Review", + "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Azure Functions", + "severity": "High", + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" + }, + { + "checklist": "Azure Function Review", + "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "Azure Functions", + "severity": "High", + "text": "Ensure 'Always On' is enabled for all Function Apps running on App Service Plan", + "waf": "Reliability" }, { - "checklist": "Azure Storage Review Checklist", - "description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. ", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", - "service": "Azure Storage", + "checklist": "Azure Function Review", + "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", + "service": "Azure Functions", "severity": "Medium", - "text": "Consider linking SAS to a stored access policy", - "waf": "Security" + "text": "Pair a Function App to its own storage account. 
Try not to re-use storage accounts for Function Apps unless they are tightly coupled", + "waf": "Reliability" }, { - "checklist": "Azure Storage Review Checklist", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", - "service": "Azure Storage", + "checklist": "Azure Function Review", + "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "Azure Functions", "severity": "Medium", - "text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.", - "waf": "Security" - }, - { - "checklist": "Azure Storage Review Checklist", - "description": "Ideally, your application should be using a managed identity to authenticate to Azure Storage. If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", - "service": "Azure Storage", - "severity": "High", - "text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)", - "waf": "Security" + "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Function App code", + "waf": "Operations" }, { - "checklist": "Azure Storage Review Checklist", - "description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. 
Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.", - "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", - "severity": "High", - "text": "Strive for short validity periods for ad-hoc SAS", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus Premium provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ", + "guid": "87af4a79-1f89-439b-ba47-768e14c11567", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", + "service": "Service Bus", + "severity": "Low", + "text": "Use customer-managed key option in data at rest encryption when required", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", "waf": "Security" }, { - "checklist": "Azure Storage Review Checklist", - "description": "When creating a SAS, be as specific and restrictive as possible. Prefer a SAS for a single resource and operation over a SAS which gives much broader access.", - "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "checklist": "Service Bus Review Checklist", + "description": "Communication between a client application and an Azure Service Bus namespace is encrypted using Transport Layer Security (TLS). Azure Service Bus namespaces permit clients to send and receive data with TLS 1.0 and above. 
To enforce stricter security measures, you can configure your Service Bus namespace to require that clients send and receive data with a newer version of TLS.", + "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version", + "service": "Service Bus", "severity": "Medium", - "text": "Apply a narrow scope to a SAS", + "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", "waf": "Security" }, { - "checklist": "Azure Storage Review Checklist", - "description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to request a resource using the SAS. ", - "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", - "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", - "service": "Azure Storage", + "checklist": "Service Bus Review Checklist", + "description": "When you create a Service Bus namespace, a SAS rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative root account and don't use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", + "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies", + "service": "Service Bus", "severity": "Medium", - "text": "Consider scoping SAS to a specific client IP address, wherever possible", + "text": "Avoid using root account when it is not necessary", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", "waf": "Security" }, { - "checklist": "Azure Storage Review Checklist", - "description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously large contents.", - "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", - "service": "Azure Storage", - "severity": "Low", - "text": "Consider checking uploaded data, after clients used a SAS to upload a file. ", + "checklist": "Service Bus Review Checklist", + "description": "A Service Bus client app running inside an Azure App Service application or in a virtual machine with enabled managed entities for Azure resources support does not need to handle SAS rules and keys, or any other access tokens. The client app only needs the endpoint address of the Service Bus Messaging namespace. ", + "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity", + "service": "Service Bus", + "severity": "Medium", + "text": "When possible, your application should be using a managed identity to authenticate to Azure Service Bus. 
If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Security" }, { - "checklist": "Azure Storage Review Checklist", - "description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive than SFTP access. Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint", - "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", - "service": "Azure Storage", + "checklist": "Service Bus Review Checklist", + "description": "When creating permissions, provide fine-grained control over a client's access to Azure Service Bus. Permissions in Azure Service Bus can and should be scoped to the individual resource level e.g. queue, topic or subscription. 
", + "guid": "f615658d-e558-4f93-9249-b831112dbd7e", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus", + "service": "Service Bus", "severity": "High", - "text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.", + "text": "Use least privilege data plane RBAC", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "Security" }, { - "checklist": "Azure Storage Review Checklist", - "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", - "service": "Azure Storage", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus resource logs include operational logs, virtual network and IP filtering logs. Runtime audit logs capture aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Service Bus.", + "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference", + "service": "Service Bus", "severity": "Medium", - "text": "SFTP: The SFTP endpoint does not support POSIX-like ACLs.", + "text": "Enable logging for security investigation. Use Azure Monitor to trace resource logs and runtime audit logs (currently available only in the premium tier)", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "Security" }, { - "checklist": "Azure Storage Review Checklist", - "description": "Storage supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. 
When enabling CORS, keep the CorsRules to the least privilege.", - "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", - "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", - "service": "Azure Storage", - "severity": "High", - "text": "Avoid overly broad CORS policies", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Service Bus traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. ", + "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service", + "service": "Service Bus", + "severity": "Medium", + "text": "Consider using private endpoints to access Azure Service Bus and disable public network access when applicable.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Security" }, { - "checklist": "Azure Storage Review Checklist", - "description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. Server-side encryption might happen using a platform-managed key (default) or customer-managed key. Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. thus not relying on Azure Storage at all for confidentiality guarantees.", - "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "Azure Storage", - "severity": "High", - "text": "Determine how data at rest should be encrypted. 
Understand the thread model for data.", + "checklist": "Service Bus Review Checklist", + "description": "With IP firewall, you can restrict the public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. ", + "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering", + "service": "Service Bus", + "severity": "Medium", + "text": "Consider only allowing access to Azure Service Bus namespace from specific IP addresses or ranges", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "Security" }, { - "checklist": "Azure Storage Review Checklist", - "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", - "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", + "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", + "service": "SAP", "severity": "Medium", - "text": "Determine which/if platform encryption should be used.", - "waf": "Security" + "text": "Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP a top-level workload on Azure. ACSS is an end-to-end solution that enables you to create and run SAP systems as a unified workload on Azure and provides a more seamless foundation for innovation. 
You can take advantage of the management capabilities for both new and existing Azure-based SAP systems.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", + "waf": "Operations" }, { - "checklist": "Azure Storage Review Checklist", - "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", + "service": "SAP", "severity": "Medium", - "text": "Determine which/if client-side encryption should be used.", - "waf": "Security" + "text": "Azure supports automating SAP deployments in Linux and Windows. SAP Deployment Automation Framework is an open-source orchestration tool that can deploy, install, and maintain SAP environments.", + "training": "https://github.com/Azure/sap-automation", + "waf": "Operations" }, { - "checklist": "Azure Storage Review Checklist", - "description": "Leverage Resource Graph Explorer (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) to find storage accounts which allow anonymous blob access.", - "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", - "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", - "service": "Azure Storage", - "severity": "High", - "text": "Consider whether public blob access is needed, or whether it can be disabled for certain storage accounts. 
", - "waf": "Security" + "checklist": "SAP Checklist", + "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", + "service": "SAP", + "severity": "Medium", + "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally", + "waf": "Reliability" }, { - "checklist": "Azure Storage Review Checklist", - "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal", - "service": "Azure Storage", - "severity": "High", - "text": "Leverage a storagev2 account type for better performance and reliability", + "checklist": "SAP Checklist", + "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", + "service": "SAP", + "severity": "Medium", + "text": "Test the backup and recovery times to verify that they meet your RTO requirements for restoring all systems simultaneously after a disaster.", "waf": "Reliability" }, { - "checklist": "Azure Storage Review Checklist", - "guid": "e05bbe20-9d49-4fda-9777-8424d116785c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "b651423c-8552-42db-a545-5cb50c05527a", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "SAP", "severity": "High", - "text": "Leverage GRS, ZRS or GZRS storage for the highest availability", + "text": "You can replicate standard storage between paired regions, but you can't use standard storage to store your databases or virtual hard disks. You can replicate backups only between paired regions that you use. 
For all your other data, run your replication by using native DBMS features like SQL Server Always On or SAP HANA System Replication. Use a combination of Site Recovery, rsync or robocopy, and other third-party software for the SAP application layer.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", "waf": "Reliability" }, { - "checklist": "Azure Storage Review Checklist", - "guid": "2fa56c56-ad48-4408-be72-734c486ba280", - "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", "severity": "Medium", - "text": "For write operation after failover, use customer-Managed Failover ", + "text": "When using Azure Availability Zones to achieve high availability, you must consider latency between SAP application servers and database servers. 
For zones with high latencies, operational procedures need to be in place to ensure that SAP application servers and database servers are running in the same zone at all times.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", "waf": "Reliability" }, { - "checklist": "Azure Storage Review Checklist", - "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", - "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", - "service": "Azure Storage", - "severity": "Medium", - "text": "Understand Microsoft-Managed Failover details", + "checklist": "SAP Checklist", + "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "SAP", + "severity": "High", + "text": "Set up ExpressRoute connections from on-premises to the primary and secondary Azure disaster recovery regions. 
Also, as an alternative to using ExpressRoute, consider setting up VPN connections from on-premises to the primary and secondary Azure disaster recovery regions.", + "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", "waf": "Reliability" }, { - "checklist": "Azure Storage Review Checklist", - "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", - "service": "Azure Storage", - "severity": "Medium", - "text": "Enable Soft Delete", + "checklist": "SAP Checklist", + "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "SAP", + "severity": "Low", + "text": "Replicate key vault contents like certificates, secrets, or keys across regions so you can decrypt data in the DR region.", "waf": "Reliability" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", - "severity": "High", - "text": "Enable 2 replicas to have 99.9% availability for read operations", + "checklist": "SAP Checklist", + "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", + "service": "SAP", + "severity": "Medium", + "text": "Peer the primary and disaster recovery virtual networks. 
For example, for HANA System Replication, an SAP HANA DB virtual network needs to be peered to the disaster recovery site's SAP HANA DB virtual network.", "waf": "Reliability" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", - "severity": "Medium", - "text": "Enable 3 replicas to have 99.9% availability for read/write operations", + "checklist": "SAP Checklist", + "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", + "service": "SAP", + "severity": "Low", + "text": "If you use Azure NetApp Files storage for your SAP deployments, at a minimum, create two Azure NetApp Files accounts in the Premium tier, in two regions.", + "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", "waf": "Reliability" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", - "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", - "service": "Cognitive Search", + "checklist": "SAP Checklist", + "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "severity": "High", - "text": "Leverage Availability Zones by enabling read and/or write replicas", + "text": "Native database replication technology should be used to synchronize the database in a HA pair.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", "waf": "Reliability" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", - 
"link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", - "service": "Cognitive Search", - "severity": "Medium", - "text": "For regional redudancy, Manually create services in 2 or more regions for Search as it doesn't provide an automated method of replicating search indexes across geographic regions", + "checklist": "SAP Checklist", + "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", + "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", + "service": "SAP", + "severity": "High", + "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's VNet", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", "waf": "Reliability" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", - "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", - "service": "Cognitive Search", - "severity": "Medium", - "text": "To synchronize data across multiple services either Use indexers for updating content on multiple services or Use REST APIs for pushing content updates on multiple services", + "checklist": "SAP Checklist", + "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", + "service": "SAP", + "severity": "High", + "text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. 
When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", "waf": "Reliability" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", - "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", - "service": "Cognitive Search", - "severity": "Medium", - "text": "Use Azure Traffic Manager to coordinate requests", + "checklist": "SAP Checklist", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "High", + "text": "Consider the availability of SAP software against single points of failure. This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. Also, other tools such as SAP Web Dispatcher.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", "waf": "Reliability" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", - "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", - "service": "Cognitive Search", + "checklist": "SAP Checklist", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "service": "SAP", "severity": "High", - "text": "Backup and Restore an Azure Cognitive Search Index. 
Use this sample code to back up index definition and snapshot to a series of Json files", + "text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "checklist": "Cognitive Services Review Checklist", - "guid": "21c30d25-ffb7-4f6a-b9ea-b3fec328f787", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-cog_svcs_v1.docx", - "service": "Cognitive Services", - "severity": "Medium", - "text": "Leverage FTA HandBook for Cognitive Services", + "checklist": "SAP Checklist", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", + "severity": "High", + "text": "Azure doesn't support architectures in which the primary and secondary VMs share storage for DBMS data. 
For the DBMS layer, the common architecture pattern is to replicate databases at the same time and with different storage stacks than the ones that the primary and secondary VMs use.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", "waf": "Reliability" }, { - "checklist": "Cognitive Services Review Checklist", - "guid": "78c34698-16b2-4763-aefe-1b9b599de0d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", - "service": "Cognitive Services", - "severity": "Medium", - "text": "Backup Your Prompts", + "checklist": "SAP Checklist", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", + "service": "SAP", + "severity": "High", + "text": "The DBMS data and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. 
Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", "waf": "Reliability" }, { - "checklist": "Cognitive Services Review Checklist", - "guid": "750ab2ab-039d-4a6d-95d7-c892adb107d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", - "service": "Cognitive Services", + "checklist": "SAP Checklist", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "service": "SAP", "severity": "High", - "text": "Business Continuity and Disaster Recovery (BCDR) considerations with Azure OpenAI Service", + "text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific high-availability scenarios. Set up your failover clusters separately for SAP application layer components and the DBMS layer. 
Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "checklist": "Cognitive Services Review Checklist", - "guid": "325af625-ca44-4e46-a5e2-223ace8bb123", - "link": "https://github.com/abacaj/chatgpt-backup#backup-your-chatgpt-conversations", - "service": "Cognitive Services", - "severity": "Medium", - "text": "Backup Your ChatGPT conversations", + "checklist": "SAP Checklist", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", + "service": "SAP", + "severity": "High", + "text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer should handle the virtual IP address for all other cases. One design principle is to use one load balancer per cluster configuration. 
We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", "waf": "Reliability" }, { - "checklist": "Cognitive Services Review Checklist", - "guid": "07ca5f17-f154-4e3a-a369-2829e7e31618", - "link": "https://learn.microsoft.com/azure/ai-services/speech-service/how-to-custom-speech-continuous-integration-continuous-deployment", - "service": "Cognitive Services", - "severity": "Medium", - "text": "CI/CD for custom speech", + "checklist": "SAP Checklist", + "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", + "service": "SAP", + "severity": "High", + "text": "Make sure the Floating IP is enabled on the Load balancer", + "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", "waf": "Reliability" }, { - "checklist": "Cognitive Services Review Checklist", - "guid": "3687a046-7a1f-4893-9bda-43324f248116", - "link": "https://learn.microsoft.com/azure/ai-services/qnamaker/tutorials/export-knowledge-base", - "service": "Cognitive Services", - "severity": "Low", - "text": "Move a knowledge base using export-import", + "checklist": "SAP Checklist", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "SAP", + "severity": "High", + "text": "Before you deploy your high-availability infrastructure, and depending on the region you choose, determine whether to deploy with an Azure availability set or an availability zone.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", "waf": "Reliability" }, { - "checklist": "Container Apps Review", - "guid": 
"af416482-663c-4ed6-b195-b44c7068e09c", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support", - "service": "Container Apps", + "checklist": "SAP Checklist", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "SAP", "severity": "High", - "text": "Leverage Availability Zones if regionally applicable", + "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.", "waf": "Reliability" }, { - "checklist": "Container Apps Review", - "guid": "95bc80ec-6499-4d14-a7d2-7d296b1d8abc", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment", - "service": "Container Apps", + "checklist": "SAP Checklist", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", "severity": "High", - "text": "Use more than one replica and enable Zone Redundancy.", + "text": "Do not mix servers of different roles in the same availability set. 
Keep central services VMs, database VMs, application VMs in their own availability sets", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", "waf": "Reliability" }, { - "checklist": "Container Apps Review", - "guid": "ccaa4fc2-fdbc-4432-8bb7-f7e6469e4dc3", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", - "service": "Container Apps", + "checklist": "SAP Checklist", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + "service": "SAP", + "severity": "Medium", + "text": "You can't deploy Azure availability sets within an Azure availability zone unless you use proximity placement groups.", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "waf": "Reliability" + }, + { + "checklist": "SAP Checklist", + "guid": "9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", "severity": "High", - "text": "For cross-region DR, deploy container apps in multiple regions and follow active/active or active/passive application guidance.", + "text": "When you create availability sets, use the maximum number of fault domains and update domains available. For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. 
The default number of fault domains is two, and you can't change it online later.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", "waf": "Reliability" }, { - "checklist": "Container Apps Review", - "guid": "2ffada86-c031-4933-bf7d-0c45bc4e5919", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", - "service": "Container Apps", + "checklist": "SAP Checklist", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "High", - "text": "Use Front Door or Traffic Manager to route traffic to the closest region", + "text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group.", "waf": "Reliability" }, { - "checklist": "CosmosDB Review Checklist", - "guid": "43e52f47-22d9-428c-8b1c-d521e54a29a9", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foundations-playbooks-CosmosDB_v1.docx", - "service": "CosmosDB", - "severity": "Medium", - "text": "FTA Resiliency Playbook", + "checklist": "SAP Checklist", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", + "severity": "High", + "text": "Use one proximity placement group per SAP SID. 
Groups don't span across Availability Zones or Azure regions", "waf": "Reliability" }, { - "checklist": "CosmosDB Review Checklist", - "guid": "de39ac0e-7c28-4dc9-9565-7202bff4564b", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", - "service": "CosmosDB", + "checklist": "SAP Checklist", + "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "severity": "High", - "text": "Leverage Availablity Zones where regionally applicable and ofcourse if the service offers it", + "text": "Use one of the following services to run SAP central services clusters, depending on the operating system.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "checklist": "CosmosDB Review Checklist", - "guid": "0d934a34-8b26-43e7-bd60-513a3649906e", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#replica-outages", - "service": "CosmosDB", + "checklist": "SAP Checklist", + "guid": "ed46b937-913e-4018-9c62-8393ab037e53", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", + "service": "SAP", "severity": "Medium", - "text": "Run multiple replicas of the database (>1 ) in Prod", + "text": "Azure doesn't currently support combining ASCS and DB HA in the same Linux Pacemaker cluster; separate them into individual clusters. 
However, you can combine up to five multiple central-services clusters into a pair of VMs.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "checklist": "CosmosDB Review Checklist", - "description": "Multi-region writes capability allows you to take advantage of the provisioned throughput for your databases and containers across the globe", - "guid": "bad38ead-53cc-47de-8d8a-aab3571449ab", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions", - "service": "CosmosDB", + "checklist": "SAP Checklist", + "guid": "f656e745-0cfb-453e-8008-0528fa21c933", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "severity": "Medium", - "text": "Leverage Multi-Region Writes", + "text": "Deploy both VMs in the high-availability pair in an availability set or in availability zones. 
These VMs should be the same size and have the same storage configuration.", "waf": "Reliability" }, { - "checklist": "CosmosDB Review Checklist", - "description": "Span Cosmos account across two or more regions with multi-region writes", - "guid": "8153d89f-89dc-47b3-9be2-b1a27f7b9e91", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", - "service": "CosmosDB", + "checklist": "SAP Checklist", + "guid": "7f684ebc-95da-425e-b329-e782dbed050f", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", + "service": "SAP", "severity": "Medium", - "text": "Distribute your data globally", + "text": "Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances on the same high availability cluster running on Red Hat Enterprise Linux (RHEL).", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "checklist": "CosmosDB Review Checklist", - "description": "Choose from various consistency levels such as Eventual, Consistent Prefix, Session, Bounded Staleness and strong", - "guid": "9f8ea848-25ec-4140-bc32-2758e6ee9ac0", - "link": "https://learn.microsoft.com/azure/cosmos-db/consistency-levels", - "service": "CosmosDB", + "checklist": "SAP Checklist", + "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", "severity": "High", - "text": "Choose from several well-defined consistency models", + "text": "Run all production systems on Premium managed SSDs and use Azure NetApp Files or Ultra Disk Storage. 
At least the OS disk should be on the Premium tier so you can achieve better performance and the best SLA.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", "waf": "Reliability" }, { - "checklist": "CosmosDB Review Checklist", - "description": "Maintain business continuity during regional outages. Azure Cosmos DB supports service-managed failover during a regional outage. During a regional outage, Azure Cosmos DB continues to maintain its latency, availability, consistency, and throughput SLAs. To help make sure that your entire application is highly available, Azure Cosmos DB offers a manual failover API to simulate a regional outage. By using this API, you can carry out regular business continuity drills.", - "guid": "a47e4d1e-bb79-43f9-bf87-69e1032b72fe", - "link": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover", - "service": "CosmosDB", - "severity": "Medium", - "text": "Enable Service managed failover", + "checklist": "SAP Checklist", + "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", + "service": "SAP", + "severity": "High", + "text": "You should run SAP HANA on Azure only on the types of storage that are certified by SAP. Note that certain volumes must be run on certain disk configurations, where applicable. These configurations include enabling Write Accelerator and using Premium storage. You also need to ensure that the file system that runs on storage is compatible with the DBMS that runs on the machine.", + "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", "waf": "Reliability" }, { - "checklist": "CosmosDB Review Checklist", - "description": "Azure Cosmos DB automatically takes backups of your data at regular intervals. 
The automatic backups are taken without affecting the performance or availability of the database operations. All the backups are stored separately in a storage service.", - "guid": "3499c9c1-133d-42f7-a4b1-a5bd06ff1a90", - "link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore", - "service": "CosmosDB", - "severity": "Medium", - "text": "Enable Automatic Backups", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "checklist": "SAP Checklist", + "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", + "service": "SAP", + "severity": "High", + "text": "Consider configuring high availability depending on the type of storage you use for your SAP workloads. Some storage services available in Azure are not supported by Azure Site Recovery, so your high availability configuration may differ.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", "waf": "Reliability" }, { - "checklist": "CosmosDB Review Checklist", - "description": "This mode is the default backup mode for all existing accounts. In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. 
The minimum backup interval can be one hour.", - "guid": "a6eb33f6-005c-4d92-9286-7655672d6121", - "link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction", - "service": "CosmosDB", - "severity": "Medium", - "text": "Perform Periodic Backups", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "checklist": "SAP Checklist", + "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", + "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", + "service": "SAP", + "severity": "High", + "text": "Different native Azure storage services (like Azure Files, Azure NetApp Files, Azure Shared Disk) may not be available in all regions. So to have similar SAP setup on the DR region after failover, ensure the respective storage service is offered in DR site.", "waf": "Reliability" }, { - "checklist": "CosmosDB Review Checklist", - "description": "Continous 7 day retention and 30 day retention backups. Azure Cosmos DB performs data backup in the background without consuming any extra provisioned throughput (RUs) or affecting the performance and availability of your database. 
Continuous backups are taken in every region where the account exists.", - "guid": "d43918a8-cd28-49be-b6b1-7cb8245461e1", - "link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction", - "service": "CosmosDB", + "checklist": "SAP Checklist", + "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", + "service": "SAP", "severity": "Medium", - "text": "Continous Backup with point-in-time restore in Azure Cosmos DB", - "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", - "waf": "Reliability" + "text": "Automate SAP System Start-Stop to manage costs.", + "waf": "Cost" }, { - "checklist": "Cost Optimization Checklist", - "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", - "service": "Azure Monitor", - "severity": "Medium", - "text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", - "training": "https://azure.microsoft.com/pricing/reservations/", + "checklist": "SAP Checklist", + "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", + "severity": "Low", + "text": "In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD storage can be used to select a cost-conscious storage solution. However, please note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA of the individual VMs. 
Also, for systems with lower I/O throughput and low latency, such as non-production environments, lower series VMs can be used.", "waf": "Cost" }, { - "checklist": "Cost Optimization Checklist", - "guid": "45901365-d38e-443f-abcb-d868266abca2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Azure Backup", - "severity": "Medium", - "text": "check backup instances with the underlying datasource not found", + "checklist": "SAP Checklist", + "guid": "9877f353-2591-4e8b-8381-e9043fed1010", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", + "severity": "Low", + "text": "As a lower-cost alternative configuration (multipurpose), you can choose a low-performance SKU for your non-production HANA database server VMs. However, it is important to note that some VM types, such as E-series, are not HANA certified (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.", "waf": "Cost" }, { - "checklist": "Cost Optimization Checklist", - "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", + "service": "SAP", + "severity": "High", + "text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "Security" + }, + { + "checklist": "SAP Checklist", + "guid": "45911475-e39e-4530-accc-d979366bcda2", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", "severity": "Medium", - "text": 
"Delete or archive unassociated services (disks, nics, ip addresses etc)", - "waf": "Cost" + "text": "Enforce Principal propagation for forwarding the identity from SAP cloud application to SAP on-premises (Including IaaS) through cloud connector", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", + "waf": "Security" }, { - "checklist": "Cost Optimization Checklist", - "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Azure Backup", + "checklist": "SAP Checklist", + "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", "severity": "Medium", - "text": "Consider a good balance between site recovery storage and backup for non mission critical applications", - "waf": "Cost" + "text": "Implement SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics and SAP C4C with Azure AD using SAML.", + "waf": "Security" }, { - "checklist": "Cost Optimization Checklist", - "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", - "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", - "service": "Azure Monitor", + "checklist": "SAP Checklist", + "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", "severity": "Medium", - "text": "Check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily 
cap, in addition to creating an alert when the cap is reached,ensure that you also create an alert rule to be notified when some percentage has been reached (90% for example). - consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", - "waf": "Cost" + "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "waf": "Security" }, { - "checklist": "Cost Optimization Checklist", - "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Azure Monitor", + "checklist": "SAP Checklist", + "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", + "service": "SAP", "severity": "Medium", - "text": "Enforce a purging log policy and automation (if needed, logs can be moved to cold storage)", - "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", - "waf": "Cost" + "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", + "waf": "Security" }, { - "checklist": "Cost Optimization Checklist", - "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", + "link": 
"https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", "severity": "Medium", - "text": "Check that the disks are really needed, if not: delete. If they are needed, find lower storage tiers or use backup -", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", - "waf": "Cost" + "text": "You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "waf": "Security" }, { - "checklist": "Cost Optimization Checklist", - "guid": "d1e44a19-659d-4395-afd7-7289b835556d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Storage", + "checklist": "SAP Checklist", + "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", + "service": "SAP", "severity": "Medium", - "text": "Consider moving unused storage to lower tier, with customized rule - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "waf": "Cost" + "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on",
+ "waf": "Security"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "VM",
+ "checklist": "SAP Checklist",
+ "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6",
+ "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Make sure advisor is configured for VM right sizing ",
- "waf": "Cost"
+ "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.",
+ "waf": "Security"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "description": "check by searching the Meter Category Licenses in the Cost analysys",
- "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations",
- "service": "VM",
+ "checklist": "SAP Checklist",
+ "guid": "16785d6f-a96c-496a-b885-18f482734c88",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth",
+ "service": "SAP",
 "severity": "Medium",
- "text": "run the script on all windows VMs https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- consider implementing a policy if windows VMs are created 
frequently", - "waf": "Cost" + "text": "Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom applications to access SAP NetWeaver OData services.", + "waf": "Security" }, { - "checklist": "Cost Optimization Checklist", - "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "a747c350-8d4c-449c-93af-393dbca77c48", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", + "service": "SAP", "severity": "Medium", - "text": " this can be also put under AHUB if you already have licenses https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", - "waf": "Cost" + "text": "Implement SSO to SAP HANA", + "waf": "Security" }, { - "checklist": "Cost Optimization Checklist", - "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", + "service": "SAP", "severity": "Medium", - "text": "Consolidate reserved VM families with flexibility option (no more than 4-5 families)", - "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", - "waf": "Cost" + "text": "Consider Azure AD an identity provider for SAP systems hosted on RISE. 
For more information, see Integrating the Service with Azure AD.",
+ "waf": "Security"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations",
- "service": "VM",
+ "checklist": "SAP Checklist",
+ "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753",
+ "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Utilize Azure Reserved Instances: This feature allows you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.",
- "waf": "Cost"
+ "text": "For applications that access SAP, you might want to use principal propagation to establish SSO.",
+ "waf": "Security"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d",
- "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
- "service": "VM",
+ "checklist": "SAP Checklist",
+ "guid": "59921095-4980-4fc1-a5b6-524a5a560c79",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Only larger disks can be reserved => 1 TiB -",
- "waf": "Cost"
+ "text": "If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), consider implementing SSO between SAP Cloud Identity Authentication Services and Azure AD to access those SAP services. 
This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Azure AD as the central user store and identity provider.",
+ "waf": "Security"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db",
- "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain",
- "service": "VM",
+ "checklist": "SAP Checklist",
+ "guid": "a709c664-317e-41e4-9e34-67d9016a86f4",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial",
+ "service": "SAP",
 "severity": "Medium",
- "text": "After the right-sizing optimization",
- "waf": "Cost"
+ "text": "Implement SSO to SAP BTP",
+ "waf": "Security"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy",
- "service": "Azure SQL",
+ "checklist": "SAP Checklist",
+ "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Check if applicable and enforce policy/change https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations",
- "waf": "Cost"
+ "text": "If you're using SAP SuccessFactors, consider using the Azure AD automated user provisioning. With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Azure AD. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Azure AD. 
Use write-back of the email address to SAP SuccessFactors.",
+ "waf": "Security"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667",
- "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
- "service": "VM",
+ "checklist": "SAP Checklist",
+ "guid": "6ba28021-4591-4147-9e39-e5309cccd979",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups",
+ "service": "SAP",
 "severity": "Medium",
- "text": "The VM + license part discount (ahub + 3YRI) is around 70% discount",
- "waf": "Cost"
+ "text": "enforce existing Management Group policies to SAP Subscriptions",
+ "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization",
+ "waf": "Operations"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
- "service": "VM",
- "severity": "Medium",
- "text": "Consider using a VMSS to match demand rather than flat sizing",
- "waf": "Cost"
+ "checklist": "SAP Checklist",
+ "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Integrate tightly coupled applications into the same SAP subscription to avoid additional routing and management complexity",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Cost Optimization Checklist",
- "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc",
- "link": 
"https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "AKS", - "severity": "Medium", - "text": "Use AKS autoscaler to match your clusters usage (make sure the pods requirements match the scaler)", - "waf": "Cost" + "checklist": "SAP Checklist", + "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", + "severity": "High", + "text": "Leverage Subscription as scale unit and scaling our resources, consider deploying subscription per environment eg. Sandbox, non-prod, prod ", + "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", + "waf": "Operations" }, { - "checklist": "Cost Optimization Checklist", - "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Azure Backup", - "severity": "Medium", - "text": "Move recovery points to vault-archive where applicable (Validate)", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "Cost" + "checklist": "SAP Checklist", + "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", + "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", + "service": "SAP", + "severity": "High", + "text": "Ensure quota increase as a part of subscription provisioning (e.g. 
total available VM cores within a subscription)",
+ "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "waf": "Operations"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2",
- "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination",
- "service": "Databricks",
- "severity": "Medium",
- "text": "Consider using Spot VMs with fallback where possible. Consider autotermination of clusters.",
- "waf": "Cost"
+ "checklist": "SAP Checklist",
+ "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc",
+ "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "The Quota API is a REST API that you can use to view and manage quotas for Azure services. Consider using it if necessary.",
+ "waf": "Operations"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "cc881470-607c-41cc-a0e6-14658dd458e9",
- "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create",
- "service": "Azure Functions",
- "severity": "Medium",
- "text": "Functions - Reuse connections",
- "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json",
- "waf": "Cost"
+ "checklist": "SAP Checklist",
+ "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8",
+ "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal",
+ "service": "SAP",
+ "severity": "High",
+ "text": "If deploying to an availability zone, ensure that the VM's zone deployment is available once the quota has been approved. 
Submit a support request with the subscription, VM series, number of CPUs and availability zone required.",
+ "waf": "Operations"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f",
- "link": "https://learn.microsoft.com/azure/automation/update-management/overview",
- "service": "Azure Functions",
- "severity": "Medium",
- "text": "Functions - Cache data locally",
- "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
- "waf": "Cost"
+ "checklist": "SAP Checklist",
+ "guid": "e6e20617-3686-4af4-9791-f8935ada4332",
+ "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Ensure required services and features are available within the chosen deployment regions eg. ANF , Zone etc.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations",
+ "waf": "Operations"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac",
- "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
- "service": "Azure Functions",
+ "checklist": "SAP Checklist",
+ "guid": "4e138115-2318-41aa-9174-26943ff8ae7d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Functions - Cold starts-Use the 'Run from package' functionality. This way, the code is downloaded as a single zip file. 
This can, for example, result in significant improvements with Javascript functions, which have a lot of node modules.Use language specific tools to reduce the package size, for example, tree shaking Javascript applications.",
- "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
- "waf": "Cost"
+ "text": "Leverage Azure resource tag for cost categorization and resource grouping (: BillTo, Department (or Business Unit), Environment (Production, Stage, Development), Tier (Web Tier, Application Tier), Application Owner, ProjectName)",
+ "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
+ "waf": "Operations"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
- "service": "Azure Functions",
- "severity": "Medium",
- "text": "Functions - Keep your functions warm",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
- "waf": "Cost"
+ "checklist": "SAP Checklist",
+ "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061",
+ "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Help protect your HANA database by using the Azure Backup service.",
+ "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations",
+ "waf": "Reliability"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Azure Functions",
+ "checklist": "SAP Checklist",
+ "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c",
+ "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction",
+ "service": "SAP",
 "severity": "Medium",
- "text": "When using 
autoscale with different functions, there might be one driving all the autoscale for all the resources - consider moving it to a separate consumption plan (and consider higher plan for CPU)",
- "waf": "Cost"
+ "text": "If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use the Azure Application Consistent Snapshot tool (AzAcSnap) to take application-consistent snapshots. AzAcSnap also supports Oracle databases. Consider using AzAcSnap on a central VM rather than on individual VMs.",
+ "waf": "Reliability"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8",
- "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal",
- "service": "Azure Functions",
- "severity": "Medium",
- "text": "Function apps in a given plan are all scaled together, so any issues with scaling can affect all apps in the plan.",
- "waf": "Cost"
+ "checklist": "SAP Checklist",
+ "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Ensure time-zone matches between the operating system and the SAP system.",
+ "waf": "Operations"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38",
- "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups",
- "service": "Azure Functions",
+ "checklist": "SAP Checklist",
+ "guid": "c3c7abc0-716c-4486-893c-40e181d65539",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Am I billed for 'await time'? This question is typically asked in the context of a C# function that does an async operation and waits for the result, e.g. await Task.Delay(1000) or await client.GetAsync('http://google.com'). 
The answer is yes - the GB second calculation is based on the start and end time of the function and the memory usage over that period. What actually happens over that time in terms of CPU activity is not factored into the calculation.One exception to this rule is if you are using durable functions. You are not billed for time spent at awaits in orchestrator functions.apply demand shaping techinques where possible (dev environments?) https://github.com/Azure-Samples/functions-csharp-premium-scaler",
- "waf": "Cost"
+ "text": "Don't group different application services in the same cluster. For example, don't combine DRBD and central services clusters on the same cluster. However, you can use the same Pacemaker cluster to manage approximately five different central services (multi-SID cluster).",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "waf": "Reliability"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "Front Door",
- "severity": "Medium",
- "text": "Frontdoor - Turn off the default homepageIn the application settings of your App, set AzureWebJobsDisableHomepage to true. 
This will return a 204 (No Content) to the PoP so only header data is returned.",
+ "checklist": "SAP Checklist",
+ "guid": "a491dfc4-9353-4213-9217-eef0949f9467",
+ "link": "https://azure.microsoft.com/pricing/offers/dev-test/",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "Consider running dev/test systems in a snooze model to save and optimize Azure run costs.",
 "waf": "Cost"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
- "service": "Front Door",
+ "checklist": "SAP Checklist",
+ "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54",
+ "link": "https://learn.microsoft.com/azure/lighthouse/overview",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Frontdoor - Route to something that returns nothing. Either set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. The advantage of this is you will be able to log out when it is called.",
- "waf": "Cost"
+ "text": "If you partner with customers by managing their SAP estates, consider Azure Lighthouse. Azure Lighthouse allows managed service providers to use Azure native identity services to authenticate to the customers' environment. 
It puts the control in the hands of customers, because they can revoke access at any time and audit service providers' actions.",
+ "waf": "Operations"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3",
- "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring",
- "service": "Storage",
+ "checklist": "SAP Checklist",
+ "guid": "4d116785-d2fa-456c-96ad-48408fe72734",
+ "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Consider archiving tiers for less used data",
- "waf": "Cost"
+ "text": "Use Azure Update Manager to check the status of available updates for a single VM or multiple VMs and consider scheduling regular patching.",
+ "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c",
- "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings",
- "service": "VM",
- "severity": "Medium",
- "text": "Check disk sizes where the size does not match the tier (i.e. A 513 GiB disk will pay a P30 (1TiB) and consider resizing",
- "waf": "Cost"
+ "checklist": "SAP Checklist",
+ "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "Optimize and manage SAP Basis operations by using SAP Landscape Management (LaMa). 
Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2",
- "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration",
- "service": "Storage",
+ "checklist": "SAP Checklist",
+ "guid": "14591147-5e39-4e53-89cc-cd979366bcda",
+ "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Consider using standard SSD rather than Premium or Ultra where possible",
- "waf": "Cost"
+ "text": "Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA, high-availability SUSE clusters, and SQL systems) on Azure. Consider supplementing Azure Monitor for SAP solutions with SAP Solution Manager.",
+ "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift",
- "service": "Storage",
- "severity": "Medium",
- "text": "For storage accounts, make sure that the chosen tier is not adding up transaction charges (it might be cheaper to move to the next tier)",
- "waf": "Cost"
+ "checklist": "SAP Checklist",
+ "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Run a VM Extension for SAP check. 
VM Extension for SAP uses the assigned managed identity of a virtual machine (VM) to access VM monitoring and configuration data. The check ensures that all performance metrics in your SAP application come from the underlying Azure Extension for SAP.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f",
- "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
- "service": "Site Recovery",
+ "checklist": "SAP Checklist",
+ "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "service": "SAP",
 "severity": "Medium",
- "text": "For ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput allow it",
- "waf": "Cost"
+ "text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. ",
+ "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
+ "waf": "Operations"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1",
- "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery",
- "service": "Storage",
+ "checklist": "SAP Checklist",
+ "guid": "523181aa-4174-4269-93ff-8ae7d7d47431",
+ "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Storage accounts: check hot tier and/or GRS necessary",
- "waf": "Cost"
+ "text": "Use Connection Monitor in Azure Network Watcher to monitor latency metrics for SAP databases and application servers. 
Or collect and display network latency measurements by using Azure Monitor.",
+ "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979",
+ "waf": "Operations"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18",
- "link": "https://learn.microsoft.com/azure/backup/backup-center-overview",
- "service": "VM",
+ "checklist": "SAP Checklist",
+ "guid": "73686af4-6791-4f89-95ad-a43324e13811",
+ "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Disks - validate use of Premium SSD disks everywhere: for example, non-prod could swap to Standard SSD or on-demand Premium SSD ",
- "waf": "Cost"
+ "text": "Perform a quality check for SAP HANA on the provisioned Azure infrastructure to verify that provisioned VMs comply with SAP HANA on Azure best practices.",
+ "waf": "Operations"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5",
- "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview",
- "service": "Synapse",
- "severity": "Medium",
- "text": "Create budgets to manage costs and create alerts that automatically notify stakeholders of spending anomalies and overspending risks.",
- "waf": "Cost"
+ "checklist": "SAP Checklist",
+ "guid": "616785d6-fa96-4c96-ad88-518f482734c8",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
+ "service": "SAP",
+ "severity": "High",
+ "text": "For each Azure subscription, run a latency test on Azure availability zones before zonal deployment to choose low-latency zones for deployment of SAP on Azure.",
+ "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
+ "waf": "Performance"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": 
"35e33789-7e31-4c67-b68c-f6a62a119495", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "Synapse", + "checklist": "SAP Checklist", + "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", + "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", + "service": "SAP", "severity": "Medium", - "text": "Export cost data to a storage account for additional data analysis.", - "waf": "Cost" + "text": "Run the Resiliency Report to ensure that the configuration of the entire provisioned Azure infrastructure (Compute, Database, Networking, Storage, Site Recovery) complies with the configuration defined by Cloud Adaption Framework for Azure.", + "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", + "waf": "Reliability" }, { - "checklist": "Cost Optimization Checklist", - "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Synapse", + "checklist": "SAP Checklist", + "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", + "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", + "service": "SAP", "severity": "Medium", - "text": "Control costs for a dedicated SQL pool by pausing the resource when it is not in use.", - "waf": "Cost" + "text": "Implement threat protection by using the Microsoft Sentinel solution for SAP. 
Use this solution to monitor your SAP systems and detect sophisticated threats throughout the business logic and application layers.",
+ "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations",
+ "waf": "Security"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4",
- "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview",
- "service": "Synapse",
+ "checklist": "SAP Checklist",
+ "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c",
+ "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Enable the serverless Apache Spark automatic pause feature and set your timeout value accordingly.",
- "waf": "Cost"
+ "text": "Azure tagging can be leveraged to logically group and track resources, automate their deployments, and most importantly, provide visibility on the incurred costs.",
+ "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates",
- "service": "Synapse",
- "severity": "Medium",
- "text": "Create multiple Apache Spark pool definitions of various sizes.",
- "waf": "Cost"
+ "checklist": "SAP Checklist",
+ "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "Use inter-VM latency monitoring for latency-sensitive applications.",
+ "waf": "Performance"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a",
- "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", - "service": "Synapse", + "checklist": "SAP Checklist", + "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", "severity": "Medium", - "text": "Purchase Azure Synapse commit units (SCU) for one year with a pre-purchase plan to save on your Azure Synapse Analytics costs.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "Reliability" }, { - "checklist": "Cost Optimization Checklist", - "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", "severity": "Medium", - "text": "Use Spot VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "text": "Exclude all the database file systems and executable programs from antivirus scans. Including them could lead to performance problems. Check with the database vendors for prescriptive details on the exclusion list. 
For example, Oracle recommends excluding /oracle//sapdata from antivirus scans.", + "waf": "Performance" }, { - "checklist": "Cost Optimization Checklist", - "guid": "544451e1-92d3-4442-a3c7-628637a551c5", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", - "severity": "Medium", - "text": "Right-sizing all VMs", - "waf": "Cost" + "checklist": "SAP Checklist", + "guid": "c027f893-f404-41a9-b33d-39d625a14964", + "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", + "service": "SAP", + "severity": "Low", + "text": "Consider collecting full database statistics for non-HANA databases after migration. For example, implement SAP note 1020260 - Delivery of Oracle statistics.", + "waf": "Performance" }, { - "checklist": "Cost Optimization Checklist", - "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", + "service": "SAP", "severity": "Medium", - "text": "Swap VM sized with normalized and most recent sizes", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "text": "Consider using Oracle Automatic Storage Management (ASM) for all Oracle deployments that use SAP on Azure.", + "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", + "waf": "Performance" }, { - "checklist": "Cost Optimization Checklist", - "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", + "link": 
"https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", + "service": "SAP", "severity": "Medium", - "text": "right-sizing VMs - start with monitoring usage below 5% and then work up to 40%", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "text": "For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose performance problems. Automatic Workload Repository (AWR) reports contain valuable information for diagnosing problems in the Oracle system. We recommend that you run an AWR report during several sessions and choose peak times for it, to ensure broad coverage for the analysis.", + "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", + "waf": "Performance" }, { - "checklist": "Cost Optimization Checklist", - "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", + "severity": "High", + "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.", + "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "waf": "Operations" + }, + { + "checklist": "SAP Checklist", + "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "SAP", "severity": "Medium", - "text": "Containerizing an application can improve VM density and save money on scaling it", - "training": 
"https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Cost" + "text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", + "waf": "Security" }, { - "checklist": "Device Provisioning Service Review", - "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", - "service": "IoT Hub DPS", - "severity": "High", - "text": "Select the right Logic App hosting plan based on your business & SLO requirements", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", + "severity": "Medium", + "text": "If the virtual machine's DNS or virtual name is not changed during migration to Azure, Background DNS and virtual names connect many system interfaces in the SAP landscape, and customers are only sometimes aware of the interfaces that developers define over time. 
Connection challenges arise between various systems when virtual or DNS names change after migrations, and it's recommended to retain DNS aliases to prevent these types of difficulties.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "Operations" }, { - "checklist": "Device Provisioning Service Review", - "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "IoT Hub DPS", - "severity": "High", - "text": "Protect logic apps from region failures with zone redundancy and availability zones", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", + "severity": "Medium", + "text": "Use different DNS zones to distinguish each environment (sandbox, development, preproduction, and production) from each other. 
The exception is for SAP deployments with their own VNet; here, private DNS zones might not be necessary.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "Operations" }, { - "checklist": "Device Provisioning Service Review", - "guid": "8aed4fbf-0830-4883-899d-222a154af478", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "IoT Hub DPS", - "severity": "High", - "text": "Consider a Cross-Region DR strategy for critical workloads", + "checklist": "SAP Checklist", + "guid": "a3592829-e6e2-4061-9368-6af46791f893", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", + "service": "SAP", + "severity": "Medium", + "text": "Local and global VNet peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions", + "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", "waf": "Reliability" }, { - "checklist": "Device Provisioning Service Review", - "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "IoT Hub DPS", + "checklist": "SAP Checklist", + "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", + "service": "SAP", "severity": "High", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", - "waf": "Reliability" + "text": "It is not supported to deploy any NVA between SAP application and SAP Database server", + "training": "https://me.sap.com/notes/2731110", + "waf": "Performance" }, { - "checklist": "Device Provisioning Service Review", - 
"guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "IoT Hub DPS", + "checklist": "SAP Checklist", + "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", + "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", + "service": "SAP", "severity": "Medium", - "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", + "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", + "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", "waf": "Operations" }, { - "checklist": "Device Update Review", - "guid": "0e03f5ee-4648-423c-bb86-7239480f9171", - "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", - "service": "Device Update for IoT Hub", - "severity": "High", - "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled).", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", + "service": "SAP", + "severity": "Medium", + "text": "Consider deploying network virtual appliances (NVAs) between regions only if partner NVAs are used. NVAs between regions or VNets aren't required if native NVAs are present. 
When you're deploying partner networking technologies and NVAs, follow the vendor's guidance to verify conflicting configurations with Azure networking.", + "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", + "waf": "Operations" }, { - "checklist": "Device Update Review", - "guid": "c0c273bd-00ad-419a-9f2f-fc72fb181e55", - "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", - "service": "Device Update for IoT Hub", - "severity": "High", - "text": "Be aware of Microsoft-initiated failovers. These are exercised by Microsoft in rare situations to fail over all the DPS instances from an affected region to the corresponding geo-paired region.", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", + "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", + "service": "SAP", + "severity": "Medium", + "text": "Virtual WAN manages connectivity between spoke VNets for virtual-WAN-based topologies (no need to set up user-defined routing [UDR] or NVAs), and maximum network throughput for VNet-to-VNet traffic in the same virtual hub is 50 gigabits per second. 
If necessary, SAP landing zones can use VNet peering to connect to other landing zones and overcome this bandwidth limitation.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", + "waf": "Operations" }, { - "checklist": "Device Update Review", - "guid": "3af8abe6-07eb-4287-b393-6c4abe3702eb", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Device Update for IoT Hub", + "checklist": "SAP Checklist", + "guid": "82734c88-6ba2-4802-8459-11475e39e530", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", "severity": "High", - "text": "Consider a Cross-Region DR strategy for critical workloads", - "waf": "Reliability" + "text": "Public IP assignment to VM running SAP Workload is not recommended.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "waf": "Security" }, { - "checklist": "Device Update Review", - "guid": "bd91245c-fe32-4e98-a085-794a40f4bfe1", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Device Update for IoT Hub", + "checklist": "SAP Checklist", + "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", + "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "service": "SAP", "severity": "High", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", - "waf": "Reliability" + "text": "Consider reserving IP address on DR side when configuring ASR", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Operations" }, { - "checklist": "Azure Event Hub 
Review", - "description": "Azure Event Hub provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "service": "Event Hubs", - "severity": "Low", - "text": "Use customer-managed key option in data at rest encryption when required", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Security" + "checklist": "SAP Checklist", + "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", + "severity": "High", + "text": "Avoid using overlapping IP address ranges for production and DR sites.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "waf": "Operations" }, { - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail. 
", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "6e154e3a-a359-4282-ae6e-206173686af4", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", + "service": "SAP", "severity": "Medium", - "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Security" + "text": "While Azure does help you to create multiple delegated subnets in a VNet, only one delegated subnet can exist in a VNet for Azure NetApp Files. Attempts to create a new volume will fail if you use more than one delegated subnet for Azure NetApp Files.", + "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", + "waf": "Operations" }, { - "checklist": "Azure Event Hub Review", - "description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has manage permissions for the entire namespace. It�s recommended that you treat this rule like an administrative root account and don�t use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", + "service": "SAP", "severity": "Medium", - "text": "Avoid using root account when it is not necessary", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)", + "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", "waf": "Security" }, { - "checklist": "Azure Event Hub Review", - "description": "Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. ", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", + "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", + "service": "SAP", "severity": "Medium", - "text": "When possible, your application should be using a managed identity to authenticate to Azure Event Hub. 
If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Security" - }, - { - "checklist": "Azure Event Hub Review", - "description": "When creating permissions, provide fine-grained control over a client's access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped to the individual resource level e.g. consumer group, event hub entity, event hub namespaces, etc.", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "service": "Event Hubs", - "severity": "High", - "text": "Use least privilege data plane RBAC", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "text": "Application Gateway and Web Application Firewall have limitations when Application Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between Application Gateway, SAP Web Dispatcher, and other third-party services.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", "waf": "Security" }, { - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub resource logs include operational logs, virtual network and Kafka logs. 
Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", "severity": "Medium", - "text": "Enable logging for security investigation. Use Azure Monitor to captured metrics and logs such as resource logs, runtime audit logs and Kafka logs", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", + "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", "waf": "Security" }, { - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Event Hub traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. 
", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "SAP", "severity": "Medium", - "text": "Consider using private endpoints to access Azure Event Hub and disable public network access when applicable.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "text": "Take advantage of Web Application Firewall policies in Azure Front Door when you're using Azure Front Door and Application Gateway to protect HTTP/S applications. Lock down Application Gateway to receive traffic only from Azure Front Door.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", "waf": "Security" }, { - "checklist": "Azure Event Hub Review", - "description": "With IP firewall, you can restrict public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. ", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "5ada4332-4e13-4811-9231-81aa41742694", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", "severity": "Medium", - "text": "Consider only allowing access to Azure Event Hub namespace from specific IP addresses or ranges", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "text": "Use a web application firewall to scan your traffic when it's exposed to the internet. 
Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", "waf": "Security" }, { - "checklist": "Azure Event Hub Review", - "guid": "31d41e36-11c8-417b-8afb-c410d4391898", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "SAP", "severity": "Medium", - "text": "Leverage FTA Resillency HandBook", - "waf": "Reliability" - }, - { - "checklist": "Azure Event Hub Review", - "description": " This will be turned on automatically for a new EH namespace created from the portal with Premium, Dedicated, or Standard SKUs in a zone-enabled region. Both the EH metadata and the event data itself are replicated across zones", - "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", - "service": "Event Hubs", - "severity": "High", - "text": "Leverage Availability Zones if regionally applicable", - "waf": "Reliability" + "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", + "waf": "Performance" }, { - "checklist": "Azure Event Hub Review", - "guid": "20b56c56-ad58-4519-8f82-735c586bb281", - "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "SAP", "severity": "Medium", - "text": "Use the Premium or Dedicated SKUs for predicable performance", - "waf": "Reliability" - }, - { - "checklist": "Azure Event Hub Review", - "description": "The built-in geo-disaster recovery feature, when enabled, ensures that the entire configuration of anamespace (Event Hubs, Consumer Groups and settings) is continuously replicated from a primary namespace to a secondary namespace, and it allows a once-only failover move from the primary to the secondary at any time. Active/Passive feature is designed to make it easier to recover from and abandon a failed Azure region without having to change application configurations", - "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", - "service": "Event Hubs", - "severity": "High", - "text": "Plan for Geo Disaster Recovery using Active Passive configuration", - "waf": "Reliability" + "text": "To prevent data leakage, use Azure Private Link to securely access platform as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, and more. Azure Private Endpoint can also help to secure traffic between VNets and services like Azure Storage, Azure Backup, and more. 
Traffic between your VNet and the Private Endpoint enabled service travels across the Microsoft global network, which prevents its exposure to the public internet.", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", + "waf": "Security" }, { - "checklist": "Azure Event Hub Review", - "description": "Should be used for DR configurations where an outage or loss of event data in the downed region cannot be tolerated. For these cases, follow the replication guidance and do not use the built-in geo-disaster recovery capability (active/passive). With Active/Active, Maintain multiple Event Hubs in different regions and namespaces, and events will be replicated between the hubs", - "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", - "service": "Event Hubs", - "severity": "Medium", - "text": "For Business Critical Applications, use Active Active configuration", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", + "service": "SAP", + "severity": "High", + "text": "Make sure that Azure accelerated networking is enabled on the VMs used in the SAP application and DBMS layers.", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "Performance" }, { - "checklist": "Azure Event Hub Review", - "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", - "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", + "service": 
"SAP", "severity": "Medium", - "text": "Design Resilient Event Hubs", - "waf": "Reliability" + "text": "Make sure that internal deployments for Azure Load Balancer are set up to use Direct Server Return (DSR). This setting (Enabling Floating IP) will reduce latency when internal load balancer configurations are used for high-availability configurations on the DBMS layer.", + "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "waf": "Security" }, { - "checklist": "Identity Review Checklist", - "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", - "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "6791f893-5ada-4433-84e1-3811523181aa", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "SAP", "severity": "Medium", - "text": "Use long-live revocable token, cache your token and acquire your silently using Microsoft Identity Library", - "waf": "Reliability" + "text": "You can use application security group (ASG) and NSG rules to define network security access-control lists between the SAP application and DBMS layers. ASGs group virtual machines to help manage their security.", + "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", + "waf": "Security" }, { - "checklist": "Identity Review Checklist", - "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", - "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", - "service": "AAD B2C", - "severity": "Medium", - "text": "Make sure that your sign-in user flows are backed up and resilient. Make sure that the code that you use to sign-in your users are backed up and recoverable. 
Resilient interfaces with external processes", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", + "severity": "High", + "text": "Placing of the SAP application layer and SAP DBMS in different Azure VNets that aren't peered isn't supported.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Performance" }, { - "checklist": "Identity Review Checklist", - "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", - "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", - "service": "AAD B2C", + "checklist": "SAP Checklist", + "guid": "fa96c96a-d885-418f-9827-34c886ba2802", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "Medium", - "text": "Custom brand assets should be hosted on a CDN", + "text": "For optimal network latency with SAP applications, consider using Azure proximity placement groups.", + "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", "waf": "Performance" }, { - "checklist": "Identity Review Checklist", - "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", - "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", - "service": "AAD B2C", - "severity": "Low", - "text": "Have multiple identiy providers (i.e., login with your microsoft, google, facebook accounts)", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", + "severity": "High", + "text": "It is NOT supported at all to run an SAP Application Server layer and DBMS layer split between on-premise and Azure. 
Both layers need to completely reside either on-premise or in Azure.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Performance" }, { - "checklist": "Identity Review Checklist", - "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", - "severity": "Medium", - "text": "Follow VM rules for high availability on the VM level (premium disks, two or more in a region, in different availability zones)", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", + "severity": "High", + "text": "It isn't recommended to host the database management system (DBMS) and application layers of SAP systems in different VNets and connect them with VNet peering because of the substantial costs that excessive network traffic between the layers can produce. Recommend using subnets within the Azure virtual network to separate the SAP application layer and DBMS layer.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Cost" }, { - "checklist": "Identity Review Checklist", - "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", - "severity": "Medium", - "text": "Don't replicate! 
Replication can create issues with directory synchronization", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "402a9846-d515-4061-aff8-cd30088693fa", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", + "service": "SAP", + "severity": "High", + "text": "If using Load Balancer with Linux guest operating systems, check that the Linux network parameter net.ipv4.tcp_timestamps is set to 0.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Performance" }, { - "checklist": "Identity Review Checklist", - "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "checklist": "SAP Checklist", + "guid": "87585797-5551-4d53-bb7d-a94ee415734d", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", + "service": "SAP", "severity": "Medium", - "text": "Have active-active for multi-regions", - "waf": "Reliability" + "text": "For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with customer's existing Azure environment. 
Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering", + "waf": "Security" }, { - "checklist": "Identity Review Checklist", - "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", - "severity": "Medium", - "text": "Add Azure AD Domain service stamps to additional regions and locations", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", + "severity": "High", + "text": "Review SAP HANA database backups for Azure VMs.", + "waf": "Cost" }, { - "checklist": "Identity Review Checklist", - "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", "severity": "Medium", - "text": "Use Replica Sets for DR", - "waf": "Reliability" + "text": "Review Site Recovery built-in monitoring, where used for SAP.", + "waf": "Cost" }, { - "checklist": "IoT Hub Review", - "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", - "service": "IoT", + "checklist": "SAP Checklist", + "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", + "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", + "service": "SAP", "severity": "High", - "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled)", - 
"waf": "Reliability" + "text": "Review the Monitoring the SAP HANA System Landscape guidance.", + "waf": "Operations" }, { - "checklist": "IoT Hub Review", - "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", + "checklist": "SAP Checklist", + "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", + "service": "SAP", "severity": "Medium", - "text": "Be aware of Microsoft-initiated failovers. These are exercised by Microsoft in rare situations to fail over all the IoT hubs from an affected region to the corresponding geo-paired region.", - "waf": "Reliability" + "text": "Review Oracle Database in Azure Linux VM backup strategies.", + "waf": "Operations" }, { - "checklist": "IoT Hub Review", - "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", - "service": "IoT", - "severity": "High", - "text": "Consider a Cross-Region DR strategy for critical workloads", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", + "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", + "service": "SAP", + "severity": "Medium", + "text": "Review the use of Azure Blob Storage with SQL Server 2016.", + "waf": "Operations" }, { - "checklist": "IoT Hub Review", - "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", - "severity": "High", - "text": "Learn how to trigger a manual failover.", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", + "link": 
"https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", + "service": "SAP", + "severity": "Medium", + "text": "Review the use of Automated Backup v2 for Azure VMs.", + "waf": "Operations" }, { - "checklist": "IoT Hub Review", - "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", - "service": "IoT", + "checklist": "SAP Checklist", + "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", + "service": "SAP", "severity": "High", - "text": "Learn how to fail back after a failover.", - "waf": "Reliability" + "text": "Enabling Write accelerator for M series when using premium disks(V1)", + "waf": "Operations" }, { - "checklist": "Azure Key Vault", - "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "High", - "text": "Familiarize yourself with the Key Vault's best practices such as isolation recommendations, access control, data protection, backup, and logging.", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "service": "SAP", + "severity": "Medium", + "text": "Test availability zone latency.", + "waf": "Performance" }, { - "checklist": "Azure Key Vault", - "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", + "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", + "service": "SAP", "severity": "Medium", - "text": "Key Vault is a managed service and Microsoft will handle the failover within and across region. 
Familiarize yourself with the Key Vault's availability and redundancy.", - "waf": "Reliability" + "text": "Activate SAP EarlyWatch Alert for all SAP components.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", + "waf": "Performance" }, { - "checklist": "Azure Key Vault", - "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", + "service": "SAP", "severity": "Medium", - "text": "The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets. Familiarize yourself with the Key Vault's data replication.", - "waf": "Reliability" + "text": "Review SAP application server to database server latency using SAP ABAPMeter report /SSA/CAT.", + "training": "https://me.sap.com/notes/0002879613", + "waf": "Performance" }, { - "checklist": "Azure Key Vault", - "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", + "service": "SAP", "severity": "Medium", - "text": "During failover, access policy or firewall configurations and settings can't be changed. The key vault will be in read-only mode during failover. 
Familiarize yourself with the Key Vault's failover guidance.", - "waf": "Reliability" + "text": "Review SQL Server performance monitoring using CCMS.", + "waf": "Performance" }, { - "checklist": "Azure Key Vault", - "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", + "link": "https://me.sap.com/notes/500235", + "service": "SAP", "severity": "Medium", - "text": "When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob can't be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography. Familiarize yourself with the Key Vault's backup and restore guidance.", - "waf": "Reliability" + "text": "Test network latency between SAP application layer VMs and DBMS VMs (NIPING).", + "training": "https://me.sap.com/notes/1100926/E", + "waf": "Performance" }, { - "checklist": "Azure Key Vault", - "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "Key Vault", - "severity": "High", - "text": "If you want protection against accidental or malicious deletion of your secrets, configure soft-delete and purge protection features on your key vault.", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", + "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", + "service": "SAP", + "severity": "Medium", + "text": "Review SAP HANA studio alerts.", + "waf": "Performance" }, { - "checklist": "Azure Key Vault", - "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c", - "link": 
"https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "Key Vault", - "severity": "Low", - "text": "Key Vault's soft-deleted resources are retained for a set period of 90 calendar days. Familiarize yourself with the Key Vault's soft-delete guidance.", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", + "link": "https://me.sap.com/notes/1969700", + "service": "SAP", + "severity": "Medium", + "text": "Perform SAP HANA health checks using HANA_Configuration_Minichecks.", + "waf": "Performance" }, { - "checklist": "Azure Key Vault", - "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", - "service": "Key Vault", - "severity": "Low", - "text": "Understand Key Vault's backup limitations. Key Vault does not support the ability to backup more than 500 past versions of a key, secret, or certificate object. Attempting to backup a key, secret, or certificate object may result in an error. 
It is not possible to delete previous versions of a key, secret, or certificate.", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", + "severity": "Medium", + "text": "If you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments, you can use the Update management center in Azure Automation to manage operating system updates, including security patches.", + "training": "https://learn.microsoft.com/azure/automation/update-management/overview", + "waf": "Security" }, { - "checklist": "Azure Key Vault", - "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", - "service": "Key Vault", - "severity": "Low", - "text": "Key Vault doesn't currently provide a way to back up an entire key vault in a single operation and keys, secrets and certitificates must be backup indvidually. 
Familiarize yourself with the Key Vault's backup and restore guidance.", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "08951710-79a2-492a-adbc-06d7a401545b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", + "severity": "Medium", + "text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.", + "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", + "waf": "Security" }, { - "checklist": "Azure Key Vault", - "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection", - "service": "Key Vault", - "severity": "Medium", - "text": "Purge protection is recommended when using keys for encryption to prevent data loss. Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. It can be turned on via CLI, PowerShell or Portal.", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", + "severity": "Low", + "text": "For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the account. 
Ensure that another user with system administrator rights can access the server before disabling the original system administrator account.", + "waf": "Security" }, { - "checklist": "Logic Apps checklist", - "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", - "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", - "service": "Logic Apps", + "checklist": "SAP Checklist", + "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", "severity": "High", - "text": "Select the right Logic App hosting plan based on your business & SLO requirements", - "waf": "Reliability" + "text": "Disable xp_cmdshell. The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. It's a potential risk in security audits.", + "training": "https://me.sap.com/notes/3019299/E", + "waf": "Security" }, { - "checklist": "Logic Apps checklist", - "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", - "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "Logic Apps", + "checklist": "SAP Checklist", + "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "severity": "High", - "text": "Protect logic apps from region failures with zone redundancy and availability zones", - "waf": "Reliability" + "text": "Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption technology. 
Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "waf": "Security" }, { - "checklist": "Logic Apps checklist", - "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", - "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Logic Apps", - "severity": "High", - "text": "Consider a Cross-Region DR strategy for critical workloads", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "SAP", + "severity": "Medium", + "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. 
Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.", + "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", + "waf": "Security" }, { - "checklist": "Logic Apps checklist", - "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", - "link": "https://learn.microsoft.com/azure/app-service/environment/intro", - "service": "Logic Apps", + "checklist": "SAP Checklist", + "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "SAP", "severity": "High", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", - "waf": "Reliability" + "text": "Use Azure Key Vault to store your secrets and credentials", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "Security" }, { - "checklist": "Logic Apps checklist", - "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", - "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", - "service": "Logic Apps", + "checklist": "SAP Checklist", + "guid": "829e2edb-2173-4676-aff6-691b4935ada4", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "SAP", "severity": "Medium", - "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", - "waf": "Operations" + "text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes. 
You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).", + "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", + "waf": "Security" }, { - "checklist": "MySQL Review Checklist", - "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", - "service": "Azure MySQL", + "checklist": "SAP Checklist", + "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "SAP", "severity": "Medium", - "text": "Leverage Flexible Server", - "waf": "Reliability" + "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "Security" }, { - "checklist": "MySQL Review Checklist", - "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", - "service": "Azure MySQL", + "checklist": "SAP Checklist", + "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", + "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", + "service": "SAP", "severity": "High", - "text": "Leverage Availability Zones where regionally applicable", - "waf": "Reliability" - }, - { - "checklist": "MySQL Review Checklist", - "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", - "service": "Azure MySQL", - "severity": "Medium", - "text": "Leverage Data-in replication for cross-region DR scenarios", - "waf": "Reliability" + "text": "Based 
on existing requirements, regulatory and compliance controls (internal/external) - Determine what Azure Policies and Azure RBAC role are needed", + "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", + "waf": "Security" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Front Door", - "severity": "Medium", - "text": "If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. Reduce the risk of outages caused by manual certificate renewal", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "High", + "text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. 
Follow your DBMS vendor's recommendations when excluding target files.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", + "waf": "Security" }, { - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", - "guid": "553585a6-abe0-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "App Gateway", - "severity": "Medium", - "text": "Ensure you are using Application Gateway v2 SKU", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "checklist": "SAP Checklist", + "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", + "service": "SAP", + "severity": "High", + "text": "Delegate an SAP admin custom role with just-in-time access of Microsoft Defender for Cloud.", + "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", "waf": "Security" }, { - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", - "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Load Balancer", - "severity": "Medium", - "text": "Ensure you are using the Standard SKU for your Azure Load Balancers", + "checklist": "SAP Checklist", + "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + 
"service": "SAP", + "severity": "Low", + "text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS", + "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", "waf": "Security" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "9432621a-8397-4654-a882-5bc856b7ef83", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", - "service": "Load Balancer", + "checklist": "SAP Checklist", + "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", + "service": "SAP", "severity": "Medium", - "text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).", + "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "Security" }, { - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | 
distinct id,compliant", - "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "App Gateway", - "severity": "Medium", - "text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "checklist": "SAP Checklist", + "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", + "service": "SAP", + "severity": "High", + "text": "Use an Azure Key Vault per application per environment per region.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "Security" }, { - "checklist": "Azure Application Delivery Networking", - "description": "Administration of reverse proxies in general and WAF in particular is closer to the application than to networking, so they belong in the same subscription as the app. 
Centralizing the Application Gateway and WAF in the connectivity subscription might be OK if it is managed by one single team.", - "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", - "severity": "Medium", - "text": "Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound HTTP(S) connections within the landing-zone virtual network and with the apps that they're securing.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "checklist": "SAP Checklist", + "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", + "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", + "service": "SAP", + "severity": "High", + "text": "To control and manage disk encryption keys and secrets for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", "waf": "Security" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", - "severity": "Medium", - "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "checklist": "SAP Checklist", + "guid": "209d490d-a477-4784-84d1-16785d2fa56c", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "service": "SAP", + "severity": "High", + "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental 
network-related changes", + "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", "waf": "Security" }, { - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", - "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", - "service": "App Gateway", - "severity": "Medium", - "text": "Configure autoscaling with a minimum amount of instances of two.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Reliability" - }, - { - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", - "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", - "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", - "service": "App Gateway", - "severity": "Medium", - "text": "Deploy Application Gateway across Availability Zones", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", + "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", + "service": "SAP", + "severity": "High", + "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources", + "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", + "waf": "Security" }, { - "checklist": "Azure Application Delivery 
Networking", - "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Front Door", - "severity": "Medium", - "text": "Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span multiple Azure regions.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "checklist": "SAP Checklist", + "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", + "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "service": "SAP", + "severity": "Low", + "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.", + "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", "waf": "Security" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "3f29812b-2363-4cef-b179-b599de0d5973", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "Front Door", - "severity": "Medium", - "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. 
Lock down Application Gateway to receive traffic only from Front Door.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "checklist": "SAP Checklist", + "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", + "service": "SAP", + "severity": "Low", + "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.", + "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", "waf": "Security" }, { - "ammp": true, - "arm-service": "microsoft.network/trafficManagerProfiles", - "checklist": "Azure Application Delivery Networking", - "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Traffic Manager", + "checklist": "SAP Checklist", + "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", "severity": "High", - "text": "Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Reliability" + "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. 
The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", + "waf": "Security" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "severity": "Low", - "text": "If users only need access to internal applications, has Microsoft Entra ID Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. 
For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.", + "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", "waf": "Security" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", + "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", + "service": "SAP", "severity": "Medium", - "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications.", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. 
We highly recommend that you use root certificates.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", "waf": "Security" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", - "guid": "ae248989-b306-4591-9186-de482e3f0f0e", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "Front Door", + "checklist": "Azure Key Vault", + "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "High", - "text": "Deploy your WAF policy for Front Door in 'Prevention' mode.", - "waf": "Security" + "text": "Familiarize yourself with the Key Vault's best practices such as isolation recommendations, access control, data protection, backup, and logging.", + "waf": "Reliability" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "Front Door", - "severity": "High", - "text": "Avoid combining Azure Traffic Manager and Azure Front Door.", - "waf": "Security" + "checklist": "Azure Key Vault", + "guid": 
"7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Key Vault", + "severity": "Medium", + "text": "Key Vault is a managed service and Microsoft will handle the failover within and across region. Familiarize yourself with the Key Vault's availability and redundancy.", + "waf": "Reliability" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "Front Door", - "severity": "High", - "text": "Use the same domain name on Azure Front Door and your origin. Mismatched host names can cause subtle bugs.", - "waf": "Security" + "checklist": "Azure Key Vault", + "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", + "service": "Key Vault", + "severity": "Medium", + "text": "The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets. 
Familiarize yourself with the Key Vault's data replication.", + "waf": "Reliability" }, { - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", - "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "Front Door", - "severity": "Low", - "text": "Disable health probes when there is only one origin in an Azure Front Door origin group.", - "waf": "Performance" + "checklist": "Azure Key Vault", + "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", + "service": "Key Vault", + "severity": "Medium", + "text": "During failover, access policy or firewall configurations and settings can't be changed. The key vault will be in read-only mode during failover. 
Familiarize yourself with the Key Vault's failover guidance.", + "waf": "Reliability" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "Front Door", + "checklist": "Azure Key Vault", + "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", + "service": "Key Vault", "severity": "Medium", - "text": "Select good health probe endpoints for Azure Front Door. Consider building health endpoints that check all of your application's dependencies.", + "text": "When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob can't be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography. 
Familiarize yourself with the Key Vault's backup and restore guidance.", "waf": "Reliability" }, { - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", - "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "Front Door", + "checklist": "Azure Key Vault", + "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "Key Vault", + "severity": "High", + "text": "If you want protection against accidental or malicious deletion of your secrets, configure soft-delete and purge protection features on your key vault.", + "waf": "Reliability" + }, + { + "checklist": "Azure Key Vault", + "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "Key Vault", "severity": "Low", - "text": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application.", - "waf": "Performance" + "text": "Key Vault's soft-deleted resources are retained for a set period of 90 calendar days. 
Familiarize yourself with the Key Vault's soft-delete guidance.", + "waf": "Reliability" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", - "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "Load Balancer", - "severity": "High", - "text": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability", + "checklist": "Azure Key Vault", + "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", + "service": "Key Vault", + "severity": "Low", + "text": "Understand Key Vault's backup limitations. Key Vault does not support the ability to backup more than 500 past versions of a key, secret, or certificate object. Attempting to backup a key, secret, or certificate object may result in an error. It is not possible to delete previous versions of a key, secret, or certificate.", "waf": "Reliability" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", - "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "Front Door", - "severity": "High", - "text": "Use managed TLS certificates with Azure Front Door. 
Reduce operational cost and risk of outages due to certificate renewals.", - "waf": "Operations" + "checklist": "Azure Key Vault", + "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", + "service": "Key Vault", + "severity": "Low", + "text": "Key Vault doesn't currently provide a way to back up an entire key vault in a single operation and keys, secrets and certitificates must be backup indvidually. Familiarize yourself with the Key Vault's backup and restore guidance.", + "waf": "Reliability" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", - "service": "Front Door", + "checklist": "Azure Key Vault", + "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection", + "service": "Key Vault", "severity": "Medium", - "text": "Define your Azure Front Door WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.", - "waf": "Operations" + "text": "Purge protection is recommended when using keys for encryption to prevent data loss. Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. 
It can be turned on via CLI, PowerShell or Portal.", + "waf": "Reliability" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", - "service": "Front Door", + "checklist": "Azure VMware Solution Design Review", + "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", + "service": "AVS", "severity": "High", - "text": "Use end-to-end TLS with Azure Front Door. Use TLS for connections from your clients to Front Door, and from Front Door to your origin.", + "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure", "waf": "Security" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", - "service": "Front Door", + "checklist": "Azure VMware Solution Design Review", + "guid": "75089c20-990d-4927-b105-885576f76fc2", + "service": "AVS", "severity": "Medium", - "text": "Use HTTP to HTTPS redirection with Azure Front Door. Support older clients by redirecting them to an HTTPS request automatically.", + "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure", "waf": "Security" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", - "service": "Front Door", + "checklist": "Azure VMware Solution Design Review", + "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", + "service": "AVS", "severity": "High", - "text": "Enable the Azure Front Door WAF. 
Protect your application from a range of attacks.", + "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'", "waf": "Security" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", - "service": "Front Door", - "severity": "High", - "text": "Tune the Azure Front Door WAF for your workload. Reduce false positive detections.", + "checklist": "Azure VMware Solution Design Review", + "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", + "service": "AVS", + "severity": "Medium", + "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)", "waf": "Security" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "Front Door", - "severity": "High", - "text": "Enable request body inspection feature enabled in Azure Front Door WAF policy.", + "checklist": "Azure VMware Solution Design Review", + "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", + "service": "AVS", + "severity": "Medium", + "text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)", "waf": "Security" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", - "service": "Front Door", + "checklist": "Azure VMware Solution Design Review", + "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", + "service": "AVS", "severity": "High", - "text": "Enable the Azure Front Door WAF default rule 
sets. The default rule sets detect and block common attacks.", + "text": "Ensure that NSX-Manager is integrated with an external Identity provider (LDAPS)", "waf": "Security" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", - "service": "Front Door", - "severity": "High", - "text": "Enable the Azure Front Door WAF bot protection rule set. The bot rules detect good and bad bots.", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", + "service": "AVS", + "severity": "Medium", + "text": "Has an RBAC model been created for use within VMware vSphere", "waf": "Security" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", - "service": "Front Door", + "checklist": "Azure VMware Solution Design Review", + "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", + "service": "AVS", "severity": "Medium", - "text": "Use the latest Azure Front Door WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.", + "text": "RBAC permissions should be granted on ADDS groups and not on specific users", "waf": "Security" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "b9620385-1cde-418f-914b-a84a06982ffc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", - "service": "Front Door", - "severity": "Medium", - "text": "Add rate limiting to the Azure Front Door WAF. 
Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", + "checklist": "Azure VMware Solution Design Review", + "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", + "service": "AVS", + "severity": "High", + "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only", "waf": "Security" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", - "service": "Front Door", - "severity": "Medium", - "text": "Use a high threshold for Azure Front Door WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. ", + "checklist": "Azure VMware Solution Design Review", + "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", + "service": "AVS", + "severity": "High", + "text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations", "waf": "Security" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", - "service": "Front Door", - "severity": "Low", - "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", - "waf": "Security" + "checklist": "Azure VMware Solution Design Review", + "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", + "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", + "service": "AVS", + "severity": "High", + "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand", + 
"waf": "Performance" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "00acd8a9-6975-414f-8491-2be6309893b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", - "service": "Front Door", + "checklist": "Azure VMware Solution Design Review", + "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", + "service": "AVS", + "severity": "High", + "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'", + "waf": "Operations" + }, + { + "checklist": "Azure VMware Solution Design Review", + "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", + "service": "AVS", "severity": "Medium", - "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", - "waf": "Security" + "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection", + "waf": "Operations" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", - "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", - "service": "App Gateway", + "checklist": "Azure VMware Solution Design Review", + "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", + "service": "AVS", + "severity": "Medium", + "text": "Ensure a connection monitor is created from 
an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity", + "waf": "Operations" + }, + { + "checklist": "Azure VMware Solution Design Review", + "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", + "service": "AVS", "severity": "High", - "text": "Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots.", - "waf": "Security" + "text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).", + "waf": "Operations" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "App Gateway", + "checklist": "Azure VMware Solution Design Review", + "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", + "service": "AVS", "severity": "High", - "text": "Enable request body inspection feature enabled in Azure Application Gateway WAF policy.", + "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)", "waf": "Security" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", - "service": "App Gateway", + "checklist": "Azure VMware Solution Design Review", + "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", + "service": "AVS", "severity": "High", - "text": "Tune the Azure Application Gateway WAF for your workload. 
Reduce false positive detections.", + "text": "Privileged Identity Management audit reporting should be implemented for the Azure VMware Solution PIM roles", "waf": "Security" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", - "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "App Gateway", + "checklist": "Azure VMware Solution Design Review", + "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", + "service": "AVS", + "severity": "Medium", + "text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic Host replacement notifications. 
(standing permissions required)", + "waf": "Security" + }, + { + "checklist": "Azure VMware Solution Design Review", + "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", + "service": "AVS", "severity": "High", - "text": "Deploy your WAF policy for Application Gateway in 'Prevention' mode.", + "text": "Limit use of CloudAdmin account to emergency access only", "waf": "Security" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", - "service": "App Gateway", + "checklist": "Azure VMware Solution Design Review", + "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", + "service": "AVS", "severity": "Medium", - "text": "Add rate limiting to the Azure Application Gateway WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", + "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter", "waf": "Security" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", - "service": "App Gateway", + "checklist": "Azure VMware Solution Design Review", + "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", + "service": "AVS", "severity": "Medium", - "text": "Use a high threshold for Azure Application Gateway WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. 
",
+ "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials",
 "waf": "Security"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "99937189-ff78-492a-b9ca-18d828d82b37",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices",
- "service": "App Gateway",
- "severity": "Low",
- "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution",
 "waf": "Security"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "349a15c1-52f4-4319-9078-3895d95ecafd",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules",
- "service": "App Gateway",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Application Gateway WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.",
+ "text": "Is East-West traffic filtering implemented within NSX-T",
+ "waf": "Security"
+ },
+ {
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Workloads on Azure VMware Solution are not directly exposed to the internet. 
Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions",
+ "waf": "Security"
+ },
+ {
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads",
 "waf": "Security"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions",
- "service": "App Gateway",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "29e3eec2-1836-487a-8077-a2b5945bda43",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Use the latest Azure Application Gateway WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.",
+ "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity",
 "waf": "Security"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
- "service": "App Gateway",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "334fdf91-c234-4182-a652-75269440b4be",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Add diagnostic settings to save your Azure Application Gateway WAF logs.",
- "waf": "Operations"
+ "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure",
+ "waf": "Security"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d",
- "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
- "service": "Front Door",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Add diagnostic settings to save your Azure Front Door WAF logs.",
- "waf": "Operations"
+ "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager",
+ "waf": "Security"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "92664c60-47e3-4591-8b1b-8d557656e686",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel",
- "service": "App Gateway",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Send Azure Application Gateway WAF logs to Microsoft Sentinel.",
- "waf": "Operations"
+ "text": "Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution",
+ "waf": "Security"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "845f5f91-9c21-4674-a725-5ce890850e20",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
- "service": "Front Door",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Send Azure Front Door WAF logs to Microsoft Sentinel.",
- "waf": "Operations"
+ "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)",
+ "waf": "Security"
 },
 {
- "checklist": "Azure Application Delivery 
Networking",
- "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code",
- "service": "App Gateway",
- "severity": "Medium",
- "text": "Define your Azure Application Gateway WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.",
- "waf": "Operations"
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). (vSAN encryption at rest is default)",
+ "waf": "Security"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview",
- "service": "App Gateway",
- "severity": "Medium",
- "text": "Use WAF Policies instead of the legacy WAF configuration.",
- "waf": "Operations"
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "a3592718-e6e2-4051-9267-6ae46691e883",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible",
+ "waf": "Security"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88",
- "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway",
- "service": "App Gateway",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "5ac94222-3e13-4810-9230-81a941741583",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Filter inbound traffic in the backends so that they only accept connections from the Application Gateway subnet, for example with NSGs.",
+ "text": "Consider using extended security update support for workloads 
running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)",
 "waf": "Security"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1",
- "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions",
- "service": "Front Door",
- "severity": "Medium",
- "text": "Make sure your origins only take traffic from your Azure Front Door instance.",
- "waf": "Security"
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Ensure that the appropriate vSAN Data redundancy method is used (RAID specification)",
+ "waf": "Reliability"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2",
- "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview",
- "service": "App Gateway",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d88408f3-7273-44c8-96ba-280214590146",
+ "service": "AVS",
 "severity": "High",
- "text": "You should encrypt traffic to the backend servers.",
- "waf": "Security"
+ "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs",
+ "waf": "Reliability"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/overview",
- "service": "App Gateway",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a",
+ "service": "AVS",
 "severity": "High",
- "text": "You should use a Web Application Firewall.",
- "waf": "Security"
+ "text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement",
+ "waf": "Reliability"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": 
"0158fcb6-0bc1-4687-832f-cc7c359c22d2",
- "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview",
- "service": "App Gateway",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Redirect HTTP to HTTPS",
- "waf": "Security"
+ "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.",
+ "waf": "Operations"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f",
- "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request",
- "service": "App Gateway",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Use gateway-managed cookies to direct traffic from a user session to the same server for processing",
+ "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes",
 "waf": "Operations"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35",
- "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings",
- "service": "App Gateway",
- "severity": "High",
- "text": "Enable connection draining during planned service updates to prevent connection loss to existing membrs of the backend pool",
- "waf": "Security"
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used",
+ "waf": "Cost"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": 
"c8741f03-45a4-4183-a6b8-139e0773b8b5",
- "link": "https://learn.microsoft.com/azure/application-gateway/custom-error",
- "service": "App Gateway",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6e043e2a-a359-4271-ae6e-205172676ae4",
+ "service": "AVS",
 "severity": "Low",
- "text": "Create custom error pages to display a personalized user experience",
- "waf": "Operations"
+ "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution",
+ "waf": "Cost"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1",
- "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url",
- "service": "App Gateway",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6691e883-5ac9-4422-83e1-3810523081a9",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Edit HTTP requests and response headers for easier routing and information exchange between the client and server",
+ "text": "Consider the use of Azure Private-Link when using other Azure Native Services",
 "waf": "Security"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1",
- "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
- "service": "App Gateway",
- "severity": "Medium",
- "text": "Configure Front Door to optimize global web traffic routing and top-tier end-user performance, and reliability through quick global failover",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "db611712-6904-40b4-aa3d-3e0803276d4b",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Ensure all required resource reside within the same Azure availability zone(s)",
 "waf": "Performance"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "29dcc19f-a8fa-4c35-8281-290577538793",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
- "service": "App Gateway",
+ 
"checklist": "Azure VMware Solution Design Review",
+ "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Use transport layer load balancing",
- "waf": "Performance"
+ "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads",
+ "waf": "Security"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d",
- "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview",
- "service": "App Gateway",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Configure routing based on host or domain name for multiple web applications on a single gateway",
+ "text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads",
 "waf": "Security"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2",
- "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal",
- "service": "App Gateway",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Enable Diagnostic and metric logging on Azure VMware Solution",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Centralize SSL certificate management to reduce encryption and decryption overhead from a backend server farm",
- "waf": "Security"
+ "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads",
+ "waf": "Operations"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9",
- "link": 
"https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket",
- "service": "App Gateway",
- "severity": "Low",
- "text": "Use Application Gateway for native support for WebSocket and HTTP/2 protocols",
- "waf": "Security"
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "589d457a-927c-4397-9d11-02cad6aae11e",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads",
+ "waf": "Operations"
 },
 {
- "checklist": "PostgreSQL Review Checklist",
- "guid": "65285269-441c-44bf-9d3e-0844276d4bdc",
- "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview",
- "service": "PostgreSQL",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "ee29711b-d352-4caa-ab79-b198dab81932",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Leverage Flexible Server",
- "waf": "Reliability"
+ "text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution",
+ "waf": "Security"
+ },
+ {
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud",
+ "waf": "Security"
 },
 {
- "checklist": "PostgreSQL Review Checklist",
- "guid": "016ccf31-ae5a-41eb-9888-9535e227896d",
- "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview#architecture-and-high-availability",
- "service": "PostgreSQL",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e",
+ "service": "AVS",
 "severity": "High",
- "text": "Leverage Availability Zones where regionally applicable",
- "waf": "Reliability"
+ "text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution deployment",
+ "waf": "Security"
 },
 {
- 
"checklist": "PostgreSQL Review Checklist",
- "guid": "31b67c67-be59-4519-8083-845d587cb391",
- "link": "https://learn.microsoft.com/azure/postgresql/single-server/concepts-business-continuity#cross-region-read-replicas",
- "service": "PostgreSQL",
- "severity": "Medium",
- "text": "Leverage cross-region read replicas for BCDR",
- "waf": "Reliability"
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Are data processing implications (service provider / service consumer model) clear and documented",
+ "waf": "Security"
 },
 {
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "1fc2fc14-eea6-4e69-b8d9-a3edc218e687",
- "link": "https://polite-sea-0995b240f.2.azurestaticapps.net/technical-delivery-playbook/azure-services/analytics/purview/",
- "service": "Purview",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "547c1747-dc56-4068-a714-435cd19dd244",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Leverage FTA Resillency Handbook",
- "waf": "Reliability"
+ "text": "Consider using CMK (Customer Managed Key) for vSAN only if needed for compliance reason(s).",
+ "waf": "Security"
 },
 {
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "ab067acb-49e5-4b96-8332-4ecf8cc13318",
- "link": "https://learn.microsoft.com/purview/disaster-recovery",
- "service": "Purview",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2",
+ "service": "AVS",
 "severity": "High",
- "text": "Plan for Data Center level outage",
- "waf": "Reliability"
+ "text": "Create dashboards to enable core Azure VMware Solution monitoring insights",
+ "waf": "Operations"
 },
 {
- "checklist": "Microsoft Purview Review Checklist",
- "description": "1. Create the new account 2. Migrate configuration items 3. Run scans 4. Migrate custom typedefs and custom assets 5. Migrate relationships 6. Migrate glossary terms 7. 
Assign classifications to assets 8. Assign contacts to assets",
- "guid": "da611702-69f4-4fb4-aa3d-3ef7f3176c4b",
- "link": "https://learn.microsoft.com/purview/disaster-recovery",
- "service": "Purview",
- "severity": "Medium",
- "text": "Practice Failover for BCDR",
- "waf": "Reliability"
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)",
+ "waf": "Operations"
 },
 {
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "97b15b8a-219a-44ab-bb57-879024d22678",
- "link": "https://learn.microsoft.com/purview/disaster-recovery",
- "service": "Purview",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9659e396-80e7-4828-ac93-5657d02bff45",
+ "service": "AVS",
 "severity": "High",
- "text": "Plan a backup strategy and take regular backups",
- "waf": "Reliability"
+ "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware",
+ "waf": "Operations"
 },
 {
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "6d20b56c-56a9-4581-89bf-8d8e5c586b7d",
- "link": "https://learn.microsoft.com/purview/manage-kafka-dotnet",
- "service": "Purview",
- "severity": "Low",
- "text": "Use Microsoft Purview's Event Hubs to subscribe and create entities to another account",
- "waf": "Reliability"
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "64b0d934-a348-4726-be79-d6b5c3a36495",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Ensure alerts are configured for Azure Service Health alerts and notifications",
+ "waf": "Operations"
 },
 {
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "8cdc15ac-c075-4ee9-a130-a8889579e76b",
- "link": "https://learn.microsoft.com/purview/deployment-best-practices",
- 
"service": "Purview",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "b6abad38-aad5-43cc-99e1-d86667357c54",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Follow Purview accounts architectures and deployment best practices",
- "waf": "Reliability"
+ "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing",
+ "waf": "Operations"
 },
 {
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "896e710a-7da7-4be9-a56d-14d3c49d997c",
- "link": "https://learn.microsoft.com/purview/concept-best-practices-collections",
- "service": "Purview",
- "severity": "Medium",
- "text": "Follow Collection Architectures and best practices",
- "waf": "Reliability"
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?",
+ "waf": "Operations"
 },
 {
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "b3d1325a-a225-4c6f-9e06-85edddea8a4b",
- "link": "https://learn.microsoft.com/purview/concept-best-practices-asset-lifecycle",
- "service": "Purview",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Follow Assest lifecycle best practices",
- "waf": "Reliability"
+ "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource",
+ "waf": "Operations"
 },
 {
- "checklist": "Microsoft Purview Review Checklist",
- "guid": 
"7cdeb3c6-1fc2-4fc1-9eea-6e69d8d9a3ed",
- "link": "https://learn.microsoft.com/purview/concept-best-practices-automation",
- "service": "Purview",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Follow automation best practices",
- "waf": "Reliability"
+ "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. Either in Azure native or on a disk pool-backed datastore",
+ "waf": "Operations"
 },
 {
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "c218e687-ab06-47ac-a49e-5b9603324ecf",
- "link": "https://learn.microsoft.com/purview/disaster-recovery",
- "service": "Purview",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "2aee3453-aec8-4339-848b-262d6cc5f512",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Follow Backup and Migration Best practices",
- "waf": "Reliability"
+ "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)",
+ "waf": "Operations"
 },
 {
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "8cc13318-da61-4170-869f-4fb4aa3d3ef7",
- "link": "https://learn.microsoft.com/purview/concept-best-practices-glossary",
- "service": "Purview",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Follow Purview Glossary Best Practices",
- "waf": "Reliability"
+ "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor",
+ "waf": "Operations"
 },
 {
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "f3176c4b-97b1-45b8-a219-a4abeb578790",
- "link": "https://learn.microsoft.com/purview/concept-workflow",
- "service": "Purview",
- "severity": "Low",
- "text": "Leverage Workflows ",
- "waf": "Reliability"
+ 
"checklist": "Azure VMware Solution Design Review",
+ "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management",
+ "waf": "Operations"
 },
 {
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "24d22678-6d20-4b56-a56a-958119bf8d8e",
- "link": "https://learn.microsoft.com/purview/concept-best-practices-security",
- "service": "Purview",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Follow Purview Security Best Practices",
- "waf": "Reliability"
+ "text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions",
+ "waf": "Operations"
 },
 {
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "5c586b7d-8cdc-415a-ac07-5ee9b130a888",
- "link": "https://learn.microsoft.com/purview/concept-best-practices-lineage-azure-data-factory",
- "service": "Purview",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Follow Purview Data Lineage Best Practices",
- "waf": "Reliability"
+ "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud",
+ "waf": "Security"
 },
 {
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "9579e76b-896e-4710-a7da-7be9956d14d3",
- "link": "https://learn.microsoft.com/purview/concept-best-practices-scanning",
- "service": "Purview",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Follow Best Practices for Scanning Registered Sources",
+ "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource",
 "waf": "Reliability"
 },
 {
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "c49d997c-b3d1-4325-aa22-5c6f4e0685ed",
- "link": "https://learn.microsoft.com/purview/concept-best-practices-classification",
- "service": "Purview",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Follow Classification Best Practices in Governance Portal",
+ "text": "Have all DR solutions been considered and a solution that is best for your business been decided upon? [SRM/JetStream/Zerto/Veeam/...]",
 "waf": "Reliability"
 },
 {
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "ddea8a4b-7cde-4b3c-91fc-2fc14eea6e69",
- "link": "https://learn.microsoft.com/purview/sensitivity-labels-frequently-asked-questions",
- "service": "Purview",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Perform Sensitivity Labelling in the Purview Data Map",
+ "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS",
 "waf": "Reliability"
 },
 {
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "d8d9a3ed-c218-4e68-9ab0-67acb49e5b96",
- "link": "https://learn.microsoft.com/purview/concept-data-share",
- "service": "Purview",
- "severity": "Low",
- "text": "Leverage Azure Storage in-place data sharing with Microsoft Purview",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible",
 "waf": "Reliability"
 },
 {
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "03324ecf-8cc1-4331-ada6-1170269f4fb4",
- "link": "https://learn.microsoft.com/purview/concept-insights",
- "service": "Purview",
- "severity": "Low",
- "text": "Leverage Data 
Estate Insights",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "8255461e-2aee-4345-9aec-8339248b262d",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Use the geopolitical region pair as the secondary disaster recovery environment",
 "waf": "Reliability"
 },
 {
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "aa3d3ef7-f317-46c4-a97b-15b8a219a4ab",
- "link": "https://learn.microsoft.com/purview/catalog-adoption-insights",
- "service": "Purview",
- "severity": "Low",
- "text": "Use Data stewardship and Catalog adoption",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions",
 "waf": "Reliability"
 },
 {
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "eb578790-24d2-4267-a6d2-0b56c56a9581",
- "link": "https://learn.microsoft.com/purview/concept-insights",
- "service": "Purview",
- "severity": "Low",
- "text": "Use Inventory and Ownership",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?",
 "waf": "Reliability"
 },
 {
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "19bf8d8e-5c58-46b7-b8cd-c15acc075ee9",
- "link": "https://learn.microsoft.com/purview/glossary-insights",
- "service": "Purview",
- "severity": "Low",
- "text": "Leverage Insights for Glossary, Classifications, Sensitivity Labels",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Have all Backup solutions been considered and a 
solution that is best for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/�. ]",
 "waf": "Reliability"
 },
 {
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "b130a888-9579-4e76-a896-e710a7da7be9",
- "link": "https://learn.microsoft.com/purview/compliance-manager",
- "service": "Purview",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Generate assessment scores",
+ "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud",
 "waf": "Reliability"
 },
 {
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "956d14d3-c49d-4997-ab3d-1325aa225c6f",
- "link": "https://learn.microsoft.com/purview/compliance-manager-scoring",
- "service": "Purview",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Profiling- get summaries of data content",
+ "text": "Deploy your backup solution outside of vSan, on Azure native components",
 "waf": "Reliability"
 },
 {
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "4e0685ed-ddea-48a4-a7cd-eb3c61fc2fc1",
- "link": "https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts",
- "service": "Purview",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e",
+ "service": "AVS",
 "severity": "Low",
- "text": "Follow Microsoft Purview Data Owner access policies",
+ "text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?",
 "waf": "Reliability"
 },
 {
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "4eea6e69-d8d9-4a3e-bc21-8e687ab067ac",
- "link": "https://learn.microsoft.com/purview/concept-self-service-data-access-policy",
- "service": "Purview",
+ "checklist": "Azure VMware Solution Design 
Review", + "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", + "service": "AVS", "severity": "Low", - "text": "Follow Self-service access policies", - "waf": "Reliability" + "text": "For manual deployments, all configuration and deployments must be documented", + "waf": "Operations" }, { - "checklist": "Microsoft Purview Review Checklist", - "guid": "b49e5b96-0332-44ec-b8cc-13318da61170", - "link": "https://learn.microsoft.com/purview/concept-policies-devops", - "service": "Purview", + "checklist": "Azure VMware Solution Design Review", + "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", + "service": "AVS", "severity": "Low", - "text": "Follow DevOps policies", - "waf": "Reliability" + "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud", + "waf": "Operations" }, { - "checklist": "Redis Resiliency checklist", - "guid": "65285269-440b-44be-9d3e-0844276d4bdc", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", - "service": "Redis", - "severity": "High", - "text": "Enable zone redundancy for Azure Cache for Redis. Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. 
It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.", - "waf": "Reliability" + "checklist": "Azure VMware Solution Design Review", + "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", + "service": "AVS", + "severity": "Low", + "text": "For automated deployments, deploy a minimal private cloud and scale as needed", + "waf": "Operations" }, { - "checklist": "Redis Resiliency checklist", - "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", - "service": "Redis", - "severity": "Medium", - "text": "Configure data persistence for an Azure Cache for Redis instance. Because your cache data is stored in memory, a rare and unplanned failure of multiple nodes can cause all the data to be dropped. To avoid losing data completely, Redis persistence allows you to take periodic snapshots of in-memory data, and store it to your storage account.", - "waf": "Reliability" + "checklist": "Azure VMware Solution Design Review", + "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", + "service": "AVS", + "severity": "Low", + "text": "For automated deployments, request or reserve quota prior to starting the deployment", + "waf": "Operations" }, { - "checklist": "Redis Resiliency checklist", - "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", - "service": "Redis", - "severity": "Medium", - "text": "Use Geo-redundant storage account to persist Azure Cache for Redis data, or zonally redundant where geo-redundancy is not available", - "waf": "Reliability" + "checklist": "Azure VMware Solution Design Review", + "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", + "service": "AVS", + "severity": "Low", + "text": "For automated deployment, ensure that relevant resource locks are created through the 
automation or through Azure Policy for proper governance", + "waf": "Operations" }, { - "checklist": "Redis Resiliency checklist", - "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", - "service": "Redis", - "severity": "Medium", - "text": "Configure passive geo-replication for Premium Azure Cache for Redis instances. Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for cross-region disaster recovery. Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.", - "waf": "Reliability" + "checklist": "Azure VMware Solution Design Review", + "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", + "service": "AVS", + "severity": "Low", + "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use", + "waf": "Operations" }, { - "checklist": "Resiliency Review", - "description": "Automatic instance repairs ensure that unhealthy instances are promptly identified and replaced, maintaining a set of healthy instances within your scale set.", - "guid": "7e13c105-675c-41e9-95b4-59837ff7ae7c", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs", - "service": "VMSS", + "checklist": "Azure VMware Solution Design Review", + "guid": "255461e2-aee3-4553-afc8-339248b262d6", + "service": "AVS", "severity": "Low", - "text": "Enable automatic instance repairs for enhanced VM Scale Sets resiliency", - "waf": "Reliability" + "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute", + "waf": "Operations" }, { - "checklist": 
"Resiliency Review", - "description": "Ensure that Azure Backup is utilized appropriately to meet your organization's resiliency requirements for Azure virtual machines (VMs).", - "guid": "4d874a74-8b66-42d6-b150-512a66498f6d", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction", - "service": "VM", - "severity": "High", - "text": "Consider Azure Backup to meet your resiliency requirements for Azure VMs", - "waf": "Reliability" + "checklist": "Azure VMware Solution Design Review", + "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", + "service": "AVS", + "severity": "Low", + "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.", + "waf": "Operations" }, { - "checklist": "Resiliency Review", - "description": "Single Instance VMs using Premium SSD or Ultra Disk for all Operating System Disks and Data Disks are guaranteed to have Virtual Machine Connectivity of at least 99.9%", - "guid": "8052d88e-79d1-47b7-9b22-a5a67e7a8ed4", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "VM", - "severity": "High", - "text": "Use Premium or Ultra disks for production VMs", - "waf": "Reliability" + "checklist": "Azure VMware Solution Design Review", + "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", + "service": "AVS", + "severity": "Low", + "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs", + "waf": "Operations" }, { - "checklist": "Resiliency Review", - "description": "Azure automatically replicates managed disks within a region to ensure data durability and protect against single-point failures.", - "guid": "b31e38c3-f298-412b-8363-cffe179b599d", - "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview", - "service": "VM", - 
"severity": "High", - "text": "Ensure Managed Disks are used for all VMs", - "waf": "Reliability" + "checklist": "Azure VMware Solution Design Review", + "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", + "service": "AVS", + "severity": "Medium", + "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution", + "waf": "Performance" }, { - "checklist": "Resiliency Review", - "description": "Temporary disks are intended for short-term storage of non-persistent data such as page files, swap files, or SQL Server tempdb. Storing persistent data on temporary disks can lead to data loss during maintenance events or VM redeployment.", - "guid": "e0d5973c-d4ce-432c-8881-37f6f7c4c0d4", - "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk", - "service": "VM", + "checklist": "Azure VMware Solution Design Review", + "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", + "service": "AVS", "severity": "Medium", - "text": "Do not use the Temp disk for anything that is not acceptable to be lost", - "waf": "Reliability" + "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action", + "waf": "Performance" }, { - "checklist": "Resiliency Review", - "description": "Co-locate your compute, storage, networking, and data resources across an availability zone, and replicate this arrangement in other availability zones.", - "guid": "e514548d-2447-4ec6-9138-b8200f1ce16e", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "VM", + "checklist": "Azure VMware Solution Design Review", + "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", + "service": "AVS", "severity": "Medium", - "text": "Leverage Availability Zones for your VMs in regions where they are supported", - "waf": "Reliability" + "text": "Scaling operations always need 
to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)", + "waf": "Performance" }, { - "checklist": "Resiliency Review", - "description": "Use at least two VMs in Availability Sets to isolate VMs on different fault and update domains.", - "guid": "5a785d6f-e96c-496a-b884-4cf3b2b38c88", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "VM", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", + "service": "AVS", "severity": "Medium", - "text": "For regions that do not support Availability Zones deploy VMs into Availability Sets", + "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", + "waf": "Performance" + }, + { + "checklist": "Azure VMware Solution Design Review", + "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", + "service": "AVS", + "severity": "Medium", + "text": "Define and enforce scale in/out maximum limits for your environment in the automations", + "waf": "Performance" + }, + { + "checklist": "Azure VMware Solution Design Review", + "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", + "service": "AVS", + "severity": "Medium", + "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses", + "waf": "Operations" + }, + { + "checklist": "Azure VMware Solution Design Review", + "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", + "severity": "High", + "text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", 
"waf": "Reliability" }, { - "checklist": "Resiliency Review", - "description": "Azure provides multiple options for VM redundancy to meet different requirements (Availability Zones, Virtual Machine Scale Sets, Availability Sets, Azure Site Recovery)", - "guid": "6ba2c021-4991-414a-9d3c-e574dccbd979", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "VM", + "checklist": "Azure VMware Solution Design Review", + "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", "severity": "High", - "text": "Avoid running a production workload on a single VM", + "text": "When using MON, you cannot enable MON on more than 100 Network extensions", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "Reliability" }, { - "checklist": "Resiliency Review", - "description": "Azure Site Recovery enables you to achieve low RTO (Recovery Time Objective) for your Azure and hybrid VMs by providing continuous replication and failover capabilities.", - "guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", - "severity": "High", - "text": "For Azure and on-premises VMs (Hyper-V/Phyiscal/VMware) with low RTO requirements use Azure Site Recovery", - "waf": "Reliability" + "checklist": "Azure VMware Solution Design Review", + "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", + "service": "AVS", + "severity": "Medium", + "text": "If using a VPN connection for migrations, adjust your MTU size accordingly.", + "waf": "Performance" + }, + { + "checklist": "Azure VMware Solution Design Review", + "guid": "e614658d-d457-4e92-9139-b821102cad6e", + "service": "AVS", + "severity": "Medium", + "text": "For low connectivity regions connecting into Azure (500Mbps or less), considering 
deploying the HCX WAN optimization appliance", + "waf": "Performance" }, { - "checklist": "Resiliency Review", - "description": "By using Capacity Reservations, you can effectively manage capacity for critical workloads, ensuring resource availability in specified regions.", - "guid": "bd7bb012-f7b9-45e0-9e15-8e3ea3992c2d", - "link": "https://learn.microsoft.com/azure/virtual-machines/capacity-reservation-overview", - "service": "VM", - "severity": "Low", - "text": "Use Capacity Reservations for critical workloads that require guaranteed capacity", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", + "service": "AVS", + "severity": "Medium", + "text": "Ensure that migrations are started from the on-premises appliance and NOT from the Cloud appliance (do NOT perform a reverse migration)", "waf": "Reliability" }, { - "checklist": "Resiliency Review", - "description": "By ensuring that the necessary quotas are increased in your DR region before testing failover with ASR, you can avoid any potential resource constraints during the recovery process for failed over VMs.", - "guid": "e6e2065b-3a76-4af4-a691-e8939ada4666", - "link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests", - "service": "VM", + "checklist": "Azure VMware Solution Design Review", + "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "AVS", "severity": "Medium", - "text": "Increase quotas in DR region before testing failover with ASR", + "text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.", "waf": "Reliability" }, { - "checklist": "Resiliency Review", - "description": "Scheduled Events is an Azure Metadata Service that provides information about upcoming maintenance events for virtual machines (VMs). 
By leveraging Scheduled Events, you can proactively prepare your applications for VM maintenance, minimizing disruption and improving the availability of your VMs.", - "guid": "6d3b475a-5c7a-4cbe-99bb-e64dd8902e87", - "link": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events", - "service": "VM", - "severity": "Low", - "text": "Utilize Scheduled Events to prepare for VM maintenance", + "checklist": "Azure VMware Solution Design Review", + "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "AVS", + "severity": "Medium", + "text": "Ensure that a dedicated ExpressRoute Gateway is being used for external data storage solutions", "waf": "Reliability" }, { - "checklist": "Resiliency Review", - "description": "Use Zone-redundant Storage (ZRS) in the primary region for scenarios that require high availability and for restricting replication to a particular country or region. 
For protection against regional disasters, use Geo-zone-redundant Storage (GZRS), which combines ZRS in the primary region with geo-replication to a secondary region?.", - "guid": "48c7c891-dcb1-4f7d-9769-ae568ba38d4a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Azure Storage", + "checklist": "Azure VMware Solution Design Review", + "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "AVS", "severity": "Medium", - "text": "Choose the most appropriate data redundancy option for Azure Storage based on your requirements", + "text": "Ensure that FastPath is enabled on the ExpressRoute Gateway that is being used for external data storage solutions", "waf": "Reliability" }, { - "checklist": "Resiliency Review", - "description": "Assigning a Delete lock to your storage account helps protect the availability of your data, minimizing the risk of disruptions to your business operations.", - "guid": "85e2213d-bd7b-4b01-8f7b-95e06e158e3e", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", - "severity": "Low", - "text": "Apply a Delete lock to prevent accidental or malicious deletion of storage accounts", + "checklist": "Azure VMware Solution Design Review", + "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "AVS", + "severity": "High", + "text": "If using stretched cluster, ensure that your selected Disaster Recovery solution is supported by the vendor", "waf": "Reliability" }, { - "checklist": "Resiliency Review", - "description": "Container soft delete protects your data from being accidentally deleted by maintaining the deleted data in the system for a specified period of 
time.", - "guid": "a3992c2d-e6e2-4065-a3a7-6af4a691e893", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", - "severity": "Low", - "text": "Enable soft delete for Storage Account Containers", + "checklist": "Azure VMware Solution Design Review", + "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "AVS", + "severity": "High", + "text": "If using stretched cluster, ensure that the SLA provided will meet your requirements", "waf": "Reliability" }, { - "checklist": "Resiliency Review", - "description": "Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time.", - "guid": "9ada4666-7e13-4c10-96b9-153d89f89dc7", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", - "severity": "Low", - "text": "Enable soft delete for blobs", + "checklist": "Azure VMware Solution Design Review", + "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "AVS", + "severity": "High", + "text": "If using stretched cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.", "waf": "Reliability" }, { - "checklist": "Resiliency Review", - "description": "Azure Backup enhanced soft delete provides critical protection against ransomware attacks by retaining deleted backups, enabling recovery from potential ransomware encryption or deletion.", - "guid": "b44be3b1-a27f-48b9-b91b-e1038df03a82", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about", - "service": "Azure Backup", - "severity": "Medium", - "text": "Enable Azure Backup enhanced soft 
delete for improved data protection and recovery", + "checklist": "Azure VMware Solution Design Review", + "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "AVS", + "severity": "High", + "text": "If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.", "waf": "Reliability" }, { - "checklist": "Resiliency Review", - "description": "Azure Backup's multi-user authorization enables fine-grained control over user access to backup resources, allowing you to restrict privileges and ensure proper authentication and authorization for backup operations.", - "guid": "2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae", - "link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept", - "service": "Azure Backup", - "severity": "Low", - "text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources", + "checklist": "Azure VMware Solution Design Review", + "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "AVS", + "severity": "High", + "text": "Have site disaster tolerance settings been properly considered and changed for your business if needed.", "waf": "Reliability" }, { - "checklist": "Resiliency Review", - "description": "Azure Immutable Storage provides an additional layer of security by ensuring that backup data stored in the vault cannot be modified or deleted for a specified retention period. 
This helps safeguard your backups from ransomware attacks that may attempt to compromise or manipulate your backup data.", - "guid": "2cc88147-0607-4c1c-aa0e-614658dd458e", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault", - "service": "Azure Backup", - "severity": "Low", - "text": "Implement Immutable Storage for your vaults to protect against ransomware and prevent unauthorized modifications to backups", + "checklist": "Device Provisioning Service Review", + "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", + "service": "IoT Hub DPS", + "severity": "High", + "text": "Select the right Logic App hosting plan based on your business & SLO requirements", "waf": "Reliability" }, { - "checklist": "Resiliency Review", - "description": "To eliminate a single point of failure in your on-premises DNS services and ensure reliable DNS resolution during business continuity and disaster recovery scenarios, it is recommended to utilize Azure DNS Private Resolvers in multiple regions. 
By deploying two or more Azure DNS private resolvers across different regions, you can enable DNS failover and achieve resiliency in your DNS infrastructure.", - "guid": "43da1dae-2cc8-4814-9060-7c1cca0e6146", - "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover", - "service": "DNS", - "severity": "Low", - "text": "Implement DNS Failover using Azure DNS Private Resolvers", + "checklist": "Device Provisioning Service Review", + "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "IoT Hub DPS", + "severity": "High", + "text": "Protect logic apps from region failures with zone redundancy and availability zones", "waf": "Reliability" }, { - "checklist": "Resiliency Review", - "description": "Use an on-premises data gateway cluster to avoid single points of failure and to load balance traffic across gateways.", - "guid": "89f89dc7-b44b-4e3b-8a27-f8b9e91be103", - "link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters", - "service": "Data Gateways", - "severity": "Medium", - "text": "Use on-premises data gateway clusters to ensure high availability for business-critical data", + "checklist": "Device Provisioning Service Review", + "guid": "8aed4fbf-0830-4883-899d-222a154af478", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "IoT Hub DPS", + "severity": "High", + "text": "Consider a Cross-Region DR strategy for critical workloads", "waf": "Reliability" }, { - "checklist": "Resiliency Review", - "description": "When choosing the best option for deploying NVAs in Azure, it is crucial to consider the vendor's recommendations and validate that the specific design has been vetted and validated 
by the NVA vendor. The vendor should also provide the necessary NVA configuration for seamless integration in Azure.", - "guid": "8b1188b3-c6a4-46ce-a544-451e192d3442", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", + "checklist": "Device Provisioning Service Review", + "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "IoT Hub DPS", "severity": "High", - "text": "Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration for High Availability", + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", - "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", - "service": "SAP", + "checklist": "Device Provisioning Service Review", + "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "IoT Hub DPS", "severity": "Medium", - "text": "Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP a top-level workload on Azure. ACSS is an end-to-end solution that enables you to create and run SAP systems as a unified workload on Azure and provides a more seamless foundation for innovation. 
You can take advantage of the management capabilities for both new and existing Azure-based SAP systems.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", + "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", - "service": "SAP", + "checklist": "CosmosDB Review Checklist", + "guid": "43e52f47-22d9-428c-8b1c-d521e54a29a9", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foundations-playbooks-CosmosDB_v1.docx", + "service": "CosmosDB", "severity": "Medium", - "text": "Azure supports automating SAP deployments in Linux and Windows. SAP Deployment Automation Framework is an open-source orchestration tool that can deploy, install, and maintain SAP environments.", - "training": "https://github.com/Azure/sap-automation", - "waf": "Operations" + "text": "FTA Resiliency Playbook", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", - "service": "SAP", - "severity": "Medium", - "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally", + "checklist": "CosmosDB Review Checklist", + "guid": "de39ac0e-7c28-4dc9-9565-7202bff4564b", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", + "service": "CosmosDB", + "severity": "High", + "text": "Leverage Availablity Zones where regionally applicable and ofcourse if the service offers it", "waf": 
"Reliability" }, { - "checklist": "SAP Checklist", - "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", - "service": "SAP", + "checklist": "CosmosDB Review Checklist", + "guid": "0d934a34-8b26-43e7-bd60-513a3649906e", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#replica-outages", + "service": "CosmosDB", "severity": "Medium", - "text": "Test the backup and recovery times to verify that they meet your RTO requirements for restoring all systems simultaneously after a disaster.", + "text": "Run multiple replicas of the database (>1 ) in Prod", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "b651423c-8552-42db-a545-5cb50c05527a", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "SAP", - "severity": "High", - "text": "You can replicate standard storage between paired regions, but you can't use standard storage to store your databases or virtual hard disks. You can replicate backups only between paired regions that you use. For all your other data, run your replication by using native DBMS features like SQL Server Always On or SAP HANA System Replication. 
Use a combination of Site Recovery, rsync or robocopy, and other third-party software for the SAP application layer.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "checklist": "CosmosDB Review Checklist", + "description": "Multi-region writes capability allows you to take advantage of the provisioned throughput for your databases and containers across the globe", + "guid": "bad38ead-53cc-47de-8d8a-aab3571449ab", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions", + "service": "CosmosDB", + "severity": "Medium", + "text": "Leverage Multi-Region Writes", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", + "checklist": "CosmosDB Review Checklist", + "description": "Span Cosmos account across two or more regions with multi-region writes", + "guid": "8153d89f-89dc-47b3-9be2-b1a27f7b9e91", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", + "service": "CosmosDB", "severity": "Medium", - "text": "When using Azure Availability Zones to achieve high availability, you must consider latency between SAP application servers and database servers. 
For zones with high latencies, operational procedures need to be in place to ensure that SAP application servers and database servers are running in the same zone at all times.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "text": "Distribute your data globally", "waf": "Reliability" - }, - { - "checklist": "SAP Checklist", - "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "SAP", + }, + { + "checklist": "CosmosDB Review Checklist", + "description": "Choose from various consistency levels such as Eventual, Consistent Prefix, Session, Bounded Staleness and strong", + "guid": "9f8ea848-25ec-4140-bc32-2758e6ee9ac0", + "link": "https://learn.microsoft.com/azure/cosmos-db/consistency-levels", + "service": "CosmosDB", "severity": "High", - "text": "Set up ExpressRoute connections from on-premises to the primary and secondary Azure disaster recovery regions. Also, as an alternative to using ExpressRoute, consider setting up VPN connections from on-premises to the primary and secondary Azure disaster recovery regions.", - "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", + "text": "Choose from several well-defined consistency models", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "SAP", - "severity": "Low", - "text": "Replicate key vault contents like certificates, secrets, or keys across regions so you can decrypt data in the DR region.", + "checklist": "CosmosDB Review Checklist", + "description": "Maintain business continuity during regional outages. 
Azure Cosmos DB supports service-managed failover during a regional outage. During a regional outage, Azure Cosmos DB continues to maintain its latency, availability, consistency, and throughput SLAs. To help make sure that your entire application is highly available, Azure Cosmos DB offers a manual failover API to simulate a regional outage. By using this API, you can carry out regular business continuity drills.", + "guid": "a47e4d1e-bb79-43f9-bf87-69e1032b72fe", + "link": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover", + "service": "CosmosDB", + "severity": "Medium", + "text": "Enable Service managed failover", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", - "service": "SAP", + "checklist": "CosmosDB Review Checklist", + "description": "Azure Cosmos DB automatically takes backups of your data at regular intervals. The automatic backups are taken without affecting the performance or availability of the database operations. All the backups are stored separately in a storage service.", + "guid": "3499c9c1-133d-42f7-a4b1-a5bd06ff1a90", + "link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore", + "service": "CosmosDB", "severity": "Medium", - "text": "Peer the primary and disaster recovery virtual networks. 
For example, for HANA System Replication, an SAP HANA DB virtual network needs to be peered to the disaster recovery site's SAP HANA DB virtual network.", + "text": "Enable Automatic Backups", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", - "service": "SAP", - "severity": "Low", - "text": "If you use Azure NetApp Files storage for your SAP deployments, at a minimum, create two Azure NetApp Files accounts in the Premium tier, in two regions.", - "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", + "checklist": "CosmosDB Review Checklist", + "description": "This mode is the default backup mode for all existing accounts. In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. 
The minimum backup interval can be one hour.", + "guid": "a6eb33f6-005c-4d92-9286-7655672d6121", + "link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction", + "service": "CosmosDB", + "severity": "Medium", + "text": "Perform Periodic Backups", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", - "severity": "High", - "text": "Native database replication technology should be used to synchronize the database in a HA pair.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", + "checklist": "CosmosDB Review Checklist", + "description": "Continous 7 day retention and 30 day retention backups. Azure Cosmos DB performs data backup in the background without consuming any extra provisioned throughput (RUs) or affecting the performance and availability of your database. 
Continuous backups are taken in every region where the account exists.", + "guid": "d43918a8-cd28-49be-b6b1-7cb8245461e1", + "link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction", + "service": "CosmosDB", + "severity": "Medium", + "text": "Continous Backup with point-in-time restore in Azure Cosmos DB", + "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", - "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", - "service": "SAP", - "severity": "High", - "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's VNet", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "checklist": "Azure Data Explorer Review Checklist", + "description": "Using the correct approach to feed a datalake with cold data and having the Kusto query engine at your disposal at the same time, as in the short-term storage", + "guid": "ba7da7be-9951-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export", + "service": "Azure Data Explorer", + "text": "Leverage External Tables and Continuous data export overview to reduce costs", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", - "service": "SAP", - "severity": "High", - "text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. 
When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "checklist": "Azure Data Explorer Review Checklist", + "description": "Azure Data Explorer provides an optional follower capability for a leader cluster to be followed by other follower clusters for read-only access to the leader's data and metadata. Changes in the leader, such as create, append, and drop are automatically synchronized to the follower. While the leaders could span Azure regions, the follower clusters should be hosted in the same region(s) as the leader. If the leader cluster is down or databases or tables are accidentally dropped, the follower clusters will lose access until access is recovered in the leader.", + "guid": "56a22586-f490-4641-addd-ea8a377cdeb3", + "link": "https://learn.microsoft.com/azure/data-explorer/follower?tabs=csharp", + "service": "Azure Data Explorer", + "text": "To share data, explore Leader-follower cluster configuration", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", - "severity": "High", - "text": "Consider the availability of SAP software against single points of failure. This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. 
Also, other tools such as SAP Web Dispatcher.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", + "checklist": "Azure Data Explorer Review Checklist", + "description": "Azure Data Explorer doesn't support automatic protection against the outage of an entire Azure region. This disruption can happen during a natural disaster, like an earthquake. If you require a solution for a disaster recovery situation, do the following steps to ensure business continuity. In these steps, you'll replicate your clusters, management, and data ingestion in two Azure paired regions.", + "guid": "861bb2bc-14ae-4a6e-95d8-d9a3adc218e6", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters", + "service": "Azure Data Explorer", + "text": "To protect against regional failure, create Multiple independent clusters, preferably in two Azure Paired regions", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", - "service": "SAP", - "severity": "High", - "text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. 
In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "checklist": "Azure Data Explorer Review Checklist", + "guid": "436b0635-cb45-4e57-a603-324ace8cc123", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities", + "service": "Azure Data Explorer", + "text": "Replicate all management activities such as creating new tables or managing user roles on each cluster.", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", - "severity": "High", - "text": "Azure doesn't support architectures in which the primary and secondary VMs share storage for DBMS data. For the DBMS layer, the common architecture pattern is to replicate databases at the same time and with different storage stacks than the ones that the primary and secondary VMs use.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", + "checklist": "Azure Data Explorer Review Checklist", + "guid": "18ca6017-0265-4f4b-a46a-393af7f31728", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution", + "service": "Azure Data Explorer", + "text": "Ingest data into each cluster in parallel", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", - "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", - "service": "SAP", - "severity": "High", - "text": "The 
DBMS data and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", + "checklist": "Azure Data Explorer Review Checklist", + "description": "This configuration is also called 'always-on'. For critical application deployments with no tolerance for outages, you should use multiple Azure Data Explorer clusters across Azure paired regions.", + "guid": "58a9c279-9c42-4bb6-9d0c-65556246b338", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration", + "service": "Azure Data Explorer", + "text": "For critical application with no tolerance for outages, create Active-Active-Active (always-on) configuration", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", - "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", - "service": "SAP", - "severity": "High", - "text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific high-availability scenarios. Set up your failover clusters separately for SAP application layer components and the DBMS layer. Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "checklist": "Azure Data Explorer Review Checklist", + "description": "This configuration is identical to the active-active-active configuration, but only involves two Azure paired regions. Configure dual ingestion, processing, and curation. 
Users are routed to the nearest region. The cluster SKU must be the same across regions.", + "guid": "563a4dc7-4a74-48b6-922a-d190916a6649", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration", + "service": "Azure Data Explorer", + "text": "For critical applications, create Active-Active configuration in two paired regions", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", - "service": "SAP", - "severity": "High", - "text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer should handle the virtual IP address for all other cases. One design principle is to use one load balancer per cluster configuration. We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "checklist": "Azure Data Explorer Review Checklist", + "description": "The Active-Hot configuration is similar to the Active-Active configuration in dual ingest, processing, and curation. While the standby cluster is online for ingestion, process, and curation, it isn't available to query. The standby cluster doesn't need to be in the same SKU as the primary cluster. It can be of a smaller SKU and scale, which may result in it being less performant. 
In a disaster scenario, users are redirected to the standby cluster, which can optionally be scaled up to increase performance.", + "guid": "8fadfe27-7de2-483b-8ac3-52baa9b75708", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-hot-standby-configuration", + "service": "Azure Data Explorer", + "text": "For applications, which required only read during failure, create Active-Hot standby configuration", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", - "service": "SAP", - "severity": "High", - "text": "Make sure the Floating IP is enabled on the Load balancer", - "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "checklist": "Azure Data Explorer Review Checklist", + "description": "This solution offers the least resiliency (highest RPO and RTO), is the lowest in cost and highest in effort. In this configuration, there's no data recovery cluster. Configure continuous export of curated data (unless raw and intermediate data is also required) to a storage account that is configured GRS (Geo Redundant Storage). A data recovery cluster is spun up if there is a disaster recovery scenario. At that time, DDLs, configuration, policies, and processes are applied. 
Data is ingested from storage with the ingestion property kustoCreationTime to over-ride the ingestion time that defaults to system time.", + "guid": "49aa8092-dc8e-4b9d-8bb7-3b26a5a67eba", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration", + "service": "Azure Data Explorer", + "text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "SAP", - "severity": "High", - "text": "Before you deploy your high-availability infrastructure, and depending on the region you choose, determine whether to deploy with an Azure availability set or an availability zone.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "checklist": "Azure Data Explorer Review Checklist", + "description": "All database objects, policies, and configurations should be persisted in source control so they can be released to the cluster from your release automation tool.", + "guid": "5a907e1e-348e-4f25-9c27-d32e8bbac757", + "link": "https://learn.microsoft.com/azure/data-explorer/devops", + "service": "Azure Data Explorer", + "text": "Wrap DevOps and source control around all your code", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "SAP", - "severity": "High", - "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and 
databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.", + "checklist": "Azure Data Explorer Review Checklist", + "guid": "1559ab91-53e8-4908-ae28-b84c33b6b780", + "link": "https://learn.microsoft.com/azure/data-explorer/devops", + "service": "Azure Data Explorer", + "text": "Design, develop, and implement validation routines to ensure all clusters are in-sync from a data perspective.", + "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "cbe05bbe-209d-4490-ba47-778424d11678", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", - "severity": "High", - "text": "Do not mix servers of different roles in the same availability set. Keep central services VMs, database VMs, application VMs in their own availability sets", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "checklist": "Azure Data Explorer Review Checklist", + "guid": "8b9fe5c4-1049-4d40-9a82-2c3474d00f18", + "link": "https://learn.microsoft.com/azure/data-explorer/devops", + "service": "Azure Data Explorer", + "text": "Be fully cognizant of what it takes to build a cluster from scratch. 
Leverage Infrastructure as a Code for your deployments", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", - "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", - "service": "SAP", + "checklist": "Identity Review Checklist", + "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", + "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", + "service": "Entra", "severity": "Medium", - "text": "You can't deploy Azure availability sets within an Azure availability zone unless you use proximity placement groups.", - "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "text": "Use long-live revocable token, cache your token and acquire your silently using Microsoft Identity Library", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "9674e7c7-7796-4181-8920-09f4429543ba", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", - "severity": "High", - "text": "When you create availability sets, use the maximum number of fault domains and update domains available. For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. 
The default number of fault domains is two, and you can't change it online later.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "checklist": "Identity Review Checklist", + "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", + "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", + "service": "AAD B2C", + "severity": "Medium", + "text": "Make sure that your sign-in user flows are backed up and resilient. Make sure that the code that you use to sign-in your users are backed up and recoverable. Resilient interfaces with external processes", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", - "severity": "High", - "text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group.", + "checklist": "Identity Review Checklist", + "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", + "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", + "service": "AAD B2C", + "severity": "Medium", + "text": "Custom brand assets should be hosted on a CDN", + "waf": "Performance" + }, + { + "checklist": "Identity Review Checklist", + "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", + "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", + "service": "AAD B2C", + "severity": "Low", + "text": "Have multiple identiy providers (i.e., login with your microsoft, google, facebook accounts)", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", - "link": 
"https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", - "severity": "High", - "text": "Use one proximity placement group per SAP SID. Groups don't span across Availability Zones or Azure regions", + "checklist": "Identity Review Checklist", + "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", + "severity": "Medium", + "text": "Follow VM rules for high availability on the VM level (premium disks, two or more in a region, in different availability zones)", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", - "severity": "High", - "text": "Use one of the following services to run SAP central services clusters, depending on the operating system.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "checklist": "Identity Review Checklist", + "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", + "severity": "Medium", + "text": "Don't replicate! 
Replication can create issues with directory synchronization", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "ed46b937-913e-4018-9c62-8393ab037e53", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", - "service": "SAP", + "checklist": "Identity Review Checklist", + "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "Medium", - "text": "Azure doesn't currently support combining ASCS and DB HA in the same Linux Pacemaker cluster; separate them into individual clusters. However, you can combine up to five multiple central-services clusters into a pair of VMs.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "text": "Have active-active for multi-regions", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "f656e745-0cfb-453e-8008-0528fa21c933", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "checklist": "Identity Review Checklist", + "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "severity": "Medium", - "text": "Deploy both VMs in the high-availability pair in an availability set or in availability zones. 
These VMs should be the same size and have the same storage configuration.", + "text": "Add Azure AD Domain service stamps to additional regions and locations", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "7f684ebc-95da-425e-b329-e782dbed050f", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", - "service": "SAP", + "checklist": "Identity Review Checklist", + "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "severity": "Medium", - "text": "Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances on the same high availability cluster running on Red Hat Enterprise Linux (RHEL).", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "text": "Use Replica Sets for DR", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", - "severity": "High", - "text": "Run all production systems on Premium managed SSDs and use Azure NetApp Files or Ultra Disk Storage. 
At least the OS disk should be on the Premium tier so you can achieve better performance and the best SLA.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "checklist": "Resiliency Review", + "description": "Automatic instance repairs ensure that unhealthy instances are promptly identified and replaced, maintaining a set of healthy instances within your scale set.", + "guid": "7e13c105-675c-41e9-95b4-59837ff7ae7c", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs", + "service": "VMSS", + "severity": "Low", + "text": "Enable automatic instance repairs for enhanced VM Scale Sets resiliency", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", - "service": "SAP", + "checklist": "Resiliency Review", + "description": "Ensure that Azure Backup is utilized appropriately to meet your organization's resiliency requirements for Azure virtual machines (VMs).", + "guid": "4d874a74-8b66-42d6-b150-512a66498f6d", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction", + "service": "VM", "severity": "High", - "text": "You should run SAP HANA on Azure only on the types of storage that are certified by SAP. Note that certain volumes must be run on certain disk configurations, where applicable. These configurations include enabling Write Accelerator and using Premium storage. 
You also need to ensure that the file system that runs on storage is compatible with the DBMS that runs on the machine.", - "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", + "text": "Consider Azure Backup to meet your resiliency requirements for Azure VMs", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", - "service": "SAP", + "checklist": "Resiliency Review", + "description": "Single Instance VMs using Premium SSD or Ultra Disk for all Operating System Disks and Data Disks are guaranteed to have Virtual Machine Connectivity of at least 99.9%", + "guid": "8052d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "VM", "severity": "High", - "text": "Consider configuring high availability depending on the type of storage you use for your SAP workloads. 
Some storage services available in Azure are not supported by Azure Site Recovery, so your high availability configuration may differ.",
- "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads",
+ "text": "Use Premium or Ultra disks for production VMs",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693",
- "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/",
- "service": "SAP",
+ "checklist": "Resiliency Review",
+ "description": "Azure automatically replicates managed disks within a region to ensure data durability and protect against single-point failures.",
+ "guid": "b31e38c3-f298-412b-8363-cffe179b599d",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview",
+ "service": "VM",
 "severity": "High",
- "text": "Different native Azure storage services (like Azure Files, Azure NetApp Files, Azure Shared Disk) may not be available in all regions. So to have similar SAP setup on the DR region after failover, ensure the respective storage service is offered in DR site.",
+ "text": "Ensure Managed Disks are used for all VMs",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60",
- "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675",
- "service": "SAP",
+ "checklist": "Resiliency Review",
+ "description": "Temporary disks are intended for short-term storage of non-persistent data such as page files, swap files, or SQL Server tempdb. Storing persistent data on temporary disks can lead to data loss during maintenance events or VM redeployment.",
+ "guid": "e0d5973c-d4ce-432c-8881-37f6f7c4c0d4",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk",
+ "service": "VM",
 "severity": "Medium",
- "text": "Automate SAP System Start-Stop to manage costs.",
- "waf": "Cost"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "71dc00cd-4392-4262-8949-20c05e6c0333",
- "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
- "service": "SAP",
- "severity": "Low",
- "text": "In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD storage can be used to select a cost-conscious storage solution. However, please note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA of the individual VMs. Also, for systems with lower I/O throughput and low latency, such as non-production environments, lower series VMs can be used.",
- "waf": "Cost"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "9877f353-2591-4e8b-8381-e9043fed1010",
- "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
- "service": "SAP",
- "severity": "Low",
- "text": "As a lower-cost alternative configuration (multipurpose), you can choose a low-performance SKU for your non-production HANA database server VMs. However, it is important to note that some VM types, such as E-series, are not HANA certified (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.",
- "waf": "Cost"
+ "text": "Do not use the Temp disk for anything that is not acceptable to be lost",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565",
- "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security",
- "service": "SAP",
- "severity": "High",
- "text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources",
- "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
- "waf": "Security"
+ "checklist": "Resiliency Review",
+ "description": "Co-locate your compute, storage, networking, and data resources across an availability zone, and replicate this arrangement in other availability zones.",
+ "guid": "e514548d-2447-4ec6-9138-b8200f1ce16e",
+ "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Leverage Availability Zones for your VMs in regions where they are supported",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "45911475-e39e-4530-accc-d979366bcda2",
- "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
- "service": "SAP",
+ "checklist": "Resiliency Review",
+ "description": "Use at least two VMs in Availability Sets to isolate VMs on different fault and update domains.",
+ "guid": "5a785d6f-e96c-496a-b884-4cf3b2b38c88",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
+ "service": "VM",
 "severity": "Medium",
- "text": "Enforce Principal propagation for forwarding the identity from SAP cloud application to SAP on-premises (Including IaaS) through cloud connector",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control",
- "waf": "Security"
+ "text": "For regions that do not support Availability Zones deploy VMs into Availability Sets",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5",
- "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
- "service": "SAP",
- "severity": "Medium",
- "text": "Implement SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics and SAP C4C with Azure AD using SAML.",
- "waf": "Security"
+ "checklist": "Resiliency Review",
+ "description": "Azure provides multiple options for VM redundancy to meet different requirements (Availability Zones, Virtual Machine Scale Sets, Availability Sets, Azure Site Recovery)",
+ "guid": "6ba2c021-4991-414a-9d3c-e574dccbd979",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
+ "service": "VM",
+ "severity": "High",
+ "text": "Avoid running a production workload on a single VM",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
- "service": "SAP",
- "severity": "Medium",
- "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
- "waf": "Security"
+ "checklist": "Resiliency Review",
+ "description": "Azure Site Recovery enables you to achieve low RTO (Recovery Time Objective) for your Azure and hybrid VMs by providing continuous replication and failover capabilities.",
+ "guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891",
+ "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
+ "service": "VM",
+ "severity": "High",
+ "text": "For Azure and on-premises VMs (Hyper-V/Phyiscal/VMware) with low RTO requirements use Azure Site Recovery",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1",
- "service": "SAP",
- "severity": "Medium",
- "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori",
- "waf": "Security"
+ "checklist": "Resiliency Review",
+ "description": "By using Capacity Reservations, you can effectively manage capacity for critical workloads, ensuring resource availability in specified regions.",
+ "guid": "bd7bb012-f7b9-45e0-9e15-8e3ea3992c2d",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/capacity-reservation-overview",
+ "service": "VM",
+ "severity": "Low",
+ "text": "Use Capacity Reservations for critical workloads that require guaranteed capacity",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
- "service": "SAP",
+ "checklist": "Resiliency Review",
+ "description": "By ensuring that the necessary quotas are increased in your DR region before testing failover with ASR, you can avoid any potential resource constraints during the recovery process for failed over VMs.",
+ "guid": "e6e2065b-3a76-4af4-a691-e8939ada4666",
+ "link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests",
+ "service": "VM",
 "severity": "Medium",
- "text": "You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution.",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
- "waf": "Security"
+ "text": "Increase quotas in DR region before testing failover with ASR",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317",
- "service": "SAP",
- "severity": "Medium",
- "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on",
- "waf": "Security"
+ "checklist": "Resiliency Review",
+ "description": "Scheduled Events is an Azure Metadata Service that provides information about upcoming maintenance events for virtual machines (VMs). By leveraging Scheduled Events, you can proactively prepare your applications for VM maintenance, minimizing disruption and improving the availability of your VMs.",
+ "guid": "6d3b475a-5c7a-4cbe-99bb-e64dd8902e87",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events",
+ "service": "VM",
+ "severity": "Low",
+ "text": "Utilize Scheduled Events to prepare for VM maintenance",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6",
- "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/",
- "service": "SAP",
+ "checklist": "Resiliency Review",
+ "description": "Use Zone-redundant Storage (ZRS) in the primary region for scenarios that require high availability and for restricting replication to a particular country or region. For protection against regional disasters, use Geo-zone-redundant Storage (GZRS), which combines ZRS in the primary region with geo-replication to a secondary region?.",
+ "guid": "48c7c891-dcb1-4f7d-9769-ae568ba38d4a",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy",
+ "service": "Azure Storage",
 "severity": "Medium",
- "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.",
- "waf": "Security"
+ "text": "Choose the most appropriate data redundancy option for Azure Storage based on your requirements",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "16785d6f-a96c-496a-b885-18f482734c88",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth",
- "service": "SAP",
- "severity": "Medium",
- "text": "Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom applications to access SAP NetWeaver OData services.",
- "waf": "Security"
+ "checklist": "Resiliency Review",
+ "description": "Assigning a Delete lock to your storage account helps protect the availability of your data, minimizing the risk of disruptions to your business operations.",
+ "guid": "85e2213d-bd7b-4b01-8f7b-95e06e158e3e",
+ "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource",
+ "service": "Azure Storage",
+ "severity": "Low",
+ "text": "Apply a Delete lock to prevent accidental or malicious deletion of storage accounts",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a747c350-8d4c-449c-93af-393dbca77c48",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial",
- "service": "SAP",
- "severity": "Medium",
- "text": "Implement SSO to SAP HANA",
- "waf": "Security"
+ "checklist": "Resiliency Review",
+ "description": "Container soft delete protects your data from being accidentally deleted by maintaining the deleted data in the system for a specified period of time.",
+ "guid": "a3992c2d-e6e2-4065-a3a7-6af4a691e893",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable",
+ "service": "Azure Storage",
+ "severity": "Low",
+ "text": "Enable soft delete for Storage Account Containers",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4",
- "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise",
- "service": "SAP",
- "severity": "Medium",
- "text": "Consider Azure AD an identity provider for SAP systems hosted on RISE. For more information, see Integrating the Service with Azure AD.",
- "waf": "Security"
+ "checklist": "Resiliency Review",
+ "description": "Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time.",
+ "guid": "9ada4666-7e13-4c10-96b9-153d89f89dc7",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable",
+ "service": "Azure Storage",
+ "severity": "Low",
+ "text": "Enable soft delete for blobs",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753",
- "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md",
- "service": "SAP",
+ "checklist": "Resiliency Review",
+ "description": "Azure Backup enhanced soft delete provides critical protection against ransomware attacks by retaining deleted backups, enabling recovery from potential ransomware encryption or deletion.",
+ "guid": "b44be3b1-a27f-48b9-b91b-e1038df03a82",
+ "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about",
+ "service": "Azure Backup",
 "severity": "Medium",
- "text": "For applications that access SAP, you might want to use principal propagation to establish SSO.",
- "waf": "Security"
+ "text": "Enable Azure Backup enhanced soft delete for improved data protection and recovery",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "59921095-4980-4fc1-a5b6-524a5a560c79",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial",
- "service": "SAP",
- "severity": "Medium",
- "text": "If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), consider implementing SSO between SAP Cloud Identity Authentication Services and Azure AD to access those SAP services. This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Azure AD as the central user store and identity provider.",
- "waf": "Security"
+ "checklist": "Resiliency Review",
+ "description": "Azure Backup's multi-user authorization enables fine-grained control over user access to backup resources, allowing you to restrict privileges and ensure proper authentication and authorization for backup operations.",
+ "guid": "2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae",
+ "link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept",
+ "service": "Azure Backup",
+ "severity": "Low",
+ "text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a709c664-317e-41e4-9e34-67d9016a86f4",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial",
- "service": "SAP",
- "severity": "Medium",
- "text": "Implement SSO to SAP BTP",
- "waf": "Security"
+ "checklist": "Resiliency Review",
+ "description": "Azure Immutable Storage provides an additional layer of security by ensuring that backup data stored in the vault cannot be modified or deleted for a specified retention period. This helps safeguard your backups from ransomware attacks that may attempt to compromise or manipulate your backup data.",
+ "guid": "2cc88147-0607-4c1c-aa0e-614658dd458e",
+ "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault",
+ "service": "Azure Backup",
+ "severity": "Low",
+ "text": "Implement Immutable Storage for your vaults to protect against ransomware and prevent unauthorized modifications to backups",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial",
- "service": "SAP",
- "severity": "Medium",
- "text": "If you're using SAP SuccessFactors, consider using the Azure AD automated user provisioning. With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Azure AD. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Azure AD. Use write-back of the email address to SAP SuccessFactors.",
- "waf": "Security"
+ "checklist": "Resiliency Review",
+ "description": "To eliminate a single point of failure in your on-premises DNS services and ensure reliable DNS resolution during business continuity and disaster recovery scenarios, it is recommended to utilize Azure DNS Private Resolvers in multiple regions. By deploying two or more Azure DNS private resolvers across different regions, you can enable DNS failover and achieve resiliency in your DNS infrastructure.",
+ "guid": "43da1dae-2cc8-4814-9060-7c1cca0e6146",
+ "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover",
+ "service": "DNS",
+ "severity": "Low",
+ "text": "Implement DNS Failover using Azure DNS Private Resolvers",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "6ba28021-4591-4147-9e39-e5309cccd979",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups",
- "service": "SAP",
+ "checklist": "Resiliency Review",
+ "description": "Use an on-premises data gateway cluster to avoid single points of failure and to load balance traffic across gateways.",
+ "guid": "89f89dc7-b44b-4e3b-8a27-f8b9e91be103",
+ "link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters",
+ "service": "Data Gateways",
 "severity": "Medium",
- "text": "enforce existing Management Group policies to SAP Subscriptions",
- "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization",
- "waf": "Operations"
+ "text": "Use on-premises data gateway clusters to ensure high availability for business-critical data",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892",
- "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
- "service": "SAP",
+ "checklist": "Resiliency Review",
+ "description": "When choosing the best option for deploying NVAs in Azure, it is crucial to consider the vendor's recommendations and validate that the specific design has been vetted and validated by the NVA vendor. The vendor should also provide the necessary NVA configuration for seamless integration in Azure.",
+ "guid": "8b1188b3-c6a4-46ce-a544-451e192d3442",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha",
+ "service": "NVA",
 "severity": "High",
- "text": "Integrate tightly coupled applications into the same SAP subscription to avoid additional routing and management complexity",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions",
- "waf": "Operations"
+ "text": "Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration for High Availability",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a",
- "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
- "service": "SAP",
+ "checklist": "Container Apps Review",
+ "guid": "af416482-663c-4ed6-b195-b44c7068e09c",
+ "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support",
+ "service": "Container Apps",
 "severity": "High",
- "text": "Leverage Subscription as scale unit and scaling our resources, consider deploying subscription per environment eg. Sandbox, non-prod, prod ",
- "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations",
- "waf": "Operations"
+ "text": "Leverage Availability Zones if regionally applicable",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829",
- "link": "https://learn.microsoft.com/azure/quotas/quotas-overview",
- "service": "SAP",
+ "checklist": "Container Apps Review",
+ "guid": "95bc80ec-6499-4d14-a7d2-7d296b1d8abc",
+ "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment",
+ "service": "Container Apps",
 "severity": "High",
- "text": "Ensure quota increase as a part of subscription provisioning (e.g. total available VM cores within a subscription)",
- "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
- "waf": "Operations"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc",
- "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity",
- "service": "SAP",
- "severity": "Low",
- "text": "The Quota API is a REST API that you can use to view and manage quotas for Azure services. Consider using it if necessary.",
- "waf": "Operations"
+ "text": "Use more than one replica and enable Zone Redundancy.",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8",
- "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal",
- "service": "SAP",
+ "checklist": "Container Apps Review",
+ "guid": "ccaa4fc2-fdbc-4432-8bb7-f7e6469e4dc3",
+ "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity",
+ "service": "Container Apps",
 "severity": "High",
- "text": "If deploying to an availability zone, ensure that the VM's zone deployment is available once the quota has been approved. Submit a support request with the subscription, VM series, number of CPUs and availability zone required.",
- "waf": "Operations"
+ "text": "For cross-region DR, deploy container apps in multiple regions and follow active/active or active/passive application guidance.",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "e6e20617-3686-4af4-9791-f8935ada4332",
- "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/",
- "service": "SAP",
+ "checklist": "Container Apps Review",
+ "guid": "2ffada86-c031-4933-bf7d-0c45bc4e5919",
+ "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity",
+ "service": "Container Apps",
 "severity": "High",
- "text": "Ensure required services and features are available within the chosen deployment regions eg. ANF , Zone etc.",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations",
- "waf": "Operations"
+ "text": "Use Front Door or Traffic Manager to route traffic to the closest region",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "4e138115-2318-41aa-9174-26943ff8ae7d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization",
- "service": "SAP",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298",
+ "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies",
+ "service": "Spring Apps",
 "severity": "Medium",
- "text": "Leverage Azure resource tag for cost categorization and resource grouping (: BillTo, Department (or Business Unit), Environment (Production, Stage, Development), Tier (Web Tier, Application Tier), Application Owner, ProjectName)",
- "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
- "waf": "Operations"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061",
- "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
- "service": "SAP",
- "severity": "High",
- "text": "Help protect your HANA database by using the Azure Backup service.",
- "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations",
+ "text": "Azure Spring Apps permits two deployments for every app, only one of which receives production traffic. You can achieve zero downtime with blue green deployment strategies. Blue green deployment is only available in Standard and Enterprise tiers. You could automate deployment using CI/CD with ADO/GitHub actions",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c",
- "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction",
- "service": "SAP",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716",
+ "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region",
+ "service": "Spring Apps",
 "severity": "Medium",
- "text": "If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use the Azure Application Consistent Snapshot tool (AzAcSnap) to take application-consistent snapshots. AzAcSnap also supports Oracle databases. Consider using AzAcSnap on a central VM rather than on individual VMs.",
+ "text": "Azure Spring Apps instances could be created in multiple regions for your applications and traffic could be routed by Traffic Manager/Front Door.",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
- "service": "SAP",
- "severity": "High",
- "text": "Ensure time-zone matches between the operating system and the SAP system.",
- "waf": "Operations"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "c3c7abc0-716c-4486-893c-40e181d65539",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid",
- "service": "SAP",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef",
+ "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps",
+ "service": "Spring Apps",
 "severity": "Medium",
- "text": "Don't group different application services in the same cluster. For example, don't combine DRBD and central services clusters on the same cluster. However, you can use the same Pacemaker cluster to manage approximately five different central services (multi-SID cluster).",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "text": "In supported region, Azure Spring Apps can be deployed as zone redundant, which means that instances are automatically distributed across availability zones. This feature is only available in Standard and Enterprise tiers.",
 "waf": "Reliability"
 },
- {
- "checklist": "SAP Checklist",
- "guid": "a491dfc4-9353-4213-9217-eef0949f9467",
- "link": "https://azure.microsoft.com/pricing/offers/dev-test/",
- "service": "SAP",
- "severity": "Low",
- "text": "Consider running dev/test systems in a snooze model to save and optimize Azure run costs.",
- "waf": "Cost"
+ {
+ "checklist": "Azure Spring Apps Review",
+ "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066",
+ "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment",
+ "service": "Spring Apps",
+ "severity": "Medium",
+ "text": "Use more than 1 app instance for your apps",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54",
- "link": "https://learn.microsoft.com/azure/lighthouse/overview",
- "service": "SAP",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "7504c230-6035-4183-95a5-85762acc6075",
+ "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services",
+ "service": "Spring Apps",
 "severity": "Medium",
- "text": "If you partner with customers by managing their SAP estates, consider Azure Lighthouse. Azure Lighthouse allows managed service providers to use Azure native identity services to authenticate to the customers' environment. It puts the control in the hands of customers, because they can revoke access at any time and audit service providers' actions.",
- "waf": "Operations"
+ "text": "Monitor Azure Spring Apps with logs, metrics and tracing. Integrate ASA with application insights and track failures and create workbooks.",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "4d116785-d2fa-456c-96ad-48408fe72734",
- "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview",
- "service": "SAP",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6",
+ "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway",
+ "service": "Spring Apps",
 "severity": "Medium",
- "text": "Use Azure Update Manager to check the status of available updates for a single VM or multiple VMs and consider scheduling regular patching.",
- "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations",
- "waf": "Operations"
+ "text": "Set up autoscaling in Spring Cloud Gateway",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d",
- "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation",
- "service": "SAP",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "97411607-b6fd-4335-99d1-9885faf4e392",
+ "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale",
+ "service": "Spring Apps",
 "severity": "Low",
- "text": "Optimize and manage SAP Basis operations by using SAP Landscape Management (LaMa). Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations",
- "waf": "Operations"
+ "text": "Enable autoscale for the apps with Standard consumption & dedicated plan.",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "14591147-5e39-4e53-89cc-cd979366bcda",
- "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions",
- "service": "SAP",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3",
+ "link": "https://learn.microsoft.com/azure/spring-apps/overview",
+ "service": "Spring Apps",
 "severity": "Medium",
- "text": "Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA, high-availability SUSE clusters, and SQL systems) on Azure. Consider supplementing Azure Monitor for SAP solutions with SAP Solution Manager.",
- "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
- "waf": "Operations"
+ "text": "Use Enterprise plan for commercial support of spring boot for mission critical apps. With other tiers you get OSS support.",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d",
- "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap",
- "service": "SAP",
+ "checklist": "IoT Hub Review",
+ "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones",
+ "service": "IoT",
 "severity": "High",
- "text": "Run a VM Extension for SAP check. VM Extension for SAP uses the assigned managed identity of a virtual machine (VM) to access VM monitoring and configuration data. The check ensures that all performance metrics in your SAP application come from the underlying Azure Extension for SAP.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations",
- "waf": "Operations"
+ "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled)",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "SAP",
+ "checklist": "IoT Hub Review",
+ "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover",
+ "service": "IoT",
 "severity": "Medium",
- "text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. ",
- "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
- "waf": "Operations"
+ "text": "Be aware of Microsoft-initiated failovers. These are exercised by Microsoft in rare situations to fail over all the IoT hubs from an affected region to the corresponding geo-paired region.",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "523181aa-4174-4269-93ff-8ae7d7d47431",
- "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview",
- "service": "SAP",
- "severity": "Medium",
- "text": "Use Connection Monitor in Azure Network Watcher to monitor latency metrics for SAP databases and application servers. Or collect and display network latency measurements by using Azure Monitor.",
- "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979",
- "waf": "Operations"
+ "checklist": "IoT Hub Review",
+ "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr",
+ "service": "IoT",
+ "severity": "High",
+ "text": "Consider a Cross-Region DR strategy for critical workloads",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "73686af4-6791-4f89-95ad-a43324e13811",
- "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck",
- "service": "SAP",
- "severity": "Medium",
- "text": "Perform a quality check for SAP HANA on the provisioned Azure infrastructure to verify that provisioned VMs comply with SAP HANA on Azure best practices.",
- "waf": "Operations"
+ "checklist": "IoT Hub Review",
+ "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover",
+ "service": "IoT",
+ "severity": "High",
+ "text": "Learn how to trigger a manual failover.",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "616785d6-fa96-4c96-ad88-518f482734c8",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
- "service": "SAP",
+ "checklist": "IoT Hub Review",
+ "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback",
+ "service": "IoT",
 "severity": "High",
- "text": "For each Azure subscription, run a latency test on Azure availability zones before zonal deployment to choose low-latency zones for deployment of SAP on Azure.",
- "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
- "waf": "Performance"
+ "text": "Learn how 
to fail back after a failover.", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", - "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", - "service": "SAP", + "checklist": "Microsoft Purview Review Checklist", + "guid": "1fc2fc14-eea6-4e69-b8d9-a3edc218e687", + "link": "https://polite-sea-0995b240f.2.azurestaticapps.net/technical-delivery-playbook/azure-services/analytics/purview/", + "service": "Purview", "severity": "Medium", - "text": "Run the Resiliency Report to ensure that the configuration of the entire provisioned Azure infrastructure (Compute, Database, Networking, Storage, Site Recovery) complies with the configuration defined by Cloud Adaption Framework for Azure.", - "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", + "text": "Leverage FTA Resillency Handbook", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", - "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", - "service": "SAP", - "severity": "Medium", - "text": "Implement threat protection by using the Microsoft Sentinel solution for SAP. 
Use this solution to monitor your SAP systems and detect sophisticated threats throughout the business logic and application layers.", - "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", - "waf": "Security" + "checklist": "Microsoft Purview Review Checklist", + "guid": "ab067acb-49e5-4b96-8332-4ecf8cc13318", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", + "severity": "High", + "text": "Plan for Data Center level outage", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", - "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "service": "SAP", + "checklist": "Microsoft Purview Review Checklist", + "description": "1. Create the new account 2. Migrate configuration items 3. Run scans 4. Migrate custom typedefs and custom assets 5. Migrate relationships 6. Migrate glossary terms 7. Assign classifications to assets 8. 
Assign contacts to assets", + "guid": "da611702-69f4-4fb4-aa3d-3ef7f3176c4b", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", "severity": "Medium", - "text": "Azure tagging can be leveraged to logically group and track resources, automate their deployments, and most importantly, provide visibility on the incurred costs.", - "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", - "waf": "Operations" + "text": "Practice Failover for BCDR", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", - "service": "SAP", - "severity": "Low", - "text": "Use inter-VM latency monitoring for latency-sensitive applications.", - "waf": "Performance" + "checklist": "Microsoft Purview Review Checklist", + "guid": "97b15b8a-219a-44ab-bb57-879024d22678", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", + "severity": "High", + "text": "Plan a backup strategy and take regular backups", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", - "severity": "Medium", - "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "checklist": "Microsoft Purview Review Checklist", + "guid": "6d20b56c-56a9-4581-89bf-8d8e5c586b7d", + "link": "https://learn.microsoft.com/purview/manage-kafka-dotnet", + "service": "Purview", + "severity": "Low", + "text": "Use Microsoft Purview's Event Hubs to subscribe and create entities to another account", 
"waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", + "checklist": "Microsoft Purview Review Checklist", + "guid": "8cdc15ac-c075-4ee9-a130-a8889579e76b", + "link": "https://learn.microsoft.com/purview/deployment-best-practices", + "service": "Purview", "severity": "Medium", - "text": "Exclude all the database file systems and executable programs from antivirus scans. Including them could lead to performance problems. Check with the database vendors for prescriptive details on the exclusion list. For example, Oracle recommends excluding /oracle//sapdata from antivirus scans.", - "waf": "Performance" + "text": "Follow Purview accounts architectures and deployment best practices", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "c027f893-f404-41a9-b33d-39d625a14964", - "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", - "service": "SAP", - "severity": "Low", - "text": "Consider collecting full database statistics for non-HANA databases after migration. 
For example, implement SAP note 1020260 - Delivery of Oracle statistics.", - "waf": "Performance" + "checklist": "Microsoft Purview Review Checklist", + "guid": "896e710a-7da7-4be9-a56d-14d3c49d997c", + "link": "https://learn.microsoft.com/purview/concept-best-practices-collections", + "service": "Purview", + "severity": "Medium", + "text": "Follow Collection Architectures and best practices", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", - "service": "SAP", + "checklist": "Microsoft Purview Review Checklist", + "guid": "b3d1325a-a225-4c6f-9e06-85edddea8a4b", + "link": "https://learn.microsoft.com/purview/concept-best-practices-asset-lifecycle", + "service": "Purview", "severity": "Medium", - "text": "Consider using Oracle Automatic Storage Management (ASM) for all Oracle deployments that use SAP on Azure.", - "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", - "waf": "Performance" + "text": "Follow Assest lifecycle best practices", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", - "service": "SAP", + "checklist": "Microsoft Purview Review Checklist", + "guid": "7cdeb3c6-1fc2-4fc1-9eea-6e69d8d9a3ed", + "link": "https://learn.microsoft.com/purview/concept-best-practices-automation", + "service": "Purview", "severity": "Medium", - "text": "For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose performance problems. Automatic Workload Repository (AWR) reports contain valuable information for diagnosing problems in the Oracle system. 
We recommend that you run an AWR report during several sessions and choose peak times for it, to ensure broad coverage for the analysis.", - "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", - "waf": "Performance" + "text": "Follow automation best practices", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", - "severity": "High", - "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.", - "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "waf": "Operations" + "checklist": "Microsoft Purview Review Checklist", + "guid": "c218e687-ab06-47ac-a49e-5b9603324ecf", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", + "severity": "Medium", + "text": "Follow Backup and Migration Best practices", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "SAP", + "checklist": "Microsoft Purview Review Checklist", + "guid": "8cc13318-da61-4170-869f-4fb4aa3d3ef7", + "link": "https://learn.microsoft.com/purview/concept-best-practices-glossary", + "service": "Purview", "severity": "Medium", - "text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", - "waf": "Security" + "text": "Follow Purview Glossary Best Practices", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": 
"fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", - "severity": "Medium", - "text": "If the virtual machine's DNS or virtual name is not changed during migration to Azure, Background DNS and virtual names connect many system interfaces in the SAP landscape, and customers are only sometimes aware of the interfaces that developers define over time. Connection challenges arise between various systems when virtual or DNS names change after migrations, and it's recommended to retain DNS aliases to prevent these types of difficulties.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", - "waf": "Operations" + "checklist": "Microsoft Purview Review Checklist", + "guid": "f3176c4b-97b1-45b8-a219-a4abeb578790", + "link": "https://learn.microsoft.com/purview/concept-workflow", + "service": "Purview", + "severity": "Low", + "text": "Leverage Workflows ", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", + "checklist": "Microsoft Purview Review Checklist", + "guid": "24d22678-6d20-4b56-a56a-958119bf8d8e", + "link": "https://learn.microsoft.com/purview/concept-best-practices-security", + "service": "Purview", "severity": "Medium", - "text": "Use different DNS zones to distinguish each environment (sandbox, development, preproduction, and production) from each other. 
The exception is for SAP deployments with their own VNet; here, private DNS zones might not be necessary.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", - "waf": "Operations" + "text": "Follow Purview Security Best Practices", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "a3592829-e6e2-4061-9368-6af46791f893", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", - "service": "SAP", + "checklist": "Microsoft Purview Review Checklist", + "guid": "5c586b7d-8cdc-415a-ac07-5ee9b130a888", + "link": "https://learn.microsoft.com/purview/concept-best-practices-lineage-azure-data-factory", + "service": "Purview", "severity": "Medium", - "text": "Local and global VNet peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions", - "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", + "text": "Follow Purview Data Lineage Best Practices", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", - "service": "SAP", - "severity": "High", - "text": "It is not supported to deploy any NVA between SAP application and SAP Database server", - "training": "https://me.sap.com/notes/2731110", - "waf": "Performance" + "checklist": "Microsoft Purview Review Checklist", + "guid": "9579e76b-896e-4710-a7da-7be9956d14d3", + "link": "https://learn.microsoft.com/purview/concept-best-practices-scanning", + "service": "Purview", + "severity": "Medium", + "text": "Follow Best Practices for Scanning Registered Sources", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", - "link": 
"https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", - "service": "SAP", + "checklist": "Microsoft Purview Review Checklist", + "guid": "c49d997c-b3d1-4325-aa22-5c6f4e0685ed", + "link": "https://learn.microsoft.com/purview/concept-best-practices-classification", + "service": "Purview", "severity": "Medium", - "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", - "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "waf": "Operations" + "text": "Follow Classification Best Practices in Governance Portal", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", - "service": "SAP", + "checklist": "Microsoft Purview Review Checklist", + "guid": "ddea8a4b-7cde-4b3c-91fc-2fc14eea6e69", + "link": "https://learn.microsoft.com/purview/sensitivity-labels-frequently-asked-questions", + "service": "Purview", "severity": "Medium", - "text": "Consider deploying network virtual appliances (NVAs) between regions only if partner NVAs are used. NVAs between regions or VNets aren't required if native NVAs are present. 
When you're deploying partner networking technologies and NVAs, follow the vendor's guidance to verify conflicting configurations with Azure networking.", - "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", - "waf": "Operations" + "text": "Perform Sensitivity Labelling in the Purview Data Map", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", - "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", - "service": "SAP", - "severity": "Medium", - "text": "Virtual WAN manages connectivity between spoke VNets for virtual-WAN-based topologies (no need to set up user-defined routing [UDR] or NVAs), and maximum network throughput for VNet-to-VNet traffic in the same virtual hub is 50 gigabits per second. If necessary, SAP landing zones can use VNet peering to connect to other landing zones and overcome this bandwidth limitation.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", - "waf": "Operations" + "checklist": "Microsoft Purview Review Checklist", + "guid": "d8d9a3ed-c218-4e68-9ab0-67acb49e5b96", + "link": "https://learn.microsoft.com/purview/concept-data-share", + "service": "Purview", + "severity": "Low", + "text": "Leverage Azure Storage in-place data sharing with Microsoft Purview", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "82734c88-6ba2-4802-8459-11475e39e530", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", - "severity": "High", - "text": "Public IP assignment to VM running SAP Workload is not recommended.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", - "waf": "Security" + "checklist": "Microsoft Purview Review Checklist", + 
"guid": "03324ecf-8cc1-4331-ada6-1170269f4fb4", + "link": "https://learn.microsoft.com/purview/concept-insights", + "service": "Purview", + "severity": "Low", + "text": "Leverage Data Estate Insights", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", - "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "service": "SAP", - "severity": "High", - "text": "Consider reserving IP address on DR side when configuring ASR", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Operations" + "checklist": "Microsoft Purview Review Checklist", + "guid": "aa3d3ef7-f317-46c4-a97b-15b8a219a4ab", + "link": "https://learn.microsoft.com/purview/catalog-adoption-insights", + "service": "Purview", + "severity": "Low", + "text": "Use Data stewardship and Catalog adoption", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", - "severity": "High", - "text": "Avoid using overlapping IP address ranges for production and DR sites.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", - "waf": "Operations" + "checklist": "Microsoft Purview Review Checklist", + "guid": "eb578790-24d2-4267-a6d2-0b56c56a9581", + "link": "https://learn.microsoft.com/purview/concept-insights", + "service": "Purview", + "severity": "Low", + "text": "Use Inventory and Ownership", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "6e154e3a-a359-4282-ae6e-206173686af4", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", - "service": "SAP", - "severity": "Medium", - "text": "While Azure does 
help you to create multiple delegated subnets in a VNet, only one delegated subnet can exist in a VNet for Azure NetApp Files. Attempts to create a new volume will fail if you use more than one delegated subnet for Azure NetApp Files.", - "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", - "waf": "Operations" + "checklist": "Microsoft Purview Review Checklist", + "guid": "19bf8d8e-5c58-46b7-b8cd-c15acc075ee9", + "link": "https://learn.microsoft.com/purview/glossary-insights", + "service": "Purview", + "severity": "Low", + "text": "Leverage Insights for Glossary, Classifications, Sensitivity Labels", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", - "service": "SAP", + "checklist": "Microsoft Purview Review Checklist", + "guid": "b130a888-9579-4e76-a896-e710a7da7be9", + "link": "https://learn.microsoft.com/purview/compliance-manager", + "service": "Purview", "severity": "Medium", - "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)", - "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", - "waf": "Security" + "text": "Generate assessment scores", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", - "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", - "service": "SAP", + "checklist": "Microsoft Purview Review Checklist", + "guid": "956d14d3-c49d-4997-ab3d-1325aa225c6f", + "link": "https://learn.microsoft.com/purview/compliance-manager-scoring", + "service": "Purview", "severity": 
"Medium", - "text": "Application Gateway and Web Application Firewall have limitations when Application Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between Application Gateway, SAP Web Dispatcher, and other third-party services.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", - "waf": "Security" + "text": "Profiling- get summaries of data content", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", - "severity": "Medium", - "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", - "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", - "waf": "Security" + "checklist": "Microsoft Purview Review Checklist", + "guid": "4e0685ed-ddea-48a4-a7cd-eb3c61fc2fc1", + "link": "https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts", + "service": "Purview", + "severity": "Low", + "text": "Follow Microsoft Purview Data Owner access policies", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "SAP", - "severity": "Medium", - "text": "Take advantage of Web Application Firewall policies in Azure Front Door when you're using Azure Front Door and Application Gateway to protect HTTP/S applications. 
Lock down Application Gateway to receive traffic only from Azure Front Door.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", - "waf": "Security" + "checklist": "Microsoft Purview Review Checklist", + "guid": "4eea6e69-d8d9-4a3e-bc21-8e687ab067ac", + "link": "https://learn.microsoft.com/purview/concept-self-service-data-access-policy", + "service": "Purview", + "severity": "Low", + "text": "Follow Self-service access policies", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "5ada4332-4e13-4811-9231-81aa41742694", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", - "severity": "Medium", - "text": "Use a web application firewall to scan your traffic when it's exposed to the internet. Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", - "waf": "Security" + "checklist": "Microsoft Purview Review Checklist", + "guid": "b49e5b96-0332-44ec-b8cc-13318da61170", + "link": "https://learn.microsoft.com/purview/concept-policies-devops", + "service": "Purview", + "severity": "Low", + "text": "Follow DevOps policies", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "SAP", - "severity": "Medium", - "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", - "waf": "Performance" + "checklist": "Azure Container Registry Security Review", + "description": "Disable image export to prevent data exfiltration. Note that this will prevent image import of images into another ACR instance.", + "guid": "ab91932c-9fc9-4d1b-a880-37f5e6bfcb9e", + "link": "https://learn.microsoft.com/azure/container-registry/data-loss-prevention", + "service": "ACR", + "severity": "High", + "text": "Disable Azure Container Registry image export", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "SAP", - "severity": "Medium", - "text": "To prevent data leakage, use Azure Private Link to securely access platform as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, and more. Azure Private Endpoint can also help to secure traffic between VNets and services like Azure Storage, Azure Backup, and more. 
Traffic between your VNet and the Private Endpoint enabled service travels across the Microsoft global network, which prevents its exposure to the public internet.", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", + "checklist": "Azure Container Registry Security Review", + "description": "Enable audit compliance visibility by enabling Azure Policy for Azure Container Registry", + "guid": "d503547c-d447-4e82-9128-a7100f1cac6d", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy", + "service": "ACR", + "severity": "High", + "text": "Enable Azure Policies for Azure Container Registry", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", - "service": "SAP", + "checklist": "Azure Container Registry Security Review", + "description": "The Azure Key Vault (AKV) is used to store a signing key that can be utilized by?notation?with the notation AKV plugin (azure-kv) to sign and verify container images and other artifacts. 
The Azure Container Registry (ACR) allows you to attach these signatures using the?az?or?oras?CLI commands.", + "guid": "d345293c-7639-4637-a551-c5c04e401955", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push", + "service": "ACR", "severity": "High", - "text": "Make sure that Azure accelerated networking is enabled on the VMs used in the SAP application and DBMS layers.", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "Performance" + "text": "Sign and Verify containers with notation (Notary v2)", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", - "service": "SAP", + "checklist": "Azure Container Registry Security Review", + "description": "Azure Container Registry automatically encrypts images and other artifacts that you store. By default, Azure automatically encrypts the registry content at rest by using service-managed keys. By using a customer-managed key, you can supplement default encryption with an additional encryption layer.", + "guid": "0bd05dc2-efd5-4d76-8d41-d2500cc47b49", + "link": "https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys", + "service": "ACR", "severity": "Medium", - "text": "Make sure that internal deployments for Azure Load Balancer are set up to use Direct Server Return (DSR). 
This setting (Enabling Floating IP) will reduce latency when internal load balancer configurations are used for high-availability configurations on the DBMS layer.", - "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "text": "Encrypt registry with a customer managed key", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "6791f893-5ada-4433-84e1-3811523181aa", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "SAP", - "severity": "Medium", - "text": "You can use application security group (ASG) and NSG rules to define network security access-control lists between the SAP application and DBMS layers. ASGs group virtual machines to help manage their security.", - "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", + "checklist": "Azure Container Registry Security Review", + "description": "Use managed identities to secure ACRPull/Push RBAC access from client applications", + "guid": "8f42d78e-79dc-47b3-9bd2-a1a27e7a8e90", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", + "service": "ACR", + "severity": "High", + "text": "Use Managed Identities to connect instead of Service Principals", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "checklist": "Azure Container Registry Security Review", + "description": "The local Administrator account is disabled by default and should not be enabled. 
Use either Token or RBAC-based access methods instead", + "guid": "be0e38ce-e297-411b-b363-caaab79b198d", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", + "service": "ACR", "severity": "High", - "text": "Placing of the SAP application layer and SAP DBMS in different Azure VNets that aren't peered isn't supported.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Performance" + "text": "Disable local authentication for management plane access", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "fa96c96a-d885-418f-9827-34c886ba2802", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", - "severity": "Medium", - "text": "For optimal network latency with SAP applications, consider using Azure proximity placement groups.", - "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", - "waf": "Performance" + "checklist": "Azure Container Registry Security Review", + "description": "Disable Administrator account and assign RBAC roles to principals for ACR Pull/Push operations", + "guid": "387e5ced-126c-4d13-8af5-b20c6998a646", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli", + "service": "ACR", + "severity": "High", + "text": "Assign AcrPull & AcrPush RBAC roles rather than granting Administrative access to identity principals", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", - "severity": "High", - "text": "It is NOT supported at all to run an SAP Application Server layer and DBMS layer split between on-premise and Azure. 
Both layers need to completely reside either on-premise or in Azure.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Performance" + "checklist": "Azure Container Registry Security Review", + "description": "Disable anonymous pull/push access", + "guid": "e338997e-41c7-47d7-acf6-a62a1194956d", + "link": "https://learn.microsoft.com/azure/container-registry/anonymous-pull-access#configure-anonymous-pull-access", + "service": "ACR", + "severity": "Medium", + "text": "Disable Anonymous pull access", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "checklist": "Azure Container Registry Security Review", + "description": "Token authentication doesn't support assignment to an AAD principal. Any tokens provided are able to be used by anyone who can access the token", + "guid": "698dc3a2-fd27-4b2e-8870-1a1252beedf6", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication?tabs=azure-cli", + "service": "ACR", "severity": "High", - "text": "It isn't recommended to host the database management system (DBMS) and application layers of SAP systems in different VNets and connect them with VNet peering because of the substantial costs that excessive network traffic between the layers can produce. 
Recommend using subnets within the Azure virtual network to separate the SAP application layer and DBMS layer.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Cost" + "text": "Disable repository-scoped access tokens", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "402a9846-d515-4061-aff8-cd30088693fa", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", - "service": "SAP", + "checklist": "Azure Container Registry Security Review", + "description": "Deploy container images to an ACR behind a Private endpoint within a trusted network", + "guid": "b3bec3d4-f343-47c1-936d-b55f27a71eee", + "service": "ACR", "severity": "High", - "text": "If using Load Balancer with Linux guest operating systems, check that the Linux network parameter net.ipv4.tcp_timestamps is set to 0.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Performance" + "text": "Deploy images from a trusted environment", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "87585797-5551-4d53-bb7d-a94ee415734d", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", - "service": "SAP", + "checklist": "Azure Container Registry Security Review", + "description": "Only tokens with an ACR audience can be used for authentication. Used when enabling Conditional access policies for ACR", + "guid": "3a041fd3-2947-498b-8288-b3c6a56ceb54", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy", + "service": "ACR", "severity": "Medium", - "text": "For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with customer's existing Azure environment. 
Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering", + "text": "Disable Azure ARM audience tokens for authentication", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", - "severity": "High", - "text": "Review SAP HANA database backups for Azure VMs.", - "waf": "Cost" + "checklist": "Azure Container Registry Security Review", + "description": "Set up a diagnostic setting to send 'repositoryEvents' & 'LoginEvents' to Log Analytics as the central destination for logging and monitoring. This allows you to monitor control plane activity on the ACR resource itself.", + "guid": "8a488cde-c486-42bc-9bd2-1be77f26e5e6", + "link": "https://learn.microsoft.com/azure/container-registry/monitor-service", + "service": "ACR", + "severity": "Medium", + "text": "Enable diagnostics logging", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", + "checklist": "Azure Container Registry Security Review", + "description": "Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch", + "guid": "21d41d25-00b7-407a-b9ea-b40fd3290798", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link", + "service": "ACR", "severity": "Medium", - "text": "Review Site Recovery built-in monitoring, where used for SAP.", - "waf": "Cost" + "text": "Control inbound network access with Private Link", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", - 
"link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", - "service": "SAP", - "severity": "High", - "text": "Review the Monitoring the SAP HANA System Landscape guidance.", - "waf": "Operations" + "checklist": "Azure Container Registry Security Review", + "description": "Disable public network access if inbound network access is secured using Private Link", + "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks#disable-public-network-access", + "service": "ACR", + "severity": "Medium", + "text": "Disable Public Network access", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", - "service": "SAP", + "checklist": "Azure Container Registry Security Review", + "description": "Only the ACR Premium SKU supports Private Link access", + "guid": "fc833934-8b26-42d6-ac5f-512925498f6d", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-skus", + "service": "ACR", "severity": "Medium", - "text": "Review Oracle Database in Azure Linux VM backup strategies.", - "waf": "Operations" + "text": "Use an Azure Container Registry SKU that supports Private Link (Premium SKU)", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", - "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", - "service": "SAP", - "severity": "Medium", - "text": "Review the use of Azure Blob Storage with SQL Server 2016.", - "waf": "Operations" + "checklist": "Azure Container Registry Security Review", + "description": "Azure Defender for containers or equivalent service should be used 
to scan container images for vulnerabilities", + "guid": "bad37dac-43bc-46ce-8d7a-a9b24604489a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction", + "service": "ACR", + "severity": "Low", + "text": "Enable Defender for Containers to scan Azure Container Registry for vulnerabilities", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", - "service": "SAP", + "checklist": "Azure Container Registry Security Review", + "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.", + "guid": "4451e1a2-d345-4293-a763-9637a551c5c0", + "service": "ACR", "severity": "Medium", - "text": "Review the use of Automated Backup v2 for Azure VMs.", - "waf": "Operations" + "text": "Deploy validated container images", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", - "service": "SAP", + "checklist": "Azure Container Registry Security Review", + "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.", + "guid": "4e401955-387e-45ce-b126-cd132af5b20c", + "service": "ACR", "severity": "High", - "text": "Enabling Write accelerator for M series when using premium disks(V1)", - "waf": "Operations" + "text": "Use up-to-date platforms, languages, protocols and frameworks", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "service": "SAP", + "checklist": "PostgreSQL Review Checklist", + "guid": "65285269-441c-44bf-9d3e-0844276d4bdc", + "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview", + "service": "PostgreSQL", 
"severity": "Medium", - "text": "Test availability zone latency.", - "waf": "Performance" + "text": "Leverage Flexible Server", + "waf": "Reliability" + }, + { + "checklist": "PostgreSQL Review Checklist", + "guid": "016ccf31-ae5a-41eb-9888-9535e227896d", + "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview#architecture-and-high-availability", + "service": "PostgreSQL", + "severity": "High", + "text": "Leverage Availability Zones where regionally applicable", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", - "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", - "service": "SAP", + "checklist": "PostgreSQL Review Checklist", + "guid": "31b67c67-be59-4519-8083-845d587cb391", + "link": "https://learn.microsoft.com/azure/postgresql/single-server/concepts-business-continuity#cross-region-read-replicas", + "service": "PostgreSQL", "severity": "Medium", - "text": "Activate SAP EarlyWatch Alert for all SAP components.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", - "waf": "Performance" + "text": "Leverage cross-region read replicas for BCDR", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", - "service": "SAP", + "checklist": "Azure Storage Review Checklist", + "description": "Apply guidance from the Microsoft cloud security benchmark related to Storage", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Azure Storage", "severity": "Medium", - "text": "Review SAP application server to database server latency using SAP ABAPMeter report /SSA/CAT.", - "training": "https://me.sap.com/notes/0002879613", 
- "waf": "Performance" + "text": "Consider the 'Azure security baseline for storage'", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", - "service": "SAP", - "severity": "Medium", - "text": "Review SQL Server performance monitoring using CCMS.", - "waf": "Performance" + "checklist": "Azure Storage Review Checklist", + "description": "Azure Storage by default has a public IP address and is Internet-reachable. Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Azure Storage", + "severity": "High", + "text": "Consider using private endpoints for Azure Storage", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", - "link": "https://me.sap.com/notes/500235", - "service": "SAP", + "checklist": "Azure Storage Review Checklist", + "description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. are all enabled. 
Ensure that there are no old storage accounts with classic deployment model in a subscription", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Azure Storage", "severity": "Medium", - "text": "Test network latency between SAP application layer VMs and DBMS VMs (NIPING).", - "training": "https://me.sap.com/notes/1100926/E", - "waf": "Performance" + "text": "Ensure older storage accounts are not using 'classic deployment model'", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", - "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", - "service": "SAP", - "severity": "Medium", - "text": "Review SAP HANA studio alerts.", - "waf": "Performance" + "checklist": "Azure Storage Review Checklist", + "description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Azure Storage", + "severity": "High", + "text": "Enable Microsoft Defender for all of your storage accounts", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", - "link": "https://me.sap.com/notes/1969700", - "service": "SAP", + "checklist": "Azure Storage Review Checklist", + "description": "The soft-delete mechanism allows to recover accidentally deleted blobs.", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Azure Storage", "severity": "Medium", - "text": "Perform SAP HANA health checks using HANA_Configuration_Minichecks.", - "waf": "Performance" + "text": "Enable 'soft delete' for blobs", + "waf": "Security" 
}, { - "checklist": "SAP Checklist", - "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "checklist": "Azure Storage Review Checklist", + "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", "severity": "Medium", - "text": "If you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments, you can use the Update management center in Azure Automation to manage operating system updates, including security patches.", - "training": "https://learn.microsoft.com/azure/automation/update-management/overview", + "text": "Disable 'soft delete' for blobs", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "08951710-79a2-492a-adbc-06d7a401545b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", - "severity": "Medium", - "text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.", - "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", + "checklist": "Azure Storage Review Checklist", + "description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Azure Storage", + 
"severity": "High", + "text": "Enable 'soft delete' for containers", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", - "severity": "Low", - "text": "For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the account. Ensure that another user with system administrator rights can access the server before disabling the original system administrator account.", + "checklist": "Azure Storage Review Checklist", + "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", + "severity": "Medium", + "text": "Disable 'soft delete' for containers", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", + "checklist": "Azure Storage Review Checklist", + "description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", "severity": "High", - "text": "Disable xp_cmdshell. The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. 
It's a potential risk in security audits.", - "training": "https://me.sap.com/notes/3019299/E", + "text": "Enable resource locks on storage accounts", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "checklist": "Azure Storage Review Checklist", + "description": "Consider 'legal hold' or 'time-based retention' policies for blobs, so that is is impossible to delete the blob, the container, or the storage account. Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Azure Storage", "severity": "High", - "text": "Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption technology. Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "text": "Consider immutable blobs", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "SAP", - "severity": "Medium", - "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. 
Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.", - "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", + "checklist": "Azure Storage Review Checklist", + "description": "Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. ", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Azure Storage", + "severity": "High", + "text": "Require HTTPS, i.e. disable port 80 on the storage account", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "SAP", + "checklist": "Azure Storage Review Checklist", + "description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Azure Storage", "severity": "High", - "text": "Use Azure Key Vault to store your secrets and credentials", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "829e2edb-2173-4676-aff6-691b4935ada4", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "SAP", + "checklist": "Azure Storage Review Checklist", + "description": "Requiring 
HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": "Azure Storage", "severity": "Medium", - "text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes. You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).", - "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", + "text": "Limit shared access signature (SAS) tokens to HTTPS connections only", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "SAP", + "checklist": "Azure Storage Review Checklist", + "description": "AAD tokens should be favored over shared access signatures, wherever possible", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Azure Storage", + "severity": "High", + "text": "Use Azure Active Directory (Azure AD) tokens for blob access", + "waf": "Security" + }, + { + "checklist": "Azure Storage Review Checklist", + "description": "When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. 
Limiting access to resources helps prevent both unintentional and malicious misuse of your data.", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Azure Storage", "severity": "Medium", - "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "text": "Least privilege in IaM permissions", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", - "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", - "service": "SAP", + "checklist": "Azure Storage Review Checklist", + "description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. 
", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Azure Storage", "severity": "High", - "text": "Based on existing requirements, regulatory and compliance controls (internal/external) - Determine what Azure Policies and Azure RBAC role are needed", - "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", + "text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "checklist": "Azure Storage Review Checklist", + "description": "Storage account keys ('shared keys') have very little audit capabilities. While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on AAD authentication makes it easier to tie storage access to a user. ", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Azure Storage", "severity": "High", - "text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. 
Follow your DBMS vendor's recommendations when excluding target files.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", + "text": "Consider disabling storage account keys, so that only AAD access (and user delegation SAS) is supported.", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", - "service": "SAP", + "checklist": "Azure Storage Review Checklist", + "description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. storage account keys, access policies, etc.).", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Azure Storage", "severity": "High", - "text": "Delegate an SAP admin custom role with just-in-time access of Microsoft Defender for Cloud.", - "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "text": "Consider using Azure Monitor to audit control plane operations on the storage account", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "Low", - "text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS", - "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", + "checklist": "Azure 
Storage Review Checklist", + "description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Azure Storage", + "severity": "Medium", + "text": "When using storage account keys, consider enabling a 'key expiration policy'", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", - "service": "SAP", + "checklist": "Azure Storage Review Checklist", + "description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. 
When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.",
+ "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf",
+ "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy",
+ "service": "Azure Storage",
 "severity": "Medium",
- "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.",
- "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
+ "text": "Consider configuring an SAS expiration policy",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "4935ada4-2223-4ece-a1b1-23181a541741",
- "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices",
- "service": "SAP",
- "severity": "High",
- "text": "Use an Azure Key Vault per application per environment per region.",
- "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. ",
+ "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "Consider linking SAS to a stored access policy",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c",
- "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios",
- "service": "SAP",
- "severity": "High",
- "text": "To control and manage disk encryption keys and secrets for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. 
SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.",
- "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
+ "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "209d490d-a477-4784-84d1-16785d2fa56c",
- "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles",
- "service": "SAP",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Ideally, your application should be using a managed identity to authenticate to Azure Storage. 
If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.",
+ "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
+ "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys",
+ "service": "Azure Storage",
 "severity": "High",
- "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes",
- "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations",
+ "text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591",
- "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/",
- "service": "SAP",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. 
Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.",
+ "guid": "27138b82-1102-4cac-9eae-01e6e842e52f",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
+ "service": "Azure Storage",
 "severity": "High",
- "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources",
- "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal",
+ "text": "Strive for short validity periods for ad-hoc SAS",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5",
- "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations",
- "service": "SAP",
- "severity": "Low",
- "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.",
- "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "When creating a SAS, be as specific and restrictive as possible. 
Prefer a SAS for a single resource and operation over a SAS which gives much broader access.",
+ "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "Apply a narrow scope to a SAS",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676",
- "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide",
- "service": "SAP",
- "severity": "Low",
- "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.",
- "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to request a resource using the SAS. ",
+ "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "Consider scoping SAS to a specific client IP address, wherever possible",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525",
- "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
- "service": "SAP",
- "severity": "High",
- "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. 
The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously large contents.",
+ "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e",
+ "service": "Azure Storage",
+ "severity": "Low",
+ "text": "Consider checking uploaded data, after clients used a SAS to upload a file. ",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
- "service": "SAP",
- "severity": "Low",
- "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.",
- "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive than SFTP access. 
Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint",
+ "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc",
- "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions",
- "service": "SAP",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization",
+ "service": "Azure Storage",
 "severity": "Medium",
- "text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. We highly recommend that you use root certificates.",
- "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
+ "text": "SFTP: The SFTP endpoint does not support POSIX-like ACLs.",
 "waf": "Security"
 },
 {
- "checklist": "Service Bus Review Checklist",
- "description": "Azure Service Bus Premium provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. 
",
- "guid": "87af4a79-1f89-439b-ba47-768e14c11567",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key",
- "service": "Service Bus",
- "severity": "Low",
- "text": "Use customer-managed key option in data at rest encryption when required",
- "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Storage supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. When enabling CORS, keep the CorsRules to the least privilege.",
+ "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "Avoid overly broad CORS policies",
 "waf": "Security"
 },
 {
- "checklist": "Service Bus Review Checklist",
- "description": "Communication between a client application and an Azure Service Bus namespace is encrypted using Transport Layer Security (TLS). Azure Service Bus namespaces permit clients to send and receive data with TLS 1.0 and above. 
To enforce stricter security measures, you can configure your Service Bus namespace to require that clients send and receive data with a newer version of TLS.",
- "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version",
- "service": "Service Bus",
- "severity": "Medium",
- "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ",
- "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. Server-side encryption might happen using a platform-managed key (default) or customer-managed key. Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. thus not relying on Azure Storage at all for confidentiality guarantees.",
+ "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "Determine how data at rest should be encrypted. Understand the thread model for data.",
 "waf": "Security"
 },
 {
- "checklist": "Service Bus Review Checklist",
- "description": "When you create a Service Bus namespace, a SAS rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative root account and don't use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
",
- "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies",
- "service": "Service Bus",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6",
+ "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json",
+ "service": "Azure Storage",
 "severity": "Medium",
- "text": "Avoid using root account when it is not necessary",
- "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/",
+ "text": "Determine which/if platform encryption should be used.",
 "waf": "Security"
 },
 {
- "checklist": "Service Bus Review Checklist",
- "description": "A Service Bus client app running inside an Azure App Service application or in a virtual machine with enabled managed entities for Azure resources support does not need to handle SAS rules and keys, or any other access tokens. The client app only needs the endpoint address of the Service Bus Messaging namespace. ",
- "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity",
- "service": "Service Bus",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys",
+ "service": "Azure Storage",
 "severity": "Medium",
- "text": "When possible, your application should be using a managed identity to authenticate to Azure Service Bus. 
If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service",
- "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
+ "text": "Determine which/if client-side encryption should be used.",
 "waf": "Security"
 },
 {
- "checklist": "Service Bus Review Checklist",
- "description": "When creating permissions, provide fine-grained control over a client's access to Azure Service Bus. Permissions in Azure Service Bus can and should be scoped to the individual resource level e.g. queue, topic or subscription. ",
- "guid": "f615658d-e558-4f93-9249-b831112dbd7e",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus",
- "service": "Service Bus",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Leverage Resource Graph Explorer (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) to find storage accounts which allow anonymous blob access.",
+ "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account",
+ "service": "Azure Storage",
 "severity": "High",
- "text": "Use least privilege data plane RBAC",
- "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
+ "text": "Consider whether public blob access is needed, or whether it can be disabled for certain storage accounts. ",
 "waf": "Security"
 },
 {
- "checklist": "Service Bus Review Checklist",
- "description": "Azure Service Bus resource logs include operational logs, virtual network and IP filtering logs. 
Runtime audit logs capture aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Service Bus.",
- "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference",
- "service": "Service Bus",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "Leverage a storagev2 account type for better performance and reliability",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "e05bbe20-9d49-4fda-9777-8424d116785c",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "Leverage GRS, ZRS or GZRS storage for the highest availability",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "2fa56c56-ad48-4408-be72-734c486ba280",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance",
+ "service": "Azure Storage",
 "severity": "Medium",
- "text": "Enable logging for security investigation. Use Azure Monitor to trace resource logs and runtime audit logs (currently available only in the premium tier)",
- "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
- "waf": "Security"
+ "text": "For write operation after failover, use customer-Managed Failover ",
+ "waf": "Reliability"
 },
 {
- "checklist": "Service Bus Review Checklist",
- "description": "Azure Service Bus by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Service Bus traverses over the Microsoft backbone network. 
In addition to that, you should disable public endpoints if those are not used. ",
- "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service",
- "service": "Service Bus",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover",
+ "service": "Azure Storage",
 "severity": "Medium",
- "text": "Consider using private endpoints to access Azure Service Bus and disable public network access when applicable.",
- "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
- "waf": "Security"
+ "text": "Understand Microsoft-Managed Failover details",
+ "waf": "Reliability"
 },
 {
- "checklist": "Service Bus Review Checklist",
- "description": "With IP firewall, you can restrict the public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. ",
- "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering",
- "service": "Service Bus",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal",
+ "service": "Azure Storage",
 "severity": "Medium",
- "text": "Consider only allowing access to Azure Service Bus namespace from specific IP addresses or ranges",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
- "waf": "Security"
+ "text": "Enable Soft Delete",
+ "waf": "Reliability"
 }
 ],
 "metadata": {
diff --git a/checklists/waf_checklist.es.json b/checklists/waf_checklist.es.json
index afaf229fe..748db30cd 100644
--- a/checklists/waf_checklist.es.json 
+++ b/checklists/waf_checklist.es.json 
@@ -64,482 +64,697 @@
 "waf": "Fiabilidad"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20",
- "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models",
- "service": "Azure Monitor",
- "text": "Reglas de recopilación de datos en Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview",
- "training": "https://azure.microsoft.com/pricing/reservations/",
- "waf": "Costar"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "f00a69de-7076-4734-a734-6e4552cad9e1",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates",
+ "service": "Front Door",
+ "severity": "Medio",
+ "text": "Si usa certificados TLS administrados por el cliente con Azure Front Door, use la versión de certificado \"más reciente\". Reduzca el riesgo de interrupciones causadas por la renovación manual de certificados",
+ "waf": "Operaciones"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "45901365-d38e-443f-abcb-d868266abca2",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation",
- "service": "Azure Backup",
- "text": "Comprobar las instancias de copia de seguridad con la fuente de datos subyacente no encontrada",
- "waf": "Costar"
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant",
+ "guid": "553585a6-abe0-11ed-afa1-0242ac120002",
+ "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2",
+ "service": "App Gateway",
+ "severity": "Medio",
+ "text": "Asegúrese de que usa la SKU de Application Gateway v2",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ 
"waf": "Seguridad"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse",
- "service": "VM",
- "text": "Eliminar o archivar servicios no asociados (discos, NIC, direcciones IP, etc.)",
- "waf": "Costar"
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')",
+ "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
+ "service": "Load Balancer",
+ "severity": "Medio",
+ "text": "Asegúrese de que usa la SKU estándar para Azure Load Balancers",
+ "waf": "Seguridad"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
- "service": "Azure Backup",
- "text": "Considere un buen equilibrio entre el almacenamiento de recuperación del sitio y la copia de seguridad para aplicaciones que no son críticas",
- "waf": "Costar"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "9432621a-8397-4654-a882-5bc856b7ef83",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones",
+ "service": "Load Balancer",
+ "severity": "Medio",
+ "text": "Asegúrese de que las direcciones IP de front-end de Load Balancers tengan redundancia de zona (a menos que necesite front-end zonal).",
+ "waf": "Seguridad"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a",
- "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts",
- "service": 
"Azure Monitor",
- "text": "Compruebe las oportunidades de gasto y ahorro entre las 40 áreas de trabajo de Log Analytics diferentes: use diferentes retenciones y recopilación de datos para áreas de trabajo que no sean de producción: cree un límite diario para el reconocimiento y el tamaño de los niveles: si establece un límite diario, además de crear una alerta cuando se alcance el límite, asegúrese de crear también una regla de alerta para que se le notifique cuando se alcance algún porcentaje (90 %, por ejemplo). - Considere la posibilidad de transformar el espacio de trabajo si es posible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ",
- "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes",
- "waf": "Costar"
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant",
+ "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15",
+ "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet",
+ "service": "App Gateway",
+ "severity": "Medio",
+ "text": "Application Gateways v2 debe implementarse en subredes con prefijos IP iguales o mayores que /24",
+ "training": 
"https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Seguridad"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
- "service": "Azure Monitor",
- "text": "Aplique una política de purga de registros y automatización (si es necesario, los registros se pueden mover al almacenamiento en frío)",
- "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw",
- "waf": "Costar"
+ "checklist": "Azure Application Delivery Networking",
+ "description": "La administración de proxies inversos en general y de WAF en particular está más cerca de la aplicación que de la red, por lo que pertenecen a la misma suscripción que la aplicación. La centralización de Application Gateway y WAF en la suscripción de conectividad puede ser correcta si la administra un solo equipo.",
+ "guid": "48b662d6-d15f-4512-a654-98f6dfe237de",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "App Gateway",
+ "severity": "Medio",
+ "text": "Implemente Azure Application Gateway v2 o aplicaciones virtuales de red de asociados que se usan para proxy de conexiones HTTP(S) entrantes dentro de la red virtual de la zona de aterrizaje y con las aplicaciones que están protegiendo.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Seguridad"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
- "service": "VM",
- "text": "Compruebe que los discos son realmente necesarios, si no: eliminar. 
Si son necesarios, busque niveles de almacenamiento más bajos o use una copia de seguridad:",
- "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation",
- "waf": "Costar"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "App Gateway",
+ "severity": "Medio",
+ "text": "Use una red DDoS o planes de protección IP para todas las direcciones IP públicas en las zonas de aterrizaje de la aplicación.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Seguridad"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "d1e44a19-659d-4395-afd7-7289b835556d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
- "service": "Storage",
- "text": "Considere la posibilidad de mover el almacenamiento no utilizado al nivel inferior, con reglas personalizadas: https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ",
- "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
- "waf": "Costar"
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant",
+ "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0",
+ "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant",
+ "service": "App Gateway",
+ "severity": "Medio",
+ "text": "Configure el escalado automático con una cantidad mínima de instancias de dos.",
+ "training": 
"https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "VM",
- "text": "Asegúrese de que el asesor está configurado para el tamaño correcto de la máquina virtual ",
- "waf": "Costar"
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant",
+ "guid": "060c6964-52b5-48db-af8b-83e4b2d85349",
+ "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2",
+ "service": "App Gateway",
+ "severity": "Medio",
+ "text": "Implementación de Application Gateway en zonas de disponibilidad",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "description": "comprobando la búsqueda de las licencias de categoría de contador en el análisis de costes",
- "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations",
- "service": "VM",
- "text": "ejecutar el script en todas las máquinas virtuales de Windows https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server: considere la posibilidad de implementar una directiva si las máquinas virtuales de Windows se crean con frecuencia",
- "waf": "Costar"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "Front Door",
+ "severity": "Medio",
+ "text": "Use Azure Front 
Door con directivas de WAF para entregar y ayudar a proteger aplicaciones HTTP/S globales que abarcan varias regiones de Azure.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Seguridad"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3",
- "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
- "service": "VM",
- "text": " esto también se puede poner bajo AHUB si ya tiene licencias https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance",
- "waf": "Costar"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "3f29812b-2363-4cef-b179-b599de0d5973",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "service": "Front Door",
+ "severity": "Medio",
+ "text": "Al usar Front Door y Application Gateway para ayudar a proteger las aplicaciones HTTP/S, use directivas de WAF en Front Door. 
Bloquee Application Gateway para recibir tráfico solo de Front Door.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Seguridad"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5",
- "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal",
- "service": "VM",
- "text": "Consolide familias de máquinas virtuales reservadas con la opción de flexibilidad (no más de 4-5 familias)",
- "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management",
- "waf": "Costar"
+ "ammp": true,
+ "arm-service": "microsoft.network/trafficManagerProfiles",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "Traffic Manager",
+ "severity": "Alto",
+ "text": "Use el Administrador de tráfico para entregar aplicaciones globales que abarquen protocolos distintos de HTTP/S.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations",
- "service": "VM",
- "text": "Uso de Azure Reserved Instances: esta característica le permite reservar máquinas virtuales durante un período de 1 o 3 años, lo que proporciona un importante ahorro de costos en comparación con los precios de pago por uso.",
- "waf": "Costar"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", 
+ "service": "Entra",
+ "severity": "Bajo",
+ "text": "Si los usuarios solo necesitan acceso a aplicaciones internas, ¿se ha considerado Microsoft Entra ID Application Proxy como una alternativa a Azure Virtual Desktop (AVD)?",
+ "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
+ "waf": "Seguridad"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d",
- "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
- "service": "VM",
- "text": "Solo se pueden reservar discos más grandes => 1 TiB -",
- "waf": "Costar"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
+ "service": "Entra",
+ "severity": "Medio",
+ "text": "Para reducir el número de puertos de firewall abiertos para las conexiones entrantes en la red, considere la posibilidad de usar Microsoft Entra ID Application Proxy para proporcionar a los usuarios remotos acceso seguro y autenticado a las aplicaciones internas.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
+ "waf": "Seguridad"
 },
 {
- "checklist": "Cost Optimization Checklist",
- "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db",
- "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain",
- "service": "VM",
- "text": "Después de la optimización del tamaño correcto",
- "waf": "Costar"
+ "ammp": true,
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | 
extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "ae248989-b306-4591-9186-de482e3f0f0e", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "Front Door", + "severity": "Alto", + "text": "Implemente la directiva de WAF para Front Door en modo de \"prevención\".", + "waf": "Seguridad" }, { - "checklist": "Cost Optimization Checklist", - "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Azure SQL", - "text": "Compruebe si corresponde y aplique la política/cambio https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", - "waf": "Costar" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "Front Door", + "severity": "Alto", + "text": "Evite combinar Azure Traffic Manager y Azure Front Door.", + "waf": "Seguridad" }, { - "checklist": "Cost Optimization Checklist", - "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "VM", - "text": "El descuento de la parte de la licencia VM + (ahub + 3YRI) es de alrededor del 70% de descuento", - "waf": "Costar" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", + "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "Front Door", + "severity": "Alto", + "text": "Use el mismo nombre de dominio en Azure Front Door y su origen. Los nombres de host no coincidentes pueden causar errores sutiles.", + "waf": "Seguridad" }, { - "checklist": "Cost Optimization Checklist", - "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "VM", - "text": "Considere la posibilidad de utilizar un VMSS para satisfacer la demanda en lugar de un tamaño fijo", - "waf": "Costar" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Cost Optimization Checklist", - "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "AKS", - "text": "Use el escalador automático de AKS para que coincida con el uso de los clústeres (asegúrese de que los requisitos de los pods coincidan con el escalador)", - "waf": "Costar" + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", + "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", + "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "Front Door", + "severity": "Bajo", + "text": "Deshabilite los sondeos de estado cuando solo haya un origen en un grupo de orígenes de Azure Front Door.", + "waf": "Rendimiento" }, { - "checklist": "Cost Optimization Checklist", - "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Azure Backup", - "text": "Mover los puntos de recuperación al archivo de almacén cuando corresponda (Validar)", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "Costar" + "checklist": "Azure Application Delivery Networking", + "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "Front Door", + "severity": "Medio", + "text": "Seleccione puntos de conexión de sondeo de estado correctos para Azure Front Door. Considere la posibilidad de crear puntos de conexión de estado que comprueben todas las dependencias de la aplicación.", + "waf": "Fiabilidad" }, { - "checklist": "Cost Optimization Checklist", - "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", - "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", - "service": "Databricks", - "text": "Considere la posibilidad de usar máquinas virtuales de acceso puntual con reserva siempre que sea posible. 
Considere la posibilidad de la terminación automática de clústeres.", - "waf": "Costar" + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", + "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "Front Door", + "severity": "Bajo", + "text": "Use sondeos de estado de HEAD con Azure Front Door para reducir el tráfico que Front Door envía a la aplicación.", + "waf": "Rendimiento" }, { - "checklist": "Cost Optimization Checklist", - "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", - "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", - "service": "Azure Functions", - "text": "Funciones - Reutilizar conexiones", - "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", - "waf": "Costar" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", + "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "Load Balancer", + "severity": "Alto", + "text": "Use Azure NAT Gateway en lugar de reglas de salida de Load Balancer para mejorar la escalabilidad de SNAT", + "waf": "Fiabilidad" }, { - "checklist": "Cost Optimization Checklist", - "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", - 
"link": "https://learn.microsoft.com/azure/automation/update-management/overview", - "service": "Azure Functions", - "text": "Funciones: almacenar datos en caché localmente", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", - "waf": "Costar" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", + "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "Front Door", + "severity": "Alto", + "text": "Use certificados TLS administrados con Azure Front Door. Reduzca los costos operativos y el riesgo de interrupciones debido a las renovaciones de certificados.", + "waf": "Operaciones" }, { - "checklist": "Cost Optimization Checklist", - "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Azure Functions", - "text": "Funciones - Arranques en frío: utilice la funcionalidad 'Ejecutar desde el paquete'. De esta manera, el código se descarga como un único archivo zip. Esto puede, por ejemplo, resultar en mejoras significativas con las funciones de Javascript, que tienen muchos módulos de nodos. 
Utilice herramientas específicas del lenguaje para reducir el tamaño del paquete, por ejemplo, aplicaciones Javascript que sacuden el árbol.", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "Costar" + "checklist": "Azure Application Delivery Networking", + "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", + "service": "Front Door", + "severity": "Medio", + "text": "Defina la configuración de WAF de Azure Front Door como código. Mediante el uso de código, puede adoptar más fácilmente una nueva versión del conjunto de reglas y obtener protección adicional.", + "waf": "Operaciones" }, { - "checklist": "Cost Optimization Checklist", - "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "Azure Functions", - "text": "Funciones - Mantén tus funciones calientes", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Costar" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", + "service": "Front Door", + "severity": "Alto", + "text": "Use TLS de un extremo a otro con Azure Front Door. 
Use TLS para las conexiones de los clientes a Front Door y de Front Door al origen.", + "waf": "Seguridad" }, { - "checklist": "Cost Optimization Checklist", - "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Azure Functions", - "text": "Al usar el escalado automático con diferentes funciones, es posible que haya uno que controle todo el escalado automático para todos los recursos: considere la posibilidad de moverlo a un plan de consumo independiente (y considere un plan superior para la CPU)", - "waf": "Costar" + "checklist": "Azure Application Delivery Networking", + "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", + "service": "Front Door", + "severity": "Medio", + "text": "Use el redireccionamiento de HTTP a HTTPS con Azure Front Door. Apoye a los clientes más antiguos redirigiéndolos automáticamente a una solicitud HTTPS.", + "waf": "Seguridad" }, { - "checklist": "Cost Optimization Checklist", - "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", - "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", - "service": "Azure Functions", - "text": "Las aplicaciones de funciones de un plan determinado se escalan juntas, por lo que cualquier problema con el escalado puede afectar a todas las aplicaciones del plan.", - "waf": "Costar" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", + "service": "Front Door", + "severity": "Alto", + "text": "Habilite el WAF de Azure Front Door. 
Proteja su aplicación de una variedad de ataques.", + "waf": "Seguridad" }, { - "checklist": "Cost Optimization Checklist", - "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", - "service": "Azure Functions", - "text": "¿Se me factura por el \"tiempo de espera\"? Esta pregunta se suele formular en el contexto de una función de C# que realiza una operación asincrónica y espera el resultado, por ejemplo, await Task.Delay(1000) o await client. GetAsync('http://google.com'). La respuesta es sí: el segundo cálculo de GB se basa en la hora de inicio y finalización de la función y el uso de memoria durante ese período. Lo que realmente sucede durante ese tiempo en términos de actividad de la CPU no se tiene en cuenta en el cálculo. Una excepción a esta regla es si está utilizando funciones duraderas. No se le facturará por el tiempo empleado en las esperas en las funciones de orquestador.aplique técnicas de modelado de la demanda siempre que sea posible (¿entornos de desarrollo?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", - "waf": "Costar" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", + "service": "Front Door", + "severity": "Alto", + "text": "Ajuste el WAF de Azure Front Door para su carga de trabajo. 
Reduzca las detecciones de falsos positivos.", + "waf": "Seguridad" }, { - "checklist": "Cost Optimization Checklist", - "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", "service": "Front Door", - "text": "Frontdoor: desactivar la página principal predeterminadaEn la configuración de la aplicación de la aplicación, establezca AzureWebJobsDisableHomepage en true. Esto devolverá un 204 (sin contenido) al PoP para que solo se devuelvan los datos del encabezado.", - "waf": "Costar" + "severity": "Alto", + "text": "Habilite la característica de inspección del cuerpo de la solicitud habilitada en la directiva WAF de Azure Front Door.", + "waf": "Seguridad" }, { - "checklist": "Cost Optimization Checklist", - "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", "service": "Front Door", - "text": "Frontdoor: ruta a algo que no devuelve nada. Configure una función, un proxy de función o agregue una ruta en la aplicación web que devuelva 200 (correctamente) y envíe contenido mínimo o nulo. La ventaja de esto es que podrá cerrar la sesión cuando se llame.", - "waf": "Costar" + "severity": "Alto", + "text": "Habilite los conjuntos de reglas predeterminados de WAF de Azure Front Door. 
Los conjuntos de reglas predeterminados detectan y bloquean los ataques comunes.", + "waf": "Seguridad" }, { - "checklist": "Cost Optimization Checklist", - "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", - "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", - "service": "Storage", - "text": "Considere la posibilidad de archivar niveles para los datos menos utilizados", - "waf": "Costar" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", + "service": "Front Door", + "severity": "Alto", + "text": "Habilite el conjunto de reglas de protección contra bots de Azure Front Door WAF. Las reglas de bots detectan bots buenos y malos.", + "waf": "Seguridad" }, { - "checklist": "Cost Optimization Checklist", - "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "VM", - "text": "Compruebe los tamaños de disco en los que el tamaño no coincida con el nivel (es decir, un disco de 513 GiB pagará un P30 (1 TiB) y considere la posibilidad de cambiar el tamaño", - "waf": "Costar" + "checklist": "Azure Application Delivery Networking", + "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", + "service": "Front Door", + "severity": "Medio", + "text": "Use la versión más reciente del conjunto de reglas de WAF de Azure Front Door. 
Las actualizaciones del conjunto de reglas se actualizan periódicamente para tener en cuenta el panorama actual de amenazas.", + "waf": "Seguridad" }, { - "checklist": "Cost Optimization Checklist", - "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "Storage", - "text": "Considere la posibilidad de utilizar un SSD estándar en lugar de Premium o Ultra siempre que sea posible", - "waf": "Costar" + "checklist": "Azure Application Delivery Networking", + "guid": "b9620385-1cde-418f-914b-a84a06982ffc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", + "service": "Front Door", + "severity": "Medio", + "text": "Agregue limitación de velocidad al WAF de Azure Front Door. La limitación de velocidad bloquea a los clientes que envían accidental o intencionadamente grandes cantidades de tráfico en un corto período de tiempo.", + "waf": "Seguridad" }, { - "checklist": "Cost Optimization Checklist", - "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "Storage", - "text": "En el caso de las cuentas de almacenamiento, asegúrese de que el nivel elegido no suma cargos por transacción (puede ser más barato pasar al siguiente nivel)", - "waf": "Costar" + "checklist": "Azure Application Delivery Networking", + "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", + "service": "Front Door", + "severity": "Medio", + "text": "Use un umbral alto para los límites de frecuencia de WAF de Azure Front Door. 
Los umbrales de límite de velocidad altos evitan el bloqueo del tráfico legítimo, a la vez que proporcionan protección contra un número extremadamente alto de solicitudes que podrían sobrecargar su infraestructura. ", + "waf": "Seguridad" }, { - "checklist": "Cost Optimization Checklist", - "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "Site Recovery", - "text": "Para ASR, considere la posibilidad de usar discos SSD estándar si el RPO/RTO y el rendimiento de replicación lo permiten", - "waf": "Costar" + "checklist": "Azure Application Delivery Networking", + "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", + "service": "Front Door", + "severity": "Bajo", + "text": "Si no espera tráfico de todas las regiones geográficas, utilice filtros geográficos para bloquear el tráfico de países no esperados.", + "waf": "Seguridad" }, { - "checklist": "Cost Optimization Checklist", - "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", - "service": "Storage", - "text": "Cuentas de almacenamiento: compruebe el nivel de acceso frecuente o GRS necesario", - "waf": "Costar" + "checklist": "Azure Application Delivery Networking", + "guid": "00acd8a9-6975-414f-8491-2be6309893b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", + "service": "Front Door", + "severity": "Medio", + "text": "Especifique la ubicación desconocida (ZZ) al filtrar geográficamente el tráfico con el WAF de Azure Front Door. 
Evite bloquear accidentalmente solicitudes legítimas cuando las direcciones IP no puedan coincidir geográficamente.", + "waf": "Seguridad" }, { - "checklist": "Cost Optimization Checklist", - "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "VM", - "text": "Discos: valide el uso de discos SSD Premium en todas partes: por ejemplo, los que no son de producción podrían cambiar a SSD estándar o SSD Premium bajo demanda ", - "waf": "Costar" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", + "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", + "service": "App Gateway", + "severity": "Alto", + "text": "Habilitación del conjunto de reglas de protección contra bots de WAF de Azure Application Gateway Las reglas de bots detectan bots buenos y malos.", + "waf": "Seguridad" }, { - "checklist": "Cost Optimization Checklist", - "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "Synapse", - "text": "Cree presupuestos para administrar los costos y cree alertas que notifiquen automáticamente a las partes interesadas sobre anomalías en el gasto y riesgos de gasto excesivo.", - "waf": "Costar" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", + "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "App Gateway", + "severity": "Alto", + "text": "Habilite la característica de inspección del cuerpo de la solicitud habilitada en la directiva WAF de Azure Application Gateway.", + "waf": "Seguridad" }, { - "checklist": "Cost Optimization Checklist", - "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "Synapse", - "text": "Exporte los datos de costos a una cuenta de almacenamiento para realizar análisis de datos adicionales.", - "waf": "Costar" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", + "service": "App Gateway", + "severity": "Alto", + "text": "Ajuste el WAF de Azure Application Gateway para la carga de trabajo. 
Reduzca las detecciones de falsos positivos.", + "waf": "Seguridad" }, { - "checklist": "Cost Optimization Checklist", - "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Synapse", - "text": "Controle los costos de un grupo de SQL dedicado pausando el recurso cuando no esté en uso.", - "waf": "Costar" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "App Gateway", + "severity": "Alto", + "text": "Implemente la directiva de WAF para Application Gateway en modo de \"prevención\".", + "waf": "Seguridad" }, { - "checklist": "Cost Optimization Checklist", - "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", - "service": "Synapse", - "text": "Habilite la función de pausa automática de Apache Spark sin servidor y establezca el valor de tiempo de espera en consecuencia.", - "waf": "Costar" + "checklist": "Azure Application Delivery Networking", + "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", + "service": "App Gateway", + "severity": "Medio", + 
"text": "Agregue limitación de velocidad al WAF de Azure Application Gateway. La limitación de velocidad bloquea a los clientes que envían accidental o intencionadamente grandes cantidades de tráfico en un corto período de tiempo.", + "waf": "Seguridad" }, { - "checklist": "Cost Optimization Checklist", - "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Synapse", - "text": "Cree varias definiciones de grupo de Apache Spark de varios tamaños.", - "waf": "Costar" + "checklist": "Azure Application Delivery Networking", + "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", + "service": "App Gateway", + "severity": "Medio", + "text": "Use un umbral alto para los límites de frecuencia de WAF de Azure Application Gateway. Los umbrales de límite de velocidad altos evitan el bloqueo del tráfico legítimo, a la vez que proporcionan protección contra un número extremadamente alto de solicitudes que podrían sobrecargar su infraestructura. 
", + "waf": "Seguridad" }, { - "checklist": "Cost Optimization Checklist", - "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", - "service": "Synapse", - "text": "Compre unidades de confirmación (SCU) de Azure Synapse durante un año con un plan de compra anticipada para ahorrar en los costos de Azure Synapse Analytics.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Costar" + "checklist": "Azure Application Delivery Networking", + "guid": "99937189-ff78-492a-b9ca-18d828d82b37", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", + "service": "App Gateway", + "severity": "Bajo", + "text": "Si no espera tráfico de todas las regiones geográficas, utilice filtros geográficos para bloquear el tráfico de países no esperados.", + "waf": "Seguridad" }, { - "checklist": "Cost Optimization Checklist", - "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "VM", - "text": "Uso de máquinas virtuales de acceso puntual para trabajos interrumpibles: se trata de máquinas virtuales por las que se puede pujar y comprar a un precio reducido, lo que proporciona una solución rentable para cargas de trabajo no críticas.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Costar" + "checklist": "Azure Application Delivery Networking", + "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", + "service": "App Gateway", + "severity": "Medio", + "text": "Especifique la ubicación desconocida (ZZ) al filtrar geográficamente el tráfico con el WAF de Azure Application Gateway. 
Evite bloquear accidentalmente solicitudes legítimas cuando las direcciones IP no puedan coincidir geográficamente.", + "waf": "Seguridad" }, { - "checklist": "Cost Optimization Checklist", - "guid": "544451e1-92d3-4442-a3c7-628637a551c5", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", - "text": "Ajustar el tamaño de todas las máquinas virtuales", - "waf": "Costar" + "checklist": "Azure Application Delivery Networking", + "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", + "service": "App Gateway", + "severity": "Medio", + "text": "Use la versión más reciente del conjunto de reglas de WAF de Azure Application Gateway. Las actualizaciones del conjunto de reglas se actualizan periódicamente para tener en cuenta el panorama actual de amenazas.", + "waf": "Seguridad" }, { - "checklist": "Cost Optimization Checklist", - "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "VM", - "text": "Intercambiar el tamaño de la máquina virtual con los tamaños normalizados y más recientes", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Costar" + "checklist": "Azure Application Delivery Networking", + "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "App Gateway", + "severity": "Medio", + "text": "Agregue la configuración de diagnóstico para guardar los registros de WAF de Azure Application Gateway.", + "waf": "Operaciones" }, { - "checklist": "Cost Optimization Checklist", - "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", - "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "Ajustar el tamaño de las máquinas virtuales: comience con la supervisión del uso por debajo del 5 % y, a continuación, trabaje hasta el 40 %", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Costar" + "checklist": "Azure Application Delivery Networking", + "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "Front Door", + "severity": "Medio", + "text": "Agregue la configuración de diagnóstico para guardar los registros de WAF de Azure Front Door.", + "waf": "Operaciones" }, { - "checklist": "Cost Optimization Checklist", - "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "La inclusión de una aplicación en contenedores puede mejorar la densidad de la máquina virtual y ahorrar dinero en su escalado", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Costar" + "checklist": "Azure Application Delivery Networking", + "guid": "92664c60-47e3-4591-8b1b-8d557656e686", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", + "service": "App Gateway", + "severity": "Medio", + "text": "Envíe registros de WAF de Azure Application Gateway a Microsoft Sentinel.", + "waf": "Operaciones" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", - "service": "AVS", - "severity": "Alto", - "text": "Asegúrese de que los controladores de dominio ADDS se implementan en la suscripción de identidad en Azure nativo", - "waf": "Seguridad" + "checklist": "Azure Application Delivery Networking", + 
"guid": "845f5f91-9c21-4674-a725-5ce890850e20", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "Front Door", + "severity": "Medio", + "text": "Envíe registros de WAF de Azure Front Door a Microsoft Sentinel.", + "waf": "Operaciones" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "75089c20-990d-4927-b105-885576f76fc2", - "service": "AVS", + "checklist": "Azure Application Delivery Networking", + "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", + "service": "App Gateway", "severity": "Medio", - "text": "Asegúrese de que los sitios y servicios de ADDS están configurados para mantener las solicitudes de autenticación de los recursos basados en Azure (incluida Azure VMware Solution) locales en Azure", - "waf": "Seguridad" + "text": "Defina la configuración de WAF de Azure Application Gateway como código. 
Mediante el uso de código, puede adoptar más fácilmente una nueva versión del conjunto de reglas y obtener protección adicional.", + "waf": "Operaciones" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", - "service": "AVS", - "severity": "Alto", - "text": "Asegúrese de que vCenter esté conectado a ADDS para habilitar la autenticación basada en \"cuentas de usuario designadas\"", - "waf": "Seguridad" + "checklist": "Azure Application Delivery Networking", + "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", + "service": "App Gateway", + "severity": "Medio", + "text": "Utilice directivas de WAF en lugar de la configuración de WAF heredada.", + "waf": "Operaciones" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", - "service": "AVS", + "checklist": "Azure Application Delivery Networking", + "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", + "service": "App Gateway", "severity": "Medio", - "text": "Asegúrese de que la conexión de vCenter a ADDS utilice un protocolo seguro (LDAPS)", + "text": "Filtre el tráfico entrante en los back-end para que solo acepten conexiones de la subred de Application Gateway, por ejemplo, con grupos de seguridad de red.", "waf": "Seguridad" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", - "service": "AVS", + "checklist": "Azure Application Delivery Networking", + "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", + "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", + "service": "Front Door", "severity": "Medio", - "text": "La cuenta de CloudAdmin en vCenter IdP solo se utiliza como una cuenta de emergencia (break-glass)", + "text": "Asegúrese de 
que los orígenes solo toman tráfico de la instancia de Azure Front Door.", "waf": "Seguridad" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", - "service": "AVS", + "checklist": "Azure Application Delivery Networking", + "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", + "service": "App Gateway", "severity": "Alto", - "text": "Asegúrese de que NSX-Manager esté integrado con un proveedor de identidades externo (LDAPS)", + "text": "Debe cifrar el tráfico a los servidores backend.", "waf": "Seguridad" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", - "service": "AVS", - "severity": "Medio", - "text": "¿Se ha creado un modelo RBAC para su uso en VMware vSphere?", + "checklist": "Azure Application Delivery Networking", + "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", + "service": "App Gateway", + "severity": "Alto", + "text": "Debe utilizar un firewall de aplicaciones web.", "waf": "Seguridad" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", - "service": "AVS", + "checklist": "Azure Application Delivery Networking", + "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", + "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", + "service": "App Gateway", "severity": "Medio", - "text": "Los permisos RBAC deben concederse a grupos ADDS y no a usuarios específicos", - "waf": "Seguridad" - }, - { - "checklist": "Azure VMware Solution Design Review", - "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", - "service": "AVS", - "severity": "Alto", - "text": "Los permisos de RBAC en el recurso de Azure VMware Solution en Azure están \"bloqueados\" solo para un conjunto limitado de propietarios", + "text": "Redirigir HTTP a 
HTTPS", "waf": "Seguridad" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", + "checklist": "Azure Application Delivery Networking", + "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", + "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", + "service": "App Gateway", + "severity": "Medio", + "text": "Utilice cookies administradas por puerta de enlace para dirigir el tráfico de una sesión de usuario al mismo servidor para su procesamiento", + "waf": "Operaciones" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", + "service": "App Gateway", + "severity": "Alto", + "text": "Habilite el drenaje de conexiones durante las actualizaciones de servicio planificadas para evitar la pérdida de conexión a los miembros existentes del grupo de back-end", + "waf": "Seguridad" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", + "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", + "service": "App Gateway", + "severity": "Bajo", + "text": "Crear páginas de error personalizadas para mostrar una experiencia de usuario personalizada", + "waf": "Operaciones" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", + "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", + "service": "App Gateway", + "severity": "Medio", + "text": "Edite las solicitudes HTTP y los encabezados de respuesta para facilitar el enrutamiento y el intercambio de información entre el cliente y el servidor", + "waf": "Seguridad" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", + 
"link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "App Gateway", + "severity": "Medio", + "text": "Configure Front Door para optimizar el enrutamiento del tráfico web global y el rendimiento del usuario final de primer nivel, así como la confiabilidad a través de una rápida conmutación por error global", + "waf": "Rendimiento" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "29dcc19f-a8fa-4c35-8281-290577538793", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "App Gateway", + "severity": "Medio", + "text": "Usar el equilibrio de carga de la capa de transporte", + "waf": "Rendimiento" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", + "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", + "service": "App Gateway", + "severity": "Medio", + "text": "Configure el enrutamiento basado en el host o el nombre de dominio para varias aplicaciones web en una sola puerta de enlace", + "waf": "Seguridad" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", + "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", + "service": "App Gateway", + "severity": "Medio", + "text": "Centralice la administración de certificados SSL para reducir la sobrecarga de cifrado y descifrado de una granja de servidores back-end", + "waf": "Seguridad" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", + "service": "App Gateway", + "severity": "Bajo", + "text": "Uso de Application Gateway para obtener compatibilidad nativa con los protocolos WebSocket y HTTP/2", + "waf": "Seguridad" + }, + { + "checklist": "Azure VMware Solution Design 
Review", + "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", + "service": "AVS", + "severity": "Alto", + "text": "Asegúrese de que los controladores de dominio ADDS se implementan en la suscripción de identidad en Azure nativo", + "waf": "Seguridad" + }, + { + "checklist": "Azure VMware Solution Design Review", + "guid": "75089c20-990d-4927-b105-885576f76fc2", + "service": "AVS", + "severity": "Medio", + "text": "Asegúrese de que los sitios y servicios de ADDS están configurados para mantener las solicitudes de autenticación de los recursos basados en Azure (incluida Azure VMware Solution) locales en Azure", + "waf": "Seguridad" + }, + { + "checklist": "Azure VMware Solution Design Review", + "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", + "service": "AVS", + "severity": "Alto", + "text": "Asegúrese de que vCenter esté conectado a ADDS para habilitar la autenticación basada en \"cuentas de usuario designadas\"", + "waf": "Seguridad" + }, + { + "checklist": "Azure VMware Solution Design Review", + "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", + "service": "AVS", + "severity": "Medio", + "text": "Asegúrese de que la conexión de vCenter a ADDS utilice un protocolo seguro (LDAPS)", + "waf": "Seguridad" + }, + { + "checklist": "Azure VMware Solution Design Review", + "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", + "service": "AVS", + "severity": "Medio", + "text": "La cuenta de CloudAdmin en vCenter IdP solo se utiliza como una cuenta de emergencia (break-glass)", + "waf": "Seguridad" + }, + { + "checklist": "Azure VMware Solution Design Review", + "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", + "service": "AVS", + "severity": "Alto", + "text": "Asegúrese de que NSX-Manager esté integrado con un proveedor de identidades externo (LDAPS)", + "waf": "Seguridad" + }, + { + "checklist": "Azure VMware Solution Design Review", + "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", + "service": "AVS", + "severity": "Medio", + "text": "¿Se ha creado un modelo RBAC para su uso 
en VMware vSphere?", + "waf": "Seguridad" + }, + { + "checklist": "Azure VMware Solution Design Review", + "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", + "service": "AVS", + "severity": "Medio", + "text": "Los permisos RBAC deben concederse a grupos ADDS y no a usuarios específicos", + "waf": "Seguridad" + }, + { + "checklist": "Azure VMware Solution Design Review", + "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", + "service": "AVS", + "severity": "Alto", + "text": "Los permisos de RBAC en el recurso de Azure VMware Solution en Azure están \"bloqueados\" solo para un conjunto limitado de propietarios", + "waf": "Seguridad" + }, + { + "checklist": "Azure VMware Solution Design Review", + "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", "service": "AVS", "severity": "Alto", "text": "Asegúrese de que todos los roles personalizados tengan el ámbito de las autorizaciones permitidas de CloudAdmin", 
@@ -1319,729 +1534,420 @@ "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", - "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", - "service": "App Services", - "severity": "Bajo", - "text": "Consulte la arquitectura de aplicación web de redundancia de zona de alta disponibilidad de línea de base para conocer los procedimientos recomendados", + "checklist": "Azure Spring Apps Review", + "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", + "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", + "service": "Spring Apps", + "severity": "Medio", + "text": "Azure Spring Apps permite dos implementaciones para cada aplicación, de las cuales solo una recibe tráfico de producción. Puede lograr cero tiempo de inactividad con estrategias de implementación azul verde. La implementación azul verde solo está disponible en los niveles Estándar y Enterprise. Puede automatizar la implementación mediante CI/CD con acciones de ADO/GitHub", "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", - "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", - "service": "App Services", + "checklist": "Azure Spring Apps Review", + "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", + "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", + "service": "Spring Apps", "severity": "Medio", - "text": "Utilice los niveles Premium y Estándar. 
Estos niveles admiten ranuras de ensayo y copias de seguridad automatizadas.", + "text": "Las instancias de Azure Spring Apps se pueden crear en varias regiones para las aplicaciones y el tráfico se puede enrutar mediante Traffic Manager o Front Door.", "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", - "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", - "service": "App Services", - "severity": "Alto", - "text": "Aproveche las zonas de disponibilidad cuando corresponda regionalmente (requiere el nivel Premium v2 o v3)", + "checklist": "Azure Spring Apps Review", + "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", + "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", + "service": "Spring Apps", + "severity": "Medio", + "text": "En la región admitida, Azure Spring Apps se puede implementar como zona redundante, lo que significa que las instancias se distribuyen automáticamente entre las zonas de disponibilidad. 
Esta función solo está disponible en los niveles Standard y Enterprise.", "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "checklist": "Azure Spring Apps Review", + "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", + "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", + "service": "Spring Apps", "severity": "Medio", - "text": "Implementación de comprobaciones de estado", + "text": "Usar más de 1 instancia de aplicación para las aplicaciones", "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", - "service": "App Services", - "severity": "Alto", - "text": "Consulte los procedimientos recomendados de copia de seguridad y restauración para Azure App Service", + "checklist": "Azure Spring Apps Review", + "guid": "7504c230-6035-4183-95a5-85762acc6075", + "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", + "service": "Spring Apps", + "severity": "Medio", + "text": "Supervise Azure Spring Apps con registros, métricas y seguimiento. 
Integre ASA con la información de las aplicaciones, realice un seguimiento de los errores y cree libros de trabajo.", "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", - "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", - "service": "App Services", - "severity": "Alto", - "text": "Implementación de los procedimientos recomendados de confiabilidad de Azure App Service", + "checklist": "Azure Spring Apps Review", + "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", + "service": "Spring Apps", + "severity": "Medio", + "text": "Configuración del escalado automático en Spring Cloud Gateway", "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", - "service": "App Services", + "checklist": "Azure Spring Apps Review", + "guid": "97411607-b6fd-4335-99d1-9885faf4e392", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", + "service": "Spring Apps", "severity": "Bajo", - "text": "Familiarizarse con cómo mover una aplicación de App Service a otra región durante un desastre", - "waf": "Fiabilidad" - }, - { - "checklist": "Azure App Service Review", - "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", - "service": "App Services", - "severity": "Alto", - "text": "Familiarizarse con la compatibilidad con la confiabilidad en Azure App Service", + "text": "Habilite el escalado automático para las aplicaciones con el consumo estándar y el plan dedicado.", "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "guid": 
"c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "App Services", + "checklist": "Azure Spring Apps Review", + "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", + "link": "https://learn.microsoft.com/azure/spring-apps/overview", + "service": "Spring Apps", "severity": "Medio", - "text": "Asegúrese de que \"Siempre activado\" está habilitado para las aplicaciones de funciones que se ejecutan en un plan de App Service", + "text": "Use el plan Enterprise para obtener soporte comercial de Spring Boot para aplicaciones de misión crítica. Con otros niveles, obtienes soporte OSS.", "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", + "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", + "service": "SAP", "severity": "Medio", - "text": "Supervisión de instancias de App Service mediante comprobaciones de estado", - "waf": "Fiabilidad" + "text": "Azure Center for SAP Solutions (ACSS) es una oferta de Azure que convierte a SAP en una carga de trabajo de nivel superior en Azure. ACSS es una solución integral que permite crear y ejecutar sistemas SAP como una carga de trabajo unificada en Azure y proporciona una base más fluida para la innovación. 
Puede aprovechar las funcionalidades de administración de los sistemas SAP nuevos y existentes basados en Azure.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", + "waf": "Operaciones" }, { - "checklist": "Azure App Service Review", - "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", + "service": "SAP", "severity": "Medio", - "text": "Supervisión de la disponibilidad y la capacidad de respuesta de la aplicación web o el sitio web mediante pruebas de disponibilidad de Application Insights", + "text": "Azure admite la automatización de implementaciones de SAP en Linux y Windows. SAP Deployment Automation Framework es una herramienta de orquestación de código abierto que puede implementar, instalar y mantener entornos SAP.", + "training": "https://github.com/Azure/sap-automation", + "waf": "Operaciones" + }, + { + "checklist": "SAP Checklist", + "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", + "service": "SAP", + "severity": "Medio", + "text": "Realice una recuperación a un momento dado de sus bases de datos de producción en cualquier momento y en un período de tiempo que cumpla con su RTO; La recuperación a un momento dado suele incluir errores del operador al eliminar datos en la capa DBMS o a través de SAP, por cierto", "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", - "service": "App Services", - "severity": 
"Bajo", - "text": "Uso de la prueba estándar de Application Insights para supervisar la disponibilidad y la capacidad de respuesta de la aplicación web o el sitio web", + "checklist": "SAP Checklist", + "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", + "service": "SAP", + "severity": "Medio", + "text": "Pruebe los tiempos de copia de seguridad y recuperación para verificar que cumplen con los requisitos de RTO para restaurar todos los sistemas simultáneamente después de un desastre.", "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "description": "Use Azure Key Vault para almacenar los secretos que necesita la aplicación. Key Vault proporciona un entorno seguro y auditado para almacenar secretos y está bien integrado con App Service a través del SDK de Key Vault o las referencias de Key Vault de App Service.", - "guid": "834ac932-223e-4ce8-8b12-3071a5416415", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "b651423c-8552-42db-a545-5cb50c05527a", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "SAP", "severity": "Alto", - "text": "Uso de Key Vault para almacenar secretos", - "waf": "Seguridad" + "text": "Puede replicar el almacenamiento estándar entre regiones emparejadas, pero no puede usar el almacenamiento estándar para almacenar las bases de datos o los discos duros virtuales. Las copias de seguridad solo se pueden replicar entre las regiones emparejadas que utilice. Para todos los demás datos, ejecute la replicación mediante características nativas de DBMS, como SQL Server Always On o SAP HANA System Replication. 
Use una combinación de Site Recovery, rsync o robocopy y otro software de terceros para la capa de aplicación de SAP.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "description": "Use una identidad administrada para conectarse a Key Vault mediante el SDK de Key Vault o a través de las referencias de Key Vault de App Service.", - "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", - "severity": "Alto", - "text": "Uso de la identidad administrada para conectarse a Key Vault", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", + "severity": "Medio", + "text": "Al usar Azure Availability Zones para lograr una alta disponibilidad, debe tener en cuenta la latencia entre los servidores de aplicaciones SAP y los servidores de bases de datos. 
En el caso de las zonas con latencias altas, es necesario implementar procedimientos operativos para garantizar que los servidores de aplicaciones SAP y los servidores de bases de datos se ejecuten en la misma zona en todo momento.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "description": "Almacene el certificado TLS de App Service en Key Vault.", - "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "SAP", "severity": "Alto", - "text": "Use Key Vault para almacenar el certificado TLS.", - "waf": "Seguridad" + "text": "Configure conexiones de ExpressRoute desde el entorno local a las regiones de recuperación ante desastres de Azure principal y secundaria. Además, como alternativa al uso de ExpressRoute, considere la posibilidad de configurar conexiones VPN desde el entorno local a las regiones de recuperación ante desastres de Azure principal y secundaria.", + "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", + "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "description": "Los sistemas que procesan información confidencial deben estar aislados. 
Para ello, use planes del Servicio de aplicaciones o entornos del Servicio de aplicaciones independientes y considere la posibilidad de usar suscripciones o grupos de administración diferentes.", - "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", - "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", - "service": "App Services", - "severity": "Medio", - "text": "Aísle los sistemas que procesan información confidencial", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "SAP", + "severity": "Bajo", + "text": "Replique el contenido del almacén de claves, como certificados, secretos o claves, en todas las regiones para poder descifrar los datos de la región de recuperación ante desastres.", + "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "description": "Los discos locales de App Service no están cifrados y los datos confidenciales no deben almacenarse en ellos. (Por ejemplo: D:\\\\Local y %TMP%).", - "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", + "service": "SAP", "severity": "Medio", - "text": "No almacene datos confidenciales en el disco local", - "waf": "Seguridad" + "text": "Empareje las redes virtuales principal y de recuperación ante desastres. 
Por ejemplo, para la replicación del sistema HANA, una red virtual de base de datos de SAP HANA debe estar emparejada con la red virtual de base de datos de SAP HANA del sitio de recuperación ante desastres.", + "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "description": "En el caso de la aplicación web autenticada, use un proveedor de identidades bien establecido, como Azure AD o Azure AD B2C. Aproveche el marco de aplicaciones de su elección para integrarse con este proveedor o use la característica de autenticación o autorización del Servicio de aplicaciones.", - "guid": "919ca0b2-c121-459e-814b-933df574eccc", - "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", - "service": "App Services", - "severity": "Medio", - "text": "Usar un proveedor de identidades establecido para la autenticación", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", + "service": "SAP", + "severity": "Bajo", + "text": "Si usa el almacenamiento de Azure NetApp Files para las implementaciones de SAP, como mínimo, cree dos cuentas de Azure NetApp Files en el nivel Premium, en dos regiones.", + "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", + "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "description": "Implemente código en App Service desde un entorno controlado y de confianza, como una canalización de implementación de DevOps bien administrada y segura. 
De este modo, se evita el código que no se ha controlado la versión y se ha comprobado que se implementará desde un host malintencionado.", - "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", - "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "severity": "Alto", - "text": "Implementación desde un entorno de confianza", - "waf": "Seguridad" + "text": "Se debe usar la tecnología de replicación de bases de datos nativas para sincronizar la base de datos en un par de alta disponibilidad.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", + "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "description": "Deshabilite la autenticación básica tanto para FTP/FTPS como para WebDeploy/SCM. Esto deshabilita el acceso a estos servicios y exige el uso de puntos de conexión protegidos de Azure AD para la implementación. 
Tenga en cuenta que el sitio de SCM también se puede abrir con credenciales de Azure AD.", - "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", - "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", + "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", + "service": "SAP", "severity": "Alto", - "text": "Deshabilitar la autenticación básica", - "waf": "Seguridad" + "text": "El CIDR de la red virtual (VNet) principal no debe entrar en conflicto ni superponerse con el CIDR de la red virtual del sitio de recuperación ante desastres", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "description": "Siempre que sea posible, use Managed Identity para conectarse a los recursos protegidos de Azure AD. Si esto no es posible, almacene los secretos en Key Vault y conéctese a Key Vault mediante una identidad administrada en su lugar.", - "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", - "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", + "service": "SAP", "severity": "Alto", - "text": "Uso de la identidad administrada para conectarse a los recursos", - "waf": "Seguridad" + "text": "Use Site Recovery para replicar un servidor de aplicaciones en un sitio de recuperación ante desastres. Site Recovery también puede ayudar a replicar máquinas virtuales de clúster de servicios centrales en el sitio de recuperación ante desastres. 
Al invocar la recuperación ante desastres, deberá volver a configurar el clúster de Linux Pacemaker en el sitio de recuperación ante desastres (por ejemplo, reemplazar el VIP o SBD, ejecutar corosync.conf, etc.).", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "description": "Cuando use imágenes almacenadas en Azure Container Registry, extráigalas mediante una identidad administrada.", - "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "severity": "Alto", - "text": "Extracción de contenedores mediante una identidad administrada", - "waf": "Seguridad" - }, - { - "checklist": "Azure App Service Review", - "description": "Al configurar las opciones de diagnóstico de App Service, puede enviar todos los datos de telemetría a Log Analytics como destino central para el registro y la supervisión. Esto le permite supervisar la actividad en tiempo de ejecución de App Service, como los registros HTTP, los registros de aplicaciones, los registros de plataforma, ...", - "guid": "47768314-c115-4775-a2ea-55b46ad48408", - "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", - "service": "App Services", - "severity": "Medio", - "text": "Envío de registros en tiempo de ejecución de App Service a Log Analytics", - "waf": "Seguridad" + "text": "Considere la disponibilidad del software de SAP frente a puntos únicos de fallo. 
Esto incluye puntos únicos de falla dentro de aplicaciones como DBMS utilizados en las arquitecturas SAP NetWeaver y SAP S/4HANA, SAP ABAP y ASCS + SCS. También, otras herramientas como SAP Web Dispatcher.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", + "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "description": "Configure una configuración de diagnóstico para enviar el registro de actividad a Log Analytics como destino central para el registro y la supervisión. Esto le permite supervisar la actividad del plano de control en el propio recurso de App Service.", - "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", - "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", - "service": "App Services", - "severity": "Medio", - "text": "Envío de registros de actividad de App Service a Log Analytics", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "service": "SAP", + "severity": "Alto", + "text": "En el caso de SAP y bases de datos de SAP, considere la posibilidad de implementar clústeres de conmutación por error automática. En Windows, los clústeres de conmutación por error de Windows Server admiten la conmutación por error. En Linux, Linux Pacemaker o herramientas de terceros como SIOS Protection Suite y Veritas InfoScale admiten la conmutación por error.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "description": "Controle el acceso saliente a la red mediante una combinación de integración de red virtual regional, grupos de seguridad de red y UDR. 
El tráfico debe enrutarse a una aplicación virtual de red, como Azure Firewall. Asegúrese de supervisar los registros del cortafuegos.", - "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", - "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", - "service": "App Services", - "severity": "Medio", - "text": "El acceso a la red saliente debe controlarse", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", + "severity": "Alto", + "text": "Azure no admite arquitecturas en las que las máquinas virtuales principal y secundaria compartan el almacenamiento de los datos de DBMS. Para la capa DBMS, el patrón de arquitectura común es replicar bases de datos al mismo tiempo y con pilas de almacenamiento diferentes a las que usan las máquinas virtuales principal y secundaria.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", + "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "description": "Puede proporcionar una dirección IP de salida estable mediante la integración de red virtual y una puerta de enlace NAT de red virtual o una aplicación virtual de red como Azure Firewall. Esto permite a la parte receptora incluir en la lista de permitidos en función de la IP, en caso de que sea necesario. Tenga en cuenta que para las comunicaciones con los servicios de Azure, a menudo no es necesario depender de la dirección IP y, en su lugar, se deben usar mecanismos como los puntos de conexión de servicio. 
(Además, el uso de puntos de conexión privados en el extremo receptor evita que se produzca SNAT y proporciona un intervalo de IP de salida estable).", - "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", - "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", - "service": "App Services", - "severity": "Bajo", - "text": "Garantizar una IP estable para las comunicaciones salientes hacia las direcciones de Internet", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", + "service": "SAP", + "severity": "Alto", + "text": "Los datos de DBMS y los archivos de registro de transacciones y puesta al día se almacenan en el almacenamiento en bloque compatible con Azure o en Azure NetApp Files. Azure Files o Azure Premium Files no se admiten como almacenamiento para datos de DBMS o archivos de registro de puesta al día con la carga de trabajo de SAP.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", + "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "description": "Controle el acceso entrante a la red mediante una combinación de restricciones de acceso al Servicio de aplicaciones, puntos de conexión de servicio o puntos de conexión privados. 
Se pueden requerir y configurar diferentes restricciones de acceso para la propia aplicación web y el sitio de SCM.", - "guid": "0725769e-e669-41a4-a34a-c932223ece80", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "service": "SAP", "severity": "Alto", - "text": "El acceso a la red entrante debe controlarse", - "waf": "Seguridad" + "text": "Puede usar discos compartidos de Azure en Windows para componentes ASCS + SCS y escenarios específicos de alta disponibilidad. Configure los clústeres de conmutación por error por separado para los componentes de la capa de aplicación de SAP y la capa de DBMS. Actualmente, Azure no admite arquitecturas de alta disponibilidad que combinen componentes de la capa de aplicación de SAP y la capa de DBMS en un clúster de conmutación por error.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "description": "Protéjase contra el tráfico entrante malintencionado mediante un firewall de aplicaciones web como Application Gateway o Azure Front Door. Asegúrese de supervisar los registros del WAF.", - "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", - "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", - "service": "App Services", - "severity": "Alto", - "text": "Uso de un WAF delante de App Service", - "waf": "Seguridad" - }, - { - "checklist": "Azure App Service Review", - "description": "Asegúrese de que no se pueda omitir el WAF bloqueando el acceso solo al WAF. 
Use una combinación de restricciones de acceso, puntos de conexión de servicio y puntos de conexión privados.", - "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", - "severity": "Alto", - "text": "Evite que se omita WAF", - "waf": "Seguridad" - }, - { - "checklist": "Azure App Service Review", - "description": "Establezca la directiva TLS mínima en 1.2 en la configuración de App Service.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", - "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", - "service": "App Services", - "severity": "Medio", - "text": "Establezca la directiva TLS mínima en 1.2", - "waf": "Seguridad" - }, - { - "checklist": "Azure App Service Review", - "description": "Configure App Service para que use solo HTTPS. Esto hace que App Service se redirija de HTTP a HTTPS. Considere seriamente el uso de HTTP Strict Transport Security (HSTS) en su código o desde su WAF, que informa a los navegadores que solo se debe acceder al sitio mediante HTTPS.", - "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", - "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", - "service": "App Services", - "severity": "Alto", - "text": "Usar solo HTTPS", - "waf": "Seguridad" - }, - { - "checklist": "Azure App Service Review", - "description": "No utilice caracteres comodín en la configuración de CORS, ya que esto permite que todos los orígenes accedan al servicio (lo que anula el propósito de CORS). 
En concreto, solo permite los orígenes que esperas poder acceder al servicio.", - "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", - "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", + "service": "SAP", "severity": "Alto", - "text": "Los comodines no deben usarse para CORS", - "waf": "Seguridad" + "text": "La mayoría de los clústeres de conmutación por error para los componentes de la capa de aplicación (ASCS) de SAP y la capa de DBMS requieren una dirección IP virtual para un clúster de conmutación por error. Azure Load Balancer debe controlar la dirección IP virtual para todos los demás casos. Un principio de diseño es usar un equilibrador de carga por configuración de clúster. Te recomendamos que utilices la versión estándar del equilibrador de carga (SKU de equilibrador de carga estándar).", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "description": "La depuración remota no debe estar activada en producción, ya que esto abre puertos adicionales en el servicio, lo que aumenta la superficie expuesta a ataques. 
Tenga en cuenta que el servicio desactiva la depuración remota automáticamente después de 48 horas.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", - "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", - "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", + "service": "SAP", "severity": "Alto", - "text": "Desactivar la depuración remota", - "waf": "Seguridad" - }, - { - "checklist": "Azure App Service Review", - "description": "Habilite Defender para App Service. Esto (entre otras amenazas) detecta comunicaciones a direcciones IP maliciosas conocidas. Revise las recomendaciones de Defender para App Service como parte de las operaciones.", - "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", - "service": "App Services", - "severity": "Medio", - "text": "Habilitación de Defender for Cloud: Defender for App Service", - "waf": "Seguridad" - }, - { - "checklist": "Azure App Service Review", - "description": "Azure proporciona protección básica contra DDoS en su red, que se puede mejorar con funcionalidades inteligentes de DDoS Standard que aprenden sobre los patrones de tráfico normales y pueden detectar comportamientos inusuales. 
DDoS Standard se aplica a una red virtual, por lo que debe configurarse para el recurso de red delante de la aplicación, como Application Gateway o una aplicación virtual de red.", - "guid": "223ece80-b123-4071-a541-6415833ea3ad", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "App Services", - "severity": "Medio", - "text": "Habilitación del estándar de protección DDoS en la red virtual de WAF", - "waf": "Seguridad" - }, - { - "checklist": "Azure App Service Review", - "description": "Cuando use imágenes almacenadas en Azure Container Registry, extráigalas a través de una red virtual desde Azure Container Registry mediante su punto de conexión privado y la configuración de la aplicación \"WEBSITE_PULL_IMAGE_OVER_VNET\".", - "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", - "service": "App Services", - "severity": "Medio", - "text": "Extracción de contenedores a través de una red virtual", - "waf": "Seguridad" - }, - { - "checklist": "Azure App Service Review", - "description": "Realice una prueba de penetración en la aplicación web siguiendo las reglas de participación de las pruebas de penetración.", - "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", - "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", - "service": "App Services", - "severity": "Medio", - "text": "Realizar una prueba de penetración", - "waf": "Seguridad" - }, - { - "checklist": "Azure App Service Review", - "description": "Implemente código de confianza que se haya validado y analizado en busca de vulnerabilidades de acuerdo con las prácticas de DevSecOps.", - "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", - "service": "App Services", - "severity": "Medio", - "text": "Implementación 
de código validado", - "waf": "Seguridad" + "text": "Asegúrese de que la IP flotante esté habilitada en el equilibrador de carga", + "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "waf": "Fiabilidad" }, { - "checklist": "Azure App Service Review", - "description": "Utilice las versiones más recientes de plataformas, lenguajes de programación, protocolos y marcos compatibles.", - "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", - "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "SAP", "severity": "Alto", - "text": "Utilizar plataformas, lenguajes, protocolos y marcos actualizados", - "waf": "Seguridad" + "text": "Antes de implementar la infraestructura de alta disponibilidad, y en función de la región que elija, determine si desea realizar la implementación con un conjunto de disponibilidad de Azure o una zona de disponibilidad.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Fiabilidad" }, { "checklist": "SAP Checklist", - "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", - "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", "service": "SAP", - "severity": "Medio", - "text": "Azure Center for SAP Solutions (ACSS) es una oferta de Azure que convierte a SAP en una carga de trabajo de nivel superior en Azure. ACSS es una solución integral que permite crear y ejecutar sistemas SAP como una carga de trabajo unificada en Azure y proporciona una base más fluida para la innovación. 
Puede aprovechar las funcionalidades de administración de los sistemas SAP nuevos y existentes basados en Azure.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", - "waf": "Operaciones" + "severity": "Alto", + "text": "Si desea cumplir los acuerdos de nivel de servicio de infraestructura para las aplicaciones de los componentes de SAP (servicios centrales, servidores de aplicaciones y bases de datos), debe elegir las mismas opciones de alta disponibilidad (máquinas virtuales, conjuntos de disponibilidad, zonas de disponibilidad) para todos los componentes.", + "waf": "Fiabilidad" }, { "checklist": "SAP Checklist", - "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", "service": "SAP", - "severity": "Medio", - "text": "Azure admite la automatización de implementaciones de SAP en Linux y Windows. SAP Deployment Automation Framework es una herramienta de orquestación de código abierto que puede implementar, instalar y mantener entornos SAP.", - "training": "https://github.com/Azure/sap-automation", - "waf": "Operaciones" + "severity": "Alto", + "text": "No mezcle servidores de diferentes roles en el mismo conjunto de disponibilidad. 
Mantenga las máquinas virtuales de servicios centrales, las máquinas virtuales de base de datos y las máquinas virtuales de aplicaciones en sus propios conjuntos de disponibilidad", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Fiabilidad" }, { "checklist": "SAP Checklist", - "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", "service": "SAP", "severity": "Medio", - "text": "Realice una recuperación a un momento dado de sus bases de datos de producción en cualquier momento y en un período de tiempo que cumpla con su RTO; La recuperación a un momento dado suele incluir errores del operador al eliminar datos en la capa DBMS o a través de SAP, por cierto", + "text": "No se pueden implementar conjuntos de disponibilidad de Azure dentro de una zona de disponibilidad de Azure a menos que se usen grupos de selección de ubicación de proximidad.", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", "waf": "Fiabilidad" }, { "checklist": "SAP Checklist", - "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", + "guid": "9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", "service": "SAP", - "severity": "Medio", - "text": "Pruebe los tiempos de copia de seguridad y recuperación para verificar que cumplen con los requisitos de RTO para restaurar todos los sistemas simultáneamente después de un desastre.", + "severity": "Alto", + "text": "Al crear conjuntos de disponibilidad, use el número máximo de dominios de error y dominios de actualización disponibles. 
Por ejemplo, si implementa más de dos máquinas virtuales en un conjunto de disponibilidad, use el número máximo de dominios de error (tres) y suficientes dominios de actualización para limitar el efecto de posibles errores de hardware físico, interrupciones de red o interrupciones de energía, además del mantenimiento planeado de Azure. El número predeterminado de dominios de error es dos y no puede cambiarlo en línea más adelante.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", "waf": "Fiabilidad" }, { "checklist": "SAP Checklist", - "guid": "b651423c-8552-42db-a545-5cb50c05527a", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", "service": "SAP", "severity": "Alto", - "text": "Puede replicar el almacenamiento estándar entre regiones emparejadas, pero no puede usar el almacenamiento estándar para almacenar las bases de datos o los discos duros virtuales. Las copias de seguridad solo se pueden replicar entre las regiones emparejadas que utilice. Para todos los demás datos, ejecute la replicación mediante características nativas de DBMS, como SQL Server Always On o SAP HANA System Replication. 
Use una combinación de Site Recovery, rsync o robocopy y otro software de terceros para la capa de aplicación de SAP.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "text": "Cuando se usan grupos de selección con selección de ubicación de proximidad de Azure en una implementación de conjunto de disponibilidad, los tres componentes de SAP (servicios centrales, servidor de aplicaciones y base de datos) deben estar en el mismo grupo con selección de ubicación de proximidad.", "waf": "Fiabilidad" }, { "checklist": "SAP Checklist", - "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", "service": "SAP", - "severity": "Medio", - "text": "Al usar Azure Availability Zones para lograr una alta disponibilidad, debe tener en cuenta la latencia entre los servidores de aplicaciones SAP y los servidores de bases de datos. En el caso de las zonas con latencias altas, es necesario implementar procedimientos operativos para garantizar que los servidores de aplicaciones SAP y los servidores de bases de datos se ejecuten en la misma zona en todo momento.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "severity": "Alto", + "text": "Use un grupo de selección de ubicación de proximidad por SID de SAP. 
Los grupos no abarcan zonas de disponibilidad ni regiones de Azure", "waf": "Fiabilidad" }, { "checklist": "SAP Checklist", - "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", "service": "SAP", "severity": "Alto", - "text": "Configure conexiones de ExpressRoute desde el entorno local a las regiones de recuperación ante desastres de Azure principal y secundaria. Además, como alternativa al uso de ExpressRoute, considere la posibilidad de configurar conexiones VPN desde el entorno local a las regiones de recuperación ante desastres de Azure principal y secundaria.", - "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", + "text": "Utilice uno de los siguientes servicios para ejecutar clústeres de servicios centrales de SAP, en función del sistema operativo.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Fiabilidad" }, { "checklist": "SAP Checklist", - "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "guid": "ed46b937-913e-4018-9c62-8393ab037e53", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", "service": "SAP", - "severity": "Bajo", - "text": "Replique el contenido del almacén de claves, como certificados, secretos o claves, en todas las regiones para poder descifrar los datos de la región de recuperación ante desastres.", + "severity": "Medio", + "text": "Actualmente, Azure no admite la combinación de ASCS y alta disponibilidad de base de datos en el mismo clúster de Linux 
Pacemaker; sepáralos en grupos individuales. Sin embargo, puede combinar hasta cinco clústeres de servicios centrales en un par de máquinas virtuales.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Fiabilidad" }, { "checklist": "SAP Checklist", - "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", + "guid": "f656e745-0cfb-453e-8008-0528fa21c933", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", "service": "SAP", "severity": "Medio", - "text": "Empareje las redes virtuales principal y de recuperación ante desastres. Por ejemplo, para la replicación del sistema HANA, una red virtual de base de datos de SAP HANA debe estar emparejada con la red virtual de base de datos de SAP HANA del sitio de recuperación ante desastres.", + "text": "Implemente ambas máquinas virtuales en el par de alta disponibilidad en un conjunto de disponibilidad o en zonas de disponibilidad. 
Estas máquinas virtuales deben tener el mismo tamaño y la misma configuración de almacenamiento.", "waf": "Fiabilidad" }, { "checklist": "SAP Checklist", - "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", + "guid": "7f684ebc-95da-425e-b329-e782dbed050f", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", "service": "SAP", - "severity": "Bajo", - "text": "Si usa el almacenamiento de Azure NetApp Files para las implementaciones de SAP, como mínimo, cree dos cuentas de Azure NetApp Files en el nivel Premium, en dos regiones.", - "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", + "severity": "Medio", + "text": "Azure admite la instalación y configuración de SAP HANA y las instancias de ASCS/SCS y ERS en el mismo clúster de alta disponibilidad que se ejecuta en Red Hat Enterprise Linux (RHEL).", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Fiabilidad" }, { "checklist": "SAP Checklist", - "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", "service": "SAP", "severity": "Alto", - "text": "Se debe usar la tecnología de replicación de bases de datos nativas para sincronizar la base de datos en un par de alta disponibilidad.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", + "text": "Ejecute todos los sistemas de producción en SSD administradas Premium y use Azure NetApp Files o Ultra Disk Storage. 
Al menos el disco del sistema operativo debe estar en el nivel Premium para que pueda lograr un mejor rendimiento y el mejor Acuerdo de Nivel de Servicio.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", "waf": "Fiabilidad" }, { "checklist": "SAP Checklist", - "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", - "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", + "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", "service": "SAP", "severity": "Alto", - "text": "El CIDR de la red virtual (VNet) principal no debe entrar en conflicto ni superponerse con el CIDR de la red virtual del sitio de recuperación ante desastres", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "text": "Debe ejecutar SAP HANA en Azure solo en los tipos de almacenamiento certificados por SAP. Tenga en cuenta que ciertos volúmenes deben ejecutarse en determinadas configuraciones de disco, cuando corresponda. Estas configuraciones incluyen la habilitación del acelerador de escritura y el uso del almacenamiento premium. También debe asegurarse de que el sistema de archivos que se ejecuta en el almacenamiento es compatible con el DBMS que se ejecuta en la máquina.", + "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", "waf": "Fiabilidad" }, { "checklist": "SAP Checklist", - "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", + "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", "service": "SAP", "severity": "Alto", - "text": "Use Site Recovery para replicar un servidor de aplicaciones en un sitio de recuperación ante desastres. 
Site Recovery también puede ayudar a replicar máquinas virtuales de clúster de servicios centrales en el sitio de recuperación ante desastres. Al invocar la recuperación ante desastres, deberá volver a configurar el clúster de Linux Pacemaker en el sitio de recuperación ante desastres (por ejemplo, reemplazar el VIP o SBD, ejecutar corosync.conf, etc.).", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "text": "Considere la posibilidad de configurar la alta disponibilidad en función del tipo de almacenamiento que utilice para las cargas de trabajo de SAP. Algunos servicios de almacenamiento disponibles en Azure no son compatibles con Azure Site Recovery, por lo que la configuración de alta disponibilidad puede diferir.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", "waf": "Fiabilidad" }, { "checklist": "SAP Checklist", - "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", + "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", "service": "SAP", "severity": "Alto", - "text": "Considere la disponibilidad del software de SAP frente a puntos únicos de fallo. Esto incluye puntos únicos de falla dentro de aplicaciones como DBMS utilizados en las arquitecturas SAP NetWeaver y SAP S/4HANA, SAP ABAP y ASCS + SCS. 
También, otras herramientas como SAP Web Dispatcher.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", + "text": "Es posible que los diferentes servicios de almacenamiento nativos de Azure (como Azure Files, Azure NetApp Files, Azure Shared Disk) no estén disponibles en todas las regiones. Por lo tanto, para tener una configuración de SAP similar en la región de recuperación ante desastres después de la conmutación por error, asegúrese de que el servicio de almacenamiento correspondiente se ofrece en el sitio de recuperación ante desastres.", "waf": "Fiabilidad" }, { "checklist": "SAP Checklist", - "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", - "service": "SAP", - "severity": "Alto", - "text": "En el caso de SAP y bases de datos de SAP, considere la posibilidad de implementar clústeres de conmutación por error automática. En Windows, los clústeres de conmutación por error de Windows Server admiten la conmutación por error. En Linux, Linux Pacemaker o herramientas de terceros como SIOS Protection Suite y Veritas InfoScale admiten la conmutación por error.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Fiabilidad" - }, - { - "checklist": "SAP Checklist", - "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", - "severity": "Alto", - "text": "Azure no admite arquitecturas en las que las máquinas virtuales principal y secundaria compartan el almacenamiento de los datos de DBMS. 
Para la capa DBMS, el patrón de arquitectura común es replicar bases de datos al mismo tiempo y con pilas de almacenamiento diferentes a las que usan las máquinas virtuales principal y secundaria.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", - "waf": "Fiabilidad" - }, - { - "checklist": "SAP Checklist", - "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", - "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", - "service": "SAP", - "severity": "Alto", - "text": "Los datos de DBMS y los archivos de registro de transacciones y puesta al día se almacenan en el almacenamiento en bloque compatible con Azure o en Azure NetApp Files. Azure Files o Azure Premium Files no se admiten como almacenamiento para datos de DBMS o archivos de registro de puesta al día con la carga de trabajo de SAP.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", - "waf": "Fiabilidad" - }, - { - "checklist": "SAP Checklist", - "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", - "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", - "service": "SAP", - "severity": "Alto", - "text": "Puede usar discos compartidos de Azure en Windows para componentes ASCS + SCS y escenarios específicos de alta disponibilidad. Configure los clústeres de conmutación por error por separado para los componentes de la capa de aplicación de SAP y la capa de DBMS. 
Actualmente, Azure no admite arquitecturas de alta disponibilidad que combinen componentes de la capa de aplicación de SAP y la capa de DBMS en un clúster de conmutación por error.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Fiabilidad" - }, - { - "checklist": "SAP Checklist", - "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", - "service": "SAP", - "severity": "Alto", - "text": "La mayoría de los clústeres de conmutación por error para los componentes de la capa de aplicación (ASCS) de SAP y la capa de DBMS requieren una dirección IP virtual para un clúster de conmutación por error. Azure Load Balancer debe controlar la dirección IP virtual para todos los demás casos. Un principio de diseño es usar un equilibrador de carga por configuración de clúster. Te recomendamos que utilices la versión estándar del equilibrador de carga (SKU de equilibrador de carga estándar).", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", - "waf": "Fiabilidad" - }, - { - "checklist": "SAP Checklist", - "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", - "service": "SAP", - "severity": "Alto", - "text": "Asegúrese de que la IP flotante esté habilitada en el equilibrador de carga", - "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "Fiabilidad" - }, - { - "checklist": "SAP Checklist", - "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "SAP", - "severity": "Alto", - "text": "Antes de implementar la 
infraestructura de alta disponibilidad, y en función de la región que elija, determine si desea realizar la implementación con un conjunto de disponibilidad de Azure o una zona de disponibilidad.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Fiabilidad" - }, - { - "checklist": "SAP Checklist", - "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "SAP", - "severity": "Alto", - "text": "Si desea cumplir los acuerdos de nivel de servicio de infraestructura para las aplicaciones de los componentes de SAP (servicios centrales, servidores de aplicaciones y bases de datos), debe elegir las mismas opciones de alta disponibilidad (máquinas virtuales, conjuntos de disponibilidad, zonas de disponibilidad) para todos los componentes.", - "waf": "Fiabilidad" - }, - { - "checklist": "SAP Checklist", - "guid": "cbe05bbe-209d-4490-ba47-778424d11678", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", - "severity": "Alto", - "text": "No mezcle servidores de diferentes roles en el mismo conjunto de disponibilidad. 
Mantenga las máquinas virtuales de servicios centrales, las máquinas virtuales de base de datos y las máquinas virtuales de aplicaciones en sus propios conjuntos de disponibilidad", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Fiabilidad" - }, - { - "checklist": "SAP Checklist", - "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", - "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", - "service": "SAP", - "severity": "Medio", - "text": "No se pueden implementar conjuntos de disponibilidad de Azure dentro de una zona de disponibilidad de Azure a menos que se usen grupos de selección de ubicación de proximidad.", - "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "waf": "Fiabilidad" - }, - { - "checklist": "SAP Checklist", - "guid": "9674e7c7-7796-4181-8920-09f4429543ba", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", - "severity": "Alto", - "text": "Al crear conjuntos de disponibilidad, use el número máximo de dominios de error y dominios de actualización disponibles. Por ejemplo, si implementa más de dos máquinas virtuales en un conjunto de disponibilidad, use el número máximo de dominios de error (tres) y suficientes dominios de actualización para limitar el efecto de posibles errores de hardware físico, interrupciones de red o interrupciones de energía, además del mantenimiento planeado de Azure. 
El número predeterminado de dominios de error es dos y no puede cambiarlo en línea más adelante.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Fiabilidad" - }, - { - "checklist": "SAP Checklist", - "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", - "severity": "Alto", - "text": "Cuando se usan grupos de selección con selección de ubicación de proximidad de Azure en una implementación de conjunto de disponibilidad, los tres componentes de SAP (servicios centrales, servidor de aplicaciones y base de datos) deben estar en el mismo grupo con selección de ubicación de proximidad.", - "waf": "Fiabilidad" - }, - { - "checklist": "SAP Checklist", - "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", - "severity": "Alto", - "text": "Use un grupo de selección de ubicación de proximidad por SID de SAP. 
Los grupos no abarcan zonas de disponibilidad ni regiones de Azure", - "waf": "Fiabilidad" - }, - { - "checklist": "SAP Checklist", - "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", - "severity": "Alto", - "text": "Utilice uno de los siguientes servicios para ejecutar clústeres de servicios centrales de SAP, en función del sistema operativo.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Fiabilidad" - }, - { - "checklist": "SAP Checklist", - "guid": "ed46b937-913e-4018-9c62-8393ab037e53", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", - "service": "SAP", - "severity": "Medio", - "text": "Actualmente, Azure no admite la combinación de ASCS y alta disponibilidad de base de datos en el mismo clúster de Linux Pacemaker; sepáralos en grupos individuales. Sin embargo, puede combinar hasta cinco clústeres de servicios centrales en un par de máquinas virtuales.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Fiabilidad" - }, - { - "checklist": "SAP Checklist", - "guid": "f656e745-0cfb-453e-8008-0528fa21c933", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", - "severity": "Medio", - "text": "Implemente ambas máquinas virtuales en el par de alta disponibilidad en un conjunto de disponibilidad o en zonas de disponibilidad. 
Estas máquinas virtuales deben tener el mismo tamaño y la misma configuración de almacenamiento.", - "waf": "Fiabilidad" - }, - { - "checklist": "SAP Checklist", - "guid": "7f684ebc-95da-425e-b329-e782dbed050f", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", - "service": "SAP", - "severity": "Medio", - "text": "Azure admite la instalación y configuración de SAP HANA y las instancias de ASCS/SCS y ERS en el mismo clúster de alta disponibilidad que se ejecuta en Red Hat Enterprise Linux (RHEL).", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Fiabilidad" - }, - { - "checklist": "SAP Checklist", - "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", - "severity": "Alto", - "text": "Ejecute todos los sistemas de producción en SSD administradas Premium y use Azure NetApp Files o Ultra Disk Storage. Al menos el disco del sistema operativo debe estar en el nivel Premium para que pueda lograr un mejor rendimiento y el mejor Acuerdo de Nivel de Servicio.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "Fiabilidad" - }, - { - "checklist": "SAP Checklist", - "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", - "service": "SAP", - "severity": "Alto", - "text": "Debe ejecutar SAP HANA en Azure solo en los tipos de almacenamiento certificados por SAP. Tenga en cuenta que ciertos volúmenes deben ejecutarse en determinadas configuraciones de disco, cuando corresponda. Estas configuraciones incluyen la habilitación del acelerador de escritura y el uso del almacenamiento premium. 
También debe asegurarse de que el sistema de archivos que se ejecuta en el almacenamiento es compatible con el DBMS que se ejecuta en la máquina.", - "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", - "waf": "Fiabilidad" - }, - { - "checklist": "SAP Checklist", - "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", - "service": "SAP", - "severity": "Alto", - "text": "Considere la posibilidad de configurar la alta disponibilidad en función del tipo de almacenamiento que utilice para las cargas de trabajo de SAP. Algunos servicios de almacenamiento disponibles en Azure no son compatibles con Azure Site Recovery, por lo que la configuración de alta disponibilidad puede diferir.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", - "waf": "Fiabilidad" - }, - { - "checklist": "SAP Checklist", - "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", - "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", - "service": "SAP", - "severity": "Alto", - "text": "Es posible que los diferentes servicios de almacenamiento nativos de Azure (como Azure Files, Azure NetApp Files, Azure Shared Disk) no estén disponibles en todas las regiones. 
Por lo tanto, para tener una configuración de SAP similar en la región de recuperación ante desastres después de la conmutación por error, asegúrese de que el servicio de almacenamiento correspondiente se ofrece en el sitio de recuperación ante desastres.", - "waf": "Fiabilidad" - }, - { - "checklist": "SAP Checklist", - "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", + "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", "service": "SAP", "severity": "Medio", "text": "Automatice SAP System Start-Stop para gestionar los costes.", 
@@ -3150,3637 +3056,3523 @@ "waf": "Seguridad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", - "service": "Entra", - "severity": "Medio", - "text": "Use un inquilino de Entra para administrar los recursos de Azure, a menos que tenga un requisito normativo o empresarial claro para varios inquilinos.", - "waf": "Operaciones" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Entra", - "severity": "Bajo", - "text": "Asegúrese de que tiene un enfoque de automatización multiinquilino para administrar los inquilinos de Microsoft Entra ID", - "waf": "Operaciones" + "checklist": "Device Provisioning Service Review", + "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", + "service": "IoT Hub DPS", + "severity": "Alto", + "text": "Seleccione el plan de hospedaje de aplicaciones lógicas adecuado en función de los requisitos empresariales y de SLO", + "waf": "Fiabilidad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "Entra", - "severity": "Bajo", - "text": "Aprovechamiento de Azure Lighthouse para la administración multiinquilino", - "waf": "Operaciones" + "checklist": "Device Provisioning Service Review", + "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "IoT Hub DPS", + 
"severity": "Alto", + "text": "Proteja las aplicaciones lógicas de errores de región con redundancia de zona y zonas de disponibilidad", + "waf": "Fiabilidad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Entra", - "severity": "Medio", - "text": "Asegúrese de que el asociado usa Azure Lighthouse para administrar el inquilino", - "waf": "Costar" + "checklist": "Device Provisioning Service Review", + "guid": "8aed4fbf-0830-4883-899d-222a154af478", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "IoT Hub DPS", + "severity": "Alto", + "text": "Considere la posibilidad de una estrategia de recuperación ante desastres entre regiones para cargas de trabajo críticas", + "waf": "Fiabilidad" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "348ef254-c27d-442e-abba-c7571559ab91", - "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", - "service": "Entra", + "checklist": "Device Provisioning Service Review", + "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "IoT Hub DPS", "severity": "Alto", - "text": "Aplique un modelo RBAC que se alinee con su modelo operativo en la nube. 
Ámbito y asignación entre grupos de administración y suscripciones.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Seguridad" + "text": "Si se implementa en un entorno aislado, use o migre a App Service Environment (ASE) v3", + "waf": "Fiabilidad" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", - "service": "Entra", - "severity": "Alto", - "text": "Utilice solo el tipo de autenticación Cuenta profesional o educativa para todos los tipos de cuenta. Evite usar la cuenta de Microsoft", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Seguridad" + "checklist": "Device Provisioning Service Review", + "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "IoT Hub DPS", + "severity": "Medio", + "text": "Aproveche Azure DevOps o GitHub para simplificar la CI/CD y proteger el código de la aplicación lógica", + "waf": "Operaciones" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "Entra", - "severity": "Medio", - "text": "Utilice solo grupos para asignar permisos. 
Agregue grupos locales al grupo solo de ID de Entra si ya existe un sistema de administración de grupos.", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Seguridad" + "checklist": "Logic Apps checklist", + "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", + "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", + "service": "Logic Apps", + "severity": "Alto", + "text": "Seleccione el plan de hospedaje de aplicaciones lógicas adecuado en función de los requisitos empresariales y de SLO", + "waf": "Fiabilidad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", - "service": "Entra", - "severity": "Bajo", - "text": "Aplicación de directivas de acceso condicional de Microsoft Entra ID para cualquier usuario con derechos en entornos de Azure", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Seguridad" + "checklist": "Logic Apps checklist", + "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", + "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "Logic Apps", + "severity": "Alto", + "text": "Proteja las aplicaciones lógicas de errores de región con redundancia de zona y zonas de disponibilidad", + "waf": "Fiabilidad" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", - "service": "Entra", + "checklist": "Logic Apps checklist", + "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", + "link": 
"https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Logic Apps", "severity": "Alto", - "text": "Aplicación de la autenticación multifactor para cualquier usuario con derechos en los entornos de Azure", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Seguridad" + "text": "Considere la posibilidad de una estrategia de recuperación ante desastres entre regiones para cargas de trabajo críticas", + "waf": "Fiabilidad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "14658d35-58fd-4772-99b8-21112df27ee4", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "Entra", - "severity": "Medio", - "text": "Aplique la administración de identidades privilegiadas (PIM) de Microsoft Entra ID para establecer el acceso permanente cero y los privilegios mínimos", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Seguridad" + "checklist": "Logic Apps checklist", + "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", + "link": "https://learn.microsoft.com/azure/app-service/environment/intro", + "service": "Logic Apps", + "severity": "Alto", + "text": "Si se implementa en un entorno aislado, use o migre a App Service Environment (ASE) v3", + "waf": "Fiabilidad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", - "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", - "service": "Entra", + "checklist": "Logic Apps checklist", + "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", + "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", + "service": "Logic Apps", "severity": "Medio", - "text": "Si planea cambiar de servicios de dominio de Active Directory a servicios 
de dominio de Entra, evalúe la compatibilidad de todas las cargas de trabajo", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", - "waf": "Seguridad" + "text": "Aproveche Azure DevOps o GitHub para simplificar la CI/CD y proteger el código de la aplicación lógica", + "waf": "Operaciones" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", - "service": "Entra", + "checklist": "MySQL Review Checklist", + "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", + "service": "Azure MySQL", "severity": "Medio", - "text": "Integre los registros de identificador de Microsoft Entra con Azure Monitor central de la plataforma. Azure Monitor permite una única fuente de información en torno a los datos de registro y supervisión en Azure, lo que ofrece a las organizaciones opciones nativas en la nube para cumplir los requisitos relacionados con la recopilación y retención de registros.", - "waf": "Seguridad" + "text": "Aproveche el servidor flexible", + "waf": "Fiabilidad" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "984a859c-773e-47d2-9162-3a765a917e1f", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", - "service": "Entra", + "checklist": "MySQL Review Checklist", + "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", + "service": "Azure MySQL", "severity": "Alto", - "text": "Implemente un acceso de emergencia o cuentas de emergencia para evitar el bloqueo de cuentas en todo el inquilino", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - 
"waf": "Seguridad" + "text": "Aproveche las zonas de disponibilidad cuando corresponda regionalmente", + "waf": "Fiabilidad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "35037e68-9349-4c15-b371-228514f4cdff", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "Entra", + "checklist": "MySQL Review Checklist", + "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", + "service": "Azure MySQL", "severity": "Medio", - "text": "Evite el uso de cuentas sincronizadas locales para las asignaciones de roles de identificador de Microsoft Entra.", - "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", - "waf": "Seguridad" + "text": "Aproveche la replicación de entrada de datos para escenarios de recuperación ante desastres entre regiones", + "waf": "Fiabilidad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Entra", + "checklist": "Azure Blob Storage Review", + "description": "Aplicación de las instrucciones de la prueba comparativa de seguridad en la nube de Microsoft relacionadas con el almacenamiento", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Azure Storage", "severity": "Medio", - "text": "Cuando sea necesario, use Microsoft Entra ID Application Proxy para proporcionar a los usuarios remotos acceso seguro y autenticado a las aplicaciones internas (hospedadas en la nube o en el entorno local).", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "text": "Tenga en cuenta la \"línea base de seguridad 
de Azure para el almacenamiento\"", "waf": "Seguridad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", - "service": "VNet", + "checklist": "Azure Blob Storage Review", + "description": "De forma predeterminada, Azure Storage tiene una dirección IP pública y es accesible desde Internet. Los puntos de conexión privados permiten exponer de forma segura Azure Storage solo a los recursos de proceso de Azure que necesitan acceso, lo que elimina la exposición a la Internet pública", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Azure Storage", + "severity": "Alto", + "text": "Considere la posibilidad de usar puntos de conexión privados para Azure Storage", + "waf": "Seguridad" + }, + { + "checklist": "Azure Blob Storage Review", + "description": "Las cuentas de almacenamiento recién creadas se crean mediante el modelo de implementación de ARM, de modo que RBAC, auditoría, etc. están habilitados. 
Asegúrese de que no hay cuentas de almacenamiento antiguas con el modelo de implementación clásica en una suscripción", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Azure Storage", "severity": "Medio", - "text": "Aproveche un diseño de red basado en la topología de red radial tradicional para escenarios de red que requieren la máxima flexibilidad.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "text": "Asegúrese de que las cuentas de almacenamiento más antiguas no usan el \"modelo de implementación clásica\"", "waf": "Seguridad" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/expressroute", - "service": "VNet", + "checklist": "Azure Blob Storage Review", + "description": "Aproveche Microsoft Defender para obtener información sobre la actividad sospechosa y los errores de configuración.", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Azure Storage", "severity": "Alto", - "text": "Asegúrese de que los servicios de redes compartidas, incluidas las puertas de enlace de ExpressRoute, las puertas de enlace de VPN y Azure Firewall o las aplicaciones virtuales de red de asociados en la red virtual del centro central. 
Si es necesario, implemente también servidores DNS.", - "waf": "Costar" + "text": "Habilitación de Microsoft Defender para todas las cuentas de almacenamiento", + "waf": "Seguridad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "VNet", + "checklist": "Azure Blob Storage Review", + "description": "El mecanismo de eliminación temporal permite recuperar blobs eliminados accidentalmente.", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Azure Storage", "severity": "Medio", - "text": "Use una red DDoS o planes de protección IP para todas las direcciones IP públicas en las zonas de aterrizaje de la aplicación.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "Habilitación de la \"eliminación temporal\" para blobs", "waf": "Seguridad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", + "checklist": "Azure Blob Storage Review", + "description": "Considere la posibilidad de deshabilitar de forma selectiva la \"eliminación temporal\" para determinados contenedores de blobs, por ejemplo, si la aplicación debe asegurarse de que la información eliminada se elimina inmediatamente, por ejemplo, por motivos de confidencialidad, privacidad o cumplimiento. 
", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", "severity": "Medio", - "text": "Al implementar tecnologías de redes de asociados o aplicaciones virtuales de red, siga las instrucciones del proveedor de asociados", - "waf": "Fiabilidad" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", - "service": "ExpressRoute", - "severity": "Bajo", - "text": "Si necesita el tránsito entre ExpressRoute y las puertas de enlace de VPN en escenarios radiales, use Azure Route Server.", + "text": "Deshabilitación de la \"eliminación temporal\" de blobs", "waf": "Seguridad" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", - "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", - "service": "ARS", - "severity": "Bajo", - "text": "Si utiliza el servidor de rutas, utilice un prefijo /27 para la subred del servidor de rutas.", + "checklist": "Azure Blob Storage Review", + "description": "La eliminación temporal de contenedores permite recuperar un contenedor después de que se haya eliminado, por ejemplo, recuperarse de una operación de eliminación accidental.", + "guid": 
"43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Azure Storage", + "severity": "Alto", + "text": "Habilitación de la \"eliminación temporal\" para los contenedores", "waf": "Seguridad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", - "service": "VNet", + "checklist": "Azure Blob Storage Review", + "description": "Considere la posibilidad de deshabilitar de forma selectiva la \"eliminación temporal\" para determinados contenedores de blobs, por ejemplo, si la aplicación debe asegurarse de que la información eliminada se elimina inmediatamente, por ejemplo, por motivos de confidencialidad, privacidad o cumplimiento. ", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", "severity": "Medio", - "text": "En el caso de las arquitecturas de red con varias topologías en estrella tipo hub-and-spoke en las regiones de Azure, use emparejamientos de red virtual global entre las redes virtuales del centro para conectar las regiones entre sí.", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", - "waf": "Rendimiento" + "text": "Deshabilitación de la \"eliminación temporal\" para contenedores", + "waf": "Seguridad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", - "service": "VNet", - "severity": "Medio", - "text": "Use Azure Monitor para redes para supervisar el estado de un extremo a otro de las redes en Azure.", - "training": 
"https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "waf": "Operaciones" - }, - { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", - "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", - "severity": "Medio", - "text": "Al conectar redes virtuales de radio a la red virtual del centro central, tenga en cuenta los límites de emparejamiento de red virtual (500), el número máximo de prefijos que se pueden anunciar a través de ExpressRoute (1000)", - "waf": "Fiabilidad" - }, - { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", - "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", - "severity": "Medio", - "text": "Tenga en cuenta el límite de rutas por tabla de rutas (400).", - "waf": "Fiabilidad" - }, - { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", - "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", - "link": 
"https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", - "service": "VNet", + "checklist": "Azure Blob Storage Review", + "description": "Evita la eliminación accidental de una cuenta de almacenamiento, obligando al usuario a quitar primero el bloqueo de eliminación, antes de la eliminación", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", "severity": "Alto", - "text": "Use la opción \"Permitir tráfico a la red virtual remota\" al configurar emparejamientos de red virtual", - "waf": "Fiabilidad" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", - "service": "ExpressRoute", - "severity": "Medio", - "text": "Cuando use ExpressRoute Direct, configure MACsec para cifrar el tráfico en el nivel de capa dos entre los enrutadores de la organización y MSEE. 
El diagrama muestra este cifrado en el flujo.", + "text": "Habilitación de bloqueos de recursos en cuentas de almacenamiento", "waf": "Seguridad" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", - "service": "ExpressRoute", - "severity": "Bajo", - "text": "En escenarios en los que MACsec no es una opción (por ejemplo, no usar ExpressRoute Direct), use una puerta de enlace de VPN para establecer túneles IPsec a través del emparejamiento privado de ExpressRoute.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "checklist": "Azure Blob Storage Review", + "description": "Considere la posibilidad de aplicar directivas de \"retención legal\" o \"retención basada en el tiempo\" para los blobs, de modo que sea imposible eliminar el blob, el contenedor o la cuenta de almacenamiento. 
Tenga en cuenta que 'imposible' en realidad significa 'imposible'; una vez que una cuenta de almacenamiento contiene un blob inmutable, la única manera de \"deshacerse\" de esa cuenta de almacenamiento es cancelando la suscripción de Azure.", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Azure Storage", + "severity": "Alto", + "text": "Considere la posibilidad de blobs inmutables", "waf": "Seguridad" }, { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "558fd772-49b8-4211-82df-27ee412e7f98", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "ExpressRoute", + "checklist": "Azure Blob Storage Review", + "description": "Considere la posibilidad de deshabilitar el acceso HTTP/80 sin protección a la cuenta de almacenamiento, de modo que todas las transferencias de datos estén cifradas, protegidas por integridad y el servidor esté autenticado. 
", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Azure Storage", "severity": "Alto", - "text": "Asegúrese de que no se usan espacios de direcciones IP superpuestos en las regiones de Azure y las ubicaciones locales", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "text": "Requerir HTTPS, es decir, deshabilitar el puerto 80 en la cuenta de almacenamiento", "waf": "Seguridad" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", - "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", - "severity": "Bajo", - "text": "Utilice direcciones IP de los rangos de asignación de direcciones para Internet privadas (RFC 1918).", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "checklist": "Azure Blob Storage Review", + "description": "Al configurar un dominio personalizado (nombre de host) en una cuenta de almacenamiento, compruebe si necesita TLS/HTTPS; si es así, es posible que tenga que colocar Azure CDN delante de la cuenta de almacenamiento.", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Azure Storage", + "severity": "Alto", + "text": "Al aplicar HTTPS (deshabilitar 
HTTP), compruebe que no usa dominios personalizados (CNAME) para la cuenta de almacenamiento.", "waf": "Seguridad" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", - "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", - "severity": "Alto", - "text": "Asegúrese de que no se desperdicie espacio de direcciones IP, no cree redes virtuales innecesariamente grandes (por ejemplo, /16)", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Rendimiento" + "checklist": "Azure Blob Storage Review", + "description": "Requerir HTTPS cuando un cliente usa un token de SAS para acceder a los datos de blobs ayuda a minimizar el riesgo de pérdida de credenciales.", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": "Azure Storage", + "severity": "Medio", + "text": "Limitar los tokens de firma de acceso compartido (SAS) solo a las conexiones HTTPS", + "waf": "Seguridad" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", - "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", - "service": "VNet", + "checklist": "Azure Blob Storage Review", + "description": "Los tokens de AAD deben favorecerse sobre las firmas de acceso compartido, siempre que sea 
posible", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Azure Storage", "severity": "Alto", - "text": "Evite el uso de intervalos de direcciones IP superpuestos para los sitios de producción y recuperación ante desastres.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Fiabilidad" + "text": "Uso de tokens de Azure Active Directory (Azure AD) para el acceso a blobs", + "waf": "Seguridad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", - "service": "DNS", + "checklist": "Azure Blob Storage Review", + "description": "Al asignar un rol a un usuario, grupo o aplicación, conceda a esa entidad de seguridad solo los permisos necesarios para que pueda realizar sus tareas. Limitar el acceso a los recursos ayuda a evitar el uso indebido no intencionado y malintencionado de los datos.", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Azure Storage", "severity": "Medio", - "text": "En entornos en los que la resolución de nombres en Azure es todo lo que se requiere, use Azure Private DNS para la resolución con una zona delegada para la resolución de nombres (como \"azure.contoso.com\").", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Operaciones" + "text": "Privilegios mínimos en los permisos de IaM", + "waf": "Seguridad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", - "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", - "service": "DNS", - "severity": "Medio", - "text": "En el caso de los entornos en los que se requiere la resolución de nombres en Azure y en el entorno local, considere la posibilidad de usar 
Azure DNS Private Resolver.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", + "checklist": "Azure Blob Storage Review", + "description": "Una SAS de delegación de usuarios está protegida con credenciales de Azure Active Directory (Azure AD) y también con los permisos especificados para la SAS. Una SAS de delegación de usuarios es análoga a una SAS de servicio en cuanto a su ámbito y función, pero ofrece ventajas de seguridad sobre la SAS de servicio. ", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Azure Storage", + "severity": "Alto", + "text": "Al usar SAS, prefiera \"SAS de delegación de usuarios\" en lugar de SAS basada en claves de cuenta de almacenamiento.", "waf": "Seguridad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", - "service": "DNS", - "severity": "Bajo", - "text": "Las cargas de trabajo especiales que requieren e implementan su propio DNS (como Red Hat OpenShift) deben utilizar su solución DNS preferida.", - "waf": "Operaciones" + "checklist": "Azure Blob Storage Review", + "description": "Las claves de la cuenta de almacenamiento (\"claves compartidas\") tienen muy pocas funcionalidades de auditoría. Si bien se puede monitorear quién o cuándo obtuvo una copia de las claves, una vez que las claves están en manos de varias personas, es imposible atribuir el uso a un usuario específico. Confiar únicamente en la autenticación de AAD facilita la vinculación del acceso al almacenamiento a un usuario. 
", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Azure Storage", + "severity": "Alto", + "text": "Considere la posibilidad de deshabilitar las claves de la cuenta de almacenamiento, de modo que solo se admita el acceso a AAD (y la SAS de delegación de usuarios).", + "waf": "Seguridad" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "614658d3-558f-4d77-849b-821112df27ee", - "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", - "service": "DNS", + "checklist": "Azure Blob Storage Review", + "description": "Use los datos del registro de actividad para identificar \"cuándo\", \"quién\", \"qué\" y \"cómo\" se está viendo o cambiando la seguridad de la cuenta de almacenamiento (es decir, claves de cuenta de almacenamiento, directivas de acceso, etc.).", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Azure Storage", "severity": "Alto", - "text": "Habilite el registro automático de Azure DNS para administrar automáticamente el ciclo de vida de los registros DNS de las máquinas virtuales implementadas en una red virtual.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Operaciones" + "text": "Considere la posibilidad de usar Azure Monitor para auditar las operaciones del plano de control en la cuenta de almacenamiento", + "waf": "Seguridad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", - "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", - "service": "Bastion", + "checklist": "Azure Blob Storage Review", + "description": "Una directiva de expiración de claves le permite establecer un recordatorio para la rotación de las claves de acceso a la cuenta. 
El recordatorio se muestra si ha transcurrido el intervalo especificado y las teclas aún no se han girado.", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Azure Storage", "severity": "Medio", - "text": "Considere la posibilidad de usar Azure Bastion para conectarse de forma segura a la red.", + "text": "Al usar claves de cuenta de almacenamiento, considere la posibilidad de habilitar una \"directiva de expiración de claves\"", "waf": "Seguridad" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", - "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", - "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", - "service": "Bastion", + "checklist": "Azure Blob Storage Review", + "description": "Una directiva de expiración de SAS especifica un intervalo recomendado durante el cual la SAS es válida. Las directivas de expiración de SAS se aplican a una SAS de servicio o a una SAS de cuenta. 
Cuando un usuario genera una SAS de servicio o una SAS de cuenta con un intervalo de validez mayor que el intervalo recomendado, verá una advertencia.", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Azure Storage", "severity": "Medio", - "text": "Use Azure Bastion en una subred /26 o superior.", + "text": "Considere la posibilidad de configurar una directiva de expiración de SAS", "waf": "Seguridad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "WAF", + "checklist": "Azure Blob Storage Review", + "description": "Las directivas de acceso almacenadas ofrecen la opción de revocar los permisos de una SAS de servicio sin tener que volver a generar las claves de la cuenta de almacenamiento. ", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Azure Storage", "severity": "Medio", - "text": "Use directivas de Azure Front Door y WAF para proporcionar protección global en todas las regiones de Azure para las conexiones HTTP/S entrantes a una zona de aterrizaje.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "Considere la posibilidad de vincular SAS a una directiva de acceso almacenada", "waf": "Seguridad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", - "severity": "Bajo", - "text": "Al usar Azure Front Door y Azure Application Gateway para ayudar a proteger las aplicaciones HTTP/S, use directivas de WAF en Azure Front Door. 
Bloquee Azure Application Gateway para recibir tráfico solo de Azure Front Door.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "checklist": "Azure Blob Storage Review", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Azure Storage", + "severity": "Medio", + "text": "Considere la posibilidad de configurar el repositorio de código fuente de la aplicación para detectar cadenas de conexión protegidas y claves de cuenta de almacenamiento.", "waf": "Seguridad" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", + "checklist": "Azure Blob Storage Review", + "description": "Lo ideal es que la aplicación use una identidad administrada para autenticarse en Azure Storage. 
Si esto no es posible, considere la posibilidad de tener la credencial de almacenamiento (cadena de conexión, clave de cuenta de almacenamiento, SAS, credencial de entidad de servicio) en Azure KeyVault o un servicio equivalente.", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Azure Storage", "severity": "Alto", - "text": "La implementación de WAF y otros servidores proxy inversos son necesarios para las conexiones HTTP/S entrantes, impleméntelos dentro de una red virtual de zona de aterrizaje y junto con las aplicaciones que protegen y exponen a Internet.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "text": "Considere la posibilidad de almacenar cadenas de conexión en Azure KeyVault (en escenarios en los que las identidades administradas no son posibles)", "waf": "Seguridad" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", + "checklist": "Azure Blob Storage Review", + "description": "Use los tiempos de expiración a corto plazo en una SAS de servicio SAS ad hoc o en una SAS de cuenta. De esta manera, incluso si una SAS se ve comprometida, es válida solo por un corto tiempo. Esta práctica es especialmente importante si no puede hacer referencia a una directiva de acceso almacenada. 
Los tiempos de expiración a corto plazo también limitan la cantidad de datos que se pueden escribir en un blob al limitar el tiempo disponible para cargarlo.", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "severity": "Alto", - "text": "Use planes de protección IP o de red DDoS de Azure para ayudar a proteger los puntos de conexión de direcciones IP públicas dentro de las redes virtuales.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "Esfuércese por obtener períodos de validez cortos para SAS ad-hoc", "waf": "Seguridad" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "b034c01e-110b-463a-b36e-e3346e57f225", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", - "service": "VNet", - "severity": "Alto", - "text": "Evalúe y revise la configuración y la estrategia del tráfico saliente de la red antes del próximo cambio importante. El 30 de septiembre de 2025, se retirará el acceso saliente predeterminado para las nuevas implementaciones y solo se permitirán las configuraciones de acceso explícitas", - "waf": "Fiabilidad" + "checklist": "Azure Blob Storage Review", + "description": "Al crear una SAS, sea lo más específico y restrictivo posible. 
Prefiera una SAS para un solo recurso y operación en lugar de una SAS que proporciona un acceso mucho más amplio.", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", + "severity": "Medio", + "text": "Aplicación de un ámbito limitado a una SAS", + "waf": "Seguridad" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", - "severity": "Alto", - "text": "Agregue configuraciones de diagnóstico para guardar registros relacionados con DDoS para todas las direcciones IP públicas protegidas (DDoS IP o Protección de red).", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "checklist": "Azure Blob Storage Review", + "description": "Una SAS puede incluir parámetros en los que las direcciones IP de cliente o los intervalos de direcciones están autorizados a solicitar un recurso mediante la SAS. 
", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Azure Storage", + "severity": "Medio", + "text": "Considere la posibilidad de definir el ámbito de SAS en una dirección IP de cliente específica, siempre que sea posible", "waf": "Seguridad" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli", - "service": "ExpressRoute", - "severity": "Medio", - "text": "Asegúrese de que ha investigado la posibilidad de usar ExpressRoute como conexión principal a Azure.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Rendimiento" + "checklist": "Azure Blob Storage Review", + "description": "Una SAS no puede restringir la cantidad de datos que carga un cliente; Dado el modelo de precios de la cantidad de almacenamiento a lo largo del tiempo, podría tener sentido validar si los clientes cargaron contenido de gran tamaño malintencionado.", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Azure Storage", + "severity": "Bajo", + "text": "Considere la posibilidad de comprobar los datos cargados, después de que los clientes hayan usado una SAS para cargar un archivo. 
", + "waf": "Seguridad" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "description": "Puede usar la anteposición de AS y los pesos de conexión para influir en el tráfico de Azure al entorno local, y la gama completa de atributos de BGP en sus propios enrutadores para influir en el tráfico del entorno local a Azure.", - "guid": "f29812b2-363c-4efe-879b-599de0d5973c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", - "service": "ExpressRoute", - "severity": "Medio", - "text": "Cuando use varios circuitos ExpressRoute o varias ubicaciones locales, asegúrese de optimizar el enrutamiento con atributos BGP, si se prefieren determinadas rutas de acceso.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Fiabilidad" + "checklist": "Azure Blob Storage Review", + "description": "Al acceder a Blob Storage a través de SFTP mediante una \"cuenta de usuario local\", no se aplican los controles RBAC \"habituales\". El acceso a blobs a través de NFS o REST puede ser más restrictivo que el acceso SFTP. 
Desafortunadamente, a partir de principios de 2023, los usuarios locales son la única forma de administración de identidades que actualmente se admite para el punto de conexión SFTP", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Azure Storage", + "severity": "Alto", + "text": "SFTP: Limite la cantidad de \"usuarios locales\" para el acceso SFTP y audite si el acceso es necesario a lo largo del tiempo.", + "waf": "Seguridad" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", - "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", - "service": "ExpressRoute", + "checklist": "Azure Blob Storage Review", + "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Azure Storage", "severity": "Medio", - "text": "Asegúrese de que usa la SKU correcta para las puertas de enlace de ExpressRoute/VPN en función de los requisitos de ancho de banda y rendimiento.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Rendimiento" + "text": "SFTP: El punto de conexión SFTP no admite ACL similares a POSIX.", + "waf": "Seguridad" }, { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - 
"graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", - "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", - "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", - "service": "ExpressRoute", + "checklist": "Azure Blob Storage Review", + "description": "El almacenamiento es compatible con CORS (Cross-Origin Resource Sharing), es decir, una función HTTP que permite a las aplicaciones web de un dominio diferente relajar la política del mismo origen. Al habilitar CORS, mantenga CorsRules con el mínimo privilegio.", + "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Azure Storage", "severity": "Alto", - "text": "Asegúrese de que usa circuitos ExpressRoute de datos ilimitados solo si alcanza el ancho de banda que justifica su costo.", - "waf": "Costar" + "text": "Evite las políticas de CORS demasiado amplias", + "waf": "Seguridad" }, { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", - "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", - "service": "ExpressRoute", + "checklist": "Azure Blob Storage Review", + "description": "Los datos en reposo 
siempre están cifrados en el lado del servidor y, además, también pueden estar cifrados en el lado del cliente. El cifrado del lado del servidor puede realizarse mediante una clave administrada por la plataforma (predeterminada) o una clave administrada por el cliente. El cifrado del lado cliente puede producirse haciendo que el cliente proporcione una clave de cifrado y descifrado por blob a Azure Storage o controlando completamente el cifrado en el lado cliente. por lo tanto, no depende en absoluto de Azure Storage para obtener garantías de confidencialidad.", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Azure Storage", "severity": "Alto", - "text": "Aproveche la SKU local de ExpressRoute para reducir el costo de los circuitos, si la ubicación de emparejamiento de los circuitos admite las regiones de Azure para la SKU local.", - "waf": "Costar" + "text": "Determine cómo se deben cifrar los datos en reposo. 
Comprender el modelo de subprocesos para los datos.", + "waf": "Seguridad" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", - "service": "ExpressRoute", + "checklist": "Azure Blob Storage Review", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Azure Storage", "severity": "Medio", - "text": "Implemente una puerta de enlace de ExpressRoute con redundancia de zona en las regiones de Azure admitidas.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Fiabilidad" + "text": "Determine qué cifrado de plataforma se debe usar o si se debe usar.", + "waf": "Seguridad" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", + "checklist": "Azure Blob Storage Review", + "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Azure Storage", "severity": "Medio", - "text": "En escenarios que 
requieren un ancho de banda superior a 10 Gbps o puertos dedicados de 10/100 Gbps, use ExpressRoute Direct.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Rendimiento" + "text": "Determine qué cifrado del lado del cliente se debe usar o si.", + "waf": "Seguridad" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", - "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", - "service": "ExpressRoute", - "severity": "Medio", - "text": "Cuando se requiera una latencia baja o el rendimiento del entorno local a Azure sea superior a 10 Gbps, habilite FastPath para omitir la puerta de enlace de ExpressRoute de la ruta de acceso de datos.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Rendimiento" + "checklist": "Azure Blob Storage Review", + "description": "Aproveche el Explorador de Resource Graph (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) para buscar cuentas de almacenamiento que permitan el acceso anónimo a blobs.", + "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Azure Storage", + "severity": "Alto", + "text": "Considere si se necesita acceso público a blobs o si se puede deshabilitar para determinadas cuentas de almacenamiento. 
", + "waf": "Seguridad" }, { - "arm-service": "microsoft.network/vpnGateways", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", - "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", - "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", - "service": "VPN", - "severity": "Medio", - "text": "Use puertas de enlace de VPN con redundancia de zona para conectar sucursales o ubicaciones remotas a Azure (donde estén disponibles).", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "Fiabilidad" + "checklist": "Cost Optimization Checklist", + "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", + "service": "Azure Monitor", + "text": "Reglas de recopilación de datos en Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "Costar" }, { - "arm-service": "microsoft.network/vpnGateways", - "checklist": "Azure Landing Zone Review", - "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", - "service": "VPN", - "severity": "Medio", - "text": "Use dispositivos VPN redundantes en las instalaciones (activo/activo o activo/pasivo).", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "Fiabilidad" + "checklist": "Cost Optimization Checklist", + "guid": "45901365-d38e-443f-abcb-d868266abca2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Azure Backup", + 
"text": "Comprobar las instancias de copia de seguridad con la fuente de datos subyacente no encontrada", + "waf": "Costar" }, { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "718cb437-b060-2589-8856-2e93a5c6633b", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", - "service": "ExpressRoute", - "severity": "Alto", - "text": "Si usa ExpressRoute Direct, considere la posibilidad de usar circuitos locales de ExpressRoute a las regiones locales de Azure para ahorrar costos", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "checklist": "Cost Optimization Checklist", + "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "VM", + "text": "Eliminar o archivar servicios no asociados (discos, NIC, direcciones IP, etc.)", "waf": "Costar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", - "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", - "service": "ExpressRoute", - "severity": "Medio", - "text": "Cuando se requiere aislamiento de tráfico o ancho de banda dedicado, por ejemplo, para separar entornos de producción y no de producción, use circuitos ExpressRoute diferentes. 
Le ayudará a garantizar dominios de enrutamiento aislados y a aliviar los riesgos de vecinos ruidosos.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Seguridad" + "checklist": "Cost Optimization Checklist", + "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Azure Backup", + "text": "Considere un buen equilibrio entre el almacenamiento de recuperación del sitio y la copia de seguridad para aplicaciones que no son críticas", + "waf": "Costar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b30e38c3-f298-412b-8363-cefe179b599d", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", - "service": "ExpressRoute", - "severity": "Medio", - "text": "Supervise la disponibilidad y el uso de ExpressRoute mediante Express Route Insights integrado.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Operaciones" + "checklist": "Cost Optimization Checklist", + "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", + "service": "Azure Monitor", + "text": "Compruebe las oportunidades de gasto y ahorro entre las 40 áreas de trabajo de Log Analytics diferentes: use diferentes retenciones y recopilación de datos para áreas de trabajo que no sean de producción: cree un límite diario para el reconocimiento y el tamaño de los niveles: si establece un límite diario, además de crear una alerta cuando se alcance el límite, asegúrese de crear también una regla de alerta para que se le notifique cuando se alcance algún porcentaje (90 %, por ejemplo). 
- Considere la posibilidad de transformar el espacio de trabajo si es posible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", + "waf": "Costar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", - "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", - "service": "ExpressRoute", - "severity": "Medio", - "text": "Use el Monitor de conexión para la supervisión de la conectividad en toda la red, especialmente entre el entorno local y Azure.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Operaciones" + "checklist": "Cost Optimization Checklist", + "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Azure Monitor", + "text": "Aplique una política de purga de registros y automatización (si es necesario, los registros se pueden mover al almacenamiento en frío)", + "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", + "waf": "Costar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize 
countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", - "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#challenges-of-using-multiple-expressroute-circuits", - "service": "ExpressRoute", - "severity": "Medio", - "text": "Use circuitos ExpressRoute de diferentes ubicaciones de emparejamiento para obtener redundancia.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Fiabilidad" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", - "service": "ExpressRoute", - "severity": "Medio", - "text": "Use VPN de sitio a sitio como conmutación por error de ExpressRoute, especialmente si solo usa un único circuito ExpressRoute.", - "waf": "Fiabilidad" - }, - { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", - "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", - "service": 
"ExpressRoute", - "severity": "Alto", - "text": "Si utiliza una tabla de rutas en GatewaySubnet, asegúrese de que las rutas de puerta de enlace se propagan.", - "waf": "Fiabilidad" - }, - { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "d581a947-69a2-4783-942e-9df3664324c8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", - "service": "ExpressRoute", - "severity": "Alto", - "text": "Si usa ExpressRoute, el enrutamiento local debe ser dinámico: en caso de que se produzca un error de conexión, debe converger a la conexión restante del circuito. La carga debe compartirse entre ambas conexiones, idealmente como activa/activa, aunque también se admite activa/pasiva.", - "waf": "Fiabilidad" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", - "service": "ExpressRoute", - "severity": "Medio", - "text": "Asegúrese de que los dos vínculos físicos del circuito ExpressRoute están conectados a dos dispositivos perimetrales distintos de la red.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Fiabilidad" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", - "service": "ExpressRoute", - "severity": "Medio", - "text": "Asegúrese de que la detección de reenvío bidireccional (BFD) esté habilitada y configurada en los dispositivos de enrutamiento perimetral del cliente o proveedor.", - "training": 
"https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Fiabilidad" + "checklist": "Cost Optimization Checklist", + "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "VM", + "text": "Compruebe que los discos son realmente necesarios, si no: eliminar. Si son necesarios, busque niveles de almacenamiento más bajos o use una copia de seguridad:", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", + "waf": "Costar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "ExpressRoute", - "severity": "Alto", - "text": "Conecte la puerta de enlace de ExpressRoute a dos o más circuitos de diferentes ubicaciones de emparejamiento para una mayor resistencia.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Fiabilidad" + "checklist": "Cost Optimization Checklist", + "guid": "d1e44a19-659d-4395-afd7-7289b835556d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Storage", + "text": "Considere la posibilidad de mover el almacenamiento no utilizado al nivel inferior, con reglas personalizadas: https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "waf": "Costar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - 
"guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", - "service": "ExpressRoute", - "severity": "Medio", - "text": "Configure registros de diagnóstico y alertas para la puerta de enlace de red virtual de ExpressRoute.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Operaciones" + "checklist": "Cost Optimization Checklist", + "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "VM", + "text": "Asegúrese de que el asesor está configurado para el tamaño correcto de la máquina virtual ", + "waf": "Costar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "5234c93f-b651-41dd-80c1-234177b91ced", - "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", - "service": "ExpressRoute", - "severity": "Medio", - "text": "Evite el uso de circuitos ExpressRoute para la comunicación de red virtual a red virtual.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Rendimiento" + "checklist": "Cost Optimization Checklist", + "description": "comprobando la búsqueda de las licencias de categoría de contador en el análisis de costes", + "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", + "service": "VM", + "text": "ejecutar el script en todas las máquinas virtuales de Windows https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server: considere la posibilidad de implementar una directiva si las máquinas virtuales de Windows se crean con frecuencia", + 
"waf": "Costar" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", - "link": "https://learn.microsoft.com/azure/app-service/networking-features", - "service": "Firewall", - "severity": "Alto", - "text": "Use Azure Firewall para controlar el tráfico saliente de Azure a Internet, las conexiones entrantes que no son HTTP/S y el filtrado del tráfico Este/Oeste (si la organización lo requiere)", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Seguridad" + "checklist": "Cost Optimization Checklist", + "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "VM", + "text": " esto también se puede poner bajo AHUB si ya tiene licencias https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", + "waf": "Costar" }, { - "checklist": "Azure Landing Zone Review", - "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", - "severity": "Medio", - "text": "Cree una directiva global de Azure Firewall para controlar la posición de seguridad en todo el entorno de red global y asígnela a todas las instancias de Azure Firewall. 
Permita que las directivas granulares satisfagan los requisitos de regiones específicas delegando directivas de firewall incrementales a los equipos de seguridad locales a través del control de acceso basado en roles de Azure.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Seguridad" + "checklist": "Cost Optimization Checklist", + "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "VM", + "text": "Consolide familias de máquinas virtuales reservadas con la opción de flexibilidad (no más de 4-5 familias)", + "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", + "waf": "Costar" }, { - "checklist": "Azure Landing Zone Review", - "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", - "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", - "service": "Firewall", - "severity": "Bajo", - "text": "Configure los proveedores de seguridad SaaS de socios compatibles dentro de Firewall Manager si la organización desea utilizar dichas soluciones para ayudar a proteger las conexiones salientes.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Seguridad" + "checklist": "Cost Optimization Checklist", + "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", + "service": "VM", + "text": "Uso de Azure Reserved Instances: esta característica le permite reservar máquinas virtuales durante un período de 1 o 3 años, lo que proporciona un importante ahorro de costos en comparación con los precios de pago por uso.", + "waf": "Costar" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": 
"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", - "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", - "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", - "service": "Firewall", - "severity": "Alto", - "text": "Use reglas de red basadas en FQDN y Azure Firewall con proxy DNS para filtrar el tráfico de salida a Internet a través de protocolos no admitidos por las reglas de aplicación.", - "waf": "Seguridad" + "checklist": "Cost Optimization Checklist", + "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", + "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", + "service": "VM", + "text": "Solo se pueden reservar discos más grandes => 1 TiB -", + "waf": "Costar" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", - "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", - "link": "https://learn.microsoft.com/azure/firewall/premium-features", - "service": "Firewall", - "severity": "Alto", - "text": "Use Azure Firewall Premium para obtener seguridad y protección adicionales.", - "waf": "Seguridad" + "checklist": "Cost Optimization Checklist", + "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", + "service": "VM", + "text": "Después de la optimización del tamaño correcto", + "waf": "Costar" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", - "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", - "link": "https://learn.microsoft.com/azure/firewall/premium-features", - "service": 
"Firewall", - "severity": "Alto", - "text": "Configure el modo de inteligencia sobre amenazas de Azure Firewall en Alerta y denegación para obtener protección adicional.", - "waf": "Seguridad" + "checklist": "Cost Optimization Checklist", + "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Azure SQL", + "text": "Compruebe si corresponde y aplique la política/cambio https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", + "waf": "Costar" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", - "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", - "service": "Firewall", - "severity": "Alto", - "text": "Configure el modo IDPS de Azure Firewall en Denegar para obtener protección adicional.", - "waf": "Seguridad" + "checklist": "Cost Optimization Checklist", + "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "VM", + "text": "El descuento de la parte de la licencia VM + (ahub + 3YRI) es de alrededor del 70% de descuento", + "waf": "Costar" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 
'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", - "guid": "a3784907-9836-4271-aafc-93535f8ec08b", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", - "service": "Firewall", - "severity": "Alto", - "text": "En el caso de las subredes de las redes virtuales que no están conectadas a Virtual WAN, adjunte una tabla de rutas para que el tráfico de Internet se redirija a Azure Firewall o a una aplicación virtual de red", - "waf": "Seguridad" + "checklist": "Cost Optimization Checklist", + "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "VM", + "text": "Considere la posibilidad de utilizar un VMSS para satisfacer la demanda en lugar de un tamaño fijo", + "waf": "Costar" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "715d833d-4708-4527-90ac-1b142c7045ba", - "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", - "service": "Firewall", - "severity": "Medio", - "text": "Agregue la configuración de diagnóstico para guardar registros, mediante la tabla de destino Recurso específico, 
para todas las implementaciones de Azure Firewall.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Operaciones" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Cost Optimization Checklist", + "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "AKS", + "text": "Use el escalador automático de AKS para que coincida con el uso de los clústeres (asegúrese de que los requisitos de los pods coincidan con el escalador)", + "waf": "Costar" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", - "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", - "service": "Firewall", - "severity": "Importante", - "text": "Migre de las reglas de Azure Firewall clásico (si existen) a la directiva de firewall.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Operaciones" + "checklist": "Cost Optimization Checklist", + "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Azure Backup", + "text": "Mover los puntos de recuperación al archivo de almacén cuando corresponda (Validar)", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "Costar" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, 
compliant", - "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", - "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", - "service": "Firewall", - "severity": "Alto", - "text": "Use un prefijo /26 para las subredes de Azure Firewall.", - "waf": "Seguridad" + "checklist": "Cost Optimization Checklist", + "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", + "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", + "service": "Databricks", + "text": "Considere la posibilidad de usar máquinas virtuales de acceso puntual con reserva siempre que sea posible. Considere la posibilidad de la terminación automática de clústeres.", + "waf": "Costar" }, { - "checklist": "Azure Landing Zone Review", - "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", - "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", - "service": "Firewall", - "severity": "Medio", - "text": "Organice las reglas dentro de la directiva de firewall en grupos de recopilación de reglas y colecciones de reglas en función de su frecuencia de uso", - "waf": "Rendimiento" + "checklist": "Cost Optimization Checklist", + "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", + "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", + "service": "Azure Functions", + "text": "Funciones - Reutilizar conexiones", + "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", + "waf": "Costar" }, { - "checklist": "Azure Landing Zone Review", - "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", - "link": "https://learn.microsoft.com/azure/firewall/ip-groups", - "service": "Firewall", - "severity": "Medio", - "text": "Utilice grupos de IP o prefijos de IP para reducir el número de reglas de tabla de IP", - "waf": "Rendimiento" + "checklist": "Cost Optimization 
Checklist", + "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", + "link": "https://learn.microsoft.com/azure/automation/update-management/overview", + "service": "Azure Functions", + "text": "Funciones: almacenar datos en caché localmente", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", + "waf": "Costar" }, { - "checklist": "Azure Landing Zone Review", - "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", - "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", - "service": "Firewall", - "severity": "Medio", - "text": "Evite los comodines como IP de origen para los DNAT, como * o cualquiera, debe especificar las direcciones IP de origen para los DNAT entrantes", - "waf": "Rendimiento" + "checklist": "Cost Optimization Checklist", + "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Azure Functions", + "text": "Funciones - Arranques en frío: utilice la funcionalidad 'Ejecutar desde el paquete'. De esta manera, el código se descarga como un único archivo zip. Esto puede, por ejemplo, resultar en mejoras significativas con las funciones de Javascript, que tienen muchos módulos de nodos. Utilice herramientas específicas del lenguaje para reducir el tamaño del paquete, por ejemplo, aplicaciones Javascript que sacuden el árbol.", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "Costar" }, { - "checklist": "Azure Landing Zone Review", - "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", - "link": "https://learn.microsoft.com/azure/nat-gateway/tutorial-hub-spoke-nat-firewall", - "service": "Firewall", - "severity": "Medio", - "text": "Evite el agotamiento del puerto SNAT mediante la supervisión del uso del puerto SNAT, la evaluación de la configuración de la puerta de enlace NAT y la garantía de una conmutación por error sin problemas. 
Si el número de puertos se acerca al límite, es una señal de que el agotamiento de SNAT podría ser inminente.", - "waf": "Rendimiento" + "checklist": "Cost Optimization Checklist", + "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "Azure Functions", + "text": "Funciones - Mantén tus funciones calientes", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Costar" }, { - "checklist": "Azure Landing Zone Review", - "guid": "346840b8-1064-496e-8396-4b1340172d52", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", - "service": "Firewall", - "severity": "Alto", - "text": "Habilitar la inspección TLS", - "waf": "Rendimiento" + "checklist": "Cost Optimization Checklist", + "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Azure Functions", + "text": "Al usar el escalado automático con diferentes funciones, es posible que haya uno que controle todo el escalado automático para todos los recursos: considere la posibilidad de moverlo a un plan de consumo independiente (y considere un plan superior para la CPU)", + "waf": "Costar" }, { - "checklist": "Azure Landing Zone Review", - "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", - "service": "Firewall", - "severity": "Bajo", - "text": "Utilice categorías web para permitir o denegar el acceso saliente a temas específicos.", - "waf": "Rendimiento" + "checklist": "Cost Optimization Checklist", + "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", + "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", + "service": "Azure Functions", + "text": "Las aplicaciones de funciones de un plan determinado se escalan 
juntas, por lo que cualquier problema con el escalado puede afectar a todas las aplicaciones del plan.", + "waf": "Costar" }, { - "checklist": "Azure Landing Zone Review", - "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", - "service": "Firewall", - "severity": "Medio", - "text": "Como parte de la inspección de TLS, planee la recepción de tráfico de Azure App Gateways para su inspección.", - "waf": "Rendimiento" + "checklist": "Cost Optimization Checklist", + "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", + "service": "Azure Functions", + "text": "¿Se me factura por el \"tiempo de espera\"? Esta pregunta se suele formular en el contexto de una función de C# que realiza una operación asincrónica y espera el resultado, por ejemplo, await Task.Delay(1000) o await client. GetAsync('http://google.com'). La respuesta es sí: el segundo cálculo de GB se basa en la hora de inicio y finalización de la función y el uso de memoria durante ese período. Lo que realmente sucede durante ese tiempo en términos de actividad de la CPU no se tiene en cuenta en el cálculo. Una excepción a esta regla es si está utilizando funciones duraderas. No se le facturará por el tiempo empleado en las esperas en las funciones de orquestador.aplique técnicas de modelado de la demanda siempre que sea posible (¿entornos de desarrollo?) 
https://github.com/Azure-Samples/functions-csharp-premium-scaler", + "waf": "Costar" }, { - "checklist": "Azure Landing Zone Review", - "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", - "link": "https://learn.microsoft.com/azure/firewall/dns-details", - "service": "Firewall", - "severity": "Medio", - "text": "Habilitación de la configuración del proxy DNS de Azure Firewall ", - "waf": "Seguridad" + "checklist": "Cost Optimization Checklist", + "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Front Door", + "text": "Frontdoor: desactivar la página principal predeterminadaEn la configuración de la aplicación de la aplicación, establezca AzureWebJobsDisableHomepage en true. Esto devolverá un 204 (sin contenido) al PoP para que solo se devuelvan los datos del encabezado.", + "waf": "Costar" }, { - "checklist": "Azure Landing Zone Review", - "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", - "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", - "service": "Firewall", - "severity": "Medio", - "text": "Asegúrese de que haya una asignación de directiva para denegar direcciones IP públicas vinculadas directamente a máquinas virtuales", - "waf": "Seguridad" + "checklist": "Cost Optimization Checklist", + "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Front Door", + "text": "Frontdoor: ruta a algo que no devuelve nada. Configure una función, un proxy de función o agregue una ruta en la aplicación web que devuelva 200 (correctamente) y envíe contenido mínimo o nulo. 
La ventaja de esto es que podrá cerrar la sesión cuando se llame.", + "waf": "Costar" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", - "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", - "service": "Firewall", - "severity": "Bajo", - "text": "Integre Azure Firewall con Azure Monitor y habilite el registro de diagnóstico para almacenar y analizar los registros del firewall.", - "waf": "Operaciones" + "checklist": "Cost Optimization Checklist", + "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", + "service": "Storage", + "text": "Considere la posibilidad de archivar niveles para los datos menos utilizados", + "waf": "Costar" }, { - "checklist": "Azure Landing Zone Review", - "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", - "severity": "Bajo", - "text": "Implemente copias de seguridad para las reglas de firewall", - "waf": "Operaciones" + "checklist": "Cost Optimization Checklist", + "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "VM", + "text": "Compruebe los tamaños de disco en los que el tamaño no coincida con el nivel (es decir, un disco de 513 GiB pagará un P30 (1 TiB) y considere la posibilidad de cambiar el tamaño", + "waf": "Costar" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "App Gateway", - "severity": "Alto", - "text": "Asegúrese de que la comunicación del plano de control para los servicios PaaS de Azure insertados en una red virtual no se interrumpa, por ejemplo, con una ruta 0.0.0.0/0 o una regla de grupo 
de seguridad de red que bloquee el tráfico del plano de control.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "Seguridad" + "checklist": "Cost Optimization Checklist", + "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "Storage", + "text": "Considere la posibilidad de utilizar un SSD estándar en lugar de Premium o Ultra siempre que sea posible", + "waf": "Costar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", - "link": "https://learn.microsoft.com/azure/app-service/networking-features", - "service": "ExpressRoute", - "severity": "Medio", - "text": "Acceda a los servicios PaaS de Azure desde el entorno local a través de puntos de conexión privados y emparejamiento privado de ExpressRoute. Este método evita el tránsito a través de la Internet pública.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Seguridad" + "checklist": "Cost Optimization Checklist", + "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "Storage", + "text": "En el caso de las cuentas de almacenamiento, asegúrese de que el nivel elegido no suma cargos por transacción (puede ser más barato pasar al siguiente nivel)", + "waf": "Costar" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = 
(isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", - "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", - "link": "https://learn.microsoft.com/azure/app-service/networking-features", - "service": "VNet", - "severity": "Medio", - "text": "No habilite los puntos de conexión de servicio de red virtual de forma predeterminada en todas las subredes.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "Seguridad" + "checklist": "Cost Optimization Checklist", + "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "Site Recovery", + "text": "Para ASR, considere la posibilidad de usar discos SSD estándar si el RPO/RTO y el rendimiento de replicación lo permiten", + "waf": "Costar" }, { - "checklist": "Azure Landing Zone Review", - "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", - "link": "https://learn.microsoft.com/azure/app-service/networking-features", - "service": "Firewall", - "severity": "Medio", - "text": "Filtre el tráfico de salida a los servicios PaaS de Azure mediante FQDN en lugar de direcciones IP en Azure Firewall o una aplicación virtual de red para evitar la filtración de datos. 
Si usa Private Link, puede bloquear todos los FQDN, de lo contrario, permita solo los servicios PaaS necesarios.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "Seguridad" + "checklist": "Cost Optimization Checklist", + "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", + "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", + "service": "Storage", + "text": "Cuentas de almacenamiento: compruebe el nivel de acceso frecuente o GRS necesario", + "waf": "Costar" }, { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", - "service": "ExpressRoute", - "severity": "Alto", - "text": "Use al menos un prefijo /27 para las subredes de puerta de enlace", - "waf": "Seguridad" + "checklist": "Cost Optimization Checklist", + "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "VM", + "text": "Discos: valide el uso de discos SSD Premium en todas partes: por ejemplo, los que no son de producción podrían cambiar a SSD estándar o SSD Premium bajo demanda ", + "waf": "Costar" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project 
id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", - "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", - "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", - "service": "NSG", - "severity": "Medio", - "text": "No confíe en las reglas predeterminadas de entrada del grupo de seguridad de red que usan la etiqueta de servicio VirtualNetwork para limitar la conectividad.", - "waf": "Seguridad" + "checklist": "Cost Optimization Checklist", + "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "Synapse", + "text": "Cree presupuestos para administrar los costos y cree alertas que notifiquen automáticamente a las partes interesadas sobre anomalías en el gasto y riesgos de gasto excesivo.", + "waf": "Costar" }, { - "checklist": "Azure Landing Zone Review", - "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", - "service": "NSG", - "severity": "Medio", - "text": "Use grupos de seguridad de red para ayudar a proteger el tráfico 
entre subredes, así como el tráfico este/oeste a través de la plataforma (tráfico entre zonas de aterrizaje).", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "Seguridad" + "checklist": "Cost Optimization Checklist", + "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "Synapse", + "text": "Exporte los datos de costos a una cuenta de almacenamiento para realizar análisis de datos adicionales.", + "waf": "Costar" }, { - "checklist": "Azure Landing Zone Review", - "graph": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)", - "guid": "9c2299c4-d7b5-47d0-a655-562f2b3e4563", - "service": "NSG", - "severity": "Medio", - "text": "El equipo de aplicaciones debe usar grupos de seguridad de aplicaciones en los grupos de seguridad de red de nivel de subred para ayudar a proteger las máquinas virtuales de varios niveles dentro de la zona de aterrizaje.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "Seguridad" + "checklist": "Cost Optimization Checklist", + "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Synapse", + "text": "Controle los costos de un grupo de SQL dedicado pausando el recurso cuando no esté en uso.", + "waf": "Costar" + }, + { + "checklist": "Cost Optimization Checklist", + "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", + "service": "Synapse", + "text": "Habilite la 
función de pausa automática de Apache Spark sin servidor y establezca el valor de tiempo de espera en consecuencia.", + "waf": "Costar" }, { - "checklist": "Azure Landing Zone Review", - "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "NSG", - "severity": "Medio", - "text": "Use grupos de seguridad de red y grupos de seguridad de aplicaciones para microsegmentar el tráfico dentro de la zona de aterrizaje y evitar el uso de una aplicación virtual de red central para filtrar los flujos de tráfico.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "Seguridad" + "checklist": "Cost Optimization Checklist", + "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Synapse", + "text": "Cree varias definiciones de grupo de Apache Spark de varios tamaños.", + "waf": "Costar" }, { - "checklist": "Azure Landing Zone Review", - "guid": "dfe237de-143b-416c-91d7-aa9b64704489", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "NSG", - "severity": "Medio", - "text": "Habilite los registros de flujo de red virtual e introdúzcalos en Análisis de tráfico para obtener información sobre los flujos de tráfico internos y externos.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "waf": "Seguridad" + "checklist": "Cost Optimization Checklist", + "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "service": "Synapse", + "text": "Compre unidades de confirmación (SCU) de Azure Synapse durante un año con un plan 
de compra anticipada para ahorrar en los costos de Azure Synapse Analytics.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Costar" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", - "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "NSG", - "severity": "Medio", - "text": "Tenga en cuenta el límite de reglas de grupo de seguridad de red por grupo de seguridad de red (1000).", - "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "waf": "Fiabilidad" + "checklist": "Cost Optimization Checklist", + "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "VM", + "text": "Uso de máquinas virtuales de acceso puntual para trabajos interrumpibles: se trata de máquinas virtuales por las que se puede pujar y comprar a un precio reducido, lo que proporciona una solución rentable para cargas de trabajo no críticas.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Costar" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", - "service": "VWAN", - "severity": "Medio", - "text": "Considere la posibilidad de utilizar Virtual WAN para simplificar la administración de redes de Azure y asegúrese de que el escenario se describe explícitamente en la lista de diseños de enrutamiento de Virtual WAN", - "training": 
"https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", - "waf": "Operaciones" + "checklist": "Cost Optimization Checklist", + "guid": "544451e1-92d3-4442-a3c7-628637a551c5", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", + "text": "Ajustar el tamaño de todas las máquinas virtuales", + "waf": "Costar" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "VWAN", - "severity": "Medio", - "text": "Use un centro de conectividad de Virtual WAN por región de Azure para conectar varias zonas de aterrizaje entre sí en las regiones de Azure a través de una instancia global común de Azure Virtual WAN.", - "waf": "Rendimiento" + "checklist": "Cost Optimization Checklist", + "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "VM", + "text": "Intercambiar el tamaño de la máquina virtual con los tamaños normalizados y más recientes", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Costar" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "VWAN", - "severity": "Bajo", - "text": "Siga el principio \"el tráfico de Azure permanece en Azure\" para que la comunicación entre los recursos de Azure se produzca a través de la red troncal de Microsoft", - "waf": "Rendimiento" + "checklist": "Cost Optimization Checklist", + "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + 
"text": "Ajustar el tamaño de las máquinas virtuales: comience con la supervisión del uso por debajo del 5 % y, a continuación, trabaje hasta el 40 %", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Costar" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", - "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "VWAN", - "severity": "Medio", - "text": "Para la protección y el filtrado del tráfico de Internet saliente, implemente Azure Firewall en centros seguros", + "checklist": "Cost Optimization Checklist", + "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "text": "La inclusión de una aplicación en contenedores puede mejorar la densidad de la máquina virtual y ahorrar dinero en su escalado", "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Seguridad" - }, - { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "VWAN", - "severity": "Medio", - "text": "Asegúrese de que la arquitectura de red está dentro de los límites de Azure Virtual WAN.", - "waf": "Fiabilidad" + "waf": "Costar" }, { - "arm-service": "microsoft.network/virtualWans", "checklist": "Azure Landing Zone Review", - "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", - "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", - "service": "VWAN", + "guid": 
"70c15989-c726-42c7-b0d3-24b7375b9201", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", + "service": "Entra", "severity": "Medio", - "text": "Use Azure Monitor Insights para Virtual WAN para supervisar la topología de un extremo a otro de Virtual WAN, el estado y las métricas clave.", + "text": "Use un inquilino de Entra para administrar los recursos de Azure, a menos que tenga un requisito normativo o empresarial claro para varios inquilinos.", "waf": "Operaciones" }, { - "arm-service": "microsoft.network/virtualWans", "checklist": "Azure Landing Zone Review", - "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", - "service": "VWAN", - "severity": "Medio", - "text": "Asegúrese de que las implementaciones de IaC no deshabiliten el tráfico de sucursal a sucursal en Virtual WAN, a menos que estos flujos se bloqueen explícitamente.", - "waf": "Fiabilidad" + "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Entra", + "severity": "Bajo", + "text": "Asegúrese de que tiene un enfoque de automatización multiinquilino para administrar los inquilinos de Microsoft Entra ID", + "waf": "Operaciones" }, { - "arm-service": "microsoft.network/virtualWans", "checklist": "Azure Landing Zone Review", - "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", - "service": "VWAN", - "severity": "Medio", - "text": "Use AS-Path como preferencia de enrutamiento del centro, ya que es más flexible que ExpressRoute o VPN.", - "waf": "Fiabilidad" + "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "Entra", + "severity": "Bajo", + "text": "Aprovechamiento de Azure Lighthouse para la administración multiinquilino", + "waf": "Operaciones" }, { - "arm-service": "microsoft.network/virtualWans", "checklist": "Azure Landing Zone Review", - "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", - "service": "VWAN", + "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Entra", "severity": "Medio", - "text": "Asegúrese de que las implementaciones de IaC configuran la propagación basada en etiquetas en Virtual WAN, de lo contrario, la conectividad entre los centros virtuales se verá afectada.", - "waf": "Fiabilidad" + "text": "Asegúrese de que el asociado usa Azure Lighthouse para administrar el inquilino", + "waf": "Costar" }, { "ammp": true, - "arm-service": "microsoft.network/virtualWans", "checklist": "Azure Landing Zone Review", - "guid": "9c75dfef-573c-461c-a698-68598595581a", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", - "service": "VWAN", + "guid": "348ef254-c27d-442e-abba-c7571559ab91", + "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", + "service": "Entra", "severity": "Alto", - "text": "Asigne suficiente espacio IP a los centros virtuales, idealmente un prefijo /23.", - "waf": "Fiabilidad" + "text": "Aplique un modelo RBAC que se alinee con su modelo operativo en la nube. 
Ámbito y asignación entre grupos de administración y suscripciones.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Seguridad" }, { "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", + "service": "Entra", "severity": "Alto", - "text": "Aproveche Azure Policy estratégicamente, defina controles para su entorno y use iniciativas de directivas para agrupar directivas relacionadas.", - "waf": "Seguridad" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", - "severity": "Medio", - "text": "Asigne los requisitos normativos y de cumplimiento normativo a las definiciones de Azure Policy y a las asignaciones de roles de Azure.", - "waf": "Seguridad" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "223ace8c-b123-408c-a501-7f154e3ab369", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", - "severity": "Medio", - "text": null, + "text": "Utilice solo el tipo de autenticación Cuenta profesional o educativa para todos los tipos de cuenta. 
Evite usar la cuenta de Microsoft", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "Seguridad" }, { "checklist": "Azure Landing Zone Review", - "guid": "3829e7e3-1618-4368-9a04-77a209945bda", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "Entra", "severity": "Medio", - "text": "Administre las asignaciones de directivas en el nivel más alto adecuado con exclusiones en los niveles inferiores, si es necesario.", + "text": "Utilice solo grupos para asignar permisos. Agregue grupos locales al grupo solo de ID de Entra si ya existe un sistema de administración de grupos.", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "Seguridad" }, { "checklist": "Azure Landing Zone Review", - "guid": "43334f24-9116-4341-a2ba-527526944008", - "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", - "service": "Policy", + "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", + "service": "Entra", "severity": "Bajo", - "text": "Use Azure Policy para controlar qué servicios pueden aprovisionar los usuarios en el nivel de suscripción o grupo de administración", + "text": "Aplicación de directivas de acceso condicional de Microsoft Entra ID para cualquier usuario con derechos en entornos de Azure", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", "waf": "Seguridad" }, { + "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - 
"service": "Policy", - "severity": "Medio", - "text": null, - "waf": null - }, - { - "checklist": "Azure Landing Zone Review", - "description": "La asignación del rol Colaborador de directivas de recursos a ámbitos específicos le permite delegar la administración de directivas a los equipos pertinentes. Por ejemplo, un equipo de TI central puede supervisar las directivas a nivel de grupo de administración, mientras que los equipos de aplicaciones se encargan de las directivas de sus suscripciones, lo que permite la gobernanza distribuida con el cumplimiento de los estándares de la organización.", - "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", - "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", - "service": "Policy", - "severity": "Medio", - "text": "Asigne el rol integrado Colaborador de directivas de recursos en un ámbito determinado para habilitar la gobernanza de nivel de aplicación.", - "waf": null + "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", + "service": "Entra", + "severity": "Alto", + "text": "Aplicación de la autenticación multifactor para cualquier usuario con derechos en los entornos de Azure", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "waf": "Seguridad" }, { "checklist": "Azure Landing Zone Review", - "guid": "19048384-5c98-46cb-8913-156a12476e49", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "guid": "14658d35-58fd-4772-99b8-21112df27ee4", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "Entra", "severity": "Medio", - "text": "Limite el número de asignaciones de Azure Policy realizadas en el ámbito del grupo de administración raíz para evitar la administración a través de exclusiones en ámbitos heredados.", - "waf": 
null + "text": "Aplique la administración de identidades privilegiadas (PIM) de Microsoft Entra ID para establecer el acceso permanente cero y los privilegios mínimos", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Seguridad" }, { "checklist": "Azure Landing Zone Review", - "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", - "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", - "service": "Policy", + "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", + "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", + "service": "Entra", "severity": "Medio", - "text": "Si existen requisitos de soberanía de datos, se pueden implementar directivas de Azure para aplicarlos", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "text": "Si planea cambiar de servicios de dominio de Active Directory a servicios de dominio de Entra, evalúe la compatibilidad de todas las cargas de trabajo", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", "waf": "Seguridad" }, { "checklist": "Azure Landing Zone Review", - "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", - "service": "Policy", + "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", + "service": "Entra", "severity": "Medio", - "text": "En el caso de la Zona de Aterrizaje Soberana, la iniciativa política de referencia de la política de soberanía se despliega y asigna al nivel correcto de MG.", - "waf": null + "text": "Integre los registros de identificador de Microsoft Entra con Azure Monitor central de la plataforma. 
Azure Monitor permite una única fuente de información en torno a los datos de registro y supervisión en Azure, lo que ofrece a las organizaciones opciones nativas en la nube para cumplir los requisitos relacionados con la recopilación y retención de registros.", + "waf": "Seguridad" }, { + "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", - "service": "Policy", - "severity": null, - "text": "En el caso de la Zona de Aterrizaje Soberana, se documentan los objetivos de control soberano para el mapeo de políticas.", + "guid": "984a859c-773e-47d2-9162-3a765a917e1f", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + "service": "Entra", + "severity": "Alto", + "text": "Implemente un acceso de emergencia o cuentas de emergencia para evitar el bloqueo de cuentas en todo el inquilino", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Seguridad" }, { "checklist": "Azure Landing Zone Review", - "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", - "service": "Policy", + "guid": "35037e68-9349-4c15-b371-228514f4cdff", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "Entra", "severity": "Medio", - "text": "En el caso de la Zona de Aterrizaje Soberana, existe un proceso para el CRUD de \"Objetivos de Control Soberano para el mapeo de políticas\".", + "text": "Evite el uso de cuentas sincronizadas locales para las asignaciones de roles de identificador de Microsoft Entra.", + "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", "waf": "Seguridad" }, { "checklist": "Azure Landing Zone Review", - "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": 
"Monitor", + "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Entra", "severity": "Medio", - "text": null, - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "waf": "Operaciones" + "text": "Cuando sea necesario, use Microsoft Entra ID Application Proxy para proporcionar a los usuarios remotos acceso seguro y autenticado a las aplicaciones internas (hospedadas en la nube o en el entorno local).", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Seguridad" }, { "checklist": "Azure Landing Zone Review", - "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Monitor", + "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", + "service": "VNet", "severity": "Medio", - "text": "Exporte los registros a Azure Storage si los requisitos de retención de registros superan los doce años. 
Use el almacenamiento inmutable con una directiva de escritura única y lectura múltiple para que los datos no se puedan borrar ni modificar durante un intervalo especificado por el usuario.", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": null + "text": "Aproveche un diseño de red basado en la topología de red radial tradicional para escenarios de red que requieren la máxima flexibilidad.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Seguridad" }, { + "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", - "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", - "service": "VM", - "severity": "Medio", - "text": "Supervise el desfase de configuración de la máquina virtual (VM) a nivel de sistema operativo mediante Azure Policy. La habilitación de las funcionalidades de auditoría de Azure Automanage Machine Configuration a través de la directiva ayuda a las cargas de trabajo del equipo de aplicaciones a consumir inmediatamente las funcionalidades de características con poco esfuerzo.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Operaciones" + "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/expressroute", + "service": "VNet", + "severity": "Alto", + "text": "Asegúrese de que los servicios de redes compartidas, incluidas las puertas de enlace de ExpressRoute, las puertas de enlace de VPN y Azure Firewall o las aplicaciones virtuales de red de asociados en la red virtual del centro central. 
Si es necesario, implemente también servidores DNS.", + "waf": "Costar" }, { "checklist": "Azure Landing Zone Review", - "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", - "service": "VM", + "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "VNet", "severity": "Medio", - "text": "Use Azure Update Manager como mecanismo de aplicación de revisiones para máquinas virtuales Windows y Linux en Azure.", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", - "waf": "Operaciones" + "text": "Use una red DDoS o planes de protección IP para todas las direcciones IP públicas en las zonas de aterrizaje de la aplicación.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Seguridad" }, { "checklist": "Azure Landing Zone Review", - "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", - "service": "VM", + "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", + "service": "NVA", "severity": "Medio", - "text": null, - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", - "waf": "Operaciones" + "text": "Al implementar tecnologías de redes de asociados o aplicaciones virtuales de red, siga las instrucciones del proveedor de asociados", + "waf": "Fiabilidad" }, { + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "90483845-c986-4cb2-a131-56a12476e49f", - "link": 
"https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Network Watcher", - "severity": "Medio", - "text": "Utilice Network Watcher para supervisar de forma proactiva los flujos de tráfico", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "Operaciones" + "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", + "service": "ExpressRoute", + "severity": "Bajo", + "text": "Si necesita el tránsito entre ExpressRoute y las puertas de enlace de VPN en escenarios radiales, use Azure Route Server.", + "waf": "Seguridad" }, { "checklist": "Azure Landing Zone Review", - "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Monitor", - "severity": "Medio", - "text": "Use los registros de Azure Monitor para obtener información e informes.", - "waf": "Operaciones" + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", + "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", + "service": "ARS", + "severity": "Bajo", + "text": "Si utiliza el servidor de rutas, utilice un prefijo /27 para la subred del servidor de rutas.", + "waf": "Seguridad" }, { "checklist": "Azure Landing Zone Review", - "guid": "97be9951-9048-4384-9c98-6cb2913156a1", - 
"link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", - "service": "Monitor", - "severity": null, - "text": null, - "waf": "Operaciones" + "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", + "service": "VNet", + "severity": "Medio", + "text": "En el caso de las arquitecturas de red con varias topologías en estrella tipo hub-and-spoke en las regiones de Azure, use emparejamientos de red virtual global entre las redes virtuales del centro para conectar las regiones entre sí.", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", + "waf": "Rendimiento" }, { "checklist": "Azure Landing Zone Review", - "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "Monitor", + "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", + "service": "VNet", "severity": "Medio", - "text": "Al usar el seguimiento de cambios e inventario a través de cuentas de Azure Automation, asegúrese de que ha seleccionado las regiones admitidas para vincular el área de trabajo de Log Analytics y las cuentas de automatización.", + "text": "Use Azure Monitor para redes para supervisar el estado de un extremo a otro de las redes en Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", "waf": "Operaciones" }, { "checklist": "Azure Landing Zone Review", - "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Backup", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by 
id | extend compliant = (peeringcount < 450) | distinct id,compliant", + "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", "severity": "Medio", - "text": "Al usar Azure Backup, tenga en cuenta los diferentes tipos de copia de seguridad (GRS, ZRS Y LRS), ya que la configuración predeterminada es GRS", + "text": "Al conectar redes virtuales de radio a la red virtual del centro central, tenga en cuenta los límites de emparejamiento de red virtual (500), el número máximo de prefijos que se pueden anunciar a través de ExpressRoute (1000)", "waf": "Fiabilidad" }, { "checklist": "Azure Landing Zone Review", - "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "VM", + "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", + "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", "severity": "Medio", - "text": "Use directivas de Azure para implementar automáticamente configuraciones de software a través de extensiones de máquina virtual y aplicar una configuración de máquina virtual de línea base compatible.", - "waf": "Seguridad" + "text": "Tenga en cuenta el límite de rutas por tabla de rutas (400).", + "waf": "Fiabilidad" }, { + "ammp": true, "checklist": "Azure Landing Zone Review", - "description": "Las características de configuración de invitado de Azure Policy pueden auditar y corregir la 
configuración de la máquina (por ejemplo, el sistema operativo, la aplicación, el entorno) para asegurarse de que los recursos se alinean con las configuraciones esperadas, y Update Management puede aplicar la administración de revisiones para las máquinas virtuales.", - "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "VM", - "severity": "Medio", - "text": "Supervise el desfase de la configuración de seguridad de la máquina virtual a través de Azure Policy.", - "waf": "Seguridad" + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", + "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", + "service": "VNet", + "severity": "Alto", + "text": "Use la opción \"Permitir tráfico a la red virtual remota\" al configurar emparejamientos de red virtual", + "waf": "Fiabilidad" }, { + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", + "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", + "service": "ExpressRoute", "severity": "Medio", - "text": "Use Azure Site Recovery para escenarios de recuperación ante desastres de Azure a Azure Virtual Machines. 
Esto le permite replicar cargas de trabajo en todas las regiones.", - "waf": "Operaciones" + "text": "Cuando use ExpressRoute Direct, configure MACsec para cifrar el tráfico en el nivel de capa dos entre los enrutadores de la organización y MSEE. El diagrama muestra este cifrado en el flujo.", + "waf": "Seguridad" }, { + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "Backup", - "severity": "Medio", - "text": "Use funcionalidades de copia de seguridad nativas de Azure o una solución de copia de seguridad de terceros compatible con Azure.", - "waf": "Operaciones" + "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", + "service": "ExpressRoute", + "severity": "Bajo", + "text": "En escenarios en los que MACsec no es una opción (por ejemplo, no usar ExpressRoute Direct), use una puerta de enlace de VPN para establecer túneles IPsec a través del emparejamiento privado de ExpressRoute.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Seguridad" }, { "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "826c5c45-bb79-4951-a812-e3bfbfd7326b", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "VM", + "guid": "558fd772-49b8-4211-82df-27ee412e7f98", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "ExpressRoute", "severity": "Alto", - "text": "Aproveche las zonas de disponibilidad para las máquinas virtuales en las regiones en las que se admiten.", - "waf": "Fiabilidad" + "text": "Asegúrese de que no se usan espacios de direcciones IP superpuestos en las 
regiones de Azure y las ubicaciones locales", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Seguridad" + }, + { + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", + "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", + "severity": "Bajo", + "text": "Utilice direcciones IP de los rangos de asignación de direcciones para Internet privadas (RFC 1918).", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Seguridad" }, { "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "7ccb7c06-5511-42df-8177-d97f08d0337d", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "VM", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", + "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", "severity": "Alto", - "text": "Evite 
ejecutar una carga de trabajo de producción en una sola máquina virtual.", - "waf": "Fiabilidad" + "text": "Asegúrese de que no se desperdicie espacio de direcciones IP, no cree redes virtuales innecesariamente grandes (por ejemplo, /16)", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Rendimiento" }, { + "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "84101f59-1941-4195-a270-e28034290e3a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", - "severity": "Medio", - "text": "Azure Load Balancer y Application Gateway distribuyen el tráfico de red entrante entre varios recursos.", + "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", + "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", + "service": "VNet", + "severity": "Alto", + "text": "Evite el uso de intervalos de direcciones IP superpuestos para los sitios de producción y recuperación ante desastres.", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", "waf": "Fiabilidad" }, { - "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "WAF", - "severity": "Alto", - "text": "Agregue la configuración de diagnóstico para guardar los registros de WAF de los servicios de entrega de aplicaciones, como Azure Front Door y Azure Application Gateway. 
Revise periódicamente los registros para comprobar si hay ataques y detecciones de falsos positivos.", + "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", + "service": "DNS", + "severity": "Medio", + "text": "En entornos en los que la resolución de nombres en Azure es todo lo que se requiere, use Azure Private DNS para la resolución con una zona delegada para la resolución de nombres (como \"azure.contoso.com\").", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", "waf": "Operaciones" }, { "checklist": "Azure Landing Zone Review", - "guid": "7f408960-c626-44cb-a018-347c8d790cdf", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "WAF", + "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", + "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", + "service": "DNS", "severity": "Medio", - "text": "Envíe registros de WAF desde los servicios de entrega de aplicaciones, como Azure Front Door y Azure Application Gateway, a Microsoft Sentinel. 
Detecte ataques e integre la telemetría de WAF en su entorno general de Azure.", + "text": "En el caso de los entornos en los que se requiere la resolución de nombres en Azure y en el entorno local, considere la posibilidad de usar Azure DNS Private Resolver.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", + "waf": "Seguridad" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", + "service": "DNS", + "severity": "Bajo", + "text": "Las cargas de trabajo especiales que requieren e implementan su propio DNS (como Red Hat OpenShift) deben utilizar su solución DNS preferida.", "waf": "Operaciones" }, { "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "5017f154-e3ab-4369-9829-e7e316183687", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "Key Vault", + "guid": "614658d3-558f-4d77-849b-821112df27ee", + "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", + "service": "DNS", "severity": "Alto", - "text": "Uso de Azure Key Vault para almacenar los secretos y las credenciales", - "waf": "Seguridad" + "text": "Habilite el registro automático de Azure DNS para administrar automáticamente el ciclo de vida de los registros DNS de las máquinas virtuales implementadas en una red virtual.", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "Operaciones" }, { "checklist": "Azure Landing Zone Review", - "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| 
where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", - "guid": "a0477a20-9945-4bda-9333-4f2491163418", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", - "service": "Key Vault", + "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", + "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", + "service": "Bastion", "severity": "Medio", - "text": "Use diferentes instancias de Azure Key Vaults para diferentes aplicaciones y regiones para evitar límites de escala de transacciones y restringir el acceso a los secretos.", + "text": "Considere la posibilidad de usar Azure Bastion para conectarse de forma segura a la red.", "waf": "Seguridad" }, { "checklist": "Azure Landing Zone Review", - "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", + "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", + "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", + "service": "Bastion", "severity": "Medio", - "text": "Aprovisione Azure Key Vault con las directivas de eliminación temporal y purga habilitadas para permitir la protección de retención de los objetos eliminados.", + "text": "Use Azure Bastion en una subred /26 o superior.", "waf": "Seguridad" }, { "checklist": "Azure Landing Zone Review", - "guid": "dc055bcf-619e-48a1-9f98-879525d62688", - 
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "WAF", "severity": "Medio", - "text": "Siga un modelo de privilegios mínimos limitando la autorización para eliminar claves, secretos y certificados de forma permanente a roles de identificador personalizados especializados de Microsoft Entra.", + "text": "Use directivas de Azure Front Door y WAF para proporcionar protección global en todas las regiones de Azure para las conexiones HTTP/S entrantes a una zona de aterrizaje.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Seguridad" }, { "checklist": "Azure Landing Zone Review", - "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Medio", - "text": "Automatice el proceso de gestión y renovación de certificados con autoridades de certificación públicas para facilitar la administración.", + "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", + "severity": "Bajo", + "text": "Al usar Azure Front Door y Azure Application Gateway para ayudar a proteger las aplicaciones HTTP/S, use directivas de WAF en Azure Front Door. 
Bloquee Azure Application Gateway para recibir tráfico solo de Azure Front Door.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Seguridad" }, { + "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "913156a1-2476-4e49-b541-acdce979377b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Medio", - "text": "Establezca un proceso automatizado para la rotación de claves y certificados.", + "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", + "severity": "Alto", + "text": "La implementación de WAF y otros servidores proxy inversos son necesarios para las conexiones HTTP/S entrantes, impleméntelos dentro de una red virtual de zona de aterrizaje y junto con las aplicaciones que protegen y exponen a Internet.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "Seguridad" }, { + "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Medio", - "text": "Habilite el firewall y el punto de conexión de servicio de red virtual o el punto de conexión privado en el almacén para controlar el acceso al almacén de claves.", + "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", + "severity": "Alto", + "text": "Use planes de protección IP o de red DDoS de Azure para ayudar a proteger los puntos de conexión de direcciones IP públicas dentro de las redes virtuales.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Seguridad" }, { + "ammp": true, "checklist": "Azure 
Landing Zone Review", - "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", - "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", - "service": "Key Vault", - "severity": "Medio", - "text": "Use el área de trabajo de Log Analytics de Azure Monitor central de la plataforma para auditar el uso de claves, certificados y secretos en cada instancia de Key Vault.", - "waf": "Seguridad" + "guid": "b034c01e-110b-463a-b36e-e3346e57f225", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", + "service": "VNet", + "severity": "Alto", + "text": "Evalúe y revise la configuración y la estrategia del tráfico saliente de la red antes del próximo cambio importante. El 30 de septiembre de 2025, se retirará el acceso saliente predeterminado para las nuevas implementaciones y solo se permitirán las configuraciones de acceso explícitas", + "waf": "Fiabilidad" }, { + "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Medio", - "text": "Delegue la creación de instancias de Key Vault y el acceso con privilegios, y use Azure Policy para aplicar una configuración coherente y compatible.", + "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", + "severity": "Alto", + "text": "Agregue configuraciones de diagnóstico para guardar registros relacionados con DDoS para todas las direcciones IP públicas protegidas (DDoS IP o Protección de red).", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Seguridad" }, { + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "91163418-2ba5-4275-8694-4008be7d7e48", - "link": 
"https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli", + "service": "ExpressRoute", "severity": "Medio", - "text": "Use una instancia de Azure Key Vault por aplicación, por entorno, por región.", - "waf": "Seguridad" + "text": "Asegúrese de que ha investigado la posibilidad de usar ExpressRoute como conexión principal a Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Rendimiento" }, { + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "25d62688-6d70-4ba6-a97b-e99519048384", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "description": "Puede usar la anteposición de AS y los pesos de conexión para influir en el tráfico de Azure al entorno local, y la gama completa de atributos de BGP en sus propios enrutadores para influir en el tráfico del entorno local a Azure.", + "guid": "f29812b2-363c-4efe-879b-599de0d5973c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", + "service": "ExpressRoute", "severity": "Medio", - "text": "Si desea traer sus propias claves, es posible que esto no sea compatible con todos los servicios considerados. Implemente la mitigación pertinente para que las inconsistencias no obstaculicen los resultados deseados. 
Elija los pares de regiones y las regiones de recuperación ante desastres adecuados que minimicen la latencia.", - "waf": "Seguridad" + "text": "Cuando use varios circuitos ExpressRoute o varias ubicaciones locales, asegúrese de optimizar el enrutamiento con atributos BGP, si se prefieren determinadas rutas de acceso.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidad" }, { + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", - "link": "https://learn.microsoft.com/industry/sovereignty/key-management", - "service": "Key Vault", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", + "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", + "service": "ExpressRoute", "severity": "Medio", - "text": "En el caso de la zona de aterrizaje soberana, use el HSM administrado de Azure Key Vault para almacenar los secretos y las credenciales.", - "waf": "Seguridad" + "text": "Asegúrese de que usa la SKU correcta para las puertas de enlace de ExpressRoute/VPN en función de los requisitos de ancho de banda y rendimiento.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Rendimiento" }, { + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", - "service": 
"Entra", - "severity": "Medio", - "text": "Use las funcionalidades de informes de Microsoft Entra ID para generar informes de auditoría de control de acceso.", - "waf": "Seguridad" + "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", + "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", + "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", + "service": "ExpressRoute", + "severity": "Alto", + "text": "Asegúrese de que usa circuitos ExpressRoute de datos ilimitados solo si alcanza el ancho de banda que justifica su costo.", + "waf": "Costar" }, { "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "09945bda-4333-44f2-9911-634182ba5275", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", - "service": "Defender", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", + "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", + "service": "ExpressRoute", "severity": "Alto", - "text": "Habilite la administración de la posición de seguridad en la nube de Defender para todas las suscripciones.", - "waf": "Seguridad" + "text": "Aproveche la SKU local de ExpressRoute para reducir el costo de los circuitos, si la ubicación de emparejamiento de los circuitos admite las regiones de Azure para la SKU 
local.", + "waf": "Costar" }, { - "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", - "service": "Defender", - "severity": "Alto", - "text": "Habilite un plan de protección de cargas de trabajo en la nube de Defender para servidores en todas las suscripciones.", - "waf": "Seguridad" + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", + "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", + "service": "ExpressRoute", + "severity": "Medio", + "text": "Implemente una puerta de enlace de ExpressRoute con redundancia de zona en las regiones de Azure admitidas.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidad" }, { - "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", - "service": "Defender", - "severity": "Alto", - "text": "Habilite los planes de protección de cargas de trabajo en la nube de Defender para recursos de Azure en todas las suscripciones.", - "waf": "Seguridad" + "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", + 
"severity": "Medio", + "text": "En escenarios que requieren un ancho de banda superior a 10 Gbps o puertos dedicados de 10/100 Gbps, use ExpressRoute Direct.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Rendimiento" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", + "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", + "service": "ExpressRoute", + "severity": "Medio", + "text": "Cuando se requiera una latencia baja o el rendimiento del entorno local a Azure sea superior a 10 Gbps, habilite FastPath para omitir la puerta de enlace de ExpressRoute de la ruta de acceso de datos.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Rendimiento" + }, + { + "arm-service": "microsoft.network/vpnGateways", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", + "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", + "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", + "service": "VPN", + "severity": "Medio", + "text": "Use puertas de enlace de VPN con redundancia de zona para conectar sucursales o ubicaciones remotas a Azure (donde estén disponibles).", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "Fiabilidad" + }, + { + "arm-service": "microsoft.network/vpnGateways", + "checklist": "Azure Landing Zone Review", + "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", + "service": "VPN", + "severity": "Medio", + "text": "Use dispositivos VPN redundantes en las 
instalaciones (activo/activo o activo/pasivo).", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "Fiabilidad" }, { "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", - "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", - "service": "VM", + "guid": "718cb437-b060-2589-8856-2e93a5c6633b", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", + "service": "ExpressRoute", "severity": "Alto", - "text": "Habilite Endpoint Protection en servidores IaaS.", - "waf": "Seguridad" + "text": "Si usa ExpressRoute Direct, considere la posibilidad de usar circuitos locales de ExpressRoute a las regiones locales de Azure para ahorrar costos", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Costar" }, { + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", - "link": "https://learn.microsoft.com/azure/security-center/", - "service": "VM", + "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", + "service": "ExpressRoute", "severity": "Medio", - "text": "Supervise el desfase de revisiones del sistema operativo base a través de los registros de Azure Monitor y Defender for Cloud.", + "text": "Cuando se requiere aislamiento de tráfico o ancho de banda dedicado, por ejemplo, para separar entornos de producción y no de producción, use circuitos ExpressRoute diferentes. 
Le ayudará a garantizar dominios de enrutamiento aislados y a aliviar los riesgos de vecinos ruidosos.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Seguridad" }, { + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", + "guid": "b30e38c3-f298-412b-8363-cefe179b599d", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", + "service": "ExpressRoute", "severity": "Medio", - "text": "Conecte las configuraciones de recursos predeterminadas a un área de trabajo centralizada de Log Analytics de Azure Monitor.", - "waf": "Seguridad" + "text": "Supervise la disponibilidad y el uso de ExpressRoute mediante Express Route Insights integrado.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operaciones" }, { + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", - "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", - "service": "Entra", + "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", + "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", + "service": "ExpressRoute", "severity": "Medio", - "text": "En el caso de la zona de aterrizaje soberana, los registros de transparencia están habilitados en el inquilino de Entra ID.", - "waf": "Seguridad" + "text": "Use el Monitor de conexión para la supervisión de la conectividad en toda la red, especialmente entre el entorno local y Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operaciones" }, { + "arm-service": 
"microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", - "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", - "service": "Entra", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", + "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#challenges-of-using-multiple-expressroute-circuits", + "service": "ExpressRoute", "severity": "Medio", - "text": "En el caso de la zona de aterrizaje soberana, la caja de seguridad del cliente está habilitada en el inquilino de Entra ID.", - "waf": "Seguridad" + "text": "Use circuitos ExpressRoute de diferentes ubicaciones de emparejamiento para obtener redundancia.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidad" }, { - "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Storage", - "severity": "Alto", - "text": "La transferencia segura a cuentas de almacenamiento debe estar habilitada", - "waf": "Seguridad" + "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", + "link": 
"https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", + "service": "ExpressRoute", + "severity": "Medio", + "text": "Use VPN de sitio a sitio como conmutación por error de ExpressRoute, especialmente si solo usa un único circuito ExpressRoute.", + "waf": "Fiabilidad" }, { "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", - "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", - "service": "Storage", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", + "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", + "service": "ExpressRoute", "severity": "Alto", - "text": "Habilite la eliminación temporal del contenedor para que la cuenta de almacenamiento recupere un contenedor eliminado y su contenido.", - "waf": "Seguridad" + "text": "Si utiliza una tabla de rutas en GatewaySubnet, asegúrese de que las rutas de puerta de enlace se propagan.", + "waf": "Fiabilidad" }, { "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", - "service": "Key Vault", + "guid": "d581a947-69a2-4783-942e-9df3664324c8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", + "service": "ExpressRoute", "severity": "Alto", - "text": "Use secretos de Key Vault para evitar codificar de forma rígida información confidencial, como credenciales (máquinas virtuales, contraseñas de usuario), certificados o claves.", - "waf": "Operaciones" - }, - { - "checklist": "Azure API Management Review", - "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", - "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", - "service": "APIM", - "severity": "Medio", - "text": "Implementar una política de control de errores a nivel global", - "waf": "Operaciones" - }, - { - "checklist": "Azure API Management Review", - "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", - "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", - "service": "APIM", - "severity": "Medio", - "text": "Asegúrese de que todas las políticas de API incluyan un elemento.", - "waf": "Operaciones" + "text": "Si usa ExpressRoute, el enrutamiento local debe ser dinámico: en caso de que se produzca un error de conexión, debe converger a la conexión restante del circuito. 
La carga debe compartirse entre ambas conexiones, idealmente como activa/activa, aunque también se admite activa/pasiva.", + "waf": "Fiabilidad" }, { - "checklist": "Azure API Management Review", - "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", - "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", - "service": "APIM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", + "service": "ExpressRoute", "severity": "Medio", - "text": "Uso de fragmentos de políticas para evitar repetir las mismas definiciones de políticas en varias API", - "waf": "Operaciones" + "text": "Asegúrese de que los dos vínculos físicos del circuito ExpressRoute están conectados a dos dispositivos perimetrales distintos de la red.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidad" }, { - "checklist": "Azure API Management Review", - "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", - "link": "https://learn.microsoft.com/azure/api-management/monetization-support", - "service": "APIM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", + "service": "ExpressRoute", "severity": "Medio", - "text": "Si planeas monetizar tus API, revisa el artículo \"Soporte de monetización\" para conocer las prácticas recomendadas", - "waf": "Operaciones" + "text": "Asegúrese de que la detección de reenvío bidireccional (BFD) esté habilitada y configurada en los dispositivos de enrutamiento perimetral del cliente o proveedor.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidad" 
}, { - "checklist": "Azure API Management Review", - "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", - "service": "APIM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "ExpressRoute", "severity": "Alto", - "text": "Habilitación de la configuración de diagnóstico para exportar registros a Azure Monitor", - "waf": "Operaciones" + "text": "Conecte la puerta de enlace de ExpressRoute a dos o más circuitos de diferentes ubicaciones de emparejamiento para una mayor resistencia.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidad" }, { - "checklist": "Azure API Management Review", - "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", - "service": "APIM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", + "service": "ExpressRoute", "severity": "Medio", - "text": "Habilitación de Application Insights para obtener telemetría más detallada", - "waf": "Operaciones" - }, - { - "checklist": "Azure API Management Review", - "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", - "service": "APIM", - "severity": "Alto", - "text": "Configurar alertas sobre las métricas más críticas", + "text": "Configure registros de diagnóstico y alertas para la puerta de 
enlace de red virtual de ExpressRoute.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Operaciones" }, { - "checklist": "Azure API Management Review", - "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", - "service": "APIM", - "severity": "Alto", - "text": "Asegúrese de que los certificados SSL personalizados se almacenan en Azure Key Vault para que se pueda acceder a ellos y actualizarlos de forma segura", - "waf": "Seguridad" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "5234c93f-b651-41dd-80c1-234177b91ced", + "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", + "service": "ExpressRoute", + "severity": "Medio", + "text": "Evite el uso de circuitos ExpressRoute para la comunicación de red virtual a red virtual.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Rendimiento" }, { - "checklist": "Azure API Management Review", - "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", - "service": "APIM", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", + "link": "https://learn.microsoft.com/azure/app-service/networking-features", + "service": "Firewall", "severity": "Alto", - "text": "Protección de las solicitudes entrantes a las API (plano de datos) con Azure AD", + "text": "Use Azure Firewall para controlar el 
tráfico saliente de Azure a Internet, las conexiones entrantes que no son HTTP/S y el filtrado del tráfico Este/Oeste (si la organización lo requiere)", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Seguridad" }, { - "checklist": "Azure API Management Review", - "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", - "service": "APIM", + "checklist": "Azure Landing Zone Review", + "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", + "service": "Firewall", "severity": "Medio", - "text": "Usar el identificador de Microsoft Entra para autenticar a los usuarios en el Portal para desarrolladores", + "text": "Cree una directiva global de Azure Firewall para controlar la posición de seguridad en todo el entorno de red global y asígnela a todas las instancias de Azure Firewall. 
Permita que las directivas granulares satisfagan los requisitos de regiones específicas delegando directivas de firewall incrementales a los equipos de seguridad locales a través del control de acceso basado en roles de Azure.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Seguridad" }, { - "checklist": "Azure API Management Review", - "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", - "service": "APIM", - "severity": "Medio", - "text": "Crear grupos adecuados para controlar la visibilidad de los productos", + "checklist": "Azure Landing Zone Review", + "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", + "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", + "service": "Firewall", + "severity": "Bajo", + "text": "Configure los proveedores de seguridad SaaS de socios compatibles dentro de Firewall Manager si la organización desea utilizar dichas soluciones para ayudar a proteger las conexiones salientes.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Seguridad" }, { - "checklist": "Azure API Management Review", - "guid": "06862505-2d9a-4874-9491-2837b00a3475", - "link": "https://learn.microsoft.com/azure/api-management/backends", - "service": "APIM", - "severity": "Medio", - "text": "Utilice la función Backends para eliminar las configuraciones redundantes de back-end de la API", - "waf": "Operaciones" - }, - { - "checklist": "Azure API Management Review", - "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", - "service": "APIM", - "severity": "Medio", - "text": "Usar valores con nombre para almacenar valores comunes que se pueden usar en directivas", - "waf": "Operaciones" + "ammp": true, + "checklist": "Azure Landing 
Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", + "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", + "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", + "service": "Firewall", + "severity": "Alto", + "text": "Use reglas de red basadas en FQDN y Azure Firewall con proxy DNS para filtrar el tráfico de salida a Internet a través de protocolos no admitidos por las reglas de aplicación.", + "waf": "Seguridad" }, { - "checklist": "Azure API Management Review", - "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", - "service": "APIM", - "severity": "Medio", - "text": "En el caso de la recuperación ante desastres, aproveche el nivel premium con implementaciones escaladas en dos o más regiones para un acuerdo de nivel de servicio del 99,99 %", - "waf": "Fiabilidad" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", + "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", + "link": "https://learn.microsoft.com/azure/firewall/premium-features", + "service": "Firewall", + "severity": "Alto", + "text": "Use Azure Firewall Premium para obtener seguridad y protección adicionales.", + "waf": "Seguridad" }, { - "checklist": "Azure API Management Review", - "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", - "link": "https://learn.microsoft.com/azure/api-management/high-availability", - "service": "APIM", - "severity": "Medio", - "text": "Implemente al menos una unidad en dos o más zonas de disponibilidad para obtener un SLA aumentado del 99,99 %", - "waf": "Fiabilidad" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "graph": "resources | where 
type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", + "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", + "link": "https://learn.microsoft.com/azure/firewall/premium-features", + "service": "Firewall", + "severity": "Alto", + "text": "Configure el modo de inteligencia sobre amenazas de Azure Firewall en Alerta y denegación para obtener protección adicional.", + "waf": "Seguridad" }, { - "checklist": "Azure API Management Review", - "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", - "service": "APIM", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", + "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", + "service": "Firewall", "severity": "Alto", - "text": "Asegúrese de que haya una rutina de copia de seguridad automatizada", - "waf": "Fiabilidad" + "text": "Configure el modo IDPS de Azure Firewall en Denegar para obtener protección adicional.", + "waf": "Seguridad" }, { - "checklist": "Azure API Management Review", - "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", - "link": "https://learn.microsoft.com/azure/api-management/retry-policy", - "service": "APIM", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in 
('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", + "guid": "a3784907-9836-4271-aafc-93535f8ec08b", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "service": "Firewall", + "severity": "Alto", + "text": "En el caso de las subredes de las redes virtuales que no están conectadas a Virtual WAN, adjunte una tabla de rutas para que el tráfico de Internet se redirija a Azure Firewall o a una aplicación virtual de red", + "waf": "Seguridad" + }, + { + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "715d833d-4708-4527-90ac-1b142c7045ba", + "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", + "service": "Firewall", "severity": "Medio", - "text": "Use directivas para agregar una dirección URL de back-end de conmutación por error y el almacenamiento en caché para reducir las llamadas con errores.", - "waf": "Fiabilidad" + "text": "Agregue la configuración de diagnóstico para guardar registros, mediante la tabla de destino Recurso específico, para todas las implementaciones de Azure Firewall.", + "training": 
"https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Operaciones" }, { - "checklist": "Azure API Management Review", - "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", - "service": "APIM", - "severity": "Bajo", - "text": "Si necesita iniciar sesión en niveles de alto rendimiento, tenga en cuenta la directiva de Event Hubs", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", + "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", + "service": "Firewall", + "severity": "Importante", + "text": "Migre de las reglas de Azure Firewall clásico (si existen) a la directiva de firewall.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Operaciones" }, { - "checklist": "Azure API Management Review", - "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", - "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", - "service": "APIM", - "severity": "Medio", - "text": "Aplicación de directivas de limitación para controlar el número de solicitudes por segundo", - "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", - "waf": "Rendimiento" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", + "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", + "link": 
"https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", + "service": "Firewall", + "severity": "Alto", + "text": "Use un prefijo /26 para las subredes de Azure Firewall.", + "waf": "Seguridad" }, { - "checklist": "Azure API Management Review", - "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", - "service": "APIM", + "checklist": "Azure Landing Zone Review", + "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", + "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", + "service": "Firewall", "severity": "Medio", - "text": "Configurar el escalado automático para escalar horizontalmente el número de instancias cuando aumenta la carga", + "text": "Organice las reglas dentro de la directiva de firewall en grupos de recopilación de reglas y colecciones de reglas en función de su frecuencia de uso", "waf": "Rendimiento" }, { - "checklist": "Azure API Management Review", - "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", - "service": "APIM", + "checklist": "Azure Landing Zone Review", + "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", + "link": "https://learn.microsoft.com/azure/firewall/ip-groups", + "service": "Firewall", "severity": "Medio", - "text": "Implemente puertas de enlace autohospedadas en las que Azure no tenga una región cercana a las API de back-end.", + "text": "Utilice grupos de IP o prefijos de IP para reducir el número de reglas de tabla de IP", "waf": "Rendimiento" }, { - "checklist": "Azure API Management Review", - "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", - "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", - "service": "APIM", + "checklist": "Azure Landing Zone Review", + "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", + "link": 
"https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", + "service": "Firewall", "severity": "Medio", - "text": "Use el nivel premium para las cargas de trabajo de producción.", - "waf": "Fiabilidad" + "text": "Evite los comodines como IP de origen para los DNAT, como * o cualquiera, debe especificar las direcciones IP de origen para los DNAT entrantes", + "waf": "Rendimiento" }, { - "checklist": "Azure API Management Review", - "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", - "service": "APIM", + "checklist": "Azure Landing Zone Review", + "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", + "link": "https://learn.microsoft.com/azure/nat-gateway/tutorial-hub-spoke-nat-firewall", + "service": "Firewall", "severity": "Medio", - "text": "En el modelo de varias regiones, use directivas para enrutar las solicitudes a los back-ends regionales en función de la disponibilidad o la latencia.", - "waf": "Fiabilidad" - }, - { - "checklist": "Azure API Management Review", - "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", - "service": "APIM", - "severity": "Alto", - "text": "Tenga en cuenta los límites de APIM", - "waf": "Fiabilidad" + "text": "Evite el agotamiento del puerto SNAT mediante la supervisión del uso del puerto SNAT, la evaluación de la configuración de la puerta de enlace NAT y la garantía de una conmutación por error sin problemas. 
Si el número de puertos se acerca al límite, es una señal de que el agotamiento de SNAT podría ser inminente.", + "waf": "Rendimiento" }, { - "checklist": "Azure API Management Review", - "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", - "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", - "service": "APIM", + "checklist": "Azure Landing Zone Review", + "guid": "346840b8-1064-496e-8396-4b1340172d52", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", + "service": "Firewall", "severity": "Alto", - "text": "Asegúrese de que las implementaciones de puerta de enlace autohospedadas sean resistentes.", - "waf": "Fiabilidad" + "text": "Habilitar la inspección TLS", + "waf": "Rendimiento" }, { - "checklist": "Azure API Management Review", - "guid": "7519e385-a88b-4d34-966b-6269d686e890", - "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", - "service": "APIM", - "severity": "Medio", - "text": "Uso de Azure Front Door delante de APIM para la implementación en varias regiones", + "checklist": "Azure Landing Zone Review", + "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", + "service": "Firewall", + "severity": "Bajo", + "text": "Utilice categorías web para permitir o denegar el acceso saliente a temas específicos.", "waf": "Rendimiento" }, { - "checklist": "Azure API Management Review", - "guid": "cd45c90e-7690-4753-930b-bf290c69c074", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", - "service": "APIM", + "checklist": "Azure Landing Zone Review", + "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", + "link": 
"https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", + "service": "Firewall", "severity": "Medio", - "text": "Implementación del servicio dentro de una red virtual (VNet)", - "waf": "Seguridad" + "text": "Como parte de la inspección de TLS, planee la recepción de tráfico de Azure App Gateways para su inspección.", + "waf": "Rendimiento" }, { - "checklist": "Azure API Management Review", - "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", - "service": "APIM", + "checklist": "Azure Landing Zone Review", + "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", + "link": "https://learn.microsoft.com/azure/firewall/dns-details", + "service": "Firewall", "severity": "Medio", - "text": "Implemente grupos de seguridad de red (NSG) en las subredes para restringir o supervisar el tráfico hacia/desde APIM.", + "text": "Habilitación de la configuración del proxy DNS de Azure Firewall ", "waf": "Seguridad" }, { - "checklist": "Azure API Management Review", - "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", - "service": "APIM", + "checklist": "Azure Landing Zone Review", + "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", + "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", + "service": "Firewall", "severity": "Medio", - "text": "Implemente puntos de conexión privados para filtrar el tráfico entrante cuando APIM no se implemente en una red virtual.", - "waf": "Seguridad" - }, - { - "checklist": "Azure API Management Review", - "guid": 
"d698adbd-3288-44cb-b10a-9b572da395ae", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", - "service": "APIM", - "severity": "Alto", - "text": "Deshabilitar el acceso a la red pública", + "text": "Asegúrese de que haya una asignación de directiva para denegar direcciones IP públicas vinculadas directamente a máquinas virtuales", "waf": "Seguridad" }, { - "checklist": "Azure API Management Review", - "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", - "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", - "service": "APIM", - "severity": "Medio", - "text": "Simplifique la administración con scripts de automatización de PowerShell", + "checklist": "Azure Landing Zone Review", + "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", + "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", + "service": "Firewall", + "severity": "Bajo", + "text": "Integre Azure Firewall con Azure Monitor y habilite el registro de diagnóstico para almacenar y analizar los registros del firewall.", "waf": "Operaciones" }, { - "checklist": "Azure API Management Review", - "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", - "service": "APIM", - "severity": "Medio", - "text": "Configure APIM a través de la infraestructura como código. 
Revise las prácticas recomendadas de DevOps desde el acelerador de zonas de aterrizaje de API de Cloud Adaption Framework", + "checklist": "Azure Landing Zone Review", + "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", + "service": "Firewall", + "severity": "Bajo", + "text": "Implemente copias de seguridad para las reglas de firewall", "waf": "Operaciones" }, { - "checklist": "Azure API Management Review", - "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", - "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", - "service": "APIM", - "severity": "Medio", - "text": "Promover el uso de la extensión APIM de Visual Studio Code para un desarrollo de API más rápido", - "waf": "Operaciones" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "App Gateway", + "severity": "Alto", + "text": "Asegúrese de que la comunicación del plano de control para los servicios PaaS de Azure insertados en una red virtual no se interrumpa, por ejemplo, con una ruta 0.0.0.0/0 o una regla de grupo de seguridad de red que bloquee el tráfico del plano de control.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "Seguridad" }, { - "checklist": "Azure API Management Review", - "guid": "354f1c03-8112-4965-85ad-c0074bddf231", - "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", - "service": "APIM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", + "link": "https://learn.microsoft.com/azure/app-service/networking-features", + "service": "ExpressRoute", "severity": "Medio", - "text": "Implemente DevOps y 
CI/CD en su flujo de trabajo", - "waf": "Operaciones" + "text": "Acceda a los servicios PaaS de Azure desde el entorno local a través de puntos de conexión privados y emparejamiento privado de ExpressRoute. Este método evita el tránsito a través de la Internet pública.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Seguridad" }, { - "checklist": "Azure API Management Review", - "guid": "b6439493-426a-45f3-9697-cf65baee208d", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", - "service": "APIM", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", + "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", + "link": "https://learn.microsoft.com/azure/app-service/networking-features", + "service": "VNet", "severity": "Medio", - "text": "API seguras mediante la autenticación de certificados de cliente", + "text": "No habilite los puntos de conexión de servicio de red virtual de forma predeterminada en todas las subredes.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", "waf": "Seguridad" }, { - "checklist": "Azure API Management Review", - "guid": "2a67d143-1033-4c0a-8732-680896478f08", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", - "service": "APIM", + "checklist": "Azure Landing Zone Review", + "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", + "link": "https://learn.microsoft.com/azure/app-service/networking-features", + "service": "Firewall", 
"severity": "Medio", - "text": "Servicios de back-end seguros mediante la autenticación de certificados de cliente", + "text": "Filtre el tráfico de salida a los servicios PaaS de Azure mediante FQDN en lugar de direcciones IP en Azure Firewall o una aplicación virtual de red para evitar la filtración de datos. Si usa Private Link, puede bloquear todos los FQDN, de lo contrario, permita solo los servicios PaaS necesarios.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", "waf": "Seguridad" }, { - "checklist": "Azure API Management Review", - "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", - "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", - "service": "APIM", - "severity": "Medio", - "text": "Revise el artículo \"Recomendaciones para mitigar las 10 principales amenazas de seguridad de la API de OWASP\" y compruebe qué se aplica a sus API", + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", + "service": "ExpressRoute", + "severity": "Alto", + "text": "Use al menos un prefijo /27 para las subredes de puerta de enlace", "waf": "Seguridad" }, { - "checklist": "Azure API Management Review", - "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", - "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", - "service": "APIM", + "checklist": 
"Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", + "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", + "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", + "service": "NSG", "severity": "Medio", - "text": "Utilice la función Autorizaciones para simplificar la administración del token de OAuth 2.0 para las API de back-end", + "text": "No confíe en las reglas predeterminadas de entrada del grupo de seguridad de red que usan la etiqueta de servicio VirtualNetwork para limitar la conectividad.", "waf": "Seguridad" }, { - "checklist": "Azure API Management Review", - "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", - "service": "APIM", - "severity": "Alto", - "text": "Utilice la versión más reciente de TLS al cifrar la información en tránsito. 
Deshabilite los protocolos y cifrados obsoletos e innecesarios cuando sea posible.", + "checklist": "Azure Landing Zone Review", + "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", + "service": "NSG", + "severity": "Medio", + "text": "Use grupos de seguridad de red para ayudar a proteger el tráfico entre subredes, así como el tráfico este/oeste a través de la plataforma (tráfico entre zonas de aterrizaje).", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", "waf": "Seguridad" }, { - "checklist": "Azure API Management Review", - "guid": "f8af3d94-1d2b-4070-846f-849197524258", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", - "service": "APIM", - "severity": "Alto", - "text": "Asegúrese de que los secretos (valores con nombre) se almacenan en Azure Key Vault para que se pueda acceder a ellos y actualizarlos de forma segura", + "checklist": "Azure Landing Zone Review", + "graph": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)", + "guid": "9c2299c4-d7b5-47d0-a655-562f2b3e4563", + "service": "NSG", + "severity": "Medio", + "text": "El equipo de aplicaciones debe usar grupos de seguridad de aplicaciones en los grupos de seguridad de red de nivel de subred para ayudar a proteger las máquinas virtuales de varios niveles dentro de la zona de aterrizaje.", + "training": 
"https://learn.microsoft.com/learn/paths/implement-network-security/", "waf": "Seguridad" }, { - "checklist": "Azure API Management Review", - "guid": "791abd8b-7706-4e31-9569-afefde724be3", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", - "service": "APIM", + "checklist": "Azure Landing Zone Review", + "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "NSG", "severity": "Medio", - "text": "Uso de identidades administradas para autenticarse en otros recursos de Azure siempre que sea posible", + "text": "Use grupos de seguridad de red y grupos de seguridad de aplicaciones para microsegmentar el tráfico dentro de la zona de aterrizaje y evitar el uso de una aplicación virtual de red central para filtrar los flujos de tráfico.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", "waf": "Seguridad" }, { - "checklist": "Azure API Management Review", - "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", - "service": "APIM", - "severity": "Alto", - "text": "Uso del firewall de aplicaciones web (WAF) mediante la implementación de Application Gateway delante de APIM", + "checklist": "Azure Landing Zone Review", + "guid": "dfe237de-143b-416c-91d7-aa9b64704489", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "NSG", + "severity": "Medio", + "text": "Habilite los registros de flujo de red virtual e introdúzcalos en Análisis de tráfico para obtener información sobre los flujos de 
tráfico internos y externos.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", "waf": "Seguridad" }, { - "checklist": "Azure Bot Service", - "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", - "service": "Bot service", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", + "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "NSG", "severity": "Medio", - "text": "Siga las recomendaciones de soporte técnico de confiabilidad en Azure Bot Service", + "text": "Tenga en cuenta el límite de reglas de grupo de seguridad de red por grupo de seguridad de red (1000).", + "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", "waf": "Fiabilidad" }, { - "checklist": "Azure Bot Service", - "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", - "service": "Bot service", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", + "service": "VWAN", "severity": "Medio", - "text": "Implementación de bots con residencia de datos local y cumplimiento regional", - "waf": "Fiabilidad" + "text": "Considere la posibilidad de utilizar Virtual WAN para simplificar la administración de redes de Azure y asegúrese de que el escenario se describe explícitamente en la lista de diseños de enrutamiento de Virtual WAN", + "training": 
"https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", + "waf": "Operaciones" }, { - "checklist": "Azure Bot Service", - "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", - "service": "Bot service", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "VWAN", "severity": "Medio", - "text": "Azure Bot Service se ejecuta en modo activo-activo para los servicios globales y regionales. Cuando se produce una interrupción, no es necesario detectar errores ni administrar el servicio. Azure Bot Service realiza automáticamente la conmutación por error y la recuperación automáticas en una arquitectura geográfica de varias regiones. En el caso del servicio regional de bots de la UE, Azure Bot Service proporciona dos regiones completas dentro de Europa con replicación activa/activa para garantizar la redundancia. 
En el caso del servicio de bot global, todas las regiones o zonas geográficas disponibles se pueden servir como superficie global.", - "waf": "Fiabilidad" + "text": "Use un centro de conectividad de Virtual WAN por región de Azure para conectar varias zonas de aterrizaje entre sí en las regiones de Azure a través de una instancia global común de Azure Virtual WAN.", + "waf": "Rendimiento" }, { - "checklist": "Device Provisioning Service Review", - "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", - "service": "IoT Hub DPS", - "severity": "Alto", - "text": "Seleccione el plan de hospedaje de aplicaciones lógicas adecuado en función de los requisitos empresariales y de SLO", - "waf": "Fiabilidad" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "VWAN", + "severity": "Bajo", + "text": "Siga el principio \"el tráfico de Azure permanece en Azure\" para que la comunicación entre los recursos de Azure se produzca a través de la red troncal de Microsoft", + "waf": "Rendimiento" }, { - "checklist": "Device Provisioning Service Review", - "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "IoT Hub DPS", - "severity": "Alto", - "text": "Proteja las aplicaciones lógicas de errores de región con redundancia de zona y zonas de disponibilidad", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", + "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", + "link": 
"https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "VWAN", + "severity": "Medio", + "text": "Para la protección y el filtrado del tráfico de Internet saliente, implemente Azure Firewall en centros seguros", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Seguridad" + }, + { + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "VWAN", + "severity": "Medio", + "text": "Asegúrese de que la arquitectura de red está dentro de los límites de Azure Virtual WAN.", "waf": "Fiabilidad" }, { - "checklist": "Device Provisioning Service Review", - "guid": "8aed4fbf-0830-4883-899d-222a154af478", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "IoT Hub DPS", - "severity": "Alto", - "text": "Considere la posibilidad de una estrategia de recuperación ante desastres entre regiones para cargas de trabajo críticas", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", + "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", + "service": "VWAN", + "severity": "Medio", + "text": "Use Azure Monitor Insights para Virtual WAN para supervisar la topología de un extremo a otro de Virtual WAN, el estado y las métricas clave.", + "waf": "Operaciones" + }, + { + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", + "link": 
"https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", + "service": "VWAN", + "severity": "Medio", + "text": "Asegúrese de que las implementaciones de IaC no deshabiliten el tráfico de sucursal a sucursal en Virtual WAN, a menos que estos flujos se bloqueen explícitamente.", "waf": "Fiabilidad" }, { - "checklist": "Device Provisioning Service Review", - "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "IoT Hub DPS", - "severity": "Alto", - "text": "Si se implementa en un entorno aislado, use o migre a App Service Environment (ASE) v3", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", + "service": "VWAN", + "severity": "Medio", + "text": "Use AS-Path como preferencia de enrutamiento del centro, ya que es más flexible que ExpressRoute o VPN.", "waf": "Fiabilidad" }, { - "checklist": "Device Provisioning Service Review", - "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "IoT Hub DPS", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", + "service": "VWAN", "severity": "Medio", - "text": "Aproveche Azure DevOps o GitHub para simplificar la CI/CD y proteger el código de la aplicación lógica", - "waf": "Operaciones" + "text": "Asegúrese de que las implementaciones de IaC configuran la propagación basada en etiquetas en Virtual WAN, de lo contrario, la conectividad entre los centros virtuales se verá afectada.", + "waf": "Fiabilidad" }, { - 
"checklist": "Azure Function Review", - "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", + "ammp": true, + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "9c75dfef-573c-461c-a698-68598595581a", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", + "service": "VWAN", "severity": "Alto", - "text": "Seleccione el plan de hospedaje de funciones adecuado en función de los requisitos de su empresa y SLO", + "text": "Asigne suficiente espacio IP a los centros virtuales, idealmente un prefijo /23.", "waf": "Fiabilidad" }, { - "checklist": "Azure Function Review", - "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "Alto", - "text": "Aproveche las zonas de disponibilidad cuando corresponda regionalmente (no disponible para el nivel de consumo)", - "waf": "Fiabilidad" + "text": "Aproveche Azure Policy estratégicamente, defina controles para su entorno y use iniciativas de directivas para agrupar directivas relacionadas.", + "waf": "Seguridad" }, { - "checklist": "Azure Function Review", - "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", - "service": "Azure Functions", + "checklist": "Azure Landing Zone Review", + "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", + "link": 
"https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "Medio", - "text": "Considere la posibilidad de una estrategia de recuperación ante desastres entre regiones para cargas de trabajo críticas", - "waf": "Fiabilidad" + "text": "Asigne los requisitos normativos y de cumplimiento normativo a las definiciones de Azure Policy y a las asignaciones de roles de Azure.", + "waf": "Seguridad" }, { - "checklist": "Azure Function Review", - "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Azure Functions", - "severity": "Alto", - "text": "Si se implementa en un entorno aislado, use o migre a App Service Environment (ASE) v3", - "waf": "Fiabilidad" + "checklist": "Azure Landing Zone Review", + "guid": "223ace8c-b123-408c-a501-7f154e3ab369", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "Medio", + "text": null, + "waf": "Seguridad" }, { - "checklist": "Azure Function Review", - "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "Azure Functions", - "severity": "Alto", - "text": "Asegúrese de que \"Siempre activado\" esté habilitado para todas las aplicaciones de funciones que se ejecutan en el plan de App Service", - "waf": "Fiabilidad" + "checklist": "Azure Landing Zone Review", + "guid": "3829e7e3-1618-4368-9a04-77a209945bda", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "Medio", + "text": "Administre las asignaciones de directivas en el nivel más alto adecuado con exclusiones en los niveles inferiores, si es necesario.", + "waf": "Seguridad" }, { - "checklist": "Azure Function Review", - "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", - "link": 
"https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", - "service": "Azure Functions", + "checklist": "Azure Landing Zone Review", + "guid": "43334f24-9116-4341-a2ba-527526944008", + "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", + "service": "Policy", + "severity": "Bajo", + "text": "Use Azure Policy para controlar qué servicios pueden aprovisionar los usuarios en el nivel de suscripción o grupo de administración", + "waf": "Seguridad" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "Medio", - "text": "Empareje una aplicación de funciones con su propia cuenta de almacenamiento. Intente no volver a usar las cuentas de almacenamiento para las aplicaciones de funciones a menos que estén estrechamente acopladas", - "waf": "Fiabilidad" + "text": null, + "waf": null }, { - "checklist": "Azure Function Review", - "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "Azure Functions", + "checklist": "Azure Landing Zone Review", + "description": "La asignación del rol Colaborador de directivas de recursos a ámbitos específicos le permite delegar la administración de directivas a los equipos pertinentes. 
Por ejemplo, un equipo de TI central puede supervisar las directivas a nivel de grupo de administración, mientras que los equipos de aplicaciones se encargan de las directivas de sus suscripciones, lo que permite la gobernanza distribuida con el cumplimiento de los estándares de la organización.",
+ "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy",
+ "service": "Policy",
 "severity": "Medio",
- "text": "Aproveche Azure DevOps o GitHub para optimizar la CI/CD y proteger el código de la aplicación de funciones",
- "waf": "Operaciones"
+ "text": "Asigne el rol integrado Colaborador de directivas de recursos en un ámbito determinado para habilitar la gobernanza de nivel de aplicación.",
+ "waf": null
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c",
- "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens",
- "service": "Entra",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "19048384-5c98-46cb-8913-156a12476e49",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
 "severity": "Medio",
- "text": "Use el token revocable de larga duración, almacene en caché el token y adquiera el token de forma silenciosa mediante la biblioteca de identidades de Microsoft",
- "waf": "Fiabilidad"
+ "text": "Limite el número de asignaciones de Azure Policy realizadas en el ámbito del grupo de administración raíz para evitar la administración a través de exclusiones en ámbitos heredados.",
+ "waf": null
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd",
- "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops",
- "service": "AAD B2C",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757",
+ "link": 
"https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", + "service": "Policy", "severity": "Medio", - "text": "Asegúrese de que los flujos de usuario de inicio de sesión estén respaldados y sean resistentes. Asegúrese de que se ha realizado una copia de seguridad del código que usa para iniciar sesión en los usuarios y se puede recuperar. Interfaces resilientes con procesos externos", - "waf": "Fiabilidad" + "text": "Si existen requisitos de soberanía de datos, se pueden implementar directivas de Azure para aplicarlos", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "waf": "Seguridad" }, { - "checklist": "Identity Review Checklist", - "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", - "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", - "service": "AAD B2C", + "checklist": "Azure Landing Zone Review", + "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", + "service": "Policy", "severity": "Medio", - "text": "Los activos de marca personalizados deben estar alojados en una CDN", - "waf": "Rendimiento" + "text": "En el caso de la Zona de Aterrizaje Soberana, la iniciativa política de referencia de la política de soberanía se despliega y asigna al nivel correcto de MG.", + "waf": null }, { - "checklist": "Identity Review Checklist", - "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", - "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", - "service": "AAD B2C", - "severity": "Bajo", - "text": "Tener varios proveedores de identidad (es decir, iniciar sesión con sus cuentas de Microsoft, Google, Facebook)", - "waf": "Fiabilidad" + "checklist": "Azure Landing Zone Review", + "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", + "link": 
"https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", + "service": "Policy", + "severity": null, + "text": "En el caso de la Zona de Aterrizaje Soberana, se documentan los objetivos de control soberano para el mapeo de políticas.", + "waf": "Seguridad" }, { - "checklist": "Identity Review Checklist", - "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "checklist": "Azure Landing Zone Review", + "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", + "service": "Policy", "severity": "Medio", - "text": "Siga las reglas de la máquina virtual para la alta disponibilidad en el nivel de máquina virtual (discos premium, dos o más en una región, en diferentes zonas de disponibilidad)", - "waf": "Fiabilidad" + "text": "En el caso de la Zona de Aterrizaje Soberana, existe un proceso para el CRUD de \"Objetivos de Control Soberano para el mapeo de políticas\".", + "waf": "Seguridad" }, { - "checklist": "Identity Review Checklist", - "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "checklist": "Azure Landing Zone Review", + "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "severity": "Medio", - "text": "¡No repliques! 
La replicación puede crear problemas con la sincronización de directorios",
- "waf": "Fiabilidad"
+ "text": null,
+ "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "waf": "Operaciones"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "79b598de-fc59-472c-b4cd-21b078036f5e",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work",
+ "service": "Monitor",
 "severity": "Medio",
- "text": "Tener activo-activo para varias regiones",
- "waf": "Fiabilidad"
+ "text": "Exporte los registros a Azure Storage si los requisitos de retención de registros superan los doce años. Use el almacenamiento inmutable con una directiva de escritura única y lectura múltiple para que los datos no se puedan borrar ni modificar durante un intervalo especificado por el usuario.",
+ "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
+ "waf": null
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0",
- "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
- "service": "Entra",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13",
+ "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview",
+ "service": "VM",
 "severity": "Medio",
- "text": "Adición de stamps de servicio de dominio de Azure AD a regiones y ubicaciones adicionales",
- "waf": "Fiabilidad"
+ "text": "Supervise el desfase de configuración de la máquina virtual (VM) a nivel de sistema operativo mediante Azure Policy. 
La habilitación de las funcionalidades de auditoría de Azure Automanage Machine Configuration a través de la directiva ayuda a las cargas de trabajo del equipo de aplicaciones a consumir inmediatamente las funcionalidades de características con poco esfuerzo.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "waf": "Operaciones"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4",
- "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
- "service": "Entra",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "f9887952-5d62-4688-9d70-ba6c97be9951",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ",
+ "service": "VM",
 "severity": "Medio",
- "text": "Uso de conjuntos de réplicas para recuperación ante desastres",
- "waf": "Fiabilidad"
+ "text": "Use Azure Update Manager como mecanismo de aplicación de revisiones para máquinas virtuales Windows y Linux en Azure.",
+ "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms",
+ "waf": "Operaciones"
 },
 {
- "checklist": "MySQL Review Checklist",
- "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7",
- "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview",
- "service": "Azure MySQL",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ",
+ "service": "VM",
 "severity": "Medio",
- "text": "Aproveche el servidor flexible",
- "waf": "Fiabilidad"
+ "text": null,
+ "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms",
+ "waf": "Operaciones"
 },
 {
- "checklist": "MySQL Review 
Checklist", - "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", - "service": "Azure MySQL", - "severity": "Alto", - "text": "Aproveche las zonas de disponibilidad cuando corresponda regionalmente", - "waf": "Fiabilidad" + "checklist": "Azure Landing Zone Review", + "guid": "90483845-c986-4cb2-a131-56a12476e49f", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Network Watcher", + "severity": "Medio", + "text": "Utilice Network Watcher para supervisar de forma proactiva los flujos de tráfico", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "Operaciones" }, { - "checklist": "MySQL Review Checklist", - "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", - "service": "Azure MySQL", + "checklist": "Azure Landing Zone Review", + "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Monitor", + "severity": "Medio", + "text": "Use los registros de Azure Monitor para obtener información e informes.", + "waf": "Operaciones" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "97be9951-9048-4384-9c98-6cb2913156a1", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", + "service": "Monitor", + "severity": null, + "text": null, + "waf": "Operaciones" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "Monitor", "severity": "Medio", - "text": "Aproveche la replicación de 
entrada de datos para escenarios de recuperación ante desastres entre regiones",
- "waf": "Fiabilidad"
+ "text": "Al usar el seguimiento de cambios e inventario a través de cuentas de Azure Automation, asegúrese de que ha seleccionado las regiones admitidas para vincular el área de trabajo de Log Analytics y las cuentas de automatización.",
+ "waf": "Operaciones"
 },
 {
- "checklist": "Azure Data Factory Review Checklist",
- "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e",
- "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx",
- "service": "Azure Data Factory",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy",
+ "service": "Backup",
 "severity": "Medio",
- "text": "Aproveche el cuaderno de estrategias de resistencia de FTA para Azure Data Factory",
+ "text": "Al usar Azure Backup, tenga en cuenta los diferentes tipos de copia de seguridad (GRS, ZRS Y LRS), ya que la configuración predeterminada es GRS",
 "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Data Factory Review Checklist",
- "guid": "e503547c-d447-4e82-9138-a7200f1cac6d",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
- "service": "Azure Data Factory",
- "severity": "Alto",
- "text": "Uso de canalizaciones con redundancia de zona en regiones que admiten zonas de disponibilidad",
- "waf": "Fiabilidad"
+ "checklist": "Azure Landing Zone Review",
+ "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a",
+ "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration",
+ "service": "VM",
+ "severity": "Medio",
+ "text": "Use directivas de Azure para implementar automáticamente configuraciones de software a través de extensiones de máquina virtual y aplicar una configuración de máquina virtual de línea base compatible.",
+ "waf": "Seguridad"
 },
 {
- 
"checklist": "Azure Data Factory Review Checklist", - "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", - "link": "https://learn.microsoft.com/azure/data-factory/source-control", - "service": "Azure Data Factory", + "checklist": "Azure Landing Zone Review", + "description": "Las características de configuración de invitado de Azure Policy pueden auditar y corregir la configuración de la máquina (por ejemplo, el sistema operativo, la aplicación, el entorno) para asegurarse de que los recursos se alinean con las configuraciones esperadas, y Update Management puede aplicar la administración de revisiones para las máquinas virtuales.", + "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "VM", "severity": "Medio", - "text": "Uso de DevOps para realizar copias de seguridad de las plantillas de ARM con la integración de Github/Azure DevOps ", - "waf": "Fiabilidad" + "text": "Supervise el desfase de la configuración de seguridad de la máquina virtual a través de Azure Policy.", + "waf": "Seguridad" }, { - "checklist": "Azure Data Factory Review Checklist", - "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "checklist": "Azure Landing Zone Review", + "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "VM", "severity": "Medio", - "text": "Asegúrese de replicar las máquinas virtuales de Integration Runtime autohospedadas en otra región ", - "waf": "Fiabilidad" + "text": "Use Azure Site Recovery para escenarios de recuperación ante desastres de Azure a Azure Virtual Machines. 
Esto le permite replicar cargas de trabajo en todas las regiones.",
+ "waf": "Operaciones"
 },
 {
- "checklist": "Azure Data Factory Review Checklist",
- "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
- "service": "Azure Data Factory",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca",
+ "link": "https://learn.microsoft.com/azure/backup/backup-center-overview",
+ "service": "Backup",
 "severity": "Medio",
- "text": "Asegúrese de replicar o duplicar la red en la región hermana. Tiene que hacer una copia de la red virtual en otra región",
- "waf": "Fiabilidad"
+ "text": "Use funcionalidades de copia de seguridad nativas de Azure o una solución de copia de seguridad de terceros compatible con Azure.",
+ "waf": "Operaciones"
 },
 {
- "checklist": "Azure Data Factory Review Checklist",
- "description": "Si las canalizaciones de ADF usan Key Vault, no tiene que hacer nada para replicar Key Vault. 
Key Vault es un servicio administrado y Microsoft se encarga de ello por ti",
- "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2",
- "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
- "service": "Azure Data Factory",
- "severity": "Bajo",
- "text": "Si utiliza la integración de Keyvault, utilice el Acuerdo de Nivel de Servicio de Keyvault para comprender su disponibilidad",
+ "ammp": true,
+ "checklist": "Azure Landing Zone Review",
+ "guid": "826c5c45-bb79-4951-a812-e3bfbfd7326b",
+ "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview",
+ "service": "VM",
+ "severity": "Alto",
+ "text": "Aproveche las zonas de disponibilidad para las máquinas virtuales en las regiones en las que se admiten.",
 "waf": "Fiabilidad"
 },
 {
- "checklist": "Redis Resiliency checklist",
- "guid": "65285269-440b-44be-9d3e-0844276d4bdc",
- "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy",
- "service": "Redis",
+ "ammp": true,
+ "checklist": "Azure Landing Zone Review",
+ "guid": "7ccb7c06-5511-42df-8177-d97f08d0337d",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
+ "service": "VM",
 "severity": "Alto",
- "text": "Habilite la redundancia de zona para Azure Cache for Redis. Azure Cache for Redis admite configuraciones con redundancia de zona en los niveles Premium y Enterprise. Una caché con redundancia de zona puede colocar sus nodos en diferentes zonas de disponibilidad de Azure en la misma región. 
Elimina la interrupción del centro de datos o de la zona de disponibilidad como único punto de error y aumenta la disponibilidad general de la memoria caché.",
+ "text": "Evite ejecutar una carga de trabajo de producción en una sola máquina virtual.",
 "waf": "Fiabilidad"
 },
 {
- "checklist": "Redis Resiliency checklist",
- "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429",
- "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence",
- "service": "Redis",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "84101f59-1941-4195-a270-e28034290e3a",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
+ "service": "VM",
 "severity": "Medio",
- "text": "Configure la persistencia de datos para una instancia de Azure Cache for Redis. Dado que los datos de caché se almacenan en la memoria, un error poco frecuente y no planeado de varios nodos puede hacer que se eliminen todos los datos. Para evitar la pérdida completa de datos, la persistencia de Redis permite tomar instantáneas periódicas de los datos en memoria y almacenarlas en la cuenta de almacenamiento.",
+ "text": "Azure Load Balancer y Application Gateway distribuyen el tráfico de red entrante entre varios recursos.",
 "waf": "Fiabilidad"
 },
 {
- "checklist": "Redis Resiliency checklist",
- "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c",
- "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence",
- "service": "Redis",
- "severity": "Medio",
- "text": "Use una cuenta de almacenamiento con redundancia geográfica para conservar los datos de Azure Cache for Redis o con redundancia zonal donde la redundancia geográfica no esté disponible",
- "waf": "Fiabilidad"
+ "ammp": true,
+ "checklist": "Azure Landing Zone Review",
+ "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a",
+ "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "WAF", + "severity": "Alto", + "text": "Agregue la configuración de diagnóstico para guardar los registros de WAF de los servicios de entrega de aplicaciones, como Azure Front Door y Azure Application Gateway. Revise periódicamente los registros para comprobar si hay ataques y detecciones de falsos positivos.", + "waf": "Operaciones" }, { - "checklist": "Redis Resiliency checklist", - "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", - "service": "Redis", + "checklist": "Azure Landing Zone Review", + "guid": "7f408960-c626-44cb-a018-347c8d790cdf", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "WAF", "severity": "Medio", - "text": "Configure la replicación geográfica pasiva para instancias de Azure Cache for Redis Premium. La replicación geográfica es un mecanismo para vincular dos o más instancias de Azure Cache for Redis, que normalmente abarcan dos regiones de Azure. La replicación geográfica está diseñada principalmente para la recuperación ante desastres entre regiones. Dos instancias de caché de nivel Premium se conectan a través de la replicación geográfica de una manera que proporciona lecturas y escrituras en la caché principal, y esos datos se replican en la caché secundaria.", - "waf": "Fiabilidad" + "text": "Envíe registros de WAF desde los servicios de entrega de aplicaciones, como Azure Front Door y Azure Application Gateway, a Microsoft Sentinel. 
Detecte ataques e integre la telemetría de WAF en su entorno general de Azure.",
+ "waf": "Operaciones"
 },
 {
- "checklist": "IoT Hub Review",
- "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8",
- "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones",
- "service": "IoT",
+ "ammp": true,
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5017f154-e3ab-4369-9829-e7e316183687",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/overview",
+ "service": "Key Vault",
 "severity": "Alto",
- "text": "Aproveche las zonas de disponibilidad si corresponden regionalmente (esto se habilita automáticamente)",
- "waf": "Fiabilidad"
+ "text": "Uso de Azure Key Vault para almacenar los secretos y las credenciales",
+ "waf": "Seguridad"
 },
 {
- "checklist": "IoT Hub Review",
- "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e",
- "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover",
- "service": "IoT",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)",
+ "guid": "a0477a20-9945-4bda-9333-4f2491163418",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling",
+ "service": "Key Vault",
 "severity": "Medio",
- "text": "Tenga en cuenta las conmutaciones por error iniciadas por Microsoft. 
Microsoft los ejerce en situaciones excepcionales para conmutar por error todos los centros de IoT de una región afectada a la región emparejada geográficamente correspondiente.", - "waf": "Fiabilidad" + "text": "Use diferentes instancias de Azure Key Vaults para diferentes aplicaciones y regiones para evitar límites de escala de transacciones y restringir el acceso a los secretos.", + "waf": "Seguridad" }, { - "checklist": "IoT Hub Review", - "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", - "service": "IoT", - "severity": "Alto", - "text": "Considere la posibilidad de una estrategia de recuperación ante desastres entre regiones para cargas de trabajo críticas", - "waf": "Fiabilidad" + "checklist": "Azure Landing Zone Review", + "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "Medio", + "text": "Aprovisione Azure Key Vault con las directivas de eliminación temporal y purga habilitadas para permitir la protección de retención de los objetos eliminados.", + "waf": "Seguridad" }, { - "checklist": "IoT Hub Review", - "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", - "severity": "Alto", - "text": "Obtenga información sobre cómo desencadenar una conmutación por error manual.", - "waf": "Fiabilidad" + "checklist": "Azure Landing Zone Review", + "guid": "dc055bcf-619e-48a1-9f98-879525d62688", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "Medio", + "text": "Siga un modelo de privilegios mínimos limitando la autorización para eliminar claves, secretos y certificados de forma permanente a roles de identificador personalizados especializados de Microsoft Entra.", + "waf": "Seguridad" 
}, { - "checklist": "IoT Hub Review", - "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", - "service": "IoT", - "severity": "Alto", - "text": "Obtenga información sobre cómo conmutar por recuperación después de una conmutación por error.", - "waf": "Fiabilidad" + "checklist": "Azure Landing Zone Review", + "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "Medio", + "text": "Automatice el proceso de gestión y renovación de certificados con autoridades de certificación públicas para facilitar la administración.", + "waf": "Seguridad" }, { - "checklist": "Azure Spring Apps Review", - "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", - "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", - "service": "Spring Apps", + "checklist": "Azure Landing Zone Review", + "guid": "913156a1-2476-4e49-b541-acdce979377b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medio", - "text": "Azure Spring Apps permite dos implementaciones para cada aplicación, de las cuales solo una recibe tráfico de producción. Puede lograr cero tiempo de inactividad con estrategias de implementación azul verde. La implementación azul verde solo está disponible en los niveles Estándar y Enterprise. 
Puede automatizar la implementación mediante CI/CD con acciones de ADO/GitHub", - "waf": "Fiabilidad" + "text": "Establezca un proceso automatizado para la rotación de claves y certificados.", + "waf": "Seguridad" }, { - "checklist": "Azure Spring Apps Review", - "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", - "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", - "service": "Spring Apps", + "checklist": "Azure Landing Zone Review", + "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medio", - "text": "Las instancias de Azure Spring Apps se pueden crear en varias regiones para las aplicaciones y el tráfico se puede enrutar mediante Traffic Manager o Front Door.", - "waf": "Fiabilidad" + "text": "Habilite el firewall y el punto de conexión de servicio de red virtual o el punto de conexión privado en el almacén para controlar el acceso al almacén de claves.", + "waf": "Seguridad" }, { - "checklist": "Azure Spring Apps Review", - "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", - "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", - "service": "Spring Apps", + "checklist": "Azure Landing Zone Review", + "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", + "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", + "service": "Key Vault", "severity": "Medio", - "text": "En la región admitida, Azure Spring Apps se puede implementar como zona redundante, lo que significa que las instancias se distribuyen automáticamente entre las zonas de disponibilidad. 
Esta función solo está disponible en los niveles Standard y Enterprise.", - "waf": "Fiabilidad" + "text": "Use el área de trabajo de Log Analytics de Azure Monitor central de la plataforma para auditar el uso de claves, certificados y secretos en cada instancia de Key Vault.", + "waf": "Seguridad" }, { - "checklist": "Azure Spring Apps Review", - "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", - "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", - "service": "Spring Apps", + "checklist": "Azure Landing Zone Review", + "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medio", - "text": "Usar más de 1 instancia de aplicación para las aplicaciones", - "waf": "Fiabilidad" + "text": "Delegue la creación de instancias de Key Vault y el acceso con privilegios, y use Azure Policy para aplicar una configuración coherente y compatible.", + "waf": "Seguridad" }, { - "checklist": "Azure Spring Apps Review", - "guid": "7504c230-6035-4183-95a5-85762acc6075", - "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", - "service": "Spring Apps", - "severity": "Medio", - "text": "Supervise Azure Spring Apps con registros, métricas y seguimiento. 
Integre ASA con la información de las aplicaciones, realice un seguimiento de los errores y cree libros de trabajo.", - "waf": "Fiabilidad" + "checklist": "Azure Landing Zone Review", + "guid": "91163418-2ba5-4275-8694-4008be7d7e48", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "Medio", + "text": "Use una instancia de Azure Key Vault por aplicación, por entorno, por región.", + "waf": "Seguridad" }, { - "checklist": "Azure Spring Apps Review", - "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", - "service": "Spring Apps", + "checklist": "Azure Landing Zone Review", + "guid": "25d62688-6d70-4ba6-a97b-e99519048384", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medio", - "text": "Configuración del escalado automático en Spring Cloud Gateway", - "waf": "Fiabilidad" + "text": "Si desea traer sus propias claves, es posible que esto no sea compatible con todos los servicios considerados. Implemente la mitigación pertinente para que las inconsistencias no obstaculicen los resultados deseados. 
Elija los pares de regiones y las regiones de recuperación ante desastres adecuados que minimicen la latencia.", + "waf": "Seguridad" }, { - "checklist": "Azure Spring Apps Review", - "guid": "97411607-b6fd-4335-99d1-9885faf4e392", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", - "service": "Spring Apps", - "severity": "Bajo", - "text": "Habilite el escalado automático para las aplicaciones con el consumo estándar y el plan dedicado.", - "waf": "Fiabilidad" + "checklist": "Azure Landing Zone Review", + "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", + "link": "https://learn.microsoft.com/industry/sovereignty/key-management", + "service": "Key Vault", + "severity": "Medio", + "text": "En el caso de la zona de aterrizaje soberana, use el HSM administrado de Azure Key Vault para almacenar los secretos y las credenciales.", + "waf": "Seguridad" }, { - "checklist": "Azure Spring Apps Review", - "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", - "link": "https://learn.microsoft.com/azure/spring-apps/overview", - "service": "Spring Apps", + "checklist": "Azure Landing Zone Review", + "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", + "service": "Entra", "severity": "Medio", - "text": "Use el plan Enterprise para obtener soporte comercial de Spring Boot para aplicaciones de misión crítica. 
Con otros niveles, obtienes soporte OSS.", - "waf": "Fiabilidad" + "text": "Use las funcionalidades de informes de Microsoft Entra ID para generar informes de auditoría de control de acceso.", + "waf": "Seguridad" }, { - "checklist": "Azure Blob Storage Review", - "description": "Aplicación de las instrucciones de la prueba comparativa de seguridad en la nube de Microsoft relacionadas con el almacenamiento", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Azure Storage", - "severity": "Medio", - "text": "Tenga en cuenta la \"línea base de seguridad de Azure para el almacenamiento\"", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "09945bda-4333-44f2-9911-634182ba5275", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", + "service": "Defender", + "severity": "Alto", + "text": "Habilite la administración de la posición de seguridad en la nube de Defender para todas las suscripciones.", "waf": "Seguridad" }, { - "checklist": "Azure Blob Storage Review", - "description": "De forma predeterminada, Azure Storage tiene una dirección IP pública y es accesible desde Internet. 
Los puntos de conexión privados permiten exponer de forma segura Azure Storage solo a los recursos de proceso de Azure que necesitan acceso, lo que elimina la exposición a la Internet pública", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Azure Storage", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", + "service": "Defender", "severity": "Alto", - "text": "Considere la posibilidad de usar puntos de conexión privados para Azure Storage", + "text": "Habilite un plan de protección de cargas de trabajo en la nube de Defender para servidores en todas las suscripciones.", "waf": "Seguridad" }, { - "checklist": "Azure Blob Storage Review", - "description": "Las cuentas de almacenamiento recién creadas se crean mediante el modelo de implementación de ARM, de modo que RBAC, auditoría, etc. están habilitados. 
Asegúrese de que no hay cuentas de almacenamiento antiguas con el modelo de implementación clásica en una suscripción", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Azure Storage", - "severity": "Medio", - "text": "Asegúrese de que las cuentas de almacenamiento más antiguas no usan el \"modelo de implementación clásica\"", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", + "service": "Defender", + "severity": "Alto", + "text": "Habilite los planes de protección de cargas de trabajo en la nube de Defender para recursos de Azure en todas las suscripciones.", "waf": "Seguridad" }, { - "checklist": "Azure Blob Storage Review", - "description": "Aproveche Microsoft Defender para obtener información sobre la actividad sospechosa y los errores de configuración.", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Azure Storage", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", + "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", + "service": "VM", "severity": "Alto", - "text": "Habilitación de Microsoft Defender para todas las cuentas de almacenamiento", + "text": "Habilite Endpoint Protection en servidores IaaS.", "waf": "Seguridad" }, { - "checklist": "Azure Blob Storage Review", - "description": "El mecanismo de eliminación temporal permite recuperar blobs eliminados accidentalmente.", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Azure Storage", + 
"checklist": "Azure Landing Zone Review", + "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", + "link": "https://learn.microsoft.com/azure/security-center/", + "service": "VM", "severity": "Medio", - "text": "Habilitación de la \"eliminación temporal\" para blobs", + "text": "Supervise el desfase de revisiones del sistema operativo base a través de los registros de Azure Monitor y Defender for Cloud.", "waf": "Seguridad" }, { - "checklist": "Azure Blob Storage Review", - "description": "Considere la posibilidad de deshabilitar de forma selectiva la \"eliminación temporal\" para determinados contenedores de blobs, por ejemplo, si la aplicación debe asegurarse de que la información eliminada se elimina inmediatamente, por ejemplo, por motivos de confidencialidad, privacidad o cumplimiento. ", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "severity": "Medio", - "text": "Deshabilitación de la \"eliminación temporal\" de blobs", + "text": "Conecte las configuraciones de recursos predeterminadas a un área de trabajo centralizada de Log Analytics de Azure Monitor.", "waf": "Seguridad" }, { - "checklist": "Azure Blob Storage Review", - "description": "La eliminación temporal de contenedores permite recuperar un contenedor después de que se haya eliminado, por ejemplo, recuperarse de una operación de eliminación accidental.", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Azure Storage", - "severity": "Alto", - "text": "Habilitación de la \"eliminación temporal\" para los contenedores", + "checklist": "Azure Landing Zone Review", + "guid": 
"1761e147-f65e-4d09-bbc2-f464f23e2eba", + "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", + "service": "Entra", + "severity": "Medio", + "text": "En el caso de la zona de aterrizaje soberana, los registros de transparencia están habilitados en el inquilino de Entra ID.", "waf": "Seguridad" }, { - "checklist": "Azure Blob Storage Review", - "description": "Considere la posibilidad de deshabilitar de forma selectiva la \"eliminación temporal\" para determinados contenedores de blobs, por ejemplo, si la aplicación debe asegurarse de que la información eliminada se elimina inmediatamente, por ejemplo, por motivos de confidencialidad, privacidad o cumplimiento. ", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", + "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", + "service": "Entra", "severity": "Medio", - "text": "Deshabilitación de la \"eliminación temporal\" para contenedores", + "text": "En el caso de la zona de aterrizaje soberana, la caja de seguridad del cliente está habilitada en el inquilino de Entra ID.", "waf": "Seguridad" }, { - "checklist": "Azure Blob Storage Review", - "description": "Evita la eliminación accidental de una cuenta de almacenamiento, obligando al usuario a quitar primero el bloqueo de eliminación, antes de la eliminación", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Storage", "severity": "Alto", - "text": "Habilitación de 
bloqueos de recursos en cuentas de almacenamiento", + "text": "La transferencia segura a cuentas de almacenamiento debe estar habilitada", "waf": "Seguridad" }, { - "checklist": "Azure Blob Storage Review", - "description": "Considere la posibilidad de aplicar directivas de \"retención legal\" o \"retención basada en el tiempo\" para los blobs, de modo que sea imposible eliminar el blob, el contenedor o la cuenta de almacenamiento. Tenga en cuenta que 'imposible' en realidad significa 'imposible'; una vez que una cuenta de almacenamiento contiene un blob inmutable, la única manera de \"deshacerse\" de esa cuenta de almacenamiento es cancelando la suscripción de Azure.", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Azure Storage", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", + "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", + "service": "Storage", "severity": "Alto", - "text": "Considere la posibilidad de blobs inmutables", + "text": "Habilite la eliminación temporal del contenedor para que la cuenta de almacenamiento recupere un contenedor eliminado y su contenido.", "waf": "Seguridad" }, { - "checklist": "Azure Blob Storage Review", - "description": "Considere la posibilidad de deshabilitar el acceso HTTP/80 sin protección a la cuenta de almacenamiento, de modo que todas las transferencias de datos estén cifradas, protegidas por integridad y el servidor esté autenticado. 
", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Azure Storage", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", + "service": "Key Vault", "severity": "Alto", - "text": "Requerir HTTPS, es decir, deshabilitar el puerto 80 en la cuenta de almacenamiento", - "waf": "Seguridad" + "text": "Use secretos de Key Vault para evitar codificar de forma rígida información confidencial, como credenciales (máquinas virtuales, contraseñas de usuario), certificados o claves.", + "waf": "Operaciones" }, { - "checklist": "Azure Blob Storage Review", - "description": "Al configurar un dominio personalizado (nombre de host) en una cuenta de almacenamiento, compruebe si necesita TLS/HTTPS; si es así, es posible que tenga que colocar Azure CDN delante de la cuenta de almacenamiento.", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Azure Storage", - "severity": "Alto", - "text": "Al aplicar HTTPS (deshabilitar HTTP), compruebe que no usa dominios personalizados (CNAME) para la cuenta de almacenamiento.", - "waf": "Seguridad" + "checklist": "Azure API Management Review", + "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", + "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", + "service": "APIM", + "severity": "Medio", + "text": "Implementar una política de control de errores a nivel global", + "waf": "Operaciones" }, { - "checklist": "Azure Blob Storage Review", - "description": "Requerir HTTPS cuando un cliente usa un token de SAS para acceder a los datos de blobs ayuda a minimizar el riesgo de pérdida de 
credenciales.", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Azure Storage", + "checklist": "Azure API Management Review", + "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", + "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", + "service": "APIM", "severity": "Medio", - "text": "Limitar los tokens de firma de acceso compartido (SAS) solo a las conexiones HTTPS", - "waf": "Seguridad" + "text": "Asegúrese de que todas las políticas de API incluyan un elemento.", + "waf": "Operaciones" }, { - "checklist": "Azure Blob Storage Review", - "description": "Los tokens de AAD deben favorecerse sobre las firmas de acceso compartido, siempre que sea posible", - "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", - "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", - "service": "Azure Storage", + "checklist": "Azure API Management Review", + "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", + "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", + "service": "APIM", + "severity": "Medio", + "text": "Uso de fragmentos de políticas para evitar repetir las mismas definiciones de políticas en varias API", + "waf": "Operaciones" + }, + { + "checklist": "Azure API Management Review", + "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", + "link": "https://learn.microsoft.com/azure/api-management/monetization-support", + "service": "APIM", + "severity": "Medio", + "text": "Si planeas monetizar tus API, revisa el artículo \"Soporte de monetización\" para conocer las prácticas recomendadas", + "waf": "Operaciones" + }, + { + "checklist": "Azure API Management Review", + "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", + "service": "APIM", 
"severity": "Alto", - "text": "Uso de tokens de Azure Active Directory (Azure AD) para el acceso a blobs", - "waf": "Seguridad" + "text": "Habilitación de la configuración de diagnóstico para exportar registros a Azure Monitor", + "waf": "Operaciones" }, { - "checklist": "Azure Blob Storage Review", - "description": "Al asignar un rol a un usuario, grupo o aplicación, conceda a esa entidad de seguridad solo los permisos necesarios para que pueda realizar sus tareas. Limitar el acceso a los recursos ayuda a evitar el uso indebido no intencionado y malintencionado de los datos.", - "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", - "service": "Azure Storage", + "checklist": "Azure API Management Review", + "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", + "service": "APIM", "severity": "Medio", - "text": "Privilegios mínimos en los permisos de IaM", - "waf": "Seguridad" + "text": "Habilitación de Application Insights para obtener telemetría más detallada", + "waf": "Operaciones" }, { - "checklist": "Azure Blob Storage Review", - "description": "Una SAS de delegación de usuarios está protegida con credenciales de Azure Active Directory (Azure AD) y también con los permisos especificados para la SAS. Una SAS de delegación de usuarios es análoga a una SAS de servicio en cuanto a su ámbito y función, pero ofrece ventajas de seguridad sobre la SAS de servicio. 
", - "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", - "service": "Azure Storage", + "checklist": "Azure API Management Review", + "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", + "service": "APIM", "severity": "Alto", - "text": "Al usar SAS, prefiera \"SAS de delegación de usuarios\" en lugar de SAS basada en claves de cuenta de almacenamiento.", - "waf": "Seguridad" + "text": "Configurar alertas sobre las métricas más críticas", + "waf": "Operaciones" }, { - "checklist": "Azure Blob Storage Review", - "description": "Las claves de la cuenta de almacenamiento (\"claves compartidas\") tienen muy pocas funcionalidades de auditoría. Si bien se puede monitorear quién o cuándo obtuvo una copia de las claves, una vez que las claves están en manos de varias personas, es imposible atribuir el uso a un usuario específico. Confiar únicamente en la autenticación de AAD facilita la vinculación del acceso al almacenamiento a un usuario. 
", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", - "service": "Azure Storage", + "checklist": "Azure API Management Review", + "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", + "service": "APIM", "severity": "Alto", - "text": "Considere la posibilidad de deshabilitar las claves de la cuenta de almacenamiento, de modo que solo se admita el acceso a AAD (y la SAS de delegación de usuarios).", + "text": "Asegúrese de que los certificados SSL personalizados se almacenan en Azure Key Vault para que se pueda acceder a ellos y actualizarlos de forma segura", "waf": "Seguridad" }, { - "checklist": "Azure Blob Storage Review", - "description": "Use los datos del registro de actividad para identificar \"cuándo\", \"quién\", \"qué\" y \"cómo\" se está viendo o cambiando la seguridad de la cuenta de almacenamiento (es decir, claves de cuenta de almacenamiento, directivas de acceso, etc.).", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", - "service": "Azure Storage", + "checklist": "Azure API Management Review", + "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", + "service": "APIM", "severity": "Alto", - "text": "Considere la posibilidad de usar Azure Monitor para auditar las operaciones del plano de control en la cuenta de almacenamiento", + "text": "Protección de las solicitudes 
entrantes a las API (plano de datos) con Azure AD", "waf": "Seguridad" }, { - "checklist": "Azure Blob Storage Review", - "description": "Una directiva de expiración de claves le permite establecer un recordatorio para la rotación de las claves de acceso a la cuenta. El recordatorio se muestra si ha transcurrido el intervalo especificado y las teclas aún no se han girado.", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", - "service": "Azure Storage", + "checklist": "Azure API Management Review", + "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", + "service": "APIM", "severity": "Medio", - "text": "Al usar claves de cuenta de almacenamiento, considere la posibilidad de habilitar una \"directiva de expiración de claves\"", + "text": "Usar el identificador de Microsoft Entra para autenticar a los usuarios en el Portal para desarrolladores", "waf": "Seguridad" }, { - "checklist": "Azure Blob Storage Review", - "description": "Una directiva de expiración de SAS especifica un intervalo recomendado durante el cual la SAS es válida. Las directivas de expiración de SAS se aplican a una SAS de servicio o a una SAS de cuenta. 
Cuando un usuario genera una SAS de servicio o una SAS de cuenta con un intervalo de validez mayor que el intervalo recomendado, verá una advertencia.",
- "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf",
- "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy",
- "service": "Azure Storage",
+ "checklist": "Azure API Management Review",
+ "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups",
+ "service": "APIM",
 "severity": "Medio",
- "text": "Considere la posibilidad de configurar una directiva de expiración de SAS",
+ "text": "Crear grupos adecuados para controlar la visibilidad de los productos",
 "waf": "Seguridad"
 },
 {
- "checklist": "Azure Blob Storage Review",
- "description": "Las directivas de acceso almacenadas ofrecen la opción de revocar los permisos de una SAS de servicio sin tener que volver a generar las claves de la cuenta de almacenamiento. ",
- "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
- "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy",
- "service": "Azure Storage",
+ "checklist": "Azure API Management Review",
+ "guid": "06862505-2d9a-4874-9491-2837b00a3475",
+ "link": "https://learn.microsoft.com/azure/api-management/backends",
+ "service": "APIM",
 "severity": "Medio",
- "text": "Considere la posibilidad de vincular SAS a una directiva de acceso almacenada",
- "waf": "Seguridad"
+ "text": "Utilice la función Backends para eliminar las configuraciones redundantes de back-end de la API",
+ "waf": "Operaciones"
 },
 {
- "checklist": "Azure Blob Storage Review",
- "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
- "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/",
- "service": "Azure Storage",
+ "checklist": "Azure API Management Review",
+ "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal",
+ "service": "APIM",
 "severity": "Medio",
- "text": "Considere la posibilidad de configurar el repositorio de código fuente de la aplicación para detectar cadenas de conexión protegidas y claves de cuenta de almacenamiento.",
- "waf": "Seguridad"
+ "text": "Usar valores con nombre para almacenar valores comunes que se pueden usar en directivas",
+ "waf": "Operaciones"
 },
 {
- "checklist": "Azure Blob Storage Review",
- "description": "Lo ideal es que la aplicación use una identidad administrada para autenticarse en Azure Storage. Si esto no es posible, considere la posibilidad de tener la credencial de almacenamiento (cadena de conexión, clave de cuenta de almacenamiento, SAS, credencial de entidad de servicio) en Azure KeyVault o un servicio equivalente.",
- "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
- "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys",
- "service": "Azure Storage",
- "severity": "Alto",
- "text": "Considere la posibilidad de almacenar cadenas de conexión en Azure KeyVault (en escenarios en los que las identidades administradas no son posibles)",
- "waf": "Seguridad"
+ "checklist": "Azure API Management Review",
+ "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region",
+ "service": "APIM",
+ "severity": "Medio",
+ "text": "En el caso de la recuperación ante desastres, aproveche el nivel premium con implementaciones escaladas en dos o más regiones para un acuerdo de nivel de servicio del 99,99 %",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Blob Storage Review",
- "description": "Use los tiempos de expiración a corto plazo en una SAS de servicio SAS ad hoc o en una SAS de cuenta. De esta manera, incluso si una SAS se ve comprometida, es válida solo por un corto tiempo. Esta práctica es especialmente importante si no puede hacer referencia a una directiva de acceso almacenada. Los tiempos de expiración a corto plazo también limitan la cantidad de datos que se pueden escribir en un blob al limitar el tiempo disponible para cargarlo.",
- "guid": "27138b82-1102-4cac-9eae-01e6e842e52f",
- "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
- "service": "Azure Storage",
+ "checklist": "Azure API Management Review",
+ "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044",
+ "link": "https://learn.microsoft.com/azure/api-management/high-availability",
+ "service": "APIM",
+ "severity": "Medio",
+ "text": "Implemente al menos una unidad en dos o más zonas de disponibilidad para obtener un SLA aumentado del 99,99 %",
+ "waf": "Fiabilidad"
+ },
+ {
+ "checklist": "Azure API Management Review",
+ "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability",
+ "service": "APIM",
 "severity": "Alto",
- "text": "Esfuércese por obtener períodos de validez cortos para SAS ad-hoc",
- "waf": "Seguridad"
+ "text": "Asegúrese de que haya una rutina de copia de seguridad automatizada",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Blob Storage Review",
- "description": "Al crear una SAS, sea lo más específico y restrictivo posible. Prefiera una SAS para un solo recurso y operación en lugar de una SAS que proporciona un acceso mucho más amplio.",
- "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c",
- "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
- "service": "Azure Storage",
+ "checklist": "Azure API Management Review",
+ "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485",
+ "link": "https://learn.microsoft.com/azure/api-management/retry-policy",
+ "service": "APIM",
 "severity": "Medio",
- "text": "Aplicación de un ámbito limitado a una SAS",
- "waf": "Seguridad"
+ "text": "Use directivas para agregar una dirección URL de back-end de conmutación por error y el almacenamiento en caché para reducir las llamadas con errores.",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Blob Storage Review",
- "description": "Una SAS puede incluir parámetros en los que las direcciones IP de cliente o los intervalos de direcciones están autorizados a solicitar un recurso mediante la SAS. ",
- "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a",
- "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas",
- "service": "Azure Storage",
+ "checklist": "Azure API Management Review",
+ "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs",
+ "service": "APIM",
+ "severity": "Bajo",
+ "text": "Si necesita iniciar sesión en niveles de alto rendimiento, tenga en cuenta la directiva de Event Hubs",
+ "waf": "Operaciones"
+ },
+ {
+ "checklist": "Azure API Management Review",
+ "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling",
+ "service": "APIM",
 "severity": "Medio",
- "text": "Considere la posibilidad de definir el ámbito de SAS en una dirección IP de cliente específica, siempre que sea posible",
- "waf": "Seguridad"
+ "text": "Aplicación de directivas de limitación para controlar el número de solicitudes por segundo",
+ "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/",
+ "waf": "Rendimiento"
 },
 {
- "checklist": "Azure Blob Storage Review",
- "description": "Una SAS no puede restringir la cantidad de datos que carga un cliente; Dado el modelo de precios de la cantidad de almacenamiento a lo largo del tiempo, podría tener sentido validar si los clientes cargaron contenido de gran tamaño malintencionado.",
- "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e",
- "service": "Azure Storage",
- "severity": "Bajo",
- "text": "Considere la posibilidad de comprobar los datos cargados, después de que los clientes hayan usado una SAS para cargar un archivo. ",
- "waf": "Seguridad"
+ "checklist": "Azure API Management Review",
+ "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale",
+ "service": "APIM",
+ "severity": "Medio",
+ "text": "Configurar el escalado automático para escalar horizontalmente el número de instancias cuando aumenta la carga",
+ "waf": "Rendimiento"
 },
 {
- "checklist": "Azure Blob Storage Review",
- "description": "Al acceder a Blob Storage a través de SFTP mediante una \"cuenta de usuario local\", no se aplican los controles RBAC \"habituales\". El acceso a blobs a través de NFS o REST puede ser más restrictivo que el acceso SFTP. Desafortunadamente, a partir de principios de 2023, los usuarios locales son la única forma de administración de identidades que actualmente se admite para el punto de conexión SFTP",
- "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8",
- "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model",
- "service": "Azure Storage",
- "severity": "Alto",
- "text": "SFTP: Limite la cantidad de \"usuarios locales\" para el acceso SFTP y audite si el acceso es necesario a lo largo del tiempo.",
- "waf": "Seguridad"
+ "checklist": "Azure API Management Review",
+ "guid": "84b94abb-59b6-4b9d-8587-3413669468e8",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway",
+ "service": "APIM",
+ "severity": "Medio",
+ "text": "Implemente puertas de enlace autohospedadas en las que Azure no tenga una región cercana a las API de back-end.",
+ "waf": "Rendimiento"
 },
 {
- "checklist": "Azure Blob Storage Review",
- "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38",
- "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization",
- "service": "Azure Storage",
+ "checklist": "Azure API Management Review",
+ "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0",
+ "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale",
+ "service": "APIM",
 "severity": "Medio",
- "text": "SFTP: El punto de conexión SFTP no admite ACL similares a POSIX.",
- "waf": "Seguridad"
+ "text": "Use el nivel premium para las cargas de trabajo de producción.",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Blob Storage Review",
- "description": "El almacenamiento es compatible con CORS (Cross-Origin Resource Sharing), es decir, una función HTTP que permite a las aplicaciones web de un dominio diferente relajar la política del mismo origen. Al habilitar CORS, mantenga CorsRules con el mínimo privilegio.",
- "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3",
- "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services",
- "service": "Azure Storage",
+ "checklist": "Azure API Management Review",
+ "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services",
+ "service": "APIM",
+ "severity": "Medio",
+ "text": "En el modelo de varias regiones, use directivas para enrutar las solicitudes a los back-ends regionales en función de la disponibilidad o la latencia.",
+ "waf": "Fiabilidad"
+ },
+ {
+ "checklist": "Azure API Management Review",
+ "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits",
+ "service": "APIM",
 "severity": "Alto",
- "text": "Evite las políticas de CORS demasiado amplias",
- "waf": "Seguridad"
+ "text": "Tenga en cuenta los límites de APIM",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Blob Storage Review",
- "description": "Los datos en reposo siempre están cifrados en el lado del servidor y, además, también pueden estar cifrados en el lado del cliente. El cifrado del lado del servidor puede realizarse mediante una clave administrada por la plataforma (predeterminada) o una clave administrada por el cliente. El cifrado del lado cliente puede producirse haciendo que el cliente proporcione una clave de cifrado y descifrado por blob a Azure Storage o controlando completamente el cifrado en el lado cliente. por lo tanto, no depende en absoluto de Azure Storage para obtener garantías de confidencialidad.",
- "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption",
- "service": "Azure Storage",
+ "checklist": "Azure API Management Review",
+ "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600",
+ "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview",
+ "service": "APIM",
 "severity": "Alto",
- "text": "Determine cómo se deben cifrar los datos en reposo. Comprender el modelo de subprocesos para los datos.",
- "waf": "Seguridad"
+ "text": "Asegúrese de que las implementaciones de puerta de enlace autohospedadas sean resistentes.",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Blob Storage Review",
- "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6",
- "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json",
- "service": "Azure Storage",
+ "checklist": "Azure API Management Review",
+ "guid": "7519e385-a88b-4d34-966b-6269d686e890",
+ "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management",
+ "service": "APIM",
 "severity": "Medio",
- "text": "Determine qué cifrado de plataforma se debe usar o si se debe usar.",
- "waf": "Seguridad"
+ "text": "Uso de Azure Front Door delante de APIM para la implementación en varias regiones",
+ "waf": "Rendimiento"
 },
 {
- "checklist": "Azure Blob Storage Review",
- "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29",
- "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys",
- "service": "Azure Storage",
+ "checklist": "Azure API Management Review",
+ "guid": "cd45c90e-7690-4753-930b-bf290c69c074",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration",
+ "service": "APIM",
 "severity": "Medio",
- "text": "Determine qué cifrado del lado del cliente se debe usar o si.",
+ "text": "Implementación del servicio dentro de una red virtual (VNet)",
 "waf": "Seguridad"
 },
 {
- "checklist": "Azure Blob Storage Review",
- "description": "Aproveche el Explorador de Resource Graph (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) para buscar cuentas de almacenamiento que permitan el acceso anónimo a blobs.",
- "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012",
- "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account",
- "service": "Azure Storage",
- "severity": "Alto",
- "text": "Considere si se necesita acceso público a blobs o si se puede deshabilitar para determinadas cuentas de almacenamiento. ",
+ "checklist": "Azure API Management Review",
+ "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support",
+ "service": "APIM",
+ "severity": "Medio",
+ "text": "Implemente grupos de seguridad de red (NSG) en las subredes para restringir o supervisar el tráfico hacia/desde APIM.",
 "waf": "Seguridad"
 },
 {
- "checklist": "Logic Apps checklist",
- "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d",
- "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare",
- "service": "Logic Apps",
- "severity": "Alto",
- "text": "Seleccione el plan de hospedaje de aplicaciones lógicas adecuado en función de los requisitos empresariales y de SLO",
- "waf": "Fiabilidad"
+ "checklist": "Azure API Management Review",
+ "guid": "67437a28-2721-4a2c-becd-caa54c8237a5",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link",
+ "service": "APIM",
+ "severity": "Medio",
+ "text": "Implemente puntos de conexión privados para filtrar el tráfico entrante cuando APIM no se implemente en una red virtual.",
+ "waf": "Seguridad"
 },
 {
- "checklist": "Logic Apps checklist",
- "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a",
- "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
- "service": "Logic Apps",
+ "checklist": "Azure API Management Review",
+ "guid": "d698adbd-3288-44cb-b10a-9b572da395ae",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access",
+ "service": "APIM",
 "severity": "Alto",
- "text": "Proteja las aplicaciones lógicas de errores de región con redundancia de zona y zonas de disponibilidad",
- "waf": "Fiabilidad"
+ "text": "Deshabilitar el acceso a la red pública",
+ "waf": "Seguridad"
 },
 {
- "checklist": "Logic Apps checklist",
- "guid": "1cda768f-a206-445d-8234-56f6a6e7286e",
- "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
- "service": "Logic Apps",
- "severity": "Alto",
- "text": "Considere la posibilidad de una estrategia de recuperación ante desastres entre regiones para cargas de trabajo críticas",
- "waf": "Fiabilidad"
+ "checklist": "Azure API Management Review",
+ "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd",
+ "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management",
+ "service": "APIM",
+ "severity": "Medio",
+ "text": "Simplifique la administración con scripts de automatización de PowerShell",
+ "waf": "Operaciones"
 },
 {
- "checklist": "Logic Apps checklist",
- "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34",
- "link": "https://learn.microsoft.com/azure/app-service/environment/intro",
- "service": "Logic Apps",
- "severity": "Alto",
- "text": "Si se implementa en un entorno aislado, use o migre a App Service Environment (ASE) v3",
- "waf": "Fiabilidad"
+ "checklist": "Azure API Management Review",
+ "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations",
+ "service": "APIM",
+ "severity": "Medio",
+ "text": "Configure APIM a través de la infraestructura como código. Revise las prácticas recomendadas de DevOps desde el acelerador de zonas de aterrizaje de API de Cloud Adaption Framework",
+ "waf": "Operaciones"
 },
 {
- "checklist": "Logic Apps checklist",
- "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501",
- "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/",
- "service": "Logic Apps",
+ "checklist": "Azure API Management Review",
+ "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6",
+ "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial",
+ "service": "APIM",
 "severity": "Medio",
- "text": "Aproveche Azure DevOps o GitHub para simplificar la CI/CD y proteger el código de la aplicación lógica",
+ "text": "Promover el uso de la extensión APIM de Visual Studio Code para un desarrollo de API más rápido",
 "waf": "Operaciones"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "f00a69de-7076-4734-a734-6e4552cad9e1",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates",
- "service": "Front Door",
+ "checklist": "Azure API Management Review",
+ "guid": "354f1c03-8112-4965-85ad-c0074bddf231",
+ "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates",
+ "service": "APIM",
 "severity": "Medio",
- "text": "Si usa certificados TLS administrados por el cliente con Azure Front Door, use la versión de certificado \"más reciente\". Reduzca el riesgo de interrupciones causadas por la renovación manual de certificados",
+ "text": "Implemente DevOps y CI/CD en su flujo de trabajo",
 "waf": "Operaciones"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant",
- "guid": "553585a6-abe0-11ed-afa1-0242ac120002",
- "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2",
- "service": "App Gateway",
+ "checklist": "Azure API Management Review",
+ "guid": "b6439493-426a-45f3-9697-cf65baee208d",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients",
+ "service": "APIM",
 "severity": "Medio",
- "text": "Asegúrese de que usa la SKU de Application Gateway v2",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "text": "API seguras mediante la autenticación de certificados de cliente",
 "waf": "Seguridad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')",
- "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
- "service": "Load Balancer",
+ "checklist": "Azure API Management Review",
+ "guid": "2a67d143-1033-4c0a-8732-680896478f08",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates",
+ "service": "APIM",
 "severity": "Medio",
- "text": "Asegúrese de que usa la SKU estándar para Azure Load Balancers",
+ "text": "Servicios de back-end seguros mediante la autenticación de certificados de cliente",
 "waf": "Seguridad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "9432621a-8397-4654-a882-5bc856b7ef83",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones",
- "service": "Load Balancer",
+ "checklist": "Azure API Management Review",
+ "guid": "074435f5-4a46-41ac-b521-d6114cb5d845",
+ "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats",
+ "service": "APIM",
 "severity": "Medio",
- "text": "Asegúrese de que las direcciones IP de front-end de Load Balancers tengan redundancia de zona (a menos que necesite front-end zonal).",
+ "text": "Revise el artículo \"Recomendaciones para mitigar las 10 principales amenazas de seguridad de la API de OWASP\" y compruebe qué se aplica a sus API",
 "waf": "Seguridad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant",
- "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15",
- "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet",
- "service": "App Gateway",
+ "checklist": "Azure API Management Review",
+ "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9",
+ "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview",
+ "service": "APIM",
 "severity": "Medio",
- "text": "Application Gateways v2 debe implementarse en subredes con prefijos IP iguales o mayores que /24",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "text": "Utilice la función Autorizaciones para simplificar la administración del token de OAuth 2.0 para las API de back-end",
 "waf": "Seguridad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "description": "La administración de proxies inversos en general y de WAF en particular está más cerca de la aplicación que de la red, por lo que pertenecen a la misma suscripción que la aplicación. La centralización de Application Gateway y WAF en la suscripción de conectividad puede ser correcta si la administra un solo equipo.",
- "guid": "48b662d6-d15f-4512-a654-98f6dfe237de",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "App Gateway",
- "severity": "Medio",
- "text": "Implemente Azure Application Gateway v2 o aplicaciones virtuales de red de asociados que se usan para proxy de conexiones HTTP(S) entrantes dentro de la red virtual de la zona de aterrizaje y con las aplicaciones que están protegiendo.",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "checklist": "Azure API Management Review",
+ "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers",
+ "service": "APIM",
+ "severity": "Alto",
+ "text": "Utilice la versión más reciente de TLS al cifrar la información en tránsito. Deshabilite los protocolos y cifrados obsoletos e innecesarios cuando sea posible.",
 "waf": "Seguridad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "App Gateway",
- "severity": "Medio",
- "text": "Use una red DDoS o planes de protección IP para todas las direcciones IP públicas en las zonas de aterrizaje de la aplicación.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "checklist": "Azure API Management Review",
+ "guid": "f8af3d94-1d2b-4070-846f-849197524258",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets",
+ "service": "APIM",
+ "severity": "Alto",
+ "text": "Asegúrese de que los secretos (valores con nombre) se almacenan en Azure Key Vault para que se pueda acceder a ellos y actualizarlos de forma segura",
 "waf": "Seguridad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant",
- "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0",
- "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant",
- "service": "App Gateway",
+ "checklist": "Azure API Management Review",
+ "guid": "791abd8b-7706-4e31-9569-afefde724be3",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities",
+ "service": "APIM",
 "severity": "Medio",
- "text": "Configure el escalado automático con una cantidad mínima de instancias de dos.",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "Fiabilidad"
+ "text": "Uso de identidades administradas para autenticarse en otros recursos de Azure siempre que sea posible",
+ "waf": "Seguridad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant",
- "guid": "060c6964-52b5-48db-af8b-83e4b2d85349",
- "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2",
- "service": "App Gateway",
- "severity": "Medio",
- "text": "Implementación de Application Gateway en zonas de disponibilidad",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "Fiabilidad"
+ "checklist": "Azure API Management Review",
+ "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall",
+ "service": "APIM",
+ "severity": "Alto",
+ "text": "Uso del firewall de aplicaciones web (WAF) mediante la implementación de Application Gateway delante de APIM",
+ "waf": "Seguridad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "Front Door",
- "severity": "Medio",
- "text": "Use Azure Front Door con directivas de WAF para entregar y ayudar a proteger aplicaciones HTTP/S globales que abarcan varias regiones de Azure.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Seguridad"
+ "checklist": "Azure App Service Review",
+ "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421",
+ "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations",
+ "service": "App Services",
+ "severity": "Bajo",
+ "text": "Consulte la arquitectura de aplicación web de redundancia de zona de alta disponibilidad de línea de base para conocer los procedimientos recomendados",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "3f29812b-2363-4cef-b179-b599de0d5973",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
- "service": "Front Door",
+ "checklist": "Azure App Service Review",
+ "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans",
+ "service": "App Services",
 "severity": "Medio",
- "text": "Al usar Front Door y Application Gateway para ayudar a proteger las aplicaciones HTTP/S, use directivas de WAF en Front Door. Bloquee Application Gateway para recibir tráfico solo de Front Door.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Seguridad"
+ "text": "Utilice los niveles Premium y Estándar. Estos niveles admiten ranuras de ensayo y copias de seguridad automatizadas.",
+ "waf": "Fiabilidad"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/trafficManagerProfiles",
- "checklist": "Azure Application Delivery Networking",
- "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "Traffic Manager",
+ "checklist": "Azure App Service Review",
+ "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service",
+ "service": "App Services",
 "severity": "Alto",
- "text": "Use el Administrador de tráfico para entregar aplicaciones globales que abarquen protocolos distintos de HTTP/S.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "text": "Aproveche las zonas de disponibilidad cuando corresponda regionalmente (requiere el nivel Premium v2 o v3)",
 "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
- "service": "Entra",
- "severity": "Bajo",
- "text": "Si los usuarios solo necesitan acceso a aplicaciones internas, ¿se ha considerado Microsoft Entra ID Application Proxy como una alternativa a Azure Virtual Desktop (AVD)?",
- "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
- "waf": "Seguridad"
- },
- {
- "checklist": "Azure Application Delivery Networking",
- "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
- "service": "Entra",
+ "checklist": "Azure App Service Review",
+ "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check",
+ "service": "App Services",
 "severity": "Medio",
- "text": "Para reducir el número de puertos de firewall abiertos para las conexiones entrantes en la red, considere la posibilidad de usar Microsoft Entra ID Application Proxy para proporcionar a los usuarios remotos acceso seguro y autenticado a las aplicaciones internas.",
- "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
- "waf": "Seguridad"
+ "text": "Implementación de comprobaciones de estado",
+ "waf": "Fiabilidad"
 },
 {
- "ammp": true,
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode",
- "guid": "ae248989-b306-4591-9186-de482e3f0f0e",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
- "service": "Front Door",
+ "checklist": "Azure App Service Review",
+ "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup",
+ "service": "App Services",
 "severity": "Alto",
- "text": "Implemente la directiva de WAF para Front Door en modo de \"prevención\".",
- "waf": "Seguridad"
+ "text": "Consulte los procedimientos recomendados de copia de seguridad y restauración para Azure App Service",
+ "waf": "Fiabilidad"
 },
 {
- "ammp": true,
- "checklist": "Azure Application Delivery Networking",
- "guid": "062d5839-4d36-402f-bfa4-02811eb936e9",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door",
- "service": "Front Door",
+ "checklist": "Azure App Service Review",
+ "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2",
+ "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability",
+ "service": "App Services",
 "severity": "Alto",
- "text": "Evite combinar Azure Traffic Manager y Azure Front Door.",
- "waf": "Seguridad"
+ "text": "Implementación de los procedimientos recomendados de confiabilidad de Azure App Service",
+ "waf": "Fiabilidad"
 },
 {
- "ammp": true,
- "checklist": "Azure Application Delivery Networking",
- "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin",
- "service": "Front Door",
+ "checklist": "Azure App Service Review",
+ "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only",
+ "service": "App Services",
+ "severity": "Bajo",
+ "text": "Familiarizarse con cómo mover una aplicación de App Service a otra región durante un desastre",
+ "waf": "Fiabilidad"
+ },
+ {
+ "checklist": "Azure App Service Review",
+ "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service",
+ "service": "App Services",
 "severity": "Alto",
- "text": "Use el mismo nombre de dominio en Azure Front Door y su origen. Los nombres de host no coincidentes pueden causar errores sutiles.",
- "waf": "Seguridad"
+ "text": "Familiarizarse con la compatibilidad con la confiabilidad en Azure App Service",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant",
- "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group",
- "service": "Front Door",
- "severity": "Bajo",
- "text": "Deshabilite los sondeos de estado cuando solo haya un origen en un grupo de orígenes de Azure Front Door.",
- "waf": "Rendimiento"
+ "checklist": "Azure App Service Review",
+ "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on",
+ "service": "App Services",
+ "severity": "Medio",
+ "text": "Asegúrese de que \"Siempre activado\" está habilitado para las aplicaciones de funciones que se ejecutan en un plan de App Service",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints",
- "service": "Front Door",
+ "checklist": "Azure App Service Review",
+ "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check",
+ "service": "App Services",
 "severity": "Medio",
- "text": "Seleccione puntos de conexión de sondeo de estado correctos para Azure Front Door. Considere la posibilidad de crear puntos de conexión de estado que comprueben todas las dependencias de la aplicación.",
+ "text": "Supervisión de instancias de App Service mediante comprobaciones de estado",
 "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId",
- "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes",
- "service": "Front Door",
- "severity": "Bajo",
- "text": "Use sondeos de estado de HEAD con Azure Front Door para reducir el tráfico que Front Door envía a la aplicación.",
- "waf": "Rendimiento"
+ "checklist": "Azure App Service Review",
+ "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview",
+ "service": "App Services",
+ "severity": "Medio",
+ "text": "Supervisión de la disponibilidad y la capacidad de respuesta de la aplicación web o el sitio web mediante pruebas de disponibilidad de Application Insights",
+ "waf": "Fiabilidad"
 },
 {
- "ammp": true,
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant",
- "guid": 
"97a2fd46-64b0-1dfa-b72d-9c8869496d75", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "Load Balancer", - "severity": "Alto", - "text": "Use Azure NAT Gateway en lugar de reglas de salida de Load Balancer para mejorar la escalabilidad de SNAT", + "checklist": "Azure App Service Review", + "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", + "service": "App Services", + "severity": "Bajo", + "text": "Uso de la prueba estándar de Application Insights para supervisar la disponibilidad y la capacidad de respuesta de la aplicación web o el sitio web", "waf": "Fiabilidad" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", - "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "Front Door", + "checklist": "Azure App Service Review", + "description": "Use Azure Key Vault para almacenar los secretos que necesita la aplicación. Key Vault proporciona un entorno seguro y auditado para almacenar secretos y está bien integrado con App Service a través del SDK de Key Vault o las referencias de Key Vault de App Service.", + "guid": "834ac932-223e-4ce8-8b12-3071a5416415", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", "severity": "Alto", - "text": "Use certificados TLS administrados con Azure Front Door. 
Reduzca los costos operativos y el riesgo de interrupciones debido a las renovaciones de certificados.", - "waf": "Operaciones" + "text": "Uso de Key Vault para almacenar secretos", + "waf": "Seguridad" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", - "service": "Front Door", - "severity": "Medio", - "text": "Defina la configuración de WAF de Azure Front Door como código. Mediante el uso de código, puede adoptar más fácilmente una nueva versión del conjunto de reglas y obtener protección adicional.", - "waf": "Operaciones" + "checklist": "Azure App Service Review", + "description": "Use una identidad administrada para conectarse a Key Vault mediante el SDK de Key Vault o a través de las referencias de Key Vault de App Service.", + "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", + "severity": "Alto", + "text": "Uso de la identidad administrada para conectarse a Key Vault", + "waf": "Seguridad" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", - "service": "Front Door", + "checklist": "Azure App Service Review", + "description": "Almacene el certificado TLS de App Service en Key Vault.", + "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", + "service": "App Services", "severity": "Alto", - "text": "Use TLS de un extremo a otro con Azure Front Door. 
Use TLS para las conexiones de los clientes a Front Door y de Front Door al origen.", + "text": "Use Key Vault para almacenar el certificado TLS.", "waf": "Seguridad" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", - "service": "Front Door", + "checklist": "Azure App Service Review", + "description": "Los sistemas que procesan información confidencial deben estar aislados. Para ello, use planes del Servicio de aplicaciones o entornos del Servicio de aplicaciones independientes y considere la posibilidad de usar suscripciones o grupos de administración diferentes.", + "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", + "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", + "service": "App Services", "severity": "Medio", - "text": "Use el redireccionamiento de HTTP a HTTPS con Azure Front Door. Apoye a los clientes más antiguos redirigiéndolos automáticamente a una solicitud HTTPS.", + "text": "Aísle los sistemas que procesan información confidencial", "waf": "Seguridad" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", - "service": "Front Door", - "severity": "Alto", - "text": "Habilite el WAF de Azure Front Door. Proteja su aplicación de una variedad de ataques.", + "checklist": "Azure App Service Review", + "description": "Los discos locales de App Service no están cifrados y los datos confidenciales no deben almacenarse en ellos. 
(Por ejemplo: D:\\\\Local y %TMP%).", + "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", + "service": "App Services", + "severity": "Medio", + "text": "No almacene datos confidenciales en el disco local", "waf": "Seguridad" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", - "service": "Front Door", - "severity": "Alto", - "text": "Ajuste el WAF de Azure Front Door para su carga de trabajo. Reduzca las detecciones de falsos positivos.", + "checklist": "Azure App Service Review", + "description": "En el caso de la aplicación web autenticada, use un proveedor de identidades bien establecido, como Azure AD o Azure AD B2C. Aproveche el marco de aplicaciones de su elección para integrarse con este proveedor o use la característica de autenticación o autorización del Servicio de aplicaciones.", + "guid": "919ca0b2-c121-459e-814b-933df574eccc", + "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", + "service": "App Services", + "severity": "Medio", + "text": "Usar un proveedor de identidades establecido para la autenticación", "waf": "Seguridad" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "Front Door", + "checklist": "Azure App Service Review", + "description": "Implemente código en App Service desde un entorno controlado y de confianza, como una canalización de implementación de DevOps bien administrada y segura. 
De este modo, se evita el código que no se ha controlado la versión y se ha comprobado que se implementará desde un host malintencionado.", + "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", + "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", + "service": "App Services", "severity": "Alto", - "text": "Habilite la característica de inspección del cuerpo de la solicitud habilitada en la directiva WAF de Azure Front Door.", + "text": "Implementación desde un entorno de confianza", "waf": "Seguridad" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", - "service": "Front Door", + "checklist": "Azure App Service Review", + "description": "Deshabilite la autenticación básica tanto para FTP/FTPS como para WebDeploy/SCM. Esto deshabilita el acceso a estos servicios y exige el uso de puntos de conexión protegidos de Azure AD para la implementación. Tenga en cuenta que el sitio de SCM también se puede abrir con credenciales de Azure AD.", + "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", + "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", + "service": "App Services", "severity": "Alto", - "text": "Habilite los conjuntos de reglas predeterminados de WAF de Azure Front Door. 
Los conjuntos de reglas predeterminados detectan y bloquean los ataques comunes.", + "text": "Deshabilitar la autenticación básica", "waf": "Seguridad" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", - "service": "Front Door", + "checklist": "Azure App Service Review", + "description": "Siempre que sea posible, use Managed Identity para conectarse a los recursos protegidos de Azure AD. Si esto no es posible, almacene los secretos en Key Vault y conéctese a Key Vault mediante una identidad administrada en su lugar.", + "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", + "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", + "service": "App Services", "severity": "Alto", - "text": "Habilite el conjunto de reglas de protección contra bots de Azure Front Door WAF. Las reglas de bots detectan bots buenos y malos.", + "text": "Uso de la identidad administrada para conectarse a los recursos", "waf": "Seguridad" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", - "service": "Front Door", - "severity": "Medio", - "text": "Use la versión más reciente del conjunto de reglas de WAF de Azure Front Door. 
Las actualizaciones del conjunto de reglas se actualizan periódicamente para tener en cuenta el panorama actual de amenazas.", + "checklist": "Azure App Service Review", + "description": "Cuando use imágenes almacenadas en Azure Container Registry, extráigalas mediante una identidad administrada.", + "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", + "service": "App Services", + "severity": "Alto", + "text": "Extracción de contenedores mediante una identidad administrada", "waf": "Seguridad" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "b9620385-1cde-418f-914b-a84a06982ffc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", - "service": "Front Door", + "checklist": "Azure App Service Review", + "description": "Al configurar las opciones de diagnóstico de App Service, puede enviar todos los datos de telemetría a Log Analytics como destino central para el registro y la supervisión. Esto le permite supervisar la actividad en tiempo de ejecución de App Service, como los registros HTTP, los registros de aplicaciones, los registros de plataforma, ...", + "guid": "47768314-c115-4775-a2ea-55b46ad48408", + "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", + "service": "App Services", "severity": "Medio", - "text": "Agregue limitación de velocidad al WAF de Azure Front Door. 
La limitación de velocidad bloquea a los clientes que envían accidental o intencionadamente grandes cantidades de tráfico en un corto período de tiempo.", + "text": "Envío de registros en tiempo de ejecución de App Service a Log Analytics", "waf": "Seguridad" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", - "service": "Front Door", + "checklist": "Azure App Service Review", + "description": "Configure una configuración de diagnóstico para enviar el registro de actividad a Log Analytics como destino central para el registro y la supervisión. Esto le permite supervisar la actividad del plano de control en el propio recurso de App Service.", + "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", + "service": "App Services", "severity": "Medio", - "text": "Use un umbral alto para los límites de frecuencia de WAF de Azure Front Door. Los umbrales de límite de velocidad altos evitan el bloqueo del tráfico legítimo, a la vez que proporcionan protección contra un número extremadamente alto de solicitudes que podrían sobrecargar su infraestructura. 
", - "waf": "Seguridad" - }, - { - "checklist": "Azure Application Delivery Networking", - "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", - "service": "Front Door", - "severity": "Bajo", - "text": "Si no espera tráfico de todas las regiones geográficas, utilice filtros geográficos para bloquear el tráfico de países no esperados.", + "text": "Envío de registros de actividad de App Service a Log Analytics", "waf": "Seguridad" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "00acd8a9-6975-414f-8491-2be6309893b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", - "service": "Front Door", + "checklist": "Azure App Service Review", + "description": "Controle el acceso saliente a la red mediante una combinación de integración de red virtual regional, grupos de seguridad de red y UDR. El tráfico debe enrutarse a una aplicación virtual de red, como Azure Firewall. Asegúrese de supervisar los registros del cortafuegos.", + "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", + "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", + "service": "App Services", "severity": "Medio", - "text": "Especifique la ubicación desconocida (ZZ) al filtrar geográficamente el tráfico con el WAF de Azure Front Door. 
Evite bloquear accidentalmente solicitudes legítimas cuando las direcciones IP no puedan coincidir geográficamente.", + "text": "El acceso a la red saliente debe controlarse", "waf": "Seguridad" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", - "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", - "service": "App Gateway", - "severity": "Alto", - "text": "Habilitación del conjunto de reglas de protección contra bots de WAF de Azure Application Gateway Las reglas de bots detectan bots buenos y malos.", + "checklist": "Azure App Service Review", + "description": "Puede proporcionar una dirección IP de salida estable mediante la integración de red virtual y una puerta de enlace NAT de red virtual o una aplicación virtual de red como Azure Firewall. Esto permite a la parte receptora incluir en la lista de permitidos en función de la IP, en caso de que sea necesario. Tenga en cuenta que para las comunicaciones con los servicios de Azure, a menudo no es necesario depender de la dirección IP y, en su lugar, se deben usar mecanismos como los puntos de conexión de servicio. 
(Además, el uso de puntos de conexión privados en el extremo receptor evita que se produzca SNAT y proporciona un intervalo de IP de salida estable).", + "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", + "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", + "service": "App Services", + "severity": "Bajo", + "text": "Garantizar una IP estable para las comunicaciones salientes hacia las direcciones de Internet", "waf": "Seguridad" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "App Gateway", + "checklist": "Azure App Service Review", + "description": "Controle el acceso entrante a la red mediante una combinación de restricciones de acceso al Servicio de aplicaciones, puntos de conexión de servicio o puntos de conexión privados. 
Se pueden requerir y configurar diferentes restricciones de acceso para la propia aplicación web y el sitio de SCM.", + "guid": "0725769e-e669-41a4-a34a-c932223ece80", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "severity": "Alto", - "text": "Habilite la característica de inspección del cuerpo de la solicitud habilitada en la directiva WAF de Azure Application Gateway.", + "text": "El acceso a la red entrante debe controlarse", "waf": "Seguridad" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", - "service": "App Gateway", + "checklist": "Azure App Service Review", + "description": "Protéjase contra el tráfico entrante malintencionado mediante un firewall de aplicaciones web como Application Gateway o Azure Front Door. Asegúrese de supervisar los registros del WAF.", + "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", + "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", + "service": "App Services", "severity": "Alto", - "text": "Ajuste el WAF de Azure Application Gateway para la carga de trabajo. 
Reduzca las detecciones de falsos positivos.", + "text": "Uso de un WAF delante de App Service", "waf": "Seguridad" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", - "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "App Gateway", + "checklist": "Azure App Service Review", + "description": "Asegúrese de que no se pueda omitir el WAF bloqueando el acceso solo al WAF. 
Use una combinación de restricciones de acceso, puntos de conexión de servicio y puntos de conexión privados.", + "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "severity": "Alto", - "text": "Implemente la directiva de WAF para Application Gateway en modo de \"prevención\".", + "text": "Evite que se omita WAF", "waf": "Seguridad" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", - "service": "App Gateway", + "checklist": "Azure App Service Review", + "description": "Establezca la directiva TLS mínima en 1.2 en la configuración de App Service.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", + "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", + "service": "App Services", "severity": "Medio", - "text": "Agregue limitación de velocidad al WAF de Azure Application Gateway. La limitación de velocidad bloquea a los clientes que envían accidental o intencionadamente grandes cantidades de tráfico en un corto período de tiempo.", + "text": "Establezca la directiva TLS mínima en 1.2", "waf": "Seguridad" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", - "service": "App Gateway", - "severity": "Medio", - "text": "Use un umbral alto para los límites de frecuencia de WAF de Azure Application Gateway. 
Los umbrales de límite de velocidad altos evitan el bloqueo del tráfico legítimo, a la vez que proporcionan protección contra un número extremadamente alto de solicitudes que podrían sobrecargar su infraestructura. ", + "checklist": "Azure App Service Review", + "description": "Configure App Service para que use solo HTTPS. Esto hace que App Service se redirija de HTTP a HTTPS. Considere seriamente el uso de HTTP Strict Transport Security (HSTS) en su código o desde su WAF, que informa a los navegadores que solo se debe acceder al sitio mediante HTTPS.", + "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", + "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", + "service": "App Services", + "severity": "Alto", + "text": "Usar solo HTTPS", "waf": "Seguridad" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "99937189-ff78-492a-b9ca-18d828d82b37", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", - "service": "App Gateway", - "severity": "Bajo", - "text": "Si no espera tráfico de todas las regiones geográficas, utilice filtros geográficos para bloquear el tráfico de países no esperados.", + "checklist": "Azure App Service Review", + "description": "No utilice caracteres comodín en la configuración de CORS, ya que esto permite que todos los orígenes accedan al servicio (lo que anula el propósito de CORS). 
En concreto, solo permite los orígenes que esperas poder acceder al servicio.", + "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", + "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", + "service": "App Services", + "severity": "Alto", + "text": "Los comodines no deben usarse para CORS", "waf": "Seguridad" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", - "service": "App Gateway", - "severity": "Medio", - "text": "Especifique la ubicación desconocida (ZZ) al filtrar geográficamente el tráfico con el WAF de Azure Application Gateway. Evite bloquear accidentalmente solicitudes legítimas cuando las direcciones IP no puedan coincidir geográficamente.", + "checklist": "Azure App Service Review", + "description": "La depuración remota no debe estar activada en producción, ya que esto abre puertos adicionales en el servicio, lo que aumenta la superficie expuesta a ataques. Tenga en cuenta que el servicio desactiva la depuración remota automáticamente después de 48 horas.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", + "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", + "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", + "service": "App Services", + "severity": "Alto", + "text": "Desactivar la depuración remota", "waf": "Seguridad" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", - "service": "App Gateway", + "checklist": "Azure App Service Review", + "description": "Habilite Defender para App Service. 
Esto (entre otras amenazas) detecta comunicaciones a direcciones IP maliciosas conocidas. Revise las recomendaciones de Defender para App Service como parte de las operaciones.", + "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", + "service": "App Services", "severity": "Medio", - "text": "Use la versión más reciente del conjunto de reglas de WAF de Azure Application Gateway. Las actualizaciones del conjunto de reglas se actualizan periódicamente para tener en cuenta el panorama actual de amenazas.", + "text": "Habilitación de Defender for Cloud: Defender for App Service", "waf": "Seguridad" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "App Gateway", + "checklist": "Azure App Service Review", + "description": "Azure proporciona protección básica contra DDoS en su red, que se puede mejorar con funcionalidades inteligentes de DDoS Standard que aprenden sobre los patrones de tráfico normales y pueden detectar comportamientos inusuales. 
DDoS Standard se aplica a una red virtual, por lo que debe configurarse para el recurso de red delante de la aplicación, como Application Gateway o una aplicación virtual de red.", + "guid": "223ece80-b123-4071-a541-6415833ea3ad", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "App Services", "severity": "Medio", - "text": "Agregue la configuración de diagnóstico para guardar los registros de WAF de Azure Application Gateway.", - "waf": "Operaciones" + "text": "Habilitación del estándar de protección DDoS en la red virtual de WAF", + "waf": "Seguridad" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "Front Door", + "checklist": "Azure App Service Review", + "description": "Cuando use imágenes almacenadas en Azure Container Registry, extráigalas a través de una red virtual desde Azure Container Registry mediante su punto de conexión privado y la configuración de la aplicación \"WEBSITE_PULL_IMAGE_OVER_VNET\".", + "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", + "service": "App Services", "severity": "Medio", - "text": "Agregue la configuración de diagnóstico para guardar los registros de WAF de Azure Front Door.", - "waf": "Operaciones" + "text": "Extracción de contenedores a través de una red virtual", + "waf": "Seguridad" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "92664c60-47e3-4591-8b1b-8d557656e686", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", - "service": "App Gateway", + "checklist": "Azure App Service Review", + "description": "Realice una 
prueba de penetración en la aplicación web siguiendo las reglas de participación de las pruebas de penetración.",
+ "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing",
+ "service": "App Services",
 "severity": "Medio",
- "text": "Envíe registros de WAF de Azure Application Gateway a Microsoft Sentinel.",
- "waf": "Operaciones"
+ "text": "Realizar una prueba de penetración",
+ "waf": "Seguridad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "845f5f91-9c21-4674-a725-5ce890850e20",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
- "service": "Front Door",
+ "checklist": "Azure App Service Review",
+ "description": "Implemente código de confianza que se haya validado y analizado en busca de vulnerabilidades de acuerdo con las prácticas de DevSecOps.",
+ "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e",
+ "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure",
+ "service": "App Services",
 "severity": "Medio",
- "text": "Envíe registros de WAF de Azure Front Door a Microsoft Sentinel.",
- "waf": "Operaciones"
+ "text": "Implementación de código validado",
+ "waf": "Seguridad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code",
- "service": "App Gateway",
- "severity": "Medio",
- "text": "Defina la configuración de WAF de Azure Application Gateway como código. 
Mediante el uso de código, puede adoptar más fácilmente una nueva versión del conjunto de reglas y obtener protección adicional.",
- "waf": "Operaciones"
+ "checklist": "Azure App Service Review",
+ "description": "Utilice las versiones más recientes de plataformas, lenguajes de programación, protocolos y marcos compatibles.",
+ "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime",
+ "service": "App Services",
+ "severity": "Alto",
+ "text": "Utilizar plataformas, lenguajes, protocolos y marcos actualizados",
+ "waf": "Seguridad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview",
- "service": "App Gateway",
+ "checklist": "Azure Bot Service",
+ "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot",
+ "service": "Bot service",
 "severity": "Medio",
- "text": "Utilice directivas de WAF en lugar de la configuración de WAF heredada.",
- "waf": "Operaciones"
+ "text": "Siga las recomendaciones de soporte técnico de confiabilidad en Azure Bot Service",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88",
- "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway",
- "service": "App Gateway",
+ "checklist": "Azure Bot Service",
+ "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a",
+ "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization",
+ "service": "Bot service",
 "severity": "Medio",
- "text": "Filtre el tráfico entrante en los back-end para que solo acepten conexiones de la subred de Application Gateway, por ejemplo, con grupos de seguridad de red.",
- "waf": "Seguridad"
+ "text": "Implementación de bots con residencia de 
datos local y cumplimiento regional",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1",
- "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions",
- "service": "Front Door",
+ "checklist": "Azure Bot Service",
+ "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography",
+ "service": "Bot service",
 "severity": "Medio",
- "text": "Asegúrese de que los orígenes solo toman tráfico de la instancia de Azure Front Door.",
- "waf": "Seguridad"
- },
- {
- "checklist": "Azure Application Delivery Networking",
- "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2",
- "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview",
- "service": "App Gateway",
- "severity": "Alto",
- "text": "Debe cifrar el tráfico a los servidores backend.",
- "waf": "Seguridad"
+ "text": "Azure Bot Service se ejecuta en modo activo-activo para los servicios globales y regionales. Cuando se produce una interrupción, no es necesario detectar errores ni administrar el servicio. Azure Bot Service realiza automáticamente la conmutación por error y la recuperación automáticas en una arquitectura geográfica de varias regiones. En el caso del servicio regional de bots de la UE, Azure Bot Service proporciona dos regiones completas dentro de Europa con replicación activa/activa para garantizar la redundancia. 
En el caso del servicio de bot global, todas las regiones o zonas geográficas disponibles se pueden servir como superficie global.",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/overview",
- "service": "App Gateway",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "65285269-440b-44be-9d3e-0844276d4bdc",
+ "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy",
+ "service": "Redis",
 "severity": "Alto",
- "text": "Debe utilizar un firewall de aplicaciones web.",
- "waf": "Seguridad"
+ "text": "Habilite la redundancia de zona para Azure Cache for Redis. Azure Cache for Redis admite configuraciones con redundancia de zona en los niveles Premium y Enterprise. Una caché con redundancia de zona puede colocar sus nodos en diferentes zonas de disponibilidad de Azure en la misma región. Elimina la interrupción del centro de datos o de la zona de disponibilidad como único punto de error y aumenta la disponibilidad general de la memoria caché.",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2",
- "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview",
- "service": "App Gateway",
- "severity": "Medio",
- "text": "Redirigir HTTP a HTTPS",
- "waf": "Seguridad"
+ "checklist": "Redis Resiliency checklist",
+ "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence",
+ "service": "Redis",
+ "severity": "Medio",
+ "text": "Configure la persistencia de datos para una instancia de Azure Cache for Redis. Dado que los datos de caché se almacenan en la memoria, un error poco frecuente y no planeado de varios nodos puede hacer que se eliminen todos los datos. 
Para evitar la pérdida completa de datos, la persistencia de Redis permite tomar instantáneas periódicas de los datos en memoria y almacenarlas en la cuenta de almacenamiento.",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f",
- "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request",
- "service": "App Gateway",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence",
+ "service": "Redis",
 "severity": "Medio",
- "text": "Utilice cookies administradas por puerta de enlace para dirigir el tráfico de una sesión de usuario al mismo servidor para su procesamiento",
- "waf": "Operaciones"
+ "text": "Use una cuenta de almacenamiento con redundancia geográfica para conservar los datos de Azure Cache for Redis o con redundancia zonal donde la redundancia geográfica no esté disponible",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35",
- "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings",
- "service": "App Gateway",
- "severity": "Alto",
- "text": "Habilite el drenaje de conexiones durante las actualizaciones de servicio planificadas para evitar la pérdida de conexión a los miembros existentes del grupo de back-end",
- "waf": "Seguridad"
+ "checklist": "Redis Resiliency checklist",
+ "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789",
+ "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication",
+ "service": "Redis",
+ "severity": "Medio",
+ "text": "Configure la replicación geográfica pasiva para instancias de Azure Cache for Redis Premium. 
La replicación geográfica es un mecanismo para vincular dos o más instancias de Azure Cache for Redis, que normalmente abarcan dos regiones de Azure. La replicación geográfica está diseñada principalmente para la recuperación ante desastres entre regiones. Dos instancias de caché de nivel Premium se conectan a través de la replicación geográfica de una manera que proporciona lecturas y escrituras en la caché principal, y esos datos se replican en la caché secundaria.",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5",
- "link": "https://learn.microsoft.com/azure/application-gateway/custom-error",
- "service": "App Gateway",
- "severity": "Bajo",
- "text": "Crear páginas de error personalizadas para mostrar una experiencia de usuario personalizada",
- "waf": "Operaciones"
+ "checklist": "IoT Hub Review",
+ "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones",
+ "service": "IoT",
+ "severity": "Alto",
+ "text": "Aproveche las zonas de disponibilidad si corresponden regionalmente (esto se habilita automáticamente)",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1",
- "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url",
- "service": "App Gateway",
+ "checklist": "IoT Hub Review",
+ "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover",
+ "service": "IoT",
 "severity": "Medio",
- "text": "Edite las solicitudes HTTP y los encabezados de respuesta para facilitar el enrutamiento y el intercambio de información entre el cliente y el servidor",
- "waf": "Seguridad"
+ "text": "Tenga en cuenta las conmutaciones por error iniciadas por Microsoft. 
Microsoft los ejerce en situaciones excepcionales para conmutar por error todos los centros de IoT de una región afectada a la región emparejada geográficamente correspondiente.",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1",
- "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
- "service": "App Gateway",
- "severity": "Medio",
- "text": "Configure Front Door para optimizar el enrutamiento del tráfico web global y el rendimiento del usuario final de primer nivel, así como la confiabilidad a través de una rápida conmutación por error global",
- "waf": "Rendimiento"
+ "checklist": "IoT Hub Review",
+ "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr",
+ "service": "IoT",
+ "severity": "Alto",
+ "text": "Considere la posibilidad de una estrategia de recuperación ante desastres entre regiones para cargas de trabajo críticas",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "29dcc19f-a8fa-4c35-8281-290577538793",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
- "service": "App Gateway",
- "severity": "Medio",
- "text": "Usar el equilibrio de carga de la capa de transporte",
- "waf": "Rendimiento"
+ "checklist": "IoT Hub Review",
+ "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover",
+ "service": "IoT",
+ "severity": "Alto",
+ "text": "Obtenga información sobre cómo desencadenar una conmutación por error manual.",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d",
- "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview",
- "service": "App Gateway",
- "severity": "Medio",
- "text": "Configure el 
enrutamiento basado en el host o el nombre de dominio para varias aplicaciones web en una sola puerta de enlace",
- "waf": "Seguridad"
+ "checklist": "IoT Hub Review",
+ "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback",
+ "service": "IoT",
+ "severity": "Alto",
+ "text": "Obtenga información sobre cómo conmutar por recuperación después de una conmutación por error.",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2",
- "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal",
- "service": "App Gateway",
+ "checklist": "Azure Data Factory Review Checklist",
+ "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e",
+ "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx",
+ "service": "Azure Data Factory",
 "severity": "Medio",
- "text": "Centralice la administración de certificados SSL para reducir la sobrecarga de cifrado y descifrado de una granja de servidores back-end",
- "waf": "Seguridad"
- },
- {
- "checklist": "Azure Application Delivery Networking",
- "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9",
- "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket",
- "service": "App Gateway",
- "severity": "Bajo",
- "text": "Uso de Application Gateway para obtener compatibilidad nativa con los protocolos WebSocket y HTTP/2",
- "waf": "Seguridad"
+ "text": "Aproveche el cuaderno de estrategias de resistencia de FTA para Azure Data Factory",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Event Hub Review",
- "description": "Azure Event Hub proporciona cifrado de datos en reposo. Si usa su propia clave, los datos se siguen cifrando con la clave administrada por Microsoft, pero además la clave administrada por Microsoft se cifrará con la clave administrada por el cliente. 
", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "service": "Event Hubs", - "severity": "Bajo", - "text": "Usar la opción de clave administrada por el cliente en el cifrado de datos en reposo cuando sea necesario", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Seguridad" + "checklist": "Azure Data Factory Review Checklist", + "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", + "severity": "Alto", + "text": "Uso de canalizaciones con redundancia de zona en regiones que admiten zonas de disponibilidad", + "waf": "Fiabilidad" }, { - "checklist": "Azure Event Hub Review", - "description": "Los espacios de nombres de Azure Event Hubs permiten a los clientes enviar y recibir datos con TLS 1.0 y versiones posteriores. Para aplicar medidas de seguridad más estrictas, puede configurar el espacio de nombres de Event Hubs para requerir que los clientes envíen y reciban datos con una versión más reciente de TLS. Si un espacio de nombres de Event Hubs requiere una versión mínima de TLS, se producirá un error en las solicitudes realizadas con una versión anterior. 
", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "service": "Event Hubs", + "checklist": "Azure Data Factory Review Checklist", + "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", + "link": "https://learn.microsoft.com/azure/data-factory/source-control", + "service": "Azure Data Factory", "severity": "Medio", - "text": "Aplicar una versión mínima requerida de Seguridad de la capa de transporte (TLS) para las solicitudes ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Seguridad" + "text": "Uso de DevOps para realizar copias de seguridad de las plantillas de ARM con la integración de Github/Azure DevOps ", + "waf": "Fiabilidad" }, { - "checklist": "Azure Event Hub Review", - "description": "Al crear un espacio de nombres de Event Hubs, se crea automáticamente una regla de directiva denominada RootManageSharedAccessKey para el espacio de nombres. Esta directiva tiene permisos de administración para todo el espacio de nombres. Se recomienda tratar esta regla como una cuenta raíz administrativa y no usarla en la aplicación. Se recomienda usar AAD como proveedor de autenticación con RBAC. 
", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "service": "Event Hubs", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "severity": "Medio", - "text": "Evite usar la cuenta raíz cuando no sea necesario", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "Seguridad" + "text": "Asegúrese de replicar las máquinas virtuales de Integration Runtime autohospedadas en otra región ", + "waf": "Fiabilidad" }, { - "checklist": "Azure Event Hub Review", - "description": "Las identidades administradas para los recursos de Azure pueden autorizar el acceso a los recursos de Event Hubs mediante credenciales de Azure AD desde aplicaciones que se ejecutan en Azure Virtual Machines (VM), aplicaciones de funciones, conjuntos de escalado de máquinas virtuales y otros servicios. Mediante el uso de identidades administradas para los recursos de Azure junto con la autenticación de Azure AD, puede evitar el almacenamiento de credenciales con las aplicaciones que se ejecutan en la nube. ", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "service": "Event Hubs", + "checklist": "Azure Data Factory Review Checklist", + "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "severity": "Medio", - "text": "Siempre que sea posible, la aplicación debe usar una identidad administrada para autenticarse en Azure Event Hub. 
Si no es así, considere la posibilidad de tener la credencial de almacenamiento (SAS, credencial de entidad de servicio) en Azure Key Vault o en un servicio equivalente",
- "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
- "waf": "Seguridad"
+ "text": "Asegúrese de replicar o duplicar la red en la región hermana. Tiene que hacer una copia de la red virtual en otra región",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Event Hub Review",
- "description": "Al crear permisos, proporcione un control específico sobre el acceso de un cliente al Centro de eventos de Azure. Los permisos del Centro de eventos de Azure pueden y deben limitarse al nivel de recurso individual, por ejemplo, grupo de consumidores, entidad del centro de eventos, espacios de nombres del centro de eventos, etc.",
- "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2",
- "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs",
- "service": "Event Hubs",
- "severity": "Alto",
- "text": "Uso de RBAC de plano de datos con privilegios mínimos",
- "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
- "waf": "Seguridad"
+ "checklist": "Azure Data Factory Review Checklist",
+ "description": "Si las canalizaciones de ADF usan Key Vault, no tiene que hacer nada para replicar Key Vault. 
Key Vault es un servicio administrado y Microsoft se encarga de ello por ti",
+ "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
+ "service": "Azure Data Factory",
+ "severity": "Bajo",
+ "text": "Si utiliza la integración de Keyvault, utilice el Acuerdo de Nivel de Servicio de Keyvault para comprender su disponibilidad",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Event Hub Review",
- "description": "Los registros de recursos del Centro de eventos de Azure incluyen registros operativos, registros de red virtual y registros de Kafka. Los registros de auditoría en tiempo de ejecución capturan información de diagnóstico agregada para todas las operaciones de acceso al plano de datos (como eventos de envío o recepción) en Event Hubs.",
- "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db",
- "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference",
- "service": "Event Hubs",
+ "checklist": "Identity Review Checklist",
+ "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c",
+ "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens",
+ "service": "Entra",
 "severity": "Medio",
- "text": "Habilite el registro para la investigación de seguridad. Use Azure Monitor para capturar métricas y registros, como registros de recursos, registros de auditoría en tiempo de ejecución y registros de Kafka",
- "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
- "waf": "Seguridad"
+ "text": "Use el token revocable de larga duración, almacene en caché el token y adquiera el token de forma silenciosa mediante la biblioteca de identidades de Microsoft",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Event Hub Review",
- "description": "De forma predeterminada, Azure Event Hub tiene una dirección IP pública y es accesible a través de Internet. 
Los puntos de conexión privados permiten el tráfico entre la red virtual y Azure Event Hubs a través de la red troncal de Microsoft. Además de eso, debe deshabilitar los puntos de conexión públicos si no se usan. ",
- "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc",
- "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service",
- "service": "Event Hubs",
+ "checklist": "Identity Review Checklist",
+ "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd",
+ "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops",
+ "service": "AAD B2C",
 "severity": "Medio",
- "text": "Considere la posibilidad de usar puntos de conexión privados para acceder al Centro de eventos de Azure y deshabilitar el acceso a la red pública cuando corresponda.",
- "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
- "waf": "Seguridad"
+ "text": "Asegúrese de que los flujos de usuario de inicio de sesión estén respaldados y sean resistentes. Asegúrese de que se ha realizado una copia de seguridad del código que usa para iniciar sesión en los usuarios y se puede recuperar. Interfaces resilientes con procesos externos",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Event Hub Review",
- "description": "Con el firewall IP, puede restringir aún más el punto de conexión público a solo un conjunto de direcciones IPv4 o rangos de direcciones IPv4 en notación CIDR (Classless Inter-Domain Routing). 
", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "service": "Event Hubs", + "checklist": "Identity Review Checklist", + "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", + "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", + "service": "AAD B2C", "severity": "Medio", - "text": "Considere la posibilidad de permitir solo el acceso al espacio de nombres del Centro de eventos de Azure desde direcciones IP o intervalos específicos", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Seguridad" + "text": "Los activos de marca personalizados deben estar alojados en una CDN", + "waf": "Rendimiento" }, { - "checklist": "Azure Event Hub Review", - "guid": "31d41e36-11c8-417b-8afb-c410d4391898", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", - "service": "Event Hubs", - "severity": "Medio", - "text": "Aproveche el Manual de Resiliencia de los TLC", + "checklist": "Identity Review Checklist", + "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", + "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", + "service": "AAD B2C", + "severity": "Bajo", + "text": "Tener varios proveedores de identidad (es decir, iniciar sesión con sus cuentas de Microsoft, Google, Facebook)", "waf": "Fiabilidad" }, { - "checklist": "Azure Event Hub Review", - "description": " Esto se activará automáticamente para un nuevo espacio de nombres EH creado desde el portal con SKU Premium, Dedicado o Estándar en una región habilitada para zonas. 
Tanto los metadatos de EH como los propios datos de eventos se replican en todas las zonas",
- "guid": "f15bce21-9e4a-40eb-9787-9424d226786d",
- "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones",
- "service": "Event Hubs",
- "severity": "Alto",
- "text": "Aproveche las zonas de disponibilidad si corresponde regionalmente",
+ "checklist": "Identity Review Checklist",
+ "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57",
+ "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
+ "service": "Windows AD",
+ "severity": "Medio",
+ "text": "Siga las reglas de la máquina virtual para la alta disponibilidad en el nivel de máquina virtual (discos premium, dos o más en una región, en diferentes zonas de disponibilidad)",
 "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Event Hub Review",
- "guid": "20b56c56-ad58-4519-8f82-735c586bb281",
- "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers",
- "service": "Event Hubs",
+ "checklist": "Identity Review Checklist",
+ "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0",
+ "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
+ "service": "Windows AD",
 "severity": "Medio",
- "text": "Usa las SKU Premium o Dedicadas para obtener un rendimiento predecible",
+ "text": "¡No repliques! 
La replicación puede crear problemas con la sincronización de directorios",
 "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Event Hub Review",
- "description": "La característica integrada de recuperación ante desastres geográfica, cuando está habilitada, garantiza que toda la configuración de un espacio de nombres (Event Hubs, grupos de consumidores y configuración) se replique continuamente desde un espacio de nombres principal a un espacio de nombres secundario, y permite un movimiento de conmutación por error de una sola vez del principal al secundario en cualquier momento. La característica Activo/Pasivo está diseñada para facilitar la recuperación y el abandono de una región de Azure con errores sin tener que cambiar las configuraciones de la aplicación",
- "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd",
- "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal",
- "service": "Event Hubs",
- "severity": "Alto",
- "text": "Planeación de la recuperación ante desastres geográfica mediante la configuración pasiva activa",
+ "checklist": "Identity Review Checklist",
+ "guid": "79b598de-fc59-472c-b4cd-21b078036f5e",
+ "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
+ "service": "Windows AD",
+ "severity": "Medio",
+ "text": "Tener activo-activo para varias regiones",
 "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Event Hub Review",
- "description": "Debe utilizarse para configuraciones de recuperación ante desastres en las que no se puede tolerar una interrupción o pérdida de datos de eventos en la región inactiva. En estos casos, siga las instrucciones de replicación y no use la capacidad de recuperación ante desastres geográfica integrada (activa/pasiva). 
Con Activo/Activo, mantenga varios centros de eventos en diferentes regiones y espacios de nombres, y los eventos se replicarán entre los centros",
- "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e",
- "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview",
- "service": "Event Hubs",
+ "checklist": "Identity Review Checklist",
+ "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0",
+ "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
+ "service": "Entra",
 "severity": "Medio",
- "text": "En el caso de las aplicaciones críticas para la empresa, use la configuración Active Active",
+ "text": "Adición de stamps de servicio de dominio de Azure AD a regiones y ubicaciones adicionales",
 "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Event Hub Review",
- "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c",
- "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design",
- "service": "Event Hubs",
+ "checklist": "Identity Review Checklist",
+ "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4",
+ "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
+ "service": "Entra",
 "severity": "Medio",
- "text": "Diseño de centros de eventos resilientes",
+ "text": "Uso de conjuntos de réplicas para recuperación ante desastres",
 "waf": "Fiabilidad"
 },
 {
@@ -7816,11 +7608,219 @@ "severity": "Medio", "text": "Si usa Azure Disks y AZ, considere la posibilidad de tener grupos de nodos dentro de una zona para el disco LRS con VolumeBindingMode:WaitForFirstConsumer para aprovisionar el almacenamiento en la zona correcta o use el disco ZRS para los grupos de nodos que abarquen varias zonas", "waf": "Rendimiento" + }, + { + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub proporciona cifrado de datos en reposo. Si usa su propia clave, los datos se siguen cifrando con la clave administrada por Microsoft, pero además la clave administrada por Microsoft se cifrará con la clave administrada por el cliente. ", + "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", + "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", + "service": "Event Hubs", + "severity": "Bajo", + "text": "Usar la opción de clave administrada por el cliente en el cifrado de datos en reposo cuando sea necesario", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Seguridad" + }, + { + "checklist": "Azure Event Hub Review", + "description": "Los espacios de nombres de Azure Event Hubs permiten a los clientes enviar y recibir datos con TLS 1.0 y versiones posteriores. Para aplicar medidas de seguridad más estrictas, puede configurar el espacio de nombres de Event Hubs para requerir que los clientes envíen y reciban datos con una versión más reciente de TLS. Si un espacio de nombres de Event Hubs requiere una versión mínima de TLS, se producirá un error en las solicitudes realizadas con una versión anterior. 
", + "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", + "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", + "service": "Event Hubs", + "severity": "Medio", + "text": "Aplicar una versión mínima requerida de Seguridad de la capa de transporte (TLS) para las solicitudes ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "waf": "Seguridad" + }, + { + "checklist": "Azure Event Hub Review", + "description": "Al crear un espacio de nombres de Event Hubs, se crea automáticamente una regla de directiva denominada RootManageSharedAccessKey para el espacio de nombres. Esta directiva tiene permisos de administración para todo el espacio de nombres. Se recomienda tratar esta regla como una cuenta raíz administrativa y no usarla en la aplicación. Se recomienda usar AAD como proveedor de autenticación con RBAC. ", + "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", + "service": "Event Hubs", + "severity": "Medio", + "text": "Evite usar la cuenta raíz cuando no sea necesario", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "waf": "Seguridad" + }, + { + "checklist": "Azure Event Hub Review", + "description": "Las identidades administradas para los recursos de Azure pueden autorizar el acceso a los recursos de Event Hubs mediante credenciales de Azure AD desde aplicaciones que se ejecutan en Azure Virtual Machines (VM), aplicaciones de funciones, conjuntos de escalado de máquinas virtuales y otros servicios. Mediante el uso de identidades administradas para los recursos de Azure junto con la autenticación de Azure AD, puede evitar el almacenamiento de credenciales con las aplicaciones que se ejecutan en la nube. 
", + "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", + "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", + "service": "Event Hubs", + "severity": "Medio", + "text": "Siempre que sea posible, la aplicación debe usar una identidad administrada para autenticarse en Azure Event Hub. Si no es así, considere la posibilidad de tener la credencial de almacenamiento (SAS, credencial de entidad de servicio) en Azure Key Vault o en un servicio equivalente", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Seguridad" + }, + { + "checklist": "Azure Event Hub Review", + "description": "Al crear permisos, proporcione un control específico sobre el acceso de un cliente al Centro de eventos de Azure. Los permisos del Centro de eventos de Azure pueden y deben limitarse al nivel de recurso individual, por ejemplo, grupo de consumidores, entidad del centro de eventos, espacios de nombres del centro de eventos, etc.", + "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", + "service": "Event Hubs", + "severity": "Alto", + "text": "Uso de RBAC de plano de datos con privilegios mínimos", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Seguridad" + }, + { + "checklist": "Azure Event Hub Review", + "description": "Los registros de recursos del Centro de eventos de Azure incluyen registros operativos, registros de red virtual y registros de Kafka. 
Los registros de auditoría en tiempo de ejecución capturan información de diagnóstico agregada para todas las operaciones de acceso al plano de datos (como eventos de envío o recepción) en Event Hubs.", + "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", + "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", + "service": "Event Hubs", + "severity": "Medio", + "text": "Habilite el registro para la investigación de seguridad. Use Azure Monitor para capturar métricas y registros, como registros de recursos, registros de auditoría en tiempo de ejecución y registros de Kafka", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Seguridad" + }, + { + "checklist": "Azure Event Hub Review", + "description": "De forma predeterminada, Azure Event Hub tiene una dirección IP pública y es accesible a través de Internet. Los puntos de conexión privados permiten el tráfico entre la red virtual y Azure Event Hubs a través de la red troncal de Microsoft. Además de eso, debe deshabilitar los puntos de conexión públicos si no se usan. ", + "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", + "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", + "service": "Event Hubs", + "severity": "Medio", + "text": "Considere la posibilidad de usar puntos de conexión privados para acceder al Centro de eventos de Azure y deshabilitar el acceso a la red pública cuando corresponda.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Seguridad" + }, + { + "checklist": "Azure Event Hub Review", + "description": "Con el firewall IP, puede restringir aún más el punto de conexión público a solo un conjunto de direcciones IPv4 o rangos de direcciones IPv4 en notación CIDR (Classless Inter-Domain Routing). 
", + "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", + "service": "Event Hubs", + "severity": "Medio", + "text": "Considere la posibilidad de permitir solo el acceso al espacio de nombres del Centro de eventos de Azure desde direcciones IP o intervalos específicos", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Seguridad" + }, + { + "checklist": "Azure Event Hub Review", + "guid": "31d41e36-11c8-417b-8afb-c410d4391898", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", + "service": "Event Hubs", + "severity": "Medio", + "text": "Aproveche el Manual de Resiliencia de los TLC", + "waf": "Fiabilidad" + }, + { + "checklist": "Azure Event Hub Review", + "description": " Esto se activará automáticamente para un nuevo espacio de nombres EH creado desde el portal con SKU Premium, Dedicado o Estándar en una región habilitada para zonas. 
Tanto los metadatos de EH como los propios datos de eventos se replican en todas las zonas", + "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", + "service": "Event Hubs", + "severity": "Alto", + "text": "Aproveche las zonas de disponibilidad si corresponde regionalmente", + "waf": "Fiabilidad" + }, + { + "checklist": "Azure Event Hub Review", + "guid": "20b56c56-ad58-4519-8f82-735c586bb281", + "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", + "service": "Event Hubs", + "severity": "Medio", + "text": "Usa las SKU Premium o Dedicadas para obtener un rendimiento predecible", + "waf": "Fiabilidad" + }, + { + "checklist": "Azure Event Hub Review", + "description": "La característica integrada de recuperación ante desastres geográfica, cuando está habilitada, garantiza que toda la configuración de un espacio de nombres (Event Hubs, grupos de consumidores y configuración) se replique continuamente desde un espacio de nombres principal a un espacio de nombres secundario, y permite un movimiento de conmutación por error de una sola vez del principal al secundario en cualquier momento. La característica Activo/Pasivo está diseñada para facilitar la recuperación y el abandono de una región de Azure con errores sin tener que cambiar las configuraciones de la aplicación", + "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", + "service": "Event Hubs", + "severity": "Alto", + "text": "Planeación de la recuperación ante desastres geográfica mediante la configuración pasiva activa", + "waf": "Fiabilidad" + }, + { + "checklist": "Azure Event Hub Review", + "description": "Debe utilizarse para configuraciones de recuperación ante desastres en las que no se puede tolerar una interrupción o pérdida de datos de eventos en la región inactiva. 
En estos casos, siga las instrucciones de replicación y no use la capacidad de recuperación ante desastres geográfica integrada (activa/pasiva). Con Activo/Activo, mantenga varios centros de eventos en diferentes regiones y espacios de nombres, y los eventos se replicarán entre los centros", + "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", + "service": "Event Hubs", + "severity": "Medio", + "text": "En el caso de las aplicaciones críticas para la empresa, use la configuración Active Active", + "waf": "Fiabilidad" + }, + { + "checklist": "Azure Event Hub Review", + "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", + "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", + "service": "Event Hubs", + "severity": "Medio", + "text": "Diseño de centros de eventos resilientes", + "waf": "Fiabilidad" + }, + { + "checklist": "Azure Function Review", + "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", + "severity": "Alto", + "text": "Seleccione el plan de hospedaje de funciones adecuado en función de los requisitos de su empresa y SLO", + "waf": "Fiabilidad" + }, + { + "checklist": "Azure Function Review", + "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", + "severity": "Alto", + "text": "Aproveche las zonas de disponibilidad cuando corresponda regionalmente (no disponible para el nivel de consumo)", + "waf": "Fiabilidad" + }, + { + "checklist": "Azure Function Review", + "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", 
+ "service": "Azure Functions", + "severity": "Medio", + "text": "Considere la posibilidad de una estrategia de recuperación ante desastres entre regiones para cargas de trabajo críticas", + "waf": "Fiabilidad" + }, + { + "checklist": "Azure Function Review", + "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Azure Functions", + "severity": "Alto", + "text": "Si se implementa en un entorno aislado, use o migre a App Service Environment (ASE) v3", + "waf": "Fiabilidad" + }, + { + "checklist": "Azure Function Review", + "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "Azure Functions", + "severity": "Alto", + "text": "Asegúrese de que \"Siempre activado\" esté habilitado para todas las aplicaciones de funciones que se ejecutan en el plan de App Service", + "waf": "Fiabilidad" + }, + { + "checklist": "Azure Function Review", + "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", + "service": "Azure Functions", + "severity": "Medio", + "text": "Empareje una aplicación de funciones con su propia cuenta de almacenamiento. 
Intente no volver a usar las cuentas de almacenamiento para las aplicaciones de funciones a menos que estén estrechamente acopladas", + "waf": "Fiabilidad" + }, + { + "checklist": "Azure Function Review", + "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "Azure Functions", + "severity": "Medio", + "text": "Aproveche Azure DevOps o GitHub para optimizar la CI/CD y proteger el código de la aplicación de funciones", + "waf": "Operaciones" } ], "metadata": { "name": "WAF checklist", - "timestamp": "June 17, 2024" + "timestamp": "June 24, 2024" }, "severities": [ { diff --git a/checklists/waf_checklist.ja.json b/checklists/waf_checklist.ja.json index 5268acb5d..63c89fe2f 100644 --- a/checklists/waf_checklist.ja.json +++ b/checklists/waf_checklist.ja.json 
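Review bot: The `training` URLs on the new Event Hubs security items in this hunk do not match the recommendation they are attached to: the customer-managed-key item (guid `7aaf12e7-b94e-4f6e-847d-2d92981b1cd6`) links a conditional-access module, the minimum-TLS item (`d2f54b29-769e-43a6-a0e7-828ac936657e`) an MFA module, and the managed-identity, least-privilege RBAC, logging, private-endpoint and IP-firewall items link PIM, identity-types, manage-identity-and-access and resource-management modules. These look like training links carried over from an identity checklist into the Event Hubs rows, so a reader following them from a data-plane hardening item lands on unrelated material. Because this file is emitted by the automated translation job, the fix belongs in the master checklist, either by pointing each `training` value at an Event Hubs-specific module or by omitting the key where none exists. Separately, the item text `Aproveche el Manual de Resiliencia de los TLC` appears to have translated the acronym that the linked URL spells `fta` into `TLC`, and that `link` is a `.docx` on GitHub rather than a documentation page; both are worth checking in the English source before the next regeneration.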
@@ -1,469 +1,410 @@ { "items": [ { - "checklist": "Cognitive Search Review Checklist", - "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", - "severity": "高い", - "text": "2 つのレプリカで読み取り操作の可用性を 99.9% にする", + "checklist": "Azure Bot Service", + "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", + "service": "Bot service", + "severity": "中程度", + "text": "Azure Bot Service の信頼性サポートの推奨事項に従う", "waf": "確実" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", + "checklist": "Azure Bot Service", + "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", + "service": "Bot service", "severity": "中程度", - "text": "3 つのレプリカで読み取り/書き込み操作の可用性を 99.9% に向上させる", + "text": "ローカル データ所在地とリージョン コンプライアンスを備えたボットのデプロイ", "waf": "確実" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", - "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", - "service": "Cognitive Search", - "severity": "高い", - "text": "読み取りレプリカや書き込みレプリカを有効にすることでアベイラビリティーゾーンを活用する", + "checklist": "Azure Bot Service", + "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", + "service": "Bot service", + "severity": "中程度", + "text": "Azure Bot Service は、グローバル サービスとリージョン サービスの両方に対してアクティブ/アクティブ モードで実行されます。停止が発生した場合、エラーを検出したり、サービスを管理したりする必要はありません。Azure Bot Service は、複数リージョンの地理的アーキテクチャで自動フェールオーバーと自動復旧を自動的に実行します。EU ボット リージョン サービスの場合、Azure Bot Service 
は、冗長性を確保するために、アクティブ/アクティブ レプリケーションを備えたヨーロッパ内の 2 つの完全なリージョンを提供します。グローバル ボット サービスの場合、使用可能なすべてのリージョン/地域をグローバル フットプリントとして提供できます。", "waf": "確実" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", - "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", - "service": "Cognitive Search", - "severity": "中程度", - "text": "リージョンの冗長性については、地理的リージョン間で検索インデックスをレプリケートする自動化された方法が提供されないため、検索用に 2 つ以上のリージョンにサービスを手動で作成します", + "checklist": "Logic Apps checklist", + "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", + "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", + "service": "Logic Apps", + "severity": "高い", + "text": "ビジネスと SLO の要件に基づいて適切なロジック アプリのホスティング プランを選択する", "waf": "確実" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", - "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", - "service": "Cognitive Search", - "severity": "中程度", - "text": "複数のサービス間でデータを同期するには、複数のサービスでコンテンツを更新するためにインデクサーを使用するか、複数のサービスでコンテンツの更新をプッシュするために REST API を使用する", + "checklist": "Logic Apps checklist", + "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", + "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "Logic Apps", + "severity": "高い", + "text": "ゾーンの冗長性と可用性ゾーンを使用してリージョンの障害からロジック アプリを保護する", "waf": "確実" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", - "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", - "service": "Cognitive Search", - "severity": "中程度", - "text": "Azure Traffic Manager を使用して要求を調整する", + "checklist": "Logic Apps checklist", + "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", + "link": 
"https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Logic Apps", + "severity": "高い", + "text": "重要なワークロードに対するリージョン間 DR 戦略を検討する", "waf": "確実" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", - "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", - "service": "Cognitive Search", + "checklist": "Logic Apps checklist", + "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", + "link": "https://learn.microsoft.com/azure/app-service/environment/intro", + "service": "Logic Apps", "severity": "高い", - "text": "Azure Cognitive Search インデックスをバックアップおよび復元します。このサンプル コードを使用して、インデックス定義とスナップショットを一連の Json ファイルにバックアップします", + "text": "分離環境にデプロイする場合は、App Service Environment (ASE) v3 を使用するか、それらに移行します", "waf": "確実" }, { - "checklist": "Cost Optimization Checklist", - "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", - "service": "Azure Monitor", - "text": "Azure Monitor のデータ収集ルール - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "費用" + "checklist": "Logic Apps checklist", + "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", + "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", + "service": "Logic Apps", + "severity": "中程度", + "text": "Azure DevOps または GitHub を活用して CI/CD を合理化し、ロジック アプリ コードを保護", + "waf": "オペレーションズ" }, { - "checklist": "Cost Optimization Checklist", - "guid": "45901365-d38e-443f-abcb-d868266abca2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Azure Backup", - "text": 
"基になるデータソースが見つからないバックアップインスタンスを確認する", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "ストレージに関連する Microsoft クラウド セキュリティ ベンチマークのガイダンスを適用する", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Azure Storage", + "severity": "中程度", + "text": "\"ストレージの Azure セキュリティ ベースライン\" を検討する", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "VM", - "text": "関連づけられていないサービス(ディスク、NIC、IPアドレスなど)を削除またはアーカイブする", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "既定では、Azure Storage にはパブリック IP アドレスがあり、インターネットにアクセス可能です。プライベート エンドポイントを使用すると、アクセスが必要な Azure コンピューティング リソースにのみ Azure Storage を安全に公開できるため、パブリック インターネットへの露出を排除できます", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Azure Storage", + "severity": "高い", + "text": "Azure Storage にプライベート エンドポイントを使用することを検討する", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Azure Backup", - "text": "ミッション クリティカルでないアプリケーションの Site Recovery ストレージとバックアップのバランスを考慮する", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "新しく作成されたストレージ アカウントは、RBAC や監査などがすべて有効になるように、ARM デプロイ モデルを使用して作成されます。サブスクリプションにクラシック デプロイ モデルの古いストレージ アカウントがないことを確認する", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + 
"service": "Azure Storage", + "severity": "中程度", + "text": "古いストレージ アカウントで \"クラシック デプロイ モデル\" が使用されていないことを確認する", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", - "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", - "service": "Azure Monitor", - "text": "40 の異なるログ分析ワークスペース間で支出と節約の機会を確認する - 非運用ワークスペースに異なる保持とデータ収集を使用する - 認識と階層サイズ設定のための日次上限を作成する - 日次上限を設定する場合は、上限に達したときにアラートを作成するだけでなく、ある割合 (90% など) に達したときに通知されるアラート ルールも作成してください。- 可能であればワークスペースの変革を検討する - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "Microsoft Defender を活用して、不審なアクティビティや構成ミスについて学習します。", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Azure Storage", + "severity": "高い", + "text": "すべてのストレージ アカウントに対して Microsoft Defender を有効にする", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Azure Monitor", - "text": "ログのパージポリシーと自動化を適用する(必要に応じて、ログをコールドストレージに移動できます)", - "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "論理的な削除メカニズムを使用すると、誤って削除された BLOB を回復できます。", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Azure Storage", + "severity": "中程度", + "text": "BLOB の \"論理的な削除\" を有効にする", + "waf": "安全" }, { 
- "checklist": "Cost Optimization Checklist", - "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "VM", - "text": "ディスクが本当に必要かどうかを確認し、必要でない場合は削除します。必要な場合は、下位のストレージ階層を見つけるか、バックアップを使用します。", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "たとえば、機密性、プライバシー、コンプライアンス上の理由などから、削除された情報がすぐに削除されるようにアプリケーションで確認する必要がある場合など、特定の BLOB コンテナーに対して \"論理的な削除\" を選択的に無効にすることを検討してください。", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", + "severity": "中程度", + "text": "BLOB の '論理的な削除' を無効にする", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "d1e44a19-659d-4395-afd7-7289b835556d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Storage", - "text": "未使用のストレージを下位階層に移動し、カスタマイズされたルールを使用することを検討する - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "コンテナーの論理的な削除を使用すると、コンテナーが削除された後に回復できます (たとえば、偶発的な削除操作から回復します)。", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Azure Storage", + "severity": "高い", + "text": "コンテナーの \"論理的な削除\" を有効にする", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - 
"service": "VM", - "text": "advisor が VM の適切なサイズ設定用に構成されていることを確認する", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "たとえば、機密性、プライバシー、コンプライアンス上の理由などから、削除された情報がすぐに削除されるようにアプリケーションで確認する必要がある場合など、特定の BLOB コンテナーに対して \"論理的な削除\" を選択的に無効にすることを検討してください。", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", + "severity": "中程度", + "text": "コンテナーの \"論理的な削除\" を無効にする", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "description": "コスト分析でメーターカテゴリライセンスを検索して確認してください", - "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", - "service": "VM", - "text": "すべての Windows VM でスクリプトを実行する https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- Windows VM が頻繁に作成される場合は、ポリシーの実装を検討してください", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "削除前に削除ロックを最初に解除するようにユーザーに強制することで、ストレージ アカウントが誤って削除されないようにします", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", + "severity": "高い", + "text": "ストレージ アカウントでのリソース ロックの有効化", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "VM", - "text": "これは、すでにライセンスを持っている場合は、AHUBの下に置くこともできます https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "BLOB の \"訴訟ホールド\" または \"時間ベースの保持\" ポリシーを検討して、BLOB、コンテナー、またはストレージ 
アカウントを削除できないようにします。「不可能」は実際には「不可能」を意味することに注意してください。ストレージ アカウントに不変の BLOB が含まれる場合、そのストレージ アカウントを \"取り除く\" 唯一の方法は、Azure サブスクリプションを取り消すことです。", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Azure Storage", + "severity": "高い", + "text": "不変の BLOB を検討する", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "VM", - "text": "予約済み VM ファミリを柔軟性オプションで統合する (4 から 5 ファミリ以下)", - "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "ストレージ アカウントへの保護されていない HTTP/80 アクセスを無効にして、すべてのデータ転送が暗号化され、整合性が保護され、サーバーが認証されるようにすることを検討してください。", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Azure Storage", + "severity": "高い", + "text": "HTTPS を要求する (つまり、ストレージ アカウントのポート 80 を無効にする)", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", - "service": "VM", - "text": "Azure 予約インスタンスを利用する: この機能を使用すると、VM を 1 年または 3 年間予約できるため、PAYG 価格と比較して大幅なコスト削減が実現します。", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "ストレージ アカウントでカスタム ドメイン (ホスト名) を構成する場合は、TLS/HTTPS が必要かどうかを確認します。その場合は、ストレージ アカウントの前に Azure CDN を配置する必要があります。", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Azure Storage", + "severity": "高い", + "text": "HTTPS を適用する (HTTP 
を無効にする) 場合は、ストレージ アカウントにカスタム ドメイン (CNAME) を使用していないことを確認します。", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", - "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", - "service": "VM", - "text": "より大きなディスクのみ予約できます => 1 TiB -", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "クライアントが SAS トークンを使用して BLOB データにアクセスするときに HTTPS を要求すると、資格情報が失われるリスクを最小限に抑えることができます。", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": "Azure Storage", + "severity": "中程度", + "text": "Shared Access Signature (SAS) トークンを HTTPS 接続のみに制限する", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", - "service": "VM", - "text": "適切なサイズ最適化の後", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "AAD トークンは、可能な限り、共有アクセス署名よりも優先する必要があります", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Azure Storage", + "severity": "高い", + "text": "BLOB アクセスに Azure Active Directory (Azure AD) トークンを使用する", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Azure SQL", - "text": "該当するかどうかを確認し、ポリシー/変更 https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations を適用します", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": 
"ユーザー、グループ、またはアプリケーションにロールを割り当てる場合は、タスクの実行に必要なアクセス許可のみをセキュリティ プリンシパルに付与します。リソースへのアクセスを制限することで、意図しないデータの誤用と悪意のあるデータの誤用の両方を防ぐことができます。", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Azure Storage", + "severity": "中程度", + "text": "IaM アクセス許可の最小特権", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "VM", - "text": "VM +ライセンス部分の割引(ahub + 3YRI)は約70%の割引です", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "ユーザー委任 SAS は、Azure Active Directory (Azure AD) 資格情報と、SAS に指定されたアクセス許可によってセキュリティで保護されます。ユーザー委任 SAS は、そのスコープと機能の点でサービス SAS に似ていますが、サービス SAS よりもセキュリティ上の利点があります。", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Azure Storage", + "severity": "高い", + "text": "SAS を使用する場合は、ストレージ アカウント キー ベースの SAS よりも \"ユーザー委任 SAS\" を優先します。", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "VM", - "text": "需要に合わせて、フラットなサイジングではなく、VMSS の使用を検討してください", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "ストレージ アカウント キー (\"共有キー\") には、監査機能がほとんどありません。誰がいつキーのコピーを取得したかを監視できますが、キーが複数の人の手に渡ると、使用状況を特定のユーザーに帰属させることは不可能です。AAD 認証のみに依存することで、ストレージへのアクセスをユーザーに結び付けやすくなります。", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Azure Storage", + "severity": "高い", + "text": "ストレージ アカウント キーを無効にして、AAD アクセス (およびユーザー委任 SAS) のみがサポートされるようにすることを検討してください。", + "waf": "安全" }, { - "arm-service": 
"microsoft.containerservice/managedClusters", - "checklist": "Cost Optimization Checklist", - "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "AKS", - "text": "AKS オートスケーラーを使用してクラスターの使用量に一致させる (ポッドの要件がスケーラーと一致していることを確認する)", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "アクティビティ ログ データを使用して、ストレージ アカウントのセキュリティ (ストレージ アカウント キー、アクセス ポリシーなど) が \"いつ、誰が、何を、\"どのように\" 表示または変更されているかを特定します。", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Azure Storage", + "severity": "高い", + "text": "Azure Monitor を使用して、ストレージ アカウントに対するコントロール プレーン操作を監査することを検討してください", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Azure Backup", - "text": "該当する場合は、復旧ポイントを vault-archive に移動します (検証)", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "キーの有効期限ポリシーを使用すると、アカウントアクセスキーのローテーションのリマインダーを設定できます。リマインダーは、指定した間隔が経過し、キーがまだローテーションされていない場合に表示されます。", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Azure Storage", + "severity": "中程度", + "text": "ストレージ アカウント キーを使用する場合は、\"キーの有効期限ポリシー\" を有効にすることを検討してください", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", - "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", - "service": "Databricks", - "text": 
"可能な場合は、フォールバックでスポット VM を使用することを検討してください。クラスターの自動終了を検討してください。", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "SAS 有効期限ポリシーでは、SAS が有効である推奨間隔を指定します。SAS 有効期限ポリシーは、サービス SAS またはアカウント SAS に適用されます。ユーザーがサービス SAS またはアカウント SAS を、推奨間隔よりも長い有効期間で生成すると、警告が表示されます。", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Azure Storage", + "severity": "中程度", + "text": "SAS 有効期限ポリシーの構成を検討する", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", - "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", - "service": "Azure Functions", - "text": "関数 - 接続の再利用", - "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "保存されているアクセス ポリシーを使用すると、ストレージ アカウント キーを再生成することなく、サービス SAS のアクセス許可を取り消すことができます。", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Azure Storage", + "severity": "中程度", + "text": "保存されているアクセス ポリシーに SAS をリンクすることを検討する", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", - "link": "https://learn.microsoft.com/azure/automation/update-management/overview", - "service": "Azure Functions", - "text": "関数 - データをローカルにキャッシュする", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Azure Storage", + 
"severity": "中程度", + "text": "チェックインされた接続文字列とストレージ アカウント キーを検出するようにアプリケーションのソース コード リポジトリを構成することを検討してください。", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Azure Functions", - "text": "関数 - コールド スタート - 「パッケージから実行」機能を使用します。このようにして、コードは単一のzipファイルとしてダウンロードされます。これにより、たとえば、多くのノードモジュールを持つJavascript関数が大幅に改善される可能性があります。言語固有のツールを使用してパッケージサイズを縮小します (ツリーを揺るがす Javascript アプリケーションなど)。", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "理想的には、アプリケーションでマネージド ID を使用して Azure Storage に対する認証を行う必要があります。それが不可能な場合は、ストレージ資格情報 (接続文字列、ストレージ アカウント キー、SAS、サービス プリンシパル資格情報) を Azure KeyVault または同等のサービスに用意することを検討してください。", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Azure Storage", + "severity": "高い", + "text": "接続文字列を Azure KeyVault に格納することを検討する (マネージド ID が不可能なシナリオの場合)", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "Azure Functions", - "text": "関数 - 関数を暖かく保つ", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "アドホック SAS サービス SAS またはアカウント SAS で、有効期限が近づいています。このように、SAS が侵害された場合でも、有効期間は短時間です。この方法は、保存されているアクセス ポリシーを参照できない場合に特に重要です。また、有効期限が近いと、BLOB にアップロードできる時間が制限されるため、BLOB に書き込めるデータの量も制限されます。", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", + "severity": 
"高い", + "text": "アドホックSASの有効期間を短くする", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Azure Functions", - "text": "さまざまな関数で自動スケーリングを使用する場合、すべてのリソースのすべての自動スケーリングを駆動する 1 つが存在する可能性があるため、別の従量課金プランに移行することを検討してください (また、CPU のより高いプランを検討してください)", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "SAS を作成するときは、できるだけ具体的かつ制限的にしてください。1 つのリソースと操作には、より広範なアクセスを提供する SAS よりも SAS を優先します。", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", + "severity": "中程度", + "text": "SAS に狭いスコープを適用する", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", - "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", - "service": "Azure Functions", - "text": "特定のプランの関数アプリはすべて一緒にスケーリングされるため、スケーリングに関する問題はプラン内のすべてのアプリに影響を与える可能性があります。", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "SAS には、SAS を使用してリソースを要求する権限をクライアント IP アドレスまたはアドレス範囲に与えるパラメーターを含めることができます。", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Azure Storage", + "severity": "中程度", + "text": "可能な限り、SAS のスコープを特定のクライアント IP アドレスに設定することを検討してください", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", - "service": "Azure Functions", - "text": "「待機時間」に対して請求されますか?この質問は、通常、非同期操作を実行して結果を待機する C# 関数のコンテキストで尋ねられます (例: await Task.Delay(1000) や await client)。GetAsync('http://google.com') です。答えはイエスです-GB秒の計算は、関数の開始時刻と終了時刻、およびその期間のメモリ使用量に基づいています。その間に CPU 
アクティビティに関して実際に何が起こるかは、計算には考慮されません。この規則の 1 つの例外は、永続関数を使用している場合です。オーケストレーター関数で待機に費やされた時間に対しては課金されません。可能な場合は、デマンド シェーピング技術を適用します (開発環境?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "SAS は、クライアントがアップロードするデータの量を制限できません。時間の経過に伴うストレージ容量の価格モデルを考えると、クライアントが悪意を持って大きなコンテンツをアップロードしたかどうかを検証することは理にかなっているかもしれません。", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Azure Storage", + "severity": "低い", + "text": "クライアントが SAS を使用してファイルをアップロードした後、アップロードされたデータを確認することを検討してください。", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Front Door", - "text": "Frontdoor - 既定のホームページをオフにするアプリのアプリケーション設定で、AzureWebJobsDisableHomepage を true に設定します。これにより、PoPに204(No Content)が返されるため、ヘッダーデータのみが返されます。", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "\"ローカル ユーザー アカウント\" を使用して SFTP 経由で BLOB ストレージにアクセスする場合、\"通常の\" RBAC 制御は適用されません。NFS または REST 経由の BLOB アクセスは、SFTP アクセスよりも制限が厳しい場合があります。残念ながら、2023 年初頭の時点で、SFTP エンドポイントで現在サポートされている ID 管理の形式はローカル ユーザーだけです", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Azure Storage", + "severity": "高い", + "text": "SFTP: SFTPアクセスの「ローカルユーザー」の数を制限し、時間の経過とともにアクセスが必要かどうかを監査します。", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Front Door", - "text": "Frontdoor - 何も返さないものへのルーティング。関数、関数プロキシを設定するか、200 (OK) を返し、コンテンツを送信しない、または最小限のコンテンツを送信 するルートを Web アプリに追加します。これの利点は、呼び出されたときにログアウトできることです。", - "waf": "費用" + "checklist": "Azure Blob 
Storage Review", + "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Azure Storage", + "severity": "中程度", + "text": "SFTP: SFTP エンドポイントは、POSIX ライクな ACL をサポートしていません。", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", - "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", - "service": "Storage", - "text": "使用頻度の低いデータの階層のアーカイブを検討する", - "waf": "費用" - }, - { - "checklist": "Cost Optimization Checklist", - "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "VM", - "text": "サイズが階層と一致しない場合は、ディスク サイズを確認します (つまり、513 GiB のディスクは P30 (1TiB) を支払います) と、サイズ変更を検討してください", - "waf": "費用" - }, - { - "checklist": "Cost Optimization Checklist", - "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "Storage", - "text": "可能な場合は、Premium や Ultra ではなく Standard SSD の使用を検討してください", - "waf": "費用" - }, - { - "checklist": "Cost Optimization Checklist", - "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "Storage", - "text": "ストレージ アカウントの場合は、選択したレベルによってトランザクション料金が加算されていないことを確認します (次のレベルに移動する方が安くなる可能性があります)", - "waf": "費用" - }, - { - "checklist": "Cost Optimization Checklist", - "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "Site Recovery", - "text": "ASR の場合、RPO/RTO とレプリケーション スループットで許可されている場合は、Standard SSD ディスクの使用を検討してください", - "waf": "費用" - }, - { - "checklist": "Cost Optimization 
Checklist", - "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", - "service": "Storage", - "text": "ストレージ アカウント: 必要なホット層や GRS を確認する", - "waf": "費用" - }, - { - "checklist": "Cost Optimization Checklist", - "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "VM", - "text": "ディスク - あらゆる場所で Premium SSD ディスクの使用を検証: たとえば、非運用環境を Standard SSD またはオンデマンド Premium SSD にスワップできます", - "waf": "費用" - }, - { - "checklist": "Cost Optimization Checklist", - "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "Synapse", - "text": "予算を作成してコストを管理し、支出の異常や過剰支出のリスクを関係者に自動的に通知するアラートを作成します。", - "waf": "費用" - }, - { - "checklist": "Cost Optimization Checklist", - "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "Synapse", - "text": "追加のデータ分析のために、コスト データをストレージ アカウントにエクスポートします。", - "waf": "費用" - }, - { - "checklist": "Cost Optimization Checklist", - "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Synapse", - "text": "専用 SQL プールのコストを制御するには、リソースが使用されていないときに一時停止します。", - "waf": "費用" - }, - { - "checklist": "Cost Optimization Checklist", - "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", - "service": "Synapse", - "text": "サーバーレス Apache Spark の自動一時停止機能を有効にし、それに応じてタイムアウト値を設定します。", - "waf": "費用" - }, - { - "checklist": "Cost Optimization Checklist", - "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Synapse", - "text": 
"さまざまなサイズの複数の Apache Spark プール定義を作成します。", - "waf": "費用" - }, - { - "checklist": "Cost Optimization Checklist", - "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", - "service": "Synapse", - "text": "Azure Synapse Analytics のコストを節約するために、事前購入プランで Azure Synapse コミット ユニット (SCU) を 1 年間購入します。", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "費用" - }, - { - "checklist": "Cost Optimization Checklist", - "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "VM", - "text": "中断可能なジョブにスポット VM を使用する: これらは、割引価格で入札および購入できる VM であり、重要でないワークロードにコスト効率の高いソリューションを提供します。", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "ストレージは、CORS (Cross-Origin Resource Sharing)、つまり、異なるドメインの Web アプリが同一生成元ポリシーを緩めることを可能にする HTTP 機能をサポートしています。CORS を有効にする場合は、CorsRules を最小の特権に保ちます。", + "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Azure Storage", + "severity": "高い", + "text": "過度に広範な CORS ポリシーを避ける", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "544451e1-92d3-4442-a3c7-628637a551c5", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", - "text": "すべての VM の適切なサイズ設定", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "保存データは常にサーバー側で暗号化され、さらにクライアント側でも暗号化される場合があります。サーバー側の暗号化は、プラットフォーム マネージド キー (既定) またはカスタマー マネージド キーを使用して行われる場合があります。クライアント側の暗号化は、クライアントが BLOB ごとに暗号化/暗号化解除キーを Azure Storage 
に提供するか、クライアント側で暗号化を完全に処理することによって行われます。そのため、機密性の保証を Azure Storage にまったく依存しません。", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Azure Storage", + "severity": "高い", + "text": "保存データの暗号化方法を決定します。データのスレッド モデルを理解します。", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "VM", - "text": "正規化されたサイズと最新のサイズでサイズをスワップする VM", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Azure Storage", + "severity": "中程度", + "text": "どのプラットフォーム暗号化を使用するか、または使用するかを決定します。", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "VM の適切なサイズ設定 - 使用率を 5% 未満で監視することから始めて、その後 40% まで作業します", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Azure Storage", + "severity": "中程度", + "text": "クライアント側の暗号化を使用するかどうかを決定します。", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": 
"アプリケーションをコンテナー化すると、VM の密度が向上し、スケーリングにかかるコストを節約できます", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "費用" + "checklist": "Azure Blob Storage Review", + "description": "Resource Graph エクスプローラー (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) を利用して、匿名 BLOB アクセスを許可するストレージ アカウントを検索します。", + "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Azure Storage", + "severity": "高い", + "text": "パブリック BLOB アクセスが必要かどうか、または特定のストレージ アカウントに対して無効にできるかどうかを検討します。", + "waf": "安全" }, { "checklist": "Redis Resiliency checklist", 
@@ -1952,3434 +1893,3229 @@ "waf": "安全" }, { - "checklist": "Logic Apps checklist", - "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", - "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", - "service": "Logic Apps", - "severity": "高い", - "text": "ビジネスと SLO の要件に基づいて適切なロジック アプリのホスティング プランを選択する", - "waf": "確実" + "checklist": "Cost Optimization Checklist", + "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", + "service": "Azure Monitor", + "text": "Azure Monitor のデータ収集ルール - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "費用" }, { - "checklist": "Logic Apps checklist", - "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", - "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "Logic Apps", - "severity": "高い", - "text": "ゾーンの冗長性と可用性ゾーンを使用してリージョンの障害からロジック アプリを保護する", - "waf": "確実" + "checklist": "Cost Optimization Checklist", + "guid": "45901365-d38e-443f-abcb-d868266abca2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Azure Backup", + "text": "基になるデータソースが見つからないバックアップインスタンスを確認する", + "waf": "費用" }, { - "checklist": "Logic Apps checklist", - "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", - "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Logic Apps", - "severity": "高い", - "text": "重要なワークロードに対するリージョン間 DR 戦略を検討する", - "waf": "確実" + "checklist": "Cost Optimization Checklist", + "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "VM", + "text": "関連づけられていないサービス(ディスク、NIC、IPアドレスなど)を削除またはアーカイブする", + "waf": "費用" }, { - "checklist": "Logic Apps checklist", - "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", - "link": "https://learn.microsoft.com/azure/app-service/environment/intro", - "service": "Logic Apps", - "severity": "高い", - "text": "分離環境にデプロイする場合は、App Service Environment (ASE) v3 を使用するか、それらに移行します", - "waf": "確実" + "checklist": "Cost Optimization Checklist", + "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Azure Backup", + "text": "ミッション クリティカルでないアプリケーションの Site Recovery ストレージとバックアップのバランスを考慮する", + "waf": "費用" }, { - "checklist": "Logic Apps checklist", - "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", - "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", - "service": "Logic Apps", - "severity": "中程度", - "text": "Azure DevOps または GitHub を活用して CI/CD を合理化し、ロジック アプリ コードを保護", - "waf": "オペレーションズ" + "checklist": "Cost Optimization Checklist", + "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", + "service": "Azure Monitor", + "text": "40 の異なるログ分析ワークスペース間で支出と節約の機会を確認する - 非運用ワークスペースに異なる保持とデータ収集を使用する - 認識と階層サイズ設定のための日次上限を作成する - 日次上限を設定する場合は、上限に達したときにアラートを作成するだけでなく、ある割合 (90% など) に達したときに通知されるアラート ルールも作成してください。- 可能であればワークスペースの変革を検討する - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", + "waf": "費用" }, { - "checklist": "Azure Data Factory Review Checklist", - "guid": 
"ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", - "service": "Azure Data Factory", - "severity": "中程度", - "text": "Azure Data Factory の FTA 回復性プレイブックの活用", - "waf": "確実" + "checklist": "Cost Optimization Checklist", + "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Azure Monitor", + "text": "ログのパージポリシーと自動化を適用する(必要に応じて、ログをコールドストレージに移動できます)", + "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", + "waf": "費用" }, { - "checklist": "Azure Data Factory Review Checklist", - "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", - "severity": "高い", - "text": "Availability Zones をサポートするリージョンでゾーン冗長パイプラインを使用するUse zone redundant pipelines in regions that support Availability Zones", - "waf": "確実" + "checklist": "Cost Optimization Checklist", + "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "VM", + "text": "ディスクが本当に必要かどうかを確認し、必要でない場合は削除します。必要な場合は、下位のストレージ階層を見つけるか、バックアップを使用します。", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", + "waf": "費用" }, { - "checklist": "Azure Data Factory Review Checklist", - "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", - "link": "https://learn.microsoft.com/azure/data-factory/source-control", - "service": "Azure Data Factory", - "severity": "中程度", - "text": "DevOps を使用して Github と Azure DevOps の統合で ARM テンプレートをバックアップする", - "waf": "確実" + "checklist": "Cost Optimization Checklist", + "guid": 
"d1e44a19-659d-4395-afd7-7289b835556d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Storage", + "text": "未使用のストレージを下位階層に移動し、カスタマイズされたルールを使用することを検討する - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "waf": "費用" }, { - "checklist": "Azure Data Factory Review Checklist", - "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", - "severity": "中程度", - "text": "セルフホステッド統合ランタイム VM を別のリージョンにレプリケートしてください", - "waf": "確実" + "checklist": "Cost Optimization Checklist", + "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "VM", + "text": "advisor が VM の適切なサイズ設定用に構成されていることを確認する", + "waf": "費用" }, { - "checklist": "Azure Data Factory Review Checklist", - "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", - "severity": "中程度", - "text": "必ず、姉妹リージョンでネットワークをレプリケートまたは複製してください。別のリージョンに VNet のコピーを作成する必要があります", - "waf": "確実" + "checklist": "Cost Optimization Checklist", + "description": "コスト分析でメーターカテゴリライセンスを検索して確認してください", + "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", + "service": "VM", + "text": "すべての Windows VM でスクリプトを実行する https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- Windows VM が頻繁に作成される場合は、ポリシーの実装を検討してください", + 
"waf": "費用" }, { - "checklist": "Azure Data Factory Review Checklist", - "description": "ADF パイプラインで Key Vault が使用されている場合は、Key Vault をレプリケートするために何もする必要はありません。Key Vault はマネージド サービスであり、Microsoft が処理します", - "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Azure Data Factory", - "severity": "低い", - "text": "Keyvault 統合を使用している場合は、Keyvault の SLA を使用して可用性を把握します", - "waf": "確実" + "checklist": "Cost Optimization Checklist", + "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "VM", + "text": "これは、すでにライセンスを持っている場合は、AHUBの下に置くこともできます https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", + "waf": "費用" }, { - "checklist": "Azure Landing Zone Review", - "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", - "service": "Entra", - "severity": "中程度", - "text": "マルチテナントに関する明確な規制要件またはビジネス要件がない限り、Azure リソースの管理には 1 つの Entra テナントを使用します。", - "waf": "オペレーションズ" + "checklist": "Cost Optimization Checklist", + "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "VM", + "text": "予約済み VM ファミリを柔軟性オプションで統合する (4 から 5 ファミリ以下)", + "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", + "waf": "費用" }, { - "checklist": "Azure Landing Zone Review", - "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Entra", - "severity": "低い", - "text": "Microsoft 
Entra ID テナントを管理するためのマルチテナント自動化アプローチがあることを確認する", - "waf": "オペレーションズ" + "checklist": "Cost Optimization Checklist", + "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", + "service": "VM", + "text": "Azure 予約インスタンスを利用する: この機能を使用すると、VM を 1 年または 3 年間予約できるため、PAYG 価格と比較して大幅なコスト削減が実現します。", + "waf": "費用" }, { - "checklist": "Azure Landing Zone Review", - "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "Entra", - "severity": "低い", - "text": "マルチテナント管理に Azure Lighthouse を活用する", - "waf": "オペレーションズ" + "checklist": "Cost Optimization Checklist", + "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", + "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", + "service": "VM", + "text": "より大きなディスクのみ予約できます => 1 TiB -", + "waf": "費用" }, { - "checklist": "Azure Landing Zone Review", - "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Entra", - "severity": "中程度", - "text": "パートナーによるテナントの管理に Azure Lighthouse が使用されていることを確認する", + "checklist": "Cost Optimization Checklist", + "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", + "service": "VM", + "text": "適切なサイズ最適化の後", "waf": "費用" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "348ef254-c27d-442e-abba-c7571559ab91", - "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", - "service": "Entra", - "severity": "高い", - "text": "クラウド運用モデルに合わせた RBAC 
モデルを適用します。管理グループとサブスクリプション全体のスコープと割り当てを行います。", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Azure SQL", + "text": "該当するかどうかを確認し、ポリシー/変更 https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations を適用します", + "waf": "費用" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", - "service": "Entra", - "severity": "高い", - "text": "すべてのアカウントの種類で、認証の種類である職場または学校アカウントのみを使用します。Microsoft アカウントの使用は避けてください", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "VM", + "text": "VM +ライセンス部分の割引(ahub + 3YRI)は約70%の割引です", + "waf": "費用" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "Entra", - "severity": "中程度", - "text": "アクセス許可の割り当てには、グループのみを使用します。グループ管理システムが既に導入されている場合は、オンプレミス グループを Entra ID のみのグループに追加します。", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": 
"ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "VM", + "text": "需要に合わせて、フラットなサイジングではなく、VMSS の使用を検討してください", + "waf": "費用" }, { - "checklist": "Azure Landing Zone Review", - "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", - "service": "Entra", - "severity": "低い", - "text": "Azure 環境に対する権限を持つすべてのユーザーに Microsoft Entra ID 条件付きアクセス ポリシーを適用する", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Cost Optimization Checklist", + "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "AKS", + "text": "AKS オートスケーラーを使用してクラスターの使用量に一致させる (ポッドの要件がスケーラーと一致していることを確認する)", + "waf": "費用" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", - "service": "Entra", - "severity": "高い", - "text": "Azure 環境に対する権限を持つすべてのユーザーに多要素認証を適用する", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Azure Backup", + "text": "該当する場合は、復旧ポイントを vault-archive に移動します (検証)", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "費用" }, { - "checklist": "Azure Landing Zone Review", - "guid": "14658d35-58fd-4772-99b8-21112df27ee4", - "link": 
"https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "Entra", - "severity": "中程度", - "text": "Microsoft Entra ID Privileged Identity Management (PIM) を適用して、ゼロの永続的なアクセスと最小限の特権を確立します", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", + "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", + "service": "Databricks", + "text": "可能な場合は、フォールバックでスポット VM を使用することを検討してください。クラスターの自動終了を検討してください。", + "waf": "費用" }, { - "checklist": "Azure Landing Zone Review", - "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", - "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", - "service": "Entra", - "severity": "中程度", - "text": "Active Directory ドメイン サービスから Entra ドメイン サービスへの切り替えを計画している場合は、すべてのワークロードの互換性を評価します", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", + "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", + "service": "Azure Functions", + "text": "関数 - 接続の再利用", + "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", + "waf": "費用" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", - "service": "Entra", - "severity": "中程度", - "text": "Microsoft Entra ID ログをプラットフォーム中心の Azure Monitor と統合します。Azure Monitor を使用すると、Azure のログと監視データに関する信頼できる唯一の情報源が得られ、ログの収集と保持に関する要件を満たすクラウド ネイティブ オプションが組織に提供されます。", - "waf": "安全" + 
"checklist": "Cost Optimization Checklist", + "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", + "link": "https://learn.microsoft.com/azure/automation/update-management/overview", + "service": "Azure Functions", + "text": "関数 - データをローカルにキャッシュする", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", + "waf": "費用" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "984a859c-773e-47d2-9162-3a765a917e1f", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", - "service": "Entra", - "severity": "高い", - "text": "テナント全体のアカウント ロックアウトを防ぐために、緊急アクセスまたは非常用アカウントを実装する", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Azure Functions", + "text": "関数 - コールド スタート - 「パッケージから実行」機能を使用します。このようにして、コードは単一のzipファイルとしてダウンロードされます。これにより、たとえば、多くのノードモジュールを持つJavascript関数が大幅に改善される可能性があります。言語固有のツールを使用してパッケージサイズを縮小します (ツリーを揺るがす Javascript アプリケーションなど)。", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "費用" }, { - "checklist": "Azure Landing Zone Review", - "guid": "35037e68-9349-4c15-b371-228514f4cdff", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "Entra", - "severity": "中程度", - "text": "Microsoft Entra ID ロールの割り当てにオンプレミスの同期アカウントを使用しないでください。", - "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "Azure Functions", + "text": "関数 - 関数を暖かく保つ", + "training": 
"https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "費用" }, { - "checklist": "Azure Landing Zone Review", - "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Entra", - "severity": "中程度", - "text": "必要に応じて、Microsoft Entra ID アプリケーション プロキシを使用して、内部アプリケーション (クラウドまたはオンプレミスでホストされている) への安全で認証されたアクセスをリモート ユーザーに付与します。", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Azure Functions", + "text": "さまざまな関数で自動スケーリングを使用する場合、すべてのリソースのすべての自動スケーリングを駆動する 1 つが存在する可能性があるため、別の従量課金プランに移行することを検討してください (また、CPU のより高いプランを検討してください)", + "waf": "費用" }, { - "checklist": "Azure Landing Zone Review", - "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", - "service": "VNet", - "severity": "中程度", - "text": "従来のハブアンドスポーク ネットワーク トポロジに基づくネットワーク設計を、最大限の柔軟性を必要とするネットワーク シナリオに活用します。", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", + "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", + "service": "Azure Functions", + "text": "特定のプランの関数アプリはすべて一緒にスケーリングされるため、スケーリングに関する問題はプラン内のすべてのアプリに影響を与える可能性があります。", + "waf": "費用" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/expressroute", - "service": "VNet", - "severity": "高い", - "text": 
"ExpressRoute ゲートウェイ、VPN ゲートウェイ、Azure Firewall などの共有ネットワーク サービス、または中央ハブ仮想ネットワーク内のパートナーの NVA を確認します。必要に応じて、DNS サーバーも展開します。", + "checklist": "Cost Optimization Checklist", + "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", + "service": "Azure Functions", + "text": "「待機時間」に対して請求されますか?この質問は、通常、非同期操作を実行して結果を待機する C# 関数のコンテキストで尋ねられます (例: await Task.Delay(1000) や await client)。GetAsync('http://google.com') です。答えはイエスです-GB秒の計算は、関数の開始時刻と終了時刻、およびその期間のメモリ使用量に基づいています。その間に CPU アクティビティに関して実際に何が起こるかは、計算には考慮されません。この規則の 1 つの例外は、永続関数を使用している場合です。オーケストレーター関数で待機に費やされた時間に対しては課金されません。可能な場合は、デマンド シェーピング技術を適用します (開発環境?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", "waf": "費用" }, { - "checklist": "Azure Landing Zone Review", - "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "VNet", - "severity": "中程度", - "text": "アプリケーション ランディング ゾーン内のすべてのパブリック IP アドレスに対して DDoS ネットワークまたは IP 保護プランを使用します。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Front Door", + "text": "Frontdoor - 既定のホームページをオフにするアプリのアプリケーション設定で、AzureWebJobsDisableHomepage を true に設定します。これにより、PoPに204(No Content)が返されるため、ヘッダーデータのみが返されます。", + "waf": "費用" }, { - "checklist": "Azure Landing Zone Review", - "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", - "severity": "中程度", - "text": "パートナー ネットワーク テクノロジまたは NVA をデプロイする場合は、パートナー ベンダーのガイダンスに従ってください", - "waf": "確実" + "checklist": "Cost Optimization Checklist", + "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Front Door", + "text": "Frontdoor - 何も返さないものへのルーティング。関数、関数プロキシを設定するか、200 (OK) を返し、コンテンツを送信しない、または最小限のコンテンツを送信 するルートを Web アプリに追加します。これの利点は、呼び出されたときにログアウトできることです。", + "waf": "費用" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", - "service": "ExpressRoute", - "severity": "低い", - "text": "ハブ アンド スポーク シナリオで ExpressRoute と VPN ゲートウェイ間の転送が必要な場合は、Azure Route Server を使用します。", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", + "service": "Storage", + "text": "使用頻度の低いデータの階層のアーカイブを検討する", + "waf": "費用" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", - "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", - "service": "ARS", - "severity": "低い", - "text": "Route Server を使用する場合は、Route Server サブネットに /27 プレフィックスを使用します。", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "VM", 
+ "text": "サイズが階層と一致しない場合は、ディスク サイズを確認します (つまり、513 GiB のディスクは P30 (1TiB) を支払います) と、サイズ変更を検討してください", + "waf": "費用" }, { - "checklist": "Azure Landing Zone Review", - "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", - "service": "VNet", - "severity": "中程度", - "text": "複数のハブ アンド スポーク トポロジを持つネットワーク アーキテクチャでは、ハブ VNet 間のグローバル仮想ネットワーク ピアリングを使用して、リージョンを相互に接続します。", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", - "waf": "パフォーマンス" + "checklist": "Cost Optimization Checklist", + "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "Storage", + "text": "可能な場合は、Premium や Ultra ではなく Standard SSD の使用を検討してください", + "waf": "費用" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", - "service": "VNet", - "severity": "中程度", - "text": "Azure Monitor for Networks を使用して、Azure 上のネットワークのエンド ツー エンドの状態を監視します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "waf": "オペレーションズ" + "checklist": "Cost Optimization Checklist", + "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "Storage", + "text": "ストレージ アカウントの場合は、選択したレベルによってトランザクション料金が加算されていないことを確認します (次のレベルに移動する方が安くなる可能性があります)", + "waf": "費用" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = 
(peeringcount < 450) | distinct id,compliant", - "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", - "severity": "中程度", - "text": "スポーク仮想ネットワークを中央ハブ仮想ネットワークに接続する場合は、ExpressRoute 経由でアドバタイズできるプレフィックスの最大数である VNet ピアリングの制限 (500) (1000) を考慮してください", - "waf": "確実" + "checklist": "Cost Optimization Checklist", + "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "Site Recovery", + "text": "ASR の場合、RPO/RTO とレプリケーション スループットで許可されている場合は、Standard SSD ディスクの使用を検討してください", + "waf": "費用" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", - "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", - "severity": "中程度", - "text": "ルート テーブルあたりのルート数の制限 (400) を考慮します。", - "waf": "確実" + "checklist": "Cost Optimization Checklist", + "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", + "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", + "service": "Storage", + "text": "ストレージ アカウント: 必要なホット層や GRS を確認する", + "waf": "費用" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = 
(properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", - "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", - "service": "VNet", - "severity": "高い", - "text": "VNet ピアリングを構成するときに [リモート仮想ネットワークへのトラフィックを許可する] 設定を使用します", - "waf": "確実" + "checklist": "Cost Optimization Checklist", + "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "VM", + "text": "ディスク - あらゆる場所で Premium SSD ディスクの使用を検証: たとえば、非運用環境を Standard SSD またはオンデマンド Premium SSD にスワップできます", + "waf": "費用" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", - "service": "ExpressRoute", - "severity": "中程度", - "text": "ExpressRoute Direct を使用している場合は、組織のルーターと MSEE 間のレイヤー 2 レベルでトラフィックを暗号化するために MACsec を構成します。この図は、この暗号化をフローで示しています。", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "Synapse", + "text": "予算を作成してコストを管理し、支出の異常や過剰支出のリスクを関係者に自動的に通知するアラートを作成します。", + "waf": "費用" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", - "service": "ExpressRoute", - "severity": "低い", - "text": "MACsec がオプションではないシナリオ (ExpressRoute Direct を使用しない場合など) では、VPN ゲートウェイを使用して、ExpressRoute プライベート ピアリング経由で IPsec トンネルを確立します。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": 
"35e33789-7e31-4c67-b68c-f6a62a119495", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "Synapse", + "text": "追加のデータ分析のために、コスト データをストレージ アカウントにエクスポートします。", + "waf": "費用" }, { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "558fd772-49b8-4211-82df-27ee412e7f98", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "ExpressRoute", - "severity": "高い", - "text": "Azure リージョンとオンプレミスの場所間で重複する IP アドレス空間が使用されていないことを確認します", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Synapse", + "text": "専用 SQL プールのコストを制御するには、リソースが使用されていないときに一時停止します。", + "waf": "費用" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", - "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", - "severity": "低い", - "text": "プライベート インターネットのアドレス割り当て範囲 (RFC 1918) の IP アドレスを使用します。", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": 
"e68a487c-dec4-4861-ac3b-c10ae77e26e4", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", + "service": "Synapse", + "text": "サーバーレス Apache Spark の自動一時停止機能を有効にし、それに応じてタイムアウト値を設定します。", + "waf": "費用" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", - "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", - "severity": "高い", - "text": "IP アドレス空間が無駄にならないようにし、不必要に大きな仮想ネットワーク (/16 など) を作成しないようにします", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "パフォーマンス" + "checklist": "Cost Optimization Checklist", + "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Synapse", + "text": "さまざまなサイズの複数の Apache Spark プール定義を作成します。", + "waf": "費用" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", - "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", - "service": "VNet", - "severity": "高い", - "text": "運用サイトと DR サイトで重複する IP アドレス範囲を使用しないでください。", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "確実" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", - "link": 
"https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", - "service": "DNS", - "severity": "中程度", - "text": "Azure での名前解決のみが必要な環境では、名前解決用の委任されたゾーン ('azure.contoso.com' など) を使用して解決に Azure プライベート DNS を使用します。", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "オペレーションズ" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", - "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", - "service": "DNS", - "severity": "中程度", - "text": "Azure とオンプレミスでの名前解決が必要な環境では、Azure DNS Private Resolver の使用を検討してください。", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", - "waf": "安全" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", - "service": "DNS", - "severity": "低い", - "text": "独自の DNS (Red Hat OpenShift など) を必要としてデプロイする特別なワークロードでは、優先 DNS ソリューションを使用する必要があります。", - "waf": "オペレーションズ" - }, - { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "614658d3-558f-4d77-849b-821112df27ee", - "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", - "service": "DNS", - "severity": "高い", - "text": "Azure DNS の自動登録を有効にすると、仮想ネットワーク内にデプロイされた仮想マシンの DNS レコードのライフサイクルが自動的に管理されます。", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "オペレーションズ" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", - "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", - "service": "Bastion", - "severity": "中程度", - "text": "Azure Bastion を使用してネットワークに安全に接続することを検討してください。", - "waf": "安全" - }, - { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where 
type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", - "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", - "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", - "service": "Bastion", - "severity": "中程度", - "text": "Azure Bastion は、サブネット /26 以上で使用します。", - "waf": "安全" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "WAF", - "severity": "中程度", - "text": "Azure Front Door と WAF ポリシーを使用して、ランディング ゾーンへの受信 HTTP/S 接続に対して Azure リージョン全体でグローバル保護を提供します。", + "checklist": "Cost Optimization Checklist", + "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "service": "Synapse", + "text": "Azure Synapse Analytics のコストを節約するために、事前購入プランで Azure Synapse コミット ユニット (SCU) を 1 年間購入します。", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "安全" + "waf": "費用" }, { - "checklist": "Azure Landing Zone Review", - "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", - "severity": "低い", - "text": "Azure Front Door と Azure Application Gateway を使用して HTTP/S アプリを保護する場合は、Azure Front Door で WAF ポリシーを使用します。Azure Application Gateway をロックダウンして、Azure Front Door からのトラフィックのみを受信するようにします。", + "checklist": "Cost Optimization Checklist", + "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", + "link": 
"https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "VM", + "text": "中断可能なジョブにスポット VM を使用する: これらは、割引価格で入札および購入できる VM であり、重要でないワークロードにコスト効率の高いソリューションを提供します。", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "安全" - }, - { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", - "severity": "高い", - "text": "WAF とその他のリバース プロキシは、受信 HTTP/S 接続に必要であり、ランディング ゾーン仮想ネットワーク内にデプロイし、保護してインターネットに公開しているアプリと共にデプロイします。", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "安全" - }, - { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", - "severity": "高い", - "text": "Azure DDoS ネットワークまたは IP Protection プランを使用して、仮想ネットワーク内のパブリック IP アドレス エンドポイントを保護します。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "安全" - }, - { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "b034c01e-110b-463a-b36e-e3346e57f225", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", - "service": "VNet", - "severity": "高い", - "text": "今後の破壊的変更の前に、ネットワーク送信トラフィックの構成と戦略を評価および確認します。2025 年 9 月 30 日に、新しいデプロイの既定の送信アクセスは廃止され、明示的なアクセス構成のみが許可されます", - "waf": "確実" - }, - { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", - "severity": "高い", - "text": "診断設定を追加して、保護されているすべてのパブリック IP アドレス (DDoS IP またはネットワーク保護) の DDoS 関連ログを保存します。", - "training": 
"https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "安全" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli", - "service": "ExpressRoute", - "severity": "中程度", - "text": "ExpressRoute を Azure へのプライマリ接続として使用する可能性を調査したことを確認します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "パフォーマンス" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "description": "AS パスのプリペンドと接続の重みを使用して、Azure からオンプレミスへのトラフィックに影響を与え、独自のルーターの全範囲の BGP 属性を使用して、オンプレミスから Azure へのトラフィックに影響を与えることができます。", - "guid": "f29812b2-363c-4efe-879b-599de0d5973c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", - "service": "ExpressRoute", - "severity": "中程度", - "text": "複数の ExpressRoute 回線、または複数のオンプレミスの場所を使用する場合、特定のパスが優先される場合は、BGP 属性を使用してルーティングを最適化してください。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "確実" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", - "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", - "service": "ExpressRoute", - "severity": "中程度", - "text": "帯域幅とパフォーマンスの要件に基づいて、ExpressRoute/VPN ゲートウェイに適切な SKU を使用していることを確認します。", 
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "パフォーマンス" - }, - { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", - "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", - "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", - "service": "ExpressRoute", - "severity": "高い", - "text": "無制限のデータ ExpressRoute 回線は、コストに見合った帯域幅に達した場合にのみ使用してください。", "waf": "費用" }, { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", - "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", - "service": "ExpressRoute", - "severity": "高い", - "text": "回線のピアリングの場所がローカル SKU の Azure リージョンをサポートしている場合は、ExpressRoute のローカル SKU を利用して回線のコストを削減します。", + "checklist": "Cost Optimization Checklist", + "guid": "544451e1-92d3-4442-a3c7-628637a551c5", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", + "text": "すべての VM の適切なサイズ設定", "waf": "費用" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 
'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", - "service": "ExpressRoute", - "severity": "中程度", - "text": "サポートされている Azure リージョンにゾーン冗長 ExpressRoute ゲートウェイをデプロイします。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "確実" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", - "severity": "中程度", - "text": "10 Gbps を超える帯域幅または専用の 10/100 Gbps ポートを必要とするシナリオでは、ExpressRoute Direct を使用します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "パフォーマンス" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", - "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", - "service": "ExpressRoute", - "severity": "中程度", - "text": "待機時間を短くする必要がある場合、またはオンプレミスから Azure へのスループットを 10 Gbps を超える必要がある場合は、FastPath を有効にして、データ パスから ExpressRoute ゲートウェイをバイパスします。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "パフォーマンス" - }, - { - "arm-service": "microsoft.network/vpnGateways", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where 
properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", - "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", - "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", - "service": "VPN", - "severity": "中程度", - "text": "ゾーン冗長 VPN ゲートウェイを使用して、ブランチまたはリモートの場所を Azure に接続します (使用可能な場合)。", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "確実" - }, - { - "arm-service": "microsoft.network/vpnGateways", - "checklist": "Azure Landing Zone Review", - "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", - "service": "VPN", - "severity": "中程度", - "text": "冗長 VPN アプライアンスをオンプレミス (アクティブ/アクティブまたはアクティブ/パッシブ) で使用します。", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "確実" - }, - { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "718cb437-b060-2589-8856-2e93a5c6633b", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", - "service": "ExpressRoute", - "severity": "高い", - "text": "ExpressRoute Direct を使用する場合は、コストを節約するために、ローカルの Azure リージョンへの ExpressRoute Local 回線の使用を検討してください", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "checklist": "Cost Optimization Checklist", + "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "VM", + "text": "正規化されたサイズと最新のサイズでサイズをスワップする VM", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "費用" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", - 
"link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", - "service": "ExpressRoute", - "severity": "中程度", - "text": "運用環境と非運用環境を分離する場合など、トラフィックの分離または専用の帯域幅が必要な場合は、異なる ExpressRoute 回線を使用します。これにより、ルーティング ドメインが分離され、ノイジー ネイバーのリスクが軽減されます。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "安全" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b30e38c3-f298-412b-8363-cefe179b599d", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", - "service": "ExpressRoute", - "severity": "中程度", - "text": "組み込みの Express Route Insights を使用して、ExpressRoute の可用性と使用率を監視します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "オペレーションズ" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", - "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", - "service": "ExpressRoute", - "severity": "中程度", - "text": "接続モニターは、ネットワーク全体 (特にオンプレミスと Azure 間) の接続を監視するために使用します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "オペレーションズ" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize 
countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", - "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#challenges-of-using-multiple-expressroute-circuits", - "service": "ExpressRoute", - "severity": "中程度", - "text": "冗長性のために、異なるピアリングの場所からの ExpressRoute 回線を使用します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "確実" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", - "service": "ExpressRoute", - "severity": "中程度", - "text": "ExpressRoute のフェールオーバーとしてサイト間 VPN を使用します (特に、1 つの ExpressRoute 回線のみを使用する場合)。", - "waf": "確実" - }, - { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", - "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", - "service": "ExpressRoute", - "severity": "高い", - "text": "GatewaySubnet でルート テーブルを使用している場合は、ゲートウェイ ルートが伝達されていることを確認します。", - "waf": "確実" - }, - 
{ - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "d581a947-69a2-4783-942e-9df3664324c8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", - "service": "ExpressRoute", - "severity": "高い", - "text": "ExpressRoute を使用する場合、オンプレミスのルーティングは動的である必要があり、接続障害が発生した場合は、回線の残りの接続に収束する必要があります。負荷は、アクティブ/パッシブもサポートされていますが、理想的にはアクティブ/アクティブとして両方の接続で共有する必要があります。", - "waf": "確実" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", - "service": "ExpressRoute", - "severity": "中程度", - "text": "ExpressRoute 回線の 2 つの物理リンクが、ネットワーク内の 2 つの異なるエッジ デバイスに接続されていることを確認します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "確実" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", - "service": "ExpressRoute", - "severity": "中程度", - "text": "Bidirectional Forwarding Detection(BFD)が有効で、顧客またはプロバイダーのエッジ ルーティング デバイスで設定されていることを確認します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "確実" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "ExpressRoute", - "severity": "高い", - "text": "回復性を高めるために、ExpressRoute ゲートウェイを異なるピアリングの場所から 2 つ以上の回線に接続します。", - "training": 
"https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "確実" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", - "service": "ExpressRoute", - "severity": "中程度", - "text": "ExpressRoute 仮想ネットワーク ゲートウェイの診断ログとアラートを構成します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "オペレーションズ" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "5234c93f-b651-41dd-80c1-234177b91ced", - "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", - "service": "ExpressRoute", - "severity": "中程度", - "text": "VNet 間通信に ExpressRoute 回線を使用しないでください。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "パフォーマンス" - }, - { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", - "link": "https://learn.microsoft.com/azure/app-service/networking-features", - "service": "Firewall", - "severity": "高い", - "text": "Azure Firewall を使用して、インターネットへの Azure 送信トラフィック、HTTP/S 以外の受信接続、East/West トラフィック フィルター処理 (組織で必要な場合) を管理します", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "安全" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", - "severity": "中程度", - "text": "グローバル ネットワーク環境全体のセキュリティ体制を管理するグローバル Azure Firewall ポリシーを作成し、それをすべての Azure Firewall インスタンスに割り当てます。Azure のロールベースのアクセス制御を介して増分ファイアウォール ポリシーをローカルのセキュリティ チームに委任することで、特定のリージョンの要件を満たすきめ細かなポリシーが可能になります。", - 
"training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "安全" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", - "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", - "service": "Firewall", - "severity": "低い", - "text": "組織がそのようなソリューションを使用してアウトバウンド接続を保護する場合は、Firewall Manager 内でサポートされているパートナーの SaaS セキュリティ プロバイダーを構成します。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "安全" - }, - { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", - "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", - "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", - "service": "Firewall", - "severity": "高い", - "text": "FQDN ベースのネットワーク ルールと DNS プロキシを備えた Azure Firewall を使用して、アプリケーション ルールでサポートされていないプロトコルを介してインターネットへのエグレス トラフィックをフィルター処理します。", - "waf": "安全" - }, - { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", - "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", - "link": "https://learn.microsoft.com/azure/firewall/premium-features", - "service": "Firewall", - "severity": "高い", - "text": "Azure Firewall Premium を使用して、セキュリティと保護を強化します。", - "waf": "安全" - }, - { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", - "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", - "link": "https://learn.microsoft.com/azure/firewall/premium-features", - "service": "Firewall", - "severity": "高い", - "text": 
"保護を強化するために、Azure Firewall 脅威インテリジェンス モードを [アラート] と [拒否] に構成します。", - "waf": "安全" - }, - { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", - "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", - "service": "Firewall", - "severity": "高い", - "text": "保護を強化するために、Azure Firewall IDPS モードを [拒否] に構成します。", - "waf": "安全" - }, - { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", - "guid": "a3784907-9836-4271-aafc-93535f8ec08b", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", - "service": "Firewall", - "severity": "高い", 
- "text": "Virtual WAN に接続されていない VNet 内のサブネットの場合は、インターネット トラフィックが Azure Firewall またはネットワーク仮想アプライアンスにリダイレクトされるようにルート テーブルをアタッチします", - "waf": "安全" - }, - { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "715d833d-4708-4527-90ac-1b142c7045ba", - "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", - "service": "Firewall", - "severity": "中程度", - "text": "すべての Azure Firewall デプロイのログを保存するための診断設定を、リソース固有の宛先テーブルに追加します。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "オペレーションズ" + "checklist": "Cost Optimization Checklist", + "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "text": "VM の適切なサイズ設定 - 使用率を 5% 未満で監視することから始めて、その後 40% まで作業します", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "費用" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", - "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", - "service": "Firewall", - "severity": "大事な", - "text": "Azure Firewall クラシック規則 (存在する場合) からファイアウォール ポリシーに移行します。", + "checklist": "Cost Optimization Checklist", + "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "text": "アプリケーションをコンテナー化すると、VM の密度が向上し、スケーリングにかかるコストを節約できます", "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "オペレーションズ" + "waf": "費用" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where 
subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", - "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", - "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", - "service": "Firewall", + "checklist": "IoT Hub Review", + "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", + "service": "IoT", "severity": "高い", - "text": "Azure Firewall サブネットに /26 プレフィックスを使用します。", - "waf": "安全" + "text": "Availability Zones (リージョンで適用可能な場合) を活用する (これは自動的に有効になります)", + "waf": "確実" }, { - "checklist": "Azure Landing Zone Review", - "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", - "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", - "service": "Firewall", + "checklist": "IoT Hub Review", + "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", "severity": "中程度", - "text": "ファイアウォール ポリシー内のルールをルール コレクション グループとルール コレクションに分類し、使用頻度に基づいて配置します", - "waf": "パフォーマンス" + "text": "Microsoft が開始するフェールオーバーに注意してください。これらは、まれに、影響を受けるリージョンから対応する geo ペア リージョンにすべての IoT ハブをフェールオーバーするために Microsoft によって実行されます。", + "waf": "確実" }, { - "checklist": "Azure Landing Zone Review", - "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", - "link": "https://learn.microsoft.com/azure/firewall/ip-groups", - "service": "Firewall", - "severity": "中程度", - "text": "IP グループまたは IP プレフィックスを使用して、IP テーブル ルールの数を減らす", - "waf": "パフォーマンス" + "checklist": "IoT Hub Review", + "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", + "service": "IoT", + "severity": "高い", + "text": "重要なワークロードに対するリージョン間 DR 戦略を検討する", + "waf": "確実" }, { - "checklist": "Azure Landing Zone Review", - "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", - "link": 
"https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", - "service": "Firewall", - "severity": "中程度", - "text": "DNATS の送信元 IP としてワイルドカード (* や any など) は使用せず、受信 DNAT の送信元 IP を指定する必要があります", - "waf": "パフォーマンス" + "checklist": "IoT Hub Review", + "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", + "severity": "高い", + "text": "手動フェールオーバーをトリガーする方法を学習します。", + "waf": "確実" + }, + { + "checklist": "IoT Hub Review", + "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", + "service": "IoT", + "severity": "高い", + "text": "フェールオーバー後にフェールバックする方法を学習します。", + "waf": "確実" }, { "checklist": "Azure Landing Zone Review", - "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", - "link": "https://learn.microsoft.com/azure/nat-gateway/tutorial-hub-spoke-nat-firewall", - "service": "Firewall", + "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", + "service": "Entra", "severity": "中程度", - "text": "SNAT ポートの使用状況を監視し、NAT ゲートウェイの設定を評価し、シームレスなフェールオーバーを確保することで、SNAT ポートの枯渇を防ぎます。ポート数が制限に近づく場合は、SNAT の枯渇が差し迫っている可能性があります。", - "waf": "パフォーマンス" + "text": "マルチテナントに関する明確な規制要件またはビジネス要件がない限り、Azure リソースの管理には 1 つの Entra テナントを使用します。", + "waf": "オペレーションズ" }, { "checklist": "Azure Landing Zone Review", - "guid": "346840b8-1064-496e-8396-4b1340172d52", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", - "service": "Firewall", - "severity": "高い", - "text": "TLSインスペクションの有効化", - "waf": "パフォーマンス" + "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Entra", + "severity": "低い", + "text": "Microsoft Entra ID 
テナントを管理するためのマルチテナント自動化アプローチがあることを確認する", + "waf": "オペレーションズ" }, { "checklist": "Azure Landing Zone Review", - "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", - "service": "Firewall", + "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "Entra", "severity": "低い", - "text": "Web カテゴリを使用して、特定のトピックへの送信アクセスを許可または拒否します。", - "waf": "パフォーマンス" + "text": "マルチテナント管理に Azure Lighthouse を活用する", + "waf": "オペレーションズ" }, { "checklist": "Azure Landing Zone Review", - "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", - "service": "Firewall", + "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Entra", "severity": "中程度", - "text": "TLS 検査の一環として、検査のために Azure App Gateway からトラフィックを受信することを計画します。", - "waf": "パフォーマンス" + "text": "パートナーによるテナントの管理に Azure Lighthouse が使用されていることを確認する", + "waf": "費用" }, { + "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", - "link": "https://learn.microsoft.com/azure/firewall/dns-details", - "service": "Firewall", - "severity": "中程度", - "text": "Azure Firewall DNS プロキシ構成を有効にする", + "guid": "348ef254-c27d-442e-abba-c7571559ab91", + "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", + "service": "Entra", + "severity": "高い", + "text": "クラウド運用モデルに合わせた RBAC モデルを適用します。管理グループとサブスクリプション全体のスコープと割り当てを行います。", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "安全" }, { + "ammp": true, "checklist": "Azure Landing Zone Review", - 
"guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", - "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", - "service": "Firewall", - "severity": "中程度", - "text": "仮想マシンに直接関連付けられているパブリック IP アドレスを拒否するポリシーの割り当てがあることを確認します", + "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", + "service": "Entra", + "severity": "高い", + "text": "すべてのアカウントの種類で、認証の種類である職場または学校アカウントのみを使用します。Microsoft アカウントの使用は避けてください", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "安全" }, { "checklist": "Azure Landing Zone Review", - "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", - "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", - "service": "Firewall", - "severity": "低い", - "text": "Azure Firewall を Azure Monitor と統合し、診断ログを有効にして、ファイアウォール ログを格納および分析します。", - "waf": "オペレーションズ" + "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "Entra", + "severity": "中程度", + "text": "アクセス許可の割り当てには、グループのみを使用します。グループ管理システムが既に導入されている場合は、オンプレミス グループを Entra ID のみのグループに追加します。", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "安全" }, { "checklist": "Azure Landing Zone Review", - "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", + "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", + "service": "Entra", "severity": "低い", - "text": "ファイアウォールルールのバックアップを実装する", - "waf": "オペレーションズ" + "text": "Azure 環境に対する権限を持つすべてのユーザーに Microsoft Entra ID 条件付きアクセス ポリシーを適用する", + 
"training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "安全" }, { "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "App Gateway", + "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", + "service": "Entra", "severity": "高い", - "text": "仮想ネットワークに挿入された Azure PaaS サービスのコントロール プレーン通信が、たとえば、コントロール プレーンのトラフィックをブロックする 0.0.0.0/0 ルートや NSG ルールによって切断されていないことを確認します。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "text": "Azure 環境に対する権限を持つすべてのユーザーに多要素認証を適用する", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", - "link": "https://learn.microsoft.com/azure/app-service/networking-features", - "service": "ExpressRoute", + "guid": "14658d35-58fd-4772-99b8-21112df27ee4", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "Entra", "severity": "中程度", - "text": "オンプレミスからプライベート エンドポイントと ExpressRoute プライベート ピアリングを介して Azure PaaS サービスにアクセスします。この方法では、パブリック インターネット経由のトランジットが回避されます。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "Microsoft Entra ID Privileged Identity Management (PIM) を適用して、ゼロの永続的なアクセスと最小限の特権を確立します", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "安全" }, { "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = 
properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", - "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", - "link": "https://learn.microsoft.com/azure/app-service/networking-features", - "service": "VNet", + "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", + "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", + "service": "Entra", "severity": "中程度", - "text": "すべてのサブネットで仮想ネットワーク サービス エンドポイントを既定で有効にしないでください。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "text": "Active Directory ドメイン サービスから Entra ドメイン サービスへの切り替えを計画している場合は、すべてのワークロードの互換性を評価します", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", "waf": "安全" }, { "checklist": "Azure Landing Zone Review", - "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", - "link": "https://learn.microsoft.com/azure/app-service/networking-features", - "service": "Firewall", + "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", + "service": "Entra", "severity": "中程度", - "text": "Azure Firewall または NVA の IP アドレスの代わりに FQDN を使用して Azure PaaS サービスへのエグレス トラフィックをフィルター処理し、データ流出を防ぎます。Private Link を使用している場合は、すべての FQDN をブロックし、それ以外の場合は必要な PaaS サービスのみを許可できます。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "text": "Microsoft Entra ID ログをプラットフォーム中心の Azure Monitor と統合します。Azure Monitor を使用すると、Azure のログと監視データに関する信頼できる唯一の情報源が得られ、ログの収集と保持に関する要件を満たすクラウド ネイティブ オプションが組織に提供されます。", "waf": "安全" }, { "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "graph": 
"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", - "service": "ExpressRoute", + "guid": "984a859c-773e-47d2-9162-3a765a917e1f", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + "service": "Entra", "severity": "高い", - "text": "Gateway サブネットに少なくとも /27 プレフィックスを使用する", + "text": "テナント全体のアカウント ロックアウトを防ぐために、緊急アクセスまたは非常用アカウントを実装する", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "安全" }, { "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", - 
"guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", - "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", - "service": "NSG", + "guid": "35037e68-9349-4c15-b371-228514f4cdff", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "Entra", "severity": "中程度", - "text": "接続を制限するために、VirtualNetwork サービス タグを使用する NSG 受信の既定の規則に依存しないでください。", + "text": "Microsoft Entra ID ロールの割り当てにオンプレミスの同期アカウントを使用しないでください。", + "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", "waf": "安全" }, { "checklist": "Azure Landing Zone Review", - "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", - "service": "NSG", + "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Entra", "severity": "中程度", - "text": "NSG を使用して、サブネット間のトラフィックと、プラットフォーム全体の East/West トラフィック (ランディング ゾーン間のトラフィック) を保護します。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "text": "必要に応じて、Microsoft Entra ID アプリケーション プロキシを使用して、内部アプリケーション (クラウドまたはオンプレミスでホストされている) への安全で認証されたアクセスをリモート ユーザーに付与します。", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "安全" }, { "checklist": "Azure Landing Zone Review", - "graph": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)", - "guid": "9c2299c4-d7b5-47d0-a655-562f2b3e4563", - "service": "NSG", + "guid": 
"e8bbac75-7155-49ab-a153-e8908ae28c84",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity",
+ "service": "VNet",
 "severity": "中程度",
- "text": "アプリケーション チームは、サブネット レベルの NSG でアプリケーション セキュリティ グループを使用して、ランディング ゾーン内の多層 VM を保護する必要があります。",
- "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
+ "text": "従来のハブアンドスポーク ネットワーク トポロジに基づくネットワーク設計を、最大限の柔軟性を必要とするネットワーク シナリオに活用します。",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
 "waf": "安全"
 },
 {
+ "ammp": true,
 "checklist": "Azure Landing Zone Review",
- "guid": "a4d87397-48b6-462d-9d15-f512a65498f6",
- "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
- "service": "NSG",
- "severity": "中程度",
- "text": "NSG とアプリケーション セキュリティ グループを使用して、ランディング ゾーン内のトラフィックを細かくセグメント化し、中央の NVA を使用してトラフィック フローをフィルター処理しないようにします。",
- "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
- "waf": "安全"
+ "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/expressroute",
+ "service": "VNet",
+ "severity": "高い",
+ "text": "ExpressRoute ゲートウェイ、VPN ゲートウェイ、Azure Firewall などの共有ネットワーク サービス、または中央ハブ仮想ネットワーク内のパートナーの NVA を確認します。必要に応じて、DNS サーバーも展開します。",
+ "waf": "費用"
 },
 {
 "checklist": "Azure Landing Zone Review",
- "guid": "dfe237de-143b-416c-91d7-aa9b64704489",
- "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
- "service": "NSG",
+ "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "service": "VNet",
 "severity": "中程度",
- "text": "VNet フロー ログを有効にして Traffic Analytics にフィードし、内部および外部のトラフィック フローに関する分析情報を取得します。",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
+ "text": 
"アプリケーション ランディング ゾーン内のすべてのパブリック IP アドレスに対して DDoS ネットワークまたは IP 保護プランを使用します。",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "安全"
 },
 {
 "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)",
- "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
- "service": "NSG",
+ "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha",
+ "service": "NVA",
 "severity": "中程度",
- "text": "NSG あたりの NSG ルールの制限 (1000) を検討します。",
- "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
+ "text": "パートナー ネットワーク テクノロジまたは NVA をデプロイする場合は、パートナー ベンダーのガイダンスに従ってください",
 "waf": "確実"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
+ "arm-service": "microsoft.network/expressRouteCircuits",
 "checklist": "Azure Landing Zone Review",
- "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f",
- "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any",
- "service": "VWAN",
- "severity": "中程度",
- "text": "Azure ネットワーク管理を簡素化するために Virtual WAN を検討し、Virtual WAN ルーティング設計の一覧にシナリオが明示的に記述されていることを確認します",
- "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/",
- "waf": "オペレーションズ"
+ "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn",
+ "service": "ExpressRoute",
+ "severity": "低い",
+ "text": "ハブ アンド スポーク シナリオで ExpressRoute と VPN ゲートウェイ間の転送が必要な場合は、Azure Route Server を使用します。",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
 "checklist": 
"Azure Landing Zone Review",
- "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
- "service": "VWAN",
- "severity": "中程度",
- "text": "Azure リージョンごとに Virtual WAN ハブを使用して、共通のグローバル Azure Virtual WAN を介して Azure リージョン間で複数のランディング ゾーンを接続します。",
- "waf": "パフォーマンス"
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant",
+ "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc",
+ "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1",
+ "service": "ARS",
+ "severity": "低い",
+ "text": "Route Server を使用する場合は、Route Server サブネットに /27 プレフィックスを使用します。",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
 "checklist": "Azure Landing Zone Review",
- "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
- "service": "VWAN",
- "severity": "低い",
- "text": "\"Azure のトラフィックは Azure にとどまる\" という原則に従って、Azure のリソース間の通信が Microsoft バックボーン ネットワーク経由で行われるようにします",
+ "guid": "cc881471-607c-41cc-a0e6-14658dd558f9",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region",
+ "service": "VNet",
+ "severity": "中程度",
+ "text": "複数のハブ アンド スポーク トポロジを持つネットワーク アーキテクチャでは、ハブ VNet 間のグローバル仮想ネットワーク ピアリングを使用して、リージョンを相互に接続します。",
+ "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/",
 "waf": "パフォーマンス"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
 "checklist": "Azure Landing Zone Review",
- "graph": "resources | where 
type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant",
- "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
- "service": "VWAN",
+ "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview",
+ "service": "VNet",
 "severity": "中程度",
- "text": "送信インターネット トラフィックの保護とフィルター処理を行うには、セキュリティで保護されたハブに Azure Firewall をデプロイします",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "安全"
+ "text": "Azure Monitor for Networks を使用して、Azure 上のネットワークのエンド ツー エンドの状態を監視します。",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
+ "waf": "オペレーションズ"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
 "checklist": "Azure Landing Zone Review",
- "guid": "6667313b-4f56-464b-9e98-4a859c773e7d",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
- "service": "VWAN",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant",
+ "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
+ "service": "VNet",
 "severity": "中程度",
- "text": "ネットワーク アーキテクチャが Azure Virtual WAN の制限内にあることを確認します。",
+ "text": "スポーク仮想ネットワークを中央ハブ仮想ネットワークに接続する場合は、ExpressRoute 経由でアドバタイズできるプレフィックスの最大数である VNet ピアリングの制限 (500) (1000) を考慮してください",
 "waf": "確実"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
 "checklist": "Azure Landing Zone Review",
- "guid": "261623a7-65a9-417e-8f34-8ef254c27d42",
- 
"link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights",
- "service": "VWAN",
+ "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant",
+ "guid": "3d457936-e9b7-41eb-bdff-314b26450b12",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
+ "service": "VNet",
 "severity": "中程度",
- "text": "Azure Monitor Insights for Virtual WAN を使用して、Virtual WAN のエンドツーエンドのトポロジ、状態、主要なメトリックを監視します。",
- "waf": "オペレーションズ"
+ "text": "ルート テーブルあたりのルート数の制限 (400) を考慮します。",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
+ "ammp": true,
 "checklist": "Azure Landing Zone Review",
- "guid": "727c77e1-b9aa-4a37-a024-129d042422c1",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan",
- "service": "VWAN",
- "severity": "中程度",
- "text": "IaC デプロイで、これらのフローを明示的にブロックする必要がない限り、Virtual WAN のブランチ間トラフィックが無効にならないようにしてください。",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)",
+ "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering",
+ "service": "VNet",
+ "severity": "高い",
+ "text": "VNet ピアリングを構成するときに [リモート仮想ネットワークへのトラフィックを許可する] 設定を使用します",
 "waf": "確実"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
+ "arm-service": "microsoft.network/expressRouteCircuits",
 "checklist": "Azure Landing Zone Review",
- "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d",
- "link": 
"https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference",
- "service": "VWAN",
+ "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec",
+ "service": "ExpressRoute",
 "severity": "中程度",
- "text": "AS-Path は ExpressRoute や VPN よりも柔軟性が高いため、ハブ ルーティングの基本設定として使用します。",
- "waf": "確実"
+ "text": "ExpressRoute Direct を使用している場合は、組織のルーターと MSEE 間のレイヤー 2 レベルでトラフィックを暗号化するために MACsec を構成します。この図は、この暗号化をフローで示しています。",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
+ "arm-service": "microsoft.network/expressRouteCircuits",
 "checklist": "Azure Landing Zone Review",
- "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d",
- "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels",
- "service": "VWAN",
- "severity": "中程度",
- "text": "IaC デプロイで Virtual WAN でラベルベースの伝達が構成されていることを確認すると、仮想ハブ間の接続が損なわれます。",
- "waf": "確実"
+ "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about",
+ "service": "ExpressRoute",
+ "severity": "低い",
+ "text": "MACsec がオプションではないシナリオ (ExpressRoute Direct を使用しない場合など) では、VPN ゲートウェイを使用して、ExpressRoute プライベート ピアリング経由で IPsec トンネルを確立します。",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
+ "waf": "安全"
 },
 {
 "ammp": true,
- "arm-service": "microsoft.network/virtualWans",
+ "arm-service": "microsoft.network/expressRouteCircuits",
 "checklist": "Azure Landing Zone Review",
- "guid": "9c75dfef-573c-461c-a698-68598595581a",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation",
- "service": "VWAN",
+ "guid": "558fd772-49b8-4211-82df-27ee412e7f98",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "ExpressRoute",
 "severity": "高い",
- "text": "仮想ハブに十分な IP 空間 
(理想的には /23 プレフィックス) を割り当てます。",
- "waf": "確実"
+ "text": "Azure リージョンとオンプレミスの場所間で重複する IP アドレス空間が使用されていないことを確認します",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "安全"
+ },
+ {
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr",
+ "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "VNet",
+ "severity": "低い",
+ "text": "プライベート インターネットのアドレス割り当て範囲 (RFC 1918) の IP アドレスを使用します。",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "安全"
 },
 {
 "ammp": true,
 "checklist": "Azure Landing Zone Review",
- "guid": "5c986cb2-9131-456a-8247-6e49f541acdc",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant",
+ "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "VNet",
 "severity": "高い",
- "text": "Azure 
Policy を戦略的に活用し、環境の制御を定義し、ポリシー イニシアチブを使用して関連するポリシーをグループ化します。",
- "waf": "安全"
+ "text": "IP アドレス空間が無駄にならないようにし、不必要に大きな仮想ネットワーク (/16 など) を作成しないようにします",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "パフォーマンス"
 },
 {
+ "ammp": true,
 "checklist": "Azure Landing Zone Review",
- "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
- "severity": "中程度",
- "text": "規制とコンプライアンスの要件を Azure Policy の定義と Azure ロールの割り当てにマップします。",
- "waf": "安全"
+ "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9",
+ "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses",
+ "service": "VNet",
+ "severity": "高い",
+ "text": "運用サイトと DR サイトで重複する IP アドレス範囲を使用しないでください。",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "waf": "確実"
 },
 {
 "checklist": "Azure Landing Zone Review",
- "guid": "223ace8c-b123-408c-a501-7f154e3ab369",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances",
+ "service": "DNS",
 "severity": "中程度",
- "text": "中間ルート管理グループで Azure Policy 定義を確立し、継承されたスコープで割り当てられるようにする",
- "waf": "安全"
+ "text": "Azure での名前解決のみが必要な環境では、名前解決用の委任されたゾーン ('azure.contoso.com' など) を使用して解決に Azure プライベート DNS を使用します。",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "waf": "オペレーションズ"
 },
 {
 "checklist": "Azure Landing Zone Review",
- "guid": "3829e7e3-1618-4368-9a04-77a209945bda",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0",
+ "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview",
+ "service": "DNS", 
"severity": "中程度",
- "text": "必要に応じて、ポリシーの割り当てを最下位レベルで管理し、最下位レベルで除外します。",
+ "text": "Azure とオンプレミスでの名前解決が必要な環境では、Azure DNS Private Resolver の使用を検討してください。",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/",
 "waf": "安全"
 },
 {
 "checklist": "Azure Landing Zone Review",
- "guid": "43334f24-9116-4341-a2ba-527526944008",
- "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services",
- "service": "Policy",
+ "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances",
+ "service": "DNS",
 "severity": "低い",
- "text": "Azure Policy を使用して、ユーザーがサブスクリプション/管理グループ レベルでプロビジョニングできるサービスを制御する",
- "waf": "安全"
+ "text": "独自の DNS (Red Hat OpenShift など) を必要としてデプロイする特別なワークロードでは、優先 DNS ソリューションを使用する必要があります。",
+ "waf": "オペレーションズ"
 },
 {
+ "ammp": true,
 "checklist": "Azure Landing Zone Review",
- "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "guid": "614658d3-558f-4d77-849b-821112df27ee",
+ "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration",
+ "service": "DNS",
+ "severity": "高い",
+ "text": "Azure DNS の自動登録を有効にすると、仮想ネットワーク内にデプロイされた仮想マシンの DNS レコードのライフサイクルが自動的に管理されます。",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "waf": "オペレーションズ"
+ },
+ {
+ "checklist": "Azure Landing Zone Review",
+ "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad",
+ "link": "https://learn.microsoft.com/azure/bastion/bastion-overview",
+ "service": "Bastion",
 "severity": "中程度",
- "text": "可能な場合は組み込みのポリシーを使用して、運用上のオーバーヘッドを最小限に抑えます。",
+ "text": "Azure Bastion を使用してネットワークに安全に接続することを検討してください。",
 "waf": "安全"
 },
 {
 "checklist": "Azure Landing Zone Review",
- "description": "リソース ポリシー共同作成者ロールを特定のスコープに割り当てると、ポリシー管理を関連するチームに委任できます。たとえば、中央の IT チームが管理グループ 
レベルのポリシーを監督し、アプリケーション チームがサブスクリプションのポリシーを処理することで、組織の標準に準拠した分散ガバナンスが可能になります。",
- "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy",
- "service": "Policy",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant",
+ "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0",
+ "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet",
+ "service": "Bastion",
 "severity": "中程度",
- "text": "組み込みのリソース ポリシー共同作成者ロールを特定のスコープで割り当てて、アプリケーション レベルのガバナンスを有効にします。",
+ "text": "Azure Bastion は、サブネット /26 以上で使用します。",
 "waf": "安全"
 },
 {
 "checklist": "Azure Landing Zone Review",
- "guid": "19048384-5c98-46cb-8913-156a12476e49",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
+ "service": "WAF",
 "severity": "中程度",
- "text": "ルート管理グループのスコープで行われる Azure Policy 割り当ての数を制限して、継承されたスコープでの除外による管理を回避します。",
+ "text": "Azure Front Door と WAF ポリシーを使用して、ランディング ゾーンへの受信 HTTP/S 接続に対して Azure リージョン全体でグローバル保護を提供します。",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "安全"
+ },
+ {
+ "checklist": "Azure Landing Zone Review",
+ "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "WAF",
+ "severity": "低い",
+ "text": "Azure Front Door と Azure Application Gateway を使用して HTTP/S アプリを保護する場合は、Azure Front Door で WAF ポリシーを使用します。Azure Application Gateway 
をロックダウンして、Azure Front Door からのトラフィックのみを受信するようにします。",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
 "waf": "安全"
 },
 {
+ "ammp": true,
 "checklist": "Azure Landing Zone Review",
- "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757",
- "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline",
- "service": "Policy",
- "severity": "中程度",
- "text": "データ主権の要件が存在する場合は、Azure ポリシーをデプロイして適用できます",
- "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/",
+ "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "WAF",
+ "severity": "高い",
+ "text": "WAF とその他のリバース プロキシは、受信 HTTP/S 接続に必要であり、ランディング ゾーン仮想ネットワーク内にデプロイし、保護してインターネットに公開しているアプリと共にデプロイします。",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
 "waf": "安全"
 },
 {
+ "ammp": true,
 "checklist": "Azure Landing Zone Review",
- "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone",
- "service": "Policy",
- "severity": "中程度",
- "text": "ソブリン・ランディング・ゾーンの場合、主権ポリシー・ベースラインのポリシー・イニシアチブがデプロイされ、正しいMGレベルで割り当てられます。",
+ "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
+ "service": "VNet",
+ "severity": "高い",
+ "text": "Azure DDoS ネットワークまたは IP Protection プランを使用して、仮想ネットワーク内のパブリック IP アドレス エンドポイントを保護します。",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "安全"
 },
 {
+ "ammp": true,
 "checklist": "Azure Landing Zone Review",
- "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4",
- "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline",
- "service": "Policy",
- "severity": "中程度",
- "text": 
"ソブリン・ランディング・ゾーンについては、ソブリン制御の目標とポリシー・マッピングが文書化されています。",
- "waf": "安全"
+ "guid": "b034c01e-110b-463a-b36e-e3346e57f225",
+ "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access",
+ "service": "VNet",
+ "severity": "高い",
+ "text": "今後の破壊的変更の前に、ネットワーク送信トラフィックの構成と戦略を評価および確認します。2025 年 9 月 30 日に、新しいデプロイの既定の送信アクセスは廃止され、明示的なアクセス構成のみが許可されます",
+ "waf": "確実"
 },
 {
+ "ammp": true,
 "checklist": "Azure Landing Zone Review",
- "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a",
- "service": "Policy",
- "severity": "中程度",
- "text": "ソブリン ランディング ゾーンでは、\"ソブリン制御の目標からポリシー マッピング\" の CRUD のプロセスが導入されています。",
+ "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
+ "service": "VNet",
+ "severity": "高い",
+ "text": "診断設定を追加して、保護されているすべてのパブリック IP アドレス (DDoS IP またはネットワーク保護) の DDoS 関連ログを保存します。",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "安全"
 },
 {
+ "arm-service": "microsoft.network/expressRouteCircuits",
 "checklist": "Azure Landing Zone Review",
- "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "Monitor",
+ "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli",
+ "service": "ExpressRoute",
 "severity": "中程度",
- "text": "Azure ロールベースのアクセス制御 (Azure RBAC)、データ主権要件、またはデータ保持ポリシーで個別のワークスペースが義務付けられている場合を除き、1 つのモニター ログ ワークスペースを使用してプラットフォームを一元的に管理します。",
- "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "waf": "オペレーションズ"
+ "text": "ExpressRoute を Azure へのプライマリ接続として使用する可能性を調査したことを確認します。",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "パフォーマンス"
 },
 {
+ "arm-service": "microsoft.network/expressRouteCircuits", 
"checklist": "Azure Landing Zone Review",
- "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work",
- "service": "Monitor",
+ "description": "AS パスのプリペンドと接続の重みを使用して、Azure からオンプレミスへのトラフィックに影響を与え、独自のルーターの全範囲の BGP 属性を使用して、オンプレミスから Azure へのトラフィックに影響を与えることができます。",
+ "guid": "f29812b2-363c-4efe-879b-599de0d5973c",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing",
+ "service": "ExpressRoute",
 "severity": "中程度",
- "text": "ログの保持要件が 12 年を超える場合は、ログを Azure Storage にエクスポートします。不変ストレージと write-once、read-many ポリシーを使用して、ユーザーが指定した間隔でデータを消去および変更できないようにします。",
- "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
- "waf": "オペレーションズ"
+ "text": "複数の ExpressRoute 回線、または複数のオンプレミスの場所を使用する場合、特定のパスが優先される場合は、BGP 属性を使用してルーティングを最適化してください。",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "確実"
 },
 {
+ "arm-service": "microsoft.network/expressRouteCircuits",
 "checklist": "Azure Landing Zone Review",
- "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13",
- "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview",
- "service": "VM",
+ "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant",
+ "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing",
+ "service": "ExpressRoute",
 "severity": "中程度",
- "text": "Azure Policy を使用して OS レベルの仮想マシン (VM) 構成のずれを監視します。ポリシーを使用して Azure Automanage Machine Configuration 監査機能を有効にすると、アプリケーション 
チームのワークロードは、わずかな労力で機能をすぐに使用できます。",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
- "waf": "オペレーションズ"
+ "text": "帯域幅とパフォーマンスの要件に基づいて、ExpressRoute/VPN ゲートウェイに適切な SKU を使用していることを確認します。",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "パフォーマンス"
 },
 {
+ "ammp": true,
+ "arm-service": "microsoft.network/expressRouteCircuits",
 "checklist": "Azure Landing Zone Review",
- "guid": "f9887952-5d62-4688-9d70-ba6c97be9951",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ",
- "service": "VM",
- "severity": "中程度",
- "text": "Azure Update Manager を、Azure の Windows および Linux VM の修正プログラムの適用メカニズムとして使用します。",
- "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms",
- "waf": "オペレーションズ"
+ "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant",
+ "guid": "7025b442-f6e9-4af6-b11f-c9574916016f",
+ "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost",
+ "service": "ExpressRoute",
+ "severity": "高い",
+ "text": "無制限のデータ ExpressRoute 回線は、コストに見合った帯域幅に達した場合にのみ使用してください。",
+ "waf": "費用"
 },
 {
+ "ammp": true,
+ "arm-service": "microsoft.network/expressRouteCircuits",
 "checklist": "Azure Landing Zone Review",
- "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ",
- "service": "VM",
- "severity": "中程度",
- "text": "Azure Arc を使用して、Azure の外部にある Windows および Linux VM の修正プログラムの適用メカニズムとして Azure Update Manager を使用します。",
- "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms",
- "waf": "オペレーションズ"
+ "graph": 
"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id",
+ "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local",
+ "service": "ExpressRoute",
+ "severity": "高い",
+ "text": "回線のピアリングの場所がローカル SKU の Azure リージョンをサポートしている場合は、ExpressRoute のローカル SKU を利用して回線のコストを削減します。",
+ "waf": "費用"
 },
 {
+ "arm-service": "microsoft.network/expressRouteCircuits",
 "checklist": "Azure Landing Zone Review",
- "guid": "90483845-c986-4cb2-a131-56a12476e49f",
- "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
- "service": "Network Watcher",
+ "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant",
+ "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways",
+ "service": "ExpressRoute",
 "severity": "中程度",
- "text": "Network Watcher を使用してトラフィック フローをプロアクティブに監視する",
- "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
- "waf": "オペレーションズ"
+ "text": "サポートされている Azure リージョンにゾーン冗長 ExpressRoute ゲートウェイをデプロイします。",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "確実"
 },
 {
+ "arm-service": 
"microsoft.network/expressRouteCircuits",
 "checklist": "Azure Landing Zone Review",
- "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
- "service": "Monitor",
+ "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure",
+ "service": "ExpressRoute",
 "severity": "中程度",
- "text": "分析情報とレポートには Azure Monitor ログを使用します。",
- "waf": "オペレーションズ"
+ "text": "10 Gbps を超える帯域幅または専用の 10/100 Gbps ポートを必要とするシナリオでは、ExpressRoute Direct を使用します。",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "パフォーマンス"
 },
 {
+ "arm-service": "microsoft.network/expressRouteCircuits",
 "checklist": "Azure Landing Zone Review",
- "guid": "97be9951-9048-4384-9c98-6cb2913156a1",
- "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview",
- "service": "Monitor",
+ "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a",
+ "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath",
+ "service": "ExpressRoute",
 "severity": "中程度",
- "text": "運用アラートの生成には、Azure Monitor アラートを使用します。",
- "waf": "オペレーションズ"
+ "text": "待機時間を短くする必要がある場合、またはオンプレミスから Azure へのスループットを 10 Gbps を超える必要がある場合は、FastPath を有効にして、データ パスから ExpressRoute ゲートウェイをバイパスします。",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "パフォーマンス"
 },
 {
+ "arm-service": "microsoft.network/vpnGateways",
 "checklist": "Azure Landing Zone Review",
- "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31",
- "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings",
- "service": "Monitor",
+ "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, 
compliant",
+ "guid": "4d873974-8b66-42d6-b15f-512a65498f6d",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway",
+ "service": "VPN",
 "severity": "中程度",
- "text": "Azure Automation アカウントを介して変更とインベントリの追跡を使用する場合は、Log Analytics ワークスペースと Automation アカウントをリンクするためにサポートされているリージョンを選択していることを確認してください。",
- "waf": "オペレーションズ"
+ "text": "ゾーン冗長 VPN ゲートウェイを使用して、ブランチまたはリモートの場所を Azure に接続します (使用可能な場合)。",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/",
+ "waf": "確実"
 },
 {
+ "arm-service": "microsoft.network/vpnGateways",
 "checklist": "Azure Landing Zone Review",
- "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy",
- "service": "Backup",
+ "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable",
+ "service": "VPN",
 "severity": "中程度",
- "text": "Azure Backup を使用する場合は、既定の設定が GRS であるため、さまざまなバックアップの種類 (GRS、ZRS、LRS) を考慮してください",
+ "text": "冗長 VPN アプライアンスをオンプレミス (アクティブ/アクティブまたはアクティブ/パッシブ) で使用します。",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/",
 "waf": "確実"
 },
 {
+ "ammp": true,
+ "arm-service": "microsoft.network/expressRouteCircuits",
 "checklist": "Azure Landing Zone Review",
- "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a",
- "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration",
- "service": "VM",
- "severity": "中程度",
- "text": "Azure ポリシーを使用して、VM 拡張機能を通じてソフトウェア構成を自動的にデプロイし、準拠したベースライン VM 構成を適用します。",
- "waf": "安全"
+ "guid": "718cb437-b060-2589-8856-2e93a5c6633b",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about",
+ "service": "ExpressRoute",
+ "severity": "高い",
+ "text": "ExpressRoute Direct を使用する場合は、コストを節約するために、ローカルの Azure リージョンへの ExpressRoute Local 回線の使用を検討してください",
+ "training": 
"https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "費用" }, { + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "description": "Azure Policy のゲスト構成機能では、マシンの設定 (OS、アプリケーション、環境など) を監査して修復し、リソースが想定される構成と一致していることを確認できます。", - "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "VM", + "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", + "service": "ExpressRoute", "severity": "中程度", - "text": "VM のセキュリティ構成のドリフトを Azure Policy で監視します。", + "text": "運用環境と非運用環境を分離する場合など、トラフィックの分離または専用の帯域幅が必要な場合は、異なる ExpressRoute 回線を使用します。これにより、ルーティング ドメインが分離され、ノイジー ネイバーのリスクが軽減されます。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "安全" }, { + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", + "guid": "b30e38c3-f298-412b-8363-cefe179b599d", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", + "service": "ExpressRoute", "severity": "中程度", - "text": "Azure から Azure Virtual Machines へのディザスター リカバリー シナリオには、Azure Site Recovery を使用します。これにより、リージョン間でワークロードをレプリケートできます。", + "text": "組み込みの Express Route Insights を使用して、ExpressRoute の可用性と使用率を監視します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "オペレーションズ" }, { + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", - "link": 
"https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "Backup", + "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", + "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", + "service": "ExpressRoute", "severity": "中程度", - "text": "Azure ネイティブのバックアップ機能、または Azure 互換のサード パーティのバックアップ ソリューションを使用します。", + "text": "接続モニターは、ネットワーク全体 (特にオンプレミスと Azure 間) の接続を監視するために使用します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "オペレーションズ" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "826c5c45-bb79-4951-a812-e3bfbfd7326b", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "VM", - "severity": "高い", - "text": "Availability Zones は、サポートされているリージョンの VM に活用します。", - "waf": "確実" - }, - { - "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "7ccb7c06-5511-42df-8177-d97f08d0337d", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "VM", - "severity": "高い", - "text": "運用ワークロードを 1 つの VM で実行することは避けてください。", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", + "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#challenges-of-using-multiple-expressroute-circuits", + "service": 
"ExpressRoute", + "severity": "中程度", + "text": "冗長性のために、異なるピアリングの場所からの ExpressRoute 回線を使用します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "確実" }, { + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "84101f59-1941-4195-a270-e28034290e3a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", + "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", + "service": "ExpressRoute", "severity": "中程度", - "text": "Azure Load Balancer と Application Gateway は、受信ネットワーク トラフィックを複数のリソースに分散します。", + "text": "ExpressRoute のフェールオーバーとしてサイト間 VPN を使用します (特に、1 つの ExpressRoute 回線のみを使用する場合)。", "waf": "確実" }, { "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "WAF", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", + "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", + "service": 
"ExpressRoute", "severity": "高い", - "text": "診断設定を追加して、Azure Front Door や Azure Application Gateway などのアプリケーション配信サービスから WAF ログを保存します。ログを定期的に確認して、攻撃や誤検知がないか確認します。", - "waf": "オペレーションズ" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "7f408960-c626-44cb-a018-347c8d790cdf", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "WAF", - "severity": "中程度", - "text": "Azure Front Door や Azure Application Gateway などのアプリケーション配信サービスから Microsoft Sentinel に WAF ログを送信します。攻撃を検出し、WAF テレメトリを Azure 環境全体に統合します。", - "waf": "オペレーションズ" + "text": "GatewaySubnet でルート テーブルを使用している場合は、ゲートウェイ ルートが伝達されていることを確認します。", + "waf": "確実" }, { "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "5017f154-e3ab-4369-9829-e7e316183687", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "Key Vault", + "guid": "d581a947-69a2-4783-942e-9df3664324c8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", + "service": "ExpressRoute", "severity": "高い", - "text": "Azure Key Vault を使用してシークレットと資格情報を格納する", - "waf": "安全" - }, - { - "checklist": "Azure Landing Zone Review", - "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", - "guid": "a0477a20-9945-4bda-9333-4f2491163418", - "link": 
"https://learn.microsoft.com/azure/key-vault/general/overview-throttling", - "service": "Key Vault", - "severity": "中程度", - "text": "アプリケーションやリージョンごとに異なる Azure Key Vault を使用して、トランザクションのスケール制限を回避し、シークレットへのアクセスを制限します。", - "waf": "安全" + "text": "ExpressRoute を使用する場合、オンプレミスのルーティングは動的である必要があり、接続障害が発生した場合は、回線の残りの接続に収束する必要があります。負荷は、アクティブ/パッシブもサポートされていますが、理想的にはアクティブ/アクティブとして両方の接続で共有する必要があります。", + "waf": "確実" }, { + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", + "service": "ExpressRoute", "severity": "中程度", - "text": "論理的な削除ポリシーと消去ポリシーを有効にして Azure Key Vault をプロビジョニングし、削除されたオブジェクトの保持保護を許可します。", - "waf": "安全" + "text": "ExpressRoute 回線の 2 つの物理リンクが、ネットワーク内の 2 つの異なるエッジ デバイスに接続されていることを確認します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "確実" }, { + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "dc055bcf-619e-48a1-9f98-879525d62688", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", + "service": "ExpressRoute", "severity": "中程度", - "text": "最小特権モデルに従って、キー、シークレット、証明書を完全に削除する承認を特殊なカスタム Microsoft Entra ID ロールに制限します。", - "waf": "安全" + "text": "Bidirectional Forwarding Detection(BFD)が有効で、顧客またはプロバイダーのエッジ ルーティング デバイスで設定されていることを確認します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "確実" }, { + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": 
"Azure Landing Zone Review", - "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "中程度", - "text": "公的認証局による証明書の管理と更新プロセスを自動化し、管理を容易にします。", - "waf": "安全" + "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "ExpressRoute", + "severity": "高い", + "text": "回復性を高めるために、ExpressRoute ゲートウェイを異なるピアリングの場所から 2 つ以上の回線に接続します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "確実" }, { + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "913156a1-2476-4e49-b541-acdce979377b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", + "service": "ExpressRoute", "severity": "中程度", - "text": "キーと証明書のローテーションの自動化されたプロセスを確立します。", - "waf": "安全" + "text": "ExpressRoute 仮想ネットワーク ゲートウェイの診断ログとアラートを構成します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "オペレーションズ" }, { + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "guid": "5234c93f-b651-41dd-80c1-234177b91ced", + "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", + "service": "ExpressRoute", "severity": "中程度", - "text": "コンテナーでファイアウォールと仮想ネットワーク サービス エンドポイントまたはプライベート エンドポイントを有効にして、キー コンテナーへのアクセスを制御します。", - "waf": "安全" + "text": "VNet 間通信に ExpressRoute 
回線を使用しないでください。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "パフォーマンス" }, { + "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", - "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", - "service": "Key Vault", - "severity": "中程度", - "text": "プラットフォーム中央の Azure Monitor Log Analytics ワークスペースを使用して、Key Vault の各インスタンス内のキー、証明書、シークレットの使用状況を監査します。", + "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", + "link": "https://learn.microsoft.com/azure/app-service/networking-features", + "service": "Firewall", + "severity": "高い", + "text": "Azure Firewall を使用して、インターネットへの Azure 送信トラフィック、HTTP/S 以外の受信接続、East/West トラフィック フィルター処理 (組織で必要な場合) を管理します", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "安全" }, { "checklist": "Azure Landing Zone Review", - "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", + "service": "Firewall", "severity": "中程度", - "text": "Key Vault のインスタンス化と特権アクセスを委任し、Azure Policy を使用して一貫性のある準拠構成を適用します。", + "text": "グローバル ネットワーク環境全体のセキュリティ体制を管理するグローバル Azure Firewall ポリシーを作成し、それをすべての Azure Firewall インスタンスに割り当てます。Azure のロールベースのアクセス制御を介して増分ファイアウォール ポリシーをローカルのセキュリティ チームに委任することで、特定のリージョンの要件を満たすきめ細かなポリシーが可能になります。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "安全" }, { "checklist": "Azure Landing Zone Review", - "guid": "91163418-2ba5-4275-8694-4008be7d7e48", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "中程度", - "text": "Azure Key Vault は、アプリケーションごと、環境ごと、リージョンごとに使用します。", + "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", + 
"link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", + "service": "Firewall", + "severity": "低い", + "text": "組織がそのようなソリューションを使用してアウトバウンド接続を保護する場合は、Firewall Manager 内でサポートされているパートナーの SaaS セキュリティ プロバイダーを構成します。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "安全" }, { + "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "25d62688-6d70-4ba6-a97b-e99519048384", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "中程度", - "text": "独自のキーを持ち込む場合、これは考慮されているすべてのサービスでサポートされていない可能性があります。不整合が望ましい結果を妨げないように、関連する軽減策を実装します。待機時間を最小限に抑える適切なリージョン ペアとディザスター リカバリー リージョンを選択します。", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", + "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", + "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", + "service": "Firewall", + "severity": "高い", + "text": "FQDN ベースのネットワーク ルールと DNS プロキシを備えた Azure Firewall を使用して、アプリケーション ルールでサポートされていないプロトコルを介してインターネットへのエグレス トラフィックをフィルター処理します。", "waf": "安全" }, { + "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", - "link": "https://learn.microsoft.com/industry/sovereignty/key-management", - "service": "Key Vault", - "severity": "中程度", - "text": "ソブリン ランディング ゾーンの場合は、Azure Key Vault マネージド HSM を使用してシークレットと資格情報を格納します。", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", + "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", + "link": "https://learn.microsoft.com/azure/firewall/premium-features", + "service": "Firewall", + "severity": "高い", + "text": "Azure Firewall Premium を使用して、セキュリティと保護を強化します。", "waf": "安全" }, { + "ammp": true, "checklist": "Azure Landing Zone 
Review", - "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", - "service": "Entra", - "severity": "中程度", - "text": "Microsoft Entra ID レポート機能を使用して、アクセス制御監査レポートを生成します。", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", + "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", + "link": "https://learn.microsoft.com/azure/firewall/premium-features", + "service": "Firewall", + "severity": "高い", + "text": "保護を強化するために、Azure Firewall 脅威インテリジェンス モードを [アラート] と [拒否] に構成します。", "waf": "安全" }, { "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "09945bda-4333-44f2-9911-634182ba5275", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", - "service": "Defender", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", + "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", + "service": "Firewall", "severity": "高い", - "text": "すべてのサブスクリプションに対して Defender Cloud Security Posture Management を有効にします。", + "text": "保護を強化するために、Azure Firewall IDPS モードを [拒否] に構成します。", "waf": "安全" }, { "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", - "service": "Defender", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 
'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", + "guid": "a3784907-9836-4271-aafc-93535f8ec08b", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "service": "Firewall", "severity": "高い", - "text": "すべてのサブスクリプションでサーバーに対して Defender Cloud ワークロード保護プランを有効にします。", + "text": "Virtual WAN に接続されていない VNet 内のサブネットの場合は、インターネット トラフィックが Azure Firewall またはネットワーク仮想アプライアンスにリダイレクトされるようにルート テーブルをアタッチします", "waf": "安全" }, { "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", - "service": "Defender", - "severity": "高い", - "text": "すべてのサブスクリプションで Azure リソースの Defender Cloud Workload Protection プランを有効にします。", - "waf": "安全" + "guid": "715d833d-4708-4527-90ac-1b142c7045ba", + "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", + "service": "Firewall", + "severity": "中程度", + "text": "すべての Azure Firewall デプロイのログを保存するための診断設定を、リソース固有の宛先テーブルに追加します。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "オペレーションズ" }, { "ammp": true, 
"checklist": "Azure Landing Zone Review", - "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", - "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", - "service": "VM", - "severity": "高い", - "text": "IaaS サーバーで Endpoint Protection を有効にします。", - "waf": "安全" + "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", + "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", + "service": "Firewall", + "severity": "大事な", + "text": "Azure Firewall クラシック規則 (存在する場合) からファイアウォール ポリシーに移行します。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "オペレーションズ" }, { + "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", - "link": "https://learn.microsoft.com/azure/security-center/", - "service": "VM", - "severity": "中程度", - "text": "Azure Monitor ログと Defender for Cloud を使用して、基本オペレーティング システムの修正プログラムの適用誤差を監視します。", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", + "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", + "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", + "service": "Firewall", + "severity": "高い", + "text": "Azure Firewall サブネットに /26 プレフィックスを使用します。", "waf": "安全" }, { "checklist": "Azure Landing Zone Review", - "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", + "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", + "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", + "service": "Firewall", 
"severity": "中程度", - "text": "既定のリソース構成を一元化された Azure Monitor Log Analytics ワークスペースに接続します。", - "waf": "安全" + "text": "ファイアウォール ポリシー内のルールをルール コレクション グループとルール コレクションに分類し、使用頻度に基づいて配置します", + "waf": "パフォーマンス" }, { "checklist": "Azure Landing Zone Review", - "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", - "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", - "service": "Entra", + "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", + "link": "https://learn.microsoft.com/azure/firewall/ip-groups", + "service": "Firewall", "severity": "中程度", - "text": "ソブリン ランディング ゾーンの場合、透過性ログは Entra ID テナントで有効になっています。", - "waf": "安全" + "text": "IP グループまたは IP プレフィックスを使用して、IP テーブル ルールの数を減らす", + "waf": "パフォーマンス" }, { "checklist": "Azure Landing Zone Review", - "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", - "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", - "service": "Entra", + "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", + "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", + "service": "Firewall", "severity": "中程度", - "text": "ソブリン ランディング ゾーンの場合、Entra ID テナントでカスタマー ロックボックスが有効になっています。", - "waf": "安全" + "text": "DNATS の送信元 IP としてワイルドカード (* や any など) は使用せず、受信 DNAT の送信元 IP を指定する必要があります", + "waf": "パフォーマンス" }, { - "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Storage", - "severity": "高い", - "text": "ストレージ アカウントへの安全な転送を有効にする必要がある", - "waf": "安全" + "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", + "link": "https://learn.microsoft.com/azure/nat-gateway/tutorial-hub-spoke-nat-firewall", + "service": "Firewall", + "severity": "中程度", + "text": "SNAT ポートの使用状況を監視し、NAT ゲートウェイの設定を評価し、シームレスなフェールオーバーを確保することで、SNAT ポートの枯渇を防ぎます。ポート数が制限に近づく場合は、SNAT の枯渇が差し迫っている可能性があります。", + "waf": "パフォーマンス" }, { - "ammp": true, "checklist": "Azure Landing Zone 
Review", - "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", - "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", - "service": "Storage", + "guid": "346840b8-1064-496e-8396-4b1340172d52", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", + "service": "Firewall", "severity": "高い", - "text": "ストレージ アカウントのコンテナーの論理的な削除を有効にして、削除されたコンテナーとその内容を回復します。", - "waf": "安全" + "text": "TLSインスペクションの有効化", + "waf": "パフォーマンス" }, { - "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", - "service": "Key Vault", - "severity": "高い", - "text": "Key Vault シークレットを使用して、資格情報 (仮想マシン、ユーザー パスワード)、証明書、キーなどの機密情報をハードコーディングしないようにします。", - "waf": "オペレーションズ" - }, - { - "checklist": "Azure App Service Review", - "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", - "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", - "service": "App Services", + "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", + "service": "Firewall", "severity": "低い", - "text": "ベスト プラクティスについては、「ベースラインの高可用性ゾーン冗長 Web アプリケーション アーキテクチャ」を参照してください", - "waf": "確実" + "text": "Web カテゴリを使用して、特定のトピックへの送信アクセスを許可または拒否します。", + "waf": "パフォーマンス" }, { - "checklist": "Azure App Service Review", - "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", - "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", - "service": "App Services", + "checklist": "Azure Landing Zone Review", + "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", + "link": 
"https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", + "service": "Firewall", "severity": "中程度", - "text": "Premium レベルと Standard レベルを使用します。これらの層では、ステージング スロットと自動バックアップがサポートされています。", - "waf": "確実" - }, - { - "checklist": "Azure App Service Review", - "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", - "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", - "service": "App Services", - "severity": "高い", - "text": "リージョンで適用可能な場合は Availability Zones を活用します (Premium v2 または v3 レベルが必要)", - "waf": "確実" + "text": "TLS 検査の一環として、検査のために Azure App Gateway からトラフィックを受信することを計画します。", + "waf": "パフォーマンス" }, { - "checklist": "Azure App Service Review", - "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "checklist": "Azure Landing Zone Review", + "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", + "link": "https://learn.microsoft.com/azure/firewall/dns-details", + "service": "Firewall", "severity": "中程度", - "text": "ヘルスチェックの実装", - "waf": "確実" + "text": "Azure Firewall DNS プロキシ構成を有効にする", + "waf": "安全" }, { - "checklist": "Azure App Service Review", - "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", - "service": "App Services", - "severity": "高い", - "text": "「Azure App Service のバックアップと復元のベスト プラクティス」を参照してください", - "waf": "確実" + "checklist": "Azure Landing Zone Review", + "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", + "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", + "service": "Firewall", + "severity": "中程度", + "text": "仮想マシンに直接関連付けられているパブリック IP アドレスを拒否するポリシーの割り当てがあることを確認します", + "waf": "安全" }, { - "checklist": "Azure App Service Review", - "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", - "link": 
"https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", - "service": "App Services", - "severity": "高い", - "text": "Azure App Service の信頼性に関するベスト プラクティスを実装する", - "waf": "確実" + "checklist": "Azure Landing Zone Review", + "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", + "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", + "service": "Firewall", + "severity": "低い", + "text": "Azure Firewall を Azure Monitor と統合し、診断ログを有効にして、ファイアウォール ログを格納および分析します。", + "waf": "オペレーションズ" }, { - "checklist": "Azure App Service Review", - "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", - "service": "App Services", + "checklist": "Azure Landing Zone Review", + "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", + "service": "Firewall", "severity": "低い", - "text": "災害時に App Service アプリを別のリージョンに移動する方法を理解する", - "waf": "確実" + "text": "ファイアウォールルールのバックアップを実装する", + "waf": "オペレーションズ" }, { - "checklist": "Azure App Service Review", - "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", - "service": "App Services", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "App Gateway", "severity": "高い", - "text": "Azure App Service の信頼性サポートについて理解する", - "waf": "確実" + "text": "仮想ネットワークに挿入された Azure PaaS サービスのコントロール プレーン通信が、たとえば、コントロール プレーンのトラフィックをブロックする 0.0.0.0/0 ルートや NSG ルールによって切断されていないことを確認します。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "安全" }, { - "checklist": "Azure App Service Review", - "guid": 
"c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "App Services", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", + "link": "https://learn.microsoft.com/azure/app-service/networking-features", + "service": "ExpressRoute", "severity": "中程度", - "text": "App Service プランで実行されている Function Apps に対して \"Always On\" が有効になっていることを確認する", - "waf": "確実" + "text": "オンプレミスからプライベート エンドポイントと ExpressRoute プライベート ピアリングを介して Azure PaaS サービスにアクセスします。この方法では、パブリック インターネット経由のトランジットが回避されます。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "安全" }, { - "checklist": "Azure App Service Review", - "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", + "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", + "link": "https://learn.microsoft.com/azure/app-service/networking-features", + "service": "VNet", "severity": "中程度", - "text": "正常性チェックを使用した App Service インスタンスの監視", - "waf": "確実" + "text": "すべてのサブネットで仮想ネットワーク サービス エンドポイントを既定で有効にしないでください。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "安全" }, { - "checklist": "Azure App Service Review", - "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", - "link": 
"https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", - "service": "App Services", + "checklist": "Azure Landing Zone Review", + "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", + "link": "https://learn.microsoft.com/azure/app-service/networking-features", + "service": "Firewall", "severity": "中程度", - "text": "Application Insights の可用性テストを使用して Web アプリまたは Web サイトの可用性と応答性を監視する", - "waf": "確実" + "text": "Azure Firewall または NVA の IP アドレスの代わりに FQDN を使用して Azure PaaS サービスへのエグレス トラフィックをフィルター処理し、データ流出を防ぎます。Private Link を使用している場合は、すべての FQDN をブロックし、それ以外の場合は必要な PaaS サービスのみを許可できます。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "安全" }, { - "checklist": "Azure App Service Review", - "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", - "service": "App Services", - "severity": "低い", - "text": "Application Insights Standard テストを使用して、Web アプリまたは Web サイトの可用性と応答性を監視する", - "waf": "確実" + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", + "service": "ExpressRoute", + "severity": "高い", + "text": "Gateway サブネットに少なくとも /27 プレフィックスを使用する", + "waf": "安全" }, { - "checklist": "Azure App Service Review", - "description": "Azure Key Vault を使用して、アプリケーションに必要なシークレットを格納します。 Key Vault 
は、シークレットを格納するための安全で監査された環境を提供し、Key Vault SDK または App Service Key Vault リファレンスを通じて App Service と適切に統合されています。", - "guid": "834ac932-223e-4ce8-8b12-3071a5416415", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", - "severity": "高い", - "text": "Key Vault を使用してシークレットを格納する", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", + "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", + "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", + "service": "NSG", + "severity": "中程度", + "text": "接続を制限するために、VirtualNetwork サービス タグを使用する NSG 受信の既定の規則に依存しないでください。", "waf": "安全" }, { - "checklist": "Azure App Service Review", - "description": "マネージド ID を使用して、Key Vault SDK または App Service Key Vault 参照を使用して Key Vault に接続します。", - "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", - "severity": "高い", - "text": "マネージド ID を使用して Key 
Vault に接続する", + "checklist": "Azure Landing Zone Review", + "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", + "service": "NSG", + "severity": "中程度", + "text": "NSG を使用して、サブネット間のトラフィックと、プラットフォーム全体の East/West トラフィック (ランディング ゾーン間のトラフィック) を保護します。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", "waf": "安全" }, { - "checklist": "Azure App Service Review", - "description": "App Service TLS 証明書を Key Vault に格納します。", - "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", - "service": "App Services", - "severity": "高い", - "text": "Key Vault を使用して TLS 証明書を格納します。", + "checklist": "Azure Landing Zone Review", + "graph": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)", + "guid": "9c2299c4-d7b5-47d0-a655-562f2b3e4563", + "service": "NSG", + "severity": "中程度", + "text": "アプリケーション チームは、サブネット レベルの NSG でアプリケーション セキュリティ グループを使用して、ランディング ゾーン内の多層 VM を保護する必要があります。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", "waf": "安全" }, { - "checklist": "Azure App Service Review", - "description": "機密情報を処理するシステムは分離する必要があります。 そのためには、個別の App Service プランまたは App Service Environment を使用し、異なるサブスクリプションまたは管理グループの使用を検討してください。", - "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", - "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", - "service": "App Services", + "checklist": "Azure Landing Zone Review", + "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", + 
"link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "NSG", "severity": "中程度", - "text": "機密情報を処理するシステムを分離する", + "text": "NSG とアプリケーション セキュリティ グループを使用して、ランディング ゾーン内のトラフィックを細かくセグメント化し、中央の NVA を使用してトラフィック フローをフィルター処理しないようにします。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", "waf": "安全" }, { - "checklist": "Azure App Service Review", - "description": "App Service のローカル ディスクは暗号化されていないため、機密データを格納しないでください。 (例: D:\\\\Local and %TMP%)。", - "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", - "service": "App Services", + "checklist": "Azure Landing Zone Review", + "guid": "dfe237de-143b-416c-91d7-aa9b64704489", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "NSG", "severity": "中程度", - "text": "機密データをローカルディスクに保存しない", + "text": "VNet フロー ログを有効にして Traffic Analytics にフィードし、内部および外部のトラフィック フローに関する分析情報を取得します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", "waf": "安全" }, { - "checklist": "Azure App Service Review", - "description": "認証された Web アプリケーションの場合は、Azure AD や Azure AD B2C などの確立された ID プロバイダーを使用します。 選択したアプリケーション フレームワークを利用して、このプロバイダーと統合するか、App Service の認証/承認機能を使用します。", - "guid": "919ca0b2-c121-459e-814b-933df574eccc", - "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", - "service": "App Services", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", + "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "NSG", "severity": "中程度", - 
"text": "認証に確立された ID プロバイダーを使用する", - "waf": "安全" + "text": "NSG あたりの NSG ルールの制限 (1000) を検討します。", + "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "waf": "確実" }, { - "checklist": "Azure App Service Review", - "description": "適切に管理され、セキュリティで保護された DevOps デプロイ パイプラインなど、制御された信頼できる環境から App Service にコードをデプロイします。これにより、バージョン管理されておらず、悪意のあるホストからデプロイされることが確認されていないコードが回避されます。", - "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", - "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", - "service": "App Services", - "severity": "高い", - "text": "信頼できる環境からのデプロイ", - "waf": "安全" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", + "service": "VWAN", + "severity": "中程度", + "text": "Azure ネットワーク管理を簡素化するために Virtual WAN を検討し、Virtual WAN ルーティング設計の一覧にシナリオが明示的に記述されていることを確認します", + "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", + "waf": "オペレーションズ" }, { - "checklist": "Azure App Service Review", - "description": "FTP/FTPS と WebDeploy/SCM の両方の基本認証を無効にします。 これにより、これらのサービスへのアクセスが無効になり、デプロイに Azure AD で保護されたエンドポイントの使用が強制されます。 SCM サイトは、Azure AD 資格情報を使用して開くこともできます。", - "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", - "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", - "service": "App Services", - "severity": "高い", - "text": "基本認証の無効化", - "waf": "安全" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "VWAN", + "severity": "中程度", + "text": "Azure リージョンごとに Virtual WAN ハブを使用して、共通のグローバル Azure Virtual WAN を介して Azure リージョン間で複数のランディング ゾーンを接続します。", + "waf": "パフォーマンス" }, { - 
"checklist": "Azure App Service Review", - "description": "可能な場合は、マネージド ID を使用して Azure AD のセキュリティで保護されたリソースに接続します。 これが不可能な場合は、Key Vault にシークレットを格納し、代わりにマネージド ID を使用して Key Vault に接続します。", - "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", - "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", - "service": "App Services", - "severity": "高い", - "text": "マネージド ID を使用してリソースに接続する", - "waf": "安全" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "VWAN", + "severity": "低い", + "text": "\"Azure のトラフィックは Azure にとどまる\" という原則に従って、Azure のリソース間の通信が Microsoft バックボーン ネットワーク経由で行われるようにします", + "waf": "パフォーマンス" }, { - "checklist": "Azure App Service Review", - "description": "Azure Container Registry に格納されているイメージを使用する場合は、マネージド ID を使用してこれらをプルします。", - "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", - "service": "App Services", - "severity": "高い", - "text": "マネージド ID を使用してコンテナーをプルするPull containers using a Managed Identity", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", + "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "VWAN", + "severity": "中程度", + "text": "送信インターネット トラフィックの保護とフィルター処理を行うには、セキュリティで保護されたハブに Azure Firewall をデプロイします", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "安全" }, { - "checklist": "Azure App Service Review", - "description": "App Service 
の診断設定を構成することで、ログ記録と監視の中央の宛先として、すべてのテレメトリを Log Analytics に送信できます。これにより、HTTP ログ、アプリケーション ログ、プラットフォーム ログなどの App Service のランタイム アクティビティを監視できます。", - "guid": "47768314-c115-4775-a2ea-55b46ad48408", - "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", - "service": "App Services", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "VWAN", "severity": "中程度", - "text": "App Service ランタイム ログを Log Analytics に送信する", - "waf": "安全" + "text": "ネットワーク アーキテクチャが Azure Virtual WAN の制限内にあることを確認します。", + "waf": "確実" }, { - "checklist": "Azure App Service Review", - "description": "ログ記録と監視の中央の宛先としてアクティビティ ログを Log Analytics に送信するための診断設定を設定します。これにより、App Service リソース自体のコントロール プレーンのアクティビティを監視できます。", - "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", - "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", - "service": "App Services", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", + "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", + "service": "VWAN", "severity": "中程度", - "text": "App Service アクティビティ ログを Log Analytics に送信する", - "waf": "安全" + "text": "Azure Monitor Insights for Virtual WAN を使用して、Virtual WAN のエンドツーエンドのトポロジ、状態、主要なメトリックを監視します。", + "waf": "オペレーションズ" }, { - "checklist": "Azure App Service Review", - "description": "リージョンの VNet 統合、ネットワーク セキュリティ グループ、および UDR の組み合わせを使用して、送信ネットワーク アクセスを制御します。 トラフィックは、Azure Firewall などの NVA にルーティングする必要があります。 ファイアウォールのログを必ず監視してください。", - "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", - "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", - "service": "App Services", + "arm-service": "microsoft.network/virtualWans", + 
"checklist": "Azure Landing Zone Review", + "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", + "service": "VWAN", "severity": "中程度", - "text": "送信ネットワーク アクセスを制御する必要がある", - "waf": "安全" + "text": "IaC デプロイで、これらのフローを明示的にブロックする必要がない限り、Virtual WAN のブランチ間トラフィックが無効にならないようにしてください。", + "waf": "確実" }, { - "checklist": "Azure App Service Review", - "description": "VNet 統合を使用し、VNet NAT ゲートウェイまたは Azure Firewall などの NVA を使用することで、安定した送信 IP を提供できます。 これにより、受信側は必要に応じて IP に基づいて許可リストに登録できます。 多くの場合、Azure サービスへの通信では、IP アドレスに依存する必要はなく、代わりにサービス エンドポイントなどのメカニズムを使用する必要があります。 (また、受信側でプライベート エンドポイントを使用すると、SNAT の発生が回避され、安定した送信 IP 範囲が提供されます)。", - "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", - "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", - "service": "App Services", - "severity": "低い", - "text": "インターネットアドレスへの送信通信のIPを安定させる", - "waf": "安全" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", + "service": "VWAN", + "severity": "中程度", + "text": "AS-Path は ExpressRoute や VPN よりも柔軟性が高いため、ハブ ルーティングの基本設定として使用します。", + "waf": "確実" }, { - "checklist": "Azure App Service Review", - "description": "App Service のアクセス制限、サービス エンドポイント、またはプライベート エンドポイントの組み合わせを使用して、受信ネットワーク アクセスを制御します。Web アプリ自体と SCM サイトに対して異なるアクセス制限を要求し、構成できます。", - "guid": "0725769e-e669-41a4-a34a-c932223ece80", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", - "severity": "高い", - "text": "受信ネットワーク アクセスを制御する必要がある", - "waf": "安全" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", + "link": 
"https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", + "service": "VWAN", + "severity": "中程度", + "text": "IaC デプロイで Virtual WAN でラベルベースの伝達が構成されていることを確認すると、仮想ハブ間の接続が損なわれます。", + "waf": "確実" }, { - "checklist": "Azure App Service Review", - "description": "Application Gateway や Azure Front Door などの Web アプリケーション ファイアウォールを使用して、悪意のある受信トラフィックから保護します。 WAFのログを必ず監視してください。", - "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", - "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", - "service": "App Services", + "ammp": true, + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "9c75dfef-573c-461c-a698-68598595581a", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", + "service": "VWAN", "severity": "高い", - "text": "App Service の前で WAF を使用するUse a WAF in Front of App Service", - "waf": "安全" + "text": "仮想ハブに十分な IP 空間 (理想的には /23 プレフィックス) を割り当てます。", + "waf": "確実" }, { - "checklist": "Azure App Service Review", - "description": "WAFのみへのアクセスをロックダウンすることで、WAFをバイパスできないようにします。 アクセス制限、サービス・エンドポイントおよびプライベート・エンドポイントを組み合わせて使用します。", - "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "高い", - "text": "WAFをバイパスすることは避けてください", + "text": "Azure Policy を戦略的に活用し、環境の制御を定義し、ポリシー イニシアチブを使用して関連するポリシーをグループ化します。", "waf": "安全" }, { - "checklist": "Azure App Service Review", - "description": "App Service の構成で最小 TLS ポリシーを 1.2 に設定します。", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = 
(properties.MinTlsVersion>=1.2) | distinct id,compliant", - "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", - "service": "App Services", + "checklist": "Azure Landing Zone Review", + "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "中程度", - "text": "最小 TLS ポリシーを 1.2 に設定します。", + "text": "規制とコンプライアンスの要件を Azure Policy の定義と Azure ロールの割り当てにマップします。", "waf": "安全" }, { - "checklist": "Azure App Service Review", - "description": "HTTPS のみを使用するように App Service を構成します。 これにより、App Service は HTTP から HTTPS にリダイレクトされます。 HTTP Strict Transport Security (HSTS) をコード内または WAF から使用して、サイトに HTTPS を使用してのみアクセスする必要があることをブラウザーに通知することを強く検討してください。", - "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", - "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", - "service": "App Services", - "severity": "高い", - "text": "HTTPS のみを使用", + "checklist": "Azure Landing Zone Review", + "guid": "223ace8c-b123-408c-a501-7f154e3ab369", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "中程度", + "text": "中間ルート管理グループで Azure Policy 定義を確立し、継承されたスコープで割り当てられるようにする", "waf": "安全" }, { - "checklist": "Azure App Service Review", - "description": "CORS 構成では、すべての配信元がサービスにアクセスできるため、ワイルドカードを使用しないでください (これにより、CORS の目的が損なわれます)。具体的には、サービスにアクセスできると予想される配信元のみを許可します。", - "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", - "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", - "service": "App Services", - "severity": "高い", - "text": "ワイルドカードは CORS に使用しないでください", + "checklist": "Azure Landing Zone Review", + "guid": 
"3829e7e3-1618-4368-9a04-77a209945bda", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "中程度", + "text": "必要に応じて、ポリシーの割り当てを最下位レベルで管理し、最下位レベルで除外します。", "waf": "安全" }, { - "checklist": "Azure App Service Review", - "description": "リモート デバッグは、サービスに追加のポートが開き、攻撃対象領域が増加するため、運用環境でオンにしないでください。このサービスは、48 時間後に自動的にリモート デバッグをオフにすることに注意してください。", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", - "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", - "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", - "service": "App Services", - "severity": "高い", - "text": "リモートデバッグをオフにする", + "checklist": "Azure Landing Zone Review", + "guid": "43334f24-9116-4341-a2ba-527526944008", + "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", + "service": "Policy", + "severity": "低い", + "text": "Azure Policy を使用して、ユーザーがサブスクリプション/管理グループ レベルでプロビジョニングできるサービスを制御する", "waf": "安全" }, { - "checklist": "Azure App Service Review", - "description": "Defender for App Service を有効にします。 これは(他の脅威の中でも)既知の悪意のあるIPアドレスへの通信を検出します。 操作の一環として、Defender for App Service からの推奨事項を確認します。", - "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", - "service": "App Services", + "checklist": "Azure Landing Zone Review", + "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "中程度", - "text": "Defender for Cloud を有効にする - Defender for App Service", + "text": "可能な場合は組み込みのポリシーを使用して、運用上のオーバーヘッドを最小限に抑えます。", "waf": "安全" }, { - "checklist": "Azure App Service Review", - "description": "Azure は、ネットワーク上で DDoS Basic 保護を提供しており、通常のトラフィック 
パターンを学習し、異常な動作を検出できるインテリジェントな DDoS Standard 機能によって改善できます。DDoS Standard は仮想ネットワークに適用されるため、Application Gateway や NVA など、アプリの前にあるネットワーク リソース用に構成する必要があります。", - "guid": "223ece80-b123-4071-a541-6415833ea3ad", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "App Services", + "checklist": "Azure Landing Zone Review", + "description": "リソース ポリシー共同作成者ロールを特定のスコープに割り当てると、ポリシー管理を関連するチームに委任できます。たとえば、中央の IT チームが管理グループ レベルのポリシーを監督し、アプリケーション チームがサブスクリプションのポリシーを処理することで、組織の標準に準拠した分散ガバナンスが可能になります。", + "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", + "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", + "service": "Policy", "severity": "中程度", - "text": "WAF VNet で DDoS Protection Standard を有効にするEnable DDOS Protection Standard on the WAF VNet", + "text": "組み込みのリソース ポリシー共同作成者ロールを特定のスコープで割り当てて、アプリケーション レベルのガバナンスを有効にします。", "waf": "安全" }, { - "checklist": "Azure App Service Review", - "description": "Azure Container Registry に格納されているイメージを使用する場合は、プライベート エンドポイントとアプリ設定 \"WEBSITE_PULL_IMAGE_OVER_VNET\" を使用して、Azure Container Registry から仮想ネットワーク経由でイメージをプルします。", - "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", - "service": "App Services", + "checklist": "Azure Landing Zone Review", + "guid": "19048384-5c98-46cb-8913-156a12476e49", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "中程度", - "text": "Virtual Network 経由でコンテナーをプルする", + "text": "ルート管理グループのスコープで行われる Azure Policy 割り当ての数を制限して、継承されたスコープでの除外による管理を回避します。", "waf": "安全" }, { - "checklist": "Azure App Service Review", - "description": "ペネトレーションテストのルールに従って、Webアプリケーションでペネトレーションテストを実施します。", - "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", - "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", - "service": "App Services", 
+ "checklist": "Azure Landing Zone Review", + "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", + "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", + "service": "Policy", "severity": "中程度", - "text": "ペネトレーションテストの実施", + "text": "データ主権の要件が存在する場合は、Azure ポリシーをデプロイして適用できます", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", "waf": "安全" }, { - "checklist": "Azure App Service Review", - "description": "DevSecOps プラクティスに従って脆弱性が検証およびスキャンされた信頼できるコードをデプロイします。", - "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", - "service": "App Services", + "checklist": "Azure Landing Zone Review", + "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", + "service": "Policy", "severity": "中程度", - "text": "検証済みコードのデプロイ", + "text": "ソブリン・ランディング・ゾーンの場合、主権ポリシー・ベースラインのポリシー・イニシアチブがデプロイされ、正しいMGレベルで割り当てられます。", "waf": "安全" }, { - "checklist": "Azure App Service Review", - "description": "サポートされているプラットフォーム、プログラミング言語、プロトコル、およびフレームワークの最新バージョンを使用します。", - "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", - "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", - "service": "App Services", - "severity": "高い", - "text": "最新のプラットフォーム、言語、プロトコル、フレームワークを使用", + "checklist": "Azure Landing Zone Review", + "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", + "service": "Policy", + "severity": "中程度", + "text": "ソブリン・ランディング・ゾーンについては、ソブリン制御の目標とポリシー・マッピングが文書化されています。", "waf": "安全" }, { - "checklist": "Azure Spring Apps Review", - "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", - "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", - "service": "Spring 
Apps", + "checklist": "Azure Landing Zone Review", + "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", + "service": "Policy", "severity": "中程度", - "text": "Azure Spring Apps では、アプリごとに 2 つのデプロイが許可され、そのうちの 1 つだけが運用トラフィックを受信します。ブルーグリーンデプロイ戦略により、ダウンタイムをゼロにすることができます。ブルー グリーン デプロイは、Standard レベルと Enterprise レベルでのみ使用できます。CI/CD と ADO/GitHub Actions を使用してデプロイを自動化できます", - "waf": "確実" + "text": "ソブリン ランディング ゾーンでは、\"ソブリン制御の目標からポリシー マッピング\" の CRUD のプロセスが導入されています。", + "waf": "安全" }, { - "checklist": "Azure Spring Apps Review", - "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", - "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", - "service": "Spring Apps", + "checklist": "Azure Landing Zone Review", + "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "severity": "中程度", - "text": "Azure Spring Apps インスタンスは、アプリケーション用に複数のリージョンに作成でき、トラフィックは Traffic Manager/Front Door によってルーティングできます。", - "waf": "確実" + "text": "Azure ロールベースのアクセス制御 (Azure RBAC)、データ主権要件、またはデータ保持ポリシーで個別のワークスペースが義務付けられている場合を除き、1 つのモニター ログ ワークスペースを使用してプラットフォームを一元的に管理します。", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "waf": "オペレーションズ" }, { - "checklist": "Azure Spring Apps Review", - "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", - "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", - "service": "Spring Apps", + "checklist": "Azure Landing Zone Review", + "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Monitor", "severity": "中程度", - "text": "サポートされているリージョンでは、Azure Spring Apps をゾーン冗長としてデプロイできるため、インスタンスは可用性ゾーン間で自動的に分散されます。この機能は、Standard レベルと Enterprise レベルでのみ使用できます。", - "waf": "確実" + "text": "ログの保持要件が 12 年を超える場合は、ログを 
Azure Storage にエクスポートします。不変ストレージと write-once、read-many ポリシーを使用して、ユーザーが指定した間隔でデータを消去および変更できないようにします。", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "オペレーションズ" }, { - "checklist": "Azure Spring Apps Review", - "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", - "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", - "service": "Spring Apps", + "checklist": "Azure Landing Zone Review", + "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", + "service": "VM", "severity": "中程度", - "text": "アプリに複数のアプリ インスタンスを使用する", - "waf": "確実" + "text": "Azure Policy を使用して OS レベルの仮想マシン (VM) 構成のずれを監視します。ポリシーを使用して Azure Automanage Machine Configuration 監査機能を有効にすると、アプリケーション チームのワークロードは、わずかな労力で機能をすぐに使用できます。", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "オペレーションズ" }, { - "checklist": "Azure Spring Apps Review", - "guid": "7504c230-6035-4183-95a5-85762acc6075", - "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", - "service": "Spring Apps", + "checklist": "Azure Landing Zone Review", + "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", + "service": "VM", "severity": "中程度", - "text": "Azure Spring Apps をログ、メトリック、トレースで監視します。ASA を Application Insights と統合し、障害を追跡し、ブックを作成します。", - "waf": "確実" + "text": "Azure Update Manager を、Azure の Windows および Linux VM の修正プログラムの適用メカニズムとして使用します。", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "オペレーションズ" }, { - "checklist": "Azure Spring Apps Review", - "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", - "link": 
"https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", - "service": "Spring Apps", + "checklist": "Azure Landing Zone Review", + "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", + "service": "VM", "severity": "中程度", - "text": "Spring Cloud Gateway で自動スケーリングを設定する", - "waf": "確実" - }, - { - "checklist": "Azure Spring Apps Review", - "guid": "97411607-b6fd-4335-99d1-9885faf4e392", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", - "service": "Spring Apps", - "severity": "低い", - "text": "Standard 従量課金プランと専用プランのアプリの自動スケーリングを有効にします。", - "waf": "確実" + "text": "Azure Arc を使用して、Azure の外部にある Windows および Linux VM の修正プログラムの適用メカニズムとして Azure Update Manager を使用します。", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "オペレーションズ" }, { - "checklist": "Azure Spring Apps Review", - "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", - "link": "https://learn.microsoft.com/azure/spring-apps/overview", - "service": "Spring Apps", + "checklist": "Azure Landing Zone Review", + "guid": "90483845-c986-4cb2-a131-56a12476e49f", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Network Watcher", "severity": "中程度", - "text": "ミッション クリティカルなアプリの Spring Boot の商用サポートには、Enterprise プランを使用します。他のレベルでは、OSS のサポートを受けることができます。", - "waf": "確実" - }, - { - "checklist": "IoT Hub Review", - "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", - "service": "IoT", - "severity": "高い", - "text": "Availability Zones (リージョンで適用可能な場合) を活用する (これは自動的に有効になります)", - "waf": "確実" + "text": "Network Watcher を使用してトラフィック フローをプロアクティブに監視する", + "training": 
"https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "オペレーションズ" }, { - "checklist": "IoT Hub Review", - "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", + "checklist": "Azure Landing Zone Review", + "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Monitor", "severity": "中程度", - "text": "Microsoft が開始するフェールオーバーに注意してください。これらは、まれに、影響を受けるリージョンから対応する geo ペア リージョンにすべての IoT ハブをフェールオーバーするために Microsoft によって実行されます。", - "waf": "確実" - }, - { - "checklist": "IoT Hub Review", - "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", - "service": "IoT", - "severity": "高い", - "text": "重要なワークロードに対するリージョン間 DR 戦略を検討する", - "waf": "確実" - }, - { - "checklist": "IoT Hub Review", - "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", - "severity": "高い", - "text": "手動フェールオーバーをトリガーする方法を学習します。", - "waf": "確実" + "text": "分析情報とレポートには Azure Monitor ログを使用します。", + "waf": "オペレーションズ" }, { - "checklist": "IoT Hub Review", - "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", - "service": "IoT", - "severity": "高い", - "text": "フェールオーバー後にフェールバックする方法を学習します。", - "waf": "確実" + "checklist": "Azure Landing Zone Review", + "guid": "97be9951-9048-4384-9c98-6cb2913156a1", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", + "service": "Monitor", + "severity": "中程度", + "text": "運用アラートの生成には、Azure Monitor アラートを使用します。", + "waf": "オペレーションズ" }, { - "checklist": "Identity Review Checklist", - "guid": 
"bb235c70-5e17-496f-bedf-a8a4c8cdec4c", - "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", - "service": "Entra", + "checklist": "Azure Landing Zone Review", + "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "Monitor", "severity": "中程度", - "text": "有効期間の長い取り消し可能なトークンを使用し、トークンをキャッシュし、Microsoft ID ライブラリを使用してサイレントに取得します", - "waf": "確実" + "text": "Azure Automation アカウントを介して変更とインベントリの追跡を使用する場合は、Log Analytics ワークスペースと Automation アカウントをリンクするためにサポートされているリージョンを選択していることを確認してください。", + "waf": "オペレーションズ" }, { - "checklist": "Identity Review Checklist", - "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", - "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", - "service": "AAD B2C", + "checklist": "Azure Landing Zone Review", + "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Backup", "severity": "中程度", - "text": "サインイン ユーザー フローがバックアップされ、回復性があることを確認します。ユーザーのサインインに使用するコードがバックアップされ、回復可能であることを確認します。外部プロセスとの回復力のあるインターフェース", + "text": "Azure Backup を使用する場合は、既定の設定が GRS であるため、さまざまなバックアップの種類 (GRS、ZRS、LRS) を考慮してください", "waf": "確実" }, { - "checklist": "Identity Review Checklist", - "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", - "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", - "service": "AAD B2C", + "checklist": "Azure Landing Zone Review", + "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "VM", "severity": "中程度", - "text": "カスタムブランドアセットはCDNでホストする必要がある", - "waf": "パフォーマンス" + "text": "Azure ポリシーを使用して、VM 拡張機能を通じてソフトウェア構成を自動的にデプロイし、準拠したベースライン VM 構成を適用します。", + "waf": "安全" }, { - "checklist": "Identity Review Checklist", - "guid": 
"5398e6df-d237-4de1-93b1-6c21d79a9b64", - "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", - "service": "AAD B2C", - "severity": "低い", - "text": "複数のIDプロバイダーを持っている(つまり、Microsoft、Google、Facebookアカウントでログインする)", - "waf": "確実" + "checklist": "Azure Landing Zone Review", + "description": "Azure Policy のゲスト構成機能では、マシンの設定 (OS、アプリケーション、環境など) を監査して修復し、リソースが想定される構成と一致していることを確認できます。", + "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "VM", + "severity": "中程度", + "text": "VM のセキュリティ構成のドリフトを Azure Policy で監視します。", + "waf": "安全" }, { - "checklist": "Identity Review Checklist", - "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "checklist": "Azure Landing Zone Review", + "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "VM", "severity": "中程度", - "text": "VM レベルでの高可用性に関する VM ルールに従う (Premium ディスク、リージョン内の 2 つ以上、異なる可用性ゾーン内)", - "waf": "確実" + "text": "Azure から Azure Virtual Machines へのディザスター リカバリー シナリオには、Azure Site Recovery を使用します。これにより、リージョン間でワークロードをレプリケートできます。", + "waf": "オペレーションズ" }, { - "checklist": "Identity Review Checklist", - "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "checklist": "Azure Landing Zone Review", + "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "Backup", "severity": "中程度", - "text": "複製しないでください!レプリケーションにより、ディレクトリ同期に関する問題が発生する可能性があります", - "waf": "確実" + "text": "Azure 
ネイティブのバックアップ機能、または Azure 互換のサード パーティのバックアップ ソリューションを使用します。", + "waf": "オペレーションズ" }, { - "checklist": "Identity Review Checklist", - "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", - "severity": "中程度", - "text": "マルチリージョンのアクティブ/アクティブを持つ", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "826c5c45-bb79-4951-a812-e3bfbfd7326b", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "VM", + "severity": "高い", + "text": "Availability Zones は、サポートされているリージョンの VM に活用します。", "waf": "確実" }, { - "checklist": "Identity Review Checklist", - "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", - "severity": "中程度", - "text": "Azure AD Domain Service スタンプを追加のリージョンと場所に追加する", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "7ccb7c06-5511-42df-8177-d97f08d0337d", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "VM", + "severity": "高い", + "text": "運用ワークロードを 1 つの VM で実行することは避けてください。", "waf": "確実" }, { - "checklist": "Identity Review Checklist", - "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", + "checklist": "Azure Landing Zone Review", + "guid": "84101f59-1941-4195-a270-e28034290e3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", "severity": "中程度", - "text": "DR にレプリカ セットを使用する", + "text": "Azure Load Balancer と Application Gateway は、受信ネットワーク トラフィックを複数のリソースに分散します。", "waf": "確実" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", - "service": "AVS", + 
"ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "WAF", "severity": "高い", - "text": "ADDS ドメイン コントローラーがネイティブ Azure の ID サブスクリプションにデプロイされていることを確認する", - "waf": "安全" + "text": "診断設定を追加して、Azure Front Door や Azure Application Gateway などのアプリケーション配信サービスから WAF ログを保存します。ログを定期的に確認して、攻撃や誤検知がないか確認します。", + "waf": "オペレーションズ" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "75089c20-990d-4927-b105-885576f76fc2", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "7f408960-c626-44cb-a018-347c8d790cdf", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "WAF", "severity": "中程度", - "text": "Azure ベースのリソース (Azure VMware Solution を含む) からの認証要求を Azure にローカルに保持するように ADDS サイトとサービスが構成されていることを確認します", - "waf": "安全" + "text": "Azure Front Door や Azure Application Gateway などのアプリケーション配信サービスから Microsoft Sentinel に WAF ログを送信します。攻撃を検出し、WAF テレメトリを Azure 環境全体に統合します。", + "waf": "オペレーションズ" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", - "service": "AVS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "5017f154-e3ab-4369-9829-e7e316183687", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "Key Vault", "severity": "高い", - "text": "vCenterがADDに接続されていることを確認し、「名前付きユーザーアカウント」に基づく認証を有効にします", + "text": "Azure Key Vault を使用してシークレットと資格情報を格納する", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with 
'/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", + "guid": "a0477a20-9945-4bda-9333-4f2491163418", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", + "service": "Key Vault", "severity": "中程度", - "text": "vCenter から ADDS への接続でセキュア プロトコル (LDAPS) が使用されていることを確認します", + "text": "アプリケーションやリージョンごとに異なる Azure Key Vault を使用して、トランザクションのスケール制限を回避し、シークレットへのアクセスを制限します。", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "中程度", - "text": "vCenter IdP の CloudAdmin アカウントは、緊急アカウント(非常用アカウント)としてのみ使用されます", + "text": "論理的な削除ポリシーと消去ポリシーを有効にして Azure Key Vault をプロビジョニングし、削除されたオブジェクトの保持保護を許可します。", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", - "service": "AVS", - "severity": "高い", - "text": "NSX-Manager が外部 ID プロバイダ (LDAPS) と統合されていることを確認します。", + "checklist": "Azure Landing Zone Review", + "guid": "dc055bcf-619e-48a1-9f98-879525d62688", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "中程度", + "text": "最小特権モデルに従って、キー、シークレット、証明書を完全に削除する承認を特殊なカスタム Microsoft Entra ID ロールに制限します。", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": 
"ae0e37ce-e297-411b-b352-caaab79b198d", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "中程度", - "text": "VMware vSphere 内で使用するために RBAC モデルが作成されているか", + "text": "公的認証局による証明書の管理と更新プロセスを自動化し、管理を容易にします。", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "913156a1-2476-4e49-b541-acdce979377b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "中程度", - "text": "RBAC アクセス許可は、特定のユーザーではなく、ADDS グループに付与する必要があります", + "text": "キーと証明書のローテーションの自動化されたプロセスを確立します。", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", - "service": "AVS", - "severity": "高い", - "text": "Azure の Azure VMware Solution リソースに対する RBAC アクセス許可は、限られた所有者のセットのみに \"ロックダウン\" されます", + "checklist": "Azure Landing Zone Review", + "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "中程度", + "text": "コンテナーでファイアウォールと仮想ネットワーク サービス エンドポイントまたはプライベート エンドポイントを有効にして、キー コンテナーへのアクセスを制御します。", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", - "service": "AVS", - "severity": "高い", - "text": "すべてのカスタム ロールのスコープが CloudAdmin で許可された承認で設定されていることを確認する", + "checklist": "Azure Landing Zone Review", + "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", + "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", + "service": "Key Vault", + "severity": "中程度", + "text": "プラットフォーム中央の Azure Monitor Log Analytics ワークスペースを使用して、Key Vault の各インスタンス内のキー、証明書、シークレットの使用状況を監査します。", "waf": 
"安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", - "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", - "service": "AVS", - "severity": "高い", - "text": "お客様のユース ケースに適した Azure VMware Solution 接続モデルが選択されているか", - "waf": "パフォーマンス" + "checklist": "Azure Landing Zone Review", + "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "中程度", + "text": "Key Vault のインスタンス化と特権アクセスを委任し、Azure Policy を使用して一貫性のある準拠構成を適用します。", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", - "service": "AVS", - "severity": "高い", - "text": "オンプレミスから Azure への ExpressRoute または VPN 接続が \"接続モニター\" を使用して監視されていることを確認する", - "waf": "オペレーションズ" + "checklist": "Azure Landing Zone Review", + "guid": "91163418-2ba5-4275-8694-4008be7d7e48", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "中程度", + "text": "Azure Key Vault は、アプリケーションごと、環境ごと、リージョンごとに使用します。", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "25d62688-6d70-4ba6-a97b-e99519048384", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "中程度", - "text": "Azure VMware Solution バックエンドの ExpressRoute 接続を監視するために、Azure ネイティブ リソースから Azure VMware Solution 仮想マシンへの接続モニターが作成されていることを確認します", - "waf": "オペレーションズ" + "text": "独自のキーを持ち込む場合、これは考慮されているすべてのサービスでサポートされていない可能性があります。不整合が望ましい結果を妨げないように、関連する軽減策を実装します。待機時間を最小限に抑える適切なリージョン ペアとディザスター リカバリー リージョンを選択します。", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", - "service": "AVS", + "checklist": "Azure 
Landing Zone Review", + "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", + "link": "https://learn.microsoft.com/industry/sovereignty/key-management", + "service": "Key Vault", "severity": "中程度", - "text": "エンド 2 エンドの接続を監視するために、オンプレミス リソースから Azure VMware Solution 仮想マシンへの接続モニターが作成されていることを確認します", - "waf": "オペレーションズ" + "text": "ソブリン ランディング ゾーンの場合は、Azure Key Vault マネージド HSM を使用してシークレットと資格情報を格納します。", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", - "service": "AVS", - "severity": "高い", - "text": "ルート サーバーを使用する場合は、ルート サーバーから ExR ゲートウェイ、オンプレミスに伝達されるルートが 1000 を超えないようにします (ARS 制限)。", - "waf": "オペレーションズ" + "checklist": "Azure Landing Zone Review", + "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", + "service": "Entra", + "severity": "中程度", + "text": "Microsoft Entra ID レポート機能を使用して、アクセス制御監査レポートを生成します。", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", - "service": "AVS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "09945bda-4333-44f2-9911-634182ba5275", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", + "service": "Defender", "severity": "高い", - "text": "Azure Portal で Azure VMware Solution リソースを管理するロールに対して Privileged Identity Management が実装されていますか (永続的なアクセス許可は許可されません)", + "text": "すべてのサブスクリプションに対して Defender Cloud Security Posture Management を有効にします。", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", - "service": "AVS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", + "service": "Defender", "severity": "高い", - 
"text": "Privileged Identity Management 監査レポートは、Azure VMware Solution PIM ロールに対して実装する必要がある", + "text": "すべてのサブスクリプションでサーバーに対して Defender Cloud ワークロード保護プランを有効にします。", "waf": "安全" }, - { - "checklist": "Azure VMware Solution Design Review", - "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", - "service": "AVS", - "severity": "中程度", - "text": "Privileged Identity Management を使用している場合は、Azure VMware Solution のホストの自動置換通知用の有効な SMTP レコードを使用して、有効な Entra ID が有効なアカウントが作成されていることを確認します。(常任許可が必要)", + { + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", + "service": "Defender", + "severity": "高い", + "text": "すべてのサブスクリプションで Azure リソースの Defender Cloud Workload Protection プランを有効にします。", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", - "service": "AVS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", + "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", + "service": "VM", "severity": "高い", - "text": "CloudAdmin アカウントの使用を緊急アクセスのみに制限する", + "text": "IaaS サーバーで Endpoint Protection を有効にします。", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", + "link": "https://learn.microsoft.com/azure/security-center/", + "service": "VM", "severity": "中程度", - "text": "vCenter Server でカスタム RBAC ロールを作成して、vCenter 内に最小特権モデルを実装します", + "text": "Azure Monitor ログと Defender for Cloud を使用して、基本オペレーティング システムの修正プログラムの適用誤差を監視します。", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + 
"guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "severity": "中程度", - "text": "cloudadmin (vCenter) と admin (NSX) の資格情報を定期的にローテーションするように定義されたプロセスです。", + "text": "既定のリソース構成を一元化された Azure Monitor Log Analytics ワークスペースに接続します。", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", - "service": "AVS", - "severity": "高い", - "text": "一元化された ID プロバイダーを使用して、Azure VMware Solution で実行されているワークロード (VM) に使用する", + "checklist": "Azure Landing Zone Review", + "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", + "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", + "service": "Entra", + "severity": "中程度", + "text": "ソブリン ランディング ゾーンの場合、透過性ログは Entra ID テナントで有効になっています。", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", + "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", + "service": "Entra", "severity": "中程度", - "text": "East-West トラフィック フィルタリングは NSX-T 内に実装されていますか", + "text": "ソブリン ランディング ゾーンの場合、Entra ID テナントでカスタマー ロックボックスが有効になっています。", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", - "service": "AVS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Storage", "severity": "高い", - "text": "Azure VMware Solution 上のワークロードは、インターネットに直接公開されません。トラフィックは、Azure Application Gateway、Azure Firewall、またはサード パーティのソリューションによってフィルター処理され、検査されます", + "text": "ストレージ アカウントへの安全な転送を有効にする必要がある", "waf": "安全" }, { - "checklist": "Azure VMware Solution 
Design Review", - "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", - "service": "AVS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", + "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", + "service": "Storage", "severity": "高い", - "text": "監査とログ記録は、Azure VMware Solution および Azure VMware Solution ベースのワークロードへの受信インターネット要求に対して実装されます", + "text": "ストレージ アカウントのコンテナーの論理的な削除を有効にして、削除されたコンテナーとその内容を回復します。", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", - "service": "AVS", - "severity": "中程度", - "text": "セッション監視は、疑わしい/悪意のあるアクティビティを特定するために、Azure VMware Solution または Azure VMware Solution ベースのワークロードからの送信インターネット接続に実装されます", - "waf": "安全" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", + "service": "Key Vault", + "severity": "高い", + "text": "Key Vault シークレットを使用して、資格情報 (仮想マシン、ユーザー パスワード)、証明書、キーなどの機密情報をハードコーディングしないようにします。", + "waf": "オペレーションズ" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "334fdf91-c234-4182-a652-75269440b4be", - "service": "AVS", + "checklist": "Identity Review Checklist", + "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", + "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", + "service": "Entra", "severity": "中程度", - "text": "Azure の ExR/VPN Gateway サブネットで DDoS Standard 保護が有効になっているか", - "waf": "安全" + "text": "有効期間の長い取り消し可能なトークンを使用し、トークンをキャッシュし、Microsoft ID ライブラリを使用してサイレントに取得します", + "waf": "確実" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", - "service": "AVS", + "checklist": "Identity Review Checklist", + "guid": 
"503547c1-447e-4c66-828a-71f0f1ce16dd", + "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", + "service": "AAD B2C", "severity": "中程度", - "text": "専用の特権アクセス ワークステーション (PAW) を使用して、Azure VMware Solution、vCenter、NSX Manager、HCX Manager を管理する", - "waf": "安全" + "text": "サインイン ユーザー フローがバックアップされ、回復性があることを確認します。ユーザーのサインインに使用するコードがバックアップされ、回復可能であることを確認します。外部プロセスとの回復力のあるインターフェース", + "waf": "確実" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", - "service": "AVS", + "checklist": "Identity Review Checklist", + "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", + "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", + "service": "AAD B2C", "severity": "中程度", - "text": "Azure VMware Solution で実行されているワークロードに対して Advanced Threat Detection (Microsoft Defender for Cloud 別名 ASC) を有効にする", - "waf": "安全" + "text": "カスタムブランドアセットはCDNでホストする必要がある", + "waf": "パフォーマンス" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", - "service": "AVS", + "checklist": "Identity Review Checklist", + "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", + "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", + "service": "AAD B2C", + "severity": "低い", + "text": "複数のIDプロバイダーを持っている(つまり、Microsoft、Google、Facebookアカウントでログインする)", + "waf": "確実" + }, + { + "checklist": "Identity Review Checklist", + "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "中程度", - "text": "Azure ARC for Servers を使用して、Azure ネイティブ テクノロジを使用して Azure VMware Solution で実行されているワークロードを適切に管理します (Azure ARC for Azure VMware Solution はまだ利用できません)", - "waf": "安全" + "text": "VM レベルでの高可用性に関する VM ルールに従う (Premium ディスク、リージョン内の 2 つ以上、異なる可用性ゾーン内)", + "waf": 
"確実" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", - "service": "AVS", - "severity": "低い", - "text": "Azure VMware Solution 上のワークロードで、実行時に十分なデータ暗号化 (ゲスト内ディスク暗号化や SQL TDE など) が使用されるようにします。(保存時の vSAN 暗号化がデフォルトです)", - "waf": "安全" + "checklist": "Identity Review Checklist", + "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", + "severity": "中程度", + "text": "複製しないでください!レプリケーションにより、ディレクトリ同期に関する問題が発生する可能性があります", + "waf": "確実" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "a3592718-e6e2-4051-9267-6ae46691e883", - "service": "AVS", - "severity": "低い", - "text": "ゲスト内暗号化を使用する場合は、可能な場合は Azure Key Vault に暗号化キーを格納します", - "waf": "安全" + "checklist": "Identity Review Checklist", + "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", + "severity": "中程度", + "text": "マルチリージョンのアクティブ/アクティブを持つ", + "waf": "確実" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "5ac94222-3e13-4810-9230-81a941741583", - "service": "AVS", + "checklist": "Identity Review Checklist", + "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "severity": "中程度", - "text": "Azure VMware Solution で実行されているワークロードには、拡張セキュリティ更新プログラムのサポートの使用を検討してください (Azure VMware Solution は ESU の対象です)", - "waf": "安全" + "text": "Azure AD Domain Service スタンプを追加のリージョンと場所に追加する", + "waf": "確実" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", - "service": "AVS", - "severity": "高い", - "text": "適切な vSAN データ冗長化方式(RAID 仕様)が使用されていることを確認します。", + "checklist": "Identity Review Checklist", + 
"guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", + "severity": "中程度", + "text": "DR にレプリカ セットを使用する", "waf": "確実" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d88408f3-7273-44c8-96ba-280214590146", - "service": "AVS", - "severity": "高い", - "text": "許容障害ポリシーが vSAN ストレージのニーズを満たすために設定されていることを確認します", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", + "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", + "service": "AKS", + "severity": "低い", + "text": "AKS Windows ワークロードで必要な場合は、HostProcess コンテナーを使用できます", "waf": "確実" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", + "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", + "service": "AKS", + "severity": "低い", + "text": "イベント ドリブン ワークロードを実行する場合は KEDA を使用します", + "waf": "パフォーマンス" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", + "link": "https://dapr.io/", + "service": "AKS", + "severity": "低い", + "text": "Dapr を使用してマイクロサービス開発を容易にする", + "waf": "オペレーションズ" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", + "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", + "link": "https://learn.microsoft.com/azure/aks/uptime-sla", + "service": "AKS", "severity": "高い", - "text": "十分なクォータを要求し、拡張とディザスタリカバリの要件を考慮していることを確認します", + 
"text": "SLA でサポートされる AKS オファリングを使用する", "waf": "確実" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", - "service": "AVS", - "severity": "中程度", - "text": "ESXiへのアクセス制限を理解し、サードパーティのソリューションに影響を与える可能性のあるアクセス制限があることを確認してください。", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", + "severity": "低い", + "text": "ポッドとデプロイ定義でのディスラプション バジェットの使用", + "waf": "確実" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", - "service": "AVS", - "severity": "中程度", - "text": "ESXi ホストの密度と効率に関するポリシーがあることを確認し、新しいノードを要求するためのリード タイムを念頭に置いてください", - "waf": "オペレーションズ" + "checklist": "Azure AKS Review", + "guid": "3c763963-7a55-42d5-a15e-401955387e5c", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", + "service": "ACR", + "severity": "高い", + "text": "プライベート レジストリを使用する場合は、複数のリージョンにイメージを格納するようにリージョン レプリケーションを構成します", + "waf": "確実" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", - "service": "AVS", - "severity": "中程度", - "text": "Azure VMware Solution の適切なコスト管理プロセスが整っていることを確認する - Azure Cost Management を使用できます", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", + "service": "AKS", + "severity": "低い", + "text": "kubecost などの外部アプリケーションを使用して、さまざまなユーザーにコストを割り当てます", "waf": "費用" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", - "service": "AVS", + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", + "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", + "service": "AKS", "severity": "低い", - "text": "Azure VMware Solution を使用するためのコストを最適化するために Azure 予約インスタンスが使用されているか", + "text": "スケールダウンモードを使用してノードを削除/割り当て解除する", "waf": "費用" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "6691e883-5ac9-4422-83e1-3810523081a9", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", + "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", + "service": "AKS", "severity": "中程度", - "text": "他の Azure Native Services を使用する場合は、Azure Private-Link の使用を検討してください", - "waf": "安全" + "text": "必要に応じて、AKS クラスターで複数インスタンスの分割 GPU を使用する", + "waf": "費用" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", - "service": "AVS", - "severity": "高い", - "text": "必要なすべてのリソースが同じ Azure 可用性ゾーン内に存在することを確認する", - "waf": "パフォーマンス" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", + "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", + "service": "AKS", + "severity": "低い", + "text": "Dev/Test クラスターを実行している場合は、NodePool Start/Stop を使用します。", + "waf": "費用" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", + "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", + "link": 
"https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", + "service": "AKS", "severity": "中程度", - "text": "Azure VMware Solution ゲスト VM ワークロードに対して Microsoft Defender for Cloud を有効にする", + "text": "Azure Policy for Kubernetes を使用してクラスターのコンプライアンスを確保する", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", + "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", "severity": "中程度", - "text": "Azure Arc 対応サーバーを使用して Azure VMware Solution ゲスト VM のワークロードを管理する", + "text": "ユーザー/システムノードプールを使用してコントロールプレーンからアプリケーションを分離する", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", - "service": "AVS", - "severity": "高い", - "text": "Azure VMware Solution での診断ログとメトリック ログを有効にするEnable Diagnostic and metric logging on Azure VMware Solution", - "waf": "オペレーションズ" - }, - { - "checklist": "Azure VMware Solution Design Review", - "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", - "service": "AVS", - "severity": "中程度", - "text": "Log Analytics エージェントを Azure VMware Solution ゲスト VM ワークロードにデプロイする", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", + "severity": "低い", + "text": "システム ノードプールにテイントを追加して専用にする", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": 
"589d457a-927c-4397-9d11-02cad6aae11e", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", + "link": "https://learn.microsoft.com/azure/container-registry/", + "service": "AKS", "severity": "中程度", - "text": "Azure VMware Solution VM ワークロードのバックアップ ポリシーとソリューションが文書化され、実装されていることを確認します", - "waf": "オペレーションズ" + "text": "イメージにはプライベート レジストリ (ACR など) を使用する", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "ee29711b-d352-4caa-ab79-b198dab81932", - "service": "AVS", + "checklist": "Azure AKS Review", + "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", + "link": "https://learn.microsoft.com/azure/security-center/container-security", + "service": "ACR", "severity": "中程度", - "text": "Microsoft Defender for Cloud を使用して、Azure VMware Solution で実行されているワークロードのコンプライアンス監視を行う", + "text": "イメージをスキャンして脆弱性を検出する", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", - "service": "AVS", - "severity": "中程度", - "text": "適用可能なコンプライアンス ベースラインは Microsoft Defender for Cloud に追加されていますか", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", + "service": "AKS", + "severity": "高い", + "text": "アプリの分離要件を定義する (名前空間/ノードプール/クラスター)", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", - "service": "AVS", - "severity": "高い", - "text": "Azure VMware Solution のデプロイに使用する Azure リージョンを選択するときにデータ所在地が評価されましたか", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", + "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", + "service": 
"AKS", + "severity": "中程度", + "text": "CSI シークレット ストア ドライバーを使用して Azure Key Vault にシークレットを格納する", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", + "link": "https://learn.microsoft.com/azure/aks/update-credentials", + "service": "AKS", "severity": "高い", - "text": "データ処理への影響 (サービス プロバイダー/サービス コンシューマー モデル) が明確で文書化されているか", + "text": "クラスターにサービス プリンシパルを使用する場合は、資格情報を定期的に (四半期ごとなど) 更新します", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "547c1747-dc56-4068-a714-435cd19dd244", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", + "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", + "service": "AKS", "severity": "中程度", - "text": "コンプライアンス上の理由で必要な場合にのみ、vSAN に CMK (カスタマー マネージド キー) を使用することを検討してください。", + "text": "必要に応じて、キー管理サービスの etcd 暗号化を追加します", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", - "service": "AVS", - "severity": "高い", - "text": "Azure VMware Solution のコア監視分析情報を有効にするダッシュボードを作成するCreate dashboards to enable a core Azure VMware Solution monitoring insights", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", + "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", + "service": "AKS", + "severity": "低い", + "text": "必要に応じて、Confidential Compute for AKS の使用を検討してください", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", - "service": "AVS", - "severity": "高い", - "text": 
"Azure VMware Solution のパフォーマンス (CPU >80%、平均メモリ >80%、vSAN >70%) に関する自動アラートの重大しきい値の警告アラートを作成する", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", + "service": "AKS", + "severity": "中程度", + "text": "Defender for Containers の使用を検討する", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9659e396-80e7-4828-ac93-5657d02bff45", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", + "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", + "service": "AKS", "severity": "高い", - "text": "vSAN の消費量が 75% を下回っているかどうかを監視するための重要なアラートが作成されていることを確認します (これは VMware からのサポートしきい値です)。", - "waf": "オペレーションズ" + "text": "サービス プリンシパルの代わりにマネージド ID を使用するUse managed identities instead of Service Principals", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", - "service": "AVS", - "severity": "高い", - "text": "Azure Service Health のアラートと通知に対してアラートが構成されていることを確認する", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", + "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", + "link": "https://learn.microsoft.com/azure/aks/managed-aad", + "service": "AKS", + "severity": "中程度", + "text": "認証と AAD の統合 (マネージド統合を使用)", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - 
"guid": "b6abad38-aad5-43cc-99e1-d86667357c54", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", + "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", + "service": "AKS", "severity": "中程度", - "text": "処理のために Azure Storage アカウントまたは Azure EventHub に送信するように Azure VMware Solution ログを構成する", - "waf": "オペレーションズ" + "text": "管理者 kubeconfig へのアクセスを制限する (get-credentials --admin)", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", - "service": "AVS", - "severity": "低い", - "text": "VMware vSphere での詳細な分析情報が必要な場合:vRealize Operations や vRealize Network Insights がソリューションで使用されていますか?", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", + "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", + "service": "AKS", + "severity": "中程度", + "text": "承認と AAD RBAC の統合", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", + "service": "AKS", "severity": "高い", - "text": "仮想マシンの vSAN ストレージ ポリシーはシック プロビジョニングを適用するため、このポリシーがデフォルトのストレージ ポリシーではないことを確認します", - "waf": "オペレーションズ" + "text": "Kubernetes で RBAC 特権を制限するために名前空間を使用する", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", + "link": 
"https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", + "service": "AKS", "severity": "中程度", - "text": "vSAN は有限のリソースであるため、vSphere コンテンツ ライブラリが vSAN に配置されていないことを確認する", - "waf": "オペレーションズ" + "text": "ポッド ID アクセス管理の場合は、Azure AD ワークロード ID (プレビュー) を使用します", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", + "service": "AKS", "severity": "中程度", - "text": "バックアップ ソリューションのデータ リポジトリが vSAN ストレージの外部に保存されていることを確認します。Azure ネイティブまたはディスク プールでバックアップされるデータストア上", - "waf": "オペレーションズ" + "text": "AKS 非対話型ログインの場合は、kubelogin (プレビュー) を使用します", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", + "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", + "service": "AKS", "severity": "中程度", - "text": "Azure Arc for Servers を使用して Azure VMware Solution で実行されているワークロードがハイブリッド管理されていることを確認する (Arc for Azure VMware Solution はプレビュー段階です)", - "waf": "オペレーションズ" + "text": "AKS ローカル アカウントを無効にする", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", - "service": "AVS", - "severity": "中程度", - "text": "Azure VMware Solution で実行されているワークロードが Azure Log Analytics と Azure Monitor を使用して監視されていることを確認する", - "waf": "オペレーションズ" + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "低い", + "text": "必要に応じて Just-In-Time クラスター アクセスを構成する", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", - "service": "AVS", - "severity": "中程度", - "text": "Azure VMware Solution で実行されているワークロードを、既存の更新プログラム管理ツールまたは Azure Update Management に含める", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "低い", + "text": "必要に応じて AKS の AAD 条件付きアクセスを構成する", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", - "service": "AVS", - "severity": "中程度", - "text": "Azure Policy を使用して、Azure の管理、監視、セキュリティ ソリューションに Azure VMware Solution ワークロードをオンボードする", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", + "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", + "service": "AKS", + "severity": "低い", + "text": "Windows AKS ワークロードで必要な場合は、gMSA を構成します", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", + "service": "AKS", 
"severity": "中程度", - "text": "Azure VMware Solution で実行されているワークロードが Microsoft Defender for Cloud にオンボードされていることを確認する", + "text": "より細かく制御するには、マネージドKubelet Identityの使用を検討してください", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", + "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", + "service": "AKS", "severity": "中程度", - "text": "vSAN は有限のリソースであるため、バックアップが vSAN に保存されないようにする", + "text": "AGIC を使用している場合は、クラスター間で AppGW を共有しないでください", "waf": "確実" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", - "service": "AVS", - "severity": "中程度", - "text": "すべてのDRソリューションが検討され、ビジネスに最適なソリューションが決定されましたか?[SRM/JetStream/Zerto/Veeam/...]", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", + "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", + "link": "https://learn.microsoft.com/azure/aks/http-application-routing", + "service": "AKS", + "severity": "高い", + "text": "AKS HTTP ルーティング アドオンを使用せず、代わりにアプリケーション ルーティング アドオンでマネージド NGINX イングレスを使用します。", "waf": "確実" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", + "service": "AKS", "severity": "中程度", - "text": 
"ディザスター リカバリー テクノロジがネイティブの Azure IaaS の場合は、Azure Site Recovery を使用します", - "waf": "確実" + "text": "Windows ワークロードの場合は、高速ネットワークを使用します", + "waf": "パフォーマンス" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", + "guid": "ba7da7be-9952-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "severity": "高い", - "text": "いずれかの災害ソリューションで自動復旧計画を使用し、手動タスクを可能な限り回避します", + "text": "標準のALBを使用する(基本的なALBとは対照的)", "waf": "確実" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "8255461e-2aee-4345-9aec-8339248b262d", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", + "service": "AKS", "severity": "中程度", - "text": "地政学的リージョンのペアをセカンダリディザスタリカバリ環境として使用する", - "waf": "確実" + "text": "Azure CNI を使用する場合は、NodePool に異なるサブネットを使用することを検討してください", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", + "service": "AKS", + "severity": "中程度", + "text": "プライベート エンドポイント (推奨) または Virtual Network サービス エンドポイントを使用して、クラスターから PaaS サービスにアクセスする", + "waf": "安全" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": 
"Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", + "guid": "a0f61565-9de5-458f-a372-49c831112dbd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "severity": "高い", - "text": "リージョン間で 2 つの異なるアドレス空間を使用します (例: 10.0.0.0/16 と 192.168.0.0/16)。", + "text": "要件に最適な CNI ネットワーク プラグインを選択する (Azure CNI を推奨)", "waf": "確実" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", - "service": "AVS", - "severity": "中程度", - "text": "ExpressRoute Global Reach は、プライマリとセカンダリの Azure VMware Solution プライベート クラウド間の接続に使用されますか、それともネットワーク仮想アプライアンスを介してルーティングされますか?", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "高い", + "text": "Azure CNI を使用する場合は、ノードあたりのポッドの最大数を考慮して、サブネットのサイズを適切に設定します", + "waf": "パフォーマンス" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", - "service": "AVS", - "severity": "中程度", - "text": "すべてのバックアップソリューションが検討され、ビジネスに最適なソリューションが決定されましたか?[ MABS/CommVault/Metallic.io/Veeam/ . 
]", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "高い", + "text": "Azure CNI を使用している場合は、最大ポッド数/ノード (既定値は 30) を確認します", + "waf": "パフォーマンス" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", - "service": "AVS", - "severity": "中程度", - "text": "バックアップ ソリューションを Azure VMware Solution プライベート クラウドと同じリージョンにデプロイする", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "内部アプリの場合、組織は多くの場合、ファイアウォールで AKS サブネット全体を開きます。これにより、ノードへのネットワーク アクセスも開かれ、場合によってはポッドへのネットワーク アクセスも開かれます (Azure CNI を使用している場合)。LoadBalancer の IP が別のサブネットにある場合は、この IP のみをアプリ クライアントで使用できる必要があります。もう 1 つの理由は、AKS サブネット内の IP アドレスが希少なリソースである場合、その IP アドレスをサービスに使用すると、クラスターの最大スケーラビリティが低下することです。", + "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", + "link": "https://learn.microsoft.com/azure/aks/internal-lb", + "service": "AKS", + "severity": "低い", + "text": "プライベート IP LoadBalancer サービスを使用する場合は、(AKS サブネットではなく) 専用サブネットを使用します", + "waf": "安全" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "高い", + "text": "それに応じて、サービスの IP アドレス範囲のサイズを設定します (クラスターのスケーラビリティが制限されます)。", "waf": "確実" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", + "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", + "service": "AKS", + "severity": "低い", + "text": 
"必要に応じて、独自のCNIプラグインを追加します", + "waf": "安全" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", + "service": "AKS", + "severity": "低い", + "text": "必要に応じて、AKS でノードごとにパブリック IP を構成する", + "waf": "パフォーマンス" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", + "link": "https://learn.microsoft.com/azure/aks/concepts-network", + "service": "AKS", "severity": "中程度", - "text": "バックアップ ソリューションを vSan の外部の Azure ネイティブ コンポーネントにデプロイする", + "text": "イングレス コントローラーを使用して、LoadBalancer タイプのサービスで公開する代わりに、Web ベースのアプリを公開します", "waf": "確実" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", + "link": "https://learn.microsoft.com/azure/aks/nat-gateway", + "service": "AKS", "severity": "低い", - "text": "Azure プラットフォームによって管理されている VMware コンポーネントの復元を要求するプロセスは用意されていますか?", + "text": "エグレス トラフィックをスケーリングするために Azure NAT Gateway を outboundType として使用する", "waf": "確実" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", - "service": "AVS", - "severity": "低い", - "text": "手動デプロイの場合、すべての構成とデプロイを文書化する必要があります", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", + "service": "AKS", + "severity": "中程度", + "text": "Azure CNI IP の枯渇を回避するために IP の動的割り当てを使用する", + "waf": "確実" }, { 
- "checklist": "Azure VMware Solution Design Review", - "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", - "service": "AVS", - "severity": "低い", - "text": "手動デプロイの場合は、Azure VMware Solution プライベート クラウドでの偶発的なアクションを防ぐために、リソース ロックの実装を検討してください", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", + "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", + "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", + "service": "AKS", + "severity": "高い", + "text": "セキュリティ要件で義務付けられている場合は、AzFW/NVA を使用してエグレス トラフィックをフィルター処理します", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", - "service": "AVS", - "severity": "低い", - "text": "自動デプロイの場合は、最小限のプライベート クラウドをデプロイし、必要に応じてスケーリングします", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", + "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", + "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", + "service": "AKS", + "severity": "中程度", + "text": "パブリック API エンドポイントを使用している場合は、アクセスできる IP アドレスを制限します", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", - "service": "AVS", - "severity": "低い", - "text": "自動デプロイの場合は、デプロイを開始する前にクォータを要求または予約します", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", 
+ "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", + "link": "https://learn.microsoft.com/azure/aks/private-clusters", + "service": "AKS", + "severity": "高い", + "text": "要件で必要な場合は、プライベート クラスターを使用します", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", - "service": "AVS", - "severity": "低い", - "text": "自動デプロイの場合は、適切なガバナンスのために、自動化または Azure Policy を使用して関連するリソース ロックが作成されていることを確認します", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", + "severity": "中程度", + "text": "Windows 2019 および 2022 AKS ノードでは、Calico ネットワーク ポリシーを使用できます", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", - "service": "AVS", - "severity": "低い", - "text": "ExR 認証キーに人間が理解できる名前を実装して、キーの目的/用途を簡単に識別できるようにします", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", + "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", + "severity": "高い", + "text": 
"Kubernetes ネットワーク ポリシー オプションを有効にする (Calico/Azure)", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "255461e2-aee3-4553-afc8-339248b262d6", - "service": "AVS", - "severity": "低い", - "text": "Azure VMware Solution と ExpressRoute のデプロイに個別のサービス プリンシパルを使用する場合は、キー コンテナーを使用してシークレットと承認キーを格納します", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", + "severity": "高い", + "text": "Kubernetesネットワークポリシーを使用してクラスタ内のセキュリティを強化", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", - "service": "AVS", - "severity": "低い", - "text": "Azure VMware Solution では限られた数の並列操作しかサポートされないため、Azure VMware Solution に多くのリソースをデプロイする必要がある場合に、IaC でアクションをシリアル化するためのリソースの依存関係を定義します。", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", + "severity": "高い", + "text": "Web ワークロード (UI または API) に WAF を使用するUse a WAF for a web workloads (UI or API)", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", - "service": "AVS", - "severity": "低い", - "text": "単一の Tier-1 ゲートウェイで NSX-T セグメントの自動構成を実行する場合は、NSX-Manager API ではなく Azure Portal API を使用します", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources 
| where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", + "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", + "service": "AKS", + "severity": "中程度", + "text": "AKS Virtual Network で DDoS Standard を使用するUse DDoS Standard in the AKS Virtual Network", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", - "service": "AVS", - "severity": "中程度", - "text": "自動スケールアウトを使用する場合は、Azure VMware Solution を実行しているサブスクリプションに対して十分な Azure VMware Solution クォータを申請してください", - "waf": "パフォーマンス" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", + "link": "https://learn.microsoft.com/azure/aks/http-proxy", + "service": "AKS", + "severity": "低い", + "text": "必要に応じて、会社の HTTP プロキシを追加します", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - 
"guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", + "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", + "service": "AKS", "severity": "中程度", - "text": "自動スケールインを使用する場合は、そのようなアクションを実行する前に、ストレージ ポリシーの要件を必ず考慮してください", - "waf": "パフォーマンス" + "text": "高度なマイクロサービス通信管理にサービスメッシュの使用を検討する", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", - "service": "AVS", - "severity": "中程度", - "text": "スケーリング操作は、一度に 1 つのスケール操作しか実行できないため、常に 1 つの SDDC 内でシリアル化する必要があります (複数のクラスタが使用されている場合でも)", - "waf": "パフォーマンス" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", + "service": "AKS", + "severity": "高い", + "text": "最も重要なメトリックに関するアラートを構成します (推奨事項については、「Container Insights」を参照してください)", + "waf": "オペレーションズ" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", - "service": "AVS", - "severity": "中程度", - "text": "アーキテクチャで使用されるサードパーティソリューションでのスケーリング操作を検討および検証します(サポートされているかどうか)", - "waf": "パフォーマンス" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "337453a3-cc63-4963-9a65-22ac19e80696", + "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", + "service": "AKS", + "severity": "低い", + "text": "Azure Advisor でクラスターの推奨事項を定期的に確認する", + "waf": "オペレーションズ" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", - "service": "AVS", - "severity": "中程度", - "text": "自動化で環境のスケールイン/スケールアウトの上限を定義して適用する", - "waf": "パフォーマンス" + "arm-service": "microsoft.containerservice/managedClusters", + 
"checklist": "Azure AKS Review", + "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", + "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", + "service": "AKS", + "severity": "低い", + "text": "AKS 自動証明書のローテーションを有効にする", + "waf": "オペレーションズ" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", - "service": "AVS", - "severity": "中程度", - "text": "監視ルールを実装して、自動スケーリング操作を監視し、成功と失敗を監視して、適切な (自動化された) 応答を有効にします", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", + "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", + "service": "AKS", + "severity": "高い", + "text": "kubernetes のバージョンを定期的に (四半期ごとなど) アップグレードする定期的なプロセスを行うか、AKS 自動アップグレード機能を使用します", "waf": "オペレーションズ" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", + "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", + "service": "AKS", "severity": "高い", - "text": "MONを使用する場合は、同時に構成されたVMの制限(HCXのMON制限[400 - 標準、1000 - 大規模アプライアンス])に注意してください", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", - "waf": "確実" + "text": "ノードイメージのアップグレードを使用していない場合は、Linuxノードのアップグレードにkuredを使用します", + "waf": "オペレーションズ" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + 
"guid": "139c9580-ade3-426a-ba09-cf157d9f6477", + "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", + "service": "AKS", "severity": "高い", - "text": "MON を使用する場合、100 を超えるネットワーク拡張で MON を有効にすることはできません", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "確実" + "text": "クラスタノードイメージを定期的に(毎週など)アップグレードする定期的なプロセスを用意します", + "waf": "オペレーションズ" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", - "service": "AVS", - "severity": "中程度", - "text": "移行に VPN 接続を使用する場合は、それに応じて MTU サイズを調整します。", - "waf": "パフォーマンス" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", + "service": "AKS", + "severity": "低い", + "text": "アプリケーションまたはクラスター構成を複数のクラスターにデプロイするために gitop を検討してください", + "waf": "オペレーションズ" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "e614658d-d457-4e92-9139-b821102cad6e", - "service": "AVS", - "severity": "中程度", - "text": "Azure に接続する接続性の低いリージョン (500 Mbps 以下) の場合は、HCX WAN 最適化アプライアンスのデプロイを検討してください", - "waf": "パフォーマンス" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d7672c26-7602-4482-85a4-14527fbe855c", + "link": "https://learn.microsoft.com/azure/aks/command-invoke", + "service": "AKS", + "severity": "低い", + "text": "プライベート クラスターで AKS コマンド呼び出しを使用することを検討する", + "waf": "オペレーションズ" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", - "service": "AVS", - "severity": "中程度", - "text": "移行がオンプレミスアプライアンスから開始され、クラウドアプライアンスから開始されていないことを確認します(逆移行は実行しないでください)", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": 
"31d7aaab-7571-4449-ab80-53d89e89d17b", + "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", + "service": "AKS", + "severity": "低い", + "text": "計画されたイベントの場合は、ノードの自動ドレインの使用を検討してください", + "waf": "オペレーションズ" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "AVS", - "severity": "中程度", - "text": "Azure NetApp Files を使用して Azure VMware Solution のストレージを拡張する場合は、VM に直接接続するのではなく、これを VMware データストアとして使用することを検討してください。", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", + "link": "https://learn.microsoft.com/azure/aks/faq", + "service": "AKS", + "severity": "高い", + "text": "独自のガバナンスプラクティスを開発して、ノードRG(別名「インフラRG」)のオペレーターによって変更が実行されないようにします", + "waf": "オペレーションズ" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "AVS", - "severity": "中程度", - "text": "専用の ExpressRoute ゲートウェイが外部データ ストレージ ソリューションに使用されていることを確認する", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", + "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", + "severity": "低い", + "text": "カスタムノードRG(別名「インフラRG」)名を使用", + "waf": "オペレーションズ" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", - "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", + "link": "https://kubernetes.io/docs/setup/release/notes/", + "service": "AKS", "severity": "中程度", - "text": "外部データ ストレージ ソリューションに使用されている ExpressRoute ゲートウェイで FastPath が有効になっていることを確認します", - "waf": "確実" + "text": "非推奨の Kubernetes API を YAML マニフェストで使用しないでください", + "waf": "オペレーションズ" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "AVS", - "severity": "高い", - "text": "ストレッチ クラスタを使用している場合は、選択したディザスタ リカバリ ソリューションがベンダーによってサポートされていることを確認します", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", + "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", + "service": "AKS", + "severity": "低い", + "text": "Windows ノードのテイント", + "waf": "オペレーションズ" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "AVS", - "severity": "高い", - "text": "ストレッチ クラスターを使用する場合は、提供される SLA が要件を満たしていることを確認します", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", + "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", + "service": "AKS", + "severity": "低い", + "text": "Windows コンテナーのパッチ レベルをホストのパッチ 
レベルと同期させる", + "waf": "オペレーションズ" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "AVS", - "severity": "高い", - "text": "ストレッチ クラスターを使用している場合は、両方の ExpressRoute 回線が接続ハブに接続されていることを確認します。", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "クラスタレベルでの診断設定経由", + "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", + "link": "https://learn.microsoft.com/azure/aks/monitor-aks", + "service": "AKS", + "severity": "低い", + "text": "マスター ログ (API ログ) を Azure Monitor または任意のログ管理ソリューションに送信する", + "waf": "オペレーションズ" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "AVS", - "severity": "高い", - "text": "ストレッチ クラスターを使用している場合は、両方の ExpressRoute 回線で GlobalReach が有効になっていることを確認します。", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", + "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", + "service": "AKS", + "severity": "低い", + "text": "必要に応じて、nodePool スナップショットを使用します", + "waf": "費用" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "AVS", - "severity": "高い", - "text": "サイトの耐障害性の設定を適切に検討し、必要に応じてビジネスに合わせて変更しましたか?", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", + "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", + "service": "AKS", + "severity": "低い", + "text": 
"時間的制約のないワークロードのスポット ノード プールを検討する", + "waf": "オペレーションズ" }, { - "checklist": "Azure Function Review", - "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", - "severity": "高い", - "text": "ビジネスとSLOの要件に基づいて適切な関数ホスティングプランを選択します", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", + "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", + "severity": "低い", + "text": "クイック バーストのために AKS 仮想ノードを検討する", + "waf": "オペレーションズ" }, { - "checklist": "Azure Function Review", - "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", "severity": "高い", - "text": "リージョンで適用可能な場合は Availability Zones を活用します (従量課金レベルでは使用できません)", - "waf": "確実" + "text": "Container Insights (または Prometheus などの他のツール) を使用してクラスター メトリックを監視する", + "waf": "オペレーションズ" }, { - "checklist": "Azure Function Review", - "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", - "service": "Azure Functions", - "severity": "中程度", - "text": "重要なワークロードに対するリージョン間 DR 戦略を検討する", - "waf": "確実" + 
"arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", + "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", + "severity": "高い", + "text": "Container Insights(またはTelegraf/ElasticSearchなどの他のツール)を使用してクラスターログを保存および分析します", + "waf": "オペレーションズ" }, { - "checklist": "Azure Function Review", - "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Azure Functions", - "severity": "高い", - "text": "分離環境にデプロイする場合は、App Service Environment (ASE) v3 を使用するか、それらに移行します", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", + "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", + "service": "AKS", + "severity": "中程度", + "text": "ノードの CPU とメモリの使用率を監視する", + "waf": "オペレーションズ" }, { - "checklist": "Azure Function Review", - "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "Azure Functions", - "severity": "高い", - "text": "App Service プランで実行されているすべての関数アプリで \"Always On\" が有効になっていることを確認する", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1a4835ac-9422-423e-ae80-b123081a5417", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "中程度", + "text": "Azure CNI を使用している場合は、ノードごとに消費されるポッド IP の割合を監視します", + "waf": "オペレーションズ" }, { - "checklist": "Azure Function Review", - 
"guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", - "service": "Azure Functions", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "OS ディスクの I/O は重要なリソースです。ノード内の OS が I/O で調整されると、予期しない動作が発生し、通常はノードが NotReady と宣言される可能性があります", + "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", + "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", + "service": "AKS", "severity": "中程度", - "text": "関数アプリを独自のストレージ アカウントにペアリングします。Function Apps のストレージ アカウントは、緊密に結合されていない限り、再利用しないようにしてください", - "waf": "確実" + "text": "ノード内の OS ディスク キューの深さを監視する", + "waf": "オペレーションズ" }, { - "checklist": "Azure Function Review", - "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "Azure Functions", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "be209d39-fda4-4777-a424-d116785c2fa5", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "severity": "中程度", - "text": "Azure DevOps または GitHub を活用して CI/CD を合理化し、関数アプリのコードを保護します", + "text": "AzFW/NVA でエグレス フィルター処理を使用しない場合は、標準の ALB によって割り当てられた SNAT ポートを監視します", "waf": "オペレーションズ" }, { - "checklist": "Azure Bot Service", - "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", - "service": "Bot service", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", + "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", + "service": "AKS", "severity": "中程度", - "text": "Azure Bot Service の信頼性サポートの推奨事項に従う", - "waf": "確実" + "text": "AKS クラスターのリソース正常性通知をサブスクライブするSubscribe to 
resource health notifications for your AKS cluster", + "waf": "オペレーションズ" }, { - "checklist": "Azure Bot Service", - "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", - "service": "Bot service", - "severity": "中程度", - "text": "ローカル データ所在地とリージョン コンプライアンスを備えたボットのデプロイ", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", + "severity": "高い", + "text": "ポッド仕様で要求と制限を構成する", + "waf": "オペレーションズ" }, { - "checklist": "Azure Bot Service", - "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", - "service": "Bot service", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "769ef669-1a48-435a-a942-223ece80b123", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "severity": "中程度", - "text": "Azure Bot Service は、グローバル サービスとリージョン サービスの両方に対してアクティブ/アクティブ モードで実行されます。停止が発生した場合、エラーを検出したり、サービスを管理したりする必要はありません。Azure Bot Service は、複数リージョンの地理的アーキテクチャで自動フェールオーバーと自動復旧を自動的に実行します。EU ボット リージョン サービスの場合、Azure Bot Service は、冗長性を確保するために、アクティブ/アクティブ レプリケーションを備えたヨーロッパ内の 2 つの完全なリージョンを提供します。グローバル ボット サービスの場合、使用可能なすべてのリージョン/地域をグローバル フットプリントとして提供できます。", - "waf": "確実" + "text": "名前空間のリソースクォータを適用する", + "waf": "オペレーションズ" }, { - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub は、保存データの暗号化を提供します。独自のキーを使用する場合、データは引き続き Microsoft マネージド キーを使用して暗号化されますが、さらに Microsoft マネージド キーはカスタマー マネージド キーを使用して暗号化されます。", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - 
"service": "Event Hubs", - "severity": "低い", - "text": "必要に応じて、保存データの暗号化でカスタマー マネージド キー オプションを使用する", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "081a5417-4158-433e-a3ad-3c2de733165c", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "AKS", + "severity": "高い", + "text": "サブスクリプションにノードプールをスケールアウトするのに十分なクォータがあることを確認する", + "waf": "オペレーションズ" }, { - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hubs 名前空間を使用すると、クライアントは TLS 1.0 以降でデータを送受信できます。より厳格なセキュリティ対策を適用するには、クライアントが新しいバージョンの TLS を使用してデータを送受信するように Event Hubs 名前空間を構成できます。Event Hubs 名前空間で TLS の最小バージョンが必要な場合、古いバージョンで行われた要求はすべて失敗します。", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "service": "Event Hubs", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", + "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "severity": "中程度", - "text": "要求に最低限必要なバージョンのトランスポート層セキュリティ (TLS) を適用する", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "安全" + "text": "Cluster Autoscaler を使用する", + "waf": "パフォーマンス" }, { - "checklist": "Azure Event Hub Review", - "description": "Event Hubs 名前空間を作成すると、名前空間に対して RootManageSharedAccessKey という名前のポリシー規則が自動的に作成されます。このポリシーには、名前空間全体に対する管理アクセス許可があります。このルールは、管理ルートアカウントのように扱い、アプリケーションでは使用しないことをお勧めします。RBAC で認証プロバイダーとして AAD を使用することをお勧めします。", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - 
"link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "service": "Event Hubs", - "severity": "中程度", - "text": "必要のない場合はrootアカウントの使用を避けてください", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", + "guid": "831c2872-c693-4b39-a887-a561bada49bc", + "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", + "service": "AKS", + "severity": "低い", + "text": "AKS ノード プールのノード構成をカスタマイズする", + "waf": "パフォーマンス" }, { - "checklist": "Azure Event Hub Review", - "description": "Azure リソースのマネージド ID は、Azure Virtual Machines (VM)、関数アプリ、Virtual Machine Scale Sets、その他のサービスで実行されているアプリケーションから Azure AD 資格情報を使用して、Event Hubs リソースへのアクセスを承認できます。Azure リソースのマネージド ID を Azure AD 認証と共に使用することで、クラウドで実行されるアプリケーションに資格情報を格納することを回避できます。", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "service": "Event Hubs", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "severity": "中程度", - "text": "可能な場合は、アプリケーションでマネージド ID を使用して Azure Event Hub に対する認証を行う必要があります。そうでない場合は、ストレージ資格情報 (SAS、サービス プリンシパル資格情報) を Azure Key Vault または同等のサービスに用意することを検討してください", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "安全" + "text": "必要に応じてHorizontal Pod Autoscalerを使用します", + "waf": "パフォーマンス" }, { - "checklist": "Azure Event Hub Review", - "description": "アクセス許可を作成するときは、Azure 
Event Hub へのクライアントのアクセスをきめ細かく制御します。Azure Event Hub のアクセス許可は、個々のリソース レベル (コンシューマー グループ、イベント ハブ エンティティ、イベント ハブ名前空間など) にスコープを設定する必要があり、またそうする必要があります。", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "service": "Event Hubs", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "ノードが大きくなると、パフォーマンスが向上し、エフェメラル ディスクや高速ネットワークなどの機能が提供されますが、爆発半径が大きくなり、スケーリングの粒度が低下します", + "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", + "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", + "service": "AKS", "severity": "高い", - "text": "最小特権データ プレーン RBAC を使用する", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "安全" + "text": "大きすぎず小さすぎない適切なノードサイズを検討してください", + "waf": "パフォーマンス" }, { - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub リソース ログには、操作ログ、仮想ネットワーク、Kafka ログが含まれます。ランタイム監査ログは、Event Hubs のすべてのデータ プレーン アクセス操作 (イベントの送受信など) に関する集計された診断情報をキャプチャします。", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "service": "Event Hubs", - "severity": "中程度", - "text": "セキュリティ調査のログ記録を有効にします。Azure Monitor を使用して、リソース ログ、ランタイム監査ログ、Kafka ログなどのメトリックとログをキャプチャします", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", + "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", + "service": "AKS", + "severity": "低い", + "text": "スケーラビリティのために 5,000 を超えるノードが必要な場合は、追加の AKS クラスターの使用を検討してください", + "waf": "パフォーマンス" }, { - "checklist": "Azure Event Hub Review", - "description": 
"既定では、Azure Event Hub にはパブリック IP アドレスがあり、インターネットに到達できます。プライベート エンドポイントを使用すると、仮想ネットワークと Azure Event Hub の間のトラフィックが Microsoft のバックボーン ネットワークを経由するようになります。それに加えて、パブリックエンドポイントを使用しない場合は無効にする必要があります。", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "service": "Event Hubs", - "severity": "中程度", - "text": "プライベート エンドポイントを使用して Azure Event Hub にアクセスし、該当する場合はパブリック ネットワーク アクセスを無効にすることを検討してください。", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", + "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", + "service": "AKS", + "severity": "低い", + "text": "AKS 自動化のために EventGrid イベントをサブスクライブすることを検討する", + "waf": "パフォーマンス" }, { - "checklist": "Azure Event Hub Review", - "description": "IP ファイアウォールを使用すると、パブリック エンドポイントを、CIDR (Classless Inter-Domain Routing) 表記の一連の IPv4 アドレスまたは IPv4 アドレス範囲のみに制限できます。", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "service": "Event Hubs", - "severity": "中程度", - "text": "特定の IP アドレスまたは範囲からの Azure Event Hub 名前空間へのアクセスのみを許可することを検討してください", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", + "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", + "service": "AKS", + "severity": "低い", + "text": "AKS クラスターで実行時間の長い操作を行う場合は、イベントの終了を検討してください", + "waf": "パフォーマンス" }, { - "checklist": "Azure Event Hub Review", - "guid": "31d41e36-11c8-417b-8afb-c410d4391898", - "link": 
"https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", - "service": "Event Hubs", - "severity": "中程度", - "text": "FTAレジリエンシーハンドブックの活用", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", + "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", + "service": "AKS", + "severity": "低い", + "text": "必要に応じて、AKS ノードに Azure Dedicated Hosts を使用することを検討してください", + "waf": "パフォーマンス" }, { - "checklist": "Azure Event Hub Review", - "description": "これは、ゾーン対応リージョンの Premium、Dedicated、または Standard SKU を使用してポータルから作成された新しい EH 名前空間に対して自動的にオンになります。EH メタデータとイベント データ自体の両方がゾーン間でレプリケートされます", - "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", - "service": "Event Hubs", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", + "guid": "24367b33-6971-45b1-952b-eee0b9b588de", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", "severity": "高い", - "text": "Availability Zones の活用 (地域的に適用可能な場合)", - "waf": "確実" + "text": "エフェメラル OS ディスクを使用する", + "waf": "パフォーマンス" }, { - "checklist": "Azure Event Hub Review", - "guid": "20b56c56-ad58-4519-8f82-735c586bb281", - "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", - "service": "Event Hubs", - "severity": "中程度", - "text": "予測可能なパフォーマンスのために Premium または Dedicated SKU を使用する", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + 
"guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "AKS", + "severity": "高い", + "text": "非エフェメラル ディスクの場合、複数のポッドを実行するには高いパフォーマンスが必要であり、既定の AKS ログ ローテーションしきい値で巨大なログが生成されるため、多くのポッド/ノードを実行する場合は、ノードに高い IOPS とより大きな OS ディスクを使用します", + "waf": "パフォーマンス" }, { - "checklist": "Azure Event Hub Review", - "description": "組み込みの geo ディザスター リカバリー機能を有効にすると、名前空間の構成全体 (Event Hubs、コンシューマー グループ、設定) がプライマリ名前空間からセカンダリ名前空間に継続的にレプリケートされ、プライマリからセカンダリへのフェールオーバーをいつでも 1 回だけ行うことができます。アクティブ/パッシブ機能は、アプリケーション構成を変更することなく、障害が発生した Azure リージョンからの復旧と破棄を容易にするように設計されています", - "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", - "service": "Event Hubs", - "severity": "高い", - "text": "アクティブ パッシブ構成を使用した Geo ディザスター リカバリーの計画", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", + "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", + "service": "AKS", + "severity": "低い", + "text": "ハイパー パフォーマンス ストレージ オプションの場合は、AKS 上の Ultra Disks を使用します", + "waf": "パフォーマンス" }, { - "checklist": "Azure Event Hub Review", - "description": "ダウンしたリージョンでのイベントデータの停止または損失を許容できない DR 構成に使用する必要があります。このような場合は、レプリケーションのガイダンスに従い、組み込みの geo ディザスター リカバリー機能 (アクティブ/パッシブ) を使用しないでください。アクティブ/アクティブでは、異なるリージョンと名前空間で複数の Event Hubs を保持し、イベントはハブ間でレプリケートされます", - "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", - "service": "Event Hubs", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", + "service": "AKS", "severity": "中程度", - "text": "ビジネス クリティカルなアプリケーションの場合は、アクティブ アクティブ構成を使用します", - "waf": "確実" + 
"text": "クラスター内に状態を保持することは避け、外部 (AzStorage、AzSQL、Cosmos など) にデータを格納します", + "waf": "パフォーマンス" }, { - "checklist": "Azure Event Hub Review", - "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", - "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", - "service": "Event Hubs", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", + "service": "AKS", + "severity": "中程度", + "text": "AzFiles Standard を使用する場合は、パフォーマンス上の理由から AzFiles Premium や ANF を検討してください", + "waf": "パフォーマンス" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", + "service": "AKS", "severity": "中程度", - "text": "回復力のある Event Hubs の設計", - "waf": "確実" + "text": "Azure ディスクと AZ を使用する場合は、適切なゾーンにストレージをプロビジョニングするために VolumeBindingMode:WaitForFirstConsumer を使用して LRS ディスクのゾーン内にノードプールを配置するか、複数のゾーンにまたがるノードプールに ZRS ディスクを使用することを検討してください", + "waf": "パフォーマンス" }, { "checklist": "Azure Application Delivery Networking", 
@@ -5598,2152 +5334,2261 @@ "waf": "確実" }, { - "ammp": true, + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", + "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "Front Door", + "severity": "高い", + "text": "Azure Front Door でマネージド TLS 証明書を使用します。運用コストと、証明書の更新による停止のリスクを軽減します。", + "waf": "オペレーションズ" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", + "service": "Front Door", + "severity": "中程度", + "text": "Azure Front Door WAF の構成をコードとして定義します。コードを使用すると、新しいルール セット バージョンをより簡単に採用し、追加の保護を得ることができます。", + "waf": "オペレーションズ" + }, + { + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", + "service": "Front Door", + "severity": "高い", + "text": "Azure Front Door でエンド ツー エンドの TLS を使用します。クライアントから Front Door への接続、および Front Door から配信元への接続には TLS を使用します。", + "waf": "安全" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", + "service": "Front Door", + "severity": "中程度", + "text": "Azure Front Door で HTTP から HTTPS へのリダイレクトを使用します。古いクライアントをHTTPSリクエストに自動的にリダイレクトすることでサポートします。", + "waf": "安全" + 
}, + { + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", + "service": "Front Door", + "severity": "高い", + "text": "Azure Front Door WAF を有効にします。さまざまな攻撃からアプリケーションを保護します。", + "waf": "安全" + }, + { + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", + "service": "Front Door", + "severity": "高い", + "text": "ワークロードに合わせて Azure Front Door WAF を調整します。誤検知を減らします。", + "waf": "安全" + }, + { + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "Front Door", + "severity": "高い", + "text": "Azure Front Door WAF ポリシーで要求本文検査機能を有効にします。", + "waf": "安全" + }, + { + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", + "service": "Front Door", + "severity": "高い", + "text": "Azure Front Door WAF の既定の規則セットを有効にします。既定のルール セットは、一般的な攻撃を検出してブロックします。", + "waf": "安全" + }, + { + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", + "service": "Front Door", + "severity": "高い", + "text": "Azure Front Door WAF ボット保護ルール セットを有効にします。ボットルールは、良いボットと悪いボットを検出します。", + "waf": "安全" + }, + { + "checklist": "Azure Application Delivery Networking", + 
"guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", + "service": "Front Door", + "severity": "中程度", + "text": "最新の Azure Front Door WAF ルール セット バージョンを使用します。ルール セットの更新は、現在の脅威の状況を考慮して定期的に更新されます。", + "waf": "安全" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "b9620385-1cde-418f-914b-a84a06982ffc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", + "service": "Front Door", + "severity": "中程度", + "text": "Azure Front Door WAF にレート制限を追加します。レート制限は、クライアントが短期間に大量のトラフィックを誤ってまたは意図的に送信することをブロックします。", + "waf": "安全" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", + "service": "Front Door", + "severity": "中程度", + "text": "Azure Front Door WAF のレート制限には、高いしきい値を使用します。高いレート制限しきい値は、正当なトラフィックのブロックを回避しながら、インフラストラクチャを圧倒する可能性のある非常に多数の要求に対する保護を提供します。", + "waf": "安全" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", + "service": "Front Door", + "severity": "低い", + "text": "すべての地域からのトラフィックが想定されていない場合は、地域フィルタを使用して、想定外の国からのトラフィックをブロックします。", + "waf": "安全" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "00acd8a9-6975-414f-8491-2be6309893b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", + "service": "Front Door", + "severity": "中程度", + "text": "Azure Front Door WAF を使用してトラフィックをジオフィルター処理するときに、不明な (ZZ) 場所を指定します。IP 
アドレスを地理的に一致させることができない場合に、正当な要求を誤ってブロックしないようにします。", + "waf": "安全" + }, + { + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", + "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", + "service": "App Gateway", + "severity": "高い", + "text": "Azure Application Gateway WAF ボット保護ルール セットを有効にする ボット ルールは、良いボットと悪いボットを検出します。", + "waf": "安全" + }, + { + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "App Gateway", + "severity": "高い", + "text": "Azure Application Gateway WAF ポリシーで有効になっている要求本文検査機能を有効にします。", + "waf": "安全" + }, + { + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", + "service": "App Gateway", + "severity": "高い", + "text": "ワークロードに合わせて Azure Application Gateway WAF を調整します。誤検知を減らします。", + "waf": "安全" + }, + { + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend 
securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "App Gateway", + "severity": "高い", + "text": "Application Gateway の WAF ポリシーを \"防止\" モードでデプロイします。", + "waf": "安全" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", + "service": "App Gateway", + "severity": "中程度", + "text": "Azure Application Gateway WAF にレート制限を追加します。レート制限は、クライアントが短期間に大量のトラフィックを誤ってまたは意図的に送信することをブロックします。", + "waf": "安全" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", + "service": "App Gateway", + "severity": "中程度", + "text": "Azure Application Gateway の WAF レート制限には高いしきい値を使用します。高いレート制限しきい値は、正当なトラフィックのブロックを回避しながら、インフラストラクチャを圧倒する可能性のある非常に多数の要求に対する保護を提供します。", + "waf": "安全" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "99937189-ff78-492a-b9ca-18d828d82b37", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", + "service": "App Gateway", + "severity": "低い", + "text": "すべての地域からのトラフィックが想定されていない場合は、地域フィルタを使用して、想定外の国からのトラフィックをブロックします。", + "waf": "安全" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", + "service": "App Gateway", + 
"severity": "中程度", + "text": "Azure Application Gateway WAF でトラフィックを geo フィルタリングするときに、不明 (ZZ) の場所を指定します。IP アドレスを地理的に一致させることができない場合に、正当な要求を誤ってブロックしないようにします。", + "waf": "安全" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", + "service": "App Gateway", + "severity": "中程度", + "text": "最新バージョンの Azure Application Gateway WAF ルール セットを使用します。ルール セットの更新は、現在の脅威の状況を考慮して定期的に更新されます。", + "waf": "安全" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "App Gateway", + "severity": "中程度", + "text": "診断設定を追加して、Azure Application Gateway の WAF ログを保存します。", + "waf": "オペレーションズ" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "Front Door", + "severity": "中程度", + "text": "診断設定を追加して、Azure Front Door WAF ログを保存します。", + "waf": "オペレーションズ" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "92664c60-47e3-4591-8b1b-8d557656e686", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", + "service": "App Gateway", + "severity": "中程度", + "text": "Azure Application Gateway WAF ログを Microsoft Sentinel に送信します。", + "waf": "オペレーションズ" + }, + { "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = 
(isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", - "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "guid": "845f5f91-9c21-4674-a725-5ce890850e20", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", "service": "Front Door", - "severity": "高い", - "text": "Azure Front Door でマネージド TLS 証明書を使用します。運用コストと、証明書の更新による停止のリスクを軽減します。", + "severity": "中程度", + "text": "Azure Front Door WAF ログを Microsoft Sentinel に送信します。", "waf": "オペレーションズ" }, { "checklist": "Azure Application Delivery Networking", - "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", - "service": "Front Door", + "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", + "service": "App Gateway", "severity": "中程度", - "text": "Azure Front Door WAF の構成をコードとして定義します。コードを使用すると、新しいルール セット バージョンをより簡単に採用し、追加の保護を得ることができます。", + "text": "Azure Application Gateway の WAF 構成をコードとして定義します。コードを使用すると、新しいルール セット バージョンをより簡単に採用し、追加の保護を得ることができます。", "waf": "オペレーションズ" }, { - "ammp": true, "checklist": "Azure Application Delivery Networking", - "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", - "service": "Front Door", - "severity": "高い", - "text": "Azure Front Door でエンド ツー エンドの TLS を使用します。クライアントから Front Door への接続、および Front Door から配信元への接続には TLS を使用します。", - "waf": "安全" + "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", + "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", + "service": "App Gateway", + "severity": "中程度", + "text": "従来のWAF構成のかわりにWAFポリシーを使用します。", + "waf": "オペレーションズ" }, { "checklist": "Azure Application Delivery Networking", - "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", - "service": "Front Door", + "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", + "service": "App Gateway", "severity": "中程度", - "text": "Azure Front Door で HTTP から HTTPS へのリダイレクトを使用します。古いクライアントをHTTPSリクエストに自動的にリダイレクトすることでサポートします。", + "text": "バックエンドの受信トラフィックをフィルター処理して、Application Gateway サブネットからの接続 (NSG など) のみを受け入れるようにします。", "waf": "安全" }, { - "ammp": true, "checklist": "Azure Application Delivery Networking", - "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", + "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", + "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", "service": "Front Door", - "severity": "高い", - "text": "Azure Front Door WAF を有効にします。さまざまな攻撃からアプリケーションを保護します。", + "severity": "中程度", + "text": "配信元が Azure Front Door インスタンスからのトラフィックのみを受け取るようにします。", "waf": "安全" }, { - "ammp": true, "checklist": "Azure Application Delivery Networking", - "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", - "service": "Front Door", + "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", + "service": "App Gateway", "severity": "高い", - "text": "ワークロードに合わせて Azure Front Door WAF を調整します。誤検知を減らします。", + "text": "バックエンド・サーバーへのトラフィックを暗号化する必要があります。", "waf": "安全" }, { - "ammp": true, 
"checklist": "Azure Application Delivery Networking", - "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "Front Door", + "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", + "service": "App Gateway", "severity": "高い", - "text": "Azure Front Door WAF ポリシーで要求本文検査機能を有効にします。", + "text": "Web アプリケーション ファイアウォールを使用する必要があります。", "waf": "安全" }, { - "ammp": true, "checklist": "Azure Application Delivery Networking", - "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", - "service": "Front Door", - "severity": "高い", - "text": "Azure Front Door WAF の既定の規則セットを有効にします。既定のルール セットは、一般的な攻撃を検出してブロックします。", + "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", + "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", + "service": "App Gateway", + "severity": "中程度", + "text": "HTTPをHTTPSにリダイレクトする", "waf": "安全" }, { - "ammp": true, "checklist": "Azure Application Delivery Networking", - "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", - "service": "Front Door", + "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", + "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", + "service": "App Gateway", + "severity": "中程度", + "text": "ゲートウェイ管理の Cookie を使用して、ユーザー セッションから同じサーバーにトラフィックを送信して処理する", + "waf": "オペレーションズ" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", + 
"service": "App Gateway", "severity": "高い", - "text": "Azure Front Door WAF ボット保護ルール セットを有効にします。ボットルールは、良いボットと悪いボットを検出します。", + "text": "計画されたサービス更新中に接続ドレインを有効にして、バックエンド プールの既存のメンバーへの接続が失われないようにします", "waf": "安全" }, { "checklist": "Azure Application Delivery Networking", - "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", - "service": "Front Door", - "severity": "中程度", - "text": "最新の Azure Front Door WAF ルール セット バージョンを使用します。ルール セットの更新は、現在の脅威の状況を考慮して定期的に更新されます。", - "waf": "安全" + "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", + "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", + "service": "App Gateway", + "severity": "低い", + "text": "カスタムエラーページを作成して、パーソナライズされたユーザーエクスペリエンスを表示する", + "waf": "オペレーションズ" }, { "checklist": "Azure Application Delivery Networking", - "guid": "b9620385-1cde-418f-914b-a84a06982ffc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", - "service": "Front Door", + "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", + "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", + "service": "App Gateway", "severity": "中程度", - "text": "Azure Front Door WAF にレート制限を追加します。レート制限は、クライアントが短期間に大量のトラフィックを誤ってまたは意図的に送信することをブロックします。", + "text": "HTTPリクエストとレスポンスヘッダーを編集して、クライアントとサーバー間のルーティングと情報交換を容易にします", "waf": "安全" }, { "checklist": "Azure Application Delivery Networking", - "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", - "service": "Front Door", + "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "App Gateway", "severity": "中程度", - "text": "Azure Front Door WAF 
のレート制限には、高いしきい値を使用します。高いレート制限しきい値は、正当なトラフィックのブロックを回避しながら、インフラストラクチャを圧倒する可能性のある非常に多数の要求に対する保護を提供します。", - "waf": "安全" + "text": "Front Door を構成して、グローバルな Web トラフィック ルーティングとトップレベルのエンド ユーザーのパフォーマンスを最適化し、迅速なグローバル フェールオーバーを通じて信頼性を確保します", + "waf": "パフォーマンス" }, { "checklist": "Azure Application Delivery Networking", - "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", - "service": "Front Door", - "severity": "低い", - "text": "すべての地域からのトラフィックが想定されていない場合は、地域フィルタを使用して、想定外の国からのトラフィックをブロックします。", - "waf": "安全" + "guid": "29dcc19f-a8fa-4c35-8281-290577538793", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "App Gateway", + "severity": "中程度", + "text": "トランスポート層の負荷分散を使用する", + "waf": "パフォーマンス" }, { "checklist": "Azure Application Delivery Networking", - "guid": "00acd8a9-6975-414f-8491-2be6309893b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", - "service": "Front Door", + "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", + "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", + "service": "App Gateway", "severity": "中程度", - "text": "Azure Front Door WAF を使用してトラフィックをジオフィルター処理するときに、不明な (ZZ) 場所を指定します。IP アドレスを地理的に一致させることができない場合に、正当な要求を誤ってブロックしないようにします。", + "text": "1 つのゲートウェイ上の複数の Web アプリケーションのホスト名またはドメイン名に基づいてルーティングを構成する", "waf": "安全" }, { - "ammp": true, "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", - "guid": 
"2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", + "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", + "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", "service": "App Gateway", - "severity": "高い", - "text": "Azure Application Gateway WAF ボット保護ルール セットを有効にする ボット ルールは、良いボットと悪いボットを検出します。", + "severity": "中程度", + "text": "SSL証明書管理を一元化して、バックエンドサーバーファームからの暗号化と復号化のオーバーヘッドを削減", "waf": "安全" }, { - "ammp": true, "checklist": "Azure Application Delivery Networking", - "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", "service": "App Gateway", - "severity": "高い", - "text": "Azure Application Gateway WAF ポリシーで有効になっている要求本文検査機能を有効にします。", + "severity": "低い", + "text": "Application Gateway を使用して WebSocket と HTTP/2 プロトコルをネイティブにサポートする", "waf": "安全" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", - "service": "App Gateway", + "checklist": "Azure Function Review", + "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", "severity": "高い", - "text": "ワークロードに合わせて Azure Application Gateway WAF を調整します。誤検知を減らします。", - "waf": "安全" + "text": "ビジネスとSLOの要件に基づいて適切な関数ホスティングプランを選択します", + "waf": "確実" + }, + { + "checklist": "Azure Function Review", + "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + 
"service": "Azure Functions", + "severity": "高い", + "text": "リージョンで適用可能な場合は Availability Zones を活用します (従量課金レベルでは使用できません)", + "waf": "確実" + }, + { + "checklist": "Azure Function Review", + "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", + "service": "Azure Functions", + "severity": "中程度", + "text": "重要なワークロードに対するリージョン間 DR 戦略を検討する", + "waf": "確実" + }, + { + "checklist": "Azure Function Review", + "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Azure Functions", + "severity": "高い", + "text": "分離環境にデプロイする場合は、App Service Environment (ASE) v3 を使用するか、それらに移行します", + "waf": "確実" + }, + { + "checklist": "Azure Function Review", + "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "Azure Functions", + "severity": "高い", + "text": "App Service プランで実行されているすべての関数アプリで \"Always On\" が有効になっていることを確認する", + "waf": "確実" + }, + { + "checklist": "Azure Function Review", + "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", + "service": "Azure Functions", + "severity": "中程度", + "text": "関数アプリを独自のストレージ アカウントにペアリングします。Function Apps のストレージ アカウントは、緊密に結合されていない限り、再利用しないようにしてください", + "waf": "確実" + }, + { + "checklist": "Azure Function Review", + "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "Azure Functions", + "severity": "中程度", + "text": "Azure DevOps または GitHub を活用して CI/CD を合理化し、関数アプリのコードを保護します", + "waf": "オペレーションズ" + }, + { + "checklist": "Azure Spring Apps Review", + "guid": 
"6d8e32a8-3892-479d-a40b-10f6b4f6f298", + "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", + "service": "Spring Apps", + "severity": "中程度", + "text": "Azure Spring Apps では、アプリごとに 2 つのデプロイが許可され、そのうちの 1 つだけが運用トラフィックを受信します。ブルーグリーンデプロイ戦略により、ダウンタイムをゼロにすることができます。ブルー グリーン デプロイは、Standard レベルと Enterprise レベルでのみ使用できます。CI/CD と ADO/GitHub Actions を使用してデプロイを自動化できます", + "waf": "確実" + }, + { + "checklist": "Azure Spring Apps Review", + "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", + "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", + "service": "Spring Apps", + "severity": "中程度", + "text": "Azure Spring Apps インスタンスは、アプリケーション用に複数のリージョンに作成でき、トラフィックは Traffic Manager/Front Door によってルーティングできます。", + "waf": "確実" + }, + { + "checklist": "Azure Spring Apps Review", + "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", + "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", + "service": "Spring Apps", + "severity": "中程度", + "text": "サポートされているリージョンでは、Azure Spring Apps をゾーン冗長としてデプロイできるため、インスタンスは可用性ゾーン間で自動的に分散されます。この機能は、Standard レベルと Enterprise レベルでのみ使用できます。", + "waf": "確実" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", - "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", - "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "App Gateway", - "severity": "高い", - "text": "Application Gateway の WAF ポリシーを \"防止\" モードでデプロイします。", - "waf": "安全" + "checklist": "Azure Spring Apps Review", + "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", + "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", + "service": "Spring Apps", + "severity": "中程度", + "text": "アプリに複数のアプリ インスタンスを使用する", + "waf": "確実" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", - "service": "App Gateway", + "checklist": "Azure Spring Apps Review", + "guid": "7504c230-6035-4183-95a5-85762acc6075", + "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", + "service": "Spring Apps", "severity": "中程度", - "text": "Azure Application Gateway WAF にレート制限を追加します。レート制限は、クライアントが短期間に大量のトラフィックを誤ってまたは意図的に送信することをブロックします。", - "waf": "安全" + "text": "Azure Spring Apps をログ、メトリック、トレースで監視します。ASA を Application Insights と統合し、障害を追跡し、ブックを作成します。", + "waf": "確実" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", - "service": "App Gateway", + "checklist": "Azure Spring Apps Review", + "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", + "service": "Spring Apps", "severity": "中程度", - "text": "Azure Application Gateway の WAF レート制限には高いしきい値を使用します。高いレート制限しきい値は、正当なトラフィックのブロックを回避しながら、インフラストラクチャを圧倒する可能性のある非常に多数の要求に対する保護を提供します。", - "waf": "安全" + "text": "Spring Cloud Gateway で自動スケーリングを設定する", + "waf": "確実" }, { - "checklist": "Azure Application Delivery Networking", - 
"guid": "99937189-ff78-492a-b9ca-18d828d82b37", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", - "service": "App Gateway", + "checklist": "Azure Spring Apps Review", + "guid": "97411607-b6fd-4335-99d1-9885faf4e392", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", + "service": "Spring Apps", "severity": "低い", - "text": "すべての地域からのトラフィックが想定されていない場合は、地域フィルタを使用して、想定外の国からのトラフィックをブロックします。", - "waf": "安全" + "text": "Standard 従量課金プランと専用プランのアプリの自動スケーリングを有効にします。", + "waf": "確実" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", - "service": "App Gateway", + "checklist": "Azure Spring Apps Review", + "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", + "link": "https://learn.microsoft.com/azure/spring-apps/overview", + "service": "Spring Apps", "severity": "中程度", - "text": "Azure Application Gateway WAF でトラフィックを geo フィルタリングするときに、不明 (ZZ) の場所を指定します。IP アドレスを地理的に一致させることができない場合に、正当な要求を誤ってブロックしないようにします。", - "waf": "安全" + "text": "ミッション クリティカルなアプリの Spring Boot の商用サポートには、Enterprise プランを使用します。他のレベルでは、OSS のサポートを受けることができます。", + "waf": "確実" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", - "service": "App Gateway", - "severity": "中程度", - "text": "最新バージョンの Azure Application Gateway WAF ルール セットを使用します。ルール セットの更新は、現在の脅威の状況を考慮して定期的に更新されます。", - "waf": "安全" + "checklist": "Device Provisioning Service Review", + "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", + "service": "IoT Hub DPS", + "severity": "高い", + "text": "ビジネスと SLO の要件に基づいて適切なロジック アプリのホスティング プランを選択する", + 
"waf": "確実" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "App Gateway", - "severity": "中程度", - "text": "診断設定を追加して、Azure Application Gateway の WAF ログを保存します。", - "waf": "オペレーションズ" + "checklist": "Device Provisioning Service Review", + "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "IoT Hub DPS", + "severity": "高い", + "text": "ゾーンの冗長性と可用性ゾーンを使用してリージョンの障害からロジック アプリを保護する", + "waf": "確実" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "Front Door", - "severity": "中程度", - "text": "診断設定を追加して、Azure Front Door WAF ログを保存します。", - "waf": "オペレーションズ" + "checklist": "Device Provisioning Service Review", + "guid": "8aed4fbf-0830-4883-899d-222a154af478", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "IoT Hub DPS", + "severity": "高い", + "text": "重要なワークロードに対するリージョン間 DR 戦略を検討する", + "waf": "確実" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "92664c60-47e3-4591-8b1b-8d557656e686", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", - "service": "App Gateway", - "severity": "中程度", - "text": "Azure Application Gateway WAF ログを Microsoft Sentinel に送信します。", - "waf": "オペレーションズ" + "checklist": "Device Provisioning Service Review", + "guid": 
"da0f033e-d180-4f36-9aa4-c468dba14203", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "IoT Hub DPS", + "severity": "高い", + "text": "分離環境にデプロイする場合は、App Service Environment (ASE) v3 を使用するか、それらに移行します", + "waf": "確実" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "845f5f91-9c21-4674-a725-5ce890850e20", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "Front Door", + "checklist": "Device Provisioning Service Review", + "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "IoT Hub DPS", "severity": "中程度", - "text": "Azure Front Door WAF ログを Microsoft Sentinel に送信します。", + "text": "Azure DevOps または GitHub を活用して CI/CD を合理化し、ロジック アプリ コードを保護", "waf": "オペレーションズ" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", - "service": "App Gateway", - "severity": "中程度", - "text": "Azure Application Gateway の WAF 構成をコードとして定義します。コードを使用すると、新しいルール セット バージョンをより簡単に採用し、追加の保護を得ることができます。", - "waf": "オペレーションズ" + "checklist": "Azure App Service Review", + "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", + "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", + "service": "App Services", + "severity": "低い", + "text": "ベスト プラクティスについては、「ベースラインの高可用性ゾーン冗長 Web アプリケーション アーキテクチャ」を参照してください", + "waf": "確実" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", - "service": "App Gateway", + "checklist": "Azure App Service 
Review", + "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", + "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", + "service": "App Services", "severity": "中程度", - "text": "従来のWAF構成のかわりにWAFポリシーを使用します。", - "waf": "オペレーションズ" + "text": "Premium レベルと Standard レベルを使用します。これらの層では、ステージング スロットと自動バックアップがサポートされています。", + "waf": "確実" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", - "service": "App Gateway", - "severity": "中程度", - "text": "バックエンドの受信トラフィックをフィルター処理して、Application Gateway サブネットからの接続 (NSG など) のみを受け入れるようにします。", - "waf": "安全" + "checklist": "Azure App Service Review", + "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", + "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", + "service": "App Services", + "severity": "高い", + "text": "リージョンで適用可能な場合は Availability Zones を活用します (Premium v2 または v3 レベルが必要)", + "waf": "確実" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", - "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", - "service": "Front Door", + "checklist": "Azure App Service Review", + "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", "severity": "中程度", - "text": "配信元が Azure Front Door インスタンスからのトラフィックのみを受け取るようにします。", - "waf": "安全" + "text": "ヘルスチェックの実装", + "waf": "確実" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", - "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", - "service": "App Gateway", + "checklist": "Azure App Service Review", + "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", + "link": 
"https://learn.microsoft.com/en-us/azure/app-service/manage-backup", + "service": "App Services", "severity": "高い", - "text": "バックエンド・サーバーへのトラフィックを暗号化する必要があります。", - "waf": "安全" + "text": "「Azure App Service のバックアップと復元のベスト プラクティス」を参照してください", + "waf": "確実" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", - "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", - "service": "App Gateway", + "checklist": "Azure App Service Review", + "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", + "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", + "service": "App Services", "severity": "高い", - "text": "Web アプリケーション ファイアウォールを使用する必要があります。", - "waf": "安全" - }, - { - "checklist": "Azure Application Delivery Networking", - "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", - "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", - "service": "App Gateway", - "severity": "中程度", - "text": "HTTPをHTTPSにリダイレクトする", - "waf": "安全" + "text": "Azure App Service の信頼性に関するベスト プラクティスを実装する", + "waf": "確実" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", - "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", - "service": "App Gateway", - "severity": "中程度", - "text": "ゲートウェイ管理の Cookie を使用して、ユーザー セッションから同じサーバーにトラフィックを送信して処理する", - "waf": "オペレーションズ" + "checklist": "Azure App Service Review", + "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", + "service": "App Services", + "severity": "低い", + "text": "災害時に App Service アプリを別のリージョンに移動する方法を理解する", + "waf": "確実" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", - "link": 
"https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", - "service": "App Gateway", + "checklist": "Azure App Service Review", + "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", + "service": "App Services", "severity": "高い", - "text": "計画されたサービス更新中に接続ドレインを有効にして、バックエンド プールの既存のメンバーへの接続が失われないようにします", - "waf": "安全" + "text": "Azure App Service の信頼性サポートについて理解する", + "waf": "確実" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", - "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", - "service": "App Gateway", - "severity": "低い", - "text": "カスタムエラーページを作成して、パーソナライズされたユーザーエクスペリエンスを表示する", - "waf": "オペレーションズ" + "checklist": "Azure App Service Review", + "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "App Services", + "severity": "中程度", + "text": "App Service プランで実行されている Function Apps に対して \"Always On\" が有効になっていることを確認する", + "waf": "確実" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", - "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", - "service": "App Gateway", + "checklist": "Azure App Service Review", + "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", "severity": "中程度", - "text": "HTTPリクエストとレスポンスヘッダーを編集して、クライアントとサーバー間のルーティングと情報交換を容易にします", - "waf": "安全" + "text": "正常性チェックを使用した App Service インスタンスの監視", + "waf": "確実" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "App Gateway", + "checklist": "Azure 
App Service Review", + "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", + "service": "App Services", "severity": "中程度", - "text": "Front Door を構成して、グローバルな Web トラフィック ルーティングとトップレベルのエンド ユーザーのパフォーマンスを最適化し、迅速なグローバル フェールオーバーを通じて信頼性を確保します", - "waf": "パフォーマンス" + "text": "Application Insights の可用性テストを使用して Web アプリまたは Web サイトの可用性と応答性を監視する", + "waf": "確実" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "29dcc19f-a8fa-4c35-8281-290577538793", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "App Gateway", - "severity": "中程度", - "text": "トランスポート層の負荷分散を使用する", - "waf": "パフォーマンス" + "checklist": "Azure App Service Review", + "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", + "service": "App Services", + "severity": "低い", + "text": "Application Insights Standard テストを使用して、Web アプリまたは Web サイトの可用性と応答性を監視する", + "waf": "確実" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", - "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", - "service": "App Gateway", - "severity": "中程度", - "text": "1 つのゲートウェイ上の複数の Web アプリケーションのホスト名またはドメイン名に基づいてルーティングを構成する", + "checklist": "Azure App Service Review", + "description": "Azure Key Vault を使用して、アプリケーションに必要なシークレットを格納します。 Key Vault は、シークレットを格納するための安全で監査された環境を提供し、Key Vault SDK または App Service Key Vault リファレンスを通じて App Service と適切に統合されています。", + "guid": "834ac932-223e-4ce8-8b12-3071a5416415", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", + "severity": "高い", + "text": "Key Vault を使用してシークレットを格納する", "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", - "link": 
"https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", - "service": "App Gateway", - "severity": "中程度", - "text": "SSL証明書管理を一元化して、バックエンドサーバーファームからの暗号化と復号化のオーバーヘッドを削減", + "checklist": "Azure App Service Review", + "description": "マネージド ID を使用して、Key Vault SDK または App Service Key Vault 参照を使用して Key Vault に接続します。", + "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", + "severity": "高い", + "text": "マネージド ID を使用して Key Vault に接続する", "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", - "service": "App Gateway", - "severity": "低い", - "text": "Application Gateway を使用して WebSocket と HTTP/2 プロトコルをネイティブにサポートする", + "checklist": "Azure App Service Review", + "description": "App Service TLS 証明書を Key Vault に格納します。", + "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", + "service": "App Services", + "severity": "高い", + "text": "Key Vault を使用して TLS 証明書を格納します。", "waf": "安全" }, { - "checklist": "Azure Blob Storage Review", - "description": "ストレージに関連する Microsoft クラウド セキュリティ ベンチマークのガイダンスを適用する", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Azure Storage", + "checklist": "Azure App Service Review", + "description": "機密情報を処理するシステムは分離する必要があります。 そのためには、個別の App Service プランまたは App Service Environment を使用し、異なるサブスクリプションまたは管理グループの使用を検討してください。", + "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", + "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", + "service": "App Services", "severity": "中程度", - "text": "\"ストレージの Azure セキュリティ ベースライン\" を検討する", + "text": 
"機密情報を処理するシステムを分離する", "waf": "安全" }, { - "checklist": "Azure Blob Storage Review", - "description": "既定では、Azure Storage にはパブリック IP アドレスがあり、インターネットにアクセス可能です。プライベート エンドポイントを使用すると、アクセスが必要な Azure コンピューティング リソースにのみ Azure Storage を安全に公開できるため、パブリック インターネットへの露出を排除できます", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Azure Storage", - "severity": "高い", - "text": "Azure Storage にプライベート エンドポイントを使用することを検討する", + "checklist": "Azure App Service Review", + "description": "App Service のローカル ディスクは暗号化されていないため、機密データを格納しないでください。 (例: D:\\\\Local and %TMP%)。", + "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", + "service": "App Services", + "severity": "中程度", + "text": "機密データをローカルディスクに保存しない", "waf": "安全" }, { - "checklist": "Azure Blob Storage Review", - "description": "新しく作成されたストレージ アカウントは、RBAC や監査などがすべて有効になるように、ARM デプロイ モデルを使用して作成されます。サブスクリプションにクラシック デプロイ モデルの古いストレージ アカウントがないことを確認する", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Azure Storage", + "checklist": "Azure App Service Review", + "description": "認証された Web アプリケーションの場合は、Azure AD や Azure AD B2C などの確立された ID プロバイダーを使用します。 選択したアプリケーション フレームワークを利用して、このプロバイダーと統合するか、App Service の認証/承認機能を使用します。", + "guid": "919ca0b2-c121-459e-814b-933df574eccc", + "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", + "service": "App Services", "severity": "中程度", - "text": "古いストレージ アカウントで \"クラシック デプロイ モデル\" が使用されていないことを確認する", + "text": "認証に確立された ID プロバイダーを使用する", "waf": "安全" }, { - "checklist": "Azure Blob Storage Review", - "description": "Microsoft Defender を活用して、不審なアクティビティや構成ミスについて学習します。", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": 
"https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Azure Storage", + "checklist": "Azure App Service Review", + "description": "適切に管理され、セキュリティで保護された DevOps デプロイ パイプラインなど、制御された信頼できる環境から App Service にコードをデプロイします。これにより、バージョン管理されておらず、悪意のあるホストからデプロイされることが確認されていないコードが回避されます。", + "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", + "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", + "service": "App Services", "severity": "高い", - "text": "すべてのストレージ アカウントに対して Microsoft Defender を有効にする", + "text": "信頼できる環境からのデプロイ", "waf": "安全" }, { - "checklist": "Azure Blob Storage Review", - "description": "論理的な削除メカニズムを使用すると、誤って削除された BLOB を回復できます。", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Azure Storage", - "severity": "中程度", - "text": "BLOB の \"論理的な削除\" を有効にする", + "checklist": "Azure App Service Review", + "description": "FTP/FTPS と WebDeploy/SCM の両方の基本認証を無効にします。 これにより、これらのサービスへのアクセスが無効になり、デプロイに Azure AD で保護されたエンドポイントの使用が強制されます。 SCM サイトは、Azure AD 資格情報を使用して開くこともできます。", + "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", + "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", + "service": "App Services", + "severity": "高い", + "text": "基本認証の無効化", "waf": "安全" }, { - "checklist": "Azure Blob Storage Review", - "description": "たとえば、機密性、プライバシー、コンプライアンス上の理由などから、削除された情報がすぐに削除されるようにアプリケーションで確認する必要がある場合など、特定の BLOB コンテナーに対して \"論理的な削除\" を選択的に無効にすることを検討してください。", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", - "severity": "中程度", - "text": "BLOB の '論理的な削除' を無効にする", + "checklist": "Azure App Service Review", + "description": "可能な場合は、マネージド ID を使用して Azure AD のセキュリティで保護されたリソースに接続します。 これが不可能な場合は、Key Vault にシークレットを格納し、代わりにマネージド ID を使用して Key Vault 
に接続します。", + "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", + "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", + "service": "App Services", + "severity": "高い", + "text": "マネージド ID を使用してリソースに接続する", "waf": "安全" }, { - "checklist": "Azure Blob Storage Review", - "description": "コンテナーの論理的な削除を使用すると、コンテナーが削除された後に回復できます (たとえば、偶発的な削除操作から回復します)。", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Azure Storage", + "checklist": "Azure App Service Review", + "description": "Azure Container Registry に格納されているイメージを使用する場合は、マネージド ID を使用してこれらをプルします。", + "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", + "service": "App Services", "severity": "高い", - "text": "コンテナーの \"論理的な削除\" を有効にする", + "text": "マネージド ID を使用してコンテナーをプルするPull containers using a Managed Identity", "waf": "安全" }, { - "checklist": "Azure Blob Storage Review", - "description": "たとえば、機密性、プライバシー、コンプライアンス上の理由などから、削除された情報がすぐに削除されるようにアプリケーションで確認する必要がある場合など、特定の BLOB コンテナーに対して \"論理的な削除\" を選択的に無効にすることを検討してください。", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", + "checklist": "Azure App Service Review", + "description": "App Service の診断設定を構成することで、ログ記録と監視の中央の宛先として、すべてのテレメトリを Log Analytics に送信できます。これにより、HTTP ログ、アプリケーション ログ、プラットフォーム ログなどの App Service のランタイム アクティビティを監視できます。", + "guid": "47768314-c115-4775-a2ea-55b46ad48408", + "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", + "service": "App Services", "severity": "中程度", - "text": "コンテナーの \"論理的な削除\" を無効にする", + "text": "App Service ランタイム ログを Log Analytics に送信する", "waf": "安全" }, { - "checklist": "Azure Blob Storage Review", - 
"description": "削除前に削除ロックを最初に解除するようにユーザーに強制することで、ストレージ アカウントが誤って削除されないようにします", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", - "severity": "高い", - "text": "ストレージ アカウントでのリソース ロックの有効化", + "checklist": "Azure App Service Review", + "description": "ログ記録と監視の中央の宛先としてアクティビティ ログを Log Analytics に送信するための診断設定を設定します。これにより、App Service リソース自体のコントロール プレーンのアクティビティを監視できます。", + "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", + "service": "App Services", + "severity": "中程度", + "text": "App Service アクティビティ ログを Log Analytics に送信する", "waf": "安全" }, { - "checklist": "Azure Blob Storage Review", - "description": "BLOB の \"訴訟ホールド\" または \"時間ベースの保持\" ポリシーを検討して、BLOB、コンテナー、またはストレージ アカウントを削除できないようにします。「不可能」は実際には「不可能」を意味することに注意してください。ストレージ アカウントに不変の BLOB が含まれる場合、そのストレージ アカウントを \"取り除く\" 唯一の方法は、Azure サブスクリプションを取り消すことです。", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Azure Storage", - "severity": "高い", - "text": "不変の BLOB を検討する", + "checklist": "Azure App Service Review", + "description": "リージョンの VNet 統合、ネットワーク セキュリティ グループ、および UDR の組み合わせを使用して、送信ネットワーク アクセスを制御します。 トラフィックは、Azure Firewall などの NVA にルーティングする必要があります。 ファイアウォールのログを必ず監視してください。", + "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", + "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", + "service": "App Services", + "severity": "中程度", + "text": "送信ネットワーク アクセスを制御する必要がある", "waf": "安全" }, { - "checklist": "Azure Blob Storage Review", - "description": "ストレージ アカウントへの保護されていない HTTP/80 アクセスを無効にして、すべてのデータ転送が暗号化され、整合性が保護され、サーバーが認証されるようにすることを検討してください。", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Azure 
Storage", - "severity": "高い", - "text": "HTTPS を要求する (つまり、ストレージ アカウントのポート 80 を無効にする)", + "checklist": "Azure App Service Review", + "description": "VNet 統合を使用し、VNet NAT ゲートウェイまたは Azure Firewall などの NVA を使用することで、安定した送信 IP を提供できます。 これにより、受信側は必要に応じて IP に基づいて許可リストに登録できます。 多くの場合、Azure サービスへの通信では、IP アドレスに依存する必要はなく、代わりにサービス エンドポイントなどのメカニズムを使用する必要があります。 (また、受信側でプライベート エンドポイントを使用すると、SNAT の発生が回避され、安定した送信 IP 範囲が提供されます)。", + "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", + "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", + "service": "App Services", + "severity": "低い", + "text": "インターネットアドレスへの送信通信のIPを安定させる", "waf": "安全" }, { - "checklist": "Azure Blob Storage Review", - "description": "ストレージ アカウントでカスタム ドメイン (ホスト名) を構成する場合は、TLS/HTTPS が必要かどうかを確認します。その場合は、ストレージ アカウントの前に Azure CDN を配置する必要があります。", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Azure Storage", + "checklist": "Azure App Service Review", + "description": "App Service のアクセス制限、サービス エンドポイント、またはプライベート エンドポイントの組み合わせを使用して、受信ネットワーク アクセスを制御します。Web アプリ自体と SCM サイトに対して異なるアクセス制限を要求し、構成できます。", + "guid": "0725769e-e669-41a4-a34a-c932223ece80", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "severity": "高い", - "text": "HTTPS を適用する (HTTP を無効にする) 場合は、ストレージ アカウントにカスタム ドメイン (CNAME) を使用していないことを確認します。", + "text": "受信ネットワーク アクセスを制御する必要がある", "waf": "安全" }, { - "checklist": "Azure Blob Storage Review", - "description": "クライアントが SAS トークンを使用して BLOB データにアクセスするときに HTTPS を要求すると、資格情報が失われるリスクを最小限に抑えることができます。", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Azure Storage", - "severity": "中程度", - "text": "Shared Access Signature (SAS) トークンを HTTPS 接続のみに制限する", + "checklist": "Azure App Service Review", + "description": 
"Application Gateway や Azure Front Door などの Web アプリケーション ファイアウォールを使用して、悪意のある受信トラフィックから保護します。 WAFのログを必ず監視してください。", + "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", + "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", + "service": "App Services", + "severity": "高い", + "text": "App Service の前で WAF を使用するUse a WAF in Front of App Service", "waf": "安全" }, - { - "checklist": "Azure Blob Storage Review", - "description": "AAD トークンは、可能な限り、共有アクセス署名よりも優先する必要があります", - "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", - "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", - "service": "Azure Storage", + { + "checklist": "Azure App Service Review", + "description": "WAFのみへのアクセスをロックダウンすることで、WAFをバイパスできないようにします。 アクセス制限、サービス・エンドポイントおよびプライベート・エンドポイントを組み合わせて使用します。", + "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "severity": "高い", - "text": "BLOB アクセスに Azure Active Directory (Azure AD) トークンを使用する", + "text": "WAFをバイパスすることは避けてください", "waf": "安全" }, { - "checklist": "Azure Blob Storage Review", - "description": "ユーザー、グループ、またはアプリケーションにロールを割り当てる場合は、タスクの実行に必要なアクセス許可のみをセキュリティ プリンシパルに付与します。リソースへのアクセスを制限することで、意図しないデータの誤用と悪意のあるデータの誤用の両方を防ぐことができます。", - "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", - "service": "Azure Storage", + "checklist": "Azure App Service Review", + "description": "App Service の構成で最小 TLS ポリシーを 1.2 に設定します。", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", + "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", + "service": "App Services", "severity": "中程度", - "text": "IaM アクセス許可の最小特権", + "text": "最小 TLS ポリシーを 1.2 に設定します。", "waf": "安全" }, { - "checklist": "Azure Blob 
Storage Review", - "description": "ユーザー委任 SAS は、Azure Active Directory (Azure AD) 資格情報と、SAS に指定されたアクセス許可によってセキュリティで保護されます。ユーザー委任 SAS は、そのスコープと機能の点でサービス SAS に似ていますが、サービス SAS よりもセキュリティ上の利点があります。", - "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", - "service": "Azure Storage", + "checklist": "Azure App Service Review", + "description": "HTTPS のみを使用するように App Service を構成します。 これにより、App Service は HTTP から HTTPS にリダイレクトされます。 HTTP Strict Transport Security (HSTS) をコード内または WAF から使用して、サイトに HTTPS を使用してのみアクセスする必要があることをブラウザーに通知することを強く検討してください。", + "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", + "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", + "service": "App Services", "severity": "高い", - "text": "SAS を使用する場合は、ストレージ アカウント キー ベースの SAS よりも \"ユーザー委任 SAS\" を優先します。", + "text": "HTTPS のみを使用", "waf": "安全" }, { - "checklist": "Azure Blob Storage Review", - "description": "ストレージ アカウント キー (\"共有キー\") には、監査機能がほとんどありません。誰がいつキーのコピーを取得したかを監視できますが、キーが複数の人の手に渡ると、使用状況を特定のユーザーに帰属させることは不可能です。AAD 認証のみに依存することで、ストレージへのアクセスをユーザーに結び付けやすくなります。", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", - "service": "Azure Storage", + "checklist": "Azure App Service Review", + "description": "CORS 構成では、すべての配信元がサービスにアクセスできるため、ワイルドカードを使用しないでください (これにより、CORS の目的が損なわれます)。具体的には、サービスにアクセスできると予想される配信元のみを許可します。", + "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", + "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", + "service": "App Services", "severity": "高い", - "text": "ストレージ アカウント キーを無効にして、AAD アクセス (およびユーザー委任 SAS) 
のみがサポートされるようにすることを検討してください。", + "text": "ワイルドカードは CORS に使用しないでください", "waf": "安全" }, { - "checklist": "Azure Blob Storage Review", - "description": "アクティビティ ログ データを使用して、ストレージ アカウントのセキュリティ (ストレージ アカウント キー、アクセス ポリシーなど) が \"いつ、誰が、何を、\"どのように\" 表示または変更されているかを特定します。", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", - "service": "Azure Storage", + "checklist": "Azure App Service Review", + "description": "リモート デバッグは、サービスに追加のポートが開き、攻撃対象領域が増加するため、運用環境でオンにしないでください。このサービスは、48 時間後に自動的にリモート デバッグをオフにすることに注意してください。", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", + "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", + "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", + "service": "App Services", "severity": "高い", - "text": "Azure Monitor を使用して、ストレージ アカウントに対するコントロール プレーン操作を監査することを検討してください", + "text": "リモートデバッグをオフにする", "waf": "安全" }, { - "checklist": "Azure Blob Storage Review", - "description": "キーの有効期限ポリシーを使用すると、アカウントアクセスキーのローテーションのリマインダーを設定できます。リマインダーは、指定した間隔が経過し、キーがまだローテーションされていない場合に表示されます。", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", - "service": "Azure Storage", + "checklist": "Azure App Service Review", + "description": "Defender for App Service を有効にします。 これは(他の脅威の中でも)既知の悪意のあるIPアドレスへの通信を検出します。 操作の一環として、Defender for App Service からの推奨事項を確認します。", + "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", + "service": "App Services", "severity": "中程度", - "text": "ストレージ アカウント キーを使用する場合は、\"キーの有効期限ポリシー\" を有効にすることを検討してください", + "text": "Defender for Cloud を有効にする - 
Defender for App Service", "waf": "安全" }, { - "checklist": "Azure Blob Storage Review", - "description": "SAS 有効期限ポリシーでは、SAS が有効である推奨間隔を指定します。SAS 有効期限ポリシーは、サービス SAS またはアカウント SAS に適用されます。ユーザーがサービス SAS またはアカウント SAS を、推奨間隔よりも長い有効期間で生成すると、警告が表示されます。", - "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", - "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", - "service": "Azure Storage", + "checklist": "Azure App Service Review", + "description": "Azure は、ネットワーク上で DDoS Basic 保護を提供しており、通常のトラフィック パターンを学習し、異常な動作を検出できるインテリジェントな DDoS Standard 機能によって改善できます。DDoS Standard は仮想ネットワークに適用されるため、Application Gateway や NVA など、アプリの前にあるネットワーク リソース用に構成する必要があります。", + "guid": "223ece80-b123-4071-a541-6415833ea3ad", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "App Services", "severity": "中程度", - "text": "SAS 有効期限ポリシーの構成を検討する", + "text": "WAF VNet で DDoS Protection Standard を有効にするEnable DDOS Protection Standard on the WAF VNet", "waf": "安全" }, { - "checklist": "Azure Blob Storage Review", - "description": "保存されているアクセス ポリシーを使用すると、ストレージ アカウント キーを再生成することなく、サービス SAS のアクセス許可を取り消すことができます。", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", - "service": "Azure Storage", + "checklist": "Azure App Service Review", + "description": "Azure Container Registry に格納されているイメージを使用する場合は、プライベート エンドポイントとアプリ設定 \"WEBSITE_PULL_IMAGE_OVER_VNET\" を使用して、Azure Container Registry から仮想ネットワーク経由でイメージをプルします。", + "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", + "service": "App Services", "severity": "中程度", - "text": "保存されているアクセス ポリシーに SAS をリンクすることを検討する", + "text": "Virtual Network 経由でコンテナーをプルする", "waf": "安全" }, { - "checklist": "Azure Blob Storage Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": 
"https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/",
- "service": "Azure Storage",
+ "checklist": "Azure App Service Review",
+ "description": "ペネトレーションテストのルールに従って、Webアプリケーションでペネトレーションテストを実施します。",
+ "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing",
+ "service": "App Services",
  "severity": "中程度",
- "text": "チェックインされた接続文字列とストレージ アカウント キーを検出するようにアプリケーションのソース コード リポジトリを構成することを検討してください。",
+ "text": "ペネトレーションテストの実施",
  "waf": "安全"
  },
  {
- "checklist": "Azure Blob Storage Review",
- "description": "理想的には、アプリケーションでマネージド ID を使用して Azure Storage に対する認証を行う必要があります。それが不可能な場合は、ストレージ資格情報 (接続文字列、ストレージ アカウント キー、SAS、サービス プリンシパル資格情報) を Azure KeyVault または同等のサービスに用意することを検討してください。",
- "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
- "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys",
- "service": "Azure Storage",
- "severity": "高い",
- "text": "接続文字列を Azure KeyVault に格納することを検討する (マネージド ID が不可能なシナリオの場合)",
+ "checklist": "Azure App Service Review",
+ "description": "DevSecOps プラクティスに従って脆弱性が検証およびスキャンされた信頼できるコードをデプロイします。",
+ "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e",
+ "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure",
+ "service": "App Services",
+ "severity": "中程度",
+ "text": "検証済みコードのデプロイ",
  "waf": "安全"
  },
  {
- "checklist": "Azure Blob Storage Review",
- "description": "アドホック SAS サービス SAS またはアカウント SAS で、有効期限が近づいています。このように、SAS が侵害された場合でも、有効期間は短時間です。この方法は、保存されているアクセス ポリシーを参照できない場合に特に重要です。また、有効期限が近いと、BLOB にアップロードできる時間が制限されるため、BLOB に書き込めるデータの量も制限されます。",
- "guid": "27138b82-1102-4cac-9eae-01e6e842e52f",
- "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
- "service": "Azure Storage",
+ "checklist": "Azure App Service Review",
+ "description": "サポートされているプラットフォーム、プログラミング言語、プロトコル、およびフレームワークの最新バージョンを使用します。",
+ "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime",
+ "service": "App Services",
  "severity": "高い",
- "text": "アドホックSASの有効期間を短くする",
+ "text": "最新のプラットフォーム、言語、プロトコル、フレームワークを使用",
  "waf": "安全"
  },
  {
- "checklist": "Azure Blob Storage Review",
- "description": "SAS を作成するときは、できるだけ具体的かつ制限的にしてください。1 つのリソースと操作には、より広範なアクセスを提供する SAS よりも SAS を優先します。",
- "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c",
- "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
- "service": "Azure Storage",
- "severity": "中程度",
- "text": "SAS に狭いスコープを適用する",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9",
+ "service": "AVS",
+ "severity": "高い",
+ "text": "ADDS ドメイン コントローラーがネイティブ Azure の ID サブスクリプションにデプロイされていることを確認する",
  "waf": "安全"
  },
  {
- "checklist": "Azure Blob Storage Review",
- "description": "SAS には、SAS を使用してリソースを要求する権限をクライアント IP アドレスまたはアドレス範囲に与えるパラメーターを含めることができます。",
- "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a",
- "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas",
- "service": "Azure Storage",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "75089c20-990d-4927-b105-885576f76fc2",
+ "service": "AVS",
  "severity": "中程度",
- "text": "可能な限り、SAS のスコープを特定のクライアント IP アドレスに設定することを検討してください",
- "waf": "安全"
- },
- {
- "checklist": "Azure Blob Storage Review",
- "description": "SAS は、クライアントがアップロードするデータの量を制限できません。時間の経過に伴うストレージ容量の価格モデルを考えると、クライアントが悪意を持って大きなコンテンツをアップロードしたかどうかを検証することは理にかなっているかもしれません。",
- "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e",
- "service": "Azure Storage",
- "severity": "低い",
- "text": "クライアントが SAS を使用してファイルをアップロードした後、アップロードされたデータを確認することを検討してください。",
+ "text": "Azure ベースのリソース (Azure VMware Solution を含む) からの認証要求を Azure にローカルに保持するように ADDS サイトとサービスが構成されていることを確認します",
  "waf": "安全"
  },
  {
- "checklist": "Azure Blob Storage Review",
- "description": "\"ローカル ユーザー アカウント\" を使用して SFTP 経由で BLOB ストレージにアクセスする場合、\"通常の\" RBAC 制御は適用されません。NFS または REST 経由の BLOB アクセスは、SFTP アクセスよりも制限が厳しい場合があります。残念ながら、2023 年初頭の時点で、SFTP エンドポイントで現在サポートされている ID 管理の形式はローカル ユーザーだけです",
- "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8",
- "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model",
- "service": "Azure Storage",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80",
+ "service": "AVS",
  "severity": "高い",
- "text": "SFTP: SFTPアクセスの「ローカルユーザー」の数を制限し、時間の経過とともにアクセスが必要かどうかを監査します。",
+ "text": "vCenterがADDに接続されていることを確認し、「名前付きユーザーアカウント」に基づく認証を有効にします",
  "waf": "安全"
  },
  {
- "checklist": "Azure Blob Storage Review",
- "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38",
- "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization",
- "service": "Azure Storage",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a",
+ "service": "AVS",
  "severity": "中程度",
- "text": "SFTP: SFTP エンドポイントは、POSIX ライクな ACL をサポートしていません。",
+ "text": "vCenter から ADDS への接続でセキュア プロトコル (LDAPS) が使用されていることを確認します",
  "waf": "安全"
  },
  {
- "checklist": "Azure Blob Storage Review",
- "description": "ストレージは、CORS (Cross-Origin Resource Sharing)、つまり、異なるドメインの Web アプリが同一生成元ポリシーを緩めることを可能にする HTTP 機能をサポートしています。CORS を有効にする場合は、CorsRules を最小の特権に保ちます。",
- "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3",
- "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services",
- "service": "Azure Storage",
- "severity": "高い",
- "text": "過度に広範な CORS ポリシーを避ける",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a",
+ "service": "AVS",
+ "severity": "中程度",
+ "text": "vCenter IdP の CloudAdmin アカウントは、緊急アカウント(非常用アカウント)としてのみ使用されます",
  "waf": "安全"
  },
  {
- "checklist": "Azure Blob Storage Review",
- "description": "保存データは常にサーバー側で暗号化され、さらにクライアント側でも暗号化される場合があります。サーバー側の暗号化は、プラットフォーム マネージド キー (既定) またはカスタマー マネージド キーを使用して行われる場合があります。クライアント側の暗号化は、クライアントが BLOB ごとに暗号化/暗号化解除キーを Azure Storage に提供するか、クライアント側で暗号化を完全に処理することによって行われます。そのため、機密性の保証を Azure Storage にまったく依存しません。",
- "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption",
- "service": "Azure Storage",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3",
+ "service": "AVS",
  "severity": "高い",
- "text": "保存データの暗号化方法を決定します。データのスレッド モデルを理解します。",
+ "text": "NSX-Manager が外部 ID プロバイダ (LDAPS) と統合されていることを確認します。",
  "waf": "安全"
  },
  {
- "checklist": "Azure Blob Storage Review",
- "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6",
- "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json",
- "service": "Azure Storage",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "ae0e37ce-e297-411b-b352-caaab79b198d",
+ "service": "AVS",
  "severity": "中程度",
- "text": "どのプラットフォーム暗号化を使用するか、または使用するかを決定します。",
+ "text": "VMware vSphere 内で使用するために RBAC モデルが作成されているか",
  "waf": "安全"
  },
  {
- "checklist": "Azure Blob Storage Review",
- "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29",
- "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys",
- "service": "Azure Storage",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e",
+ "service": "AVS",
  "severity": "中程度",
- "text": "クライアント側の暗号化を使用するかどうかを決定します。",
+ "text": "RBAC アクセス許可は、特定のユーザーではなく、ADDS グループに付与する必要があります",
  "waf": "安全"
  },
  {
- "checklist": "Azure Blob Storage Review",
- "description": "Resource Graph エクスプローラー (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) を利用して、匿名 BLOB アクセスを許可するストレージ アカウントを検索します。",
- "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012",
- "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account",
- "service": "Azure Storage",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d",
+ "service": "AVS",
  "severity": "高い",
- "text": "パブリック BLOB アクセスが必要かどうか、または特定のストレージ アカウントに対して無効にできるかどうかを検討します。",
+ "text": "Azure の Azure VMware Solution リソースに対する RBAC アクセス許可は、限られた所有者のセットのみに \"ロックダウン\" されます",
  "waf": "安全"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies",
- "service": "APIM",
- "severity": "中程度",
- "text": "グローバルレベルでのエラー処理ポリシーの実装",
- "waf": "オペレーションズ"
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5",
+ "service": "AVS",
+ "severity": "高い",
+ "text": "すべてのカスタム ロールのスコープが CloudAdmin で許可された承認で設定されていることを確認する",
+ "waf": "安全"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08",
- "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order",
- "service": "APIM",
- "severity": "中程度",
- "text": "すべての API ポリシーに要素が含まれていることを確認します。",
- "waf": "オペレーションズ"
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510",
+ "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking",
+ "service": "AVS",
+ "severity": "高い",
+ "text": "お客様のユース ケースに適した Azure VMware Solution 接続モデルが選択されているか",
+ "waf": "パフォーマンス"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902",
- "link": "https://learn.microsoft.com/azure/api-management/policy-fragments",
- "service": "APIM",
- "severity": "中程度",
- "text": "ポリシーフラグメントを使用して、複数の API で同じポリシー定義を繰り返さないようにする",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5",
+ "service": "AVS",
+ "severity": "高い",
+ "text": "オンプレミスから Azure への ExpressRoute または VPN 接続が \"接続モニター\" を使用して監視されていることを確認する",
  "waf": "オペレーションズ"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a",
- "link": "https://learn.microsoft.com/azure/api-management/monetization-support",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99",
+ "service": "AVS",
  "severity": "中程度",
- "text": "API の収益化を計画している場合は、「収益化のサポート」の記事でおすすめの方法をご確認ください",
- "waf": "オペレーションズ"
- },
- {
- "checklist": "Azure API Management Review",
- "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs",
- "service": "APIM",
- "severity": "高い",
- "text": "診断設定を有効にしてログを Azure Monitor にエクスポートする",
+ "text": "Azure VMware Solution バックエンドの ExpressRoute 接続を監視するために、Azure ネイティブ リソースから Azure VMware Solution 仮想マシンへの接続モニターが作成されていることを確認します",
  "waf": "オペレーションズ"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "8691fa38-45ed-4299-a247-fecd98d35deb",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265",
+ "service": "AVS",
  "severity": "中程度",
- "text": "Application Insights を有効にして、より詳細なテレメトリを実現する",
+ "text": "エンド 2 エンドの接続を監視するために、オンプレミス リソースから Azure VMware Solution 仮想マシンへの接続モニターが作成されていることを確認します",
  "waf": "オペレーションズ"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649",
+ "service": "AVS",
  "severity": "高い",
- "text": "最も重要なメトリックに関するアラートを構成する",
+ "text": "ルート サーバーを使用する場合は、ルート サーバーから ExR ゲートウェイ、オンプレミスに伝達されるルートが 1000 を超えないようにします (ARS 制限)。",
  "waf": "オペレーションズ"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3",
+ "service": "AVS",
  "severity": "高い",
- "text": "カスタム SSL 証明書が Azure Key Vault に格納され、安全にアクセスして更新できるようにする",
+ "text": "Azure Portal で Azure VMware Solution リソースを管理するロールに対して Privileged Identity Management が実装されていますか (永続的なアクセス許可は許可されません)",
  "waf": "安全"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c",
+ "service": "AVS",
  "severity": "高い",
- "text": "Azure AD を使用して API (データ プレーン) への受信要求を保護する",
+ "text": "Privileged Identity Management 監査レポートは、Azure VMware Solution PIM ロールに対して実装する必要がある",
  "waf": "安全"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5",
+ "service": "AVS",
  "severity": "中程度",
- "text": "Microsoft Entra ID を使用して開発者ポータルでユーザーを認証する",
+ "text": "Privileged Identity Management を使用している場合は、Azure VMware Solution のホストの自動置換通知用の有効な SMTP レコードを使用して、有効な Entra ID が有効なアカウントが作成されていることを確認します。(常任許可が必要)",
  "waf": "安全"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups",
- "service": "APIM",
- "severity": "中程度",
- "text": "適切なグループを作成して、製品の可視性を制御します",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e",
+ "service": "AVS",
+ "severity": "高い",
+ "text": "CloudAdmin アカウントの使用を緊急アクセスのみに制限する",
  "waf": "安全"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "06862505-2d9a-4874-9491-2837b00a3475",
- "link": "https://learn.microsoft.com/azure/api-management/backends",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1",
+ "service": "AVS",
  "severity": "中程度",
- "text": "バックエンド機能を使用して、冗長な API バックエンド構成を排除します",
- "waf": "オペレーションズ"
+ "text": "vCenter Server でカスタム RBAC ロールを作成して、vCenter 内に最小特権モデルを実装します",
+ "waf": "安全"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18",
+ "service": "AVS",
  "severity": "中程度",
- "text": "名前付き値を使用して、ポリシーで使用できる共通の値を格納します",
- "waf": "オペレーションズ"
+ "text": "cloudadmin (vCenter) と admin (NSX) の資格情報を定期的にローテーションするように定義されたプロセスです。",
+ "waf": "安全"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region",
- "service": "APIM",
- "severity": "中程度",
- "text": "DR の場合は、99.99% の SLA で 2 つ以上のリージョンにスケーリングされたデプロイで Premium レベルを活用します",
- "waf": "確実"
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5",
+ "service": "AVS",
+ "severity": "高い",
+ "text": "一元化された ID プロバイダーを使用して、Azure VMware Solution で実行されているワークロード (VM) に使用する",
+ "waf": "安全"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044",
- "link": "https://learn.microsoft.com/azure/api-management/high-availability",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4",
+ "service": "AVS",
  "severity": "中程度",
- "text": "少なくとも 1 つのユニットを 2 つ以上の可用性ゾーンにデプロイして、SLA を 99.99% に向上させる",
- "waf": "確実"
+ "text": "East-West トラフィック フィルタリングは NSX-T 内に実装されていますか",
+ "waf": "安全"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd",
+ "service": "AVS",
  "severity": "高い",
- "text": "自動バックアップ・ルーチンがあることを確認する",
- "waf": "確実"
+ "text": "Azure VMware Solution 上のワークロードは、インターネットに直接公開されません。トラフィックは、Azure Application Gateway、Azure Firewall、またはサード パーティのソリューションによってフィルター処理され、検査されます",
+ "waf": "安全"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485",
- "link": "https://learn.microsoft.com/azure/api-management/retry-policy",
- "service": "APIM",
- "severity": "中程度",
- "text": "ポリシーを使用して、フェイルオーバー・バックエンドURLとキャッシュを追加し、コールの失敗を減らします。",
- "waf": "確実"
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938",
+ "service": "AVS",
+ "severity": "高い",
+ "text": "監査とログ記録は、Azure VMware Solution および Azure VMware Solution ベースのワークロードへの受信インターネット要求に対して実装されます",
+ "waf": "安全"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs",
- "service": "APIM",
- "severity": "低い",
- "text": "高パフォーマンス レベルでログを記録する必要がある場合は、Event Hubs ポリシーを検討してください",
- "waf": "オペレーションズ"
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "29e3eec2-1836-487a-8077-a2b5945bda43",
+ "service": "AVS",
+ "severity": "中程度",
+ "text": "セッション監視は、疑わしい/悪意のあるアクティビティを特定するために、Azure VMware Solution または Azure VMware Solution ベースのワークロードからの送信インターネット接続に実装されます",
+ "waf": "安全"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "334fdf91-c234-4182-a652-75269440b4be",
+ "service": "AVS",
  "severity": "中程度",
- "text": "調整ポリシーを適用して、毎秒の要求数を制御する",
- "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/",
- "waf": "パフォーマンス"
+ "text": "Azure の ExR/VPN Gateway サブネットで DDoS Standard 保護が有効になっているか",
+ "waf": "安全"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb",
+ "service": "AVS",
  "severity": "中程度",
- "text": "負荷が増加したときにインスタンスの数をスケールアウトするように自動スケーリングを構成する",
- "waf": "パフォーマンス"
+ "text": "専用の特権アクセス ワークステーション (PAW) を使用して、Azure VMware Solution、vCenter、NSX Manager、HCX Manager を管理する",
+ "waf": "安全"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "84b94abb-59b6-4b9d-8587-3413669468e8",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d",
+ "service": "AVS",
  "severity": "中程度",
- "text": "セルフホステッド ゲートウェイをデプロイする場所は、バックエンド API に近いリージョンが Azure にありません。",
- "waf": "パフォーマンス"
+ "text": "Azure VMware Solution で実行されているワークロードに対して Advanced Threat Detection (Microsoft Defender for Cloud 別名 ASC) を有効にする",
+ "waf": "安全"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0",
- "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45",
+ "service": "AVS",
  "severity": "中程度",
- "text": "運用環境のワークロードには Premium レベルを使用します。",
- "waf": "確実"
+ "text": "Azure ARC for Servers を使用して、Azure ネイティブ テクノロジを使用して Azure VMware Solution で実行されているワークロードを適切に管理します (Azure ARC for Azure VMware Solution はまだ利用できません)",
+ "waf": "安全"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a",
+ "service": "AVS",
+ "severity": "低い",
+ "text": "Azure VMware Solution 上のワークロードで、実行時に十分なデータ暗号化 (ゲスト内ディスク暗号化や SQL TDE など) が使用されるようにします。(保存時の vSAN 暗号化がデフォルトです)",
+ "waf": "安全"
+ },
+ {
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "a3592718-e6e2-4051-9267-6ae46691e883",
+ "service": "AVS",
+ "severity": "低い",
+ "text": "ゲスト内暗号化を使用する場合は、可能な場合は Azure Key Vault に暗号化キーを格納します",
+ "waf": "安全"
+ },
+ {
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "5ac94222-3e13-4810-9230-81a941741583",
+ "service": "AVS",
  "severity": "中程度",
- "text": "複数リージョン モデルでは、ポリシーを使用して、可用性または待機時間に基づいてリージョン バックエンドに要求をルーティングします。",
+ "text": "Azure VMware Solution で実行されているワークロードには、拡張セキュリティ更新プログラムのサポートの使用を検討してください (Azure VMware Solution は ESU の対象です)",
+ "waf": "安全"
+ },
+ {
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609",
+ "service": "AVS",
+ "severity": "高い",
+ "text": "適切な vSAN データ冗長化方式(RAID 仕様)が使用されていることを確認します。",
  "waf": "確実"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d88408f3-7273-44c8-96ba-280214590146",
+ "service": "AVS",
  "severity": "高い",
- "text": "APIM の制限に注意する",
+ "text": "許容障害ポリシーが vSAN ストレージのニーズを満たすために設定されていることを確認します",
  "waf": "確実"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600",
- "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a",
+ "service": "AVS",
  "severity": "高い",
- "text": "セルフホステッド ゲートウェイのデプロイに回復性があることを確認します。",
+ "text": "十分なクォータを要求し、拡張とディザスタリカバリの要件を考慮していることを確認します",
  "waf": "確実"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "7519e385-a88b-4d34-966b-6269d686e890",
- "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19",
+ "service": "AVS",
  "severity": "中程度",
- "text": "複数リージョンのデプロイに APIM の前で Azure Front Door を使用するUse Azure Front Door in front of APIM for multi-region deployment",
- "waf": "パフォーマンス"
+ "text": "ESXiへのアクセス制限を理解し、サードパーティのソリューションに影響を与える可能性のあるアクセス制限があることを確認してください。",
+ "waf": "オペレーションズ"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "cd45c90e-7690-4753-930b-bf290c69c074",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52",
+ "service": "AVS",
  "severity": "中程度",
- "text": "仮想ネットワーク (VNet) 内にサービスをデプロイするDeploy the service within a Virtual Network (VNet)",
- "waf": "安全"
+ "text": "ESXi ホストの密度と効率に関するポリシーがあることを確認し、新しいノードを要求するためのリード タイムを念頭に置いてください",
+ "waf": "オペレーションズ"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef",
+ "service": "AVS",
  "severity": "中程度",
- "text": "ネットワーク セキュリティ グループ (NSG) をサブネットにデプロイして、APIM との間のトラフィックを制限または監視します。",
- "waf": "安全"
+ "text": "Azure VMware Solution の適切なコスト管理プロセスが整っていることを確認する - Azure Cost Management を使用できます",
+ "waf": "費用"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "67437a28-2721-4a2c-becd-caa54c8237a5",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6e043e2a-a359-4271-ae6e-205172676ae4",
+ "service": "AVS",
+ "severity": "低い",
+ "text": "Azure VMware Solution を使用するためのコストを最適化するために Azure 予約インスタンスが使用されているか",
+ "waf": "費用"
+ },
+ {
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6691e883-5ac9-4422-83e1-3810523081a9",
+ "service": "AVS",
  "severity": "中程度",
- "text": "プライベート エンドポイントをデプロイして、APIM が VNet にデプロイされていない場合に受信トラフィックをフィルター処理します。",
+ "text": "他の Azure Native Services を使用する場合は、Azure Private-Link の使用を検討してください",
  "waf": "安全"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "d698adbd-3288-44cb-b10a-9b572da395ae",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "db611712-6904-40b4-aa3d-3e0803276d4b",
+ "service": "AVS",
  "severity": "高い",
- "text": "パブリックネットワークアクセスの無効化",
- "waf": "安全"
+ "text": "必要なすべてのリソースが同じ Azure 可用性ゾーン内に存在することを確認する",
+ "waf": "パフォーマンス"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd",
- "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da",
+ "service": "AVS",
  "severity": "中程度",
- "text": "PowerShell 自動化スクリプトで管理を簡素化",
- "waf": "オペレーションズ"
+ "text": "Azure VMware Solution ゲスト VM ワークロードに対して Microsoft Defender for Cloud を有効にする",
+ "waf": "安全"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe",
+ "service": "AVS",
  "severity": "中程度",
- "text": "Infrastructure-as-code を使用して APIM を構成します。Cloud Adaption Framework APIM Landing Zone Accelerator から DevOps のベスト プラクティスを確認する",
- "waf": "オペレーションズ"
+ "text": "Azure Arc 対応サーバーを使用して Azure VMware Solution ゲスト VM のワークロードを管理する",
+ "waf": "安全"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6",
- "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial",
- "service": "APIM",
- "severity": "中程度",
- "text": "Visual Studio Code APIM 拡張機能の使用を促進して API 開発を迅速化する",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a",
+ "service": "AVS",
+ "severity": "高い",
+ "text": "Azure VMware Solution での診断ログとメトリック ログを有効にするEnable Diagnostic and metric logging on Azure VMware Solution",
  "waf": "オペレーションズ"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "354f1c03-8112-4965-85ad-c0074bddf231",
- "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46",
+ "service": "AVS",
  "severity": "中程度",
- "text": "DevOpsとCI/CDをワークフローに実装する",
+ "text": "Log Analytics エージェントを Azure VMware Solution ゲスト VM ワークロードにデプロイする",
  "waf": "オペレーションズ"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "b6439493-426a-45f3-9697-cf65baee208d",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients",
- "service": "APIM",
- "severity": "中程度",
- "text": "クライアント証明書認証を使用した API の保護",
- "waf": "安全"
- },
- {
- "checklist": "Azure API Management Review",
- "guid": "2a67d143-1033-4c0a-8732-680896478f08",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "589d457a-927c-4397-9d11-02cad6aae11e",
+ "service": "AVS",
  "severity": "中程度",
- "text": "クライアント証明書認証を使用したバックエンド サービスのセキュリティ保護",
- "waf": "安全"
+ "text": "Azure VMware Solution VM ワークロードのバックアップ ポリシーとソリューションが文書化され、実装されていることを確認します",
+ "waf": "オペレーションズ"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "074435f5-4a46-41ac-b521-d6114cb5d845",
- "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "ee29711b-d352-4caa-ab79-b198dab81932",
+ "service": "AVS",
  "severity": "中程度",
- "text": "「OWASP API Security Top 10 の脅威を軽減するための推奨事項」の記事を確認し、API に適用できるものを確認します",
+ "text": "Microsoft Defender for Cloud を使用して、Azure VMware Solution で実行されているワークロードのコンプライアンス監視を行う",
  "waf": "安全"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9",
- "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547",
+ "service": "AVS",
  "severity": "中程度",
- "text": "承認機能を使用して、バックエンド API の OAuth 2.0 トークンの管理を簡素化します",
+ "text": "適用可能なコンプライアンス ベースラインは Microsoft Defender for Cloud に追加されていますか",
  "waf": "安全"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e",
+ "service": "AVS",
  "severity": "高い",
- "text": "転送中の情報を暗号化する場合は、最新のTLSバージョンを使用します。可能であれば、古くて不要なプロトコルと暗号を無効にします。",
+ "text": "Azure VMware Solution のデプロイに使用する Azure リージョンを選択するときにデータ所在地が評価されましたか",
  "waf": "安全"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "f8af3d94-1d2b-4070-846f-849197524258",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a",
+ "service": "AVS",
  "severity": "高い",
- "text": "シークレット (名前付き値) が Azure Key Vault に格納され、安全にアクセスして更新できるようにする",
+ "text": "データ処理への影響 (サービス プロバイダー/サービス コンシューマー モデル) が明確で文書化されているか",
  "waf": "安全"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "791abd8b-7706-4e31-9569-afefde724be3",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "547c1747-dc56-4068-a714-435cd19dd244",
+ "service": "AVS",
  "severity": "中程度",
- "text": "可能な限りマネージド ID を使用して、他の Azure リソースに対する認証を行う",
+ "text": "コンプライアンス上の理由で必要な場合にのみ、vSAN に CMK (カスタマー マネージド キー) を使用することを検討してください。",
  "waf": "安全"
  },
  {
- "checklist": "Azure API Management Review",
- "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall",
- "service": "APIM",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2",
+ "service": "AVS",
  "severity": "高い",
- "text": "Web アプリケーション ファイアウォール (WAF) を使用するには、APIM の前に Application Gateway をデプロイします",
- "waf": "安全"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a",
- "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc",
- "service": "AKS",
- "severity": "低い",
- "text": "AKS Windows ワークロードで必要な場合は、HostProcess コンテナーを使用できます",
- "waf": "確実"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926",
- "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda",
- "service": "AKS",
- "severity": "低い",
- "text": "イベント ドリブン ワークロードを実行する場合は KEDA を使用します",
- "waf": "パフォーマンス"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58",
- "link": "https://dapr.io/",
- "service": "AKS",
- "severity": "低い",
- "text": "Dapr を使用してマイクロサービス開発を容易にする",
+ "text": "Azure VMware Solution のコア監視分析情報を有効にするダッシュボードを作成するCreate dashboards to enable a core Azure VMware Solution monitoring insights",
  "waf": "オペレーションズ"
  },
  {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant",
- "guid": "71d41e36-10cc-457b-9a4b-1410d4395898",
- "link": "https://learn.microsoft.com/azure/aks/uptime-sla",
- "service": "AKS",
- "severity": "高い",
- "text": "SLA でサポートされる AKS オファリングを使用する",
- "waf": "確実"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
- "service": "AKS",
- "severity": "低い",
- "text": "ポッドとデプロイ定義でのディスラプション バジェットの使用",
- "waf": "確実"
- },
- {
- "checklist": "Azure AKS Review",
- "guid": "3c763963-7a55-42d5-a15e-401955387e5c",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication",
- "service": "ACR",
- "severity": "高い",
- "text": "プライベート レジストリを使用する場合は、複数のリージョンにイメージを格納するようにリージョン レプリケーションを構成します",
- "waf": "確実"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost",
- "service": "AKS",
- "severity": "低い",
- "text": "kubecost などの外部アプリケーションを使用して、さまざまなユーザーにコストを割り当てます",
- "waf": "費用"
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2",
+ "service": "AVS",
+ "severity": "高い",
+ "text": "Azure VMware Solution のパフォーマンス (CPU >80%、平均メモリ >80%、vSAN >70%) に関する自動アラートの重大しきい値の警告アラートを作成する",
+ "waf": "オペレーションズ"
  },
  {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c",
- "link": "https://learn.microsoft.com/azure/aks/scale-down-mode",
- "service": "AKS",
- "severity": "低い",
- "text": "スケールダウンモードを使用してノードを削除/割り当て解除する",
- "waf": "費用"
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9659e396-80e7-4828-ac93-5657d02bff45",
+ "service": "AVS",
+ "severity": "高い",
+ "text": "vSAN の消費量が 75% を下回っているかどうかを監視するための重要なアラートが作成されていることを確認します (これは VMware からのサポートしきい値です)。",
+ "waf": "オペレーションズ"
  },
  {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc",
- "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance",
- "service": "AKS",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "64b0d934-a348-4726-be79-d6b5c3a36495",
+ "service": "AVS",
+ "severity": "高い",
+ "text": "Azure Service Health のアラートと通知に対してアラートが構成されていることを確認する",
+ "waf": "オペレーションズ"
+ },
+ {
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "b6abad38-aad5-43cc-99e1-d86667357c54",
+ "service": "AVS",
  "severity": "中程度",
- "text": "必要に応じて、AKS クラスターで複数インスタンスの分割 GPU を使用する",
- "waf": "費用"
+ "text": "処理のために Azure Storage アカウントまたは Azure EventHub に送信するように Azure VMware Solution ログを構成する",
+ "waf": "オペレーションズ"
  },
  {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8",
- "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools",
- "service": "AKS",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775",
+ "service": "AVS",
  "severity": "低い",
- "text": "Dev/Test クラスターを実行している場合は、NodePool Start/Stop を使用します。",
- "waf": "費用"
+ "text": "VMware vSphere での詳細な分析情報が必要な場合:vRealize Operations や vRealize Network Insights がソリューションで使用されていますか?",
+ "waf": "オペレーションズ"
  },
  {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant",
- "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1",
- "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes",
- "service": "AKS",
- "severity": "中程度",
- "text": "Azure Policy for Kubernetes を使用してクラスターのコンプライアンスを確保する",
- "waf": "安全"
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682",
+ "service": "AVS",
+ "severity": "高い",
+ "text": "仮想マシンの vSAN ストレージ ポリシーはシック プロビジョニングを適用するため、このポリシーがデフォルトのストレージ ポリシーではないことを確認します",
+ "waf": "オペレーションズ"
  },
  {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)",
- "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4",
- "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
- "service": "AKS",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51",
+ "service": "AVS",
  "severity": "中程度",
- "text": "ユーザー/システムノードプールを使用してコントロールプレーンからアプリケーションを分離する",
- "waf": "安全"
+ "text": "vSAN は有限のリソースであるため、vSphere コンテンツ ライブラリが vSAN に配置されていないことを確認する",
+ "waf": "オペレーションズ"
  },
  {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea",
- "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
- "service": "AKS",
- "severity": "低い",
- "text": "システム ノードプールにテイントを追加して専用にする",
- "waf": "安全"
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e",
+ "service": "AVS",
+ "severity": "中程度",
+ "text": "バックアップ ソリューションのデータ リポジトリが vSAN ストレージの外部に保存されていることを確認します。Azure ネイティブまたはディスク プールでバックアップされるデータストア上",
+ "waf": "オペレーションズ"
  },
  {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf",
- "link": "https://learn.microsoft.com/azure/container-registry/",
- "service": "AKS",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "2aee3453-aec8-4339-848b-262d6cc5f512",
+ "service": "AVS",
  "severity": "中程度",
- "text": "イメージにはプライベート レジストリ (ACR など) を使用する",
- "waf": "安全"
+ "text": "Azure Arc for Servers を使用して Azure VMware Solution で実行されているワークロードがハイブリッド管理されていることを確認する (Arc for Azure VMware Solution はプレビュー段階です)",
+ "waf": "オペレーションズ"
  },
  {
- "checklist": "Azure AKS Review",
- "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6",
- "link": "https://learn.microsoft.com/azure/security-center/container-security",
- "service": "ACR",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b",
+ "service": "AVS",
  "severity": "中程度",
- "text": "イメージをスキャンして脆弱性を検出する",
- "waf": "安全"
+ "text": "Azure VMware Solution 
で実行されているワークロードが Azure Log Analytics と Azure Monitor を使用して監視されていることを確認する", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", - "service": "AKS", - "severity": "高い", - "text": "アプリの分離要件を定義する (名前空間/ノードプール/クラスター)", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", + "service": "AVS", + "severity": "中程度", + "text": "Azure VMware Solution で実行されているワークロードを、既存の更新プログラム管理ツールまたは Azure Update Management に含める", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", - "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", + "service": "AVS", "severity": "中程度", - "text": "CSI シークレット ストア ドライバーを使用して Azure Key Vault にシークレットを格納する", - "waf": "安全" + "text": "Azure Policy を使用して、Azure の管理、監視、セキュリティ ソリューションに Azure VMware Solution ワークロードをオンボードする", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", - "link": "https://learn.microsoft.com/azure/aks/update-credentials", - "service": "AKS", - "severity": "高い", - "text": "クラスターにサービス プリンシパルを使用する場合は、資格情報を定期的に (四半期ごとなど) 更新します", + "checklist": "Azure VMware Solution Design Review", + "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", + "service": "AVS", + "severity": "中程度", + "text": "Azure VMware Solution で実行されているワークロードが Microsoft Defender for Cloud にオンボードされていることを確認する", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": 
"e7ba73a3-0508-4f80-806f-527db30cee96", - "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", + "service": "AVS", "severity": "中程度", - "text": "必要に応じて、キー管理サービスの etcd 暗号化を追加します", - "waf": "安全" + "text": "vSAN は有限のリソースであるため、バックアップが vSAN に保存されないようにする", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", - "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", - "service": "AKS", - "severity": "低い", - "text": "必要に応じて、Confidential Compute for AKS の使用を検討してください", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", + "service": "AVS", + "severity": "中程度", + "text": "すべてのDRソリューションが検討され、ビジネスに最適なソリューションが決定されましたか?[SRM/JetStream/Zerto/Veeam/...]", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", + "service": "AVS", "severity": "中程度", - "text": "Defender for Containers の使用を検討する", - "waf": "安全" + "text": "ディザスター リカバリー テクノロジがネイティブの Azure IaaS の場合は、Azure Site Recovery を使用します", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", - "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", - 
"service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", + "service": "AVS", "severity": "高い", - "text": "サービス プリンシパルの代わりにマネージド ID を使用するUse managed identities instead of Service Principals", - "waf": "安全" + "text": "いずれかの災害ソリューションで自動復旧計画を使用し、手動タスクを可能な限り回避します", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", - "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", - "link": "https://learn.microsoft.com/azure/aks/managed-aad", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "8255461e-2aee-4345-9aec-8339248b262d", + "service": "AVS", "severity": "中程度", - "text": "認証と AAD の統合 (マネージド統合を使用)", - "waf": "安全" + "text": "地政学的リージョンのペアをセカンダリディザスタリカバリ環境として使用する", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", - "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", - "service": "AKS", - "severity": "中程度", - "text": "管理者 kubeconfig へのアクセスを制限する (get-credentials --admin)", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", + "service": "AVS", + "severity": "高い", + "text": "リージョン間で 2 つの異なるアドレス空間を使用します (例: 10.0.0.0/16 と 192.168.0.0/16)。", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", - "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", + "service": "AVS", "severity": "中程度", - "text": "承認と AAD RBAC の統合", - "waf": "安全" + 
"text": "ExpressRoute Global Reach は、プライマリとセカンダリの Azure VMware Solution プライベート クラウド間の接続に使用されますか、それともネットワーク仮想アプライアンスを介してルーティングされますか?", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", - "service": "AKS", - "severity": "高い", - "text": "Kubernetes で RBAC 特権を制限するために名前空間を使用する", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", + "service": "AVS", + "severity": "中程度", + "text": "すべてのバックアップソリューションが検討され、ビジネスに最適なソリューションが決定されましたか?[ MABS/CommVault/Metallic.io/Veeam/ . ]", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", - "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", + "service": "AVS", "severity": "中程度", - "text": "ポッド ID アクセス管理の場合は、Azure AD ワークロード ID (プレビュー) を使用します", - "waf": "安全" + "text": "バックアップ ソリューションを Azure VMware Solution プライベート クラウドと同じリージョンにデプロイする", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", + "service": "AVS", "severity": "中程度", - "text": "AKS 非対話型ログインの場合は、kubelogin (プレビュー) を使用します", - "waf": "安全" + "text": "バックアップ ソリューションを vSan の外部の Azure ネイティブ コンポーネントにデプロイする", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - 
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", - "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", - "service": "AKS", - "severity": "中程度", - "text": "AKS ローカル アカウントを無効にする", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", + "service": "AVS", + "severity": "低い", + "text": "Azure プラットフォームによって管理されている VMware コンポーネントの復元を要求するプロセスは用意されていますか?", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", + "service": "AVS", "severity": "低い", - "text": "必要に応じて Just-In-Time クラスター アクセスを構成する", - "waf": "安全" + "text": "手動デプロイの場合、すべての構成とデプロイを文書化する必要があります", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", + "service": "AVS", "severity": "低い", - "text": "必要に応じて AKS の AAD 条件付きアクセスを構成する", - "waf": "安全" + "text": "手動デプロイの場合は、Azure VMware Solution プライベート クラウドでの偶発的なアクションを防ぐために、リソース ロックの実装を検討してください", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", - "link": 
"https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", + "service": "AVS", "severity": "低い", - "text": "Windows AKS ワークロードで必要な場合は、gMSA を構成します", - "waf": "安全" + "text": "自動デプロイの場合は、最小限のプライベート クラウドをデプロイし、必要に応じてスケーリングします", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", - "service": "AKS", - "severity": "中程度", - "text": "より細かく制御するには、マネージドKubelet Identityの使用を検討してください", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", + "service": "AVS", + "severity": "低い", + "text": "自動デプロイの場合は、デプロイを開始する前にクォータを要求または予約します", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", - "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", - "service": "AKS", - "severity": "中程度", - "text": "AGIC を使用している場合は、クラスター間で AppGW を共有しないでください", - "waf": "確実" + "checklist": "Azure VMware Solution Design Review", + "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", + "service": "AVS", + "severity": "低い", + "text": "自動デプロイの場合は、適切なガバナンスのために、自動化または Azure Policy を使用して関連するリソース ロックが作成されていることを確認します", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", - "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", - 
"link": "https://learn.microsoft.com/azure/aks/http-application-routing", - "service": "AKS", - "severity": "高い", - "text": "AKS HTTP ルーティング アドオンを使用せず、代わりにアプリケーション ルーティング アドオンでマネージド NGINX イングレスを使用します。", - "waf": "確実" + "checklist": "Azure VMware Solution Design Review", + "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", + "service": "AVS", + "severity": "低い", + "text": "ExR 認証キーに人間が理解できる名前を実装して、キーの目的/用途を簡単に識別できるようにします", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", - "service": "AKS", - "severity": "中程度", - "text": "Windows ワークロードの場合は、高速ネットワークを使用します", - "waf": "パフォーマンス" + "checklist": "Azure VMware Solution Design Review", + "guid": "255461e2-aee3-4553-afc8-339248b262d6", + "service": "AVS", + "severity": "低い", + "text": "Azure VMware Solution と ExpressRoute のデプロイに個別のサービス プリンシパルを使用する場合は、キー コンテナーを使用してシークレットと承認キーを格納します", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", - "guid": "ba7da7be-9952-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", - "severity": "高い", - "text": "標準のALBを使用する(基本的なALBとは対照的)", - "waf": "確実" + "checklist": "Azure VMware Solution Design Review", + "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", + "service": "AVS", + "severity": "低い", + "text": "Azure VMware Solution では限られた数の並列操作しかサポートされないため、Azure VMware Solution に多くのリソースをデプロイする必要がある場合に、IaC でアクションをシリアル化するためのリソースの依存関係を定義します。", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": 
"22fbe8d6-9b40-47ef-9011-25bb1a555a6b", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", + "service": "AVS", + "severity": "低い", + "text": "単一の Tier-1 ゲートウェイで NSX-T セグメントの自動構成を実行する場合は、NSX-Manager API ではなく Azure Portal API を使用します", + "waf": "オペレーションズ" + }, + { + "checklist": "Azure VMware Solution Design Review", + "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", + "service": "AVS", "severity": "中程度", - "text": "Azure CNI を使用する場合は、NodePool に異なるサブネットを使用することを検討してください", - "waf": "安全" + "text": "自動スケールアウトを使用する場合は、Azure VMware Solution を実行しているサブスクリプションに対して十分な Azure VMware Solution クォータを申請してください", + "waf": "パフォーマンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", - "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", + "service": "AVS", "severity": "中程度", - "text": "プライベート エンドポイント (推奨) または Virtual Network サービス エンドポイントを使用して、クラスターから PaaS サービスにアクセスする", - "waf": "安全" + "text": "自動スケールインを使用する場合は、そのようなアクションを実行する前に、ストレージ ポリシーの要件を必ず考慮してください", + "waf": "パフォーマンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", - "guid": "a0f61565-9de5-458f-a372-49c831112dbd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", - "severity": "高い", - "text": "要件に最適な CNI ネットワーク プラグインを選択する (Azure CNI を推奨)", - "waf": "確実" + "checklist": "Azure VMware Solution Design Review", + "guid": 
"b78036f5-e6bf-4bb9-bd50-3547cc447e82", + "service": "AVS", + "severity": "中程度", + "text": "スケーリング操作は、一度に 1 つのスケール操作しか実行できないため、常に 1 つの SDDC 内でシリアル化する必要があります (複数のクラスタが使用されている場合でも)", + "waf": "パフォーマンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "高い", - "text": "Azure CNI を使用する場合は、ノードあたりのポッドの最大数を考慮して、サブネットのサイズを適切に設定します", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", + "service": "AVS", + "severity": "中程度", + "text": "アーキテクチャで使用されるサードパーティソリューションでのスケーリング操作を検討および検証します(サポートされているかどうか)", "waf": "パフォーマンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "高い", - "text": "Azure CNI を使用している場合は、最大ポッド数/ノード (既定値は 30) を確認します", + "checklist": "Azure VMware Solution Design Review", + "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", + "service": "AVS", + "severity": "中程度", + "text": "自動化で環境のスケールイン/スケールアウトの上限を定義して適用する", "waf": "パフォーマンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "内部アプリの場合、組織は多くの場合、ファイアウォールで AKS サブネット全体を開きます。これにより、ノードへのネットワーク アクセスも開かれ、場合によってはポッドへのネットワーク アクセスも開かれます (Azure CNI を使用している場合)。LoadBalancer の IP が別のサブネットにある場合は、この IP のみをアプリ クライアントで使用できる必要があります。もう 1 つの理由は、AKS サブネット内の IP アドレスが希少なリソースである場合、その IP アドレスをサービスに使用すると、クラスターの最大スケーラビリティが低下することです。", - "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", - "link": "https://learn.microsoft.com/azure/aks/internal-lb", - "service": "AKS", - "severity": "低い", - "text": "プライベート IP LoadBalancer サービスを使用する場合は、(AKS サブネットではなく) 専用サブネットを使用します", - "waf": "安全" + "checklist": "Azure VMware Solution 
Design Review", + "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", + "service": "AVS", + "severity": "中程度", + "text": "監視ルールを実装して、自動スケーリング操作を監視し、成功と失敗を監視して、適切な (自動化された) 応答を有効にします", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", "severity": "高い", - "text": "それに応じて、サービスの IP アドレス範囲のサイズを設定します (クラスターのスケーラビリティが制限されます)。", + "text": "MONを使用する場合は、同時に構成されたVMの制限(HCXのMON制限[400 - 標準、1000 - 大規模アプライアンス])に注意してください", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", - "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", - "service": "AKS", - "severity": "低い", - "text": "必要に応じて、独自のCNIプラグインを追加します", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", + "severity": "高い", + "text": "MON を使用する場合、100 を超えるネットワーク拡張で MON を有効にすることはできません", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", - "link": 
"https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", - "service": "AKS", - "severity": "低い", - "text": "必要に応じて、AKS でノードごとにパブリック IP を構成する", + "checklist": "Azure VMware Solution Design Review", + "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", + "service": "AVS", + "severity": "中程度", + "text": "移行に VPN 接続を使用する場合は、それに応じて MTU サイズを調整します。", "waf": "パフォーマンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", - "link": "https://learn.microsoft.com/azure/aks/concepts-network", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "e614658d-d457-4e92-9139-b821102cad6e", + "service": "AVS", "severity": "中程度", - "text": "イングレス コントローラーを使用して、LoadBalancer タイプのサービスで公開する代わりに、Web ベースのアプリを公開します", - "waf": "確実" + "text": "Azure に接続する接続性の低いリージョン (500 Mbps 以下) の場合は、HCX WAN 最適化アプライアンスのデプロイを検討してください", + "waf": "パフォーマンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", - "link": "https://learn.microsoft.com/azure/aks/nat-gateway", - "service": "AKS", - "severity": "低い", - "text": "エグレス トラフィックをスケーリングするために Azure NAT Gateway を outboundType として使用する", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", + "service": "AVS", + "severity": "中程度", + "text": "移行がオンプレミスアプライアンスから開始され、クラウドアプライアンスから開始されていないことを確認します(逆移行は実行しないでください)", "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", + "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "AVS", "severity": "中程度", - "text": "Azure CNI IP の枯渇を回避するために IP の動的割り当てを使用する", + "text": "Azure NetApp Files を使用して Azure VMware Solution のストレージを拡張する場合は、VM に直接接続するのではなく、これを VMware データストアとして使用することを検討してください。", "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", - "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", - "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", - "service": "AKS", - "severity": "高い", - "text": "セキュリティ要件で義務付けられている場合は、AzFW/NVA を使用してエグレス トラフィックをフィルター処理します", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "AVS", + "severity": "中程度", + "text": "専用の ExpressRoute ゲートウェイが外部データ ストレージ ソリューションに使用されていることを確認する", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", - "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", - "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", + "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "AVS", "severity": "中程度", - "text": "パブリック API エンドポイントを使用している場合は、アクセスできる IP アドレスを制限します", - "waf": "安全" + "text": "外部データ ストレージ ソリューションに使用されている ExpressRoute ゲートウェイで FastPath が有効になっていることを確認します", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", - "link": "https://learn.microsoft.com/azure/aks/private-clusters", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "AVS", "severity": "高い", - "text": "要件で必要な場合は、プライベート クラスターを使用します", - "waf": "安全" + "text": "ストレッチ クラスタを使用している場合は、選択したディザスタ リカバリ ソリューションがベンダーによってサポートされていることを確認します", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", - "severity": "中程度", - "text": "Windows 2019 および 2022 AKS ノードでは、Calico ネットワーク ポリシーを使用できます", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", + "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "AVS", + "severity": "高い", + "text": "ストレッチ クラスターを使用する場合は、提供される SLA が要件を満たしていることを確認します", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", - "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "AVS", "severity": "高い", - "text": "Kubernetes ネットワーク ポリシー オプションを有効にする (Calico/Azure)", - "waf": "安全" + "text": "ストレッチ クラスターを使用している場合は、両方の ExpressRoute 回線が接続ハブに接続されていることを確認します。", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "AVS", "severity": "高い", - "text": "Kubernetesネットワークポリシーを使用してクラスタ内のセキュリティを強化", - "waf": "安全" + "text": "ストレッチ クラスターを使用している場合は、両方の ExpressRoute 回線で GlobalReach が有効になっていることを確認します。", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "checklist": "Azure VMware Solution Design 
Review", + "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "AVS", "severity": "高い", - "text": "Web ワークロード (UI または API) に WAF を使用するUse a WAF for a web workloads (UI or API)", - "waf": "安全" + "text": "サイトの耐障害性の設定を適切に検討し、必要に応じてビジネスに合わせて変更しましたか?", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", - "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", - "service": "AKS", + "checklist": "Azure API Management Review", + "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", + "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", + "service": "APIM", "severity": "中程度", - "text": "AKS Virtual Network で DDoS Standard を使用するUse DDoS Standard in the AKS Virtual Network", - "waf": "安全" + "text": "グローバルレベルでのエラー処理ポリシーの実装", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project 
subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", - "link": "https://learn.microsoft.com/azure/aks/http-proxy", - "service": "AKS", - "severity": "低い", - "text": "必要に応じて、会社の HTTP プロキシを追加します", - "waf": "安全" + "checklist": "Azure API Management Review", + "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", + "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", + "service": "APIM", + "severity": "中程度", + "text": "すべての API ポリシーに要素が含まれていることを確認します。", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", - "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", - "service": "AKS", + "checklist": "Azure API Management Review", + "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", + "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", + "service": "APIM", "severity": "中程度", - "text": "高度なマイクロサービス通信管理にサービスメッシュの使用を検討する", - "waf": "安全" + "text": "ポリシーフラグメントを使用して、複数の API で同じポリシー定義を繰り返さないようにする", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", - "service": "AKS", - "severity": "高い", - "text": "最も重要なメトリックに関するアラートを構成します (推奨事項については、「Container 
Insights」を参照してください)", + "checklist": "Azure API Management Review", + "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", + "link": "https://learn.microsoft.com/azure/api-management/monetization-support", + "service": "APIM", + "severity": "中程度", + "text": "API の収益化を計画している場合は、「収益化のサポート」の記事でおすすめの方法をご確認ください", "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "337453a3-cc63-4963-9a65-22ac19e80696", - "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", - "service": "AKS", - "severity": "低い", - "text": "Azure Advisor でクラスターの推奨事項を定期的に確認する", + "checklist": "Azure API Management Review", + "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", + "service": "APIM", + "severity": "高い", + "text": "診断設定を有効にしてログを Azure Monitor にエクスポートする", "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", - "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", - "service": "AKS", - "severity": "低い", - "text": "AKS 自動証明書のローテーションを有効にする", + "checklist": "Azure API Management Review", + "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", + "service": "APIM", + "severity": "中程度", + "text": "Application Insights を有効にして、より詳細なテレメトリを実現する", "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", - "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", - "service": "AKS", + "checklist": "Azure API Management Review", + "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", + "link": 
"https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", + "service": "APIM", "severity": "高い", - "text": "kubernetes のバージョンを定期的に (四半期ごとなど) アップグレードする定期的なプロセスを行うか、AKS 自動アップグレード機能を使用します", + "text": "最も重要なメトリックに関するアラートを構成する", "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", - "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", - "service": "AKS", + "checklist": "Azure API Management Review", + "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", + "service": "APIM", + "severity": "高い", + "text": "カスタム SSL 証明書が Azure Key Vault に格納され、安全にアクセスして更新できるようにする", + "waf": "安全" + }, + { + "checklist": "Azure API Management Review", + "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", + "service": "APIM", "severity": "高い", - "text": "ノードイメージのアップグレードを使用していない場合は、Linuxノードのアップグレードにkuredを使用します", - "waf": "オペレーションズ" + "text": "Azure AD を使用して API (データ プレーン) への受信要求を保護する", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", - "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", - "service": "AKS", - "severity": "高い", - "text": "クラスタノードイメージを定期的に(毎週など)アップグレードする定期的なプロセスを用意します", - "waf": "オペレーションズ" + "checklist": "Azure API Management Review", + "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", + "link": 
"https://learn.microsoft.com/azure/api-management/api-management-howto-aad", + "service": "APIM", + "severity": "中程度", + "text": "Microsoft Entra ID を使用して開発者ポータルでユーザーを認証する", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", - "service": "AKS", - "severity": "低い", - "text": "アプリケーションまたはクラスター構成を複数のクラスターにデプロイするために gitop を検討してください", - "waf": "オペレーションズ" + "checklist": "Azure API Management Review", + "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", + "service": "APIM", + "severity": "中程度", + "text": "適切なグループを作成して、製品の可視性を制御します", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d7672c26-7602-4482-85a4-14527fbe855c", - "link": "https://learn.microsoft.com/azure/aks/command-invoke", - "service": "AKS", - "severity": "低い", - "text": "プライベート クラスターで AKS コマンド呼び出しを使用することを検討する", + "checklist": "Azure API Management Review", + "guid": "06862505-2d9a-4874-9491-2837b00a3475", + "link": "https://learn.microsoft.com/azure/api-management/backends", + "service": "APIM", + "severity": "中程度", + "text": "バックエンド機能を使用して、冗長な API バックエンド構成を排除します", "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", - "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", - "service": "AKS", - "severity": "低い", - "text": "計画されたイベントの場合は、ノードの自動ドレインの使用を検討してください", + "checklist": "Azure API Management Review", + "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", + 
"service": "APIM", + "severity": "中程度", + "text": "名前付き値を使用して、ポリシーで使用できる共通の値を格納します", "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", - "link": "https://learn.microsoft.com/azure/aks/faq", - "service": "AKS", - "severity": "高い", - "text": "独自のガバナンスプラクティスを開発して、ノードRG(別名「インフラRG」)のオペレーターによって変更が実行されないようにします", - "waf": "オペレーションズ" + "checklist": "Azure API Management Review", + "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", + "service": "APIM", + "severity": "中程度", + "text": "DR の場合は、99.99% の SLA で 2 つ以上のリージョンにスケーリングされたデプロイで Premium レベルを活用します", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", - "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", - "severity": "低い", - "text": "カスタムノードRG(別名「インフラRG」)名を使用", - "waf": "オペレーションズ" + "checklist": "Azure API Management Review", + "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", + "link": "https://learn.microsoft.com/azure/api-management/high-availability", + "service": "APIM", + "severity": "中程度", + "text": "少なくとも 1 つのユニットを 2 つ以上の可用性ゾーンにデプロイして、SLA を 99.99% に向上させる", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", - "link": "https://kubernetes.io/docs/setup/release/notes/", - "service": "AKS", + "checklist": "Azure API Management Review", + "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", + "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", + "service": "APIM", + "severity": "高い", + "text": "自動バックアップ・ルーチンがあることを確認する", + "waf": "確実" + }, + { + "checklist": "Azure API Management Review", + "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", + "link": "https://learn.microsoft.com/azure/api-management/retry-policy", + "service": "APIM", "severity": "中程度", - "text": "非推奨の Kubernetes API を YAML マニフェストで使用しないでください", - "waf": "オペレーションズ" + "text": "ポリシーを使用して、フェイルオーバー・バックエンドURLとキャッシュを追加し、コールの失敗を減らします。", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", - "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", - "service": "AKS", + "checklist": "Azure API Management Review", + "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", + "service": "APIM", "severity": "低い", - "text": "Windows ノードのテイント", + "text": "高パフォーマンス レベルでログを記録する必要がある場合は、Event Hubs ポリシーを検討してください", "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", - "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", - "service": "AKS", - "severity": "低い", - "text": "Windows コンテナーのパッチ レベルをホストのパッチ レベルと同期させる", - "waf": "オペレーションズ" + "checklist": "Azure API Management Review", + "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", + "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", + "service": "APIM", + "severity": "中程度", + "text": 
"調整ポリシーを適用して、毎秒の要求数を制御する", + "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", + "waf": "パフォーマンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "クラスタレベルでの診断設定経由", - "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", - "link": "https://learn.microsoft.com/azure/aks/monitor-aks", - "service": "AKS", - "severity": "低い", - "text": "マスター ログ (API ログ) を Azure Monitor または任意のログ管理ソリューションに送信する", - "waf": "オペレーションズ" + "checklist": "Azure API Management Review", + "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", + "service": "APIM", + "severity": "中程度", + "text": "負荷が増加したときにインスタンスの数をスケールアウトするように自動スケーリングを構成する", + "waf": "パフォーマンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", - "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", - "service": "AKS", - "severity": "低い", - "text": "必要に応じて、nodePool スナップショットを使用します", - "waf": "費用" + "checklist": "Azure API Management Review", + "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", + "service": "APIM", + "severity": "中程度", + "text": "セルフホステッド ゲートウェイをデプロイする場所は、バックエンド API に近いリージョンが Azure にありません。", + "waf": "パフォーマンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", - "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", - "service": "AKS", - "severity": "低い", - "text": "時間的制約のないワークロードのスポット ノード プールを検討する", - "waf": "オペレーションズ" + "checklist": "Azure API Management Review", + "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", + "link": 
"https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", + "service": "APIM", + "severity": "中程度", + "text": "運用環境のワークロードには Premium レベルを使用します。", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", - "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", - "severity": "低い", - "text": "クイック バーストのために AKS 仮想ノードを検討する", - "waf": "オペレーションズ" + "checklist": "Azure API Management Review", + "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", + "service": "APIM", + "severity": "中程度", + "text": "複数リージョン モデルでは、ポリシーを使用して、可用性または待機時間に基づいてリージョン バックエンドに要求をルーティングします。", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", + "checklist": "Azure API Management Review", + "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", + "service": "APIM", "severity": "高い", - "text": "Container Insights (または Prometheus などの他のツール) を使用してクラスター メトリックを監視する", - "waf": "オペレーションズ" + "text": "APIM の制限に注意する", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant 
= (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", - "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", + "checklist": "Azure API Management Review", + "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", + "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", + "service": "APIM", "severity": "高い", - "text": "Container Insights(またはTelegraf/ElasticSearchなどの他のツール)を使用してクラスターログを保存および分析します", - "waf": "オペレーションズ" + "text": "セルフホステッド ゲートウェイのデプロイに回復性があることを確認します。", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", - "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", - "service": "AKS", + "checklist": "Azure API Management Review", + "guid": "7519e385-a88b-4d34-966b-6269d686e890", + "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", + "service": "APIM", + "severity": "中程度", + "text": "複数リージョンのデプロイに APIM の前で Azure Front Door を使用するUse Azure Front Door in front of APIM for multi-region deployment", + "waf": "パフォーマンス" + }, + { + "checklist": "Azure API Management Review", + "guid": "cd45c90e-7690-4753-930b-bf290c69c074", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", + "service": "APIM", "severity": "中程度", - "text": "ノードの CPU とメモリの使用率を監視する", - "waf": "オペレーションズ" + "text": "仮想ネットワーク (VNet) 内にサービスをデプロイするDeploy the service within a Virtual Network (VNet)", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": 
"1a4835ac-9422-423e-ae80-b123081a5417", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "checklist": "Azure API Management Review", + "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", + "service": "APIM", "severity": "中程度", - "text": "Azure CNI を使用している場合は、ノードごとに消費されるポッド IP の割合を監視します", - "waf": "オペレーションズ" + "text": "ネットワーク セキュリティ グループ (NSG) をサブネットにデプロイして、APIM との間のトラフィックを制限または監視します。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "OS ディスクの I/O は重要なリソースです。ノード内の OS が I/O で調整されると、予期しない動作が発生し、通常はノードが NotReady と宣言される可能性があります", - "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", - "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", - "service": "AKS", + "checklist": "Azure API Management Review", + "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", + "service": "APIM", "severity": "中程度", - "text": "ノード内の OS ディスク キューの深さを監視する", - "waf": "オペレーションズ" + "text": "プライベート エンドポイントをデプロイして、APIM が VNet にデプロイされていない場合に受信トラフィックをフィルター処理します。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "be209d39-fda4-4777-a424-d116785c2fa5", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", - "severity": "中程度", - "text": "AzFW/NVA でエグレス フィルター処理を使用しない場合は、標準の ALB によって割り当てられた SNAT ポートを監視します", - "waf": "オペレーションズ" + "checklist": "Azure API Management Review", + "guid": 
"d698adbd-3288-44cb-b10a-9b572da395ae", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", + "service": "APIM", + "severity": "高い", + "text": "パブリックネットワークアクセスの無効化", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", - "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", - "service": "AKS", + "checklist": "Azure API Management Review", + "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", + "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", + "service": "APIM", "severity": "中程度", - "text": "AKS クラスターのリソース正常性通知をサブスクライブするSubscribe to resource health notifications for your AKS cluster", + "text": "PowerShell 自動化スクリプトで管理を簡素化", "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", - "severity": "高い", - "text": "ポッド仕様で要求と制限を構成する", + "checklist": "Azure API Management Review", + "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", + "service": "APIM", + "severity": "中程度", + "text": "Infrastructure-as-code を使用して APIM を構成します。Cloud Adaption Framework APIM Landing Zone Accelerator から DevOps のベスト プラクティスを確認する", "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "769ef669-1a48-435a-a942-223ece80b123", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - 
"service": "AKS", + "checklist": "Azure API Management Review", + "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", + "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", + "service": "APIM", "severity": "中程度", - "text": "名前空間のリソースクォータを適用する", + "text": "Visual Studio Code APIM 拡張機能の使用を促進して API 開発を迅速化する", "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "081a5417-4158-433e-a3ad-3c2de733165c", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "AKS", - "severity": "高い", - "text": "サブスクリプションにノードプールをスケールアウトするのに十分なクォータがあることを確認する", + "checklist": "Azure API Management Review", + "guid": "354f1c03-8112-4965-85ad-c0074bddf231", + "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", + "service": "APIM", + "severity": "中程度", + "text": "DevOpsとCI/CDをワークフローに実装する", "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", - "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "checklist": "Azure API Management Review", + "guid": "b6439493-426a-45f3-9697-cf65baee208d", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", + "service": "APIM", "severity": "中程度", - "text": "Cluster Autoscaler を使用する", - "waf": "パフォーマンス" + "text": "クライアント証明書認証を使用した API の保護", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = 
(isnotnull(properties.austoscalerProfile)) | distinct id,compliant", - "guid": "831c2872-c693-4b39-a887-a561bada49bc", - "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", - "service": "AKS", - "severity": "低い", - "text": "AKS ノード プールのノード構成をカスタマイズする", - "waf": "パフォーマンス" + "checklist": "Azure API Management Review", + "guid": "2a67d143-1033-4c0a-8732-680896478f08", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", + "service": "APIM", + "severity": "中程度", + "text": "クライアント証明書認証を使用したバックエンド サービスのセキュリティ保護", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "checklist": "Azure API Management Review", + "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", + "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", + "service": "APIM", "severity": "中程度", - "text": "必要に応じてHorizontal Pod Autoscalerを使用します", - "waf": "パフォーマンス" + "text": "「OWASP API Security Top 10 の脅威を軽減するための推奨事項」の記事を確認し、API に適用できるものを確認します", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "ノードが大きくなると、パフォーマンスが向上し、エフェメラル ディスクや高速ネットワークなどの機能が提供されますが、爆発半径が大きくなり、スケーリングの粒度が低下します", - "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", - "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", - "service": "AKS", - "severity": "高い", - "text": "大きすぎず小さすぎない適切なノードサイズを検討してください", - "waf": "パフォーマンス" + "checklist": "Azure API Management Review", + "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", + "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", + "service": "APIM", + "severity": "中程度", + "text": "承認機能を使用して、バックエンド API の OAuth 2.0 トークンの管理を簡素化します", + "waf": "安全" }, { - 
"arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", - "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", - "service": "AKS", - "severity": "低い", - "text": "スケーラビリティのために 5,000 を超えるノードが必要な場合は、追加の AKS クラスターの使用を検討してください", - "waf": "パフォーマンス" + "checklist": "Azure API Management Review", + "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", + "service": "APIM", + "severity": "高い", + "text": "転送中の情報を暗号化する場合は、最新のTLSバージョンを使用します。可能であれば、古くて不要なプロトコルと暗号を無効にします。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", - "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", - "service": "AKS", - "severity": "低い", - "text": "AKS 自動化のために EventGrid イベントをサブスクライブすることを検討する", - "waf": "パフォーマンス" + "checklist": "Azure API Management Review", + "guid": "f8af3d94-1d2b-4070-846f-849197524258", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", + "service": "APIM", + "severity": "高い", + "text": "シークレット (名前付き値) が Azure Key Vault に格納され、安全にアクセスして更新できるようにする", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", - "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", - "service": "AKS", - "severity": "低い", - "text": "AKS クラスターで実行時間の長い操作を行う場合は、イベントの終了を検討してください", - "waf": "パフォーマンス" + "checklist": "Azure API Management Review", + "guid": "791abd8b-7706-4e31-9569-afefde724be3", + "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", + "service": "APIM", + "severity": "中程度", + "text": "可能な限りマネージド ID を使用して、他の Azure リソースに対する認証を行う", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", - "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", - "service": "AKS", - "severity": "低い", - "text": "必要に応じて、AKS ノードに Azure Dedicated Hosts を使用することを検討してください", - "waf": "パフォーマンス" + "checklist": "Azure API Management Review", + "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", + "service": "APIM", + "severity": "高い", + "text": "Web アプリケーション ファイアウォール (WAF) を使用するには、APIM の前に Application Gateway をデプロイします", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", - "guid": "24367b33-6971-45b1-952b-eee0b9b588de", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", + "checklist": "Cognitive Search Review Checklist", + "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", "severity": "高い", - "text": "エフェメラル OS ディスクを使用する", - "waf": "パフォーマンス" + "text": "2 つのレプリカで読み取り操作の可用性を 
99.9% にする", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "AKS", - "severity": "高い", - "text": "非エフェメラル ディスクの場合、複数のポッドを実行するには高いパフォーマンスが必要であり、既定の AKS ログ ローテーションしきい値で巨大なログが生成されるため、多くのポッド/ノードを実行する場合は、ノードに高い IOPS とより大きな OS ディスクを使用します", - "waf": "パフォーマンス" + "checklist": "Cognitive Search Review Checklist", + "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", + "severity": "中程度", + "text": "3 つのレプリカで読み取り/書き込み操作の可用性を 99.9% に向上させる", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", - "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", - "service": "AKS", - "severity": "低い", - "text": "ハイパー パフォーマンス ストレージ オプションの場合は、AKS 上の Ultra Disks を使用します", - "waf": "パフォーマンス" + "checklist": "Cognitive Search Review Checklist", + "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", + "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", + "service": "Cognitive Search", + "severity": "高い", + "text": "読み取りレプリカや書き込みレプリカを有効にすることでアベイラビリティーゾーンを活用する", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", - "service": "AKS", + "checklist": "Cognitive Search Review Checklist", + "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", + "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", + "service": "Cognitive Search", "severity": "中程度", - "text": 
"クラスター内に状態を保持することは避け、外部 (AzStorage、AzSQL、Cosmos など) にデータを格納します", - "waf": "パフォーマンス" + "text": "リージョンの冗長性については、地理的リージョン間で検索インデックスをレプリケートする自動化された方法が提供されないため、検索用に 2 つ以上のリージョンにサービスを手動で作成します", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", - "service": "AKS", + "checklist": "Cognitive Search Review Checklist", + "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", + "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", + "service": "Cognitive Search", "severity": "中程度", - "text": "AzFiles Standard を使用する場合は、パフォーマンス上の理由から AzFiles Premium や ANF を検討してください", - "waf": "パフォーマンス" + "text": "複数のサービス間でデータを同期するには、複数のサービスでコンテンツを更新するためにインデクサーを使用するか、複数のサービスでコンテンツの更新をプッシュするために REST API を使用する", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", - "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", - "service": "AKS", + "checklist": "Cognitive Search Review Checklist", + "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", + "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", + "service": "Cognitive Search", "severity": "中程度", - "text": "Azure ディスクと AZ を使用する場合は、適切なゾーンにストレージをプロビジョニングするために VolumeBindingMode:WaitForFirstConsumer を使用して LRS ディスクのゾーン内にノードプールを配置するか、複数のゾーンにまたがるノードプールに ZRS ディスクを使用することを検討してください", - "waf": "パフォーマンス" + "text": "Azure Traffic Manager を使用して要求を調整する", + "waf": "確実" + }, + { + "checklist": "Cognitive Search Review Checklist", + "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", + "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", + 
"service": "Cognitive Search", + "severity": "高い", + "text": "Azure Cognitive Search インデックスをバックアップおよび復元します。このサンプル コードを使用して、インデックス定義とスナップショットを一連の Json ファイルにバックアップします", + "waf": "確実" }, { "checklist": "MySQL Review Checklist", 
@@ -7773,54 +7618,209 @@ "waf": "確実" }, { - "checklist": "Device Provisioning Service Review", - "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", - "service": "IoT Hub DPS", + "checklist": "Azure Data Factory Review Checklist", + "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", + "service": "Azure Data Factory", + "severity": "中程度", + "text": "Azure Data Factory の FTA 回復性プレイブックの活用", + "waf": "確実" + }, + { + "checklist": "Azure Data Factory Review Checklist", + "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "severity": "高い", - "text": "ビジネスと SLO の要件に基づいて適切なロジック アプリのホスティング プランを選択する", + "text": "Availability Zones をサポートするリージョンでゾーン冗長パイプラインを使用するUse zone redundant pipelines in regions that support Availability Zones", "waf": "確実" }, { - "checklist": "Device Provisioning Service Review", - "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "IoT Hub DPS", + "checklist": "Azure Data Factory Review Checklist", + "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", + "link": "https://learn.microsoft.com/azure/data-factory/source-control", + "service": "Azure Data Factory", + "severity": "中程度", + "text": "DevOps を使用して Github と Azure DevOps の統合で ARM テンプレートをバックアップする", + "waf": "確実" + }, + { + "checklist": "Azure Data Factory Review Checklist", + "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", + "severity": "中程度", + "text": "セルフホステッド統合ランタイム VM 
を別のリージョンにレプリケートしてください", + "waf": "確実" + }, + { + "checklist": "Azure Data Factory Review Checklist", + "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", + "severity": "中程度", + "text": "必ず、姉妹リージョンでネットワークをレプリケートまたは複製してください。別のリージョンに VNet のコピーを作成する必要があります", + "waf": "確実" + }, + { + "checklist": "Azure Data Factory Review Checklist", + "description": "ADF パイプラインで Key Vault が使用されている場合は、Key Vault をレプリケートするために何もする必要はありません。Key Vault はマネージド サービスであり、Microsoft が処理します", + "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Azure Data Factory", + "severity": "低い", + "text": "Keyvault 統合を使用している場合は、Keyvault の SLA を使用して可用性を把握します", + "waf": "確実" + }, + { + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub は、保存データの暗号化を提供します。独自のキーを使用する場合、データは引き続き Microsoft マネージド キーを使用して暗号化されますが、さらに Microsoft マネージド キーはカスタマー マネージド キーを使用して暗号化されます。", + "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", + "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", + "service": "Event Hubs", + "severity": "低い", + "text": "必要に応じて、保存データの暗号化でカスタマー マネージド キー オプションを使用する", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "安全" + }, + { + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hubs 名前空間を使用すると、クライアントは TLS 1.0 以降でデータを送受信できます。より厳格なセキュリティ対策を適用するには、クライアントが新しいバージョンの TLS を使用してデータを送受信するように Event Hubs 名前空間を構成できます。Event Hubs 名前空間で TLS の最小バージョンが必要な場合、古いバージョンで行われた要求はすべて失敗します。", + "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", + "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", + "service": "Event Hubs", + "severity": "中程度", + "text": "要求に最低限必要なバージョンのトランスポート層セキュリティ (TLS) を適用する", + 
"training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "waf": "安全" + }, + { + "checklist": "Azure Event Hub Review", + "description": "Event Hubs 名前空間を作成すると、名前空間に対して RootManageSharedAccessKey という名前のポリシー規則が自動的に作成されます。このポリシーには、名前空間全体に対する管理アクセス許可があります。このルールは、管理ルートアカウントのように扱い、アプリケーションでは使用しないことをお勧めします。RBAC で認証プロバイダーとして AAD を使用することをお勧めします。", + "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", + "service": "Event Hubs", + "severity": "中程度", + "text": "必要のない場合はrootアカウントの使用を避けてください", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "waf": "安全" + }, + { + "checklist": "Azure Event Hub Review", + "description": "Azure リソースのマネージド ID は、Azure Virtual Machines (VM)、関数アプリ、Virtual Machine Scale Sets、その他のサービスで実行されているアプリケーションから Azure AD 資格情報を使用して、Event Hubs リソースへのアクセスを承認できます。Azure リソースのマネージド ID を Azure AD 認証と共に使用することで、クラウドで実行されるアプリケーションに資格情報を格納することを回避できます。", + "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", + "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", + "service": "Event Hubs", + "severity": "中程度", + "text": "可能な場合は、アプリケーションでマネージド ID を使用して Azure Event Hub に対する認証を行う必要があります。そうでない場合は、ストレージ資格情報 (SAS、サービス プリンシパル資格情報) を Azure Key Vault または同等のサービスに用意することを検討してください", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "安全" + }, + { + "checklist": "Azure Event Hub Review", + "description": "アクセス許可を作成するときは、Azure Event Hub へのクライアントのアクセスをきめ細かく制御します。Azure Event Hub のアクセス許可は、個々のリソース レベル (コンシューマー グループ、イベント ハブ エンティティ、イベント ハブ名前空間など) にスコープを設定する必要があり、またそうする必要があります。", + "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", + "service": "Event 
Hubs", "severity": "高い", - "text": "ゾーンの冗長性と可用性ゾーンを使用してリージョンの障害からロジック アプリを保護する", + "text": "最小特権データ プレーン RBAC を使用する", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "安全" + }, + { + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub リソース ログには、操作ログ、仮想ネットワーク、Kafka ログが含まれます。ランタイム監査ログは、Event Hubs のすべてのデータ プレーン アクセス操作 (イベントの送受信など) に関する集計された診断情報をキャプチャします。", + "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", + "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", + "service": "Event Hubs", + "severity": "中程度", + "text": "セキュリティ調査のログ記録を有効にします。Azure Monitor を使用して、リソース ログ、ランタイム監査ログ、Kafka ログなどのメトリックとログをキャプチャします", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "安全" + }, + { + "checklist": "Azure Event Hub Review", + "description": "既定では、Azure Event Hub にはパブリック IP アドレスがあり、インターネットに到達できます。プライベート エンドポイントを使用すると、仮想ネットワークと Azure Event Hub の間のトラフィックが Microsoft のバックボーン ネットワークを経由するようになります。それに加えて、パブリックエンドポイントを使用しない場合は無効にする必要があります。", + "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", + "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", + "service": "Event Hubs", + "severity": "中程度", + "text": "プライベート エンドポイントを使用して Azure Event Hub にアクセスし、該当する場合はパブリック ネットワーク アクセスを無効にすることを検討してください。", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "安全" + }, + { + "checklist": "Azure Event Hub Review", + "description": "IP ファイアウォールを使用すると、パブリック エンドポイントを、CIDR (Classless Inter-Domain Routing) 表記の一連の IPv4 アドレスまたは IPv4 アドレス範囲のみに制限できます。", + "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", + "service": "Event Hubs", + "severity": "中程度", + "text": "特定の IP アドレスまたは範囲からの Azure Event Hub 名前空間へのアクセスのみを許可することを検討してください", + "training": 
"https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "安全" + }, + { + "checklist": "Azure Event Hub Review", + "guid": "31d41e36-11c8-417b-8afb-c410d4391898", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", + "service": "Event Hubs", + "severity": "中程度", + "text": "FTAレジリエンシーハンドブックの活用", "waf": "確実" }, { - "checklist": "Device Provisioning Service Review", - "guid": "8aed4fbf-0830-4883-899d-222a154af478", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "IoT Hub DPS", + "checklist": "Azure Event Hub Review", + "description": "これは、ゾーン対応リージョンの Premium、Dedicated、または Standard SKU を使用してポータルから作成された新しい EH 名前空間に対して自動的にオンになります。EH メタデータとイベント データ自体の両方がゾーン間でレプリケートされます", + "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", + "service": "Event Hubs", "severity": "高い", - "text": "重要なワークロードに対するリージョン間 DR 戦略を検討する", + "text": "Availability Zones の活用 (地域的に適用可能な場合)", "waf": "確実" }, { - "checklist": "Device Provisioning Service Review", - "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "IoT Hub DPS", + "checklist": "Azure Event Hub Review", + "guid": "20b56c56-ad58-4519-8f82-735c586bb281", + "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", + "service": "Event Hubs", + "severity": "中程度", + "text": "予測可能なパフォーマンスのために Premium または Dedicated SKU を使用する", + "waf": "確実" + }, + { + "checklist": "Azure Event Hub Review", + "description": "組み込みの geo ディザスター リカバリー機能を有効にすると、名前空間の構成全体 (Event Hubs、コンシューマー グループ、設定) がプライマリ名前空間からセカンダリ名前空間に継続的にレプリケートされ、プライマリからセカンダリへのフェールオーバーをいつでも 1 
回だけ行うことができます。アクティブ/パッシブ機能は、アプリケーション構成を変更することなく、障害が発生した Azure リージョンからの復旧と破棄を容易にするように設計されています", + "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", + "service": "Event Hubs", "severity": "高い", - "text": "分離環境にデプロイする場合は、App Service Environment (ASE) v3 を使用するか、それらに移行します", + "text": "アクティブ パッシブ構成を使用した Geo ディザスター リカバリーの計画", "waf": "確実" }, { - "checklist": "Device Provisioning Service Review", - "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "IoT Hub DPS", + "checklist": "Azure Event Hub Review", + "description": "ダウンしたリージョンでのイベントデータの停止または損失を許容できない DR 構成に使用する必要があります。このような場合は、レプリケーションのガイダンスに従い、組み込みの geo ディザスター リカバリー機能 (アクティブ/パッシブ) を使用しないでください。アクティブ/アクティブでは、異なるリージョンと名前空間で複数の Event Hubs を保持し、イベントはハブ間でレプリケートされます", + "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", + "service": "Event Hubs", "severity": "中程度", - "text": "Azure DevOps または GitHub を活用して CI/CD を合理化し、ロジック アプリ コードを保護", - "waf": "オペレーションズ" + "text": "ビジネス クリティカルなアプリケーションの場合は、アクティブ アクティブ構成を使用します", + "waf": "確実" + }, + { + "checklist": "Azure Event Hub Review", + "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", + "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", + "service": "Event Hubs", + "severity": "中程度", + "text": "回復力のある Event Hubs の設計", + "waf": "確実" } ], "metadata": { "name": "WAF checklist", - "timestamp": "June 17, 2024" + "timestamp": "June 24, 2024" }, "severities": [ { @@ -7848,7 +7848,7 @@ }, { "description": "推奨事項は理解されているが、現在の要件では不要", - "name": "必要なし" + "name": "リスクの受け入れ" }, { "description": "現在のデザインには適用されません", diff --git a/checklists/waf_checklist.ko.json b/checklists/waf_checklist.ko.json index 3aed1e2e2..e1312fbf2 100644 --- a/checklists/waf_checklist.ko.json 
+++ b/checklists/waf_checklist.ko.json 
@@ -1,7826 +1,7826 @@ { "items": [ { - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub는 미사용 데이터의 암호화를 제공합니다. 사용자 고유의 키를 사용하는 경우 데이터는 여전히 Microsoft 관리형 키를 사용하여 암호화되지만 Microsoft 관리형 키는 고객 관리형 키를 사용하여 암호화됩니다. ", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "service": "Event Hubs", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", + "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", + "service": "AKS", "severity": "낮다", - "text": "필요한 경우 미사용 데이터 암호화에서 고객 관리형 키 옵션 사용Use customer-managed key option in data at rest encryption when required", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "안전" + "text": "AKS Windows 워크로드에 필요한 경우 HostProcess 컨테이너를 사용할 수 있습니다.", + "waf": "신뢰도" }, { - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hubs 네임스페이스를 사용하면 클라이언트가 TLS 1.0 이상을 사용하여 데이터를 보내고 받을 수 있습니다. 더 엄격한 보안 조치를 적용하기 위해 클라이언트가 최신 버전의 TLS를 사용하여 데이터를 보내고 받도록 Event Hubs 네임스페이스를 구성할 수 있습니다. Event Hubs 네임스페이스에 최소 버전의 TLS가 필요한 경우 이전 버전으로 수행된 모든 요청이 실패합니다. 
", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "service": "Event Hubs", - "severity": "보통", - "text": "요청에 필요한 최소 버전의 TLS(전송 계층 보안) 적용 ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", + "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", + "service": "AKS", + "severity": "낮다", + "text": "이벤트 기반 워크로드를 실행하는 경우 KEDA 사용Use KEDA if running event-driven workloads", + "waf": "공연" }, { - "checklist": "Azure Event Hub Review", - "description": "Event Hubs 네임스페이스를 만들 때 네임스페이스에 대해 RootManageSharedAccessKey라는 정책 규칙이 자동으로 만들어집니다. 이 정책에는 전체 네임스페이스에 대한 관리 권한이 있습니다. 이 규칙을 관리 루트 계정처럼 취급하고 응용 프로그램에서 사용하지 않는 것이 좋습니다. RBAC에서 AAD를 인증 공급자로 사용하는 것이 좋습니다. ", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "service": "Event Hubs", - "severity": "보통", - "text": "필요하지 않은 경우 루트 계정을 사용하지 마십시오.", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", + "link": "https://dapr.io/", + "service": "AKS", + "severity": "낮다", + "text": "Dapr을 사용하여 마이크로 서비스 개발 용이", + "waf": "작업" }, { - "checklist": "Azure Event Hub Review", - "description": "Azure 리소스에 대한 관리 ID는 Azure VM(Virtual Machines), 함수 앱, Virtual Machine Scale Sets 및 기타 서비스에서 실행되는 애플리케이션에서 Azure AD 자격 증명을 사용하여 Event Hubs 리소스에 대한 액세스 권한을 부여할 수 있습니다. Azure AD 인증과 함께 Azure 리소스에 대한 관리 ID를 사용하면 클라우드에서 실행되는 애플리케이션에 자격 증명을 저장하지 않아도 됩니다. 
", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "service": "Event Hubs", - "severity": "보통", - "text": "가능한 경우 애플리케이션은 관리 ID를 사용하여 Azure Event Hub에 인증해야 합니다. 그렇지 않은 경우 Azure Key Vault 또는 동등한 서비스에 스토리지 자격 증명(SAS, 서비스 주체 자격 증명)을 사용하는 것이 좋습니다", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", + "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", + "link": "https://learn.microsoft.com/azure/aks/uptime-sla", + "service": "AKS", + "severity": "높다", + "text": "SLA 지원 AKS 제품 사용", + "waf": "신뢰도" }, { - "checklist": "Azure Event Hub Review", - "description": "권한을 만들 때 Azure Event Hub에 대한 클라이언트의 액세스를 세밀하게 제어할 수 있습니다. 
Azure Event Hub의 사용 권한은 개별 리소스 수준(예: 소비자 그룹, 이벤트 허브 엔터티, 이벤트 허브 네임스페이스 등)으로 범위를 지정할 수 있으며 범위가 지정되어야 합니다.", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "service": "Event Hubs", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", + "severity": "낮다", + "text": "Pod 및 배포 정의에서 중단 예산 사용Use Disruption Budgets in your pod and deployment definitions", + "waf": "신뢰도" + }, + { + "checklist": "Azure AKS Review", + "guid": "3c763963-7a55-42d5-a15e-401955387e5c", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", + "service": "ACR", "severity": "높다", - "text": "최소 권한 데이터 평면 RBAC 사용", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "안전" + "text": "개인 레지스트리를 사용하는 경우 여러 지역에 이미지를 저장하도록 지역 복제를 구성합니다", + "waf": "신뢰도" }, { - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub 리소스 로그에는 작업 로그, 가상 네트워크 및 Kafka 로그가 포함됩니다. 런타임 감사 로그는 Event Hubs의 모든 데이터 평면 액세스 작업(예: 이벤트 보내기 또는 받기)에 대해 집계된 진단 정보를 캡처합니다.", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "service": "Event Hubs", - "severity": "보통", - "text": "보안 조사를 위해 로깅을 사용하도록 설정합니다. 
Azure Monitor를 사용하여 리소스 로그, 런타임 감사 로그 및 Kafka 로그와 같은 메트릭 및 로그를 캡처합니다.", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", + "service": "AKS", + "severity": "낮다", + "text": "kubecost와 같은 외부 애플리케이션을 사용하여 다른 사용자에게 비용 할당", + "waf": "비용" }, { - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub는 기본적으로 공용 IP 주소를 가지며 인터넷에 연결할 수 있습니다. 프라이빗 엔드포인트를 사용하면 가상 네트워크와 Azure Event Hub 간의 트래픽이 Microsoft 백본 네트워크를 통해 트래버스할 수 있습니다. 또한 퍼블릭 엔드포인트를 사용하지 않는 경우 사용하지 않도록 설정해야 합니다. ", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "service": "Event Hubs", - "severity": "보통", - "text": "프라이빗 엔드포인트를 사용하여 Azure Event Hub에 액세스하고 해당하는 경우 공용 네트워크 액세스를 사용하지 않도록 설정하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", + "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", + "service": "AKS", + "severity": "낮다", + "text": "축소 모드를 사용하여 노드 삭제/할당 취소", + "waf": "비용" }, { - "checklist": "Azure Event Hub Review", - "description": "IP 방화벽을 사용하면 퍼블릭 엔드포인트를 CIDR(Classless Inter-Domain Routing) 표기법의 IPv4 주소 또는 IPv4 주소 범위 집합으로만 추가로 제한할 수 있습니다. 
", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "service": "Event Hubs", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", + "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", + "service": "AKS", "severity": "보통", - "text": "특정 IP 주소 또는 범위에서 Azure Event Hub 네임스페이스에 대한 액세스만 허용하는 것이 좋습니다", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "안전" + "text": "필요한 경우 AKS 클러스터에서 다중 인스턴스 분할 GPU 사용", + "waf": "비용" }, { - "checklist": "Azure Event Hub Review", - "guid": "31d41e36-11c8-417b-8afb-c410d4391898", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", - "service": "Event Hubs", - "severity": "보통", - "text": "FTA 탄력성 핸드북 활용", - "waf": "신뢰도" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", + "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", + "service": "AKS", + "severity": "낮다", + "text": "개발/테스트 클러스터를 실행하는 경우 NodePool 시작/중지를 사용합니다.", + "waf": "비용" }, { - "checklist": "Azure Event Hub Review", - "description": " 영역 사용 지역의 프리미엄, 전용 또는 표준 SKU를 사용하여 포털에서 만든 새 EH 네임스페이스에 대해 자동으로 설정됩니다. 
EH 메타데이터와 이벤트 데이터 자체는 모두 영역 간에 복제됩니다", - "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", - "service": "Event Hubs", - "severity": "높다", - "text": "지역적으로 적용 가능한 경우 가용성 영역 활용Leverage Availability Zones if regionally applicable", - "waf": "신뢰도" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", + "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", + "service": "AKS", + "severity": "보통", + "text": "Kubernetes용 Azure Policy를 사용하여 클러스터 규정 준수 보장", + "waf": "안전" }, { - "checklist": "Azure Event Hub Review", - "guid": "20b56c56-ad58-4519-8f82-735c586bb281", - "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", - "service": "Event Hubs", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", + "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", "severity": "보통", - "text": "예측 가능한 성능을 위해 프리미엄 또는 전용 SKU 사용", - "waf": "신뢰도" + "text": "사용자/시스템 노드 풀이 있는 컨트롤 플레인에서 응용 프로그램 분리", + "waf": "안전" }, { - "checklist": "Azure Event Hub Review", - "description": "기본 제공 지역 재해 복구 기능을 사용하도록 설정하면 네임스페이스(Event Hubs, 소비자 그룹 및 설정)의 전체 구성이 기본 네임스페이스에서 보조 네임스페이스로 지속적으로 복제되며, 언제든지 한 번만 장애 조치(failover)를 주 네임스페이스에서 보조 네임스페이스로 이동할 수 있습니다. 
활성/수동 기능은 애플리케이션 구성을 변경할 필요 없이 실패한 Azure 지역에서 더 쉽게 복구하고 중단할 수 있도록 설계되었습니다", - "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", - "service": "Event Hubs", - "severity": "높다", - "text": "Active Passive 구성을 사용하여 지역 재해 복구 계획Plan for Geo Disaster Recovery using Active Passive configuration", - "waf": "신뢰도" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", + "severity": "낮다", + "text": "시스템 nodepool에 taint를 추가하여 전용으로 만듭니다.", + "waf": "안전" }, { - "checklist": "Azure Event Hub Review", - "description": "다운된 지역에서 이벤트 데이터의 중단 또는 손실을 허용할 수 없는 DR 구성에 사용해야 합니다. 이러한 경우 복제 지침을 따르고 기본 제공 지역 재해 복구 기능(활성/수동)을 사용하지 마세요. 액티브/액티브를 사용하여 서로 다른 지역 및 네임스페이스에서 여러 Event Hubs를 유지 관리하면 허브 간에 이벤트가 복제됩니다", - "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", - "service": "Event Hubs", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", + "link": "https://learn.microsoft.com/azure/container-registry/", + "service": "AKS", "severity": "보통", - "text": "Business Critical Applications의 경우 Active Active 구성을 사용합니다.", - "waf": "신뢰도" + "text": "이미지에 개인 레지스트리(예: ACR) 사용", + "waf": "안전" }, { - "checklist": "Azure Event Hub Review", - "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", - "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", - "service": "Event Hubs", + "checklist": "Azure AKS Review", + "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", + "link": "https://learn.microsoft.com/azure/security-center/container-security", + "service": "ACR", "severity": "보통", - "text": "복원력 있는 Event Hubs 설계", - "waf": 
"신뢰도" + "text": "이미지에서 취약성 검사", + "waf": "안전" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", + "service": "AKS", "severity": "높다", - "text": "읽기 작업에 대해 99.9%의 가용성을 갖도록 복제본 2개 사용", - "waf": "신뢰도" + "text": "앱 분리 요구 사항 정의(네임스페이스/노드 풀/클러스터)", + "waf": "안전" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", + "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", + "service": "AKS", "severity": "보통", - "text": "읽기/쓰기 작업에 대해 99.9%의 가용성을 갖도록 복제본 3개 사용", - "waf": "신뢰도" + "text": "CSI 비밀 저장소 드라이버를 사용하여 Azure Key Vault에 비밀 저장", + "waf": "안전" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", - "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", - "service": "Cognitive Search", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", + "link": "https://learn.microsoft.com/azure/aks/update-credentials", + "service": "AKS", "severity": "높다", - "text": "읽기 및/또는 쓰기 복제본을 활성화하여 가용 영역 활용Leverage Availability Zones by enabling read and/or write replicas", - "waf": "신뢰도" + "text": "클러스터에 서비스 주체를 사용하는 경우 주기적으로(예: 분기별) 자격 증명을 새로 고칩니다", + 
"waf": "안전" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", - "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", - "service": "Cognitive Search", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", + "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", + "service": "AKS", "severity": "보통", - "text": "지역 중복의 경우 Manually create services in 2 or more regions for Search는 지리적 지역 간에 검색 인덱스를 복제하는 자동화된 방법을 제공하지 않습니다", - "waf": "신뢰도" + "text": "필요한 경우 키 관리 서비스 etcd 암호화를 추가합니다.", + "waf": "안전" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", - "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", - "service": "Cognitive Search", - "severity": "보통", - "text": "여러 서비스에서 데이터를 동기화하려면 인덱서를 사용하여 여러 서비스의 콘텐츠를 업데이트하거나 REST API를 사용하여 여러 서비스에서 콘텐츠 업데이트를 푸시합니다.", - "waf": "신뢰도" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", + "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", + "service": "AKS", + "severity": "낮다", + "text": "필요한 경우 AKS용 기밀 컴퓨팅을 사용하는 것이 좋습니다.", + "waf": "안전" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", - "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", - "service": "Cognitive Search", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", + "service": 
"AKS", "severity": "보통", - "text": "Azure Traffic Manager를 사용하여 요청 조정", - "waf": "신뢰도" - }, - { - "checklist": "Cognitive Search Review Checklist", - "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", - "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", - "service": "Cognitive Search", - "severity": "높다", - "text": "Azure Cognitive Search 인덱스를 백업 및 복원합니다. 이 샘플 코드를 사용하여 인덱스 정의 및 스냅샷을 일련의 Json 파일에 백업합니다", - "waf": "신뢰도" - }, - { - "checklist": "Device Provisioning Service Review", - "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", - "service": "IoT Hub DPS", - "severity": "높다", - "text": "비즈니스 및 SLO 요구 사항에 따라 올바른 Logic App 호스팅 계획 선택Select the right Logic App hosting plan based on your business & SLO requirements", - "waf": "신뢰도" - }, - { - "checklist": "Device Provisioning Service Review", - "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "IoT Hub DPS", - "severity": "높다", - "text": "영역 중복 및 가용성 영역을 사용하여 지역 오류로부터 논리 앱 보호Protect logic apps from region failures with zone redundancy and availability zones", - "waf": "신뢰도" + "text": "컨테이너용 Defender 사용 고려", + "waf": "안전" }, { - "checklist": "Device Provisioning Service Review", - "guid": "8aed4fbf-0830-4883-899d-222a154af478", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "IoT Hub DPS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", + "guid": 
"ed127dd1-42b0-46b2-8c69-99a646f3389a", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", + "service": "AKS", "severity": "높다", - "text": "중요한 워크로드에 대한 지역 간 DR 전략 고려", - "waf": "신뢰도" + "text": "서비스 주체 대신 관리 ID 사용", + "waf": "안전" }, { - "checklist": "Device Provisioning Service Review", - "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "IoT Hub DPS", - "severity": "높다", - "text": "격리된 환경에 배포하는 경우 ASE(App Service Environment) v3을 사용하거나 마이그레이션합니다", - "waf": "신뢰도" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", + "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", + "link": "https://learn.microsoft.com/azure/aks/managed-aad", + "service": "AKS", + "severity": "보통", + "text": "AAD와 인증 통합(관리형 통합 사용)", + "waf": "안전" }, { - "checklist": "Device Provisioning Service Review", - "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "IoT Hub DPS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", + "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", + "service": "AKS", "severity": "보통", - "text": "Azure DevOps 또는 GitHub를 활용하여 CI/CD를 간소화하고 논리 앱 코드를 보호합니다.", - "waf": "작업" + "text": "관리자 kubeconfig에 대한 액세스 제한(get-credentials --admin)", + "waf": "안전" }, { - "checklist": "Azure Data Factory Review Checklist", - "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", - "service": "Azure Data Factory", + "arm-service": "microsoft.containerservice/managedClusters", 
+ "checklist": "Azure AKS Review", + "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", + "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", + "service": "AKS", "severity": "보통", - "text": "Azure Data Factory에 대한 FTA 복원력 플레이북 활용", - "waf": "신뢰도" + "text": "AAD RBAC와 권한 부여 통합", + "waf": "안전" }, { - "checklist": "Azure Data Factory Review Checklist", - "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", + "service": "AKS", "severity": "높다", - "text": "가용성 영역을 지원하는 지역에서 영역 중복 파이프라인 사용Use zone redundant pipelines in regions that support Availability Zones", - "waf": "신뢰도" + "text": "쿠버네티스에서 RBAC 권한을 제한하기 위해 네임스페이스 사용", + "waf": "안전" }, { - "checklist": "Azure Data Factory Review Checklist", - "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", - "link": "https://learn.microsoft.com/azure/data-factory/source-control", - "service": "Azure Data Factory", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", + "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", + "service": "AKS", "severity": "보통", - "text": "DevOps를 사용하여 Github/Azure DevOps 통합으로 ARM 템플릿 백업 ", - "waf": "신뢰도" + "text": "Pod ID 액세스 관리의 경우 Azure AD 워크로드 ID(미리 보기)를 사용합니다.", + "waf": "안전" }, { - "checklist": "Azure Data Factory Review Checklist", - "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "arm-service": "microsoft.containerservice/managedClusters", + 
"checklist": "Azure AKS Review", + "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", + "service": "AKS", "severity": "보통", - "text": "다른 지역에서 자체 호스팅 통합 런타임 VM을 복제해야 합니다. ", - "waf": "신뢰도" + "text": "AKS 비대화형 로그인의 경우 kubelogin(미리 보기)을 사용합니다.", + "waf": "안전" }, { - "checklist": "Azure Data Factory Review Checklist", - "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", + "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", + "service": "AKS", "severity": "보통", - "text": "자매 지역에서 네트워크를 복제하거나 복제해야 합니다. 다른 지역에서 Vnet의 복사본을 만들어야 합니다", - "waf": "신뢰도" + "text": "AKS 로컬 계정 사용 안 함", + "waf": "안전" }, { - "checklist": "Azure Data Factory Review Checklist", - "description": "ADF 파이프라인에서 Key Vault를 사용하는 경우 Key Vault를 복제하기 위해 아무 작업도 수행할 필요가 없습니다. 
Key Vault는 관리되는 서비스이며 Microsoft에서 처리합니다", - "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Azure Data Factory", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", + "service": "AKS", "severity": "낮다", - "text": "Keyvault 통합을 사용하는 경우 Keyvault의 SLA를 사용하여 가용성을 파악합니다", - "waf": "신뢰도" - }, - { - "checklist": "Azure Application Delivery Networking", - "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Front Door", - "severity": "보통", - "text": "Azure Front Door에서 고객 관리형 TLS 인증서를 사용하는 경우 '최신' 인증서 버전을 사용합니다. 수동 인증서 갱신으로 인한 중단 위험 감소", - "waf": "작업" + "text": "필요한 경우 Just-in-time 클러스터 액세스 구성", + "waf": "안전" }, { - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", - "guid": "553585a6-abe0-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "App Gateway", - "severity": "보통", - "text": "Application Gateway v2 SKU를 사용하고 있는지 확인합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "낮다", + "text": "AKS에 필요한 경우 AAD 조건부 액세스 구성", "waf": "안전" }, { - "checklist": 
"Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", - "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Load Balancer", - "severity": "보통", - "text": "Azure Load Balancer에 표준 SKU를 사용하고 있는지 확인합니다.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", + "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", + "service": "AKS", + "severity": "낮다", + "text": "Windows AKS 워크로드에 필요한 경우 gMSA를 구성합니다. ", "waf": "안전" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "9432621a-8397-4654-a882-5bc856b7ef83", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", - "service": "Load Balancer", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", + "service": "AKS", "severity": "보통", - "text": "Load Balancer 프런트 엔드 IP 주소가 영역 중복인지 확인합니다(영역 프런트 엔드가 필요하지 않은 경우).", + "text": "더 세밀하게 제어하려면 관리형 Kubelet ID를 사용하는 것이 좋습니다.", "waf": "안전" }, { - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = 
subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", - "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "App Gateway", - "severity": "보통", - "text": "Application Gateway v2는 IP 접두사가 /24보다 크거나 같은 서브넷에 배포해야 합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "안전" - }, - { - "checklist": "Azure Application Delivery Networking", - "description": "일반적으로 역방향 프록시 및 특히 WAF의 관리는 네트워킹보다 애플리케이션에 더 가깝기 때문에 앱과 동일한 구독에 속합니다. 연결 구독에서 Application Gateway 및 WAF를 중앙 집중화하는 것은 단일 팀에서 관리하는 경우 괜찮을 수 있습니다.", - "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", + "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", + "service": "AKS", "severity": "보통", - "text": "랜딩 영역 가상 네트워크 내에서 그리고 보안 중인 앱을 사용하여 인바운드 HTTP(S) 연결을 프록시하는 데 사용되는 Azure Application Gateway v2 또는 파트너 NVA를 배포합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "안전" + "text": "AGIC를 사용하는 경우 클러스터 간에 AppGW를 공유하지 마세요", + "waf": "신뢰도" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", - "severity": "보통", - "text": "애플리케이션 랜딩 존의 모든 공용 IP 주소에 대해 DDoS 네트워크 또는 IP 보호 계획을 사용합니다.", - "training": 
"https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", + "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", + "link": "https://learn.microsoft.com/azure/aks/http-application-routing", + "service": "AKS", + "severity": "높다", + "text": "AKS HTTP 라우팅 추가 기능을 사용하지 말고, 애플리케이션 라우팅 추가 기능과 함께 관리되는 NGINX 수신을 대신 사용합니다.", + "waf": "신뢰도" }, { - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", - "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", + "service": "AKS", "severity": "보통", - "text": "최소 인스턴스 수를 2개로 자동 크기 조정을 구성합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "신뢰도" + "text": "Windows 워크로드의 경우 가속화된 네트워킹을 사용합니다.", + "waf": "공연" }, { - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", - "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", - "link": 
"https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", - "service": "App Gateway", - "severity": "보통", - "text": "가용성 영역에 Application Gateway 배포", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", + "guid": "ba7da7be-9952-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", + "severity": "높다", + "text": "표준 ALB 사용(기본 ALB와 반대)", "waf": "신뢰도" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Front Door", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", + "service": "AKS", "severity": "보통", - "text": "WAF 정책과 함께 Azure Front Door를 사용하여 여러 Azure 지역에 걸쳐 있는 글로벌 HTTP/S 앱을 제공하고 보호할 수 있습니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "Azure CNI를 사용하는 경우 NodePools에 다른 서브넷을 사용하는 것이 좋습니다.", "waf": "안전" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "3f29812b-2363-4cef-b179-b599de0d5973", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "Front Door", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", + "service": 
"AKS", "severity": "보통", - "text": "Front Door 및 Application Gateway를 사용하여 HTTP/S 앱을 보호하는 경우 Front Door에서 WAF 정책을 사용합니다. Front Door에서만 트래픽을 수신하도록 Application Gateway를 잠급니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "프라이빗 엔드포인트(기본 설정) 또는 Virtual Network 서비스 엔드포인트를 사용하여 클러스터에서 PaaS 서비스에 액세스", "waf": "안전" }, { - "ammp": true, - "arm-service": "microsoft.network/trafficManagerProfiles", - "checklist": "Azure Application Delivery Networking", - "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Traffic Manager", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", + "guid": "a0f61565-9de5-458f-a372-49c831112dbd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "severity": "높다", - "text": "Traffic Manager를 사용하여 HTTP/S 이외의 프로토콜에 걸쳐 있는 글로벌 앱을 제공합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "요구 사항에 가장 적합한 CNI 네트워크 플러그 인 선택(Azure CNI 권장)", "waf": "신뢰도" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", - "severity": "낮다", - "text": "사용자가 내부 애플리케이션에만 액세스해야 하는 경우 Microsoft Entra ID 애플리케이션 프록시가 AVD(Azure Virtual Desktop)의 대안으로 고려되었나요?", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", + "link": 
"https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "높다", + "text": "Azure CNI를 사용하는 경우 노드당 최대 Pod 수를 고려하여 서브넷 크기를 적절하게 조정합니다", + "waf": "공연" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", - "severity": "보통", - "text": "네트워크에서 들어오는 연결에 대해 열려 있는 방화벽 포트 수를 줄이려면 Microsoft Entra ID 애플리케이션 프록시를 사용하여 원격 사용자에게 내부 애플리케이션에 대한 안전하고 인증된 액세스를 제공하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "높다", + "text": "Azure CNI를 사용하는 경우 최대 Pod/노드(기본값 30)를 확인합니다.", + "waf": "공연" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", - "guid": "ae248989-b306-4591-9186-de482e3f0f0e", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "Front Door", - "severity": "높다", - "text": "'방지' 모드에서 Front Door에 대한 WAF 정책을 배포합니다.", + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "내부 앱의 경우 조직은 방화벽에서 전체 AKS 서브넷을 여는 경우가 많습니다. 이렇게 하면 노드에 대한 네트워크 액세스도 열리고 잠재적으로 Pod에 대한 액세스도 열립니다(Azure CNI를 사용하는 경우). LoadBalancer IP가 다른 서브넷에 있는 경우 앱 클라이언트에서 이 IP만 사용할 수 있어야 합니다. 또 다른 이유는 AKS 서브넷의 IP 주소가 부족한 리소스인 경우 서비스에 해당 IP 주소를 사용하면 클러스터의 최대 확장성이 감소하기 때문입니다.", + "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", + "link": "https://learn.microsoft.com/azure/aks/internal-lb", + "service": "AKS", + "severity": "낮다", + "text": "개인 IP LoadBalancer 서비스를 사용하는 경우 AKS 서브넷이 아닌 전용 서브넷을 사용합니다", "waf": "안전" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "Front Door", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "severity": "높다", - "text": "Azure Traffic Manager와 Azure Front Door를 결합하지 마세요.", - "waf": "안전" + "text": "그에 따라 서비스 IP 주소 범위의 크기를 조정합니다(클러스터 확장성이 제한됨).", + "waf": "신뢰도" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "Front Door", - "severity": "높다", - "text": "Azure Front Door 및 원본에서 동일한 도메인 이름을 사용합니다. 
호스트 이름이 일치하지 않으면 미묘한 버그가 발생할 수 있습니다.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", + "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", + "service": "AKS", + "severity": "낮다", + "text": "필요한 경우 자체 CNI 플러그인을 추가합니다.", "waf": "안전" }, { - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", - "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "Front Door", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", + "service": "AKS", "severity": "낮다", - "text": "Azure Front Door 원본 그룹에 원본이 하나만 있는 경우 상태 프로브를 사용하지 않도록 설정합니다.", + "text": "필요한 경우 AKS에서 노드당 공용 IP 구성", "waf": "공연" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "Front Door", + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", + "link": "https://learn.microsoft.com/azure/aks/concepts-network", + "service": "AKS", "severity": "보통", - "text": "Azure Front Door에 대한 양호한 상태 프로브 엔드포인트를 선택합니다. 애플리케이션의 모든 종속성을 확인하는 상태 엔드포인트를 빌드하는 것이 좋습니다.", + "text": "수신 컨트롤러를 사용하여 LoadBalancer 유형 서비스를 사용하여 노출하는 대신 웹 기반 앱을 노출합니다", "waf": "신뢰도" }, { - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", - "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "Front Door", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", + "link": "https://learn.microsoft.com/azure/aks/nat-gateway", + "service": "AKS", "severity": "낮다", - "text": "Azure Front Door와 함께 HEAD 상태 프로브를 사용하여 Front Door가 애플리케이션으로 보내는 트래픽을 줄입니다.", - "waf": "공연" + "text": "송신 트래픽 크기 조정을 위해 Azure NAT Gateway를 outboundType으로 사용", + "waf": "신뢰도" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", - "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "Load Balancer", - "severity": "높다", - "text": "SNAT 확장성 향상을 위해 Load Balancer 아웃바운드 규칙 대신 Azure NAT Gateway 사용", + 
"arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", + "service": "AKS", + "severity": "보통", + "text": "Azure CNI IP 소모를 방지하기 위해 IP의 동적 할당 사용", "waf": "신뢰도" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", - "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "Front Door", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", + "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", + "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", + "service": "AKS", "severity": "높다", - "text": "Azure Front Door에서 관리형 TLS 인증서를 사용합니다. 
운영 비용을 줄이고 인증서 갱신으로 인한 중단 위험을 줄입니다.", - "waf": "작업" + "text": "보안 요구 사항에 필요한 경우 AzFW/NVA를 사용하여 송신 트래픽 필터링", + "waf": "안전" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", - "service": "Front Door", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", + "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", + "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", + "service": "AKS", "severity": "보통", - "text": "Azure Front Door WAF 구성을 코드로 정의합니다. 코드를 사용하면 새 규칙 집합 버전을 보다 쉽게 채택하고 추가 보호를 얻을 수 있습니다.", - "waf": "작업" + "text": "퍼블릭 API 엔드포인트를 사용하는 경우 액세스할 수 있는 IP 주소를 제한합니다", + "waf": "안전" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", - "service": "Front Door", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", + "link": "https://learn.microsoft.com/azure/aks/private-clusters", + "service": "AKS", "severity": "높다", - "text": "Azure Front Door에서 엔드투엔드 TLS를 사용합니다. 
클라이언트에서 Front Door로, Front Door에서 원본으로 연결하는 데 TLS를 사용합니다.", + "text": "요구 사항에 따라 개인 클러스터를 사용합니다", "waf": "안전" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", - "service": "Front Door", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "severity": "보통", - "text": "Azure Front Door에서 HTTP에서 HTTPS로 리디렉션을 사용합니다. 이전 클라이언트를 HTTPS 요청으로 자동 리디렉션하여 지원합니다.", - "waf": "안전" - }, - { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", - "service": "Front Door", - "severity": "높다", - "text": "Azure Front Door WAF를 사용하도록 설정합니다. 다양한 공격으로부터 애플리케이션을 보호합니다.", + "text": "Windows 2019 및 2022 AKS 노드의 경우 Calico 네트워크 정책을 사용할 수 있습니다. 
", "waf": "안전" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", - "service": "Front Door", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", + "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "severity": "높다", - "text": "워크로드에 맞게 Azure Front Door WAF를 튜닝합니다. 가양성 탐지를 줄입니다.", + "text": "Kubernetes 네트워크 정책 옵션 사용(Calico/Azure)", "waf": "안전" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "Front Door", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "severity": "높다", - "text": "Azure Front Door WAF 정책에서 요청 본문 검사 기능을 사용하도록 설정합니다.", + "text": "쿠버네티스 네트워크 정책을 사용하여 클러스터 내 보안 강화", "waf": "안전" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", - "service": "Front Door", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", + "link": 
"https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "severity": "높다", - "text": "Azure Front Door WAF 기본 규칙 집합을 사용하도록 설정합니다. 기본 규칙 집합은 일반적인 공격을 탐지하고 차단합니다.", + "text": "웹 워크로드(UI 또는 API)에 WAF 사용Use a WAF for web workloads (UIs or APIs)", "waf": "안전" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", - "service": "Front Door", - "severity": "높다", - "text": "Azure Front Door WAF 봇 보호 규칙 집합을 사용하도록 설정합니다. 봇 규칙은 좋은 봇과 나쁜 봇을 감지합니다.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", + "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", + "service": "AKS", + "severity": "보통", + "text": "AKS Virtual Network에서 DDoS 표준 사용Use DDoS Standard in the AKS Virtual Network", "waf": "안전" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", - "service": "Front Door", - 
"severity": "보통", - "text": "최신 Azure Front Door WAF 규칙 집합 버전을 사용합니다. 규칙 집합 업데이트는 현재 위협 환경을 고려하기 위해 정기적으로 업데이트됩니다.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", + "link": "https://learn.microsoft.com/azure/aks/http-proxy", + "service": "AKS", + "severity": "낮다", + "text": "필요한 경우 회사 HTTP 프록시를 추가합니다.", "waf": "안전" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "b9620385-1cde-418f-914b-a84a06982ffc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", - "service": "Front Door", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", + "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", + "service": "AKS", "severity": "보통", - "text": "Azure Front Door WAF에 속도 제한을 추가합니다. 
속도 제한은 클라이언트가 실수로 또는 의도적으로 짧은 시간에 많은 양의 트래픽을 보내는 것을 차단합니다.", + "text": "고급 마이크로서비스 통신 관리를 위해 서비스 메시를 사용하는 것이 좋습니다", "waf": "안전" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", - "service": "Front Door", - "severity": "보통", - "text": "Azure Front Door WAF 속도 제한에 높은 임계값을 사용합니다. 높은 속도 제한 임계값은 합법적인 트래픽 차단을 방지하는 동시에 인프라를 압도할 수 있는 매우 많은 수의 요청에 대한 보호 기능을 제공합니다. ", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", + "service": "AKS", + "severity": "높다", + "text": "가장 중요한 메트릭에 대한 경고 구성(권장 사항은 Container Insights 참조)", + "waf": "작업" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", - "service": "Front Door", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "337453a3-cc63-4963-9a65-22ac19e80696", + "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", + "service": "AKS", "severity": "낮다", - "text": "모든 지역에서 트래픽이 발생하지 않을 것으로 예상되는 경우 지역 필터를 사용하여 예상하지 못한 국가의 트래픽을 차단합니다.", - "waf": "안전" + "text": "Azure Advisor에서 클러스터에 대한 권장 사항을 정기적으로 확인합니다.", + "waf": "작업" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "00acd8a9-6975-414f-8491-2be6309893b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", - "service": "Front Door", - "severity": "보통", - "text": "Azure Front Door WAF를 사용하여 트래픽을 지리적으로 필터링할 때 알 수 
없는(ZZ) 위치를 지정합니다. IP 주소를 지리적으로 일치시킬 수 없는 경우 합법적인 요청을 실수로 차단하지 않도록 합니다.", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", + "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", + "service": "AKS", + "severity": "낮다", + "text": "AKS 자동 인증서 회전 사용", + "waf": "작업" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", - "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", + "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", + "service": "AKS", "severity": "높다", - "text": "Azure Application Gateway WAF 봇 보호 규칙 집합 사용Enable the Azure Application Gateway WAF bot protection rule set 봇 규칙은 좋은 봇과 나쁜 봇을 검색합니다.", - "waf": "안전" + "text": "kubernetes 버전을 주기적으로(예: 분기별) 업그레이드하거나 AKS 자동 업그레이드 기능을 사용하는 정기적인 프로세스가 있습니다.", + "waf": "작업" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", + 
"link": "https://learn.microsoft.com/azure/aks/node-updates-kured", + "service": "AKS", "severity": "높다", - "text": "Azure Application Gateway WAF 정책에서 요청 본문 검사 기능을 사용하도록 설정합니다.", - "waf": "안전" + "text": "node-image upgrade를 사용하지 않는 경우 Linux 노드 업그레이드에 kured를 사용합니다.", + "waf": "작업" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", + "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", + "service": "AKS", "severity": "높다", - "text": "워크로드에 대한 Azure Application Gateway WAF를 조정합니다. 가양성 탐지를 줄입니다.", - "waf": "안전" + "text": "클러스터 노드 이미지를 주기적으로(예: 매주) 업그레이드하는 정기적인 프로세스가 있습니다.", + "waf": "작업" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", - "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "App Gateway", - "severity": "높다", - "text": "'방지' 모드에서 Application Gateway에 대한 WAF 정책을 배포합니다.", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + 
"guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", + "service": "AKS", + "severity": "낮다", + "text": "gitops를 고려하여 애플리케이션 또는 클러스터 구성을 여러 클러스터에 배포합니다.", + "waf": "작업" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", - "service": "App Gateway", - "severity": "보통", - "text": "Azure Application Gateway WAF에 속도 제한을 추가합니다. 속도 제한은 클라이언트가 실수로 또는 의도적으로 짧은 시간에 많은 양의 트래픽을 보내는 것을 차단합니다.", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d7672c26-7602-4482-85a4-14527fbe855c", + "link": "https://learn.microsoft.com/azure/aks/command-invoke", + "service": "AKS", + "severity": "낮다", + "text": "프라이빗 클러스터에서 AKS 명령 호출을 사용하는 것이 좋습니다.", + "waf": "작업" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", - "service": "App Gateway", - "severity": "보통", - "text": "Azure Application Gateway WAF 속도 제한에 높은 임계값을 사용합니다. 높은 속도 제한 임계값은 합법적인 트래픽 차단을 방지하는 동시에 인프라를 압도할 수 있는 매우 많은 수의 요청에 대한 보호 기능을 제공합니다. 
", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", + "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", + "service": "AKS", + "severity": "낮다", + "text": "계획된 이벤트의 경우 노드 자동 드레인 사용을 고려하십시오.", + "waf": "작업" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "99937189-ff78-492a-b9ca-18d828d82b37", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", - "service": "App Gateway", - "severity": "낮다", - "text": "모든 지역에서 트래픽이 발생하지 않을 것으로 예상되는 경우 지역 필터를 사용하여 예상하지 못한 국가의 트래픽을 차단합니다.", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", + "link": "https://learn.microsoft.com/azure/aks/faq", + "service": "AKS", + "severity": "높다", + "text": "노드 RG(일명 '인프라 RG')의 운영자가 변경을 수행하지 않도록 자체 거버넌스 관행을 개발합니다.", + "waf": "작업" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", - "service": "App Gateway", - "severity": "보통", - "text": "Azure Application Gateway WAF를 사용하여 트래픽을 지리적으로 필터링할 때 알 수 없는(ZZ) 위치를 지정합니다. 
IP 주소를 지리적으로 일치시킬 수 없는 경우 합법적인 요청을 실수로 차단하지 않도록 합니다.", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", + "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", + "severity": "낮다", + "text": "사용자 정의 노드 RG (일명 '인프라 RG') 이름 사용", + "waf": "작업" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", + "link": "https://kubernetes.io/docs/setup/release/notes/", + "service": "AKS", "severity": "보통", - "text": "최신 Azure Application Gateway WAF 규칙 집합 버전을 사용합니다. 
규칙 집합 업데이트는 현재 위협 환경을 고려하기 위해 정기적으로 업데이트됩니다.", - "waf": "안전" + "text": "YAML 매니페스트에서 더 이상 사용되지 않는 Kubernetes API를 사용하지 마십시오.", + "waf": "작업" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "App Gateway", - "severity": "보통", - "text": "진단 설정을 추가하여 Azure Application Gateway WAF 로그를 저장합니다.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", + "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", + "service": "AKS", + "severity": "낮다", + "text": "테인트 Windows 노드", "waf": "작업" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "Front Door", - "severity": "보통", - "text": "진단 설정을 추가하여 Azure Front Door WAF 로그를 저장합니다.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", + "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", + "service": "AKS", + "severity": "낮다", + "text": "Windows 컨테이너 패치 수준을 호스트 패치 수준과 동기화된 상태로 유지", "waf": "작업" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "92664c60-47e3-4591-8b1b-8d557656e686", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", - "service": "App Gateway", - "severity": "보통", - "text": "Azure Application Gateway WAF 로그를 Microsoft Sentinel로 보냅니다.", + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "클러스터 수준의 진단 설정을 통해Via Diagnostic Settings at the cluster level", + "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", + "link": "https://learn.microsoft.com/azure/aks/monitor-aks", + "service": "AKS", + "severity": "낮다", + "text": "마스터 로그(즉, API 로그)를 Azure Monitor 또는 기본 로그 관리 솔루션으로 보냅니다", "waf": "작업" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "845f5f91-9c21-4674-a725-5ce890850e20", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "Front Door", - "severity": "보통", - "text": "Azure Front Door WAF 로그를 Microsoft Sentinel로 보냅니다.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", + "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", + "service": "AKS", + "severity": "낮다", + "text": "필요한 경우 nodePool 스냅샷을 사용합니다.", + "waf": "비용" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", + "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", + "service": "AKS", + "severity": "낮다", + "text": "시간에 민감하지 않은 워크로드에 대한 스폿 노드 풀 고려", "waf": "작업" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", - "service": "App Gateway", - "severity": "보통", - "text": "Azure Application Gateway WAF 구성을 코드로 정의합니다. 
코드를 사용하면 새 규칙 집합 버전을 보다 쉽게 채택하고 추가 보호를 얻을 수 있습니다.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", + "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", + "severity": "낮다", + "text": "빠른 버스팅을 위해 AKS 가상 노드 고려", "waf": "작업" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", - "service": "App Gateway", - "severity": "보통", - "text": "레거시 WAF 구성 대신 WAF 정책을 사용합니다.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", + "severity": "높다", + "text": "Container Insights(또는 Prometheus와 같은 다른 도구)를 사용하여 클러스터 지표 모니터링", "waf": "작업" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", - "service": "App Gateway", - "severity": "보통", - "text": "Application Gateway 서브넷의 연결(예: NSG 사용)만 허용하도록 백 엔드에서 인바운드 트래픽을 필터링합니다.", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", + "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", + "link": 
"https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", + "severity": "높다", + "text": "Container Insights(또는 Telegraf/ElasticSearch와 같은 다른 도구)를 사용하여 클러스터 로그를 저장하고 분석합니다.", + "waf": "작업" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", - "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", - "service": "Front Door", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", + "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", + "service": "AKS", "severity": "보통", - "text": "원본이 Azure Front Door 인스턴스의 트래픽만 가져와야 합니다.", - "waf": "안전" + "text": "노드의 CPU 및 메모리 사용률 모니터링", + "waf": "작업" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", - "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", - "service": "App Gateway", - "severity": "높다", - "text": "백 엔드 서버에 대한 트래픽을 암호화해야 합니다.", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1a4835ac-9422-423e-ae80-b123081a5417", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "보통", + "text": "Azure CNI를 사용하는 경우 노드당 사용되는 Pod IP의 %를 모니터링합니다.", + "waf": "작업" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", - "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", - "service": "App Gateway", - "severity": "높다", - "text": "웹 응용 프로그램 방화벽을 사용해야 합니다.", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "OS 디스크의 I/O는 중요한 리소스입니다. 
노드의 OS가 I/O에서 제한되면 예측할 수 없는 동작이 발생할 수 있으며, 일반적으로 노드가 NotReady로 선언됩니다", + "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", + "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", + "service": "AKS", + "severity": "보통", + "text": "노드에서 OS 디스크 큐 크기 모니터링Monitor OS disk queue depth in nodes", + "waf": "작업" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", - "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "be209d39-fda4-4777-a424-d116785c2fa5", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "severity": "보통", - "text": "HTTP를 HTTPS로 리디렉션", - "waf": "안전" + "text": "AzFW/NVA에서 송신 필터링을 사용하지 않는 경우 표준 ALB 할당 SNAT 포트를 모니터링합니다", + "waf": "작업" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", - "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", + "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", + "service": "AKS", "severity": "보통", - "text": "게이트웨이 관리 쿠키를 사용하여 처리를 위해 사용자 세션에서 동일한 서버로 트래픽을 전달합니다.", + "text": "AKS 클러스터에 대한 Resource Health 알림 구독Subscribe to resource health notifications for your AKS cluster", "waf": "작업" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + 
"guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "severity": "높다", - "text": "계획된 서비스 업데이트 중에 연결 드레이닝을 사용하도록 설정하여 백 엔드 풀의 기존 멤버에 대한 연결 손실을 방지합니다.", - "waf": "안전" - }, - { - "checklist": "Azure Application Delivery Networking", - "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", - "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", - "service": "App Gateway", - "severity": "낮다", - "text": "사용자 지정 오류 페이지를 만들어 개인화된 사용자 환경 표시", + "text": "Pod 규격에서 요청 및 제한 구성", "waf": "작업" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", - "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "769ef669-1a48-435a-a942-223ece80b123", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "severity": "보통", - "text": "HTTP 요청 및 응답 헤더를 편집하여 클라이언트와 서버 간의 라우팅 및 정보 교환을 보다 쉽게 할 수 있습니다.", - "waf": "안전" + "text": "네임스페이스에 대한 리소스 할당량 적용Enforce resource quotas for namespaces", + "waf": "작업" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "App Gateway", - "severity": "보통", - "text": "빠른 글로벌 장애 조치(failover)를 통해 글로벌 웹 트래픽 라우팅 및 최상위 계층 최종 사용자 성능 및 안정성을 최적화하도록 Front Door 구성", - "waf": "공연" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "081a5417-4158-433e-a3ad-3c2de733165c", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "AKS", + "severity": "높다", + "text": "구독에 노드 풀을 확장할 수 있는 충분한 할당량이 있는지 확인합니다.", + "waf": 
"작업" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "29dcc19f-a8fa-4c35-8281-290577538793", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", + "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "severity": "보통", - "text": "전송 계층 부하 분산 사용Use transport layer load balancing", + "text": "Cluster Autoscaler 사용", "waf": "공연" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", - "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", - "service": "App Gateway", - "severity": "보통", - "text": "단일 게이트웨이에서 여러 웹 응용 프로그램에 대한 호스트 또는 도메인 이름을 기반으로 라우팅 구성Configure routing based on host or domain name for multiple web applications on a single gateway", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", + "guid": "831c2872-c693-4b39-a887-a561bada49bc", + "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", + "service": "AKS", + "severity": "낮다", + "text": "AKS 노드 풀에 대한 노드 구성 사용자 지정", + "waf": "공연" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", - "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": 
"faa19bfe-9d55-4d04-a3c4-919ca1b2d121", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "severity": "보통", - "text": "SSL 인증서 관리를 중앙 집중화하여 백엔드 서버 팜의 암호화 및 암호 해독 오버헤드를 줄입니다.", - "waf": "안전" - }, - { - "checklist": "Azure Application Delivery Networking", - "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", - "service": "App Gateway", - "severity": "낮다", - "text": "WebSocket 및 HTTP/2 프로토콜에 대한 기본 지원을 위해 Application Gateway 사용", - "waf": "안전" + "text": "필요한 경우 Horizontal Pod Autoscaler 사용", + "waf": "공연" }, { - "checklist": "IoT Hub Review", - "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", - "service": "IoT", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "노드가 클수록 임시 디스크 및 가속화된 네트워킹과 같은 더 높은 성능과 기능을 제공하지만 폭발 반경이 증가하고 크기 조정 세분성이 감소합니다", + "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", + "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", + "service": "AKS", "severity": "높다", - "text": "지역적으로 적용 가능한 경우 가용성 영역 활용(자동으로 활성화됨)", - "waf": "신뢰도" + "text": "너무 크거나 너무 작지 않은 적절한 노드 크기를 고려합니다", + "waf": "공연" }, { - "checklist": "IoT Hub Review", - "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", - "severity": "보통", - "text": "Microsoft에서 시작한 장애 조치(failover)에 유의하세요. 
드문 경우지만 Microsoft는 영향을 받는 지역의 모든 IoT Hub를 해당 지역 쌍을 이루는 지역으로 장애 조치(failover)하기 위해 이러한 작업을 수행합니다.", - "waf": "신뢰도" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", + "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", + "service": "AKS", + "severity": "낮다", + "text": "확장성을 위해 5,000개 이상의 노드가 필요한 경우 추가 AKS 클러스터를 사용하는 것이 좋습니다", + "waf": "공연" }, { - "checklist": "IoT Hub Review", - "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", - "service": "IoT", - "severity": "높다", - "text": "중요한 워크로드에 대한 지역 간 DR 전략 고려", - "waf": "신뢰도" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", + "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", + "service": "AKS", + "severity": "낮다", + "text": "AKS 자동화를 위해 EventGrid 이벤트를 구독하는 것이 좋습니다.", + "waf": "공연" }, { - "checklist": "IoT Hub Review", - "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", - "severity": "높다", - "text": "수동 장애 조치(failover)를 트리거하는 방법을 알아봅니다.", - "waf": "신뢰도" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", + "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", + "service": "AKS", + "severity": "낮다", + "text": "AKS 클러스터에서 장기 실행 작업의 경우 이벤트 종료를 고려합니다.", + "waf": "공연" }, { - "checklist": "IoT Hub Review", - "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", - "service": "IoT", - "severity": "높다", - "text": "장애 조치(failover) 후 장애 복구(failback)하는 방법을 알아봅니다.", - "waf": "신뢰도" + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", + "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", + "service": "AKS", + "severity": "낮다", + "text": "필요한 경우 AKS 노드에 Azure Dedicated Host를 사용하는 것이 좋습니다", + "waf": "공연" }, { - "checklist": "Azure Function Review", - "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", + "guid": "24367b33-6971-45b1-952b-eee0b9b588de", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", "severity": "높다", - "text": "비즈니스 및 SLO 요구 사항에 따라 올바른 기능 호스팅 계획을 선택하십시오.", - "waf": "신뢰도" + "text": "임시 OS 디스크 사용", + "waf": "공연" }, { - "checklist": "Azure Function Review", - "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "AKS", "severity": "높다", - "text": "지역적으로 적용 가능한 가용성 영역 활용(소비 계층에는 사용할 수 없음)", - "waf": "신뢰도" + "text": "임시 디스크가 아닌 디스크의 경우 여러 Pod를 실행하는 데 고성능이 필요하고 기본 AKS 로그 회전 임계값을 사용하여 대규모 로그를 생성하므로 많은 Pod/노드를 실행할 때 노드에 높은 IOPS 및 더 큰 OS 디스크를 사용합니다", + "waf": "공연" }, { - "checklist": "Azure Function Review", - "guid": 
"5969d03e-eacf-4042-b127-73c55e3575fa", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", - "service": "Azure Functions", - "severity": "보통", - "text": "중요한 워크로드에 대한 지역 간 DR 전략 고려", - "waf": "신뢰도" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", + "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", + "service": "AKS", + "severity": "낮다", + "text": "고성능 스토리지 옵션의 경우 AKS에서 Ultra Disks를 사용합니다.", + "waf": "공연" }, { - "checklist": "Azure Function Review", - "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Azure Functions", - "severity": "높다", - "text": "격리된 환경에 배포하는 경우 ASE(App Service Environment) v3을 사용하거나 마이그레이션합니다", - "waf": "신뢰도" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", + "service": "AKS", + "severity": "보통", + "text": "클러스터에서 상태를 유지하지 않고 외부(AzStorage, AzSQL, Cosmos 등)에 데이터를 저장합니다.", + "waf": "공연" }, { - "checklist": "Azure Function Review", - "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "Azure Functions", - "severity": "높다", - "text": "App Service 계획에서 실행되는 모든 함수 앱에 대해 'Always On'이 사용하도록 설정되어 있는지 확인합니다.", - "waf": "신뢰도" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", + "service": "AKS", + "severity": "보통", + "text": "AzFiles 표준을 사용하는 경우 성능상의 이유로 AzFiles 프리미엄 및/또는 ANF를 고려합니다", 
+ "waf": "공연" }, { - "checklist": "Azure Function Review", - "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", - "service": "Azure Functions", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", + "service": "AKS", "severity": "보통", - "text": "함수 앱을 자체 스토리지 계정에 페어링합니다. 긴밀하게 결합되지 않는 한 함수 앱에 대한 스토리지 계정을 다시 사용하지 마세요", - "waf": "신뢰도" + "text": "Azure 디스크 및 AZ를 사용하는 경우 올바른 영역에 스토리지를 프로비전하기 위해 VolumeBindingMode::WaitForFirstConsumer를 사용하여 LRS 디스크의 영역 내에 노드 풀을 사용하거나 여러 영역에 걸쳐 있는 노드 풀에 ZRS 디스크를 사용하는 것이 좋습니다", + "waf": "공연" }, { - "checklist": "Azure Function Review", - "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "Azure Functions", + "checklist": "Azure API Management Review", + "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", + "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", + "service": "APIM", "severity": "보통", - "text": "Azure DevOps 또는 GitHub를 활용하여 CI/CD를 간소화하고 함수 앱 코드를 보호합니다.", + "text": "전역 수준에서 오류 처리 정책 구현", "waf": "작업" }, { - "checklist": "Azure App Service Review", - "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", - "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", - "service": "App Services", - "severity": "낮다", - "text": "모범 사례는 기준 고가용성 영역 중복 웹 애플리케이션 아키텍처를 참조하세요.", - "waf": "신뢰도" + "checklist": "Azure API Management Review", + "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", + "link": 
"https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", + "service": "APIM", + "severity": "보통", + "text": "모든 API 정책에 요소가 포함되어 있는지 확인합니다.", + "waf": "작업" }, { - "checklist": "Azure App Service Review", - "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", - "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", - "service": "App Services", + "checklist": "Azure API Management Review", + "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", + "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", + "service": "APIM", "severity": "보통", - "text": "프리미엄 및 표준 계층을 사용합니다. 이러한 계층은 스테이징 슬롯 및 자동 백업을 지원합니다.", - "waf": "신뢰도" + "text": "정책 조각을 사용하여 여러 API에서 동일한 정책 정의를 반복하지 않도록 합니다.", + "waf": "작업" }, { - "checklist": "Azure App Service Review", - "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", - "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", - "service": "App Services", + "checklist": "Azure API Management Review", + "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", + "link": "https://learn.microsoft.com/azure/api-management/monetization-support", + "service": "APIM", + "severity": "보통", + "text": "API로 수익을 창출할 계획이라면 '수익 창출 지원' 도움말에서 권장사항을 확인하세요", + "waf": "작업" + }, + { + "checklist": "Azure API Management Review", + "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", + "service": "APIM", "severity": "높다", - "text": "지역적으로 적용 가능한 경우 가용성 영역 활용(프리미엄 v2 또는 v3 계층 필요)", - "waf": "신뢰도" + "text": "진단 설정을 사용하도록 설정하여 로그를 Azure Monitor로 내보내기", + "waf": "작업" }, { - "checklist": "Azure App Service Review", - "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "checklist": "Azure API Management Review", + "guid": 
"8691fa38-45ed-4299-a247-fecd98d35deb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", + "service": "APIM", "severity": "보통", - "text": "상태 확인 구현", - "waf": "신뢰도" + "text": "더 자세한 원격 분석을 위해 Application Insights 사용", + "waf": "작업" }, { - "checklist": "Azure App Service Review", - "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", - "service": "App Services", + "checklist": "Azure API Management Review", + "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", + "service": "APIM", "severity": "높다", - "text": "Azure App Service에 대한 백업 및 복원 모범 사례를 참조하세요.", - "waf": "신뢰도" + "text": "가장 중요한 메트릭에 대한 경고 구성", + "waf": "작업" }, { - "checklist": "Azure App Service Review", - "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", - "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", - "service": "App Services", + "checklist": "Azure API Management Review", + "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", + "service": "APIM", "severity": "높다", - "text": "Azure App Service 안정성 모범 사례 구현", - "waf": "신뢰도" + "text": "사용자 지정 SSL 인증서가 안전하게 액세스하고 업데이트할 수 있도록 Azure Key Vault에 저장되어 있는지 확인합니다", + "waf": "안전" }, { - "checklist": "Azure App Service Review", - "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", - "service": "App Services", - "severity": "낮다", - "text": "App Service 앱을 다른 지역으로 이동하는 방법을 숙지합니다. 
재해가 발생하는 동안", - "waf": "신뢰도" + "checklist": "Azure API Management Review", + "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", + "service": "APIM", + "severity": "높다", + "text": "Azure AD를 사용하여 API(데이터 평면)에 들어오는 요청 보호", + "waf": "안전" }, { - "checklist": "Azure App Service Review", - "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", - "service": "App Services", - "severity": "높다", - "text": "Azure App Service의 안정성 지원 숙지", - "waf": "신뢰도" + "checklist": "Azure API Management Review", + "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", + "service": "APIM", + "severity": "보통", + "text": "Microsoft Entra ID를 사용하여 개발자 포털에서 사용자 인증", + "waf": "안전" }, { - "checklist": "Azure App Service Review", - "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "App Services", + "checklist": "Azure API Management Review", + "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", + "service": "APIM", "severity": "보통", - "text": "App Service 계획에서 실행되는 Function Apps에 대해 \"Always On\"이 사용하도록 설정되어 있는지 확인합니다.", - "waf": "신뢰도" + "text": "제품의 가시성을 제어하기 위해 적절한 그룹을 만듭니다", + "waf": "안전" }, { - "checklist": "Azure App Service Review", - "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "checklist": "Azure API Management Review", + "guid": 
"06862505-2d9a-4874-9491-2837b00a3475", + "link": "https://learn.microsoft.com/azure/api-management/backends", + "service": "APIM", "severity": "보통", - "text": "상태 검사를 사용하여 App Service 인스턴스 모니터링Monitor App Service instances using Health checks", - "waf": "신뢰도" + "text": "백엔드 기능을 사용하여 중복 API 백엔드 구성 제거", + "waf": "작업" }, { - "checklist": "Azure App Service Review", - "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", - "service": "App Services", + "checklist": "Azure API Management Review", + "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", + "service": "APIM", "severity": "보통", - "text": "Application Insights 가용성 테스트를 사용하여 웹앱 또는 웹 사이트의 가용성 및 응답성 모니터링", + "text": "명명된 값을 사용하여 정책에서 사용할 수 있는 공통 값 저장", + "waf": "작업" + }, + { + "checklist": "Azure API Management Review", + "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", + "service": "APIM", + "severity": "보통", + "text": "DR의 경우 99.99% SLA를 위해 둘 이상의 지역에 걸쳐 확장된 배포와 함께 프리미엄 계층을 활용합니다", "waf": "신뢰도" }, { - "checklist": "Azure App Service Review", - "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", - "service": "App Services", - "severity": "낮다", - "text": "Application Insights 표준 테스트를 사용하여 웹앱 또는 웹 사이트의 가용성 및 응답성 모니터링", + "checklist": "Azure API Management Review", + "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", + "link": "https://learn.microsoft.com/azure/api-management/high-availability", + "service": "APIM", + "severity": "보통", + "text": "99.99%의 SLA 증가를 위해 둘 이상의 가용성 영역에 하나 이상의 단위를 배포합니다.", "waf": "신뢰도" }, { - "checklist": "Azure App Service Review", - "description": "Azure Key Vault를 사용하여 애플리케이션에 필요한 모든 비밀을 저장합니다. 
Key Vault는 비밀을 저장하기 위한 안전하고 감사된 환경을 제공하며 Key Vault SDK 또는 App Service Key Vault 참조를 통해 App Service와 잘 통합됩니다.", - "guid": "834ac932-223e-4ce8-8b12-3071a5416415", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", + "checklist": "Azure API Management Review", + "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", + "service": "APIM", "severity": "높다", - "text": "Key Vault를 사용하여 비밀 저장", - "waf": "안전" + "text": "자동화된 백업 루틴이 있는지 확인", + "waf": "신뢰도" }, { - "checklist": "Azure App Service Review", - "description": "관리 ID를 사용하여 Key Vault SDK를 사용하거나 App Service Key Vault 참조를 통해 Key Vault에 연결합니다.", - "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", - "severity": "높다", - "text": "관리 ID를 사용하여 Key Vault에 연결", - "waf": "안전" + "checklist": "Azure API Management Review", + "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", + "link": "https://learn.microsoft.com/azure/api-management/retry-policy", + "service": "APIM", + "severity": "보통", + "text": "정책을 사용하여 장애 조치 백엔드 URL 및 캐싱을 추가하여 실패한 호출을 줄입니다.", + "waf": "신뢰도" }, { - "checklist": "Azure App Service Review", - "description": "App Service TLS 인증서를 Key Vault에 저장합니다.", - "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", - "service": "App Services", - "severity": "높다", - "text": "Key Vault를 사용하여 TLS 인증서를 저장합니다.", - "waf": "안전" + "checklist": "Azure API Management Review", + "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", + "service": "APIM", + "severity": 
"낮다", + "text": "고성능 수준에서 기록해야 하는 경우 Event Hubs 정책을 고려합니다", + "waf": "작업" }, { - "checklist": "Azure App Service Review", - "description": "중요한 정보를 처리하는 시스템은 격리해야 합니다. 이렇게 하려면 별도의 App Service 계획 또는 App Service Environment를 사용하고 다른 구독 또는 관리 그룹을 사용하는 것이 좋습니다.", - "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", - "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", - "service": "App Services", + "checklist": "Azure API Management Review", + "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", + "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", + "service": "APIM", "severity": "보통", - "text": "민감한 정보를 처리하는 시스템 격리", - "waf": "안전" + "text": "제한 정책을 적용하여 초당 요청 수 제어Apply throttling policies to control the number of requests per second", + "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", + "waf": "공연" }, { - "checklist": "Azure App Service Review", - "description": "App Service의 로컬 디스크는 암호화되지 않으며 중요한 데이터를 저장해서는 안 됩니다. (예: D:\\\\Local and %TMP%).", - "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", - "service": "App Services", + "checklist": "Azure API Management Review", + "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", + "service": "APIM", "severity": "보통", - "text": "로컬 디스크에 중요한 데이터를 저장하지 마십시오.", - "waf": "안전" + "text": "부하가 증가할 때 인스턴스 수를 확장하도록 자동 크기 조정 구성Configure autoscaling to scale out the number of instances when the load increases", + "waf": "공연" }, { - "checklist": "Azure App Service Review", - "description": "인증된 웹 애플리케이션의 경우 Azure AD 또는 Azure AD B2C와 같이 잘 설정된 ID 공급자를 사용합니다. 
선택한 애플리케이션 프레임워크를 활용하여 이 공급자와 통합하거나 App Service 인증/권한 부여 기능을 사용합니다.", - "guid": "919ca0b2-c121-459e-814b-933df574eccc", - "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", - "service": "App Services", + "checklist": "Azure API Management Review", + "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", + "service": "APIM", "severity": "보통", - "text": "인증에 설정된 ID 공급자 사용", - "waf": "안전" + "text": "Azure에 백 엔드 API에 가까운 지역이 없는 자체 호스팅 게이트웨이를 배포합니다.", + "waf": "공연" }, { - "checklist": "Azure App Service Review", - "description": "잘 관리되고 안전한 DevOps 배포 파이프라인과 같이 제어되고 신뢰할 수 있는 환경에서 App Service에 코드를 배포합니다. 이렇게 하면 버전이 제어되지 않고 악성 호스트에서 배포되는 것으로 확인되지 않은 코드를 방지할 수 있습니다.", - "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", - "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", - "service": "App Services", - "severity": "높다", - "text": "신뢰할 수 있는 환경에서 배포", - "waf": "안전" + "checklist": "Azure API Management Review", + "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", + "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", + "service": "APIM", + "severity": "보통", + "text": "프로덕션 워크로드에 프리미엄 계층을 사용합니다.", + "waf": "신뢰도" }, { - "checklist": "Azure App Service Review", - "description": "FTP/FTPS 및 WebDeploy/SCM 모두에 대한 기본 인증을 사용 안함으로 설정합니다. 이렇게 하면 이러한 서비스에 대한 액세스가 비활성화되고 배포에 Azure AD 보안 엔드포인트가 사용됩니다. 
SCM 사이트는 Azure AD 자격 증명을 사용하여 열 수도 있습니다.", - "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", - "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", - "service": "App Services", - "severity": "높다", - "text": "기본 인증 사용 안 함", - "waf": "안전" + "checklist": "Azure API Management Review", + "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", + "service": "APIM", + "severity": "보통", + "text": "다중 리전 모델에서는 Policies를 사용하여 가용성 또는 지연 시간에 따라 리전 백엔드로 요청을 라우팅합니다.", + "waf": "신뢰도" }, { - "checklist": "Azure App Service Review", - "description": "가능한 경우 관리 ID를 사용하여 Azure AD 보안 리소스에 연결합니다. 이렇게 할 수 없는 경우 Key Vault에 비밀을 저장하고 대신 관리 ID를 사용하여 Key Vault에 연결합니다.", - "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", - "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", - "service": "App Services", + "checklist": "Azure API Management Review", + "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", + "service": "APIM", "severity": "높다", - "text": "관리 ID를 사용하여 리소스에 연결", - "waf": "안전" + "text": "APIM의 제한에 유의해야 합니다.", + "waf": "신뢰도" }, { - "checklist": "Azure App Service Review", - "description": "Azure Container Registry에 저장된 이미지를 사용하는 경우 관리 ID를 사용하여 끌어옵니다.", - "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", - "service": "App Services", + "checklist": "Azure API Management Review", + "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", + "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", + "service": "APIM", "severity": "높다", - 
"text": "관리 ID를 사용하여 컨테이너 끌어오기", - "waf": "안전" + "text": "자체 호스팅 게이트웨이 배포가 복원력이 있는지 확인합니다.", + "waf": "신뢰도" }, { - "checklist": "Azure App Service Review", - "description": "App Service의 진단 설정을 구성하면 모든 원격 분석을 로깅 및 모니터링의 중앙 대상으로 Log Analytics에 보낼 수 있습니다. 이를 통해 HTTP 로그, 애플리케이션 로그, 플랫폼 로그 등과 같은 App Service의 런타임 활동을 모니터링할 수 있습니다.", - "guid": "47768314-c115-4775-a2ea-55b46ad48408", - "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", - "service": "App Services", + "checklist": "Azure API Management Review", + "guid": "7519e385-a88b-4d34-966b-6269d686e890", + "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", + "service": "APIM", "severity": "보통", - "text": "Log Analytics에 App Service 런타임 로그 보내기Send App Service runtime logs to Log Analytics", - "waf": "안전" + "text": "다중 지역 배포를 위해 APIM 앞에서 Azure Front Door 사용Use Azure Front Door in front of APIM for multi-region deployment", + "waf": "공연" }, { - "checklist": "Azure App Service Review", - "description": "활동 로그를 Log Analytics에 로깅 및 모니터링의 중앙 대상으로 보내도록 진단 설정을 지정합니다. 
이렇게 하면 App Service 리소스 자체에서 컨트롤 플레인 작업을 모니터링할 수 있습니다.", - "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", - "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", - "service": "App Services", + "checklist": "Azure API Management Review", + "guid": "cd45c90e-7690-4753-930b-bf290c69c074", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", + "service": "APIM", "severity": "보통", - "text": "Log Analytics에 App Service 활동 로그 보내기Send App Service activity logs to Log Analytics", + "text": "VNet(Virtual Network) 내에 서비스 배포Deploy the service within a Virtual Network (VNet)", "waf": "안전" }, { - "checklist": "Azure App Service Review", - "description": "지역 VNet 통합, 네트워크 보안 그룹 및 UDR의 조합을 사용하여 아웃바운드 네트워크 액세스를 제어합니다. 트래픽은 Azure Firewall과 같은 NVA로 라우팅되어야 합니다. 방화벽의 로그를 모니터링해야 합니다.", - "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", - "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", - "service": "App Services", + "checklist": "Azure API Management Review", + "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", + "service": "APIM", "severity": "보통", - "text": "아웃바운드 네트워크 액세스를 제어해야 함", - "waf": "안전" - }, - { - "checklist": "Azure App Service Review", - "description": "VNet 통합을 사용하고 VNet NAT Gateway 또는 NVA와 같은 Azure Firewall을 사용하여 안정적인 아웃바운드 IP를 제공할 수 있습니다. 이렇게 하면 필요한 경우 수신 당사자가 IP를 기반으로 허용 목록을 만들 수 있습니다. Azure 서비스에 대한 통신의 경우 IP 주소에 의존할 필요가 없는 경우가 많으며 서비스 엔드포인트와 같은 메커니즘을 대신 사용해야 합니다. 
(또한 수신 끝에서 프라이빗 엔드포인트를 사용하면 SNAT가 발생하지 않고 안정적인 아웃바운드 IP 범위를 제공합니다.)", - "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", - "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", - "service": "App Services", - "severity": "낮다", - "text": "인터넷 주소에 대한 아웃바운드 통신을 위한 안정적인 IP 보장", - "waf": "안전" - }, - { - "checklist": "Azure App Service Review", - "description": "App Service 액세스 제한, 서비스 엔드포인트 또는 프라이빗 엔드포인트의 조합을 사용하여 인바운드 네트워크 액세스를 제어합니다. 웹앱 자체 및 SCM 사이트에 대해 서로 다른 액세스 제한이 필요하고 구성될 수 있습니다.", - "guid": "0725769e-e669-41a4-a34a-c932223ece80", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", - "severity": "높다", - "text": "인바운드 네트워크 액세스를 제어해야 합니다.", + "text": "서브넷에 NSG(네트워크 보안 그룹)를 배포하여 APIM에서 들어오고 나가는 트래픽을 제한하거나 모니터링합니다.", "waf": "안전" }, { - "checklist": "Azure App Service Review", - "description": "Application Gateway 또는 Azure Front Door와 같은 Web Application Firewall을 사용하여 악의적인 인바운드 트래픽으로부터 보호합니다. WAF의 로그를 모니터링해야 합니다.", - "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", - "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", - "service": "App Services", - "severity": "높다", - "text": "App Service 앞에서 WAF 사용Use a WAF in front of App Service", + "checklist": "Azure API Management Review", + "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", + "service": "APIM", + "severity": "보통", + "text": "프라이빗 엔드포인트를 배포하여 APIM이 VNet에 배포되지 않은 경우 들어오는 트래픽을 필터링합니다.", "waf": "안전" }, { - "checklist": "Azure App Service Review", - "description": "WAF에 대한 액세스만 잠궈 WAF를 우회할 수 없는지 확인합니다. 
액세스 제한, 서비스 엔드포인트 및 프라이빗 엔드포인트의 조합을 사용합니다.", - "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", + "checklist": "Azure API Management Review", + "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", + "service": "APIM", "severity": "높다", - "text": "WAF가 우회되지 않도록 방지", + "text": "공용 네트워크 액세스 사용 안 함", "waf": "안전" }, { - "checklist": "Azure App Service Review", - "description": "App Service 구성에서 최소 TLS 정책을 1.2로 설정합니다.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", - "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", - "service": "App Services", + "checklist": "Azure API Management Review", + "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", + "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", + "service": "APIM", "severity": "보통", - "text": "최소 TLS 정책을 1.2로 설정합니다.", - "waf": "안전" - }, - { - "checklist": "Azure App Service Review", - "description": "HTTPS만 사용하도록 App Service를 구성합니다. 이로 인해 App Service가 HTTP에서 HTTPS로 리디렉션됩니다. 
코드 또는 WAF에서 HSTS(HTTP Strict Transport Security)를 사용하여 HTTPS를 통해서만 사이트에 액세스해야 함을 브라우저에 알리는 것이 좋습니다.", - "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", - "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", - "service": "App Services", - "severity": "높다", - "text": "HTTPS만 사용", - "waf": "안전" + "text": "PowerShell 자동화 스크립트로 관리 간소화", + "waf": "작업" }, { - "checklist": "Azure App Service Review", - "description": "CORS 구성에서 와일드카드를 사용하면 모든 원본이 서비스에 액세스할 수 있으므로 CORS의 목적에 어긋나므로 사용하지 마세요. 특히 서비스에 액세스할 수 있을 것으로 예상되는 원본만 허용합니다.", - "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", - "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", - "service": "App Services", - "severity": "높다", - "text": "와일드카드는 CORS에 사용할 수 없습니다.", - "waf": "안전" + "checklist": "Azure API Management Review", + "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", + "service": "APIM", + "severity": "보통", + "text": "Infrastructure-as-code를 통해 APIM을 구성합니다. Cloud Adaption Framework APIM 랜딩 존 가속기에서 DevOps 모범 사례 검토", + "waf": "작업" }, { - "checklist": "Azure App Service Review", - "description": "원격 디버깅은 서비스에서 추가 포트를 열어 공격 노출 영역을 증가시키므로 프로덕션에서 켜면 안 됩니다. 
서비스는 48시간 후에 자동으로 원격 디버깅을 설정합니다.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", - "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", - "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", - "service": "App Services", - "severity": "높다", - "text": "원격 디버깅 끄기", - "waf": "안전" + "checklist": "Azure API Management Review", + "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", + "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", + "service": "APIM", + "severity": "보통", + "text": "더 빠른 API 개발을 위해 Visual Studio Code APIM 확장 사용 촉진", + "waf": "작업" }, { - "checklist": "Azure App Service Review", - "description": "App Service용 Defender를 사용하도록 설정합니다. 이는 다른 위협 중에서도 알려진 악성 IP 주소에 대한 통신을 탐지합니다. 작업의 일부로 App Service용 Defender의 권장 사항을 검토합니다.", - "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", - "service": "App Services", + "checklist": "Azure API Management Review", + "guid": "354f1c03-8112-4965-85ad-c0074bddf231", + "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", + "service": "APIM", "severity": "보통", - "text": "클라우드용 Defender 사용 - App Service용 Defender", - "waf": "안전" + "text": "워크플로에서 DevOps 및 CI/CD 구현", + "waf": "작업" }, { - "checklist": "Azure App Service Review", - "description": "Azure는 네트워크에서 DDoS 기본 보호를 제공하며, 정상적인 트래픽 패턴을 학습하고 비정상적인 동작을 감지할 수 있는 지능형 DDoS 표준 기능으로 개선할 수 있습니다. 
DDoS 표준은 Virtual Network에 적용되므로 Application Gateway 또는 NVA와 같은 앱 앞의 네트워크 리소스에 대해 구성해야 합니다.", - "guid": "223ece80-b123-4071-a541-6415833ea3ad", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "App Services", + "checklist": "Azure API Management Review", + "guid": "b6439493-426a-45f3-9697-cf65baee208d", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", + "service": "APIM", "severity": "보통", - "text": "WAF VNet에서 DDOS 보호 표준 사용Enable DDOS Protection Standard on the WAF VNet", + "text": "클라이언트 인증서 인증을 사용하여 API 보안", "waf": "안전" }, { - "checklist": "Azure App Service Review", - "description": "Azure Container Registry에 저장된 이미지를 사용하는 경우 프라이빗 엔드포인트 및 앱 설정 'WEBSITE_PULL_IMAGE_OVER_VNET'를 사용하여 Azure Container Registry에서 가상 네트워크를 통해 끌어옵니다.", - "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", - "service": "App Services", + "checklist": "Azure API Management Review", + "guid": "2a67d143-1033-4c0a-8732-680896478f08", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", + "service": "APIM", "severity": "보통", - "text": "Virtual Network를 통해 컨테이너 끌어오기", + "text": "클라이언트 인증서 인증을 사용한 보안 백엔드 서비스", "waf": "안전" }, { - "checklist": "Azure App Service Review", - "description": "참여의 침투 테스트 규칙에 따라 웹 응용 프로그램에 대한 침투 테스트를 수행합니다.", - "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", - "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", - "service": "App Services", + "checklist": "Azure API Management Review", + "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", + "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", + "service": "APIM", "severity": "보통", - "text": "침투 테스트 수행", + "text": "'OWASP API 보안 상위 10개 위협을 완화하기 위한 권장 사항' 문서를 검토하고 API에 적용할 수 
있는 항목을 확인합니다.", "waf": "안전" }, { - "checklist": "Azure App Service Review", - "description": "DevSecOps 사례에 따라 취약성을 검증하고 검사한 신뢰할 수 있는 코드를 배포합니다.", - "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", - "service": "App Services", + "checklist": "Azure API Management Review", + "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", + "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", + "service": "APIM", "severity": "보통", - "text": "유효성이 검사된 코드 배포", + "text": "권한 부여 기능을 사용하여 백엔드 API에 대한 OAuth 2.0 토큰 관리 간소화", "waf": "안전" }, { - "checklist": "Azure App Service Review", - "description": "지원되는 플랫폼, 프로그래밍 언어, 프로토콜 및 프레임워크의 최신 버전을 사용합니다.", - "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", - "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", - "service": "App Services", + "checklist": "Azure API Management Review", + "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", + "service": "APIM", "severity": "높다", - "text": "최신 플랫폼, 언어, 프로토콜 및 프레임워크 사용", + "text": "전송 중인 정보를 암호화할 때 최신 TLS 버전을 사용합니다. 
가능한 경우 오래되고 불필요한 프로토콜과 암호를 사용하지 않도록 설정합니다.", "waf": "안전" }, { "checklist": "Azure API Management Review", - "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", - "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", + "guid": "f8af3d94-1d2b-4070-846f-849197524258", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", "service": "APIM", - "severity": "보통", - "text": "전역 수준에서 오류 처리 정책 구현", - "waf": "작업" + "severity": "높다", + "text": "비밀(명명된 값)이 안전하게 액세스하고 업데이트할 수 있도록 Azure Key Vault에 저장되었는지 확인합니다.", + "waf": "안전" }, { "checklist": "Azure API Management Review", - "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", - "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", + "guid": "791abd8b-7706-4e31-9569-afefde724be3", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", "service": "APIM", "severity": "보통", - "text": "모든 API 정책에 요소가 포함되어 있는지 확인합니다.", - "waf": "작업" + "text": "가능할 때마다 관리 ID를 사용하여 다른 Azure 리소스에 인증", + "waf": "안전" }, { "checklist": "Azure API Management Review", - "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", - "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", + "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", "service": "APIM", - "severity": "보통", - "text": "정책 조각을 사용하여 여러 API에서 동일한 정책 정의를 반복하지 않도록 합니다.", - "waf": "작업" + "severity": 
"높다", + "text": "APIM 앞에 Application Gateway를 배포하여 WAF(웹 애플리케이션 방화벽) 사용Use Web Application Firewall (WAF) by deploying Application Gateway in of APIM", + "waf": "안전" }, { - "checklist": "Azure API Management Review", - "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", - "link": "https://learn.microsoft.com/azure/api-management/monetization-support", - "service": "APIM", + "checklist": "IoT Hub Review", + "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", + "service": "IoT", + "severity": "높다", + "text": "지역적으로 적용 가능한 경우 가용성 영역 활용(자동으로 활성화됨)", + "waf": "신뢰도" + }, + { + "checklist": "IoT Hub Review", + "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", "severity": "보통", - "text": "API로 수익을 창출할 계획이라면 '수익 창출 지원' 도움말에서 권장사항을 확인하세요", - "waf": "작업" + "text": "Microsoft에서 시작한 장애 조치(failover)에 유의하세요. 드문 경우지만 Microsoft는 영향을 받는 지역의 모든 IoT Hub를 해당 지역 쌍을 이루는 지역으로 장애 조치(failover)하기 위해 이러한 작업을 수행합니다.", + "waf": "신뢰도" }, { - "checklist": "Azure API Management Review", - "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", - "service": "APIM", + "checklist": "IoT Hub Review", + "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", + "service": "IoT", "severity": "높다", - "text": "진단 설정을 사용하도록 설정하여 로그를 Azure Monitor로 내보내기", - "waf": "작업" + "text": "중요한 워크로드에 대한 지역 간 DR 전략 고려", + "waf": "신뢰도" }, { - "checklist": "Azure API Management Review", - "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", - "service": "APIM", - "severity": "보통", - "text": "더 자세한 원격 분석을 위해 Application Insights 사용", - "waf": "작업" + 
"checklist": "IoT Hub Review", + "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", + "severity": "높다", + "text": "수동 장애 조치(failover)를 트리거하는 방법을 알아봅니다.", + "waf": "신뢰도" }, { - "checklist": "Azure API Management Review", - "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", - "service": "APIM", + "checklist": "IoT Hub Review", + "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", + "service": "IoT", "severity": "높다", - "text": "가장 중요한 메트릭에 대한 경고 구성", - "waf": "작업" + "text": "장애 조치(failover) 후 장애 복구(failback)하는 방법을 알아봅니다.", + "waf": "신뢰도" }, { - "checklist": "Azure API Management Review", - "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", - "service": "APIM", + "checklist": "Logic Apps checklist", + "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", + "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", + "service": "Logic Apps", "severity": "높다", - "text": "사용자 지정 SSL 인증서가 안전하게 액세스하고 업데이트할 수 있도록 Azure Key Vault에 저장되어 있는지 확인합니다", - "waf": "안전" + "text": "비즈니스 및 SLO 요구 사항에 따라 올바른 Logic App 호스팅 계획 선택Select the right Logic App hosting plan based on your business & SLO requirements", + "waf": "신뢰도" }, { - "checklist": "Azure API Management Review", - "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", - "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", - "service": "APIM", + "checklist": "Logic Apps checklist", + "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", + "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "Logic Apps", "severity": "높다", - "text": "Azure AD를 사용하여 API(데이터 평면)에 들어오는 요청 보호", - "waf": "안전" + "text": "영역 중복 및 가용성 영역을 사용하여 지역 오류로부터 논리 앱 보호Protect logic apps from region failures with zone redundancy and availability zones", + "waf": "신뢰도" }, { - "checklist": "Azure API Management Review", - "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", - "service": "APIM", - "severity": "보통", - "text": "Microsoft Entra ID를 사용하여 개발자 포털에서 사용자 인증", - "waf": "안전" + "checklist": "Logic Apps checklist", + "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", + "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Logic Apps", + "severity": "높다", + "text": "중요한 워크로드에 대한 지역 간 DR 전략 고려", + "waf": "신뢰도" }, { - "checklist": "Azure API Management Review", - "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", - "service": "APIM", - "severity": "보통", - "text": "제품의 가시성을 제어하기 위해 적절한 그룹을 만듭니다", - "waf": "안전" + "checklist": "Logic Apps checklist", + "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", + "link": "https://learn.microsoft.com/azure/app-service/environment/intro", + "service": "Logic Apps", + "severity": "높다", + "text": "격리된 환경에 배포하는 경우 ASE(App Service Environment) v3을 사용하거나 
마이그레이션합니다", + "waf": "신뢰도" }, { - "checklist": "Azure API Management Review", - "guid": "06862505-2d9a-4874-9491-2837b00a3475", - "link": "https://learn.microsoft.com/azure/api-management/backends", - "service": "APIM", + "checklist": "Logic Apps checklist", + "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", + "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", + "service": "Logic Apps", "severity": "보통", - "text": "백엔드 기능을 사용하여 중복 API 백엔드 구성 제거", + "text": "Azure DevOps 또는 GitHub를 활용하여 CI/CD를 간소화하고 논리 앱 코드를 보호합니다.", "waf": "작업" }, { - "checklist": "Azure API Management Review", - "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", - "service": "APIM", - "severity": "보통", - "text": "명명된 값을 사용하여 정책에서 사용할 수 있는 공통 값 저장", - "waf": "작업" + "checklist": "Cognitive Search Review Checklist", + "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", + "severity": "높다", + "text": "읽기 작업에 대해 99.9%의 가용성을 갖도록 복제본 2개 사용", + "waf": "신뢰도" }, { - "checklist": "Azure API Management Review", - "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", - "service": "APIM", + "checklist": "Cognitive Search Review Checklist", + "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", "severity": "보통", - "text": "DR의 경우 99.99% SLA를 위해 둘 이상의 지역에 걸쳐 확장된 배포와 함께 프리미엄 계층을 활용합니다", + "text": "읽기/쓰기 작업에 대해 99.9%의 가용성을 갖도록 복제본 3개 사용", "waf": "신뢰도" }, { - "checklist": "Azure API Management Review", - "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", - "link": "https://learn.microsoft.com/azure/api-management/high-availability", - "service": "APIM", + 
"checklist": "Cognitive Search Review Checklist", + "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", + "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", + "service": "Cognitive Search", + "severity": "높다", + "text": "읽기 및/또는 쓰기 복제본을 활성화하여 가용 영역 활용Leverage Availability Zones by enabling read and/or write replicas", + "waf": "신뢰도" + }, + { + "checklist": "Cognitive Search Review Checklist", + "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", + "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", + "service": "Cognitive Search", "severity": "보통", - "text": "99.99%의 SLA 증가를 위해 둘 이상의 가용성 영역에 하나 이상의 단위를 배포합니다.", + "text": "지역 중복의 경우 Manually create services in 2 or more regions for Search는 지리적 지역 간에 검색 인덱스를 복제하는 자동화된 방법을 제공하지 않습니다", "waf": "신뢰도" }, { - "checklist": "Azure API Management Review", - "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", - "service": "APIM", - "severity": "높다", - "text": "자동화된 백업 루틴이 있는지 확인", + "checklist": "Cognitive Search Review Checklist", + "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", + "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", + "service": "Cognitive Search", + "severity": "보통", + "text": "여러 서비스에서 데이터를 동기화하려면 인덱서를 사용하여 여러 서비스의 콘텐츠를 업데이트하거나 REST API를 사용하여 여러 서비스에서 콘텐츠 업데이트를 푸시합니다.", "waf": "신뢰도" }, { - "checklist": "Azure API Management Review", - "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", - "link": "https://learn.microsoft.com/azure/api-management/retry-policy", - "service": "APIM", + "checklist": "Cognitive Search Review Checklist", + "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", + "link": 
"https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", + "service": "Cognitive Search", "severity": "보통", - "text": "정책을 사용하여 장애 조치 백엔드 URL 및 캐싱을 추가하여 실패한 호출을 줄입니다.", + "text": "Azure Traffic Manager를 사용하여 요청 조정", "waf": "신뢰도" }, { - "checklist": "Azure API Management Review", - "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", - "service": "APIM", - "severity": "낮다", - "text": "고성능 수준에서 기록해야 하는 경우 Event Hubs 정책을 고려합니다", - "waf": "작업" + "checklist": "Cognitive Search Review Checklist", + "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", + "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", + "service": "Cognitive Search", + "severity": "높다", + "text": "Azure Cognitive Search 인덱스를 백업 및 복원합니다. 이 샘플 코드를 사용하여 인덱스 정의 및 스냅샷을 일련의 Json 파일에 백업합니다", + "waf": "신뢰도" }, { - "checklist": "Azure API Management Review", - "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", - "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", - "service": "APIM", - "severity": "보통", - "text": "제한 정책을 적용하여 초당 요청 수 제어Apply throttling policies to control the number of requests per second", - "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", - "waf": "공연" + "checklist": "Azure VMware Solution Design Review", + "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", + "service": "AVS", + "severity": "높다", + "text": "ADDS 도메인 컨트롤러가 네이티브 Azure의 ID 구독에 배포되었는지 확인합니다.", + "waf": "안전" }, { - "checklist": "Azure API Management Review", - "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "75089c20-990d-4927-b105-885576f76fc2", + "service": "AVS", "severity": 
"보통", - "text": "부하가 증가할 때 인스턴스 수를 확장하도록 자동 크기 조정 구성Configure autoscaling to scale out the number of instances when the load increases", - "waf": "공연" + "text": "ADDS 사이트 및 서비스가 Azure 기반 리소스(Azure VMware Solution 포함)의 인증 요청을 Azure에 로컬로 유지하도록 구성되어 있는지 확인합니다.", + "waf": "안전" }, { - "checklist": "Azure API Management Review", - "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", - "service": "APIM", - "severity": "보통", - "text": "Azure에 백 엔드 API에 가까운 지역이 없는 자체 호스팅 게이트웨이를 배포합니다.", - "waf": "공연" + "checklist": "Azure VMware Solution Design Review", + "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", + "service": "AVS", + "severity": "높다", + "text": "vCenter가 ADDS에 연결되어 있는지 확인하여 '명명된 사용자 계정'을 기반으로 인증을 사용하도록 설정합니다.", + "waf": "안전" }, { - "checklist": "Azure API Management Review", - "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", - "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", + "service": "AVS", "severity": "보통", - "text": "프로덕션 워크로드에 프리미엄 계층을 사용합니다.", - "waf": "신뢰도" + "text": "vCenter에서 ADDS로의 연결이 보안 프로토콜(LDAPS)을 사용하고 있는지 확인합니다.", + "waf": "안전" }, { - "checklist": "Azure API Management Review", - "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", + "service": "AVS", "severity": "보통", - "text": "다중 리전 모델에서는 Policies를 사용하여 가용성 또는 지연 시간에 따라 리전 백엔드로 요청을 라우팅합니다.", - "waf": "신뢰도" + "text": "vCenter IdP의 CloudAdmin 계정은 긴급 계정으로만 사용됩니다(Break-glass).", + "waf": "안전" }, { - "checklist": "Azure API Management Review", - "guid": 
"46f07d33-ef9a-44e8-8f98-67c097c5d8cd", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", - "service": "APIM", - "severity": "높다", - "text": "APIM의 제한에 유의해야 합니다.", - "waf": "신뢰도" - }, - { - "checklist": "Azure API Management Review", - "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", - "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", + "service": "AVS", "severity": "높다", - "text": "자체 호스팅 게이트웨이 배포가 복원력이 있는지 확인합니다.", - "waf": "신뢰도" + "text": "NSX-Manager가 외부 ID 제공자(LDAPS)와 통합되었는지 확인합니다.", + "waf": "안전" }, { - "checklist": "Azure API Management Review", - "guid": "7519e385-a88b-4d34-966b-6269d686e890", - "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", + "service": "AVS", "severity": "보통", - "text": "다중 지역 배포를 위해 APIM 앞에서 Azure Front Door 사용Use Azure Front Door in front of APIM for multi-region deployment", - "waf": "공연" + "text": "VMware vSphere에서 사용하기 위해 RBAC 모델이 생성되었습니까?", + "waf": "안전" }, { - "checklist": "Azure API Management Review", - "guid": "cd45c90e-7690-4753-930b-bf290c69c074", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", + "service": "AVS", "severity": "보통", - "text": "VNet(Virtual Network) 내에 서비스 배포Deploy the service within a Virtual Network (VNet)", + "text": "RBAC 권한은 특정 사용자가 아닌 ADDS 그룹에 부여해야 합니다", "waf": "안전" }, { - "checklist": "Azure API 
Management Review", - "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", - "service": "APIM", - "severity": "보통", - "text": "서브넷에 NSG(네트워크 보안 그룹)를 배포하여 APIM에서 들어오고 나가는 트래픽을 제한하거나 모니터링합니다.", + "checklist": "Azure VMware Solution Design Review", + "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", + "service": "AVS", + "severity": "높다", + "text": "Azure의 Azure VMware Solution 리소스에 대한 RBAC 권한은 제한된 소유자 집합으로만 '잠김'됩니다", "waf": "안전" }, { - "checklist": "Azure API Management Review", - "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", - "service": "APIM", - "severity": "보통", - "text": "프라이빗 엔드포인트를 배포하여 APIM이 VNet에 배포되지 않은 경우 들어오는 트래픽을 필터링합니다.", + "checklist": "Azure VMware Solution Design Review", + "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", + "service": "AVS", + "severity": "높다", + "text": "모든 사용자 지정 역할의 범위가 CloudAdmin 허용 권한 부여로 지정되었는지 확인합니다.", "waf": "안전" }, { - "checklist": "Azure API Management Review", - "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", + "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", + "service": "AVS", "severity": "높다", - "text": "공용 네트워크 액세스 사용 안 함", - "waf": "안전" + "text": "현재 고객 사용 사례에 대해 올바른 Azure VMware Solution 연결 모델을 선택했습니까?", + "waf": "공연" }, { - 
"checklist": "Azure API Management Review", - "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", - "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", - "service": "APIM", - "severity": "보통", - "text": "PowerShell 자동화 스크립트로 관리 간소화", + "checklist": "Azure VMware Solution Design Review", + "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", + "service": "AVS", + "severity": "높다", + "text": "'연결 모니터'를 사용하여 온-프레미스에서 Azure로의 ExpressRoute 또는 VPN 연결이 모니터링되는지 확인합니다.", "waf": "작업" }, { - "checklist": "Azure API Management Review", - "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", + "service": "AVS", "severity": "보통", - "text": "Infrastructure-as-code를 통해 APIM을 구성합니다. Cloud Adaption Framework APIM 랜딩 존 가속기에서 DevOps 모범 사례 검토", + "text": "Azure VMware Solution 백 엔드 ExpressRoute 연결을 모니터링하기 위해 Azure 네이티브 리소스에서 Azure VMware Solution 가상 머신으로 연결 모니터가 만들어졌는지 확인합니다.", "waf": "작업" }, { - "checklist": "Azure API Management Review", - "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", - "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", + "service": "AVS", "severity": "보통", - "text": "더 빠른 API 개발을 위해 Visual Studio Code APIM 확장 사용 촉진", + "text": "엔드-2-엔드 연결을 모니터링하기 위해 온-프레미스 리소스에서 Azure VMware Solution 가상 머신으로 연결 모니터가 만들어졌는지 확인합니다.", "waf": "작업" }, { - "checklist": "Azure API Management Review", - "guid": "354f1c03-8112-4965-85ad-c0074bddf231", - "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", - "service": "APIM", - "severity": "보통", - "text": "워크플로에서 DevOps 및 CI/CD 구현", 
+ "checklist": "Azure VMware Solution Design Review", + "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", + "service": "AVS", + "severity": "높다", + "text": "경로 서버를 사용하는 경우 경로 서버에서 ExR 게이트웨이로, 온-프레미스로 1,000개 이상의 경로가 전파되지 않도록 합니다(ARS 제한).", "waf": "작업" }, { - "checklist": "Azure API Management Review", - "guid": "b6439493-426a-45f3-9697-cf65baee208d", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", - "service": "APIM", - "severity": "보통", - "text": "클라이언트 인증서 인증을 사용하여 API 보안", + "checklist": "Azure VMware Solution Design Review", + "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", + "service": "AVS", + "severity": "높다", + "text": "Azure Portal에서 Azure VMware Solution 리소스를 관리하는 역할에 대해 Privileged Identity Management가 구현되어 있나요(고정 권한이 허용되지 않음).", "waf": "안전" }, { - "checklist": "Azure API Management Review", - "guid": "2a67d143-1033-4c0a-8732-680896478f08", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", - "service": "APIM", - "severity": "보통", - "text": "클라이언트 인증서 인증을 사용한 보안 백엔드 서비스", + "checklist": "Azure VMware Solution Design Review", + "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", + "service": "AVS", + "severity": "높다", + "text": "Azure VMware Solution PIM 역할에 대해 Privileged Identity Management 감사 보고를 구현해야 합니다.", "waf": "안전" }, { - "checklist": "Azure API Management Review", - "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", - "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", + "service": "AVS", "severity": "보통", - "text": "'OWASP API 보안 상위 10개 위협을 완화하기 위한 권장 사항' 문서를 검토하고 API에 적용할 수 있는 항목을 확인합니다.", + "text": "Privileged Identity Management를 사용하는 경우 Azure VMware Solution 자동 호스트 교체 알림에 대한 유효한 SMTP 레코드를 사용하여 유효한 Entra ID 사용 계정을 만들었는지 확인합니다. 
(상시 권한 필요)", "waf": "안전" }, { - "checklist": "Azure API Management Review", - "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", - "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", + "service": "AVS", + "severity": "높다", + "text": "CloudAdmin 계정 사용을 긴급 액세스로만 제한", + "waf": "안전" + }, + { + "checklist": "Azure VMware Solution Design Review", + "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", + "service": "AVS", "severity": "보통", - "text": "권한 부여 기능을 사용하여 백엔드 API에 대한 OAuth 2.0 토큰 관리 간소화", + "text": "vCenter에서 사용자 지정 RBAC 역할을 만들어 vCenter 내에서 최소 권한 모델 구현", "waf": "안전" }, { - "checklist": "Azure API Management Review", - "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", - "service": "APIM", - "severity": "높다", - "text": "전송 중인 정보를 암호화할 때 최신 TLS 버전을 사용합니다. 
가능한 경우 오래되고 불필요한 프로토콜과 암호를 사용하지 않도록 설정합니다.", + "checklist": "Azure VMware Solution Design Review", + "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", + "service": "AVS", + "severity": "보통", + "text": "cloudadmin(vCenter) 및 admin(NSX) 자격 증명을 정기적으로 순환하도록 정의된 프로세스입니다.", "waf": "안전" }, { - "checklist": "Azure API Management Review", - "guid": "f8af3d94-1d2b-4070-846f-849197524258", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", + "service": "AVS", "severity": "높다", - "text": "비밀(명명된 값)이 안전하게 액세스하고 업데이트할 수 있도록 Azure Key Vault에 저장되었는지 확인합니다.", + "text": "Azure VMware Solution에서 실행되는 워크로드(VM)에 사용할 중앙 집중식 ID 공급자 사용", "waf": "안전" }, { - "checklist": "Azure API Management Review", - "guid": "791abd8b-7706-4e31-9569-afefde724be3", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", + "service": "AVS", "severity": "보통", - "text": "가능할 때마다 관리 ID를 사용하여 다른 Azure 리소스에 인증", + "text": "NSX-T 내에서 East-West 트래픽 필터링이 구현되었는지 여부", "waf": "안전" }, { - "checklist": "Azure API Management Review", - "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": 
"a2adb1c3-d232-46af-825c-a44e1695fddd", + "service": "AVS", "severity": "높다", - "text": "APIM 앞에 Application Gateway를 배포하여 WAF(웹 애플리케이션 방화벽) 사용Use Web Application Firewall (WAF) by deploying Application Gateway in of APIM", + "text": "Azure VMware Solution의 워크로드는 인터넷에 직접 노출되지 않습니다. 트래픽은 Azure Application Gateway, Azure Firewall 또는 제3자 솔루션에 의해 필터링되고 검사됩니다", "waf": "안전" }, { - "checklist": "Identity Review Checklist", - "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", - "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", - "service": "Entra", - "severity": "보통", - "text": "장기 취소 가능 토큰을 사용하고, 토큰을 캐시하고, Microsoft ID 라이브러리를 사용하여 자동으로 획득합니다.", - "waf": "신뢰도" + "checklist": "Azure VMware Solution Design Review", + "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", + "service": "AVS", + "severity": "높다", + "text": "감사 및 로깅은 Azure VMware Solution 및 Azure VMware Solution 기반 워크로드에 대한 인바운드 인터넷 요청에 대해 구현됩니다", + "waf": "안전" }, { - "checklist": "Identity Review Checklist", - "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", - "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", - "service": "AAD B2C", + "checklist": "Azure VMware Solution Design Review", + "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", + "service": "AVS", "severity": "보통", - "text": "로그인 사용자 흐름이 백업되고 복원력이 있는지 확인합니다. 사용자를 로그인하는 데 사용하는 코드가 백업되고 복구 가능한지 확인합니다. 
외부 프로세스와의 복원력 있는 인터페이스", - "waf": "신뢰도" + "text": "세션 모니터링은 의심스러운/악의적인 활동을 식별하기 위해 Azure VMware Solution 또는 Azure VMware Solution 기반 워크로드의 아웃바운드 인터넷 연결에 대해 구현됩니다", + "waf": "안전" }, { - "checklist": "Identity Review Checklist", - "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", - "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", - "service": "AAD B2C", + "checklist": "Azure VMware Solution Design Review", + "guid": "334fdf91-c234-4182-a652-75269440b4be", + "service": "AVS", "severity": "보통", - "text": "사용자 지정 브랜드 자산은 CDN에서 호스팅되어야 합니다.", - "waf": "공연" - }, - { - "checklist": "Identity Review Checklist", - "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", - "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", - "service": "AAD B2C", - "severity": "낮다", - "text": "여러 ID 공급자가 있어야 합니다(예: Microsoft, Google, Facebook 계정으로 로그인).", - "waf": "신뢰도" + "text": "Azure의 ExR/VPN Gateway 서브넷에서 DDoS 표준 보호를 사용할 수 있나요?", + "waf": "안전" }, { - "checklist": "Identity Review Checklist", - "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "checklist": "Azure VMware Solution Design Review", + "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", + "service": "AVS", "severity": "보통", - "text": "VM 수준에서 고가용성을 위한 VM 규칙(프리미엄 디스크, 서로 다른 가용성 영역에 있는 지역에 두 개 이상)을 따릅니다.", - "waf": "신뢰도" + "text": "전용 PAW(Privileged Access Workstation)를 사용하여 Azure VMware Solution, vCenter, NSX Manager 및 HCX Manager 관리", + "waf": "안전" }, { - "checklist": "Identity Review Checklist", - "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "checklist": "Azure VMware Solution Design Review", + "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", + 
"service": "AVS", "severity": "보통", - "text": "복제하지 마세요! 복제로 인해 디렉터리 동기화에 문제가 발생할 수 있습니다", - "waf": "신뢰도" + "text": "Azure VMware Solution에서 실행되는 워크로드에 대해 Advanced Threat Detection(클라우드용 Microsoft Defender 또는 ASC) 사용", + "waf": "안전" }, { - "checklist": "Identity Review Checklist", - "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "checklist": "Azure VMware Solution Design Review", + "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", + "service": "AVS", "severity": "보통", - "text": "다중 지역에 대해 활성-활성 상태 보유", - "waf": "신뢰도" + "text": "서버용 Azure ARC를 사용하여 Azure 네이티브 기술을 사용하여 Azure VMware Solution에서 실행되는 워크로드를 적절하게 제어합니다(Azure VMware Solution용 Azure ARC는 아직 사용할 수 없음).", + "waf": "안전" }, { - "checklist": "Identity Review Checklist", - "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", + "checklist": "Azure VMware Solution Design Review", + "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", + "service": "AVS", + "severity": "낮다", + "text": "Azure VMware Solution의 워크로드가 런타임 중에 충분한 데이터 암호화(예: 게스트 내 디스크 암호화 및 SQL TDE)를 사용하는지 확인합니다. 
(vSAN 미사용 암호화가 기본값임)", + "waf": "안전" + }, + { + "checklist": "Azure VMware Solution Design Review", + "guid": "a3592718-e6e2-4051-9267-6ae46691e883", + "service": "AVS", + "severity": "낮다", + "text": "게스트 내 암호화를 사용하는 경우 가능한 경우 Azure Key Vault에 암호화 키를 저장합니다", + "waf": "안전" + }, + { + "checklist": "Azure VMware Solution Design Review", + "guid": "5ac94222-3e13-4810-9230-81a941741583", + "service": "AVS", "severity": "보통", - "text": "추가 지역 및 위치에 Azure AD 도메인 서비스 스탬프 추가Add Azure AD Domain service stamps to additional regions and locations", + "text": "Azure VMware Solution에서 실행되는 워크로드에 대해 확장된 보안 업데이트 지원을 사용하는 것이 좋습니다(Azure VMware Solution은 ESU에 적합함).", + "waf": "안전" + }, + { + "checklist": "Azure VMware Solution Design Review", + "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", + "service": "AVS", + "severity": "높다", + "text": "적절한 vSAN 데이터 이중화 방법이 사용되는지 확인합니다(RAID 규격).", "waf": "신뢰도" }, { - "checklist": "Identity Review Checklist", - "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", - "severity": "보통", - "text": "DR에 복제본 세트 사용", + "checklist": "Azure VMware Solution Design Review", + "guid": "d88408f3-7273-44c8-96ba-280214590146", + "service": "AVS", + "severity": "높다", + "text": "vSAN 스토리지 요구 사항을 충족하기 위해 장애 허용 정책이 적용되어 있는지 확인합니다", "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", - "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", + "service": "AVS", + "severity": "높다", + "text": "충분한 할당량을 요청했는지 확인하고 성장 및 재해 복구 요구 사항을 고려했는지 확인합니다", + "waf": "신뢰도" + }, + { + "checklist": "Azure VMware Solution Design Review", + "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", + "service": "AVS", "severity": "보통", - "text": "ACSS(Azure Center for SAP 
solutions)는 SAP를 Azure의 최상위 워크로드로 만드는 Azure 제품입니다. ACSS는 Azure에서 SAP 시스템을 통합 워크로드로 만들고 실행할 수 있도록 하는 엔드투엔드 솔루션으로, 혁신을 위한 보다 원활한 기반을 제공합니다. 신규 및 기존 Azure 기반 SAP 시스템 모두에 대한 관리 기능을 활용할 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", + "text": "ESXi에 대한 액세스 제약 조건을 이해하고 타사 솔루션에 영향을 줄 수 있는 액세스 제한이 있는지 확인합니다.", "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", + "service": "AVS", "severity": "보통", - "text": "Azure는 Linux 및 Windows에서 SAP 배포 자동화를 지원합니다. SAP Deployment Automation Framework는 SAP 환경을 배포, 설치 및 유지 관리할 수 있는 오픈 소스 오케스트레이션 도구입니다.", - "training": "https://github.com/Azure/sap-automation", + "text": "새 노드 요청에 대한 리드 타임을 염두에 두고 ESXi 호스트 밀도 및 효율성에 대한 정책이 있는지 확인합니다", "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", + "service": "AVS", "severity": "보통", - "text": "RTO를 충족하는 시점과 시간 프레임에서 프로덕션 데이터베이스에 대한 특정 시점으로 복구를 수행합니다. 
특정 시점 복구에는 일반적으로 DBMS 계층 또는 SAP를 통해 데이터를 삭제하는 운영자 오류가 포함됩니다", - "waf": "신뢰도" + "text": "Azure VMware Solution에 대한 적절한 비용 관리 프로세스가 있는지 확인 - Azure Cost Management를 사용할 수 있습니다.", + "waf": "비용" }, { - "checklist": "SAP Checklist", - "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", + "service": "AVS", + "severity": "낮다", + "text": "Azure VMware Solution 사용 비용을 최적화하는 데 사용되는 Azure 예약 인스턴스입니까?", + "waf": "비용" + }, + { + "checklist": "Azure VMware Solution Design Review", + "guid": "6691e883-5ac9-4422-83e1-3810523081a9", + "service": "AVS", "severity": "보통", - "text": "백업 및 복구 시간을 테스트하여 재해 발생 후 모든 시스템을 동시에 복원하기 위한 RTO 요구 사항을 충족하는지 확인합니다.", - "waf": "신뢰도" + "text": "다른 Azure 네이티브 서비스를 사용할 때 Azure Private-Link 사용 고려", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "b651423c-8552-42db-a545-5cb50c05527a", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", + "service": "AVS", "severity": "높다", - "text": "쌍을 이루는 지역 간에 표준 스토리지를 복제할 수 있지만 표준 스토리지를 사용하여 데이터베이스 또는 가상 하드 디스크를 저장할 수는 없습니다. 사용하는 쌍을 이루는 지역 간에만 백업을 복제할 수 있습니다. 다른 모든 데이터의 경우 SQL Server Always On 또는 SAP HANA 시스템 복제와 같은 네이티브 DBMS 기능을 사용하여 복제를 실행합니다. 
SAP 애플리케이션 계층에 Site Recovery, rsync 또는 robocopy 및 기타 타사 소프트웨어의 조합을 사용합니다.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "신뢰도" + "text": "필요한 모든 리소스가 동일한 Azure 가용성 영역 내에 있는지 확인합니다.", + "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", + "service": "AVS", "severity": "보통", - "text": "Azure 가용성 영역을 사용하여 고가용성을 달성하는 경우 SAP 애플리케이션 서버와 데이터베이스 서버 간의 대기 시간을 고려해야 합니다. 대기 시간이 긴 영역의 경우 SAP 애플리케이션 서버와 데이터베이스 서버가 항상 동일한 영역에서 실행되도록 운영 절차를 마련해야 합니다.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", - "waf": "신뢰도" + "text": "Azure VMware Solution 게스트 VM 워크로드에 대해 클라우드용 Microsoft Defender 사용", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", + "service": "AVS", + "severity": "보통", + "text": "Azure Arc 지원 서버를 사용하여 Azure VMware Solution 게스트 VM 워크로드 관리", + "waf": "안전" + }, + { + "checklist": "Azure VMware Solution Design Review", + "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", + "service": "AVS", "severity": "높다", - "text": "온-프레미스에서 기본 및 보조 Azure 재해 복구 지역으로의 ExpressRoute 연결을 설정합니다. 
또한 ExpressRoute를 사용하는 대신 온-프레미스에서 주 및 보조 Azure 재해 복구 지역으로 VPN 연결을 설정하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", - "waf": "신뢰도" + "text": "Azure VMware Solution에서 진단 및 메트릭 로깅 사용Enable Diagnostic and metric logging on Azure VMware Solution", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "SAP", - "severity": "낮다", - "text": "DR 지역에서 데이터의 암호를 해독할 수 있도록 지역 간에 인증서, 비밀 또는 키와 같은 키 자격 증명 모음 콘텐츠를 복제합니다.", - "waf": "신뢰도" + "checklist": "Azure VMware Solution Design Review", + "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", + "service": "AVS", + "severity": "보통", + "text": "Azure VMware Solution 게스트 VM 워크로드에 Log Analytics 에이전트 배포", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "589d457a-927c-4397-9d11-02cad6aae11e", + "service": "AVS", "severity": "보통", - "text": "기본 및 재해 복구 가상 네트워크를 피어링합니다. 
예를 들어 HANA 시스템 복제의 경우 SAP HANA DB 가상 네트워크를 재해 복구 사이트의 SAP HANA DB 가상 네트워크에 피어링해야 합니다.", - "waf": "신뢰도" + "text": "Azure VMware Solution VM 워크로드에 대한 백업 정책 및 솔루션을 문서화하고 구현했는지 확인합니다.", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", - "service": "SAP", - "severity": "낮다", - "text": "SAP 배포에 Azure NetApp Files 스토리지를 사용하는 경우 최소한 두 지역의 프리미엄 계층에 두 개의 Azure NetApp Files 계정을 만듭니다.", - "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", - "waf": "신뢰도" + "checklist": "Azure VMware Solution Design Review", + "guid": "ee29711b-d352-4caa-ab79-b198dab81932", + "service": "AVS", + "severity": "보통", + "text": "클라우드용 Microsoft Defender를 사용하여 Azure VMware Solution에서 실행되는 워크로드의 규정 준수 모니터링", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", - "severity": "높다", - "text": "기본 데이터베이스 복제 기술을 사용하여 HA 쌍의 데이터베이스를 동기화해야 합니다.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", - "waf": "신뢰도" + "checklist": "Azure VMware Solution Design Review", + "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", + "service": "AVS", + "severity": "보통", + "text": "적용 가능한 규정 준수 기준이 클라우드용 Microsoft Defender에 추가되었나요?", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", - "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", + "service": "AVS", "severity": "높다", - "text": "기본 VNet(가상 네트워크)에 대한 CIDR은 DR 사이트 VNet의 
CIDR과 충돌하거나 겹치지 않아야 합니다", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "신뢰도" + "text": "Azure VMware Solution 배포에 사용할 Azure 지역을 선택할 때 데이터 보존이 평가되었나요?", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", + "service": "AVS", "severity": "높다", - "text": "Site Recovery를 사용하여 응용 프로그램 서버를 DR 사이트에 복제합니다. Site Recovery는 중앙 서비스 클러스터 VM을 DR 사이트에 복제하는 데도 도움이 될 수 있습니다. DR을 호출할 때 DR 사이트에서 Linux Pacemaker 클러스터를 다시 구성해야 합니다(예: VIP 또는 SBD 바꾸기, corosync.conf 실행 등).", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "신뢰도" + "text": "데이터 처리의 영향(서비스 제공자/서비스 소비자 모델)이 명확하고 문서화되어 있습니까?", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", - "severity": "높다", - "text": "단일 장애 지점에 대한 SAP 소프트웨어의 가용성을 고려합니다. 여기에는 SAP NetWeaver 및 SAP S/4HANA 아키텍처, SAP ABAP 및 ASCS + SCS에서 사용되는 DBMS와 같은 애플리케이션 내의 단일 실패 지점이 포함됩니다. 
또한 SAP Web Dispatcher와 같은 다른 도구도 있습니다.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", - "waf": "신뢰도" + "checklist": "Azure VMware Solution Design Review", + "guid": "547c1747-dc56-4068-a714-435cd19dd244", + "service": "AVS", + "severity": "보통", + "text": "규정 준수를 위해 필요한 경우에만 vSAN에 CMK(고객 관리 키)를 사용하는 것이 좋습니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", + "service": "AVS", "severity": "높다", - "text": "SAP 및 SAP 데이터베이스의 경우 자동 장애 조치(failover) 클러스터를 구현하는 것이 좋습니다. Windows에서 Windows Server 장애 조치(failover) 클러스터링은 장애 조치(failover)를 지원합니다. Linux에서 Linux Pacemaker 또는 SIOS Protection Suite 및 Veritas InfoScale과 같은 타사 툴은 장애 조치를 지원합니다.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "신뢰도" + "text": "핵심 Azure VMware Solution 모니터링 인사이트를 사용하도록 설정하는 대시보드 만들기", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", + "service": "AVS", "severity": "높다", - "text": "Azure는 기본 및 보조 VM이 DBMS 데이터에 대한 스토리지를 공유하는 아키텍처를 지원하지 않습니다. 
DBMS 계층의 경우 일반적인 아키텍처 패턴은 기본 및 보조 VM에서 사용하는 것과 다른 스토리지 스택을 사용하여 동시에 데이터베이스를 복제하는 것입니다.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", - "waf": "신뢰도" + "text": "Azure VMware Solution 성능에 대한 자동 경고에 대한 중요 임계값에 대한 경고 만들기(CPU >80%, 평균 메모리>80%, vSAN>70%)", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", - "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "9659e396-80e7-4828-ac93-5657d02bff45", + "service": "AVS", "severity": "높다", - "text": "DBMS 데이터 및 트랜잭션/다시 실행 로그 파일은 Azure 지원 블록 스토리지 또는 Azure NetApp Files에 저장됩니다. Azure Files 또는 Azure Premium Files는 DBMS 데이터 및/또는 SAP 워크로드가 있는 다시 실행 로그 파일에 대한 스토리지로 지원되지 않습니다.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", - "waf": "신뢰도" + "text": "VMware의 지원 임계값이므로 vSAN 사용량이 75% 미만인지 모니터링하기 위해 중요한 경고가 생성되었는지 확인합니다.", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", - "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", + "service": "AVS", "severity": "높다", - "text": "ASCS + SCS 구성 요소 및 특정 고가용성 시나리오에 대해 Windows에서 Azure 공유 디스크를 사용할 수 있습니다. SAP 애플리케이션 계층 구성 요소 및 DBMS 계층에 대해 장애 조치(failover) 클러스터를 별도로 설정합니다. 
Azure는 현재 SAP 애플리케이션 계층 구성 요소와 DBMS 계층을 하나의 장애 조치(failover) 클러스터로 결합하는 고가용성 아키텍처를 지원하지 않습니다.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "신뢰도" + "text": "Azure Service Health 경고 및 알림에 대해 경고가 구성되었는지 확인", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", - "service": "SAP", - "severity": "높다", - "text": "SAP ASCS(애플리케이션 계층 구성 요소) 및 DBMS 계층에 대한 대부분의 장애 조치(failover) 클러스터에는 장애 조치(failover) 클러스터에 대한 가상 IP 주소가 필요합니다. Azure Load Balancer는 다른 모든 경우에 대한 가상 IP 주소를 처리해야 합니다. 한 가지 설계 원칙은 클러스터 구성당 하나의 부하 분산 장치를 사용하는 것입니다. 부하 분산 장치의 표준 버전(표준 Load Balancer SKU)을 사용하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", - "waf": "신뢰도" + "checklist": "Azure VMware Solution Design Review", + "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", + "service": "AVS", + "severity": "보통", + "text": "처리를 위해 Azure Storage 계정 또는 Azure EventHub로 보내도록 Azure VMware Solution 로깅 구성", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", - "service": "SAP", - "severity": "높다", - "text": "로드 밸런서에서 유동 IP가 사용하도록 설정되어 있는지 확인합니다.", - "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "신뢰도" + "checklist": "Azure VMware Solution Design Review", + "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", + "service": "AVS", + "severity": "낮다", + "text": "VMware vSphere에 대한 심층적인 통찰력이 필요한 경우: 솔루션에서 vRealize Operations 및/또는 vRealize Network Insights가 사용됩니까?", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": 
"c47cc4f3-f105-452c-845e-9b307b3856c1", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", + "service": "AVS", "severity": "높다", - "text": "고가용성 인프라를 배포하기 전에 선택한 지역에 따라 Azure 가용성 집합 또는 가용성 영역을 사용하여 배포할지 여부를 결정합니다.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "신뢰도" + "text": "VM에 대한 vSAN 스토리지 정책은 씩 프로비저닝을 적용하므로 기본 스토리지 정책이 아닌지 확인합니다.", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "SAP", - "severity": "높다", - "text": "SAP 구성 요소(중앙 서비스, 애플리케이션 서버 및 데이터베이스)용 애플리케이션에 대한 인프라 SLA를 충족하려면 모든 구성 요소에 대해 동일한 고가용성 옵션(VM, 가용성 집합, 가용성 영역)을 선택해야 합니다.", - "waf": "신뢰도" + "checklist": "Azure VMware Solution Design Review", + "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", + "service": "AVS", + "severity": "보통", + "text": "vSAN은 유한한 리소스이므로 vSphere 컨텐츠 라이브러리가 vSAN에 배치되지 않도록 합니다.", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "cbe05bbe-209d-4490-ba47-778424d11678", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", - "severity": "높다", - "text": "동일한 가용성 집합에 서로 다른 역할의 서버를 혼합하지 마십시오. 중앙 서비스 VM, 데이터베이스 VM, 애플리케이션 VM을 자체 가용성 집합으로 유지", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "신뢰도" + "checklist": "Azure VMware Solution Design Review", + "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", + "service": "AVS", + "severity": "보통", + "text": "백업 솔루션에 대한 데이터 저장소가 vSAN 스토리지 외부에 저장되어 있는지 확인합니다. 
Azure 네이티브 또는 디스크 풀 지원 데이터 저장소에서", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", - "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", + "service": "AVS", "severity": "보통", - "text": "근접 배치 그룹을 사용하지 않는 한 Azure 가용성 영역 내에 Azure 가용성 집합을 배포할 수 없습니다.", - "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "waf": "신뢰도" + "text": "Azure VMware Solution에서 실행되는 워크로드가 서버용 Azure Arc를 사용하여 하이브리드 관리되는지 확인합니다(Arc for Azure VMware Solution은 미리 보기 상태임).", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "9674e7c7-7796-4181-8920-09f4429543ba", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", - "severity": "높다", - "text": "가용성 집합을 만들 때 사용 가능한 최대 장애 도메인 및 업데이트 도메인 수를 사용합니다. 예를 들어 하나의 가용성 집합에 두 개 이상의 VM을 배포하는 경우 Azure의 계획된 유지 관리 외에도 잠재적인 물리적 하드웨어 오류, 네트워크 중단 또는 전원 중단의 영향을 제한하기 위해 최대 장애 도메인 수(3개)와 충분한 업데이트 도메인을 사용합니다. 
장애 도메인의 기본 수는 2개이며 나중에 온라인으로 변경할 수 없습니다.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "신뢰도" + "checklist": "Azure VMware Solution Design Review", + "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", + "service": "AVS", + "severity": "보통", + "text": "Azure Log Analytics 및 Azure Monitor를 사용하여 Azure VMware Solution에서 실행되는 워크로드를 모니터링하는지 확인합니다.", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", - "severity": "높다", - "text": "가용성 집합 배포에서 Azure 근접 배치 그룹을 사용하는 경우 세 가지 SAP 구성 요소(중앙 서비스, 애플리케이션 서버 및 데이터베이스)가 모두 동일한 근접 배치 그룹에 있어야 합니다.", - "waf": "신뢰도" + "checklist": "Azure VMware Solution Design Review", + "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", + "service": "AVS", + "severity": "보통", + "text": "기존 업데이트 관리 도구 또는 Azure 업데이트 관리에 Azure VMware Solution에서 실행되는 워크로드 포함", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", - "severity": "높다", - "text": "SAP SID당 하나의 근접 배치 그룹을 사용합니다. 
그룹은 가용성 영역 또는 Azure 지역에 걸쳐 있지 않습니다.", - "waf": "신뢰도" + "checklist": "Azure VMware Solution Design Review", + "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", + "service": "AVS", + "severity": "보통", + "text": "Azure Policy를 사용하여 Azure 관리, 모니터링 및 보안 솔루션에서 Azure VMware Solution 워크로드 온보딩", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", - "severity": "높다", - "text": "운영 체제에 따라 다음 서비스 중 하나를 사용하여 SAP 중앙 서비스 클러스터를 실행합니다.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "신뢰도" + "checklist": "Azure VMware Solution Design Review", + "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", + "service": "AVS", + "severity": "보통", + "text": "Azure VMware Solution에서 실행되는 워크로드가 클라우드용 Microsoft Defender에 온보딩되었는지 확인", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "ed46b937-913e-4018-9c62-8393ab037e53", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", + "service": "AVS", "severity": "보통", - "text": "Azure는 현재 동일한 Linux Pacemaker 클러스터에서 ASCS와 DB HA의 결합을 지원하지 않습니다. 개별 클러스터로 분리합니다. 
그러나 최대 5개의 여러 중앙 서비스 클러스터를 한 쌍의 VM으로 결합할 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "text": "vSAN은 유한한 리소스이므로 백업이 vSAN에 저장되지 않도록 합니다.", "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "f656e745-0cfb-453e-8008-0528fa21c933", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", + "service": "AVS", "severity": "보통", - "text": "가용성 집합 또는 가용성 영역의 고가용성 쌍에 두 VM을 모두 배포합니다. 이러한 VM은 크기가 동일하고 스토리지 구성이 동일해야 합니다.", + "text": "모든 DR 솔루션을 고려하고 비즈니스에 가장 적합한 솔루션을 결정했습니까? [SRM/제트스트림/제르토/빔/...]", "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "7f684ebc-95da-425e-b329-e782dbed050f", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", + "service": "AVS", "severity": "보통", - "text": "Azure는 RHEL(Red Hat Enterprise Linux)에서 실행되는 동일한 고가용성 클러스터에 SAP HANA, ASCS/SCS 및 ERS 인스턴스의 설치 및 구성을 지원합니다.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "text": "재해 복구 기술이 네이티브 Azure IaaS인 경우 Azure Site Recovery 사용Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS", "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", + "service": "AVS", "severity": "높다", - "text": "프리미엄 관리형 SSD에서 모든 프로덕션 시스템을 실행하고 Azure NetApp Files 또는 Ultra Disk Storage를 사용합니다. 
적어도 OS 디스크는 프리미엄 계층에 있어야 더 나은 성능과 최상의 SLA를 달성할 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "text": "재해 솔루션 중 하나와 함께 자동화된 복구 계획을 사용하고 가능한 한 수동 작업을 피하십시오.", "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", - "service": "SAP", - "severity": "높다", - "text": "Azure의 SAP HANA는 SAP에서 인증한 스토리지 유형에서만 실행해야 합니다. 특정 볼륨은 해당되는 경우 특정 디스크 구성에서 실행되어야 합니다. 이러한 구성에는 Write Accelerator 사용 및 Premium Storage 사용이 포함됩니다. 또한 스토리지에서 실행되는 파일 시스템이 시스템에서 실행되는 DBMS와 호환되는지 확인해야 합니다.", - "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", + "checklist": "Azure VMware Solution Design Review", + "guid": "8255461e-2aee-4345-9aec-8339248b262d", + "service": "AVS", + "severity": "보통", + "text": "지정학적 지역 쌍을 보조 재해 복구 환경으로 사용Use the geopolitical region pair as the secondary disaster recovery environment", "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", + "service": "AVS", "severity": "높다", - "text": "SAP 워크로드에 사용하는 스토리지 유형에 따라 고가용성을 구성하는 것이 좋습니다. 
Azure에서 사용할 수 있는 일부 스토리지 서비스는 Azure Site Recovery에서 지원되지 않으므로 고가용성 구성이 다를 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", + "text": "지역 간에 2개의 서로 다른 주소 공간을 사용합니다(예: 서로 다른 지역에 대해 10.0.0.0/16 및 192.168.0.0/16).", "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", - "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", - "service": "SAP", - "severity": "높다", - "text": "일부 지역에서는 다양한 네이티브 Azure Storage 서비스(예: Azure Files, Azure NetApp Files, Azure Shared Disk)를 사용하지 못할 수 있습니다. 따라서 장애 조치(failover) 후 DR 지역에서 유사한 SAP를 설정하려면 해당 스토리지 서비스가 DR 사이트에서 제공되는지 확인합니다.", + "checklist": "Azure VMware Solution Design Review", + "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", + "service": "AVS", + "severity": "보통", + "text": "ExpressRoute Global Reach는 기본 및 보조 Azure VMware Solution 프라이빗 클라우드 간의 연결에 사용되나요, 아니면 네트워크 가상 어플라이언스를 통해 라우팅이 수행되나요?", "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", + "service": "AVS", "severity": "보통", - "text": "SAP System Start-Stop을 자동화하여 비용을 관리합니다.", - "waf": "비용" + "text": "모든 백업 솔루션을 고려하고 비즈니스에 가장 적합한 솔루션을 결정했습니까? [ MABS/CommVault/Metallic.io/Veeam/입니다. ]", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", - "severity": "낮다", - "text": "SAP HANA와 함께 Azure Premium Storage를 사용하는 경우 Azure 표준 SSD 스토리지를 사용하여 비용에 민감한 스토리지 솔루션을 선택할 수 있습니다. 
그러나 표준 SSD 또는 표준 HDD Azure Storage를 선택하면 개별 VM의 SLA에 영향을 줍니다. 또한 비프로덕션 환경과 같이 I/O 처리량이 낮고 대기 시간이 짧은 시스템의 경우 더 낮은 시리즈 VM을 사용할 수 있습니다.", - "waf": "비용" + "checklist": "Azure VMware Solution Design Review", + "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", + "service": "AVS", + "severity": "보통", + "text": "Azure VMware Solution 프라이빗 클라우드와 동일한 지역에 백업 솔루션 배포Deploy your backup solution in the same region as your Azure VMware Solution private cloud", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "9877f353-2591-4e8b-8381-e9043fed1010", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", - "severity": "낮다", - "text": "저렴한 대체 구성(다목적)으로 비프로덕션 HANA 데이터베이스 서버 VM에 대해 저성능 SKU를 선택할 수 있습니다. 그러나 E 시리즈와 같은 일부 VM 유형은 HANA 인증(SAP HANA 하드웨어 디렉터리)되지 않았거나 1ms 미만의 스토리지 대기 시간을 달성할 수 없습니다.", - "waf": "비용" + "checklist": "Azure VMware Solution Design Review", + "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", + "service": "AVS", + "severity": "보통", + "text": "vSan의 외부, Azure 네이티브 구성 요소에 백업 솔루션 배포", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", - "service": "SAP", - "severity": "높다", - "text": "관리 그룹, 구독, 리소스 그룹 및 리소스에 대한 RBAC 모델 적용Enforce a RBAC model for management groups, subscriptions, resource groups and resources", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", - "waf": "안전" + "checklist": "Azure VMware Solution Design Review", + "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", + "service": "AVS", + "severity": "낮다", + "text": "Azure 플랫폼에서 관리하는 VMware 구성 요소의 복원을 요청하는 프로세스가 마련되어 있나요?", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "45911475-e39e-4530-accc-d979366bcda2", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", - 
"severity": "보통", - "text": "클라우드 커넥터를 통해 SAP 클라우드 애플리케이션에서 SAP 온-프레미스(IaaS 포함)로 ID를 전달하기 위한 보안 주체 전파 적용", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", - "waf": "안전" + "checklist": "Azure VMware Solution Design Review", + "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", + "service": "AVS", + "severity": "낮다", + "text": "수동 배포의 경우 모든 구성 및 배포를 문서화해야 합니다", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", - "severity": "보통", - "text": "SAML을 사용하여 Azure AD로 SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics 및 SAP C4C와 같은 SAP SaaS 애플리케이션에 대한 SSO를 구현합니다.", - "waf": "안전" + "checklist": "Azure VMware Solution Design Review", + "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", + "service": "AVS", + "severity": "낮다", + "text": "수동 배포의 경우 Azure VMware Solution 프라이빗 클라우드에서 실수로 인한 작업을 방지하기 위해 리소스 잠금을 구현하는 것이 좋습니다", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", - "severity": "보통", - "text": "SAML을 사용하여 SAP Fiori 및 SAP Web GUI와 같은 SAP NetWeaver 기반 웹 애플리케이션에 대한 SSO를 구현합니다.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", - "waf": "안전" + "checklist": "Azure VMware Solution Design Review", + "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", + "service": "AVS", + "severity": "낮다", + "text": "자동화된 배포의 경우 최소한의 프라이빗 클라우드를 배포하고 필요에 따라 확장합니다", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", - "service": "SAP", - "severity": "보통", - "text": "SAML을 사용하여 SAP Fiori 및 SAP 
Web GUI와 같은 SAP NetWeaver 기반 웹 애플리케이션에 대한 SSO를 구현합니다.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", - "waf": "안전" + "checklist": "Azure VMware Solution Design Review", + "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", + "service": "AVS", + "severity": "낮다", + "text": "자동화된 배포의 경우 배포를 시작하기 전에 할당량을 요청하거나 예약합니다", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", - "severity": "보통", - "text": "SAP NetWeaver SSO 또는 파트너 솔루션을 사용하여 SAP GUI에 대한 SSO를 구현할 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", - "waf": "안전" + "checklist": "Azure VMware Solution Design Review", + "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", + "service": "AVS", + "severity": "낮다", + "text": "자동화된 배포의 경우 적절한 거버넌스를 위해 자동화 또는 Azure Policy를 통해 관련 리소스 잠금을 만들어야 합니다", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", - "service": "SAP", - "severity": "보통", - "text": "SAP GUI 및 웹 브라우저 액세스를 위한 SSO의 경우 구성 및 유지 관리가 용이하여 SNC/Kerberos/SPNEGO(간단하고 보호된 GSSAPI 협상 메커니즘)를 구현합니다. 
X.509 클라이언트 인증서를 사용하는 SSO의 경우 SAP SSO 솔루션의 구성 요소인 SAP 보안 로그인 서버를 고려합니다.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", - "waf": "안전" + "checklist": "Azure VMware Solution Design Review", + "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", + "service": "AVS", + "severity": "낮다", + "text": "ExR 인증 키에 대해 사람이 이해할 수 있는 이름을 구현하여 키의 목적/용도를 쉽게 식별할 수 있습니다.", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", - "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", - "service": "SAP", - "severity": "보통", - "text": "SAP GUI 및 웹 브라우저 액세스를 위한 SSO의 경우 구성 및 유지 관리가 용이하여 SNC/Kerberos/SPNEGO(간단하고 보호된 GSSAPI 협상 메커니즘)를 구현합니다. X.509 클라이언트 인증서를 사용하는 SSO의 경우 SAP SSO 솔루션의 구성 요소인 SAP 보안 로그인 서버를 고려합니다.", - "waf": "안전" + "checklist": "Azure VMware Solution Design Review", + "guid": "255461e2-aee3-4553-afc8-339248b262d6", + "service": "AVS", + "severity": "낮다", + "text": "Azure VMware Solution 및 ExpressRoute를 배포하는 데 별도의 서비스 원칙을 사용하는 경우 Key Vault를 사용하여 비밀 및 권한 부여 키를 저장합니다", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "16785d6f-a96c-496a-b885-18f482734c88", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", - "service": "SAP", - "severity": "보통", - "text": "SAP NetWeaver용 OAuth를 사용하여 SSO를 구현하여 타사 또는 사용자 지정 애플리케이션이 SAP NetWeaver OData 서비스에 액세스할 수 있도록 합니다.", - "waf": "안전" + "checklist": "Azure VMware Solution Design Review", + "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", + "service": "AVS", + "severity": "낮다", + "text": "Azure VMware Solution은 제한된 수의 병렬 작업만 지원하므로 많은 리소스를 Azure VMware Solution 배포해야 하는 경우 IaC에서 작업을 직렬화하기 위한 리소스 종속성을 정의합니다.", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "a747c350-8d4c-449c-93af-393dbca77c48", - "link": 
"https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", - "service": "SAP", - "severity": "보통", - "text": "SAP HANA에 대한 SSO 구현", - "waf": "안전" + "checklist": "Azure VMware Solution Design Review", + "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", + "service": "AVS", + "severity": "낮다", + "text": "단일 Tier-1 게이트웨이를 사용하여 NSX-T 세그먼트의 자동화된 구성을 수행하는 경우 NSX-Manager API 대신 Azure Portal API를 사용합니다", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", + "service": "AVS", "severity": "보통", - "text": "Azure AD를 RISE에서 호스트되는 SAP 시스템의 ID 공급자로 간주합니다. 자세한 내용은 Azure AD와 서비스 통합을 참조하세요.", - "waf": "안전" + "text": "자동화된 스케일 아웃을 사용하려는 경우 Azure VMware Solution을 실행하는 구독에 대해 충분한 Azure VMware Solution 할당량을 적용해야 합니다", + "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", - "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", + "service": "AVS", "severity": "보통", - "text": "SAP에 액세스하는 애플리케이션의 경우 보안 주체 전파를 사용하여 SSO를 설정할 수 있습니다.", - "waf": "안전" + "text": "자동 축소를 사용하려는 경우 이러한 작업을 수행하기 전에 스토리지 정책 요구 사항을 고려해야 합니다", + "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", + "service": "AVS", "severity": "보통", - "text": "SAP IAS(Identity Authentication Service)가 필요한 SAP BTP 서비스 또는 SaaS 솔루션을 사용하는 경우 SAP 
Cloud Identity Authentication Services와 Azure AD 간에 SSO를 구현하여 해당 SAP 서비스에 액세스하는 것이 좋습니다. 이 통합을 통해 SAP IAS는 프록시 ID 공급자 역할을 하고 중앙 사용자 저장소 및 ID 공급자인 Azure AD에 인증 요청을 전달할 수 있습니다.", - "waf": "안전" + "text": "한 번에 하나의 크기 조정 작업만 수행할 수 있으므로 크기 조정 작업은 항상 단일 SDDC 내에서 직렬화되어야 합니다(여러 클러스터를 사용하는 경우에도)", + "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", + "service": "AVS", "severity": "보통", - "text": "SAP BTP에 대한 SSO 구현", - "waf": "안전" + "text": "아키텍처에 사용되는 제3자 솔루션에 대한 확장 작업을 고려하고 검증합니다(지원 여부)Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", + "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", + "service": "AVS", "severity": "보통", - "text": "SAP SuccessFactors를 사용하는 경우 Azure AD 자동화된 사용자 프로비저닝을 사용하는 것이 좋습니다. 이 통합을 통해 SAP SuccessFactors에 새 직원을 추가할 때 Azure AD에서 해당 사용자 계정을 자동으로 만들 수 있습니다. 필요에 따라 Microsoft 365 또는 Azure AD 지원하는 기타 SaaS 애플리케이션에서 사용자 계정을 만들 수 있습니다. 
SAP SuccessFactors에 이메일 주소의 쓰기 저장을 사용합니다.", - "waf": "안전" + "text": "자동화에서 환경에 대한 규모 확장/축소 최대 한도 정의 및 적용Define and enforce scale in/out maximum limits for your environment in the automations", + "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "6ba28021-4591-4147-9e39-e5309cccd979", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", + "service": "AVS", "severity": "보통", - "text": "SAP 구독에 기존 관리 그룹 정책 적용", - "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", + "text": "모니터링 규칙을 구현하여 자동화된 조정 작업을 모니터링하고 성공 및 실패를 모니터링하여 적절한(자동) 응답을 사용하도록 설정합니다.", "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", "severity": "높다", - "text": "긴밀하게 결합된 애플리케이션을 동일한 SAP 구독에 통합하여 추가적인 라우팅 및 관리 복잡성 방지", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", - "waf": "작업" + "text": "MON을 사용하는 경우 동시에 구성된 VM의 제한(HCX에 대한 MON 제한[400 - 표준, 1000 - 대형 어플라이언스])을 알고 있어야 합니다.", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + 
"guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", "severity": "높다", - "text": "구독을 배율 단위로 활용하고 리소스를 확장하려면 환경별로 구독을 배포하는 것이 좋습니다. 샌드박스, 비프로덕션, 프로덕션 ", - "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", - "waf": "작업" + "text": "MON을 사용하는 경우 100개 이상의 네트워크 확장에서 MON을 사용하도록 설정할 수 없습니다", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", - "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", - "service": "SAP", - "severity": "높다", - "text": "구독 프로비저닝의 일부로 할당량 증가 확인(예: 구독 내에서 사용 가능한 총 VM 코어)", - "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "waf": "작업" + "checklist": "Azure VMware Solution Design Review", + "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", + "service": "AVS", + "severity": "보통", + "text": "마이그레이션에 VPN 연결을 사용하는 경우 그에 따라 MTU 크기를 조정합니다.", + "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", - "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", - "service": "SAP", - "severity": "낮다", - "text": "할당량 API는 Azure 서비스에 대한 할당량을 보고 관리하는 데 사용할 수 있는 REST API입니다. 
필요한 경우 사용을 고려하십시오.", - "waf": "작업" + "checklist": "Azure VMware Solution Design Review", + "guid": "e614658d-d457-4e92-9139-b821102cad6e", + "service": "AVS", + "severity": "보통", + "text": "Azure(500Mbps 이하)에 연결하는 낮은 연결 지역의 경우 HCX WAN 최적화 어플라이언스 배포를 고려합니다.", + "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", - "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", - "service": "SAP", - "severity": "높다", - "text": "가용성 영역에 배포하는 경우 할당량이 승인되면 VM의 영역 배포를 사용할 수 있는지 확인합니다. 필요한 구독, VM 시리즈, CPU 수 및 가용성 영역을 사용하여 지원 요청을 제출합니다.", - "waf": "작업" + "checklist": "Azure VMware Solution Design Review", + "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", + "service": "AVS", + "severity": "보통", + "text": "마이그레이션이 클라우드 어플라이언스가 아닌 온-프레미스 어플라이언스에서 시작되는지 확인합니다(역방향 마이그레이션을 수행하지 않음).", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "e6e20617-3686-4af4-9791-f8935ada4332", - "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", - "service": "SAP", - "severity": "높다", - "text": "예를 들어 선택한 배포 지역 내에서 필요한 서비스 및 기능을 사용할 수 있는지 확인합니다. 
ANF, 지역 등.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", - "waf": "작업" + "checklist": "Azure VMware Solution Design Review", + "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "AVS", + "severity": "보통", + "text": "Azure NetApp Files를 사용하여 Azure VMware Solution용 스토리지를 확장하는 경우 VM에 직접 연결하는 대신 VMware 데이터 저장소로 사용하는 것이 좋습니다.", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "AVS", "severity": "보통", - "text": "비용 분류 및 리소스 그룹화를 위해 Azure 리소스 태그 활용(BillTo, 부서(또는 사업부), 환경(프로덕션, 스테이지, 개발), 계층(웹 계층, 애플리케이션 계층), 애플리케이션 소유자, 프로젝트 이름)", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", - "waf": "작업" + "text": "전용 ExpressRoute 게이트웨이가 외부 데이터 스토리지 솔루션에 사용되고 있는지 확인합니다.", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", - "severity": "높다", - "text": "Azure Backup 서비스를 사용하여 HANA 데이터베이스를 보호할 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", + "checklist": "Azure VMware Solution Design Review", + "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", + "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "AVS", + "severity": "보통", + "text": "외부 데이터 스토리지 솔루션에 사용되는 ExpressRoute 게이트웨이에서 FastPath를 사용하도록 설정되어 있는지 확인합니다.", "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", - "service": "SAP", - "severity": "보통", - "text": "HANA, Oracle 또는 DB2 데이터베이스용 Azure NetApp Files를 배포하는 경우 Azure 애플리케이션 일치 스냅샷 도구(AzAcSnap)를 사용하여 애플리케이션 일치 스냅샷을 만듭니다. AzAcSnap은 Oracle 데이터베이스도 지원합니다. 개별 VM이 아닌 중앙 VM에서 AzAcSnap을 사용하는 것이 좋습니다.", + "checklist": "Azure VMware Solution Design Review", + "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "AVS", + "severity": "높다", + "text": "확장된 클러스터를 사용하는 경우 선택한 재해 복구 솔루션이 공급업체에서 지원되는지 확인합니다", "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", + "checklist": "Azure VMware Solution Design Review", + "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "AVS", "severity": "높다", - "text": "운영 체제와 SAP 시스템 간의 표준 시간대 일치를 확인합니다.", - "waf": "작업" + "text": "확장된 클러스터를 사용하는 경우 제공된 SLA가 요구 사항을 충족하는지 확인합니다", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "c3c7abc0-716c-4486-893c-40e181d65539", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", - "service": "SAP", - "severity": "보통", - "text": "동일한 클러스터에서 서로 다른 애플리케이션 서비스를 그룹화하지 마세요. 예를 들어 DRBD와 중앙 서비스 클러스터를 동일한 클러스터에 결합하지 마세요. 
그러나 동일한 Pacemaker 클러스터를 사용하여 약 5개의 서로 다른 중앙 서비스(다중 SID 클러스터)를 관리할 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "checklist": "Azure VMware Solution Design Review", + "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "AVS", + "severity": "높다", + "text": "확장된 클러스터를 사용하는 경우 두 ExpressRoute 회로가 모두 연결 허브에 연결되어 있는지 확인합니다.", "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "a491dfc4-9353-4213-9217-eef0949f9467", - "link": "https://azure.microsoft.com/pricing/offers/dev-test/", - "service": "SAP", - "severity": "낮다", - "text": "Azure 실행 비용을 절감하고 최적화하기 위해 다시 알림 모델에서 개발/테스트 시스템을 실행하는 것이 좋습니다.", - "waf": "비용" + "checklist": "Azure VMware Solution Design Review", + "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "AVS", + "severity": "높다", + "text": "확장된 클러스터를 사용하는 경우 두 ExpressRoute 회로 모두에서 GlobalReach를 사용하도록 설정되어 있는지 확인합니다.", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", - "link": "https://learn.microsoft.com/azure/lighthouse/overview", - "service": "SAP", - "severity": "보통", - "text": "SAP 자산을 관리하여 고객과 파트너 관계를 맺는 경우 Azure Lighthouse를 사용하는 것이 좋습니다. Azure Lighthouse를 사용하면 관리 서비스 공급자가 Azure 네이티브 ID 서비스를 사용하여 고객 환경에 인증할 수 있습니다. 
고객은 언제든지 액세스 권한을 취소하고 서비스 제공업체의 조치를 감사할 수 있으므로 고객의 손에 제어 권한을 부여합니다.", - "waf": "작업" + "checklist": "Azure VMware Solution Design Review", + "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "AVS", + "severity": "높다", + "text": "사이트 재해 허용 범위 설정을 적절하게 고려하고 필요한 경우 비즈니스에 맞게 변경하십시오.", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "4d116785-d2fa-456c-96ad-48408fe72734", - "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", - "service": "SAP", + "checklist": "Azure Blob Storage Review", + "description": "스토리지와 관련된 Microsoft 클라우드 보안 벤치마크의 지침 적용", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Azure Storage", "severity": "보통", - "text": "Azure Update Manager를 사용하여 단일 VM 또는 여러 VM에 대해 사용 가능한 업데이트의 상태를 확인하고 정기적인 패치를 예약하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", - "waf": "작업" + "text": "'스토리지에 대한 Azure 보안 기준' 고려", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", - "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", - "service": "SAP", - "severity": "낮다", - "text": "SAP Landscape Management(LaMa)를 사용하여 SAP Basis 운영을 최적화하고 관리합니다. Azure용 SAP LaMa 커넥터를 사용하여 SAP 시스템을 재배치, 복사, 복제 및 새로 고칩니다.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", - "waf": "작업" + "checklist": "Azure Blob Storage Review", + "description": "Azure Storage는 기본적으로 공용 IP 주소를 가지며 인터넷에 연결할 수 있습니다. 
프라이빗 엔드포인트를 사용하면 액세스가 필요한 Azure Compute 리소스에만 Azure Storage를 안전하게 노출할 수 있으므로 공용 인터넷에 노출되지 않습니다", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Azure Storage", + "severity": "높다", + "text": "Azure Storage에 프라이빗 엔드포인트를 사용하는 것이 좋습니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "14591147-5e39-4e53-89cc-cd979366bcda", - "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", - "service": "SAP", + "checklist": "Azure Blob Storage Review", + "description": "새로 만든 저장소 계정은 ARM 배포 모델을 사용하여 만들어지므로 RBAC, 감사 등을 모두 사용할 수 있습니다. 구독에 클래식 배포 모델이 있는 이전 저장소 계정이 없는지 확인합니다.", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Azure Storage", "severity": "보통", - "text": "SAP용 Azure Monitor 솔루션을 사용하여 Azure에서 SAP 워크로드(SAP HANA, 고가용성 SUSE 클러스터 및 SQL 시스템)를 모니터링합니다. SAP Solution Manager를 사용하여 SAP용 Azure Monitor 솔루션을 보완하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "작업" + "text": "이전 스토리지 계정이 '클래식 배포 모델'을 사용하지 않는지 확인", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", - "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", - "service": "SAP", + "checklist": "Azure Blob Storage Review", + "description": "Microsoft Defender를 활용하여 의심스러운 활동 및 잘못된 구성에 대해 알아봅니다.", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Azure Storage", "severity": "높다", - "text": "SAP용 VM 확장 검사를 실행합니다. SAP용 VM 확장은 VM(가상 머신)의 할당된 관리 ID를 사용하여 VM 모니터링 및 구성 데이터에 액세스합니다. 
이 검사는 SAP 애플리케이션의 모든 성능 메트릭이 기본 SAP용 Azure 확장에서 제공되는지 확인합니다.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", - "waf": "작업" + "text": "모든 스토리지 계정에 대해 Microsoft Defender 사용", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "SAP", + "checklist": "Azure Blob Storage Review", + "description": "일시 삭제 메커니즘을 사용하면 실수로 삭제된 Blob을 복구할 수 있습니다.", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Azure Storage", "severity": "보통", - "text": "액세스 제어 및 규정 준수 보고에 Azure Policy를 사용합니다. Azure Policy는 일관된 정책 준수와 빠른 위반 감지를 보장하기 위해 조직 전체 설정을 적용하는 기능을 제공합니다. ", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "작업" + "text": "Blob에 대해 '일시 삭제' 사용Enable 'soft delete' for blobs", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", - "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", - "service": "SAP", + "checklist": "Azure Blob Storage Review", + "description": "예를 들어 애플리케이션이 기밀성, 개인 정보 보호 또는 규정 준수를 위해 삭제된 정보가 즉시 삭제되도록 해야 하는 경우와 같이 특정 Blob 컨테이너에 대해 '일시 삭제'를 선택적으로 사용하지 않도록 설정하는 것이 좋습니다. ", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", "severity": "보통", - "text": "Azure Network Watcher의 연결 모니터를 사용하여 SAP 데이터베이스 및 애플리케이션 서버에 대한 대기 시간 메트릭을 모니터링합니다. 
또는 Azure Monitor를 사용하여 네트워크 대기 시간 측정값을 수집하고 표시합니다.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", - "waf": "작업" + "text": "Blob에 대해 '일시 삭제' 사용 안 함", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "73686af4-6791-4f89-95ad-a43324e13811", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", - "service": "SAP", - "severity": "보통", - "text": "프로비저닝된 Azure 인프라에서 SAP HANA에 대한 품질 검사를 수행하여 프로비저닝된 VM이 Azure의 SAP HANA 모범 사례를 준수하는지 확인합니다.", - "waf": "작업" + "checklist": "Azure Blob Storage Review", + "description": "컨테이너에 대한 일시 삭제를 사용하면 컨테이너가 삭제된 후 컨테이너를 복구할 수 있습니다(예: 실수로 인한 삭제 작업에서 복구).", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Azure Storage", + "severity": "높다", + "text": "컨테이너에 대해 '일시 삭제' 사용Enable 'soft delete' for containers", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "616785d6-fa96-4c96-ad88-518f482734c8", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", - "severity": "높다", - "text": "각 Azure 구독에 대해 영역 배포 전에 Azure 가용성 영역에서 대기 시간 테스트를 실행하여 Azure에서 SAP를 배포하기 위한 대기 시간이 짧은 영역을 선택합니다.", - "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "waf": "공연" - }, - { - "checklist": "SAP Checklist", - "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", - "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", - "service": "SAP", + "checklist": "Azure Blob Storage Review", + "description": "예를 들어 애플리케이션이 기밀성, 개인 정보 보호 또는 규정 준수를 위해 삭제된 정보가 즉시 삭제되도록 해야 하는 경우와 같이 특정 Blob 컨테이너에 대해 '일시 삭제'를 선택적으로 사용하지 않도록 설정하는 것이 좋습니다. 
", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", "severity": "보통", - "text": "복원력 보고서를 실행하여 프로비저닝된 전체 Azure 인프라(컴퓨팅, 데이터베이스, 네트워킹, 스토리지, Site Recovery)의 구성이 Azure용 클라우드 적응 프레임워크에서 정의한 구성을 준수하는지 확인합니다.", - "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", - "waf": "신뢰도" + "text": "컨테이너에 대해 '일시 삭제' 사용 안 함", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", - "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", - "service": "SAP", - "severity": "보통", - "text": "SAP용 Microsoft Sentinel 솔루션을 사용하여 위협 방지를 구현합니다. 이 솔루션을 사용하여 SAP 시스템을 모니터링하고 비즈니스 로직 및 애플리케이션 계층 전체에서 정교한 위협을 탐지할 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", + "checklist": "Azure Blob Storage Review", + "description": "사용자가 삭제하기 전에 먼저 삭제 잠금을 제거하도록 강제하여 저장소 계정이 실수로 삭제되는 것을 방지합니다.", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", + "severity": "높다", + "text": "스토리지 계정에 대한 리소스 잠금 사용Enable resource locks on storage accounts", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", - "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "service": "SAP", - "severity": "보통", - "text": "Azure 태그 지정을 활용하여 리소스를 논리적으로 그룹화 및 추적하고, 배포를 자동화하고, 가장 중요한 것은 발생한 비용에 대한 가시성을 제공할 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", - "waf": "작업" + "checklist": "Azure Blob Storage Review", + "description": "Blob에 대한 '법적 보존' 또는 '시간 기반 보존' 정책을 고려하면 Blob, 컨테이너 또는 스토리지 계정을 삭제할 수 없습니다. '불가능'은 실제로 '불가능'을 의미합니다. 
스토리지 계정에 변경할 수 없는 Blob이 포함된 경우 해당 스토리지 계정을 '제거'하는 유일한 방법은 Azure 구독을 취소하는 것입니다.", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Azure Storage", + "severity": "높다", + "text": "변경할 수 없는 Blob 고려", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", - "service": "SAP", - "severity": "낮다", - "text": "대기 시간에 민감한 애플리케이션에 대해 VM 간 대기 시간 모니터링을 사용합니다.", - "waf": "공연" + "checklist": "Azure Blob Storage Review", + "description": "모든 데이터 전송이 암호화되고, 무결성이 보호되고, 서버가 인증되도록 스토리지 계정에 대한 보호되지 않는 HTTP/80 액세스를 사용하지 않도록 설정하는 것이 좋습니다. ", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Azure Storage", + "severity": "높다", + "text": "HTTPS 필요, 즉 스토리지 계정에서 포트 80 사용 안 함Require HTTPS, i.e. disable port 80 on the storage account", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", - "severity": "보통", - "text": "Azure Site Recovery 모니터링을 사용하여 SAP 애플리케이션 서버에 대한 재해 복구 서비스의 상태를 유지 관리합니다.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "신뢰도" + "checklist": "Azure Blob Storage Review", + "description": "스토리지 계정에서 사용자 지정 도메인(호스트 이름)을 구성할 때 TLS/HTTPS가 필요한지 여부를 확인합니다. 
이 경우 저장소 계정 앞에 Azure CDN을 배치해야 할 수 있습니다.", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Azure Storage", + "severity": "높다", + "text": "HTTPS를 적용할 때(HTTP 사용 안 함) 스토리지 계정에 사용자 지정 도메인(CNAME)을 사용하지 않는지 확인합니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", + "checklist": "Azure Blob Storage Review", + "description": "클라이언트가 SAS 토큰을 사용하여 Blob 데이터에 액세스할 때 HTTPS를 요구하면 자격 증명 손실 위험을 최소화하는 데 도움이 됩니다.", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": "Azure Storage", "severity": "보통", - "text": "모든 데이터베이스 파일 시스템 및 실행 프로그램을 바이러스 백신 검사에서 제외합니다. 이를 포함하면 성능 문제가 발생할 수 있습니다. 제외 목록에 대한 규범적 세부 정보는 데이터베이스 공급업체에 문의하십시오. 예를 들어 Oracle은 바이러스 백신 검사에서 /oracle//sapdata를 제외할 것을 권장합니다.", - "waf": "공연" + "text": "SAS(공유 액세스 서명) 토큰을 HTTPS 연결로만 제한", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "c027f893-f404-41a9-b33d-39d625a14964", - "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", - "service": "SAP", - "severity": "낮다", - "text": "마이그레이션 후 비 HANA 데이터베이스에 대한 전체 데이터베이스 통계를 수집하는 것이 좋습니다. 
예를 들어 SAP Note 1020260 - Oracle 통계 제공을 구현합니다.", - "waf": "공연" + "checklist": "Azure Blob Storage Review", + "description": "AAD 토큰은 가능한 경우 공유 액세스 서명보다 우선해야 합니다", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Azure Storage", + "severity": "높다", + "text": "Blob 액세스에 Azure AD(Azure Active Directory) 토큰 사용Use Azure Active Directory (Azure AD) tokens for blob access", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", - "service": "SAP", + "checklist": "Azure Blob Storage Review", + "description": "사용자, 그룹 또는 응용 프로그램에 역할을 할당할 때 해당 보안 주체가 작업을 수행하는 데 필요한 권한만 부여합니다. 리소스에 대한 액세스를 제한하면 의도하지 않은 데이터 오용과 악의적인 데이터 오용을 모두 방지할 수 있습니다.", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Azure Storage", "severity": "보통", - "text": "Azure에서 SAP를 사용하는 모든 Oracle 배포에 Oracle ASM(Automatic Storage Management)을 사용하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", - "waf": "공연" + "text": "IaM 권한의 최소 권한", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", - "service": "SAP", - "severity": "보통", - "text": "Oracle을 실행하는 Azure의 SAP의 경우 SQL 스크립트 컬렉션은 성능 문제를 진단하는 데 도움이 될 수 있습니다. AWR(Automatic Workload Repository) 보고서에는 Oracle 시스템의 문제점을 진단하는 데 유용한 정보가 포함되어 있습니다. 
여러 세션 동안 AWR 보고서를 실행하고 피크 시간을 선택하여 광범위한 분석 범위를 보장하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", - "waf": "공연" + "checklist": "Azure Blob Storage Review", + "description": "사용자 위임 SAS는 Azure AD(Azure Active Directory) 자격 증명과 SAS에 지정된 권한으로 보호됩니다. 사용자 위임 SAS는 범위와 기능 측면에서 서비스 SAS와 유사하지만 서비스 SAS에 비해 보안상의 이점을 제공합니다. ", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Azure Storage", + "severity": "높다", + "text": "SAS를 사용하는 경우 스토리지 계정 키 기반 SAS보다 '사용자 위임 SAS'를 선호합니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", + "checklist": "Azure Blob Storage Review", + "description": "스토리지 계정 키('공유 키')에는 감사 기능이 거의 없습니다. 누가/언제 키 사본을 가져왔는지 모니터링할 수 있지만, 키가 여러 사람의 손에 들어가면 특정 사용자의 사용을 귀속시키는 것은 불가능합니다. AAD 인증에만 의존하면 스토리지 액세스를 사용자에게 더 쉽게 연결할 수 있습니다. 
", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Azure Storage", "severity": "높다", - "text": "Azure Site Recovery 모니터링을 사용하여 SAP 애플리케이션 서버에 대한 재해 복구 서비스의 상태를 유지 관리합니다.", - "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "waf": "작업" + "text": "AAD 액세스(및 사용자 위임 SAS)만 지원되도록 스토리지 계정 키를 사용하지 않도록 설정하는 것이 좋습니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "SAP", + "checklist": "Azure Blob Storage Review", + "description": "활동 로그 데이터를 사용하여 스토리지 계정의 보안을 보거나 변경하는 '시기', '누가', '무엇을' 및 '방법'(예: 스토리지 계정 키, 액세스 정책 등)을 식별합니다.", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Azure Storage", + "severity": "높다", + "text": "Azure Monitor를 사용하여 스토리지 계정에 대한 컨트롤 플레인 작업을 감사하는 것이 좋습니다.", + "waf": "안전" + }, + { + "checklist": "Azure Blob Storage Review", + "description": "키 만료 정책을 사용하면 계정 액세스 키 교체에 대한 미리 알림을 설정할 수 있습니다. 
지정된 간격이 경과하고 키가 아직 회전되지 않은 경우 알림이 표시됩니다.", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Azure Storage", "severity": "보통", - "text": "HTTP/S 앱을 안전하게 배달하려면 Application Gateway v2를 사용하고 WAF 보호 및 정책이 사용하도록 설정되어 있는지 확인합니다.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", + "text": "스토리지 계정 키를 사용하는 경우 '키 만료 정책'을 사용하도록 설정하는 것이 좋습니다", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", + "checklist": "Azure Blob Storage Review", + "description": "SAS 만료 정책은 SAS가 유효한 권장 간격을 지정합니다. SAS 만료 정책은 서비스 SAS 또는 계정 SAS에 적용됩니다. 사용자가 권장 간격보다 큰 유효 간격을 사용하여 서비스 SAS 또는 계정 SAS를 생성하면 경고가 표시됩니다.", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Azure Storage", "severity": "보통", - "text": "Azure로 마이그레이션하는 동안 가상 머신의 DNS 또는 가상 이름이 변경되지 않은 경우 백그라운드 DNS 및 가상 이름은 SAP 환경의 많은 시스템 인터페이스를 연결하며, 고객은 시간이 지남에 따라 개발자가 정의하는 인터페이스를 인식하는 경우에만 인식할 수 있습니다. 마이그레이션 후 가상 또는 DNS 이름이 변경될 때 다양한 시스템 간에 연결 문제가 발생하며, 이러한 유형의 문제를 방지하기 위해 DNS 별칭을 유지하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", - "waf": "작업" + "text": "SAS 만료 정책 구성 고려", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", + "checklist": "Azure Blob Storage Review", + "description": "저장된 액세스 정책은 스토리지 계정 키를 다시 생성할 필요 없이 서비스 SAS에 대한 권한을 취소하는 옵션을 제공합니다. 
", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Azure Storage", "severity": "보통", - "text": "서로 다른 DNS 영역을 사용하여 각 환경(샌드박스, 개발, 사전 프로덕션 및 프로덕션)을 서로 구분합니다. 예외는 자체 VNet을 사용하는 SAP 배포의 경우입니다. 여기서는 프라이빗 DNS 영역이 필요하지 않을 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", - "waf": "작업" + "text": "SAS를 저장된 액세스 정책에 연결하는 것이 좋습니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "a3592829-e6e2-4061-9368-6af46791f893", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", - "service": "SAP", + "checklist": "Azure Blob Storage Review", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Azure Storage", "severity": "보통", - "text": "로컬 및 글로벌 VNet 피어링은 연결을 제공하며, 여러 Azure 지역에서 SAP 배포를 위한 랜딩 존 간의 연결을 보장하기 위해 선호되는 접근 방식입니다", - "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", - "waf": "신뢰도" + "text": "체크 인된 연결 문자열 및 저장소 계정 키를 검색하도록 응용 프로그램의 소스 코드 리포지토리를 구성하는 것이 좋습니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", - "service": "SAP", + "checklist": "Azure Blob Storage Review", + "description": "이상적으로 애플리케이션은 관리 ID를 사용하여 Azure Storage에 인증해야 합니다. 
이렇게 할 수 없는 경우 Azure KeyVault 또는 동등한 서비스에 스토리지 자격 증명(연결 문자열, 스토리지 계정 키, SAS, 서비스 주체 자격 증명)을 사용하는 것이 좋습니다.", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Azure Storage", "severity": "높다", - "text": "SAP 애플리케이션과 SAP 데이터베이스 서버 간에 NVA를 배포하는 것은 지원되지 않습니다", - "training": "https://me.sap.com/notes/2731110", - "waf": "공연" + "text": "Azure KeyVault에 연결 문자열을 저장하는 것이 좋습니다(관리 ID를 사용할 수 없는 시나리오에서).", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", - "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", - "service": "SAP", - "severity": "보통", - "text": "Azure 지역 및 온-프레미스 위치 간에 글로벌 전송 연결이 필요한 신규, 대규모 또는 글로벌 네트워크에서 Azure 배포에 Virtual WAN을 사용합니다. 이 방법을 사용하면 Azure 네트워킹에 대한 전이적 라우팅을 수동으로 설정할 필요가 없으며 Azure의 SAP 배포에 대한 표준을 따를 수 있습니다.", - "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "waf": "작업" + "checklist": "Azure Blob Storage Review", + "description": "임시 SAS 서비스 SAS 또는 계정 SAS에서 단기 만료 시간을 사용합니다. 이러한 방식으로 SAS가 손상되더라도 짧은 시간 동안만 유효합니다. 이 방법은 저장된 액세스 정책을 참조할 수 없는 경우에 특히 중요합니다. 또한 단기 만료 시간은 업로드에 사용할 수 있는 시간을 제한하여 Blob에 쓸 수 있는 데이터의 양을 제한합니다.", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", + "severity": "높다", + "text": "임시 SAS의 유효 기간을 단축하기 위해 노력", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", - "service": "SAP", + "checklist": "Azure Blob Storage Review", + "description": "SAS를 만들 때는 가능한 한 구체적이고 제한적이어야 합니다. 
훨씬 더 광범위한 액세스를 제공하는 SAS보다 단일 리소스 및 작업에 대해 SAS를 선호합니다.", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "severity": "보통", - "text": "파트너 NVA를 사용하는 경우에만 지역 간에 NVA(네트워크 가상 어플라이언스)를 배포하는 것이 좋습니다. 네이티브 NVA가 있는 경우 지역 또는 VNet 간의 NVA가 필요하지 않습니다. 파트너 네트워킹 기술 및 NVA를 배포하는 경우 공급업체의 지침에 따라 Azure 네트워킹과 충돌하는 구성을 확인합니다.", - "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", - "waf": "작업" + "text": "SAS에 좁은 범위 적용", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", - "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", - "service": "SAP", + "checklist": "Azure Blob Storage Review", + "description": "SAS에는 SAS를 사용하여 리소스를 요청할 수 있는 권한이 있는 클라이언트 IP 주소 또는 주소 범위에 대한 매개 변수가 포함될 수 있습니다. ", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Azure Storage", "severity": "보통", - "text": "Virtual WAN은 가상 WAN 기반 토폴로지에 대한 스포크 VNet 간의 연결을 관리하며(UDR[사용자 정의 라우팅] 또는 NVA를 설정할 필요 없음) 동일한 가상 허브의 VNet 간 트래픽에 대한 최대 네트워크 처리량은 초당 50기가비트입니다. 
필요한 경우 SAP 랜딩 존은 VNet 피어링을 사용하여 다른 랜딩 존에 연결하고 이 대역폭 제한을 극복할 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", - "waf": "작업" + "text": "가능한 경우 SAS의 범위를 특정 클라이언트 IP 주소로 지정하는 것이 좋습니다", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "82734c88-6ba2-4802-8459-11475e39e530", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", - "severity": "높다", - "text": "SAP 워크로드를 실행하는 VM에 대한 공용 IP 할당은 권장되지 않습니다.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "checklist": "Azure Blob Storage Review", + "description": "SAS는 클라이언트가 업로드하는 데이터의 양을 제한할 수 없습니다. 시간 경과에 따른 스토리지 양의 가격 책정 모델을 고려할 때 클라이언트가 악의적으로 큰 콘텐츠를 업로드했는지 여부를 확인하는 것이 합리적일 수 있습니다.", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Azure Storage", + "severity": "낮다", + "text": "클라이언트가 SAS를 사용하여 파일을 업로드한 후 업로드된 데이터를 확인하는 것이 좋습니다. ", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", - "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "service": "SAP", + "checklist": "Azure Blob Storage Review", + "description": "'로컬 사용자 계정'을 사용하여 SFTP를 통해 Blob Storage에 액세스하는 경우 '일반적인' RBAC 컨트롤이 적용되지 않습니다. NFS 또는 REST를 통한 Blob 액세스는 SFTP 액세스보다 더 제한적일 수 있습니다. 
안타깝게도 2023년 초부터 로컬 사용자는 현재 SFTP 엔드포인트에 대해 지원되는 유일한 ID 관리 형태입니다", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Azure Storage", "severity": "높다", - "text": "ASR을 구성할 때 DR 쪽에서 IP 주소를 예약하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "작업" + "text": "SFTP: SFTP 액세스에 대한 '로컬 사용자'의 수를 제한하고 시간이 지남에 따라 액세스가 필요한지 여부를 감사합니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", + "checklist": "Azure Blob Storage Review", + "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Azure Storage", + "severity": "보통", + "text": "SFTP: SFTP 엔드포인트는 POSIX와 유사한 ACL을 지원하지 않습니다.", + "waf": "안전" + }, + { + "checklist": "Azure Blob Storage Review", + "description": "스토리지는 CORS(Cross-Origin Resource Sharing), 즉 다른 도메인의 웹앱이 동일 출처 정책을 완화할 수 있도록 하는 HTTP 기능을 지원합니다. 
CORS를 사용하도록 설정할 때 CorsRules를 최소 권한으로 유지합니다.", + "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Azure Storage", "severity": "높다", - "text": "프로덕션 및 DR 사이트에 겹치는 IP 주소 범위를 사용하지 마십시오.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", - "waf": "작업" + "text": "지나치게 광범위한 CORS 정책 방지", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "6e154e3a-a359-4282-ae6e-206173686af4", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", - "service": "SAP", - "severity": "보통", - "text": "Azure는 VNet에서 여러 위임된 서브넷을 만드는 데 도움이 되지만 Azure NetApp Files용 VNet에는 위임된 서브넷이 하나만 존재할 수 있습니다. Azure NetApp Files에 대해 둘 이상의 위임된 서브넷을 사용하는 경우 새 볼륨을 만들려는 시도가 실패합니다.", - "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", - "waf": "작업" + "checklist": "Azure Blob Storage Review", + "description": "미사용 데이터는 항상 서버 쪽에서 암호화되며 클라이언트 쪽에서도 암호화될 수 있습니다. 서버 쪽 암호화는 플랫폼 관리형 키(기본값) 또는 고객 관리형 키를 사용하여 발생할 수 있습니다. 클라이언트 쪽 암호화는 클라이언트가 Azure Storage에 Blob별로 암호화/암호 해독 키를 제공하거나 클라이언트 쪽에서 암호화를 완전히 처리하여 발생할 수 있습니다. 따라서 기밀성 보장을 위해 Azure Storage에 전혀 의존하지 않습니다.", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Azure Storage", + "severity": "높다", + "text": "미사용 데이터를 암호화하는 방법을 결정합니다. 
데이터에 대한 스레드 모델을 이해합니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", - "service": "SAP", + "checklist": "Azure Blob Storage Review", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Azure Storage", "severity": "보통", - "text": "Azure Firewall을 사용하여 인터넷에 대한 Azure 아웃바운드 트래픽, 비 HTTP/S 인바운드 연결 및 East/West 트래픽 필터링(조직에 필요한 경우)을 제어합니다", - "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", + "text": "사용해야 하는 플랫폼 암호화를 결정합니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", - "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", - "service": "SAP", + "checklist": "Azure Blob Storage Review", + "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Azure Storage", "severity": "보통", - "text": "Application Gateway, SAP Web Dispatcher 및 기타 타사 서비스 간의 비교에서 볼 수 있듯이 Application Gateway가 SAP 웹앱에 대한 역방향 프록시 역할을 하는 경우 Application Gateway 및 Web Application Firewall에 제한 사항이 있습니다.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", + "text": "사용해야 하는 클라이언트 쪽 암호화를 결정합니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", - "severity": "보통", - "text": "Azure Front Door 및 WAF 정책을 사용하여 랜딩 존에 대한 인바운드 HTTP/S 연결을 위해 Azure 지역에서 전역 보호를 제공합니다.", - 
"training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", + "checklist": "Azure Blob Storage Review", + "description": "Resource Graph Explorer(resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true)를 활용하여 익명 Blob 액세스를 허용하는 스토리지 계정을 찾습니다.", + "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Azure Storage", + "severity": "높다", + "text": "공용 Blob 액세스가 필요한지 또는 특정 스토리지 계정에 대해 사용하지 않도록 설정할 수 있는지 여부를 고려합니다. ", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "SAP", + "checklist": "Azure Bot Service", + "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", + "service": "Bot service", "severity": "보통", - "text": "Azure Front Door 및 Application Gateway를 사용하여 HTTP/S 애플리케이션을 보호하는 경우 Azure Front Door의 Web Application Firewall 정책을 활용합니다. Azure Front Door에서만 트래픽을 수신하도록 Application Gateway를 잠급니다.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", - "waf": "안전" + "text": "Azure Bot Service의 안정성 지원 권장 사항을 따릅니다", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "5ada4332-4e13-4811-9231-81aa41742694", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", + "checklist": "Azure Bot Service", + "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", + "service": "Bot service", "severity": "보통", - "text": "웹 애플리케이션 방화벽을 사용하여 트래픽이 인터넷에 노출될 때 트래픽을 검사합니다. 
또 다른 옵션은 부하 분산 장치 또는 Application Gateway 또는 타사 솔루션과 같은 기본 제공 방화벽 기능이 있는 리소스와 함께 사용하는 것입니다.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", - "waf": "안전" + "text": "로컬 데이터 레지던시 및 지역 규정 준수를 통해 봇 배포Deploying bots with local data residency and regional compliance", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "SAP", + "checklist": "Azure Bot Service", + "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", + "service": "Bot service", "severity": "보통", - "text": "Azure 지역 및 온-프레미스 위치 간에 글로벌 전송 연결이 필요한 신규, 대규모 또는 글로벌 네트워크에서 Azure 배포에 Virtual WAN을 사용합니다. 이 방법을 사용하면 Azure 네트워킹에 대한 전이적 라우팅을 수동으로 설정할 필요가 없으며 Azure의 SAP 배포에 대한 표준을 따를 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", - "waf": "공연" + "text": "Azure Bot Service는 글로벌 및 지역 서비스 모두에 대해 활성-활성 모드로 실행됩니다. 중단이 발생하면 오류를 감지하거나 서비스를 관리할 필요가 없습니다. Azure Bot Service는 다중 지역 지리적 아키텍처에서 자동 장애 조치(failover) 및 자동 복구를 자동으로 수행합니다. EU 봇 지역 서비스의 경우 Azure Bot Service는 중복성을 보장하기 위해 활성/활성 복제가 있는 유럽 내 두 개의 전체 지역을 제공합니다. 
글로벌 봇 서비스의 경우 사용 가능한 모든 지역/지역을 글로벌 공간으로 제공할 수 있습니다.", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "SAP", + "checklist": "MySQL Review Checklist", + "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", + "service": "Azure MySQL", "severity": "보통", - "text": "데이터 유출을 방지하려면 Azure Private Link를 사용하여 Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory 등과 같은 PaaS(Platform as a Service) 리소스에 안전하게 액세스합니다. Azure 프라이빗 엔드포인트는 VNet과 Azure Storage, Azure Backup 등과 같은 서비스 간의 트래픽을 보호하는 데도 도움이 될 수 있습니다. VNet과 프라이빗 엔드포인트 사용 서비스 간의 트래픽은 Microsoft 글로벌 네트워크를 통해 이동하므로 공용 인터넷에 노출되지 않습니다.", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", - "waf": "안전" + "text": "유연한 서버 활용", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", - "service": "SAP", + "checklist": "MySQL Review Checklist", + "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", + "service": "Azure MySQL", "severity": "높다", - "text": "SAP 애플리케이션 및 DBMS 계층에 사용되는 VM에서 Azure 가속 네트워킹이 사용하도록 설정되어 있는지 확인합니다.", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "공연" + "text": "지역적으로 적용 가능한 경우 가용 영역 활용Leverage Availability Zones where regionally applicable", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", - "link": 
"https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", - "service": "SAP", + "checklist": "MySQL Review Checklist", + "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", + "service": "Azure MySQL", "severity": "보통", - "text": "Azure Load Balancer에 대한 내부 배포가 DSR(Direct Server Return)을 사용하도록 설정되어 있는지 확인합니다. 이 설정(유동 IP 사용)은 DBMS 계층의 고가용성 구성에 내부 부하 분산 장치 구성을 사용할 때 대기 시간을 줄입니다.", - "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "안전" + "text": "지역 간 DR 시나리오에 입력 데이터 복제 활용", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "6791f893-5ada-4433-84e1-3811523181aa", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "SAP", - "severity": "보통", - "text": "ASG(애플리케이션 보안 그룹) 및 NSG 규칙을 사용하여 SAP 애플리케이션과 DBMS 계층 간에 네트워크 보안 액세스 제어 목록을 정의할 수 있습니다. 
ASG는 보안을 관리하는 데 도움이 되도록 가상 머신을 그룹화합니다.", - "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", - "waf": "안전" + "checklist": "Azure Function Review", + "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", + "severity": "높다", + "text": "비즈니스 및 SLO 요구 사항에 따라 올바른 기능 호스팅 계획을 선택하십시오.", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "checklist": "Azure Function Review", + "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", "severity": "높다", - "text": "피어링되지 않은 다른 Azure VNet에 SAP 애플리케이션 계층 및 SAP DBMS를 배치하는 것은 지원되지 않습니다.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "공연" + "text": "지역적으로 적용 가능한 가용성 영역 활용(소비 계층에는 사용할 수 없음)", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "fa96c96a-d885-418f-9827-34c886ba2802", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "checklist": "Azure Function Review", + "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", + "service": "Azure Functions", "severity": "보통", - "text": "SAP 애플리케이션에서 네트워크 대기 시간을 최적화하려면 Azure 근접 배치 그룹을 사용하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", - "waf": "공연" + "text": "중요한 워크로드에 대한 지역 간 DR 전략 고려", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - 
"guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "checklist": "Azure Function Review", + "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Azure Functions", "severity": "높다", - "text": "온-프레미스와 Azure 간에 분할된 SAP 애플리케이션 서버 계층 및 DBMS 계층을 실행하는 것은 전혀 지원되지 않습니다. 두 계층 모두 온-프레미스 또는 Azure에 완전히 상주해야 합니다.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "공연" + "text": "격리된 환경에 배포하는 경우 ASE(App Service Environment) v3을 사용하거나 마이그레이션합니다", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", - "severity": "높다", - "text": "계층 간의 과도한 네트워크 트래픽으로 인해 발생할 수 있는 상당한 비용 때문에 다른 VNet에서 SAP 시스템의 DBMS(데이터베이스 관리 시스템) 및 애플리케이션 계층을 호스트하고 VNet 피어링과 연결하는 것은 권장되지 않습니다. 
Azure 가상 네트워크 내에서 서브넷을 사용하여 SAP 애플리케이션 계층과 DBMS 계층을 분리하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "비용" - }, - { - "checklist": "SAP Checklist", - "guid": "402a9846-d515-4061-aff8-cd30088693fa", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", - "service": "SAP", + "checklist": "Azure Function Review", + "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "Azure Functions", "severity": "높다", - "text": "Linux 게스트 운영 체제에서 Load Balancer를 사용하는 경우 Linux 네트워크 매개 변수 net.ipv4.tcp_timestamps가 0으로 설정되어 있는지 확인합니다.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "공연" + "text": "App Service 계획에서 실행되는 모든 함수 앱에 대해 'Always On'이 사용하도록 설정되어 있는지 확인합니다.", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "87585797-5551-4d53-bb7d-a94ee415734d", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", - "service": "SAP", + "checklist": "Azure Function Review", + "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", + "service": "Azure Functions", "severity": "보통", - "text": "SAP RISE/ECS 배포의 경우 가상 피어링은 고객의 기존 Azure 환경과의 연결을 설정하는 기본 방법입니다. SAP vnet과 고객 vnet은 모두 NSG(네트워크 보안 그룹)로 보호되므로 vnet 피어링을 통해 SAP 및 데이터베이스 포트에서 통신할 수 있습니다", - "waf": "안전" - }, - { - "checklist": "SAP Checklist", - "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", - "severity": "높다", - "text": "Azure VM에 대한 SAP HANA 데이터베이스 백업을 검토합니다.", - "waf": "비용" + "text": "함수 앱을 자체 스토리지 계정에 페어링합니다. 
긴밀하게 결합되지 않는 한 함수 앱에 대한 스토리지 계정을 다시 사용하지 마세요", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", + "checklist": "Azure Function Review", + "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "Azure Functions", "severity": "보통", - "text": "SAP에 사용되는 Site Recovery 기본 제공 모니터링을 검토합니다.", - "waf": "비용" - }, - { - "checklist": "SAP Checklist", - "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", - "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", - "service": "SAP", - "severity": "높다", - "text": "SAP HANA 시스템 환경 모니터링 지침을 검토합니다.", + "text": "Azure DevOps 또는 GitHub를 활용하여 CI/CD를 간소화하고 함수 앱 코드를 보호합니다.", "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", - "service": "SAP", + "checklist": "Azure Application Delivery Networking", + "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Front Door", "severity": "보통", - "text": "Azure Linux VM 백업 전략에서 Oracle Database를 검토합니다.", + "text": "Azure Front Door에서 고객 관리형 TLS 인증서를 사용하는 경우 '최신' 인증서 버전을 사용합니다. 
수동 인증서 갱신으로 인한 중단 위험 감소", "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", - "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", - "service": "SAP", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", + "guid": "553585a6-abe0-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "App Gateway", "severity": "보통", - "text": "SQL Server 2016에서 Azure Blob Storage 사용을 검토합니다.", - "waf": "작업" + "text": "Application Gateway v2 SKU를 사용하고 있는지 확인합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", - "service": "SAP", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", + "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Load Balancer", "severity": "보통", - "text": "Azure VM에 대한 자동화된 Backup v2 사용을 검토합니다.", - "waf": "작업" - }, - { - "checklist": "SAP Checklist", - "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", - "service": "SAP", - "severity": "높다", - "text": "프리미엄 디스크(V1)를 사용할 때 M 시리즈에 쓰기 가속기 사용Enabling Write accelerator for M series when using premium disks(V1)", - "waf": "작업" + "text": "Azure Load Balancer에 표준 SKU를 사용하고 있는지 확인합니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": 
"b96512cf-996f-4b17-b9b8-6b16db1a2a94", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "service": "SAP", + "checklist": "Azure Application Delivery Networking", + "guid": "9432621a-8397-4654-a882-5bc856b7ef83", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", + "service": "Load Balancer", "severity": "보통", - "text": "가용성 영역 대기 시간을 테스트합니다.", - "waf": "공연" + "text": "Load Balancer 프런트 엔드 IP 주소가 영역 중복인지 확인합니다(영역 프런트 엔드가 필요하지 않은 경우).", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", - "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", - "service": "SAP", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", + "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "App Gateway", "severity": "보통", - "text": "모든 SAP 구성 요소에 대해 SAP EarlyWatch Alert를 활성화합니다.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", - "waf": "공연" + "text": "Application Gateway v2는 IP 접두사가 /24보다 크거나 같은 서브넷에 
배포해야 합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", - "service": "SAP", + "checklist": "Azure Application Delivery Networking", + "description": "일반적으로 역방향 프록시 및 특히 WAF의 관리는 네트워킹보다 애플리케이션에 더 가깝기 때문에 앱과 동일한 구독에 속합니다. 연결 구독에서 Application Gateway 및 WAF를 중앙 집중화하는 것은 단일 팀에서 관리하는 경우 괜찮을 수 있습니다.", + "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", "severity": "보통", - "text": "SAP ABAPMeter 보고서 /SSA/CAT를 사용하여 SAP 애플리케이션 서버-데이터베이스 서버 대기 시간을 검토합니다.", - "training": "https://me.sap.com/notes/0002879613", - "waf": "공연" + "text": "랜딩 영역 가상 네트워크 내에서 그리고 보안 중인 앱을 사용하여 인바운드 HTTP(S) 연결을 프록시하는 데 사용되는 Azure Application Gateway v2 또는 파트너 NVA를 배포합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", - "service": "SAP", + "checklist": "Azure Application Delivery Networking", + "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", "severity": "보통", - "text": "CCMS를 사용하여 SQL Server 성능 모니터링을 검토합니다.", - "waf": "공연" + "text": "애플리케이션 랜딩 존의 모든 공용 IP 주소에 대해 DDoS 네트워크 또는 IP 보호 계획을 사용합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", - "link": "https://me.sap.com/notes/500235", - "service": "SAP", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 
'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", + "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", + "service": "App Gateway", "severity": "보통", - "text": "SAP 애플리케이션 계층 VM과 DBMS VM(NIPING) 간의 네트워크 대기 시간을 테스트합니다.", - "training": "https://me.sap.com/notes/1100926/E", - "waf": "공연" + "text": "최소 인스턴스 수를 2개로 자동 크기 조정을 구성합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", - "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", - "service": "SAP", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", + "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", + "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", + "service": "App Gateway", "severity": "보통", - "text": "SAP HANA Studio 경고를 검토합니다.", - "waf": "공연" + "text": "가용성 영역에 Application Gateway 배포", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", - "link": "https://me.sap.com/notes/1969700", - "service": "SAP", + "checklist": "Azure Application Delivery Networking", + "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Front Door", "severity": "보통", - "text": "HANA_Configuration_Minichecks를 사용하여 SAP HANA 상태 검사를 수행합니다.", - "waf": "공연" + "text": "WAF 정책과 함께 Azure 
Front Door를 사용하여 여러 Azure 지역에 걸쳐 있는 글로벌 HTTP/S 앱을 제공하고 보호할 수 있습니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "checklist": "Azure Application Delivery Networking", + "guid": "3f29812b-2363-4cef-b179-b599de0d5973", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "Front Door", "severity": "보통", - "text": "Azure, 온-프레미스 또는 기타 클라우드 환경에서 Windows 및 Linux VM을 실행하는 경우 Azure Automation의 업데이트 관리 센터를 사용하여 보안 패치를 포함한 운영 체제 업데이트를 관리할 수 있습니다.", - "training": "https://learn.microsoft.com/azure/automation/update-management/overview", + "text": "Front Door 및 Application Gateway를 사용하여 HTTP/S 앱을 보호하는 경우 Front Door에서 WAF 정책을 사용합니다. Front Door에서만 트래픽을 수신하도록 Application Gateway를 잠급니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "08951710-79a2-492a-adbc-06d7a401545b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", - "severity": "보통", - "text": "SAP는 SAP 시스템을 보호하기 위해 즉각적인 조치가 필요한 매우 중요한 보안 패치 또는 핫픽스를 릴리스하므로 SAP 보안 OSS 노트를 정기적으로 검토합니다.", - "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", - "waf": "안전" + "ammp": true, + "arm-service": "microsoft.network/trafficManagerProfiles", + "checklist": "Azure Application Delivery Networking", + "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Traffic Manager", + "severity": "높다", + "text": "Traffic Manager를 사용하여 HTTP/S 이외의 프로토콜에 걸쳐 있는 글로벌 앱을 제공합니다.", + "training": 
"https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", + "checklist": "Azure Application Delivery Networking", + "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", "severity": "낮다", - "text": "SQL Server SAP의 경우 SQL Server SAP 시스템에서 계정을 사용하지 않으므로 SQL Server 시스템 관리자 계정을 사용하지 않도록 설정할 수 있습니다. 원래 시스템 관리자 계정을 비활성화하기 전에 시스템 관리자 권한이 있는 다른 사용자가 서버에 액세스할 수 있는지 확인합니다.", + "text": "사용자가 내부 애플리케이션에만 액세스해야 하는 경우 Microsoft Entra ID 애플리케이션 프록시가 AVD(Azure Virtual Desktop)의 대안으로 고려되었나요?", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", - "severity": "높다", - "text": "xp_cmdshell 비활성화합니다. SQL Server 기능 xp_cmdshell SQL Server 내부 운영 체제 명령 셸을 사용할 수 있습니다. 
이는 보안 감사에서 발생할 수 있는 잠재적 위험입니다.", - "training": "https://me.sap.com/notes/3019299/E", + "checklist": "Azure Application Delivery Networking", + "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", + "severity": "보통", + "text": "네트워크에서 들어오는 연결에 대해 열려 있는 방화벽 포트 수를 줄이려면 Microsoft Entra ID 애플리케이션 프록시를 사용하여 원격 사용자에게 내부 애플리케이션에 대한 안전하고 인증된 액세스를 제공하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "ae248989-b306-4591-9186-de482e3f0f0e", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "Front Door", "severity": "높다", - "text": "Azure에서 SAP HANA 데이터베이스 서버를 암호화하는 데는 SAP HANA 네이티브 암호화 기술이 사용됩니다. 
또한 Azure에서 SQL Server를 사용하는 경우 TDE(투명한 데이터 암호화)를 사용하여 데이터 및 로그 파일을 보호하고 백업도 암호화되도록 합니다.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "text": "'방지' 모드에서 Front Door에 대한 WAF 정책을 배포합니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "SAP", - "severity": "보통", - "text": "Azure Storage 암호화는 모든 Azure Resource Manager 및 클래식 스토리지 계정에 대해 사용하도록 설정되며 사용하지 않도록 설정할 수 없습니다. 데이터는 기본적으로 암호화되므로 Azure Storage 암호화를 사용하기 위해 코드 또는 애플리케이션을 수정할 필요가 없습니다.", - "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "Front Door", + "severity": "높다", + "text": "Azure Traffic Manager와 Azure Front Door를 결합하지 마세요.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "SAP", + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "Front Door", "severity": "높다", - "text": "Azure Key Vault를 사용하여 비밀 및 자격 증명 저장", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "text": "Azure Front Door 및 원본에서 동일한 도메인 이름을 사용합니다. 
호스트 이름이 일치하지 않으면 미묘한 버그가 발생할 수 있습니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "829e2edb-2173-4676-aff6-691b4935ada4", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "SAP", - "severity": "보통", - "text": "무단 변경으로부터 보호하기 위해 성공적인 배포 후 Azure 리소스를 잠그는 것이 좋습니다. 사용자 지정된 Azure 정책(Custome 역할)을 사용하여 구독별로 LOCK 제약 조건 및 규칙을 적용할 수도 있습니다.", - "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", - "waf": "안전" + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", + "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "Front Door", + "severity": "낮다", + "text": "Azure Front Door 원본 그룹에 원본이 하나만 있는 경우 상태 프로브를 사용하지 않도록 설정합니다.", + "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "SAP", + "checklist": "Azure Application Delivery Networking", + "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", + "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "Front Door", "severity": "보통", - "text": "삭제된 개체에 대한 보존 보호를 허용하기 위해 일시 삭제 및 제거 정책을 사용하도록 설정된 Azure Key Vault를 프로비전합니다.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "안전" + "text": "Azure Front Door에 대한 양호한 상태 프로브 엔드포인트를 선택합니다. 애플리케이션의 모든 종속성을 확인하는 상태 엔드포인트를 빌드하는 것이 좋습니다.", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", - "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", - "service": "SAP", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", + "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "Front Door", + "severity": "낮다", + "text": "Azure Front Door와 함께 HEAD 상태 프로브를 사용하여 Front Door가 애플리케이션으로 보내는 트래픽을 줄입니다.", + "waf": "공연" + }, + { + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", + "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "Load Balancer", "severity": "높다", - "text": "기존 요구 사항에 따라 규정 및 규정 준수 제어(내부/외부) - 필요한 Azure 정책 및 Azure RBAC 역할 결정", - "training": 
"https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", - "waf": "안전" + "text": "SNAT 확장성 향상을 위해 Load Balancer 아웃바운드 규칙 대신 Azure NAT Gateway 사용", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", + "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "Front Door", "severity": "높다", - "text": "SAP 환경에서 엔드포인트용 Microsoft Defender 사용하도록 설정하는 경우 모든 서버를 대상으로 하는 대신 DBMS 서버에서 데이터 및 로그 파일을 제외하는 것이 좋습니다. 대상 파일을 제외할 때 DBMS 공급업체의 권장 사항을 따릅니다.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", - "waf": "안전" + "text": "Azure Front Door에서 관리형 TLS 인증서를 사용합니다. 
운영 비용을 줄이고 인증서 갱신으로 인한 중단 위험을 줄입니다.", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", - "service": "SAP", + "checklist": "Azure Application Delivery Networking", + "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", + "service": "Front Door", + "severity": "보통", + "text": "Azure Front Door WAF 구성을 코드로 정의합니다. 코드를 사용하면 새 규칙 집합 버전을 보다 쉽게 채택하고 추가 보호를 얻을 수 있습니다.", + "waf": "작업" + }, + { + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", + "service": "Front Door", "severity": "높다", - "text": "클라우드용 Microsoft Defender의 Just-In-Time 액세스 권한이 있는 SAP 관리자 사용자 지정 역할을 위임합니다.", - "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "text": "Azure Front Door에서 엔드투엔드 TLS를 사용합니다. 
클라이언트에서 Front Door로, Front Door에서 원본으로 연결하는 데 TLS를 사용합니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "낮다", - "text": "타사 보안 제품을 DIAG(SAP GUI)용 SNC(Secure Network Communications), RFC 및 HTTPS용 SPNEGO와 통합하여 전송 중인 데이터를 암호화합니다.", - "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", + "checklist": "Azure Application Delivery Networking", + "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", + "service": "Front Door", + "severity": "보통", + "text": "Azure Front Door에서 HTTP에서 HTTPS로 리디렉션을 사용합니다. 이전 클라이언트를 HTTPS 요청으로 자동 리디렉션하여 지원합니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", - "service": "SAP", - "severity": "보통", - "text": "보안 주체 암호화 기능을 위해 기본적으로 Microsoft 관리형 키를 사용하고 필요한 경우 고객 관리형 키를 사용합니다.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", + "service": "Front Door", + "severity": "높다", + "text": "Azure Front Door WAF를 사용하도록 설정합니다. 
다양한 공격으로부터 애플리케이션을 보호합니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "4935ada4-2223-4ece-a1b1-23181a541741", - "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", - "service": "SAP", + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", + "service": "Front Door", "severity": "높다", - "text": "애플리케이션, 환경, 지역당 Azure Key Vault를 사용합니다.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "text": "워크로드에 맞게 Azure Front Door WAF를 튜닝합니다. 가양성 탐지를 줄입니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", - "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", - "service": "SAP", + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "Front Door", "severity": "높다", - "text": "비 HANA Windows 및 비 Windows 운영 체제에 대한 디스크 암호화 키 및 비밀을 제어하고 관리하려면 Azure Key Vault를 사용합니다. 
SAP HANA는 Azure Key Vault에서 지원되지 않으므로 SAP ABAP 또는 SSH 키와 같은 대체 방법을 사용해야 합니다.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", + "text": "Azure Front Door WAF 정책에서 요청 본문 검사 기능을 사용하도록 설정합니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "209d490d-a477-4784-84d1-16785d2fa56c", - "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", - "service": "SAP", + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", + "service": "Front Door", "severity": "높다", - "text": "실수로 인한 네트워크 관련 변경을 방지하기 위해 Azure의 SAP 스포크 구독에 대한 RBAC(역할 기반 액세스 제어) 역할 사용자 지정", - "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", + "text": "Azure Front Door WAF 기본 규칙 집합을 사용하도록 설정합니다. 기본 규칙 집합은 일반적인 공격을 탐지하고 차단합니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", - "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", - "service": "SAP", + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", + "service": "Front Door", "severity": "높다", - "text": "나머지 SAP 자산에서 DMZ 및 NVA를 격리하고, Azure Private Link를 구성하고, Azure의 SAP 리소스를 안전하게 관리 및 제어합니다", - "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", + "text": "Azure Front Door WAF 봇 보호 규칙 집합을 사용하도록 설정합니다. 
봇 규칙은 좋은 봇과 나쁜 봇을 감지합니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", - "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "service": "SAP", - "severity": "낮다", - "text": "Azure에서 Microsoft 맬웨어 방지 소프트웨어를 사용하여 악성 파일, 애드웨어 및 기타 위협으로부터 가상 머신을 보호하는 것이 좋습니다.", - "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", + "checklist": "Azure Application Delivery Networking", + "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", + "service": "Front Door", + "severity": "보통", + "text": "최신 Azure Front Door WAF 규칙 집합 버전을 사용합니다. 규칙 집합 업데이트는 현재 위협 환경을 고려하기 위해 정기적으로 업데이트됩니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", - "service": "SAP", - "severity": "낮다", - "text": "더욱 강력한 보호를 위해 엔드포인트용 Microsoft Defender 사용하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", + "checklist": "Azure Application Delivery Networking", + "guid": "b9620385-1cde-418f-914b-a84a06982ffc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", + "service": "Front Door", + "severity": "보통", + "text": "Azure Front Door WAF에 속도 제한을 추가합니다. 
속도 제한은 클라이언트가 실수로 또는 의도적으로 짧은 시간에 많은 양의 트래픽을 보내는 것을 차단합니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", - "severity": "높다", - "text": "가상 네트워크 피어링을 통해 스포크 네트워크에 연결된 허브 가상 네트워크를 통해 모든 트래픽을 전달하여 SAP 애플리케이션 및 데이터베이스 서버를 인터넷 또는 온-프레미스 네트워크에서 격리합니다. 피어링된 가상 네트워크는 Azure의 SAP 솔루션이 공용 인터넷에서 격리되도록 보장합니다.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", + "checklist": "Azure Application Delivery Networking", + "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", + "service": "Front Door", + "severity": "보통", + "text": "Azure Front Door WAF 속도 제한에 높은 임계값을 사용합니다. 높은 속도 제한 임계값은 합법적인 트래픽 차단을 방지하는 동시에 인프라를 압도할 수 있는 매우 많은 수의 요청에 대한 보호 기능을 제공합니다. ", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "checklist": "Azure Application Delivery Networking", + "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", + "service": "Front Door", "severity": "낮다", - "text": "SAP Fiori와 같은 인터넷 연결 애플리케이션의 경우 보안 수준을 유지하면서 애플리케이션 요구 사항에 따라 부하를 분산해야 합니다. 
계층 7 보안의 경우 Azure Marketplace에서 사용할 수 있는 타사 WAF(Web Application Firewall)를 사용할 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", + "text": "모든 지역에서 트래픽이 발생하지 않을 것으로 예상되는 경우 지역 필터를 사용하여 예상하지 못한 국가의 트래픽을 차단합니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", - "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", - "service": "SAP", - "severity": "보통", - "text": "SAP용 Azure Monitor 솔루션에서 보안 통신을 사용하도록 설정하려면 루트 인증서 또는 서버 인증서를 사용하도록 선택할 수 있습니다. 루트 인증서를 사용하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "checklist": "Azure Application Delivery Networking", + "guid": "00acd8a9-6975-414f-8491-2be6309893b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", + "service": "Front Door", + "severity": "보통", + "text": "Azure Front Door WAF를 사용하여 트래픽을 지리적으로 필터링할 때 알 수 없는(ZZ) 위치를 지정합니다. 
IP 주소를 지리적으로 일치시킬 수 없는 경우 합법적인 요청을 실수로 차단하지 않도록 합니다.", "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", - "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", - "service": "AKS", - "severity": "낮다", - "text": "AKS Windows 워크로드에 필요한 경우 HostProcess 컨테이너를 사용할 수 있습니다.", - "waf": "신뢰도" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", + "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", + "service": "App Gateway", + "severity": "높다", + "text": "Azure Application Gateway WAF 봇 보호 규칙 집합 사용Enable the Azure Application Gateway WAF bot protection rule set 봇 규칙은 좋은 봇과 나쁜 봇을 검색합니다.", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", - "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", - "service": "AKS", - "severity": "낮다", - "text": "이벤트 기반 워크로드를 실행하는 경우 KEDA 사용Use KEDA if running event-driven workloads", - "waf": "공연" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "App Gateway", + "severity": "높다", + "text": "Azure Application Gateway WAF 정책에서 요청 본문 검사 기능을 사용하도록 설정합니다.", + "waf": "안전" }, { - 
"arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", - "link": "https://dapr.io/", - "service": "AKS", - "severity": "낮다", - "text": "Dapr을 사용하여 마이크로 서비스 개발 용이", - "waf": "작업" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", + "service": "App Gateway", + "severity": "높다", + "text": "워크로드에 대한 Azure Application Gateway WAF를 조정합니다. 가양성 탐지를 줄입니다.", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", - "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", - "link": "https://learn.microsoft.com/azure/aks/uptime-sla", - "service": "AKS", + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "App Gateway", "severity": "높다", - "text": "SLA 지원 AKS 제품 사용", - "waf": "신뢰도" + "text": "'방지' 모드에서 Application Gateway에 대한 WAF 정책을 배포합니다.", + "waf": "안전" }, { - "arm-service": 
"microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", - "severity": "낮다", - "text": "Pod 및 배포 정의에서 중단 예산 사용Use Disruption Budgets in your pod and deployment definitions", - "waf": "신뢰도" + "checklist": "Azure Application Delivery Networking", + "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", + "service": "App Gateway", + "severity": "보통", + "text": "Azure Application Gateway WAF에 속도 제한을 추가합니다. 속도 제한은 클라이언트가 실수로 또는 의도적으로 짧은 시간에 많은 양의 트래픽을 보내는 것을 차단합니다.", + "waf": "안전" }, { - "checklist": "Azure AKS Review", - "guid": "3c763963-7a55-42d5-a15e-401955387e5c", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", - "service": "ACR", - "severity": "높다", - "text": "개인 레지스트리를 사용하는 경우 여러 지역에 이미지를 저장하도록 지역 복제를 구성합니다", - "waf": "신뢰도" + "checklist": "Azure Application Delivery Networking", + "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", + "service": "App Gateway", + "severity": "보통", + "text": "Azure Application Gateway WAF 속도 제한에 높은 임계값을 사용합니다. 높은 속도 제한 임계값은 합법적인 트래픽 차단을 방지하는 동시에 인프라를 압도할 수 있는 매우 많은 수의 요청에 대한 보호 기능을 제공합니다. 
", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", - "service": "AKS", + "checklist": "Azure Application Delivery Networking", + "guid": "99937189-ff78-492a-b9ca-18d828d82b37", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", + "service": "App Gateway", "severity": "낮다", - "text": "kubecost와 같은 외부 애플리케이션을 사용하여 다른 사용자에게 비용 할당", - "waf": "비용" + "text": "모든 지역에서 트래픽이 발생하지 않을 것으로 예상되는 경우 지역 필터를 사용하여 예상하지 못한 국가의 트래픽을 차단합니다.", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", - "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", - "service": "AKS", - "severity": "낮다", - "text": "축소 모드를 사용하여 노드 삭제/할당 취소", - "waf": "비용" + "checklist": "Azure Application Delivery Networking", + "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", + "service": "App Gateway", + "severity": "보통", + "text": "Azure Application Gateway WAF를 사용하여 트래픽을 지리적으로 필터링할 때 알 수 없는(ZZ) 위치를 지정합니다. 
IP 주소를 지리적으로 일치시킬 수 없는 경우 합법적인 요청을 실수로 차단하지 않도록 합니다.", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", - "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", - "service": "AKS", + "checklist": "Azure Application Delivery Networking", + "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", + "service": "App Gateway", "severity": "보통", - "text": "필요한 경우 AKS 클러스터에서 다중 인스턴스 분할 GPU 사용", - "waf": "비용" + "text": "최신 Azure Application Gateway WAF 규칙 집합 버전을 사용합니다. 규칙 집합 업데이트는 현재 위협 환경을 고려하기 위해 정기적으로 업데이트됩니다.", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", - "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", - "service": "AKS", - "severity": "낮다", - "text": "개발/테스트 클러스터를 실행하는 경우 NodePool 시작/중지를 사용합니다.", - "waf": "비용" + "checklist": "Azure Application Delivery Networking", + "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "App Gateway", + "severity": "보통", + "text": "진단 설정을 추가하여 Azure Application Gateway WAF 로그를 저장합니다.", + "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", - "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", - "service": "AKS", + "checklist": "Azure 
Application Delivery Networking", + "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "Front Door", "severity": "보통", - "text": "Kubernetes용 Azure Policy를 사용하여 클러스터 규정 준수 보장", - "waf": "안전" + "text": "진단 설정을 추가하여 Azure Front Door WAF 로그를 저장합니다.", + "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", - "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", + "checklist": "Azure Application Delivery Networking", + "guid": "92664c60-47e3-4591-8b1b-8d557656e686", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", + "service": "App Gateway", "severity": "보통", - "text": "사용자/시스템 노드 풀이 있는 컨트롤 플레인에서 응용 프로그램 분리", - "waf": "안전" + "text": "Azure Application Gateway WAF 로그를 Microsoft Sentinel로 보냅니다.", + "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", - "severity": "낮다", - "text": "시스템 nodepool에 taint를 추가하여 전용으로 만듭니다.", - "waf": "안전" + "checklist": "Azure Application Delivery Networking", + "guid": "845f5f91-9c21-4674-a725-5ce890850e20", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "Front Door", + "severity": "보통", + "text": "Azure Front Door WAF 로그를 Microsoft 
Sentinel로 보냅니다.",
+ "waf": "작업"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf",
- "link": "https://learn.microsoft.com/azure/container-registry/",
- "service": "AKS",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code",
+ "service": "App Gateway",
 "severity": "보통",
- "text": "이미지에 개인 레지스트리(예: ACR) 사용",
- "waf": "안전"
+ "text": "Azure Application Gateway WAF 구성을 코드로 정의합니다. 코드를 사용하면 새 규칙 집합 버전을 보다 쉽게 채택하고 추가 보호를 얻을 수 있습니다.",
+ "waf": "작업"
 },
 {
- "checklist": "Azure AKS Review",
- "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6",
- "link": "https://learn.microsoft.com/azure/security-center/container-security",
- "service": "ACR",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview",
+ "service": "App Gateway",
 "severity": "보통",
- "text": "이미지에서 취약성 검사",
- "waf": "안전"
+ "text": "레거시 WAF 구성 대신 WAF 정책을 사용합니다.",
+ "waf": "작업"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation",
- "service": "AKS",
- "severity": "높다",
- "text": "앱 분리 요구 사항 정의(네임스페이스/노드 풀/클러스터)",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway",
+ "service": "App Gateway",
+ "severity": "보통",
+ "text": "Application Gateway 서브넷의 연결(예: NSG 사용)만 허용하도록 백 엔드에서 인바운드 트래픽을 필터링합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e",
- "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure",
- "service": "AKS",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1",
+ "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions",
+ "service": "Front Door",
 "severity": "보통",
- "text": "CSI 비밀 저장소 드라이버를 사용하여 Azure Key Vault에 비밀 저장",
+ "text": "원본이 Azure Front Door 인스턴스의 트래픽만 가져와야 합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66",
- "link": "https://learn.microsoft.com/azure/aks/update-credentials",
- "service": "AKS",
- "severity": "높다",
- "text": "클러스터에 서비스 주체를 사용하는 경우 주기적으로(예: 분기별) 자격 증명을 새로 고칩니다",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2",
+ "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview",
+ "service": "App Gateway",
+ "severity": "높다",
+ "text": "백 엔드 서버에 대한 트래픽을 암호화해야 합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "e7ba73a3-0508-4f80-806f-527db30cee96",
- "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption",
- "service": "AKS",
- "severity": "보통",
- "text": "필요한 경우 키 관리 서비스 etcd 암호화를 추가합니다.",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/overview",
+ "service": "App Gateway",
+ "severity": "높다",
+ "text": "웹 응용 프로그램 방화벽을 사용해야 합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31",
- "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview",
- "service": "AKS",
- "severity": "낮다",
- "text": "필요한 경우 AKS용 기밀 컴퓨팅을 사용하는 것이 좋습니다.",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2",
+ "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview",
+ "service": "App Gateway",
+ "severity": "보통",
+ "text": "HTTP를 HTTPS로 리디렉션",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable",
- "service": "AKS",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f",
+ "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request",
+ "service": "App Gateway",
 "severity": "보통",
- "text": "컨테이너용 Defender 사용 고려",
- "waf": "안전"
+ "text": "게이트웨이 관리 쿠키를 사용하여 처리를 위해 사용자 세션에서 동일한 서버로 트래픽을 전달합니다.",
+ "waf": "작업"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant",
- "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a",
- "link": "https://learn.microsoft.com/azure/aks/use-managed-identity",
- "service": "AKS",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35",
+ "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings",
+ "service": "App Gateway",
 "severity": "높다",
- "text": "서비스 주체 대신 관리 ID 사용",
+ "text": "계획된 서비스 업데이트 중에 연결 드레이닝을 사용하도록 설정하여 백 엔드 풀의 기존 멤버에 대한 연결 손실을 방지합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant",
- "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4",
- "link": "https://learn.microsoft.com/azure/aks/managed-aad",
- "service": "AKS",
- "severity": "보통",
- "text": "AAD와 인증 통합(관리형 통합 사용)",
- "waf": "안전"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5",
+ "link": "https://learn.microsoft.com/azure/application-gateway/custom-error",
+ "service": "App Gateway",
+ "severity": "낮다",
+ "text": "사용자 지정 오류 페이지를 만들어 개인화된 사용자 환경 표시",
+ "waf": "작업"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "a2fe27b2-e287-401a-8352-beedf79b488d",
- "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access",
- "service": "AKS",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1",
+ "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url",
+ "service": "App Gateway",
 "severity": "보통",
- "text": "관리자 kubeconfig에 대한 액세스 제한(get-credentials --admin)",
+ "text": "HTTP 요청 및 응답 헤더를 편집하여 클라이언트와 서버 간의 라우팅 및 정보 교환을 보다 쉽게 할 수 있습니다.",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3",
- "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac",
- "service": "AKS",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1",
+ "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
+ "service": "App Gateway",
 "severity": "보통",
- "text": "AAD RBAC와 권한 부여 통합",
- "waf": "안전"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity",
- "service": "AKS",
- "severity": "높다",
- "text": "쿠버네티스에서 RBAC 권한을 제한하기 위해 네임스페이스 사용",
- "waf": "안전"
+ "text": "빠른 글로벌 장애 조치(failover)를 통해 글로벌 웹 트래픽 라우팅 및 최상위 계층 최종 사용자 성능 및 안정성을 최적화하도록 Front Door 구성",
+ "waf": "공연"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410",
- "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar",
- "service": "AKS",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "29dcc19f-a8fa-4c35-8281-290577538793",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
+ "service": "App Gateway",
 "severity": "보통",
- "text": "Pod ID 액세스 관리의 경우 Azure AD 워크로드 ID(미리 보기)를 사용합니다.",
- "waf": "안전"
+ "text": "전송 계층 부하 분산 사용Use transport layer load balancing",
+ "waf": "공연"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3",
- "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin",
- "service": "AKS",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d",
+ "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview",
+ "service": "App Gateway",
 "severity": "보통",
- "text": "AKS 비대화형 로그인의 경우 kubelogin(미리 보기)을 사용합니다.",
+ "text": "단일 게이트웨이에서 여러 웹 응용 프로그램에 대한 호스트 또는 도메인 이름을 기반으로 라우팅 구성Configure routing based on host or domain name for multiple web applications on a single gateway",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant",
- "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec",
- "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts",
- "service": "AKS",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2",
+ "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal",
+ "service": "App Gateway",
 "severity": "보통",
- "text": "AKS 로컬 계정 사용 안 함",
- "waf": "안전"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6",
- "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks",
- "service": "AKS",
- "severity": "낮다",
- "text": "필요한 경우 Just-in-time 클러스터 액세스 구성",
- "waf": "안전"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150",
- "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks",
- "service": "AKS",
- "severity": "낮다",
- "text": "AKS에 필요한 경우 AAD 조건부 액세스 구성",
+ "text": "SSL 인증서 관리를 중앙 집중화하여 백엔드 서버 팜의 암호화 및 암호 해독 오버헤드를 줄입니다.",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3",
- "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts",
- "service": "AKS",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9",
+ "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket",
+ "service": "App Gateway",
 "severity": "낮다",
- "text": "Windows AKS 워크로드에 필요한 경우 gMSA를 구성합니다. ",
- "waf": "안전"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "1f711a74-3672-470b-b8b8-a2148d640d79",
- "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity",
- "service": "AKS",
- "severity": "보통",
- "text": "더 세밀하게 제어하려면 관리형 Kubelet ID를 사용하는 것이 좋습니다.",
+ "text": "WebSocket 및 HTTP/2 프로토콜에 대한 기본 지원을 위해 Application Gateway 사용",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248",
- "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/",
- "service": "AKS",
- "severity": "보통",
- "text": "AGIC를 사용하는 경우 클러스터 간에 AppGW를 공유하지 마세요",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9",
+ "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare",
+ "service": "IoT Hub DPS",
+ "severity": "높다",
+ "text": "비즈니스 및 SLO 요구 사항에 따라 올바른 Logic App 호스팅 계획 선택Select the right Logic App hosting plan based on your business & SLO requirements",
 "waf": "신뢰도"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant",
- "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d",
- "link": "https://learn.microsoft.com/azure/aks/http-application-routing",
- "service": "AKS",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "f6dd7977-1123-4f39-b488-f91415a8430a",
+ "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
+ "service": "IoT Hub DPS",
 "severity": "높다",
- "text": "AKS HTTP 라우팅 추가 기능을 사용하지 말고, 애플리케이션 라우팅 추가 기능과 함께 관리되는 NGINX 수신을 대신 사용합니다.",
+ "text": "영역 중복 및 가용성 영역을 사용하여 지역 오류로부터 논리 앱 보호Protect logic apps from region failures with zone redundancy and availability zones",
 "waf": "신뢰도"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9",
- "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview",
- "service": "AKS",
- "severity": "보통",
- "text": "Windows 워크로드의 경우 가속화된 네트워킹을 사용합니다.",
- "waf": "공연"
+ "checklist": "Device Provisioning Service Review",
+ "guid": "8aed4fbf-0830-4883-899d-222a154af478",
+ "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
+ "service": "IoT Hub DPS",
+ "severity": "높다",
+ "text": "중요한 워크로드에 대한 지역 간 DR 전략 고려",
+ "waf": "신뢰도"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant",
- "guid": "ba7da7be-9952-4914-a384-5d997cb39132",
- "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
- "service": "AKS",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "da0f033e-d180-4f36-9aa4-c468dba14203",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
+ "service": "IoT Hub DPS",
 "severity": "높다",
- "text": "표준 ALB 사용(기본 ALB와 반대)",
+ "text": "격리된 환경에 배포하는 경우 ASE(App Service Environment) v3을 사용하거나 마이그레이션합니다",
 "waf": "신뢰도"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b",
- "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet",
- "service": "AKS",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1",
+ "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
+ "service": "IoT Hub DPS",
 "severity": "보통",
- "text": "Azure CNI를 사용하는 경우 NodePools에 다른 서브넷을 사용하는 것이 좋습니다.",
- "waf": "안전"
+ "text": "Azure DevOps 또는 GitHub를 활용하여 CI/CD를 간소화하고 논리 앱 코드를 보호합니다.",
+ "waf": "작업"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584",
- "link": "https://learn.microsoft.com/azure/private-link/private-link-overview",
- "service": "AKS",
- "severity": "보통",
- "text": "프라이빗 엔드포인트(기본 설정) 또는 Virtual Network 서비스 엔드포인트를 사용하여 클러스터에서 PaaS 서비스에 액세스",
- "waf": "안전"
+ "checklist": "Cost Optimization Checklist",
+ "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models",
+ "service": "Azure Monitor",
+ "text": "Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview 의 데이터 수집 규칙",
+ "training": "https://azure.microsoft.com/pricing/reservations/",
+ "waf": "비용"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant",
- "guid": "a0f61565-9de5-458f-a372-49c831112dbd",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
- "service": "AKS",
- "severity": "높다",
- "text": "요구 사항에 가장 적합한 CNI 네트워크 플러그 인 선택(Azure CNI 권장)",
- "waf": "신뢰도"
+ "checklist": "Cost Optimization Checklist",
+ "guid": "45901365-d38e-443f-abcb-d868266abca2",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation",
+ "service": "Azure Backup",
+ "text": "기본 데이터 원본을 찾을 수 없는 백업 인스턴스 확인",
+ "waf": "비용"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6",
- "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
- "service": "AKS",
- "severity": "높다",
- "text": "Azure CNI를 사용하는 경우 노드당 최대 Pod 수를 고려하여 서브넷 크기를 적절하게 조정합니다",
- "waf": "공연"
+ "checklist": "Cost Optimization Checklist",
+ "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse",
+ "service": "VM",
+ "text": "연결되지 않은 서비스(디스크, NIC, IP 주소 등) 삭제 또는 보관",
+ "waf": "비용"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673",
- "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
- "service": "AKS",
- "severity": "높다",
- "text": "Azure CNI를 사용하는 경우 최대 Pod/노드(기본값 30)를 확인합니다.",
- "waf": "공연"
+ "checklist": "Cost Optimization Checklist",
+ "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
+ "service": "Azure Backup",
+ "text": "중요 업무용 응용 프로그램에 대한 Site Recovery 저장소와 백업 간의 적절한 균형을 고려합니다.",
+ "waf": "비용"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "description": "내부 앱의 경우 조직은 방화벽에서 전체 AKS 서브넷을 여는 경우가 많습니다. 이렇게 하면 노드에 대한 네트워크 액세스도 열리고 잠재적으로 Pod에 대한 액세스도 열립니다(Azure CNI를 사용하는 경우). LoadBalancer IP가 다른 서브넷에 있는 경우 앱 클라이언트에서 이 IP만 사용할 수 있어야 합니다. 또 다른 이유는 AKS 서브넷의 IP 주소가 부족한 리소스인 경우 서비스에 해당 IP 주소를 사용하면 클러스터의 최대 확장성이 감소하기 때문입니다.",
- "guid": "13c00567-4b1e-4945-a459-c373e7ed6162",
- "link": "https://learn.microsoft.com/azure/aks/internal-lb",
- "service": "AKS",
- "severity": "낮다",
- "text": "개인 IP LoadBalancer 서비스를 사용하는 경우 AKS 서브넷이 아닌 전용 서브넷을 사용합니다",
- "waf": "안전"
+ "checklist": "Cost Optimization Checklist",
+ "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a",
+ "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts",
+ "service": "Azure Monitor",
+ "text": "40개의 서로 다른 로그 분석 작업 영역 간의 지출 및 절감 기회 확인 - 비프로덕션 작업 영역에 대해 서로 다른 보존 및 데이터 수집 사용-인식 및 계층 크기 조정을 위한 일일 한도 만들기 - 일일 한도를 설정하는 경우 한도에 도달할 때 경고를 만드는 것 외에도 특정 비율(예: 90%)에 도달했을 때 알림을 받을 경고 규칙도 만들어야 합니다. - 가능한 경우 작업 영역 변환 고려 - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes",
+ "waf": "비용"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba",
- "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
- "service": "AKS",
- "severity": "높다",
- "text": "그에 따라 서비스 IP 주소 범위의 크기를 조정합니다(클러스터 확장성이 제한됨).",
- "waf": "신뢰도"
+ "checklist": "Cost Optimization Checklist",
+ "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
+ "service": "Azure Monitor",
+ "text": "제거 로그 정책 및 자동화 적용(필요한 경우 로그를 콜드 스토리지로 이동할 수 있음)",
+ "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw",
+ "waf": "비용"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f",
- "link": "https://learn.microsoft.com/azure/aks/use-byo-cni",
- "service": "AKS",
- "severity": "낮다",
- "text": "필요한 경우 자체 CNI 플러그인을 추가합니다.",
- "waf": "안전"
+ "checklist": "Cost Optimization Checklist",
+ "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
+ "service": "VM",
+ "text": "디스크가 실제로 필요한지 확인하고, 그렇지 않은 경우 삭제하십시오. 필요한 경우 더 낮은 스토리지 계층을 찾거나 백업을 사용합니다.",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation",
+ "waf": "비용"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364",
- "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools",
- "service": "AKS",
- "severity": "낮다",
- "text": "필요한 경우 AKS에서 노드당 공용 IP 구성",
- "waf": "공연"
+ "checklist": "Cost Optimization Checklist",
+ "guid": "d1e44a19-659d-4395-afd7-7289b835556d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
+ "service": "Storage",
+ "text": "사용자 지정 규칙을 사용하여 사용하지 않는 스토리지를 하위 계층으로 이동하는 것이 좋습니다 - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
+ "waf": "비용"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db",
- "link": "https://learn.microsoft.com/azure/aks/concepts-network",
- "service": "AKS",
- "severity": "보통",
- "text": "수신 컨트롤러를 사용하여 LoadBalancer 유형 서비스를 사용하여 노출하는 대신 웹 기반 앱을 노출합니다",
- "waf": "신뢰도"
+ "checklist": "Cost Optimization Checklist",
+ "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "VM",
+ "text": "Advisor가 VM 올바른 크기 조정에 대해 구성되어 있는지 확인합니다. ",
+ "waf": "비용"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "ccb534e7-416e-4a1d-8e93-533b53199085",
- "link": "https://learn.microsoft.com/azure/aks/nat-gateway",
- "service": "AKS",
- "severity": "낮다",
- "text": "송신 트래픽 크기 조정을 위해 Azure NAT Gateway를 outboundType으로 사용",
- "waf": "신뢰도"
+ "checklist": "Cost Optimization Checklist",
+ "description": "Cost analysys에서 Meter Category Licenses를 검색하여 확인합니다.",
+ "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations",
+ "service": "VM",
+ "text": "모든 Windows VM에서 스크립트 실행 https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- Windows VM을 자주 만드는 경우 정책 구현을 고려합니다.",
+ "waf": "비용"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b",
- "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support",
- "service": "AKS",
- "severity": "보통",
- "text": "Azure CNI IP 소모를 방지하기 위해 IP의 동적 할당 사용",
- "waf": "신뢰도"
+ "checklist": "Cost Optimization Checklist",
+ "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3",
+ "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
+ "service": "VM",
+ "text": " 이미 라이선스가 있는 경우 AHUB에 넣을 수도 https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance",
+ "waf": "비용"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant",
- "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba",
- "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic",
- "service": "AKS",
- "severity": "높다",
- "text": "보안 요구 사항에 필요한 경우 AzFW/NVA를 사용하여 송신 트래픽 필터링",
- "waf": "안전"
+ "checklist": "Cost Optimization Checklist",
+ "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5",
+ "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal",
+ "service": "VM",
+ "text": "유연성 옵션을 사용하여 예약된 VM 제품군 통합(4-5개 이하의 제품군)",
+ "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management",
+ "waf": "비용"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant",
- "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2",
- "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges",
- "service": "AKS",
- "severity": "보통",
- "text": "퍼블릭 API 엔드포인트를 사용하는 경우 액세스할 수 있는 IP 주소를 제한합니다",
- "waf": "안전"
+ "checklist": "Cost Optimization Checklist",
+ "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations",
+ "service": "VM",
+ "text": "Azure Reserved Instances 활용: 이 기능을 사용하면 1년 또는 3년 동안 VM을 예약할 수 있으므로 PAYG 가격에 비해 상당한 비용 절감 효과를 얻을 수 있습니다.",
+ "waf": "비용"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
- "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d",
- "link": "https://learn.microsoft.com/azure/aks/private-clusters",
- "service": "AKS",
- "severity": "높다",
- "text": "요구 사항에 따라 개인 클러스터를 사용합니다",
- "waf": "안전"
+ "checklist": "Cost Optimization Checklist",
+ "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d",
+ "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
+ "service": "VM",
+ "text": "더 큰 디스크만 예약할 수 있습니다 => 1TiB -",
+ "waf": "비용"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
- "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665",
- "link": "https://learn.microsoft.com/azure/aks/use-network-policies",
- "service": "AKS",
- "severity": "보통",
- "text": "Windows 2019 및 2022 AKS 노드의 경우 Calico 네트워크 정책을 사용할 수 있습니다. ",
- "waf": "안전"
+ "checklist": "Cost Optimization Checklist",
+ "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain",
+ "service": "VM",
+ "text": "적절한 크기 최적화 후",
+ "waf": "비용"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant",
- "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a",
- "link": "https://learn.microsoft.com/azure/aks/use-network-policies",
- "service": "AKS",
- "severity": "높다",
- "text": "Kubernetes 네트워크 정책 옵션 사용(Calico/Azure)",
- "waf": "안전"
+ "checklist": "Cost Optimization Checklist",
+ "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy",
+ "service": "Azure SQL",
+ "text": "적용 가능한 경우 확인 및 정책/변경 https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations 시행",
+ "waf": "비용"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
- "service": "AKS",
- "severity": "높다",
- "text": "쿠버네티스 네트워크 정책을 사용하여 클러스터 내 보안 강화",
- "waf": "안전"
+ "checklist": "Cost Optimization Checklist",
+ "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667",
+ "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
+ "service": "VM",
+ "text": "VM + 라이선스 부분 할인(ahub + 3YRI)은 약 70% 할인입니다.",
+ "waf": "비용"
+ },
+ {
+ "checklist": "Cost Optimization Checklist",
+ "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
+ "service": "VM",
+ "text": "플랫 사이징보다는 VMSS를 사용하여 수요에 맞추는 것이 좋습니다",
+ "waf": "비용"
 },
 {
 "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc",
+ "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
 "service": "AKS",
- "severity": "높다",
- "text": "웹 워크로드(UI 또는 API)에 WAF 사용Use a WAF for web workloads (UIs or APIs)",
- "waf": "안전"
+ "text": "AKS 자동 크기 조정기를 사용하여 클러스터 사용량과 일치시킵니다(Pod 요구 사항이 스케일러와 일치하는지 확인).",
+ "waf": "비용"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
- "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94",
- "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview",
- "service": "AKS",
- "severity": "보통",
- "text": "AKS Virtual Network에서 DDoS 표준 사용Use DDoS Standard in the AKS Virtual Network",
- "waf": "안전"
+ "checklist": "Cost Optimization Checklist",
+ "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work",
+ "service": "Azure Backup",
+ "text": "해당하는 경우 복구 지점을 자격 증명 모음 보관으로 이동(유효성 검사)Move recovery points to vault-archive where applicable (Validate)",
+ "training": "https://azure.microsoft.com/pricing/reservations/",
+ "waf": "비용"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
- "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266",
- "link": "https://learn.microsoft.com/azure/aks/http-proxy",
- "service": "AKS",
- "severity": "낮다",
- "text": "필요한 경우 회사 HTTP 프록시를 추가합니다.",
- "waf": "안전"
+ "checklist": "Cost Optimization Checklist",
+ "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2",
+ "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination",
+ "service": "Databricks",
+ "text": "가능한 경우 대체와 함께 스폿 VM을 사용하는 것이 좋습니다. 클러스터의 자동 종료를 고려합니다.",
+ "waf": "비용"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b",
- "link": "https://learn.microsoft.com/azure/aks/servicemesh-about",
- "service": "AKS",
- "severity": "보통",
- "text": "고급 마이크로서비스 통신 관리를 위해 서비스 메시를 사용하는 것이 좋습니다",
- "waf": "안전"
+ "checklist": "Cost Optimization Checklist",
+ "guid": "cc881470-607c-41cc-a0e6-14658dd458e9",
+ "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create",
+ "service": "Azure Functions",
+ "text": "함수 - 연결 재사용",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json",
+ "waf": "비용"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
- "service": "AKS",
- "severity": "높다",
- "text": "가장 중요한 메트릭에 대한 경고 구성(권장 사항은 Container Insights 참조)",
- "waf": "작업"
+ "checklist": "Cost Optimization Checklist",
+ "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f",
+ "link": "https://learn.microsoft.com/azure/automation/update-management/overview",
+ "service": "Azure Functions",
+ "text": "함수 - 로컬에 데이터 캐시",
+ "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
+ "waf": "비용"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "337453a3-cc63-4963-9a65-22ac19e80696",
- "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started",
- "service": "AKS",
- "severity": "낮다",
- "text": "Azure Advisor에서 클러스터에 대한 권장 사항을 정기적으로 확인합니다.",
- "waf": "작업"
+ "checklist": "Cost Optimization Checklist",
+ "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac",
+ "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
+ "service": "Azure Functions",
+ "text": "기능 - 콜드 스타트 - '패키지에서 실행' 기능을 사용합니다. 이렇게 하면 코드가 단일 zip 파일로 다운로드됩니다. 예를 들어, 이것은 많은 노드 모듈이 있는 Javascript 함수를 크게 개선할 수 있습니다. 언어별 도구를 사용하여 패키지 크기를 줄입니다(예: 트리 쉐이킹 Javascript 애플리케이션).",
+ "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
+ "waf": "비용"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced",
- "link": "https://learn.microsoft.com/azure/aks/certificate-rotation",
- "service": "AKS",
- "severity": "낮다",
- "text": "AKS 자동 인증서 회전 사용",
- "waf": "작업"
+ "checklist": "Cost Optimization Checklist",
+ "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
+ "service": "Azure Functions",
+ "text": "기능 - 기능을 따뜻하게 유지",
+ "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "waf": "비용"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370",
- "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions",
- "service": "AKS",
- "severity": "높다",
- "text": "kubernetes 버전을 주기적으로(예: 분기별) 업그레이드하거나 AKS 자동 업그레이드 기능을 사용하는 정기적인 프로세스가 있습니다.",
- "waf": "작업"
+ "checklist": "Cost Optimization Checklist",
+ "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Azure Functions",
+ "text": "다른 함수와 함께 자동 크기 조정을 사용하는 경우 모든 리소스에 대한 모든 자동 크기 조정을 구동하는 것이 있을 수 있으므로 별도의 소비 계획으로 이동하는 것이 좋습니다(CPU에 대한 더 높은 계획 고려).",
+ "waf": "비용"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82",
- "link": "https://learn.microsoft.com/azure/aks/node-updates-kured",
- "service": "AKS",
- "severity": "높다",
- "text": "node-image upgrade를 사용하지 않는 경우 Linux 노드 업그레이드에 kured를 사용합니다.",
- "waf": "작업"
+ "checklist": "Cost Optimization Checklist",
+ "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8",
+ "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal",
+ "service": "Azure Functions",
+ "text": "지정된 계획의 함수 앱은 모두 함께 크기가 조정되므로 크기 조정과 관련된 모든 문제는 계획의 모든 앱에 영향을 줄 수 있습니다.",
+ "waf": "비용"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "139c9580-ade3-426a-ba09-cf157d9f6477",
- "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade",
- "service": "AKS",
- "severity": "높다",
- "text": "클러스터 노드 이미지를 주기적으로(예: 매주) 업그레이드하는 정기적인 프로세스가 있습니다.",
- "waf": "작업"
+ "checklist": "Cost Optimization Checklist",
+ "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups",
+ "service": "Azure Functions",
+ "text": "'대기 시간'에 대한 요금이 청구되나요? 이 질문은 일반적으로 비동기 작업을 수행하고 결과를 기다리는 C # 함수 (예 : await Task.Delay(1000) 또는 await client )의 컨텍스트에서 묻습니다. GetAsync('http://google.com')입니다. 대답은 '예'입니다 - GB 초 계산은 함수의 시작 및 종료 시간과 해당 기간 동안의 메모리 사용량을 기반으로 합니다. CPU 작업 측면에서 해당 시간 동안 실제로 발생하는 일은 계산에 포함되지 않습니다. 이 규칙의 한 가지 예외는 지속성 함수를 사용하는 경우입니다. 오케스트레이터 함수에서 대기하는 데 소요된 시간에 대해서는 요금이 청구되지 않습니다.가능한 경우 수요 형성 기술을 적용합니다(개발 환경?) 
https://github.com/Azure-Samples/functions-csharp-premium-scaler", + "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", - "service": "AKS", - "severity": "낮다", - "text": "gitops를 고려하여 애플리케이션 또는 클러스터 구성을 여러 클러스터에 배포합니다.", - "waf": "작업" + "checklist": "Cost Optimization Checklist", + "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Front Door", + "text": "Frontdoor - 기본 홈페이지 끄기앱의 애플리케이션 설정에서 AzureWebJobsDisableHomepage를 true로 설정합니다. 이렇게 하면 PoP에 204(콘텐츠 없음)가 반환되므로 헤더 데이터만 반환됩니다.", + "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d7672c26-7602-4482-85a4-14527fbe855c", - "link": "https://learn.microsoft.com/azure/aks/command-invoke", - "service": "AKS", - "severity": "낮다", - "text": "프라이빗 클러스터에서 AKS 명령 호출을 사용하는 것이 좋습니다.", - "waf": "작업" + "checklist": "Cost Optimization Checklist", + "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Front Door", + "text": "Frontdoor 프론트도어 - 아무것도 반환하지 않는 무언가로 라우팅합니다. 함수, 함수 프록시를 설정하거나 WebApp에서 200(정상)을 반환하고 콘텐츠를 보내지 않거나 최소한으로 보내는 경로를 추가합니다. 
이것의 장점은 호출될 때 로그아웃할 수 있다는 것입니다.", + "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", - "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", - "service": "AKS", - "severity": "낮다", - "text": "계획된 이벤트의 경우 노드 자동 드레인 사용을 고려하십시오.", - "waf": "작업" + "checklist": "Cost Optimization Checklist", + "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", + "service": "Storage", + "text": "덜 사용되는 데이터에 대한 보관 계층 고려", + "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", - "link": "https://learn.microsoft.com/azure/aks/faq", - "service": "AKS", - "severity": "높다", - "text": "노드 RG(일명 '인프라 RG')의 운영자가 변경을 수행하지 않도록 자체 거버넌스 관행을 개발합니다.", - "waf": "작업" + "checklist": "Cost Optimization Checklist", + "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "VM", + "text": "크기가 계층과 일치하지 않는 디스크 크기를 확인합니다(예: 513GiB 디스크는 P30(1TiB)를 지불하고 크기 조정을 고려합니다.", + "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", - "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", - "severity": "낮다", - "text": "사용자 정의 노드 RG (일명 '인프라 RG') 이름 사용", - "waf": "작업" + "checklist": "Cost Optimization Checklist", + "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "Storage", + "text": "가능하면 프리미엄 
또는 울트라 대신 표준 SSD를 사용하는 것이 좋습니다.", + "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", - "link": "https://kubernetes.io/docs/setup/release/notes/", - "service": "AKS", - "severity": "보통", - "text": "YAML 매니페스트에서 더 이상 사용되지 않는 Kubernetes API를 사용하지 마십시오.", - "waf": "작업" + "checklist": "Cost Optimization Checklist", + "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "Storage", + "text": "스토리지 계정의 경우 선택한 계층이 트랜잭션 요금을 합산하지 않는지 확인합니다(다음 계층으로 이동하는 것이 더 저렴할 수 있음).", + "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", - "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", - "service": "AKS", - "severity": "낮다", - "text": "테인트 Windows 노드", - "waf": "작업" + "checklist": "Cost Optimization Checklist", + "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "Site Recovery", + "text": "ASR의 경우 RPO/RTO 및 복제 처리량이 허용하는 경우 표준 SSD 디스크를 사용하는 것이 좋습니다", + "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", - "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", - "service": "AKS", - "severity": "낮다", - "text": "Windows 컨테이너 패치 수준을 호스트 패치 수준과 동기화된 상태로 유지", - "waf": "작업" + "checklist": "Cost Optimization Checklist", + "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", + "link": 
"https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", + "service": "Storage", + "text": "스토리지 계정: 핫 계층 및/또는 GRS 필요 확인", + "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "클러스터 수준의 진단 설정을 통해Via Diagnostic Settings at the cluster level", - "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", - "link": "https://learn.microsoft.com/azure/aks/monitor-aks", - "service": "AKS", - "severity": "낮다", - "text": "마스터 로그(즉, API 로그)를 Azure Monitor 또는 기본 로그 관리 솔루션으로 보냅니다", - "waf": "작업" + "checklist": "Cost Optimization Checklist", + "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "VM", + "text": "디스크 - 모든 곳에서 프리미엄 SSD 디스크 사용의 유효성을 검사합니다. 예를 들어 비프로덕션은 표준 SSD 또는 주문형 프리미엄 SSD로 교환할 수 있습니다. ", + "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", - "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", - "service": "AKS", - "severity": "낮다", - "text": "필요한 경우 nodePool 스냅샷을 사용합니다.", + "checklist": "Cost Optimization Checklist", + "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "Synapse", + "text": "예산을 만들어 비용을 관리하고 이해 관계자에게 지출 이상 및 초과 지출 위험을 자동으로 알리는 경고를 만듭니다.", "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", - "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", - "service": "AKS", - "severity": "낮다", - "text": "시간에 민감하지 않은 워크로드에 대한 스폿 노드 풀 고려", - "waf": "작업" + "checklist": "Cost Optimization Checklist", + "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + 
"service": "Synapse", + "text": "추가 데이터 분석을 위해 비용 데이터를 스토리지 계정으로 내보냅니다.", + "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", - "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", - "severity": "낮다", - "text": "빠른 버스팅을 위해 AKS 가상 노드 고려", - "waf": "작업" + "checklist": "Cost Optimization Checklist", + "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Synapse", + "text": "리소스를 사용하지 않을 때 일시 중지하여 전용 SQL 풀에 대한 비용을 제어합니다.", + "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", - "severity": "높다", - "text": "Container Insights(또는 Prometheus와 같은 다른 도구)를 사용하여 클러스터 지표 모니터링", - "waf": "작업" + "checklist": "Cost Optimization Checklist", + "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", + "service": "Synapse", + "text": "서버리스 Apache Spark 자동 일시 중지 기능을 활성화하고 그에 따라 제한 시간 값을 설정합니다.", + "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", - "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", - "link": 
"https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", - "severity": "높다", - "text": "Container Insights(또는 Telegraf/ElasticSearch와 같은 다른 도구)를 사용하여 클러스터 로그를 저장하고 분석합니다.", - "waf": "작업" + "checklist": "Cost Optimization Checklist", + "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Synapse", + "text": "다양한 크기의 Apache Spark 풀 정의를 여러 개 만듭니다.", + "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", - "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", - "service": "AKS", - "severity": "보통", - "text": "노드의 CPU 및 메모리 사용률 모니터링", - "waf": "작업" + "checklist": "Cost Optimization Checklist", + "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "service": "Synapse", + "text": "사전 구매 플랜으로 1년 동안 Azure Synapse SCU(커밋 단위)를 구매하여 Azure Synapse Analytics 비용을 절감하세요.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "1a4835ac-9422-423e-ae80-b123081a5417", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "보통", - "text": "Azure CNI를 사용하는 경우 노드당 사용되는 Pod IP의 %를 모니터링합니다.", - "waf": "작업" + "checklist": "Cost Optimization Checklist", + "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "VM", + "text": "인터럽트 가능한 작업에 스폿 VM 사용: 할인된 가격으로 입찰 및 구매할 수 있는 VM으로, 중요하지 않은 
워크로드에 비용 효율적인 솔루션을 제공합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "OS 디스크의 I/O는 중요한 리소스입니다. 노드의 OS가 I/O에서 제한되면 예측할 수 없는 동작이 발생할 수 있으며, 일반적으로 노드가 NotReady로 선언됩니다", - "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", - "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", - "service": "AKS", - "severity": "보통", - "text": "노드에서 OS 디스크 큐 크기 모니터링Monitor OS disk queue depth in nodes", - "waf": "작업" + "checklist": "Cost Optimization Checklist", + "guid": "544451e1-92d3-4442-a3c7-628637a551c5", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", + "text": "모든 VM의 적절한 크기 조정", + "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "be209d39-fda4-4777-a424-d116785c2fa5", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", - "severity": "보통", - "text": "AzFW/NVA에서 송신 필터링을 사용하지 않는 경우 표준 ALB 할당 SNAT 포트를 모니터링합니다", - "waf": "작업" + "checklist": "Cost Optimization Checklist", + "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "VM", + "text": "VM 크기를 정규화된 최신 크기로 바꾸기", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", - "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", - "service": "AKS", - "severity": "보통", - "text": "AKS 클러스터에 대한 Resource Health 알림 구독Subscribe to resource health notifications for your AKS cluster", - "waf": "작업" + "checklist": "Cost Optimization 
Checklist", + "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "text": "적절한 크기 조정 VM - 사용량을 5% 미만으로 모니터링하는 것으로 시작한 다음 최대 40%까지 작업", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", - "severity": "높다", - "text": "Pod 규격에서 요청 및 제한 구성", - "waf": "작업" + "checklist": "Cost Optimization Checklist", + "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "text": "애플리케이션을 컨테이너화하면 VM 밀도를 개선하고 확장 비용을 절감할 수 있습니다", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "769ef669-1a48-435a-a942-223ece80b123", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "checklist": "Identity Review Checklist", + "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", + "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", + "service": "Entra", "severity": "보통", - "text": "네임스페이스에 대한 리소스 할당량 적용Enforce resource quotas for namespaces", - "waf": "작업" + "text": "장기 취소 가능 토큰을 사용하고, 토큰을 캐시하고, Microsoft ID 라이브러리를 사용하여 자동으로 획득합니다.", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "081a5417-4158-433e-a3ad-3c2de733165c", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "AKS", - "severity": 
"높다", - "text": "구독에 노드 풀을 확장할 수 있는 충분한 할당량이 있는지 확인합니다.", - "waf": "작업" + "checklist": "Identity Review Checklist", + "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", + "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", + "service": "AAD B2C", + "severity": "보통", + "text": "로그인 사용자 흐름이 백업되고 복원력이 있는지 확인합니다. 사용자를 로그인하는 데 사용하는 코드가 백업되고 복구 가능한지 확인합니다. 외부 프로세스와의 복원력 있는 인터페이스", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", - "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "checklist": "Identity Review Checklist", + "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", + "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", + "service": "AAD B2C", "severity": "보통", - "text": "Cluster Autoscaler 사용", + "text": "사용자 지정 브랜드 자산은 CDN에서 호스팅되어야 합니다.", "waf": "공연" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", - "guid": "831c2872-c693-4b39-a887-a561bada49bc", - "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", - "service": "AKS", + "checklist": "Identity Review Checklist", + "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", + "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", + "service": "AAD B2C", "severity": "낮다", - "text": "AKS 노드 풀에 대한 노드 구성 사용자 지정", - "waf": "공연" + "text": "여러 ID 공급자가 있어야 합니다(예: Microsoft, Google, Facebook 계정으로 로그인).", + "waf": "신뢰도" }, { - "arm-service": 
"microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "checklist": "Identity Review Checklist", + "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "보통", - "text": "필요한 경우 Horizontal Pod Autoscaler 사용", - "waf": "공연" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "노드가 클수록 임시 디스크 및 가속화된 네트워킹과 같은 더 높은 성능과 기능을 제공하지만 폭발 반경이 증가하고 크기 조정 세분성이 감소합니다", - "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", - "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", - "service": "AKS", - "severity": "높다", - "text": "너무 크거나 너무 작지 않은 적절한 노드 크기를 고려합니다", - "waf": "공연" + "text": "VM 수준에서 고가용성을 위한 VM 규칙(프리미엄 디스크, 서로 다른 가용성 영역에 있는 지역에 두 개 이상)을 따릅니다.", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", - "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", - "service": "AKS", - "severity": "낮다", - "text": "확장성을 위해 5,000개 이상의 노드가 필요한 경우 추가 AKS 클러스터를 사용하는 것이 좋습니다", - "waf": "공연" + "checklist": "Identity Review Checklist", + "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", + "severity": "보통", + "text": "복제하지 마세요! 
복제로 인해 디렉터리 동기화에 문제가 발생할 수 있습니다", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", - "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", - "service": "AKS", - "severity": "낮다", - "text": "AKS 자동화를 위해 EventGrid 이벤트를 구독하는 것이 좋습니다.", - "waf": "공연" + "checklist": "Identity Review Checklist", + "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", + "severity": "보통", + "text": "다중 지역에 대해 활성-활성 상태 보유", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", - "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", - "service": "AKS", - "severity": "낮다", - "text": "AKS 클러스터에서 장기 실행 작업의 경우 이벤트 종료를 고려합니다.", - "waf": "공연" + "checklist": "Identity Review Checklist", + "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", + "severity": "보통", + "text": "추가 지역 및 위치에 Azure AD 도메인 서비스 스탬프 추가Add Azure AD Domain service stamps to additional regions and locations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", - "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", - "service": "AKS", + "checklist": "Identity Review Checklist", + "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", + "severity": "보통", + "text": "DR에 복제본 세트 사용", + "waf": "신뢰도" + }, + { + "checklist": "Azure App Service Review", 
+ "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", + "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", + "service": "App Services", "severity": "낮다", - "text": "필요한 경우 AKS 노드에 Azure Dedicated Host를 사용하는 것이 좋습니다", - "waf": "공연" + "text": "모범 사례는 기준 고가용성 영역 중복 웹 애플리케이션 아키텍처를 참조하세요.", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", - "guid": "24367b33-6971-45b1-952b-eee0b9b588de", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", + "checklist": "Azure App Service Review", + "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", + "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", + "service": "App Services", + "severity": "보통", + "text": "프리미엄 및 표준 계층을 사용합니다. 
이러한 계층은 스테이징 슬롯 및 자동 백업을 지원합니다.", + "waf": "신뢰도" + }, + { + "checklist": "Azure App Service Review", + "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", + "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", + "service": "App Services", "severity": "높다", - "text": "임시 OS 디스크 사용", - "waf": "공연" + "text": "지역적으로 적용 가능한 경우 가용성 영역 활용(프리미엄 v2 또는 v3 계층 필요)", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "AKS", + "checklist": "Azure App Service Review", + "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", + "severity": "보통", + "text": "상태 확인 구현", + "waf": "신뢰도" + }, + { + "checklist": "Azure App Service Review", + "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", + "service": "App Services", "severity": "높다", - "text": "임시 디스크가 아닌 디스크의 경우 여러 Pod를 실행하는 데 고성능이 필요하고 기본 AKS 로그 회전 임계값을 사용하여 대규모 로그를 생성하므로 많은 Pod/노드를 실행할 때 노드에 높은 IOPS 및 더 큰 OS 디스크를 사용합니다", - "waf": "공연" + "text": "Azure App Service에 대한 백업 및 복원 모범 사례를 참조하세요.", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", - "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", - "service": "AKS", - "severity": "낮다", - "text": "고성능 스토리지 옵션의 경우 AKS에서 Ultra Disks를 사용합니다.", - "waf": "공연" + "checklist": "Azure App Service Review", + "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", + "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", + "service": "App Services", + "severity": "높다", + "text": "Azure App 
Service 안정성 모범 사례 구현", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", - "service": "AKS", - "severity": "보통", - "text": "클러스터에서 상태를 유지하지 않고 외부(AzStorage, AzSQL, Cosmos 등)에 데이터를 저장합니다.", - "waf": "공연" + "checklist": "Azure App Service Review", + "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", + "service": "App Services", + "severity": "낮다", + "text": "App Service 앱을 다른 지역으로 이동하는 방법을 숙지합니다. 재해가 발생하는 동안", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", - "service": "AKS", - "severity": "보통", - "text": "AzFiles 표준을 사용하는 경우 성능상의 이유로 AzFiles 프리미엄 및/또는 ANF를 고려합니다", - "waf": "공연" + "checklist": "Azure App Service Review", + "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", + "service": "App Services", + "severity": "높다", + "text": "Azure App Service의 안정성 지원 숙지", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", - "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", - "service": "AKS", + "checklist": "Azure App Service Review", + "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "App Services", "severity": "보통", - "text": "Azure 디스크 및 AZ를 사용하는 경우 올바른 영역에 스토리지를 프로비전하기 위해 
VolumeBindingMode::WaitForFirstConsumer를 사용하여 LRS 디스크의 영역 내에 노드 풀을 사용하거나 여러 영역에 걸쳐 있는 노드 풀에 ZRS 디스크를 사용하는 것이 좋습니다",
- "waf": "공연"
+ "text": "App Service 계획에서 실행되는 Function Apps에 대해 \"Always On\"이 사용하도록 설정되어 있는지 확인합니다.",
+ "waf": "신뢰도"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "70c15989-c726-42c7-b0d3-24b7375b9201",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations",
- "service": "Entra",
+ "checklist": "Azure App Service Review",
+ "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check",
+ "service": "App Services",
 "severity": "보통",
- "text": "다중 테넌트에 대한 명확한 규정 또는 비즈니스 요구 사항이 없는 한 Azure 리소스를 관리하기 위해 하나의 Entra 테넌트를 사용합니다.",
- "waf": "작업"
+ "text": "상태 검사를 사용하여 App Service 인스턴스 모니터링Monitor App Service instances using Health checks",
+ "waf": "신뢰도"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation",
- "service": "Entra",
- "severity": "낮다",
- "text": "Microsoft Entra ID 테넌트를 관리하기 위한 다중 테넌트 자동화 접근 방식이 있는지 확인합니다.",
- "waf": "작업"
+ "checklist": "Azure App Service Review",
+ "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview",
+ "service": "App Services",
+ "severity": "보통",
+ "text": "Application Insights 가용성 테스트를 사용하여 웹앱 또는 웹 사이트의 가용성 및 응답성 모니터링",
+ "waf": "신뢰도"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse",
- "service": "Entra",
+ "checklist": "Azure App Service Review",
+ "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests",
+ "service": "App Services",
 "severity": "낮다",
- "text": "다중 테넌트 관리를 위해 Azure Lighthouse 활용",
- "waf": "작업"
- },
- {
- "checklist": "Azure Landing Zone Review",
- "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
- "service": "Entra",
- "severity": "보통",
- "text": "Azure Lighthouse가 파트너별로 테넌트를 관리하는 데 사용되는지 확인합니다.",
- "waf": "비용"
+ "text": "Application Insights 표준 테스트를 사용하여 웹앱 또는 웹 사이트의 가용성 및 응답성 모니터링",
+ "waf": "신뢰도"
 },
 {
- "ammp": true,
- "checklist": "Azure Landing Zone Review",
- "guid": "348ef254-c27d-442e-abba-c7571559ab91",
- "link": "https://learn.microsoft.com/azure/role-based-access-control/overview",
- "service": "Entra",
+ "checklist": "Azure App Service Review",
+ "description": "Azure Key Vault를 사용하여 애플리케이션에 필요한 모든 비밀을 저장합니다. Key Vault는 비밀을 저장하기 위한 안전하고 감사된 환경을 제공하며 Key Vault SDK 또는 App Service Key Vault 참조를 통해 App Service와 잘 통합됩니다.",
+ "guid": "834ac932-223e-4ce8-8b12-3071a5416415",
+ "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
+ "service": "App Services",
 "severity": "높다",
- "text": "클라우드 운영 모델에 맞는 RBAC 모델을 적용합니다. 관리 그룹 및 구독에서 범위 지정 및 할당Scope and Assign across Management Groups and Subscriptions.",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "text": "Key Vault를 사용하여 비밀 저장",
 "waf": "안전"
 },
 {
- "ammp": true,
- "checklist": "Azure Landing Zone Review",
- "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5",
- "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts",
- "service": "Entra",
+ "checklist": "Azure App Service Review",
+ "description": "관리 ID를 사용하여 Key Vault SDK를 사용하거나 App Service Key Vault 참조를 통해 Key Vault에 연결합니다.",
+ "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1",
+ "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
+ "service": "App Services",
 "severity": "높다",
- "text": "모든 계정 유형에 대해 인증 유형 회사 또는 학교 계정만 사용합니다. Microsoft 계정 사용 금지",
- "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
+ "text": "관리 ID를 사용하여 Key Vault에 연결",
 "waf": "안전"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4",
- "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal",
- "service": "Entra",
- "severity": "보통",
- "text": "그룹만 사용하여 권한을 할당합니다. 그룹 관리 시스템이 이미 있는 경우 Entra ID 전용 그룹에 온-프레미스 그룹을 추가합니다.",
- "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
+ "checklist": "Azure App Service Review",
+ "description": "App Service TLS 인증서를 Key Vault에 저장합니다.",
+ "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate",
+ "service": "App Services",
+ "severity": "높다",
+ "text": "Key Vault를 사용하여 TLS 인증서를 저장합니다.",
 "waf": "안전"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4",
- "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview",
- "service": "Entra",
- "severity": "낮다",
- "text": "Azure 환경에 대한 권한이 있는 모든 사용자에 대해 Microsoft Entra ID 조건부 액세스 정책 적용",
- "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
- "waf": "안전"
- },
- {
- "ammp": true,
- "checklist": "Azure Landing Zone Review",
- "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01",
- "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks",
- "service": "Entra",
- "severity": "높다",
- "text": "Azure 환경에 대한 권한이 있는 모든 사용자에 대해 다단계 인증 적용",
- "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
+ "checklist": "Azure App Service Review",
+ "description": "중요한 정보를 처리하는 시스템은 격리해야 합니다. 이렇게 하려면 별도의 App Service 계획 또는 App Service Environment를 사용하고 다른 구독 또는 관리 그룹을 사용하는 것이 좋습니다.",
+ "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans",
+ "service": "App Services",
+ "severity": "보통",
+ "text": "민감한 정보를 처리하는 시스템 격리",
 "waf": "안전"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "14658d35-58fd-4772-99b8-21112df27ee4",
- "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
- "service": "Entra",
+ "checklist": "Azure App Service Review",
+ "description": "App Service의 로컬 디스크는 암호화되지 않으며 중요한 데이터를 저장해서는 안 됩니다. (예: D:\\\\Local and %TMP%).",
+ "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a",
+ "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access",
+ "service": "App Services",
 "severity": "보통",
- "text": "Microsoft Entra ID PIM(Privileged Identity Management)을 적용하여 제로 스탠딩 액세스 및 최소 권한 설정",
- "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
+ "text": "로컬 디스크에 중요한 데이터를 저장하지 마십시오.",
 "waf": "안전"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018",
- "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
- "service": "Entra",
+ "checklist": "Azure App Service Review",
+ "description": "인증된 웹 애플리케이션의 경우 Azure AD 또는 Azure AD B2C와 같이 잘 설정된 ID 공급자를 사용합니다. 선택한 애플리케이션 프레임워크를 활용하여 이 공급자와 통합하거나 App Service 인증/권한 부여 기능을 사용합니다.",
+ "guid": "919ca0b2-c121-459e-814b-933df574eccc",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization",
+ "service": "App Services",
 "severity": "보통",
- "text": "Active Directory 도메인 서비스에서 Entra 도메인 서비스로 전환하려는 경우 모든 워크로드의 호환성을 평가합니다",
- "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/",
+ "text": "인증에 설정된 ID 공급자 사용",
 "waf": "안전"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1",
- "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor",
- "service": "Entra",
- "severity": "보통",
- "text": "Microsoft Entra ID 로그를 플랫폼 중앙 Azure Monitor와 통합합니다. Azure Monitor를 사용하면 Azure의 로그 및 모니터링 데이터에 대한 단일 정보 원본을 사용할 수 있으므로 조직에 로그 수집 및 보존에 대한 요구 사항을 충족할 수 있는 클라우드 네이티브 옵션을 제공합니다.",
+ "checklist": "Azure App Service Review",
+ "description": "잘 관리되고 안전한 DevOps 배포 파이프라인과 같이 제어되고 신뢰할 수 있는 환경에서 App Service에 코드를 배포합니다. 이렇게 하면 버전이 제어되지 않고 악성 호스트에서 배포되는 것으로 확인되지 않은 코드를 방지할 수 있습니다.",
+ "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5",
+ "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices",
+ "service": "App Services",
+ "severity": "높다",
+ "text": "신뢰할 수 있는 환경에서 배포",
 "waf": "안전"
 },
 {
- "ammp": true,
- "checklist": "Azure Landing Zone Review",
- "guid": "984a859c-773e-47d2-9162-3a765a917e1f",
- "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access",
- "service": "Entra",
+ "checklist": "Azure App Service Review",
+ "description": "FTP/FTPS 및 WebDeploy/SCM 모두에 대한 기본 인증을 사용 안함으로 설정합니다. 이렇게 하면 이러한 서비스에 대한 액세스가 비활성화되고 배포에 Azure AD 보안 엔드포인트가 사용됩니다. SCM 사이트는 Azure AD 자격 증명을 사용하여 열 수도 있습니다.",
+ "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d",
+ "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication",
+ "service": "App Services",
 "severity": "높다",
- "text": "테넌트 전체 계정 잠금을 방지하기 위해 긴급 액세스 또는 비상 계정을 구현합니다",
- "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
+ "text": "기본 인증 사용 안 함",
 "waf": "안전"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "35037e68-9349-4c15-b371-228514f4cdff",
- "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
- "service": "Entra",
- "severity": "보통",
- "text": "Microsoft Entra ID 역할 할당에 온-프레미스 동기화된 계정을 사용하지 마세요.",
- "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/",
+ "checklist": "Azure App Service Review",
+ "description": "가능한 경우 관리 ID를 사용하여 Azure AD 보안 리소스에 연결합니다. 이렇게 할 수 없는 경우 Key Vault에 비밀을 저장하고 대신 관리 ID를 사용하여 Key Vault에 연결합니다.",
+ "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp",
+ "service": "App Services",
+ "severity": "높다",
+ "text": "관리 ID를 사용하여 리소스에 연결",
 "waf": "안전"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy",
- "service": "Entra",
- "severity": "보통",
- "text": "필요한 경우 Microsoft Entra ID 애플리케이션 프록시를 사용하여 원격 사용자에게 내부 애플리케이션(클라우드 또는 온-프레미스에서 호스트됨)에 대한 안전하고 인증된 액세스를 제공합니다.",
- "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
+ "checklist": "Azure App Service Review",
+ "description": "Azure Container Registry에 저장된 이미지를 사용하는 경우 관리 ID를 사용하여 끌어옵니다.",
+ "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry",
+ "service": "App Services",
+ "severity": "높다",
+ "text": "관리 ID를 사용하여 컨테이너 끌어오기",
 "waf": "안전"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity",
- "service": "VNet",
+ "checklist": "Azure App Service Review",
+ "description": "App Service의 진단 설정을 구성하면 모든 원격 분석을 로깅 및 모니터링의 중앙 대상으로 Log Analytics에 보낼 수 있습니다. 이를 통해 HTTP 로그, 애플리케이션 로그, 플랫폼 로그 등과 같은 App Service의 런타임 활동을 모니터링할 수 있습니다.",
+ "guid": "47768314-c115-4775-a2ea-55b46ad48408",
+ "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs",
+ "service": "App Services",
 "severity": "보통",
- "text": "최대한의 유연성이 필요한 네트워크 시나리오를 위해 기존의 허브 앤 스포크(hub-and-spoke) 네트워크 토폴로지를 기반으로 하는 네트워크 설계를 활용합니다.",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "text": "Log Analytics에 App Service 런타임 로그 보내기Send App Service runtime logs to Log Analytics",
 "waf": "안전"
 },
 {
- "ammp": true,
- "checklist": "Azure Landing Zone Review",
- "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d",
- "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/expressroute",
- "service": "VNet",
- "severity": "높다",
- "text": "ExpressRoute 게이트웨이, VPN 게이트웨이 및 Azure Firewall 또는 중앙 허브 가상 네트워크의 파트너 NVA를 포함한 공유 네트워킹 서비스를 확인합니다. 필요한 경우 DNS 서버도 배포합니다.",
- "waf": "비용"
- },
- {
- "checklist": "Azure Landing Zone Review",
- "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
- "service": "VNet",
+ "checklist": "Azure App Service Review",
+ "description": "활동 로그를 Log Analytics에 로깅 및 모니터링의 중앙 대상으로 보내도록 진단 설정을 지정합니다. 이렇게 하면 App Service 리소스 자체에서 컨트롤 플레인 작업을 모니터링할 수 있습니다.",
+ "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
+ "service": "App Services",
 "severity": "보통",
- "text": "애플리케이션 랜딩 존의 모든 공용 IP 주소에 대해 DDoS 네트워크 또는 IP 보호 계획을 사용합니다.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "text": "Log Analytics에 App Service 활동 로그 보내기Send App Service activity logs to Log Analytics",
 "waf": "안전"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b",
- "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha",
- "service": "NVA",
+ "checklist": "Azure App Service Review",
+ "description": "지역 VNet 통합, 네트워크 보안 그룹 및 UDR의 조합을 사용하여 아웃바운드 네트워크 액세스를 제어합니다. 트래픽은 Azure Firewall과 같은 NVA로 라우팅되어야 합니다. 방화벽의 로그를 모니터링해야 합니다.",
+ "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration",
+ "service": "App Services",
 "severity": "보통",
- "text": "파트너 네트워킹 기술 또는 NVA를 배포할 때 파트너 공급업체의 지침을 따릅니다",
- "waf": "신뢰도"
+ "text": "아웃바운드 네트워크 액세스를 제어해야 함",
+ "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn",
- "service": "ExpressRoute",
+ "checklist": "Azure App Service Review",
+ "description": "VNet 통합을 사용하고 VNet NAT Gateway 또는 NVA와 같은 Azure Firewall을 사용하여 안정적인 아웃바운드 IP를 제공할 수 있습니다. 이렇게 하면 필요한 경우 수신 당사자가 IP를 기반으로 허용 목록을 만들 수 있습니다. Azure 서비스에 대한 통신의 경우 IP 주소에 의존할 필요가 없는 경우가 많으며 서비스 엔드포인트와 같은 메커니즘을 대신 사용해야 합니다. (또한 수신 끝에서 프라이빗 엔드포인트를 사용하면 SNAT가 발생하지 않고 안정적인 아웃바운드 IP 범위를 제공합니다.)",
+ "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1",
+ "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration",
+ "service": "App Services",
 "severity": "낮다",
- "text": "허브 및 스포크 시나리오에서 ExpressRoute와 VPN 게이트웨이 간의 전송이 필요한 경우 Azure Route Server를 사용합니다.",
+ "text": "인터넷 주소에 대한 아웃바운드 통신을 위한 안정적인 IP 보장",
 "waf": "안전"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant",
- "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc",
- "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1",
- "service": "ARS",
- "severity": "낮다",
- "text": "Route Server를 사용하는 경우 Route Server 서브넷에 /27 접두사를 사용합니다.",
+ "checklist": "Azure App Service Review",
+ "description": "App Service 액세스 제한, 서비스 엔드포인트 또는 프라이빗 엔드포인트의 조합을 사용하여 인바운드 네트워크 액세스를 제어합니다. 웹앱 자체 및 SCM 사이트에 대해 서로 다른 액세스 제한이 필요하고 구성될 수 있습니다.",
+ "guid": "0725769e-e669-41a4-a34a-c932223ece80",
+ "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
+ "service": "App Services",
+ "severity": "높다",
+ "text": "인바운드 네트워크 액세스를 제어해야 합니다.",
 "waf": "안전"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "cc881471-607c-41cc-a0e6-14658dd558f9",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region",
- "service": "VNet",
- "severity": "보통",
- "text": "Azure 지역에 걸쳐 여러 허브 및 스포크 토폴로지가 있는 네트워크 아키텍처의 경우 허브 VNet 간에 글로벌 가상 네트워크 피어링을 사용하여 지역을 서로 연결합니다.",
- "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/",
- "waf": "공연"
+ "checklist": "Azure App Service Review",
+ "description": "Application Gateway 또는 Azure Front Door와 같은 Web Application Firewall을 사용하여 악의적인 인바운드 트래픽으로부터 보호합니다. WAF의 로그를 모니터링해야 합니다.",
+ "guid": "b123071a-5416-4415-a33e-a3ad2c2de732",
+ "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints",
+ "service": "App Services",
+ "severity": "높다",
+ "text": "App Service 앞에서 WAF 사용Use a WAF in front of App Service",
+ "waf": "안전"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview",
- "service": "VNet",
- "severity": "보통",
- "text": "네트워크용 Azure Monitor를 사용하여 Azure에서 네트워크의 엔드투엔드 상태를 모니터링합니다.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
- "waf": "작업"
+ "checklist": "Azure App Service Review",
+ "description": "WAF에 대한 액세스만 잠궈 WAF를 우회할 수 없는지 확인합니다. 액세스 제한, 서비스 엔드포인트 및 프라이빗 엔드포인트의 조합을 사용합니다.",
+ "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314",
+ "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
+ "service": "App Services",
+ "severity": "높다",
+ "text": "WAF가 우회되지 않도록 방지",
+ "waf": "안전"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant",
- "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
- "service": "VNet",
+ "checklist": "Azure App Service Review",
+ "description": "App Service 구성에서 최소 TLS 정책을 1.2로 설정합니다.",
+ "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant",
+ "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions",
+ "service": "App Services",
 "severity": "보통",
- "text": "스포크 가상 네트워크를 중앙 허브 가상 네트워크에 연결할 때 ExpressRoute를 통해 보급할 수 있는 최대 접두사 수(1000)인 VNet 피어링 제한(500)을 고려합니다",
- "waf": "신뢰도"
+ "text": "최소 TLS 정책을 1.2로 설정합니다.",
+ "waf": "안전"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant",
- "guid": "3d457936-e9b7-41eb-bdff-314b26450b12",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
- "service": "VNet",
- "severity": "보통",
- "text": "경로 테이블당 경로 제한(400)을 고려합니다.",
- "waf": "신뢰도"
+ "checklist": "Azure App Service Review",
+ "description": "HTTPS만 사용하도록 App Service를 구성합니다. 이로 인해 App Service가 HTTP에서 HTTPS로 리디렉션됩니다. 코드 또는 WAF에서 HSTS(HTTP Strict Transport Security)를 사용하여 HTTPS를 통해서만 사이트에 액세스해야 함을 브라우저에 알리는 것이 좋습니다.",
+ "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant",
+ "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https",
+ "service": "App Services",
+ "severity": "높다",
+ "text": "HTTPS만 사용",
+ "waf": "안전"
 },
 {
- "ammp": true,
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)",
- "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering",
- "service": "VNet",
+ "checklist": "Azure App Service Review",
+ "description": "CORS 구성에서 와일드카드를 사용하면 모든 원본이 서비스에 액세스할 수 있으므로 CORS의 목적에 어긋나므로 사용하지 마세요. 특히 서비스에 액세스할 수 있을 것으로 예상되는 원본만 허용합니다.",
+ "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3",
+ "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api",
+ "service": "App Services",
 "severity": "높다",
- "text": "VNet 피어링을 구성할 때 '원격 가상 네트워크에 대한 트래픽 허용' 설정을 사용합니다",
- "waf": "신뢰도"
+ "text": "와일드카드는 CORS에 사용할 수 없습니다.",
+ "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec",
- "service": "ExpressRoute",
- "severity": "보통",
- "text": "ExpressRoute Direct를 사용하는 경우 조직의 라우터와 MSEE 간의 계층 2 수준에서 트래픽을 암호화하도록 MACsec을 구성합니다. 다이어그램은 흐름에서 이 암호화를 보여 줍니다.",
+ "checklist": "Azure App Service Review",
+ "description": "원격 디버깅은 서비스에서 추가 포트를 열어 공격 노출 영역을 증가시키므로 프로덕션에서 켜면 안 됩니다. 서비스는 48시간 후에 자동으로 원격 디버깅을 설정합니다.",
+ "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant",
+ "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings",
+ "service": "App Services",
+ "severity": "높다",
+ "text": "원격 디버깅 끄기",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about",
- "service": "ExpressRoute",
- "severity": "낮다",
- "text": "MACsec을 사용할 수 없는 시나리오(예: ExpressRoute Direct를 사용하지 않는 경우)의 경우 VPN Gateway를 사용하여 ExpressRoute 개인 피어링을 통해 IPsec 터널을 설정합니다.",
- "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
+ "checklist": "Azure App Service Review",
+ "description": "App Service용 Defender를 사용하도록 설정합니다. 이는 다른 위협 중에서도 알려진 악성 IP 주소에 대한 통신을 탐지합니다. 작업의 일부로 App Service용 Defender의 권장 사항을 검토합니다.",
+ "guid": "18d2ddb1-0725-4769-be66-91a4834ac932",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction",
+ "service": "App Services",
+ "severity": "보통",
+ "text": "클라우드용 Defender 사용 - App Service용 Defender",
 "waf": "안전"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "558fd772-49b8-4211-82df-27ee412e7f98",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "ExpressRoute",
- "severity": "높다",
- "text": "Azure 지역 및 온-프레미스 위치에서 겹치는 IP 주소 공간이 사용되지 않는지 확인합니다.",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "checklist": "Azure App Service Review",
+ "description": "Azure는 네트워크에서 DDoS 기본 보호를 제공하며, 정상적인 트래픽 패턴을 학습하고 비정상적인 동작을 감지할 수 있는 지능형 DDoS 표준 기능으로 개선할 수 있습니다. DDoS 표준은 Virtual Network에 적용되므로 Application Gateway 또는 NVA와 같은 앱 앞의 네트워크 리소스에 대해 구성해야 합니다.",
+ "guid": "223ece80-b123-4071-a541-6415833ea3ad",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "service": "App Services",
+ "severity": "보통",
+ "text": "WAF VNet에서 DDOS 보호 표준 사용Enable DDOS Protection Standard on the WAF VNet",
 "waf": "안전"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr",
- "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "VNet",
- "severity": "낮다",
- "text": "개인 인터넷에 대한 주소 할당 범위의 IP 주소를 사용합니다(RFC 1918).",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "checklist": "Azure App Service Review",
+ "description": "Azure Container Registry에 저장된 이미지를 사용하는 경우 프라이빗 엔드포인트 및 앱 설정 'WEBSITE_PULL_IMAGE_OVER_VNET'를 사용하여 Azure Container Registry에서 가상 네트워크를 통해 끌어옵니다.",
+ "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry",
+ "service": "App Services",
+ "severity": "보통",
+ "text": "Virtual Network를 통해 컨테이너 끌어오기",
 "waf": "안전"
 },
 {
- "ammp": true,
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant",
- "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "VNet",
- "severity": "높다",
- "text": "IP 주소 공간이 낭비되지 않는지 확인하고 불필요하게 큰 가상 네트워크(예: /16)를 만들지 마세요.",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
- "waf": "공연"
- },
- {
- "ammp": true,
- "checklist": "Azure Landing Zone Review",
- "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9",
- "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses",
- "service": "VNet",
- "severity": "높다",
- "text": "프로덕션 및 DR 사이트에 겹치는 IP 주소 범위를 사용하지 마십시오.",
- "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
- "waf": "신뢰도"
+ "checklist": "Azure App Service Review",
+ "description": "참여의 침투 테스트 규칙에 따라 웹 응용 프로그램에 대한 침투 테스트를 수행합니다.",
+ "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing",
+ "service": "App Services",
+ "severity": "보통",
+ "text": "침투 테스트 수행",
+ "waf": "안전"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances",
- "service": "DNS",
+ "checklist": "Azure App Service Review",
+ "description": "DevSecOps 사례에 따라 취약성을 검증하고 검사한 신뢰할 수 있는 코드를 배포합니다.",
+ "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e",
+ "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure",
+ "service": "App Services",
 "severity": "보통",
- "text": "Azure에서 이름 확인만 필요한 환경의 경우 이름 확인을 위해 위임된 영역(예: 'azure.contoso.com')을 사용하여 확인을 위해 Azure 프라이빗 DNS를 사용합니다.",
- "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
- "waf": "작업"
+ "text": "유효성이 검사된 코드 배포",
+ "waf": "안전"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0",
- "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview",
- "service": "DNS",
- "severity": "보통",
- "text": "Azure 및 온-프레미스에서 이름 확인이 필요한 환경의 경우 Azure DNS Private Resolver를 사용하는 것이 좋습니다.",
- "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/",
+ "checklist": "Azure App Service Review",
+ "description": "지원되는 플랫폼, 프로그래밍 언어, 프로토콜 및 프레임워크의 최신 버전을 사용합니다.",
+ "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime",
+ "service": "App Services",
+ "severity": "높다",
+ "text": "최신 플랫폼, 언어, 프로토콜 및 프레임워크 사용",
 "waf": "안전"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances",
- "service": "DNS",
+ "checklist": "Azure Event Hub Review",
+ "description": "Azure Event Hub는 미사용 데이터의 암호화를 제공합니다. 사용자 고유의 키를 사용하는 경우 데이터는 여전히 Microsoft 관리형 키를 사용하여 암호화되지만 Microsoft 관리형 키는 고객 관리형 키를 사용하여 암호화됩니다. ",
+ "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6",
+ "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key",
+ "service": "Event Hubs",
 "severity": "낮다",
- "text": "자체 DNS(예: Red Hat OpenShift)를 요구하고 배포하는 특수 워크로드는 선호하는 DNS 솔루션을 사용해야 합니다.",
- "waf": "작업"
+ "text": "필요한 경우 미사용 데이터 암호화에서 고객 관리형 키 옵션 사용Use customer-managed key option in data at rest encryption when required",
+ "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
+ "waf": "안전"
 },
 {
- "ammp": true,
- "checklist": "Azure Landing Zone Review",
- "guid": "614658d3-558f-4d77-849b-821112df27ee",
- "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration",
- "service": "DNS",
- "severity": "높다",
- "text": "Azure DNS에 대한 자동 등록을 사용하도록 설정하여 가상 네트워크 내에 배포된 가상 머신에 대한 DNS 레코드의 수명 주기를 자동으로 관리합니다.",
- "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
- "waf": "작업"
+ "checklist": "Azure Event Hub Review",
+ "description": "Azure Event Hubs 네임스페이스를 사용하면 클라이언트가 TLS 1.0 이상을 사용하여 데이터를 보내고 받을 수 있습니다. 더 엄격한 보안 조치를 적용하기 위해 클라이언트가 최신 버전의 TLS를 사용하여 데이터를 보내고 받도록 Event Hubs 네임스페이스를 구성할 수 있습니다. Event Hubs 네임스페이스에 최소 버전의 TLS가 필요한 경우 이전 버전으로 수행된 모든 요청이 실패합니다. ",
+ "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e",
+ "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version",
+ "service": "Event Hubs",
+ "severity": "보통",
+ "text": "요청에 필요한 최소 버전의 TLS(전송 계층 보안) 적용 ",
+ "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
+ "waf": "안전"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad",
- "link": "https://learn.microsoft.com/azure/bastion/bastion-overview",
- "service": "Bastion",
+ "checklist": "Azure Event Hub Review",
+ "description": "Event Hubs 네임스페이스를 만들 때 네임스페이스에 대해 RootManageSharedAccessKey라는 정책 규칙이 자동으로 만들어집니다. 이 정책에는 전체 네임스페이스에 대한 관리 권한이 있습니다. 이 규칙을 관리 루트 계정처럼 취급하고 응용 프로그램에서 사용하지 않는 것이 좋습니다. RBAC에서 AAD를 인증 공급자로 사용하는 것이 좋습니다. ",
+ "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d",
+ "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies",
+ "service": "Event Hubs",
 "severity": "보통",
- "text": "Azure Bastion을 사용하여 네트워크에 안전하게 연결하는 것이 좋습니다.",
+ "text": "필요하지 않은 경우 루트 계정을 사용하지 마십시오.",
+ "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/",
 "waf": "안전"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant",
- "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0",
- "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet",
- "service": "Bastion",
+ "checklist": "Azure Event Hub Review",
+ "description": "Azure 리소스에 대한 관리 ID는 Azure VM(Virtual Machines), 함수 앱, Virtual Machine Scale Sets 및 기타 서비스에서 실행되는 애플리케이션에서 Azure AD 자격 증명을 사용하여 Event Hubs 리소스에 대한 액세스 권한을 부여할 수 있습니다. Azure AD 인증과 함께 Azure 리소스에 대한 관리 ID를 사용하면 클라우드에서 실행되는 애플리케이션에 자격 증명을 저장하지 않아도 됩니다. ",
+ "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776",
+ "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest",
+ "service": "Event Hubs",
 "severity": "보통",
- "text": "서브넷 /26 이상에서 Azure Bastion을 사용합니다.",
+ "text": "가능한 경우 애플리케이션은 관리 ID를 사용하여 Azure Event Hub에 인증해야 합니다. 그렇지 않은 경우 Azure Key Vault 또는 동등한 서비스에 스토리지 자격 증명(SAS, 서비스 주체 자격 증명)을 사용하는 것이 좋습니다",
+ "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
 "waf": "안전"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
- "service": "WAF",
- "severity": "보통",
- "text": "Azure Front Door 및 WAF 정책을 사용하여 랜딩 존에 대한 인바운드 HTTP/S 연결을 위해 Azure 지역에서 전역 보호를 제공합니다.",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "checklist": "Azure Event Hub Review",
+ "description": "권한을 만들 때 Azure Event Hub에 대한 클라이언트의 액세스를 세밀하게 제어할 수 있습니다. Azure Event Hub의 사용 권한은 개별 리소스 수준(예: 소비자 그룹, 이벤트 허브 엔터티, 이벤트 허브 네임스페이스 등)으로 범위를 지정할 수 있으며 범위가 지정되어야 합니다.",
+ "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2",
+ "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs",
+ "service": "Event Hubs",
+ "severity": "높다",
+ "text": "최소 권한 데이터 평면 RBAC 사용",
+ "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
 "waf": "안전"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "WAF",
- "severity": "낮다",
- "text": "Azure Front Door 및 Azure Application Gateway를 사용하여 HTTP/S 앱을 보호하는 경우 Azure Front Door에서 WAF 정책을 사용합니다. Azure Front Door에서만 트래픽을 수신하도록 Azure Application Gateway를 잠급니다.",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "checklist": "Azure Event Hub Review",
+ "description": "Azure Event Hub 리소스 로그에는 작업 로그, 가상 네트워크 및 Kafka 로그가 포함됩니다. 런타임 감사 로그는 Event Hubs의 모든 데이터 평면 액세스 작업(예: 이벤트 보내기 또는 받기)에 대해 집계된 진단 정보를 캡처합니다.",
+ "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db",
+ "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference",
+ "service": "Event Hubs",
+ "severity": "보통",
+ "text": "보안 조사를 위해 로깅을 사용하도록 설정합니다. Azure Monitor를 사용하여 리소스 로그, 런타임 감사 로그 및 Kafka 로그와 같은 메트릭 및 로그를 캡처합니다.",
+ "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
 "waf": "안전"
 },
 {
- "ammp": true,
- "checklist": "Azure Landing Zone Review",
- "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "WAF",
- "severity": "높다",
- "text": "WAF 및 기타 역방향 프록시 배포는 인바운드 HTTP/S 연결에 필요하며, 랜딩 존 가상 네트워크 내에 배포하고 보호하고 인터넷에 노출하는 앱과 함께 배포합니다.",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "checklist": "Azure Event Hub Review",
+ "description": "Azure Event Hub는 기본적으로 공용 IP 주소를 가지며 인터넷에 연결할 수 있습니다. 프라이빗 엔드포인트를 사용하면 가상 네트워크와 Azure Event Hub 간의 트래픽이 Microsoft 백본 네트워크를 통해 트래버스할 수 있습니다. 또한 퍼블릭 엔드포인트를 사용하지 않는 경우 사용하지 않도록 설정해야 합니다. ",
+ "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc",
+ "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service",
+ "service": "Event Hubs",
+ "severity": "보통",
+ "text": "프라이빗 엔드포인트를 사용하여 Azure Event Hub에 액세스하고 해당하는 경우 공용 네트워크 액세스를 사용하지 않도록 설정하는 것이 좋습니다.",
+ "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
 "waf": "안전"
 },
 {
- "ammp": true,
- "checklist": "Azure Landing Zone Review",
- "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
- "service": "VNet",
- "severity": "높다",
- "text": "Azure DDoS 네트워크 또는 IP 보호 계획을 사용하여 가상 네트워크 내에서 공용 IP 주소 엔드포인트를 보호할 수 있습니다.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "checklist": "Azure Event Hub Review",
+ "description": "IP 방화벽을 사용하면 퍼블릭 엔드포인트를 CIDR(Classless Inter-Domain Routing) 표기법의 IPv4 주소 또는 IPv4 주소 범위 집합으로만 추가로 제한할 수 있습니다. ",
+ "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd",
+ "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering",
+ "service": "Event Hubs",
+ "severity": "보통",
+ "text": "특정 IP 주소 또는 범위에서 Azure Event Hub 네임스페이스에 대한 액세스만 허용하는 것이 좋습니다",
+ "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "waf": "안전"
 },
 {
- "ammp": true,
- "checklist": "Azure Landing Zone Review",
- "guid": "b034c01e-110b-463a-b36e-e3346e57f225",
- "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access",
- "service": "VNet",
- "severity": "높다",
- "text": "예정된 호환성이 손상되는 변경 전에 네트워크 아웃바운드 트래픽 구성 및 전략을 평가하고 검토합니다. 2025년 9월 30일에 새 배포에 대한 기본 아웃바운드 액세스가 사용 중지되고 명시적 액세스 구성만 허용됩니다",
+ "checklist": "Azure Event Hub Review",
+ "guid": "31d41e36-11c8-417b-8afb-c410d4391898",
+ "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx",
+ "service": "Event Hubs",
+ "severity": "보통",
+ "text": "FTA 탄력성 핸드북 활용",
 "waf": "신뢰도"
 },
 {
- "ammp": true,
- "checklist": "Azure Landing Zone Review",
- "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
- "service": "VNet",
+ "checklist": "Azure Event Hub Review",
+ "description": " 영역 사용 지역의 프리미엄, 전용 또는 표준 SKU를 사용하여 포털에서 만든 새 EH 네임스페이스에 대해 자동으로 설정됩니다. 
EH 메타데이터와 이벤트 데이터 자체는 모두 영역 간에 복제됩니다", + "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", + "service": "Event Hubs", "severity": "높다", - "text": "보호된 모든 공용 IP 주소(DDoS IP 또는 네트워크 보호)에 대한 DDoS 관련 로그를 저장하는 진단 설정을 추가합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "안전" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli", - "service": "ExpressRoute", - "severity": "보통", - "text": "ExpressRoute를 Azure에 대한 기본 연결로 사용할 수 있는지 조사했는지 확인합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "공연" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "description": "AS-path 접두사 및 연결 가중치를 사용하여 Azure에서 온-프레미스로의 트래픽에 영향을 주고, 자체 라우터의 전체 BGP 특성 범위를 사용하여 온-프레미스에서 Azure로의 트래픽에 영향을 줄 수 있습니다.", - "guid": "f29812b2-363c-4efe-879b-599de0d5973c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", - "service": "ExpressRoute", - "severity": "보통", - "text": "여러 ExpressRoute 회로 또는 여러 온-프레미스 위치를 사용하는 경우 특정 경로를 선호하는 경우 BGP 특성을 사용하여 라우팅을 최적화해야 합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "지역적으로 적용 가능한 경우 가용성 영역 활용Leverage Availability Zones if regionally applicable", "waf": "신뢰도" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = 
properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", - "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", - "service": "ExpressRoute", + "checklist": "Azure Event Hub Review", + "guid": "20b56c56-ad58-4519-8f82-735c586bb281", + "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", + "service": "Event Hubs", "severity": "보통", - "text": "대역폭 및 성능 요구 사항에 따라 ExpressRoute/VPN 게이트웨이에 적합한 SKU를 사용하고 있는지 확인합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "공연" - }, - { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", - "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", - "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", - "service": "ExpressRoute", - "severity": "높다", - "text": "비용을 정당화하는 대역폭에 도달하는 경우에만 무제한 데이터 ExpressRoute 회로를 사용해야 합니다.", - "waf": "비용" + "text": "예측 가능한 성능을 위해 프리미엄 또는 전용 SKU 사용", + "waf": "신뢰도" }, { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", - 
"guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", - "service": "ExpressRoute", + "checklist": "Azure Event Hub Review", + "description": "기본 제공 지역 재해 복구 기능을 사용하도록 설정하면 네임스페이스(Event Hubs, 소비자 그룹 및 설정)의 전체 구성이 기본 네임스페이스에서 보조 네임스페이스로 지속적으로 복제되며, 언제든지 한 번만 장애 조치(failover)를 주 네임스페이스에서 보조 네임스페이스로 이동할 수 있습니다. 활성/수동 기능은 애플리케이션 구성을 변경할 필요 없이 실패한 Azure 지역에서 더 쉽게 복구하고 중단할 수 있도록 설계되었습니다", + "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", + "service": "Event Hubs", "severity": "높다", - "text": "회로의 피어링 위치가 로컬 SKU에 대한 Azure 지역을 지원하는 경우 ExpressRoute의 로컬 SKU를 활용하여 회로 비용을 줄입니다.", - "waf": "비용" + "text": "Active Passive 구성을 사용하여 지역 재해 복구 계획Plan for Geo Disaster Recovery using Active Passive configuration", + "waf": "신뢰도" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", - "service": "ExpressRoute", + "checklist": "Azure Event Hub Review", + "description": "다운된 지역에서 이벤트 데이터의 중단 또는 손실을 허용할 수 없는 DR 구성에 사용해야 합니다. 이러한 경우 복제 지침을 따르고 기본 제공 지역 재해 복구 기능(활성/수동)을 사용하지 마세요. 
액티브/액티브를 사용하여 서로 다른 지역 및 네임스페이스에서 여러 Event Hubs를 유지 관리하면 허브 간에 이벤트가 복제됩니다", + "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", + "service": "Event Hubs", "severity": "보통", - "text": "지원되는 Azure 지역에 영역 중복 ExpressRoute 게이트웨이를 배포합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "Business Critical Applications의 경우 Active Active 구성을 사용합니다.", "waf": "신뢰도" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", + "checklist": "Azure Event Hub Review", + "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", + "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", + "service": "Event Hubs", "severity": "보통", - "text": "10Gbps보다 높은 대역폭 또는 전용 10/100Gbps 포트가 필요한 시나리오의 경우 ExpressRoute Direct를 사용합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "공연" + "text": "복원력 있는 Event Hubs 설계", + "waf": "신뢰도" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", - "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", - "service": "ExpressRoute", + "checklist": "Azure Spring Apps Review", + "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", + "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", + "service": "Spring Apps", "severity": "보통", - "text": "짧은 대기 시간이 필요하거나 온-프레미스에서 Azure로의 처리량이 10Gbps보다 커야 하는 경우 FastPath를 사용하여 데이터 경로에서 ExpressRoute 게이트웨이를 우회합니다.", - "training": 
"https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "공연" + "text": "Azure Spring Apps는 모든 앱에 대해 두 개의 배포를 허용하며, 그 중 하나만 프로덕션 트래픽을 수신합니다. 블루-그린 배포 전략을 통해 가동 중지 시간 제로를 달성할 수 있습니다. 파란색 녹색 배포는 표준 및 엔터프라이즈 계층에서만 사용할 수 있습니다. ADO/GitHub 작업과 함께 CI/CD를 사용하여 배포를 자동화할 수 있습니다.", + "waf": "신뢰도" }, { - "arm-service": "microsoft.network/vpnGateways", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", - "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", - "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", - "service": "VPN", + "checklist": "Azure Spring Apps Review", + "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", + "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", + "service": "Spring Apps", "severity": "보통", - "text": "영역 중복 VPN Gateway를 사용하여 분기 또는 원격 위치를 Azure(사용 가능한 경우)에 연결합니다.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "text": "Azure Spring Apps 인스턴스는 애플리케이션에 대해 여러 지역에서 만들 수 있으며 Traffic Manager/Front Door에서 트래픽을 라우팅할 수 있습니다.", "waf": "신뢰도" }, { - "arm-service": "microsoft.network/vpnGateways", - "checklist": "Azure Landing Zone Review", - "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", - "service": "VPN", + "checklist": "Azure Spring Apps Review", + "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", + "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", + "service": "Spring Apps", "severity": "보통", - "text": "온-프레미스에서 중복 VPN 어플라이언스(활성/활성 또는 활성/수동)를 사용합니다.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "text": "지원되는 지역에서 Azure 
Spring Apps는 영역 중복으로 배포할 수 있으며, 이는 인스턴스가 가용성 영역에 자동으로 분산됨을 의미합니다. 이 기능은 Standard 및 Enterprise 계층에서만 사용할 수 있습니다.", "waf": "신뢰도" }, { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "718cb437-b060-2589-8856-2e93a5c6633b", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", - "service": "ExpressRoute", - "severity": "높다", - "text": "ExpressRoute Direct를 사용하는 경우 비용을 절감하기 위해 로컬 Azure 지역에 대한 ExpressRoute 로컬 회로를 사용하는 것이 좋습니다", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "비용" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", - "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", - "service": "ExpressRoute", + "checklist": "Azure Spring Apps Review", + "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", + "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", + "service": "Spring Apps", "severity": "보통", - "text": "트래픽 격리 또는 전용 대역폭이 필요한 경우(예: 프로덕션 환경과 비프로덕션 환경을 분리하기 위해) 다른 ExpressRoute 회로를 사용합니다. 
격리된 라우팅 도메인을 보장하고 시끄러운 이웃 위험을 완화하는 데 도움이 됩니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "안전" + "text": "앱에 1개 이상의 앱 인스턴스 사용", + "waf": "신뢰도" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b30e38c3-f298-412b-8363-cefe179b599d", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", - "service": "ExpressRoute", + "checklist": "Azure Spring Apps Review", + "guid": "7504c230-6035-4183-95a5-85762acc6075", + "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", + "service": "Spring Apps", "severity": "보통", - "text": "기본 제공 Express Route Insights를 사용하여 ExpressRoute 가용성 및 사용률을 모니터링합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "작업" + "text": "로그, 메트릭 및 추적을 사용하여 Azure Spring Apps를 모니터링합니다. ASA를 Application Insights와 통합하고, 오류를 추적하고, 통합 문서를 만듭니다.", + "waf": "신뢰도" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", - "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", - "service": "ExpressRoute", + "checklist": "Azure Spring Apps Review", + "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", + "service": "Spring Apps", "severity": "보통", - "text": "네트워크 전체, 특히 온-프레미스와 Azure 간의 연결을 모니터링하려면 연결 모니터를 사용합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "작업" + "text": "Spring Cloud Gateway에서 자동 크기 조정 설정", + "waf": "신뢰도" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where 
properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", - "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#challenges-of-using-multiple-expressroute-circuits", - "service": "ExpressRoute", - "severity": "보통", - "text": "중복성을 위해 서로 다른 피어링 위치의 ExpressRoute 회로를 사용합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "checklist": "Azure Spring Apps Review", + "guid": "97411607-b6fd-4335-99d1-9885faf4e392", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", + "service": "Spring Apps", + "severity": "낮다", + "text": "표준 소비 및 전용 플랜이 있는 앱에 대해 자동 크기 조정을 사용하도록 설정합니다.", "waf": "신뢰도" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", - "service": "ExpressRoute", + "checklist": "Azure Spring Apps Review", + "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", + "link": "https://learn.microsoft.com/azure/spring-apps/overview", + "service": "Spring Apps", "severity": "보통", - "text": "특히 단일 ExpressRoute 회로만 사용하는 경우 사이트 간 VPN을 ExpressRoute의 장애 조치(failover)로 사용합니다.", + "text": "중요 업무용 앱에 대한 Spring Boot의 상업적 지원을 위해 Enterprise 플랜을 사용합니다. 
다른 계층에서는 OSS 지원을 받을 수 있습니다.", "waf": "신뢰도" }, { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", - "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", - "service": "ExpressRoute", - "severity": "높다", - "text": "GatewaySubnet에서 경로 테이블을 사용하는 경우 게이트웨이 경로가 전파되었는지 확인합니다.", + "checklist": "Azure Data Factory Review Checklist", + "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", + "service": "Azure Data Factory", + "severity": "보통", + "text": "Azure Data Factory에 대한 FTA 복원력 플레이북 활용", "waf": "신뢰도" }, { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "d581a947-69a2-4783-942e-9df3664324c8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", - "service": "ExpressRoute", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", 
"severity": "높다", - "text": "ExpressRoute를 사용하는 경우 온-프레미스 라우팅은 동적이어야 하며, 연결 오류가 발생할 경우 회로의 나머지 연결로 수렴되어야 합니다. 로드는 두 연결 모두에서 이상적으로는 액티브/액티브로 공유되어야 하지만 액티브/패시브도 지원됩니다.", + "text": "가용성 영역을 지원하는 지역에서 영역 중복 파이프라인 사용Use zone redundant pipelines in regions that support Availability Zones", "waf": "신뢰도" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", - "service": "ExpressRoute", + "checklist": "Azure Data Factory Review Checklist", + "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", + "link": "https://learn.microsoft.com/azure/data-factory/source-control", + "service": "Azure Data Factory", "severity": "보통", - "text": "ExpressRoute 회로의 두 물리적 링크가 네트워크에 있는 두 개의 고유한 에지 디바이스에 연결되어 있는지 확인합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "DevOps를 사용하여 Github/Azure DevOps 통합으로 ARM 템플릿 백업 ", "waf": "신뢰도" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", - "service": "ExpressRoute", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "severity": "보통", - "text": "BFD(Bidirectional Forwarding Detection)가 고객 또는 프로바이더 에지 라우팅 디바이스에서 활성화되고 구성되도록 보장합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "다른 지역에서 자체 호스팅 통합 런타임 VM을 복제해야 합니다. 
", "waf": "신뢰도" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "ExpressRoute", - "severity": "높다", - "text": "복원력을 높이기 위해 서로 다른 피어링 위치에서 둘 이상의 회로에 ExpressRoute 게이트웨이를 연결합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "checklist": "Azure Data Factory Review Checklist", + "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", + "severity": "보통", + "text": "자매 지역에서 네트워크를 복제하거나 복제해야 합니다. 다른 지역에서 Vnet의 복사본을 만들어야 합니다", "waf": "신뢰도" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", - "service": "ExpressRoute", - "severity": "보통", - "text": "ExpressRoute 가상 네트워크 게이트웨이에 대한 진단 로그 및 경고를 구성합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "작업" + "checklist": "Azure Data Factory Review Checklist", + "description": "ADF 파이프라인에서 Key Vault를 사용하는 경우 Key Vault를 복제하기 위해 아무 작업도 수행할 필요가 없습니다. 
Key Vault는 관리되는 서비스이며 Microsoft에서 처리합니다", + "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Azure Data Factory", + "severity": "낮다", + "text": "Keyvault 통합을 사용하는 경우 Keyvault의 SLA를 사용하여 가용성을 파악합니다", + "waf": "신뢰도" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "5234c93f-b651-41dd-80c1-234177b91ced", - "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", - "service": "ExpressRoute", + "checklist": "SAP Checklist", + "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", + "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", + "service": "SAP", "severity": "보통", - "text": "VNet 간 통신에 ExpressRoute 회로를 사용하지 마세요.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "공연" - }, - { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", - "link": "https://learn.microsoft.com/azure/app-service/networking-features", - "service": "Firewall", - "severity": "높다", - "text": "Azure Firewall을 사용하여 인터넷에 대한 Azure 아웃바운드 트래픽, 비 HTTP/S 인바운드 연결 및 East/West 트래픽 필터링(조직에 필요한 경우)을 제어합니다", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "안전" + "text": "ACSS(Azure Center for SAP solutions)는 SAP를 Azure의 최상위 워크로드로 만드는 Azure 제품입니다. ACSS는 Azure에서 SAP 시스템을 통합 워크로드로 만들고 실행할 수 있도록 하는 엔드투엔드 솔루션으로, 혁신을 위한 보다 원활한 기반을 제공합니다. 
신규 및 기존 Azure 기반 SAP 시스템 모두에 대한 관리 기능을 활용할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", + "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", + "checklist": "SAP Checklist", + "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", + "service": "SAP", "severity": "보통", - "text": "글로벌 Azure Firewall 정책을 만들어 글로벌 네트워크 환경에서 보안 태세를 제어하고 모든 Azure Firewall 인스턴스에 할당합니다. Azure 역할 기반 액세스 제어를 통해 증분 방화벽 정책을 로컬 보안 팀에 위임하여 특정 지역의 요구 사항을 충족하는 세분화된 정책을 허용합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "안전" + "text": "Azure는 Linux 및 Windows에서 SAP 배포 자동화를 지원합니다. SAP Deployment Automation Framework는 SAP 환경을 배포, 설치 및 유지 관리할 수 있는 오픈 소스 오케스트레이션 도구입니다.", + "training": "https://github.com/Azure/sap-automation", + "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", - "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", - "service": "Firewall", - "severity": "낮다", - "text": "조직에서 이러한 솔루션을 사용하여 아웃바운드 연결을 보호하려는 경우 Firewall Manager 내에서 지원되는 파트너 SaaS 보안 공급자를 구성합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", + "service": "SAP", + "severity": "보통", + "text": "RTO를 충족하는 시점과 시간 프레임에서 프로덕션 데이터베이스에 대한 특정 시점으로 복구를 수행합니다. 
특정 시점 복구에는 일반적으로 DBMS 계층 또는 SAP를 통해 데이터를 삭제하는 운영자 오류가 포함됩니다", + "waf": "신뢰도" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", - "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", - "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", - "service": "Firewall", - "severity": "높다", - "text": "FQDN 기반 네트워크 규칙 및 DNS 프록시와 함께 Azure Firewall을 사용하여 애플리케이션 규칙에서 지원하지 않는 프로토콜을 통해 인터넷으로의 송신 트래픽을 필터링합니다.", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", + "service": "SAP", + "severity": "보통", + "text": "백업 및 복구 시간을 테스트하여 재해 발생 후 모든 시스템을 동시에 복원하기 위한 RTO 요구 사항을 충족하는지 확인합니다.", + "waf": "신뢰도" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", - "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", - "link": "https://learn.microsoft.com/azure/firewall/premium-features", - "service": "Firewall", + "checklist": "SAP Checklist", + "guid": "b651423c-8552-42db-a545-5cb50c05527a", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "SAP", "severity": "높다", - "text": "추가 보안 및 보호를 위해 Azure Firewall 프리미엄을 사용합니다.", - "waf": "안전" + "text": "쌍을 이루는 지역 간에 표준 스토리지를 복제할 수 있지만 표준 스토리지를 사용하여 데이터베이스 또는 가상 하드 디스크를 저장할 수는 없습니다. 사용하는 쌍을 이루는 지역 간에만 백업을 복제할 수 있습니다. 다른 모든 데이터의 경우 SQL Server Always On 또는 SAP HANA 시스템 복제와 같은 네이티브 DBMS 기능을 사용하여 복제를 실행합니다. 
SAP 애플리케이션 계층에 Site Recovery, rsync 또는 robocopy 및 기타 타사 소프트웨어의 조합을 사용합니다.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "신뢰도" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", - "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", - "link": "https://learn.microsoft.com/azure/firewall/premium-features", - "service": "Firewall", - "severity": "높다", - "text": "추가 보호를 위해 Azure Firewall 위협 인텔리전스 모드를 경고 및 거부로 구성합니다.", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", + "severity": "보통", + "text": "Azure 가용성 영역을 사용하여 고가용성을 달성하는 경우 SAP 애플리케이션 서버와 데이터베이스 서버 간의 대기 시간을 고려해야 합니다. 대기 시간이 긴 영역의 경우 SAP 애플리케이션 서버와 데이터베이스 서버가 항상 동일한 영역에서 실행되도록 운영 절차를 마련해야 합니다.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "신뢰도" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", - "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", - "service": "Firewall", + "checklist": "SAP Checklist", + "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "SAP", "severity": "높다", - "text": "추가 보호를 위해 Azure Firewall IDPS 모드를 거부로 구성합니다.", - "waf": "안전" + "text": "온-프레미스에서 기본 및 보조 Azure 재해 복구 지역으로의 ExpressRoute 연결을 설정합니다. 
또한 ExpressRoute를 사용하는 대신 온-프레미스에서 주 및 보조 Azure 재해 복구 지역으로 VPN 연결을 설정하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", + "waf": "신뢰도" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", - "guid": "a3784907-9836-4271-aafc-93535f8ec08b", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", - "service": "Firewall", - "severity": "높다", - "text": "Virtual WAN에 연결되지 않은 VNet의 서브넷의 경우 인터넷 트래픽이 Azure Firewall 또는 네트워크 가상 어플라이언스로 리디렉션되도록 경로 테이블을 연결합니다", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "SAP", + "severity": "낮다", + "text": "DR 
지역에서 데이터의 암호를 해독할 수 있도록 지역 간에 인증서, 비밀 또는 키와 같은 키 자격 증명 모음 콘텐츠를 복제합니다.", + "waf": "신뢰도" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "715d833d-4708-4527-90ac-1b142c7045ba", - "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", - "service": "Firewall", + "checklist": "SAP Checklist", + "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", + "service": "SAP", "severity": "보통", - "text": "모든 Azure Firewall 배포에 대해 리소스별 대상 테이블을 사용하여 로그를 저장하는 진단 설정을 추가합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "작업" + "text": "기본 및 재해 복구 가상 네트워크를 피어링합니다. 예를 들어 HANA 시스템 복제의 경우 SAP HANA DB 가상 네트워크를 재해 복구 사이트의 SAP HANA DB 가상 네트워크에 피어링해야 합니다.", + "waf": "신뢰도" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", - "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", - "service": "Firewall", - "severity": "중요하다", - "text": "Azure Firewall 클래식 규칙(있는 경우)에서 방화벽 정책으로 마이그레이션합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", + "service": "SAP", + "severity": "낮다", + "text": "SAP 배포에 Azure NetApp Files 스토리지를 사용하는 경우 최소한 두 지역의 프리미엄 계층에 두 개의 Azure NetApp Files 계정을 만듭니다.", + "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", + "waf": "신뢰도" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = 
subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", - "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", - "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", - "service": "Firewall", + "checklist": "SAP Checklist", + "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "severity": "높다", - "text": "Azure Firewall 서브넷에 /26 접두사를 사용합니다.", - "waf": "안전" + "text": "기본 데이터베이스 복제 기술을 사용하여 HA 쌍의 데이터베이스를 동기화해야 합니다.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", + "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", - "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", - "service": "Firewall", - "severity": "보통", - "text": "방화벽 정책 내의 규칙을 Rule Collection Groups(규칙 컬렉션 그룹) 및 Rule Collections(규칙 컬렉션)로 정렬하고 사용 빈도에 따라 정렬합니다", - "waf": "공연" + "checklist": "SAP Checklist", + "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", + "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", + "service": "SAP", + "severity": "높다", + "text": "기본 VNet(가상 네트워크)에 대한 CIDR은 DR 사이트 VNet의 CIDR과 충돌하거나 겹치지 않아야 합니다", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", - "link": "https://learn.microsoft.com/azure/firewall/ip-groups", - "service": "Firewall", - "severity": "보통", - "text": "IP 그룹 또는 IP 접두사를 사용하여 IP 테이블 규칙 수 줄이기", - "waf": "공연" + "checklist": "SAP Checklist", + 
"guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", + "service": "SAP", + "severity": "높다", + "text": "Site Recovery를 사용하여 응용 프로그램 서버를 DR 사이트에 복제합니다. Site Recovery는 중앙 서비스 클러스터 VM을 DR 사이트에 복제하는 데도 도움이 될 수 있습니다. DR을 호출할 때 DR 사이트에서 Linux Pacemaker 클러스터를 다시 구성해야 합니다(예: VIP 또는 SBD 바꾸기, corosync.conf 실행 등).", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", - "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", - "service": "Firewall", - "severity": "보통", - "text": "와일드카드를 DNAT의 소스 IP로 사용하지 않으려면 * 또는 any와 같이 수신 DNAT에 대한 소스 IP를 지정해야 합니다", - "waf": "공연" + "checklist": "SAP Checklist", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "높다", + "text": "단일 장애 지점에 대한 SAP 소프트웨어의 가용성을 고려합니다. 여기에는 SAP NetWeaver 및 SAP S/4HANA 아키텍처, SAP ABAP 및 ASCS + SCS에서 사용되는 DBMS와 같은 애플리케이션 내의 단일 실패 지점이 포함됩니다. 또한 SAP Web Dispatcher와 같은 다른 도구도 있습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", + "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", - "link": "https://learn.microsoft.com/azure/nat-gateway/tutorial-hub-spoke-nat-firewall", - "service": "Firewall", - "severity": "보통", - "text": "SNAT 포트 사용량을 모니터링하고, NAT 게이트웨이 설정을 평가하고, 원활한 장애 조치(failover)를 보장하여 SNAT 포트 소모를 방지합니다. 
포트 수가 제한에 가까워지면 SNAT 소모가 임박했다는 신호입니다.", - "waf": "공연" + "checklist": "SAP Checklist", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "service": "SAP", + "severity": "높다", + "text": "SAP 및 SAP 데이터베이스의 경우 자동 장애 조치(failover) 클러스터를 구현하는 것이 좋습니다. Windows에서 Windows Server 장애 조치(failover) 클러스터링은 장애 조치(failover)를 지원합니다. Linux에서 Linux Pacemaker 또는 SIOS Protection Suite 및 Veritas InfoScale과 같은 타사 툴은 장애 조치를 지원합니다.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "guid": "346840b8-1064-496e-8396-4b1340172d52", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", - "service": "Firewall", + "checklist": "SAP Checklist", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "severity": "높다", - "text": "TLS 검사 활성화", - "waf": "공연" + "text": "Azure는 기본 및 보조 VM이 DBMS 데이터에 대한 스토리지를 공유하는 아키텍처를 지원하지 않습니다. 
DBMS 계층의 경우 일반적인 아키텍처 패턴은 기본 및 보조 VM에서 사용하는 것과 다른 스토리지 스택을 사용하여 동시에 데이터베이스를 복제하는 것입니다.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", + "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", - "service": "Firewall", - "severity": "낮다", - "text": "웹 범주를 사용하여 특정 주제에 대한 아웃바운드 액세스를 허용하거나 거부할 수 있습니다.", - "waf": "공연" + "checklist": "SAP Checklist", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", + "service": "SAP", + "severity": "높다", + "text": "DBMS 데이터 및 트랜잭션/다시 실행 로그 파일은 Azure 지원 블록 스토리지 또는 Azure NetApp Files에 저장됩니다. Azure Files 또는 Azure Premium Files는 DBMS 데이터 및/또는 SAP 워크로드가 있는 다시 실행 로그 파일에 대한 스토리지로 지원되지 않습니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", + "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", - "service": "Firewall", - "severity": "보통", - "text": "TLS 검사의 일환으로 검사를 위해 Azure App Gateway에서 트래픽을 수신하도록 계획합니다.", - "waf": "공연" + "checklist": "SAP Checklist", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "service": "SAP", + "severity": "높다", + "text": "ASCS + SCS 구성 요소 및 특정 고가용성 시나리오에 대해 Windows에서 Azure 공유 디스크를 사용할 수 있습니다. SAP 애플리케이션 계층 구성 요소 및 DBMS 계층에 대해 장애 조치(failover) 클러스터를 별도로 설정합니다. 
Azure는 현재 SAP 애플리케이션 계층 구성 요소와 DBMS 계층을 하나의 장애 조치(failover) 클러스터로 결합하는 고가용성 아키텍처를 지원하지 않습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", - "link": "https://learn.microsoft.com/azure/firewall/dns-details", - "service": "Firewall", - "severity": "보통", - "text": "Azure Firewall DNS 프록시 구성 사용 ", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", + "service": "SAP", + "severity": "높다", + "text": "SAP ASCS(애플리케이션 계층 구성 요소) 및 DBMS 계층에 대한 대부분의 장애 조치(failover) 클러스터에는 장애 조치(failover) 클러스터에 대한 가상 IP 주소가 필요합니다. Azure Load Balancer는 다른 모든 경우에 대한 가상 IP 주소를 처리해야 합니다. 한 가지 설계 원칙은 클러스터 구성당 하나의 부하 분산 장치를 사용하는 것입니다. 부하 분산 장치의 표준 버전(표준 Load Balancer SKU)을 사용하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", - "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", - "service": "Firewall", - "severity": "보통", - "text": "Virtual Machines에 직접 연결된 공용 IP 주소를 거부하는 정책 할당이 있는지 확인합니다.", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", + "service": "SAP", + "severity": "높다", + "text": "로드 밸런서에서 유동 IP가 사용하도록 설정되어 있는지 확인합니다.", + "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "guid": 
"1dc04554-dece-4ffb-a49e-5c683e09f8da", - "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", - "service": "Firewall", - "severity": "낮다", - "text": "Azure Firewall을 Azure Monitor와 통합하고 진단 로깅을 사용하도록 설정하여 방화벽 로그를 저장하고 분석합니다.", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "SAP", + "severity": "높다", + "text": "고가용성 인프라를 배포하기 전에 선택한 지역에 따라 Azure 가용성 집합 또는 가용성 영역을 사용하여 배포할지 여부를 결정합니다.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", - "severity": "낮다", - "text": "방화벽 규칙에 대한 백업 구현", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "SAP", + "severity": "높다", + "text": "SAP 구성 요소(중앙 서비스, 애플리케이션 서버 및 데이터베이스)용 애플리케이션에 대한 인프라 SLA를 충족하려면 모든 구성 요소에 대해 동일한 고가용성 옵션(VM, 가용성 집합, 가용성 영역)을 선택해야 합니다.", + "waf": "신뢰도" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", "severity": "높다", - "text": "가상 네트워크에 삽입된 Azure PaaS 서비스에 대한 컨트롤 플레인 통신이 중단되지 않았는지 확인합니다(예: 0.0.0.0/0 경로 또는 컨트롤 플레인 트래픽을 차단하는 NSG 규칙).", - "training": 
"https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "안전" + "text": "동일한 가용성 집합에 서로 다른 역할의 서버를 혼합하지 마십시오. 중앙 서비스 VM, 데이터베이스 VM, 애플리케이션 VM을 자체 가용성 집합으로 유지", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", - "link": "https://learn.microsoft.com/azure/app-service/networking-features", - "service": "ExpressRoute", + "checklist": "SAP Checklist", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + "service": "SAP", "severity": "보통", - "text": "프라이빗 엔드포인트 및 ExpressRoute 프라이빗 피어링을 통해 온-프레미스에서 Azure PaaS 서비스에 액세스합니다. 이 방법을 사용하면 공용 인터넷을 통한 전송을 방지할 수 있습니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "안전" + "text": "근접 배치 그룹을 사용하지 않는 한 Azure 가용성 영역 내에 Azure 가용성 집합을 배포할 수 없습니다.", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", - "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", - "link": "https://learn.microsoft.com/azure/app-service/networking-features", - "service": "VNet", - "severity": "보통", - "text": "모든 서브넷에서 기본적으로 가상 네트워크 서비스 엔드포인트를 사용하도록 설정하지 마세요.", - "training": 
"https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", + "severity": "높다", + "text": "가용성 집합을 만들 때 사용 가능한 최대 장애 도메인 및 업데이트 도메인 수를 사용합니다. 예를 들어 하나의 가용성 집합에 두 개 이상의 VM을 배포하는 경우 Azure의 계획된 유지 관리 외에도 잠재적인 물리적 하드웨어 오류, 네트워크 중단 또는 전원 중단의 영향을 제한하기 위해 최대 장애 도메인 수(3개)와 충분한 업데이트 도메인을 사용합니다. 장애 도메인의 기본 수는 2개이며 나중에 온라인으로 변경할 수 없습니다.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", - "link": "https://learn.microsoft.com/azure/app-service/networking-features", - "service": "Firewall", - "severity": "보통", - "text": "데이터 반출을 방지하기 위해 Azure Firewall 또는 NVA의 IP 주소 대신 FQDN을 사용하여 Azure PaaS 서비스에 대한 송신 트래픽을 필터링합니다. 
Private Link를 사용하는 경우 모든 FQDN을 차단할 수 있으며, 그렇지 않으면 필요한 PaaS 서비스만 허용할 수 있습니다.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", + "severity": "높다", + "text": "가용성 집합 배포에서 Azure 근접 배치 그룹을 사용하는 경우 세 가지 SAP 구성 요소(중앙 서비스, 애플리케이션 서버 및 데이터베이스)가 모두 동일한 근접 배치 그룹에 있어야 합니다.", + "waf": "신뢰도" }, { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", - "service": "ExpressRoute", + "checklist": "SAP Checklist", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "높다", - "text": "게이트웨이 서브넷에 /27 이상의 접두사를 사용합니다", - "waf": "안전" + "text": "SAP SID당 하나의 근접 배치 그룹을 사용합니다. 
그룹은 가용성 영역 또는 Azure 지역에 걸쳐 있지 않습니다.", + "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", - "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", - "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", - "service": "NSG", - "severity": "보통", - "text": "VirtualNetwork 서비스 태그를 사용하여 연결을 제한하는 NSG 인바운드 기본 규칙을 사용하지 마세요.", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "높다", + "text": "운영 체제에 따라 다음 서비스 중 하나를 사용하여 SAP 중앙 서비스 클러스터를 실행합니다.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", - "service": "NSG", + "checklist": "SAP Checklist", + "guid": "ed46b937-913e-4018-9c62-8393ab037e53", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", + "service": "SAP", "severity": "보통", - "text": "NSG를 사용하여 서브넷 간의 트래픽과 플랫폼 전체의 East/West 트래픽(랜딩 존 간 트래픽)을 보호할 수 있습니다.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "안전" + "text": "Azure는 현재 동일한 Linux Pacemaker 클러스터에서 ASCS와 DB HA의 결합을 지원하지 않습니다. 개별 클러스터로 분리합니다. 그러나 최대 5개의 여러 중앙 서비스 클러스터를 한 쌍의 VM으로 결합할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "graph": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)", - "guid": "9c2299c4-d7b5-47d0-a655-562f2b3e4563", - "service": "NSG", + "checklist": "SAP Checklist", + "guid": "f656e745-0cfb-453e-8008-0528fa21c933", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "severity": "보통", - "text": "애플리케이션 팀은 서브넷 수준 NSG에서 애플리케이션 보안 그룹을 사용하여 랜딩 존 내의 다중 계층 VM을 보호해야 합니다.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "안전" + "text": "가용성 집합 또는 가용성 영역의 고가용성 쌍에 두 VM을 모두 배포합니다. 
이러한 VM은 크기가 동일하고 스토리지 구성이 동일해야 합니다.", + "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "NSG", + "checklist": "SAP Checklist", + "guid": "7f684ebc-95da-425e-b329-e782dbed050f", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", + "service": "SAP", "severity": "보통", - "text": "NSG 및 애플리케이션 보안 그룹을 사용하여 랜딩 존 내에서 트래픽을 마이크로 세그먼트화하고 중앙 NVA를 사용하여 트래픽 흐름을 필터링하지 않도록 합니다.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "안전" + "text": "Azure는 RHEL(Red Hat Enterprise Linux)에서 실행되는 동일한 고가용성 클러스터에 SAP HANA, ASCS/SCS 및 ERS 인스턴스의 설치 및 구성을 지원합니다.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "guid": "dfe237de-143b-416c-91d7-aa9b64704489", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "NSG", - "severity": "보통", - "text": "VNet 흐름 로그를 사용하도록 설정하고 트래픽 분석에 제공하여 내부 및 외부 트래픽 흐름에 대한 인사이트를 얻습니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", + "severity": "높다", + "text": "프리미엄 관리형 SSD에서 모든 프로덕션 시스템을 실행하고 Azure NetApp Files 또는 Ultra Disk Storage를 사용합니다. 
적어도 OS 디스크는 프리미엄 계층에 있어야 더 나은 성능과 최상의 SLA를 달성할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", - "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "NSG", - "severity": "보통", - "text": "NSG당 NSG 규칙의 제한(1000)을 고려합니다.", - "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "checklist": "SAP Checklist", + "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", + "service": "SAP", + "severity": "높다", + "text": "Azure의 SAP HANA는 SAP에서 인증한 스토리지 유형에서만 실행해야 합니다. 특정 볼륨은 해당되는 경우 특정 디스크 구성에서 실행되어야 합니다. 이러한 구성에는 Write Accelerator 사용 및 Premium Storage 사용이 포함됩니다. 
또한 스토리지에서 실행되는 파일 시스템이 시스템에서 실행되는 DBMS와 호환되는지 확인해야 합니다.", + "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", "waf": "신뢰도" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", - "service": "VWAN", - "severity": "보통", - "text": "간소화된 Azure 네트워킹 관리를 위해 Virtual WAN을 고려하고 시나리오가 Virtual WAN 라우팅 디자인 목록에 명시적으로 설명되어 있는지 확인합니다", - "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", + "service": "SAP", + "severity": "높다", + "text": "SAP 워크로드에 사용하는 스토리지 유형에 따라 고가용성을 구성하는 것이 좋습니다. Azure에서 사용할 수 있는 일부 스토리지 서비스는 Azure Site Recovery에서 지원되지 않으므로 고가용성 구성이 다를 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", + "waf": "신뢰도" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "VWAN", + "checklist": "SAP Checklist", + "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", + "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", + "service": "SAP", + "severity": "높다", + "text": "일부 지역에서는 다양한 네이티브 Azure Storage 서비스(예: Azure Files, Azure NetApp Files, Azure Shared Disk)를 사용하지 못할 수 있습니다. 
따라서 장애 조치(failover) 후 DR 지역에서 유사한 SAP를 설정하려면 해당 스토리지 서비스가 DR 사이트에서 제공되는지 확인합니다.", + "waf": "신뢰도" + }, + { + "checklist": "SAP Checklist", + "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", + "service": "SAP", "severity": "보통", - "text": "Azure 지역당 Virtual WAN 허브를 사용하여 공통 글로벌 Azure Virtual WAN을 통해 Azure 지역 간에 여러 랜딩 존을 함께 연결합니다.", - "waf": "공연" + "text": "SAP System Start-Stop을 자동화하여 비용을 관리합니다.", + "waf": "비용" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "VWAN", + "checklist": "SAP Checklist", + "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", "severity": "낮다", - "text": "Azure의 리소스 간 통신이 Microsoft 백본 네트워크를 통해 발생하도록 'Azure의 트래픽은 Azure에 유지' 원칙에 따라", - "waf": "공연" + "text": "SAP HANA와 함께 Azure Premium Storage를 사용하는 경우 Azure 표준 SSD 스토리지를 사용하여 비용에 민감한 스토리지 솔루션을 선택할 수 있습니다. 그러나 표준 SSD 또는 표준 HDD Azure Storage를 선택하면 개별 VM의 SLA에 영향을 줍니다. 
또한 비프로덕션 환경과 같이 I/O 처리량이 낮고 대기 시간이 짧은 시스템의 경우 더 낮은 시리즈 VM을 사용할 수 있습니다.", + "waf": "비용" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", - "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "VWAN", - "severity": "보통", - "text": "아웃바운드 인터넷 트래픽 보호 및 필터링을 위해 보안 허브에 Azure Firewall을 배포합니다", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "9877f353-2591-4e8b-8381-e9043fed1010", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", + "severity": "낮다", + "text": "저렴한 대체 구성(다목적)으로 비프로덕션 HANA 데이터베이스 서버 VM에 대해 저성능 SKU를 선택할 수 있습니다. 그러나 E 시리즈와 같은 일부 VM 유형은 HANA 인증(SAP HANA 하드웨어 디렉터리)되지 않았거나 1ms 미만의 스토리지 대기 시간을 달성할 수 없습니다.", + "waf": "비용" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "VWAN", - "severity": "보통", - "text": "네트워크 아키텍처가 Azure Virtual WAN 제한 내에 있는지 확인합니다.", - "waf": "신뢰도" + "checklist": "SAP Checklist", + "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", + "service": "SAP", + "severity": "높다", + "text": "관리 그룹, 구독, 리소스 그룹 및 리소스에 대한 RBAC 모델 적용Enforce a RBAC model for management groups, subscriptions, resource groups and resources", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "안전" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing 
Zone Review", - "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", - "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", - "service": "VWAN", + "checklist": "SAP Checklist", + "guid": "45911475-e39e-4530-accc-d979366bcda2", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", "severity": "보통", - "text": "Virtual WAN용 Azure Monitor Insights를 사용하여 Virtual WAN의 엔드투엔드 토폴로지, 상태 및 주요 메트릭을 모니터링합니다.", - "waf": "작업" + "text": "클라우드 커넥터를 통해 SAP 클라우드 애플리케이션에서 SAP 온-프레미스(IaaS 포함)로 ID를 전달하기 위한 보안 주체 전파 적용", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", + "waf": "안전" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", - "service": "VWAN", + "checklist": "SAP Checklist", + "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", "severity": "보통", - "text": "이러한 흐름을 명시적으로 차단해야 하는 경우가 아니면 IaC 배포가 Virtual WAN에서 분기 간 트래픽을 사용하지 않도록 설정하지 않는지 확인합니다.", - "waf": "신뢰도" + "text": "SAML을 사용하여 Azure AD로 SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics 및 SAP C4C와 같은 SAP SaaS 애플리케이션에 대한 SSO를 구현합니다.", + "waf": "안전" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", - "service": "VWAN", + "checklist": "SAP Checklist", + "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", + "link": 
"https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", "severity": "보통", - "text": "AS-Path는 ExpressRoute 또는 VPN보다 유연하므로 허브 라우팅 기본 설정으로 사용합니다.", - "waf": "신뢰도" + "text": "SAML을 사용하여 SAP Fiori 및 SAP Web GUI와 같은 SAP NetWeaver 기반 웹 애플리케이션에 대한 SSO를 구현합니다.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "waf": "안전" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", - "service": "VWAN", + "checklist": "SAP Checklist", + "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", + "service": "SAP", "severity": "보통", - "text": "IaC 배포가 Virtual WAN에서 레이블 기반 전파를 구성하는지 확인하며, 그렇지 않으면 가상 허브 간의 연결이 손상됩니다.", - "waf": "신뢰도" + "text": "SAML을 사용하여 SAP Fiori 및 SAP Web GUI와 같은 SAP NetWeaver 기반 웹 애플리케이션에 대한 SSO를 구현합니다.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", + "waf": "안전" }, { - "ammp": true, - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "9c75dfef-573c-461c-a698-68598595581a", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", - "service": "VWAN", - "severity": "높다", - "text": "가상 허브에 충분한 IP 공간(이상적으로는 /23 접두사)을 할당합니다.", - "waf": "신뢰도" + "checklist": "SAP Checklist", + "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", + "severity": "보통", + "text": "SAP NetWeaver SSO 또는 파트너 솔루션을 사용하여 SAP GUI에 대한 SSO를 구현할 수 있습니다.", + "training": 
"https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "waf": "안전" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", - "severity": "높다", - "text": "Azure Policy를 전략적으로 활용하고, 정책 이니셔티브를 사용하여 관련 정책을 그룹화하고, 환경에 대한 컨트롤을 정의합니다.", + "checklist": "SAP Checklist", + "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", + "service": "SAP", + "severity": "보통", + "text": "SAP GUI 및 웹 브라우저 액세스를 위한 SSO의 경우 구성 및 유지 관리가 용이하여 SNC/Kerberos/SPNEGO(간단하고 보호된 GSSAPI 협상 메커니즘)를 구현합니다. X.509 클라이언트 인증서를 사용하는 SSO의 경우 SAP SSO 솔루션의 구성 요소인 SAP 보안 로그인 서버를 고려합니다.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "checklist": "SAP Checklist", + "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", + "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", + "service": "SAP", "severity": "보통", - "text": "규정 및 규정 준수 요구 사항을 Azure Policy 정의 및 Azure 역할 할당에 매핑합니다.", + "text": "SAP GUI 및 웹 브라우저 액세스를 위한 SSO의 경우 구성 및 유지 관리가 용이하여 SNC/Kerberos/SPNEGO(간단하고 보호된 GSSAPI 협상 메커니즘)를 구현합니다. 
X.509 클라이언트 인증서를 사용하는 SSO의 경우 SAP SSO 솔루션의 구성 요소인 SAP 보안 로그인 서버를 고려합니다.", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "223ace8c-b123-408c-a501-7f154e3ab369", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "checklist": "SAP Checklist", + "guid": "16785d6f-a96c-496a-b885-18f482734c88", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", + "service": "SAP", "severity": "보통", - "text": "상속된 범위에서 할당할 수 있도록 중간 루트 관리 그룹에서 Azure Policy 정의를 설정합니다.", + "text": "SAP NetWeaver용 OAuth를 사용하여 SSO를 구현하여 타사 또는 사용자 지정 애플리케이션이 SAP NetWeaver OData 서비스에 액세스할 수 있도록 합니다.", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "3829e7e3-1618-4368-9a04-77a209945bda", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "checklist": "SAP Checklist", + "guid": "a747c350-8d4c-449c-93af-393dbca77c48", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", + "service": "SAP", "severity": "보통", - "text": "필요한 경우 최하위 수준에서 제외를 사용하여 가장 적절한 수준에서 정책 할당을 관리합니다.", + "text": "SAP HANA에 대한 SSO 구현", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "43334f24-9116-4341-a2ba-527526944008", - "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", - "service": "Policy", - "severity": "낮다", - "text": "Azure Policy를 사용하여 사용자가 구독/관리 그룹 수준에서 프로비전할 수 있는 서비스 제어", + "checklist": "SAP Checklist", + "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", + "service": "SAP", + "severity": "보통", + "text": "Azure AD를 RISE에서 호스트되는 SAP 시스템의 ID 공급자로 간주합니다. 
자세한 내용은 Azure AD와 서비스 통합을 참조하세요.", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "checklist": "SAP Checklist", + "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", + "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", + "service": "SAP", "severity": "보통", - "text": "가능한 경우 기본 제공 정책을 사용하여 운영 오버헤드를 최소화합니다.", + "text": "SAP에 액세스하는 애플리케이션의 경우 보안 주체 전파를 사용하여 SSO를 설정할 수 있습니다.", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "description": "특정 범위에 Resource Policy Contributor 역할을 할당하면 관련 팀에 정책 관리를 위임할 수 있습니다. 예를 들어 중앙 IT 팀은 관리 그룹 수준 정책을 감독하고 응용 프로그램 팀은 구독에 대한 정책을 처리하여 조직 표준을 준수하는 분산 거버넌스를 가능하게 할 수 있습니다.", - "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", - "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", - "service": "Policy", - "severity": "보통", - "text": "특정 범위에서 기본 제공 Resource Policy 기여자 역할을 할당하여 응용 프로그램 수준 거버넌스를 사용하도록 설정합니다.", - "waf": "안전" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "19048384-5c98-46cb-8913-156a12476e49", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "checklist": "SAP Checklist", + "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", + "service": "SAP", "severity": "보통", - "text": "상속된 범위에서 제외를 통해 관리하지 않도록 루트 관리 그룹 범위에서 수행된 Azure Policy 할당 수를 제한합니다.", + "text": "SAP IAS(Identity Authentication Service)가 필요한 SAP BTP 서비스 또는 SaaS 솔루션을 사용하는 경우 SAP Cloud Identity Authentication Services와 Azure AD 간에 SSO를 구현하여 해당 SAP 서비스에 액세스하는 것이 좋습니다. 
이 통합을 통해 SAP IAS는 프록시 ID 공급자 역할을 하고 중앙 사용자 저장소 및 ID 공급자인 Azure AD에 인증 요청을 전달할 수 있습니다.", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", - "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", - "service": "Policy", + "checklist": "SAP Checklist", + "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", + "service": "SAP", "severity": "보통", - "text": "데이터 주권 요구 사항이 있는 경우 Azure Policy를 배포하여 적용할 수 있습니다", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "text": "SAP BTP에 대한 SSO 구현", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", - "service": "Policy", + "checklist": "SAP Checklist", + "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", + "service": "SAP", "severity": "보통", - "text": "Sovereign Landing Zone의 경우 주권 정책 기준의 정책 이니셔티브가 배포되고 올바른 MG 수준에서 할당됩니다.", + "text": "SAP SuccessFactors를 사용하는 경우 Azure AD 자동화된 사용자 프로비저닝을 사용하는 것이 좋습니다. 이 통합을 통해 SAP SuccessFactors에 새 직원을 추가할 때 Azure AD에서 해당 사용자 계정을 자동으로 만들 수 있습니다. 필요에 따라 Microsoft 365 또는 Azure AD 지원하는 기타 SaaS 애플리케이션에서 사용자 계정을 만들 수 있습니다. 
SAP SuccessFactors에 이메일 주소의 쓰기 저장을 사용합니다.", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", - "service": "Policy", + "checklist": "SAP Checklist", + "guid": "6ba28021-4591-4147-9e39-e5309cccd979", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", + "service": "SAP", "severity": "보통", - "text": "Sovereign Landing Zone의 경우 정책 매핑에 대한 주권 제어 목표가 문서화되어 있습니다.", - "waf": "안전" + "text": "SAP 구독에 기존 관리 그룹 정책 적용", + "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", + "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", - "service": "Policy", - "severity": "보통", - "text": "Sovereign Landing Zone의 경우 '정책 매핑에 대한 Sovereign Control 목표'의 CRUD에 대한 프로세스가 마련되어 있습니다.", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", + "severity": "높다", + "text": "긴밀하게 결합된 애플리케이션을 동일한 SAP 구독에 통합하여 추가적인 라우팅 및 관리 복잡성 방지", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", + "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", - "severity": "보통", - "text": "Azure RBAC(Azure 역할 기반 액세스 제어), 데이터 주권 요구 사항 또는 데이터 보존 정책에 별도의 작업 영역이 필요한 경우를 제외하고 단일 모니터 로그 작업 영역을 사용하여 플랫폼을 중앙에서 관리합니다.", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "checklist": "SAP Checklist", + "guid": 
"9cb107d5-325a-4e52-9ba3-4d4685e2213a", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", + "severity": "높다", + "text": "구독을 배율 단위로 활용하고 리소스를 확장하려면 환경별로 구독을 배포하는 것이 좋습니다. 샌드박스, 비프로덕션, 프로덕션 ", + "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Monitor", - "severity": "보통", - "text": "로그 보존 요구 사항이 12년을 초과하는 경우 로그를 Azure Storage로 내보냅니다. 변경 불가능한 스토리지를 한 번 쓰기, 여러 번 읽기 정책과 함께 사용하여 사용자가 지정한 간격 동안 데이터를 지우거나 수정할 수 없도록 합니다.", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "checklist": "SAP Checklist", + "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", + "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", + "service": "SAP", + "severity": "높다", + "text": "구독 프로비저닝의 일부로 할당량 증가 확인(예: 구독 내에서 사용 가능한 총 VM 코어)", + "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", - "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", - "service": "VM", - "severity": "보통", - "text": "Azure Policy를 사용하여 OS 수준 VM(가상 머신) 구성 드리프트를 모니터링합니다. 
정책을 통해 Azure Automanage Machine Configuration 감사 기능을 사용하도록 설정하면 애플리케이션 팀 워크로드가 적은 노력으로 기능 기능을 즉시 사용할 수 있습니다.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "checklist": "SAP Checklist", + "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", + "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", + "service": "SAP", + "severity": "낮다", + "text": "할당량 API는 Azure 서비스에 대한 할당량을 보고 관리하는 데 사용할 수 있는 REST API입니다. 필요한 경우 사용을 고려하십시오.", "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", - "service": "VM", - "severity": "보통", - "text": "Azure에서 Windows 및 Linux VM에 대한 패치 메커니즘으로 Azure Update Manager를 사용합니다.", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "checklist": "SAP Checklist", + "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", + "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", + "service": "SAP", + "severity": "높다", + "text": "가용성 영역에 배포하는 경우 할당량이 승인되면 VM의 영역 배포를 사용할 수 있는지 확인합니다. 
필요한 구독, VM 시리즈, CPU 수 및 가용성 영역을 사용하여 지원 요청을 제출합니다.", "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", - "service": "VM", - "severity": "보통", - "text": "Azure Arc를 사용하여 Azure 외부의 Windows 및 Linux VM에 대한 패치 메커니즘으로 Azure Update Manager를 사용합니다.", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "checklist": "SAP Checklist", + "guid": "e6e20617-3686-4af4-9791-f8935ada4332", + "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", + "service": "SAP", + "severity": "높다", + "text": "예를 들어 선택한 배포 지역 내에서 필요한 서비스 및 기능을 사용할 수 있는지 확인합니다. ANF, 지역 등.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "90483845-c986-4cb2-a131-56a12476e49f", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Network Watcher", + "checklist": "SAP Checklist", + "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", + "service": "SAP", "severity": "보통", - "text": "Network Watcher를 사용하여 트래픽 흐름을 사전에 모니터링", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "text": "비용 분류 및 리소스 그룹화를 위해 Azure 리소스 태그 활용(BillTo, 부서(또는 사업부), 환경(프로덕션, 스테이지, 개발), 계층(웹 계층, 애플리케이션 계층), 애플리케이션 소유자, 프로젝트 이름)", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Monitor", - "severity": "보통", - "text": "인사이트 및 보고를 위해 Azure Monitor 로그를 사용합니다.", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", + "severity": "높다", + "text": "Azure Backup 서비스를 사용하여 HANA 데이터베이스를 보호할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "guid": "97be9951-9048-4384-9c98-6cb2913156a1", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", - "service": "Monitor", + "checklist": "SAP Checklist", + "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", + "service": "SAP", "severity": "보통", - "text": "Azure Monitor 경고를 사용하여 운영 경고를 생성합니다.", - "waf": "작업" + "text": "HANA, Oracle 또는 DB2 데이터베이스용 Azure NetApp Files를 배포하는 경우 Azure 애플리케이션 일치 스냅샷 도구(AzAcSnap)를 사용하여 애플리케이션 일치 스냅샷을 만듭니다. AzAcSnap은 Oracle 데이터베이스도 지원합니다. 
개별 VM이 아닌 중앙 VM에서 AzAcSnap을 사용하는 것이 좋습니다.", + "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "Monitor", - "severity": "보통", - "text": "Azure Automation 계정을 통해 변경 및 인벤토리 추적을 사용하는 경우 Log Analytics 작업 영역과 자동화 계정을 함께 연결하기 위해 지원되는 지역을 선택했는지 확인합니다.", + "checklist": "SAP Checklist", + "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", + "severity": "높다", + "text": "운영 체제와 SAP 시스템 간의 표준 시간대 일치를 확인합니다.", "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Backup", + "checklist": "SAP Checklist", + "guid": "c3c7abc0-716c-4486-893c-40e181d65539", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", + "service": "SAP", "severity": "보통", - "text": "Azure Backup을 사용하는 경우 기본 설정은 GRS이므로 다양한 백업 유형(GRS, ZRS & LRS)을 고려합니다", + "text": "동일한 클러스터에서 서로 다른 애플리케이션 서비스를 그룹화하지 마세요. 예를 들어 DRBD와 중앙 서비스 클러스터를 동일한 클러스터에 결합하지 마세요. 
그러나 동일한 Pacemaker 클러스터를 사용하여 약 5개의 서로 다른 중앙 서비스(다중 SID 클러스터)를 관리할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "VM", - "severity": "보통", - "text": "Azure 정책을 사용하여 VM 확장을 통해 소프트웨어 구성을 자동으로 배포하고 규격 기준 VM 구성을 적용합니다.", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "a491dfc4-9353-4213-9217-eef0949f9467", + "link": "https://azure.microsoft.com/pricing/offers/dev-test/", + "service": "SAP", + "severity": "낮다", + "text": "Azure 실행 비용을 절감하고 최적화하기 위해 다시 알림 모델에서 개발/테스트 시스템을 실행하는 것이 좋습니다.", + "waf": "비용" }, { - "checklist": "Azure Landing Zone Review", - "description": "Azure Policy의 게스트 구성 기능은 컴퓨터 설정(예: OS, 애플리케이션, 환경)을 감사하고 수정하여 리소스가 예상 구성에 맞는지 확인할 수 있으며, 업데이트 관리는 VM에 대한 패치 관리를 적용할 수 있습니다.", - "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", + "link": "https://learn.microsoft.com/azure/lighthouse/overview", + "service": "SAP", "severity": "보통", - "text": "Azure Policy를 통해 VM 보안 구성 드리프트를 모니터링합니다.", - "waf": "안전" + "text": "SAP 자산을 관리하여 고객과 파트너 관계를 맺는 경우 Azure Lighthouse를 사용하는 것이 좋습니다. Azure Lighthouse를 사용하면 관리 서비스 공급자가 Azure 네이티브 ID 서비스를 사용하여 고객 환경에 인증할 수 있습니다. 
고객은 언제든지 액세스 권한을 취소하고 서비스 제공업체의 조치를 감사할 수 있으므로 고객의 손에 제어 권한을 부여합니다.", + "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "4d116785-d2fa-456c-96ad-48408fe72734", + "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", + "service": "SAP", "severity": "보통", - "text": "Azure-Azure Virtual Machines 재해 복구 시나리오에 Azure Site Recovery를 사용합니다. 이렇게 하면 지역 간에 워크로드를 복제할 수 있습니다.", + "text": "Azure Update Manager를 사용하여 단일 VM 또는 여러 VM에 대해 사용 가능한 업데이트의 상태를 확인하고 정기적인 패치를 예약하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "Backup", - "severity": "보통", - "text": "Azure 네이티브 백업 기능 또는 Azure 호환 제3자 백업 솔루션을 사용합니다.", + "checklist": "SAP Checklist", + "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", + "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", + "service": "SAP", + "severity": "낮다", + "text": "SAP Landscape Management(LaMa)를 사용하여 SAP Basis 운영을 최적화하고 관리합니다. 
Azure용 SAP LaMa 커넥터를 사용하여 SAP 시스템을 재배치, 복사, 복제 및 새로 고칩니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", "waf": "작업" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "826c5c45-bb79-4951-a812-e3bfbfd7326b", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "VM", - "severity": "높다", - "text": "VM이 지원되는 지역에서 VM에 대한 가용성 영역을 활용합니다.", - "waf": "신뢰도" + "checklist": "SAP Checklist", + "guid": "14591147-5e39-4e53-89cc-cd979366bcda", + "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", + "service": "SAP", + "severity": "보통", + "text": "SAP용 Azure Monitor 솔루션을 사용하여 Azure에서 SAP 워크로드(SAP HANA, 고가용성 SUSE 클러스터 및 SQL 시스템)를 모니터링합니다. SAP Solution Manager를 사용하여 SAP용 Azure Monitor 솔루션을 보완하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "작업" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "7ccb7c06-5511-42df-8177-d97f08d0337d", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", + "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", + "service": "SAP", "severity": "높다", - "text": "단일 VM에서 프로덕션 워크로드를 실행하지 마세요.", - "waf": "신뢰도" + "text": "SAP용 VM 확장 검사를 실행합니다. SAP용 VM 확장은 VM(가상 머신)의 할당된 관리 ID를 사용하여 VM 모니터링 및 구성 데이터에 액세스합니다. 
이 검사는 SAP 애플리케이션의 모든 성능 메트릭이 기본 SAP용 Azure 확장에서 제공되는지 확인합니다.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", + "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "84101f59-1941-4195-a270-e28034290e3a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "SAP", "severity": "보통", - "text": "Azure Load Balancer 및 Application Gateway는 들어오는 네트워크 트래픽을 여러 리소스에 분산합니다.", - "waf": "신뢰도" + "text": "액세스 제어 및 규정 준수 보고에 Azure Policy를 사용합니다. Azure Policy는 일관된 정책 준수와 빠른 위반 감지를 보장하기 위해 조직 전체 설정을 적용하는 기능을 제공합니다. ", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "작업" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "WAF", - "severity": "높다", - "text": "Azure Front Door 및 Azure Application Gateway와 같은 애플리케이션 배달 서비스에서 WAF 로그를 저장하는 진단 설정을 추가합니다. 로그를 정기적으로 검토하여 공격 및 가양성 탐지를 확인합니다.", + "checklist": "SAP Checklist", + "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", + "service": "SAP", + "severity": "보통", + "text": "Azure Network Watcher의 연결 모니터를 사용하여 SAP 데이터베이스 및 애플리케이션 서버에 대한 대기 시간 메트릭을 모니터링합니다. 
또는 Azure Monitor를 사용하여 네트워크 대기 시간 측정값을 수집하고 표시합니다.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "7f408960-c626-44cb-a018-347c8d790cdf", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "WAF", + "checklist": "SAP Checklist", + "guid": "73686af4-6791-4f89-95ad-a43324e13811", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", + "service": "SAP", "severity": "보통", - "text": "Azure Front Door 및 Azure Application Gateway와 같은 애플리케이션 배달 서비스에서 Microsoft Sentinel로 WAF 로그를 보냅니다. 공격을 감지하고 WAF 원격 분석을 전체 Azure 환경에 통합합니다.", + "text": "프로비저닝된 Azure 인프라에서 SAP HANA에 대한 품질 검사를 수행하여 프로비저닝된 VM이 Azure의 SAP HANA 모범 사례를 준수하는지 확인합니다.", "waf": "작업" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "5017f154-e3ab-4369-9829-e7e316183687", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "616785d6-fa96-4c96-ad88-518f482734c8", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", "severity": "높다", - "text": "Azure Key Vault를 사용하여 비밀 및 자격 증명 저장", - "waf": "안전" + "text": "각 Azure 구독에 대해 영역 배포 전에 Azure 가용성 영역에서 대기 시간 테스트를 실행하여 Azure에서 SAP를 배포하기 위한 대기 시간이 짧은 영역을 선택합니다.", + "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "waf": "공연" }, { - "checklist": "Azure Landing Zone Review", - "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, 
name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", - "guid": "a0477a20-9945-4bda-9333-4f2491163418", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", + "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", + "service": "SAP", "severity": "보통", - "text": "다양한 애플리케이션 및 지역에 대해 서로 다른 Azure Key Vault를 사용하여 트랜잭션 규모 제한을 방지하고 비밀에 대한 액세스를 제한합니다.", - "waf": "안전" + "text": "복원력 보고서를 실행하여 프로비저닝된 전체 Azure 인프라(컴퓨팅, 데이터베이스, 네트워킹, 스토리지, Site Recovery)의 구성이 Azure용 클라우드 적응 프레임워크에서 정의한 구성을 준수하는지 확인합니다.", + "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", + "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", + "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", + "service": "SAP", "severity": "보통", - "text": "삭제된 개체에 대한 보존 보호를 허용하기 위해 일시 삭제 및 제거 정책을 사용하도록 설정된 Azure Key Vault를 프로비전합니다.", + "text": "SAP용 Microsoft Sentinel 솔루션을 사용하여 위협 방지를 구현합니다. 
이 솔루션을 사용하여 SAP 시스템을 모니터링하고 비즈니스 로직 및 애플리케이션 계층 전체에서 정교한 위협을 탐지할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "dc055bcf-619e-48a1-9f98-879525d62688", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", + "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "service": "SAP", "severity": "보통", - "text": "키, 비밀 및 인증서를 영구적으로 삭제할 수 있는 권한 부여를 특수 사용자 지정 Microsoft Entra ID 역할로 제한하여 최소 권한 모델을 따릅니다.", - "waf": "안전" + "text": "Azure 태그 지정을 활용하여 리소스를 논리적으로 그룹화 및 추적하고, 배포를 자동화하고, 가장 중요한 것은 발생한 비용에 대한 가시성을 제공할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", + "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "보통", - "text": "공용 인증 기관을 통해 인증서 관리 및 갱신 프로세스를 자동화하여 관리를 용이하게 합니다.", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", + "service": "SAP", + "severity": "낮다", + "text": "대기 시간에 민감한 애플리케이션에 대해 VM 간 대기 시간 모니터링을 사용합니다.", + "waf": "공연" }, { - "checklist": "Azure Landing Zone Review", - "guid": "913156a1-2476-4e49-b541-acdce979377b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": 
"SAP", "severity": "보통", - "text": "키 및 인증서 교체를 위한 자동화된 프로세스를 설정합니다.", - "waf": "안전" + "text": "Azure Site Recovery 모니터링을 사용하여 SAP 애플리케이션 서버에 대한 재해 복구 서비스의 상태를 유지 관리합니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", "severity": "보통", - "text": "자격 증명 모음에서 방화벽 및 가상 네트워크 서비스 엔드포인트 또는 프라이빗 엔드포인트를 사용하도록 설정하여 키 자격 증명 모음에 대한 액세스를 제어합니다.", - "waf": "안전" + "text": "모든 데이터베이스 파일 시스템 및 실행 프로그램을 바이러스 백신 검사에서 제외합니다. 이를 포함하면 성능 문제가 발생할 수 있습니다. 제외 목록에 대한 규범적 세부 정보는 데이터베이스 공급업체에 문의하십시오. 예를 들어 Oracle은 바이러스 백신 검사에서 /oracle//sapdata를 제외할 것을 권장합니다.", + "waf": "공연" }, { - "checklist": "Azure Landing Zone Review", - "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", - "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", - "service": "Key Vault", - "severity": "보통", - "text": "플랫폼 중앙 Azure Monitor Log Analytics 작업 영역을 사용하여 Key Vault의 각 인스턴스 내에서 키, 인증서 및 비밀 사용을 감사합니다.", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "c027f893-f404-41a9-b33d-39d625a14964", + "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", + "service": "SAP", + "severity": "낮다", + "text": "마이그레이션 후 비 HANA 데이터베이스에 대한 전체 데이터베이스 통계를 수집하는 것이 좋습니다. 
예를 들어 SAP Note 1020260 - Oracle 통계 제공을 구현합니다.", + "waf": "공연" }, { - "checklist": "Azure Landing Zone Review", - "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", + "service": "SAP", "severity": "보통", - "text": "Key Vault 인스턴스화 및 권한 있는 액세스를 위임하고 Azure Policy를 사용하여 일관된 규정 준수 구성을 적용합니다.", - "waf": "안전" + "text": "Azure에서 SAP를 사용하는 모든 Oracle 배포에 Oracle ASM(Automatic Storage Management)을 사용하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", + "waf": "공연" }, { - "checklist": "Azure Landing Zone Review", - "guid": "91163418-2ba5-4275-8694-4008be7d7e48", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", + "service": "SAP", "severity": "보통", - "text": "애플리케이션, 환경, 지역당 Azure Key Vault를 사용합니다.", - "waf": "안전" + "text": "Oracle을 실행하는 Azure의 SAP의 경우 SQL 스크립트 컬렉션은 성능 문제를 진단하는 데 도움이 될 수 있습니다. AWR(Automatic Workload Repository) 보고서에는 Oracle 시스템의 문제점을 진단하는 데 유용한 정보가 포함되어 있습니다. 
여러 세션 동안 AWR 보고서를 실행하고 피크 시간을 선택하여 광범위한 분석 범위를 보장하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", + "waf": "공연" }, { - "checklist": "Azure Landing Zone Review", - "guid": "25d62688-6d70-4ba6-a97b-e99519048384", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", + "severity": "높다", + "text": "Azure Site Recovery 모니터링을 사용하여 SAP 애플리케이션 서버에 대한 재해 복구 서비스의 상태를 유지 관리합니다.", + "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "waf": "작업" + }, + { + "checklist": "SAP Checklist", + "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "SAP", "severity": "보통", - "text": "자체 키를 가져오려는 경우 고려되는 모든 서비스에서 지원되지 않을 수 있습니다. 불일치가 원하는 결과를 방해하지 않도록 관련 완화를 구현합니다. 
대기 시간을 최소화하는 적절한 지역 쌍과 재해 복구 지역을 선택합니다.", + "text": "HTTP/S 앱을 안전하게 배달하려면 Application Gateway v2를 사용하고 WAF 보호 및 정책이 사용하도록 설정되어 있는지 확인합니다.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", - "link": "https://learn.microsoft.com/industry/sovereignty/key-management", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", "severity": "보통", - "text": "Sovereign Landing Zone의 경우 Azure Key Vault 관리형 HSM을 사용하여 비밀 및 자격 증명을 저장합니다.", - "waf": "안전" + "text": "Azure로 마이그레이션하는 동안 가상 머신의 DNS 또는 가상 이름이 변경되지 않은 경우 백그라운드 DNS 및 가상 이름은 SAP 환경의 많은 시스템 인터페이스를 연결하며, 고객은 시간이 지남에 따라 개발자가 정의하는 인터페이스를 인식하는 경우에만 인식할 수 있습니다. 마이그레이션 후 가상 또는 DNS 이름이 변경될 때 다양한 시스템 간에 연결 문제가 발생하며, 이러한 유형의 문제를 방지하기 위해 DNS 별칭을 유지하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", "severity": "보통", - "text": "Microsoft Entra ID 보고 기능을 사용하여 액세스 제어 감사 보고서를 생성합니다.", - "waf": "안전" + "text": "서로 다른 DNS 영역을 사용하여 각 환경(샌드박스, 개발, 사전 프로덕션 및 프로덕션)을 서로 구분합니다. 예외는 자체 VNet을 사용하는 SAP 배포의 경우입니다. 
여기서는 프라이빗 DNS 영역이 필요하지 않을 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "작업" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "09945bda-4333-44f2-9911-634182ba5275", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", - "service": "Defender", - "severity": "높다", - "text": "모든 구독에 대해 Defender 클라우드 보안 태세 관리를 사용하도록 설정합니다.", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "a3592829-e6e2-4061-9368-6af46791f893", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", + "service": "SAP", + "severity": "보통", + "text": "로컬 및 글로벌 VNet 피어링은 연결을 제공하며, 여러 Azure 지역에서 SAP 배포를 위한 랜딩 존 간의 연결을 보장하기 위해 선호되는 접근 방식입니다", + "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", + "waf": "신뢰도" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", - "service": "Defender", - "severity": "높다", - "text": "모든 구독에서 서버에 대한 Defender 클라우드 워크로드 보호 계획을 사용하도록 설정합니다.", - "waf": "안전" - }, - { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", - "service": "Defender", - "severity": "높다", - "text": "모든 구독에서 Azure 리소스에 대한 Defender 클라우드 워크로드 보호 계획을 사용하도록 설정합니다.", - "waf": "안전" - }, - { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", - "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", + "link": 
"https://learn.microsoft.com/azure/sap/workloads/planning-guide", + "service": "SAP", "severity": "높다", - "text": "IaaS 서버에서 Endpoint Protection을 사용하도록 설정합니다.", - "waf": "안전" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", - "link": "https://learn.microsoft.com/azure/security-center/", - "service": "VM", - "severity": "보통", - "text": "Azure Monitor 로그 및 클라우드용 Defender를 통해 기본 운영 체제 패치 드리프트를 모니터링합니다.", - "waf": "안전" + "text": "SAP 애플리케이션과 SAP 데이터베이스 서버 간에 NVA를 배포하는 것은 지원되지 않습니다", + "training": "https://me.sap.com/notes/2731110", + "waf": "공연" }, { - "checklist": "Azure Landing Zone Review", - "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", + "checklist": "SAP Checklist", + "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", + "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", + "service": "SAP", "severity": "보통", - "text": "기본 리소스 구성을 중앙 집중식 Azure Monitor Log Analytics 작업 영역에 연결합니다.", - "waf": "안전" + "text": "Azure 지역 및 온-프레미스 위치 간에 글로벌 전송 연결이 필요한 신규, 대규모 또는 글로벌 네트워크에서 Azure 배포에 Virtual WAN을 사용합니다. 
이 방법을 사용하면 Azure 네트워킹에 대한 전이적 라우팅을 수동으로 설정할 필요가 없으며 Azure의 SAP 배포에 대한 표준을 따를 수 있습니다.", + "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", - "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", + "service": "SAP", "severity": "보통", - "text": "Sovereign Landing Zone의 경우 Entra ID 테넌트에서 투명 로그가 사용하도록 설정됩니다.", - "waf": "안전" + "text": "파트너 NVA를 사용하는 경우에만 지역 간에 NVA(네트워크 가상 어플라이언스)를 배포하는 것이 좋습니다. 네이티브 NVA가 있는 경우 지역 또는 VNet 간의 NVA가 필요하지 않습니다. 파트너 네트워킹 기술 및 NVA를 배포하는 경우 공급업체의 지침에 따라 Azure 네트워킹과 충돌하는 구성을 확인합니다.", + "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", + "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", - "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", + "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", + "service": "SAP", "severity": "보통", - "text": "Sovereign Landing Zone의 경우 Entra ID 테넌트에서 고객 Lockbox를 사용할 수 있습니다.", - "waf": "안전" + "text": "Virtual WAN은 가상 WAN 기반 토폴로지에 대한 스포크 VNet 간의 연결을 관리하며(UDR[사용자 정의 라우팅] 또는 NVA를 설정할 필요 없음) 동일한 가상 허브의 VNet 간 트래픽에 대한 최대 네트워크 처리량은 초당 50기가비트입니다. 
필요한 경우 SAP 랜딩 존은 VNet 피어링을 사용하여 다른 랜딩 존에 연결하고 이 대역폭 제한을 극복할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", + "waf": "작업" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Storage", + "checklist": "SAP Checklist", + "guid": "82734c88-6ba2-4802-8459-11475e39e530", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", "severity": "높다", - "text": "스토리지 계정에 대한 보안 전송을 사용하도록 설정해야 함", + "text": "SAP 워크로드를 실행하는 VM에 대한 공용 IP 할당은 권장되지 않습니다.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", "waf": "안전" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", - "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", - "service": "Storage", + "checklist": "SAP Checklist", + "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", + "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "service": "SAP", "severity": "높다", - "text": "스토리지 계정에 대해 컨테이너 일시 삭제를 사용하도록 설정하여 삭제된 컨테이너와 해당 콘텐츠를 복구합니다.", - "waf": "안전" + "text": "ASR을 구성할 때 DR 쪽에서 IP 주소를 예약하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "작업" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", - "service": "Key Vault", + "checklist": "SAP 
Checklist", + "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", "severity": "높다", - "text": "Key Vault 비밀을 사용하여 자격 증명(가상 머신 사용자 암호), 인증서 또는 키와 같은 중요한 정보를 하드 코딩하지 않도록 합니다.", + "text": "프로덕션 및 DR 사이트에 겹치는 IP 주소 범위를 사용하지 마십시오.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", "waf": "작업" }, { - "checklist": "Azure Bot Service", - "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", - "service": "Bot service", + "checklist": "SAP Checklist", + "guid": "6e154e3a-a359-4282-ae6e-206173686af4", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", + "service": "SAP", "severity": "보통", - "text": "Azure Bot Service의 안정성 지원 권장 사항을 따릅니다", - "waf": "신뢰도" + "text": "Azure는 VNet에서 여러 위임된 서브넷을 만드는 데 도움이 되지만 Azure NetApp Files용 VNet에는 위임된 서브넷이 하나만 존재할 수 있습니다. 
Azure NetApp Files에 대해 둘 이상의 위임된 서브넷을 사용하는 경우 새 볼륨을 만들려는 시도가 실패합니다.", + "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", + "waf": "작업" }, { - "checklist": "Azure Bot Service", - "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", - "service": "Bot service", + "checklist": "SAP Checklist", + "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", + "service": "SAP", "severity": "보통", - "text": "로컬 데이터 레지던시 및 지역 규정 준수를 통해 봇 배포Deploying bots with local data residency and regional compliance", - "waf": "신뢰도" + "text": "Azure Firewall을 사용하여 인터넷에 대한 Azure 아웃바운드 트래픽, 비 HTTP/S 인바운드 연결 및 East/West 트래픽 필터링(조직에 필요한 경우)을 제어합니다", + "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", + "waf": "안전" }, { - "checklist": "Azure Bot Service", - "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", - "service": "Bot service", + "checklist": "SAP Checklist", + "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", + "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", + "service": "SAP", "severity": "보통", - "text": "Azure Bot Service는 글로벌 및 지역 서비스 모두에 대해 활성-활성 모드로 실행됩니다. 중단이 발생하면 오류를 감지하거나 서비스를 관리할 필요가 없습니다. Azure Bot Service는 다중 지역 지리적 아키텍처에서 자동 장애 조치(failover) 및 자동 복구를 자동으로 수행합니다. EU 봇 지역 서비스의 경우 Azure Bot Service는 중복성을 보장하기 위해 활성/활성 복제가 있는 유럽 내 두 개의 전체 지역을 제공합니다. 
글로벌 봇 서비스의 경우 사용 가능한 모든 지역/지역을 글로벌 공간으로 제공할 수 있습니다.", - "waf": "신뢰도" + "text": "Application Gateway, SAP Web Dispatcher 및 기타 타사 서비스 간의 비교에서 볼 수 있듯이 Application Gateway가 SAP 웹앱에 대한 역방향 프록시 역할을 하는 경우 Application Gateway 및 Web Application Firewall에 제한 사항이 있습니다.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", + "waf": "안전" }, { - "checklist": "Redis Resiliency checklist", - "guid": "65285269-440b-44be-9d3e-0844276d4bdc", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", - "service": "Redis", - "severity": "높다", - "text": "Azure Cache for Redis에 대한 영역 중복성을 사용하도록 설정합니다. Azure Cache for Redis는 프리미엄 및 엔터프라이즈 계층에서 영역 중복 구성을 지원합니다. 영역 중복 캐시는 동일한 지역의 여러 Azure 가용성 영역에 노드를 배치할 수 있습니다. 데이터 센터 또는 AZ 중단을 단일 장애 지점으로 제거하고 캐시의 전반적인 가용성을 높입니다.", - "waf": "신뢰도" + "checklist": "SAP Checklist", + "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", + "severity": "보통", + "text": "Azure Front Door 및 WAF 정책을 사용하여 랜딩 존에 대한 인바운드 HTTP/S 연결을 위해 Azure 지역에서 전역 보호를 제공합니다.", + "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", + "waf": "안전" }, { - "checklist": "Redis Resiliency checklist", - "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", - "service": "Redis", + "checklist": "SAP Checklist", + "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "SAP", "severity": "보통", - "text": "Azure Cache for Redis 인스턴스에 대한 데이터 지속성을 구성합니다. 캐시 데이터는 메모리에 저장되기 때문에 드물게 계획되지 않은 여러 노드의 오류로 인해 모든 데이터가 삭제될 수 있습니다. 
데이터가 완전히 손실되는 것을 방지하기 위해 Redis 지속성을 사용하면 메모리 내 데이터의 주기적인 스냅숏을 만들어 저장소 계정에 저장할 수 있습니다.", - "waf": "신뢰도" + "text": "Azure Front Door 및 Application Gateway를 사용하여 HTTP/S 애플리케이션을 보호하는 경우 Azure Front Door의 Web Application Firewall 정책을 활용합니다. Azure Front Door에서만 트래픽을 수신하도록 Application Gateway를 잠급니다.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "waf": "안전" }, { - "checklist": "Redis Resiliency checklist", - "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", - "service": "Redis", + "checklist": "SAP Checklist", + "guid": "5ada4332-4e13-4811-9231-81aa41742694", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", "severity": "보통", - "text": "지역 중복 스토리지 계정을 사용하여 Azure Cache for Redis 데이터를 유지하거나 지역 중복을 사용할 수 없는 경우 영역 중복을 유지합니다", - "waf": "신뢰도" + "text": "웹 애플리케이션 방화벽을 사용하여 트래픽이 인터넷에 노출될 때 트래픽을 검사합니다. 또 다른 옵션은 부하 분산 장치 또는 Application Gateway 또는 타사 솔루션과 같은 기본 제공 방화벽 기능이 있는 리소스와 함께 사용하는 것입니다.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "waf": "안전" }, { - "checklist": "Redis Resiliency checklist", - "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", - "service": "Redis", + "checklist": "SAP Checklist", + "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "SAP", "severity": "보통", - "text": "프리미엄 Azure Cache for Redis 인스턴스에 대한 수동 지역 복제를 구성합니다. 지역에서 복제는 일반적으로 두 개의 Azure 지역에 걸쳐 있는 둘 이상의 Azure Cache for Redis 인스턴스를 연결하는 메커니즘입니다. 지역에서 복제는 주로 지역 간 재해 복구를 위해 설계되었습니다. 
두 개의 프리미엄 계층 캐시 인스턴스는 주 캐시에 대한 읽기 및 쓰기를 제공하는 방식으로 지역 복제를 통해 연결되며, 해당 데이터는 보조 캐시에 복제됩니다.", - "waf": "신뢰도" + "text": "Azure 지역 및 온-프레미스 위치 간에 글로벌 전송 연결이 필요한 신규, 대규모 또는 글로벌 네트워크에서 Azure 배포에 Virtual WAN을 사용합니다. 이 방법을 사용하면 Azure 네트워킹에 대한 전이적 라우팅을 수동으로 설정할 필요가 없으며 Azure의 SAP 배포에 대한 표준을 따를 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", + "waf": "공연" }, { - "checklist": "Logic Apps checklist", - "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", - "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", - "service": "Logic Apps", - "severity": "높다", - "text": "비즈니스 및 SLO 요구 사항에 따라 올바른 Logic App 호스팅 계획 선택Select the right Logic App hosting plan based on your business & SLO requirements", - "waf": "신뢰도" + "checklist": "SAP Checklist", + "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "SAP", + "severity": "보통", + "text": "데이터 유출을 방지하려면 Azure Private Link를 사용하여 Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory 등과 같은 PaaS(Platform as a Service) 리소스에 안전하게 액세스합니다. Azure 프라이빗 엔드포인트는 VNet과 Azure Storage, Azure Backup 등과 같은 서비스 간의 트래픽을 보호하는 데도 도움이 될 수 있습니다. 
VNet과 프라이빗 엔드포인트 사용 서비스 간의 트래픽은 Microsoft 글로벌 네트워크를 통해 이동하므로 공용 인터넷에 노출되지 않습니다.", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", + "waf": "안전" }, { - "checklist": "Logic Apps checklist", - "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", - "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "Logic Apps", + "checklist": "SAP Checklist", + "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", + "service": "SAP", "severity": "높다", - "text": "영역 중복 및 가용성 영역을 사용하여 지역 오류로부터 논리 앱 보호Protect logic apps from region failures with zone redundancy and availability zones", - "waf": "신뢰도" + "text": "SAP 애플리케이션 및 DBMS 계층에 사용되는 VM에서 Azure 가속 네트워킹이 사용하도록 설정되어 있는지 확인합니다.", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "공연" }, { - "checklist": "Logic Apps checklist", - "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", - "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Logic Apps", - "severity": "높다", - "text": "중요한 워크로드에 대한 지역 간 DR 전략 고려", - "waf": "신뢰도" + "checklist": "SAP Checklist", + "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", + "service": "SAP", + "severity": "보통", + "text": "Azure Load Balancer에 대한 내부 배포가 DSR(Direct Server Return)을 사용하도록 설정되어 있는지 확인합니다. 
이 설정(유동 IP 사용)은 DBMS 계층의 고가용성 구성에 내부 부하 분산 장치 구성을 사용할 때 대기 시간을 줄입니다.", + "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "waf": "안전" }, { - "checklist": "Logic Apps checklist", - "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", - "link": "https://learn.microsoft.com/azure/app-service/environment/intro", - "service": "Logic Apps", + "checklist": "SAP Checklist", + "guid": "6791f893-5ada-4433-84e1-3811523181aa", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "SAP", + "severity": "보통", + "text": "ASG(애플리케이션 보안 그룹) 및 NSG 규칙을 사용하여 SAP 애플리케이션과 DBMS 계층 간에 네트워크 보안 액세스 제어 목록을 정의할 수 있습니다. ASG는 보안을 관리하는 데 도움이 되도록 가상 머신을 그룹화합니다.", + "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", + "waf": "안전" + }, + { + "checklist": "SAP Checklist", + "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "severity": "높다", - "text": "격리된 환경에 배포하는 경우 ASE(App Service Environment) v3을 사용하거나 마이그레이션합니다", - "waf": "신뢰도" + "text": "피어링되지 않은 다른 Azure VNet에 SAP 애플리케이션 계층 및 SAP DBMS를 배치하는 것은 지원되지 않습니다.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "공연" }, { - "checklist": "Logic Apps checklist", - "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", - "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", - "service": "Logic Apps", + "checklist": "SAP Checklist", + "guid": "fa96c96a-d885-418f-9827-34c886ba2802", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "보통", - "text": "Azure DevOps 또는 GitHub를 활용하여 CI/CD를 간소화하고 논리 앱 코드를 보호합니다.", - "waf": "작업" + "text": "SAP 애플리케이션에서 네트워크 대기 시간을 최적화하려면 Azure 근접 배치 그룹을 사용하는 것이 좋습니다.", + "training": 
"https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", + "waf": "공연" }, { - "checklist": "Cost Optimization Checklist", - "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", - "service": "Azure Monitor", - "text": "Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview 의 데이터 수집 규칙", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "비용" + "checklist": "SAP Checklist", + "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", + "severity": "높다", + "text": "온-프레미스와 Azure 간에 분할된 SAP 애플리케이션 서버 계층 및 DBMS 계층을 실행하는 것은 전혀 지원되지 않습니다. 두 계층 모두 온-프레미스 또는 Azure에 완전히 상주해야 합니다.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "공연" }, { - "checklist": "Cost Optimization Checklist", - "guid": "45901365-d38e-443f-abcb-d868266abca2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Azure Backup", - "text": "기본 데이터 원본을 찾을 수 없는 백업 인스턴스 확인", + "checklist": "SAP Checklist", + "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", + "severity": "높다", + "text": "계층 간의 과도한 네트워크 트래픽으로 인해 발생할 수 있는 상당한 비용 때문에 다른 VNet에서 SAP 시스템의 DBMS(데이터베이스 관리 시스템) 및 애플리케이션 계층을 호스트하고 VNet 피어링과 연결하는 것은 권장되지 않습니다. 
Azure 가상 네트워크 내에서 서브넷을 사용하여 SAP 애플리케이션 계층과 DBMS 계층을 분리하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", "waf": "비용" }, { - "checklist": "Cost Optimization Checklist", - "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "VM", - "text": "연결되지 않은 서비스(디스크, NIC, IP 주소 등) 삭제 또는 보관", - "waf": "비용" + "checklist": "SAP Checklist", + "guid": "402a9846-d515-4061-aff8-cd30088693fa", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", + "service": "SAP", + "severity": "높다", + "text": "Linux 게스트 운영 체제에서 Load Balancer를 사용하는 경우 Linux 네트워크 매개 변수 net.ipv4.tcp_timestamps가 0으로 설정되어 있는지 확인합니다.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "공연" }, { - "checklist": "Cost Optimization Checklist", - "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Azure Backup", - "text": "중요 업무용 응용 프로그램에 대한 Site Recovery 저장소와 백업 간의 적절한 균형을 고려합니다.", - "waf": "비용" + "checklist": "SAP Checklist", + "guid": "87585797-5551-4d53-bb7d-a94ee415734d", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", + "service": "SAP", + "severity": "보통", + "text": "SAP RISE/ECS 배포의 경우 가상 피어링은 고객의 기존 Azure 환경과의 연결을 설정하는 기본 방법입니다. 
SAP vnet과 고객 vnet은 모두 NSG(네트워크 보안 그룹)로 보호되므로 vnet 피어링을 통해 SAP 및 데이터베이스 포트에서 통신할 수 있습니다", + "waf": "안전" }, { - "checklist": "Cost Optimization Checklist", - "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", - "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", - "service": "Azure Monitor", - "text": "40개의 서로 다른 로그 분석 작업 영역 간의 지출 및 절감 기회 확인 - 비프로덕션 작업 영역에 대해 서로 다른 보존 및 데이터 수집 사용-인식 및 계층 크기 조정을 위한 일일 한도 만들기 - 일일 한도를 설정하는 경우 한도에 도달할 때 경고를 만드는 것 외에도 특정 비율(예: 90%)에 도달했을 때 알림을 받을 경고 규칙도 만들어야 합니다. - 가능한 경우 작업 영역 변환 고려 - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", + "checklist": "SAP Checklist", + "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", + "severity": "높다", + "text": "Azure VM에 대한 SAP HANA 데이터베이스 백업을 검토합니다.", "waf": "비용" }, { - "checklist": "Cost Optimization Checklist", - "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Azure Monitor", - "text": "제거 로그 정책 및 자동화 적용(필요한 경우 로그를 콜드 스토리지로 이동할 수 있음)", - "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", + "checklist": "SAP Checklist", + "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", + "severity": "보통", + "text": "SAP에 사용되는 Site Recovery 기본 제공 모니터링을 검토합니다.", "waf": "비용" }, { - "checklist": "Cost Optimization Checklist", - "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "VM", - "text": "디스크가 실제로 필요한지 확인하고, 그렇지 않은 경우 삭제하십시오. 필요한 경우 더 낮은 스토리지 계층을 찾거나 백업을 사용합니다.", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", - "waf": "비용" + "checklist": "SAP Checklist", + "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", + "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", + "service": "SAP", + "severity": "높다", + "text": "SAP HANA 시스템 환경 모니터링 지침을 검토합니다.", + "waf": "작업" }, { - "checklist": "Cost Optimization Checklist", - "guid": "d1e44a19-659d-4395-afd7-7289b835556d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Storage", - "text": "사용자 지정 규칙을 사용하여 사용하지 않는 스토리지를 하위 계층으로 이동하는 것이 좋습니다 - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "waf": "비용" + "checklist": "SAP Checklist", + "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", + "service": "SAP", + "severity": "보통", + "text": "Azure Linux VM 백업 전략에서 Oracle Database를 검토합니다.", + "waf": "작업" }, { - "checklist": "Cost Optimization Checklist", - "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "VM", - "text": "Advisor가 VM 올바른 크기 조정에 대해 구성되어 있는지 확인합니다. 
", - "waf": "비용" + "checklist": "SAP Checklist", + "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", + "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", + "service": "SAP", + "severity": "보통", + "text": "SQL Server 2016에서 Azure Blob Storage 사용을 검토합니다.", + "waf": "작업" }, { - "checklist": "Cost Optimization Checklist", - "description": "Cost analysys에서 Meter Category Licenses를 검색하여 확인합니다.", - "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", - "service": "VM", - "text": "모든 Windows VM에서 스크립트 실행 https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- Windows VM을 자주 만드는 경우 정책 구현을 고려합니다.", - "waf": "비용" + "checklist": "SAP Checklist", + "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", + "service": "SAP", + "severity": "보통", + "text": "Azure VM에 대한 자동화된 Backup v2 사용을 검토합니다.", + "waf": "작업" }, { - "checklist": "Cost Optimization Checklist", - "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "VM", - "text": " 이미 라이선스가 있는 경우 AHUB에 넣을 수도 https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", - "waf": "비용" + "checklist": "SAP Checklist", + "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", + "service": "SAP", + "severity": "높다", + "text": "프리미엄 디스크(V1)를 사용할 때 M 시리즈에 쓰기 가속기 사용Enabling Write accelerator for M series when using premium disks(V1)", + "waf": "작업" }, { - "checklist": "Cost Optimization Checklist", - "guid": 
"75c1e945-b459-4837-bf7a-e7c6d3b475a5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "VM", - "text": "유연성 옵션을 사용하여 예약된 VM 제품군 통합(4-5개 이하의 제품군)", - "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", - "waf": "비용" + "checklist": "SAP Checklist", + "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "service": "SAP", + "severity": "보통", + "text": "가용성 영역 대기 시간을 테스트합니다.", + "waf": "공연" }, { - "checklist": "Cost Optimization Checklist", - "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", - "service": "VM", - "text": "Azure Reserved Instances 활용: 이 기능을 사용하면 1년 또는 3년 동안 VM을 예약할 수 있으므로 PAYG 가격에 비해 상당한 비용 절감 효과를 얻을 수 있습니다.", - "waf": "비용" + "checklist": "SAP Checklist", + "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", + "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", + "service": "SAP", + "severity": "보통", + "text": "모든 SAP 구성 요소에 대해 SAP EarlyWatch Alert를 활성화합니다.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", + "waf": "공연" }, { - "checklist": "Cost Optimization Checklist", - "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", - "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", - "service": "VM", - "text": "더 큰 디스크만 예약할 수 있습니다 => 1TiB -", - "waf": "비용" + "checklist": "SAP Checklist", + "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", + "service": "SAP", + "severity": "보통", + "text": "SAP ABAPMeter 보고서 /SSA/CAT를 사용하여 SAP 
애플리케이션 서버-데이터베이스 서버 대기 시간을 검토합니다.", + "training": "https://me.sap.com/notes/0002879613", + "waf": "공연" }, { - "checklist": "Cost Optimization Checklist", - "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", - "service": "VM", - "text": "적절한 크기 최적화 후", - "waf": "비용" + "checklist": "SAP Checklist", + "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", + "service": "SAP", + "severity": "보통", + "text": "CCMS를 사용하여 SQL Server 성능 모니터링을 검토합니다.", + "waf": "공연" }, { - "checklist": "Cost Optimization Checklist", - "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Azure SQL", - "text": "적용 가능한 경우 확인 및 정책/변경 https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations 시행", - "waf": "비용" + "checklist": "SAP Checklist", + "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", + "link": "https://me.sap.com/notes/500235", + "service": "SAP", + "severity": "보통", + "text": "SAP 애플리케이션 계층 VM과 DBMS VM(NIPING) 간의 네트워크 대기 시간을 테스트합니다.", + "training": "https://me.sap.com/notes/1100926/E", + "waf": "공연" }, { - "checklist": "Cost Optimization Checklist", - "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "VM", - "text": "VM + 라이선스 부분 할인(ahub + 3YRI)은 약 70% 할인입니다.", - "waf": "비용" + "checklist": "SAP Checklist", + "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", + "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", + "service": "SAP", + "severity": "보통", + "text": "SAP HANA Studio 경고를 검토합니다.", + "waf": "공연" }, { - "checklist": "Cost Optimization Checklist", - "guid": 
"ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "VM", - "text": "플랫 사이징보다는 VMSS를 사용하여 수요에 맞추는 것이 좋습니다", - "waf": "비용" + "checklist": "SAP Checklist", + "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", + "link": "https://me.sap.com/notes/1969700", + "service": "SAP", + "severity": "보통", + "text": "HANA_Configuration_Minichecks를 사용하여 SAP HANA 상태 검사를 수행합니다.", + "waf": "공연" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Cost Optimization Checklist", - "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "AKS", - "text": "AKS 자동 크기 조정기를 사용하여 클러스터 사용량과 일치시킵니다(Pod 요구 사항이 스케일러와 일치하는지 확인).", - "waf": "비용" + "checklist": "SAP Checklist", + "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", + "severity": "보통", + "text": "Azure, 온-프레미스 또는 기타 클라우드 환경에서 Windows 및 Linux VM을 실행하는 경우 Azure Automation의 업데이트 관리 센터를 사용하여 보안 패치를 포함한 운영 체제 업데이트를 관리할 수 있습니다.", + "training": "https://learn.microsoft.com/azure/automation/update-management/overview", + "waf": "안전" }, { - "checklist": "Cost Optimization Checklist", - "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Azure Backup", - "text": "해당하는 경우 복구 지점을 자격 증명 모음 보관으로 이동(유효성 검사)Move recovery points to vault-archive where applicable (Validate)", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "비용" + "checklist": "SAP Checklist", + "guid": "08951710-79a2-492a-adbc-06d7a401545b", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", + "severity": "보통", + "text": "SAP는 SAP 시스템을 보호하기 위해 즉각적인 조치가 필요한 매우 중요한 보안 패치 또는 핫픽스를 릴리스하므로 SAP 보안 OSS 노트를 정기적으로 검토합니다.", + "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", + "waf": "안전" }, { - "checklist": "Cost Optimization Checklist", - "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", - "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", - "service": "Databricks", - "text": "가능한 경우 대체와 함께 스폿 VM을 사용하는 것이 좋습니다. 클러스터의 자동 종료를 고려합니다.", - "waf": "비용" + "checklist": "SAP Checklist", + "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", + "severity": "낮다", + "text": "SQL Server SAP의 경우 SQL Server SAP 시스템에서 계정을 사용하지 않으므로 SQL Server 시스템 관리자 계정을 사용하지 않도록 설정할 수 있습니다. 원래 시스템 관리자 계정을 비활성화하기 전에 시스템 관리자 권한이 있는 다른 사용자가 서버에 액세스할 수 있는지 확인합니다.", + "waf": "안전" }, { - "checklist": "Cost Optimization Checklist", - "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", - "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", - "service": "Azure Functions", - "text": "함수 - 연결 재사용", - "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", - "waf": "비용" + "checklist": "SAP Checklist", + "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", + "severity": "높다", + "text": "xp_cmdshell 비활성화합니다. SQL Server 기능 xp_cmdshell SQL Server 내부 운영 체제 명령 셸을 사용할 수 있습니다. 
이는 보안 감사에서 발생할 수 있는 잠재적 위험입니다.", + "training": "https://me.sap.com/notes/3019299/E", + "waf": "안전" }, { - "checklist": "Cost Optimization Checklist", - "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", - "link": "https://learn.microsoft.com/azure/automation/update-management/overview", - "service": "Azure Functions", - "text": "함수 - 로컬에 데이터 캐시", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", - "waf": "비용" + "checklist": "SAP Checklist", + "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "높다", + "text": "Azure에서 SAP HANA 데이터베이스 서버를 암호화하는 데는 SAP HANA 네이티브 암호화 기술이 사용됩니다. 또한 Azure에서 SQL Server를 사용하는 경우 TDE(투명한 데이터 암호화)를 사용하여 데이터 및 로그 파일을 보호하고 백업도 암호화되도록 합니다.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "waf": "안전" }, { - "checklist": "Cost Optimization Checklist", - "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Azure Functions", - "text": "기능 - 콜드 스타트 - '패키지에서 실행' 기능을 사용합니다. 이렇게 하면 코드가 단일 zip 파일로 다운로드됩니다. 예를 들어, 이것은 많은 노드 모듈이 있는 Javascript 함수를 크게 개선할 수 있습니다. 언어별 도구를 사용하여 패키지 크기를 줄입니다(예: 트리 쉐이킹 Javascript 애플리케이션).", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "비용" + "checklist": "SAP Checklist", + "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "SAP", + "severity": "보통", + "text": "Azure Storage 암호화는 모든 Azure Resource Manager 및 클래식 스토리지 계정에 대해 사용하도록 설정되며 사용하지 않도록 설정할 수 없습니다. 
데이터는 기본적으로 암호화되므로 Azure Storage 암호화를 사용하기 위해 코드 또는 애플리케이션을 수정할 필요가 없습니다.", + "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", + "waf": "안전" + }, + { + "checklist": "SAP Checklist", + "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "SAP", + "severity": "높다", + "text": "Azure Key Vault를 사용하여 비밀 및 자격 증명 저장", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "안전" + }, + { + "checklist": "SAP Checklist", + "guid": "829e2edb-2173-4676-aff6-691b4935ada4", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "SAP", + "severity": "보통", + "text": "무단 변경으로부터 보호하기 위해 성공적인 배포 후 Azure 리소스를 잠그는 것이 좋습니다. 사용자 지정된 Azure 정책(Custome 역할)을 사용하여 구독별로 LOCK 제약 조건 및 규칙을 적용할 수도 있습니다.", + "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", + "waf": "안전" + }, + { + "checklist": "SAP Checklist", + "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "SAP", + "severity": "보통", + "text": "삭제된 개체에 대한 보존 보호를 허용하기 위해 일시 삭제 및 제거 정책을 사용하도록 설정된 Azure Key Vault를 프로비전합니다.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "안전" + }, + { + "checklist": "SAP Checklist", + "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", + "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", + "service": "SAP", + "severity": "높다", + "text": "기존 요구 사항에 따라 규정 및 규정 준수 제어(내부/외부) - 필요한 Azure 정책 및 Azure RBAC 역할 결정", + "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", + "waf": "안전" + }, + { + "checklist": 
"SAP Checklist", + "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "높다", + "text": "SAP 환경에서 엔드포인트용 Microsoft Defender 사용하도록 설정하는 경우 모든 서버를 대상으로 하는 대신 DBMS 서버에서 데이터 및 로그 파일을 제외하는 것이 좋습니다. 대상 파일을 제외할 때 DBMS 공급업체의 권장 사항을 따릅니다.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", + "waf": "안전" + }, + { + "checklist": "SAP Checklist", + "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", + "service": "SAP", + "severity": "높다", + "text": "클라우드용 Microsoft Defender의 Just-In-Time 액세스 권한이 있는 SAP 관리자 사용자 지정 역할을 위임합니다.", + "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "waf": "안전" + }, + { + "checklist": "SAP Checklist", + "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "낮다", + "text": "타사 보안 제품을 DIAG(SAP GUI)용 SNC(Secure Network Communications), RFC 및 HTTPS용 SPNEGO와 통합하여 전송 중인 데이터를 암호화합니다.", + "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", + "waf": "안전" + }, + { + "checklist": "SAP Checklist", + "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", + "service": "SAP", + "severity": "보통", + "text": "보안 주체 암호화 기능을 위해 기본적으로 Microsoft 관리형 키를 사용하고 필요한 경우 고객 관리형 키를 사용합니다.", + "training": 
"https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "안전" + }, + { + "checklist": "SAP Checklist", + "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", + "service": "SAP", + "severity": "높다", + "text": "애플리케이션, 환경, 지역당 Azure Key Vault를 사용합니다.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "안전" + }, + { + "checklist": "SAP Checklist", + "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", + "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", + "service": "SAP", + "severity": "높다", + "text": "비 HANA Windows 및 비 Windows 운영 체제에 대한 디스크 암호화 키 및 비밀을 제어하고 관리하려면 Azure Key Vault를 사용합니다. SAP HANA는 Azure Key Vault에서 지원되지 않으므로 SAP ABAP 또는 SSH 키와 같은 대체 방법을 사용해야 합니다.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", + "waf": "안전" + }, + { + "checklist": "SAP Checklist", + "guid": "209d490d-a477-4784-84d1-16785d2fa56c", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "service": "SAP", + "severity": "높다", + "text": "실수로 인한 네트워크 관련 변경을 방지하기 위해 Azure의 SAP 스포크 구독에 대한 RBAC(역할 기반 액세스 제어) 역할 사용자 지정", + "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", + "waf": "안전" + }, + { + "checklist": "SAP Checklist", + "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", + "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", + "service": "SAP", + "severity": "높다", + "text": "나머지 SAP 자산에서 DMZ 및 NVA를 격리하고, Azure Private Link를 구성하고, Azure의 SAP 리소스를 안전하게 관리 및 제어합니다", + "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", + "waf": "안전" }, { - "checklist": "Cost Optimization 
Checklist", - "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "Azure Functions", - "text": "기능 - 기능을 따뜻하게 유지", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "비용" + "checklist": "SAP Checklist", + "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", + "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "service": "SAP", + "severity": "낮다", + "text": "Azure에서 Microsoft 맬웨어 방지 소프트웨어를 사용하여 악성 파일, 애드웨어 및 기타 위협으로부터 가상 머신을 보호하는 것이 좋습니다.", + "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", + "waf": "안전" }, { - "checklist": "Cost Optimization Checklist", - "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Azure Functions", - "text": "다른 함수와 함께 자동 크기 조정을 사용하는 경우 모든 리소스에 대한 모든 자동 크기 조정을 구동하는 것이 있을 수 있으므로 별도의 소비 계획으로 이동하는 것이 좋습니다(CPU에 대한 더 높은 계획 고려).", - "waf": "비용" + "checklist": "SAP Checklist", + "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", + "service": "SAP", + "severity": "낮다", + "text": "더욱 강력한 보호를 위해 엔드포인트용 Microsoft Defender 사용하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", + "waf": "안전" }, { - "checklist": "Cost Optimization Checklist", - "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", - "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", - "service": "Azure Functions", - "text": "지정된 계획의 함수 앱은 모두 함께 크기가 조정되므로 크기 조정과 관련된 모든 문제는 계획의 모든 앱에 영향을 줄 수 있습니다.", - "waf": "비용" + "checklist": "SAP Checklist", + 
"guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", + "severity": "높다", + "text": "가상 네트워크 피어링을 통해 스포크 네트워크에 연결된 허브 가상 네트워크를 통해 모든 트래픽을 전달하여 SAP 애플리케이션 및 데이터베이스 서버를 인터넷 또는 온-프레미스 네트워크에서 격리합니다. 피어링된 가상 네트워크는 Azure의 SAP 솔루션이 공용 인터넷에서 격리되도록 보장합니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", + "waf": "안전" }, { - "checklist": "Cost Optimization Checklist", - "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", - "service": "Azure Functions", - "text": "'대기 시간'에 대한 요금이 청구되나요? 이 질문은 일반적으로 비동기 작업을 수행하고 결과를 기다리는 C # 함수 (예 : await Task.Delay(1000) 또는 await client )의 컨텍스트에서 묻습니다. GetAsync('http://google.com')입니다. 대답은 '예'입니다 - GB 초 계산은 함수의 시작 및 종료 시간과 해당 기간 동안의 메모리 사용량을 기반으로 합니다. CPU 작업 측면에서 해당 시간 동안 실제로 발생하는 일은 계산에 포함되지 않습니다. 이 규칙의 한 가지 예외는 지속성 함수를 사용하는 경우입니다. 오케스트레이터 함수에서 대기하는 데 소요된 시간에 대해서는 요금이 청구되지 않습니다.가능한 경우 수요 형성 기술을 적용합니다(개발 환경?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", - "waf": "비용" + "checklist": "SAP Checklist", + "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "낮다", + "text": "SAP Fiori와 같은 인터넷 연결 애플리케이션의 경우 보안 수준을 유지하면서 애플리케이션 요구 사항에 따라 부하를 분산해야 합니다. 
계층 7 보안의 경우 Azure Marketplace에서 사용할 수 있는 타사 WAF(Web Application Firewall)를 사용할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", + "waf": "안전" }, { - "checklist": "Cost Optimization Checklist", - "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Front Door", - "text": "Frontdoor - 기본 홈페이지 끄기앱의 애플리케이션 설정에서 AzureWebJobsDisableHomepage를 true로 설정합니다. 이렇게 하면 PoP에 204(콘텐츠 없음)가 반환되므로 헤더 데이터만 반환됩니다.", - "waf": "비용" + "checklist": "SAP Checklist", + "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", + "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", + "service": "SAP", + "severity": "보통", + "text": "SAP용 Azure Monitor 솔루션에서 보안 통신을 사용하도록 설정하려면 루트 인증서 또는 서버 인증서를 사용하도록 선택할 수 있습니다. 루트 인증서를 사용하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "안전" }, { - "checklist": "Cost Optimization Checklist", - "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Front Door", - "text": "Frontdoor 프론트도어 - 아무것도 반환하지 않는 무언가로 라우팅합니다. 함수, 함수 프록시를 설정하거나 WebApp에서 200(정상)을 반환하고 콘텐츠를 보내지 않거나 최소한으로 보내는 경로를 추가합니다. 이것의 장점은 호출될 때 로그아웃할 수 있다는 것입니다.", - "waf": "비용" + "checklist": "Redis Resiliency checklist", + "guid": "65285269-440b-44be-9d3e-0844276d4bdc", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", + "service": "Redis", + "severity": "높다", + "text": "Azure Cache for Redis에 대한 영역 중복성을 사용하도록 설정합니다. Azure Cache for Redis는 프리미엄 및 엔터프라이즈 계층에서 영역 중복 구성을 지원합니다. 영역 중복 캐시는 동일한 지역의 여러 Azure 가용성 영역에 노드를 배치할 수 있습니다. 
데이터 센터 또는 AZ 중단을 단일 장애 지점으로 제거하고 캐시의 전반적인 가용성을 높입니다.", + "waf": "신뢰도" }, { - "checklist": "Cost Optimization Checklist", - "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", - "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", - "service": "Storage", - "text": "덜 사용되는 데이터에 대한 보관 계층 고려", - "waf": "비용" + "checklist": "Redis Resiliency checklist", + "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", + "service": "Redis", + "severity": "보통", + "text": "Azure Cache for Redis 인스턴스에 대한 데이터 지속성을 구성합니다. 캐시 데이터는 메모리에 저장되기 때문에 드물게 계획되지 않은 여러 노드의 오류로 인해 모든 데이터가 삭제될 수 있습니다. 데이터가 완전히 손실되는 것을 방지하기 위해 Redis 지속성을 사용하면 메모리 내 데이터의 주기적인 스냅숏을 만들어 저장소 계정에 저장할 수 있습니다.", + "waf": "신뢰도" }, { - "checklist": "Cost Optimization Checklist", - "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "VM", - "text": "크기가 계층과 일치하지 않는 디스크 크기를 확인합니다(예: 513GiB 디스크는 P30(1TiB)를 지불하고 크기 조정을 고려합니다.", - "waf": "비용" + "checklist": "Redis Resiliency checklist", + "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", + "service": "Redis", + "severity": "보통", + "text": "지역 중복 스토리지 계정을 사용하여 Azure Cache for Redis 데이터를 유지하거나 지역 중복을 사용할 수 없는 경우 영역 중복을 유지합니다", + "waf": "신뢰도" }, { - "checklist": "Cost Optimization Checklist", - "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "Storage", - "text": "가능하면 프리미엄 또는 울트라 대신 표준 SSD를 사용하는 것이 좋습니다.", - "waf": "비용" + "checklist": "Redis Resiliency checklist", + "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", + "service": "Redis", + 
"severity": "보통", + "text": "프리미엄 Azure Cache for Redis 인스턴스에 대한 수동 지역 복제를 구성합니다. 지역에서 복제는 일반적으로 두 개의 Azure 지역에 걸쳐 있는 둘 이상의 Azure Cache for Redis 인스턴스를 연결하는 메커니즘입니다. 지역에서 복제는 주로 지역 간 재해 복구를 위해 설계되었습니다. 두 개의 프리미엄 계층 캐시 인스턴스는 주 캐시에 대한 읽기 및 쓰기를 제공하는 방식으로 지역 복제를 통해 연결되며, 해당 데이터는 보조 캐시에 복제됩니다.", + "waf": "신뢰도" }, { - "checklist": "Cost Optimization Checklist", - "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "Storage", - "text": "스토리지 계정의 경우 선택한 계층이 트랜잭션 요금을 합산하지 않는지 확인합니다(다음 계층으로 이동하는 것이 더 저렴할 수 있음).", - "waf": "비용" + "checklist": "Azure Landing Zone Review", + "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", + "service": "Entra", + "severity": "보통", + "text": "다중 테넌트에 대한 명확한 규정 또는 비즈니스 요구 사항이 없는 한 Azure 리소스를 관리하기 위해 하나의 Entra 테넌트를 사용합니다.", + "waf": "작업" }, { - "checklist": "Cost Optimization Checklist", - "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "Site Recovery", - "text": "ASR의 경우 RPO/RTO 및 복제 처리량이 허용하는 경우 표준 SSD 디스크를 사용하는 것이 좋습니다", - "waf": "비용" + "checklist": "Azure Landing Zone Review", + "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Entra", + "severity": "낮다", + "text": "Microsoft Entra ID 테넌트를 관리하기 위한 다중 테넌트 자동화 접근 방식이 있는지 확인합니다.", + "waf": "작업" }, { - "checklist": "Cost Optimization Checklist", - "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", - "service": "Storage", - "text": "스토리지 계정: 핫 계층 
및/또는 GRS 필요 확인", - "waf": "비용" + "checklist": "Azure Landing Zone Review", + "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "Entra", + "severity": "낮다", + "text": "다중 테넌트 관리를 위해 Azure Lighthouse 활용", + "waf": "작업" }, { - "checklist": "Cost Optimization Checklist", - "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "VM", - "text": "디스크 - 모든 곳에서 프리미엄 SSD 디스크 사용의 유효성을 검사합니다. 예를 들어 비프로덕션은 표준 SSD 또는 주문형 프리미엄 SSD로 교환할 수 있습니다. ", + "checklist": "Azure Landing Zone Review", + "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Entra", + "severity": "보통", + "text": "Azure Lighthouse가 파트너별로 테넌트를 관리하는 데 사용되는지 확인합니다.", "waf": "비용" }, { - "checklist": "Cost Optimization Checklist", - "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "Synapse", - "text": "예산을 만들어 비용을 관리하고 이해 관계자에게 지출 이상 및 초과 지출 위험을 자동으로 알리는 경고를 만듭니다.", - "waf": "비용" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "348ef254-c27d-442e-abba-c7571559ab91", + "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", + "service": "Entra", + "severity": "높다", + "text": "클라우드 운영 모델에 맞는 RBAC 모델을 적용합니다. 
관리 그룹 및 구독에서 범위 지정 및 할당Scope and Assign across Management Groups and Subscriptions.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "안전" }, { - "checklist": "Cost Optimization Checklist", - "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "Synapse", - "text": "추가 데이터 분석을 위해 비용 데이터를 스토리지 계정으로 내보냅니다.", - "waf": "비용" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", + "service": "Entra", + "severity": "높다", + "text": "모든 계정 유형에 대해 인증 유형 회사 또는 학교 계정만 사용합니다. Microsoft 계정 사용 금지", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "안전" }, { - "checklist": "Cost Optimization Checklist", - "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Synapse", - "text": "리소스를 사용하지 않을 때 일시 중지하여 전용 SQL 풀에 대한 비용을 제어합니다.", - "waf": "비용" + "checklist": "Azure Landing Zone Review", + "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "Entra", + "severity": "보통", + "text": "그룹만 사용하여 권한을 할당합니다. 
그룹 관리 시스템이 이미 있는 경우 Entra ID 전용 그룹에 온-프레미스 그룹을 추가합니다.", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "안전" }, { - "checklist": "Cost Optimization Checklist", - "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", - "service": "Synapse", - "text": "서버리스 Apache Spark 자동 일시 중지 기능을 활성화하고 그에 따라 제한 시간 값을 설정합니다.", - "waf": "비용" + "checklist": "Azure Landing Zone Review", + "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", + "service": "Entra", + "severity": "낮다", + "text": "Azure 환경에 대한 권한이 있는 모든 사용자에 대해 Microsoft Entra ID 조건부 액세스 정책 적용", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "안전" }, { - "checklist": "Cost Optimization Checklist", - "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Synapse", - "text": "다양한 크기의 Apache Spark 풀 정의를 여러 개 만듭니다.", - "waf": "비용" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", + "service": "Entra", + "severity": "높다", + "text": "Azure 환경에 대한 권한이 있는 모든 사용자에 대해 다단계 인증 적용", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "waf": "안전" }, { - "checklist": "Cost Optimization Checklist", - "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", - "service": "Synapse", - "text": "사전 구매 플랜으로 1년 동안 Azure Synapse SCU(커밋 단위)를 구매하여 Azure Synapse Analytics 비용을 
절감하세요.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "비용" + "checklist": "Azure Landing Zone Review", + "guid": "14658d35-58fd-4772-99b8-21112df27ee4", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "Entra", + "severity": "보통", + "text": "Microsoft Entra ID PIM(Privileged Identity Management)을 적용하여 제로 스탠딩 액세스 및 최소 권한 설정", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "안전" }, { - "checklist": "Cost Optimization Checklist", - "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "VM", - "text": "인터럽트 가능한 작업에 스폿 VM 사용: 할인된 가격으로 입찰 및 구매할 수 있는 VM으로, 중요하지 않은 워크로드에 비용 효율적인 솔루션을 제공합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "비용" + "checklist": "Azure Landing Zone Review", + "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", + "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", + "service": "Entra", + "severity": "보통", + "text": "Active Directory 도메인 서비스에서 Entra 도메인 서비스로 전환하려는 경우 모든 워크로드의 호환성을 평가합니다", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "waf": "안전" }, { - "checklist": "Cost Optimization Checklist", - "guid": "544451e1-92d3-4442-a3c7-628637a551c5", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", - "text": "모든 VM의 적절한 크기 조정", - "waf": "비용" + "checklist": "Azure Landing Zone Review", + "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", + "service": "Entra", + "severity": "보통", + "text": "Microsoft Entra ID 로그를 플랫폼 중앙 Azure Monitor와 통합합니다. 
Azure Monitor를 사용하면 Azure의 로그 및 모니터링 데이터에 대한 단일 정보 원본을 사용할 수 있으므로 조직에 로그 수집 및 보존에 대한 요구 사항을 충족할 수 있는 클라우드 네이티브 옵션을 제공합니다.", + "waf": "안전" }, { - "checklist": "Cost Optimization Checklist", - "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "VM", - "text": "VM 크기를 정규화된 최신 크기로 바꾸기", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "비용" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "984a859c-773e-47d2-9162-3a765a917e1f", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + "service": "Entra", + "severity": "높다", + "text": "테넌트 전체 계정 잠금을 방지하기 위해 긴급 액세스 또는 비상 계정을 구현합니다", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "안전" }, { - "checklist": "Cost Optimization Checklist", - "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "적절한 크기 조정 VM - 사용량을 5% 미만으로 모니터링하는 것으로 시작한 다음 최대 40%까지 작업", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "비용" + "checklist": "Azure Landing Zone Review", + "guid": "35037e68-9349-4c15-b371-228514f4cdff", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "Entra", + "severity": "보통", + "text": "Microsoft Entra ID 역할 할당에 온-프레미스 동기화된 계정을 사용하지 마세요.", + "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "waf": "안전" }, { - "checklist": "Cost Optimization Checklist", - "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "애플리케이션을 컨테이너화하면 VM 밀도를 개선하고 확장 비용을 절감할 수 있습니다", - "training": 
"https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "비용" + "checklist": "Azure Landing Zone Review", + "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Entra", + "severity": "보통", + "text": "필요한 경우 Microsoft Entra ID 애플리케이션 프록시를 사용하여 원격 사용자에게 내부 애플리케이션(클라우드 또는 온-프레미스에서 호스트됨)에 대한 안전하고 인증된 액세스를 제공합니다.", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "안전" }, { - "checklist": "MySQL Review Checklist", - "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", - "service": "Azure MySQL", + "checklist": "Azure Landing Zone Review", + "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", + "service": "VNet", "severity": "보통", - "text": "유연한 서버 활용", - "waf": "신뢰도" + "text": "최대한의 유연성이 필요한 네트워크 시나리오를 위해 기존의 허브 앤 스포크(hub-and-spoke) 네트워크 토폴로지를 기반으로 하는 네트워크 설계를 활용합니다.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "안전" }, { - "checklist": "MySQL Review Checklist", - "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", - "service": "Azure MySQL", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/expressroute", + "service": "VNet", "severity": "높다", - "text": "지역적으로 적용 가능한 경우 가용 영역 활용Leverage Availability Zones where regionally applicable", - "waf": "신뢰도" + "text": "ExpressRoute 게이트웨이, VPN 게이트웨이 및 Azure Firewall 또는 중앙 허브 가상 네트워크의 파트너 NVA를 포함한 공유 네트워킹 
서비스를 확인합니다. 필요한 경우 DNS 서버도 배포합니다.", + "waf": "비용" }, { - "checklist": "MySQL Review Checklist", - "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", - "service": "Azure MySQL", + "checklist": "Azure Landing Zone Review", + "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "VNet", "severity": "보통", - "text": "지역 간 DR 시나리오에 입력 데이터 복제 활용", - "waf": "신뢰도" + "text": "애플리케이션 랜딩 존의 모든 공용 IP 주소에 대해 DDoS 네트워크 또는 IP 보호 계획을 사용합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "안전" }, { - "checklist": "Azure Blob Storage Review", - "description": "스토리지와 관련된 Microsoft 클라우드 보안 벤치마크의 지침 적용", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", + "service": "NVA", "severity": "보통", - "text": "'스토리지에 대한 Azure 보안 기준' 고려", + "text": "파트너 네트워킹 기술 또는 NVA를 배포할 때 파트너 공급업체의 지침을 따릅니다", + "waf": "신뢰도" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", + "service": "ExpressRoute", + "severity": "낮다", + "text": "허브 및 스포크 시나리오에서 ExpressRoute와 VPN 게이트웨이 간의 전송이 필요한 경우 Azure Route Server를 사용합니다.", "waf": "안전" }, { - "checklist": "Azure Blob Storage Review", - "description": "Azure Storage는 기본적으로 공용 IP 주소를 가지며 인터넷에 
연결할 수 있습니다. 프라이빗 엔드포인트를 사용하면 액세스가 필요한 Azure Compute 리소스에만 Azure Storage를 안전하게 노출할 수 있으므로 공용 인터넷에 노출되지 않습니다", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Azure Storage", - "severity": "높다", - "text": "Azure Storage에 프라이빗 엔드포인트를 사용하는 것이 좋습니다.", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", + "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", + "service": "ARS", + "severity": "낮다", + "text": "Route Server를 사용하는 경우 Route Server 서브넷에 /27 접두사를 사용합니다.", "waf": "안전" }, { - "checklist": "Azure Blob Storage Review", - "description": "새로 만든 저장소 계정은 ARM 배포 모델을 사용하여 만들어지므로 RBAC, 감사 등을 모두 사용할 수 있습니다. 
구독에 클래식 배포 모델이 있는 이전 저장소 계정이 없는지 확인합니다.", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", + "service": "VNet", "severity": "보통", - "text": "이전 스토리지 계정이 '클래식 배포 모델'을 사용하지 않는지 확인", - "waf": "안전" + "text": "Azure 지역에 걸쳐 여러 허브 및 스포크 토폴로지가 있는 네트워크 아키텍처의 경우 허브 VNet 간에 글로벌 가상 네트워크 피어링을 사용하여 지역을 서로 연결합니다.", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", + "waf": "공연" }, { - "checklist": "Azure Blob Storage Review", - "description": "Microsoft Defender를 활용하여 의심스러운 활동 및 잘못된 구성에 대해 알아봅니다.", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Azure Storage", - "severity": "높다", - "text": "모든 스토리지 계정에 대해 Microsoft Defender 사용", - "waf": "안전" + "checklist": "Azure Landing Zone Review", + "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", + "service": "VNet", + "severity": "보통", + "text": "네트워크용 Azure Monitor를 사용하여 Azure에서 네트워크의 엔드투엔드 상태를 모니터링합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "waf": "작업" }, { - "checklist": "Azure Blob Storage Review", - "description": "일시 삭제 메커니즘을 사용하면 실수로 삭제된 Blob을 복구할 수 있습니다.", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 
'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", + "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", "severity": "보통", - "text": "Blob에 대해 '일시 삭제' 사용Enable 'soft delete' for blobs", - "waf": "안전" + "text": "스포크 가상 네트워크를 중앙 허브 가상 네트워크에 연결할 때 ExpressRoute를 통해 보급할 수 있는 최대 접두사 수(1000)인 VNet 피어링 제한(500)을 고려합니다", + "waf": "신뢰도" }, { - "checklist": "Azure Blob Storage Review", - "description": "예를 들어 애플리케이션이 기밀성, 개인 정보 보호 또는 규정 준수를 위해 삭제된 정보가 즉시 삭제되도록 해야 하는 경우와 같이 특정 Blob 컨테이너에 대해 '일시 삭제'를 선택적으로 사용하지 않도록 설정하는 것이 좋습니다. ", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", + "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", "severity": "보통", - "text": "Blob에 대해 '일시 삭제' 사용 안 함", - "waf": "안전" + "text": "경로 테이블당 경로 제한(400)을 고려합니다.", + "waf": "신뢰도" }, { - "checklist": "Azure Blob Storage Review", - "description": "컨테이너에 대한 일시 삭제를 사용하면 컨테이너가 삭제된 후 컨테이너를 복구할 수 있습니다(예: 실수로 인한 삭제 작업에서 복구).", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Azure Storage", 
+ "ammp": true, + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", + "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", + "service": "VNet", "severity": "높다", - "text": "컨테이너에 대해 '일시 삭제' 사용Enable 'soft delete' for containers", - "waf": "안전" + "text": "VNet 피어링을 구성할 때 '원격 가상 네트워크에 대한 트래픽 허용' 설정을 사용합니다", + "waf": "신뢰도" }, { - "checklist": "Azure Blob Storage Review", - "description": "예를 들어 애플리케이션이 기밀성, 개인 정보 보호 또는 규정 준수를 위해 삭제된 정보가 즉시 삭제되도록 해야 하는 경우와 같이 특정 Blob 컨테이너에 대해 '일시 삭제'를 선택적으로 사용하지 않도록 설정하는 것이 좋습니다. ", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", + "service": "ExpressRoute", "severity": "보통", - "text": "컨테이너에 대해 '일시 삭제' 사용 안 함", + "text": "ExpressRoute Direct를 사용하는 경우 조직의 라우터와 MSEE 간의 계층 2 수준에서 트래픽을 암호화하도록 MACsec을 구성합니다. 
다이어그램은 흐름에서 이 암호화를 보여 줍니다.", "waf": "안전" }, { - "checklist": "Azure Blob Storage Review", - "description": "사용자가 삭제하기 전에 먼저 삭제 잠금을 제거하도록 강제하여 저장소 계정이 실수로 삭제되는 것을 방지합니다.", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", - "severity": "높다", - "text": "스토리지 계정에 대한 리소스 잠금 사용Enable resource locks on storage accounts", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", + "service": "ExpressRoute", + "severity": "낮다", + "text": "MACsec을 사용할 수 없는 시나리오(예: ExpressRoute Direct를 사용하지 않는 경우)의 경우 VPN Gateway를 사용하여 ExpressRoute 개인 피어링을 통해 IPsec 터널을 설정합니다.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", "waf": "안전" }, { - "checklist": "Azure Blob Storage Review", - "description": "Blob에 대한 '법적 보존' 또는 '시간 기반 보존' 정책을 고려하면 Blob, 컨테이너 또는 스토리지 계정을 삭제할 수 없습니다. '불가능'은 실제로 '불가능'을 의미합니다. 
스토리지 계정에 변경할 수 없는 Blob이 포함된 경우 해당 스토리지 계정을 '제거'하는 유일한 방법은 Azure 구독을 취소하는 것입니다.", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Azure Storage", + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "558fd772-49b8-4211-82df-27ee412e7f98", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "ExpressRoute", "severity": "높다", - "text": "변경할 수 없는 Blob 고려", + "text": "Azure 지역 및 온-프레미스 위치에서 겹치는 IP 주소 공간이 사용되지 않는지 확인합니다.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "안전" }, { - "checklist": "Azure Blob Storage Review", - "description": "모든 데이터 전송이 암호화되고, 무결성이 보호되고, 서버가 인증되도록 스토리지 계정에 대한 보호되지 않는 HTTP/80 액세스를 사용하지 않도록 설정하는 것이 좋습니다. ", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Azure Storage", - "severity": "높다", - "text": "HTTPS 필요, 즉 스토리지 계정에서 포트 80 사용 안 함Require HTTPS, i.e. 
disable port 80 on the storage account", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", + "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", + "severity": "낮다", + "text": "개인 인터넷에 대한 주소 할당 범위의 IP 주소를 사용합니다(RFC 1918).", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "안전" }, { - "checklist": "Azure Blob Storage Review", - "description": "스토리지 계정에서 사용자 지정 도메인(호스트 이름)을 구성할 때 TLS/HTTPS가 필요한지 여부를 확인합니다. 
이 경우 저장소 계정 앞에 Azure CDN을 배치해야 할 수 있습니다.", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Azure Storage", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", + "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", "severity": "높다", - "text": "HTTPS를 적용할 때(HTTP 사용 안 함) 스토리지 계정에 사용자 지정 도메인(CNAME)을 사용하지 않는지 확인합니다.", - "waf": "안전" - }, - { - "checklist": "Azure Blob Storage Review", - "description": "클라이언트가 SAS 토큰을 사용하여 Blob 데이터에 액세스할 때 HTTPS를 요구하면 자격 증명 손실 위험을 최소화하는 데 도움이 됩니다.", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Azure Storage", - "severity": "보통", - "text": "SAS(공유 액세스 서명) 토큰을 HTTPS 연결로만 제한", - "waf": "안전" + "text": "IP 주소 공간이 낭비되지 않는지 확인하고 불필요하게 큰 가상 네트워크(예: /16)를 만들지 마세요.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "공연" }, { - "checklist": "Azure Blob Storage Review", - "description": "AAD 토큰은 가능한 경우 공유 액세스 서명보다 우선해야 합니다", - "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", - "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", - "service": "Azure Storage", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", + "link": 
"https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", + "service": "VNet", "severity": "높다", - "text": "Blob 액세스에 Azure AD(Azure Active Directory) 토큰 사용Use Azure Active Directory (Azure AD) tokens for blob access", - "waf": "안전" + "text": "프로덕션 및 DR 사이트에 겹치는 IP 주소 범위를 사용하지 마십시오.", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "신뢰도" }, { - "checklist": "Azure Blob Storage Review", - "description": "사용자, 그룹 또는 응용 프로그램에 역할을 할당할 때 해당 보안 주체가 작업을 수행하는 데 필요한 권한만 부여합니다. 리소스에 대한 액세스를 제한하면 의도하지 않은 데이터 오용과 악의적인 데이터 오용을 모두 방지할 수 있습니다.", - "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", + "service": "DNS", "severity": "보통", - "text": "IaM 권한의 최소 권한", - "waf": "안전" + "text": "Azure에서 이름 확인만 필요한 환경의 경우 이름 확인을 위해 위임된 영역(예: 'azure.contoso.com')을 사용하여 확인을 위해 Azure 프라이빗 DNS를 사용합니다.", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "작업" }, { - "checklist": "Azure Blob Storage Review", - "description": "사용자 위임 SAS는 Azure AD(Azure Active Directory) 자격 증명과 SAS에 지정된 권한으로 보호됩니다. 사용자 위임 SAS는 범위와 기능 측면에서 서비스 SAS와 유사하지만 서비스 SAS에 비해 보안상의 이점을 제공합니다. 
", - "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", - "service": "Azure Storage", - "severity": "높다", - "text": "SAS를 사용하는 경우 스토리지 계정 키 기반 SAS보다 '사용자 위임 SAS'를 선호합니다.", + "checklist": "Azure Landing Zone Review", + "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", + "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", + "service": "DNS", + "severity": "보통", + "text": "Azure 및 온-프레미스에서 이름 확인이 필요한 환경의 경우 Azure DNS Private Resolver를 사용하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", "waf": "안전" }, { - "checklist": "Azure Blob Storage Review", - "description": "스토리지 계정 키('공유 키')에는 감사 기능이 거의 없습니다. 누가/언제 키 사본을 가져왔는지 모니터링할 수 있지만, 키가 여러 사람의 손에 들어가면 특정 사용자의 사용을 귀속시키는 것은 불가능합니다. AAD 인증에만 의존하면 스토리지 액세스를 사용자에게 더 쉽게 연결할 수 있습니다. ", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", - "service": "Azure Storage", - "severity": "높다", - "text": "AAD 액세스(및 사용자 위임 SAS)만 지원되도록 스토리지 계정 키를 사용하지 않도록 설정하는 것이 좋습니다.", - "waf": "안전" + "checklist": "Azure Landing Zone Review", + "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", + "service": "DNS", + "severity": "낮다", + "text": "자체 DNS(예: Red Hat OpenShift)를 요구하고 배포하는 특수 워크로드는 선호하는 DNS 솔루션을 사용해야 합니다.", + "waf": "작업" }, { - "checklist": "Azure Blob Storage Review", - "description": "활동 로그 데이터를 사용하여 스토리지 계정의 보안을 보거나 변경하는 '시기', '누가', '무엇을' 및 '방법'(예: 스토리지 계정 키, 액세스 정책 등)을 식별합니다.", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", - "service": "Azure Storage", + "ammp": true, + 
"checklist": "Azure Landing Zone Review", + "guid": "614658d3-558f-4d77-849b-821112df27ee", + "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", + "service": "DNS", "severity": "높다", - "text": "Azure Monitor를 사용하여 스토리지 계정에 대한 컨트롤 플레인 작업을 감사하는 것이 좋습니다.", - "waf": "안전" + "text": "Azure DNS에 대한 자동 등록을 사용하도록 설정하여 가상 네트워크 내에 배포된 가상 머신에 대한 DNS 레코드의 수명 주기를 자동으로 관리합니다.", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "작업" }, { - "checklist": "Azure Blob Storage Review", - "description": "키 만료 정책을 사용하면 계정 액세스 키 교체에 대한 미리 알림을 설정할 수 있습니다. 지정된 간격이 경과하고 키가 아직 회전되지 않은 경우 알림이 표시됩니다.", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", + "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", + "service": "Bastion", "severity": "보통", - "text": "스토리지 계정 키를 사용하는 경우 '키 만료 정책'을 사용하도록 설정하는 것이 좋습니다", + "text": "Azure Bastion을 사용하여 네트워크에 안전하게 연결하는 것이 좋습니다.", "waf": "안전" }, { - "checklist": "Azure Blob Storage Review", - "description": "SAS 만료 정책은 SAS가 유효한 권장 간격을 지정합니다. SAS 만료 정책은 서비스 SAS 또는 계정 SAS에 적용됩니다. 
사용자가 권장 간격보다 큰 유효 간격을 사용하여 서비스 SAS 또는 계정 SAS를 생성하면 경고가 표시됩니다.", - "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", - "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", + "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", + "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", + "service": "Bastion", "severity": "보통", - "text": "SAS 만료 정책 구성 고려", + "text": "서브넷 /26 이상에서 Azure Bastion을 사용합니다.", "waf": "안전" }, { - "checklist": "Azure Blob Storage Review", - "description": "저장된 액세스 정책은 스토리지 계정 키를 다시 생성할 필요 없이 서비스 SAS에 대한 권한을 취소하는 옵션을 제공합니다. 
", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "WAF", "severity": "보통", - "text": "SAS를 저장된 액세스 정책에 연결하는 것이 좋습니다.", + "text": "Azure Front Door 및 WAF 정책을 사용하여 랜딩 존에 대한 인바운드 HTTP/S 연결을 위해 Azure 지역에서 전역 보호를 제공합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "안전" }, { - "checklist": "Azure Blob Storage Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", - "service": "Azure Storage", - "severity": "보통", - "text": "체크 인된 연결 문자열 및 저장소 계정 키를 검색하도록 응용 프로그램의 소스 코드 리포지토리를 구성하는 것이 좋습니다.", + "checklist": "Azure Landing Zone Review", + "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", + "severity": "낮다", + "text": "Azure Front Door 및 Azure Application Gateway를 사용하여 HTTP/S 앱을 보호하는 경우 Azure Front Door에서 WAF 정책을 사용합니다. Azure Front Door에서만 트래픽을 수신하도록 Azure Application Gateway를 잠급니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "안전" }, { - "checklist": "Azure Blob Storage Review", - "description": "이상적으로 애플리케이션은 관리 ID를 사용하여 Azure Storage에 인증해야 합니다. 
이렇게 할 수 없는 경우 Azure KeyVault 또는 동등한 서비스에 스토리지 자격 증명(연결 문자열, 스토리지 계정 키, SAS, 서비스 주체 자격 증명)을 사용하는 것이 좋습니다.", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", - "service": "Azure Storage", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", "severity": "높다", - "text": "Azure KeyVault에 연결 문자열을 저장하는 것이 좋습니다(관리 ID를 사용할 수 없는 시나리오에서).", + "text": "WAF 및 기타 역방향 프록시 배포는 인바운드 HTTP/S 연결에 필요하며, 랜딩 존 가상 네트워크 내에 배포하고 보호하고 인터넷에 노출하는 앱과 함께 배포합니다.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "안전" }, { - "checklist": "Azure Blob Storage Review", - "description": "임시 SAS 서비스 SAS 또는 계정 SAS에서 단기 만료 시간을 사용합니다. 이러한 방식으로 SAS가 손상되더라도 짧은 시간 동안만 유효합니다. 이 방법은 저장된 액세스 정책을 참조할 수 없는 경우에 특히 중요합니다. 또한 단기 만료 시간은 업로드에 사용할 수 있는 시간을 제한하여 Blob에 쓸 수 있는 데이터의 양을 제한합니다.", - "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", "severity": "높다", - "text": "임시 SAS의 유효 기간을 단축하기 위해 노력", - "waf": "안전" - }, - { - "checklist": "Azure Blob Storage Review", - "description": "SAS를 만들 때는 가능한 한 구체적이고 제한적이어야 합니다. 
훨씬 더 광범위한 액세스를 제공하는 SAS보다 단일 리소스 및 작업에 대해 SAS를 선호합니다.", - "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", - "severity": "보통", - "text": "SAS에 좁은 범위 적용", + "text": "Azure DDoS 네트워크 또는 IP 보호 계획을 사용하여 가상 네트워크 내에서 공용 IP 주소 엔드포인트를 보호할 수 있습니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "안전" }, { - "checklist": "Azure Blob Storage Review", - "description": "SAS에는 SAS를 사용하여 리소스를 요청할 수 있는 권한이 있는 클라이언트 IP 주소 또는 주소 범위에 대한 매개 변수가 포함될 수 있습니다. ", - "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", - "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", - "service": "Azure Storage", - "severity": "보통", - "text": "가능한 경우 SAS의 범위를 특정 클라이언트 IP 주소로 지정하는 것이 좋습니다", - "waf": "안전" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "b034c01e-110b-463a-b36e-e3346e57f225", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", + "service": "VNet", + "severity": "높다", + "text": "예정된 호환성이 손상되는 변경 전에 네트워크 아웃바운드 트래픽 구성 및 전략을 평가하고 검토합니다. 2025년 9월 30일에 새 배포에 대한 기본 아웃바운드 액세스가 사용 중지되고 명시적 액세스 구성만 허용됩니다", + "waf": "신뢰도" }, { - "checklist": "Azure Blob Storage Review", - "description": "SAS는 클라이언트가 업로드하는 데이터의 양을 제한할 수 없습니다. 시간 경과에 따른 스토리지 양의 가격 책정 모델을 고려할 때 클라이언트가 악의적으로 큰 콘텐츠를 업로드했는지 여부를 확인하는 것이 합리적일 수 있습니다.", - "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", - "service": "Azure Storage", - "severity": "낮다", - "text": "클라이언트가 SAS를 사용하여 파일을 업로드한 후 업로드된 데이터를 확인하는 것이 좋습니다. 
", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", + "severity": "높다", + "text": "보호된 모든 공용 IP 주소(DDoS IP 또는 네트워크 보호)에 대한 DDoS 관련 로그를 저장하는 진단 설정을 추가합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "안전" }, { - "checklist": "Azure Blob Storage Review", - "description": "'로컬 사용자 계정'을 사용하여 SFTP를 통해 Blob Storage에 액세스하는 경우 '일반적인' RBAC 컨트롤이 적용되지 않습니다. NFS 또는 REST를 통한 Blob 액세스는 SFTP 액세스보다 더 제한적일 수 있습니다. 안타깝게도 2023년 초부터 로컬 사용자는 현재 SFTP 엔드포인트에 대해 지원되는 유일한 ID 관리 형태입니다", - "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", - "service": "Azure Storage", - "severity": "높다", - "text": "SFTP: SFTP 액세스에 대한 '로컬 사용자'의 수를 제한하고 시간이 지남에 따라 액세스가 필요한지 여부를 감사합니다.", - "waf": "안전" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli", + "service": "ExpressRoute", + "severity": "보통", + "text": "ExpressRoute를 Azure에 대한 기본 연결로 사용할 수 있는지 조사했는지 확인합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "공연" }, { - "checklist": "Azure Blob Storage Review", - "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", - "service": "Azure Storage", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "description": "AS-path 접두사 및 연결 가중치를 사용하여 Azure에서 온-프레미스로의 트래픽에 영향을 주고, 자체 라우터의 전체 BGP 특성 범위를 사용하여 
온-프레미스에서 Azure로의 트래픽에 영향을 줄 수 있습니다.", + "guid": "f29812b2-363c-4efe-879b-599de0d5973c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", + "service": "ExpressRoute", "severity": "보통", - "text": "SFTP: SFTP 엔드포인트는 POSIX와 유사한 ACL을 지원하지 않습니다.", - "waf": "안전" + "text": "여러 ExpressRoute 회로 또는 여러 온-프레미스 위치를 사용하는 경우 특정 경로를 선호하는 경우 BGP 특성을 사용하여 라우팅을 최적화해야 합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "신뢰도" }, { - "checklist": "Azure Blob Storage Review", - "description": "스토리지는 CORS(Cross-Origin Resource Sharing), 즉 다른 도메인의 웹앱이 동일 출처 정책을 완화할 수 있도록 하는 HTTP 기능을 지원합니다. CORS를 사용하도록 설정할 때 CorsRules를 최소 권한으로 유지합니다.", - "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", - "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", - "service": "Azure Storage", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", + "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", + "service": "ExpressRoute", + "severity": "보통", + "text": "대역폭 및 성능 요구 사항에 따라 ExpressRoute/VPN 게이트웨이에 적합한 SKU를 사용하고 있는지 확인합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "공연" + }, + { + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend 
compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", + "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", + "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", + "service": "ExpressRoute", "severity": "높다", - "text": "지나치게 광범위한 CORS 정책 방지", - "waf": "안전" + "text": "비용을 정당화하는 대역폭에 도달하는 경우에만 무제한 데이터 ExpressRoute 회로를 사용해야 합니다.", + "waf": "비용" }, { - "checklist": "Azure Blob Storage Review", - "description": "미사용 데이터는 항상 서버 쪽에서 암호화되며 클라이언트 쪽에서도 암호화될 수 있습니다. 서버 쪽 암호화는 플랫폼 관리형 키(기본값) 또는 고객 관리형 키를 사용하여 발생할 수 있습니다. 클라이언트 쪽 암호화는 클라이언트가 Azure Storage에 Blob별로 암호화/암호 해독 키를 제공하거나 클라이언트 쪽에서 암호화를 완전히 처리하여 발생할 수 있습니다. 따라서 기밀성 보장을 위해 Azure Storage에 전혀 의존하지 않습니다.", - "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "Azure Storage", + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", + "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", + "service": "ExpressRoute", "severity": "높다", - "text": "미사용 데이터를 암호화하는 방법을 결정합니다. 
데이터에 대한 스레드 모델을 이해합니다.", - "waf": "안전" + "text": "회로의 피어링 위치가 로컬 SKU에 대한 Azure 지역을 지원하는 경우 ExpressRoute의 로컬 SKU를 활용하여 회로 비용을 줄입니다.", + "waf": "비용" }, { - "checklist": "Azure Blob Storage Review", - "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", - "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", - "service": "Azure Storage", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", + "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", + "service": "ExpressRoute", "severity": "보통", - "text": "사용해야 하는 플랫폼 암호화를 결정합니다.", - "waf": "안전" + "text": "지원되는 Azure 지역에 영역 중복 ExpressRoute 게이트웨이를 배포합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "신뢰도" }, { - "checklist": "Azure Blob Storage Review", - "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", - "service": "Azure Storage", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", "severity": "보통", - "text": "사용해야 하는 클라이언트 쪽 암호화를 결정합니다.", - "waf": "안전" + "text": "10Gbps보다 높은 대역폭 또는 전용 
10/100Gbps 포트가 필요한 시나리오의 경우 ExpressRoute Direct를 사용합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "공연" }, { - "checklist": "Azure Blob Storage Review", - "description": "Resource Graph Explorer(resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true)를 활용하여 익명 Blob 액세스를 허용하는 스토리지 계정을 찾습니다.", - "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", - "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", - "service": "Azure Storage", - "severity": "높다", - "text": "공용 Blob 액세스가 필요한지 또는 특정 스토리지 계정에 대해 사용하지 않도록 설정할 수 있는지 여부를 고려합니다. ", - "waf": "안전" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", + "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", + "service": "ExpressRoute", + "severity": "보통", + "text": "짧은 대기 시간이 필요하거나 온-프레미스에서 Azure로의 처리량이 10Gbps보다 커야 하는 경우 FastPath를 사용하여 데이터 경로에서 ExpressRoute 게이트웨이를 우회합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "공연" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", - "service": "AVS", - "severity": "높다", - "text": "ADDS 도메인 컨트롤러가 네이티브 Azure의 ID 구독에 배포되었는지 확인합니다.", - "waf": "안전" + "arm-service": "microsoft.network/vpnGateways", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", + "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", + "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", + "service": "VPN", + "severity": "보통", + 
"text": "영역 중복 VPN Gateway를 사용하여 분기 또는 원격 위치를 Azure(사용 가능한 경우)에 연결합니다.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "신뢰도" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "75089c20-990d-4927-b105-885576f76fc2", - "service": "AVS", + "arm-service": "microsoft.network/vpnGateways", + "checklist": "Azure Landing Zone Review", + "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", + "service": "VPN", "severity": "보통", - "text": "ADDS 사이트 및 서비스가 Azure 기반 리소스(Azure VMware Solution 포함)의 인증 요청을 Azure에 로컬로 유지하도록 구성되어 있는지 확인합니다.", - "waf": "안전" + "text": "온-프레미스에서 중복 VPN 어플라이언스(활성/활성 또는 활성/수동)를 사용합니다.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "신뢰도" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", - "service": "AVS", + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "718cb437-b060-2589-8856-2e93a5c6633b", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", + "service": "ExpressRoute", "severity": "높다", - "text": "vCenter가 ADDS에 연결되어 있는지 확인하여 '명명된 사용자 계정'을 기반으로 인증을 사용하도록 설정합니다.", - "waf": "안전" + "text": "ExpressRoute Direct를 사용하는 경우 비용을 절감하기 위해 로컬 Azure 지역에 대한 ExpressRoute 로컬 회로를 사용하는 것이 좋습니다", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "비용" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", - "service": "AVS", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", 
+ "service": "ExpressRoute", "severity": "보통", - "text": "vCenter에서 ADDS로의 연결이 보안 프로토콜(LDAPS)을 사용하고 있는지 확인합니다.", + "text": "트래픽 격리 또는 전용 대역폭이 필요한 경우(예: 프로덕션 환경과 비프로덕션 환경을 분리하기 위해) 다른 ExpressRoute 회로를 사용합니다. 격리된 라우팅 도메인을 보장하고 시끄러운 이웃 위험을 완화하는 데 도움이 됩니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", - "service": "AVS", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b30e38c3-f298-412b-8363-cefe179b599d", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", + "service": "ExpressRoute", "severity": "보통", - "text": "vCenter IdP의 CloudAdmin 계정은 긴급 계정으로만 사용됩니다(Break-glass).", - "waf": "안전" + "text": "기본 제공 Express Route Insights를 사용하여 ExpressRoute 가용성 및 사용률을 모니터링합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "작업" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", - "service": "AVS", - "severity": "높다", - "text": "NSX-Manager가 외부 ID 제공자(LDAPS)와 통합되었는지 확인합니다.", - "waf": "안전" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", + "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", + "service": "ExpressRoute", + "severity": "보통", + "text": "네트워크 전체, 특히 온-프레미스와 Azure 간의 연결을 모니터링하려면 연결 모니터를 사용합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "작업" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", - "service": "AVS", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + 
"graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", + "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#challenges-of-using-multiple-expressroute-circuits", + "service": "ExpressRoute", "severity": "보통", - "text": "VMware vSphere에서 사용하기 위해 RBAC 모델이 생성되었습니까?", - "waf": "안전" + "text": "중복성을 위해 서로 다른 피어링 위치의 ExpressRoute 회로를 사용합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "신뢰도" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", - "service": "AVS", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", + "service": "ExpressRoute", "severity": "보통", - "text": "RBAC 권한은 특정 사용자가 아닌 ADDS 그룹에 부여해야 합니다", - "waf": "안전" + "text": "특히 단일 ExpressRoute 회로만 사용하는 경우 사이트 간 VPN을 ExpressRoute의 장애 조치(failover)로 사용합니다.", + "waf": "신뢰도" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", - "service": "AVS", + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | 
project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", + "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", + "service": "ExpressRoute", "severity": "높다", - "text": "Azure의 Azure VMware Solution 리소스에 대한 RBAC 권한은 제한된 소유자 집합으로만 '잠김'됩니다", - "waf": "안전" + "text": "GatewaySubnet에서 경로 테이블을 사용하는 경우 게이트웨이 경로가 전파되었는지 확인합니다.", + "waf": "신뢰도" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", - "service": "AVS", + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "d581a947-69a2-4783-942e-9df3664324c8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", + "service": "ExpressRoute", "severity": "높다", - "text": "모든 사용자 지정 역할의 범위가 CloudAdmin 허용 권한 부여로 지정되었는지 확인합니다.", - "waf": "안전" + "text": "ExpressRoute를 사용하는 경우 온-프레미스 라우팅은 동적이어야 하며, 연결 오류가 발생할 경우 회로의 나머지 연결로 수렴되어야 합니다. 
로드는 두 연결 모두에서 이상적으로는 액티브/액티브로 공유되어야 하지만 액티브/패시브도 지원됩니다.", + "waf": "신뢰도" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", - "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", - "service": "AVS", - "severity": "높다", - "text": "현재 고객 사용 사례에 대해 올바른 Azure VMware Solution 연결 모델을 선택했습니까?", - "waf": "공연" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", + "service": "ExpressRoute", + "severity": "보통", + "text": "ExpressRoute 회로의 두 물리적 링크가 네트워크에 있는 두 개의 고유한 에지 디바이스에 연결되어 있는지 확인합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "신뢰도" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", - "service": "AVS", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", + "service": "ExpressRoute", + "severity": "보통", + "text": "BFD(Bidirectional Forwarding Detection)가 고객 또는 프로바이더 에지 라우팅 디바이스에서 활성화되고 구성되도록 보장합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "신뢰도" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "ExpressRoute", "severity": "높다", - "text": "'연결 모니터'를 사용하여 온-프레미스에서 Azure로의 ExpressRoute 또는 VPN 연결이 모니터링되는지 확인합니다.", - "waf": "작업" + "text": "복원력을 높이기 위해 서로 다른 피어링 위치에서 둘 이상의 회로에 ExpressRoute 
게이트웨이를 연결합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "신뢰도" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", - "service": "AVS", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", + "service": "ExpressRoute", "severity": "보통", - "text": "Azure VMware Solution 백 엔드 ExpressRoute 연결을 모니터링하기 위해 Azure 네이티브 리소스에서 Azure VMware Solution 가상 머신으로 연결 모니터가 만들어졌는지 확인합니다.", + "text": "ExpressRoute 가상 네트워크 게이트웨이에 대한 진단 로그 및 경고를 구성합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "작업" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", - "service": "AVS", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "5234c93f-b651-41dd-80c1-234177b91ced", + "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", + "service": "ExpressRoute", "severity": "보통", - "text": "엔드-2-엔드 연결을 모니터링하기 위해 온-프레미스 리소스에서 Azure VMware Solution 가상 머신으로 연결 모니터가 만들어졌는지 확인합니다.", - "waf": "작업" + "text": "VNet 간 통신에 ExpressRoute 회로를 사용하지 마세요.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "공연" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", - "service": "AVS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", + "link": "https://learn.microsoft.com/azure/app-service/networking-features", + "service": "Firewall", "severity": "높다", - "text": "경로 서버를 사용하는 경우 경로 서버에서 ExR 게이트웨이로, 온-프레미스로 
1,000개 이상의 경로가 전파되지 않도록 합니다(ARS 제한).", - "waf": "작업" + "text": "Azure Firewall을 사용하여 인터넷에 대한 Azure 아웃바운드 트래픽, 비 HTTP/S 인바운드 연결 및 East/West 트래픽 필터링(조직에 필요한 경우)을 제어합니다", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", - "service": "AVS", - "severity": "높다", - "text": "Azure Portal에서 Azure VMware Solution 리소스를 관리하는 역할에 대해 Privileged Identity Management가 구현되어 있나요(고정 권한이 허용되지 않음).", + "checklist": "Azure Landing Zone Review", + "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", + "service": "Firewall", + "severity": "보통", + "text": "글로벌 Azure Firewall 정책을 만들어 글로벌 네트워크 환경에서 보안 태세를 제어하고 모든 Azure Firewall 인스턴스에 할당합니다. Azure 역할 기반 액세스 제어를 통해 증분 방화벽 정책을 로컬 보안 팀에 위임하여 특정 지역의 요구 사항을 충족하는 세분화된 정책을 허용합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", - "service": "AVS", - "severity": "높다", - "text": "Azure VMware Solution PIM 역할에 대해 Privileged Identity Management 감사 보고를 구현해야 합니다.", + "checklist": "Azure Landing Zone Review", + "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", + "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", + "service": "Firewall", + "severity": "낮다", + "text": "조직에서 이러한 솔루션을 사용하여 아웃바운드 연결을 보호하려는 경우 Firewall Manager 내에서 지원되는 파트너 SaaS 보안 공급자를 구성합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", - "service": "AVS", - "severity": "보통", - "text": "Privileged Identity Management를 사용하는 경우 Azure VMware Solution 자동 호스트 교체 알림에 대한 유효한 SMTP 레코드를 
사용하여 유효한 Entra ID 사용 계정을 만들었는지 확인합니다. (상시 권한 필요)", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", + "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", + "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", + "service": "Firewall", + "severity": "높다", + "text": "FQDN 기반 네트워크 규칙 및 DNS 프록시와 함께 Azure Firewall을 사용하여 애플리케이션 규칙에서 지원하지 않는 프로토콜을 통해 인터넷으로의 송신 트래픽을 필터링합니다.", "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", - "service": "AVS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", + "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", + "link": "https://learn.microsoft.com/azure/firewall/premium-features", + "service": "Firewall", "severity": "높다", - "text": "CloudAdmin 계정 사용을 긴급 액세스로만 제한", + "text": "추가 보안 및 보호를 위해 Azure Firewall 프리미엄을 사용합니다.", "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", - "service": "AVS", - "severity": "보통", - "text": "vCenter에서 사용자 지정 RBAC 역할을 만들어 vCenter 내에서 최소 권한 모델 구현", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", + "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", + "link": "https://learn.microsoft.com/azure/firewall/premium-features", + "service": "Firewall", + "severity": "높다", + "text": "추가 보호를 위해 Azure Firewall 위협 인텔리전스 모드를 경고 및 거부로 구성합니다.", "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", - 
"service": "AVS", - "severity": "보통", - "text": "cloudadmin(vCenter) 및 admin(NSX) 자격 증명을 정기적으로 순환하도록 정의된 프로세스입니다.", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", + "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", + "service": "Firewall", + "severity": "높다", + "text": "추가 보호를 위해 Azure Firewall IDPS 모드를 거부로 구성합니다.", "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", - "service": "AVS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", + "guid": 
"a3784907-9836-4271-aafc-93535f8ec08b", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "service": "Firewall", "severity": "높다", - "text": "Azure VMware Solution에서 실행되는 워크로드(VM)에 사용할 중앙 집중식 ID 공급자 사용", + "text": "Virtual WAN에 연결되지 않은 VNet의 서브넷의 경우 인터넷 트래픽이 Azure Firewall 또는 네트워크 가상 어플라이언스로 리디렉션되도록 경로 테이블을 연결합니다", "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", - "service": "AVS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "715d833d-4708-4527-90ac-1b142c7045ba", + "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", + "service": "Firewall", "severity": "보통", - "text": "NSX-T 내에서 East-West 트래픽 필터링이 구현되었는지 여부", - "waf": "안전" + "text": "모든 Azure Firewall 배포에 대해 리소스별 대상 테이블을 사용하여 로그를 저장하는 진단 설정을 추가합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "작업" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", - "service": "AVS", - "severity": "높다", - "text": "Azure VMware Solution의 워크로드는 인터넷에 직접 노출되지 않습니다. 
트래픽은 Azure Application Gateway, Azure Firewall 또는 제3자 솔루션에 의해 필터링되고 검사됩니다", - "waf": "안전" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", + "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", + "service": "Firewall", + "severity": "중요하다", + "text": "Azure Firewall 클래식 규칙(있는 경우)에서 방화벽 정책으로 마이그레이션합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "작업" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", - "service": "AVS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", + "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", + "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", + "service": "Firewall", "severity": "높다", - "text": "감사 및 로깅은 Azure VMware Solution 및 Azure VMware Solution 기반 워크로드에 대한 인바운드 인터넷 요청에 대해 구현됩니다", - "waf": "안전" - }, - { - "checklist": "Azure VMware Solution Design Review", - "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", - "service": "AVS", - "severity": "보통", - "text": "세션 모니터링은 의심스러운/악의적인 활동을 식별하기 위해 Azure VMware Solution 또는 Azure VMware Solution 기반 워크로드의 아웃바운드 인터넷 연결에 대해 구현됩니다", + "text": "Azure Firewall 서브넷에 /26 접두사를 사용합니다.", "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "334fdf91-c234-4182-a652-75269440b4be", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", + "link": 
"https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", + "service": "Firewall", "severity": "보통", - "text": "Azure의 ExR/VPN Gateway 서브넷에서 DDoS 표준 보호를 사용할 수 있나요?", - "waf": "안전" + "text": "방화벽 정책 내의 규칙을 Rule Collection Groups(규칙 컬렉션 그룹) 및 Rule Collections(규칙 컬렉션)로 정렬하고 사용 빈도에 따라 정렬합니다", + "waf": "공연" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", + "link": "https://learn.microsoft.com/azure/firewall/ip-groups", + "service": "Firewall", "severity": "보통", - "text": "전용 PAW(Privileged Access Workstation)를 사용하여 Azure VMware Solution, vCenter, NSX Manager 및 HCX Manager 관리", - "waf": "안전" + "text": "IP 그룹 또는 IP 접두사를 사용하여 IP 테이블 규칙 수 줄이기", + "waf": "공연" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", + "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", + "service": "Firewall", "severity": "보통", - "text": "Azure VMware Solution에서 실행되는 워크로드에 대해 Advanced Threat Detection(클라우드용 Microsoft Defender 또는 ASC) 사용", - "waf": "안전" + "text": "와일드카드를 DNAT의 소스 IP로 사용하지 않으려면 * 또는 any와 같이 수신 DNAT에 대한 소스 IP를 지정해야 합니다", + "waf": "공연" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", + "link": "https://learn.microsoft.com/azure/nat-gateway/tutorial-hub-spoke-nat-firewall", + "service": "Firewall", "severity": "보통", - "text": "서버용 Azure ARC를 사용하여 Azure 네이티브 기술을 사용하여 Azure VMware Solution에서 실행되는 워크로드를 적절하게 제어합니다(Azure VMware Solution용 Azure ARC는 아직 사용할 수 없음).", - "waf": "안전" + "text": "SNAT 포트 사용량을 모니터링하고, NAT 게이트웨이 설정을 평가하고, 원활한 장애 
조치(failover)를 보장하여 SNAT 포트 소모를 방지합니다. 포트 수가 제한에 가까워지면 SNAT 소모가 임박했다는 신호입니다.", + "waf": "공연" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", - "service": "AVS", - "severity": "낮다", - "text": "Azure VMware Solution의 워크로드가 런타임 중에 충분한 데이터 암호화(예: 게스트 내 디스크 암호화 및 SQL TDE)를 사용하는지 확인합니다. (vSAN 미사용 암호화가 기본값임)", - "waf": "안전" + "checklist": "Azure Landing Zone Review", + "guid": "346840b8-1064-496e-8396-4b1340172d52", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", + "service": "Firewall", + "severity": "높다", + "text": "TLS 검사 활성화", + "waf": "공연" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "a3592718-e6e2-4051-9267-6ae46691e883", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", + "service": "Firewall", "severity": "낮다", - "text": "게스트 내 암호화를 사용하는 경우 가능한 경우 Azure Key Vault에 암호화 키를 저장합니다", - "waf": "안전" + "text": "웹 범주를 사용하여 특정 주제에 대한 아웃바운드 액세스를 허용하거나 거부할 수 있습니다.", + "waf": "공연" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "5ac94222-3e13-4810-9230-81a941741583", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", + "service": "Firewall", "severity": "보통", - "text": "Azure VMware Solution에서 실행되는 워크로드에 대해 확장된 보안 업데이트 지원을 사용하는 것이 좋습니다(Azure VMware Solution은 ESU에 적합함).", - "waf": "안전" + "text": "TLS 검사의 일환으로 검사를 위해 Azure App Gateway에서 트래픽을 수신하도록 계획합니다.", + "waf": "공연" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", - "service": "AVS", - "severity": "높다", - "text": "적절한 vSAN 데이터 이중화 방법이 사용되는지 확인합니다(RAID 규격).", - "waf": "신뢰도" + "checklist": 
"Azure Landing Zone Review", + "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", + "link": "https://learn.microsoft.com/azure/firewall/dns-details", + "service": "Firewall", + "severity": "보통", + "text": "Azure Firewall DNS 프록시 구성 사용 ", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d88408f3-7273-44c8-96ba-280214590146", - "service": "AVS", - "severity": "높다", - "text": "vSAN 스토리지 요구 사항을 충족하기 위해 장애 허용 정책이 적용되어 있는지 확인합니다", - "waf": "신뢰도" + "checklist": "Azure Landing Zone Review", + "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", + "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", + "service": "Firewall", + "severity": "보통", + "text": "Virtual Machines에 직접 연결된 공용 IP 주소를 거부하는 정책 할당이 있는지 확인합니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", - "service": "AVS", - "severity": "높다", - "text": "충분한 할당량을 요청했는지 확인하고 성장 및 재해 복구 요구 사항을 고려했는지 확인합니다", - "waf": "신뢰도" + "checklist": "Azure Landing Zone Review", + "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", + "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", + "service": "Firewall", + "severity": "낮다", + "text": "Azure Firewall을 Azure Monitor와 통합하고 진단 로깅을 사용하도록 설정하여 방화벽 로그를 저장하고 분석합니다.", + "waf": "작업" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", - "service": "AVS", - "severity": "보통", - "text": "ESXi에 대한 액세스 제약 조건을 이해하고 타사 솔루션에 영향을 줄 수 있는 액세스 제한이 있는지 확인합니다.", + "checklist": "Azure Landing Zone Review", + "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", + "service": "Firewall", + "severity": "낮다", + "text": "방화벽 규칙에 대한 백업 구현", "waf": "작업" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", - "service": "AVS", - "severity": "보통", - "text": "새 노드 요청에 대한 리드 
타임을 염두에 두고 ESXi 호스트 밀도 및 효율성에 대한 정책이 있는지 확인합니다", - "waf": "작업" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "App Gateway", + "severity": "높다", + "text": "가상 네트워크에 삽입된 Azure PaaS 서비스에 대한 컨트롤 플레인 통신이 중단되지 않았는지 확인합니다(예: 0.0.0.0/0 경로 또는 컨트롤 플레인 트래픽을 차단하는 NSG 규칙).", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", - "service": "AVS", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", + "link": "https://learn.microsoft.com/azure/app-service/networking-features", + "service": "ExpressRoute", "severity": "보통", - "text": "Azure VMware Solution에 대한 적절한 비용 관리 프로세스가 있는지 확인 - Azure Cost Management를 사용할 수 있습니다.", - "waf": "비용" + "text": "프라이빗 엔드포인트 및 ExpressRoute 프라이빗 피어링을 통해 온-프레미스에서 Azure PaaS 서비스에 액세스합니다. 
이 방법을 사용하면 공용 인터넷을 통한 전송을 방지할 수 있습니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", - "service": "AVS", - "severity": "낮다", - "text": "Azure VMware Solution 사용 비용을 최적화하는 데 사용되는 Azure 예약 인스턴스입니까?", - "waf": "비용" + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", + "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", + "link": "https://learn.microsoft.com/azure/app-service/networking-features", + "service": "VNet", + "severity": "보통", + "text": "모든 서브넷에서 기본적으로 가상 네트워크 서비스 엔드포인트를 사용하도록 설정하지 마세요.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "6691e883-5ac9-4422-83e1-3810523081a9", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", + "link": "https://learn.microsoft.com/azure/app-service/networking-features", + "service": "Firewall", "severity": "보통", - "text": "다른 Azure 네이티브 서비스를 사용할 때 Azure Private-Link 사용 고려", + "text": "데이터 반출을 방지하기 위해 Azure Firewall 또는 NVA의 IP 주소 대신 FQDN을 사용하여 Azure PaaS 서비스에 대한 송신 트래픽을 필터링합니다. 
Private Link를 사용하는 경우 모든 FQDN을 차단할 수 있으며, 그렇지 않으면 필요한 PaaS 서비스만 허용할 수 있습니다.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", - "service": "AVS", + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", + "service": "ExpressRoute", "severity": "높다", - "text": "필요한 모든 리소스가 동일한 Azure 가용성 영역 내에 있는지 확인합니다.", - "waf": "공연" + "text": "게이트웨이 서브넷에 /27 이상의 접두사를 사용합니다", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and 
ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", + "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", + "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", + "service": "NSG", "severity": "보통", - "text": "Azure VMware Solution 게스트 VM 워크로드에 대해 클라우드용 Microsoft Defender 사용", + "text": "VirtualNetwork 서비스 태그를 사용하여 연결을 제한하는 NSG 인바운드 기본 규칙을 사용하지 마세요.", "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", + "service": "NSG", "severity": "보통", - "text": "Azure Arc 지원 서버를 사용하여 Azure VMware Solution 게스트 VM 워크로드 관리", + "text": "NSG를 사용하여 서브넷 간의 트래픽과 플랫폼 전체의 East/West 트래픽(랜딩 존 간 트래픽)을 보호할 수 있습니다.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", - "service": "AVS", - "severity": "높다", - "text": "Azure VMware Solution에서 진단 및 메트릭 로깅 사용Enable Diagnostic and metric logging on Azure VMware Solution", - "waf": "작업" + "checklist": "Azure Landing Zone Review", + "graph": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 
'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)", + "guid": "9c2299c4-d7b5-47d0-a655-562f2b3e4563", + "service": "NSG", + "severity": "보통", + "text": "애플리케이션 팀은 서브넷 수준 NSG에서 애플리케이션 보안 그룹을 사용하여 랜딩 존 내의 다중 계층 VM을 보호해야 합니다.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "NSG", "severity": "보통", - "text": "Azure VMware Solution 게스트 VM 워크로드에 Log Analytics 에이전트 배포", - "waf": "작업" + "text": "NSG 및 애플리케이션 보안 그룹을 사용하여 랜딩 존 내에서 트래픽을 마이크로 세그먼트화하고 중앙 NVA를 사용하여 트래픽 흐름을 필터링하지 않도록 합니다.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "589d457a-927c-4397-9d11-02cad6aae11e", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "dfe237de-143b-416c-91d7-aa9b64704489", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "NSG", "severity": "보통", - "text": "Azure VMware Solution VM 워크로드에 대한 백업 정책 및 솔루션을 문서화하고 구현했는지 확인합니다.", - "waf": "작업" + "text": "VNet 흐름 로그를 사용하도록 설정하고 트래픽 분석에 제공하여 내부 및 외부 트래픽 흐름에 대한 인사이트를 얻습니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "ee29711b-d352-4caa-ab79-b198dab81932", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", + "guid": 
"0390417d-53dc-44d9-b3f4-c8832f359b41", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "NSG", "severity": "보통", - "text": "클라우드용 Microsoft Defender를 사용하여 Azure VMware Solution에서 실행되는 워크로드의 규정 준수 모니터링", - "waf": "안전" + "text": "NSG당 NSG 규칙의 제한(1000)을 고려합니다.", + "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "waf": "신뢰도" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", - "service": "AVS", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", + "service": "VWAN", "severity": "보통", - "text": "적용 가능한 규정 준수 기준이 클라우드용 Microsoft Defender에 추가되었나요?", - "waf": "안전" + "text": "간소화된 Azure 네트워킹 관리를 위해 Virtual WAN을 고려하고 시나리오가 Virtual WAN 라우팅 디자인 목록에 명시적으로 설명되어 있는지 확인합니다", + "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", + "waf": "작업" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", - "service": "AVS", - "severity": "높다", - "text": "Azure VMware Solution 배포에 사용할 Azure 지역을 선택할 때 데이터 보존이 평가되었나요?", - "waf": "안전" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "VWAN", + "severity": "보통", + "text": "Azure 지역당 Virtual WAN 허브를 사용하여 공통 글로벌 Azure Virtual WAN을 통해 Azure 지역 간에 여러 랜딩 존을 함께 연결합니다.", + "waf": "공연" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", - "service": "AVS", - "severity": "높다", - "text": "데이터 처리의 영향(서비스 제공자/서비스 소비자 모델)이 명확하고 문서화되어 있습니까?", - "waf": "안전" + "arm-service": 
"microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "VWAN", + "severity": "낮다", + "text": "Azure의 리소스 간 통신이 Microsoft 백본 네트워크를 통해 발생하도록 'Azure의 트래픽은 Azure에 유지' 원칙에 따라", + "waf": "공연" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "547c1747-dc56-4068-a714-435cd19dd244", - "service": "AVS", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", + "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "VWAN", "severity": "보통", - "text": "규정 준수를 위해 필요한 경우에만 vSAN에 CMK(고객 관리 키)를 사용하는 것이 좋습니다.", + "text": "아웃바운드 인터넷 트래픽 보호 및 필터링을 위해 보안 허브에 Azure Firewall을 배포합니다", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", - "service": "AVS", - "severity": "높다", - "text": "핵심 Azure VMware Solution 모니터링 인사이트를 사용하도록 설정하는 대시보드 만들기", - "waf": "작업" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "VWAN", + "severity": "보통", + "text": "네트워크 아키텍처가 Azure Virtual WAN 제한 내에 있는지 확인합니다.", + "waf": "신뢰도" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", - "service": "AVS", - "severity": "높다", - "text": "Azure VMware Solution 성능에 대한 자동 경고에 대한 중요 임계값에 대한 경고 만들기(CPU >80%, 평균 메모리>80%, vSAN>70%)", + 
"arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", + "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", + "service": "VWAN", + "severity": "보통", + "text": "Virtual WAN용 Azure Monitor Insights를 사용하여 Virtual WAN의 엔드투엔드 토폴로지, 상태 및 주요 메트릭을 모니터링합니다.", "waf": "작업" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9659e396-80e7-4828-ac93-5657d02bff45", - "service": "AVS", - "severity": "높다", - "text": "VMware의 지원 임계값이므로 vSAN 사용량이 75% 미만인지 모니터링하기 위해 중요한 경고가 생성되었는지 확인합니다.", - "waf": "작업" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", + "service": "VWAN", + "severity": "보통", + "text": "이러한 흐름을 명시적으로 차단해야 하는 경우가 아니면 IaC 배포가 Virtual WAN에서 분기 간 트래픽을 사용하지 않도록 설정하지 않는지 확인합니다.", + "waf": "신뢰도" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", - "service": "AVS", - "severity": "높다", - "text": "Azure Service Health 경고 및 알림에 대해 경고가 구성되었는지 확인", - "waf": "작업" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", + "service": "VWAN", + "severity": "보통", + "text": "AS-Path는 ExpressRoute 또는 VPN보다 유연하므로 허브 라우팅 기본 설정으로 사용합니다.", + "waf": "신뢰도" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", - "service": "AVS", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", + "link": 
"https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", + "service": "VWAN", "severity": "보통", - "text": "처리를 위해 Azure Storage 계정 또는 Azure EventHub로 보내도록 Azure VMware Solution 로깅 구성", - "waf": "작업" + "text": "IaC 배포가 Virtual WAN에서 레이블 기반 전파를 구성하는지 확인하며, 그렇지 않으면 가상 허브 간의 연결이 손상됩니다.", + "waf": "신뢰도" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", - "service": "AVS", - "severity": "낮다", - "text": "VMware vSphere에 대한 심층적인 통찰력이 필요한 경우: 솔루션에서 vRealize Operations 및/또는 vRealize Network Insights가 사용됩니까?", - "waf": "작업" + "ammp": true, + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "9c75dfef-573c-461c-a698-68598595581a", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", + "service": "VWAN", + "severity": "높다", + "text": "가상 허브에 충분한 IP 공간(이상적으로는 /23 접두사)을 할당합니다.", + "waf": "신뢰도" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", - "service": "AVS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "높다", - "text": "VM에 대한 vSAN 스토리지 정책은 씩 프로비저닝을 적용하므로 기본 스토리지 정책이 아닌지 확인합니다.", - "waf": "작업" + "text": "Azure Policy를 전략적으로 활용하고, 정책 이니셔티브를 사용하여 관련 정책을 그룹화하고, 환경에 대한 컨트롤을 정의합니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "보통", - "text": "vSAN은 유한한 리소스이므로 vSphere 컨텐츠 라이브러리가 vSAN에 배치되지 않도록 합니다.", - "waf": "작업" + "text": "규정 및 규정 준수 요구 
사항을 Azure Policy 정의 및 Azure 역할 할당에 매핑합니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "223ace8c-b123-408c-a501-7f154e3ab369", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "보통", - "text": "백업 솔루션에 대한 데이터 저장소가 vSAN 스토리지 외부에 저장되어 있는지 확인합니다. Azure 네이티브 또는 디스크 풀 지원 데이터 저장소에서", - "waf": "작업" + "text": "상속된 범위에서 할당할 수 있도록 중간 루트 관리 그룹에서 Azure Policy 정의를 설정합니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "3829e7e3-1618-4368-9a04-77a209945bda", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "보통", - "text": "Azure VMware Solution에서 실행되는 워크로드가 서버용 Azure Arc를 사용하여 하이브리드 관리되는지 확인합니다(Arc for Azure VMware Solution은 미리 보기 상태임).", - "waf": "작업" + "text": "필요한 경우 최하위 수준에서 제외를 사용하여 가장 적절한 수준에서 정책 할당을 관리합니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", - "service": "AVS", - "severity": "보통", - "text": "Azure Log Analytics 및 Azure Monitor를 사용하여 Azure VMware Solution에서 실행되는 워크로드를 모니터링하는지 확인합니다.", - "waf": "작업" + "checklist": "Azure Landing Zone Review", + "guid": "43334f24-9116-4341-a2ba-527526944008", + "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", + "service": "Policy", + "severity": "낮다", + "text": "Azure Policy를 사용하여 사용자가 구독/관리 그룹 수준에서 프로비전할 수 있는 서비스 제어", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", + "link": 
"https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "보통", - "text": "기존 업데이트 관리 도구 또는 Azure 업데이트 관리에 Azure VMware Solution에서 실행되는 워크로드 포함", - "waf": "작업" + "text": "가능한 경우 기본 제공 정책을 사용하여 운영 오버헤드를 최소화합니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "description": "특정 범위에 Resource Policy Contributor 역할을 할당하면 관련 팀에 정책 관리를 위임할 수 있습니다. 예를 들어 중앙 IT 팀은 관리 그룹 수준 정책을 감독하고 응용 프로그램 팀은 구독에 대한 정책을 처리하여 조직 표준을 준수하는 분산 거버넌스를 가능하게 할 수 있습니다.", + "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", + "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", + "service": "Policy", "severity": "보통", - "text": "Azure Policy를 사용하여 Azure 관리, 모니터링 및 보안 솔루션에서 Azure VMware Solution 워크로드 온보딩", - "waf": "작업" + "text": "특정 범위에서 기본 제공 Resource Policy 기여자 역할을 할당하여 응용 프로그램 수준 거버넌스를 사용하도록 설정합니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "19048384-5c98-46cb-8913-156a12476e49", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "보통", - "text": "Azure VMware Solution에서 실행되는 워크로드가 클라우드용 Microsoft Defender에 온보딩되었는지 확인", + "text": "상속된 범위에서 제외를 통해 관리하지 않도록 루트 관리 그룹 범위에서 수행된 Azure Policy 할당 수를 제한합니다.", "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", + "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", + "service": "Policy", "severity": "보통", - "text": "vSAN은 유한한 리소스이므로 백업이 vSAN에 저장되지 않도록 합니다.", - 
"waf": "신뢰도" + "text": "데이터 주권 요구 사항이 있는 경우 Azure Policy를 배포하여 적용할 수 있습니다", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", + "service": "Policy", "severity": "보통", - "text": "모든 DR 솔루션을 고려하고 비즈니스에 가장 적합한 솔루션을 결정했습니까? [SRM/제트스트림/제르토/빔/...]", - "waf": "신뢰도" + "text": "Sovereign Landing Zone의 경우 주권 정책 기준의 정책 이니셔티브가 배포되고 올바른 MG 수준에서 할당됩니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", + "service": "Policy", "severity": "보통", - "text": "재해 복구 기술이 네이티브 Azure IaaS인 경우 Azure Site Recovery 사용Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS", - "waf": "신뢰도" + "text": "Sovereign Landing Zone의 경우 정책 매핑에 대한 주권 제어 목표가 문서화되어 있습니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", - "service": "AVS", - "severity": "높다", - "text": "재해 솔루션 중 하나와 함께 자동화된 복구 계획을 사용하고 가능한 한 수동 작업을 피하십시오.", - "waf": "신뢰도" + "checklist": "Azure Landing Zone Review", + "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", + "service": "Policy", + "severity": "보통", + "text": "Sovereign Landing Zone의 경우 '정책 매핑에 대한 Sovereign Control 목표'의 CRUD에 대한 프로세스가 마련되어 있습니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "8255461e-2aee-4345-9aec-8339248b262d", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + 
"guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "severity": "보통", - "text": "지정학적 지역 쌍을 보조 재해 복구 환경으로 사용Use the geopolitical region pair as the secondary disaster recovery environment", - "waf": "신뢰도" + "text": "Azure RBAC(Azure 역할 기반 액세스 제어), 데이터 주권 요구 사항 또는 데이터 보존 정책에 별도의 작업 영역이 필요한 경우를 제외하고 단일 모니터 로그 작업 영역을 사용하여 플랫폼을 중앙에서 관리합니다.", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "waf": "작업" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", - "service": "AVS", - "severity": "높다", - "text": "지역 간에 2개의 서로 다른 주소 공간을 사용합니다(예: 서로 다른 지역에 대해 10.0.0.0/16 및 192.168.0.0/16).", - "waf": "신뢰도" + "checklist": "Azure Landing Zone Review", + "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Monitor", + "severity": "보통", + "text": "로그 보존 요구 사항이 12년을 초과하는 경우 로그를 Azure Storage로 내보냅니다. 변경 불가능한 스토리지를 한 번 쓰기, 여러 번 읽기 정책과 함께 사용하여 사용자가 지정한 간격 동안 데이터를 지우거나 수정할 수 없도록 합니다.", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "작업" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", - "service": "AVS", - "severity": "보통", - "text": "ExpressRoute Global Reach는 기본 및 보조 Azure VMware Solution 프라이빗 클라우드 간의 연결에 사용되나요, 아니면 네트워크 가상 어플라이언스를 통해 라우팅이 수행되나요?", - "waf": "신뢰도" + "checklist": "Azure Landing Zone Review", + "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", + "service": "VM", + "severity": "보통", + "text": "Azure Policy를 사용하여 OS 수준 VM(가상 머신) 구성 드리프트를 모니터링합니다. 
정책을 통해 Azure Automanage Machine Configuration 감사 기능을 사용하도록 설정하면 애플리케이션 팀 워크로드가 적은 노력으로 기능 기능을 즉시 사용할 수 있습니다.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "작업" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", + "service": "VM", "severity": "보통", - "text": "모든 백업 솔루션을 고려하고 비즈니스에 가장 적합한 솔루션을 결정했습니까? [ MABS/CommVault/Metallic.io/Veeam/입니다. ]", - "waf": "신뢰도" + "text": "Azure에서 Windows 및 Linux VM에 대한 패치 메커니즘으로 Azure Update Manager를 사용합니다.", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "작업" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", + "service": "VM", "severity": "보통", - "text": "Azure VMware Solution 프라이빗 클라우드와 동일한 지역에 백업 솔루션 배포Deploy your backup solution in the same region as your Azure VMware Solution private cloud", - "waf": "신뢰도" + "text": "Azure Arc를 사용하여 Azure 외부의 Windows 및 Linux VM에 대한 패치 메커니즘으로 Azure Update Manager를 사용합니다.", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "작업" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "90483845-c986-4cb2-a131-56a12476e49f", + "link": 
"https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Network Watcher", "severity": "보통", - "text": "vSan의 외부, Azure 네이티브 구성 요소에 백업 솔루션 배포", - "waf": "신뢰도" + "text": "Network Watcher를 사용하여 트래픽 흐름을 사전에 모니터링", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "작업" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", - "service": "AVS", - "severity": "낮다", - "text": "Azure 플랫폼에서 관리하는 VMware 구성 요소의 복원을 요청하는 프로세스가 마련되어 있나요?", - "waf": "신뢰도" + "checklist": "Azure Landing Zone Review", + "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Monitor", + "severity": "보통", + "text": "인사이트 및 보고를 위해 Azure Monitor 로그를 사용합니다.", + "waf": "작업" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", - "service": "AVS", - "severity": "낮다", - "text": "수동 배포의 경우 모든 구성 및 배포를 문서화해야 합니다", + "checklist": "Azure Landing Zone Review", + "guid": "97be9951-9048-4384-9c98-6cb2913156a1", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", + "service": "Monitor", + "severity": "보통", + "text": "Azure Monitor 경고를 사용하여 운영 경고를 생성합니다.", "waf": "작업" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", - "service": "AVS", - "severity": "낮다", - "text": "수동 배포의 경우 Azure VMware Solution 프라이빗 클라우드에서 실수로 인한 작업을 방지하기 위해 리소스 잠금을 구현하는 것이 좋습니다", + "checklist": "Azure Landing Zone Review", + "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "Monitor", + "severity": "보통", + "text": "Azure Automation 계정을 통해 변경 및 인벤토리 추적을 사용하는 경우 Log Analytics 작업 영역과 자동화 계정을 함께 연결하기 위해 지원되는 지역을 선택했는지 확인합니다.", "waf": 
"작업" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", - "service": "AVS", - "severity": "낮다", - "text": "자동화된 배포의 경우 최소한의 프라이빗 클라우드를 배포하고 필요에 따라 확장합니다", - "waf": "작업" + "checklist": "Azure Landing Zone Review", + "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Backup", + "severity": "보통", + "text": "Azure Backup을 사용하는 경우 기본 설정은 GRS이므로 다양한 백업 유형(GRS, ZRS & LRS)을 고려합니다", + "waf": "신뢰도" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", - "service": "AVS", - "severity": "낮다", - "text": "자동화된 배포의 경우 배포를 시작하기 전에 할당량을 요청하거나 예약합니다", - "waf": "작업" + "checklist": "Azure Landing Zone Review", + "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "VM", + "severity": "보통", + "text": "Azure 정책을 사용하여 VM 확장을 통해 소프트웨어 구성을 자동으로 배포하고 규격 기준 VM 구성을 적용합니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", - "service": "AVS", - "severity": "낮다", - "text": "자동화된 배포의 경우 적절한 거버넌스를 위해 자동화 또는 Azure Policy를 통해 관련 리소스 잠금을 만들어야 합니다", - "waf": "작업" + "checklist": "Azure Landing Zone Review", + "description": "Azure Policy의 게스트 구성 기능은 컴퓨터 설정(예: OS, 애플리케이션, 환경)을 감사하고 수정하여 리소스가 예상 구성에 맞는지 확인할 수 있으며, 업데이트 관리는 VM에 대한 패치 관리를 적용할 수 있습니다.", + "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "VM", + "severity": "보통", + "text": "Azure Policy를 통해 VM 보안 구성 드리프트를 모니터링합니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", - "service": "AVS", - "severity": "낮다", - "text": 
"ExR 인증 키에 대해 사람이 이해할 수 있는 이름을 구현하여 키의 목적/용도를 쉽게 식별할 수 있습니다.", + "checklist": "Azure Landing Zone Review", + "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "VM", + "severity": "보통", + "text": "Azure-Azure Virtual Machines 재해 복구 시나리오에 Azure Site Recovery를 사용합니다. 이렇게 하면 지역 간에 워크로드를 복제할 수 있습니다.", "waf": "작업" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "255461e2-aee3-4553-afc8-339248b262d6", - "service": "AVS", - "severity": "낮다", - "text": "Azure VMware Solution 및 ExpressRoute를 배포하는 데 별도의 서비스 원칙을 사용하는 경우 Key Vault를 사용하여 비밀 및 권한 부여 키를 저장합니다", + "checklist": "Azure Landing Zone Review", + "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "Backup", + "severity": "보통", + "text": "Azure 네이티브 백업 기능 또는 Azure 호환 제3자 백업 솔루션을 사용합니다.", "waf": "작업" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", - "service": "AVS", - "severity": "낮다", - "text": "Azure VMware Solution은 제한된 수의 병렬 작업만 지원하므로 많은 리소스를 Azure VMware Solution 배포해야 하는 경우 IaC에서 작업을 직렬화하기 위한 리소스 종속성을 정의합니다.", - "waf": "작업" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "826c5c45-bb79-4951-a812-e3bfbfd7326b", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "VM", + "severity": "높다", + "text": "VM이 지원되는 지역에서 VM에 대한 가용성 영역을 활용합니다.", + "waf": "신뢰도" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", - "service": "AVS", - "severity": "낮다", - "text": "단일 Tier-1 게이트웨이를 사용하여 NSX-T 세그먼트의 자동화된 구성을 수행하는 경우 NSX-Manager API 대신 Azure Portal API를 사용합니다", - "waf": "작업" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "7ccb7c06-5511-42df-8177-d97f08d0337d", + "link": 
"https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "VM", + "severity": "높다", + "text": "단일 VM에서 프로덕션 워크로드를 실행하지 마세요.", + "waf": "신뢰도" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "84101f59-1941-4195-a270-e28034290e3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", "severity": "보통", - "text": "자동화된 스케일 아웃을 사용하려는 경우 Azure VMware Solution을 실행하는 구독에 대해 충분한 Azure VMware Solution 할당량을 적용해야 합니다", - "waf": "공연" + "text": "Azure Load Balancer 및 Application Gateway는 들어오는 네트워크 트래픽을 여러 리소스에 분산합니다.", + "waf": "신뢰도" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", - "service": "AVS", - "severity": "보통", - "text": "자동 축소를 사용하려는 경우 이러한 작업을 수행하기 전에 스토리지 정책 요구 사항을 고려해야 합니다", - "waf": "공연" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "WAF", + "severity": "높다", + "text": "Azure Front Door 및 Azure Application Gateway와 같은 애플리케이션 배달 서비스에서 WAF 로그를 저장하는 진단 설정을 추가합니다. 
로그를 정기적으로 검토하여 공격 및 가양성 탐지를 확인합니다.", + "waf": "작업" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "7f408960-c626-44cb-a018-347c8d790cdf", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "WAF", "severity": "보통", - "text": "한 번에 하나의 크기 조정 작업만 수행할 수 있으므로 크기 조정 작업은 항상 단일 SDDC 내에서 직렬화되어야 합니다(여러 클러스터를 사용하는 경우에도)", - "waf": "공연" + "text": "Azure Front Door 및 Azure Application Gateway와 같은 애플리케이션 배달 서비스에서 Microsoft Sentinel로 WAF 로그를 보냅니다. 공격을 감지하고 WAF 원격 분석을 전체 Azure 환경에 통합합니다.", + "waf": "작업" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", - "service": "AVS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "5017f154-e3ab-4369-9829-e7e316183687", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "Key Vault", + "severity": "높다", + "text": "Azure Key Vault를 사용하여 비밀 및 자격 증명 저장", + "waf": "안전" + }, + { + "checklist": "Azure Landing Zone Review", + "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", + "guid": "a0477a20-9945-4bda-9333-4f2491163418", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", + "service": "Key Vault", "severity": "보통", - "text": "아키텍처에 사용되는 제3자 솔루션에 대한 
확장 작업을 고려하고 검증합니다(지원 여부)Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", - "waf": "공연" + "text": "다양한 애플리케이션 및 지역에 대해 서로 다른 Azure Key Vault를 사용하여 트랜잭션 규모 제한을 방지하고 비밀에 대한 액세스를 제한합니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "보통", - "text": "자동화에서 환경에 대한 규모 확장/축소 최대 한도 정의 및 적용Define and enforce scale in/out maximum limits for your environment in the automations", - "waf": "공연" + "text": "삭제된 개체에 대한 보존 보호를 허용하기 위해 일시 삭제 및 제거 정책을 사용하도록 설정된 Azure Key Vault를 프로비전합니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "dc055bcf-619e-48a1-9f98-879525d62688", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "보통", - "text": "모니터링 규칙을 구현하여 자동화된 조정 작업을 모니터링하고 성공 및 실패를 모니터링하여 적절한(자동) 응답을 사용하도록 설정합니다.", - "waf": "작업" + "text": "키, 비밀 및 인증서를 영구적으로 삭제할 수 있는 권한 부여를 특수 사용자 지정 Microsoft Entra ID 역할로 제한하여 최소 권한 모델을 따릅니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", - "severity": "높다", - "text": "MON을 사용하는 경우 동시에 구성된 VM의 제한(HCX에 대한 MON 제한[400 - 표준, 1000 - 대형 어플라이언스])을 알고 있어야 합니다.", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", - "waf": "신뢰도" + "checklist": "Azure Landing Zone Review", + "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", + 
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "보통", + "text": "공용 인증 기관을 통해 인증서 관리 및 갱신 프로세스를 자동화하여 관리를 용이하게 합니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", - "severity": "높다", - "text": "MON을 사용하는 경우 100개 이상의 네트워크 확장에서 MON을 사용하도록 설정할 수 없습니다", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "신뢰도" + "checklist": "Azure Landing Zone Review", + "guid": "913156a1-2476-4e49-b541-acdce979377b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "보통", + "text": "키 및 인증서 교체를 위한 자동화된 프로세스를 설정합니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "보통", - "text": "마이그레이션에 VPN 연결을 사용하는 경우 그에 따라 MTU 크기를 조정합니다.", - "waf": "공연" + "text": "자격 증명 모음에서 방화벽 및 가상 네트워크 서비스 엔드포인트 또는 프라이빗 엔드포인트를 사용하도록 설정하여 키 자격 증명 모음에 대한 액세스를 제어합니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "e614658d-d457-4e92-9139-b821102cad6e", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", + "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", + "service": "Key Vault", "severity": "보통", - "text": "Azure(500Mbps 이하)에 연결하는 낮은 연결 지역의 경우 HCX WAN 최적화 어플라이언스 배포를 고려합니다.", - "waf": "공연" + "text": "플랫폼 중앙 Azure Monitor Log Analytics 작업 영역을 사용하여 Key Vault의 각 인스턴스 내에서 키, 
인증서 및 비밀 사용을 감사합니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "보통", - "text": "마이그레이션이 클라우드 어플라이언스가 아닌 온-프레미스 어플라이언스에서 시작되는지 확인합니다(역방향 마이그레이션을 수행하지 않음).", - "waf": "신뢰도" + "text": "Key Vault 인스턴스화 및 권한 있는 액세스를 위임하고 Azure Policy를 사용하여 일관된 규정 준수 구성을 적용합니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "91163418-2ba5-4275-8694-4008be7d7e48", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "보통", - "text": "Azure NetApp Files를 사용하여 Azure VMware Solution용 스토리지를 확장하는 경우 VM에 직접 연결하는 대신 VMware 데이터 저장소로 사용하는 것이 좋습니다.", - "waf": "신뢰도" + "text": "애플리케이션, 환경, 지역당 Azure Key Vault를 사용합니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "25d62688-6d70-4ba6-a97b-e99519048384", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "보통", - "text": "전용 ExpressRoute 게이트웨이가 외부 데이터 스토리지 솔루션에 사용되고 있는지 확인합니다.", - "waf": "신뢰도" + "text": "자체 키를 가져오려는 경우 고려되는 모든 서비스에서 지원되지 않을 수 있습니다. 불일치가 원하는 결과를 방해하지 않도록 관련 완화를 구현합니다. 
대기 시간을 최소화하는 적절한 지역 쌍과 재해 복구 지역을 선택합니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", + "link": "https://learn.microsoft.com/industry/sovereignty/key-management", + "service": "Key Vault", "severity": "보통", - "text": "외부 데이터 스토리지 솔루션에 사용되는 ExpressRoute 게이트웨이에서 FastPath를 사용하도록 설정되어 있는지 확인합니다.", - "waf": "신뢰도" + "text": "Sovereign Landing Zone의 경우 Azure Key Vault 관리형 HSM을 사용하여 비밀 및 자격 증명을 저장합니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "AVS", - "severity": "높다", - "text": "확장된 클러스터를 사용하는 경우 선택한 재해 복구 솔루션이 공급업체에서 지원되는지 확인합니다", - "waf": "신뢰도" + "checklist": "Azure Landing Zone Review", + "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", + "service": "Entra", + "severity": "보통", + "text": "Microsoft Entra ID 보고 기능을 사용하여 액세스 제어 감사 보고서를 생성합니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "AVS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "09945bda-4333-44f2-9911-634182ba5275", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", + "service": "Defender", "severity": "높다", - "text": "확장된 클러스터를 사용하는 경우 제공된 SLA가 요구 사항을 충족하는지 확인합니다", - "waf": "신뢰도" + "text": 
"모든 구독에 대해 Defender 클라우드 보안 태세 관리를 사용하도록 설정합니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "AVS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", + "service": "Defender", "severity": "높다", - "text": "확장된 클러스터를 사용하는 경우 두 ExpressRoute 회로가 모두 연결 허브에 연결되어 있는지 확인합니다.", - "waf": "신뢰도" + "text": "모든 구독에서 서버에 대한 Defender 클라우드 워크로드 보호 계획을 사용하도록 설정합니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "AVS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", + "service": "Defender", "severity": "높다", - "text": "확장된 클러스터를 사용하는 경우 두 ExpressRoute 회로 모두에서 GlobalReach를 사용하도록 설정되어 있는지 확인합니다.", - "waf": "신뢰도" + "text": "모든 구독에서 Azure 리소스에 대한 Defender 클라우드 워크로드 보호 계획을 사용하도록 설정합니다.", + "waf": "안전" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "AVS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", + "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", + "service": "VM", "severity": "높다", - "text": "사이트 재해 허용 범위 설정을 적절하게 고려하고 필요한 경우 비즈니스에 맞게 변경하십시오.", - "waf": "신뢰도" - }, - { - "checklist": "Azure Spring Apps Review", - "guid": 
"6d8e32a8-3892-479d-a40b-10f6b4f6f298", - "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", - "service": "Spring Apps", - "severity": "보통", - "text": "Azure Spring Apps는 모든 앱에 대해 두 개의 배포를 허용하며, 그 중 하나만 프로덕션 트래픽을 수신합니다. 블루-그린 배포 전략을 통해 가동 중지 시간 제로를 달성할 수 있습니다. 파란색 녹색 배포는 표준 및 엔터프라이즈 계층에서만 사용할 수 있습니다. ADO/GitHub 작업과 함께 CI/CD를 사용하여 배포를 자동화할 수 있습니다.", - "waf": "신뢰도" + "text": "IaaS 서버에서 Endpoint Protection을 사용하도록 설정합니다.", + "waf": "안전" }, { - "checklist": "Azure Spring Apps Review", - "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", - "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", - "service": "Spring Apps", + "checklist": "Azure Landing Zone Review", + "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", + "link": "https://learn.microsoft.com/azure/security-center/", + "service": "VM", "severity": "보통", - "text": "Azure Spring Apps 인스턴스는 애플리케이션에 대해 여러 지역에서 만들 수 있으며 Traffic Manager/Front Door에서 트래픽을 라우팅할 수 있습니다.", - "waf": "신뢰도" + "text": "Azure Monitor 로그 및 클라우드용 Defender를 통해 기본 운영 체제 패치 드리프트를 모니터링합니다.", + "waf": "안전" }, { - "checklist": "Azure Spring Apps Review", - "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", - "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", - "service": "Spring Apps", + "checklist": "Azure Landing Zone Review", + "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "severity": "보통", - "text": "지원되는 지역에서 Azure Spring Apps는 영역 중복으로 배포할 수 있으며, 이는 인스턴스가 가용성 영역에 자동으로 분산됨을 의미합니다. 
이 기능은 Standard 및 Enterprise 계층에서만 사용할 수 있습니다.", - "waf": "신뢰도" + "text": "기본 리소스 구성을 중앙 집중식 Azure Monitor Log Analytics 작업 영역에 연결합니다.", + "waf": "안전" }, { - "checklist": "Azure Spring Apps Review", - "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", - "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", - "service": "Spring Apps", + "checklist": "Azure Landing Zone Review", + "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", + "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", + "service": "Entra", "severity": "보통", - "text": "앱에 1개 이상의 앱 인스턴스 사용", - "waf": "신뢰도" + "text": "Sovereign Landing Zone의 경우 Entra ID 테넌트에서 투명 로그가 사용하도록 설정됩니다.", + "waf": "안전" }, { - "checklist": "Azure Spring Apps Review", - "guid": "7504c230-6035-4183-95a5-85762acc6075", - "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", - "service": "Spring Apps", + "checklist": "Azure Landing Zone Review", + "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", + "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", + "service": "Entra", "severity": "보통", - "text": "로그, 메트릭 및 추적을 사용하여 Azure Spring Apps를 모니터링합니다. 
ASA를 Application Insights와 통합하고, 오류를 추적하고, 통합 문서를 만듭니다.", - "waf": "신뢰도" + "text": "Sovereign Landing Zone의 경우 Entra ID 테넌트에서 고객 Lockbox를 사용할 수 있습니다.", + "waf": "안전" }, { - "checklist": "Azure Spring Apps Review", - "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", - "service": "Spring Apps", - "severity": "보통", - "text": "Spring Cloud Gateway에서 자동 크기 조정 설정", - "waf": "신뢰도" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Storage", + "severity": "높다", + "text": "스토리지 계정에 대한 보안 전송을 사용하도록 설정해야 함", + "waf": "안전" }, { - "checklist": "Azure Spring Apps Review", - "guid": "97411607-b6fd-4335-99d1-9885faf4e392", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", - "service": "Spring Apps", - "severity": "낮다", - "text": "표준 소비 및 전용 플랜이 있는 앱에 대해 자동 크기 조정을 사용하도록 설정합니다.", - "waf": "신뢰도" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", + "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", + "service": "Storage", + "severity": "높다", + "text": "스토리지 계정에 대해 컨테이너 일시 삭제를 사용하도록 설정하여 삭제된 컨테이너와 해당 콘텐츠를 복구합니다.", + "waf": "안전" }, { - "checklist": "Azure Spring Apps Review", - "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", - "link": "https://learn.microsoft.com/azure/spring-apps/overview", - "service": "Spring Apps", - "severity": "보통", - "text": "중요 업무용 앱에 대한 Spring Boot의 상업적 지원을 위해 Enterprise 플랜을 사용합니다. 
다른 계층에서는 OSS 지원을 받을 수 있습니다.", - "waf": "신뢰도" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", + "service": "Key Vault", + "severity": "높다", + "text": "Key Vault 비밀을 사용하여 자격 증명(가상 머신 사용자 암호), 인증서 또는 키와 같은 중요한 정보를 하드 코딩하지 않도록 합니다.", + "waf": "작업" } ], "metadata": { "name": "WAF checklist", - "timestamp": "June 17, 2024" + "timestamp": "June 24, 2024" }, "severities": [ { diff --git a/checklists/waf_checklist.pt.json b/checklists/waf_checklist.pt.json index 2b82884ea..b5c689c53 100644 --- a/checklists/waf_checklist.pt.json +++ b/checklists/waf_checklist.pt.json 
@@ -1,762 +1,532 @@ { "items": [ { - "checklist": "Logic Apps checklist", - "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", - "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", - "service": "Logic Apps", - "severity": "Alto", - "text": "Selecione o plano de hospedagem de aplicativo lógico certo com base em seus requisitos de negócios e SLO", + "checklist": "MySQL Review Checklist", + "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", + "service": "Azure MySQL", + "severity": "Média", + "text": "Aproveite o servidor flexível", "waf": "Fiabilidade" }, { - "checklist": "Logic Apps checklist", - "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", - "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "Logic Apps", + "checklist": "MySQL Review Checklist", + "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", + "service": "Azure MySQL", "severity": "Alto", - "text": "Proteja aplicativos lógicos contra falhas de região com redundância de zona e zonas de disponibilidade", + "text": "Aproveite as zonas de disponibilidade quando aplicável regionalmente", "waf": "Fiabilidade" }, { - "checklist": "Logic Apps checklist", - "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", - "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Logic Apps", - "severity": "Alto", - "text": "Considere uma estratégia de DR entre regiões para cargas de trabalho críticas", + "checklist": "MySQL Review Checklist", + "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", + "link": 
"https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", + "service": "Azure MySQL", + "severity": "Média", + "text": "Aproveite a replicação de dados para cenários de DR entre regiões", "waf": "Fiabilidade" }, { - "checklist": "Logic Apps checklist", - "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", - "link": "https://learn.microsoft.com/azure/app-service/environment/intro", - "service": "Logic Apps", - "severity": "Alto", - "text": "Se estiver implantando em um ambiente isolado, use ou migre para o ASE (Ambiente do Serviço de Aplicativo) v3", - "waf": "Fiabilidade" + "checklist": "Cost Optimization Checklist", + "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", + "service": "Azure Monitor", + "text": "Regras de coleta de dados no Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "Custar" }, { - "checklist": "Logic Apps checklist", - "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", - "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", - "service": "Logic Apps", - "severity": "Média", - "text": "Aproveite o Azure DevOps ou o GitHub para simplificar o CI/CD e proteger seu código de Aplicativo Lógico", - "waf": "Operações" + "checklist": "Cost Optimization Checklist", + "guid": "45901365-d38e-443f-abcb-d868266abca2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Azure Backup", + "text": "Verificar instâncias de backup com a fonte de dados subjacente não encontrada", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "Aplicar as orientações do benchmark de segurança na nuvem da Microsoft 
relacionadas ao armazenamento", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Azure Storage", - "severity": "Média", - "text": "Considere a 'linha de base de segurança do Azure para armazenamento'", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "VM", + "text": "Excluir ou arquivar serviços não associados (discos, nics, endereços IP etc.)", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "O Armazenamento do Azure, por padrão, tem um endereço IP público e pode ser acessado pela Internet. Os pontos de extremidade privados permitem expor com segurança o Armazenamento do Azure apenas aos recursos de Computação do Azure que precisam de acesso, eliminando assim a exposição à Internet pública", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Azure Storage", - "severity": "Alto", - "text": "Considere o uso de pontos de extremidade privados para o Armazenamento do Azure", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Azure Backup", + "text": "Considere um bom equilíbrio entre recuperação de local, armazenamento e backup para aplicativos não essenciais", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "As contas de armazenamento recém-criadas são criadas usando o modelo de implantação ARM, para que o RBAC, a auditoria, etc., 
estejam todos habilitados. Verifique se não há contas de armazenamento antigas com modelo de implantação clássico em uma assinatura", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Azure Storage", - "severity": "Média", - "text": "Verifique se as contas de armazenamento mais antigas não estão usando o 'modelo de implantação clássico'", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", + "service": "Azure Monitor", + "text": "Verifique os gastos e as oportunidades de economia entre os 40 diferentes espaços de trabalho de análise de log - use retenção e coleta de dados diferentes para espaços de trabalho não prod - crie limite diário para reconhecimento e dimensionamento de camadas - Se você definir um limite diário, além de criar um alerta quando o limite for atingido, certifique-se de também criar uma regra de alerta para ser notificado quando alguma porcentagem for atingida (90%, por exemplo). 
- considerar a transformação do espaço de trabalho, se possível - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "Aproveite o Microsoft Defender para saber mais sobre atividades suspeitas e configurações incorretas.", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Azure Storage", - "severity": "Alto", - "text": "Habilitar o Microsoft Defender para todas as suas contas de armazenamento", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Azure Monitor", + "text": "Impor uma política de log de limpeza e automação (se necessário, os logs podem ser movidos para armazenamento frio)", + "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "O mecanismo soft-delete permite recuperar blobs excluídos acidentalmente.", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Azure Storage", - "severity": "Média", - "text": "Ativar 'exclusão suave' para blobs", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "VM", + "text": "Verifique se os discos são 
realmente necessários, se não: excluir. Se forem necessários, encontre níveis de armazenamento mais baixos ou use backup -", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "Considere desativar seletivamente a \"exclusão suave\" para determinados contêineres de blob, por exemplo, se o aplicativo tiver que garantir que as informações excluídas sejam imediatamente excluídas, por exemplo, por motivos de confidencialidade, privacidade ou conformidade. ", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", - "severity": "Média", - "text": "Desativar 'exclusão suave' para blobs", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "d1e44a19-659d-4395-afd7-7289b835556d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Storage", + "text": "Considere mover o armazenamento não utilizado para o nível inferior, com regra personalizada - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "A exclusão suave para contêineres permite que você recupere um contêiner depois que ele tenha sido excluído, por exemplo, recuperar de uma operação de exclusão acidental.", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Azure Storage", - "severity": "Alto", - "text": "Ativar 'exclusão suave' para contêineres", - "waf": "Segurança" + "checklist": "Cost Optimization 
Checklist", + "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "VM", + "text": "Verifique se o Advisor está configurado para o dimensionamento correto da VM ", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "Considere desativar seletivamente a \"exclusão suave\" para determinados contêineres de blob, por exemplo, se o aplicativo tiver que garantir que as informações excluídas sejam imediatamente excluídas, por exemplo, por motivos de confidencialidade, privacidade ou conformidade. ", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", - "severity": "Média", - "text": "Desativar 'exclusão suave' para contêineres", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "description": "verifique pesquisando as Licenças de Categoria de Medidor na Análise de Custos", + "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", + "service": "VM", + "text": "executar o script em todas as VMs do Windows https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- considere implementar uma diretiva se as VMs do Windows forem criadas com frequência", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "Evita a exclusão acidental de uma conta de armazenamento, forçando o usuário a remover primeiro o bloqueio de exclusão, antes da exclusão", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", - "severity": "Alto", - "text": "Habilitar bloqueios de recursos em contas de 
armazenamento", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "VM", + "text": " isso também pode ser colocado no AHUB se você já tiver licenças https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "Considere políticas de \"retenção legal\" ou \"retenção baseada em tempo\" para blobs, de modo que seja impossível excluir o blob, o contêiner ou a conta de armazenamento. Por favor, note que \"impossível\" significa na verdade \"impossível\"; uma vez que uma conta de armazenamento contém um blob imutável, a única maneira de 'se livrar' dessa conta de armazenamento é cancelando a assinatura do Azure.", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Azure Storage", - "severity": "Alto", - "text": "Considere blobs imutáveis", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "VM", + "text": "Consolidar famílias de VM reservadas com opção de flexibilidade (não mais do que 4-5 famílias)", + "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "Considere desabilitar o acesso HTTP/80 desprotegido à conta de armazenamento, para que todas as transferências de dados sejam criptografadas, protegidas por integridade e o servidor seja autenticado. 
", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Azure Storage", - "severity": "Alto", - "text": "Exigir HTTPS, ou seja, desativar a porta 80 na conta de armazenamento", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", + "service": "VM", + "text": "Utilize instâncias reservadas do Azure: esse recurso permite reservar VMs por um período de 1 ou 3 anos, proporcionando uma economia significativa em comparação com os preços do PAYG.", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "Ao configurar um domínio personalizado (nome do host) em uma conta de armazenamento, verifique se você precisa de TLS/HTTPS; em caso afirmativo, talvez seja necessário colocar a CDN do Azure na frente da sua conta de armazenamento.", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Azure Storage", - "severity": "Alto", - "text": "Ao impor HTTPS (desabilitando HTTP), verifique se você não usa domínios personalizados (CNAME) para a conta de armazenamento.", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", + "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", + "service": "VM", + "text": "Somente discos maiores podem ser reservados => 1 TiB -", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "Exigir HTTPS quando um cliente usa um token SAS para acessar dados de blob ajuda a minimizar o risco de perda de credenciais.", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - 
"link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Azure Storage", - "severity": "Média", - "text": "Limitar tokens de assinatura de acesso compartilhado (SAS) somente a conexões HTTPS", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", + "service": "VM", + "text": "Após a otimização do dimensionamento correto", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "Os tokens AAD devem ser favorecidos em relação às assinaturas de acesso compartilhado, sempre que possível", - "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", - "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", - "service": "Azure Storage", - "severity": "Alto", - "text": "Usar tokens do Azure Active Directory (Azure AD) para acesso de blob", - "waf": "Segurança" - }, - { - "checklist": "Azure Blob Storage Review", - "description": "Ao atribuir uma função a um usuário, grupo ou aplicativo, conceda a essa entidade de segurança apenas as permissões necessárias para que eles executem suas tarefas. 
Limitar o acesso aos recursos ajuda a evitar o uso indevido não intencional e mal-intencionado de seus dados.", - "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", - "service": "Azure Storage", - "severity": "Média", - "text": "Privilégio mínimo nas permissões do IaM", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Azure SQL", + "text": "Verifique se aplicável e aplique a política/alteração https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "Uma SAS de delegação de usuário é protegida com credenciais do Azure Active Directory (Azure AD) e também pelas permissões especificadas para a SAS. Uma SAS de delegação de usuário é análoga a uma SAS de serviço em termos de escopo e função, mas oferece benefícios de segurança em relação à SAS de serviço. 
", - "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", - "service": "Azure Storage", - "severity": "Alto", - "text": "Ao usar o SAS, prefira o SAS de delegação de usuário ao SAS baseado em chave de conta de armazenamento.", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "VM", + "text": "O desconto da peça de licença VM + (ahub + 3YRI) é de cerca de 70% de desconto", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "As chaves de conta de armazenamento ('chaves compartilhadas') têm pouquíssimos recursos de auditoria. Embora possa ser monitorado em quem/quando foi obtida uma cópia das chaves, uma vez que as chaves estão nas mãos de várias pessoas, é impossível atribuir o uso a um usuário específico. Depender exclusivamente da autenticação do AAD facilita a vinculação do acesso ao armazenamento a um usuário. 
", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", - "service": "Azure Storage", - "severity": "Alto", - "text": "Considere desabilitar as chaves de conta de armazenamento, para que somente o acesso ao AAD (e a delegação de usuários SAS) seja suportado.", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "VM", + "text": "Considere o uso de um VMSS para corresponder à demanda em vez de dimensionamento simples", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "Use os dados do Registro de atividades para identificar \"quando\", \"quem\", \"o que\" e \"como\" a segurança da sua conta de armazenamento está sendo visualizada ou alterada (ou seja, chaves de conta de armazenamento, políticas de acesso, etc.).", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", - "service": "Azure Storage", - "severity": "Alto", - "text": "Considere usar o Azure Monitor para auditar as operações do plano de controle na conta de armazenamento", - "waf": "Segurança" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Cost Optimization Checklist", + "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "AKS", + "text": "Use o autoscaler AKS para corresponder ao uso de clusters (verifique se os requisitos dos pods correspondem ao dimensionador)", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "Uma política de expiração de chave permite que você defina um lembrete para a rotação 
das chaves de acesso da conta. O lembrete será exibido se o intervalo especificado tiver decorrido e as teclas ainda não tiverem sido giradas.", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", - "service": "Azure Storage", - "severity": "Média", - "text": "Ao usar chaves de conta de armazenamento, considere habilitar uma 'política de expiração de chave'", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Azure Backup", + "text": "Mover pontos de recuperação para o vault-archive, quando aplicável (Validar)", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "Uma diretiva de expiração SAS especifica um intervalo recomendado sobre o qual a SAS é válida. As políticas de expiração do SAS se aplicam a um SAS de serviço ou a um SAS de conta. Quando um usuário gera SAS de serviço ou SAS de conta com um intervalo de validade maior do que o intervalo recomendado, ele verá um aviso.", - "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", - "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", - "service": "Azure Storage", - "severity": "Média", - "text": "Considere configurar uma política de expiração SAS", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", + "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", + "service": "Databricks", + "text": "Considere o uso de VMs spot com fallback sempre que possível. 
Considere o autotermination de clusters.", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "As políticas de acesso armazenado oferecem a opção de revogar permissões para uma SAS de serviço sem precisar gerar novamente as chaves da conta de armazenamento. ", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", - "service": "Azure Storage", - "severity": "Média", - "text": "Considere vincular o SAS a uma política de acesso armazenado", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", + "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", + "service": "Azure Functions", + "text": "Funções - Reutilizar conexões", + "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", - "service": "Azure Storage", - "severity": "Média", - "text": "Considere configurar o repositório de código-fonte do aplicativo para detectar cadeias de conexão com check-in e chaves de conta de armazenamento.", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", + "link": "https://learn.microsoft.com/azure/automation/update-management/overview", + "service": "Azure Functions", + "text": "Funções - Armazenar dados em cache localmente", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "Idealmente, seu 
aplicativo deve estar usando uma identidade gerenciada para autenticar no Armazenamento do Azure. Se isso não for possível, considere ter a credencial de armazenamento (cadeia de conexão, chave de conta de armazenamento, SAS, credencial da entidade de serviço) no Azure KeyVault ou em um serviço equivalente.", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", - "service": "Azure Storage", - "severity": "Alto", - "text": "Considere armazenar cadeias de conexão no Cofre de Chaves do Azure (em cenários em que identidades gerenciadas não são possíveis)", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Azure Functions", + "text": "Funções - Partidas a frio - Use a funcionalidade 'Executar do pacote'. Dessa forma, o código é baixado como um único arquivo zip. Isso pode, por exemplo, resultar em melhorias significativas com as funções Javascript, que possuem muitos módulos de nó. Use ferramentas específicas de linguagem para reduzir o tamanho do pacote, por exemplo, aplicativos Javascript que agitam árvores.", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "Use tempos de expiração de curto prazo em um SAS de serviço SAS ad hoc ou SAS de conta. Dessa forma, mesmo que um SAS seja comprometido, ele é válido apenas por um curto período de tempo. Essa prática é especialmente importante se você não puder fazer referência a uma política de acesso armazenado. 
Os tempos de expiração de curto prazo também limitam a quantidade de dados que podem ser gravados em um blob, limitando o tempo disponível para carregar nele.", - "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", - "severity": "Alto", - "text": "Esforce-se por curtos períodos de validade para SAS ad-hoc", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "Azure Functions", + "text": "Funções - Mantenha suas funções aquecidas", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "Ao criar um SAS, seja o mais específico e restritivo possível. Prefira um SAS para um único recurso e operação em vez de um SAS que dá acesso muito mais amplo.", - "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", - "severity": "Média", - "text": "Aplicar um escopo restrito a uma SAS", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Azure Functions", + "text": "Ao usar o dimensionamento automático com funções diferentes, pode haver um que conduza todo o dimensionamento automático para todos os recursos - considere movê-lo para um plano de consumo separado (e considere um plano mais alto para a CPU)", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "Uma SAS pode incluir parâmetros nos quais endereços IP de cliente ou 
intervalos de endereços estão autorizados a solicitar um recurso usando a SAS. ", - "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", - "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", - "service": "Azure Storage", - "severity": "Média", - "text": "Considere a definição do escopo do SAS para um endereço IP de cliente específico, sempre que possível", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", + "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", + "service": "Azure Functions", + "text": "Os aplicativos de função em um determinado plano são todos dimensionados juntos, portanto, quaisquer problemas com o dimensionamento podem afetar todos os aplicativos no plano.", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "Um SAS não pode restringir a quantidade de dados que um cliente carrega; Dado o modelo de precificação da quantidade de armazenamento ao longo do tempo, pode fazer sentido validar se os clientes carregaram conteúdo maliciosamente grande.", - "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", - "service": "Azure Storage", - "severity": "Baixo", - "text": "Considere verificar os dados carregados, depois que os clientes usaram um SAS para carregar um arquivo. ", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", + "service": "Azure Functions", + "text": "Sou cobrado por 'tempo de espera'? Essa pergunta geralmente é feita no contexto de uma função C# que faz uma operação assíncrona e aguarda o resultado, por exemplo, aguardar Task.Delay(1000) ou aguardar cliente. GetAsync('http://google.com'). A resposta é sim - o segundo cálculo de GB é baseado na hora de início e término da função e no uso de memória durante esse período. 
O que realmente acontece ao longo desse tempo em termos de atividade da CPU não é levado em consideração no cálculo. Uma exceção a essa regra é se você estiver usando funções duráveis. Você não é cobrado pelo tempo gasto em espera em funções de orquestrador.aplique técnicas de modelagem de demanda sempre que possível (ambientes de desenvolvimento?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "Ao acessar o armazenamento de blob via SFTP usando uma 'conta de usuário local', os controles RBAC 'normais' não se aplicam. O acesso a blobs via NFS ou REST pode ser mais restritivo do que o acesso a SFTP. Infelizmente, no início de 2023, os usuários locais são a única forma de gerenciamento de identidade que atualmente é suportada para o ponto de extremidade SFTP", - "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", - "service": "Azure Storage", - "severity": "Alto", - "text": "SFTP: Limite a quantidade de 'usuários locais' para acesso SFTP e audite se o acesso é necessário ao longo do tempo.", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Front Door", + "text": "Frontdoor - Desativar a página inicial padrãoNas configurações do aplicativo do seu aplicativo, defina AzureWebJobsDisableHomepage como true. 
Isso retornará um 204 (Sem Conteúdo) para o PoP para que apenas os dados de cabeçalho sejam retornados.", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", - "service": "Azure Storage", - "severity": "Média", - "text": "SFTP: O ponto de extremidade SFTP não oferece suporte a ACLs do tipo POSIX.", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Front Door", + "text": "Frontdoor - Rota para algo que não retorna nada. Configure uma Função, Proxy de Função ou adicione uma rota em seu WebApp que retorne 200 (OK) e envie conteúdo nulo ou mínimo. A vantagem disso é que você poderá fazer logout quando for chamado.", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "O armazenamento oferece suporte a CORS (Cross-Origin Resource Sharing), ou seja, um recurso HTTP que permite que aplicativos Web de um domínio diferente afrouxem a política de mesma origem. 
Ao habilitar o CORS, mantenha o CorsRules com o menor privilégio.", - "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", - "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", - "service": "Azure Storage", - "severity": "Alto", - "text": "Evite políticas CORS excessivamente amplas", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", + "service": "Storage", + "text": "Considere níveis de arquivamento para dados menos usados", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "Os dados em repouso são sempre criptografados no lado do servidor e, além disso, também podem ser criptografados no lado do cliente. A criptografia do lado do servidor pode acontecer usando uma chave gerenciada por plataforma (padrão) ou uma chave gerenciada pelo cliente. A criptografia do lado do cliente pode acontecer fazendo com que o cliente forneça uma chave de criptografia/descriptografia por blob para o armazenamento do Azure ou manipulando completamente a criptografia no lado do cliente. portanto, não depende do Armazenamento do Azure para garantias de confidencialidade.", - "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "Azure Storage", - "severity": "Alto", - "text": "Determine como os dados em repouso devem ser criptografados. 
Entenda o modelo de thread para dados.", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "VM", + "text": "Verifique os tamanhos de disco em que o tamanho não corresponde à camada (ou seja, um disco de 513 GiB pagará um P30 (1TiB) e considere o redimensionamento", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", - "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", - "service": "Azure Storage", - "severity": "Média", - "text": "Determine qual/se a criptografia de plataforma deve ser usada.", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "Storage", + "text": "Considere usar SSD padrão em vez de Premium ou Ultra sempre que possível", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", - "service": "Azure Storage", - "severity": "Média", - "text": "Determine qual/se a criptografia do lado do cliente deve ser usada.", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "Storage", + "text": "Para contas de armazenamento, verifique se a camada escolhida não está somando encargos de transação (pode ser mais barato passar para a próxima 
camada)", + "waf": "Custar" }, { - "checklist": "Azure Blob Storage Review", - "description": "Aproveite o Resource Graph Explorer (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) para localizar contas de armazenamento que permitem acesso anônimo a blobs.", - "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", - "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", - "service": "Azure Storage", - "severity": "Alto", - "text": "Considere se o acesso de blob público é necessário ou se pode ser desabilitado para determinadas contas de armazenamento. ", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "Site Recovery", + "text": "Para ASR, considere o uso de discos SSD padrão se o RPO/RTO e a taxa de transferência de replicação permitirem", + "waf": "Custar" }, { - "checklist": "Azure API Management Review", - "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", - "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", - "service": "APIM", - "severity": "Média", - "text": "Implementar uma política de tratamento de erros em nível global", - "waf": "Operações" + "checklist": "Cost Optimization Checklist", + "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", + "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", + "service": "Storage", + "text": "Contas de armazenamento: verifique o hot tier e/ou o GRS necessário", + "waf": "Custar" }, { - "checklist": "Azure API Management Review", - "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", - "link": 
"https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", - "service": "APIM", - "severity": "Média", - "text": "Certifique-se de que todas as políticas de APIs incluam um elemento .", - "waf": "Operações" + "checklist": "Cost Optimization Checklist", + "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "VM", + "text": "Discos - valide o uso de discos SSD Premium em todos os lugares: por exemplo, não-prod pode trocar para SSD padrão ou SSD Premium sob demanda ", + "waf": "Custar" }, { - "checklist": "Azure API Management Review", - "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", - "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", - "service": "APIM", - "severity": "Média", - "text": "Usar fragmentos de política para evitar a repetição das mesmas definições de políticas em várias APIs", - "waf": "Operações" + "checklist": "Cost Optimization Checklist", + "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "Synapse", + "text": "Crie orçamentos para gerenciar custos e crie alertas que notifiquem automaticamente as partes interessadas sobre anomalias de gastos e riscos de gastos excessivos.", + "waf": "Custar" }, { - "checklist": "Azure API Management Review", - "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", - "link": "https://learn.microsoft.com/azure/api-management/monetization-support", - "service": "APIM", - "severity": "Média", - "text": "Se você estiver planejando monetizar suas APIs, consulte o artigo 'suporte à monetização' para obter as práticas recomendadas", - "waf": "Operações" + "checklist": "Cost Optimization Checklist", + "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "Synapse", + "text": 
"Exporte dados de custo para uma conta de armazenamento para análise de dados adicionais.", + "waf": "Custar" }, { - "checklist": "Azure API Management Review", - "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", - "service": "APIM", - "severity": "Alto", - "text": "Habilitar Configurações de Diagnóstico para exportar logs para o Azure Monitor", - "waf": "Operações" + "checklist": "Cost Optimization Checklist", + "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Synapse", + "text": "Controle os custos de um pool SQL dedicado pausando o recurso quando ele não estiver em uso.", + "waf": "Custar" }, { - "checklist": "Azure API Management Review", - "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", - "service": "APIM", - "severity": "Média", - "text": "Habilite o Application Insights para telemetria mais detalhada", - "waf": "Operações" + "checklist": "Cost Optimization Checklist", + "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", + "service": "Synapse", + "text": "Habilite o recurso de pausa automática do Apache Spark sem servidor e defina seu valor de tempo limite de acordo.", + "waf": "Custar" }, { - "checklist": "Azure API Management Review", - "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", - "service": "APIM", - "severity": "Alto", - "text": "Configurar alertas sobre as métricas mais críticas", - "waf": "Operações" + "checklist": "Cost Optimization Checklist", + "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", + "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Synapse", + "text": "Crie várias definições de pool do Apache Spark de vários tamanhos.", + "waf": "Custar" }, { - "checklist": "Azure API Management Review", - "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", - "service": "APIM", - "severity": "Alto", - "text": "Certifique-se de que os certificados SSL personalizados sejam armazenados em um Cofre de Chaves do Azure para que possam ser acessados e atualizados com segurança", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "service": "Synapse", + "text": "Adquira unidades de confirmação (SCU) do Azure Synapse por um ano com um plano de pré-compra para economizar nos custos do Azure Synapse Analytics.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Custar" }, { - "checklist": "Azure API Management Review", - "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", - "service": "APIM", - "severity": "Alto", - "text": "Proteger solicitações de entrada para APIs (plano de dados) com o Azure AD", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", + "link": 
"https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "VM", + "text": "Usar VMs spot para trabalhos interruptíveis: são VMs que podem ser licitadas e compradas a um preço com desconto, fornecendo uma solução econômica para cargas de trabalho não críticas.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Custar" }, { - "checklist": "Azure API Management Review", - "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", - "service": "APIM", - "severity": "Média", - "text": "Usar o Microsoft Entra ID para autenticar usuários no Portal do Desenvolvedor", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "544451e1-92d3-4442-a3c7-628637a551c5", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", + "text": "Dimensionamento correto de todas as VMs", + "waf": "Custar" }, { - "checklist": "Azure API Management Review", - "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", - "service": "APIM", - "severity": "Média", - "text": "Criar grupos apropriados para controlar a visibilidade dos produtos", - "waf": "Segurança" + "checklist": "Cost Optimization Checklist", + "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "VM", + "text": "Trocar VM dimensionada com tamanhos normalizados e mais recentes", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Custar" }, { - "checklist": "Azure API Management Review", - "guid": "06862505-2d9a-4874-9491-2837b00a3475", - "link": "https://learn.microsoft.com/azure/api-management/backends", - "service": "APIM", - "severity": "Média", - "text": "Use o 
recurso Back-ends para eliminar configurações redundantes de back-end de API", - "waf": "Operações" + "checklist": "Cost Optimization Checklist", + "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "text": "VMs de dimensionamento correto - comece com o monitoramento do uso abaixo de 5% e, em seguida, trabalhe até 40%", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Custar" }, { - "checklist": "Azure API Management Review", - "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", - "service": "APIM", - "severity": "Média", - "text": "Usar Valores Nomeados para armazenar valores comuns que podem ser usados em políticas", - "waf": "Operações" + "checklist": "Cost Optimization Checklist", + "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "text": "A conteinerização de um aplicativo pode melhorar a densidade da VM e economizar dinheiro no dimensionamento", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Custar" }, { - "checklist": "Azure API Management Review", - "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", - "service": "APIM", - "severity": "Média", - "text": "Para DR, aproveite o nível premium com implantações dimensionadas em duas ou mais regiões para um SLA de 99,99%", + "checklist": "Azure Function Review", + "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", + "severity": "Alto", + "text": "Selecione o plano de 
hospedagem de função certo com base em seus requisitos de negócios e SLO", "waf": "Fiabilidade" }, { - "checklist": "Azure API Management Review", - "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", - "link": "https://learn.microsoft.com/azure/api-management/high-availability", - "service": "APIM", + "checklist": "Azure Function Review", + "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", + "severity": "Alto", + "text": "Aproveitar zonas de disponibilidade quando aplicável regionalmente (não disponível para a camada de consumo)", + "waf": "Fiabilidade" + }, + { + "checklist": "Azure Function Review", + "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", + "service": "Azure Functions", "severity": "Média", - "text": "Implante pelo menos uma unidade em duas ou mais zonas de disponibilidade para um SLA aumentado de 99,99%", + "text": "Considere uma estratégia de DR entre regiões para cargas de trabalho críticas", "waf": "Fiabilidade" }, { - "checklist": "Azure API Management Review", - "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", - "service": "APIM", + "checklist": "Azure Function Review", + "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Azure Functions", "severity": "Alto", - "text": "Verifique se há uma rotina de backup automatizada", + "text": "Se estiver implantando em um ambiente isolado, use ou migre para o ASE (Ambiente do Serviço de Aplicativo) v3", "waf": 
"Fiabilidade" }, { - "checklist": "Azure API Management Review", - "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", - "link": "https://learn.microsoft.com/azure/api-management/retry-policy", - "service": "APIM", - "severity": "Média", - "text": "Use Políticas para adicionar uma URL de back-end de failover e cache para reduzir chamadas com falha.", + "checklist": "Azure Function Review", + "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "Azure Functions", + "severity": "Alto", + "text": "Verifique se 'Sempre Ativado' está habilitado para todos os Aplicativos de Função em execução no Plano do Serviço de Aplicativo", "waf": "Fiabilidade" }, { - "checklist": "Azure API Management Review", - "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", - "service": "APIM", - "severity": "Baixo", - "text": "Se você precisar registrar em níveis de alto desempenho, considere a política de Hubs de Eventos", - "waf": "Operações" - }, - { - "checklist": "Azure API Management Review", - "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", - "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", - "service": "APIM", - "severity": "Média", - "text": "Aplicar políticas de limitação para controlar o número de solicitações por segundo", - "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", - "waf": "Desempenho" - }, - { - "checklist": "Azure API Management Review", - "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", - "service": "APIM", - "severity": "Média", - "text": "Configurar o dimensionamento automático para dimensionar o número de instâncias quando a carga aumenta", - "waf": "Desempenho" - }, - { - "checklist": "Azure 
API Management Review", - "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", - "service": "APIM", - "severity": "Média", - "text": "Implante gateways auto-hospedados onde o Azure não tem uma região próxima às APIs de back-end.", - "waf": "Desempenho" - }, - { - "checklist": "Azure API Management Review", - "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", - "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", - "service": "APIM", + "checklist": "Azure Function Review", + "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", + "service": "Azure Functions", "severity": "Média", - "text": "Use a camada premium para cargas de trabalho de produção.", + "text": "Emparelhe um aplicativo de função com sua própria conta de armazenamento. 
Tente não reutilizar contas de armazenamento para aplicativos de função, a menos que eles estejam firmemente acoplados", "waf": "Fiabilidade" }, { - "checklist": "Azure API Management Review", - "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", - "service": "APIM", + "checklist": "Azure Function Review", + "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "Azure Functions", "severity": "Média", - "text": "No modelo de várias regiões, use Políticas para rotear as solicitações para back-ends regionais com base na disponibilidade ou latência.", - "waf": "Fiabilidade" - }, - { - "checklist": "Azure API Management Review", - "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", - "service": "APIM", - "severity": "Alto", - "text": "Esteja atento aos limites da APIM", - "waf": "Fiabilidade" + "text": "Aproveite o Azure DevOps ou o GitHub para simplificar o CI/CD e proteger seu código do Aplicativo de Função", + "waf": "Operações" }, { - "checklist": "Azure API Management Review", - "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", - "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", - "service": "APIM", + "checklist": "Redis Resiliency checklist", + "guid": "65285269-440b-44be-9d3e-0844276d4bdc", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", + "service": "Redis", "severity": "Alto", - "text": "Certifique-se de que as implantações de gateway auto-hospedado sejam resilientes.", + "text": "Habilite a redundância de zona para o Cache do Azure para Redis. 
O Cache do Azure para Redis dá suporte a configurações redundantes de zona nas camadas Premium e Enterprise. Um cache redundante de zona pode colocar seus nós em diferentes zonas de disponibilidade do Azure na mesma região. Ele elimina a interrupção do data center ou AZ como um único ponto de falha e aumenta a disponibilidade geral do cache.", "waf": "Fiabilidade" }, { - "checklist": "Azure API Management Review", - "guid": "7519e385-a88b-4d34-966b-6269d686e890", - "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", - "service": "APIM", - "severity": "Média", - "text": "Usar o Azure Front Door na frente do APIM para implantação em várias regiões", - "waf": "Desempenho" - }, - { - "checklist": "Azure API Management Review", - "guid": "cd45c90e-7690-4753-930b-bf290c69c074", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", - "service": "APIM", - "severity": "Média", - "text": "Implantar o serviço em uma rede virtual (VNet)", - "waf": "Segurança" - }, - { - "checklist": "Azure API Management Review", - "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", - "service": "APIM", - "severity": "Média", - "text": "Implante NSG (grupos de segurança de rede) em suas sub-redes para restringir ou monitorar o tráfego de/para APIM.", - "waf": "Segurança" - }, - { - "checklist": "Azure API Management Review", - "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", - "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", - "service": "APIM", - "severity": "Média", - "text": "Implante pontos de extremidade privados para filtrar o tráfego de entrada quando o APIM não for implantado em uma rede virtual.", - "waf": "Segurança" - }, - { - "checklist": "Azure API Management Review", - "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", - "service": "APIM", - "severity": "Alto", - "text": "Desabilitar o acesso à rede pública", - "waf": "Segurança" - }, - { - "checklist": "Azure API Management Review", - "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", - "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", - "service": "APIM", - "severity": "Média", - "text": "Simplifique o gerenciamento com scripts de automação do PowerShell", - "waf": "Operações" - }, - { - "checklist": "Azure API Management Review", - "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", - "service": "APIM", - "severity": "Média", - "text": "Configure APIM via Infrastructure-as-code. 
Analise as práticas recomendadas de DevOps do Cloud Adaption Framework APIM Landing Zone Accelerator", - "waf": "Operações" - }, - { - "checklist": "Azure API Management Review", - "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", - "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", - "service": "APIM", - "severity": "Média", - "text": "Promover o uso da extensão API do Visual Studio Code para um desenvolvimento de API mais rápido", - "waf": "Operações" - }, - { - "checklist": "Azure API Management Review", - "guid": "354f1c03-8112-4965-85ad-c0074bddf231", - "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", - "service": "APIM", - "severity": "Média", - "text": "Implemente DevOps e CI/CD em seu fluxo de trabalho", - "waf": "Operações" - }, - { - "checklist": "Azure API Management Review", - "guid": "b6439493-426a-45f3-9697-cf65baee208d", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", - "service": "APIM", - "severity": "Média", - "text": "APIs seguras usando autenticação de certificado de cliente", - "waf": "Segurança" - }, - { - "checklist": "Azure API Management Review", - "guid": "2a67d143-1033-4c0a-8732-680896478f08", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", - "service": "APIM", - "severity": "Média", - "text": "Serviços de back-end seguros usando autenticação de certificado de cliente", - "waf": "Segurança" - }, - { - "checklist": "Azure API Management Review", - "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", - "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", - "service": "APIM", + "checklist": "Redis Resiliency checklist", + "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", + "service": "Redis", "severity": 
"Média", - "text": "Consulte o artigo \"Recomendações para mitigar as 10 principais ameaças da segurança da API OWASP\" e verifique o que é aplicável às suas APIs", - "waf": "Segurança" + "text": "Configure a persistência de dados para uma instância do Cache do Azure para Redis. Como os dados do cache são armazenados na memória, uma falha rara e não planejada de vários nós pode fazer com que todos os dados sejam descartados. Para evitar a perda completa de dados, a persistência do Redis permite que você tire instantâneos periódicos de dados na memória e os armazene em sua conta de armazenamento.", + "waf": "Fiabilidade" }, { - "checklist": "Azure API Management Review", - "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", - "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", - "service": "APIM", + "checklist": "Redis Resiliency checklist", + "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", + "service": "Redis", "severity": "Média", - "text": "Usar o recurso Autorizações para simplificar o gerenciamento do token OAuth 2.0 para suas APIs de back-end", - "waf": "Segurança" - }, - { - "checklist": "Azure API Management Review", - "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", - "service": "APIM", - "severity": "Alto", - "text": "Use a versão mais recente do TLS ao criptografar informações em trânsito. 
Desative protocolos e cifras desatualizados e desnecessários quando possível.", - "waf": "Segurança" - }, - { - "checklist": "Azure API Management Review", - "guid": "f8af3d94-1d2b-4070-846f-849197524258", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", - "service": "APIM", - "severity": "Alto", - "text": "Certifique-se de que os segredos (valores nomeados) sejam armazenados em um Cofre de Chaves do Azure para que possam ser acessados e atualizados com segurança", - "waf": "Segurança" + "text": "Use a conta de armazenamento com redundância geográfica para persistir o Cache do Azure para dados Redis ou zonalmente redundante onde a redundância geográfica não está disponível", + "waf": "Fiabilidade" }, { - "checklist": "Azure API Management Review", - "guid": "791abd8b-7706-4e31-9569-afefde724be3", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", - "service": "APIM", + "checklist": "Redis Resiliency checklist", + "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", + "service": "Redis", "severity": "Média", - "text": "Use identidades gerenciadas para autenticar em outros recursos do Azure sempre que possível", - "waf": "Segurança" - }, - { - "checklist": "Azure API Management Review", - "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", - "service": "APIM", - "severity": "Alto", - "text": "Usar 
o WAF (Web Application Firewall) implantando o Application Gateway na frente do APIM", - "waf": "Segurança" + "text": "Configure a replicação geográfica passiva para instâncias do Cache Premium do Azure para Redis. A replicação geográfica é um mecanismo para vincular duas ou mais instâncias do Cache do Azure para Redis, normalmente abrangendo duas regiões do Azure. A replicação geográfica foi projetada principalmente para recuperação de desastres entre regiões. Duas instâncias de cache de camada Premium são conectadas por meio de replicação geográfica de uma forma que fornece leituras e gravações no cache primário e que os dados são replicados para o cache secundário.", + "waf": "Fiabilidade" }, { "checklist": "Azure Landing Zone Review", 
@@ -2477,5350 +2247,5580 @@ "waf": "Fiabilidade" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", - "severity": "Alto", - "text": "Permitir que 2 réplicas tenham 99,9% de disponibilidade para operações de leitura", + "checklist": "Azure App Service Review", + "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", + "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", + "service": "App Services", + "severity": "Baixo", + "text": "Consulte a arquitetura de aplicativo Web com redundância de zona altamente disponível da linha de base para obter as práticas recomendadas", "waf": "Fiabilidade" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", - "severity": "Média", - "text": "Permitir que 3 réplicas tenham 99,9% de disponibilidade para operações de leitura/gravação", + "checklist": "Azure App Service Review", + "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", + "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", + "service": "App Services", + "severity": "Média", + "text": "Use as camadas Premium e Standard. 
Esses níveis oferecem suporte a slots de preparo e backups automatizados.", "waf": "Fiabilidade" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", - "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", - "service": "Cognitive Search", + "checklist": "Azure App Service Review", + "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", + "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", + "service": "App Services", "severity": "Alto", - "text": "Aproveite as zonas de disponibilidade habilitando réplicas de leitura e/ou gravação", + "text": "Aproveite as zonas de disponibilidade quando aplicável regionalmente (requer a camada Premium v2 ou v3)", "waf": "Fiabilidade" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", - "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", - "service": "Cognitive Search", + "checklist": "Azure App Service Review", + "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", "severity": "Média", - "text": "Para redução regional, crie manualmente serviços em 2 ou mais regiões para a Pesquisa, pois não fornece um método automatizado de replicação de índices de pesquisa entre regiões geográficas", + "text": "Implementar verificações de integridade", "waf": "Fiabilidade" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", - "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", - "service": "Cognitive Search", - "severity": "Média", - "text": "Para sincronizar dados em vários serviços: Use indexadores para atualizar conteúdo em vários serviços ou Use APIs REST para enviar 
atualizações de conteúdo em vários serviços", + "checklist": "Azure App Service Review", + "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", + "service": "App Services", + "severity": "Alto", + "text": "Consulte as práticas recomendadas de backup e restauração para o Serviço de Aplicativo do Azure", "waf": "Fiabilidade" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", - "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", - "service": "Cognitive Search", - "severity": "Média", - "text": "Usar o Gerenciador de Tráfego do Azure para coordenar solicitações", + "checklist": "Azure App Service Review", + "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", + "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", + "service": "App Services", + "severity": "Alto", + "text": "Implementar práticas recomendadas de confiabilidade do Serviço de Aplicativo do Azure", "waf": "Fiabilidade" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", - "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", - "service": "Cognitive Search", + "checklist": "Azure App Service Review", + "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", + "service": "App Services", + "severity": "Baixo", + "text": "Familiarizar-se com como mover um aplicativo do Serviço de Aplicativo para outra região durante um desastre", + "waf": "Fiabilidade" + }, + { + "checklist": "Azure App Service Review", + "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", + 
"service": "App Services", "severity": "Alto", - "text": "Backup e restauração de um índice de pesquisa cognitiva do Azure. Use este código de exemplo para fazer backup da definição de índice e instantâneo em uma série de arquivos Json", + "text": "Familiarizar-se com o suporte de confiabilidade no Serviço de Aplicativo do Azure", "waf": "Fiabilidade" }, { - "checklist": "Cost Optimization Checklist", - "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", - "service": "Azure Monitor", - "text": "Regras de coleta de dados no Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "Custar" + "checklist": "Azure App Service Review", + "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "App Services", + "severity": "Média", + "text": "Verifique se \"Sempre Ativo\" está habilitado para Aplicativos de Função em execução em um plano de serviço de aplicativo", + "waf": "Fiabilidade" }, { - "checklist": "Cost Optimization Checklist", - "guid": "45901365-d38e-443f-abcb-d868266abca2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Azure Backup", - "text": "Verificar instâncias de backup com a fonte de dados subjacente não encontrada", - "waf": "Custar" + "checklist": "Azure App Service Review", + "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", + "severity": "Média", + "text": "Monitorar instâncias do Serviço de Aplicativo usando verificações de integridade", + "waf": "Fiabilidade" }, { - "checklist": "Cost Optimization Checklist", - 
"guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "VM", - "text": "Excluir ou arquivar serviços não associados (discos, nics, endereços IP etc.)", - "waf": "Custar" + "checklist": "Azure App Service Review", + "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", + "service": "App Services", + "severity": "Média", + "text": "Monitorar a disponibilidade e a capacidade de resposta do aplicativo Web ou site usando testes de disponibilidade do Application Insights", + "waf": "Fiabilidade" }, { - "checklist": "Cost Optimization Checklist", - "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Azure Backup", - "text": "Considere um bom equilíbrio entre recuperação de local, armazenamento e backup para aplicativos não essenciais", - "waf": "Custar" + "checklist": "Azure App Service Review", + "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", + "service": "App Services", + "severity": "Baixo", + "text": "Usar o teste Application Insights Standard para monitorar a disponibilidade e a capacidade de resposta do aplicativo Web ou site", + "waf": "Fiabilidade" }, { - "checklist": "Cost Optimization Checklist", - "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", - "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", - "service": "Azure Monitor", - "text": "Verifique os gastos e as oportunidades de economia entre os 40 diferentes espaços de trabalho de análise de log - use retenção e coleta de dados diferentes para 
espaços de trabalho não prod - crie limite diário para reconhecimento e dimensionamento de camadas - Se você definir um limite diário, além de criar um alerta quando o limite for atingido, certifique-se de também criar uma regra de alerta para ser notificado quando alguma porcentagem for atingida (90%, por exemplo). - considerar a transformação do espaço de trabalho, se possível - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", - "waf": "Custar" + "checklist": "Azure App Service Review", + "description": "Use o Cofre de Chaves do Azure para armazenar quaisquer segredos de que o aplicativo precisa. O Cofre de Chaves fornece um ambiente seguro e auditado para armazenar segredos e está bem integrado ao Serviço de Aplicativo por meio do SDK do Cofre de Chaves ou das Referências do Cofre de Chaves do Serviço de Aplicativo.", + "guid": "834ac932-223e-4ce8-8b12-3071a5416415", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", + "severity": "Alto", + "text": "Usar o Cofre de Chaves para armazenar segredos", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Azure Monitor", - "text": "Impor uma política de log de limpeza e automação (se necessário, os logs podem ser movidos para armazenamento frio)", - "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", - "waf": "Custar" + "checklist": "Azure App Service Review", + "description": "Use uma Identidade Gerenciada para se conectar ao Cofre de Chaves usando o SDK do Cofre de Chaves ou por meio das Referências do Cofre de Chaves do 
Serviço de Aplicativo.", + "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", + "severity": "Alto", + "text": "Usar a Identidade Gerenciada para se conectar ao Cofre de Chaves", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "VM", - "text": "Verifique se os discos são realmente necessários, se não: excluir. Se forem necessários, encontre níveis de armazenamento mais baixos ou use backup -", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", - "waf": "Custar" + "checklist": "Azure App Service Review", + "description": "Armazene o certificado TLS do Serviço de Aplicativo no Cofre de Chaves.", + "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", + "service": "App Services", + "severity": "Alto", + "text": "Use o Cofre de Chaves para armazenar o certificado TLS.", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "d1e44a19-659d-4395-afd7-7289b835556d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Storage", - "text": "Considere mover o armazenamento não utilizado para o nível inferior, com regra personalizada - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "waf": "Custar" + "checklist": "Azure App Service Review", + "description": "Os sistemas que processam informações 
confidenciais devem ser isolados. Para fazer isso, use Planos do Serviço de Aplicativo ou Ambientes do Serviço de Aplicativo separados e considere o uso de assinaturas ou grupos de gerenciamento diferentes.", + "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", + "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", + "service": "App Services", + "severity": "Média", + "text": "Isolar sistemas que processam informações confidenciais", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "VM", - "text": "Verifique se o Advisor está configurado para o dimensionamento correto da VM ", - "waf": "Custar" + "checklist": "Azure App Service Review", + "description": "Os discos locais no Serviço de Aplicativo não são criptografados e os dados confidenciais não devem ser armazenados neles. (Por exemplo: D:\\\\Local e %TMP%).", + "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", + "service": "App Services", + "severity": "Média", + "text": "Não armazene dados confidenciais no disco local", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "description": "verifique pesquisando as Licenças de Categoria de Medidor na Análise de Custos", - "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", - "service": "VM", - "text": "executar o script em todas as VMs do Windows https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- considere implementar uma diretiva se as VMs do Windows forem criadas com frequência", - "waf": "Custar" + "checklist": "Azure App Service 
Review", + "description": "Para aplicativos Web autenticados, use um Provedor de Identidade bem estabelecido, como o Azure AD ou o Azure AD B2C. Aproveite a estrutura de aplicativo de sua escolha para se integrar a esse provedor ou use o recurso de Autenticação/Autorização do Serviço de Aplicativo.", + "guid": "919ca0b2-c121-459e-814b-933df574eccc", + "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", + "service": "App Services", + "severity": "Média", + "text": "Usar um provedor de identidade estabelecido para autenticação", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "VM", - "text": " isso também pode ser colocado no AHUB se você já tiver licenças https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", - "waf": "Custar" + "checklist": "Azure App Service Review", + "description": "Implante código no Serviço de Aplicativo a partir de um ambiente controlado e confiável, como um pipeline de implantação de DevOps bem gerenciado e seguro. 
Isso evita que o código que não foi controlado por versão e verificado para ser implantado a partir de um host mal-intencionado.", + "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", + "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", + "service": "App Services", + "severity": "Alto", + "text": "Implantar a partir de um ambiente confiável", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "VM", - "text": "Consolidar famílias de VM reservadas com opção de flexibilidade (não mais do que 4-5 famílias)", - "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", - "waf": "Custar" + "checklist": "Azure App Service Review", + "description": "Desative a autenticação básica para FTP/FTPS e WebDeploy/SCM. Isso desabilita o acesso a esses serviços e impõe o uso de pontos de extremidade protegidos do Azure AD para implantação. 
Observe que o site do SCM também pode ser aberto usando credenciais do Azure AD.", + "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", + "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", + "service": "App Services", + "severity": "Alto", + "text": "Desabilitar a autenticação básica", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", - "service": "VM", - "text": "Utilize instâncias reservadas do Azure: esse recurso permite reservar VMs por um período de 1 ou 3 anos, proporcionando uma economia significativa em comparação com os preços do PAYG.", - "waf": "Custar" + "checklist": "Azure App Service Review", + "description": "Sempre que possível, use a Identidade Gerenciada para se conectar aos recursos protegidos do Azure AD. 
Se isso não for possível, armazene segredos no Cofre de Chaves e conecte-se ao Cofre de Chaves usando uma Identidade Gerenciada.", + "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", + "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", + "service": "App Services", + "severity": "Alto", + "text": "Usar a Identidade Gerenciada para se conectar a recursos", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", - "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", - "service": "VM", - "text": "Somente discos maiores podem ser reservados => 1 TiB -", - "waf": "Custar" + "checklist": "Azure App Service Review", + "description": "Onde estiver usando imagens armazenadas no Registro de Contêiner do Azure, extraia-as usando uma Identidade Gerenciada.", + "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", + "service": "App Services", + "severity": "Alto", + "text": "Extrair contêineres usando uma identidade gerenciada", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", - "service": "VM", - "text": "Após a otimização do dimensionamento correto", - "waf": "Custar" + "checklist": "Azure App Service Review", + "description": "Ao definir as configurações de diagnóstico do Serviço de Aplicativo, você pode enviar toda a telemetria para o Log Analytics como o destino central para registro em log e monitoramento. 
Isso permite que você monitore a atividade de tempo de execução do Serviço de Aplicativo, como logs HTTP, logs de aplicativos, logs de plataforma, ...", + "guid": "47768314-c115-4775-a2ea-55b46ad48408", + "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", + "service": "App Services", + "severity": "Média", + "text": "Enviar logs de tempo de execução do Serviço de Aplicativo para o Log Analytics", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Azure SQL", - "text": "Verifique se aplicável e aplique a política/alteração https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", - "waf": "Custar" + "checklist": "Azure App Service Review", + "description": "Configure uma configuração de diagnóstico para enviar o log de atividades para o Log Analytics como o destino central para registro e monitoramento. 
Isso permite que você monitore a atividade do plano de controle no próprio recurso do Serviço de Aplicativo.", + "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", + "service": "App Services", + "severity": "Média", + "text": "Enviar logs de atividade do Serviço de Aplicativo para o Log Analytics", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "VM", - "text": "O desconto da peça de licença VM + (ahub + 3YRI) é de cerca de 70% de desconto", - "waf": "Custar" + "checklist": "Azure App Service Review", + "description": "Controle o acesso à rede de saída usando uma combinação de integração regional de VNet, grupos de segurança de rede e UDR's. O tráfego deve ser roteado para um NVA, como o Firewall do Azure. Certifique-se de monitorar os logs do Firewall.", + "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", + "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", + "service": "App Services", + "severity": "Média", + "text": "O acesso à rede de saída deve ser controlado", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "VM", - "text": "Considere o uso de um VMSS para corresponder à demanda em vez de dimensionamento simples", - "waf": "Custar" + "checklist": "Azure App Service Review", + "description": "Você pode fornecer um IP de saída estável usando a integração de rede virtual e um gateway NAT de rede virtual ou um NVA como o Firewall do Azure. Isso permite que a parte receptora permita uma lista com base no IP, caso seja necessário. 
Observe que, para comunicações com os Serviços do Azure, geralmente não há necessidade de depender do endereço IP e mecânicas como Pontos de Extremidade de Serviço devem ser usadas. (Além disso, o uso de pontos de extremidade privados na extremidade de recebimento evita que o SNAT aconteça e fornece um intervalo de IP de saída estável.)", + "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", + "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", + "service": "App Services", + "severity": "Baixo", + "text": "Garantir um IP estável para comunicações de saída para endereços de Internet", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Cost Optimization Checklist", - "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "AKS", - "text": "Use o autoscaler AKS para corresponder ao uso de clusters (verifique se os requisitos dos pods correspondem ao dimensionador)", - "waf": "Custar" + "checklist": "Azure App Service Review", + "description": "Controle o acesso à rede de entrada usando uma combinação de Restrições de Acesso do Serviço de Aplicativo, Pontos de Extremidade de Serviço ou Pontos de Extremidade Privados. 
Diferentes restrições de acesso podem ser necessárias e configuradas para o próprio aplicativo Web e o site do SCM.", + "guid": "0725769e-e669-41a4-a34a-c932223ece80", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", + "severity": "Alto", + "text": "O acesso à rede de entrada deve ser controlado", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Azure Backup", - "text": "Mover pontos de recuperação para o vault-archive, quando aplicável (Validar)", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "Custar" + "checklist": "Azure App Service Review", + "description": "Proteja-se contra tráfego de entrada mal-intencionado usando um Firewall de Aplicativo Web, como o Gateway de Aplicativo ou o Azure Front Door. Certifique-se de monitorar os logs do WAF.", + "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", + "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", + "service": "App Services", + "severity": "Alto", + "text": "Usar um WAF na frente do Serviço de Aplicativo", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", - "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", - "service": "Databricks", - "text": "Considere o uso de VMs spot com fallback sempre que possível. Considere o autotermination de clusters.", - "waf": "Custar" + "checklist": "Azure App Service Review", + "description": "Certifique-se de que o WAF não pode ser ignorado bloqueando o acesso apenas ao WAF. 
Use uma combinação de Restrições de Acesso, Pontos de Extremidade de Serviço e Pontos de Extremidade Privados.", + "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", + "severity": "Alto", + "text": "Evite que o WAF seja ignorado", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", - "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", - "service": "Azure Functions", - "text": "Funções - Reutilizar conexões", - "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", - "waf": "Custar" + "checklist": "Azure App Service Review", + "description": "Defina a política TLS mínima como 1.2 na configuração do Serviço de Aplicativo.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", + "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", + "service": "App Services", + "severity": "Média", + "text": "Definir a política TLS mínima como 1.2", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", - "link": "https://learn.microsoft.com/azure/automation/update-management/overview", - "service": "Azure Functions", - "text": "Funções - Armazenar dados em cache localmente", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", - "waf": "Custar" + "checklist": "Azure App Service Review", + "description": "Configure o Serviço de Aplicativo para usar somente HTTPS. Isso faz com que o Serviço de Aplicativo redirecione de HTTP para HTTPS. 
Considere fortemente o uso de HTTP Strict Transport Security (HSTS) em seu código ou a partir de seu WAF, que informa aos navegadores que o site só deve ser acessado usando HTTPS.", + "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", + "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", + "service": "App Services", + "severity": "Alto", + "text": "Usar somente HTTPS", + "waf": "Segurança" + }, + { + "checklist": "Azure App Service Review", + "description": "Não use curingas em sua configuração do CORS, pois isso permite que todas as origens acessem o serviço (derrotando assim o propósito do CORS). Especificamente, permita apenas as origens que você espera poder acessar o serviço.", + "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", + "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", + "service": "App Services", + "severity": "Alto", + "text": "Curingas não devem ser usados para CORS", + "waf": "Segurança" + }, + { + "checklist": "Azure App Service Review", + "description": "A depuração remota não deve ser ativada na produção, pois isso abre portas adicionais no serviço, o que aumenta a superfície de ataque. 
Observe que o serviço ativa a depuração remota automaticamente após 48 horas.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", + "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", + "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", + "service": "App Services", + "severity": "Alto", + "text": "Desativar a depuração remota", + "waf": "Segurança" + }, + { + "checklist": "Azure App Service Review", + "description": "Habilite o Defender para o Serviço de Aplicativo. Isso (entre outras ameaças) detecta comunicações com endereços IP mal-intencionados conhecidos. Analise as recomendações do Defender for App Service como parte de suas operações.", + "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", + "service": "App Services", + "severity": "Média", + "text": "Habilitar o Defender for Cloud - Defender for App Service", + "waf": "Segurança" + }, + { + "checklist": "Azure App Service Review", + "description": "O Azure fornece proteção contra DDoS Basic em sua rede, que pode ser aprimorada com recursos inteligentes de DDoS Standard que aprendem sobre padrões normais de tráfego e podem detectar comportamentos incomuns. 
O DDoS Standard se aplica a uma Rede Virtual, portanto, ele deve ser configurado para o recurso de rede na frente do aplicativo, como o Application Gateway ou um NVA.", + "guid": "223ece80-b123-4071-a541-6415833ea3ad", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "App Services", + "severity": "Média", + "text": "Habilitar o padrão de proteção DDOS na rede virtual WAF", + "waf": "Segurança" + }, + { + "checklist": "Azure App Service Review", + "description": "Ao usar imagens armazenadas no Registro de Contêiner do Azure, extraia-as por uma rede virtual do Registro de Contêiner do Azure usando seu ponto de extremidade privado e a configuração do aplicativo 'WEBSITE_PULL_IMAGE_OVER_VNET'.", + "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", + "service": "App Services", + "severity": "Média", + "text": "Extrair contêineres por uma rede virtual", + "waf": "Segurança" + }, + { + "checklist": "Azure App Service Review", + "description": "Realizar um teste de penetração na aplicação web seguindo as regras de teste de penetração de engajamento.", + "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", + "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", + "service": "App Services", + "severity": "Média", + "text": "Realizar um teste de penetração", + "waf": "Segurança" + }, + { + "checklist": "Azure App Service Review", + "description": "Implante código confiável que foi validado e verificado em busca de vulnerabilidades de acordo com as práticas de DevSecOps.", + "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", + "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", + "service": "App Services", + "severity": "Média", + "text": "Implantar código validado", + "waf": "Segurança" + }, + { + "checklist": "Azure App Service 
Review", + "description": "Use as versões mais recentes de plataformas, linguagens de programação, protocolos e estruturas suportadas.", + "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", + "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", + "service": "App Services", + "severity": "Alto", + "text": "Use plataformas, linguagens, protocolos e frameworks atualizados", + "waf": "Segurança" + }, + { + "checklist": "Azure Bot Service", + "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", + "service": "Bot service", + "severity": "Média", + "text": "Siga as recomendações de suporte de confiabilidade no Serviço de Bot do Azure", + "waf": "Fiabilidade" + }, + { + "checklist": "Azure Bot Service", + "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", + "service": "Bot service", + "severity": "Média", + "text": "Implantando bots com residência de dados local e conformidade regional", + "waf": "Fiabilidade" + }, + { + "checklist": "Azure Bot Service", + "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", + "service": "Bot service", + "severity": "Média", + "text": "O Serviço de Bot do Azure é executado no modo ativo-ativo para serviços globais e regionais. Quando ocorre uma paralisação, você não precisa detectar erros ou gerenciar o serviço. O Serviço de Bot do Azure executa automaticamente o failover automático e a recuperação automática em uma arquitetura geográfica de várias regiões. Para o serviço regional de bot da UE, o Serviço de Bot do Azure fornece duas regiões completas dentro da Europa com replicação ativa/ativa para garantir redundância. 
Para o serviço de bot global, todas as regiões/geografias disponíveis podem ser servidas como a presença global.", + "waf": "Fiabilidade" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Front Door", + "severity": "Média", + "text": "Se você usar certificados TLS gerenciados pelo cliente com o Azure Front Door, use a versão de certificado 'Mais recente'. Reduzir o risco de paralisações causadas pela renovação manual de certificados", + "waf": "Operações" + }, + { + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", + "guid": "553585a6-abe0-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "App Gateway", + "severity": "Média", + "text": "Verifique se você está usando o SKU do Application Gateway v2", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Segurança" + }, + { + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", + "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Load Balancer", + "severity": "Média", + "text": "Verifique se você está usando a SKU padrão para seus Balanceadores de Carga do Azure", + "waf": "Segurança" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "9432621a-8397-4654-a882-5bc856b7ef83", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", + 
"service": "Load Balancer", + "severity": "Média", + "text": "Verifique se os endereços IP de front-end dos Load Balancers são redundantes por zona (a menos que você precise de frontends zonais).", + "waf": "Segurança" + }, + { + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", + "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "App Gateway", + "severity": "Média", + "text": "Seus Application Gateways v2 devem ser implantados em sub-redes com prefixos IP iguais ou maiores que /24", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Segurança" + }, + { + "checklist": "Azure Application Delivery Networking", + "description": "A administração de proxies reversos em geral e do WAF em particular está mais próxima do aplicativo do que da rede, portanto, eles pertencem à mesma assinatura que o aplicativo. 
Centralizar o Application Gateway e o WAF na assinatura de conectividade pode ser OK se for gerenciado por uma única equipe.", + "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", + "severity": "Média", + "text": "Implante o Gateway de Aplicativo do Azure v2 ou NVAs de parceiros usados para fazer proxy de conexões HTTP(S) de entrada na rede virtual da zona de aterrissagem e com os aplicativos que eles estão protegendo.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Segurança" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", + "severity": "Média", + "text": "Use uma rede DDoS ou planos de proteção IP para todos os endereços IP públicos nas zonas de aterrissagem do aplicativo.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Segurança" + }, + { + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", + "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", + "service": "App Gateway", + "severity": "Média", + "text": "Configure o dimensionamento automático com uma quantidade mínima de duas instâncias.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Fiabilidade" + }, + { + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' 
| extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", + "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", + "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", + "service": "App Gateway", + "severity": "Média", + "text": "Implantar o Application Gateway em zonas de disponibilidade", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Fiabilidade" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Front Door", + "severity": "Média", + "text": "Use o Azure Front Door com políticas WAF para fornecer e ajudar a proteger aplicativos HTTP/S globais que abrangem várias regiões do Azure.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Segurança" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "3f29812b-2363-4cef-b179-b599de0d5973", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "Front Door", + "severity": "Média", + "text": "Ao usar o Front Door e o Application Gateway para ajudar a proteger aplicativos HTTP/S, use políticas WAF no Front Door. 
Bloqueie o Application Gateway para receber tráfego somente do Front Door.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Segurança" + }, + { + "ammp": true, + "arm-service": "microsoft.network/trafficManagerProfiles", + "checklist": "Azure Application Delivery Networking", + "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Traffic Manager", + "severity": "Alto", + "text": "Use o Gerenciador de Tráfego para fornecer aplicativos globais que abrangem protocolos diferentes de HTTP/S.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Fiabilidade" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", + "severity": "Baixo", + "text": "Se os usuários precisarem apenas de acesso a aplicativos internos, o Proxy de Aplicativo de ID do Microsoft Entra foi considerado uma alternativa à Área de Trabalho Virtual (AVD) do Azure?", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "waf": "Segurança" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", + "severity": "Média", + "text": "Para reduzir o número de portas de firewall abertas para conexões de entrada em sua rede, considere o uso do Microsoft Entra ID Application Proxy para dar aos usuários remotos acesso seguro e autenticado a aplicativos internos.", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": 
"Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Azure Functions", - "text": "Funções - Partidas a frio - Use a funcionalidade 'Executar do pacote'. Dessa forma, o código é baixado como um único arquivo zip. Isso pode, por exemplo, resultar em melhorias significativas com as funções Javascript, que possuem muitos módulos de nó. Use ferramentas específicas de linguagem para reduzir o tamanho do pacote, por exemplo, aplicativos Javascript que agitam árvores.", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "Custar" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "ae248989-b306-4591-9186-de482e3f0f0e", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "Front Door", + "severity": "Alto", + "text": "Implante sua política de WAF para Front Door no modo 'Prevenção'.", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "Azure Functions", - "text": "Funções - Mantenha suas funções aquecidas", - 
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Custar" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "Front Door", + "severity": "Alto", + "text": "Evite combinar o Gerenciador de Tráfego do Azure e o Azure Front Door.", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Azure Functions", - "text": "Ao usar o dimensionamento automático com funções diferentes, pode haver um que conduza todo o dimensionamento automático para todos os recursos - considere movê-lo para um plano de consumo separado (e considere um plano mais alto para a CPU)", - "waf": "Custar" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "Front Door", + "severity": "Alto", + "text": "Use o mesmo nome de domínio no Azure Front Door e sua origem. 
Nomes de host incompatíveis podem causar bugs sutis.", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", - "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", - "service": "Azure Functions", - "text": "Os aplicativos de função em um determinado plano são todos dimensionados juntos, portanto, quaisquer problemas com o dimensionamento podem afetar todos os aplicativos no plano.", - "waf": "Custar" + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", + "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "Front Door", + "severity": "Baixo", + "text": "Desabilite os testes de integridade quando houver apenas uma origem em um grupo de origem do Azure Front Door.", + "waf": "Desempenho" }, { - "checklist": "Cost Optimization Checklist", - "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", - "service": "Azure Functions", - "text": "Sou cobrado por 'tempo de espera'? 
Essa pergunta geralmente é feita no contexto de uma função C# que faz uma operação assíncrona e aguarda o resultado, por exemplo, aguardar Task.Delay(1000) ou aguardar cliente. GetAsync('http://google.com'). A resposta é sim - o segundo cálculo de GB é baseado na hora de início e término da função e no uso de memória durante esse período. O que realmente acontece ao longo desse tempo em termos de atividade da CPU não é levado em consideração no cálculo. Uma exceção a essa regra é se você estiver usando funções duráveis. Você não é cobrado pelo tempo gasto em espera em funções de orquestrador.aplique técnicas de modelagem de demanda sempre que possível (ambientes de desenvolvimento?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", - "waf": "Custar" + "checklist": "Azure Application Delivery Networking", + "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "Front Door", + "severity": "Média", + "text": "Selecione bons pontos de extremidade de teste de integridade para o Azure Front Door. 
Considere a criação de pontos de extremidade de integridade que verifiquem todas as dependências do seu aplicativo.", + "waf": "Fiabilidade" }, { - "checklist": "Cost Optimization Checklist", - "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", + "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", "service": "Front Door", - "text": "Frontdoor - Desativar a página inicial padrãoNas configurações do aplicativo do seu aplicativo, defina AzureWebJobsDisableHomepage como true. 
Isso retornará um 204 (Sem Conteúdo) para o PoP para que apenas os dados de cabeçalho sejam retornados.", - "waf": "Custar" + "severity": "Baixo", + "text": "Use testes de integridade do HEAD com o Azure Front Door para reduzir o tráfego que o Front Door envia para seu aplicativo.", + "waf": "Desempenho" }, { - "checklist": "Cost Optimization Checklist", - "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", + "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "Load Balancer", + "severity": "Alto", + "text": "Usar o Gateway NAT do Azure em vez das regras de saída do Load Balancer para melhor escalabilidade do SNAT", + "waf": "Fiabilidade" + }, + { + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", + "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", "service": "Front Door", - "text": "Frontdoor - Rota para algo que não retorna nada. Configure uma Função, Proxy de Função ou adicione uma rota em seu WebApp que retorne 200 (OK) e envie conteúdo nulo ou mínimo. 
A vantagem disso é que você poderá fazer logout quando for chamado.", - "waf": "Custar" + "severity": "Alto", + "text": "Use certificados TLS gerenciados com o Azure Front Door. Reduza o custo operacional e o risco de paralisações devido a renovações de certificados.", + "waf": "Operações" }, { - "checklist": "Cost Optimization Checklist", - "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", - "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", - "service": "Storage", - "text": "Considere níveis de arquivamento para dados menos usados", - "waf": "Custar" + "checklist": "Azure Application Delivery Networking", + "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", + "service": "Front Door", + "severity": "Média", + "text": "Defina sua configuração do WAF do Azure Front Door como código. Usando o código, você pode adotar mais facilmente a nova versão do conjunto de regras e obter proteção adicional.", + "waf": "Operações" }, { - "checklist": "Cost Optimization Checklist", - "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "VM", - "text": "Verifique os tamanhos de disco em que o tamanho não corresponde à camada (ou seja, um disco de 513 GiB pagará um P30 (1TiB) e considere o redimensionamento", - "waf": "Custar" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", + "service": "Front Door", + "severity": "Alto", + "text": "Use o TLS de ponta a ponta com o Azure Front Door. 
Use o TLS para conexões de seus clientes com o Front Door e do Front Door com sua origem.", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "Storage", - "text": "Considere usar SSD padrão em vez de Premium ou Ultra sempre que possível", - "waf": "Custar" + "checklist": "Azure Application Delivery Networking", + "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", + "service": "Front Door", + "severity": "Média", + "text": "Use o redirecionamento HTTP para HTTPS com o Azure Front Door. Ofereça suporte a clientes mais antigos redirecionando-os para uma solicitação HTTPS automaticamente.", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "Storage", - "text": "Para contas de armazenamento, verifique se a camada escolhida não está somando encargos de transação (pode ser mais barato passar para a próxima camada)", - "waf": "Custar" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", + "service": "Front Door", + "severity": "Alto", + "text": "Habilite o WAF do Azure Front Door. 
Proteja seu aplicativo contra uma série de ataques.", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "Site Recovery", - "text": "Para ASR, considere o uso de discos SSD padrão se o RPO/RTO e a taxa de transferência de replicação permitirem", - "waf": "Custar" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", + "service": "Front Door", + "severity": "Alto", + "text": "Ajuste o WAF do Azure Front Door para sua carga de trabalho. Reduza as detecções de falsos positivos.", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", - "service": "Storage", - "text": "Contas de armazenamento: verifique o hot tier e/ou o GRS necessário", - "waf": "Custar" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "Front Door", + "severity": "Alto", + "text": "Habilite o recurso de inspeção do corpo de solicitação habilitado na política WAF do Azure Front Door.", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "VM", - "text": "Discos - valide o uso de discos SSD Premium em todos os lugares: por exemplo, não-prod pode trocar para SSD padrão ou SSD Premium sob demanda ", - "waf": 
"Custar" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", + "service": "Front Door", + "severity": "Alto", + "text": "Habilite os conjuntos de regras padrão do WAF do Azure Front Door. Os conjuntos de regras padrão detectam e bloqueiam ataques comuns.", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "Synapse", - "text": "Crie orçamentos para gerenciar custos e crie alertas que notifiquem automaticamente as partes interessadas sobre anomalias de gastos e riscos de gastos excessivos.", - "waf": "Custar" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", + "service": "Front Door", + "severity": "Alto", + "text": "Habilite o conjunto de regras de proteção de bot do WAF do Azure Front Door. 
As regras de bot detectam bots bons e ruins.", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "Synapse", - "text": "Exporte dados de custo para uma conta de armazenamento para análise de dados adicionais.", - "waf": "Custar" + "checklist": "Azure Application Delivery Networking", + "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", + "service": "Front Door", + "severity": "Média", + "text": "Use a versão mais recente do conjunto de regras do WAF do Azure Front Door. As atualizações do conjunto de regras são atualizadas regularmente para levar em conta o cenário atual de ameaças.", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Synapse", - "text": "Controle os custos de um pool SQL dedicado pausando o recurso quando ele não estiver em uso.", - "waf": "Custar" + "checklist": "Azure Application Delivery Networking", + "guid": "b9620385-1cde-418f-914b-a84a06982ffc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", + "service": "Front Door", + "severity": "Média", + "text": "Adicione o limite de taxa ao WAF do Azure Front Door. 
A limitação de taxa bloqueia clientes que enviam acidentalmente ou intencionalmente grandes quantidades de tráfego em um curto período de tempo.", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", - "service": "Synapse", - "text": "Habilite o recurso de pausa automática do Apache Spark sem servidor e defina seu valor de tempo limite de acordo.", - "waf": "Custar" + "checklist": "Azure Application Delivery Networking", + "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", + "service": "Front Door", + "severity": "Média", + "text": "Use um limite alto para os limites de taxa do WAF do Azure Front Door. Limites de limite de taxa alta evitam o bloqueio de tráfego legítimo, ao mesmo tempo em que fornecem proteção contra um número extremamente alto de solicitações que podem sobrecarregar sua infraestrutura. 
", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Synapse", - "text": "Crie várias definições de pool do Apache Spark de vários tamanhos.", - "waf": "Custar" + "checklist": "Azure Application Delivery Networking", + "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", + "service": "Front Door", + "severity": "Baixo", + "text": "Se você não está esperando tráfego de todas as regiões geográficas, use filtros geográficos para bloquear o tráfego de países não esperados.", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", - "service": "Synapse", - "text": "Adquira unidades de confirmação (SCU) do Azure Synapse por um ano com um plano de pré-compra para economizar nos custos do Azure Synapse Analytics.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Custar" + "checklist": "Azure Application Delivery Networking", + "guid": "00acd8a9-6975-414f-8491-2be6309893b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", + "service": "Front Door", + "severity": "Média", + "text": "Especifique o local desconhecido (ZZ) ao filtrar geograficamente o tráfego com o WAF do Azure Front Door. 
Evite bloquear acidentalmente solicitações legítimas quando os endereços IP não puderem ser correspondidos geograficamente.", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "VM", - "text": "Usar VMs spot para trabalhos interruptíveis: são VMs que podem ser licitadas e compradas a um preço com desconto, fornecendo uma solução econômica para cargas de trabalho não críticas.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Custar" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", + "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", + "service": "App Gateway", + "severity": "Alto", + "text": "Habilitar o conjunto de regras de proteção de bot WAF do Gateway de Aplicativo do Azure As regras de bot detectam bots bons e ruins.", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "544451e1-92d3-4442-a3c7-628637a551c5", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", - "text": "Dimensionamento correto de todas as VMs", - "waf": "Custar" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + 
"service": "App Gateway", + "severity": "Alto", + "text": "Habilite o recurso de inspeção do corpo de solicitação habilitado na política WAF do Gateway de Aplicativo do Azure.", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "VM", - "text": "Trocar VM dimensionada com tamanhos normalizados e mais recentes", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Custar" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", + "service": "App Gateway", + "severity": "Alto", + "text": "Ajuste o WAF do Gateway de Aplicativo do Azure para sua carga de trabalho. Reduza as detecções de falsos positivos.", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "VMs de dimensionamento correto - comece com o monitoramento do uso abaixo de 5% e, em seguida, trabalhe até 40%", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Custar" + "ammp": true, + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend 
profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "App Gateway", + "severity": "Alto", + "text": "Implante sua política de WAF para o Application Gateway no modo 'Prevenção'.", + "waf": "Segurança" }, { - "checklist": "Cost Optimization Checklist", - "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "A conteinerização de um aplicativo pode melhorar a densidade da VM e economizar dinheiro no dimensionamento", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Custar" + "checklist": "Azure Application Delivery Networking", + "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", + "service": "App Gateway", + "severity": "Média", + "text": "Adicione o limite de taxa ao WAF do Gateway de Aplicativo do Azure. 
A limitação de taxa bloqueia clientes que enviam acidentalmente ou intencionalmente grandes quantidades de tráfego em um curto período de tempo.", + "waf": "Segurança" }, { - "checklist": "MySQL Review Checklist", - "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", - "service": "Azure MySQL", + "checklist": "Azure Application Delivery Networking", + "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", + "service": "App Gateway", "severity": "Média", - "text": "Aproveite o servidor flexível", - "waf": "Fiabilidade" + "text": "Use um limite alto para os limites de taxa do WAF do Gateway de Aplicativo do Azure. Limites de limite de taxa alta evitam o bloqueio de tráfego legítimo, ao mesmo tempo em que fornecem proteção contra um número extremamente alto de solicitações que podem sobrecarregar sua infraestrutura. 
", + "waf": "Segurança" }, { - "checklist": "MySQL Review Checklist", - "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", - "service": "Azure MySQL", - "severity": "Alto", - "text": "Aproveite as zonas de disponibilidade quando aplicável regionalmente", - "waf": "Fiabilidade" + "checklist": "Azure Application Delivery Networking", + "guid": "99937189-ff78-492a-b9ca-18d828d82b37", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", + "service": "App Gateway", + "severity": "Baixo", + "text": "Se você não está esperando tráfego de todas as regiões geográficas, use filtros geográficos para bloquear o tráfego de países não esperados.", + "waf": "Segurança" }, { - "checklist": "MySQL Review Checklist", - "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", - "service": "Azure MySQL", + "checklist": "Azure Application Delivery Networking", + "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", + "service": "App Gateway", "severity": "Média", - "text": "Aproveite a replicação de dados para cenários de DR entre regiões", - "waf": "Fiabilidade" + "text": "Especifique o local desconhecido (ZZ) ao filtrar geograficamente o tráfego com o WAF do Gateway de Aplicativo do Azure. 
Evite bloquear acidentalmente solicitações legítimas quando os endereços IP não puderem ser correspondidos geograficamente.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", - "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", - "service": "SAP", + "checklist": "Azure Application Delivery Networking", + "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", + "service": "App Gateway", "severity": "Média", - "text": "O Azure Center for SAP solutions (ACSS) é uma oferta do Azure que torna o SAP uma carga de trabalho de nível superior no Azure. O ACSS é uma solução de ponta a ponta que permite criar e executar sistemas SAP como uma carga de trabalho unificada no Azure e fornece uma base mais perfeita para a inovação. Você pode aproveitar os recursos de gerenciamento para sistemas SAP novos e existentes baseados no Azure.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", - "waf": "Operações" + "text": "Use a versão mais recente do conjunto de regras do WAF do Gateway de Aplicativo do Azure. 
As atualizações do conjunto de regras são atualizadas regularmente para levar em conta o cenário atual de ameaças.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", - "service": "SAP", + "checklist": "Azure Application Delivery Networking", + "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "App Gateway", "severity": "Média", - "text": "O Azure dá suporte à automação de implantações SAP no Linux e no Windows. O SAP Deployment Automation Framework é uma ferramenta de orquestração de código aberto que pode implantar, instalar e manter ambientes SAP.", - "training": "https://github.com/Azure/sap-automation", + "text": "Adicione configurações de diagnóstico para salvar seus logs WAF do Gateway de Aplicativo do Azure.", "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", - "service": "SAP", + "checklist": "Azure Application Delivery Networking", + "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "Front Door", "severity": "Média", - "text": "Executar uma recuperação point-in-time para seus bancos de dados de produção em qualquer ponto e em um período de tempo que atenda ao seu RTO; A recuperação point-in-time normalmente inclui erros do operador excluindo dados na camada DBMS ou por meio do SAP, incidentalmente", - "waf": "Fiabilidade" + "text": "Adicione configurações de diagnóstico para salvar seus logs do WAF do Azure Front Door.", + 
"waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", - "service": "SAP", + "checklist": "Azure Application Delivery Networking", + "guid": "92664c60-47e3-4591-8b1b-8d557656e686", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", + "service": "App Gateway", "severity": "Média", - "text": "Teste os tempos de backup e recuperação para verificar se eles atendem aos requisitos de RTO para restaurar todos os sistemas simultaneamente após um desastre.", - "waf": "Fiabilidade" - }, - { - "checklist": "SAP Checklist", - "guid": "b651423c-8552-42db-a545-5cb50c05527a", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "SAP", - "severity": "Alto", - "text": "Você pode replicar o armazenamento padrão entre regiões emparelhadas, mas não pode usar o armazenamento padrão para armazenar seus bancos de dados ou discos rígidos virtuais. Você pode replicar backups somente entre regiões emparelhadas que você usa. Para todos os outros dados, execute sua replicação usando recursos nativos de DBMS, como SQL Server Always On ou SAP HANA System Replication. 
Use uma combinação de Site Recovery, rsync ou robocopy e outros softwares de terceiros para a camada de aplicativos SAP.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "Fiabilidade" + "text": "Envie logs do WAF do Gateway de Aplicativo do Azure para o Microsoft Sentinel.", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", + "checklist": "Azure Application Delivery Networking", + "guid": "845f5f91-9c21-4674-a725-5ce890850e20", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "Front Door", "severity": "Média", - "text": "Ao usar as Zonas de Disponibilidade do Azure para obter alta disponibilidade, você deve considerar a latência entre servidores de aplicativos SAP e servidores de banco de dados. Para zonas com altas latências, os procedimentos operacionais precisam estar em vigor para garantir que os servidores de aplicativos SAP e os servidores de banco de dados estejam sendo executados na mesma zona o tempo todo.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", - "waf": "Fiabilidade" + "text": "Envie logs do WAF do Azure Front Door para o Microsoft Sentinel.", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "SAP", - "severity": "Alto", - "text": "Configure conexões de Rota Expressa do local para as regiões primária e secundária de recuperação de desastres do Azure. 
Além disso, como alternativa ao uso da Rota Expressa, considere configurar conexões VPN locais para as regiões primária e secundária de recuperação de desastres do Azure.",
- "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering",
- "waf": "Fiabilidade"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code",
+ "service": "App Gateway",
+ "severity": "Média",
+ "text": "Defina sua configuração do WAF do Gateway de Aplicativo do Azure como código. Usando o código, você pode adotar mais facilmente a nova versão do conjunto de regras e obter proteção adicional.",
+ "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c",
- "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
- "service": "SAP",
- "severity": "Baixo",
- "text": "Replique o conteúdo do cofre de chaves, como certificados, segredos ou chaves entre regiões, para que você possa descriptografar dados na região de recuperação de desastres.",
- "waf": "Fiabilidade"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview",
+ "service": "App Gateway",
+ "severity": "Média",
+ "text": "Use políticas de WAF em vez da configuração de WAF herdada.",
+ "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd",
- "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana",
- "service": "SAP",
- "severity": "Média",
- "text": "Emparelhar as redes virtuais primária e de recuperação de desastres. Por exemplo, para a replicação do sistema HANA, uma rede virtual SAP HANA DB precisa ser emparelhada para a rede virtual SAP HANA DB do site de recuperação de desastres.",
- "waf": "Fiabilidade"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway",
+ "service": "App Gateway",
+ "severity": "Média",
+ "text": "Filtre o tráfego de entrada nos back-ends para que eles só aceitem conexões da sub-rede do Application Gateway, por exemplo, com NSGs.",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40",
- "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels",
- "service": "SAP",
- "severity": "Baixo",
- "text": "Se você usar o armazenamento do Azure NetApp Files para suas implantações SAP, no mínimo, crie duas contas do Azure NetApp Files na camada Premium, em duas regiões.",
- "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria",
- "waf": "Fiabilidade"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1",
+ "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions",
+ "service": "Front Door",
+ "severity": "Média",
+ "text": "Certifique-se de que suas origens recebam apenas o tráfego de sua instância do Azure Front Door.",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1",
- "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows",
- "service": "SAP",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2",
+ "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview",
+ "service": "App Gateway",
 "severity": "Alto",
- "text": "A tecnologia de replicação de banco de dados nativo deve ser usada para sincronizar o banco de dados em um par de HA.",
- "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations",
- "waf": "Fiabilidade"
+ "text": "Você deve criptografar o tráfego para os servidores de back-end.",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad",
- "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq",
- "service": "SAP",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/overview",
+ "service": "App Gateway",
 "severity": "Alto",
- "text": "O CIDR da rede virtual primária (VNet) não deve entrar em conflito ou se sobrepor ao CIDR da VNet do site de recuperação de desastres",
- "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations",
- "waf": "Fiabilidade"
+ "text": "Você deve usar um Web Application Firewall.",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a",
- "service": "SAP",
- "severity": "Alto",
- "text": "Use a Recuperação de Site para replicar um servidor de aplicativos para um site de recuperação de desastres. A Recuperação de Site também pode ajudar na replicação de VMs de cluster de serviços centrais para o site de recuperação de desastres. Ao invocar o DR, você precisará reconfigurar o cluster do Linux Pacemaker no site de DR (por exemplo, substitua o VIP ou o SBD, execute o corosync.conf e muito mais).",
- "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/",
- "waf": "Fiabilidade"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2",
+ "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview",
+ "service": "App Gateway",
+ "severity": "Média",
+ "text": "Redirecionar HTTP para HTTPS",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
- "service": "SAP",
- "severity": "Alto",
- "text": "Considere a disponibilidade do software SAP em relação a pontos únicos de falha. Isso inclui pontos únicos de falha em aplicativos como SGBDs utilizados nas arquiteturas SAP NetWeaver e SAP S/4HANA, SAP ABAP e ASCS + SCS. Além disso, outras ferramentas, como o SAP Web Dispatcher.",
- "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations",
- "waf": "Fiabilidade"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f",
+ "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request",
+ "service": "App Gateway",
+ "severity": "Média",
+ "text": "Usar cookies gerenciados por gateway para direcionar o tráfego de uma sessão de usuário para o mesmo servidor para processamento",
+ "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579",
- "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations",
- "service": "SAP",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35",
+ "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings",
+ "service": "App Gateway",
 "severity": "Alto",
- "text": "Para bancos de dados SAP e SAP, considere a implementação de clusters de failover automático. No Windows, o Clustering de Failover do Windows Server oferece suporte a failover. No Linux, Linux Pacemaker ou ferramentas de terceiros como SIOS Protection Suite e Veritas InfoScale suportam failover.",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "Fiabilidade"
+ "text": "Habilite a drenagem de conexão durante as atualizações de serviço planejadas para evitar a perda de conexão com membrs existentes do pool de back-end",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320",
- "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows",
- "service": "SAP",
- "severity": "Alto",
- "text": "O Azure não oferece suporte a arquiteturas nas quais as VMs primária e secundária compartilham armazenamento para dados DBMS. Para a camada DBMS, o padrão de arquitetura comum é replicar bancos de dados ao mesmo tempo e com pilhas de armazenamento diferentes daquelas que as VMs primária e secundária usam.",
- "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations",
- "waf": "Fiabilidade"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5",
+ "link": "https://learn.microsoft.com/azure/application-gateway/custom-error",
+ "service": "App Gateway",
+ "severity": "Baixo",
+ "text": "Criar páginas de erro personalizadas para exibir uma experiência de usuário personalizada",
+ "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba",
- "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general",
- "service": "SAP",
- "severity": "Alto",
- "text": "Os dados do DBMS e os arquivos de log de transação/refazer são armazenados no armazenamento em bloco com suporte do Azure ou nos Arquivos do Azure NetApp. Os Arquivos do Azure ou os Arquivos Premium do Azure não têm suporte como armazenamento para dados DBMS e/ou arquivos de log de refazer com a carga de trabalho SAP.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads",
- "waf": "Fiabilidade"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1",
+ "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url",
+ "service": "App Gateway",
+ "severity": "Média",
+ "text": "Edite solicitações HTTP e cabeçalhos de resposta para facilitar o roteamento e a troca de informações entre o cliente e o servidor",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b",
- "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk",
- "service": "SAP",
- "severity": "Alto",
- "text": "Você pode usar discos compartilhados do Azure no Windows para componentes ASCS + SCS e cenários específicos de alta disponibilidade. Configure seus clusters de failover separadamente para componentes da camada de aplicativo SAP e a camada DBMS. No momento, o Azure não oferece suporte a arquiteturas de alta disponibilidade que combinam componentes da camada de aplicativo SAP e a camada DBMS em um cluster de failover.",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "Fiabilidade"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1",
+ "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
+ "service": "App Gateway",
+ "severity": "Média",
+ "text": "Configure o Front Door para otimizar o roteamento de tráfego global da Web e o desempenho do usuário final de nível superior e a confiabilidade por meio de failover global rápido",
+ "waf": "Desempenho"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections",
- "service": "SAP",
- "severity": "Alto",
- "text": "A maioria dos clusters de failover para ASCS (Application Layer Components, componentes da camada de aplicativo) SAP e a camada DBMS exigem um endereço IP virtual para um cluster de failover. O Balanceador de Carga do Azure deve manipular o endereço IP virtual para todos os outros casos. Um princípio de design é usar um balanceador de carga por configuração de cluster. Recomendamos que você use a versão padrão do balanceador de carga (SKU do Standard Load Balancer).",
- "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations",
- "waf": "Fiabilidade"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "29dcc19f-a8fa-4c35-8281-290577538793",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
+ "service": "App Gateway",
+ "severity": "Média",
+ "text": "Usar balanceamento de carga da camada de transporte",
+ "waf": "Desempenho"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations",
- "service": "SAP",
- "severity": "Alto",
- "text": "Verifique se o IP flutuante está habilitado no balanceador de carga",
- "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations",
- "waf": "Fiabilidade"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d",
+ "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview",
+ "service": "App Gateway",
+ "severity": "Média",
+ "text": "Configurar o roteamento com base no host ou nome de domínio para vários aplicativos Web em um único gateway",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
- "service": "SAP",
- "severity": "Alto",
- "text": "Antes de implantar sua infraestrutura de alta disponibilidade, e dependendo da região escolhida, determine se deseja implantar com um conjunto de disponibilidade do Azure ou uma zona de disponibilidade.",
- "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
- "waf": "Fiabilidade"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2",
+ "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal",
+ "service": "App Gateway",
+ "severity": "Média",
+ "text": "Centralize o gerenciamento de certificados SSL para reduzir a sobrecarga de criptografia e descriptografia de um farm de servidores back-end",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea",
- "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
- "service": "SAP",
- "severity": "Alto",
- "text": "Se desejar atender aos SLAs de infraestrutura de seus aplicativos para componentes SAP (serviços centrais, servidores de aplicativos e bancos de dados), você deverá escolher as mesmas opções de alta disponibilidade (VMs, conjuntos de disponibilidade, zonas de disponibilidade) para todos os componentes.",
- "waf": "Fiabilidade"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9",
+ "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket",
+ "service": "App Gateway",
+ "severity": "Baixo",
+ "text": "Usar o Application Gateway para suporte nativo para protocolos WebSocket e HTTP/2",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "cbe05bbe-209d-4490-ba47-778424d11678",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
- "service": "SAP",
- "severity": "Alto",
- "text": "Não misture servidores de funções diferentes no mesmo conjunto de disponibilidade. Mantenha VMs de serviços centrais, VMs de banco de dados, VMs de aplicativos em seus próprios conjuntos de disponibilidade",
- "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a",
+ "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Se necessário para cargas de trabalho do AKS Windows, os contêineres HostProcess podem ser usados",
 "waf": "Fiabilidade"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86",
- "link": "https://learn.microsoft.com/azure/virtual-machines/co-location",
- "service": "SAP",
- "severity": "Média",
- "text": "Você não pode implantar conjuntos de disponibilidade do Azure em uma zona de disponibilidade do Azure, a menos que use grupos de posicionamento de proximidade.",
- "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
- "waf": "Fiabilidade"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926",
+ "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Usar o KEDA se estiver executando cargas de trabalho orientadas a eventos",
+ "waf": "Desempenho"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "9674e7c7-7796-4181-8920-09f4429543ba",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58",
+ "link": "https://dapr.io/",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Use o Dapr para facilitar o desenvolvimento de microsserviços",
+ "waf": "Operações"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant",
+ "guid": "71d41e36-10cc-457b-9a4b-1410d4395898",
+ "link": "https://learn.microsoft.com/azure/aks/uptime-sla",
+ "service": "AKS",
 "severity": "Alto",
- "text": "Ao criar conjuntos de disponibilidade, use o número máximo de domínios de falha e atualize domínios disponíveis. Por exemplo, se você implantar mais de duas VMs em um conjunto de disponibilidade, use o número máximo de domínios de falha (três) e domínios de atualização suficientes para limitar o efeito de possíveis falhas de hardware físico, interrupções de rede ou interrupções de energia, além da manutenção planejada do Azure. O número padrão de domínios de falha é dois e você não pode alterá-lo online mais tarde.",
- "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
+ "text": "Use a oferta AKS apoiada por SLA",
 "waf": "Fiabilidade"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2",
- "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
- "service": "SAP",
- "severity": "Alto",
- "text": "Quando você usa grupos de posicionamento de proximidade do Azure em uma implantação de conjunto de disponibilidade, todos os três componentes SAP (serviços centrais, servidor de aplicativos e banco de dados) devem estar no mesmo grupo de posicionamento de proximidade.",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Usar orçamentos de interrupção em seu pod e definições de implantação",
 "waf": "Fiabilidade"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2",
- "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
- "service": "SAP",
+ "checklist": "Azure AKS Review",
+ "guid": "3c763963-7a55-42d5-a15e-401955387e5c",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication",
+ "service": "ACR",
 "severity": "Alto",
- "text": "Use um grupo de posicionamento de proximidade por SAP SID. Os grupos não se estendem por zonas de disponibilidade ou regiões do Azure",
+ "text": "Se estiver usando um registro privado, configure a replicação de região para armazenar imagens em várias regiões",
 "waf": "Fiabilidade"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
- "service": "SAP",
- "severity": "Alto",
- "text": "Use um dos seguintes serviços para executar clusters de serviços centrais SAP, dependendo do sistema operacional.",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "Fiabilidade"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Use um aplicativo externo, como kubecost, para alocar custos para diferentes usuários",
+ "waf": "Custar"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "ed46b937-913e-4018-9c62-8393ab037e53",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c",
+ "link": "https://learn.microsoft.com/azure/aks/scale-down-mode",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Usar o modo de redução para excluir/desalocar nós",
+ "waf": "Custar"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc",
+ "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance",
+ "service": "AKS",
 "severity": "Média",
- "text": "No momento, o Azure não oferece suporte à combinação de ASCS e HA de banco de dados no mesmo cluster do Linux Pacemaker; Separe-os em agrupamentos individuais. No entanto, você pode combinar até cinco clusters de serviços centrais em um par de VMs.",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "Fiabilidade"
+ "text": "Quando necessário, use a GPU de partioning de várias instâncias em clusters AKS",
+ "waf": "Custar"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "f656e745-0cfb-453e-8008-0528fa21c933",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8",
+ "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Se estiver executando um cluster de desenvolvimento/teste, use NodePool Start/Stop",
+ "waf": "Custar"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant",
+ "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1",
+ "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes",
+ "service": "AKS",
 "severity": "Média",
- "text": "Implante ambas as VMs no par de alta disponibilidade em um conjunto de disponibilidade ou em zonas de disponibilidade. Essas VMs devem ter o mesmo tamanho e a mesma configuração de armazenamento.",
- "waf": "Fiabilidade"
+ "text": "Usar a Política do Azure para Kubernetes para garantir a conformidade do cluster",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "7f684ebc-95da-425e-b329-e782dbed050f",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)",
+ "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4",
+ "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
+ "service": "AKS",
 "severity": "Média",
- "text": "O Azure oferece suporte à instalação e configuração de instâncias SAP HANA e ASCS/SCS e ERS no mesmo cluster de alta disponibilidade em execução no Red Hat Enterprise Linux (RHEL).",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "Fiabilidade"
+ "text": "Separe os aplicativos do plano de controle com pools de nós de usuário/sistema",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "07991f7d-6598-4d90-9431-45c62605d3a5",
- "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
- "service": "SAP",
- "severity": "Alto",
- "text": "Execute todos os sistemas de produção em SSDs gerenciados Premium e use o Azure NetApp Files ou o Ultra Disk Storage. Pelo menos o disco do sistema operacional deve estar na camada Premium para que você possa obter melhor desempenho e o melhor SLA.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations",
- "waf": "Fiabilidade"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea",
+ "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Adicione mancha ao seu nodepool do sistema para torná-lo dedicado",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c",
- "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage",
- "service": "SAP",
- "severity": "Alto",
- "text": "Você deve executar o SAP HANA no Azure somente nos tipos de armazenamento certificados pela SAP. Observe que determinados volumes devem ser executados em determinadas configurações de disco, quando aplicável. Essas configurações incluem a habilitação do Acelerador de Gravação e o uso do armazenamento Premium. Você também precisa garantir que o sistema de arquivos executado no armazenamento seja compatível com o DBMS executado na máquina.",
- "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations",
- "waf": "Fiabilidade"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf",
+ "link": "https://learn.microsoft.com/azure/container-registry/",
+ "service": "AKS",
+ "severity": "Média",
+ "text": "Usar um registro privado para suas imagens, como o ACR",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c",
- "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage",
- "service": "SAP",
- "severity": "Alto",
- "text": "Considere configurar a alta disponibilidade dependendo do tipo de armazenamento usado para suas cargas de trabalho SAP. Alguns serviços de armazenamento disponíveis no Azure não têm suporte no Azure Site Recovery, portanto, sua configuração de alta disponibilidade pode ser diferente.",
- "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads",
- "waf": "Fiabilidade"
+ "checklist": "Azure AKS Review",
+ "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6",
+ "link": "https://learn.microsoft.com/azure/security-center/container-security",
+ "service": "ACR",
+ "severity": "Média",
+ "text": "Analise suas imagens em busca de vulnerabilidades",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693",
- "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation",
+ "service": "AKS",
 "severity": "Alto",
- "text": "Diferentes serviços de armazenamento nativos do Azure (como Arquivos do Azure, Arquivos do Azure NetApp, Disco Compartilhado do Azure) podem não estar disponíveis em todas as regiões. Portanto, para ter uma configuração SAP semelhante na região de DR após o failover, certifique-se de que o respectivo serviço de armazenamento seja oferecido no local de DR.",
- "waf": "Fiabilidade"
+ "text": "Definir requisitos de separação de aplicativos (namespace/nodepool/cluster)",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60",
- "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e",
+ "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure",
+ "service": "AKS",
 "severity": "Média",
- "text": "Automatize o Start-Stop do sistema SAP para gerenciar custos.",
- "waf": "Custar"
+ "text": "Armazene seus segredos no Cofre de Chaves do Azure com o driver do CSI Secrets Store",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "71dc00cd-4392-4262-8949-20c05e6c0333",
- "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
- "service": "SAP",
- "severity": "Baixo",
- "text": "No caso de usar o Armazenamento Premium do Azure com o SAP HANA, o armazenamento SSD padrão do Azure pode ser usado para selecionar uma solução de armazenamento econômica. No entanto, observe que escolher o armazenamento padrão SSD ou HDD padrão do Azure afetará o SLA das VMs individuais. Além disso, para sistemas com menor taxa de transferência de E/S e baixa latência, como ambientes que não são de produção, VMs de série mais baixa podem ser usadas.",
- "waf": "Custar"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66",
+ "link": "https://learn.microsoft.com/azure/aks/update-credentials",
+ "service": "AKS",
+ "severity": "Alto",
+ "text": "Se estiver usando entidades de serviço para o cluster, atualize as credenciais periodicamente (como trimestralmente)",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "9877f353-2591-4e8b-8381-e9043fed1010",
- "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
- "service": "SAP",
- "severity": "Baixo",
- "text": "Como uma configuração alternativa de baixo custo (multiuso), você pode escolher uma SKU de baixo desempenho para suas VMs de servidor de banco de dados HANA que não são de produção. No entanto, é importante observar que alguns tipos de VM, como a série E, não são certificados pelo HANA (SAP HANA Hardware Directory) ou não podem atingir latência de armazenamento inferior a 1ms.",
- "waf": "Custar"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "e7ba73a3-0508-4f80-806f-527db30cee96",
+ "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption",
+ "service": "AKS",
+ "severity": "Média",
+ "text": "Se necessário, adicione criptografia etcd do Serviço de Gerenciamento de Chaves",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565",
- "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security",
- "service": "SAP",
- "severity": "Alto",
- "text": "Impor um modelo RBAC para grupos de gerenciamento, assinaturas, grupos de recursos e recursos",
- "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31",
+ "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Se necessário, considere o uso de computação confidencial para AKS",
 "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "45911475-e39e-4530-accc-d979366bcda2",
- "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable",
+ "service": "AKS",
 "severity": "Média",
- "text": "Impor a propagação principal para encaminhar a identidade do aplicativo de nuvem SAP para o SAP local (incluindo IaaS) por meio do conector de nuvem",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control",
+ "text": "Considere o uso do Defender for Containers",
 "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5",
- "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
- "service": "SAP",
- "severity": "Média",
- "text": "Implemente SSO em aplicativos SAP SaaS como SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics e SAP C4C com o Azure AD usando SAML.",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant",
+ "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a",
+ "link": "https://learn.microsoft.com/azure/aks/use-managed-identity",
+ "service": "AKS",
+ "severity": "Alto",
+ "text": "Usar identidades gerenciadas em vez de entidades de serviço",
 "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant",
+ "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad",
+ "service": "AKS",
 "severity": "Média",
- "text": "Implemente SSO em aplicativos Web baseados no SAP NetWeaver, como SAP Fiori e SAP Web GUI, usando SAML.",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
+ "text": "Integrar autenticação com AAD (usando a integração gerenciada)",
 "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1",
- "service": "SAP",
- "severity": "Média",
- "text": "Implemente SSO em aplicativos Web baseados no SAP NetWeaver, como SAP Fiori e SAP Web GUI, usando SAML.",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "a2fe27b2-e287-401a-8352-beedf79b488d",
+ "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access",
+ "service": "AKS",
+ "severity": "Média",
+ "text": "Limitar o acesso ao admin kubeconfig (get-credentials --admin)",
 "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3",
+ "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac",
+ "service": "AKS",
 "severity": "Média",
- "text": "Você pode implementar o SSO no SAP GUI usando o SAP NetWeaver SSO ou uma solução de parceiro.",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
+ "text": "Integrar autorização com AAD RBAC",
 "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317",
- "service": "SAP",
- "severity": "Média",
- "text": "Para SSO para SAP GUI e acesso ao navegador web, implemente SNC / Kerberos / SPNEGO (mecanismo de
negociação GSSAPI simples e protegido) devido a sua facilidade de configuração e manutenção. Para SSO com certificados de cliente X.509, considere o SAP Secure Login Server, que é um componente da solução SAP SSO.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", + "service": "AKS", + "severity": "Alto", + "text": "Usar namespaces para restringir o privilégio RBAC no Kubernetes", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", - "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", + "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", + "service": "AKS", "severity": "Média", - "text": "Para SSO para SAP GUI e acesso ao navegador web, implemente SNC / Kerberos / SPNEGO (mecanismo de negociação GSSAPI simples e protegido) devido a sua facilidade de configuração e manutenção. 
Para SSO com certificados de cliente X.509, considere o SAP Secure Login Server, que é um componente da solução SAP SSO.", + "text": "Para o Gerenciamento de Acesso à Identidade de Pod, use a Identidade de Carga de Trabalho do Azure AD (visualização)", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "16785d6f-a96c-496a-b885-18f482734c88", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", + "service": "AKS", "severity": "Média", - "text": "Implemente o SSO usando o OAuth for SAP NetWeaver para permitir que aplicativos de terceiros ou personalizados acessem os serviços OData do SAP NetWeaver.", + "text": "Para logins não interativos do AKS, use kubelogin (visualização)", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "a747c350-8d4c-449c-93af-393dbca77c48", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", + "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", + "service": "AKS", "severity": "Média", - "text": "Implementar SSO no SAP HANA", + "text": "Desativar contas locais do AKS", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", - 
"service": "SAP", - "severity": "Média", - "text": "Considere o Azure AD um provedor de identidade para sistemas SAP hospedados no RISE. Para obter mais informações, consulte Integrando o serviço ao Azure AD.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "Baixo", + "text": "Configurar, se necessário, o acesso ao cluster just-in-time", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", - "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", - "service": "SAP", - "severity": "Média", - "text": "Para aplicativos que acessam o SAP, convém usar a propagação principal para estabelecer o SSO.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "Baixo", + "text": "Configurar, se necessário, o acesso condicional do AAD para AKS", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", - "service": "SAP", - "severity": "Média", - "text": "Se você estiver usando serviços SAP BTP ou soluções SaaS que exigem o SAP Identity Authentication Service (IAS), considere implementar SSO entre o SAP Cloud Identity Authentication Services e o Azure AD para acessar esses serviços SAP. 
Essa integração permite que o SAP IAS atue como um provedor de identidade de proxy e encaminhe solicitações de autenticação para o Azure AD como o repositório central do usuário e o provedor de identidade.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", + "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", + "service": "AKS", + "severity": "Baixo", + "text": "Se necessário para cargas de trabalho do Windows AKS, configure o gMSA ", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", + "service": "AKS", "severity": "Média", - "text": "Implementar SSO no SAP BTP", + "text": "Para um controle mais fino, considere usar uma Identidade Kubelet gerenciada", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", + "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", + "service": "AKS", "severity": "Média", - "text": "Se você estiver usando o SAP SuccessFactors, considere usar o provisionamento automatizado de usuários do Azure AD. 
Com essa integração, à medida que você adiciona novos funcionários ao SAP SuccessFactors, pode criar automaticamente suas contas de usuário no Azure AD. Opcionalmente, você pode criar contas de usuário no Microsoft 365 ou em outros aplicativos SaaS com suporte no Azure AD. Use write-back do endereço de e-mail para SAP SuccessFactors.", - "waf": "Segurança" + "text": "Se estiver usando AGIC, não compartilhe um AppGW entre clusters", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "6ba28021-4591-4147-9e39-e5309cccd979", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", + "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", + "link": "https://learn.microsoft.com/azure/aks/http-application-routing", + "service": "AKS", + "severity": "Alto", + "text": "Não use AKS HTTP Routing Add-On, use em vez disso a entrada NGINX gerenciada com o complemento de roteamento de aplicativo.", + "waf": "Fiabilidade" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", + "service": "AKS", "severity": "Média", - "text": "impor políticas existentes do Grupo de Gerenciamento às assinaturas SAP", - "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", - "waf": "Operações" + "text": "Para cargas de trabalho do Windows, use a Rede Acelerada", + "waf": "Desempenho" }, { 
- "checklist": "SAP Checklist", - "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", + "guid": "ba7da7be-9952-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "severity": "Alto", - "text": "Integre aplicativos fortemente acoplados na mesma assinatura SAP para evitar complexidade adicional de roteamento e gerenciamento", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", - "waf": "Operações" + "text": "Use o ALB padrão (em oposição ao básico)", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", - "severity": "Alto", - "text": "Aproveite a assinatura como unidade de escala e dimensione nossos recursos, considere implantar a assinatura por ambiente, por exemplo. 
Sandbox, não-prod, prod ", - "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", - "waf": "Operações" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", + "service": "AKS", + "severity": "Média", + "text": "Se estiver usando o CNI do Azure, considere usar sub-redes diferentes para NodePools", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", - "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", - "service": "SAP", - "severity": "Alto", - "text": "Garantir o aumento da cota como parte do provisionamento de assinatura (por exemplo, total de núcleos de VM disponíveis em uma assinatura)", - "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "waf": "Operações" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", + "service": "AKS", + "severity": "Média", + "text": "Usar Pontos de Extremidade Privados (preferencial) ou Pontos de Extremidade de Serviço de Rede Virtual para acessar serviços de PaaS do cluster", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", - "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", - "service": "SAP", - "severity": "Baixo", - "text": "A API de Cota é uma API REST que você pode usar para exibir e gerenciar cotas para serviços do Azure. 
Considere usá-lo, se necessário.", - "waf": "Operações" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", + "guid": "a0f61565-9de5-458f-a372-49c831112dbd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", + "severity": "Alto", + "text": "Escolha o melhor plug-in de rede CNI para seus requisitos (Azure CNI recomendado)", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", - "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "severity": "Alto", - "text": "Se estiver implantando em uma zona de disponibilidade, verifique se a implantação da zona da VM estará disponível depois que a cota for aprovada. 
Envie uma solicitação de suporte com a assinatura, a série VM, o número de CPUs e a zona de disponibilidade necessárias.", - "waf": "Operações" + "text": "Se estiver usando o Azure CNI, dimensione sua sub-rede de acordo considerando o número máximo de pods por nó", + "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "e6e20617-3686-4af4-9791-f8935ada4332", - "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "severity": "Alto", - "text": "Certifique-se de que os serviços e recursos necessários estejam disponíveis nas regiões de implantação escolhidas, por exemplo. ANF, Zona etc.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", - "waf": "Operações" + "text": "Se estiver usando o Azure CNI, verifique o máximo de pods/nó (padrão 30)", + "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", - "service": "SAP", - "severity": "Média", - "text": "Aproveite a marca de recurso do Azure para categorização de custos e agrupamento de recursos (: BillTo, Departamento (ou Unidade de Negócios), Ambiente (Produção, Estágio, Desenvolvimento), Camada (Camada da Web, Camada de Aplicativo), Proprietário do Aplicativo, ProjectName)", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", - "waf": "Operações" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "Para aplicativos internos, as organizações geralmente abrem 
toda a sub-rede AKS em seus firewalls. Isso abre o acesso de rede para os nós também e, potencialmente, para os pods também (se estiver usando o Azure CNI). Se os IPs do LoadBalancer estiverem em uma sub-rede diferente, somente este precisará estar disponível para os clientes do aplicativo. Outra razão é que, se os endereços IP na sub-rede AKS são um recurso escasso, consumir seus endereços IP para serviços reduzirá a escalabilidade máxima do cluster.", + "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", + "link": "https://learn.microsoft.com/azure/aks/internal-lb", + "service": "AKS", + "severity": "Baixo", + "text": "Se estiver usando serviços LoadBalancer de IP privado, use uma sub-rede dedicada (não a sub-rede AKS)", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "severity": "Alto", - "text": "Ajude a proteger seu banco de dados HANA usando o serviço de Backup do Azure.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", + "text": "Dimensione o intervalo de endereços IP do serviço de acordo (isso limitará a escalabilidade do cluster)", "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", - "service": "SAP", - "severity": "Média", - "text": "Se você implantar os Arquivos NetApp do Azure para seu banco de dados HANA, Oracle ou DB2, use a ferramenta Azure Application Consistent Snapshot (AzAcSnap) para tirar instantâneos consistentes com o 
aplicativo. O AzAcSnap também suporta bancos de dados Oracle. Considere usar o AzAcSnap em uma VM central em vez de em VMs individuais.", - "waf": "Fiabilidade" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", + "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", + "service": "AKS", + "severity": "Baixo", + "text": "Se necessário, adicione seu próprio plugin CNI", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", - "severity": "Alto", - "text": "Garanta as correspondências de fuso horário entre o sistema operacional e o sistema SAP.", - "waf": "Operações" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", + "service": "AKS", + "severity": "Baixo", + "text": "Se necessário, configure o IP público por nó no AKS", + "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "c3c7abc0-716c-4486-893c-40e181d65539", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", + "link": "https://learn.microsoft.com/azure/aks/concepts-network", + "service": "AKS", "severity": "Média", - "text": "Não agrupe serviços de aplicativos diferentes no mesmo cluster. Por exemplo, não combine clusters DRBD e de serviços centrais no mesmo cluster. 
No entanto, você pode usar o mesmo cluster do Pacemaker para gerenciar aproximadamente cinco serviços centrais diferentes (cluster multi-SID).", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "text": "Usar um controlador de entrada para expor aplicativos baseados na Web em vez de expô-los com serviços do tipo LoadBalancer", "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "a491dfc4-9353-4213-9217-eef0949f9467", - "link": "https://azure.microsoft.com/pricing/offers/dev-test/", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", + "link": "https://learn.microsoft.com/azure/aks/nat-gateway", + "service": "AKS", "severity": "Baixo", - "text": "Considere executar sistemas de desenvolvimento/teste em um modelo de soneca para economizar e otimizar os custos de execução do Azure.", - "waf": "Custar" - }, - { - "checklist": "SAP Checklist", - "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", - "link": "https://learn.microsoft.com/azure/lighthouse/overview", - "service": "SAP", - "severity": "Média", - "text": "Se você faz parceria com clientes gerenciando suas propriedades SAP, considere o Farol do Azure. O Azure Lighthouse permite que os provedores de serviços gerenciados usem os serviços de identidade nativos do Azure para se autenticar no ambiente dos clientes. 
Ele coloca o controle nas mãos dos clientes, porque eles podem revogar o acesso a qualquer momento e auditar as ações dos prestadores de serviços.", - "waf": "Operações" + "text": "Usar o Gateway NAT do Azure como outboundType para dimensionar o tráfego de saída", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "4d116785-d2fa-456c-96ad-48408fe72734", - "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", + "service": "AKS", "severity": "Média", - "text": "Use o Azure Update Manager para verificar o status das atualizações disponíveis para uma única VM ou várias VMs e considere agendar patches regulares.", - "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", - "waf": "Operações" + "text": "Usar alocações dinâmicas de IPs para evitar o esgotamento de IP do CNI do Azure", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", - "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", - "service": "SAP", - "severity": "Baixo", - "text": "Otimize e gerencie as operações do SAP Basis usando o SAP Landscape Management (LaMa). 
Use o conector SAP LaMa para Azure para realocar, copiar, clonar e atualizar sistemas SAP.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", - "waf": "Operações" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", + "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", + "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", + "service": "AKS", + "severity": "Alto", + "text": "Filtre o tráfego de saída com AzFW/NVA se seus requisitos de segurança exigirem", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "14591147-5e39-4e53-89cc-cd979366bcda", - "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", + "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", + "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", + "service": "AKS", "severity": "Média", - "text": "Use as soluções do Azure Monitor for SAP para monitorar suas cargas de trabalho SAP (SAP HANA, clusters SUSE de alta disponibilidade e sistemas SQL) no Azure. 
Considere complementar o Azure Monitor para soluções SAP com o SAP Solution Manager.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "Operações" + "text": "Se estiver usando um ponto de extremidade de API público, restrinja os endereços IP que podem acessá-lo", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", - "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", + "link": "https://learn.microsoft.com/azure/aks/private-clusters", + "service": "AKS", "severity": "Alto", - "text": "Execute uma verificação de extensão de VM para SAP. A Extensão de VM para SAP usa a identidade gerenciada atribuída de uma máquina virtual (VM) para acessar dados de monitoramento e configuração de VM. 
A verificação garante que todas as métricas de desempenho em seu aplicativo SAP venham da Extensão do Azure para SAP subjacente.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", - "waf": "Operações" + "text": "Use clusters privados se seus requisitos exigirem", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "severity": "Média", - "text": "Use a Política do Azure para controle de acesso e relatórios de conformidade. A Política do Azure fornece a capacidade de impor configurações em toda a organização para garantir a adesão consistente à política e a detecção rápida de violações. ", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "Operações" + "text": "Para os nós AKS do Windows 2019 e 2022, as Diretivas de Rede Calico podem ser usadas ", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", - "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", - "service": "SAP", - "severity": "Média", - "text": "Use o Monitor de Conexão no Inspetor de Rede do Azure para monitorar métricas de latência para bancos de dados SAP e servidores de aplicativos. 
Ou colete e exiba medições de latência de rede usando o Azure Monitor.",
- "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979",
- "waf": "Operações"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant",
+ "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a",
+ "link": "https://learn.microsoft.com/azure/aks/use-network-policies",
+ "service": "AKS",
+ "severity": "Alto",
+ "text": "Habilitar uma opção de Política de Rede do Kubernetes (Calico/Azure)",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "73686af4-6791-4f89-95ad-a43324e13811",
- "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck",
- "service": "SAP",
- "severity": "Média",
- "text": "Execute uma verificação de qualidade para o SAP HANA na infraestrutura provisionada do Azure para verificar se as VMs provisionadas estão em conformidade com as práticas recomendadas do SAP HANA no Azure.",
- "waf": "Operações"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
+ "service": "AKS",
+ "severity": "Alto",
+ "text": "Usar diretivas de rede do Kubernetes para aumentar a segurança intra-cluster",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "616785d6-fa96-4c96-ad88-518f482734c8",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
+ "service": "AKS",
 "severity": "Alto",
- "text": "Para cada assinatura do Azure, execute um teste de latência nas zonas de disponibilidade do Azure antes da implantação zonal para escolher zonas de baixa latência para implantação do SAP no Azure.",
- "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
- "waf": "Desempenho"
+ "text": "Usar um WAF para cargas de trabalho da Web (UIs ou APIs)",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "410adcba-db46-424f-a6c4-05ecde75c52e",
- "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
+ "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94",
+ "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview",
+ "service": "AKS",
 "severity": "Média",
- "text": "Execute o Relatório de Resiliência para garantir que a configuração de toda a infraestrutura provisionada do Azure (Computação, Banco de Dados, Rede, Armazenamento, Recuperação de Site) esteja em conformidade com a configuração definida pelo Cloud Adaption Framework para Azure.",
- "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/",
- "waf": "Fiabilidade"
+ "text": "Usar DDoS Standard na Rede Virtual AKS",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "86ba2802-1459-4114-95e3-9e5309cccd97",
- "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
+ "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266",
+ "link": "https://learn.microsoft.com/azure/aks/http-proxy",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Se necessário, adicione o proxy HTTP da empresa",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b",
+ "link": "https://learn.microsoft.com/azure/aks/servicemesh-about",
+ "service": "AKS",
 "severity": "Média",
- "text": "Implemente a proteção contra ameaças usando a solução Microsoft Sentinel para SAP. Use esta solução para monitorar seus sistemas SAP e detectar ameaças sofisticadas em toda a lógica de negócios e camadas de aplicativos.",
- "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations",
+ "text": "Considere o uso de uma malha de serviço para gerenciamento avançado de comunicação de microsserviços",
 "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c",
- "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
- "service": "SAP",
- "severity": "Média",
- "text": "A marcação do Azure pode ser aproveitada para agrupar e controlar recursos logicamente, automatizar suas implantações e, o mais importante, fornecer visibilidade sobre os custos incorridos.",
- "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
+ "service": "AKS",
+ "severity": "Alto",
+ "text": "Configurar alertas nas métricas mais críticas (consulte Insights de contêiner para obter recomendações)",
+ "waf": "Operações"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "337453a3-cc63-4963-9a65-22ac19e80696",
+ "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Verifique regularmente o Azure Advisor para obter recomendações sobre o seu cluster",
+ "waf": "Operações"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced",
+ "link": "https://learn.microsoft.com/azure/aks/certificate-rotation",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Habilitar a rotação automática do certificado AKS",
 "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows",
- "service": "SAP",
- "severity": "Baixo",
- "text": "Use o monitoramento de latência entre VMs para aplicativos sensíveis à latência.",
- "waf": "Desempenho"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370",
+ "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions",
+ "service": "AKS",
+ "severity": "Alto",
+ "text": "Tenha um processo regular para atualizar sua versão do kubernetes periodicamente (trimestralmente, por exemplo), ou use o recurso de atualização automática do AKS",
+ "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba",
- "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
- "service": "SAP",
- "severity": "Média",
- "text": "Use o monitoramento do Azure Site Recovery para manter a integridade do serviço de recuperação de desastres para servidores de aplicativos SAP.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations",
- "waf": "Fiabilidade"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82",
+ "link": "https://learn.microsoft.com/azure/aks/node-updates-kured",
+ "service": "AKS",
+ "severity": "Alto",
+ "text": "Use kured para atualizações de nó do Linux caso você não esteja usando a atualização de imagem de nó",
+ "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
- "service": "SAP",
- "severity": "Média",
- "text": "Exclua todos os sistemas de arquivos de banco de dados e programas executáveis das verificações antivírus. Incluí-los pode levar a problemas de desempenho. Verifique com os fornecedores do banco de dados para obter detalhes prescritivos na lista de exclusão. Por exemplo, a Oracle recomenda excluir /oracle//sapdata das verificações antivírus.",
- "waf": "Desempenho"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "139c9580-ade3-426a-ba09-cf157d9f6477",
+ "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade",
+ "service": "AKS",
+ "severity": "Alto",
+ "text": "Tenha um processo regular para atualizar as imagens do nó do cluster periodicamente (semanalmente, por exemplo)",
+ "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "c027f893-f404-41a9-b33d-39d625a14964",
- "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments",
+ "service": "AKS",
 "severity": "Baixo",
- "text": "Considere a coleta de estatísticas completas de banco de dados para bancos de dados não-HANA após a migração. Por exemplo, implemente a nota SAP 1020260 - Entrega de estatísticas Oracle.",
- "waf": "Desempenho"
+ "text": "Considere gitops para implantar aplicativos ou configuração de cluster em vários clusters",
+ "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e",
- "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm",
- "service": "SAP",
- "severity": "Média",
- "text": "Considere o uso do Oracle Automatic Storage Management (ASM) para todas as implantações Oracle que usam SAP no Azure.",
- "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations",
- "waf": "Desempenho"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "d7672c26-7602-4482-85a4-14527fbe855c",
+ "link": "https://learn.microsoft.com/azure/aks/command-invoke",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Considere o uso do comando AKS invoke em clusters privados",
+ "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e",
- "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178",
- "service": "SAP",
- "severity": "Média",
- "text": "Para SAP no Azure executando Oracle, uma coleção de scripts SQL pode ajudá-lo a diagnosticar problemas de desempenho. Os relatórios do Automatic Workload Repository (AWR) contêm informações valiosas para diagnosticar problemas no sistema Oracle. Recomendamos que você execute um relatório AWR durante várias sessões e escolha horários de pico para ele, para garantir uma ampla cobertura para a análise.",
- "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency",
- "waf": "Desempenho"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b",
+ "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Para eventos planejados, considere o uso do Dreno Automático de Nó",
+ "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c",
- "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c",
+ "link": "https://learn.microsoft.com/azure/aks/faq",
+ "service": "AKS",
 "severity": "Alto",
- "text": "Use o monitoramento do Azure Site Recovery para manter a integridade do serviço de recuperação de desastres para servidores de aplicativos SAP.",
- "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
+ "text": "Desenvolver práticas próprias de governança para garantir que nenhuma alteração seja realizada pelos operadores no nó RG (também conhecido como 'infra RG')",
 "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
- "service": "SAP",
- "severity": "Média",
- "text": "Para a entrega segura de aplicativos HTTP/S, use o Application Gateway v2 e verifique se a proteção e as políticas do WAF estão habilitadas.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/",
- "waf": "Segurança"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
- "service": "SAP",
- "severity": "Média",
- "text": "Se o DNS ou o nome virtual da máquina virtual não for alterado durante a migração para o Azure, o DNS em segundo plano e os nomes virtuais conectam muitas interfaces do sistema no cenário SAP, e os clientes só às vezes estão cientes das interfaces que os desenvolvedores definem ao longo do tempo. Surgem desafios de conexão entre vários sistemas quando os nomes virtuais ou DNS mudam após as migrações, e é recomendável manter os aliases DNS para evitar esses tipos de dificuldades.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant",
+ "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812",
+ "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Use o nome personalizado do Node RG (também conhecido como 'Infra RG')",
 "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32",
+ "link": "https://kubernetes.io/docs/setup/release/notes/",
+ "service": "AKS",
 "severity": "Média",
- "text": "Use zonas DNS diferentes para distinguir cada ambiente (sandbox, desenvolvimento, pré-produção e produção) um do outro. A exceção é para implantações SAP com sua própria VNet; aqui, zonas DNS privadas podem não ser necessárias.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
+ "text": "Não use APIs do Kubernetes preteridas em seus manifestos do YAML",
 "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a3592829-e6e2-4061-9368-6af46791f893",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview",
- "service": "SAP",
- "severity": "Média",
- "text": "Emparelhamento de rede virtual local e global fornecem conectividade e são as abordagens preferidas para garantir a conectividade entre zonas de aterrissagem para implantações SAP em várias regiões do Azure",
- "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations",
- "waf": "Fiabilidade"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed",
+ "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Manchar os nós do Windows",
+ "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf",
- "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide",
- "service": "SAP",
- "severity": "Alto",
- "text": "Não há suporte para implantar qualquer NVA entre o aplicativo SAP e o servidor de banco de dados SAP",
- "training": "https://me.sap.com/notes/2731110",
- "waf": "Desempenho"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e",
+ "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Mantenha o nível de patch dos contêineres do Windows sincronizado com o nível do patch do host",
+ "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3",
- "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations",
- "service": "SAP",
- "severity": "Média",
- "text": "Use a WAN Virtual para implantações do Azure em redes novas, grandes ou globais onde você precisa de conectividade de trânsito global entre regiões do Azure e locais locais. Com essa abordagem, você não precisará configurar manualmente o roteamento transitivo para a rede do Azure e poderá seguir um padrão para implantações do SAP no Azure.",
- "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "description": "Por meio de Configurações de Diagnóstico no nível do cluster",
+ "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5",
+ "link": "https://learn.microsoft.com/azure/aks/monitor-aks",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Envie logs mestre (também conhecidos como logs de API) para o Azure Monitor ou sua solução de gerenciamento de logs preferida",
 "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3",
- "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability",
- "service": "SAP",
- "severity": "Média",
- "text": "Considere a implantação de dispositivos virtuais de rede (NVAs) entre regiões somente se NVAs de parceiros forem usados. NVAs entre regiões ou VNets não são necessários se NVAs nativos estiverem presentes. Ao implantar tecnologias de rede de parceiros e NVAs, siga as orientações do fornecedor para verificar configurações conflitantes com a rede do Azure.",
- "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations",
- "waf": "Operações"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21",
+ "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Se necessário, use instantâneos do nodePool",
+ "waf": "Custar"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd",
- "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture",
- "service": "SAP",
- "severity": "Média",
- "text": "A WAN virtual gerencia a conectividade entre VNets spoke para topologias baseadas em WAN virtual (não há necessidade de configurar o roteamento definido pelo usuário [UDR] ou NVAs), e a taxa de transferência máxima de rede para o tráfego de VNet-to-VNet no mesmo hub virtual é de 50 gigabits por segundo. Se necessário, as zonas de aterrissagem SAP podem usar o emparelhamento de VNet para se conectar a outras zonas de aterrissagem e superar essa limitação de largura de banda.",
- "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0",
+ "link": "https://learn.microsoft.com/azure/aks/spot-node-pool",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Considere pools de nós spot para cargas de trabalho não sensíveis ao tempo",
 "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "82734c88-6ba2-4802-8459-11475e39e530",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "SAP",
- "severity": "Alto",
- "text": "A atribuição de IP público à VM que executa o SAP Workload não é recomendada.",
- "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations",
- "waf": "Segurança"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant",
+ "guid": "c755562f-2b4e-4456-9b4d-874a748b662e",
+ "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Considere o nó virtual AKS para intermitência rápida",
+ "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d",
- "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
+ "service": "AKS",
 "severity": "Alto",
- "text": "Considere reservar o endereço IP no lado do DR ao configurar o ASR",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "text": "Monitore suas métricas de cluster com o Container Insights (ou outras ferramentas como o Prometheus)",
 "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant",
+ "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
+ "service": "AKS",
 "severity": "Alto",
- "text": "Evite usar intervalos de endereços IP sobrepostos para sites de produção e DR.",
- "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations",
+ "text": "Armazene e analise seus logs de cluster com o Container Insights (ou outras ferramentas como Telegraf/ElasticSearch)",
 "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "6e154e3a-a359-4282-ae6e-206173686af4",
- "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze",
+ "service": "AKS",
 "severity": "Média",
- "text": "Embora o Azure ajude você a criar várias sub-redes delegadas em uma rede virtual, apenas uma sub-rede delegada pode existir em uma rede virtual para arquivos do Azure NetApp. As tentativas de criar um novo volume falharão se você usar mais de uma sub-rede delegada para Arquivos do Azure NetApp.",
- "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations",
+ "text": "Monitorar a utilização da CPU e da memória dos nós",
 "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a",
- "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json",
- "service": "SAP",
- "severity": "Média",
- "text": "Usar o Firewall do Azure para controlar o tráfego de saída do Azure para a Internet, conexões de entrada não HTTP/S e filtragem de tráfego Leste/Oeste (se a organização exigir)",
- "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/",
- "waf": "Segurança"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324",
- "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure",
- "service": "SAP",
- "severity": "Média",
- "text": "O Application Gateway e o Web Application Firewall têm limitações quando o Application Gateway serve como um proxy reverso para aplicativos Web SAP, conforme mostrado na comparação entre o Application Gateway, o SAP Web Dispatcher e outros serviços de terceiros.",
- "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html",
- "waf": "Segurança"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "SAP",
- "severity": "Média",
- "text": "Use as políticas do Azure Front Door e do WAF para fornecer proteção global entre as regiões do Azure para conexões HTTP/S de entrada para uma zona de aterrissagem.",
- "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/",
- "waf": "Segurança"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "1a4835ac-9422-423e-ae80-b123081a5417",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
+ "service": "AKS",
 "severity": "Média",
- "text": "Aproveite as políticas do Web Application Firewall no Azure Front Door quando estiver usando o Azure Front Door e o Application Gateway para proteger aplicativos HTTP/S. Bloqueie o Gateway de Aplicativo para receber tráfego somente do Azure Front Door.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations",
- "waf": "Segurança"
+ "text": "Se estiver usando o Azure CNI, monitore a % de IPs de pod consumidos por nó",
+ "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5ada4332-4e13-4811-9231-81aa41742694",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "description": "A E/S no disco do sistema operacional é um recurso crítico. Se o sistema operacional nos nós for limitado na E/S, isso pode levar a um comportamento imprevisível, geralmente terminando no nó sendo declarado NotReady",
+ "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance",
+ "service": "AKS",
 "severity": "Média",
- "text": "Use um firewall de aplicativo Web para verificar seu tráfego quando ele estiver exposto à Internet. Outra opção é usá-lo com seu balanceador de carga ou com recursos que tenham recursos internos de firewall, como o Application Gateway ou soluções de terceiros.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations",
- "waf": "Segurança"
+ "text": "Monitorar a profundidade da fila de disco do sistema operacional nos nós",
+ "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde",
- "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "be209d39-fda4-4777-a424-d116785c2fa5",
+ "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
+ "service": "AKS",
 "severity": "Média",
- "text": "Use a WAN Virtual para implantações do Azure em redes novas, grandes ou globais onde você precisa de conectividade de trânsito global entre regiões do Azure e locais locais. Com essa abordagem, você não precisará configurar manualmente o roteamento transitivo para a rede do Azure e poderá seguir um padrão para implantações do SAP no Azure.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door",
- "waf": "Desempenho"
+ "text": "Se não estiver usando filtragem de saída com AzFW/NVA, monitore as portas SNAT ALB alocadas padrão",
+ "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0",
- "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9",
+ "link": "https://learn.microsoft.com/azure/aks/aks-resource-health",
+ "service": "AKS",
 "severity": "Média",
- "text": "Para evitar o vazamento de dados, use o Link Privado do Azure para acessar com segurança recursos de plataforma como serviço, como Armazenamento de Blobs do Azure, Arquivos do Azure, Azure Data Lake Storage Gen2, Azure Data Factory e muito mais. O Ponto de Extremidade Privado do Azure também pode ajudar a proteger o tráfego entre VNets e serviços como o Armazenamento do Azure, o Backup do Azure e muito mais. O tráfego entre sua rede virtual e o serviço habilitado para ponto de extremidade privado viaja pela rede global da Microsoft, o que impede sua exposição à Internet pública.",
- "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations",
- "waf": "Segurança"
+ "text": "Assine as notificações de integridade de recursos para seu cluster AKS",
+ "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a",
- "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
+ "service": "AKS",
 "severity": "Alto",
- "text": "Verifique se a rede acelerada do Azure está habilitada nas VMs usadas nas camadas de aplicativo SAP e DBMS.",
- "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations",
- "waf": "Desempenho"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview",
- "service": "SAP",
- "severity": "Média",
- "text": "Verifique se as implantações internas do Azure Load Balancer estão configuradas para usar DSR (Direct Server Return). Essa configuração (Habilitando IP flutuante) reduzirá a latência quando as configurações internas do balanceador de carga forem usadas para configurações de alta disponibilidade na camada DBMS.",
- "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations",
- "waf": "Segurança"
+ "text": "Configurar solicitações e limites nas especificações do pod",
+ "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "6791f893-5ada-4433-84e1-3811523181aa",
- "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "769ef669-1a48-435a-a942-223ece80b123",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
+ "service": "AKS",
 "severity": "Média",
- "text": "Você pode usar as regras ASG (grupo de segurança de aplicativo) e NSG para definir listas de controle de acesso de segurança de rede entre o aplicativo SAP e as camadas DBMS. Os ASGs agrupam máquinas virtuais para ajudar a gerenciar sua segurança.",
- "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations",
- "waf": "Segurança"
+ "text": "Impor cotas de recursos para namespaces",
+ "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "45bbe609-d8a0-43e9-9778-424d616785d6",
- "link": "https://me.sap.com/notes/2015553",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "081a5417-4158-433e-a3ad-3c2de733165c",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "service": "AKS",
 "severity": "Alto",
- "text": "Não há suporte para a colocação da camada de aplicativo SAP e do SGBD SAP em diferentes VNets do Azure que não são emparelhadas.",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
- "waf": "Desempenho"
+ "text": "Verifique se sua assinatura tem cota suficiente para expandir seus nodepools",
+ "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "fa96c96a-d885-418f-9827-34c886ba2802",
- "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant",
+ "guid": "90ce65de-8e13-4f9c-abd4-69266abca264",
+ "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
+ "service": "AKS",
 "severity": "Média",
- "text": "Para obter a latência de rede ideal com aplicativos SAP, considere o uso de grupos de posicionamento de proximidade do Azure.",
- "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups",
- "waf": "Desempenho"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce",
- "link": "https://me.sap.com/notes/2015553",
- "service": "SAP",
- "severity": "Alto",
- "text": "NÃO há suporte para executar uma camada do SAP Application Server e uma camada de DBMS dividida entre o local e o Azure. Ambas as camadas precisam residir completamente no local ou no Azure.",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "text": "Usar o Autoscaler de Cluster",
 "waf": "Desempenho"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2",
- "link": "https://me.sap.com/notes/2015553",
- "service": "SAP",
- "severity": "Alto",
- "text": "Não é recomendado hospedar o sistema de gerenciamento de banco de dados (DBMS) e as camadas de aplicativos dos sistemas SAP em diferentes VNets e conectá-los ao emparelhamento de VNet devido aos custos substanciais que o tráfego de rede excessivo entre as camadas pode produzir. Recomende o uso de sub-redes na rede virtual do Azure para separar a camada de aplicativo SAP e a camada DBMS.",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
- "waf": "Custar"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "402a9846-d515-4061-aff8-cd30088693fa",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel",
- "service": "SAP",
- "severity": "Alto",
- "text": "Se estiver usando o Load Balancer com sistemas operacionais convidados Linux, verifique se o parâmetro de rede Linux net.ipv4.tcp_timestamps está definido como 0.",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant",
+ "guid": "831c2872-c693-4b39-a887-a561bada49bc",
+ "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Personalizar a configuração do nó para pools de nós AKS",
 "waf": "Desempenho"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "87585797-5551-4d53-bb7d-a94ee415734d",
- "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121",
+ "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
+ "service": "AKS",
 "severity": "Média",
- "text": "Para implantações SAP RISE/ECS, o emparelhamento virtual é a maneira preferida de estabelecer conectividade com o ambiente existente do Azure do cliente. 
Tanto a vnet do SAP quanto a(s) vnet(s) do cliente são protegidas com grupos de segurança de rede (NSG), permitindo a comunicação nas portas SAP e de banco de dados por meio do emparelhamento vnet", - "waf": "Segurança" + "text": "Use o Autoscaler do Pod Horizontal quando necessário", + "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "Nós maiores trarão maior desempenho e recursos, como discos efêmeros e rede acelerada, mas aumentarão o raio de explosão e diminuirão a granularidade de dimensionamento", + "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", + "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", + "service": "AKS", "severity": "Alto", - "text": "Revise os backups de banco de dados do SAP HANA para VMs do Azure.", - "waf": "Custar" + "text": "Considere um tamanho de nó apropriado, não muito grande ou muito pequeno", + "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", - "severity": "Média", - "text": "Revise o monitoramento interno do Site Recovery, quando usado para SAP.", - "waf": "Custar" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", + "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", + "service": "AKS", + "severity": "Baixo", + "text": "Se mais de 5000 nós forem necessários para escalabilidade, considere o uso de um cluster AKS adicional", + "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": 
"82d7b8de-d3f1-44a0-830b-38e200e82acf", - "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", - "service": "SAP", - "severity": "Alto", - "text": "Revise as diretrizes de monitoramento do cenário do sistema SAP HANA.", - "waf": "Operações" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", + "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", + "service": "AKS", + "severity": "Baixo", + "text": "Considere assinar o EventGrid Events para automação AKS", + "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", - "service": "SAP", - "severity": "Média", - "text": "Revise o Banco de Dados Oracle nas estratégias de backup de VM do Linux do Azure.", - "waf": "Operações" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", + "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", + "service": "AKS", + "severity": "Baixo", + "text": "Para operações de longa duração em um cluster AKS, considere o encerramento do evento", + "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", - "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", - "service": "SAP", - "severity": "Média", - "text": "Analise o uso do Armazenamento de Blobs do Azure com o SQL Server 2016.", - "waf": "Operações" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", + "link": 
"https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", + "service": "AKS", + "severity": "Baixo", + "text": "Se necessário, considere usar hosts dedicados do Azure para nós AKS", + "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", - "service": "SAP", - "severity": "Média", - "text": "Analise o uso do Backup Automatizado v2 para VMs do Azure.", - "waf": "Operações" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", + "guid": "24367b33-6971-45b1-952b-eee0b9b588de", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", + "severity": "Alto", + "text": "Usar discos efêmeros do sistema operacional", + "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "AKS", "severity": "Alto", - "text": "Ativando o acelerador de gravação para a série M ao usar discos premium (V1)", - "waf": "Operações" + "text": "Para discos não efêmeros, use IOPS altos e discos maiores do sistema operacional para os nós ao executar muitos pods/nó, pois requer alto desempenho para executar vários pods e gerará logs enormes com limites de rotação de log AKS padrão", + "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": 
"b96512cf-996f-4b17-b9b8-6b16db1a2a94", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "service": "SAP", - "severity": "Média", - "text": "Testar a latência da zona de disponibilidade.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", + "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", + "service": "AKS", + "severity": "Baixo", + "text": "Para a opção de armazenamento de hiperdesempenho, use Ultra Disks no AKS", "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", - "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", + "service": "AKS", "severity": "Média", - "text": "Ative o SAP EarlyWatch Alert para todos os componentes SAP.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", + "text": "Evite manter o estado no cluster e armazene dados fora (AzStorage, AzSQL, Cosmos, etc)", "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", + "service": "AKS", "severity": "Média", - "text": "Revise a latência do servidor de aplicativos SAP para o servidor de banco de dados usando o relatório SAP 
ABAPMeter /SSA/CAT.", - "training": "https://me.sap.com/notes/0002879613", + "text": "Se estiver usando o AzFiles Standard, considere o AzFiles Premium e/ou ANF por motivos de desempenho", "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", + "service": "AKS", "severity": "Média", - "text": "Revise o monitoramento de desempenho do SQL Server usando o CCMS.", + "text": "Se estiver usando Discos e AZs do Azure, considere ter nodepools dentro de uma zona para disco LRS com VolumeBindingMode:WaitForFirstConsumer para provisionar armazenamento na zona direita ou use o disco ZRS para nodepools abrangendo várias zonas", "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", - "link": "https://me.sap.com/notes/500235", - "service": "SAP", - "severity": "Média", - "text": "Teste a latência de rede entre VMs de camada de aplicativo SAP e VMs DBMS (NIPING).", - "training": "https://me.sap.com/notes/1100926/E", - "waf": "Desempenho" + "checklist": "Logic Apps checklist", + "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", + "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", + "service": "Logic Apps", + "severity": "Alto", + "text": "Selecione o plano de hospedagem de aplicativo lógico certo com base em seus requisitos de negócios e SLO", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", - "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", - "service": "SAP", - "severity": "Média", - "text": "Revise os alertas do SAP HANA Studio.", - "waf": "Desempenho" + 
"checklist": "Logic Apps checklist", + "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", + "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "Logic Apps", + "severity": "Alto", + "text": "Proteja aplicativos lógicos contra falhas de região com redundância de zona e zonas de disponibilidade", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", - "link": "https://me.sap.com/notes/1969700", - "service": "SAP", - "severity": "Média", - "text": "Execute verificações de integridade do SAP HANA usando HANA_Configuration_Minichecks.", - "waf": "Desempenho" + "checklist": "Logic Apps checklist", + "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", + "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Logic Apps", + "severity": "Alto", + "text": "Considere uma estratégia de DR entre regiões para cargas de trabalho críticas", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", - "severity": "Média", - "text": "Se você executar VMs do Windows e Linux no Azure, no local ou em outros ambientes de nuvem, poderá usar o Centro de gerenciamento de atualizações na Automação do Azure para gerenciar atualizações do sistema operacional, incluindo patches de segurança.", - "training": "https://learn.microsoft.com/azure/automation/update-management/overview", - "waf": "Segurança" + "checklist": "Logic Apps checklist", + "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", + "link": "https://learn.microsoft.com/azure/app-service/environment/intro", + "service": "Logic Apps", + "severity": "Alto", + "text": "Se estiver 
implantando em um ambiente isolado, use ou migre para o ASE (Ambiente do Serviço de Aplicativo) v3", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "08951710-79a2-492a-adbc-06d7a401545b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "checklist": "Logic Apps checklist", + "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", + "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", + "service": "Logic Apps", "severity": "Média", - "text": "Analise rotineiramente as notas de OSS de segurança do SAP porque o SAP lança patches de segurança altamente críticos, ou hot fixes, que exigem ação imediata para proteger seus sistemas SAP.", - "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", - "waf": "Segurança" + "text": "Aproveite o Azure DevOps ou o GitHub para simplificar o CI/CD e proteger seu código de Aplicativo Lógico", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", - "severity": "Baixo", - "text": "Para SAP no SQL Server, você pode desabilitar a conta de administrador do sistema do SQL Server porque os sistemas SAP no SQL Server não usam a conta. 
Certifique-se de que outro usuário com direitos de administrador do sistema possa acessar o servidor antes de desabilitar a conta de administrador do sistema original.", - "waf": "Segurança" + "checklist": "Device Provisioning Service Review", + "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", + "service": "IoT Hub DPS", + "severity": "Alto", + "text": "Selecione o plano de hospedagem de aplicativo lógico certo com base em seus requisitos de negócios e SLO", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", + "checklist": "Device Provisioning Service Review", + "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "IoT Hub DPS", "severity": "Alto", - "text": "Desative xp_cmdshell. O recurso do SQL Server xp_cmdshell habilita um shell de comando do sistema operacional interno do SQL Server. 
É um risco potencial em auditorias de segurança.", - "training": "https://me.sap.com/notes/3019299/E", - "waf": "Segurança" + "text": "Proteja aplicativos lógicos contra falhas de região com redundância de zona e zonas de disponibilidade", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "checklist": "Device Provisioning Service Review", + "guid": "8aed4fbf-0830-4883-899d-222a154af478", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "IoT Hub DPS", "severity": "Alto", - "text": "A criptografia de servidores de banco de dados SAP HANA no Azure usa a tecnologia de criptografia nativa do SAP HANA. Além disso, se você estiver usando o SQL Server no Azure, use a TDE (Criptografia de Dados Transparente) para proteger seus dados e arquivos de log e garantir que seus backups também sejam criptografados.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "waf": "Segurança" + "text": "Considere uma estratégia de DR entre regiões para cargas de trabalho críticas", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "SAP", + "checklist": "Device Provisioning Service Review", + "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "IoT Hub DPS", + "severity": "Alto", + "text": "Se estiver implantando em um ambiente isolado, use ou migre para o ASE (Ambiente do Serviço de Aplicativo) v3", + "waf": 
"Fiabilidade" + }, + { + "checklist": "Device Provisioning Service Review", + "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "IoT Hub DPS", + "severity": "Média", + "text": "Aproveite o Azure DevOps ou o GitHub para simplificar o CI/CD e proteger seu código de Aplicativo Lógico", + "waf": "Operações" + }, + { + "checklist": "Azure API Management Review", + "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", + "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", + "service": "APIM", "severity": "Média", - "text": "A criptografia de Armazenamento do Azure está habilitada para todas as contas clássicas e do Gerenciador de Recursos do Azure e não pode ser desabilitada. Como seus dados são criptografados por padrão, você não precisa modificar seu código ou aplicativos para usar a criptografia do Armazenamento do Azure.", - "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", - "waf": "Segurança" + "text": "Implementar uma política de tratamento de erros em nível global", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "SAP", - "severity": "Alto", - "text": "Usar o Cofre de Chaves do Azure para armazenar seus segredos e credenciais", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Segurança" + "checklist": "Azure API Management Review", + "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", + "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", + "service": "APIM", + "severity": "Média", + "text": "Certifique-se de que todas as políticas de APIs incluam um elemento .", + 
"waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "829e2edb-2173-4676-aff6-691b4935ada4", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "SAP", + "checklist": "Azure API Management Review", + "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", + "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", + "service": "APIM", "severity": "Média", - "text": "É recomendável BLOQUEAR os Recursos do Azure após a implantação bem-sucedida para proteger contra alterações não autorizadas. Você também pode impor restrições e regras LOCK em sua base por assinatura usando políticas personalizadas do Azure (função Personalizada).", - "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", - "waf": "Segurança" + "text": "Usar fragmentos de política para evitar a repetição das mesmas definições de políticas em várias APIs", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "SAP", + "checklist": "Azure API Management Review", + "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", + "link": "https://learn.microsoft.com/azure/api-management/monetization-support", + "service": "APIM", "severity": "Média", - "text": "Provisione o Cofre de Chaves do Azure com as políticas de exclusão e limpeza suaves habilitadas para permitir a proteção de retenção para objetos excluídos.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Segurança" + "text": "Se você estiver planejando monetizar suas APIs, consulte o artigo 'suporte à monetização' para obter as práticas recomendadas", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", - "link": 
"https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", - "service": "SAP", + "checklist": "Azure API Management Review", + "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", + "service": "APIM", "severity": "Alto", - "text": "Com base nos requisitos existentes, controles normativos e de conformidade (internos/externos) - Determine quais Políticas do Azure e a função RBAC do Azure são necessárias", - "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", - "waf": "Segurança" + "text": "Habilitar Configurações de Diagnóstico para exportar logs para o Azure Monitor", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "checklist": "Azure API Management Review", + "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", + "service": "APIM", + "severity": "Média", + "text": "Habilite o Application Insights para telemetria mais detalhada", + "waf": "Operações" + }, + { + "checklist": "Azure API Management Review", + "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", + "service": "APIM", "severity": "Alto", - "text": "Ao habilitar o Microsoft Defender for Endpoint no ambiente SAP, recomende excluir arquivos de dados e de log em servidores DBMS em vez de direcionar todos os servidores. 
Siga as recomendações do fornecedor do DBMS ao excluir arquivos de destino.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", - "waf": "Segurança" + "text": "Configurar alertas sobre as métricas mais críticas", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", - "service": "SAP", + "checklist": "Azure API Management Review", + "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", + "service": "APIM", "severity": "Alto", - "text": "Delegue uma função personalizada de administrador SAP com acesso just-in-time do Microsoft Defender for Cloud.", - "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "text": "Certifique-se de que os certificados SSL personalizados sejam armazenados em um Cofre de Chaves do Azure para que possam ser acessados e atualizados com segurança", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "Baixo", - "text": "criptografar dados em trânsito integrando o produto de segurança de terceiros com comunicações de rede seguras (SNC) para DIAG (SAP GUI), RFC e SPNEGO para HTTPS", - "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", + "checklist": "Azure API Management 
Review", + "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", + "service": "APIM", + "severity": "Alto", + "text": "Proteger solicitações de entrada para APIs (plano de dados) com o Azure AD", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", - "service": "SAP", + "checklist": "Azure API Management Review", + "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", + "service": "APIM", "severity": "Média", - "text": "O padrão é chaves gerenciadas pela Microsoft para a funcionalidade de criptografia principal e use chaves gerenciadas pelo cliente quando necessário.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "text": "Usar o Microsoft Entra ID para autenticar usuários no Portal do Desenvolvedor", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "4935ada4-2223-4ece-a1b1-23181a541741", - "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", - "service": "SAP", - "severity": "Alto", - "text": "Use um Cofre de Chaves do Azure por aplicativo, por ambiente, por região.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "checklist": "Azure API Management Review", + "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", + "service": "APIM", + "severity": "Média", + "text": "Criar grupos apropriados para 
controlar a visibilidade dos produtos", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", - "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", - "service": "SAP", - "severity": "Alto", - "text": "Para controlar e gerenciar chaves de criptografia de disco e segredos para sistemas operacionais Windows e não Windows HANA, use o Cofre de Chaves do Azure. O SAP HANA não tem suporte com o Cofre de Chaves do Azure, portanto, você deve usar métodos alternativos, como chaves SAP ABAP ou SSH.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", - "waf": "Segurança" + "checklist": "Azure API Management Review", + "guid": "06862505-2d9a-4874-9491-2837b00a3475", + "link": "https://learn.microsoft.com/azure/api-management/backends", + "service": "APIM", + "severity": "Média", + "text": "Use o recurso Back-ends para eliminar configurações redundantes de back-end de API", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "209d490d-a477-4784-84d1-16785d2fa56c", - "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", - "service": "SAP", - "severity": "Alto", - "text": "Personalizar funções RBAC (controle de acesso baseado em função) para SAP em assinaturas spoke do Azure para evitar alterações acidentais relacionadas à rede", - "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", - "waf": "Segurança" + "checklist": "Azure API Management Review", + "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", + "service": "APIM", + "severity": "Média", + "text": "Usar Valores Nomeados para armazenar valores comuns que podem ser usados em políticas", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - 
"guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", - "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", - "service": "SAP", - "severity": "Alto", - "text": "Isole DMZs e NVAs do restante do estado SAP, configure o Azure Private Link e gerencie e controle com segurança os recursos do SAP no Azure", - "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", - "waf": "Segurança" + "checklist": "Azure API Management Review", + "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", + "service": "APIM", + "severity": "Média", + "text": "Para DR, aproveite o nível premium com implantações dimensionadas em duas ou mais regiões para um SLA de 99,99%", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", - "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "service": "SAP", - "severity": "Baixo", - "text": "Considere usar o software antimalware da Microsoft no Azure para proteger suas máquinas virtuais contra arquivos mal-intencionados, adware e outras ameaças.", - "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", - "waf": "Segurança" + "checklist": "Azure API Management Review", + "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", + "link": "https://learn.microsoft.com/azure/api-management/high-availability", + "service": "APIM", + "severity": "Média", + "text": "Implante pelo menos uma unidade em duas ou mais zonas de disponibilidade para um SLA aumentado de 99,99%", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", - 
"service": "SAP", - "severity": "Baixo", - "text": "Para obter uma proteção ainda mais poderosa, considere usar o Microsoft Defender for Endpoint.", - "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", - "waf": "Segurança" + "checklist": "Azure API Management Review", + "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", + "service": "APIM", + "severity": "Alto", + "text": "Verifique se há uma rotina de backup automatizada", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", - "severity": "Alto", - "text": "Isole os servidores de aplicativo e banco de dados SAP da Internet ou da rede local passando todo o tráfego pela rede virtual de hub, que está conectada à rede spoke por emparelhamento de rede virtual. 
As redes virtuais emparelhadas garantem que a solução SAP no Azure seja isolada da Internet pública.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", - "waf": "Segurança" + "checklist": "Azure API Management Review", + "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", + "link": "https://learn.microsoft.com/azure/api-management/retry-policy", + "service": "APIM", + "severity": "Média", + "text": "Use Políticas para adicionar uma URL de back-end de failover e cache para reduzir chamadas com falha.", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "checklist": "Azure API Management Review", + "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", + "service": "APIM", "severity": "Baixo", - "text": "Para aplicativos voltados para a Internet, como o SAP Fiori, certifique-se de distribuir a carga por requisitos de aplicativo, mantendo os níveis de segurança. 
Para segurança de Camada 7, você pode usar um WAF (Web Application Firewall) de terceiros disponível no Azure Marketplace.", - "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", - "waf": "Segurança" + "text": "Se você precisar registrar em níveis de alto desempenho, considere a política de Hubs de Eventos", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", - "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", - "service": "SAP", + "checklist": "Azure API Management Review", + "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", + "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", + "service": "APIM", "severity": "Média", - "text": "Para habilitar a comunicação segura no Azure Monitor para soluções SAP, você pode optar por usar um certificado raiz ou um certificado de servidor. 
É altamente recomendável que você use certificados raiz.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "Segurança" - }, - { - "checklist": "Azure VMware Solution Design Review", - "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", - "service": "AVS", - "severity": "Alto", - "text": "Verifique se os controladores de domínio ADDS estão implantados na assinatura de identidade no Azure nativo", - "waf": "Segurança" + "text": "Aplicar políticas de limitação para controlar o número de solicitações por segundo", + "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", + "waf": "Desempenho" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "75089c20-990d-4927-b105-885576f76fc2", - "service": "AVS", + "checklist": "Azure API Management Review", + "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", + "service": "APIM", "severity": "Média", - "text": "Verifique se os sites e serviços do ADDS estão configurados para manter as solicitações de autenticação de recursos baseados no Azure (incluindo a Solução VMware do Azure) locais para o Azure", - "waf": "Segurança" + "text": "Configurar o dimensionamento automático para dimensionar o número de instâncias quando a carga aumenta", + "waf": "Desempenho" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", - "service": "AVS", - "severity": "Alto", - "text": "Verifique se o vCenter está conectado ao ADDS para habilitar a autenticação com base em 'contas de usuário nomeadas'", - "waf": "Segurança" + "checklist": "Azure API Management Review", + "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", + "service": "APIM", + 
"severity": "Média", + "text": "Implante gateways auto-hospedados onde o Azure não tem uma região próxima às APIs de back-end.", + "waf": "Desempenho" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", - "service": "AVS", + "checklist": "Azure API Management Review", + "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", + "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", + "service": "APIM", "severity": "Média", - "text": "Verifique se a conexão do vCenter com o ADDS está usando um protocolo seguro (LDAPS)", - "waf": "Segurança" + "text": "Use a camada premium para cargas de trabalho de produção.", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", - "service": "AVS", + "checklist": "Azure API Management Review", + "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", + "service": "APIM", "severity": "Média", - "text": "A conta do CloudAdmin no vCenter IdP é usada apenas como uma conta de emergência (break-glass)", - "waf": "Segurança" + "text": "No modelo de várias regiões, use Políticas para rotear as solicitações para back-ends regionais com base na disponibilidade ou latência.", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", - "service": "AVS", + "checklist": "Azure API Management Review", + "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", + "service": "APIM", "severity": "Alto", - "text": "Certifique-se de que o NSX-Manager esteja integrado a um provedor de identidade externo (LDAPS)", - "waf": "Segurança" + "text": "Esteja 
atento aos limites da APIM", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", - "service": "AVS", + "checklist": "Azure API Management Review", + "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", + "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", + "service": "APIM", + "severity": "Alto", + "text": "Certifique-se de que as implantações de gateway auto-hospedado sejam resilientes.", + "waf": "Fiabilidade" + }, + { + "checklist": "Azure API Management Review", + "guid": "7519e385-a88b-4d34-966b-6269d686e890", + "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", + "service": "APIM", "severity": "Média", - "text": "Foi criado um modelo RBAC para uso no VMware vSphere", - "waf": "Segurança" + "text": "Usar o Azure Front Door na frente do APIM para implantação em várias regiões", + "waf": "Desempenho" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", - "service": "AVS", + "checklist": "Azure API Management Review", + "guid": "cd45c90e-7690-4753-930b-bf290c69c074", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", + "service": "APIM", "severity": "Média", - "text": "As permissões RBAC devem ser concedidas em grupos ADDS e não em usuários específicos", + "text": "Implantar o serviço em uma rede virtual (VNet)", "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", - "service": "AVS", - "severity": "Alto", - "text": "As permissões RBAC no recurso Solução VMware do Azure no Azure são 'bloqueadas' apenas para um conjunto limitado de proprietários", + "checklist": "Azure API Management Review", + "guid": 
"02661582-b3d1-48d1-9d7b-c6a918a0ca33", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", + "service": "APIM", + "severity": "Média", + "text": "Implante NSG (grupos de segurança de rede) em suas sub-redes para restringir ou monitorar o tráfego de/para APIM.", "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", - "service": "AVS", - "severity": "Alto", - "text": "Certifique-se de que todas as funções personalizadas tenham escopo com autorizações permitidas do CloudAdmin", + "checklist": "Azure API Management Review", + "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", + "service": "APIM", + "severity": "Média", + "text": "Implante pontos de extremidade privados para filtrar o tráfego de entrada quando o APIM não for implantado em uma rede virtual.", "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", - "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", - "service": "AVS", + "checklist": "Azure API Management Review", + "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", + "service": "APIM", "severity": "Alto", - "text": "O modelo de conectividade correto da Solução VMware do Azure está selecionado para o caso de uso do cliente em mãos?", - "waf": "Desempenho" + "text": "Desabilitar o acesso à rede 
pública", + "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", - "service": "AVS", - "severity": "Alto", - "text": "Garantir que as conexões de Rota Expressa ou VPN do local para o Azure sejam monitoradas usando o 'monitor de conexão'", + "checklist": "Azure API Management Review", + "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", + "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", + "service": "APIM", + "severity": "Média", + "text": "Simplifique o gerenciamento com scripts de automação do PowerShell", "waf": "Operações" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", - "service": "AVS", + "checklist": "Azure API Management Review", + "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", + "service": "APIM", "severity": "Média", - "text": "Verifique se um monitor de conexão foi criado a partir de um recurso nativo do Azure para uma máquina virtual da Solução VMware do Azure para monitorar a conexão de Rota Expressa de back-end da Solução VMware do Azure", + "text": "Configure APIM via Infrastructure-as-code. 
Analise as práticas recomendadas de DevOps do Cloud Adaption Framework APIM Landing Zone Accelerator", "waf": "Operações" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", - "service": "AVS", + "checklist": "Azure API Management Review", + "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", + "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", + "service": "APIM", "severity": "Média", - "text": "Verifique se um monitor de conexão é criado a partir de um recurso local para uma máquina virtual da Solução VMware do Azure para monitorar a conectividade de ponta 2", + "text": "Promover o uso da extensão API do Visual Studio Code para um desenvolvimento de API mais rápido", "waf": "Operações" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", - "service": "AVS", - "severity": "Alto", - "text": "Quando o servidor de rotas for usado, certifique-se de que não mais de 1000 rotas sejam propagadas do servidor de rotas para o gateway ExR para o local (limite ARS).", + "checklist": "Azure API Management Review", + "guid": "354f1c03-8112-4965-85ad-c0074bddf231", + "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", + "service": "APIM", + "severity": "Média", + "text": "Implemente DevOps e CI/CD em seu fluxo de trabalho", "waf": "Operações" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", - "service": "AVS", - "severity": "Alto", - "text": "O Gerenciamento de Identidades Privilegiadas é implementado para funções que gerenciam o recurso da Solução VMware do Azure no Portal do Azure (não são permitidas permissões permanentes)", - "waf": "Segurança" - }, - { - "checklist": "Azure VMware Solution Design Review", - "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", - "service": "AVS", - "severity": "Alto", - "text": "Os relatórios de auditoria 
do Gerenciamento de Identidades Privilegiadas devem ser implementados para as funções PIM da Solução VMware do Azure", + "checklist": "Azure API Management Review", + "guid": "b6439493-426a-45f3-9697-cf65baee208d", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", + "service": "APIM", + "severity": "Média", + "text": "APIs seguras usando autenticação de certificado de cliente", "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", - "service": "AVS", + "checklist": "Azure API Management Review", + "guid": "2a67d143-1033-4c0a-8732-680896478f08", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", + "service": "APIM", "severity": "Média", - "text": "Se o uso do Gerenciamento de Identidades Privilegiadas estiver sendo usado, certifique-se de que uma conta válida habilitada para ID do Entra seja criada com um registro SMTP válido para notificações de substituição automática do Host da Solução VMware do Azure. 
(permissões permanentes necessárias)", + "text": "Serviços de back-end seguros usando autenticação de certificado de cliente", "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", - "service": "AVS", - "severity": "Alto", - "text": "Limitar o uso da conta do CloudAdmin apenas ao acesso de emergência", + "checklist": "Azure API Management Review", + "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", + "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", + "service": "APIM", + "severity": "Média", + "text": "Consulte o artigo \"Recomendações para mitigar as 10 principais ameaças da segurança da API OWASP\" e verifique o que é aplicável às suas APIs", "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", - "service": "AVS", + "checklist": "Azure API Management Review", + "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", + "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", + "service": "APIM", "severity": "Média", - "text": "Criar funções RBAC personalizadas no vCenter para implementar um modelo de privilégios mínimos dentro do vCenter", + "text": "Usar o recurso Autorizações para simplificar o gerenciamento do token OAuth 2.0 para suas APIs de back-end", "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", - "service": "AVS", - "severity": "Média", - "text": "É um processo definido para alternar regularmente as credenciais cloudadmin (vCenter) e admin (NSX)", + "checklist": "Azure API Management Review", + "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", + "service": "APIM", + "severity": "Alto", + "text": "Use a versão mais recente do TLS ao criptografar informações em trânsito. 
Desative protocolos e cifras desatualizados e desnecessários quando possível.", "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", - "service": "AVS", + "checklist": "Azure API Management Review", + "guid": "f8af3d94-1d2b-4070-846f-849197524258", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", + "service": "APIM", "severity": "Alto", - "text": "Usar um provedor de identidade centralizado a ser usado para cargas de trabalho (VMs) em execução na Solução VMware do Azure", + "text": "Certifique-se de que os segredos (valores nomeados) sejam armazenados em um Cofre de Chaves do Azure para que possam ser acessados e atualizados com segurança", "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", - "service": "AVS", + "checklist": "Azure API Management Review", + "guid": "791abd8b-7706-4e31-9569-afefde724be3", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", + "service": "APIM", "severity": "Média", - "text": "A filtragem de tráfego Leste-Oeste é implementada no NSX-T", + "text": "Use identidades gerenciadas para autenticar em outros recursos do Azure sempre que possível", "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", - "service": "AVS", + "checklist": "Azure API Management Review", + "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", + "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", + "service": "APIM", "severity": "Alto", - "text": "As cargas de trabalho na Solução VMware do Azure não são diretamente expostas à Internet. O tráfego é filtrado e inspecionado pelo Gateway de Aplicativo do Azure, pelo Firewall do Azure ou por soluções de terceiros", + "text": "Usar o WAF (Web Application Firewall) implantando o Application Gateway na frente do APIM", "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", - "service": "AVS", - "severity": "Alto", - "text": "A auditoria e o registro em log são implementados para solicitações de entrada da Internet para cargas de trabalho baseadas na Solução VMware do Azure e na Solução VMware do Azure", - "waf": "Segurança" + "checklist": "SAP Checklist", + "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", + "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", + "service": "SAP", + "severity": "Média", + "text": "O Azure Center for SAP solutions (ACSS) é uma oferta do Azure que torna o SAP uma carga de trabalho de nível superior no Azure. O ACSS é uma solução de ponta a ponta que permite criar e executar sistemas SAP como uma carga de trabalho unificada no Azure e fornece uma base mais perfeita para a inovação. 
Você pode aproveitar os recursos de gerenciamento para sistemas SAP novos e existentes baseados no Azure.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", + "waf": "Operações" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", + "service": "SAP", "severity": "Média", - "text": "O monitoramento de sessão é implementado para conexões de saída da Internet a partir da Solução VMware do Azure ou cargas de trabalho baseadas na Solução VMware do Azure para identificar atividades suspeitas/mal-intencionadas", - "waf": "Segurança" + "text": "O Azure dá suporte à automação de implantações SAP no Linux e no Windows. O SAP Deployment Automation Framework é uma ferramenta de orquestração de código aberto que pode implantar, instalar e manter ambientes SAP.", + "training": "https://github.com/Azure/sap-automation", + "waf": "Operações" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "334fdf91-c234-4182-a652-75269440b4be", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", + "service": "SAP", "severity": "Média", - "text": "A proteção padrão contra DDoS está habilitada na sub-rede do Gateway ExR/VPN no Azure", - "waf": "Segurança" + "text": "Executar uma recuperação point-in-time para seus bancos de dados de produção em qualquer ponto e em um período de tempo que atenda ao seu RTO; A recuperação point-in-time normalmente inclui erros do operador excluindo dados na camada DBMS ou por meio do SAP, incidentalmente", + "waf": "Fiabilidade" }, { - "checklist": "Azure 
VMware Solution Design Review", - "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", + "service": "SAP", "severity": "Média", - "text": "Usar uma estação de trabalho de acesso privilegiado (PAW) dedicada para gerenciar a Solução VMware do Azure, o vCenter, o gerenciador NSX e o gerenciador HCX", - "waf": "Segurança" + "text": "Teste os tempos de backup e recuperação para verificar se eles atendem aos requisitos de RTO para restaurar todos os sistemas simultaneamente após um desastre.", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", - "service": "AVS", - "severity": "Média", - "text": "Habilitar a Detecção Avançada de Ameaças (Microsoft Defender for Cloud, também conhecido como ASC) para cargas de trabalho em execução na Solução VMware do Azure", - "waf": "Segurança" + "checklist": "SAP Checklist", + "guid": "b651423c-8552-42db-a545-5cb50c05527a", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "SAP", + "severity": "Alto", + "text": "Você pode replicar o armazenamento padrão entre regiões emparelhadas, mas não pode usar o armazenamento padrão para armazenar seus bancos de dados ou discos rígidos virtuais. Você pode replicar backups somente entre regiões emparelhadas que você usa. Para todos os outros dados, execute sua replicação usando recursos nativos de DBMS, como SQL Server Always On ou SAP HANA System Replication. 
Use uma combinação de Site Recovery, rsync ou robocopy e outros softwares de terceiros para a camada de aplicativos SAP.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", "severity": "Média", - "text": "Usar o Azure ARC for Servers para controlar corretamente as cargas de trabalho em execução na Solução VMware do Azure usando tecnologias nativas do Azure (o Azure ARC for Azure VMware Solution ainda não está disponível)", - "waf": "Segurança" + "text": "Ao usar as Zonas de Disponibilidade do Azure para obter alta disponibilidade, você deve considerar a latência entre servidores de aplicativos SAP e servidores de banco de dados. Para zonas com altas latências, os procedimentos operacionais precisam estar em vigor para garantir que os servidores de aplicativos SAP e os servidores de banco de dados estejam sendo executados na mesma zona o tempo todo.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", - "service": "AVS", - "severity": "Baixo", - "text": "Garanta que as cargas de trabalho na Solução VMware do Azure usem criptografia de dados suficiente durante o tempo de execução (como criptografia de disco convidado e SQL TDE). 
(a criptografia vSAN em repouso é padrão)", - "waf": "Segurança" + "checklist": "SAP Checklist", + "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "SAP", + "severity": "Alto", + "text": "Configure conexões de Rota Expressa do local para as regiões primária e secundária de recuperação de desastres do Azure. Além disso, como alternativa ao uso da Rota Expressa, considere configurar conexões VPN locais para as regiões primária e secundária de recuperação de desastres do Azure.", + "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "a3592718-e6e2-4051-9267-6ae46691e883", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "SAP", "severity": "Baixo", - "text": "Quando a criptografia no convidado é usada, armazene chaves de criptografia no cofre de chaves do Azure quando possível", - "waf": "Segurança" + "text": "Replique o conteúdo do cofre de chaves, como certificados, segredos ou chaves entre regiões, para que você possa descriptografar dados na região de recuperação de desastres.", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "5ac94222-3e13-4810-9230-81a941741583", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", + "service": "SAP", "severity": "Média", - "text": "Considere usar o suporte estendido de atualização de segurança para cargas de trabalho em execução na Solução VMware do Azure (a Solução VMware do Azure é qualificada para ESU)", - "waf": 
"Segurança" + "text": "Emparelhar as redes virtuais primária e de recuperação de desastres. Por exemplo, para a replicação do sistema HANA, uma rede virtual SAP HANA DB precisa ser emparelhada para a rede virtual SAP HANA DB do site de recuperação de desastres.", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", + "service": "SAP", + "severity": "Baixo", + "text": "Se você usar o armazenamento do Azure NetApp Files para suas implantações SAP, no mínimo, crie duas contas do Azure NetApp Files na camada Premium, em duas regiões.", + "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "severity": "Alto", - "text": "Certifique-se de que o método de redundância de dados vSAN apropriado seja usado (especificação RAID)", + "text": "A tecnologia de replicação de banco de dados nativo deve ser usada para sincronizar o banco de dados em um par de HA.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d88408f3-7273-44c8-96ba-280214590146", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", + "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", + "service": "SAP", "severity": "Alto", - "text": "Certifique-se de 
que a política de falha na tolerância esteja em vigor para atender às suas necessidades de armazenamento vSAN", + "text": "O CIDR da rede virtual primária (VNet) não deve entrar em conflito ou se sobrepor ao CIDR da VNet do site de recuperação de desastres", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", + "service": "SAP", "severity": "Alto", - "text": "Certifique-se de ter solicitado cota suficiente, garantindo que você tenha considerado o crescimento e o requisito de recuperação de desastres", + "text": "Use a Recuperação de Site para replicar um servidor de aplicativos para um site de recuperação de desastres. A Recuperação de Site também pode ajudar na replicação de VMs de cluster de serviços centrais para o site de recuperação de desastres. 
Ao invocar o DR, você precisará reconfigurar o cluster do Linux Pacemaker no site de DR (por exemplo, substitua o VIP ou o SBD, execute o corosync.conf e muito mais).", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", - "service": "AVS", - "severity": "Média", - "text": "Certifique-se de que as restrições de acesso ao ESXi sejam compreendidas, há limites de acesso que podem afetar as soluções de terceiros 3rd.", - "waf": "Operações" + "checklist": "SAP Checklist", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "Alto", + "text": "Considere a disponibilidade do software SAP em relação a pontos únicos de falha. Isso inclui pontos únicos de falha em aplicativos como SGBDs utilizados nas arquiteturas SAP NetWeaver e SAP S/4HANA, SAP ABAP e ASCS + SCS. 
Além disso, outras ferramentas, como o SAP Web Dispatcher.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", - "service": "AVS", - "severity": "Média", - "text": "Certifique-se de ter uma política em torno da densidade e eficiência do host ESXi, tendo em mente o prazo de espera para solicitar novos nós", - "waf": "Operações" + "checklist": "SAP Checklist", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "service": "SAP", + "severity": "Alto", + "text": "Para bancos de dados SAP e SAP, considere a implementação de clusters de failover automático. No Windows, o Clustering de Failover do Windows Server oferece suporte a failover. No Linux, Linux Pacemaker ou ferramentas de terceiros como SIOS Protection Suite e Veritas InfoScale suportam failover.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", - "service": "AVS", - "severity": "Média", - "text": "Garantir que um bom processo de gerenciamento de custos esteja em vigor para a Solução VMware do Azure - o Gerenciamento de Custos do Azure pode ser usado", - "waf": "Custar" + "checklist": "SAP Checklist", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", + "severity": "Alto", + "text": "O Azure não oferece suporte a arquiteturas nas quais as VMs primária e secundária compartilham armazenamento para dados DBMS. 
Para a camada DBMS, o padrão de arquitetura comum é replicar bancos de dados ao mesmo tempo e com pilhas de armazenamento diferentes daquelas que as VMs primária e secundária usam.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", - "service": "AVS", - "severity": "Baixo", - "text": "As instâncias reservadas do Azure são usadas para otimizar o custo de uso da Solução VMware do Azure", - "waf": "Custar" + "checklist": "SAP Checklist", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", + "service": "SAP", + "severity": "Alto", + "text": "Os dados do DBMS e os arquivos de log de transação/refazer são armazenados no armazenamento em bloco com suporte do Azure ou nos Arquivos do Azure NetApp. 
Os Arquivos do Azure ou os Arquivos Premium do Azure não têm suporte como armazenamento para dados DBMS e/ou arquivos de log de refazer com a carga de trabalho SAP.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "6691e883-5ac9-4422-83e1-3810523081a9", - "service": "AVS", - "severity": "Média", - "text": "Considere o uso do Azure Private-Link ao usar outros Serviços Nativos do Azure", - "waf": "Segurança" + "checklist": "SAP Checklist", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "service": "SAP", + "severity": "Alto", + "text": "Você pode usar discos compartilhados do Azure no Windows para componentes ASCS + SCS e cenários específicos de alta disponibilidade. Configure seus clusters de failover separadamente para componentes da camada de aplicativo SAP e a camada DBMS. 
No momento, o Azure não oferece suporte a arquiteturas de alta disponibilidade que combinam componentes da camada de aplicativo SAP e a camada DBMS em um cluster de failover.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", + "service": "SAP", "severity": "Alto", - "text": "Verifique se todos os recursos necessários residem na(s) mesma(s) zona(s) de disponibilidade do Azure", - "waf": "Desempenho" + "text": "A maioria dos clusters de failover para ASCS (Application Layer Components, componentes da camada de aplicativo) SAP e a camada DBMS exigem um endereço IP virtual para um cluster de failover. O Balanceador de Carga do Azure deve manipular o endereço IP virtual para todos os outros casos. Um princípio de design é usar um balanceador de carga por configuração de cluster. 
Recomendamos que você use a versão padrão do balanceador de carga (SKU do Standard Load Balancer).", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", - "service": "AVS", - "severity": "Média", - "text": "Habilitar cargas de trabalho de VM convidada do Microsoft Defender for Cloud for Azure VMware Solution", - "waf": "Segurança" + "checklist": "SAP Checklist", + "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", + "service": "SAP", + "severity": "Alto", + "text": "Verifique se o IP flutuante está habilitado no balanceador de carga", + "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", - "service": "AVS", - "severity": "Média", - "text": "Usar servidores habilitados para Arc do Azure para gerenciar suas cargas de trabalho de VM convidada da Solução VMware do Azure", - "waf": "Segurança" + "checklist": "SAP Checklist", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "SAP", + "severity": "Alto", + "text": "Antes de implantar sua infraestrutura de alta disponibilidade, e dependendo da região escolhida, determine se deseja implantar com um conjunto de disponibilidade do Azure ou uma zona de disponibilidade.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": 
"88f03a4d-2cd4-463c-abbc-868295abc91a", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "SAP", "severity": "Alto", - "text": "Habilitar o log de diagnóstico e de métrica na solução VMware do Azure", - "waf": "Operações" + "text": "Se desejar atender aos SLAs de infraestrutura de seus aplicativos para componentes SAP (serviços centrais, servidores de aplicativos e bancos de dados), você deverá escolher as mesmas opções de alta disponibilidade (VMs, conjuntos de disponibilidade, zonas de disponibilidade) para todos os componentes.", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", - "service": "AVS", - "severity": "Média", - "text": "Implantar os agentes do Log Analytics nas cargas de trabalho da VM convidada da Solução VMware do Azure", - "waf": "Operações" + "checklist": "SAP Checklist", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", + "severity": "Alto", + "text": "Não misture servidores de funções diferentes no mesmo conjunto de disponibilidade. 
Mantenha VMs de serviços centrais, VMs de banco de dados, VMs de aplicativos em seus próprios conjuntos de disponibilidade", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "589d457a-927c-4397-9d11-02cad6aae11e", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + "service": "SAP", "severity": "Média", - "text": "Verifique se você tem uma política e uma solução de backup documentadas e implementadas para cargas de trabalho de VM da Solução VMware do Azure", - "waf": "Operações" + "text": "Você não pode implantar conjuntos de disponibilidade do Azure em uma zona de disponibilidade do Azure, a menos que use grupos de posicionamento de proximidade.", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "ee29711b-d352-4caa-ab79-b198dab81932", - "service": "AVS", - "severity": "Média", - "text": "Usar o Microsoft Defender for Cloud para monitoramento de conformidade de cargas de trabalho em execução no Azure VMware Solution", - "waf": "Segurança" + "checklist": "SAP Checklist", + "guid": "9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", + "severity": "Alto", + "text": "Ao criar conjuntos de disponibilidade, use o número máximo de domínios de falha e atualize domínios disponíveis. 
Por exemplo, se você implantar mais de duas VMs em um conjunto de disponibilidade, use o número máximo de domínios de falha (três) e domínios de atualização suficientes para limitar o efeito de possíveis falhas de hardware físico, interrupções de rede ou interrupções de energia, além da manutenção planejada do Azure. O número padrão de domínios de falha é dois e você não pode alterá-lo online mais tarde.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", - "service": "AVS", - "severity": "Média", - "text": "São as linhas de base de conformidade aplicáveis adicionadas ao Microsoft Defender for Cloud", - "waf": "Segurança" + "checklist": "SAP Checklist", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", + "severity": "Alto", + "text": "Quando você usa grupos de posicionamento de proximidade do Azure em uma implantação de conjunto de disponibilidade, todos os três componentes SAP (serviços centrais, servidor de aplicativos e banco de dados) devem estar no mesmo grupo de posicionamento de proximidade.", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "Alto", - "text": "A residência de dados foi avaliada ao selecionar regiões do Azure a serem usadas para a implantação da Solução VMware do Azure", - "waf": "Segurança" + "text": "Use um grupo de posicionamento de proximidade por SAP SID. 
Os grupos não se estendem por zonas de disponibilidade ou regiões do Azure", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "severity": "Alto", - "text": "As implicações do processamento de dados (modelo de prestador de serviços / consumidor de serviços) são claras e documentadas", - "waf": "Segurança" + "text": "Use um dos seguintes serviços para executar clusters de serviços centrais SAP, dependendo do sistema operacional.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "547c1747-dc56-4068-a714-435cd19dd244", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "ed46b937-913e-4018-9c62-8393ab037e53", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", + "service": "SAP", "severity": "Média", - "text": "Considere o uso de CMK (Customer Managed Key) para vSAN somente se necessário por motivo(s) de conformidade.", - "waf": "Segurança" + "text": "No momento, o Azure não oferece suporte à combinação de ASCS e HA de banco de dados no mesmo cluster do Linux Pacemaker; Separe-os em agrupamentos individuais. 
No entanto, você pode combinar até cinco clusters de serviços centrais em um par de VMs.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", - "service": "AVS", - "severity": "Alto", - "text": "Criar painéis para habilitar os principais insights de monitoramento da Solução VMware do Azure", - "waf": "Operações" + "checklist": "SAP Checklist", + "guid": "f656e745-0cfb-453e-8008-0528fa21c933", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "Média", + "text": "Implante ambas as VMs no par de alta disponibilidade em um conjunto de disponibilidade ou em zonas de disponibilidade. Essas VMs devem ter o mesmo tamanho e a mesma configuração de armazenamento.", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", - "service": "AVS", - "severity": "Alto", - "text": "Criar alertas de aviso para limites críticos para alertas automáticos sobre o desempenho da solução VMware do Azure (CPU >80%, memória média >80%, vSAN >70%)", - "waf": "Operações" + "checklist": "SAP Checklist", + "guid": "7f684ebc-95da-425e-b329-e782dbed050f", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", + "service": "SAP", + "severity": "Média", + "text": "O Azure oferece suporte à instalação e configuração de instâncias SAP HANA e ASCS/SCS e ERS no mesmo cluster de alta disponibilidade em execução no Red Hat Enterprise Linux (RHEL).", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - 
"guid": "9659e396-80e7-4828-ac93-5657d02bff45", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", "severity": "Alto", - "text": "Certifique-se de que o alerta crítico seja criado para monitorar se o consumo de vSAN está abaixo de 75%, pois esse é um limite de suporte do VMware", - "waf": "Operações" + "text": "Execute todos os sistemas de produção em SSDs gerenciados Premium e use o Azure NetApp Files ou o Ultra Disk Storage. Pelo menos o disco do sistema operacional deve estar na camada Premium para que você possa obter melhor desempenho e o melhor SLA.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", + "service": "SAP", "severity": "Alto", - "text": "Verifique se os alertas estão configurados para alertas e notificações de Integridade do Serviço do Azure", - "waf": "Operações" - }, - { - "checklist": "Azure VMware Solution Design Review", - "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", - "service": "AVS", - "severity": "Média", - "text": "Configurar o log da Solução VMware do Azure para ser enviado a uma conta de Armazenamento do Azure ou ao Azure EventHub para processamento", - "waf": "Operações" + "text": "Você deve executar o SAP HANA no Azure somente nos tipos de armazenamento certificados pela SAP. Observe que determinados volumes devem ser executados em determinadas configurações de disco, quando aplicável. Essas configurações incluem a habilitação do Acelerador de Gravação e o uso do armazenamento Premium. 
Você também precisa garantir que o sistema de arquivos executado no armazenamento seja compatível com o DBMS executado na máquina.", + "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", - "service": "AVS", - "severity": "Baixo", - "text": "Se for necessário um insight profundo no VMware vSphere: o vRealize Operations e/ou o vRealize Network Insights são usados na solução?", - "waf": "Operações" + "checklist": "SAP Checklist", + "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", + "service": "SAP", + "severity": "Alto", + "text": "Considere configurar a alta disponibilidade dependendo do tipo de armazenamento usado para suas cargas de trabalho SAP. Alguns serviços de armazenamento disponíveis no Azure não têm suporte no Azure Site Recovery, portanto, sua configuração de alta disponibilidade pode ser diferente.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", + "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", + "service": "SAP", "severity": "Alto", - "text": "Verifique se a política de armazenamento vSAN para VMs NÃO é a política de armazenamento padrão, pois essa política aplica provisionamento espesso", - "waf": "Operações" + "text": "Diferentes serviços de armazenamento nativos do Azure (como Arquivos do Azure, Arquivos do Azure NetApp, Disco Compartilhado do Azure) podem não estar disponíveis em 
todas as regiões. Portanto, para ter uma configuração SAP semelhante na região de DR após o failover, certifique-se de que o respectivo serviço de armazenamento seja oferecido no local de DR.", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", + "service": "SAP", "severity": "Média", - "text": "Verifique se as bibliotecas de conteúdo do vSphere não são colocadas no vSAN, pois o vSAN é um recurso finito", - "waf": "Operações" + "text": "Automatize o Start-Stop do sistema SAP para gerenciar custos.", + "waf": "Custar" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", - "service": "AVS", - "severity": "Média", - "text": "Certifique-se de que os repositórios de dados da solução de backup sejam armazenados fora do armazenamento vSAN. No nativo do Azure ou em um armazenamento de dados com backup de pool de discos", - "waf": "Operações" + "checklist": "SAP Checklist", + "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", + "severity": "Baixo", + "text": "No caso de usar o Armazenamento Premium do Azure com o SAP HANA, o armazenamento SSD padrão do Azure pode ser usado para selecionar uma solução de armazenamento econômica. No entanto, observe que escolher o armazenamento padrão SSD ou HDD padrão do Azure afetará o SLA das VMs individuais. 
Além disso, para sistemas com menor taxa de transferência de E/S e baixa latência, como ambientes que não são de produção, VMs de série mais baixa podem ser usadas.", + "waf": "Custar" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", - "service": "AVS", - "severity": "Média", - "text": "Garantir que as cargas de trabalho em execução na Solução VMware do Azure sejam gerenciadas de forma híbrida usando o Azure Arc for Servers (a Solução VMware do Arc for Azure está em visualização)", - "waf": "Operações" + "checklist": "SAP Checklist", + "guid": "9877f353-2591-4e8b-8381-e9043fed1010", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", + "severity": "Baixo", + "text": "Como uma configuração alternativa de baixo custo (multiuso), você pode escolher uma SKU de baixo desempenho para suas VMs de servidor de banco de dados HANA que não são de produção. No entanto, é importante observar que alguns tipos de VM, como a série E, não são certificados pelo HANA (SAP HANA Hardware Directory) ou não podem atingir latência de armazenamento inferior a 1ms.", + "waf": "Custar" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", - "service": "AVS", - "severity": "Média", - "text": "Garantir que as cargas de trabalho em execução na Solução VMware do Azure sejam monitoradas usando o Azure Log Analytics e o Azure Monitor", - "waf": "Operações" + "checklist": "SAP Checklist", + "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", + "service": "SAP", + "severity": "Alto", + "text": "Impor um modelo RBAC para grupos de gerenciamento, assinaturas, grupos de recursos e recursos", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design 
Review", - "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "45911475-e39e-4530-accc-d979366bcda2", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", "severity": "Média", - "text": "Incluir cargas de trabalho em execução na Solução VMware do Azure nas ferramentas de gerenciamento de atualizações existentes ou no Gerenciamento de Atualizações do Azure", - "waf": "Operações" + "text": "Impor a propagação principal para encaminhar a identidade do aplicativo de nuvem SAP para o SAP local (incluindo IaaS) por meio do conector de nuvem", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", + "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", "severity": "Média", - "text": "Usar a Política do Azure para integrar cargas de trabalho da Solução VMware do Azure nas soluções de Gerenciamento, Monitoramento e Segurança do Azure", - "waf": "Operações" + "text": "Implemente SSO em aplicativos SAP SaaS como SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics e SAP C4C com o Azure AD usando SAML.", + "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", "severity": "Média", - "text": "Garantir que as cargas de trabalho 
em execução na Solução VMware do Azure sejam integradas ao Microsoft Defender for Cloud", + "text": "Implemente SSO em aplicativos Web baseados no SAP NetWeaver, como SAP Fiori e SAP Web GUI, usando SAML.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", + "service": "SAP", "severity": "Média", - "text": "Certifique-se de que os backups não sejam armazenados no vSAN, pois o vSAN é um recurso finito", - "waf": "Fiabilidade" + "text": "Implemente SSO em aplicativos Web baseados no SAP NetWeaver, como SAP Fiori e SAP Web GUI, usando SAML.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", + "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", "severity": "Média", - "text": "Todas as soluções de DR foram consideradas e uma solução que é melhor para o seu negócio foi decidida? 
[SRM/JetStream/Zerto/Veeam/...]", - "waf": "Fiabilidade" + "text": "Você pode implementar o SSO no SAP GUI usando o SAP NetWeaver SSO ou uma solução de parceiro.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", + "service": "SAP", "severity": "Média", - "text": "Usar o Azure Site Recovery quando a tecnologia de Recuperação de Desastres for IaaS nativa do Azure", - "waf": "Fiabilidade" + "text": "Para SSO para SAP GUI e acesso ao navegador web, implemente SNC / Kerberos / SPNEGO (mecanismo de negociação GSSAPI simples e protegido) devido a sua facilidade de configuração e manutenção. Para SSO com certificados de cliente X.509, considere o SAP Secure Login Server, que é um componente da solução SAP SSO.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", + "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", - "service": "AVS", - "severity": "Alto", - "text": "Use planos de recuperação automatizados com qualquer uma das soluções de desastre, evite ao máximo tarefas manuais", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", + "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", + "service": "SAP", + "severity": "Média", + "text": "Para SSO para SAP GUI e acesso ao navegador web, implemente SNC / Kerberos / SPNEGO (mecanismo de negociação GSSAPI simples e protegido) devido a sua facilidade de configuração e manutenção. 
Para SSO com certificados de cliente X.509, considere o SAP Secure Login Server, que é um componente da solução SAP SSO.", + "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "8255461e-2aee-4345-9aec-8339248b262d", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "16785d6f-a96c-496a-b885-18f482734c88", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", + "service": "SAP", "severity": "Média", - "text": "Usar o par de regiões geopolíticas como o ambiente secundário de recuperação de desastres", - "waf": "Fiabilidade" + "text": "Implemente o SSO usando o OAuth for SAP NetWeaver para permitir que aplicativos de terceiros ou personalizados acessem os serviços OData do SAP NetWeaver.", + "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", - "service": "AVS", - "severity": "Alto", - "text": "Use 2 espaços de endereço diferentes entre as regiões, por exemplo: 10.0.0.0/16 e 192.168.0.0/16 para as diferentes regiões", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "a747c350-8d4c-449c-93af-393dbca77c48", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", + "service": "SAP", + "severity": "Média", + "text": "Implementar SSO no SAP HANA", + "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", + "service": "SAP", "severity": "Média", - "text": "O ExpressRoute Global Reach será usado para conectividade entre as Nuvens Privadas da Solução VMware do Azure primária e secundária ou o roteamento é feito por meio de dispositivos virtuais de rede?", 
- "waf": "Fiabilidade" + "text": "Considere o Azure AD um provedor de identidade para sistemas SAP hospedados no RISE. Para obter mais informações, consulte Integrando o serviço ao Azure AD.", + "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", + "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", + "service": "SAP", "severity": "Média", - "text": "Todas as soluções de backup foram consideradas e uma solução que é melhor para o seu negócio foi decidida? [ MABS/CommVault/Metallic.io/Veeam/ . ]", - "waf": "Fiabilidade" + "text": "Para aplicativos que acessam o SAP, convém usar a propagação principal para estabelecer o SSO.", + "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", + "service": "SAP", "severity": "Média", - "text": "Implante sua solução de backup na mesma região que sua nuvem privada da Solução VMware do Azure", - "waf": "Fiabilidade" + "text": "Se você estiver usando serviços SAP BTP ou soluções SaaS que exigem o SAP Identity Authentication Service (IAS), considere implementar SSO entre o SAP Cloud Identity Authentication Services e o Azure AD para acessar esses serviços SAP. 
Essa integração permite que o SAP IAS atue como um provedor de identidade de proxy e encaminhe solicitações de autenticação para o Azure AD como o repositório central do usuário e o provedor de identidade.", + "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", + "service": "SAP", "severity": "Média", - "text": "Implante sua solução de backup fora do vSan, em componentes nativos do Azure", - "waf": "Fiabilidade" + "text": "Implementar SSO no SAP BTP", + "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", - "service": "AVS", - "severity": "Baixo", - "text": "Existe um processo para solicitar uma restauração dos componentes VMware gerenciados pela Plataforma Azure?", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", + "service": "SAP", + "severity": "Média", + "text": "Se você estiver usando o SAP SuccessFactors, considere usar o provisionamento automatizado de usuários do Azure AD. Com essa integração, à medida que você adiciona novos funcionários ao SAP SuccessFactors, pode criar automaticamente suas contas de usuário no Azure AD. Opcionalmente, você pode criar contas de usuário no Microsoft 365 ou em outros aplicativos SaaS com suporte no Azure AD. 
Use write-back do endereço de e-mail para SAP SuccessFactors.", + "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", - "service": "AVS", - "severity": "Baixo", - "text": "Para implantações manuais, todas as configurações e implantações devem ser documentadas", + "checklist": "SAP Checklist", + "guid": "6ba28021-4591-4147-9e39-e5309cccd979", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", + "service": "SAP", + "severity": "Média", + "text": "impor políticas existentes do Grupo de Gerenciamento às assinaturas SAP", + "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", "waf": "Operações" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", - "service": "AVS", - "severity": "Baixo", - "text": "Para implantações manuais, considere implementar bloqueios de recursos para evitar ações acidentais em sua nuvem privada de solução VMware do Azure", + "checklist": "SAP Checklist", + "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", + "severity": "Alto", + "text": "Integre aplicativos fortemente acoplados na mesma assinatura SAP para evitar complexidade adicional de roteamento e gerenciamento", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", "waf": "Operações" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", - "service": "AVS", - "severity": "Baixo", - "text": "Para implantações automatizadas, implante uma nuvem privada mínima e dimensione conforme necessário", + "checklist": "SAP Checklist", + "guid": 
"9cb107d5-325a-4e52-9ba3-4d4685e2213a", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", + "severity": "Alto", + "text": "Aproveite a assinatura como unidade de escala e dimensione nossos recursos, considere implantar a assinatura por ambiente, por exemplo. Sandbox, não-prod, prod ", + "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", "waf": "Operações" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", - "service": "AVS", - "severity": "Baixo", - "text": "Para implantações automatizadas, solicite ou reserve cota antes de iniciar a implantação", + "checklist": "SAP Checklist", + "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", + "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", + "service": "SAP", + "severity": "Alto", + "text": "Garantir o aumento da cota como parte do provisionamento de assinatura (por exemplo, total de núcleos de VM disponíveis em uma assinatura)", + "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", "waf": "Operações" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", + "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", + "service": "SAP", "severity": "Baixo", - "text": "Para implantação automatizada, verifique se os bloqueios de recursos relevantes são criados por meio da automação ou da Política do Azure para uma governança adequada", + "text": "A API de Cota é uma API REST que você pode usar para exibir e gerenciar cotas para serviços do Azure. 
Considere usá-lo, se necessário.", "waf": "Operações" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", - "service": "AVS", - "severity": "Baixo", - "text": "Implemente nomes humanos compreensíveis para chaves de autorização ExR para permitir a fácil identificação da finalidade/uso das chaves", + "checklist": "SAP Checklist", + "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", + "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", + "service": "SAP", + "severity": "Alto", + "text": "Se estiver implantando em uma zona de disponibilidade, verifique se a implantação da zona da VM estará disponível depois que a cota for aprovada. Envie uma solicitação de suporte com a assinatura, a série VM, o número de CPUs e a zona de disponibilidade necessárias.", "waf": "Operações" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "255461e2-aee3-4553-afc8-339248b262d6", - "service": "AVS", - "severity": "Baixo", - "text": "Usar o Cofre de chaves para armazenar segredos e chaves de autorização quando Princípios de Serviço separados são usados para implantar a Solução VMware do Azure e a Rota Expressa", + "checklist": "SAP Checklist", + "guid": "e6e20617-3686-4af4-9791-f8935ada4332", + "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", + "service": "SAP", + "severity": "Alto", + "text": "Certifique-se de que os serviços e recursos necessários estejam disponíveis nas regiões de implantação escolhidas, por exemplo. 
ANF, Zona etc.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", "waf": "Operações" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", - "service": "AVS", - "severity": "Baixo", - "text": "Defina dependências de recursos para serializar ações no IaC quando muitos recursos precisarem ser implantados no/na Solução VMware do Azure, pois a Solução VMware do Azure oferece suporte apenas a um número limitado de operações paralelas.", + "checklist": "SAP Checklist", + "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", + "service": "SAP", + "severity": "Média", + "text": "Aproveite a marca de recurso do Azure para categorização de custos e agrupamento de recursos (: BillTo, Departamento (ou Unidade de Negócios), Ambiente (Produção, Estágio, Desenvolvimento), Camada (Camada da Web, Camada de Aplicativo), Proprietário do Aplicativo, ProjectName)", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", "waf": "Operações" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", - "service": "AVS", - "severity": "Baixo", - "text": "Ao executar a configuração automatizada de segmentos NSX-T com um único gateway de Camada 1, use as APIs do Portal do Azure em vez das APIs do NSX-Manager", - "waf": "Operações" + "checklist": "SAP Checklist", + "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", + "severity": "Alto", + "text": "Ajude a proteger seu banco de dados HANA usando o serviço de Backup do Azure.", + "training": 
"https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", + "service": "SAP", "severity": "Média", - "text": "Ao pretender usar a expansão automatizada, certifique-se de aplicar cota suficiente da Solução VMware do Azure para as assinaturas que executam a Solução VMware do Azure", - "waf": "Desempenho" + "text": "Se você implantar os Arquivos NetApp do Azure para seu banco de dados HANA, Oracle ou DB2, use a ferramenta Azure Application Consistent Snapshot (AzAcSnap) para tirar instantâneos consistentes com o aplicativo. O AzAcSnap também suporta bancos de dados Oracle. Considere usar o AzAcSnap em uma VM central em vez de em VMs individuais.", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", + "severity": "Alto", + "text": "Garanta as correspondências de fuso horário entre o sistema operacional e o sistema SAP.", + "waf": "Operações" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "c3c7abc0-716c-4486-893c-40e181d65539", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", + "service": "SAP", "severity": "Média", - "text": "Ao pretender usar o scale-in automatizado, certifique-se de levar em consideração os requisitos da política de armazenamento antes de executar essa ação", - "waf": "Desempenho" + "text": "Não 
agrupe serviços de aplicativos diferentes no mesmo cluster. Por exemplo, não combine clusters DRBD e de serviços centrais no mesmo cluster. No entanto, você pode usar o mesmo cluster do Pacemaker para gerenciar aproximadamente cinco serviços centrais diferentes (cluster multi-SID).", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", - "service": "AVS", - "severity": "Média", - "text": "As operações de dimensionamento sempre precisam ser serializadas em um único SDDC, pois apenas uma operação de escala pode ser executada por vez (mesmo quando vários clusters são usados)", - "waf": "Desempenho" + "checklist": "SAP Checklist", + "guid": "a491dfc4-9353-4213-9217-eef0949f9467", + "link": "https://azure.microsoft.com/pricing/offers/dev-test/", + "service": "SAP", + "severity": "Baixo", + "text": "Considere executar sistemas de desenvolvimento/teste em um modelo de soneca para economizar e otimizar os custos de execução do Azure.", + "waf": "Custar" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", + "link": "https://learn.microsoft.com/azure/lighthouse/overview", + "service": "SAP", "severity": "Média", - "text": "Considerar e validar operações de dimensionamento em soluções de terceiros 3rd usadas na arquitetura (suportadas ou não)", - "waf": "Desempenho" + "text": "Se você faz parceria com clientes gerenciando suas propriedades SAP, considere o Farol do Azure. O Azure Lighthouse permite que os provedores de serviços gerenciados usem os serviços de identidade nativos do Azure para se autenticar no ambiente dos clientes. 
Ele coloca o controle nas mãos dos clientes, porque eles podem revogar o acesso a qualquer momento e auditar as ações dos prestadores de serviços.", + "waf": "Operações" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "4d116785-d2fa-456c-96ad-48408fe72734", + "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", + "service": "SAP", "severity": "Média", - "text": "Definir e impor limites máximos de entrada/saída de escala para seu ambiente nas automações", - "waf": "Desempenho" + "text": "Use o Azure Update Manager para verificar o status das atualizações disponíveis para uma única VM ou várias VMs e considere agendar patches regulares.", + "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", + "waf": "Operações" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", - "service": "AVS", - "severity": "Média", - "text": "Implementar regras de monitoramento para monitorar operações de dimensionamento automatizadas e monitorar o sucesso e a falha para habilitar respostas apropriadas (automatizadas)", + "checklist": "SAP Checklist", + "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", + "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", + "service": "SAP", + "severity": "Baixo", + "text": "Otimize e gerencie as operações do SAP Basis usando o SAP Landscape Management (LaMa). 
Use o conector SAP LaMa para Azure para realocar, copiar, clonar e atualizar sistemas SAP.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", "waf": "Operações" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", - "severity": "Alto", - "text": "Ao usar o MON, esteja ciente dos limites de VMs configuradas simulataneamente (MON Limit for HCX [400 - standard, 1000 - Larger appliance])", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "14591147-5e39-4e53-89cc-cd979366bcda", + "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", + "service": "SAP", + "severity": "Média", + "text": "Use as soluções do Azure Monitor for SAP para monitorar suas cargas de trabalho SAP (SAP HANA, clusters SUSE de alta disponibilidade e sistemas SQL) no Azure. 
Considere complementar o Azure Monitor para soluções SAP com o SAP Solution Manager.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "Operações" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", + "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", + "service": "SAP", "severity": "Alto", - "text": "Ao usar o MON, você não pode habilitar o MON em mais de 100 extensões de rede", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "Fiabilidade" + "text": "Execute uma verificação de extensão de VM para SAP. A Extensão de VM para SAP usa a identidade gerenciada atribuída de uma máquina virtual (VM) para acessar dados de monitoramento e configuração de VM. A verificação garante que todas as métricas de desempenho em seu aplicativo SAP venham da Extensão do Azure para SAP subjacente.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", + "waf": "Operações" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "SAP", "severity": "Média", - "text": "Se estiver usando uma conexão VPN para migrações, ajuste o tamanho da MTU de acordo.", - "waf": "Desempenho" + "text": "Use a Política do Azure para controle de acesso e relatórios de conformidade. 
A Política do Azure fornece a capacidade de impor configurações em toda a organização para garantir a adesão consistente à política e a detecção rápida de violações. ", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "Operações" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "e614658d-d457-4e92-9139-b821102cad6e", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", + "service": "SAP", "severity": "Média", - "text": "Para regiões de baixa conectividade conectadas ao Azure (500Mbps ou menos), considere implantar o dispositivo de otimização de WAN HCX", - "waf": "Desempenho" + "text": "Use o Monitor de Conexão no Inspetor de Rede do Azure para monitorar métricas de latência para bancos de dados SAP e servidores de aplicativos. Ou colete e exiba medições de latência de rede usando o Azure Monitor.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", + "waf": "Operações" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "73686af4-6791-4f89-95ad-a43324e13811", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", + "service": "SAP", "severity": "Média", - "text": "Certifique-se de que as migrações sejam iniciadas a partir do dispositivo local e NÃO do dispositivo em nuvem (NÃO execute uma migração reversa)", - "waf": "Fiabilidade" + "text": "Execute uma verificação de qualidade para o SAP HANA na infraestrutura provisionada do Azure para verificar se as VMs provisionadas estão em conformidade com as práticas recomendadas do SAP HANA no Azure.", + "waf": "Operações" }, { - "checklist": 
"Azure VMware Solution Design Review", - "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "AVS", - "severity": "Média", - "text": "Quando o Azure Netapp Files for usado para estender o armazenamento para a Solução VMware do Azure, considere usá-lo como um armazenamento de dados VMware em vez de anexá-lo diretamente a uma VM.", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "616785d6-fa96-4c96-ad88-518f482734c8", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", + "severity": "Alto", + "text": "Para cada assinatura do Azure, execute um teste de latência nas zonas de disponibilidade do Azure antes da implantação zonal para escolher zonas de baixa latência para implantação do SAP no Azure.", + "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "waf": "Desempenho" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", + "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", + "service": "SAP", "severity": "Média", - "text": "Verifique se um ExpressRoute Gateway dedicado está sendo usado para soluções de armazenamento de dados externos", + "text": "Execute o Relatório de Resiliência para garantir que a configuração de toda a infraestrutura provisionada do Azure (Computação, Banco de Dados, Rede, Armazenamento, Recuperação de Site) esteja em conformidade com a configuração definida pelo Cloud Adaption Framework para Azure.", + "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", "waf": 
"Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", + "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", + "service": "SAP", "severity": "Média", - "text": "Verifique se o FastPath está habilitado no ExpressRoute Gateway que está sendo usado para soluções de armazenamento de dados externos", - "waf": "Fiabilidade" - }, - { - "checklist": "Azure VMware Solution Design Review", - "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "AVS", - "severity": "Alto", - "text": "Se estiver usando cluster estendido, verifique se a solução de recuperação de desastres selecionada é suportada pelo fornecedor", - "waf": "Fiabilidade" + "text": "Implemente a proteção contra ameaças usando a solução Microsoft Sentinel para SAP. 
Use esta solução para monitorar seus sistemas SAP e detectar ameaças sofisticadas em toda a lógica de negócios e camadas de aplicativos.", + "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", + "waf": "Segurança" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "AVS", - "severity": "Alto", - "text": "Se estiver usando cluster estendido, verifique se o SLA fornecido atenderá aos seus requisitos", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", + "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "service": "SAP", + "severity": "Média", + "text": "A marcação do Azure pode ser aproveitada para agrupar e controlar recursos logicamente, automatizar suas implantações e, o mais importante, fornecer visibilidade sobre os custos incorridos.", + "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", + "waf": "Operações" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "AVS", - "severity": "Alto", - "text": "Se estiver usando cluster estendido, verifique se ambos os circuitos da Rota Expressa estão conectados ao hub de conectividade.", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", + "service": "SAP", + "severity": "Baixo", + "text": "Use o monitoramento de latência entre VMs para aplicativos sensíveis à latência.", + 
"waf": "Desempenho" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "AVS", - "severity": "Alto", - "text": "Se estiver usando cluster estendido, verifique se ambos os circuitos da Rota Expressa têm o GlobalReach habilitado.", + "checklist": "SAP Checklist", + "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", + "severity": "Média", + "text": "Use o monitoramento do Azure Site Recovery para manter a integridade do serviço de recuperação de desastres para servidores de aplicativos SAP.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", "waf": "Fiabilidade" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "AVS", - "severity": "Alto", - "text": "Faça com que as configurações de tolerância a desastres do site tenham sido devidamente consideradas e alteradas para sua empresa, se necessário.", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", + "severity": "Média", + "text": "Exclua todos os sistemas de arquivos de banco de dados e programas executáveis das verificações antivírus. Incluí-los pode levar a problemas de desempenho. Verifique com os fornecedores do banco de dados para obter detalhes prescritivos na lista de exclusão. 
Por exemplo, a Oracle recomenda excluir /oracle//sapdata das verificações antivírus.", + "waf": "Desempenho" }, { - "checklist": "Redis Resiliency checklist", - "guid": "65285269-440b-44be-9d3e-0844276d4bdc", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", - "service": "Redis", - "severity": "Alto", - "text": "Habilite a redundância de zona para o Cache do Azure para Redis. O Cache do Azure para Redis dá suporte a configurações redundantes de zona nas camadas Premium e Enterprise. Um cache redundante de zona pode colocar seus nós em diferentes zonas de disponibilidade do Azure na mesma região. Ele elimina a interrupção do data center ou AZ como um único ponto de falha e aumenta a disponibilidade geral do cache.", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "c027f893-f404-41a9-b33d-39d625a14964", + "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", + "service": "SAP", + "severity": "Baixo", + "text": "Considere a coleta de estatísticas completas de banco de dados para bancos de dados não-HANA após a migração. Por exemplo, implemente a nota SAP 1020260 - Entrega de estatísticas Oracle.", + "waf": "Desempenho" }, { - "checklist": "Redis Resiliency checklist", - "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", - "service": "Redis", - "severity": "Média", - "text": "Configure a persistência de dados para uma instância do Cache do Azure para Redis. Como os dados do cache são armazenados na memória, uma falha rara e não planejada de vários nós pode fazer com que todos os dados sejam descartados. 
Para evitar a perda completa de dados, a persistência do Redis permite que você tire instantâneos periódicos de dados na memória e os armazene em sua conta de armazenamento.", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", + "service": "SAP", + "severity": "Média", + "text": "Considere o uso do Oracle Automatic Storage Management (ASM) para todas as implantações Oracle que usam SAP no Azure.", + "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", + "waf": "Desempenho" }, { - "checklist": "Redis Resiliency checklist", - "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", - "service": "Redis", + "checklist": "SAP Checklist", + "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", + "service": "SAP", "severity": "Média", - "text": "Use a conta de armazenamento com redundância geográfica para persistir o Cache do Azure para dados Redis ou zonalmente redundante onde a redundância geográfica não está disponível", - "waf": "Fiabilidade" + "text": "Para SAP no Azure executando Oracle, uma coleção de scripts SQL pode ajudá-lo a diagnosticar problemas de desempenho. Os relatórios do Automatic Workload Repository (AWR) contêm informações valiosas para diagnosticar problemas no sistema Oracle. 
Recomendamos que você execute um relatório AWR durante várias sessões e escolha horários de pico para ele, para garantir uma ampla cobertura para a análise.", + "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", + "waf": "Desempenho" }, { - "checklist": "Redis Resiliency checklist", - "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", - "service": "Redis", - "severity": "Média", - "text": "Configure a replicação geográfica passiva para instâncias do Cache Premium do Azure para Redis. A replicação geográfica é um mecanismo para vincular duas ou mais instâncias do Cache do Azure para Redis, normalmente abrangendo duas regiões do Azure. A replicação geográfica foi projetada principalmente para recuperação de desastres entre regiões. Duas instâncias de cache de camada Premium são conectadas por meio de replicação geográfica de uma forma que fornece leituras e gravações no cache primário e que os dados são replicados para o cache secundário.", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", + "severity": "Alto", + "text": "Use o monitoramento do Azure Site Recovery para manter a integridade do serviço de recuperação de desastres para servidores de aplicativos SAP.", + "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "waf": "Operações" }, { - "checklist": "Azure Spring Apps Review", - "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", - "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", - "service": "Spring Apps", + "checklist": "SAP Checklist", + "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", + "link": 
"https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "SAP", "severity": "Média", - "text": "Os Aplicativos Spring do Azure permitem duas implantações para cada aplicativo, apenas um dos quais recebe tráfego de produção. Você pode obter tempo de inatividade zero com estratégias de implantação em verde azul. A implantação verde azul só está disponível nas camadas Standard e Enterprise. Você pode automatizar a implantação usando CI/CD com ações do ADO/GitHub", - "waf": "Fiabilidade" + "text": "Para a entrega segura de aplicativos HTTP/S, use o Application Gateway v2 e verifique se a proteção e as políticas do WAF estão habilitadas.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", + "waf": "Segurança" }, { - "checklist": "Azure Spring Apps Review", - "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", - "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", - "service": "Spring Apps", + "checklist": "SAP Checklist", + "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", "severity": "Média", - "text": "As instâncias do Azure Spring Apps podem ser criadas em várias regiões para seus aplicativos e o tráfego pode ser roteado pelo Gerenciador de Tráfego/Front Door.", - "waf": "Fiabilidade" + "text": "Se o DNS ou o nome virtual da máquina virtual não for alterado durante a migração para o Azure, o DNS em segundo plano e os nomes virtuais conectam muitas interfaces do sistema no cenário SAP, e os clientes só às vezes estão cientes das interfaces que os desenvolvedores definem ao longo do tempo. 
Surgem desafios de conexão entre vários sistemas quando os nomes virtuais ou DNS mudam após as migrações, e é recomendável manter os aliases DNS para evitar esses tipos de dificuldades.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "Operações" }, { - "checklist": "Azure Spring Apps Review", - "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", - "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", - "service": "Spring Apps", + "checklist": "SAP Checklist", + "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", "severity": "Média", - "text": "Na região com suporte, os Aplicativos Spring do Azure podem ser implantados como zona redundante, o que significa que as instâncias são distribuídas automaticamente entre zonas de disponibilidade. Esse recurso só está disponível nas camadas Standard e Enterprise.", - "waf": "Fiabilidade" + "text": "Use zonas DNS diferentes para distinguir cada ambiente (sandbox, desenvolvimento, pré-produção e produção) um do outro. 
A exceção é para implantações SAP com sua própria VNet; aqui, zonas DNS privadas podem não ser necessárias.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "Operações" }, { - "checklist": "Azure Spring Apps Review", - "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", - "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", - "service": "Spring Apps", + "checklist": "SAP Checklist", + "guid": "a3592829-e6e2-4061-9368-6af46791f893", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", + "service": "SAP", "severity": "Média", - "text": "Usar mais de 1 instância de aplicativo para seus aplicativos", + "text": "Emparelhamento de rede virtual local e global fornecem conectividade e são as abordagens preferidas para garantir a conectividade entre zonas de aterrissagem para implantações SAP em várias regiões do Azure", + "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", "waf": "Fiabilidade" }, { - "checklist": "Azure Spring Apps Review", - "guid": "7504c230-6035-4183-95a5-85762acc6075", - "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", - "service": "Spring Apps", - "severity": "Média", - "text": "Monitore os Aplicativos Spring do Azure com logs, métricas e rastreamento. 
Integre o ASA com insights de aplicativos e rastreie falhas e crie pastas de trabalho.", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", + "service": "SAP", + "severity": "Alto", + "text": "Não há suporte para implantar qualquer NVA entre o aplicativo SAP e o servidor de banco de dados SAP", + "training": "https://me.sap.com/notes/2731110", + "waf": "Desempenho" }, { - "checklist": "Azure Spring Apps Review", - "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", - "service": "Spring Apps", + "checklist": "SAP Checklist", + "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", + "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", + "service": "SAP", "severity": "Média", - "text": "Configurar o dimensionamento automático no Spring Cloud Gateway", - "waf": "Fiabilidade" + "text": "Use a WAN Virtual para implantações do Azure em redes novas, grandes ou globais onde você precisa de conectividade de trânsito global entre regiões do Azure e locais locais. 
Com essa abordagem, você não precisará configurar manualmente o roteamento transitivo para a rede do Azure e poderá seguir um padrão para implantações do SAP no Azure.", + "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "waf": "Operações" }, { - "checklist": "Azure Spring Apps Review", - "guid": "97411607-b6fd-4335-99d1-9885faf4e392", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", - "service": "Spring Apps", - "severity": "Baixo", - "text": "Habilite o dimensionamento automático para os aplicativos com o plano de consumo padrão e dedicado.", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", + "service": "SAP", + "severity": "Média", + "text": "Considere a implantação de dispositivos virtuais de rede (NVAs) entre regiões somente se NVAs de parceiros forem usados. NVAs entre regiões ou VNets não são necessários se NVAs nativos estiverem presentes. Ao implantar tecnologias de rede de parceiros e NVAs, siga as orientações do fornecedor para verificar configurações conflitantes com a rede do Azure.", + "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", + "waf": "Operações" }, { - "checklist": "Azure Spring Apps Review", - "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", - "link": "https://learn.microsoft.com/azure/spring-apps/overview", - "service": "Spring Apps", + "checklist": "SAP Checklist", + "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", + "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", + "service": "SAP", "severity": "Média", - "text": "Use o plano Enterprise para suporte comercial de inicialização spring para aplicativos de missão crítica. 
Com outras camadas, você obtém suporte a OSS.", - "waf": "Fiabilidade" + "text": "A WAN virtual gerencia a conectividade entre VNets spoke para topologias baseadas em WAN virtual (não há necessidade de configurar o roteamento definido pelo usuário [UDR] ou NVAs), e a taxa de transferência máxima de rede para o tráfego de VNet-to-VNet no mesmo hub virtual é de 50 gigabits por segundo. Se necessário, as zonas de aterrissagem SAP podem usar o emparelhamento de VNet para se conectar a outras zonas de aterrissagem e superar essa limitação de largura de banda.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", + "waf": "Operações" }, { - "checklist": "Azure Event Hub Review", - "description": "O Hub de Eventos do Azure fornece criptografia de dados em repouso. Se você usar sua própria chave, os dados ainda serão criptografados usando a chave gerenciada pela Microsoft, mas, além disso, a chave gerenciada pela Microsoft será criptografada usando a chave gerenciada pelo cliente. 
", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "service": "Event Hubs", - "severity": "Baixo", - "text": "Usar a opção de chave gerenciada pelo cliente na criptografia de dados em repouso quando necessário", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "checklist": "SAP Checklist", + "guid": "82734c88-6ba2-4802-8459-11475e39e530", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", + "severity": "Alto", + "text": "A atribuição de IP público à VM que executa o SAP Workload não é recomendada.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", "waf": "Segurança" }, { - "checklist": "Azure Event Hub Review", - "description": "Os namespaces dos Hubs de Eventos do Azure permitem que os clientes enviem e recebam dados com TLS 1.0 e superior. Para impor medidas de segurança mais rígidas, você pode configurar o namespace dos Hubs de Eventos para exigir que os clientes enviem e recebam dados com uma versão mais recente do TLS. Se um namespace de Hubs de Eventos exigir uma versão mínima do TLS, todas as solicitações feitas com uma versão mais antiga falharão. 
", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "service": "Event Hubs", - "severity": "Média", - "text": "Impor uma versão mínima necessária do TLS (Transport Layer Security) para solicitações ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Segurança" + "checklist": "SAP Checklist", + "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", + "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "service": "SAP", + "severity": "Alto", + "text": "Considere reservar o endereço IP no lado do DR ao configurar o ASR", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Operações" }, { - "checklist": "Azure Event Hub Review", - "description": "Quando você cria um namespace de Hubs de Eventos, uma regra de política chamada RootManageSharedAccessKey é criada automaticamente para o namespace. Essa política tem permissões de gerenciamento para todo o namespace. É recomendável que você trate essa regra como uma conta raiz administrativa e não a use em seu aplicativo. Recomenda-se o uso do AAD como um provedor de autenticação com RBAC. 
", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "service": "Event Hubs", - "severity": "Média", - "text": "Evite usar conta root quando não for necessário", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "Segurança" + "checklist": "SAP Checklist", + "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", + "severity": "Alto", + "text": "Evite usar intervalos de endereços IP sobrepostos para sites de produção e DR.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "waf": "Operações" }, { - "checklist": "Azure Event Hub Review", - "description": "As identidades gerenciadas para recursos do Azure podem autorizar o acesso a recursos dos Hubs de Eventos usando credenciais do Azure AD de aplicativos em execução em VMs (Máquinas Virtuais) do Azure, aplicativos de Função, Conjuntos de Dimensionamento de Máquina Virtual e outros serviços. Usando identidades gerenciadas para recursos do Azure junto com a autenticação do Azure AD, você pode evitar o armazenamento de credenciais com seus aplicativos executados na nuvem. ", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "6e154e3a-a359-4282-ae6e-206173686af4", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", + "service": "SAP", "severity": "Média", - "text": "Quando possível, seu aplicativo deve estar usando uma identidade gerenciada para autenticar no Hub de Eventos do Azure. 
Caso contrário, considere ter a credencial de armazenamento (SAS, credencial da entidade de serviço) no Cofre de Chaves do Azure ou em um serviço equivalente", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Segurança" + "text": "Embora o Azure ajude você a criar várias sub-redes delegadas em uma rede virtual, apenas uma sub-rede delegada pode existir em uma rede virtual para arquivos do Azure NetApp. As tentativas de criar um novo volume falharão se você usar mais de uma sub-rede delegada para Arquivos do Azure NetApp.", + "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", + "waf": "Operações" }, { - "checklist": "Azure Event Hub Review", - "description": "Ao criar permissões, forneça controle refinado sobre o acesso de um cliente ao Hub de Eventos do Azure. As permissões no Hub de Eventos do Azure podem e devem ter o escopo definido para o nível de recurso individual, por exemplo, grupo de consumidores, entidade de hub de eventos, namespaces de hub de eventos, etc.", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "service": "Event Hubs", - "severity": "Alto", - "text": "Usar RBAC do plano de dados de privilégios mínimos", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "checklist": "SAP Checklist", + "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", + "service": "SAP", + "severity": "Média", + "text": "Usar o Firewall do Azure para controlar o tráfego de saída do Azure para a Internet, conexões de entrada não HTTP/S e filtragem de tráfego Leste/Oeste (se a 
organização exigir)", + "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", "waf": "Segurança" }, { - "checklist": "Azure Event Hub Review", - "description": "Os logs de recursos do Hub de Eventos do Azure incluem logs operacionais, logs de rede virtual e logs de Kafka. Os logs de auditoria de tempo de execução capturam informações de diagnóstico agregadas para todas as operações de acesso ao plano de dados (como eventos de envio ou recebimento) nos Hubs de Eventos.", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", + "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", + "service": "SAP", "severity": "Média", - "text": "Habilite o registro em log para investigação de segurança. Use o Azure Monitor para capturar métricas e logs como logs de recursos, logs de auditoria de tempo de execução e logs Kafka", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "text": "O Application Gateway e o Web Application Firewall têm limitações quando o Application Gateway serve como um proxy reverso para aplicativos Web SAP, conforme mostrado na comparação entre o Application Gateway, o SAP Web Dispatcher e outros serviços de terceiros.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", "waf": "Segurança" }, { - "checklist": "Azure Event Hub Review", - "description": "Por padrão, o Hub de Eventos do Azure tem um endereço IP público e pode ser acessado pela Internet. Os pontos de extremidade privados permitem que o tráfego entre sua rede virtual e o Hub de Eventos do Azure percorra a rede de backbone da Microsoft. Além disso, você deve desabilitar os pontos de extremidade públicos se eles não forem usados. 
", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", "severity": "Média", - "text": "Considere o uso de pontos de extremidade privados para acessar o Hub de Eventos do Azure e desabilitar o acesso à rede pública quando aplicável.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "text": "Use as políticas do Azure Front Door e do WAF para fornecer proteção global entre as regiões do Azure para conexões HTTP/S de entrada para uma zona de aterrissagem.", + "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", "waf": "Segurança" }, { - "checklist": "Azure Event Hub Review", - "description": "Com o firewall IP, você pode restringir ainda mais o ponto de extremidade público a apenas um conjunto de endereços IPv4 ou intervalos de endereços IPv4 na notação CIDR (Roteamento entre Domínios Sem Classe). ", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "SAP", "severity": "Média", - "text": "Considere permitir apenas o acesso ao namespace do Hub de Eventos do Azure a partir de endereços IP ou intervalos específicos", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "text": "Aproveite as políticas do Web Application Firewall no Azure Front Door quando estiver usando o Azure Front Door e o Application Gateway para proteger aplicativos HTTP/S. 
Bloqueie o Gateway de Aplicativo para receber tráfego somente do Azure Front Door.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", "waf": "Segurança" }, { - "checklist": "Azure Event Hub Review", - "guid": "31d41e36-11c8-417b-8afb-c410d4391898", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "5ada4332-4e13-4811-9231-81aa41742694", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", "severity": "Média", - "text": "Aproveite o Manual de Resilência do FTA", - "waf": "Fiabilidade" + "text": "Use um firewall de aplicativo Web para verificar seu tráfego quando ele estiver exposto à Internet. Outra opção é usá-lo com seu balanceador de carga ou com recursos que tenham recursos internos de firewall, como o Application Gateway ou soluções de terceiros.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "waf": "Segurança" }, { - "checklist": "Azure Event Hub Review", - "description": " Isso será ativado automaticamente para um novo namespace de EH criado a partir do portal com SKUs Premium, Dedicado ou Standard em uma região habilitada para região. 
Os metadados do EH e os próprios dados do evento são replicados entre zonas", - "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", - "service": "Event Hubs", - "severity": "Alto", - "text": "Aproveite as zonas de disponibilidade, se aplicável regionalmente", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "SAP", + "severity": "Média", + "text": "Use a WAN Virtual para implantações do Azure em redes novas, grandes ou globais onde você precisa de conectividade de trânsito global entre regiões do Azure e locais locais. Com essa abordagem, você não precisará configurar manualmente o roteamento transitivo para a rede do Azure e poderá seguir um padrão para implantações do SAP no Azure.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", + "waf": "Desempenho" }, { - "checklist": "Azure Event Hub Review", - "guid": "20b56c56-ad58-4519-8f82-735c586bb281", - "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "SAP", "severity": "Média", - "text": "Use os SKUs Premium ou Dedicado para desempenho previsível", - "waf": "Fiabilidade" + "text": "Para evitar o vazamento de dados, use o Link Privado do Azure para acessar com segurança recursos de plataforma como serviço, como Armazenamento de Blobs do Azure, Arquivos do Azure, Azure Data Lake Storage Gen2, Azure Data Factory e muito mais. 
O Ponto de Extremidade Privado do Azure também pode ajudar a proteger o tráfego entre VNets e serviços como o Armazenamento do Azure, o Backup do Azure e muito mais. O tráfego entre sua rede virtual e o serviço habilitado para ponto de extremidade privado viaja pela rede global da Microsoft, o que impede sua exposição à Internet pública.", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", + "waf": "Segurança" }, { - "checklist": "Azure Event Hub Review", - "description": "O recurso interno de recuperação de desastres geográficos, quando habilitado, garante que toda a configuração de um namespace (Hubs de Eventos, Grupos de Consumidores e configurações) seja replicada continuamente de um namespace primário para um namespace secundário e permite uma movimentação de failover única do primário para o secundário a qualquer momento. O recurso Ativo/Passivo foi projetado para facilitar a recuperação e o abandono de uma região do Azure com falha sem precisar alterar as configurações do aplicativo", - "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", + "service": "SAP", "severity": "Alto", - "text": "Planejar a recuperação de desastres geográficos usando a configuração passiva ativa", - "waf": "Fiabilidade" + "text": "Verifique se a rede acelerada do Azure está habilitada nas VMs usadas nas camadas de aplicativo SAP e DBMS.", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "Desempenho" }, { - "checklist": "Azure Event Hub Review", - "description": "Deve ser usado para configurações de DR em que 
uma interrupção ou perda de dados de eventos na região derrubada não pode ser tolerada. Para esses casos, siga as diretrizes de replicação e não use o recurso interno de recuperação de desastres geográficos (ativo/passivo). Com Ativo/Ativo, mantenha vários Hubs de Eventos em diferentes regiões e namespaces, e os eventos serão replicados entre os hubs", - "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", + "service": "SAP", "severity": "Média", - "text": "Para aplicativos críticos para os negócios, use a configuração ativa", - "waf": "Fiabilidade" + "text": "Verifique se as implantações internas do Azure Load Balancer estão configuradas para usar DSR (Direct Server Return). Essa configuração (Habilitando IP flutuante) reduzirá a latência quando as configurações internas do balanceador de carga forem usadas para configurações de alta disponibilidade na camada DBMS.", + "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "waf": "Segurança" }, { - "checklist": "Azure Event Hub Review", - "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", - "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "6791f893-5ada-4433-84e1-3811523181aa", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "SAP", "severity": "Média", - "text": "Projetar Hubs de Eventos Resilientes", - "waf": "Fiabilidade" + "text": "Você pode usar as regras ASG (grupo de segurança de aplicativo) e NSG para definir listas de controle de acesso de segurança de rede entre o 
aplicativo SAP e as camadas DBMS. Os ASGs agrupam máquinas virtuais para ajudar a gerenciar sua segurança.", + "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", + "waf": "Segurança" }, { - "checklist": "IoT Hub Review", - "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", - "service": "IoT", + "checklist": "SAP Checklist", + "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "severity": "Alto", - "text": "Aproveitar zonas de disponibilidade, se aplicável regionalmente (isso é habilitado automaticamente)", - "waf": "Fiabilidade" + "text": "Não há suporte para a colocação da camada de aplicativo SAP e do SGBD SAP em diferentes VNets do Azure que não são emparelhadas.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Desempenho" }, { - "checklist": "IoT Hub Review", - "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", + "checklist": "SAP Checklist", + "guid": "fa96c96a-d885-418f-9827-34c886ba2802", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "Média", - "text": "Esteja ciente dos failovers iniciados pela Microsoft. 
Eles são exercidos pela Microsoft em raras situações para fazer failover de todos os hubs IoT de uma região afetada para a região geo-emparelhada correspondente.", - "waf": "Fiabilidade" + "text": "Para obter a latência de rede ideal com aplicativos SAP, considere o uso de grupos de posicionamento de proximidade do Azure.", + "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", + "waf": "Desempenho" }, { - "checklist": "IoT Hub Review", - "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", - "service": "IoT", + "checklist": "SAP Checklist", + "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "severity": "Alto", - "text": "Considere uma estratégia de DR entre regiões para cargas de trabalho críticas", - "waf": "Fiabilidade" + "text": "NÃO há suporte para executar uma camada do SAP Application Server e uma camada de DBMS dividida entre o local e o Azure. 
Ambas as camadas precisam residir completamente no local ou no Azure.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Desempenho" }, { - "checklist": "IoT Hub Review", - "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", + "checklist": "SAP Checklist", + "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "severity": "Alto", - "text": "Saiba como acionar um failover manual.", - "waf": "Fiabilidade" + "text": "Não é recomendado hospedar o sistema de gerenciamento de banco de dados (DBMS) e as camadas de aplicativos dos sistemas SAP em diferentes VNets e conectá-los ao emparelhamento de VNet devido aos custos substanciais que o tráfego de rede excessivo entre as camadas pode produzir. Recomende o uso de sub-redes na rede virtual do Azure para separar a camada de aplicativo SAP e a camada DBMS.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Custar" }, { - "checklist": "IoT Hub Review", - "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", - "service": "IoT", + "checklist": "SAP Checklist", + "guid": "402a9846-d515-4061-aff8-cd30088693fa", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", + "service": "SAP", "severity": "Alto", - "text": "Saiba como fazer failback após um failover.", - "waf": "Fiabilidade" + "text": "Se estiver usando o Load Balancer com sistemas operacionais convidados Linux, verifique se o parâmetro de rede Linux net.ipv4.tcp_timestamps está definido como 0.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + 
"waf": "Desempenho" }, { - "checklist": "Azure Bot Service", - "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", - "service": "Bot service", + "checklist": "SAP Checklist", + "guid": "87585797-5551-4d53-bb7d-a94ee415734d", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", + "service": "SAP", "severity": "Média", - "text": "Siga as recomendações de suporte de confiabilidade no Serviço de Bot do Azure", - "waf": "Fiabilidade" + "text": "Para implantações SAP RISE/ECS, o emparelhamento virtual é a maneira preferida de estabelecer conectividade com o ambiente existente do Azure do cliente. Tanto a vnet do SAP quanto a(s) vnet(s) do cliente são protegidas com grupos de segurança de rede (NSG), permitindo a comunicação nas portas SAP e de banco de dados por meio do emparelhamento vnet", + "waf": "Segurança" }, { - "checklist": "Azure Bot Service", - "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", - "service": "Bot service", - "severity": "Média", - "text": "Implantando bots com residência de dados local e conformidade regional", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", + "severity": "Alto", + "text": "Revise os backups de banco de dados do SAP HANA para VMs do Azure.", + "waf": "Custar" }, { - "checklist": "Azure Bot Service", - "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", - "service": "Bot service", + "checklist": "SAP Checklist", + "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", + "link": 
"https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", "severity": "Média", - "text": "O Serviço de Bot do Azure é executado no modo ativo-ativo para serviços globais e regionais. Quando ocorre uma paralisação, você não precisa detectar erros ou gerenciar o serviço. O Serviço de Bot do Azure executa automaticamente o failover automático e a recuperação automática em uma arquitetura geográfica de várias regiões. Para o serviço regional de bot da UE, o Serviço de Bot do Azure fornece duas regiões completas dentro da Europa com replicação ativa/ativa para garantir redundância. Para o serviço de bot global, todas as regiões/geografias disponíveis podem ser servidas como a presença global.", - "waf": "Fiabilidade" - }, - { - "checklist": "Device Provisioning Service Review", - "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", - "service": "IoT Hub DPS", - "severity": "Alto", - "text": "Selecione o plano de hospedagem de aplicativo lógico certo com base em seus requisitos de negócios e SLO", - "waf": "Fiabilidade" + "text": "Revise o monitoramento interno do Site Recovery, quando usado para SAP.", + "waf": "Custar" }, { - "checklist": "Device Provisioning Service Review", - "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "IoT Hub DPS", + "checklist": "SAP Checklist", + "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", + "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", + "service": "SAP", "severity": "Alto", - "text": "Proteja aplicativos lógicos contra falhas de região com redundância de zona e zonas de disponibilidade", - "waf": "Fiabilidade" + "text": "Revise as diretrizes de monitoramento do 
cenário do sistema SAP HANA.", + "waf": "Operações" }, { - "checklist": "Device Provisioning Service Review", - "guid": "8aed4fbf-0830-4883-899d-222a154af478", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "IoT Hub DPS", - "severity": "Alto", - "text": "Considere uma estratégia de DR entre regiões para cargas de trabalho críticas", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", + "service": "SAP", + "severity": "Média", + "text": "Revise o Banco de Dados Oracle nas estratégias de backup de VM do Linux do Azure.", + "waf": "Operações" }, { - "checklist": "Device Provisioning Service Review", - "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "IoT Hub DPS", - "severity": "Alto", - "text": "Se estiver implantando em um ambiente isolado, use ou migre para o ASE (Ambiente do Serviço de Aplicativo) v3", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", + "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", + "service": "SAP", + "severity": "Média", + "text": "Analise o uso do Armazenamento de Blobs do Azure com o SQL Server 2016.", + "waf": "Operações" }, { - "checklist": "Device Provisioning Service Review", - "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "IoT Hub DPS", + "checklist": "SAP Checklist", + "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", + "link": 
"https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", + "service": "SAP", "severity": "Média", - "text": "Aproveite o Azure DevOps ou o GitHub para simplificar o CI/CD e proteger seu código de Aplicativo Lógico", + "text": "Analise o uso do Backup Automatizado v2 para VMs do Azure.", "waf": "Operações" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Front Door", - "severity": "Média", - "text": "Se você usar certificados TLS gerenciados pelo cliente com o Azure Front Door, use a versão de certificado 'Mais recente'. Reduzir o risco de paralisações causadas pela renovação manual de certificados", + "checklist": "SAP Checklist", + "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", + "service": "SAP", + "severity": "Alto", + "text": "Ativando o acelerador de gravação para a série M ao usar discos premium (V1)", "waf": "Operações" }, { - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", - "guid": "553585a6-abe0-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "App Gateway", - "severity": "Média", - "text": "Verifique se você está usando o SKU do Application Gateway v2", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Segurança" - }, - { - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", - "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", - "link": 
"https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Load Balancer", + "checklist": "SAP Checklist", + "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "service": "SAP", "severity": "Média", - "text": "Verifique se você está usando a SKU padrão para seus Balanceadores de Carga do Azure", - "waf": "Segurança" + "text": "Testar a latência da zona de disponibilidade.", + "waf": "Desempenho" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "9432621a-8397-4654-a882-5bc856b7ef83", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", - "service": "Load Balancer", + "checklist": "SAP Checklist", + "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", + "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", + "service": "SAP", "severity": "Média", - "text": "Verifique se os endereços IP de front-end dos Load Balancers são redundantes por zona (a menos que você precise de frontends zonais).", - "waf": "Segurança" + "text": "Ative o SAP EarlyWatch Alert para todos os componentes SAP.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", + "waf": "Desempenho" }, { - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend 
subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", - "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", + "service": "SAP", "severity": "Média", - "text": "Seus Application Gateways v2 devem ser implantados em sub-redes com prefixos IP iguais ou maiores que /24", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Segurança" + "text": "Revise a latência do servidor de aplicativos SAP para o servidor de banco de dados usando o relatório SAP ABAPMeter /SSA/CAT.", + "training": "https://me.sap.com/notes/0002879613", + "waf": "Desempenho" }, { - "checklist": "Azure Application Delivery Networking", - "description": "A administração de proxies reversos em geral e do WAF em particular está mais próxima do aplicativo do que da rede, portanto, eles pertencem à mesma assinatura que o aplicativo. 
Centralizar o Application Gateway e o WAF na assinatura de conectividade pode ser OK se for gerenciado por uma única equipe.", - "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", + "service": "SAP", "severity": "Média", - "text": "Implante o Gateway de Aplicativo do Azure v2 ou NVAs de parceiros usados para fazer proxy de conexões HTTP(S) de entrada na rede virtual da zona de aterrissagem e com os aplicativos que eles estão protegendo.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Segurança" + "text": "Revise o monitoramento de desempenho do SQL Server usando o CCMS.", + "waf": "Desempenho" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", + "link": "https://me.sap.com/notes/500235", + "service": "SAP", "severity": "Média", - "text": "Use uma rede DDoS ou planos de proteção IP para todos os endereços IP públicos nas zonas de aterrissagem do aplicativo.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Segurança" + "text": "Teste a latência de rede entre VMs de camada de aplicativo SAP e VMs DBMS (NIPING).", + "training": "https://me.sap.com/notes/1100926/E", + "waf": "Desempenho" }, { - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", - "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", - 
"link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", + "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", + "service": "SAP", "severity": "Média", - "text": "Configure o dimensionamento automático com uma quantidade mínima de duas instâncias.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Fiabilidade" + "text": "Revise os alertas do SAP HANA Studio.", + "waf": "Desempenho" }, { - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", - "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", - "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", + "link": "https://me.sap.com/notes/1969700", + "service": "SAP", "severity": "Média", - "text": "Implantar o Application Gateway em zonas de disponibilidade", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Fiabilidade" + "text": "Execute verificações de integridade do SAP HANA usando HANA_Configuration_Minichecks.", + "waf": "Desempenho" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", "severity": "Média", - "text": "Use o Azure Front 
Door com políticas WAF para fornecer e ajudar a proteger aplicativos HTTP/S globais que abrangem várias regiões do Azure.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "Se você executar VMs do Windows e Linux no Azure, no local ou em outros ambientes de nuvem, poderá usar o Centro de gerenciamento de atualizações na Automação do Azure para gerenciar atualizações do sistema operacional, incluindo patches de segurança.", + "training": "https://learn.microsoft.com/azure/automation/update-management/overview", "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "3f29812b-2363-4cef-b179-b599de0d5973", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "08951710-79a2-492a-adbc-06d7a401545b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", "severity": "Média", - "text": "Ao usar o Front Door e o Application Gateway para ajudar a proteger aplicativos HTTP/S, use políticas WAF no Front Door. 
Bloqueie o Application Gateway para receber tráfego somente do Front Door.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "Analise rotineiramente as notas de OSS de segurança do SAP porque o SAP lança patches de segurança altamente críticos, ou hot fixes, que exigem ação imediata para proteger seus sistemas SAP.", + "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", "waf": "Segurança" }, { - "ammp": true, - "arm-service": "microsoft.network/trafficManagerProfiles", - "checklist": "Azure Application Delivery Networking", - "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Traffic Manager", - "severity": "Alto", - "text": "Use o Gerenciador de Tráfego para fornecer aplicativos globais que abrangem protocolos diferentes de HTTP/S.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Fiabilidade" - }, - { - "checklist": "Azure Application Delivery Networking", - "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", "severity": "Baixo", - "text": "Se os usuários precisarem apenas de acesso a aplicativos internos, o Proxy de Aplicativo de ID do Microsoft Entra foi considerado uma alternativa à Área de Trabalho Virtual (AVD) do Azure?", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "text": "Para SAP no SQL Server, você pode desabilitar a conta de administrador do sistema do SQL Server porque os sistemas SAP no SQL Server não usam a 
conta. Certifique-se de que outro usuário com direitos de administrador do sistema possa acessar o servidor antes de desabilitar a conta de administrador do sistema original.", "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", - "severity": "Média", - "text": "Para reduzir o número de portas de firewall abertas para conexões de entrada em sua rede, considere o uso do Microsoft Entra ID Application Proxy para dar aos usuários remotos acesso seguro e autenticado a aplicativos internos.", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "checklist": "SAP Checklist", + "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", + "severity": "Alto", + "text": "Desative xp_cmdshell. O recurso do SQL Server xp_cmdshell habilita um shell de comando do sistema operacional interno do SQL Server. 
É um risco potencial em auditorias de segurança.", + "training": "https://me.sap.com/notes/3019299/E", "waf": "Segurança" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", - "guid": "ae248989-b306-4591-9186-de482e3f0f0e", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "severity": "Alto", - "text": "Implante sua política de WAF para Front Door no modo 'Prevenção'.", + "text": "A criptografia de servidores de banco de dados SAP HANA no Azure usa a tecnologia de criptografia nativa do SAP HANA. 
Além disso, se você estiver usando o SQL Server no Azure, use a TDE (Criptografia de Dados Transparente) para proteger seus dados e arquivos de log e garantir que seus backups também sejam criptografados.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", "waf": "Segurança" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "Front Door", - "severity": "Alto", - "text": "Evite combinar o Gerenciador de Tráfego do Azure e o Azure Front Door.", + "checklist": "SAP Checklist", + "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "SAP", + "severity": "Média", + "text": "A criptografia de Armazenamento do Azure está habilitada para todas as contas clássicas e do Gerenciador de Recursos do Azure e não pode ser desabilitada. Como seus dados são criptografados por padrão, você não precisa modificar seu código ou aplicativos para usar a criptografia do Armazenamento do Azure.", + "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", "waf": "Segurança" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "SAP", "severity": "Alto", - "text": "Use o mesmo nome de domínio no Azure Front Door e sua origem. 
Nomes de host incompatíveis podem causar bugs sutis.", + "text": "Usar o Cofre de Chaves do Azure para armazenar seus segredos e credenciais", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", - "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "Front Door", - "severity": "Baixo", - "text": "Desabilite os testes de integridade quando houver apenas uma origem em um grupo de origem do Azure Front Door.", - "waf": "Desempenho" - }, - { - "checklist": "Azure Application Delivery Networking", - "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "829e2edb-2173-4676-aff6-691b4935ada4", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "SAP", "severity": "Média", - "text": "Selecione bons pontos de extremidade de teste de integridade para o Azure Front Door. 
Considere a criação de pontos de extremidade de integridade que verifiquem todas as dependências do seu aplicativo.", - "waf": "Fiabilidade" - }, - { - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", - "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "Front Door", - "severity": "Baixo", - "text": "Use testes de integridade do HEAD com o Azure Front Door para reduzir o tráfego que o Front Door envia para seu aplicativo.", - "waf": "Desempenho" + "text": "É recomendável BLOQUEAR os Recursos do Azure após a implantação bem-sucedida para proteger contra alterações não autorizadas. 
Você também pode impor restrições e regras LOCK em sua base por assinatura usando políticas personalizadas do Azure (função Personalizada).", + "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", + "waf": "Segurança" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", - "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "Load Balancer", - "severity": "Alto", - "text": "Usar o Gateway NAT do Azure em vez das regras de saída do Load Balancer para melhor escalabilidade do SNAT", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "SAP", + "severity": "Média", + "text": "Provisione o Cofre de Chaves do Azure com as políticas de exclusão e limpeza suaves habilitadas para permitir a proteção de retenção para objetos excluídos.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "Segurança" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", - "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - 
"service": "Front Door", + "checklist": "SAP Checklist", + "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", + "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", + "service": "SAP", "severity": "Alto", - "text": "Use certificados TLS gerenciados com o Azure Front Door. Reduza o custo operacional e o risco de paralisações devido a renovações de certificados.", - "waf": "Operações" + "text": "Com base nos requisitos existentes, controles normativos e de conformidade (internos/externos) - Determine quais Políticas do Azure e a função RBAC do Azure são necessárias", + "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", + "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", - "service": "Front Door", - "severity": "Média", - "text": "Defina sua configuração do WAF do Azure Front Door como código. Usando o código, você pode adotar mais facilmente a nova versão do conjunto de regras e obter proteção adicional.", - "waf": "Operações" + "checklist": "SAP Checklist", + "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "Alto", + "text": "Ao habilitar o Microsoft Defender for Endpoint no ambiente SAP, recomende excluir arquivos de dados e de log em servidores DBMS em vez de direcionar todos os servidores. 
Siga as recomendações do fornecedor do DBMS ao excluir arquivos de destino.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", + "waf": "Segurança" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", + "service": "SAP", "severity": "Alto", - "text": "Use o TLS de ponta a ponta com o Azure Front Door. Use o TLS para conexões de seus clientes com o Front Door e do Front Door com sua origem.", + "text": "Delegue uma função personalizada de administrador SAP com acesso just-in-time do Microsoft Defender for Cloud.", + "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", - "service": "Front Door", - "severity": "Média", - "text": "Use o redirecionamento HTTP para HTTPS com o Azure Front Door. 
Ofereça suporte a clientes mais antigos redirecionando-os para uma solicitação HTTPS automaticamente.", + "checklist": "SAP Checklist", + "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "Baixo", + "text": "criptografar dados em trânsito integrando o produto de segurança de terceiros com comunicações de rede seguras (SNC) para DIAG (SAP GUI), RFC e SPNEGO para HTTPS", + "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", "waf": "Segurança" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", - "service": "Front Door", - "severity": "Alto", - "text": "Habilite o WAF do Azure Front Door. Proteja seu aplicativo contra uma série de ataques.", + "checklist": "SAP Checklist", + "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", + "service": "SAP", + "severity": "Média", + "text": "O padrão é chaves gerenciadas pela Microsoft para a funcionalidade de criptografia principal e use chaves gerenciadas pelo cliente quando necessário.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "Segurança" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "link": 
"https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", + "service": "SAP", "severity": "Alto", - "text": "Ajuste o WAF do Azure Front Door para sua carga de trabalho. Reduza as detecções de falsos positivos.", + "text": "Use um Cofre de Chaves do Azure por aplicativo, por ambiente, por região.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "Segurança" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", + "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", + "service": "SAP", "severity": "Alto", - "text": "Habilite o recurso de inspeção do corpo de solicitação habilitado na política WAF do Azure Front Door.", + "text": "Para controlar e gerenciar chaves de criptografia de disco e segredos para sistemas operacionais Windows e não Windows HANA, use o Cofre de Chaves do Azure. 
O SAP HANA não tem suporte com o Cofre de Chaves do Azure, portanto, você deve usar métodos alternativos, como chaves SAP ABAP ou SSH.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", "waf": "Segurança" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "209d490d-a477-4784-84d1-16785d2fa56c", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "service": "SAP", "severity": "Alto", - "text": "Habilite os conjuntos de regras padrão do WAF do Azure Front Door. Os conjuntos de regras padrão detectam e bloqueiam ataques comuns.", + "text": "Personalizar funções RBAC (controle de acesso baseado em função) para SAP em assinaturas spoke do Azure para evitar alterações acidentais relacionadas à rede", + "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", "waf": "Segurança" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", + "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", + "service": "SAP", "severity": "Alto", - "text": "Habilite o conjunto de regras de proteção de bot do WAF do Azure Front Door. 
As regras de bot detectam bots bons e ruins.", + "text": "Isole DMZs e NVAs do restante do estado SAP, configure o Azure Private Link e gerencie e controle com segurança os recursos do SAP no Azure", + "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", - "service": "Front Door", - "severity": "Média", - "text": "Use a versão mais recente do conjunto de regras do WAF do Azure Front Door. As atualizações do conjunto de regras são atualizadas regularmente para levar em conta o cenário atual de ameaças.", + "checklist": "SAP Checklist", + "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", + "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "service": "SAP", + "severity": "Baixo", + "text": "Considere usar o software antimalware da Microsoft no Azure para proteger suas máquinas virtuais contra arquivos mal-intencionados, adware e outras ameaças.", + "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "b9620385-1cde-418f-914b-a84a06982ffc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", - "service": "Front Door", - "severity": "Média", - "text": "Adicione o limite de taxa ao WAF do Azure Front Door. 
A limitação de taxa bloqueia clientes que enviam acidentalmente ou intencionalmente grandes quantidades de tráfego em um curto período de tempo.", + "checklist": "SAP Checklist", + "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", + "service": "SAP", + "severity": "Baixo", + "text": "Para obter uma proteção ainda mais poderosa, considere usar o Microsoft Defender for Endpoint.", + "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", - "service": "Front Door", - "severity": "Média", - "text": "Use um limite alto para os limites de taxa do WAF do Azure Front Door. Limites de limite de taxa alta evitam o bloqueio de tráfego legítimo, ao mesmo tempo em que fornecem proteção contra um número extremamente alto de solicitações que podem sobrecarregar sua infraestrutura. ", + "checklist": "SAP Checklist", + "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", + "severity": "Alto", + "text": "Isole os servidores de aplicativo e banco de dados SAP da Internet ou da rede local passando todo o tráfego pela rede virtual de hub, que está conectada à rede spoke por emparelhamento de rede virtual. 
As redes virtuais emparelhadas garantem que a solução SAP no Azure seja isolada da Internet pública.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "severity": "Baixo", - "text": "Se você não está esperando tráfego de todas as regiões geográficas, use filtros geográficos para bloquear o tráfego de países não esperados.", + "text": "Para aplicativos voltados para a Internet, como o SAP Fiori, certifique-se de distribuir a carga por requisitos de aplicativo, mantendo os níveis de segurança. Para segurança de Camada 7, você pode usar um WAF (Web Application Firewall) de terceiros disponível no Azure Marketplace.", + "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "00acd8a9-6975-414f-8491-2be6309893b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", + "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", + "service": "SAP", "severity": "Média", - "text": "Especifique o local desconhecido (ZZ) ao filtrar geograficamente o tráfego com o WAF do Azure Front Door. 
Evite bloquear acidentalmente solicitações legítimas quando os endereços IP não puderem ser correspondidos geograficamente.", + "text": "Para habilitar a comunicação segura no Azure Monitor para soluções SAP, você pode optar por usar um certificado raiz ou um certificado de servidor. É altamente recomendável que você use certificados raiz.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", "waf": "Segurança" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", - "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", - "service": "App Gateway", + "checklist": "Azure VMware Solution Design Review", + "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", + "service": "AVS", "severity": "Alto", - "text": "Habilitar o conjunto de regras de proteção de bot WAF do Gateway de Aplicativo do Azure As regras de bot detectam bots bons e ruins.", + "text": "Verifique se os controladores de domínio ADDS estão implantados na assinatura de identidade no Azure nativo", "waf": "Segurança" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "App Gateway", - "severity": "Alto", - "text": "Habilite o recurso de inspeção do corpo de solicitação habilitado na política WAF do Gateway de 
Aplicativo do Azure.", + "checklist": "Azure VMware Solution Design Review", + "guid": "75089c20-990d-4927-b105-885576f76fc2", + "service": "AVS", + "severity": "Média", + "text": "Verifique se os sites e serviços do ADDS estão configurados para manter as solicitações de autenticação de recursos baseados no Azure (incluindo a Solução VMware do Azure) locais para o Azure", "waf": "Segurança" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", - "service": "App Gateway", + "checklist": "Azure VMware Solution Design Review", + "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", + "service": "AVS", "severity": "Alto", - "text": "Ajuste o WAF do Gateway de Aplicativo do Azure para sua carga de trabalho. Reduza as detecções de falsos positivos.", + "text": "Verifique se o vCenter está conectado ao ADDS para habilitar a autenticação com base em 'contas de usuário nomeadas'", "waf": "Segurança" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", - "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "App Gateway", - "severity": "Alto", - "text": "Implante sua política de WAF para o Application 
Gateway no modo 'Prevenção'.", + "checklist": "Azure VMware Solution Design Review", + "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", + "service": "AVS", + "severity": "Média", + "text": "Verifique se a conexão do vCenter com o ADDS está usando um protocolo seguro (LDAPS)", "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", - "service": "App Gateway", + "checklist": "Azure VMware Solution Design Review", + "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", + "service": "AVS", "severity": "Média", - "text": "Adicione o limite de taxa ao WAF do Gateway de Aplicativo do Azure. A limitação de taxa bloqueia clientes que enviam acidentalmente ou intencionalmente grandes quantidades de tráfego em um curto período de tempo.", + "text": "A conta do CloudAdmin no vCenter IdP é usada apenas como uma conta de emergência (break-glass)", "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", - "service": "App Gateway", - "severity": "Média", - "text": "Use um limite alto para os limites de taxa do WAF do Gateway de Aplicativo do Azure. Limites de limite de taxa alta evitam o bloqueio de tráfego legítimo, ao mesmo tempo em que fornecem proteção contra um número extremamente alto de solicitações que podem sobrecarregar sua infraestrutura. 
", + "checklist": "Azure VMware Solution Design Review", + "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", + "service": "AVS", + "severity": "Alto", + "text": "Certifique-se de que o NSX-Manager esteja integrado a um provedor de identidade externo (LDAPS)", "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "99937189-ff78-492a-b9ca-18d828d82b37", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", - "service": "App Gateway", - "severity": "Baixo", - "text": "Se você não está esperando tráfego de todas as regiões geográficas, use filtros geográficos para bloquear o tráfego de países não esperados.", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", + "service": "AVS", + "severity": "Média", + "text": "Foi criado um modelo RBAC para uso no VMware vSphere", "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", - "service": "App Gateway", + "checklist": "Azure VMware Solution Design Review", + "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", + "service": "AVS", "severity": "Média", - "text": "Especifique o local desconhecido (ZZ) ao filtrar geograficamente o tráfego com o WAF do Gateway de Aplicativo do Azure. 
Evite bloquear acidentalmente solicitações legítimas quando os endereços IP não puderem ser correspondidos geograficamente.", + "text": "As permissões RBAC devem ser concedidas em grupos ADDS e não em usuários específicos", "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", - "service": "App Gateway", - "severity": "Média", - "text": "Use a versão mais recente do conjunto de regras do WAF do Gateway de Aplicativo do Azure. As atualizações do conjunto de regras são atualizadas regularmente para levar em conta o cenário atual de ameaças.", + "checklist": "Azure VMware Solution Design Review", + "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", + "service": "AVS", + "severity": "Alto", + "text": "As permissões RBAC no recurso Solução VMware do Azure no Azure são 'bloqueadas' apenas para um conjunto limitado de proprietários", "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "App Gateway", - "severity": "Média", - "text": "Adicione configurações de diagnóstico para salvar seus logs WAF do Gateway de Aplicativo do Azure.", - "waf": "Operações" + "checklist": "Azure VMware Solution Design Review", + "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", + "service": "AVS", + "severity": "Alto", + "text": "Certifique-se de que todas as funções personalizadas tenham escopo com autorizações permitidas do CloudAdmin", + "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", - "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "Front Door", - "severity": "Média", - "text": "Adicione configurações de diagnóstico para salvar seus logs do WAF do Azure Front Door.", - "waf": "Operações" + "checklist": "Azure VMware Solution Design Review", + "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", + "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", + "service": "AVS", + "severity": "Alto", + "text": "O modelo de conectividade correto da Solução VMware do Azure está selecionado para o caso de uso do cliente em mãos?", + "waf": "Desempenho" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "92664c60-47e3-4591-8b1b-8d557656e686", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", - "service": "App Gateway", - "severity": "Média", - "text": "Envie logs do WAF do Gateway de Aplicativo do Azure para o Microsoft Sentinel.", + "checklist": "Azure VMware Solution Design Review", + "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", + "service": "AVS", + "severity": "Alto", + "text": "Garantir que as conexões de Rota Expressa ou VPN do local para o Azure sejam monitoradas usando o 'monitor de conexão'", "waf": "Operações" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "845f5f91-9c21-4674-a725-5ce890850e20", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "Front Door", + "checklist": "Azure VMware Solution Design Review", + "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", + "service": "AVS", "severity": "Média", - "text": "Envie logs do WAF do Azure Front Door para o Microsoft Sentinel.", + "text": "Verifique se um monitor de conexão foi criado a partir de um recurso nativo do Azure para uma máquina virtual da Solução VMware 
do Azure para monitorar a conexão de Rota Expressa de back-end da Solução VMware do Azure", "waf": "Operações" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", - "service": "App Gateway", + "checklist": "Azure VMware Solution Design Review", + "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", + "service": "AVS", "severity": "Média", - "text": "Defina sua configuração do WAF do Gateway de Aplicativo do Azure como código. Usando o código, você pode adotar mais facilmente a nova versão do conjunto de regras e obter proteção adicional.", + "text": "Verifique se um monitor de conexão é criado a partir de um recurso local para uma máquina virtual da Solução VMware do Azure para monitorar a conectividade de ponta 2", "waf": "Operações" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", - "service": "App Gateway", - "severity": "Média", - "text": "Use políticas de WAF em vez da configuração de WAF herdada.", + "checklist": "Azure VMware Solution Design Review", + "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", + "service": "AVS", + "severity": "Alto", + "text": "Quando o servidor de rotas for usado, certifique-se de que não mais de 1000 rotas sejam propagadas do servidor de rotas para o gateway ExR para o local (limite ARS).", "waf": "Operações" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", - "service": "App Gateway", - "severity": "Média", - "text": "Filtre o tráfego de entrada nos back-ends para que eles só aceitem conexões da sub-rede do Application Gateway, por exemplo, com NSGs.", 
+ "checklist": "Azure VMware Solution Design Review", + "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", + "service": "AVS", + "severity": "Alto", + "text": "O Gerenciamento de Identidades Privilegiadas é implementado para funções que gerenciam o recurso da Solução VMware do Azure no Portal do Azure (não são permitidas permissões permanentes)", "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", - "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", - "service": "Front Door", - "severity": "Média", - "text": "Certifique-se de que suas origens recebam apenas o tráfego de sua instância do Azure Front Door.", + "checklist": "Azure VMware Solution Design Review", + "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", + "service": "AVS", + "severity": "Alto", + "text": "Os relatórios de auditoria do Gerenciamento de Identidades Privilegiadas devem ser implementados para as funções PIM da Solução VMware do Azure", "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", - "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", - "service": "App Gateway", - "severity": "Alto", - "text": "Você deve criptografar o tráfego para os servidores de back-end.", + "checklist": "Azure VMware Solution Design Review", + "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", + "service": "AVS", + "severity": "Média", + "text": "Se o uso do Gerenciamento de Identidades Privilegiadas estiver sendo usado, certifique-se de que uma conta válida habilitada para ID do Entra seja criada com um registro SMTP válido para notificações de substituição automática do Host da Solução VMware do Azure. 
(permissões permanentes necessárias)", "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", - "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", - "service": "App Gateway", + "checklist": "Azure VMware Solution Design Review", + "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", + "service": "AVS", "severity": "Alto", - "text": "Você deve usar um Web Application Firewall.", + "text": "Limitar o uso da conta do CloudAdmin apenas ao acesso de emergência", "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", - "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", - "service": "App Gateway", + "checklist": "Azure VMware Solution Design Review", + "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", + "service": "AVS", "severity": "Média", - "text": "Redirecionar HTTP para HTTPS", + "text": "Criar funções RBAC personalizadas no vCenter para implementar um modelo de privilégios mínimos dentro do vCenter", "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", - "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", - "service": "App Gateway", + "checklist": "Azure VMware Solution Design Review", + "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", + "service": "AVS", "severity": "Média", - "text": "Usar cookies gerenciados por gateway para direcionar o tráfego de uma sessão de usuário para o mesmo servidor para processamento", - "waf": "Operações" + "text": "É um processo definido para alternar regularmente as credenciais cloudadmin (vCenter) e admin (NSX)", + "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", - "link": 
"https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", - "service": "App Gateway", + "checklist": "Azure VMware Solution Design Review", + "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", + "service": "AVS", "severity": "Alto", - "text": "Habilite a drenagem de conexão durante as atualizações de serviço planejadas para evitar a perda de conexão com membrs existentes do pool de back-end", + "text": "Usar um provedor de identidade centralizado a ser usado para cargas de trabalho (VMs) em execução na Solução VMware do Azure", "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", - "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", - "service": "App Gateway", - "severity": "Baixo", - "text": "Criar páginas de erro personalizadas para exibir uma experiência de usuário personalizada", - "waf": "Operações" + "checklist": "Azure VMware Solution Design Review", + "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", + "service": "AVS", + "severity": "Média", + "text": "A filtragem de tráfego Leste-Oeste é implementada no NSX-T", + "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", - "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", - "service": "App Gateway", - "severity": "Média", - "text": "Edite solicitações HTTP e cabeçalhos de resposta para facilitar o roteamento e a troca de informações entre o cliente e o servidor", + "checklist": "Azure VMware Solution Design Review", + "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", + "service": "AVS", + "severity": "Alto", + "text": "As cargas de trabalho na Solução VMware do Azure não são diretamente expostas à Internet. 
O tráfego é filtrado e inspecionado pelo Gateway de Aplicativo do Azure, pelo Firewall do Azure ou por soluções de terceiros", "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "App Gateway", - "severity": "Média", - "text": "Configure o Front Door para otimizar o roteamento de tráfego global da Web e o desempenho do usuário final de nível superior e a confiabilidade por meio de failover global rápido", - "waf": "Desempenho" + "checklist": "Azure VMware Solution Design Review", + "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", + "service": "AVS", + "severity": "Alto", + "text": "A auditoria e o registro em log são implementados para solicitações de entrada da Internet para cargas de trabalho baseadas na Solução VMware do Azure e na Solução VMware do Azure", + "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "29dcc19f-a8fa-4c35-8281-290577538793", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "App Gateway", + "checklist": "Azure VMware Solution Design Review", + "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", + "service": "AVS", "severity": "Média", - "text": "Usar balanceamento de carga da camada de transporte", - "waf": "Desempenho" + "text": "O monitoramento de sessão é implementado para conexões de saída da Internet a partir da Solução VMware do Azure ou cargas de trabalho baseadas na Solução VMware do Azure para identificar atividades suspeitas/mal-intencionadas", + "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", - "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", - "service": "App Gateway", + "checklist": "Azure VMware Solution Design Review", + "guid": 
"334fdf91-c234-4182-a652-75269440b4be", + "service": "AVS", "severity": "Média", - "text": "Configurar o roteamento com base no host ou nome de domínio para vários aplicativos Web em um único gateway", + "text": "A proteção padrão contra DDoS está habilitada na sub-rede do Gateway ExR/VPN no Azure", "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", - "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", - "service": "App Gateway", + "checklist": "Azure VMware Solution Design Review", + "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", + "service": "AVS", "severity": "Média", - "text": "Centralize o gerenciamento de certificados SSL para reduzir a sobrecarga de criptografia e descriptografia de um farm de servidores back-end", + "text": "Usar uma estação de trabalho de acesso privilegiado (PAW) dedicada para gerenciar a Solução VMware do Azure, o vCenter, o gerenciador NSX e o gerenciador HCX", "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", - "service": "App Gateway", - "severity": "Baixo", - "text": "Usar o Application Gateway para suporte nativo para protocolos WebSocket e HTTP/2", + "checklist": "Azure VMware Solution Design Review", + "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", + "service": "AVS", + "severity": "Média", + "text": "Habilitar a Detecção Avançada de Ameaças (Microsoft Defender for Cloud, também conhecido como ASC) para cargas de trabalho em execução na Solução VMware do Azure", "waf": "Segurança" }, { - "checklist": "Azure App Service Review", - "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", - "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", - "service": "App 
Services",
- "severity": "Baixo",
- "text": "Consulte a arquitetura de aplicativo Web com redundância de zona altamente disponível da linha de base para obter as práticas recomendadas",
- "waf": "Fiabilidade"
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45",
+ "service": "AVS",
+ "severity": "Média",
+ "text": "Usar o Azure ARC for Servers para controlar corretamente as cargas de trabalho em execução na Solução VMware do Azure usando tecnologias nativas do Azure (o Azure ARC for Azure VMware Solution ainda não está disponível)",
+ "waf": "Segurança"
 },
 {
- "checklist": "Azure App Service Review",
- "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820",
- "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans",
- "service": "App Services",
- "severity": "Média",
- "text": "Use as camadas Premium e Standard. Esses níveis oferecem suporte a slots de preparo e backups automatizados.",
- "waf": "Fiabilidade"
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a",
+ "service": "AVS",
+ "severity": "Baixo",
+ "text": "Garanta que as cargas de trabalho na Solução VMware do Azure usem criptografia de dados suficiente durante o tempo de execução (como criptografia de disco convidado e SQL TDE). (a criptografia vSAN em repouso é padrão)",
+ "waf": "Segurança"
 },
 {
- "checklist": "Azure App Service Review",
- "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202",
- "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service",
- "service": "App Services",
- "severity": "Alto",
- "text": "Aproveite as zonas de disponibilidade quando aplicável regionalmente (requer a camada Premium v2 ou v3)",
- "waf": "Fiabilidade"
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "a3592718-e6e2-4051-9267-6ae46691e883",
+ "service": "AVS",
+ "severity": "Baixo",
+ "text": "Quando a criptografia no convidado é usada, armazene chaves de criptografia no cofre de chaves do Azure quando possível",
+ "waf": "Segurança"
 },
 {
- "checklist": "Azure App Service Review",
- "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad",
- "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check",
- "service": "App Services",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "5ac94222-3e13-4810-9230-81a941741583",
+ "service": "AVS",
 "severity": "Média",
- "text": "Implementar verificações de integridade",
- "waf": "Fiabilidade"
+ "text": "Considere usar o suporte estendido de atualização de segurança para cargas de trabalho em execução na Solução VMware do Azure (a Solução VMware do Azure é qualificada para ESU)",
+ "waf": "Segurança"
 },
 {
- "checklist": "Azure App Service Review",
- "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7",
- "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup",
- "service": "App Services",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609",
+ "service": "AVS",
 "severity": "Alto",
- "text": "Consulte as práticas recomendadas de backup e restauração para o Serviço de Aplicativo do Azure",
+ "text": "Certifique-se de que o método de redundância de dados vSAN apropriado seja usado (especificação RAID)",
 "waf": "Fiabilidade"
 },
 {
- "checklist": "Azure App Service Review",
- "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2",
- "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability",
- "service": "App Services",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d88408f3-7273-44c8-96ba-280214590146",
+ "service": "AVS",
 "severity": "Alto",
- "text": "Implementar práticas recomendadas de confiabilidade do Serviço de Aplicativo do Azure",
- "waf": "Fiabilidade"
- },
- {
- "checklist": "Azure App Service Review",
- "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f",
- "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only",
- "service": "App Services",
- "severity": "Baixo",
- "text": "Familiarizar-se com como mover um aplicativo do Serviço de Aplicativo para outra região durante um desastre",
+ "text": "Certifique-se de que a política de falha na tolerância esteja em vigor para atender às suas necessidades de armazenamento vSAN",
 "waf": "Fiabilidade"
 },
 {
- "checklist": "Azure App Service Review",
- "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293",
- "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service",
- "service": "App Services",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a",
+ "service": "AVS",
 "severity": "Alto",
- "text": "Familiarizar-se com o suporte de confiabilidade no Serviço de Aplicativo do Azure",
+ "text": "Certifique-se de ter solicitado cota suficiente, garantindo que você tenha considerado o crescimento e o requisito de recuperação de desastres",
 "waf": "Fiabilidade"
 },
 {
- "checklist": "Azure App Service Review",
- "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e",
- "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on",
- "service": "App Services",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19",
+ "service": "AVS",
 "severity": "Média",
- "text": "Verifique se \"Sempre Ativo\" está habilitado para Aplicativos de Função em execução em um plano de serviço de aplicativo",
- "waf": "Fiabilidade"
+ "text": "Certifique-se de que as restrições de acesso ao ESXi sejam compreendidas, há limites de acesso que podem afetar as soluções de terceiros 3rd.",
+ "waf": "Operações"
 },
 {
- "checklist": "Azure App Service Review",
- "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab",
- "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check",
- "service": "App Services",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52",
+ "service": "AVS",
 "severity": "Média",
- "text": "Monitorar instâncias do Serviço de Aplicativo usando verificações de integridade",
- "waf": "Fiabilidade"
+ "text": "Certifique-se de ter uma política em torno da densidade e eficiência do host ESXi, tendo em mente o prazo de espera para solicitar novos nós",
+ "waf": "Operações"
 },
 {
- "checklist": "Azure App Service Review",
- "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129",
- "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview",
- "service": "App Services",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef",
+ "service": "AVS",
 "severity": "Média",
- "text": "Monitorar a disponibilidade e a capacidade de resposta do aplicativo Web ou site usando testes de disponibilidade do Application Insights",
- "waf": "Fiabilidade"
+ "text": "Garantir que um bom processo de gerenciamento de custos esteja em vigor para a Solução VMware do Azure - o Gerenciamento de Custos do Azure pode ser usado",
+ "waf": "Custar"
 },
 {
- "checklist": "Azure App Service Review",
- "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea",
- "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests",
- "service": "App Services",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6e043e2a-a359-4271-ae6e-205172676ae4",
+ "service": "AVS",
 "severity": "Baixo",
- "text": "Usar o teste Application Insights Standard para monitorar a disponibilidade e a capacidade de resposta do aplicativo Web ou site",
- "waf": "Fiabilidade"
- },
- {
- "checklist": "Azure App Service Review",
- "description": "Use o Cofre de Chaves do Azure para armazenar quaisquer segredos de que o aplicativo precisa. O Cofre de Chaves fornece um ambiente seguro e auditado para armazenar segredos e está bem integrado ao Serviço de Aplicativo por meio do SDK do Cofre de Chaves ou das Referências do Cofre de Chaves do Serviço de Aplicativo.",
- "guid": "834ac932-223e-4ce8-8b12-3071a5416415",
- "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
- "service": "App Services",
- "severity": "Alto",
- "text": "Usar o Cofre de Chaves para armazenar segredos",
- "waf": "Segurança"
+ "text": "As instâncias reservadas do Azure são usadas para otimizar o custo de uso da Solução VMware do Azure",
+ "waf": "Custar"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "Use uma Identidade Gerenciada para se conectar ao Cofre de Chaves usando o SDK do Cofre de Chaves ou por meio das Referências do Cofre de Chaves do Serviço de Aplicativo.",
- "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1",
- "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
- "service": "App Services",
- "severity": "Alto",
- "text": "Usar a Identidade Gerenciada para se conectar ao Cofre de Chaves",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6691e883-5ac9-4422-83e1-3810523081a9",
+ "service": "AVS",
+ "severity": "Média",
+ "text": "Considere o uso do Azure Private-Link ao usar outros Serviços Nativos do Azure",
 "waf": "Segurança"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "Armazene o certificado TLS do Serviço de Aplicativo no Cofre de Chaves.",
- "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4",
- "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate",
- "service": "App Services",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "db611712-6904-40b4-aa3d-3e0803276d4b",
+ "service": "AVS",
 "severity": "Alto",
- "text": "Use o Cofre de Chaves para armazenar o certificado TLS.",
- "waf": "Segurança"
- },
- {
- "checklist": "Azure App Service Review",
- "description": "Os sistemas que processam informações confidenciais devem ser isolados. Para fazer isso, use Planos do Serviço de Aplicativo ou Ambientes do Serviço de Aplicativo separados e considere o uso de assinaturas ou grupos de gerenciamento diferentes.",
- "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c",
- "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans",
- "service": "App Services",
- "severity": "Média",
- "text": "Isolar sistemas que processam informações confidenciais",
- "waf": "Segurança"
+ "text": "Verifique se todos os recursos necessários residem na(s) mesma(s) zona(s) de disponibilidade do Azure",
+ "waf": "Desempenho"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "Os discos locais no Serviço de Aplicativo não são criptografados e os dados confidenciais não devem ser armazenados neles. (Por exemplo: D:\\\\Local e %TMP%).",
- "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a",
- "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access",
- "service": "App Services",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da",
+ "service": "AVS",
 "severity": "Média",
- "text": "Não armazene dados confidenciais no disco local",
+ "text": "Habilitar cargas de trabalho de VM convidada do Microsoft Defender for Cloud for Azure VMware Solution",
 "waf": "Segurança"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "Para aplicativos Web autenticados, use um Provedor de Identidade bem estabelecido, como o Azure AD ou o Azure AD B2C. Aproveite a estrutura de aplicativo de sua escolha para se integrar a esse provedor ou use o recurso de Autenticação/Autorização do Serviço de Aplicativo.",
- "guid": "919ca0b2-c121-459e-814b-933df574eccc",
- "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization",
- "service": "App Services",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe",
+ "service": "AVS",
 "severity": "Média",
- "text": "Usar um provedor de identidade estabelecido para autenticação",
+ "text": "Usar servidores habilitados para Arc do Azure para gerenciar suas cargas de trabalho de VM convidada da Solução VMware do Azure",
 "waf": "Segurança"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "Implante código no Serviço de Aplicativo a partir de um ambiente controlado e confiável, como um pipeline de implantação de DevOps bem gerenciado e seguro. Isso evita que o código que não foi controlado por versão e verificado para ser implantado a partir de um host mal-intencionado.",
- "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5",
- "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices",
- "service": "App Services",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a",
+ "service": "AVS",
 "severity": "Alto",
- "text": "Implantar a partir de um ambiente confiável",
- "waf": "Segurança"
+ "text": "Habilitar o log de diagnóstico e de métrica na solução VMware do Azure",
+ "waf": "Operações"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "Desative a autenticação básica para FTP/FTPS e WebDeploy/SCM. Isso desabilita o acesso a esses serviços e impõe o uso de pontos de extremidade protegidos do Azure AD para implantação. Observe que o site do SCM também pode ser aberto usando credenciais do Azure AD.",
- "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d",
- "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication",
- "service": "App Services",
- "severity": "Alto",
- "text": "Desabilitar a autenticação básica",
- "waf": "Segurança"
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46",
+ "service": "AVS",
+ "severity": "Média",
+ "text": "Implantar os agentes do Log Analytics nas cargas de trabalho da VM convidada da Solução VMware do Azure",
+ "waf": "Operações"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "Sempre que possível, use a Identidade Gerenciada para se conectar aos recursos protegidos do Azure AD. Se isso não for possível, armazene segredos no Cofre de Chaves e conecte-se ao Cofre de Chaves usando uma Identidade Gerenciada.",
- "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d",
- "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp",
- "service": "App Services",
- "severity": "Alto",
- "text": "Usar a Identidade Gerenciada para se conectar a recursos",
- "waf": "Segurança"
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "589d457a-927c-4397-9d11-02cad6aae11e",
+ "service": "AVS",
+ "severity": "Média",
+ "text": "Verifique se você tem uma política e uma solução de backup documentadas e implementadas para cargas de trabalho de VM da Solução VMware do Azure",
+ "waf": "Operações"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "Onde estiver usando imagens armazenadas no Registro de Contêiner do Azure, extraia-as usando uma Identidade Gerenciada.",
- "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4",
- "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry",
- "service": "App Services",
- "severity": "Alto",
- "text": "Extrair contêineres usando uma identidade gerenciada",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "ee29711b-d352-4caa-ab79-b198dab81932",
+ "service": "AVS",
+ "severity": "Média",
+ "text": "Usar o Microsoft Defender for Cloud para monitoramento de conformidade de cargas de trabalho em execução no Azure VMware Solution",
 "waf": "Segurança"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "Ao definir as configurações de diagnóstico do Serviço de Aplicativo, você pode enviar toda a telemetria para o Log Analytics como o destino central para registro em log e monitoramento. Isso permite que você monitore a atividade de tempo de execução do Serviço de Aplicativo, como logs HTTP, logs de aplicativos, logs de plataforma, ...",
- "guid": "47768314-c115-4775-a2ea-55b46ad48408",
- "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs",
- "service": "App Services",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547",
+ "service": "AVS",
 "severity": "Média",
- "text": "Enviar logs de tempo de execução do Serviço de Aplicativo para o Log Analytics",
+ "text": "São as linhas de base de conformidade aplicáveis adicionadas ao Microsoft Defender for Cloud",
 "waf": "Segurança"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "Configure uma configuração de diagnóstico para enviar o log de atividades para o Log Analytics como o destino central para registro e monitoramento. Isso permite que você monitore a atividade do plano de controle no próprio recurso do Serviço de Aplicativo.",
- "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0",
- "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
- "service": "App Services",
- "severity": "Média",
- "text": "Enviar logs de atividade do Serviço de Aplicativo para o Log Analytics",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e",
+ "service": "AVS",
+ "severity": "Alto",
+ "text": "A residência de dados foi avaliada ao selecionar regiões do Azure a serem usadas para a implantação da Solução VMware do Azure",
 "waf": "Segurança"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "Controle o acesso à rede de saída usando uma combinação de integração regional de VNet, grupos de segurança de rede e UDR's. O tráfego deve ser roteado para um NVA, como o Firewall do Azure. Certifique-se de monitorar os logs do Firewall.",
- "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf",
- "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration",
- "service": "App Services",
- "severity": "Média",
- "text": "O acesso à rede de saída deve ser controlado",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a",
+ "service": "AVS",
+ "severity": "Alto",
+ "text": "As implicações do processamento de dados (modelo de prestador de serviços / consumidor de serviços) são claras e documentadas",
 "waf": "Segurança"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "Você pode fornecer um IP de saída estável usando a integração de rede virtual e um gateway NAT de rede virtual ou um NVA como o Firewall do Azure. Isso permite que a parte receptora permita uma lista com base no IP, caso seja necessário. Observe que, para comunicações com os Serviços do Azure, geralmente não há necessidade de depender do endereço IP e mecânicas como Pontos de Extremidade de Serviço devem ser usadas. (Além disso, o uso de pontos de extremidade privados na extremidade de recebimento evita que o SNAT aconteça e fornece um intervalo de IP de saída estável.)",
- "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1",
- "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration",
- "service": "App Services",
- "severity": "Baixo",
- "text": "Garantir um IP estável para comunicações de saída para endereços de Internet",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "547c1747-dc56-4068-a714-435cd19dd244",
+ "service": "AVS",
+ "severity": "Média",
+ "text": "Considere o uso de CMK (Customer Managed Key) para vSAN somente se necessário por motivo(s) de conformidade.",
 "waf": "Segurança"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "Controle o acesso à rede de entrada usando uma combinação de Restrições de Acesso do Serviço de Aplicativo, Pontos de Extremidade de Serviço ou Pontos de Extremidade Privados. Diferentes restrições de acesso podem ser necessárias e configuradas para o próprio aplicativo Web e o site do SCM.",
- "guid": "0725769e-e669-41a4-a34a-c932223ece80",
- "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
- "service": "App Services",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2",
+ "service": "AVS",
 "severity": "Alto",
- "text": "O acesso à rede de entrada deve ser controlado",
- "waf": "Segurança"
+ "text": "Criar painéis para habilitar os principais insights de monitoramento da Solução VMware do Azure",
+ "waf": "Operações"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "Proteja-se contra tráfego de entrada mal-intencionado usando um Firewall de Aplicativo Web, como o Gateway de Aplicativo ou o Azure Front Door. Certifique-se de monitorar os logs do WAF.",
- "guid": "b123071a-5416-4415-a33e-a3ad2c2de732",
- "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints",
- "service": "App Services",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2",
+ "service": "AVS",
 "severity": "Alto",
- "text": "Usar um WAF na frente do Serviço de Aplicativo",
- "waf": "Segurança"
+ "text": "Criar alertas de aviso para limites críticos para alertas automáticos sobre o desempenho da solução VMware do Azure (CPU >80%, memória média >80%, vSAN >70%)",
+ "waf": "Operações"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "Certifique-se de que o WAF não pode ser ignorado bloqueando o acesso apenas ao WAF. Use uma combinação de Restrições de Acesso, Pontos de Extremidade de Serviço e Pontos de Extremidade Privados.",
- "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314",
- "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
- "service": "App Services",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9659e396-80e7-4828-ac93-5657d02bff45",
+ "service": "AVS",
 "severity": "Alto",
- "text": "Evite que o WAF seja ignorado",
- "waf": "Segurança"
+ "text": "Certifique-se de que o alerta crítico seja criado para monitorar se o consumo de vSAN está abaixo de 75%, pois esse é um limite de suporte do VMware",
+ "waf": "Operações"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "Defina a política TLS mínima como 1.2 na configuração do Serviço de Aplicativo.",
- "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant",
- "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b",
- "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions",
- "service": "App Services",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "64b0d934-a348-4726-be79-d6b5c3a36495",
+ "service": "AVS",
+ "severity": "Alto",
+ "text": "Verifique se os alertas estão configurados para alertas e notificações de Integridade do Serviço do Azure",
+ "waf": "Operações"
+ },
+ {
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "b6abad38-aad5-43cc-99e1-d86667357c54",
+ "service": "AVS",
 "severity": "Média",
- "text": "Definir a política TLS mínima como 1.2",
- "waf": "Segurança"
+ "text": "Configurar o log da Solução VMware do Azure para ser enviado a uma conta de Armazenamento do Azure ou ao Azure EventHub para processamento",
+ "waf": "Operações"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "Configure o Serviço de Aplicativo para usar somente HTTPS. Isso faz com que o Serviço de Aplicativo redirecione de HTTP para HTTPS. Considere fortemente o uso de HTTP Strict Transport Security (HSTS) em seu código ou a partir de seu WAF, que informa aos navegadores que o site só deve ser acessado usando HTTPS.",
- "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant",
- "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4",
- "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https",
- "service": "App Services",
- "severity": "Alto",
- "text": "Usar somente HTTPS",
- "waf": "Segurança"
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775",
+ "service": "AVS",
+ "severity": "Baixo",
+ "text": "Se for necessário um insight profundo no VMware vSphere: o vRealize Operations e/ou o vRealize Network Insights são usados na solução?",
+ "waf": "Operações"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "Não use curingas em sua configuração do CORS, pois isso permite que todas as origens acessem o serviço (derrotando assim o propósito do CORS). Especificamente, permita apenas as origens que você espera poder acessar o serviço.",
- "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3",
- "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api",
- "service": "App Services",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682",
+ "service": "AVS",
 "severity": "Alto",
- "text": "Curingas não devem ser usados para CORS",
- "waf": "Segurança"
+ "text": "Verifique se a política de armazenamento vSAN para VMs NÃO é a política de armazenamento padrão, pois essa política aplica provisionamento espesso",
+ "waf": "Operações"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "A depuração remota não deve ser ativada na produção, pois isso abre portas adicionais no serviço, o que aumenta a superfície de ataque. Observe que o serviço ativa a depuração remota automaticamente após 48 horas.",
- "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant",
- "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827",
- "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings",
- "service": "App Services",
- "severity": "Alto",
- "text": "Desativar a depuração remota",
- "waf": "Segurança"
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51",
+ "service": "AVS",
+ "severity": "Média",
+ "text": "Verifique se as bibliotecas de conteúdo do vSphere não são colocadas no vSAN, pois o vSAN é um recurso finito",
+ "waf": "Operações"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "Habilite o Defender para o Serviço de Aplicativo. Isso (entre outras ameaças) detecta comunicações com endereços IP mal-intencionados conhecidos. Analise as recomendações do Defender for App Service como parte de suas operações.",
- "guid": "18d2ddb1-0725-4769-be66-91a4834ac932",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction",
- "service": "App Services",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e",
+ "service": "AVS",
 "severity": "Média",
- "text": "Habilitar o Defender for Cloud - Defender for App Service",
- "waf": "Segurança"
+ "text": "Certifique-se de que os repositórios de dados da solução de backup sejam armazenados fora do armazenamento vSAN. No nativo do Azure ou em um armazenamento de dados com backup de pool de discos",
+ "waf": "Operações"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "O Azure fornece proteção contra DDoS Basic em sua rede, que pode ser aprimorada com recursos inteligentes de DDoS Standard que aprendem sobre padrões normais de tráfego e podem detectar comportamentos incomuns. O DDoS Standard se aplica a uma Rede Virtual, portanto, ele deve ser configurado para o recurso de rede na frente do aplicativo, como o Application Gateway ou um NVA.",
- "guid": "223ece80-b123-4071-a541-6415833ea3ad",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
- "service": "App Services",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "2aee3453-aec8-4339-848b-262d6cc5f512",
+ "service": "AVS",
 "severity": "Média",
- "text": "Habilitar o padrão de proteção DDOS na rede virtual WAF",
- "waf": "Segurança"
+ "text": "Garantir que as cargas de trabalho em execução na Solução VMware do Azure sejam gerenciadas de forma híbrida usando o Azure Arc for Servers (a Solução VMware do Arc for Azure está em visualização)",
+ "waf": "Operações"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "Ao usar imagens armazenadas no Registro de Contêiner do Azure, extraia-as por uma rede virtual do Registro de Contêiner do Azure usando seu ponto de extremidade privado e a configuração do aplicativo 'WEBSITE_PULL_IMAGE_OVER_VNET'.",
- "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda",
- "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry",
- "service": "App Services",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b",
+ "service": "AVS",
 "severity": "Média",
- "text": "Extrair contêineres por uma rede virtual",
- "waf": "Segurança"
+ "text": "Garantir que as cargas de trabalho em execução na Solução VMware do Azure sejam monitoradas usando o Azure Log Analytics e o Azure Monitor",
+ "waf": "Operações"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "Realizar um teste de penetração na aplicação web seguindo as regras de teste de penetração de engajamento.",
- "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769",
- "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing",
- "service": "App Services",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09",
+ "service": "AVS",
 "severity": "Média",
- "text": "Realizar um teste de penetração",
- "waf": "Segurança"
+ "text": "Incluir cargas de trabalho em execução na Solução VMware do Azure nas ferramentas de gerenciamento de atualizações existentes ou no Gerenciamento de Atualizações do Azure",
+ "waf": "Operações"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "Implante código confiável que foi validado e verificado em busca de vulnerabilidades de acordo com as práticas de DevSecOps.",
- "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e",
- "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure",
- "service": "App Services",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa",
+ "service": "AVS",
 "severity": "Média",
- "text": "Implantar código validado",
- "waf": "Segurança"
+ "text": "Usar a Política do Azure para integrar cargas de trabalho da Solução VMware do Azure nas soluções de Gerenciamento, Monitoramento e Segurança do Azure",
+ "waf": "Operações"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "Use as versões mais recentes de plataformas, linguagens de programação, protocolos e estruturas suportadas.",
- "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54",
- "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime",
- "service": "App Services",
- "severity": "Alto",
- "text": "Use plataformas, linguagens, protocolos e frameworks atualizados",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129",
+ "service": "AVS",
+ "severity": "Média",
+ "text": "Garantir que as cargas de trabalho em execução na Solução VMware do Azure sejam integradas ao Microsoft Defender for Cloud",
 "waf": "Segurança"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c",
- "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens",
- "service": "Entra",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2",
+ "service": "AVS",
 "severity": "Média",
- "text": "Use o token revogável de longa duração, armazene seu token em cache e adquira o token silenciosamente usando a Microsoft Identity Library",
+ "text": "Certifique-se de que os backups não sejam armazenados no vSAN, pois o vSAN é um recurso finito",
 "waf": "Fiabilidade"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd",
- "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops",
- "service": "AAD B2C",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71",
+ "service": "AVS",
 "severity": "Média",
- "text": "Certifique-se de que os fluxos de usuário de entrada sejam armazenados em backup e resilientes. Certifique-se de que o código que você usa para entrar em seus usuários é de backup e recuperável. Interfaces resilientes com processos externos",
+ "text": "Todas as soluções de DR foram consideradas e uma solução que é melhor para o seu negócio foi decidida? [SRM/JetStream/Zerto/Veeam/...]",
 "waf": "Fiabilidade"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296",
- "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network",
- "service": "AAD B2C",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818",
+ "service": "AVS",
 "severity": "Média",
- "text": "Os ativos de marca personalizados devem ser hospedados em uma CDN",
- "waf": "Desempenho"
+ "text": "Usar o Azure Site Recovery quando a tecnologia de Recuperação de Desastres for IaaS nativa do Azure",
+ "waf": "Fiabilidade"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64",
- "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance",
- "service": "AAD B2C",
- "severity": "Baixo",
- "text": "Ter vários provedores de identidade (ou seja, fazer login com suas contas da Microsoft, Google, Facebook)",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db",
+ "service": "AVS",
+ "severity": "Alto",
+ "text": "Use planos de recuperação automatizados com qualquer uma das soluções de desastre, evite ao máximo tarefas manuais",
 "waf": "Fiabilidade"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "8255461e-2aee-4345-9aec-8339248b262d",
+ "service": "AVS",
 "severity": "Média",
- "text": "Siga as regras de VM para alta disponibilidade no nível da VM (discos premium, dois ou mais em uma região, em zonas de disponibilidade diferentes)",
+ "text": "Usar o par de regiões geopolíticas como o ambiente secundário de recuperação de desastres",
 "waf": "Fiabilidade"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c",
+ "service": "AVS",
+ "severity": "Alto",
+ "text": "Use 2 espaços de endereço diferentes entre as regiões, por exemplo: 10.0.0.0/16 e 192.168.0.0/16 para as diferentes regiões",
+ "waf": "Fiabilidade"
+ },
+ {
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a",
+ "service": "AVS",
 "severity": "Média",
- "text": "Não replique! A replicação pode criar problemas com a sincronização de diretórios",
+ "text": "O ExpressRoute Global Reach será usado para conectividade entre as Nuvens Privadas da Solução VMware do Azure primária e secundária ou o roteamento é feito por meio de dispositivos virtuais de rede?",
 "waf": "Fiabilidade"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "79b598de-fc59-472c-b4cd-21b078036f5e",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711",
+ "service": "AVS",
 "severity": "Média",
- "text": "Ter ativo-ativo para várias regiões",
+ "text": "Todas as soluções de backup foram consideradas e uma solução que é melhor para o seu negócio foi decidida? [ MABS/CommVault/Metallic.io/Veeam/ . ]",
 "waf": "Fiabilidade"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0",
- "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
- "service": "Entra",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1",
+ "service": "AVS",
 "severity": "Média",
- "text": "Adicionar carimbos de serviço de Domínio do Azure AD a regiões e locais adicionais",
+ "text": "Implante sua solução de backup na mesma região que sua nuvem privada da Solução VMware do Azure",
 "waf": "Fiabilidade"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4",
- "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
- "service": "Entra",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8",
+ "service": "AVS",
 "severity": "Média",
- "text": "Usar conjuntos de réplicas para DR",
+ "text": "Implante sua solução de backup fora do vSan, em componentes nativos do Azure",
 "waf": "Fiabilidade"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a",
- "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc",
- "service": "AKS",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e",
+ "service": "AVS",
 "severity": "Baixo",
- "text": "Se necessário para cargas de trabalho do AKS Windows, os contêineres HostProcess podem ser usados",
+ "text": "Existe um processo para solicitar uma restauração dos componentes VMware gerenciados pela Plataforma Azure?",
 "waf": "Fiabilidade"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926",
- "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda",
- "service": "AKS",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1",
+ "service": "AVS",
 "severity": "Baixo",
- "text": "Usar o KEDA se estiver executando cargas de trabalho orientadas a eventos",
- "waf": "Desempenho"
+ "text": "Para implantações manuais, todas as configurações e implantações devem ser documentadas",
+ "waf": "Operações"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58",
- "link": "https://dapr.io/",
- "service": "AKS",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa",
+ "service": "AVS",
 "severity": "Baixo",
- "text": "Use o Dapr para facilitar o desenvolvimento de microsserviços",
+ "text": "Para implantações manuais, considere implementar bloqueios de recursos para evitar ações acidentais em sua nuvem privada de solução VMware do Azure",
 "waf": "Operações"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant",
- "guid": "71d41e36-10cc-457b-9a4b-1410d4395898",
- "link": "https://learn.microsoft.com/azure/aks/uptime-sla",
- "service": "AKS",
- "severity": "Alto",
- "text": "Use a oferta AKS apoiada por SLA",
- "waf": "Fiabilidade"
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5",
+ "service": "AVS",
+ "severity": "Baixo",
+ "text": "Para implantações automatizadas, implante uma nuvem privada mínima e dimensione conforme necessário",
+ "waf": "Operações"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a",
- "link": 
"https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", + "service": "AVS", "severity": "Baixo", - "text": "Usar orçamentos de interrupção em seu pod e definições de implantação", - "waf": "Fiabilidade" + "text": "Para implantações automatizadas, solicite ou reserve cota antes de iniciar a implantação", + "waf": "Operações" }, { - "checklist": "Azure AKS Review", - "guid": "3c763963-7a55-42d5-a15e-401955387e5c", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", - "service": "ACR", - "severity": "Alto", - "text": "Se estiver usando um registro privado, configure a replicação de região para armazenar imagens em várias regiões", - "waf": "Fiabilidade" + "checklist": "Azure VMware Solution Design Review", + "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", + "service": "AVS", + "severity": "Baixo", + "text": "Para implantação automatizada, verifique se os bloqueios de recursos relevantes são criados por meio da automação ou da Política do Azure para uma governança adequada", + "waf": "Operações" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", + "service": "AVS", "severity": "Baixo", - "text": "Use um aplicativo externo, como kubecost, para alocar custos para diferentes usuários", - "waf": "Custar" + "text": "Implemente nomes humanos compreensíveis para chaves de autorização ExR para permitir a fácil identificação da finalidade/uso das chaves", + "waf": "Operações" }, { - "arm-service": "microsoft.containerservice/managedClusters", - 
"checklist": "Azure AKS Review", - "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", - "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "255461e2-aee3-4553-afc8-339248b262d6", + "service": "AVS", "severity": "Baixo", - "text": "Usar o modo de redução para excluir/desalocar nós", - "waf": "Custar" + "text": "Usar o Cofre de chaves para armazenar segredos e chaves de autorização quando Princípios de Serviço separados são usados para implantar a Solução VMware do Azure e a Rota Expressa", + "waf": "Operações" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", - "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", - "service": "AKS", - "severity": "Média", - "text": "Quando necessário, use a GPU de partioning de várias instâncias em clusters AKS", - "waf": "Custar" + "checklist": "Azure VMware Solution Design Review", + "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", + "service": "AVS", + "severity": "Baixo", + "text": "Defina dependências de recursos para serializar ações no IaC quando muitos recursos precisarem ser implantados no/na Solução VMware do Azure, pois a Solução VMware do Azure oferece suporte apenas a um número limitado de operações paralelas.", + "waf": "Operações" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", - "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", + "service": "AVS", "severity": "Baixo", - "text": "Se estiver executando um cluster de desenvolvimento/teste, use NodePool Start/Stop", - "waf": "Custar" + "text": "Ao executar a configuração automatizada de segmentos NSX-T com um único 
gateway de Camada 1, use as APIs do Portal do Azure em vez das APIs do NSX-Manager", + "waf": "Operações" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", - "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", + "service": "AVS", "severity": "Média", - "text": "Usar a Política do Azure para Kubernetes para garantir a conformidade do cluster", - "waf": "Segurança" + "text": "Ao pretender usar a expansão automatizada, certifique-se de aplicar cota suficiente da Solução VMware do Azure para as assinaturas que executam a Solução VMware do Azure", + "waf": "Desempenho" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", - "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", + "service": "AVS", "severity": "Média", - "text": "Separe os aplicativos do plano de controle com pools de nós de usuário/sistema", - "waf": "Segurança" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", - "link": 
"https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", - "severity": "Baixo", - "text": "Adicione mancha ao seu nodepool do sistema para torná-lo dedicado", - "waf": "Segurança" + "text": "Ao pretender usar o scale-in automatizado, certifique-se de levar em consideração os requisitos da política de armazenamento antes de executar essa ação", + "waf": "Desempenho" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", - "link": "https://learn.microsoft.com/azure/container-registry/", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", + "service": "AVS", "severity": "Média", - "text": "Usar um registro privado para suas imagens, como o ACR", - "waf": "Segurança" + "text": "As operações de dimensionamento sempre precisam ser serializadas em um único SDDC, pois apenas uma operação de escala pode ser executada por vez (mesmo quando vários clusters são usados)", + "waf": "Desempenho" }, { - "checklist": "Azure AKS Review", - "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", - "link": "https://learn.microsoft.com/azure/security-center/container-security", - "service": "ACR", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", + "service": "AVS", "severity": "Média", - "text": "Analise suas imagens em busca de vulnerabilidades", - "waf": "Segurança" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", - "service": "AKS", - "severity": "Alto", - "text": "Definir requisitos de separação de aplicativos (namespace/nodepool/cluster)", - "waf": "Segurança" + "text": "Considerar e validar operações de dimensionamento em soluções de terceiros 3rd 
usadas na arquitetura (suportadas ou não)", + "waf": "Desempenho" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", - "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", + "service": "AVS", "severity": "Média", - "text": "Armazene seus segredos no Cofre de Chaves do Azure com o driver do CSI Secrets Store", - "waf": "Segurança" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", - "link": "https://learn.microsoft.com/azure/aks/update-credentials", - "service": "AKS", - "severity": "Alto", - "text": "Se estiver usando entidades de serviço para o cluster, atualize as credenciais periodicamente (como trimestralmente)", - "waf": "Segurança" + "text": "Definir e impor limites máximos de entrada/saída de escala para seu ambiente nas automações", + "waf": "Desempenho" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", - "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", + "service": "AVS", "severity": "Média", - "text": "Se necessário, adicione criptografia etcd do Serviço de Gerenciamento de Chaves", - "waf": "Segurança" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", - "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", - "service": "AKS", - "severity": "Baixo", - "text": "Se necessário, considere o uso de computação 
confidencial para AKS", - "waf": "Segurança" + "text": "Implementar regras de monitoramento para monitorar operações de dimensionamento automatizadas e monitorar o sucesso e a falha para habilitar respostas apropriadas (automatizadas)", + "waf": "Operações" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", - "service": "AKS", - "severity": "Média", - "text": "Considere o uso do Defender for Containers", - "waf": "Segurança" + "checklist": "Azure VMware Solution Design Review", + "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", + "severity": "Alto", + "text": "Ao usar o MON, esteja ciente dos limites de VMs configuradas simulataneamente (MON Limit for HCX [400 - standard, 1000 - Larger appliance])", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", - "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", "severity": "Alto", - "text": "Usar identidades gerenciadas em vez de entidades de serviço", - "waf": "Segurança" + "text": "Ao usar o MON, você não pode habilitar o MON em 
mais de 100 extensões de rede", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", - "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", - "link": "https://learn.microsoft.com/azure/aks/managed-aad", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", + "service": "AVS", "severity": "Média", - "text": "Integrar autenticação com AAD (usando a integração gerenciada)", - "waf": "Segurança" + "text": "Se estiver usando uma conexão VPN para migrações, ajuste o tamanho da MTU de acordo.", + "waf": "Desempenho" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", - "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "e614658d-d457-4e92-9139-b821102cad6e", + "service": "AVS", "severity": "Média", - "text": "Limitar o acesso ao admin kubeconfig (get-credentials --admin)", - "waf": "Segurança" + "text": "Para regiões de baixa conectividade conectadas ao Azure (500Mbps ou menos), considere implantar o dispositivo de otimização de WAN HCX", + "waf": "Desempenho" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", - "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", + "service": "AVS", "severity": "Média", - "text": "Integrar autorização com AAD 
RBAC", - "waf": "Segurança" + "text": "Certifique-se de que as migrações sejam iniciadas a partir do dispositivo local e NÃO do dispositivo em nuvem (NÃO execute uma migração reversa)", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", - "service": "AKS", - "severity": "Alto", - "text": "Usar namespaces para restringir o privilégio RBAC no Kubernetes", - "waf": "Segurança" + "checklist": "Azure VMware Solution Design Review", + "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "AVS", + "severity": "Média", + "text": "Quando o Azure Netapp Files for usado para estender o armazenamento para a Solução VMware do Azure, considere usá-lo como um armazenamento de dados VMware em vez de anexá-lo diretamente a uma VM.", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", - "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "AVS", "severity": "Média", - "text": "Para o Gerenciamento de Acesso à Identidade de Pod, use a Identidade de Carga de Trabalho do Azure AD (visualização)", - "waf": "Segurança" + "text": "Verifique se um ExpressRoute Gateway dedicado está sendo usado para soluções de armazenamento de dados externos", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", 
- "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "AVS", "severity": "Média", - "text": "Para logins não interativos do AKS, use kubelogin (visualização)", - "waf": "Segurança" + "text": "Verifique se o FastPath está habilitado no ExpressRoute Gateway que está sendo usado para soluções de armazenamento de dados externos", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", - "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", - "service": "AKS", - "severity": "Média", - "text": "Desativar contas locais do AKS", - "waf": "Segurança" + "checklist": "Azure VMware Solution Design Review", + "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "AVS", + "severity": "Alto", + "text": "Se estiver usando cluster estendido, verifique se a solução de recuperação de desastres selecionada é suportada pelo fornecedor", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", - "service": "AKS", - "severity": "Baixo", - "text": 
"Configurar, se necessário, o acesso ao cluster just-in-time", - "waf": "Segurança" + "checklist": "Azure VMware Solution Design Review", + "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "AVS", + "severity": "Alto", + "text": "Se estiver usando cluster estendido, verifique se o SLA fornecido atenderá aos seus requisitos", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", - "service": "AKS", - "severity": "Baixo", - "text": "Configurar, se necessário, o acesso condicional do AAD para AKS", - "waf": "Segurança" + "checklist": "Azure VMware Solution Design Review", + "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "AVS", + "severity": "Alto", + "text": "Se estiver usando cluster estendido, verifique se ambos os circuitos da Rota Expressa estão conectados ao hub de conectividade.", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", - "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", - "service": "AKS", - "severity": "Baixo", - "text": "Se necessário para cargas de trabalho do Windows AKS, configure o gMSA ", - "waf": "Segurança" + "checklist": "Azure VMware Solution Design Review", + "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "AVS", + "severity": "Alto", + "text": "Se estiver usando cluster estendido, verifique se ambos os circuitos da Rota Expressa 
têm o GlobalReach habilitado.", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", - "service": "AKS", - "severity": "Média", - "text": "Para um controle mais fino, considere usar uma Identidade Kubelet gerenciada", - "waf": "Segurança" + "checklist": "Azure VMware Solution Design Review", + "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "AVS", + "severity": "Alto", + "text": "Faça com que as configurações de tolerância a desastres do site tenham sido devidamente consideradas e alteradas para sua empresa, se necessário.", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", - "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", - "service": "AKS", + "checklist": "Azure Blob Storage Review", + "description": "Aplicar as orientações do benchmark de segurança na nuvem da Microsoft relacionadas ao armazenamento", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Azure Storage", "severity": "Média", - "text": "Se estiver usando AGIC, não compartilhe um AppGW entre clusters", - "waf": "Fiabilidade" + "text": "Considere a 'linha de base de segurança do Azure para armazenamento'", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) 
or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", - "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", - "link": "https://learn.microsoft.com/azure/aks/http-application-routing", - "service": "AKS", + "checklist": "Azure Blob Storage Review", + "description": "O Armazenamento do Azure, por padrão, tem um endereço IP público e pode ser acessado pela Internet. Os pontos de extremidade privados permitem expor com segurança o Armazenamento do Azure apenas aos recursos de Computação do Azure que precisam de acesso, eliminando assim a exposição à Internet pública", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Azure Storage", "severity": "Alto", - "text": "Não use AKS HTTP Routing Add-On, use em vez disso a entrada NGINX gerenciada com o complemento de roteamento de aplicativo.", - "waf": "Fiabilidade" + "text": "Considere o uso de pontos de extremidade privados para o Armazenamento do Azure", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", - "service": "AKS", + "checklist": "Azure Blob Storage Review", + "description": "As contas de armazenamento recém-criadas são criadas usando o modelo de implantação ARM, para que o RBAC, a auditoria, etc., estejam todos habilitados. 
Verifique se não há contas de armazenamento antigas com modelo de implantação clássico em uma assinatura", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Azure Storage", "severity": "Média", - "text": "Para cargas de trabalho do Windows, use a Rede Acelerada", - "waf": "Desempenho" + "text": "Verifique se as contas de armazenamento mais antigas não estão usando o 'modelo de implantação clássico'", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", - "guid": "ba7da7be-9952-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + "checklist": "Azure Blob Storage Review", + "description": "Aproveite o Microsoft Defender para saber mais sobre atividades suspeitas e configurações incorretas.", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Azure Storage", "severity": "Alto", - "text": "Use o ALB padrão (em oposição ao básico)", - "waf": "Fiabilidade" + "text": "Habilitar o Microsoft Defender para todas as suas contas de armazenamento", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", - "service": "AKS", + "checklist": "Azure Blob Storage Review", + "description": "O mecanismo soft-delete permite recuperar blobs excluídos acidentalmente.", + "guid": 
"503547c1-447e-4c66-828a-7100f1ce16dd", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Azure Storage", "severity": "Média", - "text": "Se estiver usando o CNI do Azure, considere usar sub-redes diferentes para NodePools", + "text": "Ativar 'exclusão suave' para blobs", "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", - "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", - "service": "AKS", + "checklist": "Azure Blob Storage Review", + "description": "Considere desativar seletivamente a \"exclusão suave\" para determinados contêineres de blob, por exemplo, se o aplicativo tiver que garantir que as informações excluídas sejam imediatamente excluídas, por exemplo, por motivos de confidencialidade, privacidade ou conformidade. ", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", "severity": "Média", - "text": "Usar Pontos de Extremidade Privados (preferencial) ou Pontos de Extremidade de Serviço de Rede Virtual para acessar serviços de PaaS do cluster", + "text": "Desativar 'exclusão suave' para blobs", "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", - "guid": "a0f61565-9de5-458f-a372-49c831112dbd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "checklist": "Azure Blob Storage Review", + "description": "A exclusão suave para contêineres permite que você recupere um contêiner depois que ele tenha sido excluído, por exemplo, recuperar de uma operação de exclusão 
acidental.", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Azure Storage", "severity": "Alto", - "text": "Escolha o melhor plug-in de rede CNI para seus requisitos (Azure CNI recomendado)", - "waf": "Fiabilidade" + "text": "Ativar 'exclusão suave' para contêineres", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "Alto", - "text": "Se estiver usando o Azure CNI, dimensione sua sub-rede de acordo considerando o número máximo de pods por nó", - "waf": "Desempenho" + "checklist": "Azure Blob Storage Review", + "description": "Considere desativar seletivamente a \"exclusão suave\" para determinados contêineres de blob, por exemplo, se o aplicativo tiver que garantir que as informações excluídas sejam imediatamente excluídas, por exemplo, por motivos de confidencialidade, privacidade ou conformidade. 
", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", + "severity": "Média", + "text": "Desativar 'exclusão suave' para contêineres", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "checklist": "Azure Blob Storage Review", + "description": "Evita a exclusão acidental de uma conta de armazenamento, forçando o usuário a remover primeiro o bloqueio de exclusão, antes da exclusão", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", "severity": "Alto", - "text": "Se estiver usando o Azure CNI, verifique o máximo de pods/nó (padrão 30)", - "waf": "Desempenho" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "Para aplicativos internos, as organizações geralmente abrem toda a sub-rede AKS em seus firewalls. Isso abre o acesso de rede para os nós também e, potencialmente, para os pods também (se estiver usando o Azure CNI). Se os IPs do LoadBalancer estiverem em uma sub-rede diferente, somente este precisará estar disponível para os clientes do aplicativo. 
Outra razão é que, se os endereços IP na sub-rede AKS são um recurso escasso, consumir seus endereços IP para serviços reduzirá a escalabilidade máxima do cluster.", - "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", - "link": "https://learn.microsoft.com/azure/aks/internal-lb", - "service": "AKS", - "severity": "Baixo", - "text": "Se estiver usando serviços LoadBalancer de IP privado, use uma sub-rede dedicada (não a sub-rede AKS)", + "text": "Habilitar bloqueios de recursos em contas de armazenamento", "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "checklist": "Azure Blob Storage Review", + "description": "Considere políticas de \"retenção legal\" ou \"retenção baseada em tempo\" para blobs, de modo que seja impossível excluir o blob, o contêiner ou a conta de armazenamento. 
Por favor, note que \"impossível\" significa na verdade \"impossível\"; uma vez que uma conta de armazenamento contém um blob imutável, a única maneira de 'se livrar' dessa conta de armazenamento é cancelando a assinatura do Azure.", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Azure Storage", "severity": "Alto", - "text": "Dimensione o intervalo de endereços IP do serviço de acordo (isso limitará a escalabilidade do cluster)", - "waf": "Fiabilidade" + "text": "Considere blobs imutáveis", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", - "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", - "service": "AKS", - "severity": "Baixo", - "text": "Se necessário, adicione seu próprio plugin CNI", + "checklist": "Azure Blob Storage Review", + "description": "Considere desabilitar o acesso HTTP/80 desprotegido à conta de armazenamento, para que todas as transferências de dados sejam criptografadas, protegidas por integridade e o servidor seja autenticado. 
", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Azure Storage", + "severity": "Alto", + "text": "Exigir HTTPS, ou seja, desativar a porta 80 na conta de armazenamento", "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", - "service": "AKS", - "severity": "Baixo", - "text": "Se necessário, configure o IP público por nó no AKS", - "waf": "Desempenho" + "checklist": "Azure Blob Storage Review", + "description": "Ao configurar um domínio personalizado (nome do host) em uma conta de armazenamento, verifique se você precisa de TLS/HTTPS; em caso afirmativo, talvez seja necessário colocar a CDN do Azure na frente da sua conta de armazenamento.", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Azure Storage", + "severity": "Alto", + "text": "Ao impor HTTPS (desabilitando HTTP), verifique se você não usa domínios personalizados (CNAME) para a conta de armazenamento.", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", - "link": "https://learn.microsoft.com/azure/aks/concepts-network", - "service": "AKS", + "checklist": "Azure Blob Storage Review", + "description": "Exigir HTTPS quando um cliente usa um token SAS para acessar dados de blob ajuda a minimizar o risco de perda de credenciais.", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": "Azure Storage", "severity": "Média", - "text": "Usar um controlador 
de entrada para expor aplicativos baseados na Web em vez de expô-los com serviços do tipo LoadBalancer", - "waf": "Fiabilidade" + "text": "Limitar tokens de assinatura de acesso compartilhado (SAS) somente a conexões HTTPS", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", - "link": "https://learn.microsoft.com/azure/aks/nat-gateway", - "service": "AKS", - "severity": "Baixo", - "text": "Usar o Gateway NAT do Azure como outboundType para dimensionar o tráfego de saída", - "waf": "Fiabilidade" + "checklist": "Azure Blob Storage Review", + "description": "Os tokens AAD devem ser favorecidos em relação às assinaturas de acesso compartilhado, sempre que possível", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Azure Storage", + "severity": "Alto", + "text": "Usar tokens do Azure Active Directory (Azure AD) para acesso de blob", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", - "service": "AKS", + "checklist": "Azure Blob Storage Review", + "description": "Ao atribuir uma função a um usuário, grupo ou aplicativo, conceda a essa entidade de segurança apenas as permissões necessárias para que eles executem suas tarefas. 
Limitar o acesso aos recursos ajuda a evitar o uso indevido não intencional e mal-intencionado de seus dados.", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Azure Storage", "severity": "Média", - "text": "Usar alocações dinâmicas de IPs para evitar o esgotamento de IP do CNI do Azure", - "waf": "Fiabilidade" + "text": "Privilégio mínimo nas permissões do IaM", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", - "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", - "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", - "service": "AKS", + "checklist": "Azure Blob Storage Review", + "description": "Uma SAS de delegação de usuário é protegida com credenciais do Azure Active Directory (Azure AD) e também pelas permissões especificadas para a SAS. Uma SAS de delegação de usuário é análoga a uma SAS de serviço em termos de escopo e função, mas oferece benefícios de segurança em relação à SAS de serviço. 
", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Azure Storage", "severity": "Alto", - "text": "Filtre o tráfego de saída com AzFW/NVA se seus requisitos de segurança exigirem", + "text": "Ao usar o SAS, prefira o SAS de delegação de usuário ao SAS baseado em chave de conta de armazenamento.", "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", - "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", - "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", - "service": "AKS", - "severity": "Média", - "text": "Se estiver usando um ponto de extremidade de API público, restrinja os endereços IP que podem acessá-lo", + "checklist": "Azure Blob Storage Review", + "description": "As chaves de conta de armazenamento ('chaves compartilhadas') têm pouquíssimos recursos de auditoria. Embora possa ser monitorado em quem/quando foi obtida uma cópia das chaves, uma vez que as chaves estão nas mãos de várias pessoas, é impossível atribuir o uso a um usuário específico. Depender exclusivamente da autenticação do AAD facilita a vinculação do acesso ao armazenamento a um usuário. 
", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Azure Storage", + "severity": "Alto", + "text": "Considere desabilitar as chaves de conta de armazenamento, para que somente o acesso ao AAD (e a delegação de usuários SAS) seja suportado.", "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", - "link": "https://learn.microsoft.com/azure/aks/private-clusters", - "service": "AKS", + "checklist": "Azure Blob Storage Review", + "description": "Use os dados do Registro de atividades para identificar \"quando\", \"quem\", \"o que\" e \"como\" a segurança da sua conta de armazenamento está sendo visualizada ou alterada (ou seja, chaves de conta de armazenamento, políticas de acesso, etc.).", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Azure Storage", "severity": "Alto", - "text": "Use clusters privados se seus requisitos exigirem", + "text": "Considere usar o Azure Monitor para auditar as operações do plano de controle na conta de armazenamento", "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", 
- "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", + "checklist": "Azure Blob Storage Review", + "description": "Uma política de expiração de chave permite que você defina um lembrete para a rotação das chaves de acesso da conta. O lembrete será exibido se o intervalo especificado tiver decorrido e as teclas ainda não tiverem sido giradas.", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Azure Storage", "severity": "Média", - "text": "Para os nós AKS do Windows 2019 e 2022, as Diretivas de Rede Calico podem ser usadas ", + "text": "Ao usar chaves de conta de armazenamento, considere habilitar uma 'política de expiração de chave'", "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", - "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", - "severity": "Alto", - "text": "Habilitar uma opção de Política de Rede do Kubernetes (Calico/Azure)", + "checklist": "Azure Blob Storage Review", + "description": "Uma diretiva de expiração SAS especifica um intervalo recomendado sobre o qual a SAS é válida. As políticas de expiração do SAS se aplicam a um SAS de serviço ou a um SAS de conta. 
Quando um usuário gera SAS de serviço ou SAS de conta com um intervalo de validade maior do que o intervalo recomendado, ele verá um aviso.", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Azure Storage", + "severity": "Média", + "text": "Considere configurar uma política de expiração SAS", "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", - "severity": "Alto", - "text": "Usar diretivas de rede do Kubernetes para aumentar a segurança intra-cluster", + "checklist": "Azure Blob Storage Review", + "description": "As políticas de acesso armazenado oferecem a opção de revogar permissões para uma SAS de serviço sem precisar gerar novamente as chaves da conta de armazenamento. 
", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Azure Storage", + "severity": "Média", + "text": "Considere vincular o SAS a uma política de acesso armazenado", "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "checklist": "Azure Blob Storage Review", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Azure Storage", + "severity": "Média", + "text": "Considere configurar o repositório de código-fonte do aplicativo para detectar cadeias de conexão com check-in e chaves de conta de armazenamento.", + "waf": "Segurança" + }, + { + "checklist": "Azure Blob Storage Review", + "description": "Idealmente, seu aplicativo deve estar usando uma identidade gerenciada para autenticar no Armazenamento do Azure. 
Se isso não for possível, considere ter a credencial de armazenamento (cadeia de conexão, chave de conta de armazenamento, SAS, credencial da entidade de serviço) no Azure KeyVault ou em um serviço equivalente.", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Azure Storage", "severity": "Alto", - "text": "Usar um WAF para cargas de trabalho da Web (UIs ou APIs)", + "text": "Considere armazenar cadeias de conexão no Cofre de Chaves do Azure (em cenários em que identidades gerenciadas não são possíveis)", "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", - "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", - "service": "AKS", - "severity": "Média", - "text": "Usar DDoS Standard na Rede Virtual AKS", + "checklist": "Azure Blob Storage Review", + "description": "Use tempos de expiração de curto prazo em um SAS de serviço SAS ad hoc ou SAS de conta. Dessa forma, mesmo que um SAS seja comprometido, ele é válido apenas por um curto período de tempo. Essa prática é especialmente importante se você não puder fazer referência a uma política de acesso armazenado. 
Os tempos de expiração de curto prazo também limitam a quantidade de dados que podem ser gravados em um blob, limitando o tempo disponível para carregar nele.", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", + "severity": "Alto", + "text": "Esforce-se por curtos períodos de validade para SAS ad-hoc", "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", - "link": "https://learn.microsoft.com/azure/aks/http-proxy", - "service": "AKS", - "severity": "Baixo", - "text": "Se necessário, adicione o proxy HTTP da empresa", + "checklist": "Azure Blob Storage Review", + "description": "Ao criar um SAS, seja o mais específico e restritivo possível. 
Prefira um SAS para um único recurso e operação em vez de um SAS que dá acesso muito mais amplo.", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", + "severity": "Média", + "text": "Aplicar um escopo restrito a uma SAS", "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", - "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", - "service": "AKS", + "checklist": "Azure Blob Storage Review", + "description": "Uma SAS pode incluir parâmetros nos quais endereços IP de cliente ou intervalos de endereços estão autorizados a solicitar um recurso usando a SAS. ", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Azure Storage", "severity": "Média", - "text": "Considere o uso de uma malha de serviço para gerenciamento avançado de comunicação de microsserviços", + "text": "Considere a definição do escopo do SAS para um endereço IP de cliente específico, sempre que possível", "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", - "service": "AKS", - "severity": "Alto", - "text": "Configurar alertas nas métricas mais críticas (consulte Insights de contêiner para obter recomendações)", - "waf": "Operações" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "337453a3-cc63-4963-9a65-22ac19e80696", - "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", - "service": "AKS", + "checklist": "Azure Blob Storage 
Review", + "description": "Um SAS não pode restringir a quantidade de dados que um cliente carrega; Dado o modelo de precificação da quantidade de armazenamento ao longo do tempo, pode fazer sentido validar se os clientes carregaram conteúdo maliciosamente grande.", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Azure Storage", "severity": "Baixo", - "text": "Verifique regularmente o Azure Advisor para obter recomendações sobre o seu cluster", - "waf": "Operações" + "text": "Considere verificar os dados carregados, depois que os clientes usaram um SAS para carregar um arquivo. ", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", - "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", - "service": "AKS", - "severity": "Baixo", - "text": "Habilitar a rotação automática do certificado AKS", - "waf": "Operações" + "checklist": "Azure Blob Storage Review", + "description": "Ao acessar o armazenamento de blob via SFTP usando uma 'conta de usuário local', os controles RBAC 'normais' não se aplicam. O acesso a blobs via NFS ou REST pode ser mais restritivo do que o acesso a SFTP. 
Infelizmente, no início de 2023, os usuários locais são a única forma de gerenciamento de identidade que atualmente é suportada para o ponto de extremidade SFTP", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Azure Storage", + "severity": "Alto", + "text": "SFTP: Limite a quantidade de 'usuários locais' para acesso SFTP e audite se o acesso é necessário ao longo do tempo.", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", - "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", - "service": "AKS", - "severity": "Alto", - "text": "Tenha um processo regular para atualizar sua versão do kubernetes periodicamente (trimestralmente, por exemplo), ou use o recurso de atualização automática do AKS", - "waf": "Operações" + "checklist": "Azure Blob Storage Review", + "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Azure Storage", + "severity": "Média", + "text": "SFTP: O ponto de extremidade SFTP não oferece suporte a ACLs do tipo POSIX.", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", - "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", - "service": "AKS", + "checklist": "Azure Blob Storage Review", + "description": "O armazenamento oferece suporte a CORS (Cross-Origin Resource Sharing), ou seja, um recurso HTTP que permite que aplicativos Web de um domínio diferente afrouxem a política de mesma origem. 
Ao habilitar o CORS, mantenha o CorsRules com o menor privilégio.", + "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Azure Storage", "severity": "Alto", - "text": "Use kured para atualizações de nó do Linux caso você não esteja usando a atualização de imagem de nó", - "waf": "Operações" + "text": "Evite políticas CORS excessivamente amplas", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", - "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", - "service": "AKS", + "checklist": "Azure Blob Storage Review", + "description": "Os dados em repouso são sempre criptografados no lado do servidor e, além disso, também podem ser criptografados no lado do cliente. A criptografia do lado do servidor pode acontecer usando uma chave gerenciada por plataforma (padrão) ou uma chave gerenciada pelo cliente. A criptografia do lado do cliente pode acontecer fazendo com que o cliente forneça uma chave de criptografia/descriptografia por blob para o armazenamento do Azure ou manipulando completamente a criptografia no lado do cliente. portanto, não depende do Armazenamento do Azure para garantias de confidencialidade.", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Azure Storage", "severity": "Alto", - "text": "Tenha um processo regular para atualizar as imagens do nó do cluster periodicamente (semanalmente, por exemplo)", - "waf": "Operações" + "text": "Determine como os dados em repouso devem ser criptografados. 
Entenda o modelo de thread para dados.", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", - "service": "AKS", - "severity": "Baixo", - "text": "Considere gitops para implantar aplicativos ou configuração de cluster em vários clusters", - "waf": "Operações" + "checklist": "Azure Blob Storage Review", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Azure Storage", + "severity": "Média", + "text": "Determine qual/se a criptografia de plataforma deve ser usada.", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d7672c26-7602-4482-85a4-14527fbe855c", - "link": "https://learn.microsoft.com/azure/aks/command-invoke", - "service": "AKS", - "severity": "Baixo", - "text": "Considere o uso do comando AKS invoke em clusters privados", - "waf": "Operações" + "checklist": "Azure Blob Storage Review", + "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Azure Storage", + "severity": "Média", + "text": "Determine qual/se a criptografia do lado do cliente deve ser usada.", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", - "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", - "service": "AKS", - "severity": "Baixo", - "text": "Para eventos planejados, considere o uso do Dreno Automático de Nó", - "waf": 
"Operações" + "checklist": "Azure Blob Storage Review", + "description": "Aproveite o Resource Graph Explorer (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) para localizar contas de armazenamento que permitem acesso anônimo a blobs.", + "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Azure Storage", + "severity": "Alto", + "text": "Considere se o acesso de blob público é necessário ou se pode ser desabilitado para determinadas contas de armazenamento. ", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", - "link": "https://learn.microsoft.com/azure/aks/faq", - "service": "AKS", - "severity": "Alto", - "text": "Desenvolver práticas próprias de governança para garantir que nenhuma alteração seja realizada pelos operadores no nó RG (também conhecido como 'infra RG')", - "waf": "Operações" + "checklist": "Azure Spring Apps Review", + "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", + "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", + "service": "Spring Apps", + "severity": "Média", + "text": "Os Aplicativos Spring do Azure permitem duas implantações para cada aplicativo, apenas um dos quais recebe tráfego de produção. Você pode obter tempo de inatividade zero com estratégias de implantação em verde azul. A implantação verde azul só está disponível nas camadas Standard e Enterprise. 
Você pode automatizar a implantação usando CI/CD com ações do ADO/GitHub", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", - "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", - "severity": "Baixo", - "text": "Use o nome personalizado do Node RG (também conhecido como 'Infra RG')", - "waf": "Operações" + "checklist": "Azure Spring Apps Review", + "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", + "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", + "service": "Spring Apps", + "severity": "Média", + "text": "As instâncias do Azure Spring Apps podem ser criadas em várias regiões para seus aplicativos e o tráfego pode ser roteado pelo Gerenciador de Tráfego/Front Door.", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", - "link": "https://kubernetes.io/docs/setup/release/notes/", - "service": "AKS", + "checklist": "Azure Spring Apps Review", + "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", + "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", + "service": "Spring Apps", "severity": "Média", - "text": "Não use APIs do Kubernetes preteridas em seus manifestos do YAML", - "waf": "Operações" + "text": "Na região com suporte, os Aplicativos Spring do Azure podem ser implantados como zona redundante, o que significa que as instâncias são distribuídas automaticamente entre zonas de disponibilidade. 
Esse recurso só está disponível nas camadas Standard e Enterprise.",
+ "waf": "Fiabilidade"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed",
- "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters",
- "service": "AKS",
- "severity": "Baixo",
- "text": "Manchar os nós do Windows",
- "waf": "Operações"
+ "checklist": "Azure Spring Apps Review",
+ "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066",
+ "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment",
+ "service": "Spring Apps",
+ "severity": "Média",
+ "text": "Usar mais de 1 instância de aplicativo para seus aplicativos",
+ "waf": "Fiabilidade"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e",
- "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2",
- "service": "AKS",
- "severity": "Baixo",
- "text": "Mantenha o nível de patch dos contêineres do Windows sincronizado com o nível do patch do host",
- "waf": "Operações"
+ "checklist": "Azure Spring Apps Review",
+ "guid": "7504c230-6035-4183-95a5-85762acc6075",
+ "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services",
+ "service": "Spring Apps",
+ "severity": "Média",
+ "text": "Monitore os Aplicativos Spring do Azure com logs, métricas e rastreamento. 
Integre o ASA com insights de aplicativos e rastreie falhas e crie pastas de trabalho.",
+ "waf": "Fiabilidade"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "description": "Por meio de Configurações de Diagnóstico no nível do cluster",
- "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5",
- "link": "https://learn.microsoft.com/azure/aks/monitor-aks",
- "service": "AKS",
- "severity": "Baixo",
- "text": "Envie logs mestre (também conhecidos como logs de API) para o Azure Monitor ou sua solução de gerenciamento de logs preferida",
- "waf": "Operações"
+ "checklist": "Azure Spring Apps Review",
+ "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6",
+ "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway",
+ "service": "Spring Apps",
+ "severity": "Média",
+ "text": "Configurar o dimensionamento automático no Spring Cloud Gateway",
+ "waf": "Fiabilidade"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21",
- "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot",
- "service": "AKS",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "97411607-b6fd-4335-99d1-9885faf4e392",
+ "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale",
+ "service": "Spring Apps",
"severity": "Baixo",
- "text": "Se necessário, use instantâneos do nodePool",
- "waf": "Custar"
+ "text": "Habilite o dimensionamento automático para os aplicativos com o plano de consumo padrão e dedicado.",
+ "waf": "Fiabilidade"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0",
- "link": "https://learn.microsoft.com/azure/aks/spot-node-pool",
- "service": "AKS",
- "severity": "Baixo",
- "text": "Considere pools de nós spot para cargas de trabalho não sensíveis ao tempo",
- 
"waf": "Operações"
+ "checklist": "Azure Spring Apps Review",
+ "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3",
+ "link": "https://learn.microsoft.com/azure/spring-apps/overview",
+ "service": "Spring Apps",
+ "severity": "Média",
+ "text": "Use o plano Enterprise para suporte comercial de inicialização spring para aplicativos de missão crítica. Com outras camadas, você obtém suporte a OSS.",
+ "waf": "Fiabilidade"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant",
- "guid": "c755562f-2b4e-4456-9b4d-874a748b662e",
- "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
- "service": "AKS",
+ "checklist": "Azure Event Hub Review",
+ "description": "O Hub de Eventos do Azure fornece criptografia de dados em repouso. Se você usar sua própria chave, os dados ainda serão criptografados usando a chave gerenciada pela Microsoft, mas, além disso, a chave gerenciada pela Microsoft será criptografada usando a chave gerenciada pelo cliente. 
",
+ "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6",
+ "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key",
+ "service": "Event Hubs",
"severity": "Baixo",
- "text": "Considere o nó virtual AKS para intermitência rápida",
- "waf": "Operações"
+ "text": "Usar a opção de chave gerenciada pelo cliente na criptografia de dados em repouso quando necessário",
+ "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
+ "waf": "Segurança"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
- "service": "AKS",
- "severity": "Alto",
- "text": "Monitore suas métricas de cluster com o Container Insights (ou outras ferramentas como o Prometheus)",
- "waf": "Operações"
+ "checklist": "Azure Event Hub Review",
+ "description": "Os namespaces dos Hubs de Eventos do Azure permitem que os clientes enviem e recebam dados com TLS 1.0 e superior. Para impor medidas de segurança mais rígidas, você pode configurar o namespace dos Hubs de Eventos para exigir que os clientes enviem e recebam dados com uma versão mais recente do TLS. Se um namespace de Hubs de Eventos exigir uma versão mínima do TLS, todas as solicitações feitas com uma versão mais antiga falharão. 
",
+ "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e",
+ "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version",
+ "service": "Event Hubs",
+ "severity": "Média",
+ "text": "Impor uma versão mínima necessária do TLS (Transport Layer Security) para solicitações ",
+ "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
+ "waf": "Segurança"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant",
- "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
- "service": "AKS",
- "severity": "Alto",
- "text": "Armazene e analise seus logs de cluster com o Container Insights (ou outras ferramentas como Telegraf/ElasticSearch)",
- "waf": "Operações"
+ "checklist": "Azure Event Hub Review",
+ "description": "Quando você cria um namespace de Hubs de Eventos, uma regra de política chamada RootManageSharedAccessKey é criada automaticamente para o namespace. Essa política tem permissões de gerenciamento para todo o namespace. É recomendável que você trate essa regra como uma conta raiz administrativa e não a use em seu aplicativo. Recomenda-se o uso do AAD como um provedor de autenticação com RBAC. 
",
+ "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d",
+ "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies",
+ "service": "Event Hubs",
+ "severity": "Média",
+ "text": "Evite usar conta root quando não for necessário",
+ "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/",
+ "waf": "Segurança"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669",
- "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze",
- "service": "AKS",
+ "checklist": "Azure Event Hub Review",
+ "description": "As identidades gerenciadas para recursos do Azure podem autorizar o acesso a recursos dos Hubs de Eventos usando credenciais do Azure AD de aplicativos em execução em VMs (Máquinas Virtuais) do Azure, aplicativos de Função, Conjuntos de Dimensionamento de Máquina Virtual e outros serviços. Usando identidades gerenciadas para recursos do Azure junto com a autenticação do Azure AD, você pode evitar o armazenamento de credenciais com seus aplicativos executados na nuvem. ",
+ "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776",
+ "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest",
+ "service": "Event Hubs",
"severity": "Média",
- "text": "Monitorar a utilização da CPU e da memória dos nós",
- "waf": "Operações"
+ "text": "Quando possível, seu aplicativo deve estar usando uma identidade gerenciada para autenticar no Hub de Eventos do Azure. 
Caso contrário, considere ter a credencial de armazenamento (SAS, credencial da entidade de serviço) no Cofre de Chaves do Azure ou em um serviço equivalente",
+ "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
+ "waf": "Segurança"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "1a4835ac-9422-423e-ae80-b123081a5417",
- "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
- "service": "AKS",
+ "checklist": "Azure Event Hub Review",
+ "description": "Ao criar permissões, forneça controle refinado sobre o acesso de um cliente ao Hub de Eventos do Azure. As permissões no Hub de Eventos do Azure podem e devem ter o escopo definido para o nível de recurso individual, por exemplo, grupo de consumidores, entidade de hub de eventos, namespaces de hub de eventos, etc.",
+ "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2",
+ "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs",
+ "service": "Event Hubs",
+ "severity": "Alto",
+ "text": "Usar RBAC do plano de dados de privilégios mínimos",
+ "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
+ "waf": "Segurança"
+ },
+ {
+ "checklist": "Azure Event Hub Review",
+ "description": "Os logs de recursos do Hub de Eventos do Azure incluem logs operacionais, logs de rede virtual e logs de Kafka. 
Os logs de auditoria de tempo de execução capturam informações de diagnóstico agregadas para todas as operações de acesso ao plano de dados (como eventos de envio ou recebimento) nos Hubs de Eventos.",
+ "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db",
+ "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference",
+ "service": "Event Hubs",
"severity": "Média",
- "text": "Se estiver usando o Azure CNI, monitore a % de IPs de pod consumidos por nó",
- "waf": "Operações"
+ "text": "Habilite o registro em log para investigação de segurança. Use o Azure Monitor para capturar métricas e logs como logs de recursos, logs de auditoria de tempo de execução e logs Kafka",
+ "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
+ "waf": "Segurança"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "description": "A E/S no disco do sistema operacional é um recurso crítico. Se o sistema operacional nos nós for limitado na E/S, isso pode levar a um comportamento imprevisível, geralmente terminando no nó sendo declarado NotReady",
- "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b",
- "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance",
- "service": "AKS",
+ "checklist": "Azure Event Hub Review",
+ "description": "Por padrão, o Hub de Eventos do Azure tem um endereço IP público e pode ser acessado pela Internet. Os pontos de extremidade privados permitem que o tráfego entre sua rede virtual e o Hub de Eventos do Azure percorra a rede de backbone da Microsoft. Além disso, você deve desabilitar os pontos de extremidade públicos se eles não forem usados. 
",
+ "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc",
+ "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service",
+ "service": "Event Hubs",
"severity": "Média",
- "text": "Monitorar a profundidade da fila de disco do sistema operacional nos nós",
- "waf": "Operações"
+ "text": "Considere o uso de pontos de extremidade privados para acessar o Hub de Eventos do Azure e desabilitar o acesso à rede pública quando aplicável.",
+ "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
+ "waf": "Segurança"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "be209d39-fda4-4777-a424-d116785c2fa5",
- "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
- "service": "AKS",
+ "checklist": "Azure Event Hub Review",
+ "description": "Com o firewall IP, você pode restringir ainda mais o ponto de extremidade público a apenas um conjunto de endereços IPv4 ou intervalos de endereços IPv4 na notação CIDR (Roteamento entre Domínios Sem Classe). 
",
+ "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd",
+ "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering",
+ "service": "Event Hubs",
"severity": "Média",
- "text": "Se não estiver usando filtragem de saída com AzFW/NVA, monitore as portas SNAT ALB alocadas padrão",
- "waf": "Operações"
+ "text": "Considere permitir apenas o acesso ao namespace do Hub de Eventos do Azure a partir de endereços IP ou intervalos específicos",
+ "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "waf": "Segurança"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9",
- "link": "https://learn.microsoft.com/azure/aks/aks-resource-health",
- "service": "AKS",
+ "checklist": "Azure Event Hub Review",
+ "guid": "31d41e36-11c8-417b-8afb-c410d4391898",
+ "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx",
+ "service": "Event Hubs",
"severity": "Média",
- "text": "Assine as notificações de integridade de recursos para seu cluster AKS",
- "waf": "Operações"
+ "text": "Aproveite o Manual de Resilência do FTA",
+ "waf": "Fiabilidade"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
- "service": "AKS",
+ "checklist": "Azure Event Hub Review",
+ "description": " Isso será ativado automaticamente para um novo namespace de EH criado a partir do portal com SKUs Premium, Dedicado ou Standard em uma região habilitada para região. 
Os metadados do EH e os próprios dados do evento são replicados entre zonas",
+ "guid": "f15bce21-9e4a-40eb-9787-9424d226786d",
+ "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones",
+ "service": "Event Hubs",
"severity": "Alto",
- "text": "Configurar solicitações e limites nas especificações do pod",
- "waf": "Operações"
+ "text": "Aproveite as zonas de disponibilidade, se aplicável regionalmente",
+ "waf": "Fiabilidade"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "769ef669-1a48-435a-a942-223ece80b123",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
- "service": "AKS",
+ "checklist": "Azure Event Hub Review",
+ "guid": "20b56c56-ad58-4519-8f82-735c586bb281",
+ "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers",
+ "service": "Event Hubs",
"severity": "Média",
- "text": "Impor cotas de recursos para namespaces",
- "waf": "Operações"
+ "text": "Use os SKUs Premium ou Dedicado para desempenho previsível",
+ "waf": "Fiabilidade"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "081a5417-4158-433e-a3ad-3c2de733165c",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
- "service": "AKS",
+ "checklist": "Azure Event Hub Review",
+ "description": "O recurso interno de recuperação de desastres geográficos, quando habilitado, garante que toda a configuração de um namespace (Hubs de Eventos, Grupos de Consumidores e configurações) seja replicada continuamente de um namespace primário para um namespace secundário e permite uma movimentação de failover única do primário para o secundário a qualquer momento. 
O recurso Ativo/Passivo foi projetado para facilitar a recuperação e o abandono de uma região do Azure com falha sem precisar alterar as configurações do aplicativo",
+ "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd",
+ "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal",
+ "service": "Event Hubs",
"severity": "Alto",
- "text": "Verifique se sua assinatura tem cota suficiente para expandir seus nodepools",
- "waf": "Operações"
+ "text": "Planejar a recuperação de desastres geográficos usando a configuração passiva ativa",
+ "waf": "Fiabilidade"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant",
- "guid": "90ce65de-8e13-4f9c-abd4-69266abca264",
- "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
- "service": "AKS",
+ "checklist": "Azure Event Hub Review",
+ "description": "Deve ser usado para configurações de DR em que uma interrupção ou perda de dados de eventos na região derrubada não pode ser tolerada. Para esses casos, siga as diretrizes de replicação e não use o recurso interno de recuperação de desastres geográficos (ativo/passivo). 
Com Ativo/Ativo, mantenha vários Hubs de Eventos em diferentes regiões e namespaces, e os eventos serão replicados entre os hubs",
+ "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e",
+ "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview",
+ "service": "Event Hubs",
"severity": "Média",
- "text": "Usar o Autoscaler de Cluster",
- "waf": "Desempenho"
+ "text": "Para aplicativos críticos para os negócios, use a configuração ativa",
+ "waf": "Fiabilidade"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant",
- "guid": "831c2872-c693-4b39-a887-a561bada49bc",
- "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration",
- "service": "AKS",
- "severity": "Baixo",
- "text": "Personalizar a configuração do nó para pools de nós AKS",
- "waf": "Desempenho"
+ "checklist": "Azure Event Hub Review",
+ "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c",
+ "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design",
+ "service": "Event Hubs",
+ "severity": "Média",
+ "text": "Projetar Hubs de Eventos Resilientes",
+ "waf": "Fiabilidade"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121",
- "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
- "service": "AKS",
+ "checklist": "IoT Hub Review",
+ "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones",
+ "service": "IoT",
+ "severity": "Alto",
+ "text": "Aproveitar zonas de disponibilidade, se aplicável regionalmente (isso é habilitado automaticamente)",
+ "waf": "Fiabilidade"
+ },
+ {
+ "checklist": "IoT Hub Review",
+ "guid": 
"35f651e8-0124-4ef7-8c57-658e38609e6e",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover",
+ "service": "IoT",
"severity": "Média",
- "text": "Use o Autoscaler do Pod Horizontal quando necessário",
- "waf": "Desempenho"
+ "text": "Esteja ciente dos failovers iniciados pela Microsoft. Eles são exercidos pela Microsoft em raras situações para fazer failover de todos os hubs IoT de uma região afetada para a região geo-emparelhada correspondente.",
+ "waf": "Fiabilidade"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "description": "Nós maiores trarão maior desempenho e recursos, como discos efêmeros e rede acelerada, mas aumentarão o raio de explosão e diminuirão a granularidade de dimensionamento",
- "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3",
- "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/",
- "service": "AKS",
+ "checklist": "IoT Hub Review",
+ "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr",
+ "service": "IoT",
"severity": "Alto",
- "text": "Considere um tamanho de nó apropriado, não muito grande ou muito pequeno",
- "waf": "Desempenho"
+ "text": "Considere uma estratégia de DR entre regiões para cargas de trabalho críticas",
+ "waf": "Fiabilidade"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d",
- "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits",
- "service": "AKS",
- "severity": "Baixo",
- "text": "Se mais de 5000 nós forem necessários para escalabilidade, considere o uso de um cluster AKS adicional",
- "waf": "Desempenho"
+ "checklist": "IoT Hub Review",
+ "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1",
+ "link": 
"https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover",
+ "service": "IoT",
+ "severity": "Alto",
+ "text": "Saiba como acionar um failover manual.",
+ "waf": "Fiabilidade"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb",
- "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks",
- "service": "AKS",
- "severity": "Baixo",
- "text": "Considere assinar o EventGrid Events para automação AKS",
- "waf": "Desempenho"
+ "checklist": "IoT Hub Review",
+ "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback",
+ "service": "IoT",
+ "severity": "Alto",
+ "text": "Saiba como fazer failback após um failover.",
+ "waf": "Fiabilidade"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d",
- "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations",
- "service": "AKS",
- "severity": "Baixo",
- "text": "Para operações de longa duração em um cluster AKS, considere o encerramento do evento",
- "waf": "Desempenho"
+ "checklist": "Cognitive Search Review Checklist",
+ "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability",
+ "service": "Cognitive Search",
+ "severity": "Alto",
+ "text": "Permitir que 2 réplicas tenham 99,9% de disponibilidade para operações de leitura",
+ "waf": "Fiabilidade"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021",
- "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts",
- "service": "AKS",
- "severity": "Baixo",
- "text": "Se necessário, considere usar hosts dedicados do Azure para nós AKS",
- "waf": "Desempenho"
+ "checklist": 
"Cognitive Search Review Checklist",
+ "guid": "7d956fd9-788a-4845-9b9f-c0340972d810",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability",
+ "service": "Cognitive Search",
+ "severity": "Média",
+ "text": "Permitir que 3 réplicas tenham 99,9% de disponibilidade para operações de leitura/gravação",
+ "waf": "Fiabilidade"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant",
- "guid": "24367b33-6971-45b1-952b-eee0b9b588de",
- "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
- "service": "AKS",
+ "checklist": "Cognitive Search Review Checklist",
+ "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support",
+ "service": "Cognitive Search",
"severity": "Alto",
- "text": "Usar discos efêmeros do sistema operacional",
- "waf": "Desempenho"
+ "text": "Aproveite as zonas de disponibilidade habilitando réplicas de leitura e/ou gravação",
+ "waf": "Fiabilidade"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07",
- "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types",
- "service": "AKS",
- "severity": "Alto",
- "text": "Para discos não efêmeros, use IOPS altos e discos maiores do sistema operacional para os nós ao executar muitos pods/nó, pois requer alto desempenho para executar vários pods e gerará logs enormes com limites de rotação de log AKS padrão",
- "waf": "Desempenho"
+ "checklist": "Cognitive Search Review Checklist",
+ "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291",
+ "link": 
"https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions",
+ "service": "Cognitive Search",
+ "severity": "Média",
+ "text": "Para redução regional, crie manualmente serviços em 2 ou mais regiões para a Pesquisa, pois não fornece um método automatizado de replicação de índices de pesquisa entre regiões geográficas",
+ "waf": "Fiabilidade"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db",
- "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks",
- "service": "AKS",
- "severity": "Baixo",
- "text": "Para a opção de armazenamento de hiperdesempenho, use Ultra Disks no AKS",
- "waf": "Desempenho"
+ "checklist": "Cognitive Search Review Checklist",
+ "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services",
+ "service": "Cognitive Search",
+ "severity": "Média",
+ "text": "Para sincronizar dados em vários serviços: Use indexadores para atualizar conteúdo em vários serviços ou Use APIs REST para enviar atualizações de conteúdo em vários serviços",
+ "waf": "Fiabilidade"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "9f7547c1-747d-4c56-868a-714435bd19dd",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region",
- "service": "AKS",
+ "checklist": "Cognitive Search Review Checklist",
+ "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests",
+ "service": "Cognitive Search",
"severity": "Média",
- "text": "Evite manter o estado no cluster e armazene dados fora (AzStorage, AzSQL, Cosmos, etc)",
- "waf": "Desempenho"
+ "text": "Usar o Gerenciador de Tráfego do Azure para coordenar solicitações",
+ "waf": 
"Fiabilidade"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "24429eb7-2281-4376-85cc-57b4a4b18142",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage",
- "service": "AKS",
- "severity": "Média",
- "text": "Se estiver usando o AzFiles Standard, considere o AzFiles Premium e/ou ANF por motivos de desempenho",
- "waf": "Desempenho"
+ "checklist": "Cognitive Search Review Checklist",
+ "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives",
+ "service": "Cognitive Search",
+ "severity": "Alto",
+ "text": "Backup e restauração de um índice de pesquisa cognitiva do Azure. Use este código de exemplo para fazer backup da definição de índice e instantâneo em uma série de arquivos Json",
+ "waf": "Fiabilidade"
},
{
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "83958a8c-2689-4b32-ab57-cfc64546135a",
- "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support",
- "service": "AKS",
+ "checklist": "Identity Review Checklist",
+ "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c",
+ "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens",
+ "service": "Entra",
"severity": "Média",
- "text": "Se estiver usando Discos e AZs do Azure, considere ter nodepools dentro de uma zona para disco LRS com VolumeBindingMode:WaitForFirstConsumer para provisionar armazenamento na zona direita ou use o disco ZRS para nodepools abrangendo várias zonas",
- "waf": "Desempenho"
+ "text": "Use o token revogável de longa duração, armazene seu token em cache e adquira o token silenciosamente usando a Microsoft Identity Library",
+ "waf": "Fiabilidade"
},
{
- "checklist": "Azure Function Review",
- "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b",
- "link": 
"https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans",
- "service": "Azure Functions",
- "severity": "Alto",
- "text": "Selecione o plano de hospedagem de função certo com base em seus requisitos de negócios e SLO",
+ "checklist": "Identity Review Checklist",
+ "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd",
+ "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops",
+ "service": "AAD B2C",
+ "severity": "Média",
+ "text": "Certifique-se de que os fluxos de usuário de entrada sejam armazenados em backup e resilientes. Certifique-se de que o código que você usa para entrar em seus usuários é de backup e recuperável. Interfaces resilientes com processos externos",
"waf": "Fiabilidade"
},
{
- "checklist": "Azure Function Review",
- "guid": "a9808100-d640-4f77-ac56-1ec0600f6752",
- "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans",
- "service": "Azure Functions",
- "severity": "Alto",
- "text": "Aproveitar zonas de disponibilidade quando aplicável regionalmente (não disponível para a camada de consumo)",
+ "checklist": "Identity Review Checklist",
+ "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296",
+ "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network",
+ "service": "AAD B2C",
+ "severity": "Média",
+ "text": "Os ativos de marca personalizados devem ser hospedados em uma CDN",
+ "waf": "Desempenho"
+ },
+ {
+ "checklist": "Identity Review Checklist",
+ "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64",
+ "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance",
+ "service": "AAD B2C",
+ "severity": "Baixo",
+ "text": "Ter vários provedores de identidade (ou seja, fazer login com suas contas da Microsoft, Google, Facebook)",
"waf": "Fiabilidade"
},
{
- "checklist": "Azure Function Review",
- "guid": "5969d03e-eacf-4042-b127-73c55e3575fa",
- "link": 
"https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", - "service": "Azure Functions", + "checklist": "Identity Review Checklist", + "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "Média", - "text": "Considere uma estratégia de DR entre regiões para cargas de trabalho críticas", + "text": "Siga as regras de VM para alta disponibilidade no nível da VM (discos premium, dois ou mais em uma região, em zonas de disponibilidade diferentes)", "waf": "Fiabilidade" }, { - "checklist": "Azure Function Review", - "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Azure Functions", - "severity": "Alto", - "text": "Se estiver implantando em um ambiente isolado, use ou migre para o ASE (Ambiente do Serviço de Aplicativo) v3", + "checklist": "Identity Review Checklist", + "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", + "severity": "Média", + "text": "Não replique! 
A replicação pode criar problemas com a sincronização de diretórios", "waf": "Fiabilidade" }, { - "checklist": "Azure Function Review", - "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "Azure Functions", - "severity": "Alto", - "text": "Verifique se 'Sempre Ativado' está habilitado para todos os Aplicativos de Função em execução no Plano do Serviço de Aplicativo", + "checklist": "Identity Review Checklist", + "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", + "severity": "Média", + "text": "Ter ativo-ativo para várias regiões", "waf": "Fiabilidade" }, { - "checklist": "Azure Function Review", - "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", - "service": "Azure Functions", + "checklist": "Identity Review Checklist", + "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "severity": "Média", - "text": "Emparelhe um aplicativo de função com sua própria conta de armazenamento. 
Tente não reutilizar contas de armazenamento para aplicativos de função, a menos que eles estejam firmemente acoplados", + "text": "Adicionar carimbos de serviço de Domínio do Azure AD a regiões e locais adicionais", "waf": "Fiabilidade" }, { - "checklist": "Azure Function Review", - "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "Azure Functions", + "checklist": "Identity Review Checklist", + "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "severity": "Média", - "text": "Aproveite o Azure DevOps ou o GitHub para simplificar o CI/CD e proteger seu código do Aplicativo de Função", - "waf": "Operações" + "text": "Usar conjuntos de réplicas para DR", + "waf": "Fiabilidade" } ], "metadata": { "name": "WAF checklist", - "timestamp": "June 17, 2024" + "timestamp": "June 24, 2024" }, "severities": [ { diff --git a/checklists/waf_checklist.zh-Hant.json b/checklists/waf_checklist.zh-Hant.json index e91289bf1..99f2d0d20 100644 --- a/checklists/waf_checklist.zh-Hant.json +++ b/checklists/waf_checklist.zh-Hant.json 
@@ -1,6371 +1,6236 @@ { "items": [ { - "checklist": "MySQL Review Checklist", - "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", - "service": "Azure MySQL", - "severity": "中等", - "text": "利用靈活伺服器", + "checklist": "Device Provisioning Service Review", + "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", + "service": "IoT Hub DPS", + "severity": "高", + "text": "根據業務和 SLO 要求選擇正確的邏輯應用託管計劃", "waf": "可靠性" }, { - "checklist": "MySQL Review Checklist", - "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", - "service": "Azure MySQL", + "checklist": "Device Provisioning Service Review", + "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "IoT Hub DPS", "severity": "高", - "text": "利用區域適用的可用區", + "text": "使用區域冗餘和可用性區域保護邏輯應用免受區域故障的影響", "waf": "可靠性" }, { - "checklist": "MySQL Review Checklist", - "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", - "service": "Azure MySQL", - "severity": "中等", - "text": "將數據傳入複製用於跨區域災難恢復方案", + "checklist": "Device Provisioning Service Review", + "guid": "8aed4fbf-0830-4883-899d-222a154af478", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "IoT Hub DPS", + "severity": "高", + "text": "考慮為關鍵工作負載制定跨區域災難恢復策略", "waf": "可靠性" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": 
"41faa1ed-b7f0-447d-8cba-4a4905e5bb83", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", + "checklist": "Device Provisioning Service Review", + "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "IoT Hub DPS", "severity": "高", - "text": "使 2 個副本具有 99.9% 的讀取操作可用性", + "text": "如果部署到獨立環境,請使用或遷移到應用服務環境 (ASE) v3", "waf": "可靠性" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", + "checklist": "Device Provisioning Service Review", + "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "IoT Hub DPS", "severity": "中等", - "text": "使 3 個副本具有 99.9% 的讀/寫操作可用性", - "waf": "可靠性" - }, - { - "checklist": "Cognitive Search Review Checklist", - "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", - "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", - "service": "Cognitive Search", - "severity": "高", - "text": "通過啟用讀取和/或寫入副本來利用可用區", - "waf": "可靠性" + "text": "利用 Azure DevOps 或 GitHub 簡化 CI/CD 並保護邏輯應用代碼", + "waf": "操作" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", - "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", - "service": "Cognitive Search", + "checklist": "Identity Review Checklist", + "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", + "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", + "service": "Entra", "severity": "中等", - "text": "對於區域冗餘,請在2個或更多區域中為搜索手動創建服務,因為它不提供跨地理區域複製搜索索引的自動方法", + "text": "使用長期可撤銷令牌,緩存令牌並使用 Microsoft 標識庫以靜默方式獲取令牌", 
"waf": "可靠性" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", - "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", - "service": "Cognitive Search", + "checklist": "Identity Review Checklist", + "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", + "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", + "service": "AAD B2C", "severity": "中等", - "text": "若要跨多個服務同步數據,請使用索引器更新多個服務上的內容,或使用 REST API 推送多個服務上的內容更新", + "text": "請確保登錄使用者流已備份並具有復原能力。請確保用於登錄使用者的代碼已備份且可恢復。與外部進程的彈性介面", "waf": "可靠性" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", - "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", - "service": "Cognitive Search", + "checklist": "Identity Review Checklist", + "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", + "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", + "service": "AAD B2C", "severity": "中等", - "text": "使用 Azure 流量管理器協調請求", - "waf": "可靠性" + "text": "自訂品牌資產應託管在CDN上", + "waf": "性能" }, { - "checklist": "Cognitive Search Review Checklist", - "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", - "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", - "service": "Cognitive Search", - "severity": "高", - "text": "備份和還原 Azure 認知搜索索引。使用此範例代碼將索引定義和快照備份到一系列 Json 檔", + "checklist": "Identity Review Checklist", + "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", + "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", + "service": "AAD B2C", + "severity": "低", + "text": "擁有多個標識提供者(即使用您的 Microsoft、Google、Facebook 帳戶登錄)", "waf": "可靠性" }, { - "checklist": "Redis Resiliency checklist", - "guid": "65285269-440b-44be-9d3e-0844276d4bdc", - 
"link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", - "service": "Redis", - "severity": "高", - "text": "為 Azure Cache for Redis 啟用區域冗餘。Azure Cache for Redis 支持高級層和企業層中的區域冗餘配置。區域冗餘緩存可以將其節點放置在同一區域的不同 Azure 可用性區域中。它消除了作為單點故障的數據中心或可用區中斷,並提高了緩存的整體可用性。", + "checklist": "Identity Review Checklist", + "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", + "severity": "中等", + "text": "遵循 VM 規則,實現 VM 級別的高可用性(高級磁碟,一個區域中的兩個或更多磁碟,位於不同的可用性區域)", "waf": "可靠性" }, { - "checklist": "Redis Resiliency checklist", - "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", - "service": "Redis", + "checklist": "Identity Review Checklist", + "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "中等", - "text": "為 Azure Cache for Redis 實例配置數據持久性。由於緩存數據存儲在記憶體中,因此多個節點的罕見和計劃外故障可能會導致所有數據被丟棄。為了避免完全丟失數據,Redis 持久性允許您定期拍攝記憶體中數據的快照,並將其存儲到存儲帳戶中。", + "text": "不要複製!複製可能會產生目錄同步問題", "waf": "可靠性" }, { - "checklist": "Redis Resiliency checklist", - "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", - "service": "Redis", + "checklist": "Identity Review Checklist", + "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "中等", - "text": "使用異地冗餘存儲帳戶保留 Azure Cache for Redis 數據,或在異地冗餘不可用的情況下使用區域冗餘", + "text": "對多區域具有主動-主動", "waf": "可靠性" }, { - "checklist": "Redis Resiliency checklist", - "guid": 
"a8c26c9b-32ab-45bd-bc69-98a135e33789", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", - "service": "Redis", + "checklist": "Identity Review Checklist", + "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "severity": "中等", - "text": "為高級 Azure Cache for Redis 實例配置被動異地複製。異地複製是一種用於連結兩個或多個 Azure Cache for Redis 實例的機制,通常跨越兩個 Azure 區域。異地複製主要用於跨區域災難恢復。兩個高級層緩存實例通過異地複製進行連接,從而提供對主緩存的讀取和寫入,並將數據複製到輔助緩存。", + "text": "將 Azure AD 域服務標記添加到其他區域和位置", "waf": "可靠性" }, { - "checklist": "Azure Data Factory Review Checklist", - "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", - "service": "Azure Data Factory", + "checklist": "Identity Review Checklist", + "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "severity": "中等", - "text": "利用 Azure 數據工廠的 FTA 復原能力手冊", + "text": "將副本集用於DR", "waf": "可靠性" }, { - "checklist": "Azure Data Factory Review Checklist", - "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "checklist": "IoT Hub Review", + "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", + "service": "IoT", "severity": "高", - "text": "在支援可用區的區域中使用區域冗餘管道", + "text": "利用可用區(如果區域適用)(這是自動啟用的)", "waf": "可靠性" }, { - "checklist": "Azure Data Factory Review Checklist", - "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", - "link": "https://learn.microsoft.com/azure/data-factory/source-control", - "service": "Azure Data Factory", + "checklist": "IoT 
Hub Review", + "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", "severity": "中等", - "text": "使用 DevOps 透過 Github/Azure DevOps 集成備份 ARM 範本", + "text": "請注意 Microsoft 發起的故障轉移。Microsoft 在極少數情況下會執行這些操作,以將所有IoT中心從受影響的區域故障轉移到相應的異地配對區域。", "waf": "可靠性" }, { - "checklist": "Azure Data Factory Review Checklist", - "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", - "severity": "中等", - "text": "請確保在另一個區域中複製自承載集成運行時 VM", + "checklist": "IoT Hub Review", + "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", + "service": "IoT", + "severity": "高", + "text": "考慮為關鍵工作負載制定跨區域災難恢復策略", "waf": "可靠性" }, { - "checklist": "Azure Data Factory Review Checklist", - "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", - "severity": "中等", - "text": "請確保在姊妹區域中複製或複製您的網路。必須在另一個區域創建 Vnet 的副本", + "checklist": "IoT Hub Review", + "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", + "severity": "高", + "text": "瞭解如何觸發手動故障轉移。", "waf": "可靠性" }, { - "checklist": "Azure Data Factory Review Checklist", - "description": "如果ADF管道使用Key Vault,則無需執行任何操作即可複製Key Vault。Key Vault 是一項託管服務,Microsoft 會為你處理它", - "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Azure Data Factory", + "checklist": "IoT Hub Review", + "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", + "link": 
"https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", + "service": "IoT", + "severity": "高", + "text": "瞭解如何在故障轉移後進行故障回復。", + "waf": "可靠性" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", + "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", + "service": "AKS", "severity": "低", - "text": "如果使用 Keyvault 集成,請使用 Keyvault 的 SLA 來瞭解可用性", + "text": "如果 AKS Windows 工作負載需要,可以使用 HostProcess 容器", "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", - "service": "Entra", - "severity": "中等", - "text": "使用一個 Entra 租戶來管理 Azure 資源,除非你對多租戶有明確的法規或業務要求。", - "waf": "操作" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", + "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", + "service": "AKS", + "severity": "低", + "text": "如果運行事件驅動的工作負載,請使用KEDA", + "waf": "性能" }, { - "checklist": "Azure Landing Zone Review", - "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Entra", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", + "link": "https://dapr.io/", + "service": "AKS", "severity": "低", - "text": "確保採用多租戶自動化方法來管理 Microsoft Entra ID 租戶", + "text": "使用 Dapr 簡化微服務開發", "waf": "操作" }, { - "checklist": "Azure Landing Zone Review", - "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "Entra", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", + "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", + "link": "https://learn.microsoft.com/azure/aks/uptime-sla", + "service": "AKS", + "severity": "高", + "text": "使用 SLA 支援的 AKS 產品/服務", + "waf": "可靠性" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "severity": "低", - "text": "利用 Azure Lighthouse 進行多租戶管理", - "waf": "操作" + "text": "在容器和部署定義中使用中斷預算", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Entra", + "checklist": "Azure AKS Review", + "guid": "3c763963-7a55-42d5-a15e-401955387e5c", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", + "service": "ACR", + "severity": "高", + "text": "如果使用專用註冊表,請配置區域複製以將映像存儲在多個區域中", + "waf": "可靠性" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", + "service": "AKS", + "severity": "低", + "text": "使用外部應用(如 kubecost)將成本分配給不同的使用者", + "waf": "成本" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS 
Review", + "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", + "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", + "service": "AKS", + "severity": "低", + "text": "使用縮減模式刪除/取消分配節點", + "waf": "成本" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", + "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", + "service": "AKS", "severity": "中等", - "text": "確保合作夥伴使用 Azure Lighthouse 管理租戶", + "text": "需要時,請在 AKS 群集上使用多實例分組 GPU", "waf": "成本" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "348ef254-c27d-442e-abba-c7571559ab91", - "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", - "service": "Entra", - "severity": "高", - "text": "強制實施與雲運營模型一致的 RBAC 模型。跨管理組和訂閱的範圍和分配。", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", + "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", + "service": "AKS", + "severity": "低", + "text": "如果運行開發/測試群集,請使用 NodePool Start/Stop", + "waf": "成本" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", - "service": "Entra", - "severity": "高", - "text": "僅對所有帳戶類型使用身份驗證類型「工作或學校帳戶」。避免使用 Microsoft 帳戶", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = 
(isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", + "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", + "service": "AKS", + "severity": "中等", + "text": "使用適用於 Kubernetes 的 Azure Policy 確保群集符合性", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "Entra", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", + "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", "severity": "中等", - "text": "僅使用組來分配許可權。如果組管理系統已到位,則將本地組添加到僅 Entra ID 組。", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "text": "使用使用者/系統節點池將應用程式與控制平面分開", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", - "service": "Entra", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", "severity": "低", - "text": "對任何有權訪問 Azure 環境的用戶強制實施 Microsoft Entra ID 條件訪問策略", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "text": "向系統節點池添加污點以使其專用", "waf": "安全" }, { - "ammp": 
true, - "checklist": "Azure Landing Zone Review", - "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", - "service": "Entra", - "severity": "高", - "text": "對有權訪問 Azure 環境的任何使用者強制實施多重身份驗證", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", + "link": "https://learn.microsoft.com/azure/container-registry/", + "service": "AKS", + "severity": "中等", + "text": "對映像使用專用註冊表,例如 ACR", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "14658d35-58fd-4772-99b8-21112df27ee4", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "Entra", + "checklist": "Azure AKS Review", + "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", + "link": "https://learn.microsoft.com/azure/security-center/container-security", + "service": "ACR", "severity": "中等", - "text": "強制實施 Microsoft Entra ID 特權身份管理 (PIM) 以建立零長期訪問許可權和最低許可權", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "text": "掃描映像以查找漏洞", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", - "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", - "service": "Entra", - "severity": "中等", - "text": "如果計劃從 Active Directory 域服務切換到 Entra 域服務,請評估所有工作負載的相容性", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", + "service": "AKS", + "severity": "高", + "text": 
"定義應用分離要求(命名空間/節點池/集群)", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", - "service": "Entra", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", + "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", + "service": "AKS", "severity": "中等", - "text": "將 Microsoft Entra ID 日誌與平臺中心 Azure Monitor 集成。Azure Monitor 允許圍繞 Azure 中的日誌和監視數據提供單一事實源,從而為組織提供雲原生選項,以滿足有關日誌收集和保留的要求。", + "text": "使用 CSI 機密存儲驅動程式將機密存儲在 Azure Key Vault 中", "waf": "安全" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "984a859c-773e-47d2-9162-3a765a917e1f", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", - "service": "Entra", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", + "link": "https://learn.microsoft.com/azure/aks/update-credentials", + "service": "AKS", "severity": "高", - "text": "實施緊急訪問或打破玻璃帳戶,以防止租戶範圍的帳戶鎖定", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "text": "如果將服務主體用於群集,請定期刷新憑據(如每季度)", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "35037e68-9349-4c15-b371-228514f4cdff", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "Entra", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", + "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", + "service": "AKS", "severity": "中等", - "text": "避免將本地同步帳戶用於 Microsoft Entra ID 角色分配。", - "training": 
"https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "text": "如果需要,請添加金鑰管理服務 etcd 加密", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Entra", - "severity": "中等", - "text": "如果需要,請使用 Microsoft Entra ID 應用程式代理為遠端使用者提供對內部應用程式(託管在雲中或本地)的安全和經過身份驗證的訪問。", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", + "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", + "service": "AKS", + "severity": "低", + "text": "如果需要,請考慮使用適用於 AKS 的機密計算", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", - "service": "VNet", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", + "service": "AKS", "severity": "中等", - "text": "利用基於傳統中心輻射型網路拓撲的網路設計,滿足需要最大靈活性的網路方案。", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "text": "考慮使用 Defender for Containers", "waf": "安全" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/expressroute", - "service": "VNet", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where 
type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", + "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", + "service": "AKS", "severity": "高", - "text": "確保共用網路服務(包括 ExpressRoute 閘道、VPN 閘道和 Azure 防火牆或合作夥伴 NVA)位於中心虛擬網路中。如有必要,還可以部署 DNS 伺服器。", - "waf": "成本" + "text": "使用託管標識而不是服務主體", + "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "VNet", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", + "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", + "link": "https://learn.microsoft.com/azure/aks/managed-aad", + "service": "AKS", "severity": "中等", - "text": "對應用程式登陸區域中的所有公共IP位址使用 DDoS 網路或IP防護計畫。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "將身份驗證與 AAD(使用託管集成)集成", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", - "severity": "中等", - "text": "部署合作夥伴網路技術或 NVA 時,請遵循合作夥伴供應商的指導", - "waf": "可靠性" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", - "service": "ExpressRoute", - "severity": "低", - "text": "如果需要在中心輻射型方案中的 ExpressRoute 和 VPN 閘道之間傳輸,請使用 Azure 路由伺服器。", + 
"arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", + "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", + "service": "AKS", + "severity": "中等", + "text": "限制對管理員 kubeconfig (get-credentials --admin) 的訪問", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", - "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", - "service": "ARS", - "severity": "低", - "text": "如果使用 Route Server,請對 Route Server 子網使用 /27 前置綴。", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", + "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", + "service": "AKS", + "severity": "中等", + "text": "將授權與 AAD RBAC 集成", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", - "service": "VNet", - "severity": "中等", - "text": "對於跨 Azure 區域具有多個中心輻射型拓撲的網路體系結構,請使用中心 VNet 之間的全域虛擬網路對等互連將區域相互連接。", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", - "waf": "性能" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", + "link": 
"https://learn.microsoft.com/azure/aks/operator-best-practices-identity", + "service": "AKS", + "severity": "高", + "text": "在 Kubernetes 中使用命名空間限制 RBAC 許可權", + "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", - "service": "VNet", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", + "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", + "service": "AKS", "severity": "中等", - "text": "使用用於網路的 Azure Monitor 監視 Azure 上網路的端到端狀態。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "waf": "操作" + "text": "對於 Pod Identity Access Management,請使用 Azure AD 工作負載標識(預覽版)", + "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", - "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", + "service": "AKS", "severity": "中等", - "text": "將分支虛擬網路連接到中央中心虛擬網路時,請考慮 VNet 對等互連限制 (500),即可通過 ExpressRoute 播發的最大前綴數 (1000)", - "waf": "可靠性" + "text": "對於 AKS 非互動式登錄名,請使用 kubelogin(預覽版)", + "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where 
type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant",
- "guid": "3d457936-e9b7-41eb-bdff-314b26450b12",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
- "service": "VNet",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant",
+ "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts",
+ "service": "AKS",
 "severity": "中等",
- "text": "考慮每個路由表的路由限制 (400)。",
- "waf": "可靠性"
+ "text": "禁用 AKS 本地帳戶",
+ "waf": "安全"
 },
 {
- "ammp": true,
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)",
- "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering",
- "service": "VNet",
- "severity": "高",
- "text": "配置 VNet 對等互連時,使用「允許流量流向遠端虛擬網路」設置",
- "waf": "可靠性"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks",
+ "service": "AKS",
+ "severity": "低",
+ "text": "如果需要,請配置 Just-in-time 群集訪問",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure 
Landing Zone Review", - "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", - "service": "ExpressRoute", - "severity": "中等", - "text": "使用 ExpressRoute Direct 時,請配置 MACsec,以便加密組織路由器和 MSEE 之間的第二層級別的流量。該圖顯示了流中的此加密。", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "低", + "text": "如果需要,為 AKS 配置 AAD 條件訪問", "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", - "service": "ExpressRoute", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", + "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", + "service": "AKS", "severity": "低", - "text": "對於無法使用MACsec的方案(例如,不使用ExpressRoute Direct),請使用 VPN 閘道通過 ExpressRoute 專用對等互連建立 IPsec 隧道。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "text": "如果 Windows AKS 工作負載需要,請配置 gMSA", "waf": "安全" }, { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "558fd772-49b8-4211-82df-27ee412e7f98", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "ExpressRoute", - "severity": "高", - "text": "確保在 Azure 區域和本地位置之間不使用重疊的 IP 位址空間", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS 
Review", + "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", + "service": "AKS", + "severity": "中等", + "text": "為了獲得更精細的控制,請考慮使用託管的 Kubelet 身份", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", - "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", - "severity": "低", - "text": "使用專用 Internet 位址分配範圍 (RFC 1918) 中的 IP 位址。", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", + "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", + "service": "AKS", + "severity": "中等", + "text": "如果使用 AGIC,請勿跨集群共用 AppGW", + "waf": "可靠性" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, 
compliant", - "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", + "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", + "link": "https://learn.microsoft.com/azure/aks/http-application-routing", + "service": "AKS", "severity": "高", - "text": "確保IP位址空間不被浪費,不要創建不必要的大型虛擬網路(例如 /16)Ensure that that IP address space is not disdised, don't create un不必要的大型虛擬網路(例如 /16)Ensure that that IP address space is not waste, don't create un不必要的大型虛擬網络(例如 /16)Ensure that that IP address space is", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "text": "不要使用 AKS HTTP 路由載入項,而是將託管 NGINX 入口與應用程式路由載入項一起使用。", + "waf": "可靠性" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", + "service": "AKS", + "severity": "中等", + "text": "對於 Windows 工作負載,請使用加速網路", "waf": "性能" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", - "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", - "service": "VNet", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct 
id,compliant", + "guid": "ba7da7be-9952-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "severity": "高", - "text": "避免對生產網站和DR網站使用重疊的IP位址範圍。", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "text": "使用標準 ALB(而不是基本 ALB)", "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", - "service": "DNS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", + "service": "AKS", "severity": "中等", - "text": "對於只需要在 Azure 中進行名稱解析的環境,請使用 Azure 專用 DNS 進行解析,並使用委派區域進行名稱解析(例如“azure.contoso.com”)。", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "操作" + "text": "如果使用 Azure CNI,請考慮對 NodePool 使用不同的子網", + "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", - "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", - "service": "DNS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", + "service": "AKS", "severity": "中等", - "text": "對於需要跨 Azure 和本地進行名稱解析的環境,請考慮使用 Azure DNS 專用解析程式。", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", + "text": "使用專用終結點(首選)或虛擬網路服務終結點從群集訪問 PaaS 服務", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", - "link": 
"https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", - "service": "DNS", - "severity": "低", - "text": "需要並部署自己的 DNS(例如 Red Hat OpenShift)的特殊工作負載應使用其首選的 DNS 解決方案。", - "waf": "操作" - }, - { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "614658d3-558f-4d77-849b-821112df27ee", - "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", - "service": "DNS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", + "guid": "a0f61565-9de5-458f-a372-49c831112dbd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "severity": "高", - "text": "啟用 Azure DNS 的自動註冊,以自動管理虛擬網路中部署的虛擬機的 DNS 記錄的生命週期。", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "操作" + "text": "選擇最適合你要求的 CNI 網路外掛程式(建議使用 Azure CNI)", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", - "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", - "service": "Bastion", - "severity": "中等", - "text": "請考慮使用 Azure Bastion 安全地連接到網路。", - "waf": "安全" - }, - { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", - "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", - "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", - "service": "Bastion", - 
"severity": "中等", - "text": "在子網 /26 或更大範圍內使用 Azure Bastion。", - "waf": "安全" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "WAF", - "severity": "中等", - "text": "使用 Azure Front Door 和 WAF 策略跨 Azure 區域為與登陸區域的入站 HTTP/S 連接提供全域保護。", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "安全" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", - "severity": "低", - "text": "使用 Azure Front Door 和 Azure 應用程式閘道幫助保護 HTTP/S 應用時,請使用 Azure Front Door 中的 WAF 策略。鎖定 Azure 應用程式閘道,以便僅接收來自 Azure Front Door 的流量。", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "高", + "text": "如果使用 Azure CNI,請根據每個節點的最大 Pod 數相應地調整子網的大小", + "waf": "性能" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "severity": "高", - "text": "部署 WAF 和其他反向代理是入站 HTTP/S 連接所必需的,將它們部署在登陸區域虛擬網路中,並與它們保護並公開給 Internet 的應用一起部署。", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "安全" + "text": "如果使用 Azure CNI,請檢查每個節點的最大 Pod 
數(預設為 30)", + "waf": "性能" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", - "severity": "高", - "text": "使用 Azure DDoS 網路或 IP 保護計劃來幫助保護虛擬網路中的公共 IP 位址終結點。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "對於內部應用,組織通常會在其防火牆中打開整個AKS子網。這也會打開對節點的網路訪問,並可能打開對 Pod 的訪問(如果使用 Azure CNI)。如果 LoadBalancer IP 位於不同的子網中,則只有此子網可供應用用戶端使用。另一個原因是,如果 AKS 子網中的 IP 位址是稀缺資源,則將其 IP 位址用於服務會降低群集的最大可伸縮性。", + "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", + "link": "https://learn.microsoft.com/azure/aks/internal-lb", + "service": "AKS", + "severity": "低", + "text": "如果使用專用IP LoadBalancer服務,請使用專用子網(而不是 AKS 子網)", "waf": "安全" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "b034c01e-110b-463a-b36e-e3346e57f225", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", - "service": "VNet", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "severity": "高", - "text": "在即將到來的重大更改之前,評估和審查網路出站流量配置和策略。2025 年 9 月 30 日,新部署的預設出站訪問將停用,僅允許顯式訪問配置", + "text": "相應調整服務 IP 位址範圍的大小(這將限制群集的可伸縮性)", "waf": "可靠性" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", - "severity": "高", - "text": "添加診斷設置以保存所有受保護的公共IP位址(DDoS IP或網路保護)的 DDoS 相關日誌。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + 
"arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", + "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", + "service": "AKS", + "severity": "低", + "text": "如果需要,請添加您自己的 CNI 外掛程式", "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli", - "service": "ExpressRoute", - "severity": "中等", - "text": "確保已調查使用 ExpressRoute 作為與 Azure 的主要連接的可能性。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", + "service": "AKS", + "severity": "低", + "text": "如果需要,請在 AKS 中配置每個節點的公共 IP", "waf": "性能" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "description": "可以使用 AS 路徑前置和連接權重來影響從 Azure 到本地的流量,並使用自己的路由器中的全部 BGP 屬性來影響從本地到 Azure 的流量。", - "guid": "f29812b2-363c-4efe-879b-599de0d5973c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", - "service": "ExpressRoute", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", + "link": "https://learn.microsoft.com/azure/aks/concepts-network", + "service": "AKS", "severity": "中等", - "text": "使用多條 ExpressRoute 線路或多個本地位置時,請確保使用 BGP 屬性優化路由(如果首選某些路徑)。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "使用入口控制器公開基於 Web 的應用,而不是使用 LoadBalancer 類型的服務公開它們", "waf": "可靠性" }, { - 
"arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", - "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", - "service": "ExpressRoute", - "severity": "中等", - "text": "確保根據頻寬和性能要求為 ExpressRoute/VPN 閘道使用正確的 SKU。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "性能" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", + "link": "https://learn.microsoft.com/azure/aks/nat-gateway", + "service": "AKS", + "severity": "低", + "text": "使用 Azure NAT 閘道作為 outboundType 來縮放出口流量", + "waf": "可靠性" }, { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", - "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", - "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", - "service": "ExpressRoute", - "severity": "高", - "text": "確保僅當達到證明其成本合理的頻寬時,才使用無限數據的ExpressRoute線路。", - "waf": "成本" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", + "service": "AKS", 
+ "severity": "中等", + "text": "使用IP的動態分配來避免 Azure CNI IP 耗盡", + "waf": "可靠性" }, { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", - "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", - "service": "ExpressRoute", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", + "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", + "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", + "service": "AKS", "severity": "高", - "text": "如果線路的對等互連位置支援本地 SKU 的 Azure 區域,則利用 ExpressRoute 的本地 SKU 來降低線路的成本。", - "waf": "成本" + "text": "如果安全要求要求,請使用 AzFW/NVA 篩選出口流量", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", - "link": 
"https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", - "service": "ExpressRoute", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", + "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", + "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", + "service": "AKS", "severity": "中等", - "text": "在受支援的 Azure 區域中部署區域冗餘 ExpressRoute 閘道。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "可靠性" + "text": "如果使用公共 API 終端節點,請限制可以存取它的 IP 位址", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", - "severity": "中等", - "text": "對於需要高於 10 Gbps 的頻寬或專用 10/100 Gbps 埠的方案,請使用 ExpressRoute Direct。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "性能" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", + "link": "https://learn.microsoft.com/azure/aks/private-clusters", + "service": "AKS", + "severity": "高", + "text": "如果要求要求,請使用私有集群", + "waf": "安全" }, 
{ - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", - "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", - "service": "ExpressRoute", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "severity": "中等", - "text": "如果需要低延遲,或者從本地到 Azure 的輸送量必須大於 10 Gbps,請啟用 FastPath 以繞過數據路徑的 ExpressRoute 閘道。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "性能" + "text": "對於 Windows 2019 和 2022 AKS 節點,可以使用 Calico 網路策略", + "waf": "安全" }, { - "arm-service": "microsoft.network/vpnGateways", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", - "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", - "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", - "service": "VPN", - "severity": "中等", - "text": "使用區域冗餘 VPN 閘道將分支或遠端位置連接到 Azure(如果可用)。", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "可靠性" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", + "guid": 
"58d7c892-ddb1-407d-9769-ae669ca48e4a", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", + "severity": "高", + "text": "啟用 Kubernetes 網路策略選項 (Calico/Azure)", + "waf": "安全" }, { - "arm-service": "microsoft.network/vpnGateways", - "checklist": "Azure Landing Zone Review", - "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", - "service": "VPN", - "severity": "中等", - "text": "在本地使用冗餘 VPN 設備(主動/主動或主動/被動)。", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "可靠性" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", + "severity": "高", + "text": "使用 Kubernetes 網路策略提高集群內安全性", + "waf": "安全" }, { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "718cb437-b060-2589-8856-2e93a5c6633b", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", - "service": "ExpressRoute", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "severity": "高", - "text": "如果使用 ExpressRoute Direct,請考慮使用本地 Azure 區域的 ExpressRoute 本地線路來節省成本", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "成本" + "text": "將 WAF 用於 Web 工作負載(UI 或 API)", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", - "link": 
"https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", - "service": "ExpressRoute", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", + "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", + "service": "AKS", "severity": "中等", - "text": "當需要流量隔離或專用頻寬時(例如,用於分離生產環境和非生產環境),請使用不同的 ExpressRoute 線路。它將幫助您確保隔離的路由域並減輕干擾鄰居風險。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "在 AKS 虛擬網路中使用 DDoS 標準", "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b30e38c3-f298-412b-8363-cefe179b599d", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", - "service": "ExpressRoute", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | 
project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
+ "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266",
+ "link": "https://learn.microsoft.com/azure/aks/http-proxy",
+ "service": "AKS",
+ "severity": "低",
+ "text": "如果需要,請添加公司 HTTP 代理",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b",
+ "link": "https://learn.microsoft.com/azure/aks/servicemesh-about",
+ "service": "AKS",
 "severity": "中等",
- "text": "使用內置的 Express Route Insights 監視 ExpressRoute 的可用性和利用率。",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "text": "考慮使用服務網格進行高級微服務通信管理",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
+ "service": "AKS",
+ "severity": "高",
+ "text": "設定有關最關鍵指標的警報(請參閱容器見解以獲取建議)",
 "waf": "操作"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2",
- "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor",
- "service": "ExpressRoute",
- "severity": "中等",
- "text": "使用連接監視器進行跨網路的連接監視,尤其是在本地和 Azure 之間。",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "337453a3-cc63-4963-9a65-22ac19e80696",
+ "link": 
"https://learn.microsoft.com/azure/advisor/advisor-get-started", + "service": "AKS", + "severity": "低", + "text": "定期查看 Azure 顧問,瞭解有關群集的建議", "waf": "操作" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", - "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#challenges-of-using-multiple-expressroute-circuits", - "service": "ExpressRoute", - "severity": "中等", - "text": "使用來自不同對等互連位置的 ExpressRoute 線路實現冗餘。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "可靠性" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", + "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", + "service": "AKS", + "severity": "低", + "text": "啟用 AKS 自動證書輪換", + "waf": "操作" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", - "service": "ExpressRoute", - "severity": "中等", - "text": "使用網站到網站 VPN 作為 ExpressRoute 的故障轉移,尤其是在僅使用單個 ExpressRoute 線路時。", - "waf": "可靠性" + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", + "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", + "service": "AKS", + "severity": "高", + "text": "定期(例如,每季度)升級 kubernetes 版本,或使用 AKS 自動升級功能", + "waf": "操作" }, { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", - "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", - "service": "ExpressRoute", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", + "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", + "service": "AKS", "severity": "高", - "text": "如果在 GatewaySubnet 中使用路由表,請確保傳播閘道路由。", - "waf": "可靠性" + "text": "如果您不使用 node-image 升級,請使用 kured 進行 Linux 節點升級", + "waf": "操作" }, { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "d581a947-69a2-4783-942e-9df3664324c8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", - "service": "ExpressRoute", + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", + "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", + "service": "AKS", "severity": "高", - "text": "如果使用 ExpressRoute,則本地路由應是動態的:如果連接失敗,它應收斂到線路的剩餘連接。理想情況下,負載應在兩個連接之間共用為主動/主動,但也支持主動/被動。", - "waf": "可靠性" + "text": "定期(例如,每周)升級群集節點映像的常規過程", + "waf": "操作" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", - "service": "ExpressRoute", - "severity": "中等", - "text": "確保 ExpressRoute 線路的兩個物理連結連接到網路中的兩個不同的邊緣設備。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "可靠性" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", + "service": "AKS", + "severity": "低", + "text": "考慮使用 gitops 將應用程式或集群配置部署到多個集群", + "waf": "操作" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", - "service": "ExpressRoute", - "severity": "中等", - "text": "確保在客戶或供應商邊緣路由設備上啟用並配置雙向轉發檢測 (BFD)。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "可靠性" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d7672c26-7602-4482-85a4-14527fbe855c", + "link": "https://learn.microsoft.com/azure/aks/command-invoke", + "service": "AKS", + "severity": "低", + "text": "請考慮在專用群集上使用 AKS 命令調用", + "waf": "操作" }, { - 
"arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "ExpressRoute", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", + "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", + "service": "AKS", + "severity": "低", + "text": "對於計劃的事件,請考慮使用 Node Auto Drain", + "waf": "操作" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", + "link": "https://learn.microsoft.com/azure/aks/faq", + "service": "AKS", "severity": "高", - "text": "將 ExpressRoute 閘道連接到來自不同對等互連位置的兩條或多條線路,以提高復原能力。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "可靠性" + "text": "開發自己的治理實踐,以確保節點 RG(又名“基礎設施 RG”)中的操作員不會執行任何更改", + "waf": "操作" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", - "service": "ExpressRoute", - "severity": "中等", - "text": "為 ExpressRoute 虛擬網路閘道配置診斷日誌和警報。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", + "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", + 
"severity": "低", + "text": "使用自定義節點 RG(又名“Infra RG”)名稱", "waf": "操作" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "5234c93f-b651-41dd-80c1-234177b91ced", - "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", - "service": "ExpressRoute", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", + "link": "https://kubernetes.io/docs/setup/release/notes/", + "service": "AKS", "severity": "中等", - "text": "避免使用 ExpressRoute 線路進行 VNet 到 VNet 通信。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "性能" + "text": "請勿在 YAML 清單中使用已棄用的 Kubernetes API", + "waf": "操作" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", - "link": "https://learn.microsoft.com/azure/app-service/networking-features", - "service": "Firewall", - "severity": "高", - "text": "使用 Azure 防火牆管理發往 Internet 的 Azure 出站流量、非 HTTP/S 入站連接和東西向流量篩選(如果組織需要)", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", + "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", + "service": "AKS", + "severity": "低", + "text": "污染 Windows 節點", + "waf": "操作" }, { - "checklist": "Azure Landing Zone Review", - "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", - "severity": "中等", - "text": "創建全域 Azure 防火牆策略以管理全球網路環境中的安全狀況,並將其分配給所有 Azure 防火牆實例。通過 Azure 基於角色的訪問控制將增量防火牆策略委託給本地安全團隊,允許精細策略滿足特定區域的要求。", - "training": 
"https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", + "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", + "service": "AKS", + "severity": "低", + "text": "使 Windows 容器修補程式級別與主機修補程式級別保持同步", + "waf": "操作" }, { - "checklist": "Azure Landing Zone Review", - "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", - "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", - "service": "Firewall", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "通過群集級別的診斷設置", + "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", + "link": "https://learn.microsoft.com/azure/aks/monitor-aks", + "service": "AKS", "severity": "低", - "text": "如果組織希望使用此類解決方案來幫助保護出站連接,請在 Firewall Manager 中配置受支援的合作夥伴 SaaS 安全提供者。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "安全" + "text": "將主日誌(又名 API 紀錄)發送到 Azure Monitor 或首選日誌管理解決方案", + "waf": "操作" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", - "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", - "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", - "service": "Firewall", - "severity": "高", - "text": "使用基於 FQDN 的網路規則和具有 DNS 代理的 Azure 防火牆,通過應用程式規則不支援的協定篩選到 Internet 的出口流量。", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", + "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", + "service": "AKS", + 
"severity": "低", + "text": "如果需要,請使用 nodePool 快照", + "waf": "成本" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", - "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", - "link": "https://learn.microsoft.com/azure/firewall/premium-features", - "service": "Firewall", - "severity": "高", - "text": "使用 Azure 防火牆高級版提供額外的安全性和保護。", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", + "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", + "service": "AKS", + "severity": "低", + "text": "考慮將現成節點池用於對時間敏感的工作負載", + "waf": "操作" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", - "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", - "link": "https://learn.microsoft.com/azure/firewall/premium-features", - "service": "Firewall", - "severity": "高", - "text": "將 Azure 防火牆威脅情報模式配置為「警報」和「拒絕」,以獲得額外保護。", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", + "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", + "severity": "低", + "text": "考慮用於快速突發的 AKS 虛擬節點", + "waf": "操作" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 
'Deny') | project id, compliant", - "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", - "service": "Firewall", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", "severity": "高", - "text": "將 Azure 防火牆 IDPS 模式配置為「拒絕」 ,以獲得額外的保護。", - "waf": "安全" + "text": "使用 Container Insights(或 Prometheus 等其他工具)監控集群指標", + "waf": "操作" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", - "guid": "a3784907-9836-4271-aafc-93535f8ec08b", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", - 
"service": "Firewall", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", + "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", "severity": "高", - "text": "對於未連接到虛擬 WAN 的 VNet 中的子網,請附加路由表,以便將 Internet 流量重定向到 Azure 防火牆或網路虛擬設備", - "waf": "安全" + "text": "使用 Container Insights(或 Telegraf/ElasticSearch 等其他工具)存儲和分析集群日誌", + "waf": "操作" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "715d833d-4708-4527-90ac-1b142c7045ba", - "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", - "service": "Firewall", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", + "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", + "service": "AKS", "severity": "中等", - "text": "添加診斷設置,以使用「特定於資源」的目標表保存所有 Azure 防火牆部署的日誌。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "監控節點的 CPU 和記憶體利用率", "waf": "操作" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", - "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", - "service": "Firewall", - "severity": "重要", - "text": "從 Azure 防火牆經典規則(如果存在)遷移到防火牆策略。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1a4835ac-9422-423e-ae80-b123081a5417", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + 
"service": "AKS", + "severity": "中等", + "text": "如果使用 Azure CNI,請監視每個節點消耗的 Pod IP 的百分比", "waf": "操作" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", - "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", - "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", - "service": "Firewall", - "severity": "高", - "text": "對 Azure 防火牆子網使用 /26 前置綴。", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "OS 磁碟上的 I/O 是關鍵資源。如果節點中的操作系統在 I/O 上受到限制,這可能會導致不可預知的行為,通常最終導致節點被聲明為 NotReady", + "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", + "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", + "service": "AKS", + "severity": "中等", + "text": "監視節點中的OS磁碟佇列深度", + "waf": "操作" }, { - "checklist": "Azure Landing Zone Review", - "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", - "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", - "service": "Firewall", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "be209d39-fda4-4777-a424-d116785c2fa5", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "severity": "中等", - "text": "將防火牆策略中的規則排列到規則集合組和規則集合中,並根據它們的使用頻率", - "waf": "性能" + "text": "如果不對 AzFW/NVA 使用出口篩選,請監視標準 ALB 分配的 SNAT 連接埠", + "waf": "操作" }, { - "checklist": "Azure Landing Zone Review", - "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", - "link": 
"https://learn.microsoft.com/azure/firewall/ip-groups", - "service": "Firewall", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", + "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", + "service": "AKS", "severity": "中等", - "text": "使用IP組或IP前置綴來減少IP表規則的數量", - "waf": "性能" + "text": "訂閱 AKS 群集的資源運行狀況通知", + "waf": "操作" }, { - "checklist": "Azure Landing Zone Review", - "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", - "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", - "service": "Firewall", - "severity": "中等", - "text": "避免將通配符作為DNATS的源IP,例如*或任何通配符,您應該為傳入的DNAT指定源IP", - "waf": "性能" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", + "severity": "高", + "text": "在 Pod 規範中配置請求和限制", + "waf": "操作" }, { - "checklist": "Azure Landing Zone Review", - "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", - "link": "https://learn.microsoft.com/azure/nat-gateway/tutorial-hub-spoke-nat-firewall", - "service": "Firewall", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "769ef669-1a48-435a-a942-223ece80b123", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "severity": "中等", - "text": "通過監控 SNAT 埠使用方式、評估 NAT 閘道設置和確保無縫故障轉移來防止 SNAT 埠耗盡。如果埠計數接近限制,則表明 SNAT 耗盡可能迫在眉睫。", - "waf": "性能" + "text": "強制實施命名空間的資源配額", + "waf": "操作" }, { - "checklist": "Azure Landing Zone Review", - "guid": "346840b8-1064-496e-8396-4b1340172d52", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", - "service": "Firewall", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": 
"081a5417-4158-433e-a3ad-3c2de733165c", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "AKS", "severity": "高", - "text": "啟用 TLS 檢查", - "waf": "性能" + "text": "確保訂閱具有足夠的配額來橫向擴展節點池", + "waf": "操作" }, { - "checklist": "Azure Landing Zone Review", - "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", - "service": "Firewall", - "severity": "低", - "text": "使用 Web 類別允許或拒絕對特定主題的出站訪問。", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", + "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", + "severity": "中等", + "text": "使用群集自動縮放程式", "waf": "性能" }, { - "checklist": "Azure Landing Zone Review", - "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", - "service": "Firewall", - "severity": "中等", - "text": "作為 TLS 檢查的一部分,請計劃從 Azure 應用閘道接收流量以進行檢查。", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", + "guid": "831c2872-c693-4b39-a887-a561bada49bc", + "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", + "service": "AKS", + "severity": "低", + "text": "自定義 AKS 節點池的節點配置", "waf": "性能" }, { - "checklist": "Azure Landing Zone Review", - "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", - "link": "https://learn.microsoft.com/azure/firewall/dns-details", - "service": "Firewall", + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "severity": "中等", - "text": "啟用 Azure 防火牆 DNS 代理配置", - "waf": "安全" + "text": "需要時使用 Horizontal Pod Autoscaler", + "waf": "性能" }, { - "checklist": "Azure Landing Zone Review", - "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", - "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", - "service": "Firewall", - "severity": "中等", - "text": "確保有策略分配來拒絕直接綁定到虛擬機的公共IP位址", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "更大的節點將帶來更高的性能和功能,例如臨時磁碟和加速網路,但它們會增加爆炸半徑並降低擴展粒度", + "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", + "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", + "service": "AKS", + "severity": "高", + "text": "考慮適當的節點大小,不要太大或太小", + "waf": "性能" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", - "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", - "service": "Firewall", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", + "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", + "service": "AKS", "severity": "低", - "text": "將 Azure 防火牆與 Azure Monitor 集成,並啟用診斷日誌記錄來存儲和分析防火牆日誌。", - "waf": "操作" + "text": "如果可伸縮性需要超過 5000 個節點,請考慮使用其他 AKS 群集", + "waf": "性能" }, { - "checklist": "Azure Landing Zone Review", - "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": 
"9583c0f6-6083-43f6-aa6b-df7102c901bb", + "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", + "service": "AKS", "severity": "低", - "text": "為防火牆規則實施備份", - "waf": "操作" - }, - { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "App Gateway", - "severity": "高", - "text": "確保注入虛擬網路的 Azure PaaS 服務的控制平面通信不會中斷,例如,使用 0.0.0.0/0 路由或阻止控制平面流量的 NSG 規則。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "安全" + "text": "考慮訂閱 EventGrid Events for AKS 自動化", + "waf": "性能" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", - "link": "https://learn.microsoft.com/azure/app-service/networking-features", - "service": "ExpressRoute", - "severity": "中等", - "text": "通過專用終結點和 ExpressRoute 專用對等互連從本地訪問 Azure PaaS 服務。此方法可避免通過公共 Internet 進行傳輸。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", + "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", + "service": "AKS", + "severity": "低", + "text": "若要在 AKS 群集上長時間運行操作,請考慮事件終止", + "waf": "性能" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", - "guid": 
"4704489a-8042-4d88-b79d-17b73b22a5a6", - "link": "https://learn.microsoft.com/azure/app-service/networking-features", - "service": "VNet", - "severity": "中等", - "text": "默認情況下,不要在所有子網上啟用虛擬網路服務終結點。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", + "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", + "service": "AKS", + "severity": "低", + "text": "如果需要,請考慮將 Azure 專用主機用於 AKS 節點", + "waf": "性能" }, { - "checklist": "Azure Landing Zone Review", - "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", - "link": "https://learn.microsoft.com/azure/app-service/networking-features", - "service": "Firewall", - "severity": "中等", - "text": "使用 FQDN 而不是 Azure 防火牆或 NVA 中的 IP 位址篩選到 Azure PaaS 服務的出口流量,以防止數據外洩。如果使用專用連結,則可以阻止所有 FQDN,否則僅允許所需的 PaaS 服務。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", + "guid": "24367b33-6971-45b1-952b-eee0b9b588de", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", + "severity": "高", + "text": "使用臨時OS磁碟", + "waf": "性能" }, { - "ammp": true, - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = 
subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", - "service": "ExpressRoute", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "AKS", "severity": "高", - "text": "至少對閘道子網使用 /27 前置綴", - "waf": "安全" + "text": "對於非臨時磁碟,在運行多個 Pod/節點時,請為節點使用高 IOPS 和更大的 OS 磁碟,因為它需要高性能才能運行多個 Pod,並且會生成具有預設 AKS 日誌輪換閾值的大量日誌", + "waf": "性能" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", - "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", - "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", - 
"service": "NSG", - "severity": "中等", - "text": "不要依賴使用 VirtualNetwork 服務標記的 NSG 入站預設規則來限制連接。", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", + "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", + "service": "AKS", + "severity": "低", + "text": "對於超高性能存儲選項,請在 AKS 上使用超級磁碟For hyper performance storage option use Ultra Disks on AKS", + "waf": "性能" }, { - "checklist": "Azure Landing Zone Review", - "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", - "service": "NSG", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", + "service": "AKS", "severity": "中等", - "text": "使用 NSG 説明保護跨子網的流量,以及跨平台的東/西流量(登陸區域之間的流量)。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "安全" + "text": "避免將狀態保留在群集中,並將數據存儲在外部(AzStorage、AzSQL、Cosmos 等)", + "waf": "性能" }, { - "checklist": "Azure Landing Zone Review", - "graph": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)", - "guid": "9c2299c4-d7b5-47d0-a655-562f2b3e4563", - "service": "NSG", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", + 
"service": "AKS", "severity": "中等", - "text": "應用程式團隊應使用子網級別 NSG 的應用程式安全組來幫助保護登陸區域內的多層 VM。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "安全" + "text": "如果使用 AzFiles Standard,出於性能原因,請考慮使用 AzFiles Premium 和/或 ANF", + "waf": "性能" }, { - "checklist": "Azure Landing Zone Review", - "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "NSG", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", + "service": "AKS", "severity": "中等", - "text": "使用 NSG 和應用程式安全組對登陸區域內的流量進行微分段,並避免使用中央 NVA 篩選流量。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "安全" + "text": "如果使用 Azure 磁碟和可用區,請考慮在區域內為 LRS 磁碟設置節點池,並使用 VolumeBindingMode:WaitForFirstConsumer 在正確的區域中預配存儲,或將 ZRS 磁碟用於跨多個區域的節點池", + "waf": "性能" }, { - "checklist": "Azure Landing Zone Review", - "guid": "dfe237de-143b-416c-91d7-aa9b64704489", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "NSG", - "severity": "中等", - "text": "啟用 VNet 流日誌並將其饋送到流量分析中,以深入了解內部和外部流量流。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "waf": "安全" + "checklist": "Cognitive Search Review Checklist", + "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", + "severity": "高", + "text": "使 2 個副本具有 99.9% 的讀取操作可用性", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, 
compliant = (rules < 900)", - "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "NSG", + "checklist": "Cognitive Search Review Checklist", + "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", "severity": "中等", - "text": "考慮每個 NSG 的 NSG 規則限制 (1000)。", - "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "text": "使 3 個副本具有 99.9% 的讀/寫操作可用性", "waf": "可靠性" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", - "service": "VWAN", - "severity": "中等", - "text": "請考慮使用虛擬 WAN 簡化 Azure 網路管理,並確保在虛擬 WAN 路由設計清單中明確描述你的方案", - "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", - "waf": "操作" + "checklist": "Cognitive Search Review Checklist", + "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", + "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", + "service": "Cognitive Search", + "severity": "高", + "text": "通過啟用讀取和/或寫入副本來利用可用區", + "waf": "可靠性" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "VWAN", + "checklist": "Cognitive Search Review Checklist", + "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", + "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", + "service": "Cognitive Search", "severity": "中等", - "text": "使用每個 Azure 區域的虛擬 WAN 中心,通過通用的全域 Azure 虛擬 WAN 跨 Azure 區域將多個登陸區域連接在一起。", - 
"waf": "性能" + "text": "對於區域冗餘,請在2個或更多區域中為搜索手動創建服務,因為它不提供跨地理區域複製搜索索引的自動方法", + "waf": "可靠性" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "VWAN", - "severity": "低", - "text": "遵循“Azure 中的流量保留在 Azure 中”原則,以便通過 Microsoft 主幹網络在 Azure 中跨資源進行通信", - "waf": "性能" - }, - { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", - "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "VWAN", - "severity": "中等", - "text": "對於出站 Internet 流量保護和篩選,請在安全中心部署 Azure 防火牆", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "安全" - }, - { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "VWAN", - "severity": "中等", - "text": "確保網路體系結構在 Azure 虛擬 WAN 限制範圍內。", - "waf": "可靠性" - }, - { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", - "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", - "service": "VWAN", - "severity": "中等", - "text": "使用適用於虛擬 WAN 的 Azure Monitor 見解監視虛擬 WAN 的端到端拓撲、狀態和關鍵指標。", - "waf": "操作" - }, - { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", - "link": 
"https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", - "service": "VWAN", - "severity": "中等", - "text": "請確保 IaC 部署不會在虛擬 WAN 中禁用分支到分支通信,除非應顯式阻止這些流。", - "waf": "可靠性" - }, - { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", - "service": "VWAN", + "checklist": "Cognitive Search Review Checklist", + "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", + "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", + "service": "Cognitive Search", "severity": "中等", - "text": "使用 AS-Path 作為中心路由首選項,因為它比 ExpressRoute 或 VPN 更靈活。", + "text": "若要跨多個服務同步數據,請使用索引器更新多個服務上的內容,或使用 REST API 推送多個服務上的內容更新", "waf": "可靠性" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", - "service": "VWAN", + "checklist": "Cognitive Search Review Checklist", + "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", + "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", + "service": "Cognitive Search", "severity": "中等", - "text": "請確保 IaC 部署在虛擬 WAN 中配置基於標籤的傳播,否則虛擬中心之間的連接將受到損害。", + "text": "使用 Azure 流量管理器協調請求", "waf": "可靠性" }, { - "ammp": true, - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "9c75dfef-573c-461c-a698-68598595581a", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", - "service": "VWAN", + "checklist": "Cognitive Search Review Checklist", + "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", + "link": 
"https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", + "service": "Cognitive Search", "severity": "高", - "text": "為虛擬中心分配足夠的IP空間,最好是 /23前置綴。", + "text": "備份和還原 Azure 認知搜索索引。使用此範例代碼將索引定義和快照備份到一系列 Json 檔", "waf": "可靠性" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", - "severity": "高", - "text": "戰略性地利用 Azure Policy,為環境定義控制,使用策略計劃對相關策略進行分組。", + "checklist": "Azure Event Hub Review", + "description": "Azure 事件中心提供靜態數據加密。如果使用自己的金鑰,則仍使用 Microsoft 管理的金鑰對數據進行加密,但此外,Microsoft 管理的金鑰將使用客戶管理的密鑰進行加密。", + "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", + "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", + "service": "Event Hubs", + "severity": "低", + "text": "需要時,在靜態數據加密中使用客戶管理的金鑰選項", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "checklist": "Azure Event Hub Review", + "description": "Azure 事件中心命名空間允許用戶端使用 TLS 1.0 及更高版本發送和接收數據。若要強制實施更嚴格的安全措施,可以將事件中心命名空間配置為要求用戶端使用較新版本的 TLS 發送和接收數據。如果事件中心命名空間需要最低版本的 TLS,則使用舊版本發出的任何請求都將失敗。", + "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", + "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", + "service": "Event Hubs", "severity": "中等", - "text": "將法規和合規性要求映射到 Azure Policy 定義和 Azure 角色分配。", + "text": "對請求強制實施傳輸層安全性 (TLS) 的最低要求版本", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "223ace8c-b123-408c-a501-7f154e3ab369", - "link": 
"https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "checklist": "Azure Event Hub Review", + "description": "創建事件中心命名空間時,會自動為命名空間創建名為 RootManageSharedAccessKey 的策略規則。此策略具有整個命名空間的管理許可權。建議您將此規則視為管理根帳戶,不要在應用程式中使用它。建議將 AAD 用作 RBAC 的身份驗證提供程式。", + "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", + "service": "Event Hubs", "severity": "中等", - "text": "在中間根管理組建立 Azure Policy 定義,以便可以在繼承的範圍內分配這些定義", + "text": "避免在不必要的情況下使用root帳戶", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "3829e7e3-1618-4368-9a04-77a209945bda", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "checklist": "Azure Event Hub Review", + "description": "Azure 資源的託管標識可以使用 Azure AD 憑據從 Azure 虛擬機 (VM)、函數應用、虛擬機規模集和其他服務中運行的應用程式授權訪問事件中心資源。通過將 Azure 資源的託管標識與 Azure AD 身份驗證結合使用,可以避免將憑據存儲在雲中運行的應用程式中。", + "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", + "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", + "service": "Event Hubs", "severity": "中等", - "text": "如果需要,在最高適當級別管理策略分配,在最低級別管理排除項。", + "text": "如果可能,應用程式應使用託管標識向 Azure 事件中心進行身份驗證。如果沒有,請考慮在 Azure Key Vault 或等效服務中擁有存儲憑據(SAS、服務主體憑據)", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "43334f24-9116-4341-a2ba-527526944008", - "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", - "service": "Policy", - "severity": "低", - "text": "使用 Azure Policy 控制使用者可以在訂閱/管理組級別預配哪些服務", + "checklist": "Azure Event Hub Review", + "description": "創建許可權時,請對用戶端對 Azure 事件中心的訪問提供精細控制。Azure 
事件中心中的許可權可以而且應該限定為單個資源級別,例如消費者組、事件中心實體、事件中心命名空間等。", + "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", + "service": "Event Hubs", + "severity": "高", + "text": "使用最低特權數據平面 RBAC", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "checklist": "Azure Event Hub Review", + "description": "Azure 事件中心資源日誌包括操作日誌、虛擬網路和 Kafka 日誌。運行時審核日誌捕獲事件中心中所有數據平面訪問操作(例如發送或接收事件)的聚合診斷資訊。", + "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", + "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", + "service": "Event Hubs", "severity": "中等", - "text": "盡可能使用內置策略,以最大程度地減少操作開銷。", + "text": "啟用記錄以進行安全調查。使用 Azure Monitor 捕獲指標和日誌,例如資源日誌、運行時審核日誌和 Kafka 紀錄", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "description": "通過將「資源策略參與者」角色分配給特定範圍,可以將策略管理委派給相關團隊。例如,中央IT團隊可以監督管理組級別的策略,而應用程式團隊則處理其訂閱的策略,從而在遵守組織標準的情況下實現分散式治理。", - "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", - "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", - "service": "Policy", + "checklist": "Azure Event Hub Review", + "description": "默認情況下,Azure 事件中心具有公共IP位址,並且可通過Internet訪問。專用終結點允許虛擬網路和 Azure 事件中心之間的流量遍歷 Microsoft 主幹網路。除此之外,如果未使用公共終結點,則應禁用這些終結點。", + "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", + "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", + "service": "Event Hubs", "severity": "中等", - "text": "在特定範圍內分配內置的「資源策略參與者」角色,以啟用應用程式級治理。", + "text": "請考慮使用專用終結點訪問 Azure 事件中心,並在適用時禁用公用網路訪問。", + "training": 
"https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "19048384-5c98-46cb-8913-156a12476e49", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "checklist": "Azure Event Hub Review", + "description": "使用IP防火牆,可以將公共終結點進一步限製為僅一組IPv4位址或 CIDR(無類別域間路由)表示法的IPv4位址範圍。", + "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", + "service": "Event Hubs", "severity": "中等", - "text": "限制在根管理組範圍內進行的 Azure Policy 分配數,以避免在繼承範圍內通過排除項進行管理。", + "text": "請考慮僅允許從特定IP位址或範圍訪問 Azure 事件中心命名空間", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", - "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", - "service": "Policy", + "checklist": "Azure Event Hub Review", + "guid": "31d41e36-11c8-417b-8afb-c410d4391898", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", + "service": "Event Hubs", "severity": "中等", - "text": "如果存在任何數據主權要求,可以部署 Azure 策略來強制實施這些要求", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", - "waf": "安全" + "text": "利用 FTA 彈性手冊", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", - "service": "Policy", - "severity": "中等", - "text": "對於主權登陸區,主權政策基線的政策計劃將在正確的 MG 級別部署和分配。", - "waf": "安全" + "checklist": "Azure Event Hub Review", + "description": "對於從門戶創建的新 EH 命名空間,在啟用區域的區域中具有高級、專用或標準 SKU,將自動啟用此功能。EH 元數據和事件數據本身都是跨區域複製的", + "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", + 
"link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", + "service": "Event Hubs", + "severity": "高", + "text": "利用可用區(如果區域適用)", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", - "service": "Policy", + "checklist": "Azure Event Hub Review", + "guid": "20b56c56-ad58-4519-8f82-735c586bb281", + "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", + "service": "Event Hubs", "severity": "中等", - "text": "對於主權登陸區,記錄了“主權控制目標”到策略映射“。", - "waf": "安全" + "text": "使用高級或專用 SKU 實現可預測的性能", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", - "service": "Policy", - "severity": "中等", - "text": "對於主權登陸區,CRUD的“主權控制目標到政策映射”的流程已經到位。", - "waf": "安全" + "checklist": "Azure Event Hub Review", + "description": "啟用內置異地災難恢復功能后,可確保命名空間的整個配置(事件中心、消費者組和設置)從主命名空間持續複製到輔助命名空間,並允許隨時從主命名空間向輔助命名空間進行一次故障轉移。主動/被動功能旨在更輕鬆地從失敗的 Azure 區域中恢復和放棄,而無需更改應用程式配置", + "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", + "service": "Event Hubs", + "severity": "高", + "text": "使用主動被動配置規劃異地災難恢復", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", + "checklist": "Azure Event Hub Review", + "description": "應用於無法容忍關閉區域中事件數據中斷或丟失的DR配置。對於這些情況,請遵循複製指南,不要使用內置的異地災難恢復功能(主動/被動)。使用「主動/主動」時,在不同區域和命名空間中維護多個事件中心,事件將在中心之間複製", + "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", + "service": "Event Hubs", "severity": "中等", - "text": "使用單個監視器日誌工作區集中管理平臺,但 Azure 基於角色的訪問控制 (Azure 
RBAC)、數據主權要求或數據保留策略要求使用單獨的工作區的情況除外。", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "waf": "操作" + "text": "對於業務關鍵型應用程式,請使用 Active Active 配置", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Monitor", - "severity": "中等", - "text": "如果日誌保留要求超過 12 年,請將日誌匯出到 Azure 存儲。將不可變存儲與一次寫入、多次讀取策略結合使用,使數據在使用者指定的時間間隔內不可擦除和不可修改。", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "操作" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", - "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", - "service": "VM", - "severity": "中等", - "text": "使用 Azure Policy 監視 OS 等級的虛擬機 (VM) 配置偏移。通過策略啟用 Azure Automanage 計算機配置審核功能可幫助應用程式團隊工作負載輕鬆立即使用功能。", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "操作" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", - "service": "VM", + "checklist": "Azure Event Hub Review", + "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", + "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", + "service": "Event Hubs", "severity": "中等", - "text": "使用 Azure 更新管理員作為 Azure 中 Windows 和 Linux VM 的修補機制。", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", - "waf": "操作" + "text": "設計可復原的事件中心", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", - "service": "VM", - "severity": "中等", - "text": "使用 Azure Arc 將 Azure Update Manager 用作 Azure 外部 Windows 和 Linux VM 的修補機制。", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", - "waf": "操作" + "checklist": "Redis Resiliency checklist", + "guid": "65285269-440b-44be-9d3e-0844276d4bdc", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", + "service": "Redis", + "severity": "高", + "text": "為 Azure Cache for Redis 啟用區域冗餘。Azure Cache for Redis 支持高級層和企業層中的區域冗餘配置。區域冗餘緩存可以將其節點放置在同一區域的不同 Azure 可用性區域中。它消除了作為單點故障的數據中心或可用區中斷,並提高了緩存的整體可用性。", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "90483845-c986-4cb2-a131-56a12476e49f", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Network Watcher", + "checklist": "Redis Resiliency checklist", + "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", + "service": "Redis", "severity": "中等", - "text": "使用網路觀察程序主動監視流量", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "操作" + "text": "為 Azure Cache for Redis 實例配置數據持久性。由於緩存數據存儲在記憶體中,因此多個節點的罕見和計劃外故障可能會導致所有數據被丟棄。為了避免完全丟失數據,Redis 持久性允許您定期拍攝記憶體中數據的快照,並將其存儲到存儲帳戶中。", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Monitor", + "checklist": "Redis Resiliency checklist", + "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", + "link": 
"https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", + "service": "Redis", "severity": "中等", - "text": "使用 Azure Monitor 紀錄獲取見解和報告。", - "waf": "操作" + "text": "使用異地冗餘存儲帳戶保留 Azure Cache for Redis 數據,或在異地冗餘不可用的情況下使用區域冗餘", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "97be9951-9048-4384-9c98-6cb2913156a1", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", - "service": "Monitor", + "checklist": "Redis Resiliency checklist", + "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", + "service": "Redis", "severity": "中等", - "text": "使用 Azure Monitor 警報生成操作警報。", - "waf": "操作" + "text": "為高級 Azure Cache for Redis 實例配置被動異地複製。異地複製是一種用於連結兩個或多個 Azure Cache for Redis 實例的機制,通常跨越兩個 Azure 區域。異地複製主要用於跨區域災難恢復。兩個高級層緩存實例通過異地複製進行連接,從而提供對主緩存的讀取和寫入,並將數據複製到輔助緩存。", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "Monitor", - "severity": "中等", - "text": "通過 Azure 自動化帳戶使用更改和清單跟蹤時,請確保已選擇支援的區域來將 Log Analytics 工作區和自動化帳戶連結在一起。", - "waf": "操作" + "checklist": "Logic Apps checklist", + "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", + "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", + "service": "Logic Apps", + "severity": "高", + "text": "根據業務和 SLO 要求選擇正確的邏輯應用託管計劃", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Backup", - "severity": "中等", - "text": "使用 Azure 備份時,請考慮不同的備份類型(GRS、ZRS 和 LRS),因為預設設置為 GRS", + "checklist": "Logic Apps checklist", + "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", + "link": 
"https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "Logic Apps", + "severity": "高", + "text": "使用區域冗餘和可用性區域保護邏輯應用免受區域故障的影響", "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "VM", - "severity": "中等", - "text": "使用 Azure 策略通過 VM 擴展自動部署軟體配置,並強制實施符合標準的基線 VM 配置。", - "waf": "安全" + "checklist": "Logic Apps checklist", + "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", + "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Logic Apps", + "severity": "高", + "text": "考慮為關鍵工作負載制定跨區域災難恢復策略", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "description": "Azure Policy 的來賓配置功能可以審核和修正計算機設置(例如,操作系統、應用程式、環境),以確保資源與預期配置一致,更新管理可以對 VM 強制實施修補程式管理。", - "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "VM", - "severity": "中等", - "text": "通過 Azure Policy 監視 VM 安全配置偏移。", - "waf": "安全" + "checklist": "Logic Apps checklist", + "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", + "link": "https://learn.microsoft.com/azure/app-service/environment/intro", + "service": "Logic Apps", + "severity": "高", + "text": "如果部署到獨立環境,請使用或遷移到應用服務環境 (ASE) v3", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", + "checklist": "Logic Apps checklist", + "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", + "link": 
"https://learn.microsoft.com/training/modules/deploy-azure-functions/", + "service": "Logic Apps", "severity": "中等", - "text": "將 Azure Site Recovery 用於 Azure 到 Azure 虛擬機的災難恢復方案。這使您能夠跨區域複製工作負載。", + "text": "利用 Azure DevOps 或 GitHub 簡化 CI/CD 並保護邏輯應用代碼", "waf": "操作" }, { - "checklist": "Azure Landing Zone Review", - "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "Backup", + "checklist": "Azure Bot Service", + "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", + "service": "Bot service", "severity": "中等", - "text": "使用 Azure 本機備份功能或與 Azure 相容的第三方備份解決方案。", - "waf": "操作" - }, - { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "826c5c45-bb79-4951-a812-e3bfbfd7326b", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "VM", - "severity": "高", - "text": "在支援可用性區域的區域中對 VM 利用可用性區域。", + "text": "遵循 Azure 機器人服務中的可靠性支持建議", "waf": "可靠性" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "7ccb7c06-5511-42df-8177-d97f08d0337d", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "VM", - "severity": "高", - "text": "避免在單個 VM 上運行生產工作負載。", + "checklist": "Azure Bot Service", + "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", + "service": "Bot service", + "severity": "中等", + "text": "部署具有本地數據駐留和區域合規性的機器人", "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "84101f59-1941-4195-a270-e28034290e3a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", + "checklist": "Azure Bot Service", + "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", + "link": 
"https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", + "service": "Bot service", "severity": "中等", - "text": "Azure 負載均衡器和應用程式閘道在多個資源之間分配傳入的網路流量。", + "text": "Azure 機器人服務在全域和區域服務的主動-主動模式下運行。發生中斷時,無需檢測錯誤或管理服務。Azure 機器人服務在多區域地理體系結構中自動執行自動故障轉移和自動恢復。對於歐盟機器人區域服務,Azure 機器人服務在歐洲境內提供兩個完整區域,並提供主動/主動複製,以確保冗餘。對於全球機器人服務,所有可用的區域/地理位置都可以作為全球足跡。", "waf": "可靠性" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "WAF", - "severity": "高", - "text": "添加診斷設置以保存來自 Azure Front Door 和 Azure 應用程式閘道等應用程式交付服務的 WAF 紀錄。定期查看日誌,以檢查攻擊和誤報檢測。", - "waf": "操作" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "7f408960-c626-44cb-a018-347c8d790cdf", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "WAF", + "checklist": "Azure Application Delivery Networking", + "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Front Door", "severity": "中等", - "text": "將 WAF 日誌從應用程式交付服務(如 Azure Front Door 和 Azure 應用程式閘道)發送到 Microsoft Sentinel。檢測攻擊並將 WAF 遙測集成到整個 Azure 環境中。", + "text": "如果將客戶管理的 TLS 證書用於 Azure Front Door,請使用“最新”證書版本。降低手動續訂證書導致的中斷風險", "waf": "操作" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "5017f154-e3ab-4369-9829-e7e316183687", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "Key Vault", - "severity": "高", - "text": "使用 Azure Key Vault 儲存機密和憑據", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgateways' | project 
id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", + "guid": "553585a6-abe0-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "App Gateway", + "severity": "中等", + "text": "確保使用應用程式閘道 v2 SKU", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", - "guid": "a0477a20-9945-4bda-9333-4f2491163418", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", - "service": "Key Vault", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", + "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Load Balancer", "severity": "中等", - "text": "對不同的應用程式和區域使用不同的 Azure Key Vault,以避免事務規模限制並限制對機密的訪問。", + "text": "確保將標準 SKU 用於 Azure 負載均衡器", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "Azure Application Delivery Networking", + "guid": "9432621a-8397-4654-a882-5bc856b7ef83", + "link": 
"https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", + "service": "Load Balancer", "severity": "中等", - "text": "預配啟用軟刪除和清除策略的 Azure Key Vault,以允許對已刪除物件進行保留保護。", + "text": "確保負載均衡器前端IP位址是區域冗餘的(除非需要區域性前端)。", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "dc055bcf-619e-48a1-9f98-879525d62688", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "中等", - "text": "通過將永久刪除密鑰、機密和證書的授權限制為專用的自定義 Microsoft Entra ID 角色,遵循最低特權模型。", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", + "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "App Gateway", + "severity": "中等", + "text": "應用程式閘道 v2 應部署在IP前綴等於或大於 /24 的子網中", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "Azure Application Delivery Networking", + "description": 
"一般而言,反向代理的管理,特別是 WAF 的管理更接近應用程式而不是網路,因此它們與應用程式屬於同一訂閱。如果應用程式閘道和 WAF 由單個團隊管理,則在連接訂閱中集中應用程式閘道和 WAF 可能是可以的。",
+ "guid": "48b662d6-d15f-4512-a654-98f6dfe237de",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "App Gateway",
 "severity": "中等",
- "text": "使用公共證書頒發機構自動執行證書管理和續訂過程,以簡化管理。",
+ "text": "部署 Azure 應用程式閘道 v2 或合作夥伴 NVA,用於在登陸區域虛擬網路中代理入站 HTTP(S) 連接,並使用它們所保護的應用。",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
 "waf": "安全"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "913156a1-2476-4e49-b541-acdce979377b",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "App Gateway",
 "severity": "中等",
- "text": "建立金鑰和證書輪換的自動化流程。",
+ "text": "對應用程式登陸區域中的所有公共IP位址使用 DDoS 網路或IP保護計畫。",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "安全"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant",
+ "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0",
+ "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant",
+ "service": "App Gateway",
 "severity": "中等",
- "text": "在保管庫上啟用防火牆和虛擬網路服務終結點或專用終結點,以控制對密鑰保管庫的訪問。",
- "waf": "安全"
+ "text": "使用至少兩個實例數配置自動縮放。",
+ "training": 
"https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "可靠性"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c",
- "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault",
- "service": "Key Vault",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant",
+ "guid": "060c6964-52b5-48db-af8b-83e4b2d85349",
+ "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2",
+ "service": "App Gateway",
 "severity": "中等",
- "text": "使用平臺中心 Azure Monitor Log Analytics 工作區審核每個 Key Vault 實例中的金鑰、證書和機密使用方式。",
- "waf": "安全"
+ "text": "跨可用性區域部署應用程式閘道",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "可靠性"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "Front Door",
 "severity": "中等",
- "text": "委託 Key Vault 實例化和特權訪問,並使用 Azure Policy 強制實施一致的合規配置。",
+ "text": "將 Azure Front Door 與 WAF 策略配合使用,以交付和幫助保護跨多個 Azure 區域的全域 HTTP/S 應用。",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "安全"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "91163418-2ba5-4275-8694-4008be7d7e48",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "3f29812b-2363-4cef-b179-b599de0d5973",
+ "link": 
"https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "service": "Front Door",
 "severity": "中等",
- "text": "對每個應用程式、每個環境、每個區域使用 Azure Key Vault。",
+ "text": "使用 Front Door 和應用程式閘道幫助保護 HTTP/S 應用時,請在 Front Door 中使用 WAF 策略。鎖定應用程式閘道以僅接收來自 Front Door 的流量。",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "安全"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "25d62688-6d70-4ba6-a97b-e99519048384",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
- "severity": "中等",
- "text": "如果要自帶密鑰,則並非所有考慮的服務都支援此功能。實施相關的緩解措施,以免不一致阻礙預期結果。選擇適當的區域對和災難恢復區域,以最大程度地減少延遲。",
- "waf": "安全"
+ "ammp": true,
+ "arm-service": "microsoft.network/trafficManagerProfiles",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "Traffic Manager",
+ "severity": "高",
+ "text": "使用流量管理器提供跨 HTTP/S 以外的協定的全域應用。",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "可靠性"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb",
- "link": "https://learn.microsoft.com/industry/sovereignty/key-management",
- "service": "Key Vault",
- "severity": "中等",
- "text": "對於主權登陸區域,請使用 Azure Key Vault 託管的 HSM 來儲存機密和憑據。",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
+ "service": "Entra",
+ "severity": "低",
+ "text": "如果使用者只需要訪問內部應用程式,是否考慮將 Microsoft Entra ID 應用程式代理作為 Azure 虛擬桌面 (AVD) 的替代方法?",
+ "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
 "waf": "安全"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": 
"4e5695f2-223a-4ce8-ab12-308ca5017f15",
- "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
 "service": "Entra",
 "severity": "中等",
- "text": "使用 Microsoft Entra ID 報告功能生成訪問控制審核報告。",
+ "text": "若要減少為網路中的傳入連接打開的防火牆埠數,請考慮使用 Microsoft Entra ID 應用程式代理為遠端使用者提供對內部應用程式的安全且經過身份驗證的訪問。",
+ "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
 "waf": "安全"
 },
 {
 "ammp": true,
- "checklist": "Azure Landing Zone Review",
- "guid": "09945bda-4333-44f2-9911-634182ba5275",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management",
- "service": "Defender",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode",
+ "guid": "ae248989-b306-4591-9186-de482e3f0f0e",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
+ "service": "Front Door",
 "severity": "高",
- "text": "為所有訂閱啟用Defender雲安全態勢管理。",
+ "text": "在「預防」模式下部署 Front Door 的 WAF 策略。",
 "waf": "安全"
 },
 {
 "ammp": true,
- "checklist": "Azure Landing Zone Review",
- "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba",
- "link": 
"https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan",
- "service": "Defender",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "062d5839-4d36-402f-bfa4-02811eb936e9",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door",
+ "service": "Front Door",
 "severity": "高",
- "text": "在所有訂閱上為伺服器啟用Defender雲工作負載保護計劃。",
+ "text": "避免將 Azure 流量管理器和 Azure Front Door 結合使用。",
 "waf": "安全"
 },
 {
 "ammp": true,
- "checklist": "Azure Landing Zone Review",
- "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription",
- "service": "Defender",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin",
+ "service": "Front Door",
 "severity": "高",
- "text": "在所有訂閱上為 Azure 資源啟用 Defender 雲工作負載保護計劃。",
+ "text": "在 Azure Front Door 和源上使用相同的功能變數名稱。主機名不匹配可能會導致細微的錯誤。",
 "waf": "安全"
 },
+ {
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant",
+ "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b",
+ "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group",
+ "service": "Front Door",
+ "severity": "低",
+ "text": "當 Azure Front Door 源組中只有一個源時,禁用運行狀況探測。",
+ "waf": "性能"
+ },
+ {
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints",
+ "service": "Front Door",
+ "severity": "中等",
+ "text": "為 Azure Front Door 選擇良好的運行狀況探測終結點。請考慮構建運行狀況終結點,以檢查應用程式的所有依賴項。",
+ "waf": "可靠性"
+ },
+ {
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId",
+ "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes",
+ "service": "Front Door",
+ "severity": "低",
+ "text": "將 HEAD 運行狀況探測與 Azure Front Door 配合使用,以減少 Front Door 發送到應用程式的流量。",
+ "waf": "性能"
+ },
 {
 "ammp": true,
- "checklist": "Azure Landing Zone Review",
- "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b",
- "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection",
- "service": "VM",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant",
+ "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75",
+ "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity",
+ "service": "Load Balancer",
 "severity": "高",
- "text": "在 IaaS 伺服器上啟用 
Endpoint Protection。",
- "waf": "安全"
+ "text": "使用 Azure NAT 閘道而不是負載均衡器出站規則,以獲得更好的 SNAT 可伸縮性",
+ "waf": "可靠性"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab",
- "link": "https://learn.microsoft.com/azure/security-center/",
- "service": "VM",
- "severity": "中等",
- "text": "通過 Azure Monitor 紀錄和 Defender for Cloud 監視基本作業系統修補偏移。",
- "waf": "安全"
+ "ammp": true,
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId",
+ "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates",
+ "service": "Front Door",
+ "severity": "高",
+ "text": "將託管 TLS 證書與 Azure Front Door 配合使用。降低運營成本和因證書續訂而導致的中斷風險。",
+ "waf": "操作"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "Monitor",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code",
+ "service": "Front Door",
 "severity": "中等",
- "text": "將預設資源配置連接到集中式 Azure Monitor Log Analytics 工作區。",
- "waf": "安全"
+ "text": "將 Azure Front Door WAF 配置定義為代碼。通過使用代碼,您可以更輕鬆地採用新的規則集版本並獲得額外的保護。",
+ "waf": "操作"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba",
- "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs",
- "service": "Entra",
- "severity": "中等",
- "text": 
"對於主權登陸區域,在 Entra ID 租戶上啟用透明日誌。",
+ "ammp": true,
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls",
+ "service": "Front Door",
+ "severity": "高",
+ "text": "將端到端 TLS 與 Azure Front Door 配合使用。使用 TLS 進行從用戶端到 Front Door 的連接,以及從 Front Door 到源的連接。",
 "waf": "安全"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc",
- "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview",
- "service": "Entra",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection",
+ "service": "Front Door",
 "severity": "中等",
- "text": "對於 Sovereign Landing Zone,在 Entra ID 租戶上啟用了客戶密碼箱。",
+ "text": "將 HTTP 到 HTTPS 重定向與 Azure Front Door 配合使用。通過自動將較舊的用戶端重定向到 HTTPS 請求來支援它們。",
 "waf": "安全"
 },
 {
 "ammp": true,
- "checklist": "Azure Landing Zone Review",
- "guid": "b03ed428-4617-4067-a787-85468b9ccf3f",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer",
- "service": "Storage",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf",
+ "service": "Front Door",
 "severity": "高",
- "text": "應啟用安全傳輸到存儲帳戶",
+ "text": "啟用 Azure Front Door WAF。保護您的應用程式免受一系列攻擊。",
 "waf": "安全"
 },
 {
 "ammp": true,
- "checklist": "Azure Landing Zone Review",
- "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e",
- "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection",
- "service": "Storage",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6",
+ "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf",
+ "service": "Front Door",
 "severity": "高",
- "text": "為存儲帳戶啟用容器軟刪除,以恢復已刪除的容器及其內容。",
+ "text": "針對工作負載優化 Azure Front Door WAF。減少誤報檢測。",
 "waf": "安全"
 },
 {
 "ammp": true,
- "checklist": "Azure Landing Zone Review",
- "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds",
- "service": "Key Vault",
- "severity": "高",
- "text": "使用 Key Vault 機密可避免對敏感資訊(如憑據(虛擬機器用戶密碼)、證書或密鑰)進行硬編碼。",
- "waf": "操作"
- },
- {
- "checklist": "Azure App Service Review",
- "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421",
- "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations",
- "service": "App Services",
- "severity": "低",
- "text": "有關最佳實踐,請參閱基線高可用性區域冗餘 Web 應用程式體系結構",
- "waf": "可靠性"
- },
- {
- "checklist": "Azure App Service Review",
- "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820",
- "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans",
- "service": "App Services",
- "severity": "中等",
- "text": "使用高級層和標準層。這些層支援暫存槽和自動備份。",
- "waf": "可靠性"
- },
- {
- "checklist": "Azure App Service Review",
- "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202",
- "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service",
- "service": "App Services",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
+ "service": "Front Door",
 "severity": "高",
- "text": "利用區域適用的可用性區域(需要高級 v2 或 v3 層)",
- "waf": "可靠性"
- },
- {
- "checklist": "Azure App Service Review",
- "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad",
- "link": 
"https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check",
- "service": "App Services",
- "severity": "中等",
- "text": "實施健康檢查",
- "waf": "可靠性"
+ "text": "啟用在 Azure Front Door WAF 策略中啟用的請求正文檢查功能。",
+ "waf": "安全"
 },
 {
- "checklist": "Azure App Service Review",
- "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7",
- "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup",
- "service": "App Services",
+ "ammp": true,
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets",
+ "service": "Front Door",
 "severity": "高",
- "text": "請參閱 Azure 應用服務的備份和還原最佳做法",
- "waf": "可靠性"
+ "text": "啟用 Azure Front Door WAF 預設規則集。默認規則集檢測並阻止常見攻擊。",
+ "waf": "安全"
 },
 {
- "checklist": "Azure App Service Review",
- "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2",
- "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability",
- "service": "App Services",
+ "ammp": true,
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "147a13d4-2a2f-4824-a524-f5855b52b946",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules",
+ "service": "Front Door",
 "severity": "高",
- "text": "實現 Azure 應用服務可靠性最佳做法",
- "waf": "可靠性"
+ "text": "啟用 Azure Front Door WAF 機器人保護規則集。機器人規則檢測好的和壞的機器人。",
+ "waf": "安全"
 },
 {
- "checklist": "Azure App Service Review",
- "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f",
- "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only",
- "service": "App Services",
- "severity": "低",
- "text": "熟悉如何在災難期間將應用服務應用移動到另一個區域",
- "waf": "可靠性"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a",
+ "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions",
+ "service": "Front Door",
+ "severity": "中等",
+ "text": "使用最新的 Azure Front Door WAF 規則集版本。規則集更新會定期更新,以考慮當前的威脅形勢。",
+ "waf": "安全"
 },
 {
- "checklist": "Azure App Service Review",
- "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293",
- "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service",
- "service": "App Services",
- "severity": "高",
- "text": "熟悉 Azure 應用服務中的可靠性支援",
- "waf": "可靠性"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "b9620385-1cde-418f-914b-a84a06982ffc",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting",
+ "service": "Front Door",
+ "severity": "中等",
+ "text": "向 Azure Front Door WAF 添加速率限制。速率限制會阻止客戶端在短時間內意外或有意發送大量流量。",
+ "waf": "安全"
 },
 {
- "checklist": "Azure App Service Review",
- "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e",
- "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on",
- "service": "App Services",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits",
+ "service": "Front Door",
 "severity": "中等",
- "text": "確保為在應用服務計劃上運行的函數應用啟用“Always On”",
- "waf": "可靠性"
+ "text": "對 Azure Front Door WAF 速率限制使用高閾值。高速率限制閾值可避免阻止合法流量,同時仍可針對可能使基礎結構不堪重負的大量請求提供保護。",
+ "waf": "安全"
 },
 {
- "checklist": "Azure App Service Review",
- "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab",
- "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check",
- "service": "App Services",
- "severity": "中等",
- "text": "使用運行狀況檢查監視應用服務實例",
- "waf": "可靠性"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee",
+ "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic",
+ "service": "Front Door",
+ "severity": "低",
+ "text": "如果您不希望收到來自所有地理區域的流量,請使用地理篩選器來阻止來自非預期國家/地區的流量。",
+ "waf": "安全"
 },
 {
- "checklist": "Azure App Service Review",
- "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129",
- "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview",
- "service": "App Services",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "00acd8a9-6975-414f-8491-2be6309893b8",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location",
+ "service": "Front Door",
 "severity": "中等",
- "text": "使用 Application Insights 可用性測試監視 Web 應用或網站的可用性和回應能力",
- "waf": "可靠性"
+ "text": "使用 Azure Front Door WAF 對流量進行地理篩選時,請指定未知 (ZZ) 位置。避免在IP位址無法進行地理匹配時意外阻止合法請求。",
+ "waf": "安全"
 },
 {
- "checklist": "Azure App Service Review",
- "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea",
- "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests",
- "service": "App Services",
- "severity": "低",
- "text": "使用 Application Insights 標準測試監視 Web 應用或網站的可用性和回應能力",
- "waf": "可靠性"
+ "ammp": true,
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id",
+ "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection",
+ "service": "App Gateway",
+ "severity": "高",
+ "text": "啟用 Azure 應用程式閘道 WAF 機器人保護規則集 機器人規則可檢測好機器人和壞機器人。",
+ "waf": "安全"
 },
 {
- "checklist": "Azure App 
Service Review",
- "description": "使用 Azure Key Vault 儲存應用程式所需的任何機密。 Key Vault 為儲存機密提供安全且經過審核的環境,並通過 Key Vault SDK 或應用服務 Key Vault 引用與應用服務很好地集成。",
- "guid": "834ac932-223e-4ce8-8b12-3071a5416415",
- "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
- "service": "App Services",
+ "ammp": true,
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
+ "service": "App Gateway",
 "severity": "高",
- "text": "使用 Key Vault 儲存機密",
+ "text": "啟用 Azure 應用程式閘道 WAF 策略中啟用的請求正文檢查功能。",
 "waf": "安全"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "使用託管標識通過 Key Vault SDK 或透過應用服務 Key Vault 引用連接到 Key Vault。",
- "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1",
- "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
- "service": "App Services",
+ "ammp": true,
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf",
+ "service": "App Gateway",
 "severity": "高",
- "text": "使用託管標識連接到 Key VaultUse Managed Identity to connect to Key Vault",
+ "text": "針對工作負載優化 Azure 應用程式閘道 WAF。減少誤報檢測。",
 "waf": "安全"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "將應用服務 TLS 證書存儲在 Key Vault 中。",
- "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4",
- "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate",
- "service": "App Services",
+ "ammp": true,
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, 
enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode",
+ "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
+ "service": "App Gateway",
 "severity": "高",
- "text": "使用 Key Vault 儲存 TLS 證書。",
+ "text": "在「防護」模式下部署應用程式閘道的 WAF 策略。",
 "waf": "安全"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "處理敏感信息的系統應隔離。 為此,請使用單獨的應用服務計劃或應用服務環境,並考慮使用不同的訂閱或管理組。",
- "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c",
- "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans",
- "service": "App Services",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview",
+ "service": "App Gateway",
 "severity": "中等",
- "text": "隔離處理敏感信息的系統",
+ "text": "向 Azure 應用程式閘道 WAF 添加速率限制。速率限制會阻止客戶端在短時間內意外或有意發送大量流量。",
 "waf": "安全"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "應用服務上的本地磁碟未加密,敏感數據不應存儲在這些磁碟上。 (例如:D:\\\\Local 和 %TMP%)。",
- "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a",
- "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access",
- "service": "App Services",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details",
+ "service": "App Gateway",
 "severity": "中等",
- "text": "不要將敏感數據存儲在本地磁碟上",
+ "text": "對 Azure 應用程式閘道 WAF 
速率限制使用高閾值。高速率限制閾值可避免阻止合法流量,同時仍可針對可能使基礎結構不堪重負的大量請求提供保護。",
 "waf": "安全"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "對於經過身份驗證的 Web 應用程式,請使用成熟的標識提供者,例如 Azure AD 或 Azure AD B2C。 利用所選的應用程式框架與此提供程式整合,或使用應用服務身份驗證/授權功能。",
- "guid": "919ca0b2-c121-459e-814b-933df574eccc",
- "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization",
- "service": "App Services",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "99937189-ff78-492a-b9ca-18d828d82b37",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices",
+ "service": "App Gateway",
+ "severity": "低",
+ "text": "如果您不希望收到來自所有地理區域的流量,請使用地理篩選器來阻止來自非預期國家/地區的流量。",
+ "waf": "安全"
+ },
+ {
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "349a15c1-52f4-4319-9078-3895d95ecafd",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules",
+ "service": "App Gateway",
 "severity": "中等",
- "text": "使用已建立的身份提供程式進行身份驗證",
+ "text": "使用 Azure 應用程式閘道 WAF 對流量進行地理篩選時,請指定未知 (ZZ) 位置。避免在IP位址無法進行地理匹配時意外阻止合法請求。",
 "waf": "安全"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "將代碼從受控且受信任的環境(例如管理良好且安全的 DevOps 部署管道)部署到應用服務。這樣可以避免未經版本控制和驗證從惡意主機部署的代碼。",
- "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5",
- "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices",
- "service": "App Services",
- "severity": "高",
- "text": "從受信任的環境部署",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions",
+ "service": "App Gateway",
+ "severity": "中等",
+ "text": "使用最新的 Azure 應用程式閘道 WAF 規則集版本。規則集更新會定期更新,以考慮當前的威脅形勢。",
 "waf": "安全"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "禁用 FTP/FTPS 和 WebDeploy/SCM 的基本身份驗證。 這將禁止訪問這些服務,並強制使用 Azure AD 安全終結點進行部署。 請注意,還可以使用 Azure AD 憑據打開 
SCM 網站。",
- "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d",
- "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication",
- "service": "App Services",
- "severity": "高",
- "text": "禁用基本身份驗證",
- "waf": "安全"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
+ "service": "App Gateway",
+ "severity": "中等",
+ "text": "添加診斷設置以保存 Azure 應用程式閘道 WAF 紀錄。",
+ "waf": "操作"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "如果可能,請使用託管標識連接到 Azure AD 受保護的資源。 如果無法做到這一點,請將機密存儲在 Key Vault 中,並改用託管標識連接到 Key Vault。",
- "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d",
- "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp",
- "service": "App Services",
- "severity": "高",
- "text": "使用託管標識連接到資源",
- "waf": "安全"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
+ "service": "Front Door",
+ "severity": "中等",
+ "text": "添加診斷設置以保存 Azure Front Door WAF 紀錄。",
+ "waf": "操作"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "如果使用 Azure 容器註冊表中儲存的映像,請使用託管標識拉取這些映像。",
- "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4",
- "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry",
- "service": "App Services",
- "severity": "高",
- "text": "使用託管標識拉取容器",
- "waf": "安全"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "92664c60-47e3-4591-8b1b-8d557656e686",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel",
+ 
"service": "App Gateway",
+ "severity": "中等",
+ "text": "將 Azure 應用程式閘道 WAF 紀錄發送到 Microsoft Sentinel。",
+ "waf": "操作"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "通過配置應用服務的診斷設置,可以將所有遙測數據發送到Log Analytics,作為日誌記錄和監視的中心目標。這允許你監視應用服務的運行時活動,例如 HTTP 日誌、應用程式日誌、平臺日誌等。",
- "guid": "47768314-c115-4775-a2ea-55b46ad48408",
- "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs",
- "service": "App Services",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "845f5f91-9c21-4674-a725-5ce890850e20",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
+ "service": "Front Door",
 "severity": "中等",
- "text": "將應用服務運行時日誌發送到Log Analytics",
- "waf": "安全"
+ "text": "將 Azure Front Door WAF 日誌發送到 Microsoft Sentinel。",
+ "waf": "操作"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "設置診斷設置,將活動日誌發送到Log Analytics,作為日誌記錄和監視的中心目標。這樣,你就可以監視應用服務資源本身上的控制平面活動。",
- "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0",
- "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
- "service": "App Services",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code",
+ "service": "App Gateway",
 "severity": "中等",
- "text": "將應用服務活動日誌發送到Log Analytics",
- "waf": "安全"
+ "text": "將 Azure 應用程式閘道 WAF 設定定義為代碼。通過使用代碼,您可以更輕鬆地採用新的規則集版本並獲得額外的保護。",
+ "waf": "操作"
 },
 {
- "checklist": "Azure App Service Review",
- "description": "使用區域 VNet 集成、網路安全組和 UDR 的組合來控制出站網路訪問。 流量應路由到 NVA,例如 Azure 防火牆。 確保監控防火牆的日誌。",
- "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf",
- "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration",
- "service": "App Services",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": 
"f17ec301-8470-4afd-aabc-c1fdfe47dcc0", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", + "service": "App Gateway", "severity": "中等", - "text": "應控制出站網路訪問", - "waf": "安全" + "text": "使用 WAF 策略而不是舊版 WAF 配置。", + "waf": "操作" }, { - "checklist": "Azure App Service Review", - "description": "可以使用 VNet 集成並使用 VNet NAT 閘道或 NVA(如 Azure 防火牆)來提供穩定的出站 IP。 這允許接收方根據需要根據IP列出允許清單。 請注意,對於與 Azure 服務的通信,通常不需要依賴於 IP 位址,應改用服務終結點等機制。 (此外,在接收端使用專用終結點可避免發生 SNAT,並提供穩定的出站 IP 範圍。", - "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", - "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", - "service": "App Services", - "severity": "低", - "text": "確保與互聯網位址的出站通信具有穩定的IP", + "checklist": "Azure Application Delivery Networking", + "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", + "service": "App Gateway", + "severity": "中等", + "text": "篩選後端中的入站流量,以便它們僅接受來自應用程式閘道子網的連接,例如使用NSG。", "waf": "安全" }, { - "checklist": "Azure App Service Review", - "description": "使用應用服務訪問限制、服務終結點或專用終結點的組合來控制入站網路訪問。對於 Web 應用本身和 SCM 網站,可能需要和配置不同的訪問限制。", - "guid": "0725769e-e669-41a4-a34a-c932223ece80", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", - "severity": "高", - "text": "應控制入站網路訪問", + "checklist": "Azure Application Delivery Networking", + "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", + "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", + "service": "Front Door", + "severity": "中等", + "text": "確保源僅從 Azure Front Door 實例獲取流量。", "waf": "安全" }, { - "checklist": "Azure App Service Review", - "description": "使用 Web 應用程式防火牆(如應用程式閘道或 Azure Front Door)防範惡意入站流量。 請務必監控 WAF 的日誌。", - "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", - "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", - 
"service": "App Services", + "checklist": "Azure Application Delivery Networking", + "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", + "service": "App Gateway", "severity": "高", - "text": "在應用服務前面使用 WAF", + "text": "您應該對發往後端伺服器的流量進行加密。", "waf": "安全" }, { - "checklist": "Azure App Service Review", - "description": "確保僅鎖定對 WAF 的訪問,從而無法繞過 WAF。 結合使用訪問限制、服務終結點和專用終結點。", - "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", + "checklist": "Azure Application Delivery Networking", + "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", + "service": "App Gateway", "severity": "高", - "text": "避免繞過 WAF", + "text": "您應該使用 Web 應用程式防火牆。", "waf": "安全" }, { - "checklist": "Azure App Service Review", - "description": "在應用服務配置中將最低 TLS 策略設置為 1.2。", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", - "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", - "service": "App Services", + "checklist": "Azure Application Delivery Networking", + "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", + "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", + "service": "App Gateway", "severity": "中等", - "text": "將最低 TLS 策略設置為 1.2", + "text": "將 HTTP 重定向到 HTTPS", "waf": "安全" }, { - "checklist": "Azure App Service Review", - "description": "將應用服務配置為僅使用 HTTPS。 這會導致應用服務從 HTTP 重定向到 HTTPS。 強烈建議在代碼或 WAF 中使用 HTTP 嚴格傳輸安全性 (HSTS),這會通知瀏覽器只能使用 HTTPS 訪問網站。", - "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct 
id,compliant", - "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", - "service": "App Services", - "severity": "高", - "text": "僅使用 HTTPS", - "waf": "安全" + "checklist": "Azure Application Delivery Networking", + "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", + "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", + "service": "App Gateway", + "severity": "中等", + "text": "使用閘道管理的 Cookie 將流量從使用者工作階段定向到同一伺服器進行處理", + "waf": "操作" }, { - "checklist": "Azure App Service Review", - "description": "不要在 CORS 配置中使用通配符,因為這允許所有源訪問服務(從而破壞 CORS 的目的)。具體而言,僅允許您希望能夠訪問服務的源。", - "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", - "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", - "service": "App Services", + "checklist": "Azure Application Delivery Networking", + "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", + "service": "App Gateway", "severity": "高", - "text": "不得將通配符用於 CORS", + "text": "在計劃的服務更新期間啟用連接耗盡,以防止與後端池的現有 membr 的連接丟失", "waf": "安全" }, { - "checklist": "Azure App Service Review", - "description": "不得在生產環境中啟用遠端調試,因為這會在服務上打開其他埠,從而增加攻擊面。請注意,該服務會在 48 小時後自動轉為遠端調試。", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", - "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", - "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", - "service": "App Services", - "severity": "高", - "text": "關閉遠端調試", - "waf": "安全" + "checklist": "Azure Application Delivery Networking", + "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", + "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", + "service": "App Gateway", + "severity": 
"低", + "text": "創建自訂錯誤頁面以顯示個人化的用戶體驗", + "waf": "操作" }, { - "checklist": "Azure App Service Review", - "description": "啟用 Defender for App Service。 這(除其他威脅外)檢測與已知惡意IP位址的通信。 在操作過程中查看 Defender for App Service 中的建議。", - "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", - "service": "App Services", + "checklist": "Azure Application Delivery Networking", + "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", + "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", + "service": "App Gateway", "severity": "中等", - "text": "啟用 Defender for Cloud - Defender for App Service", + "text": "編輯 HTTP 請求和回應標頭,以便更輕鬆地在用戶端和伺服器之間進行路由和資訊交換", "waf": "安全" }, { - "checklist": "Azure App Service Review", - "description": "Azure 在其網路上提供 DDoS 基本保護,可以通過智慧 DDoS 標準功能進行改進,該功能可以瞭解正常的流量模式並檢測異常行為。DDoS 標準適用於虛擬網路,因此必須為應用前面的網路資源(例如應用程式閘道或 NVA)配置它。", - "guid": "223ece80-b123-4071-a541-6415833ea3ad", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "App Services", + "checklist": "Azure Application Delivery Networking", + "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "App Gateway", "severity": "中等", - "text": "在 WAF VNet 上啟用 DDOS 保護標準", - "waf": "安全" + "text": "配置 Front Door,通過快速全域故障轉移優化全球 Web 流量路由和頂級最終使用者性能和可靠性", + "waf": "性能" }, { - "checklist": "Azure App Service Review", - "description": "如果使用 Azure 容器註冊表中儲存的映像,請使用其專用終結點和應用設置“WEBSITE_PULL_IMAGE_OVER_VNET”通過虛擬網络從 Azure 容器註冊表拉取這些映射。", - "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", - "service": "App Services", + "checklist": "Azure Application Delivery Networking", + "guid": "29dcc19f-a8fa-4c35-8281-290577538793", + "link": 
"https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "App Gateway", "severity": "中等", - "text": "通過虛擬網路拉取容器", - "waf": "安全" + "text": "使用傳輸層負載平衡", + "waf": "性能" }, { - "checklist": "Azure App Service Review", - "description": "按照參與的滲透測試規則對 Web 應用程式進行滲透測試。", - "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", - "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", - "service": "App Services", + "checklist": "Azure Application Delivery Networking", + "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", + "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", + "service": "App Gateway", "severity": "中等", - "text": "進行滲透測試", + "text": "根據主機名或域名為單個閘道上的多個 Web 應用程式配置路由", "waf": "安全" }, { - "checklist": "Azure App Service Review", - "description": "部署根據 DevSecOps 實踐驗證和掃描漏洞的受信任代碼。", - "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", - "service": "App Services", + "checklist": "Azure Application Delivery Networking", + "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", + "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", + "service": "App Gateway", "severity": "中等", - "text": "部署經過驗證的代碼", - "waf": "安全" - }, - { - "checklist": "Azure App Service Review", - "description": "使用最新版本的受支援平臺、程式設計語言、協定和框架。", - "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", - "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", - "service": "App Services", - "severity": "高", - "text": "使用最新的平臺、語言、協定和框架", + "text": "集中管理 SSL 證書,以減少後端伺服器場的加密和解密開銷", "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", - "service": "Azure Monitor", - "text": "Azure Monitor 中的數據收集規則 
-https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "成本" + "checklist": "Azure Application Delivery Networking", + "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", + "service": "App Gateway", + "severity": "低", + "text": "使用應用程式閘道對 WebSocket 和 HTTP/2 協定提供本機支援", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "45901365-d38e-443f-abcb-d868266abca2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Azure Backup", - "text": "檢查未找到底層數據源的備份實例", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", + "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", + "service": "APIM", + "severity": "中等", + "text": "在全域級別實施錯誤處理策略", + "waf": "操作" }, { - "checklist": "Cost Optimization Checklist", - "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "VM", - "text": "刪除或存檔未關聯的服務(磁碟、網卡、IP 位址等)", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", + "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", + "service": "APIM", + "severity": "中等", + "text": "確保所有 API 策略都包含一個元素。", + "waf": "操作" }, { - "checklist": "Cost Optimization Checklist", - "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Azure Backup", - "text": 
"考慮在網站恢復存儲和非任務關鍵型應用程式的備份之間取得良好的平衡", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", + "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", + "service": "APIM", + "severity": "中等", + "text": "使用策略片段可避免在多個 API 中重複相同的策略定義", + "waf": "操作" }, { - "checklist": "Cost Optimization Checklist", - "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", - "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", - "service": "Azure Monitor", - "text": "檢查 40 個不同 Log Analytics 工作區之間的支出和節省機會 - 對非生產工作區使用不同的保留和數據收集 - 創建每日上限以實現意識和層大小調整 - 如果確實設置了每日上限,除了在達到上限時創建警報外,請確保還創建警報規則,以便在達到某個百分比(例如 90%)時收到通知。- 如果可能,考慮工作空間改造 - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", + "link": "https://learn.microsoft.com/azure/api-management/monetization-support", + "service": "APIM", + "severity": "中等", + "text": "如果您計劃通過 API 獲利,請查看“獲利支援”一文,瞭解最佳做法", + "waf": "操作" }, { - "checklist": "Cost Optimization Checklist", - "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Azure Monitor", - "text": "強制執行清除日誌策略和自動化(如果需要,可以將記錄移至冷存儲)", - "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", + "service": "APIM", + "severity": "高", + "text": "啟用診斷設置以將日誌導出到 Azure Monitor", + "waf": "操作" }, { 
- "checklist": "Cost Optimization Checklist", - "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "VM", - "text": "檢查磁碟是否確實需要,如果不是:刪除。如果需要,請尋找較低的儲存層或使用備份 -", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", + "service": "APIM", + "severity": "中等", + "text": "啟用 Application Insights 以獲取更詳細的遙測數據", + "waf": "操作" }, { - "checklist": "Cost Optimization Checklist", - "guid": "d1e44a19-659d-4395-afd7-7289b835556d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Storage", - "text": "考慮使用自定義規則將未使用的存儲移動到較低層 - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", + "service": "APIM", + "severity": "高", + "text": "針對最關鍵的指標配置警報", + "waf": "操作" }, { - "checklist": "Cost Optimization Checklist", - "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "VM", - "text": "確保 advisor 配置為適合 VM 大小調整", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", + "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", + "service": "APIM", + "severity": "高", + "text": "確保自定義 SSL 證書儲存在 Azure Key Vault 中,以便可以安全地訪問和更新它們", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "description": "通過在成本分析系統中搜索計量類別許可證進行檢查", - "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", - "service": "VM", - "text": "在所有 Windows VM 上運行腳本 https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server - 如果頻繁創建 Windows VM,請考慮實施策略", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", + "service": "APIM", + "severity": "高", + "text": "使用 Azure AD 保護對 API(數據平面)的傳入請求", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "VM", - "text": "如果您已經擁有許可證,也可以將其置於 AHUB https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", + "service": "APIM", + "severity": "中等", + "text": "使用 Microsoft Entra ID 
在開發人員門戶中對用戶進行身份驗證", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "VM", - "text": "使用靈活性選項(不超過 4-5 個系列)整合保留的 VM 系列", - "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", + "service": "APIM", + "severity": "中等", + "text": "創建適當的組來控制產品的可見性", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", - "service": "VM", - "text": "利用 Azure 預留實例:此功能允許將 VM 預留 1 年或 3 年,與 PAYG 價格相比,可顯著節省成本。", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "06862505-2d9a-4874-9491-2837b00a3475", + "link": "https://learn.microsoft.com/azure/api-management/backends", + "service": "APIM", + "severity": "中等", + "text": "使用後端功能消除冗餘 API 後端配置", + "waf": "操作" }, { - "checklist": "Cost Optimization Checklist", - "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", - "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", - "service": "VM", - "text": "只能保留較大的磁碟 => 1 TiB -", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", + "service": "APIM", + "severity": "中等", + "text": "使用命名值存儲可在策略中使用的通用值", + "waf": "操作" }, { - "checklist": "Cost Optimization Checklist", - "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", - 
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", - "service": "VM", - "text": "調整大小優化后", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", + "service": "APIM", + "severity": "中等", + "text": "對於DR,利用高級層,跨兩個或多個區域擴展部署,實現99.99%的SLA", + "waf": "可靠性" }, { - "checklist": "Cost Optimization Checklist", - "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Azure SQL", - "text": "檢查是否適用並強制執行策略/更改 https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", + "link": "https://learn.microsoft.com/azure/api-management/high-availability", + "service": "APIM", + "severity": "中等", + "text": "在兩個或多個可用區中部署至少一台設備,SLA 提高 99.99%", + "waf": "可靠性" }, { - "checklist": "Cost Optimization Checklist", - "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "VM", - "text": "虛擬機 + 許可證部分折扣 (ahub + 3YRI) 約為 70% 的折扣", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", + "service": "APIM", + "severity": "高", + "text": "確保有一個自動備份例程", + "waf": "可靠性" }, { - "checklist": "Cost Optimization Checklist", - "guid": 
"ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "VM", - "text": "考慮使用 VMSS 來滿足需求,而不是按比例調整", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", + "link": "https://learn.microsoft.com/azure/api-management/retry-policy", + "service": "APIM", + "severity": "中等", + "text": "使用策略添加故障轉移後端 URL 和緩存,以減少失敗的調用。", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Cost Optimization Checklist", - "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "AKS", - "text": "使用 AKS 自動縮放程式符合群集使用方式(確保 Pod 要求與縮放程式符合)", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", + "service": "APIM", + "severity": "低", + "text": "如果需要以高性能級別進行日誌記錄,請考慮事件中心策略", + "waf": "操作" }, { - "checklist": "Cost Optimization Checklist", - "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Azure Backup", - "text": "將恢復點移至保管庫存檔(如果適用)(驗證)", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", + "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", + "service": "APIM", + "severity": "中等", + "text": "應用限制策略來控制每秒的請求數", + "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", + "waf": "性能" }, { - "checklist": "Cost Optimization Checklist", - "guid": 
"cd463cbb-bc8a-4c29-aebc-91a43da1dae2", - "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", - "service": "Databricks", - "text": "請考慮盡可能使用帶回退功能的現成 VM。考慮群集的自動終止。", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", + "service": "APIM", + "severity": "中等", + "text": "配置自動縮放以在負載增加時橫向擴展實例數", + "waf": "性能" }, { - "checklist": "Cost Optimization Checklist", - "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", - "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", - "service": "Azure Functions", - "text": "功能 - 重用連接", - "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", + "service": "APIM", + "severity": "中等", + "text": "在 Azure 沒有靠近後端 API 的區域的地方部署自承載閘道。", + "waf": "性能" }, { - "checklist": "Cost Optimization Checklist", - "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", - "link": "https://learn.microsoft.com/azure/automation/update-management/overview", - "service": "Azure Functions", - "text": "函數 - 本地快取資料", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", + "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", + "service": "APIM", + "severity": "中等", + "text": "將高級層用於生產工作負載。", + "waf": "可靠性" }, { - "checklist": "Cost Optimization Checklist", - "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", - 
"link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Azure Functions", - "text": "函數 - 冷啟動 - 使用“從包運行”功能。這樣,代碼將下載為單個 zip 檔。例如,這可以顯著改進具有大量節點模組的 Javascript 函數。使用特定於語言的工具來減小包大小,例如,搖樹 Javascript 應用程式。", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", + "service": "APIM", + "severity": "中等", + "text": "在多區域模型中,使用策略根據可用性或延遲將請求路由到區域後端。", + "waf": "可靠性" }, { - "checklist": "Cost Optimization Checklist", - "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "Azure Functions", - "text": "功能 - 保持功能溫暖", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", + "service": "APIM", + "severity": "高", + "text": "注意APIM的局限性", + "waf": "可靠性" }, { - "checklist": "Cost Optimization Checklist", - "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Azure Functions", - "text": "使用具有不同功能的自動縮放時,可能會有一個資源驅動所有資源的所有自動縮放 - 請考慮將其移動到單獨的消耗計劃(並考慮更高的 CPU 計劃)", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", + "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", + "service": "APIM", + "severity": "高", + "text": "確保自承載閘道部署具有復原能力。", + "waf": "可靠性" }, { - "checklist": "Cost 
Optimization Checklist", - "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", - "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", - "service": "Azure Functions", - "text": "給定計劃中的函數應用都縮放在一起,因此縮放的任何問題都可能影響計劃中的所有應用。", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "7519e385-a88b-4d34-966b-6269d686e890", + "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", + "service": "APIM", + "severity": "中等", + "text": "在APIM前面使用 Azure Front Door 進行多區域部署", + "waf": "性能" }, { - "checklist": "Cost Optimization Checklist", - "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", - "service": "Azure Functions", - "text": "我需要為「等待時間」付費嗎?這個問題通常是在執行異步操作並等待結果的 C# 函數的上下文中提出的,例如 await Task.Delay(1000) 或 await client。GetAsync('http://google.com')。答案是肯定的 - GB 秒計算基於函數的開始和結束時間以及該時間段內的記憶體使用方式。在這段時間內實際發生的CPU活動未計入計算。此規則的一個例外是,如果使用的是持久函數。您無需為在業務流程協調程式函數中等待所花費的時間付費。在可能的情況下應用需求塑造技術(開發環境?)https://github.com/Azure-Samples/functions-csharp-premium-scaler", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "cd45c90e-7690-4753-930b-bf290c69c074", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", + "service": "APIM", + "severity": "中等", + "text": "在虛擬網络 (VNet) 中部署服務Deploy the service within a Virtual Network (VNet)", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Front Door", - "text": "Frontdoor - 關閉預設主頁在應用的應用程式設置中,將 AzureWebJobsDisableHomepage 設置為 true。這將向PoP返回204(無內容),因此僅返回標頭數據。", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": 
"02661582-b3d1-48d1-9d7b-c6a918a0ca33", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", + "service": "APIM", + "severity": "中等", + "text": "將網路安全組 (NSG) 部署到子網,以限制或監視進出APIM的流量。", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Front Door", - "text": "Frontdoor - 路由到不返回任何內容的內容。設置函數、函數代理,或在 WebApp 中添加返回 200 (OK) 且不發送內容或發送最少內容的路由。這樣做的好處是您可以在調用時註銷。", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", + "service": "APIM", + "severity": "中等", + "text": "部署專用終結點以在未將APIM部署到 VNet 時篩選傳入流量。", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", - "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", - "service": "Storage", - "text": "考慮為使用較少的數據存檔層", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", + "service": "APIM", + "severity": "高", + "text": "禁用公網訪問", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - 
"service": "VM", - "text": "檢查大小與層不匹配的磁碟大小(即 513 GiB 磁碟將支付 P30 (1TiB) 並考慮調整大小", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", + "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", + "service": "APIM", + "severity": "中等", + "text": "使用 PowerShell 自動化腳本簡化管理", + "waf": "操作" }, { - "checklist": "Cost Optimization Checklist", - "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "Storage", - "text": "盡可能考慮使用標準 SSD,而不是 Premium 或 Ultra", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", + "service": "APIM", + "severity": "中等", + "text": "通過基礎架構即代碼配置APIM。查看 Cloud Adaption Framework 中的 DevOps 最佳實踐 APIM 登陸區域加速器", + "waf": "操作" }, { - "checklist": "Cost Optimization Checklist", - "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "Storage", - "text": "對於存儲帳戶,請確保所選層不會增加事務費用(移動到下一層可能會更便宜)", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", + "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", + "service": "APIM", + "severity": "中等", + "text": "促進 Visual Studio Code APIM 擴展的使用,以加快 API 開發速度", + "waf": "操作" }, { - "checklist": "Cost Optimization Checklist", - "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "Site Recovery", - "text": "對於 ASR,如果 RPO/RTO 和複製輸送量允許,請考慮使用標準 SSD 磁碟", - "waf": 
"成本" + "checklist": "Azure API Management Review", + "guid": "354f1c03-8112-4965-85ad-c0074bddf231", + "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", + "service": "APIM", + "severity": "中等", + "text": "在工作流中實施DevOps和 CI/CD", + "waf": "操作" }, { - "checklist": "Cost Optimization Checklist", - "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", - "service": "Storage", - "text": "存儲帳戶:檢查熱層和/或 GRS 必填", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "b6439493-426a-45f3-9697-cf65baee208d", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", + "service": "APIM", + "severity": "中等", + "text": "使用用戶端證書身份驗證保護 API", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "VM", - "text": "磁碟 - 驗證高級 SSD 磁碟在任何地方的使用方式:例如,非生產磁碟可以交換到標準 SSD 或按需高級 SSD", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "2a67d143-1033-4c0a-8732-680896478f08", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", + "service": "APIM", + "severity": "中等", + "text": "使用用戶端證書身份驗證保護後端服務", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "Synapse", - "text": "創建預算以管理成本並創建警報,自動通知利益相關者支出異常和超支風險。", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", + "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", + "service": "APIM", + "severity": "中等", + "text": "查看“緩解 OWASP API 安全前 10 大威脅的建議”一文,並查看適用於您的 API 的內容", + "waf": "安全" 
}, { - "checklist": "Cost Optimization Checklist", - "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "Synapse", - "text": "將成本數據匯出到存儲帳戶以進行其他數據分析。", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", + "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", + "service": "APIM", + "severity": "中等", + "text": "使用授權功能簡化後端 API 的 OAuth 2.0 令牌管理", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Synapse", - "text": "通過在不使用資源時暫停資源來控制專用 SQL 池的成本。", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", + "service": "APIM", + "severity": "高", + "text": "加密傳輸中的資訊時,請使用最新的 TLS 版本。盡可能禁用過時和不必要的協議和密碼。", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", - "service": "Synapse", - "text": "啟用無伺服器 Apache Spark 自動暫停功能,並相應地設置超時值。", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "f8af3d94-1d2b-4070-846f-849197524258", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", + "service": "APIM", + "severity": "高", + "text": "確保機密(命名值)存儲在 Azure Key Vault 中,以便可以安全地訪問和更新它們", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", - "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Synapse", - "text": "創建多個不同大小的 Apache Spark 池定義。", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "791abd8b-7706-4e31-9569-afefde724be3", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", + "service": "APIM", + "severity": "中等", + "text": "盡可能使用託管標識向其他 Azure 資源進行身份驗證", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", - "service": "Synapse", - "text": "使用預購計劃購買為期一年的 Azure Synapse 提交單元 (SCU),以節省 Azure Synapse Analytics 成本。", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "成本" + "checklist": "Azure API Management Review", + "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", + "service": "APIM", + "severity": "高", + "text": "使用 APIM 前面部署應用程式閘道來使用 Web 應用程式防火牆 (WAF)", + "waf": "安全" }, { - "checklist": "Cost Optimization Checklist", - "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "VM", - "text": "將現成 VM 用於可中斷作業:這些 VM 可以以折扣價競標和購買,為非關鍵工作負載提供經濟高效的解決方案。", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "成本" + "checklist": "Azure App Service Review", + "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", + 
"link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", + "service": "App Services", + "severity": "低", + "text": "有關最佳實踐,請參閱基線高可用性區域冗餘 Web 應用程式體系結構", + "waf": "可靠性" }, { - "checklist": "Cost Optimization Checklist", - "guid": "544451e1-92d3-4442-a3c7-628637a551c5", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", - "text": "合理調整所有 VM 的大小", - "waf": "成本" + "checklist": "Azure App Service Review", + "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", + "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", + "service": "App Services", + "severity": "中等", + "text": "使用高級層和標準層。這些層支援暫存槽和自動備份。", + "waf": "可靠性" }, { - "checklist": "Cost Optimization Checklist", - "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "VM", - "text": "將 VM 大小與規範化大小和最新大小交換", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "成本" + "checklist": "Azure App Service Review", + "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", + "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", + "service": "App Services", + "severity": "高", + "text": "利用區域適用的可用性區域(需要高級 v2 或 v3 層)", + "waf": "可靠性" }, { - "checklist": "Cost Optimization Checklist", - "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "調整 VM 大小 - 從低於 5% 的監視使用率開始,然後工作到 40%", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "成本" + "checklist": "Azure App Service Review", + "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App 
Services", + "severity": "中等", + "text": "實施健康檢查", + "waf": "可靠性" }, { - "checklist": "Cost Optimization Checklist", - "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "容器化應用程式可以提高 VM 密度並節省擴展成本", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "成本" + "checklist": "Azure App Service Review", + "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", + "service": "App Services", + "severity": "高", + "text": "請參閱 Azure 應用服務的備份和還原最佳做法", + "waf": "可靠性" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", - "service": "AVS", + "checklist": "Azure App Service Review", + "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", + "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", + "service": "App Services", "severity": "高", - "text": "確保在本機 Azure 的標識訂閱中部署了 ADDS 域控制器", - "waf": "安全" + "text": "實現 Azure 應用服務可靠性最佳做法", + "waf": "可靠性" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "75089c20-990d-4927-b105-885576f76fc2", - "service": "AVS", - "severity": "中等", - "text": "確保將 ADDS 網站和服務配置為將來自基於 Azure 的資源(包括 Azure VMware 解決方案)的身份驗證請求保留到 Azure 本地", - "waf": "安全" + "checklist": "Azure App Service Review", + "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", + "service": "App Services", + "severity": "低", + "text": "熟悉如何在災難期間將應用服務應用移動到另一個區域", + "waf": "可靠性" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", - "service": "AVS", + "checklist": "Azure App Service Review", + "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", + "link": 
"https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", + "service": "App Services", "severity": "高", - "text": "確保 vCenter 已連接到 ADDS,以啟用基於「指定用戶帳戶」的身份驗證", - "waf": "安全" + "text": "熟悉 Azure 應用服務中的可靠性支援", + "waf": "可靠性" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", - "service": "AVS", + "checklist": "Azure App Service Review", + "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "App Services", "severity": "中等", - "text": "確保從 vCenter 到 ADDS 的連接使用安全協定 (LDAPS)", - "waf": "安全" + "text": "確保為在應用服務計劃上運行的函數應用啟用“Always On”", + "waf": "可靠性" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", - "service": "AVS", + "checklist": "Azure App Service Review", + "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", "severity": "中等", - "text": "vCenter IdP 中的 CloudAdmin 帳戶僅用作緊急帳戶 (break-glass)", - "waf": "安全" - }, - { - "checklist": "Azure VMware Solution Design Review", - "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", - "service": "AVS", - "severity": "高", - "text": "確保 NSX-Manager 與外部身份提供程式 (LDAPS) 集成", - "waf": "安全" + "text": "使用運行狀況檢查監視應用服務實例", + "waf": "可靠性" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", - "service": "AVS", + "checklist": "Azure App Service Review", + "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", + "service": "App Services", "severity": "中等", - "text": "是否已創建 RBAC 模型以在 VMware vSphere 中使用", - "waf": "安全" + "text": "使用 Application Insights 可用性測試監視 Web 應用或網站的可用性和回應能力", + "waf": "可靠性" }, { - "checklist": "Azure VMware Solution Design Review", - 
"guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", - "service": "AVS", - "severity": "中等", - "text": "RBAC 許可權應授予 ADDS 組,而不是特定使用者", - "waf": "安全" + "checklist": "Azure App Service Review", + "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", + "service": "App Services", + "severity": "低", + "text": "使用 Application Insights 標準測試監視 Web 應用或網站的可用性和回應能力", + "waf": "可靠性" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", - "service": "AVS", + "checklist": "Azure App Service Review", + "description": "使用 Azure Key Vault 儲存應用程式所需的任何機密。 Key Vault 為儲存機密提供安全且經過審核的環境,並通過 Key Vault SDK 或應用服務 Key Vault 引用與應用服務很好地集成。", + "guid": "834ac932-223e-4ce8-8b12-3071a5416415", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", "severity": "高", - "text": "Azure 中 Azure VMware 解決方案資源的 RBAC 許可權僅「鎖定」為一組有限的擁有者", + "text": "使用 Key Vault 儲存機密", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", - "service": "AVS", + "checklist": "Azure App Service Review", + "description": "使用託管標識通過 Key Vault SDK 或透過應用服務 Key Vault 引用連接到 Key Vault。", + "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", "severity": "高", - "text": "確保所有自定義角色的範圍都具有 CloudAdmin 允許的授權", + "text": "使用託管標識連接到 Key VaultUse Managed Identity to connect to Key Vault", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", - "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", - "service": "AVS", + "checklist": "Azure App Service Review", + "description": "將應用服務 TLS 證書存儲在 Key Vault 中。", + "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", + "link": 
"https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", + "service": "App Services", "severity": "高", - "text": "是否為手頭的客戶用例選擇了正確的 Azure VMware 解決方案連接模型", - "waf": "性能" + "text": "使用 Key Vault 儲存 TLS 證書。", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", - "service": "AVS", - "severity": "高", - "text": "確保使用「連接監視器」監視從本地到 Azure 的 ExpressRoute 或 VPN 連接", - "waf": "操作" + "checklist": "Azure App Service Review", + "description": "處理敏感信息的系統應隔離。 為此,請使用單獨的應用服務計劃或應用服務環境,並考慮使用不同的訂閱或管理組。", + "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", + "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", + "service": "App Services", + "severity": "中等", + "text": "隔離處理敏感信息的系統", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", - "service": "AVS", + "checklist": "Azure App Service Review", + "description": "應用服務上的本地磁碟未加密,敏感數據不應存儲在這些磁碟上。 (例如:D:\\\\Local 和 %TMP%)。", + "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", + "service": "App Services", "severity": "中等", - "text": "確保創建從 Azure 本機資源到 Azure VMware 解決方案虛擬機的連接監視器,以監視 Azure VMware 解決方案後端 ExpressRoute 連接", - "waf": "操作" + "text": "不要將敏感數據存儲在本地磁碟上", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", - "service": "AVS", + "checklist": "Azure App Service Review", + "description": "對於經過身份驗證的 Web 應用程式,請使用成熟的標識提供者,例如 Azure AD 或 Azure AD B2C。 利用所選的應用程式框架與此提供程式整合,或使用應用服務身份驗證/授權功能。", + "guid": "919ca0b2-c121-459e-814b-933df574eccc", + "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", + "service": "App Services", "severity": "中等", - "text": "確保創建從本地資源到 Azure VMware 解決方案虛擬機的連接監視器,以監視端到端連接", - "waf": "操作" + "text": "使用已建立的身份提供程式進行身份驗證", + "waf": 
"安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", - "service": "AVS", + "checklist": "Azure App Service Review", + "description": "將代碼從受控且受信任的環境(例如管理良好且安全的 DevOps 部署管道)部署到應用服務。這樣可以避免未經版本控制和驗證從惡意主機部署的代碼。", + "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", + "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", + "service": "App Services", "severity": "高", - "text": "使用路由伺服器時,請確保從路由伺服器到 ExR 閘道再到本地的路由不超過 1000 個(ARS 限制)。", - "waf": "操作" + "text": "從受信任的環境部署", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", - "service": "AVS", + "checklist": "Azure App Service Review", + "description": "禁用 FTP/FTPS 和 WebDeploy/SCM 的基本身份驗證。 這將禁止訪問這些服務,並強制使用 Azure AD 安全終結點進行部署。 請注意,還可以使用 Azure AD 憑據打開 SCM 網站。", + "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", + "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", + "service": "App Services", "severity": "高", - "text": "是否為在 Azure 門戶中管理 Azure VMware 解決方案資源的角色實現了 Privileged Identity Management(不允許長期許可權)", + "text": "禁用基本身份驗證", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", - "service": "AVS", + "checklist": "Azure App Service Review", + "description": "如果可能,請使用託管標識連接到 Azure AD 受保護的資源。 如果無法做到這一點,請將機密存儲在 Key Vault 中,並改用託管標識連接到 Key Vault。", + "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", + "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", + "service": "App Services", "severity": "高", - "text": "應為 Azure VMware 解決方案 PIM 角色實現 Privileged Identity Management 審核報告", + "text": "使用託管標識連接到資源", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", - "service": "AVS", - "severity": "中等", - "text": "如果使用 Privileged Identity 
Management,請確保使用有效的 SMTP 記錄創建啟用了 Entra ID 的有效帳戶,以便 Azure VMware 解決方案自動主機更換通知。(需要長期許可)", + "checklist": "Azure App Service Review", + "description": "如果使用 Azure 容器註冊表中儲存的映像,請使用託管標識拉取這些映像。", + "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", + "service": "App Services", + "severity": "高", + "text": "使用託管標識拉取容器", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", - "service": "AVS", - "severity": "高", - "text": "將 CloudAdmin 帳戶的使用限制為僅緊急訪問", + "checklist": "Azure App Service Review", + "description": "通過配置應用服務的診斷設置,可以將所有遙測數據發送到Log Analytics,作為日誌記錄和監視的中心目標。這允許你監視應用服務的運行時活動,例如 HTTP 日誌、應用程式日誌、平臺日誌等。", + "guid": "47768314-c115-4775-a2ea-55b46ad48408", + "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", + "service": "App Services", + "severity": "中等", + "text": "將應用服務運行時日誌發送到Log Analytics", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", - "service": "AVS", + "checklist": "Azure App Service Review", + "description": "設置診斷設置,將活動日誌發送到Log Analytics,作為日誌記錄和監視的中心目標。這樣,你就可以監視應用服務資源本身上的控制平面活動。", + "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", + "service": "App Services", "severity": "中等", - "text": "在 vCenter 中創建自定義 RBAC 角色,以在 vCenter 中實施最小特權模型", + "text": "將應用服務活動日誌發送到Log Analytics", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", - "service": "AVS", + "checklist": "Azure App Service Review", + "description": "使用區域 VNet 集成、網路安全組和 UDR 的組合來控制出站網路訪問。 流量應路由到 NVA,例如 Azure 防火牆。 確保監控防火牆的日誌。", + "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", + "link": 
"https://learn.microsoft.com/azure/app-service/overview-vnet-integration", + "service": "App Services", "severity": "中等", - "text": "是定義為定期輪換 cloudadmin (vCenter) 和管理員 (NSX) 憑據的過程", + "text": "應控制出站網路訪問", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", - "service": "AVS", - "severity": "高", - "text": "使用集中式識別提供者用於在 Azure VMware 解決方案上運行的工作負載 (VM)", + "checklist": "Azure App Service Review", + "description": "可以使用 VNet 集成並使用 VNet NAT 閘道或 NVA(如 Azure 防火牆)來提供穩定的出站 IP。 這允許接收方根據需要根據IP列出允許清單。 請注意,對於與 Azure 服務的通信,通常不需要依賴於 IP 位址,應改用服務終結點等機制。 (此外,在接收端使用專用終結點可避免發生 SNAT,並提供穩定的出站 IP 範圍。", + "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", + "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", + "service": "App Services", + "severity": "低", + "text": "確保與互聯網位址的出站通信具有穩定的IP", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", - "service": "AVS", - "severity": "中等", - "text": "是否在 NSX-T 中實施了東西向流量篩選", + "checklist": "Azure App Service Review", + "description": "使用應用服務訪問限制、服務終結點或專用終結點的組合來控制入站網路訪問。對於 Web 應用本身和 SCM 網站,可能需要和配置不同的訪問限制。", + "guid": "0725769e-e669-41a4-a34a-c932223ece80", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", + "severity": "高", + "text": "應控制入站網路訪問", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", - "service": "AVS", + "checklist": "Azure App Service Review", + "description": "使用 Web 應用程式防火牆(如應用程式閘道或 Azure Front Door)防範惡意入站流量。 請務必監控 WAF 的日誌。", + "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", + "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", + "service": "App Services", "severity": "高", - "text": "Azure VMware 解決方案上的工作負載不會直接向 Internet 公開。流量由 Azure 應用程式閘道、Azure 防火牆或第三方解決方案進行篩選和檢查", 
+ "text": "在應用服務前面使用 WAF", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", - "service": "AVS", + "checklist": "Azure App Service Review", + "description": "確保僅鎖定對 WAF 的訪問,從而無法繞過 WAF。 結合使用訪問限制、服務終結點和專用終結點。", + "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "severity": "高", - "text": "對 Azure VMware 解決方案和基於 Azure VMware 解決方案的工作負載的入站 Internet 請求實施審核和日誌記錄", + "text": "避免繞過 WAF", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", - "service": "AVS", + "checklist": "Azure App Service Review", + "description": "在應用服務配置中將最低 TLS 策略設置為 1.2。", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", + "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", + "service": "App Services", "severity": "中等", - "text": "對來自 Azure VMware 解決方案或基於 Azure VMware 解決方案的工作負載的出站 Internet 連接實施會話監視,以識別可疑/惡意活動", + "text": "將最低 TLS 策略設置為 1.2", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "334fdf91-c234-4182-a652-75269440b4be", - "service": "AVS", - "severity": "中等", - "text": "是否在 Azure 的 ExR/VPN 閘道子網上啟用了 DDoS 標準防護", + "checklist": "Azure App Service Review", + "description": "將應用服務配置為僅使用 HTTPS。 這會導致應用服務從 HTTP 重定向到 HTTPS。 強烈建議在代碼或 WAF 中使用 HTTP 嚴格傳輸安全性 (HSTS),這會通知瀏覽器只能使用 HTTPS 訪問網站。", + "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", + "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", + 
"service": "App Services", + "severity": "高", + "text": "僅使用 HTTPS", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", - "service": "AVS", - "severity": "中等", - "text": "使用專用特權訪問工作站 (PAW) 管理 Azure VMware 解決方案、vCenter、NSX Manager 和 HCX Manager", + "checklist": "Azure App Service Review", + "description": "不要在 CORS 配置中使用通配符,因為這允許所有源訪問服務(從而破壞 CORS 的目的)。具體而言,僅允許您希望能夠訪問服務的源。", + "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", + "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", + "service": "App Services", + "severity": "高", + "text": "不得將通配符用於 CORS", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", - "service": "AVS", + "checklist": "Azure App Service Review", + "description": "不得在生產環境中啟用遠端調試,因為這會在服務上打開其他埠,從而增加攻擊面。請注意,該服務會在 48 小時後自動轉為遠端調試。", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", + "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", + "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", + "service": "App Services", + "severity": "高", + "text": "關閉遠端調試", + "waf": "安全" + }, + { + "checklist": "Azure App Service Review", + "description": "啟用 Defender for App Service。 這(除其他威脅外)檢測與已知惡意IP位址的通信。 在操作過程中查看 Defender for App Service 中的建議。", + "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", + "service": "App Services", "severity": "中等", - "text": "為 Azure VMware 解決方案上運行的工作負載啟用高級威脅檢測(Microsoft Defender for Cloud,又名 ASC)", + "text": "啟用 Defender for Cloud - Defender for App Service", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", - "service": "AVS", + 
"checklist": "Azure App Service Review", + "description": "Azure 在其網路上提供 DDoS 基本保護,可以通過智慧 DDoS 標準功能進行改進,該功能可以瞭解正常的流量模式並檢測異常行為。DDoS 標準適用於虛擬網路,因此必須為應用前面的網路資源(例如應用程式閘道或 NVA)配置它。", + "guid": "223ece80-b123-4071-a541-6415833ea3ad", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "App Services", "severity": "中等", - "text": "使用適用於伺服器的 Azure ARC 使用 Azure 本機技術正確管理在 Azure VMware 解決方案上運行的工作負載(適用於 Azure VMware 解決方案的 Azure ARC 尚不可用)", + "text": "在 WAF VNet 上啟用 DDOS 保護標準", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", - "service": "AVS", - "severity": "低", - "text": "確保 Azure VMware 解決方案上的工作負載在運行時使用足夠的數據加密(如來賓內磁碟加密和 SQL TDE)。(vSAN 靜態加密為預設加密)", + "checklist": "Azure App Service Review", + "description": "如果使用 Azure 容器註冊表中儲存的映像,請使用其專用終結點和應用設置“WEBSITE_PULL_IMAGE_OVER_VNET”通過虛擬網络從 Azure 容器註冊表拉取這些映射。", + "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", + "service": "App Services", + "severity": "中等", + "text": "通過虛擬網路拉取容器", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "a3592718-e6e2-4051-9267-6ae46691e883", - "service": "AVS", - "severity": "低", - "text": "使用來賓內加密時,請盡可能將加密密鑰存儲在 Azure Key Vault 中", + "checklist": "Azure App Service Review", + "description": "按照參與的滲透測試規則對 Web 應用程式進行滲透測試。", + "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", + "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", + "service": "App Services", + "severity": "中等", + "text": "進行滲透測試", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "5ac94222-3e13-4810-9230-81a941741583", - "service": "AVS", + "checklist": "Azure App Service Review", + "description": "部署根據 DevSecOps 實踐驗證和掃描漏洞的受信任代碼。", + "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", + "link": 
"https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", + "service": "App Services", "severity": "中等", - "text": "請考慮對 Azure VMware 解決方案上運行的工作負載使用擴展的安全更新支援(Azure VMware 解決方案符合 ESU 條件)", + "text": "部署經過驗證的代碼", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", - "service": "AVS", + "checklist": "Azure App Service Review", + "description": "使用最新版本的受支援平臺、程式設計語言、協定和框架。", + "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", + "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", + "service": "App Services", "severity": "高", - "text": "確保使用適當的 vSAN 資料冗餘方法(RAID 規範)", - "waf": "可靠性" + "text": "使用最新的平臺、語言、協定和框架", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d88408f3-7273-44c8-96ba-280214590146", - "service": "AVS", - "severity": "高", - "text": "確保允許失敗策略已到位,以滿足您的 vSAN 儲存需求", + "checklist": "MySQL Review Checklist", + "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", + "service": "Azure MySQL", + "severity": "中等", + "text": "利用靈活伺服器", "waf": "可靠性" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", - "service": "AVS", + "checklist": "MySQL Review Checklist", + "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", + "service": "Azure MySQL", "severity": "高", - "text": "確保已請求足夠的配額,確保已考慮增長和災難恢復要求", + "text": "利用區域適用的可用區", "waf": "可靠性" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", - "service": "AVS", + "checklist": "MySQL Review Checklist", + "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", + "link": 
"https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", + "service": "Azure MySQL", "severity": "中等", - "text": "確保瞭解對 ESXi 的訪問限制,其中存在可能影響第三方解決方案的訪問限制。", - "waf": "操作" + "text": "將數據傳入複製用於跨區域災難恢復方案", + "waf": "可靠性" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", + "service": "Entra", "severity": "中等", - "text": "確保您制定了有關ESXi主機密度和效率的策略,並牢記請求新節點的提前期", + "text": "使用一個 Entra 租戶來管理 Azure 資源,除非你對多租戶有明確的法規或業務要求。", "waf": "操作" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", - "service": "AVS", - "severity": "中等", - "text": "確保 Azure VMware 解決方案的良好成本管理流程已到位 - 可以使用 Azure 成本管理", - "waf": "成本" + "checklist": "Azure Landing Zone Review", + "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Entra", + "severity": "低", + "text": "確保採用多租戶自動化方法來管理 Microsoft Entra ID 租戶", + "waf": "操作" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "Entra", "severity": "低", - "text": "Azure 預留實例是否用於優化使用 Azure VMware 解決方案的成本", - "waf": "成本" + "text": "利用 Azure Lighthouse 進行多租戶管理", + "waf": "操作" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": 
"6691e883-5ac9-4422-83e1-3810523081a9", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Entra", "severity": "中等", - "text": "使用其他 Azure 本機服務時,請考慮使用 Azure 專用連結", - "waf": "安全" + "text": "確保合作夥伴使用 Azure Lighthouse 管理租戶", + "waf": "成本" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", - "service": "AVS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "348ef254-c27d-442e-abba-c7571559ab91", + "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", + "service": "Entra", "severity": "高", - "text": "確保所有必需的資源都駐留在同一個 Azure 可用性區域中", - "waf": "性能" + "text": "強制實施與雲運營模型一致的 RBAC 模型。跨管理組和訂閱的範圍和分配。", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", - "service": "AVS", - "severity": "中等", - "text": "為 Azure VMware 解決方案來賓 VM 工作負載啟用 Microsoft Defender for Cloud", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", + "service": "Entra", + "severity": "高", + "text": "僅對所有帳戶類型使用身份驗證類型「工作或學校帳戶」。避免使用 Microsoft 帳戶", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": 
"4b69bad3-3aad-45e8-a68e-1d76667313b4", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "Entra", "severity": "中等", - "text": "使用已啟用 Azure Arc 的伺服器管理 Azure VMware 解決方案來賓 VM 工作負載", + "text": "僅使用組來分配許可權。如果組管理系統已到位,則將本地組添加到僅 Entra ID 組。", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", - "service": "AVS", - "severity": "高", - "text": "在 Azure VMware 解決方案上啟用診斷和指標日誌記錄", - "waf": "操作" + "checklist": "Azure Landing Zone Review", + "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", + "service": "Entra", + "severity": "低", + "text": "對任何有權訪問 Azure 環境的用戶強制實施 Microsoft Entra ID 條件訪問策略", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", - "service": "AVS", - "severity": "中等", - "text": "將Log Analytics代理部署到 Azure VMware 解決方案來賓 VM 工作負載", - "waf": "操作" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", + "service": "Entra", + "severity": "高", + "text": "對有權訪問 Azure 環境的任何使用者強制實施多重身份驗證", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "589d457a-927c-4397-9d11-02cad6aae11e", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "14658d35-58fd-4772-99b8-21112df27ee4", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + 
"service": "Entra", "severity": "中等", - "text": "確保已針對 Azure VMware 解決方案 VM 工作負載記錄並實施了備份策略和解決方案", - "waf": "操作" + "text": "強制實施 Microsoft Entra ID 特權身份管理 (PIM) 以建立零長期訪問許可權和最低許可權", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "ee29711b-d352-4caa-ab79-b198dab81932", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", + "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", + "service": "Entra", "severity": "中等", - "text": "使用 Microsoft Defender for Cloud 對 Azure VMware 解決方案上運行的工作負載進行合規性監視", + "text": "如果計劃從 Active Directory 域服務切換到 Entra 域服務,請評估所有工作負載的相容性", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", + "service": "Entra", "severity": "中等", - "text": "是否將適用的合規性基線添加到 Microsoft Defender for Cloud", + "text": "將 Microsoft Entra ID 日誌與平臺中心 Azure Monitor 集成。Azure Monitor 允許圍繞 Azure 中的日誌和監視數據提供單一事實源,從而為組織提供雲原生選項,以滿足有關日誌收集和保留的要求。", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", - "service": "AVS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "984a859c-773e-47d2-9162-3a765a917e1f", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + "service": "Entra", "severity": "高", - "text": "在選擇要用於 Azure VMware 解決方案部署的 Azure 區域時是否評估了數據駐留", + "text": "實施緊急訪問或打破玻璃帳戶,以防止租戶範圍的帳戶鎖定", + "training": 
"https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", - "service": "AVS", - "severity": "高", - "text": "數據處理影響(服務提供者/服務消費者模型)是否清晰且有據可查", + "checklist": "Azure Landing Zone Review", + "guid": "35037e68-9349-4c15-b371-228514f4cdff", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "Entra", + "severity": "中等", + "text": "避免將本地同步帳戶用於 Microsoft Entra ID 角色分配。", + "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "547c1747-dc56-4068-a714-435cd19dd244", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Entra", "severity": "中等", - "text": "僅當出於合規性原因需要時,才考慮將CMK(客戶管理的密鑰)用於 vSAN。", + "text": "如果需要,請使用 Microsoft Entra ID 應用程式代理為遠端使用者提供對內部應用程式(託管在雲中或本地)的安全和經過身份驗證的訪問。", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", - "service": "AVS", - "severity": "高", - "text": "創建儀錶板以啟用核心 Azure VMware 解決方案監視見解", - "waf": "操作" + "checklist": "Azure Landing Zone Review", + "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", + "service": "VNet", + "severity": "中等", + "text": "利用基於傳統中心輻射型網路拓撲的網路設計,滿足需要最大靈活性的網路方案。", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": 
"6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", - "service": "AVS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/expressroute", + "service": "VNet", "severity": "高", - "text": "針對 Azure VMware 解決方案性能(CPU >80%、平均記憶體 >80%、vSAN >70%)自動警報的關鍵閾值創建警告警報", - "waf": "操作" + "text": "確保共用網路服務(包括 ExpressRoute 閘道、VPN 閘道和 Azure 防火牆或合作夥伴 NVA)位於中心虛擬網路中。如有必要,還可以部署 DNS 伺服器。", + "waf": "成本" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9659e396-80e7-4828-ac93-5657d02bff45", - "service": "AVS", - "severity": "高", - "text": "確保創建嚴重警示以監控 vSAN 消耗量是否低於 75%,因為這是 VMware 的支援閾值", - "waf": "操作" + "checklist": "Azure Landing Zone Review", + "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "VNet", + "severity": "中等", + "text": "對應用程式登陸區域中的所有公共IP位址使用 DDoS 網路或IP防護計畫。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", - "service": "AVS", - "severity": "高", - "text": "確保為 Azure 服務運行狀況警報和通知配置警報", - "waf": "操作" - }, - { - "checklist": "Azure VMware Solution Design Review", - "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", + "service": "NVA", "severity": "中等", - "text": "將 Azure VMware 解決方案記錄設定為發送到 Azure 儲存帳戶或 Azure EventHub 進行處理", - "waf": "操作" + "text": "部署合作夥伴網路技術或 NVA 時,請遵循合作夥伴供應商的指導", + "waf": "可靠性" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", - "service": "AVS", + "arm-service": 
"microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", + "service": "ExpressRoute", "severity": "低", - "text": "如果需要深入瞭解 VMware vSphere:解決方案中是否使用了 vRealize Operations 和/或 vRealize Network Insights?", - "waf": "操作" + "text": "如果需要在中心輻射型方案中的 ExpressRoute 和 VPN 閘道之間傳輸,請使用 Azure 路由伺服器。", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", - "service": "AVS", - "severity": "高", - "text": "確保虛擬機的 vSAN 儲存策略不是預設存儲策略,因為此策略應用厚置備", - "waf": "操作" + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", + "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", + "service": "ARS", + "severity": "低", + "text": "如果使用 Route Server,請對 Route Server 子網使用 /27 前置綴。", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", + "service": "VNet", "severity": "中等", - "text": "確保未將 vSphere 內容庫放置在 vSAN 上,因為 vSAN 是有限的資源", - "waf": "操作" + "text": "對於跨 Azure 
區域具有多個中心輻射型拓撲的網路體系結構,請使用中心 VNet 之間的全域虛擬網路對等互連將區域相互連接。", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", + "waf": "性能" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", + "service": "VNet", "severity": "中等", - "text": "確保備份解決方案的數據存儲庫存儲在 vSAN 儲存之外。在 Azure 本機或磁碟池支持的數據存儲中", + "text": "使用用於網路的 Azure Monitor 監視 Azure 上網路的端到端狀態。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", "waf": "操作" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", + "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", "severity": "中等", - "text": "確保使用 Azure Arc for Servers 進行混合管理,確保在 Azure VMware 解決方案上運行的工作負載(Arc for Azure VMware 解決方案處於預覽狀態)", - "waf": "操作" + "text": "將分支虛擬網路連接到中央中心虛擬網路時,請考慮 VNet 對等互連限制 (500),即可通過 ExpressRoute 播發的最大前綴數 (1000)", + "waf": "可靠性" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend 
compliant = (routeCount < 360) | distinct id,compliant", + "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", "severity": "中等", - "text": "確保使用 Azure Log Analytics 和 Azure Monitor 監視在 Azure VMware 解決方案上運行的工作負載", - "waf": "操作" + "text": "考慮每個路由表的路由限制 (400)。", + "waf": "可靠性" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", - "service": "AVS", - "severity": "中等", - "text": "在現有更新管理工具或 Azure 更新管理中包括在 Azure VMware 解決方案上運行的工作負載", - "waf": "操作" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", + "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", + "service": "VNet", + "severity": "高", + "text": "配置 VNet 對等互連時,使用「允許流量流向遠端虛擬網路」設置", + "waf": "可靠性" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", - "service": "AVS", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", + "service": "ExpressRoute", "severity": "中等", - "text": "使用 Azure Policy 在 Azure 管理、監視和安全解決方案中加入 Azure VMware 解決方案工作負載", - "waf": "操作" + "text": "使用 ExpressRoute Direct 時,請配置 MACsec,以便加密組織路由器和 MSEE 之間的第二層級別的流量。該圖顯示了流中的此加密。", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": 
"aee3553a-fc83-4392-98b2-62d6cc5f5129", - "service": "AVS", - "severity": "中等", - "text": "確保在 Azure VMware 解決方案上運行的工作負載已載入 Microsoft Defender for Cloud", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", + "service": "ExpressRoute", + "severity": "低", + "text": "對於無法使用MACsec的方案(例如,不使用ExpressRoute Direct),請使用 VPN 閘道通過 ExpressRoute 專用對等互連建立 IPsec 隧道。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", - "service": "AVS", - "severity": "中等", - "text": "確保備份不存儲在 vSAN 上,因為 vSAN 是有限的資源", - "waf": "可靠性" + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "558fd772-49b8-4211-82df-27ee412e7f98", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "ExpressRoute", + "severity": "高", + "text": "確保在 Azure 區域和本地位置之間不使用重疊的 IP 位址空間", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", - "service": "AVS", - "severity": "中等", - "text": "是否考慮了所有災難恢復解決方案,並決定了最適合您業務的解決方案?[SRM/JetStream/Zerto/Veeam/...]", - "waf": "可靠性" + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr 
matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", + "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", + "severity": "低", + "text": "使用專用 Internet 位址分配範圍 (RFC 1918) 中的 IP 位址。", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", - "service": "AVS", - "severity": "中等", - "text": "當災難恢復技術是本機 Azure IaaS 時,請使用 Azure Site Recovery", - "waf": "可靠性" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", + "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", + "severity": "高", + "text": "確保IP位址空間不被浪費,不要創建不必要的大型虛擬網路(例如 /16)Ensure that that IP address space is not disdised, don't create un不必要的大型虛擬網路(例如 /16)Ensure that that IP address space is not waste, don't create un不必要的大型虛擬網络(例如 /16)Ensure that that IP address space is", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "性能" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", - "service": "AVS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": 
"f348ef25-4c27-4d42-b8bb-ac7571559ab9", + "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", + "service": "VNet", "severity": "高", - "text": "將自動恢復計劃與任一災難解決方案結合使用,盡可能避免手動任務", + "text": "避免對生產網站和DR網站使用重疊的IP位址範圍。", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", "waf": "可靠性" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "8255461e-2aee-4345-9aec-8339248b262d", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", + "service": "DNS", "severity": "中等", - "text": "使用地緣政治區域對作為輔助災難恢復環境", - "waf": "可靠性" + "text": "對於只需要在 Azure 中進行名稱解析的環境,請使用 Azure 專用 DNS 進行解析,並使用委派區域進行名稱解析(例如“azure.contoso.com”)。", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "操作" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", - "service": "AVS", - "severity": "高", - "text": "在區域之間使用 2 個不同的地址空間,例如:10.0.0.0/16 和 192.168.0.0/16 用於不同的區域", - "waf": "可靠性" + "checklist": "Azure Landing Zone Review", + "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", + "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", + "service": "DNS", + "severity": "中等", + "text": "對於需要跨 Azure 和本地進行名稱解析的環境,請考慮使用 Azure DNS 專用解析程式。", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", - "service": "AVS", - "severity": "中等", - "text": "ExpressRoute Global Reach 是用於主 Azure VMware 解決方案私有雲和輔助 Azure VMware 解決方案私有雲之間的連接,還是通過網路虛擬設備完成路由?", - "waf": "可靠性" + "checklist": "Azure Landing Zone Review", + "guid": 
"1e6a83de-5de3-42c1-a924-81607d5d1e4e", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", + "service": "DNS", + "severity": "低", + "text": "需要並部署自己的 DNS(例如 Red Hat OpenShift)的特殊工作負載應使用其首選的 DNS 解決方案。", + "waf": "操作" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", - "service": "AVS", - "severity": "中等", - "text": "是否考慮了所有備份解決方案,並決定了最適合您業務的解決方案?[ MABS/CommVault/Metallic.io/Veeam/ .", - "waf": "可靠性" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "614658d3-558f-4d77-849b-821112df27ee", + "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", + "service": "DNS", + "severity": "高", + "text": "啟用 Azure DNS 的自動註冊,以自動管理虛擬網路中部署的虛擬機的 DNS 記錄的生命週期。", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "操作" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", + "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", + "service": "Bastion", "severity": "中等", - "text": "將備份解決方案部署在與 Azure VMware 解決方案私有雲相同的區域中", - "waf": "可靠性" + "text": "請考慮使用 Azure Bastion 安全地連接到網路。", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", + "guid": 
"6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", + "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", + "service": "Bastion", "severity": "中等", - "text": "在 vSan 外部的 Azure 本機組件上部署備份解決方案", - "waf": "可靠性" + "text": "在子網 /26 或更大範圍內使用 Azure Bastion。", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", - "service": "AVS", - "severity": "低", - "text": "是否已制定請求還原由 Azure 平臺管理的 VMware 元件的流程?", - "waf": "可靠性" + "checklist": "Azure Landing Zone Review", + "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "WAF", + "severity": "中等", + "text": "使用 Azure Front Door 和 WAF 策略跨 Azure 區域為與登陸區域的入站 HTTP/S 連接提供全域保護。", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", - "service": "AVS", + "checklist": "Azure Landing Zone Review", + "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", "severity": "低", - "text": "對於手動部署,必須記錄所有配置和部署", - "waf": "操作" + "text": "使用 Azure Front Door 和 Azure 應用程式閘道幫助保護 HTTP/S 應用時,請使用 Azure Front Door 中的 WAF 策略。鎖定 Azure 應用程式閘道,以便僅接收來自 Azure Front Door 的流量。", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", - "service": "AVS", - "severity": "低", - "text": "對於手動部署,請考慮實施資源鎖,以防止對 Azure VMware 解決方案私有雲執行意外操作", - "waf": "操作" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", + "severity": "高", + "text": "部署 WAF 
和其他反向代理是入站 HTTP/S 連接所必需的,將它們部署在登陸區域虛擬網路中,並與它們保護並公開給 Internet 的應用一起部署。", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", - "service": "AVS", - "severity": "低", - "text": "對於自動化部署,請部署最小的私有雲並根據需要進行擴展", - "waf": "操作" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", + "severity": "高", + "text": "使用 Azure DDoS 網路或 IP 保護計劃來幫助保護虛擬網路中的公共 IP 位址終結點。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", - "service": "AVS", - "severity": "低", - "text": "對於自動部署,請在開始部署之前請求或預留配額", - "waf": "操作" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "b034c01e-110b-463a-b36e-e3346e57f225", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", + "service": "VNet", + "severity": "高", + "text": "在即將到來的重大更改之前,評估和審查網路出站流量配置和策略。2025 年 9 月 30 日,新部署的預設出站訪問將停用,僅允許顯式訪問配置", + "waf": "可靠性" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", - "service": "AVS", - "severity": "低", - "text": "對於自動部署,請確保通過自動化或 Azure Policy 創建相關資源鎖,以便進行適當的治理", - "waf": "操作" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", + "severity": "高", + "text": "添加診斷設置以保存所有受保護的公共IP位址(DDoS IP或網路保護)的 DDoS 相關日誌。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "安全" }, { - 
"checklist": "Azure VMware Solution Design Review", - "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", - "service": "AVS", - "severity": "低", - "text": "為 ExR 授權金鑰實現人類可理解的名稱,以便輕鬆識別密鑰的目的/用途", - "waf": "操作" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli", + "service": "ExpressRoute", + "severity": "中等", + "text": "確保已調查使用 ExpressRoute 作為與 Azure 的主要連接的可能性。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "性能" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "255461e2-aee3-4553-afc8-339248b262d6", - "service": "AVS", - "severity": "低", - "text": "當使用單獨的服務原則部署 Azure VMware 解決方案和 ExpressRoute 時,請使用 Key Vault 儲存機密和授權密鑰", - "waf": "操作" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "description": "可以使用 AS 路徑前置和連接權重來影響從 Azure 到本地的流量,並使用自己的路由器中的全部 BGP 屬性來影響從本地到 Azure 的流量。", + "guid": "f29812b2-363c-4efe-879b-599de0d5973c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", + "service": "ExpressRoute", + "severity": "中等", + "text": "使用多條 ExpressRoute 線路或多個本地位置時,請確保使用 BGP 屬性優化路由(如果首選某些路徑)。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "可靠性" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", - "service": "AVS", - "severity": "低", - "text": "當需要在 Azure VMware 解決方案中/上部署許多資源時,定義用於在 IaC 中序列化操作的資源依賴項,因為 Azure VMware 解決方案僅支援有限數量的並行操作。", - "waf": "操作" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or 
properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", + "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", + "service": "ExpressRoute", + "severity": "中等", + "text": "確保根據頻寬和性能要求為 ExpressRoute/VPN 閘道使用正確的 SKU。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "性能" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", - "service": "AVS", - "severity": "低", - "text": "使用單個 Tier-1 閘道執行 NSX-T 分段的自動配置時,請使用 Azure 門戶 API 而不是 NSX-Manager API", - "waf": "操作" + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", + "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", + "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", + "service": "ExpressRoute", + "severity": "高", + "text": "確保僅當達到證明其成本合理的頻寬時,才使用無限數據的ExpressRoute線路。", + "waf": "成本" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", - "service": "AVS", - "severity": "中等", - "text": "打算使用自動橫向擴展時,請務必為運行 Azure VMware 解決方案的訂閱申請足夠的 Azure VMware 解決方案配額", - "waf": "性能" + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join 
(resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", + "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", + "service": "ExpressRoute", + "severity": "高", + "text": "如果線路的對等互連位置支援本地 SKU 的 Azure 區域,則利用 ExpressRoute 的本地 SKU 來降低線路的成本。", + "waf": "成本" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", - "service": "AVS", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", + "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", + "service": "ExpressRoute", "severity": "中等", - "text": "打算使用自動縮減時,請務必在執行此操作之前考慮存儲策略要求", - "waf": "性能" + "text": "在受支援的 Azure 區域中部署區域冗餘 ExpressRoute 閘道。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "可靠性" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", - "service": "AVS", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", "severity": "中等", - 
"text": "擴展操作始終需要在單個 SDDC 中序列化,因為一次只能執行一個擴展操作(即使使用多個集群也是如此)", + "text": "對於需要高於 10 Gbps 的頻寬或專用 10/100 Gbps 埠的方案,請使用 ExpressRoute Direct。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "性能" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", - "service": "AVS", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", + "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", + "service": "ExpressRoute", "severity": "中等", - "text": "考慮並驗證體系結構中使用的第三方解決方案的縮放操作(支援與否)", + "text": "如果需要低延遲,或者從本地到 Azure 的輸送量必須大於 10 Gbps,請啟用 FastPath 以繞過數據路徑的 ExpressRoute 閘道。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "性能" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", - "service": "AVS", + "arm-service": "microsoft.network/vpnGateways", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", + "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", + "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", + "service": "VPN", "severity": "中等", - "text": "在自動化中為環境定義和強制實施橫向擴展/橫向擴展最大限制", - "waf": "性能" + "text": "使用區域冗餘 VPN 閘道將分支或遠端位置連接到 Azure(如果可用)。", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "可靠性" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", - "service": "AVS", + "arm-service": "microsoft.network/vpnGateways", + "checklist": "Azure Landing Zone Review", + "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", + 
"link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", + "service": "VPN", "severity": "中等", - "text": "實施監控規則以監控自動擴展操作,並監控成功和失敗,以啟用適當的(自動化)回應", - "waf": "操作" + "text": "在本地使用冗餘 VPN 設備(主動/主動或主動/被動)。", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "可靠性" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "718cb437-b060-2589-8856-2e93a5c6633b", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", + "service": "ExpressRoute", "severity": "高", - "text": "使用 MON 時,請注意同時配置的 VM 的限制(HCX 的 MON 限制 [400 - 標準,1000 - 大型設備])", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", - "waf": "可靠性" + "text": "如果使用 ExpressRoute Direct,請考慮使用本地 Azure 區域的 ExpressRoute 本地線路來節省成本", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "成本" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", - "severity": "高", - "text": "使用 MON 時,不能在超過 100 個網路分機上啟用 MON", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "可靠性" - }, - { - "checklist": "Azure VMware Solution Design Review", - "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", - "service": "AVS", - "severity": "中等", - "text": "如果使用 VPN 連接進行遷移,請相應地調整 MTU 大小。", - "waf": "性能" - }, - { - "checklist": "Azure VMware Solution Design Review", - "guid": 
"e614658d-d457-4e92-9139-b821102cad6e", - "service": "AVS", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", + "service": "ExpressRoute", "severity": "中等", - "text": "對於連接到 Azure(500Mbps 或更低)的低連接區域,請考慮部署 HCX WAN 優化設備", - "waf": "性能" + "text": "當需要流量隔離或專用頻寬時(例如,用於分離生產環境和非生產環境),請使用不同的 ExpressRoute 線路。它將幫助您確保隔離的路由域並減輕干擾鄰居風險。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "安全" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", - "service": "AVS", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b30e38c3-f298-412b-8363-cefe179b599d", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", + "service": "ExpressRoute", "severity": "中等", - "text": "確保從本地裝置啟動遷移,而不是從雲端裝置啟動遷移(不要執行反向遷移)", - "waf": "可靠性" + "text": "使用內置的 Express Route Insights 監視 ExpressRoute 的可用性和利用率。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "操作" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "AVS", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", + "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", + "service": "ExpressRoute", "severity": "中等", - "text": "使用 Azure Netapp Files 擴展 Azure VMware 解決方案的儲存時,請考慮將其用作 VMware 資料儲存庫,而不是直接附加到 VM 。", - "waf": "可靠性" + "text": 
"使用連接監視器進行跨網路的連接監視,尤其是在本地和 Azure 之間。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "操作" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "AVS", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", + "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#challenges-of-using-multiple-expressroute-circuits", + "service": "ExpressRoute", "severity": "中等", - "text": "確保將專用 ExpressRoute 閘道用於外部資料儲存解決方案", + "text": "使用來自不同對等互連位置的 ExpressRoute 線路實現冗餘。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "可靠性" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "AVS", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", + "link": 
"https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", + "service": "ExpressRoute", "severity": "中等", - "text": "確保在用於外部數據存儲解決方案的 ExpressRoute 閘道上啟用了 FastPath", - "waf": "可靠性" - }, - { - "checklist": "Azure VMware Solution Design Review", - "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "AVS", - "severity": "高", - "text": "如果使用延伸群集,請確保供應商支援所選的災難恢復解決方案", - "waf": "可靠性" - }, - { - "checklist": "Azure VMware Solution Design Review", - "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "AVS", - "severity": "高", - "text": "如果使用延伸群集,請確保提供的 SLA 符合您的要求", + "text": "使用網站到網站 VPN 作為 ExpressRoute 的故障轉移,尤其是在僅使用單個 ExpressRoute 線路時。", "waf": "可靠性" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "AVS", + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", + "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", + "link": 
"https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", + "service": "ExpressRoute", "severity": "高", - "text": "如果使用延伸群集,請確保兩條 ExpressRoute 線路都連接到連接中心。", + "text": "如果在 GatewaySubnet 中使用路由表,請確保傳播閘道路由。", "waf": "可靠性" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "AVS", + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "d581a947-69a2-4783-942e-9df3664324c8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", + "service": "ExpressRoute", "severity": "高", - "text": "如果使用延伸群集,請確保兩條 ExpressRoute 線路都啟用了 GlobalReach。", + "text": "如果使用 ExpressRoute,則本地路由應是動態的:如果連接失敗,它應收斂到線路的剩餘連接。理想情況下,負載應在兩個連接之間共用為主動/主動,但也支持主動/被動。", "waf": "可靠性" }, { - "checklist": "Azure VMware Solution Design Review", - "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "AVS", - "severity": "高", - "text": "是否正確考慮了網站容災設置,並在需要時為您的業務進行了更改。", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", + "service": "ExpressRoute", + "severity": "中等", + "text": "確保 ExpressRoute 線路的兩個物理連結連接到網路中的兩個不同的邊緣設備。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "可靠性" }, { - "checklist": "Azure Spring Apps Review", - "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", - "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", - "service": "Spring Apps", + 
"arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", + "service": "ExpressRoute", "severity": "中等", - "text": "Azure Spring Apps 允許對每個應用進行兩次部署,其中只有一個部署接收生產流量。您可以使用藍綠部署策略實現零停機時間。藍綠部署僅在標準層和企業層中可用。可以使用 CI/CD 和 ADO/GitHub 操作自動執行部署", + "text": "確保在客戶或供應商邊緣路由設備上啟用並配置雙向轉發檢測 (BFD)。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "可靠性" }, { - "checklist": "Azure Spring Apps Review", - "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", - "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", - "service": "Spring Apps", - "severity": "中等", - "text": "可以在多個區域中為應用程式創建 Azure Spring Apps 實例,並且流量管理器/Front Door 可以路由流量。", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "ExpressRoute", + "severity": "高", + "text": "將 ExpressRoute 閘道連接到來自不同對等互連位置的兩條或多條線路,以提高復原能力。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "可靠性" }, { - "checklist": "Azure Spring Apps Review", - "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", - "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", - "service": "Spring Apps", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", + "service": "ExpressRoute", "severity": "中等", - "text": "在支持的區域中,Azure Spring Apps 
可以部署為區域冗餘,這意味著實例會自動分佈在可用性區域之間。此功能僅在標準層和企業層中可用。", - "waf": "可靠性" + "text": "為 ExpressRoute 虛擬網路閘道配置診斷日誌和警報。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "操作" }, { - "checklist": "Azure Spring Apps Review", - "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", - "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", - "service": "Spring Apps", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "5234c93f-b651-41dd-80c1-234177b91ced", + "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", + "service": "ExpressRoute", "severity": "中等", - "text": "對應用使用1個以上的應用實例", - "waf": "可靠性" + "text": "避免使用 ExpressRoute 線路進行 VNet 到 VNet 通信。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "性能" }, { - "checklist": "Azure Spring Apps Review", - "guid": "7504c230-6035-4183-95a5-85762acc6075", - "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", - "service": "Spring Apps", - "severity": "中等", - "text": "使用日誌、指標和跟蹤監視 Azure Spring Apps。將 ASA 與應用程式見解集成,並跟蹤故障並創建工作簿。", - "waf": "可靠性" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", + "link": "https://learn.microsoft.com/azure/app-service/networking-features", + "service": "Firewall", + "severity": "高", + "text": "使用 Azure 防火牆管理發往 Internet 的 Azure 出站流量、非 HTTP/S 入站連接和東西向流量篩選(如果組織需要)", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "安全" }, { - "checklist": "Azure Spring Apps Review", - "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", - "service": "Spring Apps", + "checklist": "Azure Landing Zone Review", + "guid": 
"5a4b1511-e43a-458a-ac22-99c4d7b57d0c", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", + "service": "Firewall", "severity": "中等", - "text": "在 Spring Cloud Gateway 中設置自動縮放", - "waf": "可靠性" + "text": "創建全域 Azure 防火牆策略以管理全球網路環境中的安全狀況,並將其分配給所有 Azure 防火牆實例。通過 Azure 基於角色的訪問控制將增量防火牆策略委託給本地安全團隊,允許精細策略滿足特定區域的要求。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "安全" }, { - "checklist": "Azure Spring Apps Review", - "guid": "97411607-b6fd-4335-99d1-9885faf4e392", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", - "service": "Spring Apps", + "checklist": "Azure Landing Zone Review", + "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", + "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", + "service": "Firewall", "severity": "低", - "text": "為具有標準使用量和專用計劃的應用啟用自動縮放。", - "waf": "可靠性" - }, - { - "checklist": "Azure Spring Apps Review", - "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", - "link": "https://learn.microsoft.com/azure/spring-apps/overview", - "service": "Spring Apps", - "severity": "中等", - "text": "使用企業計劃為關鍵任務應用提供 Spring Boot 的商業支援。使用其他層,您可以獲得 OSS 支援。", - "waf": "可靠性" + "text": "如果組織希望使用此類解決方案來幫助保護出站連接,請在 Firewall Manager 中配置受支援的合作夥伴 SaaS 安全提供者。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "安全" }, { - "checklist": "Device Provisioning Service Review", - "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", - "service": "IoT Hub DPS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", + "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", + "link": 
"https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", + "service": "Firewall", "severity": "高", - "text": "根據業務和 SLO 要求選擇正確的邏輯應用託管計劃", - "waf": "可靠性" + "text": "使用基於 FQDN 的網路規則和具有 DNS 代理的 Azure 防火牆,通過應用程式規則不支援的協定篩選到 Internet 的出口流量。", + "waf": "安全" }, { - "checklist": "Device Provisioning Service Review", - "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "IoT Hub DPS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", + "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", + "link": "https://learn.microsoft.com/azure/firewall/premium-features", + "service": "Firewall", "severity": "高", - "text": "使用區域冗餘和可用性區域保護邏輯應用免受區域故障的影響", - "waf": "可靠性" + "text": "使用 Azure 防火牆高級版提供額外的安全性和保護。", + "waf": "安全" }, { - "checklist": "Device Provisioning Service Review", - "guid": "8aed4fbf-0830-4883-899d-222a154af478", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "IoT Hub DPS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", + "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", + "link": "https://learn.microsoft.com/azure/firewall/premium-features", + "service": "Firewall", "severity": "高", - "text": "考慮為關鍵工作負載制定跨區域災難恢復策略", - "waf": "可靠性" + "text": "將 Azure 防火牆威脅情報模式配置為「警報」和「拒絕」,以獲得額外保護。", + "waf": "安全" }, { - "checklist": "Device Provisioning Service Review", - "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", - "link": 
"https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "IoT Hub DPS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", + "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", + "service": "Firewall", "severity": "高", - "text": "如果部署到獨立環境,請使用或遷移到應用服務環境 (ASE) v3", - "waf": "可靠性" - }, - { - "checklist": "Device Provisioning Service Review", - "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "IoT Hub DPS", - "severity": "中等", - "text": "利用 Azure DevOps 或 GitHub 簡化 CI/CD 並保護邏輯應用代碼", - "waf": "操作" + "text": "將 Azure 防火牆 IDPS 模式配置為「拒絕」 ,以獲得額外的保護。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", - "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", - "service": "AKS", - "severity": "低", - "text": "如果 AKS Windows 工作負載需要,可以使用 HostProcess 容器", - "waf": "可靠性" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) 
== 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", + "guid": "a3784907-9836-4271-aafc-93535f8ec08b", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "service": "Firewall", + "severity": "高", + "text": "對於未連接到虛擬 WAN 的 VNet 中的子網,請附加路由表,以便將 Internet 流量重定向到 Azure 防火牆或網路虛擬設備", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", - "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", - "service": "AKS", - "severity": "低", - "text": "如果運行事件驅動的工作負載,請使用KEDA", - "waf": "性能" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "715d833d-4708-4527-90ac-1b142c7045ba", + "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", + "service": "Firewall", + "severity": "中等", + "text": "添加診斷設置,以使用「特定於資源」的目標表保存所有 Azure 防火牆部署的日誌。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", - "link": "https://dapr.io/", - "service": "AKS", - "severity": "低", - "text": "使用 Dapr 簡化微服務開發", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", + "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", + "service": "Firewall", + 
"severity": "重要", + "text": "從 Azure 防火牆經典規則(如果存在)遷移到防火牆策略。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", - "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", - "link": "https://learn.microsoft.com/azure/aks/uptime-sla", - "service": "AKS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", + "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", + "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", + "service": "Firewall", "severity": "高", - "text": "使用 SLA 支援的 AKS 產品/服務", - "waf": "可靠性" + "text": "對 Azure 防火牆子網使用 /26 前置綴。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", - "severity": "低", - "text": "在容器和部署定義中使用中斷預算", - "waf": "可靠性" + "checklist": "Azure Landing Zone Review", + "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", + "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", + "service": "Firewall", + "severity": "中等", + "text": "將防火牆策略中的規則排列到規則集合組和規則集合中,並根據它們的使用頻率", + "waf": "性能" }, { - "checklist": "Azure AKS Review", - "guid": "3c763963-7a55-42d5-a15e-401955387e5c", - 
"link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", - "service": "ACR", - "severity": "高", - "text": "如果使用專用註冊表,請配置區域複製以將映像存儲在多個區域中", - "waf": "可靠性" + "checklist": "Azure Landing Zone Review", + "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", + "link": "https://learn.microsoft.com/azure/firewall/ip-groups", + "service": "Firewall", + "severity": "中等", + "text": "使用IP組或IP前置綴來減少IP表規則的數量", + "waf": "性能" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", - "service": "AKS", - "severity": "低", - "text": "使用外部應用(如 kubecost)將成本分配給不同的使用者", - "waf": "成本" + "checklist": "Azure Landing Zone Review", + "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", + "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", + "service": "Firewall", + "severity": "中等", + "text": "避免將通配符作為DNATS的源IP,例如*或任何通配符,您應該為傳入的DNAT指定源IP", + "waf": "性能" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", - "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", - "service": "AKS", - "severity": "低", - "text": "使用縮減模式刪除/取消分配節點", - "waf": "成本" + "checklist": "Azure Landing Zone Review", + "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", + "link": "https://learn.microsoft.com/azure/nat-gateway/tutorial-hub-spoke-nat-firewall", + "service": "Firewall", + "severity": "中等", + "text": "通過監控 SNAT 埠使用方式、評估 NAT 閘道設置和確保無縫故障轉移來防止 SNAT 埠耗盡。如果埠計數接近限制,則表明 SNAT 耗盡可能迫在眉睫。", + "waf": "性能" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", - "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", - "service": "AKS", - 
"severity": "中等", - "text": "需要時,請在 AKS 群集上使用多實例分組 GPU", - "waf": "成本" + "checklist": "Azure Landing Zone Review", + "guid": "346840b8-1064-496e-8396-4b1340172d52", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", + "service": "Firewall", + "severity": "高", + "text": "啟用 TLS 檢查", + "waf": "性能" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", - "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", + "service": "Firewall", "severity": "低", - "text": "如果運行開發/測試群集,請使用 NodePool Start/Stop", - "waf": "成本" + "text": "使用 Web 類別允許或拒絕對特定主題的出站訪問。", + "waf": "性能" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", - "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", + "service": "Firewall", "severity": "中等", - "text": "使用適用於 Kubernetes 的 Azure Policy 確保群集符合性", - "waf": "安全" + "text": "作為 TLS 檢查的一部分,請計劃從 Azure 應用閘道接收流量以進行檢查。", + "waf": "性能" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project 
id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", - "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", + "link": "https://learn.microsoft.com/azure/firewall/dns-details", + "service": "Firewall", "severity": "中等", - "text": "使用使用者/系統節點池將應用程式與控制平面分開", + "text": "啟用 Azure 防火牆 DNS 代理配置", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", - "severity": "低", - "text": "向系統節點池添加污點以使其專用", + "checklist": "Azure Landing Zone Review", + "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", + "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", + "service": "Firewall", + "severity": "中等", + "text": "確保有策略分配來拒絕直接綁定到虛擬機的公共IP位址", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", - "link": "https://learn.microsoft.com/azure/container-registry/", - "service": "AKS", - "severity": "中等", - "text": "對映像使用專用註冊表,例如 ACR", - "waf": "安全" + "checklist": "Azure Landing Zone Review", + "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", + "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", + "service": "Firewall", + "severity": "低", + "text": "將 Azure 防火牆與 Azure Monitor 集成,並啟用診斷日誌記錄來存儲和分析防火牆日誌。", + "waf": "操作" }, { - "checklist": "Azure AKS Review", - "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", - "link": "https://learn.microsoft.com/azure/security-center/container-security", - "service": "ACR", - "severity": "中等", - "text": "掃描映像以查找漏洞", - "waf": "安全" + 
"checklist": "Azure Landing Zone Review", + "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", + "service": "Firewall", + "severity": "低", + "text": "為防火牆規則實施備份", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", - "service": "AKS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "App Gateway", "severity": "高", - "text": "定義應用分離要求(命名空間/節點池/集群)", + "text": "確保注入虛擬網路的 Azure PaaS 服務的控制平面通信不會中斷,例如,使用 0.0.0.0/0 路由或阻止控制平面流量的 NSG 規則。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", - "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", - "service": "AKS", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", + "link": "https://learn.microsoft.com/azure/app-service/networking-features", + "service": "ExpressRoute", "severity": "中等", - "text": "使用 CSI 機密存儲驅動程式將機密存儲在 Azure Key Vault 中", - "waf": "安全" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", - "link": "https://learn.microsoft.com/azure/aks/update-credentials", - "service": "AKS", - "severity": "高", - "text": "如果將服務主體用於群集,請定期刷新憑據(如每季度)", + "text": "通過專用終結點和 ExpressRoute 專用對等互連從本地訪問 Azure PaaS 服務。此方法可避免通過公共 Internet 
進行傳輸。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", - "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", + "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", + "link": "https://learn.microsoft.com/azure/app-service/networking-features", + "service": "VNet", "severity": "中等", - "text": "如果需要,請添加金鑰管理服務 etcd 加密", - "waf": "安全" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", - "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", - "service": "AKS", - "severity": "低", - "text": "如果需要,請考慮使用適用於 AKS 的機密計算", + "text": "默認情況下,不要在所有子網上啟用虛擬網路服務終結點。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", + "link": "https://learn.microsoft.com/azure/app-service/networking-features", + "service": "Firewall", "severity": 
"中等", - "text": "考慮使用 Defender for Containers", + "text": "使用 FQDN 而不是 Azure 防火牆或 NVA 中的 IP 位址篩選到 Azure PaaS 服務的出口流量,以防止數據外洩。如果使用專用連結,則可以阻止所有 FQDN,否則僅允許所需的 PaaS 服務。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", - "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", - "service": "AKS", + "ammp": true, + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", + "service": "ExpressRoute", "severity": "高", - "text": "使用託管標識而不是服務主體", + "text": "至少對閘道子網使用 /27 前置綴", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", - "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", - "link": "https://learn.microsoft.com/azure/aks/managed-aad", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/networksecuritygroups' | 
mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", + "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", + "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", + "service": "NSG", "severity": "中等", - "text": "將身份驗證與 AAD(使用託管集成)集成", + "text": "不要依賴使用 VirtualNetwork 服務標記的 NSG 入站預設規則來限制連接。", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", - "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", + "service": "NSG", "severity": "中等", - "text": "限制對管理員 kubeconfig (get-credentials --admin) 的訪問", + "text": "使用 NSG 説明保護跨子網的流量,以及跨平台的東/西流量(登陸區域之間的流量)。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": 
"Azure AKS Review", - "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", - "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "graph": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)", + "guid": "9c2299c4-d7b5-47d0-a655-562f2b3e4563", + "service": "NSG", "severity": "中等", - "text": "將授權與 AAD RBAC 集成", + "text": "應用程式團隊應使用子網級別 NSG 的應用程式安全組來幫助保護登陸區域內的多層 VM。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", - "service": "AKS", - "severity": "高", - "text": "在 Kubernetes 中使用命名空間限制 RBAC 許可權", + "checklist": "Azure Landing Zone Review", + "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "NSG", + "severity": "中等", + "text": "使用 NSG 和應用程式安全組對登陸區域內的流量進行微分段,並避免使用中央 NVA 篩選流量。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", - "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "dfe237de-143b-416c-91d7-aa9b64704489", + "link": 
"https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "NSG", "severity": "中等", - "text": "對於 Pod Identity Access Management,請使用 Azure AD 工作負載標識(預覽版)", + "text": "啟用 VNet 流日誌並將其饋送到流量分析中,以深入了解內部和外部流量流。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", + "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "NSG", "severity": "中等", - "text": "對於 AKS 非互動式登錄名,請使用 kubelogin(預覽版)", - "waf": "安全" + "text": "考慮每個 NSG 的 NSG 規則限制 (1000)。", + "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", - "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", - "service": "AKS", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", + "service": "VWAN", "severity": "中等", - "text": "禁用 AKS 本地帳戶", - "waf": "安全" 
+ "text": "請考慮使用虛擬 WAN 簡化 Azure 網路管理,並確保在虛擬 WAN 路由設計清單中明確描述你的方案", + "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", - "service": "AKS", - "severity": "低", - "text": "如果需要,請配置 Just-in-time 群集訪問", - "waf": "安全" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "VWAN", + "severity": "中等", + "text": "使用每個 Azure 區域的虛擬 WAN 中心,通過通用的全域 Azure 虛擬 WAN 跨 Azure 區域將多個登陸區域連接在一起。", + "waf": "性能" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", - "service": "AKS", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "VWAN", "severity": "低", - "text": "如果需要,為 AKS 配置 AAD 條件訪問", - "waf": "安全" + "text": "遵循“Azure 中的流量保留在 Azure 中”原則,以便通過 Microsoft 主幹網络在 Azure 中跨資源進行通信", + "waf": "性能" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", - "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", - "service": "AKS", - "severity": "低", - "text": "如果 Windows AKS 工作負載需要,請配置 gMSA", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + 
"graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", + "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "VWAN", + "severity": "中等", + "text": "對於出站 Internet 流量保護和篩選,請在安全中心部署 Azure 防火牆", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", - "service": "AKS", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "VWAN", "severity": "中等", - "text": "為了獲得更精細的控制,請考慮使用託管的 Kubelet 身份", - "waf": "安全" + "text": "確保網路體系結構在 Azure 虛擬 WAN 限制範圍內。", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", - "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", - "service": "AKS", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", + "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", + "service": "VWAN", "severity": "中等", - "text": "如果使用 AGIC,請勿跨集群共用 AppGW", - "waf": "可靠性" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = 
(isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", - "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", - "link": "https://learn.microsoft.com/azure/aks/http-application-routing", - "service": "AKS", - "severity": "高", - "text": "不要使用 AKS HTTP 路由載入項,而是將託管 NGINX 入口與應用程式路由載入項一起使用。", - "waf": "可靠性" + "text": "使用適用於虛擬 WAN 的 Azure Monitor 見解監視虛擬 WAN 的端到端拓撲、狀態和關鍵指標。", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", - "service": "AKS", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", + "service": "VWAN", "severity": "中等", - "text": "對於 Windows 工作負載,請使用加速網路", - "waf": "性能" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", - "guid": "ba7da7be-9952-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", - "severity": "高", - "text": "使用標準 ALB(而不是基本 ALB)", + "text": "請確保 IaC 部署不會在虛擬 WAN 中禁用分支到分支通信,除非應顯式阻止這些流。", "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", - "service": "AKS", + "arm-service": "microsoft.network/virtualWans", + 
"checklist": "Azure Landing Zone Review", + "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", + "service": "VWAN", "severity": "中等", - "text": "如果使用 Azure CNI,請考慮對 NodePool 使用不同的子網", - "waf": "安全" + "text": "使用 AS-Path 作為中心路由首選項,因為它比 ExpressRoute 或 VPN 更靈活。", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", - "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", - "service": "AKS", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", + "service": "VWAN", "severity": "中等", - "text": "使用專用終結點(首選)或虛擬網路服務終結點從群集訪問 PaaS 服務", - "waf": "安全" + "text": "請確保 IaC 部署在虛擬 WAN 中配置基於標籤的傳播,否則虛擬中心之間的連接將受到損害。", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", - "guid": "a0f61565-9de5-458f-a372-49c831112dbd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "ammp": true, + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "9c75dfef-573c-461c-a698-68598595581a", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", + "service": "VWAN", "severity": "高", - "text": "選擇最適合你要求的 CNI 網路外掛程式(建議使用 Azure CNI)", + "text": "為虛擬中心分配足夠的IP空間,最好是 /23前置綴。", "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", 
- "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "高", - "text": "如果使用 Azure CNI,請根據每個節點的最大 Pod 數相應地調整子網的大小", - "waf": "性能" + "text": "戰略性地利用 Azure Policy,為環境定義控制,使用策略計劃對相關策略進行分組。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "高", - "text": "如果使用 Azure CNI,請檢查每個節點的最大 Pod 數(預設為 30)", - "waf": "性能" + "checklist": "Azure Landing Zone Review", + "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "中等", + "text": "將法規和合規性要求映射到 Azure Policy 定義和 Azure 角色分配。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "對於內部應用,組織通常會在其防火牆中打開整個AKS子網。這也會打開對節點的網路訪問,並可能打開對 Pod 的訪問(如果使用 Azure CNI)。如果 LoadBalancer IP 位於不同的子網中,則只有此子網可供應用用戶端使用。另一個原因是,如果 AKS 子網中的 IP 位址是稀缺資源,則將其 IP 位址用於服務會降低群集的最大可伸縮性。", - "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", - "link": "https://learn.microsoft.com/azure/aks/internal-lb", - "service": "AKS", - "severity": "低", - "text": "如果使用專用IP LoadBalancer服務,請使用專用子網(而不是 AKS 子網)", + "checklist": "Azure Landing Zone Review", + "guid": "223ace8c-b123-408c-a501-7f154e3ab369", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "中等", + "text": "在中間根管理組建立 Azure Policy 定義,以便可以在繼承的範圍內分配這些定義", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS 
Review", - "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "高", - "text": "相應調整服務 IP 位址範圍的大小(這將限制群集的可伸縮性)", - "waf": "可靠性" + "checklist": "Azure Landing Zone Review", + "guid": "3829e7e3-1618-4368-9a04-77a209945bda", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "中等", + "text": "如果需要,在最高適當級別管理策略分配,在最低級別管理排除項。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", - "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "43334f24-9116-4341-a2ba-527526944008", + "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", + "service": "Policy", "severity": "低", - "text": "如果需要,請添加您自己的 CNI 外掛程式", + "text": "使用 Azure Policy 控制使用者可以在訂閱/管理組級別預配哪些服務", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", - "service": "AKS", - "severity": "低", - "text": "如果需要,請在 AKS 中配置每個節點的公共 IP", - "waf": "性能" + "checklist": "Azure Landing Zone Review", + "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "中等", + "text": "盡可能使用內置策略,以最大程度地減少操作開銷。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", - "link": "https://learn.microsoft.com/azure/aks/concepts-network", - "service": "AKS", + "checklist": "Azure Landing Zone 
Review", + "description": "通過將「資源策略參與者」角色分配給特定範圍,可以將策略管理委派給相關團隊。例如,中央IT團隊可以監督管理組級別的策略,而應用程式團隊則處理其訂閱的策略,從而在遵守組織標準的情況下實現分散式治理。", + "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", + "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", + "service": "Policy", "severity": "中等", - "text": "使用入口控制器公開基於 Web 的應用,而不是使用 LoadBalancer 類型的服務公開它們", - "waf": "可靠性" + "text": "在特定範圍內分配內置的「資源策略參與者」角色,以啟用應用程式級治理。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", - "link": "https://learn.microsoft.com/azure/aks/nat-gateway", - "service": "AKS", - "severity": "低", - "text": "使用 Azure NAT 閘道作為 outboundType 來縮放出口流量", - "waf": "可靠性" + "checklist": "Azure Landing Zone Review", + "guid": "19048384-5c98-46cb-8913-156a12476e49", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "中等", + "text": "限制在根管理組範圍內進行的 Azure Policy 分配數,以避免在繼承範圍內通過排除項進行管理。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", + "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", + "service": "Policy", "severity": "中等", - "text": "使用IP的動態分配來避免 Azure CNI IP 耗盡", - "waf": "可靠性" + "text": "如果存在任何數據主權要求,可以部署 Azure 策略來強制實施這些要求", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where 
type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", - "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", - "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", - "service": "AKS", - "severity": "高", - "text": "如果安全要求要求,請使用 AzFW/NVA 篩選出口流量", + "checklist": "Azure Landing Zone Review", + "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", + "service": "Policy", + "severity": "中等", + "text": "對於主權登陸區,主權政策基線的政策計劃將在正確的 MG 級別部署和分配。", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", - "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", - "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", + "service": "Policy", "severity": "中等", - "text": "如果使用公共 API 終端節點,請限制可以存取它的 IP 位址", + "text": "對於主權登陸區,記錄了“主權控制目標”到策略映射“。", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", - "link": 
"https://learn.microsoft.com/azure/aks/private-clusters", - "service": "AKS", - "severity": "高", - "text": "如果要求要求,請使用私有集群", + "checklist": "Azure Landing Zone Review", + "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", + "service": "Policy", + "severity": "中等", + "text": "對於主權登陸區,CRUD的“主權控制目標到政策映射”的流程已經到位。", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "severity": "中等", - "text": "對於 Windows 2019 和 2022 AKS 節點,可以使用 Calico 網路策略", - "waf": "安全" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", - "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", - "severity": "高", - "text": "啟用 Kubernetes 網路策略選項 (Calico/Azure)", - "waf": "安全" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", - "severity": "高", - "text": "使用 Kubernetes 網路策略提高集群內安全性", - "waf": "安全" + "text": "使用單個監視器日誌工作區集中管理平臺,但 Azure 基於角色的訪問控制 
(Azure RBAC)、數據主權要求或數據保留策略要求使用單獨的工作區的情況除外。", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", - "severity": "高", - "text": "將 WAF 用於 Web 工作負載(UI 或 API)", - "waf": "安全" + "checklist": "Azure Landing Zone Review", + "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Monitor", + "severity": "中等", + "text": "如果日誌保留要求超過 12 年,請將日誌匯出到 Azure 存儲。將不可變存儲與一次寫入、多次讀取策略結合使用,使數據在使用者指定的時間間隔內不可擦除和不可修改。", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", - "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", + "link": 
"https://learn.microsoft.com/azure/governance/machine-configuration/overview", + "service": "VM", "severity": "中等", - "text": "在 AKS 虛擬網路中使用 DDoS 標準", - "waf": "安全" + "text": "使用 Azure Policy 監視 OS 等級的虛擬機 (VM) 配置偏移。通過策略啟用 Azure Automanage 計算機配置審核功能可幫助應用程式團隊工作負載輕鬆立即使用功能。", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", - "link": "https://learn.microsoft.com/azure/aks/http-proxy", - "service": "AKS", - "severity": "低", - "text": "如果需要,請添加公司 HTTP 代理", - "waf": "安全" + "checklist": "Azure Landing Zone Review", + "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", + "service": "VM", + "severity": "中等", + "text": "使用 Azure 更新管理員作為 Azure 中 Windows 和 Linux VM 的修補機制。", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", - "link": 
"https://learn.microsoft.com/azure/aks/servicemesh-about", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", + "service": "VM", "severity": "中等", - "text": "考慮使用服務網格進行高級微服務通信管理", - "waf": "安全" + "text": "使用 Azure Arc 將 Azure Update Manager 用作 Azure 外部 Windows 和 Linux VM 的修補機制。", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", - "service": "AKS", - "severity": "高", - "text": "設定有關最關鍵指標的警報(請參閱容器見解以獲取建議)", + "checklist": "Azure Landing Zone Review", + "guid": "90483845-c986-4cb2-a131-56a12476e49f", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Network Watcher", + "severity": "中等", + "text": "使用網路觀察程序主動監視流量", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "337453a3-cc63-4963-9a65-22ac19e80696", - "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", - "service": "AKS", - "severity": "低", - "text": "定期查看 Azure 顧問,瞭解有關群集的建議", + "checklist": "Azure Landing Zone Review", + "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Monitor", + "severity": "中等", + "text": "使用 Azure Monitor 紀錄獲取見解和報告。", "waf": "操作" }, { - "arm-service": 
"microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", - "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", - "service": "AKS", - "severity": "低", - "text": "啟用 AKS 自動證書輪換", + "checklist": "Azure Landing Zone Review", + "guid": "97be9951-9048-4384-9c98-6cb2913156a1", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", + "service": "Monitor", + "severity": "中等", + "text": "使用 Azure Monitor 警報生成操作警報。", "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", - "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", - "service": "AKS", - "severity": "高", - "text": "定期(例如,每季度)升級 kubernetes 版本,或使用 AKS 自動升級功能", + "checklist": "Azure Landing Zone Review", + "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "Monitor", + "severity": "中等", + "text": "通過 Azure 自動化帳戶使用更改和清單跟蹤時,請確保已選擇支援的區域來將 Log Analytics 工作區和自動化帳戶連結在一起。", "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", - "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", - "service": "AKS", - "severity": "高", - "text": "如果您不使用 node-image 升級,請使用 kured 進行 Linux 節點升級", - "waf": "操作" + "checklist": "Azure Landing Zone Review", + "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Backup", + "severity": "中等", + "text": "使用 Azure 備份時,請考慮不同的備份類型(GRS、ZRS 和 LRS),因為預設設置為 GRS", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", - "link": 
"https://learn.microsoft.com/azure/aks/node-image-upgrade", - "service": "AKS", - "severity": "高", - "text": "定期(例如,每周)升級群集節點映像的常規過程", - "waf": "操作" + "checklist": "Azure Landing Zone Review", + "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "VM", + "severity": "中等", + "text": "使用 Azure 策略通過 VM 擴展自動部署軟體配置,並強制實施符合標準的基線 VM 配置。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", - "service": "AKS", - "severity": "低", - "text": "考慮使用 gitops 將應用程式或集群配置部署到多個集群", - "waf": "操作" + "checklist": "Azure Landing Zone Review", + "description": "Azure Policy 的來賓配置功能可以審核和修正計算機設置(例如,操作系統、應用程式、環境),以確保資源與預期配置一致,更新管理可以對 VM 強制實施修補程式管理。", + "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "VM", + "severity": "中等", + "text": "通過 Azure Policy 監視 VM 安全配置偏移。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d7672c26-7602-4482-85a4-14527fbe855c", - "link": "https://learn.microsoft.com/azure/aks/command-invoke", - "service": "AKS", - "severity": "低", - "text": "請考慮在專用群集上使用 AKS 命令調用", + "checklist": "Azure Landing Zone Review", + "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "VM", + "severity": "中等", + "text": "將 Azure Site Recovery 用於 Azure 到 Azure 虛擬機的災難恢復方案。這使您能夠跨區域複製工作負載。", "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": 
"31d7aaab-7571-4449-ab80-53d89e89d17b", - "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", - "service": "AKS", - "severity": "低", - "text": "對於計劃的事件,請考慮使用 Node Auto Drain", + "checklist": "Azure Landing Zone Review", + "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "Backup", + "severity": "中等", + "text": "使用 Azure 本機備份功能或與 Azure 相容的第三方備份解決方案。", "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", - "link": "https://learn.microsoft.com/azure/aks/faq", - "service": "AKS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "826c5c45-bb79-4951-a812-e3bfbfd7326b", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "VM", "severity": "高", - "text": "開發自己的治理實踐,以確保節點 RG(又名“基礎設施 RG”)中的操作員不會執行任何更改", - "waf": "操作" + "text": "在支援可用性區域的區域中對 VM 利用可用性區域。", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", - "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", - "severity": "低", - "text": "使用自定義節點 RG(又名“Infra RG”)名稱", - "waf": "操作" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "7ccb7c06-5511-42df-8177-d97f08d0337d", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "VM", + "severity": "高", + "text": "避免在單個 VM 上運行生產工作負載。", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", - "link": 
"https://kubernetes.io/docs/setup/release/notes/", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "84101f59-1941-4195-a270-e28034290e3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", "severity": "中等", - "text": "請勿在 YAML 清單中使用已棄用的 Kubernetes API", - "waf": "操作" + "text": "Azure 負載均衡器和應用程式閘道在多個資源之間分配傳入的網路流量。", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", - "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", - "service": "AKS", - "severity": "低", - "text": "污染 Windows 節點", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "WAF", + "severity": "高", + "text": "添加診斷設置以保存來自 Azure Front Door 和 Azure 應用程式閘道等應用程式交付服務的 WAF 紀錄。定期查看日誌,以檢查攻擊和誤報檢測。", "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", - "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", - "service": "AKS", - "severity": "低", - "text": "使 Windows 容器修補程式級別與主機修補程式級別保持同步", + "checklist": "Azure Landing Zone Review", + "guid": "7f408960-c626-44cb-a018-347c8d790cdf", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "WAF", + "severity": "中等", + "text": "將 WAF 日誌從應用程式交付服務(如 Azure Front Door 和 Azure 應用程式閘道)發送到 Microsoft Sentinel。檢測攻擊並將 WAF 遙測集成到整個 Azure 環境中。", "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - 
"checklist": "Azure AKS Review", - "description": "通過群集級別的診斷設置", - "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", - "link": "https://learn.microsoft.com/azure/aks/monitor-aks", - "service": "AKS", - "severity": "低", - "text": "將主日誌(又名 API 紀錄)發送到 Azure Monitor 或首選日誌管理解決方案", - "waf": "操作" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "5017f154-e3ab-4369-9829-e7e316183687", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "Key Vault", + "severity": "高", + "text": "使用 Azure Key Vault 儲存機密和憑據", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", - "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", - "service": "AKS", - "severity": "低", - "text": "如果需要,請使用 nodePool 快照", - "waf": "成本" + "checklist": "Azure Landing Zone Review", + "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", + "guid": "a0477a20-9945-4bda-9333-4f2491163418", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", + "service": "Key Vault", + "severity": "中等", + "text": "對不同的應用程式和區域使用不同的 Azure Key Vault,以避免事務規模限制並限制對機密的訪問。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", - "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", - "service": 
"AKS", - "severity": "低", - "text": "考慮將現成節點池用於對時間敏感的工作負載", - "waf": "操作" + "checklist": "Azure Landing Zone Review", + "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "中等", + "text": "預配啟用軟刪除和清除策略的 Azure Key Vault,以允許對已刪除物件進行保留保護。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", - "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", - "severity": "低", - "text": "考慮用於快速突發的 AKS 虛擬節點", - "waf": "操作" + "checklist": "Azure Landing Zone Review", + "guid": "dc055bcf-619e-48a1-9f98-879525d62688", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "中等", + "text": "通過將永久刪除密鑰、機密和證書的授權限制為專用的自定義 Microsoft Entra ID 角色,遵循最低特權模型。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", - "severity": "高", - "text": "使用 Container Insights(或 Prometheus 等其他工具)監控集群指標", - "waf": "操作" + "checklist": "Azure Landing Zone Review", + "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "中等", + "text": "使用公共證書頒發機構自動執行證書管理和續訂過程,以簡化管理。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where 
type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", - "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", - "severity": "高", - "text": "使用 Container Insights(或 Telegraf/ElasticSearch 等其他工具)存儲和分析集群日誌", - "waf": "操作" + "checklist": "Azure Landing Zone Review", + "guid": "913156a1-2476-4e49-b541-acdce979377b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "中等", + "text": "建立金鑰和證書輪換的自動化流程。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", - "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "中等", - "text": "監控節點的 CPU 和記憶體利用率", - "waf": "操作" + "text": "在保管庫上啟用防火牆和虛擬網路服務終結點或專用終結點,以控制對密鑰保管庫的訪問。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "1a4835ac-9422-423e-ae80-b123081a5417", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", + "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", + "service": "Key Vault", "severity": "中等", - "text": "如果使用 Azure CNI,請監視每個節點消耗的 Pod IP 的百分比", - "waf": "操作" + "text": "使用平臺中心 Azure Monitor Log Analytics 工作區審核每個 Key Vault 實例中的金鑰、證書和機密使用方式。", + "waf": "安全" }, { - "arm-service": 
"microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "OS 磁碟上的 I/O 是關鍵資源。如果節點中的操作系統在 I/O 上受到限制,這可能會導致不可預知的行為,通常最終導致節點被聲明為 NotReady", - "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", - "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "中等", - "text": "監視節點中的OS磁碟佇列深度", - "waf": "操作" + "text": "委託 Key Vault 實例化和特權訪問,並使用 Azure Policy 強制實施一致的合規配置。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "be209d39-fda4-4777-a424-d116785c2fa5", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "91163418-2ba5-4275-8694-4008be7d7e48", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "中等", - "text": "如果不對 AzFW/NVA 使用出口篩選,請監視標準 ALB 分配的 SNAT 連接埠", - "waf": "操作" + "text": "對每個應用程式、每個環境、每個區域使用 Azure Key Vault。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", - "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "25d62688-6d70-4ba6-a97b-e99519048384", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "中等", - "text": "訂閱 AKS 群集的資源運行狀況通知", - "waf": "操作" + "text": "如果要自帶密鑰,則並非所有考慮的服務都支援此功能。實施相關的緩解措施,以免不一致阻礙預期結果。選擇適當的區域對和災難恢復區域,以最大程度地減少延遲。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - 
"guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", - "severity": "高", - "text": "在 Pod 規範中配置請求和限制", - "waf": "操作" + "checklist": "Azure Landing Zone Review", + "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", + "link": "https://learn.microsoft.com/industry/sovereignty/key-management", + "service": "Key Vault", + "severity": "中等", + "text": "對於主權登陸區域,請使用 Azure Key Vault 託管的 HSM 來儲存機密和憑據。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "769ef669-1a48-435a-a942-223ece80b123", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", + "service": "Entra", "severity": "中等", - "text": "強制實施命名空間的資源配額", - "waf": "操作" + "text": "使用 Microsoft Entra ID 報告功能生成訪問控制審核報告。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "081a5417-4158-433e-a3ad-3c2de733165c", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "AKS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "09945bda-4333-44f2-9911-634182ba5275", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", + "service": "Defender", "severity": "高", - "text": "確保訂閱具有足夠的配額來橫向擴展節點池", - "waf": "操作" + "text": "為所有訂閱啟用Defender雲安全態勢管理。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct 
id,compliant", - "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", - "severity": "中等", - "text": "使用群集自動縮放程式", - "waf": "性能" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", + "service": "Defender", + "severity": "高", + "text": "在所有訂閱上為伺服器啟用Defender雲工作負載保護計劃。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", - "guid": "831c2872-c693-4b39-a887-a561bada49bc", - "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", - "service": "AKS", - "severity": "低", - "text": "自定義 AKS 節點池的節點配置", - "waf": "性能" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", - "severity": "中等", - "text": "需要時使用 Horizontal Pod Autoscaler", - "waf": "性能" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", + "service": "Defender", + "severity": "高", + "text": "在所有訂閱上為 Azure 資源啟用 Defender 雲工作負載保護計劃。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "更大的節點將帶來更高的性能和功能,例如臨時磁碟和加速網路,但它們會增加爆炸半徑並降低擴展粒度", - "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", - "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", - "service": "AKS", + "ammp": true, + "checklist": 
"Azure Landing Zone Review", + "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", + "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", + "service": "VM", "severity": "高", - "text": "考慮適當的節點大小,不要太大或太小", - "waf": "性能" + "text": "在 IaaS 伺服器上啟用 Endpoint Protection。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", - "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", - "service": "AKS", - "severity": "低", - "text": "如果可伸縮性需要超過 5000 個節點,請考慮使用其他 AKS 群集", - "waf": "性能" + "checklist": "Azure Landing Zone Review", + "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", + "link": "https://learn.microsoft.com/azure/security-center/", + "service": "VM", + "severity": "中等", + "text": "通過 Azure Monitor 紀錄和 Defender for Cloud 監視基本作業系統修補偏移。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", - "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", - "service": "AKS", - "severity": "低", - "text": "考慮訂閱 EventGrid Events for AKS 自動化", - "waf": "性能" + "checklist": "Azure Landing Zone Review", + "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", + "severity": "中等", + "text": "將預設資源配置連接到集中式 Azure Monitor Log Analytics 工作區。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", - "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", - "service": "AKS", - "severity": "低", - "text": "若要在 AKS 群集上長時間運行操作,請考慮事件終止", - "waf": "性能" + "checklist": "Azure Landing Zone Review", + "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", + "link": 
"https://learn.microsoft.com/industry/sovereignty/transparency-logs", + "service": "Entra", + "severity": "中等", + "text": "對於主權登陸區域,在 Entra ID 租戶上啟用透明日誌。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", - "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", - "service": "AKS", - "severity": "低", - "text": "如果需要,請考慮將 Azure 專用主機用於 AKS 節點", - "waf": "性能" + "checklist": "Azure Landing Zone Review", + "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", + "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", + "service": "Entra", + "severity": "中等", + "text": "對於 Sovereign Landing Zone,在 Entra ID 租戶上啟用了客戶密碼箱。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", - "guid": "24367b33-6971-45b1-952b-eee0b9b588de", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Storage", "severity": "高", - "text": "使用臨時OS磁碟", - "waf": "性能" + "text": "應啟用安全傳輸到存儲帳戶", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "AKS", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": 
"159aac9f-863f-4f48-82cf-00c28fa97a0e", + "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", + "service": "Storage", "severity": "高", - "text": "對於非臨時磁碟,在運行多個 Pod/節點時,請為節點使用高 IOPS 和更大的 OS 磁碟,因為它需要高性能才能運行多個 Pod,並且會生成具有預設 AKS 日誌輪換閾值的大量日誌", - "waf": "性能" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", - "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", - "service": "AKS", - "severity": "低", - "text": "對於超高性能存儲選項,請在 AKS 上使用超級磁碟For hyper performance storage option use Ultra Disks on AKS", - "waf": "性能" + "text": "為存儲帳戶啟用容器軟刪除,以恢復已刪除的容器及其內容。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", - "service": "AKS", - "severity": "中等", - "text": "避免將狀態保留在群集中,並將數據存儲在外部(AzStorage、AzSQL、Cosmos 等)", - "waf": "性能" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", + "service": "Key Vault", + "severity": "高", + "text": "使用 Key Vault 機密可避免對敏感資訊(如憑據(虛擬機器用戶密碼)、證書或密鑰)進行硬編碼。", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", - "service": "AKS", - "severity": "中等", - "text": "如果使用 AzFiles Standard,出於性能原因,請考慮使用 AzFiles Premium 和/或 ANF", - "waf": "性能" + "checklist": "Azure VMware Solution Design Review", + "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", + "service": "AVS", + "severity": 
"高", + "text": "確保在本機 Azure 的標識訂閱中部署了 ADDS 域控制器", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", - "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", - "service": "AKS", + "checklist": "Azure VMware Solution Design Review", + "guid": "75089c20-990d-4927-b105-885576f76fc2", + "service": "AVS", "severity": "中等", - "text": "如果使用 Azure 磁碟和可用區,請考慮在區域內為 LRS 磁碟設置節點池,並使用 VolumeBindingMode:WaitForFirstConsumer 在正確的區域中預配存儲,或將 ZRS 磁碟用於跨多個區域的節點池", - "waf": "性能" + "text": "確保將 ADDS 網站和服務配置為將來自基於 Azure 的資源(包括 Azure VMware 解決方案)的身份驗證請求保留到 Azure 本地", + "waf": "安全" }, { - "checklist": "Identity Review Checklist", - "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", - "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", - "service": "Entra", - "severity": "中等", - "text": "使用長期可撤銷令牌,緩存令牌並使用 Microsoft 標識庫以靜默方式獲取令牌", - "waf": "可靠性" + "checklist": "Azure VMware Solution Design Review", + "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", + "service": "AVS", + "severity": "高", + "text": "確保 vCenter 已連接到 ADDS,以啟用基於「指定用戶帳戶」的身份驗證", + "waf": "安全" }, { - "checklist": "Identity Review Checklist", - "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", - "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", - "service": "AAD B2C", + "checklist": "Azure VMware Solution Design Review", + "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", + "service": "AVS", "severity": "中等", - "text": "請確保登錄使用者流已備份並具有復原能力。請確保用於登錄使用者的代碼已備份且可恢復。與外部進程的彈性介面", - "waf": "可靠性" + "text": "確保從 vCenter 到 ADDS 的連接使用安全協定 (LDAPS)", + "waf": "安全" }, { - "checklist": "Identity Review Checklist", - "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", - "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", - "service": "AAD B2C", + 
"checklist": "Azure VMware Solution Design Review", + "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", + "service": "AVS", "severity": "中等", - "text": "自訂品牌資產應託管在CDN上", - "waf": "性能" + "text": "vCenter IdP 中的 CloudAdmin 帳戶僅用作緊急帳戶 (break-glass)", + "waf": "安全" }, { - "checklist": "Identity Review Checklist", - "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", - "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", - "service": "AAD B2C", - "severity": "低", - "text": "擁有多個標識提供者(即使用您的 Microsoft、Google、Facebook 帳戶登錄)", - "waf": "可靠性" + "checklist": "Azure VMware Solution Design Review", + "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", + "service": "AVS", + "severity": "高", + "text": "確保 NSX-Manager 與外部身份提供程式 (LDAPS) 集成", + "waf": "安全" }, { - "checklist": "Identity Review Checklist", - "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", + "service": "AVS", "severity": "中等", - "text": "遵循 VM 規則,實現 VM 級別的高可用性(高級磁碟,一個區域中的兩個或更多磁碟,位於不同的可用性區域)", - "waf": "可靠性" + "text": "是否已創建 RBAC 模型以在 VMware vSphere 中使用", + "waf": "安全" }, { - "checklist": "Identity Review Checklist", - "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "checklist": "Azure VMware Solution Design Review", + "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", + "service": "AVS", "severity": "中等", - "text": "不要複製!複製可能會產生目錄同步問題", - "waf": "可靠性" + "text": "RBAC 許可權應授予 ADDS 組,而不是特定使用者", + "waf": "安全" }, { - "checklist": "Identity Review Checklist", - "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", - "link": 
"https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", - "severity": "中等", - "text": "對多區域具有主動-主動", - "waf": "可靠性" - }, - { - "checklist": "Identity Review Checklist", - "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", - "severity": "中等", - "text": "將 Azure AD 域服務標記添加到其他區域和位置", - "waf": "可靠性" + "checklist": "Azure VMware Solution Design Review", + "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", + "service": "AVS", + "severity": "高", + "text": "Azure 中 Azure VMware 解決方案資源的 RBAC 許可權僅「鎖定」為一組有限的擁有者", + "waf": "安全" }, { - "checklist": "Identity Review Checklist", - "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", - "severity": "中等", - "text": "將副本集用於DR", - "waf": "可靠性" + "checklist": "Azure VMware Solution Design Review", + "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", + "service": "AVS", + "severity": "高", + "text": "確保所有自定義角色的範圍都具有 CloudAdmin 允許的授權", + "waf": "安全" }, { - "checklist": "Azure API Management Review", - "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", - "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", - "service": "APIM", - "severity": "中等", - "text": "在全域級別實施錯誤處理策略", - "waf": "操作" + "checklist": "Azure VMware Solution Design Review", + "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", + "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", + "service": "AVS", + "severity": "高", + "text": "是否為手頭的客戶用例選擇了正確的 Azure VMware 解決方案連接模型", + "waf": "性能" }, { - "checklist": "Azure API Management Review", - "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", - "link": 
"https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", - "service": "APIM", - "severity": "中等", - "text": "確保所有 API 策略都包含一個元素。", + "checklist": "Azure VMware Solution Design Review", + "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", + "service": "AVS", + "severity": "高", + "text": "確保使用「連接監視器」監視從本地到 Azure 的 ExpressRoute 或 VPN 連接", "waf": "操作" }, { - "checklist": "Azure API Management Review", - "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", - "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", + "service": "AVS", "severity": "中等", - "text": "使用策略片段可避免在多個 API 中重複相同的策略定義", + "text": "確保創建從 Azure 本機資源到 Azure VMware 解決方案虛擬機的連接監視器,以監視 Azure VMware 解決方案後端 ExpressRoute 連接", "waf": "操作" }, { - "checklist": "Azure API Management Review", - "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", - "link": "https://learn.microsoft.com/azure/api-management/monetization-support", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", + "service": "AVS", "severity": "中等", - "text": "如果您計劃通過 API 獲利,請查看“獲利支援”一文,瞭解最佳做法", + "text": "確保創建從本地資源到 Azure VMware 解決方案虛擬機的連接監視器,以監視端到端連接", "waf": "操作" }, { - "checklist": "Azure API Management Review", - "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", + "service": "AVS", "severity": "高", - "text": "啟用診斷設置以將日誌導出到 Azure Monitor", + "text": "使用路由伺服器時,請確保從路由伺服器到 ExR 閘道再到本地的路由不超過 1000 個(ARS 限制)。", "waf": "操作" }, { - "checklist": "Azure API Management Review", - "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", - "link": 
"https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", - "service": "APIM", - "severity": "中等", - "text": "啟用 Application Insights 以獲取更詳細的遙測數據", - "waf": "操作" + "checklist": "Azure VMware Solution Design Review", + "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", + "service": "AVS", + "severity": "高", + "text": "是否為在 Azure 門戶中管理 Azure VMware 解決方案資源的角色實現了 Privileged Identity Management(不允許長期許可權)", + "waf": "安全" }, { - "checklist": "Azure API Management Review", - "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", + "service": "AVS", "severity": "高", - "text": "針對最關鍵的指標配置警報", - "waf": "操作" + "text": "應為 Azure VMware 解決方案 PIM 角色實現 Privileged Identity Management 審核報告", + "waf": "安全" }, { - "checklist": "Azure API Management Review", - "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", - "service": "APIM", - "severity": "高", - "text": "確保自定義 SSL 證書儲存在 Azure Key Vault 中,以便可以安全地訪問和更新它們", + "checklist": "Azure VMware Solution Design Review", + "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", + "service": "AVS", + "severity": "中等", + "text": "如果使用 Privileged Identity Management,請確保使用有效的 SMTP 記錄創建啟用了 Entra ID 的有效帳戶,以便 Azure VMware 解決方案自動主機更換通知。(需要長期許可)", "waf": "安全" }, { - "checklist": "Azure API Management Review", - "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", - "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", + "service": "AVS", "severity": "高", - "text": "使用 Azure AD 保護對 API(數據平面)的傳入請求", + "text": "將 CloudAdmin 帳戶的使用限制為僅緊急訪問", "waf": "安全" }, { - "checklist": "Azure API Management Review", - "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", + "service": "AVS", "severity": "中等", - "text": "使用 Microsoft Entra ID 在開發人員門戶中對用戶進行身份驗證", + "text": "在 vCenter 中創建自定義 RBAC 角色,以在 vCenter 中實施最小特權模型", "waf": "安全" }, { - "checklist": "Azure API Management Review", - "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", + "service": "AVS", "severity": "中等", - "text": "創建適當的組來控制產品的可見性", + "text": "是定義為定期輪換 cloudadmin (vCenter) 和管理員 (NSX) 憑據的過程", "waf": "安全" }, { - "checklist": "Azure API Management Review", - "guid": "06862505-2d9a-4874-9491-2837b00a3475", - "link": "https://learn.microsoft.com/azure/api-management/backends", - "service": "APIM", - "severity": "中等", - "text": "使用後端功能消除冗餘 API 後端配置", - "waf": "操作" + "checklist": "Azure VMware Solution Design Review", + "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", + "service": "AVS", + "severity": "高", + "text": "使用集中式識別提供者用於在 Azure VMware 解決方案上運行的工作負載 (VM)", + "waf": "安全" }, { - "checklist": "Azure API Management Review", - "guid": 
"03b125d5-b69b-4739-b7fd-84b86da4933e", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", + "service": "AVS", "severity": "中等", - "text": "使用命名值存儲可在策略中使用的通用值", - "waf": "操作" + "text": "是否在 NSX-T 中實施了東西向流量篩選", + "waf": "安全" }, { - "checklist": "Azure API Management Review", - "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", - "service": "APIM", - "severity": "中等", - "text": "對於DR,利用高級層,跨兩個或多個區域擴展部署,實現99.99%的SLA", - "waf": "可靠性" + "checklist": "Azure VMware Solution Design Review", + "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", + "service": "AVS", + "severity": "高", + "text": "Azure VMware 解決方案上的工作負載不會直接向 Internet 公開。流量由 Azure 應用程式閘道、Azure 防火牆或第三方解決方案進行篩選和檢查", + "waf": "安全" }, { - "checklist": "Azure API Management Review", - "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", - "link": "https://learn.microsoft.com/azure/api-management/high-availability", - "service": "APIM", - "severity": "中等", - "text": "在兩個或多個可用區中部署至少一台設備,SLA 提高 99.99%", - "waf": "可靠性" + "checklist": "Azure VMware Solution Design Review", + "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", + "service": "AVS", + "severity": "高", + "text": "對 Azure VMware 解決方案和基於 Azure VMware 解決方案的工作負載的入站 Internet 請求實施審核和日誌記錄", + "waf": "安全" }, { - "checklist": "Azure API Management Review", - "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", - "service": "APIM", - "severity": "高", - "text": "確保有一個自動備份例程", - "waf": "可靠性" + "checklist": "Azure VMware Solution Design Review", + "guid": 
"29e3eec2-1836-487a-8077-a2b5945bda43", + "service": "AVS", + "severity": "中等", + "text": "對來自 Azure VMware 解決方案或基於 Azure VMware 解決方案的工作負載的出站 Internet 連接實施會話監視,以識別可疑/惡意活動", + "waf": "安全" }, { - "checklist": "Azure API Management Review", - "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", - "link": "https://learn.microsoft.com/azure/api-management/retry-policy", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "334fdf91-c234-4182-a652-75269440b4be", + "service": "AVS", "severity": "中等", - "text": "使用策略添加故障轉移後端 URL 和緩存,以減少失敗的調用。", - "waf": "可靠性" + "text": "是否在 Azure 的 ExR/VPN 閘道子網上啟用了 DDoS 標準防護", + "waf": "安全" }, { - "checklist": "Azure API Management Review", - "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", - "service": "APIM", - "severity": "低", - "text": "如果需要以高性能級別進行日誌記錄,請考慮事件中心策略", - "waf": "操作" + "checklist": "Azure VMware Solution Design Review", + "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", + "service": "AVS", + "severity": "中等", + "text": "使用專用特權訪問工作站 (PAW) 管理 Azure VMware 解決方案、vCenter、NSX Manager 和 HCX Manager", + "waf": "安全" }, { - "checklist": "Azure API Management Review", - "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", - "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", + "service": "AVS", "severity": "中等", - "text": "應用限制策略來控制每秒的請求數", - "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", - "waf": "性能" + "text": "為 Azure VMware 解決方案上運行的工作負載啟用高級威脅檢測(Microsoft Defender for Cloud,又名 ASC)", + "waf": "安全" }, { - "checklist": "Azure API Management Review", - "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", - "service": 
"APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", + "service": "AVS", "severity": "中等", - "text": "配置自動縮放以在負載增加時橫向擴展實例數", - "waf": "性能" + "text": "使用適用於伺服器的 Azure ARC 使用 Azure 本機技術正確管理在 Azure VMware 解決方案上運行的工作負載(適用於 Azure VMware 解決方案的 Azure ARC 尚不可用)", + "waf": "安全" }, { - "checklist": "Azure API Management Review", - "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", - "service": "APIM", - "severity": "中等", - "text": "在 Azure 沒有靠近後端 API 的區域的地方部署自承載閘道。", - "waf": "性能" + "checklist": "Azure VMware Solution Design Review", + "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", + "service": "AVS", + "severity": "低", + "text": "確保 Azure VMware 解決方案上的工作負載在運行時使用足夠的數據加密(如來賓內磁碟加密和 SQL TDE)。(vSAN 靜態加密為預設加密)", + "waf": "安全" }, { - "checklist": "Azure API Management Review", - "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", - "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", - "service": "APIM", - "severity": "中等", - "text": "將高級層用於生產工作負載。", - "waf": "可靠性" + "checklist": "Azure VMware Solution Design Review", + "guid": "a3592718-e6e2-4051-9267-6ae46691e883", + "service": "AVS", + "severity": "低", + "text": "使用來賓內加密時,請盡可能將加密密鑰存儲在 Azure Key Vault 中", + "waf": "安全" }, { - "checklist": "Azure API Management Review", - "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "5ac94222-3e13-4810-9230-81a941741583", + "service": "AVS", "severity": "中等", - "text": "在多區域模型中,使用策略根據可用性或延遲將請求路由到區域後端。", + "text": "請考慮對 Azure VMware 解決方案上運行的工作負載使用擴展的安全更新支援(Azure VMware 解決方案符合 ESU 條件)", + "waf": "安全" + }, + { + "checklist": "Azure VMware Solution Design 
Review", + "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", + "service": "AVS", + "severity": "高", + "text": "確保使用適當的 vSAN 資料冗餘方法(RAID 規範)", "waf": "可靠性" }, { - "checklist": "Azure API Management Review", - "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "d88408f3-7273-44c8-96ba-280214590146", + "service": "AVS", "severity": "高", - "text": "注意APIM的局限性", + "text": "確保允許失敗策略已到位,以滿足您的 vSAN 儲存需求", "waf": "可靠性" }, { - "checklist": "Azure API Management Review", - "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", - "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", + "service": "AVS", "severity": "高", - "text": "確保自承載閘道部署具有復原能力。", + "text": "確保已請求足夠的配額,確保已考慮增長和災難恢復要求", "waf": "可靠性" }, { - "checklist": "Azure API Management Review", - "guid": "7519e385-a88b-4d34-966b-6269d686e890", - "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", + "service": "AVS", "severity": "中等", - "text": "在APIM前面使用 Azure Front Door 進行多區域部署", - "waf": "性能" + "text": "確保瞭解對 ESXi 的訪問限制,其中存在可能影響第三方解決方案的訪問限制。", + "waf": "操作" }, { - "checklist": "Azure API Management Review", - "guid": "cd45c90e-7690-4753-930b-bf290c69c074", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": 
"bf39d95d-44c7-4c89-89ca-1f6d5315ae52", + "service": "AVS", "severity": "中等", - "text": "在虛擬網络 (VNet) 中部署服務Deploy the service within a Virtual Network (VNet)", - "waf": "安全" + "text": "確保您制定了有關ESXi主機密度和效率的策略,並牢記請求新節點的提前期", + "waf": "操作" }, { - "checklist": "Azure API Management Review", - "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", + "service": "AVS", "severity": "中等", - "text": "將網路安全組 (NSG) 部署到子網,以限制或監視進出APIM的流量。", - "waf": "安全" + "text": "確保 Azure VMware 解決方案的良好成本管理流程已到位 - 可以使用 Azure 成本管理", + "waf": "成本" }, { - "checklist": "Azure API Management Review", - "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", + "service": "AVS", + "severity": "低", + "text": "Azure 預留實例是否用於優化使用 Azure VMware 解決方案的成本", + "waf": "成本" + }, + { + "checklist": "Azure VMware Solution Design Review", + "guid": "6691e883-5ac9-4422-83e1-3810523081a9", + "service": "AVS", "severity": "中等", - "text": "部署專用終結點以在未將APIM部署到 VNet 時篩選傳入流量。", + "text": "使用其他 Azure 本機服務時,請考慮使用 Azure 專用連結", "waf": "安全" }, { - "checklist": "Azure API Management Review", - "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", - 
"service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", + "service": "AVS", "severity": "高", - "text": "禁用公網訪問", - "waf": "安全" + "text": "確保所有必需的資源都駐留在同一個 Azure 可用性區域中", + "waf": "性能" }, { - "checklist": "Azure API Management Review", - "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", - "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", + "service": "AVS", "severity": "中等", - "text": "使用 PowerShell 自動化腳本簡化管理", - "waf": "操作" + "text": "為 Azure VMware 解決方案來賓 VM 工作負載啟用 Microsoft Defender for Cloud", + "waf": "安全" }, { - "checklist": "Azure API Management Review", - "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", + "service": "AVS", "severity": "中等", - "text": "通過基礎架構即代碼配置APIM。查看 Cloud Adaption Framework 中的 DevOps 最佳實踐 APIM 登陸區域加速器", - "waf": "操作" + "text": "使用已啟用 Azure Arc 的伺服器管理 Azure VMware 解決方案來賓 VM 工作負載", + "waf": "安全" }, { - "checklist": "Azure API Management Review", - "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", - "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", - "service": "APIM", - "severity": "中等", - "text": "促進 Visual Studio Code APIM 擴展的使用,以加快 API 開發速度", + "checklist": "Azure VMware Solution Design Review", + "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", + "service": "AVS", + "severity": "高", + "text": "在 Azure VMware 解決方案上啟用診斷和指標日誌記錄", "waf": "操作" }, { - "checklist": "Azure API Management Review", - "guid": "354f1c03-8112-4965-85ad-c0074bddf231", - "link": 
"https://learn.microsoft.com/azure/api-management/devops-api-development-templates", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", + "service": "AVS", "severity": "中等", - "text": "在工作流中實施DevOps和 CI/CD", + "text": "將Log Analytics代理部署到 Azure VMware 解決方案來賓 VM 工作負載", "waf": "操作" }, { - "checklist": "Azure API Management Review", - "guid": "b6439493-426a-45f3-9697-cf65baee208d", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", - "service": "APIM", - "severity": "中等", - "text": "使用用戶端證書身份驗證保護 API", - "waf": "安全" - }, - { - "checklist": "Azure API Management Review", - "guid": "2a67d143-1033-4c0a-8732-680896478f08", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "589d457a-927c-4397-9d11-02cad6aae11e", + "service": "AVS", "severity": "中等", - "text": "使用用戶端證書身份驗證保護後端服務", - "waf": "安全" + "text": "確保已針對 Azure VMware 解決方案 VM 工作負載記錄並實施了備份策略和解決方案", + "waf": "操作" }, { - "checklist": "Azure API Management Review", - "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", - "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "ee29711b-d352-4caa-ab79-b198dab81932", + "service": "AVS", "severity": "中等", - "text": "查看“緩解 OWASP API 安全前 10 大威脅的建議”一文,並查看適用於您的 API 的內容", + "text": "使用 Microsoft Defender for Cloud 對 Azure VMware 解決方案上運行的工作負載進行合規性監視", "waf": "安全" }, { - "checklist": "Azure API Management Review", - "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", - "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", + "service": "AVS", "severity": 
"中等", - "text": "使用授權功能簡化後端 API 的 OAuth 2.0 令牌管理", + "text": "是否將適用的合規性基線添加到 Microsoft Defender for Cloud", "waf": "安全" }, { - "checklist": "Azure API Management Review", - "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", + "service": "AVS", "severity": "高", - "text": "加密傳輸中的資訊時,請使用最新的 TLS 版本。盡可能禁用過時和不必要的協議和密碼。", + "text": "在選擇要用於 Azure VMware 解決方案部署的 Azure 區域時是否評估了數據駐留", "waf": "安全" }, { - "checklist": "Azure API Management Review", - "guid": "f8af3d94-1d2b-4070-846f-849197524258", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", + "service": "AVS", "severity": "高", - "text": "確保機密(命名值)存儲在 Azure Key Vault 中,以便可以安全地訪問和更新它們", + "text": "數據處理影響(服務提供者/服務消費者模型)是否清晰且有據可查", "waf": "安全" }, { - "checklist": "Azure API Management Review", - "guid": "791abd8b-7706-4e31-9569-afefde724be3", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "547c1747-dc56-4068-a714-435cd19dd244", + "service": "AVS", "severity": "中等", - "text": "盡可能使用託管標識向其他 Azure 資源進行身份驗證", + "text": "僅當出於合規性原因需要時,才考慮將CMK(客戶管理的密鑰)用於 vSAN。", "waf": "安全" }, { - "checklist": "Azure API Management Review", - "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", - "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", - "service": "APIM", + "checklist": "Azure VMware Solution Design Review", + "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", + "service": "AVS", "severity": "高", - "text": "使用 APIM 前面部署應用程式閘道來使用 Web 應用程式防火牆 (WAF)", - "waf": "安全" + "text": "創建儀錶板以啟用核心 Azure VMware 解決方案監視見解", + "waf": "操作" }, { - "checklist": "Azure Blob Storage Review", - "description": "應用與存儲相關的 Microsoft 雲安全基準中的指導", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Azure Storage", - "severity": "中等", - "text": "請考慮「存儲的 Azure 安全基線”", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", + "service": "AVS", + "severity": "高", + "text": "針對 Azure VMware 解決方案性能(CPU >80%、平均記憶體 >80%、vSAN >70%)自動警報的關鍵閾值創建警告警報", + "waf": "操作" }, { - "checklist": "Azure Blob Storage Review", - "description": "默認情況下,Azure 儲存具有公共IP位址,並且可通過Internet訪問。專用終結點允許僅向需要訪問的 Azure 計算資源安全地公開 Azure 存儲,從而消除對公共 Internet 的暴露", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Azure Storage", + "checklist": "Azure VMware Solution Design Review", + "guid": "9659e396-80e7-4828-ac93-5657d02bff45", + "service": "AVS", "severity": "高", - "text": "考慮將專用終結點用於 Azure 存儲", - "waf": "安全" - }, - { - "checklist": "Azure Blob Storage Review", - "description": "新創建的存儲帳戶是使用ARM部署模型創建的,因此 RBAC、審核等都已啟用。確保訂閱中沒有具有經典部署模型的舊存儲帳戶", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Azure Storage", - "severity": "中等", - 
"text": "確保較舊的存儲帳戶未使用“經典部署模型”", - "waf": "安全" + "text": "確保創建嚴重警示以監控 vSAN 消耗量是否低於 75%,因為這是 VMware 的支援閾值", + "waf": "操作" }, { - "checklist": "Azure Blob Storage Review", - "description": "利用 Microsoft Defender 瞭解可疑活動和錯誤配置。", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Azure Storage", + "checklist": "Azure VMware Solution Design Review", + "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", + "service": "AVS", "severity": "高", - "text": "為所有存儲帳戶啟用 Microsoft DefenderEnable Defender for all of your storage accounts", - "waf": "安全" + "text": "確保為 Azure 服務運行狀況警報和通知配置警報", + "waf": "操作" }, { - "checklist": "Azure Blob Storage Review", - "description": "軟刪除機制允許恢復意外刪除的 Blob。", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Azure Storage", + "checklist": "Azure VMware Solution Design Review", + "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", + "service": "AVS", "severity": "中等", - "text": "為 blob 啟用“軟刪除”", - "waf": "安全" + "text": "將 Azure VMware 解決方案記錄設定為發送到 Azure 儲存帳戶或 Azure EventHub 進行處理", + "waf": "操作" }, { - "checklist": "Azure Blob Storage Review", - "description": "請考慮有選擇地禁用某些 blob 容器的「軟刪除」 例如,如果應用程式必須確保立即刪除已刪除的資訊,例如出於機密性、隱私或合規性原因。", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", - "severity": "中等", - "text": "禁用 blob 的“軟刪除”", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", + "service": "AVS", + "severity": "低", + "text": "如果需要深入瞭解 VMware vSphere:解決方案中是否使用了 vRealize Operations 和/或 vRealize Network Insights?", + "waf": "操作" }, { - "checklist": "Azure Blob Storage Review", - "description": "容器的軟刪除使你能夠在刪除容器后恢復容器,例如從意外刪除操作中恢復。", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", 
- "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Azure Storage", + "checklist": "Azure VMware Solution Design Review", + "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", + "service": "AVS", "severity": "高", - "text": "為容器啟用“軟刪除”", - "waf": "安全" + "text": "確保虛擬機的 vSAN 儲存策略不是預設存儲策略,因為此策略應用厚置備", + "waf": "操作" }, { - "checklist": "Azure Blob Storage Review", - "description": "請考慮有選擇地禁用某些 blob 容器的「軟刪除」 例如,如果應用程式必須確保立即刪除已刪除的資訊,例如出於機密性、隱私或合規性原因。", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", + "checklist": "Azure VMware Solution Design Review", + "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", + "service": "AVS", "severity": "中等", - "text": "禁用容器的“軟刪除”", - "waf": "安全" + "text": "確保未將 vSphere 內容庫放置在 vSAN 上,因為 vSAN 是有限的資源", + "waf": "操作" }, { - "checklist": "Azure Blob Storage Review", - "description": "通過強制使用者在刪除之前先刪除刪除鎖,防止意外刪除存儲帳戶", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", - "severity": "高", - "text": "在存儲帳戶上啟用資源鎖", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", + "service": "AVS", + "severity": "中等", + "text": "確保備份解決方案的數據存儲庫存儲在 vSAN 儲存之外。在 Azure 本機或磁碟池支持的數據存儲中", + "waf": "操作" }, { - "checklist": "Azure Blob Storage Review", - "description": "請考慮對 blob 使用“合法保留”或“基于時間的保留”策略,這樣就無法刪除 blob、容器或存儲帳戶。請注意,「不可能」實際上意味著「不可能」;存儲帳戶包含不可變 blob 後,「擺脫」該存儲帳戶的唯一方法是取消 Azure 訂閱。", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Azure Storage", - "severity": "高", - "text": "考慮不可變的 blob", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", + "service": "AVS", 
+ "severity": "中等", + "text": "確保使用 Azure Arc for Servers 進行混合管理,確保在 Azure VMware 解決方案上運行的工作負載(Arc for Azure VMware 解決方案處於預覽狀態)", + "waf": "操作" }, { - "checklist": "Azure Blob Storage Review", - "description": "請考慮禁用對存儲帳戶的未受保護的 HTTP/80 訪問,以便對所有數據傳輸進行加密、完整性保護,並對伺服器進行身份驗證。", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Azure Storage", - "severity": "高", - "text": "需要 HTTPS,即在儲存帳戶上禁用埠 80", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", + "service": "AVS", + "severity": "中等", + "text": "確保使用 Azure Log Analytics 和 Azure Monitor 監視在 Azure VMware 解決方案上運行的工作負載", + "waf": "操作" }, { - "checklist": "Azure Blob Storage Review", - "description": "在儲存帳戶上配置自定義域(主機名)時,請檢查是否需要 TLS/HTTPS;如果是這樣,可能需要將 Azure CDN 放在存儲帳戶的前面。", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Azure Storage", - "severity": "高", - "text": "強制實施 HTTPS(禁用 HTTP)時,請檢查是否未對儲存帳戶使用自定義域 (CNAME)。", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", + "service": "AVS", + "severity": "中等", + "text": "在現有更新管理工具或 Azure 更新管理中包括在 Azure VMware 解決方案上運行的工作負載", + "waf": "操作" }, { - "checklist": "Azure Blob Storage Review", - "description": "當用戶端使用SAS令牌訪問 blob 資料時,要求使用 HTTPS 有助於將憑據丟失的風險降至最低。", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Azure Storage", + "checklist": "Azure VMware Solution Design Review", + "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", + "service": "AVS", "severity": "中等", - "text": "將共享訪問簽名 (SAS) 令牌限製為僅 HTTPS 連接", - "waf": "安全" + "text": "使用 Azure Policy 在 Azure 管理、監視和安全解決方案中加入 Azure VMware 解決方案工作負載", + "waf": "操作" }, { - "checklist": "Azure Blob Storage 
Review", - "description": "在可能的情況下,AAD 令牌應優先於共用訪問簽名", - "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", - "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", - "service": "Azure Storage", - "severity": "高", - "text": "使用 Azure Active Directory (Azure AD) 令牌進行 blob 訪問", + "checklist": "Azure VMware Solution Design Review", + "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", + "service": "AVS", + "severity": "中等", + "text": "確保在 Azure VMware 解決方案上運行的工作負載已載入 Microsoft Defender for Cloud", "waf": "安全" }, { - "checklist": "Azure Blob Storage Review", - "description": "將角色分配給使用者、組或應用程式時,請僅向該安全主體授予他們執行任務所需的許可權。限制對資源的訪問有助於防止無意和惡意濫用數據。", - "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", - "service": "Azure Storage", + "checklist": "Azure VMware Solution Design Review", + "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", + "service": "AVS", "severity": "中等", - "text": "IaM 許可權中的最低特權", - "waf": "安全" + "text": "確保備份不存儲在 vSAN 上,因為 vSAN 是有限的資源", + "waf": "可靠性" }, { - "checklist": "Azure Blob Storage Review", - "description": "使用者委派 SAS 使用 Azure Active Directory (Azure AD) 憑據以及為 SAS 指定的許可權進行保護。使用者委派 SAS 在範圍和功能方面類似於服務 SAS,但比服務 SAS 具有安全優勢。", - "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", - "service": "Azure Storage", - "severity": "高", - "text": "使用 SAS 時,首選「使用者委派 SAS」,而不是基於存儲帳戶密鑰的 SAS。", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", + "service": "AVS", + "severity": "中等", + "text": "是否考慮了所有災難恢復解決方案,並決定了最適合您業務的解決方案?[SRM/JetStream/Zerto/Veeam/...]", + "waf": "可靠性" }, { - "checklist": "Azure Blob Storage Review", - "description": "存儲帳戶金鑰(“共用金鑰”)幾乎沒有審核功能。雖然可以監控誰/何時獲取密鑰副本,但一旦密鑰掌握在多個人手中,就不可能將使用方式歸因於特定使用者。僅依靠 AAD 身份驗證可以更輕鬆地將存儲存取許可權綁定到使用者。", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": 
"https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", - "service": "Azure Storage", - "severity": "高", - "text": "請考慮禁用存儲帳戶密鑰,以便僅支援 AAD 訪問(和使用者委派 SAS)。", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", + "service": "AVS", + "severity": "中等", + "text": "當災難恢復技術是本機 Azure IaaS 時,請使用 Azure Site Recovery", + "waf": "可靠性" }, { - "checklist": "Azure Blob Storage Review", - "description": "使用活動日誌數據來標識查看或更改存儲帳戶安全性的“時間”、“人員”、“內容”和“方式”(即存儲帳戶密鑰、訪問策略等)。", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", - "service": "Azure Storage", + "checklist": "Azure VMware Solution Design Review", + "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", + "service": "AVS", "severity": "高", - "text": "請考慮使用 Azure Monitor 審核存儲帳戶上的控制平面操作", - "waf": "安全" + "text": "將自動恢復計劃與任一災難解決方案結合使用,盡可能避免手動任務", + "waf": "可靠性" }, { - "checklist": "Azure Blob Storage Review", - "description": "通過金鑰過期策略,您可以設置帳戶訪問金鑰輪換的提醒。如果指定的時間間隔已過且鍵尚未旋轉,則會顯示提醒。", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", - "service": "Azure Storage", + "checklist": "Azure VMware Solution Design Review", + "guid": "8255461e-2aee-4345-9aec-8339248b262d", + "service": "AVS", "severity": "中等", - "text": "使用存儲帳戶密鑰時,請考慮啟用“金鑰過期策略”", - "waf": "安全" + "text": "使用地緣政治區域對作為輔助災難恢復環境", + "waf": "可靠性" }, { - "checklist": "Azure Blob Storage Review", - "description": "SAS 過期策略指定 SAS 有效的建議時間間隔。SAS 過期策略適用於服務 SAS 或帳戶 SAS。當使用者生成的服務 SAS 或帳戶 SAS 的有效期間隔大於建議的時間間隔時,他們會看到警告。", - "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", - "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", - "service": "Azure Storage", - "severity": "中等", - "text": "考慮配置 SAS 過期策略", - "waf": "安全" + "checklist": 
"Azure VMware Solution Design Review", + "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", + "service": "AVS", + "severity": "高", + "text": "在區域之間使用 2 個不同的地址空間,例如:10.0.0.0/16 和 192.168.0.0/16 用於不同的區域", + "waf": "可靠性" }, { - "checklist": "Azure Blob Storage Review", - "description": "存儲存取策略提供了撤銷服務 SAS 許可權的選項,而無需重新生成儲存帳戶密鑰。", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", - "service": "Azure Storage", + "checklist": "Azure VMware Solution Design Review", + "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", + "service": "AVS", "severity": "中等", - "text": "考慮將 SAS 連結到儲存存取策略", - "waf": "安全" + "text": "ExpressRoute Global Reach 是用於主 Azure VMware 解決方案私有雲和輔助 Azure VMware 解決方案私有雲之間的連接,還是通過網路虛擬設備完成路由?", + "waf": "可靠性" }, { - "checklist": "Azure Blob Storage Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", - "service": "Azure Storage", - "severity": "中等", - "text": "請考慮配置應用程式的原始程式碼儲存庫,以檢測簽入的連接字串和存儲帳戶密鑰。", - "waf": "安全" - }, - { - "checklist": "Azure Blob Storage Review", - "description": "理想情況下,應用程式應使用託管標識向 Azure 儲存進行身份驗證。如果無法做到這一點,請考慮在 Azure KeyVault 或等效服務中使用存儲憑據(連接字串、存儲帳戶密鑰、SAS、服務主體憑據)。", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", - "service": "Azure Storage", - "severity": "高", - "text": "請考慮將連接字串儲存在 Azure KeyVault 中(在無法實現託管標識的情況下)", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", + "service": "AVS", + "severity": "中等", + "text": "是否考慮了所有備份解決方案,並決定了最適合您業務的解決方案?[ MABS/CommVault/Metallic.io/Veeam/ .", + "waf": "可靠性" }, { - "checklist": "Azure Blob Storage Review", - "description": "在臨時 SAS 服務 SAS 或帳戶 SAS 上使用近期過期時間。這樣,即使 SAS 
遭到入侵,它也只能在很短的時間內有效。如果無法引用存儲訪問策略,則此做法尤為重要。近期過期時間還通過限制可上傳到 blob 的時間來限制可寫入 blob 的數據量。", - "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", - "severity": "高", - "text": "爭取縮短臨時 SAS 的有效期", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", + "service": "AVS", + "severity": "中等", + "text": "將備份解決方案部署在與 Azure VMware 解決方案私有雲相同的區域中", + "waf": "可靠性" }, { - "checklist": "Azure Blob Storage Review", - "description": "創建 SAS 時,請盡可能具體和嚴格。首選單個資源和操作的 SAS,而不是提供更廣泛訪問許可權的 SAS。", - "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "checklist": "Azure VMware Solution Design Review", + "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", + "service": "AVS", "severity": "中等", - "text": "將窄範圍應用於SAS", - "waf": "安全" + "text": "在 vSan 外部的 Azure 本機組件上部署備份解決方案", + "waf": "可靠性" }, { - "checklist": "Azure Blob Storage Review", - "description": "SAS 可以包含用戶端 IP 位址或位址範圍有權使用 SAS 請求資源的參數。", - "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", - "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", - "service": "Azure Storage", - "severity": "中等", - "text": "盡可能考慮將SAS的範圍限定為特定的用戶端IP位址", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", + "service": "AVS", + "severity": "低", + "text": "是否已制定請求還原由 Azure 平臺管理的 VMware 元件的流程?", + "waf": "可靠性" }, { - "checklist": "Azure Blob Storage Review", - "description": "SAS 無法限制用戶端上傳的數據量;考慮到存儲量隨時間變化的定價模型,驗證用戶端是否惡意上傳了大量內容可能是有意義的。", - "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", - "service": "Azure Storage", + "checklist": "Azure VMware Solution Design Review", + "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", + "service": "AVS", 
"severity": "低", - "text": "請考慮在用戶端使用SAS上傳檔后檢查上傳的數據。", - "waf": "安全" + "text": "對於手動部署,必須記錄所有配置和部署", + "waf": "操作" }, { - "checklist": "Azure Blob Storage Review", - "description": "使用「本地使用者帳戶」通過 SFTP 訪問 Blob 儲存時,“通常”RBAC 控制不適用。通過 NFS 或 REST 進行的 Blob 訪問可能比 SFTP 訪問更嚴格。遺憾的是,截至 2023 年初,本地使用者是 SFTP 端點當前支援的唯一身份管理形式", - "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", - "service": "Azure Storage", - "severity": "高", - "text": "SFTP:限制 SFTP 訪問的「本地使用者」數量,並審核一段時間內是否需要訪問。", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", + "service": "AVS", + "severity": "低", + "text": "對於手動部署,請考慮實施資源鎖,以防止對 Azure VMware 解決方案私有雲執行意外操作", + "waf": "操作" }, { - "checklist": "Azure Blob Storage Review", - "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", - "service": "Azure Storage", - "severity": "中等", - "text": "SFTP:SFTP 端點不支持類似 POSIX 的 ACL。", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", + "service": "AVS", + "severity": "低", + "text": "對於自動化部署,請部署最小的私有雲並根據需要進行擴展", + "waf": "操作" }, { - "checklist": "Azure Blob Storage Review", - "description": "存儲支援 CORS(跨域資源分享),即一種 HTTP 功能,使來自不同域的 Web 應用程式能夠放寬同源策略。啟用 CORS 時,請將 CorsRules 保留為最低許可權。", - "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", - "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", - "service": "Azure Storage", - "severity": "高", - "text": "避免過於寬泛的 CORS 策略", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", + "service": "AVS", + "severity": "低", + "text": "對於自動部署,請在開始部署之前請求或預留配額", + "waf": "操作" }, 
{ - "checklist": "Azure Blob Storage Review", - "description": "靜態數據始終在伺服器端加密,此外也可能在用戶端加密。伺服器端加密可能使用平臺管理的金鑰(預設)或客戶管理的金鑰進行。用戶端加密可以通過讓用戶端按 blob 向 Azure 儲存提供加密/解密金鑰,或者完全在用戶端處理加密來實現。因此,完全不依賴 Azure 存儲來保證機密性。", - "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "Azure Storage", - "severity": "高", - "text": "確定應如何加密靜態數據。了解數據的線程模型。", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", + "service": "AVS", + "severity": "低", + "text": "對於自動部署,請確保通過自動化或 Azure Policy 創建相關資源鎖,以便進行適當的治理", + "waf": "操作" }, { - "checklist": "Azure Blob Storage Review", - "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", - "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", - "service": "Azure Storage", - "severity": "中等", - "text": "確定應使用哪種/是否應使用平臺加密。", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", + "service": "AVS", + "severity": "低", + "text": "為 ExR 授權金鑰實現人類可理解的名稱,以便輕鬆識別密鑰的目的/用途", + "waf": "操作" }, { - "checklist": "Azure Blob Storage Review", - "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", - "service": "Azure Storage", - "severity": "中等", - "text": "確定應使用哪種/是否應使用用戶端加密。", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "255461e2-aee3-4553-afc8-339248b262d6", + "service": "AVS", + "severity": "低", + "text": "當使用單獨的服務原則部署 Azure VMware 解決方案和 ExpressRoute 時,請使用 Key Vault 儲存機密和授權密鑰", + "waf": "操作" }, { - "checklist": "Azure Blob Storage Review", - "description": "利用 Resource Graph 資源管理器(資源 | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true)查找允許匿名 blob 
訪問的存儲帳戶。", - "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", - "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", - "service": "Azure Storage", - "severity": "高", - "text": "考慮是否需要公共 blob 訪問,或者是否可以對某些存儲帳戶禁用公共 blob 訪問。", - "waf": "安全" + "checklist": "Azure VMware Solution Design Review", + "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", + "service": "AVS", + "severity": "低", + "text": "當需要在 Azure VMware 解決方案中/上部署許多資源時,定義用於在 IaC 中序列化操作的資源依賴項,因為 Azure VMware 解決方案僅支援有限數量的並行操作。", + "waf": "操作" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Front Door", - "severity": "中等", - "text": "如果將客戶管理的 TLS 證書用於 Azure Front Door,請使用“最新”證書版本。降低手動續訂證書導致的中斷風險", + "checklist": "Azure VMware Solution Design Review", + "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", + "service": "AVS", + "severity": "低", + "text": "使用單個 Tier-1 閘道執行 NSX-T 分段的自動配置時,請使用 Azure 門戶 API 而不是 NSX-Manager API", "waf": "操作" }, { - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", - "guid": "553585a6-abe0-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "App Gateway", + "checklist": "Azure VMware Solution Design Review", + "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", + "service": "AVS", "severity": "中等", - "text": "確保使用應用程式閘道 v2 SKU", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "安全" + "text": "打算使用自動橫向擴展時,請務必為運行 Azure VMware 解決方案的訂閱申請足夠的 Azure VMware 解決方案配額", + "waf": "性能" }, { - "checklist": "Azure 
Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", - "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Load Balancer", + "checklist": "Azure VMware Solution Design Review", + "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", + "service": "AVS", "severity": "中等", - "text": "確保將標準 SKU 用於 Azure 負載均衡器", - "waf": "安全" + "text": "打算使用自動縮減時,請務必在執行此操作之前考慮存儲策略要求", + "waf": "性能" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "9432621a-8397-4654-a882-5bc856b7ef83", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", - "service": "Load Balancer", + "checklist": "Azure VMware Solution Design Review", + "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", + "service": "AVS", "severity": "中等", - "text": "確保負載均衡器前端IP位址是區域冗餘的(除非需要區域性前端)。", - "waf": "安全" + "text": "擴展操作始終需要在單個 SDDC 中序列化,因為一次只能執行一個擴展操作(即使使用多個集群也是如此)", + "waf": "性能" }, { - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", - "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", - "link": 
"https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "App Gateway", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", + "service": "AVS", "severity": "中等", - "text": "應用程式閘道 v2 應部署在IP前綴等於或大於 /24 的子網中", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "安全" + "text": "考慮並驗證體系結構中使用的第三方解決方案的縮放操作(支援與否)", + "waf": "性能" }, { - "checklist": "Azure Application Delivery Networking", - "description": "一般而言,反向代理的管理,特別是 WAF 的管理更接近應用程式而不是網路,因此它們與應用程式屬於同一訂閱。如果應用程式閘道和 WAF 由單個團隊管理,則在連接訂閱中集中應用程式閘道和 WAF 可能是可以的。", - "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", + "checklist": "Azure VMware Solution Design Review", + "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", + "service": "AVS", "severity": "中等", - "text": "部署 Azure 應用程式閘道 v2 或合作夥伴 NVA,用於在登陸區域虛擬網路中代理入站 HTTP(S) 連接,並使用它們所保護的應用。", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "安全" + "text": "在自動化中為環境定義和強制實施橫向擴展/橫向擴展最大限制", + "waf": "性能" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", + "checklist": "Azure VMware Solution Design Review", + "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", + "service": "AVS", "severity": "中等", - "text": "對應用程式登陸區域中的所有公共IP位址使用 DDoS 網路或IP保護計畫。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "安全" + "text": "實施監控規則以監控自動擴展操作,並監控成功和失敗,以啟用適當的(自動化)回應", + "waf": "操作" }, { - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = 
(isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", - "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", - "service": "App Gateway", - "severity": "中等", - "text": "使用至少兩個實例數配置自動縮放。", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "checklist": "Azure VMware Solution Design Review", + "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", + "severity": "高", + "text": "使用 MON 時,請注意同時配置的 VM 的限制(HCX 的 MON 限制 [400 - 標準,1000 - 大型設備])", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", "waf": "可靠性" }, { - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", - "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", - "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", - "service": "App Gateway", - "severity": "中等", - "text": "跨可用性區域部署應用程式閘道", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "checklist": "Azure VMware Solution Design Review", + "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", + "severity": "高", + "text": "使用 MON 時,不能在超過 100 個網路分機上啟用 MON", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "可靠性" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", - "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Front Door", + "checklist": "Azure VMware Solution Design Review", + "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", + "service": "AVS", "severity": "中等", - "text": "將 Azure Front Door 與 WAF 策略配合使用,以交付和幫助保護跨多個 Azure 區域的全域 HTTP/S 應用。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "安全" + "text": "如果使用 VPN 連接進行遷移,請相應地調整 MTU 大小。", + "waf": "性能" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "3f29812b-2363-4cef-b179-b599de0d5973", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "Front Door", + "checklist": "Azure VMware Solution Design Review", + "guid": "e614658d-d457-4e92-9139-b821102cad6e", + "service": "AVS", "severity": "中等", - "text": "使用 Front Door 和應用程式閘道幫助保護 HTTP/S 應用時,請在 Front Door 中使用 WAF 策略。鎖定應用程式閘道以僅接收來自 Front Door 的流量。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "安全" - }, - { - "ammp": true, - "arm-service": "microsoft.network/trafficManagerProfiles", - "checklist": "Azure Application Delivery Networking", - "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Traffic Manager", - "severity": "高", - "text": "使用流量管理器提供跨 HTTP/S 以外的協定的全域應用。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "可靠性" - }, - { - "checklist": "Azure Application Delivery Networking", - "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", - "severity": "低", - "text": "如果使用者只需要訪問內部應用程式,是否考慮將 Microsoft Entra ID 應用程式代理作為 Azure 虛擬桌面 (AVD) 的替代方法?", - "training": 
"https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", - "waf": "安全" + "text": "對於連接到 Azure(500Mbps 或更低)的低連接區域,請考慮部署 HCX WAN 優化設備", + "waf": "性能" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", + "service": "AVS", "severity": "中等", - "text": "若要減少為網路中的傳入連接打開的防火牆埠數,請考慮使用 Microsoft Entra ID 應用程式代理為遠端使用者提供對內部應用程式的安全且經過身份驗證的訪問。", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "安全" + "text": "確保從本地裝置啟動遷移,而不是從雲端裝置啟動遷移(不要執行反向遷移)", + "waf": "可靠性" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", - "guid": "ae248989-b306-4591-9186-de482e3f0f0e", + "checklist": "Azure VMware Solution Design Review", + "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "Front Door", - "severity": "高", - "text": "在「預防」模式下部署 Front Door 的 WAF 策略。", - "waf": "安全" + "service": "AVS", + "severity": "中等", + "text": "使用 Azure Netapp Files 擴展 Azure VMware 解決方案的儲存時,請考慮將其用作 VMware 資料儲存庫,而不是直接附加到 VM 
。", + "waf": "可靠性" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", + "checklist": "Azure VMware Solution Design Review", + "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "Front Door", - "severity": "高", - "text": "避免將 Azure 流量管理器和 Azure Front Door 結合使用。", - "waf": "安全" + "service": "AVS", + "severity": "中等", + "text": "確保將專用 ExpressRoute 閘道用於外部資料儲存解決方案", + "waf": "可靠性" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", + "checklist": "Azure VMware Solution Design Review", + "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "Front Door", - "severity": "高", - "text": "在 Azure Front Door 和源上使用相同的功能變數名稱。主機名不匹配可能會導致細微的錯誤。", - "waf": "安全" + "service": "AVS", + "severity": "中等", + "text": "確保在用於外部數據存儲解決方案的 ExpressRoute 閘道上啟用了 FastPath", + "waf": "可靠性" }, { - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", - "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", + "checklist": "Azure VMware Solution Design 
Review", + "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "Front Door", - "severity": "低", - "text": "當 Azure Front Door 源組中只有一個源時,禁用運行狀況探測。", - "waf": "性能" + "service": "AVS", + "severity": "高", + "text": "如果使用延伸群集,請確保供應商支援所選的災難恢復解決方案", + "waf": "可靠性" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", + "checklist": "Azure VMware Solution Design Review", + "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "Front Door", - "severity": "中等", - "text": "為 Azure Front Door 選擇良好的運行狀況探測終結點。請考慮構建運行狀況終結點,以檢查應用程式的所有依賴項。", + "service": "AVS", + "severity": "高", + "text": "如果使用延伸群集,請確保提供的 SLA 符合您的要求", "waf": "可靠性" }, { - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", - "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", + "checklist": "Azure VMware Solution Design Review", + "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "Front Door", - "severity": "低", - "text": "將 HEAD 運行狀況探測與 Azure Front Door 配合使用,以減少 Front Door 發送到應用程式的流量。", - "waf": "性能" + "service": "AVS", + "severity": "高", + "text": "如果使用延伸群集,請確保兩條 ExpressRoute 線路都連接到連接中心。", + "waf": "可靠性" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/loadbalancers' | extend 
countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", - "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", + "checklist": "Azure VMware Solution Design Review", + "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "Load Balancer", + "service": "AVS", "severity": "高", - "text": "使用 Azure NAT 閘道而不是負載均衡器出站規則,以獲得更好的 SNAT 可伸縮性", + "text": "如果使用延伸群集,請確保兩條 ExpressRoute 線路都啟用了 GlobalReach。", "waf": "可靠性" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", - "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", + "checklist": "Azure VMware Solution Design Review", + "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "Front Door", + "service": "AVS", "severity": "高", - "text": "將託管 TLS 證書與 Azure Front Door 配合使用。降低運營成本和因證書續訂而導致的中斷風險。", - "waf": "操作" + "text": "是否正確考慮了網站容災設置,並在需要時為您的業務進行了更改。", + "waf": "可靠性" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", - "service": "Front Door", + "checklist": "Azure Blob Storage Review", + "description": "應用與存儲相關的 Microsoft 雲安全基準中的指導", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Azure 
Storage", "severity": "中等", - "text": "將 Azure Front Door WAF 配置定義為代碼。通過使用代碼,您可以更輕鬆地採用新的規則集版本並獲得額外的保護。", - "waf": "操作" + "text": "請考慮「存儲的 Azure 安全基線”", + "waf": "安全" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", - "service": "Front Door", + "checklist": "Azure Blob Storage Review", + "description": "默認情況下,Azure 儲存具有公共IP位址,並且可通過Internet訪問。專用終結點允許僅向需要訪問的 Azure 計算資源安全地公開 Azure 存儲,從而消除對公共 Internet 的暴露", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Azure Storage", "severity": "高", - "text": "將端到端 TLS 與 Azure Front Door 配合使用。使用 TLS 進行從用戶端到 Front Door 的連接,以及從 Front Door 到源的連接。", + "text": "考慮將專用終結點用於 Azure 存儲", "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", - "service": "Front Door", + "checklist": "Azure Blob Storage Review", + "description": "新創建的存儲帳戶是使用ARM部署模型創建的,因此 RBAC、審核等都已啟用。確保訂閱中沒有具有經典部署模型的舊存儲帳戶", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Azure Storage", "severity": "中等", - "text": "將 HTTP 到 HTTPS 重定向與 Azure Front Door 配合使用。通過自動將較舊的用戶端重定向到 HTTPS 請求來支援它們。", + "text": "確保較舊的存儲帳戶未使用“經典部署模型”", "waf": "安全" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", - "service": "Front Door", + "checklist": "Azure Blob Storage Review", + "description": "利用 Microsoft Defender 瞭解可疑活動和錯誤配置。", + "guid": 
"fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Azure Storage", "severity": "高", - "text": "啟用 Azure Front Door WAF。保護您的應用程式免受一系列攻擊。", + "text": "為所有存儲帳戶啟用 Microsoft DefenderEnable Defender for all of your storage accounts", "waf": "安全" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", - "service": "Front Door", - "severity": "高", - "text": "針對工作負載優化 Azure Front Door WAF。減少誤報檢測。", + "checklist": "Azure Blob Storage Review", + "description": "軟刪除機制允許恢復意外刪除的 Blob。", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Azure Storage", + "severity": "中等", + "text": "為 blob 啟用“軟刪除”", "waf": "安全" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "Front Door", - "severity": "高", - "text": "啟用在 Azure Front Door WAF 策略中啟用的請求正文檢查功能。", + "checklist": "Azure Blob Storage Review", + "description": "請考慮有選擇地禁用某些 blob 容器的「軟刪除」 例如,如果應用程式必須確保立即刪除已刪除的資訊,例如出於機密性、隱私或合規性原因。", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", + "severity": "中等", + "text": "禁用 blob 的“軟刪除”", "waf": "安全" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", - "service": 
"Front Door", + "checklist": "Azure Blob Storage Review", + "description": "容器的軟刪除使你能夠在刪除容器后恢復容器,例如從意外刪除操作中恢復。", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Azure Storage", "severity": "高", - "text": "啟用 Azure Front Door WAF 預設規則集。默認規則集檢測並阻止常見攻擊。", + "text": "為容器啟用“軟刪除”", "waf": "安全" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", - "service": "Front Door", - "severity": "高", - "text": "啟用 Azure Front Door WAF 機器人保護規則集。機器人規則檢測好的和壞的機器人。", + "checklist": "Azure Blob Storage Review", + "description": "請考慮有選擇地禁用某些 blob 容器的「軟刪除」 例如,如果應用程式必須確保立即刪除已刪除的資訊,例如出於機密性、隱私或合規性原因。", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", + "severity": "中等", + "text": "禁用容器的“軟刪除”", "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", - "service": "Front Door", - "severity": "中等", - "text": "使用最新的 Azure Front Door WAF 規則集版本。規則集更新會定期更新,以考慮當前的威脅形勢。", + "checklist": "Azure Blob Storage Review", + "description": "通過強制使用者在刪除之前先刪除刪除鎖,防止意外刪除存儲帳戶", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", + "severity": "高", + "text": "在存儲帳戶上啟用資源鎖", "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "b9620385-1cde-418f-914b-a84a06982ffc", - "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", - "service": "Front Door", - "severity": "中等", - "text": "向 Azure Front Door WAF 添加速率限制。速率限制會阻止客戶端在短時間內意外或有意發送大量流量。", + "checklist": "Azure Blob Storage Review", + "description": "請考慮對 blob 使用“合法保留”或“基于時間的保留”策略,這樣就無法刪除 blob、容器或存儲帳戶。請注意,「不可能」實際上意味著「不可能」;存儲帳戶包含不可變 blob 後,「擺脫」該存儲帳戶的唯一方法是取消 Azure 訂閱。", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Azure Storage", + "severity": "高", + "text": "考慮不可變的 blob", "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", - "service": "Front Door", - "severity": "中等", - "text": "對 Azure Front Door WAF 速率限制使用高閾值。高速率限制閾值可避免阻止合法流量,同時仍可針對可能使基礎結構不堪重負的大量請求提供保護。", + "checklist": "Azure Blob Storage Review", + "description": "請考慮禁用對存儲帳戶的未受保護的 HTTP/80 訪問,以便對所有數據傳輸進行加密、完整性保護,並對伺服器進行身份驗證。", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Azure Storage", + "severity": "高", + "text": "需要 HTTPS,即在儲存帳戶上禁用埠 80", "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", - "service": "Front Door", - "severity": "低", - "text": "如果您不希望收到來自所有地理區域的流量,請使用地理篩選器來阻止來自非預期國家/地區的流量。", + "checklist": "Azure Blob Storage Review", + "description": "在儲存帳戶上配置自定義域(主機名)時,請檢查是否需要 TLS/HTTPS;如果是這樣,可能需要將 Azure CDN 放在存儲帳戶的前面。", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": 
"https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Azure Storage", + "severity": "高", + "text": "強制實施 HTTPS(禁用 HTTP)時,請檢查是否未對儲存帳戶使用自定義域 (CNAME)。", "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "00acd8a9-6975-414f-8491-2be6309893b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", - "service": "Front Door", + "checklist": "Azure Blob Storage Review", + "description": "當用戶端使用SAS令牌訪問 blob 資料時,要求使用 HTTPS 有助於將憑據丟失的風險降至最低。", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": "Azure Storage", "severity": "中等", - "text": "使用 Azure Front Door WAF 對流量進行地理篩選時,請指定未知 (ZZ) 位置。避免在IP位址無法進行地理匹配時意外阻止合法請求。", + "text": "將共享訪問簽名 (SAS) 令牌限製為僅 HTTPS 連接", "waf": "安全" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", - "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", - "service": "App Gateway", + "checklist": "Azure Blob Storage Review", + "description": "在可能的情況下,AAD 令牌應優先於共用訪問簽名", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Azure Storage", "severity": "高", - "text": "啟用 Azure 應用程式閘道 WAF 機器人保護規則集 機器人規則可檢測好機器人和壞機器人。", + "text": "使用 Azure Active Directory (Azure AD) 令牌進行 blob 訪問", "waf": "安全" }, { - "ammp": true, - "checklist": "Azure 
Application Delivery Networking", - "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "App Gateway", - "severity": "高", - "text": "啟用 Azure 應用程式閘道 WAF 策略中啟用的請求正文檢查功能。", + "checklist": "Azure Blob Storage Review", + "description": "將角色分配給使用者、組或應用程式時,請僅向該安全主體授予他們執行任務所需的許可權。限制對資源的訪問有助於防止無意和惡意濫用數據。", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Azure Storage", + "severity": "中等", + "text": "IaM 許可權中的最低特權", "waf": "安全" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", - "service": "App Gateway", + "checklist": "Azure Blob Storage Review", + "description": "使用者委派 SAS 使用 Azure Active Directory (Azure AD) 憑據以及為 SAS 指定的許可權進行保護。使用者委派 SAS 在範圍和功能方面類似於服務 SAS,但比服務 SAS 具有安全優勢。", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Azure Storage", "severity": "高", - "text": "針對工作負載優化 Azure 應用程式閘道 WAF。減少誤報檢測。", + "text": "使用 SAS 時,首選「使用者委派 SAS」,而不是基於存儲帳戶密鑰的 SAS。", "waf": "安全" }, { - "ammp": true, - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') 
and (mode=='Prevention')), enabledState, mode", - "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "App Gateway", + "checklist": "Azure Blob Storage Review", + "description": "存儲帳戶金鑰(“共用金鑰”)幾乎沒有審核功能。雖然可以監控誰/何時獲取密鑰副本,但一旦密鑰掌握在多個人手中,就不可能將使用方式歸因於特定使用者。僅依靠 AAD 身份驗證可以更輕鬆地將存儲存取許可權綁定到使用者。", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Azure Storage", "severity": "高", - "text": "在「防護」模式下部署應用程式閘道的 WAF 策略。", + "text": "請考慮禁用存儲帳戶密鑰,以便僅支援 AAD 訪問(和使用者委派 SAS)。", "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", - "service": "App Gateway", - "severity": "中等", - "text": "向 Azure 應用程式閘道 WAF 添加速率限制。速率限制會阻止客戶端在短時間內意外或有意發送大量流量。", + "checklist": "Azure Blob Storage Review", + "description": "使用活動日誌數據來標識查看或更改存儲帳戶安全性的“時間”、“人員”、“內容”和“方式”(即存儲帳戶密鑰、訪問策略等)。", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Azure Storage", + "severity": "高", + "text": "請考慮使用 Azure Monitor 審核存儲帳戶上的控制平面操作", "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", - "service": "App Gateway", + "checklist": "Azure Blob Storage Review", + "description": "通過金鑰過期策略,您可以設置帳戶訪問金鑰輪換的提醒。如果指定的時間間隔已過且鍵尚未旋轉,則會顯示提醒。", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": 
"Azure Storage", "severity": "中等", - "text": "對 Azure 應用程式閘道 WAF 速率限制使用高閾值。高速率限制閾值可避免阻止合法流量,同時仍可針對可能使基礎結構不堪重負的大量請求提供保護。", + "text": "使用存儲帳戶密鑰時,請考慮啟用“金鑰過期策略”", "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "99937189-ff78-492a-b9ca-18d828d82b37", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", - "service": "App Gateway", - "severity": "低", - "text": "如果您不希望收到來自所有地理區域的流量,請使用地理篩選器來阻止來自非預期國家/地區的流量。", + "checklist": "Azure Blob Storage Review", + "description": "SAS 過期策略指定 SAS 有效的建議時間間隔。SAS 過期策略適用於服務 SAS 或帳戶 SAS。當使用者生成的服務 SAS 或帳戶 SAS 的有效期間隔大於建議的時間間隔時,他們會看到警告。", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Azure Storage", + "severity": "中等", + "text": "考慮配置 SAS 過期策略", "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", - "service": "App Gateway", + "checklist": "Azure Blob Storage Review", + "description": "存儲存取策略提供了撤銷服務 SAS 許可權的選項,而無需重新生成儲存帳戶密鑰。", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Azure Storage", "severity": "中等", - "text": "使用 Azure 應用程式閘道 WAF 對流量進行地理篩選時,請指定未知 (ZZ) 位置。避免在IP位址無法進行地理匹配時意外阻止合法請求。", + "text": "考慮將 SAS 連結到儲存存取策略", "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", - "service": "App Gateway", + "checklist": "Azure Blob Storage Review", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": 
"https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Azure Storage", "severity": "中等", - "text": "使用最新的 Azure 應用程式閘道 WAF 規則集版本。規則集更新會定期更新,以考慮當前的威脅形勢。", + "text": "請考慮配置應用程式的原始程式碼儲存庫,以檢測簽入的連接字串和存儲帳戶密鑰。", "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "App Gateway", - "severity": "中等", - "text": "添加診斷設置以保存 Azure 應用程式閘道 WAF 紀錄。", - "waf": "操作" + "checklist": "Azure Blob Storage Review", + "description": "理想情況下,應用程式應使用託管標識向 Azure 儲存進行身份驗證。如果無法做到這一點,請考慮在 Azure KeyVault 或等效服務中使用存儲憑據(連接字串、存儲帳戶密鑰、SAS、服務主體憑據)。", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Azure Storage", + "severity": "高", + "text": "請考慮將連接字串儲存在 Azure KeyVault 中(在無法實現託管標識的情況下)", + "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "Front Door", - "severity": "中等", - "text": "添加診斷設置以保存 Azure Front Door WAF 紀錄。", - "waf": "操作" + "checklist": "Azure Blob Storage Review", + "description": "在臨時 SAS 服務 SAS 或帳戶 SAS 上使用近期過期時間。這樣,即使 SAS 遭到入侵,它也只能在很短的時間內有效。如果無法引用存儲訪問策略,則此做法尤為重要。近期過期時間還通過限制可上傳到 blob 的時間來限制可寫入 blob 的數據量。", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", + "severity": "高", + "text": "爭取縮短臨時 SAS 的有效期", + "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": 
"92664c60-47e3-4591-8b1b-8d557656e686", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", - "service": "App Gateway", + "checklist": "Azure Blob Storage Review", + "description": "創建 SAS 時,請盡可能具體和嚴格。首選單個資源和操作的 SAS,而不是提供更廣泛訪問許可權的 SAS。", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "severity": "中等", - "text": "將 Azure 應用程式閘道 WAF 紀錄發送到 Microsoft Sentinel。", - "waf": "操作" + "text": "將窄範圍應用於SAS", + "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "845f5f91-9c21-4674-a725-5ce890850e20", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "Front Door", + "checklist": "Azure Blob Storage Review", + "description": "SAS 可以包含用戶端 IP 位址或位址範圍有權使用 SAS 請求資源的參數。", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Azure Storage", "severity": "中等", - "text": "將 Azure Front Door WAF 日誌發送到 Microsoft Sentinel。", - "waf": "操作" + "text": "盡可能考慮將SAS的範圍限定為特定的用戶端IP位址", + "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", - "service": "App Gateway", - "severity": "中等", - "text": "將 Azure 應用程式閘道 WAF 設定定義為代碼。通過使用代碼,您可以更輕鬆地採用新的規則集版本並獲得額外的保護。", - "waf": "操作" - }, - { - "checklist": "Azure Application Delivery Networking", - "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", - "service": "App Gateway", - "severity": "中等", - "text": "使用 WAF 策略而不是舊版 WAF 配置。", - "waf": "操作" + 
"checklist": "Azure Blob Storage Review", + "description": "SAS 無法限制用戶端上傳的數據量;考慮到存儲量隨時間變化的定價模型,驗證用戶端是否惡意上傳了大量內容可能是有意義的。", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Azure Storage", + "severity": "低", + "text": "請考慮在用戶端使用SAS上傳檔后檢查上傳的數據。", + "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", - "service": "App Gateway", - "severity": "中等", - "text": "篩選後端中的入站流量,以便它們僅接受來自應用程式閘道子網的連接,例如使用NSG。", + "checklist": "Azure Blob Storage Review", + "description": "使用「本地使用者帳戶」通過 SFTP 訪問 Blob 儲存時,“通常”RBAC 控制不適用。通過 NFS 或 REST 進行的 Blob 訪問可能比 SFTP 訪問更嚴格。遺憾的是,截至 2023 年初,本地使用者是 SFTP 端點當前支援的唯一身份管理形式", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Azure Storage", + "severity": "高", + "text": "SFTP:限制 SFTP 訪問的「本地使用者」數量,並審核一段時間內是否需要訪問。", "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", - "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", - "service": "Front Door", + "checklist": "Azure Blob Storage Review", + "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Azure Storage", "severity": "中等", - "text": "確保源僅從 Azure Front Door 實例獲取流量。", + "text": "SFTP:SFTP 端點不支持類似 POSIX 的 ACL。", "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", - "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", - "service": "App Gateway", + "checklist": "Azure Blob Storage Review", + "description": "存儲支援 CORS(跨域資源分享),即一種 HTTP 功能,使來自不同域的 Web 
應用程式能夠放寬同源策略。啟用 CORS 時,請將 CorsRules 保留為最低許可權。", + "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Azure Storage", "severity": "高", - "text": "您應該對發往後端伺服器的流量進行加密。", + "text": "避免過於寬泛的 CORS 策略", "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", - "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", - "service": "App Gateway", + "checklist": "Azure Blob Storage Review", + "description": "靜態數據始終在伺服器端加密,此外也可能在用戶端加密。伺服器端加密可能使用平臺管理的金鑰(預設)或客戶管理的金鑰進行。用戶端加密可以通過讓用戶端按 blob 向 Azure 儲存提供加密/解密金鑰,或者完全在用戶端處理加密來實現。因此,完全不依賴 Azure 存儲來保證機密性。", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Azure Storage", "severity": "高", - "text": "您應該使用 Web 應用程式防火牆。", + "text": "確定應如何加密靜態數據。了解數據的線程模型。", "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", - "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", - "service": "App Gateway", + "checklist": "Azure Blob Storage Review", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Azure Storage", "severity": "中等", - "text": "將 HTTP 重定向到 HTTPS", + "text": "確定應使用哪種/是否應使用平臺加密。", "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", - "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", - "service": "App Gateway", + "checklist": "Azure Blob Storage Review", + "guid": 
"e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Azure Storage", "severity": "中等", - "text": "使用閘道管理的 Cookie 將流量從使用者工作階段定向到同一伺服器進行處理", - "waf": "操作" + "text": "確定應使用哪種/是否應使用用戶端加密。", + "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", - "service": "App Gateway", + "checklist": "Azure Blob Storage Review", + "description": "利用 Resource Graph 資源管理器(資源 | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true)查找允許匿名 blob 訪問的存儲帳戶。", + "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Azure Storage", "severity": "高", - "text": "在計劃的服務更新期間啟用連接耗盡,以防止與後端池的現有 membr 的連接丟失", + "text": "考慮是否需要公共 blob 訪問,或者是否可以對某些存儲帳戶禁用公共 blob 訪問。", "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", - "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", - "service": "App Gateway", - "severity": "低", - "text": "創建自訂錯誤頁面以顯示個人化的用戶體驗", - "waf": "操作" - }, - { - "checklist": "Azure Application Delivery Networking", - "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", - "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", - "service": "App Gateway", + "checklist": "Azure Data Factory Review Checklist", + "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", + "service": "Azure Data Factory", "severity": "中等", - "text": "編輯 HTTP 請求和回應標頭,以便更輕鬆地在用戶端和伺服器之間進行路由和資訊交換", - "waf": "安全" + "text": "利用 
Azure 數據工廠的 FTA 復原能力手冊", + "waf": "可靠性" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "App Gateway", - "severity": "中等", - "text": "配置 Front Door,通過快速全域故障轉移優化全球 Web 流量路由和頂級最終使用者性能和可靠性", - "waf": "性能" + "checklist": "Azure Data Factory Review Checklist", + "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", + "severity": "高", + "text": "在支援可用區的區域中使用區域冗餘管道", + "waf": "可靠性" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "29dcc19f-a8fa-4c35-8281-290577538793", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "App Gateway", + "checklist": "Azure Data Factory Review Checklist", + "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", + "link": "https://learn.microsoft.com/azure/data-factory/source-control", + "service": "Azure Data Factory", "severity": "中等", - "text": "使用傳輸層負載平衡", - "waf": "性能" + "text": "使用 DevOps 透過 Github/Azure DevOps 集成備份 ARM 範本", + "waf": "可靠性" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", - "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", - "service": "App Gateway", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "severity": "中等", - "text": "根據主機名或域名為單個閘道上的多個 Web 應用程式配置路由", - "waf": "安全" + "text": "請確保在另一個區域中複製自承載集成運行時 VM", + "waf": "可靠性" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", - "link": 
"https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", - "service": "App Gateway", + "checklist": "Azure Data Factory Review Checklist", + "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "severity": "中等", - "text": "集中管理 SSL 證書,以減少後端伺服器場的加密和解密開銷", - "waf": "安全" + "text": "請確保在姊妹區域中複製或複製您的網路。必須在另一個區域創建 Vnet 的副本", + "waf": "可靠性" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", - "service": "App Gateway", + "checklist": "Azure Data Factory Review Checklist", + "description": "如果ADF管道使用Key Vault,則無需執行任何操作即可複製Key Vault。Key Vault 是一項託管服務,Microsoft 會為你處理它", + "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Azure Data Factory", "severity": "低", - "text": "使用應用程式閘道對 WebSocket 和 HTTP/2 協定提供本機支援", - "waf": "安全" - }, - { - "checklist": "Azure Function Review", - "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", - "severity": "高", - "text": "根據您的業務和 SLO 要求選擇正確的功能託管計劃", + "text": "如果使用 Keyvault 集成,請使用 Keyvault 的 SLA 來瞭解可用性", "waf": "可靠性" }, { - "checklist": "Azure Function Review", - "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", - "severity": "高", - "text": "利用區域適用的可用區(不適用於消耗層)", - "waf": "可靠性" + "checklist": "Cost Optimization Checklist", + "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", + "link": 
"https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", + "service": "Azure Monitor", + "text": "Azure Monitor 中的數據收集規則 -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "成本" }, { - "checklist": "Azure Function Review", - "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", - "service": "Azure Functions", - "severity": "中等", - "text": "考慮為關鍵工作負載制定跨區域災難恢復策略", - "waf": "可靠性" + "checklist": "Cost Optimization Checklist", + "guid": "45901365-d38e-443f-abcb-d868266abca2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Azure Backup", + "text": "檢查未找到底層數據源的備份實例", + "waf": "成本" }, { - "checklist": "Azure Function Review", - "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Azure Functions", - "severity": "高", - "text": "如果部署到獨立環境,請使用或遷移到應用服務環境 (ASE) v3", - "waf": "可靠性" + "checklist": "Cost Optimization Checklist", + "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "VM", + "text": "刪除或存檔未關聯的服務(磁碟、網卡、IP 位址等)", + "waf": "成本" }, { - "checklist": "Azure Function Review", - "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "Azure Functions", - "severity": "高", - "text": "確保為應用服務計劃上運行的所有函數應用啟用“始終開啟”", - "waf": "可靠性" + "checklist": "Cost Optimization Checklist", + "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Azure Backup", + "text": "考慮在網站恢復存儲和非任務關鍵型應用程式的備份之間取得良好的平衡", + "waf": "成本" }, { - "checklist": "Azure Function Review", - "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", - "service": "Azure Functions", - "severity": "中等", - "text": "將函數應用與其自己的存儲帳戶配對。盡量不要重用函數應用的存儲帳戶,除非它們緊密耦合", - "waf": "可靠性" + "checklist": "Cost Optimization Checklist", + "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", + "service": "Azure Monitor", + "text": "檢查 40 個不同 Log Analytics 工作區之間的支出和節省機會 - 對非生產工作區使用不同的保留和數據收集 - 創建每日上限以實現意識和層大小調整 - 如果確實設置了每日上限,除了在達到上限時創建警報外,請確保還創建警報規則,以便在達到某個百分比(例如 90%)時收到通知。- 如果可能,考慮工作空間改造 - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", + "waf": "成本" }, { - "checklist": "Azure Function Review", - "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "Azure Functions", - "severity": "中等", - "text": "利用 Azure DevOps 或 GitHub 簡化 CI/CD 並保護函數應用代碼", - "waf": "操作" + "checklist": "Cost Optimization Checklist", + "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Azure Monitor", + "text": "強制執行清除日誌策略和自動化(如果需要,可以將記錄移至冷存儲)", + "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", + "waf": "成本" }, { - "checklist": 
"Azure Bot Service", - "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", - "service": "Bot service", - "severity": "中等", - "text": "遵循 Azure 機器人服務中的可靠性支持建議", - "waf": "可靠性" + "checklist": "Cost Optimization Checklist", + "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "VM", + "text": "檢查磁碟是否確實需要,如果不是:刪除。如果需要,請尋找較低的儲存層或使用備份 -", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", + "waf": "成本" }, { - "checklist": "Azure Bot Service", - "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", - "service": "Bot service", - "severity": "中等", - "text": "部署具有本地數據駐留和區域合規性的機器人", - "waf": "可靠性" + "checklist": "Cost Optimization Checklist", + "guid": "d1e44a19-659d-4395-afd7-7289b835556d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Storage", + "text": "考慮使用自定義規則將未使用的存儲移動到較低層 - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "waf": "成本" }, { - "checklist": "Azure Bot Service", - "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", - "service": "Bot service", - "severity": "中等", - "text": "Azure 機器人服務在全域和區域服務的主動-主動模式下運行。發生中斷時,無需檢測錯誤或管理服務。Azure 機器人服務在多區域地理體系結構中自動執行自動故障轉移和自動恢復。對於歐盟機器人區域服務,Azure 機器人服務在歐洲境內提供兩個完整區域,並提供主動/主動複製,以確保冗餘。對於全球機器人服務,所有可用的區域/地理位置都可以作為全球足跡。", - "waf": "可靠性" + "checklist": 
"Cost Optimization Checklist", + "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "VM", + "text": "確保 advisor 配置為適合 VM 大小調整", + "waf": "成本" }, { - "checklist": "IoT Hub Review", - "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", - "service": "IoT", - "severity": "高", - "text": "利用可用區(如果區域適用)(這是自動啟用的)", - "waf": "可靠性" + "checklist": "Cost Optimization Checklist", + "description": "通過在成本分析系統中搜索計量類別許可證進行檢查", + "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", + "service": "VM", + "text": "在所有 Windows VM 上運行腳本 https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server - 如果頻繁創建 Windows VM,請考慮實施策略", + "waf": "成本" }, { - "checklist": "IoT Hub Review", - "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", - "severity": "中等", - "text": "請注意 Microsoft 發起的故障轉移。Microsoft 在極少數情況下會執行這些操作,以將所有IoT中心從受影響的區域故障轉移到相應的異地配對區域。", - "waf": "可靠性" + "checklist": "Cost Optimization Checklist", + "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "VM", + "text": "如果您已經擁有許可證,也可以將其置於 AHUB https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", + "waf": "成本" }, { - "checklist": "IoT Hub Review", - "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", - "service": "IoT", - "severity": "高", - "text": 
"考慮為關鍵工作負載制定跨區域災難恢復策略", - "waf": "可靠性" + "checklist": "Cost Optimization Checklist", + "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "VM", + "text": "使用靈活性選項(不超過 4-5 個系列)整合保留的 VM 系列", + "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", + "waf": "成本" }, { - "checklist": "IoT Hub Review", - "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", - "severity": "高", - "text": "瞭解如何觸發手動故障轉移。", - "waf": "可靠性" + "checklist": "Cost Optimization Checklist", + "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", + "service": "VM", + "text": "利用 Azure 預留實例:此功能允許將 VM 預留 1 年或 3 年,與 PAYG 價格相比,可顯著節省成本。", + "waf": "成本" }, { - "checklist": "IoT Hub Review", - "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", - "service": "IoT", - "severity": "高", - "text": "瞭解如何在故障轉移後進行故障回復。", - "waf": "可靠性" + "checklist": "Cost Optimization Checklist", + "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", + "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", + "service": "VM", + "text": "只能保留較大的磁碟 => 1 TiB -", + "waf": "成本" }, { - "checklist": "Logic Apps checklist", - "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", - "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", - "service": "Logic Apps", - "severity": "高", - "text": "根據業務和 SLO 要求選擇正確的邏輯應用託管計劃", - "waf": "可靠性" + "checklist": "Cost Optimization Checklist", + "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", + "link": 
"https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", + "service": "VM", + "text": "調整大小優化后", + "waf": "成本" }, { - "checklist": "Logic Apps checklist", - "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", - "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "Logic Apps", - "severity": "高", - "text": "使用區域冗餘和可用性區域保護邏輯應用免受區域故障的影響", - "waf": "可靠性" + "checklist": "Cost Optimization Checklist", + "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Azure SQL", + "text": "檢查是否適用並強制執行策略/更改 https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", + "waf": "成本" }, { - "checklist": "Logic Apps checklist", - "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", - "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Logic Apps", - "severity": "高", - "text": "考慮為關鍵工作負載制定跨區域災難恢復策略", - "waf": "可靠性" + "checklist": "Cost Optimization Checklist", + "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "VM", + "text": "虛擬機 + 許可證部分折扣 (ahub + 3YRI) 約為 70% 的折扣", + "waf": "成本" }, { - "checklist": "Logic Apps checklist", - "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", - "link": "https://learn.microsoft.com/azure/app-service/environment/intro", - "service": "Logic Apps", - "severity": "高", - "text": "如果部署到獨立環境,請使用或遷移到應用服務環境 (ASE) v3", - "waf": "可靠性" + "checklist": "Cost Optimization Checklist", + "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", + "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "VM", + "text": "考慮使用 VMSS 來滿足需求,而不是按比例調整", + "waf": "成本" }, { - "checklist": "Logic Apps checklist", - "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", - "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", - "service": "Logic Apps", - "severity": "中等", - "text": "利用 Azure DevOps 或 GitHub 簡化 CI/CD 並保護邏輯應用代碼", - "waf": "操作" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Cost Optimization Checklist", + "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "AKS", + "text": "使用 AKS 自動縮放程式符合群集使用方式(確保 Pod 要求與縮放程式符合)", + "waf": "成本" }, { - "checklist": "Azure Event Hub Review", - "description": "Azure 事件中心提供靜態數據加密。如果使用自己的金鑰,則仍使用 Microsoft 管理的金鑰對數據進行加密,但此外,Microsoft 管理的金鑰將使用客戶管理的密鑰進行加密。", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "service": "Event Hubs", - "severity": "低", - "text": "需要時,在靜態數據加密中使用客戶管理的金鑰選項", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Azure Backup", + "text": "將恢復點移至保管庫存檔(如果適用)(驗證)", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "成本" }, { - "checklist": "Azure Event Hub Review", - "description": "Azure 事件中心命名空間允許用戶端使用 TLS 1.0 及更高版本發送和接收數據。若要強制實施更嚴格的安全措施,可以將事件中心命名空間配置為要求用戶端使用較新版本的 TLS 發送和接收數據。如果事件中心命名空間需要最低版本的 TLS,則使用舊版本發出的任何請求都將失敗。", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "link": 
"https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "service": "Event Hubs", - "severity": "中等", - "text": "對請求強制實施傳輸層安全性 (TLS) 的最低要求版本", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", + "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", + "service": "Databricks", + "text": "請考慮盡可能使用帶回退功能的現成 VM。考慮群集的自動終止。", + "waf": "成本" }, { - "checklist": "Azure Event Hub Review", - "description": "創建事件中心命名空間時,會自動為命名空間創建名為 RootManageSharedAccessKey 的策略規則。此策略具有整個命名空間的管理許可權。建議您將此規則視為管理根帳戶,不要在應用程式中使用它。建議將 AAD 用作 RBAC 的身份驗證提供程式。", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "service": "Event Hubs", - "severity": "中等", - "text": "避免在不必要的情況下使用root帳戶", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", + "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", + "service": "Azure Functions", + "text": "功能 - 重用連接", + "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", + "waf": "成本" }, { - "checklist": "Azure Event Hub Review", - "description": "Azure 資源的託管標識可以使用 Azure AD 憑據從 Azure 虛擬機 (VM)、函數應用、虛擬機規模集和其他服務中運行的應用程式授權訪問事件中心資源。通過將 Azure 資源的託管標識與 Azure AD 身份驗證結合使用,可以避免將憑據存儲在雲中運行的應用程式中。", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "service": "Event Hubs", - "severity": "中等", - "text": 
"如果可能,應用程式應使用託管標識向 Azure 事件中心進行身份驗證。如果沒有,請考慮在 Azure Key Vault 或等效服務中擁有存儲憑據(SAS、服務主體憑據)", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", + "link": "https://learn.microsoft.com/azure/automation/update-management/overview", + "service": "Azure Functions", + "text": "函數 - 本地快取資料", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", + "waf": "成本" }, { - "checklist": "Azure Event Hub Review", - "description": "創建許可權時,請對用戶端對 Azure 事件中心的訪問提供精細控制。Azure 事件中心中的許可權可以而且應該限定為單個資源級別,例如消費者組、事件中心實體、事件中心命名空間等。", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "service": "Event Hubs", - "severity": "高", - "text": "使用最低特權數據平面 RBAC", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Azure Functions", + "text": "函數 - 冷啟動 - 使用“從包運行”功能。這樣,代碼將下載為單個 zip 檔。例如,這可以顯著改進具有大量節點模組的 Javascript 函數。使用特定於語言的工具來減小包大小,例如,搖樹 Javascript 應用程式。", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "成本" }, { - "checklist": "Azure Event Hub Review", - "description": "Azure 事件中心資源日誌包括操作日誌、虛擬網路和 Kafka 日誌。運行時審核日誌捕獲事件中心中所有數據平面訪問操作(例如發送或接收事件)的聚合診斷資訊。", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "service": "Event Hubs", - "severity": "中等", - "text": "啟用記錄以進行安全調查。使用 Azure Monitor 捕獲指標和日誌,例如資源日誌、運行時審核日誌和 Kafka 紀錄", - "training": 
"https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "Azure Functions", + "text": "功能 - 保持功能溫暖", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "成本" + }, + { + "checklist": "Cost Optimization Checklist", + "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Azure Functions", + "text": "使用具有不同功能的自動縮放時,可能會有一個資源驅動所有資源的所有自動縮放 - 請考慮將其移動到單獨的消耗計劃(並考慮更高的 CPU 計劃)", + "waf": "成本" + }, + { + "checklist": "Cost Optimization Checklist", + "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", + "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", + "service": "Azure Functions", + "text": "給定計劃中的函數應用都縮放在一起,因此縮放的任何問題都可能影響計劃中的所有應用。", + "waf": "成本" + }, + { + "checklist": "Cost Optimization Checklist", + "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", + "service": "Azure Functions", + "text": "我需要為「等待時間」付費嗎?這個問題通常是在執行異步操作並等待結果的 C# 函數的上下文中提出的,例如 await Task.Delay(1000) 或 await client。GetAsync('http://google.com')。答案是肯定的 - GB 秒計算基於函數的開始和結束時間以及該時間段內的記憶體使用方式。在這段時間內實際發生的CPU活動未計入計算。此規則的一個例外是,如果使用的是持久函數。您無需為在業務流程協調程式函數中等待所花費的時間付費。在可能的情況下應用需求塑造技術(開發環境?)https://github.com/Azure-Samples/functions-csharp-premium-scaler", + "waf": "成本" + }, + { + "checklist": "Cost Optimization Checklist", + "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Front Door", + "text": "Frontdoor - 關閉預設主頁在應用的應用程式設置中,將 AzureWebJobsDisableHomepage 設置為 true。這將向PoP返回204(無內容),因此僅返回標頭數據。", + "waf": "成本" + }, + { + 
"checklist": "Cost Optimization Checklist", + "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Front Door", + "text": "Frontdoor - 路由到不返回任何內容的內容。設置函數、函數代理,或在 WebApp 中添加返回 200 (OK) 且不發送內容或發送最少內容的路由。這樣做的好處是您可以在調用時註銷。", + "waf": "成本" + }, + { + "checklist": "Cost Optimization Checklist", + "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", + "service": "Storage", + "text": "考慮為使用較少的數據存檔層", + "waf": "成本" + }, + { + "checklist": "Cost Optimization Checklist", + "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "VM", + "text": "檢查大小與層不匹配的磁碟大小(即 513 GiB 磁碟將支付 P30 (1TiB) 並考慮調整大小", + "waf": "成本" + }, + { + "checklist": "Cost Optimization Checklist", + "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "Storage", + "text": "盡可能考慮使用標準 SSD,而不是 Premium 或 Ultra", + "waf": "成本" + }, + { + "checklist": "Cost Optimization Checklist", + "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "Storage", + "text": "對於存儲帳戶,請確保所選層不會增加事務費用(移動到下一層可能會更便宜)", + "waf": "成本" + }, + { + "checklist": "Cost Optimization Checklist", + "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "Site Recovery", + "text": "對於 ASR,如果 RPO/RTO 和複製輸送量允許,請考慮使用標準 SSD 磁碟", + "waf": "成本" + }, + { + "checklist": "Cost Optimization Checklist", + "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", + "link": 
"https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", + "service": "Storage", + "text": "存儲帳戶:檢查熱層和/或 GRS 必填", + "waf": "成本" + }, + { + "checklist": "Cost Optimization Checklist", + "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "VM", + "text": "磁碟 - 驗證高級 SSD 磁碟在任何地方的使用方式:例如,非生產磁碟可以交換到標準 SSD 或按需高級 SSD", + "waf": "成本" + }, + { + "checklist": "Cost Optimization Checklist", + "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "Synapse", + "text": "創建預算以管理成本並創建警報,自動通知利益相關者支出異常和超支風險。", + "waf": "成本" + }, + { + "checklist": "Cost Optimization Checklist", + "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "Synapse", + "text": "將成本數據匯出到存儲帳戶以進行其他數據分析。", + "waf": "成本" + }, + { + "checklist": "Cost Optimization Checklist", + "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Synapse", + "text": "通過在不使用資源時暫停資源來控制專用 SQL 池的成本。", + "waf": "成本" }, { - "checklist": "Azure Event Hub Review", - "description": "默認情況下,Azure 事件中心具有公共IP位址,並且可通過Internet訪問。專用終結點允許虛擬網路和 Azure 事件中心之間的流量遍歷 Microsoft 主幹網路。除此之外,如果未使用公共終結點,則應禁用這些終結點。", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "service": "Event Hubs", - "severity": "中等", - "text": "請考慮使用專用終結點訪問 Azure 事件中心,並在適用時禁用公用網路訪問。", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", + "service": "Synapse", + "text": "啟用無伺服器 Apache 
Spark 自動暫停功能,並相應地設置超時值。", + "waf": "成本" }, { - "checklist": "Azure Event Hub Review", - "description": "使用IP防火牆,可以將公共終結點進一步限製為僅一組IPv4位址或 CIDR(無類別域間路由)表示法的IPv4位址範圍。", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "service": "Event Hubs", - "severity": "中等", - "text": "請考慮僅允許從特定IP位址或範圍訪問 Azure 事件中心命名空間", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Synapse", + "text": "創建多個不同大小的 Apache Spark 池定義。", + "waf": "成本" }, { - "checklist": "Azure Event Hub Review", - "guid": "31d41e36-11c8-417b-8afb-c410d4391898", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", - "service": "Event Hubs", - "severity": "中等", - "text": "利用 FTA 彈性手冊", - "waf": "可靠性" + "checklist": "Cost Optimization Checklist", + "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "service": "Synapse", + "text": "使用預購計劃購買為期一年的 Azure Synapse 提交單元 (SCU),以節省 Azure Synapse Analytics 成本。", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "成本" }, { - "checklist": "Azure Event Hub Review", - "description": "對於從門戶創建的新 EH 命名空間,在啟用區域的區域中具有高級、專用或標準 SKU,將自動啟用此功能。EH 元數據和事件數據本身都是跨區域複製的", - "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", - "service": "Event Hubs", - "severity": "高", - "text": "利用可用區(如果區域適用)", - "waf": "可靠性" + 
"checklist": "Cost Optimization Checklist", + "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "VM", + "text": "將現成 VM 用於可中斷作業:這些 VM 可以以折扣價競標和購買,為非關鍵工作負載提供經濟高效的解決方案。", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "成本" }, { - "checklist": "Azure Event Hub Review", - "guid": "20b56c56-ad58-4519-8f82-735c586bb281", - "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", - "service": "Event Hubs", - "severity": "中等", - "text": "使用高級或專用 SKU 實現可預測的性能", - "waf": "可靠性" + "checklist": "Cost Optimization Checklist", + "guid": "544451e1-92d3-4442-a3c7-628637a551c5", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", + "text": "合理調整所有 VM 的大小", + "waf": "成本" }, { - "checklist": "Azure Event Hub Review", - "description": "啟用內置異地災難恢復功能后,可確保命名空間的整個配置(事件中心、消費者組和設置)從主命名空間持續複製到輔助命名空間,並允許隨時從主命名空間向輔助命名空間進行一次故障轉移。主動/被動功能旨在更輕鬆地從失敗的 Azure 區域中恢復和放棄,而無需更改應用程式配置", - "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", - "service": "Event Hubs", - "severity": "高", - "text": "使用主動被動配置規劃異地災難恢復", - "waf": "可靠性" + "checklist": "Cost Optimization Checklist", + "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "VM", + "text": "將 VM 大小與規範化大小和最新大小交換", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "成本" }, { - "checklist": "Azure Event Hub Review", - "description": "應用於無法容忍關閉區域中事件數據中斷或丟失的DR配置。對於這些情況,請遵循複製指南,不要使用內置的異地災難恢復功能(主動/被動)。使用「主動/主動」時,在不同區域和命名空間中維護多個事件中心,事件將在中心之間複製", - "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", - "service": "Event Hubs", - 
"severity": "中等", - "text": "對於業務關鍵型應用程式,請使用 Active Active 配置", - "waf": "可靠性" + "checklist": "Cost Optimization Checklist", + "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "text": "調整 VM 大小 - 從低於 5% 的監視使用率開始,然後工作到 40%", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "成本" }, { - "checklist": "Azure Event Hub Review", - "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", - "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", - "service": "Event Hubs", - "severity": "中等", - "text": "設計可復原的事件中心", - "waf": "可靠性" + "checklist": "Cost Optimization Checklist", + "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "text": "容器化應用程式可以提高 VM 密度並節省擴展成本", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "成本" }, { "checklist": "SAP Checklist", 
@@ -7816,11 +7681,146 @@ "text": "若要在用於 SAP 解決方案的 Azure Monitor 中啟用安全通信,可以選擇使用根證書或伺服器證書。我們強烈建議您使用根證書。", "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", "waf": "安全" + }, + { + "checklist": "Azure Function Review", + "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", + "severity": "高", + "text": "根據您的業務和 SLO 要求選擇正確的功能託管計劃", + "waf": "可靠性" + }, + { + "checklist": "Azure Function Review", + "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", + "severity": "高", + "text": "利用區域適用的可用區(不適用於消耗層)", + "waf": "可靠性" + }, + { + "checklist": "Azure Function Review", + "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", + "service": "Azure Functions", + "severity": "中等", + "text": "考慮為關鍵工作負載制定跨區域災難恢復策略", + "waf": "可靠性" + }, + { + "checklist": "Azure Function Review", + "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Azure Functions", + "severity": "高", + "text": "如果部署到獨立環境,請使用或遷移到應用服務環境 (ASE) v3", + "waf": "可靠性" + }, + { + "checklist": "Azure Function Review", + "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "Azure Functions", + "severity": "高", + "text": "確保為應用服務計劃上運行的所有函數應用啟用“始終開啟”", + "waf": "可靠性" + }, + { + "checklist": "Azure Function Review", + "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", + "link": 
"https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", + "service": "Azure Functions", + "severity": "中等", + "text": "將函數應用與其自己的存儲帳戶配對。盡量不要重用函數應用的存儲帳戶,除非它們緊密耦合", + "waf": "可靠性" + }, + { + "checklist": "Azure Function Review", + "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "Azure Functions", + "severity": "中等", + "text": "利用 Azure DevOps 或 GitHub 簡化 CI/CD 並保護函數應用代碼", + "waf": "操作" + }, + { + "checklist": "Azure Spring Apps Review", + "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", + "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", + "service": "Spring Apps", + "severity": "中等", + "text": "Azure Spring Apps 允許對每個應用進行兩次部署,其中只有一個部署接收生產流量。您可以使用藍綠部署策略實現零停機時間。藍綠部署僅在標準層和企業層中可用。可以使用 CI/CD 和 ADO/GitHub 操作自動執行部署", + "waf": "可靠性" + }, + { + "checklist": "Azure Spring Apps Review", + "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", + "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", + "service": "Spring Apps", + "severity": "中等", + "text": "可以在多個區域中為應用程式創建 Azure Spring Apps 實例,並且流量管理器/Front Door 可以路由流量。", + "waf": "可靠性" + }, + { + "checklist": "Azure Spring Apps Review", + "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", + "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", + "service": "Spring Apps", + "severity": "中等", + "text": "在支持的區域中,Azure Spring Apps 可以部署為區域冗餘,這意味著實例會自動分佈在可用性區域之間。此功能僅在標準層和企業層中可用。", + "waf": "可靠性" + }, + { + "checklist": "Azure Spring Apps Review", + "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", + "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", + "service": "Spring Apps", + "severity": "中等", + "text": "對應用使用1個以上的應用實例", + "waf": "可靠性" + }, + { + "checklist": "Azure Spring Apps Review", + "guid": 
"7504c230-6035-4183-95a5-85762acc6075", + "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", + "service": "Spring Apps", + "severity": "中等", + "text": "使用日誌、指標和跟蹤監視 Azure Spring Apps。將 ASA 與應用程式見解集成,並跟蹤故障並創建工作簿。", + "waf": "可靠性" + }, + { + "checklist": "Azure Spring Apps Review", + "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", + "service": "Spring Apps", + "severity": "中等", + "text": "在 Spring Cloud Gateway 中設置自動縮放", + "waf": "可靠性" + }, + { + "checklist": "Azure Spring Apps Review", + "guid": "97411607-b6fd-4335-99d1-9885faf4e392", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", + "service": "Spring Apps", + "severity": "低", + "text": "為具有標準使用量和專用計劃的應用啟用自動縮放。", + "waf": "可靠性" + }, + { + "checklist": "Azure Spring Apps Review", + "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", + "link": "https://learn.microsoft.com/azure/spring-apps/overview", + "service": "Spring Apps", + "severity": "中等", + "text": "使用企業計劃為關鍵任務應用提供 Spring Boot 的商業支援。使用其他層,您可以獲得 OSS 支援。", + "waf": "可靠性" } ], "metadata": { "name": "WAF checklist", - "timestamp": "June 17, 2024" + "timestamp": "June 24, 2024" }, "severities": [ { 
diff --git a/spreadsheet/macrofree/checklist.en.master.xlsx b/spreadsheet/macrofree/checklist.en.master.xlsx index 7e84917a906859611cdf3edc84d0870919c17fe4..b3e1903130c5f63f107ceb4bd50bcf52760972aa 100644 GIT binary patch literal 499920 zcmY&<1yCH?(sTmB2?Td{cXxMR+@0X=f#49_-QC^YU4py2yUV}#zW*iPtJ;NvT54x{ zdZzo#9^|D!zaW45^a=8loYA6Mk8giYEbymc;PV^sX=Gz4Z*ODkK&NkOOY3T7DHAaY z4Z;8`;+;RXZsNHqc>J?S>UaE0bu4E<1BI3U^Mmsjyw+3?c8OUMg}y%2TJrUPHY?Hn zrq4s}!W*XQc13;i*E|ahYd&GsnDBXcxS+i`RtrA^7+~4Qwq5jRinYTgjx%Ti&W)UM zqyzh_%^VHncvb8j$obPw;vcDHyE_@5RHfZUq&N~w+1{C9dv8 zxr!CrO~VO}2N$`f`YLI3h{_2y+iZx;)441jBuGN%J2_# zXX;WmSZv=q&QOLv^5U z=YUVvw!+d|kZA@5Gc~-=wcj z=xa?}QAHrDUpDCKOU&%Hacu7h>yBjJ+@RfnD6BXmt^i{0;?9GpZ^);5v>ag?x4GT2 zzi*kt8juP2RYsKKNjH-H>$XPAWzz_a0hM5H03pW-Y5$^T=Z7buj2|I^ewOv}(_kHI zrG^6m<-!o^F6WaeB^$~i+^SZ@1N^>k2j1h}fL15h@6KNqs>^%MZWVM8S>(RTT$t%7 zY`2ArAZGTZzt>9YxW&5BZat_TMWcS8v^93UP(8|$X)RWLN?8S`ddyO{XaKx*gXrpX ztDcIER+2wrBP+$gsZ2S`-}fw;A4K8ivejK`Y`RdMBX{tt2Z*N*6<$-@C1wc?aDAG< z2`85L%7MF$`-`7cI1by^z%tqkR)AfY0%^*s)p_uKlkMgCN&8&8&PPGOeHtYsz9KA@ zfKWED#(Ev3+~o81b${s0;G`Vhhu8D&@X?NLp+n`!8vplB@`vX_oA;+Jshx`rFVDAI zO&%TOt4gn@<2gL<4vBVv*^h_Qxf@fu&X4EH%uMsmuMu#+E`P-6>92MV4rnKIfv_NL zf_m|WyrCnAfb{>I{j|cU^3!D?_}EsaEaj3ns4N>)2M>o*>%o9GMi{gWhYZ>_m0{UP zt2J$9NvnS^Y`VkCo|kg_oX{~Zl}pRs)`Qvql8iH6KMW67%8Df>}f1$Fqo6Q)RaYFo+Bmg;v{L6u?aeO3OW~z^dd^vUoNON`;t)O@Fy^O1XfYjr!h8Q7Dto#f(W_9Cv9s zb1ZQh{3TuD#5ydlYGhduuhK9h!zI#ZY>R7X(_xg~fUnl-9-;sF=aQJb-r+P&aM&&3 zlJiKvs77-}%Xc*Es)XZo|2!KSuY{3|&7C+Nyt2*aM@3U@Np)J=`K@<9V;Pw6X>C}t zVPjJhZk$3C)!n6#rSxk&jIvO#229@eb~mCVic{++}HI@X)ghzHndy<>7!ky+kSwPF1iqDRv6>L@x*AALd|$f ztj=IE&*_)X#At8wf#c8FX0fsB_QqELn+jf=JCSJqC@LPVkRBsSC^?~=?euVeLtW(1 zlt7U=Hzb(SO%(Pb*f<_O_*W<*NFK-w>;1xz*RfW#^CPDLK;oHsg6a+3*bH=tU{f(M zv_5*TK+Wop?v9GN+Y0A;X39DEEei`4wkd!W#$eS!+oxG!Gc`7kO9*J|Sb{?&^?AX% z%=vL~*{^T3$;LwgmIMfLdQVeEZ&1-mSaHPPPDI$I9J|NusO}4;DoniH6KWIE!#sGf zhgo<+NyB8~%)~a3(pVND#V`8T40nD;JZgUlgr<}=>7qrjw;re63fR<9v!l?KY0SAs 
zG^rLrz!@-e&q0oT`jW9Rd4xP4&7`dppU<=<(CL6sc)k*l5VM~GnpeXb`lCsxqibZQ z7P_vvLZyDgQ?l*DM?OnsPU+@$c0L^kP3;?U0aaynYU_OJg&QWdSh;c$!_E9is*STP zWb}sbh?8)B5;r-Qk0N(kdtsW9Z<|Ykwrn25cAhnFonIhci-1~9sX*(lM~8L^_}9u= zNRY|z5D{zUEs~@^-oG!JOg(r5?YQm8h$$Tr?gb`xf z;xCd7l)V;ra@IMQ<>hahb0$=-1uaz?=1NpLWt}ghnR7N5jVc-@+om0ebe)=AbPfI^ zZ`SH%0bfer%=;T7H$sh{p7vbsUB=;Ww%_#&yY_*=l@V4?>r(b>Gua zu0bf5EG($56F1sxKALO^2bIES1v*i;9p;`}m3iVaH!MR>$=uxCe#Bms;mDyHP)w%} z%|3b2jm{D7NiA)dO+Oz@+WwY$BU-)7qvrD+Zp286K9Cp9qSJc6l4wJfa=R^+*O~S{ zS`XO3@qnjU@wVY~E3__eoA6iNc4~etA99Aj&f8E=9(wX>=6XlP^GZ$3^hUn>3X>sr z%>2E%Z1$sk^4V7NJ>$GoySZegcYK|v$BA=8z0{!GOZ|#&T-&BG{C9)%+I;Z}XQ36& zLGuYG(t@++bg(AY)kN47&gDtN`}dVakMkFuZvl@_saW4;S$&nTDjrrd`p!Qg>01$U zw+3~~BPm!Baxx+Cz=PNz-mVT0h-$3_%USt9hrk)2ca!~;yZ*a#QrVxos-0(Cjwh;!*d#jfPKC z(~Ks(S9jePXK6l`Z`b=Np6(&%8E=Ej+bjBGZ!)tkSu|2*R3^kLiB_KtRu?s?_!IQP8HVzqr5V-vmM&F|GIi_z#@^S7+d-c-g z$mBUQPLIREbD?=)@+Bx00iO-@=?(Si4Py79^;0v((8b5E#bm9HF@G*M5 zh|e&fQ_ZRRZ*P~G@HngYTc3+00xhu!a$7Huu6cgns{s1j(`JU$GeVGq=R<$^vb2+= zyx$*BEF+JSY+z!3@TaR<@(oj18=JX{F{g*tX$^ljE-2^)2emomO0W+7I{hqGbCB8B zu*id%(vhEX{%CE}vg@6{4)4@m&}b-G=cy_QpRab1pM54Lta)^Zd}8p!#_YMm8k0z7 z!}4jrJLRl@-Z9gwK;z@?tUP;(t|ggEAXA$1jX|jQLAZAz-)?uj=%%~GFMBP`T(yjK zAP^>JE3&dBobwfVZe8rMZLmF@nPH2rD9<n7m^oMxHxRfoo(ix%Glre%KGIhsret`J!f3zE9zLKIvRj~G~bf0 zIVZc$YiD!3g0(&CUcPmjZQZa}NQe}F_vvlx?43J&=b%Mu61o4?G#OChaAXf3J3R8N zb&3mp#HpcaM~8PDUhnZuh17Xk+&I4Z?kQUwuZyS7sB_`k$7*jUFw}SFi<)9(!6I+t z`o0Qn>M-v}Lh&mc+rZY8B$o$Ug6EH0j^p&NceLu>kBMCm+7EI=Bf9gjG&eNhA6fL$(*ucNQN(BElK|eY|k6j;E2!iVXPn!6he>AcT5u z82ZF=X+g@Z%gu~!C!+7D!6xZ>w|_xg?rWno*roMz5mTr@taGM%PD@kdFx?F;1r6F z{rsA205%@vSxinsRqoVmku<;U@su-E7_0G+W5n;iN2b?>H#*rx!p48EGNPY&l^xYt z)Y}jgq(>4NlfXK9jX*AisU@X!Ep3XU>_`LUSg(5y&7oVQn(DMraxf1+&5Lc6zvoV) zIBXh|lt{8jIiLC_d)K~tu~~UXB9*ePE|Py<)&`IDy|9Q6_1dd65_!Wip@#2QVt#wx zD$h_5KF#-3`-$;A-4nU4a|gFJ<>OCpK1(AQ&zv+ynMlWTCa? z;XoW)&N6Do8(A15Y_Vz&!dCDP;#Nc^R&> zkb2E;u)x&ZjyFwHVLZZ_*`*ekfO1>?U(iq(M@x=u1RmE~w z55k1fqB6b_`?~zG@<+8Y+a9Yu)28SpDEnTE$gx>-0IkmOMhy6iUl78m}Lr9!! 
z>L7)YRrLA$dJg#Zmvj;;wSwmk^#ab$#(~eLS)fVm4wIjp2jKL|m}W3BIDXSUrp zLPyCC$=ed>rCv=W3A&#Giqz#jR(kfB< zPxJBL!^4a|!5jbch}8S!-GdZFX1P6papM|Qy*MeDAX?p9+n3=F3F=A?sy75HvQJ(^ zPoNEc3BmC5!wUT;Jy+UiNFg3r{<=JLz0;73!1~$D^96X%hy6DQ^bPw}z;gmRM0F&b z!L}n0p1t=e{QxIZd31E|qF4~{w}zeG=&ccxH~j9K6c60{P;`2$XmAeLiG_rch%0vC z|GbJJa7^APf)EC28fTz8OCQ@aRbM&@hc^sLsBwFS4r?aVTdF=UkYT!w#ihV{Z3V5; zW=>0e!?Sc5GCHLr)TX6?(=U!)ViN!B0G#4~C?F2%7zKWa|MeN-h*-KgbA@2k3J<(^ z6vM?Yi6a^*RKCesPi#N{Gs_S84-es{ZKv?Rc8=qdjKSgM`DZUZD@SI!NwE})QUc#t zF$AeCmbSLPJo4oFM$za&P~=wKgM{RpF6*B2;4hR{ee6~OPUn!BcYqfw+^X$qSHC+W z5Cc#)VF>GBxYa7}%@zUV>yX!iz}1Olw0_#q*f6F^CmcGLwxI^lovyFHeL@MCkdt$V zdi)(B&hex3We%@yrBBH!*fieTwL;xDF@sL<4L8t6jfs5RRP$D9C~wm5dfglM=2tXN z{M2sh?S>Cnj6X`t))eO>b`7v+ge~SkbKzx}UrVtUZBy?^P5~ctZ0=yN5Nxt%PApuf zcg|1Y^}2NW%U`*k;kBwoT97?qRu*4KHsZ6Wmo+4qcx=uhzn@e&P2L`bX|CC{;9N{W z-f7vQ>6KL=osG?Q2rn%qvCu=6oShN|9^Dhyzp?*P$1IV#WHuTmc1YeK$;Nt?IF+^} zip@Hf{WFF}iT#K(?(r2i=R}h&wTd)01I*vu#j_!+u5QKFZ zV87`15DtQW5Z0*=& zA&Cd?{;NIjX>0IzJlRE7vz<2fgx+;Dj8I`*#)*K7AO&88@79?2a3$eF(HOtR6pZu* zTY9~sSSJXKy`nStI2>2=hknntS!5C+h7Br#O`1-aoG*yZOu#z zCP*aNA(VSKiV!CV;%vQ8IS7aBQFnc43L%<_a6WI*FF2=zGe$a>5g8YLxbg4!?#>t6& zW25#QpNDF~NF*j4R_q+Cbx>{PKjZxRGYB61zBs}W3_Q2k@eM74?PMsv{OE5Y3-B9i zB3mvVZK{sicLCf4ES|BI)VGb(zo%m5UxPQyu^prLT!@jl0@&PnpA1P{{{;e(8zO#_ zqv*>d0kLZZ(o2NnOER87QzNAP0MmIbdt3%TdcXBP78pAmW%u7Q33*3-naqwe(Pg>) zr%Z=P_xWF|*DPU*rHq@=k6}DQ+V9R zywz_QkGD_yo8F7|;&o+wL;Kls=)U3o(m$~}rzybj!30tgUg~ils5*XIyzkv-REBP# zFmV^-BlPjE71#SI;^EJ)*f#?-gWv-eudSXh)yVXI>TN?*ubRo__|Dkv84^E##&AK! z0elwMMq>3wr}_}`V05C5{@^HjofO#fh9mf>O=phf6`t7UXUG4jO-@s68nZjYPU<^w zHs3`Ay#I~A*(mCDl3>?ZcaX#{OuLK3|E*g~a8Y5Y_gnSvpS-uS_(S{LK6-AD4V^#o z3%=stt*yh1lUI5jz0ddUzh6qOcL%c8WmapApy}(fENRaw8fsWK60Ql{$D;%z*NK*u zEs&*7oQy4Ne_%5|DKRemooYVN2%l}pPVB!gsj9n9Kcqce0CY;CXi7R z9ONtFgVd_ zOL1s2LZe^<5GC%AZrBGT34dn*10;@yqYQDBm&g+mCwya$bfCLVMiQ;EN^YW#z>W;? 
zLM2m(A@NE=mjHaE=B)9XAtq*bhM8q6jP%8uyJ7 z+i21yn5j<23Uy60_KO1Yt{X8_H`^quJOa_*Hhu9E4x3;R3F{5hroV>>MTdy^(Syr* zKYW@&G8AS_ZGJ3ZTvrz1a`M(N7HZ6M;M)2QK&3F!lY&3*wwn_y1UIK`#D#3+3~g9EII-(eF)R3D4hktrP@IvE@*hst4ZWXf&%Eie~O&L|Yk@rznoyit4z-znEa#%YJ%a3{pC=A*t(V5v9Q&s^*h z%nhTQqW>!9c6^1o7@LWsd$IdVZXBSh-PPdtnNliI(K;cv52;!qI|vY!c46qHB%Xs{ zaE^muT6-@+0_~8gaWd*_MUHAn?o^U>V!eh$66zkO%)+S9CRGC$C zoEn&jG~8&?9p>Ia(6sv|%9sQ{>zrkLo5$O+V~auFR{*yJFNEV7BF+Y}L)Ny$1L9R) z=r1yD0QV8%wgjyppFc^+VstD5ojrSK46}*gF5%EyA6hX3gfH+_3V(*Z11zFk%L1~T z;=pJEGs&D~(;sKTzdS0q1i zHeL@SYPEVh2bcE|~ zf=pjyTv`_5ToeaH>5=kko5JqNw4WtM?OX;(LRQC^fjC(fA6*R;{mX9(pN%<>4hS(i;ApN#-nWhTjT zzQX|re-c28GEoEKJT-c@6Z)*IH>m1UOau?B*8UUVIb`d3kOQKc_^ru3<}HT1CYhKk z(XHdGiu?ftRStwp=8SzLT=~_@PQi!jPd}1$3V^6Sq=2Z7EJ9vmnf(^G5nj=8$09Ul znZ}COa-bpmUX_(wU`7^qNB&l_F>)q0WUr79Z`{m%3QrNJiTm+&P*T$4u9&)pGXzeJ z+Y9#D#JuP>{+LHn*f5~dOts*gq(`-c;mlS-*QGOVm$1V!;aZw{OF6n`UvqluH<8k0 z_o+)ZqGn>$;&KG!4ZFQMZWGdxO8}hzocOWCo+Z5#$l!1|q9$7W;@<&wj6q!OR7p{t z9~PdK;e#4JD^z!upFv=tL3Agt&VzN_yim(DRe1!3O+E+xq^f+luT0ubtww`-&35F5 z6AA9i;VMj`HbePBXajW)@6dIu;BH9;Il4Dm?zo2A?X*noMme^QK$(?aQEK{RRu+f~ zbg%8gLQ*WaobahCbd<8BFtECXL1{3P4?!?!=Nfbp6kQH}G*gGgyPTU*xpR!r zN6JXK4Z4*0D!+MYVzI+ZL&gi$srVO!;%R8Qmd)91lg(%TvMN?>4iEE#wkoDIe9g*?_rZcXyPe#;c5S6-d&4xFoX;Rm?dAI+H7A+^i`*Zk>+H8JVuq&(9g3F zG}HAyV{T`y{rrkS1G?0z;l2o0%uBT-B($a?Sagy99`R#F@G+`9WH9KBEx#1Q)|nBb z3v()E-oKlBwh!nu2{>pDU;EHw%_3>qz*`>BL7Ah}I=%H+)q|HG$ zRp%?&*voBEfQr+vP`Nl7Rbs{xIGZgpQ4|F0o1MEGYZx#O2I~Bp6muV7C%cxWeSP(j zTXRTgw1tUYExsej_>kpGeQGmwJdF#2Uk&+YbShM)agP(R>Jq~j3BfZWa{HL29;AUL zQnYxQ-2WaGv@0-)HJvLdGz-GQH%ox*)Dj5^eQ7ecG*NCL;5>8hq~S%0Debd+scLWj zxP4o3nfzHJT<<5DKj(MXy6CIb?8SZu_ViV67)?`Z=liRLvJ~C_8&KSXEgT>x;*;`ol^bd2r&S(cVf0t^PjoC(XNp#SI;60vh=c?4 z($2{#!1QJ*Ot*eZB`<4EaDYA`1cxpKlY&K!OG1+)90)+FW{#QRV}sJ;85Y*ZrJVYc zP75-tc-EP=QkDz`mViF6vnawS6*hK6qZ{{5j1%G{zA+xPYO5A-4prW5vy2^FBO;1- z#XgebT1a!MV5P@Rj^s-?ckc0X*URNUNhVG{9&LQM!h$VHq*9f>wt<^yh2r?T)-~){ zM>zCeN0n&4FSd*nFaTF{4?(a&|1Gh`l{D?SbaOuS?3a 
zdwXbSEYy?Z305dEgx&#!%T@~)lPnXLQdaE0C2T3<5KlYTR!Te9C){3`{oauxXG0O% zp2p6~L+6Ik{7XiYN+BiMLaJtJD*bKP^7rwXr$oH%%-nN&>wjXQ@47`JK4j?RYPGy>j1Qf56; zMV`EYMFAGT?i}IQjfqfXHwe!SqfL(iF4vfhHr;IvRM{lf5x8>N-@a(U$YXz~C}uAV z3%8vH*I-7R21~Iou{z6ar&vSYJpd8!%X}&H~Ls#sGRxg z_K?YmphhEE#UI{`oS-uVVZUtkFip9U;Gu>{*0VXPd^N3af!z3t8^J=!E*ZVk(&*RICI&o3RX+q20{tVOS)X-crqj&7qR}pHvlW z#xjB~-HKFJiR!kUQ{-aEcc{~dzmdmEEML1$?boT z2+bIhYe$=)F=QMwvBZ2_n1I!TLd$rYao&bmSqHOqUw}fC7ErEl`QVD3c`oMl!l~`3$F-lj5 zQ=|^HF8^Y+2nq&7o&f3?t4o(d50J`cW{LJWAWKFH+!vTG2cc{KeP{nAz|NMnIO(P} zE>EOMbS6c1Op}=NZ+Vsmv7%~i@9jXsV71d85E=6qYCEA+4%yumo%4KkYiE9W7S_MI zmndLvd68mn3DiCJX8v%Q`m_ARYIDnyY)3W#iEDje^ilc`P@gvQGwJq?1YKPH8VC4M zf|!tz^dhEe3zTYFI6Hu&g>MNG7D`lx+j!#Hc*ThOv%Csde$#B|80W`u!?@GrSYCj6 zTQSuIL3uT$O&ycc1!6qg+~Y}XQr!g)lI|^1ajv);Q#T_LddcfOigU@WBo%{J4BzHVR5~pYpg#?iMWWr*XSa%#|BhN9|Tly^P{xzy&?+Gc52bOw>#77 zlT=QG@yMkN_=o(Zh{`^m)o9M;4}Hz^i#r2{^sQ*k%wK2Lbl;B-TEJF+hetW&`xoM+ zHpK@0xNf6eEhIHvD~i{kU0?6F867Au%o3EtLm(7#+L|?f__m~`&Ayym>=HtoX3mW- zHO%^h+*xpM{|7;btsb*VzQK5-$WxBpfX*fLOk2Z5()t9mJw^%a1!3S^7V`rSmt@iz z7ZS$;4AO9-`cRHIv22`J1=U!qaSd+`oy8PICI!uJR}Rl%XK=9#-UT^m2V4Fem|! 
zxEmFSm@P^z*#7+-e~}myaPr<8D_^>B3CKe6?_gd^jB+EUq$;ea3K||58Tpr4MtcCm zlwm!|2>`ajj*GzA=O+srmHd5s*fP`HLn7K_8%#N_9Kf6N~p%sdDJ8Pc*Y7=3WK5MkE%C$S3nc+mEefG(LJ;* zo%sPt7Zsxj1hb`P7H4h-nW^28Yo-9LB$d7W(GX=FxSo0^fxZ|xeR_8EOGDyEV;Juw z?GT^#53n;}nuOv(EkqjTl}!>2+0;SC3blPKg8e^K>B7fo@Rq?~HMU%DtM9BsCK|Al zLw`=LOp#vU@`Bgo80hx)fy1)!aQ);Gch|@zPVq%kjEaMkDZ1Nip7VJA@B?>xt8+t8 z+NX`~&WQ$}Kip>gng6)0Qi`Q=xgnzG3L-QUqN(_!g9SRVE}V#C4|E(A%nA zGg9AxXBcmZ@L#3xV-OEH)l~|S#=w%rjvGsYOlTtcdTTcjK-QTH%bZ=M*O)u+#YHwbue#}2H1HUxIz2jUyU++*n; zOSuzj!Uc(2>0WI<$6%CPa46P+tg>qCV#Bk|N$s+$drf+)k-}6-giV0_q<-HY=%kIHRsCtYi#=%&0-<= zd4Y`%>L$+{9p3s!=TW>5LyFy?ovowpQ>GL6(X~t+jg0lft_UCI{(Gk0x98**T^T(( zKhLzdbkSl;OA@XDCRO8q0@G9q?<8QzMzqL` zQe#snhrOL0g9#W%TnJ4n@dpWz=N`Pxe(Dz^ng7#)iAmrRWp5UeWfX?JAt58FGKe!^ zA&tcijeK+yu17(1SR6`4`+Htw)@8ch9(T3T8AEaFUwMoPOY0?z=T*@%^^7}_3Uo_j zbsFL6t5JfJ0X>L!R6<=riY#vHjJjuY3YP@MQ!e>y->k9n01uVLfWok^2dt7tvi2)rlup-_ zfqO1FW6ZFHl%^%-63u1?0Q?=N6{=+E%>!C%MNcgh7DsRz4+IOHZ^fYglij0 z8aksrnX^T4k|LA85}`PZKi=dmGY*sp_IP0Ps{;G2uu>L)liCJtaP>0aPV>W-Xa;udVZ2+}W_O9|y_&=wFpRqgd&V^O z8{aBA2PXaEcijF}L1}56aP8!|GA-fTq`Ug-5MzD3I~IHasl_m@p05qwIILeuQ}KyN zJ@8WQD$pptlVF|?l=C^dO8=a#!nadYF4f#*vVoiK0+zA^|FC5^%R=*3XT~p!LQmbrx+Z09uih?*|ew+ zioVr~R&`7>n~25EhWBYAn7e5rEx{5Wxh%Y}<`ayQcJ`Y0qC~h71DlEU)BLTl|x|oOWIXu3=1fl z@%G!TCWF*_12UESJ+O76P{V%W{BIiIh{XF#);-&+i68#l3r@Z)MCI9n_J3Mf%EHfo zx0@wk7udpe&c#t_%u`|(aZ?(mMmSZh((2|`hd0Lr6i=+J3RH{|>RxR=afDPIfoqTV zT4k~%tq|ax@`);OSnA*?aZ2q%>Lz7r*k>cmO~SIWEVx>as3M#J!V_`ssCmmcz_47t1kE|WKBOHc>-TIZ3{NV=e8?2%- z!~#HBX&`WBGQY%pnji1Yb9~q%t*CqXI8aNkA+Ie@Sr>4b`YB#gsZbcoxJ(}N-yq0k zSa2oDox-?FSq0lWWjMqoh{Y`>e?sSj3X-oK+M-*U3B^PPizpy6#glbb7+UPY0LcH= z`pFBA2V=nu#>JA|_Kgd$Flk$z4PTBq! 
z8CH)!+*syA4GR}_${Rfo8S~_>d^D?*l1D{qvI&UIy&gkZHlnM?3Qe*I|8z z_bYeXmmy`{;r^OLxvGse#u7tFIsMn24dNr3*ydt@QIu*(q_ zX(&MVstnoV555esu_uPTDwf}4n)Aa2!6@|vs@hjt1zw=4@iG_*9mD4R3`%P-fg>QE z7`*UPa8m=E*f*}zCCYu=f5E+v?c|GvkQ{vCBe4-Mhp;2!Q(WV8v)Sv!sZ`{c553_#?Qmeuo7ri+Pn<_ zDY<0{vQo17RyGrO7!*e()j6RkL$EcV-gJ}ro_|7dgup>?7z8EU9T!NE{o;bX&mqyn zJ(=*HaPmZ*;>w+TDS`cEpeO7zrOjU`9T~*ev9*-e|1o-KdD$LutoY&aWqJOF@TfEOHi-%g3NJ z%8#IkT&(K0B>CK|tq#B3&PCih_fjE($*ZhGxf5^e&+kj8PvddAZheGC$T)gRwWD$G zBq#+$TOpxN8EEFvT9>==?#x@~c~~7}N&(J$3%J)O8Ud2rBKpgnhsj*NPVXXUcmx$m+%&xtgJb4%0Yd zUpKeiTG#Cr>P_c9qQU9_8yy>={`J2~q6QJt?q~6<{U7@h&+LyxwN#g>R{T;;Z!(&n zf>SeKXYtRCvx4MOq1?tC9Z~T5STCI#0p(ZPwOZq3*8CP96-Tv@c@ICc)^*}Unb3M( zpEN<7MT8zX#LM$zPp~5)sHIC{JBfR$Ea4fSV`S5_g*AJ~m_e$`eZc(HoWn^a`1Tiph|xW#Z79lW^T!P@pX65a?0H>{7T-`2dqZV zb?*BwWjrUzyY!#um*u>W)`yDg%ctZXJm{Y}Hw5aPZUDF_tx9wPk%gQpr@-|K5F+P7 zOmD+!QLsDh-8Nn4G<&v4gZ%*lMwrt_KG8k@hTxIl2s&u9n^!uogU zkC`*6AbwF(V)%iQrGMLg_7vFm()dLN9iiyRH%=yKm(T1s)AH^=8t6U-k)8^v@QHk* z`Q`h$|11v(qHLoKc-smLG8pG)>7V4SM~vMnJ3G(HNJtq8Jero6*F&q@Q0Cs%th$8B z0Vl0i&FgCkSqQN>Za1mJBzcyrzB#3J?Ud?wldpd5x<0ju*kE~{bZUyr25=H7~ z)Ds#9`$nHhF&A!IT(V>wXWP3&XtAl9#DL?54q=teWOCsasKWj&!TPF9z<)xpw=aNp zb;kf)?XDVTU;5$0lSap)FWd?OY$N~pdI__rO<+l2b({r5Eo5pmlv4^Brkmh8Ppq%WF(k>%IE1kVu_W;?Im(#D>F{)v=z!!H zlmx(2EF6LyanIkg&*YSKF4S0Dnn%#e^28roqL?R(G<&ck9~p7TefENWiJ5dPn@pr7 zE?1dXYUlf2VTqPw?^bfa1IwgB9|2oH^ z?MP}FvqEv>k5fhLKsGi3f)D__MywCu@h`%}{j=bR8O3Mubd_P@HnzlWmPfRi-Xnm; z=ZfW%Khv0Fx1o;rtxa{fk!``qe6n{le0zRBz&bh5)x}6BQe^gyi&KHePVm)OqKVvI zFi59;I3{q4FR>|l5{j6$ntn7kh;LYmUsu@aidlv;J*&=rhohaR+6-1cj1fQX4 zb7Pp|kJUaI6LJfYHBq|yXZqjVrf)wKxZo4sp!b!!$Ls_BI_sN%Q}p?EpmE;lF4n9)LXY%-!ENXrUJenn4Im ztoqIeQFh|jdBbxVZ_c4{);_jO*yB^|yzxeF=(GEqVnjvA*ZC+viX?rCuTjD|zw#cC z{HHN{rSgD{S$XRnq5D&Si5f7Di)ik=;(){@u6=apk9|n0UyUZ4bRfbINtzKWGSGkU zO}X~(@ddbjHi54!HUVy*bFq5J&%Q)szO27dU*~)~2sFE2>D7;fKDXTQs>8+}=7P6q zk^>vcs57;n0nC9uk6XxEcaCnW(&%7p|n4VIzr4T0B{5#Ykz$LnREhM`r40l|A z(o5cSf!W)Zl&9>srDRI`hqdvm#mxK~w6DD8>Z!SCp>$Ruyhx04{GGhsRo_6yy7_~< 
z?xNf7=|S|2Y!1p&c_$zxBk2bs;8n)yt#JC5we9O5Whd~4NUv1f20_UyoWh=qIC-bi z7MOJcF|`EIVu>^R4xxnlsqN%=Q@WkL^f_wIh|M2&I*RBQx3R?%zY$k$M=e0%B$3dB zKg=?xLYFF@LXQagTMf}~UDi5MkEf>jt_MoMCkah=_6t~>-@X1fN)jHJ8&@&qNkC-P z6|c%|*u4?3Pu#7?FbB8@xU2_@ag^>mJ(naGbzdy#j`y;kGv{Jex-_EK4p(&BElGAO zy<-N;c^R&Zb9F{~ZOR+&Doc>ZM)#u*IH6@fPTIXL#j2cA-0d~+>>(R1*j^=!AA|Po zk6S#J1Fg%*=rXupQr{kWznZ!1=idpp8$IJ_lJACap7TpgzdnHRHSVoh{;oRVZfvGv1B21r)C?Qxxq+7THNj z!=|OB(OtdAFpP)|bKGPGD#H=&ORlsn65DBlN*(t`{f=8()pc#Adp#pSeE@4i7&7}# z^b^DGwe<)fv*L5z7+)eFyx}WyOF(t!gIu#Utl+k-GI$S{0s*K_{I_lsfw02!$NYuLCP6g2QlKaEt?wh%$*Dljl37QF+FHtd#WE4pq8MUPvMm*#dhNLUVW%$cUvi%x$Tlfo8f zrd~}-eOQ*?WBG$`cB)y_HD^n~HPH0`vL??ZUXuq8?zbs%6NBWZ`Jpf{8{?{U{l)n) ze#UVdQrYQHvzEgKgZ02BLZEA^d%&dzKTPIXQtoYdcS%OOPC|-c;YFD+GSI)*{1>75 zun|&u;t$^^WO7D=C0kRR^J1RpeQD~2_I1`#1s4$0X0x(gOkfkY2-~kE@nmYT4K2u2 z$Q^IpNmr_79;-W8G-%?fz}G*7kG^i$FSlr1(HIp}Yy{M;mWC8R-yAU&-6|Umt=7+c zF)2?tkdrknZ;w?u){z!Y;*1toKNZ|^;&W8nB}Gc`5ZEMfM)kmDyR!2C=U(UkztBy) z0f(3@wt$?hG%#>=mQUy~@~OWuPE_0Le9y6Ws6u!~XqM?R!$2^rmBv<$M66%sV{WesZwIik_n97++LN%r#DL7VsLRzFJhI%sDLdujON;r9OAUzUNIp^=(JjTou zj;tsa{%3B|Qg*XTXdCf9c^wm`7!oi7T07^nZJiKgPKK#yelA{f(@rEl*@IV6qF|9qz7)#3lb$W8nm9i(?38JA*|Qt02ld{N2Lx3*H^5A5YLc z_=tDX$~+d4_D8to>^i+q6xb zoKp*-(7>p`U0mm~Ry{PBWlrI_f9b@ms-wkJ+=k843C9B4NXAmcA*gGOXI~Ba%+3r)98qApRzWW`~%KCiTOqM z7){Y@MvJ-dGh+DMdM;10XrkFg@qlh7Sj&?8;rIu3cF9Yy{95Q(I)4&@AG^^0)3vvq z-pc=D>MMil>Y8Q~++7mfJvhM~g1fuByF+kycMIOn& zoGNC|^mO+OYcJ?zUc?{ebPb=H-=^&%r3&ffWBvC@<;|ZD6#{tq; z$}74vP=MALO6}AL`V{X5{|>LH&3GlF9Fk=Om$^~4M1%$!qJ{l9h>N(0^Lo-*>9`-{EW(LXIVL?ssUY-leG5 zgARXxrp{0ln8{n+#(MEfySF07!*$_T-V6DPYti=t&jsDYW9OacyFl;zP8hLk=G^2B zj;hIcte>j4=%{3FSSR!OwB1sKJBTTS`j-QbJvq-Ca;GD2&$&}?D@gbcLrPC}?<3z{ zHzqeIE<&GL!e8#p;9}l42a3PG{Y*4l7%|-5;%OHiY~tDe+2OG%%kyyfRde;~DgH6) zsjMG#jLL@rR)E;(**UL{;I9q2n`5F{AZ<6Tgf_8WEeVWBJ9uzLk%6^g0^q%PqMR;& zWRQKC_2hc_n7}rM%}KkZcc}VZ4cxSs3sbbtyD>#x^+}t3F2`4k;pBUzhG3y!X?G#g z@sd4CBkkNlf;|c-Lod})5gZS1Z*E0iS8kn;?qOnwc%DvCVocr~%M)+*Jx_@y&_-}# 
zE>lZ{F+#lZi@QA6qCfKbIImCWj2%#d#z60AIDvf!BRkoHM`_dUo?0`P-45NRgFBH zSRz4I*UPcH1i+UZs=9!V>3f4$Z#&itBYX*4&l>P0RlX(9Y|P!-8TL1^NI1g+?zPZ9 z;Hb`uPI3dtPR-)-RqNGvn9kZ^;S(4$L?jS)=b|A(LX!VRj}I0J9i04Q5rH;8Dw>3G z)EwDgLFNfdr>r@24L_-$3Lc!ZvZ3Fpy+NsQWY$~KrJrY?^YH8YNLSU273I6;J-fWIK@2U>$sN^Sju)PLv+R!w z&2fvhx;z*UXCK23ZpSLiP!+9J#xs_Le6^E3n@u@cNb|RF=aY$6zFaOXAvRLZ-6t$X z51zE8R0|^D3I5<%BKdvt3+m>3`u?}iiN;%X!$=ecduH-TtHY?~QQ&_exf>?PgmlSf zghyor z%SUjHlH5)O!gk(~Z#g$F`nS3xU(ibb9?iuss{F}Fd5sYL$d}kU=dpW2k>NTW`x~be zMfFrYteX;53VsF~3{&~pzc~@yC$62pySP1<`Lk^v`WG+gN62O0@+w#H$B?J5QTJ<1 z)mh-#LsOnx5OE2b)QE9K$jVxB*==UVvB`@db3B+je2m)=5-)SG`sQXTLDTTf^X^E^ z&f0Qh^H@_2chLqk%6z$FU; z7pV>nM}Dj`Lzrydax?8rA4zk&()pN4Jm0!{Pggt36{ErRaDTfzU78xZ#B#%DecV|I zNj)i~3AtH*t1Gc)IM6$)AN7UQD-#_VWM1yK`k$~Pg^!B39LUZw7?~1zaMlHMRFOww z5$y%IS)v(W?elQ_Djsc^a8^*z>k#GZf`$@GI^`#M^7UZ@BghdXQ^FW0PZ(jNd4dN& z|7}^F92|@l6g`$^e-Po6lrDwv<+KyE`dhB-m7zy~Hls2cDwq4GBU`WrhlDZ%wd6l} z!gh1e<52vtHrj zI18@fS>JeDPeU#zf}k}G3AoRU$Jg{AE}p*+2ioUKl}HO@7mFLy$*#hp+a|TQp^G&e zRZgK5T6+IeUDv?*`%5;!JxFzp#mX+9hR*^D;FYy_(FZ#j3NEYGGZU+hVdRGkKWRW% zatlRyJcyECtNJFVAfUtmWUM;uT(q5Pcs~^@%a@e(Z2joC(k*qO-Aam}3_NPLWKnoM zMosW#r6){USJ`!EFERvj8JMDLnwoxAzLQ%caTfHeJR=1CJ)&FWPLA!hxc!YobYE`UJjS#5J_4M()$|2Y@1ObiyGFBrWX866*?B^ z{CcM&8hIofTJGQ0g&{usw{`h6zL$Z3Cjv7?sqk$UifI`42ayv>WH5ic^-gdZ&?8?Q zoD@30&*^U-#{>g|_Al9j_d$8Y6M>z2;s`UB5~GTmmUXETaUvag!AAOO1 zlA36&98nlVzNC>vCf>1;6w$S9+BE2i2Z9lZ)?;cXk4qC0ZSJ<+j4f-1O~{shTR+cyTa z69_sf#+^kUUErzcfC1a;j+{Y?4LB#*gbXfpc8esh*<5SRYl6^e`YfMDO9gTOkH|~Ic2yen^rhvyq zx6>Di#~y9C*owdO;WHx|(uBQvj4(W@bDw13FW^xvZT)PEd|aZcpSN^#@Zn82c_tbx z@$jv3hUl^YEgJ*|jPE;HnuXjTV_JN{67$l^av^R90qt7X^-nn3g2nlm8+^@JMVsQC zs&f)k?L4epyFHd%3E}cv?%>fTBn3B+n3>KTk<+n4MZ=;8Fo4orfskN(e%ZBYOgd!? 
zi<9pLOm4dy?mY46tVHC6w+&3z-$<2OzJqXm(jGI^Qo(_{eH}erzp0Je@(frPKz`!irJA&qjpkW=KOw2 z_LIBc+n08wj=H-{X`BT=Gvn>mRN;%ZelxP)iq;)ZmCimd+AqCg`KsOHpxiu??n&Vl;fU7s(4x`J1106@)eSkEPyG#lK#fA#E3ET+ho{}FLGAY` z9`)^5{qT)gAcb2C(}#8@>m4iQs@VTMemB9lrQeTV(-Ul(+qgWmD55m$L$-`836Rm` zyd;hd22&opfLL;^SzKp)`MmK z1Ntv8ubMt!+~y;7Y%gwWLHNe0K6PV>%q^OjcuM&a;Wmp+MF*#~6;9}HguiHFB4Kw^q6FxKG3D!5BU98x=!V)&>xtl%3FCr3-*d9Eg3T4~#)1>-A!> z$*UuTWlh<6r$e0f?WM?^-~*Og9jyVh)e}Y->wbmd!@aa0YEV{e7{dCyfxT1USNj_U z#vU!chjPWho!}7kAvvBY0}mp@y-ObbaGQO)=$GlpQ+-3|wseRY7zDhGt!cbatS<*a z5YWK}rTx|70UIPJfgk_}h$v-2lrbZNOT;l=qlZ0bEIsCK+Ne&}WmUSF%Y{cY_>{+j z;{*!NpS-lbQ_On4+EGtvAA!_6WzTe^JygPXC#aY?gzQT)XN7vnk}t-?js8OdM(MLd z=?P&`_i)A57N2v~p*C*AGJO^kT?k7!pf-1T>Cr;PZC82K~{3?q43*ZT<`{Ys?koE97CJeL?zKzH|O3Q z8Re!;LiKxo@h)wI2A-@)!6#Z9vm;CT7@hocP&i{Z*h7Wd-OkL77{hP6Tow%30vW2h z;`_TJ6@GrqhHVhC0`wUuvBfFHP~)zo^coxKwNx!i6eoGqtY&mq^B+Ff^WoqJ{jbj! z2r-DiA$5=(`$c{rp0y-A)>Ewyw3ch&Gsx3|ZAjcZZ@s@HBE(Hv_Sv)=%Tc#Wkb&&y zO03MH!3^c~Fp#5=es3vc?^L}#&Bh!r2aYo=tShilVqndPyq;?T9{s|qjW^}=Q1U+d zh|?cI>f`UbS0pX#=aM{plWNnvU>kf^uyV#;!f>71*h8Y{gP?9V|A(FoD9F3t=#kkV z=?n#-M@B>`AtUUTl?@dtNz;fr_hYHr;-L}yP@SeuT+PEvziCfDIpl&QpKe_9Mn!?J z4q8WD(4@ZmP{o>8ob0ga2rxtq@KblY_l9?VP^n^ss8xUi5fOo;rZaYK5DI$hCH?cX zx@-pr-+`m7aAA;a-t~G>4Ej)6Y8~TcKHmVDN!|GqoxLNaL-0N{J-ZVQ4rP!q3tk3r zx(_DXemPH{*kuWm^HeJcK3?^S$>XW13 z$stq@!&Ru$_tl&3zFW%OtVa5651@TOPy!YTavP^UahO|gBK=9Ec$E?o*h z4$gp(1jgKXy|G_=r7^{eEAbVRV&x^%Fl6Lc!$MZ-n{V@t=!8i)?Oi>UGjQ5SfrPR# zC$V=u_4lnH?wei?Nzj8)vC#&kZ3XY;Iar7CgHewXDtPIjM!PK$FidRl+7wm2hLbHN z<7oi|q-y2(aaO5nDp1(=+7&T!_euTPs0_ad1!`}QH!nu`QPECwdV~v<7d^%23GnBG zZq1ejNF|aiUt}a2+h_ve7lRS#fMSAiyQosvFh^0BY2@Md>YI`Cw|!L2MouXH(L=2H z(+L0T4LTOO;*oAkX>=1CvazUGi-L>-?i1yHf9{i{^cIg#w9It2*(&RYc!lhJ$PtBH zz0nC-S=QO?GnutacB3b6d*4!ZWDCxCo2_hPk!*$j5M0!+DP&vA>WLpxBKAt=ViwzN z#8MQ!L7cuA4OCa)dtpnvzBmxoR^tJ4A3k595v&FY{U^G*I9RL3dTg!X^`8?`2cg*& zWW0bqWrI7KA58?RlG!fVL{;dU_(~eY{j{gf>AtbCc?r}gg(HS$pDUy+k?2DPaagGJBwt9b$9KZS(EjChhl4I*xZ9Ep6_i)bm{_ucjN3(OlFT03#Q`L= 
zo>?Bw@mUG)HeJ!V_XqYBWT>AaH`szL#pr)xkKxlU$Oucdc++3>M$GAJ-mpt)5kRHm{bO*i*Wf&(NOk{q20ggk@e1Jv$tH;RxAtth^|$CT0~1aHLk z1v8_wS);HjdXG6*#RBZ#snezGt`jMe`b&r@Zjpd0Ys zxa7XE=qA)lCFv;L;VIR#CL@Xn0jxKDe`&TMh9px^Q+Ie2-eGeO8H?b1fYAT3l6P$g zWbKj~qJDm5^s|06vVML>0wG<&ORY6=66U?7%7EIk^2%+2RaqTN8E`W+dsEn z`y2Y+0H0a>up$<8{<$7rXZ~{6KW)R2igMK*qKx)?s#7;(NF~`Q>-1WfYr8}udGCAl<0$)lwa3VBez$Dw zR2$*`Y?e0I&&RJvA$RERrUUua?s)d1Fe!7TdASRSzmL%ZhV43(nvCXx3GnREzQub% zxHKI(!1mfMvG~D(o#i34L?Aok?a9)Hoa35T7 z2w#NQ$a`exPyK@pmov#LKMZ_fcgdJoc(iSB)8$QiGJ)En|5=DvBl%mP(Q(w)5FBKEpV}FitR%%ThDU)CdoaA zkvkADGKjOJa3~CJyBo>{cqg=T_Q|=E!NUD-@|)kKG*c%FcLIo`jV^Qe7F6C|paYV& zDJx&L6jtL)NqI#=2+>?o_nZoD;iOM(A0h5m_9*gr@%~ox1Mh zerP)DqUkm{$v7Fz_K!NBNyV+UaVOzSQI9y`5kZD=aE6?n=JeDHMs$q7<~=neIGsZc zkp)B^J4KfU6v|3MJ>qPOF1w+}Wz=3ZxcsF$!SaBQ^IN!J3H^H|0mpNimp2q}eS+>h z(0~rUb8}}N=s&_`lJDos6B;<=#38~Hni*O*Oo6^9y(;13E+-2x-5=`LpUYKR^%wGaLR@_b0WO9D`yg)E@Trs z8TXBVYZmO3? zr=A@xit!2@?7UAQ&ALf(1HVactPdiLcby5!G*|mKXkOf$X(*^Ab^G6I+yX<9&-Lhb zVjq_la?+}6@4#zZ8GO+JXX?~7>Sw=xom%AIt&X1Z>ao{ZxS-gXU~*iHWXF$i8IQ4b;@9V?Y(I4?|UcgSPwfHQbix#jc%N9Rcb^`1{zyk zdgu~`2@=4kZ00#Noz(zp@7OX8L>dEUEYT;vRVR}Q$U)IwpbA(LP556XI$<7LmN0{dx+#V9-O0dRdij%! zTlT6f*%P`h7@_tH7@^8<*i9LD6#Ixt$iX)5h=rK~F$NG4Fj&q^P?dguCjMER2x)rT zM@s&$$!~G6sJFD)6azp_-c>3D-*qB7!1b#hd*=RjA99x*4ND)&o4wpdTQ}96f}HUuhnj?vtnq}6g$83ONb~n<$)F2vcd|Sdx1|rK$~tpg zIt#ft`*hsDLb?>)SGqZWgZ!rkfwy#cR*SNn z1H3M-ioCD9E?sun%B1SL=wb@Z`|!krH-kwGS6z9rIC#cM_@jA6lFv8Gz5lTWY-rh4 zc18IWHOS<})h+1|YUhp2A-_f!u?P{pbGuHs_;+ORKAne5wMhF-oWA<19GHHX5`k9ZJ|?) 
zSdb_(!SXV&Dq&PtiT$MxD$BIy^|tcn98gXRU@BfPL|M;DN-ux6EMZ9orO3_J`-O+3 z!X|C3JHu=^D-~0k(S6J?)_I!_%;O;?deTGq)G4K|fkUfCcY@Q2M*qQCwWztpn{xiB zyqav!`lH_NKxjBRsHsaU>Zn#2)Dnd=vDvCoq8sG{3c69n+)LKz>!9l&AeJLQqVM?| zRy)QXQsPF3TJna{!l1$jlcv;pB`0}% zTdBy6r8Q+=nCj_fcKYZd7^l!RNvcqp?9f#T2-kaV!s;(iyjqJ9=DL+7NhqIh`+{_A zJS1`+XDSEDXrV=!1q<<$jG8xVUquOTXgr~HJGWgsi(HKM_0L1lNiB0op*cRisU#*g zBBY^3mtwd$H>17OJcOny2PE_Z`r%(1lfOaKpJp3Vx7Fp8vNw1z#q!g(?Fm`$YS}xU z+;s-niM$*)m<=J1gV*d4?hF-`?v$yN#}?0-0mkO@Crm0Cx{c zZq3#BP7=Ac#eC#q&!aArE&Xg=LT!%>_xBkTE39_7O*mAsGp)?1gQU=YhAOUwf;K|R zcX^YFOCFY|zMuKoc|*n^)e3FSYUe9w$37r-(Oo^4c?SQmZ19?=#sl~apO{r0^K(`{ zyl8ZgPHf~Eyo@$In%+juJ22=8F}TcT?76?J{H*Zi!QH|}{WY-0c(pAtygeM8;GI9g zF{Omn(S5uhFHQ-%xkY= zgPX6koIMoDrJ6|ppm^c3KSV#VYgCi9pj!I7{4}@UD0TbHT#wU74GPc&s0t%}aUMhj zaw0lnv8-eG_;P>ddn2E$NMJZUDtoItRlHOXT5xl&XmutNLzc++HNJ!@dJZ#p9WNy! zWlnCI6my3=73%+aE@vTyexdNyiV!q~g)fR222HsI^t4DU2d@Zd{fa5;n0H$8{pB!6 z=$al~5HFURRs;gk4Bf+1*DRa0K;OJ0NFi=_WmG^-3vHZ08vnhW%5nU7AT(ARHYAop zRS(nkCX*;VsuJ0@enN?0A5RX)_*lZ%5k14bkQ_UyJE}>iAdibQl7AfK5i)?$rWQ?I z0O|n(X1W92vUY#|@e?NrZB&4I4fajq3;_s-RK%BEyAJFJ2PY-W*q}+=m_O_S%yZyreYwazz)GZ(<7*n zSw7bRvqF7OzT|7H>~3!<{1Z5QWcXOe8qncmkiZS428k&|mz7=#vWq|Io6;07+qHNj zN^~T}s##qa@GT>L@C>S*oXr?3+(Fc$Kjty8{HQi&AV>64xGzL3IS4cmnIHHyp&}NFn*V1nW_agdIAr9lO)^O7SfKnZMxO^+aZg4uRFu3&;3&W`so!4Y!I! 
zjgtZ6Gs!+XIkKDTjyt8?Ta1%%#!K;TVB4BbM(%DiG5<}|$N?c1DNvW~OGy1^$6tDA zq@Xaw_-9`)7|#y8O0Ooo=~FaDTQrK8)3k0BoA9O>ojP6~0HFhQrH^lAx0{QxG-h6j zBs!rq`~+G@JZ!TT^lCJBrH%fKU<5yfZn|PozYI0!{mIdn??zgyC}t2Os$@5vtizN6 zKmGR^W1&9-UDIkMPB_}W1+%)w@8a{QLj0YN41x^mNX}G@L_zb>$E^f))N-Z~7?CF~ znVg@5d6QiLOl&MiI<51uQ`yNv!h2l{9R0u!l_@oRFxpN>oV?rRAC%pz$BmHh*kJiH zZCJADz6gLBsay+Q0MH7KGSJMXs#>_D)qg5uz7RRuYF+&jJWxg)GgLXTtu(v~^$W-2 zeoowG8lD7Q0Z}eobymFz2i!~-bcSh!njxqUftFjX`RL>e0o)tzF zKaF@w=kl#%dnL<**lo9Q;8vZ8!WGSI72e0VK0qw|9|U$-=_G%2Sth~!-aqM}kqfa= zjKErKxT+1)z*`1fZj}VzxFX6z*NeaI{ZMo}h>6~|7ZY>%Z{YNg6mwvWv)DwdL#@UZ zStkomrmie7qXg}Vnjj&DjqeImC&V}Wcnwo zWQI-~wW2Y0nb#Q-qWoH4g0FiaDcSVoZz+an4MC)v7J$M!5Q4%A1G@Lwqz*LaGEYqz z4Q7v<_-+~-V13g?%K#$s@T|Z4S7?8OOQ>}fAR?&H8k-63;GjZ-i9apuXLg1rkD@zM zg+gpxZeQT{)Pe2{SA~bxiih*S72sLiiRPhE*R}aPfl#1fYA#Jg_EqeiJnxwUuxp0t z-G5Us^u>pFQ-dB~M+X_McrXM`|yBd%T+lrW%_5g?4W8>93pGHV`^KKCgpW1 zOy^mZD|HC;NaB$4bwhi(c&UskB6 z7KT8Kgn>KQsKU}r8uJk`X0~}{(px}je_B~^A%~-V zVmVWZ-YY6Zjku2Y!1&w-o;{6mVK)k}Cvuaow6Y53{=!mtni}~8N>NH#Q0yvMid{0s z5mxm}O3|=Y+<;E%RhAQ0lr90hI@R`-tJ}jKfLwVEP7?o2)x~w*EiSj1?_3-d4iav& z_sfgkrzVV`8zL_R?P^Ix0$%g9N>x#47SMl<8T<|?7yQZsMI7NA>5Ua+@Exx0)JRan zGzz**-++L;JFZ$(kq8$-8zWo@9#3<7dKB*FgHaY0b88t@!jTP$kv3_>HyouXLDskQ z{oE-pZW$CA{xnN^*$X{f<>upi-$5#cEWbhV0LABa45jjUH z5N-dorbx@3BEcfd*H35lNQoq&4`du>v7Kth*lZWY(A=Cx3sqGuHQNR{NA}9NL@L{% z%VZ@GICj@(-m!U%lntWz8nW9I7&Pc@QYsC7?R6+PSQt`-swsI(oK*H@Oa{E^?Bgj& zn!kR_(<{2pG7eocs{`b>Z{tGq&G13FnKA(0x-tOivPl(N&&{4SRHCsUy1bf_$%hm} zuI1Ynd4|(wl8}M*jQuFRAXQM9j%!YHyh>&BP^7E&GQgDB{tNInz1_HY1WXb1wqBnc zvf4{3PSyB5pB$;GQa*NLkeVehlZK^i zo#G0YyjtYpG-G^sM+q5#-6r$UwCvkFw;I;D>q3a+?5GCKcgfJHsaFq!N63lc*n)!J z$J`2+h%+-CKV*za!IjhIUwnly^9T)e*E(F;-80b{Nqw|M-a@pGHWM)C$TQ=Hoo4O4Z`R}5b@2nRY*$B(#IJ=x*-IHtqU$O|? 
zf{kl+R7!>5R*Z_03d&sr6n&1ab(B0&@)@-&B)X1Jf@Kyg3xK~<8jM=?25*^_;nooU zF&{Sgh~5C=rYwTY)IV2fxtPvSe!a-PpV^srrxJQGs9+i_G=-zFUWk_&w*(f^wj8#| zGgI6&sS=&M!Kyw)Df%*+Xy(GV#mAKyy7NUxTgKp1f+E|Eq_1u+QC#x4>hBU646wEkAC|@wV&6 z-M8`ZogZmWH&G6xV1i@HIFWmqINIS-F{Bfa?v`Z=NZgY83}>It1oz3_JY1NTc3ua* z&w&|uQOs;q-eO_(9zffUC65Tb2v%N)hWT>4pBbYhwfaHP=QSYtyq>d@E0%B`p1ZuD zIsn_{yAvtLSF*Yk?E$S1?9LrEg(Yyl+cEc0fc{_PVG%a7$mVt@D$XYKD;1=|O^jvx z8=TzJBHmR*BQYuBc7mHkYdh_})=Z}T8`(LNTwf+uzjI;9rhF;{-bpi$=Jvj3#&UIX+oJ zg?nIhad^9I@Bnm)p?t0>UXb&pbIvE1d~F*S#w^aZ>BBDipT%z{WXpE4yt3MdE6Szb zN({KB7?-FH13YXe#Dos@h6MOiAd*YRRT~ctqI-o-TakBt;r5jGNUqg{-&2yhnc%C6 zc)xLvi+S~{T_-(nt-OEoh*7U8Au|f!+f=#3=fwbU_3DlTC{6zPEaRmjpIwRcP%8VY zkkV>`%{)hFL`Z6`|7M? zyT|*fE%z(^ha2Q132xo;X7bCo$77JY}{>ao0qNkI=It z(bx?Zs-MeP%>p*_+-9@CbJq%$i=aJ_ptpgE!&N< zf~114N5mQoJt1$$Dx#DKG@ZU2M`TSd4qIU72yRBlAV@+-6Xb-Y(hwZN@sD8}?hm?* zgO--iu#(8g&b!FN`>T0k^1uMczD%fH`7RkUssgo)ykVpemrdTbP1(nv_ixG!9SI%c`cI67?VK?Cl-*B| zZ)}C7**Kq}@uxcdbFxgIE%V+yaYzaRQ{FZh1j@?=U6BTkdk6`wgGG-oKSnA7AN*>% z&7YDw^^BCe-_=u7bT?w`3=@5!7l^|9F%Wf0g^)f=y2#A`1m+*=od199+y!Z7t)d7K2T?djWd>8B^p0BFl# zkvuHuHKx)SaCv;_c(vL_d*R}sA%zd$BrF!Qg5C45{*sYVm4mt@3C^ig6LC%yE*&h*@mmIXfR9kh zs#Le0_)ATeH;dhe#6CK4;R#(ON}69*y{0n#3WD}hU|uta8t4Hy{q4+)HlCyO0AKYW|e3tOPQVi{`ucL@)qM@-(s$_oZ6xocMAg$}Dh=Y*d}>0eDN}gQy6caA%zs&&q!+2h#3H<0 z#v=6B9cgAWeB8hA+<~;IaS*F4@&fZoNgUls@`0D^+!&WL^T)-e`xTi5DHvZr&H$c5 z8GfGZn`SCrUWbBAA^ewMF*xbd=sGPJKLS=nBEI#tAAPOtS${S)6EEP6=MMAkd}-^6 zL&OcR?)nc6Cq^!^YQO$2x>&HOYuRrt+rh@wL79A*bRjZr(fS zOZi9{OPA7a7Jo9a>|^bRaOn32;(Ii$YuY8?n>6PMCnpA7V>|u7C^ci7x#QQ^5A3mS z9Ko|NWn!fMluBfh8DERF1gaiI65I1}oN>5-6$p9lgG79rug?>UMzJ%<6j89`_A)L> zg-Y-#=r7H}m}oc3JI|RDgBmYLXy8~r$k7A<ejZZVy^2i=EF+cDhW*Mz0>s4ah2@_#+Kgo zUw!_P*dIIH`*1{qe_xiWlq32;tgPX?qSQkxROClzjs)|13J(VE9vEX2cW7 zqAR{9uPG_rY^V94d|eC&B@0W6@w&!^O&F#5E~acH1bMdfk>xvrEqn)0a4erb8{lhHAsc_UGNT3W_}cH=z1Qp>K$>V{RycgbGFSRTdRyCg&G< z>3-o4!I8O4De7I>(#$gCXPd6vfU$}~rIR38KRso!BEwN6?@WF$n*%>bO))2%#@NdzWKT^)e*wV}wgGL34B;^be^a5T9iur5e 
zaAo#v)=36Zj1@c86ZBA$k76!c#`HDB=}D{mc22{L$|G+M<>=O0pY_RhHN7jCbvTSx zCP)!q$0<+1U>9|jNb$ELMwYGqAa6GUW*<(Q03Y@0fJEGbFH=Mcg-lI`26!*a0s}_zEzWMAiJW?E#9mdNoPQ0@d!5l zX7WgZ#eZ=nf7r*=9>+s9G-Z%3po0b9dvIhx|4{^5a(7h1^pOn1Pq~@F)NC4>{-wGh zTHufI8JU4`kU8=Qo<&pYbSz3q_vRa=o!==3>y24Dn?#O{D^ycK4^@h7{<*=aLVT}j z%S%*Oq(|8-Voj*_St(EuUHwa<%fx{>2z#AZW4>c0q=GA(pNO$kqt$V< z+Opp@FEw=)IzXxrhS>?bpLm8;_0*gY3p; z()~gJ??eDW5;cob=7kM3RQ+2^F<9V_%1fDnN@Y6?a_zb29BV#lSY@NbuKiHU8f!-g zc9gX)?i}~#>X=w?*BTWpnoUnqM07M(0@vAP`uBWIh5A8NSHKOI8zf=$S+6+1n&#M9 zf!<_}y$)VQGoHbl^7%1@nL*|C?EYyNieC6 zm1_F|CfCf@I5soJVT9(dAuEh_NC4ayC#aOOM|`ff@Rj>aSRBoS&h!I4Xw1=1%+g=>Hpi$ zpbuKG05dH?`xz?P*5U`=pWbQcrGxwjk|=9Btm;kZ`QV3}C%q4k>btS05r*6L$^-#q zkqiI@*yT)-kcm89-b+Rdqa|vvMQcUyp+4>HkpLNIMvy-3LTlH41O`l`p;$w8pFzh#7W)nnE^Hxh{|D0A3sv-Ra`B`1{fi|r?36?g>45#8cY4p z&ZWE;2sZWsTYWI-J2SciYUDfb_Y9_j%4AX44^hDeDXH<95kV_#3QY91B7cP&ieFa$ zqzgz7IHSaXMYc^ArIW;&aa}J zcl`}+n@&}^d&zuUu~(tpSlB}JO=#U*&fW|^{WFY{O^djW7O_OF0&WIluwylUK%F;m z^IX{6F!XO-kU;WdEP!wKByJ3#D9NeT47Pf*bxU^P0FMA4)M^HUJOK=IWZ`ph9>iH- zUXI6ug(Rj8QDPoAW+XDg+)BVBm4DTm2hLYq$^a@r)l$;?({SVS%0NOgvw{vil}T<) zDYtdw?RTh**;U$4-_82r4P32;IcxJRvK7>~G8B;|lV^Dmj&k8he?-%2m9^k*$B&Gv z{s&}K?VmWn(S}2CwBfsGvKD(maMiJt)9uEPJiva)zuE)~xf=86D}Jm) z49V#3GK>9QZd+k#{Km(QLkBI5UO1X^On&CiR0~l(xwbN*@~)gPrN(VPpjXXgN*)FH zxR5s85+Z-8)=GXIC{mmEODJW}(M$s(N4!32-@%*#1`qi7kDrFFW3& zxaog`TPN(c7GLwD>Y?<3PN>aM7bXlaKhkUuS*6f4ur(vZLb(e3{%rx^+|4cUQGOrj zheRiiUu$m|X}l9{D$p2om%p#1N@TwE zz`*7tu>gJOU&bf~!wrC$5eA@)Wwgp7NU;$Xhtm$!DnBW(=1HIG}_GK0R)?@{$Go=lf^|Pwo|Ytw}Ui<%>F+OfsM)tdykg4j2!>{wKfp! 
zLVwjBy(#4D2aX%>j^`m>JQp6Vmk&})9{JpTNDT6Ugqy*}_3N0wr+YflEBON>aE+*L zc#S^&dLlZ^DVUUXxifuefvYwz9P3qiAN& zf`{{`#BLvzd}7N)sw$D!3%OdDez2Hh7JAMb7W9Lp3f#f9ba-K+EF<9M@3)LudmzOQ7HE(H1QZec?Co&mZ2j2yfs$%qZ$;|53ux- zGWH6VLg9*Y^%sTW?N77A>L{Kcr5Z>~Ej}1K@MP{P81oZ~+bjH&4VE{Dg87}|0_F0S z*oniAwdb-u8Cc4WGW3b?aXsbh$!MoBNOS28+g~CzTr=E1nyN$-Ppl9jhm^yy(NQ|e zK$knCo)@;+>iC7?!qxEuG?S&KrSQF`oOWeDIIK9mymt@BcI!9GcZ=&1_Sq(qy+XF9 zUD5twyV?AUEUR$I31+7w3d@LG8%xUf6ugpE11s{+N}|$P^hj05NnEX=)DOO9vqir= zqnE!yY60?i#yr5v4qeC#cYtIsoJu|JA>lD7myy1OlTPNp#c6QYuqfyw|J>nC^xQfH zJ78V0OJQD&jj}Y>Tvmaws5?0}r7*RzMf(NjPGLl$=hQ7U(X@jiqsA8t<}^8#at7=D z4ZW44O5A0Ix?enBK5HpZ3L2(q*?N+)sGW16%i<;U8k64cr>ul3QUJC!xSG(@7x2oX zSE|XCvu5eZblCzZ+YiqM4YXv1rTo1)QM3+>6)J4y2-6aH-S#^opLs{1cOV z{u^ZcMULy(g=7*|br&ob!Wd$2kMkiGu_=SPIWQCmc1(J`Q6-TO`rcKCf?@p-^7O6F zy;$-+%iMf4{70Goz+VF+GB*Pt4uFo4>WXmObP3lh+w=3aKD``9&vU5Re(o*@kCpCA zL`>!P;2fKJd%iCiDfx!!5X`!(lns{u$=&0ylVzLzWuM*b!Nkh%(r9gMMON-vTbYt_ z-z)nD@|ly=t*q=qq4I8s(vxR*r^>BU-uaV+s+hVYq4NJ@>Kmi$e7?3D+iGm9v2ELG zY};#W;w(Z7F)125gp7U$pfBSyPnw)i?HD_jHu6^yj=Z?AY*pyU9*EMZ8yQyl? 
zc)OOGEv6!O%trPb2%X*WLA(H%Fb z^fQVS6J2Vk&IhwD1%0hKk+gbH{C}41wZkbNm9?%KC3h?ZXA?FHS89O zOrHGnt{@9F!Ynne(*I;(v5sFWST%{Lk{=|Ij}tdu;L6r@oeJrs#!4q32pg}#pyKo~ z<9dHshK(e|>;kWG$DLJ>B~h*Gk2F|Bt-UC{)PI7{MUDQ#z(emjfA*LB`Sj4n(AH9m z)gkAA?}n zu-7p9m{qrRLQIEtS~?NNPo^lTSiNTmoAv5B!te|Ub#Z0=+`&#*v~Z(;Tf&J*!&}Zc zf6Egm@%*qSbJUeq+$Y8{qeB2X`FIeXi{LID(l*ttu=m?IxCY_BSnUqGgkRpSoWIzs zU^&c6-sVHZ9y%b}`zcGs{PG2EM3{)uK-54`gaX@QBetzw;H0H(G*zd(_(CG9#-M1Y zSp~M5mExymfHDQ`*FRoZxmq13<7mdrd?QKR*x#^pSIH5&eOu9-yw zz|K7RUm3zzE1n6bBwA%zseEUZ_r)A=9P)^Nq(jup_T+W;jp3we5yt*YSu>4uhB`T^ zgfcJS4$`SQ2Wf@xq1Pi%`m5#%xF^Z;WYHa!PDb-;t0_afsRj$2(;>0VkBTr8)Dwo=>$y!-L^UxIx$uhsr4TwRu zb`|7k1a(wG$Q^yz*s3%sa!l%4aDJz7sZp^sa7Ts=LR!)#NZ_MdKF9H@+BGnzlE?AS z-;+oZlskp3KEh#X{1vL+oAhu*#au>YMcF3w8%YMzHP%ArR!zJ@a{|V~T|c`)4xC{o zu4(_*k{hZAoU3Qwnb8liGSV-!J#^g>GAq=C>t*P)T7M z;z*#o3TB!3=Z%ODtG|T|y9=u8 z@NMt0mK7IB$AW)ExXBE!35x0&jUf1(H%j908?KrX^Kv*v9@nb~=jfG)-ed1bLWv*=NJveX2TI4=m=o*feEqi`i%fo=&NBWC;Ck|oZ&rZo3H@(9!UZbCxJuhKxx);u zUIKcl`u0wr`$-ItnQV2}Wn=t$8YrVOew+G2!)3z|H3N@4%!*@HE2lA0ZQ@!SksCErn-zzxu3Plq8D+gQPdGcvPQC$=&MB}KRn>W{p{#O*;>PI5P=x$jkf}E< z5o$DHmk2)F%sS`-2r4g-D&fQgX|yX!%&9(R+%mX;_&|JcUR3(f@8+H~-c8z-wX+Dm z4t}A3)P)?>v(UN2@ktOlaiQ~%Z$|dO*+Ea;EDpI@9I?hO1?;Tme4z_u&CpLGQ$nf0 z%Wwrj1xOa zZ-2Pp2IJ_(`Dwn^6|O=a<7&f;{wA-O`zJVm00EDX%u~AhAc`SWVhce^W(-L6x5}_T zfV{fLdAGPln~i+F9LRI}aR-ZHFqo90Vvn0uzbt8TLs^d0lZaO{IyC+RdVokrtA(3l ztN-``+G>>wVoKp;YA&35Bj~+aA4RMHec$Uv8}=|q5sm& zUOv&2Z-*k@NCDeU+2Yo6VuvahCqyNx!saa+MTW47U5KZT&A174;wc2WkFDoXpn7a+#!`72Z5Oz|{ zq9B>G&rfte%mQC|gxKfh@vE{X=Wd{V2&2FwWote(qgP z$#C1>t{Yn(*jC(SP8ze!9S-TZlEHXcw7CBuQC=2h?g}GUeSX!FVduNLRadn2Pl>Q; zhxFtlmI~Y7`MS1`{a3{5_d;#R#KXi<{CBaZyM=)R+ z(*H&%US#a@tQniCtTI3x^Ks^dzzrh@u|089Z8FKU&F>WuP&F95QQB-gU7In@h6dK6TYUJU0#iD;ZPtMmlxc zVq=~!HpYd@XPzf8LFr$L_pX#|aVcpj>>l_EhuKJSe}Wf2rs(*$athm6((H*}Il79>;WS|T)vhp_pVfw0 z>#aH}?av72CZIO@XI8gZ8ZF!rv-^;Qg&hjRE%EOk@FL*xU=Af(X1^-xhisfFk^h^u z{#i*{9XRXitD3YraMt#2=~-!ZLhe%h3JcT5#wE&H+Y0qiIS*f{{?8Ru0yOwRJi`L$ 
z@Y_z^8D?@@-C59zS+uWW2*|yvS+xBBRiUARlsnrJ;i4#d>K~I4!W&(Xqa+c?@aEL( zl6mfV@rP`!MSNIj-Ts@GA^BM3tVY;QjG|lQOrG(c&p`gRTvdc$5Jn|RxZ^rm2w!7T zZva7dazIh;ByQqu83V>_xzVV2x@Hxn6?2VrT1(!5`DDAcsbC zP~yK-cYy>%1<;FlNq;{Q^ZW)yJkHE12$9C4pc@M#KwDoIzI$ZfS-^&`^OXRja{K?) z8QwUK*V&gzlY1A?Wmxc!)kW}2j#I1}r^rnLQuWk0!>--nuAyts+P5n)4$J^&0XXxj zD$m!XM%|@|NqC@k-70Fi55E&0-KDS%fi`zCrGfz7>1`j(+D|Tem>yy2>aLon} zdd7A4eDA+f<+XkibeVqUV%DR6nRfp|CYVg^eq17woTYG4pBlsCL+A?nlS0AC*Qq&v zuJGzJ>pcuKcCL}!QwH9}uaZc%%iruBB5Ee0BA+Qz9o>E)kMsB^Q#%|4psT(`jF+5oZr^w1AV zBg?<@(KHUKl!H3b&BW8$7h2jT95;UBSUQlVUB8_*+4G&Eptio6KjRsUO%O_ad5pvA zR|*g$`*7Ag8X~AE{yLr~zHqhedr{iSah>U&ixBBEJwSNt+&Lx<=Zi_^wx<%MckF+F zO!i1%3E?4Bfyn;7=VR=pJ@tV$HX_ixiLBEi#IJ}`!9ftMz)r7QIQ2+6IX;dXl9K~u z43EG1r`P0Yj@9I7U%p-FMY{Y24}Oqc6$*SU+T-oH`z(|HurinPK)tf6L*%wK$VOey zNl5~n!~A1zd@O~p2g_dSROb)#YI=R9$7a^!EN~NT{?Xy_?(>@i*(T-JhLohfDees^ zU?1jVVs9s&dz~Ble~1jtbJ)e^7e1JlM+ux3JD=$%nOTdWtC1*83eG>s zIolDVB&vc_Pk1nm9ECA~>~p=S;2}7pnPnU~9U{vaMG*&F-@M&)OC;LgaCD`9sct_* znyqZ}%V`?U7_@hncy0un-5SfxJCw>q|F5a;0mEVWuaXzoTLtW(F}AN9ueTNfh&H!qCv1Pbd%Ma65MaQvETS zpge(e`}*iaa4ZaB|B@14PMYB#i@ik3n+-)MaJtv_!p@&5ASTQ&H})2P8nA@B-}p?t zH$1-=}4X%MGK-Q3}bP1!XoJ~4k{q6mF_`}R(r8AB1hC+wE=vB=r0DT-_A81O|0CDoeq&9Gru?jLAlth>UP6=Tt&-Td6nq{pBC1qvMr0r~dO@BqXIxmlyxxPP61_ z>5*`8q1cLftM63A&#LN$O^nEzry8wL-`c`9rxH!{H<_*8;~K<345_==%wk`}GD7ag z$^CA*^YQ2X_U*BGYNYj~+*AdCi)SxP`qd(K`VGyBdgN!|%bV)=k$Q%=qqKUf*XOY3 z_mIrEn6rLIb zo+>68>nBiwL5-vC1g9V`8KnU1pIb{p5+K>w5Om@qSi}!8%uc`&qp{>s$|KX0&Th@xDwn!1}TJ ziOF9l=k3%Usl?xT9V;bg+kWSKvQWz05+{Ui1a?aKXR3G4ES&Pv*Owl-6Bz^s{(rbs zMs8W#%C7tq&_497!iNe{(+`6^B&LU76u22;k9N?=5R@ZgpZN>(iI!2yjrG+6>Ze#- z_<0-hgItlN^A-s>-{Qx|VR&U%cDqIsbFn@xNc=is{{GRXwzsi#z8#*PJ+ZO$cM#XM zyrr#*wUpl$g1Ip6aWI%SOoYM{ta=g+ z%~bh($EQUDgPm!wXSZ^G4UuWsM2PmckugItShzY0RmebV%eg{AVy|k&Iiwburhg}s z7h$9$k^Et2j;Q?5xKyKk`Ph$bxSu@1^ON+g4{Qp_iXA>ddD@BBEij>By*Jh5q z0Ie7Xk2o)&jhFL>15;@?WZaWh;#><-5@cYb-542GaCNPLnM4c>;YIp};UE+;Mt|5j z5C^HsC>bL?VN~le#!r&#Q$gs`EQR#}r 
zz>vR6u=LyrbrkG_8Go?4kQ-7-mJ^v1n)%4>@t!ky|JKH+aXlBu1xQf0;uYEB)tdbi zUhGB7Xaj+Px$vx&G~Fj?#V}=A>hZpwP+kEplh?opm-hd@@pne^DSD|2;Ec2jYu~xh zzDi_V17{?~eSgg0EaU6Rx|Z^~nBDQKYRWmql<$g_X4O@P((GG0D(af2rj2&l056F8 zT_g|vl_G$sd{kq2+B}kll*t zri6kXBKV^lW=j_^feurAv@C-COj2Jg$bqj@2C|fs{|B|mAn42ZA8n}mOW(3fBB%mt z=N$%#Hotxh;U;e(dk|LlD<^Deu}Td$=bHE1JuYedScQSCDla72MQ;A9`V{v-1k~4P zD>D`uT1UeLjYv0;xeD1B>~JoFMTSSisA z{<*@s&&YdIL77l=7={C?jhMM^f`7Sh-I>{FFOG$1^Ez;%;};9KKS!-pklrHWSO2P2)lS!#!x0R*0fsU z#tY5&HU_dYR-(4> zJJ59Dt-}ed2%6t8crSbj=b_yYdrT|-u{&Veb!z9ub!xzq3$Z2M<~H)TA_D?Y>eSv; zUB6>(gtI-|tE+x{a<6g|fyY^@Q6|Mn=I{El;o42BN^*THE5 zyg!Rr2$Fn5>~lBx&3_G3{|oI{4pM>^+RK8Hk8GE7?F&D58X=z_JX$zy<`>J|TnMSL zI(G#TGNeA7{FoP7_uW`j4nW(f*${MMGN-krvL>%!PGj6knn@xLWR7yJT#?yFop*}! zj%2*}7)QcuF~oUx^klJSW}NFHJ!toQvcs#cQ|hD~UO;2iz>~9+4Z`jF+_Hwx6Ue|e zUFs#_MR>(JYDU_jwrf#g+X%w9o!&1JzrIUQU0g)r7M@2@Vfkk}^BmZ!u(sgEpb5XC z2lm>M!!Z*uWe;JiBp2uXXviUAfMW3Z2Ls?2Q2D($F!+ITWtsmP5~~5fjn7B;krCz8 z4_L~8v0N44^K$ywVU5qE>w{9C_V9cJXbHy|*m4vjW!okW&Z)HcbHoM@V|*p3wzz>7 zGw!*jirUUJNvo61VYtf&?rEh58N!eqqX6iZMK}m;q1kE zDx~25Da`N$)QKRa;(LXhd^LBa2P4w@8^ajX$&bc%#)};v!R_ z9Uz4w(Y%eBDecn7i~={@7&YJWgVW2t&Itv764+>QimSnZGh+5L#K{p-=qvK<$I`eV zK`$uFqc&N5xkVItx96ecsJ}Kh-K8@oc3wOt2DG{7E{epxSGH+C363|EXMz&V9bdTj z@tx(aBu6*?v<`Jz#|O~fHHRLi*;z+w5;o!WSxPvRKe%w#kvKolCPf|^YV-G+fm_I7Oa~g6=iayt@GR zJ)lU%cSXZ#Vk))@+)ZvTknq#PnFTkb0s=alhkso<@_(yDL)dh&Ve$aeg71Rk^EJbR z($|y@#`1(b=E-4V@R(|uzFxk+=9OUn`P7n*{1=~N`^d;0{8W{byk)n!FosJah4lX# zj%>X?am;A)-iY7Lk_SrPpZxy#;r8t47Q0qfcSeE_r+H%3i{FJ6Sg6z}t2@09@Z!(; zaqTG-FP}ztxX7EIVdI+mQ2*OQ7cvt-EUBJ|#z&Hf?0(sh;F=drs0a8u z!6NT}VqVvo<$Eul^*3V@emcn>H0&O3yi_}0}S{Z{c)e2u%umbz)mBwrFb;(qT@-WFb9-qNrPYlqII zfD`dr@?zevcn>hf|IZ(s)0^h_tC$i3{Xr-2%IK#*{s6FapgK<68$I@^bziZgqRXm+ zp|$7ew!r<8BU!|7_E4Lq z1nKNLHQp(x=3Mv6B;LNMPb+W39yiiU;C_PC@Y1JzCzdp17z9RCc zt8zM9hneHOn3)48c<*8pI|Cw*fu|jyOMHp3t5h>`vnIIyoX2;nTs_hVi7#r-tHD(r zJ9X*ku8)N*pu#xoHa>W3HcxaBd^u{x^4kd5^mJ|a09GtHiW#OX2IzsQk`mjmgC2q8j#;;4w!FDC4bK6x7=@dCBgFYdx_R!V_+^257D_biO1$n 
z2l9E^zzt7rchD#e)9*ZDgXUcApb>&e?J~p7O&YcPT;+|5Wq#f|J@DOe zv%FGi8GGx=-n&0Ug8D#p$-n%y1-hmpR5-hG)c}n+pRi9BA)}t7^&us-( znoUyM%C5t{G}7V<7QOKsLCrRy+Y<&4)e!Bn@6JbbDEp^4#=$A` zbS-7`K*fQ@Mb>+R#?>t_^$ugVuLohvNUl2(PC~Wd%D# z`O7JKaxDiHa$u7Xx-&)F3yO1>c==t74Wj9OC8hZe9@0lo9?~5Rv_*);Dzf4@UinHH zH{Mk8`NGNyIU)U4?&pdPtx}e$PM6J*U4tGFJhCDlJ_5IWD7`1tI^k1kl^8^QIgDHp zP6(_zrSll4F%t}2?r%Wtc7m-of^)#o5iDKypviZ@oYo`|zT{e_CDX#LU3Yz@q5?g0 zH0h76SXTU-Q7CCpwds{pvr)BI;S4>vlHlCMNn8I^1}j31U< z>I}}icnBYK4tI0P6ZTzK+4I~#e%^g|TwE!1FWMwNV3%9qeids>_(5WR15)i#ARc>; zLUFwDM|K|^I&}h$H$a8Y_r&u?gyZYzF2D{|$uf)j;J)Ef#-F!J?X=z{F@RLN|MNTG zKW5t@I2PKKI^~EzdJP`22VdWwc7L-Wt@W%wUTfiB5$Q?k412c9zMiO|@_hZ5v-i zcFH;X?6!!c03Jy?aoZ2u)jECJsVxJgU|3s9jA74^i4Y!tO84nckoUmZ(exB}WeDSmrV0q-CH2J; zAxal7O)VP%Ykk6G_&xp72ptFnKYXw54)*VL|G^XWg9pZ$$dQZNf-*inrIh>o94NzL z0pwQ#;5`9HdBOiRwbO2C^MS2s2L3p@{DD@_E2oKPN)7h_|3IvumE?&%Ejw-zrZ63A7wBv5&}#;KQa+`*d0U>xtoX2eptHu z=iV`)bymABidXr|n_=h#UAeL$O0%Icd(xXV1HAee+i$h~pw>r;67)<bIWC& zLfJVGT3=YF-K4iNBIe4}cj27RzrWeJK=~@iR~qs}deCC;n!et0@tpRvwxf)GjNPAj z6hrKt!rMqa{seWq`Ry55KILQne_Kl8_$`Khz>o;e(S;b!aX=p#Q>@1$%>i@5XDWd% zN-JT?DRtO$RAtTkKU9DM_4hO+jY%2!)KNAN2XtzVapXo4Xv1s~XPbGGYXd@ZX2g?f zS3_?d`W#;U?5@0#x0{c216`9KW5FYYk9R_NSzkE?Jp>!o#Oeb4z@2=Mx1B_-GQlWg zf0=Oo;jCA=86@Bxxr`)7Q1pQPoSoPv5lC8bk3ptlhqYAl{mhIn9U~`D(8LT9e}e(9 zrp*M>FC59Fz$-m!UA1F47Z+<(NR1}fn&it+Vkxt$DgdO*?Onu*YeCma3ke_@DHQ7i z;GFM{)mPK5QMD-<3GgefAuajw=`qC8X_c0L z!eHrMwy(t1mhdog1z3Y9SVG{BSDcwruvAIZ&BS6#Bj@sVyv$4T)Gfs*f5QzWX_>i? 
zo2qlba3fUNLe5x(y26XRiDk?+QoPbLLx~C{53fA(wG-!NgpX$`(!3#0j`8V8ffq`E=jd!)`!U~FlJObzP2|kGJUklUs zyp@%qGZ1Cu7afr-y}F6|N|CX2l&?bw96}NoQvP@X)|OS~frS*}yr!Eg5``#MQ?ZnN zx-F;Sgdx)rQQZeal8ui9&u;m>3n_p7R;-1#)%ZoRl?>2tiL&tF|KwZwMuJu7nW0R85xG*z2WgS@@I>TssmD#9AA!3bt+v_ z$nB^8@kZCSxt-B<=8PCaEPR}-46A?TbDccuZ(z6bVM*#si##)#OM++i!1}aPN?0wF z%~tI^8ib5f_9b29x`o-a80t2+)Zepm7?M8AMA8C~QoMLI2L9{F`mH%u*lT>Yq^Z8o zLd>Y5Cov0t+FHB7VA4a zM9UhA20fE2#psr`T7bg$;MFB8LP30UJA6l8wFE6wgSBglL>@FL3VVT9k%S2$KRtgy z#%s6G>B;oe;j{kyV4a-Bo_e@2e$c!f3~&C<0#27RkN+04j1_^y+c&y;(cg~dt;aNl zn4umXCe1W^5JKT9!I1#Ozl9hOxZWfRp#UJcZ^c^v{lq^Ld6`Mj`Vw+uN8%ri$(ryY z6cf9JRL9p#m;~?I*x{V?1bcEmCyzL^IKyZn@oph)aV#I8iIdERrz06WUBr=(NO1%8 z{sKHLkR(&`VSObD9<-&><3;K+_!)W%A;U7>OdiR9L)>(JhHiMrM^niW#sbdkofu-X z`nYzwaN$_T(T>U;7^DO;M)3SpXvatLzy5^fHRXkwtk4-v&cESDJgcvhPsm~7Da;%t zTdJD~rC0%t=<#PW_nJtnUfZ%w!^2Y8`tWhN5&z6V_9dD2hKJOtcl{jot6N9PNkO<~ zomE=;Z0@5Fi$N{+jSG57rdZ0_rN}5NQZ9guHF8|XygW|JO@h}y)c88@PHKG{Hidip5bodUk5CkjXv!(&H*4}ZB&@ldCfCrwb z$0U#ZPrl&;Lj!BvR}knt)2-n&+-DTpI^=D3B4Fm~Y2rS(@>`ME*<&~$0FM4IsYL+R z5CSyZij0vD1#Dl*z!bU1ncxMxNP9mt3?z7oPJWoa!JrCGeocV9)rta}fE3g#Nv9Vs zsA$4vt4=Tc!e%m`=$iNkyv(=Q%?h#?P`D)8X`93!lTX|VqB6lT4+Vd#C%S#4OM}oq zDRL_qa!vf}1eQt*QtX&X$n58$(~n#`l;!}mQxHjWwdpJyUdx$fcOok>WljEkk@N%d zhmroTo{MvI8dt*`XQlU$X_zvHH^W=o_6t!AAp z$v3kLh|C|Ami;aMLXx@K&`5ZbynF_eOU7;1(e+P;QhV)mTf8Qg49u9qg{jA3>(?hd z(a;)3|F}0AD{3ZE?E~m9m$AMe?Yn{Fa^(d%jfD@JZu)mAHV9!xQyGj-1u-ncd@FFH zyba61eI`w{KvLg;C(J5WU8Na;X@0XCSlDvo)mUVFH%v=rrp8fv^ZjF=bqU2@q-HJ!uj3OG?`tI`+< za5C4xb=sc;#5F`8X`eS?tIM0FK(>rsxeZ`rgppzx^1tg>EWEzWN&DS-B-jP+z*SkV za(B?(CI_1#m0(KlvuANLub&a}u@cxUTFGw1n`fIUgcrm-;XFUDD6gHoUZFaHWPFJ?heBbH#A7jabIziZ z{NpyA2O%PWA4Wq9rqtI-43J49Fl344nm503*$OBVN83Y_Jhvj z!kNpaSnGXtL$s2gDt{xFf`|KK>GjLx(FWXplpN@D7e{t=mO?U)cw*6)-zTiqe#`u) zzM?NE#B39h^S42t%!@AgFvD35@ld;lEPH~ruuX~tGd*>!!vBWkCmrN$(c(oWFZEN; z&WtfR3hl4CooM)P@F>E$)yZ(nWvkhSOXbkH+)fzqCR1Z4KER4Zw~W_E6QuO~)dV_0 zIgHXT++`Y8C^I?tZdOEza$|?f0hJ#z9WHHae6J~!_AC8-ugMU`D}?>kB+UKQ9kp|< 
zDxGVWp>DGMdIioidgPEfp-YxWH^4H9&c>8mNlY7)bt0v+Xao;1lQgTStq_#0!UXU_ zxI26fUm$ij5zEICcRCYchqfpmxgL2OW^YWNy16@E(~HG3UnwmKu48v=yb9)R>F(9b zyE0#P159CdWjBT@n^l74;EeMJlQ=U5p4`XBrX>dStlb_;lOt6jBRjH00v( zilz?+>l(tExd<1SDii#78m&u0OP|5Qr*?e^b~(K1x_OX}^(b=QsQjTS=cM*6mah=r zvtGV9M&?vPesy58a7o5t?OVu2sfPRt&1Ug&*D$l!v*Nf|mf5SXt`J^}fI^7?%Tj*_ zdJtfx_!mM*T+*{yu+kjv#VYd7{7ObwxZ#())PNNkEmKCXVYGyHD)Hh5#o#(0JUeV~ zf!8v>Nu79h&#hEIelVl7-wvGKEOlTle&0{4U%^O-IabuJuJ>Kio}2XaEx)tQ({idY zIwfPn#E9#l;9Ry6CaMAZ)peCPx#faHWTX}*t+4tb>xgd06_ZF3kt}O#FYU>ZrXTrd zsS6-X<}1?(ze@?HW*rH-5vYC`jf5i9!!vs-+drG_4#rU3legkYS3x!UxjP?EXkCgPZ2NDPIl68MGV zvSY>k!6%z<8^Sxuh+i1ojwVk5^F~{#F^}o|j;)Hl_w(;xTml-KR@92_^lxj#pI*nY zJ_T%~U>Je*EB}!l50XE0=t=$Hbbskww_u7_}u2Y-ZDTR&iFazE2K&(=yr1 z85#Q7f6bkj{c=RL@BOM%dcx)YCNIyFB1D^B2_NfV>fw^i%-fgz3#A%97TUCh2jJKX zh>l?Ws)-DfS`=DiH1CPC-)hiuH*y25@#XJg`I>B~`$>fnUjQ~zE*|7MsGUf4yUC!A zPUYx2UHJL3`A}*L^-59rWb{?EGb$0TrFFY6D^iK5m0(=DUKLqN8;66~zU6|RZ+kgo z7^m4PFs_`h+eOz<1517t?6XjIoe+3V!TDlOH}-F30LKiuK7}pfX2|>`R|hdYThYX$ z{cUT)`!SYIR?P({feWnBj5ZgN^)E}5RI`S@*VCy}0_h-?H^pGQciJE&QZ1Vo=r04# zRBn|b&P52NzN3p={7v^rv)=mt8qHU?cl*Z$J4POSpZyOyJl|v_m{Qz&W4GM;ONjcz zUxcmApCVFi@!TQs$^nR7IddAs3{@JFH>K2p`$*5rH^SMT`rqnH;d6^slD;?4!M5rJhxgM>!JXtI z$Kw9W@gIxO+7aO-=RQg-Lgn|*y8v-2mtDS`=6(0sM504em3VT1`B>nZ zR4D&RbvjacH5wX<{qELqzPV!9S{-W8`)NyiW-l~Et&kKM^CjcQFxoKBa5!opVl(J$ zp~GRum^~L3JvU!=p?CWiJesMns+W9ErRK_|uBXGQerHVtfrx&kg`v(90_3Z70%8=o zn79M}1{nhlG0AT+wl|>?k}kwibX>9P%=a=W?SckD5_D0@y$K|{UC6Eb6nBO3CfkqoxR%bMM;_VZ&3b|iLV1@&xu*m{E(UtQQGkD59+ z6Ta!hJ|zef-kmg=-a7Cf@QQRifJ%RU9+O;|=o$N{fVh0f-%!syqycdPkhWOMNi0bKvGYMXt_kxLO0rt9Q~D;Kp8Db{1}?J_Q8`~Y*(v22 zkID1yoHOt1An54CU+30>bW^aeAyb2M&YV4t>9wcZ=SmJJzFeW^l|k^OS|9r~hZ#HX zCw5^?%F2dGU%M#L8v?3h*39Du+ZOLWLd0*<^YJwc>=}(CEu49{J3`z+ah0?&CR-C? 
z-iyn-KD9X$%(KusXjV2qx?Pp@{fHxd_izf(h=%eQ)PV39^!PIr4bV{XFj5bJh%#1- zn8uK;dyn4DC583q+2~>T7op-S>fnCC|Wdc=K137DZe>Sl(F&aBDP zQO>Wuwyl3VY}s%1c>Q^ofZ0R*V!szql8Ucmo@_%|$e>+ww!HMg=)?)(2WqCaU>Q;Y zPpsO}w~dt1U$*51V;U-0PyntI_Om3_%LqJYT6yGz+4HKbU={8%oeLM@&uTEF8RH5L z^%;qITNkp!m;P0*3h~qu6jn!cl*i~7^m!UP&xssk`jKQtadsS*uVx-qT z%2zg≷XR0z7qjF@^Q|h&(LHITwVxjC$3q34mQ^Lx8t1$;q3%pR0)9i!M3^!;wg4hsWUG+$%N=4&jGEE`=*#>7GBR0YSB=$f0;g!2&DP z7ib<85Z9$zmKmOG6F|0&4C-}@Ic^S~v4vG18@BaI7&n9k_8a+EbK9+)227>Nt@Ahq z%~DS_9QK`wNDuyHI?jfpndI%Xz3=&y{yRT~#zCzm6Bof^FdLLr{4-|z86uBVDUn)& z(a0|4-h3;Z5Ulo_tHC@=pp|?8io3f`L?rKba2>=06r=85jb2GH-?_;Fw@T>q`ij)4 zw@Kf67XcyDJxn9T6i?!Dt<^}DG3^KgBAHv-{i78kew*|06Ao;Oa}Ep}4v#cRvDn_`qz+i8nOf{v;1-WJ(ZN@Zq^hlHe(sOpd8CWf-oTeLplx z=%Ffsu3hg|4z5GKz^AOfvkE>|@;R^7tJbk85PV}=*vmB>Z6%7~gCUP-J0G=ZyXZed z*@1%;&$uD|Y!(5=!eK%)a=;~>S-d2~bdW517hje?@Ug#PUMEHoMgi_mZt>Kki!qE) zAZ8P5Wfphesi%(3Nq3Oz_@a)(V7YtVp4saX)OwU5<17jyn!CHV-|y$%V18UIPO7K> zNaCJae{eU4JG3xux50i7b69uM^C4+p|{-aU-yRXGdYv+u60vl?L1nLSAp^|ymflp1HbO+2o(ujO57mh|>jN_R7!3Luo9^?{b!E^Ie>nkU*IazE1yx|nsCRqz|GK$A$M`J~A zA9ybhH4aB>W-&1-39Fi=9psGbh8r<&rfkP|mu5$l81E6LZ}t2xww=-v#`&_x%vb#K z<)q-oZxnLn9wgRiTRq4;?X{W*C9qO{SVHH837+497>}nh|2&cEE`CC_Ua7&PtxRGl zxTRfX>jg;fz}@ReJLZYBBu~1tc)mH+hCj_7Uh$OrL)!in5yRns6ulNv!hb3EL&Q0I zqc}_QP3zS|AIXhXOp{r2^L~Vkb&Zxf#@o6A_&%vz?J69)KP<*Z@|)`=L^~ElcL4 za6^q$(tAWL1J9ZeP}D-8dWY9vbd$bNxORC61Mex zl=4HMb#(EOSLEe!Q*|M>|k-O%9_ z0mX_z)#$btd~CTPNO?Uu*=I4&TtqY?EEDfCi=`j9y8UO|w9!wcY?ubqvd)Ah>Ye6a z{jOG2*v#-f=beWu-9z0rvkA}$6k=dvFTY(plz+SU82fwpEga@PD)&Z2z^wHcO4iAJ zYSv<}_SLzOrAH~Amm`aGN_Jfnv*hcyN>hdurbO(r~1 z!pRV|fR}0@uJ;)8%8RIbX_1Z1B8`#N)-w?}|LYH5ZozOS_{qJOd2}JoPT@sp0-!aX zlHhOm4`oLWkw+@qm3Bwm@tZH8AYkn)INQwWcsxzTno`dZS;X>QsP*k42G-$%6fHH$ zujLWsb_}LBS#h-B?S?HG?aOO^l^y|M!Vnjq;U}+PL(WQ?tSXS%e_Y$W8VtX%x&3KF zEAP{7F1>MC&bQj6G3A1Xv<5fowHB5-wRR1HxGlH=f;LO$$l7dgyW~?bro(|@V)g1m zD>+2)>|dhiP}HJ`BKHKA3QaNk{Jt8TGgkxBH@wMBUkmr$R+{t;7aJYV3yVA8ebr|7V2t#2-#qoV z>w02IQ$jqa8ZNk;(Xh%g@c}a@f9YTQT}!e0;pP~#67B&o_MZv1Yk7p>b)GJde9zm$ 
zlaNh8ij7a{6HRfzyR{40(%#b1Nf+E?uPB`gvutFaRE3^a%E5=ce3kb34ye^;NNQr- zJyo6b_EG}q zGZJ&KUkv3N?SL{XSTFnO3|XAI^^K+oK@rYcrPxo2h zr~aqL=Q;_roDY5UXc<0BPs{y=?wb`KViD0Q+$~Ux7db3kFC0|ZzgMg3&lCSzO;s^& zKtp?MYtc!TjUhkdZxE3iRjVB+Hil!v9ubz)8*!rF6H`jr&-_28o-w-8W!c!aJ@Lf0 zZCexDwr$(CZQC{{$%Hep-oEdib>{xs)oa!MR#kO%cd4sA92A7^_|xvH|7dDSgu(>! z%%XbXFM=VG|Lx1MybMDwXNxZ*W>}*oaz=@B=o*+0oTDRy$BMH<(QRL`P zB^0IDFZt+xY*#2q#hT;s+PUTlG0lwR*H)pT)r>Z#OHYefB zK@-P$4Dr6*7V?B^EHMPnFk@1Y8Y+(^YX`L@>%f0O;zG3@mNQ#yblN{V3XaiGnkdHE zFM`Oyl9W7%k}4VdivLsO{X;R^p#Kn$H-t3bgd)U9n4PYs zsZab}C>BW@q{KrO;!Mv|=Y#}TUxJrmtqi{jza=m7Lv&=+0Pqcpq#+Jeo@nL{>S*SH z|ANGW9KzRkB)=U`Vdu;OFiqg@DI2pP1MG`fsF6z)0>d2swJ~@*Ekhj0+YpY5x$uf< z3a_9#Nj&pit(L6~z(mzjg8xW#R?3$O`I5;GXntr!lDzsQl9Xsy7}+&8-`Z6D5;7x_ z5^oC8Kpz-xyC^3K$|NNmPio|rD1%1gh+~o*ePC3)f;&H^_Y0pPxS(Xo;{8Bf%#U><2^2vVj=|Px#-gbb~TYIAezk66wkT5jV1pcs=R@=!hJEhhHL?e%4LmaXk0p z34YfcSUEiWX_EpM8k#Hp3#;4LOS6{4?Vs~h2?97!1*>^&Qt#V7?XkucV`_xh*d@|$ z)s+OY4|QCzpa@ASbmh7qfn3rxj+>75XBWe(uGE~W%cp3at>L``i;fZX*p@aH`GcDW6>?S%;oi1e8Sz-d)PX1i?&y91PY2Y!J zo4H&GjQ%pi2g*z?^1YT!t#1*jStCcbQO2s@$@&B>tPf{gX4!eg|IiY_v9*BwVB(}E z8z>S=tSS^j;rV|Mg@jrJ%`kViI~_e_N^>8w_fM(gtPs7^((-R__K08aA>tu_d*gmu ziiVK2#ljSD;T_Wh6y}q}^O+1`5p`Wa41?QGu>l9r3X|KOT(sF&9TIjqb4zPPOP;QZ zBJHD>Uv-qq(C?S46}JUE|5Pp7=aC{l$ki&`;VuE^u)riV>zQgAzD7xknf>MC&h~VR zE^$o)h}eOB^J6suv-gFgx$hc73VRl~XVc4Z*|Id+)BD^TB7OFd?e|>WWz`Wn{>Nce z{RicA&xWC@p!HvJg`b3Km{_KzqgPeJ4#xVCkq_NM5J#5h5eHTQ8;o7cx|dlTT(~*c z&xPX(fGb9D>&m?w9;weM`B|$If_Tsb!wEX*!wLKU1(5{tBGO>`k_igW$oXIk$pD>b zM`=%YzlOHDuG?eCE(_~~4E#-S%W0$B93gOFuc_O{%rL&ObJvAjU0QE|K9TiLg{a& z%rg5e*devThF{xxiN1UWIqNIWLlBTh@~!VRt<&~vo6>Jb=%?jPa zoM(40PQKAt5-yrR?PJOJL_}g0-2?;XnvT^?DZ$N5h}kDOtP57>+&z#K(QSmPU3IR_ zg7ZM(&q<*kLLz2_rhqwX()1kJ^KpAAaaZIL(jh8*Y`ODsD5)^0DuwCBa8bd``tnE^ zwPfbJ5m8M@UpkUlm6~aLssE9YHGu+Gqm?ojKt>H202#5N;z*#Tb0NSbML0l_e~~{c zdtneM4`&eQxbXk7SgLScwlRuqZH*s_8>q1*^|}168b;aE)=L)A8-mCbp_W6agyIaBYn;;6BQ@sw+ZLAE~PmmIO6gIK&ynF}28pps5269JNRr zlv=^8Mkbk291{L}U6-GCND{2vJT?lW-TWL)w%%5NWV}|EBp;1nq%%qqEE!@^*MmID 
zA1}wW{u|B`o%>Uur!#J4ozLKOeD4;_Kv!UzwO7r+!|bo~FLW>mRDq zVq46D*;o1C+6$rYGHO1_Yh5z-YxalWux+@qSi-Hf)F6O26g?410B;iE$|(QgZHWmk ziHlYP18iQH5|x&QChwc1){8Gs)kSz$0#X@Sejz8F)_!4$GK<)tw}9k$ovb8)H(?>m z>Zp|?FcB$alXu0VuB?vp;;?OR}fze65A|_ulH08x`G!Q#I0(zgrqR`SQ10 ziyyP?;fLG^Y;}6f_YdhJr?rz^BjZlflHPlOw0$q6S%AO?TA_2r{`bPrkfEnA=AZ?^3wi#8_B#H4ogdP+BfiJ5x zs^VD-YKBvGLO|qcyLmuVs@wut24r;f`(`wp)PbULDbu68m}#XIPRO(w3Uj$bsqvr_ zzYpdBR`F~<+fKVQtK}AvCJX!SQ-E|+sx;8e4}IFZVDJp2Oz5GZ5Z(6{+_F1~gab8HL=(xCdcfQ1k~ziqWh9>dN3Ge9+WqO7QjBpLaC#C z^dNe#tZrqTXB;%3=raxrAei5C3ZZA=G_YSt|Wvp3&H6;Kq$Ab zV0J2r?MOHInMg?l#S}ZX)qLjWcH*F)6QbED<`I^_?og&&x~MOxv(Ko?I*EndkCm;` z;HWY>=%~O7oya_CvRy(DCHp<-4W$)x6FzOllW)7-uq*P}X1e^oHM$_|1-vbP-1GU+ zmX~HHR%X}OQIZ%sj4s%Mb(#6gNzCz z*E2{&azPy?lEz>;Ws?T}oh2SfyoC2nJY>Ku-4<_R=fLG2lW3_k9P;|$VM*mSI(pTq zV4>L304@cjA)mG#6}CV4jJveM;8yuh0RlGLNosH@KPZS#Jj_Tp z*)$fsUiu}WpA6n$7zkumu3;eHt4!GU*o~t0=Q7aZ->qRJVwDB%qbP|u<$xy~U?k)e z1R|+r0u!A^qgc!o56%`HkHDwidEh3y>3+ii6J~?_57FKbfG=#KA^nHw0+cU#h`gzE zqT>PsB$4Q@HNi@ViIVuX~`e`B;98XzoO8Z$3kse%V9j@qkip=$N>OhR) zM1^LKtipsNw3v62NU>OD7RT(u1XQ$`!tqAU^i^66$$`So_$MC45o-(~-gl-*CBQTD z8AoXFDlB87usY4ok>uu#`R2!KrREASafRS3-Ur6b?eP_YxiAoz$K8{8%jWeUgXNt% z&ftDK5`s_2maUc{CxG>$n2NX7so!FnhZ{&Dw< zCQr3DT51pIk`S<}4{8ietZ+(uv$PYA0g%6%{|X0%@zMf~0nq%P!mO=WXoIdrvmx&= zmhXyji<-Y85sgp<3StSVX+>lou)7y)Y^uS2PhjVVjFfk3VcI#(L>+qzt}A}`c)H(q zKoMa686Z(|pK5`bD+lit=#^RSX^SlaxdY|w3mWlmeJvR4gm@p-4#_#oJMM5TC})o- zk{oP^Bu@LMDP5HLx@i#6w7UF|?ASLW0`Jc0XdCpeXrWm4369rJ2>_xcK}va*CqXLk z7a_V}VfaJL&P(lgcfK^}RTB;Vta@kI_>TLW!yleAV+=_l%^c|_XvX{^+iG+vMqxz7 z@U%KzwzDp82~RE5%1D=bAUG75Y^RmR;+N=(c6<(UyxdvdE=d-WW8vB}OrzWIb~M}E zXVt2&y;Fq&)5%-+GG(mAshRiq*6XPdx*Ap*&>8I(=O}xqRx9Q1$gTe^_oMe&v}PY# zAs>aiSL;W+tLdVzuj`_3EXCCs=C`Xe_y2+-i+pt=nqc=z>M08{fm-;?diVY_rZ3g0 z?&{AaUDiJU=tch?Fu*N>fR9`i`$!$k&Fs!Y?6ixWyic_`LErqMx9Z&(*N?^BmN*4E z^&^KMXsMEu+lHh(x4||kFi#qRS6)_UDQAN3K_c?-wegGt0T=KI+M8xKXP6*k5u^YP zk#_WaVxQS^$iG^}l`}&rB+5dUslJKXlzDTL@8#7>v8u#1X5W{%|5Oyp2F;A1thM&rt6)49C^iPLb8bL)UpWj?hu5jUhebCrCe3ev5 
z@78rFu`JoxEo|X;E6Rkf-bOXh=X=3dpl#j=`Ko;Sy|FQx82?f?%u1l53&p*dvnh|y zo6*CP=L~&~T8C9@fW2^d9Mo{;FeAICo%~_(8Ct^P=Yh{KdxYni5CXU>$gqDM3d1?8 zCm`yi)7&pAU1kpUa8PYV-|wf7ejyn$R*;M5i?W=g6)P@qF6>bB4(+w~7<#b&+0*b| zDwt!KGgtzxe@{whP&NnqEU&$k4D0-~zhScc)U5>c9bRl`LLEZq(O%uoO}6MtZs&fa zo$gKV_8mKweh;5~y^_zA>jDJkL%-iiRdQdK{YJ_QlUmW~1)*NzJebOHZ2X&U3^!~E zIWvOdWaO-Hh1?ynluMy-a%MPQ!WsijBMTkY(^RJD0Id;E-V5z<%ow6?Spq2cUHe#q9%JD@wN@yi`vIAF_5JSmoeH49umc?`*Z%2Lm z36}zUN87#5)l_5PG|Ww*T|44CmO7f*_sa62%3$B` zvmyvp>(CVDgM9y3h5<lElp_Ch7?c@PxA7$|Z8#l3E$zypGzijS{tswFbH zOqjw=aFmveGC2wfP#>Jzf~OiT?u)UNmO@19_h-sD6x;enU2>eF(?3<}z0HO@W!4rf z1WjnO1aE2A^8{$!b5UD48DM&zXg>hPixP{aBCZt>Y$wuWw|1}g9^uDoOd{ddvJTOv zwe?*!Q*}4fju1j@ssHL{Xl)bo>B>Cw0_;qBTcOi`er`nQ{*W-8Mlrx2r+f$0--Xad zE+yZ^pUFHo0SX~0YeCJRIjYtp^vp+j{^3!u&fZ^7eKsAy<4@6(&b&~);M5<^q@E0l zkg+QJhZ%_e)r`p|qSe5;`DWDOt-F_RZiFmurV7l}m+2MH7ecDkN-1>P9O6zOua*P4 zvsIma0pP_L;7#Y?0+Cr4Z#D$cf?EnVpv@D^(gdzum!JgegLXY{Vs0+;1Z9acO)`T1emc7kGjgCQQDx_E%#iI=ak z#SXy=zZG!75iXgo|4F0_rgrAj{p4yiwDaP5eBrzXgl0QV9f)i!_sAQnhDRw3%Db)Vbm4m+r|V>(rGd&2upT zvVYXSR{F~!@V#!vu>f^(eB7Z#cBpq+0^U#Mf%#Z0@gm)=q7mTncH(HQ3kCLIWmP-l z@-oiCD&#E~iIUy6|HnDWU!hM`PL*>o`FD05(#s$_;R0UOagGKjB z(j-eNcMua!%{fbh&2th6yRtxy&8ipvzjSx*_$i5S;+ zm#eD`-F0}f+VZHoBod>3u9Mn;3d3#a3)H0(xTr=!e9m@Un(vRG7p}bJhZ|S|Av-(t zWGHqAMlmDevsO$6qdCwulnX;D*4(>*B&9%FR+7j!$%ofD#Gpo{1jMPv+S_ z%_hE)Up^zo#>eJcpQY`wrka3sJ@HYU`zU{VUrzj@5N3|nYL{iHznPp!Hw7j$h`e|F zuoN%$HX36v-0A?i+tD05k^BRyD|mH*%2g0c>M}hXPlt8yDX6ksL+chh>Rq6|J06Mr zLS(wI83s(eS~z(%;IAeQHUbChW~>TQ7Zd%$X+}_jwZKO?I_H2EMGVj%iMlqWtf6bd zxN5!dDvO+HTWQ@esMfSh{lV%^?125Nr}rwL*4kE19i471D#LZa;g8wFF1%&vr6Sjz ztlaB*b=B%0)*v67VFaLev5x&m?gjNr)%j}NaCpnrPU)3I$mpPz4(})c_4S>>b^z)F z&?nmf)bq9RP`)=xX`nCP^Wh4@H?vG+KzSs-31#YJGzGV-{sN;(whQe_)eqL%o_RS#bDafhN$MpCCiI_aYGsmy*ltlB zcgHR9ZAKanuFICE#j^{?o%2)`n2pPwSf5++kaWRgk)-YI?j zQK+fnA#)-GBRrA6X=QR$1*?rHobzAa{&BytxZVXnd;PB7eWZwi@t1Fx@`DzI1R+^J z*HvS1VB3lhR-|!&<1@KvDgV^cp2V0`3HkO}cJ=oxAs$=%O>(DPxRTgporwvlHeg7M 
z#Mydw(Sh?_x45_L&y%m*woLaqV@yC*UZ`69=}}#iW-#TWx9KQs6{f@W5B~HE-PmiZ z8o<%-FpTCxfg62qLVX`&jy0I>qa4_ycI{6`=QOaUbv)J|e-Y zrg<=Cp$6uAZEIzT-emyy*C33BM|uCSqId=vgjhw5D{C|(7|W_dzT!%4*OI(s@i`fX z^07-kC0w=nHc!oJsS{!+&+Hc$#g%-*Ifyx#bsHJBW_&)U+R`?jY(ML;#UWdwUoSp7 z6I*HuKZd`Q5Q+@dZc4Z9QuMWTXEO2ivv!;vmSzcX^?t6>vp+i3ckS}px>BBbp64SK zZD*3J=1ALaN-xLQnYlp&cHdx*Z0CJ_5w2T@#eldZ1n)p+1+SMseN)zs> zFSIgdk~yhOjrMM&4UsuWVMz!I|AZli;UyqHTO=WqgRfHvv20~^I@H<+T3rN_I)2QuuM{b zRj5)@egkR7d6G#$^uZ6tGTaeIDRC%U)W1PDX$rtl%-QW#0!(!APn5{-%c^CjSe|Iyek}uV|3(=NeEVl_>t<&2(UchE8<^!nJcJOTf1k0k5shUq z4NTrsujuXjcDA)wbbr0hQHFg6mux(`Z@-O}*iaCIThHm)UG~(zAPD7G!Lt-o@1~y? zO(sLIZS;pGkKQ26N+B=-x)pcJcfWThpVGh2b;-8asI6pa|JL}q4%*gp_h)KCrnW$C zx9UWAC1JsukXKb?&J!LfnXB$n@MoT^?X81jkRNi#z}N&lp!xqTv?J)#WpQLu`bkH) zCYl-ek)f90&Eoo~><&^$60X7m9_DxZg+;1Nfo1>gef_L$0jgr6ND}sJ7{y=$l)_mn zZ-LmLV+6XZ6z=|DI)0%{WWe*(JCsh&Hq9sQ9u?2vs|d`c@wkKKyRehi0kCZr!^Ne| z83tFfVJW4ri?>p>b`$paYRxp)HpLH6NWaPQVtrTGcZ;;%|Gd^RY2-)hfyVajMp;Pc z%NslnY`_H$qC7u(X4GxZ9lm{5%Rsm^`GBKsw#cbtV^Ym?P0zjxX@01FuD(fjv)qHd zyOS$!;Qg5ycmgp~Fo&tz;0LK3ZVP~L_-Kki<&(?4r6-Yl=5QDs1B?W-{nu?&z&NFo zbm}ROp`CGOu)yqWl1F1IIUN2cOi_stj{4aWfeKg|s#J%=73EStIi;q*A%X{~SZ4S3 z)7%tPgmTt4sAa*Hyh78Q0v$FLhZ75z#9LT($6R9S*0dw}M7>Nd%6k=34I8hrXWkMy zJKku|{P3sq?~z=W9cVMkKH+(l5pNR}638@L#SH`vcLH6>=!X8X-VKiXP5vI`j>JIE`pjqO9A5JTa$}V@%4gEK0!NIyO`@D84s{lil zO%m#dgxhdJN4U+)ncDnZ-qgPzfyFMtxRKsJF%M-irdQo7QPe849X*X$R;{M2JRq>d z{IJ`Wb>JP=tO5mcPRt(UX+N}>JPE2^8$gv$-Dl@I>8dL2cRV*YB;>fSEsPYl4r+^& zGedFfz!%_$oYz100>(E>aSP2Sh!)OKUX%>(o6K?KIyuxyHkBgfy~GJh1QI&fgN z_l4@DF^R&k1`SZ!?J^QcJIxa^4+;07tyqDpHXbEg$;(7O4+L2dwLjmV9ccp2xr=MJ zoqwp|UYhQ0%(7x|^wEHP0!{WCDB+H{|5_f6eL0vT2YTiJ?(Yi++CKsVBBTI%1_RFD zS4|hfyyT#j#waN<&`fb0^*|o2AQa_vON;*F00Q(kT{Ml21oUo&3Irhj6hOSuY>36z z@^g|zK{ASNzart~*A6@PE@o70z(a)(xi-Bk7J>Ba=mw6(FQq1jTsjy+31dY zVclV?(#*QcG$M+NtQ##vp83p}VE{@2+im$cv1eRgB!04zQq6`SY%m@Y7>QcsZsV-n zIpG{fXkL`kYmE`+`##mjkA;Km4O)aM+O+&6bs&Dx@p~b#=rH&=|-$ei1t zvOh)ti2WJ6_|My#+<6(AZ*W@)F3|PQ6`6aeZAuYJV#RQ*y`uPciyimYbR-CIG;zT$ 
zq378ku$7!j47Qz8H~Kmn6sPNB6H{2;AFT>?SGB4mbJOf(YfR3vm$>n=v7}5Q<;s0e z$HpHzn@>yJ&U$ee^!%%Dfx91h?3rW=SJDd*E+{UVk%GU;y{5;wvAr1boMRc&lkjVd(8Z5TApS@Qdfyk2R3YPi-B;R=$OV~VnS&#s@c;6al$bAu+2pn?(tJ(;X zNHYO6ew0M~UR`zA0l$n^-hUJ+6!}Osr>PNcaD1+kH&7Yl-=q+5F>nlVJ6lYE zk~>~}`ARmJL@)|WeE0zx5%Q31U~Jv;vw-*^?!R{2;MBV_Zgom37{ zr4~_Fz~yu2cE1Y+JP#$pyHTS@3-%+R6_~OQ_V-oUmj|035E{u(Ji?PYpEBHzRZ}M} zZLIpqezaf4c(VOO=iZxw_H0)~{T7e|qRl}-W%ytmS42eSkQIbvceK=43f1{CTI0{O zSq%&lK|E4U1{xj2&}I04sShXyz9MR8yYdH6pZFi@B>~hY0;nfb?1s)lm{$e941Dw1 zI5(pAJDR7=r)eVf+r5wceeTzt;~og6*p`;d^N!PVO#SXpL#|U*{~i$3@-?3rCgT$Q z+X6fcUvj71#TUcJ-W9{g-)sRA(_{hC{lB0Hh7S@L^qk1}A$FX`@Kn5sXbJ=IyF13% z0qx_CaRty^q4>X1tw60H+SmO}%|FS5N9Ce5r)0~W#RI^s>jtZgU%VxSU0V}*k5VH` z&iBb3pXO{GlO8x|9^muOZlr#T^AjRlMT+6J&SLw>4_UY>D!q4VA%IPtUn6P_oj#CLO6v22KIN?K~=;1 zkd`CYm-}6IGnI=|iZbp!1X<+N-I{yHUoCt%6u*y zck1?b_A1gxsXid;FOOcXfC8JEHbHr+c-twfc>Dhg5;blHQQwQEKTp$3Q?}@eL<{>A zjOVG|Ghv(YI4xlVu<`$0me9@c0BkF>7G;AJ3!RyvGH#f*4i~=k zU*eZY;{dj-F?O|RKt9~OV(mgZXJ^)@ccb<@48N$i% z?oW+xsub6vGr}@dms?;}SE>1MGP#^~gUQlD%<_Gq3Br3Uz~SKtDaTbV8%d2nUzS7< z5+70lnMaJFGw4p>=dFO{#(xW`Sl#$ezgj86^f_eB7KRA@THJEM-`c-D#8g>9NR_FG zpDlX`Wsf3mj~qeTFNp^%cL)WAB93J2fvg5ibJ%RGs7p>8R}}m*cvb*a#BqE*?&hDw z@z>DoPK6|k-QOfbkUF?qV*<>k-V~;5Z~mxq8iFNa?!kqZG{auoY>7P3<{|<1Lo(enOA!+SA@N1CWBk2a+3P-w=&JA_a zprVu;kTHCtk}4-)1>5{Qqdd7|2Ix+&P~4f>lQ1x|-@+i-geW@0h|u=F68?ZuAR)?| zuikQofhN8gZ6s;ApUz1&T1g(639B@y+s6^mS=irgORx!;pRApYKNzrW%}@^ZQ}G{q zDb3tjL9n`e&h#t9Tx2g0kI%=eLo~ml=Pl>o>Kkc8y)f?k@eU5)oJk%zbG-AenHrMPJXW$m8$nEw=>Kt=)4% z+D02qt(#|_k2BjMRN(W!2AcM(do)M$R!JoSKg|+wytQ!-7)qI)ovt1mx+6QgkRF$5 zDmSSKm0f=;H0=A;q=!t)m&b{kJ(CS>e=1{->_pz5!3;c`4Gnb~EwR*GYcw#~9txud zz0WkKsSEL0JbRa0>U={$U|tFblL|HlqY=Ea}I+&Mu)l53uIo!Mc*sgeFz= zPomnk>T{))Ffdcg$VWC-+(U~Oi7p z$uvIeXz!3(o4Z(8%Mmh_?WrE+w9Zr=8Wo!%J7YMia9hUFPfg0FFU#vLeLJOjAQU{} z(j7`?VcJz@%3h<&v3GYQmT{`T2F0^CnK3vMd88GG710{k5sffT1pDtP12HT_6Tmd_ zO7SMj2P=60x^lM;0$0$rvR4IY1Y_cfDZ&S&qEnofWhg;Zzms*k9lhfwyD9hd&n~%b z#d05HvALYM^S8`hjg%2>8Z9-Hq}SZBa0539VQNpcZ=z}w`OPm3O|dlwYari}NZ)={ 
z7$zpqh+yG|%31n9Cg>8j7L3&|Ih9546+hIQ{xWc@^MmmP34f<*_bO@} z%@3AsGo?&ty;2!mvsr2biZ?siEYO)dvVGeA{J7HgAlaI^N($N6wutLHxee)NwF5TI z)ay+l_pw{}dWyxo`cirrS@pXtHFyj#*wKM9Qtr`K80O2OU;*UD)-msbtBo*?j(7?h ze%jBHP>Uv;@<|_Ym>@q{rOuG~hZ**VQw0B;ug7W_0+y%jW|I$Baz|^Z z7$7rJhKVI%V@(&ZzNd6Cq@$#Os1biPSZJmS=dR0Ds+&x0Wrt!t6=#|72hdh(_6t52fWL-HsthUQq(OM#l*KiNxO+3W_yN!Nf zLmX%T`e!2*VcU%91EK%EFQzAGY|kYELwy78!^Qy4WW<@c??vs+J43p~akTrL%0isb z=9!T7bjAR?7sm@CEfVJ~?jh8&>KQlt$bc?;Da4A64tr0h;Li?Kf|AeT~wy0+3zVPOq}E~RV~&YL$vzb&pk<7N4ia5r+EEF-pD=Rb6?^o8k~Be8B7 z=$yMI|1rH?^qv#um{ZMkcKHT1#-qfkzcM11={>aWmUY+2hN(>dD%!3IXr!jQO(b^7 z?Q>W3v61BeH&NdjK@*dovnuJ zHNu_ivN56#B+%+nVaNUZXU+9eh#;)I;Xy!Q2GY}5LDlK}QOyPXFK6k-0Nfrc@YOSa zIQ=J|OVuQp;9Yy$k_Q95aen#}ugTV-+uoYwF6rG0B6%ZKX_;LZy&iYAZ{v<~k2S%z zlsj8yDH?tJK$pW$c9XzUZJQXY(|#0Gz*K z5%3h~gsqe9EJ7oIv@l|TUknaB!i-(|={itz3{EDiyEmw}n@oYpgNppQg(aMxKP1+P|_l?NYhu zmeWvjXQp8tO!eH6ndyf!JcwtfVWCZP_dQVT`BODg#c8FeXWg|@X{Uo2BoaxWjNF_V z09b$N%(v;EhOL{K2GAMC*2oP9Zc_|0_{kHK9!7%8_)d}2ZpnjYzPri|{rzdNocVMD zeo?~n_P3ilR%xn}8P`m+kuLMjRPSKH?LL3#?YBz<>y z5auCXH`3XD2pA-N1?e?K!(3!#r3TqCe1^E@F|NbL=v9)p0f@ymzpxn}*H<2aLW)3P2wp1VJAMF-5aORvzG~Ed8ltnw ztmMb|4NKswe7XjkdIq@s4&=z|g&!2Qaq{mDO-#UdQ!st5&^suTol%21u|8&#ekXd|8ZGhtUJKB%=o5%n-uaj94hq101pU9N{n+ z;-vCZoqaY|K5loxYL5ye6+df% zfzP8Q5#%}-(Q0(GNgNl7H;;J)HxIX`^Q-&oCLZpXYrC6Jtv~8Ch;285TT=7FR|kHH zS>kt>)|RT_%2k6=<*LMTH82jAsuBuS#R(WI3e9u$LGhvqc@5PPMi|Bp@yCiRG$h0E z!xgH3weZ$Tpa!N+wx$s6lgL+b6Y8BLRQcIuQ!my4b7YZ8HoL}Sm2+EM;nCSTiEtd? 
zxGk!cHCXW8!S`>B^SX|c{Y;Qv(#Sy^ZLcA|$l`V$6EuvBfpN#?f5}3$h&eAT@rg`_`r`DJW zMebfG=2t(t#gEN6pq%;7zWLeF%#)|UZozWG=>(wpjp$Y+ zv*r*?#!aE@1&qV!)_8;FZ^U^fA-9@LS)#PmB)5sD;8jCJ(^j(~H(f6s#IxqY|GH!M zDA){}gI3I&lp*}jCP^a-$DL^D>2x1qfPaMff5`=u0hDOHdtr)!$!m zX6uG1hl$8dgMm6!OQLso@rmo6_B5fJHjhaRCV1U=Gp+Y=Ht|?@-IfH@TQWmLXgeZS zTt(g%LmR1uZ8!%MzMHe_f*3oe#1(E%r2&IApfSQ<*!4Fp4i>53s(n-O&L!I2;32O%>qi-WHsj_hE^IV}}$Me$WDJ$mQ9*FEQI32Tq^g;hvvC;_sV+O>?4@xO- z&J}jfv@3*T>w9`;8-Lq)Q%-0Xiayn{a#0O2D*ZU?}fvVOj#9?PlKcia#iP%J=X!Q z9&_OYVA1p+I(IaTpCHzv@|S~Gf%2Ow@>XHZ9f=&)NK{eFM>g6g(F{O+lr<|x$Ah_eol(%_ zCa|`Krg8;oOs=OT^VGyk+wREbjgtIV5z+cOh(iEk53Q=_?( zyFh)#PEwxD)1h_WohqcDgr&=nqV7QCbnHbktzpakUaxpJ$Wo`PNtey}U4@Z=EymO4 zLj7mLu*PABz#f>{((Nd7>>e2A!fmzDS{6{*L5wJZGWVHeD%5Nx&jYdO5Ar=Qo*#T^ zUm0R11S#QW_+YU% z_oH54fEvX%SZIpD%{@Qwmxo|91j|<7lT7s)=J|L60+FuE#0K9Z#H;+lwc|_2Ua)Y^ zg!}Q?vH_5Jm_Q&JhB9u*VAtwq8|B*PS&}B|X7?Y=q`#63q{SyE$YO>0u+eH9d6_huin($D(##VEl~@T^-(ldhi(u*KV*GcDE^eO z?DeguL`D|CMoCTAEMu)<_j`3xeSR-dxc;mPwva#$SW2CQSOY4@+okWobIp-U`D2eqI2ru{75)@-N*b^Cp}xplJJ$Zl6@iyI6xwda>*_9AeqmkNe5qS z|DFJPIH0}S&NjXOS-bi;$!v!u4w`PPmd`A8H|<5Ci{#(ORh6-iy6~FceARulTTu8r z_1g=u(!)#Ma_kqMELo?Nb@~MA?D4blOkL7H4?yUcx@tPfS&;mGbrVEV^XTGWjnBMh zO-6Yw4(nTd@=5l;p;l|;Jg{Rs7fE~G%HAXrg89C=N!G*`!UhPmn9sy@+~K_WOq!{_ ztHMN_FT(W&v+&bz=dYTZuaD?^ zzMQvUmrEm4R(41a&JQqE<<_<71BOr58@G>#hq>xkr7xY&UX{82;_2i4H|*C8s%#W%0r3!f&wshQ)Z}#@iqhsb zTMtf1?=89eHuRm@N*D&ILKZ}m2cgQ)#5hVANGL;^DB%MmA!T|ekGJ5t%uWOqnmDKf zyZ2L|I=bGSf|X$u|IPh%??5CE{@hF!0_=vpJCruVTUSD%2N7AE_nxGZK0fFk2j69L zB~E(0fCS!lx-l&W0wNB5vyhqJ#V)UY)RpGFeQLgF_p(pU6~Tm3`?ZMeIru&GDu$bG z^YF6c<~X)5QJwD%ixo6AZ;sTQSu>Zv!S-^PDc9b7{2ofJ^7K2p6*?30OWr5vH)GPy zMN~GkT@co2DRm2fAgKT}krPX(ff_kkvFXzc;^Lr4!mHH#L;kb!ZOFa^rBkpf8h49jHQV)TMN@*MaqKc@+4H5nixk56G?f>39aOB z2Kw~y0mP(ZY?^ze`ucK5{wSe@&}-9bWVsrVe~pd6IZ(hSY%IS4R@>bRljS$o>`tHT z*0iH&0x8M0yIWlSx@LAEt!zjAtu%ICgwBQxg^#&iP`CtH|EUKpWq4u*=x?jmm&&^J zGI}@&OWH(#+BUNjLB7gv3BD~#BzY`yPBx4PT1Gg!Y+*<~))r#G@mWRKJy>pO4XY?B z#3W88s_yj<{1jBCq*epIs2>0c<8~T4dC^5JYT}GXo(+hm 
zI}{M(fMgm3j0OU#y%SOl$u%;DMjC zv|<3{_4UzKmltyeE>s2m2NY7SY-zMTlZi8O2Gig~GO}E0G!)afxWjI^rT7RH6%?qC zU=u^+MzYh6yvRnRgf1})#S7GK3UZ=gic>G@=7i+RLWj?OZ7OP zDu0mDs!+leGYLFyPbQ(2)xpU?Wfz zlwz33Xr$TsSO;Ju;Y5^?Lc@xhCDoOn1BKO;SoA~bCcb!Qq6u#fKOLie04c-%XjC-C ze`-Y-5TPO$TA(A72MNJWlUh0gUW5V6(%G}T0RvWQnxRf%Ar@?l5*Hkjf2_xL2T>;Dr~ zJM*Uq;6NScRL{VB4BMmJ`v%{J4H6U#_v^JBBH~(rO;(wxzt*rJ88a)tk?C;m5Yayb zO-idmZe}#1fcaVwbi2iqwFYHc>PA-K%Ei^)i!UaWd|Q{Rhf!nGi=kd%^Tl}9vbN#7 zMjbZ6(FH`Fws4=y6%rU#Cu>>h)?Y=9JiF9G>pEhygm4JJ>RMZLy4YN5ekgmX$6&*G z09}q|dk~wk`LMA;mb|vxXdU#VVVs*ctN(8CA*8gf!@cda1o@ET8SjCSP&p@f#l0~D zR#k?Z5T{tKsIzCR@3HHC+Oh%ln01Rcc;2pF#vP71TqgAzcIM4e;K+53KEgzX0pyNj zkAesP69Sx;U&5|~RTEP%kP{(3@=dMhs0yT&6HO`Z#T|1HBL3?;;}Igk6j`Cd0DR~0 zBMK|0BaRJ}xPFJqoII1Hc{bV+1r}snc#}*>8*V%|I9Q)A)x3q+g~ZD#X0QObEp6PS zEz>sbF8LGC77TV{;SK5Gi)H0N!)@kAqU92J1q(l|zH-pkniktucNS7v3ik~8Ue%tw ztG;zPp*C;a);QUs`>y0)Z~W zcvn#1w!s})EQ-u06Fq(~y=*NWE;kI|33A3o7<|>2N7=*32W+Fn-d1t1!aBbxtyfsj znj9}z5tHn2Oq>Jx)kE^|aujC>^byBx*>l|wX;dYRUMyZt#a_^o6B{rGP?fYhnEyDn zxXT7UQwP6v%Ni}#>OCNfwrlvIj-%&!6WJ$6&y_~SP~aCBdn4;k1FF%B(K!_yX}PkO z=9u_p%%H25n2Z($sx|10^bbwQW`-m(!sL>p9Xhf8PE<19{K%oz(gN}-x^;?V3ttZA!hK|_sH0_Fr zJnpvhJiT!28h+J&_7}KB-J2Ha7qA=xQfKecjnri=DB~2=Z;AmmxvHERbN|mC_e(D&<|0ot^r;g{jx5RU+!Bqj){E)9Z11 zekXC=e96vxww{%bcJe)p;^1eTeTi_Gm6x&iouq~SO$O+#b|?U%rPN4^!I%Z^ffA-k zemIHm7wa&K_;+RmaP55$t(<%TbtCz@|35367Q^l)Wd#yqIVG(|&VF|VHA~8?FRlhH zl!JR%f!ma>-g<55Y?b_K{N zwlwfGmo?=jjW;^Jo?ZG`9~-f#?7MOTn@goeU7>=72xLaKlbF-Tg-{yeNEg=5>=CN8Vci=#wrke$+xqbvq_W{MGR9O7h;sz5C3x)t^lGs z?Rm2rQ;Il5Aq}pNB8>3rKni}f?kjJ`F1AxR5%-+VT;btoO>pdvt12}_`?}O`@W`L& zGX&Y<+InkMjZV!}rmuco1CiTb;YM{G-&za*w0F0Do?h7w9D>{?wnM1x|0H)?(u{g^ zcX{9R`nbFw!Ud{qQ!sVedVeU)b_0X=+Nn9(~6t1&QW=IKD#9pfZ%*>@s1>k|giseODtpMTpV_ z(4j~Dtxv0xEE6bdL88|wzc4jU-jNWSPg9ZPFgKp%E+_wh3yM4m<0x4EDe_29V*YhP zJNF4?Z4z}st+Zi9keIR*c+q0htPhHQlT97Jz{Y>JiY}R?Jbcaki0t;!A`#W$LgEi- zE&nV?={J94wM?&XPyUYh>B$^o5kWr${CY__s z>d>SzbF5K;Fun3w%R&F@(mc@pInS&8guoM${XZw9B{rh>sUS3Ws($;<3Gp)X9@nj* 
z0R$9Jj_GvbkG1&Ux&F=d3B3Cjho_4!4#BJPPy+=ts4!GyF#{`To|(a8cO?(JPrC=h zTQHr(i8-y=YNPU{lwA9_#df7rpBxz<_9^l~&mT8pys0=xZT*~6&(8|xG>mQfF3fXc@1h8LYJzZk++anzIKDG0pHNw z&idwWvbKyk-H#okh7~zgvfs~1PT3uvfWDWMg;ToU4?#|eBrI^}`GaB0itLLr6($vmF*xo@HU&+Q)k z7d(f~gIjEcu=Y1Eq^CH~r;t$o|(-=8xsX+A6Lrz2SWMH z)o;(YJvn$6QXr@KpOyAb2U?i@qej6?j{kmC^N3K>qo1VYM zIyJpoGx}!UTUpcb{n_AvGI;dbO?)#d)nc>R+=#JLXQih&_Q%BWHm8e1nveuoht`W* zxm_YdUFCtFTc8F<(B0e>tDb*N=A`XnH_pT9cmy?cU{jmx%~w|^>>q48q6&*LdSdRv z4+)>%%NFn({2lpFKsx^(^-yhCR2si}{n_4pJ?_2WvVgq}ByG9}9*5p{9(xAE0 zVHV@ntm!2(=zDS7nAR+kd?CQy<}oQF_g5cfHBGFlbcy+^=5GvofsdkO*K~zbn%Y(O zK4jUQx_sT{%@)ijKmE^H-m1@b+&2?s_4n7YHx4L|#-iT$q^lAJAF~bejdIyd)>=D;zV539ycSn!-)f1hv5^(i!keP+F7iJ}@w5hz zT$)Ltxqpj={fuOmtmGWix-3OY3@S3#QiHClNnD{zTiA*27!ik+XBYlgE0_dtP;$0w zKrN0FJ{lVqpLZPPFCHY4GcJZwVAKp;-TjPe@v&|0U|7_v@OEs}(Ppir{)% zC$n+zV0S)yZ-`)e?KHjV@%&4N(DAKjT&4HC@4BUSHw1IGrdC69gX(mKGxW{^P>Yu3 zo2=X4E$#TI76=>#`l>+ySQEa6D$=L4R4MsseI~UCuW2UwXliZTxsD(#4F1*ndS5`_ zXxiA{B9%S*k-7^tSWZY!2Vd_ru5T($ zU$M5U#l9bW2A>R;12_T_gKW2R!^qq>_($5ajPeyN+CqFFRQem&!DK5f^PMwP&-h0w zwVTYIgqaYfH@}*!7uIBIiUYX|jWGB*QybEghxX*0?zC;;9m(74)euMa-yPk%b(`UA0vZ{wy1sX z%ik56AdeMjZyx?Z`lM&ubc1Hn6=o9U!OWlfL&7lR5yc*4EhJg7$yaSNE0Ol0kOlEOvUZm(!mrpKG90rou_#mEK`u>{FhauE} zqDl3k;3BREwG8otN3qmH&TvqIR>lotsc|=kQmd|-z4%>*D)MMm1~=yoXGCXbXo3wF zbD`gLi%cXAITzJ(t^tGvb9M-bvaS(VKi)&~AYvR$uwfYl;;=w-NH?=!u8(SW__&^n8fKEvRM=lRtRBJkt6%(7 z_#cnoglxf*Jp}u>nPyC(?2|LE9un|T>^;T!b+>Bg~X1st+#IE+61*>pX&%=yW{|G?ScCT!k?+7 zUn)zZYxeya)d$%`ueas2pg?*t8l~)%;`6)qO*RoiuCRxIlq<(Z;oDlO!seO7t^Wfp zI1V|ob)he=1O(>P)m>7S9JGuhw(qM@%(^EWaLT`zO|WQi;CJn~af+`w8PS3iAO~e6jpnxtJtU*Ew|5wzs`F?S zZBXF9)!1~Xw!{dq26xD`pOL@+(hV|kj_PBig$Te{s|u1-%g;kT#X(VH;)c(Oqb=r5 zxX*Ct66n={?UJR@yE9vTEmXKWmC&-N_E8cf@a-lHD1b2a^l+nxX;(tV@~RZb6i(U3 zXxJx((+X4>M#~aTLBU`ah^}ND`-z2_KUGi$r=?`hmI%MabAN0 zesvXtS$fCGworR1E8H#>Wn>t=*D+?-S&O;+RjNXNpW8+G_9&bBz7Y_Q##pZ!AR-)% zUm`4iUFRUDBaK<|BiLRtKlJ;jqOsC#`+MghLwiQ4v)HO`RgF+dWE~ZInxbAHk%k&1 
z;y%0i$At;F9Ni~mG}y~fDdzh2!z6JBd`j6}8OU3aaiw&K$vwdfM{ln7bTwXxV4}G` zYl#8Dx@I!GX6mytesH`O#KfejF1ZCu4O*5H(CxQMI}WM^0!M*P1BIP5AB<*JP_V^D zWW988?phHheoAj@oV0OCHR0ygoLnQ)9Y0E+T@Ft5|I?7S{lIP_SpmMSWcl4V-{pUlTJvXPxnGBa6oTo8(|of3f$)N#A(MgOU{HDU;9 zL9(O_i1in6!)s!h29i5v6&sP##5-~Tr;z=N41(O-6u`(p0gMdb)C=f`9^d!i5B(H! zA)xa5IbC}JO2~o?hI`BXgYHvPv-p9A15#podxy@+w`UENpz+bQG zPBQKF{|J6IhMstdm)phX%ajRf7rJRVyXxc3HU4ZUTl?kb@$-Dg6;g>5cHFw!Mup0; zXoV_t-q&)~$|vKH)fU>Mt)XPWO07c8sfP(dZpy(vDQn{AHwA9-xhM~LpuU8hQ_kG~ z)0YTrm9_{B@g$yMt@sX9_L`_Ds-k&e$SKXo15QEzzdM=HR7%B~XEfwHONB z(yMp^5F_9=5=Sp1!xGnFVq=0!pxz;(=U_ z0PT2i!68y;%#o=|nrKq2{Q^U!ZxGSYw;59(%M5!3;iCJKBeG63X#cl9bPxi?_*om3 z`2YCxq+KZ#5UGK^Y{Ld zgo;Vz+H9E`JXfH91Y7typs1=04MXKG6d+w0{lIH~P5y)lk>A%Kofx~Ci^zG_z$Ebe zmcq!Ubjl=%bSin_4zfT?7bkpyg;-Q%F=wfqC7!4+S}5i8O)e5R3KZ|NFjET_8z%)e zei2}y5Q<`f$%iP}mI?vp= zKDKEY?EA&DC|zgzTgm&F#?7v8kg3exQDb^I8d@eFM8eY{Kh2ZN*$1rqa{K`Y*)0NG zOj^)$vw_IY@4tCEOQbbZEb~jo%SjDcFNxDjjtgfWV;e(wZ3WfKyk)1}b%o+=gqly3 ztMlKcOF`|L5caNgFB+e~VMLm*5=Qp5QqXGjv(<{HsshTT<^6T|esTT4p$oP0r?nB{ z3OqRi{F()<2vSc%Ni!IO7jxoK4FE^IP`4}sZ~)c1)?i^jvpB{aY!Y}6RBSap3eQWV z-=&;*F#oRG70AniCrvAY|6!KM*XzKj_5?$UBKk2fxV{Guo;4CeCM-k>*pfZhNKZhn zYM@~(PV|9eDUjZieq`8EbTJ!Y!1PZ z%EU!(Y&9GBzdWBzRKG{zPdF=g#w4 zzn-gzvlA;9FTR~rN*Smw*HOzEBMo>l81#*FF;Rkr@!nz)i|?mbW!&4U%S8gLXQMRP zs3$9=oYdu{>#X4>J>v(d?*Nk8ah=1ODPfqjckSb}Jygm?ZBD?+|0)N>j{$0l`k87X z)V#6F7(u@T&t;Zb=eN;oK1?% z;o2dV`qf#9oU58$sl}Q1oCF=axv2=i0)(e1`-?2ljg_-dfc76QW{2^O&}H$Ts7cY?X}L-aP?z)(n)2<1`* zx0fv)Hc{GBRZe3bn)C)1{vH8#-^eLx?ZMx-BPsqKH%awftCl(|h9#3IkT;dpH$t0U zSFgKSeY4kloHKXL)MCXi34M72i=6k1JU)WGaSI0(J>Ga!)T`J=d}TxrtM4C#)LT-Y zys?J&EB!ebl#fN&sNTw1%Za=FIZ4Ei`+mygp4#=Y*O6icaGLt6$*dxYt4C%i&|;T^ zmj8eC(L!K-^!`8f(H*B~3aBrldOOyGshEjW6tCgLKY}lf6p8^Lh8bNR9~7$WUTt2@ z?jkT;#K~d;ad(oHj(J*Yi};-1?c3#L1Xh!u_a*}qS=HTlwJb&}v;V~PVr9(0ZL8qz z?`|C>lNySiKj7eG%Z*Dp8OwX2GEojha8b*TOTik;qdb4om6_A!-e}`Rizyb-RsPiu z_M{{XL(Bn-z^zaa zWZy?v+KZjU4EUNS_=B_v$l3(yg{3x$pUa34&5;4wAvIK@xXSUw4Xu)lWX&{#tPROr 
zN!<;`_?IccFcTLQEm0KxN3v~LDvB$R7`u6t%jp75=n|`04FZlL_y>Ayh(2OPH_3d` zM)*Tq7rZY@f8zUs&}|(fJpr*BP@O}EdFLfT1~xS zLGo|f8^m{OiqtxX^*$oP=D+(nK$5O~d5>S`oMrhfe7+V^QY)(ChKkr&3c1G8#ZuJ4 zZA^7SNt|9x5>G90T|Ld?pvv_PpfuytvDKjYL)6{CZ%7$?%C;{tM@|8EigR!=>X;gs zM(H?tjs7Q%$}(4qPs$nq8(qUNn`j`7)l45!%7V`cg>_cxKcW7=C-9hhHoR$-2Aeq* zpoP{wG!DGexZRGrLKsuCsRBmPTLSiIiUn7d`{bfCXO~d|*sH6CRnGwtqXaslFO%&* zbkTI;p7+93u!>uUVj7kSW$gx)7;4`_o;tU{E~*!L&agXvpELxBm*IGC4R~FM<5}}b zM7N#Wat{G>qis{{87^RMw5=Hr?l?#aO@!oJ0AMr{F5-%+C^GfLbjG4U{T-Ert=n1~ zge!maPgx9%6P#PZ&5j!y$jjZ%YQ*{G2*XCUoz)!jJwSwt6O5C_)-oaSYSXipq_uVR zJb&!0qxbh~jP;IPU+U`hFPA7xP5ojU9im~ik&}!X7&;=hGHXQoC0&$`)yiVs6SoCH zXJ#@uowwiK3KPu+Q}Qj?ELt1Q=?GNc9yZl3{z4B0ZqL7DD>VTAM>h9Ifr}~U|A^>{ zoxmjYPu)hFN&VGQHBauRHqe$Z(=(3%N;z&L{WRw+{x9)Qc|FO&Kg^0 zk#;1ZaJtg8iE#9a%tR{AHNo+QYAp(K!$i<)+=3PDnxms|J)3S_TH_D=48ncDw2dpi zA20=Bb1$IuIhNDT3G1pv@`$mjvAa5e%lx1Eveu;aM$W&eJmz;bY5F*iG5NZ>D2 zf@X5{%)+q4eP=eofma0}E)H=%%5Dw%ZYa%eSua&hq4s#7b?|!`?4yG4s|>m_gtGmZ zm8peC>N3hK-)gP)qoZYA>d)@l=-bi9hul}~!L7bp_=_=q^zBy5=G&3PP0_2022ESP zy6MF#)VfDct-H>o3sI0%OLt$x413FMz8zO zL5HPFxa27QgBbyUe2T)}l+)>ZM|f-ePJavnrM)SH(|1{)o^hWDHx_169|a{K|acLVZ;k5@8>;&>OZ7 zG=|XuzQss4Q~I1eX-M<-Kt&b9Ko<~oe|OEF9DUn#=gSx#q5heJ zpchEP2~@+SKst>VP{C@VI`)cU43VT_Uo*N$kTYj-{MT9;p*thaS36;WYyCqum;;jr zTq~o(S}$r{5e`ladyy(c3oSiJ@dYB3TWq7XS|!h>e8)^T>%=!u$%?m#ciirK>2q>S z;Z~H$I2f>!bn0G?YPai0ygaD&kdEf33Gw4bi>8Rj#W!EcK}Asne$6gK8F$(GUTJm5 zAT}fjiGo^o-i}sy&4lleeJ(o>V=*JD>f|;AVbC9qs*o_P<(2Kwe@>{l@Pn7_^JO9r z&5vVF3aU45zn+gi*1mpqWsG0@LER4<4(SPM5~*thxbZZ{vAx#r3*_!NWNy4df?8Kt zAj8dDBnmNSAtdODLX9{wONIhRfe2{xozj5?#y7TD^;AeQ6j$QFb}uwCVDXDg5}iey zxDfx6c}3)5;+3WmVxV~o%0=^`mch~&CEhm@-~<19Ph@PTTfET=cvHN_!1jXUg2_tV zQaD~oIRh#fok@q1i8*b3&fmE`bVgZ5HaPoh z<%Ge`xI7=)k)=dck2E^aFa)+uo|T{efYjy_G+mUv5%T4xO3Gn3`^fA^12;J}!)D6Q zrBkVlsf~_Wy$^}>8a?U6Y54>_0QlC$XL+2zrL_z{uSenfX+L>L%UlDW2$+Ee0*pT7 zhkNVk$S;`JoV6Zup3KAe9oFCHq!|*SbG*!1hw-SazsWKqSmB8Yn31)T$e6||(;Jh| zxFZwG($u)nWQME=|1a9eO}h);0R_45fTGo61{IK_R>v}yBoq5{Zh~gw%GTTM@GY;D 
zo;BdX9ZZU5aVzcEF1+H~FL6QF(IGs~ADPS$LkV7Gl-oLh!0B=OHPtue)Tm=iTg7&B zm2R9fEa_Y+1pCosIOP*Ey>a6TUE0>pQeuLRt9#B|m>=18(B= zGH-;adEsRGHSaQAf>4=KSRob6z3H$e>cXdue_T3hy(0+7=EFf8^V(cJ9KGdUZ3cYg z{dlSn{yRMZ-SgppRZJ50p2M#=*Ac|q!xssAQRraJ{jsZ|x7mEt{CK881#ux$f(LlB z&OO-iev3K9%(LtPkvfDdj0U!W`a~zI>Kl>`O}tol@3HpmQ2D@C{ho|{^`PMX6vd&} zfcj^b#NxnF(+2D~M3ZC7;dhgL%^Dl;PlpNb0M{$f#WG){PeuFDBLXy8(j0hvovFjW z(WUq%XJWcImCGU3oY>|-d=a3cuo12z3sUP4P+$zAX{x&Hw%`$~6Fp-e@Zzs#Z%JS3r8jjh@Gz3X zrOKFho@;B&-4v*(PoPnr^=x{)vX`^O67LO;tbGaAT+M|Cb7STS-aE*@t120%e-Tn+(eden{)_I$e!TD1y+&jqHrjI=})iY;E3ja9a0}RtcB8O zpdbuZvFE@o=?|^6;9k1eNHT`?i(=+1r+?TLoZef|J+dD5Js^D>p|`Al2qpR(Jclf$ zS9Yr*eis#F&@KcVUbF8WhmxGHj>=LB`tLH_9(>04cE_l)d{egZ3JYs%hAiJ_Da_7U z&_i$>=7sXSyou8`1*>^-Y_%XT`(-~KEBBGFC(PI16~dp@o$6Ygsj1lytSMH2|fU+-z*si2y56QW5`nU>Qe{0@JZzI*t|NNkJHe3Q`bw}gauu}!n z89Hhc1yog#9#sS?i%2MpDcue@Jt6=3A2-Bd+LxvgTA=?~7K`SK)Wc?0m)C7E zBB|W{q)LmIQ8F|KVyvUBcPzftI*%nK*hX%x*b8dScg0zZN4;aT5>Fxd=*9NX=N&gM zV=>&hwf&284zFDBylClJC1o&tZOF2(fynDz>Nn%p`3JTlRZM!z^wJf2a@FC~C10Cv zt9HYeWkEYAh^5I3gM?f;w-KiX89&q&@}ZF*T=H%sunjVp;@beA#{FEh*xyuktpqYU z#E-gYbEgFHONaq{%8q{w``#wd74jbTl@K7`cqzPI!U>2+AB#BS4>X^bq6zcS7*JTH zzRjpiU<;+j4f2At2l;N^25cS_F((4?SJ$OwQ*cK$Li!tSv7w0Psgq3dg}y;xJ{12U z6n?ODb(@=savk}jT8w2rZ4$kYAW;_6N4uf4MaHIwx0-UYgMO!TQ}XcgC9y|gB92~# z{VPM2ibb_WHnm?`%n8)ePc4R*m8w*Hi>`g_dVS}thlIVV)GWiUe$uI3(kLzc5^5lj zyn$5GCk4VNzJzJ&W1awM#A)%rpeBw4b^5n90DWL5h2CTwZwy_A{r0TZ%RR2GBs42c zEfpupNgVd>d5*r)LmiEEG2fz74{shly8GV>oASI;tvk04qqv7|i>NZr5|W`&Ya&9B zhS_C2G%eYu4-KK^X$tQH-YC;0R?rVts`_MQs^P4UrC z%Wb~zIqvi<{)Xhorq%{9BVk^`^~~HaD+syx7SH?GOg_$8JBfP;xmkwK7(xfoe&gxa zAK_w<$XfafOk>7M>SoE?8!r9D7I@tmeHTG`Rl!(5AYSb>;4= z?ys>L8H%uX3e8j`@^TxomO!CsIQ^fuKRc5wy0((I^`uDO<&Youo|GcEtjY<+Ji@63 zGWnDC?(^SCUln8L!kn}ClhE(;wNR&|b7XkdYQeCIjYcBNMzu)kZ;aKC{1i#BIOK`` z3z9Gh{;KGQ=4;9Ib?`|!HJHw)#-*ml`u1k9ELg*7u^Rv|jOBSL9Xeqgtd~n=h_m<|#0Q{Fe zf3d*re4ch;D$-^R!v|jHCT~^ogkUwnK7{LW#|RYHqQ{1~Lm$8~L5lGNJ*`~np?^m} zOboE~;~dqw^5^h2yE-L=`7Jj`1HW;MW1COAYb9bMBBr>bjCV}#a1f=l%o5VW$?vcQ 
zsh7DLt85BkKG|%W!_>*&Q!MMp9z`{zCHf*pSAcJUdcYY)MX4z&l`$_x_-2bmF|91V zPnT(SD~%S)I}*fv6p<;Gv`0t!ui5}?6ODR6Ssy+*U?a>GyEHHOz}aE+n&8H~Z)hW> z(xu`A;0DY60T{eo0x zT6HE@-?rlKgh$sY!NNDqO%LP(quJwBaW*1Gx+qtbwAsHDtYzGGR+XvVQ@Z49yXo&= zWD2)9_t|ngz_tepeyAaoL)5%n@;f82aKB-U1;8B~QL)IQBH=!1@3qiMTv1hBu|k{h zULE273%`1dr|5B;NX2_3Oq7ow#&5lidfZW@0}s5T9)HJ3A3fY70yHU%JFFUQ{Ay}! zj>fM&tZbqQf|7y(K{kAEGfLo|`uh4KfeRF6w-;|tSF)m{HmKTji4!zmK8-9x^7+}J z8L}}dyXlrScvL~_Ih3D~iv&0>=GVuK2Z$;N4}z_p3LLN5S#kZ z1V-LG+5&F}tqK2>ADNdTjyB1`JeO2hED!Z@`mg=)DaM9AHf;}}ReSYSx{x6ln-$9t zUHfL@8rMV~|BBhFjM<$YQ(;UV$6#|~58Zk7a9X*+bH1u``M6NQG{EOd1JOSM)tv-bIAcBPlOz8KHC(^HTZp8Z1t!*-K_rJiTU z?Pb~T?HOOj`E6Vy4x(~?u~oy)tNKow`W( zt`F2+ux`KWs%G~g_MRJ|SJea|u>4iXru$-_mU-C8uigJ3bIAXS&%hf{`6F3%RAw6# zgs|;b3eIq8btGPep=C?0JVh)+X&0E7%Kg34Nu*(FdEy}`F2ZFU(h(Kd0~PI@(-=z} zV82l_b@7+c-fD*6g_)qi`oke;xBeU*+5oJ*zv(0K^Bf#iOQi1%nSBH3oQ^L` z3-gO2F=16Iyc3bWR!UpJ}vnEe!JLB-wfJZ)>$TWR;` zx$hmZ2v!_y)Kxv-+weEh7fUhCmZ8f)W+_y2f(|SUUDQQ3uH~Wlqal6$I%3%UKr}Pd zF;8t4eQ!15ucQ)OH1J+bqcW@5OsrO`6INHOq+uS~zuQw9I*O7+wjTDX{JJ-s!|^z2*Qu=PnSKrW-!HgN~27wXsyqf*JcUk0vcU#CxhZmXH=T^55rd)HhOGBAgETa6D+ z!h#T1yymKgAtfUG+^2N9<1dnYP0Yv1)=qbNo>e9TA{BT!a&^n~4JnA8(A<}HH}|jm zbOpj6_If{jv&KrExPRohawXl>_s>h$LKOWCEaS%D+sYCoRpC+h{3(p;yj6Q?ec)bm zyM{v%sx`by3Dp0>@}`VU++q#ftJt8zzj|06bh7ytwimOP%DI`Qzw0q|-!R2H{?Q)E zcNkV5U>X1>{aI3V?}@UgrJmBwLXhlw{>N$k|Bfo>WsBoGsq4BXekq#{2(mXvsLFSM zcVR6uN?(?*)uW)jXz9E|P`Es+AM(}vkP6Av;bZzVC&x)uA;e;I9qwlxAhX4wr?Vg` ze;S>*<@Cdz7}vccwd9?1iL=1DbJZYZbFKm_>~63VNW8_3JJe}I)DsbezI@G*1?9#Q zkAFr87x(}%{K|_;a;<;p#JQJawW`r2(5LgQiy$`+W{D~!!1%l-BqKqvqz98RVjQv zz%nytSQl`oHKQ&_f9YYnI?Tedr&})=qK*?%f2bfz1hUh707~lfVx+&mCBiqto*0nr z=1KQu45+0wPz_tF2lE<|j@+r58fBGE1~V_#qcG11r@k!|#z*RbtOkqxee36o8QK)hGJ)kHS3-(9L&D<5Vh%$e8keq z;nMrVUCc}1>&`+%>8){ryXOZq5E;wEU$%Y-%?6e%Yur@5AEAymi94iW-P{M{0+|J{+G z`#Q)IY*?frVQwu4YnWLETOZgW7304`lBK7N7tNJ>_Wr18Dh0!Q^Gwr_h~uhP13OAT zFu9fTBRU-jUA4tIt;YQGZ*bk>9FrW{_#7TL8Qhj=L)w$!KqYNkye%L~0} zipZlPMVYX9b^Yk5;}k1g;&kgJt(ZAW*MHQyWrRDeFjqtQi6sVlEYg{_V20_9#@t4k 
z6){w0LP=Nfjc>j2kDN?tIdqf~JQl<3aZHF<1I7Xh9a>C}>*etlVO|4M|BsD7lCU>W zzv9tkKOh(rq=mf&BKS7X57%^t)5=80!`StTGPSXO_2xdedy|FV!MH3h!?4}c=OgOy zRwGrGYMu}xY|n|P-<48YvS>xmhWyYNK-S{8O3nRk%teHAk`7xVzs zjk!s0vxR>Z!-*^PNYCXSQla(})a$gGyvx@By1bfz0NXAap^<#$>YLjRBn?|bv~d)} zUdzFkRv#j{w3tyZ(%2(Ob68RksR8KWBEc39{>Q`opyb7|*9@eqGQltbo5tLrR&D5_;2))gL-%J5b!C@g- zIpqW;VAFaZKY{QXou9KUZ`vJE)f;W!M|u%M_;nnkNT_|(NoK|b{}_P;{91K8E+|7v z{VVDBC$TMX;v$djo&SJ$HJuw8O&&TiVreoz(1joav+vVRH_z!*9LP~@2L9)gk&*kr z|2(09v~6%-SXr1%!`w{w&F_y7syAK5T+)FMTK)Lc9w|*_|IsAA9nf&4l;ZLK_n3;z z7KIdPV2s31ZgHfZ+tU>fmLx)VwveiGgvz5#%)~J5ldbwz;0a^Qr&#|O@9}vpVwkY; zbjxjmMYA4*`L>KTvhAjx6$^0BsB_Gbkt1QugHv709)0vkI$G?K_g*ulRo1v#sEH?e zvQRZxsia1`uC@8xuhD*++e)5e$=c>xcW!c>JdM05qNv#aZDIHmv1LMC(=J_CM0!Re z>`LPxi1ehX{kb+#l$wB{)ikZMf|xHsabFmA>;g7bWSd>>)u;v4{CSXOh!`4jg!YqH z`yyykO3kYF|uMD?#`;sa_8Zw~^I zdS0QffOILPB9ufT2f*Cz(}nCOTrz}j^Ulz%P;pR&jm=mm1HoOing^~Ir(`PP`9poU+G)q*RZ_jeFNOllc^T^W* zqw+$vcm~z3El(oWP?Pbtz8Y!sm@VfwBO6yNQR%v;%hJLonk~C$Uy2>R!l&A&n1k86 zImT3BOIVFH(ePAN|8%zDEwjm(%WcC&bf6%bOr?Ip`&ya)?MBET-A&SqHW^B-9>I10 zty8*^T7sG%lD{BzAZI}M9)?qcawCt2D%;fHYeB#)#s(n_u6P4J z{#QBYzgSIpLej?CH?4D;Z5Fj-KUC%8z1d^+6eC9YyeXhnDg64!B*BWPtUYl8bjb;y zNaC9`D8%S^ryjC;bcW>1L=STQfBuN(4og*E=~9ZjG%vyOb54;A^p9!`9+EWEpXOZ85A%A3ZrF zqJ^f9J;oK(D2%`Qd+-5FBa}MbyIDcp{AVK)OR)5N`N#qP7&`-0wkS4)Z zQB7;@Juih{J(qB@SI9G=L0j>SrS56&v~w5ga;ErEbuNB729CDciq56*@95xupuMmr zZg@rbyQsb68K<$5c1pBG+te;I{AeDM4=U%Fn%0o~v3N-G|85L+`$tOMY)?sDg0s9J z$AWH819|BH{!|MBCf_*0u&25r0}y0{m1kYMdtY^t*k}NsK^FGt?e*6q*2CN=6Fb$ z{+HH66t)ScIWP|T>=MHMCf2Y|Hny;&JB3sAQCQlmANVV4${~-Jwil=zopLjH$}wAG zAB003C8~GkK_)pzNb@Afj11yrw!^J*S`@HINF||oFX7!^o9831b5tBX=A5-zd#Kmb zHkc~9=?wKvhzo6L7?|yAi_%j&+dsbM_Zz0))O1XL6HQXT$0OoCn1bUm`!_C64h^_{ zlGSJbj=J#CwLL;N?qFtUAdMe77R<>KBGIcSz2#Mp$dVxWUD)YtQ1#NfjP!2}+D-j# zpKJqeNq0t#?Utsg`3o5J1PjY~YJDQ&Mo|@UrFRHFy&3IxmOlL4z2=vMhlqIkF1F3u zczQh%wnbnY@HOaZM!prvsi=Z*6rt|Ddee4v5R4hQ1ytZ(8xs-xv}&EKdR6~q*;c3z zLKT3y1L+{DSj^tw1ufMqj!^lksge_9-XqWbwDw&9-|zfUEz$aXz`V-!BES}WL@77QS5^8a 
z!VGJ&`+Vr-qoZ9z`&MK{L`J%AZvXrmQ1@M0^=N)1vd`ue`Q$8dMceU3hRftS|Hiv= zwQ^V1Yp7!-t9il%ti-LtFKr#OTB3!o*}vGrHw*8m?8*e>NF08}M|b#80j=SsHEv=k z#Fn4LwDL60yA5R=9=XEq2|rflBF-gG%W9bskb#$_4sQr|i!xDeyv`_=CMc2m)&7|Mg< zn!Qejw1`XN{wMguw=%rzv|G=@fipK_jng`~#}OIw`mJ%dr0>I?{(iUjUX;mO%nSrz zUDNDrjFXubU%UW&d|d`%CNm zL@t@@ol|+{Z9>_#E_( zbF)^bz0NYHhXyLA;#@?bW)Ds= z`kR^K5F38;Das%rL}fA1OCZR#76wp5?WkymwABL#0HQ$urPbD$k)E~JD(+H_<26$y zkm8zP&Ebr;+z|o%V)$?)FmGp`J%MLHtZT+!ihw8tPRR|YR9-C+jy z7DkPfmwY$ESsHmsbaCddNxXB)&QdtuZ=f5VrP-yUjf@tP+Go-)PG6^6swWy$I`EXl z09hLOcRqr4QsgIlO5|gmKP$^FQM;HH8do?rt1m+U!?y${CODA{)wE%OOgq~?1a~#` zE3-eHDaKeehLXLeMSfP!jw;%BWA&xh7pFYLjv=o1FK;Kj|02qmZ#g{d(!3hIN(q}s zu&tKxQUB&r<+V&R_gBAczE?*iRzr#igMG}d#;L#sCk$J!(T0keJ&xvYk@#H@(Il*c z{uKYQz$tfjmrxnp_qal%VzE&150GMsW`#K6-Rar=ax4A}&*_HF5|u=-uQ0_sge8+( z!2697?1DbBPbKa1t7xL4X62NqnN3$!tQ>h+(8%Uo61`Q!@JgwjMhM$&+o!_-(!jl6 zipib;ftv6^?RDG%IGsevN$LkuH4PTGOSkf=EiK9X+1}|hpl4RcH|doGTO?V{ z)1P}noO#Ts zG1l=9<|wg~6!*8*!+(BvvteO&{bgx>U1>5bg}&fKY-|yuiD0EwX{{H*ccoh6;O@^i zagR4u_bnyw8)(5&Vg$WG`>DWc3L9jQ`NHM1KvIhQbnlmf{(vusmyAxI5w^Uvbb}~< zL7!Dyd2LFouN5?xuT1Rf+M``K38X-d?|qA-tbEwgwN7g^YlUNOLX+e#vNQlf%h`pi zH(3?-5bHYD_xUSpOD0@;hdU?FOaZCQ!@XN}qSTg`;LeyOu!^Bjy5F>IY1hmaj!b|4 z*4+X~5k#{)06$(@JO6poP2<^wmY1cZ7T~h5&bU0O-*j^MYyPlL|tdg zgDxmkdMGGzNS46JB{n!l()P6r_-|~*dY|X~TOC)|a3gJt%Ffn*z|Fpb&$4qsRjS(a z!aNhfZ0QiupRclWn?s6ZFMwgJRX6?Rf<*}r98)3KG*4FAyD>GfHFs6CaS5T1;a*)#I$Wg{k_5b$LpHw&=31*L%RH#A=vNSg*Q*&L znk^yE*}`n+aw{NX22I>A@AgupRxrwF7S^Zm4P(NntFxU@^hVf6y;qIHkz-#isGocw zJ1*(NdheRhcYl|2lhXFG=-X)WTd~D+)X8G*!}~ zsFDl{Oinkz(n9N33eeTre&zpH)U^?l**Y>%*^=NQ(xx3`@A{sJ#DK8}$C7YC7EC2H ze(5(wL_YmDinjNVoc|0#x%eGmJn1?si5u6lHs9BG*;pg{*Hk5Ly30dRc;qg_%$H*< z0E&3A3MzYD-VL-4#(Oew$x~A-HB@&xZ0{xICH{)-V=%>13146v`7c}Bt0brfa)AAW zh286$FL)wI?~fwZDH9tjs}VO^i>1dE)nC6>S>CWmD7O=i7x%3$ut?nxI$G^uBnZyz z1dzo|gcv~amqA;93kHJ-8xS@POV=-?a-DpN5WfL>ZRIRI+uN0jN zyEyHUXIE}6ZQ__Y}>Z&q-oIDw$&s%wr$&XW7}$c_Iu8E-hBV|kGZZj z&%Fotnl)=ydqc?#VtB5X3`Qs`r@f6NamJ()28jdMTES*T9(R)T`?QqsN521bX>$mG 
z(<^b4(tBr-lAo|3YTbs5wJ;Tr!mlhDCYRaXG(Y- z+P)s6N3h4W67AjnVToLRrbVqO3_J@C##cD6rkxR6@aGRa5eOJ+FUgYLm2k-t*m?nb zx=#O}1od3n5>;jnUmHj$pm6d3T$w9F;B_J{vrJ_gOiW`zJ(ShPUwOCARnETRoirj9 zQ1VaA=FwdHZ{7f0*YY`-Mk!@wxylCO_RZVZn7)2*g12iiWstPR-f|fGlA;Y6xW;r- zD-h^C(A%6mh7{wFJfJsPIxQbiJ1!gpoOlS8qMiFMDbn`Vav0l6bC4c=+PV=&u(5ke z&8;HEUELo-X8xhoq^7DRn!?V-_n0eU#X+x~_(gpF0QCmY6ZWbYkRsK!cBYSHR1t>> znjMnVEB6KQF_)F6ekCjYz6+ngjq3fdYdLr8gQ+>bgfVSZNTW4cD1)p&OF;nhSIoMo zlw8)U?)Zk(T-{pCn3F-%M28Z^vGgWP`Zdi^X(Jc0scmO_;S?9j;5!+bb8@R^g|<5HZ(S!?o+3fnkDAP8-dPI+eU8&En1u{ zqZxyE4VLbKTo5`;1n3$IJyJ!*K>`|7q}e|~j5H^Sb%Zo|{LV!r!(~^`Uk`8MZ(w^3Or8sBbG}5RgauDo|C8NSnYV5?$|~3% zHG6UI`*m_jEY>pUbmG{sLOlCq6K_Gaj5GIW$|WMmN$%^pRh5jo#{v|gSKHEgkL~3u zj3`FIbqJm8M)B~T23wnyV00_qIR>t;chD$AHP^4UY9?w#H;I>1HS2=ykV?LWCY;i$ zy~3uAoU!$Dw;JK2mw9#Odh>7JZ4vD3tr;ZOaJF_9zhE^%1~xa)l`%+lM4D3Rh=;eD z0G41PlnDx)(nuBe3M;{zn=wA!maeJ4qK9>$BJoyGr!fC_)`pLF-RoP0w3xei69M>v zbQx2wA+ZwLOC7gEju3Jhuf@YoA-EB@?4cnW3(dD-`!^#FYCH9!XIq$K!@$O=Tl#Hf zIC4YDY0BFt0M$OESibTwdzANP3X;&dOwNk7@HI05=0oNdB*E^&sisFQp&i(*p%iUt z@ypm%5CH@FH)a@w}FxsS6lT~yZb|7+-n-`8#IWY=l;J&`A=)=wA!@^RxzQEhQZ z?AZxPtZi3$Oua76RL^fvlvIA02vrR9{dxl$=~u^IePV*3_*im%XD+yO865$v#z;rc z7Yk>Ue+Op~q!Un(>Exsf0B3QQwtGJOSZ(Vrtjh?SndmW!K6_WAqKzx%D< zwWQW3#zU18SA@9HjC%aseF#{evNG{mzQM&DakrEL)<))?t)A5e=WH8<6ZBLSiB$wN z_-mHcV%jil@RFW)7(BF&@BXHV4~;>Q@!G&v{5I2m>x<*(e{thId3+{o%epEPDSnIL#6xpjaH3f7bV7a`oZSYCo$kjD zfZrW)hPhOJIrX{UdGxL4PFTYr8n`l$TWz2YT;19HZ52}3jmcoXVUe6$ICI-4r=HKl z?Dk6)!$Y~5s}c6`A;exG9FTmOIy$mS`V-uz(e7tROw|-<=@rjtG^ux$#lF8my%=*h zYg!L!l$ozJ3z$wGHZsmcwoEC59LMb(eC@&@#IB+OQwx)+rK*`}vn{O*R z^BMMk>>%`~=6j0_8!wNhdz>mE1bixGsKxenkette+sh6i8_MKWT?oS%m(!$5!v_EQ z7>CyRZOBmk*zM*8BG8D$9gIBFNHr2?kF(qzQr29jGa*r(sAblUGv??yVp`F0SVYB8 zLU|3f0gzom3{gwP=aQ@zMHF?C|1!FPWE{rkLYz1Uxg6pdfY<<4t4OVVN}`_-k*2-k z0Lg}sDdo#(ld>8;{H6ewLyZVyOPlUVMcw!BWFG}u_$&o$y1)O}Dz8IJ!eSELCYH4R zaH+z1OgpEKot!uB*8g+ljHuQG;Z4t%!>rX{hVc+YE?BwGNMp%?N0!Dc%}fVv;Mv5| zDb`Rdv3OX&_ah##F{gc#F*yP31gWUjb2=Iq@!)rmEbmk39&;!MK74r!LESl z-~U(F6G2<5?SafV}FK>AM| 
z5_7}SzMlP`D5JIY?xC+4%?@XDuRq?@-R zBIvW9`;0;Ft)KB+_Y6JVF5k6`;Rpgk@@OUa)(UBKv~2-l-ZVGqjv}XIr!^FP-PFP9juSxvNy^pQY%Guja+ZCX{S`)<)dLbgVC$f))BNx+eZmDABdu}~Jl(n?>=1oA6Z~uA?Z{UxS*Iw(LUtr0~12r@pc^X@lB0w}1||d2v9mPKVY_aDmpNX4E(%;lQC)jI|@wVHdAJ-yh^oL^lry zlcP7>F+LV(;9mp~rJ~nRO!D9N8$v_mUK)2Hp`n`>{+CmPlz-3BbCt~@*arxyBBDY3CvM9AZ{ z;o-7AXPPy?@fQAwLi~$eJ18Aqg)f{vgbs%!2-Xg4GqQSjP#~z>1%Ag@bUR`i5=>D) zo=%TkGw*X%vPXZy()AQeqDtS-4}tRg4x!^J3xT%}@E0gO*o8pm5QPzET?Afnl}9eZ z$8>OHMJFpb(9BCi(?|U7dmMznnr+wV#2*5lKF?8@Yy*dZzSpc6i*qX7#9mq_kI-3x z7)w>@g?f38$%-Pggl2iMb%)k&n^zodPvFvazpb;gRw(QL3n~12nMCOu!Jn)@5gxL2 zzS1n*2r>+4G^o7=Dt!6{`r*F#XqmY*ITKs96Eq_vq78H3yRV^1vl3T_(zztS09Q~4;B{H=zMr0Y*9B8fqz4ymaNuX`Ez44n4 z(ldN1;(KM(F<0fB$^~Du8@N<8OcZ_KwSn76IDM{0Z*a9aCU$~BeMRf?8FfXrCVu4A zf#+dKzfij;1I#=3`CgW))ZzjfWLdw-j$q^rY7cS>bZ`QxKM@@YynUE~gar8R^3*IP ztY-WGNW@95k((ZQIeHG(pqtjs{C9Um`!K>!4_5dg3EpQd1x|H{UaUmSi=$Fx0X{NF z+T=&q;0lx2xSObTMyPL0>BI8Ux&F31n%6=VtB3tZI34UPcmgi`JK|N+cN)ZLlwKq& z4&Wm_q&Pt`O0Z#yMdxlYHf-K8r6RdPU65_Qg$+znLjjd?z(GJ-ZB{LBszU+Eax;MA z@kZ>PmTNMQz8Qx)1#UN=*fE5U2%F zeBx~_9oyi4vkKC&mP6fDngjDFXV5Q^Tew);@Qp|t8Df00!&dO)Uj>8{wOXgE03u{1 zqDXD0@P>Ml1ZjsN)30{lP2VAMQ?BgUaZm$3@*0M?HZeJ$lREA|X=8Jhj^?feC9@C~ zc`t}^gkg5-pq2snldm92a6$`^XNgHnNg#qD6>9?iTkj+fTi?V8|jlWQxySJ)MT9@eePai7Dh)nyzlF%VnNiq^~Yk7U9Ad6*mtLeuYOpmjPvQiYRAKn!vAj!z3;E?X^jUmvOq%4FMU5u*N8BMVsXk z;!Fk522OSRW)Oqwnmzs2XIo@Fb{v5g6&g+So7e$@dEhW7TfU%aivF@;segbwOlp@p;Pl7|NuoRyWmImdoMLHAhny5;R@OfhGPB4@w$LxElU zoTzE)4K;Ru11GbmaE&uXd?A1z398l)Un{&OdQN+3$<~uVkFS^x?A|1QV10ZXJ%&9-ryD11o|#c9J_%~TAH&{oSR(scJ{5!NNv><_97_YD^5QO!DH;v zqkTp6g>}z%`HwEzX5chW*Ajv@at%Qa6(}{A11l*nJuio{?wQg=ZW6wmJ{OppY8ca) zL;e01_p(u>QWmUM_R!?t_fkW4ZKy2x3XuJ4rFq?)N!8!m*X`Hy`^z8NhSWHkNy2Ua zYSvXL3@^Ah)FK22 z43(|q&R8`LYKs)F>}d519xRnVoaijg9Y|tUmv1#>VW?t0U*tLg zg+5bt$kcaMpbN0#?!O9o7Pc$=G(#rpl)fp%_HSXJOKUkr_quFNLdW}?!M5eoep6qWn)A9a z)f5y$fKVUL<`)~MWZZ~VOh?t%1zJW2>sK|!MpCYy^65hFF*fdjvn~Q_)A#~i6}GHn zV1%kyuza@N$hEvo9*2v4ixNmT(*^{)xEFDRXcl 
z>;a=B4s*YyOK~zgt;aViisDK~Z;qmgGyErExYMg1lfJjXb%yl2UZC|gu}%aQidK7l zXaq-aJr7ke;I`X1Xjqv%oJC@kP|j7SbqPWzBIMsJ@l)5r@;W!7-gT4j!S7?89Sa@9Jb>RbGtu=X+0T%g>IBm466;`Np^P^3$eu84QNeYLnoEvw(tusmbW5L>!pC#m!?6=? zk8*rEpzplWpePpAZXpQj3!$o;wQJOU34HW z=&7Y4kha4){i3q2bMA9ippRqxdL`&lYSg05N>pk2D&ckoN`W*<#6l%1DcDuY7j;Ys z#N_@QW(8TQwA60MSNVvue=;1&dXuF7ZKuE2drwxPYL!W5I^L&f?bi1$-7cW#-wyG7 zD&f?kqgzf!mb>WRb$>kbe9{G#k3hS)EGmJo+sKHGaI>-vg2ltRpqP8yyWxL^`6(+H z6tE^6+R@6Ka@k`2z!%Sp05WFLAQxEXlq+eK0j+*2(yT>6JkJ#bO{lLt(MvsyE$=w# zc>#k--k=X|h(f-W5y{fK!1bw{Z$ZIg7@g9o3>aoE9G*sTa0)1#rfS3&OsnY5@9P>u z$>3l?g!GF7af;Qs5119k;N2rP7Z>2`W?Cy7sty^;s@-t{0|1E zB6PHfO3t}x6xWisdrxMtkoA`9GePG|D ziV<#e5VX^RvG+!t1unGqu`PyWq#=C7q*XR^ULQf1P>-`%1E*_OA-1%~u{N)GloB^| zLmJz?V-8Zb!(ga~J+FtIM2rR9x}}BiX=_KbvsNNlmaK(2a5E6mbcww^wv||a51ym% zgpA-=g%2!tA;0D_g0r6O3BAtqg>AoHG!#p(|H4=6miCqB>Ox~*j3vutiy0l+se^2c zxqP3CLJZ6!`t|iY=aKUt(Gbaau+!xr#OA$hYlm#%-v=lvQqUdC<`{HMcB z#uZg|lgoK4gq8Cu&)NZ*A)#LGjoR2ylfuD;=$hnlUy-~#ygFRDiuP?S>>H!pocQOC z^4s?`Z%-6i9~^IF-L1cZEbYkr60FcA#c7wug?JS1HZH5CnU}jI0rvgf^qo z0z__yA9VTFT0sJE>Wx4~g`tbNF~Cs$DRBn^_*qWe*cBqH@K9sStcEz0xikCcqwNcw zBbghF{Y$}z&YmdB9ykg> ztpxtjiV~WhR6&861sYvs*G1MF3bBR8c{ThpOJ7f~o<^(L&ktu0cu0%~ktRwd@OQhp z)t;o!HQJ6RjRbEOZ`&1BoMVu)mvIs$8Ya409a0o0?DxKDYz@mT^?|z6@M|_K4T}Aw zGW-8ZeR^bU&Hzd@{SLIeFeK0;u|tEgh{3jlL?Eq#A>;h4%71qq25#5QIp6D3V8p1D z%iRUN3A6^UOHLc1ul_O)5l7r<5yJC0sv6DfjSLx?1d8J2IN zicKy9o++WEhfe%Uy59(375;BRLDJJwnfv>!qFf4xrw7!wcT8lFic=V&Aus*ywdv>2 z^-$rzU>bj`H!u`J)CD6U{M!b);a>gjRwe7!kGn~W6*b2as~a;W%MpZQUKSwP#I)*7 znp~V?R7Urb&BhB<<1D^+!V2A6e&j5w{mC$gLuo z6?Y|N=D(Wf4sxKelK(CiMPCplmQtH9m=el_QN!Tz1vRid-*3@}u(k383M>BGCbg{^ z5r(6m6(;3$ZQHE1z&+cOF`4XHw?2{i?)rkuP+<1$LzV92qw|+!%Y{UU{$yC(IwP+2IBs?5B0g>0OYWl&T^h?fe5R}qg>0`UySt+B8g-ZM8W%-*qfiBT#l7a!JWh0) zrPsTaYLtE7m}{jqPueNYuFjGx>JsZW`Cf z4^g}&QGzzU5eFLR*f5};i`?=>|Bu)<%4-JWsGtfQ4}a@ z#(-*^-N1$4gyoB2;9&eP8a>97xr9|3@nZf9?FW2SyIl9N8t`%&pGQt1h~ImyJiU6U z7a)M~3JeFI@_;f3k;V8P^;dRt{tf(%u__htUFmhrC%#y@cUzH;^o0&tdJwn8tu`gr 
zm|si<3t|Go0)bL^f|>0QRGH^Kge~jh4&cH9jA?Z^yMP5(RCCrr&N9YH%_x{jD@_mY z)L@9)07_E=m3bMGDwAF;p5ch_5a|CE`t%~-+yTv~swvHa)@(oj9q)JnK@LJcfAR`F zQ1m`MGauWvAoc)YZ@fWz9L7?Qs&(rV@k@Ud5iNVKihRt)n z3G;4**D+yupe+KhUbQ=9Li zvn|f=Mvw?>VIvVs;KHBYk~jT_Us2Atd`II`5wOwypQScsW?8&`9!ZyTdQ2{_QybuM zvbab6kfl{1HWFfvGC(YTQo`wCxR?TRH>+TUBjNvG3dLziI`2u^_SHXd=57YOD26=YC=W*N zo2=clh0wHk8Rcy}$7pKG3lW@XnzYU^&)`@#tTH`{PM@ae3}nAsTE+kLnv2xC zCXd{^B?JEr5oE;ouDJu0((|K^KK&;Un6k~dOo{ep+D8gDUwsKExSAEg+D$_Mx!;F}ov-wpx32qPr1o&qr~t{Z z&(tTNB{RDBEF)D4ha&(D#ScP=MwO)UvN&RlEOvx#`K$7S%OopK=A9U{#&$@4UUc-6{~*U+K?OjEaLfdzU^ zawqbeSSZ?X*er}7{Tjl6H*pNCoVDaDT4#!NNxNjS&;NDLqJ}o%w2l_|zwQy@y@ET) zmSLGY$2?_1ppdcdH~*gAAwu5&pph=7gEOac~NA@`T}37`aIqI|nnNSY|ka zAUzE88v(SDHwnxXTA3|*hprvBpy3E6=Uq6tNs)gkRtWuf2QvpR2XdgJ(+39p)Ys9f z;I73FBmdO}_8K;p*;;j^(1c^#Oo;dXw$@p3YVjH%p|5_zTLirhXq1gB#&t7ugWzg6 zZYyk(4tR{i8$;HJBsX#9KKCCW6)JQ(1BC;`t^jX3W4I*`xT)3o9IR7a!DsaA;|qN0q~{x5ZG9E5yFr&uKx1@ zIE$(U1S*GM3~|v1KY*)ri*SWCS>kgW0M8p4W`OlNWmmVe7s-kCTxv~~e&lTlFSR|P z&J0z+d=2-$e)uihXVmWziD&|@)C63q4}AN}tooOg?kEg2nDjkx1ha}}i=*!SPE{M2 zffKbo>-afYxA%!whuY>JYIF%tV0^3Z6eeu^@g0ac{T5Q@;mTZdl8KY(MZXF;3Yf_# zGZa+xs(C3|K%!VT8Wc)&xvwCS0RIj>Z4?g z8J@0RU5_S) zTHKn#71uR$7?On5G*I~SgugEsvx&Kb4_GVpAB61fVPHd!I&TQX{aUtwA$CLg(xpR@ivFuhsBS100wYO3ThsX#-R-8PDKTmLxJR> zPDl(=J+7HWA~{I$?%v4`k1wTlMImVe1$2MHaXIl5g=6j%jiZE)uVl>YtfFYJ$QFM6 zl1FvV>nekSrhH8JRlwIzCI`k-x-)YnBx@aj=x}}jyo&N825O1>dE0+PK~(Bjvq6)O zTEmLdjPvS5UMJRi+0D4orJSbtJ#!#LUTPZE z9QdRUk4bL$eqr`FTwI_jMvCp5c{nrcr_mS+Mw9@JrbN<-F%n|_FJ!f^1y>}5h%qc& zv3cdh{r+m3X2a^$!h4%!A_=nSWIORTaYXI7II463M+xe`#9?D~lUTKI zi9%IL7ryHah||V9+(^VlQ z(NvQzGWMOuQdjs1#kBuSBSSncpQFVXuPTj%5Je774Sgg1rTkk7a2fhE}xyqDh;0kDd~I>?W?!k{eN z|A{Q3k%l`NFv{>~+)ydiS+%#hhq6bBL<>cEloS5T6Kjf@&EwGhw z0@9>uj?PoYNC4PK^0ym17T8F#MmS0s;nvfxKrEgF&KWS_&m;C1gFc|ToY-X`3f)}b z)4Kv%jK1=P4)$F!b^O%UW>XQdeH4#b_u5N~CZ@wt!hSh^&M(|nOA8MB~>excg7^n@j%nl1s8{}@zDBXmBV1+A& z7}xGzCiv7#QL-_SuQk~_81$}s$yBH&{hU$%ZU>wM39apM>P{VTO6VX3eXV$)LD6u! 
zC~)<`K@-s+K+|=}(07+bkN{Qu`y=^LihpNroDjcBg|0vka~3hn`j^6iql@i2`Dm$z z)1He#l|F*}8WvN=29n-sqI3~c;C;FyAnE;el!m7b9tO1*5+yk7h$-gQKf9b_fKs4} zp<)@Ya&bBgU&QnYk8lWP5@Q=*QXCK-{9=}ffFp)~@VPcU5}4u0>EBqD>a02G$jm@| z-H_FNg^@pytBXR(Dy0|jR&xS%S-odQXFgm_eMNkHG}7i{|6vOo#)nT4F#@j)YwgfYwj?iowlP4qYWcNkU=6e|goYPn+r=HtzPZ81XDlUi?R zyi~;*mhYOT67Os6YC8T9B%rr~>Ix4yPQ3!n!g1wT-b<0oR+ahs3&q!~YiOm4K0!&& zBtm>+NyS}Uq4b&8VfaIFvxL8K*po5icHSmpS0udhuAV1n3kqX3f`>^{KtT^KtZp+2$i-E&AjaU^x(DTS4?3 zQN2P5d>HGk^5w3JrYuim;w5!vODT#99>L(Pf6H4Rd=Bn7bQ+KguX$xuuM2~xbEz< zb`I4YaCLiXMUo>(Adqbqyju+l^X*R&3bbao_~8->#gy1O1;j3etym2aDN!efu(B< zE#f(NUs4RAw3lT&v54sI>%`2sT{KX|ywq*H3HU<`GjMTc45x{XS>u*0NEs7iBg3LiwvJ;iEp|ZTTEH>bIS1 z{GsR^6OsSs<(JQKuxF)>b|pHgxFVm8%jxmLiYG`6(u`WYM4A1r;AdDwEe6VQJw)Wijq)CtP6)9f)0uy0TE%~a2mf}rDl%`c=t zfFhsUSSX3_e=MB6{!lJJKuCxCWIFGX0jik-EIk;`monqWh-jP0OGJ>Tx^WQ=frvCgQe&o0m+Y8%?5vwBA(p3eD!@=YV}L3Sti|MjOe&tI>6j;FN1{$@j=Tv0Po(^OQ#j#Xt4pP0pd`=2W!`M@ zxo5r{7U%w7ORFx+ur}Vp>ocBeDI6$5@c}rFjMaN)<~Jvir&V?eQiUj=U0jX({TDdv zcCC4$vu^nzD20^fIDdyfp6qoY2_lgzmNZS+;qN&dB~q)ot%}&KCh9lnH}Y@1LRr25RuxPf{qT0 z{XTMYtefJH^iK#N18QOpNrURrUG(4iUY1^VyUaH}V&&g|@xRcr#V!^-HBlfR^lU0! z`ZVWN?DZoWOjx+vM9&%DO5QEw6%8G5@Ul@H)eu9wD(rKv;R??T)SKvyS|_V0YGQa} zh{mN?C-2^Ad~U!r=5mJ)mWqaybQLs&qwKy|hZdqQ>abmbl(&=*x(5)QR4iRmi*U%L zi`R4E?6*{H>DQhiLeANDDI?Uf`z4oEgGb z<`$>omKYx1M*q_R@bO;-YdNjgrPt?I^-?%kxndN=ZkU-w|Aa9}zAqHN%v2H%%A7u| zYW*hoU^|ncNa~#Y7>1l(_>u`j$Vz)VDl#6L55#?uPTvpoYz*o4B*G6@4pmz=@tyBc z{KBsTmpoavS%+Y%o=AJGqtWyn0as~gf$CkfxAoADn299@f{ERQBnX;m`=;N+wf1Vb zc@=9-ZZmJgf|M>BK;K&Q(S z_a1PdunmP(a|#CD-;heQ=bI4I61RYDb4Dcen-iCwO1-m&^RoZ1$fu7Y7l;N2}o6|?;kN5 z!pSzj;G>cG;#0qb?&Yd39y? 
z7`hIkPY3_Q;rF?>4L923AJ)d0J9b82**wl_&Pl%s3VQ=b09g7i-ZEgTyU z_x5xDeHFMyzRL0aCb+$oekH(7T?v#hq5RQ!TCrP5*=5C>)$NIv`1%DEP0I(Vt z^1j}zsz@*stUe9_wk~)m33lN7NXNpdB^pmFO)SZAa3wl`m3c3y0WQz3?ed*yn3ZNDoWl_aW(#%J*VcU%yX*ehnFPR5&*vtSRjYLqS%-r6!_ z*t?WGqQKw_|8}{(#+jVBTd?9nF|JHb0FlbK3+AZf>^YY<|NEBW`t)zod@K6<-8sp+ z*2)f(vX`KlU5WJmY(Dn8;}!>HR$Qp&3I}DZQ3KeCPk(;va0oN#2gHvBNM6*H!lETZ z3QmTTj{H9KFjPu5)licIhS{@zpk(;}%^bY9Be&QdUr4Po!9t%zo`AA9L%qMBjZ5d1 zdMR)b9yPr%yZ3J56sMDkjuTs4jkapv3v5;lI{JHB33IgbgyWarOISV&(uCQ*_RBH% z%s>r5gz8QVS#3u9y>ZDB%ervd2zQ9CT+p(HcW#XDmgmZWA69c`!T-tayoLitI2pq} z{#h^$b1ijkhRfLqK`LV4KSL)q&>E``PU~M#hi96H3lPl^+Up;Y z6Q+ZXnuF+2`IhaWC>>sm;7DSu0zBECL7)_jX@&n;oVAd_1i1LT0Cp{J!Y*lI1c&r& z{D36}QwvRrrtV(|IO~`q?|6}1=hBD@V+yNmc+LM@<_f`4gk!Coj3sN!RxtL2T;i@} zguqQf@cP0wXj1P5mzw)ygUCY>>@ESb1mi+kZB>YIQ!RGUo+f%YC&V?l%A@7JTBdQ) z?ND^fG=fZ-S|#;6sGiuIsp?$ZmH(_MaOh2Y_OBJ-&>Jj&I^1in@4H;4#F#f{B&BKB z<>i`3;-Uvdh5!nQY>0xfoqw;C2Bb7Y(5n}X#p^0uG4V~D;;;PnPsz$2Yuz^0`J=6> zlPh~C5F0QmwAx4FW^xRo#7&&XCU$X&YdUuy3(-B2&*hqlFBdYT+VUp@@h6*S#Ya99 zJ#R}_Ma_GXtQ*p1Lp!V{HnsK5cpcvR-QDXsE?wZTkDiLH=d!+#p6v`rLFbiJl^#oo2$WPUvS6YpoLCz> z5P=GM?JIu8Fhr^23S~YpRU99smeoj7b0R+B7~|cW4p7qn)PqRqk5FKlvOZ7`5yG_7 znidp8)XV!>KQ#8Cz=R9c^Hq-|NZBHhxq;sG&2C;iMM}$!5b19@xag_t(0Y8nw+qgM zja+GWrD@UN@QHU;vc@1_WF2heSO&=XORZP!#3P(zLW;FY`5+OwBGviuLKjKxR}SW& z9;eGNUn!3<{xkgpL~Ic>vMfPwgigi|9Rfa=(~g1l6gX1&C7KXQ@}-|fZ(2F<2jO6~ zw$JK$4AReJZi&9el#dGO%Mt!{eu<;sZ$Pxa#kweV?rnFb@!oW_jSfLMEW70Dl+4Ay zPT5Zh%5sz~wSBYw^;K3*RaQI~OiHeyu;$1&UKu#o5Fgrs`mv9Ln#ryFin%A8D;XKZ z17fUHDwB;^ey@ai%-88m1S%2m|Gqy>^fRY#VWb4;`&`Hq^g>X*LkwJz(koJp9#i|l zTS&_oYo1DiP{Z+N#J?wdG4qEGfwPFQC2lDwh#txH9&Gsxq?&8N)4N!2gASxkj9xO@Kkm% zVCHB?n&Wd5f$ul${AXtXeXZTD_VL`V2HY746(6JsK<@`|q{SxGYiMz9G&RX_19z4ntW)z(0qmRN>U%f4=UTYSd5; z3nvfhk;RajCW$JJ?{>>l-rDa_e-a0P1&aFHDVjPk*8vFA^aIi6pv(72u>p3%{a?+j z4q2T8AQ%hz3HE{wH=XOaD5E~kWh|m!F+&NeKYZmOGmH4W6xvlNn+Gmc=~$d5X6;Fv zaDA-}-g{(!0GK)V#3qCLQzuUTp0K_uWD`C;aJ+zYSj3+muK%=!#+kCb7kAY10?eJr z@6#tS4yM~wWrx~5>qAUBL4$Kcx74pe3-ou1b 
z#k9|txeoM7&C}l2g@?7vX%giQmwC$PC%tU+1EoGGuihKxz)(Z<1IS6Tt}~a_-F3Mzlg^H$s;%AK5dO7LyX}B+E4|W}g`uH)g-q2^qGZ2fD3l2z zv8Z(*R@sl3!uk0l+Kd}{N z3O{tW?4o zJG#-=7LiI{o!En@LS^SAgc9EzsaA9HK!rA7q2u?z~k0!f6 z9rh3rHqOtM@T=ZOmlP%qf0A~`;y+*5F0CKK+c*qPtMlWlU@_}5z&((@tj~n*IkN(^ z7wyE$nnbfY$6Zx>vIn;Lk<(~cLD;ju^Ih6)S#nK5-7?TjqFrM*lMdZ1oS6}^wNYIE zBtK3gZj?~*n7d);2EZ;4R5bq0SP*vz6fR~>Yd+cSSM@=)Uli{eArE{4URsee-29JPpMpz$>WjV}jt#`9~#AiKBx6hfmW z@gG4dd%m(gIMvdMkzMcmdaVeLVH*8Xo@$0~P|Pjt`Wx?lBF3TK0*yrut*s@tO?5>s z0_B@!c9Bmp11ZLx*QF0~+w3b_v1YG9 zfJMl)!Wv5qQa-;g5q`*m5dU#J?~koE<7A&&oV3Ci6C_~rA`fY|^%u7FO3;}+a$_rh5%1I~w{vf$e zO$+bPqV*rHr(C_8apxhMK4}HiE?2dutK?V5gJ8W#?Oj%cMvzz=eS&(tjIKMDQE6@V5q%?qV6@ zW+3TS=z*!!1+q5a>n*Pwu$mCCtxQs0nBqK!mMA8QdZe6UK9BbP|Fs2Futd=T20|TR zAXFeqOUPylT9cBCfxuu-d~H(Jp^Etkp{ks}3KlS78ThA}Muc2Z2iQy#x`n<}Ibts$ z>4r~HGUQ1)tiEqQ5FZXjTNdA6b|Umwa{GUny2_|Hmt~8)LvVL@8QdKPclSUDPH=a3 zodJTo6M_eVyK6{r2o52*y*cl_d$>P)R)1^N?Al%3CEbO94c>l>A`r-g;t%q*i48)c zE?!?$avd_F1j2Zmy#5Az9vW#(X3}|;G4;>{_zPwYcuJuz_UI8H3il*CZ9+?Y6aT^I z4pZu+&92KZq)xv0jME!3w&!$9+m+J<`**}T>1#6lgZU<+Q)9v6r#%<$h|a`l{EKhE zP8vOmh!TgW8xdYbYYqY!tt6gc#lH7KAHU9H(8H(wZdq!CO{*CVQTzw2`LQ^+>9`!m z@7b~X;qZ%PR>&Cp|Q^TETgDz0FF)}c4c9A_(RfVL<= zYjr!7I;ceeUbXskZ^Q$6K2xS_u@zQD{>9{FP`jNoLuRtkzIb4KZmW(dNF$o~mzvf& zsjnb-3^4-?*I#gHyk^du#oycB(nrhwG1%Q67OYHyWxU249XeMJSM8nML|H4nuctG( zP0POb%EG<%)c23~c8Pc}_aE==$==mI?AYDDl06V7r~=w7R6HCLCrB>UvGNnKJ;t8| zjd$!- z2(jCw`OHyKB22(V$1}ZFCu5G}lD0LMs9CT!sal@#<%<~EuAu6?i-gstSh+?LU$|ni zVh=R%4?2B{KP-5cWRrFynDRbSk}#H$fE8J(&#kwFHRE?Wd?CZ!0!Qk)!R9!`f4~9$ zk^O)FA$x)P9$}f`Uen}>mRv#7ux*Bi-t{>^ul24k_xqBudAoF13Jm zQ(K+p;sU2|H_My;X)W~7Fcq$o3*d1XaNhuPg#JY7gi$U}xee`91>l8Y-f92V_x{W| z*gYsraeV{o-~|D2D?r)yO_5$rQzx|naIJ~|;L}H&sm+S{)Us_rKG1ITm2h+2>@EEE zd2ag!Vfoq^nT3>XnEnqGnNFy%5&}&F{NeQ+54{F?@+*?_l2`Q1A-i zwEHT6Wzh7@^y^Gg)+yhMVZ`vcW$nDR<0K0jU$lKB>neqG3@bX`_7VXQCy+g`jqZZ) z9Ng>;8#-tdDQU3lIwF(lU4zjTz2`b+kh8C|jcA%odq#^4J+=MjJR?%G;XAto;Bzbv zs)Zu)Z7NHIUr2_IERZ&bhiz$!CMHCX7_+PL{g^WB6tDIC%@7 
zhmMr$WT>q;VbwPWHYTE>B)HDHSI>bnVyjzU$WV6$=^53L9rx|IP4@Baw`oM#jnME{?RsD z&eqoL_vJls&p8_&Dddj{ZCjQisset;8X>ow1L?521Bq@ zp|t4wV{z&4uy0YZBf7Scj5m2r-qh(bTLkGoRDSr6I*nDRo`0oGDz*_SuFyUHJkQ5N zM)>v9Io3e<@#gr)#`?DX7^p+b!Q>V!KwVndKUFKH*zAkBZMs2HX{@eVa(k?FlH+WX z^cBSi?Id`}Rn+fs4|ko9EHPAX>4zN+1{8?IVMr?^Y*u>{svHI}t)dqi2#?{y>>{Ba zqGh(=d8WgY#^8W*6bcwWL|GIkY{ zoWsux7FqzDJgAIW2Yd(P7KyFSQnbPgQCH7JRenj<$ohEnP*NyR6l|{9>WGb4MY-Kr zeKBR}F`>%UUOih55K)8xICuJKE#N0ZiU;J@{c&QNMC>RuqV8uyex zrs?g(?Ou>Kxr|ewNpPCSn@HVfY^hEz0jcbZgBQm@zMf4_2IJ)VM>-jk)CQ@>5BDk3 z6;LRP>C$Ci)G=<+sn=FLzR zCSH=HRRvTfgp&gh;bdbKRg59E{CEJ|uOEC@%cH}_)Se)<;W>m^VvJ!1Ns-SD;G_H|xj}i)jS%xQseGV+mzB(kda=Y4S-*$4!0*&T2kCyn>Iz zmj&^Y&$Js`+K#&NQ0NSXGt*T+jrhOqk5`Sa88q%sv076o*2At~CE5-^QV-_RfEer# zkjsF5xuh#Ie1hA!k{Y8|Qs0Y4>WQYClS{z|6LHndihr0@MFjZ60W|n;i-5m{uyN~} zs8O4se?@|?2Z{uVfReqJXsrVctXZ)N*QvejC&vIcY1E@T6`ziu zq`--9Tk!dw^Q=by@w~=A)ewPIm++8VHKG3ZOmzn~p`^ZqWtM=h<|FDNe)#Imb*K|n zG^7e9P1gZ|kKGfXfN#zHp#MbfFTXru|8tebV&J{+`{;S;e#O5tSmjZX08w7r--SM! zWs3Rbtbe_~$5LZv6Ue-)E*8Q(ZcEfcqjB+NeDlBJ-_J@zgpq~_!xie_4=snqt`PrO zA&-=P||az^WK(CYl<+Ao@IEF zwSaU5XYK~k_S2LL&NrTc`#h?tb2Q{YJMdl((sAw}HIqJ7_;jjJoB`H?6kLp1?7-wX znrq;H)pu&YzZC92z7mGWq7ed-g;{;nf=Qcjbid@0ullxID7V0fjXjxWQlU2L5^qHS&8 zo|_aDGZ$Dh0Hz|<(&;^n+_>4p_B!7mo zvn?v4b28j2`!dU`|3YS4_PCRiqfM|gUf>{NagWPBvZtns-TD;sN#L}>=8pZ(wwmQ7 z?wM12hieTLohZ_vC~ve&K63)1zg9-(lZs>y{f4^sq`HHcz~>ku_I-EypQ~U+ zf&-Nf0#|wyFwfyOSTSo;h5e80KC5Qb{d%IoZ#Wm|E!Gw4L=k8@`t1p0si8r^vDriOB9MwL51NA$;*2c z)`xtL=QY=w`MSG$+}(f;t`&C2yFg4MyyKlL#QM>Jnn(VfK7Y*;VG!Qoc8S6*wPs0N z8np=+?+~YCgj3B8Q9pS-Lw$2Na72?~mlcV?Y4?$8Iz?uf9T+R4s=VIvUG+n;eJ~=K zX367@VhRK(Z;4c7dl5?GWN(QU=jIlWh6QnqdoW5sRS^*`(lF+nI~%boxp2<+Tr|-L zAk_^FRIw2G09W_$?r&{9s})Yr;O}i#xm#-d;<#o)6Y$_~9M&OO;s_tK4A%f*>qIuU z%+8)^w_($ZiDnZHp8uT^otxQa9|2mDn};G1f_yvNOjyZ2)VSq_PjeW$sgMRS=P*B~ z3}2r>*G0CJW5ZaTDq<0Wr<8kV4?V0Q(@&G=bqhh?dSCAoUxxL@eG6Y-DVFpUB0@g* z`nweigVtBhTasW1QbG66;69UqePsKVm?PA2(Dq2^T5K`0+GKAKR1iUR-Mt(XYDVxpRjK(aZ-qazm^ z;g8=OowaI^1eb9<&y_RiyA(>&f&23Bon-Q2S(;5t 
z5?qc?uP0Ha*m~m75$LW~lg=D(tiH{Qr5g_fI+B7u!`X@7sH#1BoQ`-F%MO4kw^)HD zAfHdk%@eoYc<#az0rT#GPNXD-kad}(PGevI ztqB$vf}rg2yFesKUViuD`gZ?PfLLzj^n&*hclxkjp!S{1G(|WHz6|^_v1K{ZEOW+1 z##5F*&u6*EDf;YW=kBx(LUjkFnsz2;3^djcbee$O6B`&l*fD>hQUMU~aLYsKoLZ3;81Oc7ryntGu3^de_KgL zyB}hMm4%adI7a<#{dyZ+s2Qz6^eVK8Y#+JBu*;IJ-FH@yXaNT}eE*N7VwC&gv-cDo z1j}UOsrC}%WC?B_XolITuFUBeu0nHY?O1IC@9|U9mr}%-0hR&A&Pyc|CmhS#SPh~G3_RHz?`Kt^fhkabZ?o}BeCWD(V z0k)thc;s+P2AD+Y2J=WA@)yi3u9^=IF0FeiKakbHkC>(2*(dcQ2kyQZ7bre5>hjy2 z7_c@0&6mu&(V?%Me=pkPyt>u=3-L-AdA3rhmaa|;p*v9^B_dBG zQ}b#e`4q-AyJeIwKzN}aGU~%XC$P`AHW=d;xYBo&$42evwfr=O%kGwfn4fdDw{@bv z&@!OPvfjdTqM9qdIooF+huXC9cnrl7H64~l%2YGB@FtGo*udNsO%3)@} zLB8Z1c$$;sGU5lBrn! z6=Wy8f4l9|aV2@D+c-J)2;8`oF}>NS--n#4-4xTjr5%J(}?v|tOf1x~Y(F{R(@*k81wb>rU z3;Bs@XO|Q$Cq{UJ;J*Gvvxwr`Ii2vU5OTpj)mo%!2Kt#imH;EHhNzjdju6`D3zqHb z{Q_0a-yL)-J{w4nY5id#mh2NBC~FH#NN4}m{W2NPc_rBR%Mn-;2WTXpin(?H z*2ue9c8e&1;Rm=ezHR}T>_qhJ_}5jzl*;$i+%#xYF|u!aA}1NJ=5|LAa#GzvlIDGB z^GoLPa~;0ywGF)e`uA^z=sV-#lX&JEuXIGT_uAJ`qW1}Y3gcd4?j}K9&*4z$T((HQ zZ4R%#&-asK@d#J#5Mi7gAqJkwT$)Zpx^vylL!s2y5!QBg9q#4F0b~r^jbf;Cgbu+20W?Tzcq4Ky)*nNj^ zuHhN@*z1ao+v@5Fg8@eVAwY!WoS(*;Dm$Sm-kP%`HDoSs$jN}~bR^rOfMuT$#bfcW z89#!J+OYWkAfAt`?8${fO2FIGUUJDM%A-V%lPBD=6M)CkQ) zoCeMGP*xs5Z=WexN5Caugp`S(`29rogmbE!x7i2FIz*7AB1y~YU$KZOWuu6XU%eez z7b8A74IvjDc5YMlTulyntb0qhk|W0Ev`dt${yv^sqN=C(9*>;1KAKVc>h1dYaGS*! 
z+*e)Tr6R}iqX=hF*>et+BXFH;&_b^|_D8F&cJ{RMwcV9b0C?lbY{2>2HLyAfG78-w zX8pbZ^qJts(5F1fzQ@7JR&d0QfL6n`sI%GKdHOHPSIlgEh2XUTp?oBYj26th3Xy{1 z3eL1eA)k@Vr=%x|g;~n_#QGq;`)*89b`!~CO>3CKt#1s%_l8Tq#EoB_$z&=xC1E70 z1Y7E>hfN%YLhk=+2l0z84j)#&$o|!)C@+5ih%T1@t~9_KN-Svd*rH{f;OT2SxMRg@ zoNgXLZ429k0;>HNzhTLIt6p~wE42x%01~`(DA^j5OqR@of`s^3rwd2xHuZFHHF^aT zEO{=jG@3dv=oqNHIxQMMzw@1<9=2+innFJYynjgVyZ2LA&gGI1dk^QIE6?P|7y*Jks znZM%Ma%V%Pys0x-Hp=|y)jO1Fagb0SOO>gijZ>ZxBB4IkY29(Pf)25gAv{vZ58sS+>;3)d@osZGqetVaD!E5tzrM>}2W zuhga$Nmo(0Ty?1xOf!P#u#gUC+;x~I>X`7DlyS{^gG z*6n-Txp(uvmpUHc zTT(g()G&l16VMgv6oK#8WLrE+rXnTMvLx2sVXb#Td!@>A@#jg&`K9XZ@m$>1V;a=L zeE$K1E(%DDn4fwvCif+kOF+0<8&E}gzp}=#ruiYraCu;j zfx@Kz8MF;0$Sxk}bPlt3R_-7Cvxh%m>yJqe)OHFHfc9QI@+-GVo8j;mSbn0Xsn0+2AGG#39gp8%qo0Iq! zw%{!6_dp92nTOo*K*Oz2$+pUtXes5iFkGhbgB}ZcxqrPm+_z)l$lV3v76l8^4u9x@ zohF8{_J&lBx(1^N;%BRwpxJ5>z=Asnjb%*GT#hV*A*0X^Mz<20?osFA#z zsQYvx=&*iN;9eD943{J7w}UR@Z*_t&3N;gmGad%R9I{7+>gKa2Q8P7ONTS|5EVJHj!SI*x1 zs6N@Jey9Tq1i&jNzX@D&dY7?dUI2u2+9_}C2e znbkgSK&m{RZVt;)QWswy?yG&xY){Bg2*}U(e&hyyhp$ktFAdUv3|pUv@x$PVUXgl_W-(_{v;10?`$;AMA>6(OTCY4IMuuJ{V~T=v~YYvhZ|<5+4!1Ozc}A05Eyl zqN9j5MJAvQED+!@=h59$Is*r!@&_i|eJ1>;6?1mr3P~P&n)N9)u%`OofDaZYBe%WS z@yUh&e<#gND1ULlJ-0VdS1uwS? 
z-!n9(7VArXHG$Y^_{hW&n**a&8yBc_6%rvLA!y`DUwE$(@x820aLqE4K$<7|KLbnhG0mTngk2I#m`?QmA4`Tq_BS2hHk0R*XfM^(NmM~n%{mcK4s~ky7 ztx!Skdqn3t-#qeP_9}_sZFjm}YEAtzJ(lV%A)1Hn-@ii4dWSL34IXF#cWfft z4TLfnsu^E|6S(zhP4~`=10PvFIBwyxZ!W*0VvVU8nPgSZx{#r|R+x_d>`6XXe|(gU$&Nhuq~3zhH_`%pfChea*h~wSbuvDH}1mUheI|!onU{KI*go21#Cb=4lTXF zSqAQLbkeMYeGHtM6=Wbi4zk7zd>G3LT1$T0 zE=Ns15I6z}u;#u{?^*_5bUtD&y_!hn|30r;zmQz7^mhRbJ5?PLd>m>+U?eB42)W#3 zHs&l1^%Eyl393}fet#uZFj*!ef8}nK+d1RPZxh|jBps?cD!mm=>6y(CG;AX?EjmQQ zV9{e`7f0)fYi9veq1bl(uR{cCcYhfgLnBi;`(I_G_+{%WwY@q(RhsJ+&Nt40-GQ^= zpe1CA)4pg=j=Ozt=TaBmP?;^l+6!3Gg%q>BRbF`y5pjXC_PBTDf{}npF535rt+)^0 zceqe-@8?h2E5`wxB>q$u`|0F&7N^1sjWbcVEFk$1Q6D$+zw$kNOWZ~6nRB_Y{QJD5zOF8=s!hlP?{^%R zj@#5ixe(T@4<_IeNQ2u5aRy|U4;u3xh_1ZxN0LcmCt_r$G&v?x_2F_7O1v>$x8HV# zu)&{H>=5$DX%Pr)#Ur)HEa6H!ac@vHHdG=L8O&&-4BXh=9oCRf_2+u%Mq)pSspQIC zap$WF{6FULt{oQ9^XSr{PK=?9llas&B5Hfwz^3TYQ@5$_jQSU>`*Ez2Fb-g+w@|e? zk=O6YE!vK)1sfFrO(xf@?>0AmSMqpvZgPr^3U9#h*Cw+-#uuDi8rb&uEjN;MY5!%A zO}neE@m3x%yYB14l4@QBQON}90Ng%b;_LyWy{gP~zn%O2OyARb_CC8Sc${F{xF>n@ z4_!`waj)7cwOhcx&!>UZfuzlB*4FkXA~j?8{UWS`KZS4kj%_k_GeFF^fM?7<+yp|n zIe^Tui&IW-Z5@NFTEKdFHtp_yVRBM7v`&b5+Fz2xTfe(n1MuMeNBb;9c7qWB7Is>F z*LIL#JDUi7{|B`f{V4G0^|AC#A;5Kx(#!Hn=Tmg^w)%g}4sp#c1`9iQAQse-3R$a4 z^pLeW3R$akTDaUzspYPVFQ=3H!a+4P(|?+orfhI5HlEH}=4Fj+IJ*B-89)0jMb+(L+x-=O z*ng09Jwrk;|F#PZT|7u&np+c1+ky*s?%TO0O@;tFHC#EFTz!BYr)`@+@`jlt&Gz`6 z_`&b{tf=#p$g=6f>&Ccz14MTJ9*nNDTo)|BveTo0Vlei2wgZsWs!H%nJi{mPj(CQL z_W)a=rMl^^TQ}2K#70~l_|b14T8WH>$Hl2OEV?H)JQ&|o*rav(eJ=4JBbT*d#rqS; z*+UMMEIkZOnL8;VJ^YVRK!!@Nf`#IxhlTp9TDEaH@h*^@$7vV`ih9{bV+_{T&K`!< z!$Nr9I0$=6;tdTbC^7`YzhE@pF(P;6Z8SQu40Q*iT z=7~6pgCdRop{cc^RT*9n&i|zY1w)Z60Go|E`h5(;`ueDUJ4e*cUsgO;m}kW!yGA6R zbdK=$K#6eN+5ck069zV$FOZse&#`3gf^YRMl0tCgTawW07oSTr&7*8^Y{9pLdfy_^ znumYFysD$xd)rF{>lq4|Fps7Ao0>sV2*dujD*$JYHnwd>vNe|Kc@-ujo)Hdf9T5V) zZa$Xa^))tW1VrSFp^YWsuCEoeCyx9zD`XK$6zPjO5yED9JI{q8KYv!wg8fW4o*dEn z`Rs~|5Rg_jviDjS&`+A=sT zj#2G#Gy6Sui20`=NmPc#w*>}Oi&4q$3)Cdrb0lr4=orwF`0xVd^iM>4Cq#Lrs3Fb; 
zR-%}>cFg9PD-H1Z6X8cP&%0)mW?Nd&40OSI1RaX!c*U(0q_cX1Eq#qTUA2aOj_PZi z%Y&H*_A|%#!ys(nYaG%;!TJr-*`Ij9$}}#ua5n;LL@{NPe0u6zZ|VslFjD#Jn>@i8 z7|$HOzy}J5Ji5_CY34Q%aSkg#UxdF;8jvyzGBBzHknS<3gv4@I+m9e>)j{EPP%QTH zt=qT4N^qL9D|6;f;>5dTntNa?bAC4n#h${6N6IuOw{Zg7fqg6pdljQ6w-;J-C?W%o zkj@@s?1rGgbZ<5g3RZ}<@3){qXnM0N8YQvX_uzZjwo;OURAx~;KhJcYLxqJTINZN?v1QZ7@ia5mQ)5w#s{qg`cOz$SY>JAPy5L(Go1i2BtfU=n~OPYd? zX-JP5|GIkyRLP^wUDK9&PUSZcqyv4yUsI-tG!Po&^ewX<6zK+7i&gih54@StyLXj8 zm-EmZCYbv%cXyKVeooQL$N{LhJEF0Ow!%k{7-Zz&sJJ(C2z=tAk+FqvT8)!jIsO`a zKV_UwT~8t?tG_rHYQ%1Ik)n0@zvQt*4F(mrFHnjWf^B2P-*7Fg|I@V@rbw3ft8bPh z>DJs{u1@OW15$ZkG8(zY_HbGF-x~FAgYnw5)s6ObV_nzYnV!CS?LLAcXIt6uST>xY z#66n#=%YHP^<;rR|3Nsi!!6vQa7W`l;2ujXj2T(JaMk-Ssg7%u)03epZC=lpA% z&?(ELN8q6mvz{am0nb_FUQBEGSE4NJFk^-n(at*0h{nzOLesYEKYQu64k zXw>*+JvT&&?~5=UF^^<23#=Kb%+%zIXkwAqykHN$K5H`woopRtXA#bo-4zRF2fAD3 z(HRLW866mItFerd=PMr|_PpB|@29}Rsr+ky7+~-_-Qje!Nlbr9(FR059!C7rW%;&D zfMe;ywUiIzOI0T>>7Q0ga{=)*D_&4D@fLXTH{@-`#ufW`i5ad%q!D&j~Ij?>z8K(pI@J90|YW6%ir0_E5tOze&x3L@#=$K20!6oKwW!W57# zZ5pEOVxCjHT!F{%ENa)3lRWPU^kIAbs@sfI|H6)g?o+?KT(CKVGQ%+6LyLCk6ZyA| zxld>EetB3E2BTL~!!xOLt+!TEsB!$p2AaWO<_FP*wH^++P`jJWZ6-CV6i}t75-%~s zuQ3hifMK;GoRPS-wcClsNVAU;)wEi(8<-Wq*cqL%4sltCrj*V=`8S7ls2rY}S%b0Z zj8@$EquKGR+_cR$G6>K)L}MCSWqIc3oGI7&XlD0n=)3>m5HS zoH#wL8Q;#ZBh06G+=iVvq!lh;Z=x&ACl#!Q=4|1>-SCM-?kFF~!(L$7-<;xTmQ$?^=BY_wz&?B@m$ z_&4qHfv!I25AZZ~m&eHYlm8W?m#IRwG@V&QbGeD>`k@MAmAYZy`6nAX6RD4d#r_7! 
z0HK|>&}Qc^u2tsYq)@UFa&*X?YLTTZHKPHU!7-~NqB$Pj!soaGdD9<%1UgN&FW71Y z)@yr_wJY+VCubi*2Xa63H&X}Pm%d`Wl^J51m@Xa!~=-!Z<--i(D^ zW%lTnq0ZuX?WdC0$=pR-(M31;j%EhXBYl&`-?MESBF!K~nhROp7ah{Yh==Gjkg}YM zGXD#Gl#5L_3&wV*aViTgGphe@*m=G}0erdkPh;=SI8rm$quH9S4)T@Fs5A)56jPBoG8 zVIcWR*NK>1mV7c^=)Ea_soeNzMYGn1gxAUQ(fG@}{L)zzC~0;2^3- z6X2eFXL-q*R;V12H;&u=D&KuoQ>k-c(egZgNt?uXgN_Y^Hh_&AyE_KeFZl_wZQRo| zv^YQ=a}EgoUPS)^^%aBq9k)o@)Xmf9bJ+9@$wq0NX60E!@xXS6UQH8m`i_}0>eB)a zI`?-^MCCwC>z~GvnfDqME*F%6p~rB0=t9#2_VO+szDyx1@qlOk{88 z)h>FyytXqcqel_{u!PcuM%#@eSsKe>nbFcjyAnypLq<|^$+pHO2Aplp=D%P95iHL* z0if{WQC8)N?P0d!f1){P@uFs)KshP8UjU%q@uXv$ept;OJO>P@lEFB_It}|SuYX=U z#{qOGw&rp+V?aW5Ko3Lt5{Cs&Y;M5gz-usSQaQ-sK6>Zzu$`!WXZ0wAP!Dr}pc2v2 zSQKmLC?s1QleV?EX@*ll8n*p709mTeJXsHBPAPhZFRMJ-^&0BmO$HY0r~+~OKpPW+ zu4MFk5%h5O6g2e&KZ|s!l1Ba5T>TYPdxV;B^2uB^@>}Dxu$0XhmlcCs-$v;HO%`U7 z;ReiK>4y}-0E7F0<*nt+&Pl6z&7x?zL5mVTwvN#31AA|qA#gkR)tmp|+lCE=JNx#N zK%#1PnET5kBz3(OQm?tdIik_uC9}dB!<{8b9=D&n7%vDopm?((`yPN-hz)sx*pO^# z-uy_xEUagS$-ykmmmBfKesn=3qAZ=vA>|}7w)83*QI+XP(o@b z4jjtc$$w`B4nh0-*>g{(V2i)S@oOc^D>=pO_lM!v56>-ZbJ7MG z_m>&#EKXoqu zAK$zZ(Wq~G;ymhG0eY)~omGP@e?E*+R{UnBql%2YwI7mraLpH8*BImi1%lhmt|dr*iT;KQ<;(!9~il*LaB&r65c?YZZK{Y7QW!Ccs;POb65Fpb)4aB(MC8H;FS4wPwt?7Tevxa%tEWG2O|kYFbwKBm7A z$4W#;5KHnqtw3iMSTjeS8Dm&D6EhwUzGgP4i@_Y@On4 zO=(7ij2;Vfr(|@sA7``osadL?->cGF)3s1QUWkVN7~vB)W2-J6BMDtvMjT6IpmB=$ zrb6p$;gN^3%oxVR&)Nf@p5(b^~a+4 zw`bqSYX-O~+bltKRXeG7Rch~5+zU|_8CvLZwXq+5iea|(WMA~i;&t2A<@&(w7hF^gPCGc+*ntnK0gSQ+L)S)9O zYxK|tkmMeAP5aZ!g6;zs%@BMl6vR)(3VUyOuoAclqSnfQ4GyqCh_lbnC0&2^Shag) zzUH5CJr49|=G>$li}sB~#l(CsXdl?I(v+#BIax4+Wk zW~ysH332d+wKSmN^mFGAB5MgaeHmDbr(=9a@djSz02ync!mn|&8a3H877H|adH@U{ zbWUJ0^5q8uPZd^OPe9Yspc(x_57m!AY(yPiSG%sJj=Y)M3_6NIG+LP-AF$-gA9Pb`&XXhD&P?@xA7g{yD#uYHZeiC$Py%`bBs4$==kU(%&p_4UMSrh}xt`@2YJH z2;~(^L2f2Veo_`z`%+Z-_kHGF^Ne4)sYzN(zVt5;heA!G#{6s^$@SBI3O}=x&h{T2 z0Rn+6tH-*0_#=Yfc6BBpg*!lBdt6_}$FLQfVk9UIcB?f0u+7h5c!wZ*SS}8?BU2 zvBfb8%I(C`hE;44Egl_*nYw%F9pp~;~bs&9svLlmmx 
zm~iTZcvdM1LW>uIdw!{rW9j9j(}JA^cc&J=;WAqR34E(=ygO_-dvCOs^Odb@esX8l zFa=0E<|q$m;P8%!d%z<3)_;4lt>myt<3+kjH(%+Uq1`U;&0ZV~GBXjV2m)CzhD|fa zD7vK9zjAP3WCUh@WO~gO>ZTYuBwPKx)|`Rz4D?I3H!IP8Pf9}B%tb`m?92_0WfSo< zoZ4&y`>5}UL^2)9a81 zhfY*3ylR}303JR*Y1?~okFDBl#GQE8LqYMEcK&T7*hjlWc6czAEJN9EcTi zX%!2si+fLYj=6Vu78oSN?Zrndn-7evhnf;p!oX4iy;My1(kfPr=G>F2_ zuG@gz2=m+Ec>t5Jgv*Y6!B*`vzc7+vH>dg>3(wTHCH$M43iyG|vVzwc#61Oc;eBVv zq-O9fg2 zNOx2`n96Z+<23ZNq2`?q8$nq$r?U9KUKSW{#tJci`Y1*H(i^Ah{*E?`zT34XjD)96 zqge~nvb#rv!3%W$)F^Zw6=E><1C1_hrhaAgvTA2^jv3cHVzd`8yQzBxIM})8#fVj3 z{7bK!Arh;u^BEYfME&`)R`Od%&&K_>Tn3d6?yiAZ+*eQafMAnb)Z@7NpI0URSR5eL z7c0c1ZB4j0rADu&P_N*51#w&cqf{=4Qlk}H=&;=lH}sai z#GA{xq`Ay*(x*pjG*ni7{T=_ye|o;GYRlF82+6CPA(?k{`P;_0`V0=Hzxxs6s_@8o z4acmMRSc0tjE2-6F`3gZcfukecUJzSrCVuNyc5%lsNuRHe0_6gI>#r|MMnkGOW4$sb z=YzTu_bf=0rq-$eVq*ZwSWl|Tjkfd>ZNg#;rX-sN%!`$ zyJpL?L1LuPX;U~INI_8Y>pC3g|(?zw?4D-I0vwi*+swR=~ z;Z(f+i8Sz|ZM!)2^;7ahTDj`pZ(pMt%!h}T0bjEk45_`au&^!Ipi^OzAFETW)1Qf_ z;NBY_TbPwxH@MbDC43Ndlsay_2%Ay%@7qQiYn2ORg%@YpGD8wa(ONB?!<_r#iDGPSvy6yoTjuc$fM+=Eh;=t@_G&zh-jdj}|JlFp*g6GW>m7gn zvd4SNm1MF|zd_Te)r|;U(7uh;0*@}%1{i>3iRJ+OA(-qKhyP?Du2wKYf)0GS>HoSd z+qoWvvtE&6(;=%B_v-)Yadm{FFeVMn{l6QTz2!6*jRnf2+=H{)7Z9C>Oh;@d#{?un zVQy`b{S90gZ${V5P2UT#dwyC{`s^R~Yr7kYTaHaq{L~r@UEiaf0#7@3I$-SwsM0Fb z4~Y9wrddrx2N+DV5*PVSl@}OC^sOu?nHkifl;EvxWSuc7jjjZ*qHekmg-KVS_&rIe z;P@9uMdPRS#dLt@rTO#2_0KhK(Qe;6r@u(gAxg#h(e9;Ed?2Ky$qc*CD-u>@?9&Y# zsdl`Hs`^pmJP-8!KA`g}+L({{ZPfom)jLPW*>3;CjT$sfW81df*iK`!v2ELFY}=UF zwr$(SJJ0WY&(rh%lQmiEo;Ca0*T!e_4np3wBco0aDTqyKu|g!y0if&bE`>NYbA$b7 zX6(cuV>Z@=eUfA{dB>D+LB5i=4WNeM8)epvn3h|pj}H9AhpH)WIr+Bp!&-Z@Jo6?5 zMObQpmUFdnAs}?Dt-XNr)g|DnaCF+#psY^j?7RW{tCG~h>*I|TrMIghOUXE=8w*p1oIftdw6k#;#!JQn`~W~~e2SeFU&??HUuyHNev&-Ye!B?Q z9yL=ad8|%t%pe$0avG>@y!verTbiRe736QGtjA#vcEY{{qmVr{j9$sg4OuTFh`0y- zTofTFPQEyN*zH?BD;wj;@$@7mz+!${M&q){{Jm@~g~_Uoto4`MveenAsIsf@SD1yg zO7pI;LRPLmhhF)Tkv>_-yjuEFH{T+yM`}EW52%4L8qTe;gKIAK=uJS#;N=##7v$kJ z7kG455y+vw9+R#o!{jJ@90__*!o2fjdHZJCbJS9AU#l5e6Pe)Nqn;sUB{UC_uUN 
zc9fUqQc&bBG;`+u3cipqou4P|ma8x>hoMrscoK|F|ALsB9?Zo~;%0k$T17XX=qCg- zO&X9$SIp4Ur=bks_?$II8ewWWcGyoY|?JVt(aj?yaa;#oEar_PVMvoegY-~Qd)|?FvlkaN8I;T zGtLjl6MfSDIT40wBKf_1}yp>Wa;K3LE6Zd+RvFhbr7^aKFQ% zN{4W8@8+CcZJdAczb%luCx&auSUA!~Zsd#CHe%bET{8bPXI+urntI%2TauRuSzwF* z^84o7m;TQ^(WeSrIz-QB$p4M!_$1LZ0pIAO%^Y_LHXrJ4>&tKpKf3x)7y zbv&Y@nfreP`^9MwdcuAf=^w%FK=#KL*2yIZ?YLt~_DwQ%rVUup?f1?Y>HTfalQ5X- z2nv#DUUE;f`OBCwf!h)(xg2`~LRryjWL?%Sk6Ql4sz^r>K&f(XY3K-29Cwd3ao6a! zCtUDw_1kr-UoEW`>^vKbx%?!1%ERZ$_oG^VE`mAVvSkPI7oio;#(o3Z5;UMKp*(@Fw3#Eoj4Ng;iRju~ zBAX5UaAt`{{c}dI)w$8)zpC(9eTcAzLk~Sw^Feb^8Vu zcOMocE6?ROiP1RS+DavPG2%=UocmKs_*dBjcCF1ts@5AsjHuMi;lV27*sQ~RMDfgF z@E?hyB!|L-jy0c=Y{gp%qN0wisU*r$)bZy-T}ZWX-v$$$@QR2iz6%G=w%Y(ROVK8> zBaz^;j3`WO+-Etqz%x6Q#RbAVt%eG3fr{y2#VyT6ze{=dQa^s~hFZChESfAEo96)g zSdX6WeIz*AEE}k2Awg|p{%nKHq$lc7qUWrk=vjIPUp|u{7foK@zm?-1t{dn>z#ft! zwshdraOD`kcaERmS*CuK9Gsb*wIpDPO2!tjUe?~u`^t4^heVJ>9e-GIphxAmt7eojF=1C@Yz?D><#HOY2g)d(M_P`(opRS-y(SdSC!8S-xQ>&ESi87$Pt8E?H*@y_#4@+HZeSskOxOds^Yoq=b$1x( zkXa=)>GTPmJ?R_;@OM(=VUtY$7N+=XqPTlqX z@kQ8+e@b2AMXT$`pM@E8v-Rs7QrqEh_+j*hSZ$QT+~bG0&vZDH#)?E&?WVP;cxu6R zm(A>tHt}ZG5tR*K#Xi=tmh8$ybNrC|Z~*hP3>e|b74i7<=iYtpnWOccGYr+LE*MnRL_kAqGJI+G#wIr@cFW&VZ^!;;H0JTJX`Aospn=_jb>g^rx3Clej+BOI=8v0Vr}2X?8s7nT23W8U!cTjKKcwJ6BO^3Q8H&{S-!ax?_{sNC1_$!^uqH{b3kY*1RPCbX=cp@jwYEPa%5gYP$03QA)0GK zGgZD(MPj451m^6fmCX=2gmrpI&i?>9wZLWUlKC_%f1KxR`vysMb067Z(>2> zuJw!{%02d1uB`=s`hX#SddG0r$hX`%SwpGazNkrVwg>bd`m}jiWD&b__Hlh4f~Py` z(0^@S$n3O4^JGEdKQ?bi%E?G1{aZMn91wv7n`+>>QT#sEzCPU>nXC58hPQ32={v>*;rdr>*q2fyNO^SXMiF<^6_Dr>ngKhg)E4-Hj?e{jdVe5G zJnkq40XA+~W??>XERdg!*@Cdht3-f0M{wFoA{)9Hgy!a`u72QuIYdyJNhWYQ)k|>f zw|@L0)bbN*jqoz)(A#~L&vJ{vNB&ANeNi5fO_ro6Jy43rQh-v-f%c0mdnH;QZn|+4 z8X~`Bb_x#t^h7~Y50(_4EbCh5tKz}T?)vhb3tG`&E86s~RyywG&YeqA_TZ}c$%{-6 z#-aESH(x!*;~pz{C~8ewL5-NfZFhM1?C#%Gmybj+?jc=l7Fr)>X_#qO^B6HiORnIy-L? 
zc9g6s2QV2ArFLzaSA#9tOzc8mLMd&o=)lD6Q*JLT4%)(*4%fqzZ)qpeoox@=BQWm1rB6kZ_$`0!sc z@Fjz*&w0`G+<{~a2{ij*{#-E8Qq+hXg{4PoOU~K9%x}Z1QV{}_;^j8odBhvt7*pn~-9d{7< zH58sjP9uAYT)(@(v$@A9KH!}}-1gfjn-bQJ{31-Nh%ux9#%STJ_f83C)Utw~ZzzVo zLiv;)VFoNg`4f(4wHQM|N=&&_TzqW*bH%P3-+g-UNJY9u83#eZ2$VO5DI}9%ywJUs zeSNh(ED$T-33Hhm7A@V?HLjLj%h2Z1SkxEINXD>| zWoL)k{;!TNt>&b(P6{(+0d@QVv658(5}eNXEMv+B+$waTlm7rOCgX_W=_(mJtUQg@ zYxHx@r939eTIP^**KSAYJ3Bky;uqqTvnk4XKa7}Ag!`{Ijksc+OI1%y^BCN7^y;8) zTtS>_9e##GfXV2VsB6VgxST0hqxWD8#1gfBd|OtPm43j?g|Oytv_pwjc9j*9=9!!! zzbQDPuh_(2sfh;y$5Y@d4_h_AKn%l5v#VhKYb`;T9h+w^>}?B*fFZba0M+~wtZ347 ze#t?eyL4Q$hYERjVAx%%)|TkR;yuO^O}^cN__gF|y`m<_#&EOTVeM}@SgsAipzDUt z_p>{?l@FcrPjjO0%3QfgHuOc+19udx!`2=11P4W4A<(h8Yn;~G0W!fT8i@#qE-M&H zKZ24KJX@o%bF97a@ysn|Inx5xfs<7-XtC8L3kD!*Zs+%n0seCm!PXHb7T)Bzh9PUA z%ec#~jXG)m%;{I_Y&oT8`J- zoTo`^yeaaQR)ikTtjn#yHji0aLU&-B2LhVR!$le_yW%VrMs;yA+6!+u7=}AU=%I+$ z7HH^51QYx6-_AAO2^XB&rbkV~OQ0*;f!&80#IS=WQ%wlKbZpMBE1F;uF_5?#vsc7{Ryx%lkj{c+NW$JVo)Kh6kx>1NWR`tDwBRoYE} z&=oMo#`aZQwcC3JNZoM*44)cnMhju{19GrZv|GmDI`YPSFJ`DV_7M*H_K2>d?R1B~ z7uU74o$o%`FP^n$YD20YBpep#34e%?vK@QHAE2jny9)W7_zEmUBRCL$gRVaoYkK43 z5`XpGOdR?mc2|W3Vn`~r;a+Q?HHV;IP`U!$p}|<^xW9kibN# z2kRpKPc<1IEP_*_OvxDCYYGkZu*k*exQ7Hn$w+|$X-+yI6d6WJyQg#eLkBk$kdE}tQ|>kW6>op)lFjSS=pa^fn%@G z(fVISYCnAa{1Yx+VL-BbNIhYyj1TiL?v16&Vdp5nP-oANKvZE^v?# zcGF-k!Ts&_$uJmIVBwsXSr4I-wD2Zn7aMw zFIb3~EhWFkoi|}AQxIO8? zK@MTS+m=B=exO0Qph1HdFDN#(kKYTrM=Ii;Xav*R@4>+-D(OLiquNUQiJBtj5;ydc z538QsLfiu94wfFc4_+Fpcd6}pek_08P5qzpLG{u!vCCwEc=DbpBDF$-D<&!(5{Z-x zA`_(o1Q@^7mr#R=Tj=LUN5uBVo=~^J7nhN++S`E*#|qw(*|c#3d9qB((i6iksrLPA zv$XSE_%2Nj%$6F`+_Pz=3XmRL3$?18*~?!}!%vJd(93A$=m$_i#tud*S^$AmvDlTO z7yZVYwJIkRN4)j41?4iRE5GAG3YYdc+1Hgw67ou9sZIl`2+N$e4!zlwHOH#CRYux>$nun`Xu6=T$o4TwTo9{UcUd0cZE*&)78zOv)01{bxeN2ZGUF=Z7SktsAv57Cp7)6;DWpOCUTHZCK(Pu@cS! 
z88=QiE8VHhW|jUz3sLy#Z{0)*RIWICEGwrux}-w15@=5U3-1x{ivWiCA;_C++bd({6rxk-@jp1pnRd2yEc- z0l%3L82CRjTk5^oyOdMH3xLG4-ZAf@F>qsd8dGs_YYuN~2Fa@YuvnJSIzijBZhq+-t%tFeM3a%EA z2OZ<6ruL=udA#a0mde!Z4r?Rf9345_tjhKtVpvAlX&yjvIzwamWy(v$iz+Os`4NE&N(xWr>76yifc*p z@;t*G3oyMIldb#XRlgi{GFff#z+swyy#)2y+beFk*BN2s((Yc-#@WhM6b;&!ymfQH z6cz+W{;5bn^)#{pp=pAutF{SuiJDpGvV(t#HinQtKkp(0xi+9tvMRHbMuN5)~C zLcjk$)*TCy#~F6^9Kg;{5uRqY=lLaKc0VN>Ki#j~c##L22vqhq5qraeL=+h7^8e=^ zzAv4G8$K22N*E4pEkgVx)@+<+!+1zy_;EW_qlOq7;3`jv5E@K?6h+rIcIanMtlDdY z^;c2gONds1iqiOxq6iUUuh&cIF=1;Ju4Shp*)U7DUV}$rvd7q}JC58EDl6|!CQ=au z%nEa`4mEt8zFu@s3~OcoPy#_|rR2BFsl?G`%z_oO&q&iNAulg0IQcL z{0YelsTryGN@n}q>fl`ao2Der{QwQy$9TQIkKrq5t%Y0A3D(NfQJ{{Vy>lt($q}R> zb40PR&WUy$SrrG(o@{>G_Ks8=7V8q7qr84P`5HOupXXdjdXx}MLA!Cu9mmH$wR1>O zhhM41HC03s)rJW9n$*xCzY+8ih9d2SK_vD4n*f>{wCN-Yz0Q(EWE!4EhAqOLmM1y( zZ3ez6nOp>%>~*~ur}SX8Em#6LP~DLZ_gXuFb%ojmTYdF{-z~V~=SaP^B$NB2$2Fbl z^iwNc)L`?wV{xVC53eSu?z*gB}H!shBdPEm^Be0qN~9IfxgNJc_epVGT@S{Sclz6B*>9I2l2( zGnvE!ES^McBUoTd9{eUDI~ckiUBs_vsdcT>(^nj3tlCDzzr=wQ=Wu=G9 z@37gg$eIy5+qe>mt|u8}Jl<6=p_=%fLj#-w*sB2crwC)x7UIX>5+3&@xy#$3!j+UA zGxQ|guPZs+5TtNuS^c2f-=Mhs4W}>q#~=@bY%ppo=*?No=9@j6iH-q=kDu|@kDuQZ z0#GOi9rQTsU1g*8J*HN^rk;RjwwSrhnFI@ ze`7&tlGvg1U`xJT+FqdG=q5~WXWaeWyYXpou%GWkcn1%7u;8JIGiBIXa-4}=kp*}L z1dBe1pS%Q6H%x=jx#YSjtzy}Iq9Z%>2xHNnT-tlFSgr>KU+~bt|ISHv4MgD&dDH%! z0s@)pYyF?_`@TH`DQ@_7Tk9@&+(lV^*BuG+r;#hxyv=nhPUViq!0)vPTl*oNjll3?o=djTY>3*j757S4YJ z?il~UJdZo@5rjC0+CnhE02JJqjCy)#UhL`+KLQ1ObLF)7tu4p;MuWcK1HoApHiXK< zLts1pMLvd9X3PSFLAT5D4|R`EDEEZr**6h-&*;qm+icw3IEOXgC6w zKdt>JY7gS|B-?m`FbuHZESO>@&OH1QVEKcQkPEdn-op$0om@*6ZkR}~w~~IZh8G>; z!dO0|PH)tg#4c++W=dHX*n?(s2x+;!#}w#JgKjrkUB0Oanf~&Av%Jq+wN?@#vLO0p zHnZC9bCacpKCdeU3TbtodeCA=3@`Ovz8Kt%Zq$u z@fG!<$9#*4X8ni*?r)%auPG*#MEkp# z1b;(}kd0}m=g9(uR3PfhMT&w#1f5TZ(J(pjFLq*i=O;+fzxgRu>c@!^K&fp^Lm8~t zX`o_JdC`XgHQdxu%X>M;1JCc6;iQqvM(oCH%;PQ#cP?!LWn{$(R$-m7_k?! 
zsPfZDQ`?q1n5ulfRv#J}U;QDLA@0H%0mye#?(dWjJMR?+Q?;sub3z?Gj*+_*gbgk$V0&!b( zm96IxhnWS%&D&2AoK0^rgRRY=%477%jb8b@LB6-XPo|DsO`g&{@Ky1B+>T?0!W@O$GZtmpIkw{qiyweE_Rn~9L8r{fil8f4d2l`55cBRtqb z4RrV2`jl{@0OPI7hc<+B;|kMTYme8tc?DwZE*0%t_Nhd1KgObj~P#Q(9EZD++EKzsT8kG-U$m>+uD-ZO&1D}C0; z{IFe#<|i$=E=lsRQjYF=yNI*+nkxd}pib*wtGwf6ri}kodhXF7cb3?1-!DCg=$o-j zBr)lvt17?DjW-1qV?EAUD!a1#cIGTSzrqUe_DB_y@K4apj0|Z1T5_N-Vg$F+tJk&xUS^Ic?R=)$GY1(M zukzq-2b9!#`J!z?t^LwjG^+g)P)!S{#0B%`-FnIUNX1(zm_O1@qAKeq%F+p@%!z!o znmPiA`qUF`!940}B$K5_fOsK7x6M$$?yf&a!TCD9>2MV*nklP*l- z@+d;YI50(pN?CkEkTQEhLX=vox;W2jgWMdX0MvY*a|jAZV3@vptZ1?Im|qu($quqo!7FuhQvHh2XQ*BQiS_v?rbBlVKm%MS z`~biI7z06NVTA(2tZ|QrQjMbJJ7qcw~UH?%WoY3o;}2r%qy|<;r60F>cX1;W>^MP@MD%XB1@8#mv%$HksSMz#mnFi*fPpTSJk`YOvB+G>^3pT$36n9+-?aXvtT zgB_KBRrvn)@2$s*Y=r1DOE+)v%2?zb>x7=m=eH? z*q|NE!Aq)~lI^D4L~MC|R?#Als+QOG_38QPc~pJ({2fGr?OgWYu3br%U1@A#8N7Ld zv{}pqcs-iGigL{Ayu6TpHA1o*XGr^;T7U|e^a4%?Wsa)F!2Mh&dQ9Yxz^P%IuYlvx z!iF;6(Y83T{yHL`x#?x_$%49n91*^}St7KLP^3}$7VEsKWnD+Y&EV(th#PP|gDSjb zwUFBkGsaPC@Y^{CmRvx>hg=bewZh&Azu~8<&U2=rrh?9MDnl5e%TaA_D-`Q) z7{*^VEUn3p0ojoJ4;xq&S!_vlZ;eV*fZ4|ZU9-K&C5>AJ{#i%lQrs*O+^MzhgvF{y zPZf2L4P$gOf5Gf}a_MZpT>GdIyQGA-sS2~%LNCQMO^~MkY|e@LuOiAwWj?7&B@w94 zYA`NzX?k4pI}`&}2FB(Fpqf}nn)#8yxbuAvWjwv^eEnf*1b_hE3&99N5M!$q8_fMp z4b!lC-BAk_!fQkzleFhHP6+$}hXoF*xJjn(PTA%K>k=J3l#p`}r(O%LKyElO7M7^N+lg7p>p zw8rClJCDQ$^=Gy{?5IHN^w4Uzz`ri%C0q)0kKaQ2Qe z!5T^h!TtN|qD-q2-ukd>?35W@xo9W^x-Q~mM36__Jp)K(G&JqZpj<^(&WNQ}R%M_( z^+WGII|#vGXdU?k4nhq*EYX2$)F9&KpVylqV3v09CnBWrUf(|ZUzZnCM>GhXDH#O} zv5EKcDd(j4WqSG>9Q1<5pudaa$CaA&e)@24{qS%G_lc2@4~qOj$y9d#>r6-+o6E6N z1=MBc-s`zlMx(F_4AK5;|KlFIdNQ-4r-<+nDfzB^sE%DN)yJ2_?y7RjlwoNrd9XYf zcEAXCigjNW<+nB&#?^5Zf;<7O0qnyB??TEY$`{F=JTET~*kd`_x_0?t5*+CT z&wI-DWsCwl*laeb4*EjHEH!3g+Smj3sc)1U%?98BQJu75-ZK5WNN}`00!%{8DLpTb<4zx*duA*7A6t3 zE~LK(soJNA!dZas5Su`HCl2|q#tkjS=7WP5XhXt=Dd>B$ljJRl4RhFVw~%5{8C|;C zrh?f1zlA|GWdpE5LZ_RQ)7p5|2QxcB+i}XP%T&UGDcZnxq3uq-ui?3^TUjjTVD%1I ze{(0%6MNg;+>-ktlM1*(S 
z_S2f6o(n>Sk(s;nZqKm-`>i6CA|5Kwe)g{8<#Wk>k+dn6SmUb7=5j?w+!zD#`m1qy zxpblu#jS!e3F7>``{8KA7xU`u8UeZk9cU<_;RpE?0NLr>$oXjV^`jfq9rHD$T--YG^Sa;3y9aO{97n%QUeUoU6-q%Uu9Z)EY~qstWTV`7lwxlncraHW=6r)W96K(}*__xH<%O-Qcx=CvI@Y|UXy3@kM0=J0-51;{Lf28cLNu!& z?*y}JG)|GnYPZ*p!G_=zsLhc!Z`ns%xGd&gdHZylHDARFJA#uSwDAEa|~ie zf;i^rhV6PMrK2v6?I{XJ(89h70yf37?ptpxUg{bXR$Q0`Q5)=hM)#=O~CaP8?)C8mVB zUQ9`(e%;fOKt9WYs|eHCR(ygyT3V*=1g?Zaa#k?SAklMesTSG~5ls9Dv&HGJf%+yp z38#h*gCUY4<}Xx2T(-mL6n=|@Jqn(K5p;k)k|Ag9bkxU4A|*7?GzO>1JlntQ8~%Vn z&js6b$g{Zw11$ICa1q4tJ~U;m#e>XNTn{xyU5_s|csoU(_Qu6EG$4tPWmJ3qL@u(w z5jaUOxp*Q;WvR+ku#yQ3!y9ihczv-Y)KfME_>7RGPoh8A%}NtRZR?!{CGVk zs*>#iO9iG1L2@1H+c2jwU+OexmMniD*~;qjW$?ykGrhZk=SyP4Y& zv2^0TYjei0ANQ_PiJvdZPA&zFXF`}Z9OuZ$erhO!Nq@3Rf3IIZnz!bY|5btaql~rQ ztZuq9c4JTkP*Rs();@5Awvo_hzPWfYe&nM3a#u^XQH7Uq+#|(37|fBC$*EFq{9RzP zO`Lei)o}LXw5wi((34&?;2=4?QhLg8;O&4;+StFh0}=ZnQ4{5%zv1JcWh!wh;H6EK z^1UGwrZ_!+RTs6Fz!(}yA9V;n%8;rSDF;T8Ae<6WPmM%GA&&S$u>w3e`Cl*xIE zVd^`YI&`#TM_W__%pWQJL94f!mTM^uoU2%mWBm@o&d@K9?M%}pk+eK&gv>;_fk7hfv7!y>|Y((7Ee+pB@GnqV@le2-bNGSTRk-Gip7_tE1i z=}$+UmMSd(+gGC9xb9e6=%@(E%CLxC_0F}lQa)Bm9_0N;orIo=bh6+U?+ttuZNI!- zL{d)L@45LAcc}O>^@87t3UJ(%@(Ee(604PdZnt_;L`C^e!3x^L?#mP(N^(ux4om8H zYadAl59Y7eMtYmsshL)7J)|x6_1Z>qdEGW;QIu(!N37a+P$OFbyjy{gFzJUf0B7iQ=P(tF26l zfsLHBmEF8on$2E$FDYv=A#0Ku_+dr2F;B{lN~@>89fnUcLrfWPH=-V}!H&#`6)lY4 zOG&Pr9FWMxVD4wIjnCXWg)Im`I&s|r=5l%xQD45wjs?bO-StWBW?>x&$Z~s}JzDHm zabJ_Qzs%uo@9OVM4Brr~ZZia`)@^PuuOBz4H>lCAoK7wT-febraA==Jux(<)v}^Ek zG!zDM%p4ldMg-C!O(0JWO2|vc*qTqhlPT0&MDC?fB3+0)lB%o5YD)i!9-w|j%9MtDsK#}xl)PerK`0T8CWTB8%cxfSAXg>La#N< z{4B-I*S45PvphV$N)(F74?A|RllNRoWzs}KmXLyEfEWlFHLIssSt`kE2%Mg`&RlTDVlxjhX51oI70$gPNw@A_#26o z*nCs-Aeu@?i^rDR=))ZtMGl{(5ugZ+w5ijuWh=J;@DMS&2Rd&7H5T33kyqW(Zzry1 zDeCOD{m|=nK4Ivx@%xag(_pZ55AW;Xz)$x=RLm1R8wT=kfT2;LDhO>9H_DK}!^Dz} z4AMX`BdrhxYo#*!p*CiF6Eks}JInxM^i%_KX91oYr`$zE(w9Sxp;3qX?|VjWFU~8* zW6F;7-IrE3j9S%uMk~&VpiTB{{yLa_50z;F@tNaiK8+{c*wxc<+s%s(buTyk7l~4N z%e6m$y!JZHC#Z8SdZfg&#jQncY&xQ9iBcrfoa#vo(xtf{$SUn#UO6zOE~WdDHaK)7 
zC8W1t?$36n8bvY(MhBWnLbFc38sGJ{jFaYxdMLQNmec9a85{&J3HhHno2jMI?9@bv z7bHcv6>g?vYI)s9z5lvuAKlVzx+R!wUsLY3YBWen>Wwu$oLV$k&{j$qc?4H}hu>C3 zA(WgEGR(pI)ls!dnV0e#919 zSs;i(Vs8l;_!bf2KP^*YwuZG1t0UI@lEb$53>rkm=BNk4#Qp%Y!qhM&XSPephiWIE z1|4`aD2$vWPi=^D3?a2=L|CDyL;O=HbUnOBb{#m@3>WD4f0pqmedRY9GUfYVpn$Db zd-{r|EZ$tITBi+<&Dg<;^CBI<{k_N0R*G9xmPzd_RX@RAd1m{HfkNze{c_fxRTKR( zUurRag6kF-7bQs{6U66Ewa7+l@)ys)YsfH@6({YV%D|*h(ftC=v_et}%vf_ug z4&h?2YxfE%635mee5@eit%Xq4UbSxPYf-$JtO;{Z+ttNVK^>&|LmQ&0lMG1H49_FC zM~N2Pmxb4DRhtoG$^xg+X`g^;z8+SPg;_m-j>R97nzn>Ny`RgvM|9)yEcS9L)?%Ml z;BtcP5EPzINxD-z4sKpZ$?dWX?9K z%`VWC$6E6I8z=Xp_X^`2_e zLWSmj!~j=8_cr*|Ap=lHA0U(8Rrj(O3BA<}wNal6hE5of^!8B%3XfI6#c@iSi$@8; z6j@Q91^*kP74ocJM z1ZU-aRjY?-#8nWnAPKWV=b?RudVbRBVilDm!%#9_=UK+!T+Wbu=zo8F6-*B#Co?$t zP*ot45%Go+6H-1oAs41sD1h=__~5xDCX@|#QJX^E#XF2-?_c?L*@%rPiWs0p z*MOB?vZcFCpKZs=R7~L6V`Jl{$^6~>iuLXx-TfFOVA)lt+!v{RyvdFe==Gq}it*v6 zPySy0q_W~*e`Fp-O`i5g{8iR58&`^+V;|X~R(&{;V`a%)=Zeg-C+kz6=5@5jVPyK( z`nhQxH}}!{N0~_P>+9iSq4#Tjmb#X|ynJuF`dQW2@Vf0EZe}?- zACx^GFy9IlMd-C4^!7}CQpB-OoyM_?1w;_aCdhNZDYHM+lH0vfQ6~rei!7@+{f-l+ zQ#-nJ2)2)Cf=JJrlipE^ZVrHdVyzg%Q|q{TJ6ZFzmg%yJw1QV<+r>gI@LvGMMdLOt zty}Ce!$}buOeIt+VhK*RK`$0jva7bkqSLs8g_$&G4Z2v%tK&s0EB}WFK(&ud=9XM5qzI#t9e*5mI!r-K$+Lg`-dSELbnOAxj zSW2-fl-NgDAt0;d#f+O|l#Hx*@XsT#|J9O7El2P%3L;NW-&O(6h5uY?E0v6+^u-DF zDvpDOl&tsp9~54a@*K(a!p0VkRJq#R+3+@Ly1U^*G*Ge>I`r9C;z42>8fnb*)#svK zyXS{ly~RR9bAREn?~d_wJJidOX;%>#E{=?Vq3Mq^ff}c09+bNXaC5j6%TyErc>!%9`g!;tP9IMk zr_d>;|F(=~PBL$~IxpbMX9|<~zGC&(p0+xs+sV7)yWtrB1y_+R4!xkJ=;UjcQ(RMh z5}=~CNW3^3)fnRT^u@U$w^h%LAVH+h)GyM+Md5YOv7v5baf;AfZ;Qwr5nqrp<4@`(H)D77)crXB?SE zV+SV&Yww>5zsW1cen#|X60M(8ITEql9KQv528G15Wvc(*lT#gbkkdJnkTG9x+C4RO* z)#SfIFa?Mo;^f?oh$Xy{*=Y-AA_K{R=DH9jy9Uk6p!GF(CSEsdck@!mbISV;2>KT8 zm-IkB>E_W&z}aJUxnxCmwp7=RDF0+BO~V`$(P#jPL9>Uy%W-#~ObInZEt!y6F3Dp+ zrc7w4HYhOAao0vYMrcD2rx!~8FAijMBF@Dil6MEeh}}3t6-07c8#UYmPaik@&N0l~ z1iMl??k1|%pDCQSeZ_u!Qox`~mL$AcUh4kpXI9~)^d1GbE7m$SR%aZooBxe8=fyVD 
zGcTjx-rRruSvBQ|$DqMVZ$AryWWl2lev&Tww9(1*_Dgi>ao0IavWZWf9jj_RlsCmc z+5@gypR6~nKM;y~Khp-APj?a)W{ui`_&YTskc@}#=37DO3J;YD@bQ0@2f;xo93v?- z%^6&**D3rTt{I75DadcD;Zh@+dUW$ttM`uEy<0@Tt%fALKU5QG*%Y-@uJW~&-&R!; zYw%^GEe5)2PN~0@Tg5R2>Bjv)<>=ArzJu}3LywLWDWHxj#TK4RQn@= z@n+Nel{31yIKi5E=AY^mpAV!W_ocFJ23OpE+w!T-LwPd-`Ia$TQ_9d=IuIex^3@L8 z%@GBPkElWM5315WC5o`z0ArY>ve1R!3dS!Mf&V(TTPPf51E+?6z9s_oj~{UlNZRM% z#U0kl9Mvgg=QbK$UvBHQnyCBHh=;@K_Vprv({fim+6c6h%aUsB#_&l%m15$OcU55+3-sy)#Q*X-)BaeDqOJ`1g+B@crae*a%K-Yw&XE*z&C&6rK~~9} z)!{1&hwqc9W%{0~$~q+7mJ098;m^?*-0gVUS4)wa**t>PY~G|MRZNdo?&D3~Yn4BK zMDwu7D^_iP#6N)Ii6VRFNRePGGGCx*VSc20qvN0~KAg7|@~N#)J3AHJmtb^^mn{Ez z#)o{o%AU^fdYfsOZ8pGrjx)e0cMa%lD+vtZL@jq6t3F^bV2>lZiqml z2$MSggc)?B*)`b(Csr7(KKNIJG7XMRaqG%hqA?b@|8uMw`p8$>{&TTpnJ;;?TBvQ+ zqD|qdb3-QbAg)AswTYYam=0{-h!MGv9~>08wilJ$h~1O9QR!(+@JL3Mp-#kYGf zgD88movffcyY(9+D@TdaP=$Pla6?y<}tEn?XDNf8Ah54iV&71~yO} zqq4gchkVvO){Bwgi65&8CHpg0COI<}^_KtU>m3xp3ZaH`Qh;`X@uZDDf_q7Jp}v=g=G zrmkK~A@Az&kw@7cvf_@;Y5}di>6R{mcNnky-w%A@clMlp_Fnm{XYHM+z$=vfS=^#j)a0M>cQ3<_ zl#Ib2TJqRG`T<1^$Lo>#trn1w(NyO{*~ZiySGEzs+Fk*yyPrC1S%~K&$hf*6Ma;BZ zY}MAyx0!s%8r{uzuUw+S=;4>KlUHv%|FC6gd6B)9m!isRJ(B z%cDaO=dUoU6pS2f++l628PSWGN{GF(;B;UM`FPr!UfXfxc+0ZB6( z9y9Kxo@LV={PUTf5oC$xB#w2d_VNNLT?Owtt%{2}iehm0YG>%Llloe$T^!saYe~BV z7WM)QZ$Q<*xOmjZKbFEG5c-SEy?vC1`kvmUIHp{sw+z0&Aq>8DJ&Fe+vm}3z_DFA$ zVDIVvB{1xQY|Q?p87J)n_I>}T^~2y7f<8aznrtUuvY(wtoV$awr_o1A?}z+}_b11@ zO9WDxwlS|;F}ifUJSIq&B;#`i}=4eWf%u%OoxuZ=5zuZ4x5u7 z$G-o~HUckeotw)ET@l{fAiOZe-6Y$&5l*cEorTgtqG8|Qz*@rJj>6nQnR9?d`&tKH zu~DWbm^H%|3ubJn5Q6y|b9!}WG717QBAP_hr`x$4RN4o%_UN zdgm|-yH}^E;+A#sTE$PZ$N9ChdKvGqYnG|beO{{npgynLXw%o#j12_0V4Ga{d~#VP zWMT7hBPxxHR_+YIb&E%$MCTA{$O~dMX$>vrD54tnSgM$bNSg@KVfcf?k-M#8xRp=J zo`L!DVWTTot0vZu%k_IPdU#sObyddHh5UJllz;kB_wUzzk=9ks3evzK^XUP5Z5(_(7Oz2FqnY~HkU z>ists9#y<`r_Y3EfrHu2?)*(EGAm!=u)Q5I8c*vFT#Po7ztNOh^Ns|)4N3_5*!Z$w z1SrZv&`w`dA}uyz&n)q;97RXwOLINOa#?EqsYZPibt~h)-rR*krYA_Rcx317-GOMP zD1k(Of=M+8D57XojsmivaWb;nnib2M3Q*G(C@{YV!dXj4Z!z~#yCw5U91QDsu7<1e)WWIB49p 
zt*!WtQ!IbhZ1`!o<1<6u#rnc8p0Z-*4y6kD%lnE$JyU6ZoQ>RWXpv<(S6ksr#@14K zLh@=THy=Nz>Szo?-Jtr8DV_M1M9v<=#m7!f2Fav9_Isy>c(YrDSQ3gjpW($))66@# z#LYpcF?lVSm6SYVT7-D$Sf*~G)Vucspo71bez5rPC#)OuUNKRyRbPrM5>k#HjKj>v(%J;p%b4H>>#qhbg69_YLJu&##AR>BUtFN)mMHtQSXhgeL-#+uBmy1ux-E2x^BTry`jQXierCPT1nGH`X ze6SuSlMwcF9irFd&8a_I2%+u8u(m>-mlo1ujb{>RL;n5EgRl`MKzBwWSswAPM?2n& zW1?XTNk(nu=59a|KUKc6y_+zmFe8-1G7Bh)1^&WbCK7WLa6d*y!>0Iy8vNcy!EP=_ z3?av-eu!WPj)R%fd?-jG?d9G2<#ZvWIV ziH2(@iX~d*hVRNcw5_JrEf%~sT5M6v1zr_!sE8=pA00z5Eg5mR zk;z?o-2jOPb0MUW6x53>`z^+U=>8lRNW@zf73X73vfkUq`?x2;&4i(w2dF79ZKo`bYjQ|&6Mv_E>kBoaQgB+Kp|fC`J=wUq z;Riphix6IrC8|IgOc+_)fohn$@Q)n^jUkhVJ(^A3S0{8FX;MMf&r!(X8@iq%OUxvzJdm&H)nbiHCAvU{n z*-@jnl|Pxu)+5}NYM$AV8j=h*tDo!o#+>RO5Le=8Yt!Rk+o*OHF-t)DCznXm-7(BP za&`LlP3*;0rk)nth;RhP5*!G{kX7yJaqSq!@Qj1hRgmNv<*KtXq778ZgIV$3^?uTO z*#D@?l9?u1%{^o7%3$*@aw;Z8TkXkyC2>`TWe(tZQkq$^>&DlmdqTnv-!PS|2ePj}G?gDYzZ0H3{*IR}PpK+h>#6WIYgHW~ zfV9*C))N#Qn{&9^CO8p1G4%KH6^pcf({d*|V=^iDHJTloG3~Dgb*H~Mr!8ph<<{EN zJzI?6X&&0#D^nSWeLoOdx6{2?e9qhqED0l6>}T!97>jYpsEN(tog?jq>beS4r%gJ`*XGIx+ohcC!nE-m=BME`R5k8Nm5m zv%y=da6zcV`J$qK(Nz7wnARLP}a zO%~te0qtMxVDxy9?Ahcs8jbGc_ej4x9M`))TJmrP^v&4EdJmNLEz2aj4>n&mI*0HG z|LWc$FZp0y!*VCaisj*(@3f)PC|dMloxM`0C_PA^y5FbPcCj?8;b+Ztjl(b>@d?U4 zU4$sgF)TO1u77rVwnSo;Dfg|&?T~R2IDPHZy1aLHwy%4OP+QEaq`7{drzgzq@7)v) zmibjHGsL*%7UJCSMm_GEWQ$wa)%cOIUdzYm4k->2x_&iEl)mW+KkBVdYU%;yHRI8_ z26c_TFA_Q)%Md5rWc*(}prlJ3&YpjCw*#iTtny7ESvqFCVDh_?gk6P>ldf@#*@e40 zhVD;+uCA6QdWzR%$H08Krzaf*IZHJfvELDbeL5tQVaHJ3NjdIgh{5!t*P(>#qD(c# zrPRw^xU@LXAiO1>%Vmah-lDZ->CIC=Q>><*PczN*{q*{fPYCg$Y$W-jjKX*l#0etG zof0v?lhoOWwBOy7?kMo`HhHT6rTd``){PhD=EHv-^b(f8E;{&e?)xccU%%btUB5Pl zUdGnG1|y$#?P=JZ5|ZhX;me_N@u!A+ac`~bEXV(R zzM$Iv!e>{S@_(%{Aj&&uU-9djFD!vpI~y*XMUy`}3$_B$dXP=?#Px62EkE_@VE0 z1>$MX+!idmr`IrphW0Cau10Zi2bo6qO%V7IeUJgEbQ8X#4}y+9g2r3RqmtfQw%I~C z6JH-7Q^L0 z3L?;w;6w8E0#pY*7KQ)yld{+~WUdxETnU3wA}Ut>fQzbp&o2?0(iT?dR3!7ZZ~6p) z1M}pXOu#w~^{4Xcy3O^vX((G}1U^3n+|4>!{3{&riD5PAx9+nMWP4Rnf%==UKR;j@ 
z>@E%Mp4_G8Zk1eu+I}37w0LusAg7HciM=;dgO5>ysg@M)u3>5FS)~I$EJ|1~Jf$t? z$90ai&9qCfwH!<93vW>1k&+zbC{~CYaj;e?HTeD2WA9s(ZXh>wBng(QI-}Xz_?8r& z5h;|u%D2|LGF9nxDzq%idC4(GBE!nGqn_)gE_slf9mx%ST>SdU(TQs<__&~lwbunY z@3XRyHFWbBy4@Y6(VJa08HkMSj4u2RU`)BxKAc%GLQ?Xt2*uTTD88E*;}s4|OQd=) z-=0YN-rssGmVVK9<0ap-PrdFUuk_`;_Ltm=Z04Xl0*}{cF8;pA)@oYDbUa6cPNwQMs$vWqlZuq3<4 zRG;YsoMIQbL#AKs4=tPQY1D-4W)bH;Yrg1;PU`F_F4uL(7qGH7&WNL;JI`+3Q0MlC zU=~M$V#JgS;U8K~J;YBfXWFn8t-eo)ijh4@cy|qI-{!;~8ao-UL6OB8pvN-SPNYQZ zP)-WPeS(+sjsQ|kCSV;*^ZDf;{>Gde_2;`uY{ge{d~n}n-BZ&_Pq#_@sybOl6(vR0 zZoc;IgiO1!SW~3R$Y5>(mIb|Tkqpim;gXXK2xEDI%odQIfsA&Q$qkDrb7}C8uRy(< zoT4q6@;_fgo{AtE6?E!S=MZe~=N7VwAktELFh75VcJ;_x8m*#QJ1K{cLWV)_EQ7GS zI9f7S5Jfpk=TpM_H=gby8O)+=En^08^mD7eXHK-m;j?%CH<{WWO^1B^nYCG+1NKk7 zjL!k@Y)AnC@4Fw$%z+?;b<^i@!_t{M6RZ$*JWA%Cm@1rSqSw)P{@S=q4C6)UZ4;kp zlph6$ZzlTfm6lwl59}9Uf`t2r z(Ma!}2#i8*knFSY2W$uW4nh7Elb?^|5ss#a27#*M5l03>FoIGqU#YnMTR(1oD>weh(s>-9?_hDW3+>$VKJ4NtW-wW z=b9<^S0+`){Q1jv1%ANF3VLHy!`v&tQ2@NM?#7p#6Y0kHCc9&_xEpl1n?ry4J(sQ~ zj>AVCO5an74xuM1MySBpefPNVm1Wr-N99v1pD*4G0ZTeoy1Pn9=)bMZEoL0tQg3@M z-^r?AXj+Or`>j1}mNB)vPQPq>&^&mt8=h(g0(KBR*@U(=62pa#D8b~Tap3^}T75Y^ zwqeA$XqcEIpuH+of@cWfOScnacGWo!A_jZq1ma(`oxB66N^oye2#K7){!_;p6DsnMA@C3C#Q!Un-^W!&&SVY6oQmiR0i1_)F^&EX^jz>N|19|Fe*i>v4oX; z(K~er&~9T{c<`Gh!L2|*V)-0fcFWos0N}jX# z+3m&6zKHLt+w&9DD%FpLW8^c3PeLX4Ue_`7pA%&6A z(`QIQs5jkj{9*dOE%cSu@Pz17-?06e6;r@z#t+jP$INfuubOK|@-^3`4!n z95CWBw1DMYVt3l;CTbH_ILJtf6}YX{&gCMlDRvWf@##pNZ^(^8)P)9}dglMqsY; z$ODM!{6g*v!Yh|>xdH+_V?ecX&Z-lmXd$)=H6yM>lDLFko`lAPLz(dk)?-1S%Owe19cMAaL9TltmEk1iM#JeyrYk_vh0Rz+XaEK~Hf+6@9&q zHZJTp;7jVo&BjSO?I2ntSS?JppE78ZP0Hc%MqzA5tHy&JFLZhCY<1o}du`6o=iA|r z2ySGXkMG-3D69ry=KOgux7d>@bi^==f-$*{qGQz+f*dV+U!h#QWQ(-0j(WvFuGj-E zRM;brRADMTDNbCyQXVv+pt%i^;RMoNbX zIh;8oygzbI3i}6I17CN6ZNI#^iaryTRy>{PHVq|nwvOi#pLDgVMGz+6$4TzL?kmj& zuvcK)UOdUYDfHP1{Xx(mq^rcOhWmBcIAOMmyzff=vP-Q@QI%t)(@=FvYjrT4x zn{ikv%<&gm(S`oyoJePKZ%W71zZkk{7?hnr!oSuTjFFWc_`H0o?E?t;DZGM@+{U#* 
z`b?M2rJS6YXvz3~ChjY6^4j~tfdf4GebDvX<&@f<>X!ea5W|PaqeO&&cJo~YAJW`I zAm|^^#ZHm^?^Vw=T3x%AW@-7Q7M})J~{3PM<1E>Xu5qVUidw(^~-30 zhK5@Vo^eWJ`U$~&Wvo4@<>?=Q##C3T1;>DS`FW)eGFk%#+RaA}GYlA)8c@HOY>%Nx))Y-EVCJE&Fw6}O3YKiI$hUc~wxy86?VMLIw-CkD>4(pGbR~iG(y}Xv z#(?&s9Ik3VO0%Dn(Bn`W(tz0)w%|v~E++4~bc1%YO9Ow5&f z>Ae{Z!;1@KpV1WJ#^tG+ErFCis;GY80MJY2rotY2+~&w2GIJ%^(du-a{p4`FQXR#_ z;_kF$N_;<)005P0wX0j&L6TUfF(H#fzaq~)H!?^UE9`=+e_}5pp?SbfOD+li!3R)1 z4o7>M&ajKy=kOq{XQs`$a*PxV+RA$QsoI=028kEw3ldqgiF58 zmgAXII2|Od&|4ucTTfR`cLleEvQjjdWE(pdiOKcPi*Pl!K7^rf3Li$~+O(8Jo(eU? z$~qLCyx8p;-kTBPXhkB@0BMq5$gud9~jWQS@JRq+ORf z_)jXMK9O8-oOop~=2*_9G19UEZL;nQ{e!{%czJr|3bA9K%Nu>4Xkt1cy*^Xs0|~)n z-5M0K3UpXg#tc`!9i)+^jSrz_vcZy^1WEHph!>7E%6}F2!kQ5bnV&ySd13k7|BvxfopE-j9%osYxCA`)FVePqk;`9Tt)=Fb#)mnf|Ib2bTi{0jr1-ckJY> zR<$tmygKu{&4mR=yDZtGHT%6w@0L{@55&^k`J-C?(+qC)8?IonquzN_o04=%eeyGY zSHnv6o7LIERA*3jN3yeVE76Ootv~7vEEx?E{0@|Sx;h!M*+-2l^7#@>#mgcdjb9km zLXf9H8c|H`QjKA2^r%s=bRZz4Z0egh=;?z-v1n<2uyu5q+3MP`I9YLYIA`}I6{A}A zt#556(%2o9z0dTBR4>slONlrWb!p1WDo^AP?6`n&ir$5|2X?W+BegLMh%qJLV+bL; zytaBFz?UJ1Q5H+~_P(kjroA{6SRmV9doUzSV$6>IDByE$oou6%CP^p|;|J?${*a7* zT{0t9B7UDNAkv)j_2z6^Df{Z$h-GV8BmUCd&Gc=t*U}pQ9h-8Gu zGpSm8EmaSwL9-Jl9-0l`?h4e83#9lIUWiw!{7h@Y#d&`TfD))psM1_|8hE^?$G$@_vwyBA-}Fi#b#YvBny&`>qYBE5+=cy1OSrLvADT=X+5to?QIHw03&;Kz54mQay~ zmf>SafcTz0Y*rJt5t@D94sru^iUA7#I=GU?wXj8&rfza;vFDX!`IXt|6%RhYEaf%VDDjI$elilRK+aN z8u|O8!&a!|Hl~%mDBQb7lr~--m8J?X)^z?IEeL%~SzIH5#vIGc;73y$(iHz=FzP}~ zmZs(k9b#w)(!tGSMm&4C|G3L0qSDcrpk(;xU+0@QsdvV+g*8Tg^qO&kVHg$mh(r}` zJy~=^S#mh%Mx!|JShVFSB%Klf4ka9oJ)91bEi{tHijYVu&@nR|9>;N4@#F}lBqDG) zFdoHu6r}?*SxI4PBN8%sNbsrGRYJ{uest@$Xs(2S)_TLD znCq&xh{L;X8Grs(gk|6PiZI&G<}EA`Cp(~HI8hO}cZEoBsYRtiL0VnO{vpsnHx0O$ zSK;p#Wj(7-zyidJ5Sf`Lgx1r`gWU~tRA_@XgMtQ;w=9_P0gp>!YA;oRtIrGq9mqmEnrc}J@>0@SrS?(nYqZIwU--z+`la8V^R@1@?gq``m^&7J zt0Iw0;k)@&EPi{h5j zq^wH`=3G@0;;nypr5ob?c!^$I@hDCW;Ss1zjXFVi6vo4FUhWRanqjpX)I@iH_vvQ_nI&l7B&&P^;i zK;?)JLRG-o24+TUuyBmyBoffG=Ws1qd7OQ!EkUdJ6 zquw1E1>o1fV&{MlFn|lik^*^Uh+?yw7ZptyC#WP25X%pbjGmR 
z!ecyrZydSpxuz?U%r&%A6WV?l-o%@lwqz^ZtC6ZKdS5(c+Z}B{RrdXzA^G&cK_>1+ z*?r6F(OFI3=z(=uW9f8H*AUk%881pcfPDhZ3+KA$IG98TaQ zhGMQ@N{RKg@zOSLY2pHSm(pW*Qo3$gxL=5&Z#(-M600GBiV(|Mei2XTy=JA=Z!Z&H znlcwO$gsK+LT>ftLdw#21b@fV`N;fBhF@`!SmBUf)xo=2hbPuF6a4dp4dSRCd*%NW zny$71g?fh`sELLp4R+x(t;U|}Jq7>bCIXkBc`+%M;FR)Cl98zS$>Yj1g1Iqu) zI8z?Ja(4wEO#+(#>^X+E|C=TK6&0jz9!6R8Cea=JCP z=Xt$5I!4{J!%-?G`U70~F|r!3{38<6B^-OCq1OD>1!^PUL~UUk5r}X~LRl^^_-3OS zs(#2XjyLb7x}pdmGDUp#Xdy)1aea;^QCkR^F5wp9D={%BJi>OGRmW)P$&{hyMp6a8 zqH8SbzKWCr@=_EF^L?UoRI>6LjSP$~XO*!MOUyy}F2Ktj zl#JU5GV)`)iVbw)hjb*}cu+fx+mbz-AC{BSBLF8cs0OQ*m5h>$1hL|+$*!zLP5@LG%f-V>aO!o_Q z%t^-#8fBopJGst>TSe?m8I}Ahj#0k7pP3^BcBs)K)FUQpcRH_@BsBxp_74f zBWy3GP1EZ$mT!UAuP=5WK6zBRXU2vln8iCc@&<(8x*z z6nQ8#Fi8JTc>n{g$po+$N@T31jj!^uNc@9ANkM`%jcPn1B`U%TPi-DWD&EbCivP`G z6WCsMX=AJv7NifK#b**wNQAA_=TyP+wO9koej4-Ys^H!YS4~#l>G`5$s`bsYEMVH^ zSe5$i5j~~=C>5h6Qedh~PHo932p{g0PCHOb37Kk4B)`Nn#`h&rYa=qtZYOavnJRsd zDG_u8G<%}w36}gnBhwlo3Ntca++Z>EZG|X=iwl~@n6nHe#A<%Sb<<{v|#c8ygf0z5oY)RgXla>s>pLzhh--9yDzuY_f zYI=}m2LrbvQdLhiNLnt#b(jy@5a!1EzvF~3qG1)W;Yo-Tl~&0X&1qQ&D4JDjKCVpq z(`_s0&tj+!JNDUv37q>J@Jq7Ew?~df$GOHjB6P{O@l~Owfv=0a-`!bre#1-VGxz%D zb%~az1C@O9EDApY5w+o-5R3`vtr`*T^R9oN%ZnB>RBRusGY^iXooLWlS>{>v!{fX? 
z&g+S?Zd~@zB6Iez*wrrBxf}oNu1mCkx6J_D-A zZ!XDfpX%*U2X@(wq!b1r0h#72JG8a8gxj>a6&bANtgdM@)@9cO8uuLPJ#zZ1 zN~)-FM6d{IG-D{4vMQB>%0r!$H8|Xv7H~>-{?4Ib(*ao2vSy=U_+G;oj$gX-%A2~Z zSVU00DLtFpBsy$MN?+iA*;M%YcV%L-*XXMozf_xy(|2{Mm|x!@)e{L6pfi=0pi0Po z>rcbSYN-}DuVe+3#I((^!gGILyeU7Luy4DqzLUdy0*o4}H*u6>!>9g1GDK+F3=C#^ z)7DX%5~NK^Ryct7|C>}Xkg|Tw221a~#5?$;&NcM%8WV3A^YSk?@^d|W^5--*?>4<^ zmXg##<-~`lQ|P->O>NUoJ#zsB@_}a#4{P)hNKxV;N2oF{{3VGA(SPo;FARzI73BQ+faqzA)hxSk$T2E zxy}fjRjSdWLK^75FKXU8Rl*=cuXH-=n9FBle)QDm8|y{{6y+woE#(ay5x7N~I;8=P zC$goqaH+N&B8MIq5V)4ELhR(V)3fIw5BT;E)y!KH0r#qxw%4!!P=x?{R@X7b+`iAJ zPDS8|M9@=M>2^PCBH02_@d?8a)gyeT81R}W#smx*?c zmS+Q(*pl6JGB4DxWuPyg-{z}RS7De_HUkG2o_IY^IC}ilY)z@|L_OwJxr#7M zIM^~_Laanm2Junn{IYsl>oJNmefOy zI{$0H#H&==Yi0khP~OY zJ6Ez~-8`*xtlQYw<(+lEuuy6C6M`|IZbFv2*Mgq@i-Wf*)q3xDN=BCKvzbEgZ{ZKs zR_SAtF^Qh?lfDWUY@U^&RJoRwRKe=zaFJ`o0TBMJP#5qLxIWA7n|wd|3{CQ(?AR<|BRn%QS0L=Oi>m&kWTa3oK!mY42Yn{V$i zn}tq_!w1+{I3mZU!*Q@a78+b>IROw@U&OJFk3}vvIAQ}d{@3icFQB@e_=KDYmm zf}B5f>(^_V_miO}!M@9JkF>~UE*{1WRSPFRsAZ!m7bvlF`;>300=`)I_pJZ3Zz9jr zz_Wh%_9?~p^VY0zlfaJ<*?d2OLa73k@X<>%3o!mzv%!1! 
zJ}w7dl5?){(O%b+mMya?lX+IBff<~;z>+bqoaQmP*%cv+?x((3u{=b1FZd+;$Qob5ZA{S+T%JM`?5||r63c#GNT{(3ANSr%_eKD zDM8)eJY&bHm}*?UJi$5-l=u80hwdp&MB%2WOX~JG=G4!xttL)$o~ii|JlLVBY5(Tu zvJxfoE!FaJeZQ=N;`}>C-%&QvhqG?`N5^t;699@L@bX%GW zFshpx0TbV>l&IX8YlR;UJXOxXA2TE{KXNHn9i(cL448H0EA8Nn%ZR3@Y8OuXTPEihfu*nRohpI9N2%Ft8q7rp zmoh{Fm(T|?8|8ugZh)&KyQW37)lSk2Iub@JNEfzu^2o(jsSltZ%pw1T{(AEfwZ;da_s_!$aI# zP^f4Gr^=K;oVqqyu*}a5DtyHMeXyw%F6@I*O^SAMMF`O ze9L#<4PM^r5-l_Wh$?kuNvjza^lBOJd28S`6_4bD-afVjMt&rFVho1<%hrV;`ryR) zi8%&Y9T}6mo9D&nE=Jo5LVOH;4eraf%xYf6?9q};VLD5`t$KlvDGFBr9ss#Kl{}B+ z7Y!PxpNW2e7|*@&G$D=5*e}1@dzA`u%y1i=8y|dE%nPQP|9qF(E`7~dF`f>CrqzS* z8i=;fl!VwyvDc*L>Xn|pQTFAb_}%PWs-EO_dXPz1*QfdZ*%%B-0zG}*gCtj*$qpl5 ztP>{K<+5)OW<#ETWsFwErwqZK+YCyMg55AHDH3nNILOHAwA_~uBKRMSZAzvu4~DYP zb~O^hzcb>6diT41+7!^hS+|*qKgd6?imf;X+ospqQ8s3zU1f*C-h(Y4aJ`sB&Ac&U zK2F^{bqb(&h$A;@7D|v{Pi?;n9%Z^}BK6JpZ_q8g-&VKs{pNTO;rs0CEeRkk04{ua zAYiP?wtT;gWs#G9Uk-lDCLV52+NYXN@tGYX)CCZ>=ik&n<#IkIGgfoaLpfS**LRjDL(j;jmWu3^2?3OXO?4gsF6K`VZD ziQXeJ{60ny*@yZcn2piXl4t=SFm)ZotpX1f9j(Muiyg^uYl^&JD1Z5;yPr^uJEyoi-;<(a{BB&3oDF~ zA{fnpx8+|1$}Lp#AaH;^@ZvEWA9CyDnw>OBL5Enw;Q+oKF3S#tG-LX=o;qh ztGQ4!E(jfsyR5%W>t%^zVZ(x6hbr;V%U)=k>K}$q!^d1MqJ%NCu(-T1Gxf`8RzbXv zlyR<^F&Zr>RVC=fIiJS+OOJ*s;*cK0foY&>%AO5_0&L`iM|Re0l9cV>euEt$&Sf7H z_R*u0PpCP*H8Qj#L9yr60%->-v4dT2WgF_B7xI6^gYA3l74ouueYJ_!B-p&V{A={O zsDCMw#t!p`=mTB}5rexco_v}0Aur!6zYpGI=GYP{d(-W#qBQMnp%R)O;-zDiX^nL{ z+2;;SCSN{^N$Z%(3v;dFj~pe$4^*wh6DD~Vzowfij3JY_NEyWMD=}1s-%oHKqP_sK{c7L)>JlwXFaQQdg zG-24k$VE0KyTI}1YPn4zd2N;7jUU7I9=(>c?i&OL6Jsn(-i-|-V=TCDTjt3j^_1ygz8hnBV5#N)>UfQBton=+QZ4SOvO*JWNT2)d%~QGjM`iWO zh;U_W(gDISg@%i^F$M>{p&PcrtFvzdK*B}8>*A|Lp~C#Lb1&B!)&z)fDt)q>uR6J9}mh^Z$2v4piwS>y@!tfeeqz?Cm2*oNrRA8V9nw;%U8oy>gzS7$0u z)P#ayiIT~yb%Z0N-B>u5L_zptm48O(R}#re4iW&pxNYutBfs}<0zK$(j>M~MI(N+%gXBi}TJ1DgHeOC9(IVxi%VH`M);8Ha_7^2~1>`H--`S}; zR!K_y?!Tc*{Gx_8apY@B-<#=QAkav>E`Iw#oiAJZ{aa5bb)+i5#7tVnxclBO2ExCm zn)!rIA2Cc9L1FEfH@F2;COzvus9L9^iW|cB=LZ(2PRzxx)?$A8{Q5m~UdZ6n-;m|8 
z8b>DTIDa}6b!Sw2a(MUq$kA~y%Khi^ERf{z%^lkqmp*Uf`tMDT)}6C&Q@)nrh6`l( zYXqJ^^_8Fp$)H#I(hlpb^X#YpddleiSwn<&NA@Eal1eT5(T|=H#_i%_yww3}yskB+ zgFT7%=eWKewbqVtTfB$vIxkc_0~my_WT?7{g&m{jv7P%q-3CqKBstftszb+P63YDd){PeTr?w0V6P4Z=&=Kj=Rigu#gM67;&*0CV$u;58F0g7oT82iY~L(b{60 zs*%nglmoxTJqwRvAc$+#S{~tqnepH5$!yTfmlL8R9F=Z#kfK6#$0DKn+jNCu5K98Kzc7KPzc-j zr3^*&2!Xm^jrw*HM&!c6dt$(2@8UuzaG_B%@SzV@S2+;Y2kQi3%AYB@m0v$t45FbP zAH0e0J2u)V(a#?k&E81WDTSRx@Z!cQq=9K&HGC@A_rwcm!mcC3i}OVu!i_rYB<7|w z^8oxDzuc*T%_2C=qK|w873ef7nA0);R+EzcR+dKOEi#J(x#%GF$G_*kk$01k8x(89 z+C_)N3bbK@=*b5d$C^K=3Hx1tS)%EhAUYro%+O2nx3Aq5<#tKeW0{}u$9?~F3kgxC zgdxd63{eLD*0C3;F|fBfguO1r*tL=8@50s=rwp@I!gT@!^)u2`^P!rf56NY|elGUk z@pt5lF&K+wc+?MVw*eIhaIjN2vxH5K4t+fpEj=ImWb6;|v5b+@e5L3G6 z$nExiVWhNsVAVWF)DV~2YE_rWY0X>kQ7Dz%I^zuqn6d2b&JE3$4N>R5=`?QZ1!m{(zOJhoP8R*50YbHsq#Kxs^f%IO496QEL zTIyCE`h-^zzMy*B3#8)cACY#jYT%nrm;t50cfO2zh=8dI1%&}QDD6e~#&MEa^u?-& za}Y-QP$zA?gAN*&&gie^5mcN6z2myp1OQJmu5vRRP zI^Z?qZ8)z1u$gq8$lt@2M@%#T-IzVE(7{@sI!A)6oq!{D_2gs-aZkntrL=aRtlshg>JYU;bv`w<)p5c*PlhlERPq5AEvTKOQ+W?|%2?8$xOc z6__HHZfc96f%AS~-3@Z&2>`D!vqE%@C{K~sHmu>Pc6q8A$p(&Ki67II#DTHYm~sh^ zn>|`arF~om8v&|<^C{#6mK=CjliXbmyn(6KRD=J-R_uHtL3~w!u1O~Hz+9B2DFGf6 zT94u-a;5HH3#+^IRPAfl*Hfr$gg5Zrw0LWXC6m&NaeqQy#MmzoZeDg z)yfgaQk|TMQ7~GJQ`0W1(==uK)r2#fo~!5=fKmi3Q|ey`pn;tE7;H;)@*8? 
zZJ$-?n3Z0b= zn(5rDKFb*0wdzQRW2cyk;av&tYyH9(gON=_gYWIZA?}M{(~Z6~87Zy4=A13Wxynd` z=9`nXf9@ub7Q!5+oAROQKPOvUX%jjQcO#&u?>C;-u55>J8!c%Nv&~mR(i!sTvP=4R zs8M6baAcCy)!F5S!<`rLX7D0lENQ>RXIr^F-R-qjd z5BkIO-Yhv4kOkb^&`iO+Ldl1RRLqoSI^CRRT7*?>eyzY6d~w)>!Oj4Uxf@|`8Q!Bi z`^qTgU#2yfe!BW~@WQM%rL{CMnC`5jo!aPHhWBQ=wXe&76;=eb^SGI(U7W8qK6AhI zsvL*>wCHw7=xaP=rt!DGHgp_(f3>{-Qh^4^cEEwkd*0Y)&Hcr%rbbi4NyO*RNieOv5U_I3>fULO=s&F25qQnn0ZSfHLT@H+Fw)6MWK>ff-M9s&I*AtU6 zS~p~_IIjGL`k+9xsL{4}e!0Af1iul+KV!^jS!Hs;_kSB-c1QO z_`<^OS%HBz_u!O~Ovw@=-9WJB9og<&0`ruw=0AHVPY1+tR~cXWfv82W@sfqz4I{2V z!H9o(#*uAgWC{LIjDa2?0FK-taSrk$RS(*ewwnJ``l#2+qvz)lr_Zfwr~M{Ie)sdz z|55eUaZ!F>*RYC$AR*l#NOyNgOE*I!-61Khbc%GhbT>nHcXxLTIrP8-c>nmm@4v(F zx%RovIeV|Q_BvYNlta=fvuo9YO=k5X4lLt% zZQT!$^;nltE$57$d?^wKHP_u4`g4rgLCM0&|LQ~kZYz5cVku^+o#OB)i3V(8bf-pJ!&X|NAfM6_@Iy4*$8 zdfJ~%hSCy|oq1uc*EQ;P9YgcgPx|$k!}*Z~JC?Y2x6Bn|s`KsNRDQM={(N1rM)g5S zp-8w~!j1P*^PNkj;;;7*hFmWm8l{~j5CTKoyDZKa3{`cmtdzs5mckXYN4WP5BP!dX zUQ#)wMWmd+%y+p_XW>Wi(NbgcNeZ@7P{C-Ib!4{skuD%l+A_zsqG_JMWN&r@>d}JR zPd^@m=zdyNLjz9TbI)rRz&s|AmO?7}HO9;!+vqg8%c3fxM-}3V5y0{`Gml{=F+RF$ zj#2UE{)ZdS-6gxVNobS%qER!!UUQ>!RQGLrBDj6MtHDTj`etnvv`T?EID8PA2@c!t zwgtlZ<->jErGoiR()UxwFXIcW8k$0h`uarJx+VsvYPMcJoP-?>ZE2;w1TSDTBj2ka zFaMRIvRp#>A!2<{cx!R3?L*}vPdu*{j@xD+XbV4aq{C16{JvrSVJ{xn?J{aaJ!TU$ zVSyrlOntk2KHF|y!go>RRG!z>-&S>?0FPiud`W>-d1ArSx&5m z-W-0E-6Q$3G<90pZq%YP2!jK^IXcAleZK-o1*4D%6$N@GU;&e>|Q^3 z_sW#dDk6U5vU6GJQTT-o)m2(cj+<~BMppLC(?|tppDu1}IGK6k=w=P?d_YR>zz6E| zBi0!l)&MnCL_^wJlJqEa+C65XNGaH6iAWN0@J)tI_W>Nk)_*I>-$Yltbutc6<5%q8 z5{EerD)s*c$4<~zILLpcRJ=_L+)O7x0U7fEtXAS;l&3r`{VE)86j|5=&l z3=T->BcxJ7+}hdepb{m7mkF_-jH}T)5l+#m*8K1nCYw?vo zdeM^k$0#PnowDqPOO@M2@5^GIVt&+xIzX1dNOnC;9^h8eQa-h6Ht|ZhD_p7Sn^UzF z4_M7g#y+rP;nOVdPS#;vAbGV$eDc?zhniV&8wZr80ga1aes>)v>IfIcMpCD#=S2At_=JR9>0ypJr2AH!2*12l)pg>!RI^HLsv z1EcNm@$WD%gUB>V|GqkDq8TvC@w}bzJI`7;=(ssGhW!ua7vo*WeqVQNPO+#pUC@ZV z0gL4AKqVUWj@Yj{T=GjRjMERQKxyqZ%~O>0YGfsMeJ=r!rz{-FuuRV^#&e2A;!To} zXG@yS!Nzl0H`G@N968-`1GOHq#Fr=%y%pdV&S$l$SUnB|^7L^Fcq=uioDxGFe?i}j 
zd(IVnR-3ZgUpnzwKBB!f^LLvz$v}D@c+&?|cOtSILBE}|{>i^RRFq@l0%CD4oDpKS zq~%n@{mSCuX$$5NA5q=q67)@fWo0Su0V6R+F}0=7edBh#$D%BqW|BiTu4`=x4>&}S zrzl7|lILP%9f<^@Znb-LIu}L9>N5EJSjcW_Ytp9!IL9*8vxc_g6Sc1QK^uIr4M915 zPRxEpM)2t@-D7VgC37Y!?lAPRvL;uw9NLpoK{9+4t38-uNTO=qk5f!8Eek|3oz zE1%BK`qOgBHui0D3f{zal2I+R5F<1a@E!r7GqY7_CiSse;P5NnTzBbEy5wNG*5pQT z;F%6N!Ng^KTn{DkX7@WGky4HbWc6n3=^_jgJAXpE5c}4N=AFSa^ zx^RU;*ae^Vy~PDh2uH(c3vUH%tPvF7)JZCy9|UyrT_5Qa-=R}8@92o9ScStOk)z9~ zZgoeaOIU*pjSXj2Ev z`78(-4Lv60U;E4oWJU9YE46of)toN~+dyWE|T zPHVvJyR90Q6V`)WWHvZ)(HjI7J*FYqr2iskDb6M}&mp?pgxuuzWtud-Nl#pmmIa!IB^$C_T0JjozvJvrMfN;m)WT*RXsqc>@x=k4Th)piy#uXZZWBc$)f z^G298ZUPFaPT%y+d^c~~x5QCu6P|vZ9XR^6xL>HkXVjkLVED24gr1pkm8X!h1Wa@? z@>|FJbnYqM$RKKKlkNL6VXFj?D;|glQIC zX&&(erdfqmL>N%(m7;c778JoxSCb$nt*~5!3P(4q!B>@pwaa6Ize;zscJiqwI zg42x^w<_jT>LJ12PEP88PfD{$S0an$?)XfQQMZ5LNfW{>Rz&pEVSCBHql$F7r)!(> z2@kUqaKiIljRmM_N9S=XSO&m~QVf<=wv3HYIvg^YA%~1kzSXbs`>pl7Avx&mdnulB!yTsf+3{6@M&?rw+oT?i zTjH_H^z%d7FPa8ZWuf4_Fu7 z=h23qzS$W4&T{2HcoJsa_$iBqE1GQ=TTp!rd^*lit;a_58nZz=TU z8X24++-0)JIsuB|U(WR~7=r@uiueeUy|v~_BA48- zGvyPO)&DKszvw90B`K(w34A3Oj_7m~X2Ru@CkCR0FVxQ%o%sB`aAxrj-8)h`wpYwJ>!qV5Zg$54_xx5W3E(6uimXbi>6+|B*LKwbXuaW_ypF48x;2XYlFqMT z$fOVT8DeO|_{WA|^^7%Qu@s~k)56d{{`f>e#g_h{>S^x~%|m{y8WNIi^L=nRe<047 z=YG6rlbgti;52%l+8mu=0S$c+IYb$wqDN1=OE}B$4<(#wI0@&^zC`5A3HLrvz_u{56+8ShbnTrVKKa?yprk)2 z>-zT`sN-%I!p;$?@_JpOZ9_u~7SpC;3?x*KoPJ6?NlmF7kfB~AytCh{l)(#F^-i`J zi2E-r3H6Z2u=H_syZ(h0t?3(YoAm&Mt#g(WV>Wj=Ddsy~?4LB#8neh-9e0iVi|MeY z$E&DbbR=WsF_A(8ENO19vG2b?%}^gTF+#gAdPJ_p(8h?rvCPhnxKd4zjM zqC9`ybsXfg^)l-f%IqK-bXs_~YqI!X!mtgo_W(v0h_xkUJ-~(M_=uIJ8vexFs zEx46UWG4yKDuMedE?hSy+V!&# zbNQ$+_49^ZBq3A(ELABAKdPQ5j=pV5(MLrkqV%rmPb3YhM_jR9bd)^sP2!h06W^Bv z15+6=wPTi1r6Dv8^DQIV+-U}e!54w^OiHXp3ET(^Z$)1@(VkreZolvahA)$-dy3b0 z?6Hf_N3bucJY1x2|1gw2(}$RVgRmPs5OoPis_XD(l` zYd^am{Ymqjjx8ZhZw#83WC?~izY+Fqe#K%@QC{sRK_M+?ks}TQKWqdZ1($~~^Y#Y7 zJqlkH!3;PbUVzwV)AX{@NfQenhQ5DAfg2_J_*k43mwsX)XciQ5ZMBgpj^^3AM44y- 
zi}-i&&vMgx^X%+=?UWBf7R_w@p`-{fOB%dLg(=kvfa6p1!eO_qNr1@kmroki z{V@6M1s7d1IiGbNAOmP~gUK!he$_t?tZ%lG(q~C}nOfF31*TvGAybpum#A_<$y$VG zqcF}BL*8TT%X!NU54W8Uw_~YyB@f`65)Ygm&xZ2{QsnFAd)BL1SjgwQ*uaO9l8~gx z1M>L$WdOalb0dD99k+vj60YDvETO`0tiF$^a(;0X^!h~WOdrX_r6S4NcKh_<4TN6O zO`paWM>p0#_@8qxd1D?+7oKBJG~rU$mPCy;`=znCcOCAUNXv_~^R664!D5l~&twRE0T6R+?3)ksYJYe*I;;=% zjPlnR-ubbe`RFQNSRI=0e6Vr4%iJa(3jfRh?Yt|}Dj1$~$UT#Y^dudPk2LEz@Q!M- z|Cj`wEO?lTth_ZDMBTN)@v^h&8bp3~10vTM$-19*_NEMR>Zo=c&Jy=*?u8c3ItEYwF4?NmA25GfO#R1mn%_~Apy${X<1V)6ckL6x zVreKQzo@s44akyk-1rwr+@jcFHsTsfB zC(VyGSC#g{2pTZAhP>GP4&@WyVRwG0OzZx{aft#ww6!++iQ_qE;P*{_xoWR34+XDAWF(00_Pjjj%Sc+p$G1*2UW?z+hue{$EQ!X~7CX!_zBfa(_Yg;(c zF1lO-^-sm!I;)h9*!gQ{3G#P1IyYmU!>%_*_TU%OZryXNwCjxp=*;gmq}yd^6F z8vpWtoyllE6aPqq>tI6Ex*4n0pv5kfi7QGKh>MjdGSbc|t8_@1_~ZXd^Jvx#>fvF( zM3!i|+H*3=VH@(@;E6VJCc0yUTF_j^hCxmBE1l&O0c$_Wx>%&GJK9CgkR3II3`U`8 zdTt0P#2pN7<@N3?Y6hw1o#rhh(Yq@AYNT?y-LpaL*S&NhG;l7dw=r?^Vlz<}lk2E2 z(NnGq#f=Cb5V=yv08Z&XrIM7jY&kR~h54 zxoy#8cv<(L%+7b+0J~PkEwAT_rj2o&+;q|u2~%!gGym=L2^ZOkv@aP#T3|^oq=OTu zDmiHf3@mugd0LdA|b z`P-*p|2{ZS^MA<{Tv#Hq(FH&SF5=Wp`3GtiFY4~E2WYy!>7V(eI7rIm&C0_ZGF9f+ zz%C#-N;)V`tuCQY9AoapnxKhn^>kGY0rYi=o%FO9Gc@#=Ip z4~!5g4if$=E*C%%9NiN&;6o^h4e(7uL!WVJ`O5e*_LNdzv~IxXPR2KK%l{-v*!Z^P zBd7Uwd$AMK0hz38TK752sm<}02*14ZHB4zR!K8IH(GEJV!lwBo$=e0@Y?7bSxdkdA zR^+}?lJVeb1~p!5&-?4~#7#~(QPgz_M?D9qoZxf=P^(`O$b<&_83W2(I<-Y4$}JWJ z>|`h;R(Vj^pttgcn?rYg>_tn`*qXBz&eLXN7H;R{&MJL@VcL907LE z`H!jV4Rw&_@TEmF$DY+-dp^zG=J>NR*$o>$t=`w)&;>r}=aJI}DZDkvM{!1$@qw#g z(tPK<1p|`XfHg9CiQ0~j){hOCkS_gE`XfTFKy8vvXF536yti6=+1!iDD^Q-^zhqxl>7De4E2&~=K2&(OXQq5$9oOa{LEN>^ z;Gj7r{Ch(<^`m{R;h1dbPHpkX?c4_PsJp65SqLX` zWR8a^87qQq^^%+k*5YJl{KrYRcW|ED6lM zjZX}L8EzHhhZp0BPwSUpaja-m9a*Bgz!X7}^v4_8C>jl5Gle^MsopO*iK2x3`i}-s zs$-ehvO*_(gMXp{i>s7x6@PFP5CPPYZpenl9Gy7K{6~aKna6#+?-ryeFU<5Qjt4=Y zh{ch=%mw7g>Mr&hTyCat`}|s7K{Z>SeU+HdCPYRri9CXOp5uNgibhPno*lFL^+PZwdM1-Viw)nF@~Xj288IZ(r&N# zVTI}1J4ghl`e9E$STWGFYEr(WEQ0jTXfl9Z7VMV9Q@S>cMZ-hB;R$Qubw_0$Q@!Ry 
zlJ8#V2RHE)h56&++zu0(fOvz*Ib53PoT+W2|l*ci4aAF%lWH{=J!w zV(TolM%y`Sj&RduKb~>KA~%J|c10pi?8ftaTrT6a9k&%_u6F*Z{G?dZ*b1U?4OnD1 zUNjk5eExjvZ>2w9NuK&P>-pE%0w#wPC)=2U$Q1tg`C6Yz$J8*yKk(9GIU;OyWLCNE z=*B&XOXVfsdJKR2nXFp7KN2>&GqZpTm)JnHIUilqMAXzTBWy(hCYfxRp>rI=mOIjy z==E_d(h_N&iF(s3*Q$wv$LoGOfyR(vOi@}BJPsxribeErmiuG9je0Xl*0$QW)U2Ea| zK)jIw%Xl`O_hi~L5wskoqaJJy5W=I*?e4=5C5ZPccL7$#kVMz-WRUZc@>SG%pY@U) zXvK-sVe_g7^{I#Q=99fXfdZL?5tS>?-Lm7&;G+#)t)|)&ZJMwf0Nv$eFyQlA9=wqM z0_Fr>y!2bk)ZhTNkq>iU=mE;PYk{-8PTUqDI{(4xQjIGITUL+9TWR-889fH8Zauaw zK(ZFCB}wO@Fnc#CB_Du$<5L@f^3k~)@^$2m;Cpc0kYE#gFJo`2PEu9g#j>o+>qe&9 z3?Q`HUeg=dP&F$M=W)!8Nd)dQW%j^{Tu`~e{|c(EsMf*qN(kfT(wJ!`(W#C=+8-P* zn4_fTr3Row-h>EQdj59PhES?+T4=jzNMM5m#>GEk%A*A+XV^BjX_ICgL!v3pI6`gt z3d(-3Z@D;kp;P03Ke=ZZcVA={h_hwQQZZtdi zLC}t$Bu;4@p_~@vvGmbB3dX z?uwkIzo^`v_lMqhhnv^U2~m1h+k{-qbo)+v^r~c@B?!wi>3dlCjed5$H+DDmU@ZD-> z{lm3hM_n?`iptRfVBE$s@VH&dtQ&X7;jWL~_Y^fTts^<)Q|CGF|6+3aT_dub0~o)g z^vZsQLH(9BwwtNDKjPKvdPBGvgXs#6U3nK-fI6E~XXHyro$J473dVkyv24%XZ-ny4 zzyBO(dNMe@J?D_{c_o>VWSF<*j}t*???1TDtrOa-bCk?Ty&R2azW1f`7hILoaleA_ zca;E5QQu?zWq|yn1-1?vC5kv~U6rJjib4>*Q+!8;Bvo&W;05W|j1eD>7l_}YMP58{kn#fF>;}$t-z6VP zscCDM{rVx@qG~r>io6-~VKH%SsY=60GCS_- zzu6tp=gaN2K=oIzRC89}jh|Dubyg6Z7f)R`{c zZ!$#i%nR;!35REM;wogZhxihO$r=*VuB?b9f|WKzKE8+R6b_GLQWmj#@ZofQ8OWVt zaD{Bi)`8-{?6Zd8)36=nxnMah7Ib|f1pqhfxj22?$B({=Ab#wzze@z`n9-}q8V8NL z*rDwg(e6x=^6zjWEndAIdKGzY!4H$vY7+4;l%W+u*|8i-M`-wVEgw`=E9sF#T;yv3 zqH+ec?rrU;(TQfHP_NF^wQp!6U zGHcN5xLJ0eQWVX`w4_6KqJ}A;h|)jmPBwfj_hD;E2cJ4dg>kTYF*FC!K_LmD^DC!^ zyo=1l(mT%Xh__8|Di#hju#eF*O|72$(l>CAo$+>n!3=;Q$w9L)qL9iC8M+KbKE^LY z)i7Sw@E2j8a@ty7=w4P_h2Kk70aSAApPLPFi7*^K_v2;<2dz7c7Kc``e`PJkat@Ro z7;cUlXCq0223))=-QF05<(U*43mNez1p7Vbh*=$c>>HPg2c%w|*k{-Yn+ zD6XA;mh!)Pf7{&!p9JB`g={zb#7rH_^!zD@1N#21sa>Ob9co>I4d>N!>e;B(qjp@VDT~lgc=UOM z3{h$3kiV^Qds&H6)$gE<0p6|HZNmR*NCFM! 
zlm>n8M)I21rtPF#uJz_)^G;h0M(yOc-?TZME{nHy@@Y2eUq3m$4+rsHYNf%6c9D&A~o#jcMPM-0HE2dtmdA z)93SA+iqCbxs}E@bB;4Oc>Jb6pgEcbSG&~97i7YsY&2?eEPtx~rH8}Td_8nqf8NcL z;=C}_J_4^YJh;=`RPW02c_L@4Mz*45DsxpfzE`_`3WR$kHEKh9{%yH`u=Nkwe)~n` zEWF!Iw5v=vglfDcwZkwTmNFVGT%oC_PYF)#ol9|SpEBj*WfAj$-wS?Y|57<~d|<}L z({91>RLKrrwMMbK`VJ?JGb(e!1|*Wv0L)8Q)xLc73G z%%8NISeg7L4Xe(@sOoM~jENtiooJD*SB>*HuphQz_zm69ce@0LHm8TvDWtf2k@u{h| zuM>AVY)`96%T^k4-%QVabaKD@MXiPx0@Oj;PD3bumlki#25osTs${c7E+2hC5S;;u zk%Vt;4QV*mS}K=itaQXf`121e*q6NO@yy}vrRkva3T`Lpm^DK&&gcQa8r~NPBO65b zoCWfWt3)zszQ+8;Y5ubIG=+mJhKjcenFrLKvtZr(re&*~mMHV2HmCi*FEK8)Qv|EG zi}%3`iN~3WhIX|Lcc9x{YMi+JTf^v3DKn$5(4z(?W9^2fctLjqTVT`HgRn z;jp^52=sfXL%PcT)jRa!-z^@EfEGE&t}nCH=wF)ygu)AhB!mqkf{2Iy_N-A&euxUx zj<4nd|30yZ|i;LuJLoW(LJ{P$rF7 z2qQnCin;H@pCN8PXZ{aXrit(y1ICB3vs0fH^*0(eo942|QZOwOV9=SB7O>b@EBo!- zO`Zr>MYbmj`iadPo7$gWgZe%3`y+n_!~Bw--?{nO!;c=$_CI!AUxvPaG!sGsWPH`r z5%y3Hv{1Mae3+FTC%%;2zP%&YC>!5m+<^br^)x=C?cuD)u?0uS z=4iUE;KHMi7n@4dZw&eYEFLCte6*TX0Vos9bzrRB?UU;uKXqIwob(#%*+FB zS|bkX%Mozgh*w+7uqe+&i|nf#HxhG>P>36+*Ky@HOi#JEawL31EopR$+MgWI23^>? 
z&h@x2Mmpff?mxQZ$WLICbFgN9C&e_nX!AHn&*j$NK<~L|Oc74;YB~^<lDb>MwW8HI#+G z1>KQToD+&bMG3|Te3GJ}huc(^UWn&ok~(?Og7$AuF**}cZdYQ}cur7C9u>#_V{(d))U;2Yf}+Y~Qn@riQRqs6yunp-Jgib<%;`ij&}vB| z*WCoeECne3Wk?SIVuNY4;I2-JNg0j%qdB;UHO^r}fF-n*f=1VHI*P^gEbceLbp0th z=l<5?SZ87!Od+U~7`R9fBkc#C2E*QypK<@VRq;F{2U`NYYQ;_-?@+I>AbwK^#L1#U z9YgvY{+6kzymsJoOYv5m)_?LMdezM2otYzR_W{*Yg=#MjIAYoMjl;py5J(M>=jDy- zj3~@^fQnAaVIk8o;JyB-(RA#)P|n-7q{lJ~`<$ArfAtO}wX#1{FSTXsFueCX^Yzf@ zV+6gH@Koq*QV*>r+CTZybX2VysZy`dwQS4Dh2&hMjRXQ_tHJ2Emc!)7RmH={`KTfv)`|kpUr>n@0U%7{25rk5T5GZm^wS+ zWNN<4mI2D>0vHoG|7oBF0i^}sehxPm6{Oj;<#^w_4CS8e`|`OuLs< zkkWUPQP^DzFl-v`U;e#w=&+%pY;e&E?yO{CU5}kL!Si4Ai9uzFdMo1(xzn{8=(WWL ziGSGc8bLSB82rtf#kQ%bDIO#A8q+{&(OZ!FBRcZEHk>2e+8lJ-gwM481D7wCR%-E2PMQ5*l zdn@=?*>Ao{shibPw0)@Sgqm3Rg*mFQqSyP&3+ODp@H%(%!GH&*>uD|or(~1O3ef0x zCr>Jz`$c$@*yWHj@=1cDJ;X&8=MT;IL{)WN_t|)YnK+}L^Y*rrospuvszCy% zleuR_Rkx-O7OqlZlKSrTb!U#5z<{H|okN!@7gG((=N1UbnZCbkj3no0}tteqNF!sa-&Ug^eHHwi|0QWD>Ua(+gCG};GlV|@}n z9kt+n?&*?a11i7({1d%GKI77xiLe41cxvRVNGaj(X^ox2F>UmB6cpp)Xqcc5E6%RH zm&JC5Ok2p;j8ibosDkta>9#*}pxg_#^7hLA9U*fLK^lfd#ma2ji zJpd&=ftrYhQh=X}`b{bO)BZ4A?;Vkx38i+!v%`>Y@2EObs3GiZ?o!j+@LDCO2IW+d zg2LtRg_Y0)M?8B);zY|z$lqU^y^|sw2fqNNc#q)X;ganA$F`RAnbz4;cBb6Jahxc@P1=woJ!pAIxoF!&+?>v>}>(_bF*$ZZ?|4tWLpC?Q{0MOnH zRSCVCdTgyNy9k_yUK0Y3Xx`_OoZ68Fk)+*KZ#n9!2L`5=7~pK{#=L2GtAq0MgHvmp@nwb?SKMrg7I&9Rm{+tB zETOudgh$42)o!j8?S>5&?^wdGk9*bAQ#y7Ya&uU~w3vN5a#Yrj4!6BOljKn~0!JET(|mmDGE=j;_=z@x)|vO;$IC>`J=~fXRl1`Jtk*o%tn(E> z1>UfYyR5GMb1f!}jF8>M;eJVvjt3(d(i&N^ncUDrwZ~f`>Y@s*kN2GyK&?J7;|{M- zeH+;4FNsj`CEeDad(y&0C+;ztWPKke4AG){%`$vag%|Jr;5C9l>r7axlC6a{6K+;Z!%SwfkMW=inQDNalAEd&{Xbq->!g5T9JRARKIi z#|WYzf3%&>8&9p8yM2OVM15H6g(q*m3(VIasid(^-)44Mq#*h5=dTEE6@>HP!BTT! 
z!Wm>9;Q%HH{q4J1m4kD{KgnJH4hNhe>h^PM_RCzF?YO}7$W$DbFa0{InWrorbs5CF z+9r&RdUIZ;U0P=eTRvp**(7Wj4bN2kk3;pCs-#!pnVPK{iqJ=Y`3R9nV$^$*z;h)I zc^8Z%a$>4GhJ-6qxy~UA*T)l8qyk=8|L0?k$cQ1;lKlAiICT_~fLTX1Nj+GD$g%zU zaoumZhI?t9JDAEpq8RUFkn+GNN(n27Wbs!QyS7Aif%#vIPcAAUwXT}6phm|#Gpkvv zU;Crk3tyRi@XDgQ5{Nbeh9mmnv8mVx&fJJ0avL6+K@{4Xg3!toYb3dk_m*Z7J177j zqrn!W!u-Ez;MZfYwIw$%%ytrp{@Ol9!@O~O$i|z!Q11=<-3F0G_VfG=Px<1HFkGM| zih7J0WcDLH+s^pr#O>mGX7a{dR&LQ7RniTkSpuX%mhOm(+9yvctJK$_6w+8-TV$m!N6I)(yq}>YYs`h!9syOs)S_Of zd&pvS`yKj9{)va{%;T;5nKYC04}#%u0v{msj#P8pPE9^2r2;GF?*}b?Kho-_TJ*qm zXBa*|zN+o52GK^7%hL5OcdXIZ`Fq<6d@%s6m7&3DzgSpKalZ&fAG7Ftm;!5_fG=^QU1(9yo89 z7y$4m!_kfwTS2|aZ6~}hNR_%*)%h~Z-b8(=5(l=O+Cb%*Dk_X!CX zC=(e(Q6tBSV^Hzd8llIn3nsmPyu;()ImXCA4Ki0+nTdjQ^YV}6dh?r7F_iboG@iV? zi0}nc*GOyx)quDJM9lnC3w@}G*FGLIe(9m1q#ia;yuw`n&lRU69j<;rDv83b0h2s2 z4S8TdxoV)`d=iCnba4g;)rZ}XiEq@7b66xErT?t?mIKzv{P&X`vX9N7P=P0hA&2)S z98z|zkz{I4(W!~|DBRq%{363c*WRA|i6Z`?t#u^Ky{o(7+)uaDf{9Q2Hwlhq%aHtP zun0LgktDNNOnp~cJMrPtXiRg04XXHZ{1iri+F>|ou=oy)M>}1>J#)Yc6a!pYE|izN zB`CYfH2wUfxrrw50d9b?pXp3t66j@SR&=cI#iSz|SP7jL!#Vhq+k5S^N^SwZsLc{e zWMf};flg^A{Ik<`M;z1^Hd;B6Cydi?UqE!E>38Y-NzKSGAlWmBPKJjOIh;-f8(epT zFQ$!+2y_eF0I8F;NkOx`R@*Y!ALqgxFwdnLTo#Hb)r))CM~2k&_{TKoJq{smC6Hln zuBD^%iKHtkR2Dl|RouI_j$RfDkw$`=c*LJ#tv}E%bD;_>JXr|-9m`E^i@KlRX5r*d z?9XJtdbCu8q6T$o8RiAFB^4WE2BxXjMH80j@!QZNxP|Bn{BL`1%d2C>c(VF!>cf9{ z@+9bnwV@eh(@O2`THUUhU~WP<#n#2tQ`&q^bb80PzScn3a;sh?FO=isGJ!`6QJ;~R zbTTF6GM+CaC~>zD!aod8d0NQ9xTN8v8n$Zwt!Q4$UMyduF;L+z|EMNhfoGH_*8^EH zX8TQQ-R{zqI-$CNI`oGorn4Q0HXmfZOLN~vJH5ub5mpN_cSwnBb24G3O`y4b&Hs3J zY?Mp}MSoTgSx2Xe8d(raiBBqqsp{KbAz92lz@nMmKaAJV|K|h$qp^|b$$Gt|e~R!t zD*pkr`x~AypZ&TMbvyo=5+ka6f_Jn|(vZCtY&25Hw+JAG8Y{chkQgZ%MlW)*xnyIO z86hr5O@vq;W+EDM<5DZrj>Y1aGbsYzsPt_~t))Vy!JTh&%_olb31^1VmoDZ@CX!;z zE^RX#p?P)5Fy63!kXm+jmbj2E$n(ip?l^|52R?6D=nwADG*Ze`%*rAe@5v>G@hTKH z3O-@R6QVuabbwchp5^G=_~_6d(x3MU7*F{F&3Vb=zrkbtv*qN*wKcol^mbvnZAqMC z2c+}3+=w}FB;eld0@$yHqda&6>Jae9eKe7dW5!LAK0ZsIM!&xcrs_gJoNe(r*)`)H 
z99=tIJd|?YpA=#KU3Rogg|w;sic-#huMzJ<9HC5E?jr+r_o=Xr;t%ksscJ>P2lb@~ z7(3&|11TVqB@{||_D0qVXERj98A(hB?>3G_Cf>+2&brr7@*TDToBBLqEiNR}nN62cGsW;p0|a5Zsc!MXTn6PfQQ%^Cifyu89z)NJ7)<+KII9#mk; zU&XL|FpVs?i|c9pWwGXvBI-~9f7*o2UYe4(acR^zMHy6fT}sKxi1H)LDJ6dDz;{X8M3?n28T(?;LfTH@7$3 z#2O1VT@YJzbYh90HgAzUKMlF)^sK-8rLDD%w54VLAn2aeJae3}t(uiwbG&zFet0(v zZ%1ghJcc_ttUoy)8=G_0zIYO5B)L|ZHTJ3Hpaxq=tGI&OYhZ11z6Q0M;m(ni9p+u# zQJ?-Ds`+Ms7x{84CEV8?rcLXWf)t%FIf8wkv3(aIf49=QT9n7 z2bDUl{5a*hZ0&x%-7;}pQN8ZyCn`Z~>Fp|KJ5%jAG~zfdJivv+E_aJiCZ9Ulb!b9x z9^yeO)l{m(=lI6H3jduADi-^8ie-;11u6sD}+nWg| zHkpKGLXaj9G2vdVf(dfnoyB8v^!I$6U(p-_3D{CR<-!4uHTWQxbHPhHA#az*mwDph zr{q-1v}&>A2PZITnvoH-o0V32;5+4`s;?zVk0Th2IAML;k9=6>Etu4`_5=7Mr#5h(omc?yW3t#h~sU}!r=u!e&K}~ z0z;xv)6NXOOki zwcO~EE54VCyYC@}8T5O9j3a_O55LRBH7!8e|Hh8BA~)F^`1f4njBxk_;mYjo$8!Kq1X zsbP5Ousfg%>|==9fN4Xl5b)VwKdl16U1#00rBAZ0(S&?Hs}jx2ruD@*pMZS4vqeMG zpAb`0q!S-pc4f&>OMgKT-p5#av}AjaP7^#QO4D)8U7|!b_;M}oz$NVy=LSrp8#0iS zPR9+!z)hd&+y!zoy0-n6kT>qs;rjl~_VGph{4@nBdGhCJ*3r?j*!|@wyUljqWs(8% z@KhCI!~z9j`RHI`O_7X&at2l3@7h26$6q(KynZR#o@QDr?~9vSkUz0JJe&9jq@{|l zI0o<136XIEbMiOwt-8z0i*YtTvOesrGYYkWK+}Nn?aea)Sc&78@Ro znUZ>Y?COF=lo!7UjQSyU3{HJG);}1AN*7tQ2-3**7-tbSTAUtrSJl=LG^f zcB(HE$a4obCq&k5Rr`UXbT+1V>&wD6;}-2nVQ>#%sI)fY-veMp!~+$=-#xY<8bX3= z;UhlTWc!w)b2q{?6~6wzqQ|Qq%j#7?Z~peG{Mjd~`H``>f%90;?Y*K%@~0fj&d1Zb zQWj>zWdJ9mc2{FyxJzOJD9G`5$vHU)Egg8VQ=rw*L_;wjRCBrg4 zVsN{zT>k&NZGy8#?qS7jg1_bQlP8l4C-WxEa0&3yfeepmEt3S!uX#KvzLq30zjp2a z+4rvE;d(8}t=_ewp=`BZ_*&BguorJ(IsE^q`pU36o1R-*ytunN#ogVDdvP!BuEmNw z6nA%bDHMm|?(Xiz&j#Lye&_GK_grJi%1S1anVb~mv`mzR2R({ov4g3n);~^j<3YYB zK!;iC9Dd1rjkF0}0?I!9;QRaAyt!c+>2H-FmQAV>Ap{i(KmNTP7kEQY1{*8}k+pXO zW86gjgr^bq8ywv~01zo~vbH>jxdX@SO~W_QB}zVQ^+L>6yH|p`6EshD{$M)> z3B&DO+OVu{W~9JUuNUWGd0J@Q6Ki>G z-$}xuiCLARiNf@9hYtA9uhfceb}NgODkyY@l0U0tSak-n`{iGkEr|iv06S+k7UL5= zj6C-;r8Y9V#jk!k6k9~0-*D%qh@f&ADkqi-J;;Rbhk<#ES@6Ea6kV1unlImHXv_w% z1I3(X)1BN>iwB^4znqEVO391O%hw0!+lOeDAJ&m*T4)`3IUf*7#o_JtHqIBUObg@a 
z+AM@+i)8;Ls}T-Q6e!CVWZ_7nc;ic9MzbRH*MOu2E}7UtTLy8zG-eqg#n{Ha3vwi- z0#b%pmzv;qa}0g2cbhV240R7x*7NkS%d@rjB_dWU7yf{SYsoHljL})TSZqfLTQw6# zH7PPVH)KL2yga48`Pgxd7@z0SapyiW*dv$?gC#-UTv*M?Bk}1ga0%wb_d{P;)hlC6 z_*WQH4$~)5?>C%+&PD6`DsNyz>?1ppo^8JsLKWRskkt@8Knd{(Sz#)<_wIR^P3eY= zLzU-UHZj|mV7}x=4Hp5fA?0)1Z7nA<;krULb1p3@a8btC2PijK*fpO`$3sSlFGC04|q#pXvP`E5UsUh7wT^1Fm4ReP*XB``l=`m}65b{}~})mm;f+)?e~m zlK5-N!82ZO;z=7EhTbvsI}Hdiv-!3*wfHr#k@58uPNtyY_sBqLr_y=$IIpJ5xBArm z{T5(<2L-2t=)*AS9Az`4y2UOCt1U=bb&Jeqi?B@QwUvELz*8o@wYYk`GvXvLR^m3Y z#Gp*9dv4R@MOg0X^@kHW8#q!wJ6==soo$LP;q|o%d_4g9c7P`Z0~g^u5W0hqzryDd z%E`3_6KVg9<8(3ztfYNMfY5q>4}TRvo1V4|Kq52_i&oz0db86>dLnK}@qRY(U=ydw z!u(PCpW!m@=g%W&$Om7~NEi$(a(gOfj20GR&5X-awVJeS%?KE~`Op^hxyoTgfi>T* zmMB8o`=jrE!pJBdFu*VVjpnIFLiov7s80zoupw41XPr1g<#=cf9$52TlrT)8c0ZMa zH3>l5zxwUw1sb~CS5!9#qWZ)mwW>6!w`=53kBG~s&3os-3EF7MAAq6XnHj@W`EH4KhaO3 zFvzOF`?+>U$7P)Y$3)A^ByI%JUYat8E0TxM*=UnM(NF#>5JX>}QFdxt@VQGC?e&PS z=MS=H+LdiVY-M}7oorgzwbqCLMR25hPHJ9jMDt{fm@ZuS90p~b3K zLgn5UL#h_iOA8M=&m|nl{&+6ATtr{L*Rr#l3VFr`L@FSgpZxWLmKrr!rU0~nKQsi2 zzb<;IPauQpm;w8_KlCSxb^I`2;)tyNE}VASE_~#7L{eV(nEAVyzX0A>_SKUBR2lf| zVsr-$QN&itDq6XmRv(NRd2N#)pl(+sQK?;b03JNpSbg|&F`-N0Mk1>N30O)4@C@C^ z7~h-6KLigfMF5s00A@_7sFq8aWy2^Y9IKcZsl<+8qY+!&HKIhige(;3P5Lgve=0zk z{8e6Cy@{|Oi*8fUZ^aY(D-n6S@=U{gOC&=~V`+0^HZJv|ured?nH#36vJfPM;Hz*% zLm+2BF|sBui_JEz@Mr?o#ymg(Kk2WllfjVse9y=2hZ4*Af_ZarilxhJ${7&dDYGpO z_Wq6>dU}j)*8O3Fj$$+8uqU-8vnxjadt~L))A{Usyx4ETm|~lVX8WBZ4yzsDw+4$- z{DtMpS3^)0%Ycj!vgC4KG~5=q#!{C3by5{(xTa;NZHlIk7tuqtmXCrg5v4`bP?qvP zly8_P1xBhDR{D?bXs4^keHCrB+3SI==1%nbyu$PPGQ5WX#KcQ4n5ql;YoDya8s$h8 zQ-m=5M4EO68XiNTJUxYh{I*HvIhW(TjAYb1KJM_UBY$;f7M=!V!}HP$_tbJ8@&cp> z6;CpiH>rVf`)BuFrmS05HD^fFwa9PZl2}cv@0z>^TnEmMBIP(s%PCn-tQdE0-`i95 zoJAv z!0Y>d-qWQ102qoFD&hR@D@E>{9s(#8J7b)?s*CNtBAEc^D0xxM8E$%0uf;y=qnhQs zk+h(FwW#)lDRN@C5ufW~p4^RAW9TmULz(4V8f@aWaUk@o-NZ7`utA(W`m+@K$rn&mBUxM`e@MgBNQBzSh zrScujc4uF6sC`*RP&|JQ*~N|ed74-(-B$)BpYuAY>$R)%WPHVeHH)h%edrd(v2gEO-XO(TytyF9^ z_WOeIPdoXL5kQ}0Nc|(_P=Zb4O2=hMO_Z7n+HJ 
zq;HPUGfN1j|2bFQHp_Nxg1We`Tv?#U8&N4OevJ~spelGVFNmJyUF9UJ{VRo4UR%AX zoD_}yT(x9Op+O%L-VLXOhX|=?{s*j&ohA_nkL&6AHGZCz4=f9y)4^X^$}R+_Ig$(k zb-q$bM3-U6J-EKmC>Ze7wge*bo?WHXi9sRwyU>vTh)P>8BD~t51KcSJa`EG5{?~aW zXpyjruPFl9)Jx}vKJeDvoC{Az>Cf0dzb~Bb6qRj2A+EN{?KA*meX6j`+MmD2goDAH z*c{-PNdH5Y%4YTJm zj8_KrLH0T9z8vD1=N|R!M_=t_>iggy*d4~Ou&+Yad5wb6eLy$j05P#$fBM4{iY1uy zvAIE`$F8iA2zo&n+B}|Vu1i?a4+)`=4oQ9lQfPUA^w?1hz3yGcMhI$kns-fSX?|DW zyqJ{~!F5&c$HCDjzUK7q^TdT+jW{nrZN7Tm>9QTkYStrou5V?z#l)3B0aCN;agZz z-n~%@aLPd8eq7U4F}Yyz%5n)|GLAAH#*o6_&Yt)BY3v_i!h0+QbDKR@gZC;Wk7Fmu zV@KFcMQHs}DFjizZb)>$C3U;#{3|5}3N(}m6)PRZCDX()DIUt#H9TIyU;j?(&8ReK?qB7z&p z92+^8l*>K!GIELnzQUc!0!h{uRSYa483^cA?oCaP1v?r4a0NB4sR0&LMQ<^yHesn zpg!%BvJ^>J{5Q;H^-Uvt=0*%%TclTRyxb^eFL*s1`-pSo;lv>?p9GaVnO4@a5Z?~B zN^YmI67bM&%=5;@Jy(N~duQ%HNaBk?djpQ5a#Dm6A)*PVHau$)g%!skcTMF*OrpUn zIg_OQAcfvl_JJ>iFSLvl9*~gm2t*3s=*Z67j^N;!c)s|Mpy5wiYKgSkSlF8qap*Lj z@^iQUnLWdtvp08Pl%BGWXZCw$gb3)HKer30pSa^yW!7%j;BuDxgxbD|>l>)qZ=DQu(gBa|++qI#K7L$^o+Tfuq zU#(QGrhGYUnP3jxgctH$LBKaydZ6Y+(dl-^oC#jVe+Z+u08k)m75!61qqi!AnsP{> zrP!9eAm!M>z65QtiP8}Zo8*W0Bs?=~n~;y8<#|AWDMQ1)EOXCl!+J@F4T`&kwQcrw z??pG(iL^yB?)YM(2Xp09#sbh9R^t{PB$f_W(&k$c#1HeqIAF#k0UsPmdIM*ubU|S} z2niv0$sp1Rb>;A>FmF@9(DkF?-u(?=^C-ZRyu{j}k>#(~!)(F&IxI>)*p7IV*A3}i zwrX`RPmx*R)um5O`~A9eq5Tp=5NDfQTR#>i-u8KLsb3b@bRh`;U}iv5aUuKqZra2}gs-@7hO;K_#{J@#fi%Uq4?n=%M2(1p+8XB=ywY#08wU;xk` zD7F4AAapJ3+@gxmjkrii;h>>$Rk5#1gt7k6Dz`=Q1lB+aX#eE#LydFCUsEl*o)-KU z{L_e4Eqid9=aGp3hW+k#90FW0w4kh7H_@VU5EnF}^^J*(I|*3>{A3GGi11;gd;H$l z-T5K=W<&2b*s)gY1Z9>Kl4anhBE~9cFA6iULIXPht4Qc zK&h`p1JpZkJz6?lg4-I+hSH}>QCM};q;T;@M?Vz#eKWt6Qs>aMVN!(B%R{_aTKuI! 
zl)Tp6Z>iCCD4Iq?-|U05ngWL=UD_MDPFJ*N9ZOw7g$ z<3r)$|E4EB|403IP@~Yar8c`0`re8qrU9o)@lQVH~7n(~TcAXyMmfH2Rxz z>LCR~3%k4&ly&HkY}OEW_tPS*ck*7FB`|NxHc3uP26FPCd4_eFch7|%DyGq-x6V^( zWsG~WaMZ$9rZH0;TuSU$uj|sNgPKE9?eN!>#@{j?)mnoo1GOhN$wF3m{IM|C_voi0 z*_ph5?NR~Pmsx)kJn4mQbVG-$^b2*{#C`fy`I)c~M{YYmPV6^+CVVrp?#xjbUHHH9 zmaL|0&VVWpTA?;vFLt4E2q^Dw^OnFpfkZry{r=FDZK4L%jOeEeg>l{e7<%Fhr-908 z05>1C2agFovYs^i(Ms(=KBas-)7)uxvg6hYQs9e}DhPC>bVR5KmC2d^m6a2;y;hev z+^vlu88@u!jj86@0JWoEn9_F^&*^{WXM{l*)5y+f{E=pg47mPHifNhL)AC;P)Rkpv zeQLefr54cO#mTW{8AARRe=}k@-Bs5{xl*#SfM3*jL4-vpHCm$WrKr9ahIag!pP(nr zyt32M4m06K-!klACsHYVd-~1yjAO&q2`#Kj$R615U_wML*P`84@$U1H{q)ISDyo9) zD`W|xg5kSY{M9goGNe3jKuZqoFQvoWM)*W($y%G>jAOka=yo#4xIY;Ngy zlcC=;q4!#r0e1{+q%X6h+xo(lgz5X5OpUT$U`ub*r1xWQz$YhkkQ`N*zu1ZcEG7{T z0tK~LPbt@RUcI3dp7EbQ{#7?*FSy*O2@pql`L5Aig2J!`UK&YpKMdl!kX}cckxOh{ z%n@faW|p6Yo60(;-t@~Ir0&NUbs5y`w1}_zTm8*i=mkuX;wC_9MV{f;oGoGmo5Op; zPemxD)K~J1GAc18Nq)Nf+hqEo%Kyl%8FdY18)j)RLg~e88rbx71D#b(*@K*Vx09_P zf;6?n?eW=J0BET;ljfDL7N%#EOeuNs9a+&gKv6)L8>gPn$qpNx zCUzRUmTKx>+O6qxy06@gt2i*neO~V)?dgdPO3+Lg;+ImLlRZ%m`=^V}+dp!lGKi50 zfX)$z`nYF}k~06OdDlSZr5sQb5*0zUB}|SyC;%kTRQqiPd;MCmh?rOkuU9S0b5hEs zmRq)P3LpY?sB>#W-b-|bbLHQryfyvhw!0WzQgc&y<7+MvICQ7dJYvAHD+j0kbpl&! 
zwYHwlW$qd)_$$BjFLvX)_?aOUg_TddxL3BdJi}SfTKz*EAkEszB-XjRB8FDe|2G;h;N70}9DE!(NS zc{yqGfjy6D!Li-k*0M6!Eu8@&Bd!no6=#OyplHJI98-AalyzQ)*A;CUP1Hx-b^zDFC!uLR z4uwdcXTeSU8qXsGy*VVVzm;`}!G0vhi@lj%*!Oyvy1!X+J$P(dR<>d_by!T@EqTs8 zy3btFKRHq_pW4x$n)r4{(MJDlb~j(sI(;O!#oDUXl65q5oIZc#rsA|}?dlxqHsI{& za!Y1`W5sRPy}I?e+}Tw+9h?zWKA^4#E+uG_r1mLsL7!-kY)lSM1XFE9cV`2~a# zW^J}V^><$njGkWd0N|W@d0n4A_sX1+UEh$BMfHzSkc;OB21^8UK??>q;>jtu)15C- z03rQBe>b?So2ET<9iarTkv89ty}M%>r&M*3#d{O%7e-!MMk)UN-Qs2x0|O2v zCreyu*G|+u4Mt9qKVV||ig5_-f0~?wag8GsNPo8eZGQ(f4Q*r6;1{}h@K;|O zl+mA4*DqklSyF1{By>ug`?9}NZej86!ZrJt+^2$t4YTwQ@leXQwD6l|j~I*Lu3XuB zz>Bxjre$F0P%}j9Ydyn@rge3S_e5I2Ag-Xl?YZSd-+*V(j9ScYsPK1{1PLeEXGw6U~nl{eJwhb*Ra-XtU3pDFHoH!76S z-|O2Ei8Vt$)(11(@1rcV`{Vpwwgk{&hKaG&w_yw+`?^7b0ZL&lekq#VOhLA{(GqgO z4WUXG`t28%SwL^N7OtACWBreuGFo`M^-ry8`E+o$Ac+X8KU(b^i&u`i=d2c9XVRn;@%~-h|GCDyaU{tCuOq5C-VqW^QzFn zJkoxHnQfx>K>EjC?!HKbi0$V$tKOCH4Db*FF`h=2nGx)Zm4rOWDg25M?N>s}lKYFS zdlSXzp8t&wq5ki$P17e@e*D?DyDwo06pJOgwDFqY)PFJfr~7Km)v$CK8@*6mhA`lJ z7VYyx3g(%t<~J-_{Yq!5m-lq+q)X~uaW$6H?Rpik3on+@DojJcY~ff9rn1NQUSU>^ zSp>Lrv&s|<=5k^{0~WRG@siVolyr2&w0o!4qX8i)fwHV{z@ zIXHD;o(U`sB~9P;Z;?Rj@!Kv<18KYA@m_HN^$&r&;0B$_EOF-j9n-FygAMoH z2`b{Zr{-I zMSUdWlD*WmD)u@OK6uJ+y%hMYi&YV}PR(L)WOm{!<)3Zgn9ZZWXfI^1vT&`dB5Iz) z$vnhoChc0hblp8Rq3|vES;PeJSmV-OL9b5H<>RBJ=&MrDvfs}zBpBz`m~)}AA6p7N)Bb5h?HBlIMw;&T&k>zrGgjnEvD(B(?XIz z!DeN3Dv-hkDA)|m)s7@Bj5o7%&VF3u%lco1&qn=U1wy9^Xu|IzBDQ&soMJSc88qhqxYuEnhZ^UQIB@{JE9&U!Tv-cqd^~ep`q@DPtXI>WKBZ8V9;zSo9GQATq4u{NYlf1706{)r?rsYUgNcr z4*yXV9-qKGBDgyGSTP=X!;iud_B+k=RAhY%DlAX;(<3(9M>)`;GUER;IqL0<{> zGKIC|Ki_B#v|yni*sc9VRAII(n>$6EPm&@VVn&0db%-9)fNt3YRl-DRBO+AU`#^U} zM6gtatdwI)MlnDK8%d3gttF64O=H*)tDYOwC~_*_g02-zuekLge%idXrZFKP;6vol z&u)~dO7Tdz>@Olte``3rxV0xQA`x6MbDl{Pi4V)J^~plRj2?s@f_%ly6@sW!=kO8d z(*Q$oAcrLc3?UOc5Sg^CT#?EEC5|wV5|5^F|4LuAr;17uUaTvVEznOwU1PwSqF$mN zR!Rh4z6xEaiF&Okv!KT4fCOiNo2wg&-pzK43mXo+L4G+mZJ%bqE9PMv!dOlaC#l)O zDJsA*Bpe&tpH3?yWW8A@C+?XWD4Prhgyh`7i 
zA+?;fY%p7vzkBTO7lu;Rpt)S)syfOpVN2!`Sa{iC<*xp05V8owA6&Nj+))m`s*`dB zJJoS9!CBcC- ze!(ai>>+V$CNkYoY*xu!sw+bJpa(S&>x?L8Lu%~&%V@Q{O8eNQbhael|HKQ)D||G? zfIcZ^)fo0=dlM7J7dJ?|>4mFpL4oL4D~fQU=6iG9qw^(VMHvmb1*i3pMsYlGWJajR zJ*m_2L2n^+G+Xy+0(qT+K9zqvT10c<@nTOax;S91kBUfghE0gE$qKl)ZixAY#BFTG zlFBsG&o&mbDkSq8p1UkYF*7DlpvjWN2WXs1Nt__|pkFpuchxlz&YU;_S)O{I8;|HsBarm#bedl&pg< z0$k%|2aY$BEp7-eG~9YI5qH`S4P#Cf)X#36WziaZ%xQRiT9-p7f<0#Tm#W4W8=j=& zZRg_djp_?zNug;s#mQ0hq*GSclB5#tSUTQTWhe-VE7gFJOzYL_ zIEq+_LUBDu7+$GL0B9P7%=y1%*_%$;3tSaPL*l9@Sxi8R1Hf`9dt>ic=YY={odfp| zK08W05_APmK+jkGPnLl=#TTP0XMHT7OZnp8^x0pQwaLR?DRJU5r(_7sY;@Y3!=!A&x`MR3BPsTS z+3$+7mIiVm?0$I=1_xoeyUNk*M2YAMSvg%9|M+zsn0F9PVfkn_-mN1Q?92RWdEo9E z1Nw=Cj@KMdCj1gjV}5Sl%G8s&SD-RQSy8G(a3P_7@lrB{$+EzZ`1V{I)~}mZs5}$@ zDXV=!DtLlT`(0A;Kinl-$T+3-gsQtJ9j#85G#Cj;MD+kveSrHXF@e_}o%t zS1n}BTSvhDmU8Zz zF>AyHPe>5!Vh8118z}Wk=SXzfv+4bV$%!!dWP5tOnDs!IS1UNN6fXtMyoBQ%MuHm` zR9F_!(wW<@@zEJN1tqC*4|8~Pt!iU`*x3CM)X%EX~vrpB5p%N zYS@qqce`Xh+c*wBPa2@zUC zmRg*3JJ%nk+k9gU7z4^y>wjYafZ6L9Y!xMAg|v44eizFZ2DGrjn?yFv2YYI;g_ zH>kh%_CG>>wj3BNj;25l(0Et4e7y!&_7fY$KiquKDiG)h^8G5sE1OUAdGXAZ0axcI zx6Y~_mcK0OERw?FKOffael_mxowW$upw&nw#~SX@9=(212pF4(+!%8fgHyC#S`FF~ z0XZR)Of*kV%HW3S;$InJSrTA{CksJ`$i3SC0gs7ZC&E)SO^>#GXtZ-XfZ|%^fv1wr z(lXo{q_Ns#?(=TzHe5GPj{xghl(90~eYq;Zsc1U9+#f!yP~124dYE4|-H|^IKn9Md z1ym@bne{&p@cqr?k(}rCb&I#PdI1Ssr-4-AIt8Zv4XfSOfh5W14*P-V{G%yh32yC_ zOx*6Yh=bLh5xN`@RXpLrgbnJ+VB6nyB#c|L7Xt$QqMN~2Is~0Fc68c(Dpd5uw0S7~ z!Pjhqs{w8-$B7sB63BU0^AF3PKDYDg#iIq%vL_e61xZrevk#8)GLh$v9~pn2S61c? 
z{p|YUx|tk|Rqf*VlQD?Y!qp;;H6ZI3^G=4x!EoWVMXhVMY9pZjK^ zvYWmf>IDc$xRi4UiJY7PrdFav69Rh*xKc zC@cffuKMaDv59uhS%hL(0OQCfw*`zNoncgJwYZOBoUcpR#0TC@V4w)Kh$bZ?*d2p- zIxMZtpjk%l@W&{Fz~IsRWd74^{+GFA69lC6tVQ%Ed9Cr#x;JH0dCM>h8aEJJh*j~ zBUd2xPJY%;8-kByVM0-N{*l7yah7r%{#S8Ny`U(m|n=H?&s!0$mf>x%e!&h=V!t$WsRYR1JX(|PpSP@zGC_s+jL1LOPP?s>3k|dh^XOL$LIi)#a zn7n{r9Z5~-sBJR~^EW1z9eHIy|6M8M)Lkk=$#%F5UA(iF5b0BGs4~5b=F}e1Xjj6X z%*UJ#g__0L9Le@W=Zsxf#*FmwZenBZ^u%tzu)#`D)eo|W5mw~Kv+TYSW{D?jC0ocL zlVLIy3u9!ELtYA~p!!27K#7upJqndOk7wMXj!L*_g6Jj!% zFslv=s1ouuV#Wo)cCADaA%wp@zTfAHYHrTx9?E2_jK|0ptxl{I+s7v) z2YC!iC!Xhh8Ykh4Z(TE3+9C*;b}xD4|E9gaVSl)ht2hprc7z;FPlSc&xY^n;Ed)}%n(JB!fO2&ohnosj&BfNGxXzC{EOv)`14myvEQ4vzvS2x6N`|pw z9xT|I)J0@ZD@f%);YaBu4CAI4rz;}bn$+6FuU3g~50tg|^1lu4q!-zw=?&EQNF-3p ztj*k9-HBq&xc}(PflG5hgn;cw3;#1_C@q}A0<`=yj*3_Fk{*YY`8GCM7xMa zOhIBHCmyRn@{6$Jl2{YPw})wfu?7pWDtTt9B#6r!N8EXfWf#Clq2;;`U=|X0b4jd< z6#OUcSG(w}w(%PxG~QU5^GW4NO(p%jj|(IF0&`I=Elb}mzy>CEGz+1L%3&x}e$`@t z+QU?IRJ(#Yw2C~4>Ii9Ii9HVi=Ko?s>YgD&`$*^r<2wQY>GwlNyKE9T2wen1<_@3Q z*A((Y$H#*Z7DoVoP+UM%6ESYoOun-UMQ9wPCwyHGz;geMaA`VQfv?huT}KgN=!%of zEd2~udNynU)qFo$?m7JYgvsJ4sW@{{%T{2Sy#p;*O9LaeV&FOjQ+%LVxOH-ces8Yk zFJ%YW9%#m3vVI$iFrNd!Q5O0R^hOZ851eSQ>$n;x!=yroy=Ij&(+5UPCz9}7T?QaKol2sIphNlYucBGk z4KdJ5LXH=o>0U%GWdORz-$IPQFS}1sb|4mos(Yw3E+c5t8o3m2UXRXyoAI_gYUYx+ z4TBVT@fq%~%CL6s#DqhSffi(p+pv3d8R*->L&n zxC`aHxxf!=bAfEr zJ7?i4AgMYaGv|N)j{_{}O9KQ2atW2*hP4CIMydMPDDBt8k|YIQ?dJ&61`MBu;O z3fgO-huowl^R^6WV8$sby)D{HP36S2tY6feV!tp^^)w0NC_8d zpAt51pQnF9a@BJgQJ?a3266W)B%xQ^hD%M=^J@aigD6zB1Rwrd!w_1q;hploq9Y42 z5MBh3I~UmLnE|qjy(Ct`HJ-7Lv}`SqyFXy0u7_c0Bpj;_kDhYiiAv6A~Hkup#2 zwh|5Sbz*WCcDQ~WsXzi}?_%2T(*i;jq~*9N>Go6~f3_z&dq+Hw5j=9@!N1}66A2JO z1dtyW82tFfWINn}EC|DQXPqi!;oZipU=3FCkP3;4QXIfP-tEW!3O)WNHMk$wNBCF! 
zv7rqZpI0I{3`MbM&qkrts5{c)qdB`GKnS&0gW_(KvHli_YF9Vwr?9u-hOxzFcs0~T z!=}nSXGqOo&YK4yUPg$H^5P0U`(+}<^G88o%mg_aqkIrJ*#AXhnABCa5j$N{<8T{Ge7mP<|}N0H(7fS;2?f@zDhuYEwyqB7qXE5V#UnLM8`3sY#L&Z#|HL zOxQ7$%LnvbS__kVsUquBK+hpiAzrX0G&wQ9uqEkXVq-!7n^GE3iO1BYy>T>a%aeAB zN{q8Zg!={L$}o878LiyhdnRU^-a#~uiXK=k~PM=R6a>Dig z26^3A$2o0%kDgZ&@lUQw_A@oQcMq1Ac3xJrHZrtfgq|dkgk^DE#vFL$0$49}!;<7X zVFXYx7Z~|DS3a}^MiBW&4c72aa?Zl!m*kWiLc$JFstN-)BnwLtK*9w-5!5Va@+@(H zg_mtJcIyIz)FCqhi<81KtVI_P?5db&T+t_iNrWIjj`>ymU^hpi5~EciAPYgS`XpUS zC9^dFo7MCi9!g!d{uF;*@gvoGQs|HR>um*LW49OgtpG#`0F~JcigIgi196C!sf}$A z`11nMlM>E06s^P#2ko6di$Rq9O#gFTv%?Dst=N?|b=wDkGXaR@l5I=x-JnRV@qtu9 z2rCWlXZ)@3GlfiC(3F#B^WBwrhct?NC5N`QRybL!bZegsT~*pm@0aR&rlDgW&IZDS5*AE^uRoov8xkp6tw>WY?u|MEgMwqZEX z)Yfsa;g`rrZsPN|Vel1{E{S-~QRD>i_q{o>McT!l7|{F4bcoZxN4bNE*tW7MdP@px z03q$hw?&$K4U(l`EsSP@A^8n*2NL=|XN7<;U1Bfx&`l&d#22&S59^7{kbfXEd2i?b8lNyakbXWs}Q4+!rvg7(gG$(;cqP zYwo`xg;-tXtPt=ui}rcgHdN+nQ6wP^3)c*RFc2=>8rl(Kj0`SWk}^zKargYB7j&D1`|r^@RB*?;)+1w^^@%){T~`h z&9UwK0HBdFZ!~h7dZ0eFl3byk6%_|AVhQ%(*!m_V4&SpO58ijneI49l6c7X8jKcSH z_xXFqzTR8jGOy%4Ix)cq_p=gt-YZi!jU`h>q&A*V$Xf=U_ua8@SWozS7LUZs!~c-+ z;#fElt~mAtQ861hw>}>&EpI~K3)g!&X%zySrzsmP{oS}4C8ijkN>Rx__)sO2G)ZQ3 zd6>1_c1U7-0qwyLK;XWiwA(JYH|9*n|L_;&Y=f~&21C&3*8mEvH4ne$2k`^9Ec;+` zS(Ck30>tw{vOv851Avkbe+Pr`((yfC0q{Nss%WCSYAeiDTb#9ehG4?Tj`{K|JXPi6 zj&3qvq7BdJD=VoU5(DDq`EdCcdX(squ;4cbqD?~Ve5eVD{Fa1Vx1nMeWud}Xd?VuT zxbHnB*+5_Z9rR9HAS8YHUS_%+D)~X5k&v{d+;5>o`>5>z${_o>1a{vYEUQe|b+tt9 z`KpDH-#?Fh+3m3}pKKMp2lTfg`kywCjZT)dsuTA=;IG6KaPz{QW5`q+?1ExrKt(t8 z(_Y?u8{kz>kW;RDN~qo|#4Xo89LDr^09XIdvs|Iy-k|MucMk=9BZ5}i;T~&8Zs0rm zwJSgm?b9W5pVf5iyP80*JDIUpsFOw>0MSVR2UtP;Ba{EtV~~zlIOAcySfG``A7+VC znUJDIEmk+KNR_lUn|NK_=k}e31zGvhUm#I^^8~QJE9w_DHrY>gYigDfk@0MlZ*S;C zp>JrlkY-hm$J=`XbAPGJuY48PIC;IN&$`22~pyS@Gz zqXKqqE9DsB4*VowJf()Vq>=G2d+Pz`4Q1sQnN;JlSa#*=xE zr4bzV8J-%Ijb&DqjWz*oIo!3Z#yu9-8G_U?9Ok~}1J%M*_A*mc`qr zymJYY5jv3ypDhSwK+9Jj&=qWZkFyyh57|KEBLS62)LbMMpgtv&p?7)jb!sfkj=l#J 
z9o7g~ozHDM>YYq805Modzn6Xos{05wTNE=Ob086nA5Jt2Z!N6WR0grZM#W9iS;2SS z0}4{%|86R=BD_m=*eg)r+fiS37X!;qMmvOb3>3t%sdp5+#eqivJ!$Ip;5I95L<$6o zyE32v$+Zf0%;+-93p)VpjAiDyc~CnwJ$%LkRF2M3YJ;+M|L;{pk-e3jd$y>T>W5Y_ zRk}rcWIVvLGHEnWp6JsA7UbBoJq6$KJ>>IB^jnJ@YZK8m@F|v0U8Oi$2qXbp40m9Q zD%A98d&6Xxb{zmvP8=X6$oLHqy-XwjU5m1;Sj#&0``d%{Lk+)p`|C?^x1lC_9hOH zEMU{*aHLc0bXy5h-klPuv{j=gt0pasrZtJ{uagWaGu;%>BU?j$**yD$a z3>Nbzo+sDJE2S!(OEFjbR?EJ}EO&z`6Qxs4GM+hPM5KpCxAsiU>Agz7*yj(!w9*`R zEH|z|95hB&XcCu~S`wyi>d*L^tus{dx?AY0B9ca6vwqdT%t;jCP=~L=_d_Rao~4>Z z{;ANOK+g!B5}}Q+Ku(+XlrDBbRhJP12xs7b!ZyKU`Ue(laIWLK4!GP)5bjd$O9y}1 zcNWHSaeY#i_=zhn_9MQg%==(}5L2DI%EX1D%cd<`j^mr7&~EvQDhBtZwwR{!e5JQi*4aLJ2j5@j3!Yqw`&3|)ZlFO_*ZT^ngdSEK2nOHh2V2e@g2tbcw!sGr_rf$Xhkp^`K>4OrqqoPj$Hw@ z;gZkIlc1de6TJRcT-6&5pnxYPFY9dp&XXJN$9rgqLq?s7kqTR%@y{Mnn3j?HF*ZepYFc_s)PvppYe zWDqVP+;~bsB-7Xy?cpYT`nAV#hq~Lg?y*!7;W(6&`}t;wn$^zEXYvTr%WZbip6utu z|D)5= z)!ik#c2%2ojwh7;kPW&Y6e;{bBqr)J35>K_lt}buWNVyh;UfX`u_6hW2{6Bf!gI>< z&LWuPg9_oGkCkDtF=p!n|D+b_L)c;n-+PKcp=kJ!Ut^Aa<)p$E*=>?sE{uZMnE9tw zIpN8MCuZA*W~iPRZ66*?uECKgbgO!!A6MA(}6f{f|F}dMe|Uj{ANJTyTJRUIco^da;4Bg0~0(IUPV&g(kk(LFw$4=*ZnbRW0ef@CZ3 z^`LLnyOmzndHS0Z`8-|cx@p*0*TPffL`qZV73P7^6>#^}-)fL_b^JR6-S;iUd_Ue^h4Qdu1~?V!TZVKC@eHrV}J@yKO#VHEKtmw}m#4$#OnJ9z%dp0=McJVS@)lDX(n3y0^s9lnM)tLm0I4SdUjV~Hdlby}NSA*h zArX*PnE_i*Ix)rHcZcc3{JTZ8$FYAPB!btIfG*^`?GX2*LZ3$sZ2;o#06Rrr5!u6i zgNp=oFZ$!~wIY5cpa$BBS-khy`cU8}!j}&cr#&-g6V1OvXJ*PnhqfFhov7XYryvP+ zx}Z;EibuoT)H<6!AueS(6dc~)I^7T)&DKg!?m6sbHnECJx|0^Hsqr71%~`E{njLpu ztPjqBd&oV3Zs$&I$2knZB#%Pao$lH@-3EHITR{i{d{jro17PJVfVwC!g4DaD+u7+kJhIsJ%FG& z{?UZ0^z<@WG4mP9#8i9@WF>3UV#z}0v4Ap4XDJ)!eAlJprr6IH(!4nXWr*d#rC*6+ z&rY^P*{pGIUaA!pD`^n+@hy0C{kgalnbYt0Rg_*=E zK`Fsu#0RAx-yRU1n`O-8-STzxN*2b(uRKiGoLF|1w!iUoicESog2tXiuLft_xwGS$ zjI!UFUmvWrOUf;zueGsu2TrYCw-X_N8jB}dHL=SrI{;2D*PvOs#ELSqgnOUGBfu(_W3Q%J z0CRMx&aYG~50pJBEgkk_+PGbAN8+oX&?xvW61K}EJ$BqxU+V85kIo}HgB-EFi6NKY zhgfXqOZ^C<>$3aru5ei1u#e^@=d}K_D<*jLWgmkqreF5V$bU&|5iQy1!{Rqpr@mV| 
zGq;{%vX7H(GT_gMj%Bx|;FnCQkL>KJ_|jZEJX-PTA;kHKlTwyr*y4-#_trSxajVr{ zIGvyjJg?Y}p6A~Ur3z0t$w7NZFy$MbL%2`nKs51)Ffgl3*uNSPXQ80hBC6(I<`lq}xm zho|Y8@DnL+cjMgyDG34Bl#H#u3Um!SV$eq+kKxkyICIgDhWFf#XtU?T`XU^JNRO2( z-vAFXy6ovo%N&`08vPAuxOurr2ofQepk`NzUx4n98xAZM5mtc92*iv7PUbf(C@8gv zJhd9Sn*S5!s7|>sS9pn;!jI;gTo&n7^8d^|Z$ z^6B?Q?fXo?9l@?jwolBMuhR_&`-oMP^T1E(EVxc{|SEvSJv49o+G{|t>NN>BnweRj)HuwyC&X!PFz z$l5{LH)I(03|ZKd255AWUKHH0R!05xyVzI%RnsUXoY!8(Sv z6yfJ|LDUk9Z>&X!TI=QqIMEv}iBRADX;gi*Rw*Y!jA%s@l;mPg- zcUS28;y>d88|`*u`f;2Pg@^mixX8x3xtAB>h8$ERS!gK$%X1~~tCFpcW9H2%tUG>Y z^p6&sDVsKAcu{0t1C(#`Wl*PvznwfW?9Mm8_}8>vHZaW`+=5#UB87N>Zx~g)m>gWn zdhH94Kh;*Wdo9p?u7VP@K>$%B@`C-n$P;?~^_{?tDc@l9Godvw_2-xLJwgGk7Ka~P zwG#sq072 zVA=f5EG*xesMI*vdHl>VF$U~z^2z%aR)9=NeQjB>omIpBN^kZ1548&jrS?tNAdOAQ zTUB1qvm7d?p&}-#2^BW&l>_(2jLL^yxNCC$Q{VTE<^5VWO2BKhu9r?6{fM5M0*+!H z0$9II2`z#YA`ao6>_tvQu%oY}g4Q?WA|YT!IEB1RdNAcviur5=w8SmK{>3pc1$+ic z4~TB40&Jn3VcMX{tPpuqd;SMxD`&%~a_`$O$ zZY+@MhyJ)EH>Q7GB|OGMGA4a4fGVly0Ob{j zxWZ?iaKM^S>D-9--J*#ru%?x6-M=wlFt7o07yBP(QQS5#;ZTe39u2dH^HzOp1J(;~ zOb8+3_Z~X8v-~Z3tngDN=Wdfbh{TS(!70l=x<$J-(+(tFV4BNK zVGhk>YP07Wj13_zDTQjg^OP|%MAlyOBO@-_fm3#v?~#E3;_eL}_msXK<4K&&`whT- z=LbO6XqJ~@OD4>5PnHJ#Pp03_amVnX+m=jo&&&7S!3YQb+uxnneMqF)b$&}G3qq((AdrvM0- z9#j$Pj_0nhOo{|y`}(W32sd@83h!O4@p*ze><&C(z`3oM^c)xvkv;dVUXZ;={?xej z48^pXGMOktq=Z?Nt>H@QlG&P&oSJgD5&;y8#JX2ayx*25mn^~>u6x!EOBX?Hr1`5Z z0-k=E-0eoQKoT#cz*j~J{s;#?Gb3JcW7~G2T74!FdSHeb!8^NlydK;yhc6{N67~iw ze6GVT(7eTviUjq2*VVV~jcFai(xGid;_ZFC#9Tx(B6zhptfi2!a5d9qz}|b1_qszv zDx?f;5Ic3n61mipNRi6g$lx=_P%5-6|+F{cg25Tzt=2R`QRE@uU&1=M}%J*5eH3i5UoEgL#AHbQU zw1OHn;Z}ZRGG$*{G5`K(mQX0prxI3VYlxyON_v%q6*{Prp*(~nO!N^c9QFk1Z(>l7 z=iqa0f5J%F$p2=T>bLNs7oy!JkiAYzc2~0T%Jo1Ol8?QvtC&;F84Z8dNY>qz$!5-E z{|4}1mT=PCx7^hx?y{Kh9BuPll#@qsWX1@mzG~wf=8m3ny&=hOExh((OR5{kGW#WT zNQzt~4K5i|2YDZbvFmG6Kg93g|Jfa-t*DI#*N?w3(a!MRAlt1fU)=QS2p@0k8z7M? 
z)zpD9;P62@gI*P?{}J4ksjd0&+wfH}@4g_C2Y-y`yYpld9-=;Al^6K%OPDcQO3u=x zjWVGQDb$3#9D75UoFgpKb0caa^iuVL61aE2+U2BeRsYp~R+DPN6CG5UgKK%-fEYW% zOUIiA7bF|is{#bIenXZFL50#?!+elpWoQY=FP3Tz_x4@h?#h-fpZRtf1!PEMdsYX? z)^P3PQ{~9BWdJ}LtObNMu)bT#+!&`EeX*qoyPfauzTX@~{d)o}KfXG2x?2V<&@2*m z8RqX|=-_RMo!c){Q`(ZfEryO^hIMQ3(oyt)8souLD>uh(u&{_EZzlo6=vbJ>TokEK zPr}EiV+RlJIm=?=-Ne0Aw_kYT&DMNmf$U~LYVbS?h`cn205dqqPf|N2qDJ3l>FXTX z7TNwVvfo9BD#|mWekfqfpdkOseolrU)H;YDeGnjjNMueU(=JiAF7bATZ45Xe$4Bc> z_cq>OzfOtUlW(X4IUXyTlz*)8o_5xMF}8*@?TY1uDc`d*_DWrp-euF-=+90|EOFEBrd+&V4mJDGtP>ksZw>4QV6`0hncKjnGpj zr6lQ@8w3|isvN6kOF?w9ft}&DP+$HFl|E-K2%rh&YF@7<(j!1g_ zys^Y*|FoXWdAl)*UuV7B3+iVIptP&Q>$h9len}Ja4U*er=2>9l1K*vA7M7OKEJoBA zie}l4EAm6(m1koUF}Jh>uvyP5sp(WqJhnU-|5xtmZJZ64{>eSvA9aa;_RrsEEp@>8 zE{0KcD8Y|utk6tq+bvJ7f&rKO5GNf@%3xucN1=}US6y5#BU8P@8Y$Sh41{kP23Mln zDts;GNIN(%;onjL1x26H}B^t5z@SPP8kaMhA$-Nc@f%d ze2QYXPr>}pm#=7r(c&t6_1qh81x`dp3*CWCFQ`!f4ze<^)W;1Td@y-wxeZxYIA8CS z6LMaJUX1n7{jHda7pIg~bYdYX%l)tNrf|p&OQ_X#?qI^mfUV3!m;r?GN-TBw?g7NvLeUgowPK5NG=>9D8+l3A8~3-D(pUBaBp;(v zIV)wHZwiKI&+k{xOo$%pjvp4*!Wte1eHc7HXN>Gdy&bayHGd8%m{n?h*IcHHh%8z| z6p2QT@91$7Ub^8!39<)bAHu57d=go0 z=CLMBv1X}M4&cqJFoP_C>M`G*BXhO?j2he?gRBd+8YrYc&D%*4C8R1%Y}=sKNT-T8w^Mq@cT^fGG;g zFQuQ8cx!I>a5qi-_5Ud^bpT$eI!#}S31-Ldt#>4Kae45zB{>3BR8vEzbVc+L^~5~j z6bj7H+b(}f;oeI3-$z)3pE2i%>9}=m^+UC zz_FZBN3^kPy)zDl@LlFdLW0@&!BcZvkSfB&^ACAzy^R~c-#wK?GLB11Th=W#YfgS0 zYB2*f`;<4;mbgxwI?~qul&!}H2~NLG>~{==IsCrZF~(?djStlP+20(h?rw2{<;l@sP%zh?T6nCA?N3yc3<&!irydGMCE_{WF1T`Ey+YlpkV1&so8u& ztDs%gc9`WMv|=SJQfGr=MT&?{!NGw*fzrQc$-JETa{`@sDJod`8~wzv+}IT3_AUSi zmb+|-ICgZ($+1o*wJh@4ZS=GVI)xUsOt{n_a(&pRHXQ^oe#iG%cEq5c|G6hW!wFgq#LpBE zra^Cx!Oyb?<@DS)A<#;j#e6@*#l^InDs86lP$%O?w+@4`Kb`4JlI5(;9N`9F`*M5> zj3bsTlBQF_s+SETWc^DwQ>2=0_%wpvoaHUbg0hgF5^RW!N&*&y4y`iEVR3%qp79qt zZIotXb#y;Ca}L2}aXqDfLBkq0@ID^&j-p2-NKzS7=KxNnISwXIGmJbszGxbNprxUj->vEif%bPNC}~C~7a4s- zOVAtnLl48z9E)P?8lBhvG}M+(hYG`=lz@!;KIi@Ob>U%08DS%!SUu*3AjwnHEZ 
zX}u2xlFxyzvQ3m&EZyW9GXT43>?)a-L1{;#aI=iEj<&=5^xAMdg#?f-$O$*I13WBjz)dN1{*q_hE zA82~pE5@uGV(;l6kS+#0z&){Lc3H%MB&PtA8myi0rES6 zaaSd3tAf;-7)=izjYdfpot8o|Sk8=iwuDp%W0p{L8@eGBrijfk3NH|;PEg$Cev95{h$PL^JmT#>XMja9p z?c-%@wy>^reeTE}39S#D7Rkov!OGTxvINp3fIS{95>#UYQEw*gKm?5AfVC722WYlWKqxuo4)+F#lvY6n?nlN;z9F&Egp8Hm#i#YW2lU5^}l81E(*nSCE z6}8~gzj!pq@PJBN_9+kI`cFKXV<}ckNyEcUW-?^PqS;Z(Crlk_eqAd0rQ>s{b)e_9 zzFI~!kjK&_BVyy5o$y<`Vs#s-l1iNYa?E_9;eOBuajN)|g!GRQOz;g=1S6Hg38khV z&XLMdc2yw1o~oOf25=Sy#an-#@&24oQa>spAo9=b9AJ}5B?^nsfTFxLz}V4VUbQIw zOu33~{c_xHeWO?QJ+;)#gap=Q9vuWBlNkD9L$2{hpPvmwwZ#%YLGPA+AjlY(Y> z8GoChtT*qz#|J<5#V-3LdLU})_5d)FDXl1^bUGK*avnFoHt%>Oh>q>0T5!-&X}LVz zA_{@6wZ1x-zecKDtI+WpTYK^(>#@FGlz&Pn*>>{jij-NGTmJI0e+OxI?Rf)hH4Y3o zDkv8UO&pP?G9#5mBfhRTBr`ttoe8LLvl%W!k{ zEN1ge!4A$I48CGEXav0cI;cy<(lqG?Y7T;rjp8}>g_~Um^$7iTaWL%6(;4m!G0C7< zD3+~p|E^ysq*36v>(;Ht0AXiGaICS0683(&GYXtTg!j{rzaGx{P-7maO6jamXk0eD z@tm##Sm0uLdVC+TLRfRmYt_K@-ODz`MW(&8`KA^;F~w{j*QA+BMH?w0@EtHLx^OIe zsFkm*b~&B*iuJCkv%DpI_9nbn&2bHMv(LCZd(90ud9;9-1?H{{>#+5Y5<`u?{7_nc zOuy5^$q#hEyV!*w1r>@0t3nL-rRqN-&Hs-!G3GEZrWyG`COnA~Nj!O>#BJA(E|LQ)Or@P$cV-lpZ?V^{45P3N%IjQWgl;Sf(TC?oCoKo7Vx-s)g zTT2ep6|;gg5bE7)OJr-Z-ElR36s>}<;R!1AclXf)2`KfFujIC00a#U7hgHBPr#P`7 zbe&CCYvh7xJdsc`J3ZLHaz$VDM{B{;y~+jrF;Fh?50I_HEJMCNq-3ei(+83%Ou4}X zGh69g_?4L%sxNN5I!1W8pao@5a^H{P)nE3go(^PI>&@#{)3nvPN2Gajuqf{0 zt#k9&cF(MrS+!`3%nwI64#JoL^S8*5FG)2 zv+;jTeQaNt*mn)?OcjAGtel>`s-r32dSXseyQ-PL(Sa8oQI=mA!RQ*!QNge)?=z!2 z2kRv%AK$~xytF7X2BYzrrkW#A_IOZS>#lqD1(I1p8Q*0GJXCYxzb6Nd`cfpij}gXo zW)BbKcs2h$o79Sx8VJK#5(K>dpDt;nYCCsR0fJ z^yd;2=#(s|*ExbKCZ*t^ax`QN-ylY-B9w*P_zT6jpD(ya6lY1IpdD@~BWtp``MSyV zpo}vk-F!)8nzqcn1eX2fTE;JOdS4q15ilpPk6}uOZ-C5NCcbrW7YZ( zO9u)tu+fXC$(9&@o>5O$U`U8>EO_ich&Z`*txNn{2M-m}((U{BO6S6dN|Q|2>+vnY zHZDWx7|#5j`j`dD^r-!HgjZ0`fwN%RLUo)uNmfOq0ksvwZMVb_UCPp?5+yt%lM2YQi*9=2TMs6zU$Nb%X2FVnbfi>D5&Hm z5UDMMK}E0rec|4a6YMs-#9WRB(d7r^*9^24si`pJ6J;J`lYtnPjI6QG#|IuQb~8q^ zl&vRYK9Scp4(Xwg6HjCy?;40z@QJ))6_*?3Cg=JQO|Zbr(uhmd2a7I5j~=bjzcYh; 
zbS7$s2o3m)yAnkU;=6nd-9jZse8pXxdfuJ5p=udtS`Tzyzmd3NVL`{pGG@2)UI3yv z4@wQR=ZWWo9MGB0&6oSQzNy@a=~{wRcDOC^6wZFZ{N<7+}&aYHdFzdfp9mlhE>CiO5S8@7CMV!g0vZYLHtWka0$RT4((mHL~qv7uqFmu`>8gzd>Nk z`zvu?wwm_Jvfp-b859K3P1O~mrD3|LH^MHZR8<@T<=n8(3A=`EN6FeaG86x3`xZv0 zpTZR7J(N@ypI1PvP9h;=dQLR1TeiTWkrcmlH;RES94zD61z@9`^D#`0o>%JdEFG8gmDvV-;SH-=*=lcwu@n&-I6+ottEuuc}JbcA;W$z9M;b9JE6= ze7rKaoXK1DXrsNAVvnN?0bV38=wGstBJFC+rxfs(bS;k~OC+?cDRbe4adpBc?Bui?``jtQmdA7#sw{6w4l{y>7nzdmKpsFt)! zJ7$=zH)!pM^8G;Ca+6YzXs?<5r0T_QW&G{ppMn$kXBLU+v5mtVVW_p){Jh#f5R|}5 zHvnSr-j~^b&V5RZuQ@QZ<%23Q8)#6D$B-77RtzJh)k0Ad-3-!4Zh~71Bgy)=2ub63 z!fdPdMLYGOnwM{>3k%Wh@ARFmaI?|Ea%1O@+dAnCyC%NV!ZjJ+Pt+2r+DtvUPD*zk zFG|Fv%*I|eLVlVmGlH{~4lKmHv_B-uCHj0y>)2EEd9HoP%7`hf?71D0f2Z3wri(0( z;k6a>TfDFBXcXGvZO7~wzg5Q=*UT|FTP48qyQO9XwZb|}730XmbQGG6F;pwyz{6Y@ z$vW}>q66-3@H?)$P%p{T6*hrQWCM*jFrriu6VTiDvZVi&K=v*Q2 zUL2FPa%AoczSYTYVG0Jwk_cn;-E*>ROJQ32i{r`HBRklS|6C~uc&{bUrsC{B-c1oTYS5EDnm3`j$c7Ya=3khI3>XOT-nf5OtX|x zUb-;_IvY}q44c?^60o7rf0H;$0%4w2`_KV0;y)`zxlNp9O>DJz#oei1G02yb(2P(H z=&ocUf4D~5RyKf7HyLy5jb!+v9#81FsmK)}$3z+OxP z{?j?k)t})6hW7N9#G z*ESuYGYd^15Gk(5r}h3P&avmjTc}YsM9`wJE9$o!(18BL$(msRCD-oB@4WBn+$u}~< zm~$ADGEfSToLt5+WW>Pzfxr47Xn&y;#SUZ%5g?LJRbPn2<^@rg6d|ANHKN-w`@#K# zmir8q2Q{PNUZ)}eKL<`lU@*zpWznt{_521CGuj8P%i~2a+fsrcE58z$8Ndm(6_{Mv zY?DRfNj&sR(rdMtap9a=5Z5jaA*2c0(bND_a9dB#GiFjwcFikA@+{@ix7P2WI8r2a(eec2{P%pDfllD_IWJ(>-=2R( zfOWDj3IA!i_*PKd$9{9k-R*?e@~V#a0)dkLW2P{$Q5qO?Qothqq~avc+=$hq#|>^r zcS^oPE)r>Brr}}!9AO|#(?#-cTYWV|1U5*M++)XH2$%xLvaov)s)4kijbKawsuoWP z#`K!oRu{i8?P!F49JTfA5^0v)2Tw(Q3S#N7K&6&9K4B< zlNbFP*EuaG(Ox7fiSh|zytz~t{59uZvyp%pN~wA8j?Z6u;O$kYov;hD1H%gN$F!w& z7{GfPB!#7=7r~r;h*y9EY!tT<#rhA2&(CyKU%q5`-92}dL{xnKxqJH3!lfO(_ENBZ zYO~h<)PdZ9YKd~&B+)Q75b+1uRRv?bfNdT8a+V`63fW7Jf*cRQ5C9cRFUQD5q9gRn zH7qg?O)0Z8;&0S{FvqO(i*X>r6O8e#PH?Kq(2ta?{oTV|U1f)9^Lk%TCLUFt#XFVe zCTFOy$Ij=s(FeW;@hlmf)BF)2vX+NDFE-_UsX_7<`T&u&AWwgc3mnxVXLGEaSQug~ zk#*H~?SU-w= zc4<4xCuAY%8cw*|Iwh{W?(zYV<%HjQ9f9ckl~H4k9XQCvm8NQ2f{0vcSZ=ppqOgWQg7v2!Vf{ 
z>w>J|Ax!G<#n^?@<}`h_T@|;NB7ZkzQD?JntUl+9<#?ghux~ z#)yh4jd^e(T6a0guDFU7zH}6q(;5PzWZ67hP z^h$V=i!8k5SqALK2BNVyY%fIwr4bKSX+y)dw6_S-$P+h zQj`;1;u*FAsq6tI)$tCV?yJhwm2LTgEiTi0mr^sUy7G1V}(1{86u^jifsqFTuo zXutK-c46Ucc3V(^_~yHjsL?*mZ{?Ux?!nJJJQtOI_}_MGg#M&lyj^fkDYIAb?`Mt| z-~>=bkRfa}Sc?(9#TIdbl7cb=|NZyW_g-}+VZeQ_5d!A$DTJ>%eA#{z*uoZCg|D~L ztxZGc@0akXmDvy%pWzN4PCot@sD|10mn??n9qoJPd8@PM;TOW7?9-Q}C5-Cvi1s7# z=UhcG#2qrxH%VANycN3QZ0c+@m-U6gup!%i$k4)c6kl=8M+~#ex2_C=`l0_7W@gYZ zk6Jw%9TGzEPb>f6?Ju;gm675*%uEW%2nA>PdKE}vcK$2&!*k2~w+T=@#WCLYi#B1&6+UVZy(V1hLQwgN$V4Jnvv;KLImH31Js315b zJc2U1-H`wT6z2`Ppfp2DLbtRfHu|MzCjhPc$~vfz-|5`T>As`G6gZV&GO z&lBN#2K(pOrZvdhAASu1OjJxVY&3Wv@CUNm01}%sO`oQ+J1zrr{*!G;0~^xPPge=N z7gl26sSuYRN!~zv_qg>yU{)m>jb^?N2Kpr{HXS&^D1la=!M5k=xKr5L4GMzl-$7=K z{+O-zkqR9-4f*vTe;j;@E+AttBK)mT3Aw~FOp*=@#P~!_urlP>wdjmAvAvD1J!c8& z(Nq0Ez35{+4{bX}sl0%rK!FB?!~Y5vW{OHrBJ)Nz3|*4Im9%IR!X7Q*A?8FjthXQy zV*lUy?TC`h)cd%PhMb4=`dEz)yDTK$D`q*vg2Nk|V55{D$$+@Z(x`}+41(3dTRwgGyJim^?Vw4HiA=u;q2QpZ6O}ekoV*|v-$1JQ4Qe+ zBWe6+ZUdz)lH!{o$U#mFag1hW2(YG7N&euDj;%Ma@J{03&QEibd`F9!r}JOpi^ zfDlO_6ug4#De(r}zHrf{m)kGKr(UUe193bXmEDa|8ftww>@P3LVbQP+D=R98B`4L& zD=jrxw_p$gshVGl$SBmBw(if6P>E@z`XG$#Z**27k{RA7fJhiqq9*ejDXt_6CN8ox z>r0J(6r6YP$%>-Q0KG-SwdK!-yqzYUfb^?RB9H8bI6w&$A(`NH5~D-z zV_El>2L$-lGfjNos#WU4+w|_fZ_L~xkwqW(eXNqPQsH^`;&z*Am89O%3+4RV@z{7F}<$;B@9eE!a4-(Pqv@q5uO9Q{cBN|44KRF}UlTGsWG}aDJF93ZJa0AHmf21( zfR|a){9Eb$FRb&N=G3<=dTsk*0Sj_@u4;Rk5Hl<=(r+CtW2uy@a-`3%{ z2zml4cAo|CROG>f3v;7ri^}hl#?>*;WAos@5=!pGr70w$Ge>MvkBXq{OCo^>L+A5i zo4y0L`Y6k-Fku?H5w>IK8Xdx^Dj)CsB@+N7Ts#}rW-!ng%xEn6f;6;YF^<*H!j^lg zOSrKLon%?9eM6D4!c(&`L!cU~FdiywUjCs70BM81_2qB#BcgTnQo9h4{owh-&Pz=9 zk^508=K)_P4+3ug zQKJ{3kXz2Ze8wOM@b;xwEk1Z6euY-kdGB8sn~DEhx7bvkScF!;WpYT#9JUQxSs{~M zMAJI$_DZ$%$8x@|yE6fm`BJ56y2>$b#rbCn1R;4VkEK=P*e}`%hp5Zvqu%L<7M6Nk zs_(1pOP&!(WjrS{chjFBH{AINSOVX4I_m*$Lj6H6nDm`V(R($atZp#aZ2wFic83q0 zYh<^Eq~Inn|Fk*#NMb^r5`z;CpG5Me%aYrhd@@=aLx?)777yC;lbD|a`-;T|9Sko4 zp5H0g6{w_Vc@+-?C}j2{eHcV#cy<-4z4I^1+KJ-POG$DaF86sC!cC~CPsOIUyUj&~ 
z<7YwGt9fxN%BJJQ_S{d9Y88yxh@(isr>Lumqnf3tAf_sQ$&XYHj8d@*#LxP&3Yj56 z0lEb=qo-vPoI+W{cgUhh;lu4MvQ`!gpB+tuBTP%nK>>U=>e|*zrE}k9mTpJ|0zR2S zcP&|e$?|~aRn@>FeOmuC3ndfOLhEE9I#8J6MS|2zfnPJgp-T{da?-@sQ+K;PAodX@ zfgR+#<+yn_lGrr!r@gPQvX!&zedhucscJHPB9QeLa8|YMns~&LdJ4;eo+PWP81&Wn zk9>9Rp&H>khTnk-h0O?^F5I%Mz`nD@ z#w{rV3~@K$xI^KZAW6^z;f!ht4X4h93k*(s>dBA2qzwu}*+@V@6ca)jI+Zx~fFe6F zpS;jb3M$D%+5-WGI{rp4iyppqoAX%NBLt?%ln;#d196r-Al=Knr(` z;^#2YXiMR>p1Wn^V*8!QcTLM0G2`;$ ziaWW&gEbkV3O!ZhA0#5^{g#O88U%^{kCNEjV4}l!0&+>gIpO{&=|b5tKI*)_=e-cf zy+%nXE$fS> z@SUDQQgF{d!j%3}{v97x6(tcM6dt7oepoLKLw4#img4<>{;>`bh9jhOJwQmZP3*=N zfo{$SM1FD3Y^Hr5o7PeC78+1=gTtg82P%xA!KA$Ga!GB1B59BEGr;T@$^j+~>=dzq z0&Wfddj|sGx2TW11T?WthwT8xHwetilb-Oi=g3rmFP-v>1@-;G^uN6ZV6@)Rli~Yf z9||jlxFdyW?61~mrsK=VX&V%Gtzd1FD6M=A7>D~@0jMcmpjL-o0W*+l9=1RAnvS{0 zoRZS~__eck-Z!(lo#fk%Y>0gJr)K^MvATJX>;uzWfQ6sDTbdinHMZS1iCB3fNJ-%s z)PC%kuXGZd_%!9{IK=;-fQTeO0bx`EyUeT+YPlb0<}8ZqK>@3)p*sLV{OI83rNx0Y zZ!g&|mQ`4&Y)cU38UN`%Y zt9R13EJc?qqm=JXz(V5S$|>%dW9JwbM5TVW`%|{)G>Xce|A_}KKy-%;VoGX1Cldat zYwWpp$ttx&N4FB9oI~xfLUaJ5bnc<%(5bI$UFWvrUA9lj%dSY98G;$vl(V--6QM@$ zK+k0q0P$UOgs8?Q3n6O1mmFcxN}$n&r8HdQCgBbw5~sZt$%m|#e?}W^2?c3V``puU z{v3Ir9{g>e0-{;w_^dg~BB`8(xn_|={C6;q*%598G6Lokg5_)k9@BM~0H&KuvV%3O z2j;nq+v#3rjRynMU23l{0Z^W8s9I9-`Q#!u>f{q1SQ7cRf8e60#v1-cRt zz36KQ7+lnJ6^*U-Zv>T*+<=<*zbaK3VesF1ahx7Su-qS?JBna7=K-UI5gTzcBA^Lut5LBtNEYw$9VSRr z+Pm$Ck=eM=+w2$Z=J~GlYe&&iz$m*G8r(`hi+;eY(49lX2q=<96=+=0t4K@N*0kiq z{V)v)>vP=-+SBz#wlCQ;5(z`Ioe>;yhu$L%CDz4`sHqJh!?z{gW=Kg;nM9tqJ{@r_ zx6V{g_n5&e9*3ddac$M>cbU!i9jX6_ru+#(zH9-cFPvVU4#h(sKR@k^Now8k_}j?4 z4_^!0cboWfdHS8j!O`FS$FEJ1puf*R>I-KM94+^I4H8aBmgb{P_ub0ZW=6Yu*o(ea z8~_-WRflIs&EVz0z;h_ zDeXx}5eC#(w~9Nr2q1xBRf2VGWvd6RN&`N?D{h)#7AqSH#N14a4?N)0?D5)0`JMU>E7jV zN_k>|I`u-iVoG^1O<+O+?9-e}?u1=cd5AJF@YXe`kH`4xw9l=mOJ&c;j~MmvY#P0k z_K6)}ieS8_>;=|LCKCDu6&~M*YR`z8IolA^m5)wh-Ho;DLrtqG$MxJ*P*i%_nb@-uymkUv?AjRq!cmlv@{WY1-h=LmDp7N@eAja9R z2FdxU4*tyisVtujOJ!SJCt|i6+pu zdjO2m*|VArz)RlOXEpnCj(p(2Brlv8`G^t!OQ93yQ{$Pd6wPRyg>)6@Y|s=Td~J|l 
zJ$_;O!4>i>#<;jsACxkdR7;JV)%?E3)0yS6mr>K=tO3;;=xNsQfU%phKoiRQeUjly z&o!2t3BxQqM9$&*z>AuzwNhLKZSd9MdRJjob1uL;?Flcr)Urk>0d-4|z&=a?^>|l> zq~d6>iSmd-E>wiJ9%MSX^LH9zge;`gvx$r>nNERkf>1mY`oM6mM3ktboWqHaLJ7O`0z^*n>{^ za>Ro5rLOm$Jhp=FKbGGh5~adSOrDI(sPxzJO)jh?k`@QbxHZ@hnpU4+9B;W-V_vFMT^|LXr>mwT7+YU#tTmFSQy zf3eHinTmCCv_tu>WXDG5qJQ@7t#9FvD0$UF1=S5Koz~Lm7*b-|{a)bxgWZk6>joaI z#@%~YV=XW*YvEeypB!a;z$#dQ4p~G~FIXWgAQ?F~UBs@WZd=k$vY32XC*MeCpebz; zr~;HkjHCGv@Z<`Mt1#v-qG1xO_zOH8+EeC6n?@&l(wbLTSp+=*N|)!$TNT(YmeSiEse$k1!-y|4~(u2nonSB$ILdK~UyT zkdi8OU2O!N4PeaK>axUYoWH@f{dp%(+HF@cHTkPcd*VyGlf+@fw$~Lx23X=(eX^4St-JIv{_t z{^8MO(Z-9*M&JCsR0tH&I3{zybI*Qt7}iIuJN#t18E|cRq%b;qaI+B9c3ddVLMS%AO|0jN(qV^?C!7@_9fMNWNU#hR`pF2E> zj81mNal&40oS24a`%?g4EMITSvQ8EBRDb)JN0H2yh5O>~NVY)Z-#KyP{@>ekVHlN+ zz{n}F854M?pnYku8YEfTQ{knhV7d!~c;Rlz#+3qeUE~oBDE?zB0$~P4#{9USnEd1a z+KR6h%rSUqo0(OmqnONX z#g4?(M?jETYkIg8{%sPY0N^H$WqXo|c+Fq+KPtQT3|9sDR5EBJVIK7OID2!o`x2gv zMAO=UI~-Lx0gv16Gl!4BL#pGWZSL8!Xmg&GfwS$l{`U71s@5jdST8N753hU;Fjc!_ z?;3Yl-Ho-2W%&!>f5;>#;UKYr{UMW~T3|9BL@y5e%)1hRkED~j2`~JVdOIFM8Kq?O zI-(*-{*?a_m`Ip^u`$2Fr~WJ2R+vAu?sdjWpQoSzdnA{3DZ7@RE)Vi*VpgL$?=wTEQuoAP?zw^if~X0Q}6>4Nhnxl zjS`dvK6BC*ObySJ!R({`>qZ3;C#W7tGZI7}P#mfv{&6H#j9HD>HmY^ppD!dzdM?#I zYFKBN1B(#CJp>O0u4D87^47uTdUL23dQjLkRvLEZF8KTYif>zUUn^GUM^vuU*d6uR zV%j7_c>S>Pg1*Ej(#iRtkFuIA#txE+Y%VYQQ~yUNst)1Q(nsXqlpqV>{sH2ZyDFmb z(bt_e$bo{Ekijj4vw_FIIjv42D{hMie)G}9ZP$CUXY{r^E~>h9I8?kN^X`7D_t`ow zuJ~)5NTtzSg26R>-dgt@ooqZsny> z$*Z%Yy|9C%tOr_@Vci3B>FbwPc^U^+x_sY*x6KFQmlHSl-Jdx(j>ei77myz7zi3wK z^{ZcKxQizYxdbl26PH|>m22-id^($tWvWhqO*F3R2tBFv5v;*s_f2+0%Zm)q5FTOP z&O9eBzwI5xY~*2gz;HEK2rJ4ewp!>pc%U9aChmDUo$;nmop*3Rz&wY2tqR{?za0E2 zS<7EvF9nBe4-Fi*nY9v}T=UQ*Sdrne{m2VVY~sEMW(VhAOA_U(vFG_5O7{ z&20F$1}4k1y3Gnt4I1>1(@7OR2qQut=bghST(C6OK6Y&B5v@0Y)6?oH@BaZcJC(c;Bd$(k`pDe z?TTgJSIyGD^*@A!${fy4=4fz339<|6AM42^nFPyiu4wI+VaU!svuy0FjDmi!`RZ$z zohOHyRh6OUQ{32RnUDT@khi9MG zb<5ayU>$3&@_ORW^$(RXv)`7z@1LK`*bY9rv3uj=2k>|Co39PgFW9~yhW-x>5XiSP_1nugcsA3 
z8-pveW-dZr*VJm125jerrVv?A8Sv+!y+Yj7pY8Nc#aEc{G91~Dd4tuAZFlJWBHazb zS~wcBP#lo;*f7Sq7e08^!_LOUf2FF08|PCFzLu&L=Ogw*5p5yZIN&V44wY-X?I@nw zl=m7THVop^uT1!Y`m-a@7h*`mfPbhJ}Mnu`LdBYY+_&Z*$~7}&tx{=?cXh#=m8&tSca zU{`4STdR=dmeMGG@YfiuiqwvBBe@QcLuU*?lMbN1mzulLTW6e5@uou{csU4rRz4 zCw|a z>1yaty1G}Y^NF^sOWyF*9A+2xLn3%sMDWqGS!XN1p@d&Xw%pK@ZpT#zO%>lEQ6;{{k_~7gYGP z=`aXW7;2J#fY`hK5=WH@Tt5Z4l5RWB4)oY*5Y_C4VipzbP-DQ-&-z)qME;%eZ0a*D_TnpA{^ zGoXS8inGHYNP@blGVx%yf)A5zt$(!Gi!LA6U^*_uUH>Jr;oAC*0ZkndbVr2To4r`6( zPZOg)URIuTjyE$sm_bg=AFRTphe2$_8XQrhbIQMY(prND+av-dSr_lIAEGU|#8xnY z4Bg?+fM%TIR64j-*uUnc9eU#96mVu-Z?CB$$b4)$^f{ z9-8I~N7>fTUwuOf6dZXAMxB-+PT5nZwTMmekL>FKRd70~n-*|6FZ?S`U)Omdky5`% z4CeP<|Di~;FswSJf`ca5tUCKJifN4P>0uFZ(jP`C?v%3*RHr+2)jm5HWR|0u15IRGz#9>$8E;-cr z5s(U!7b-<2-4F~4zAK)z4hoaR0{r0Gw95(Lfo%SFlLeFB5AJ#QJ!>Ca9FC`;%2c{b zbVV8+yHh$CVn4&mIG%)8j#jeUk?TU&u~LRu1B+u|>v1HGoICh;Z#EbFX@8I`o59dA zW+EeqQr>_Zy@ek}!@$%Z+7w&EK*60C-9p$KP0CIf3i#q46;C}af`6#D-@fWG0EQs? z?~GOTEGjn0%b`tSH2!*dJ^w=px%jA74N5&1>}LtY*b5J2$egGZaV%#Tmt%Rtp1nB; zPuV1H)XX!2z-mq0jI0>d1FJ=sp&81PlA4YI*))0Pb}a+;53=DC<9}=c1JPh$3XE!s z&R~EsPf?mh+*@FJhluH;CJ|+DCtXYd;{yWmr`b5XzTp4J{R?g&pz-;i2Sxv+@6YUp zuH}LoaBUJs&B%xGzjL)683kGLlGmKgDQQwb1BDF$WJ>`eM(ynH*2r z&Sm*tCZs(R$v4myI)vjwLKb2Co6Oi?L?q4FiGk^c$35DRf5r(wgIaAoU+ojZRl~#N zlQ*;VWkUy;J%93!eevp579Yf9=W=U`Om|06>r5Q`9SMcJadkW^PQ182?yzTKnp`;;$Drc^B6Pd(~+LE008rhn6u9w*F! 
zfn>BneO|-I&QtO=vngF+;M94{R>{95tBbpvIz;YS8cX;9;;P04U{^4=kQ+lqtgu<1|AFHdB;JH4JwkLG@Vc>E#9hc`r(-8g~F z1u*LxCLGpt<~LSD-84yK??eoquP$lOl zJhmwi?s?8K%VF2cBc8$*HPW0Hb}5?I7If!lx&NCyM7s$SH)r2`Fb>Bc4<59sR@RQ1 zYq!_lgwqs%QmB#fC~+@vL2+`+xN#_?W$)JfPPZ*B_D04&(LBd4trZkKCq}rW3C%>e z{4IM&=L6lgx~lZ5VWkpIT<{B4OqRZUt>@gyLHS(cjbYA^W#w`+J;x2#FHD=)gF}Qg zI4WYPuy5JPyorX(hTMm$*K*A$oQKVYUt0cLN~70dwH3!f14AgB5h@M{C&h8Ba2Nxc zn4P}T7`3>yIDdLVY(GW&|9j#C7y4kxes~Y+$*ccYJy1{12iwzDa@m2~9O-~b!QRIe zV_RpuGae6mBgZ?Oqc5+|x^~nZ{<4*I;U0BZHC^pzBUU*b@QKhqHGK-@h^$6U88TZy zydL1N5$aMdyo+j0XWRJE4JO?H0n*hP7C-YFmpRdmrv4>l+id8sd?Oj^y{7{?L%J(hX z(PJy*_Pkycaaz>W@0p5Qy5*ZkIr1uBs1?<@Ib~Fpj({FjmG5f9MzG^wpVDkyZJruC zkrCOTG}@CpJA0-}Yi^L#R!4YtW}?6lgw9eg&70KB5VmB&e$gM4Ha!D%xF$X*$(#*- z3VZcm-&#F=OD^mnKj%QDS42B$ks8RT(R%9E3Ac>dAX4l5+V35ALajT@vxNDBdMoE4 z`}4Cw9;j|b{2~fE5J9kY4iW>y7}zgq0sr`}lyCqZdrNHytu$6j;ITQggR1lYyUl}v zbTMTOcR7yw(G@0aN2|1DHQkA{O$~PN0j7`n_|*w`6t-DSO@dS8*d5p5v51N$)n(r5 z$H!)Y@_RpW?f}5)4U6C^8*urZlRVNNwXEms)CR<(+RtNqqWRQ}13y~Htun7c$j&8e zXl1Pp3CEoPLT5acjGR+6x)|mnn_AQ_$wyS+NXkWMfiX}>K{XVN9`mlmUCuXrP%0`E z?i!Xtm=$~{PTFurj5PS?+3UsH4sy+goXf3+UtCM=tL#87<%C_uVDQNMLlNQ_AL0o= zp`MjW2s_MzNCK=zXo@iAe)!*fJ*~sb>eN`@^HC%#jf?QiDtq1N(0cQu>E+=s6q7Uh z?3S93Mt5|BF-5L&jh(;>q?`4Lg@8oGvz#t)RU#$?yJU~kiNLQTb6p({U)u;Zb8im| z_#*rDaqL{4)Y!N+lRL9%mPaPD2ana%OKDur%Fy!yJ8M{j<%_Abqx|gzSnz>G%lVE=t;(G}}52!EX z;rLw4%!ouTqJxoygLjjQW#k7w9OCzEaJ~Tw(&a_wCn;!x3wIZnRH3sbw2C4?ty+cX z)=rJ^ZHH)&$tN0}<*lAy3Vbb}9w+8^4t9sz!OmPA0Kcp6{Ejb$Jxp=rmsTQ|k1V&C zD7K691R!$m+cEX~?U#`^Klmj5_Acy$-|LjJ3g-q}Dy9*<#^%Y?B3d$trV=T30Ca<( zKs6e2@}))L@)$(&C2Aa0oG=u;DVkO=zo9}ul?gpq2&z>u=+^&bKV_>ViO;H%IueQt4RGvTv9?=^Tg0?j^heH?G}P_) zqGDVf(&#v3gqcqm#r2IuK}n(?j>=a$3>Ig8N}E-P6}=hRBNpB*>{ zgx#xrVK_gAOlUeIz}_K$DSBf+po1v-Ayy-~#iMM6>!!WEmb;Bhmx;JKGJFTZpX^ec z2A!qR859Txor9F<{y6b*jd2RwSVLhGYzl27lT5GxSnIw2fUi#k8AWUU7m1{DvgpXG zEpj$YQrMS`{%gyMp7O_Vt%Z={+juZT6RX(V{2H~-(aiJ}Z?#S6kUV*0(j7}G1nUq8 zWS=N|@joa>7h8t-;(QNe?Jwa_q+u;)L41*Yqh{aPiWr$%d{~^b0&}a>w+f@wpMOyt 
z?k{^l8zqtzYSpJ#o8!P0+}5{1;zFJZ|57Vd;oKDk&!H9fJF%m2(_|$~YzIwJ9 z(E95G)fe=hCe6TQlH}hnL-iU=oz+#>i!Q5c9Um^_qsngv z64-F(NJ*y&Ik6qJ;MUpI_&h-^dMj;|_1&C_l-DIeRf;E|nQ7(EQXF?_lqcq2Q})x? z1MRGtqM-a`DKL3SJoaHklivXYQ1-HWDMKv&RsSL>Wf^8DO|M&_4>%G^ z(MqH;lYc3B?wA zzX|ozYuWl!@@>y?Ec&1-a-dK)E#vAN?9~Csc6a3@lZaD!K1Oz>1DNE8P*0wlnEL>@ zxz!t7$gvVvu>Iq}9#LNOs0Ix>V7FNL5Sa~`N+MY`7D@PmuV zccV)eBU@qwHgn^5%RK5Ra4fB#D_hwxXH6>1niZIkT*e8|NAHpA!i%NH1uyYgwE~id zezZKEc`myI~4AIbMRQ;@jKymH5XC@z9gS8;ZA0Y|0TJbRbFU{b=h zZ~~L^KcbbNn(J2kv2DI!=Qvj^BJ|wE-||8ghM$rK{)->$tf}~9QBe~b{zu&w=UMlg znVyWra#E3TXt^4bF9H zULG2oz>Jy$w0c`scR=t%=Tcvd+M|t)<=BGNELNAq3C8bo9<3!HMq)+L?oqWT;fplx z4rpIf7WjA3{R5D_kl(FNLCZS|8~{CG<1z24AEZu?ZoEJK#yg~!4~okO@r9GRW0YLv z5{|vr3MMjX{JuP-@j01v(Wz_z)v__w5vpd;L>s7#UfLl%Y=I zL=~)ym~(hcIiFXPcN|m_V{y2$4*f zc>lxQu)Y7Pl)C*w*@f)0Lq(^DS9_P=;w9f*E7QJfSpz5hZ^-Tb7Uc7Y`korjFtHF{ zwmKNYj8_K|$te$6VU8O~X~^eVy3a;A%0xv2RgfZ_>0#gwGxOk4D+Q3$8&V|wj*0-{ zqodi}Ulp}yS?<#~mGD~O!Z3C7Y_vZ*eGnKzy3{4>zZcLToZD0Rot$1rM`xn;D^-RIIjOy|_lFLs_>S$qu^pi2w0>6NCm;}hH3M>E`|Q3rY1xM^;EFWKM}jIO+W@;_L)0gX=Aoj zpcm6N|La%X)E)WW&)dIYHIspx+nc_E)%QhDPok)Ef2@OSbxJedG>ei85U3M3S4x!c zs}x5uD|&b^KnoEWjyTU`UiC(Z*6;qAEU=-Q89yZ2=~gFsomu8<0dm01gxx&&ll#*@ff zNUTZktO7>TN);7n=DoRp!}tDnr_TZ^-&j!DHvW}Z0q(W$weB^7}GjSwIoe| zzMSXNt9%FgvR1e=@apL5`X@3@Y0cFH5<6`Lx{Sw?WBI>HH#1M(k_R7~$!mL1_{Y`j zwRE{A2T8WnQO@O+&ODDlL%aV*=EVdSTY+J|mRzvCs*xV3V$pJa-yu++xiB!Yj(HnK zD|Y+f3TX$ z1RdtglHoI=-b%8qQe`19Y(rY&!fu1xpB!r`dz3Gv^Fi1^o1O-;jZ#SSJY^^sobq{z z(W#FmRq+SL2rwyFFD{Oi9(_P3WkGmI&s}TsX)yuu8i&87%ZUy!VpUHO`Uwp((18#! 
z99~B^RjigzM3KN$Ska!HJ7SzvBz-0>7B4SYABm+jD@>7$8A219On&c^6yGc*e<2;V zil9OGjyiPqXBt zv))%Cj=M}m&pF{Fl6KhfhM?c$g~UBRlNn8u>@@_|Y3(NI4i#S{@Ry;vg!hz1*S_xl zaJAQVO(kX{<+73V4`G`Bc=1~C(DRFdZHu2vz-ObTNMms(Q{+DNcWp@Sxn9e_^AFe~ zqpf?RZp#&itzWI$Gh(xi)uf%!3dz4+@;kVNpAHi}5jakt8GdmfwpTvxR$p3Q@g-GR z+`@MZ^KGeQrm|uB;C6}0?&;-ji)qfxwR$}3Iv;XQl!X^0?Q4Qvzz#&sNxBc+dgt6y zl-3+&-rJ;Y-<$2bDSi*pNPY?BDRDG6U9EA%wPG0bIaxC64U?cYRJ~svLUshVnI~VO zl=x`#h1S?B+)PdVC(y^wl6N{KRVn0F!I8;Y=K^P1+C2(3$h4-{vLG!pip zMoG`7eWZ_nq5ueEmpI71FS1R}F-9KEj_u}mx#BTTeH%j^VS?kmw>j^{0nis&wc0Mm3$em@vHQb3OQra>&- zN-}Wsk_0>97+N+ZYx~4oav2LLb>QagxUAnftp|*}0tt8mZ~s#S>VQ0~11l9s8O> zX#~NxDNnrjQ??R}Q8tB>JQBu?dYxlk++ER*cV=0c`POe{&1e-4TDj(`;$qw%SGv_V z#&OB$SA*MpgfwSRQ#=A}lNb=WBH;x-E+XxZr*#JKl1Hj^kke6n9|Gev&nFq@K1{(m z7k0TC_H)|V;)E(QO*}L<5X5$rIDLM~SwPCeE~>5YdjG`gt&gF)rG5Kje{;8*=+$dm zM#u_ot-QkD-(gKhu%^dT&0`vg#IKTVvBP26=uyR?Pq|sCbnYSgFie-v!r`gaYfv+UYP>NQQ&OIo~-+BFAN z(8JsnijSY%in*|wt_~NxraQJc0k zSad;c&XNseDM#-*>#B1wpF0oO^Bza&If z)3-UqbL7x~V*_y#{DWqMNH)}WaufZ$Xh{0ctEd^u#Z=hBTSdV(4L0EFe74fiUu|2L z9t|dIk{py)1PI_Y@N|2G;MM6z6I`V-dBY+LHqE=@D;DbVHx8vHgw$2wYvL!j9=GwI zq1(^{0J~>}8`P6{Mw|>Cpa$&^IK5L)Dh}+&NPmqj5{9CfCZo9#t_#ojxe7IS?8->q z5q+~he6=)hlT;``_V)HX;_-2KZ?xj2prt*33Xh}l6RB0w31WX5PJ_7F10QzVW~`** zJ^&DzmcWaFDQyXd{bUhe6rsr&N_u7>KK7?~Fe4TmGNy7z#0npFm36CIk3st?3Pv+$ zlfvFYEFMouO$0K|DD4h&u@*%i)GJ^Hx_hKZXpV$Tk~b0}LN4}4fw4_kr9w8j{s103 zezg{WXu+(bX$2mA=J0|e?^APBXKxCqS`n_3R_*q?-MiS@wb9=y{LIK_j&ZZ0W^Mc3 zjU5`Tctu@D9OMi|9{IM;hZK$$mkU{KLL-KyKPV#Ig*7ssla6vSSD`F$PmxW7J3y)? 
zG0bueGCEv@Ie3V;^nJd=8xs2^9?c{g5pBlGuu!<(-&F>3)*Xqa@B{Y2GG6)+vMBJ$ zJ&bJ>Y7C1U8NEW4;K4FiPV$QA8?E92*0VO&Ji^wWwRS&Q8@{xv*|rGRF;V)N;SN(k zQYY%d40sq?I-7DBveI+~W9mUMqxLnoagzI%AtaNAbv*7;vL!2!||$buAFl zPq7q41V}VzJ^_OIP!I%U`DO{F0b%{e_Tr2nB}EQZ2CPtreR5L7_6f(Y$vpmMVqU83 z48NHw2ohVYhl7E$saCKaVF`c4SGXKFqQuQfvV<^FnN3ctnqop}&M3$*mfb$;T3uem zMzUSQio9ZGtd0k3Aq>56J&a%(Gg$cND!noOkB*Y8k^*_2K>A0P+59nN= z$sN*!D3%cbUpQHzZW=is-KCu(y%9mTL`l+tlpm{(6Clh*5?#y;A*v03BuC`ch8ce< z7IIPk=3C8BnG#gyliI7K3qgy-uD%3WbMNPT&vxIBt<^rz!bY9;)W#qLtcxr=wnR!` z=ZhkkLD(x`VF7Jp%$SSGo0>w6=uMWbb}~UhmNIIJ<|wnwN*L-eh-at+$|V-KM;24R zkF?+?byd>`ejghc6fJ@wM}al4B*2u>9{03Z0WOA3TPpAc39URti%#z6HIfbxEi!PT z#mpWe106F){O7JD)1bjYhX`Y&h5!pf$R>DizZBTxMkAStegzpCYd1H3q@y6JD`^J$ zWm-MX(ZaW$eNdTAy#J>Fb&#XsrQx`XnIS{A$zW66z)c-|KPZ*e!i&D9dgONS9H1NOU7d>%?5_pN;Em zY@pKsE@Qs8wXvPO9x)ZsZ{;;3z71}nQc)?Uo}%noIPqd;t{&LItZ;xN+(Zeh__(Z5 z`iL%nm>sUpdM@Y>$m9(_qQXJy#6fG4jY9hp)Np@zNDhafY3}#D4GtZyk|GoaByS>W z9YA9b8);>Dc`)4$wt+o3r}irW5`=wo6VoQB^`y`DfWr*-PMDeBTX5}Fz7|r=?ZVKx zD15B(jztM#B2rh4frc!BidQUQf%4Ep#mm-A?Jvv{^!SWUr4y%;a}8JQflArYk)jw^ zXo$*{fhH>MQ5_iNm;sGv(wS&wor(8YP+$!1I^iG%nrgN^8ELQ1a9KiJ2eSmcYWak@ zshm{bKLQ2lgO97INJZ1ng>k1NjS5*xiIVIl;US>Aick+x8!-9D`KWh_&)m{O>~V)< zOhxNKibn0>{ub@H$uDF>tNT`=DDG1H?GY8a7ft6#G&B3=Ty>gss3(VQkfkYPl|v$^ zX1|Ko+_%P|Re&#Y+7{(v&9;-_LPhNKW}~ozFV19=#BVrH_ifc_XQWzw$z z+w+}XbL-~=HK;aVeCqX{jJ~4w3?&|YrylZ+pUXRhJ`_EdAm6XVr31?l)s4R5zNW@6 zvn`^x4WEyvSY<`W_=IkF$M?DN$0YTN01+%d+5>Vw`Wo_o6dkmdVI|)PyjiyiY95*f z8*n&r#)f3VUNxw$Z<|l$l3qssc42+|#UBH$bjzJ)0$d_Q+)(Ra%tzu$q+Q^1wJry+ zMaoG)bhb?TX(FH92S=EOE#e+YG!$BxWKLj;Hzy|(bnseHy;e1*1E>53pcqYoNI$tQ zsKU?30^pQMddG&hWbUa%lM$cvVqoUCe$g_mUt6mlxSUxjazdh3eQ&k`Bna%tSrJ|# zB2&PLi@!vMKAE7ypgsZWkWWPEDa9RmrZC023-w7I<3!kcixy^eIw-ocHd@~eE^4rn zvxVNQC*$ok4b&;j$ZM@<%U2Y}t2)hVqu0gyb0B!7Dxv9`HGmfNDrL(TrG(qvY?V#7 z)oLx>GX(zBb(LjIQc@{fUVYF>pgqsTaD(Pe2E^&th*jD>PuA(mtjGy}m{s9zs;=w8 zaQ5MDUWeHril}pOmBE|QM7YW~EWCt7zeqICY%JN{|K3UDEnln4-}dIuf$z|p(s`mh zsbGsacw%gGP%Ev?^v=q98V%8JygZCuBHElA=be|dIUKV|wBZxC#Teh*d0FfiS 
zavA#>YsF0IWR)#PCEIYz_9dF_{7${zX!4RFeoZpASCc%kJg)$+8^g{mUq21=$7}J- zFump%zL)w?a=V{U{usUbXYAJudF5=w195iPy&M((^p~7vLq1{L>jDh3rQAzZiH zsT{L~!OJ@Z6X?4hosV71qNq;;nZGZcR^Bt)0ir2mkp!Ho={KGy_KA2=&rI{U;MX#rd6nwIcjkQBgaY}8${D%Erne$L!VSE6M~rS4GWe%(`Ngd*@8~ zU2-^3IL}xL`rC5Q-x_+jFn>6hOKxAB(Qo|N_kO|AWI>|_tQqR9z_|)dolZRjt|iI- z@@xNa*Nef!zMS!#ZKzgQCp%jsaoccqJmsKayf{hy=}p#iL32n7yCJO(3f@bxH9Y;f zN11i1MuMf`jJj4x<6Ku~=QL|;W=FX-Ij{UyW1QSjPJO~~YWT7;E=Ip_^0H~=_yuB& z;QJaCr=zWk08DawJnWVd^jIjkG2I>~<;5S+YIqC$4tgU@#Lr;#V_Grc5p>~@(F2dq zF^MG78n_wpM%RoNA7&-J3cK2Z^XXh;5x zR0dWy*Fe~9uG&l$97DHT@;ZUQP}NUSnN?JkmCyUx)}Wfsfz&sYQS&oc2M=LS zaQpBWB%fs1JpM=O6*U=`Ck$+P!ebJYdOSTT7K9&pIrleZiSS8_$07nZx1beOxt%RC za9gK>XvqR}y_lJWI#HJ*TlCdtFx$#l$_g9Z=x%%l%GFExv4Ch@kAfQtSnf^apIzgd zy=AZ%+bX)Dt?D;IFQJd`8(^zHOB5v}vfn?w=vCjm{uX6;anCu_f5FO9fHTuD)Y9=p zqJlDM$c%G`G5-;iz4gm6UB%e(_)KEo!56xR!~46=&)2{jC_O4go08G0pS7W_s2>f9 z067WaCGne##axqtBp(M#!ScrvIhj)n!o$G6xx@HF9I&OaG@(Ly+K{zscJu8 z^!P$G!weSjgfv&vxr9ns&JdJy>!LtESC=5<)g0JPxHM<0ZmWVh49-F~ zKN*<)qz(dvLnY2SZsJui9dT0l ziKLu}5;zUo?^F}0n++cJNFB*?0zgm#$tdz6iK{aZg}-v$eW|3N0mB|!A)l|EL6E31 zQ2}+?@=-mkQh6Bb-2Ud3;k0tgO@$yz^&YEbU>PUaM=_Zq$fnH&9zZs!jD8IwiVeKv zXutbs_*b-A@q&W-1u2NUz?qh8V&T4s$O)6mvwNUA6>u+>65Tt>P=>jO!-kvffGg+) z4QU5}nc<&WMB5bs)GpdNDq!6hCRJ%SNfuMN*9*S3R^W6wcF#BjbUd)k0ZQ8Sl0ys_ ztSLha^4t&|$1V(sW|FFSCY(cOrY1W!R*z1jdPHT4f@CJ96TQ)~a78d-y%07r3?;jx zhR~7(0S)1EfgeE|$k53LQGYYCRm(EGs%hUoErxmCCB|`8*8DR@oDXMAuAHY+1 z3+MjB3^CKR#Avg9V@187F#|dh=2BC&fSM7Qmo-L(ZoAH-hK|jOiej*;Cz@{PHtp-t z(L=<-XPsq#gp`ii9Izd?tph^9q~)T8TyO|*6`4~-O~$44zp0m;@*Z2beG z7dpMwg-voUi>CtyVT9$zqL>ZXU9A>D$c%c(B1ifm#%If+v3jbMTnU0Ifp zd+*XiQ2;dw{IxP46gg4MoB4C>#kWleUi>Vqklao-W9RN>+mpWvsNF~23Uz~L9|LW| z^KnpzBr5=HieB z9&KhU2I$EVI<~dvR>KAGTu4Hp2SmC*scq z>cxfIs_U+^5fJyz5gUkxz9t*9cn(aUoAe&=rZ@W0>0o>!h>n7hcO3;qJz<4v88v*K zxPxJXZ=v5_BU~k#9@MKi$F?bCw~#k1y?&28Q?QZUv!)URK}Q-0>twk5Vg(O8eM=TJc*H53oQIPyk2@4<6A>m z**j*WC72zXDCmL#h|4Go6Zfb^Mc1IQ_xXg95o!kmtQAiIyZztYAFn-1DW;|5I^u46kp; 
z^C$x{7{^@8?lB~u>Q~QS9671K#mr0rChc%62}fip-yx2IO+(~GGbp6+M?S^U8F5Yh z9$~rZ1?3Ss{jCMS!IMp+r-NEkC_Do<%xVX8cgQ=q?Uqdai_Wib@vD*|YY+hmHqx8G z&Q2E=;5gPmlkO(ZA9YHA)ln5jQckI3y`4hyH%@E#VhXxdPlsA|AsPXC!l5ujWZ+pS z`#{PoCG5gk_g4foUniRY<(`&&P? zLbKpr$ebHkv3UJw^^WhqzGUOvxq(v%sxOd-(-256y6hvT(VAI&1q2G7G>szJv-+*L zcMyX;HKgR)V?;swxQVN#<>bp8>hghx?qg=4V#p|x!q5^X2jS3e=+MUs;j%=hDi~$+ zC|S_WL4w0##NGoy9RzAK-t=7ybT-zJe<=N6or!<`E0q7jNeby#z58!$qe7LSM~p{? z_f%BF^aKdd>;h;A(@k+cy_5V?z7!qD99i&Q#Yf2u7`y{ksN+OUjnMW|WARJC0UI2` zh!HlncLBS2*-u90Ph6A5JyqRb<&kl$Tx23EQshsKwW`c|o|6;`wBFDBaqqoq=}}0JlG41sl98f1x@E{oF&02S2GXq)<9HV# zA~(yeW9;?VM+LuFL1=!DguTFH2rC8s=*-G-szE|oW^&k|8~osL#t&o?=50jqiH~VI zE*D?6et3rx)D#5;p3!PSwq8sVtBfu(GNmUF34%nE=#koFeg3ft+T?t{62j%_iuAefAV&5334 zi@(M5d0esj40r_nbYWAV)v++F&{oAU5;=N>u)0yw<_VX-G3Z3g?DT7e{3XemJb6Y) z$dCIy=^m_zZJR9Rb>WMQuyIpk;CWpz@t!W#ib;D%@1ZBid_$UWeaZEfjq_!O=cw$I zaj~Gt0C5ZP%>Hl^wn?7I{uDH4v-akrUQhgM_jgrj+;1_Mc+BVF%HNiZlK3yXxH8HN zvO4IUfTUWZC(2COv2k~fJXZ1PoQ#Huv~z0i)nMP;etdz>O79mA z#o1&WHJ0uGF)Wc{vmzP()ir%Z(AqZmgy_}sN^1BW220tXdNX7U>fXyzC}ck%N~2h-Q!8Xf`PcvwatrkO#-Ur54m<$SzS*O`RxNb2DdoLLMXXr*h7w9A1yE z^oHZ2+J(zQV4YaHYm(?iO;&c1Qx4oPZO1S10peK@ zgWjfIdwCb?xLK9`h@6$OF^P(EM+;r4QZqcf-P~CD?X7vq$&F#7#hluvM=}MpsK>wh zsbo{_bn};t9ml;1pI*5yM8bi|AZU@9>dObyh48v%HED(yAewrtdW_z<8Q1($w#Ixa zN6uMC2X9&d*y(tUkJ(IoQg@$g2A+DS=3r-I`O79zW zb&XDIQ;qX*UY^}+xPoXDkE$0Em>kw;IseL5U^2}GaXoEH8@82y<5^T#1x^)_-r#0U zmS30vHDug1{Lc7Bb=>!vA6}N$?%5F1mE%%HHY?L}VAwP(#nQWDC@Q2Qjtk8V+;qQA zIodx)*vVRVBD})0R9|`~e?f_>>0HkB)~~ep>>bw?S}^dDQJP^xg>Po3cCS;$BEPqz zTG3ikYS}2fG{EJQ?{Z!f_V~U^v)>D5aQ}Pl(Z=8fQ^pI17v zc{W+TNP)z-e1>`2MS#H2G1OD0rCCD;Qq&m&z@(>~5D&uQBUXCM=-FJfd6a?)7;syO zjQ*CDpvni8d#JhAu;~%2v?y6K3UUxcyB^R`;d^&`?c%CsAmolQI-Em~;mmzx8`_F2 z1eVJ$X}xI2?shL<8wOm7pMy>hlF(MWGVSbE31LcldhZCV>gipWX2%Y3ZYiB6c4kY>5MEW%4?8fjOAE# zFF}Bo&kPY^;~=dFFLVdPN|i;~wYR8LU2c#PwJ*SjSI$qR!exN4?zd9%I+yXX{};5N z`u1|EwouNYg0C7|T5=`pQo7}8k4N`i*Lm~X{aan;MitrJ=msrNS{F*`YPoJV+T(sh 
zu}hi)^tX$73DR^{Hq%=8Yby-q$mXR$no#3?IC7}J=f)bmIdW>L)JEU~qFO^2D%bVjBWDkm7s_ zr2X#us<&QqoB3W&_Ll(%0NOKEJNzXz=mL=QTLQAVa` zld^f)By?sT_*s}_Dak!AC1EN(BO1|=#7yK-7>1FpD>Y$-qqrV;_Og7bqsEV{w;sBHLm2P1>JF;H#`%np0 zM~8=FBZZgH$2Q8|^o&zBFXM#HocTNmLq8({OXNNWeQ>gbMkMlBl)Isj-nltwn+-Eg z*^G=6%4?84v_ah=XxrCWhG9$w3!PpU2+sHXQS90#kpQ1lm;c+2)NKu6C?MQu2kf|) zovI`Z^}VH+_EfF7D(P4Zt2N6ntI``V9Hd`*QVp_=#GlYL8-;Ls<{+DwIY4KQ!XQmV z#E9UYPr{gSk_J8{MU?vmi?b}Xl(xu*nS*Rb<^bh22qDJOZ<032LsJjmRNpdHWI{#Z zH7etH1J$UGwjMTJwG9$gp{f#ZD8$kD5V=J+Jq8(QyIyK)O{f`<~MtPdAOxhXZWR=Po5S9=v=$An}` z>>Fh|LrCVuzR{VxkR^ct6ZBS!3H5@2#5|9p!b>2&WEPTP>^qwg`$l;ULSkYuc{mu~ zC%Nf7L1$%My=(chp<8twZM`m`jv^p>-Yjo_f2(#fK(|6UE{zz3evN``yAc%P5c1J* zU7>1o$H&9o^zBX5?ubd+l)yR4bcUqOyC-C0KNrxgfZKu$U?P%b+Dx>~R(Sid;8`*q2$xhavlHM#vuJHOM%|az>Fllou|_^!Ic@lvU5)dcWN% ztl586xvEnq>_` zG=x~6Nhbn#kWYX=rs@RFi|Pc1%HE$TSLI37SL!*`-F&aObGwuOlJtktkykN_Ww4cgg&z+V)*jS#*V|&jqA0 zqrY^B`;FR6Rf@fGLiaC->`q7@;7n)8?yOclR`&l!*~Ol@iwhG70+KLDQbH5?FNIqJ z*jh}Dn8m;ihO#?7ae?z1WOqu1G}Af zM`?B8(kt}^QJ6S@#1)?LcoewdP;#edJ8<5GR7$FAzas){m=zITG)*F)VdbGnuJfUK zEEyowou^9m713w={sxpf+2;_vhWMnaV(KhE{B~5k4G~~$4e#W{i1<#=0yi4U&-APZ&TE&S*OqI;IX>0Z4g_eW z#712hRTVaB@u<$av|K^GTfKe%2{9z7OR?c}({+@5mS1UCtG<9q54Hk>^i0lnDAqaB zgUwvToF`e55YO}FzF7nr$-^`yMdpQGMAI;EE!HO%)r-oT!Xvkf`8PTBERtnGqlvxYIdc6@X>gh6@Q?&9MyGEF!9uB+NObjv?mjK$ciWy! 
z+ClFty+G?TKpzfj3MQcr#K3D6d^sUt13g=lEy)=jcQRA(@^s@Mhf@ zz-JC+qm`{(FN z4AL|`i0{q11Axz*^UU+Zh>=1BJ_$vZ66&TANiykMxkZ>4=KCjsHw>kFGeYSo@3Ji` zh=|e|_W*FygE0eWLwBbaUCCVTd=Y&&Ou6-Gur(wro1K&}R=;SHg3-3|$gv;u7kt|B zTQK^ppdQD8LxM(m$enaBsoc$n>$!5?>)J{n?CQu+ecizNb!pkItV^?lYw7JU@&ON^ z;Dc*0c=$^v->Y4}gPh}E?aOP74LMNpT(~}O~yrhGT{rnoQ5cDR8 zGMilmXZgyYK3EI)CzQbzIV1&vzJ`R-!t;gPHL_58#YHSg8YY}TE!ZqoeL&2~GjEuJ z@MfeSP+p71pHZ#}*LZ|^T=jlxTd`4HTxP%S6&oa}X*KUN+^1I8H9pW6>8^Ckciw#d zu+;EH)vz2;`G`Sy)v8VmLgQ@cTBvU|P~2_ZSE5t?IF!g~@8U86P%x$aDk3hI=Xh7H zj)dpZXO~WY)%Ty1K32(gs(w%VJZnMWnz?+xU|S%!*cT(#R%UEXx*D{4Yb~&?U7KNH z)Y%BAk2ieDAC}6h$w^0NX{Trgztu7KrOwbp@yY(zSX16sSe3)7yIDPxGGK6)K`qmS zi!?aX8OCWwO6h~0{e0upCGzDFMQ$&3L*NCHbwM#pggrC&izv+fj3jXeMdN4;9Ssta z`YB~l3ph%Qc<8_zCbPU5$t;xDVu>)epEmM*atVf^C`$HGZFBXdv-t7m_R={vQ%B7t z5u1fgbMsu4-Nss1P~)M!7j|-$$8?wa7kvD2>!Yd^EB$Y8K8`EoC4jWmL+N^tK;X_o zu2R2_3kbdm+C|^L@wn1HzC;Hr-FuHrP(uSxZ>B@PtyjfnV%WZJX-`3@Zm0PG5 z*nj0MXsezE4ALK}GACT3+&JJ{Jkyl|rRot7ONzXcaZCE~__5&%IG8QHghP>b)|!Z_ zhO%SY>4!Hmu)2pY>sP9WkOt=PbY0+e&{;#8x6MX@zPjiBqpYDEu=9~ZXy zO$*H&KCg?#wFSoEse<5qRT6-Aus468aLum8c$e!idA*;TTIt^z9|f4I(| zz6?5BVdfNj0|5=O&)>!#c3Qc!#k-FtIfmbIVwOQQQtHH33!!&A# z@`p-kf)I8Pz+$uK+TK0ros}?gp#w4K6x!e6_ckv*#qSSe4a~qocPk%0L*8f$w*fc0 z>=z%P5L(|M(bkE$H8(W8J@0vKugIMZrD^M7_gyI$RXMf0JiHw(2q9fHPB!r}RtuPx z%z+l}uAse2KfBc#Pr*7G&U$(9eh;^4nqPK~Fatq1Xcvz96c^M~<3cm`lc<{Np!k27 zPl3IGf^oqzMv0OvB~&s+Y9Sg@NLq`MS4}!SzCO=Qa;v`UJ3M&xkjI7u z)I(KUwEL~?kL_laFw=ghYxQNm(c}B{f8uT$&igkX-hNp;eY0YHZ~7dWjflMM?z9VJ zrd#N@^bC~P*<`1c7=7(iN{kAHl{kx<{umVhW2Zmj4-SJ>1T70vH!ys(sI`%hSCZt7 zHVV=-g+Ub4y6cnPvIx=}DjVc8O|6RPEG97$e1HD!)#8ilVdfQ7E4|l;+v~3TieT}Q zdU#Z51{UMUZRpB*Dru_nlBB7C2|Un`jkTNzZ8A!lH)-8W7oTK4xh;zzx1q9OFkq5? 
zc>T>pGj99}m$1K)UHYs>yxtfot`>F{l<7)yl(DlN2iNNR;-~lCQ8Fg-;7BpU9J}of z*qX5QyLP)*i?>6gLNg5L(4Y5De|Ezqp*oK^%KAVCUcByhcJzi`QTxWsb-=Xq?`&Mi zlAU(FTD8VD8(NY>!wJ~q`l-4<^qas#MX1OOt%@W0p)0p(!G+3F(kRLZO%x|hRac~; z8I@U9R&^kQmH8yUEP~{R%7(S-+zFGo#4wTFo2~Ko&?XZAw=h`N_?NDNVxzVu?yx?Y z`FTIF*yIL$IaMu-YR8MOoF%*{MNw)Sz0ezQkv61m>x@)+A&R=>JgcYqpqbAO%Ocoe zsB9Q2nB*`5!OL_a(7~?od6;wjPIU_yx(B2@eM}2*E{81FE8BAGvogSdM?^!YTy2%nkpXq~>|df)B))xE!~+B_pfF7BAVzat_Tb0bcVeqob_OE(q* zLI$1IGh&SUp&rE!A~_r(?&2~s1NL-HsbY&^hf~6uMl_|SwT7B*$Ob{VtQ8js0auGOfd|Fo)LF+!E|io1t{&m6xBkH41JQaevI&L{Ji&N4Ri=D((Ls1Jccv0vhDrj!WDw zR$v_I9m2PxY{Fc2-`9uAE$ywF@w}knD+s(p;Ol2gzycmU>meW4b~ccAdoaO3_-4O^ zb_~iz)zV~^^H~aXU`WVu;4ZT`^VMdllJeSSHL z^;=l)+>_Z&&rd3vxyvSTFj~Xj&Nl=n;ofggA1?1FzNbl3;c}W*7S~MzUAa_w%FUp_ zifgN~Xj1LMYqf7wofNWYDiNS>Wzbdt*`Vp1}(B}`*iq;wK#-j%$px;7-{^h2K(}mzxXf^ z<~}a@7MqoX-`FI&E@wPsalItam9_Jsy^ty)g-R=JSd=Z{O16a6jEY)7>-7M-e6B$j z!8Jf-!{|D@nFK2F>3Hm)L(0vX*vSpre6`lJ{s82;pag5<>Mh*9^nCH@#OT0I9aIS;VmZPhQs?%r=pC*!)btIjq6~6 zu3RK}K`W6$=U)YrN=j4VK&rG&+El2toSrd}XMXNGi^zSWvY#iz8$V62ioh04aGUDC zh2F1Vo6}!Elmd+wDztrbvBkxkx4$6BxFmgw3e7-9TyF|=v``Co5l>W^Zec z+B>GIt`;|4cLSVr*ll>%eH|wao}O5W-wIk?ib{l0l*e_AKvypErdFjs2W6J)V^Kn@ z>71ve6j>^(hBdsLoIR4~egX}>y*VhlIDv*rPBukFrGB=)=I@_O1&<|}-!5-%kNf?( z0%rXwOE-PGaRFg7Q}AlB``(#O0rq>*8}a>BC)+EHrDzRUznSDr?WpNGmL@=&O37&&L>p->5P-r2wvv45D2%AA12MW7Hs zT#{`ZiI|VK#0kmJEjiL1^E#SToQmr zg=SzNE&z?LJUGuJZ(+hzp=#1(ijqv_Wts|6)I4DL`T^)XA^?rbhB0t2~U+OwC9x6e41>Q`_bw=B3g~g zhVgUm>_%MTKch9|hwe9%Df?r(LZXj4xzSx7_|D@3-{{JD(UwK3x3?tCD50vYNG*zr zltr!bx=b2X2FxTs@SR5lzERmQP|ps0qY{7XzL4lb6T8{vVdgw8%#5x~mCO}w5+X&S zcQckMZA+IGDP)r6jjW4;1}q{!%$!GrnNis=NX`y3qY@v1vc9+l#(~~Kw#%Cv1DHFu zhKiwKFT*yD^IIRIA~O&X7hXnJW@)PQA+Hg^wPj38y=^p%X?MG-N~$VF3pUN=qkedq zMueA9*&rgORy~afRN@E`<|u;nl|FHH1{ncJpqIrVfr^A7LE~b@=*n#)c`aK`U<{Fl zM8aX}o3@~-lqD5idR1n+tUzMH zFvd-|4lIzdCCrn4!If#y05KcLY7P~~OVe)_PNK0{(?IBQC0DMw!j&sow$p1&NST{E zz8VUSQIQ!yj0+;8E0;2_Se|oIqVd!$G^%KU-PC+{l&%*e(Yqi79dz 
zDkkQm{3x+u^ZUc>Bn+CD#HmrC8Q_eIQ==^E-3hhP?~*>`sB}ce7=i+k4C0c6?5g+mrk4nAtnr-#}a!Tea)Y zfxp?JJ*Fy#`Ab6asL%||$A#k2mD8%_b;&ZKI4uZ;V(LcZloT0nGM2HlrUA_Rp?De* zibrL`m`5Y(fO)Ua=9B_p*Lb@(?Zt*Ic0AKvA4=_S4mHdVsnvev1Y`uC7_PLf5s)UB z;wjQVD~1S)V$xPY+yN&`9^b$@SRT)Xfo+X}`I77aDl`MkaoGWMc4mIuJ>X9s9Rb^w(PgBhjs4_zCt_q-R|<;K~Vubl}Q*x=EJ8Tz^! zuLvl89x6NjZ`xA58ckj1cGN4|7aoEwYP*A80ebtlP3EmdduYXDkqwmt5Q;G$u~&6n zP!FBr`Ksft$t(QzpfXYoAL;fx2m!%HZ`9f}uD(%FI$)yOX7hH{LhdrQv%uZHw=MF! zt*bGB74$LE9X;>EW5=fBdhdmM%|^yE=^T}GugCE*&FzGg^OCd;Dl|hmZfgJMA`%p4CAst=*pSYK4!sFB9gX*QOr33t{iC^(Uwiqly%4h^|L=TBKw2N zhGB?F24IMZ`5Tmn8|n3CwTAxAHjA_s|ImI#@AAt|0uGyG0qtPH#Mj&K{aH4*kJZp_ zh&=;J-9#m3U@$JRgRU%i%bJoW+RCO4p{i_215^f?sH)N1V3pL<6%Eu+?9hnB4k{bQ zAlfr(YcCO@iIL~K@>J1#6-`)gy*2ebP zZo4hCrXM=?5ACzz%1$3PTlLLs`m^s8(;RdZn-)?OM+0gTsX_v*i`t5yCNcShsp-QjY^&vGH@E-=oLOc zv|x|NW7tL*wp7vt0KrP}W~FJ+!(KYpv_qNu^Tnx)LN)xxaV!r?#T7JqFoOZ)uwM^- zi4M&#Ph1hm;3k}7=Au~v=yY*p_ALA1cji0*nWL6V-dXLp-_SX_Vn zb(oz6P5lsx40;c^%ZG~0z)xJ#5nVaw6)Q@qNRea-41~@I&jlxH`a z3lCjr0wkBG(Tcb<8oF{SB&*80CCmgjX(36SK^m=WOIE5Xs{>Tc!cU_W5ot73HVl%9 zRi~#jqmuvO)0xpbnLyL!d8{HXkA<#WXK7k1Q4l4|7Fq|?5Fbj3;)!HU%~GBR905O% zRYc^mP}yI{Q40u|&MtC6B@W$BP1@zH`u6L_w0VBF+?iJI9qc@c-GSiZ&4(9n-rC$N zYt_vjx``SC=wKy5s|y4^m*iSdp&0;*%e9~@S2U}NmKCH?Nv#1?DZ-PcB&j~I^14-N zkxWxS3qRLVMC4jf+3(aJl_o{Prwg_VKhse}WI9mUFbK}Bb3rAhnkd^Ycys$Gzn@rT z;+(lW4^hPBA<&hj${CX>Oijr3HlajAnzAfOm8ZE#lA^5W^mvxS&qEXuc?eWCjF7Vn zOi+mtA#d4^5yQkel=NGh77X6)!Qd5Y&9=)9Gi@*FWP}RMfJt1?9bGw94W*10zznMh z&0&bVEK^cuIftQsO&aLxISMJ_+FyAW>mc*{$a`<4u3e)3A z4RdIvnY8X@W_o|JrCE7lmmWG_KKTfr+C4eS9=XI1^wyGlpsgzRPZO$3)-L)()X@Qwbz{Zokj=bgT7_Z|NJyQ(5p}3 z0~HG6ql_DO5)z*~?qryDe|TFEsb4|^+EbHGK21FHfkg4YouL6E7Z)#IE}k6Lcax}I zcnjXxZ>N8vSq>z^qI6im!Ge8-72|wR}rmOyW|8@Tyde%bv?&*_ZlES}!%br{< zo@flg-<};`YP`~ET|=L!DD+`bu#zyY5|XA$64tVmBpJ<^NV6nKrg@g7ACNC20`jPA zK-bVQEFF`t*$Og^QxhLi`I9OK8@4~$!q^hVC$%R5EV>w0MQjOl#Yr{1JQiO@#Nt0q ztbCR-K-iEE?*&zZmrr-y3bJBP2Nif`uGhO){^V3QgI^}@k*d6Cd0UW#sf^H?YsaY) 
z`eZ5cyvUX0GM$e2mVUmVjK~+DvH^IbgJfpH8y#gc!h8DwwU9!9DiL`+Gz^r$OmG=e z2)o78{n||50v&M~DEJ6e=ekSu&ya*BdS8=DaCu6hj7uq?D>pRH$}DB1&Ks!EEwrst z*BL3esEd+Us;#FJnx&soC?iq|sB8dWn3$b~8MIh1@qaX%;$sV?2NUJcE!4)8VW9jP z$k}VPbC$Kn-e#-XX)aUo#P}ve13COZu8H{zdZM?A#;)EOZmX$ zIb8jJFaE6qQ|XNRc7sRVKOde*4v8-x-346v?i*1*Hf(&nlRxtx!0n-*2RI{7;k~2b zBKn!HoEoJ1_n~VKpUq}`Rvq8=AUJ+?_6Pbx%eH;G?AP6Hy%q=B+?^4g4j@#NV*r~mS-Tl-(5llRTyrzbA<_p9AMyj)}ywuDn_ykl}L-}4c<=&mJ#VdR5q}|V`6rL zcRlVNR3e#e|CiriP4E3^p`F>(hYonBy;PXa#kRY(-p=(p{b8_)2J8=$WL&O!rwxt8 z``>>1{Pg-66hy2o53Bd9d$iR8Erp1oH=LR$Jn|9^KVs;Te*a{v+z9v6h5GL%9`KdC zTdtQTN$zSlfR4894O#5R(#|NoQTpNZy}&)d*Qo~Y zgW0R8RS`I25^u)RKWORL3%!GD9GY{CE#Tz2+utqN9rVSAvj++c!F4zFB>Ee{uzE={ z92J^@)re&H$FTSx=oewnj77ZuPaypJ?y+ZdWa9ef^}$+qU%fhVj-J^H(9p;9`&hqW z8z$fo|N9$bE}v@=V{akN3*J&D2(+Riv`kyVtCEvUsYc}qPct#yrmpnK2xSBr0hJ9a zD_VB>=F5zr2PQojzNf4#+r;NFV*ydtOB!FILNk;#f|u|yEdB>7EB4HPyt3L+5tc{2 z-Lm_CT^av#_&KQEB0X2@u*XTtM3gXJrpS0fXsuO`wKXSot|-rBUF3AS=Dzd^9%Tf< z1C#m%bY+Ghiw z^ToC2G4>ng4W0Cd$D*d;C6p0VXodzyP)0t6#s6s25G@m}8kttSA~2bRP*yO~RH`DZ zR+4fULlGzwEq%sH8NpaVWdpdM!&iBL`{~mMeTGBToQHqY<>bVHq_yA(`5xpgi{(gX zv~P5{=JUnJPJA_;V6aPXl~6DaW4C2(s~s&n3L0utyvrbpa|w+F6`G+q5j2*MVevm& zanR9ZZPwIjrtPx4%n21rn`vp)5MDHmR0)iCoz6^EK8vP`V9}tmK{E}N{LRAZlL*MTFR3r@LDvogz690pt zj6S%KRLCslB&q9^(7b9%qe`Jc-O5}Q2`%U}{kifb(1{J?z&b=4lV68lFiW0wZ*VEnEaOYUi(qA{^G;iqiy^%MBo=3=3om~A_iAB z)zoZdu4+adL1~XMgnoBX_qVG5y6ZNJr}|Nz{ZB+8aJ~*w-j7Pm(1!@>%g3;ISRd{> z3FGTtjLn<~`>Xk{Jo0f&&I8j5ycSm5KdPYt;NokOE@&B&mfC?fmF~U@^<)@IOzg`X6%A7>>^&r@V3lZ7Qd9*c6ec8c#<*! 
zUk=>KtA)P7ug5GFhaCIWe}rFO4c$tvcX}`KKkTmP`rbbGKXzrl%!v=1ez!m{ar_c< zCmuuO=ssSW-#%YT>;s>f-nL&_2FdYnER)2it#s{jrSvP&)~0@=|7s$0Pi=gz*AnXK ziA!HClB)&DpN&^L5OiLSS3KgWK0SJAFQ5Em|M|p*1D~3=^U_EEvuDRI+P*<#Z^8h^ zR7UHj)=pdwwdqBZk|wQ7A{DJOmA6ToOlN*8pNvvPkWo=jY)8&kXDy|kCT{$T;S=70<6=kl`lW1F!w~Ue` ztJ75RCNI@=2)Xik162fX0F@1(2NRoxmMQYUNTrc>Sf{DJ(8k=OXflAt9DCh%d9z$U z*VbTv$9DR8rD@q?BzrqG7z(+7L9<(_1>fJGW*l~76X3d>K~TljsiP|ws?`uG8A+17 zC6uQ%sav6KCn{^IcPf$b=|YmqPvKV)DSTA+v)XD4szIr z=UX^hxUEw*e5;V1Fh;X5=`TOhVst}SqI6PO4u)sL<<|9ogW-YgVe|KkFLR!cBSNrUGDFIBCr_T&W(7(df5x)@r z?R`mC4{rJD(IcMB&+3PI`e6N+i_|9ij;?oX=4r{JwF7Bd6uAj6SYE@(0^V{$D=r96 zWksZDRhySNE7R#Z{K_XsR1xF|R5l!S$0TQMgP5@Eb$8Qs@@Om6RRPLeB4L*AyN#nIXPkfw8d zw*B*y6NlTAfBEMp1_EEyzwcGQ`%OQWWjrE zM8C0@&(gfDvNqQycA<}&x}>BjR6(kOw|UiauK09^gvuvHR1u^IR5pCd;C-HFRkot? z2NuvTuYMaj2|$un%*;19DtCpx8@A453z-^o266q}>fc<0Ja8-V=XgJH9~17|uP3v+ng=2MvR9$gAlDLIoyhdyUhv8X+LW@IF6XL!Rzw}aia=#U4RBDw6Af^#wDolI27aEn4k*xh zZEwbgHe-)@=vxEf5YzbmL5CZ;H@V{zeQhwi482uc$54^5j@1z?icb?OUvy;JMnpC& zb@7>be35g`%-yQ@Pde{AJ31X1M}ENJFWQW%V%vF=tg@WY zmNL@R+BmMOEXy;h^rkS~IlA^aBy|Lb1eFacK05b!hDD4Dzg4aNiQmM;Gi}Y|_=N>P z1A(TS&lj)nT|ONCX-Bg`)YA-RQLJA=>pj_Rb_=c9=4>@nhFk|MvoFACEGWNPx((w{ ztc7g@mvl}+g=TC7ab3*OmD9RWtSK{+H)R9nn=#}VDVVI2T4bUPH0!H<=0+XC+(2cg z1M#TXEF@yWaPH_miR?N8TN4~T$Z2E9d-~U=lb=W3Fa%SBWU*SBIk)tAkN;V6Q^Yd4>&TS07Uz#G3m$l99gJJ&6H zxUlgOO<~_1Gi}vZ*f4JNekZrP%V`mHTt{_ufLX42Nq8v>eIhfx z;Y~MTs{O2W9g($0Wdo?g#Acxm6SkBATb6&~+{pKgH>xkqvDjNV% zO!68P{%ya;A#~_YH%x9A9ko_FTMCBMEe(}dDrb42AUZ!ujf%_wQCyN5T{&x#Ox8k> zltYS!HU)G$l%&ik<5kjDT$a-y@{`ncM3Nen4S;AyhI$^i551DxmWG3hchUsUHpjDO z$MILo6KU!LB@jc?`SWK{kr`-;>&lLL?0>~IM;^pYNJos!=!Na_{VNjGB!J3LBSaehy&ko`nWs4pF1it z16y$!JalE+u%>P^4zr1%?6Iy$L(_tkEKPWl$g(H`aY{dfS4U*dV96p3erbdJ4p}A_ZQ#Wu{1$~2b~_W0x;$f7$Mt?kS59fg(p*xKu}qucbw&v* z^nco-E(%^`yrF@^&rcfF5lJIdHUOy^m9#jdrqV^Wj~Mi8KMkvg;VW%M4L{j$q=}2$ zsoFQt+iP|2ekx6GFZNYIfydCT#q`*+(_Ho6xB56WorZeBHW)h|z4u8+@bV;69oN_$ zU0GIANWmMD$fnWem;M`Pj1wlRqDquhRWt1fHh%J@iAcVnveO7e#pWOo6@De 
zv}!vK&P(qn2YC%#!`U}zHV9QW8sB$jf}F+X)#Cf@5;oo4a zhA6Jv9c|oAqwhv_H(R#3HB&KN8yMR(L;r@fODK{yxd-dF9LcY{HL;ggjx({v35n>v zqEsru7+ALV=A_@RzpkO1%F}=Pr)LX|85`#{H3A1j`A{62+Mc!%Yz5SjF>q>Y9k)ZX z(or)^!PZYqvsYN(Rk&avy(CY83eCW2T%H15IZ2q1HET%ORE0JIXiI9^q$K02%#)^W zaz5RKvhnj2O+=mol?~uDH1-v1DTE3>^0!a5`=9$F*%(?{}a#-;LVYyYjB_ul_au^}#isZ|z@z&2xfI1nugd z9$i>J?$|luUtf1SSBB}X_i&z(eCy|iezT`nWWH}M5ZK>LZqdvtE!$RfF>~$zuc7@*vaP7l4D`okThWyhnyQ4!np8a1=r0>eSi&p)AC(nKWmNmP zQ|PCOmu-cAT#9~Nb`t%QOP+*1F7aP4w2$8_7TU)pf*3QRmtzcHxoMibO6!KSEff?q z86&(AjHI=!Gx$HxCp+`fB=s?NdEOM44Pb0y$*CQ7V!gj%SRb_({v+f2_@hp2h`7)U zutw!N@s)Ghu(S{%@}NV4W(t zdPIIg&-?#W78L#vlQ6tE9cn~lV2G_;inNg}bZahC0qIboVVI+-5;_-W zD2-?gbg-4%nx;v~GLk9n#?XujqIdL?$egC760MTO=*5>hp^B$PqbXQN8OlPu*`F7hG^oO^|jn#*%s zxNHzLXqF518W%#ohM34&tq|&AcrNWkAK?p8bHRj8 zTxbSrqViVw$~7(8qJ`$vBGYzFSy95OtRRI@b(7RZqO!>r`ZTG0)Lfpo!exV~nOJn% z!oibO5BqFjyUl-@h8y_9Oak)aM3@nc0VJNMNL0hKl9Vcugep;!x}YgZvRovIcKZq* z2vgKPATQ5T;IctLq6vpN<(|0spWURl&xc8GW1}?V8LAs5PT&$l%mt|fTxbSjqEZL= z%57RHk!!E4rjrv>75NNzcOJg{g!PXJumA70OCx1H4QTR&W7go5ASWmYnars**)&y zVgg_%HphO?*KqTYnovI&%z?2HvtO>?p+@`#(R^HJ1|XxN`S{9`DqfdmMcP_$LWPv1 zq1uSg+NP{H6pPl=QG?Wv=BE+Sd{lNCkf_)k#}5_$1aYMvPE)UkkL#yyVopZ^`qOUU zFh3nZ5We;Vf>5C_g3`EHJ-TuwbJ-?fhBZvv@_G*=Oz3~+ZBZ48%nPX|n}*WVkJYCU zv3gWCfS`#b5!hf7|EP_p{05Z-k0>ULcWb92^ z{4a_h9Y#MpLKKFGvm1rsA~O&X7o$d3&LwAMAz-{X)dn-w*kHL}gq4hCZCcb7pDfv- zsUM?GBVyF3Yyc4xOCpHCB)+(QUdJuMkZ=EzKr<>dbG@~mg`YUb)FG<1$c<^R5s)=O)ZKb0FwY8$yH;Jp)s!Ly0619c?*wYDuEgK zs85gHc;D_&F(ZcTiDHac?SR9qLhaNeaJnP{jS9_xQ(OcZU77Q;sh~@F$|EBt?V=2^_ zT-6}jSOTXnz3S}bQ1!#K$G%zIsXJ~dQNA6s>AF*q&G!>`I&orM9;r^_BGu^1ZJQT4 zu$|HZ2Cpzxlcp5~VRgasQsyPgCmZI_)Q?oB5s_+CHn?L=EQ){(lXwFeb;z(od*y}N zZeg=A&9}{d)oX}p_Z!%tJwyVRe^t_MSU_LeF4gI&9PcMqL|IFy#0;#&#i!AgMP1Rf zO(3BG_HJ6|+OXjoI(eg#s>*rI16c9n(`iI}8kG%fM-xjTNI|=G$)&SwMzWCU*{=GH z2CA7_CV}y0VlJ#-YK&~Vz1e8sbMW@Jch)jiKg6wRNy*jjyRzfW9EI6@)*gHat}cl* zqe3&F6&GnnS8i+VO4G6>t(m;T(~59f3&N^8(V(MA7IL!vNOKwyX+~v3lXq~*S&SD8qt zY-Iq0e(XAph+U(yVGK^JiU4o2!Pl0pd(*C2AAA}*P+YjMLriev`;y2sU1M})-4cy$ 
z+qP{@Y}>YN+qNgR%?YPtP0Wd%O!)fy@z&~I{ioNx=hiu=ZdIMVcd-JGfskBM%-oOb zLTvLZS1M7|QEk5ymURkJ>tteU=7K?IHJc}e#M1-%N7?o}#; z0tXOxagp?c-NC+mZ=OYelGl}KQ^5SF0`D946b(mD{9}&?q&}(Pinh3~sH;=P-GC@! z{-6|aHZ56u-?B$ZYg?Vyn7+)PX)TkI+1*id&j%|}!Y&L~ASqD-+}}M+6;@@TmgyTY z5;T``c9ydHe%z5DfsfeZjr<9Cc8*~x-(>6*Ns8{ZYKo`tG3_c*NEz9n1zpaZJ+3pd z(?8QGm?fmF#pp*M3RNyBP}+Ve_;b>=`EzBm|h;35gnCybGzlnMtCY^TOT z!ox%munB|4fA;x2xx$9P$^zsA0boPX@I+O8cpt(hbtG1rMvSPU$w;d zp7FE?{X!a3;t{@kmx2W+EO3Q z5(w2ilhV(|HPC5cQ>djNw*Wt0W~>Tt)_*sysc%cs$T0PdrJVa{0dd`>M&Oa01O2-8vjP14f)S z3109&P@0>dL8rAL|Ihwf?(ilo84?WV`fCxG48&#gFoDze0#D+o8^wOgKYOEPVy4sVCG-{~e`$37hhfV8P8mJUq77WT)G|y_fplw>E1eBDKI0 zVEQ`@Oyh!o=nvr-bUVswRKSvFn2RidcwUEelBNqX_}0O@xfeKfVDWf&QV+INTygj?9UeBuQl)!?(>mk~Yx3W5Xk?c(D=@YxKj@}`g$QeN zB3DI(8khb#Ew$Pbq7C4{`H*%YLZt;xy73T2*Z?BkUl9{#V77Qa;Ci1F-Z~zFqIS==~oq?8Ek=OAa(Iv#!2JZ zw(^{%|ESmsbl^09TVm9{!yh(SoiUsA(Z9qo@QDsVg$c9H%2?ZMlWs4O!PV-kCIO-_ zV1zyMe~cvpak^yliG*cn$XqcYvg}T2T@>a(6nn6Q{x1vz9~fU$7%S_}GMeEl<8s<_ z4hL`eg?QiqNS6f2%wzu>02e!UhBpXon(S@wwm|@*2}XkP zaRXE_TAEIkX62SciNu-}7XExv#zrC^BLi{76bOKC5}|~me}Dm{T5@Mx-&CItP~m>V zUDli$Zzptd!6QAxQ-cwW7=bBq*;fKu#9WfZxdd^ZgS0L+UR|G4K}9xNPo8`XIcPEZ zmYNP<>et4;lDa936`{p35twDSVP6=*FF`z}To|97pa4N)ca5zHKsH9>Z6xVnU-&1c+rQ8PTsG)q9WuvYQy)`*F@hdau&3?)CT;&-F6sd>oWU3eqm~3I= zNoo<18A2Qo4Mo?;jCzY9a6)CX_T^lI$$kQ85?~TaTTGVo3GpN;rJAw@537hKs2PRM z1W!(|4*mDm#7vxhl+!05B^NTHeqn`ZM+q4QOVjJfAizUNlQ32-vD}80a*)vgC(^{3 zD*!7am|#Fu1X&VS57wRx9X+5dsO#L(o?Fo&n2|0YRON6H99%X|J<&vZg zBfY8eU<@Dx#1L<|FNVK`DC42RNLq|0^YEj@%7Rb`)rE{MI4~ZcuHD$RLzeoM;UUlBH#-F!YWEgCFaf>ClTVX z2TAm<7TQoQ=xJSO94V!>tP~htHjPRC_hc;CA;nQUtlpB|jBPfc_J|~QG?+~ypVc%8 z(Xl}DH02XwN>c9pY-d|mGmd}m-~an4HmHXHo+Tj$e0{P+$Ay>DBbzXSr64+}YEqhb zsG*HcgQ!9w4-X}UFGfq#05|FIMvAifK`ZY0&jR?CE|p%Boo+UR{P-KtBhv`h55SCK z=)pY?O+s84@JcBRU?B)%c~EF|-4u~oplt{$id7o$!brLjW1>I^JB{*`Pe6}~3--P5 zk*6;DayD*dk?SsVq)LC)aA-qtAz8Hq4y~lV0C4j~TcW~Pqv*0{vlJ_#if=kY3M@(A 
z9hOK+2mp5uIb>RXOuC5kqi($}TU&Bo6vAaJ4;xcb2$l=0GSIfMk|frmG&7j{EDki;uDm<`w-DO)#JbJ0;QKf)-i2e;h8J>5A_Qu9o()oO_QWlpzZrm4>Fv#@8 zccBQTwt+#+s2MYOMtr zcCCqdp*%;MA6Q}!EZWl@{b9BU*=4YDBAKw3lWgBqJ*ypg+)1GvaZ-a6eY4P*IVBb@ z`zG!djdx-rC3m5Gt#@MkQBiTxw=8t{t8DUY`RXE)$a9qlfZ`1*ih5FfSlja90NvIJ zABea$S(Y=gK#&6KKFFAolN##0Gb}tZ(_$+i zOK9B{Pt;L2D>+d%fq0B(XW?Wc35a{(o8y*cN^31G6Kzw%=g%NFO7ka|$Ppk39>A&1 zwdB{$<+>w?Vi=m@QdMkq-7?6|_J%YIbF=+|lx!>23)$cY$$7(4XGq?&%j1jjOOKa( z`0MEW4MTfph!hkNS!)$Sz!tI$+jOX9Q47`h@Xy7Ah>?%C=~BWD?o1~2cqA~o^|u(YO!5_yDGQ?>n2#mQL~jgB85P4bbr%v zog+KoEwh~pnQgt>1@;{XMJgF^p~Z2x(2T3YK&1AW;BiikCAmrix zz>r5x2^F;%J&%+5`m&MrTbNi~{f!HkJr=D30sy%}LQm0`)$(&Q z2j{>hZKnGAv+h+}Q?^p2`!Ic~$ivRh)0d#JbC57K0x3;DIk0V1lUqV3f_^UUG4oJL zs-0?VY05*=@xco>s!JSYC~q`D8K)|OH|QT@mcpVJbowP!4G(&)==m1)so@DhkwN$6 zaox_;|JB>{QwiA>E`Y=6&(nUUM!xw$fAQ%%sJB@HZeK>)=;Z~qGj=EFv4tPN_O(KQ zqx6Q``RdTUeYGK58x2@rlf6~nePl;?Tz63F+W9}unJvRZQb$q-So&u+Z=n!iL<9cT zG1#beh9r7M6iLyOEm{M8`_ozZ^i)7l&Gw6NiM92IPx}^Illj2&=r6+VPRd)J@`aQ< zE{aE!_01>DKk_>!;};j5Q5w7F8uhh}g7(~>;z7@EhWHv@C!MS7th59#O3o6`_O;t+ z7700e*+$>JVb9d?SL68H-^Y1z95$GGv<|h5xhFmkUN8s0Z)n3}XGQ$=6HyGh6=UUB z+sQP*2~K0R%J+4ow1=l?ct_aCend}0p(e>Hk^zsd@vo@4bIw7^1>3lY zZ=*^H`x~}3et=K&&dmd^u}3KwYW3##jOPzo&|@wGaPbYUJH?GLP;RJ{m~rCESDV_K zHBHUxnJgpb^d)YvCt2yxCR}i{h9$I4d}@Hr1Pj zy6jPac7>AeKv^vy{>W!(`bvIwh;f3YuF8MTMkL@ESva9#p?PUxfweOoG(JzAQ_~Y~o zT&z*>dxtd1o3m%u6D4eiRwSj9C2tz#@^Ptazy?`zf&Db~jTnfwlNzHOTgcD=or=;; zjbDW8$<8d7dC0xxlS}2oq+_gtPnHuVHI$+lQ`u;eGEQCM3w{yWOkD3^mGrws2*XsY zj@%Y0Fg=@lIU`@I!VenA>w6HZx-ZoCz$lm{p z^%G=rXU91jR8-PBwy)Qi)X#Vani_LqwZ92Q>zJ2nQgL(JXkaEEEl4YNv zRDiA`*%vD9?%I*(eS94}Tz#UM9x(@gKN{q5{I(CFW;q`Cc)nnj7{=!XWtDIPocj7h zUNM9nvMo}9Ty65;-yHmX9p26Kvc04K=0^Wo;O5`7iK6cBKi#U}K%TlOh#a8;p}0Q= zGR~1qXrilYnj6Ix; zok|QJ%R|W{`;LXg1bzmh-TX#{T{XlyiPNJOvoZ6hDIZt!s1Q?!96Bgo5|R}?@A0j8 z=7<5r0<8V#+6z;v?>$vRykYQY?c;(;@?eh_YPE~xkz%7g30#9<7xHA}U`N|q0vgvA z7sV{0wl5v^g;U zlM>1eM%0tfK7;;ouK)2qu*GT?GWf|h#@=na?{Sk(*dlbDby5e2BXgcy^$iFTsaT-k 
zhX&PtL)mljGA>hkZa`T3ZU6Y-bY9GrIX1ca#&bqe-L{O!W*a7i{YHpTvYW6^-c=Ct z1WFxEOAPWE%4uv&#ZZQfBd^4Sd-`8Uk8Uw<9Ht_ zQ<-7k^C0@yDq|+P4p{ut%n;GUT|kpR|IOu5i+HE!umO%0*s?Eaya&2wQVX@T8z)M3 z9>REkb};ibl=WHeIV%y?VBj&s8uN=-X5PDV*Ct5Y-Ah^-!x2-4fVnNT!9IMp{EFz$ zl4$qiqCHPqq?R$qlePZkVU}wC!|5ezs(6O~K|~Q#iEV~@8QHJ#mDR(? zu{VCk;lF~$X&W65tpuc7T!`k5v!c38MO_|+S_rRvMbQ?}w`>7@%L_o>H5ooGcA)!; zFAJkPEN7f3!W1Sok*M=&TrhDAuwhBycX>t(O$@!T{L`Jk>zs(wOZ)Jza6oq;SGoxT zf{+)mBSiWU3Q?F{cbp~kN!QH$ z=HG!;-rH{X^^5q93r+}+DiBU`L%8FbYE2 zZ3a5A^z-a{Z24d6o8f=1Y4Z4bAp^QIRvMI0WlJ`-k`5ndQhPQ3xV_w7wTxca%SiI* zT4keHsw~wcK}ynOtWoOUL49Zq+|@%|<2488p>Z}!BvQ2rT)8onh2P$&+-nyu;kHou zD7kL@ZV0Z41$YGV^?^F(#DQjgaVWszZUKGT^}1htK070METZT6ZixTZpZ7J`*w!CyPA~kReFllyLpA@)DU@|CQK28vScy{ zFbWZakOAou+dEuWz}j8zmV^JX^tDuSn<2iRH?M5+)Q~VlSgf-stiD!LOw4sQ!<3<;4I7Ppteh1 z0GN(ylI$s?))>%@w8=@zUa5qLLw+rD06yjYF;ilI(Xa@z<$+7FSt$$v$j`*7Y?kX^ zWvkksE#47hYWIRrMAF~##d*`(4Yn{nursqLoGaW#6v|uxxq)cG<~B!*2JPZY_=XYW z=_Mh|$S#3)`R4^puq;J_8yW&~IY+*7vKJTgdIzFx)H{ik4J&L}jeSJqSNO3S?_;s}HIQ3EpND4JMXn8-ICYYXb zyJBprvxTj1Z@8s8mZ*sF#NMQ^^5Cjx3G^I{{dEm2CPxfYjKYP<1O|iIk6N(Vc$EgM zGO~C$0V$~2xBg$^!%=2O&n$k!h#AY70IbT9sgfTE%GC8k(j8*yHn}*)S^e8TFjdpDs2_q+%dKubs!T+g%%;*TbaB2ae#6Gc!R#fnJWy zP2{egc3SGDk-6gwFn|npQkxw3?B8^@VmZHH>@cWHr*P&d0{3 z#_+dKzq~R{KES7nsxoi^-)4Vyn&|#U$RBK;8@lkDOcdOn0BLA*(b`PZ@?Bn< zGMG0DsGFPww#PhK_vD~$DWjd>1xV1-1ml@vx>bISNpWE}C8#v|i+Qi|Hh}|ATvKoi)Jy*~4 zj4kKA!*zioyI{kUH!WJ1j*ye=C?b)~-J=ht)4qXuU<7I=8VO~t#q?_e3KzMj66x_H z*)WpYqEEZ>My<1toOzlWMbj#h%Dh0*=MQ1x1@-i)yYq+iN>kH@`ZNb2n^e6bx!UV$&!uOhX-0)(n-AE7>8xQpj6O;B}`0fkq*HnWa7>^tH@;}^~ zp^w~12(B+xTDKdo3UYo0IPsfZudQbJwQVYIT?r`I{Yz+a>g``r#h+YpEUS1CGWsZM zeUR@Ip&D#{n%7vx%Z=OrhZnb9Rkd~4y|ryS_wG1%L@YNG&fz7_Fg4yAAV0;luT?C@ zzRVD6bjQjN*t_NM_I-CSF57(d_HP@&`q8~ZZG@9s6)4W!);O@XI}QIN?lkyj!1^#@ z&#u1Miiq3%dJwefyfp*O&)5Q8e3Zl{S6)qDidVx3l+sXLs-tjdkk$AVJJXZ>2i&&k zL*+-Zu<{0gC>T!h2DCbRC8s&%8ejw36^Yjx#pd8f7r2bHjU0AA$neDaXuz*``?K?~ z3QPQkw%$nCX`_IRDtP6?v21m$IiR;bPc?=Hd? 
zPi8t^))vLL)td`;-7EU`Ec$g8=)%s@B;r{Y4eH($LWo#6}#Z^|OT z7ppg9C4W`<(`IVP|HC;7ChlqxA&OkT1Tw%Gx=Iy%{BXu;@C&?Sxuo{MwZ5O7=eIo_ zNbZC~=eFmb5u$?2%3^xD7Z=Cd^HbFYX;%;77D?_)X(Kn93<_jV`8OEweG+n@O?)=Z z79j=iBd%?z!BRm=u29%ft}K5NTPt9-RMFl3`>mQ>n;4kFAJXiSrOS&@27x30>JsC^ zyE?5$)K^d*@wa#>gLb>|kn&T{6mh;3L|`d~U7q?p)}GaOyH?zybG@BT4-q0AxEk*FB?TIZru z?$g~Z?fkx-BFPa3E-Yop{mjKGIpN{cLwiTIFN7b4XEHuCUcI`vpN`QTLd^zVL@~C? zo6mp9h3Bt(4I#%F{de4}c-J4J@^J5Y3ElGq1IV#%oXOv?7##5T?8%QT!`kyzZ{-L) zK1FIy#1Z#%ML8q4!}YFaM7V#B+x`rIZ#`3cB-M(_Ahhm8+^Bq6hZd9 zJcRM^5dvEME8dMXbQ!oQgl3dBnzrkoRprAo2~3;KLc4MO1R-c1%x?0ONnE( z8oy{F9o=}m-UGd&cSVJ;R5?enZk54(%ZfkOpP@T)_M<$NSo(eKEh2Ol3|(wCZ4njo zE39ED6P_Cl_$3|L96f7(kv=+k7PvW%rduM-ael~XR-X=QRM_-L)(`(Klz#f$+fnTS2XgdNNK(Mdn0Dr}DvRn$TZD+YOfE%*L^PFy zM2Uu>eCJGcK%pGrup6+9VcUV0 z9EI(}Jkzd6NL?sLhRDn%ZJV2jx@5Bau2y5$AO}$Dxvu%fe*FFs7q5;)ndAACvCFvA-U` zkHJ#KO}#_43%cYE{yV$@0S642@WxPS02vk&4-^h?BTE1g6n>5KZw@LDo?qVf?S{rhS|C zSi<5)JFJ_m6S>4krVa5PPI0;~URvTUk1VdIXSU*k*Q31AEc~a_AGdzkZ0z%nC&99_ zAm$L@duG}n4BW#2sb!YYRm(1eLRGuw=jG_XO>T+De5&870;FhYnUchmYLTzZ3uki*fH=>yv^+ z2T=y%0Z~RMy^FzqMNXLOE zYzFsjQiw=Up;WO`4a0O>y^W;n6uj702bDr5MY%B>HgA>BRHZ`Agwi@UDy$zc{6szb z<%7Pj(5sGz{RvsW!&+%v0wz{l`dnMNyrmnLf@CYrG$Xj$G%z*>JGRZO=ac z&S&O+@6ETb1pFmSp}Y5}-&Djje~ULaZ;cgndZiI=K2jWF=fz4oZr zn5$hDKj(V6=eG}5?4+m8e)snTy7j*XVZRNEx2;oZ_BwiKqe^_0^2m!UYA^5NTdI^c zI*WBPIZ-W0aHPHBV119OG2`M&mnK;dZB-=BpD7;wSQEHmnK1M%ppMzo{j6;{3a8?v z6qu7umDcIJ?Tmz+RV%_?l(-cG2Fh<`eaSXYMR?{eSC8Xk3{atwS**B&furbnRvAP+ zLA^EAr*X&^Ay&Se9~LBv@tA2&msR_^%;|G*JPE%T!ty1D!UDQjqT$ zLCU`phRs9rd{!P7w(y)f_K;@0^xSFrCl$MZ{j+OhOnck}cyh@lTo6IA7b%?ImoXC1JC97< zk%=7y_3g*gH0!+H+-n78eb#+@nfiP#1(_Y~a=rcDmwGgst3MNF?#0z+_}>fLv zUeVKNm08pr$tKs;84tj!c~<(!q8rky%n0Nm^>YbnmBs7)(kaiZvmaT)-Jj3d6OM@_geipg z!-~O4Q5lOM-_Fq9027#*AKW(2*iCv+YN%U8^Hv5xdv`?ftV&7?l&ahPX%Kw(f7ST~ z^MeD`PeDGNRs(TXlbK$uTWH^Bj>aaJjQL)_B^5f~p(uJm0)-W5Z7QH(7v$I&l;;C! 
zoHf#!3Bk21N09@0!$J@zqU|GT_l}O~zIOJ{^oTTX&U&8o}q8b zGH=n!AI{rmb|%WV!>Xw7jQRI(p<#3Pug{6~IC^51y(UJk(4MJ8$<)L`#2v`SyR&0L z&b(LUF~tQye(|@}=F_^I%obhaVhw3~=&B!`MffpnJeFC7P{Kp`)N9-7dwe!kC@N6$ zshue8qq=i=ts`K9%NwSw9L0L@Tbt18@1EK^T48}|cnPu){*o+ES9hl2iX}8cP%|ZB z$;i8I{8nEaPc!et)go+h9aD=QTN&NCRKVz?M^n5C!eOK_!sgzLFtYz|O=%)uvVBR; z8V;H8x&N*I9k$2Wg0uRLNkM$c^jLc-A)3i#R*FACSl5TQG0e@y7Q7ve@#YSdQ=FPB_;E- zkPYtAWgX&XvN0X3BOkA8YDVh0*b?w~3g!Q%6O*(&QzEFPp$H^ubd+{Sw?abUemy_K z7f=go(jvE}gm7?MtdtS8PJvZj5=)6Zl^K8Np{a_IkUT(**(1(6M`prbB-USKrHcQ@ zgGn;cxYt#^Ycc|0A;RT2)DFN}BQ|=1mO3wMHZ^v5>!=|A5idy5sJPN@K#1A#^!r1$ ze>9pF9U|}#t`p8ZLfT>j(a(cX;vCn0tFoUyT`NmHF@sF%+%74_j(7_*GV8C??Oegr zQb!a&(<2AaX!jl9K`}Bk^z+2(a|QTfDV|D#c+Ft45XFg!7fg%4kDqF}NiWT^ytf#O zU2eDUC$%+fCcqL5M0zvMlVa(K4=(>5D9JitA@2{c6cf-^VwDzxiF^$kdUhMQ@2(}? z#SPutD%2PJutkE2<7Gl*k6xivO+UlsbA~9r6 zF6NH^5b1N(aRY&gwxKc~hwB-`Iigi_MS&ED`5eje2KRvuc+H4kFP2-M+B?Hehz@fc zDLosW?}$CjMgVLG?A#JCmD!wP@2(S--f3njt$*XM1HXVDoN`H#L_z;N3t;#Qn*zHM zB|aiMQWJ@)152BluBM~Jb;+3e2m0SJ0+v1(f~&min}EoThp`RPCp57hrugz%;%D%A z-nehjq{H{ys=DYjQf|h^>wTb^Zg8S-i62 z$A7OqYnR#ACbu3#e4Xt8zp}lM=g-ljJY~r`fUUeJ~iwgP~?V|8qN3ez5J|m ztm6c@x4rOHw6;vf3Te6U@V-Z5J(B<;hNJ6$Nu1u{E+o|2ERYD?Mb-spO;= z+tMu+L?8ZM8l)%(RdweVh0R2I;mI$)4BZl1wRBIpFp>mPFGfRHz=-vXtdlCOB`UueP2$&s^>c=>|YHsw>v! 
zDsX|*q>lW!JGMvB=ZZIVx1Pyk7DX^?3G)1hgMmfGZ5F*sydz}P*Q%XaKx$_X0_eaU ziWv|hUl_%#CVS<}OAd*f9nxC`vZSJ>x>ir7p?Rzh=s6o0X;vic6ru?cHGMOz~qi|Z$Z0YuT5}GVpImz74rS(StOQXWSlNO`v zK*G9u`~C>2W;|tI_KEe-RmkD{l^u=MGxBBBqgNH`H_N@}UYS=W$RVPwp!40Xo!d?} zw0Kr#h?QB@Tf1_qVB*0r+@WtT2z$nA@yurTFvfK#6AqBYlo2Oe2tEGIu7Tu7E4!G= z?IW4Xp|$y`WVaa2M((k56i@9_5j(X{DXIES=jBsLkcC*Q-y}NOwg?%Sojv~*rF<1b zP$tS|n&I`#oz#Ld(c3O+@_T^Dqdf`=vUsBNGVj~$hq+*72gzm_8c1c^>A`XzYC>}~ zkedYL{Yb*6MrWeyTIa9IsHT+zCb(x*7mh%qxr8K`fBPS{m_!?Lw1Z>&0h)K)r?|(} zFGgSUOTq>j?c9&!m?Oats+iX_0kemHSJiAfLR2~3bC-+0N{o_6Rc-5zb4%mUi0k#TF=CH)crgN<%n1gw9%v)d8i|;sbQbW zkdHOrjFtVA_rgp03)H=N3zdbk`lH0qW0cnwz1A9Zrr7Y!w~Vrm%k1hB@VOe{q||A( z`2JR;^+q2_w%a)Bz61mw_eM;FUetbFw40dtz5Bg%y{GOzIi4BLnBb(7vX2mevFkaI zSm!ot0NpL=TZE9{br~@FzmhHUb%huwuR;4G>Qg9N;zaf{m&$=&X1eqzY=(juUT)PJ z%VLLW4hEZ5n*Rvd6Z@Hs1QcNgVl4(Ag_$NS3KO!AXw>cSKQ8Ebp7^OY9j{-z+fL~+ zjY)HVLZabwAlB#>6$O{DeFgxpZi7*~!+Tjy+qTGNun4^2c@vY)`}=EB8;SDdS64xU z8p&a8qKavr&5>(&r;$Y9nINz~{umXjtQ};a*d9+ftZ#z^a-TT~R}1!mFHx9VAMU@n zaSg{(s>5wLhMh#ctfxHV5V6P|?J2c#}cLOKRbX5Is|CLhM zNZ+fF-91}bpj;FAIHIW)q8H#${%-e7JRWP?0#%+L+8%AxgHP06aX z(E|K*@0I+t_e1E$Ia$rG_ljDnd&8nI)IzV#?3D^$$eS~9U3A2`uw`ug64mJsn`k1vGB~v zQ6e@%{HxA<2#$-pwlg~$=c$7B&_*x*_wDvz%_Muz(kY7I+z0{OqhUhP+K&CrG`{my zoWJo;#iLYzo4U<6r3qhjfQ>e?t-fg_*hIzaLPo86ECp&RpfBW3G1<|^TAVHWs$4eZ zC?wePyy|r+8bg?lza-fDJG2!Og-`~RJP(lvrh0OLCeuvsgD0ha#jGf?->nQ#oJ^bm8uK+qJKQK? zAX?`P<=UH1N`42qZn{&>0sP{{=NsWsM;J94ad=oXE9$R?ZV+PLW|O3veHX`9kITxx z?{&YmlP(W4hsVYyPg`nF!r_C@RCPt!4tr)T`;F$lRlbcX#VarwWmADp1S<-=&$qCN zh%xCUkf`OIsi+rmO$Hl064q^zviHALRbkknI@_$bIdK9rxim4-*%+WPI)R2!C&gr09PB7SUu{cS) zv+H8keG9$%BQT=k$W(`lZT7Qu#*rjnlzqq5oahT=TXpf02E?4zNRi>uxu88xmt(%9g4ba~m#g$NyIJ(nDGGZ*)4~zON~Mb2qG^Uw#^|O3HR(gTxGmOK2*_tq!K2 znbkR1Vk@S+Bd^9`NX<2>|0iU4EUB$-v1ipDK#V-M?8ig?lsLV~iH6-;Lq_MRj_G&q z09NREwcU!gFza>YyY(CknZ9`w^u^Mq)nSeCCc%{;7V!rUbABegcdW=pY5rf~YzL}@2L=AZ(?VmO=Duqi}>@U!nwvMOpiS8(`f8rJ7(Ncyy{O3tZ! 
zjO$!c$ykQc@|fwxm$FJaf_T!BoGU~tb3YZGC^V(>i{Ln$nyKe(Hepri)?qMzS-?2x z+?y;(p}ITz!UpZib~PZn-_H0GQ;S& zBtuFNc5cjuhukH0ns0e$^Y_r^IaU^?0%8}DT_(P=*Ra(5%R%a(FLZ*$n8nF#TT(6e zPWOve2P5wH;_t>mePDyY4ZnpLC76E+m#jlx-!E(ae~@=#x9hy>L-AOu%^Z7=*3&!LdfTJ(!0MQk2e(CPF*H!< za`v|r%Nf);f6f!YkP4;E)HS!a=RS>nod2MG8#K-uSLqe7Olk2$4CzJJX+&uq+u@E6 z6)5JQ5`{{LTqL7{eEce9sBPtgLh71z%(T?x&QDp9v>>#!nY-khMN9h>w&dMqs48z) zDM78e>TBcTbJIPx(BNW4O&4@I#}+}lPK(COF}-X?&k48G<^=Hy5U z*sFXR*f@<7ToZ6$3Cn`w^ifv!1E4{-D7`y&8WI`G@3oH95GCCGL-T%mT8*Y9cplP> z$Sa&cJgsn90K(8{e=bD=$c__LQ&bzAeZ)fhV%${f3%352h_NT&&r2Vcwjf31Nk}He z5%wR6nW8U%+Y{6h$^Vv#d~i)Yo8^dWr33bAUvq)vF!?CNS%{R7RL{bkYoYTz3&}}C zusWguE)pUh*-XOoV3`-~Js~6nuO9`)`_z{OueCcd9Meah+gB8zcWcONPRAkL%SLma zw4TN61CuN_VXmF-_oup|Ur3?9*Qq!v+Hf%OO8nVfv$QgEYU|1wXz^8-DoI>2p~|aM z(>Z`$^F$3_|5&uq7v=CGSeYXM?|WZj>RCTJCSri}n@+`eu}Cx4psl}q`^mm4HSAhD z7L|^-hfqD-y|by-WRrsuJQ^+mQ0Y_AaW>0f`EdrPrrJz#qNkIS+9EHf%Eci)&F94S zgVWpEa(M(7ms5SUM4^?OHF=iktG zXi$xN+fKWoe^*yvOuIA&5dnnz`t+}P-pF*??!Xtq{EltL;xdY5-EP~Sg_=#35;X{A z-dO0tu9HyyAvTra>j!6Z?5G@drh%}?#FN7zI%oQGs19x(c)pkxbq=7&&(D}0Wz%YE zbmK^FN*CZmu=M%Fh`XPZ(~Jy3U;apWr*Nc;?sU00TqDc{P(0E5-HcGMp+_ymkCD>Z zaSQ0r+PYM)s~Dx`{c+(GiE91{N_V6gW=*8V&c{CYQ7XHH^QL*rZ$D(J+C)QTqlq1u zyeQysS>07@>i9Oi8Mk~+6bqh1$o`cybi!uO1@~<<6Ch1J| zdi;rIwCO$Dx+e(G1NPmy8n%pFl2aLCN}n}p?*Tq<*Ib6kL;Oz^@);ou> z!miwjFitP0!=yKiL{=pQC~)ica4^H3p$Ri?0Mu%dk#yzLo}MEcHh0Ic1Buc=XXGF> zv$Cak!jQ>hlNiyH;ZFi##-KnNkq!{%i$Ylf%`r7JKwIV;UM;Vgb5q{MEec|jEWZf^Y4}b+5M%yfqIr6ML5fV4hZSfk=Rf)LjVy6hVmG{Q_tg85nO}oGFuPX4`Xe-P zg+F2cX-O>X64oiih%zoCBd;?j@@ba)V{pj~(jC6qaszGC;U7>U@tR+h@ih7`G`7VR z3`6e}ty20GRQk7HK38WVxSQyC>;mWFkSdtAFj^KM0dPvCiY-$xrU9ia+#8ea(`7A1 zgp}ct3zHjzuM-fAxc8~e^tJ9_J^uAUj6ZOYT>h5y{Z76-FESj<+jlk%@0ZtU)ZP+| z5Qvcu@_wc4W&G-qx~tvfo(m3ITc@IR!g{@E@NhT%l+-#fb}HZWbn;ULW=)=Gr46wgC?1^Pv9$RI7zJ zdSV!=AsLi2pBoz;+X#qddy8jm?{5^?Ts%6jF_T_FVkCp781P0}$?0h8Sk$BmJV z2YmVHNV}iJjw3RP2O1=h4Q#9e>xyFVXe%Ma5wl6!HmCeCvkc}ORM}MujaK 
zreXfp2*_Xrx8!woR!ZKzf&U((6rUOJHtAt9uDt$mE@O`VIOYnR;cN|O5gbImy~IiC4rv-c@rz$V}>=<{%Fh5I{bQ$fZ8w<*`hU6P^q{ZYb-gLxrl zUOxk|KCF&H0q30pX(kd-JTHUJ?J};N3zb1mWk$tUh8v@(zWQ@FQwG&y0-l_I16efi z0SXf9$OI?CGNAzG6EU_%04&8L1OhOvZZkeb-gg>T>$Q_(-M`mt5Mi@2j(J z2bHp|@&m$IUv!SafrDHwZkkU46#aurk9r2?V0G#>EOE(*&*Kn9V{4#{d&C803=O2c zPsd54?y`8#0Baat_&sUo!n66cL+F7iggS`&@)(l1j5+2b$H>H}(8no3?<|g4uz3s@ zr3Hj_f-S{<`ku( zNk&Lzp9n-+WW9d-YY4qvv%;4O>^broH_8ww%f^z#$z)@>EOYRRG}e1!<;iS#OQ~XI zc&Pp=No}-w3K(q8#-jU&u4m67qKo#EfUW9LdWjU0ntG`U!?kn|y_6b`?m%M8w5rwJJnNeZ9J$+XWR$o4*E2rjRqT$@~fVVKkTgqa) z=9+?sXektu@OV@-Xo5U`Pp~nW0{nfpALQ)fSCHR7zRNkYv$g8`rU@cu$Hr~NVj@lV zrR@gL!VW`kW~RX2>OC#y{galm-JBdpln)cx1~pfay$W**R+n9R5ur7J)B99KcUBmA zGxXW59IWtylcXpZX5CB@%qU7(Ve005=MnanDxArFgkPOhcs;Xr6Yn)6fsTs z^&?6XQWemcD6ME1+OOBKnG%j?q=Zpfm(PU?+EZbun7V`P+9ebD7H>&+{Mox6sCKNi zR?lNUKz=dJIh{rq6&ay7Gt$3TmYL(QjY0~iIcj4-s>p|f-GVgzsnYm-s`cM zQH^J0R8d*?#)?U*{S;Rnlz&!q{gYh*hd%3%8&Qf2t=Ygzbs>4wI9Ik1)UBv4zrMbd zO;E4~a0jhU`XQh6w$j_Q_}G)CSq5jQ2=x4D0bjIukWH|LcY5*^lCq9mf4I~`VXaco z)w6D$({sD=yxgu!{9o8A1znUXsxn$uKFIf;VoqhqHo*aSMM5UF#tT`V%)sOrK6J_wq`>^vi`<()@ zOZu|DK^!**(c`3-J>x!6Mb(M&AdZ(UyIX@BFA@2G(_B3WUrGk~_jS8_`YL|_Aim&E zM@(u;X(cK&!m8$#R-!YPnV+OVnv*mrpsFbf2~C2SRCQT~by5{oV#h(pX1+9@kuODM zomPbj+Haq>-nUYLf8Nxfo+?5LYARkq`YPOf_CocBu>W3sUS3c6<}Ek~;5G+kb-Gt4 zkT0voankHMJ|;hj!8*6>W)IB#8}RM{Fpa3*lxj{?XoTv`Yme&^KgnD9&e(>))&EI& zhRD^gPxM!?Wr^!RR2>s&63uTD+-WI9o9I0D^M;8Y(RRBqlf3baBrhuKvc2 z`IOUP00cy>2<@QtL;o~~~N~nONl)AL%FhQo`c(6%~Fp@P8VZ186nP7Hc>v z;JDg6oB>%Vq>yDAq1m$T)+}tr>;`)=+zXnXoQ>x(=(@yb^lRI)<$A{qWb=s@gRM!X zXd$?JwV$l=ucMgxzAyv~fHmZH&q~Ee0(vU9VcMl!J%H|MjpOt1%-zngw{|8bH*qQ~3wwEMOSr9XRZOV(PB9%eg zYqv-P~{*i(fvyG%AGo*n@T)^c0riImjM}MvBV$l&~pXaRyCR zjiw7rCJBQ1^{C%I%vfIqjS~c6H$3=$#dm?l!(jYRUJ^5HY$+`PCUHeFgY(#G&WV{MPi7>^QCXKc zqk`k=;xO^!)eysZD+iYMGHG=>jv(!g@7ArbpDlyTov2kkkW^s-W$)_56}?AgJ)T(z zM(+71p|cu{(-|E~jojfz4ohq3n5ugYH_*)Zu3ayb;WJ44i_S#Htq@&I+X0ITx$Q8S zm&bRB+w4&MPGL{zmhYpmG=$H!CXsh@y$Oj!BUxjD!Y@ 
zvfZ-GoP07PCy&ZHEerovp17`8YzH35uOf+fjI{KfWjwH|H}aMyd_d(d_9fP8a8HeH zdbGNYjy|RIN!lmKWkBvxZi>6Jue{HIBU{K$Ui>q4+ie!m_fSnXj7-7QMAxg~8hYT_ zB1am&el}y8o;^?I_40LzYh&Veatmh;lzu%tKHQRXm3|OTsaaJ?_%_D3x^uPW@DaZ3 zL@hh~xN0}z|Kt}y)E7X^FW|hSWOE+mQS_viwYNy@`4dILNn(J3#bH{IB5E3v8zh`| zi!?z1$qWzxD(kdJD+s_En?yywNMDb8mH*@}rRbO|oI-6$x*IqgQ+){&)66u7`=zM& z03CghzNGni(IO6x#fQVjdqbyjfZuvO{1!8+DV61@&=!1yS?dCAU0D(Hde=jj#QsK^NIoR{@? ziR&%@h8yg@6g#|l_jA4wu%C+`$hG)ZI&+EWR3Ecqy%ZhyDlOOr2kq03@@(^gOJL)`ghC?^!Yls2oH4oOJnRhPTO zPm0U&YsrfApCO(4{>b1GoF0fnmnK)_Jp=;m{Du<5+#O^QDGc%+yV04LiDU+50+n@M zPHgRnZ3i3LNm!<8>5ae{srJ$fRT?H5aSM$WOl=a4D&WamU_&z~NHl$%LMjbkpGs*h zp_r`i3Jer(Dm3T8X{fwNbpdKueB*(VO&c^0eIcvSOb1gW^S~4?@so^(LN~(Sm}vdn z5y^o^%6)yqb~-a9nx;=p6{E|PWJL(+CsNT6pxO;36ngnJtf-Tu_TwtDL;MpHT#?KG zSD>=)`xHuRZDylzL&C)2d;xaEE&1is5Z4+qM9mOLgKe&B1<1|}-e8)3GW-FR7@_9# zYSYn~{kY6o!V(fhRY~G93<+)0kR&u`RZ}&76gjqD6J(Ig02!dN?#l%xDee?c{2oMq z+$e(s$KF&S0jTFXMm36((FOPQ)diz&J1TJZTP>==kvhtBEJBOu+!PD|Dl|gv=3xL_ z;xkY;s+IhS8z{CCe#VWUP9hT3aL117oa7m!B#nYH%W9hN3!mK#%*=i=BeRdnx;Idi zcf7xu+ARQu2K;~y(*mt56pvZV9!1A~M_GqWh<~<6ruEDP_&$$6La7ai}4w0okP*9@<7(X#q{KD-8 ze&~m(?-B2kACcl@;YW_rZ6{OwRmO#V@Ev{H-C9Z=j zudcTqE{!slx>qe29N7T$!E75IDl|gL=B0pL;-^F<>m~mYoW94HivDWO{~$e?(>xe- zd77FwWzZxfVvKPQCW#5ntAf<5%!4pvW#tH5re=aSosr;0W!;wGD)Y9Wgi+ad%E|5% zWV%F9vmDTV)0RmAf%27E9T9iA1=0|~pU~2q6=chf`zMBF{i^V&A{WuYHQ|Aq)~{b* zDnOLPOTl&FjxP4XUou)m$=sWq3?5WZp^LQi4lhg4y z3XRwV=8>Vh#BH0vKPdUfMv-nk&PXU9lC+d|=Z5|e2AokMafKK>wiHoRCADgw6_L2{ zYf{#UPf|bdo4R6E=rVXShn~*Jp`)^{peZVN%EcWWExJ&%B zOoB`f5kY6omTf1_zJo&%?sWQE4=p|PdY^bSV(V4sMN=1fO~QzAC$WruLW_{`3rk%V zQJN$!0+iHDprD#w2=b|l3Cz*dt zzMuDW$L{HacNfZwzmaK&buco5q9?I#q5-syYy}4%M)`?8rS-g+p2|+=rLtY(r&YNC zhFVeY5uMpCO&}p@+AUxA#RAD|qYD8*Tp%wez+Ntk{Q-ze1h=zd(6ZZrnb%Hd_R?FKFau&4EE!NvK{(s85r z;+Ks|+4aK-+pHyzBZx}eiMJLFl)2<96NSuQkGsVD4PlBFnDG=b(jEVC4S_Bd^}D}? 
zU#iyvzA*l#>g~h|J&tOqv}3#D%iHhjGM~9+;v5!hwP;011Y&_({>TDqzyK)luwkM| z9B69V3W~r{uq66@TX&M_>HBnE`raizBUZlZVM^yQ(SL$(NnA%I>H^tMu;plIQAd7R zk)X`^e!^ntv{^SKE&U)XqP#4aBM4}w?9&-3dsNoBpP)1cSBzhLhFt~UQEZe41CbJF zv;rdc_UorR6BWKL3gbXly1Hyr|y&VvBB z#Q!yhhqmkv^CWMwoCJPS@@robk}{(ONlL$o6dzKKOh9$8NUB@G!>!D2y)d-MHu-lIbct~de9#C0#oD@yy|8n8998C7ZPW!e) z%S|}1Bxx+TsC@K;PR?fZL(n7e-)U_0?|&Dh{-0z_1kv!*S@`kycI)>%AcIR>>o<3! zJGv2S4Jo?rJj|jX2z*3IvG;)@EuiWqz|~D+3KzAkjtNw0X<87wlA3UYbOsy&m34Yo znBcIx|MKg_l}%Hz5x~3pMO``g5C*f2x#{w&#ERXY@$GqgBe{&#iJ%T;ad+V|5G-FY z)*l#rI|2~cqccM8;0GJGBn}*+TArZP5r8qHF|R&HBs=H5Ap8{5Nfyq%0C0BvjM{JX z)PP;kEft4%TN$+mFtaB6Y}P;`2mDw&{%g9e`y;5&co@rqxolIg38>HrbDT#(;1YK? z#n22P_jG0co6wRkJYucb>vGF1tE>)56~#bp6*7`HLCud87F9W;O;y>Cl*|M~WHSH} zsI1FcQ9}R6l7J-rq4W4XuNG;-p*9q}8-8pG>prLiQdhFa){a;#y685GMTOiJo6RFD zaEYJlAOhJ$Uo5?oomWT$WsD-30NdxOv_I(L_!XctkKDjVpJcDY~nJB}(0+U$2?UU&ks zTN80VR0?#!*sXV{+kFX+apHS7?G3-y^5=%WtsPgX72kh87)|=l`e5yFAJlx@2lr4Y zyj8(p{!bCLc_b!$3vQ8uU`RL;CI8iZTk{=4^l_9JF=TI;0=z+mM(hpqfHyAjllBJw zb%|PBp=bRL(P!dM2Hc>_($K2%^C~5b772;dm|rA=swNHf3zlRNtxG$5P-X&dvKfFI zRMwtV#KoMc6jb!fzT{_{_u-2o@zQ1H(1Jt3Zoou(e2ltr8kqo0rB83EfQpPz=y@O# zm-tBvty+P%8$#=P3!t6VjUd9BfF47aM3s@}1S;`J47GSU)Zzi#9gy8YA)Z~CO)yC| z15AR-I*&Ljm;_g4Ol+W(7yMVCx}etbJAk{@0VX#fa)WO6c2zae9N7#s2P*4S zRm-G^mZAudyLDSDfG_w93x1(`q^esg^0=}*LT8PHgCR6{hbBEmNLxO_MM(#46pb9P|KS4>xe|=vXtqk(UDVr0>+K8Hqq5 zt-v5f>6643wk!GBsz)9ve9&9&ADsURyjFS`{&nx<<@rS`u}vmNsE+V)%ikf*Wzm0xIjU4Ob%vD~=YGK8BA4Wrjw{=HGhTxrO#qLo`RB>5dH}5~&@(RP$2@0CC$+ zRG$2J=#xG7d=d%Oxyr7f;i>&$jr z6NrWnjfb$KY6^A%6&hh_^RNppacybff%MtkdR=wr*FS&x^7-qx|9f76^Z|7Zm z9z|(bBt_znaKzr;Z6u$Yy{O zP+5m%VPfyL>(%aZ4domn0X&YM8Xe9!h+tq3MwYe);B$>O7w}Pu_)*DS6PJE0r7NnQ z)S;x#DC2ArEb|9}TFe5b&@`YzBP?JZy1^xW`dMQ_)^$w*cFbU}t>aDvZu~&coY55vJPXw#7tv2rGf(;@SA9>T;I{v4odUZ4SweI#?cc@8y0kL zq(Duo=SN0%?1YlGCWzUF!jXYO$NRXhzVn;h{qgfnz`rX7iCOLNiF=!XwmyCa%;=_I z7*L@RMmG<`;1d5Is~kD)f`qM)4z&>oW01JY3+RPX5@?#B>EEr^nVX=8d(_JvY5T3)CedNwh@#pp>lMB+?oB`zA{h>~&I|h!wGr&cW-XJU2e+qJ-o;A# 
zW9uH=t$IYZJBc3<1B&EIsa^sSqvB6}@wqGp5$b6FRaiYs)Gfq^WV+-xZ zX(AT#8Hfc`)(LV&B}W4Y(GmU+fbiJ?gy>pZ?Rz@pAfE?0aEU)p%}3yq!@o7)!;qT$ zFo;28&%?5)X8d3!X%hi0aln1yBuok87sfDPRbAKiV*lI(8{{*<2B@s#v_-`ZGX+pI zx!>qx7cBjYEJpg+uD&B?jt%{7s2&ttUHr@ZE~Xk{`!tWtIh{a&ARP- zM(gK%yQ(*9ex3-!rHgJY^CJC|_nw4~^e7nQsvf#U8_)dcarNR4vwwRuoNz8gqC~LG z-X3`}Ro>k%7Js5Uw&;ss4tb#uchob!qqfzp{?;Ivt2`mqUPF}VNQg=A5h4506xtC~ zXvBUr4>95rpOn4qdnT%SJ|dMGP;ZKCL8-)vUI)rZQYBGJBSwM}GV?6YNRd>O1PQCl zI17`YvV%x+6GW2F0Fj`wZm$FF>fr=Mp`xF_<_CTR)uw}g7YoR)a#Jy|#r(k62Bc^U zp>+&Eoy~gi$CWpiuRmSexy;dr!*ltl$Ovng2R(6#pWGjy*>jZ!Q{Y=BsRc!3sn28+ z8aUM=u$2O`1!#FjpywHh%OE6qlT`%R7IcQuZV@I{C7*#+L1i7sHYWDul8o2{%I0xs z6LL2{=uXoat}D#u>FES&Upu_=?t96vPZe|-fO0eME92kg%6oBn{q-djLql%?**(yE z@fM5={`HPuk#`a)^HOH-w~XJ>SWgix@8bHo4lmS?aQnI%K|Jx(PQs5qt?YWRSjj*_R7#o-P#G-2rsnLr?#0sB!B%;6?Rbx#cMg?XTkvwJrftGK&Nuk}$Okhnu z16YH~x}8KjbBMhF8=rPTD*@wdj%vS9`k~Gm?0|cO1Ivg!Ddl}n_Oh0>Z%}gr-eU(p z^rhXH1z-Asm}UhzyefgVVXr4;})24FQ05WuMc%si4TFE=b^K$y z-k}=u3^Ii;c)PvVYp5p_?o^*t5Dg324x*r2CMsN5D^rfc5JrP)%%V=G_drEP*wZ`! 
zj7$9A<0QeBC&;V3OoNK#NdhjFpO7-;<{PGIoFpu6;>SAt*qThBOg;lBgUUh|G{lTB z5yO{q^iV^G5GEz-{|}f3Z=vbgK@X9kBbO#(d;ym95@{Hy+u>>!!~;ic2)Xw)zR==C zoL>i3z$L3FT&a}92Q7Y~30un#KhZ%noWb1?53lJr~^4WRVXy?yo&7 zxI7zmaRfYx3MR_qvZtlg6F@p)L$|7LoW&J&2Qjek#<;oa;-8*N$f1lA&L`%HC&@0$qAPis>FD_OFgBnWxcZtmh&yK3{_f{JxVmz&O$ z(MPZ;AF&bip>Z2QMcg)0%tOYw#7{%U^eL)a3jIWdO)$z|fE&X@U7i+mKo=$ULt5l< zO6nv?BJyl+)K4^gR?||i4{N_dX zQnB@{WkUry!IPk(ypDJ;uCCv|Jd>$3Nwl+E?pON!S}XoK=q0Q@0NIv9k%UMRpVe?y zBZfN#^nwbFFx?rTmn+N6d6wi!R%9eel7Pg}2d^wMevTC}V=>fX$M%xy!bF!8Gtecd zEbc&}B4)r_14|GK!G`$C?pk&)l;xmVmsg6>%oNoxpRm{hI=W?hpAJMQW&jbcEHgJv z5=3cPlNuVn#dTPULS@2Tizs4E-NcDw4>gnf#f;=WDr?b^=V&y74x+W>pvy>)s~y^n zoGHLypDKj@=ZMarSOVM5GCg5m%t+W@S!S+iQ?sz(TZvB_?wD3J$+OBQeiIf&okoq% za=X@;3GiY@0vwff)wrXAW7P(eS85{wQASG|bqtFA=33rGKWh5_o=*-_o6{K^P>~Tz zGb3SqWtlk->#WRcM(PN*nwa_|kNlEEISYNRFd?n%?5Bm9i7jSiVo_PA(xAE6QRfjR ztyD%e0MlH%Ln)8EoBZ-goljo3gFE~U-Xj5>$-2)>&v+IyGM-nKnX5dE_%)Z3uw>Aa zG^C_V^O(?}VmW2G&rc}3%9vTjVn$XGm368NTIa7pn)U{GsJyYysA$tuz^clw{OzNT zD2INKVmdRWkRBBpp))hGgjbfC!y=B#w9ZLTM*&ny6ol3+BU#SUGED2BNFDJKGXYo3 zNWh`8PMtxC^ha$oID!8YjghSlS*-?yzE7ik-zj-DRA_{*%*d-x60<6>7t|DH!m5~&utH^>x?-6W(GN_b2hshy1)sNvvT}t0rT7Hc zZzvuU5W2nUVab;K3y1b6-@6yT1PDn7I;F*dnV2=YvWP};R)uv{L6ZQ8r}{C;{VE}8 z2*j@erD^CmPRxu-F(adb%DO|TmRXVS8!az}$mjv25o+IcW*#&BDdo7R&5iZyybRgk&<;6|`^+pTnXixR6s#gy{6}w^MvPSqQL*uQ#1w z49R>yi!6*G_zM?Joi$AzlbQzHi79}kI?DKVRRcv&TqQwZ-KkPPFtu}fXd9PxYbP2M zw`(URW<>3tHfR-yRDE&kG<-rrjO0-zFcz;bzIasKAw8>Yn*BEh)O z2rZsf{^%4(+nM;jALdz+1`(pC*ob_~3}T<}qA`?1#CcQ`O6!p1xgScUMZ zRKkTuDBP^LGd^>{in5HWoUkH_WlvKYL={P!tjek=XJu^d^O5?AsTkAa&bX{wG0@r} zyFNH392DY~(FJ7o;RQN%Ai*F0`;A%U_TQh{RVzP(Db0k)GcGhjX=X*9@tK=|79lMY zQY3!CuZKxS^0aA4>C>7;X;3<-R#HDTm1cV68JD$UOK>s!0f$L_ko3oZSN^qK)$4nC zc%ki(7xY}N8W~pq9J1bU zbRgz~y>^h-O;a@y3FEvXu^$zLrddU5R^=?B;3hiECo|1wdJrC$b(qhj5*S?UtKjXC z;QKxbFR;d1D?eXfd%^?i0mSgrroUM;w{^yif9EAQ=U;4z?zoe#Q{$(-uZdAHC`U840B(U2$rkkgc` z0hN{Sp&=ps{(sW~5rOSJFpI=i^5gp0cKyL3F~S^YRN`D&W)8}{jEa~64L^6zDa1I7 
zC?fneS0-V^s81cYw!*Z9=_wgp)?o{lDQ#weiCro^|FQY+YFT%;Y_R~civy)^7zJ7r z^D~NG2I#De5B5A4Py8c5&I#$H%%s`nT z_J|U)np}dWX&Gc@IwveY`&AJrdY{AvQq~ey3+NeHd7TqF|)bq(E^g>1F1MM<;CETE~Su$RNkZ%QH%6&hiH z^AdqB@zZ!v<>G*C@#PY>c2WTsz78~?Wy6Y^BuVX)IIbc><0259)5@q0fN$Jxc4qc4 zn2|k1WgTXRiCz5l7n{jpVnhFnzp@AK7f^ChwYytyl|Aq;VcXXsZ&@wfwPOqalVu*u zp)t8cMTpMP+2`cSlo2eVR!cSym%M=A*#o(Qg*{P+v303fQPxpe62F3sXapf+R)z$i zgN#w=GiHUGrh%Ce4Q6CSQCWu$qxCPZFWzuJZeIeg;zseZjB4`Zqpsbt@WVzVbB9 znewyvk;P9aF(;7B2-Q&rCArPkiVv4xnMh~6J$Kr=R_8`!6{DC)anq;<953F;`bKZN zUN9_|i>{CLIGLWy4d&%?UE(L1CO>_ZDQdoD6>r|2Xpty8XIQY1abpaFEFy85rBD`} zlC%iQxQGOazTG0tL~t-85sb<@EE4Ss3#ZCR3q*6!&^f7V`+L-I(A>AGTvt#yLtD$8 zB$e6hw>N`=_r4!=O%fFIe2ax+XuUG~Fo9<%$Edw^`49eEEO>xEs?`{#=b3|9gqTk8 zfAKkmtxFh&5vy2E0-&pnqaY_aO=1#cF)-amO&L3UEi(%q%*cYHvJR_2tEa>{HPS4w zL0;2Nax?b@?J9So@|0VC)GQz<`=BUbmi$g3a9oP$vh!Z(XxlmaA^-8xBi<#z4VQd2 z?|xv3{-SNE=WO!eEyS52VghiTIjX-uS>D0o)lE;Z2eZg5o#H2OK0hLO9+H$qb}EH$ z<3wY@mW4%CST|Wrq99EOzn4%#OXd^c_6z-@jtk!ozYWane=sBakIFiX#aVTB$r^CL zoRA{?;h_qoXJQz*|MkG)1nAobC~gKL`F}RJfk1|&lJrLcXk1ia!LI~8 zT!ghk5JG+6mG@4zJ`rA=5WVA*tbwlLky^-7mSJ`|o}3putxl%W#6?C}-#l=DOI%wY z1WOf{#_r*<6(;A~{R-?*P`Q}F6tZ3s?l7G90;E=7K4I#MC(D|N7VF1k?q>gLbw2M5_TPpJq8J>aZa+NvkBKb)3ic{83;64T2d!160;wshHSc zpz0!KH&c8V*`8d}42le+y1vNsM)-aI;J+X(|2o?x)5%M2V2D}2f$%J5AlQ>w3}iY? 
zAeaXeaEYJf%&8`scgq7ut_KZBAk&E_6t*&X!?G}oVp7F7wQA!msUiIy|$_J4Jy;12;xZfQ1Jk~H8*~?93_hr`|4d_0g z8RCxK_0^k~!VWG!T)gK$a^M{w*Qs2FiVeRWLS8v~c7N3E(nb(M^oSeZ&B}Q1v zEG|u_xI3q#m-^gn+i^aG-igMV{m%SdBLdE1Ym(n6VkjuUAo8KnY)z7^;HN~ImV{Q^ zS|FvPo62d%n@To0R}R80@wF`cUR7I?eSZuWIx($+f~(W=)z3= z@Gq{Cc~pT25Db*8C-gcTM0i%}4uu{S6KY9up%Er94>;fw{}cHcZvUNl^I*#l0te^k3N3pb!(BmU+z1Jy`&2fGXv~D+ug2f)zDB^?Lr>^`uZpF4w(62t79?0 z=^6TPUWVQ!KC#IQa1ASCoM(S%%D$|MG>U6}?}&jhg%$j&9r=XiaU8QC?4Y<|3-EZYZ`ImRU%*^1#Rs~lt$Dl6`n%)~?;k`Y zT<+Gb7^$s=|E#YlWXl$U$46y75eqpT4}gk{u#kCp0GIfbtNCHxQ5{soCCp;S4YUD(kQgw5ob&*Q-KNSHE1?Oany#bZgL5 z@AA`s$+L!!!}Wi=UW&W&>fI z0mM*FZmWrlj4+gW*?E`vhzc;HSLV4Of@Y#OjPdL4yk7p+N4WT|L-@~s+0nB5GaU02 zsewUPMaO0d1hV+0B#TH<#X!FUU1I7A;#hV|F_ZM+j3hlO>#!75tnYknE3`z#-yAkR z8UnD;LV};|i+j;0lmABiqu1!iNaQD-^Mr|U`L=4;`%dOKxaHI^jIuhyRM4Q$`1Fyx8yr0o)74cJn! zAdE{I#iVZ1oWu#gqL&qStpu_RfMrpc*sZ}#&WAIS^Qf%D8ZfaTi-DU0CJPl|&@o&z zE%!F-d$t7>*Z?wl(k9H2g~W6kdjMRgr{~kddHHmg_{2U9eY$Q~TmnF?r|!)kt7hEB5{-yB+tWw2;>$3x6;hoCNB-m40|{u!;Z>2G=4_2NL*NZM_8ZKC-pGB z<0Qc+YzG(R{+C86exJ-Jp=7x0bkbaR9Wq-a-0sWA&4YmCysd5ly{Y;^NCcR`i;266 zG5+JmL#o??tYcG+D<6HP^8m`pw^_!9o-BtqBDL+pBeZgv>fuc{`;sqIzY3V8pPsx& zMMjwVyyU%0{4@~%4}O&OH=v<2{fXv`Ek>TvB8;n;gh>^WI4BxI!^VeJ%UKmSEKWkl z0cNJ*!x?FKRMuh6)9U?Ev3KijuZ*OT9bgaYQ2OZByLP>8&$wsScTQhJC$l zg^Sc9@LCUS>zDCF>%`V7E`o{%+&ZJ0-?-wi;)Yr02`Qn}x+sdI@EsW-6D$zU01Ke9 z4(r6k4tcR0(Q|B&Z)=5V)_MQKwn9DgjGC+u*7X;G!IY}o^}1ua$V@fZq~3PD1|pm7 zj;m`0=Q~uTX<`85_pi9+X{L_>9jD7i#h8zWLN99Ql38-AsL%*&n+Gp&iBI%vl|}Vb zivorQM;~mf9d>&=&FZiRw5<)PLHY5*yFugPh8|H^i

6v$b)bO@&J`} zSRF35y=yD>dT$MmW70n(m;rCS(e@@$pgS22G%{ERpn@aQzQ?Eaek>P%>^6K;{quit zpIF%5f9M)l`92gWUoBMiq%)EuJ1*b?X2%YD%u3@+Qq^s zV3k)@(I4g*{^HEz=RPa~RaNWwN4q4=PbEz$#305*&|#lDxlNruLw&< z;nrdLFny{;QiC0RN9bLy$i;+vq94xkWR&0a@1gIb@s)nW7?07f%I3bHLhel|nun%w ziI3lubf%Kl5P;jN9Obg1$PR?Qb5aG2CP_)+l=2-Y&KvIUQ%15nV{sX0N$JQ%MkZ1Q zeX}t;&@`kBD)x58J-#!rDTrJtu8BT(f4Dsz6ow&t6-t01lI_xfh1;!p#e^Huic;p) z8n`FmgrM7Fj5uJt<3D61mi&$rt z+#&lC+LgAf$|m9dP{p9Ou4Xx*e$ugwu zIK`iM9^zKRw>2ZVc1!Q{twOW-4BR77|8RXKf*CNv0307a@^Xlw3~*Zrfvi06A@1k` zyeu^WvWX(Af?VqkHqF6{^He1p)DZGF8yq?Qh4dokno9a&`Z${|_Yz$Qua{XHhtWc< z$C+q6B;U}OJ~d*{YMN6ywF#E55D6ke%9^ zRox}OL~d0rm&m9X%kl{hts7VkV+TjJ!YTbHP@xf9;XLS=OMJXHrZ+>v)%vboF#a{` zUGTxANk;ZSYz4ABty8}#NLm#siD}LEz$B@OA6H=+6;+X^_JC|;;>4mEI5AY#u?M1J zdJjB`q#Sp5#Kwle5wIcey#Cve*9*AF%L;mA^FT(lcwoXq5*_Xa$LCD@5?;f{AvX|q zWCO?yPQ?Ds2y~j-V2|ywUkrb$J$9WGj5UIwQ}60swcZR#*LGF&HK<`z(wmG-_jv5p z%`1=JgZKPf*sV8h1^bAJBt@bn3uy9OF;v0s<%P5n^ z274>>E{pYzIEdij>?0HH>W+20_D1>n12>w^!+<4hAs8_j!1_irIjv+RGqBdmU%%kP z0+S~{Cx`r{I5t%hQ}?puNBH(wAItZa_jqc*htDLt5cGWtAh0O@aOOP$OTgoQ_yYL6 zoj^^9&%N@#K7FH#ZUhZ5y}8+n8gG7GYU#~t%~!1wrn6Oz5@22LfHspqn6YE(I`6*4 zsQ04VSGRDF5^)?6QIlburEnHlCtNvmCquT9DV#p2(1^`s9#YUHKKAZ(cu#r|Sk_HQO@C^pBF3O7w-tt{H$*8Tf<5X^z&~|N;osv=H#Y4wu$qdf z3)K(v;Y;tr!=tvH_d%mdxQ9~Ribv|v@WVSxW-blx(h=3&NQ{(-P15mCWCdLuO=Fp1rURe;bi3>Zv_AE;P;)_eSUkb4TmAcUtN!C6BF2a?l} z=P{9yeMF$yZzaxut=^8G^`hkF!t?#7MFZ$k-T_w>{;JgB-E`&bW`858t6`7$%e4t8-8*#@v~UhSI2*? 
zV}{+~NV`5mtDJUqf6>SlSl+i_lKiXyELtl#(Jr10A|`|FLO>0@b_a1uK)g`UU4Bt$ z8&L_SNej)z_x@|WV*Sh=1-@HJjo^LQd3>ptE!1+W+lFf42Cx5L9^W5Cc^)`9;IM&H zASvP+ui-O@8x6QRD~Q3sP9%`*+_(XNdeE+Z-6*1Wcopm>aylIqDl%e|nSnXIvdo+& zVV;C3dzGBy&v!XM{o4PPTGvAeWV6a$~I=e*u@3qX1MH zxI`=+lX}x*CFHdlpbZ^#|CMIk=NBGZHgFh1^6XK!18I{3aBK|_7;a=swp?!?Am_WK z$~^WfxWhyIQ5y}nh9$p0v>V6>3quxY4l3Cd76T@YpZw5pVY}XJz}5by%gPt)uBTuW z1gC7rpka!9Wb@sGN7Tv0E_e0;y3YUHu50M?u%a98^zTH@p|#_^s4Lj)Tfsmi zIqeTSLtutH1<;BLjWFeT9k0-t%PPonZmuMuKEK&lG$Y)IBa#FxDC#=m23^=q*@T5g z7y#{LQ^p2znX;|*(->36U%+L`C_L3_$~IW)d$uOS3HeAbMTxC60>rANj`JUXlf8zF z)ApXb+|0W%#;+bUexwgaB8oqSB?}cAq4+cKnOByXS($}l9!4aiK|S>;81*2^5PotR8fiH{1P>RcUnb<3^-`F z_AKpZ8Fw<@KN1Gu5kI_ul%(yJLWV!VcL652UxTHH(q6~7XWs5%qmWDd7A!OPAg^=m z;CLRNou7j3%}V6xTe$4P=)$`tQcA?70P-sULEJ7L_<6`j{$k_;)T!J*j)+tlMUbj+ z^6|n6+`v73kQk^QPR@PWTE_D3`E`$V{VB-3^(Ey8rI<~gltNN_1A1(u?vepcxtBrC zP4v6BZ6BzRd;5rIAStgbGt;~Z)2b**6jJU2CneO#bC0;lX%HnWin82(ZpJ2_F}8QT zdd*++8pWf$w#a`Tk|{%64%tC$gjIS6v1}lixO)S6Ea{yadj&SEV%6RbqxYbe$F$mg zM%%uQKUrq8YUgy2T|5J1cV(Gb(V66gu`DDpF!RzlO9{}KGhMaqdkBEmVhx?L#Rj@%5YPp8K!Ve6WDa)d zcAxTqORy0iGrm#l|V-s)`W2lF* z>WRspqMkOe$_VvDyIwif^ReWCdX8QhfGCKK5<0TqF(UsD`WH$ch-)$TDHiLJE)G>z z15{pl0;t5V_$s2duB!dEJJuAjW`Y-pZMW;K2<$70EZv>Dg+Rp9Cp^TA^RET~1rkaw zf({b!1oa+!Q4S&xNCH?rJGyPxZY%yl9lQ37;k@uH-7S#XGb2Zccs7u zZ1#(V_5d}i^X-1S-YATwT-I~7x~6}&TkE#0!;Nfs9<}oDO#P!6@yA8)cAobyrvfge zBIl?f#AyuGtk*jL$71mfRCTOd&2;=#JOh7qWtllB1gCaFlG=}K=52yW{&c_iddKsmiscib-)N$*&N8N`Rz7MQ<6nNRQZ0AX0aU> z9-DBC7)`LBqN~^-r|2p+#wcCIgx$J|Vna|}#Uy%Ny_CHuyvGr;gP79gSFdkVj;QMt z>;oz^LSbiMAFeDj2ds!=8YiTvqKw25%Sc(L0ZGHCjM9V_fdl0no8W^OX9v1zE2z=w zoWb0QumeDZ1#BK8 zX2j*vbPwPIn4a1e2GP^$+2MFzb{L&Gsx#lu%bKKR6_B{}Ba%~^6IO*ZDw8D39o4b1 znH`RCUYF5&Ix#Pd%8k|2$$8-?k_UQ<4ckLLsrN=4=3j@y9IBw%jm{pmA|m4TEK-O% z+TI^g$LTrScwWvHojIs#nx#3gIRaQAPHK{eQB0DwNomTmFi-6Vd}8Ko6D+qgULDaP z9O{V5jZ{Ze-l>kLq^$@X6(n6_cw|k}jyK#`n~iPTw!P8DwryiKwrz8gjcwbuIl(v2 z`~8_eXRcG-Rd-capRT(5ZN`J2wwcOC%af1|_e|JXUFbuos5W%Uy%+b&Kf!)i| 
z@#Cr39UFhy_`DDFqc%`IJlc6c%;QV|BRo|RQpaN}rCZERy+=n>^L-|1?LrWL>PPKoIc;fsBuDMFOb#UE{3t1-6r<1lEOBiS=4c%0Cu7hpFCe) zmHJYT#021(zy;-a*ukL{B0);*{PL;^_SUJkCW8qO2)4h}q%7$7ZDX z4kH(_f#chQO-&SO%$eM&!g@d)tWr%sH&=d+fIOP^B}hAhE# zPpYd+P$5_)6kBG9OKS|)ci9m!v--p7!+BN26_RSZZX|dg^>C3ht4FA5d5Ftuv5blJC%^O_*EZ zj9Pw$nGSvELzER3i|~2bs59x9&A^>g4r^LQ!5n^gEs=g+y!Gm} zu(>WzFQvHqy@C!=`TI(BYJm@S#e*Rb>@zY{l*{qQY&!C?9#4%pn4_PH<(eQ$nU$qZKNe5}fzI>ubM4Df z$9k&V$|C=!daHjs@cyi{`=jd(2<*Nhj2qmorK{C|B1g!eqU5%2GgleF93AJOuvAOl z@E=d$tMjHPPuEqv{jrUX1VcD###FYj%ztBHZ+CjO^8*G?zFpt{*j#keU`-8d4@Ss_ zz}+r2V%W%cbw3PrpAT&CplxN`_8gOp+I!Zpx{5r%xioR!3$hu+!jp?*5 z!&5sMDeH5^-Lx*6$ua9N3*E|wkhwE1hcZ~xDk2_`-N%P}F@ zXvLe{d`-YT+%Kook@%gcU}v0~A({{|l=ZA21|g6+kN8{yK{^^OPRsqK`J-OK23$oZ zovQPxEIi+y07hnZICr z&ot*iqLPyfCFVQ*P^1vCN*Aq=?X;bW;s)fd!0P0|z~XFasbHH0>M2pwLR@rO<^Al` zXxG*3=V*(wQe8zBmwQnW;u8^VBu^eDlI-Q@UUGruzox2$4TYRVdYgBgtHc*5nknjK zkXXZPRIn!S`9O0K3srM6g!_VtLMXIQH){^zAE%9hY#_}o#Yp=W7T7`>HI^2#Dqwn= zqk{9a=7gmCXI9wa>)5p&g2{sGG8BV<3U3OIf4jchTVEISU06lNq<(P?QFvx}E z!)XAQWWNI~Z4Wt1(*Y;x;#=Bc|Ae>+%N+Cw_%6Vrtu_DlpvYIe%FCMm6bmKN z;S(W)^V=jxv1FP&2M7E_n-R?&t(c!T1j$_i$(^!5mx4=Zi(|29%=lYY(U1krZUS}5 zW823uXC7>uM;fT$|7x^sDTfsUK4Q{B3(&}o+vZX~$QD0H^b)DAm>IKc{a3pFi|Jd` zypDCX^iNXW-0eADX`}uO7%Rl~v-?;d^Y2UQF2tLYw$(CbQ0K8^Iah`X8w6m2Rxa#^ zt(RxKM#!o&grK7i@3inwA@ikGdx&&AG|DOpwtQ~sD4OwtvXFt;O#-wI`M*O$Wnc$ zJfqt=G87T>dkqQQEFlsEeH?w`M}7^Qs!EK5LZc`9o)NKKqb*thu|~JVe4u^tW=kRn z0-|3YY3!`MS_-`>K&Ycv?{40apfswpF=9kw^07A~Ji#Mg~2n5RWM ze`iQ}gup*I%5&7Kj-ZW9!c--qr1_FG8-ynmnx>;n)XyM%X^Cj2N}|}`>T?rv`sULq zof48f;?lFiRWeq-k^3@HQ7hRnau*(Qcjyo1D6q^GF3p#31S~T`L0?CyicwOauJz$$ zY+v2Xy8;or!^xxM;6m2(cdWoV-pG%D_@E=^a&47Hs%qjhJ57C7-Yk9{Hyr#^vO{s% zaof>I*? 
z;A{^vFa3D!HW4g}qYQ;2q)DFoU0fiyKt_$=L66`?&!B)tC8tr!N8^c@Wo3=e_xPgqg^pA-Ub#_o9b&u z1Q^iWwaJnxg?9(Y7nUBIGs*AtS022 zNKsm{$)H}&oy;fZfe_Fy9tXe@RlV9h{VMySe@R)b!CV;Ug;#QWoQ8tLS-7XAJpnpLix0g?7hGGZf1Y|y*ysmxf_$$A1y=L^vNPhX8?O@aX*2&obo?L8N(PJ#aonoOohj(69H8`Kv`~3MqY(cX0`*n2|MO?UMr_kyo)G!GPT==UmiBC+ZUC{ zx6_1#$3Pwds*#AAP!CJ6w;vkOX*tppN2X}A>8@^2D2e2ejcmkCuree&?*T`QM&53G ztgMl%jiBf83JtJHHLG^0rRHeL@$oZsYM<4HNPYJLBWcf8dIBEasEH*VKP5$)ZKBLN>l8T5x31;&#IW$O)QHT&m#(?xxGT-i1xX?Ug+CQfz`;m#F z-%mEu!Y)OLYIw!rEtOBFmc9RrjRN-eC-4cx!TZDo1cG50kruvA&Xp?U@OqK+DxW6l zlNGh|i9V~HWP~8FMWDb+C2~E}{=?*qfwkckT2GwNcTG!|{s%&V4@jY>v@&S1ScAGe z`Vh*?^YcD!5p;Y*=Wc!tusY55ULfZ9)Cy7arS$I*sHSM)n1?mY#bUqP!N(@iB#Zjw z7EPy9DnuoDq=8j`NJn5gu;zQ`(cS(RP<*t?BQm|D6xD&zM!-yZy-RGD@#i7d&wj7& z-7DH>Xto~~(3cm`tu<85@d3n_g5$71n`AdV<6UYGOAsy(-E8lPJ`u&F<1vhMCSXcT zAV7>>988Sp5mQy@6i^VeWZ&~zf3h*7!di$Yn=}V*Oh6q?r@)Cx@(jXU{4s6?ue@-? z`!A-;i(zrWC1Xz<-VAJ(d`u;!*8O5Ug#Z)xP1A0Xo44KO3ypbRLEc$C`74Y62FAfJ z5xU`(H7yGd!l5o);0^1uPhwJ%ycSwuu!fwp8$U;4&}$>eWbq1f#^?K74=)d$JLM$T zbR@oP+Eh0wmo4-FbfiZj{1J|R3gq<5#kkEpgxf^ZAC)Z%({G3O4SpcEL>3{^m)mQS zgGI8Gg6h+DBv@@;oOnB&PI>%KlREXnTejMN)&`p%9|j0%oIq>{^q&Ev_|wTgkT@{a z*JVYkyKx~CS!_qVAIcw2NKIk^f%=!JLWR;-Zn4c%q)UsKX(cWUxS`ocY1`4FM+;;-GW5YUhMu=IyP_GBQux!=kbKrXs_`@W6gt=Ei{6MpN+r z6xk~c9lDe%hhaN2r)Xf|x`({tO3KA_*~;+iFPKsjEd;hLS(I(~e3Ig`F0 zHk-$Qhqmb2TkGLEvB+L2r4Qw*4q|ho{9d{`u?{j>tElALnTDpE+FhpZ`@_9;01&=2 zy~rUL{~UA>SbNP|2F`Q;@AKiQa3*R$R+$msKB|m^0%GKd^0kZAl;H zL3?-dDx4Fqx6onP&fU9%NcPv}-7dhH+|LiFWVfDi!7CxtVk8eBeYaeNfBNjU(Y`nT zr?2BSZF?Tauht5@W;(g9c#NWbikrbS6#O+Cp146D$;BLT0IdpnF8mrPypScff!+es zd<2ftGOgS)*((cC99=Y4u^V+W&Hwejr!{xnrK&B4sFtK%QP8M}7&Wpb^bB}>>IG71 z1UyDmaf(Jfg0FLz6p4czk$1SWiHgTrMJc7oQ`#bFIbdu|y0`Byl(OEEw)UIw%8L7U zR{9J*@^4DlzPJRffP0GntEIZfV%UAy zJreBayqUf;+${J1hv`E$#Q387E-NG@?bkq8wzyY9>2~iKspoQ3MTd4&8UqE#)&Yl0 zF0LF>1aFkd>89o6F@AYi7=97#7n=Z}oim(9ar zOVJ==`u%r@G8x@;hijtPAGxlD)aq6lJK&7rydYBxvVAnd=duucpyzN zQBw&sxSuDMnEDQHN8o|kcP{^ypG-V+u;SwL!|&%}QHhNB({U%%6h@2zjT230ZJBDa 
z5A7=t`E#4rCk=W{9no5iJ6Gve)JQW-zXkNGyAFRfl+|{ok#)hQJY^*O15vq_UGrra zr@p}YJ$*7*z9-%+Zbkb$2)Yw3iparw1L?{kGzQ?P_lv;L$D~$GlIp5t&dXvNL)KJB zLeoVUa_B>2;tn|Sl?#qL62V*K^?A0A+LZH2unlVUd@#x`rW2afP0{{Yt-s}gD*8`+ zA(x}J>!5|B^YTwZ7zeMj#xMp$#TQtFx%~k(#I>kGTMTyuZF{%lWqc|-S*L56n04;6 ziwcJ|i$;Op$c%b@b{Mh!{jY_Al3|#-g^VVRs-Q;f(!tILHXi5X*$NX!;jsi^Jt;lN z8G16h=?1z#^PLJmIgCn5qs>8N+N7~{@yrE#iLr5PBK5-&aVi({iL3ux&iGVp?oai+x&lo8mTx?t zFA}=ZOkB`EFV-L3f_6QF6^rwUBZHk}ET9#44pk~13@eV8Q+ZG-VbE1QncYO{;+HK& zJZKgqpjpgV0jTCLR3d0{b3`P>CDi2d8*(+HzuAKiD(DR6Ru>3=xb9AOcdvd#0?4=5 zmT`dWJRRz?rKRc7o|a}VX4!?Le{qQ&l~Q$O+dQ0C@@ONjsc$MuVz_N@xuZW=O(lec$MF$J~S ziJBGnVnjL{4ay+hJM9LK}hQiIq*VPa%07i#Ue&BXEF}&Ja z>HLv*xvVf?kSz%&R$Kx74mT*>rGDxn)OJ@uX2uu>Fu&wuc9XqM>Xl==N zRMr_WB2Ak$yJiy29xb3h%)ufJi{bz9^Af?t#2r-+7(+g*0Y2ODqZglC@={@gEd-VC z7L?9gO-@4$U9-G%v*QolzoCaF&9emlX1fW1+juYR__-H+;e6oU}Ab??;xZz`YmvFl3>{4A9FHaC5$lqJP0laC7rAo8O~<(f%Alm`s2EVP1vb|6swlU=FE@V$9$RXeRaS zS81<-<;&B_69bYz@|RoQ)Mvw>l+P2LQ`;igvn(=C^O{2MqW2yjd#WmNfURmTxDbT% zbY&$`px`dzgoX_Y?u`kFFB3fKqC_g+eM4Tm_rg$>CBW37q(N2IWA8I+3tzci?)Gtb z!*|f#@a|7jT5*^*Xi(C1_FNRYDeq|wm7OV-R^~iBJU0bNmuf7$ge{AX`+iS@;OXgd z+{l07WE#=&?j<#KR0w_sz4G>e`yJmZ9gqpkp$a`FFFb-jnlQ{2o*mONsxWhF+CLoA zwpMjW>RtRk<1=U1W7Pc1z3w?_-U@mB152|@j!43_vfSx z&n&aU5L>03nGAN4Ny+aJxL@eX)}nX6$`*3IsFt_-T-7s>ci)w&{*&tPv^f9R`)VR^ zXA-|WEH`oSD7b2`PEIESHlzeFQ(ZZ4aqW%uCH_;LIJ@aIv1D}iH->Qnb%LD11u8+3 zIkoMGhjF~1fI7dy5;j;Pl)Z_jDqqY+xw3PjOLIznEKJIe>IjYS6qXDawg2|lhlSX) zVZ{2+NDb?*pLy<7?qf+z=Og0zpfMZiso3xi>b$O{o*DUM}pmWJnD$i_S17X zD84nLh~aP}vfKE$9#R=(m>Ulk^#9&eJF@%GJ_(ONX4EP|p{j`txilkCXseV$7-$V; z9F73J^Y#zjH_L6<_W?H$@8KABrT&;>!GSo0%v0Gk1aqPTwP8vszCZg%ZF2?0GTI@^ z1@hqYE-5~^TjyEzn^WETwfN2`Y7y|!qsyo>`baaN*-CG6&65{=dZ`1-V9=|Bgdu<4 zZ|Bo1E9--yLk@1@H1_wCLq2KB5$ePiumxF@IY_GW;UM z9rzsdyII{%`R3biz{jXSJ;ka~TqH*;u2q78T23uJG!|q%32)bl-%-&-ur?#=`1eIh zas`FrM?-!h^+=+)KHy{VH{SRff)Dy8`oY@F5#b>~= zbA5;QlW>ZW=2WHLgM=^#*cT zbH1#BxH_F5r#dnYg9BEL?KjF+xS$P6nG_fOUc@lexJBuYw>CNrSqRQ62NpjF`oFs8 
z>+O$8RVkFx^U<&)%HB)G{(k80$G)@@mq8i<&mjv$unpl}DLa0vjl+Tz_eJRee;(Tz zM;x!N{!X}qm%5#Rw={)gm$9)qn6x@EwCTDF7>SVq{qQYquT0(J|swz-h zPD0;dt1_-Y=wqc4p|qg4whfrOsU;SL=k{iT$HhO5V246SswOT~9RcM)0!OD8bGNJ* zCT?;YOFu3%>bRgzT62iIG*G6|%t^KOo(*q}TbC{e58S?yw=TD0;Yn2I(}J79r)?oQ zO9o&Be&0xPILTVAD==YM?1_AlHczlIHYKHhR3h@fP*EbH!T-`M;_h_l+d z35Jrw^CqCBE*ID5St?;s0W;rkO(jOi;m1LUi*pI-`dvWm&7BP`sDAK>s`!l|k(QP! z;e1qceqYVSRjgwMk?Psew#R5Hk(|xEz47YMscW}~GwD0oJ-oHm80PL~+&LdNFU3*Z zVBKEX4C)BMa8zLiryQw?zGJjGaYR5#wsx=8Z;ODuTT<_lD0AeYD3C@1ZRFTOF6Omw zRmJta#q_r*u5}?Xsm3ie7b*8L1Cl+RtaIM2-A`Tt(6!#4PurD%*MUvp71cRx+BwlB zhB?~%O?(5fyR)y2D}24006RTeY+5HyRRF|?UORMUHSOHYHTDymYfhT^@^r$Lw1AHI zG{c12Mz*PChCnD-!WE+xPd#v1Hsxs3@Q|LtdF1(T}KksZ0zXlmiI%kTfh1txx{66hT$5;N z>_5w};T_I1dUNEC{B@xTV9dOpVRBWK!u|Izlz%$ly~OCC?}4{lpYdmR%jQWg`PY_z zkE{G`r8OXM$MpxUgjIr@lJ17*SIoGBAx7VY&_xONqyTE;s-2ln|S`amwT_UX|t zn{G{j^YN5p@@cIm-TIVI6&pdmW+UD0)u%F+s;o_r@;;uoy^rx@rU+8+I->6`MWiW;Y)^T-e#YD?pQVyZ z)ANN~O7Y{hMjbHMi}(~k0K`e^K)n0*T@d zO1hed+pX`f!nw!+>opn-*e$j^#-7}{x&8Klja9*z_f`!CMhaP`(AEzwJ>G!Fqt8Wk zXT3DcGAuZGZKo&M^9;CEI05-L{##=ps_r!wsL&M$JX}&Tx5wvJw9C zTP&*YF>^YzrEXnLR0h8WYTu%sj20mmJ$-M+%|}gB1rVMZa&&I&<1mlc{mBWjFP{O< z$3)h)f(;JFI)anwne0r!CSc(_oBWjD$7}hzdCJltbSQ(EH%sP5l;!b?4kf_3FkHSj z%bxp`#+;`yMC7n8anz6paFgUZ9|BtakPv*b`0|hMfH?ftAA?WB!Y&^?uBP*`II%3{hmBehX8bNJ*yQuMz%=pdHvz_#?=ze$cFG!Wc5vT&N>Y zw0!i<-`ZK-lX2P614|eT54|o39v^%KL~7f1gcK3j+gz%Gp$60SN6+>~6^-+aa^m$6_+94G!G5Ozm0n5RaPJ_jb@<>Ai zqoVXZ$5h`4KbT}hqkJgA|8&TYlq0OW`9|sNJSKF{^6%QRw|- z!I;qR?cQ&{H~4wxP??6sK9~fv+mWg7`hIG*9v_LgL(*gMw0Cr@&<5Vr1F*wIH|^&a zMSiMxLoS|)+wuh~3^SjUnb~6O7rR=he>X*KP(#sH51W}|(u>gjaX1a1Ckm4-fD;T_ zF`%p<2TM>Fa;9>_F+7!{(N1^9-R>A;2ONz+$=@4|FnifJvKw4DKLu$>5;D{S+o#M*w^s3?&o&UbCaM=Ps2a=BfXKeE&WXDe2xIgmC3zs8(#i;*N)yk^M#d`@k4KqT zBq71`guxLDuE;%+Qm<+jfJFfHuZP>^<6MESwd4;DK;^^YWPzT+wveolrYK|jPX@0j z!D#H6+Ym~8NsodIO!inB7x6JU*0L`J>FkmODUHa^De*BCe1rIX;q5;H32lQQwdb&9c{ zXDwA#aK~%Id^}dw(!rn9md4QG7>k>+2ug$>koz*-p@C2zQ!rTEg~OlSj!1oHgb~lb zq4n5TT}$@5cANyrV7F~_O?0=e3#4;Bru(uK%rfr`K-Vf0oCc%* 
z0XZ@bIE9xhC;C0P8B}RwT-iv#zpt4o3R*$WKh|zY;Arhj%O$j(Gl!!{Bq|*_;BaC} z)g1B(Z%(Ot3%QT|l#}>b9NlS|ZWX&j)4z}h!nluhCw`r%8+Ggwb=U$+p|vnYzzU`> zLjC!`rG`-h%8r5#J6S?WB+QfQR4n_PX{1!8*2)@c+Pj5K#KWP8e3>9nK>Bzov~}yc z5zK}hz{Icr_PZf(lfdLwfYp1(#d{ZkSGw?D>lZwrlyUdZK;rGFuK>9wd0AhbCJ1DH2Xp<)&on&ahO+7tHLJua4{Pf+NM)w%k1M-3L~G4j@+LRuoifxrSj=SW6G z)0!^_tILEwbe9l8H!WRms?4Sh{XFjX_q%k@d#{ub$N_|+oSgOl<|shq{4brIwR`5Q znbcn%Y4=vM;PSI>{dz>4bDpZv|9Dz>MfqEUpf?UA=^Xv}W71Z_0WJo`51yTBO+d}X ze-Ku04J`gl4gWdMd7qg7R{+k^DPOT<`1MFcl<;V>?IwR+ z?x>9^R&=wk@y_mhb@I5NFc;fGhrWyLuT633?Ho-7-Mc*5jnh~;Kvlb~KM#;~!LjMv zFDf+F(<}KbThx7)pnUkFhU}Wn)W*}nd@OW#xJGNESX?8-$ViZbMUYBOfVKvbY+^Q3 zcoLC4$^SNwXsGZqO+%ce)roO7PJl>`Qn?@u{ z?Cel?%xsi2E>H)nyjbFwSe zL(lr@pqcjADb|?P|KC8ke~P9U;M3`?DBOkREmoAfR~vqeWRgJ zB?h+`^W|K{jr;DlW2aaJPz3EoGPIF+!hSqVJjy|nq3YbG*fbBgl~ z#PZ{vA5O+f(QzISRn^guZ;gjX;k(d zUR_5Qbhq`lE9N4m&zgP*LP_|-45V@KA#wSnu=TrN>|z=$q{%5+SmMfaL;m9ZVMR=$ zI=2%2_=h;8y97AMfxI%x-*)4qKkYC{0wmkDpw?$Fox5HQYZLSgcAU8bDOC9L06g(E z)`18lpGH6Z*}KB86B^=h>$>22}p*;0^M#Nvd-Xo*NNH5ZWG`?j{A5 zft$`#ZhqKY>8|(Y8#rAh2-j?NL;bWD{7r0^?bYajyM*64c!lF6^o7^`$dfg)J#xUrk(G8fdB{-PHVM{ml)4>BaFkSLiE&p~>L-jeXtxtFB!}n#hN+ zVw6tzYP={qpv4OnVbJXU-$z)QIbZg~(BVKqhGnnSR#Ju(_{OhdXjDXq3mH=uJvilW zX;2(wuDBWGXA}2_I~msn-Tm^Np=W+~F}MKb{KzsTe}+I7w}@h+AV5EgQQ3*k>+7@d zsq}yu^X`;cR(#o`)8bZ!d^lyckDq@sRijq>5byfEE>r?)4INJ@{B7{cRbRlWf+GofuT^~k3LE~l((3B&xU+66m*exQy=#( zJ|d1zf05yL3oN&ff6z{bATBbyS=CungWeA{>?yKp*`-0Y$$=y`h#zAV<`sGqfIf~R z;AgI`bx`AyrEk>0&-_0}gC2adlS8PR#J9u77c<=BG^#K&tJ zGNxm>yHjCeoc$5K%uASMCO!?W`O_AL??Vig+fZh@7AfHn+~8`ielA<&+I4CTb&$R(otJ;ZXn(}_6?BR=FaTZ=GFAWhN1%o$y|{meartt zCO3;x@zdk=$LFJqf7zwf2;f{83=AH5E0Q1a@kuN+Y7+Bopt5(-vm8T{ z%(R>lbZjYS! 
z^iB&C)xQ`Or2rBFx9esB`}kvVyQYOe959X;@ZX;}0bJ*z)TdJCqN~rORmk$IPdd4Z zraf;nV%OD=^jEl;F2SKBM?9X-s12R@wJ-~mS}sNOtMM)7=jr3WF0LfL{^ht3)`xdZ zqR1|Q$3-&qbdS}=#ziv-u`kn=l85fadFr8RU?CPDP*E4{iBr?gJNUD!a>OwF{yYid zdM`Y1Bm0~+N9@S=D7IvLV`grfcE^WSGRH`KfBu&}zH8|MR-LFA(1dW|Q+xL1)@^kwFtB)SJV>&^ywd(BLsU77*PjSnBV|;o`DMG)?iA z!wJCq@F(}T?nMyTZSPjVnt7`Fy8X1e`gL-?;a~Js`XfBW1;F zBW}%_q3|BxZy~Y(pJ!Gwr{_oote*(IN!vcoIt*3H6oiKbSR6j-9#Pm$-@;Q{({y_z|mvFWt1;w@&A-%jzOb&R~AtQ zAoG|VTm=gnTRaPse*lnamM#TS8y7{gC^fBDA0w{czShvMJnzP@8M^@JJa?h%ZV80j zZ#z)~LDmddmFb%fRXP7W__C6ZX6A>W1*c7{Kbj6MkEaQzYjQ+T<)7{Jj<2q2(7)?^ z_)Z;?8{ z5AlB#AwYC;xH&y(@8DhlLkxOjC}+B6liSqi-By#Uy0*E;ZF`@d0aE76zpx0_O|{xu z=Vu=rBhV~)s>VIht7RS+4er`r^sLDcmWA@s9YO32}U z>-ViQfd}9Wi%m1hu>Dfu!IA!wcU!Pa;Yn5cNsC}&&S-D)rk26Rl5}r!D}0cUTNWzY zBe9sBO^dvuf}Bm{cZjO36g7glWe#)p8?7!@ze8&u;T4v-9rDkcFhS#)je_7UzrR1x z@=xkA3u7IdOE@f5eOJ+!=j?nlBXl(Hk@xh?928+CaZb#is|OJ&DTI)|(E7qyYZ|1b z-fyScPO|DVx4-azTW-C3jBWDPApVg7Bx-&wW_AVJ4cmSbG}|7&NKQk5zMAUR1r$z4 zmf}6on|KoAQD9hF*=okI1PiUIpjpY;-l>_X6@Mlh;}B`RKtk2@wt{Ejd zv<-N^pyy)ahiom9kljJ{dtQ26E!lNcO4w8wr}aF@qK%A?Q%+?vI_nk4h}EAru!kCi zHp^_B8nTinrpC0>;r-~^8+i5TV{e+kl&In6I%T-$ZlfdkR_3k zo^tcu!N!oE;K`C50WpD*ecs$nR5zH#7M!GYD09*3~G5+X_YeN z-n$CoX6oeT4vFIuDeYdG?rNk$+-S)NGqK^AX7&f%exQXe6DiG7q9>z&w-6m7x{J0` zO*4Xx0xP8YH3r))1n+v$cSOd#%OMZalwc^RF(RRyy*Da@sStsL%2sML&8~=sOa7zyB-#+sV&7&v}vxMO|`8<-0kt;C;L?9RxjXyC&+?a_gO7tbGfCThu;jgT$~8_9}5jyYua)1{y*6O#`$~0m&R!E3sKa~M8qJt=bZge;CW-@kid=ditnK~woTht zD#M8b&h83FVtIY-00H?0-bW=sNATQkB~_y@3m@l=PkI_XL2xs!CHl~(9^a7>|G?(D zxXWX%nS4&M1L1@9*-amD_UqyFGx}mrC`R8Jl}N=Tt>Va zyV+6~Y;Y;axG6^eN(hoQ=dMY?t>C6FXYlwQN|B%FWAz8T0X3#5$vi#YRsV;eu=@Al z@i9qQ2GQXdaSjfBlvT%iQ$Jq(?rMX zxK6za=MsN+;Mo*WyGwDD9yB5>xSo7|n0+u_Fx~)k_*Z4lP|9>i)ClT(-q@9O@$YCESR^5 zvN}*gDKi}hUs0Fqy#>@AKi(X7yf(Yqxhbb5WsNqTV))Q=+luSOiI0_1^ z;*ED01C%=iI|BuO3MvSOj4L;^80+2Ol3`}W<{TvkBf}_k`?9tEv-|QRO|i!Z6NLCA zsyU-6{5qRf&Ntn9kzk5Yi<-=h&rgU{v{E8+!FTi^mT6f>9KFGNexSJxhC3SASW&Bx76;u&)F=nA9GR2=%DNZ>0 
z8Ui97xIAW6p#x#5`9X%16gY-qS`myn7ng_Q(Lnu)-7&YyuJJEH9DcFMqC6jaA)@YueV>5?7h!)X*;1y$2I!<>nM2X&ZxoX`+)FH;wx~C zPBZrsD(C%>+61Y(3WD|rFNAIY#LQF8Qj4O;_g0%=OHym(r#tZ!PE1=TZyOp6wkES8 z207sh5f0BqDa)d6-QV0Xd9;MYLErIN-7b5FcncEXY4Eo4e1ClmswvItiJdbt3fc!R z6X^}Dq_5bz+Dj;rHjYo~fl+Q^;x^4R`nN-Pjx_X?-Ynh!%)twODQj^OQ(OP`=Lj91 zGnn{IUFahTb`h?Y(;(9Nd583Q#n(9^X>>eR>+ne15`rE;A$1n2;n_LN*^u z)KIYIg_V`cUMZ{hn)ono_@es?yXy=xWms%1whIkYuM)A|d-Vn8+#@@=XgJuuK()_R z3zHqd)27THp*8sC^Gb7U(HgtgIZuG$%r2L}GTeXA5J-q>`P^H`J+^)V|HHktY4&R9 zlc=-}ukzICgbeXtBR^vyZM|Ctk(`%mjpvQ|#_~!xmJk;C#bI;_gPN@-vEFP}T^O8- zv-i<1W-+(v5QEm|r^q4GRGm)SyaG{6Jb@IX$WMyAU4 z6}|x^D@jw%1MM0EIH69d5j^wWwzo&|4^-2aXi4WGYtplXgw8OD@J<(n4x-Q*zQd@B zFldIUFmS&^QmB`FZo-t6DLozEfgBC$fD;d(`AuK= ztuMpifOdKiM-;6)9#f|j%4Q4egy^b1&cg+f5!Q;RcgyvQL#LDOp{N=wyC+T2-=g1` zlysGOhN(~;pw=baY~0H~Ui9JM4j`#L|49|M0sBdV!xZ%!?57dNzkktx`@oq(zq*4m z>qZM03xZaL)wliYv-|Y!hOiDc6D!5Z&=|hs_~1cq4Ss(iRbNy z(m`N8=!6&;^c0GO0@7M*dX~Y%&u|B<00Ton_ukDr#)Qx`J;0EVQ8U^Zf}4#fA(+AQ zEhAmTot16~dPTaEHr|OOO?gGcAb?0^F)L{;NnSa+iQ%0x+zMwGBqszUhi=T6G)t)$ zY%Ca6K_JPvFL#;s=RSbt{3d9p!`3@|Hi8=C$T}50)w<~aczVb1NSo&kG~A7C+qP{_ zu))T*ZQHh!jhziQwv&yWOt`U~oOyr$bIyn7)AUu{eRp+tO?BN>idT0fG{S~q4zSw?dkFWLyoQD@e%9N@0|$oQJ3g?RN7A+SS+M6U4zBx zP(dNpu};}d#yJV68qJVqRW(_Bjn1*e@~^}@v;rAqC0~z9`4t9(UlRk=VZIAf5kT~| zMB-tVXG!(cAvYw(&$ zU_1&d_Q!}}sV_6^?jV#PR!K*4iHyb$cei=RBi}hKdB4AkWj;ybxtetqF&-Oj?(}xI z)x95apLMvml%4!D7Nxy7)%*H+A!pTfv?ymM=iiyUd^S8VRe1h1;H^;SeyJM8n+_Qz z)OE%8{pf^|jcnD~IuZDJZz)PLj0UELbxY;HKDU{~wtAwVHtEq= z&LpjEB20wLNKJz=i8<^lwjtWVNgB zYGiyr^#>OXCOP2iy?1l&T5tDLC%rbCQ#Lo^CX3ly9)_r;YO6RMy5}AOpm61(E`Bl- zO*b)FW#0vx%Ha>NZ71?I|AOz&l9|l@OXZr2(=@q6-Y^L|9?Q`unM#7e|KbiZnhcCT zZJZXQyA(~u1Y|QKw1{zkEn*w?Hg3mlfHUO&dNmyLYJ0Jr9?$3Oqr`hRr*>eRJWSwo zaiKD;s|DX4koE!cD)($D7;fk&mdD$C@;QxgU7tX)EVyHH>}bNf*wjdN{yJA>NY^uf z^|-$x-|9j_sD&PD!)L!(`}5(gIEyyKW>R5GU}`i;AZ=EXEnj=9ikVva*siSg7e^I; z9wi$;4L~zh_o432S=v-BUDyQri^s^GJ|P7SnT{)KR^sf(@8P&+&KT&|L%Q{~q`fF4bA2NUYh>cPBV!Az89@8e^JWdoo;kd^?@ z54}^Wl805Aax~N7dbXByEMPHYxF5wVo;Q 
zJ_)}C%}T565esBXbEzR?E8zVW*(_(jZ#-cF7(EYatXw#)_RRZnn=c728OHV^jXt0K zVa;dk3=lEA4H~mNdGP$r-H>FDofDCs~{_J=rmfvs5ler(9C4a>O7i3>k>=Og=o3xF0{8bV zRT>MyNrM3l)JLgbU#XW82AwNHKoigBb{rygmkG8MxM^8RcAEmT=|~wfvo8}%BLp*z z_2&y0oWVh2((vzu?8`zR|LVGhF3K#j@!-tglguw@S;c#8fGYaeQWtx^r{~IQJc1r!@ATsMh1?1D0T>}RnY<WtD}gOOdP^vpO|7$c)B8L%dIzevbc4zhEJgITe<16;V=k7E8L5X6w9@sP_EU z$IT+Jhs#dHzCRcSPgMv;-%Jf~{{e=f+IM%F%7TP*+autmhK2l+1?wSly zGul7!mT>f*@pqR8!7^S^A#~?h$@}Btv7<4>p~Y7pZ4ic{_v-IGeRpC^9{cc?jzTy; z5uuIr5~>dZt<5K3(y?eOt$(0V6$UHY$&smLkJD*-iGIu|3dSZ@5R-~QfbQ4jc~rCt zQ6ZV@n-sVo4hRAV0!^RlMVgxHa^I8k1ZPRP8P=!n!6x=A+%y5Y}g>{IxB59 zjq*?psweiE<|Cf9M_jR`D? zv0!Z!BCwZlM3Eob3%{$gTS%&L%rPqi&h#=c$%~7jX;b&yCSn#<0ygHoaqd-w#pWPE zModjf2$9M-NgZo{VnH0-r&bI4&xWrv^(zT#AZOMyO|-YJ*LU@1jLJ$%Mp-LW#Y{l% zb+8#lS%;jO5pwN90HqGH?By$}j6FzgQlh9j0ON(@o(A#_p~!Sd9=wKF#BbMWMgTvL zQIonbK0{udauZLB_cK@%Z-T2>Yx|~&3V~K3#Oj(D6H$fG#OR8e`8cDrA9M|f2wump zsGb%esS46}GZm#@`e>MMA3)~g@hf+{KO&2tJZ<8P<8gUDALA`&C)>&pCq|c-?qs8@@h*i!NM0SbCVn3*Cz+8wu z0(@-1jgbxRC`3s%Cwp>+nIv8vg^`?%D!b2InWEkgv}lmK>CjZrH0Vs)FbH%<)l&XW zh6LHS>4ucwhnVJqzdN?}gg)_B{Mvjfc3rvj5xCm3Ay}m=G=mAh%ru67#>SL-;+eo+ z(mmDXrp*PnHd5|%zo8aeBfcxIh*m!i85Z9Rv{mI;qoDX{VZ{aAl)c zL6OI*inrT4i`|i#2$ZCueSYhINR$JKmjj6pv*JjLmiuP-uShlN0Xqf9(Bpy(_{rjY zRoin3oM4^G*9Q^>d>Bo|n{WcAJJO38YG(Uf%oF0LiZu`9PyleEIW@a!_Zcu15jEx? 
zFf~*lB{DD3R#ayTTzfP2k*DW6`qlIJ?$7H370t>(@u@#(NH8i^oUInqCN-X1s@lIq zT+hH@C7xQPj)b^e`N&i#K-iFYJt!W6O3aQFn{R;-h?;@0Y4T3P6G$#Zx2bwByJh;9 zPNDSzyS<@d_q?%_cpc`9?jBdK6TfqtR7>pYWCq`ny7i@4<2owD;l1`aN?`TTSCQ0~ zf8Ns;m|ezj2B)KMo-FztX&K4iuvDpP#uz#u#;ug`YYk-sSy^)5WW<<1J$i`p5Bx=f zvCkONf#FphF4`ZI6x>aTv(^~#T;;HjpT~nrscTY-+7h!}u4P5{Eqa~8Syy$<`)O>qIPfAow5a~uM74x+R@-ZI# z7BVh65D9EA5%XKBNI^$2QM{W^ueH+TSO%9bNCSO@!@~R7nDtuArF|8Hv`oMbxA3xI zC;gn3D(7)Cu=W>}cH~)M&}1RF(*uSmA>kkV8U+9pTgTvH|y3av}bCAa8Bat zNC5*|U(ts{5bpDJTWAOckTeYTU7B`1)%Yv(QtRC23LcnSlyIH1?w_y_w=fHHcWGfx zLeU&UoZQ_qob>n$7@cGa=9o#b^kj7TI`D?H4+d2?sfbRW*B~Z|Im3*JthnxNi8hZq zp*|Y3VDhJpiSDJwEO@q$;>-GrwKKd%_{{V>Fz$YS|j_NL^GwYlOholYvc6*ILA!J??G{lzJZn`RRDSvqZy-jul&-$}-#BbT4ktaNu zRdz+3P*_pw+An{FVC0CV2YE%oroupldpR$Bf`yJ5=9d6@i&9J#owNSZwx?Zwy11>7 zz)l2cF{f8+ly%v5OFf%}Zdg4g@66}ZjIBN_-u~Ga3U=z%bk%LbF5)}&Ok8+(X7en{6d4 zjIHC>+X-fn))42P41#vF8^e5r{5Qk6D7~5U;AkH5%qe`xzKLFA+=Ww_+`9y`U*I&Q`*!*lF+!x^~?ym*Dp*MN#48o#5!2Wa9(a z##^YoifD{zt0Psy$ZF=|Y}*xD@0SzytOSSL0uA3^=w3{Fl%|TF?oyO}XGsdp@oRKp z>>EXyrZm~@jw27kq}e=YBZQu2BWU_ph+z9_n{4g|Fh!I9wtD&h38Y8)lgIUK6eb-N zn-3zXL`zE7Wtb5SACM@9m55P}i^_0V%8FU*T&|_zjW2O+JH}=Xp3WL5qx%jeQ5*t= z8YSnyz6DMYPVu>mLjj2L(9zdWwdU-b*&j8hFX69$v zei1?dZnf+GiW0l+y;xjLLx(zI%M~vu!3nQ@Ai11Maoizzg}KaMk>-|UHsYL>rqi^z zQ5j<){>TE~5J5WS9r*{y8iR;7!a#-FZPQ0gFw8&&K6x^mfz6x}1%2gxbRs4VjrOO( z=gaoHE>zlT9}gXnx5t)XG{PDy^_LDObmHn``wy&a8GE*5?p9UR=BDy(1c`h^-X4a& zn=qBrqMdkYN-i0kv_=A=&rKQ{R#>pZu*|MEL-KQEJ;bH_-^<&y-4C%bCT#gVlOyvU z73Mn5`qtTEWv16`^s-Q;Bj&B4&M%5Za1Im#v*Gu8ScO+&nfELevDB?kaRG1#H)^MB+$^8d-X<&|4dj9v=N5h`H$zT`yO~4-5%b$^ZnDn5aK|#sd<)%}1!aFT@mqTML<3R@<9*QQ zTo-!^qG_-VJGt#8A(Nw}yl(=U{2+0^&)k`+DD3`m!wqmISQhnuXtl8PAV1u;sHZq> zrHJ6uUf&Y4ecl9jS(Y|)*PwxvV1A|8UgFMIm>fy6syM2Vv(n~>l{u{%I^e97R7;|o zrJK;!&}0jIAk9jL9&15aX1xJ@9VU(O;}MPVN;rC+tgzqr`b((3=4VLAJ5LwHiWKw$ zD%afx*X}UD8evpSPFO(!b%pVTqe7k>#Fy#U`@@Br1DEEdcdrFc{p;49;f$-C((OA} z|0LP|zW@cqS9Gn$wSOiXO2Y0B?->C~U$+VfJ%mq(A{PM{WO`jkni~LA@}Z+2>bi3^ 
zzlD@(FSJ#$Vi&!V&?c=ZW3o1;us=H{kt5hb!GavJFW_---eaOaQ6pP}d$5d)3v#XL zS51ConP-j5Czn+T1D6N#iP+N1vJc(*&-!pZ#xTvn>sUJkU*ZPuJE$8hwrjY#iVPeI@* zBM$hfGCk*zGpU=Tih*fV1t>L-O(J8@8grY87I3r?Jos#K+9akU8la`}U{Jb2=tWVQ zhwZ&3vSDrXP&6=-rMMeDu+fBnTd$Lj>AJJC%Zj5m`*QG*gdV2QM1pE#Qtl)3!Ear} zu8}r8_wj;>2jULe5}1H|bQ&5*ZdoaE7|=!-(O?!Rg{kIl;Qj99D*6O}Nlj!%S;H$l z!A2`KlUCR(d{IU#4$_8Ght&e${Jq>x#tnQ9jJBYuQ$;fRvcmP+h}n4G5|lNSyKb4~ zEs2(Dev!(3(+Dxa#Dq0Ti#LG-OzTAIs92(9;-4ur^HH+Z(y4OL*;MRSCU1Aj<|1W@ z@x{|h42x?G9|*Y#uws=t?qMSK-Z6Q(Xv#Pq z|25l7Wr6=DFQja*cw7CR6H~yZ7t*3k98vJRs>HDBLCmXL0u~^GTne<3;)^$z;FM2e zHIk4;V2O=A%Z}8wEVdj`9KTg9|J-omE5$wK$wtNe-plF*X)udmRA>NQiYih-<9wP^ zywfjvNZ`WmVv!3?;)PPy4Sk!@+H#`X>8Q-=<|jx}z5HMu+#<#!6nqBHOT7x`%LX1L zM-a5^1VvHRv8OJJq}QQgjcsVO^-UE1t-g~c4n>##$iw?IF|ZT}BcuM#)ACx1+LHfY zSH@tqLitXWp%03j_gPMHoZ!Lc)<2FqxPH3MoExyv7>58=Vt-+t^5~#0O%>XwVyv6IQw$(H1(Yql6sB0krO>mXk|0fk@gQP|YNU6Cf*;@xV`_$TE6pzkx-M|Jewuk2)Ce_4~xd zg9BATL~7_=l|<75^J!_)^0PRUMRu1|&itBAFS}cB--}QhXIl70XtUZBe zUr_c!uQLK?O%`x~9X~$xBZtK{KisU%SE_T^xo_1>hgT;kzMTKO7RWwgG#Z`zrK(sh9DKWU zv$h$GMzf+5xBP)c*JfX2nYj}l5lTfUZCSkkYmJ3VZY~^{j1L+sSFD_69vIS=M!X5j z_aj&X&i79&Id$d0@kORR?C~Dav|S}5fdtvno6HJxKvd1%GJFjs)L~N<8K=X!c}Y`E zO_dk`y?p`qHq(_LAu77yo3d>xi9ktop*PjVAse8vF6+Y&?{7z_9=fNrdcK1LbuAuL zA**&A=z7H=90e3-$A~qlF2-JS9I80flQpr$%KX4=QrERUt!K_c=AG~*kOm121-Pc7 zNC8BJrEX+Ru7@y1b@ss`kunWd)VkU{2o|BbJS8IT_fRq6fULx$;vkvp-g|v3I7}pg z-IW*F+Dj@+ni*vko|PY^ib4mZ^P~J|37OAUob{Ov_e)qG6tC=uSQy_Jak?B zk`AfVD#L>eo%GI@nQ08%0az#NUVXn-A+Z=9n{Ah#b|>E*LtxFXC5+)uD&FT zdlHoKfxA3Npv_zHo8Qv}S%h~Mwpvx(Gli6ENm^xoV}PhspIZ^ZWrYk#U&`sa50)a&kl<4RO|su{-a(myjvWofE=;BUYKO5h=m?2G4&h z`=auXk^uCa%MYQUo)fchK6AbW6ss|RdiCe>7{4+W)N^~XcO-oJ_fKy@nf_El?*W2h z2Y%__)-F(c)R*8a(wa%3E+?4X7$bD{Y~B8$gCR7}Y({o08&t8!ddq02>0Gk1-#{MdcX4$IsNvSS|)k8Cia zkj@K!Mdk0Qo-rz!oNlPx7^zR7~6CEv%L)G38bgp*kti<;?L+~qGL^hk#gd#2@1 zMHwZaidYXQK>QA=(WQF{&K$XDI&5B9`1VX|PdQH=uF}G^bg!z|N=O{STbCCee5zFIXQYBg;*!kOKafk##d?L`YkKQE?Ru-Ib~EZV&DE0N!D-8(h3$r$onG1( 
zaw^PA+Ks{i$wvr$LSv~i`dFnimiC@{seDiDV=sw*6QhmFAhci}5@m=&M*zytu|A>S zn5!M@Y>^9c00dM9cH^p0*{g-y5A6BA6QfDW73LZ_otAjwaz1lp3Z|HQRhBa8Wsja^ z5{y=0dE&RU#L_}V`&XMyjsL8Bd(`XXcI=PEMey(tM6C!Q!=gI|Mv0K%Fhi>s6`5P? z*L1hec0NnQV+zsd2+m!%Vl z*cr>inz;2pfoaJ)DfBj~9xHgfx;CDQ@rWH9T=DYa!zKz$JgY`2;=}J$5z%1^NC8u8 z6S^KZk~TgJEeV?zMeX!)8O+Sd&GyxS?7(F%AJRA81CGdlcNdryDytA{Fbfx;sG>og z-8~+WBA+w<`SrPox|*{xI(wO6OsyOm*i;D8*2zp-o3YHBpBss^roc=wb%BX>u@KT_ zENSdwV^JG%nS_tsl&}^iKmM$TDE+=63X2tU$#8Dg(DqqFbF4uW5FssdjVBys ziNVsu(#!)|+zVQJH~6|cFq5++rz$ z%b_2L!K;a)ra&ACbpg2IqJEUfk@?7q)g+XMLmGSDK{EpvhYlTuR2w{~lCBf3u33FZ zuy0XFFpkQ{=zt`0L;iSW2~L}Db|&&pM%|czqP*1nUjTIjq&+|*e%m-4Y-a7h8ki( zXEqAaC{uAZCue1NdbUbgj7T1nszs$ zP1)Ka>RT2hL`FQ<9KrJp-IyT!2mXIZYC({+jIc&kXra_*lBAjikKA7`6zcb5AQ>l` zgz$o~`jUe7E7>R|dvP}L6&Aq5;a;$ND&wOoc0y93K(D+zQCnO#-;7h;VHQTSl|+>* z)@*KP`1x*aE%D40*scW9lkETW1Y^|eKRp>>r{*pyNdfS?FyS(H_ zA?MG!0-fOv4Nkt)RlLk$p*=Pd+A?U%ERxnUYRTMQ>x;qGTY-DUF zSH=q4b9|a^z^B?6(m1Wy5>&tq&hxkL{0Ii>Q^*GD3{VE@C`!R7e|uN4DB7`MDSsc3 zZgwe7)7?y+*Gi|%zJM4+iHsv=7e(34JhAal=!*i`U1x!VwdG6#1O1)F&p%Jp3TDxjA&u3&@i{+kr@J(dqwG_% z!lrM(Wt&E7bCsHAeFy0&cMxNjz{mi@FVjI{A&L17y3cI(indlqX=sY8ByK)J;!vYFS0=qV$n;# zYfJxUZ{=-cW$x-F-?@f{ubF(YpOxrl?wEymta|z07r{NqG+rbMWwK_Op|1qcsAc<5 z)4aVc=4=m8y6ybxtfp6_cUft#24lHFuaN8XYue z`gQ(WoCYcGz@Z%oPtCo2?~3Q|PSy>~e6+N5 zjC58qdg2`spfG^@Tz1uy&brj8Glr+*b!_pT-#DWy#rutqk?u1BBSgT+pX%ox{IEM# zf|&(AUtuTPFE9{g-K}QFaJf(5<;`c4Q{vCT|LWRr__ul-RE1e71WUm*#5M1?nRhe z7H{lrLpo(Ft+qZ_*tH3a0^`XqVU%)g0X;brGwU92Ya8B`_uWq zA+pfM^{B3YJ(3R*2vLbS+ssg+^Q|s1T-}8=-dbwdHLxA)2zh_&u-?cFAbe|`(rt8Bm0Hg4-je{r+`%CEkp5$A*%hk7O;NQwQm zKCsLiA1uYG8E466O_#jPKwU%YGLRLH@6c-I; z6gNu<$?@qKG1JT~<+mnIZ@7q=B0tk&rMp!pAo&|j9TVxt`y@?H`|>QO+_#8Ne|MbpfmznuM4TP9|gwOn8RAXLS4P^^6Uw zE1}D+O8eP@yr0bOoO|5Wcep44VD_G8TUSV=FLB4DffA0QZ+>6>WrDoAG1>*|76H~Z z>`7Y3Mn@QaT~@!u-4eyj0)&Iw6T)7o%KsiVAKXowo=T+ue6r6thbw9S=JXix*lpvy zP}eD;*)@J&;K(1PMYS{Knw_iY-*EnG7VYizaeKKd;m3eBOn24Au*OsFu`GYc{8ox6 zJiw&Ihro*KS8?SUO+<969xN1pR>mXYPlGAGeB-s5-Imr)RC*YS(1i7R1xv(ptCb$F 
zuSv&Q@=hVAg$d4%6tJdy!Vo!^rmA|=;5pZUt9&a)a zm{s( zu*`=ZgehnC`G&yvp?EJLGbkjc^$wkcs( zrP;@ z3(`E{a%ILN1Dp}jWgjce`H|4v4)d1#O{6$+L7(5rvY-?S(V!5}z!>KMxN4!^JmocE zwuO>ZIr93QmR#%??zp6)i<#DNOF=(P#JLM^ydP+ripHysizb>R8zuTgqmh#!w<&xa z9v&aW2_^@idpPRatBf^M0H)=} z$t*_l=bIKpv=tTGD_v9%IzGgItk5#QHxMR|9`fAcU?zkyX1n8u+Hu6h_CjF%&V=fF z+_$H)uN@>QPkis`06Jw*FFQ0Gx7e3q8Eiyt>$L?281?MH_(+Ju+mu-Ufp-va(~U2Q z2TX5f>ZGDvk@R;3R)_1P;TmaJH8EgnXMMxkCjGw_H(F5Ar3d;$QF^ab$fCl%@BTCg z`>oRF52kRMP;W6-2L9*7^-x0Z>M$1yPh1avO`vgj@+XT z_ZBqB#?$Y|TKgNO2&C$A6o^QaXuFP&;G{MY5HB&yzxqn#@MUHf~`f+uMrX1 zs=%XM;K@c%zENkLb@HU@Kpm3|V@#^Z-v&i~s$N9o5R57(Q8*9) zh|&@Sy8i><%6Wee5yXAc_mg?&Wb$w48E1h_D%ZZ)hEb%wkcWVn|B}_^0_)C^V{ZhHgn=&wFXv#k6V__XmDaMMj_RuwKLimkKp)gYH9VM!iIgMZ>y zX{P;p6 zuA~S;RU^$sqwLR1?ats8M_-|JC^9v_efFrmXHPf^M~n73DRm}m=rwdS%@hmAjcTEQ z;V;U|ODrfwc-WDF(W5#B5(52_xvOOkx1-tx^;Iu@*S~qubK+c=bl&MARUk>~v4U+& ztges!&HyKkgU^{^*1A&=Raw~Ks@BMU6OORhzf%`!Q@_(^*Vr}%=WOnH{Kgw$PzM@g zsoZFRNn_CUMxuA!D-wadk4~<@IQn^gLL3m_K2DE`7DYGjY>PI~ZsIUD`t9G}`@erg z-0(8#f?~}An>5tX)o|guwM5VBc`79aB`BN1S3aN5ta0j8;@~w!hD~m8lcxOtg9o*% z-I7rRGHJD=%3M>~rh*IsGLx z-`mJEwZmZln{?Iz>%!X~DUNsMScPYI_yTTft1m@8}J<=>?(IZVL&Px!Qxqz)v%4*y?%pRI!; zU%+jQ+G97v^sUNMu{OteogmoO=6>=k^MI2O<=L)?Eg!{?`bYhlOOIc|(=Q1QO~jXL z62gAjTAKcMQ9kiUNpOki$NdRCo=E~hJM1X3PC?(~rT( zT5H`QEYPhND#an!{(md0Cngw&`3O(#uwY|9eLIp@9{LF<+Q@fmTl)pF@U&*RhWQ=* zpnvUnFZygPKWBm@Okq{6Eq2qmPQWbI1?@v{qL!tGR>hi2G8VeV5f2XjUlY1ZMRw1_ zzx-jC=Z4UuFZ-`+cs8eF2w6W5b7T+2LYC!eE+} z%NV!jmaDw2J!P;{!{zt(Do4D9(Lf*k7xK4C68SZM9XVuGM@_ceqEw355w4NqOw?FT z?xH|Raub_oobW|Co)otRusBEMhQyz>U-RSAjYa;5><6$+nnitpC_r74#n7m3MXfP& z+YayQv_6FrqwNbd1I!V7VYe1B{NJG9#xqX2weAwUx=X%h&6uQ8DxFbU>sO_uHi}%> zg!SOxrbiz*UmT0U(c!hiebUt8VA9kPtM2=0j1X$N`8&sJ=OOPUG-!NrU=;+#GB$>% zCl?<@w1_%ctcXxuDs&YucClOxTUhlX9LiV}M+X(Q>wXhof&48WAM+1SIz4|HOtdea3!Zt~{77%@CTmW+`uU8GYemlQjfg zm7j}xbeIVTbmiAkVO0ewDV&h+_BiNB{^|2uvPD)5`9yUNVznl9^}PS zz~3|!vE-_XK0-52)CKz+$vQ7P&)Q~@c?TiWre_{1cueF0)L)?xjv=h7Za`=7EmrGo4YekjbQC2dzvQ0MrI3zU9eXh&mW`>WqX8eS?9H 
zINaVM`Ffi~z9J1YTF5+vyDK)Sf-Dr1)>`E;M_lUO^Muv?LMw+m>o}pJ>_pM1<1B4> z>(@rkYV{^)4v&uLi-HU9!~ON&21dxO7_#U}t^HkD!{qe9ax{lJM@g6l16fBTU0RgQ ztqu`HuX{#UohoAv=i^L|yOP?ESV!zAPFDNh@B5;C!)R7c|5GUN2-$brDS?+|pj}%A zl?#Y2IgUYKr3Ihi(cCjMj~F_K@EP5AcObV@F@$%T$%HI%@n^M*#+taZe0`1|O+*3qkS{N3Lhj=J+w z@Ntkj2TN(=(&xHgl*YKp_LmKX%3j>DsDDA^fiYQ~#WE5VT?ZR|WK^^C=m*5U&_-YQ zh#h&pYxQW7eZ`R&R@q!EdirfRiyA=n7~%Fvo|Zvp}F7?D=9Wzi=q6lsUxb)cu0_49;D1wl~_X8|u7A+O@L~ ziB_~n)W&t*17rUrjAYz7Jk@$(O&kA5=nq)iZMULwCCSZ+>{;r5-ce3f#X(=W3Km8s2^w~9f z3SMl3#kn-}A^`^?ynC)ZSs(t+I6Z)OUA3>>jMFw5$2no&Erq9Z4#i9W`Aw%OG4iS; zCGnJMe=>HE23M!ToE^gG!2H1eWO?$IAzubsf}Hy>`W&tFP}^E~s0CIy-IhIDa6J-Q z3+Ktae>PmHxAGr$1-#M1g>x!9^dpa64%PcuZzm$dI{UAE`Jy7D34)GMDfU5z+t<5Z z9+5 zSlDmVJn8(y7I<91zCo&bq0b`{CmZ{XVZA1O#d5!2ZlNuqoyqLZxt{Y z?!u*4P6HD|iKPrNu#rI@f+2@0$izS)!0lSgqs~AneR5~aVB&ue==kTpQ?M*A93GM) z>;EU%?=D8rKBv`Wwe}}RRuTO_{Mp2-{I5>fuJu?xZ7So8zCW~vd+XPa#P~y2j43uW zRiM<|E!AmTYotue@m|}UyP&LCRVlRh@4*6LYrf!dahgocfNcC5w*{t|exuVA^cr{w zs?L0eauZ?b-Z?2n=*=Mzo4{0>Usq$~Zr?FyC@h%kR03#+wldWeeB6Obfz3yaKsPZ? 
zH!BNzhsT!7UNkr;RBA3#jNi9)x+zrLuctIjNy@FYDEGt8zWYPvLdt&Ma<_dL^uTD1 zx6<&_XvEu9>y3QfZY1WX#fuxE#NnjNYZ+qhc#8o zDjyh(AdkTJ*$$E^dZtEZ21qD|P$)d*1rC&*?}))2+jXgZ_ebL$G3{e8EHnE?H(6eC zia!w`{8%|~w8bXaW@ObXw5*iT2xPf&PElf;J+*W<;iVMjzK=wi)&NBTEXHWuukw%= z?P@7sf9$wwOpMk_*zDL?5R60kH1jFK(g({b7A^++WQW1O;Q>$V=$$!X{`VaZG}h)6v^bvMXyfG*A})SSC}fM_VRH z>sY!OIUOFEH!KJ0X~-Ksfh;mlMvjjNV=2c|%IpiRx3;&MvR&pH?fdZ`t}mTh{JI*V zrEQfAWc$ug(msJKry)rxFc&OfXCh*TKEe} zW;2d72%V|Qtt6*$W-fA+sBhg)g7ndfnjWU@z5l!kvQo86C|Os`#V!2C}sf?~HHxNxm%`i$uMG*+&kjA(L<&_!QLoQy47TB3MgNTN7cU!pi!Ut)hYniMTfJHUoI5Fg@D z6#xG9xcb8cf2D{XcFj6LQvhoBq>gB@gJdVs8qmD4!roY3uo8{ z+t=f;Im%kr@7B)s%8LE1B3~zs`kjW}*0_&UvND*MS&TUSsSFSDLi@71W_0%*QQ~YMZIS}XbS>5c z*xl0vD=17PD9rkLLSpJ-*fT#0X<-XSi(a|vpn_^_{?XPhc%EXveBTs2mU?{gSw6b5 z9OwMITW?kW;Bix}ccS=3m<4AO64tl)wQaww6W7f)`5g6bnsJNw`EobhoE{o<+=RNt zJvKSsA=Io5d&s9ol*AUt8#F|qf7?QnFTEx#+$_$=l`TD5yuZyJ5dXeUR+S9@vYgo>e!SM=}8I!wfecVhZ}+L7d& zUMuo61Z_~DL$vsJMT^7|F9bF|7fiS`2`kBBn(+NyZK-IUDH+*nEp^xuHrHbt3Gr{d z*`p*S``gV2a*)Hb3#N~&+y!S0M#YZlMEO5v>*#*+7rN6U(Cq1c_%&*ai<0w5PNQX= zhL})o3gsxVNjJl-?Xy#t6-rWJsB_f7AU13HAhS^d`n`0X*-p7a&*4+(zilrY}ktwxu5dqc{v-Y+uJPEQ*N-pU_yG3 zd%C?G`#%alES4LNnUw5cS(C?8s{-Mj8Udg>wK%hKTSFF1)dFQ5kupjyux@;<+0$@R zw~-4JhpKOVMAV*R2~u~@0FX|bq!POgc(QT-%b6`Rm!`1qVNbu-%aCFU%pNT(W*>$wH8Q_mmKyxk%Z1Wku2*zd6+&HVWxX!xOny+RoDM4Aq2xwCG9FV zUhaZa(>$}ndS7Fx?eKkTot)+PaouL#=%?;rlfv>M8}o6<{llR}_O?#HEr&j5&~_u! zI^oI((eLFPzb~8G`MGg5n%Hm*+@Gsy-GFy6>d` zs@j*7YSj-Xx{mMfZOl@xnMOA24F)l5Zgo0zTTm1rx`VS z#|`1Puu4C*rtmfWD2_wcvtO53JQmfx2BY=6(u4Vg>y=~CZo=rWfx`Z9@7JWrQ2`Aauwr$(V#I|kQwr$(? 
z#=EhNjW>3(vGL9O{kdn(nR~jrZ&h_ymmW21otqT$uClNU9t!>#QdC(+*V!6sjceT) zFDds?hnjmar?+TDA?{|DhF_$=hwoYZfBP|dgUFe!9pK(wtvqT@p%K_^))>$vIkJR% z`_NL*vVtYwYstG=7^py8A}@UD)vZu0{ktbUCP!sWbxv0y?78^?soNQ~mSx#Ns1JwW!;$v) z4_;quZAJJZykeG$KsziWaI0>+U!-5irb$$jrXgcz0B!3c<+n^RBTa=-Y)SK8q(2~O z#Om?xLle2MeEldI8FdQ5RNQz7e(E{|wQ4pF{6X3f>)N4lx*by=7%3wi!-e4F`_AdN zL0OL^uK{u~ODbG=5o!v`ZB&_RdCPwXpU)GyFRgZ=(V$|V0h^7cF%pCBU4S926UF|B z4GOrU_eiy*0$Wuqe+9j$G2!(qB%L1_{+#y*vPfT(@K`WzBAGcNVfP`X!qxPa-vKz> zoN6+SdP*AL5;b+hyiyH0{U!^5m&fl8{67gVc6)0r`sSX^JmAIHw1|_Mau;gLb>heG zE?$0vR)mA3?c%>T5%)SAkBq3^ozBqcl{dP;y@Y!9;OBg{HhB$q83hesyu!Siyj&^m zP|an)JQ<_;#K(2qal|3uLX7%tolywAnMJ}zRBj7t`XmMFw;KhRsJB$Rfv|lTQwG@0 z$yf0Y-UaUb#+Z{^_0wt2z+B}jM66)f2Ez#zD*+m75>_DMR0Uf6L{g*7mfwoCl^7Hs zX#6QQBLEfS&ICDq*t^vekp`sFI(XAzRTq@UE6IN>gf8lF5pmuIbd_AsQr; zrg5s}Rh>kma}<#^=--%;v$Mc_cR>)sizkvG>XCqNhYO&4Dh}yt@W?HMI$H#J`)!1X zGgtjRlgkk^rarSVQh6%T5!>h-!OiZwA!_*_&MD^o@)%R9j*Z$fa+2IMl{693R)289 zKj@?H^=7=!ZK2=`Ezw#zIv?n!Xo}b=(qkvQ3qd--BJHi&iT^9N@J}`gP=d41hIRoL zUVQd+9d62MC$0; z5?ZmW47u*ud2)aO-EG-TevqLZIa7c#<%QaZLOp(rWe`h_%)hL36Er2U( zL}QbY{^jS$apNw0|Lf298N(mudtbQ0%$$j6gGHMA2j@~k(Y zUF6aG&ZKIDw@pp}FR3t!f`@)I;<)(3aAq0*eAvC}M~Pec&Nm;FxRK^qp4N~7KKp*% zK@mKz>98lA*v&AHX32J_E;aSOy87s`-Tc4TLqB)9iHQqUTF^0YLGQfXaCzBeA>_TY zl34d}ik-`$6Im5vWS|S0d+7n5AZDy(OQ?z&yD-FK5_ci^Xdlb;D;2i&p}&1>Kvh4Q zIZ9BFO-YI9sD*4~w5$RbBG7E$g*H|^+vPwrliV!y@R;cXeDL}8=McWjBo`{ZjE6}3 zpx#4m@Aaw*W`9!LziYEA4+=#?byt@aa1_OkrdHdMbc@Fw8?MCW4yht?Bd zAAVG5nFou6S{n$b!$=vO$wL5JD1PEdG-Q~M%(^r zLlQf>*j5(23^M{@d&#zE^?COeDe}muht<+qoIYz}Gr&?|NoJJignSN|PnnLgC+h2@ z6J1jx)iv44CrXdQ>Jd#vb_E_(60Q66bTd)W0}VQz@!W!g2XCc2ZnjRn*W|YFz(&y_ zb=Hp;xi;g{YQYC}?f4h@bbtSe@GaQ7EN8H5V0+u1xM(!gx_N2Ejg7yJy*+aJ_*-58 z;;&qS@8()fxafDn1=65t)krFh>sp6|1mtFV7zix*J0mIjz?WM9bM_cg2^$r~j3^^d zv`VK(Dp-i;J!}YtI64bqM)~_}2;!^A`Gh52A`rucX6+f#1OK5a3-6(74dh|$HbEw! 
zc?|9PPmZM1jmM|&@AGiFPEE=IY<%IzduH?fyEks1g=(jV64HQ&MQ?Bt-d5TJYNn~Y zGW7}$PXig1vZNI45jhR-ESf!$e@Vn;1tmFDMOX~NJP>{T1IQ00<-FUcBf}r3BjkHI zSE_Rf5Egm62kl)}o1)G$@e6B7R9z15=x^5%%Jrd48$+hhufYmutjR#AV(x-W=ZM)n zS_C6%M7l{O6rEEc*iWJqtM|@nF^s!Od(tHmZ^=1{onkWiK^7e$SN*_0hzorw+ZR|s z^pdV61S`2|B&#;)%6L7Z4CnqxUIhsPz)X#MD>HS(dG-8H(KiCbo;%B#wb7>34R|=RwROnSbe#hE9j>m z7*AdPFQErnBVxiZfTsqX$&SVs`-b_V_rIvbbqq&Wi-$-92`=yJLlWrNc9qCpz*A{$ zmh5Ied#G-FpIuIxUbbSzNkLk=oeLXFdUhy@g58tqYmp=vxUAh`GH>Hpn1qlkwME3h z8)rWPS|seR>7vjNu8#SqM(aTf(fD@lk2U(xf7^-ihE@VS4BW08Ri|fs-~*~_JZe_p zAt%kQr_;uRrQGQ>dlh3g1!-X?=^ZgNOsuB@Ddg8aL2l!-3$4I+fY8{cA&$i_P+0^w z{q>ofJJ`wYQ*z;Z?Wj(Pk=kRaY`Zt|T|Z>HPs&lOOb3%MxkGOyVJQ-7HlB zL#VnXj#zKjn@E!dAv+&dAzu+)imzdGCoO*Z8Q-{D+XkfLg@e1rqGU-zi30%3x95k0Ayl8`~X1mj+6*3FZN@?+U=!ct4k!&@;#dt zQAe8zy$v>){P?P62b;<%$kGB}Tu)+8d$?w|aMbWO3Opz@-hMAZnBbFEPpNSBYr*@H zh_{uq(mc&PP0F+)Ed`Y^HZ0A0oc7ZYSH-gmpP(i1!4CLJ3f6hnu3nX*LeCJ_kpq_J zA#GFWVmQwa>nSqEcqOEeOqRh7cu`K_}MzQh#NUm7|VdCjytFrfbawLPJq@+SAz+I$L7Q$FAz8bS}ZY9>_fzr`jD}ITdB#6U}>i#7ea3U^iQiS?- zpD{~DwU8al4cppMCq+^%;YMqsqNXgps8`M|Q`NCf$JG&eXy(J|f(lgCD-?zg2@_uz zHeo+J2~ym2!+Om53&(9c&RBg?4a;YEp8TVyWLt8sm4Yy+oR*b>aa0(L0ne>lNRe;} zVjqK@QpJxlE-5T+aHiM{cG-JM?=4USZ^NQF!V#24F_n~}&J2`m=#VE%gKINe?@FB2022=S$Mh;#uUU?51EW4cyXC^Ttw2*d)_w$t!7$jnmLzlQqJNQj~DV=A}DK zXx&O($5SdSO{Ia7dpf)>XIcVjIFruma(kNe1iG9)#yyHFnTngqS()MHqo$i`W9(av z@Q-Y-Vr$R`8`;);twgia{x^a+xV}}S9O^^uN{t^)0due7o&=DxSK(MZkTS5kVSsvq z6_h&i1w=z7g_@dG2H=mowPnS7D6!P)TngL^dk^p{7)nvMRudl=sC#TH+mQZw6_ikA zAgBA))`t@%)fU+sBY#&TV6JTlagPq15dlpc;uDrEAbfo7pdKZRG6r)NdQ?#jy;MeQ z)3i7(+@AA61iXb0CnOs1gGsf)5w67(#cf9gIkQSe3vnihGBK>LUN1cLFw~|dL!VFyCW95-0s$PXvi(4+5U$g z8Z=@1yb_1}8yQ(gB|FglZT0vF(LP>a7DZ37nC`Z5D)G|Wje^&;K%!g*)*b>2;?KAO zHBD<=D*ddCJ)>C-wZJ&xV*1(osf=4$^>{&2kC%Y_a_IUpI+<-x3h8g&3$pkUW~!*MDGvM`MSf|*ABGqCa}Xl%rSD^0I8%zYkUhjb zRnis(qi7~(Rs2nD4$S4z!oi?Nr*}SCHUsdo@Zsf0C9q>Wq1|CNRz`1g4$)Lhz>+Ind|f|25QR`&_CArP3*r*$J_;CiewHiz}Be)#xf z?^n*pzx+9s{OGNdayzE4l%CxW8TPJ2nKKdTL`{JnRiTa1`d*xgHv_aV@!_pU0_onO 
zq2m2VxAO^9^UR87wVMONvES}h6wm<#51@~|4>hIVq8onRM4It#BLH5CCPSpFuCM{B zG_-B6DB&A)ht`C$8EG`GV+`hi4MsjZ`^ba`^8wD?*vEy@-BS?W1>Q5w2J@>?;Upf8 zJ(NO}F-l4oO`!%%_eb>0QUp81natxzoxcKABPN|V_4a`9AP-oENZ9zGD}Eise4b@m z^VFR%JfhSoQyK%Lp|b+DIC91q~Q->fsqFbhG3Aep)0>(%NBvXJlvm z>BuCmx`E(l(U3yYZ@-t4I{|C;)+6R^m5NEz6pl?x{~}{zRS{E)7LlHYF$u)nK2g3iVj3aq9}2S45m z*qLNKdg)Bhh%*sR%u+!`N1RlyZ6n^KKD>BacCsxKD}v`pMZ+1j%bE8OthLoS_*4q< z`FyfH=%9R{v2w=kpa2F?>Po5G-#b-?60w1ov5co-%j@tK=rp}6cI39flq>mO%yu6~ zNx^`ols6yVE+dtlzM<04lEzlP-*lrj3D^Km_$o5tP^6p;fDAYa%XZjeGp=%*ZA;9( zTubbN&KLa)G}e%L6Z-*{3ECM`QIzDcB*rpfZz}~q-4nvl4%S zmMZf3IPx$uZ+x-qOc)9JKOL)&hQfZ@D&bO*jrOk)u#d-zi23N<%)gBP`m+cw|3F}c ziJ*&iM4RM#7<&9YoEJT4-h~n~5f12Npg_p96W|DW&JxZ%3wv^lV9Fi4DP{vg;K?u2 zQlu%5BU*;suqQ-Kmqfu9Ob#BT9swelgz$!dtBK(32SMLZwdi)93lqk}U|B%ZDdfCp zkR29TZ+aTP%JCQr0F5RNsBhl3%D2yB`mter`R;sE0_Plzg>e_kRXDa(%vNcg1vd#d zcvmyOn~oEvF81aaP94h+3)pLzDMa$_{;=aG;7x(*&016M^HH*e|FyKn{bB9=(Or{} zV@FyA*#{HQ*Y`s>iw+b}UtO*xR4*4u^pf!>e+;JFa@B5qHTRE*q9gleJPo*gtmu#Y z(v6JzLb>%z31M07(ypt7wLMMw%~c)jz0-N~19oVj&+_6Po7e4Fi?;mt$F4cFH6bY_ z1-d?JxE%4LdU*M!=Ts!TegJ0#BEdwcd)f)EDw+Re8COH42bQGdQABfIJ*q8qsh9cG z@%o#W(0Ae=3CTal!q09gOoftn#cY}owW!)Es1w*J^7l#T?6nU>bDPEi&7vfFqkb7}H(gEjFL#l8Dp2+B>CjHp&FjIaf8zk|H zOO{HtyQ>LB?KD}xuK=z3QmLhucm`-4>%u4%pHPO|`d>cYC|mkF`rw7X{8gmNSb4it zzZEKX@4V6Rd0n;3mENn!tx+O3g2vlGmDOUPN3C|44vZsqJ06W+P2>Y{_@Ti;+)C^8kAyjg0Z`=<$(% z7(LX@>%*cKW@h*7&Md*ATfDzFfc)}0ceid`cF;5&#=l;~eDi&IInLbmZCw+z34Kau zzH>{dcYOIZ1XoomMv}!>3Nv5{psFF)ureL!nV0z`@`#C44}X?%I-{ zj2B~?)aO}RK594tfs=?c?4tcAg+1eveewe zZfX2`s#{OF2}90Vx9y5M0G(n zp1HKpXE0-}#3VhcRn*3jMokD?BWCq1iuWlr$!m&$x|qdL|1HK|;YN$;V(f}cn5iWo>nnGWxa}+J6=oTj zwC-WapeE+%je0a}{O?PCUif@%OnTW`W{Q*_xk=(F=*j5hOp_@S zWwbTprf~3QO@s20@x%0!ay%?RxyZ`bi*fnCT=e_<{8X}Og*x!*f!DaeRoTzg|Lhlm zL3?3Q6ABG}dTyUp|3$>|OZhN&G)*jE)fPeYZ=2#8Pc+ogZ#*yWhghqhz5X^_=eL8$ zbdQ5QD~J^OiBWmHmncg2cAhsP*hr_<$esQz{2(y8>ItAMjVVbd^Z7_vi2vM8|6 z$#|$<;km!@ybqOlXMhjXngzp8CeQKaTsk8|K^C&h-50E%(uOf5 
zV1j<`VsE^nW{nT|dqhb@N10#%YWK>5EUY)8651UzBf8|&(=^MS#xyX2$&}ns$q|VA z5$Ke_wo7J&_WvKXO|y~%%v&vS=1p1`#qO_wB%Nk^m@ONg^$+=o6`$KS+mRUY?IKqm z7S4Q5y5j{4pa)f!G~ITpg!(RJK23HIkb#z-;XE75T;9xgU4gx5F~VcT=9a|xuN zLKjI~gdTi)c$fB4YGQ`-rAO4L)G$4eT71Am!kte=cYJGhI!!ul0=oV9FqMg>g8^e4 zM^%Q-FGqXIA-p|p&vG~s<9cIuN^AgK;*RYMt-vS~Ez{jzCRxLTyJ9`2Uugp#R*6+G z%=PEHVnht%hkE(m(4yKe>m_m$acbCR`cFwd` zUlRNde9^wn1Tqy={1hmM|1NRh23F1M<7BVN#gT>P>Vru0$T6t3T-faOvg49=wFx0z z_$nslSP--coyU7=3IDXbGO$wX zzzPoAV0;_;1-0VQ3{9y14r1e~sp!}!2Stt^GEFm$(ti?QHfx$NpB$~X_NFKb zKtaoJwpSlDC%j9GOs{;i=P^r|bY+$V(laZu7UgE8YL%=iTVfL_7u2~^q3@_@OKN5+ zhwY&2JmS>9;6k#)Az#()4~ljCaWjx_YzXrVj;vUma??15wC}Bk%G-KaB4u7BRn@uN zpsb9VaUnDqgCTk=6_LK##~7)m;*CfPLof_yA~z4ZKjDT-dj`ou`S|#@bad0*%o8`O z+fDcxdaWzGJ9?{>*QfFSn~4SZW^{fps|v7?Dd4SE}Ejhv@Qqflhue z7_2h8_`ZE7uP}|zB*Cf$p}$3-ZV7*|qn*96xxiB1b5)W1ATtLW+IxL5iwUi7`xsnx z+8|VWXlfFIvI>rXjL*aGcnA{6L3zUOR%I88hOAUX)=g2+uF06UQsSo z10CE_l)#;ew!lnXM;XM)0d4_H359V#d0gB;tm|gidmJ+T#3&S~r(P1(nCNp^VU2o} zw5KwechK2EmVIhod`Pq;n=hx^;Wf&4N>32(WeSy1Hw4eQc=vb3^Vx6>1C{Cw6N8;W zCfYE@>h#iD!}Mk_<>sed<+!YJM?Bb+Zb<{Wv%SIgWLWqWR(z}%PGm|WWxYz`nf8C8 zjWFcvyWfsfpA9kx#u|oR7yQtc{OeeDAx^#%`-c#$q}Hf9g6<;Ti0bDRHo6^}V*k(# zqtmjBYMPW-mtmLkll6k@XIDx6dM_u|7Bxo==lRo+gO>`hsOE=i4MTLHrEGTI${H@~ z%@WJJ8Yb^H4JuphFE6}RgbWYetcw+1sR)Q+XtRFy`SS+z+aGi$D=VY=PfFdI&pmqE zjLF5#jZzAtX6Mp+oeN=Z_^ckeaysjPly*(bywp)yR4dS*tflc52vgb6^vMnXY?tvm zrsu>5$pf>M;EccPA=Nc-rNfEn5Sg~xj4KJblb^6HK5vhBZH=Y$)wfiqKN|RF+HFNk zoNhgWV5rG;==0un*OWiXRg2td_b1 zyH>Bjab+C(KsIKxagkb==s1R)*&wDV8K8z}0J#=GJ`D=CX!75`HW zaDR73MgVz+j7`W0uSr+rL{b0sQSXfB=g&v~%YMV})5ANQ7$=t?n$k@wZa%~6XT4HO znrl5ntpjl`rV4A{tgSP_e&N#c)mL}%_oVpsV6erb1Tg`vGRM%`I+V(ww^1|dCv zmhAkV76JYCf*tRW?thyY+%g0242O0G1jAaknzBM~#Lvqe7GG#I$@^L`2@}3}qA z5DjP2C}?XDtC6;9t;4*s#t zu^sRmPV8agU%!EsS?6S#H_`gm`%nj{srv)s)Q-A;x1X=)#&(*i&85R63F|(F5S94^ zi)&TAJZ^QE8f}TVSSBgNP(Nal@p}PW`U{(&NJC;e*gJ0k*^l^dT7tf8f#SQO>URRJLN7{{Wn7%Im zDBYnav3iSAG`)W8nRBOjmGf(lmXp8bR~YL>Op~8+X(@44Bjt3(XpIw38quzfQ<9^%*T(5$pMCyYYz)5dhgbBa 
z!DN0vv}1j(=do!~f?%++vco8#bG+P)T-hp^ZVn`36gvaVxhFR-m%@ar*QJ4jIT05{ zm1a{H*VY?NN9$NfGLM-ZU@Z=PF^YvP0MT`WZ*=e{;Tf*?wAQDl>up0S(OVbz@pr3R z!WSMc&E#b_3tqFTDvBt3f&UmfpQn*DTfK%@8af@PYLTK^fNw2As ziK$E|>J2@PK}{}=nj0ykQ$Ice5~op{MFVx`={a=2Ho9e_1SKnW6mtrsHYCfLCBE( zO-{-c0Mh6GV5rGV^w7HT*OBIQ%>p(aN3+3O?`+{R7~#BQJH))#{-<5D7ufsj1yySv z(+pC3zpqlPc+r>Apq~HwLLu@J&Nj?Ran7u(_`MgSn?;WBquMC2$5G5YD?E{%k5puWbV*8FBofOPz zH{QQ1^Ue19;Qrh}kWN{s`K;|K^H{rSsIg0hCI!n@CFS(yG8s7;VMdM(HMvPrb8=N_ z8gspQ=BG6r04I=0E|7?6tCGm4C&aoM!Fd9b(-rpb)QHn0_WD)imG~1)kz=^B0DJEw z!4AkUrQX5|1ZG-{^Y@N+POfuWtHO+ZkzBkP%o>?1-MW>c@<{bCb^|7+#3LVnr@E2o zv1<3{x>Nk4=oxyl0WDN@u_$gb_G6YkbG_s&OKnEc^zi1f9z0az1)eBoH)N)~TSyhM zJ${zhDW3L9mso&@BDLWu!sZVQxARuFD-Aj&`#dRT+@K))E411MrzsKw&~zB$kM{MP zyQ>at4dRQM#WAVeYyE93@Rv$7%NMM3&7mwS)D!O<%ouXz98_FPh&|-v6fA3Lh)Pj$ zLRp`2Kk*ZzexRf<`S+skNNp*U_ZdJF_TDrrd!A=xHv|O(6Fr!CeOIj38>C}`S8*$A zgt#f4e_QjmhsU^7m|%&*bDXR#R+T;O}1vS%&1n!c$fLgCt9O|WxyEAP~4oRhP z;i?dyA?qw9vb4j<7GwSWYkiX7-6rZw##T_*#pu~}iFGop#BIZAZX6O=NU^#(c1F(7 ztq|FtH|rsOzsBfxjH2X;L7v#I%p2t6hu8r}Fbw6c=0v}|0NSe*NW$aiUpn;lR3t!( z#{=Q5sI(T)vs8f9@ok1>r{n1JGoZbJXdPGriM6u!Si+y6>}G*q3fyE$Z~1rN^1Z<& zwwu*&lb&Pd27G~2W{Ken!;M~u9s$i)z1gtp;=X=v*rG1dW?Ls zu7)PBoL2z4^QC4>^MUCXV&>Kq5YcQv03nmGRxOka2_AW?ac$fl5}vYr;M^5Xi3z0& zbON0=n;@*e@tlUwQ2X>kln_6Z#6Avx1jOdJ|*gQTR0W+iXJk%Hw@ zuW_o8lik#L5&kv)_SmJiY=?v>0xNO5X*zpwS_GaB=pDy(9m3dV!bV(0rk)dIT+m>Js7iOgA;fJ7F&BlC9lvKfwGl?88=LX{n#o0hl zVNrgjVfbv`6zdGFc1kZbyBb_h3b3yl%3B{%hBtleH~}*%l6DRD3|S7ej*#&YRDG-o z4(P_j^a{{LFkg~iTqFms7j1yJ@S12*tz+eDA*a+y!x59taD*4H3%5>q1Z|{fnWL19 z;*>weUd*OSE3Pw=*TlR43EEa{B8O21FRn5|YNpodZpUhtgUar2g{!x4s}MxTJLaM>mY9nh+(5PZ$ zCcjU^XEV8ZtIow0g5MY7*u^PZTCie8$n0A}roObVk2J3a(#jrsIQefeaz5Iya5L$D zfB`Yits1YK*PqV1fB|aK@0=r)vr(CVzOHwU&X2o=n1+t4A*GhNbpcK=7o7_70$>nH zVT#`ZAzfB1d!Zx>Mzv(w5nHBs)S`GUKHy(fjO*E6bSg<}Mp3mPnqq9>`duL=a2}QB zE`+$WueJ73#+mVYTg8JQ=Dxnm2ulL})o$cD77P~@Y@-W-fG#rlUR5s+psIMC+}Z$D zrADn9MUJ*pyds=4u~UYugjF0z_O7Pn`aQ*Lyq3aBW=-toZE5IZcVrY>8lm(q;KS$5 
zLm%8A1)IP`I5|)qx!-6yx1nh3e&!3B_q$zrAJ1xcft8xCalip?N`xBXp^2?ALb#>| z@|JP7SHDI5z33Juo3ChrL{nZ@{(IpZN%#`aLs-Ec?HC!yng7_??{u0+QyKdNLfW;M zfh0q`Oo^66JezfdjzZ-)fmJaA-*Er4#xfs?xShe_2|eJK2r4dR5mzwCqm87VB6pumf-Rg!dQ zWcaGqa-?)#Y>|LBFJ%v!5voSbPEV53moSsFmf|+2Ke1*@v7yqSSQu-WcTok9;;@EC z=hEOuYPI1PLp3*~Rk1|n=XpGd-hnhzyRJbbpJBaWc*Pyof>Mj6w&RU=b^iRhX`-LY zz74WSgNcxu1(`2O2+T=B=1JrS#!RQ+- z`6})3Nf$=72*naeVDzK%rcw75`*gPbg;s}wp7c}GmGq2oEJ3ZJsa?}e`e}rnBCBx- zvme=T18+Nr@MnqVuWg^UjKqlNDZSmjJ+C}31;k2%`C4MYLP2lB=BQaYS4`H5HXDXI z7UX1BrglwDN;R8z4#jFd9abFF*l507d;Fwk7C&J^0C9H^f40bQ;Rb|Ro_1J4^nhY! zEYW2(LV)%cyWIf%B<6mohi>(WRk6w}s*~e)-;aAN`)AT!fxaLzVC=8=9vWCYMxB`2 zId4@Tqhf13f=x3-OA4b%-FVlcw3v^V1`jhjoDa!`*t>=;c#}Yas=u2*Obca@Di(=s&zeLNw^#bE&esoGN{@ z6|@O;sMxB{&@|b3nv!2J=9UBW$f=gF0YoM8VzPv1AgX9nl1Wn`P@D^#XvOiJf1Zg% zvQxNI4ab8C2#(qm+W7X>z6X4O7lrEi`?C z4SDxAauIcGE&uvkhv5r8@Vjo)Ag)9>;ivKdLC4=u9~{5=sw4S(KCo#TJA7b?OV<4wx7#sm zCB34o$ekRY3wtIDO{ttN68)T&c0?EKb{HfC%Qe|hqJ2cEa5?o|D}2qfsW@18?qxv%1! zc6pj_)A?4J+c@vD;-d`gi=AZ^0Hbe4`h_~rVYL0EuY*X6`pvFO#gDNs$o&N8i4Hut zB>f3Jqi6HT!&RJfkWmKssDroYK8XhJ*%OOSFqpQCY2C*4Rrn{a4@(0eH&6)<`fSFf z&QS@50{0idrH$x4Kgyp^O^1SzY-hJCzwqJVI>)azAn83wjP*H44lhkz{py}zOo)PS z*zxCggMU~6JTzzps2NAL44`fmD#fe1)rRxqxUIQ6UK*M&6-spSJ zXmT{K#@-fAc>KgK!km!$3Zj7q7S6N%Gj~v~oInh^SSY$9@|Zma2b=It8D=G9*# z;L5F^EAUQp?KE)~`$Qp7oi1Dab-7ocLpGZ%l!j{-_M-l~b!3*CsRaBlGLKP8s7--b zckcH+@io5l64xe1`woO_qgkB{$gIcleE4I%T6;!0p0%7sg~Zg+_E$wQ~>m91W}S62kAi%wJ%`aw~WgoHs!_wjyQGAm*)AL>KavF?Fv9GDI0| zf3@aGe)#S%p1R)@zk14B zoA0#(akI#7Ax(}!ttM6kh(Q>m%t&X2cS(s?Rk=tmEE=wR@aqY(C6v3Vpp$o$*K4OlE-x`W)8|8t|HQHZ4ZccC0tKG)b|>NRMQoDnvT)UZ zGp&o;kbw3FjjTZucg&!chI2()j|CY)1iVrk^5t2R0HB5isHAHOh$J^xV2HZ>FzZc? 
z$Nnr^GPbXSQ~!>UiZwhmBmTjU=V)F)sPtgw&pF4l3TOq*!eI(qCXlA9SDHvf)mp3-+CV?xZH`GO*H)?t`Wc1I zWo6mPu!JGS!9SD;_rk1Ppge~O-J_3%Vh;xc*IDp*gsg~7H6y(@4MtjyK&r-NuthXQ z>exEt*csb*@@~G3f7g$7l=Di1bI*lREHd#$BoQaZCNnz|=VF=n4*Ge55#NcYe zOAvuqW(Bd8$`X(04pyGK z>}l{_I27M+P5(f~7tRu{dg^)ym1TATqKlo2_E6HBmq`jVzw5*ohFLtUhMS^1%7rvl z3nPw&IA)8Q2$H7k1WrXbk{9C0H3VJBSZGop+`FfYlj*qGSWx3Q#;lrH@|Qy~8T$H2 zvCwrLw&`9L9a^lFtM#G*zSUhpM78cx=>9E=LTp=!q~kvn0Hl8HJ+~ZEywpj!L=oF_ z9yRD-#C!`abm|-TO~@Vj9?cEM^#L<{ywn^PZZM+zq;nP;ZZPb7VyGq7&5t0M>-7Gv z7Jp@zQ*ZKtgi_((d=$z+rhx8vn+fr{Dw3n_(n4dflT*-{pvGodL{|mXIE8vjJyo8N zy)P6ifHLJA^Fj8eY6tvf+}#}k?}^Q5*Krfq@EMf z&n3dY-yP)yp8wtVFV1eq1tMflWAav{7&PTF>~5tcQC5hWTMnm)ueT3=AKbjlH1p#3 z$z#HvtSr}?5cu6$yVo|pf1$2~+U^Lp@*eO$&V>ZGKk?OKKt-0Hwi1=6-?)@WAw<|X zAMIV~A>T^@Cg52o$|I-K0$70EAYAirHMg;(j z(!l^`Uk^|yHcIGnLW98mSB{t7KFwU=T&Q2Vqv$eu{DKadoZN$1gG^-PAeTzo9;&9n zNT#)n+lLPGg^a=%hS(RHF zxJ5LaIHv&DV*TS$Mn=?|Mmjq!4!XuA83UEEVY`#iCFSguTY5~XL3FEXjRQQ&zxi3u z>a&_Ab?1c$4~mr%npfLyQ~thc^>6{-5a*+zpu354DP(0h0I$q3f&dA=q(`d2)W|1M z(U)KA)ci&vPP2Hu|dx*tzs;<|=F zu(>v0Xe%N%$dQXO&OinaEi}LlYa!6?##Hy?P0MKsYRohI*J#E4&olV1r&Xq}ruDjw zU%lR~N_KsIpKJd%Z9n^e3i;lzjbDkjI~F-1R{OTgWck%)a_EJjMEP*~&S8eZKu7z8 zo)X&O#pJ1{9hG}5!PWb=iA!;p@=UafimQn!=Xm?&lVs-=B+7ZfA1w=Ht#NO&886~} zn;vvSq3}0=JFu^=QZ^xg+*Bb2HkyD;*n8duhX0{2>j(dNDJ>GM-t(}#()e>1G8?Oo zAw4n-xg^oGolV@hptGv$o6qOd{QeB-G1&L2QGclYH;&+Ht^>=c z8)UADREL(jWt^3O0dgPW6|eWbejj3h{e#aX;?G=nhTV#;E3BI;?5(u6_n_bUOOUlH zi9)3?_8p-4lv(A5d8X!+trnrg3U@&tfEK&si@OUKXs1NV|w6XHNA(eAfy ziYCv)W|J(i;Q}6vWE1O2m>DgYPes~6xC$voS8<*h)q*Zr$Fd=-;0M12u!Q0~SY)(! ztDHnD>K~VkGgE_CX?lvfL-ByiCgf9br`BbK0r8v1tD_a;uy~$RL)?0W1o_)pmXV|9 zitCk$?%){xj*tOnVJuec3|NmK0(nsH#Kb^7wp_$|36{0NKbM`nok50rI}o-A#`mf? 
zek-zVo6b-S(dC~eUlsP0&~}1SzFS9J9%X|LYmD$d<{eXR>CI$1@mADb9#jy-T13!+ zTOV#xojCFkia)F$@N`2K>AjV|9co=XF`-{NbUX>{T8nG(s1FcUE$r#VN{OKyBmaop zc-}+k8yEnt9Cc6MK{Hk>BeZHg?A1wk4{+$BbfQ$xWq}@j^!>P?MBQJVh9nJZ$Ho3b zU+f!B-+kS4* zwIa&75)G-ez^LkA=c}x{euik_e6n28xb|^K$B9&>TaVR$SGAg4t?5kocJyr{*Pfx zKfQ8;e|=}1Aj1#$y4s*@g5%qukxMr!+Gt;d>9_JvM; zoK3B#u6oK-lfuTOUpjVS;U1+NYSWkk5b@Pij{0H@w>>&Jhd3O5%uAB^5q3RT;Ru8f z-vJ0F`X$r1UY7&!hn*%8EN3dyRY`^{mTV?z4nWCdSTW#0L%8_&D0W(y3TPvL$&0K;yRfnvynw$iKMNvi>Gy9#DA8%B~{3JHr1*oUvRzVBs@%+XJ zT#U_@xLs^oKYKAQHY!M709Eq~dnF4`ynjW8-$I>kOQ+4EBmfd_*wv#^>?>K%9eX1U z2QuYjB+tP5oo$3u^kxT4N=t{6!|&zm_HmYxZ*wD;)v=GjR9UE_ERV(<4R*TPG2y;t z+3IIu2YE}J+Si9;Kh0R-zWzXaz&K-f9$)>|#(-x~O~Df0U@0jX`dpkAO5~w{0x3 zQ#10JC}&vGRIiHmG-g^>D}mPW>tow1FbnjrAe}vvduxIcXYVfP_zWUThFb@LM&Ly1mWt~cRl@nqWwLY#rNCaxy4lSN}#{Hd71w2 ziV$S-6_ zydP6_FBhamflYu$Fks6a@U*6z3~#jV>c-H{`;gOZ%ypopJvy81*&go~T7!q!=(h@l zk9K8Z(3?6G15SlDJz6xI5iNS_7yn;#2(cX~naZ+KK#NyJwL@5>gvW7A68*j@IFI7Q z6SbNRqgJ!?MXfr9a_ToUmeQx+Cd_x^e`4Ge!vuHA%-BTc6q`#m+u9Zh=r!&MP6!(S_u?dDPx#@U_{3m-;hk5$5#mrc`vo zq2<>iGs1Ll{o-TIqJ1<-Zxxfr`^OFGO?^yxpi#mst-`E|pe#lLHQW=z%2<$Cs$9iU zmWsr4zdwu;&d~VS%P(GSfz~hT$grca8&@vDtGhcyQ}{!W5nbVUKtxHn%Q9V=DxtO| zuHK`zS!_G^0apLBAp`r{lm^1x?PWUK1dr@@eV#yw!L10fcO`uT7}JXYq+SOwP&bY~ z#bnbEa7g-@>|pjfy0zqAvtu)@`)617)Na&cYgoHryEG@|7r5)asAg_8c>- zA-3t*VELGjHKjHaDl|fw%m|de^^3cd$p$X@^bWnaEwa{$ty)W3wjw($zWM*Grup|B z4T~O;&yH=OSsY4Hrv&nR8jVqg}IM6nBQkFON_)XbUQzszE2c zzI=zM8h?m5qG}uuh^QKOXRVG!+D8{ari|V!xoZtzUeDTj+x}q=({J@sHb2_e=2QCy z0>OTlf_H0ew-^V+Dwt-amZZC_Y1ZOF*;oPNPc(}z6iR>2&Upb`+Q!%(FdrBI8!!T3 zzCqI<^wdrX14o5MoZ1;-;J1G9{?y)U!)(jVVKrae8#s*2h0M>6$I=HYRb?qj7E`Ic zgG!Myk|j}5&ZJ0-FfZL{K-nrK)-9{*7mc2+emof zwGjRd+;7L?E~Vw6%?K47*v^1ZP)XH{^7YqW{)$btd0KUGNZrkAf6J+tpw{bV-9o~s zGU~)!h;}{9ySVV{x1a8Ug$e33fk-w5&uk5l{oww>;K&KbHpqFxr$>Hg^D1|tGs`Hi zvMMPFOY&U%=`1E?5>+HsOeTt}Bw_BH=xi8louN_3BMu>2W^3jlM8mIp`L(n1GAi#s zgJ}D&ac2+{{}oa@OsV6c8tD&(J|f1GH+Xuo2g)==f>X6SR0mCMy9n&ol1rvQYHw7x 
z_2YK2VN2C)Tkxr?jbUE<>Mz*)Z%Pa>D&#pGpBa=BSJPd?9K&Gc|p{{Qf=F?C-H3;PV>qzqfl| zaK9LP1Y3LKbbKNE;8neZ*TK84QJ>9vGA|^U_rmzI=7+;7P5i0j9hNq*)x5NJdE+Mf zRqw93u+szWS_1~1*Z$%1^JQ>n&a%eQAlem(RtAZ@yk4?CL+h^APt?OrFQ|Q5nuvyV z!yD18o~$u!*SvYC*OEZ>;imvxxF2xAzAG*QzW*TL%)DhWU2%FfG*o27dvsoKtWSKD ze{1i{l&Nz;`hMe(IMp5hL1I;}XGwpEv0F53M|hS-G)@F5(ljPCmYlGZrX&?S4MnJb zn7b8VK8%vh(fClm0z_qJDnNAHkqQu%_bNbC(yi)HF%u1CPkR@?`Ld~zAsZiR^k!^(_D0oBvN>_IdPy5TNs1Qqh@n0#KG zr%(K(JG8wjfiI5?;X<^wHrHvp*4*}{?X*iZbe|ZD!$Jy1@`6@`W+EeH7*Qfb8I>Z{ zsz{V>%`=P!&Cxi>5t;`rb2n4-VB?O}Jd-Qvp_1Ree7*>7{s1nm1;R>oeumaah%&;% zQnksnIv5MI%F^blww4TRmc#^9wN^9P0IT{Dx*nN;%3Tj6tIy=~ed$f4*V=Mvn~Og2 z27;nGdq~Vl{)ZU&0!` zgg4rnC2ic2@2e$YEwPrcQ7XfakuG3nr4$mm_}Q^1oQ1gv!<(H(#LhUgA_>fSwqN(uk8+YtUm|VmVl{6=z3noO(d9*>H>H^z_FPxVzm}l{Foz<=WU|_jj7?&FH z;=vu?d->OIUxeOunN!9R2mQNGX?VGeR{Q=xwXWf?(={b%4iy@4z~+@$L}w1uDvCmV zw&FC@_G+kd!ebT@p5>HjXIV)u-3M$Ktd^spTO$q_S`TsN0mH@}d%z}_TEur_*UQ3f zr8>F;_Em(e0jJL@WIevCA!ek%<=b&m&q(D9<30AJOD_8066oo7WV9}weAhSk%OI8D z!u;?@<1-geF5iesj5sLs;=+95C%K{Gp=rQev~h(tBB+b&(AtHqwA~1MOdeK(3_H-h ziMu$|>WS!Af4!^at)HAB2OQfmnIvh%tDIzU!L&mPHB_PNudIZAr6xS%)Xg{N!+^4U zMnD-VJNJNNgJS>|fW&<|L6kCA6vvQpRCO zQYI6TaGGSyVD!J_6a$&uDYQI#@J@K-BEn~OnldV_CYPWL%e%MFYg10)m^j24t;@GY|Y+%`?R};-Hp7fR8=p( zH^0L#43YKIVzFbAV9Wc`b|7mbLBBAeAl7`n8@^c%hYnsfMu zwdLJKqfeYR9bUscUCgIG(m!LC!s%TbQ4x>wxwWGIFOtsaBZV=vGEG8KDH;=+(25i} zFG*TdC0yhdD)f-f!=SQ!Mo<|lJ6B6!<9>Kf$|71~a!?s6>9MpO?H?_Z0>|Q@Qw#)z zn8c4RxTEg^26POhT6Vo1tDw?CCZEI9eA~rhVxKeWqFx?$8t+rmA-<&zwi~^KKW&>2 zScA3#epBpw*QX4Aa`%RsYpUVPt~JjeT)qWz8M03AuI_^W6X-vCeyIyxX`01;MiBW; zarox-84(X?po;T5M-Kh;vX=S0vX(ya|8WvICVl$GOPQBWMwbE5SuiigJk5B)HoZu~ zP;jl5@+{+oh6N=&iZc>QSyb@1l6icMVK87mBNz~sovW5yu~cK!(&S)3RMMlCFtK-C z09$|FccFO$?so@E6SUeFrZj5CB$anoL2J^-yOfcO{x5yV+`InMSN78|)-E5VAIgki zjE;*JwnuXq3ul#!4b1!a%iW;9b8xqIih)kvamE_v#3IHxBzgx?CJ|j4pnoQ7v3G^vCJIJOFFr$3rb1 z9AO~fptMl-_JBMvQMaIiEID_WJz`rH0O+8|_+Y|7+Y=DU0vTur{?H?#TWD3ljIHrztz-iQ#DdClmz_ehF4aNSt^N^TG~)N2p4pXo9kQQ&qXSEY?mp6U 
zp!Uc0Q1|L_S$kZI!fM}`l%s=1+E!v3B)#2_sjbt4?og2tYHME5olks5M*QwIGH|x~ zpZPp0L_=V!WFm{GDpQi>SxzX|W)UwKC1sf=X_82marcc*F^t12X2jv4vU4>AHttvr zF*yzom2|sKs92w*v=53f22Gd51n0kZflNi`-6aW_Fe`0TnEGB|Mf8<^UO4bUE7TGy z4MGOKjT1KE6)!w5ZHZ{FNSi#1r(GeD7kNR?=RLHpdd1UQcKZU4y^Z&Bd52b?P3T%>gQtzwC`uMuV_E0YY1brmq$0~^a?yo&_7KdP|{VehiR}87mMyT zS->0kb@0m)+Ecgn{jzTsuuz@j2Z|Wfhp9)z`>9p~-l}J}y5!8?)V{CCLH20Zte{I` z9kgSDpC1nY>aPFT;S=8d?e7??(+k_mx>9L{3yx35m_(_Kk4i&MRqkl}6&5{^-(v_E; zbl$M7iC9XboI+K>Bq6lolrWV*RlzE!$%v|g#V`o8m=Oeu%FaD+t|-Pa=WTKjC@Sf3 zWblsZRacs!3);3`#!Gu&19h#pX1z5QzYX8e5`Ft-dj@S}woN25(a0D2GaKj)0iACi zR9`!^o60sm+!YTz@P1U^=jY(ZkdBPKSx=8FMMXv&?s<`=KJn86zx%iy(iu{uYc_Q7 z4W4+ov8@p_7lKv^siH6?G>ru*XsSrblQ8E=k!GG?(qb4)TFeM0MP=t6ZdcUfn8Q6e zm=u*99i4`b&?RyFV9O00KvSp4_FWks>)`J8vfZb097K=w{=?8)=wi_N23(Nr@v`8+ z#X-e^_UB;<1*0VP^vsKL3tiJ~J=M2QFwip<@%%@oj>6A7=V8B8OlO=P;EIZj&>8a@ z$)htD+N8}&k&rNlZt_Y*gjW?@A*wj%+PJNh=Y2a27%gT5jH0r0kEAOWaLkdM959MX z9<+qA!QP)-FJLs}wJ|00AL~DMwK$-U`;M7hHw)Dsl;n7R2wn$&Q)(4FKZ}7mF}vIh zdwvF|6KG32Y;8Nkzc^gTnK?Z!6BQY8X6AKc_lf`W-?P}(2(H4Eb4B8?l-g-6!>&Vn zUeK7zD9Uno(ZFID-&xFv??h$i9_pF#ov6J3P*02RM8*DVR{*UuY>ykX?Jg?wsL5+e z?QEB(R(5|EwOTiS)Q|966IX2t@ZPVR?FxOPO{ofq3XM3Q^FkkfsfVC8)M5Y2t|b zAN8%yp4AShtD*C3D&E`Zp&w2EiZvy)o-JnlT3&4))=Jqsd9^h4bDu3u+w%(mz3tzs z4F_Rba;%z7*JpS2@YF&TUsGq%77?^z;(AN^OtNMRCHHN8kX7@;QgUj&-u8Vi>%;ay zR)InLv!&{acPrCl+BTT&J0W3D1-JG;8tWSD>qm+Q=o13%!yEJUnnGwO1$cU#CMq&Q z(anp~^ojrT4H0Z>$}FcU7hrin$JwZeNKwWi3CoJoxJ+r{2}>x4(VFFqXiZdhrW!=Y z9jOLUd9NBoC7(I`$2B1;z0-vI@C4kD2&_T!;`VJ{!{NeK{{uBN=?38N0^sLCM)}aK zL051@)cK3=~L-rF-K8xys+f`ex3 zZXKyRI_Uj=k0|O7p8Z5{KRq(9oDrG#*)ek};j9@oZb}sH`2D_p1e%w2Q-MnuVOu9#Y7Yb1|eP_GfjS~dmcMYRn+(z|rC>JkT zqprj)jAZI>VG95BkS|nZ1n}pDeEG!xi6LL;rf|U$9)*g8RizzXrUYRk(l(!mdH{BkpOQBS9VJm?8dOV}J94 zUN!eSmQWgaayv!RLRB#M3Le<^;g7o!IZa6@ zDo$vs4^a_@1qoB_=CL>uW#TzM!#JpNMjR9>JNNv|jDteu{pV*|9272g*d(#*OlXqc z^>*~A?VBdrvKU?Yi#PpS_2%oH6>bBhHOqfg{KEYky@%6WlLKJkC%dl0RkS7ilNT#z!AjL1Aj=NMg+RolqvogC=oo6nc9iO;-Un#;;TW5mA8n*M8_NogAj%i!+r 
zy5o9|*S6KKz`rjv>R=mx54yFz4lXx=hG*9w?w320^EG%CHZM!p4y&v8t!21^#C5nW zf@Y7PGj?eg9GcJF-Cklx{`9CNRAj_~pI4U8Cq5%Lv$H8qJmuI@DvaBR9Xmp>_yWG?@_ExFql>m$M-0UB>F*{>Pl>mv#OeB!M{3UZ&36wU9s$77g zLS>g)Ir>aaE1!*>^3CV9a!elZ7TVs-eUsdghd$)8Q=GQL{nM69Ox4hj4vKvs391_; zKymgH4Du!r)}a3me}iVk-!`iQG<%eA#Y*-_f`QGSrRg8VwEYDDodMgS@*px}tRm*) z&lwUgRmT7^z!%_L4zB8&uXKl1<(uGd#+&rU3Bejjc0j}5XSaTm_j4Uk-Y7zQ`AhNW z(hHh(=z5vS5lN!I5l zl0a83jmnS~Sx#6Uaza}cl8Ux1Nq82QaY3`j)5fN>fotUg;2J8s)M81sqylOPd8RQ1N3Q0jH#)Gu+(< zA_#e7*LRQNL(1#)e1F(lgulAHOEsuA)!r9l2L^6VWT+}OyMmGn4}P~xDf_N>axm#=Pn}^iwY7aRm3>Ui>!3s|3#sNoPr|`C zd$!vXVZ1UorLF_SUe{xVLip&8TQ*$CtCCW5zDnXVmvP!eZBdgjY7;`4*d$6?hyyjN z+K@#pYceMbSrkULO3sHH;j&Xz5|j6-q-$P8C8yDgLH&qOA9_8F{}4_Pf6BHiwZptQV(TMT;?{akp^A zB?CxvB8FN$c>!)u2t|SB=U=X`pY31YJF&|!g-Dh?%RgKh_=uH6h9s{hkA|SvT-eFC zT}deN`^(<|e+b~`?O`t?1@Q;dc==-BnO@6Qq{G!8Uw`X%o3-vkrG^sQQKyQd>_x)N z9{bX;UQ)Qk1e;$3wZdo4qoxkSx*;?vp*=Zda7$W}7 zc)j*&xS{*S6d+u8;;18*^653W5b;JJX0FDK`!J2wh0BmtQL?ZidPFzrb9<2D5)-U- zQ4dml=Ca81Hc1l_r)5MaFDgY^RZ00>~yp8jewXH`p|B( z!o)m4Vwa$@ppS~fjmdQFmffoz4@^n?zt|<@EvbwZ&C1Aj^AcXX+8mmrQWLRJ!5{2i z^snB_42xupV(jj<2_dz#?qk0>O%{bezVpa88-*lAm)PEqq>D25l4jw@7H8v~rOLs+ zC_p>x9|)7mD_OR8n-yZI*h*2c??p6E2~SE6sHqUft4UMlWs+r8-MA|QqA;~Bbv|ke zmz{2@z7Y^hMIYL2shF78QqjjWURa#EfVMzuwtCukbsxM16H~o{ zJ+F>l~>pLbbNR9>jx|boB@Zz zg(g_-0yxyIW9B>!SrxI0gbC0;lxagsD)y_oDC4rOqA+hf`&DLJ!FdSp*JKP4Jyph*7-jHoI=nX=sD>^Y8CL`Tfd_J&{wHXG49Y z=#nky9|84wxdjzs3*x(4Z1Dt&&hMc*!L;R+sRz=S!{sq35HUe)y^=U(JdIQF1t%0j z#*DC($0UvtR`a~7qS&($<+cgV2L$1=(@oGf0%C&bL%U7TLz;w}Ao`g9G!w+0$Z3MJ z`%p^J{{uFZooPcYEFfY(*vpo@N@>Fyk{21=WJEP7^MsK$sj4tc+PZWz1x8_E+s}OL z3NAa{etaV!_JcmO+kP-Hul;x!ipF+swjDjQ1-lg_d`fbAL*uoz1hVQ(0b(vQ=!bBj z2|Lyz2#8nwKk1HzGZvLup7EB1!nUAnvmvaCBe89zX-Mm^E@Ee6wJ0oYi<=Mpz-6af zoNolg;?Re7TO1~4S7u)Q?GME4oE;X02^sE8ur%3yOzc3FSoI#dt;$8Xuub#!ZEzX< zjqfTh^zHKQ8B=@B9uf)Xu&prEpoJ%V?H(;fkTXs1U&#U^2azCx1lGS@7hPJY2CvavYP z0xS+HJKZ*YBOtbkKD665F)?3!j6dd4Ts#EBzg-=K(i>YH!(!kl0QQrkuEdbXKJ@#| zur 
zX(1_p3MZRw6xkS*XaNQVm7T8Zz7Y^zM<3d)>zJ5V*U`s3bp`}<2BL!4I8GIu53Gom z0V~j%Sx)mhNkdXJv<5=unv@A^Nm3?FRkJ*=sYeBEU`4b5Sb@q;SHXF}3jCqnD(C@L z;3|j-4z)5vVh8Rf%-f4t=9~Phal8f*_^|2ss^QP4_jflcGW-9=z8v zwaFmgX%PBRHVN~&Gni#?p$Q7V0CaKdn7Pg?#?z`L4Qoq6^DH7|oo1vhJS&`o*3Qz!+z+|q4>W~K_sBs zv)@D2X#W6C98=^u2nJMWf+8>CQNd^Cl#3uC&PdHuDm-_Uk*dlnQnf5ftEOmkHxE%1 z*@%E>0U`jEovz695CQl@yA^pZA^?9(Nq7C19k;HFfBO7!tW*M*4FCaih|{WW+DF3Y zhsA>E8vdyvJjO}CdVh8I+B#4U=U_P@#OH87%GVaUz%!(R6bzfq7?STF07a{6opc}` ze17O851HCPpi3rD_sa*rx)XwXz`Qa^0Qz)d(}I~aeo1`n_;Fwrgyr@lfi`S?y($3E zjEM)h0+4;gIwk@BtN?VC>6)59rKkS;Bo*Dh>%nNN8Kb^|i40G^Q+NX%^PG z`wly@fe+CF-~%c<-Pq>=AMl5E8~a?~1OAw&P71=>5e=M!RzQU&XyBrDO8Cqy56e2s zD6|XZghrf_k|&g8c~gc_#)_=<#7%bIKU$FYM`fpL;Jmy){?Kj>oSXN@AM?a^b9az0 z{EopLxqb1dJ_5dU^sT!1uTgGQ`cUZSD?a!p_@XE;j=lW__+tphSknY+{ypH2K&HnP zz3r*_2Vx&J7c^Q}J((sHs=d-dU+ZoTYe_CP9zkT)%VrHCR&j@teIfO$$ua(w;DPypL|_Bj=NOG^Ksol<+C z^n55ov<%AN6F)C+IZzOiUbr((HoJSa*0p(;l#Hb=M3%A;yU^w6!-xT5%LKIVMHmC? z7F0h)G>5&nBs@*Trd-zm0(TprjbMltAQ({D*#?L{%mf3(WW5GBX;RnDjKVNX);ie3 ztp)6OVlki}_t8!y`J4wHOnK0OoVsvups5*B_k`1r-~ zq5In`UI05lWoO$h z`Y;ph7L)bb?W9TFRPOj7H;P;7e;qb^28@wAiP}*YkZdQRGskvkop6I!{EaZXy%1el zX^()jlTfx#H+P@qPx9i$T;s?NpPS%Y$G=;_tg_`^Cbu0koScPGY@;*c1?UV^cDDMX4>LjiF6Q)MjdV(FHlUirG&Uo8dCxnkp}3cf$6*%bB*}`5P}WjX=4C|MqD)fOFtJs7 zZdh#GOS}O0g38V|Q}kgbm?Lo>9_0RO@Kd*1ecoII*U*n|FIW7P7-JyQ_weDIx(`vJYzl%?QhTbHvpdK3jbrD=yggWq>*T=v5?fV)&C5HVE zUhi*(X<(){l6 znv; zoOkNn%Ta8-Vz_;QyO&Jfy-=PIxP2k=`bF=@ZgaD-Kk)+W4=Q`ExuMO3aC4j6@yGGP zhBZ|qfd=yf0#!ULcEf^nTzjf>*T8_Pn38`Jk=jbkE`EFcQ#_dHg}R~{0YlbaC$D1q zy#&9l*|vY!04RI23SM3P{i=pvy@r$To_*zZ##53jYq?&_0lTr5Q7wChHiPQ9hUa;C z12o7%XfQxT#i3RNIuEkelF5EV&)Ad^$1(?{g9=S>Ez3|k=*&qNv$z$9)&!bsQkIJ2 zYm%j;E}=_xR?G>Gr+efw?;Jd` zef_}u0k3_k+56D+ZY=b{)c5S>GPuYDBxpmA;<0i>t5zDcJ<%Fh9ORBcbNEGD> z&)b-m+>?H@5iaopgbONruJZcFL6moHKNei_`SyYrX#jt9G*5kH2hxzBx7Ii`MF9*ODK5(X-uZX(8`T z|Lgz(yLwVR*vEHz@f3<{oZP*?HbWszXB}U;YbTkHwuzUaZG7VYyr#4GqSQ&9v#JhB z9zn%4EizJ+iTGE@qatduG)>(3z{G~vBn#j*sO*`3V!}A5{RAqA)A!?Z9i98|OC86Y 
zIzTg>n;ZV^at|2@Q>Cg>>g&zs?_9HkLkAA%tpuyIQC$v(OQFNs*?0zh4m7!kO8Ctz zS;lmM&dg{THEm5v3B>kPd{P{!qMUHvh9xcAl4foen#6{jppQ32mnT3@Ch4+&97LDr z!c0)X$y**ef<8?diZ_`_Q%n}HB~?#qH_naom2JJLdR2nDAI4AsH|$f8a2)IEWR6`XJIo{h#YUdJ3EuC6?P0Hr>=Y%n z*}BE)sgb>52iXe|tkz6#uupQg-SKZ5IOM5{K`5+PKgl3hr4SEIw}1I6e}O_l*<1~= z>p8?8sL%w{UPkPJ%2j!oW>HpgJC0PJlL1oW1 zZT~okY0rhK;4>a=R#=uE75{xOrQf#=7>Z7CfWg$Tm@0@AhJ27lFs2X>^7HB%MeJpg zfedaPfNw#kx?~3>8O$07(2Frehy;FO$L|l&L~siSK&Z7sj9?D62r4we2o``>KKRAY z3M0RAz9n!)_2Md%sMT-I3nbBHp-m*&cSsYrOdL2xG+Ab>A+(@j(efPFcia|gBWscc z$Qo4kTnqJ&gIMTXGz~tZf7iw5)PbM{4U_e?tcO;a!xJ4-vwnabt7cnn*EqfUzs)zX1v&o;gRWlBuuib zF^x}r7OA7bh(2!i+^UE=(`>Od$u&Kku-K|1lxHDfO~FWL(ZjjT*2d^03otsU?73!( zj^h%%b_jaS)-$8&2K8?r5ZlG%$DLJ=G*T6fv==*~WY5h;|{HZj&P*+THJW zH^Y^XGE4D@#vEV6C6S!m$`(LIVdTj0J=)Mm@=pKCL&RbWa}86#Y8BW$Bp^3Xyf;b?hWS42gAIu>TLWL%Hgk{ht zpSa5-$lqzmAlnI#4ogGCTsyI5yF(4QZZe($5!4|1?y2rwL{eGVNgGPaBIP8udKbBE z+=ekF3t&vB?723Mj^nd&OweoNo*A``-|{`gfL|ok;Z(zpcaEXJqTi}Bx{Shg#6A!N z>A?d%x_zcFy^+mcZQ_XmOQde6pXIH^f#OZ@8$gd&sw2GkOw;w-6?+QSda`k324*h1 zr;nEqM`sIcW1j;wLWL$6@&cgI2fw&6WMQKZu=7G~{L}L-KE2clL3u2&IWUNDp~B5x z>NSUth-D{w+2O}^x0U~+z5t@X0AhaumlY%1%cw|_7YrzaH^3G!)m`V|vyzla z+mgcS0^#-sHeM=OfR{pL&-Df#^b+n3=HjJ%Gx|;qnD|E(c8dW2e~IWGc3~Bt8*`SB zVvPzJYP-4NvOL}}WU(n2%99G~?a#w)y^IT<#?!wUTa5)JEx}OIf?4()QY2Jpf@Lp5 zVWBhUP*MX0H5nAt(6$gJk+O!!ni`F{cbkNb!b%pPuu$1^O#&UqXA+p;$MHmn*u->l zq2Y9mn1`!@5*H_4Qz?B^+qsh`ZnIrU491|%FDg3$h1i0&{9Td^StW5Y8@2%+*wyB{ zalTpx%+UI%IEkw!)A|AqF_QC{h)|IUCbA40GcCX%w?d$+atm^^Juj6I0a!~N5U+GR9uEays8(~LJ zul4Cz)1RDpjE1+}S`lU{Zt1IrDQ=Z_rWkb0rXd~x|7soEBr4?h0dyIAkx%@L`Zsl- z^_{O)WH{II#;T(|ZT9H9(sqQdNB+7g!4l!Pg-8=j|i8gsYV+t4w(06K=s zo@@5_m*g?~dCii1^O+==%pLI+V(@Ugf2d`26+(xIb&j^{XBQF1L1@!~MhNpxjMmYGqfO`>uX*J{E^DjxyZh ztLU=m`FJh5i~-3fe%5WZIHs=2@EOwU?~jau(fQZY=+YFL0+c|?OPp9EDk5{9kkX<6 zbsM}5D5DDiWvJ}A2JeA);RZh!Q0AM_i+)B2&=3-KFX5noj;uu3tn1txuvTeXk^%dE zAOsK^C62Tfd!V7^)_~Gck#xHI5h~-mM~EBPdJojt`ocPZm_SGM`c&Mlh4%w)3>SUZ0q4SJ#rKu@Ubxi*N66R({op7?a8H(uOICal~+sz?vX)Cc}l!@D$&K>TP!F8W(UB>h2h-V7c%M 
ztD)YO!)r*y66nCQB3@0>Fz9lxJ}#f|awGqE`LC<}U;D24*ZcinFU4619^mxbAs%E7 zUlJ-b!GkPo-i6N0sw!hGbXG0mn$Wt9NRhM^N#e3)Z4+^xx?5UP8(TydV2e=Mb1fDd z$8WLoByU{L?l)9SbU+G^S?HiW2&)}z1?qt06^b$!;AlVMGZJRp!iK4c@Fa}q$V{wm z_2TPUZ^X77g>e{XVL*aw5h=)BR&2l8p2qnwqrlz;k0a+}f#|YkV(83u80Wy(M_L+E z;O{C)l_U*G$|j3b7SS?uSKm+@i9;74aZuTFEdm?IZxQn(Z(Q$v#vX=^@r-gutLK&J z=4BEIM+G-mcfY|7EDT+Mg+XP{ zwMP%M#9@!~ByU{LKCQ3@m4BxXUqc?>uq+q`FE(soDq|=MV^s24UPnFvDWBv9>)8Do zlKQ73M$5jx=n@W@sO;hKpM-&b`Se<&XBD^>j*;Kk>L4RntKYbS2&l>6LCqAV#N6z5 zirFamVg-^TTf9Uvh*$pdNzWNH2YHC?<<%;1wDi3!-I4fSg;v;d_EpxQs|~x`UsyTT zY6ov5kG9~u-~$rs3wMEihiYXH-{`t#k!$pUJa6vLF z^Wh!9B!Bt*`QxQ*iQ6lRPn+2DXSV0x*;DW>R`*gCCP_SpjbDI24~;{CW1p{K_s4oe zpik-AJn`?@Yr5$&(2r02yee6!KGIy{#9)9b8wO9>ZYS1#wL%a;=t4jV3-l%<(40(> zM?nb-k=>FsU9a0FZ3Ixd00D%`&b3KwyzARL#1!YUN4ci*BoI;2_iFEZR+##iJ`iI9 zQ;hk;8dwUu9M?92+h9BU$z=kFbpRhL!(&pK~%v51K4$B@cqUv z;1RDU4kzLbVTukoz%}#fH}T^JE`jxp`1c3+rG717B^Gb0-%hU3^Sd^Ui|F=Zd50}d z0WNl21|@Q>MC8>gf-JFtep9F{4w$N^EteEO!2a0PK;eTz{L$~*>BiWwrNRLg;8E6MOAY51$k{zlGL{&Aeyx&2a;yyyd8^WV{%6e<)VQ+>`mAe3li})i!RGrq zfcO1t0429DU-u0VRpWy{0`Z>ox)t{}kwcfoY4!5~Qt2{)lu!JhWA)f_u((KzHZMpN zrjI>#LSo$)1kMLy%)#iM-@{2_E%7^3KlHEv5@q3E)$JT&Vdpo)!@n`V zeJ#Uz`NWNVi8D;kw$iL1Yu{hSc@jlYh!_d>K2Tf^U8xAPr6QEU5j}4xf$DNYX6H5% z8?BWtKx?70bBzS$DRLRfT$(CW(ClvFsQ%^Z7O@me7^2%h^m$WATYQlArX$XgYySO0 zY)`v;)hlgbv*bkn<&WXRA+;OEHCKA9(~xFsR7ir+Z^@=xvVLqt$IM1*)&jSH^4*<)V6!^ zYqo2KEqF*gTFZik%yU3nxNiF0!7>6XpSZs_rs1~x&erz739H1yBi;ggUEvw3I&Wf9 zClpv|V@`@TYQ&bxle*xnt!vMgY9qzc1xPVecCNQT+qb#A#at#TR8U34o_*De78|=f z8+I6TX(cyO*y;P=m6)J^J#4ea)a31a%w<`DPjldVvb6N^|}1H%fZ~n9F{9wN&RkP8OxPV{M;xVSjq;bo4snhN?KrE zkhwkZ;pehuqKgyOys4r#BaA~2l`^hKQAIf^LyL18g4waqjWU%p^ zPG&9@7Aj~t8Hh<-t_B^#3QAN3T7UY;+;5=^gYpjTm|h@4kU;bf(ZSXj_p9}0h!}LB zAiU0wnBsmDD*S)HUw``l!RtsDri%~RpWWl(aqxJ$ig+E{1f)cqw2SJsn*}09T1le~5p|tHWnv zGQbiZL2`7;XsQyw`rb9dL#?{UZm+Prh;Nz$MZ|U6@0*rE5q;uk`6lsoN%|70XM=|t zP(f!y5Yc66SzU)koe|E;l+cVuq>So@v@9%nnkTHO+ytDd4M9v7KoC*cxn2ny@BPOB 
zipUYSgua0rUx10(P6^9tqR7WXCARoLJg=hTH3UJ>aZ@7^VODH~sxF2L8JvU6<;8_#W1b1`riGXlCOkGxlU%l7Mqpw}AK=V={V9MC zsJyrdt|i^%Nd}@{9CJAgYCcRZT?Ui$iJwmuYxbvOd>n?Y!CqYRX_N#gBz7JJ+aCD45fz=7QGnS2tB(KI_5;`0~&VDb;2pjA$qufdiIg zNEtJ)4PWtl$t%?#sx{y14xegndC3L6uAhHOp5OSN9T3@=k6Sm>cDMRB!PS1xAEAV0 zoSwl=eDH0vI*4=J_inWcTGp-L9t<864u+2#g>mso6-UFmktS90l&{uGt0bOr?ArxLAjuGeJZ<}Za0JFS@UDzatHivyB5vu0? zN4FsD^h;i-@@WM_@7C(G^?(!AXwDlExLtk$+FCP=(7L_4=y}yCB&ywr!Q6%m2ef~U z*zp_~7p?<-J6;Ck@`;~OORCBMEcDj2&=`I9reLx}y<>Q#!4fVS+nm^$*tR*b%@vyy z+qR8~ZQC{`=EOG6+I!!7&j0m%U0qdOtGnv0dY5qn^sR;XsNHUK_T#~TQF78It4^B zP-36HA;0`*#+}CohlkleB+?&xzX~H|hr-^V{f*Dy4T;kr4>{`$&b-diRm#rwe=nWa z>{M(cO;D8KZGDQiTEmdnjns^;jqpR?hgc`??4}v@c<+zwk`Ur4Qcss&F<$$AzudMe z@ni%gpdUT|f;LhfOI)gYf8MS4;67;eBN>}(G zQU~|kX2#Vaau%1{orsz1pemrX63-7QunahU!r%y}(*YqB1)O-o+3>~v5i;n%q;@E! zU-=kP2MK1$X4noVz=LnGGZQ)Kf6+bP55r#qKY1!7k-y>XjW&w zH>1i%BMLaLx2rYOauUj@s(#1<*%tk>G{jL>%e@O%BpAZc%_bQAS-Gx`S>ivc?P{Qq zmSmqBa#_00a!hrc-{(Mo&l?G#V#<5*Lz4`65;cvv0M5H4@_Zc?0IN$8%nf|I-V}p}A`SZ(!hNmbV z|GPQ_$ZGmWp|CX;a?fMI0o5$NN-m#Sj$EGFG8>h!o-X$H7F$f#Jawaz?m8F-HZahX zo4GtZ9~f8&>)jDQ6BQA(N!Er!FyhF=w|MHRZjo zA7l;_nSX!SaNz*P@&DMo+&b)!vw6+bY3@h#+%7Br^ZZMGx>j!hGrGNue5?}$5sn1w zx+$v_R$1pIY7yQx%#GpR7V)~Z&q9?8Ow@n$Gd-fo;R+=ygI8!dTU(}Zv3`iGU!Sp! 
zYYs@Of=-2Fb5k#7CQu#8iQjX@SaI?&HqLvjgSi0P^;R_sX9up0LU0DK9Dr2FVTQ4g zeay9GOSQWm5@>W=f+`k6aJx7IhShMmsGmPrSC;wJwH}KT*d9}06>UJ?bUTOC;eIsdlko+l-UO>F{fgwM zg;lh|2@hOkaK`&eWAy(nXkfiW^TVpu;}O$yj6T0)1bZhvYVs(&o1IdzwU;EY@j90R zMTaz_)S@&;B0W<-)W)x}KJAAVzv}V<0!aVEhy?j@tIFtMhOt7J}$i?D53cNSDF&DiHbwT&I#qtwq zaMym1r3vHu?E7wPVDs|Q@hC+x@Qz2ZR^bE6>asu`#IRw2a4c88fbH90;7EUfIyMB& zho!a}AG~bqW*unkD;RJXF7K-CE29%Nf{U%$ek2U(dUL5zUX?Enn194ds}2+L)Fz?EaaD z6H_tkpZH6pHLSj!2BF#y5wql7%*5i2nqoCK8O&fEG@(18eFQW=yhPw8$PzJ>l1HQ= zG|KEuS_>jy!OBR1Vy!t&6|Al?E7@Pf%6R5ay+qThPm%^a6(h^?9k-GNIpLISGi!U55?AJ$rRV*Jc@YjxkD z>70ZA!N241^Xz&Sbx5IMsLAd8xZ1>H>PrSBPs(CIR{7Y21T<1B`3OY8C94Qgb_%-> z4S3Hw4nKhJKIZCdFSQ0m5gj7;kHTf!ckF7xB{Ll(;A5Ts0vpilypL`W_s0eMbqjm- z!&-c-mXF8G$C=pwrS+t>7l0y^_u@i`i_RO~9iJ{X-77>ek;y66@Cff5+=6K6JlK$E zr1dBfp-J2#1oc5nS0@D<6N%N4b0oHscXqsN2jAov^a}Qu7^ogFN09tgFmsiGb}W#3 zAx^x%m-cz|99(Pj7#%{-ngOoO_s?(Sd{;>(L%0w7ChsIe1owe({^UA5kb<`Un!-?R zqG%|JeY8DcF8#5S9qQZE@dI4J5coXrA_dp~*3?c!VebKoBETpatB0wRTUHiD6J@1b zObyX)BvbK=D}ig$BGYMO;pFW7Z>jB=Q4fd{u-mEG5})_9+42|0KRmw!lzREb->V*~ z+PE!+K|F;5e*PS{l8Az%gvX&cUzlr+JV!m@Q4|zB-qfL~pHyswtft^ca1UfDUa!E( zqr=uvlC}ha&tY(PPw(;&U=1f7a8&_++pj@km{2D9CJO@Ud>Od9D+~4aj0F%8i&V1> zCs6jJAF4ay2%vJkSwT&|TM+DS`NP1!G4Un>!g-5c>qfkBs^))wo{N#lKjzDXV|>)hWfif~o%JVBqZCh}E)YZpke-gCsE=D^ZzMUf#aU z=)Hv@Z@t}^JNWtU_r%aRLk+6gNkDux7}UGK8>XEtj#%{@620mxt#Hc(I zFEySeZ1u^n`PbhiI;E?GCh}MJBnbW$x{hcYj^GI>jNaGiwwWJy{+TGdy`1g zjgk(HmujwCB6o{CbmE6%41Z4#A{fG)zZSwWgtjMO#rDuH_Q*(LlOq!W=AqS6qGGy> zvlpqR(a(-s$8F>Fdq9fACXmQ~h>+Qfg~NOX$=dxc23$j{Fn=a>kcjJtk=ql6q0*dcXsD`IRzl2Z=UBP6k$j%#bU?fs;_e}K zt%P?JI`7qBV&2kP*Mmqp1JSMFSzR=^@|h62v;Y$7#5z*x{sToSt0^mY+Q$EA2x%HJnfOUu8`z8e6DaE_ygo{>#iSaR#nTC=Xt3?H!{!n1!tE*|fl- zfC2WdAW$o-;@KD;15&!TnR7g5#S?HcnyUAKx1<<*{yGM>(c<+WCIJ(AMI$#|1g0aHOU0NrvOkNu_ z{C?7{xH{;2PbK_eC3Nb^e-s`fzo)wNnjUBjTDl8t+ff_hlO0So^;iM2Yhas8<1MU6 zD>o+J@i<|BVYxN*XvSAb0%ny}ZBX(GJ%5g3JYHPz(J=3h_g?IJvty*g*h0j7V4e-+ z59k+;FAsN2r4SJoe4nj;Efb-Nc!tUUgV8ppoUkV-gq=QbE4MyHgBj0?Pb95UNgSSY 
zAvdOr;_qzB5o5q2Pf%JX(Q=ZxsTQ64W3UZde-VAojtVIXYeBs3q$&^cOAab1gu8<~ zm>!t62EL&hJ%IM4X=IB$S8r=Ym^o3BuV?@h_@J_`2p^srbWmKA9yAtSKuLL|A)-80 z=~*uqUbQBj2$R+o_5``Rs1xC|Y4v;q>++$0_B5D=cXRpEbuEmzhQj^?x5p6?|qWxwV@y26;Cx$c* zuZ7ilIB*J|=DZo=*PJu> zoiOATh)OY=!@7OCtaVS{pCw@hVswXk(k-xB)$m#%rHdqndMM&x&^=`;XlysKDJ*r` zXg}b2Gt}s$%zz(-%*yBkew1ddipN(~W~6tP7P)SF748js_#ONM+4r~W``5wyW}bn` z8^_PA5FmQ1X%gVLcc0T z;L4b%rH2bd(4#H2mKzkjMMjH^gc+AB5*!~Hg}IGJ#prOnF3T)7TI|r#77Hoae#s0p zbWtMK!sjxDzwxKqoPbV3dI;&dwNRLldD4667h$Y!lBq`@gHkM((Fo$R1UAf!uZ`Hd zy9Xe+hV4_l+{eN{f^Mi79-}Tazf^HCRq3xKv%NqU+}l3?{2-^rad9uq_wvS|B=<^R z9`Qw_?<|IGqN!mz$WHPV1EMlc8WPR&+L-0_QhD$>Uf%9*BTjepef8{nYJWS=0(kEy z17<{h6-=jlpJUGzAC3kKe--h;N$ZQ4>(<|*t*ElYHd30iVT>j=Ic1gQfYM`|3OTN? zQ%1&|vd?=|%j?=-x50=EZ^u;i902Cpv^eyTRlO!WM<+?UAM1~mAfi9@OBA*A?2*nt z4QGOe&nHHTr~@UOu(DN;vfY334eKw{TA8V8ft8n*|Ar4O z+8#7S=M*UpGHpHQXX^E@J`9^KuRiYzY$sNTo}6isvJtBlpE-Bj_w-5=H#T0~IQ;ti<@LGtfb882rr$;O zZp{tOBJs|eiGg0`UyY2E{F`w=y=)_4snaU(d2Y`iQfKc}ZT+U^yjO&Z&&fVw4Xd|} ztCs^CGs6&T(#qLqA4pe@7Rl8_SI^7+5Tl%GPKWWNb}y05!EG-+ZXuFi)jP$Kf9bIL zl;&pEr5lek3WPytnG6x^gP*ygu=ro{ZM zOHurk;#=G=DAdH`Z8uFmFR&^qbUJ<>)?DT5jjqc+5K2B{MWL?Exd0GNBbjvI93;VR z8JiW_>jfmD3ne=4L?86NdHdYIiTl$^5AVIBqeC|&ReeP0Y*v0`Q+o!6#b zyDa0U3K0EJWB`YH8S>M_6i|Jw`I-q=N(z8QzQtIJT(V8&=-MTh+0}>Zh*PuF2ZNVV zTb=WoQd!j57z=O$bplDtxunJ?0b0Cw9D=d}N)uf890Gne71aeMJz zp2lii4S1C1@?8Uo2Cqv(%05r@9jURU%;c~?lvztd2Q3WJ>da^yxV1(Z%aC#`{|?gNi(%13~B5EHxYRN z-m{go(`8bJrd8E@gIDxdD0r_@dZTmY`v$AT3Q{A){CEf!fv!kc|0`~DI%!$=6e-If zkqO9r6yVDA+!8KpiPzjHIwJ6?ejT2)9E+lm^x!R-YRVEjvzuO|E1`&0We>UYwmvVH zmpgPVfu6GWaU@H{#JPJ>|B%9+q{6 z2T*}%wAekpxktyV`ukgkBbKfxg%3JG5)rgZ>|YvWIZPWl{|M)<&>hE382G^BZP7B1 za1>8X$!UusQzI_cPn?h)Edl_$VeMD_B)p6KT#{m2LEqf+9niYJat4olc{_rVazTg= z$k-OHI`@Y7uX=WPDhU9Q`IBz&>66Fu4voI9OPQ3v6&X#(Qu^6oRDg#aQ@zr4wTddk!+&NmO(cpJVG6i%Rgs37>!D?fS8RgT3ehm2;yeTD8-e`Or^ke=r0Y}P3LB7Z3(}AZ||Gd2USm1o}b^hHa_Zhw^~Gb zXIv|%;5Vh<{p86k(KSjEKQ>v2?60~taXqrG{V$Aqtuxuqu(P9dJ~F8F55}i!?F^Pg 
z24$b3@cu%S8gjbx4m+vLG~?B&hR8Z?O?uOCIjC{lx^mmPdlFrs|3aMu{kN|1MrTID z9fvM*N7+)d%^KH@*JsTtu=Yb5b;{0ttK+K02Jk071Z)|OkQ7v-VH1p~Ei(=}0ku}Z zq)6uk!3+V;y$$Jk6~-`gck z6nIye5q5vg1Fsh|&w}`i#$3Mx$STH88`1HF@QoMLInjE(kKHM%gZ37Y6yw1IqYzK~ zu^e|{b8`>_XKR<=$Oyp@0DCkiLSI2zxZzWZapk`yk+LblP6YEGL#R6YD}J2_MNizG zF%%693D{4?RC{aaVM0GxJjqkGQo%B=gu|@e=TkI6NN>3M+{oVFM{rPtrKLx4l5N~+ z*(+im3cSCF&)JicpWV(?27r9=0rkM4n* z4dxb~q9Naq87Y{|8dxwFfA+Ir`|syhbWEXbgp*N2?u+T8rBagYL6#&-W~{kd1361< zu$hRUf#P0*nGt8!oJ4GK4OQ_LkU>E2qt6i{LG2MU`kP*AnlSi8H~xln?oK5-MKt<^ zDZFaUs;#hHzd>NpdbeF1Pw0>!tehH8xpQZ;#R=>-ibeYTQ`nQgi^zklD!|LkYIoSv{oY!$R z+dY$9)Q~|^UJMwgjv2n{JXw_d?Nq5Qx1u@HU-Co4>x~tznO4@Reo}V~X=3MRyHJ1B z_@09N1``}>QP6FHZSmbQ;E3}hVh9L1A=^LscAu^I>J@Gqluz5+uQXnug1GV==4Mxr z(o)$y2@dU-L)7S&w~n!?Q)vRZ2%em2R=*DaQ|%hN79)E>MH{7Pu)A*`m*p5Yj%IO0 z9az2W-pA2re<%pG=&AoFc1y?9dm5eI`(!l?nF$81n_;2 z6g(#eU-_Q!_F>1>3AZcda%?7{z)iK)LHEU23s6yOL&@Al%wD8&8zPPjQ-FZ_!pd?n z0uhlkM`{QuAP_YUuyPBD7~;BU5wK8F4yopLi;YGy^I+*{47{5UW+1WubFROitd891 zjk#wyK1(_a`4OQG>IE>bgf)(#2HL-rM4uYL7&3Y|%g7etHtkei9m;aun?gsd^*%wG zVLN{Q8NigqXy6;xJ`lVPt>)FQ@brBV9us)~MI=-ZxaQ17)Ok;sm-0vm5jR&3uo~gq zBBZHT9HcSaKK6b<2lh;E(TNHID+!gG?=cgLqrnmY zSMmlijw_vs8gekGh*EZI8R$a1=4j3^BWXe!&LM|>Px)6AGD~l zRpd>M*xvCFZLc?@Cb2wj!6z>RmAey}*E#7IylvGQ#uWNlx#+a(6E;{1Xq!j}O!T1g{zEEL=`3r+Ax&J8ZnhOD{jZ$q9 z#i-CuxT^!AY~nIB`FqrpEcBx8Gh7XO>hoZ2m_XymO@YY&*B8PGREmot7*xORCDIUa zmX;jz&I2fvXIcMRB1;aGyKxRZRLyJ-0(3cTyLv}5r4r~f45`A_}z_sAuB!vYdH7; zA*sEc=Q-YbKU70toU3lwwmYruy&3Lf!qPh^+^`cQnUo?<3X|LnBl?@(=A6;+$$^5B zm*E*2^|?`?>|rzEGc?@~y4E++&(p{8fwK*piw{l*%g^gw8%=%UoI7H3>#D=IYf>f6 z0ePQSeJ6wT(6U2aAK_ZRL*{F`fI24F#&G8^fo32YsQpKSmMit;5n+xpLv5(o!)Ei}df+KP3K@sCRP) z0C4jY<7__JPAM+9c6iGcl*-_5+1-VlK!eqZi6uL*4aUAmP*4|f)z*M0ys|Nf5IvB> z4%aDsPU!_PHTedX+JZ$D>54?U(zMIfdXd~?A-47T;?paiHdep_gAUSPS!(gD|SZV3KHYGSTf63cL{cRTn z{WOh)&_ts9Lq^f@td5sE!lb%%wD%c&Be2@a_NaI~q!%Z4Lrn z)4vGVc$ZC%%2=lO+7^&$+IGQs&_Y2+b5{q~sF~fdg=H9|Mw*;@#0L*Ff@a_Ui~yDk zPpAd*#uSP!bUX8p1!^xWt{fB>>4xDYo6b0}q%tqr{F)t=EndYggaO_bIw_#&iIdoX 
z?*UXdZhS#Ryssq4{a2cK{J&ihbQcfMsY77)6Q@*3or2q_D$r^@Gl8YLuU%4PP%Akk ztQbL_dE#vn&AP=fLi~ z_Q0NL`Q1?drAf^T{a@+}t9<>ZosIpSbkR5^l3v2ms5h}a)>g|T^JqzOWJ_U-%~Bwz zEt#!qqwdQ=SD8#J;pSS{51+34haY&y=mxGGwXB5`_vE$avfJ75O?r(cYX#I{k%7H1 z)f5_Lw!xb%l-nh$cGlqck_{)!mzV(<8(vY*Z}YvCCTFQ<3{3A+a@EI6vAxuIsNbAq0c5#z<6wj>Hy~QFqrRz;c zsB4dxtoa-WG2iaBel?5W+spk7HYYNF=B)|9*gw$dE-dB}*oM4;9+o13LU;?CHd+QT z@&wFeS2Xm40n*6|-A=IM$6t}^c~lUC{1fdKqiRt`I37`EYhXyuX`$r)b@$*GYOx>JcKzU;n8sSm5@L}lp5KRr)y;r zw?#M~G=bEU(mppsLo49-l#A^NB}2;0^N&uWAfC^#)OMWFlHK5;hefte0W-!>?SauY;JQ(y+&s7RhF@sKU+q$OCkj z`_&282P_OaC(i=75#0HVC@$(VCTb~AA1tw5l%zr{Wz^s>aXn?+)r1q@A$hhDLCX1X zqywc{54AVvAs}r}O_ZhXaoK!YAPG|E2iaytO(qHnd|pLPWvCwlAlyXqoP@P84YKEB zmR}4m-itY*p=u7=y{blqe52fRL1U{l>4eNY-Zfdu8lJxz-0$A?Yy@EnKzow*R78qy z1JIH|%W01;qC4DA&%~slU_)zBKGyyCQG$3Rm$6hZnzBhf{xVujK5xX=!cwd68@o0Q zTTiAD8}q6pKDPh+cW**Jq{02Cy!-Ey$QJK1>on}0Ia*ovI*EgAZfbF0=NJQnEOjC4 zPuFBhadBxlJthlCLl>Gtgv=pK`%3cKGQ9ERHELiZW--RR(cca($qUb1;0nw-*z?TQ z=NBi$B>}kKTnYl7CgYGD2fM{2YDgv^VzY^VFKkA9xDhwmKNXdp*qUU*ra^gz9Glb; zd?5d>7LxjY%BPk9RjuL}U1T{ey)_b3(PpTnJE$jtqd^y8q1E=dDbKzi=br03OXcFr ztMH#yf!t(oPZ;0lykSE+v|vhIMtEh3a4Q!|oX(2Tf;&i+>^tS)giRjtprV5-&$Nnu z%(YI7VKS4~>l#R{+n}4*TA!Hr%csuVY#zQ)ELy1nVn>Pb?3i^|7}DU=ohA&ifjB>< zvs>wrsb@2IHImkF#tuhKiGga(_B~ zQ~wYN>XV0qbQN$QgmrsS_~1Hk#SR2Hi@AFRP=Obpg~>!9cZ88>$aZP;kn5UAvxj(v z)P8kQC_p@EZZ2n5{=yWfRp4)!%*!A4g=_vG1eQ0^ri91R;Gy9^Wl8!Rbuq6Jt9t^L zo4b4~G`y=gcd9CZ2cTif`oh`=bXc!~vF0O+(jX6Mly7}-K-4>5Y zCv~`LEKpusQJO*=)W6BL)L@TnaYH1_)f;Yw%&*K55-#bDs$RFmt13|as+($;;jwQu zi)|M1@-OG7f7TiAAPUZ0cFq!yS^l-Fund_dd285MzKk!4T??Y%mGn zfgfO;#42RHud}kA8E$VX$)01elTvG;rk*Ga&p%g5^uXAj!J-tT)Cos&P90z*JoKC( zP9G?uEf6sx&wQ4m{t`m9g&$s_c4{j~{giVJ{R@`wM5)`Y?eZ&X_GDB-oR7!*90ee) z6Kts(A36eA;QAwprp9`qDY})-z9M^6o}$<-GyW@`jf7{4Tc*uB{+v39SSGwSSQb{P zycOKNQ_Ks@Cbs%T9+ZD2%V$-9ni9Fp0N<|3_6moJcFlEPuHVt!$Il!+F$6(cd8c5lN%Cczs1O&rQ4hsyZ-ef)Y z)U5OZfLq$-n4_w&#R?82VkNkNh6FPXcOa7w{+`mVa%Jl@ZG&6-&BQ4YsI7nh^?Jm> z)27M+VCvC_H@@a+fDxWRK%P=xYK8aTU;r<2n{aSNWPV#G^q=o48@;w`?MoaEL$5}{ 
z`4t2j&tbMOZ9Vjj3wg7H_>=K*%=6Pq?kQtmi6n+ei$YdOaU5~>YUvC`!)+5t>cqqZ zx~f4IGuvr&cZsA89Jx0WmQ0`!8N>fE8Dd~Maove>rSUcbnA_xkT`XN3T8VKDf9H`ehzU2T?eE+1?bumPLrvBii{4R`piy zT4gkqRFuqBZlkU-X^a%Dtz<1J_*v@y8I1*^q*}2s?nwwNWG8-GlpzRRSXq~~Jr*sMIFK6T{qm z1tMiuli{38w#sfj$%X78qx6xevIE7E0=`3@4p7T`FglJ}oiJ=%e{@*%c}H$nKn@tc zS_K&b^E5vn>%^Z>f87yyVW2nU)Mw<@YKOQ4AR21Q7+H+ga+oTO@)nyzTw%{@FYA}R z!F3L5P~>UaO7466#F-e)ow%p>fBdDkw2)&3PriJt{t&1UBmvHsLq({etNAJRK3_Vne<`{1eEC!IC!DH{Cb0*? zN_v3VSm^+1G+$t1*1PbBUC9i*KTc8!>PGt{Dg28AGNwqPq;ZEO0kdhplmn9%C(<16 zoAQjNweMXDgKSSB>j`F&oN_REtqcQQVHphkdGL^2zonL>Qi9i=zS~`j@xNwEtN^qc zPr88=k!)ks^sXJ!xo7bh(4-f-a?h1_GWon(<9^d~kBqzxM>Q=v8!_7M!ss?mSO}QX z{4r;6HAjU(gQt#SK^aj;!!RD-ryPD^;G=sSSh zABwF7C2oP-!z}(u2#6_9KX7R{=jRkXY75$To)09b=95g|MTTpU(NJwTl1NN9CQt#D z;*0SYS`s3bpM+MGUOriBpb|;d!-S={B(W>BoV79>%-|e)4O+Dr=xjeyK0!`?%+-Ns z2GS1&&ZW6)q0k(*=DTQ>(DFEA%~yp7G=+zOM5B+Wv>1t4p)NP~MUSGzL9UNqVt92~ zVg>hPBLJrv2BxD>T4)v=QO;E(Q=(aR=)c%WTPh8<#$>G66zZuu*}VCby?L(MK9=wQ z^s$IH&#mlK>DkXQ(G;bpM<(hwqHU>~SHvjUhCu~*nz#GUN?jpV;;e|cGT-)25aq1+Axz^#O%B-{c&nQN-?;#~ zAoP6JQ8~PYrbsCQk!9U&@?ukf_(X$UV*_2|fHPv^hC?969-a=?_C z%n0^?Elzs+{ra{BCF6?&$vKo9@H zgUrV zUsac#&a^-|Ndbk`4<|h8%?T0%n7y6); zEju!#ugOruUpg2SQW8%&$crc@NzIyY&fHEF-#Na+@fgB3HH5 z0^Y&wjrcD1njgNqcPphA+O4n8u%s$`{ zm5BC7+!sgTeW|33iXr8=p#FG-!T8;JzB2njw^ToqV`WV6P|C3j< zOz+>-`#F3Cy!rthJkbyVKq~tfRbbMOtUbpxb71{oXjd>4+ zTvmLg#!-bcG~-Z7ZVkUH)p35-jlX7fR}gp;Q;dOsHVbufp>F#i?Jyc0`GU!-1H~w0 zUMj9kZmE|@8no@nY$#g9MnM;8k$YEcqw);O(YObhfv3-;R$s4VM%`l1BvyY?Z(U^U zJ1pVRo?@&+aD!Vif&woKAaEr_BlGEAcZ!HS$f;^J8o?kx2vVp#DeecRm^{1b5MyWX z8#-#TSbhRX@raiYjihrEU3Dd)QOo!$l=T^Woi9zs|Q6H4aR+#{~DllEh3$Dtyn^eAV2FgZLAtUv5U$zIt_IqfrlGtSE=qGMQOGk~r)5gp-? 
zjDvp9YxxUJ-it_1a~@(4H<}SC7I(n9O(9q%Pu-6wP`Kl*;@*>#zSe{E^*^Dja&xFRXTgO%v$Fo8x zy(zudZeb3}+-*%Q=bsH5U0yLh;QF7A@Z}2C3$uOE1~uDy5Z7!Y&!j?xXE`P=9^E7w zKZ3!#f2Cau!m<9isyYI+e@J`2+Hct*BT#mb|1Rs|l&i0vjNh%(4>({VQc}tI87d^v z6*%F!jIZxV(UN!!BNF~&eqBpnm;D2)iEc7#2I0^jpgUB2$c-)Rm7Gv0HRN|xRiZUh z*y6DB4sc85bT;?+qm7c8on*cJOs7sq4tnT7^YZ%^+;n|62S#v}9GM8bHDi z)^q(%R}4^Pg^1cA3#Vi365(i&q}}J-ERkko4n^!hb=dWYp@N24WuFGpe+4&f;^VJ! zI-mC4)-Kh)PO@a3PEmSE6FZW70|ySL3}?JBTQ}6vkk}utc=I-9e8x{v@=WMXOD1L6 zP3NWkb*T*~r|9}Tu;Tkcyb&kxq?wriR(<9q;$yv@b)39~o85_EpTAJHfxnBT-^=PE zXi4F92@bBi&L6fC;3Ylv_z~|=;GXJV**1|)JB1=TxS#e1+9+pVjhQS{GcW_ZR2sAs@Fa^j;*%;r? z^kD%q;g|VZ`w=Z<3TT6=B=Vb8mc>_DtPkn%ZEr8zZ0U7kAO7GEI0Ru~udtgoS_4=) z>xVTkS&7Mj#H6YUJShkv!oKqN_MEzDKdAvM0zm0i(Sh8&kLp_W`-=<+UL>cB z$ndCWu*VBB58;BqHkW%N-P@Yssfr71Ian+~vj!HCvY&TnLKD*dk5B1r^0!YU6K-Lm zg`@9V##L+Z*M`3gJdNYdsAEJRMY_WIB|m}WSN03!p$`F@P#1sgzC@imPpQb(8^7dl zZTf?mQF8JogJa=%UO$w|vwUZlq|?_4Hd;Dky3Uk@qj*p>!t9#Ec$Xy^d>v6T`8{8d zBRk>tGn86)YQ0h@g2K*RefhnO%i2kFUG$NTZR;*My? z@#+rN?K%H|`z^&LIKrpT6OZ!c*SI+j&i8?gWQ?{7C_!sqsYb%Ea8<--I(_^S&eppo z3bg*ZY_+vd=;(KQe)>GxJP#PEBN|5$aMM9@eo7N`_oDa-Z$hr``$EWsnU@4A0mSpa zHXtwo_a24X_7-L*3`s4Mi%ux1rAm(T_oFlA?+nO^AUSw+tW#{_`>0T|ck1pmY(E*r zs03s*c^KYrl>n|?Qi_O>kxKYhh6^DPGTw1Q8hG$Iatpnq{h39662t zv6GvQOblvfRfWOs*+#=V6W6;&Of4)=?;pr^zc-Sxm@>1pL0k^$0B$W<*n!ezqunfa zVil39G;*eD8V#?HStxCKLA9isUTEWps)VJ@9a7=jJX+hGz$qCI9mU2Xo2~06LX_yV)^`0$nYqsUhM(d4oN7K$SBpsw``6 zf*N0p<1hY$=r+DEp#zEr%4)%p#%H1=Ub_xW*5c2fe!DT+s3o^LJkg7gheU6J)$gX3 ztQvuD#?{ix1)AGIPe>+5sCp(tTZ3@=jYl>E1|xJcNz8j=RyyjE;{6$Ajgcj``mDK< zu(F9wm_`(tT#j^&rO{ftVk5!o@&#=M?3cg|#X!D3g5T)bmS>pI?F$_l^1nmhCO_#U zi!q-h`!Zs`broVCxk?*$L+Z@L#1LFQaIgWVp(LkTmMIq2_>{FoUslyx^XVvt-f1fz za5uC5MQ{ywmCm*MA&2bCl<~F@E%AEIELmRbC|aWU@56o`R@D?-0DO||4x1(FKKK`x zlWGJ{+ptNH^X)`2zDcb%&>)OMawp_E< zXVHuPG~HUW}eCJ*E*y-IGgk zIcaME2mly0DO5zjha%~=b!rMgOB@!mfAceIA(?nGN-BPC0=6oIBfIKRY+Ey49Tck2 z_flck1s$+8+<4u-GFo|FA=^=T#~`5e&fO&3RYZlZJ#0=(Fi;pWCP}@f+F-+)kP_03 
zrDZu0cO-r&X>o+{^^Td-^CSWEi_A(6HfuK$HmAq(U-1m-3&5`BdceS*<$Yx@^3lLZ z1s$)3^ebm)X-n-_ESGmj8w?3Lmv?R(j3k5UvJ~o()e)8zBBRszSw*ZC?rjB)hq}Wk zVKdwC@Ez$sX_FIN*e4u`fft#*jr%wJm_T57f%2SDt$b4c26g-OvEbAF(oerF5qrKM zjmZ)xb+_p>zx5R!2qkVBXZ^|7AE`YY99Y78VqbyUD`Euat?OcsZWRMdDckl6yqI$qc{p+f>mkh95cE0b^}UMvMvt^9im*Z)*Y z*v85+o$!!zWVKRlmW4C?THU#Ao1qjk)NH3!fSDKMxi>T)X4kFMGxh6QX?&`~KBEB3 zLhNsnnsj)2-^RVFG?x<&yHd6oMbz(Hn${92t&9{{VAb@9#nO152mgmk3LRsijL82X z=_|w9Y?`)P3dNzgySo(E;u_qwxVw9cmmoLp?gWAchoVJ`ySr;}DDdTZzu!5sv$Jzv zGqXF!QeL+}Gj_9r>AlosH-#N{TNfEOmRzJ<-2)OC!y4%3{CE%;aBp=UH4(@OBXLFp0a(P z?Bpzt$h(EL%9EweO$(Ns&a>7=;?JKyT|C2`h|i`Jpr1_P<8Tri<61ZUjyK3FFYZg+ z)f!MYNnyot1Ld46pX)T{u*jy{=`}aRq6Ub@&CIEf0gozRS}j(VFPKE@OOLG!)*Ujm zho#r2X_sEqP60SWfF!2TO z5z-m`1EnUX&&jgC*U9A$m--y>=;|jjSIoCDZQTd#-zNPK8^E+q*Lqm4b%HNe;MQiv z`l{l6KKYj`miMA21*T6}*%6zhbg^?_mowNe8q~c!v=~HTDtPX*?Y+)*n zEwa;+9kQ8A8M7)8{4DrkzwcVy0p14;p(z|gFIv8Tey5(;+n2jV}u4_Dfx3D*QdSk zw+naGtyBlT^hcF(J2Ar7cGTQ{rF!f|)2r$U9Fgr|HzHl`w9t7st%_1X4!yzEw0#-8 zdArpAJS`Z&OujkS_CB%{E}u_5nwir7Has)e zn7_QsdNPu0x+mfT{;kS(h#7rL_)%&rP09cV)589F0!VUTkaA>Ote%eI{*YoGr^z5X zFk;+_^gusXAPt~N3L}I8Bjk#^oH3y867+@orKp+nJN(WDnH{u1M?JZt1b)U`F>0bQ zBIC~ZOJ&KKBmway&3iodY23NQ>pP_u!nn~=_2PZ-b-Fz0hE_wsJ@JNb-*1pwUn8?R zrZKBraO_4>RsknM-#J~LMU%RQojMUlZ`^oE77rob$ne{RU;xy$Hn$*1>>$H%6I~p# z`XokTzCMg#3M>0*!DM_iI(_%4L*pS`95oK%Z4^@d8%{%DwXjz+7uV#T=3W?B%;Th& zJ?EC20?KUdcs9kmFSFL2Bx1H_=Jy+6i?YxHHpcFq5Y2|ckg^b^9 z@aAr60{vQ&M$s=l#TZPP`14kXnDXLJN>yqMlh=2#Y2?zo&jp3Hd_WPeVbc-2Ck-H`lAK>ehsG>iS`Q;bAfjEao3P~ zn6S@a)>OSYmKsw(i+}F1B8_$Y#Ndya%+DykNQOcx?-}t48-Zr?U(X#4J>c=#?&7t3 zV(0U9bGP54S+tGL*$luXGK-ddyi)P=*R}GR9or6+plFOH0R+C zfB$0Z^ruZG;SOze+s_uNk=#5j`O4D7bn)Ted868ut1p7e7>^Ihn zI6~uwSe~HnBhQ3Y!H~0J^;^B&zBqvp`xrV|<${0uRgC0*vB6fjyK<6U6Y2-7Wh?ii z5oKS*h4*oiq3LQeF#h(j&NN%-bK$PmK~D^k#$##GEi=$0r_$!T53iiXjU6g~L#K1Z zY&ur*ZP3K({0la1NUP^%mtS7BR`P${y6stiVw3hvm{UT_>bYy2(-wgeR*f>c{#UB4 zsR_XAr8e#ti(zt}nz)WLX9OR{sa!V`wUsDw0`6;b>fj*T8xrd?`K+b zEfV!+nS(Er)NQJ6{pQgS>rDVmbZ#;y>l9Xfll-7rF 
zPC5a=FqQm0phHS3%ZV7(h0V$3IDF_w-l~zDOV6V|)U?xYxovF2+hzXX6!09W&A$s5 z7kyetV?G7HlUGW!lQ^WOC)A+BuE0#9ldj(H*&w>VA{VjyUkT^00Aw;OL$@!BER!=1 zO(dv}o*5tYw{6iW6sIr*`}YU~Hzz8c3UoMZq`WRIy4&cVET%50c=MRo?#;eiuwYB? zC8N%n55p7Z(_!x<%KeI%W`gWA*y^X!W6d%_Q>gOi7akL7SpmeRlC-eh^W1BE?vm}O zUuV9P=-_>xqVPC2HAFK?V0#HSz#=g&0i+)gtrW%WTaVQIXuGz6z8F#c8hbxtT$pNQ zls?g((8<$jraa@dvy8HUxa$mS`JaHtG&A$ zUHYLwrvFVXm|b^rLHwARp^LBEQq?GVDEFyJ-!gMGe{CcYHu+MDf9`g&!H z%stkatfW$P{l=syUWW$86uZ9S851J5U&_3k4WOUod*S%!d$&K04ZnN4OD=s=8J0zL zo&0m>`1NF7N?5^|)5G=0OY*S`Ehm(1P}fD4E@07Hn*Ybl<_D11-^(tPH^AS~~mK(cDAo_-Egc%rQ^n;qE2XD3;eWfT`Z5uI$;w;_2s@sLMQNh`|+N zRm!(Y@lLz;bMwYGobUU`8r0#+TeP7lnXc^ABQf+kEY*(8I{SVTC)6x`JT(Fw=hyg& zl?bxlY*SIm!$o1qhVeY?H0iQ$1j`6Q z6y(%E408V-FdHW#Cf4|fRF2WI(;&ZX?v{zbF z40s03#KbXM$jklp|M`)I_u$6*^uV$+wEDYVY{2w)<CESKy~it+QkeC^r=TR((rK9)jSm?ZL?#^>@A}cGFxYv8 z{r~kP;7J4?pAL0(`RJ)1SA$b&e6OaE1u^Yo^e6)0r+zVyG)pB6Y##^zHr`NbmAalT zhcR*aC1p&FUWO(!mgNpVz9?&60lzWQ!-PPaOuG~^r-q#gr)f!$5$KDkIds-}^8*Gz zjE!yj$Yftc4`{S&Bp-40WyiS@<2{1?ouT71TeLUgrOvwd^5tmdz>nuUcA~6%`XLX$ zt6?2t|0)0lo0>_wdg=f=$N)m25K%YeO)wl0~~%Z!u}|GK*;VVrS1{k`m%{AwIn z0O{+m4FlQc|E4tIo^5|N7uicqSFO7%c$tEzZM+6q=sirdoD$RBENY&TrOP65jE(w# z;){=>r_u@J$pu+;q-cB8rU5@Ac1l)&>gui3iPrWrs7j~43WuLaF#%B4Fub|AhD@d?(#e8F40Qb#>W-RJno4~6R zM!pWc)a<&?vpucnogk*++PJ(ul1}A^911m0<$Ru;!+Ve;6aQHt={t>|KWK^&HpQxX zqQ!%tN}Ka5I!Zg`Mnshi)L0ohNTAzWFv!2|qY)er>#4%pa~)0X%lGFm z*=#hJLGJ^tx4e106b4d=T&8Jug=&8K#8iHMGAPesw!Hv!kwv z9Bp!rv~bISEYB(r5&G2mVvJHy*ZWd;wQ6b>HYF0HBvfqSDPJzXF_rksF>}Ke!z{`> zI2*+<&@BSpz!SPkm)7=l&d?&UBppoC8nzb5Vx6LE+^+D<=Eb@+14;m-PJ9^R#Lh$Z!H7Z9Qjbe6*2{*RVIM7X^@VNhTidQnUTd(>DC zEs#-&LF3TR(fqW-txD)31?l1M9I1Mb#cuwMrOJMcoG$MT5 zOs1($XzJh-z_yqD*ka8}RElLG^992~zw8xH0*Nickpv>t2>WrC;8%vWnPDR}Yil)a z?d%l0$xsd7>V~W%k7e6`e6OH zv(3!{-Ri%<HsP(lMRS&@r`iNj3)|DmBT;%-hy<|VV z=RY0DH+5OwZ7KNiuQ0hTNOA4x#PBQjRGoe`Hl!AU7u`sg5=??6Mv z$ca#@9mz6FGF{nDx{=X!7{2jZc+be1r-8r(0BO}D8P<{Z1}8LR-pYqF?Uac+Mz_Sx)Te9AvtgL{^eE23UgP$wyWo3mhiT}FIxl?IsKoAUXdmWAh@!gm* 
zeCB61u0m1-6o+~9={giU>sgSZqH(q3s=gsy{gq=6D?pBwnkrI^DRK^9c_qknXAvyz zTcAod+G~sDPDBbojvGiBO9GBrO%)}(fpb_GcK;7dGHa-|Aaz~ z^E=b&cf7a;SUVCxX^l%IQ9p94>7Bm>;A8S)q$~b9VEgHN=ty?|nd*`TaU#@5yv|Cvpw?Q-p!u~_vlTjNX$<%nUraDb2 zEqPA^%rtaEoO1WHcdqOJbTB$eFghcrIy0nucQ`YYKsgY zoy^$0Yx+qf?)B&JbE`za44d}39*51}>Q%6*7$b+_JFct4-lt$5K9@mLld!4Qq+cn3 z@uH-rn1-!tG+^j;>qHd~2toB6YG6Lw&7>0KzWnhES}&~p z;Bmb`JnztvBNCzALKGS#%Ov^gdoy&HjyojSN+fkSWSoV#1#6s20uR_?2xUHKF4BH! zp;yshX2toMXT!zPAW%EQQ$4#9ET5fWVBqe?_CGB)TT?3dc+60`E%#y3Jp2fg;Qp>N zRxv;9^S5+WvbrNPv6tJEmi%XD<`OWOsZD-@P2;3pEq`DW$MWO7{ew%7K7|ZwD7`Db z1Ww{`oiYwSLECpbMZ^{}X(}rxQf==2#3tQ*C1n|ww$>t;`4BwSX}TEJ4unOdsB7|z zBJw}7mEU6nzXZ&tNBhxr&yoSR#zaTZMps&+#b85Yj#>G)Hhr&7?oY}oF#d|Dj)}B4 znoYr9P}|C!!;N*CyXAT8!}E_)FwUg8k!yQpYZZ->3JYlBDzUT2NB~tX+GV&1d|suw z{-JfRoLoy0*0lFi^&PSRx(#97GsubMS?NYFe4gEMdd8?ocPMF10O2n(<@YgP$*}x5 zkKAZR3CbIjNwX~)S+~Q7Fl!89 z)mJvs5iBmlZ2tbbP&N=6EJPCgS^8=9{ZO=^v$$gC@}ge|MP1M37}r@=sLnatyh#ts zu**WrpwVeQDQ8Z0V(;fkyeF?$u($U<9^@6aogVZ+ z${F`4kJuF%n%r{OjNTELq*9LRxLmU3bRxJ@$&D+0N_T;}b*V1D%ZPp6{1x4MX=#5Z z6Ofa7#ZAdV)%RBssg(Q44J%dofV(V57=kh6*XzzcD^gqG*Y)~=nirw{b_b5E>BzFw zu)w2!Mzyei^27NR+!;( zr?(xk8i<6H)ng9-*H^RDjkHl(Hsu>`M9iSV@MyHI#iXt<5HQWr)p~@;CZvD%`SWC& z)F=G`3(Nj_;3|}oGPNAveoqOSs{6I5Hn{#Yeussr8MT)w_FBUELb#qK`{C>chAn}!jBkXCJ|-h+Y=8r)vj!A)G?m#IkBKxfd@e1+Pd70FhT-R? 
zcz#+>3HNhTQIw=o?aF$}C5`vZby6(IrTF!1;8a|304>ve=P&;UYtB>Lk#v;g|1%zS z5z#@zsl#&;32@{UBGD_USkl=GtW%pe^$Sx|PlE+ikXbw%$C{Y*W&X17a>o|)fch9A z>CLKueYUPvC`{i}o_ubvjB#wOM4=csw*lUNHlzQF_ct^EJbM5UQeMx+U%$T)d#rV8 z*_JAUhqcDccl>N48FZ@>WBpMOw zqLd(AtFFlH5M%FXdtFsVd~`f^)n&`bU9nJK%;_!|`7mSG;{Ykm;(h21gOzA5Hfu2) z$p>N#<3|$M-D$ld@FM+{))-~ABg(yP&`J^9t-okkxoVX+6gq-5F5u4108#B>wg%!{ zkPR7*OorfVJH>qcakCoF+7=l2ev^vfKE>KyPRmu8ttocTHW8^=cW~WyaatfnhadA> zN^Z1m?*vf@VYc$mE4K=T!SH6741-z{U8fF9@~age64^eIJ7G%LY6>0;D6+BQuS}XW zQSRnSrsJsN@t_r-?evHx|I}Yg%U#85c-JN7hL39wsLr|(dnz>``(thRpd}lfczv8Q z9AE@O^C?PcHQ`g{9KBPt38Lqn`U31;X^iEWf=!s)&+J20)LmBe-HS}t&2Y{W&7mAr zSzSt?y8zP&#_Qksjm=I7%0Sw>jZ=6#I>mL(N$s-HOI~y&6CWyMhc(zT8$*WkCW4Ud zmhL}uLie04zi|DGM-s|={JLJw69TtFK|><T3_Vi$mfT2L z-(=v)5}t^1i>g}uNE^A;9V|6u&1A{0spW3!#&OFUfT)^NMZg%GA1cg}BookzM+r(k z$#C_2A6AySTEXJrf|3;~nW)G11I%3wA?c4tnkehF*F+~QaEL=4{zz`gSducia_U%v zthJI55N72sMpgLY|G=Du(cn4q&eTkQEpInb6a&wsX>?C!jj6~W;{jE(YHu6N?a)W6 z@G;`@h@epu>(}Sr)cg-oEo>=Ycz$LhWuFLIYr!Ut;gxck@DD0R@%9X)r`eu2Q}j)QPr85aIl4c!WM?Q z$9&t{DXskm|MS`SwcqXKX3J(HaFzX|9NB21+YWoXwJryIIOEG zP18%X53pNy6bLyrISg;Uo}j_XLXcnb@5RJ8+6q`y_$R_!je)f z0nuJP5l54&PO+brZ?OXZ_aKGUR9NOahh1Bi=4+SKQk`^iSKG0Jem;Dr%!81BwiAj8 z(`3~64y4MrV+DOJ82l1Q*CeJ73RJI!bc24Qmx0~qz@`~9|IKMTj^paRTz2AuR{5c; z$2j&TQ($r07Oy^^(px)bIG>hNYWt?TnG-WHMZJ(CO&Q4+dR)#~HIEmJNc;bY(4}dR zR^Q?Tz}lPY?9kga*z6blN|>+xgZ;a=(W`dv4A|U-_QzCRel|@g{un!59O17KRLsKv zvJp-;ZzB**lAaU$fDT=I4UeX>FMudDHcG^@-6=yEhdlNEJivKW{Aq9>_NFl?kL1aP z4R;_}XVhkym74FBj>!Pvhj)(Jk6SIW^M9B--);70dH` zp}(U)X#CI}qW_?jXOK7V5CHZT93AYuJSch>-PFEWq-ZW1WP2FxHt-UECH^v{2NtlILi61^*z@l@Yq!5aq^o%)PornK?M%^k54@Qd+xt28{DkOKNoc8!-4NiddEi8n3zIbroLd%k+k_Rh+O&I9Aiz>B05 z2SMFU?Zj7)p31@tWjPA%!R<00EvJsHTJ8~=;ptdM{WaB z>sTjIu>N?h3fW8Tl{KZ98X3U!QHocEa7IJ7f0BbVi4_@i5 zX4u9kJPi)g!fcl`3>ee85}`fDD2MQh)FiqzAA84wv{qiKP95x1?7UY<+07R9t%kO< zFHexW*B7!DUOeDnj{7-MD19Bi#A(i=5v~3F9<^pbMVXm49S!}c$Rv=KC2PDsn;TO6 zZ)XMTe?EcKSa0r_n<)#<=l=3%H3;AW$BLnr0+ht4#>U)gL&K@$|)=E*1dB%1Y_TNdMe} 
zL~=P@vcLY9Z1J}{;MP%(HoAFJJcu*;{-*;QI3xWrGl;;SAGFMs6 z(Z@;_&ozu`>I}tA)vJ3M^Wzd(9o905?h~Zv!4z8v*3^h8$5!0=!L~iHhKIUc-h$yDd1=TG>z_2ms?M8tI6(h~R%r8Ob|ct4s~_j7tz1dpn%> z4c~#uPQUCnp*j{FRy!mjS3$rx;_dg}&x5em#yw?czyix^T1lgg9E?RVG3RU@&J)9} z+|tDk**|8*jul~sVirlrUZdI`p0~Q%UI%1M2#oF5XDLV3tYu~g>q-FGRip}lv%x(i ztA7n0iY1qlB@-vGEpHQEhWvSPq|~|vpp*U0@ z(fI=-O?DfSFk`M(!e{T@IlbjymWbVnxSFswqB(N}9=)Ym)|QLxAIkelx6OKFV( zDjC6qQDvey|38FzS0YZ&Oh|pQwaG7C?Dz7Eiil_a@NZo+NMM{;XL`MHHJ3CYsM#B0 zLiW0P^>+p7jKf#LR%9^GFK~VB)E=6#NBIu> zH>d6OA?S4SNAj0YzUxK&{~F0@yKNSGKT2byoFyRMBkJu=|9JR_PdYU!6!H;O5^+(J zQ?b^@j!IzHPUCC;ou^}x@<&i>>kkAr1HC9pRYf;AIO@*qA6NG^2ntkZH4}fcC&NxB zUkDu4l-f9faVPAjFU2gzN~%LuXb3r;_`!fxI%c`DX-U4X23##;&etxzzhUJESJ3z2 zIAQ~6RC-7{2=D*}mE@at`d(A~=oLd&has>RDQl#&ECokakOB8kmd3H%evStIH}XGp z9A|QM5tUYW1d9y?GN@r#mds&T8-Kt1zIcD8S=vDCDwT25{iIu7^k39dlgI^_DFOU0 zLRxjtx8W9i2Df3r-ZLs2Vud2PS{KJSAD+nFGb3+V&7PcrJo=#k{s(shzdoC?RaI*% zH;mn-XiClH=qqQwzSWk-=@o-2Os#o@yw88w4vpAATANJ&y=De4k|%kzJc?mHK7hrQ z)-}GcnuZw8p1zx{uFZy=lPPRPnBCz@(!1hH$eG1VD~Kxz(v@h%eRtEJ*VyAFyImEu zkI@+%lwq-*?o)@)990kZ@xa~a&MiigC8fJqABpFA7Sn>L&Y-3RHlN@H##C#t|JaJ@ zHt!rHE8O3CahzvkJyZ}gz=5SLQIE$F-_puP-JR^`T37Ehm{}Fwi%SVIvfwFcIxus9 zc_n}uF<-b7W4>ILPZCUe2NxFRDYCw|DCQ5?wYHJF_rcce6zUKS2MAs5~QcXWMu`Dl@-R|;SRi|pOp0p==epFVb_gO)$BLE0ZjoVP{a@X+s+UcQz?#Li6- zS$H{fEq^&njJ+uOBoRJSAllb&{KsDyR_`fj@#RTsKQ-{_Mn2vPeuu?W2k~Gh&y7fFxh81pg?dNkysggMw3UajKpfN@#uB|oM)og| za2dMk7WgI5_wMF=40N%*%@RS{{g0C0eoz0#oR6I5-`M+TBdfyOoy-RnoUI_e%ySM` zi6cgHE^L$(7b6W92liADDZyX0fWZkz%`IjQc2@}?zO~e_rFDQ$avx^Th+{bE3Fxlr zAC==+^`!9Q_^5GnN}&-3&?^i9&X-EZ{#i-)i_oZMP*;9anN#)_?<`$Nq&cg%eb$V& zpW88tL6aJeB)#TrM*wc{2NioE#dosO0|`PZQ;|)eK|dA&9*)`utkaNlzj}?xEkPA! 
z6BtNcVlVCq9i3?g6QxsIv~NwS1rJV0X;#2Crv=*_x#X}Vxj#tf@na7F5uSJaevc!A$Lx8FO%0IKIfG)!TLX(?qP= zvJP{9s*{uvZ8ZbEiC1@Zlr%?S6s#nGyR&4I^a%uo9SwS|8}rsE3nV86zEQR(*|`xE zh?Y!}ojNM}uEFiKOfn3hQA4s>!zZwK+jZiW8Aza-&k@`w?rJ+O7h;AY8KuTFG0GPQ zL!GP^Q;quj*GNUTp_dihveEzDJa;_BBy;V#DS~FfSGzv~rI7}P+!C5NA{B)njSZvy z76WJJ^%+SGC=z&^SPUF(88&YN*zRQXawfx);d(4Rr!z+0itxiRxHJp>C!;(S4S71Mfgnuxg%Fu-tNjj(mfbMy+-}_=9 z86*qp`aswDd0aU}230c37I&lqj#+6wEjsi`v#eO1`n+IebxXUfNZZ(GIuxJbD~{=` zrL`muyY)^z!=R#+K+*Bkq2G~Ody>afu0!rg5Au{@MSb*?Yilj&!)2ajK`Ho+1CeW4 z3WDmj+M8RmwqrOpC>1Ofp1t`+XrKj2HnVmV^p|#5p}I3PC=e*>Tfn_vd$I#1fSuAN z?3Cc!xWlP?TsO5?MB4wCK=iQ@>umj~^Yeq@{(gLJ!TgKKBCgR@6czgYLBgc;(u*_i zi`?Y03shaW)!w44TcqX;dS_9PyJoCicugx2;@f7-)&U7@Gp4~P9vdLNPp_ra`UB9k zqPDVcyckMNit;5>h7}m*r)%;pwI^d(|`u_Pxoa!Cr z!QT(f#fCkO59v*mp4H_Fzu5N@)npx4Q^t|%>s#z9l@&nkttBvWHo`D+OBdP05pr@H z+|ov4IC->|aLQtgY?-*+AGX;cAag|1@ ze}-3Ldevz=4<%9;xgTyE)tapWg6yVtZuLLb9;fJU8)9H3VAvo?{*xUikNIQ2a|wRG zYSpX1+CAS~BH&fJc>ZKTHaqrd6j!%I4#>qX zwl>0=J3k+mSNpFMlQLh|L3YnuSB-p~%I_b`aPDu+`{c z>Il31P(3nlY4^#F1_ca+XIEMDiDdDYw8DtW#!0pD>FB}uaMJ$UgJHlL&Wh5b3=DJF&KCw0($j_LY=Fd>Cqb5%^ zJ3Fx?a5fXY)(*RI`%%R@znV}I-Z+0kiQhhaB2~$4%QXQk#A|Y5ICM#xxO#fZ0);?y z0a(3V(1x!BJb@DQpFeB;6Obtu23Rom|Z zq{3q9{-dUx(v&WJ&HFMe3Cl?#u(Cvbduss_3}|hJYEAW|@t2lQBj(i7Xa0LrWoD(Vz+Vxr$M$IiL5Oarx$jGZ278hr0{_6^r0~V)s3Aa zdg^1!f_?e}zDsGWOv%+Fqn(xKGEy^BY9z-L=~nd30;!p44p}|QvEHPn-wPUd$RaOF z35$(q?UkY?Wls~ObRXsT!wgn1DYR5-Fm6jWA%T1pf%}E}DJyi~_EL9=xvW=5n;Qlp zQX^(1s6ZpzLtJK@go?F=Eo~O#u6lnTbuw$J_Sh)TPPH9zBA&L!9)$NVJ33ABa{2;M z{UByzM{3;Um13+eEoGxiR<4zr5-=ckCZM(ZZ71q?@SHF&m}08{0Yj4S7 zszcjHY?&HaFNnawmTV3LGa=Ouh#~}e{9_I4dq9%>C-9m=A|))#tjx>$##7^|+au;~ zC6R2q*ev;0p9tjjbiQg$Bids!e4CM)%#^@r4fxFVbP)XNPO$5slFeIe12MP~+nojypVTI%r5P!dtY_ZHkbX`5y_HtP&gRQvL-fQ;n7c(pxNd$NC@(49CP z6VH8^Fm$If)(C0S+DKxETmax*^I+NI5#-pL^2KU~^fe*fG}{)H9V|=@@F)YYO$?v| z_{Oy1?peTaH4Cq#D=jY^8phlIc0d?0n6bvoL#8L);L*0r{PRXuH1RnlW20|f{}#p1 zlkq$ge;Qw*2wLoEy~@4<(@FMi(W$tE`BBssXcniSysb>Y0`7zv5f%g-JDn+ZN^5Oc 
zG>v_i5e4?f0fV{Z;*AC=^7nB4djcn9EaS`*v@71NesM6cJzOAVocRqs3> zly>s&MfUq00oU3z`?ry)E4b%k-t*;@XJS{%p3k59pITH5OYY&_#VMh0qPU7^S>KG{ z_qk&&*()zUkc|&GjaCWhD7hH%B|0OK7$*Oo;pG1nU>AXH*jYx-6t;xeipuflTr;r{R&Q&meu(f2EVSw!x}?SEMqTEnLJ!cSPo!2mrn#$L z<4=TN|Af2n8Hw^4G~2M;ogK8R@SFW7yiKJIOL;{UeejtQH;`R8|Br<^hnDFBke>Tq$^`I<((sWil7;elYx>D5XWZK^()J9&cYR=jNBR&x6Cs%NIx1<;!mdHLLlL2YGty z6!k|tn|mFkbno5KGYHl{qEKQaaIC-iZJ>Rl(L_9C9;YjgY{PXO)6biJiEH(kB{K;45!fwkjXpXz0W{)QF97AfMBbz)_3FGVb zEzz*S#JsV3`(`rr#7m6w>G#@uOkSC879SKIt3F+8!NA)&?U3WbLszo696a?jopwH) z`Dk3ab3K;ARuhJiDa*ytyWte8V&GWA)Q&WGm&M(kOfuJKD2zHwYCtOs$IxZ-_X)`^ z3fTy6J|dB|JwXnSj*Q8f8s@{Zkh=DOm1vgTStp}a-P_PX{TIfjysP(huW!%c}zNk z&pU*Udw%k0=Y*k2Aob>rnK8Uw(51#x=;uwH;pS7$@A9O|Ag8Tvo~x~6nzVfOWXWOp zw0x@M;HKEMlGF-C=A-23=u(9ou8HD|QZIH*tOKk2UA)&}cg>7gc6Mb+pr$@X?eJgs z&8qS=iNf;GFYWP{S^ni`qyJpm+l-DqppdoyczCq-&&T9%CHSn}HV^VRE+WZ}%(yo7 zg;Sm-aHDi1m@X>+PpK6O5bN_aFjtl6u=o_?Lt%AHG7Z-CjzwCEd1K?`G(?#VHsQb! z45Ix}?UExDgV;Yj9xVNC%UZ8@KeJK^h%%)0#-%vyJ-azhu-h~E_n?;Fx3{|h8>E!+x zF4MyRvO_N;k3THxjXavCUwNC%i|pNtoDGl=T>$4_B^6WoUEDIYgH}YpSM*T>ZUL4x zEzl=;za9fi@BB_2qnh@+te}fy#a#HPn4F+7;QW-i?V=anf3x22KXTr(EIjiLV8y0w zuw<(iR@UVIm<;IceRPrWhqw|NQd;b`1%^0zhmg|6?`RpE@oX6w`T%t0Ek{U+Cy?Nm zEd_%s#p&ke*UVK4HA z0fRj(z(kM_M=khcjVMcl7y>zKTipldLB_;_MHlb+-Dd}iq6h0{zmA$0MeRAW)E_^) zFS^f|UG~@0+8Z1ad@k|%b3a`BT@gEGQNkRY3%@K%Qo#fuW05~y%AyL<=bZT>cD)4@ zaN2IuUy^_nElc}QtRxF?`<+xv_nTjVovRl|w#&`(GvQ)z^V0GSy=#-j5MOXvOnJVJ zR&0Ub39^Y{&&A!+9a2vW+E`1lUn%*DK^)^q?kmq>g4bfur|R3`n1KT1Y7y10FdEHa zlWL=n`}ol@rEbf04e`XXTmcqyNvWyzl^cWdT7rqGQxnM5;e7N$C|@pV%WjxR8R)~$ z30B{V?hZ~ao7#$2kU;gXnE8_wVN}IZHZtstM_~2SYAB`k`IJIqNR-!Hge%#2d^$n1 zc*pKqxb`F~NdI|qM;sfAqtyzH{>!KTqZ98c>7Dn6p7I@jq(}26B%)w@?3xjfPPeeW?oC(J zS^!<+dFC`s+qJeb%?xPceI|}?teh-z5kk-*kVy4pRIj^i3go}E--_B*YWd3^g2ySQ ziV#ktDR08m_FaF5hm|edvXoJOcKw%!DDI;LG=*;=5laWw zCjqlI*QW#LTjFccl$k<|zly=?>1cFo{O42bMs}2|nD9!eK-sj`Zi%Vf=}Gqt_e@qN zSzOpfD!CfN6HJ;X%62$A>zbo?xIHO-3VHq=BIK9x04jyEk`FGNLEoXJ?y%7J3h3!C zIMVonAnO$ 
zdSvgTI*m`HDLyTAJ@*F>1P!}4;f?~_s;HSU@(l(phAJyD^G^D8ok{8$1727y@nq#p zmP2|KqE4Ca{8yeFnrfde1MoLj4EW5O0utR1uHrHKS3-zZiF9h}ON_qiNw@?AXxs&Z z4|#FL-s? z-83{5mSIYnM3E30n}*s8dNO*SCY56#0~$Zzc;N)`u5f*#FS5qjh=(V7F{J2*(LRLrJ>xF%zy4sOzlT1+H(o$~fLQ2oiixl%{k?l< zpW8Ii+JC_j1(=w|zr8-^IcxC?NdV7w6@$m#6MK%SHk@hSW=_RE;^rEX_Hh+SA`0| z1N7P_kgj|$BUNjx7G4HlA{2wZO1*M7859~Gv{fgU{M9G4wg=Hy{8KSHs2*-)Rh%ua(Ya{Fc(9LfR5q;XyjjSd?5Q`8twTz7CI0g7^qJwDU!wd(!4`ZxnrL`OeRS!e#Q!|!q`AoC1-|hmuClT* z7V{TSo(Bo8(LaS>eVYo09LIjidvJb4PF3_O)>?4HBcg~5jRC2=Mod49>zpVQTcNCX z$tN>2`zb^yDy8W_+*jQ9weSGOe=1>9W%SC%Ig6G|3|EKTc^6`^mO;kv|M9n97;y@K>meG zL-dGJL-dYAL$obw@qwVF{?`CjZN1mki1F64-tBt8-&eyoWquF#wXPDU_}4b&mqW*# zK}VJuvZ1Nly{>pl9;fvoQy}=dQGp4pnf3w?PzgY_k_(4inq3klXb4FF;2)p%ZiX-T80@s##nQynqUG-AwHxY*gS)1RPij)2s z`p|eucoLg}RzF2^yrleyN489As4`ZuG;r+q#sn$r&op!|DoBQYG#C7Sv|r@?-#exG z?N-2u&XQjIxs_99elL*DI2&33@Ayjozsq}6^%6CqFxli0+S$cEs3O7?M_Vd^I~l; z)C6EDPkAUe0j8;3u@gDn8FS4{#EsLgtL4OJE#*SwQ_tmGB^@A2RuLe7REi$$nCm(1 zzd9Hochz!psjd$uPWLY6usro#&~?r~r&eAFnFc*Lj!~9W`#}gh>0d+eG)S#c%144Y zr4t!evF`@r5Qo>LWbl^Mv;WGPQkA&mt{|rBSXzgD{JUQK!}d)R`v|9*s`O4_9fKHk znTQf1{FUO$zfG%$q}gnW*~bh54v`^uQoc^_;#!oDLJ4M58vqo5^lRtgttEyaY{zWC z%AnOEj7Tm{2nS+?A~OsY*fETsax^_YOUo^C)i2|>qAz}HM#mB^MP1~+{Di;qFT>_s zpgj524kD_RyB{&$OVuu=CArs+JlD--5oNb$G^-+@^Sfr@W&R|I)s;?Ilum6Zpe!kY zd9Lyt1b2FXSZoSI`Mot%+hpHD_+b|&)S$Bm)C|Tiz@*FT;C@^pzDdB=UUJ=#&63%G z{~_$CFFT?5hX?FPYsBJw7CiXU+pIPC&A*p4EsJKXKjF3_(Uy{JL^g6gDZ|jUUO7W!= z4IY=4kImA%eI*@|U%eA>MUMR^#wPEf#dU0bx3ZLS@Z~p} zWXlMrl?mS=!B}5F&goqJ^{Iu9Cs(3>T$P32_A)Kqq@X?GGhbsTOv#BL@Eh7|!6E1R zLuoySy|&24A{pyc%@7grC^y{juBL7$7;N@Uq6{%j{tF`a1Egk7Rbx!GeI1ZJ#Iz&IYsMPbU z)CS_-T)>ArilpM`ZXeic#jZ<9{|Hq7m177adEnR|C9q$GV2u!(uz;>8gRLozu}D6i zG@?((!wFNlU{L4uqk3ovZ_Um4WkOxiA9g5sV$G&|-`Ps@132w<`^cU=0bSjd%h>Z? 
zcPVLIs`!lsoaR3Al))m*xa}B=lUIvePpQa(K+%epF|`NhwS5v}-DUuiP)Td_q`Z)yD;>Ax#x1yaO~zCY6MC#9r0e4sSnB#PlEjMOa@-0wK21}B85!yw zHiqJ{W2Hp}ebri-_j`KS1#x{{su$>+7b{J$#P>qdN^W7sL*D%id^~zPMf(g*LSi*I zedq5ZuGq@%qa6U!#d4!VI#e6@($dtyOeMMUnG~)4=MzDY<9* z+q7CjC0I|g7t9+G3Z@%DNYGx0MueNauTN=V@!3Y;q8R((>3!9ok_8E?`D&MPno^vb zCFA85iXc+%h{oGJ0M89AGz*`XI)g(>1y-BNbgfimBsU#V_o}qb1TdpFYu~>^Dq2<| z_lL28-YHn#L#eU^JGwn%VN_T+P#;iDEKie}XdeQ3fnq35g|ZopWk}(6zu{}%s)w6W zMn1GP-Ex+|(piL*C~dTwPo>8<_nbIU3n$-)A(~#bw6W65=v@M{u!ugj$o=ut;Lm?7 zM#fG)kFADuR+L*0ZLe|>UIesGUxGokB24=tV=!Zme%AF7@A_~VKbCKUnRsr>Fu=fl zrk45X6P0ylY{}BfGSZSQZXF;I%>!l^-aMv`oq+|K*+tE#Uta|BD);9WGWD06{xJ6K z1-+nh#N!^H}Iu!SC`(h&yqlcm54-kyM8VKF)3pJOe`8q zY*l-;RH3B0R_Xz)$~v+sdeWQ**0L{L&?sch@~zr`{M@M!xz>Le>g|9RywYy~ux(#> zx*F;^==8JcC7)4IUHhcT{XPP^R*vS^6yPE<(C7LA45*i_kS)NN6e(L@7byj`b4F;r zS@;aiEVa0+tjNn1(`6C<#mIV*0?n*EGI~P~{X0tLp^;~Jv%RUhX!?SVgLUq$R#jnv z9il9`sGyhGnuV-_8qv<5$UnK1c~uP`s)wswC7xw}{q;;FCiGMj#LZ@5uV@`T;X06$ zyj5Yb&sf0%Bahy(`AN?}y4Je~79E<@))qWMd-Unc!mg`Js*l|JDx}GaPjg+IRA!%F zH#=E4wkMXD&*wpIXn(Cs{A;i?IbCUf9H>}p{Gb~@b^26 z1nhz^FkCR8VKy|X0lc7^5a=j_H(iT@SjDA%3!>Y(Im}#R?x;m-dR;Qck=aAt zHgoU|?ReTi&egW?;nEmfJ%?BsTptXr4ik|woC@O>q!)^wUIWr6qo_OS8Idab!1a3~Q|%-P_Jy6@p}tR+yFV%-piZcPDFEZq!co z$PMf7V1tvY{M7rR8tek6J*oD0(CAbZZ)j)BR+jTHb)HD&u3p)ALx}{nfrb<0Tti-r z4+UBbvHZIrhC4d6wWtmkGdwuLlEvP%06rAmWfX2wTZQGf;I1|6BD>y@XvdbocN{8T z7*q1qaV&Pru}`}^Jt;*F3d+l2aX)H05-BZn1Xzr6Tw~dRC#M9yp`y~p8+d&{kmCG@ z?w?yWq_#@!6b#X_6@l8E;XKTyJKp!?C@8b&xL`zZ`r$Vo`h^#_cZDXG-PkKm^ov<1 z7Qan|C{3%oi&|%%0;vUlJ}m2mQ?wXrMOj`8uRJar(URZ-T)iTNs`B(ZmMQp+W2k8- z6qu(pm3+Slq^tBiFjR6oO+@ zRJRt>)r?y|&ER*=D92&f~L+%H?lZi+B_^qFa=oU&J(aZw*T34|EF3!f`D}o7r5y3-b~e;m zreF4R{{e2N8Kzzn4~#B2aUOpaj0a*VS=|VIKiJg%y-l}YyK;C)_rUbzr}HZ6F>J00~Zt3Q#&d^cPRnjZ_BbgxV7m96ipi2=vS)0OT%Z&RG< zVuCM%(DLbG=0~rW>sLuLh`!N<(DQKXS7qL8iJn^cn(({IjOhxexb$~grOHO3SePG1 zFyG34;v3z46rr2h{iw6XxP`XpvB+Cg^d3HR=55`WCx{9l+O>9$b(rx9(>Y%m&F&Hx4X8?!Sa5ytlGbif2|t#ogezj;{N 
zI14E!=6bTQ?+uuCvp6N(zq}5y79t>gmVE)6i=%@^qw9`GpIvO2cJ6>4W)a^}i>wT9TZEzf2JKXbt@ZP@wI_nGg zBVOciQVuGi`V%h7aJd}2P+|>w5o5_nARx;!2+s#`YZu_HsjifU;X#49K!CX%8^J?5 zD4-Y|gHN)Czxu>HKJ>o4qZ^ML=hxFH#3eQRgr~E7pRUwLmL$d!kuZkG62YiqQkh05 z{2r2BR5GOhBzyL)EU2i4x`Zq7g}O@!k~khSaxqsBB2py6N4HEg-$9^!_4Ml0+r~zp%V#=T%xOkrJ%1-ju8@^!=2j-xmQ=+J=`#UHicL z5H3DM(AN?uvh@m)#>MBX4Q(VHA6LKbPM%sNPD0OxVchJGO4H^@Tt%@#`a%h^rgML<3pTAu_hDc}|_9A?D#P@;FkLfnmh&_Wr*$o@~Akm`8Q~ z#NN;bY$c1pW%T{Mog3XAE5sc>+RCOUru9>2%>vg#g`_kVm*1v-@G%D~>;S~pcoB`5 zronsjNH6WCGdeYOq zl^?M*H=}Mi)352@3oT5&+%l&u#`FZ+jFx57be$r$svP6{uo_%87tp~^^VH-TLp8VW zTS?@;MDpKVl&z^?>wFB`)8H%VA#e=ad8eyj$ze~~&B!ITYRNvMfnK%CCMFcuO$Ib! zdR(h3a>OA+-V~JBrqPs=$Tcuc1>tP-pk3@^yf!>rq+C$R(?)>!!$9JzKMii_dPwJc3R)^<#i4 zSRs>2X{~Vv{a@K4pR8fnO0Iz((Wcm{BtD7!Rmm%p>k?nOw32mJwZ=Mq-gWjVe?tIG zY_AqDheo4g>k|qCcKwyMo`rA6%w=qXE0wT4JdCiLyhT=Nmh!#pspGkJ-w>QVDSAJRR+@JkepV z;5VpkA5S$lPP@Kc3Qut`vAH2UiqdwDy!JeqLwy|GQdX4?zIa@fHiE&hlQtqg_Z~Q5 z6RYX$u^pcTcU`lN6*v2r@@~cVG^n?ENOW88bj!AN!&}=G^Sf|>HbG5Q)somjUMeOf z61`%dQT^m@ty=0KU5bN=zPU7ZGq0>nbCf(goz|jB;$p(hpF-UQON+EQS=DktLK8UUY!x3dPO_=bLmCYE%4&lk+=$db7(*8>yej zs_ZzgxRx!VmY`v73F;BV?0TuBciZiLADZl7)E&}_-I<>Jq5ab{X9-R+_O{`-cvaT# zEExq;@hJ}taX`gMOR{MuXNF#9xmKr}6_Gc(qF{*)qB9Gqo^LgLkS(^e;ZeCy z*r-BefluSDnHTxJms9T*Ya8pZwSs;g&-=}P+JKLGC#}AnUjd_Zh+z%w#o&%UTi2W& zI7tPMLN0O3>K2K}4!(k<)yo zvgp6S=9-FnImTyvy;ktUBsW<1^(8he88DeT&{ye^$~_d&D0n8c+507`vb*j!t?5h} zBwER10R?V)yXlf>aoD4@x7xQdt15F6AE%4}sz;@!$Yan*t0Cm9CEYTpE?35Du%{%# zT^1Bo%Ub_mVMTonxUhn1o2b@fZ5q^LI4RS3>v{F7n2U2+uk_`NYf9VCFEk_eDZ3Iw_dfdz1aWRw}{iV!Bmdai%IE0$b;xU`crRHd!&(V(SW;Z zdKOtoO9FgDXa8sMpp9wpgw)4AvmaZW>*#I5#x2R(8s{xzckr^G%B&zigGC4Ie%Q_M z0dv1i_Yqgrx%Y=nJGpJJ62z z#*Dj0KOnd~S$upqd_enF+m`keV5*)N5>0KFMPsQu{4m%)p+?D2v?-Sz0(S`tX?bW? 
zH6u&L&2B`ss&l{|s2I1xu6V}&*W)*Awc)Mm977CTZgGN%x&&Sl{$}wDsOJ+kd^5y* z2DkY>$zIvK+rElS6{oO0M9d83Dr5tW*rKG0(DrvFjo58m7;4;5mGMK!fRZz%-&qC!uhLpZ9-kLBo!S=J?#_2lSt918PR)ge zQ&~EK>Op8uGY~NHuD^aO0!d6RUGdNrGn9f`SvS>nt}e?QMmDp>NFAKZi82|&NGJjt z3w77XVb$@e!UTKZD1!@Slo@UPh{Qr(Hd9>fqYN)sg&__h)xAogaGbK1G8cDm4L5sC zuRb-M{FIuH1Mejow}eY0>8ylo4m1Bc3HlOVuRL5qB)m5do(Pl?sCPR=a$jdYKAs;+1=}3DmDTK9ozu9W!s_D}4cM!u=aII@0&gQnJ;y*| z^kIC(by0P+T1#BY1h;H9C$kC~s^Di9kjOT~HG*IN$&Sz(Z?7V_Uf-EyqmqX%MMc^5 zujXHq=f?eN?eS>Nu)R2@mGE3WJ?uYZ_CwBz!C-k}^NQ~`IQ>lSm_1PRnHf<$pb>Os zAAWe3)Q3SMM;>g?16_LOkSU;j=s7AcT`n=Ynai@CY=cCAL)gvoOlH$|xcml*B1C@>5>ykyTMk?eB=_+$ZD ztRad~SG3!@Dqy+63kB))@g;T%1-B=y!>etnD&_--`K5K16H(%WtA)VZ8gHT_{ue_q{zS+&NoKVd9m+V|`GFODMr%3~@%4z{HZY;L}rvPK|uYlx? zXdwP*#IM{pzq4+=v^Aav#wSe=uWEjUTIrP??!S${E}VGhN#qdCJFg0RU1R=2N+(s0EM=0bf9pWJs+Upz!(R;=wQmEBj7ZJxo3U$%?jzi$Trnz640`QePQ#q>Sj9Z-0EG^rVvJ zpd{R0tjC~XeZTT2ybwKmr~VT@yzq{rbC@V?{-C2p zc*Ec77Qfw0WWTpu#QKi44TJK8+#sr-@z)=5o#&tX&ocoSgV2+!aqMUa9qZ%87-^6U zV)R;DG>&)^WAV#N4>H#Pu51tdriguJXJcKYrR|}@8^(HEH)C35bz;1Nj#*``lI`3( zy-FFax6US?0S<;6=lHmwl&v-gj)HQr(xDJ3cExrBb2il9h&x9TmJ>HsscZ7buhO6q zQ&K`4{s_z5c~p6@Bz$(Ps=mF71%7)a46!n1b!B~qo>f!MX9FSw^-_oQmXS(rTHmZA8ZuEi&{hy zd=`D-(lDfhxd1nI5SbUwM%ehHldEC~JC7SjLps#p~1g>DE}_Q?Ux@1u8q|hRIufFf)y8F0 z_ixmAWp60IHOlRcT567#WM-D|BYS|kWH3o!5S8#(ywhM0TGJ)6sE#}a7js_<<>DV@ zgC*w@D}j-6gh?OAEW&CLq*U!Js3zMw z9s@y0S(!W~S3SF1+57p;2FpsdNZ!Y3d7kQ|WaH+OiMV_7*{*(Z+1`cW@#WO3)(fB* zRZ;M@RJE^8V~rRkWV&wE@`+-BFsiO%7hqgKDd>|jxh@Dm*GNuz`}ClW?CTkQrT#cl z93shoGu5yzhqJ0*RpykhPam{mv?w~Dd;ESbWPecU)N_F7 zU2{L+?kiJ^>3)QIyQgkY3DG4$rt0+EBYiFxLe;my0^72GK0eF_d;VQ5drFH-)(RWe zQa!j)CH$XJ5w*&pqS#5^o2i5q%e|UeG+^Np-8rgWhgrY8)q?BMXMjRT-82o8Uz7qEc0tb{ayj)fIXD4>0`j;Mxo}{Dk9s;vrdhRWP+~uCp)^kLkbJ$)(AoC0ODnu{A3ISLO(J*B zWR!t~(A0x&3caT}aj)7PXYnzeUkI}ftQamh{#ww?ggQ;==||czUY(3|&Sk<75yBpx z1@9fsCO9CyeGQp*=!d^rlZ-m>t3k{$gSn}2?v-6fmgh_PqbV(qH(y2Rz6)Q7PPXvI zq#%~4`YmRCUGDd6ZaALEv+~6OK2qBn&lYMV?>e#ueKzxx!6qsVAB#(3Bg9 z!Ei@o9HQi#Jl^pYikkl$OR(|6$gL=0-`vom-#xe 
zGGI8{L{grKsg@dB@-?DHk>ymN*bq6L$noIPz?-9?aYVlu0Bs_!Uir|l)D|=HFZh#f zUZ|8cjRN&+#qIuS_1sL~jxJDnN5fVX8D7(m%I=Bl(w>TQX zgOz@J*vXGNZHI@EoES^3chYWxkCLx_PYAzk7W%7eW7ta`)^nLR5;FMr?~yn1WSTmlHmic?o^-Zj zj#(r9UaV685PDFA7I`v>X-!SPe|zj8W`6p-uF>VNXC;Vs&a05^D;`M0K-|&h(cTja9#S86x>2y@hVg z2Xgj_)62|R(C&k83jd9B;yRQ%9?@VrcVJAHoMjX_L&3lM6 z(~I^NiD1{Y!M}m$41;Hm1gh7mtWrjul$m&@PHAa{HS!$_Qz7v4kfe`+2|t4g|6bt4 zWtn$`qs4RvmBTy>7?rr#li~DPZKU9yUhG%lepd@%bQOTZmxB_{KVYj+vCM&&y)7_P z)}6vVY)nrfubf;^3?bnku*85yrVh*lD`9ag_|f!1mC?XFsoB?d-8XeT!?$y0HjNTJ z;M=}*XKT+QLH9qO&erdhpBKB!n#6Sm96xP(cN6{?YJ-Ru0Nz4yp4x20p=42FXsj2i zD7a(;d}D)bwM5s=@U&ksApg@C-%-d&rQb%qKf%AGMuo|r?L+xsB%5dj`@&t`TTpdo zZcHu#peo2G4_emr)NxqOSJ#tQff%jyBFN$b%&M`-=Xc7 zCuK`hfyXAum15>>)ouTwU8R|gOcWvZ5m8-K+kGklQW*iEvm(}bT#!urqfx*29SWCK z48sfizOwbwz`#p=x4LM(>2X0asP-%iD!`zosk}TK4y5{!}u07DbneudVXMJ@OnX>Gkq-S)}m=4ssQ1u-4(1ihn zR~FIk(*9=fO2z^i(qwJ4FCio}B`hI$$>sd4{z)KiERAKzt8;1e++&2k=v4hAL7XV~ zwxf5wWW97+l490ryReD4F)dpQg!d;9hVeM;H;7qtqw&uoVFZ1S^Ur8#FQL@4w&tX8 zb>>`jvh=jqZo1DDuYP2^II z3&lv#p%q#pGYXq>CUhbUMjZA{LowoQ5N&_Al)OgL_xt7N<886Iocr0qppm>Qx2)u2 zq~q`qfKcr<;laV36?z~tC9H%)UdY!X&XGjpuH5K-@am*Uhmbq!_#4AItec19&p!up z5aRwQh^59hYJy1=Eo_^-zTd$W^1yoHGB47E7hFVz;yj^FaqO})B&Ub4~xcFvc( zKqcV*@^;E?6vs!2qbTJJCLC0Gc`E4qv3RPX-w0Q#?;Wrm*B^cTc*6B&`L{&L886jH z{{T-mQUvP+Q49ORz)Wz^#a>BqeU`it~tq`CtBU|YFt_26C%&`5=a4mXKDq%uoJJnqsba0 zhWelR%)9ja3Fjvw@pUor-7iHEISz-?Cx_h!gp!JX=zlGil`*QGZSPy6#n8I)XyVH9 zU-E6T_?RiYAk2n+Az6G)>rmUij#B(m2XR)V@RrWj&p;M;;HWW~1R+f3nGw=+39G){ zCdDRv=s%QOi_jLwVvvQD3E$qSDfTPDCw-yfapBuCO=S4DI zZ?jxrAGG++&&7H%jrd~_#TY2hrFwJgQipt$?4>0|Nwp`}JR{=9V=BXbi>LKLu z+;@XM!7cpi0ltnS(u#t{&!WbaB-yMo$zY#r-bdt|s_Wi2e0ZP}B;w&#PX!5Q4Th*p+yx75bCyVb8X) z0Au+f$38+`iX_DVua-Vg*|qR+kXdvpOx3zuUV3rKbrjBLxkYCVYRc5#i{S@-lQG$A5s#UZoCjD^<475B-{Sm`oY~nEp^T$k!4-aRy zPbUh5!3mnTjL)-rg*#&-I%RJj^MS~_60bM=O;B&9?bV*zZmbK0A#4s=;&h0Ck*lqH zRFfu0V--c4^@v_E$z#EP3nN(glSwS69J&maMR3p|ap5tWE~k}{@Hvusm_*AI#1?Q; zYDn+Yhb=pUDF(!`dtFO`67yFsWxNVed{^@zD)o$d+9d3ZXL3VJ>{6$UseN=C`*5@j 
zk6#>UieWcDr_f^#IbG}^&W3?3|9UO;B=^lK1qwA;H}`?{E&%8aXn&@=_yBXX_b?eSK!$7mRK$j z4M&pmM*0@hE7qE#IGCS*K>phdn6MoEYRV`Y4DN*IyakTkk^;n&B~pmS!{rG1K;fdI z&-EJLgiT9RD5P6cbY!rh7~ESm-tSH_A2o6&{jMbW8o4@c|D0(oa;nP!R>mJkoiDTJox)M%VBCW;-F{}z;c*a&D@tA?kL z#4s`eyLdYz`kHw=$=z`!^fksr(#~#A-Rt6Lyr)36o!3la*AQ}1SWm5aYfe9lgT;@z z5D}#7+nh;f{HjjmMeVeWYf>i;WU){XJDF1s>V1A5L=Y3<4cj#^nR?*S{GXy(Z1FO5 zLSY0cTQZ6D0L7e({Yb>R_7EoI(fnoU3XVO%*!}>qgO*2Ep>x2*ujhHUm@whu@I`^R zgJK!7q>FNTHQt|%|} zP*7GJSSKa6&@*IMQ|wrSVp{w6?^*`(Dr%QPe)*@{56{I>P`_GDG0lAm51pjr z8N`y6tZneD*qAD+q6<`lV>j#*A|@p<96f1;+#GQeu6)=P&X&kSabPKhA09ot#az1E&j;Cf%IDEa|#9mWCB&%FmKI_$GoDNZL(KOldQg&!yd&{JP2SG|6EAn}9zjr_oC5A)%t zi6?)t)T#eO7j*j@jm%{5wT#0^5{S=OLp+g(DON662o!z=*5zrTf`P{=o_d|Am5k}Q zA^Q}(F)2R-x#!t@l5Po3v)h`c&R(?+h*XqCt(LoMEnkl6V2Fh`<|BN_^tF=^1N$FxjE}iVSzm^I z!w1Ur9q-q?jC1Cil@Z+#cxr}!jAG#ISPsFIWnj4Je8s{jhl3-D%6L;BQPGza*!Rue zcjI!iLC4vN7=i&?;15a4w#{ga&gSs-e;jinL|rzt)evmFfsf71Dn_VYacmI*<+0l& zTbBd2RTxjO;Qd{%OZ2`Qk53uup`RY^&KT{1P|-RP^igZ3S!++p2+^`Nc)qxA&m3tq zbm&=Umjx4VCSj?4YdBSPegEMq&sS|~`mJ%f^mlc1s^ofHlloPjVt4g=`g*vaPu@RV zSKt&0eMpMBp7b|@wsl*Vd%S14X5T%)5_safPJY>QQRQ?=T}?#fWcWGpS}Jtkf4Kas z0k*dMb+Lc)@8`wMUtJ-eq;&`8gT>p!oalpBMZ#f_IXy(_bP~z?+GdxzOO>~q70r`L z{c=~CM{)`Ly2DA6Gm~1;K}I8d^3traKYdc>h@kk#g|1S=LImI1+Q& z;ln*O;#Q@kUZaBVrI51JFIJqdy-tt#eAQqShc^T3BfskWPd{DJgl=lnWXyI&P9Zb8 zr~>$&BI19pp=_qwZA%Ds(ctzT<)|LRW&_SW*fln*%igt#i7TOhGM^NxDZ zph~4xUy7$qldX$1Wi~TZWpj#2eWgzInnlj|=fSt2{@Gl&e_is`yGMD4I|6MvonT|~ z4*HkgTl<5OniM>l=&^C~XA1a!oWCx2*r^gLg(h~_!a2UM#~+`ea5_l_*)k+ELDe+{5UkbMtGgE zbo@16bX1-|&YyaCkavOyxdHS9zdR~DpS(lzh)xtKmoVjZtkCSDZ>z-IpYqxVFrt91 z$D%scOHWvJQFRk$`~>ebL4}oYGfB-y{VqYfAro=!Vh6pi)AQNRGbb5TXN`xJ{o(sq z^OjCKDHLKD`$&JE$F!6{^#$Yt;0?gMD`2kvy;2MFHhEv2Do6)y!k=sMjis5}K2lyo zOdtUZazC3o7CM_+P-eGU95s_C@k!p5^L&lfC%x89$hE@OJdED4gmP9L)KT%8-^o5} z6eBo#AnSQ^B7|IZ@5BTRo-ysxMNaUH@i7)ABB>9txx}E$Xd{thtA@lbpfr*mhQjKhUw;HZ@0OUryw=Sg%)p-A#9V_5?6vkLb;(L<9vIwDa7;zc z4L={kD(9IUZ|4ObBM^KQEV+?*DvaDvKzL$bZN<<=DIF_3%($2cBv=~&U~M@2KW%96 
zh=omSyvsR~_)$DkMGU$OtbvYICH0plCt9H%z5SYK>57c_yCm!US+R@$(P!zFZD+5Nvk$4Tu-;BOZID@DL@4=Ajx= z;`Zun_w>`#QW^3I)lw@MGLDyGAx3))USmjn?2YgDMBO)dm&Vsb_!cURelFU}yW)Do zHJ<-0_e@r5z`~qf(TgDel#n3e+YnMIjKMnPr(dn0FDct#7xp=}_}owWuRrqti?EG+ z<$QEtF0?kpPN_%IulO}mkzQ(~uB_cT$R{7om=Rtt>{;p>JG?St+0_hZd>YIw$z--h z)~UYV@TIU5S0xDDTa;XZ?z&=(=j3WI8@5|fpB)a!?&fh zgY=pe8YVpTJ+klULbfJ+z`Pwb|4o^aeDX`jOT$`eL>LvuH4E4#X6ijw{`dCWy@-*% z#iVxQi{fVm?bfbva{GQqrH3w6^U)c09<}y294<$NDEPm{YHhLke`tGHXN+AsU#$Or zUYFq;=(_8PWMtjjd%mvgYMbJnon7G_8MGhgctW;{jpEr>Pp-E}T?C+8_T8`)n7kBi z33F9WtmcU1g06J<(0qe#m=65|nGWmVauI`9}{!vSl$qx z8!s|>5NI-eR2&udH;yvp%%e--M5TX-r@n-`HYL#XaHfb_EL96AF<_+rvLyGhPy<@85a;NiPm7!(PS3^Ut~y)oGZ zSC_A6=ax(A8~syBm*iI;-YhurX_g~+hn@eDCGR~80G*W5vz6GFIQg{@(#Q!9-Rt{($p0Nu z0c1`UwysU%=6BoyY|NIa-Dg$zz3$bu>bFSiE2?U-Tq{r2E72|j z92p8h)cIz)l0e+s#C>Jdy6}@4$Al@ZZP;zVtta8LTZfC4NYb&G1^NVk3?@8Zj0=DR z9)>P8;dQ;)T{gMfy|X}_u5x)pvm5fW!CFt^%mepwxwgsGH_hCxUe&NOI{JX2t)!G@;7_B(7PiR;EM@7$$zoED|^U!8GyMb%54g~kMHukwxS6I0n14NkwU*GpS%+@dCQ zlyq2RbhWCv7d|~I8;B4cXGjjF4nW4KOgh36WP633uAe+Ns&`Q`$%qO#4RgvpV}E`$ znN-+ND&|bR8 zXkGo?PyPx1zS3IWE@&Zkcq1yicIjiKwLDm&L1cS`1FL8A&?&c;R^WBNoz`QW)O1w4 z@XKc1hO~;M#EJ`(Z?L44tVgL4$!7N}gL3zd!&Cr)T;tg{(aaHV;UA<`Mz}p6 z+I7f{LZ(EZLMCz4lSn^%0a^Idgr0QGRme%&M(x!`_ZFgM$6S-^O}oro`Kv5d3c3+P zn7={Hl*;H}?J>s_mX*SOAcGjFj%OSZ`s{d^;Z~@6HnptGDsc?ZOJmq{bmvq6H4XxJ7fhicVv9+#w;cNJfmf?T} z-Jyh&%>FXR&?X7u1_2b619NiJ8y@LW=}t~ixD6Lt0(kJ&Vu4K7gou+O!ZtBdI~u;$ zO@iML_l4Z1Qr$fO1_+CiPlHro)d*YPxlHljBkYI~o{eq}`Fbli z_s3Nw%ec~y=D^j}lbQKHGL8uTf5@{_Q=A2qGUa8Bfn^&>W~@*zj{(nl@ZhAi;u$sd9fDHyaT?W0Ti#Hx4R-sx0RuMp zO5jYHtiQ-JQ*VX)-+uozxA5S`8S`SP9ho}0C$gxME|ab@^3=Tmm;8b~VPj_0oD2^G zF0{*_8->jPpY-gWAjO()bjLxuqehbb^f)URamff8@XLirtx1x8{R+lVi;eBo@V@IM|?5ly74%}%BBngGi@Th5! 
zB-C7U?&n1i30n3gljcnmU|hCxEj zF&BOi6`X}pRkKL$Agm~>Ql3$YDlCdwSrv{89}|PjCSs6K-sy#~?XJ@ck)+!TFU}!_ z67OqoNnhahUbeu?I3XOGjfWhw zX^UCgi!Aiy8I8OB<~+{Aa#klS znPoEW4&{Gwo)oOAQ>q4-&-}tp@yJb(F`o!BLV1^MLP4i(LP@7>LP=jLOFSmIW*Q6SennNa*gW~G<$PtaQ>Yc%DU@*AX+8~pgqq8E<|kEF%JX5F z>t>f(&IL=-P}H-!uKnD;hUO;xm`{Wsp}f;hVgFR8ogzuMonDMULJ2b``DkO;eAXM{ z)u~wbUDFzCsfA_@m0|N74@>6LU`eRCj6|6FVaRGfOLQFxE~;Ga^L`Nqbs}btvtn+- zlKDhf63RQx6LwG4WKv+7NXl)R4to9YADv^Vm*_@*a%+kZ!@_?j^hQvJ7fyOHb2m72yg_DoOZ1^xK^ z`lxfE=eTo(?~O8b(n30Il2a|uxbRsX2L+>4ogyz}K!41-KXzIZn9U~wvryjYw6H6u z)oGEG+i4y8Y))${F}rG3?C1vNT2;QF>lg3+ub;na@|C`%=^a~bF?$xczMt%(s3o-q zT{l(xvb!y!o16Kz-@{rxvU#nedNB3Ued%u+L8(?(HPQvtb&hwxyAwuAU?plUCDd0< zWoY__ImAg9?R~RAg%RLOu`EL4vE+OjmJBu5vr>e9Tr=MfsCamiuq>D*ERX7-tV14E zGkXF@Zeq##L@XJ~JDtgv8j781G>+`jXLBYbO3rluxIVhEZ1sThXrZi<9P78mc0-kp z$c>s6(Dcrt35RIo;pTi=nOmqi%*!ZCNz#C4VCapgGant*LS z5wL~wP6LI2t<^wBgS9SweNxfCeE?Pp!QO{vUU}bzSkq$LZfQyF5_-A_6bX+9Ath4M~2hDfQ^jz^=UE`7Fz_KalCH!2$b+U3?< z?@!15pFVHIQkof=^h-Jve|n>W4ReJijOX1KmD9A;TvLMK0 z&>g1IeB-iYaau$?D*Vik>@{d}6IIP8qN-5dX}*rMOJKgE5mlEyoB6_=%fnpcn*pP}MEOyQ{q+w%-^!@u z&3w~tU+ctX-S1Q$`yS@hzEAG~Izo|SZ>Xk*9=~hY_wT(5U45*dODm6_htWC-As-r( zmkEW=@S$m#DAb&Vd7SaAWI;l8oQp7Eyogg))@2gKQR0U&xBHNZiRKU{)a_|ErT0ZV z%*Clt?-z^sn`YPbu>~#!i|X<C2%3AN*k!cMu)VFJGz!= zDS!C@8f{iZBliYn>0(1|E9H0J*EBuNRDgPKL@j@#`m&iyr3-C#C6N-ecP)6S3!yf( zH+-9{tA8@gVq+n2zq3rjay}gi!hW)d##ty#CFB-sz%RL!S>s!%iMVVno4&oYq+76r4IWoZyIN?wYRB=<#T zZKRgW3{aJRm|&_{++nI%@U6N5J4LR#u}C>qWh{7*oP_NZ5Acq+>R8z)s_3Yr(o0{r zKo>&s8t>+G@D$W+O(lY~j>M?97PSuinSu3jf_> zv6)v?r+BxOA>RHEZz&n|waIqAJ|U)RFU}tjL(KBV(8`WQoZhBH$9o&rTnV|$MMc5< zN)*&%AYpl3hO93ANC@eRNp9U3l9_LM8$?Ub^EM>z^fn}D_qGcQ4By%w5IPo;Ajjg~ zmfzj!@SU#3?;bVi3!@F?X_bm!P8rHutk3(oT>Mofx&G}hYw1rk;9vglSBv@GYN&U? 
zSDyH(_~>`4uctgyZ#&+Zp3;-qsxXauEQ(bnsu%lJLVmJU1u}l9M$FPrRc+bDqo-?T zc=PRbPZAP)#s*(VNp+H1Rw^)j;Q{Zv6!^vxXE@&^;2Uc$lPaVfMwY}SH9RT{Rz#8f zM-06Hs(C&OAlW{GN30)9L{Bh5>z3q`zKgvyHskfGH zXL;g@!0C{N_p5d*z2Kl~Ua7YhLG2pKdvy{aWSD%Z-L0vLjIO}6q)s9$@k5^W`;Iqs zzwklzJnv>L!^Upb1nkn6t5nEod{-I6n)NL8%N@@HH#zSt^SA6}qoI5yI>nuk<}^*S zD2PfH`-ya?G%n>{#&Z@IdBUqKi)NV>l1^r!=}s_%_B?mOXsyGYkf7b2MkWed9uv9~ zmN59t6ifZ!>Wfq^pl$l8A@@5QS*x~wWwLX_ae&WRC<9c7R{n38LpLjxlT4aOL+5mc zo)_NNW+}X-x<2bf4{Qz81TRE|B*xOW%?in)GGz_2Er~M#hgWoL>Nc zxiq^OOPt{@lR$5*xz5Y7s50UdC5b#{Q1(oaM6AwLj%JuwxwTS7GD}Q%ff=*sxeLUD zEBTF`UP52nw3gC}PFGLCLSIF>1G#^<7P0QK_scJ@UfVnbPPJ|2X`Wc&6{$RAF5iSfNjDngumUqDr&{ZGd$>FX!aq z!#f(*7MjT!cn#fBBJ}8;<^5T%)3MMQ&OeDVfHn6H&S=x52IU!(UN2VwxocK()1*Dq z?)<6g{4h89Jm-gKy50GqR-5xf(BJO-NUTSC{{Fko_nn#8nl#X{$-TLL?s;E6X}w+y zMLRX%L+d~v*Y%dGx?}uZJbJ$?(yaK&mjvERgSMPMF71emCC)JBN!UHs+y{4z@Jt!_ z`990?qGD;mXMRwp1ZUcfIWvuU5_XTp9mb5rz8Hs8VA3N&do0))_1VE6d}AwwWp3pH zEZ61buHDkg%^&!Dp-PAA8|N(*7MFh_vWgj{flbY+|DcFouXN2f@}=raJ+;&ErP%Mg zdWOJjE{5;1$Qf=kDTf+srrrQ~7z8W`1<}T`8O!1zWK>))kNlKs>)G8VH{E6u`j5pO zZiB?ma2wn+*SZrpFn?DVh{U@9?8p7QyjMYA>s`G%i2vH>s{UiQ`b(qj*e@5yfM^Q8 zX{~a{`TAKZ(-+>h0Pfd;exrjnYT>k*7rT9Iwx6X!k7~=z-dSd5jjl$M6_n@{&qA8R zP>7UQ2_q;+Mpt3TvLr59N(KI-s30WA>RG-?R`92h6`;7?v!Iy8J#NN{-CD%X^C~Fb zS6^Ch=BrY18Kn*Cy+!`&VZIP|2)(gPslRD!R*Offy`fa>&u-d#r9*TFr7ZzUCUs4I zrXwkn`a${3)$=wXSA98cn*O-jY9x6C-TUYS8{KO z%Ye(RCXoSRR8Ze>E`5RXDh{pHY7^h&5ctzL1W^1^lXs5;OnzhwXNyL+$s9q+-mPPH3lvDqB~mMcYA|{6vr1o_+u;evu(pj9=ONl)CMSWhI34#HbBi~ znhC#33#5bu8{xoU>6u;Ct+~WY}7}*!uqH%Bz zdIO)E#k_p9d5VMWaO5efdQYpF2rm8_9QsR7sO~ro{Y^s`{q=Ju$6V>2>HA`fs(re~ zhx(dg55KNkk9qSYk%YK*DT0<%1%bnw@0GOpEnq_6H)`8`#*-oZX=DhfxlGeAq&Cjn z=K-}EPgx%GocV?D>oCjeI&?UgNrv#Jks+Y?r4HsE2RPWs_RbcK?%l`1On^RR-+^pp z*?R{m-C47Sc$3lUCqQqZL5$OWnvl4sfH94X7;| z-EMRy)u4NY$~@^Q%ma5Twq(3rv30Z~5OLdzGr7LLz3zLlSkqRt&|k_vGAu;9W$O(u zr3ZCnh^H(g2W1DpOxqSUp5@?AV>v+0DbItn409RuRX&USncS>+NwtN=%ohpIB714Q z#5Y+E{xp^Y6u;EBM)r}$f==IZXtep3LsZ%4ZnY8Znw;&SJFNh)6OLwC@yC-0{AnZt 
zs5wlFq)4-wT=A&{m`LQwB#ASYSMrq7S*+bEO%j1WjYI&&FSW{%ouILx(<&VrZB~gH z1&Ub8`!?kVDViz`OumYx*ly-!*MpY|FVZ1k<$Y-67O~=s$1VMlI&7#UQDDhqV0$QZ zhAmHn?V)B`SgArglglb+kz7})+5l&?vc^>%rIo#@KoXd+eJ~BShvFC7G9Jfa%TUl| z%Px%;TZW<(uA9xv)t=ua;tzJa5v8D2_uzwcLRg8PYkiGW-t*Pnp4@CN(_(oNi(x|{ zw_yjM7e#o?arV^5;}dtNQT#=fZKmy_hX=6D0GJ1PlJA;=04D1v}ns?Ug0w? zmu=?DRht%VTC?qTZ$iJpH0T$KUuyTTzPXiy0mYnFKOXpnqWhH^FfE4blRm$^yO}%y zb5-1Jxiqn=?|`z8Pp>|@+Y}w~bj91nj}ro~iSoYjuGTs`{kd1~R;AurRDZDngX``( z50j{@>|Ho@m`egB&TzkJFf`Q6MNpPmR5Ci)%55jjSSF9Qtd=L+NFHqITx)kf6NV0^ z!O&3r)6n%0_}eJK8;hXR<1S8ShZ4hue`!?PqJ!#vQ+f5KSsHnXo}GaRbx_9eQ;O0n z1up9@m5)RB0m9vOE7gNXvlP3W5=~)jy@uwo-W7{^>AffKT8Zu9-1T<%?%TJ|U%jhu zuRnXLphXmgr|W9tY2&LQ{EfR^X&Pt^HTM-H8P)D%Q68i$ljmtBf>}IEgP2P9*Fg&$I8_qMHe4&_nOH9j9&GjJ|j zIzDo)Qbvu%zN@$D2x@k~9nI#=o1_*8pr(G_$7@Em+rYjimt=MJXf+)#60Dw9$2m-NXnU|A3f=7-sA z76&2ae%XD}#JPiMI5!k``s66V8;hXRCz0UqpFdp_gZ@G84j<;L@7Lb#Pb#F>erZ&F zN$j(*;(_*AHKKP#c=FNS@_g7_ntk8!{{ei|){DUAquM3A2cx1)-%qR;#%}oaU^g^N z2Ac1KVpI9Xj0XVjHYUv;TZP-*rs3gGbDu`ZC?kwTDVN8(GO3uV??>hRcxi2rk_09m z9!$f-p}5oCMhV_n1nnGp{G8C4ki;Jp%e|2f@`HF92Pig`&Fqt1=5%VRbU4|af1H+% zJPu9e^eno%V#QI<=Y1(Mb+9}Yfa*qGhjsmi*?r?0zNfwzzkT`eY@aCu9PZ-A<`%1P zyW2E~9BS@!D;Z^*v8WCN<7q0xPOAS$<^R&y&LIv=h&-4EkwbB(yNwdOu?RZc?b6!) 
zSmHI;5!GPp()>QFKuy<_DF)J&v~zvKP*Dz6pNgi;R?58p+=p~hNMkm@+t5rDziUt9 zI-)}MF4h(ClkWcys{XA1PNmXz3%*%A_Lm_0D@hrNuA4c;^x<^y707r8fe43^!uA8=<7bg=$-dfc3wa!IXWocj(f7|d?tF93P!SKR&n(tlwLD$v@8O^r?X|9Eri%>pB@Jmi?PlN0 z=%)Zz7I30)FT%Fsbi!~Na{+4ZlN}iqEMrkl{lBXyVye(5)%o;md)a`{WG=wzo#}+G zME+~02DgIqNnj1pd4|_h_TCvvMZyjN=S>YBSx5S&(pD6w8?7-r|}w~ z_;`zUGbMmUk7YRER{+h}nc=SQk^5V*qiX}QUAYk7(TRb2W*`0;Snn8i0u(yKdZ)1y zpk_+W4U>pE&X7b(f(N6-=)!JyGZnC8P@kd-gd)FIryhvVwYmeRXcXRrWzvD zJnvEcp|KbJe`lM7&7Q|2)8RB^8fqqLI#C=MaUA9HEJDWPtY*Yb@43Ksdp42ja2hfV z#mC#TWyFnuraZ1xJ$`y?nQADuKi=)jORI1~Y`RQ~L!zK9G4!29kJV(yqr2fWbQfy& z^H?P|GsY_@DMe;9i4yt+9q zfXEkKxlo-8^aN0u0H_sTtwWJB9A_F%3pG5ei#T1fr$Ju_%I-KO zP8&|cX`%Rd$FYoPah!4JEq;2tqgb_d6g$m3`Yura(XTcpJD%9UZlaN?zaf9vS7EQ_ z?f2__A*i`(`YwZ_t-d4FPDLM*pD8zws4VLDoQB6j&3!b_VlMZZs1QCY z!YpG{lcq1YVfPjjj}52cu~2-xw~WABZ^nt;+8!Tz3NHBG*(hPK(nvLpl$#xD%$7ak zr<~ZfkNBVV83bO0w0}6E?Wo3dH@eb?xPGU*FY4x@z^yJvccI7`PBjhPg_^res+>{! zD~seIgK>GvV06srw}f13DCyZ|RfDo31tByB3?} zylwj)K7G}lVJUc+^MRL6vjYL3GMPd%jMceK5r8PEmVf%@By zM{3sVeD%BfLT+!qcx|)T^=#Dc?Bk-ILfuw(8jmnX(-3B;nGQKrbdyolO%};B4$I{s zhtVmAstT4_V(&^7nFw<<4Pl1jeGosFjqv+e1jGQK&Y zO3)ioP@PfH1eos_fEfxo%=eQ;lH?qe5nVfhfEEnFw(-4Izf& z#<<_DuSvyc(`ceaqh`9bN0A9TxWkTAP!)9xTFhK$ck zI;Op|Ov-AU<1yoC8fFYN_vAw2W;=XxP0 zyXmaldwnm;@AS0+dq+e5@>*H<%@<(R7%d*+P+-_tQo2zwUtrsYFmsPsylzfD=NpUc z2O%wk4u-csDcMsVLcfuHww-Uw5PP+2cCDwtV)0Xv^l1T5FIT0mR6FXDA~mBJ1*!gR zsL4|{8|u@k!DwFI)4(-Rh`7?bAaq+DdCO)|>8a54balIKS~^{C_gyy$fw`uJ(jCEBLniVKEEP=7Pp1F8w>-=lJ~j=+DOS*gv;@{9J-dLo* z$>9E;D)W%dUX%aOi}OARF5_}mH?+OT_gF5Z`O^QJ!3^-GOTHh~9;Q;x>^1AIp4(n4 zUw7|9A4;fAVP(ulI+WbXx{oVxQXd)O4@|03B-JftctE-zWHR!W;@3uYnAjX0-uv44 zad@w)>Dv!gHi=$C!71mEC}!QlyHS9#y5CUGMvuG}6`Go=9&GL;!;@keNfZuV7c{^92Rff+ODra0fvG;Me*v@r# z_)3sFtGW-J4PVP~L@ncxLYg}n>5rz*?%-V?xjVoJeS6^-S~a4jf`DDi1fyR<_b7A; z(m#zN#O<~e9yPV9F(F-RBMz2~7v49*jAfLu+39xQbOyLrYnE5-Hky*L;#;|_FX&^O z9{E}~N1-A4W_$mSoeXi*dLcuW9#SJFM}IA&7wBHPcWJrq&9^&cCfD-Gj0HlMUKZ=t zC@@ga)hewCr4H+)iAa@dNub0}`t&vFeo0Jg! 
znh-VBA5tM`f{q`Zxg(1m&)A5jF*cy)C`^i362`17qL}I}r;I1FkcC0SOOchOA2@bM zld%!m85^T477gjLSS07RSS;zX*keiWrD2k2*!OA;?AJqDbq!0Rb&=9<7YnffMm3(X z5KUt&K+S$uN+a@9HVcR#T~jaKDBLtdwK=%<1GVmvk(3$dNCFvh6hkPf4QayMTN zbCgb778G|{7Jdh>LF@%3-VhslGgs#y6a3WoBr6#U$Q5m)ZfR9xZ573|LpY{N*$Z~? zf8LdDaVSr5&(ArE!nvt{=&Yvy)Ua4#o?V(vbP*V#O>U;ZAFV&7O_6Gzy={0mQA%CL}5M?+13-32YZKCUs z4VCU2?r~P~h$M!yC7rj#u&;jo`)|_OTUF0&xR2@l+TqIMi5>AYVh7Y5Cn1ljGL=V; zlqgE%%0a+c<>#~9Pk7>@D8(kRBeoMeM!7N?(&fsKWO1G=BXPGYA4{5{931w|5ufPV z`*A;)!Q4P~RbD_Bp8Wy;__m|->UY$eaVy_U@p#sTiY7!BZw&dwo!j|xzTlhQVH|6U z;gL3X++UgwkFdYMY}6dP$^^&0eK=BAS(h$d_Vv+vutt0Hv4Z}RMx~MKYiRSnm7Ko2 zX04|mxl9f}r$vOm%mv+%ti?t? zoIE6M)g6g(_tKVP#W(Zjy5nN11xr-(jb=OdtkA

Q$D;O}w-rs=7lnqS|y_=^bf6 zt=OwCPx3O~Ta4w5^=lfF25Qb~UezK2G_jpY zGiv=pL%P;4$Wb|O{X*jI^$W6a`pc77U%wnRk;Wh}9PQMCCpH?@RiQgABBj`@v}1F9 z%1|cmwT<*h!ZTD-8(0sU6|2N@xGx;8FE0ST;N(?=GhCE5b*+29D40V<4egu~-O5Mr z>VAHAPm#oz&%dfC`SR`8=huCb9>FTDS_#x+D}cHCy!@T0r9W=F`_ki(>RRVyJfm*B zr=QS_h{`>x-UI5jUM)rUey(;awFqta4>gZD6=Gh>HHO}$zG3LjQ~j3oT(!~bv1Rr7RjdYo6x2mWUcV|q`UwE&;_d{=Zy`z4_R6KJ?Ksk9M-7SxD zuui|m+HYs*Of;EgAYpRR=@*{`Qy9avZsS zZXdnx#0pT&gXFKjk$uXyMAKv&837+jDf?9u?)orjZl*5SNq}8er7X5n%0?~3?&=?&wF1s-%NXzZsq5q$ zi-da}w!Q+r@`5!NN&d0nYwt!p{JPd$8{HRhAeM1?2BK!ji$#aPG{?<$hlLT&P0IEF zv)2^=A>)(w*yWDslY5wZO*J=rr2A-YtqO4-`#@_WXrcz6}8vUYdmil)u*Ie$4FEyc?(X+F1(d;Tl-@{Ab z#prQkp3hR@3l>J?#dQ!9F*#*b7zpXkyp#cz-HT1~T>Q@`&%q%t@nYCX1bXpk0^JkI zgVP`yR(G|%mb=1(STt+xH~U(H4}3ANv`y2s1tF{k=BmoC5BH7A_!x0jv~y^BoAR}_ z>fHnPnDMl;cmnP0gInC~63eEdQrs^&*;#+Xq>oF@<`FpsdSE|}b512N;!tE%0wbdm z7#S<51V(s935?ieyT$)}wi_Js5~qNzI-paGX1qO-Ja7s~-IHhk9i3py=8nn*>AXqB zhNf&v{#|=Pv70Z5#d)wLw55Cx<^2n9;GVu;)f*W`Zg%BXISoaYujPiP?iVzPa}Nao z4;fEeiYL&PKDfot_mE*xVLBCvbvbU2?1#<(WtudOdMAm zPL*nrLDEB0c9&z{h1_sTUfy^78}%Et@$gb}gVe9($yUCaMc?o3V{cpD@Kt=67aP7g z^)T-&6SHL*K%p}nZ5m$(YA%W(jLUS!V&SJ$Xt8F6sA|SD9+g>HiPDi}5Sx6R7?CV4 zwQn@eCH4)uL$7YUUjnolj3(0L`~!6cYO)k zCH|@_o9zqlXbhb!Q0+(5EoquzT%}}xFMB+$x}zW;dm+EXPKmxhu0m9=H##+=AT)cFWMEbLIL?%f2+j?Fkw>kyX9dH=lroqOq+O zI-ZFXPh%oM&7lb6IOGv4vy_VRClTX?G}E9;NM* zqt&-)n(zI^bqo5`!l}R(6Hvl!&B-*z4%8fnc_tDWpHx98!<9<-EDsBxC1v1OY0mQ^ zvDa@%OvX-vrgy0|qj4^=W;8}$!A2KB@Lqwq9Ll@x+EI|?_m9A~F>{A#^ir;CB&PaD z%Q5|5nZ6>WEMr4Jc6=13REpD!Sbw}v6QD_5d=Kqj+@QIB)TLBkG|9c z+zlbz9)QL;*8@gVU7)0GWrw_+hUgbV63Bn^47#l9*d#4ORs?y{gQoJ@m*q2@F%;ykMatIIf- zCK{Bih{}ouelbh4S(wzZu$!m}2PY7Bz0gGe2^cUOL*M`1G)pdb+P;A*N(jQy*C%AT-Cgy1 z!Aq+8K%T#q|Lbb|3x%{k9gJe|{sLTais_@E5+-~Ye2p?5UQMP|g@Bq<;fJL^i&>J! 
zC5wEKvpg;$CPSStt?QJF)Qp@SGbhAP-9#I~n_4X@H{K5Nwa|NSG#Z-Q!X4IewuJa4_-R;r_d zFsiQ9dPDTt#pB_e%zj7D+B2s3(0wz@?wj$h!bX%Alp(7Ra8oz$M*=xO_b{Ksn+b+zN zpZ%)I(l=^ODxrc1RNar#_U?9k!&lobt4CESKYIOr+W;!!@TgLFwjGZ@&tK&K9e5df zDvOtmhhdXxFf7!Z&ElZSGQrZk^5rSLNLgM40n>!-lxL!Hgpei-o8a;X=Xn`~C9PhD zq|WrR(KQ>eV&r9xCL15SGUI#WRUMjoo5vnzubpvNwQRUxZHKbv+Ml~%uEz@uLa8E* zR=Z6P7j$_O2Su1#<;+aid+t(kP*HR^UyJXI2Z)nt05Q~DguV!~GGuj-XEGKH3YLXQ z$jZ7FzPkR(?K@Oz0>mkXSI_btC~x&0D0QCiSSIc89Vj^@nNd*q_1`|6_9Q5N(|D_9 zs~I}?!uuwcYu!glInnBoO#E(0QKF9;ebRK+=i+oO+gpoPQqvIUt#c(!y53U7G3~xj zOMTKlvuakX&v{sNWnB6SLTma=Jzr4LMEirU`~Rk@?*I0ozXq2(-?}PZsB9{Fu;bCl zjgRI=ND39>Q?;$>GYiUF?{etWxliaq%i=*rp;93Ml48$>1zru`j_q0n3c39{od%Ud z&0P!yrfRcsGK?W#MFe!Qw%Sk=hwJ-h0U*#)R}%g8WV?- z`{dErUobQd#RuBV?!GLY ze(%@4BVT(fv8DbALppnx&ZrZZhKeuJ?Ve!n*Tc1oE-a?9Jo#or6-t+yCfLHH+Af;wY2C=-_ZA>~{IvyLHX$B$AIu1_(1btE6TkPfB7j za_K=?#GvEK!Cmkr5>8OTwHTHozB+>Of&dg_*e)<&hWTt#0RK3DR@xM0;-BnjZFQBv%Heg zq=?g~D$AnEQ+q+B)FeKnm?&_b$02#U$04aRJ#I9+0ZQtUBfo#OxE&IGGhCz7>Q6^5 zx?QA-541^Ky?d00CieTw&-agW!mwWc{_%$l7oYd77=KX3jzhQD4V~f-%o=#By^_Jf z2%c`#(yA;IVqVC%ECb(R7FWXuRbh!=Ret^aK~8pvf%i|^wf3TiEP94CEj&gkkd48x zBN4i{q4D=+`sX;%M9*dM*759)bQ-$@Y7Tf(lqC;X5!Y09*%yr0Va2LEuA;0=%PjZp z-fFTtQp|=p&s&ka-CL2=ncg~@!hsbdAGPr}UQ3%RH3Nn?NPNF%4b=?yZR%7k+Se>M zuK3Gt5a5fj^G=`6cybcD)F)k>2)Ruvk6S$U%}slaV5VJ{ZyLKl5*{Arh;p?SrAFZ` zC~=0zO=GP<%|(?K#mo;_ofbK zdAr9!{>XVAH=4KtCG8O@OzrPWzx`v^Y;|Lzn=k$Se<5o6inmm%s4K6f_6D^to^IUm z)}rf|$Gs;Ed6g?c$&Pe6+08)Toa$MrGB9dWJAYDpSLG_&<}11NHFP05SMXW836qM?+FqKb}4$68XHF7gWzKNdOdSD#Sa7m{zT%cx=h+vk)1q*qa$PKZM z7*Av%E3!PydBvk7v8TPICc`D2$Z&!3cK4jdaIs9<<(`<~0z4C@>1!H^JY3xiD%4PU zxB5C>^-2|M@{{g3XWZEXmqbdQ3_e%alsbg`*mX?m3830(hr=bA)~2hg#EWLP^>*vB zSppD&rV2eSzM-^MWyQLRuoJmQB`I6ED)JJ zEh;s6Ht9s34U{KR2XJ;ruMh84m);4SeKg6&r5JcTWD?ysO@~@8RV~Opf2>CohHD#r zp<@ul`e!ZFw%M$D?%V#*3YG>N?}zSt*ygxmqj&Z1U%o!?YvcB{aJ%hUVVzwu#-kwp zX(FRKajN^}cIdfoo=8=7N$KV?qTW%ZVf8giUBi{MF5`cqhtkjysxKAUs=~S6ThXvT 
z!Bf4Z#~MoJHp@b-QSz7IQB}loCkK2oLH8-@8~o{BL{yVewOOT)>pHf_#az*{0cX%sQ51c>eKZSA5_LG`4XStP`z6eqz6+w}YOc?N~FU!yqR_kAgSx@l>RA8Wjm@&SDV+ zepoR&T(d|XuURIK*DRN(>qH)|>1=KFz|5o~WfQ4LP#$|A6gkfWEi-m_piA*-4}?-( zI*6)=RcZUD9q#BURF7l1Q=M+b{nj%6Ab6mn^PhI_EV}5OE-io9*HcNT#;RtH2l-R~ zr>>int|+g`wYn4F{+dcU)x4?5`B07Gcb12Mo&_b`o|R1_13}IGjTEDEF^lBMm~nYB zW{Er))47F00P^Gc;DN+9EftYpbF1TIsb$j1zyK2ULXW_28>VA*agDV0Z-5ved%;~3p zh2udI6?DAu{GV(Z{|9RB@0u8;T*-5(KVx}P$bIs9AqRZ92u?W2%3W4i_BC4<@-)--kO_x<@Tn+7$BD-u3T`0b<#81Wb z>9)0N-A)vEEie#Rf!o?iNLuT&7SFJ!I@D60-4PZeh6!n~MGL`sT~ktw?mFGkCHjjb zx~h4YFT|bD8DZUn>lPhq8oCqRutGh3cbzil@e#fTyw{GWEM?OuOHgxAR#6g`1uKd& zV-YU{#&c1yG7oqZR@|?+VIB`9xqXe4EI=+Q(aC^_)lt)30b*$kfje!1M~ ztdu@bA1FQ#L!+4EBrJ2UQ#o4t;%B$&4P3g|vZE4HSIEun?4_r(9QI^_VE2V% z7W`4V9$hfe>O*%s#W5b-xtz{|k)vt+mx5vSz=Q!2^SBV*BhW?nX4t-uBW1b4lao_t z9u+fF)3vTZ(lgUvFG1JwPI(s`sqJF?NgNU1V3+=(nI%1_Vq#Sefiz5X^Y+Hz@)=_x}JHcCR&QT-ih#7nHYqEt1k5?10yfCT~GWMJxRB%d1m`(cf6)j9~sruOZcG z=;}Rxt*QH8_#s}@_f7N zhSEv3!{=24%Py0i{+qQjsGqB@V!CZ}iB8sJRwFsCymL6{eE+6xyZP>&qBvkQc7Ijn`G70KnW=rb zYcFh$qxWuA-bgfe8@|5ps=Ktri&Ra0`>x4_QAOrxx`)X>PZk5!C%qMiio5f@$wo8E z!JH&vNyTy{xsz*y$`l+pS;$ex(4wHw8IC%Q76mmE8>&vLn59Y1StR0w@q&}LM!Y9% z*d5iRMP(CdQBeMqu3i8f)kZbyjpwbjw;%iwZOEh9Q8wjo{{Suv* zyXC&7rY391ohwkpK9x`~{82dqLBa||>Uxm_|3;Jg<+00_S3Hf?soA+FC%-;TlKwH5 z=U7$X>>yp+W}v!W z(aVs-E>%zRu42V7(QaC+YN7XSd2Fuhc}Yx5s+=nK@gMsS%TPkIR&=rd{@PBFVR?D4 zdTy!fOVxso79oAU-_ybR`qf8FZ;b)8D$d|b)#+UPq^m(eYKKb*)y4}gOk+A5VZU=P zOw-t6P;(xZX%b`!3sWA;6TL6b2E{C5BC7o?j>0Szv2|g}O}1D*ku3)0tqT*BI)7oZ zOx&?BLCJlQ8@xh6;eLhE_1I6W1P_6-Qz9^%+izEj>Dl|>P%lm$#gAil?^pRy@(`g`r%ubhVh=@B z+x>*)f^hT_dfv7|1Y5L}?n_vy_I+#lv7tu7(@Fe{7^e2RAi2qF%O~>MpuBwzKvLR;-fSBAMc*{d2KfJI zY8#YPDuKo~7P;XDZJ*__9rnrPP{!YDo5ij_Fw4X8f9zIW`4E-;=zi+Acn;pr<>If> zB}(zPzpOVZ`C0ts$(uCby`cp8$)W*9+Oq)%%#Usa_;FH2A-Wv0-D(I{UU=`CAG9`I zo2i#epsKrf`w}|Ll8=;E6#6v z!O>M{rMJlmTzeno0cQ&rG&J6DLDDS~!l*5x3oUfYx|+8e-LT`+*Z%il@q!G;$3yVp zX!Ly&X@4;)RLl6rD27569rUv*ch=1gPKGXGRjD$!ZO-Up1dz_70hPDAYl(8?O=L*^2oz 
zwj$KrGZGoGoEY((7%z&FWxNdXTogodvab;)TQQ%=R)q5QH3CWDHDWYX5lZS3OjNz| zwAMEk**z3OKK|x#DbPD7{o(Uw{=ii|B)J1V!1NfX=3C>*$CI8zgA8@lw7>0|yCv>s?oq$^dPLG9913o`=Q2FAy&* z<5`pWG}a{4+%qE?v7lI#`4P)!$&96?UzU6(hy-O{SWMPrK9MyE{c^EWK!ZVkewu}@*uI??v*EI%I-OAU)-e_7H?G<2 zuaeE>sWsOpax?iURS>e^3w_7Z#S@+5c7wv5drb2^Y(j1yn?^8%n)^&2MmYy85@8|t z?I2}!R^%f03rab#`{>7qqdJ&4#MyceN>o2S4@DryjQL;`&l$7AhX&eg{8zas|T7w+1_E zOEJYtgQ^`jS?#j@dzAD4xbJE|Bwckt)8E%tQM#lX5orXa8wE+FTN(r;M|Y@{bc3{j zbk~TD7LW#M#y~p87`YJ}y!-y%Kly|EIp?`|=bm%#JWjBpq%RO|4~X$%`&f7{1Q0@qGq2RcQiNDKqJ3Q?oN^YBVJpXQ_=i~UEh{pN zO8PP4tnOv*565fmyA@yY+y%Z=9eaPdn)}cpI?u2W)Ujf_M}w&mYGc>^k6S2cWmV<3 z{2j8F!GlJ6P1axL(a1^unbC9U!n9%1>eH5dOWFqnK?0GUt*?qdYv7wMe4sT^XV-mD$Zo~ZiS z`M*e?g2<-cye8l9V}6>*lGruUeU`qn*U23C#GX_sx>L4KO714akJ1hLge&yb=bNBT zgOKl3Qu&2kJ`{hgLamM@_$=2Y4@5}5oGc(uhmHCI6`?AqFyCSG6k>FEKBFMPtLF{m zbvT)z;}?SHImBpJ*tLo|+gL8;*>@l3m8&|UfCyPe+frZxuflSQLX~z)tIrCe)o0n5 zPjNm4d|JwubUd1@!d)mXmq&g?yp_v*gwLVK3>GFPkBKIZIe4q98fi@C3}}0l5r-%F z)Tr-Zbq%=~nkao1HuQOI)@HUoz?$cR49Dv+LX^er1iDxf?sjsX=EwStt?zay?XuzX z(C*Nh_^+K*f=kb^6=lB#Bt1@Wj&TTbyJ8KW{$( z8~V0Vc6~h5w7vvS1W9j88+Dq12t<^p3A)mLS}t52?oLz^x$O;w*O%DzR+BU_U0w69|UfXfBnMpK@_D~o-&!~-o=HFxz&rK0PgSl5ex#6HCf<> zza8IRn^Y;!6-B&vyAc|D@k$6iEILb@Ii+D~d>DVghZ?;;AbO8H#c>$7Zcj*p+pCgw zoX2^LD}*d9KqkCWImAB&uZ8f4=idwXk7Mk`Ste<5Q@bX6cZtbV;WkkXdODB6b|W-K8H9E4T)P zH8o^>q;?%yapK6)KH&gB_*>yHtPW1_8n9?ius&I7io|o=7x#$Pp6lp&?(MoS|1%mz zZ_wD|^$5!oS3k08c5ll5y~MtrZ6Vv1EOMv!&wanXEvAjdHHnUZ42ZFR)JrwI_2zxL zcH|EaeDx>L&l1J*Gsa+C|-P)+SS9hlHN+<8|WUY>!3@0pTo_&m)4IYO4Uu}9$S)Af+MP6STKfU_&Gki{Hyto3+wE1}81L ziBFyfO`zQh=QTDYOsUlkR}JbMBgb$tIi(-UADF%KQ5`-;HQk~`9-LElC$5~>yUYaV zr${@Hp*h**Wf^7CKQz&8*eBuLv1jxxR@>@+v3d(N>E<%{8AnS?H~8G)^QOU5m-anR zj_k}#TB&yhV`5A(!sQBYOkFcqfbX-qifuA^=iiw z4Q)NK4>YBY{u}q}2eG2S8cuzk@~ZEA4h8kG4aVCMyt|&>`6aPlB|ll-Qy9FP2)%!W z8qF;%KvjpV4*3ljL~Sq-oFa(q2K9Op1uT%sPoEcb%D3~OZcn%lWJ|SBSm_pMkHic; zjih2_ee8Lk?4pm!sKG>>f!_7C0b$RsQ3j7;*}N{uQ0(%z{rWHUd;%j$(@GsiJ@tg` zNrS@kQM%7I`wE~BwR*~KcR0iCoz?#y+HoI!3vE5~n_qn{Da;0;_ApeM0wPOw0 
zp9%uJe$)J1YN%kJ+=`AYYrQUdkzG8+ngw!~l-^#xbInaQ*=umz$`FuWmP0Yd(OFSX znRdRQ0s-A@GnZbtmm0xnQ&Zalh0t)ErS7ZL1~AsI%cwOl2|T))CrKesOj z^VdalI~+CeGUvv`8F-J#7>`&KEJ(H>a#EBDiSn%(jg;R1D=;!JAF(r`)m*V-dk>{D z=t_+=|2RY~*lN9en-o<#LqW{x-T6n%N|+M(aA$Hg`0ceCq*tElTIc6)vbLB-Z;7yA zna~i!KW+tN7DIRk>7=cQl9MgW+R!g|}%8=V!JgVN99b&MS^Y`j;rdEPC zP_&OCka8jYoUG7Rqq&5JMXfAXeu-a}*T(uzzVyWhqbCi}uOto`?%gVR=6g@0W$O)F zpH{iV8c=%@K{y0?c?^}7KU-_Ogq0Tj_^X#BF=pf|ZAzdc941fW@aQ8xCVSYJ`)6pg z?3SMSH-Zoar%$9wpwkKD>|Fr&n-0^(;ShCrA%U6<$STqI^l+Iwbl{XWDeV zNNs4_`;U)@bz7l#gk0;AEVkG)+cnF**HN;Jt?8n)Y{EaZBR?5ZX=YS4jDEIQXtl_3 zQT{NXoAi1tOIg|!p(C6YnDkh_Kqm3csRJmHRV_7uwp$xUe=gw0^-Wxa`27;DH_k<1 za~A*?@oKt9@>m@^{+;<=U4(2iFcql7A`B6eh%vOd%$#rf?BD8=V_1`U`5T&~X2hMsve{moOL1`?Ez^$}bDtU<80e{PaH;M2l}9!k){bVlM2@M9 zHqOP2SP|5WT~LY&R~D+Cu#f+`3vR`kV4vxA0pL#!q7tPV>56L{4V%~ znm)Z~P&`4$3+_*+6KsZI5P1pLeJ0dI+ne`-eohK0!rm8B<(x+y7ghT)&L&vd^F8S=jNm3nD?>Tmb<_dftQ)1{469D;o`CPw?IaP9jpn(M||M-;BOK6PqjVpXI>#(z`6>Ji$uPrfD$qH!vvc6M$2WEMpL zp#mC~O^*Wm4@;eWfPX5iD{a%+jHXP6zC@JAKOD(-CT`9zN_r9V`lo$b@OHiJ(x{f= z(&)b^^vWXTp&#wW&u6QYN_(~)>ts|O-NMP{d&Cj4W5B1i-YjE>rG**q7ico(%Csj^ zi587Zw}tAzR|+Sy^^BUtO3XgN-*^(8L36Q+nAQ z_H1U467TWCTM$kk9nalb982@z6Qd*#w2fYz4)Bghdj4HB&Teud>xt9`+7g}#=DTH; zE7s?pE&iB1@|Wjx+!V0)gj2lnr|(gb-Q|;iM5i5i0i-W2M1VIJC9&Vu?chlJNS)B& z%4Tq~xZq`Lg71=JRrgnKEE%P z5giWN59-ndSJzLghj5TP_#$Oe+*27jHvmNbRxa0c=BpAbWDfM%$qXY z&W?==I(sC>9mBeDwLslvq7sNmm_-@i@B{q-pfJDqqc_gwGM|z*JETfOjEf)bAH=&{ zU>B}z*CYvU5Y2~-+Rdg4^$pbT1bwB-kA^4iQ1EMm)=!keu7|i=e-u5w7HEQc%PvI_ z3DSyM4$?#Ji>$&1_65;gmBcB5Jbl?j$O>eGQ?Xdgv>Ork?`pYhdTJnE{Egq9E z#jv}Gn8jZEH`!)`2_w-oB}nFqAZCR+<1)>OXQga+T=3r4=0JNw31N{Wb-!lEU?WIV4|2ve&lyc#EnZt&XQ4q4Zq~z&k&hJZ&zzE2yZ$K*bN{)=v%^~ivbHp~54%it9kkau>G1S-^8 zLHXoIUh`T66JzyO*R=Lg5)#@~MJUI$2e9aW&`yUMhN;JA6t}b^O;Pi3>Y9&}!BVwev`H!E0p}8LT1B5OC zK)$Ey_J=1{MeVyx)kjCs`vv}j+;i0ovF1Kx&wRR9gRrlCw0B|PXzj`D*viq&Ck}P| zzxb<*s}w>cwldAcR+|rg6Q&1}JpnU{8f8zNaA@)h^DnLSj8?l5lBS@R)%gHIt{Tp- zQiB;sxw?AlhXT=Z?6fvJtR%2z%yS@Z|HsV;FzUX>4_2j7->#%@?nf{;1`)stK1F}2 
zv;0WK{64SfaPgYhda83{O#Pr!yVLutmWj1_E3b>KsR3U#U)ofZfNo*Ym(Yris?aDr z58e49c43#gF8i$9m+kiiO68)`ek7z~kU}(xtv;!k@$umlEcxofUr=~tLgD-#$2@=Q zS%iW^1a`*o6VoPOalwdvyEv=TNik?K9+C+=_|vv-}ud$`N$5KOH|e^ ztFH$5|7SY@w9W`Q*uk_{99Aa9%{(3PDK5?205r_DVJNGnW%^QIqV`+b7~M z1Jkftad-fOaNVLZ15($>I{QZSP={DT#$jN|Cnye7~;%TMA@U_&n7t zBI>BhUK|ASdsmy=GSZS3op=5Sym;(QJ~2Nij1Efc#D~Vuc1l3%@i>}?AE;I=&TL;5 zOOp|;+(0E)q=r5IGj0LK!Ilkb7_OJs|k4(+p~U|0d0Kt{X2LiCyta%$U}fB7bOu^Q{jjbe23b|PxdCp zaKqCE(Y)5Ek_E7G*(7$L$^QmoAjtQdWsrmbP*~8mmF(Upt?h)l`1RC@u`NB^-!3%} z!ivKZ2IQBJB4zSmv>V`-uPG z+O0B>m>+lkbQqbc1&{njVo{uO^2mJpPfw=pZI?KGqoeCMhi=4#-1N|ur~HjW|F(ao z@}$}?EP*n1O3l<7_BM#S@VT-=XGpm%1T~6Q77RY{5A@ktuXn^!)q-ScuDe^d(d67Ud*RA84kP%TWb-6zOd0S)}Dr~%3|%E2IKGjh@>*3wi^j3a_UNj>qgs- zgTIv>vs}*|vtTEOFvkaF^&}sD81O=kic0jh2zp(4HU!`UpkUp=e@UUaJbH@VW9*)B}j&9<1fh90Y4LVi9pZN&eK0h}LubH~uR57t;ayFL8SB4ae#5up55nIEYMgih7Xh^Hu-QNQLDc^o+^gb>TBJXeuxJ;xLC zk5RDCmp6&bgWvv#G=(T5)mb!zytf1DbNVOj9u9;)>3YnIFBtZgIu8L)SquoWni_Z* z_;gZ)Xrz@#9e)2(**VHe!|t3u{?j2mMGFr9ie0|nOaNMjPaLF!u(5;s_cGpXWPow} zR>#c0$l$v#5Y!Z_Eyc%fK_t%G7-9WODS7gv00|Spe(UnWmwbBqK&0s?c_sZLQHU6s z0`DbGWjPWD>%KO&)w`YX)gj^@ENGjW?m-eIC|cQ<^g@p$YNFd20P(NpF;iYafD}?& z@Bh7deQNaQjTBYRf`(7N3O;rnH_~p@%$_IAC^_Z}*yP#c&(@TA3t!@62gk<_J~I(_ z%#mM`+Z>{V1=p=VR|N!jVxCNiHU4T97Us3(2!=+B(56fd*ma&3-piphJaeSh^?ucz zQ}q=@yCK_&U9!^xR?fH?T zS&h=VaNXg>?ZC}2JAIh)YF<<|V`z@~Y9w;eJ+BB0*uId*KXtLJ&qG=DP- zGU6>Uwlxlg?$7GmDk;@uTPX>!lecD{uWHhj4_En?IvXgx@#$vC&2X@L?6p@}K`~8Z z!6b^K5*GYlfKctmS1E|(S2EQXbx?{wJMtpkz7)CSz`D=zpZl{lf;`pb%}_P0eOg>~ z)ILhsj-m6-s*hL+jd}27+T$P=(v>*7aW6KA)B}C<-|ka)_8}IcdRnQYlCIs5T9_qj z?{J&)6Lo}ZUK%q#p;oos@u+s$@{b?w$C_`d-D=i)0bt z=L_Q_YpB~|Z+Ub_?cn$2PDG1W0iKSf+sfiiPMl?b=IDQUhGvajoDfhv?ic&_GDe)f z$Poi-2O+p3Y3})`SV@ZpQx0kB9o5qzfnKbzM_o4u^>K=8>`>h2@Af@5r#9%GEO`v4IOL}1tza%Djh@!vW^jQRq)j7CS{IFCJE^6 z2%DLtRS}Q5?_kRtTG-ifcOexawUr+*K7lulrsV%KVa;n_HsHuuoeFNOB z*ole64H7VEwRvw%)b=q}AydeV*2S(!NzcH*wRMNGDz9_ed(zY=n^*oVMqp{^buGU3 z#&Ur$cXqx-$}~ACM0k~le$*PooNyTEHwmy=zHSop%9kcX){Iv9g42~C={3n3%TfCtJq&Yy 
z=Q@Ql=dYWc@;lGHC%t^LCuH6ZzFHbepBP7O%BFsRax^UC0Z&h1t|aNlHiFF9c(he_ z{)OQrg{vFBMM)QKutv`y{?5U_f3<*q7sy>`8#I9) z3KCw?%*FRYKJ@pH@iVk^#G!|;NXTPGSVA^a`T8M!yb75HS(zx$D#;<)f z_rqT312pRq*+#J-w*ZNyc=LHS!eeeRfXRBwZs!Lj7%7d-S4{E@*fL;E&1(-w zcPM@L=e8`ThmSF=K;MGW=+Af%fE~Mg#iiim*Xg(Ls)Qr!=CcX$TLWO zamrt+rdF_fJfv8}rNgYTv*z-5Z2FCqs5i>oL3Wz;=Bw9U@3!1{LvVHXebOPoXzMWY=wR`vFVQ z1GTEs(TXO+erJqR(+X|~cg^U%FgL%u`%z3-H?|4mRnqEJ9qKcQQg}}GlU>mF zOCJH7B`@}0o0@Zx(HuQdPS&xyJce^s7Ndp&*?QONF;YHHo%cDq+-TlRXpTQxHjPbd z?v2-6-;H`EPxP#@t?lv{24%}^O=72cS$*`Lq7@`p*GynfP;3-NsU-o@V3s&#suSXJ17u{g*x3G-IL^}e24r_My z$R#M>{64=@uuffBUx&Ir7a{|Qg5Ui3(fROFPkYOc?2c?ycgSgVnaIAC+&fguMNc;o8g<{ zw}qBIDMuSnUq~ZZ6|mdY3yELSTJH+P1kWsL4bH{>wr$O^fZVSCrTuwo?+tSR;(v8r zeyn*^-5>RQq3!afE+RUqV+|MbF>MXGvDmhO7u>$?ViDTD9%d0yD7H#!3`r=Es0L25Oi&3ih5HQk%&7-jL-9}XuEeBtRqlP0SX1k0t;qj}6 zqcsEEC%F@hR8*j)pS$4yObft$G8kQwGqF&wW8HPb6slFI@lt#909Ofrznl5EC*G9e zh||RkBw!&b4uhQZsrP(l8KbFFRJ9FGYbcQuFgAZRfef9Ec??%4CDr#BQw(>BQx)7M9T1)6nZ|SU-u?lmW;k^71w^Q#uJ4 zZ=l4{!hP7p&$q?9>%!uy!Qf^!4KsHPtym^FSG38>U5}^r&wVOAi~jf7w^h(`9@LP? 
zf7b=>xYa{h4t(1Ti?Q?sw?5WDNl!us%gqBAyG&wup6mhY&q94Zl9hOhH=gyOqzXur zK04DKH3gk-GjBaaOk4W(U)+=rI)<#WKqY&L1<9JeJa_o9;q#WJ!NFRi`Vh!Nx9B5L zNFDjosH)3%cPx0kOf8)M15)5PSoqz9<_|Us&?>RR|M2|vaJOHvxOm+S(6i=( zK*fQqzAr1eRn?}pT%HMV%e$O}l=U&`V9ze~?>m1IFM07r_)NBho>pq$_lPT*)O+hV zSqSZZYOgOe!iaDWe5ya6GzytJia2C%95Vs&(lx3EuJ&=9)oIa0&aa^ex*GjYeRZT8}ssQ<~Y5Z(-4Quoa=|oyPaQ1mzt5% zogdS|#-cJ*Q$&rW3;aZeLUsQ0zzHXtN;Mp*56F*a!9j}HILnB|W6l15cr;GCb;7a9 zC4F~#G;;V7z7)BL5GLu4iByXYAM*Fq79a%$Y4IoQaQ8jT}w*WN4fd0@Lu?KNRG$Je6^`0`5-lB%_qXZVKz+S2KTQA zTjD*^nl^Z{gaiH>29gxu9XRl7_-3mT?jXp|pA;0wMVesgfIjrSsJu;)V=0vXLnQQo z{8hH(yb!jGen0Iq!`{rh5xjyg(p$@yqPFo6x!umi* zf)e}+$*zCrY}Q$#-axu6HE5HyL5=SjEsNJzKmxoEe}vg^j7 z7Egk6Zz4%!-8D zKUuYOmuSkAmZumpqb0xz0+zOj{o1H6osZl$faWhWSBcsW`c!keVRA(%hS1K>t*x3V zGl>*QJ6*@0v)|cU)B}WVdam495fp`j-Ij=zbujP|j`GCi80da~9(jjs7iXmT*$yO; zmTF)Q$-<=MFV;A;Zdl3vfIz$M9WV_8cT{&L0c~CP7uR3U17|}W#p77zt_ttBo<9x- zHahhluW7wqj}XT6gao%q;FgfEpSfO@^i5z~mY9O~J6Yvy+8_jJ!{u6c0MuRdqAg?s zmCc$fx^n%MZ@06TdP&$J;S-6`pr^_8j<4frv1jc)YsW?0E5G+!XRVDN7}{;_M8EPi zEEAMOvOU_PhlBr6%i!+4WsV2ZFD@T-Z0ehC?Y3DIW%t%c<`;GzxH{SxV$*==nxb*C z<5!DM{CW#uQKqz-8$Q&3XT&pJ*621(2M>+`Gt^_ym{)1Iem}xA-0@s|`?Y_lXMkd9CXKCJ-1T#6PPT;Mw?rg#5EaKE4)5#KMQWlk?3!8B#y=`{&w%RKljBM zoNUgO?CPFKc-xRG4j;AEC88r8MG}jvs&EE|#HN#880^LK%G~dSQc~m%=RVpRdA_a@ z`u6ORS_SaF9@&HFg1gu(Tv)3tD|r$-@DG^ENfpT;;A;+Rq!y_IQm-66k)7=%OI`+I z{UUbesvGnloO&FA2?W`pyaJcH>aer-85&z+M?IWwIM~JSsd|*PeI7cojt!disJ4#A zH{C+qGpuDnkrv{1669eOExo~)yrDT0`y6H-A`S)hmt1)GZ>u2luQ>=%g#h^*dTCybHzuGX)D} z;J3cVUc+PO7OG-Hdw2&{C6J-fMy0%4DuS+4N4q{v7h?L!tYAHcIUg(oW4u{g?gQLs zS%8_47EOKbO?LpI$$8(60^w-*=glIk=))2|^r>fHm9`s@RnTwV|@@o4k(D z&v1gwlOG;Qj<}E8L~YGS(kHqye6q4`U5)cOBWP0Y6`TA!vRujj^TmSN50Xves>}Bs zYsAi@_oR+^;nkjtP+`J5wWLmr(&PG$H+F)kEi5Y}6|(aeWy2oFtWOu=lh>vOG^woy z8=aoY3azU|ojeg50}uGmf-UMAw2~QEfF7CslbR%C9F6^&3p9xV@o}2cU8$KG-xY}t zmrvLI>enAEO1el%H%|KHLttim4Gw+0u1>D8RR*EH2IJJej!M?0PU)gP9A@2w@fzlP zVhAaD`#>2jgFVUdlqG+Y+QIdnmI}j*+yKOh7*{4=BuS}^@X?~ig2w(C8!2j~N^!_7=Rr$Xt^9gA$g-;oD?k=_ 
zF(7{&QiiDM8%G&KU@{90dr?HQEgxu#Z90>SC^YOwo7^*4Ce_X+1#<&yT-R(viu%US z^%Sv*HidG=_yNLI(?#`_bU-3muEa<6J*Unfa@`;Ha(yc|$47`%Gm6`ztawlNM9c}B znd90Ml+m-E%h1ySS5<~J7W7BGg~Ea3y}^<%!*ZXuy_bJamw^G*sJuZ(nx?wg|6S?J6XMLxP*@l1Wb9WAYHK68D)b|IGcpLYR19- z)iPug&g{4NS8mPdHn6Q*F{`e7O5_qLR<-9#>C$Pr8bxGvOBc^tEG}gmW;pEB-6}rf zUPHfi0|07(-d3~uUf%D*tC5)uG{6~)=pLC2T>P10GU?FnC4jW>k@9m+wOC)j3QKPz z0P^LoWbHRpmolVO{1Q7wOhlwbsh zj4MYBNPw=_ciyfqv|_W@g)1&3$(#CbD{yC$QK_|y%mR&pc3MP_c?{Ey(+zg4Ejpgr z`0EA*R6WKr_s^K^*<;_`IPDPE=O$AZ;FXxrl$ysDk8N;O8?c`_Pzm@ngTQG>p^~o& zI|;b4J_d2Avy~o@>{&P@&zKbTQy=hps+jP01T5P!)fv&B>-wbTkr<69OGH#`UD2Qh ztgWyOhM6EQI?^baLNF5xTC61Qc|*@N7I_+QmYm(L|2zKpS9cydP;eU@9J-U-x1;0C zEI^*FRG3t6*O}cAF?S0;TSE}Nv@V!pj2+xQI_=cVZVV5obK}o!4X=dVXVLd78O$ev z+flW{{K&WGNkv0RL3I#w_jTV=Wz9y;sVz%jPnNhJ+tv}U8$nvSbX@Lj$e&=Jm476= z)Ga=KvssUbW4hhI2UlG?BaaFNS7-|@i2Gh13Oy+8gDGz-u~S)VdgQ{Kx7 z|1+u1FWl}m&)R-~$?$@_c4%edwyp2w0OdU=e>>Xr~$W4#XNp!;$`A0TLj|a?G(gGBUB6*UT6vcyeW?>4IO0u(kM%<|WSLCY z5TMzV`M@@^N=pEmg6@8E>4X2`XG6%F4Hzmi)!%=1)X?pCOO*r?+txq=(D9t+-7A{GNG=hTc1Mtigg3h48B6Ytchsqi-3I|^au`RXyaAGX|>5k@CDyqvmR)w|Lbmu zOmBzd7)16OB!A6Q?#4Prs94@-dTlk{nH5Vqygs_`9gM8Jq#Trr|6SEXdHGZHUJ=8u zhexvFl6aRQ;KX+Q`!i)oz*j16&mk&Lb2E}7llouyMGpqm&yu4SfRW9ug$nBI-wI#< zVjI(9b2Li`8f|A-TKY}($o4g7|Kr^Y6n1Mc|CTbRwZWUrT8)ywM{jJM58f!<+NdHs zzc2S5d8!VayeaIf@zD7(WX(9Ut7^JPHSccL^6V9K*o^Zg@zh z;2VvXW8VZ#S4VQDgDUsvZ_7NwL>z5JCmd|;K41BAdfy{)GDf&jJaarI6I zVCcOiXdmzA}1qQXP-80lwA$v-t70=p1(QA{EeL`2xTDfyR zeL@X;{~!Ry8LB=wy;*^eb)<-r9$(isP{gHmG*_R2f2%;q7*|ZpS~p9dA-fYMvB$i& z`y01A!DRMJ>kft9#Q{FZ69PbU0!g#SY1S{o?sg#}($@OdX5VPhT^3#R3{ub(%M43k z-*kz?W4f;4RsS(A8KDNwhM!|w_CNp7BfZR5iH|x+o<6K{By9XB7OBtnJzc!Xs&+bl zzE#Ko>HkL{tv&mMRm)z!y|D&k)ku#NhW%&5cZ|1AX^CM(?p5PURP;WBFd_nwRypOCO!7_yrAU2R{>#Iem9|y*cX^6h@omPEj~~Ugx9`<|MRQ zDq){@ywz!|?RVxRdmgDhEf)NxNh^PYwjsCO#Ko`An&K`9e&4cs-x=2Uz1lmtm0h>s z`2c9po!iCKm8?)Up$>2xUX!dO^1DAHSMJ?pkLnVD3^dhHkXWDW4;JEkL6ZX>h*t`~ zwQRD=@4x1l%oKa)2kAE`p2-lpteRx$S>kxFaY29+=x$5N8K`!eqDGldy`J_o*J885 
zy`@wjc?GfYt-8oOQgLxV2jAgWp_Jv%`!NTM)SQpe1zInn=?B!YCd{7c!V0yuCt6R# z-c?>XZgX*Y(I32G>?{5jE#J1`E@A;x{SX|sxS%tYbj1)l@~AuN9!sfLZk6XTN$&~y z-E+xkweC4?*dTXRrYMFHc-V(=g=#3yhkP0FcTcxCa58%PjP%r9bFPhWGU`Mnl1Pds z+ibdIAN_f8Nh+p(4XpGZj&8cSR zy|h=Nw)@S(zaN5YZB|SvF6vo#GtKyv(6As;bBlt}w-eKOr9l_{ls(SQKWRj6I`5H% zbFk*M#FiS!oZ$qvep`Yd^?0lFOXycMX9kz#MR_%!j9UvLY{@OWPW$1at`(WD8 z65z4S-@Ed%^``aT=^@otQk@bHh~n~IGn-R?i40m-a~8G-8-@YAYzF4iCM9R<>{tJV6O}`MAQMzV;Nw}pFmf5s zK)<&l*4YZ45-%Dn;GR#4i|AXKhM3C`QT8|QZ4^R|S$8%}%pMhltlc4NEaA5a4yx>y}^k8+_BwyvW_xWGoC|)qmm7BG?lW_h54~Rl<0i7^j<;mInwcmQiF-3dpeJ12^=*``Uzh73vRkR#$Gu#w`C zP=}W*Z}^X!cIr`hOV4_(^w{wn26iX2evut2qrn zXE0n*;(p&4;v`0={*_C^mE%+3XGc!=a=8Wx{fhJVm97c>g z%ektiG0yi01t?s+-1~|Sw;n?03Mxb5T?f-&Chf~JNvyHFlur%vGhBWM5g5y ztZkW75fpuLnuL&g-0V6EEia;S$qP~rHI8S#y>V$i&5x{TULQ4=c&X$y5Ff8@ydU4O zQT0b~^_={J?&GOeOLXmeS3Uai)B2UzPJ%=jdiCdQ#|8m=4>l%v;ZWp?ijT+Qj(wjn zMRV!ByzaSbl}|mYtzkd%mX5Rk9;YxMC+8-EcQ1G?h?d>Wo_w-7xa_E`0oN>2sv z2pzwnqybr+tz%ro4+au6mN>@0T?~vZ0=`^N#9~Ijlk7%M9dmk#mO6X9nEGvp9Iw}h z=EwZVztR6wP4ttrD8c-v0fY($c`^MP=Kr}t+Lv|S@8_{_?1fd4@EoS9od@grADzbl zAGYkXv1H?yamuYjC(5`EJ{C~ds$(rW@kqv8ZNC>{&h$Cd?=zlC5935dX!#v?HaEN$ zwIGY6y89c7;jm}A9lD?CMt*KL1w_kKi=R4(V@9;H^1HNBMe-nti(Dg#Zta>U=oH6P zbwcJR^84M8LeAGi8$B^YU}JQH)G^O&+XwC-?E-5Fz9R$u4Cp;(PKR6Q84XOerfGb&HJWd5kGj+@5mcwAZS3T_yl=0MPlLT*N}k;D0Bhg zzGWUY&|DBDjWF+7Pmq6gu}ZtjG^+9VT1?0f{Dhjx5Ty9M(`48S{!f^QQiE9Nv({n} ziyPdM|1K)b$$JZ6^UOu&Gbl#h1$3yjHW0i3+6_G?^w_u61ucOOow+2(9g7B)mZ7~c zuoKEJ*Ogwls_w0e_?>cgjJ@wObE+=;;53JZ4T?Le0}4rd={J5^YU zid`n|-^Oy{U*QQmTnyY|4#nB$q}UMWaHMncZ0NkqbEA#X`U+H$S~2hb{Hv>vAD;r@ zpc{ld%O1eLbGI!+y0uNeJoVY!U!z0*m_%WBj_&!~1T7}`U#@z+G2V4aiR;YX;}~}) zvXw^`2wHK}on>`?8&KfZAkL=e6fk1_kSa$^($}DjZ?#z@Pc#uyY;Wya&uC!0P^FN$ znt^TY^19Zh&BPtTniwCRpz&i>4|ixHAi7Pm(d&aiT2=M%BY?{Vzf(i%9pP`D^^<_2 zC4_rDH;cdp^MXhZU~M&sqK8jWGFP#t*%!h%U()7i`xMAVeI_6gC;f~-`=8EUq50-X z{<>B4--kOR!CEl}!ZQx;+fB-n@^|s(v|+eG7NTXFz|-nN?KP^5-N>B`6~FuXrjKHV ze_V!`$NpXkBhybE8X5^of=92KCI36N@lDjRpjz>f8YL{D2cU*z^NbJ;?7?g0KM#*= 
z*Qr^U-1tc#T|!i4ZYl;C^WzfIOnR}_uh|%_Gp5_+YGpI%X5xjn5ihd!UeD}aYAQix z!~bFP7$Z|^6q8>wj*8#YqR>KylHShhST>t6#0dc9LHmj-PTImx=5EfKDRE;vl=f-9 z%4=>;nQ%k1i#QzmX!q1|t_O5{v6u(8e~i)~}4yNd!G5qa2|y9{W3JuBD2 z!#L_^6ULoODlo#5zgyb;L7c`t{8n{cz6*2Z1?YTjBSK>*53_?du{mY9>Rq zy*^(!Z@5P)?x!q41T8&JgHz(|&1REg6gFMc$wTD0=O%RG5*;V(v_ zpf_pj{&ynetHV=vCqu!Iy_M6k_wC>w<5u(HFYV;S9tl0I2FBgUkmGr!W{bhu<$+`u z_HD$v8w!)@gBWRE^2Lypw}wci$UPGVFP#t8y9Uudu>knp79J~Vg*fGtbdkr#Uu^2@ z)5EjHW?+v}t)_fH6q5+|xT=)UE#AW_?y(gbyNNvK>d{6a)`aoDUtS>7AF5&3Kjp+b z#INNyTQ=vwu~?CUrjrSe-Ys~UdSARC%%`zQ|tvc2#LsA)7KPTV19!Dv`|!XW-QY`fd1a1Jf7 zF<4VdIYi%*7B1y>PKoE0G-CY?o4d8eT#S{;icwjxb7DHqW&JGjJ^zorw~mWzU9yH7 z2`&MG2MF%g2`-%k4G=82I|O&vU?Et5;1(cAfZ*=#1h?Ss?*8uPymRKx+;e5#Z{(Yq z`_J=RyJ}TERcm+CyQ{m|jdQ6p)7QFt7=(lkj`1ebaV?x0MW5a&9BJJ$e>SMnvM;aU z6&u@Jdcs~Th&3sWH`AVd4c2&JCAaI44;LSA;VF(^%kmBNjESf+zc&Wo!NP((p3Q%Z z@!e=|4TJIzBXDZ=NXd(D!2*Wj_`pNWs25&RQ?Rr@__RfDDjxk!vQdSz_>FBnZ-Rp< z+_#2w59@OMJs8=+@Bq-0k;0BUf z+;CsaSf-8FZ{^n0H z`MPs;95T4g6c4D@9JoR;^kfK0;E59lXR|{v5*}U-)}N|@7LkqHt^1~wZ>7Lu$zlA< z7)H(q_RDnxNxwd$fH0%tg|s^i9#v8bH%v!6rQ%z8HBLKQ%rZCdtQK8*U4QIsov3v@ zT!*lx%%UmIYn|*LmfWu&@D7B5ooXKwK2E2+-#0EsQR04n`&caPx@X`nb#O)3Y2I_1 zTFmRIP~E;qie~rtk)zx7Db32VxG2_J_}I?9ml4mie75zRbOzL_OB8$XqH)N@YV4su zT4C!*%w<=sHsI$&KX~C72r=BjFyFZ$IZ9P5U8DTihK()>y*)K#D z!qBq&vt_@nCaGCt4O85i2&Xj_OoPCAHoJY{KX(H^ir*kiX7UlmNT>UKfAYIqbV(A9 zb4~7^>v@O>>v-+KfG!Ow@Dud zZm(3jzv&1Ud~7gwpS%8sV%t&qrX12r0?ZbWwB{J}X5>oBhb%e7%<;>yoVUa0u zb@A$x#Gvtm79>^4yu8S1a|y@Zkx7)hFU7b;#gY||b3&1mMfFB_1+te2VkE-i!f~U? 
z@=Qjq>hF#EqD}-y9F^X!^KD%^gt<=IyW~MRasjErFJB;<+myGKdbHGQm`yk1@)(su_tdrbAixLY?$h@dWUIHj*SD@Xz%0A= zXzTsm#n6rJ;jmL<{VqS>>e{tRI4i>T{(Y@m-`yeQvL@37gR>H)VrR zfkE8;nb)1~{bK)q9$5n9p4=H5PH)Dl=l)`CzM=HKf#+s(9zt?=Vl`iFb>G>$XmwND zAv$21L`JOq^$>ESTecgU(P+IC*jVc2&UMx*^gV;@Y^9!`$7%a++^ZA#Y_Yfh@U6>H zme<9dXQ`SMr^Rt#H+(rd`&Nv)dCF zzF*Bu<(IX0%VM{(#vj7ZYHed1QqcAX?_Ic+?sj8s?dBZ|l?ofo-MSM`EsQg|$)X$2 zjcO04f6iw23`EbH9jd7i-rpF`ZxJ?9@n1^f4-&_QJF5($LvHgHCvJ7_35>cPH!f&j z_FKB08(mLZIB#DdLT2V>$?k~2%3h}7UKfs)(|f~^9n7VkY3*gdq1)V|z2pXz>u^Zt z;p9Ep{n>2eA>`_QsFStrD%IJwR?KUGwt1joEIC!o>+OAg;^m#*ebMBt&F-nrxlrp; zoPc`^wamc~ZA*RPGNs-PRt!HyC)r{*rRfb;1b=!bSwuIb(G6BKzg{QVP&cLJ4OUdx zjO`5}xMsPvclgk78Ln>x#%P(cZv@L|S*UM>+-O<9Z-m`w*|%@xmC*x--ylH?`sfgczCIJXZ+v2s)j)M|GZM+bX;)v+9$RD9qZ}?=l3EN?bBQKxP~jR!aJ3 zE8&CX_cbxB6u^JJN^&|ZFPo3paQ?|!@qm9{cZO{M{1?}*Js0;RP2Qi553A+Fim~v9 z_a_F71n(fmvmP+Xd&Fmk@fhWBaV1inzhGolvwU|!xlAKNjv%ENKP6BB6MZ2_M-^L7 z71lr%+er1pD_RwTPJJz7#%6HRB!~{NMc}6WXNYKIJ#~mNiZlXWRMDuyBkRc4EhrCm>N#J8|fVw z6dfW<4X4tLqznedNDW6}vz_@d6M9REZbZV=8Thdhf}})|qF~w#{MZS-r9|nXVEPRF zo)d!Jii$_Uj2ifH5PH8AHHm_mG5D17&Zn5Rts7(uZb?FWNlQ7}4RQpxd_nW3eP^%G zJc(0a01_l5mqa*-!m2O;y(CPNM0ot=z3UxfN6KRwID#G|eK06JM3x4Qt_R5&49W=k zOasT=gJcEy`RIWh0>9;x)w z2g4Su`ibx?s7b4Qf&2dgZT+zER=aQ|RK5rq(-FF@U{EvlL2U$Bx7njb zHJJY_NVgGd{o|!>qo3I$lpAUdMx6~-LboS3l2uAy544FYgJHejudtxNWEI!aAzi#W zVIgoMY6R*WMAB+1|Il#&TY&rG6TbD2uQqi+-JvUwG#HU4Pymk|0jq%@w@f^f6%@;+WLpEvIbC@eK!mT3F6=5bMT=k*QNeK$g07#|52*8$d?EeLj z;h{|mXvcpy%mYEWDAqqHG@vkn4f&topIH9~Kv^&?&_$*l(5CF`2WSt4@=%!NK%pOw z%{LSxMOTi~-|ZL4HK z82(#9WN5t!52gRz5J4jkdBXG|?02{Z`#ZG$@xKi|&VzOge9^f);c=d5P%r?$)WiX> z`vEpUA#%ujCEYJAacj5%Z$g4ZTVHe-?8s5*CukC6g0n9DVJ5Z^2?LrZN1nENn{o7m z(W;b2_@R(o3B5`QM{n%k5#m9U>B>R#{t+B!+7$QpoAV>%SWpwXkb^7W_-pVI%lb#! 
z4N}#(tS7vN865-`N=FAGd%HpZ1TTjE_rNw*Q_uv_>v#m~ALL)&|GPrj2vQ(#^k&+r zxojG#+7LqYRvL$eY%!_Y7((=RnuCRGGpX7XLiA2rxrNRUDfleM9P@`2T-Ep>3YWJT zdYTjfANRcYBiNV&qhW>=Ow?2!Q1qAKN9|EiLHR?6YAxkJhtwKopo#x?i1&~IWI2MC0bp>?7+}rOfkFu=A;;vw z`Wu(zfr|wV`|Hr*fq+;wj#co_P!9^pm7vyt4YM;)fI&eXoW?d%F>h0O*nbo($^o{Z zB2fe;3nC;7YGNv*Fa-|(fPX`WTY2wgRsZ_eY@W zJN6@7(CSrZmog}Bn@qCtb++>I!27GGR~T*kzuu2u*u@A2Ho%ilNmq)dQZh}`Ph8lA z2nGrwEKW(+cckK+@SN}e=hbj5N zeHgX}6G->LMne{<+PID#G=bPtZA-yHfCUx2(X9!v`lrY8Ld?&k-t@Pp&o z6m-KTg9pc#2ZzFgLnodY7pNij!KCwG`uxE4HhSPDJ~*r&9D~0(j2|4S4-Ri5$+tiw zCJ(0c2UExc_vNpL4&OgGvK|~sMv_8}h#=Dr(vasbA69Quz+Df@yS2mgWW6BWS=@g# z@4JcEi0_V>_5BW}4#;E!TYP{Ql_}1oZ2U=Sl!%dcD4J z4l3GB&6tN<0NkFKpqU4U?So^mKQ40~PN(w0G56qbeQ+H77V(>7;lc6Y!SQ$xno6hY zAz~>6y2qyn2it>V;lTmF(l@m4^DznVK8}12NULYNwsHPa_9t*cKla1}33Pe1hxdJ| zl2|v-U+VmfJ#l*mUY7*e3CGkV#%*ivZ#oH^0g8>N{m)qYB&?L{T2U{+&KY&-~JWF=3E|Vw)@xKiG1OE5cA@<=EzJZ?2{}-t73>x-m$?nbNKj43v z4ztHK!R4iKEI;C8nKb4?oVUaisPA7Fk+C{<85)^(*E%`jOvV2T zrqiRc%Q~$TC?R?6I6Zp=pxY-51gA(tgWn6Xy7EF(Wnb29Y`#dvPfl7p{xor$k9oxf znD4Uy^E_a_O$1`Sps`j!?A==+wh@T^pHFJvhib&j1BgKj)oA7aYLp%Yh+%IFh#?IX zvKt_Irv9;{zv~XACqn5X0No0z-CL-@5Uukl!K-Bl$Y#bSpfwj%>nuR)IjGi&P_0J* zt@mTS`qyud3NP!l?>JJ=dmEvoUMMLZATdKphJsd}GAz*azoQWVxz_ZpzmE9+n|2|Z)n%cf~A*a|&_l-SpDrO@fu=~a_fIPI;j?-#; z-37@C`6S8ynK26p|6sRwiXRBvV>!MYoHZ0A`#p`;9%m}%>@1Wt?Jj8Vln9V4p(G0^ zsUO&@61vwvNdGYsctWLp5c)xO=t=m^=?Jv;^&S9SgCfr9@AQztZ#9SC&q z0|LpQx&C4L&s9Pjs(ma}`%I|zo51P#cQJ)u-VColB-9sdJh_Bsy@?xO_3(u523b3n zOnun$AGE(D$R41Z{W*K;{Bcd{sg2foso=&YRLT=TO4lnu%4Fz?D-ZyrEF?X2ad)pv zIj_8Swk=%0-34xXIuCbv8KvL2bWGdn*}g6lHozztj_G>vaUk_+s6t9-!&%f5m&{}-k{-Dd(K3;EQ^Zag0pd!Wv# zLRAtB{*&H-6R`d1Pmcev*MC)FXF4MEO#O}4p&j6PJZygcJeBq8C}9BK!=-=StbWhf zBOiLr>Sp&xaz{bGDW?K2-KnqHQVR{p){dihTHPBydBhDU7h@h@GMwoO zYPSpat>;YwBwQ#-47Pl^qiv{<7s|wd#}#(qN!u zeLx`>CZObSs6xfijK7nRpk^I_{r7-LXvRcnMnEYSb7&}3&SGex(050jy(4SKU$bK` z`8Vbb1u?IHYc$_G;EL_5*PofX9^M}P6~Z6H{1=&^=Mpiwu5bMnE$gw%V0W)OX&|71 zZwhdY`dhP`K(nr{K(l|#G=FjePPKwkxdiI_))S%pw=%59msx;l?js|;?hTtjvfpS| 
z7V!he4#vkWz#~F%VB$Do;P@1HYPt&)Uh-FyF&(?uLR8j{H41CR$*Q%SA_OC^o588H z=e~x5GJA-+HWt^n>R9^W{&^_#ULd++d&;m>amn4Fn4UPradaAm)l6 zh)D%v{$ok=(9J8MyI25wx+ek^{KNE@mDrmDMgz5gUYmOs!24Ub#DPSp>CSmp^~&V; z!#`mBr<$%;ErFTEEHFW-;R7ZpPQX-Va}OAs%qByt2gWA$PQch?4?1Q6MmPKJz>C;d zVCn_TI{-6u>IF4hL8o4Cp;NC-VCuyM9noa{4Azv z>c5!5{6~_YQ=8||tKmNw=Fmc`SOF$M$r?asQ9!Bd4v_8TI^ZgG5SYx7@m2$+{yE9s z7U)MBIu`m<(#;?+)`LKYe3-ZDYsW(OF_(X2aR=wSuZek_yqSSeWW@ln(Xm1Dn_}b9ij`iVyoyFP0oCSKkQ*Rc&EFMXHr3}kF zs>3>%(kIIg)-&41D*@+a5yvHLPAg77pJYYH-;7jwH5_j*AJKz(JzW?Np_311Q?4@@ zDt)OKK>8$ec|d>7sPk@JTakQPL)j>PVr|DvRblNK!ZclRw@$^rDIYytH&ULvkX&sk zG1W3+6fp{}k3x->ns02BPFNJUJGj3aSQHrWRG(m23v(45cz3Frt@%CIaUe8`dgeR* z(bgWOabvepnwpb3+_~n;Zb@Rjq(i*>%{T``e5L%0o)wXTTzgG?TY-_QpH!u<2O{Oy zaG!k^?Q>8z++!5>ieR(IFt~J5?be%J`+j-7b)%UzQn={mHAMLGYSS!_sA>h%*z0G* zz0mRc&JCtuf*+%+F)q#z9(OP4CJ-dQRQjck9?r0vll7|UN6r)jo|c8T0#P~_<2 zj{otMQjtanBgTPIp}dPRGoeoHMs}TXHer7;S%k6|TMOGiACH77heERlPc17S)zFJ% zh;G6vO)ln2tBg0^0U@DDr&HNN%fY1viFw7vf+9_EXP@=i|g+p@S- z5g)5_r?YJub649TI)8}662x)EfCm@TeKX6}iM?iHN7I|`hqZ`{0plTMm^tDT2yeXU z$S3TbZ~pDLO|*NNRJ}0dMP|r9kcD{>YkNGG+v-^vX4ejCITeII@JN-nd>3Dn#3Z;7 z$^D)3+P@<8Ay^}f0sjv0p#SJ{l zG6ZAa<8bl7i_q5o-JyP0C`*zX=ojN#Up_Rgw}bcPJ!1m?n`D6lEk<(X8we-N>~(`u zocl^1>gX{^b=bSuj^uoP0jXsZcva||0j83ke)veH4e~8m>a+Q~-t5TvS(?6~a&V(4 zU$55U3lT>UytfNXhhVstTCE{&_$F*qpCp3*-c<#Rc}o;>oDDsgNmI;C;Npi%p1*^qSv+%J_SX4w&o_GU((JFk=}`B7K{ z+B4T0v*82z3<}5nUarp7IxDL(BpQJe3B4KOM+s!aZaXU*KCM>7uEj~`KBkDCqq~N` zbW3h~iWw0gxt(Qc7wn>0=)S0Zd+KZ3ht<$*RN5(u5-bUbg5+>B(-#XCL-OKf-4N34C)P^7U*?7S&N(0YAx^= zbF%y-?=91w<5)6*<`~h^%}EiPxKb{aP2&Q=B||Jd(~Oq`T^?rSkUqkLKXD#fB}|cF zrofvt^91G);3Fyi3qN=L$OOBVbu@jr&|bWi^w-rmUN%?F z3O#55X`ED~be0U6d6qHf@|7N`%m4VMB7yP@(m7$h5SpS>7Av5jq-{5{r!tJ=ETd?P zz{fi{+OuMf?2blzh!#*TA5AdZ-;wyMx*?Z-eSiZ}vi`EF^<+gdHrpvH`fY7cGIlGY zd;T(28zgL=Kl|wLlD$cBu8ib>q*2cT!llR3C?&rDav?jWH_h%F+z%|mXo`!_dqh^! 
zTt?Bm?)bVqg-LF=Wx$0KCH{?V973?6nXA@gt&f@@$br7^z=GIy+SukfA_8{Z>7G+Y zUiaNTmimOcYB<6A45H`C(T@r$NSH*vD5EseQB612DbsvN8Ju2Er z=__X>9P~u-7`N8&#Ckoiql|ZxscEdm+H%Us=p|pTUy(0~eKi_Zfqc0q7GS%S%d(&{ zG4}NVEl0Mrgj3Dt#S8SH|2l=Ia7vuz;voFh7onsN9hYuv8l58N zx)W)ocG)?8RRhzj+#Q{KShv;NRGK~MvSY6a)7D{86`447n=&x7T%sIL7g4j}wc80*UY5GpwUAGV^bzOE0Z=c4J__uNABtNFoA@d>e0LC=TN1>3w3CwV`80_Fys6DH0ERZ9p@@iqa zSRpp;>Gh&VH8b0zU!y_Nobn1UlPF-8!SPb?2PizPwT~s^jlMNnT;Nzw1EYXIFrk*J5Z@ z8tiGOVK*2?6bxFtrqb}7i=@pA3phYITUZH81Wp?{$a=^`^ z6P+e?Hga&FFDuj98vdldqoz5W7~Rc=s(6giG~(;UVWN-_&OnqcrBP`9aOMy49nw$= zdjq)*xBNhbpl0K4r3Fb-^NFyM;K5BYD)?=|;t0R4*dcx-8(7hh^yFMLhe9%<&T|!1 zJ}#xH@|Ry-fKYJ6Q&WV3hUQ{Dvbty%lRvi1QzlW@hZPAw#PvRMw z7&M5|F+5um-CMTJNW%P`UilB@>j%-_eNLMRIPwkIBQoPY{iI9F(+eefg8ubq`t1r@ zds^yX_{~M1F59aQ*m>_-LVITjZWtJ^Oy`4w5%lN~Z~ZV<+TI;8Y)hG$3AIkMwGM_O zoF{9|^hPJRDr;!>WQc6KZQJ!5Fa{Q0r#yLHh3qcSJx;*DM@H$~*jR=9C?PtB;qe7G%1%X`E9;_n%~vFn>AdwfT~8Ix|JauYX9 z=cB`D@cy~p8=V_*bP3qqCPHlz0ir zvcZNr^_S4$z6SedxmI{ff}LwK80RAZG7~=;t6^RSRvArDPxOx zInlK2-8#k4F{QYZDYKHwGL>o$inA`(c3CobG*%Ezw5(UO(&E)MZWbEuHz%7=Wio7R z2+fIs_zm44@FK1MN+zH!97X^aTZm^(Q=FXan^&N4dyp6ZJF&wIB7x$BjKF@Hc|01J z$gzBq%g@Y@>1#^oU_-e}fHj^Q8=IE2n5zH_%kt&}6{#mx3u9MpF5NGLoh9;YLg8?8 zg0EiTe%;|JJ3)1Ji+%*2*$ou=x_u-;pUDQgMxQ=UBU*P6^<}!)^~bE(6A3SWZ(-IJ zuI~BN08@i;jLns#RZ>BJ!ODlj>i`yoLFmoOt$_LzgDBtkYAQi#rc4FHC5$&cB2gD= z39s^NpQD_e=8wCKVQiU4f-Y_G_B~|8k#4%W?L-V^ROzYrXNRXnm9k>ui0i^^Tft8x z<_03)f$}6(#M$(0vl=^G7qih6qf)nQsmPC)*${ov8|qqeUNwyD<>*&f%{ax-|w!zuaKtTZ%q1GNGANji6rp!Qn-sghB>V_7lhk- zewrV?qBm|pBst+|E9_c~7CM7Sr_tD8)NWk#aOjYB^fS8$x9EikP13PC=ox~1>D8zu z`6+&Ie8y2AI_objXNv4^4*JM$g5gQESGCr~SoM|lko+4K{Yz@yMjoR|J`{yCvszME z*C+nk!HdBng36n`%%g3E1PnN(EUaKx@q-L+_g?{IZtf=?yiYjQ>D_RVQ_1YyL&rX( zg`7$DBbCt4JuP*w&bsK-jrD!J|MJC~6RTt;L0fv~?Gu}C>rZ#KgY42jFI+~n2d1Cw zHj6Wu#iyg{D$eyHeZ2X&NRWOkp3zt6u@Ko_=kS#F{)J&qmp}*iUbBi7vk>y04fcoa z;yR|<@v|6oEF^)A7#$~q>1E7M<~9-BXk*pq9NxJx1Zd%4m1De$x!14eJG+o%2vKaT zGUK^tGvIEyUJ*8A*sW&ex78?8^J)vwb#vI0&9vO(O464YmAtD>Y3mFUtA`hqmU{mY zlSGU@i#g6-e0>N 
zai^xqU$mYg?kmSpfaUZt>7^j_|heiE{eJZe?`DX5TfuCXN@Mtlcb8xI=+kwe4ux6XILJC@7Ek_=F4bs1_*j&tuPx0wfDB+ zLABb3Mfob8@5PqCHGY#<^*#LQ;%}(Y@{6+PBb-Tq{Ma<};%l5V7{R;U=g5H&o9cl) zsd-`>&#?A4c*z`x-j-2jYu#nvGj_>V(n>6JFI0IMcIL!dcyYa4bX9gdsKR~QyJTLs zMrw=m@7z*}E$Qx4@nB=}VRmD*IvK;nxP2z|43Hn1zSYOfmWW)g5gm}3rXL${j?%yv-kn}f_`kWdJ4-N&34Z?Q# z5{0AC7Zzi;EEY)z!10vx3Y+s0!O@TS9f&`fwlF6;t(BB{ zlXx7p`XKFckr_5`qe}d`N_X=1<;B z+SB)tgz?eJbK$78xmY9K=c4S8NBd8N^bOL)0@Ws3+c3OA;3A6MwxSI&8IOFNw} zb+&D3u|4@QM@mG(G?q1idu;J$i5E9;n)pX;{ltkUvHlnKGj;KoJIS(pqu_f4brU6h zKirv;%mG7I=`8K~!aO{Ggmec;HXCf*6c}|A(hSwBx&5L`WzH0 z^b?UpUl(<3++T{`cnruF8@%Np=a9B228!{`?;gI zfE>8_XI((Kg1E}-(1G{Q$d8;zNJvv**pVaW*)=r89CziJCQ4}rT7qAy>AS_GQf@qQ zjk&iWaisWQvl9*5Ci~|4<84c3>v!|#e!itX8fL0*%sWq3+E&J3XX!VhMH?)0_-9cA z7^VwHt9M#HR#5BL4;3HQ>xU%?H;0nuv((UCM@6fg`$Qx~yF{zQFq-=}8ND&M37b5# z(TK;I9+%YwMoh^lf~$jS}~{ zNK+~9>Pvf7sdSc?NB)Qdb?{6m@E=#B;XA|Uo+=pcRK9illqYrgb_d6$^Q4C^?L0W@ zy_(oL6N#W_v#h(TOuBM|%JAN3)O!&!a<9h{CDSe2Y~u#S9mZ5I9E}w*U6whiZxIen zC~}u(+q=J|X7CMV*9WwU>a5s*ZwZd-=7#JR4Y|p4$w?R(w5nsjpDU$w{+9N$^_L}L zO2K*_()m`mL4tOD#?)bg%Uq5dTjFaUh|M$kVBwBEG&5u5NIUA9tj8kKG0%Yhie?}< z_!G*BM>Zat-LfCqhsLCOX|}Je4cQa+AzYK+feG3frMw`|W^jRKfFOFFNd())}hqpWX0ZmhlIvL+aE- zPw*hTrM+Sv{elXpN;rnHJN#Uday^AEQ_&QKH$&(~KX|V>xqL>N^i1LGDPHrbZZe2j zQ6)we>qW2X9arDUtCE+S@z%gxkiI*u9v>`s0ts4-hwXL*ETu|4z8r$PeTgvhQoF)m zPz2GHyp|y|o0m4_$rAj2>;Y~O(mbZ3oIADB4TEdn(fNK{nOqMZMzOzc`gX2Xk`(#n zkiJr-q=DdKJ6=O4{$~h<`GEmNmyBBA{+PLTv?dA@qst0DVs9#UXvg!Q_1$7xTC@5< z>V+5ODOA`mXcL}1;vEz53CP|lsSBkS@oLuQua58jB7C^UE%OY9c#n5b=;h^hfM6+K z{I{c_p2$^=NFDB>L{FiMETY}XYzXmufk$P!GS=Nphq3#l4Q=y<$?J-+)2C8KD3}q% zWdg+%@3apVRT}YxzOM#8rO8U-F*dCEqNAtYk8mBu!0WVWaMc?woadH3<7 z;Ct14&`sLN!9vgni}-MrxTUJgpcxIFCuYJkYAX@eNmCd*DL6cZdv<7(&Q0!t`}JF{ zWj{icx*`oH$^>miK#GWV&Cj*XuQ1|+Nt03_k{cYoFTLO?ll>DG+o9!@j2$=1(TTDR zsXmsLH_1Gp`Kcq3rX8tVL5&aaok6=h#JzB`T4MowY|?XyBvLHTK&g&zeY5$*9ur9u z^$V~OXMTZAlM5&H3yFIx6;#muQgEVapB!3BeKEwhKsEiPi1xFdoEAmSOIYBjE^>`V}r;kEHd2D2ZB{{YXkoP?~cAQJu30|_E8 
zM3Jc6c6+0KIlU}ibY*;Eq@T1?zo3KzkqTom^=Ov$bd`ZC56wrTiD<#rr4B)$ohmJF zKvk^KK*9=&$C=>$IJH!UMOd*`iq6d}TVqH1wD$HHVfZ69KEI|m3guakZK3b^np0yR zyTYQn)yO7fwtcnU-x^-om-?%4r{aSo9*zkh)o$q;N z$7!pvwRJn;6v0i{LP}-nH99q++ zmFl^%dA6dj1dPR_qtBR61~Kie{_PY9T(52YsctX=P6VQ!;SyM3%_M%~wJ)R(7 z@)qPTF4xQ1Pyjc1*{y%=>_=BZm}QQEI}_rZ@)B}&0v~Rzw?C~$&;lz|%)vRuF+RGT z)Z3Il_U&D}_hh{Em}n?2+*v`BmUYeaJI!Ktr57nFpM#$#-ljyRFTGeiph41}p+JVD z7iYV?3hJ=TCBEe>VFn1nrl@?QhfPQ_kq7xO6(K}OZS|Jm?dRQX<6nz?a1-D9TQYgB z*j!uxazhux_S6^A!O3Iyashwe&1QkG=Qw~X7M^SURHY!oKE<;-=};*>=u zYl(!u&njaP+quF%^Mi2BC?`XE3QCjZw4S$+s#Ae&MX;*Px~ijav);QLbKNKi7*b~B zpCU3|)5sqWx>y#kZr!?Xx+v-#8LH8arHw-L!YgY&M%xzIC!xf$OONTK2-75#p+UTR z`mDb11z19gCi)mpW=q#X0bTQa_sD=^QOpuWb&hm#rOtpF=`N(GYM77JKGOUBz9a5( z4q7DtWQ@25TKuG)J-%|s>FA!G_@|Ud__Sa@oP;!b)oMf%Lt<%5uvp;8nC7GTue2Mw7hreN!>))H81J%EV-_!ej1h(a+a$wI2it zstoAv>$5u@CVtun9)8eT6MmtYw#0YymMx*CTX~~$@A|MQ$Rmc>txVOaltQMJ2}D#o zuIVeuk=xke(#R@9^Y~|@;l)tyAlgNBs|6UjSAU;gczu3+?3-73+RBBI&PiB(PZ>dl zt#fOzHbvENNrq#?kIT;!dgXH7C}gBR(oSApST%1Gd`jAXHFd6G9@0rIWOIy|Rjgg< z6!QXwTFB!l_GNc??x|&YL}X>&)pzU8xBEs{X8bK&%_Hg33${{WMS-7-PLMcsvtNWdB zW3Q_d?OOcX!<~u7JKHSc>18&M_nVadQNnzUDNHJ9M~dwX>3;rk>$UPTL!H-FueZ(T zjvhtPcioJRi?LxNi^@)?#qg`Va>y|EV0R-A3Q7JlUP`W?%exr(KF4B(f_*S^nS_8- z^cRwbyT7{on{Oe*FGz-c<&Q!mr+#s@sa()}N8S8T)|3^iI{tN(%;WX#*3niYvz;&B zGXkzPrqtyE=ZY_k4tTu7mJwby$u4Kzj%&50kb!{^!6?N5;_WLmgr591sJck#An^>(=UnGX#os@TEUFYpB%zBmodQr61YkwJLE>VEN4$;3de97|> z{q++q&+JzpmwAMjR<|Cz(bwJFXb2f(&=N#WY~%+Ian&2-YzTg8L50U|eUa&NuG1{k zomS6;6Vvn)(Gyd+y_-g7=jz=ah z=BRk?tvx;6qAxzmH1^!gMb{fs7S`!!4AXtnh0vJN&oisbE38CD@3`$pxAU2QjO^U$ z1&cBl-f$0{Wfj{^)`J2RI>~O>6};v-{pwv~%5T_vaqcmc$gmf`cMaU$-tuWG5!gjI z9uUr|d{(NT+f{zGj4Ad|6(29F4$M^F&`rR2dmJ2c4)?g@ zu1u|Wf7t}?J8!>l#87?X!I2toq_D}C)pj|g4Ctm8E(6?GIDN_Y_WDjbII7IPaiiUzv7~T@1XJ>1L#-1nK^Az>!ZsJhinZ>=zuyhx7xn@4d|}D zRbD0w;eJafmTaA;3Y)m-&>(8Nc>fm;3N{@d#fxuQ8MG8pMm!@W-5d3O^whryvvpMp z-U=fR_A28m-cXrp0W6_SHGCnj8l`` z5OB*i_)uGM3~E zwKT`C3w!9$`byxRX_{J$5@HO?;~6)rL42)vTB)K-U*+-z`6cVGH7{}z*2}IKO7~!B 
zCQBJ#KWk$eK^U8GcS)B0WW8;OJ@LkF^8Rv13?GeOFOIV~{$`Ojlfsg`s6H)s#i~&S z`*gqYF81QBdk1J(h7<2uwKLb-onjqJHRV0<<;4Bz`oPlq_I6@k@HXaBYiIcS(ot)m zoekgZLDa?OaUdpH7MbAf&E>L)l=C?*#{H{-H=gG7Sk0fqo$; z&DJTquBLMSXs$Mw{LR)_X8sQff6eFSML6;n${&fmt_dyIMOZekwgJlbS$=vu^?PIe z&txAtClzwgcr>uGhVmF??|+STW$rA6mUd6P;kScFy+&u@Q_oEoOysKJzmChQ$@^6b zjKDm45 zR35KBp3B|a+rvt--EA(my2a+k`(1qJ^@_%;`NqV%n<2p)7v#J{r>@hFvzsqn|slZ7NIjY${oem_d2*Q+4jqPmNL{q7w8mFN(Z6 z?fRM&Ffxv-SiW_rI9`ErR0c}FmJPQ2oUL8c>Yz4TqC$*LhkbOK7w5+@dybQ|7C6hk zJaS!I+x4oH(#$0W#kMR*;0Z{|6PX$qf;|5!?Tp>M^_%6F)AMxVPX+=vFCr*)Bb%f} z#EYb#1Gk)f)aZ<=>xN4)YKsZy(z$kG?QNBDT)x^MVI)7=ZSU&f;^sjr0xOh^3KuT7 zf_DcWul~)q!DcZ{AAK!c+RG%X5kZq;KgLH4qO1Aw-p~IjsU)M)$-d54*7ic3CoDfc zMEJs96IF*ND^0r;l9)t$7Pqu^-rsN>UWy|)mVq@I7~YZVPR%44oM()vejJg3+}nG4 zIM7={JZf-bAs%;fz%Mklf;KPPF9SDscV(27E9LN(-k*LwulSiNc&luS?05*i{j|zX zw8#*pJ_DK4kS??;^m@Wo3Atrr8EEEjxII~XeRHwcdN~%DT39fzt=YaP`2J)NuBz~S z>CXCgIeTEg(6YTV`2PR`LH)k-kK*$E<+->$e}5%De){>xt83`>pFVtw!+la#cXWS$ z{_*pVm!Hpn6xZ*6ycY22THIbh_g{YebbT?set&)YK60Eh_k{W77u%qOg#nu&#yDiC z(>&JX_qgii+Sqb~eyeqd4g!8llYb>ao;2HQ@0eZv>huUcynCOljOGI}1tku^)-(1@v-0!l#IL8v~bHDVCYup0eS9p=X zj~Q-@C|_y9{s|lEA2Ev3zy1#XzI%uNUc&!BV?5Zhm;DQ2Hnt(&MYvu#szwhdkSz%? 
z(l{5J}Vlz z7YqcjMJyR>GEdiFN*c?(ETh6f<&XcYMx-AprMA~LV7HO&c2a*FIWvch$_a?P^WK7Y za053z-=BZJ`1JGT2l4Ud5_Zr2gB#^?mKW$$ z@@Ls%0GGtYDg5bBmxYx1P;S_G*&i2ZLPF#e;dBt9i)eBRKqMkg(uN0@pTU9hz&ToD z;U}*QIKV#`#w2=9EQ#pPozj#O|G0md*k>l`&2jix2On`lc_t$VRUCG zTMED=CQhW~Ag0ZtGLTQ7An(Sqe=}+FR2&z1cQSeBBgd;VF*Z8>POZx2zr$r?;DuT(SXjM`}cjNh+242>$$_QFIr@80V_CtQ+PLz-JBlYfqDnYPg# zjBm5lx&(zouB3ILPaN~HQR+>eMmfh%rr~^aH{#2o8|@iMut`*v z+1h+GR^D{zxq6g0K^mJ|v)twcn~AF6cR**hg%Kf=ghF~UDd=ZGYHvnDzu^Lo6roXo-WH#i5Z_i6I+q|ilH2IrskL><7ztCu(t6_!`_AUwb5A@CBgUV zg3u9Ax3mSfo=5vzPbLNZET)O9Mn*^9a{ zuYW~iVn~Hzs!nHW1=w|M`h*)2DQ_aw+axvW)C-uYO;=%&aS|6N>SMkXNmfeyUzod2 z^ieAU-VxdC2ZZ=NKK8n;@INYdJqYodp**w?y9c zl`zqLOhS+@9$qVsP{q4ut3mw?Bd3>k*%~{(eaWWb$IaL@4L>f&rfC>*K`u?hj~=pV z8ip*BOVcoe^S%Tu)-F)cF{u5s}4_-mib~SMqyGrftq3|v!?e} zY&DqsS`6FV^TA*}l05Nby5{WKbNBNVw3#!rtMMB~QF)-(CzD2hQoD{&T0zT^Nd6|! zVcd5AB+L3=2G!!zf^r34zq(5L>6bXLcqeuMjxwgnhI*5f+~F)bJN?GZv(qS>(c?co zeSbckeCc!pHuFkHIP;)9kpol__0avQS^)gP;a6xTkI;LN{jw8^V!;0 zIL3zg(pmcmE+cJCRMeg1jwh9c3&ALD~1-lZ73pC>@*X^6q zIZlM%3u!0*q$zsyyGr>yIV59AOcoT?lZYk&Rf`u*J7gA=hla14i{|80Zu5t&$} zbw^@46<@T!|3QKE<$BiSU>>MS&GVL$yuUt~c>j}V53WwG6t)%kMdIIAXiG!viqDfN zkmo#PT1Go27?uYJE#w1u5)2bXEffsl8HADcek}{QQQ1HdHh3hThvdt_jy)dhWE-%n)c8OX^xIQZ zZR6`#SM(3qN|ohZxxs{JfMo69vATK<@^+ZXy0RN{2qZ=A-hp|Ba!38WfUinawp@!G zZU94KNZ-`$`*eCfm$x%KNF!Q^9ec}4lgP}BL#0R<{JeaR!@-X%Jq`yahZ?!6%xzt| zsx8(+nmc&MR;k0U!=mb2)S=8LDW3Z5OlE=OAH3eEAuwdkcRZw!LHm(tNT4me%sP(;S%u*F3 zT{~H&fk!ooFTXU3TMcg>KQTBt-FBe&WiYHC-t4x;U>m@Q-tFCEf9wIypv|pgGb#UVfHcbCW~>>I3E zu!?e%2!2_6OA7IASA59sU+wCgzE*U3r?JR83p zsPOtaLgPDl)_eK!PC1^qOwc1 zy8x0fIn%}-W})qgeN)1IhT6ROAZ7jd1^-lB@xUqOVs_{ha}t@Bf6ca9!>AYAWuv6? 
z6QvJyAqkcrrBf?B!B}=Pvm-$;F!$~hr7LjFuu{VSn>~rM#l;G_24KU3M-Li|*Sy3i zWv5|7;bm2_VFzyr_z0Ss!YpM29T}eGi^|3hPR6f~;zatw9b{ARBV}7n;l&zvCH~y` zdVvLo$@6tqB^&4-cgvU+yhGji239WJtbMA{tjh}&jT4Q=$|XIk5}P}c&B2dU4Voi} zk8fVu=pK{E_z|c9vQW(qZxJbof6c1E!w#ZBALX`|4jwnqi6SSf+px%6_^}qtM~h|N zN_1D`MGnJj4a{~u)B4UNVCT#dB)CZ}CC;)gRK5}YMdIU6fBO6C981qpB`>d8)oggE z8-q$lph%~fzM z#0rUBvnt%M$C==quCS|*f%Y{=!a~*hsL8^3b6-xaHT~08W@&?i0jRvV}%6yR#{bW0IR~u2K$_& zO@*7fo59fS1%@NntvA8B_B4mN>u7NN$QGsl-6J)}$bVm-tfa&JuOk(CorN)@& zx+pMe*I6|wo|sdG@U9tFn;3)Ir@EM8kc;Z|CMW)R31d62tz1>6Y9tv|8}#5v^2D&* z#PJQ$C>O08;sp++L2WOiznhg2KWbt zWi5^ezSONNY(85biJl(|I|99~LB~kDrKh7z?i3aE&iMwtFKVP+AmffjLlGsi~YBE_j@4%iU ze;_|bVuw&|Q$tNbw=h3SfdJs!U}MnRQqTf_P1Y4;e$oeqvj1_;VvK_dra;8T$WV^o zx{8I&ym;umk)^USWWh^gY!@q2d;<~y-MdjDbOC#~NZ=bJc7CJ)ftgf-9Sh5MB}(|^ zBnp0<08uRJ&Kc#giZmZM3eRJAw6a0st!rDKp^gws_`pyeejwNB&V6z5NLAe$|JIr}()&9tDFRkJz(aktq0)iA@fc!m^12RN);86f0qKnjwW6 z8oAL$6oWXKZ28W4Ec8gDTH~~~MQU=9H901=*Nt9bdUjO#+7GN`$cLOfLtiIAwDEY7 zUKCi#iI3N|yV3~NrkPMx+N|rSamJ4xSQnJ<4O=dxLwUOK%dVyq;Es*m|8O#??`H|+ zaN%YoM!xLf$gtNBCsXZy7)pR4B_*r*fumaYolW(|$O>=Hp|dwG(CY(3MeR+G_`HZ_ zCP~j6L#^zGm_zJ@;V6#{u+YU|YhVQ&1CclscS$AbG&-5+b@Wm&sjQY0{BVD$Wb;Uf#52}CCzpk9lmP#~pf4DEs5!@+BcohARLMVz<$wm?tIK$F6LLO3a7!!5o=eg;aYq z5j&ZpwG$rl<|qac4s`Pt0O?+?hX+?+B4AlT)Tr$0#Ck`Iq8GO&og^F;tf6!9s*z$K zjNph$njaYIQXg6Vgha@b?~Lnx+Q1UokhTIxq3E!*gb+Y9xt-f|f=cmn^McCz1=D&6n{E5+rfA>m0ztPz9^ zk}P8UfuqRrBm06Ucfi$qw$?ESILZk>wEq}uV9SuPnAa#J>#jh@=~{Qq;Cd20Pbv{k zl4Fw1k zz)`*zIW1O;5z5+EqHQF86A6VUXOMN?*Jul>i5adR4VE;ZR|=l|A#l~m%$yG#m3RGe zACk`_1xPY zqyH-w%BG1mtsTY{-kwalAI|3cPCIuL`QIxM1^%P-_FXUG|FQ28*5qq2)n zrslfYRPfw6(`h(WhC3*%2~z>7Hsp~qKc!Y=FtBW4*z7XRf!oO1)}sTumVbrSOPgpH z0xLOIZ~FM+C5cbd-Gt93Zdo1#)Fz%S*!W`jl+&SiGA|*^*ZYa4@BcLYZu%*_dj8(N zLbeZ2mJtLUBjR`%YO(f9yFGO_m8{KDlXetCWmQXJYu#=RDM%1p*@8c#u<4Z~2!?DS z+Mlzr^E?s2K{G27hHK!PKf0o?^JlF?*_m zlJGdOk*5ZOaTF%Kv+4k-%j)zwmr52bRgd8VL$T3kk+I+?JNhiR7?KQ^*AvE_i(YPq zGL+u3>1HNvawl#PBD?LuHA!?&CM>$g&TOR_E%3F@Hdf2v^&(#>tL@b&nK_j&>z(fG 
z8ObcdI%TLgdOV?IC?IM<*upN3+#lugV5lAXh)y{b*TCB1?`$4z+h|-2-@)X9draRa z=kJs0MRLE))1_De#lT{jU^{k2CUTK3wZ?o2mr#toM$aCegyT!6VFj_$_EsMPZa4{x zp??p3yOHZ6KOW+$nk||<^AFumh;e5yROuY1ugTK zIZ+|ut;7x8R#mdHbpbHT-|uQxX1Ii3nMLk${20iyw2F@xh?(2`Sj)4tK!JW(;NON^ z2RKTGKC%VeLIJBofp7PB-qZn=i$+9W@$oaxhb`+~XikUPhG~h%9yZ}uSdDL*j zQBTyVd}KNFPm5KHY^}?Us$C63pn^W0xFq}edeGTHZ2%=EWLD-Ciug%;KYJI^E@dk! z1r63}*gJ)}&s%ih;Zqw=j`jG^WR2F}xZx;fy4{3xEa!z^Aq%tfu2XI>p)!S=NKy63 zZ#e3oZe!n--iV(a49VX%ym5ul;7tT8YJx~LXJ z?lcS~V7GGD9-GT{!%*}!szbB#TT-on9#NG-ZWv0w4#(c;39>yfVp45YxpofqC-9yx zs}2@XW%4$tU4a?Y-YZp!(cP>bo!xv_HR(uUs3+@CxG3Y~OP8m2t|-Fhlz(`IH+Mp1 zMmc`-oW#$Ma&0H9Zap_*F277tS>Xw709`AERIFdsVJ(1BBgG0;7SN)G&2Vn#R2%6% z=O}BtKU_0xZ^s5}-f&dBeR^2W53NqWKQNTwt#`j0T}}3XkJ!2%M^x0A_zg#u-M8A5 z{0JwpB6-YV5h4NdW0Ta@T*?&eJ`xx|!gv^%YMgl#m2-c?P^*`)g8ZSv$dpac0d1AA z@)|ywVQa(;Sbkjc6~Xf(h_48qA3Fs4ullmIn+Qbf&QK*7{l+ps+XkDxXVNH)l^vj` z9XkxAe@SXw!BDV!u`AJSdwf;8=stVo7Rtks=ou;nXO+SKMUb_!IMK?9CAz74^K`;~xo=Ia}Q~q!K*yKl^wxOWi9VOy?!%!LcUd={=>2qLz z_p&GwInRv!C%&ur@u9=$7Vuv@GJa&|xsdT=GL$p>fD@QR%Ad9X3+vB@Gc}i8(F!oa zz!0ml$kRlI%ET|!pBz<)A9wh)>}JB$`c64LjkKWBlW!PG7a#U0#FgN8_9+MXaC!;lM{6GA!x@Gw z^iB>EJ3rzx>Souob1*S#Nh$~2Fw{a`)qUNm#Ggmn439=-7`j@u?hrCg>i&kIEb6xgHIXCERP_%q!;Wubbex~QJZ`l4gp-5u~Bb(pQ1mI zouo@y6bcJDU@?x)*ijJb$BaIh=1tl~98xpXa(--h6$zCec{;Qsd6qbM#i$nT7c*Jh zn~o|yb;D2s`hkgn`|mijbY~(=d?c{{vsoJG0nU$TJ*_DyzzoHv56|e?oKg$BVJIX0 ztcyB{pC2bXNTluhY^8)fDLG{6VrB^moH;GqhBmTl7hRr32>ab|)U&R8ul9gli#b?? 
zF>c@F^^oLS+{w2f1v!Zo@(qZ;BT@f)h`SGG2S5OCyo@e}s&7-j}RIomXWs+w#4Tv9U zAp>-}EIt5tDYez4qF7_GzbxZo(5DfoFx9A~1POz}FRb1^(P!ytaLZu`y2B&-*C z3k!z*^&jo8|7jyd@T-*~xXO3q7#mxwDnUF@uMP7Lv+hf;+i^om08wr z%sc89_@;~u54vTjhrPY9goU$}i%m+!qz@Ak!}m$J{0PaDk}ro6puG#$sD;%xjG*7Q z3`MuM`+oz=JI}3+i!(vwt%%X|yJaZK{Sqkov7l$rj380-rAGI%N`i4EWaVOPD|$`l zM}vll29Kkn8E+Y?Yd;MSKMM3DJPehuUt!%~s9`T|e4NW|3$c>ma zvPzd$g4#VAg>QgqtnX3fwi1KSlC8j()Yz^a<({BNILOb{eeN3xkuRfp5aI+lyCOYq zw+z*$9~#H^D5ajGq`KNj>0?PE0Pf{MgsCO0O<8B7CGZWK+Yv$0846M_&No@Q` z%|2{6BOBFX@e^ISgVvST0dWG>;{3bmC;xCdK|ku?a+HO!AHl(l!=7vv*6hfa+Z>k< zjb5V}$~Hf`_FGS*HZ^Xc|KY}Ukz-R$x;n$a&B2A^(t&4WYw_b(oLh?@feR-s_Y%vU zHQUdJncdMdh#zH(I#zTkVm2Zr8NhZWiQti2Pi^SYFHx!Aw+tnl$GeBihx32pJD4AV z+tl{-Df@}5LjaStt}#WK#Kei8c`e@7mh4T?g9f<#(_Z<6ww)M?EAQG)L1Q>sba*SF8CdQGE*Z`ES$sF~qb(2X3*XB*th5@| z&P>D7IF1jqA%L6k>0Y!1Pg#vzDY4dF1AKRGViNLh-<$qj8&b*83sIs893}u*~ z3W=fS@{=L)V=_;M#E-%}84^DhvkNK2e)aE=sQ8hXCwCM->hWYqZ-GA?35gSn*n854 z2si!)5)VK25K}h3=SluO5+*-Jk*PUG&Na^8gN~)(EffB5zE@BJ)5iLBqkEO167n9n zHnnH;x~sfv;BSEf!gv7*l^+Y)-?NpKMBWMICh>8iB&8}7=b9`RP2%fw1m&;Js047= zINC^Dc$g{;ruo5`lyW!cw=C#CF@^zGxhoJy*A2&J2(;u7C zSePUQu)2hWq|oWzOn;5`@iEjLK6u{srOWN{Y>ETc_T`*Z3%q5hHXH!X3O(~dJA(p7 zec)stGw;67?h!L-@>FbnglqzSl!iDS8^=??dbCo7uI;IqEn27+YcYJW$mc3ur-hpM z17MYjS(g_XIl~zW63aRl!E1Zxx`H`P3oEY$}vb^mfxi|~_ zArlPz#xO(yY|plWQ}PWFr)njO&iTA`lhJDeL)GG~#_+&kUf8U4x_kLiqb)?Rl&d!X z=6cC=H5y|iDu!(7!O7`_C~&lnSkS0 z69T-=HtOEG30M5k>h$~Xra#-y;os5q@WMaIvi_IZ!`IAkk58MfoWT>g;k)0Bt|qB! 
z+I)^jm!rtaK20Rr;mb-!nRlDJmX#S+gkIuFuRl2UR6BD;11#ArWToPYhTbyNevVqd zBvtLr?JcnDYFrBg0S;Mmn6p7bW={k6 zLiTP!TP#YrfL#(Pduq5-Er*1}iTCl|xPqujCG7!Fh_94&Y*Vx6pN(ppb!2WVL*eR} zSr4`lSnl?DH=|c`PP8rtq;WdJ^Fn>iFT5V8&m%_(T-8yn(UggHR zFH|vy7j5;LNJ&YKve#qGUA<^zrfeFh?Z(N@DTy@hTN2tIy?gvN6#xMkRV`D}5YxpAkH9JSV{&g{E8)Vv?t_dP`E3aw##y?mktI-C!oTUdh-9Ww^;U;m*NI}DQ%Odt<^hL zUu$iUFY7rTzh-#24(o*Vq$zkIVkWT?py%EG?vhO8ww+r#91>cW6QAVWy0A!I2OsGn zi2=I3Iq}kw+izI>u~(WG!`&xJ3R^^Z%(v9DCSC9=laBPp#J)2U@AG!q zTPQ&Qiw4V3*#0H@l%d}JVe4y_+X4<|qAK_u(4B2z1S-&j*X`=v&At@T3Y#Lp3 zcD#b6DZwOZz|sQS3u9&hJci8%wHFd9Ly`Qw7D|of^90P+rUOH)i~x2j60`tr+RZGU zj~0*p_tVGU#K*t=3U;!>v)Q~Fuss?JLzc6x7;Pi;8~xQj>cg7sE4Do9&a1XCD!pSe z6w`k_?EHw)QKfOb_+B(SVyMS&(IA*)y9m-s=NU3WVD)IRwT;AI5E6iGgzBa#Xz2XN z(n07*Auu-Az~&0*a5WPZKDNm_n|xSk0b2?R%z;Ht^F>xV|3ni6kG_vifJqG(i2Egy zjHPO@gj-dt1x7YH^ma$C!V{ZXNjC^TZgsFhynOsZ>ul60M|fu#77TcB3INP8RvIG1 zA^`*csD0e4ChM-9X<*R83+Y?0H;s^=@9Du#3}-gzbvi2fh*gn*hXTg>M_!Dir__2L z86Lo@T)+!M<;1vRVjO$OyBc>ByqED}E4zW9c7L9A2D2iJbr9rL7d6E>v9v>hgsNKQ zFz@ZRSg#cgixUHTkqA&$B?=xw7%CNv)$4~NJT3BxSxS^v4HwHah3zVWXRs<{;F^*9i0c&Td2PPIuFB(}d>3xP_aRF1?a`CXym{2*)h*{C0Ca_Y~pvF%quMv|% z$+70Z(B15PK4t`eoYyya=NR=_z|M(qJv`V47-?9XIMTtfD>^*ov$6U1n9r%EM3$)n zkenFPF33@d@+f^lfW(O+?LtClGU|}`$9oEkrNISY$@=S@m`iO~37ei(Jt)6y9S04j2Fh<>?OGD(xX~vcE@J#?%C>Y21 zN_^Z4D{1{GXsW`48X6cwE^`prCVe2j;}{Z~2z;@<$B@R17Zofg8WzcZZKZKBBr>C3 z%geHB?MY}@CZk6rL-G1&Etm=j`H~tx=fc+Jf&>Rg`7}0uq~<{H8F_>@9YcZnZFb^Q zL6xf~7Mb_TN-RFQySBBs{52@Bh2wXqtu;Q{b&(i&wza?;(#^w()?nN`%9MpB>D6mC zUGMT=-1*0yqRo6(V)Oe}B1_f65b#-dw)27l@I-c4(l+d%GBzH8l>q#M13y56{xsg` z+IyyJOVCNH%b>p2xi`h43LHUmuqR45{~v*i6Hz)ifx)H(R%^#OOkAJZ6^HQrWYXjt zY(BC%*NGLIwu_Le763^#UTk7L)A}y)!34T9!<0)5Pe%?VG#({b@y>Cft~9T0BjKq+ zQ1?VxaPrvmoS~@sK`AotMf0-cVfN#!r(tp;T@Q@%LRrycKfs5Zm46AL+XP1%GABaz zN{~5mwS$nuM&x&`2$pruP?~(p9&!er6_g29UN86@DxplwysZU%SD71I#H<9oq;Bgu zL$UH>z~5E+z7l}A!`SyNb($(WPNC+UmALr>LmVR;e8_h1565YZyPZgNV?-DgHdPXX z;vHMtoP@+3Jf1TYML%Sq^=bEMv##U1n-e?R3(k2!V8DlXV9Uafw?p@cL+@U^R~?#c 
zL{>89`xcPRfDnCi+ES01Z%-N`KN>fNC@Wp9OXRiKg<)&&Plkq)M-y2T`d(n&_uRP0 zz9!M|qc*{M`w)$8Cr&&t%Bb}fFpn<84Olr5K*CMzB+Mg>IaY$+4}#ha=v#C-f~0vY zD{=2ff}Hes>34>?%nQ7T#?PMd?LRAh%p~Q+=Yk3VTHyYV7{u{Sj;$vT@EDS_=Y+?Q zo*jfYk`=b4BjPGl!lucPKpli>gJ`krd9WZbklLtP+8PTXh}yCVjI*V=6)X8~3cXoZ z>9Wz);F!zWVmqxu!)8d84#KwDEZ_VY^C+9#27T%#%PZ`DJdlpj(LQG-7fzwa;uE5C zQOIbMYb?=FSWKw55P|kotZGN{V-7L0a~$o{)f-==q-qdBqo zyIG~?@2m57nNGjbxcLz+nfFr^<(n&+_xTcu%vMOPGBgg$x*Z-N{7~mB-GT|#;QCgU z=w~Tpwdib=!cw*-Dzs2(q5Ia57l>}HU7>02V=vRLxDsI`-n9CQ56O^X!tRC8t>_6D7e0Xt1HaF z^k&%5xkAI@N24~d;KRAjpqD(b;4wNzqWYYnwEAe?1*`B$82Ozwj$$M6s7)nyGk`Tl z!q<#te-isDtUWf)Dq`(nNL*}AzRa|Xj@U$lVkp2mDWt6nU@f5#7b@W`*C@ibN?4a- zx||`;d5$J1V0UeoFd-t=E{0s_kxk%C9H0{gzP&k+?t^S3iqGIro%oL(Sv&olp@=&y zgTv_X0NEE@7zq{yc+bAQQ4PSjMX@ z*+vWnez@BSON)F>zfCRp}qQko6eT)A5Lxg zpuy#sX=guz+Z1klbhGdyY}V!8gRv5-KV)L~ z@UI01boR8=`zK(99De)f5(Wz$p`B1tf9wtLd zWf!h(3CLv7iB``nT;O9dqS6>yDbzpN?q?-U9|Ejhey*!bl*mFgD5EhbTi>Vf4!xu% z)+S^nQonDXb%-s6)V|afO%)l6&F^Cm&LXuO@Q6rJh63}18Sk^`t?siwAl$61zzt!j zVz{_nc5HOiFYax+DfrQ$k^MR*J_FP=GJb4lKm$C@@$9|?6DX!43&urL3 z;%J2YNY10rYB$Gqy+;|07@M+@yKLIcBu0G)YZ3uLHS ze?Y=&6N8$Jf{G$jR9K1H2L*eC5zwUelqq7h3|*{|4@3jFIBpl(vbL3 zpyye{7*e1;T{UK{c?C1Tv`uGe(!|(!in*(g-pwjSGg^j1_=iua7Vuwuk1|xie>P~G zsL`-iW1$y$>g)Bviiv8DHhQ*)W(_hKaiYdb4F3?s{Yj*|q}Tb1Y^^)lWRpsL#Ttz& z!ZpZBJO4m4M5zb#s#e>2h68iqVJ*Y)g^$xQWTmzLY~`cRSxM|aZ&l%QRwDYtF3WW* zGPs5RE0$7Z%_9`BSjpnQ2tZEM>dmiV)02tuzvvn^WhkSsR%j6}yP4^Ex7xL-BWj>b zS&8TGfU}C*Rvo2~YpgmLN@#9SW1dUdmBG6}1Lj2Eb^vdR*#v?7{c`z}@#`aO4y{PEO>C?sLaPwu3z(ix#~=HulqnXxle7 zccj~c6D!+k4}Tms03`bOWf~eMQnmvvl*z?ggdK^7#EFLOKpON?USpkvR>d65Pfw

rbHDfH|46J|NNNz$R!cthv*m zKNm`afiw)Krm?Z6Nds(i6|yU%y_8diLi3}j0^Awk7Qh8YNPE{rSgl&0j70Ifc3blvZ;h$BwBr^=-jd?LrwXe+_Kp;4W1^iei>*wbmB_W9@i-= zIeFKKTS;bNRANR>XRuK9R}`c{;^tJGtrNqI+akA)3m+;@gXcto#v^zbgz3YJH~Ds^ zkXRMV{+t;8dNS2{J8ZXb0s~s$Spr6tS`F&$LG2Pmcim9~CySVpp492dH0VzX`czEl zq@X!brmbnbo&6gWdc*wPgFb8Wg62}J^yXg;G(V1o#|6No!e4)E@CYM@p|t#dY@2l0 z9JZ)jwntRznKBfL-;Z*vaT@`Q6Onqk?&HLm9zuzTFvyrj#Ob)sA;Nm&E7=uovQQP+ zp~aEO_)~^5?z@;CU+!$mP@Vl4d=sCU-bY5!fH^UoM*t4%ODHZBDL_1BsGGiLa@t&m zZH@FtNp($6CV_qo;9)VlX!jUHk@M$5#*fm(4$>ko^EP&9@*_Ae0+S!Zi5sVrx`P|q zGU6&qu6W8&3jNt4YNrf!(O)%|cFIsG{cT2|G1O*%TI?AsDfZ`zoSiZhUoY3@OOebA z^);XQN}8&PPRW}xlvjTk(SalV+^cCh?*9na7(^pgNlxfINef?GQHm3{~)t{JkIAth~{v26{Q-*@(58(=|>oH3fLtXM$ zNU)qTlp24gEW{~8-SKCG#*aGf8?1X?!yt8yatD3Fda$M<#wtI0H859_GRK;=3Ol$* z8?kpV)DeHSVaku{WSKStm&^9^Be3yfG0)a*{MgJfn%-6yc;{8C2u#y}x1jg^V%Ygn zpra(go#dSG0Zb8i`Ej3vmY7^=FihdXnRUL1wvqS?g8Zzt*EdZ;L+8hh9yCHNqm`u! z#ThDmY!!C;-p3ZO#j$mhFX+kzQ-9#u@>UAOEUk z+nWdYxOc$muAO0S6`n6t$}2L{2>G$F2Rku1%-X^n=QLv|4gQpJ9hsV=?wwt)@yfAV zL*gk@Mjsh6R2YA-_c0@))$R{nt#!&!P5j{%3O}}Alw~RH$C(ck|{2)?Q*{v8E z35;AC8b7A>l!@DRgK0~H=f|-gG?MrDtFSq+7#cQ%^{?946f+60&2+W~wq@$rq0WzG zJ!L%j*#PS~#=D57^E#$}t-91jW{;6KtwIk9hRWzqX%o!FcPbgd zlS8)vKQ{QJf_<=I=JT~(DZ1*e()X44_DvKzGK_+u{Q5)G0yl;uB0U*uv7eeaF_dwC zu*09in;B}mzo;jkp_KbWeLLFD%dax#87Q?1M+d>IUN*^ijLo9!AgADP_8 zP`dpg=zz7vij6^_B+iC;V?yoEY_hyDE%!YZN|wt-r45#m4XZY~@{C+0e>(Pzz zmY7+b{q~%#^R}4X^Oo73veJux1|#OF&GD9a-p*ino`dI11kE>7J z%L=|-RkF#o6IE83Rb&`MFw*$=5xdRNjgNl_g3&(Bbd!scxZN$Hn$_R5%_zqPO_*s(rw=BM^Ik5XK-*N}UbLYQwIHwA;Ic=oa9|o#-45 zdnz953Atb>#=aM#vkg_#(7}cm429SC&&c}*>(kl}!)Pn8{zTW1EbfA#kosl|9FW)e zm4+W@d5(0p3x*o%`v#)TJ+1K|JwHO$PIdejY1D15|ua=>I;U7>9N^PKxd3j z@90Fl3x<;DwKnadQBO&UzhJ129sz4Ilr*-HFv&~>oStvzOlXsPB6X@k-1<#9( z9Caw{;F@hCiz)%#8a`{1y0hbi6uG!yrMVt{^^R@}4TBTKc>)Yh#O4VwIPsVO!-c(x zJ2}6Tz&G27?DLD0>6|~(syw(1@njC__cit3oP(Oq2hdB7bg=be*`XR z@Z_$@=PF&N1?hgiV5LP)Ve48vn~jK;xnQL>{`i%Sm3}zUJBtE%l8gbxkrM<^=%$+& znr8N_gu#if2?qc)D2@c-04TVT!X4Lh7PNU>R9#kbd6N7d8 
zXk=1j+%y>a5v5@+SZP~798s=KPSpE#-+I5Cvy@r`*AM`#~kFcioR!H^~3 z!f001rgSOn54_cT;!>nNt=(>+9b`_|i@so}jqQqX_&?sCuqutP>hxI`m7jOPP}h2^ z0}VPL?~G{SUJ?Doi4GmW6Xb*(uINK~hH}-B&?c=aYglO;TYQ2n7I(o=z`7Yo#_sA= z$9Ez_!Rnn(9O1)rnRs-Zm{0^d8W1O*;{e(4vTzhLes)Ah@gpuf9hJ&jrZ@x}h4z#S z(TYdNkFV#n%>wL3Qq6z*nM7Q`rg=|f>mZRp;jtF)$xL%LEM%xPy#=b!>0NL8z%0{U6Jhi)6q*jWW`&-aQQ0<(h?6il8{xE`NOTOP zqz|LRSE7OOV;=h~7*#FNFw4Xcr=01Ij!R;w4DAuRx*+J>L%19@{Tnc8b2Pg zuk-S<>{=_SW(z3>ct5z6<$L5QCH#oYeYY(nXOsJS0uzEZ-RJ3M;YVY#$|P+EGd9QA z)C$WK+C4KIq_jQNh`Q74VY0+W)5KRLZiaQTO z%He)<)u3Zg3|}@$R(?yWl@v=!LuANwWSyjNLp*enHLSZuXYUxFF2GRF+0}sS&z$Ft zEENVx^{Law;#Q{khJoWP{-i;qp3NSJJmg?0@>~>~F{(0))tAbajRGUYPUiregvd~` zdFYVY%5~Tz^w>*jbo`hR_7@IUOqqjQ>@2BK)zK~(3N)*)HLRGX0Y0bvh(vKFJgL~N zOKYn&4nGk#(^{#h!*PZ(&bw8n57**xWR09mP?@a^cKlbYuT~eO0}p$ zG0(An?(R$dsehqXiWXP9V5p@$UUqf|CibH3Q>V${{XH~NPNe5|DSofFJXp|;mKPPfQW+-U zS!oiQBOOGJ(<|>{r&wG95632iK1F0nNBg_NZlvDdhYjc$o<5} zMWbvj2_t^}w~yAk`Hu=Se}uoz`~V%k`2L)R&51fad%OTcec|0>XdNwYf5A{R_!)bP zp<3`3ziaeYl(@E95UDHX(lcHf9(Ts`M0otj&uPpQhFZRnyvWufv`2|1&uE+og?T*5j*(QziENsT~xyDYaEbs>nEZUF9{rrt0Q27nECpmFgdM_V0>-L@(P ze82ZF#AD+}jVMn;AQG+@C(%exMVc(Cz1~6fwJtRJuL}*P8B8=-sZ85+&Z}L!@OmR= zYk%lODoS0ROtcq;ve0zwDp*&xz_wRO(|M1WtcUuqSehC|UK3oYORNKA^}>B}i8c;= zI4|{|H)|LVC7SO|i{l)FLqwfS&!_LN(Wy^05qJI-W^>)BGVcJW$;65@;Vu~}06z~d zemsgk_m0&Rx#TG6i}kgYa0=AAStoN0Ma8d>h1qDryGc6F8!X`k(-PKVAW-dk7`;Qo z=f{~|6+S=4v;*HrX>iSUZeu*MQWE3KLi8C8k{^9~0g$KSQ8TPC@(zBrg*SbF{vmn) zAvvGAqi`?ei3=0#w7$lm+hp;5;KP|oWvv|j|N8Fg{q3mqd<5g*=ZiYJcPHU^PKoga z=uy=eN=r5aM;YP=o5AkJ(Zide0P&byG`Ug3rFRleZ>$259o^Wqco_}$R7`3CKeL-{ zFlK6Hl^7Q)`Ss&pY+!y;T5HG-WIHkeR#^xXWlR40)5p)h{PeCQeKwa2<%fw$Ylo}z z>-2Gy{g#XEfDe5*Ui_$j1LTWthIqJdfNYK7n$C)vIORG_Id>(p=%9Y z73(8ff*i$F@`CYQoMn)0%MAmuY5`tBRPK)3K_t@a=A7%}_u>3yc57Qv| zaj3q#^7PL6)A9;SZ~&KbdBbrFocX`3;;=7T1yBBVSlMyjspRYtKi+HXO!Hao=%q~?XhIT9WzGB- zNMEq$D302MSsQD!DRfh2Z0IWJ`+Y|bzi4?D>KQfNA?p*28mNxW$Q3O(T4Er&CxVAY zc*z@hXp;kyb;iXb5MSr>|2QMJz0OLcrC_CE)UXf}G!g+((AAg=Ue~JF+E+OF 
z`b${o<}#tGu)eU_;SmZV8%@9Jl=OZfy`w12EyAbcHn$TnpF_TYKF)yVE;a zrx>K_HH?!Cq=tm+g;BgH1^K>&*UI+?U@IoT7EMYH7m~CgldQQV+$9^+#LzDqu z`qih9oy#*4;h<;F<5?e-*6SkJ|}?t^AHrRgu5gg>x~vQwwD)2n7y z-O=rF$3;NWOzarjk&3!XNy(!*wfx}#{Wn9U!!y&NB=K&YWZ&@RYx}Pp? zRwGpPquYLIVZUrgqU3eMFP_c!75vEL`wS+|>H@!2Wqmv!eSn9yV(&;iWr&Hd4sL`6 zirpI(!Uu+)`-;xr z_20wSTX!TME%oSH~KD**f<=?Ubqp-gBg(C?Z1 zvg2ql4UoEE`f&?xed(M7s6!?F)&8lXa<}n&@jf8V^Q5PzNCi1!F{s5pvoG#`SGb>T0uM9`=Vy& zIT*$D(ZHm>%tDWN)o=UT#druC)>DciE~5j(l*FVVsoGrYW?Ir(QM7zC^$PaO09czo zW`&%bO)fG$kGodPqrF}Y2vd= zUNd`;6Cn9V&-nBQr|r~(-#Pml&!}RL0;Xpdg?2q6M3-qWvFxb#tMVj_J+oPJ_<%Dq z!c+9KgOJXzj+~cTgo4rFbXg?J&F#e$gK#&deq=RIBo*IJ5tvBr{DxNEO-?5hjjBHL zG|JK{CUVL#L1fPztT@(~HoCNe&vW1Q??kHs-A{vuhvv~E_A*vJ?A+FjbOw`(7cU?Z zUV=(!*EY0onEIhjE)@Ons1q8Y`q5fKmv-B8zdC`CiM&NOTTBEYe`vJJBrbvhv0y5e zj_&kgpj~LU3&Tr26*4$rx7)QzRoh{U=R!wcm?DXr?!@wpeszqVGC;~&igo1srF&qn z?OoF0w<(Pi&Bv+!w;^}=j38y~cdavm_j%A@$5Q!~ZXdS(=#Q8VF^tIZDoU?6R&uN( zz(R#Di=RHVHUDDgH4l_NVY>*F*`(suDmNik1}X)Cz;BZU6t4{jgmaCge} zZdLe2JLX8cA;quhIkV0<9eT^}sY|cOc?U<8JP|JBdD(*oBPr6{$8RgtB=Z?8Yg+qjGC@KAK-BsP-EjjNb~&o_SA zBcD~0G7~r~0zpQ)sArx9Y}%Jo1wbh|dMmz_2?caPA9}2vfEaE%igRY_r|b96IYYzP z)7f9hNK~B9?j}r7X`cDbDE<+0d$NKf926eg9!NcFNyjb;t8>*N%a>3+*#&oh*)rog zY82aXYj$vSvGGLkniVH_YtfCxQ?|?&aPKOIB>HZ~@1+l6{-7$>hQ1k_EItKM_ z7}=L%0>^msZ@QsfH8&a7VQWWB6JCNc>{Xh#rqXkG9?hYU*^RcgW@ie*JI8c%0%k_+ zHSr8y2E*r34*~2wid21bpHysqFC!hl{^X_sgrGaGAs(nJYHc|;l>LCCUC;bIsR-jG z$S2&^vN1Q^XSJOgK1|`n?tBdjc}+tP3`c9^UR@a{anQL%*z=yrcjZ7t$%G4?Dgf0u%vWNI@G40CO+W0 z|7%*3QtHZ*c!7>3N)#K#et}It7lKU)3rfEr6FkVk^C-zSE?__&Yo6NHi~@p?)Cz z`(cjksFeTvb>t~7H_2vE){X61k(oRZpQ1ckgLAFFu#TK@Y5G1XR|d;KbCk-(9cWMw zE?yhFq0o^{ybDAdhkKvN8{>wmd4e?d z=|h^0R?>5@-Z$e7{bY5i%L&fpS7YcEGLmwuaskktskHA0U&60mj@$-+^Zs6GIfb>V zjv#GchR(1YUv01!FVH{V7Sp9R*d~GsxQo{W==-U*F18+b(eVX=LpC;X7@1elJ_6{+ zH_I9`{$69OYI!Jzk*g_Rf9#aIsB)Gn>a`JI_UbtA##bRYmzhxeT+%+d&z?=fg^F)(|Gq|%5``V492hgRu|^6FY)urW&XzC4=PccTKmuHSs#!+wZj5+U#eHxA7Mb1nlmQ3ulmUCU2dw-?ZXgh}s 
zaM&->Z1GvSp!IPMN@w91yGfQC=ZT=yyJCR-S~#Si^bCeQ(TNCsE}NGkqI%+D)>VN- z{>&!!fhs!!GPh;y;#@nOcq;R9wC0ipe;p>2kJQc_?Hl{|aYc~IJxC(P?mIx3jFMdk zbF=lBN>A8*+c>pNFx%xO3%fdnI$e*Ecw>HHYl7=+HE)f;elA!fIR#rZG z@DJjXQBL<4>puui>ToN9_HyMN8SCP_$}@&ut+{&Nf+nM}E{F1L(y29^Lzde>+BDD^ zr^3mAG`a}r1@E?$%xbZR%w8_cmC=mm-KU-G>JwPd@MUh+b%$^GIEnr;y1|jD zc8_bH%%f?uGk2tGE-PG`hz`3JvcRtatUb8&@Poaj(Zu(}q0X>Be!^3-yqyjAGtU^145tru* z4Y;a?n9D82_Y z!{Qd>{~>LC+54ZK-n8_ccVs;N!^QBygvUVL;M3K9d%pZ)7^S^Ie|E&csPQkS`GN8%yNn6q|*EHV#z^_m0!IK;D2x=TZt|@aT@^sq#Z3d)%1wL+U#ms-Q0H zi09B6AuOx3r3M5O7roHb4M+cc!&n9%Px+wC?X8X*c!8Uzry9QDG-A7%VL|t~z*Rw> za8SCTBl?*r`|UNi*S^DcPzbPCGlN(oNP;3^H%ATisqa5br*UG-V8ZXa+0O$?X4qGV z2?g3X4J&T;RE>swQ>yTmzSTdKf>>X*q_@1%K<;RTf$@mY+P%?CVZ;Onr0?%N$QEU~259s7J@ zYmKT3&IzxfVQFq2L`f`P2eSFdoUwD-u0gCnKsO(Pv-}vZZoR-hzuy{MfPFoN8y35X zaXqbLK$}V$k4wp|kw%pU%BAg}Hv+PV+!O6d$U*dJriv5ii}jH}SlW)g7ywo<^&vF} z^pJ|!F^f|y@EM<(0L-;v#jZKbB!e$0V}dH0@Vr#{g{GLos|`-exgtCQ`ns=Jj2^+~ z*A=@_trFg*o<4HW?fz%UKRFR^W&Q5k-C{Ay>kuWeWtJ)7>0Jkdr*i8}GN|^ps2G+A zAeu}PamimZm?fHyV>ytO4q5`42BlsL&ZAE$P`}Tw%SGKjHRFlyJl!fz7ACPSjPms+ z^(g#$k7#q{szkkYU(F!KEgjGLi>xj^|Ki{t8^Zw*4SZ%jd~BdZgzzt{(_Ix|`;tMe z*IsNKf-D$`f<`6nN=mnT3mCf^v=KhW#YDb?hHh!!kws&km5sKGZP-qXs9CS*2K0;* zo^G($-h@mHHy8$SBOq6Q$i}x;hi8<|I{$<$5hq<@+Z7dKZ;5k=#eO{}Udt$qb@7mw z)Mh3dXS9bnm716+GK(Qf>hjB<3)Alp@88FT(-U~`;aPf1Aktw=KrdN$G;g348#OJ_ z1-t=ukI%Q<28ePfMvl)iuPEpx*~wN+A&wrjqN@J}(Yormf}~FSP`OB}u6dCJCvPYZ ztO;P}QRw??=~mM%;~cmL^E`xoAa0uQ55J?$!lf?wuT!I?=XcMOqaTQ&=6<`T-vXwy;RV;6Y{jJDf%vVa&A0^~w1<|H9pnbY} zk^fB5#u?Zz?NX$ar=@9s;l1`Yrv8;#5=pC&%Ic@L_5&R5^XmC-9B}nj_ziBY;KCc# zu?w_^{|O#i$*nwXolB$Dcm@|^xq2h%w)EC!VG4U)pV}%aEf~{y;}!>jXH91=6UY(d zb+AI9&fso}g9wGyaRy+Z`u8R1I!O!xGR1&AG)v?G!HwQ{qUF<9-?}1D1M>vwY zOqrEpk9<`FGSvegOFXvV40E^m74X%q`cE%TN-g#}byGEJBI)l+H;4%evc1I=6w>Gg zKB1x!(>UjX$<*HyfV4jCdkhNKWZ&KwPc{acE!KELViWV#dtDK=QsR-Sf@*H|5ryH5fepwsw74N$!Fa8TtXb~KHkB`nVv zj2>Kkyn46HrzqBCZBly}5;)d)Y)h{5kTEh{ZiOfQ@&IJznf6Q#rg3ozeLUJzg&t`> z&XiQ#&|}W&R<(GOUX}ybDEz;3OZ|Q|>i#Lc%pJisi*ssCh7~P3s*gS_8MV4P#X-4v 
z+^case~AnGTh{GyuQ+vMDir?;tXO+4&yy@?!jl|(;xt0wJS>-X32w>oD2JeYSxmT{ZQa>DcB0T?EV8HuC?0UL{?B$Wm3scswaV|qhD0_ zE<@6SubOwYfLBeMIVA+XBFzrP31Jpu@573f~!07HIR5~;q9MvQAGWN4^wE)O;Cx{H=5mg)mPnb z8DTlWkHI^)`y>Jeq&`iDLk!=Be%SH={D@ zNM=#k5@rCFcxB3%4+#K&O;-jrDWvve<# zAx_x&sC67Z)X6(0ov~ALNky-&To7rCm__g;6?9`zb3T7iY_k)u#_x;20*riUbOexX z!F=L4C7Zs@4N)QjC$n@UmE(7E_s|tOoeoQ5u?%=o=GD23Gi+Kbr#k33PYM3GW10-gEX7vtz}*o8D%t;O}0tM?O)7r7CY0o!15SWTsi=|G3ug{57LKI z(D|pOgfY&P5O&xeZP{aIE^Q!B*2(;58-glMI~H>LExMUF3rrgJAzsxSfq7K9 zRzwes^H^68QK4+RmR~}1DQn=()g5MN92)LP!SaTCd|*1)rjW)8h(_zdN(He4E%cUX z!~1D$gZT3OxN6fUn{MaR?g%GAO!TO`VR6dp6$m4Z6B6R18GJz-G+NYeZncrA$k4B_ z?S$5o&9VnX2x=!;9gK7-wZ~w7`$Ub)5(Pgx6Xgq4^qFn#YKLM>@%XNni$l~x`D&P+ zB3U<~7blqZwlZIdpN(pV_r$Cp1MG;w*um!-l_zn+T4M6Y*~Donzf;)-2SJ|Y+Czmn zC^g^ia|FpowTYt7$x8keCGLxmhiH*ja{WlfX82S{^qKFY8~e#DOpqDfgmG4tGY1ZH z-kEr(BKem8jezQKFu{_}1zvLSgi2Iu;ZdA)6m(%oZx|Q)g5VTVuVVQf*rFx%@;G<8 z48K&;7C%yJ7inD|MCeK!yM{8d;eAs(IoGfp-{?Su6Q>gss-16DQM1^uYP#1Rc=bK1 zG#{v<$BVQU0-VZlunbw29k30(WWRfnxQtR$rs9u*LH5+6QaSjBxc*PNs!YTc~-#ehvkOGs6yNWuj8PRdxoY?(lR12&kVq7t0wkNae9qrsN zqr!y{q$)f#8H&jXmrW#A5p+4AbwQz@=ktfe%kGqZe0T%nbLB2Ci3Gg6`%9+3F&nc} z-O>iB{5oQ9UPIWp5f^?cH&uJo|4 zM8^q}QMAQrNc3+Y+M+)}m%LcukJoGC^KL917p2TH$2?zhqkXLI;{=K-F8)eW>Kmy& z_KWV?;X?DNB%(jX<9(%)w~6Mf33ArlF2vUgyA91lIK!ZB{Gq0?`H*Z~i1z+%w!eo` zK?KtUr&_1+x7`LpLyWkYd!cQu{qoV=0=ZV6WS?}ne+f>4{cC8R=^2I+{GtBY%~I}! 
zNECD>m7PNM-*i;Ak=f+?PaVmfmyplYG1xt5IxKKY9uY&#*=la-FQhTj?h$!ooKxzg zgH}Uz-Z_%F61Z`e@#+d*J-thU9MMw*f>_1tdT zW)`fq$5>zB-4BAm8a4wGF5+%``UR3>p3`4)x+`_^>eG|xl!b6>!g+rp=7MKI!8~!tT(to8%cxvP81?#;N^XRv-C#YkI)DsM1hij z2&?$nprywv(JKZIqwFnI$0#WSCZ!hMCe$9wb?s!MI^w3Lh2Hz6-uZ21SWI5`termj zy3M0f0}=@@`0HDl{bu}FSO{#xzp+3D)?kEmDM2Q|5QmSN$ii(^!8au!;jl@h(-w^;6y7>E6mHVOhu4?gKvhfd1hJ4 z6R|TSG+alv_kG*paV_f|X5kdeUMd?bdQ+rbNvmF|o&lCG=lqaV9Zg$Z4{~tGrRAMp zogf(hWmsD(h+6UyDK8hbfU->`-{rfgeDw9a5z2*C#tL_Z@C;qB=f&H)GXW~cAD1D% zqQALKYfIy&aPqu8>~}$xSK==TtXU3_F}`EgEVe8Z4#MWzTfjSNu`CM|)}8m;Gxd$- zN_XR$6Zt%ui^_HHHg_E{XN^5jm3fF%u;vwpGM*op4lu$&GxOLx4~e9|p&u;kmEZC4 z^=X%pD@bH6=>i*HqG(-|{>>0p!!YvGix(Iw?{Mu_n#^Ey**7k&Yusd10Jzm|_4Q%~=9+}Jm==ubd^IwWl<@hkDz{Jm&Bh!9R$<3IZ`$#&A!x%Hp`1s{l|j+3 z+uNQao|JpQ+$+3+CsArQ8E@v;@Sg_7A>PWTS9C#>H>20&k(w2oat~5EKkp{Cpno5m zG7nYi6QP|OuC>E!B733nPvIbvE|+zwYZ3w}wri_w#aSk3vOnaN;vXtIJ$qv1QR`}B z1QeVb4Zmli^>GNOau)>AABm6pUWVtD47Lf2f2y9P*WQBhUzdy*4u!ON$n@=!qmDZ4?e zZ4Pcp(*CUHH1-6P3A2l~yp%nU1mTiaEC24IX3HcN&-m`WrFxIKuUo%))K$!~Cr2-v z2g%umX1V-*-&2I|GaVX`>n38`S(Vr&eiR>w|C#F?caUIhBNr2P3=avrE$VT&>$r9J zCV^G^U50uX%`XvsAT?fmE}gM0EJ`QtE;?QA&m)0REGrx}S@v&IZ9yDbDoyqv9?iDB zA($uchKiJp!Sl?HDm{5=Uq39m#sblc$M#cFIS`eq4xsQaRKr$TT#PhuL~&675RQJu z(=ZyWE8ARXR_hj{#YWQmm0Ph&`D+IfpR5T{6{vpLOqml=b>ozg)MP(Ywj1-YKpy=v}*C{%&nzuSc~V=D*fkacsqgPHS#^M z!!`HQD;p}AT#Za$|LW0prHOw5W#MozCila*q}r-~6j@j2N~`UY*vv#|AB>JuE@h~> z;bejo>>+JkOiw@=xzBW1roJl0cF9;cdsJ?Q%X8b}n1RRG&7&Uw%8-jgaE*x2uW<)5 z!q-3Rh{^-nhyseRJL7#MVW)1J&CR?FHHZ$#s@{HPt|vxGRe=f2f=eZ)d4a5AZ}2!y&RYc(oFE{2q}=jLjS2GQTSk>CBhjx|chKXvt|D zH>}Wg<~5gU!0XrNzauR$SjAykl1lwPQ9aRZkZd#}7tJ0KMf`@a)#c8R$St8uw*QcY z(})GEl~Z~W;qx(Oh+yP7E02BvF`tus%ZUwbPN3-wpNma4xC8%K5QzI+F1Lz)%hHiF z_X!1JI4>H!-v62ImOd$Chm>bDoTA@p--4xSYT6Z}XzUeefDd(FVXKc_VEe^ZJa;T1 zb>jl|iN?YW4A1mgr)+p5ky!LJjfRp=r9=X2M8LNG(Qv*ZldJSST9nSXdDgHn?!W-) z7w6Zog!K=uPQ4N=RyN?(8bLFgQ<)I#CTL?s%I;&jv91f~fMp?9v9w+w8yxeSl)p>* z+VcW*SuefpjocUl#*=vLT$%C%(2n^`MwzqD`)4tl%W&4B>ZEZ5e2HbD^ 
z&hw9DV3>r@s_XY=@(>b~oZv)tdSQX61Nj75V3%qzrKzZhQI^wM~9 zBnMY_8`HI$(P_n@*F-!s=fjttu+}8Tzw#XWe^|bny!|#64WbINylUIU9^p3Olvh)B z^L2M$@q;-mD6LlD7;&;hOE28#9C~{XTbK9JWgjiX4%vEtfsENc$`zP2njcg240_eN zKC>rf;*54>rAx+dh07xuQ9Ss3)(N{1-MdrIQV%Wadb4(*5_Hb%%89+i;@2vPqkoLx z1Vr=hxl{1@Kr#SL5d?pN)O7ITk8SwKS@CXx~BqH3C5Z$`Wy`sfnthOu1&7Q z0=bvw<{{0uOun2;k+iqSe^O1@EXaPBG0K~5NF9oVn^Zx?nHLh(@5-x_7fOqj>yaZps3nRtBE+Mv2w49gR2pKEqZjK7emxR= zyV$ZDt)2?XS$5wpEI6=yzdg@?<(E;^o)Qa%BJlzdQ8$>n8y=Y(2uQX zGa+H>S)g8q8kUz+X6QNi0|Yt9c_%J6IHhg>j5KE^bF{YX9^-JL+ir^VEUv`c5I4rW zRW=e#SbeNr6f*NzMEf67ng~HktEw_=d%z7J{lQ>$n%cZ^LKkv5ZJ1s_2G%D0Wp&S3 z7h`qk=}Xe`Lx4PBVCD5>bk6KdevHmK3SK)*_cwxtf%%f5Ot4p(-Ia<7MVF6Hh?SSv zFs+i~duWz^t6j((I!QTW57v$dG}G54in>@S!I*0XW#t@6_=6|=iotO#I*Qxdq~nlg zeb53X)8IVBp2021dx}SF+Lik6IftRq_67reZaZAXpVkY1X14@aq9?i*11NZ*=_)ax zM#?fzvV0Y@0T4N^w+QJl=G_T?Nv``K%_Xrla}Ao~yl|TDmFG@PdKFTFI zF`LgB8!}|JoTY6Y9l}ZDk(De@uqvi>$#=9UHD_%ofPe&pF)d;Pb3%=+gbU;GO)Jo24p4t-L15gW+dP)tC z0wpSN@Azf=4V9tj!Eun*R}V}Z0pUqkt?pTngPS23_I7xA>=^CxCpJN<8D>A-J$`yF zdY^?C=4{6`iQ*{;MLKFH&q6K{va}(RtSQ*n-WL#lz19odQgj=q1anQyTFiZG&l!13 zfl(Y|!JrSX!B?lTyV_V5pi4oES4qJ?E#pRBT?5NfE%NLbCT-pWOj>*oJ+>vMcJrrL zREjZ!T4b93VD}0=&r}yrbTBb0GC?>}8|RlX$UsjJWG? zK_@A!Ivp6^#elZ2^X!#9@;Vn*m*c&cMSo0d^>x!)=8HW@rL$299SrU3&Kp{XKZcXU zRP#-KF99sHMT=_nmhbvb{)duwOpG(nZ|icjTC!H)zy8?nV}-gVGw|dfaWThBh&eCo z4{m`Ky|~axUVhIOs(?xe-C4$+@1`D~F1BXqGou$(xm2Dti+5=F)QQn${ajP9@q9O^ zzqRCF`~MK2eZZ=L1gV82CRIEuDnxZRx`ezwjZixcIke? 
zTJCT!Y2{!Gh!-qvHw7N(A+|!DqrvEPk(Pl?oKWARcdDnmK}M{TAV1+%JzS12G!CmW zw2sm}e~VChk9xCl<5%_m9X`9?3brckR&mftgOy>^NTKJgV#ta_wyyk2Yn}1+uN9q$ zCpTxGT<=Y7q04fYm1wK}$RY_uYiZ*gG<;p4Q`V-`V30f3xnsvf0zd~LcvFt;_3?R$ z>dE4JMk7rLdNsG9(B$=?9Ew%`fAOE#@gE-jV(*aO`U>^K+ zc1ma>lvpPKLVw1Py8THZzJI<>ehy5Z9QlUN7io^I8vkq&*DsY6j7IdyCx%Ay3Y{FS zRmx>W;9rNSmLxYVPO0HlQ$VGT&Q0PWIU>YDM;1A4N@`oOB8s54Z->^tiSCo)r$jd^HIevl zs0e>p|MJ>?YU%QmSAOmteyS<>G$+R5a=+R{7%6$No#c9?oU;&nnPON5af{ZwRHtQdrX1kr77bz~=A49)FF@tO}O^8+diqfjMeCMUuBW)i>0SaQN9^x1RO6vE7LR<^OY3yZ+%=Fy336p==M zeQ?Ci3^GYssvX#}iIqAsrK3%#T14bhDw6M0cvj5sexp8Xok2qk+?7{UMOdgAYrL}2 zD8=Gf3F$c8n8}{eCM~&G1?F|6s^81Qj)cPAA0E3dn9p$Nj3d8nTF8c8n9eWBrEqxd zF~=8PQrXOY0N(j%Vh7@JS?BYkx@IJ>ZgCe`MA=VoRc#8HdlY{GcTmd`xyM!{&q$xI zj|3p5K(Zr&Q_@WNU%0dySuGQ^7Cfg|S}Bzg(v$ksir&aD$)|>+&|}EE_N-B@Ku?MQrN*^E{JZ2gPKfyG=oI9UgI}f~`9YSg1!?Pj6I> zXL+?=7GStZ;nbyaVg@7=n|Y*JUuXqME!zb~5W|P*|+H6fITfhETG88H1|2_BNA;K2V_GEiG(l>D-%3@RX$v3y3QhaJdWTbq&tXK)W zRz{;G3DY4zSnx!hbkDmUtm^Wa^)I!>l3pZ?H#`5CqmaBAw*MX7Ot%05d<^jp_hQ+I zE_CWzc6VLu-$c7hSWUABXGIG&;2-!3HcJaGQ;#vJg;kBsWg=nta5YY?ahtV$$VOEL zsvwZtt|`w!>a_jb+r$7rD#!d@%NfwpkxG7#`*`sqyJbda4I9U}S0J+88}dJ*Hqr_S z77g7z5Uc!_-(@YI_{kcF%#6sGnWNYTzY>4r-JL`Ux|#g~jXarjR4z|HSXWOKzBmJk)us0~ z_K(%Y1~M4;PkOQopEx!ngWZ}fHZIJw9`J$O!D0{v^e(pp>!f8K>uvQ!^~G0zqA~e8 z#2dMTA20M(bNv{wE;n~QHq6+QvrMWV@7kZu$rtr`JcZglQgjw|#6Z}N$n+A=T80-d zsds~SC z6KHOkvfJ_TWY4)+VzA=*=b&=M_U*Q{fp#%^SRwJ1`nei4ePzB|7^!XaPce8`O;Ahudk<3jSga_bXu+M&6Li7nt|=`^>mfvBzcxg~SA zd^cg%jKWu2R{C{;&eeaHo95xxXnZAfOODDm*y?sa}Wv%zaw;hxb9)xg>@=NGWLWz941{=%s z#UC09gpw~S1eeTn|x30rUJY<3PK72+U#LZS~&X+<||`kW05u?5>Khli4Q~! 
zYnAnh#j29~bM>+GQdSXwOo4{!7Y%yF@e8t(k*!Sx74K(zWwSA$)B7dRKPNaLVf^aZ z1qY{#z65FkS+o^vrk2NfFCn#s=_ZAI1>5aF8U-ZXW#N6@8iB%z0)NTn9}U?vvRIky z#Gz-s<(4tMx%pi8W^K*^*T443oh%UV5a7g*9Q*5~HXuu5t?SD2g1bL`$In=Y*`B~Y z`y4!l$925j*7e^IoZN-Z*G}7(`i+@`?a~-sl0sNCJbReg?F(BpG+!A()aBj`;p=a5 zQ=j*G?;{JRf?Wo!1$$s2x=f)JZJ-9hfBIP=D?Vo-f^vd(J{cgUBkjEJ`~Ehji-C73 z$HeX;x#$Q8Mrk%UFgNo1W{R`JNC&{V52bRclRL$0Q{Pe=h90p`3BNq`Yu>(O(>^N^ zi9WnJpjwu$X_)Iq+U*d{9h4fk-;lzjx+fTskp*Ktjr+5_oqux(5*o0VITuT0>MOzU zFRT|A`;s4_T6G^)`vIwJ$Q`rq2ttN4Wt;_XfWUtf1iwokTaNB{@;@AR`GUdn*Uw$P z_|9|qH?)1~Pt5rp>3aHu&G^1+a@y%mCP9QPkClV$$DJLiVO(F%!RcB|mdt*20m5#6 zk=!w3;RK);@aq&3LPX@sjXXKSfL(WW$@9l%esWK zh1Mi)g0`A4&_YGs`XVs_1A@sOvq#TZkCq`D5GSoXH7uMk`8L0@dLw~(M~nTTUC5XsVwpu+#4oKWnVQHYBO1epS6B3 zw^X7|!YY>p&RRqAN+v@GIX?l@y$<&8@E#L?hAgbb@=A(zSZTiI^Q>=gY5l|vG!4&l zUEcrWNs*S6nd1fJ;r)lPMtJlps9x8{F<1;a_l9ca41Pb`K`(zzpF;&bF_$ZYe&mz~ zvAz_HXkjwA_DdasE3hc3L>j_F=Tm@%Nb7%VT_N2eVQJBaKf3e*Jv69y-t8u-y^|}G zKr<8{Ks6%MFlNwLD8)rDtPw#tzjhcG4`sEjx}?2+(Ci@${gZtqYcj=`aX%g=f^LOL zuislF84DTigc3fL1u`~3Kj=wLn}0{-;c&&z9>ue#p3us^B4aD(!M*m+*NObiAYTKL zyvO<`8Ad2i1`+>}nA(BWC2iHum=4dth6SYrB$}7wLwAj1Y>_CG7ditc@YDF_FOINv z1ZOo2@2lvyP;$rE2#`38D5_&V$cS6=N^_xkHy&oVPpB&Kx{{+&;}WAx6ke-blU-GH z!g)SGdX?uscpSDX(dHz9eI;O=!%Yz7Cm`=z$Lq^<^*VFBNY=P-+j{=Um}Vm>Cv;Z2 z;JquLVd{~&HDml3q3F>NvT2C-=UMclOd<`W(I;F%{iAI{*rtpnM!Ypp4u`n2y?SnS5L zv0M;7u6~n!KxQ*87S*GmxMqK<8N|N~YWQ%*GY8^{^|GCsC5LFKg9^#szKdU!T%1Px zgjQy&KT&&4s*NM74IH1w6xhbS`}QRJz;{iHbDKr=p==r7Cos!K@2}j%f0e6?-)W?A z1>A2w4o=l5EE7r7gB6ED%I18pwhl23NL5j_me$^>al)c9R|%U~v>%*Y*%O`+zxQb* z9b6bhuVHYc!%)(Cc)7A)KOutbjN^=uEdk&_>pACdZwtTnnNqyRkg0v-;$Bm4|K>D; ziR_=`C?c8YvAuWyI13SL!Wt}J{egY>8GiRd@qO!4-EDZP$GnZP!%ZS(iHM@)kIGFQ zS>5-)&KpMZy53>T^QnS72ks3sQ==#Hy0z_FpH%8NF6;*cx<1ouNi^CuNfamYuy zjj%qk)TKFD3Bsei_^nQKY~W{Wgu|alvQ$6g&u|ERyb5W#fi^!i;Xmt76wl1)FZ{Fn z+99mY`TP>OOE}G+&4H6w^U<%+@gw?+DCQf~5s5HnX*!RSM8KymnAk589V>VUQxWkf z^kC`ldg0rIBXq@(crwd)-hUB05w?ypHP$~|e;#97SYGQastX5S0-C5_T!U}F;z*rd 
zO?bt?#Mm{4CWV}h9qM+B=*YT$5OD0rZf=h$a-Qmcz0`($BcGwo=c|fU^L=L6kuL4K z&IU$)GDWIeEtB<9y)PI)F{M1KnJ8>9V{8i|WBPkk1-v3Rr}rC5SzB=O@x;vWlwXzl zci|BEJqm5Spn{gfd`}i$@kI^Z(P4z*UOdLH{`5vtc4%R=XoM@-{&KcF>}%fg%d=%$ za(;eEF_m6{OYbmTs4oY{J|Bq9cpYj-b{wl@ZJnluiw$FL)S#_z`5EmiMZ)sDS|H}_ z_7}P+7;rCrCqJu9Jw6x;<-3?%`sYrB6pYUO+kTr^=x?<4YuEeVvCyWUAqLi9a}=66 z_!NsWt1fHf66&tSQmo7KDEJq8t;mN895E>W<|;}z;+1!KZ~t4Q!i7J=RB77Lu*fK+ zl>FbpnLsC>d^6|{MQPX|E2-J=w*$p98d0evxjwWp83uIZv#bpr*~j;KbE?z9_I;H? zy>5)EIUvBt*i;QV*OzT}9OHi^ubLGZ`Pm`dWj%;#Urf@2@q{27WQG5;bbv8$=Xq}0 zAr_%@l>(Dqa)T+IT58)#=mH1B4DOqA9R50wNe(i?%6Bk7a~i}^Xvp4oXb>8?i4HCZ zK&FC19UKhZ1uRcqHMdq`3?!oWFrK z*c^2O*ZHpK(w_}O|Htck6nz%edD??ZU}dDwfdrZ$Kgseo(uOd95A4J4g(z)gESUCD zu+wK!@u0ar;L{9IKusyHYiXRDcSOpVLTU!(XF9ZM3q^+NP^}7Q^^fCAOXzdECFk!E zF*Ke%k+C;F#MZSPFf_Wp4z*>|8{mMy{=5p7JpmH++*Ac9Uhfgw`Gpbtftuv>$o`}? zcKDmJz*v$bf;PO9;@=m5s+nFp$t8Om)R30UbP9WR_#6Hl<*n`Eu#5sqY>ha(>am0~ zH;fa0(_${$i!(rm&L8GJFDBf&rrSOAcL`5MqYdezFQEah6=Sma zjBAvgQ0-F(@T4XbWS4JMGZhKvjJR+k(e8Icf8v^(9B~}-Ym|k+GFt~ayAFq8VK=O1jP;4`jnWG^z{IPQdf((#K5wBbMSsqc_L#wm)ItkwAKNB zRwV%5zqpo`SLa{qq|{Wmy6+EJp2IXR@7{su3Eu?baZfF;NbfU(5i$&!WayR&YJ5R? 
z_-(^M9#va@P0B4_2KD*ET{D<0Brbel%6K?fMinAF|4&_C0Tfr#wLL&^f@^RH4#C~s zf(8%n?(T!TYw+N1!5s#-;0^(Ty9I}TcK6%e_f5V3RNdQkr{+90-F^D>>Ap{&gCjsR z*HHw_T2}wDBP&@FP)fcIXtePW?G>(D3C$X(}wtWHI9?+1_*T+G(KH_iU3kFY}zvnG}_IQSN(+;Z|>2k$I z*HuC5XG02Z9PIG@Z#ph44{2QCR%OVC&}Um6w&ZPvJD8ycWoD1NTcn$Mg>)_3Gx)x( zVH=nS%Ox$X9Rq5<;W2SVcTephYB3(2H;G4Qcq1BmeE3i1p@RL`p9x`sRFzzwsQ8!M zfVIK8E|s6`^LNW`KVIa~JNq8{&OI(sbC}S&K3{EPhZ)WO;`k3juBK2BXxVN`a=|q+)*aEh=QToq<4)qRFC~c>-OhiYdcS5jO+fZbha=Wl}0N|Cc@Q z23yJgl3qRZLQ8x@nKJlL!c#n%H=}=Xa|x{mLpRS05KBc|-d@+zL3|cfnO^4?4c2ST zqHl2(CdMHG%Ehqd^ya!d!m|8tW^VJu&+NSUQwy|!U~qCxfk(e!t0N>?M@6Az%>dmjAX5wX4Nk5l*?Ub%M61u%kT>0mBw*l z3$2D;GlA)7LxVv@!7?rDz)vKhPGFZ?VSSf$6eQtksT&URh&>f}g2vaoFK;5=mvQ%Z zzkDnC)5tOV6pyy^7cXD`t{jC`{k%b2M4mkz^Riac#hl1361yf98WJrla=!i${#Tn- z^I`;1?m1%rggnzj%pLPVLH|T88E+Iu%@CH-)PY(&+8j?wQ<|RZx=L-8bT^9RLnU(B zx$l!<)OTHGB~G3mr>p#QgfmLkZ*h(Dt+&N$)#}UxJHDT4TBLR6l}+-~;mvSD55(Cn z)=_s|TTi=f*S#Dta{mV}w|L(*4ZKBia_zslB*VJ2XO;CymWP zMG`GZJgQ|x5$*=k5lk4lUgF$rP%#XV{1#qaxvXn3Yy09%GA$yRF)^Z{)-y_Ub!Z{! 
z1Zf>rxY$2g$ZyuG!v3fk%?(@`nWHVDzt7GGnd_T|K9LU&l_g_*ib~TC;iG(mv;IP6 z!O+(r(ZAEEEmts`GN%A6vvbK)D*E;vk%Zd=nr;ysHn-mE$NU(N_1C7w)@`=?Ilae1 zV#34vo#P@sW3-rQha{%849h#CI*~}u>hH$W-)Je}J2~S?`vQ}LWv325=wqsp)9JcB>RWJbow8O;X`%>=XyzbH( zAjs+zzCXL0T@}RK3Hxi8saLZCAdJ<-fmb#_l*6B)o>Pnw)mhbDWU-8rFHYI#9F_lt z-axE5Ka>mCfaxqinQ+O(^hWC)#c43Cwucvwca%M5URFWI6j9)k0A0ps7`nygO6tVQ zH%EEY{@#+9_e@E}H_qLZPw#o*g&I#MV}o3ff|WX9i^R?d=}8ytusJAmBymITKkQG& zHXGbur+a$9cbHv2x~&5xwfbYM?< zf~g+D(H$#Hp?!2;CiPc_Mo5luf>&c65WrD;l)JuL z1i7W;QQL|oiny_DlK%Ys_P#cMJ@_u5&ENMBAy|lmIwP}`!WE7#L88y8ye1Bb}wrF~JjxU@4rvS{TRNpqljR;L>-lc?p6Hx7V7Cx0H7wzRMW;4{G2 z3Hu<1&7c9q6_5#}-vZ{jpVlu&L?1_RKp?=zEet46cieX389BNXdbWOI+O1cnwXBm`LGx6NI=)p5RS@^%zv zyvtHgFRN8}e>_#Y#fpMN5jsg6E}<#U?n;4ZVRIQ)&8p-g8N?35DSJ|5oNT$ z_%&0N^}1W}@@@-)3xiv5%SGU_!M1X_&(Q0Gw{Oxh(p|SEi@0ULgzOKk^Gt4-C-)U+ zr0&Lf7m(U`R#5-ekBM?JhZ=AyIXesE>Cd+8-dHak1#GkR35KL($>)(`<} z6nmgTD3oJgfXQN4&d^@r!q@pXr6RI(B-RE99x<6SeRC=qD9IRkX<}RGkYehQ9pcdk zQr6p99t1^%5RNfA}CldWp(BOFsqN zJau;+9>E3NeLQx#Mrt=zEo5M}Qg2BFJUGd8`FaMkx_OR!*8In~5}h|(zVx7BZY483 zo%>=YJxz5J7D|h#Jnb9gl7I(5Vd-i2&ntE%1MMgGutDg?GsqO;_ApzTxiVpg`9i|b zsf%r*!Kuw;bN#2ZK~h9hb6LJ#ygA@GFz-u)sJYA8Q0yW8L#v8GMkQXzKx`<%m-cr0 zw)qrXL(8(z+wwI{U*T-!-q@kz4N4EP5wZjLC^y~3$o+s>sa80 z19G$(qTY??SZ^_;QrX5Wweyqv6qlqo#pfHcrqHT*D75GB7v$3eeO~;opcbej?*?qM zr7r~R%_vckP2C{MMX6(8-qx=PqMw0Y+oLcJw)Z!|JMCi&?AEc+buBRa{CU$0Q5vX0}p!S zJRvgdTD2-H6_`>XH zpP7)ef4*`J?hIda{G6H1vF0R=%@7J{s*8N9=qD)lSM>ap(S~E4+gl^zgHkO?fwt!D zp1wI_kl&b)J^&YaX?R(x34DfrPN)8A(*a%6J@;;^asg=;#89U&QF7<7QIA7F5d!&> zKr);-l$Cu4ZJPv%e-B$6c0e;Gw0Cu zfqC@zwVw@wn2{oh>v?Njp^u-+NS9+44&=fYcN|qM0$cI~V6ebR9%rIS zD{mr&=8`&RXv0yu@xO;Pp4IozN?w3Z$uqY@xdW^9`KDX8`^GZ!SnhCDoqI7vZ_c!v zzz3b5y7VC5 z`-@#S41+gJvpYlzM#LHf(cR*bM1oqEAw4P~?^XuY&TLbzPA}Jde7>d7^w^+z-a@kW zfkUj}v=LJ*441{<@Nng-C!R}mm~H6WG|f8W>X5Q(G2@mwZKA4IX$()h9V9Ld6!~uP zcDUb z>kOTU9GP)S`5c&T_>-6N8oq8iu9n0561V0*RSO7O#eg!w2;1VC=af6h2|NYwVSuSb|~9hVxExA1wBI=f4;~j zfBIPATr0ZxFuQ|V!A)mz9O>4|O~-!ReO!TH6ZL1jV|T?guU2~J@3q`!6pDmtUlu#r 
zoYVqlAr#NWBfh*vlP;W{DSRJ5{Aa-9j6VY&cmBvs-g4f*X84ggk{WNg?4)KnL-a+M z!eZg9Fb+}GpHSLmM)kAxCV?+ZVtiSN5!XOwa@qCi@zi*5!icZ{vl#_uMZ|sm^LvnD0#hOOVS$x#2q@L+Ei!iC4hqKsV2r z{4NxFt?i_(acbOkw*oWXjTB#%{?U;$fMEvn>WqGbi7TeSz)v8*Kyy!hhF5pzr1dju z$RuW*Mk}@|2g$xpe~2*&`gIl+yFG91Y*u;k+1jv#_sid}AfB-$#=@nLMus9O6>>u7 z$-+<8j90swm&Epa#;Yk)qt<;@c=u`VE_g{+JnE8)3fC>wVrGh-0cU;fIm!*wYavPI z@jJ4#l{MGjV-V9Pi&BOzO3yyk#et8|2?_}C8x|UxYgF}r`hc7A{N5n-gRJy^pwc1C zfNPKCf=tC#^kv`WfkDgxd!9jy>B1~TU+%W&?dB=R{W;*3vd+dq`#Pbt-C~jEXo}vK}7Wfl?Y`Qz{eT)uN%_s8;W>Jfk zig}MSW;-vo>O~IMk zl>0?kGxH$GsAS(8&~jA0-4Sh|a+a)jKf8a?L@Yk6xWavD+8{ey5|D)AgGkLPit%>A zX^lbu=HaL|14op5zxg5z?J%8nHh5wd{c(|lLl8ew#O;Ge$({>NI%`ryRfC0kG>cxO zari`yxWQGGDu#|Fw^<1qA%qo2Rd3hFe8&kzG0z}^4qvEKVJ8DU1w*agFlb!eA-1iT z9kI%X^C1z{128MciE$FCjivO`>)@eNy3LO!Dv3CQhivpL_Vd|(beg!Yw?$Wm{OM0Z zop*cBIZ6^)SkC^_5+uIYi zVP*FeOqS8M%K8Ags_~Dm;Dee})N`+c&1kp?T*R7pMDJi!vZmN$q;p9s=uIv1zdt11 zfzJX>X3=0Dw3$(#wDS_!zv}t_k-E(jDo{?^=j$fRYV)4BP8H=5pT3g^PfJM4$SP$) z8I};)&7-hUuSXYC0@o=4(88!Y?@c4UV@rc5Bki5Ah3*VV-nL@%d+mxScp2p}JX#Tj z0-4Zt?GBvr@Vdt~LE7kmq*vg6exa7-rTp4!+C zwdE6Ch>3%WeD<>FeD~+we*GN-R%re7*7LGs)_Q9z2*2{N=)6_jZhUzM(~=@@2k@rNy8{V5g+gs!$6-wtdjp3S^h`P941|$1 zzt;F!U($2PCFLJqz1fN*l>}HT$Yy47f(fEUU;TVLv=V8=xJ|43Y zaY8J*jvtgR0kgxn<@bWGD2lRBZ!iG>031NUcu}L!Rs1Cu3IG^J003~o-@02fy4g8e zIf3aT&Q6Sf7Azm!ZLFi!bevW=P@m{<1&Y7Yk6I?6u^TNpWKm1=zL@8bUP_U{K)`Tm zsrmV!l-( zs#JO9-H%{cc9yKD!TN8TA{3D=ez&OxEgydH+L6efu4TacOcToF`3o#pSu`(w5I&Sk z$)tG1ar;^})g^^o`mGX=_X!O_X(f)SEsXSZ&;n| z0J6ae7=Lvte|3VqX-c-e8~A;~Bz>WsZfeRaDjIsvnWgQu1;AP{hV#PnFD6WCQvWV) zpr3!cn%1F=&`_A5e0P_lste{C>G4U%YB8X`1+5Zs6LmDT31P8LSxP@?qR<^4wQ`-h zu((#|Uhqqjh*Q|)FltUB+$KYzEHyRNGtU6pqFeNsxHC;IT)(*;@900 z(0QT-he2OdRZ`a$*KpAfWOF{?nLU^JZi-xBe(n=xu#PomZ~7Pyv;y?MPnMy^m23<~ z-K3R(I~*FwLBaPU0{R7tILnzIO+L@R67@VUb!Im&5N7P<70L8U@t#ErdeET08>pOX zAxT8s<3T-;WG*rYOVt}D9?4(NEkgD;p49bvA8a^oR%IADlMZPP=dS$y<3c5L*aMWbx09T z=bX!OGes(;xeK!<-#{zIRo$e>8;QbBGNJV_so1O64r}p!b>^VX@+c%Wl$jZg>s~@L 
za$k{&zhYN4X>ESXvcHO|O0B2HT(?lH!brm3?A08(%xO!TN1v#OKI$&EWcd&oYnN~9 z6RE9bRc1ZjsXoJw9(AN7pRBe0{oV!YSgR;Hckc0d1YMowEzY7|aLCHhmf(L6Vvc}G zm5nz500RvG@b<4k?BwiWZQ}ID$UV_IirwNseO3SJeYPWwuI@i8F2Y~RpY`o?sU8%w z{+tIJ^XKNSPTwFtfB4Co)dQh65Ygn5FVW=UfT>0eLw_}0RC;5$g>uw2meEpmh|-uk z7jmS6MF_?R%>oYs7TvK_iTE9^D1``ZR}F~!Vu-#l977o|8|#&J<_ zER@wXp>*cX2MnSbZsTIErKN`Hsmfe%Fp4E7unOF8+Mkg!WDGqgPbmM&7Xl%d=d6L=@?6hjX zds=YRCSUqxfO0}ZXx-(#O@>3e36U*>S8h&q&tRY!q%(Is=xWEhKw-yUBq+UMtpHPX9#wuoIcb|!PN~bMj|2}mIO)TYArx?j^ z{35{G*rT3nd<8fjswvUbrBwIPkiJVUGnR`egqPnYdG{y2B!*QCoRE&!AUC;_(r)cn ztJfWaUm=_oj`OA$v)+Q)TMWnq*WDAomaZF*=hp#oh$GDLY4Zk3!7&CVwc!LkZz2#d|?_d|yZR$25o2E-lw%snbrs_JEle z>`OeZlQZ5N;LMBZO>L&OvvVFH-;Bu0&oE!d_DRr6EgGL&M;UTKSv|D}%N&n#xh1>9 z8PjxE7{0~w-89Q*j1ehizu={XJD-fr%!HpgF!rJ}TxHk6tW{>~rjKhMT8emyBr+b5 z#urTPho)?O487b>{hr3umbpzTTqwN*v-*yJE75YriM-e6j;1$DZ0--A+bUZ*n9xLQ z^)-9C9UzTi)E*VxQ%Szo$>;t;yAa3hWtT1IYsM9S+N&Mx#p^$5-xP>AC)57)OATJq z^ZAJ?W{9V;Tuo2BGo|uyPY?w3^5CSpcdWTAGf>99?`D%2qSsS4(knQf0HBo=2Kh_D z3Dd{HloVbIRS?(eL98-TyupJR6o;t5>eiAuD={bAAi>Vy< zf_(UX1tQi*HKukJq6fN`?(stAl3UAzV7NxI44_+*S2`A(s)=T5|Abm3YI=O zK=xW^!BwG=;Wzh<{nxASC7As8U0Fxot@R6?wazM)d~~pvpOHze(_ukZwdt{WU8)#sj)Wcr%`;Rle3s$l(X&h%T3}A zj}vZ`Pr^Fy=~^3AW$Zj5trg0!G~Kp(m3~5rPGM;^h52c<4I<_2yCb$@z?wjVTp;`E zQtOO9^?3cU(V>uoh*djizFzpm@0<6LKO!T9RJpK>6I+FL?1XP?K_g_R(_3h-q-o4tN7e}M(I7`~c*xx$8SMJ=)afarHS@}!&n;Dn*T>q5ygPUwlXl=vNjcy~mnT4d zJ!^-t56f&VA#9b9_}PHE8J4+39;;E?;<(#8u&W_TwKbm1D~Y`BrQAn<{bPwucp-C}A7Zm=4s9H)OxBX|+{=CYQ2SFQnO20d`3ME!(jY_NIQR-m#5#}Bp<)E=io&iT4Q^+Wk}iGpXB*NH5e8Y zkFpAnOSf&`3-MZzdJQ7wia@y)%dOn|q1+m_{A>&$q1mQu66-~$>6%u2` zL^FCx4Xec2IDa)e!7bt`k3+^*)ZOLUW|?iE$wSzgaEJt@38^mv;_4mWXX(UK60t;W zv<<_+e2I)eS}Q<}|0HYQw$7Z=$s7CeP54-{X!iSbuS@tmh4z5MrY*kB+qh*?43$0> zpD{frfr|}Gyc7a7zw@FI4dL z_s1XH$^d||ospuWoxKyIfxZ17jr+TFxR!%1!XLi`>mJ(QqTtdWqUS%QjqDsv{+D

#qMU`umLbujo-4?0?R0zYG38L;Nc^oBq!~ z|J$hiF8sSC`d7F#<4@uLk6rp5=l4G__X_xH!0e4Zz}_v~CV zbIr`|MotnG3=Ief2ny&Y(NDEr|AD-Cz^4(wg9LbtYz^fcZ0#KB^zH0u-K?#oqsL%C z7~n*F3&%H1ytV|7zm-V-Onj-0=L~B4VjcMW-~vX_p6<#1b?&o#e?LY&#YRwvwdg?$ z@UVyQrm4DpNx$4R&mzORUt}#dVgUg@XkVW7;w<K@W@H4*`ERa>tSNo8tSF--!Bm&rP~g zd))fk6o*>mfs3=76D9n+704>^0%;m>R0KErDtAWw@2pMpMT3|gJk`IE`N`~|VIg5p zZudIS9}w3KSN2GYL*){xIW=kx21Zw7NKP!?;gm%0)8F|F!o-7)q{SpeB~=nI`%!aB zclROAg}7i{LryMUo5;_emnPW$FK`h^=8|a;0NjXxfKUOzxmnRUnHgIf|MQdK1G+PH zNn0E?q%O=OU$s;1zExF*W&E2+Ju`De(mg0M4~o7apX#rbXw!tPowkDm zt31}AY^CrDk~}ZE(cJLcIxW{NBTNPiqWwYSJZIE{i@IHJFJkEcVj}$_2D1OG09$NfRAZmyr*;g+f^`!4QPbdWg|{>og~ndoe{ z#Y-S&4&^`B%Nn@FdN6N2sUAgRz0o_Gf4opV%8+X<)c~cfK~O#Bs9QEEz4d_T>h!3d zijGxNJmR7$en(K5c9Fa9UA8!k#m{GJxYXEkr94OL;#Ut6PaiJ6rnXPc5gOzIn#7AD z{R+>4zk?snPbQpzYiD2;=L09eF8l>`+Pd9k=zfds<@rhbT)V+fUch4pJuI;*GM$K6 zCb-UK1EkUf`1*PvVs>asmf*L~^WMm>UEN~G>d|$6^KOcV=VIIUr)|mIi%lP|w_8mf z9ki=zpQqz_0^hE$ol0ij52y1trgYuEpR2R8Ew=Q$aeHmV=!qbKoU8XQF;2dRjYLN7OU>z|8RA5|Clk5~v_r zyG?v3Q;)}t8-FAju}1u9JZLFqn*hq?n3@=pR^^h(OV>{$rQ)uj7$s6GSYc;M2IX-# z0B{lwk@A8O!!)FZcq5$*F=zp>&{^k(qmeF{u(|Qe+lE2s*2DB3&9<}ldBm-xpm+|j z3@XA+ON5c~jB^fT=34z5XrNH?MyHIWpL^!;zBl$DQfQx?zkrS1Sf6;t`rQJ5kBV%u zk<=?XA7VHos!-h63j3~&lVO&h&v8tZ+Zn_lGE@>#YkyIMFcmB%`>X<|z7Mgme1M@~ z$YNQn#{VU8o*jD#B{%RC|Gb{Xt7%9w%rtTa?8-Uq0&XtWyzfh~bRicrHbrT|rPb{5 z*V9n2%&#XlkqI@UD}n^ohFMvzF@EFQT*F(AWBdku_15>u1JB=<#pLvkW@thqZ;6*( zMh8SSTC>{BF>Pv+jxz%bY-xOwMzgkd6L<(Jwpt$*OtmG{Y3&xa-vf-LVWVcW;mAjf zl^xaRUkS?7oIRiFl3FW_X)RM@RK}=BG0PwO$rrz8{JN5jk!vF#LbDC)fI^9dY{NSm z$7%I{iZ9lOYo0Ad*UHX+-Pn@y5ish&%qNoiwa0WjpyaHJB}A4J$+&ntIaVWIH_;Za zGnC463IDsAG-rZV~GGF*;ih z)6iO_(zxj*(ec|)E=Ofv@#c1JArlW%4GFD?s=7A4eIfnA9h+LLQn`fTW??kl*2NAg zZqt9%S-3ETn}W+vfjgtKIK#-l!!=1;rhs9mz=pRWAef*{K&`G^pncD?OS=pLzIqM{ zWXc>edflQe<_86%Ookq#E9Cp*?A7gO-;M6;JigS#byeadHR|fHN-cKZpBF8ro!%6xq zPbMi;CQ^2tu)a#1bwb?Bq!I=hvTncG~F~zsjC;_M+@YX^^LFkD9uZemc9(HuI%@Cf{Kh<-~sK36WHw zxF{h{BjI%P{T37G>(_*u2J;yfricEhBidDsUZI40Vxae$t7f|W`-kJNp_z9>Hx}A& 
z&MyxaSuX7px)>eVjJGe$^TR>RRZ zX~vxI8rGCH=Ns=z%U7(xr<^gfRGpQlyjtJS34CX(z1K9mOfS!#oC(6k0bc zlPrk_EPlU^H`7%Ql)YX*T%2C4U}B8P%5uH+uJgS&ZD$J;yL4L_0Y6Q(7ajP%(&&yN z%8lq~YRbR9wR^r)hoOo&6TKDbChtf(U%QrjPCQ^DtjZ2+q8n!7G~Q);-MjnpQv01ZU8vxik0-EyQS?>^!eVyeoG+eg5BYWM>z821kB}%WrLZ1U@p!-No;^ zVe9WTrxCgs@6xz1&3qJh$u|1c4~zPq)}Jx?Bt0E)Lit?~o@C79I%tQW`+8nS>Gy8qO>_GWf$xi!>d%gw%@fzra>wh*p?cSi zk!QrH;pi{FoynSqPF(2sn?N6A)`6GZpROG$ZTv@UsP+p_pUw$v-5X!r$Lcp}+#?## ze>ZNzoNRwJ>aI?jKeu(|S}yX~%}qyi_NHVu@;-THq|^@&WD|E=h1zJn6e4*%>?J|j zV9B1j&@x$cO2wNscB$4fd9eGk-WC^uc>OK#3(5xJc4b5rG+>l6cxKFbDsP+R^U+3P z%=vsbJs0;=(0m^_9^oM$hjP1bi^j$s!G`BkAF4x%%UQFEs{K`5@zx#N)?M?~9l?*2 z80kei+D6m1xvpOdo<)+@9*3uOh?&(}c09T-&r#{^jPT5y-oXdUkm9q+6_n4lf+7dcs<+}?!V+6=Q{ z3F7F*dO@JW1dg;OYFd3Co4o^8dA)!=z7vg!61G*Z3+kX67w2jCe0Rj=7-LEWk>^}4 zE;&k|cwT+ew5->vd|Z%wgrBck@<~!$8a^%5dRk{TA9;iEW0F~hT z&hwkPX>2_r_lT?PDEi{QDCYHI?n1~{Z?@V{G{H-E6nWG^J0ZA^55;(&-?UYyitkf+ zmu>i9&Jm(!mwVlTXDy3%adyc}cSkyQxOYiJE9&Efkps60#bX@BqZ~GgtxRLF3Le}( zhEnVP&7c}R5e)B!E3EVD7Yk8>p0mVlYb6}i_e^gMy7`sRM5wNbtcsw=3Jl|_XH@ya zkf@~vSk(p3u7hl_$IpC7cif{>2J5~DW9YJ~2ao9}%GCW9BeS0=-XIcqHx5FNH!F;% z0{7K4Yt?C(bky5tJa(=v2CuANZ8563s#h0pARFmT6GKi6>*{3Uivz0gRmb+^j^6kZ zxg?)7YSCIpa^(0-8n;%2UW-d_cYJ<#A@4YD7f0JIr%DfJG@36h2?j)DgyS}2_-G=Gr!4Ufh{4#t+ znPzKb}9cI`_CJ9;RvB(xa;iswX-S^HYlDG9SBS3~|||A$s+6AzhN(Pg=3&JMEO}8?H}3o#~se zY+?3o%8P5)4)an4mqq({D3kP6O`;g7(^f6$`dXD~cU#M`Y{qr6o`T{TdF}BI_ED4V zX^Amp8Jq3updT1_qgqQBk$%dh3K;_@_7^ziubiXL-)AGw3m3lSr5g>oy<}9^C*wG?+={~KPXnO4!4{CslxY%E$Eg!8kt@Whb-|DPENS4z0 zs+_D_<#-ih6=J$tS5_gL_gZk!H&$UiZbr?@jIndGEAJl#_pJeAE>%4rt^or_BLcp1 zpv#6vofmpN4EJ0%yw^krJDB=l#vIoMQ$OpaH_SS}acNp3mN8@$gfi^wFO7)VF^vqq zK8;X`7fo1sc|=Phi=2ueifF)d?`W<}cXDd3S(W@7MP<^pBkK6@&7yg&LdHsj+Ev!T z@=YOZ5V)za{FKez8d1Gezg1qx8<0l%UhentDL^zifnKTHvXUE+v+w}BfqEwH!-Opb75k+cJI zJ!W*sG#G^gId%Te3}3Vr?LAY&UrbYAL?=&5XB%zu-q)R+BROLIzxp5}WiEIVo0^bvV`33h%C6~1rXd0i*r`eW~ ze=5C>(uzV%vKW?A`>iv=hBk(dMddav7K#X=%G!}j>)*y`nczpeBY=686XCX~O)3?{ zW8WM4q)%2%z+IzG8aS4>bVy7ieBe0ScZVq5Nrovfic1MwLP}P6LhM6_c~$)zY-6AC 
z$NaMf-2)-z$pyZ!i0wi-n-e6f=HDDyM3wG(t+PWYp8>wCY-D16h7W9qLVl=f@a z+OAs0EFS2S!Zq6yRi_^}r`a$2P42DVfx9*;bt=3Iix4i7ExHsixK1wd-dd!Z*USp} zoIDp9fb%w0AyD7taQHv$z>jm83;#F`@p{4uGV_K8uj}cgN?X|=;havh0`=VXh^N|k3|~&AmIQ2`LkZG6 zq-g^ZIFvBtzDh|f8u#kZqWVZC69M376c$<33Z{6LAB;8lx|nJ{_!LYTtsPA9n9~g; z84WQ&ugh+v{|$+v1E;zx!hxyeYRI+taNnY^a)A+1r~l!rzKZf&O#S+coT-X zfU*r^co#~jj2*!U=0P!GW;^VMg6=}{{YYU)cDKex_$m%Z^&{!U&9i8w?ful*+ScH+ zQc||c&Y;4BL!+b0Taw6ABq$xPsaM8oG|Og;G7UU1678# z&UJPazYMg!XsSb~)*AKGB34+&p~=3KA@i+I0r)#%f2ld33p3vgRc>_={H-|;wKUvE zv&xYrPXz~c@A7%0!-O6|t|0v6vb)yD+qMBH?{d}Qb1_(5P2+mC@Z00%S9=XSEBTG_ zd2aqL%g?+KiFX$D=u_9CR{LYe566Qm-d_-n`W4n6Ee*Cs-$-;Zf|knUeTzqZzvPXc zqQrU@@Qx?`?2)@hb}=!D(I;57fENY+HB{xWtVe&jo;8cu!NpYt})OU3m94?&D`C&L{UC2~+gfUQw|MPLS z@19qo2t6_0+N8cz2yta4K7{Nv$`I5iqxgGYl#$UVyr1Kabr9sW`+XmC;VK&RgFY!M^=J_jSSM|ThDIvL-97GC$V;%#Nx_xd>cb? z{+)moJm7!RV-ih%+nk?$E`{cM?(xGVoF7gE!XE|xgEejrCc?XgcIz?#LrTVT>%K`CD6|2uMSwbW`GZ=;-sKv{Z8uohD02x6h}*{~O2vsTx9WKSYAcGBiCWb@fs~Gav3C-lC2QdX3Qx9e2(nj*J{LMi9Qt`8V4` z*wKMa5dl@?0>4)3ahK&``?83hv!mJC_1V58HoPZ$sNCCY^4gArb%Ew`l=)HlaiOIJ zWTtW$=5Rm?IwAxf;DV&V=8xa`vm3a?aypdZwnRn<(sL<09r-u-=n4jV9~-RxIEJV6N%` zh0M(kyb#?&>i*syJViXTk)N>eNR=MH^SEr;2y_L0Zz@ z5))uH7{}r7ez5lRrf>)gDwa@Mp#je5ed{ctg1m7LbFr)7H+f6O_Gyj>tyR0|(U{9k z$QZ7K2oV3q_=D6p9rhGSKh+1@>Vt0I^~$Y+5Jb6Dg(#Hmx%{c39xCP2sbNys>K>AL z9A<$a_wdrC0PWOP!v^hEXOHmqC~WI1|Z(|GPXk z2v1~XTEFFKhR~c;$P%ei(Ne5}7pq8tyrt~;HgugJu`<3(1oi}5|BppIl3`v;)9$5f z`P*Wrwao{4q5j4C=wyJc6^ukkjDT1NKZmgpyD%??!smBQORXFfit+C$@iG{?HNSTDM)?{hCRaGreL=F(AgKgNdU>JvvbNYT|G!*x+nGXX-T-?5}RA0Qa7wC7YhwQCU^k?tw;e5L=gKZSaZ|D z1+@J+f8$tGmkw_9GdmXNGt%NUP~w+)3Uu$z>5}-l9Ew+u`I}8v7K)Cpm^sJ*ro&u2 z)YH*%JW#e)BpU~!wLJy9*&lN`w1Me=UpDAW*D~^X8jG_E`RIQyTl8kM*ft{rY)KVe z24bGY9X}+lUdn|+1H3=lFGUNAp%ux%0Xo#&3`Q1HQ0i~`?`y>D-$RLo!>fXFcmFn; zV37c$+BP-FUg(zdJ3rp4*LF9qgLVlr*g@eB=;ZS%mY2Z8U!4JIF@$W{iHQ8KFDycO z*elQ`B1PN+3r}5dOQg z_CU=!Gd+9}>_00P@Ug0v{rjW(FLNaZzn8-(x9{8wJYc>F z*;3qsc{1J%^2=H`ChIR#0v=^J*B^dilsr&8|Ix>o&U8E*hQ~GGE!ZF2lZ3ByH~ZA7 
zlyAHBLB6_uA}B=+xG3L{Gk^hr6-89UEiUCAn{o|hU||OG6%j@8FIb>0m<;<-pFai& zeCP*$NpBENd0$NK5{S7Mcf67)hZ`;n@Tm@l#{|f$FNiye_wnke05X^i0i&1rR~F{;q|j60>GE3jAZhALkL#sCMFWqj*AJ_OBv+4j{OQv)Gc* zgBP*9{mXN$i z!keu056J3il6mR=5)UDL%%#LsHV7Bf{i zCXq>b>g31tr9PUe++rU8Ah^%H6=K=a+al;M;ejrf`8*0yTRGPu29$s>^Mxy#QStnw zRO#?ZNqfJpCl~t6E3}mV-}DP#rjruRhoN{yR0Q(JpOyL?ZsZ0;_p<^B?&B;la`fKi zzJuKx9mEiQ^%DR77)yEu{oTmyoP*#y>0h)BD=@$A#C-l3@CWUICHn7ylnZ)#tA@LP zvzU^cnN`%R>;X>O1Jf~=h#kwPfNn;XfaI;Xs{I8K<+)>zCmUub9+$QEjJ@2TV3;kG%DW@%S-XQ1BqMs zeF=acykk}MhiHW%wxVQjNeFKp5~Hv>Mz9;|BppyA5Ql&R%QBsV=^*1YUp&WB`Tb1~ z-kmKdzSOEaLRDatie>VY&qusC`7t08leQ)cF1nisZS0HnD_g}yE{x*Y6|&`wi2_Su z!>nH?D(_a~H?}MjUot)NR85wBG}n(Z{aQ^}7X|mi6-NeSjJPDNn)g+ThujyS*_o}^ zm0UgD+pX(OX_zt-EEO-Z%WlV1dXlLcyEJU+RjRF4!BwM7vWd;fp&REymQ7?O=LweA zDhnO_N^LrxM7(z*WZeyqRO<8dXSm&Jb@8^-3w3rHH%^=PMduJybr;$Xj%{Rzm6wfc z7uukImj6EUh;SjZ0Sv>)l3=HB)?}I~B4*99I$bnkC`pDJN_|@n$ zN0Qt_A!?|9y}By?zSsY?RxK8>mhgkizL4VugUb(af(2|0cg*x*fHRdyYYraydm+uQ zBpzXpLISw)mBA|(@rjV&T7b6)a#`d6E%j_f9Rx9j+&`sI9-rwvoZInK9L&U`C&UZs zzw+RC0P@N3&#aH)N8u++Bw}8;x7LVe3dGr5!InVDEzpEZg-41$932$6{6y|y{<|D0 zl#B5}jDWvaDA*Gc^ffeTXmLE@p89Bq+T*z7?l+OD(EzGC;!(y`=N@b(VgJ9}3ZY6z zI!qApG3gJt!q5T|;udjuqZpi~?ds3^aOMGWto-njiLOTc<4jeHgjNjQm9x<#N6Sv# zQGs7FpW)Oo$7ElyJ!|$_G!eGeH7#p(H4||wRgzqol3tj{_qs`tpp_N|xgIN%dz3bA60riv6YCa5h-ED(b>`|Yyu>#E}5Z7No|USns5 z222I&- z$GVsPR3$|IFJY^CAj`k25tnHS3<16uVUc)(5n<6jq%GNbKA3Rc$$lFwbD_lNn}_w_ zN|Y3rQGcN7vfj`upx+YnEx-)L*5$OB_tMdFG|to zx4h@g$NkOSN=a4A3d$#>+SgN7?NTD%nw7R|oV!^X>Y;5+1c7np;$0Q!( z+zB!MJgHBHk0nhSLRNyjW#w2|PWzLjcL9-4z%i+ZVyqE64SMqU(0n)fgz!-u&0fP| ze@lh1i5yG<^vM1EHuQ`^vX5LQZ1quh5SAKD7#@(JAb$1Yq?)=rVqKi-pR*5Fp`>(n z66WD&+rZv7b}Qfv9Ln#JO9E687?Jv=D;9L1HOjQ0HRW2YSjO%qFWiR9qzN}#Lk|-}$d%0;CyU z^vHpaNq_VKq!}-OKK*KA!U-q5Kf$jk${MMDvY^HIXQqN1UX}pu$OHH1gMh@q)N2*k zV9?*a#<`1_j2)q5fD?z_P{hpdiWxcyaQ|0LIovLLokE<7Wl}^%D#!4;m`8$U9+bj^yh>kVDmAry4z9 zR6tnXm52(~F1#S~U!&|+VhW>127S!>Cs(f0hXzx+Gznh|y^PBYEe(}3K*(d4O;9ng zq80jmC?b~zl*bG#Yz_iaXr6tz8ClD<9m!Wp1wJKNgP(-pKv@1NB~*bahZ+fP 
z0RlDmM`q9xeGWh=7aU39rp+>KV;&nr`gMf)gT&P(xfVdS2f!u?0+kGgL<wfc7NzPkRE@ito)DgsWWP4LHn>pCYkq zZSs+;xYw}uZ{kf_#nVmgMeunPE5l(w?ag(AIvuCR4G3wN*9q1x*9z8FWuWF|jVVa= zC>rEmy!vz)-SBK(Gt zuNf=MmYAPrJ>TY3_>lVtV*>)A{xU`EiAZRmA#@xP3h^JNAQD59bt%-~4MbcjxemD- z^3e5G%zVA8od_R$NuLB);JK=V5$Ozg2eD=qCEgPsMo3+x>dQrfJ{_UP1&s?tB8Das zMnOUP`a+RjdT49mYTa*;C6ls&Ucw4qbU-2@1QqvRq1&f}^pzdsW5z#)Zg3wVO4$<8 z^R4!obfaQA(8fr6PKVK8EAH#J7$Zf(s^A@x8ghV&yeNWRq=Ap(;#(wVB$h>4t))&5 zth*eD05Qd^1Ly~eG=iZqf5k+V>pY6HV-P?S@%|%5wXg0(ZeR`r7f)ec#%p_3%UWXo zb~wPxUfHM4O~+>XD&Vq@S79O#3nx7CN7i^R!>~A1TpSWH36Wo9Lrg`g$I)O1;SE+y zU&1eII}6N=p(r3DsJOrG)5fp>`w4moFkD#lPYG;bg~cd{uE=n2Q+eM|YRIE(=lxiR zp^0uWSmK`nHIEctmKzK82fwgDBot^OQWTU}@t1_O(jlvHNB`I>{xJ;j&B*I`ys z^g!Xip&_bFCr*kB`!UJyPm@@t9}A^?N>6Mh=I1fcyC(}H|WVidv; zD67TvWKFiQd`JUd#i5?!VzA`akN+p7<#-@6&@eU520ZiQd%zZo zYF`R++0u};I`zB-Z#^&cCxw?o(=KIqgwZ@5eI<9FK#mdM*NPaWa@9O53I-5B5*tDy z0i2Rh1oVrmGVpX&5y&&$@khDaSJ?TmnR;ZWtrR7Ji-z(A_Wvi9;zR@>H7pJZ8Ty|+ zAbC-=MawIKv3Wpu2>bGO85c4C?4d0zJFi3r=4`Yg+Sma0zz!87hsO^(l)LxGazfF7 z-cS(nJIP0lbkD$|h`5k~X&-YXhk$!W)OIqRGwY?xqxljkw$iG%gTLirOR0|z(AW-bep=iLbxsqixvxmK~be~$VI-h=eF z$@@7E3l}yB7z-x!;o)yJ=7_~C5SRl&Yrg#gA_wKgm z4+{$WXXZ6=brgYQ!Y;CaTU0lj`*SkrI}257HJsYF$qp|sWqYm4tc5l-%JPaaYKK;; zj88+kg>8(rD#cVv&u9_a%VeXo z++SBO(;TCX-HC^<|0HyFa{1>nM-*erV)MzGa)c3mqq%Z%J`>D2w5OP{yLZGh_->j- z_ou?P`HM7sN2Cpc__2=lYtvk*%BwL4l7))*&zk!xIy)B4)>E}#R2!Ws7t2;V*Iefo`u~V?l)h2+hI5L+bsp1h3zrWoOB4pyXL;hhhFN&6|jN++hB&> z?j+^at|@@Ee*RP5wZhB4mW3f1YvN{&Jw-+;HfhzbU#sIH&M6p1U^*wY;ZE+oaOUP| zh^QLEm?Lm~+NE<=$2)s|rO_73l`8m@51nYHyIA-5)c0Fh`b>v)!d`dGxoM?5SFv-g9Ok8CsU33H0G;z9=JiF85$!#l~s!7z*e~(SBs0Qa9@A+l6k^c(ii^eu8 z7&HH2Go`u^@6jE(w^_csGgQkop-yy-K)1WG7Pq3MBxZzpOv0S#dW3Pp1h3T2<^e3$ z?dAbz`b;eOrCr_8Teuis5Y2xvHBWVHGpKF+`BGN>=i4!?Z)pXhWx0BhN5}798xjqY z>Jf&G%}Kq==%$w$w2RJ?#`>QnpTaPr#6}SSw{)cD8)#-3so3c5oJ!Ac&dpmVmV<5Q zzw8^=zVtTVjZ};}+!-t$Jbt-N89Mck?a%kYI^s_>qX>s=2M}UnNCl#wmx+c{%Q@hr>V z(`?j6?+YBOW$#T?Ei_6!ipaBPj_=H7t$brs3%X*c0)FI^>=lpl%D1mm|mH 
z7n9;{da?^%5BqlSCHeW24c*3m_%D;8IqV#+Wb#?|7@|74F0WwJSxfk1bxYAqy3a-? z1?(i^_J0r78wYgIOqr8*PF1FBMa1m^8$eCsXudZg68!2kqi-_NioS1;vr&bR^}}Dn zj!`)L5^g4DH4^tLPwIL1m>o2E$F7LuuW#zgtQD6BP1?N<-j(LX?+O`K?~8mg zdRPO-G&v5+M{(X7Y-uJ;iWzH<;_@mQn@-M$xKeCCyLeEa+LTTHwN_91#cYVnJNwC0DRCD4lrm(o-7n{!ewR+dD6*;xEIb61hQG{?SA{8n6ZP4Q zMA(G)53O_HicC-XBxc>)4a^STuR>p3>Ajc z1yM~|VN7U9x%k(~P1)^QxdoZ-F^2L~zfv-7yF88S4&8j?apVS2cY)aP^%k@;HyUnm zX6k_9kL{)vNl&vxNzWrdt0?o@+eAL|3D=jnm<|=WZf=`ZGGKbQln>e6LW&7f$PVk@ z)mHJ`f`shWZrMee&Hp*D{NhO%PN1?>odzmD(w?WCYcqH=V{^`ib8@EeGx*HmXsU55QXieQCzN2$>j_4R%2m@>v*> z8vMV96^q^;e)CsqHJrhEEFbk;!V4T%d>rMyVyC#hnhcNkK_lw&Y@1eM_8!Gn>00%i zdC6$%t(gE%yvIt?$$qymkAs=zwAR#ar_ZB_3%od@Vy1{C!j+s0mWwe)jDARIFQ}>p zT^5CRMB)NgZ$AStYKY8_!Y@zO{BWx z+m%`pdoVS_pOvX24V-+1tAoqCoMK!d*pS8yDIP!LKJZGrl3=;<-o-oq>8nx&`-_&V z5j)rC2US;T_NTKI%JehXYukwqA!U7LWbxk$>mg)}32#B#0B2azExT0ZuC9Xo6tp6F zU9mhUfj~;h5h%V&16^!7*-Vm9y%LWkl)+ABxAOz>l=xck;GlG>BQI3#REli;urX4!R4%SZppN@uA5Y4wfiLc>+XrlU}HuqLMVo3mC&YjTv zlEW{UfIAmV=L_UEQ{kr1$WqE0vIg_)Y?@u1ualKljf)ZZ-Cca#1{`x0 z+0Er&mL1+&U$vp1p`UeC%KJ#H(D6?Uo=Sb}XwvY|2;9l$lIqWLpB=n48t=;3wWs9q z=B9q^bNP5b$Oi~j7qdhqBr-PbyPc>s&YmX5E?jlGyMaR+AA5eAWKWO{27m&^@XkOs zy#E_piadDBQR>?i>QIdExr`bScZhqHY7K>y;enV)1^$+>fkD5M0Ti#$zvoMh%{p6- z+!$WbM2~PE=S#-6!dK-d?83_-_g7Wnhl-qnH{Kq*7JbK8vRY^Ub#qKRi6ySwM{vSH z)CCXu@2?FN(KvY1FAY;PTsmJiJEpScn9PHyR2F>5+b`*IA9PB1him6;{i)cLlk#-F zo^yAOdUE2I+=eGP|JK-MzxI9@5i)qwO?tI`nQkXS9&>QEl1G1%E?969aR!cAPh-)<~+YO8CD)Icr@Fv)oe8QnqQqZpS2SlyOy^hv>UFL zIl+5SxH>ZAQMIo*pLwx>y`Kvic&{b3r)}4Mf2$jTy)3sfC6BtwybUAWE$<6nGmH=o z2-IVB=ExO50Ivt!w!XrmPp9ObBW!h{ZN$pGu#c?Py}m6!Xo#JNhGtzw>^pg;}TA6 zlxnm@jXR6J4yGanp&B~bvD05L)5S&k$B{Tc-Or0%vnVVp{Jx$0Ea1G^-i;+~IIiS; zhSU%Ls`PTpRev&xunx*n*}Ph|aWvxCr4***w6I)6G9PW)eS*hwm(eshnLgpE${W4n zZs^1@tgE<)-L@w8jQv3-xz(k;zV96v?AbPtn`Flena)K5hYZ6mZNTvW6WIYyJc!o24qHk{`PAwxF3n0Q`<-vsdEgG{%!cZEM!~ci zjRo~*i#5;Jb5fZ&y25hCmp48C8E?AM@YRDx>{|AYLSw4qL-^uw;3`H0c)T_ur|$GrMhp;?kM^h8CKrxg zDqST0lv*Cp(um&P<5oq$P^Am$@WgBnpISYOmef?W8tPy6DIbil>veJRTJAh|Yn8z( 
zeE1sRJ+bIXSe=6VP&V=HFnh`>E7rQWi`^_sXxrsOLkOEF*QG1~7 z_kG`l=BY)m!f5(U9fI39~oaf)OFZE6~$xnT5o|RZh)f306ma zI+b1T<39DXV#_d24!=p&J4IckU5j~cy^%S$y@h8&9%{__>sbxyhQ(!tU>&APRW?{- zd(Hu~71l-$cZhY~QkxmsR~7R48RX@W7w<^gPFS_H?`PjPB#EDjH(;%k zIcs$aNvbqZ4k}++j>%bOW($PozsBES1U_BOiH?f`vth;J^@uV!#Q>jAR3rvt4>Yft z;%&NXG?bI>k|W;W4k`Q&&_e5=KE z$+XDsX-&oI0lKF6tq?p3CEw`)zVjaas5$BuqNN^4Qn5~Z1}E5>mT;^SLnMB#e7R6* zik|M!gORzZW5xQxqe+#-rY`VRo$|r#HE$za$yRN_)7)myb1&yWT^hQZJ1khxJbk9z zC`9XWJ+*oouC5nMR#&Cf;72IW3`>SzO2{5lguFT6ehLI`qz}UID!;css?nND5!JQA2T45 zVe*_zc{-jLx2vMq$ZL(?3coDVnhOg*1+y<8npaOEgn6V{C+R+V6ypk!<0xay-Vsqf zU3GEVG@Zsep9x<(tt@>TP=UqROqo$#ce++p-pnT3o2hc~g7J*&7%PhjNtS+l)=_pk zFh8XGRiU*>U=lY}1ri_NNjZEHCT(+61+$i}P6f}>TC_7}y$U(9N7v69EI#S!&+fQP ziZ-JwY*ODqG3VcD*Q+%74F(v3(~bZ%=|D|G?+b&3>HCZ&Q-IH^xUb*pryAzZtDoNr zH=`l;=^_>%5LMxVOUyJhET3R~b>8iV<%$u|dA^|mZeN$lu&%vytkK`U2v*v<|`n0eb9t8o`jIC$xSJ+RH`AM$&4C2|E z1RlzU{l`p#RWdVS+onl3(db*Xkk7u!y4 zbb%FL%Kn<1Nrh`_AWMdtB+JdAm3sN@ivEBav7S49sWe&4Z<&VBFs6_r2}4aHawb*t z7Ub-1RkRIU_^kE=#&v%RU*p-&Z>g(MQD@7}$?;+L9Mep{h4$lX7hVpPeqLBi#f@?& zCm#0L9XzPRUQTeu^oO1}3^%37SRLb|l>h(Ighu81dxPidSSP1V zwM<3xm+m<)za^W8J22_uscrWztH~~laTSPr51O?2DkGz6rp``Do~d#^@MopttBvHk zEKYpIU#8ci-ro@#70oZ^iBlxntqwk2R^P_G7H$D=OlN}qv8u)BrUO$?Hp7pA|3}nS zhDEh@QI$|yq#Hy+a%gFllJ4&A?iP^l?(UZEE{Oq&p}Uy@q=t?UxZm~u;1_eAIq!b= zUVE*z-*d(taWrqZV&KbeFhHKX`IAlt(Hvb!Izno%{|;x>pC+TXW#zLbb2jQP{~t5M zi+Q!I750hhwe44Ql7mj7!<0iDEF+LoWly_K=gA*yvMGv@=M2*wk)}OX;LY73j@R_2 zj>@&|{G!+nTpj+ruwHP^uu+MxZ$Q6!Uq0UqSeZ;K%(wR@*}&yJBTsZb&7et9^&2kP zt{jDk!`2aLfi*YX-tdpUkJ+X4GTZt8h*-J{*A8h2uSE=M*Ebcb7gvK5>Y$BmOrTFH zTT2Xh?ORniN7{CLvvf9noy{KBI^}RJ+$5aNFl*D_>tkX44mQOP_x-NHjO|-A|KGMx zu)-QdPS_iD!xxL3`o_L+)hmjLf7R>@)rkrwmao6mu3It=+($&cZ(jPQ5&z&Hc5mB} z^<91R7vz^VPoWqjr5w6wUcqpz)m>b57HU$9*FG!Qa*|cC+%q2~>QDh#%?+duQ-OhV zbS0GOLb!_|WJr?dgd)c>`1nu#K_K_CgZ8cG?nsryhj zbALW1v4i)rr})FuUbd2#yup4j#RwR-THrL zaQ!~qjS@gtEs$yY213tBF%@=gE@^&QAstHU((!`5^0w^pi<){S-vUpCPAe!l?N@=^(1qI<}oxX=?B|+hS!)k 
zh}Thx4LLIkTJfHwLxp*F<}4Bwxe49sTs%(6XZK($FUYT=D~0ZL>~PPGANQU7VNBHZ zo*tew39lZ(=o6jqFAURuJ^q~$dyg);nc(C%&C7B$;id($s{L<=py2$vsHI_H6Wpfs&Rxru5IfU|2nE*&Ed`2(1mr1U z<&@hi^~_<=y=ubD4VIkeW_?Lxe4V+Yksv61J|+Ki&vjFkurK&Z>B7@8V8bo32;bqZ zVDwYCHq>D; z{;PzxXiuID@oeV@XT&Mo82B&Wll78Pu4$^0Q3Hx~pE-(zNaqygixbi1FLOIP*Nq!@ zETtuBp7k9=(oB4o7?%#aMw~dR{oOogNjO{R8yMEzIlpRP$X@%{8t^36l+W%K;${Z? zLsL#Cy)J8c@iXh0_)wl$%3h(Mt0$(AwERJ8*PVltE2n&`OF_XcbV^HIs?gqOWlhA} zoMLNGZ$h{Drc;`D^7qG3C3i8YiSfE5=bg*YR3n{6HlVpQy>iN|cnt;IC9ZH&acQ8Z z1>hHoJBxXKHsAS z`-s^7d1@?%LyE?WR+-5q_N@t^?eD_I5AoMh-Z3>}S;B7l_dmG?joqgr=Uy?fOKQqk z`1nB44Mdn&)wFsopsRx_QxLSHawY;kLAd#1z03PZZ9hw*?vl=HRj0S7SDYlU)v093@aQS zw6ML($JX{GNL7dWne5k)?hm|L$W>jnLRlj1r2~K%P`mlw+F%49c;3^z7M!}MX!kGC z@HI=2t1NJ^SKv4xoRlc-%j+R(lRQuSFuB2E(|(wSLZ@UVk2ND(&fKj$SG`DLuc5qU zroBVLbM%>@?y`J`fbk?Y2vQ$d$cT4GXa*8&au}1Nt8WkE`@Aavj zdPQpNETm*JN?+A_p1dcH8bw$JCvb&XPRj{NdIJvJN z`LyRMSrMbOuT`d}&Np+@p|r*KXMZ9=0GVPpJ0xwbxMo?aZ4zz4(adNx_Rqqel)M^h z^t9WVPCZ5#i+tvvA>S|-T;qVdr`QTyCAcOpi0~Y6IL%Jmom>`D1~bG+?mJ6|8LPUt z&ev-sAG{`?*4#UZb+J>>bI%_8L4f41BCX(uH@pFG@*@S>{hXQV3S#>=^v36tXjM+a z7v#7w^_(c@!tekpGqxBisiF;Wfc?6m z+U1dUR@vJU9Mh0(lh4q`X1<0TuN95^erI*XM&6@~F888DU9e&LjcE-}{9?z$I1hyn z&Q0`f*-V)UKpW-e34E0{J5_`IUK$6!O1ndlw#=vwF13U2_Zrocj^L`Mc3P*aqtZnc zCc?G(OIPUjZ(fd$nsm-}eP?;1D>FSAG#+fr#jL*yTpmRCy-Ic6>q4T{wFMEo9}cP) z8PLXWQax7CI$Gs*r2^;+!iyQSkrujInV#V);2^V$Ks$o;J*V&61qsxHBr&>kQOiC{ zcnl5xSH`X_gi}k>y2K(nG;?G{1~bP^M?~894jR&u`mg#u*8l@fu9V%Z@#7Zkm=Y9! 
z>(+?+uE@ZcHGW@*22V`BdI=Kn6|3EhT5#=wS)i+z9<*g1z?{_Nf0s;@7s`DVS$<~R zB6JjQC0k_Ow~v|B;P_^l9lQ9?7LTzmW)Yk$x4!MJol>JIS8}5ew%;i(;mE?*zX*YO z=b~=RY7Nm@#(w@LsV`XVV9dLB*y`f3`e{OU!T!6>d-mt-9xdt+O&MU1K@F46k9hDJ zn?5dbRreEL-2Jwp{ZtX<>U4F+SXK{Q6{ z9ZYWNe?=g|?*PIJui(Pf^nb1a@3;Pcj638YSb``tbw8PZoCC182+Yp1gmH^odryqb zK}g0Ng~F$kevZb#UUn?zH-|Bi{B2ije$bMMKfkv)7UYO{=mu!`KU6O}Ppf&*I1dM; z;L!XztaiI!9=iCdI&G({n)A}ESvpbCFx{ZTG7`!>@L&&-)}vLYSFB7aY_gNcBR(@a zID`RK6)EC6=7W-5GZW0OBDwx-Cl(r>=Vefx>Q9U&xQzQ7i2vZ%YmaZfoVm3HtRdd8 zaDOZCnQR!j4h1r@r(_PEPlcOPB&qG|ZO!j{CY3tAshGAs__e*L@3hM~f}|JOCxp(# z(9JW#>-ba4*Eyzxj&+BeZ+~JT2(lHJ6iYkMm%R3?{mK92eSmQDEGgs_Fi6X}D2K-U ze2+gxotAuBWiBDloReJ>;ySf4;1eF|BBlR}AF@kmd5*$Et3_bTJfhp%%lVF8ZnA zS`IRBl0KAy&NJo@Ra|Lk*(8*k_LeEE!N*Yh8`@<)i2Gi6t2!b?lSSRKxGHb%&4Lg8 zNQ1nKCdpu=BSrU8*BSK_8o&#?s8^A7s}H_idlYm)I*F#EN#Cv3pky3)_D~jn9ie@} zDxy9N&TtOl#?U6Izq;goE6L1W#5R{^?+LHYqcCyj?Jn+C7D%No)2rsL1nsg zBF$2r%xmr^1!?efl74ada1D2?ks)vM(w&%)5dO^z)nDiOWJ}|8d7-M`s2_!SW#B%C z4p}i5n0)=A8jC8DO#9*XIO&bRQaBd=90N03RU6jBB4Yy-f2!r2xMI5(T!|9BwCt_j z)*{``uX@B)Hn|56DpTX-!+>B^#1vHrd_>y_+7NWR$g8gb6|<)7)j&@t<#r}22jHt? 
z;U~zp8 z2q_W=<%M(4FDhufmVHClFREuWZYB`s(+u-yhCSIEsM437B98r(0;v2oMJ{h@+rD9& zdDHa)2{uoA&gw2o+L`raPj3_B83GU4;ji)#33e_fW=5(4I3-Kc&8ygxCjSYo zioI=_F8&0C$v0xDb-Fh^+w<8v8T35ZNHh9hk_IriS7l|sckvgH{hNGTp>Gq9G)%9DQe=Rx@N)P*j!fN?MLR4daNWB=Cx}t#-D?)7!-vNO zAB{oG+W~(Vh~IK*Nl2PSR^_l(oZAYYXTxHrvR{#$QU}{UGv{VL+Xo(n@Dlm)_9DzG zx~;iC2f6&mBZ;)orUthu{p(sC4IgwlFjD)rqaV85vtI$_g3W5@|3+C!?lKyzIqQUv zJrZu`xLH(*&DH(gwdvP>QehMAhi=kvxX}as38TQ`O2Br^0T)j>jW$cuyL33EP$V<_XaA<}dFCJwH zr;HHOt&}sE)hZGeXToTw4U|<-^lZ9gFR`|*fx{+Sr+&);a2z0e2<^h zJ1go46AJpFPfE8hwLu~$xt*-|hdOfa&Yujc10z@o)g6{;QCQru;d$1O@>@Lx)D3RV z4+<>;{jQ^RGHG%YqH=?cM}3KjzuA0X|AC?=ON-F?f`!ZdVwmmEEXR_LkR%rPDQYi5A>H z0yWP>0PAcvbE&i0gue zA&gWk8S^eQlJRV&acF3d@6Rk9r!h9wE%#Rw*jm8(=@lX?1CGtw&pOmW#dLZ~8%tRG zta5`8eP0;h59On&k4Zbtb|z6bOdEWW$*Bt%Gw2w~dE53X8Y4dc;@VWWekI9kaQOD; z7B+`<+(%^7d>>J~uFb@nRpO?cCP6s$DqwB)BsCP{(9827QA}J?m$ybGBZES*1hyYs z4$ayS4e%~Gde<)NhZMb1f_79^zR>UBtP*D96BPlB+dEeoYG)^8It zkK)p*vH%Wj3LZyE5%m?W#w4oegFddAvW?mHVNxB^f4xHE)yDvn9hxm)^5>JoYx2UM z&oi24ayj33p}Aw?ZL>=w@26~m7Bz}3!=UL?F7Z1tAphCL37a|gK_9>sv9BAxI~msL z*CHum(g0FqpRPsC`w-2{9gPU(5l9}fk?wz37w1J+#*yL=1t1|k*-l#@1&^;a{4*O` zsS{N1Rvq09Ext}Uso<4Up#)lNa^H)NQJlFVnNeL7+AZ*W+|Q$~oJ@eQg>|S^CYFN6 zw!+!4%mxJr#%NUs$P9NGAzOzx1Q6h$++Jy9;3@W$F8Xy*Q1Sj`$s)C8`;D>Vr)%1H zUWvPd{$~C`|1zzs_M3@7Msp~G>VbEV#YHT#$mv&v+gBum=1yC#H5|A+&tys_l3eUz z&vlA7ticU-8H}(HZn0oYBLaVFF{)}2NNn#rYajYv?j!R^fd8@5Ux-02C0PcC_p3i% z^$aoTCZh4)z?zkdR9a%8IB(2S$<$vtd`0>0%)`1h*U>elsTKp0I$?gcD%B!3k5V+i zzwL?0T|Oj;ibtaU4l_S zdzs7&qu=}&v0a7vC1wc1_uOzNp9DnWS(sN|g_gf*WR&myc<8KUfk429W#sG6AdwBv zsExCD3+Z+)&jUh_?E)<~-s)DWT-3H+wFB0mj_p)%v4Z=rAfy8rdd+GUgP(>*Wfp9JcZg1Lm4LWxaHK#e*d5>Qxm%!8`(i{mU@QCeOZ zchUEl>ra|&4QBRQAV!~~-bOkQ6ORiX^6+!*nb=%^`oxq9Mz<*0*|ggIg$L*C`iqC3 zQAG{&WzE5FEZsGiDnJbZv61}WJVqMzvMAw5k%R(L5ufsyQ;>9sLjV>xQ}Ecd>0aEP zCN-WB`uJ*a1`oH130+W~suD=htUhK&)dF%$xQrm?x%`1D>g)z?n!59x`bF|`YP{- z(=AD$)Zf$@jo2MuSrum7)guI&TaRdu3MV@k;fj>3_IGoryDax{!Q+%&q>RGI206IouS`C=d>S%AS*Q|2mCa82DdIPCb=0qOH 
zI|s?-54p|$MmMvq&JeC!RvP5m!c|vYRq~jxyi{u5lH%3Agk2}lFPjo+!CvtbReEN! z;nq24%91)>IC?!(zL$Lhgi79)S2L2j0I`L5WLmbSa(UdE#gCs(JvbwSVKP`4Pbg){ zzQ%XYS^#kK|EI$F7i{I{^*kFt3(aitxt9Rg#f9DB|J7$t%DRI zT0+tQ&|G{O0}pa3d5qTU=#HJ0nPTC2HYMo9@%McU4=wyzr7|(LpR#_Xz~OK%Np+uQ zwtG1X|DkyoiB&UpQWp@(pmYSK@VyQ!_7fj~Sqh}#-R(_q3LLd>!k`L9ZXa@+m$vws zQQomO_`Q(8QJg^gwd7n2v3d0#=EV)*Q#rpu`Z)>y;FT%DD5S> zOsEuS9vQu4)wbncr&UJ4@48)@fkbjDE~hzJBbpwP?^;Y$@^Yp71;8=80y*ur>&-tN zzuL?j*rZQVQlG3hR}67eXfty%#X&n4W^nn*qXq+vD)8&M7KOK-N15I!Gh3^jA zn@^v|7tJ`h}9{4@-PJ0`AGE&*dW#d(^cbiu*X)`**;KbFRG(qD)J+8&nPo1)id5o zm?HJqu^Nx@LWS_kch7@G@)bgjkZv>H-_j2Si*VfJ?irCx0%e{mA6sY(pd`?c*((Kn z?KP>eT0aIGU!*uUDbN;^U+4@}IEtEYF#T<&#*w;+zYMbJ38L8s~O?4dU23^k20rgg-`j>iUN5eUtjEWPk2%k{Z<1=^Ehw zU9~wRP~s*x+LVNR@_E(MkB>MKuvb)EU|@Na724W$UrKYTEA-^Jwa=)6yXOhS4^6Yl`ZMtoPS;#y+|GY~jrsbfEv1 z;K>Pz9EiuTAMx&?>r&86DcM$akI?1d1u9j_)CnM>un^}!-*bk~o5&WeoOL+Fti~GP zrbtqQUWz@wq|`mre26-g)74znME_G+d#dCM`H884KFDW3y#G%Zzh{J5SyBq(c5J;}x-*VX{&6=O#^;6IFXQ5UnM655 z*0`I+iIt4SgPN2$_;AD%lH_eiQ$6Phz(M(oa*(r)oV#(2+Q=r8CrhjNfJEWy#$a6E zntCqOlQ&K!NX$uypzCYpTv}NTp`4wga^3>D*fh7}XF^VFS173nfx8ff1R8-@>c?b4 zr%aDHgC_aAK{32-#ubiIQAunW0S-G^x*4b`4K&&Ag0oUStlctpoUjUBM<;2ypkk#? zc0}hp!SiVa`hE2eq*mD8wW*%yrC8i$Fu}JUUPjH;0VoeKk{XSrT`~p{R5IKq>If@! 
zcz*G)9}6Xf{vPufaJaeutz_Xq9~La|&-t(>C4PxTlJH<>^WA3b{@!AzN@9K?>}eQ^ zyH2gL>#|Fk&das4hNW1p%woxyY~PMp%ncVY`GspAC=r z{}-vW5=|RkJ=#LVrSSfj6teCu8uSH9~0&?l-D(Y2|;gN z{CYYBf9An)l0Znbj(X%%~CV9&CGj0CS73p9e+=-|rPAQtp?K2&0 zlObp{!~yTMeK9A6*?F7=!GcpyzXGcx0eRJD*5r_Y4OLvz5=(Dsnr82;4V6lJ&q>Jg zVj(c|ZCMS5xV2mW->G=rEF=*@T(3)Yv&EG#k!Q0h-7x|HLH>VWCOR`U2Dn5xYDUqG z(z98qZYZ=bF!vW3A|ejx<;z=d`5v^~;bXtls#yzK8wz-!_g&?ol?=`G-1!W5 zm}{v>eVopm4y<7yqFQ;V$!sVA8f9@PF!d1r6u0TUVrnyiciT`2B(u7CVGt^H)P%@@-x+DTR0DYtVr}pwXlfBTJ zuVUD{ng8w-Lat23)pU2bFZEV`Yzhak4NK)WX2XL-F6rn?jA{cgAViO18aoYAHtm|| zrB#tpU=Y8hF>X&(YNgR6>;82Z1u*z;xxv&i1a6ZLd znW|%gRIwu*xVKeHuDs2sglulum99-8|7%L~(03y@cdabmpuCOL11Wf^iVaS!&5>CP z20w11*Ml#LZE+IszXSEzlbTgOngM7C(2Fb-PiUM=qprTb;Vedg>5qMH znEwl7CR9l4d)w-p-0HtKrZMDLWZ}RJ&`Z7=MQQ+vvvMjd!%3UeO%6l zaxPO;cXZ)xF1*rN@<~eP1UCS!q}Ep|qJ8^9-M@FPkd6okYHS~*YR@cE2Yae`UBs`< zn9?H!Ri&=OJPo!UbwkV_IXn8baIjs#!X`86KL~5I9?b~xA*c`x>{q(HX|^_ zA3o${vL!_Ct@?wbi?@vxOFU)#Wh;)3Q6Nw#0-|6@hKS}WB|#`)8k~=nz+B3Dls1Dt zFb?ds{SmBB4IK0e_A~*XSgUGMrd%`DHHUHPf!Rq#2qm|J)=aR4Q^1n##uZxuE^;2n z_oT!#B1GZPZq~ZrM$;Kv&Lbl@P|Gg-{&4bF91O9wG?RG-8H}5^jA(@Y^3s46+S94X z?zi#2K>(}&QhQ4ykU)fEqaVFL{3*4G;4X?n-HnG<_AmJFIM;21>J>%`kP3=b7Y)g_ z4|@VHDp|JZA{?`mtz45cFGW4JwT&}d-5i^HC`xzcy6)r3(EKV>UuEl+eg(*6NYbl_H;5`k zH>g9TdZN^=T&lHP=fJ5ZYx%38LkR%fe>a`1A@Wj$L%#D4`+5{szEhz?;r6RW#cKSO zH6Ghl?(PcL3%pH`tCNCcDQk)FY{@!0Bv%bC0WH)T%VK6Eaehl5Ytw}4LN0Ms{xaR+ zLkZcIOfx-^WW8Yg_D<O&DS*3L1yJUH~^hqXnT{&p~*wahK z+rmm5bQR+~znJdzwPy<&K(CRxxnbGkkFUn_h6oRAT&D`DbFDjdjuM#Gsh3fK&b0l$ zvR0IRjP}Vw4o3cwva85FX}`va!7N^cv2I>5!lg*)5rcYdQwuR631TGydCbBCfbPIh*lpBHs32 zV~ao5=n#{9@lS7z!cvV>EYm7RsB@fok#wTifJ}*H{lT59r$-T5bBGn&X6_mD)#0%C z#_^OkRwvzgI`be`zxl&m&T{jN<$*$S2bXxtrCiW8?rd}HSZwt3$b$=CP`tyw-9-sA`3y!-ofV9vdo5yQ zzj4pOSClTINeZ^zk7F8D8Gqto{fugWa|!9uW2eq}=%{L**l`^tn5u#8R>BYT%q!kU)(^WuyXY z)#`ODmqPZK1Cd~Ciomx&g%L`-69yW}eEazfEgHtYtXK>s{ftz{fqbE~7+hM2ut_=4 zi_VRQA05HmCkSDma$T6iQ3jp}fU%$^FO&EN)n2g5X}R~LZ*r4tC^=XhTVyk^S%pO& 
zl%l#S$RO^iXz)YXM+`GZ2eFhqgz444Y-FMnT{H0e00;RhQ_lAlJyWT3@dGQlnTPWM zg7+agYL{0A1?7?mn{M5pDO;r)={XSyZ-Ds0;}3q`rgB<7NIxuvr+HW4tR7Un>RFol zwszvqgLe>+`$PqD8{Zuy$V13i%pbBYt2WFT&oyW2${FtFBc_cGV6)1rJzZt-0Uagp zux;v+uo7R&@3l*ydbQN)evdBf|@UntMgeW{Xd`iRL*5WTSeU{G3KVAYW$FQKbu>c86c{e2E0Q>d#xOr zv?(_~xid%hstdZ+s8E8yb8+6~P9-v_G?5N5-rIrIC?RUAxu+`oHB6VOjpQ9+RWD4K z%b#~fp~Fca1&l8Z*t_IEwY=!S8{6VAa(2gsi9|rwXl`r`5|704%Az4~^`(ecA0idG z6ngKXh)MdZ3-{B%83xnfOaxE766Q1TcxLX2DB8LAZb5m(MYw)%Xb$_%B$N^Q4W^q- z7dk5BuK(QFZ`y}k=7hV3wM>}rK}zU}iuv*j^>%WpwLuRacEB&vduKawJ6u5zJe8my zlJ%2u9u}$NoIe#&2KYhEO%BpyYBRaUev%D1{Ot0oVh!AmSskLprSop4JSoc!zY8@p zh>S0G9E)vh#OsCG9-@5GoMPK7M1a+x-Uj2^u}zN8U97pC;GNpSwiivT zYwBwyug?dnKgB49C+Ym%d_485VsJN3nS92${i*F6LU3_PLL9+cbc0Jt6n0uF{!)j+ z6gF|VnSm4U#A)dal}uNuD|>b}Qjf15uaZfLy_1WGX>4_hOQ*J7G?puOeBaCE(>vat zEAr_p-7_YK4Y`e(?~OndPI z(VF&jBj3o`-<(>Y?c=7l~WJ;fi|2J zoH@&U@`t8oy7mr>1{FqgBN`Kh{cqOgQu!?w^%h&+V0zy!L$3Mw3h_jt@oYMvoD z?>;|PGPhWvEKV$ELoxhvrahh|(93IO%7$6h?%}eIS0>9tQv9By)Q;%wt4ny~U-AOo zv}Uo#E}v4K2uJ|I(Ir(zHYS)r2g18y=qj^=TYu4vI?+G^2w|cm!ASCmh2zkru_QoJ zSg#kPu##8YP#FIdUk5zI0#Ks;y&+nSz`+3y{S&7C&8PCs_pLAoxb9*Eg)X?7YTkdl zda*?UUddDQPN_5k!?1}NQkpgwiPTrS!-O@+`*khrFfXHuJjKV_24>l+lEI+ck8j3G zL|lKQcmTF=*+5q!x#Y#5Z_XxNus~pOh)D^lT54KiNF)K z&GGPBv^2^8xG7v}wveJIE$$5Xa{-geZ-b&VJtvCnnYV*FkCpaz{0&Jz5hu;#JPqCc zIU@6S7lI=l#+cuAPm_FseqR&$3`)+)kkT3rivRdaV3D$rHZPIu%o6@ZE|Er5_DJgh z;0^s5@2db{vDe4Q&t2Ql38Z-H%+{MgN2J9#?!DLZxjkl{Uv@59Z8-C1gWS_mu3bhO za+a$%P!jTRN}U%9Gbe^|)`!)$tl3EZ?8gjxx6S=A<{z>p)CMl6Nv+Eg>9;$Kfhtz_ zC#~$g;&cbyYLXQ_+GHVfW=Uq6o3_d%sdMu;uRZ75@V9G=ML6pZnUW{}5o+2kK9dz~ zilMAS&WQ5G^$`jDn$xKZSWVU^c1eqe;?mZn@2qg&WU}-TRdtH<)J@SP?Fd$Ulrgw? 
z{CB|LvfQd5Z`ep3JitA!wXS+1ciJz>81Ab$t=QI=D@g0jCpj!X4%k(GC946ob7$Il z()H7=4x!ZsD%KCx?6FEhIoqN2_ZH*CQl=46t+D905PrqI_mg3_SDE1W`5nmhrFg@2 z>0Dwg!`WH)VKBg2atWG5l`^8>(uL0aiP{&wWWaSHr1u~t(%lF}` zgj6Msx}*XhIYN?41oDR7VwoC93*hND;{Urt?XjX2exJR%^UJR-kQ&_V(k+vd_vi0`HM@PR;AdG>saz+`;~hu;B*|`M@z$k@U{3;TdfF zYdY@YF`QvEB9f`%NFy{c5U$+oZH1*MBgn{vP}@dc0GBq&MS)fMGS5V+SYaSE+W-;X zB$o91DuS24^CkwNt?Hlw4Z#!T3T6mxo^PbXl4xi&Y@&^*tm$a?ez*bmtSsN(F9bSw zc)ECMbe!M)67OMk$WcZs90&&qC39Cb7PT9wKG?cqhIHySeIvsD(KI$ebFR7-%3K*! zeZ=cd7^k!UcjZ2zkI&OfS@l<72=2D`J$4o6MIm&Y2bWn(>C<$vpb2SJK)-=pxYJj1 z(5*zBHaC5|TjwVJZ(}Wp02zwq98gS0pUx4xfKtLNr$DMU4}Y`G^YK06fI7*g*(BQJ z5zBuzC*C76Zn15*F!g6=Ue3?geA@*UTK=6aKr3|l;bA&z!#BNm)OxP6c8sV*ba!cqnl-+i!&*>G+o9?|gO1z~_Tqmy4cIq2YEq+B|1O0;eH9E$Kp>U@D%yn@M z_xnY+13UDxzjeld>pAqr%Mf_3n*vz6mFl24oiuJT8>^Zx{ZlENNFg5#Mb$P(9M_r8 z+GOaH7nTV7o3d+rClJMx74aLJAU21aMrqt#pE%;S4LUZgA|w=m!yQNAU!&1#?aA@w zzhH2%R7~3|q}Nfz>vk}dnxq9f8F2LlT~@Dv9Q3UH_dxr=`V6y!`P{n`ax+7B&yqot zrK|vllWir;;-Y+ZP0Mt7p)tDCQ#X4($mlP`_R2^STIUv3?^>#yc@!geV6+44QV%IR zlyIPR(ctYri_toC_nmzJFb1mb|In!t&^qb7Q1rr>G5)gNOb7Kyq+rQ-eTUM_(qhCv7^g!H<|b?cgis?Y!KP)>dgxdRM*dwf`Gq<3470wTFT} zjiKp-_acd7>5h|s`JQ7zbNN_yQG80cod7K=oM>v`ECyMGSv#qI1%my zzr1g0rGT(>O+v%ey^q6&z@bRx^-jIA@ctK4{K^vMG;ffypKbd>!c97|Lhb9#)QyV% zuk+CjRpoO^CJ}@~+asu7oJaiDQvR$@+ys8H=UN1%1yx|(>fouyzNqt5u@lVfEdWwX zGDa?Yv$e%l7C0X3w6oR0E%a_*PlH!Iw0ll1!>pY5lYSI>vFS&6G9#fq_x*wUNS!rF zCi3YIl=^jSMHq^bT07efXO^~r{tb**kr$!ABO4i$QfU>GJ}`;*__A)ZxFS&9M3f}YrgiD+*d)W@vE)649SeZ{ zoSUajJ71AzghXLSO8JjlOKan?ojI_-7!FN(>}_MlE}wT{Yut4u2?w`V$=Hk5BHMXC z>M>?t=J*K+RE(wKK4*i}+;31QTjZA18$Qf?9U>XKYje5R|3xc}O5U8vf^hEf*WN86wtiR(vMEt+W4}9esf*S+Om21~I{K z<-Je2N;G1VyejirOLMbeiBIvW40(TlmNQBld&kOMlA=)A>MO z%t@z{!91xADR3D6MXbY@s!KL!h-w9vcq|H~C{bC|E)mlD4nO+%r?9-bPuF z+e(R(D7KVC86X0UWWV}oLxKBHC>&}0J$B9enL=^J5Uf6MC46LWu^)6%{gYk;Cf)HK z3U1}Ywlnfl`4dqY>G7aO$l*;wEPP!OTj$`Mvri0{iMA^)9cZ0HSb&Q7vlHi|_{OJk zD!BI?At26|Eh1ezFj@b{VX%ALS@Y@3J>U+^HT@Y6;u93diDXxhKq;pBN&rdMmV8>+ zS&Z`Zb&;G$3VVh2@E<^ecO{&Ad}x>pa0`mw<3a3p^_fdP 
z2|vV0eLzrMrNk1)U^L>24;|W!`Q-G5z7LlFZ`o4W5p`uQOB@vjfxMnQ_&vcQj2F35 znSZwywm{Lj+dE$<2rC$?GwwR&GL|X$=2O4|6s#6l>3~c;2!%`F> zlPviO#WErx?CW{w3}|1eLeL@jnk}r^XfMJ*rGYEmL|3Fb7O_&oH~(0CNmie49;Ex& zx3?{=fBSe9_oVmb>>I6{9x{f{D7Z$5nU z+3ghlJ0{7??~mN!;$U=ssil;GmBO&!6JtE;T+*>*O$)9qaOqfKM$Sr%jg|Hzmz^mh zGM_R-vDUFGbJs*XG)|fYbmwMYhGhHOsLLY?1sqh8NX3E!r#vhL)Hrk*#Ts-}8@4H% zB?2N#f4tq=iz{X!SMg0L^j`i5tg!!3 zU|yGTxpDug^a45F-tK!%*A%~_^6Z?1(fvQ$W6@4~x{@P>mL`gpn;yD)GMcA+rMA6N z+nKKSo1fzIL+7ze3M@LU07sd)jjduvA+_f~w7uw_-agXeNBFz{s7Vs!^TV0ZZ~ne4 z{-=7#C9s?7n}M|u#NcOtaRc7jUxGMW*D$yrRinsD+}84;(mb#ke~9n-#Zj_siuU-M zuS0P^rj0YeLq(Err#^_r`~p%rqp~?eE@5?Q#|H zwIvrzGs&Yp%_K57-r?Z8r5d~{3Q$^~RP&g|cD>kc;J}F;aYWNZ21ja-zvqDeS$t>< zV8-kC$D|?)n0?E1nD(yGUeUjTWQ&3}R17aC5rUZ|G0N_ttzd}tgA~8Bk>zjA3bdj+ zOIi1)%ZG74aima`;}o9N`B&acmNSJ*vkrbHLrLq`AI{tY#PIAm1#eY2DkJ+rf!Au= z(oSf|7%(GKI{nMhvFJw64oQm94@r!T?vFl5IIT4Pi9?AwJ+#=HLW41lHc9fXrfR}o zTS2{6DY!U)nXyjF%v$#zu+b*O_VH==M<*Y%ZE8z-o^o7FKlS>vym^r2RM|?JYFpBE zD6&N)+)8NuIsQ*c3q2w5(Icm4=}!nwo{rN|!>9~9&BH7^1BtV&qKbP^ z8GF6w5mCz@Kyueyz+@@^J7b|cFUM@ zhhRJ*w>^)!1ZVmFvJS!6cpz47PZ=S~M^Voy4u5Etz@C{K@tN|pNc_~)bE;ufT}}$# zp{g27P7L*h^B+(prg*twMfQ&2od|rbQ%mnY<=>FEv_>pRSQ~N33!b$-sg=ZPaT@ir zlSEp(dHHgOAzB=rRc*)h@>;v&@70bU{eJE9!}Y_;6s_e_zr3<6%$JD^}Z zy4EYUJs%i5*8N56b(w~1Jc6zTEtl^1W1ahQ(7ceHH*tS{0gF@NeIR}uLrfx9TV57_ zsh^PdBm9=&x!sE)yQ@GKk{bh8LGus;Pf?1v!svn<)Lm!f&Wxgt{7(E|zw?WhKL$8* z$t3D6RqxYMnZLQsI+1^ImsrgqtPT4m+RR;ePA zBy#M*rhE(WD7TS(;0I;=b$2i&LUOy3o1Q|4&fbht^&COh;MErm7eiS9Is)APn7Zn? 
zsJ^EyBA|4K(%s!DAkxj!oq~jbONY|kozmUi-6bUr(%l^k?*c#hzW?s$-o5vpnKSXs zJag^@H=VK7+CVY=+w9+tWYoX3-jnt(_@=hvarrT6B*F47KLtOS zC2vx;5-=&`dG{_vwWf*flBRpS>1OB3;<+GLvH&OcgZr zv|W!&YOnaxe>q*;HGnblemd9~QIDJ!yv@W}TFAdrvD&VzAPW5+q5c*7U1{T01+6oy ziQbNSn1T3;g9zbWyS2gN z6>nd(q)i73aT}~9N65JCk6Oa&Kpmf>zM5qx(x)7>u7mmQGS(XC=iNQF)C^*SghqHr zYy)oq%@~wFR$;KxH2g5MK*D#e~rI2K=AOA^5!U@U=L4()V&=lu$b_)*^0t zPM6%=9!{+UnqGZ=Yf5DE&EPXQRcc|v1f2-TEx z+NZ@O@hkHEBr*LY#7-}8H~c3MJUK%_=+m5}!7pN&c9>^c)38n#gmV@4;Y0x!p?jA+ zDTp<2^lN&?>ogD7TvUgHMscxU3maM)Y;a-VJUunvQOGbi+8k^Eg!9Bsc_~rJ6$HY_ zG1r0`+}hHq=~voiKjBa7uP;e=D5H7yB0u$LjJ0+~g!nJ?Lm{YdC1S66^ty?okrWfS z%W6+ucU9uQS;`$}+!4f06jOTV?mQf$6Z^6nyD9b&@;;Vw69`B> z)%%Ry-ry+J@t!;2m$QCXz+BTCjL6MbJvdUh3QzRhVb9hpxE5r7`wVsKx|#OeS$4TY z)13_=tq2&l7*Ndh28zzSUYSj$(JB=o6S}r-qO(ukJsM|ph=uiJXdpAvX3vw@S<$%p z=5YCA_Si@R>N5l!tmf5jvr<8S@+W9-xp*6fX`K$%T)A3$!Hhsc#E|Xb;d;E8HYW}9 z;d)Fn=cpq3wjdV>ukcS-y2ufvImjNzE$qb`6p#4Mwg*2X{ zP^`#6=RW0iTc2_Zg3(MP%&KfH%UnTM(QNLnAnS(PMwIoYB%A@OLttW(vU{634L`y0 zeM}u&APqQzhuI`G-RdsxSc!6`4P$~|HPU9JpfrY)=E z=uoBiDSP@ldvL<>ULF6OLdo?~QlxIc;lZNnmRn%1ony z(r$A<56DwwVrD~mULO}-ubpzOX}e!A)3BfQ5yDC$vLA`K?Abcp~H8$i#X5p|B)ztC7)cV=;oi*kYRbgN@c6 zAh*!MG2+&g5F1Or^>s1(pyHB=8}??}CfvcdTc^}OQ`VQDO1o>XS3z-Z|4T|l zk9hExjmd|*q;Q`gIQ-@Jgu}RricIGEX~J{fL~1PnmS5wo2!H_HJa znbs(4+6Ga&!}N}(V~Meqgz5H4X#V}dzzkRpc>_?}i}VLZQ^kY1oNJ!>qYazfT^YrI z>w~fTQ>0UShLl0O??ck--iAFk&6x{R%0;W1`q&_@NWdoqq1a0E&xoi;t0mVVE``$s z(%tvZDM+YgukD4jI0j(0VrYqrrKP00*LNXRkN!7VZEJc!y8@|4U9ps{m4=L0gZ zV-eSjL6LZ_>}9rxMAqY|erGCu`-s8UMiSGzRa_Z#3W6c&s;X7*EACt2x;M$^*O_iB zvyi~zOjNWRu$NYnAI;H>kSzgn}PE4pl{_} zj8Z2!PAtIlmL+0;P{D<7WTkEnQlU$27a*91J4@l!V0hRHNEL1V1*=qG4q3M-lPm|Tc!_=4K?{Pve_Wj1X=!k|JKi?kWZp(mA zAWU-;R*wpcqC;8yaql;=&jR(b07J1k$yK)pU;+zRG!Mk|2ad(ZN8T#{qz2jD)q1Umx;IQt1Y%Z4y#$44Qu)MTcEq=*%l9jY zvue}g$5|iF5#BbjH_j!n;hv|Og(%m^58GY4_qL>y=?|tUTrzKPliTJ#x6I*jDEZv? 
z^n8r-0=`52bIPlOPON8n;KU4VgBEkdsB4K^tG99s!2h9!M6UOe;9i9xzS~`tYQNCf zx5Csm#$%Wg^PESI{j{$E1B}XF@81dR z@tlw!-vORwh#FVk zD$3TaE*!9Ga#u;mnw(M?y5~ui@CrR{@8`Rs7+w;csj)Pdg+wYHtkL-AVwyc&XP2#f zUfoDqg)`gmupE*g8MWCi-<_FTG0S*p2>qhP07%9OMG+z$^18WEs#gi66uP_0oVri) z+?2h7E}I-o$gMBNj+GC+urSN3yKXI*3FW~%-MWryK8xHl%n8tkH%}X`{=VI0S#p5& zNeCM<8z1`u5J{x_WR-97X^3>IPN$=8I9>5>3Xjg08v)vqDvR62RTT>{eUukKX9$`^ z9R#!?1|Pl{kG|Bf^VtzLvwQAM^M_ekt&u=;wK{hTg0P_yl#fhEE1WW~ap{nZ4cSnilnmePkXcipeoAG8HvJr~67-z5FjsFM9^PjQsC5H9R}(3uzn z*)a+(7LF#%sko0 zn5Tl<@XGso(NUz`-ciW-A|r-TJ@2MOH9e&8|H_}JIfG?2O(NZ9QNCO~Uq1D) z4qJx(Qmdnx*2Y;Wf0X$MQcg*72UNYGX@!&GgUg%&s7Xl8rau~Vap8UO{xo&zj`V>l z`M0b)=-T_tQlPnrqr2j=rRjFt9u(hzM6hUL*W)3swPT5rw<}E!T-JRAt5q!N&&-=M zrY66oT-y=n0S zu@#{!U$y+cx~p0Ro~KyV{|dgV!em>|+1A#ARI7x#y9wUnlBu}xY)1}yrO3fl-n=XA z^JDo5TxYb*HM~R8SvqHw*h8T#o9Qt&tMG$Lp~ShIkGqz~%^M=FQZc;5!X|scI{q?n zQeX`(g6$4gLvoTjiiaRIl%Kk`nk(;XJ|q(Vy^Y}mDHYR9k{v&FM{F*)Zmol6&YBEjpZHrMZ%YsBcb z;)87&3S>R;jKC25Wv1&Fb^O~tPRxT4*^;y)uKl2h(GBjU`$7YFq;Y6`_ow3uJcR{Z zm|P5yICWH$Y(j0%PFMAeiygyM}wV6MMbpt7?xN&9!zf-#;t~2Vr%33)h zu>Yq%3z(O4Xl&|@*ZFy>)-;Z{L7>f?0Vq73DrM~aj8@7vQ_RiLwqE4blE39%YrJCD z@o3WyedRoKz^tgjM(Y>(gG_LnnIj;w6g)yq(cqE{d(Zo&gFup7x5S=hdRMO$>q*Eu zLhJH;TM@5X3Tp^-hTU#g5ip?TSr4sq_MF%s&UJPq*pVyON#S^l=6rU7GcR-wjsq2F)}GsGB- zRamY=k5%_!04eeR1c)j{+VVfo6pi?8cL9Fh3A@(&DSjwH z#@fB>pHTapA6|3PRY?y_iRSNVugR%`kKstgXv)4%f5@nMST@~~-R;<>^$ZoIcdyeJ zAKEx^z71*BxcYL~`@wULGcr$uGY*_;)`!#NY3wsY zTaqsA9q3GnvZ9-&H&<;)8l3Q1TZV^otD82H88>H5*)9DP1b>Ew_bwFIC8V;le7lDn zxOaGsR5bOY0!-K)Z{;l_{Oo^G03P1&KMgpQVC?S_54$q!2JaHDvkS}Y4L4#sR5Xu- z3+mj=stiHrH7(*!HeYn|T*u!+D+0dWv(?Oo6uhjl@X)BUq45@bi**gMYD@6cFgL`Ww z?aMZO_?>3dlxV7kq!;w;CohqdWagJT{S$KJ@~jgb1LC>AUw)a`eGqSswSxsK+)8GQ z@SK3%*k<*SSTU*!ekk;h=omS`u8=o+!>OyQ+}3hZO_{ju%)rd1FYx%+@FxkRs%Sg; zRP?dUfV20KIiR+xiYDazM#+3R? 
zo0|N&7gVoW`~)?30^3*$`v~cuFju@)gc*m_Y^^Kej!e7t?Ca_YnC8A~z07I`HQlCW0t1!2q#UfhG+j@70reIvN z@2w2oD+ENYDwtohn-9{>gS_to8FnSBE$nOl7M~fp;c(I(!ESf=lN#1Z?8IlA#&O%N zboc!IFDBCY1K|!zY||n5nesnb8%_OaaXL(<{VU9Nt~Zrbzz%N}y3nLV{Ds?$qjVPN z7r07=Z`Y8)NR`v6Uh?L6Mz2QE8v&8Rw9z{N4-i5fIaqUgsWK)TuelMcs6@V=Vre^# zuBz*yGk|x^`MFnM3*yU?m%QEsxl&xc(+YgWv4F*lu&buHH(+NU_^Ci^OidB?A|L?iBs4F~8I*>^hG4KR1@ajb7%?BC=-?@Z`p#rwbFg zPwhC^%KG_$3k=M|qy9UK-)R;ec4dk_mK6BhD%O3JMkiZ{T|m)&6Zal6N%lGt;yECz zhtRxQ?71qE{ae!rJ5MRbiz(vP_FDckt-T@+{2M_O9(m#&k~^?|iXrbEO>k0o~qB#CbSsrMb+b(S45U6KKJIC z|FFPhN#$>I!Gzir1UM8b0KR*)UaCfHG8O2fK*>{kl$XXXpD~^OgZIZ;jd=!h+*wYy z4K~ogUPoul*niiZR}3=oaDw()xGDZOsX2Z;n@)HjfP+VIpPI&8-O^TYKLJrG6Vr29c z)EdeVQ3Q(+wogd!+xcIMzW^?FGs_g9#A|Va)5u4_CBjZTbk5SH6R4Q&Td@hAlEuKm z;*ARj@+Z$B?4^e#7{=ogGxv}57kx%f^u6d%(0us?ak<-%3*_En_NtM>@pAbO+M33d zZRQBBDCK>a^A{#S^L+{QXv>6gZ#cmBkRv|zRMUmy*DRp=@7@!43?&fmt@-Qi?%z}v z+qY!79_*X}2=F`0WD+Qv{e;W-|5PE+UxmRtBPB>^rVhuhK;?VKo245=tigT1=O3Rb zSJIsO3q?(04Vcupmv*pNtZwKK#Jy}N8ukJ**qM(^`X7&0WE=(7k`TPDzUlix{A3!7 z@MCi>nP|4q3U!y!wf8npym!9=F{#&Siy8v}B71- zj6HBY%4rZ*0TiJu3tqJIP9UAupo!Ial$}v_Wkm*cE#*PWjzxMkp+y5wmxBWyQh}sx zgFPPF>#4P+j%<3K(P=6+z5Kw*4Q2X6t!>U zVraD1?rYOsp}|F9IVG=qWRo+~t)WKl)jNTF@MPC%dWw!O&+x?n`W#ty`wh5Ib;=BE zBBWI%a|wkamd3V^2wVzO*G34rN({>`8AuOcOOA2|Jr+M5fz5mO)V99KztKQZELdOU&*>2--d zbQ_kWfpwQzIj+jgv%zBurPKZ-n7Q-*njl$H55_ZC?d;ZhNO&2+f0zQ}B_b!rJiH7P zcG4s9(H=c1oj!)4J@p>9%zEV{JIb-;=1Xkho%rmG$vyC*FVQHlWtI-1LtN?7Ach@B z=IOclSqrZywp-X7mxuc91`Ld|;JenOU8_>R!@c#$7G-aRqWF#5}SD+qEe(Jba{=62(4nLQDep5%9rNxrIH z^F6UjZ8Tvp8CheH15E|GDOyOz+};E?mN1@mkgmxm=Pv>Q&6NQSgU7E!v5Gf2Lz>7{ zfAmql>}r`@;m=SUk@67a8PBM&5c(o%PP_Z^hpHcJrt9|~Xf3<- zQL}9bS>*>2{Zp#r`r7(9n*V2EtEEf3p6-rWnv1i-$MX?t2p1~%ww=M`6I}Nt3qW^b z!XfuiN@~rA=w>mlm<`>48^0vUIPwtP8hHK&9-F@gDF)0?&`*Wlk)KqhuM~A5M1Ddw zV>!~B_@{Q$`U!FQilK&5anc5zs4DpcT!!X_l-N$>@t^ zM-^D!rH8wZ9+)h^bd|z^e~FylDiLI zF9>+pysv$%IZT8HN4EukkKcv4J21meo~%-kH}5$*JO60`TK#g2Z{qm#>LC3zNQ&en zMTcE^O(NNB&gD7N|hM=#IDy!38{0az&@9&7h%tN|4a&ke%e6)v0T 
zhfnBADl{p>&U8P<(w`SCJ)9iIYQE(*DSO`-M8(bn3fk$!Hgn8ZiAyAqwgn^l-Zy3( zyDf>)P;)9{I64UP6G*p_LMKji0>y^}GSu1Eu4$A_RrETR>|!S+H)sCp9n-y+0e?fQ zMV&?YXUmX{m?7YXEWo)UQ9r^vDJwX6Mx77HE*4>H@@vs3Gz+Erf?G~O1$hz)O7d#& zMnWZ>EplI-R=q5!3(&U&!E)m(^>-`4dM-G17=M-&L%Hy-ER5(!r8*wsaXhRR z{zxdxJ*6jYa^%(P)%-VIsrIeqOiGf$CWGY^2360D-aVRAaOpReTW}*?I`Bc--1+|O z`+6FO_nwRnL&fq&EQwPf5`*!%dE8Z;3-w%$%Lp9Cr~C1yln}SophySIVuB4oE1Ysx z)|q~|Mj3C2&BnWM*rh(LlG3R*1jelY$eDpa%Jsj-5_L;LOM!Y4@jJ0+`km)PNhd>d zlVY60m3rhc)z^Xi(OKiND7b~2#sgQ|)?PjX2WLeiZ(T;v0* za5EL&{`s8Y9*v}5VRc%$WM#*-wAEESrDl@1Q@feW`#QVPbC~?qYt|rV#TurKS#rpw zXOP^2!;k=ksK_uF1@^d*Xx8fW*7z&}m%NxqVHK>HOsoEsp7Zuzsng?LZ{n!_k*D$w z$=VSW@fX22X>2*Zdla;2(;Fbu32NsK=QXWT-`xAt9S68|WOM7_GaNpFQEOy2lf_fU zU5lI{mFNEXy4yw(X@XBgO64e#^SU()E=42yb_r$mI9FNo;YhljLtc@BwvUFDydGy~ z$GtF-sm92f#kJ2Sv+!iB^L)*)H`E0aU1&IXp3}%NE<5X6KV$Gdu7sbO-HX4p%|Ar1xS?v_ZK2vudQAWObRL;KFk)J<3`mtv%{$KF%D5qM{?Z~SB1;3WAy zA+H>!%*Nt#qH?tq>-?bH(G$;h8?nA+hl8HAxiKh?8Vlv7S*G;K`#S_+JMj0rcEaip z{2M+0Jk4xu@Kf7D867o0BKUN1twNXV;b~+~9 zC3MZw*7r6St)a;-2u|n~shds6%T2Rhsp~?Ysk3E*%&v14Sy_#2fb*qavq{}qKOEXx z-#N_gn~bb$HC?6JUH)wQzGEq0fBcO(8WHA^<8&yfDea6T>8+Vu8XMbWggqqriohe% z$LEdJ!KMv4afH_~p%h^3cbN4^fhzhNqi8I>6)txAV|#El%~y93_kYziVeUpp2No-Q zeef@jK9oQxVrAC%X z%4;G%oWXhVN%iVtAsIRH?8Rs%$@yj?S&?rGON~9_&|bNjxl6T45>->?r(bf$=&dH| zzHrl!kL~k1m-sal-Kg;=_Fa;Rg~6r{;Blez>cva-KOz2;d)6Kk-%tk-5!<&o@k8eKQ1q%caOoZ3Q4iUJ~yQ{`B>^=Ra7_7k;_nkcmUWF-YR*&6+ zJgjqZzn4>7aLvkYXrR27iPnn_{WJ`}js{9xtaQ@0(!yKESgFg}j%C?g54vWU{X_rz z4#^_0Y1Mzk8EN0wmUdXCICxBhe_Rl) zR!qHkrvwUV$`MVD&E9W4KM3oW-GtZ#>F3Jhwyr48nTX=~2vTK$AvscdQx=JU!u{y^m8F8ul)NL&Jsrn8=VnT5w~qaUln zs~ZwqTimNCfO_G&gWS>bBDTF!$Oj*eju!B3Pfx57URepj6KZJicx4&-Hi`!jYMEW3 zR(VbjlPJf%GmH1OzNcr;yG;`c45y4v6HA8YwCJQ2SjynSg8rEo zZorZp1o8Y{Qq~&_$Sn0lZCgI+5#89<8=P)k9`n+w3K%x1=uzT?ODW#5b7()k;znNp zX5DPO&m4{MqX*yovp*h14X;QSw(d1{d-BWgt(GW?v8WMzlr0XuxmEadQ$tC zso%w#EtMT7-zCm|WCPcERzEih>hs=OFDJOP|;F z&g~m%vV6V2x_eW%+hch@3N=Z6N;0~sI+>S$Ls-E5m%8KXyc%7{F8Y46LR*6wx}{P9 
zPJn9p#x8;U?A_nc6G(x=nw_nM(?qM&c%ZIXHid7t4r|eUYpDHA4M-bQIhm&R!TRpo zwO@Q>U)n&;9iY@jVnhrdpQ#*@-&=la(Jfw5(<%lYi?$kbYNQ*)2}r=82)HKI$joUoE$ zY7@aEEL!`4xM&eFYJn5SwOO=&pSYkGRO<+Q3fAcIkm2_h@B0SG$Wf)1wF3cb5ZfVQ zy1$e;>!;ee=%!2Gq}o_#)6<-rA5)QelZ8VN$*EHxT=NU+?rhS?q0Ve4VLI&qc*J(f zZYg*G4>(8f>3na3qwcm|HlV#h!C_?h*Qa2;`8(>}*!FP;NHy$ZU~$MccLUba#=`uWCJ#BYg& z*<}F^!Iy&QCT+5XucA|VSViQ;k934 z@9|!*pQzA8OKFwJ(5^V&yb~zqvHA7wm^wj<^Jy22!X)_6@&6WEB7*r7c@|$Z62Vfj zG?Ej26X3R$Jh3wfJH(ME;LWRDLbdLmWW}>6vS9JvwuIW#Peky5v8Ir7z@Q}Rr)tC} z)3DD*<|9_= zW>mP5ETJYRv-em^O7A+DS4fP561PO`{QvaHwVXZ<5DfzzC_M`Ni{Hh04_6n&KLFi!_gK_GkGlXN%?7;5`=n znEIs`Fc5!`d(J;CGn-!0FWz=l;3wV5lq0;9(;}oh{=+?sir10WsjxBDo8nGJ$ewNg7GM~D=Epo!RcjFD>~kX28fDxF%YF49LgB~VZO#o2C5|1`}= z)SG?VQTfy{m$PJm|2M3AFjU4UbO<0shqYS zTKZpN-s4pd^i9w{p|AU>iWTxf`wFbqJ(B9QHOpHENMdeMdhST6I_3vX)5{^H zP@qv?V&!Qg7_lHrXjHIS+DC=-S87?cbL0sYV-x&TbOKU2KHZoo-o)1#;^+0takm7Y zNDxiAl&fjnb#N?SbQ=O)fz6r;9a8k2+4${K3k^+ITw1ufvV^XWVE=gLi48eya^mB` zCbdL?wYzH}il6n~R@X8azkNZ8BzWTVzOxu(6W#35#XRbsvJ;O1_~~k<^zO6C%qZQ| zUo`;w2$QVr`J)CFxs6KH%ra6K3aee+TsSn(z^}D_;cqeaRnl)99Da4Xu@I-VDrJPn zue*h>1pskgdiYL`?|=NpT($fc+?)rq9Q?IB9;(#pCL3I4TU8jQgJO#+vnAapo@rpU|xOZS3Uari?+g z#T>GBB$D+7i=x1JXLEbK%)VmDYaKINqwL7PNjt1~H%PF@Dp=dE%cV_Y>yspH$v>u{ z=F{#AHqT};?X$8ts|yf+=t;r>jvKJ^$Fq7qLcsaK24l2#Wx;4~lu|yYtWpr!27T2vOgVnNwBaxGSQyr!pOVD-#gg}><(Gxl zyrk@LF8{3R^<(|E3igf6ZtzALe^Hgn)|*pJc}3=8WE~lpW6I3k-x-CnMfkf4F-~|z zT=yziuJhuncXx#B2;-x&2DfI$_C(k<>CG`rSj;#z&qy;|TP+~Sx*)E#D82kBgZM0N zwg00)E_Iti8_mXb`Zqp6SyAPxGE;ZaKN{lu+Au^*jHMurF6^2ofP3Eiw`cV&!b*MW zxv4r{j+K2s{-saJm&NIG{^H72=duQYBar878Y!r-`qw{{RI8NL9NBaLB~jH!T>As0(~iE!ACU8vZy8!VE8bW@Mls5uP3#JpeDb! 
z`_vsYg~ej(%JwsjrAE`d;_HNkxY;fIui@xFaOV~!w-*>i&N~2ex~q$L`mw?rD`rjz z+a6lX^S9lLBav#fPw|>MuW_0Fpnlhzz;(_>O0<-6%3xuf6&MUjj|n4fdg3MV$cd4C zBPD}D{g<*p=@nui#uE6RxUT0_Tgf}~TxE049Y`&Vp4-_DqD@$;G)7FF!Q-;5HO80C zu6XLFHTxAe9PsYVZsORK9cA6^O=8CBG{2j^H23sy{KSUXFMf+zkZ5)_eM7vf_8*-F z&dH3O%HtZ#5AGi-k9XuAe7QS~xI{Mc4Gf!n*7vLH{ybd7F68y)&s1`VA>EeGDR2N4 zF5_lN9!~B~n3DNTEd&rgyMj3rew`RxlAoe-qaslxZEEz(6tn8kl&$4w6lJ>OB0T?T z`d><(C`}g@GAsiL#HU&S5-yrWabhM5KC$re)h$Jb%A z*fO;Zl6g?HQ$gZ1yfsa#J7l4E81|SbAr=6hzGAdxGTwL*DYl7ke4v%_hW_B-vq+OV zyQ26|W08&khQ>?52Hv6DA-L4leSM9%PsZK?_0)!GV_n}Pc2!V~Tz*kBi&ffb?dQ+sJ%+mj{BrR;>}>*?c@pt zfA#I4mq|}DX|S{H$(5lpp_ybpXh5t!D7Rk0D7XG{Gv;E{}PN}sK zC9?e42(`x_R4NyAE%D+?wVOIrx;ajxnc9yQ^`9WqN&i49Q5h}%5SJglyDgZvKgFeY z4tg+sC@K=3FfmtCUFC7H>Z4#?HprG0VkzO6Z%YP0W3z)q^K@m_okftL#}?b1V2s)R z`L7-DSbjaW$V9avaEqbvQ#3X4J1_8^Fa>>Tr|U1rsRscF${g`SZOKr8-*^^JWOXsdD)PKkhRf1-LHdL%^DNN7i0Kp@UY0sG>tLcep4 zt{Ka)wk1(M#Yt{n_>~Jkk*7dYkRSh|HIi6CLlE{EuAu#IOZ$(!K}&rn=#p)^(_-k+kH{wPa_+K@D&r@WwWArjGcK#HRvsu|1Nlqd1cwJAjOTTr#i3k6-%ymX2bJ_wt!OBvHjeq026csxD+(&(`axFKq>aKwba6dS zP!^i&sol@)H};woV{be%p@~whsakYeQbmLJYc4p`-yt+hTb3ysZrctiuBT*egcL8u zRnLPTNqs|vCLV&|1GB)?#`&s=^(b-0*x2<#&C}a`8JQS3qhu!pO`PR$_Z_lI5ufIn zw3XPSy!r6e_blyw=44Ob7mQpH{mz&M&7-I=q7_Jdz$BaL0fo;H7i2-KeDm{ze>$qs z*4*PoFN+vd+M!I&@pRYYB4!00T}at0p)Kk9dD<$HT==$$n{gUkaNs0AcUFV+zB9io z1EKV4%e}?tOzT)-^;2yHq)aP)qP6Gc2nDqx@gYy@8zTJ|ngYX`){G4q+IsOHbs!29 z-npc#9ylHLsvQF%TBY$I3Q(Q7J$Qx~gzV`!@ufTH8*>88Qwfcv^NY5}XrtH1Qw4?q z4`LftWVlo)y&Y;xb`xA45@v&kn9a4S{?@ z!lX=Xe~{@)8m!6%;Fsk+u`62ou<@T3Y#+(M;a&F;>gx_kk5X6~Q=sW`-?a`pOi+(@ zZ@Um_UZhvZ5pDxW5B~pu5o6<;F?enVD$W;KH1v}$0u^U(JZ0miM4Gsd;-IwNoqmLeGYDN4WRX?IG<@oTVF^$s_8UllRRRbS{b%YX zYMLrNMYA|o<-xQ3s$m{OldX_D_v-c1c49Bd1!&ef`R zv;8^Zp4E)3?#x^MU7nNb&r&?eQnXKRJz6Q`d>&ji>FW36t615RQBd6q%vJfnF%plQK^!3R4TK{(Vr?~ zS8DQ|@eJFOtlgn240sKx(aDI)Rg0pLG)VHiT$oIuQTq5)WDc3NX9NB6-f^t1GsQso>V=#{B10eD+%3}^Z7}bd|w(YP^O9!0wO@f(RMuTj0lqh zs-&Da**~AcVKTiq@-9YciB{GS)|mWWl8rU**&Z={Q$_8r0Al((MmpY-H&#^e<1ceU 
zN;46qA{XJuGqJOOKK4ne?ltO9+i4INEAA#r3(@>Bj7Y#}SP-q6prR{as=O~lJ^#$p zJAIUUNth6J+)E&W#;{`)3DQ%^l{G)y_wlFtVAgBk!xdlt{5pF2{p4Ly(h_p)j`&&D zs8EALklqO=0o#+26I20|>zYw%pdTs$R3BbG*k>lqd@PYF5nYk}>4RHVwgl&fPU=Zj zW1$Ar9RKbX%~H~i-01eYbz~{aj{fofa{SFSTXbmn3oF zdeNw>TkoF#0T9RrWfj@?>MaM(N%j}2%Vt0p@MrWe&_XnXZD1Ic`UmWbim65 z;3P%qehVN)obQ*vN>tagM$?gbWozo?MxDfYaY_oK?2GfCPAE_5fpr2W$qmjGd@thU z;T25;*r{*$?Jh>|8beRx8!K@Rg1er^?z;8_j}($E{y00_)yDj>n@&C-kad*-y+;Z? zR}Z>U;N6PYtmAaWOkb2KM9bY8`J-2~AjBjsywIwO%M<@Ug$mbC=oVuqA^Va*{Vti= zk6PK=XwYLmSPh>PYSns0>=XeP$%0Kc0s6(;gxh^dI5SQl7g6fgc%&{b1$y3h%`LGV z_U@Ll;3~L(f`Q}74H>2pn1@vz5K=q@cL`F3*tYQ&-e8r87?*B{+9hKe&z2f z&;eS_8v+VZG~%wmp|XKUaE?G=W`DWdEGX0Y1i7(U{9l z*u`-pR}ot*xlT;-_jK4yd8%7Ol0-YxDa**P2%;Vy<48p+oG0?{ENP}8nEV_0hHSM< zK7!nPzySjmla$)kSL}_gM`hS(!NBQ+)9+DM^D1$%KHX0fvv85YapIcIj`?I_X81#TchWGW z$gL~}Fkd`xMr2!*za$Tb`S9R-ibCTn0LtIor&;2O0*0pBzaL{7G8a8j*8Tx*R5y&ESr^Q zZJnC2Ds6s8t8Tsir1iKFe4^LQcq;LT-PrvO6n<6E+3dJzj$N0ffd(&_Ko!Sh^G%mY zS%+ivEm4F)X5Qzw;YnaFI?>NHC0^K*U$pTAnD}r>gvO0;;V`|7qE*BXqUzYnicF`? 
zypa3ao+qwh>-}bG*9cDn)4)l*#1Ll=cgkPu*L0XF4P$_mg-SMZe*^rvxeB>mj{QqG zoOn(T8;W#y`0D5YS-FC1+^fDTdPT$Z`5#qrOp8&C_mLVoi{K!FP+#+}{YaCS$#On= z5b&SujB~u=C>OrJCU=!3kcMLnY2@>Q5Q!`tR$|LV|z*ImpuJbDiz0*yGFXBnZ3joH4#Wyf1ug{TzgB)G z@i}q9@zs1kX&>Q(8N?@Q@O(*%uvbHv7W)stdi3G(-`vCvlAsU6ra*-umpgzYm^O|a z-cbFn|QFQsG+s3)oSAg{K%mlUcaR~f=fNFq*SBylCVq3 zCW85z9R}8t{|$}Rl@{+wur#s(OQh%>GZ$DQY$#JLGlvzjT?05cjuES0a=i12I<}G~ zN=gJ;cCmQkjo7BmIE2L(!dBZ#D)R;r@E^ye1S2zZ6dAGzdDI;Xr__t6mj8$i4`NUR zXwT%SqI4Ri1mu4AX7dbwRMD`y7Zsfat7v@UlZp-^fF~7reHUc1@cMn_x64pcO<^}l zVpOd5<>wc8E?9FL#Wrl-$FZvkxNi*9w;#w3L8~W>&U{S!!K=eSwW6bNV3iMDG3Zh&3D7Jl%jT|$I=z< zq`ZLO>&CprzisbuH}@Aq@|Q)wADR;PJ@Xu~# z#;Q{ep4PP){r>(BUiN7(F~% zR}`k1uAntZ#&sztI%DE6AGmx&oL7EBJ+1Ih2b1QNN?;Z5La^LVwg!d%#G#Z_xLUh;9q*=f)0P^=T`>B?!4XR>{F{Ogp6V6_yLGy_Wz_U zoj;vG+<|U>PVA%qtFl!=FPgq_+Ef3oAPt*9m`N^ydl%?5I@CqU;P!>R0MvQ_XCkNt zVZtXDDO$8&j=aQU@^Lw`)}BMR)geO=dpadPy!$WQ1L_&Ik-WgN*K>hy|7f~XIAzMK@)|p5SzGxB zgzop$iW*Vta}o1T1?={i(fQ^)4-tpU?%^GPwd z5RU>kpD932kvBw1@P~aCHH)h?ojeLI79HSmX%gPhWTMh~N75=G_X zrCaZlCZI6{vMGgwXGTs3OL6RNuTOFBnEPaq%oNE_USEeRy2$Pp%ZRg#3JZf z&%f(i$urv5ifw;}%yEt&E@#x-8S758DUaJ{C_^sMvt!gMPFN-D(xVT->hu?L&0|gV`(NTFz zIX3OskLRAPvBh_O3JO&ru<*x*3B&-Yn_X(;=^l9S4D4O<AP=td;Oa{e{j0PIiyKl2Ap)i91 z{3f9}?_yz#?D4fd@u$$#LjWmp*67+VJA?~UTOA__>|Askb)xy`=d6H|^F;SN^ZojT zSB2Zq^@3cV!>1N9m;EZ1@?T=lw@&r_o3@a_eRug=w0+*V96J}@Ml?H_@a|H=xWKP5 zqK3~i)dG;IN_?qOEcaDxkLS-1X$`_ud(vsVZVwY?u3xNcTnULGvicZrViK@S^uN%* zQzQ0_phjL*ul$*6L&M0Rv&xvKH`t%JDT-cBx@yqnMXI`Wb=wOTW$<^CfAPjwL06ZI zeHTydH9o0wZ2iSr-FyoccLJhRcap+mJ-}f^-1$E2G2=mmhakUd_1w#iV_;e7SLRo;@xeAnbXuM@f8Z=3IHo7LO4J!!wE4X+b8 zvG$B>_bOzVqCy;#e@&jp-uEb&kqPZavjH0hbVlZ@w%3|vT8$lwzB>S6r24=()~Xac=5jAZ+jYe$X9a1?HeQuXBHmtM1wIo z{vF@%EPOi*^`V7#@%4Yk$K3!rWKM$*Z60uL&M1E9=y#<%+m3ImsYrzrzTv9iVsMQw*VCqzs>V2{ZyXl7$gph%z6Fe@2|M6>JY1ZHJUsiH*~OKKi)68N zH6k**3jEBNGN{>eGjeb1)BMP|d!oa`M{G>y`!tqBz;Wd$f%GBCWxm*0%*T|gi&!Pb zzLXuG;;?Uzr^`s8a=mA|1eRe)(R?xj0d|(rK&eu@f#a4E$v_x?GmjP*%YdF1OWj8t 
z5;G1C^b@;v->=j!3g3LFmEd9z`pYF84C3ir8Cwo|zwveBgP#3!uQyfkxKQ-&YGga` zm;MhM(HDo0AcED?^;n~XX^Lymq&);6SLN9HtR|l#t!SV)%WBb>32kpZeJvT!&ic9A z=USYnTV;3HpYr+&SDZtwkKw##nf7FFR7VAwOhD}f8v>~ZZyk&gd(C^f9ORB6k>G3~ zG1uU5k@B!M$~o!G(0x7{87SDH$J&tge~v~${Y?M+pI~6S{K@S=B%>chQm=wRA@y{T z{b*8ygFq6&B0$`)!G3Q|d7!#O>3RYxLZWfoM--6*YUS8!To!n4hUE`wetWrHHEyd} ziCc`Pe3-=5wh(bGuMw$AJF(&e!4WgPE2g#sqZMtw{bVQ`^z6Zry&pmVntRA7W^J3q z4FOWoBfI-E%OA7Sf9`??p^@T6JwC6Z*%7d+v==mjS9|q-c4T->N^yP>^Y#PJfWA#Q zugiy}2Ip^jKhkh!VU|xWt8kTmqZk!HP zOGHxW^o&*Q?Yr?Dx9a_TB3Z><+Cvf}MMo=wYfrmwf=YV4*^cWvL9~6AW+3-Ag25-mGAvfHd!3X{Q&sDuI%Hg(WlhqDf zF#b_5^STB-*Ph#%XY78BDr=sX7QRTqRPOUU&k%y3oX(cjL>K%}iG8-zG3$;tX>&FSm-1NzUL%vsfdPJA zQ>{4fSdbX1>mZb+Dw;2UlMQ!ph7(g_p^sKCNXff#B!Jj`=vKJ$G$o`H2cNQbmC${3 zhWgn;1UiKeTIs|_evBi;6_yow={~G**%}Uwk&GLUwa2UPYDlT2NDU3%0f*Bir__Kg zU1*{{bnba6q?WULV=`Fpv65%g4kLqhJsg&e%!%?et}ZP!uN%oMt5X6oX16Qe1H(Ua zKuTV~0ids=)-o~CD`s#J!hyGS^|W3BV`9oL+RZZeHQ#Avf^k9?kX;-m#g&ul_6Ll? ze;aq$3ot_x-B|>)dH!M8ljS9(gYv4`*JXm_c|T4;-3aU2T3;%@L$z!Vqjcr+IqU@P zej-i1_szDY0^pvfB}9->-5zn{Vt~uaWnq3);nzM|))Mrj#w66oNy9Elg0cdYw}H}R zY+m^8rcMQQ4OYka4ft@$QHUbvBPZ`Un8tgZ^k8d$Y^MT2|SZ zuz}I}jdhrodpHr(d*C&ObUyO`)#4dfbBNC`{=4rhIB2q|sOZtz*_FRuAMRWAx=|O} zPZ_$9SN#2cg5!AmsICWBq=3K?J_T;;6iR9_0{^#BW;h4^l6TtoIE3Rodxqw^QV}B# zs*_&+G^xBe_f*6OrlFMYT$#~z?CkOOiyuPKvv&1w0Et*8=GATXw*I>tqx|G?9_f)3 z^!=Hiot^ZsXaw4g(^xF3&`pe`gYa}Y|6Fe?ubdNPJeC#JS+u)>G|~5J8AH)SgS4hT z*$@pgLyl6Xxj|wN(WKR>hdzI1`yJDBt}k&Y>~ihcm@3iE{G`SPG=hZzoC79E-X#s) z&8kycly*)Tq-`2JqVDmy&C66k`BZ4zuwzsEE+@Wtk#}(Dewfq+St4@uRWY6{Ko-dqa-RCy(Kh|kS6KcK=P}%B!>{Yu zH6stofIL{r^KsaEvIM;VE**_k2#5WYUW65Q+kuP=5weAlLH6{v3GU$6Ve zSAv{)sk=<+{%(m>lX!;a_0{J!inWvkZuXJiQ~8vmaRJMvjM9a-}6;1?kx_Ap~I_o?veSa!PS^wyQ(IB-LVI_Wk* zP?ChCJ6sUTtXOa56RhX5yV3ifY=wC@Vpqau$BoBLI9Os{`L#-s}RvWo-)Mm(Kn+4V?@=N)?fy==v@7OZ!rJGY($kJ zQhrKN6GUWre=r-d21Zg2HztXOW3%dXjH-qUXSHh-n?T9KsPW-qSx^T)JKm;)3L{0Z zJCCBy8fuKo(qRLTecVJNWXm*haZe{_sx_3Pu4ny<)`Z128Fvln=@5t`Z|6E=frH0g zkT~tAS%DVQUo5n}TX>VZ_brWAk-s9`n(Xwxc0QG#KRh<8xW?-nJNi6=h~E535F69@ 
z%s2mvLnOWV4Dk8f$INJWFBwj_8jWZJ4vb*d;KW1Ct6!cK7Jrp_O$>1!p{%=BFxcXc zGM5H(&(8rC^EyMfq@drpWPUtUjfUz%p7ZiQ_dYro7}lNCRLsGcQi27~N4%53LiuW} zW+*PcT-59vk-u-Rp2;fn`y!+;WyPXSGWz(s=}w|bT%5MVqXKGDU4`w!#=UiUf%eeC zg5phlD5qO}++zd9xjwm>ADLhG)*8GB6Yyl71vG}0p9y=TZ={~5!{{&TOiiEU`Rt)k z`e7il<7(!XE~QA9glaFwq&vIpCJI-p|5w3C z!UA9a*E%b$0c9aG)5E&*h-+uTsLec~S`_~5+7{a1aWOZhp9!36id!0$;kjkJC>T)) z0fYEoLMJgi{n_!s5JkXOPTsSF#uD%U<^&0RB?BCc4Hq%1%Mm?CbXY8cH2A7DVPW&? z#`BH!zts>&1Vb!?Y#RZE^mLeDj-ZfU3m4=0M9BQ=+OM+tk~xVZg;hvIyJ2cUL&(ua z`_60?@M&`rkrQ8Y{L*QsLI!xHyq+&e7eb)IW7>4xEVfp`1N^GNfc1@&xOb2XAThib zP|CWEjTBU`S%we2A>)ImrgmDwt1Q$~*!W?}^Em&L5-Zf+qJ&2tlW&8_54Mb7oSXUXASq2Q4o+wEYRr!tOEkv2I>#Fjb?Kq&cEp z>9*@7?{g`GRzr9E=L}Bad@#AymPg0}-pYVGb@}F=pTe#Q zmYyy;zdzi~BL+R+9L5pwF8=tz$eRVan<~zC`PYkMKphmv=|lg9+f` zV9rsEf5)87tQ=D-dDm8B!#HLUD$$8|SYAtAsC5}{%GAgY4h&Hv)1fg2oUdB4B+Wj%Ut+J~C6$|9=R0Gk0<-&E z55r^lda=`b7i(D;HJM?Z+^OH-hLHVORnh^WIjJ59Yj2p9ULi2Y03NK5$9mB%VW*sQ z393T74$N~Yp)lHiw_NfP$&aiem=$Q0wile?KCN7I-|n2jBpzDygAz|cc8u%`k6nIa za}Pr;2UiMZ_wI<*Qa)B&<3ynrkh^*HLgulxcs}9WH80Aka=ABzBThpQI#kyM zhGCH0V-S0iXrKZj#*+!eLQ&GB8REsE&#-+E#vJweF9}Bsc>%V#WBQq`;|J{v`m}+w zR=?pX<0YsCCu*~4Zcr(c&&ekRPe!0%$@A-70;3@+O#?3BnQU67rp$zWJiMvm!sPLD zHL~-?5ZB-r;rM`HbqRe(Q%E() z=q=tbvse*@jzW2Yl`4rg9c*Mn;*9@t>*X3@0l}q)#3X}X1VGjSV}3XWrPg&G&w0PD zs|_}`5o=Kj@rZ|6l4jY{%;nxWXXZPaZWfz9k{U_t)`;o5z|i%~Q-kZ4?7qB^12(=A zRd>ix-14$X29La1Lwagq#N(yeJ)*KuVWd~t_7#E&g<-A=!MDZFBByowH{+ROAIA#C zurNG^#z{rT>7|M&-pci3ZhQT=N*zT!$#f0a+d=fhP@p(W^FRRueG4}Q0b}Lysrt#T zaWm%TNUPQ*ndE8n*(vX?h{j-w(L_e=Nyx}kaYD#Xk_|@USIS<8aMY4aQ?yqMK~z~G zC2?VOQyTNIu!I%%)kf9CA!(#6gcYV z>~1E2$2$whbU}YgjQQPhHEdrTQ`HpzihT#Ad=jhQmeTa4n#-AqiqW2a19V^AKQ$}_ z8PfT166TrBo$6xyInIC5H_{{k=D?aKk*lK2%Lu5#I)*jH5JUv|(0A_l!tm%O&?-!KpUP`ZYo~sD5`AGx^e4Fm)S0M1$ zBuOk~!DbZ|bU^=9KQ0F)27@Gzew`$ZVP4b~y(^S+T$sxV)5x;}#WP-47Fc{yHA#%6+d4{)Bgw z5@tu(@jFXJ;HB&)EQ~n~oEFB+sGXlv2UgcTVuJ!6m;Mf@d(q_-iqsnRpx+S`syak*lv>ix=#J?6ePuou9v9 zwM^m5ONqieKNy=Ao?WT$~n?>Tw%q$0mL`E=`8dicI*H^MHyBEL^$p 
zA^J>dUaZCBPo()yT{{LN#J3Gb^=^w*sx5~;ZnG1OOP0J6I0FBHQk@oj3rsCZobGs5 z@0TfKP5YE({ER0pl^qHButQ<#xN{~T-w0HE^AP=WtLR`tjx}+ax0=pL#WBfaqbSQI zx~tBrVPKh?H?C1(NFVWMj4nxR5l_@1I?mkH`E-i1M-SVjlv@nwkh-;c7jCy)foBD5 ztwht28{dFs1p!Z}tIdFdApwaIS%-H?0tRl{8YvP!(Hd5s_Cj{K7rYZ#k&U8o9F@Dv zr0~WU!88@YYXnfY&f%OxmtVNr)@RLpRBeyQy7-{Qd`_jNPDT$>o6~@HqbC@B7fO@o z8;4aEZ;zK$j=zE7z{_-4-GH_=IHoU!9-K@!f_}*pJb#E)Ql|?c;@n{L9#UhTGgzUK1b(4APJWt?d zEFa$krIQF>?1<$2V}4!vwTDh*>5oawlViZK+kxP!4s#*QOIdm5BjcE&Gx7){8Z|r2P&d&bJ z+K9#ir`e=$-%~&m-0$Oe)q-LuQ(oQr*hSbH$K6@8S{Had!93g@mW2?EiW{c@_x88E z@vcTVes1j8zr0_!C?cLxtG3E5JIU;QL?7P-|05xnLmn2?z5ZKBE57QM_0gY`gnpgWz@$<-6if+52G$oNK+PeHha#<#k#;zPJ0-EzN^& zabp_23)Ow9jdOU+oBBQ_nn9tLn`p$&)ms;YW=fh4{b7wkQBpD~(@nJp zy4mRV-Sm8FOED_+L@7QiRpXZ7@fgHxL|}#z`|@tiNSM|06Urtlm@DD;4(W#_=N`eI z`pg2buao=P6L}nyB)bBfs6?hT4cVy;TGJ^&6b6j}DKuFstdqWky!Df5;q zh1~_0nb1B=>?&FTRJ3Z{xNgWTPr2cCWSGN2NpLdw#MH!r5-CC)DP@O(i|6B`?=U&p)3r~w<$YKU zU~9LmdhD7jr#I{Y=lk4~(2&6H$cKud>Gf$(G@bsbwIJozF_f*za7$G!`X$-c_)_EN z!a7<;oyXzw{EHVL+ix_gx5jsrA&P;hUK6J+d(= zl}x}4NZ9~!H%`vczH>**!asweu*BHmTPZw*M5!nHhww#*_!c`BlU|3cU9MM_#T>%+ z5L4uk11)K35~Crvr2cih)X{*QRyp;1JI!MZ|Qb&(7JJbg2cV{)T=glW9llZHr8DqwRj>q} z6g`ZW?XhdO_>-WY5*l%ry^FGHHzgjY>fP(N6b}yhTg}!Pz-NtB4+;5*iStq?rK{cS zg#eW9^D=9>sGT)trR9*fo^-m5NJzoEOGsKd-S5@WI+N1ly1czUf`rGkWZr^!Rpd^N z(x(woju>rSDjOs@8Tr8S3y$~W2HlyAd37d~m=^Df;-bQhe&XFq&@+Jg4*y^SA4k{U z^0q7tptoROg1wo>(Dwz1_l&0fi{4fE78Nnw=|a*&LMNArtY!d9)})@}Cb>C;Th&;r z<-8@G(=8u!ttD^i{iWGSqO`EB810v^VBc==)5mxvG2A9u1rgKxkDrQyGG_OyluV8Zf~}MewXP*E7t=fm6p+ta(~$~# z5tkmz&<`pk=*yznopK8M8TrJ>sS~no-S*`WW&*y(6MVE$oR&$3xyL_v{r>+LI5*8b zpFS#`i@|KgyzmQx9(fs&Q}!ELmX~F8F;dnI7xSYS4}E*A!;5N(I>UUuUPo@`)B_as zRcdvu+Pv?nRYO>>IY=LU!{oMnzzNQjS&87<9_nZ2naXS!@c}9bHQOUTE&=!5eH5th zs8XeVlJk)FHC6>R5c7cND}4~CkKunyNyKLtJaN$_qC!|{j_(ZN-&wZKPMs8%urg`;G9M z3(oH&0z0*s*AH7h`oyOwuP9E#1Ug-oXQi#0^jSXFrq2JjmrqNf{5~pm>cIGRzAn@H z;#c-TfCk^-koU}9-?iRG_^FxE`IPhx*>MU0fy03r5At=h^k_!RmMj}^97*w9Nz6=i 
zPNdc>nvk~DVty9K1xri_H>zib3R+{d5>)l$lq_MlU{NSBMWad7iN3-l*hKYC%W*UfOzz5lV0_W z(xwVmjn7KSRC9Fw(8wLODwSsDpzGK)ez@83*~KkxUm_GBsPZevYJOXClSOSTr9!Ms zt+0d#f4$TQ-jc`W+Io98)-4ikQL-zMul0;Ps?SWCd^}dHMsv)hm@nW_jp_yn53n#8 zxymrXpQ7T~9WqNyBg}2inY5~W94R#Wtnhfzd;rtyFhO*=zgNDsg)T1Tyxst=2c#D3 z`8~Z?5D&f?R%eXh?eRf6gp)JT5NEPrVsGoxcZlnFd6%FmlNsJj?4*1#P;&l0nJNiC zZ-%Ep@L2!57cX5Sk1MRtT{hlr(9wn2Y}^=DYgkC@y~0)0@8g)6M2S_ZeQz-f@@F$y z3EYv1QbaDFFSuNqj!Vmph~G4t>3mFa3{>MB%crHagcc3SdB%r~t^zY|ql^TJYR?oE z3bFVLD4#Ok-pw+WUKgTkZLB|5&avR7Ki~bDUg7V45-fluH$4acG`S#ozom>*qz~Un zGk^3uDtJ<2U4CjB>|(Qdf(*Rur#xdK7~W#Q9W}Yz()67;p7-bJz_}$F@9*iZ+fi77P+7ZTuaKu3TtW#{1Y$Ev^}4dt@x)6sDYXu3?lWoW_XJaAzcqHg3@8IQ$~(XV zw#%M6F5i$9ZVU4erDzEXVf6PXlr}!JA*L3q5qJ>a$C+vb-F+r>(UzaQr0~n^F_uTI zH3DU3$H0w#i!&@IaNbCHh0v>}8p>!IQlCG6Sj2OXcT!z;OPb9n=u^RMT zCOHYCTm()gv<$6}CPR_Ms+AP0Fay7itGN5uv!%|eOAlr@WF?ILMd&5?DG8dAM!E6B zuMv9f)K|_4m5jMcX%i#VF>S~R(^AiIiGq4`?3OfE%mS}&&5|Sivbz$D`;6;}Jy#7+ z7jVnlDz|+PxJ@qLbM>8Ot3p^2As0ir84~X=*KK#WTYKi4*C~^Z3 zZTHEWtk(~urH0yb;WLt=7RC(Tfz>GBCjm=b$7a24S*QGeDAt%p-^CeL;yA%tsXp+d zl6^cET!YwSG`t;`R!NocMvAJ`>|SXOc*FM>?7=O7Ka3Z>X+;J1_!A;J7}(%&hRy>R z5|q%sX_&u1XcYqNb;YEHYq~vL4y{d;6&^RBf z26tBPdc0`18AJ@h3z+3mYMzM*eZN>X8HZ-=mhz;s+Zx)}N>@gly}NqhpmA1UWiZC)?S(lF=Wkz&y{s6rKV zZjJNw44|gk|AD%Bm*46xEDUkPxqEoAFB$oH;SYA9`v*OK62PKRXRU?>w7r{gLuXv> zR82q6N}YV7jkJ;L2J=LCIloEqJZ;7TnK1d2U@-)y|&@pABlVD4SW z+*+=Old#L}SQA4%Us5R9DU$8zTsVEY+jhJ2oa+>WvdBsjlOAoE*@Y_TkjXUbjLM3l zsYWYb!{8=l{(}t~GxZ`O21*k$Sh=8sra@T!@WJ!Fmi1G4Q9OZ1o_^PzHM|h^uKUOB zMZIRaoKhv1ppvI_UJ)xFTz_X$r6^xq_C%4_uNQ-ZT7Y%%DeX?bRzMrnF&R}q^<`3t zswC*6sgZHR{5qaE%Uk>zFY=FF{gVfuvN2JlpFZq`V6J)4hM_)_L+f{Bhh8yzoCvt? 
zn9N(7JloeQU}7{FTdIw)y*;p~Pi5UZhTEUuVV-WxbT@f>gN(vkDvWSz!@T;ZQ-V*o zgS^vQdW+Bv&a}-qMb5!`BGRA+x13Bo?VcZZlre8HEdJylgFlR?gS;{Eq>p~}g~6|R z&=cVuw$JI#o865tSzjBt=iI1ps|UiB?!1>OF^FBe-k;tb9|Gg^lp`ql14khBvT`M6Bp*ef3^shJEh(G{}k(!>@GiEWF9cXrXa z)tMrcbo>8Uq+eb)9S&a zrj6M#YoynZh37skI!W>)GjegAqi75M^rytHb=&NH^e)jHqa=dl^s4kRf|I`to!6#K zyO>iY#8l~OL?D9k|AzX=$SylF4lFLwIv20g#7^9_(y>aSrSb8bZKWQh9^;c~6-MKt zPNUMj#Tvd zo5Jan+gqf1z_+ST1rDEBybffpX!>`3iJ^0&)E#+I`GqG$UuQUkP>Gxk2Zx{jKAK~O zTu_c)6(ZI>klCo|!adf&;9D1WCX2Q!MEe2C--HQrb`P(CQk688VcP5dBJp4EXrEdA zuJ{v`$LZ=)cK(*#B8-J2Z#TwLyrY1{L@bK_$RF!X z8D@eubwnaT{dZPYv+ygTH6*D)Z2p(u*Y9=l+N!hfkYE&l`O#@bFu7AZg?A)bm1Q7v z$JVTtW_)W%PStOk(cR{dq$A%4^d?FQ5&n~UFk|WgJ_G0k;RI5|muvg9KLn#|sYD0H z+sNEge=T(R0GT|cc}Uhxi28SIWJf>0%>oJKed*&Jm0xn$WFGCOk(Q<%GQG2+qmx>O z8ix1=2jm(}x>pKUDY8g=IM00>TeJDJWpD3r=n^0Lj_iY(>J!;EF2>kVUUekp=+|BA z@GfR7XIzU#6cGg`%~>Ud1XH)%ZPeVh*t|N5D`rq>)P`u&;PIM9(;mX;*pI<)Ogm=B+ zpgjB3KVPfwj0elwxAB8baxWhON_z`4;GapA;vof1MnFHqhj%aLEH6bk)oZum$T+V~ z>&A4krtO~KEX3GW@Zh(X01~CiHt0xTkYhdBFzs$W$e3?t#dh>8d8yq`(;r2HuCQ}l zkwW1sC^Xm^ATl0Q*$9fh}y;`Lry zu#b$QXw#o`Z>54BlMSM%^;J-(ZDJL3+~Q_H5Bmgv^Af9v%Unqe8?|FMf4;rwdzyp0 zE?y6=l{tCjjMYry z>m~5|X_pb3M-cbSZ3aQY9YM=#`Bbty`K8wbh%TeylX408k%+Ws2pU^pc zkAVgrig#|ZiWP`1nV6mb{AU^u9C<5tXCH&_tN+a7D@(V*ot|sHU5)<|T=_N0T+oF{ zf@n(IVY%9Sr}@~~+GZwSklFY!GL%0PVir_S0e7H)bW^Y6-WVPGf%vKnc!6)yaKU-& z!B3E7dLM(giwj|*2Z}y^niw}S(JGoImtc?**`pO{PK&Z>{<-c8W z;_a=uc_4$swd|Yfi*QI4BW@7{<{rmZ3}y(GxQU4%?p0Y$26R%9cN%5*&mEqhJ_Igr zY%aS@TWY|;a~vDCHDqNFy>3BOw$7<8<&k=QEGJmxF45lE%3tHEWGxC*}ipw=c!h1aS3b}+7Mb7Wu z#nZOZ*Tb%N^|z*oL|G=JH+V@PqB3-QUrez6dm;o)3jZu_H8Pe@9IMSHLs((Pd1kUO ztx_B#Z?NL^G@<`9wN*$TB&C{=9^Evc>nSn_1YQdEYW7e9^J{+hx+1jbMsIq!=P!g? 
z$Mm%AzSMB`htYo1+&imUnDO+kO03)a+UVC=xP@b~xLN8f%aZz_R+1#RSfpxR*h4<& z+K6HnlOSNACMQ|0GB^8nf#F+Rs4dG=)krY&FtEq76>uqYHwDBPuLDf+$4_;HDJ$Q> z1QoW$xw{OjXp+e=24qriPeq&LY6lfn{8!nsu35Ibtg#;zg4r(hwGXda(oy1~eFC)w zL@eK?DJ6{@*^3X4)5`8z0aon^w`(Ktd~54Sz2UE-suHU{P`D4ChI2_-9Ut;LFi;&o ziiqu1XPIMMJjK#EU~e67%=|cnD8mmZ`E}0gF(I7d9)ERBl`RE{0%EIj9O51oD)`M5 zkgky*YMfW+kW@(dB^B-7grtYSp>3+;^gaiJaHe`8g!aDEbAP_lpgTkLt1NN&1fZqmMVL_8 zL&Vvnh_N|M>UW^|y)YmS_$px|Od}l9w5^{_A$#3LadYf~74|@+&I3$w))y`{v6Di+R6y1+46WV_L z?&iAoIB|tPfd!6#@_=HtBOILNJvp&N(YJC!X?OHngSIo$V$2ke z@GXO6qZ)w05~?}8AQDUGpIRlfpbj0JMo^+gv^Bmjq3ITgkq*Z}n;MvtJ{uTk@2MGU zz0bTvZ?F&NG+t$xdNv+&<#aAPJ|s(o7bEHl!L2E~S9&#SsT3pj(Vn|h{je-s|6S7N z-fB9zeeo>hQ3_3aN@&F-&J*WL+wozz3zryc9anyx0ou07H=u2s9Mr}Y%=#>;K5Qpt zmaU4PB6=IDIe;sBsr*mjc>(`&!Gq?~L8haAp6C)J+{|HVPzt^y>ZtRB@T_DDLzm_P zg=^e?E(EUwswmWotc?W5HV+KPm)YVuavnmH%LM}=j!a7JUY#k!vadFex2j6;$y|vU za&e&-wE8r z=2Q#jGNif{@2NNG^BsA;IfM&Zch7c5k2XKAOg^&_{iLpT9Vf_~s7_1G9@`vUM`d}< z0_U0K(SixZpyi<@s`0qX@wkdb0m>%53vnB(Cxyy0kgkXQ_)tx{KX}~~y>NxUf(Nu` z=?5_*=+dj-0jMjZ-x0?)Lm>BmT~|U2s$yJ|+3jiJnN6ph!8Rde@c+}fifj_8nOz@? 
z*+j9*J^opD6x8*ZZNoN)uZ=t1KHT0n4m$0#AwkX=qYF?4R-*cNaE&6Bc6t+u6d03A zO5-z=Eby7HDPA1d0Aq2)>%bxb98%oTdAnoAe)Kl%L-&V(oA-<$kNhl1d`dCAz<~XktXwLG|O- zSBUkd?vL_6WeiaHMjlg!RI-p5-UZTr(Br@Vr~PaybPMW1N}3?;w)yu&o4#0|uHkiarclpM@KwVf!gAb2p3x z(Sx=g;TEklkz#Mos&+v0+gn!N1BD-$@mo$NI&5aAgpbl9bBm+z?|o|}%4IkCmijOr zeO2ApEp~Hv>>Jk)`b}h_IH4y+W>_tXYzHtq_v1gOwE%lsl2ZFGRmsZ$>QpWE zjmnK-`X^oqvkIqBrW-L*O_Smnwq~fF;anx#KvZ+9Y-zxMO zcG}}q`Uc^7gV*AG!CsN&@Mff^47LB72uXK!ik^Tog<%y6ucHz9Fx@r$b*;fnjO7!n zp;PAD!0SDIle?~cwMXr0xy$azP@JgdNUw{FsE47bJ+da3>w$ShzMW1za}8A22WL?d z_=K?(+_ADL*UOped-(4k%76^0%f48PPi0{OhhAA~->COMt^I6!vCjhMTo!gk+2mr2 zt_!SHJO}VV&PN~r@=d9$0Hj9U5h`G7YAj2yyh zipU0I(T{PA#ir;tn~aj=I>fs7s^MV_3V%V{TPZ}j%d&2H_uzsT7K|hN3TS6R;wqiB zqNOkadHd@cb=sR9F3ZQrXjt2CEt;Dr~f<>mS)EN{pZ0~~_#fWk}Ne3#H62o!nN-}<=5Cw?ud zh8BG$#T*H|%TkfKF#rW&=G1M)`C%$D%k6<5h{*QJ4ZSmwd}S-BgJl(!Y#3n}Q||_H zc+j;KQUAkdLCT|gLXSl%G6YqbFR=k$=sT%4Ifp4Nu)v1?+j*PiUNv`wN%>F<`B3I# zh3orW28wvB=;4&BZ!7sHhw}xLrS9ek`-#Kls%LcYU8FU8@7Ls9i%_D+MFtlF7Ps_} zWxg{L!?wPAAp~*=e{m1?zeD&Uk0gdZ&GJ4jDp82x@EgpY|1GhETWjH3b+vT=9VYT$ z7I()6&zH$oY~)J@VpvdQx}+1;SV>jLgE2Zcyx`xoScEnNROKFx8+0Avb5g5tRTaJO z#b{V;DrO}9~!C7`4ydn#zd3P=L6kC@z&n10nD?brBL6FyM-GEa8 z-2bXMdjPttc}S8?jT$FY*}mln2{4OhjCyWnJ#Yy|7%h)oWXa=oT1UKE2&e znaVCyrMsT|3zD=B(fEN-!EUCx{n&~oxc%(l2~(BXZ9ezl(!Zq^WI30e!tX2%dwTY0 zFX_EbhAx}aATET`q&)g`wy?fXE}Hnjk2L-H?-W%9ok!t(QLP%T8%iSqS%52*9hz$v zcSs4TV1CVImsr-(i|i%wdA#Gzql@HjRG0J82P;8w3e)fAbiy@iGL&KX=Cqy5L z387SwRGAjO7wP^q*n6kMP|0hk?+*G2K{%G3UF#+pxw*q%OUF6pBlTbu#iywF6*Skc zox#+9(?LWfJ)qZ^US9jtGB&P`MK^UqGVZ`ikB&! 
zmPj2`f2e$ac^vks<0#Y!&QT;61~7gy-Ln;v*rpQL{7^dCJZOaKd?6?!KDU)t2sND} z;~Fh3)K!<)>C#HvVD$<6HchSYD5=Y-W%*d~V-C}(NX@Q)0k~xj{!xlj?^B-JS@g%B zPhTs2_QI@HgJhf1`{PK9!c*2_gnw+5Ts>!MC`CBt%;{|@m(CCjp$W>pAX-D+(wQFh zisO|)_`x3N2c3xYWHA6zd3EU{1qJ!<#~D4ct-!y9TmJ-}(wWx8PgnoP)K!Mn)%4m5 z6nEF+UfiV=cXx*tcXui7E(fQ$Lvbtac5ruhmlnSV`n~l2;m3JqGqWez$x5;^!vN|; zd_G+zanDCSlA#LWF%?1S=VnA)D0H zaqy7wvB70Gp#eumpmosbB!Fmc_|rq(*wfk_&eTSui+Rhky+>hL3ixyysygwma%)MK z3UmxtlwL+?zg|&~x3c+1{XvlP_U# zQhh;PdU1=vX9lQ0Ll}SRPx*bpb=zzYVt5sMbbcV_oeFUe$kB=5hhaAD<3(^sg!Y2r z&e*Ys3mr)pOA5-n#a&iU!G-g7pDZW=?9}E?=hCgZU1ZX0ehz+;E1jKiPjXhrQ(!0% zDlr^^YcILxu(vo_f4|g`CZbUlsWR}L*e#dQ_VYvpgvXQ#ruc+f6P=&1?ZA0gorP1t zRRwPzr?(&y_aJ(qhiVbr_401>#dRQAov<(P^bXWRJbUWPXGA>L5&7PpHS8m?d!Ud5 z8Uwy07!1V)G^zHP#OPW352n}GS<8puyi@T7e*Vh-zfP?Cd!$jU52*mgJ|o?*^tBr@ z=vm^B;-u@!2wE#8g2Lo{@`1|ni(koaZ*S|1@P`#qgy# zJEN1u$E%)PRqqH`Crwa}PK8`s!Vg$w+4g6ZJ9W!%j`@Z)Y?iL7mJ<2XGpwe~)Ueve zb#5Z2KYnS$_IT$626qgvim7^C{w_hPz4p7m_ZEn`NLnlag|)_8*&5d$Juff(DW03G z#5Bw6@GZ>y!T$<8X%HnpAZQ>|-VZ(l5t_e1gl49j_*SBfC~{2#I-?2e9{Avzkk89l z(MuBKQM9^{?}&di)KMpSWCwJUvCEWNb>=L;Nv?k6cA~~Y7wH0h z<$;u1cECXeoM5;vb1H1BGRQxKVdv>eOwz}Ynx;yiEC1Yhi{;HvgY3{Z;Ec=|UrUyQ zQs2%R_@)!o@BBZ)m|!@5Dy}9RIRvKk--hi;YtWUjYCoJ!XqP;BMe@gZKOL>~{cc@8 zRAXUj{#7T{Bp+&G%7$ivF*+hMXnh<2@D9uN)Oa4_r4$d} zQ*HI#WTlPo4m%_g3A~GlH{s;LnnTZlW}LZz*ysBpXaL=-{NazsTH2?cpU`>PEUww4 z&({VpS7o-+lvw&=n>wLyb3a|t97%E?5L0OP>(s>0o-P$Jko%^fP+o5CX~W?*($pFb zZ`UkUM3A+VgCB+edLXO5MC9XX?xe%X6#3NbA#!OS zTl9Q5+Q95q2@>Jj`hrBi%5BQ1V)=7~GNmiU9p!=D(7l(W|JN+K;tFPG&C-sm>x1>; ziq3|?-)T6dc2ew^hFop|jyEGj=KWn#EuuC8l@y%51t#;bqTNj5=WD-_umW3Q@Ug!| zp{%~p{G>THBy!~7;Lh}EJVVq)MgfnJ$YbmLI#@WzMH6&mCB@B9S@Z^e&7G~+#PF(d z&kr2%!iAh<6I*8?Sz^-3_^JL3|73D`9H0rGM;-aKZEixju~bIKkM)`^lbxHbpC`aO z@Rg#knbW3R!O0b#@@&&IP2j8{wRoJTN}hbzOX=`%k${m~aTJ>=vA}IrGPG8N1&7Wl zBns-Eg@ads4n1q;4LA=_I5$flgmvD`d?zdick7UpElvVo`DgY&XSdZSCmZf$m&`H`6G>4%wPRpU877_q`E>E1R? 
zRlI4;&vj)QZ~w)E#KtVY0JRThVjWZ0dyIQETK{afp`ZY?2YEK|Llq!0hgm8Yb@Kz46qc0tqxvl=6osG^4`->JR zH8Hq)#lNktO(@dwAjHcFUv=aj707rkY#mRvC_$u8_wp>{bpo5WLO9=D>#oz(5AWV(AZI3KO2^K{3wb>;l!f66i;lX1JN*(~8Q%`KXhCN(#VHT<@O zKk_cOntabhVP|H0L6N!*ynC!x(nfn2j5NhIJ`*@A4COI3>y}Q1D?|mKaH9b6+$e-b zAAicJg;|*lk$%is<-+>zBZj!_+H6$RDA~LD-PDfeh?FUI%k^3_tltzE60VK3{%5dqI_!19O;EAQYswwHp2nn{Vv;y?rIN9dMPE)EPL%)Zv@hUpR{* zAkLyWa$wB^>O5%3Kf~XK55UzNCd~j?4j0w(FLe$*AXite z&7;THzJHt%qd^DS3+r8#9yG>(;(@8UqF7utg=YJryZ*wRgHN$gY}7O6Q!&v=jz7li zt4mB~zg!0O?ML_}Et!D7CSZNSXrZa@Hic&Lj`N(Ge2k@vG%p?kZN1s6nn`!@An->dG@|(vup@05h}qFf_;;#GO4d z_z|$=ngP1I4rZC9$2Icb7k z`psMF15tS0jw1b36|9Z;jGZhRyNm@kOmNJ^*Px5L){jS*^%r&`58WC~?Q@OaiN2Pd z&e0!5<*h<;v3pFbVl0B|vR?V^E)V`zA|Bv&r{>V*WEei>VMDqPGAEy~fIPgi=YG>t ztkqH+ui|kaV?kj_>sU*eiOuy?FrRG3UYO~~h4ow5#Lks@z%6$;aZAY6Es$E;KQS_$ z)+;V^zrHDC!g81=oGNk6+IVB4Se+)=z@^mjbJ5|C%3sUm$G@DKL*($bs>qd1M`t!{ z8gKAJI;xjz_Ou@I(0hFfu&5q(m8VMpNiI#MGR(4OEogC_hiVzeM3WWt)x=ueW7 zi~MV>JeR_2MYMVy@(YTUgO*DYdUYq93^O1F=a^PYSGY77=!1MLt-0V(I@Xl@tb?G| z5K%fZeG!5CoFNL)OkYJ+=x4zIpQuY%&Fb|i}v!T5_D zV{6ey8wP_7wquo^Cffhgd+VuFQ%#nxda7rNQsD45n50&A$l5#H;xfaAZ*EcFZi_Mu zepg>+-j;3q=5Is%UXb>}!JyO2q`@5&)>%sL_yXHfo|hHu4A@PqcCdK1)X2SEuN`!D>?aiuqLW|74Hnuz-B z&tWRG_aw~;q#JYCu_^Oi*#oZ*gze=y z+QW`93Uc#dP^X_(kQ@*(J2mtDR>^>5oP8eVj@XwsMne=^kg*=N9$#e<=g0{J!fan> zU+cghz|s!44Zz%b=2@0c_|u|J?(vJf6~TBEw7Yxymf7c>vD>;`YBat3F_#V%snAIl z))|2(!p+F+=WpT8=$|YgKz)TDKr8?&5&+LGFS%Zc+U~b?c^;a;V&syXCwaY`J^wqF zIrIqAA!tqXHKp}y#+SIWc&!hyGx~p(;w8(btsdQIUU`59Jhm$qG#9ch<&m&NL|t=s zeOH9Xu3@v+q5kNJaOBRii<^M&_E_KF=HI2D!VW|Q|4d&h*aU9rB6huB5sc_UD056` zCT-*NMOieIE>UxleJ~74uU)hLIBtr1&MZopUyBf*_gtE-alyhVo7!Q=MDEBJOT^Qx zOucXHc)q0#!RmHd?Ix;M*v{;QU~`4JJJM*OT1IB`xiEny*sMKE68`tOn07@` z$p$k*OioD~4uYN8s}FH5=`HnFu`>h3H*T+ zdSt^&ol()kOeQb$upk?bhv_rL_=;`tVSnO?Hr|rQrY!$97n~|s0$oh;`=aPlg5JDS z68kkS5Z-4nS(}nn51P$*A-g zILOO+53?m}Wx42xyO{1g18g-TqsRv8lFc5WT)46O=N1t1Tkk?$@$0n%F zo@E2z>KRUEqTbcczD_&a@xG2FPZ-JrT+_!Fw)k3%ibhPTEM1 
zrdj3!w3OP(OBabHcbPZjp!w4G8=O>>s8I|MlnCwvP`HBd^wc3g$WHALTIpJU@qn;eWU2bkh z9F2yuQqn2&2>JEZFG!Tn|80v_eU-=`K^2tGNMs;B0O)XM+a1xKUWX;Ow1Z&B_v3G= zQ)oGk6{?WjIJq?p=84^wr%>t1$$T`2 z@fmlFi6CD>$L%gbS-;>PeSBa_dfP^+(^s2Ku@S2gs=_8%f~@_66ooEnvlsM&iID#| zIH^2D6phJ{A@oQuv_=329^fN_oDZ!-`g$puZXWgHPZRaMf@$h5&vIK^@w$+esh)O+ zi_!OUP2xvDfynjcIn??tjPL+WU9;zYFfP~zK}_3V+$b2C12J?d_ToyauhD({J!Wzh z_3Jjt!Hmg*j>vQ!Q82HH+H$~0J2n+1;YWz^9KbfZvoRVaA2b3jt=ymtSFF_MeX=G5 zikknpig{PU6`rkm8tF&{I(eO#_l!zdG7r9cQP3*A1kw%~iA`O#N|N6I?xEew8};ii z7pZ3i;&bwf4(U^RnxW&CtV5MwUVFZ4@duH$hARaV4ZNS#bI`nOQWXeD`s6 z@?jl!Oes#^#2G1e1o4=DUH6%sKN$VSCR5Rj-1Q~eg&P{Q@{`fw=vaYjA z`0+}8lMZV1vqd8Vv^>d{VZns%T+xBaV`j;+*NNAv@f(n}q{;*nHJ>LwA<#W;R85=D?1UDwj@CUA@*yAf`+gMJ@{x~XV0&6+lp7~p182ADW3lhRmD*nQhP?O0 z(p%fWPg^~ebL-^yi^plDy<~WB)os(y1>qb_<6!zxWRC9%^pP=QYJj0glftaBcRf}1 z{qE69EhB?sAgYx-Z1wB1^v3Z=k+tBe1u>0Zmi1FiCxHxRe$wWqS1UV0K+U3PJ2+3j z(LTY|StJy_eA3a*f$Z4K!#bIDf1z;6KGDXe20X=*dF|Z`QD{Q1gS5j>Vv|5q5dV)! zdOnRd+4*qdHp}2Tv)&xz>J?)eN!Gi(PQQO@kavItQUkw1(4mi@-$RR+^(HtN;z56C z^9_QD`L_!@e*K=X0>X{$O*AU(=U0=-bmjk!j@elN?5thXJJp&PL$W7_dcQPhKhR@* zBT0F{)s&>kImwEtqRK$jC3_-|eTwwAy$6s_*~-(lBO==UJA-?+yti9W#f|}qpXQ}q z)@jxg6p(uCaFWE!_rr)gRGZZ{p*`IHG=tZ;s$|MPy0G$31NE&_w83_dj7R_Yn}LZcP~ZlW#C*s4BnQw^!` zx`?y|+G9C}vnj~wzgbB_SN5RTA3_@-#V-MG ze-`dZV$SVdia*S45PJRW=Uof5IWeF5{(F5)5%!s%MBEH&n{^%$ML$WCK&K+>k0D6! 
zqA9SW)p0TDI;Z%Zi`H44D(Q@wTQTLvkoWbKqjahr84_Hc_w}n}_sikvTg|-u-Cu}X z-UQwF^9Ik~g_k365@sZOXI?7E3&mPuN%{Au?pXWpbvknMaLIaw-HuD#W}2m?f7H|b z^1f6*%=9oF_;8(BbNh0RoSfgwXrEnZH1ROJ*)Tni;t_dI|Ke6_$Uo?Qg>CDCf0Ku* znPWrS>*w(42wkYP2wNZH)K6;V4poo+O>V% z!m(tpgMtCaJY;6<1S`(X_Cm?E>0_=@<71xVNyfRt5=X?oH6ce!4j|W_FdV0b{K&IQ zHLN&Oz!Mj)=P#En5;H8A0TYF*4U_s<_}ls#>(>D#)E2?ES)@9HB=+`9?FrQ5}r^j~vqd}*D2x0F7GBpqLW(_C5M9W#?{G#Qy z!DH;Fc;kf<|&olb#PsJohx)Rfa@h&A% zL-gghkt7DiTkiPr>468ND1)}hQ(}GDutT%DuK#2qbG@7N$JCXq=ki4sT1>38VB4X% zZA%{quBY9SxbU_dxF{&DvOY(zc{divS?tjqB+WNdACyRviA=#qVvk$=u312yU@QyB ze7~_i_Va%y>jVRkZByie$V=M}Sg6Jy|jT1ip%F5%NdYIk7}F>jdu&ZK9xLzo`c zD}Lpk^EFs6etGU0zdktM<}FC=fwo239xY4$>Exr+uxIOM%j^^F#}>IXSS}rLrA9#-@u;)BT-$4d+mHP~-J!jBL`9%x(JayAOkW^9 zVo#>YqE+kW`u#yzOffIL_EV&Rk;8R)E3AARDXBm-^@*0QERRyJd-NeYYz#ROEb|O< z@bt*eMa50zN3Xbrvx&6{7CSTT6E8)7_AR$38yyT;mF?c_1O^7r5^UvlZCM2+a?6i!M|}j@d;%XyXyEq2}N{ zJ}#n*%aa-pS0LJ2`A|C+U`Z$4nRml;X2g4MCv%m}GDHm{LUl_g_~(8U#=3xkhZ=0h zlJ?gXL%rzIqNyzTlB%a!;mdD^`*#Jf75TGJR?3HdiT4}$feD-SIfOveBiW;Q-#Ot! z@oP;s>%)t#5&n3*@xsO$e6%7Qe9!OWJaqhM-vS4b$XBKs!x(3?=URNq(B@Ls#qmwk z6}H(m`h9^$20t3MgQ#6#^_fKY`(wduzYSD{`BMs>8Hu+hcMSogtxiaBs!4itfuYL`R>d6hN2@`*!?~o3->acH=o?S2 z_MDVpmn`*n6?mhvWiZv4H7Z{wO%gWbti??7rV(cKqX8OG#t^~q_h48Ky+bS@a{{FfvoJ+HT=ZH2V#y{DWqITv~zr!q#U#+`cEjyctx?jzS6v% z^Q2PoXA>NrcSbeVP+3w{A3HJ^PSe!xunYJhSOyU~QzT8=xEhM^&sDk%Z9EWIo+wk& zN>BK9su)K#Q@XEskjhSiAw42fNQL4~zYEF1CqRpTO#d*1K?LWcOZaJ?mLSO50|C0! 
z#@JUtgPOT=F1-b`1uH0PxA>^)F&i+|GE zH>0j#F;-=(+NCUO??0ps4}7tcf(NV!*58v6ZL%F_!NwY|RoKeq(NL@>=2rBoVGA3O zpyy(ILPS6Xto+;Y*n@tntduP_B-+-O9e3F0ud!08YE9ekbWsx+hyAKYeCvCZ@!3jF zi*uA*bW{AQ&aq~q(Cqf}!4&7wbWo^$0hE*rpvr)A*IoHTvRP!kBzcDcClcXAumBsH zCy|q%Sd5t4<@*F-xgH`q@!SQhU=pE2B*5OkCAb~-+h?VKo}rz1Uc#~dBGJ^Jy4KJO zzdfYV1z*|bH|g3%niLi6lPXT0#nL;Wi(CC~S5Lcd-UxV9FJRNQW*X8Pm{o1D{at|> zXa_n#FGSedA4;IO)@~C=tBM#HRcRmXjnA#MDVI$5wTXllG~!j=`=(vbQ+5q+r2Gc0 zWR1llxGc;R&#`NUOhONkg^_IT6f;V}@zsgV=5LY+))Bl`9!pHUixl&QNn<~nBj{m^ zk~&Ni*|K1WNaxTLYj*Gs)Yz3zOLZxA`*TeC<--Y&q_{I%>hFf zvPgfXx{W~#gM1^R-i0+toZbkfv$zgFQ8}Et=w*(Rv$AFTMk&;Gy#!`mMs`ig4Vw`uPjL znIO)4O*L|rkp<6El`Us(a~Kp?O>zC*tYYWK6v&w=LBBGxkoUaX+8x|VuBmPugM!*W zQ!nWIP-J|r5AHz&{z*&YXwNh&#et<0KcF_`z_h?7-@+lUAi%V4(!U)~OQh*S*@4fZ ziEr%|)0F-`)v%WHuWk-Qsq|v@8A|(c<^_%WVaRTDNc^DCqg_&TYFA74uTZh(g=^p` zV(*w@_$QWB*Zss@LkCGeF{)!5kX$50yH^-M|69()zUaY5CB7V}bXY(f)H=1&ZE{EB z$b~|id%m-izaONe67gvu*lWFC=EMr|z{d+!e`H zTncPabf}KG@dr=?|bp7GSUFJoWVtb9+y*}qas=K`p?Wg;GS1(s9w1@`?dc= zrRq6iW$Ni4vBY?5sf>j4NcLdWb$)qvIeoRLz>1HvX``4kGykL`alB`?o^r*)P*(o( zIUDo~Ui?;L9P4K@@va%Dg}h55)DLx#uZ25z3*E@AFjt4jm{Bfa%Wn9LyKA(g+1MKp1BpdKJ?zZJ|m{2V%(T=OC zrs0stl1I(d$iWqBLE4zdLRH@w{Sa8IY^)#2b0q0rE3+tgR%&oS!}u~;;4Q3;&HRNwOe>6bu~8d;)#UT#m#|&z zR{%Ik&Rc4qU?~D<FwE_PezIvi(LHphvl>jyqvr! 
z3vmoXUoIHC@<`=3!aB?EZ*UcAIW<)O0*BfV7_+aMswgNO*n4IlJXHf|R^M(WuX7CY zj~EDTHu9zW3;EzRt#)Al6L&F>o|JplPqH3=mS=IN)hfA;J8F>5Q*IS#p6x4W3_C?Z z{i@K^pUl00skZ(l1G?p+p{OVp!@&PRR=bI1y$H)RPhpx}gXQlErh|$NziP6epcEz1 zYj(Lrk%sje5S3O0eUaZEcmiyiAUA~yS<>-fZxsDMl?&&Y0;!xSS&!0-%B9r`gVtb1 zGM_}R4S8z@1eWX6o?a;Br-I2AnSeO|yGtZz2!RnjT8oy)SFMgxkqyolv1mY@vjV8+Hs1Nw?YU9-`Wdu-GN;0vo z>8mw01q8ymEE)ti`u9T=H#`LuiO*3WrFeI{9yxuVdY@WDsk6$Dyi>U?v#b0${!W-( zPv8566^GQ1!=OW=RrLKfI{s#42nG#Qmi%LMqY197HwMw2yk_D*v}s;VJ``+)zTK6$ z`WJ0Zu!=L2<>V{csp{A8YOpK472z?8Rjtw4k$P+nxbG>AP8THR(To*^h6cAE%w0mZ zS%YV3r<8H3wf^hcERZljr98t>KWlPnt#mZ8o^{M=iM1xg-b6<2kV?b~4E>HWgh5b{CQ{mvKcpS}aq(_(#G>tteRs?>Wp~h(U?-?7rr(?po-^gybmoCfXA;PCZX;GY zS1uDF*y2}Eyt@J27ejMV8Pz`(-5VS4@YFYC*B9{4dB$KKkJ# zv2F=5*wO3ms;bI_`07GsXCb21(BYwJDZv^Gj%BEe6EKu8_SZPFtT85o0mexD!pKgA zcH{YmxXVRz;Yc|o7}<=3b{mLb>jAcR!O}j1#{WKNmMeYc{^6JBoJ9(Kh`* zgE<$wM8Y;`iLB}PY%n#)35=+$`fTVdj%zpI!(`MnzllR*+z%0ArChA7WB{M`I6t=M z-a8f@?R?su;Ek$ERDUoGwHm#7M!mDvXHq_)R>=JBRTT2PtDXci+yx8Up@{}U)w-Dn zcD&Hz_DFLAnaG;%|1>hJl)MF`4J#z|e?Is>hd&iaN8~Ux^5IRSr^VvDRbzWbkCaYn zqVFt=I?ErJSyz;JrGb%TR#}=72Pff0gKxzGZcc1DK5741TMX%6m|v5X)hz4uFT%2R zas8|foN1C206XFdUR1E$s7;y_Cgip;;uG0e}K)r zCG~@+*znJQ)c!d-V%HE$111sT#{^{J4O=1*<*1xo=Op-N@*a5bWNoY9DcT*rJexey z(u|^SEG7?%A-Fds`Bc7w1!)G96K?@CmXC2IdwmE%kEKI1dXYWik3fZ7Ri(qN$4>^c zpPX8#D3VH{`CI2f0#v6hgBG_|lI1V(L1w!Q1*1C10avx$u3|>P2VK$IZIGJ#u3=cx zS_$#>YpPsKr=n<3LyKE20<8=btR!$LU<%eWd6f~0w1)VZPo6j1wS+E3pkjh0SrfL%2KwN0rzv!+KolY4r@(ZCXYvfz;Pac-R%Z&F60CH zCD#slKO}gZJI_U06plr6fCPFGf{bG}xnb~0sF6hE=t|df41y29C#}DvAj}alp#n+$H zI{9)RIeGLnDrinD$eFjgCm@`g9dU;)$z7AN5vwEx*#@lwvBa^jj;o4<;}QLc+pi}_ z8HcYiqdGCb+AEg0-e}b%SZO;_<*gkJ{@JU6^JeEAtkC!6s?mD4B?gqqS5cA>tBt`+ zJ=B>iaS3t zHAV}dTRS+_V>N{SRpkT=c!X4KtBA~JJELT6gfLlX#R>%76h7UFmn_(M$Pall(omu) zz}__szl-H^h3yK=5;P;$rf)E?b;y6y`%y|GP6N+Qn@#WDbUkK+B>NmscB%^0DbE77 zg>CO3yFjT6LAyuJYX*q?PF_{vI)LHMlKhCJ}=IZT1A;rgm-@po5) zotfv44Tt{#4`drEQG4BNb$LY(IkCPWrYH-sE%f4 zVv>~2Y#&)N)FDy;WTj%Zg02I$WX0WdC^xy7P#)E*K;N@Vo@vBgj$B4NxeWuBy 
zh^bRPtfKdXE7i6~mugY^@x8u|=Bsv2c}VuTn3CuC5FO(e%#$;mmdW|6ol%6!NOITv zUmE(VY(6THe)K5GDKn^1*iQvti40Vho~ki5V2giDB!9c08rvy2W_L%D9QOMjVXyzl zEn~uNre6lSRLc*yc4w!S&p{Th$G4{OtEdVI*1aF%uDi=uMve5K$77Wb$r3*V&62-F z-rq0Y7yQOjX^dOJnW!}PW3oBg0Qszd=sx$>u-UIj1Er49t~6IMLEUng!WAllWr3+> zYx5$nn$VYIB6F9xT;hRyO}{Gn{N>B1iq&`>V0}FlyRt8LRJOj&y_-DDidnDRZv#$g zV}5>TWW0H<#&P{1&=Yg6?RNPtXOm9&X_nL2>i1^p&W!Q$A$$JCJ^@nQ;b?vMPnDK} zu9o{#XjI4bS%byEVcz7(ffPY4sl@%+8QjGc58F#S?Nz=N&MMn<>&6>X@mNza_^_|E z=#%?C=Jtgu-0ksu=Is=>ZaP@TWGeEdD<|efQ}RFWiM)Qg^{hd3O4kTt-b2rdc_KK@ zGmjW%4ioCj9fN(&ftOL${%%V?oKub?rosfQ>VoMYu=P)4RnSZfc}BThW;v2i6H1}!Bb@kWFJJl|h$eLX5>!fH5Hm!`5x0?}{%35v z(hFFc)h3hIvy}fDTXuy>@tOmG{JkmqyS)O%9dRMNlx$;<)Je#i^$^}J%5v=H%zgEC zWOw=e&r>(HQfTjZ*!P)J>c|BnugZZJq-GOU1Epct(1Lo?$F)D4wKH<^?MobNr^)52 zh|8sydJo5jcb!hZw1gH4dDfbvzr-jYLpz*TZ_Y}pU*)MPoJoybYu)@EJS$8sCXgYt zL-3DSwJ3Pjri9HL&FjJ$Z_>?Ko7GrT)+^Os7EZ>iz$#IrfN=~yn{9_6k3+nnVYzCk zrT#Ec%-Px}6R-ZY9K84FL!g9FVbUt~q4^rk3&2Rmp-q*tSu+=hGqq0 zrjtb;v73elJv{?m4D-YFw<%N%VAgA9&+Y)qXd=bGijp=}=q0mf$%HZ^chu4rFyNA4 z1)Wf%aCMm@X=OhZN@M8k!)dCzSZg>aKlYMFtF=}$4H=YI;7=IPQt1o#tuCbrQbX*| zrP<;(w8Rzh4iZAN)&CegC@=S4>>h1#rC+!=Tsesf$jy2|R-lT(eu3lr1^EavTv#!$ z^AhtgdRp#mTozhO&8qn9zerlM-j=yLKASQV_tONCLsYJ*MYH1!!6?wY7x2T)DhN<3`;tyyF$1WJe8g7Vt_RJD!sVM*;L`R zbrA96cMYbd@Mb$dPZ8b0-q<(Z1)qb_y}pogd}98yd5<>$Roy*6J?b~8m3vcvoHt)= zxf!AS(CqD2rGCt`z)bKP=LTUIOFAvObG3nJ+`cvl^}*#CaNXJU;mYV6UX=cZh6 zSCT8q*jNz1>SpCddM!h<+5-Ebo-ye0Xl$o>Amti?ep5=VmFb^-F&&Jj54HoFdlg;mv?eA!O>~51%(y?qSMxQ%L^U^V z-ZV@pWR;CV+}!d;yi>lp8M0%^7cO8>;$O}~F%NA$<$aRR*nD!n0Nl|!;oSN!h_9M9 z8lP$=qH_9Vm0c`{;L+IeoZv;(iVk1c3`)uPydpD!K8KPcd_S+gwn1Q2$b914H?nWc zZ!L;7<$vVCr4;y!)7DM@xT&XlN6cb=T=^HIdQoI_fgzUhG=v?A=2&O}1Ahb2g6?ZNq#LY1 zC`>$N|F7uLx44wvutH^yb4AbWq&O=KN&_FqQAy8nn63+&+2u48uN}Lq`irN@U7A|s zI^7efn^i5aGGLmEU4F@cfkcem!C=|*C;CWh>oH7W0L(sq_E?W7?*^o$V{oj`(1D7W~8pNMzOm#V#4apVFb zg#Q(LVou#iY>J7jCOe}@WQFiKj+w=VVmG3XIJ3DX17~=^>TtcW^HP1BuKOT(9-YDL z1e-hvn!241i}obH30}E^>`YjJcDb*4kLd1|-wC-1HVo*nVTPQ>P^^)`ptHV>AAX_& 
zcm6?pv!lOJ5B3=irD%-3T1QH_sSm(E0G$A6uF6OpF z0F*TNeyhgt1fA5`c@l>qL)xL3D=`$^8u8Tzm@o03foA$+mO$s`m}v?fU`A{2pl*(2GyIywVi3F=zb z9lDp?^hEkOj^N%9w?ixOP@t=ZnV>!NO$D+zpx@rSMpv;t=x^FQ8eD`2rbVfpeP7SG zy}&0Ll%(_t?#W{ubIX;~4-`<^*cnzKWkV)lG6g8cNBYrxl!3n-)SD?C-^PbKtiu5o zVCm+1a^-P`QcJdvDxcXSj9DKEX*R`ugfK0+3tyTwQrS|HGD_wuGG!iJWWiHnaf}K_ zf>g>L!SL1qu~X$`xpKvNkm2nc^s z3g4`s2>TKO#zOoC%Dog}HACiS`yFbaPN%uh@?OFF@JnmF6NBo1@yDcj;a`sPAG( zwNB9HO^WRrn>|0BmlJ6CMBRAP7y8G?+7vl0@pLt~$`!KN0})oK6ljrR3`4X`nh(fz z22dM@;^o&{TR=f#3=CB+NM#xjnbX;bnBg#sg}nDM4a`nzNhUCy#=!tR+$k|sho2MuE-S<7KBPo&RFDL1-0SyAM5-Ccv~e)u1rS3k+s&(0PwYx>Sr)vRCK#{~;gBB@qP%vl^&Eyl8S^%g1m@-&-Dnk8%^(6; z4@)*fMWk1afeW8IqI|cMg67?c|Dh-Bxtt*OEf2f(i6(j<>XP;TdoP-~%G2n(bxXAq zoaBqO1+l~2xwf5>w^*BCmy|*W$G=?#KBU%v$q`Pbw|1)ifcO9o0&Np*QoZQ!*`m7J z0zvL+ko)YRx;SnJ4QazgwQ}@Io(^_AN01g#OY?ouYrq5hEB~#%)%2Uj`VWZD0nfw- z>B2vPly&>-f@*AIQf`g9t_pXTcV@}E*1 z8@99ZQ08+yP4?vV>e4TxxU$I&Ee(mzE4Ux~I6Mnm7aH_xaSGk47nO6}z0$q){S^-f;kep<`EB^}*b5#WhP$vm ziawf8;W05(%8WS(m+H5iKRK9M{IeA$tHlAk;xd6FA?BI;fIr_95Zz4`zfx!%NeNgN zYRS}z_(A(!fv;h6LFTcbU+U9M6}bEE@0NXn!B0fc9!CTz!^r!;2q3lAY$N%0Gc`vP zGS1k~)v#|E{P6iVGnWi)9Pt0a%ei#Uk!H2Do%Mb0=g>!b;ZV{6e+qu_VlX<*?1Lc~ z#FkM!@f~pPtaAdqdn1Xb(Tt8FUvtB-gIi6_nH}WD&nUPKAaC)3QdCcZG*Syd0;u=`a&HwaR>HwSq{W2GpRlbMt zskD{1SO%Ca9*I!aARVjY#k*U-?70@Z4LcV-Z`l~j`KOCz=7fNPy{Uk?g=`+cG;kzn3DJxGU^eZ)h_1%Fh8KVR)KP4#uS9x=3jJM&Fg+4l0i|<4$sla|uq|^#qhoC0olXsW+bJk8H7y1&!}(jp4{MaOD8IDBK+N z9H#8a%r*w(ekWWe>L2{Bs%?S)mWm-+HjrN{IMA{QDYP-J1c)j_*T(vg1gK;eCl$Km z{_0MM#dU_9p6`k3U!m2wzdo+?8W#wT@$413RoPE<=N7+I*7A&twws_akC1Bghbv2L z)84K#BiA4^P*3V+=*cG@#|AGbYMbSLZRe}AL0o0EcJujcipurr2}M}8t6%_J zPtpOR`_{hfGb!=gAJ(k4Ww-w384a2S)tq24zRiV~SxqxLDpX^Dy#};~nl#>vJh;l4 zQ2uPT(L5!M+=iJyXZI&hGN=J9PZ_e*h%wesN{%fOi*^Ct4lQyl7g|?MqiQxEkQ#hv z;P163Ato-=8usID%N-2b%=qDCZ;Rfnj7T8foUyI(9Yw6>U}*@gDEk(ERpimRIshs^ zWKGwCd_)nMdTSln4{7k;J3gSfD*8`kI5(f6F^Im;!KZAr%#Ki*6$eJ4jEbZVn*A## zi1he=loI!{Y#~Kc{!=MuTBc8@ zN;-hbpOXH0>y^V9iWY8lYU;`y3o*g;I|htjya*eoV$EY*j00 
zx#GTx_*QPT9@12%R=im``(d-LX1z#&@MHa(yd!?)YCkP^*W1bIqWD;E?Al%~5de&H z0-hQ5;nU!iq}byDhsg0@5L>_sV0bz=yA}AHcEY+VX(9$Z4HI~kw(P$o2SGa? z@Lz6K@0Pp$M*ha^c^p(mC-JNH>~L7WM6R8U6^{1$*iIuGi5K=y-@Ub!nNgijP@I=j z8kh3qriQxHZi_B&X$3U1NZa*i=+SwSqTG}_twI(;FE@Viz9nH+J3DtOdo<0TaoWOe ziCNN>y&&6%pv8F9@);l`UI-h=u%~*4lm5r${e2N=f^tB=TkO|3jGM0c*K^6 zMB{Qh5Rq7!iPHu`T%=D%*K%IYkk5xm=GCU3 z=g+`!o?60lVuF&=GB4itoO}v%(0~yyMf7Su{{7SfaDyU0NSZqf&TB|vKgf>JQ#6f7 zN5WYHrb3R%J;OK)u!IWqYDgO0V3TD^)n%k#Dzd>xFtUlc&>znj&X}rR)|WSVpO;qk z`6u9U`=$x;sJ}Gav3DXGZtb&_Efsc;;M(0kgh@3$w15{NRTBj4>`~(YpAo zh6-spV@e6<#ce`4C%dmZn-4r3Q0H)kwBz4%qEK0GbRi^KrzWD<#zW+Pw~eZV@ns_q zB;b0l)|Kd+dTu*zv*~bWA9eaJ2O@Gs+h@)E?rB^akGt!xcdO^dx^+XU>b)QXv&OU= zZM&3*w?bf~mfFX#rJ!=%kR?Nr#2>u?lHwPIL->lt zZ$;jNK{Vh?p)W?o-+(2Pqp{Zuexa}@+*o#imh@mb*y*eKicgRVuY6R0rTD6Ha|eMx z<4?hZyF_yJ1_lP0C=N`(&aC5D1Y>|H{*bQ=v>} zmJv*6r|c*%nQKF#>XQ|0neGVr2YbWo8-JB1M`57Xl=Te7k|zZ$xDnsabw?bUradVH zeJ8N$te%2jBLI}tgPFi+A`v`fZ~d{G1A!5vJwMLXrnY5>xGdY=NwP*chHWRH{5*@M zCWg~0j`>K;=RbwtXYIDotaoH?O8$?iYYwmbdAe=Vq_OR!v7N?F8ry0b+h$|iw$a$O zZQHir+kD?&`v2YM?z5knIkRWZ%$AgjPjH=)?BzF7U6BYc2Q$o7-t%YHaLyHVuxZCG zqNe(^j>|u|?C>oVq@BnVP1kwh9J^EjYmcuT0=U3Ju<+Q6b7l1KfLO8>+9BV)O8GA- zAdrz2jFP|NKsBWuHIYaHoO`--^!^<<^35;3=42f`4i3flqBtS)#8s`_82c~X_7rh8 zFr&283gai+m;1|fb!(Pz_Rt}4)H%)BFpnv4?{rk=`=&K_#=r}mBzuyG``>VJK z7f$RouZSS5*brKc>FG^GvRdZU{^i_;BrsIz2)o^bWlx6@1|^qGBSKj~S$% zIUU|ccqTMfOo)`y-qPF!?%A+4>{g$}mK*%Ki-so*R4XmL?*ClAb6?2NX%3BXIOukQQyl9mBWC{OHj?DZY~ z!C7qw8DIf{yU?U*gQ{AtoLY4ffr+R(d2B5q;I)Yk5d$#bykS6ebyTYXYt zY!>D!a&LR14}%o3s67i>_Iro*m;%qdj`j+1msD7zC(#G7Su{&tZ6+Xmb>1gbsJryA zyRVc_)pA?U8VGiv^|2{fL0W5w(SC-&SFF`9}2QTfzO2Sz6#2{UG z6m5*XA6Q9%pZt@~Ss(Y%IkEs2Ibs373jnNLJxGBEg9T8lW!>^0OoNTV{4fNMi zOZTV6V7%Y#Dtf^UoC(nwPYhfItHTE^%RA?k_ovU#i*6+{eMQ0zDy(TcaU#J)?dOXH zw_B2BUDjgt7E0FG?bDi&Z6_sEYB}9Zq0Vd%GEK@6&V-a&0W50vp|52Cz!Ad)m&B|` za|Ua{W>Y*K+b(Ka4?$C;>V z-s-o&y*7T@PC_?0H``7GH?E8(c>^fElo~+|kMgZMZ4is@3zBBK%)?xSXWPab+5I^jAJuAlmtb_+@^eFg6OzO>!L8*A&BtbQAlmYuZY*YB 
zU|i6oLH>SRvZ9PdDVZ-bDAYF2sH|`EsZ!Eu1rIGoXO@SXS>F`ta59AE2X8c}7sGo4 zBVKF;KQFp&F74PI=VCQM(%cJvMeH9l*GjIMr;tC}kGG7OcvVpCoATu+vdtWmPJb9m zMpOUJ%N0--Bm-_x#fC*K!JYe79!p$cz;D!qSq061>E?;_o8ABc-9M{ zL`31>%rA4GlX80pDk;(tVB+H4EVdQzM(!^k0K` z5F-xcF@3UX!as-U#e)vb%st+ipw>HuWwmPenc7FXHM39kE)cZzMYhJHBxB$pi%2< z)*XUI5<(0_LCj{?)r(foYXPNPRr>~V$(2aciIC=Y316S&TO3JMUP&7tV3f4S4!n_D>=dxGAeD^okyb^m$hH=+D;j1@Z z+uGMno)yM=-&kPO1(KWFMbbN7i+29(hToK$kEnyVGU+l(bWv%xuP{tzJ8(4)@Yd~X zt!xoCz_PVnyP%o54_?Y1wRk8mJ7oa&DZ!GrBpmXW8y_46ie<<8UJ00W|L?sWN)d#3 zKv^@^3TGQ~n4$xu;sdk-5}du1-}K*C{Ux8o5D+Ka+eM&q9)6bIs_rJY*1HAgQCF|HiV1kwpVxj_~hZX}iF$EFtv zaI}zoVm;JwuwT@-k=0X^A{PZM07?@ffpnfix-t*&Pt1y3_@#L5@b}(|(a}@FMXi4W zPFD=Jf(I4l<@9;l6~(Drc1}t;&M{cX9W_#Z7%U=r7<# z2?g9nCu0Jp%gY;k<(mi1=Oi<3}Zeq(TCGJ!h?$VHq!&CNa5x6YDW*Wiao z{|OK!o+LHk#jq0jEYj}Pe9b@;t(MV^qqVj5sQO`8-N2k~r5;tSvwb%;?}p{%X;|K^ z5v|K(mtno0=;Pk(0R&-kSGLPGnae2>p|c>7iXnvUWZQ$qMi*Vikco}bf?bcrqh{BF zbpV;-e20g-S~+d&-ocVHsgGq}8@mmaO;{Tn>WY^R!;O(h1uf_y2XNF}D0Pg(tx4(h z2tOh8yG!3a(b^w7xaRFDs{PP`U|SjeS0z8TrX|tq8UNL`WrU)?+-_c|+ z!&(Pe&-K+z?7WxVC-a1rn2??A&$nfB9z%A@aan z0IczCMjE^Ny`wj@a_z&?+)EG9Rg-LhKnL*4xb+4`Fxi)4_<=u#Zo!Akh98HqgszW#(B zUajO#5}d#f62Xa{)0vzlmMwxSGaVm!U!dqsbISyL7Cy7QXvx~J3y=%A1eoD;DqKMi zslT5BQl0B?>ry5?B3xfEMGtaL2cScYKtj}AFz-j$fIQ7FjCbkpfu_d&XVSJ4(czCQ zL&E-?PzONq;j&v%w!8zh1JKYD9b2D)PKlhJk7Uyu*rb%rhj)yKMeiSY=|p0`O_dC= zY2DlF?1BC2PS-5YTkd(XixnK^xLyfOQ=32rJoY=?YczyEda9hhq<(|#%VWL9po_!h z5KqJAnrmmCQ=Tw81%z2 zm~=Q{Z0kqkH@$X8!aH69k(U@$jsOA|b1U4r#DCfq_k#oRmt?y>9gb-8WU!cnyzt66RdCaTI6TYQ;n{Uppn&=*c7&4JDO?qWEpLUJ_6*YMncmlx*^Y zs}(%>?gVF2sQb*@Q)DO0XroZ(^aB$zIf z*)ZV6vPRjZGvG}FkIPf(6+l7~jH1rK@=E<2Aj)fC)4*_X^~j(hwme?4b|Nzo!><28bvvOv#p z+kkn{L;bE|InS6+=xoV zJ7!<8ksu=6j?8`&s;~9otaL4pz`-f4xS!K#W^(^deNi2xuO7s;d1U4np}m;`zt3ZV z6C)gJ3C)s_%>@^jjKaz=KmNJNakuH`mEp#ykm5S?)g?g;vz~ z2}lM!_4t@)r>|#TyOtUC<*(p79^2B)+|$Gcm@nC6G#(ubq2edJZ^#peK0FQZcS0`) z0(SQGMfHD30>f!$Zdt|5(q7Z>jwB1e4W+7pV^3yBVHV1SCcUJwUkTL~Sv_$d^;UoS 
zFo&w?7|(gPzqN;t*q9BP*rWfl)2}J+%Vt+fa{UhV>Rz;N@dmlgE0RKYnNZp<=%MlV z8Um{xiMbxM>?ysS)TINO2&Ej+1Q{o!GPpcW6ICrfNl=$Q^`)Kw^@FpD6qbs_TrTN{ zwiKj(2aQX-#pExbqz-T=YNu#9F#GhWA?Sj*VHo_!xH5pj^*+{qNuZqW4x`H}MoVEo z?lTMT@E)x0A1GbqY^@Re#M!Fc{~mm zlvsWTt$*Y;k-hTFIph}=sJ!ETHnD3G`*%6FWqD!dBxV6hvhT&9BX=gkWHPIJp=UFlPjef(*n6v%pJ*is8p)^Iv+U=&xSU83J*?La~}P`&Z`FNG`!g%4lUg5 z-3!9vHBeC(T~K_01LuOR*G+2}j0pkOw!@=-g0*hE=PAp+=M+`XJB%_x;HU9(^t%=q zN(11%hU;oaO|2p1_bS1-@h2x^lLcLzNyY4$9H zAm`&)rEP&d3#S_+sYgyhIL(MbpA;S)nvAuuGm5Fl#qvWUDQEOU4+w)_lwlKm3QgDU zVk8flPOm9DHWoFI-l~JTPfrU&<7ww^EUxq%>RueAzhxLBRjwUDp+z|_4m-=8bsvz7 zF|!#*Fdt+n_B5=S^r-(_noASES(BTS!>o8E-m{nb>b{TDBxgzfwIY=HAou2oFvH_3 zG>=o1lzZd0G{NW0fkg7NpS6RSHQ4}Lm?SK_gt3fu;3;ShW$*W-*{(a5Q#n$}p*LTJ??-V*j+FZbgwk73}v$Uwg&MO(A0m)wHP9t@1&8b|IW z4;UpDPU2h_B`aRGU2E)V)k;HOBLMg9A;fysB_8H9yy?Z=^^}eVR7fA#oo_7(u_AFn z(@G@#1<{*1mP)sGSTPidQ z>@B|HJy~!aJ_cEbD|rA+>}TN3ToNU$!&ywp7=`n0WH_LG1Oq%An##wllmBxkAGQE zl@i5VrObu4BBOf$7q#p?vpObGIAc?2`bCD=yQl;)CBQ@Y3UC#{c@;?H)s``0mdZ*!y z{xsz{YjP+FQtdfggH=LpuNL)XpyJf9@C=%L9@e1v=Y-Y;z=A}A3}0NiaFgHeFZxo~ z^Skm}oQl&goy*@&`rM%LcSpkeu(|&Xs(aIE@)#nfWYGt>o0d-|qTD?jCJxP=;+vKH z=r@l>>wd5rT&5QxqR2xZa)hh;F6x81T}FWo&rY#fsrGSJ-9elSW{y?I%-wo*f6ppa zU$F9mUD>J;mYwbeS(cQCj~H8q1biSOU1km#^9AA&ESCN*ILbD`z>4enQSYe&n(K8= z&{{#K>N$O2uc`d*X{h77aGpGkgSCcDwbr`22A~TM-c6_l#j`w#MV#s7OL|_T36FSX z`RIx6w6EAVn7l)6>I}GQ0&V0$$|sv;so>f)mlpyqR?D;HRs$-)WJMB&-!1EwPE$>) zO!@v)3rp!Tf%moo^=$i$(a8zu4ltWdSdDKz?hA{sxP>&PgSjcC#6qPe0E;!1sCMU8 zGtnlEc45h#HbrYzsik4%8>v@hC9EFQK83*XLx&`wE@b^78b_r5r#?XN6Dw6^zvd)e zcg^63a|R^2sP3HWms$sy#J&q}Bt~M!AM(fU9NK9t9SV;~Q%_U4v?f5o?4VJQ0}8R`iYP`VSA^#e9G#J#WHZZbkc3lxP{x%L4`4jU)bq_IWsN@Lv)HG6EAL?6NqnTjZ|R3i^3q;u2cxhhxDL?@-d5hw5{i2 zalIlbpfa)ok(_-(0g(0ovT5zRFUuPvK&No1mVdKphonCPy`09HFSF&cHXP)#{^7zZ_4(6?S~j;QcP|R~-uv4S6nKR&KnW6CE15 z#r;CDf}{@CD`BIO&O)N#eLMjA=0T4(_iY^qs*_LrZ+W`&ML-F_ue*?IzlB$Ce`;yu ztwCG!(JM=oxqHM{w8@S+*uCt;&oCXdseoa~)B9@|u}D;^)+pQ3ES>YwpzN#G_Qimc z8Ec~`$oXDNw@c_Y4H~U7DX~+4` 
z**AFVpy^t*$DZJ4nubRg1fb{*W^wp-C;F;mb^iGojCV)RJu*eecj{uP$NoWJsA4$} z-k$60xdc!wy_;&wcj-#UosqlvfDjU(Du8v`ykC1D_sFVE>e%9`80k+C6@ zR;Ov>k6%Tdv^vGQI5>#DDi5yjM|Cd?S2!izS-ipQ*bl!)IEUO{z_7kXZ31w2m)}&| z(x1C=`%9PCM=RJc>N2PLlYjQ%rJGZ||zTTzy@j z5-9RC7c^1J*hi>W)>ssA+aO+Pi7vgL7~7s|CaT>S&Y@{(LfXWDfX0tNsJCG=sHQ?H z#M!*SjLG4IL?-=`{jQz%aat)GF>O zPj@rYDp1m0+Z8mkDB_6>-~?6S!SPpKu`pZMs?)f0J(YtxvG^X7+0Tdk_N!R3WZSu1iP z3zm+?-Pma!U4*S(+hrjiU*H=t38dA{%uVQMZQjxL)Kz^0l1>IN5Y%f3rEhh$*N)d6 zaL(*qF~OvwHltnwU#!K_eJHOu!XK=eBr1n*o=+J=J8rQ!Yoxmk;J z#Qv^y1Q;Y;{X3aPB<0c9d=ewHlZeV5ZSW$`$(f!?a}!PYrC!mg%+82;$_$07YE*`TaIB}G`lB1PEvP4Iq$rn1t{0Gl~gOP)2!hmtmL z5SJ~gMG28i9N)(jCvBRf(aqNNd-+Ly|LK>%;}>uy!DSeOzVM8yzr#_mH!r@y<8ULu zUwqS(N3z1`8;%X*gcRl0Q;8rf5npMCc0#y^)D`UB68`wwk=VDJ!db~%!UP=dU*5ak zu_v!;m+&XbY%UvY%K568=f)}FkOE0cx=a5*<@~}@w-5>UU$>gMBiA_?tav~{`xok< zj9~yZ{_MM~O~NHMS^d-6dt?O;LaH}#W%<1Q%g5>Knzyw3?C-Yw0M@-1p^ePt2~HH5 ze3P&zUMr4CNQ-$luI8uN?Pl;{Xl4qzJS_?-!g((%AubIJIpw8*ujh`0Q(@EVJYM#j z=cAUML)wbIS{K!8jLtS^zn_A}CVKTZ^;jJEqH8ajLEke-#rgrDxQ>9_6u|2!zjb<7 z+WBQ61nbGMKiqynPbwB?r9?E`Qi1Jn_U&BsW2mk+{mwzxR64_mqp`05w&t=@9LtF>mL!-{gcx!fFS_sJ0pMKKLvzfFvZ$ zvc*bZKlB@o{fZ&J8BJ_*C!U&R9J0!AXXU!JFVrBZ!%1GiQRoNsN0QxM_fCvBZ-LEW zz7uKc1cA4Ab~f(*wjqak3?pr?pX+{30>3C2_;K z7I{9)ya+ViZx8is_oFG1+$^r5sQ$5WH}Fg4GNHALHMJfy&9lW#Y}$de?@l0AT^T2A zypsDQc!=1MR$fPyIxGEs4B*Z8ngyF|4q;_B<*yeiTsYBZ+7`B>x4?SGY98|A;(6`9 zWfKy7N>de~WR@330s&GCIH(+ox#9c+NY;IW_32+I0ne@gCKlMaHA&-j_T>Ld6v>=7 zr}p(PjC_Kn-iu`PAViu(tX`v5%RCVZY9v*$&#YQs;@Q;{XD#iB>gtK*_VDCVQxOXU z#up_%LB18^95eQREw`cmq0<^R68`d>gSGuf&_XgIM>8S3*vC~>k~__H3KZwc>wu#8 zlo{rp*Wr=hh6q;<`8e91 zn|#ily)to+WG{VeM)KOvlVd#Nt6`W18h^ZU!`kJekJ11o)}U6^7KP}v88;)Y_T-$5 zymbFf`HD;Fc9Z8Yd`(#)*w?4Q3ii6-evuGkia}wnAfV(VQHTn;O^}yO-sV~c52J4j zgrS-wE0SZQQwbxSN@B2YX}68k$;3j%E*Wz{RwTFW@-W_v$#%5KOY8Dq z9Eb;Ri$(S|u^~R&e%Zt91?BCb5j{ZEFCD#Uk|A*2BKPMXqPG9#5x;Er;}{MCM7x}r zvFIDWnh_)I!=p8*e+{+5a{|oJ38EI}tV`)qNeskTkdp+0+bPz)3bo7}{k4NeOxb$= z)m0nyPtdWo6j?s6tbsR1b52<^Hm$d^-%u~sX|{06mx~rJCt^1 
z^*w=8L-T+A2?Bp*Ac{<5-n_2z%*Y?Bh;gy2h{*+^05g-I1=;45N zpcc%t+o!LtpUax-pHKb%vkHiQ7hxQ z2my=DM-J6Elh`Xh@#5Zp_QyeH9CII+1Qc3~xbt*^U(ou0aRU;Z1oJ2{7b~6GbG$$S zbls4z@CNROSM=0wEVsvZX>`=h|Hc>GP9d)Lut1*uQg`%!msGg}D!jQG1-%|eM_`W! zkkgq5ylmOlB5Z|~r0dPbER6^DAnDqfh^FVbd%$bFEl7&ET&-K`{z;jaL;k){cxtdn zT%Osm2Z^uap?6&*U)}KB>WZg-Pj}rA5U-cj73=9O1={w(nbjoRJq_#P@+50t}oA z+OAbaw7m+x?@(#vXUHwVAfPi$4o{4})U+Cgb5Qlg7{{J|LWZrO>>Q}cqKt&$e(X=; zsOnPhO)F1LBj_4^SE_Qdhzt?xKJy~^(`PKXL5~T{i{=w85Q6k;?R^o1sT=t_yn0a- zSI#=P)Tt_s7ye3x?86xQ{3qeeUhcppxM1UvsyK15Ive?d!qM10h~Mx`*awnrU6Uh}Qn( zMec&c&_grFo_We!cE?bYlzkbr8a4ALzxD@8O0Om&P6DQ#gw)pO;e*lvo!Gz*JA^;V zE|Inz3NEDjdSQGi!U{p?s_immQ^y@3)7|;q+)>@W4~m(Fl{umTyQT7ygW?59Uo8Pw zagx}Ib<0_qsyTiYxfh;;XDHy{ETF`WSYP3AUB6)$)X>ZL9Qt9)a~T?8Llx|GgXw^y zb5>bfNTxD?&l2jYyI`*6w1irnn1z^F=!m+gU1lL^4sY`P*rS!v1GY)`)$Daj>al+F z|L$LZ`_EzFt)&19Oa3nWj}_y~tFE(z&YcnTrmWhArPc!QR62<4_;Fqxj9mBm2)8Uhd{7x|;O(H)2r{(!E<^!{hCu;;ZQU&y!yl z)2q(1ca=cm;Voj5P6eOhxYS|Tv2C9;NCZ6LmRbl!9JBLad=|5kV{fu$vORqKzWZ09L>-SCF1tV~>el@QdaaMp5A z!mVl?LyCKJ_^5DlQb>ZQbp+GEP;`wtq9}tC)1Ba9osfcuaTt-ejIBPru{!E{dh=q$ z_ySES_`fVgq@a8AWd~S;slcE6B3mZpD3(XBk6s0&VOfU1e$#wzHCSiR(z>!qgGAf< z@c2y>wE{i5*Hh+^ujpG0H?3;X1Qh0uUMq&y9pTT?dgpY%Tcn8sVMFc-aC~{71ZRI~ zpxYZR07??A7v0G?VsaGPe#jotiPH!9K9}60NwiXi0fwZA1KU* zQjBaR$Ls<$-1e_TZr`)+j&8t3L=d(JZWG`tnzR!xDeYADgMB~_2(;B5!H1&o?p`Pd zH+8k^EY!Qh{s$1D$4w-^!YxoL`sxF)-xG7UDL`V*GI2_>5re7#lH<-M@6m}OaO&Aw z+!C}*eZE%1YY-11`Uh5N3(!04_WC?<;H8TLyCZVSD;cj&GVWtG;HI%Z#e{8O-I7#| z$$krgYq<|Ffl%ytiawTs*uvQ}mRl3zti3sL^SH9a*;b{m4SN>ys@hh3!?<%oeLl== z1Cz2oPVLKr5tSKWD3m*aea*|Tn;FWKqNuDfoi!65`Cb3B%i{jMzS;F3|ICN2MMGot z$!D^S^X*WgiFyfi4oMs9(lN`iD+9AGOd0tRk|%CVUu%Zr1CCXc>buv?W+{+8(Owlkt8t@h{@;WN|hpz%_$gMwv3Bj7b zlY5o?iMI&0QlS5!ls1dg$XQ!eVzG37&Hkr}bQRp$BZ3_|5N{UJ|H%w*+5YodLZf6Z zAsbJWPeYKEJ21sz#*L{-edux43~Wa8I9CVyW=67^>3Zn1bv5q}sLtzT8T(319-)G) z>@6mf?0z`sh2C$!}Oo!^d8BuqWonK=2+0G3BhUOowU#DGlH?~ zBfoKz_Z~|I=lfIR(p)fO3c~zG2T8}quty3+Fsujg6)3 zt-ln5XP;gFcFh4tl+=gpp7>kLpYj3pr6Mv%^!WVkOBFQs( 
ze&*}1(VuAbQw@)0_Z~*s(_9+37bLY9e=|655*@v0QG}PZLoEutb=gbN3MWQ*?YGNp zEyk*v(pD9snN}$y?@{`FFGe!!UE*T4IK;xzKPeo^>2VZmWyG0l&UUD*WPT1)s=NOn zua%az*8E)o=bYVRCcaUl3@9S~z@+#r|F9%HDaK$jF!LwlNz4Ax`YiuZ7H2s*5v$%n zU|#4-Jg-M0>~^?L5SW43{QGglgIR&Qc!|v;@^y|zF9%;T>a_OZ)0r#&p^SejW!xyk zg;)zmY@&%?N3j10&H_H1;4aoxKAasy$M0uBA1N~u7&RwvW2w7-FKD;bU;6bPSC89I zPUWD$c`tR!SnsFH<*=3y8!Zaf{q{kn_hoxIkBx@115IenDYm_gIIMw!#al?*7- zS^Yyreb+j=;=J1vA(U_d7#Uz|CkJ-9{oc3@m z+X#SDZ2fKJeo{#>e*z_yCngD0Rkd*VwxF<&*g% z5JR`6?xUR&0~r}_&)zi?`7a`lIv@4}{6yEQ_}kwbFC>CflkdoImROBRJV%X`tB$Vq z7?|Da^$t%(IgDkNJAELX8Z3*8uK>iJ_xA;8SgACz5wpR&6e@m!_fp?dSM(lny((?y zw3py!U;(L$yinOSrj*sbT62TDn`+AkU+BejtleT8-*Wum=TbYHCmZ*8Z-o2(Mu-0^c|PGUt4_pLVm+b06L7f1Q~yZ` zpV$XN26b7|RZ&PfjyNE92{3C(?1~oBhUT)FzS`z<8K1xht*$;UhfmB>3;b157=fon|_Cmrgap|Nf~P@l@O9493qMMPVix zbl9YrI^pV1Ex=UxaH>d095)!!uYj0uz_(-w64bh7kb0~=B0=o^+U-0(Y%c)cxv_0q ze?`k{Am@FCHTwvhz*ZdoD)Q}*yWBdYI0obTuVuEHLAR)LzGStF?MkU$^1c+sd?hW; zlP#A@{d6p4{@KK#IBg>+U768;nPuqb@R^{mHH1y4cxC=H$0w-1(!gb{n0#>zU$qDi z2sXqWMMk{{`&AAN;Jy2a5LbWZgQ~mv|IhuP3-M11&nA;+8~}IUX-`1nwJc)n*q2kv z$Wz0>m|+nn24iKp1>F-fQjEoaR^@U%1L!6asDnH(1;>6Lu8P4m^Z4So28!R6R5A%k z=XhtTMPSvx8%U|hSbO)`ol>@}7t#b{FctN{P88o~INQ~0InQ?;m6 z#cd`ry*Dx1beRP)6+P%26#Pl4%`p2mm-MXSPgXYo98WC1sxph`=}TTaBUUDupY#I) zIw880UAXytMG(1F;pXnv+C)vm`(d5Xx)F!zksi1IYtm-mf-%!O^zVRY-MlGQ+XRVi z$?{|JKBb!4d&H*4!iGGC=wWL=tT-qF?@ZFDRr+eVd&cMDz=g+RCVV!lb3~lSu{-Bqv*PbM)ifJE;M-Kp$|_hlkLo856&1K8?;$@ zK?UmerjrC0o#Lod+Si)xXJX#PKbwIyeQe?}6eOft7H`;H@Uue9AV{h3n_;w1=E$g$b zvegt|3r8z2eMwopwH^@Hbg+?QS>J9w@m~F8;I$xpy5OHOVE71sYha#RF}htm6@FsD zQ?Pb)mdo0RWZ(E13(^mt0o0E&dr~el2*gY;h?WXCQqYKKknp05Qp$*A>O`3q3OpAi zE>2mMH8)Mis3T%whE~^48}RnxyuCj*q}=^n`ixb3Ic@IPo%gnGaaeWf{PJA-HZj&^ z8MEz)=5gY~_C^e5$?kdelSHZ*wu2OV%VK%?-4gfWk8^*FrrL)j+?}(dzNxL8#e%iu zP>FR$T8aVA`G_er39-)C;Znv~BXtR}SxNrWV1FjPJ(Lk8yxG+Ggm$r?;`BPSBAAvc zaClUm;)iQ~s32LpxL_VXI#|E<5@!C-2CopP#Oa$bqK{|CZxGO;w-i@ zR!JHbmZkN3T5#CnVy=(%>7ShJ7#?oA##o~DgD$ViExta32kU5>^JC)>_Ar>Z2NF*` 
zJ_P8rP%)F(fG(bnY-^73kxu0t$Q-o|6G2t27~y*BV~>=Q9bT{w{;EN?Ou)6Nl1JrdCt{u2!nX55BNl3q&-bhXtBql zVNc;6Xz{;)vOi>hb>i;MoU1=F^W~Ja+@AZDZZ~Nm^5IE@u&v@!%7GHVJ~4XeN&LIB5&@gFL%a3CA{_>UMR)t~C_$w9K4<4Kc+otiH?<$h%vd|r`e4u^5Q(rP%vSpNY@rN4<}r@|J%T`(kASq7zk!zeAk5;?N&oUx=-YVVg+QLL3Q5Er`NP zKHXL*Z&~MDO^2pZluBRakI+=QR=H@h(5VTnQS57q4+xht)(^{}sW4_^6$*y@rLYf+ zC<V1=sK#rpe4 zH$X@{%=qx80Bti%O7TW^45bgX3;KqySLdSf;}kfe3M?w|EH`zQ^=7iNhfZTGBk9+B zINT67Ptg~7du=s?%pNa^^uo)F;jUG&F%ng;<*+w*9`I@-j3!09-#k*sCpsE(AIrIm zPF^m42OS~LUD&BLCN@9b&Ln%>yq-J*Ev7c4Hq*D&Jm%NZ4;G7I5~n;Tc`YqVYO-TI zckSNyEd{1GPY8;dO&*zDweNX_on0B+iVZb$P(;%sB<5ec=22QlDrypuCmN=s_h_qs z=ONU|G1RUEKn6_x`3T*uIqWNBbO!>>EG!S}i(3u(u^j@e1 z=ZhiSppCW9>2E5A4I%L5Oc`w zpFAO(&prg$r=%v-mVFV|;{byqRP3Spbwf&^vNo25w0v@ZK8A zrYDOp%(`LiGtNwdrhF2hdiaWM38bSfw*1#?*?yOUs;RCX4vWs~j6p8K4C8vmaUM9G zb#~tk4UY+I>^Mis#8mufAxF?YmE!zdvm(X z5=&?53$`T5wdDj+O6m$u&fOTiGGj%zq7L#Tq}j^nABY}V%v@!94!C~wFgFMgZ8WnzD350NqzW(h;`UKCKO`hRKm$`kpflS3H6_Ys7U(kn(t z2_pAeCAjFJ_)VU?;aLTJfZSWK+UuF>X0;Ok+#By^j9L7R2Uf*kPTVgFM*|I{2mGzX z{uk*{Gd=q5nKw4pB=NLz{u7<{Y0$}ZQ&hi{VdY1}zp<%8lDJpW?=yAV&%S|XyQ|4e z7o*nfT6Q`Q=R1(m9EJA!D7;r$rB0A#%9^KfbAbX%scTWu9RiwS(JyIf;ysHtJ2>+L zej#LW{|obFghmZfCg@WDJ68fim#fv7jaBzftjv9D0B>}X7G^MUzNzIpUl}S=MP*bo zzQ0~2JU~|IyiFO552_^*8$CL^r&_6a5h#cw`#w3tqdzUGqaop?0nKmrsv!MQG{lU#vho0}R?zZUlDkri9oI!o%W_=map*NionbS5p-zd=DpGh7m0qd! 
zoI?RZMMO&cWjx+@@2HUZTs6X}=Oeo@$)zf{qqCwbfY8 zjs|{g2IK<8yOd>Bl|@@F%PAT$Nzd1}E4;|IvaL(Wg;VBPwLPy_Qy0f)x-GoTk?Av< z(kLyVj|I%B8auZ$0AO%FUY*PIa#wvhkXjRW&%ACmacYYXkM082c;V(Mfvqhhe$vQ= z{xsZ=H#XQBnTfujoQ3@UZOjo6N(}~Tz`Nl}bCcp^;=W{&cJcY-o`JJU$Zdd#AQ#qy z1w)tu@n#{5K~e&|!CI6PH=@S1y+*(U;0v&x0u+Gg47(0wZ(rvQnu(rQbSClB(j_w& zhq<&Ax3+vZ^qGygcbn-1p?HnROl&nlykXp?xg!68YB&#*{`lpq@uuUV`OGeD=9k13 z=lwKRGiDYY3R;K${>m}vv8O(u%6bNX?bqCtf9VGdXT=$2wRFde|E4{ztN6@uSz#=|-V3f&toRn= zSumnOx&Xr6kLW$oHwlZ;RNNu$dyNC9zWs!R(@BU%aSA@ICD+6FSlZ0b$;ZHwU3auD zkRQ&pQ8%x4W_&x#Pq@oY`8Q>RPCu(&+D){s-kE5a|CI%lH2f`eV(PNGVW%>F>4{jf z9((i%^4=%5S=0T^d{a*of>~)Jxj~0Lu-D##Q4Es(Z{X!`VX62h$z0f8eomoLZefu-$%G8xzl5SuU(IHVp22 z&9fLqPm+kD1g1l`>lPz?!a?eG)$-_e>CyJ+q3JU9cGK4S zP#k~%h+E#`5h{3V;c@e3C;A5VYIpdug!#>Y(8a3g?QW!)C3-b%x*@fZe-s-3bO@GI z7)meTf{b500XZ^4W&<*sFi!+=!+r;?-|xduV(UCj&y4Ywx_FrXekd&a{#e}A-d)i; z3zj%WLcrzyFV@s|>5EZMqVIG)T9E zbax{qEe+Bghi;_16_Akbu0wZ8cXvy7NH^c%_`N)T_2N4Bo;~->tTk(9UuD^ym0~wV z9;`Jr8M;U2J7xD+&eoB5``YvK_0@8ZcXaUT$nLkDY))*)rL~d8?q^%? 
zhmEfAR5D5L-@893m$7i|Q|>=QNv(@ed%#Prp}QGp#jn|s%3!6_kXE)Q9uI+AfCu{x@_&euW_zTA*d#{Tm95) zvk`HG={%6V_V0W=TV*gdO4SF98#Vkx7Vd~;+U%~N^=eweB(WgxQPHhW|7`)Bf0MVNA{S2vM=vs zU@cR}+%72v*re^?kwpYDRl*zeNhxy|3f$4TBiEItD$3lBS_D$yAICd4;~J_me(1YT znFxLU3s1kx{BEQrz_*IqhV30PIO7M~v%m8S6lsU9??wHi6SFEU??Zc}G9lmhp-*gS z;AG30D&bA=>ub%derJ1P4!P6`&GqtHJ2hQo^f$f)aULh)>Fg@;++RID-Z?Ecq$HlW z5h=!hcsB4Hjy4aR-Cj#>HY7IgWBndf14fz$xWIS)?n{I0#zqa~*KO_mt?Hg7EPH5tGSL z_nZkX!Msw1jK5-NfwJ$r$ByhNuS|)SZ%J%_ZI?O1?To1YSC(7W29mj}ZS)cK{LExC zT->s}5@S0n6J%eb&AeopegIf7F!aR`;qTTjFOk>w^D-K;etbJi>>7(f;a+vSWOQN8 zAf{Y&qh&b~&tLdk2eZl3l`D9w+`T2T^4pj;7n^_(K3gdn)%tSP*Es8q9wXN4f^X^i zZ1adOvF+=@lg7AhFCBs&-BQ{`v!-3lh1}S9>$^d6G(f@@sny3vhbEMvw;}-F+>gIh zzZC8WXlRwYuwyTkW*!JIVGq^tHq+_BdsCuZLVR?@mw9`l6?2oP8Ur)dr8ecYPJm<} z4*fTc*;;1Po)9l-F_OamAA_)x&{q>Zc!xu(MlFY>uo+59M~2oT_VEmW8fs7DPnz@# z;D@Zw{PVwPdRY^qbz)9BE0VMIFPfG{Qfr|sHzT!vn6sQc9b(ex#Y^%y=*7^UNU6@s zWuq`?s0|*nV#7cHyRXAwc>}ZU{xh6k_uFwFP~2`wd4XP=mQK6@!J|cxG|Q z=(72KD;{MPIHJImgrio8Uc7kZxK`Y1NNo9g?=HK-=mmm)=FtXTU54CZ}y7mrL>L>=k8s1Z@R&e8`#5F=oTZ|9H9sG1}gO(6~FNGk!rJ@!0DeR6)!z8%H#?-G7IAKztEd z3zt9pmwyLpPWlm4YAj*4$x1B{5?Y#+!Hdlg9f}PstCm&nJ03jJEI+|!Pb?h>HDy1U zDdRc6fclXg+RO>vV-H*T4dCXRa{JZzpHnedV$_g|Dq(aedBSf2Xv$u{+*)}t8X|Eu zUN1z7TzKYXnTeU_&={DiI`jZSnl(&R-O-6++Z?kiNDRT{Qmhc~QfwT%pvPCm?MEek zTdIywBVueS9F`Hqp~)uhj=>W+K8^$2r&y&nt9X9Pem-DbzN%HqvPz}bE>m#s;pM1k zIed%s2f&m+*g{^fauB)gsBiOfd(EFRQ-CLi-kopKy-;BTi(*fsWf-Hg=+GOIe)%yt zO{N}CT>G@O|E7F3?^E7ek2^J}bO9KFmkUgI#mN|k&X_LQpdaZ`1vw zY+ClZul$(}#dCFP$<(AmVqa?eg~__yV+aL(9G_K0{8dudpwrou+;C2w(8vrvJW_U( z8yk976653n5kE=h$LVpbHyAZr4X(tQWS&Scse1RVyZ%qRZr8dUL2}d6Q^Yb`rfG-W(f3r0-HEZ z*cNB^bkmo*6xI{n6wt&=P$ObSI+qCO5c0Cj!*H)*#<($Y@$R=an@F6Fc}LIBZBN+B z5qO!-Ak?jSj`k_IbM{-W07C8jI5gGaFo-p0_%z4!n{e)dZa_aobJ8!+$g;eRZGQv-#O%?6`b0v7)9lGX0%DiO~Y z++p{BOUBi?x?ivLM#4aEhNJfs8{7#?@K>88x|b|U?F z+=*nn{>;FfW=#-FReb&p7(x!rYO|5^OBT&i}F@XQKUz1JK>1+LCgf}4<54U+Pz^(0E(xM zQq73P?oS3a<9)u9O}gTkG{MBh`haQY^ho3=L|O5CF%AX_>jFz?y^U*>L4*SM3i7Or>o3sPRemhO!C 
zv)0UWWn1D@oWE)+TW0C$^Mv8rf!b<+XX7^~R@WMyecgto__CGnA^9wbg!a1f4n`c9 z)t(H(3!g>-P%Q-mpTv}^+>f2-aN1te)2M#ksl~JT!-BZX2{=Q7zE?Q>7)n2PIi)=8 zQ@p(|47{smcQsI^mU4|fmb7W{ZUI(BoygkDob6znS`|G;#^`)fgHdCf{eZBn|EG|7 zaF`!<mA%RY z<8Q91tDU}`>GUj>k?raD+}JfDw!}LHqM+6SgSb6RXUy=Wa~cIBh4&^pe3$D3N5M=F zi2o~cL1G4tQwLl22T*ab5u5>vq=8-`v^O8ULW&Q>4T2AihluxJjq^g>rsw|h1rgH8 zi9K?kkzb%yeQz%5nr&%oZY1BT^3_1e&(B}hac4Sj-wAQd$F??oyLv--Up}V(HXF|D zCBS~>q1CMDR9D}lSkrdAMg+P{Z|a~3)`>qJWZ1M2N|hyB=8-72*vxDt z1XzLs!bTnz7>Zd*Cu;f?f^mh+s9tT(q{IyvmE z%5Tj<=kwK8{Y2NE;HZ4uM<_~cTfA8D~bzKAHbu7_i>toQM6I%Z(>i^d6-v2Sb6Zn0> z4-R$Cv}#X*5%Gn&$wLL`RlAk&-eZ%pG50Fglq-&BB2SJV25D*x>4q9=IUi?|zXYNU zRo`siHaMqlzx!s2*zbVCw3#YycvcSPx<=Ft&t~0ChX!B~Y140L&Qvm5{M9f>zfWix zu?z)byQaZI;pR>deq#S!!uOgJRx-N>VAZP5AWXJia)NOSl+sh+im$sHPg@>zDQKf! z_~9NTn=LI)#ZH<>U+MRt!+(H86&Q3_=0clLje;}LdiqF5+o4GADr%RQ zAJ~^g^}a&))-|Jp3VA7X6G~>`zoJ=HBgfO09YCx%K?G`cX*<{S#uD>QZ^2JqCa>H9 z9ljRRufj+TTrZp}L}Q~{%^L-@=J4|J{+hic{p1yUfW(dVW}xHRsn^-H59xc);=hx? z0N-T~y_KFGq#pNB`VGMp`>>0{vLlvmpk2{7cHODpran>B`J=k@R4*h-VVbAfZ0T*`1Z!@&8uxe3)}@i)Zcl1@;QP11Zu4e z-f`wVlzSV($9Nw!ayS^KZQBNq4DHs?MI1!#FWwPvZX^kgRf|8P-!daUIB4Ua8D{_V z2Deb|D%$kNOjjcH*9G-Lyjw`aHY%mW6mnyYg-uBFr%vs1;2C8mh6a~BY)%+ie=58*s;J8X=>7LQ8?}!OLT`!+JUX2iM<>6fVKxbVWa_MMqRT z4v5nr_@@q(+206=6a0Ak7rLk)HpZXdWIsdrKT+yvZ0bjac;Lwe66YpLOj2RB4nX2! 
zR_N%~cOpXLJpSkH?A2q>f6OlgfA0#uc)Py~bVCQ@5~nNNwawo7rG8yurte7Fp0RsP zRiVK~JG!W?yj-;PU-Of3X_1;`D@|{JX*Pt(vnHG0Fauu+qq7_14}dO-a#X)6oqOC;(_#Ju8xZhfIB?j z32q4rK5lT|zj3&N=$y}=91Czk$5@pOkW34qyY>{yOrUzNR5UPll+I*|@)}6I&F!w* zr&B!Zf`Hx~Dg3hx=x1rPE0^+uN3{oJVm|)BFtVuwcsCc+1H!nwXj1jotGCIQy5@|k za;9gKZVng+rSx2d(yg-&M2&x;QXnYy=Dm=){Kv`p4@W^|Q);_lT29^Qwml4DXDX}` zy0z@s5k8um7sJE{Waw_mEG9|E+nystrq2JU3|2GdrS@q=7ay~gf01p(huT`Wi-Tz) zT~_DtQQD&e!N9z&No&1|!7q>eSN6R`+FAwHP)i$+DqX2Tl2uc3D9@Cn9R~*4){W#I zw}LzNCV}+(8~7o6hezTw%xr-5Kfi;|yIAd1Gn!LlN^y!+v(vyzeD@#`$|MWjVz=$o0U+wNh@9Jv)$>Hy8_sPlNB3_4= zAYKQ|$7f{JEB810&vOaBRl2Y>&-Dyb!8};^Pa<`_cb&Bt$sBEut(L^f;|Fdt8j({1 zR*~Kdnn$)4Pp6F}H8zEiw$3w*fU}y_FAtm}P|U|J#*EeojdWDPtCQ!0Y?si1i`i!G zj%s7vCIL7nuZ4llklEVu+VnSLGMrNWFPVJ=7cH14v-}UpvyQ^H?|pI!G|VIEXu@= z=ds1Mb@l=in~9Tln5Ub|Y_27`(kMPf~Aku|RxBbnuUsO_|N_S-}~C&%PmM$8X7yNZmB zB&)+0e$FEw4Nmk1ZUNMjm5rKR=xclYzx9j0nMfPEOYS`)i)J{4;J&jVrVcT zxz6W8$|@!_I|@%U3c!cTF*Q=!;tw;qkL9+jG6>A%|CKJ@0HO7@>8NiZBz7-a3H9fW zSno9fGPQ6dy6orY{N>HPwR7J}Yq^UZFWwY?j(RK~leBr9>I!kCcGq;#xCQsvuq#al zW@uQ}vkn*6UV-kh1v|D+|9HsB7RV3J8t&0t$nJf%GY!PK(`-^=X)4UdPxNBP`MG_S zg`7W%L9D`WF};!hxIgUif7cq-VFnC`82nD^7O9!G@bXWW8`+|AiGVfYH(qtmw;7s&DuVeP zy$Lu2+jo&WciEYiVA`ND$eS;g(1429DC3Z8#C|nAhe{bIgh_($r>dQps}^VtZ>Ob( ztM#l8=r{gHJ!**{3?P>URf-@Qi@aoc+b>#wSD0hx*G!lxffFvy9AhH~1}t?`604y2_!Ei*9m;yyaI0W(RgTRPv_<4iG^xl#o+4RFs zA4+v5Y+T<)A9|+RFVa-3v@!3iX!6nKj$47}e$~TjS43`+e}bra4+MMAv!{qaH?($w z!ja4AXDqcF_m+uga?WH3R&R)rrJO*U{j86_`I#v>h99atB3qV5I2|{n*Z}!fSo>e@ z07)zll0*@!PwIpb@k3+>!xcJW%{sHD@0%W5mKKUJhHJ_?jXWJw8y|gi?+EXwzTq9CWq$01h3aHJ{u}Z zf5+XJsYxqP)zBn{x$;SEi7LyMV77d-(~a)8MU?`z)vJL{GqllAKcXG6ii)!b+^tIMg0tZ`{tj=_Z@IBo z#oxCqrE%EnUK?rmZn-J%&q;a+?@+_klI0thrR}7@bP?|FVD{ZKr-*0xOL!t@l{Hp% z1O-YjGG}7ytvHI)=1jNx=YWi z3WC-$T5bw?mLcl1^o%iY3?zAY^_y0vie{=Q%2fbhX^kze2LFR1rXmFftj8mrKQa zC{X{d-SnFI-t~hghZ+)nN2~6Tmv!D7=ZLEO%jYec-EQ54fM1PbEDx*0&_z1ZvQsS$ z)+?YUv<;RyxPiC&3{qzaX5V{ehYq`s2gFBP8xJc_qNRw z3X~-n--#U#=E!7|B0x0Z={sY-a*AqG25Q;G^V9FDioq_|M4ESsV8SAU6j7Ri(p8W~ 
zG;ARGYpc;$YD5VyhOsiu<2SwTjqvdtk-iOc(qRDD)$4v6nRfk2_SUq~pJc=dXuB0| zV@k)leiO(^PbR05HBc!dr=UKjcMf%+AT2xN7qe^xusN86VB zN3WvEtYP20%L^Jb&)=c;a?NNVVx69|oVljxzSsb=QQc|s&~vmJNy15s?Wxb@8&3GeapVJETU^1_Z>D$6Ke2cC(12T90s+(yki;ERZ#?_%=Yyx` z0pIO06L_|G0=2u%w*UPykhBBn2O;oW3-s%NOGmyt;Lh$@)2mbRi;e%wFkqZabfPr-h!v^h6&bA#DN*WXj0U4ktF*Ejc#AU`C@;tI9uRBEoJe9Dkq%bEM14-D7kI^*p=j& z^J@W<=cl}7w0j%n^4tEJyX~~3gwf>{MaF}J$E)+p)wIW0#!_Z<^d8Ut50aghNg;Gd zRE3i3aMZ=ZMnV{(Dn(&{{Z>_UeP^QoUALA{$?()jpvex|&zO$<^v z{&I+=U-Eh=e&X?t{p{k3J8L9uV&4ikp!SHkExAW>uzULzY;Q%`$+c*ABEA!UlUE%{ zM5);qFSu}(wgZ>Tpp?EX`5wo&bNt%}4PGtYIsSUrQP(T6M1VV-ib$aFVZ(&C;bgC) zr<%Q$Q_o~khy&Wd61IL~ukiCnbfNd3)6zZ|sl1gTp1gc57!tk0fsw$x1F|l;HgLxN zwz}T!_;{*<2PES88W&^p_*L$QO3l;q_kD`W&!Z1Vd@EK9I4(OpJ}yX~H;(@yg?+>m zJf`2bYK!dkCgBcQu#i?U}>r&HwzYA&~2EGJS`#OY%vs72qvp~y_plqv%fyUYi`1Dl+S*1l2 z;-EC`obEE8;>0;w7QMd9a${OTORnho>$wB3(uP}E{@49y{=}sv-mvcNl^=mN7ZIKb zzPXBgczMAu6;Y094JI#NaU4NRBJiSlcuEdIont9@~8!yO~bD3%Rn8o};|$0R=Bph=+hmhGqObGt@nTG#G#K|b3hJ@$aEd_n)! zMZzpeag7df8IFTXGBL$?!!csw>I-mqQGsm-8_M-2U_|07dT0!=^*PAhs6>S_#l-bx zlcE>uh-2tu6lORE?}ac^|A!oIYb5^Om@D%2Gxw{F6|Ptb~HZv63L4{a*;pjRId?PFDv1C z`%b_pD?8K%T%jjXQGhzE$y6fp*!o|)rj_9skuU9ad(xtGqQe2(_i?q8qzFrck2vU4 zuXaf^3(trsqbM+xkq6r)iApIADY?^GPq%kp8(^5^F?ST{W_9^NZaX1vWJyE4eMsDF zPcr2dx=O3kPi6#g+R5y@{(JJpO_8xBQNoaA#5Mk7a$76$KDx7n z&yBFnon{^QV4JT%ps(2Zv_N%!p%hw=3oL^@?TaCmG0HHV(4jJ5zdS36)qn4M%W9JU z3O>(~>7996lTss?d68cDjswCQkdOruzjSuU*ZbB^jQUgh{@dckUrYx>?2y+t>*FP? 
z;8Z{lS2bc6LLW*J;?MM@6OaaPgBR>ZLqN-qFarAivJUE(mM%szm)aH_^sZMksw;+n z0GTnwPzDujMveE5`=wQ4_H-Nxv7# zNVFk}V%!@m_J}1=TGMd$C^Nj46ee?7_8Y~8OE^jmU_fZncfDxk25ObUqOboUFiZPf zd+BP_l*nhbSu1I#UT`Tc(ma$k7W zAZBfS*^T*ev8Ko@=uf+Acr62Ug*_kdCVdE5FtzP#4rN)$0diaiQN|R0iD~gkxBDR7 z{Kti9t50v7ZaTd$*Y}7I5U4@7-lzFnC19{RlYdL5L+eKQP1uuJA887Ot9 zsH)iy8HG#aO;%%wrHGNzHOu#LQHlQS}vpogt_1)wxtXHoWbC=@y3Z9g| z@cO8-z#HSfO&8n5qFuv_i zCCv&^3HG$%WG?9EkB`}*#B+(DHq$~v>72fys{PzoHTx1WkvN%rrH_6Fc;QSxV*6@_ zLxtlcF+c17ly=Dpf<_m7y(RNs!*3*k6khLT9$tudUM~MFcodOAt-bSV6(TDp4WWCU zBK+;uuiE@HUIp3O$5v;*p9{)l@T24eq>(CtWq_UgWgBx%T}Q<>X_kGroVb`h&h2MU zUMmLkWC)kD^L<#uS*OvnVc^XX0lkZ&OZmKoeI)R7vEEP@j?X~y^WQ>r!(&KB8TaySiB7m2$w>nmsaN znuUIKu^51zZ2z>Dl3xP_cx)yWQK>%JezVi-Q9&-%Tg%29|CEp5L^*xBJ|%3P-+Jdu z9_oUeQ??t0j=<3j2L0?NzS$041u+0<<;{A#C3K%I?&LAISIGTWg~Dw6s+{8{Ff;}r zALhny%}V$t((f!2>e7_kVJlOdJ0;wNe`T)^-h_w1lbnvz~8b>fJ2TZ)FC0=&6nf32&BY2vl+O5UOy81bT32vxqCQe>FESJ2*Xt&C858R zx1{%!y?o|~p^O9K0F4{0F9>U)`1AuuM5(j{Q8W^G{&j`6Q(x(O2+v!9(RLrxJ= zm_VUO439Q;=-l*B7S{hsFy2r*C0%q?=<6Wu8tYae$vk;LNasH?gTxlem1)X$;gLC* ztdfUID09ylLzuelp)uLAlEk?%G5$S`iNn=!zR!hjog}2>OYF11t=$E5P{hJz7sQKNo zXn0srIF8(Rk=AjhA$!1Z3YB84wIBvO{r0C|>l0Dj7 zu%vXZuVnAc)mk7=8?v%kE6ovCa@8G9Q>c4zenx!N6o1)4pNZjg9)+UZGeMeLe! 
zO6@KjiP0@WWx*A}W~6OqBz>6ay7h{_Md6W8b-A^bubcQd(wj~5eLj6041`JB5YE1R z>N1)UmW{PdeuVx_ZFI6fQHiz62J)b{f(v)e~93qHo))jQNS6RE)CnE)4&qAhBkBZq6Kh zN}nsgpTy1 zJNxIq3NfNvmpW6Tdci24JDnjNr(GKhnSx5D$nLnc?7XJ{%64aKavQ{s1 zqE$uoAWeCRSWb!8*zqQb^JnWK#4sMtrt?5FE<`}q!+lS780FZc_`I=QE_hybVL9=b z9ryGk;FCEX|9tB}n(*c_^+(M1NwB*b&_B<6rbNd3$&MOjftUKR8ukw2_tKBsiOP;^ z>YciboK;epfx;*|47ix(I+FKGE4aEOKCfH`ZygYoTuqlm0#)e=S^8xf^JEC)X;O7G z{4nkBY32-qUkl!-dBHP8d#Vhp2FgCH(?Oh9wKRO7xYlzJO5=jVZs~K!7XEQ%-zw>5?zhm(Ui}!LF@6NuAB%D zfQVhE8k&G72;ZPZe6?xg_iCp=l9oGo5l{vm^m!p^$Bb9n*hhgl07o>V_1f}2wp%X1M9{<{Sza2&9@3$s88 z5~{VJ9ABgrh`jEQS?%gPj`>O)sIJ=}o80i{RP1)_Pmt67P2&^yQmgGfp7DB)!)7A| z4^NuW9p{$Tt?ei$QYB#bV{V9FC93{c6H=5Sc?qHPQ$LoxOQGpS6$ z*)OO**bWSL zUTVnt!(p`EwDT`T_2PK`g#xE{A}H7fSt!d9#C_sG*OaYF451Hukg7QWbnD7gEe4?* zTyV|5Q&CyF3j|+}w!I|$I9aUljFJ5WMjYEiAPGp@HoSKmD_1kO-AwUHN5XEg1C3Sq z4sis=+33?wvBTNX@$gws5F`4Q!>x9vX=M$+l9J%O-C%%UAE2x{(W2f8*Wr5UJaZ0Z z&uo_nT;v9QH$2S436#Ud5STWhWo5@q3#%c?7ot8ZP$oS^U>tm4x?C?@jADlWPar^2 zCx3Hcjv>%Z#Rtx*$uTne0q#T2XDf8IJl)jpd>f1pd-48L94HF{)w$3+ zW{e#ze}7*HQojsdzpudV0f~GRjTBqF3Bei((6+NUBicw_C;b$ulf%>lh=B7Q1zj$0|sZyB=jWo*}OiT{YB z$vvjB!YSFvps@fOxmPI$Zin+Sk+l9$AJzLt;AD;xmt}Q)iUxeghp}O4zA%4HV$mxk z1`R#;iFW-Q65ahMm7{_hrmW(Hf#szbbnJ*n4I}*u*;!Yyz9#7){Q{{QlNe#78=U9u zVhyE(dle#D_-tB}Gp7!Jx5b|%fxznoF~!!G>AwpDm+e0Aw>sA0uq+FAs}!YTUcE+g znlZUj$(2{gFudhM=D>yI`|XGp8eeL|%2>}v2qhxfU;jXDEL!~Cq`G|~iwFsYS5~j) zRw!Tg5hpIW@RvvVZ(gcjL783D7qJ{`TuYys)rkQ`4-$eS=Gk7lJ5B-JR-6%d zKh}xIu((a&8`6;Hcg^xp!S|0Nj0{_|-#8obN-ZdnE^qSduKKxhfa}jtIs_#J7;_q^ z#6XpICWAQl{{PEyv!AQ5uHv9oy;DvOMW`o*}GJ#PUeq!;D zf~w@n&tc7Fb$$2#M;{qv@BJ=sf$=|rKjU-6$~!BWx_CrmRQ6a+pR%w1MF}hA!Iy;s z8)~A+svEhuHoCK@DcbNoVXj@;=gdEli(}aoFV~rMR z#_Bk;=f>+xp}e^FOwp}Z(@`Sz^-Rv+G3mMGy(iywg~S}*>JF>qMUeWIrePdiJB$pS z&CbYYSYIRZ0P#C^%ny@Gy%*)Wg&h}(+qQnVVSQDJL{_C@Tu5{Vs{SFSaF068I@`d- zvzWqu!-eVCwyhOdP_(B8tCLQKaN}bUl zxmxvEVfoK}vtc?6{)t&7BDnw36RwnNigQ1Jb4W{5$;M!>YozlhlqoD%;*klh0=|j{ zo?kuoc zA07enKhuu<#W+y^`;o=SDz~S6)?{%p*21hTRi{zM-hza+`xEx!hOg_9Sq1{wm4d>2 
zfrwDrxKNI9g%`$&?j6ztUjuxJ5!Aa|L*Q|PXu_%r>}`-uad!Rw=SrjUnxE91*~jAa zGydU2ku5V|Z7A@9uX?U5{d+g!SGxF-2iw>NFE|vanXl=6NxWu}3tCiJ`(F80e;~a$ z{forfE_wxLD^yGW?*CMM_H3D^U0_FQ3O2ZguDtzS=iVzY6vZ4F)Cf+E7NGihfC=;w zSNZr8ShwzIEYfR_m}o`0#Oy-K3v+gOl@I41oOM4AGEM!*>@e4501wRzXglSx!6Ch8 z2*Yds+hC?*4`ljI1|R;Be_Eg-2Fa}`udKUalhbe1n0WC=9m@-?hKe%}7rtX6i`1F= zX>Lds9B1Z@ZfB3*isGy~VC7GZG65occzLdU!?cp15{C0+c#AShlN}8UH&vT}!di^g9_BDku=@A%6dR!T41=`uMi8{e5$i9V-o;$+PlA-sX1!8s z_x`xDHE`Zq#E5yW5pNuihw4T@8yfancXrcZ%-TWAnq~`8y>Kg_Edwx_EQrF!i0?3A zgiuwzByda2Dhb?#?;0?Eri-=`&2{We5&mZE{DAQq(Nz~AGb@XQ3K0F}!M#jPdZioV zjRS-a1rOCL1l?}#D>UYx7V=YxtcUw)K;KCL5>qqmj8tmc8@`w0rwWCULu9jS!NcPd zhmr-Gf?WiW%^1gQ04IZ5O){|{sz+83OFF{`SS@gmd0Pg|WWTd;Dw~dkK2rMH-pPsH_$=hAn&T_VP?5LttO!fw z5u5&_iHGXaQf0OI&B3F!nOCJNQS&L2Yt*8BHiLC#k?YuHE34c%W zR>wAmrP`w)6U!}a`ANrm*1IAtjwmPgexiZ!TdxRUZ#sJ-tOnehJnhyBSB^{m{jw0pIU(bCjEwh9G( zjB#$dG>N2sZT9q!l$`l-%Szi&lDszBY>AgAga^;#KUtMciVfI)+YxTCcdIWfZfkwe z^MLz5=i!-2m0^6qeY|&?SuW1BT7FSvBdc?2-h2$lsExj!7PS_f4IM*f3!|}W?j2p; z;J9q^qUW??%_nJ`&n^S7hslVue&DyBEV$3m`g{T9rRHKOR{=-@t@8kn%-iMl|9a|3 zP8FpNF{t8=^J}Hq@fLZyV;lQV(kG_&SCJ zo*>tO@Uu4UH*QAU{gu;j;_l0M76tj-JE_%Ijwq_0tMa~&iyC1Et+{j#(2VNX`EOp9 zRj19kdDhPwbg&)-Ax_Z2HXh+K@HP9xzt^px&skA4JqRM+YfoD2Y&}iJFkB3LJppo! ze?W=YJ8fz-bmuWjGGyieuXaeH=$ade9%RG)UK%CUUpNpTURNSqRub^t3`4 zu~wk-K;=+-jL~jqjzPr3P#yJs?8WGD&N<5<8JXsXq!JaO4tu_gyC93ls-* z&?M1p)0W_<8Qi1!rEx7n31+3G+bEX4Cr1%Mw4Vw{6 z7qt3|&_~4p3)*cE^}({Yc91)VvHfU;L5(ve z?y1xagr!4n5Vx8hE1daFlUfSn{%||cixtz`j4ejf%5a3pnP&Uhf6`WUlCu(^X$}!SCLa=@mN7qee^}wGBM~dz`&y{gxO?z=))X6&*miBa7Pg~=f zEI8gQhF2}Yw)33=^<3ddP^!8kxSIGrFX&jDbcPoH*a#Tx4L=8Y6l6}fUeO-GHj8R80Q6r-dT6-Yk zCquHxuoKl9K$9cmr`1JK`x!rfFI^RB-J+~SKGwKQ$lr``Sh!%GiH7cY#|! 
zvj$S$uJ&~Jyo!7)f<(beMxaFnTa`E&l@JZWXg88{9W29QIx=MAkPRv7mzLdM;@|p8 z{l9a@$5m_1)O>o`b28}n=_BYNE9?90xmKw)uORuJ&tueKr`52pFouHUOUQ0x@B6c9 zh&G))zp=5#3YOJ|kEZ zErsaO%=PL-(ba~A=N$+&y4G7w2=novucxFB7@r_E%=?J9h78PM>!;+A(#8~;`HFwB zp9HD(TqLXw{$H)(LW4Y0^%OLNwLUadLr{z$lY|nOWS=lH6k{C8MJP$*T3??a@7x$sTGbg~|^>)GLfv|z0UYZAyGRh?|4ADJdo)*Tzy6l0v9Q4rkWKSu~SmW z{s&SKBB6Kh4H(Rf>4h7~LsBDuz8;)i4_eb{op50v>L94W7B z6fqp;TtUZDEI0qSPvL;Wl}M${GPY6;x9Jp=6>a!KU;q=_Nv_y@^|vp;cLZ-f!_2Gk z{CV@4%pYtfr#Cpb7fdX>%zb*f0~sM%Qhf=K-FcGaIdsx!eOfRos&O=Lkl&E`zm{^` zK3FWf+CLE8aBu@akR%=sWANAWm&Khuz;6iKQBS)!HLi>B;m_S%W4M^1{JlQI1r zP6^FVzMlfT)qxb=QIT@qDG&8pEtyCxN}?)f)!gQkwrmQZhYfwIUesV_>2vb#(-8mv z^VO)zV7evHT;LSRZ?VwRtYYgck3lGB!XEQU1?XbXpq$ZB$DY%afRb)$0!_fbq+2zE zrLwCn`|@`$M|43w-GUe7We(=Jhx9Awm|;y7uTx7_n1D{INkjo$Zz}Qnxbx3*5nDaq zDWy`K*hXjqPDcAx_xao(g9KIz-+gaQc-SDa>Pr)k@%{$|OmQGi=o$_aea|c{)iW!} zCnrzH(e4Bt(8zyMI_Pc_Wd!geZoRhEOh@UdMw{>k&Y5EWtwiMahKs%?g$yblXYi{@ zRM%?nZ_=XJKss9I=#0N;D_on_xA)Haty20fTo_=T2@{2pc zLiaCc!-|(Z?82Y6NC+FYq&xPfUH)l374l2 zJ5B*CA7Z?j4Jzb1z74W;W5fJ+uabk9-;72N=HVI*6KTRF0Yaj-@wkWCFO-B zZ5P=-&-@3x_OL3qwSSbj;;8$-xM&q1kE^NKo4S^w_R{Ls_qy^o4PIpY5WPyEG}zQ!xldg`FLBhbHpw}@YMYVxDo7|@yM@`yc< zokVaDtBXU*TkAP=cJ-Vd4am*!esC2eoFm!psUOKKVT7Y=*Cfg7X)Z2c)~pzWXP%sn zORGz~vqQtwCqGM3U3EmHP#VRi=__ugLFYdjURDiBWO!|NmXvopx~j2i6G8fcHv!xId8lJ;T)4?F6y7U}lQ|rYdS- zI-65J#+NdisVHK&D#{q5iKS5rx0RS#6~-s2E6PsV<3Wcer(ZB>yh3ka=`DTrKpS4^ z{>)ef`%B2?*4!9q^K`pg11(o1uF>|Ou_X5)0-5^SL!_v~y-QCh4-4fE>?YAty7r%d( zJIuK=C!X`1Gk0q7j1>QVI7N*yt6I7nbkZ-kaDyJW-_DUVHSIC4IrzL#%1;6*xXK`7 zysxQjnrOzCfM53sc^vq?O=t7sepUDMpm*ty5P&Mf%gaKBN~+%L-94+!nn8!5xNrP8 z`|p^3&H;bnPpd*obGT?Bs`_)HaiDZiG;_QKiHrngRLf8oXoP8c)0M)N5oZCHHG zHhaCjmY>VyOA_W%t4d-x@RTBdibQ@Q9YQGKMeoh=Ax}yEi zyvP~scL~5aCg5X8Z~;1|e_suV&Su1ceroxfT(#_46{*y`b&Pwk-=mWRJch}}l&$JKe#?B#79F86dx2Q5k;s82Q$x~{ zX8qeO8)KJobRoq+#OKK_)UHp#Ue;mkY#O0mtq;^xGXUwBV66{0me!IeXL{YfTI?_h zMU8ch?)J5)&I?l)RZ($kFMlHKK9L+W`)jRWe z#Dyx-_b#+>}G^1ePnO62z{NR*K36y6Ls-|W}#nh+HViTaP~u1 
zaxPe}U86>aGdFRgbL739X@&6-p8CvV(6VS@x(qUSR_UyN_aqRafqgBl@m*Rc;7Xa* zSHJ)j))PRC+eEXo`1^V5*vV3oTe%<;>tI{vN@gW4)f&&lxkZZ9^)%JK>tl<-k1M25|-!A+1 zrXM9YQVyb`fD0|6%&$iatQ|cXd--qtxOL5eKbMd`nEFk9i*J*x(1MbF3fe}k5|WGi z!Q*25Cq3=5vvXG~E*X2Y{v{k-goXW-14)J{p&0e z>yE3kZW^@+TC=&CPD>g&i%#noE!o2*? zG@)_V^{WWyc`Svnpl-6n_Hg3KRI%7veoo5*Y?;8bbIE6C6G$|;b-e&O0ijood)ai<+k#h#fE%^TLp ztT-D;q-0Lzr|6iqZtfyx{KgNZZkW97y)U`EEJN9kBX_}YyVOqO@uwp2j|H;wEqp?N zdI%yS01XCwr}CO9Bes7pfRsli%*XgcisB^y%*;uIDz$AGb58FmC(A30Xi6K({BGw) zli)?@Jo~=*qxO%xz%%D}2q+ig`%{JlWxq!-NnpCe2oQ36>U#l)xLjU6fKUogUeNGS zjTvq5UDC7MR4ks~Ra&Tr|J-jYqd!v(;qnXSjt9*9%ywEGDI}KG>}Z%@5Y0vIvwGNF zJ@mffzeUbZwOk;fD=ut$E*YC#Fl$L5&R&6&=zfMuWQd{pEP3C5SeiVd3+&z!#hEKI zm+iO7^=K;+#lqdslt-Ek0XB6YPY6CYUhHxSua(QXFbhvElbHvo8ud*r>!amEXG7ld_(>BOlJjl zw){ivaO%RJF{lpA$>gETFd+2tK~6n^@4ziz47(IElN5R<=(?WPfYgga}fl(NU@e zROzT4^HViMR^diFWJo4g$VOkIojxcy8_O8Sl$=ExPb-B^%PB8By-21XZzdgEJ57%4lt%^P zW7R%f&xn1j@Q4<`dOs_2MueFe&Fv#w;bv-M?l{v8scd-zGP-Ef+Yjsu8dU_s%9tkIqa&?kwbJhy&E; z_rmfMN30MeKQ|kE&~u*7TG64@R3gJy><3!~n_>_3+XkyR&Bb@zUa46&`*&%VcPwR&uI6GJ0_3H1! zr`oa%a^^R|OxBXRD}-oFt+21()G#;bQN>xa97K}Df|H=^sH-@Jr#9w`O*|hOT}8>! 
z2LDJ*vn4GjN8oJlJ3hks1}oEje)FywKqSx4}VaWy0feIRTPWxo&c zZT;NOmEAVNe{~Q#M_zpi8nT}&IsH@QEVP*_EfuQz*1Gn0eXZ^_r(R%2&;O<+2Zp_u zAof9ZUZrv&-}VXkvHWq!u+JEH)Nla(h_Ut`q+Vq$A?l7*tbYbOMIP3c-;;qECHi2n z+Y)_{*D8pA> zL{2F3!zo3ZRIXWXZ1r-F94=`)&P0E>Wslvc;tF1|O7`UCUNQn8!II1~U+pB!b}lmb zmDSO=F=?q=ROCy0qbkJ!9DX9n3}&h00-C%Qq6kn2Gy3C8o=tqSZp(*_gT3VJD`iL} zXY3lwb(RlW*+hWT2Uiv#irggJHk-b$_ISR?tLY6nA7mES0x_b-Oa$J-gBa-7#=6e9 z2?xG5-XBMH*I}dXFp~QDom(SX47?$%Lx>dfeDf{EX^^-?j!&u*=+mk~?JiCR_oJtp zHheLFTr6VyK6nk*Y1I+E7MQr>CB#Or{Pd~qOQmt_-1VAh3>(cr9mDJbq+V4sxVq6H z>%UW^yE)5W<-)6u}uo9^ezW!94s zKn%+aRY5?P_Yx=Gs3R+qqo4$X`0y0vK;}%gPx=Wj{#=6Oz_=~~C3+GkZ~trKHtby9pJmA4bNtJVDAr ztD~bK8d??t+kaVJRtWMJR1$1!D;r-6R7A0|PisJrRu0YQ4vH5@s!oC~gJ!n398)U> z1SdF~sV~vC@dMcpkO)mY`Oz|x^Ha9!VtZzi@*M^FNtfd*(A@4pSv>4ziFwk zZ|?tIYGtUP=#rtn8=jZ{s$S)_40#N}_D}z$nyEismxq3tZ_>gqxB4OtTv+($9h%-n zq@DC_x9_i{sey(HS3m_TGebLZoA3K+-Whvkz5e8*NNCRqFG8!{PctvDR8`*^jIGEt zJ&*YZX`05voMGWfwS4!x4vOa8fI0wX&P1MxY~dO*5E5l`L29dDD_=O&bs^cZ^JZP) zFC+t9n86OUtLl`I$<57m!07234!|nC>34LeA%#>4|F%?usdX@yedNG0!m>h~B0*h) z4j59$uv)66ujt2MFFzFKMog_?R?Q`n^u3~0E;Or+E`&kgZBkpOzr6p)1YU;1pDtoS z^0Y5=-t@}(Ebb#!YrOJma%i%zNx_PqAI{(JPD%Q*!R@1prapGiDA;VVjxQbQ=qOv< z_-(Lo27R%2uYR8SaPG8dm)Shu!zpgIL5V-WVkmgitI@E<4*#?&+r@X<4c~02E^6%z z6*9C%sW$ZX0BpZ&O>pe3|8={xB$lerd%cvV=)>}4%5$oz@pd=-XbzR$QU#T)*%UIu z1MrBB!1ft3CqI0&l3t_2(7`tcHQr}=NehflJdpmMz2_;!ImOl~z8Tf-4rtAX{NQ8n z*7Rv7y!$B)2n$?GI<=DZSf&c~SXE*WuwE9t`J`Vmb_ymytjsR_#+KXG8?q~8>3v8? 
zV_p)in_D7I0lfh+&xl0>PrCs{oW4xsmlm$chcrbdH&6Wz_C9ckd4q$U278D^CF`oV z`&!6xlXUZ0k<+A`3qV6;T2ZvB2LEbx%w$TT^5o@+Jy=pZ#;={4S)onYRr*UgGWAe) ziI(d`GTUSiq%Dxy2M-H3)<#U_l2G5l%il+Xu!Lb5>r)2hnX_W&n;N5++9)r?Uoreq zp)2_Hvj-l9UR6R{7}ECbS71S$9cbR7{;Sy4_KteWz>X5N-LJFp@?Tv)2k=rjD%0n+ zAcg5BDWEB{DwHb2c`;iw-|4*P<%(FHNI*5 zyUK6~aPYDNRcE~jKmC=%onP@(V~G%UkIKce<%oJVTfUcB>)R=z9!86E>Vz4X{qX(xS*cZAx&fBR7a52RP^*As^H-0z2DWKTLuHQUjP{n$}y z-gxiDe8naIb{u8-F%Gz2QpB3cO`N#8oOFJs@MHayLz2b&o!y%enXiB zekWkkTzSnYdP(xq`4?OF;lY?n$mVuwdb7KujfVO8_@2)9LW92>)fk!;5kc*H=_E&u z<-8kY%8D#Yiv6Eu7i~@Wk|i}-&k9_7)|7%3g#r12&kN`R=GgKjIFywKELb%MZ26T7 zSw?BZmsM|b;L6p46(7B0t-YtBa8PO9b6rIl)reE6dV8R}aExh)i4?uyq8NXV`F!qv zJ;xf`8;;iFdi#yx>=3GPlBUtxSYi0L4vwfz<*(4oMHO5Re{&`BeJcc?M-Es3=mVLR zaIsV(!k@0UMKR=_WIYAzGX$+bV)8Oy`4X(>npVH+3VhV>9gdd3^iGwLT^x&D-%|3t z1>^dWkgC}b8qSJ)_Vc1&k8>hJ-LQ4gepdd)g|#HZb~+EqQ5w%qlCog&f;)p5cioq^ zVyKcYjrnsV-hAD?7eWWHy-Ata`Me+pyNPflQ*}S)N<5TCKD(<-rd#!}Hu@dzv$MV* zSY0lUVlZ&DxIo2__I?r!bHzD~9IQ52ii1g94WqeY*RC8}VacTnL17`e{g5nKLVkAp z)hIrJ4WmQ%c;!E`N76gm-O|)rAk+~V^CZx;nLi@b*gtVZX}`~oG6PaPj|btrBX{a- z`#yFkOV?`0jM!EF3qzMZGK+wj0I2t$6!QrT#F(H%o%d@{Hw*N-*XCb(3fjwEoS$!a zl5XX0k}LJ{9Hy#xlV0xjG=Qe}d%wC?61py$=l^KkDVJhk;fAz2+Dcbp4C1d$Q=*v- z)WtDC*<3%3vYH*GtEy62(q9VM1UMRUWz5Lp?uooQd{TOCthDLBnxY7FB@iDyoIbn+ zP$Rgf0}%D~UWOTcT;1b!N5|si9yGiytn&e`tkhLLBJVlwtR~f8ENfRu?{f5vMzO2v zNmGN?MUgr9f7jPg&w^N7I?HSEr&8>hrrmtfVgN$)EKduqHhW2PDWg2Hv;9+)%Rv5a zO4fsY&~HIARJsQ=+hJ5e&rs0Iz=BRhG2*az13)!^r2;Ms54>MdOtaj1fug$gEGzMq z-kO^Q0OK8+`n7F&zILoOMtA$4+UfQ&=g1TNVMFkyTCzcX`=DoAwT(1~d9QYP>w_Gx zeRE>~^7Jh43J*Z1Wi7=jO3Lx7-n4#)l=fiE$%x>-ItJEj^8x51GBaAV-E!J7BIvJV z=nr*Fs6>9Z6U9OU-za)Uc-+fibtb2dkbxO1!HL@|Q>{kxI6;}d#a;Aq>OZ3H$j9}- zp9>b(75s_bdTYaZhdA3A$9Ox#AV;Fi&ZFJbT=jKzI)-jsD^eh~~q_1mfO+_@}V4W@8e1)(qcU zb9c8FHOATHp%2Z2%u8HeAFRu_MSj3a|pa z_ZJ?~qBupmn$tiG!SFvh-Q4L1*YfolU--5@mYyvY&hGy$a1>0ipA*|lh^h+R+7bG* z`RsGn%Ddz8;~#4&4lCNj-X<&@3ueOzRR;57tgutjVzsZh2}9 z=Q3p|)f^YrqBj284K&F)3)oOIDA&~9(qAPG9?dAxxGJANKAfps9j6AKQr&1{*qEo! 
zpFw=c7SB4~jF=HV_?Q)4LSPr0gv2njNfCp4a$*>@eV*@njZQqtv;Ot?A@`Jz5!13G zfKld0jqV~DWK*G)7zukp*Af2@=C6ds-Psv3E{cgG&OBM5b zI;eBu#TIRyTEl()7V#W4}Ve&>E~ zGJUTy*Xt~f4-Ig(E}fj#FqD}V`NZOn{1$E3(`rQu{_>n$(vR;M2wu2e`_Nv9?Dtsu z4pIAWT`UesNZ(!Tr@(mR1B*Ds!wwC3yuNSK)yW#js6ub1PX>VyZ^Rm z-i4LGil;|MY8~oy7rgHsp3QL_-JA`N0bBCI^X!z9yHz*7ysu`|B+=t8*oNU=F4rdw ztY1vdGZR9Vsc)Y)es`aq9ypaJ!RRh0)YROyN4Vmk?l|D`-*@n1lAD?)xoFz&VM0kx z>^JxVGdt@y(E=xtowe1!szXBf1;<6%BvMCcu9aNWz!UvDhLw&51%r~z*YN+LuhqGy z*HH`xU$Fb{-a^qA@9tcjKB;SfZ2&b^)t{H8;{iPbPC&Jq!SPs%yJn@;yx25ZSamb?L3H{!c{c} z0bb})O$=T?5$e&=qG@fxya)WF25#V@(jHslErR`R2g5i*5$RsnD_c%mEw5gib=F1m zPWBbqIOJTUiQ*Tth$-eTa7jFFjpRgLcamP7PId0raYYT@F6q^I6BQ?j>|&TRxJ2R4 zI_ncfoObr@Vxji{Ow%>yJLEXyL)c+pW&%U2fVNdd{=Jr@SRNTl3P|vcJ9}~{e3z** zS}$I4dI7h2**QGG^xJ>lU<(ORMZOGRDvr5h<98o0>;#!vu`v|)3>$y4t(W=Dl&Z6h z#8LWjime*MiG9<&OEE(tmNKLeD`DT(D4TvxA(pIHj`fu?>-|Iwp>X_ufTvH&0eEeK z>eHNepTrRe0Sv|trhJ4>(?*_@R6!A$2oz#4=rn7D75O2i$#j{iiYu}eAu((1cU>$< zLC|%4ICV9L)pZYXA@=+5S7M)?-l<04L(05(d9Mkxx5zM{P_6xzw$)Sa{S$HWgL0l8 zIVGj5_j;-*T@;O<)pAeu0f-UQeD$-;-w_^lqU!1QXa>Y+Y*c8fd#@85bt4X`BU;## zv-t*Wa{T#`!ci_eOJytF^UC`5<<{xM!!-oM8kGiD3(WhwLmsqucel*f5%b0n(R4zd zKNZs-u%UTcoS9U6jqEq;4DYrO?}PT?AqWEwJO7D%rG!LHH+gYjFDP1jcRI?K62SSm z>^3t`IK}Z-M3B3nq#F5lvI8M9+~>FedBeCdTf4cMS-XQ-OA7%yirBK+umWYfs{=d7 z-^;5FSG(6r}3&JjLEsg&{LHx94F{Ge1x(~f=q7#+XC$I^iNv8fbFUPN zJIRzm_czHd_42y$$P#>0DCYa(TdsZ0GoQUjUgr_W3r(A`A;GqSM4OGe)ky07cWyC! 
zN-;395@JB;_JBQZ^)LO%Ag)*qN;s?;cj%x;$WMYcoTSH+V0-PY1|92{=Qtz!VTq(# z^wMYFVb|zv@A5LISrXM~jDACun(cLbxtqJFoEbY}F);4ve7!w4-Z~*X&_%U2Zk^Me zhdz0+3!uP3Yc^)HS4+0sS8PtTkEne+tFrt#FlFzBi5w>v%6dGBeM46jw^nGNG0_&< z?6=bMzXzRWO&v*6)YEQaRy>i)paStQWUw#8 z*oC_4Gxq!j8F39nYkbcbivQ<=uRugrJev^7kb*QdrF#6#io4NWE(m-~9i@d2Dm`$tl5X-0*tF$I zT!1A6okKEL!=La47sVGjCWbNxCzn{6##`PdSjEUJsf>Jk9KmP%MMC8H0s$Bb=k=UZ)PH7;~;1=ZuRTN zka+W))C@VjzGMiv;d&udjr!@jRwt0<-#$&EF(=!xWJl>pAi>hgNh}{~!)k>kgHikN z)3w0O3hE;lPx(Ps3)j=b`NbyAI04jJT@rw%qhV0-sfFzINJjk5!s6+d>RGH&(AdlP zvK2Gc2l&9NqYCV-kPsgReSMyp===0IN~MH(3@NNA$I@@CDXu5nwXEWP&|_F|cs&f- zgbosZ-SvQn9Vk(X^%&37n+KkST$ZsZ?ROXweSgQ*EMW4a1>9q?>Uyf3e@seZa@(FQ z&N^al^Yc)8&RKcRU62PDZ!ZA1xXORYn61wJs_7wjivcu2K{0)q+6Yl zot~XtvMs@SPhX!%k348c?JcdZ<$nP@M4j8y@>l19WZ=@PdyJLySq#_1v4BRXiL_9$ zzByr$Kn-uLE(UzDd95PX{uBf0G~<@UNh2tRW}9XU|0QB}KVRbRgKYhfT``u~C~PxnfRb2D9)YEjb#ktHNICesugV(= zK?Y~cz+sQMc%3SwN2k;eUq$`7|11--`vBSdnF9C}%sf($I&(OzgnY#*XKzj_!e@X4YxuF#93IQvHN8R#fHwm z1;@Pac6#$UEUWTL9>0et)&lTxkywnsvmf(O_q~w%W$Iv~5Ma9Rm1_syUIg}ka@TdI zsH>i85xB+MiVCG=QxNDW&M^(|ue{lEo7l5y+7RU@k;*9~WZqS3x56BkGOC<5!!+xM zx&)0%UKd#zb37H$4WN4k%MYcSGbP#623`-`w<`GE7-gRF)L{L zJ8t>~z7L zIY|Ze0L~YhJCv?>{jX&g%}hYNiQL~{9%)JrcUW|?BpT!kZ-av%o;Hu)IPbcB7Vw`fmo!E&N>ba^Sd1jTr@fU>bvnN-2LGMy$spo1i?y1^dcZEww;m`pQ zJmLgN?r!H*AY0bb_81rN+^?@aQ8X_eZ6+$#p zOAd3Zw**X*1U6fu4SS3jMwqDZ`cJwTnF;Y%`$(+TMjijLR^#W9?#0`(wlCCeQFF3$ z_2juY+Uv1oDc$Nb5aNYa05r-7u!MLCd>ue=GXWpMdue{e3qbVJKI(Ses@y6oS_>kZ zy1y~zB=>cA^jyJQo(^T5!&1I!M6m3TLT+l%iU;MhnD0g@YH&lM(@_SQMhFXuz16F< zE|Esl3_ro?6yuF8L9t7-n(4-}%wH$o4%D?*UIL@c+Pev@N?(kanz^pMo@f{Ue$hzX z+#k(tNWlk_Egpx0k3hr;1h=&5`Gj9yF{qPnKqWyj$=RMEy(Q>`J7Ycxu=L-SvVqp0 zEcM_+N2GJZQnp53mHg`^;b+Klo-Q9qyf5FOeKmtm_>9%8QD4 zC<)D-k(8AhM*+@yR~o!Sy)4&L%*c31`wd3fN?7iZJ?bbMLAEjITlVJQY`g%i0>>x5 zE`5gheG!f2?f?OridpCb|7LzQ%r>o)0BmPNyVsQ{ByT38ih0cswRdJRL-?~amgbl% zD`(JSR%gc!e{;EYEG6uR^IOkYo7sLO8f;YIC4AE9_c56pBjrf6dk7kzA$C2?n~_+V zpBy^|Pq%010 
zL|3pcqxc1Hh0V+hk=hMZ6bJaST`6%+0zs^tdRJ9AD}0y|nr&9_?no3Bn$*G5sBW{W^2YzZa{0+7ii#r~>NXn$x~tTOt5M zfQ}HJMR(PBtl$m?HPNm{>Qla+W7*r%Ad_Q1i)U>wt))2-rHKsXX<@zxj3Q49O%ie6 zWn~)gBJ$z(7kel0biM0z0xL0u$O{HJf%S<2UCc56O}W`6m+P7(cajnvarf7lP38 z^jX$G{ma#ar3w_rE?${af_<53LCRLSH%eJoW{i4Zf;a}T#=O2 z#g<4o5!>Dd20?5$ohJwk&b9LS$s)f!6k(@FNv3RRBS9{0h0q`0Pw-aeQM?FqklP?T ze3qvFvoU(>dqeHGT7LV5xu1)6KgtdEevgARfz2D=Z!qUUM&|qL6NeBsATZh^)=8u1 z1Lh?|0hjXeD5Y*zT-LX^+_+~-s9CNh|EsN{5}=~i;tCP)FHJyyB->8rSPi1+ zdHVue+G%nXW8$Tk-3P5kxYqzFB<3+HDfE}=+~}!C`SXV1tYoh^|CHAzA;aEPz$-}% zN?(gu0Tq>$O)}}h@tH-07t0Cyas!{X%lb3@=SWd->W4@Tzdagoxz+FTtfZa|-aUaL@1f;w+KBk19O1-iqc77i_+MaNz-Y4f!OIN3mJeV)< z6{C*R-C$owvZ?mM#M;U1SDO320&h>^hWDgm#=K>?2-&OPTaGy4Rv2S#87{m@mALrh z2faC>`5(^Y&%CE{U7z>L%Kldk+x9htZu}x?(Em36l9BkroHpoww5{o9yXE#9G`(D=4Od zFJ}BBcW(uRt8zbGat8+E5H!*pWq&+pkX(>%l@9y!l_ZhtctE?>W(@03HVI<8@|wF7 zpI68y|BP_PcCQ(Az_V&71I&@}4v-aRCPJYV?J(D?LIu4Z3wo2~$}imj8hOFMwy7ws zID|Hu$4wCVge0Pdl5xKYY|k^oPvt~1tfJ!xLY%}++4L#OXMZ{#ISH`C#}QhMkJ+pz zk&Kh?AC}+@3^}KAFSt2@evKT*kSXe}cQ^C=y|TJHAG?j49IPM07(}|X{>qkwy zvJALpQnJEn-gP|+(pemQrfLPF_8AdWU3%8k;EV$L*rGw$1?V`f?=|%pB;_mNPUx_Z zrA5e)nta~Ai2YxMKf<#7t7RMY z`|OB}^v96O1a>VFwvuSx(}}1J&DTY~lih{2N!{1q4H|b7*;qm3rt;&=J#5al-~m%*nPWg zam$ttr=WPqJ*>pOhm~zH3f8~E$KbC_Ul=?Y&-h-Z*63dI`cHVOh2#sm?2n@l8Ju+ZyA zvS7u@;vJBpv(^vs^|$@2cbK)bIR$|M80F0ONr;>PMIh(9f&gZ{Rrx(0)345kehwS~ z<EIamz<9i~g%`yY2Q$>dc?MyHoDAt8s2VyHlim8BcV*K5h@wI8K0N^= z3#l*enZd|jEpp>@+jo~A*HF&S;Pkvt(}O+Lbd)(*aHbHazS*QnBq3EXH9<%;IT9Bg z0!T<}f=g){6fuC2<+ju!20T4$QgHE0@yg=G=#VC%G~Z9eWxtBOYd^@w>Sqg*D-6ApZre$u-rRXrbeD|ZXiHrL2#OTj zF>c6vZFo1i(?6zGDH3z5?^NHz4DCp_Hc{ev75;!T3;^MW%%m$=o)So{C2R-wY#_}t zhBH2;EDhDVh6$u|heYkS{|cxE@Nc`+P=7iB!tay*xH1CShI*EFVeU+QPGjjNLw-@* z#L)v{zQmg|L0Gru&v%8QM1?ozrh!u(X-x#2i(GuI|OMa&*3B?b{QzThb*1f5ZBHimrfp*A*pFzs@rv)9T; z=)*eyY6(+MbygT*55v@mJ67EMgFYc;>Vc#U2ox50*S9ixRD-vh!c66-dQA#4%Ht8zuQBRvc2z=nP%ISc1d=eW@2x%*}v|h|8fVe9j9ZWq2 zw9&};VSJu4;nlC)48X^NOGp6^sa->-cc>roL)MdjmxIYOCcida$shTe`}AzDL;%&; 
zV}aw>o^bGijAZK3vYGz_H_N2s-`$QGCi<2STHWGtLB-*d$C)R^3Rc!`>7^_3rj86Y zoS>1K_bSxrz{H4#wXUpoKJ8dx^mV#V--S^RWlrTZ+>krq89(BBG#5L(JoMxHA;NWe zT@_$74`g|Tu*sh>9C#as$QE)~wDYqMv5z>O`x-yPZ>+23KQiiWTkv$xM=i;b-*zxYzDC7%2-A`9yTX?z zPDa~mfwg(aqHftm4rCzwSfK(f<^F{9W%a$^Gz}9^jepgC)n?VX>&VTAy7iwEt2_N6 z_{9FE^ZOvQ$AS;#p3qtSjGlL}Q6*qQbqaBgnw+R+-A8R#c97<9Z1cD?^MEZj{`I>} zAtvySBRv@X?br-UAl%><9hzMU>Ys*+lWDD8BNB4={{8h<|h~`7W&#I*shBvZNn^v?DuMs+$hfVg0kn>6TAM)j=Bz6LRN6tr0NNAC6I9R zwaK|wv}MX#O@^D;p|#C_OxkC7!fs88l?zB0%&6>MLi?`r{cX;HaAOwh1xMQq!?am* z7^6?NddQno>>)Q|hzOQZZ=tX%YaxClS5?B8EWeQW@Xe6l?H9*8<%lm%*Mh5HMaIj~ z*}t@5>+Q3PnRmyDoR)Xh^YM_Lw5IWBRzux~J?F;Je5$*`WMJmjKLxXLRdb-8 zPz>uEQw!>ZB&@=y6i4+CA0B;gio~dEA$QX{j}EupgCV~)uETUofuqr!sFWaq&v~M^ z%|m{p#%g;lxVRad3VmdYYeR^Z51j+Vh?Z`s3l|7Zqpj=`sq5w8+aC$QRFG7IEL`i{ zu;bl@_TOla0pc9-cStj!;gH4Yo=RuhoI0+ zJxMszJvHF}6|fcbo6M2}{hSoF|= zUg!0{FcAp~rXOJhfx z@sE&CMcEPNcQYJZV;;pBlpYf~jzaqaB-PR`Zfp^C*CW3?*hbcf%tDE!)(-AgUn_QA zy%l&UX_mr)OAopzh19)Sv`~UqkD=BJ1Mun#i|&2p3p&m>FOH2%HifT@ zwD&wQ|4Wlk=U;jbm1KXPYv!j0v*s0d+kbIHWifBAUm@*O z>)`rbrORh0hb+TfoPlcaGStOYAOwysaY&?|=ldAZ+5HsBoyhW#t9;tFo83wCuTo=- zL=)N!=sd*od%z#Ys_Aa2Y`RBDsZJjgQ?pCwH?q5#zZlhvDE5s8RG1F!a;Ys*ct}ji zFeaBRn6*8;__lT%v{h?@;(20dy79L?zpMp#>;^sHp2sWJISYOXs2x2t6xUU1Fq4{n z>+~LgdeZ_V7~bK}<73y5`;(*YXqy|juc;Z3c;+wE{YlYwg5Q7cxn>{#bOCbEvvOL( z`~C?q0}O_iLK|UARpKd&LaU3z@W3i@R4Z~H`n~5YGrZIo@wEc~X^9SeAW%hO1Obx% zpe0kE+J3+N0_`g_rO6JF(%oa&dk!usorXts}PMR7K=EUN!u)=^Nq!^i56Gz5P(p7Hggdk&(LB3Q%FEYNb>#E3l zW7d)u5mNj}2_DUR79-;yvp-!kg*Dqe*@u#-dtB*rVJ5p1Daab5@*AV?D`|Gx8V-GN z#<5O|Nvu=e^oC_+rth>X+elZTxtMa0!N0oa0;`$HaJ1e7NuS4`?I9Q%6J0Ujisc>m zDr_~^)#Jb2J-V{h!lz_73_v}&4#fx3#yJR159r61&J0qiuC|dh_`%7}i#;|? 
zlqU^jt7)n-4HcqmOe_=J9vH}*&XCPcQW={!OPMJQNF&@*duKWbG=Vn3HtLlFfhIgX z29n=?7#B;_m_%-Fjdo@JTFL}*)PS@XpQ16#K1!fB@KhEmfeD<%7|fZ1ZGkdEG1rHL zduoAdx*T6*SqE}2f_7&byb10{ z0K_BH=mC2qblzvP;*>GJaO)~pm1by^qgImd<8y7PdP2eaNJXv@lCrky=mA@PqTW-H z(X|HIw&}f+kbKRbL~MWzc`mVa!8b@zSH}4m8yJI|{fSf8k~LL5(Z&b!b5SAQz{G*R zhlxS`eF%^^ilRPe2nj2}nrO)j(2tR?^q`AAF8NbBfnuVZzbUc!1A( z3QqA$1L_-G%Va;Ti;1RvKCUJ>PWKGWc`|X9OO${8^=#4-V@xu3goDI)VUF*tcOZF@ zBca6Q*`QbU+}TzCyoDm_n9L%&sy&DF!|p4xNaJXw07;z^Vi)iwx~=55TRwt_FHB~f zv#NKW8+$qvK026ubf*L@*y9hv-F8SXrvM71eE$KFSB993@McYC||ZuC^e5v`AE%XEE7HJeppoVo+b6*}xfe zT)a5t|4v|7&IDtNCsoo(ixp$M8CfW zr!&U<{cl5$G5U@-&$_x-95l^i786S={gxBHUJ?>*CFWn`MJ}C}xxSQV9&_|wNDgU% zZR6VK;1;M)tVe(wrLrD9WIRby7B$Pyk4D2hoZ5r_?LQAi=a>u2iw>az55oNw7C?a}0o@bN4vYSW>+EvO4Ea31ab3x@u(MRL z$wv4kA^gVDx*-?`QzCGTqdQuld(J$y%0;}fnJ;EwoMB#a$H8X(_0_qdGz8@f`}ykj zSK`!xnFm>|`)8oCt{|9>`t)mEtqH!cr{t>a$1`h5nce@20IB?M`Ruk2ty*ThgTRT< zEZ^xhEX!YEGO8M1(Bn2A;iylywrVbD_00VTX1Tzldq5{H5m?fhpzbKZxOWekUb$mR?fkl+s3({B8mmjYcU^6U zcVeMY8x@x&2_q`}2g5mO^!kM_N4>Of^_I~Urg8zV(wl~&xqk1z zz23q^$PSYOZ|Kv~JI9wjwM0(}>>+!!${h5cX;v)Uxa1!Ht3&46)$gWI_Tu&00!>y( z*&5g#uQI~DFh1aFY6E4UStjPS^59{jS}g%!C8 zxlH1ES?>0Sit=jA)b2)`4XsGAR?O$~*FACfP8Az^6p#rPD@-VA=!u$*D6 zv{anvm8oaRtnRoEfbL&Y((V&Fl$S!nWWLZ&b7*JiXWl5f^xk=UiPVLkw*>{paKWif zr)3~5D_j>rBf#thkcd)HDQvd9V9=$-ecXb6lPgk`ND+GqgH=>vG-rqN74Jjs*aN_e z!s37{Hzm6(tWV|6E-qgA_D_)>pSXOiUK$C?Vp!Bz6Yp!CoqtV99`HLf>cK=l0AAQ> zk%~o$J%75%Jyg@*IeqfwEUtALYQzX@oAZ+y7+NIHy+jr0 zbCNg``5&e?hVY}XxZ+~(L>$b60`vW;vVzCngN^`>+t7==FcoD9m8qUPzt%bXH@z|Z z8I5{Bu@8hFHvLRSmK>)n_mdw;>S?|?roZo2gh|};XicumN91hy3KcDO1%BZBtgXe} zfd{JV9SUjB5hH#NC9uiKYp`cGZKYl|3iLWFNk_KiLU_qFhrHztGerNVI~k&6B4O|0 z_>VsP5uVG3Bz}nW0p)`UU6K?PsnRK5MAlUJ9U-&0{Hv>vJ$1o-1051f3_DZuIX|;^ z+pT9fYs_)tQ!S8w+^_jYr^>o!n%+Dj&4Ewh3vceBb@z}P6GmK=Dz}5^o8G!+cP{Q? 
z1?zRgTVqzIg~i+XOU<-xo_^!E*%?l|PDPikLpMJ#*;pXRQ6 zrG+~W8`q%*@BC#}NIlgT!MTksVJ zkO?ij&K}-VWlNs#2=ZG1O*`@|Trvz7!3sqUBc!ZLUhAmQSxO?wUwk}%=b&q0yyHUFG(5h``RPHdah8toOIF6DguJ2 z9lJYIIZjVAsFZY{zH^U^TID_+LfieH@D2iXBT;=zBnYK_6W%eK*OHJgn(^5qOa3je zmfKQOY8*4E&u6E4OZp13=f1GN#F1EQd#a2)gFopbKBaR%+K9!trGB&`pbe+*aDZqebp9^JNQa?l+czB4JD zh=r@F_j51%Sw5vdmdnDXk5K|{n8SFRouykz*0(A@urpZ?$%bbtYBSH^!Fj8izQ`>; zm>epbRm5!$R!HFg6ztO9eJ~A1(G^D^P0U#AApo2 zbpbQ9Dv-vkywYN7zuX>ZZM}*vRuJk>bCPa$6su?$BLYAmiR1%$Xa+%`YjO~V8GE!o z?IE=&5K3t0iTpYkJpzHlZyH(=kx1H!5buRqCBTVfDu5+u25-oCNiO{y;S%Sv)LFt) zOn32xhsQ*cxuutQyeu6>wahgPqhqN9%|5%mE7sF6=WoO3fu6!ybFX%ow^b&oz{myj2|GmQr(pq58b3rrgWidu+%A#)Eal+?R?pW9M{=IF_Fa z2*m)}`Et>6gK3435%A<=oum_!gwENgqJ^$B*bpS5<;c| zEh2!Hc@y1aJA+Av;w90iB6EeuM~MNId$Z_bw_inx>A7ZQ9IY<8ECl_Th0Ho%e)?zr zePCc>OfW48GD51HlAp0!zjt0c)MO@@!zHDUgjNuC`YmpHh z39`1t-%idzPtq;)S|a4qJ->QNIFoZ%hMBVZf&FabVq)?(whiO!;!sJ;aBmzMqIsci zIiwjIv)KhXBtU6t%yu$zfK@PUDH1}Z3<^dgX`B2oFr0Rq6L3eXhNSJ4JU!yOZ)y|T}UqxXdunM_U4DRTZtCMffWQ(|(e zRa}NsVt{NvprLmhX%VqTup!!y2$~@(k3HJ~j}rydqnGu@4JEz`+7GiJ>dN)`HSL_9 zNag)E)_cgN6#{72l=kh6{oB&(Itl34j3za#hD@(FbQbq^=RVy0l^T)0smu>&9^Ogp zV8o9BCkvwx;r23N0k@owvNUTxZT?3*6f0`Xe(y8pm$T5t0IJ0-KZ`{d>c#8v z7WEH{z@+8f%We-v-&LRUkvUU-c^FFrXAu5J4=viz;SzJ5=wj?1d@(KgUdtVvW5`!Y z5K@Dkg}64qKj*4+Mqq4DQF9EbFZ)VQ9*ASZ{L0;bEFZhLbDIXjv>UA@cJbj3<~qbU z6f$h`lo^ryh3GRTkF#}faaQTNe0W6Ol7R^TtQ4N3x~hlc)6-0Lke0kPRRCkdtF_}y zQ3CV>I!=m-I>OZ}HOElKx5u@YF`)byBI(KQloeG>ccv8Q{5i~uScK_chxt1zAB|u9 z-@AW{$N4ILrc+4PFNOF8^hBE!xbJ3O7=Q`G z)aa0eEnoR@v@I+SL{A_{UIj=})!gR)+9kfq}HtG}q(|c}%!#${n>=79d@Ws=E@#{3= z>hbvgOWJp)-|Xu)hi*JZnzjWEF!_()**`Ow@3u!D`yRG|5mywlu+O-T5?26Rh&0BA zo6b%7(4mqZ!yBvG}Zh3g^LUa&YC%1VBg7aUT9I7p?OSO{UE+82%1%N21;s1ytL-Ow8*CbXUw#ajMpXBWaI2Vgx2MVLc58qJ4iu{N8^r5a7FP`XRo-9zs$wA)B#wbNKmk>**_F4Q?)Y^^&c^i zZlLvQUGIxj48^B;1<@gkAEc}1V4>a3$*|r6?Sl!~yk_qBN;C^;BQ?p~YESN@FA*xg zI*uDYIdKek%w{;3wM2>FEHV-m!~7mH-@Y`ZWuN*U*pu*d+$m^#*UdS@X?Zf}ZvS|1 z<`uJ?HH{r=FgT4{krolT{2kPIUR<+?+e7LiuEv%v$#m3!@7KzT5$@EI1M{6(%i&~x 
zQnNpC=$5#r0|&B+(}lK{$`lVX&+(41XRfWOreuwYNix5kZK7X}N1g2Qk{Jptpk_+g zwuNo9yD!l%1OkORrkKIjZ~WtGn6i>SJ_SGa#|8&PblZwxwTE)UP-WJCfSO}r(b?S> zqTGm9WA!F|%UFHg;u20qC=w5kAwRtwmILi>f#)2#{UIF0hc%d>e&bM^fDkxVhp?{d z*cc#R++$$({lX+4b*o&^cW%eBS6VV9s@r6bTxBw}T+R9*s%sH`pX@Yl%gh4y#x(u= zm()U=niBtPyGgfb%ej==nCkBed=eYTH&j-bv5wcb4!-83V*&eD1f#bL#DYq*y{$7k z_GV--l7~H5jg7KTttPNorJ$o*7%>T49J9H^rl(?R+Ebgj5;-)I4tC*xxKId)!?ZtV zwFPAz1R-EdIZh`C7=Kw`IK>835yxydqxU${`Jd=~Y%dv3HniTW9)x2+8E!OCPLvaC zq#v4|NNp_Q5>gIbf{bHtIt{VP5 zEv%?cg=0rdaz)eOH?J5N2P z)p{ju{Cw|jsekyy;DCm-m>8M(ES4>EAti3?%!#$#dL;!IbNO+nXRmf<1nFuM0RG&= z;|2uh>+#;);QW5m6`!toYm)fp6JNE!hgKF%H=mX`k*~=AK+K7q#s8p2s&IuAW-3_T z8p$PlQ$O?`Zxo5|UmxZbFK|As#wgMXz>$FK7Q+WP5?}~hnzLXCa7{-_mpJ_PY&bLP zS~qq4r*R--arHg+iUKEcsSN{b$2+vdFZLb$H|F7q zB8M%hE?$~g5!b3m_{XmbQ_w2I&UEVOzCka&^$F;)@W#HZ)tv7?<#9@LfgpF7w@$96 zms7@ad$;w=GY({Kx0}{v6!DZb!*R7AfDaq!+7$G^u!J9F6+5ye(z~%F-o&0ql`Qba zSZAj3+p$=WRG2_Yr*QdOW)xm{Cgz~c^r%%FD>SI0&zZIvgimfmvuTDuY-gYBP&poZ zc)a|+bGjvn=*wA3YKtN6!r9fJ%@A(eFKQcJ@FfO#0f4C(w22dkgsO1-@W~cOg4Vn7 zl&5xhSopf}-#E3q6=e}Rwk?Pc6EJnejQ(9i^O1HmP*xHpF{5RM)l|=0boh!EQ2Klj zLB_Uo@6Ug;vAV>AC5u}FnT`!d`1r-=}WW;0eW4+d< zGP?GlwJlIFp>ksr>NRxV-UQJewI2;Jl#cjQ|KQU!vOIRxXc-~YhEOGa91hfeX|V`G zf0Cu-WQ0b}mZ0`IdlTv(Lrr7%KWAt;A6ZgW7d@9Ffeszp#;2 zE)K2TQb9}lT^=kVC1xQJ>y1HTK5Tu(NL4J5Okmk5<17wv-&8$YzS+0sd-}3`TvAhmT=4*>+CD&| zr;8}*n+~nB-6U^%6&gTv!8eYq9VuuGS{mNP^$tZPaGh;>bd3pGfRT-_P_(Z%JUHdt zeIQ`WkZd72AX<}hxf9|PNql1ioWzNnyjUwfZxvG@x{KwkilqqC9_(68XXTp)6W!Gh zpoA9Ry?CoX`RG9aMa!pWr0h_fCpUh8cY}Wt6r&XaeFxXCU4*tb4jx`H z?Or}4jA7wx(v6Kceul@(sD6#aFjwu320gGLsWeI}! 
zGvjIYjo4Lc6rlQ&ICqkP<*1W@YeWcUI=cOT zg=>4W+It`Dg;8^;0SOXowAa)2E2aKk8^?#tth*?#^l_78U)Y6UVJXEtU2ia-Ty>qaXCm}4))uCj{j2yW*|zrl6J z*MZY=YYzr>z4FD0bDF($6f>s2F^K-m-B$G+B*SgWJJ9of>dq<3^RUs^1w^^8N3K|# zGc31a3LDHsE`f|fbR2FecU{_ioH{`#|NZC+3(#q~_H^<|`o!MC>{DE0VwnNua$}KK zAMFywACkMOV5E0BPi{4sk=j;1xwzgJKj-lz$(LM|g1SC%Vzh_4R;$apkD9H&R@DgG zKA?#`=6;&3$&8S8_i19!6I)r{f829wR>s*42O&3~Fu19THhy`3&I%Jqsr9Oev=F3IfCd5|fH znU)f|6>B{y7qh0Z1oBDCMrgj-$+S$#_Od88 zNtN_b#OV@p{qico)%C70KHuLJTm#eV`<~7zY2P1&SCO02$iXykK$kCSSD~kkrJLUw zkr-RUz|e()b^3$aMskpPK4Vr5{&qp`enZ(vF@j{gD1u2UktP@#`AhoRQidkbqSLu_ z5`tJ4gkgSZA(C{;@B7*;0aA{oCJvDiLwVcR5e1+ZTN7bRA$geLKz3)EQUTLuH+g!@ zId6^{P-7A=y!?1(-Xc{^#pBU^@+aL4R?mNOVHEzaae`&wCo}Mu@kak_VnXVhK;JRl z%C}X5Up5+h;Dpt0kCBTmdFbEse|q)SK>z<2m(`P(iPhL6wvcz?A-(81Mbpp z^|KYS-{VYzWA3!B>$10e$AIKFj8ly>{+mKw;colMj6&soqCpz^IxUSsuWanCt_QKf zi(XUxdEfJkVthN7uWGRKe@UPh7^f^dI+|D=4RC-hTQPna)AKL1;o?)RW$EC?X?QSs z7{ ziDPJQ7QB3cRu>S|sX+*hDwRPWo-nk4_ouuRNr*GXsv5ljPBM_D{AhI^f&S$mfoL!o z0S%R|Po!&h?+#mdHJ@pWnDS0Urq~h(f!N=<){bZOmx04-j_+-aO1l0ew3C>op-ogT zAR)XGTmzTa8Em>~dS~-xm*#2m#5INGL?M0>wBm^tE>(n|gPb!Q*5AP`Ljz5ldEmhx-1)k^c{j zVi>Em__2QDzc*=yRxtE@V1+?3X47Z*JNn78Fwba3uBGfgtR1zved-$S8%1V&I8u5> zVtbe3h9z1;`##=!sQ#FNX(o&65%#BTt@i*bdms>44Ar(4{b<)K+vZs2h4(9h^(KAx z@QjCp@pok7*@w;EuYO6zO>;a^_*r6LHtWjcE;)%JlTmZB-?lnkifH^elt>TY1r zR^Cr$9~1Ocq8@E!h_>~uL)>olE6eW{GWacz*|o=(QJ;H*dZ*vVi!Hy|!@V!|dD9oH zHWKJA&?hjp+yYF7x#gUjF6UmNG2;C)Ge(MmU?8;#LU{M&z?5H++7IjP(Gxv0?a06p$H1j9|4-eSSw7h7h#y<`fTVP21}^lzOJ93<5aGU7yijFQ za%_WHNi@mU=6DUVCGb#-#J%@31{59b4WR%Q7yw3f0mS_pTRKt2@N=IhBRaV6Mf-y9 z{eG*dL4wc5sHo>JIT%|{(;PNUs8)KigiTc1fnGhhncAXXmdp$P+jy^@r2kNQD4we? 
zjXFY*?;c*9SOB0tZ>PA6R%AFbATM0n*b$%D^Ox5AoU6Hz zFZ217^SIYymTOo|7^mE#hK^42$CCY?E@6hxA`39O9C8%-hs>Buf9YC_wiQXwABk^X z901d}&uW{b2wJW(N#t#fO-WiV`!i-586ec+(8uou91G?jj`c#i(f}n9zhQhhW}>zJW^Nj*+p;SyOIwltbtBtF`5BR2PFyxVS$y|RqRaDWv!;Y!9vM)6Jyv_n zb`&@sRTxXi0qR*3 z=^eA}@F@{zpKx(rWP+b}bYv2ls3bN`Nhtt%WO7=c7rW8E-yL6+qc}m^0Rr$H7{Hm1I2-+RxY& zeb%Md_z8pB%O6XaInh-N3qob7Y$?KFeLB(VY6ERTwKPozoj9=r^0Uu-g0pqH0N%J( z`EULv^bQPk0}>GiphwIKo(Ldb%vjP+CiJ4n4j!JrpHdcRo~Aryq4>GRqhF3v+?>>@ zIk`64wtHIoH9T*nT5S)XeVh>P>M~!pCj}enUQGy(5b9O*m?u)vhO8gy3;ia!C;4cFJR>U(z2)nv*rR~>E zRD`=xDMHRqSMKi_iiev`s~mNzu=MPDvZpRnNNIcQgS&PBUx4>p0pK&2U(nDhBse2T z@S)aw6`|M~^z>EoLmxB}gIVnaqZib{(9zy|q2@q<=cx3x0KHK5*m_!nEfdUuZF z<2+ACbqvVE{%+qqna-CbPfj#A*0rM9GjQ&H5wg+B7Y1#gWyZ8i2srhhtfiav#2#&T z(*oKO0eKP*@Se-)F^5mkvT+1kapUL-`h9%m&#`{q43e?-c;wjT%NU;ZfHa8%y#N2Y z^UP3T%^HyWU%T@Fe~EuUWd1!iBi-_|pJG_oXi{df_{z)u!FLiKwNaoa4*Yq|>x!`X zs6&3vtAvb|mvhHFPOPiyiU=gyQ63vJ+`gF{SXWaSyT^S%zfX>?yR22dB)-HH0Bsh2+KV(FpQouhC)*O`% zN0DqwyS_P+_nI0qTHw8xOI?m}H#$)0qB{}wK+nfLGq!xR=S`{XkF#vtU5)sh|${khOx{peR z(DObMx*d%WP*adb)B7maiO=f$?z7i8Y1QQYnE-SXGW-02SEgY@#6vW2 z94fFQv$OX=?uzJkzPZRqQ+(XSN(WT7Z8cnU?Go{rQ|weGDA)mY1h`g%I4Na}K&-uG zllJgPrbS2Y%LLj>Z9v@ zT()cKi1MJytjJ_CY{X@wNp*NcCk`?4$7?agR}^IS9Imr%B42twC@dX$6%gq#BIt#t+&! zMg;J4G*H`1FfnPcA3={fuc$M^ECrZ#gn2ARRP67V=v?RKG=S3{`3oT~aC07|k1+nd zHwgSGz`eOOS~D&mKbv^e6;sDd>_te_2GR5^vtJWn*9r^Ou}4g*h}T~6Dl6pu*l}(r z?IK3Yt^5ah%MO?;Uft&?vPuANe2@9nrsgqs6`oJ=bISi_p5r!u`6YPD6k`g^jq7(m zeQe5u&;c5E>;7QpY;&DZAR|5wS9jqCPaIn)Jfw3Z_Ght~WD$x3(UQ3WCpI)8uM#ccX7jEbRb+iB_? z;!Fj1q4Ji^m`zPk4Wl$v|8Q{PxxsqGfLOocOr&StZ30&Ae(C?}GC?sfnSF(NqZBX! zKvZzRDmXw!MShk@@gDsm)PzvLKb7}}V&!?sODF?3SgQd43|jkc)uCBF)VB6{#RC?; zT6GfCb~$ZZE%8u)Io7Z-`IYO;Gs+5w2CU-sW! 
zS-a8;N<4jB!yx*`BX~o6PZKaF4*RR8DF{BN|LGdhz-otNCuHd;RdLahy%;drWuIuJ zwdMv_9zs|3srx>xB|ohqtw)1rxz?;g1uu_wjBMuMX|#dE7ObR9t>D}!JHLqLLZZ!> zX-h#A70@?}E&u#DIG#*6hb!N~O6^MwF4o%mtD?6yfTJK7mm+PUcu0NzkX|GG67_fS z)vqyz%g@EDO}EwZtIwo;dC@HD)h>U^)j#ehO=wy6RPjRIY<7GU7;vd!Dw}5cc~BsDKIDkw83*u1oPV~KeHEx+hidzh zb9C=5_;{q*nz?)}kq{h}mw>sgSGmmAdjFH{{K=_no%!Dy8 zqIWqegPWY{nVAuD*Z)#dy`M4yAh;v&Zo9vhu`bbSx6{~p&y?yEso2sYI9}vVVklJu zY))k2AD_Red1yAg+t$9fMQ>!zkpH6kSJYO&Fw`h_=i11M86xvykb|uDQh4!aSeqJS zj<h+tebt-ON>*Io@_*k`6ueG~9n11CVN{tD^a&&+S#IYF<)9#%W*~sOdLT^9SPV(BNST%NP~AjUtfXY zSiUYtS$V`oi`%A2ZNk_O4HGnqI8Gg=ecxzIlFlzH2V$Y zWgx=SwFIYJlDfHeC_k>DayABZe|%rF;K=XEcXgO+fw{GSEoJ;t`$}g4{VVM7Zve;#;Gc07V^^ zg`_j@Dv;(N*Ft>|&{77B-dow1!O1VK`AJv1NuHvcO7(b;6%#uRoRo>*>Xwsg_7-H1 zE!$PAOGzHizn+I{xmOzuv8#DXM-1`%9wM5!<2c-32Ab*iVHCAvU8G}+eu`e{YhwxZ z&rJGQlTDICQ=rFQ$7tZ%n!iW&mgl`pFHmjGxwn76xr4|327KmnY;B;%Rmt4F!!P42 zEzC_}gbUuDARGp^qSYz*Yfp()?WW{aB4jyopM&;`)9$KKK733%)cI`Y9ZUYu^Lz~h z#|ci*)05=I$c5W~xUwgM)7=9!3Ab*&)Ru9N|c4bXK z2F$X?nq(m;!U$L$n<1ozg#3{*;te<5CNGv*zETrZx)*+`-3&fiYT1wW#3?hW5YcWk zn%}F#P^fU^#~q;B1LM|CE_LK@dwurj?kfvwe3J(nqwQeAv!avpBq*|V1MkMbb5?6* zX+4RlG{T^60qWdt+My;~D9sMs&2>mFB$c%Zi~t!bMxBr!eB)_l6SmfVIFM9>)?;SY z;y>CB=DjOFiIxCKUk-IF3v4M36%O%|!mZhITFsj3pJ6%$@Fc2Eeo18^HogCQM=Vz2 z86l?kYJ5|uVBPlWl3%f}pu_Fe;^(Ed*hteV?Yxzo*g<|5{H$b#v=+yOEVCw^;maY# zGP++{NajYJyUd#K#+t+OLo^+fo+Hab5Gai%cSBytj9v=qXb-T%o-ZhiQlu|m&jIb{ zH?0nZyE0hdmF0&@IBRMQ9VgOr!E_ zlid8z`Q5QSuAB1|tLs_fZyt5d)Qi>hld-WWl7(c~Ix>y++RftXhh8IXo2?In;lbBA zo_8Tvz-CF0nXb~$e9tB^rGGq-{3xl_arZIVY^o4JC>=rIyhq`jvlHxE8nux86j*Ef zv*e({RzQHe3OQ71_t(9pkyIi#l2<_xXR@d5H|z*+dC!)0Wu?`gL!SlWsT*-(F%YJF znq#gq3mHaWlZUSxai)m`GG2PFU;n@?q~Ff?H{lut0dE}~2Hts48a@l6(T@jlt(~(v z^1B~lq9%~%yz9s!T<-9(S$o+%xzY7O)&Lx9L=!Zm6%`Ph|M@>Nhqvw}k| z8cL~rhU_K^4N&f1TCz^VTa!|j!S!j>K!4x1j#Z|jgW*A(y4dMGN&w1cW5)GF@Q2v@ zds0H`7o{WSfnllYG~e&)(mrSZLQNgku8moX#d_$-9L{-3dprazB2)Zy8E*q;PnKQWD*d=J{66u z7V}wwSv&qd@42oLpK+FTTbQ2EIW?~2ohFY;D;lN0XSEOxs04{&QT`ChUUQfklr@Jw 
z>#G4~%y;s668yAn5RUV>iW6=vjPymayT_}EdOS^_*CBD&Fb}6(O)v`?_OB98V3I1f zEey-UDVApglsEyhjg8B$C`45p^pNdhs!E5Aa$ZFKc`TX&E1Y;R>&8_yJg9$GuZ?_v z6rfT4DCLS*Se*6XN%;fLdSF>FhFl1}3ZwLE$dq=v8ZNxs+rJ+kr_pEoQK+W`vY24= zRE&^Rfs^uCRP*=N=*3^fP^QX0ObRiKYJFYx86;eGu>s@I#!eqX@}UKo=C@0)XR09V zIiT-fN0Pm*C=>h(5}DiC4IF5rj7RMbWE#sqjMvjB!Y3aaYt$e;Vk@NF zch?~$&f_b|idd98f?NQ{Q&bglz`}(Zq0U!Nn#wxlL#Qoij5-SE)Ek{03H5z#s80ur zLnHTu@?@=A@Evf1mw%Z3N}*D{v|1o|1)QS!G^OT{E*7gqbH4IVRx0-ltQ-^|U5 zrq8kTzSFzO{~F7uAT>Mg+?n70v3iv;`yG#3Be%8Zi&eD~!W-&+fk&lr!NK|Ai$qJA zvowx>D}aaU=K;PYrl0xN{A4t+3 zGY^h3OJ>bf!N%+Nw0f;(At^1GchoATGdSGg?G z4uk^dQv14#@R4t^YODDdL=t@ZnA>+>$`IXzpiX3uU3Ni){gw&WMlbk(dJ)!bg@<=( z@U||H56VW39J(S3KD$atjgwv6*B;j_w0QJpIbk0Th$CksR?oe1?VfiSf^nWW1Weix zz&V)at)zxZm;=B@lt{%6m$ zFiC4$7a*zN6pdc(SpsBz5C+vg`(W0x<(&n|+>iATku}^pQ@{Sw*_0T!CMsAgGQ6;r z8>+nz7`ib;s&8P4q1&i85^{?6#f~mrRv`5vRFL=60Vj_(XUx=SC&juzukf0{J%cmc zTwmrth?EY6v7=itQyzcAJx}t!_<&*ikQ6zBY78Z4D1_{%lqh9s&420Mt*^Z@HJ=cG|vUn5CM6 zniS0bmGI<%qi)?ck`9mvur04~`CJG#EsdJT-w|kqHu}S=G>9&uf>isqE@8dQwJ3`E9LCp6B>C`RolI1a9Vi zV$Td?EWgpHILcJ!&)2&iUDLt9MV-3!P0Z&gH?(rXUsdbY4uVgAEC3h8YO!+2ieOU{ z`|rVYEbvpeHGPcS)cJoOY}>n~_ZvhX&o6EmSh2uoalhOmK2quu{rT#1y$i-KM~=^_ z#Km_xsao;tA8fGhx_B{SS(AwRv!_gTsLff zFfx;j-^Zvp9q;SbWJ8w#G=e2>+hK=Yu0vqM^JE=XI(MHTgL5=-`hr32G zuy>HqamAYgh=HA(TD}heB$gWD92zsqt(9;`$9D@LM!qIS@qMn9Ke=shuc)-gp{~jL zCeUMCJq-GG89fk+3%8BK{UmbCS(>bz*Zjmwi43^=55!A=;mcnxy_X;w4|ZRF^xvJc z!pJc{o5h7il$gEUc^f%Nv0354eaw>!jc3dLhnynZ59f8*gGS77-ZOk2`;B)5Kl7R{ ztNcZcNxx4hrBLSarU4lLv{FwV;Ar#CAjrgVPVsDk6WF?MlE$_9iOAHpiG+_)rBV9* zG&YVlWHA1Nz@4k7IaYT&}`9>eJi1U`e zxT#L%PRzA3XGBOve2MVJ17D7AN}@?T0mB!i@6fW|ycmqAq3w-tX*29G^u~S7{6tQqvU(6BXPP2t%+}ck#_YZUx@tFnG9yvqq0L zq1abGyDgay1~3cFm)fmL$5=>@!IP-@UO&OuRVOnE6qKwtWHejv&W61|Vc;*sF_Etg zOGLB7O<}^#%#}?Y5InZszSkIhB)w4jOpIXbJsR|p1(6T$09uXR?;R))86qX_YVu^c z^M5(N0cEiJwgPtZq}SE;h33r3F)ycF!1n{YB{P;6qiVh4YDH=SQ5Q84L0HR3VKD{S ztY?7Al4txeDTbYFJAkm4N%+*G zY0R?(fos*O=7xAB*@(au45bjQu#=xwh%W8K0v@VRPg9B759o34zgrZ%h0N3ApN-~eB*ULzRLr93nVPcDy%BGL+6h{9}dJkei6&x 
zDjkGR?ESE8dMXP!RmfA?kxjmy7-e%RXY$rIW?R{1NzaGH=Rcze3mwxiOq7g482O~q>TLdO|eAkCIV$aP0FmH}!@Q^t;a)`fd11V{KXtU6DtAP;`113+Yr?B#kaJ zKSeK!);G-R+hcOa`Q?>6t#0!ZPqQw`>qhscxb7HabyzAk>vt@YoIJs>g`!$sIcBkA zcEozT-2jqv%#~sx55N(`aBh4i@4Qk3%IXN-6qODn)#FXn8{Luac7lgc2+S5s9d%e% z>sW%ZdP4qBIaj`VB9G2$f;2uuzPdMZo8ofX(sOAP%06gN)uz+4lMWY^Z0Q%4T1BcS zg5j+zR>CMuoXz~$VzYXGwJ~rlx%9)F9*8e71(e&2avHCxJ-W`4uJHP|(I7vH;L#sx zMDBp!P`+a&WYrI1io~)ZNGoxaH>`wDDICf!e-M7o{3AZwG5PFK9NrqIcLtWFQt>6q z52~_ITD+oS2!nDu13*;5sMLIr|6r7QO=#J3R6{#NB%Xkzp7lDS*W!)|n)Pf)ao1bH z02t$6E`rfF`_%`qKP`|(P^h>4nMofZr8H&iFR5eZNBSmZI1~^2xERg=$IP~cvQ(8w zINpd~b|KaLyi-t`*_(I6saJ|skiiXV6brF|^c)bMHU7J6tabJ>yxxt-2}*m+T4)C~ zJ*@8SvH_^=Eem{taUU2|cdYefqW3Ka_xvy*ODt1{v>N;Twq@2-rMr`FMGnEhxus^UiwSYc2tbKz+ah?Y78#)c`hO+xMRxO zH#K46qsbrv%|6DjvPA&()2g!K+)fbw>7;N=DW)d;LHXyh)aoTuXW!TVaOVz~PKs6) z8cFMOOam)G4T-*FG_JJDi(KK##>Fzf7@5YZD-8QNQXYn+*LYs0dQto+T&wE!(W-_9 zeM-5H@&s^;-XUMB~d^s#W^_ zgL!Ind@S(z?gj5WQ7F_k~f?uz_s&da+}~yM!zA-O|rH8U0ZA35GDmjQ8IGG80-0rEqrTU9JCBl zsgK%V1_q`dT4pEhpXucvCz-$e+v(1!oNIQAxl&8N@pIjQtCEt&rpaU+l4j(vb?`D}2EY6p-#`EN3oLqJRQG~OF1+HGH^a6W$%egL z7_yo$3;fs`eiJSHaj||8eCG)LF#iApB&)AxOu-+?_qT-_2UcJqDKqU(0-XdI{=|U2 zs7t8$P0!Fr!oMzwxSAKz`p4Wzcsyrovqgf?zjEb3+X2co?qh!h*x#jGx{lwCykm>VpuCf2wtPBPbPfP(vxrWTymT+Uzu^? zb;BZ<(L=QdiD4U)_x-PjXxn&6+MD+sAD>Iadw%4IUM~xK#IJWX?^m`t8tB{`>tjg&bF?z8&y@Nmx?XXg59e+lcx2707)MUN(f5mMhqHzVwv$wB@-Yf@D+<#l| z#fV&|)mpaS)dDwO!;9NTwFiUY5JM#TcgGHmdStysqWJjA!|rQ>;X756K|T4&WT=7! 
zJ1G*|P5Pu}W+V^^l>b?+c^E>`HM1d^K+*U&tL2Y<)WE$Sc%apB-O4g$kc=PYTM}L< zeF_sdRQ#7X!Vsz1BYmFCMh{?o;J;$|m0E@6k48ggI9_9PXh`qaGqDWGh3tSUuvI&5o=n+ffp;<&lV8-%I$w`;s~{&hjw!&Dkt z>@1nU&=#`EK9FE4+)R}@v@1y3B2}MPSwL6{k3*|55$fH+@V3O; zhBORm;u9mid<)>}og&N?l)%k>!X<)ukTHimfWyB&^(c)vMKK!@t-YAVyh<;XXKVJx zWz(bS3|@9Q+s1u5J?H64Ymk4E8d7X!-M;U(*}Z5c;$kx9CN}MSivcikTEi%T?RCdU zDG=!+-AW%<4n{!kCK9cNX^$#z-nOIa`Nbd&f})p~zT;BD8ahm@{4X>8nLNLcQ-L=R zJ$?F0PfrFEv@X*_LA0Z`4A|Osh2bD`9PA9w2bkcB$t>>aye9b?cC`R6W5Up=wFh^K zYA+9;JZDJcFZ~D|{#i*(&LM;tmk?ZV&|o{L0`q!a(O#1{PnGgrpt%bP$A*5zb3s9=lergCZbQrT5JsFhPG(_+|D( z-WRI$bu%p}i{cdOld?U%$8OX1Mf2U?$VU@Xz#pZS&20|GJSy%_c~g%X+zjDfi2aOWyaO=i7nEzF@>PG87Rdz61Z&EA+{@OPqWxz&CT!ZcR6cmfug0P zsAsIHrB!^dDZpvgUM2;E@~U9)usB75dTc`wD2Ar+D~3f~x*a;irja&E@N8CrmB7Y+ z$ak$+x5}&vHZUzEP}B8$r5^OKB(sj$NWO=ULkd<<=t!}%Q?wW*Gv*) z*j*DOR-!K60gHOV$Zw%xe@yD4U@KvH0ioj5)<4o{386jc!6#rKA?o9Xyh{F@NKu#p z_fxar33C4(LL&?zK;(txeMO7^A~PmY(eINfnkH>yk&@!%&!}bINJTcWIv2}egmn>kd}KkLc)e0XMJMxv&&1k$i1LY+C;pA&{)c6p+@lgutT-R>Qob!6*?N zDEa9=Q`W>pve~fj_vKlARHg9@wc`ChbYcB#B+?iPpu+b?Z{eMh-Wn9$V z^R@_rbSx>2ba#hzm$WQh(%lV9cXvvIbf?md!~)Wdbc0LztlrO0|8ID~=d0(;IoHfw z6U;emr}5?#$#e5mD>@;xpWYZH9hH8};njfz|0z@ihBNq603iU(QPTC4&Anwr=T|Km zXJ$c;0^{jpN&REH@(I#j7os2r|Gy@h76V~4?_=}jK9q!$ZHHouh~u6WL+igDHN$95c6#1;}PXg{YbsW zK_4EmBKxnZB?CmA6KxNmoO|a)VKo$M+dy$`_AXTgj+7H2cKGC5^B5~qe6S)A^)E4& zg5gtvm23dN!=xtoFaN<#2HgydtcL6Tpf^`*ci3e=Cr(b)ndsAR@CWqW2ti!}uh=?( z(&+tSu3^wVSx>My(ol@{&aNm~=Zn4a``_REj|}}_-`EQ5rpf($*4F5N>F_7=ei_>i zomp8>{i|l}vnVN;>45&8BASN5=TC8)jTt)dv-Oxv5vVVgnPJ&)I~n4GIXE#sXT**| zM2$7Y0y;1JvY^EotKu89UfVzILu`k9IMpida5sA5Hl8CdcTQgQuH(vR3tu(FDRy6*woiO^Ia zltI+V$ePeL5u0srtbZAI!M8ns3F2l0FX*xOZF}nHxD9E|*Mto1WSB*EUp+9r@4)aaYuOPZ*lW8mWkdTfzre~o7~#mKq!8}t zljUs}-@!O)`}I*GAhs)9=Tu6653lXW^xo4hI?C}M?m`iavpt&eX$A*)|HL6mBGnGM zq;2X<1@_MOj+l@iFt6`D>|{k0r+IY}gYSQrgQmmfos5Br06=0kMP!tvKBwy7?d9RKrDoC*`WS0WaZ3?Z z`n;=m;qZ~0=o@l_h2fhgwdV|?t$nMGkRe}^kqTw+A7b>sQnk=8VX#jC-;b-Tb1yrl z)6=HqTTLR@MvzGV3;gwgn}BVkymXbHpw4rX_1FxIgt5orD}uXE@n$PAV-zgG{ZjKK 
zzwz+Dl6s+g{&@sl@wn@>x2rWbyH`zo!?$SxHDQpRNVL9jxMa^}vc`}m0`du{MbUU) z^oyngP3Q@l@x2qN_RlSLvQbjCpGvqd|HOe-Kexp4@$p^`fG}ikCc{I3J!1PPkV__Q ztU=}@Z;NC^cAUYG{}c6g!;-5ggez5}tXG-|nf}yQZ4O5>=zUGlJ$%!5?tAJS97A(c zxa*YoC|SGbUxiQ>{qhJ%uzNSZ+B|BCZ2)r7EhzIddqNw~_=%R-uF(`CC_;QlnC_!1 z+4Qja@dQL`*sTA$_%mLZxT^{PvRA~c@? z3NKxJSVXYG+iGT3yK=1u0EUKtXJB${k)1ojb7{1@(fc+gysKG*&Dgw^-Izh96mf(B zvsi;-($bUWE~MNNIlEs6a2n}vB5g>Hj&2V~K>R6olQ|6XoDU)U3PBAbCrJo-URs7% z=RUEkX!q?sdu@8Ob?moq(#=zH7Pt6MIf;z85|6ol$8u=^q zm$(2iRghmjI13s;}fmb!7_}o@_MbCXeL<(L7U(3ct6II-OyA|cY<>5noWxp zi7P_}Q)Pw7^>n25z;Mk3#^)rk@qf9F&#fOA2f@Z{1-Q;@pju`LRt z6+mqueiZBcLPVrv6aHU2Bzg3X2^SDqR6Z@2?km-Zm5Q5{Sy?!8bSqhnzL>Gad3eur z@S(>-7KpI#YPHrF0RE;6!Pv>MG5cu0e2^d zGB)&u?-OLhz>QBO#t-D~k2*|_@lFv>IUD<8Y$I{}%`G8q1@Ll*+0Na3#85M9T51crac*f32!Fmf5wkcYww&}d>k@iR)fpI+d}(c^jKy@9a#IK1 z0p5xwBLmucFZ6YeX3^eM4BPjU`e-((s)J3CRk@qQmwGPRafg~EWJ za$(v?%B-33L|{X#uC`yy31;fvhuNfq z6mXCA(7Z+r8sNNhjEMa=gSzB@9HhTOC#I>_!=)|;vL|Ou@!lcrMX=Kg(I7b+u;|1& zekJ+eakuZ(n365Zzvfz$crF~*pE3YZ9ZiLu^nkr{qk104p2_C;?+u=(;sk$fH`)_| zcm|Fe8>QN0r{B2xZil6QFOvsDd)IZGX}b9F><)&1sbnF3L;d^|pr7Z>H#lG#@`fa* ziZV$f;7=rmf1G2aSnD27y~t8fYC^5L2d6WhaYUI75uVb9AMn|tt<&pqSY@42*2Dt7 z3jbf$N$RVx3JkS6YH7q*B`6?j)n0x5(6Z)opL^r!t<Re+ZC$Hhe@&1+ylB?cW!9e>-1 zDJI3A=8pF;%wh@-n8sq^7=67>4P@gw7?*HwX!seG>JtYf8G{6&Q`}~>0CEnP6#qNF zH>zLXfznmlnIiS7W*Va_=_cww4ee_6WBYm&g;-z^ouncWJE5a~9u6Upu*bk1 zzd&ZWOQMja=z2*H{o0$SUza1!;!5wE z)XDf(##MeC0~BTvvEU3V$wRMMZf-|Q!oFZs$es#vA!LZ5kYJ%T!Jv{nlg4`GKZ=~` z7^53xy@DmSJx^zXpWVqJl4z}eN)z--2Wu&JzxQj0F!T$;zi5%XdbgeGLmES9c1tj= zpk4UMv!oZb!|&%FRR^EG4Y2EIGEdfbts~)JEIg;$S)Tgn|1V?gn4=qX1YKr-e#8(z zn~P&T!Ui`i9-?n9oXypz+8_-5;Qy?0{B9q*O3v?9Fy#+chQo8{9Q&X*ROR{liOqvW z{i%!pQFS!D+I48-OlpwDB(;_6+U8?@3F@ExFf8suqiZ~~A)=yg>4TwzJ_>5AN!z$9 z79@8!V>sw_Y}5@*l=ad-vSNsk*}U`caf!BJ>b17qtQ7pQ0w1B<6RTkaxm3-f`c5e< z<)Z#oUf*^19bJ34_E7T_JM&H48Ae0nYGrULcX8qE+l9{@c-LTw;Vt+{HhFY*qz}6n2oM5~ zp_xE|W|8O>hHg<#mn>_Vf$FctW^sy9YYhjbo8E)DgJ<~O{5CXgh7R!z`@^*j*~^&7 
zAQ|?dhD{xuwqL+ml-e*3xnwOu{A&Bpn1IeR8hgut)TW!IYpBI_~CYOCqN3UVWB|y4b)u$ z&|~FYHuKwAjFx_7p-P=d`5KvbN%G|z9BqQXOTsP@!(Y26==@&t+rsP5=K;B;^}VP- zxNBGb$`-uu7~4PBj;q|`$?Mfn6GgNT+63PPy-Cs1y9mh)@~ZeUx-nBfM2)~zQO9qx zluxa$nS&er^@8O}h{rIygBkg<_Bw>P_kaa!u55fX;4{kNQb4hn4bj{hYgtd!Vr26} zc7C^%T?oRB;Ab4W4T`ez=UBy?*KO=;;H>REWX4#La|N50^Ptpe6uJ+19F9*&Od&p6gMcDnX}>wi zwIJ?yLqg>{g$M_I-W%07`rV6Xr#D?qgVfT2@~C0(r|QIMU-O`#LIbLgx(+r5%7?e{ zM<4{Nnen~4BN{{|VNdBt;TtzAu@(5PJCDFjzt3)H4V!vc=eQBt_vMK>lX>aX`Q_ak zjWjlg{qlAwq5|bnUJ^u(&fe2@Uy8#tAtpy3**bTcUlhLAYl|n7y3xJ<=7FJ{Vo&g> z1BDcs6b=w7V?QXgQVlAjrMX}FLo|)*pt=+L4)p`DGWV3}C>USEk)XB-M*e1zH~f*Sb=61zccry4 zVMY&n*Ffl%f=;+1nN1ca)m%2=nR`=bG+mSS>NaM~LH_!)EINsIO6??cHGg(4Eo{Zsy3GHXN^w;yEB@m}OLUI`$90 zzyHp@C+a>5ir;hYteGfsjqw^KU=!QBLcd%_6dni6n|`vhexT(iT7EZC`_#elIqDQ`R`QOj1dz^2fdwBnGp>v^ z9Da#ZGLuNoz=z)CsnTU;>+19Q^3B5mz0amLt(!$*cSQw_KU*CN@(kDXQ>4 z7Q3r^wU&F5Ut0v1MZZBn-#>_ChY}2^E?NW^j1M{w#3zdH{)yv zkSncfyvza%=3^Iejn`Wyoj_WihU|Jvj=PgT( z?+!j5CU%Pxw2+YDTK`BvQH!kSZxYf3quRT597f&mGaQNReEBADO@2x`a=c8|N8A&Wmd-b}CW6n>m&QX}|A z_Stz)_NZ*^EN;m6$-c(G{*}nFzK{#ck(TGp`Mt*mp$xs(lL`(Eq_`W`|Fp%4cMuFa z1)jDqc3gq|2KYYuh5%((F!m-LW9aD8?j%hF*7zk&Es9CP`;YwiBmb(nDAI; z{^n|sr8t8iIOR-Wl45^l)FALwF0*$xQC-$OUo%&VyKg+SPxJA~X9NA^Vjb0*6^mOH zB5Wo9&RwA}NxN_~xOvkszsG!>@Z+w>&hkmjn={eS71d{duG~f6??e?jPRJ%4!He-; zlv3PT)jSeg-!NB~oSkl$kAixC$x-lVL$+Yf#LxN~+xbYv`&PIs(DhiF`ggUZ8esN#E=;!+4&2D{*En{cG2W6ej)s;g}n0y>)Hg1We8LYYOHx&qRhr^P$)* z1V=kLWB?Uki@=waDqgOe+|5pSYMI3R*h^VK?u81ALa#-7WGW0DflcghQL;KZzwQs# z>k4Ay9-7Tg&C~3aS<$Pozsln+;dX{BB1twJ4$Ii6_k>l*27P$^$=1~Ti23}o>mxe& z;FKg6CEgfKu{#joRrz7{Ctpmuy;DRN)Rm80U|8~BNo2-~79HSAWTKJJFlLvb$fMt@ zN@3dYcQ9ULC%y{8%N+*oI~Gv}nqXKK{xwVeT-cWUpp~;XTZQf2la$PIpT1}C;q$Ld zn}1xRK%wnE97f(}>K(0#2cxLwp+Z{UV#zX8yp2Yx9SQ~QgpuL^ZX_sKem+<_V@yb( zhF2T8Y~X#=S!Dtqp>po-38>~+$trb%N{2re`sObJN6AQvPbY_IXKy~0$&Yc|g0O_~ zYvU{wP%xzUqU47CPdh27@C)WzDG_gv0u(k5VxMwvbM3VVSEKPUQ>E>0U$aC4$ zgO-KGlD?ah{@d?TXENfJ8{saSDK`y`sL{nzHkpQBTY0R|m7XpfPBF~Q;&30`POEYr 
z@6z11)RER2&lc^TG0vkuW5Y=y98KIZ_*Z>a7N}gc?DV}FBV^E6;kALjvh&hc=!XYM z{X{iEIsIpsw`XM!baG*bLwabbXd0Tk;O9D>GHzkgGoG-Z6Nu<@veEhvhBW0m^(4OO zW3AIE_X2Y-{JS^FU2}1;){q4tUy3K{jJ`!~V_N%Tg;1N2$l5~9K((fK9#cbYrv+}a z=b}A0D$%t@XdbiA+7!kn9>>5q6Oh2_;IlBMLj)JkrD7V5;P)j+5czl|)jzrxFIZGF z`mZbL!4IuB4vR0;zcMCM824oZF4JXru#Mwjs=C)HjK}EyfvPih3K08tgXMM7hVrI#6POhHu(Jt5>j|$&S2H!_ch%X;h`7*iq z+weX@s{|!_*q?u_H+Fq+jxM6?pgq2RJ-0jd; z(F_J}Iz$~4-ppTYWPCUoYl+U(HyO8%H&R=VaGV#=3yo=SJgysAkq16kUBz<@^tw-l z_Ha`h1RZ`X65y`PQcJQRiN^bPF)H*CJM%5=e+H8 z7$QTF{)M>UUb+J^yLnpu{cQjq*+4+n0P3txf<0jn(mIvZ(E^A!_Zh|7?#>>b+p|*B-J>kDzU!huD zuUkI6sfJvuw;$+KYzomzJOVljo4rdo%4#|HPwmOzO>rq&HvcIu_`%?(rT6iB`=us- zX0##d9NfK}#2mD(*MM)ZK=Khx^@8->{ioc3Z|72ywyvAF9pI$bDK&Oa?a*r1OD6w!7piuhDx8rSCJKN?^hx9*224RFTb7DjgTVE6Ro z*EzW5b$7yH)M7Xp)qET=@^t>xd=*bDv4|vi#>(tRl=VJpwO#L|cdS+CK1g19wTwsl zLfn=;j4hE|B+yHu1gAi7(uE^Bx;WA^8DaPhDB;jL396kE6 zXJAqaCh}@JhX~`l4m_MHT4z3?t9sTe%#&PenZ0*^wI{+peSC9Lc`sjKoJzQY|2(Ci zr$vI*?2C_!sNR!&0|VH86+O-^j-qE>WBE`?Dd4nnwmG1DrreHN&f(h2zsxPmKiqs~ z4mu>LYnkUTn!tofJQsGi)+ou+D;4(e8#Jz-oo^X;VkOG<%hK~*h`-&yvP4fHbdr?| zdKE}KR{V*$zUZ}2sz)&kjb*bvv}v=N`~+q|6W+%5%X=Yi>Pn-fU;&YnKz6pYs_uJ8 zdR%QN(KVmFm;ywrEEEueEl+`fAWRZ*8^bd#Bcx2%Zz z642B2tEwnag!xUEk-jW_g4%=@t5Q}Nb=x5ocLS%XzRG$?U~=icUOpPrRJsz?2^Js0 zFGg}GW_~zCfY4;M>u3eDQhMDp&LC7#pBRlqfz%G#1jvM#TWz5rG;H1fA3dk*K;I%h zeFUM6_5;nS#@A!HEMGTFD*nhv!Kl>PI&8^_d|77d!6PSFg+$mWX6QFW-Ufb2H>k-e zYg*xBNXPR22Fb5$eQtk+?btcem#qpNdF#iV(|6<$nnplXep7xz;Oy6)nK|;6Ac5 z$ohwuofxWFK)&_XVcs%jd@RDlb!s3jch%3kVeaemBLW)G|!Sg41 z0Z7}!_43}VVP#Frw~Y6=b8xqNBZAHC<205sEwXl=zv!BTNh?e~%{0u+mN4mDWfASu z@F4E3*A>PoPO=aS{YN6F)Y`hddl;B z!u{}-hf4V zuCO|#=Q)(szM&q!IAO%~1bQ&LMcT`_{}W#yevNf?AS>@wEF&GloY zUGb#**5XiP<{&*I+l(lTw~z6IIi;X}$qtHb*)^bPkprT|R-9v}8J7r%+Pcgp)~ z*ZnwuxJ9w^;Uz%|;GyNpaJKM)u!*C;KAzZG?MsnxGy@u)3f;Fs+kS-}7yqdXD?wwW%DuFAiXb)5$Vf7}WI&#!=R9W z1;s`|_KBC<7R9QIkoY9VUv4x$)0a(d?>C8IX3Q)P*sC!+XyX%4h8dV4-C^96?%wSn z;zo0rEWt9VxGyW1s^qFIrtNVO} z+1W1HvJ^N#XT@$=t&^w(SW~5($b+nEf9h6STsOwU-oK2B?I8;Dxq^RRhiA?&zwSpe 
zzAa4gdX{lI{Ur;%AXgT%UI88L+_a`vP>(^Te}WrnM`xc4L`xxXlYl+98d68$BP_Iz z==u>#ULe`6k3CugXjAclyO;#pf{`3G=R|va2@^g&E;_i_n8>hU9kK`eo)O8McPIqf z|E_faoujrBLZA)3R%~VHwQlX38>+(RN?xd2llMd_kn2b{lu`Lw}Gygkl~Dq zKA{+1h=M`*a!wq}OxLbK@z_T5NO@s`{U!Qk9kG(t?uv}sF3#l;x&qiqEvf4}c9RNS z7|$igrK-r6%lo6Qk5s@_6|05@`$p%sC^Ge>m&4v+{-N)!78SXZe)nIo{!d9kDRbwZ#)bGtJ%M69a{(v#MmhA0J~>`S2AZp2vH!*@|1+ zzWQ}x=uman*k46fCf&z)n-*GZ%v_Y-dRG9^Ru`{&yg!=YY-#;LYoL#VQqxnySc5Sw z#wgKyJQh^MmLR~$AkRCGX_q|m%9O6QEsMMk=`W8esWUQ8;Ss5egz~7t>S5ou(7`=w z%>;NqpR3!Iki9`G%afM4*BPo1k0$p&$UMW?%s7C^mx)7Z>^R3d#lS(wPPjYMFa0}R=(8h36Zb#w^n(#0Nit8Yo7iR@~To!o@)uD3(J16pI6O)~gd@DfHW3Ufa%i(QJ1RY8qC-;^%U*|**T@eBq?ymIMxz_ zMN}U&8P;jv(~9eSQL@ii@P{8EZ|LqZ`ldxxk~<$@c^~>+BIBnuL#?`}ee2DJl?}iAcMYkwl z+@WH_1VT^0(;=f!#}IoN{D1ptGfrpSno`F9&7~sklUT(v3fh8L9l*yS>@#(e3|UN- zC(ZX2qjD}ZaPikZR`kz;(2;SRV?4?@Z*8rGYm2abWS#Gq zDymTLIe}Ybv+~EG{j&J2ALc~~3NL#zlUcxDvFn%TK0RWNdZ25GkY0m{e|1d(gX4rb z=?n=+tPHqcnF?jgU$1BygnY1e)yr*H;Na^>Tu4@leB5jls^~WWtCMO8=GA;>5^!MU_dHA~ud$r>(C;byw&~jMlJYoe_^`}v)2c|rcGV8jVaq3RN zm@&(Rhq-scYe5hVY8%2orBp_9Mt_8~AwV%E2(fiShbpDAev-F?9ux8CTp^#}aK-l1 zyTJm?7Yz5Jx5X9ko)mm)4;L|prnP-@02|a*?2V(geS=VcyCW)~xd(Z&g^X*y-Kvb| zY!b0bTB;Ct#-(5%|4h8a2EY^E3?D>s32VM@Hu(4sOW9_btpS#Yx$S5tBFr(CeCowt z;O}J{Lk_av_&~LZ}-e~nf6{AB0%*RH-q;0%iw%& zX!6T{CU-rQ?$z^S@=K`6_4_1fvv&Ksazc?Z9|for9(ldpsD|M55d3(;lcJjS#5ka) z7gC1Moz#b|naTViC#?G{H(Tk+m7x!j>;P z&fkyvC6s79sFJ+-Zg2MtW47_(_U(88cgt?UDayNvjS8h;-IL}xVi97}JF#6VmoY(& zDp-(_?Uf7d;N5E}eVxRYABb29H0IN+yuIQVDmm$7y;yTOSH4DKvCPNZpi<@rp|wuG zqs7r{pznGFEcF zO$}FmJ4ia)mCy9`G z%tvqW(Am7W(h1D8%1{0OS(CWrLVB#OMGse9s$#*ef4 z`k1)Pcr}*jN#O$Ex$UFq9iEGS4E#sB4pVnQH^m%Tg;_|!Rf&|C_^#F73 zE!X+c_4VsNTyk$=(Sh1zSfRB)7wzbLg^5zOPH=?cM>$q~v;doP*Z5|Tv}3xV1$*c? 
z+&>-b2+crzejJAz?bj{KfLQt`e?3R%qIt&~$$HiEv+sG`U8hT0`w)o*!>fHu4#1>} z`aW||Rnh9*QWf9qTM?p+BEe!I%Vvt*&T^@!03aGWl5sE0_Q;S6bVUDe!x>g5I=ODN z#7e#M7(s}wM6f^ZCKm?*DoJ69;6`6nHMXf;Qb@EL{eK2NygF(6_CtJ2lHhzk98B4i>mDGxlZLmW`odpOEcSW7Q%rOwqS5HCwjx$}|2% zGskrzF1@X?stbWrs`h|c8k>WZ@aG6<&w+2}l9x}4ZM}IDRghclO3|$F%7a%n15_x> zAMQ?!*)nN-SBJl&*w;&MQqQ8>^Os+|(?;lRX(pg$cM6TbEPw7XE3vY^ai%Xz>9DN;bZiAxb@pk%7Sjb_Z>fzqoV7(r zAqWfqJ;A>`PA*XiJKU8T0WDzRlF}%2YlNZmoyTP)L(QISg{Tx0M1Fu37B>l*>c`l8 z)g*IEgg)oe@~n{ocx(4v@v^#sn&#qpHmBb6P3J1t7KZD_w3dvO?gGQ$VY!ntNOEou z#;tA1%h_V7%BbVGC2rzkIHTOp7!`B%dfC(}|4MZv>bY^ZS-#f51}#yhvTs{HU(Zw8 zLC5_OS{fLOc-K(zCX$|LL(nkk>x(h>*5V$_?9GyWgZ$rp1MGc#@Sz-(?|{ac8HPlX z#dsd$s90gpaU~ zaQjJb%L1VoZEQOrArI|G3Bc7=?ew#vlZ>)X4k@=@1akJ-a5kc>EZJ7=m(Cj%9OFvu z3Y{&~`q4lQ=0U;mJ@v{l{xFN>C)AN86cjr6hru%)1`_KXL&ULxuZp@eFZkN~o_^mLub!?FqMLW-U*o9W z5_2sOQr882MbSZoNl4ik^Gw{9h5_hPkTHA>C3n`ORNV?OO2yN5^EMoo`F?p-4g2y4*f*v4;jxdYy+k7HhENsS$-4&WR0M7`=P%M(o zsmZs8e~mTcY;z9?S2xee5l0!@a^kO@RosouV~^gzZH$XTs!d`I`Y-ON{axva?oMmY0$D%4WDP&2D~*9;)iaO#6Rp9W3z^<3mvYo)Plk&#TV$bF zNv?@r`Ux~_%AI_Pw3|9+S4GU2!|(qILq2%75)kzTbw_#l%18&7o#b^|TkMcCrdh_e zanhS$eA2%FFDWU&7fELsEL8w1D?(4TECPC}T+maUlYl%cf1(bq$aY$iQJi(%{Zkk> zb-E}R>gG8EP3`1hbrXV|Q8F(Bz9rL8AU_7-F-D3ndb&BKN|0C-rdK%vbQ&MV0n)z^r0L% z85`oM?;c zx25ky4IkQahU|h^6GY=<{(4Q0X_a{5aXeF~ZMP_7KqXg@SdGYt2(RqGG8kJ|aFM_d zr2qMjN$-rykj#UY^=M@0?ydj5W`lqyM^Tl*+J~CY#k{6s@H0o(S1cl352jsZV4As` z2XWWrK(c-1v-g&FT}=RYu;Z+G%4=H8o^n$C4+F9&+FP32H8j z{+g=%qEzM60aLT|$%julSnauUY*Lk-cJXsiDXO0T8Mgo=uEg!?ccK{G_@y87;|gNQ zoTL+Fq$Mhr?coJshFiM~p{u3mU}F-W*q5i6kDSvpWwGxzC0lV&n&C4vqpmJ|#6RFt z6>V1U_oM9#J5#Ki`KAA4q#H|j#KckE6t~`ZZKN8^N%R*7=FN7lIOg8BIeNt-cMb#jOt)&T?J;QE@>7u8%tc3S$-^DdF*L#woeHa$G0B zk2H)?Z4-hC61E6@Mbc`9--iEcgp?018rS8fPmG}1mX&bFe0=WIumIa7fh$*&Fcq|H zm3A97t!%H9NXzdhz#?CeORrv=TF}jhje=VmC&%Df5eM$u9VGD46apv2C?osr_=b}9 zqNn*8T*A64Q~SLxweC~>9han#^3U@7{a_^)ftq^tR@TU13Pu8Du{J9OF=hxkS~?)j zuS#xpNXC8STR!T)qB+E<3>AIfx{nU9aMhO*is6@k+CPrIfKxXF3B1&6v42%zNoj*> 
zWno2YvZ#b7_=y=>A8}fI12*ByeEhA*XxA5W$Ibn3*xVKoL-Ko6`U$&&kxrz@ zy1^R+e-9dMxnP4Yo5iC<0Z7{100-5h^uF76uTzgjtcANKIWHL0V^McyscMdH+D7lM z?gU168mN`%We|w)Q@IYepbMLWhYHIrA>nvQ*hTZ>ids}gVB_1 zdMN+(6i{xyk?AE5L%hQ;)}qg;9B8)U!Ko_eTJ-oJq+MgBAX5jyj@1 z0lGOg=;oBM8cau_o0ByzQOIZ~DSU7mtVSBWalWOlJ2G;1_iyZO_S8~bx5%j?pl<<7 zm%Y$h?=yu#_6t5tcUr`MoYffm0}`Ug(Dv;D(M>`uB!f+4zCd^J)Tl3M93Vzh9b9up zhBknyBv4AbCiq+a`M*w@VE?jn)O`jY=v5&6VhmyNq}kiZD?g|5)nbbG=MDdQaTV9& zC#}|;taPH_`~DFr8#&nKo7DLo>7|~=ozJoC%JAWU+-`HK6!oN1mIYjBHNy(Y}>#0+{C<;XtUb6 zE6X7IDr1`)`nXsuaE?v64BjspWgV!<5`(qHs{z=+iqC&+XnQby5lx0FW_~Eog|*{C z&hdwS0*XY3iQa(5$;nO868l|khS%kcvmj<@(z}UNunYSz=wbqK@mH7M$V{dF){zjM zXid@fku#u@19lk6IXr31gR<#NseKntd}Kl;3g`2MOQhJPPF!x-{;VNwYZ(3^c#wyZ zvsd>PhB0ir1Qq$ zQfXXOKy6$8zB*&Rh~|dXZ;y-GPLcE6if+2IE#Y=19GKNLu=jeSG9g{C# zWozJ_Fk`X@^flBAFc$hZd^yg~Lay6)F|RV~cCw8-d>b!=KMHKyqD^c#S*hi?RUC|Y z%1df6l)E{MZ8Rfds$1$qkJZCVD!;5KqA_ zzKj&x!=rG=%Eih3avOnqY5LCrF^665ICKkUuwPsNcSUc0*d;&p@uR=?eqW7AjoTQZ ztY~lWbR#moP}%wf969&v>;}S{sW-}=KpP^519|cUzX(OQ5?tm&WT74F{9Azp^}7!3 zHUxh%4W1iWqp1&ez^YVxjIR}a#OqCFRr(LdzyVM>J(Z1i-_BN_SB~CC6^1a-2ZE*2 zp=RWq_xZ+g+tRFY^69Sy`M!=h%ScFvkK}9q!$X8+nI_tPWeOc2DI&t@1j!iM_}+g_ zgr@+MIH(mMD0c;|TBZw)AT;3&>{dzL{5tVoEuSa|gtfZ+A>Tx22;X2yt&!@pF;v~Q zmXC%pywaQqX`EehHwlv#lv+X2U!}=rMwBA{-M)yMRq)0RX}R)}G8#{#PjXk(Pe^6_ zxhZ=PH?F1yc%y9i4e`cRjW%GUjn02H?M33TtEh#{tH)FFk95)TNbaue_(lC3BF?>5W-VTRL(~gtj{1b-Gh872HUp@pX3|%x-7^Jrf@z}ReVX)1cO`agNPc2?k z&KGI^-^bRuXsv(k{_+X%3R5w4;6PEHA_dJEe$sQusSv%RYsfCSu(@f6y>M zWiM2drsv-9LHN_CWeZpUe`lJ*0FGIn{j^--o)?3;X!@;>c|6kp^bDbf9{)V~WXdJ$D5nj#D!|OxIoB{(oR`KZxe7b^e%j@L^>=chq#oOqPl(VO>%-J8 z4%q(b{9f?ER>ZN+&qi72`|rVD6fWS^rr2s`wwU(v&p*D7(kkz;*EjAW%^*@bdS-iz zZWThR6GYqoHOI|@RoaLqw3yYXsb_I^mvCGp)5#7F`IytoB5SWIfjHIJ%A&a`a%LZX zB|k%77Uk~i`0R=yI1;jz7W0!|8=IR*ivh+=H=!quxU)-8KVS=7+ytnln?#Qr4)p+) zC)*!*i;hW1&uTy?)BR@t+VEhP9emng6~+Bt7SFxZ@jF4jKDr>#MF7n>1JSZ`$Vmjs zfetQ#`s}~_iy4Z>?6eP<)6AINOr=^+lmLX7$R2)_$JJNBxw&g-`|3fuW6UkG*39v$ 
zDEP#l)V~a8PQQxe%6xIQE{Gm-K5c&L!ctBJYlOYtMH&F@3#EmDy~wX7RTUw}_E}e>7=DUi^DM8Ap>$xE0q#HP89=gV9Wep+ zGG_7Oq?|sl>Y&^Lbee!U)wU95!wkz4Fr3xJX{VK$owix^Z+}D38~Wx?kVxCne$${r zU`J5?YXGIF(9kOYUxJr|q<|hJy4O%pqU!lJBJO*KQGe=OH=SaaD6)bTRJsb=q_W$H zwa3c_SCc0il@Q)Ne0lu-)#N+))O6;P|I{-zT~#G>5#E2XtS`oGHAObn;sF+WJizLW z;#mq))#6;sRTXj3a6Vrg?Sv;SP{4&^FT`=!NB^EN0xK-VaqCs*hSO5Wakw=61mC~- z&_H~`lheRiDI;CMAlX{$8=g^65zE$n^X?W^#FN*CS=&g~vT(XgOzoO|1kYGi_tjv+ zdO0}FN&^nea9Sbmo$EUt`^j>;fIIzp;@+`g_4&i9HZshE>fy2nx$SjG`LFh6A_K8c z30EYLs43q{ijVb09~ha6l$Wib4X)QUgnVsYFgIkIJ$6+*!G%xfX=!Qx_t&lnd5Pw~ zs4ur!*!Sx67=tmgAKM5TF{fR~dH=Y)Svp6^-5CKE!Ok8gInQ0l_CPFvwT!jjC(JpO zH(_dp^`fgjy5I{&Zw!3fKUv3P#M_{<+9_q=JG_-R9g>qOK-pU*7K;G2k*+h(zXo7w zB~H|h6nH)lS^Cee21VSymTxicI6H*lvYlmqD7s1EpF9McpWDrcO?*S)cb%c}3FX!+ zj{Q?xNWNsUHqDbQ&PgdR{algyHQQGAqHzB1(PNL?!1UXcG{|o)WYuYr0UfO0#v%yc zv8!O4)^f!I3Prj1{O6iNL+>FUyZv(6FMw|-#tA-#w~+cyXZ8@vPHYkJwHWAK(UV&r+Bxb>@-rJ(l^?}?C0Wr*lyW8H&yuXbw$QDXF)o} zrD6NwzB{OB+seAj<0_7a@9|(4`i#Z$ZEFmpWubpax=yt1mjkTz5#npTR$F&cakmz# zwvIXhd?LybQ=B1s*-v;KM}~DhPv(>c5_R~P6{g;|eyv|lGu%Sh(~Gdt-*V*9ymVWQ zy^K2K=u+rgHD4(pKp?iyVvB_`+>`F_1sPgAc|!uXtGqH)0(|Rdq{KPY>lsTQonV_q z!}Q=B5K9Cegx>393(XSe%yc&Bh%Q@l;Wi`F~`i_Cnn9; zD$|-=l@u3tOOVt~6H2Twm&;Z0GF(i%|}`UNPhE%k9sy)TSfY>=3jg&0XorI8P= zrcBPgN(KsfPeLQoQ2+bh^k9uyay4fZJnk`@0c_$%4A4}iSdx}6q*WjksM;I@+syHw z4?taHULURvIW}|bZ-rg>w6$E^@Ao^vf3$g?Jw)FxS_HMwM#J4x(tW_4NVBQr+<%=d<;YDcqRw?V`8lT)+J?OLJ14dV;2R;a zS^5z>E@2@Fcdd%|oO(~|w>6^l)x!l0`w|b92J?;d*AE1;=`YU5GHn{8#y`sVl18m7 z+HDNKmXu3ELSnKbo5X3Vl*@}bd3w@LWT9YsHo#!%c~d5848ER+TG9P~D`|6D>Be*! 
zTH*)v$SiMoMv%&8+ z%#_cNE&Sm?p8*%5-XgMLM;erdkL)=~TN!(CsSPdAaRLXD7z_X*{?T()j%|-j)bT_crVV18 z-D7o8&=9_2g1;dP4$bl`HPXl+eFBkY#LGR5ev_!qYfUo0c1QJ%sq8k(P7c#Y$u%EC zs7T$xoE#pNyo-)n4MFW0b%#{r0>QPf26nZ$7mfRqy%Xw z41WPE4T(6JHMII&y8TYL1UC|BS}FD(OWY^gk$A|VN1U~Z=*a}BVJ|3DSNM=CWM46- zJ=jf*zQT9#ri)+hIW|jk2Uh}>DHHcKOMG&&$wNXtIE)YeL;3_T>yY8GtdwwRm)^9j z6RK4RkD_lzZgf&2K=a#ZVVRSUFryZkeKd-bWIC#&6W##+Dz_feP#dj&w$U2K)Ct`$JjN2p;;0jv)Iwbfi7Up%3MJ- z?)!Z3k*SeF<9=nje~2KA51J@_5@?oy6aB6(ADxQ=ah1BJfU{o*x#boe5ZN6Nog0+G zbX^MyIQ{L=PHkBw>QHKJ{-lUvSWr!jL2W5txL|tGBE4qniLGS1>+u>8N$MvS6be{w zxv&+2G{!$bSB<)2eM!E+zEQ3K(Og<}HLq|;(9$njdo8uE;%~;f#bbujG^CRKBCnENr@yS?Ii2Z<1c32Ix+z3>_$86NI%{KW54{rCx<){?D@3ML zr^_)}CKv|t;u$w=082t=(BVV#sV)&K>u(ayOC$co=wq2D{jEYj{@f_2eNIo{@`V~Y zxt!CskJutVFcy|PQkFOn&p;8Bjuo@hpA^L$jm9wCm+dET8HLOU>^)|_=<9!sl}&`T z1ICQky#0;+@z?&E1(#o+H?W-oAt#A~;bgjrwozkG<=UXlKG%#5H_(1r*BLY~pV3dX zto#jfJ-O>_{kmv>bM#{dR9}H%RG+KEAH%T?stLohpa`j@&eM*4tZzJnqLawet4(e^ zf{i-?22IramP7@_RAEP=@K3n}89=ZFmH#^b!N@`}<!~o8_=! zUhe8=m&A3$#}r${*QR3Uy|pr4Rs5ji!z}%yTV)hoI`*}UAwqrXv_NUmh8 z+p@z$HPph|@oimk%;u3Z%y|(QPEn>bOq@@W@O>MzVDRtipx5xDlZIQll}OM7fS02- zUgaT@7>WT22Gj~7x`)N>BbcM`)wl^FtvUeShD|Y(`3Fa`giCHFnUT~U(HG?>x*+RE5DDmsLXKVD=HedjOz?fc}~KCMLll@&6MBnKmo$`~(awn zf*dtFHC_lz6r;>rQ`ihn@js9wTHRhioLo-50j&K)oGt|4nYK0Mu=Y1@EEW~Qw4%6> zj8+2Woz`kpq4{V77-eeSW|wOKa5Q>^__eEp>=I_OBOm1_)(>V5AVlLE(#hL2e*gv+ zI}!mfS3?bWyo7qJJPvZyfH-rEk}`Iu?b_zVlOy3dr*a<)T90&GCLCt8Vdz^*p?sa& zEoet+pyp9gK4L*HCS+rsI~;X-5jF~Pm~AN*Fa&655i-j#EEDNNr1O@Or0}c+?n2Z? 
z@z7teN?H}|lS0-s63#96-3X9i!ytjc;7=Y02{G6I5+|Ri0SqOWkTM=9q(vUm)X$f> zet_(``7%^4U>2_#;5h&+U;#g_+eG!~aC)+!*G~4+Q6dGAtAaaC?yGFl=U!v>@lo-P z*XL8D$JX5fY!g0APP+wLg$9>p6~rD*Z4T?UwqKVL9uAfdS(8Yyi4&V>hYPl;g3U8} z^M8HKDlQuTHSfpls+NuD9j-mFBd{Ou$@Gq2T6@Al(OV)^;5T1tgU$LC+UW$|)~(hq z>2b2w@5e~di}{`uzzp?u;^eW_fttVtrtu)bP=?bsUd+?Ta|s|?YpmgM;TDxLw>?`~ z2x0ktfpU=DUs*2CDnR=AEYm@zygc53nwL(NmwmY^ax(}Zyp(O?5|&xrvzzrJsMh?z z!Siiayn`&OoSs6rt+fKQOiocZ@3sW~uQ?Dceewaq(A|%lMAAtEw19+uQXb3(zykAS zr;(htO=b^OFB459qdZ^MYM73@Vsu`-a5FP{zH|g5or%yX*-ePDaFE{;R-m=i!sqRJ zlHMCNoI^)UsQs;Cl!3-vj?FcBr}JnRyH#_LeaLSt2W0Ko9X`C73KV9)B_3xV@cj-+Ag}j|AnRYu2g%Nwsl76EM(P ze3~mHRNw4CF+b4a98y|@G=%}W)F7hG<>ukfDIO&#=pTz(sn7VcXki3ql6s6Ml}-Nn zC$ql{(`@z{z2_Ht;ZSg8aRSB&HfGFhhG($)%@%tJ@N>XtHP2ei_&IL|mXY8GpnL)cf3ge$i5G`nvO zpO<2sU65xr5Giw(jm}Ii)COjp^@+H^D(d<714~S$w|ARMD+)H)5o(CMKL+Gj%U#UV zOCsM4j3L<8_q$#(9Bp?HmTc+U#JssX#1h{pY`cUI(`MrsbjZPJp0I%*#P6k#;c0@C zf|K1pQ1?tEYGMsBkBOzYHo;s@VTS3Obl*)WCj^zM;*d~DoL{|n9imPA0s`sd6Mwpn zT^twQVYzSTr{VZpKN$K&3dea>kkT*n;>vrli)Ib$TP;KVyce+9?%1w>#(K`Kx*=e` zf@yI(We@eTYo~8DvDog3u}E;*Iw4swv!@TU;W)MvLXkt{XSC>gelVRVl-OqhRy8U# zG%8`nRh8hwjEPp9NAxh}B*@7`GR)*N>~4jKLHK<9JXB>qGK!?r_sGkU%skAHH*Nj{ zVM!x-2*o~fxw`Zr@{y>2(Lt2%=OB4$Ub88`yoJMtWYMeOZ!a~t} z0WRviKaSwO+Szzpum^FEn`*b!os5#S7!{c)C3j=7O-~XutqP%&PG9AIZ@?$^jjmX5 zZ@iOG5$TF;K(Yfz#=C#jXg8aQtXn{>Z)hLB87d8Pgc?O zT7SrGh~;rPVJ}nn8u6h^wdC#_vMT>DdOb2V~rJPVLpBLdjvVfH(&Hvync1yrnPGyuNs8lmP zLVCDI?rfhD;~JY)R0tv(cHDc|?$%2HIf9WkDA-sZVz&%M6Lnma)xp#_u5?9YGil@a z{eJ{A;5F{eonG??%@eSk9;`k!w1Ov0bw+kL-(}igz5QDC@%Nipg&FTuIKjO?2>j#C z$>l~H`U7nxi>{rc>nF2bPK<|JVuY|fi6@J`uLWXHPJB$M$^vjAwc5(kC^zr!9$3MzB#fF}m#Yj8{NbZQv zoy1@JR4YZBB1a4{(CCrNRq}k}^SYhypakfy4SCwWQGm%}A|z>J{iLSm@)bnQ=jr)j zdJL}eK(WF7h{N?slW>;fVZ-wV;1Ebyp+Av3;RIPjEvv-FH!=%V-3JEF>dy&OFxhGm zegF60gq8P#+51pVgNH$6u0;@$Adz{qyOdLQ`)H|Mfr{njQJAaIS9y>PA*KisCn>x; z8wHmI5#)=9Va+20Q3`|g-gVGd4X58|T%X5;Y4kN$_R!3oEbD*HMd?E_QvT%3i&A>s zcR?3%bKXAw6Dnvh<3r~s)dd?w{DX4U4+g1v44}JElKErIRmalffkd#vVd(CRnzIa)#intZ@~SDb6+dTu(7@{68LUNzXC 
zr^nMlM{`bvkwh#HHGA6u*c+1#h1d^|NSkPw*GM+aD_*m2E8T`B4%JU5NUsYk zSdJ$%E=w!vZo)lRF~K6*A8xi!zNMt3wWxm#W1EmJJPT>Y4H!>qpBsjPYz_=bXU_kf zZK?KCSX*v@9+5*&x{Q>yik{o|F!-8t;^64 zLvWyTL7xU$Z0ut*KcX58yp`LA20hR=Go+=if{xC7b3|l@Oe?mrQJCE<|J;A)-pVeEo2fN9}O zJC`I=NkQvfmPOm19@}nkJd}zeM{<46RINyR5tbX_{9a7#kpGnfMJx$~bZB2s(=Ry( zgnXO0hJlHmCjtX}O4jVkF|7_?g+E<()k%fbrCoXBlNxxcS^E>EHIMThcerJwned|_ zfI^Q(6+-4gb0>TzBtyFzA?qF$#U4ecM-2VlJX{G+ivr)v zYl<+d$@SCM7Qv8UxaF5BJ*~O>FYZU?Zy#_FCj?}3p-aH+VxiSV z&tq_T(3!}r?V;yIYS}GUnv{|4EA&3>jCUfU;30G99k;l1f)O^B7#etZicwV`h?x^V zSIdeL8^SZvgMq4HEf+AsxNej{t^C&+caa?g3>c|_A9Z8#Ha^~9xXN03bVgS=BmfMX;YJdelX33|oJF_y(`5mc6^7^rm?lL2rBnBiuIN|B27u9{kBE_At4w z5j67;Timk~7!1Rfo_|7eC1>;a_Q|NAg9Ad$ezv#s)>RmfsfL%HH|`145&k+}Qo3Q1 zI_dICbclJP3Ijo1ZsR`+Cp5>9NQ|=dqXu?8)o>$)lB1R>xU*+lkm9{)7og4RltkJBa{MS!!;NNt)R4)WN8N#nar~l3jWKgSC^*XCwQEgQ z+TV5r?L{EUo0fC#S{7O9PASzs=`a3QYJ zoqo^E-|XbJ`W0mZGOO@4yC-99IUk&;$j$47bhfrd>l12Lmodq)BTQCRLeK{KpCLh3 zGBG@^?dJR*OQL(M{kWrxX|7%O0Z&RwbFuH|Nzy@h>hGLsum`4aC$bT&y~@}+>we4s zHEn5mUYyBgX9l_p-LTsU!RRK8@RXyjNK%~EgY(vEtUnP9G;0%DRzc)%r%*zVmSjG$ zjPr5_FiWI0MZmKxxS_^=`83k`cM21GsXom7I<*3cZH8b)1{Ouk!50U~Du&fXM=uKS z$o7TG`Q-`@im#LPemdwvqnBSWk8W01QzZoc_$OHQ6$2!z#tXy+I|@||0iPAM4-{n! 
z7Iufjh@DW;)Nh_9(U=y$Y~&dHd#IO-9v42dQ^#}ZEZ7kG3?CyG3(!(su6nn+D3`oJ zR<~we^CDHG%@5=@hfG25kH~Q1I=9=*7kZ?Ns~y#;3|k=XBQwe^xHhlPJ=Trg-^5u) ziR|uzw**R`8Y<(t&dI=S>l_9I|}<(em2`zQj?4PeoP0g zwS4VCl1+wLp47g$lwb@O8)kyAwpdNp+MV_Xjkxx3nGnU(a*06-G)dZg62MQ$kh;h z6EJ&AEd1>nw>fvk>4=I4IrD!lZSx}@q)W57pMxR1ZlpF;bK_G^cEk^=nO*R~aL{>9 zH&s{=!Z9M6mLjxCq2=`F5_jltQKC+xQ6#s71jTQe;55@OT^L1=SJ`AuUenmc5oia< zA5I0o&k{%qe-%*d7Y_NgN8q%Bc5^`{dt>diFxz%ySyZNg6XP=5jv~l<2v?I8Mwo5C zkwF3*c#HRsS3(R_w;&*XIa}!OV;5K{^M1NMoZsE==yB8ifxYjlyj{X_fsnFi7=rCl@#iok@l-# z_+nQWfy0Si-#I`HYPPX`8Ue-sT6~aZ-LXorZj=2wEe47yqTIiE4)8|l?*PXxx`{B6ma|&X_vz%fMG{N>@U1;H5Ee|w;Oc5Wd{`k24jHQ4f`%6XemRQ zT_HU1@v(Z}zD8q^h!zIC%KJiLkk9G;o3VYIZ*(105?K1XdoVv48z?eboIpNX6Xvco z5Xv<0yWl`}SIJiNi%jQT>sSC*&_*6A$2vG6^IQfG+J-UhLYAF=E%LFVy=@XO8j!Q1 ztbmjI{ni8jC$yivKhziHU&V#i)2KPHiKue55(Qw<+@i6R#gbFJ=%;k_!t3yxdEi2d z!mR(p82R6dp`SYbhS=}M62fgj@c(uvMn=Wb3_66Yt@%tfFZjG(L#y9Uk>_5m>+hVU zdRu>YzwJA*QP<3j%g;Vim8^|^Ybuq&2l-x6%CNorTpzG&tHKSg`-WBmeJb@G1o()b z;6Il9QN4t)oyZrh8#)n{Kd?I1?@Yv)avob~tC{r1Q=Pm#{#Q9RsG{)wI|W7JdmDs& z>bMCG)JG7gkFUH{T^Dzwc>Bo1{o8JfPm||7MJ@cwybx(coAbYTBs%t}!F)EH?Y)aRY;s6~@A6_ce?qIVLaM;=d0HlgOGgt7heP zart}YuYPNhqLWgrmBSLq@t{vL-%23yEGUPt8h?Mdswh`-UutvYpY7Y_S50N$ONoXu zf(S~c_2i#FVNFMIs`O+cR9L+=b`XQ6*Nhl40JlQ4gIoHvLGxkLNttM(R_$m4)+}8e zPhG&m?o_Us>u~O3{uLb1#7Sg;pJQEhU9;qhJ(p>OE}o42*;24c-@ZOSR^Fh|6Z;K+2V~U{Boz8HK+b z-ObUKhor(%fp1Rn0~H_%#NKF{EbBpxk4cwuhKfE{{NiddCa)qe71T?IqDrzy2aZEk z469e~U@sJ}k79=Eoeydkd9=WAX~qk3FnmJVG%2vzR40uK|6%Kf>^VHnNnB^UvJvAu zxc}vq4XsZwCOtnS#okv4g^_0 z>)avVD9$y+iqu!k0hl)TD%@MMQb$tY(GRfY$T^IwKWo^tPv9M`FT!J6be6*n|$X$KJ}q>(F&jX|HpWe=-uqnpE@?d1Kq7+!GxSnPtM%5JKDRJ zE20x?{&5?v9^fchsQiK$d^JTt52#gVGd5j<^lCeLtY7M>niR80mL=b*}RS zrO0JFK8#77eZ6w=^*PrU_|ZjO!w^$MO}Mj%Uyla5Hu3!5^h_t6c(ZtUfo~XMlL!6A1!_i) zcpZ;Hw+|0qNZ|=Wd@~;PTF_6dcuTlf3?+j2TsKbKjWnzK3yMi{xCu2_VPFIX)&429%T+1W0Mi7vRs7C8T^&K=QQT7dD*F3y*GJ%Wk^OqK#~-)O?s{b4vO0 za#DxN+vZk8%xTj`TieB3?+`bDhrT0s;UOqdqn|7-qr+HpYEl zROOm^{gIW>q7fx4=2*vaSwyOQ?ACq$k4_1iw(KdMwbY(4LB9;_J$-!~`zo0{Nmbcb 
zo-foYO)IK|{vxjfR-vydrn(RA9yEb;7EnP{ckYM?9Ve+GJY(2M4@6ne2@*=b9rf z641#CG)NHPRU)AY3+_V#KrmQP+?~4>US2(Q?DWjLHE%(xkr)gYH4>8#uULh&z^l`s zIhTiyOeSt<2}CG_FT3SZMpKR{82)j}i63ik8q4rk3re_M&_11QWC}fXC;L z@i=zooNA-4HcXL!hG9nK#*O(sR7)xtB`ZY*#z75apQ{+1%Ckn*m_;Oi5N7`ndS@V# zAGvXDo8^NY3?pRArh>!@ia!aIyK=%X>&~8RC+Z8_HG2s{sn(F)QEDvWIs&ecQ`74m z^qlk_xS(IEzBZ`xUb$F&;euGC-5>ab@yrU}7hMK!(OJjceQ~3g{HR${0$k<87B`sY z6grPanXrrTAM8HPXZgn~o_v%veLbpX6#lZ!goe*C^n>o3LtG#U9hPbKAZb*G9tNag zkv}sIVxm6J#I}Znq}BgV-epHJR;`C<_`u{nS4E18b%cX#Tc6u-ecBvn^}s(K2HM(O z_9Aw)(sI(}ILKy&U$nS#ET2qJdPw(7U{}5-=26?u`pIe2!*cmikB(_VHlbYfGTqti zTSo-xaPlyP)h?UNVh=U=+9vR;gkRhFYT;GQ{M|S~;;LvN_%@n5H%#;@c{H$*rzcyi z&YFj4m#g_1f9zp2%CoibkDNgI=GXkND;cG$Ud%;|LAkWkCjyfAr_5>@ExTHHCJq16qLFGQ3~-G zz)mC9g!deldV6Cy;LG^fQ*~GI2#Y~LDpASUp~C(xMBlf1Cwn%KT0HL?Fue8@JbKUy zfI@>Al%R7(w3Fp`_1RO)b3oGBtIbje(eBIX#>_xJhzAQoKMWV5i#|l;Vubl5?4LPK za^>PqLBh`G%*G%VQv*9t}S_&_s#g`Dk70BtkR~_(Z^@07IvfF9IAw2 zDu1#v+s-UCer7D4ecuS%PfeJ%htKod$dn#!z+XJ+S7(2Mtn0(OEFKqyT1IZ46ljkZ z!HA%XijmDwO*iLeghz$hXm|`Q`O6{(r7Y{6WwG+=3g^(R>~1=ct^-JV6((vO)!``w zuAR5PikYInH4h>2K#U}9_F5$4E&@o*oME?(irYT}Qelrf+Fo~WxT;yU+a{)-UdY^G zga&aNVNt@qw>nU%>54fyc=@Z$iNvX#zZ6oeMa)8C@%|{+*x?cvYgY(cUqc$IsD(VO37oyR56b9 zf_C~(95f4B9m`DGH<(rTA0a?i90xh-+aN&x4k9F6g+)1q8aja8n-%?tuv@XW*n|tEs%^S?MN$z2($CIiTN)T8V24S-mW<|^X+d*p^o2gk$Qenfwg(YBpG)# z6J80$Y;iqJ0NdkhFX5;aIIwz&9Z3hc|N25AU-`S~5T(M-gPxl^8(2q>&f{V1{6W0U z@uh~^NXNemhjoXjyAqp{UYI7IqwkJ6+IcWD#DP%4Y`m)v(YQ|O`!o%^0bEgl;M|XZ zJufZvhv4LRE$K~jnCiW+@JOz(e5sQfY00s@ao#^8N)=t@BG}x48a^jO^>*tTf!Y5k z($?$c;m!89mPK96-DpHM)K}qj)JC=TqE9G%(T8JDX@dEt5KbozMzX3yp-jP&UJ^6V zsBoV8KIe$M;O|(>9Jk%m;ic}!)z^vC=fR}wZz`<1x09>D8kakhTO)uIpr4;afx#xy z(u(GAAfp=uE{AhqGY_7a5C2X5+=IHLgRsu$`6m~~ZLH@tMUsKq_w*R+(m`~pbX%fg z$=H}Scq9@T{9Q=m|7CW@!KY&bA8wu`hl@O7Q%`##?-SKZV$**8J5tlM$iVx<#x{SYWGLgMr+)!5FXM|W1MPv|?e1`tYN(Z;Qer3!ZU zjpnh2Rufwye;X-7Pl|{bTUaO6hgD}6Mz8FxMY`MKc18ZK$t&DoJuNJIO)NjEywdq4 zb6nWNfyXvI!OT`-WL<2Jd~^i9_o{)KGckEp$a2kzO()E_%@vrWHTD=T;Y$p`QYoR` 
zR2KGyeK6}(s>RUTEZ?dQr(t{`YVBlTK9e6W_*@S(YOG1~m)?4-+Y7D;nty%2T%stN z#}eM(SP=hCE5o~9iX_3loXfp3YQn-0Ha&QQT1L!i%irTRT^xWv>d1~NINMBo0Z(GQ z8AhJ$=9cyBxz`W#86}P5UBIfG3Ad|4hc%#ppJlh3biLd#Xd5L!cut=ex%LahqOY7E zPkCzy`3i)>Ic)jM83lcsStf7URgW@{hZ zxR>aVu(5{H!ACGBcx!x=6w}EhuFL)}P2*I0DW?jg&-6DLfIH*God8C1K}R^VT*i{S zOvd=j@_t(o4djO@9@qb%>=wv)yL_E~()afE>tpD$*e;Ohuiz_1{F@OwCX+W0;8&eY zYi1&B)=17A{83%Z@fXM8w>7l}HR9cLLIr^i^Wc= z4~|XRIDiUSi@c|#qNka91Ma#gr{9v)`rHBmTir8AmePB!4& zh?5rH%b0c=leGKaX{nCAKaQ|R;%m^(SZ~Yz*cFlj-8XtZfLBfR^kTMN;R!lMLLyeQ zu@;;>Z7dW8i{(2(`fF40$sIse^%K7hAcTHge+}_@gQN;y-xdO*g2BMm%SJigSnshL z{<{tYivT8bxPwv=uTp#9Dh$FVj2_W@+X6Gce*-z~=2Zr78Tgf;2F7K#7bURf)58#= zP72ZwC$5(0O;dnKUDCyo#cmRtqxv=Ms7L-b*pjX=B`hEJeCDrjP2PcQP%vkXS&6fm z=L{-`MisADszQ!y>y|6A!9FuvTFdRLwL(W~CEbD%S?J$56#NtT(oz1Z5HR;MUnG?# zZ1rR4(#ncJ=w1bfKKrt*rP>M&Xow7lZnD!ATSU~OGjX&OxPKiEV_Bc(_h6gjanUqs z1qf~>^y-3Wg4{&k`Mm2(ou8_kF=$2roYZoFok0Xj!rE+&ZP#^2%r zzFXKVkA)72%U6bjTun43;I(L_N++HgQ+d+Wjq?%JJyivK!@TPm>;p)9+~ig?ySh5v z)UwFyw+>?q>ftlW9Ov0Z(Q(aoT)& zV3#ybL^yhA$Fiq}J`2(LEN4f4^#)S0ECJ>}CBXeVa8aJed^c^IHNQWYX9cP%5re_< z#?0IW5%p^xJV=j|S8w8@Jj=ajAf>X2b%cT|4o&Pis(wxrrQ_i+5~}{F0;NdYmwLZq z0T-W%vxuH_t%_{Q1xS;h(!wEaucj&DVUz3)cU|Ql7IO1RRE3$XEso$@1^5H9d0yr! zWL!>5d$2WZGM?~sNM z9{lUPEySm7ZSK=s$Lq23Y@Jbhj0tp8xnf4e?xy1Ic((lv-7yk_WoaO!*<3jynFlLA&g%aJg zFL^q#h#viKdqi4KinF~0#Qw?(6y#=_-S@sWr3bW283`w$+R^xPNiB+@#;7RDPJ65n zAe?n#Wt2f@y@%!j5<&*|KlmVGbzBo4a7br77sSSX84YXI`t36eJ9Dn3l_*IZ?u&K^ zfy2$lGZL|pI~xH>2ErZzK)bZcx+2_Nj@!9Z0GWY95c5bY-H*={_iwZC6%Ke^AxSw? 
zF?`Pue&J^sk8A`3K*%%bY&Q%?1f>)_SR=iZmG+qqy@nukmcNo+bq|(GFDpLYJBbui z8q8lK>fP7+uft}$9KWyueeJ9307SnI7cIosq~9Y%`W;Nfxo`XNA1=M>EFTf@j_+${ z7Y740=SZo5;CeX}Q48RCe>2uPuT&t{hcu4lenKE`qR`I!%Y$MH(Q!z5HDjmUZs!*g z^ULpP@r-DfWv?6L6V8qwsoGAiyS3>RshIiWPuF)w<*;q&a=z?E>J2S(<~dzG=}QqJ zXCw!^huIbn#!g<24%r2}q`WE8A2K?MX$yItPP7cuE=C4e1t(zBE;=(J;tmt7n$eHCb+=qGn+SU$- z!Oh8vC5$b4wc%X&a)RsI40(#md2D%~@{>z{!DdO9>s~?Qb&em-H1#FqmDYV!&~CM< zg`{gZAKmuu*)l#bvAI4yK}O6_O1#OH_B&?_Sx?sEf4&+А%?^$_!Ud zo!aZ6!h1!gw<^6HW5Yf;bvxQ+G=vm#045#<^fOsY zKPm^F~>L7j2MPWRF1Bz25vF;440!ya&k-@wPvV zdjGHbIyD88^UKz`Ad|8v0)ri1Rb)2*?ORdoxf*G#f{xOe!*n4P&T=#U^Wg_`%kMlj zs%#=1fC#JX<$2;$0G$7R>HI6;h?IJL_bYA|+0`J7V{IZy*56F#*s2^1BC#(=S+m`P zLeZ1@Vh+w}{)lm_VBPCX<~Zd&jff(4wTxQwup0U#4ErL2_u=VRLhFi=^0CeH%uTCV zS=+$C6$_r2viKBn0B7_M!NMTOc!lsS(YzpaI9zczoFP(4us|hjwD12jP>ZW&Fo!9W z!PCH=lN{#x80+{w!w;WNaLPs>#ZPH&S!)&Vr;v&h=zaAVp;mfDa^H#1fk3GAfQ(ax z7EL*nAcXTeNIEDuqi}quTmlHAhZNY~<{GM!mI7A&mj>dzNLa-kcIm8qmLly|M$#s# zdr<6eTJrqxwgqHSLh?8m=0jL6+HXwoDh(7d#Eqf{nC~1?`xt*jmdC4l zJ|WhL?BY>y>u-0`+f%;he|}9(2!03wr5l>a(C4 zFLK4u=~BskTN~R9={<9jAg2l;TD|o1dyVLDD8<{W^_-kXfCzweWB`sq-D7GKGy*Pc zj=&uVtWj;@L+;;DGhtKbl~;D8Ho3WkyKq@4n7f?mTti@_eA+G3|ROQulB< z^{{(4k6~p$?AL>(*z5Lm;WNvX;#^o|4!ni7eB(iNjbs#7U=sUU_xyt)Ry@Gl5W9r-*koE{i{*iWQm z;0J7!ZAPDW?5;zzaD+}J{%Z?S`W|;)?YNsVfeHT0?elZP5Alv|iBv!x@6X7KOYshe z(r#6Yf_&}6r6-4qSIw-o zm>UJam*C)*E^I2uhc7$QUO}3Zw0mN3PpDrHJpU{;HtJklst<7+=8USA- zn)h@P?#Pn=U|lLdka8wnyFQBurVdg1HpO0TedaFo@kJ2BI6jnEHE8f#n+a>Pe5})> zW@sm77vNnPkn$YshvmCf$WF|NFLjC296uSSe=+|fUAo@(DR7`b@r#P?MOHQmufrRaR zZ9bfy^E>&06ObpfED4p*jEu1Z7L6gc5mGFP#(*i#0{eZ4D!QM9n$+y!-Ft+UGZTp9 z3U_Ph%SeVYG~fPt&$^G21YC3@63Ez6g>Li>GRo#}-ja~HPw0fB$WK244*n4FOI1w(Kw6U$@dTy92%ADUaSd%?3XcXwhLU+SEC_va~ z!5#i&0Zu{Fp!4B`k%wMM{TtpnXp)&*x2NBZYy3b6YjIM1XG8!VpB8sAqTSaB?$bGDbsRx73$W9$E%TDLB#^&Xbho$lX+HY$*3l4&>bfZx7FEV@ z#6~zPPn~MJl6s0L-*fw-?#hiOe`ef%J>bgp=x@jWedVz~f8q7 zvV0;`*GHsge0!N!1KiLNntd&@Ck@%bDG{regLn7w$ycg6L3NnRsb_PEn#iWLieMy- zhgkv7PHK;9!}-7cj7Ij&A%b-xGX(L{!*x;obv`DP{%W#koGZ 
z>kS0;1kwu=kO-xNpB8&RxxNMCqjCdxrvCqpR@ABrl~5e|$JAd^qK?-G7+V`Nx`wDm zMmjI|1*gPqqUUGfOV8s++?vI6oG8pT3DN@9dzI?$-U@GJNu-H zV&u#mvk$T;I~R1)Gjx49i5utdKpUsc3(2Qfu_Y6&Es~bry@EJdAH6LSpWhu78vC~g zq}00A#gV7M_CeMxsAW!V@q{fi4vfi*AiUy?^(8bN7qRQZJTEi3=ZV|H-(e`XrwFMh z>}Sv3%B^X}ksry!ViVnQmF_>BA?Eua%W5$Qfq(YDn&ogrG=v?GXbzVH=cYGpG`|^fH=*#>NSG0`sgh3TkSG!jl{je+e8a@%bTWkYJxEm+7v`# zaw==nk?Dkm_+K7hC>=#et}>j#I)*_TYwADbe%S5M5P2XpgVa)8JD9V;lfp>PRz{ zWuANWZQ>BV@-axmw5=Pl-)q8u?g9b-} z&`~GdO-xNx(`rXPOfpcpbDMVwU=A85TB2~b^5p~__%l%^(@KAPzI_siMl=}}5=csp zi0laS@w{?2mj_|UJT6}(T7t+VfwPR+jp6?x$|= zt2Ob8n3Y*jJNdO01--g@M*>r^l{SAG#=1$Ce?V7Nd$&w(qkGPW11+5QaKW$dWW7`h4Z(!zTbv9)hD+jhMkt>^obiN8@lz;YsV8kZV3J>^^Uey6A2=J z8ziAqbRqfk-~W%PuMCT8S-Qr8I{|_QcZcBa?(QC3g1fuByL*7(?(PuWg1Zb31K-@7 z``z>YoOxz;S9Mpf-qlsL$~ZI*Yl2rLz&GqW&Emv)XLtx5A9*5YEV_W~Ez=;nb6{NP z|E__I;vb(am^FxgQ;g!|DZt%Q#xGtkFi#_Vz0`16Y>g6Ze^otlLiyX$pNicLve1anOna6P=$6z&VEb6%S7@C z9W>^x>C;-$?B4)|%M&`;uXLhg&GERrcTqCfegx7Ct`gCc99 z!%%QY|8oTft}l{ijccJREJd^5s2F6M>=R>R#SSpk$Dtm_9f$V~)VMTb z_8<#{yZquN#}at4YVyx+3xs>nl>Iqk9Lk3^Mwgb02!+o*P}(e?7Ny%07ezEy#2d=` z9rUkmnAO8LWE+OC$B$V*7*R%mW2)v( z`+W)1S+)flqo=+a%imYHhp?#j;q~{em+<8=zRxlDVecJ^LU;0+ApQ*m!0`5ciGmx} zoMal-hKTSNu|x}&qA31~eWn)zS5hwPsD64e7~5)F7x_W!P{_dK3E zPB4J4+u6WXsqQymT^G!~A%v(A#v@@z*e>x_u;$%ooIw;>uTf^anoAY>_nOTl1IJhF zSw^HDJ48P02Pd@!H{0j_MTOef6mG<-m#tqHRpN(tH{KmZU;0rOwWlNfNgdIW6XbCr zVufO;@`Iz)CZevGk_U5>f}!JlK5un}HKU1Eo{b z6eG?tpq^EcVGt?}7f!w?=ji(At zGqlGP@qBluLJ-8ms?9aAl&jwmz)+A|%O`3!sgEwoQcgUP=Nn1`vo<&z=*}vwV)|>A z3T+-=N?O+sH3G3rAhW2xJcX-<~E;yu)#VlaT5ll=`B8pQzh+ z*A6XJs(io%gDu&wTU_NypTi+u(QcDcIlT)jaoU1n?j^9TK|$cqu1qBfi-Fi?or{Ow z|A5H#cUB4dp+p#nzx;q3hzFQujLM1`V^zsgLPp5H02i^92#*C`Zzfen!S#fh_Wzw# z#9e+7hFxllJ8NyN_ zM7c#~f!Nnz2_F}z0Y5M z8HgpF;6ySfA{XxinXpT4`OwPQ(0-%_lgLBjOpX)LVm6>k!p`IWyEW^#DW}La5)NMu zh__FV=M1ic05TeFnBb7ZF05P6otw7H>+4~q@VV5mx;_Lb(;S`ajk0(`VO7*Vu$;P1 zKy8nA&vzaO^k@_ir*TG`1bwN1pQc`N&KbhS^rQYB3>k2Szqc%QhGBfGj|PgxcVKAd z4CS)mrbxftMnS@-ASh`iZ;l<*fjTnQ9*>*rHe%k^1&id{s(d*poS7piB*!`uK5G4 
z&7TPDhF_L+*_=cT!)^qzcLv1`=xEYuy_LPX%v-~1hU{vgc`IWYQ}1(o1t!(W=;#}2 z#8cYK>vdbiV)BmGftO->ho>_#Nfl`TZ|mB~3n>aHmG~^a2!sb&p?~-*5HK>gvU)bp z_irvYDzEX83xO~3)0}X9BC=lyjj=k~5I1C>STZ7rsD0u$u=@eGh0Y6{ZUA&4g21r< z6L>tm^9UbP;}zvuG}2u!MCLFd7!x>ax#5Tim@Za-)X;rD5{QQi!+EhYL6##P3(%Wx z$CLk<<7heXzRzBIhQywfO;$uCJh08m~?9vX?n^9Tz zS6_$RoU*w)kJb~t$L9A~l$pEMP2bnAv(+^;`BKVyaIeR2V1C;|YZb_K$OiIt?6+Ix zL%9Mv1TKhUJ~xkbTa9Vcji99qCO9)P(^B((7d2v2YCUEE zgu-DhN7fWC6at(w<-aDUxkBkep^?CS@iX4hHYy}~9c7k#SE4O62-W6bq}6ctIuZ_b z`6J?y2|lvaO%9*~L&Y|hVQH!9CxQJKWBY*)rDUf}rnrV7`cGs^5glqSm^gqRZrpHy z&pMA6-dKQF;B@<$qseazVg&)zxWv0+MxSVBQ1+Xmuco;fmAN7jwIqwe@wsdrmdG}W zkD6&n6w@?DVBP#hf4>^XuiZ3!7p@_L*3MY-p;vs?4hg3u*-^TyQDuh+c@)OBm!^8<#K|V zyvAw&rk8{=1>R<&CNBpUbe0BOiRIFY{VA)5Eo4Gvk>Ul%Odg<$Qp+I1RK^Ir{Xb%v z-%;0%sU>UhOd9I08$)xLxH^t-8lnc_=y7~4PIZqC`mp?wJR;K$S$%@+w!YBr(2#mw z3qN{_QYPD@lSN>QMA6YjQzh^%)uMWqr~o6cX(P+HO3@uSjDT8AMAfuWEmi%qY_U+~ zKjmZ9>4FtGtqi84^?PHBC<3}YG{JJ>9&K4#c@y?IppxSCX zg{hmVo~d`Bn%}cUc4uW|AMVXL(2wV%KBVaY<8bp=wk4hda$@h{M%=j-XIfQ5vb7JnUb z)`g>!c3mDv5|=_%$6?g&vcADl(AtKT;w;9zK(Yylk>S-ox9f@HaofO#16Ws&v%M|h z&j07!;P;3huxU?`~yK69)A93kDYx6?mkPVRAA#g$1c`Sij3 zihZQZ`{eER_3Us{*12Y%;kvmt;N>am1fS3DE6bJlQ!$sM)%pWJ?>fiSPW}<& zZTnI8$e->t)ld!?x0X-2eA#}qP8e!>K9}kzUW+P$6~~nDet~#(w@LC`vSr5Qd)@XK zzkt)o6gYE!0&WdU7B>73`54*vzj=$>+nCSw2|c%|M#1si>ascDyEk0!<6PIjpYxnd z)tTSr`W>X@URAAkkdkTkObcl%66{iFBMUtkuKn(XUcgNbzx6#|eUI^LHf=Yp!))z5 zC(_F-#oP(?8*z?MBmosKuzMxaMRt;)hv21>!0IVTYIc=K;b4~BzO{Z?D1Tq`AoR0G zm4^CnHQ7#A!b1uy^#D=c_12EAPB+I2j?)#=G&pc;N4&?ULocQWwKbt9<99Dpx6d#C z4|9TMzTfGW=WOwLXU{&BJS7I_uNJ1KMSGtb!Gx|SBJ>zmTBTHAlh>>f|GqiXLpToP zg$o`n$CfkvI)p`Ra$|=UNoz)vPUMkE(Rm?>Tabk+!3!UxO%88hdgR?kiqv937NI6K z`9A@>&=;1_yUP9^SEj+%<`81LVLC)PHEu)XmtwL@l8Zz=9G5-f<{(t$#{K^AUR(pO}8FExwnSJ>k$G2nXB@RLSqt4{jqL4 z+S1JT&qzzvYyG$46JO3kA&K5()Od$RqP|6a;lRJAabGgdJ3(JET7kD8(>E?pr1T#> zX()aMSvj*0S71@Gud1r1msVI)w^T6@Xr5YBfubTsbV;&g-S8}RlEMOl(o3bmzo7q> zNA+CBdj5*CW*2ni{Smc9;>gun;TO_`jJsS=7ifhshD>&XJ=-j>E0yOn3bTc|G;*8$ z6~$r@?Gf!})n%G1Zg%mF^`Fzw 
zEMs@u3rTkLhq8ET(Vt%qdvsX7haQS2Dv@mJ_3;rjfs=XE0z#)yrNMOn)|QC$o=*G# z$u|L#58}6}7V=R*0G&A-wARKP($RAApStG)zT?2}?5S6lU>#sJgxX6ieF&{p?0k83 z*(mF8Q7Se)woJ=jDYO=@n-5)^cE3?vh!b=1pa8IZsE@Fcla0%e1%Kgo^40oYP+^!? z_;WH#AyLoW{NVka_EMZT+P*ZS-XZkwXJ9zjgDZT(jg|e-6 zCQUYwaaBlvax}R=r!*2}**WnO3E){aZc>=YU4D~n2itGvQkCB#ywa}JjB)=0kH$h` z7wH}lyr?f4{P!w>`M3@fjSnX%9R7@&ba*U^h>@2Aqmj(9z)^`>8S?-)X1rfxmkt)P zSVT)Y-0|Oc+`;_rFO)!EWBlnRdT2-1LqM&RHol#+NRkKeRR_u={pLz$H0mLYJ7bkf zjgw_2pndD^8^nRrN4g57vfJ%!)wa3$PN$#OO_LAAd~_0ZPUnGK2<5dm6Z!h@;j_77 z<#qG1Cohp?k1Aw?*!3KM?)F^NM?miv;@jOzY}>5lHCpf4=Sfg9eENmXv(1Tzj93^XhvtK;Er5cg57D~`YG!SaR!k+rng+x^2bSN11?8CP2 zO#t3lvtU=y>i^|}9c<`!1!=WL0MaTIq*c95qH`FYZ9G%}v-$CN%^a6|J@&F!SxV9M zdFm>@&-Pk8vlePW8}g9oirkekv8bA=4^rNqd={btQyuT1!lNmOJDSOba94!UW(`m& z&YHh8*X?v%?c! z+bIFmbG{A_ASRZU#!;G|oHEN!tA#bOP{(!;88uCfAWKrh_oA8fIoC}_CI8nY-8&eF})Tpf&i5BR?$K!UTe|pa9YLQUNqQeywwMS zMV_Tieci$qP#v0h>CrHd7x)!<$-k3$Nb} zRK1VrXXYW?7%|}?$&nT?vz|m4G92Cn)pu9IpF`#q`xbpDMwv3uH))pEO|GUcX`e_G zYFxZTyl>(^^VgyHqId>-^8a}$Vf8wJ{SZ64s1|xD0Js`no^Vz8^KdWIwlg za0}e+oef1zz~~7G?K@{Y=SUrVlFBS50enaM#p^0|N|8XN8t*>N`27HJSFS90>tDDU zaFa2xPx2M$LONP|*z9jL+on(2XV=i{@@>&=avS4&uUj9#rfaY=vBJx!GilATl(&JV zoL$KZIX>!@3w3W?v1a>Qc5?rpZ)VrTS>u(q19c5IB9-sxI%^ zE|%IK^sMLqiO20T-J~SX&%ed{sfKfHgy2!r>=0OxAPU>i%Efq8Ddw!_5?B@vG^vcU zCQC)KfN8QHjChRiOP+*~2>*wWr2isl$Zdi9XRU2tpyNc~C)RH282E7rD8||humEh` zr07#aZN5$FHvTOk`J9T<`?I;~*vdmH2-U1_vR`tRU^Cf%uLB=`4a|aTNc?0Sl82uZ z)N$x7L93a<#lJR3%|Q}y*w7VgTgvOOOyv*Ddb!Ce+kP)n=%ioYj-Xxy3*2m1hE#Q! zMX0h;DHmudc|K}HFz{4!eo)5qg&w%~#l+GDB8|d*en4joNHsEg`Qj%}#t~d%h``Bsy=5yD-eE_c= z*V)Q0S7Ywi+enw}%QA64Q3Xn&``$LXL4qZwUpXJ=jnlSAAfr9AXV0YT5V-yiIdFGh z=R4kc2b{d-aN|~)iwX0ji_oqR^^b%MrbbtBoJ1@pwgx_} z@g+@KJulb#R5`Y6jOI{yMqh>+iIjvxaAhFuu_D+|L=r+OVf*_h0IQrIZ6JmXnpQ)| z|Ie_2*%L>zE%&ppy;&^9G7!m?HxJvOYE@A206t`Rd#lTrM>cwdCl{YFwnK-%K`2f? 
z(A%FS>3Wqo+^{?V#2@jzx7yG|1DW?9PG1q|t+C=ppB9_vy3s^?hWY)1@e7uzx0dgu z9*2#7A1&VxC7M+~Je0%szWYGVyaPWi_Hmvf92Ybb?pPrBj$?;WY$6);KTBOTCj`em zBNv~g)oZ+vP>bZ;lPeL;D~6CDH_pdR(5bAtkEDYr4cPYPKX3e((jYU4pUscM68>xr zD-);1TgveFr#yfjGfV>w)7dUv!Rx{Okvt}Z8g6noUrvSI2F0(`%Bqly03VIVj5)_5 zdfG224c>2|zJ&7M{f8!1BYfnn+hF^#uBT8D?&VOmtTd^M;uR6w5KnBt}(rTunY|guod)0pCcJZu#%EKKEJoWv<2mZiU zLv65ZXTQD$<-8O`O6cA^@a{D<#?&X#ep!H^t2@@eg#;e=TN>*xy$MnrF?d{c@*s&u z4IcCFFpuA3rzJ^cWK|>g1$o8~zL?ltR-2Z8EFpJG*V&W!SaU1%FI7m=r@UbrWCwVc zi1Y??83S43N#r6m$?A`u_4CE>RS>yv zV_lnX%<7k=r28B7lov+eG*=fN_>S)(@P{JN_*lT<$=lQH^~P=Er6tAp({*tD2n7{NxkX&1} zWsNbHDlE8o98xK=qzX@#$^FJFbWtU+W(kvt8xs>?Jiy*>?EkVsLC9{vq+fyhkL#^N zAnv7pN~ea;I;)kpQDzw+Mp?9XaNK}*PY|IAH}w;rt)BXMc_CvX+XNLP``oU4IBMcm z-$;GNTV$YIu-<2*DFO>3`1|tE9UeWajTWTvpO{VnlzryHs(3)~T$%fL-k7X83F047 zD7);a!6|?4<8czjkg7<>di^sGd`Sl%c)R~{Sd&S8mF&*q4{@%Uxbkvo;C)9fH_MD)HKDV*Sj&vu_vNMLUT zi%Y&n(9sBYAtrJYIP8rZiqjEHeCP3-&p<($hnZ!9=8yhq$F^MBZlRf!7@~t!hIiv{&npNo6e=9dx zb}EBGLLf%d^vN`+Rt#cfq>Tuh1b^1br68eERSm7kE+KBl2&_VP_#g4DAaqNev_nrG zO@Nba1Y))hGEVCa8;h=s3p5Vr*E|J0eC+9|klo$BImH$;z433(ldFU@Duu<0Q-si= zh-rXUQE0nZPL|dObf~}g!BL1cXUwJ+wkD$vmUu#;&WD&%xdVO+gNz2eW}LN5dk7%2p2j}HL9 z_0%=@M>5Akc+oQ$UwB!`vBTHr%DYLk!*w>s&#B;i8|Nw%s;X)WZ@3_9aYoJ zEl1q5i63A^@Q_16KkjwPBuK~O1-D#!`5;E(D&@q8I%`xi`W>G1qJh6&WZw|e40BvawwPC{&w zV@P`V?Gzrd0aehl#<@?+Xuc7z^N5{AWUoGt07;xCp2x|veYM#o2^@eV#a533 z(H)8sNxiQ51Sz8LN}28l4wkHlIsCK}L!*o;!Z75EnxV*taYzIS!r_pP%+&^&%y zbsw)rluq{p0v8Xb`40w50^hpKuAE&>w!mJFIvK<<3+^XCWHMd9{gcZd(*W)STBYNO za2y!Ir|K{}eBQs{a?_?;I^gwnMyzbpH4JDmY`UW5Ap~T4J}u>qbhT@6lT6WBKR*=M zVcW3_;SyVIYI;@q5p7>Cw(r{NstfoX5G6$L*|V_FYw7$)ozcNse9X452L+VowbKuQ z4XPw+4WD!Cek=#Y{uC3JFwdLbH?~QnPKaPpr6a`vjEGaP$4AKCdU6hd5j<{%m&%Pd zulC3JEGt81w#fQimIdvr+uA?=aD&PAZ~m^fNg=KyswI^3LqxGM?FoC2V?Cx^uS#5~ zL1KReWaN>R6gT!MC?Rkgg&-q;l_CKemk!E8cf-C(GQNJ#pnNO5E>>=X|1fyi>Ke1f zAHxRHL~o`y5tJDMz`H#Mn2kDgZS$Htto1H0)4Ps_pa+aN6~cK<`V3-r{%_kaf6n->LIPWTBNo5(4M0um{L5lxi>w- z9Nu5kH%!L_RU7p&@3I%;oP6uiR)6pr790MNxNlkA$)}wdeFzSRkRj@ud!UrCid2!8 
z6gWI_^aVXLg=sE+*4h~{Z-|^A)l_SiJr)uBjltd3N<5uBlASd?R48UVx47j^3=a>5wcq_+{Zq{ja%rXyAC8cYZ@vnJ2!PGenzqW^*q%q1 zH()~S5gq_?@k{VO1ff#DS2>_N zoTQ(O7IvzLCE_+eKW;&uFsM846wNq|1LlruL;&sX_#3xSoD{d9z1D23lkByUJ~s3= zE4h1Dqi)2fGYl10U*60y!v%&wv1EbAw)InAI%!aO<~=`4kw?goP$#EttUCdNO$FAjg; zG&zPU;c@oDmuBx%NlJY=pe_jP|AmBxYT!UfMk2EyyV5f2dnoe+$zlL{c8lU2ZjR3J zuSM+jzz01H%wK@4@Ym}e?74`oZ2G$plfEvI8JQv>jZ&pC)9ev46D3KD^rK+%HZotF zknCaA)r7tHRfQrrKS5liN~cQjg5_hjd`l0u=1&*U!LahiT+C%}A7##zFS9idTzp}a z*=YkowdV_hFS4d&^blrwQu1(sC{>_DXniuV9B|$)4~U<84YPlp&kgEf;Ta?Unw>fb z$XVfcdK)hU_=zZEbg3sV4)*YH>>QbG<p>mR%IdG|2#wH{GNLQddF@Bs5HYj>Ay%S!dFQR z$ME#H5B=B)h3$O6QWTK)Gd@^3=fZN7Q^|fPI6NFWV!!0GqbZD=Kp*)VI2=Rybj8l_ zT^q}gq7Y?s4K4SNp=$|l{O!2gblac9>W%%Lo-fjzq&^246XVG;;-Jn$mhu?FIL;Ci zX2S3Sh>>i6lb5ntRK~YmG`$*tJT1c;R)m`~6dStE%DP9jy62 zdHH)TXCyn~*o^^rAGz5(v4>{Dpye@2RLp$}E@ffa8)zh$yl;E3QJsyjJ&QC4#f9-lIC8@sjYl6uHH)4a`aC`7Mc5cmz*8nHbcahI zoTfz%^eCyx>5xp&oiYx5v0hp3E`DB8@`(x%oq#WKVg61^B2<*3tfiM(bF<=I*mXp( zwgL5C8@G8&9707WoR_W^&mR;Gj^X6fqcmk_kH?3N;;Tb~bKsj{(zjC_6byIV#M28E)d_7miY@ z=NBA?Frpyh-&pw!goJ?qCvg|~rqqfYd_|$KdQKiLBG&+R zUjJE7$eG4v>K^9VWur&Z+(+jxF#4EG_(&p;$>s=8*azZ|yyMtttgrQxXAE~#GVHCST#(117`&^ia>@I+HcEp*_{ZX2IcUZecA55v? 
z4ajdk1DdY4_w;yi!&nB{4Xi-8v#`DoZZhRaloZl7l2HSdP09A7(Q!i)O$(#LAzTF; ziDbDDE|@Mr#bo;)9m>nfZpn5*ubmq?p|={AXqfY1o5~ti7S`TK$%U*td`PF0BMU)kum{!Q=B0 zFJg!Z%=JG6OCovB_zX1Obi0@HLdyC>L z8b-xFMWoI(BC|hBY`VaGly&T_kn=d72e-9qMq7nwP>AOo3eqY632_eZB{O^&l&we1Jl@2siGy9MJd^RIx;ieBl#;iWIDgX}lD4QCi92R7MG12TT`@Np~ERVW0;A%>*S6ZrUR}n0meZ-^uJMRyCXaMYwIoo&q{Bs)X;0%a z&!ZOdINd;!X%OoNW4ANC_jNACBXvIiETIxw^wb z%!8z|Nj+4Wuz!=EiKkh_NSY5Wlq<-8uf9=0jaMK>x~ZFt0eBP>xBti(>du#v8rLii z#uAc-&vfjcpVYt-1kR$V7WvG_zk|)Af>7ruNlHZZR@;uPQrgb5 zkz>`prw)C=#Oy^O!%F`vO;i`p7Dte67lqDGq;&WyxBL5DLI&+9ZPn^>tWzQ3M7OSv zF2H+z)l-_h+gPPo4BqHxX!MWTO=y<508tI~b+|Z)gL;+2v{N=*hr}T>K?tl8;>QZA zkO9FLL^2>aA{hv@0%XmJl%!e$cvE>ju{E;>?N=)2_QXj^&><|ksOIYas~n=-&Qb{h>7oKjE57G%tpA@ye=o3@3_P|R*-xzwjH z?j5WU+UG)< zdU0!71|3GKnD?FvK(J4IkrZ|Z6CVcBcQ#L!5CmDrI%iC1$LrEe3TDK8vE9b)GI|U0 z0$~O~>ZmMjp|xzr-OsNii*S|S>afcSd9LWJ_jZ#{ph$BhmCMrf2km+)Y-tGA?;%Ybp-WZ{#q?KozwQ|!2YdKUkYOVL0WKR zO`e zmb!G|0#5@kmE|!f)`OJvDH(MbIIhYb#IG8edsIP_TRTCWbcIjH2v<$FV6N6sE9{xK zo}_7~Q*~Fb=2h<#?EOLUVK_)|loC%PzFv0C=UDjn=1MKZV$JKnW%M8nj-z_#Q)efB zz7Q_7NpZ(ziE5<&3WvyLLLVQ^bJa)2Fz|*%qET z$2{lgoZ>wuA_e2eElnta-&IyR_VQk*X;?xW!Swj0TPf=$Xmlp?SHw65d7qYW?CZM# zPdWPrsEpt}wiC6H@JL{Lyd-FPT(Aq8%Be}e6m@80+(k8~KSh)T>#KPXvU)L*USdSl zCrRQ%4@+SN+0zAnCH59;{_)AqIEy5p7hPpHv?Qd!nHwS1>`|Xd(#_@%R`->O+e53I z@nb&PQ>^`DbR;6!6|XC*9#^Cm;k72}xM-nnAbzRr6ZtNi8Vq|zxZs)${2o8g7oOEV zqn)9}R$Yj7!98LIaEdGF+K?ZEdJwY5KVy79HeQN1;~UfOGl-aSrsswLoZQZ48K$~V zi5TiXJ}p4Zrw#lfvrK)G-Jiq`*$de|IyR=1;6N-*$HkUqZYy9K+TUbqLiOX6or@G` zR<+K^;AjWClIOE+nqoNfsvzv0b5f0^eT%3$y&xd7u}J&f!4~0$*pQ&vIFxRF2S4i$ zLBkBz4=Cq#J`fJ3lQEWmql<(q5fYCincn%53Uhjwf}Oy}%yy~bQJ*x92W=!9gV3M8 zp$H2yLRg(AA^d&|rEL?~$ChOVhuNwHkq7F(Na}JOM{czi>6IK4BTfi6fNeZ zR?bM_YDD=N`x>p~O*o9GwiisTopl&^Vp@yXb0EazqU$h{fMbxK7NEO1kz(UqATg0D zw4w%FQPo-PZ=Lzlqe0T*CdhS%DJ)`uxT7-urdR+DmN$}LKnqY6WnpmY57Y(cjUq{O zOpO=3?nmjDg)YcJk9|ed_9lczQrm;#l!j;nRowN3si*2vjwTV4c8N74GSgE2b0;9aI-wiuLpzGkS*%R&e$8sLN zhp_1+NNEdcKpeu|%8h=I^kVGFhgPu|mL4UUFHO3`l`>EkU?o-Odg`yH(>8MFV!9J;6 
zh7>Vm-`1p>qhQ6VDGR=`GSWQw#wU9_Yp1liw9+5v)k<<`tuh5o`)FDclsN3dV=0mo zAlFoKV`8P00N%_NcMLk=k+V(FFv#|af91)h2w;;j@1pI6&{5OkrJ`czV$h>~0^K0G=Ri9_yS@%PVOBU93?qP#|yCI{d zVF7yrNGgL|M+_x>cyWtN3WxZB(jg(ie5kOn#34tai{7iG;xP|NWz`tSr}P!39R)ms z$n75pZ&`YC*K$q6(*_z?1Xo$OhkNc*B8@2%uEvJzc2I{t&5eUzE`8zO@*mkX9hWUC z6??vEkS8-fwLJv0Os-9OTJL9`j70(&Up)Krk&jojyu7ZFV`xWrN6CrOz=y4=^-ed) zE0ue^n`f~B*N8$Ib!>a;UEQ;H;&;QgH_)mU{u$Gx5pyXR6c*yZXvvJwadlGZFLEZz zKZ$6?l!n`8F3i^`Ba#5|gXOqk8OFu~lg`>jns2E(tUw$1m>83gV1jGfx_ke@OU>UI zasGJoKvhG!!tzYUaF0J^4wU7zC$XAGc2q?b63X5A6)ytX9ZgzKy2MilC*0i^dYh7F z-3oQcG3I`^41OKzdgttQk!n>xfb!%^X@zlnt!Dr^+7lONW2k_kk zo|#@&JW zvhbxL58!@6&~VAn1uF6|bAGKp9sy7NF_5a9RP>C&?B9Fv?Q}*r+GZ!l(D8{+jx}6$C#Bc_U9nv`0eI83w_@FicUT(N4*qOWp3KJP8B^7 z8&4qnFa<%&x;Ko>|o( z%;k%gS%pP#T$uTL0aL!c$Zbr$x;ta$cpTg4uhOKxTKyppT7|!_ofCUXpNq8@2AzmZ zs~%Fw$K%%w>h{Lci&>gEQcG3oOwa-qX^!!%)ITm^Z61>F69Hsg`BwN8Q4uj5tCpAp zPZuamTCxufR?Y?TeVLIcUI2L|vq~20`|gexZ=f*nN?f3(`OE6cb5s_`*Igob3d-nO z@fkfPdc>A??OHih7701HFzqLatMWEKF}Fi{4P!kG2kww1WcAuqG*qO@zVKc4{sjzGfU|slat=V0~KVaT$mDh_4W^!TsDAu4QZ$qlIg>1S(aqH4%R0z2?{~ zJjLs%$-Fq+?bjJtO2?*lB~G7Pu>znKW#pnKP0B8K+y3juj@Z?!)@4uLWp$h8q5)o)E@M-T7g+U$(cSTFr}@a0q1I+R zR_^?e66g4vd6%IMQNWrXzh7)R_sg-(4TVzq^=CKV1i z$uAS5^Wm+TN~xJ7wV+DJFFae5p277BGPQkI-qH2zVaSgs@yL57)db768-q=?n_f11 z+$i8!%YExxg&(wt?J-|YxYN3|>bentu3L>7ws>t+%vm|}rC=ZcY6LX6&87r=mLt`s za*8QX5?K5iSxD9!>53S)Y5uy(bK=q9ruYpx%f&^!CEP$>=e|a4Qg+%V=FV6^QF>-> z(fsY~YaQyk*gD&Jvw7@cWmgfqwv!|ir>HpEz>sQ-ezyjxjPoUJU7FbUsMC@amx4Jb z;YZadb06+ca<5No&XBfEJqEs>5F-nz+?ShRZ1Ud{bnkC96f8a}ZAZSknzZrO)%cv@ zaHaov44{nJnqdOu%nuWcq^)}&9S{}JLb5^@5JS`xyHLeIQ7>|(^a^24SDYqWF@BYQ z<&r${_z@2h9^mrL+b#X-7a5uAWcpQ~RUO9?-}*Sp(&|=ySS=xHOMd$_v&3k@2 z<@$xP>W+&(Ebi}BXnz?Ww-nNWlC@Gh7XXg&8PHi)hb6Zemr;k5>RE8>IyL|~H$pfN z)EBeaYoe~Ly~QEkG*>p?h8m=-x)sHdOaj}EueMkb3Ts&wee8= z`p}&n0`&(8)eg1rCnaGSaIp4{H$tx*cVz46^x$gcwbaaY_i^LWs*4Y0b(0C{O2df& zQ`YIIT(wL?@GZG$9~m&FaH?8gF==xXg>hJ2UEB3Bz?kQi_BuK4+9#(Fv!&S=!7TSA 
ziY?6{w~GXXHs4Aa${-Cjn)eF+a`DPh_PIhHL{K8D+C-3aol}S*38tw`AE>Zho4NPmSm&S-7P_t|0aAZZ4X$ zy3zDa87#g<<+^J5>D?y^oG$$-NK!2|VGkI&S~R*+a_{i@AQ3~f^~S=Ag=#67n&=nS zKu*-u=s~0MBmJd#1R%jc3$Q9+khJ6Y<%^~6nM+3p0{dBAr?2>-?DY5WJx7-=(2u@) zRXHEYp|ofHr#UJ$l?Qee*2}-O;SBlR2}#7+rP9npy$s}!V60yIt_4b>klr!d=ncgQ z7eG;=@itqGk%uv=tq&VK4g0UZ=e?dk+!azWw-;l$qXjhHuMr%)v#<||`INqd z3oX79v`=*3Z_udrNZA;u#xnAuzEm?9+i~pp;)2v+`;R*QbE=s}(7g1IAa#EG-=r1MpTIx; z#smHkro+VGmp$Y@jaNJipA@pjF8U)2?DlxmatUTlnsza+KlEL)Z~BFJ~S{E z$P3)X1Lg+jyYaNwdWCK+xN+p!=k~=KMPd^Hv^>B)34nO_tqjRP)wkLjIvY?krJ8`x zX+FXw@})L$D=(k)M;}tUXUf^Iqip#10KXg@+FEjPJhVaK$t<};>T?!GgWNTfT#LB< zid)a%$J>%e(F-+&9ivA-$AVv%-F!E>d`?%QAhL+|XF0yhG{%;!9Q+O#qet*y{A4Qh zawRghM=t6_O;p4Eb~gK0!o?X5nVBT}&`QU1Aq(^QpL`bDi8#J9dOr0Le@I_ZGvU?g zp_Yvf4&-wTbn>*ry!)K|0PAIVrcV8A&EMjGs(EkHUOhm}x}Edre(`-nl@4ok=&G=z zCAi)4x^a6ww>3jH#2nwmMz>097tOx6Ypk7u{xresb-7thzMS&Lq#=Ao?1=N6&ud8vxJk9Eg)83|R@V}KoGn2KR(njjLK*12=@sAZPuy|*Ws zuj#o?Q+Posja+d=&Pn~+D*0z-HbFu)oq^babzg;BXYtjp>1XkVQu<26b^1MnogIA^ zGp;xq3T`Q-fsv^kU$>%7u%h4LT5W2zuv5GT*fu|%I9|Ru=nVG#`88xC4zUI@X@U1e zBSptmzS9=lBE5re$u@J*K95Bl^Gc6UoD9NI>4}A~AK2@xL{XFJaWKqd(83}b2=U;n2_~fAYqgHp*%`P9KW>Hl-`(SDd54tqi~B4 zLY`7U;!$b!%Wsm02mRXSD_1e6-3-y}iHVm(s?A|J%iVDugpRk1(q*=T+2db63L>-k zSQ6*U?=BaOtULW(%k830KAH%+FlNQ{9-9OgIxnr-fzHeGXbtvQQKwj(-)n6AaYnRkK15w*)>_ao;rnenml4EnvF~x zPr6#hVr_k0G6$8t8_q4Bibp%Cj;iRojm&(#wen&!ULV>06Mx{AImN0aw&Kb{o`Evb z;l-1YHW^mCQNIlp&MgdNBbtp)6yzAMoyhg!IiUoY9Z4OEEO9m`d5n4gwW=ePx9nBT zS#(y_)jf39bp7`(GolXYQfJ=)EiatM3o~cevhB_EK)XI$fS&vsKkZO-1QYd}!n^nD z%OUWn#jocbI1tv;^YL^F`tWfP*OK@CK2m2dAkcU2Bu&YTFKG9go#qf)yWzMG^~5Jk zT8a#8D2C$Jb)5pccvw~7oS05>0PWKiN(xtcOouhynVI%W2x_~GhHIU5+jaTZR8uBS zFWMClzYS8%I2r)2t{ebOIMd5u4I6zyY8h9&^O&_MOqoTK)NZSDX@td6LivS;tylQ) z0CX_Bxy(W#R|Hp@RNjWL3jIpkpzvL#FV0&}$)RjPP}}>7DtjKcDQsJyxBVLT>KYlI zAvJDe56kR47Qv51chNtj7*?6lDBur3p3R|hfvT{U5I;OxDAqHHpHEhLgG4xGC9uo>JUASI@x|2w$m!D)VCo(6By$ryKTY z+xAqU#mZptKB1jcnqoBJ$Azm|Hig98FlN%zoph&vcMhl0akc1v|BPu0Tlr}}QowzS 
zCuFIxwkN$ZRYCy={PO9yeEBHY&b0MKa4mia3$j^qJkbtLfslGU;tS6WCu}jdEEJB@ zlQ=ND5K(R-16KDjn32N)jR4@!1R;A;h6voPaYrfBTK-hG=ZN^L>G^wo@ zwpt6JlRE|1+YHm?kvy6t)djmA3)c!&KXbkR(BhVOGctj^&eq!d4uzERthNfr`1IZ% zO4au9%4UcB?(D}*X|xdc6xy%19^gS|19psr`uk+N>y7Tmd?5w$fk*0F?ANOKzkY#S zJqQbN0u_w1Z%6y@@XL6q>%3`QzgxALI$4cetfpOVY8Q}+&b{ZX_6HsU>ohKMVdejH zF?_T;xIX*CGh8EhScT2CY?w;PK8bN9)I-#=xN)Hst3CVHX zn`BwAHmG5G30=@gp@)~*u~qbEyH!T7ZCK5YKzVO# z=oDG=a^8!%v%8KYGEMy>C?`0t;=Mny`NO{R@00y--ohxDpY|}!SFo-Nv(q^-ni>-U z>|f}c(jeqG1cJzHbONPdX{O1x$oA~`c*CSmu`lLL+heP?`}DD%p%e#=l2wZi+27U^ z2)9LhnU%X0+XQ^LR>Z*C;0>5JyXUa}ZOZ*q*U$<5yv{@L+}1v+-2TtS=xn{b8ov%7h^_h&1BA>*7InH}vT?E#YV5Os_GA>B#oC*L!DD z52t&zT$q~gv+zw6nX%81#_k#ZX`>Qp%x1PYkFe9G;&;rUCG9l|3CLGR`(8q$l%pF& zu^fEr$;+3_l`Annd1zeE+AW9kY)QWncCM#Ns4E#f!!fL9&ut?uCu}1r&cI)N25L30 z5$+nLDgTN6F_f~22t)@trY5(9HOri?p;ge(QO%N+aZ^JuyNO9J(1tSwFzIhj><_Ua z1qjP3DCy+qogAG>+N^~(E6DmkD}yIX5B5>p<1jj$^@|j7Sv4yIDmPQJG_&&8pPPPG zS%~R*&dr|;R{sgtmF8w5iFKL#Uh9~fH<2(aXC|zvxE_d7f>1c?O9-E&mWPs;Rmfzv zpMjqEtcK&9^PLD@Q#~2;*QsLziDQc%KiEnlsisC^>yLV^rnx*74=2BABQ#I#Uc4CLz9r-?bo4)a_HOKOeCK)AjjFWoQT zSI+Q+#OyaP?!A^RlkWKqVj6X`@fHAO5sU&Z?xG>_z795hGOIGlA(1QCe!#&5EM z*2o9mZ7o0OcMc+liB98R-&(2)SyD8RYO3usH!~#M7Wx&#JxEd>@oj9v7#$$*9>@cI z^^-t4oz-8!?nY(A*+860r4uXscxj9YMRT>TsfA|WWx#kOOXHwf0Yav}>q{WS8;pdY ztXbHO_h*B6!REeK?z86Gc6#8}-*(||f`dAd@Qg#Va#n*qm-lp}LNw34n5svnn%31R zf2>EVlA2O`t7yb1o!s7g@e6i3Cw-F_M-f78;GK5LL!$&2Ss<5LpjPB5b?0Tjxqsmq z>5LoYt{RVWN`V$Sx9L&wG`QOMabb!Wv2Nsqv7tb++7{WqPhEV6^kDLk#W-BCh2`#` z{d$3)wpFF@62wa3CtTw1z{v9OY5orF;)x-SUL8J5K$uxZPZ;W|Ef$0})r(Y75t1aW zA;Je`ju7Vu8Ps%fT=`4kRd-ovZ$C0G8T0?Co)56mr3X3&e#j?s;Ov55vwl}O*DV}8z(#9x( z%~JRhk@n;E;^x2T-UfHLtEQ84$)_HwC#9i;u5hEJ?_L><;@xZ`y>Tm6Uv57kKM*HRrjCJ_)1*iEj zNo#Z-YoQ}cvOrqz4X8gju10fi8}$^e1SPJo0pq+Zo=YR^1v`44_6+g4T&KXBKF zp5h};@#H1#1;8QJ*W%zH5pC}0+WCFHJ$9_?wsnbGcfC!teq7f*Gily@9XNbA2>omH z;l>RAx9n`=1@efmBFU;nJ4;@kW9nUEJ`8`Sba!@B4X&G}O(QLYoN=G*Cp|IzgA zjrv|m#+_~vLk4c}X7w1$Y31)|Vmj+Fdm;JcGGF+JqbQP^ViA4mAo527+r`}D81fsI 
z^DlPrXv*qPLsgU}eYtryl)cZ}hSza6`r>1Alw_P-J;QGu$`?rRFj^0%(c5ij^O`%y z8)t<4xi?Vux;>wjeoca0i&{rw*;UqpYNB|Z5}%lH<#vZKGgX~L0{F2TC}<+KE~4(B zjO_iK7G~eLf1mVrOc9L@q)OJH>IfOhzXi&}OjZ!9j|5?;kV+HZF;9YFVGK?rOZcz0 zjkuT*{b1LsMNRg`w|K_-PV)+GF!m%Il(Bz04AC_f;euHO6RF{5gz9D-RID*6c!^kJ z&wxaKHCV!)ap>_WxWtl0(vYOF6K$;WZ94i>?DAldU&(o_osR%+fGA}-fr?7fa-Jvb z5+&beOtsCHM8{pOYB{$P{i=ZYPmBO0sym_+h&7E9$Uf{mxgS-bVHxs-*)E~)bSYO?^Pz@uH(ndG^6heleH7jw9rNr2M& zy~XXWUhmt-Q=|oH!~}}ZJZeN>O{)h=wM70h-{j+uS}W)6Fs$5}tX(<}c23Z!1mR>F z?7Soz2r5xZ9_X;SIKy?Rza4j+K+$uZfiNa(Jt!6G>j>?|a*vJhUw&RcljgBh2~&ez zlBnWnfs)@M@05#|FpAm?2ZnH%Sn;e$AS-q^R1qIG-PL;6uENNDlyqfO<#qrEGDbA6 zvF*T8hzm(&VNFOWQBSNW!9imR2o{})7Efe1`Z++$>gujCTALk|`O@yhHQd$XXLhg| zoXt>QSM`mczgvPXO)r?_dHHx$EI$Z5pn_W*S9@FecwBB{v`;pMd>O;NMcYF-t|&z` zh4NoR8sTQt*?$Y?EH^|>5VAf;ZA;ZI2z;uD5Rf1H>JNol9jduR_C1RGr0m~B!IcyF zF~y2@!mm(V0kS`0k1Vr8IFtGrXoG8v+Kx-%q@s5^eL0HegHYtKtTs>ZHOmq1GYqvksYM136~oX=_U~lX$vBM;F};iMe16c`+M915_aYmL89 ze(v1dcziL|xZwKg<8*jDPG{}$i!TIp&SscaVkem7IHHzV0WWzyD&g%4Eu6tgq1|WsKzmG5QgRQxyq#Qv)^LPJm{1st8obTjps@mWOAW%;Jx}^&q|giPj^9Y#I;H17r{7*&S_>jnC?>seH0tSnoQG zze*=8!CH{pFB1e^qQttjt@k-qSNu#7jK+buSTk4UeFd`wP!8Dw}h)b8ifwgvF^+jrN zV_E$s$*v3-!qKKc4OFQV?9|V07M_pBHPOD(;~5kEd3_#FcmgXwb)nx=AWx4PUASdg zvUYRXIu+8LW(ld49-BQy<#ex)Dj~lJlvg0n3rvb|WL9kF7eGEZYp_^yWe|>8B7qnc z9~e$D|}7zsjL6k@oZ%-0rH!?u_GrX>N5KTDKiC9H1;gHw!~)fiqmVGfX!Uq zGpb2%xZ8Xzh0%N9Id2nMqeKZ~CFJJK32ej2`-;KNSER5H98ClqV!#u>DvDkQnIw#O zp;05)6qM?9_)J;2srO8c-$8MK5*#2VNPtxZu{2J?KKu;-VO zaH24!K*$Zk_XTs!{m*~fS{hCJZoK2)rpR9BQu#zfgoU%_rcSKs7%ApEt`gP>%l}jj zQJ*IJ4y;KF0(|TS_*g8#k{*{Wyvv(+JR~8%$D-eMKSOFOvEy3Bm?5>8pu@V%g=+FRNMevJ#EsDv*(;s$A%h3cQ^U(47t&?8?Nn84H7S(fDR zQSjN4PTjIWOTwlhCvzw)pc1S7{FMJON*)HH2o@1e#2HnZAaZ6yL&hENlnu~{jQ?~3 zuUS6m-ge+Nzd>Ick)TfiNoxSClofyXw#5j;~{;bl_R@ z-^E0v@CRgj?5Zs3+14njuvC|b)61|`Q^zY>Fv26v%+^vObkh>?q`@ChBVza^9hiD=$+ioBT)k*^#%xEXhJlHRqPZ_ZmHf+Ji`;Y8b(G%v8SVRNpXm1j_47 ztEOUn*rA-1PoKBSPcuZjNMdN93=7K{JYVo_(Hhy&h!NS z?{yHl^jq#74cQv`{=gp#6=g|gVwDYRPnq?=4p)r0#JAc6hs-PF`-(7ghe85UF?1w^ 
zkNA~C#jlhxCM{XHz73c?TBv3r7Fw$H3GYU`j*@TmhMt^QD9h|{!O3uNwOoOQj{K08 zs8)-~@?$@sBli;8f8b{%_GE88;r90=&@2(tvV)Y}SBSVC@jru47>kf1X%*05hB$G9 zlzELM1-W3Yt6dHWa$x7h;)-)TQb7QSW#Y9hpXqVcQh#}Rh37~Y_U{+>u-sp$2ciq)B`zJa-n;cYIRStBVH{CYe(8bB>+$+|CE>dIep()$YqjC4Mx*F!T^MmL z^!aRS0~r^S>)$PC;FG64GNwwj>$FoL_k_${VH9VVJ8i)X5@b5&_2tFh4Ag^4dmZNn zfldNN46e@ju>{@M{&nH1de9}V3|vQ&SqsHE+7aB-SD(G_?UDg}&h5uB~s% zZ*|@JG=>haI;gL;3qxz;pGl`&P%M4}+P`yEA4iC{^K7_hu`&*;Z>IIe1l6*I(UR~mpj{LxxSo^q&RhRa; zUQKL0=exc>`s6D zZ?Uarq2A?BY41K|n@T27E7`l5JK1toG=V{BJ+S;;$oWLV@- zdDBxWC)72DUrLu@7G&1l=*fwMz03|$LG4%5t60MQy5MvLqj+@{-vGuPy;`MWpTxX&;=LFy>rrPq zX|3X>HarpPJlok(YqR+3`Q2x7-BrcFD`nURHRMT@X#j5L?7@z^db&Z)SNP}Cr&i-L znTnE6`A=p4>jlp92hGW?au#G$MHAIIZfJB_8I`h_u@ov&T1#9uzEJ!pn!~@g7_3!R z0kDXue)9^f{jKA2qg%w1W_7fFk7pysS{au&WmYzm)k5oXTfW~=9Enf2} zCr0d3X{(z>)LVa%O=dw(UlrtET+qMniO&TAt($J|_5I)r z4ThyJZ_7ZLj^Rh~Fx;Dfu>_tx2|LlUso9Sgmc?YH!Z9ZAOGeZ1~LVeRhMRvP! zBK)o2L$W;m=$jNC-!SUrE;M-y?Hndi$(1XrS3CqfdXf97A0AkfO}#L$@<0^ z)xpUMm}qM7i6Nv*!Q@!|ZBIj!EGQ74h*M(2c&et+C|xaaLeQ?CkBquZ0SM>8?>0T& zjdnv*+s>mmDC$Zii7JJl6?sym#m)pWQURoay4**b;<`!Pr9t?XsxT>|YGZ(T@*9KpeZ%^8m!V+QYVm2-zF6e_U~uwh*Vb2;vz(x2UBmTC zg*%;W`Qp?(e-@5j$H6HKGg$~!kuvr7JPAVhtlJcD7Go)^d~;xWw*RJIVzl;E_Jh+E z;iF-T5dKDNQ+vgP`)FXRL^vy^BjIR(kLgo-QggnYCxy6uiFm!O#jfqdm+KLCd^-c& zMp{zDj7pX{rXdZ~WI@MT^g}3vckY`{UMHuv-E37>AoeWt+5cX4^%@z18#xGyB@KD< z{9B`RJ+mrZ?p)f@6v*%!pvu%+a;3~pYrfS=F}n)t-pBtQw|q0W0ZgjWujse2zJ{Z> z9XHc0U#z?IHDhlFM*);rdSZ%e3BGj6+6C31qQ{i`Kw>gIT8R6|N&#C*tW?9waz!u`Bje7E2=GA#CI>R$Rc z`6UJuR?gfFl=vacnt0Bq@+n3N^BcU1VZ4+HC(%bcN1TXp@5Jp14&mj-?n!VU_A^ty z;h+W1G50>MqmIQfc}PegU7ZtqdhQ=qs(pX6ut)}PsKC=}#e9KlG9OOy>OU{&gvi}x zswFq283YO7+#46C!s)xOVn7oau3HNGdlqBO9XYYc_%9tg-a&^nG%oMW$%?*w zIKn{-*Z#*uT5)LI`?lQ34s&2O46C7d0jrFCa}%HUqLtvCOa2{)SEx+4{@3>htAZk% zwSXwNjzHOy#AIM=d>12DMREyQR%%WWPe&ET6rsO#`_ZhVxX_fCTu}xp+|sht0_w*9 zEt2VRGL``nHFfb*@@L2VMpf_9G-%nn%WzoNvqgZBN+> z-+F~uQqLTGsSM+rkK4v;j|DB;rHJdvLGXKU1c_xEj4b=CL3cWH>MfXqt>HX zxZ^J){GlEHc~V}4E|I@-q-4;_3zY_o=wU-uLV03nrwS!pbMC1lFG(!cEf~+%GUU`3 
zLC80<4%QR+^Ahj@Cl{4Ro{~TB(&R(SW_*kwo_|OtoeB6QA`+%ttNLp&D}NH z^xeEGES(~F-eqXQo6+q>p^VCu{+w-^DMDIyLz}#TOFzeGkFuia{lrRPC?0GHp}%oB zknX`LSgf>Ql7r1tFbvMz6j({ZN|q{bsFR{TBScr|5f8Qyq`=XmQn1J#2%SA{j~j8Q8m=KtCNj$TIpQbM3eI z0B>Idz2{}G;dk;q>9LDt*&@x4nW9O!!83BgT#}5_Umgb6VnMJl`iV!{ zn-d9;V}BU4N;+a}IWcf8B6jeai8)~R1*i4v9E&uS{T?sFxuKt^kz~)6E4hag(A(!E zTj=v?FyH7ZQ)n~|ch`R`QJHmf%5MbU8P|gogi<3Yk~eqMFZ2(h%JFlseOT40FQ)gN32JrX~b`=Sc1KnAa%re8o?a z&prPPAMVgGiBKq8TDFMI|B?`83xY4--aDF1DcY2|BzwUi$+%VtgSOZdhLjJDBm)+e z<0>O$u!PZhv5qAe$(3>c2#{Z^joq$Mo2n=KAd5&4_(VMJE8UO)Zf%%u?mDl3VAxbv zSC_|7RTO!GU$PC#G-aLdclDzak7yjq=`1f>)dC2i; zA6fOed7LboXMHst0*4>x0~^fpcBLQl3Z-3_uB9!|9G^iOL*xbeUF~MI6m(m&sQX(s ztt@_vn$z}H>p8;BD?V`S)B2Z+40T@)Tl3rwzkW)A1)bXIOuO;I6V93p05`9H0*F=d zjERi2GZsZwi;USoKvTnpTs~y{>_`w`?X1F6o;Rl7(!cyjtOnJDW=yuH8|&UU*Kg%E zD~peinGSF#YD1$x9<(v!o(y(o%GMhV^hiO%xMwx9*5%sUx>(N3S%_>mIfc|t6v)Ml zKWW$p4*EryRL#smHj|Knxf$Xz9%gpoxz)rii{A%L4g0`BKQln6;#cg@;;fJG?i)B+wsD8oiO4h6t}j(J1soYftXHyM8sQ+K)OcJ-)_f!%p4=i^%M z)RV?lW|yc>883X+<|&)qy>TDz-kj4N>W5bX zI+y)E%i-gk8Xzvq=MsMJ^+amj>pK#B9pX2B@tN29+)~^21#Gc1i|KHthIO`+D7s4H zPyPArcq{kkO@PwAWrAdvJ5Iw7!sVfk4DqK!LbJ}sUHJD(`nLKa0vD=ou@@AhZv5<; zu*5d4rrW!{CcB>2Q|h{PTe@59++qbO164|ncclNeU4S8{gBXdN^#0%L^HScKt%>KI zBbv&#EB9&}ql*RX$?C^9Fn^nK9iV~#XI=Dhqjf*Vc8m8EcYxlvpUYdiT+Z-vY)lW8 z&krlw$mptEFH<%fJ?b{r#a~;VDNby;Mf$4>5sbKeY)ZX!$uS{gCE_S z`b{hDQLN}k>y_nfD}!>&3Ur_Ebq~i;lOa=A3)oMOn)cOyhk6d@4#?luMX*GHj(ayc zA%*O0R%W-?(RHz%=e)0{Nw&{CtCVPX_;ZXa>+cL}gWOLOy2$E2|!1Yspe z(8gtV5wFZwltd$E(?Wu*aSh#1eJw}qQG)UEfBxrC(mJPzmX6Nb(N(m(&g`6vrp8+n zyj!3`)T^Os0GZ=}TuryQUz>@m5I<-|jd&RkL_}O~5tp{>=kjh*pVN`*_0prA~Er}#|(PN0k%XVLjt%O z1v7NaQkvHps$lqNg+@?%p~WGm>$udlg>lD^PD1Epf;yB?fLW}}qQcLzzu0r_7kgT9886J((e@AI%eaZ@q_xhEU^#y1y1dX-{Myl1he@%61o)*7fq}uj=?fMNlf9jFGuq! 
zn$lp>biH^nzIN&cZ2eV}BKOsJs+C$&pH&0TI(tEqRVj2(L*aqx^621;IV`WoHv7f% z9#)k{rIo&(mxoub#U~v?(X)*%1px0LI5D6zJWrEEL22Hm0nD3sFLR2F9{_%!mLrT# zArCB=`zJu&ar3RDfF}Ab;&rKwYM;t)kc|g#FVY$p#8Q5VH@DyW45ol!tEu*#d;Ri# zp71N#Lb7Rl**q9>tXJ9d-|OOZVLDCFJk22m5N|EMACq%6Lk;CoxR1dQ0l9xnshcv+ zs2epyRg*mshH{U28lOD0J){8CQgR+?RwE|Pg0YsAF^06U9J*Tn{4>?_*-oM3T1ze6 zhwHT-TCPHMW#&$4^aw+*`N!1(AGPr7#GhS5e7l45`*SrrIC+D%aO?q$eN>=T2jV_L z3JCRLpq3gblIBsOl*>uyHD(Nh#>3~!x;Zvml#%=Gv+&^EMgaR5BI9&=D5@533TC7! zu42sN;d9jcyB*6qs(}_V#NVjg_SCZ5pvvS6vyzNVP(o8>yDkzLyDqup$MTQARlWg> z$KSj(nIObJQXYlvGu&s^s=~A=7Ak@-TR-zT4Zp*HM(8(Tel5cGn-YQofC!7!a%NMJ z7$VY^Kz&(JLLw{UU=o#A9uJf_r5_kG4<0D6B#@u3Q@=334tRvCBQ6L6#(O`Z$T+5S zC3C@zWs%}~z72s_EtXcIu@kZ1@6%y4s9_7MTY?y$umqe=sL&TvPdkG-*`97@Cy|bG z)1aq?(8CbN*h$&ugUZj0fD~mx5o4Kw)J6~}{nL_o(8YzQO{?tRQ0TGbGGz-;r{=FT zA!?TS7mvK%sqvGMu$zO;V$?rTL1+tXp8_-GMH-<`EkXn!=YN743>Z7VMTv!L@#C6_ zGnKzQRH5i$4p8nE41{`>?lLA4TLKGM+bQo>) zk>a4g{T8eW6yi0t+=}n)#@?K`sDOXYLTmlI;c?;r=1>%dJ^LrOjCCp(w^@Q7ujx#+ zYH8J2Yjk&fS}V`>Oxh(ON=~gg6N*Ib6Uy$Tg@JeiD+!7rWr`%MkqAbjIEIrh6wPq@ z74cPaz}cEKkOTrrC?YSwEIE+r2fRc)owJLv6QqIzxONwn;7wWt?uoQ1b)~MB#+Tv1L67&dp*BKRslRM zU{@OIWt@(0{{zw#k_eMCYQ}0%$}E;0jW=D;PinQT&P{8TR8WL7KbIx$(M!a{>Mmk& z7OTK1t~|Gk7JdhJI+k;=7FHiW-JdP>6~-5L2XwGJr$%O5Zjh>KLWq5vD$~DwNMD@Z z-_4eVHbN4sVG+v_H3mZX2u@IuuLBHU;E1SQCvhsIC<~f(9T@8)P@vR+1#-i@E?a5evm1i)&t6l7bnzLh|FH zVcn*X8>NZUM3Y3>L+j@s%g;)>08@YD!EJX+j`os`Swz$1xWG=v?6T(O#k)fp#DXvk&C3zJ@Q zNa~ZmE1c$)%0H%vHF**-AmC-rR#(_2_W_-S2+&#)C+=3VOfe5BJ*Ud8M2b9zZAzCb z@x$d5z(b4%WW||5ZOwUr^P@WANW%E+xX0|=Bl}Od76GRCP+*}Q2CM@fi6&z6+uWWq zcPyPv60&33sW+67mj3CRhEL{9UK!i!B2WXG_~dL^E4-A2_s5ot4=K=W%Ca8s=9CdE zC&+t6xR@79w&;GFn3?JLg=) zqam-poY~+Co^;s})mDaF^k1qLfrg@>-l_Y1-C zZ+yIj=2LLUJu6&FHX)lRxK;xHBx};>1Saed`y@IaQTEg8Dh7cqA8vg{8B4%#R|GJ6 zSr|Uh=(_=GLzYMZ!@b;flwd_j)z(=iE|S?52Sz2cw!Wr{R{NU8*FUa=J5j&zAtjQ| zZNK4EZ*d?wC%tNkv*Jc`%Xy(5J=t#6%(j_hn?TvI8KP8x=T>}F=kSF_d>=XKM8VYdLg<{!(#NTIiwr1D>~;*f(_ zJt5jw8;Q>AU@XfQOV_&LfIC>D;+u~$CHVyDV{d#ZF;6@N4Va}|MnurtlbG5cDh9Tg 
zBpf(x*RgBtIb+$)g5TtIM`a-}cTxGyU)$@9_>i@+eIG|xM|9Mr8sfx+`&Cvagf}!a~ zA=An~incsP0T7n`Fbc{u-=5-?*dnxK5Ow{=7RK?^1W)6A-m4llqn=O?tR8Oa@3aTNd6+xZ}R0W?TIm!20VW%BT1DFydQj6=dC@pAw{5WB|8kO zPOI(qzruDZ&D-@5J}XT$06kFI~c?r4mRHW<4=R{-9~0wPUw_k87AtFH}9^?8VY#! z8~si@A0kYb0~6*@8~;Pa0ykKuTd$rwspqu+UPYx|i~-_J@#oWnmo9C(nnqj`NmWRG zKPjmwplp?XLS|+nB}FA63`YTI-V5kak~70zWX8CpPCNwRqvXQ4Oy;3hNAo~qhK=33 z5&JCD84Xs1wsW_s;ASsoiOYcupbuK2F~tO|z)H5Us`#{2?kzg>dB3=r1x`_6!!;pB3h8u$ zr8I_iS(}mbA7@bEvuA#pv8}cMe=uwLeOvCv>fY=bzq5tfY^4TGX#^MEJ=2QVlDIeo zLeK%ZlShpzA^@tlK!wnv`H#4^pfmC$3jL zmeE)_Zt>bLG)xqY9hF0e&nD{$SFF@ z(gc#*Vns%bBno)vK5O;+Qo=_}@C8IoAVSd6-T9HFN$rLD3x}ak1-OJuxEf4OC+&dpEP*dkvzr zve&BD04ha(3DB$3?b)?$rS$K9ak|N!_E1BlXOls96QMH(vSyKI$d}L};uk&kq*lgD zh?FYN68p2vUO7#q9AOH{q_6&qd;JqIhSDNpqN_hDO#*iUd-6wnb5y4zZx)p}1>+tf zlbf9pmwY?}Z|{cuF9-JzBvF=$MSDj6Q}NekHsKq#DTt5S7bdkjOK;qB#w;2Bd@4MlGNqO%xnnFlI*$=5dPukkCA#Iv`9|@fSH9zv1zKE1 z_sr@)oZfs)QOQ0hX|f1H1ICCb?i^ipMKx|ZzqvJ#l=!gt7U{1>x)OURNWTKC=&bC4 z#n`iOcWnP2H7XigWI_drA~f(_-v40=HYI$^q?aD?Yk_Qnz&#ZnG$*7=YLIsvrGDyG zk~n6olvel0)|Jvg(2x7(WrON8usp(@6?w+o`&;La=yN3&&{T03n&9L4Ysr9_-gv@^ zUXcp>-V1`PlNCUQgx5&mM=pFsBuA#oBrc`)OAMn>5DmXs2Zm%qkkJYuM3dP(GLA-f zw?wqpM~r{MmU_Lbb6L)mAS*$brw>kh+qABoTY})v`1gJhOe8%F*#bpT{N)&Tz|n}p z8}9%>=8Tq;Bc;@7SJ;ehRl;H`e|{atOE$bnZEy#DI}ZR|9@mqqQ-lK z$eUPhRJZ$H5O|*L0@TQ!G+PwF2tZ;zxi-F?r?f~aN7e=cX!}|NzJzpudxT{*_EAGD zi0CWYAuWAmUHQ-p6km|E1s`~))XE{#Tb5XjWC8#y0!vjf z_S)T#n~GDvqcYtbL}4Qu6SqVLy);;CFZx(S#JMupc?%iE#jor^6Nv8rxa1!})$r)o0 z*%cq$WFznWyfN6d^38Y+q1)my*r_Ok;Kb(vamTDaPn8>P=bX<5@MH6(K*3CndL14igiO{5f6AYJq(`3^$`2DHL8n)im*E!f zzmf3Tw~^6WS_-=I(3E{->@AuVBsSEO(S8Yc4{$g1bU*ZI+Y``Bv|V|nZ&MH23t%T{ z#(jm^@W zcBcwaClHy?^~ZO0;+zN7bCoS2=rp;&cZ&2Me<3kCJO6y7k+`9cVlGEd#|{|KvL)?h zMGWy3ACkhwIA$2uGv7@sd-Cfm| z)GeC6G`wh8$8$>yxX@jL@oC(|8dBAz9C9uNxQ_hqGchG z+nT}Fl&`A;h@JIRYIJKih4S#9fi$iuGA)hh*qgdQV;+jy^qzMUFVP|@xzFGQrj=$0$%ZURw&Vq- zRh7S-udJ#JQG5#^ctON(T=!cB-|=lr)oWseD7EBMdKlx#OkXT=A&#o0_oA#UA-N@! 
z1xi%&F|^Q<`C-U1kDN$J=`!U%yOHO;_%RrTkczN)$HC@h$T1k*F@7}$Vp>ecfvi_9 z6l{7xj25Y)uiNa4g75M~hYe~TcT62LrjVBmupZuwVwc4cwE_b4arVN@9>~ zR@CZWJ=@&tWfyhr_IoF%U>6$hxMdX?1i%+|wz2F!q&S3*8IoW<`NzlnAcVLQx-xGL zx|LChyQO>}iZRfqq#^>ZY5;-tyx8oB?S%Z16<2%w)5I1XFYjKWlGK2gtd~PhZNeMAGr9OmQx5|WaHr%B_J6n3dhMq41KNU*>p&gQ-yD~@4voyClT|0{d#l|D1?w{1rkwS9J8OtsH zJLfpeown8xiI$BEK2_gXt9E^zslc?myvkw7Ex%Kp9gcLr`e|H)ZNpsx#;j z35eFeocAf(b~Qdf zT%h?HKq{bbpms znRYiCF-N{wBY+>*Ae5e^#NK-F4nJ>pw%Qnp*-DDnP5;?uJK{s6P*s*s8Ga35uiK6Win1gv)qLo@*z!v?p=>MXfBAsa(rnvX`f|-V)K#&_z?#113~EkPlbgl zjAfwO{R5);Vh(&fGZVeH!lC+m@h$vU?N>SaFLd7G|MZtPUJd|9US`yx>`)3KRi$DU z!VD21@KQC8Da~XeJ$A%=`~N%{ST02fykJ*E#dI0OL=Op5U@k_^!)s>w(Qkz?Vb4rt z2P@RT3xVLw8Y)_$@f_U=6ql?K{~}{Wm%(b9F8PJ3(U30>NWw=}VjauhOQ~qt z70||J#hFU##sQJjCW7;+#XwyY6WkysB`gC?IBc+BiBEHtS=NBFw`GS z9$-s`qKPoT7I}uL6Ih^pRMak@$XX|+#fgVbDxNWr%#9ZocZy5|NF88S23d$Mbie#u z^Vv9VO{CEKTW4souRrOeg?5YNxj!7HowT)W)#k_0o{<3| zaW?9BzH2(29Evnoyv%AsCMe#*;+dn+c~1XJ=b-u*rSkd zd*4&sJ(IU_%1@Ojqc6m=)U!f9mmOr$ELPDWW^z;}Qc=GQ&>^oMkX~bV6LtpB?xHLi z8Oq{kQnxqlA*8aL{e33rQPd>u!60`#t$uJwhAPbpWTG#2;~sejed}xe%i*O2Vx9M|Yn=pYQ9T->+xZTPMA= z!vk;1fAayAw%nsPH{1Wd9QF+eTOCDOFd5v_7i#sRqDs#nZ~Z%7_WruUevyRp_=#rS z1e=_s-#{GMfcL^O7j%rI8=0fco(ni=wBY zT80`{Ep8<_lnVq$S}CRY*BqK$kj6~COAEM z*VC}S+|Bq{`!=#=q+N=8D8f%nG>^e%LpQXS-zCkpBS@p9%M9#OPfdc-O)9!Wp(p23 zfBvwSu#nFitTlm_*iTuQXq37o>5iVy4wRXjY$?&%BmaDg_7K6V+qONItiSq|_D_G# ze4yKVI@~N};SBZ(mW)cq|twgT=G`< zt=|n@uG|N87(a=9xa*p6U#^y2#M7J*$~DcJgcfSEf|)=!7rJ~a5nB1_&f1sj4o`8S zr}W+!6OW+ZBfjo;6(g0STzRF?PpW%U!R_lq(*~>MyvbkIZn?=8`0y_{-#tHY|Cav; zu`zOG1AKSVw8s12W_{djt}HJZsO*+*F-Z{b0_ROU=IuaPHr zLGN{q4d84=FU6Y~voU|1zk?2qnUo70q;&j=qA(@A)W-b*&yXHEyK8a1uubzGh-%fN z`uGaeCKdbaWs=rV9MU%S3;eA}F*JDC+&UOya}7B@_w!M}1Nj~BR_ya*%(&t4X`=vS z3&c~8A`m8hmjwHVcaCNsT9Ag!LhJ0qPZ8rrP}!0)cQ{hYBE_$SsOWM(C?W|iEM9R6 z7!yd~2pO|L>vQ-?Ac?&nY|2*VzWP|@lF+3zPyn;~Yf9%PLTJA^5F@uRH%2_(oyMRz zb3V~0_N3UcZ%i`m?fq)4@%28AtM%@}>k3Ae=3~Yalf2$kqTV4+m*Pwv!45w^457TV zP>FkgW=skBsHA|LQc04U+9wYg!#wBMD2c2Rmm7K0>de6y2M3@pYAwYvPuCn<3#m2| 
zU+ZS}Amw-HQtt2tqiN8}z()o78;HIYLQNNFwzUsH{WX?g!Sn zw&uU80NS=ItRw#JT#O(0va*L1Q#-iD1Onc8Aav=pVd!Oyj}}j2s}22wJ}^Y%6qEBR z!l&Y_c#%uvhyEw#JG4i}^6+bKy41bVgJQFuk?;N;kOcfiDFg^h>Z{@QDWB$eKI5pT zQwA#)=cGSyf^+08CS}hS>Xcf?5D}bc_m~*PL2o6qKjZM$ZIf;TS0VY)@MF`roKOGgz_HQ&k=kr1Y1dA zPUNJ3rTA4-OLB&~NpVnQMd{BSvFYSN>l7}0eAUa>jjg3;(A&&J%xL_H1rhq|iA|lU zcaQ8~`jfGn<3}UN*KwSa6RXwHvpFRyxN*;vBqAy!ADKBx3Rwwdijy&hzkJHVJhKGy zvdzU$CY{(iw})ZX;v|xBVB~lmx$|@N#c1KSP^A)J&Pv2!g~I4i26;RntM_Z+8&2B% z_}g6a(KL6a@ zKkP47^&9x#??Cr|Li&Q_x9;3VdG#~&0~JgA%kv^Kv1vRsY%Nu3GljS|UOQa#^2g%I z%a9iHu&R$3jf57TP~vIZrI8(aN**ww{p_8-@kVd^{4P%%j`z?^ZX-Da}Emyg`|(3A*NH z+UmgbQGo?grsXNck)tqfB0P+ZHXLo zHKWDF^Ag)xWQTwE?Cs;2tlMOsZ{N!nP>3A$^Qs7E-DXNTZ;m;zsYGm|DFc=^M%E}( z(=lSmhx-Fp?Gtm;5~z<409iX`D%$&S!}||74FoK3tQ_-$hW*oje*Bl(;_UZM`LeChTj8WMnY zX%Urt+E=XC+8Mn%IcK~AK?n{4pD2>($u3AZ?))4&uP=t+{rk@rk$?8{>>wOkp$lfG z6Jh?KmeLWo9HlIj1Vv_;C6e6?D4ANk7Drj`w zUn)1SPstk7gEl*%C@-{~m`T$T?T)(Vht6+{Ef^qYb3f23q)10?KKrLQ3+pBWM51ZO zz|_-28hWyiY?IKk!ZX;hEClc#f7r>0v!J8|&&Q*7p-cy_Ih%MOHzE&CFFfs}^mT-d z>X!8Au`+CNoxf~{I_w`R^ z4vEFND&y=wBJ}?mhU13s2)L0YcApMPx=VpfAdHTDt&S;aiL#XbqM6>dyqbVu5Je4y z1@Hy}Uuo}u|6U_$ve>z{jUA=cy#ptDypc1^M0s__Xsl zjelEq!r2_Z`&s4ij7C58?&M$t{Mu_@va#WAGHeSn2X<|C4+HDn7mNp<_)(s!Z$p0m zQk8VPcD5D;Y4tPyv{e%i^Z@4k_IG?Te5*gxd-#8J-E!Zrn!mUhLG2U%=!@ig9ckG* z%kQ>o?4l!{3H&2a!ZMJ^Q}&c^H-qn6K@hFb*O9o%`(8&hm|rpSu9x~zyFGUCcmK9B zpWiLfzj0FP^Sg%rz4Li6u*T~MI&#VTzTE#c>kV#qTy4TJc#GgS8=WL>m6cEfLqcWn z68e=j76P6#=7>zr=3YERg3E|1H!@xDWRiLrK>_za<>3MJy3)Bb0PONr;EgM?1#{mYOEeQI*H_^@N}G)Tqy+_v{e=b%w z5wl&K-HkRYVq5rp{9*yw1kG+dahq$x0sjK4d*Qayrpi{m$1?>1oxUGbu{G!w8x#)Yfv3J=4KYk~wtgw9{*E4U_kt-gGttHS8l&ermDIwr3knj}keWN3D zUEE#_by0_^xA|;uOvs}b4BxG#_3(QA>qhq@P~^E#pV95t(mf*iH3YLFCtHd^m9}^x zDIbNY1u&_nI^G>|tox$Fj$GNx4s4mf$KT9FzpjsPFEBb;2Ywe=a<0I@^4Z^l?($1C zrCf|sx*`0LRZOI8HNr_2eu`j9C{0s(p{QG&@Yf&M(oUzK3 z@Rkyo(gO0(f0CEUD1-zv^B-;Uj_gc`+mJc#MMvPJ1t!X{_KC9NHt*+zBD5i>Lg&T@ zKMFteF#) zFoAh^7l~mvJrX@g^ubCAO@(3{62K*{0dS9KAr-%-`h_p_ttIYpXWAit%nqlebyY94 
zGuV=QlmZ8<<~S;eXuzI*IouO^ccH^Lzp*8IrT&y0Y`k4!n?n5S^32$GZgv_ym!~of z8D2y!9s`ng0*O|*^bWY0`J%IM%u8;{N+*i~#PFNY#^@14g|f~3GP=S!M%igd@*<)H z&mpz&NbyYXm3Vfzpd2yAsrsfW%gphX?W3Q+%V}CyeW+k9u*meltEc-2t+_!tf8X&m zX+qCWf8y+~JvJgyO+x?WuB`{|a#k*-Gajhm#VGroBDiRbl!(RcQsS3^o{1ZZyG0b_ zK@tH}N_eCWz+C5ln0KPjZXnW_b{~e(U_*Y}AfP=U&h_J4n}oQ}ha(n{QQqCKy#jSL zBW~Lt+8|W08qGsMlY{4;hN$`FqIx9&3?EtLQAA&DWSZYWpzm$`hG_!XuLE*BHqaBz{ewxzkCu6r00U;yYM)uZ$cr0_pUdn6MFcKDo4s{1o!dc14qIXf5uiFLB42dgpF zy{%kRj@-pR7k}v7aNptwb~aaNP?oY3RN@FjVU>ca9ihXIFim%=rT-3!KWM^Jj;=6c zRrnPA89^Bi@#?q|=Z+wpL&zMZGZ-@MMT%?1x3XKfU&3k6!7R43rCKp%&X`LX&o^}; zcrIhBnoK@81zs?{zwq2<+d*~xXa2Sa_C40C9?ajS^7U|W=CnQzm78w$9=py%I}CO^ zGySou#7Ycgm$5*Zgj_4p0pvb_ttN^J9#XX?cRz~KyhHI_C~a(69F&faeLNK9fG$=^ zP&OcP8c?9Fx7oD!kp|8uc|z*r@lV$=Hck+ zAFe@Y_r2?!4O4)a7$%0bkbyGMH3-EeAJqXBX%LDHTaA=tC$A-aWvau%yb-p9IEf<7 zNhWjX*5iy+)D)tuc_7y5G~uB5%98YX`-jjElxeu=U>2dVWU*FP6C%Y@ zb0o=%i`~T{`Gy<`f&w`@^j=xrS$T{Nei~(J6S8A@u8|zo*@o(i$USbhF?Q=e9pOy* z?i9kZ)w){Sl!k89)vRJoH42T#L0=knW8(w^CfqrsYwoNp%8PNMgJNceBt-US*3nIx zJ~KmE5g#moCd)T@H2Oah zARKlpE_pK@sH;L4r$37n%Nkn#fcksE+vN(+oE`JA9#!TpKnk=ZMCz+BzCc;-=N=OI z(^a^47a;y7hJroWe#9p_3i(;LXS_i{u(8tR94p^VvO4E*Iqir*)fUH&Jkb&($%7z6 zB&8}-fWa|+Oj5f+c^{GQCr4ejr}`>zh>`2(f{G`2m=g-BzE<%H52o*416AoYm*bc< ziN&e5Xh#5GW!P)A!Rm5KM&p|$2E8vNE(P|b(QIn`4-TMA z`FL4FXC?64|KtWYWI1H60lGF-Ocyn@sC`Y@W<5iY_yQ1i+d%6a|4o zA1-#TFcgIQW5X!8odkw&r7P$dYBq|G6Z8+;;DSwmSGw5dgVz~Nmf9kW?YGcFv+-=; zRI^_8QiJpqdKWF(-Y>P`zB*f>uyp_ zY(-Wn=u#}E!&}rtrp8f7rGzO`E_cmMZi_gvj{hlXg@%1dge{TUc5>{cZeHaiN8q*| zyx7)c%o(S9cnZfqK{tuFjSp~7a324_$+?7L%E{3db5YO4Qm6hFl{<{=?2f^0D{XoZBs zz+o?r{66VC&3m<8--mzQqssBcY{Lk8z#cBH8fz9l#=kPvfg)~f3cSH`Fdc{Q0?-yx zW)*_T)G1BIr!eS5#|+x z`8>IpAaMO@5h%nW!!p@&)3QX}|5>GkGMkab2L*^OxW_)&$ioOgon|T=PPh-3s_^{E zl$Vt&dJ2|}>Q4uzz|YPSg;qF#*~|`XT8;#onui;X0_R{J#NZUaf3liEN@@fu!8|Trw*1VH=_XTDYU#IKR7SbdpD*lM|#Ji_` zjZSJN4-Ke6N|`tQRk8*5eV{AM#qXUhKfP1LBjJ}5N?cA>VkSv)_DiG0Nb-}+oY)LJ zAMuG_^7_h_o7p>h2@!^T^UhO}YTVpjNtm_Fd<|EW!zGh*%+I~l$SX{aoN{x(;Hhlg 
zrCruUdr|M_Uv%as8Rt8Jc)aZeeVY1!K~Z%1xP{NM6}Ewkh0*uSBg>4G+LGk@xfLJ- zPPF9di)_{yLv(g&;`md;)9GK8)&#VN_Nm!IcHcB>mE^1G$ zV?Sm@5O%}%t@A%F#_#9=^Qs!tV0$0Rbg_OQk%BZkScIlGjx9L~BBI@WV^Ol|QYnBd0i!nYgV&g*r}QpllhX;cSk= zP-wu2EYSfQ8l8bOP<~sMGiHymYhyuvpbQnY0dNFy5&lhztvlFYV34P@xA%o}tb^F& z!~U%`%Z$ZIw5&bkgIPPe^!mB0z(T+A$S{~Ts;PbF>rh8g31FgcD;IH&Q&=fmmd0Al z1@!0);33z<5XK!UBq_Wr?{Fv|$aZS3$<3FgJfTzq*kXJenW%=V^(Qjvh~M%(Q%ipj z`|0~0f4xdM#0SInC-`sLTn5p~(dd%skuy+666bjO-TZgVS<8=z{aZl_Ey~@Kako?+G>?ZEh0mAYf;Un|p5-Q-tjbB; zQc0X_5|mgNyjbYK4k>T*t0gF zM)n^QM9cpnG?9sO%_Ld;ktsr>-^7IQwim><#a#Fhr+F5){LY*Syt>%bS-J)dFCuys zX+{YH3?n1!`eWZPpni(#PZvU}I3YV#%ycojYu`1Vb`yMqxdGLl&gZpvZAb7X?Gsxn zYe+)~8kWeo4|~5PtBEQz*JI2W9htYnf1UFyp%0|Nct`z}!n;*`veqA5C`5$M<{U@6 zsnBG7VSL0FE#(M|Iwvhy)IE;+CAgx1EM_W7)Da^&C{^~AN(>ugG$%EbXD@k!Yr@7D z0R_MeVVA3$0yN{4VPy|DcxvhUz6bR?VE1@oxWhM}y3mk|h1a2$W}B{YU^_iRHy99V zhH3B~YGR7uPP`|<3ac>XoPnWb<+!ssqqNym-PhHWc_R!8cu9TqA%i{UTuR=!qyas! z+zsk+8{;Wtfb}*aLqm`Kd z?LwKuF;0oyY$YY`a>_d=%wCU@G{b7-9)8eIB?qIdPVE9ZbLzJr=3(lV#GIXB3J_mU z)Z7~GiEO~%?elUiM5zmgH=8g%JGSfp45YVu>JKnO=UP!u$rn%Q+vL4guNq$;EH}dn zD*>Df7wvasfOFw2K+Q_=DUw!gl&&SuCAE~G@mN*$=_44vc@99}9e}`*ii_U`Q9giP zK3;ARD5VX6>Hr3}P>Wu0-P{&e|5{v`bZ*17GjmSwI0YH=QaW2v@}#l=7tD{OP-IKjE!SZXEKgdh4-CDHrfo>+nrgg1n-VwJ^}$J z`%=P9hIt9RRUqo2Y&54gAaOHux;sZ(0S(FiA3LY!Iwi6RCqs8L81` zMSG|^xSSNJSeqLgD%_Z7pJMaX#hJZ!mcGk5gVhn831J(77G*YB&;!X# z_OpiSpi1_!1Mkk|I>eTp*$7}ZSg5iZTv^V}OzEX7v7Y?D*+)vLzFxePymmQv1Db5z z3Y1-i;@cF>mCxCmD7s5{U^5{m=L;hHeuqIx4f(=x<>AOe9@@c_CS7Tl*Ao zWUJ3b-sEUl;g!x%TBW2djHpm;k`ZxG`^K9==7o3K+ySu%irJHmo^&xww$=f^Ec?{M%Xtt zNU_ZDeYDb2b2%l73d+Hxh7OX&+BTwD=P-{Mu|i&~xMLM?dMTK_uCeB4u8vwlY+}q( zb8Wgki=mPB1o+v1l?i3hJz3X?^iktWTT#);`~5uA)8U zzcT$5_0yCfmO==&ku7j;Oj(oE9&Ov)trR+Iy;JG%(Z^`$livlJ5=yeRBdh@5+DEYd zlD;AAO2}$q6>_=Jz7`0TT*&O2Nwo;g!bVRC@DxHla~5L~i30iO#ITUGN2ra^Wr{eZ zKbgwxu$!EVxUwixZ0^Hv8eFHd?Yq4WeNT2VKQlI7qD?9d0v3TRVPjP=F8N9z1DC<( zEB*5Gxq_t-CTd(=^ep!~c8!+8lzdO7!3k`7oqLl6>@0Q&2@#MUhhRE?VxS1ymgqGC 
zy;E0C1vqjh8>l@>{_LI?%@*zaxYasLu1!=`EBnTbZC$|@ZWDl$r|^TW>EqpVUJX7g zHZk6{=}&Pn4sBL>k{Y4AssTR@Rbw!jm=H%7!%p=@e$8lltO{oE+jL%adYykk_l;q2 zgWOoh-w;87=c=URDZ+dDW&Uu)Zz5Xay&hhfx4pf;wVy13w(gLw+4ABH>NK4IX=7&R zInYiK1YT|m*Xnx)(ZOQUl~V)`keFX0hROH5%Qz;$8>A;#F&mYiNE1q1$#9X2^4{lN zAK5s4c+eV6c!9&w*Q*P#XRHCsOCViQa2w3f2v~8w9rv8V8`j{oz+>~(fHa?kGZmV_zmifWaL(V z*Y(YI=nq$fJ>$GfYxl0bt5t}L{IL{->2>e%`+nskP}d?ZbRm*B@)Zu~yv5V$?J{3* zN~!qqKCTVnYk0!alhHz5qIFTOj7eN$P}G|(T_k!E>I9lCD|rW2y(o2u2ObJ1zl|%M z%|tvH+46eMfpCGcoOHA1VKnoGp>?u+FJ*Tb9gN$+G0gl_;YyBztWrqx0iU{3YG7HB z;;YSEIK3PdcwJ4S9j!mxAE$Y;bCFSD>>nPpzxA&s#1QDsHtS{V#l6Sru=828gD7bJ zrSUHDNnWg@e=SsQPyYC*?7E=b+;>!C`YQz@4&J`~2=3E9qqri>22Y@T;om`7$J30( zyJ)Ce*saTJsLkV}A2F4VUnkP%3l4%}z0~CKC(oN$*A(8fBb#KfNIW1Tyv0)eKyJX5 z+K;A=z!IEfM*JQtcCKtXUStLH$*;5Xix(A0a8p z?M1jb(gK*)o!%hhirHBICynvglU+Dw$0NRbyUf$smE3K;j`8|v=Az0vP0*4227HX8 zJFEp8w`uh@5KVh>TB7xPAxot(aw8YL^hvs98U`nP8B& zOm{w^uE2_yZ|Oc&G2v!9F{ZIgaUbuIH8Q;;I~G(ar;wN|C}<(ihx304C{Xi{A)?T- z*Hj|nB-%^7W^{DE92A`GgMwU9@mvOC0KC+Y>!@csq6WP2;VPk?QYFzHA2&)V6$_G( zBtz{_V_nKdfM2utGGkU)s~5VikmUm1q=6#O))vjfwd+`UYzQwIBXFRr4;igop70&| zK%I|T@A!@Cj^;yaI4O2S<=9)iICE!v<6ejCSUe5^wwVk-=um%w`D5A@dT(!&KAq*NES2Q^AmqkU?6?+ zsW4riEViMA=8`=TkLlW|G4sV*iqVTub1dUS>LslQ%YE)z5YNw{4m(aV=F^tW_RM8KP0w%V}rs0q}MEy zKpBfC!E6?MNQpmG(S<(Cvf`jq({}RoXKo?2;E9>%)}u9+meGj)$+6d^KFH+=OCfoe zz7ZnCL43!Y>bvHMuoF#J>|=$BKBku8kYk`Mom7X|OC^zB{5oE_kC9FpstZz5)^N#^ zsHrbO`yNSsSv_-$+Pv0trjQp6MK4PDm5Y$Lp}SukMZQx%T3%9Gwo;{kYX?3e_~wsd zS4IbWPA4jB+-TwQ&V88Z{noNZbT)@9^BEP2Zp1%9R}M{`l#^UDV>Q7A`#BRUIBg52 z9S71pm#$?~S;=yl6&yEBx8r3hX}+jY_Mq={rrVO+KeKVHqA7@1oGm z^w|6yAH!%?Tbz?eewMg46AY&>lqyAhgs*>p%1Btx@Bd!0fFE6@C-H8WD<3#|=AKJ{ z+yjC4IXLjWg zI0^zMMJ3F9(rt)&ZX2E7lnbLFe0FO@Z{M6pO}8w*`O20ki|?V@S7WuIGBwW7FJgz+ zjj&)vR(EO08^)3!RtUJA$lzE=WuS_SNRPDcC)4F)l1(I&nKHkef=&?N3TGBi3_aR| z0vOW{+*UW)*$BR-21AbDhqCapqz`S20(Qlo;*X zoUbhb+Yr$J;5&sef8X73;ZOIj&Ch7}?a@V{pe@K}q|xwPjiFT{)JkSTnt_!q#S`|+ zUmHN{$~hIkQ(ec`wPRZO%=r5CTVvjA0Ukw#oUh8P(K-gQzQ2&dj1^&r4|nWZ{dffoXe7 
z>=8qYZUc637nQoj?^p`7@&{^?Z4X8tGWc;o>%=4F6{VI3R?p_tu){o4j>$~?1dHfs zCFfA24^q^`P{fq3c<>)Q>;kLz5gAL8?n=ul$$a!M1F zmYkLhkY9L1>r`FGH~C}*2E&1;>Nq^>1lSbc;}w9vDioTH7Poxoz48R)Omi_FSk>JS zhE9?O1F3p%(%$DJ0538Q=dl zicG+O8sL~rC%@kWl~b4JY?+|DLf2hYJeAG-vTM3=Y;{{R+>3f!Bz)0QW;WR zTbNQqXx)ZgLqy3q=vc!+1gag*C}hi+Vm447 zq>1oGq(>)N+R;zI)df2(RY@3|K&|?PHj=Ef5`U8(tdeW=)`v20>C;D!V+dyTk($gu zDAblvuIx{~ivGYVIi~pPSwt0d&KcM*?n-Nr-A-erJcyXYgjC>^4~>wr#}qQ&)0PMr z{jj;IVh@6K>!;Bw3V^&+DYcyDsKmzAW;ygEq1y7K=%3?}DsA8CnIL6GpiI~yTGfEw zk0F9$EABOXxv6lB?+oyabA>pP5|+j?ZhW*^mo1uA+io5y!tm(9O3=2Fo7Xhd*^cAh z{;P@c2-x@RQWsdaG7)-%Z!5i194LW5-aPio@$!_B*_ry>G)L+A-T3)X zCle)@TK`~(N1l`FeLlbG4_N`B^j&{%Tpz21d&>Xe!h6?2SzlpWu z*#5)qpyK0G)GRb-%Y-YwARLIB7ce8@KW3h3Ti3=OMe=)Y&@1uE56|4;3&-tg5P1CM&6G6A)Dpc4gEZ{s0l8n{v4 zl{{bBX9P}VNt4|R%b=yB(stUTq%O)xjoF1F`l_VWE&9U5UTs=LCU%m=t6+1W@4htF zXR|>|3<+jJtjV*$i>EQg@ibl?sGLyIt-`8IXY$q!EISUYwWkmMBfmwdV#AWet2O-Y z;K~#vvBUh~GNhWRo-oqfnu@GOZMHczY3ke+3)FlX$e)B4L*QIKA5;KhY;>>1n?$jqL~P`1XjO}rEaN79PS1J%N*ab;?IKQnxHKb) zuZrSO{*B+6dAzzn4p}wozN)mW_9!vb_pZY0MBY8@A)XHIU)-W^746?7%kiZT0=&jfos2%w z625T87EY?o%8uZC?dN#oTtCkMPQ+Vueq92Y#_x+gc(l8?c@Lo-Hq`nnZ^bmGLx2l3hHNiNI2RPoXb5bz+ zW9~3Bw&x-Qi!J$e49a!+uZ*+jTYCfV-{|IxM(<)K-S!K8QlIcg=YP7q6zzzvLFlVD z_bTO^I@tKDA^lTb1A9H8)sX}#A5Bfec;jb0FgfxC`uPhD#lIP~9&;T|BV<+dH_BVD z8H?`POoxvH-ehjg`$IWFOQ`olTl7R^MYq|9))ur>`f&;eejQDNG!xX1Wl@{Rlp&Bm zXvU{mCXNZ8SL%k;Idpx?K8?&taWM-ulJAQNWkdyR0Bw$W-`EUWBnBD@gGy?!0%) z<-B%;s5*b7mY6f(0NLQkwjIYt{?fZm$1Z*H7N@Kbu~tpkM~luYMRdfARVmd|^cJM$ zYXUc()EW(|0mPTvpW5Isy=i~8<`iD=n!mP~qkiQI9mGJx0PA-0ENPRhl<@sb4T#FHL) zbIxN?Ebi>e5vP^(4UFo#A&kcunlTq>fq?ilwRj;$n)1YbjyG(mTHo}VK1LijU=RHA2D>J9CWOuf8V&-!*q-767U0+Uw-ki`MLu|BxNt;eaSFP~Q)?;jDD?Fv`K-65K_~a^{yIdnCn?WpcAsjWb zq7}-P3gM)5VY=doQo8Bwhm4JfSL0*+S7kfTkqY_5@y1o$xN&iC6h;z0 zGN+u*E7SBq@0$$t9)tOR*&o5T@au!J1$*WJF(i|!tX$~pO< zt%OL*?t`y+F+k9aXE;t#O1S{T7PAVEQTnWG>_#l@Nd0P1)mRZePzrSrK085?_h3Cbg_NDxx^PL`(6Vo0c0hlG>;N;b0AowUDkFG>>FIMuTDKL|H-52{2bE2 
zwH*7i*%ZaMA|Q>$uq!QF%^yLtb(wqIAz7plA4Mk3OqcY{rpeXite;|~G~w=)k1T}pz(O~(P@C`^d( zV<&WpmhsxFYU;mc$yHbz`hb~=5{SN3@WE*Osy;qCGN$tWI^Yc}Ya9<=<_?aR;z|*pv4LcOP)fuenxrOL!0QBT3 z9U1yl@V*!_#foj`J3HBiKNnz8iVhfam5QhX+ZC3-jVgp=Kz)pyq5&XI9B3zdrkuS{FexVrqjcD80-ddB5W2xZ2oR~Q1!30 z+$obt91ZVS1fJt(&@MpAu-ERNCw&$e&i>3mz*{oo)GsITd zM8vk<%?GvK!}p(vJT9S`yWncujfC6dAiTdnU~^`HdV9eGTg>7fw!Xn*I+g!~^iZVw zfQxnp?uWcYJ9BvA@XI-c+GT@R3wbPr=7y!$K>`sE*OTeUU2e+BN`;V5m2^|soGvkN z)ld8JY7q3MYIT^ZR9vPjwC>#N%G(m0BisfhyZ5e(9{8~`&ke7~GS1shUgA4Yf51e~YUo>3kmO z0rW3+757WTQJPD13~o#LnFar>pYpzmXm7P&+Wx?n-uG@^w-qkAK*wW61193pk)Dl% z?Z@A&G6ml+rBV4#jF2yH_3HjXkjwGBB%`^LkrD`1K{8(`fD#_Kh!QkX63 zm8Mv#Pr6hR(*~vAr+?MAI7gvjtZ*g(6>;Ha6Q^3DMMQFvs^Z|(>whU72df6=Jw+jL zj9=L&=KQ%5@B#cM2525CvX;i@g2qFjCE_TkVnMV;OnHr2PWq4_be`CvvS2*7a$7Io zcLcSVN<40b@rpv6^qpQCs_ML|>Od9wFmMMgwyuebir>W`ux+PB7`%5*W8JLl)x+RE zyfxGL5SPO4Va%si1mR>1!2zOHX+n%&fKl=xP^w_p&IH@ zT{}P>*yv))2f78ZTgJA%dr193^p=R&aiq$mWQEOY6lEIenN7$XU7c|qXuE*zsRxnW zgdM|eji8(GquGWOov@Lih6}cT=&7YWp3V#UwKZJq5>@3o5f+rN{xLf0&nr2T4}l`$F0X|}p{AKY z2UT!vIVLqGolhpE{qD!hSUtfd&GOGSA>+r1h}ng@{k2%LkhDNV6t*BY53=6VqWK(y z1TnS@xio;@p}Ndg=%gdHE%+gcR?S8t+d`bN2tT1WE}U~``UAbHlYFSxeRil4;nHub zD4kZtM&+`n{}YKQn&^{e)q?4^IZgWlsL+Ws<`cta+pSB7zZHBMJUtdQM2UEMFuJ@A z;p}Tw0`UQLca;b)_c^(kE?eIF-{tr(kLw1t;qaH2ABcOLSfkWo`mOQXSVk3u>3ag& zmPI-BS$*po^DQzoJe(bMf01;Xw-gwI0&Cw8H;*GUM8BB9i9%7zief7)E|*gu{`n!g zBvL{ZltvP=p+UnDg$jcq)drgSzZVl@6K{;+i6ZGv)ud=fu3g;1-EfFi#m$9IRH1c? 
zjp3=;0XeCU!QsLw@S8Ipv1H%oJBYNhN|Cd~MGL$c|XIjt~@I*K!qCC2Q>uoGEd~5hk4%y%M=?XHST~Z}2u#hlb zBBKN}bhzxI8-#5~!{UEI=_1#KGF-nPq+Pql9Bh16s`{Pz*xeAj=dEHasQLHX$dGQl zFCw=bT>}`l=$D4B`d~lQ=@_HAx&k_T`=Pt=;RM@&LU453QJq>gGJQfKyIk{lzz7Cr zIB*ms$W3K5iJCs(Rt464qM`8LJt_p^l;LD_nc!2xZ*)_PP?)5l>6NhpZ%z;5%7*w} z9+?b1M<1L74{Q|m@0<#F0n$HGczfy+i5opT446926LX*rp5?8W{SSowAp$D*5nj`s zY0t~>Z^-^nvG;~B!{1}=(c!MY8IchtBtiHPn2GlVorXA;2-}@hO*RB&=#iev2^BOU z*wfP)Ga{DxqeWE5H+_hK@L90>2yEdD#~8>hz8mKxEI2&j0(>;2ulh?8HL0o~raIb+ zw!>(mym-Crm$hRS!!=Y^d(Q@uA^h!5fnqP<+XTT7812(JAn7MK4u^}a3k2c#y5aeM03@jCFz=! z;96UD`5Tfuvbk_lt5N<}TqgcH;>euXk`A%kd$Wa#SrdCLkhA&8Hx;!`xr3HT}IBz3@(_Hq%eP!EK4OH&5wyv44abpS!>MMeSo52(Qt6OaB!jY zuW@*rA}$6`jEm+Ko+Xp$(OvjuDvs~#-9~ppI%orWtB|Zy$Pwr+b_jBZf-9pr^tS$} zh4m{2veXq)!=?Id$pJHMXLpQ!UF+6LHX2X$EBxpeNBn{8r*ck|_km*{H1YTQ z8;565>MtHV)RSf-RX{dw5-+@X=#8w*T$JE?4SDp5a8h-KqBtl^{^_GMl;=LH`?bH} za0P(GN`*4LwJ$ge(NL^W{V4C5fooyR5lrR~iI#Z%p%BVBUlR+sE?Cmw$}8J?58}!i zXe8NZTs38E3yg4kvNGF#czc=;muJw=;z+Is$X&KlMrgQ%KT$2`;Zlrz-aNS-U=`rH zWdhc3ShLx7@(nm}z|B33y#i*CAeTa`O!`!Ks2Ar}W%56<(~e?D-so4|2|6#@KAP*$ zM3@+pMXJqHf-CVLeR;vX@@t^$I^)q2ib<$wgKQn>UCtQf*wH4^OKj$3(wvlR3@k|t zEYn31_YDr1dJyb?X*{?9i&hFq1Rb?0X+UE9Uaj4Ma`4`P3b_${1iSvZa8}k;rmc2^ zF5<3x7Lr%@6t%VpIr|Les@7WmuDk&o|F_yfYm(mX+^#mu=5Zi=VYPhwQf#Q{RS|lw zwEoXVy{@(4o$$PE#kYkfx5l;yw)vo2!C-4373tLVYts&M1*B$UE=#EcQuP(M=t-F4 zBplilFPPAXJQm4fk`FUN$ML0rWHScK!Hw=`45b_uD@e zj;Ag@XKLb|tvPE}g*$EIX`I-Lael#SZ}PrFNK66rAA8jbhBemwp%(MhGfvU|++7zq zz|(WT+;DOsj|A_05idrV{6t8hNOgcB&gnwtFSy5yFkn{>d{`S^tve?V7MDt)uP~5B z`4xK;@A!ShcrS)mRy!V%0{inBxb>xr1>;$p@O+|8ILNcw>QT2??=>V!fa1#8|B5T=LQ(<6l^Ax5Esbh}(?-<` zr4VAM;AXj0S;dWNugk?vkpf5RTgMEODV#!D<$8+uvT!-Bt0O3h@=vRhE|Jzk5Ie$K z79A}o+?F{9vQw2H#xRpLz{E>#rh&r=H%u;Xim=Vcj-i{kr*U-S)ba_1R!B517V0Tl zN#LsMm!V9%!03q@|G(Km;;!J$WSAm2BV?g)I!+2PT9``_oYB)T3)_MtTq5bGkP;V2 zLBdp`aL{uiOtS)a&Ow;Aw-FKEB7IihXxqmUE5tF3qB&SE#;feMAj{9Qw9QwGdHj}_ zEesW0hK3vphv-mYfAIcJRd$C<6uc_-m4&9n1ksGBHO3vI%j~6ZGn)7h^V(m^`bD2Wm6zuf 
zU_-Ipy?*5ZKI-IlTa4Nmk`7v6)YVaOu&|8+W2Ycjy!qTtJ-uE7LjM;+H z=W3TkG8EdSCx)W-=tyqeJ$Nh`2x#A%;n-*UFO*_MPzUt6|6LW63PYFSgs%#{p}RV- zko1)DQBNz-;TMRI6EYv=`7pKCosT3LwGVYOAr7Na%C{A&|+)lHW z{Kc&UR?bh*>rGLxru+W@8bRg0F+G?9z{XaHO*6ff;(~K|?{B@Ga5J&II(jbESxpAn zmy6Xx3Vl4EA3K;`mSj50=#mCG+7+ToM~-y?wih?mNY}To^+8qHq}o)kY7CIlyJ$E+ zsMUsio!m$V=U=NjjAO`8OxVZtYD0-m5cg@YGn6h*ea0dhk;1Q_G|3N0KIe1d(=t!8 zc~;Hm%q{LV>@0ja*crOiptz%WwG+jCH0%t2ddz)BDTYP7=>+AOd?9j+9?xDCg5k0e zK6E01IMp%nrHwr)SB@gv7t2NSXtM2{RbkZ_yiwIprp{3607$%-%3RV*SWZkl@0VN1 zD4um1c}`3~v8P2HbClu)>70g8LwBxdUIkemlPC?vWgO-Op+&|?Ok-B%0ZXfa;qIZ0 zPzzrUp@uFsD4i&@?L_GuJtq}^`jZNqQ1auDHB+u!9gR_AmOJ`ZO^-%%J?U#5SshGd z#+7mq{xXdB+jV`~q-g3IB-`$8N11wym4v~FXM$p-Mt5V|)^sH$S{EcY^>VM`&+pf& zm#TXDcG_t-{9VZMBVTR~rc_I3z8&B}%)#WmQfc?EBs31rxmM$qwVxz^ad;fN$XSlc z{(dk>Q92J+D~MWa5qP@W&z_!fhz0u4Z-eWT@zA?)8uSj`Im`+_r$s{M3DipFxw!4a zJR)(N&$BGd{e%zP_BQk`d^zYHy40XPL1Aqt>XXqBJpAchfj*S#^L{M>X)+paW9npA zpJyp^898sK1(+Gd4U86bfqc;Izv@_pw2XCWl#(Oiyi?F0TNxkU2=85uRfjzdfJUnh z1C`N!Gkx|Pm%@~nAwBAeCt0laE6|k{fCN;mQ7W`;UGAC5g0+b;xcqwvz>Ad)VSkN? z?fFANQIZqnb{fzQ-I@EoACyH&(t^%OvJMC zk!q)Eb^E}Ye4sDYA)(_DaN#rr9J;f(N(-Nr2`Ph0nClVL6sJi}cu14n=i+kB+#QEP z8vz%-90CqqYEVKaBH&Q^;hXjBzGEmwud(34U}+hD)}}N-y%3p10Zg5_Et`x1Sj?=Z zGhY2Rf-oioB2sp*j$RMK6UPLgC&De!@rbH$8lno_ndM=UBq=ApL{!b=gyd1-6P`yg zjp95DQ+MrEXd|k^mqS#cOAX4)L_`%zKP)fK4qd1vicx)SCpjt0QYd{uPuLZU*Nh3X zOwB?3UEKr6pX;4tpFf4kDBIwPTTD$sUUHR}NJ`xCQ<$Nv8a8T1u*$?&Pd=*! 
z)9YPHyBV%6Yf@w@t|oj8Er4|?N!P&;YXgeO?%9wll;Q;0od&r=cP^rohIvTIJe$MR zt5n=|QJNFsT*hfu1j5A}NDZSREn3&Kz+B3kXf07!wX_dqs~D)MQjjTykH(@>E{vDPR&KOvQ^3b(Ws+ToE7kbM zG~HRzpVA4mAt!65=C3Quv)<9AevUTY-QK*my$a*n_3z-hx;T%1HnG=JEB_eKUAOFP z9qhv%+K5n(>7<1cogmlKU|{IZMUne73`>~SLrKH~MrfA#BuwW?m9jZ22HMnxHViC$ zIT#qa)Sz6WFtC&5dNdFWe|~u@fBM~Oo_Y5Z+`8s-eZ0!_t!p(UP5h@Ybir*iO(ofa z9}^iw#9er>-ioqQZd32Kj9Z&(v0ON9k?QwHE3YQo(J=u?vMrm$vDUGtyb+`SYN#DM-yD2VUFL!5wlR1)l;{NAHVrR_?hMFQ8qkPTCH0}_ zS4HxYFZD}q6sMWF- zVD2Wo89}5QtH6kA_VHdAI`BW&>vCH!%Ga0rldB*aHSKYgF4mhX`4(=2V3-yYYg*~b zqIBaFA)<*sHR?;C6vJ{EO@o`EJIfK*aT1d}=P`-mtROT@OX%4ho2a*2E^WA3^m1@B zbg4nPMB!#9%O$qLuw0(q91Nv^d=wS;(+!A2o7fT82HDj_wTbT8#-^PKWfJ#g?p=NL zA##g$CX*Kw_!GJo0kNEQ4d1v0EJoce? zBGYY9m0p80-$f=g_H+doJiHYvm@lM#uZMmd=d-)+Eoop+y?v#ohsg|EzaB=dp`Wa) zzU@4fOYax{REsy@$8$aSL%ibIvo8YgpiuC6{rs3F!M+0?f=5YCP$ko#Z0ODqd5?-9 zCux#%5`{E@F54M_(7OpYx>bn{Ws6=8%7!jAs7g>M+sUc~Tfq&A#~&WmBPfOPPh?y` zH&*CZE?3%WmfR~5T}T`P-J-V~z(8~aVfm!`ycFHYFt93=sC6K32re#X3WBERW?d;{ z88ia!F8_85y5)TcPVYA@)E%4OBjK*ym2b&4BAsU=*-(lTgmW5_4c$2`!URxjB&Dn% z5sxxL3%K!FndVi%vov*&7maKrTl8{BHgu^$;Y25l^0n~7j(OU*4yxh1-GN_2WD=vW zvSMo;0kkijrthCxld0rQbQ}}?&V51!3x}&%?a_JEGkd4!kZ_1&Dw3I1Uv2j{kX|)g z0(MI_idyfaeIgJ2D12YLFdO`3Ow6#;J1)WT2(M@w!VBFw3V0k;QAz^8%t;hv48rmS zDdWKBQAC5Bx?3_uHo_}9%QhT^P-@FDm!qjEMpUvtHGR6Hc@qYl*= zY$*kZL^;l)`W311Gwt%$KrK}dDHs12HOx}tKQC(CCRDvf{&%U$`3OBcg>9=p(rTN+{6@f;J73h3;I?GE8BvKpZkgqLgux zl_@2Z7Ga$FQIu16-+{=6WJNCr$wHSJ6f|^-q*KsF1F`UDJ_(SGlB-?->c#!XzTVNs z?gOBZSs;CO5*QM|8tWuuLPkIg_|Tak8#u|~UXZ|^dAzHNUdVA1Dq;&L65T75z%Ls8 zb2yq1%QdipAUQIQX(7!{RP4^4>WEUDAam0|R_M;zJPylDICoiIg3J{m$qOC`H;)Es zmC~H&?l$s~4YG<}4rGNc^&Yh5aS6C_o!}rPf{5Pe$&M(cU6}ZXV6Pz=L@{E@$q~L5 zU?_I72KVrxyjx+D2|>G2Q%sf+wz;^yX-Yp`3p?(^zj-jU46If}*wEKoq1L+;8mi`; zmsrZ<*{RPutX&#`;jPU-JnzJfi0T+z6H0V~s7}K*p*sgbkkE{WB%afVM3jXjE6Rj$ z?#J^u4(GA&#%#tmt|@*wTobyKTU7BAoFu9!xjWy9lJ)#yq>ut7ZcSIg)e9LDRY^`W z&{GyM92-me_gZi>G`drFk#gjYi!A<{j|rkiM6{-Kcd*`>WNoha&epNiO=^Z3+C66d 
zxjb)UVVzp|({WKfu{A#WXf6>&iH1cqo(6G3cMhYpWN|VlFl>rMepL}D6(oLKmO(Wy zW1hO3N5?kADSkPK6S~xZh@vMrO++#B0TCVUrGTCG;>3VV;g4_zZ}j8U1~s{(G#2|&*LCQC|R#J9=wB3 zwcypKfk-sEoW6TL;#xy4rho!m-6l1v~*Mnj7yd(ihma2Ane z^lMc8wGPGZ0{Yrn%fmgcjB9`+(rufC?Nt|dqle+Dh7+1AT}E=H)>!MT@WEj5i>}P# zb*tYr1mn{C_j<2DRgblfy|+_+sG0^O%l|vG2GU)+`hQtJz`d{jVJ0gn-(LSuyYrr^ znmAlTjZ!zw1dXL}?2E~ULtNHj!XxjzaPF1#NvwM>%#kJCLVbjl3hy7uhKZiCi$ax}L4(Yn>f0bk6(E~i__f7aF|#;? zof(mVjwO|dQ9WO`w_siAq4WnIf1!1QVJeGp3SQN^8qO5zwabYmEY>h1$Y{Tl}mxI-zOAXvb=m}1{i$-^cLn#N%OZ3F; z?A?1X*S1G97QESAX;osfZ_o<;Y0Z=;_T1h=E*tC=mWb*QjD+>LEk14U)tymiqCNMf z3hqKqG<_Cv z_RyVU-_MIG<0Px%j6`t+ony+JFwXoWVdXpx+?``$8?hI^9AXb$YCwchfY&L!eCt?X zz@Ws)Y=hEmLpnyJYT>aBH)$}bA@-+qD*ji#Ex7m@fKeae1!~{0KI&EdU-bfdG@4$D zh}5HBsBdCw15()tTTUc+y;SsLK|!3gff^TVRgrdx3I?Nn)C(&bXHFQ64A ze$j-5b*sjHe`w{`DkEHL9OK)3A)_&OA-is*E{dF$_X46HrDpClw3)d68v24Bhiz zVjIgCzZ{kkU1~rD;h4m3Dj%YJM#C9V$|IPnebKP(VuPiQ-nw2Q-mbkhA-a)A(uio` zOfVU#vG&$;ixK65p1|OydP|wTp`KL+#_S0YXS8ykY1vn~S6R2K8OF$~{CB>Py#U&u z)v}F{hBI}$51C+xX3cSBe)ua0tWmrl2>Rw6cFB0KWjqaRiSC>*Uc^xplGqPo66HZa z@+g9au|<&tSsbR+odk|;ux0#mU`uqV0i}SWB?pxPMmk`T45KU&;m40EgIT>|I_cH7 zUi^T;aNbwYr3Ch9RRxc(EBp2>?P^_BPSn5hRg43|N0;6w)l|!Be5ZG@tewV#Cli!i z!q?90nmkhPHK>$Sf2^|=1!&i~k!H=#WQQ-k8{I&2X*V9Rp6=q8;1|#fzXZZ1qIw)v zduFJ`J?!Qu2Vk`w!^FEf_Jra*kGtKbd2@9o-pF=+xiWg^QdnMB6h6q6R((YGy}lC0 zTW7odpF3JKf0L!l%YSaSAchr4yBDUW&L7Q+lANHXrXe@cor?&DJZ3&g<2WS|^(&Ii zh1LqgfO0?2%P1O%#@oov_~nqB=u!h}3L`r~O<|-1YHBQI6MtE%<`?Rcp-EpC`#fx) zhk(A&h1H-ZiGprJebOADl6g){Pra9+&{u%`21(Vi5OK}lJ3}5O@Y*#SkRZ)tj4{)V zcG^Qqr^iBXYd@w_Gc&C?SDdb!uH``&&;)y{owx^jr+W(Z07sr(bxDK=o5|l=XJ7{| zt@zbV*CNi^spo4wd9upP%)3?Z48G~}&CfU>^1^2WuRxl!Kd5f2bj&KQ(Y3W_dN{*S z=1>~xFt;V6m#SeNa7ue09@$KR>+LTt9!*X~fFR#?A)$^i4e|Ud22tN*K))!_2?~4~ z=oj6&$_qd8X-4vl3Oh3tZfG8+;*Tj$eMZxgrtU(z*arQ^F9-TXml{yuIEHpmf#ak@ z&gWRfFaD5~cQ0pykbAJHKCZos`}>ctRYuNI;jZK55( zXCB>KZhD|u!D^uZ-rm1Pyu0U~=<_I+to7NcUbR+etnCroW$^6Vt?Rz76S=4@3o{J$ zE%f$YC}-0>PdLBQj~CW6WVsfVP()i!%O}qybPXUD2J;!9xEMB!%Cw&bDAds^jC`w97Xv!D~^B@e8qzHo89p+AK 
ztaS2nSZQ=Aw>+a{!}9DP9k4V|${|YwCHzIfOtc$@CY-N@RNab8Twg~sWQ>Bv`AC}@ z^dL978)L(l6;XprN?iV*c`K)gx`I)gwFe*exHO^iXX(7tW;Qy?;mtpGD2o>%J75-J6Rxu|?!Q?Jul&23CqHai}Sh^3=>ZS)Ay5e{z*>IHQYSUd?#pjfJYw7uZAdB!*1JLsUZ zVBjGvWl@Fh_#;~a%)EQHg`f$e8);jMN7|_lRx{ZU@BUHT;u{Jh;h{c4s|cO+66)no z3eAM5oN;j}R0UE5^{fD@kGA~%!Q9;54#?MqfC0QQ8bk&g2G^^sWa90{9HikQSISe+;Lb_?v_KxBO#xACK%{H|P&^v<#TpEi2_FtebxoPiAYT;As}w@zFY zn*QiV?>Biy{q5&2wwxs+BX^FMV5=2$CZqY6|NhT@l>SS5xx*i`e`%B0w>>m~i56lh z@AqqyHIrNPLb&$eoP$Uv43(6wp&2crhDVbYXy?dhulVX}p>$aVZRlhSaoJq`Q0^5u z$aE_=$)4}}lB<*c%Hq3VY7-SmM>J z!~3d=$UhWtEvQLod+5UrD{~LfzpzwG*i9YNCsf6=H=n-BY1D>J*5Wr_xtHA7Zlc!~ z>gc=aWnpGoKU>&5x^NBma!#6X#Dp^FaGFnCl`?V{7>{ecKp$Gv}sM|0~ zeFD`1(&UoKVLhKjwR75U*Sd1^P#GC$vF^Usco#xOU#p%Ras-c{dD57fN51NGmK=Al z7OpBO*zM0>Y5WFI_3CF^#0~bgHs)=?e~Wh|c5PL?-QP#?u>$_VZ$H&P`1bx0hIk!a zTc+&0OXG+5ekN*#DVDRl#iA4^Xq9OIW_0H`t`a|}IH>|ZCQ&sn3C-g~C>frXWu6qQ za3cc~8^D~r9Do^J>RhdYt}~=n(6+6(R&mVaZgq)KExodREWL}a*!qva>wUlh=o%qP zv?Px;^H!Wa()FTQN$cQo4{6^Y>rUxBb2<^-gB|465#{sBHjbJV{5wFOn>kO$swAU=I{+uJ$TlLqU9jcV!?eF)8<6i&x^ZIv0DdOnww(^6P!oTvG z{lf!qc5N2<3)Qofj(!kC^PSZS_xP7KQn!GR-a?LBGX9nF8=IzP3%WDvNcM1O=dzk_ zZMsr)vt^;D#D1l!KJCt%@7Jv+Q$=12A^*w()Iq)nIj&%*NW0M$);v~w`YcR-J(&6m zfBr5$(d?9#<@y8j9g{dg)w4t>8a1Eh*gKFzDT}|0f7QchWr7dhwph$E_@D`m)k8|P zZxWk8;PRWAA!{wHUV&_@#=lE!v3#+T>fkLRHNN17zhWz5UKCNKe6PG6eZYD;q5O(# z%JB%~WEuh)-8uFPMk^S3ohIUcvWk+t$bFJ0QB2bW=2Okxn$kufCohLUMwdEQQ=;n( zY09x3h*3ftig1b_imf9ohDBX!V~bf6Kd#H~i$;h}%iJ0TrvvbaB6NQi<Ric3*BO%h zu|1FRmoS`B#7HFsKsIIT=g-9Xw-0gx$A<18f}>uFZhtiZ1VCFXw;^rW7|Z~F^kn8Y zRv&Us&Oh(J-pj9lP|W}FUIpqdy0PKC zx~WrMNaxO8splqLPWDQx$@K$io`j{nB6cR`wS-@IpCtTZr)<-Y`&}a)__f8FM(uVy z+APGYP{6OFhS;ixLbA59O|156u_h8_^6HSetyRt6bUp$U>X5~X%8@jJ*S0lfkC;9m z(-0daIzgpR19_u6&!aR5N*WNMzlBPNM!R_sR78#jE@;U^>Tai$+92=r8>=B1_wIGBPk6HrAj@C1N~|~qu;g(Sj;{S>c*QP>phvpw zH`1N_QA;;g_9BrnD5Y}xBVM`|iwX|9+SF@>lGrKe*mu5`DoNO9T)3>qgk1IDemc6F z3}@{(4_hj`D)d8!ZCFgtHr08_&GW?PCHfK;jqbW=oMhShQWwRV5@ZU))YnT`4&IZ- zv&h>`XAe|oO)8fLgY<##^ox;WmSJ=&yaCvv`=New)e_n*NyVj5?}%PPKQd}(q7=hQ 
zDV+v(M|Wm(;YEgdL3j*qW|C*5$c2X;7G>^dQOMKK-K9UZ!S3nHf!)!i&Q(fd!R{#G zke!LYgp=T=D0$lz{JZekl*=V74Dl4(r`JQHrO-ux?V>smq6ZzZT8RdH37L|??4yuW1sC1OP zgNt`&fz=qq?R(;fTK6YSnUJ;_ye^x=YKK(#2f`aw-|~~h0th$i^M|gk#duXWzrB|Z z%1i+T8UPB+0DB5wAK+NBX|wFixO>#iy|quftG{vKrF`MrErrOC4LR37k1}o+D+xzX z@Gs?j=+fL3-#ymlRb!8)?&i2#uWa|Yt@jU)c7_pH>gN5`&8^-Hk$#k^T+%-t-kwf_ zx1&4LD9%}!hJ>fQ6w>b}Bnyj>Br(nXl(T|I?()>shPS6L2X9B0I#>F~!rM{8LFsqG z+lQqeBmbfyMZIVgpn%#|iy)*=Uap$a%jkuaB>;GDd2_60`km{zvTQ^_o=oq3Js_x$ z?2!gShY@-nMv_;sZMTaB_p(jCIhwke#puozAzOO}qN?z*nH@WH3{|jdn5>FC$Abyh1iTDRq#e2{xU&BC!I;`ajk_!cMKwa*^ z)abu**@BJkboY8STobgZeo9&PCJ)xwF~jb?$gHF=#z^r*WKc&~DD0c%>|xqy3}hT7 zIzbyvgN&m)^Mc0_D^pTd0Vh#b6oj%cCK(ji7e(&JA$Myd8#1209Aq3_>RfF!ybhv` zMnlH&w=f(>!Mj^aw|vz-yff2v=7)H{mR*q>J&1!gk3|hux~v5T4XDWU(Y-(G?YE+? zzv-@Q!qV6@-uo}Iud`B>6p)NCAy*pw|BJnMU2Ys#)&*aMadynEstCiy`(>@zbE4XI zU81YIE6RP@vnJ*TNPxCZ$)ZM=s`iR`_(3KB5|WjmMCsSWoPA<-*;WE1m6=Rre)*+= z|BRk!*3f;!1=S*>yaJ|pZIXSBd5FDhBe4*8|QYjUYm?RGybqpFMSn1_YL-~u|A6<86Y!PFDH@dS6&~qDEdyPJs=ncm8_MK;fEpuR{+C-1)ZoT&^r`<_Qvvou&cPgw(t2ewgA#!hp3&tF+I` zk*&8F;+WHhX=1~HORH90yAEn>vO;G}Ouz$GoOx%SHcs}@426pqR0!PC{RMY070#6o zT0XZ<5FJ|EK_*3a@TfDRx>pHh#$K(jg7*?S77YSbV*v2W`|3nlSHazC)d3#q2G9`8 zZnmHYhSN6T3sR;-yo>W7-sH|@R1_g^Yu2RD#xK)^@uPI1 zAl~Fsr#i3kbqME0Q%H|FFE7%&$1wUm7zr>p2}o_lW}KFp`p|;_b&!vr(J7CH>k|Ux zG)>cq4jxwBW-~wh3_j3TaoA4*qXrRQ=*=Jm8Zgw5v(=%7iZpDlC*Q&)d4IPT$~1 z5Dhs0F3A(j6bfNd=m^(v9)OqJIV#I2DZ-q!MUyfW3J6xoEP`QLDiBC95b(PO7rOVd5~OkXCVM}+X`0HamiBAl&s3KjOB3{ z*R4#me1sRUa3Q(Hx(SJt9_)Ab@tGS5Uc<_7 zG#?h$^!hpKJ5^1>Xg$~Lq%#hcL@gKi&PA!)0}I*!h|0w5uRd<;;6K%i_n*Q2vil}q z4Kt;>Wv9;OGr1<NPXGvMgO!%t@rHjHWFNeY;mm0I;X@a*N!O=G| zecR@ZeAs+xG5yxkgGStU+t4(^SI%2XPgUHpzQd+V?RfZoyVKuYt04BrOd#-J09UK9 zc!Au$>L%abeRV!%$CJwir0@FAnFF{wBX8_+t5u8r;Of(>?cCg%QU2sn0BFjTtq|@;n?OxwDAlLWn43ajl}|w233&fvQ-=^E7YMq^x-1 zH%k|XSY8f?NG>&MmXic;J%WBld-|S-H!Ft8?~VEqHcDT1AB94P>03KI26`~$Y5_Co zx0|}#!m)70+jiFUhiB{!`JaS^(s#Sl-lEZdmX>IjqsdN`HD(2`c4e{3nBh&o6R2MG z5rKV}y6zCX{`LOD8?er|KwGlv{(i;-IZRj$)Sv8o(sui6$njePRR$RGA74LT>8=kw 
z4@3_a={8-1U?j6-Pdl*HoygE>v&L4OSu@+%qKRQqSOv9GZ}s16rK!l03wcSGjl93* zFW@k@PiAZp4Acw^X4-M+fZ_uUGz zlfQ4(A!4o>vv%D1(a{E}6<)VC9XDB?hnpmKZkx0!;zqEf5h~h<>XubSn6O-CGOyEG zibVL`nv0t(FNd2Xml}0zlLT))g5%MK2PsK7F-qc2zmyGEHu7h~IT+sBLKmjApFt%D z&TYbJ(f49(0_>spf4f^53#y;@dgowcJ2VmqmgMS~ocw;{+?uzNZC7&!BOb4VcXj}f zB?s<_-IQsfO+4?O`TG$ZI~RBEh5Uzg7Wf;yBnFpsNtZ!=Cp74R*5z@BaURr?+&Ryh zf;Y8fX;#-Pm3hdxC@a>+vMh?COyhLKVYpDs@^Vm1a;Z^=F-h>&BRCQVQDV2U1^roh zCV^10hmQ*rA|ia_gIh4XMhhoCB8m&-{TwE|)8DMU*Wk|hwE#(RpOo#psXGJ|uAO_( zVaE?y2Mhjv_F(GwYg2&iW2Uv~5NU01h-L97OmhnIkk*@V<2(;}NbX!Dd69FOvOKSV zxTu5-AQz0MaU3TyO3KJj$5Fb-!}4;-LvpE6k%9=PCqs6(T5Zo=!j%Qn*25R zN>~8h`YM8$60QkI8VM!Ez3}xL(n2XP%_w>lvJkG%ec{`heXi zi113(S4{SA($+HWlFkE3k~?Q{5|t6J)Y+m))&FG5B_(ak3NDK#7fF#Oewp;>r2x!hC=wPkta9gWo-KNMVH7ydmpkEd~Mmo_%N0T5YYO!ng&+6hu(ekSVsLI z)IIesPGb?^=9l{BXT!~#Jk0*%($hzETgDn_mbPmbE>UygOdI`ssXieQesr*IQa>-b zI)>>B1M&XK`q`q`uCo6)G=-$Y0=E`y5&^<|1aTjLa$1gE?O5i4I!w-sUR>+z zFL!T@wdubMRTA_B20p&)Z>|r_p2F+0!j7aa`tW}JPhaf2ea)Yw`Dz@%hdy$?*btjf zEYA>(SmX;AIgXUD*dO-v)ts_d`y<*hGjX?pybz5oncwLz5kTial9iGIk0o z;h3mva5|=j?9cueXv^Eb-+Y0S(;v5AuJ`7#V(+W9XGs1khl2L2f(IBlf<5!xp4rp_ zOh+i{$f6EgKzLEB>xbE|+?gI{*$ltRr*0#M%h6;$h3n;bF<8JkigM?+W&~)(HnUVb?p~u4Ivl zk}%2dLj$IDLs$b(5sdoJ z$&iBRxzw2U#?zpf4|QoVTQ|KIHGGD5f6vzFtkspQ-Gn@Wmv^pKANSxqrZ$q_)gQM# z5iTsk=fK<1KSlh}ruof`rT^8TZ!tliKtg`X2TVcJl0rxLfb-C_IBk6(VP4Q|CO6c@tIsR7>TeX{*bjY00JhK7bU%4C&3ttoYk$``&rPjwo7_vIgwJ z7n>Qd9B*|V0e^hr^B-^y>Zdbf;s7l6uuCBK7^s;0k~73l{TaYS6>B2IamkaBD_Tja zpgiaj~h7x#2>CZDRVivAS`Iuhn^}E}< zfCWFzHlJ0LAy;p7O>XZ~_i_`wzP-CwpEMNj_i*eOKJi9ph|~!L7|{09F3w8oSY&ca zd$}DqPh}g4pp#$!_5S{D;50H{zK*7TTgclL#CyY|uz;O`?BDC+plmds!6E4_U#mC9 z?!VZuE>mj325*<-8S8mX2)9Nl2botUC64fF=V5rsox@fnaTOM?Px($rumw zh8IzqCYis)Ubz_F>T(!fa;XuoMgk>|^=cFLz4P7qQQSkMxZxi9T?IH`?Q_0eG>?Ph z`5+fDmW__^Wz-gXYjeA7Kj=?;ExCB)SkvhzE0|=3GQ`=FJ{p+7A>a=%d}9;*=YK?L z@z1*30IEpOIMjrG@Q3oBfsQvETA&TG{e8!?-CB7$xE|$ix^DAr1|Xwa{VUM_)NS~y zg`BgwI?@1PGlqRovEM0s83uLu{2bdZ9t_w|20y9gu6nin{mU=G>+kA+wVwo_;{)F4 
zzyv|Lf+<|6q|g!G;5>jXxpR{9jORtm>bg=V9+B0o%2IUzYSOf*$|$d6f0e0n0lL-Y z0J`K-Bi?`#JK7segXz+D?yE18QhQF|voTaXZCM*Dj2qE$h#s2qGUVw`A`#&qNY>St z+gi5+`#~lXk-xoP!0wnI`|96jBaOhp_>f%nF5E(^dMyu zFv>3i0~wz?ol5hOYR&cnMlg2VriX3EKNni>ZWX27?))c z@g%Fnh(Wuc-s*CoUUI1sgC@xzk2UCN&|dn^$;1VTv9-wder&qQ1U7uRF-^4_oA~Q+ zmN6#tq!Pp2C#b>7P<3Oep_ZD(4#lY)2X#5>G_aiWXU&d*=>=Op-kq6+_*{vD0v=~V z0JHGIT>1L31J1jj0q&-L`80zAioPc(NcY2m(csm>b}7s&>LbAKl0V_-P0cF^a~gQv z86sl{$T6X#Tc{Brx3fHD!Y5;3Nr@vY_&f|Oxie2I(L_nXiV}byNvbS3R-w8w-l%RP zk%YCs%38S?*y?f^SaPWm3no!`$6D}&eeZmCPFgSxxn1j47@cG5!HpL5D)7kq#FtBw zBadABQ)^mrF?lHw*scLjSHnKaU~msWNv^QaXyV~N?tik0KaH~l(8sGa6d5pIs5!V6 zIH3&7pM5dHoF9ggK|iPn4c-hj(f19f{{9)*SMJ^4%ehkVmD2&J`~+O8-dv-+^rr6f z(HzI%8MrM!Sh$xn(*S)SET&tF(CuN31dI}Xz4*Zwx*K?Kj>>}oicCisJ7Ys_?6e}^ z{!^GbNueXW$9ZT`a_6FvaUP2}cT9Q>N&=%;o5Tad1(c+PA-r2I)$0#(Z|}GB{t2#w*SGIJydhkO zccbR9>kO>Q8TRqi2{|7o*%|^L3p6n1sZDGEd4c7rZ+EZipx@Ry?w{kCf1o=?-f&#Y z{UtX1=-B8PsOtQ7Z$pcH zx{%!lBP2_(kkf}PUqPTkHu}@r>GK-X!J*Z8;81dB8C60gY0BbC)(nQjG9If_43Dy? z$?7_l=?Heh1&3Cb1Ba4Jjd%?b*EZ%gChT|TyJON2PK%{Sw z-m|%UkbM`wudqOE{FggM2x1P=EnaPc2e1G=^23B0u(uO%>_-}C-ypvLuh(Y-ptDXr z`t{ztBKY7F|0eaILx&Q?)EIWXg43A=S7JYXZaGY=b4Cw0bB zS;z1{Aybyh8RP=vA}VFPe?|L-=>i+8%K;n7rA7>s1e=W+<}^qneaFbtuR_RXHCvj1 z*LlVN{HFtKAS(dW;-&&Xyf<&=-Byn<$9q1|dNE8xS3i=IoyqNAShC5aAGiwJ%eLNq z68lqCuK@E9dWBjhQ%pIHU*za3LW9f&ckPt zJ4a=dCS@U6)&NI96X%Rqb;4p^XSHaXysEs#jXZSlnefAfTp7KT*Ok#?Bd%=Hes>I^78Aoq1SAIWKaS zR%OUiE<#qvMaiU$tE7qQCdp#I5k{^NUJMpVFEwI>6Gy5~+V9RI_VuTCH^v6h9tjH^ zK|(tG_j=rKhxIeVAq0B_>ZmFQROFNIHb3|`oIU6_rEZz*4-v!ZSR*0TK?6*7XLQ$9 z(Dg%Qbv&S6y=n)2RM(f-Tj+4v*TL_do?7ahA8=lgvpWi#A+7p_eNdUyX&vho|LztN zlLxv?J3|QDRU$F zlTJ3Qm#|-Lu;0iNuta<#Oo@Fl=4>UonevFosy%*qxM9-^XC8{pNW6w8_r^RCc*r}4 zp~K+<{f$#)R9fN)H+2@yk>0uHoYzHGu&7K`tibD%l~p2GQ?*ScqPi~p^9}MacHPv) zaE|m+BW`NqNcTzm-Fd{uvzWB(S2t_f_f4)hD$3SHJ;t}2$8I(IH>k2xN+4Vlu@5mI zvCoH?qGz8GS%Nj`(-X99=?mJ)_y^ALlB>Q1+MkBp$&WYI^!~a9)7wjITEo=t01Kll z)5+r8uECchVHjo`w~L_!Vs|%Ps${$|0is9?9bw34K@{no>q_!6Y)Tg9FsMYCFXJ*# 
zSQKZRr%lM?(%YDshly**7lSC$ON|&ZNgvst_3`x|d^%)Zx6}5$^N0<>KVi+JpgUlo zZ$JM9`<&i$K=cOhws4x>Slf90%lmg4YpblJCu%Us_SZM>-t*VBq3G~o0-{2C3Y&6WF2PdsiL@(4YaUe;Fpoc!p`0>~c zRmqu(fpDnuqkIl9teP!!RAd~5MsmQPU#(1D;W~IXkX^W>TDu9)<*I9>(6DW{WJA%Y zUk5K05keNtcJw1y07b_@XY!&y_qF-`EkTFjF#w-qnhdo>(Q_OVwX-?~iM%QVD?U)nDj&=M5&mTcrw!?^Gs z^vKr!;=7$IfKM%mbIpMNpe&HOORoh^hDxI7ITlFm9LG@<#v)`@$Xgv6)Nx&~QY5WR zszRn-ph6yIt^r;QDM>Fyb4%TfUH~@J5e7&}j326UIo1>dt1MEMdzPWZjyb zQJ>U(eDEx(tWQ_?vCe0)f=$oD2fVmoAetwo-}C^{9Ml+_)vO*~fG^4GD65$O5u}BV zu$r?Vg7nVny_L$UQdYxd%+eAj|20X%>bx$>u&jA2y#V7p%w4m&7(|d>%5OIQ3-FoE zR60q|o;$O<-`#xG6mx_HQLC6_IuN`eYXH!bEacq9&jWdy9+IO+dLs`Uq{0AHZF_R< zz;8Ho0#ndo^y>%TlUJAUi+c&W4%i<)ZF&(e6Ntbq`BCFiLIH=9#r~=H*-B!n%Iz3Z zQSRIjA6c{>lB+43?tZ|9KhBoG4Sq-#UdGMiOn#T5ulWz;mi*yiB@HAB3v>OY{`%=g zy9mSq0HGu_5=w|>u^;-r;dq*O{q_F-jcve2M~0FxtPnDEvwCZeK%agKkQkFg_`DuA zy7}@40WqK-Je_Kr3>ZYwa~ujuRaum2oj06i5}F9>re$TFrL3v4G*hSdBFRSr;lgz& z7Xu8^OZgp&{{nuM8x>=E{mRri;hwF>U&kKSNcWO==^JfEOTS9(pX~5%gQe+Fe0VDE zNm`Xz5jo@!{>wq!e~0hp2g7x+L-Kn2HCS#}fWBSZp+4pg_Ady~%m^I*A?I_-#3lgj zXrUvl>@0vCy>kkHoifRpltraSeO4mjEXh-z)djD)9Eo;I*UByiu%nmqTbcg?jaj9R{Tlqt&AZ?=B#38=EzrHcbM*O*oo0aP0#gA9D5}j%{yzrMwW0<&(m?}_i;>y z^FS!$oWLGP3msvcXMybKoq3$+QCXF&%yZ7trWDFJBlR9^+NR89S%&dQlDcw@^I{-7 zdMUqg`Y+%J}#^a0pTQ=LiB?m|bhYa-#R@0sH`PlKCdXOYqmlip~k(>o_ zqj%2pw2)O%Fi}IYNSszmBX*F-MFExH`UjaNJyz0zT^!=abM=@ zU`g>T)AFN7bo$muU-G2rZI8P!XpZM4mb@&h7m|4Gkg;3K9H;9ccRgIp{$ebBQ-GyS z&uwGcnzn7*wr$&**0gQgwr$(CZQGcCzu!4`d*3`&sY)fO)LKb@omt);{}L@F^)WS~ zSJyB$3;*`+t`UAtc6p^w5ByC^>;u#(6J%AWrdDi@=@r$RagU}$iRJ8zxLOavR(-HQ zC)8F8DQjkP#}H}U?B2Q~VP#{_3-!eQg|p&P@vPughC0;zT$YL*pTV+Tl9ADf@o^sLcBCUCla_;)+pZ{jQLZH;uzc# zp6zG%Z0i&TqsRrqu?FT-#q0|&=*@mW3?GkhZ`0W|&iLWGT5Gq8xVFmkNBnc)+ILxh z`kt2PgcBYI@^pLntcNB#F{ysz@i^le812JV?QE?zy4up4bgpa-aGSqz>I)JHj!*8< zf;?&DHf~<2E&IR5W`eLaB=FEKbDF>%{W3#Y8Uj{$IxH3jQ96R8cfd=C-qMWdih)*a zWSU`0DRG~=NRuX8q>*mp(kBV$??!8vXgLG$Jsl}~Q}c>qo{^Hi+EVY7Ufy|sg@-II z-aG$v-&z3k(QvyBEk)Qd22xR z`{I>Zt|NHK0;lV%IR|WY@bEX*X!d2xaS&b|0PX|};_Sr4xD3;3=lxAoSj6TWa 
z+tWZi>Hm7vXAD}f?4t$CwgEIDC%=$bsoJXbs$97@GBiVxwKp5vYX1-WW*I0Y1b0k4 zB+=iNOP{|gXV}F4B;~I=^YbB+PwU!LF6FKBLzunR5#+5i9#8BRr(OHlp;jFYta6H( zM~!Aqelw!<}%XZ)Nk@&#s;Y z*-Tz>*zT64{wQ5Fz5(`lb*S`#ZAd|GXy!LKpLYG2EBYzg(`yFM8-p|F-CU+I0_Z^b zUhj4Y&cIyelO91aGZ#$k>)^(3ga}$R3}B;Cv&h!BUAxMHI8P44Yr7g6FJ4a&3OPVR zNY2QdWC!`5=SvYt@y>Fs`M(i@;@aK}hZB#pU87HxN`2>QQU2aPg{vJa5prg|oD0K< zue7Oq|3d8T*$k2>Q=OPb327aJCOHw@#BZ`Hg_RUXfV9hyQcm1Qs1Pg4%4`>DZ=S(NFmKcMaFKXN?sj6z^=P>mZJzxU;mKak=vmd}dZay=ZG`0y&B_2f*@v}{ zH@qMRLur$w(^_h0!S_eb1n$Lir)I%C&)91y0;fr&a8^DL8EVd(lz*tNnCuWjxgQzb z6-*l50cO=AA&I$6Li6XM%5E0!79{+p7YW>LXz6BGfSmND*y6Xs-AC)@E4%%kx4${M z&A0=?UET`=TgE~u!qZ4-W3q=t70eJe#`J6Nk|qKbQ+wk6#Qc-rf&IUfE8ObT3q^=c zFr`SsBfP6QH+e7H7xB1UAaO8!=3|XXV=r#)%0fh>X2SJ7r@N2R%*|T+j}M9&Jx_lk zFUl6S<5;bkPW;uLc(7{^_>Sk5Hr|y^-j#iCu3ihYX-8pGQF%O9*+`syg&AS;1nx*S zS`iv5v{cif1uiR%?C`L0nqvo5lVqI9zinqjXO3qg0L2r|FZzNvMRLzSwHuB7eN<-6 z{Wgkn7&1r~rMD26cC>|E=rePF?>y$6Y!;C{FiKoLK+7C{B^9v7uV`Ub8;X-v@!q$1BR|&k~2mHDEJ4 z2$aB`Dw#=cs8z?2l29y4s-bEQC;dPI-`F%$xiQI|Ax;O*(18OUr!!&Sl9aS-LrF;# z(DS%`-Zs9#FxZ0)K5fJrw=Y%iYqibagd`?${d^2I)HaKq0VQF@-yO>JMz$ZCTbHVq z3Zb`_W9bzf(!cKLhiCBsV#0I??%btlukoB~FCZAxrEl%Bl*X<5g+;bKi`+10fy_zb zZiYMe7ZfCP20v+BX?EZ-CmWtTY9LOuc66 z3;c2bs&KL&3Xr!3mzI2o`^yv(*JD_>sryjt%C7PxXCI4Z^NbjiZawFQfn9<*`U;)6 zEd-x!90aADxosu9ZJmng7qCI$|83TM{}k=fxwY|~VC+k6zubwj2kN*twZu{7;ntpc z!Zo2f!UZmrNmr?D_*d)2>j?}td^bfX^vxPF#yf6uD2&@*qUAm&A` zV6!K!7M4!}v+L{#>rBYDboz~$nf{#*e+`0Ay&uh;^X-7s!i@SDeg%7s->R-Zzqlr( zwnBeKOag1<35iwEEospq41jXNJN^$<;6zr*R5=-?Dyvw>5)W2+$YbQ5wImvUPet|R z-n}+VIFdR@m>})W3r%_aOi{FCVV2#qUkD^w^j2!PR|1pagjwhE_POMJi+z4aTmXTX z8NLH}(z7{AY+$MJ2_4lr0Fu+4+E>Z-)YLxP1I8f;+1rXCoku?kAkBGmx+C!KbpqA( z3)A-_WdveaW^?H_2wRns&TD{oW&b+`;t-N%+g|*Mm&2z^6DuNRI;}Pz2qrk&rU2YveHok$*$O746{%e3ZLmPA%Hs~bV z1vd{-I|LyQW1}6ZE4M`%kKWJvbpH8xxBokFK++h?g zH?*C^wZ<56SaBphsvxPDRbGR1BPu!FMufORE9x#_nC^tB2j?U~XX18^g0k0`I6lLq zAfRV)9wQv(n=8)j$$oc#YH?Ph;0vk!YWunrpr*aPAJ?mw|9*}eZ{k{_HMntfa2TMS z43QE3%2V9if3_3QSH_P7_H?|DQXg^#b`o}Sq;Yyl{J{M+s|2)UhaE|HIrdVn?Q0uM 
zA^)%;)!}f&kj8-zc8GS&*5yz8buz?VO}29R3WL+ZhLQErCDvOHc1HGAx^MB?VED^2 zoC9mCM4U^I5v@l0RHXJ(QST3!Tm!0C=Le4cQsWLCmad_y-L=)-pHEPd@Ue)m0q=Gt z02~S3880t!i?gb+Za+Dqj0mx@Ndil)w7{r6qWz+-xdv zEf)xr%a1wmPGl*f_c<*VtnAS^UHqzJ6 zt1H9VRFe+K%|ZK3hdsP!_$LPxZT3K?I5cj4@hR}q-NoD|=n6IK#i~){L7rjiX*2$IkdX{ua+x1I~w*CmvhWmZq5@z;F(V zWT5$phijsek{*iUgxD4xY;JL16UFM) zlY-N~dbVCIoj&L1pgzEHQq<+=zQyP0*{!e( z#eHly6i=(yAfLEDU#8W})gE3A{e(yte8H_zJ}ZY8K6p%FTbd;u^a-p)YQU1qO;vOk zVWD#S44qE{7e=R9f@U8;TL=jc=2?8Ag6ki-{=IX870(+bI zbv)+vjcBXf!YJAOPvHMT6U2CcXShDV-8)OP;S=3{esu((hX}0oqm;pYlSXa!yDMNj zn$wwP97CB`Qy{01B|Cna;x_W2wOcf>MH=xhk^RkQtH-xu9)>SN0=KH{$!%;DmtxxqK5HBBI~P0lt6SQ^jh^m=+@Y{4*0Njx!H zF!IoeF;{}8bPsG|TVtwpS*fGR%zvIkg8)^|J2if(o9i|RVZ_69u!(ryUfl(eaIzb# ze|TbbgI`|UC%t#SLvjS5$(tmQQLT<;#}~Ags%Dsq7nowHG#?l&ztgVPf>Vcl+{Wvv zWEXg370>I3A(L}h6cf-MDVa$@M~_`^?GV3MVYTaow?Ba;0xOgD zxY11&iyf#`7?RLwXp^yP20Dz~l~Gv*unMT2tgH?O(2)3T_9bLV)zb^g3nOt?RFtM_ z%Zt*)l_k@A!C#CNG;k6$oy}$)i-HY@ zCo!&#VNM=u4t~7(Xs?o;$LX06F5f$7OnxGd;D|YtWL}*%+ zhN~n-Y9!IGZx*?ZoCo6Ivy2A@F}1gFEj8FBTiiu`tSQSsq*Xz@I}!t4nB+boLJb(r zl&{uJ>V~F41w~e~zD-HIiv=3SWk%Wv)q9L*1}mq;aY(XrcyUOdhgU6qJX}UO$=!xg zD7_S}jc7QEDbSU)DLvuKn3pRI?e`B=m)KYY*E6PQsMWdS@1;g(DBBz*Jiw#S+{xoa z;n9qH`Zz}n@?K#;m1wn4j7YijU?bbaCWW*(1+!$-zPechMnuxqt!mdDC^y4xE9)O(8d+^HoiHegntI^)@#@()ztkkK?n&>MwW$qfDlG;WzEV6htuxv$b&5!MH_ zZFts##;PmIv|)GyOI11L_5i>ShmrWF5#2+ikBAhe@0f?H1Or9&pl6<>GKWGXkHBq^ zG{XDm>8HR8`;kC={zqV7$n}v@R(z9g8p5FK!{@Dj89SIudrsl`lZTa~9&hp%=eSk> zB8j2Hh8T^k^mESGQmi7TQ;w)87NFUj)Ru?UL2W5s<*|vbbwSE!MS10L|Hn_YxQ)oD z)O`e?TJ^ayr58ZU^?VJF0MLYe7L2|KZ-yJ`gWJ^Hs4_}KBGpke|*jCKB(d# z+r&SNj*sdY=Mp?PDcqQpGMKc&eym1m_qq~D+nq8(4989T^X3NgmI`&ecIq0?Try2r zm)yV5_EKmPBa>*xRZFyhG@GBa`&%J zsbQONrww-{ShftxTVa-rc4g3Ec^c41Oo)qATc3;UOQx>#dlww0`D+^_Z)_@4VWGt* zUPmb_A34|!kEoPcb7|~8Sben|7XQKaI8R{m>x1?FyxVaw z|K7MwKP-fpPrrmrX)Bx7x@dz8weWWuy#wE9x4MdJs_8wo`c?H+>9Xt11zV2^52b!G zjU<7qe!a-MGTT!1eDIW4rMyjLDzb#@5pCfy&&pYQCUs*2Qwf{!MI+k~a?ez&iK{+m zl`a^wYb{c)?JP^L%13tq7Q=n;Fn<@GKpZp+V7uO)DAZlDGV0ZC&k)>lYDr>sW% 
z2>~que|6lV*(^q)*Z@}hf{(NK2xB`}tsQq0xqu9z5s8uyhv;h9m+e08{vHAX!#{2vDcln-l{Y!aBvxp{H#mIF3NZHx4c&7}_P1;oYMTvF6%vVjW< z8j-XS1^%0DU-fkfdiixiC5N|~Jn?b>@d|;nPr_cd_+6?UM@>e3mhe=>tF1E(+Fs+gqv_lAvXXr0qsNUO5J@fO4WTtRci76h82_o0NQaA zoRtWiLo{wX%eU}Pj9-+k8S@E`m{zX-h3v9~)Y&j|+ID?Bzn-?0pDuXv>bAx6&nyui z@BL=jwBXFrh!uhPeibNxOM+$q1WpOL>cC{KEiR1U<-RFu4&xJ2Xfh*xe5prq@2}MD z+Q4%3O2B05oTB5Ss{~12347bX{kWv1YG6?$j)80Yz`S%wnT4==y0h$p7Duq}IXEB7 z)^}43;KvgwpihG#Et-3)K&tq0x3#^0eEyl08hTYP=8?fzX$$b|WOtx9EQm_sTwsc5Ao17o)4$!;a`1@PVr-wF^x*FS&wow)b;}c=7eSx| zeehiC`|Uc57D6e7UDKuva}ANfN$$XPMAuXyM?X<=ifTHZUD)xv%SP+C;1Q>dkJ%u0 z90R?JN+fZN1C!ICLv;O#NL14?Sy?4nYf!$$m0R=S#_uR5u_Og7TjwuGBALV$xI=Jy z=`ud5XTsJsI8gGXU8fbSt$zse8=%jOhbjQrko4TOLDlZ0x9X6<3I@ZBS{yTxVh;_?~H$O{WSNPOn2B4OxRV!U6dcGd05Z?C^~fWI zp=3e}QI!ZXIkDXet#JuDrEx-KR>8p{MYlb<^o~0TnP9nH#w zL|kVlbLajE_sG&8S&+KlPPnaWc%&K$5VY#C*7td8h$yVY@31^(EZuSGIqG91t}#@K zfYv4r6f?<~!IoogT23huA|a+}Bg2sH8YgH>jgcr!4BAKS9muKQ8{jExN`~UXP*8DP6Ey){^lK z)zdT7f(hKEE~+bv;D4$`hS##p{oHCb)ly7RNr3`hN7>W01E%Pd0!RQy#@cdYkFh$N z%>6X}3C%#FoZlH7z5vT4T7#e3_tWI=B2EW<7S^lxB;Ft^@QK=w379^{YY2E$=!hRa zSwDxwIqQOUMWG;_Hf=m+P50lM$oaqX>SDk(>%&*?J$|db$}wKVW#$3gN(mJ_7xk3ww-Jw(YyK0x78CKasWSXlHnCecESDW<(!wt+bXw z-VVxyV1pjFaE{h@^0UTit@u}Xn>ihZoHT|Z^Kl~iXhu|5HJFA7T+#vcBMGjOQ{5f} z)07Am^JwVX>@bD8F*1o7u=R|YmcP1N6G?A*68Nn2mBt)xI9)!pl;4R~|LKT|?rr)r zfI^fKu%MR?9|(XN`0G$q2fRCQ<&7rN)d)~NCAFvm!ozI7S`>gEw&s9!JjIgL4o){w z)H|+@15rBl$^I)Hzb+~j4=~YZPb_#lo8t+t5G1YxnEKO*7u=J}Roc^R%zf|G+_)_i zvNms6>#+3)pxsNtAByK^$Wt8F0AGd^2(fk9}$QcJy{D!o94NPcnk` z5pIKEJMMtdy{~|GKEyli=_Ujls7w+b)r3pZeUM-%p2Zb`f9ttU6DLyCa z+;vf^T!82pLqREXo0dkdJ)b3UyH8>m7H3_raVnux`yOc#??|1|`Qw3CYjlF1{0ZnX zAn;`&^%-+#iQ%>YL>$XU7Z<>YW<_vJL?)OL*{RlLmoHkSI2F&EVx?5m91hHu#<#mH zT@ksc0IVHLhSnjyG8iF?ha=*1@R6K~(C)k$0aM3&!6`1^I61)yn*<88#QVgQ%9rO` zSCAMh@6wnI>m^LN_fvsB#4e$wg%G+-t1)HDKzW?{C0s`-xanlhiG0Jwy3da2P__DInLaqQge%kLA$R-_^ zX1e=AgwZjqIW>>%Y=8%8gAbwn^=7H91J?E?RI{pYAjev*+u9W8=2<1Z~>pw0ErV`x@5LWnM(lRU8YXE1}NJb$0Df4olvhJ;gPQ! 
z;vDcC)LI*mG|38@?t8HuTmNL}7ySWvmw@*;>$mAp6l~U9^n{yAe;qUj=0H)2cEyg5 zUlG;bAB9{aKiEnCBx>dCj+CVV7e?C0M=HQ&L{@89Rav}Bj-WDU2=kCB!r{W2O332q ze)Z9*l?m`|rvE&bmXdW;+3`^W1*POvr1vc%@Gh0v<+7SG;N!KrWkpzqyqHG;y@pd$D3Nwy7Dotz69PBO3I;Fo`r4m=q z38bz$ICWS3yd)(Etgzf#37qDTb(YnIQhOjr?{;#E$}^sQ$W&uO1IW;pDb#S%YYcCu z9E+kZTP6#fkJPr=^)vTM^e5^Z2dzgvCA*2gZ+Vc6x~#6sOVVv3ba$`Us43V0Pk^UM z4h2+n)G%3GT?gda+4UN=o8^N*36YjQ@d04tWk>GAB95nO4-!kZ13_g>DG?|oA#9|T zMEOQxEee7)xt{#4k>T&65#fLXQbwX#$V};{4drA9S)HXL??u>Nn0(Zr&HQGVH-3x8 zOQ!mb=Y4`oq~#JCopTINMfHpiMO*y0$bkr8^SM0q9OAaxYnU)kn2a7sX0sUm=IYjn-vP&n<+kkOl0&0~_3!~*w#r$(*xqk^EyrAJ5_ zGq>!8`>m-6LgL(Xi3%YtSKqk zN{Z=!=>q;-H>;=<>+@s_AlK+7`ua!Bak;g6oCRcR%hoe37JsEupyAjW>NIP^3hl59 z4USWjvt}h>tlk}T8IiX)imo#W;5D$=8{8?=tTmR4;JC-K*%&G~YSzKE&4Goy7A&znwt_wyn1TMt}FHo&^ z>+)5#`R#dklX|+2UFJKb1C9=~r`~nK)_Q>fCJ;;9vF$~i5La3LvE zdHY2Y(HMpG$BLAr8MKoLAo?;dn`uqWkN{RgHBnh@Af36|2D@dz+ASyOn2MO5OJ@GG zt1G{Bauc*18kDo{4x$JP5ijbI*MhWL{=!>JI{ZbKXy~Q-T}8B;QYoBSB9z|W6q+2= z1K$3-r4+bHgZ@Bf+;QXSy!Yy#xxdkGXo+ztR0px)WA3c}k zt#u()OdtqNEmqb)6_99zq24H%&$)*+j!yZ# zt>nggcEMaSX|l#GHZ6n802RDhKWlpLllkbd9}aU)-P$u~GuD;BHcND%)KSySfty}; z@BKCq`T|JyKn`893O(06s-_jx7>n%yh*v|@(`8zKPYjMS_b%Co?XNWFJ=9=1| zD|7a!cH4j**aqyt5EVszyw`Y>-3+=BH({)+EF3jXQrE1#j<)G?sm%B?;bQ-okS_?E zlh$dpxNNqori)Z?5*xR19%)~ncRT+BRW}z;w~uC)dM}AYkX8gI^`Bg`DaO@~eCFU3)fw!BSQE)>S$5VBl_z}~JD1itN!^-8VD*={E6cs$&CIw9tidp#AAesAF{As%HmF9U0inOof zykFo_;Xl4a{s3$Pk?dJ`HvR7-&8garB#pb*#V`CzQu`y{@7Q8!(dB%ppV)uAZ`a&e zHAngOSAREHx88@m9)%^!dtM+Bhp4%`XP2~rwt+$D#Lk!f;rQNq@I9=Gyv`PE{$!vqiH|gv2PNt;!VG zsD5f-W;9g+eH%+GH646kx}2$#ihG6J3;JcKRT7NM7ETP)Hm{q$Z+MKjl^MTN4$7-L zR6RcN6o6s>c3k?IpROaNIBvZ%9Ua%J=0Hr^Rug%;uFwcItoY+9PpjS4_|r_e@OL@2 zaq;C+vz{YoOprN zSaJb5y+6rZ$L5#|LpU`>L~q`^2WtaDkzspLN*Fb$v+YCC0XH0{l>4qYF#2MN?|z+g zG&^bE{TC7L9JOB3VLs;!^??2@hsUHJ3_`Ufd*rItj(Kz(uvXZSEr}`WW0x`FjPCsMF5Bo$XHF1oBd5lT(l?6pi&oq zTXGB_hpa*u`M=#As?|c-fwS6w-9!=|M`mNU3r(@<^utg53g!8l&NbLsuJZ0LdTG+N z2e%{WIiH>^e;wp>czG(45g$$o1k(e1_}JIF?fE>`JqNXWtirTf-eI2F?R%nea|a7r 
zmMcF`6cX3Cc4zf=JS~bAA)5>sW&*|YCkY)13jttSADUtsC~%-YwlaLqYtM5nnir)$ zi`MFIYb{xQw5F_ElThA&u&#pZbRW1vl3&o6N=sSc6P@%;<>)Ex9bzJ9=9lL5mb6o> zo7GSna~bZ+e6csGxi>Y1y5Y+&UxR`d4Z)Ay89*IRS@t!@D?^4IG|N*BiPE?PQDuT; zb4)GqT8VW5d|YOVZ-zkRX)CM^KNRj8Qw}(1fk^l0h^u2V{g6U6QJVLEy@(Kl*&s~> zfRJzd(GTrtCR}ELW*^FWg2&J@xio6keZ(l9U2(-sQ72mEQ72FI96~G0qGRz64IqsD zkYyhXK$xziBzI!?MKCT5u=1zRu_TD`h3CFOF}*y|6l$$#}#C+<%^Lp@g|`&j9IPL$Om}-m&b)A}Uil5@ZLRI+d_6 zRR`RLu5e;S71d!Ue!X&Mf4pM+Glv39*+I`ZBl@W`Xlls~TO=}8xL*gpuxLT9O3MaK zg*x5bE!Zr)yWtMb>FQ4Jc{DI?rF#95$IE6fB%0C05$Z_X1f9dwydoxM3aV}S%#P;O zyQV2)`Rt^&ws+^1IWX|Mc^rR#`81jjtoEbZc!f@cx;yn?t$2e$P1BP7$sy6Na{YOc zKX$}=U!Y!-&DUywoq7^A?7xQ?EjXmcSntZ{Pqct5AKJ0H5KB(A6bL+d)ZIHotiyV^ zylaa)Z_9Y#(Sd7s+9`n&0M^JHfs>9@YN)VDg4q`ZaT#gC>R(o&t10OqsR_}Ux)qYB zXH4t+j{s)Wqs~D2y!@o&_4WNq|Ek`9rKOiyhh}h5DXS3Da_ugki{J@oRTy995mwY1 zc`T*LfW$W_+O3MtU~r6}GrA{}XA#itnVHOVkCv{l=6HtQ1%ia}o=1+oE?e_agV;re zV>8hz;L$oi#!1CNhEHh=coB)hGI7DP3*ExB`Y4d(j1(rwrpX9ec2KROs3;_fv@S#W zfLj>8R!JSYj*E=OI8xb~`QJ?S0!b`){OuHpPx^7@=mJ**z5D2Qbk6I~wXO+=iMf>T z)$OHR{H}7A>~rpxpFd7kU3<5>`%`c8SIG=Vb|xE#1#lQ!It}kW>b33Bz5uPAdmRWC zR@8qE6^RV6=I zNU}y7&5c>VX~}{6zZ1J;o)(2(h5ue5o&qLdJsD5>{QTYd$u1S#I}X+}+N8;zkqXRB zK$t>e6HnF?>iW7z`e%TrPIm_AE})BxM*;iNJ3d=PAN{20PWGMRRGL@Aqy>Xas@m+* zULwEbX80~`O0`Y~a|xvm_S-f#bIIKR)6u-_S~?yQ+*F>zovlh{At0P=amOcqMlGFI|8ZIPJe3|9oT9AO?@DW=eH#k>DV( z?3heK(U`j2$3M(RGf2OI(|^-g3imI-3KZ2#Xp$uIL}ZXri&?Bup|dONBC!k8u^I6v zt&x1DgBK7EM}1%ANkLH;q`XDZj(E>9h^XYg(c6_W8d5I>VBms0Js9R252}_rap5pm zsP_+6Y|=3XA1?9it$NinY9{);*zB&{)`fGYn$36tfhFI80Z|t~Ip#8GEEQtypQeA% z>icTzL%gMoNPDjP*y@EyXY;^c*gclX75*_95=q%dcRO$bjaNo*SY9k({0Mrbd=AM9 zfFKGMqxn*grAYd>2wBDK&xk=v54^40P$4IxXD+(PMtqKrJ_itG?mtlqNVNZqFrVVT$X>8f0O#hzdywx3 z?0`Z14UG!7oBECA&HH172O_-06)Egqof-dPTX27-9q3OyLJ*jRbgTm_MyZ}|8y=; zaKS@>*v_1XMTF@9{;Uj+s-nhfI+H*pKgl(l=XLRlMi*DsK@u0HV>6_!V3gQ3%%Xxw zY1Rd%bn*0zNB;@ZzU1F^;lnD#2~i3kSgR4{JnebkjK}akFt(Fdul+$eQTjX8Wvz4z zzpZZXnHpJTP`-BO3^uMI;M9O`(?&(cpO;v0Fx5No$K`JI5S9V;?h@?RxtSMD&^Zih 
zgsc6%-_``&l$9{WQUiW^6+Xm@|5Yr8_LTDtwisf;r9j9ZKRX)J)?Wwr>nEmQk@jqr znsBz}o2*+If5raZLG!F!?&*n&Ii=n3_=ePq>k{()5I#m3{QiL>OS1<-Et_^0)!MH3 z)Xg9W$y9}Mb>;$!MByC3&4%bBa&3`-19!1Vnb4`z8e*gl3R`G{&xgHs6{iEL>>vS( z1gr;cbY1BjWv%5J^*`QCtw&1uu|NVRY`JIV<}3yd9>i%^^FDQU87hwQ0})-&6G$8E z$x}cvypRq7(87(=Jyeb$b@jVlxqqSddi&IS%f_#V$?lulAiIN_W;B;lSv55%U|!Qy zerh0j1|HGJO@leBYc;en#M8&m*cU*8+l8ZkrGs@9j|Lim3p4RR9`sZmY1Tbkv?eHA zsVTA$;+lOQ9V}p~u>VcfkFs9!euzZ|jneE8YN7=y@da+1;lxX$5Zn4OjCbYqpZXv0 zcwc(+kSD0+@ANaC;@Q;4?eCbGgoZ8c>S;z7Ij;i-*i7*Z@3W1 z*pj9TRDZNU2&?KaruQj8F#VTZfqMGt4mkB|;JT&oISiUWp4-e_M8m2^tT}KPyq~t( z*!dZ73DmM7eiOU4K*EEonx;gMnexDsM&?7HYAFp1by9np(wI0ZK#Z0rk{#o(0kbA>XNcoux?uSZ)|6$=lS!`EsHhwn_;e@OXTx1R{%Dzd*krnc+2S?}leu~|uD>r3c4ed%G}8GDJNK^) z5d`VvO2J-Mz&?HavWR+afqmDV+G~$qZ#M02es7++USU?DZ)`1JV(zCBn9=^5a~})> zhqzAgQNimh3KqLY5-r^%?QR5%WT5b^RBo2g$PR`Y9N8tI&HK1+og8bPgaPS08y34t zFcA!36byQo9q@6tbKP1JYtPtnWz6BpPFSaYE?MA3mL=a~ZM<4xo@yZW!^(@svLFQm z7?(UKSa@Za3{9!fr)&jRrCYBHK1}xDg3~f?QgeSC*otMEXr^Z@sg1aB88lHEB?`6A zW!}Hb-vMou9`%SWr9))hA!LT-7WKqb22FQ!PNhzUp-UQ+tv)OKlc)Ug4p+?|%M4TK zh#39IJ1q?9_(e|5B$90QpCN9R?m2W#$U5B&vJj*N@{?Y^p18SO7>9;8G42Yh{iQ9j zl-rfga_cX&Cta;LT`QO9vloC;ulna32hvpEhUM%KIrTA7z&<4hniMISU=*hg4}Jsy zipHt~8ei1Tx{(Hk%DiTV7-8jNk&)*3BzQ)EH9vin$9zZ4VZa*$VD769f?jJy)@_er z*&ZFwI(^_HfYKs!;%Am;v-VVaSuO)Z5dpk^;nqO+p}aJjf{&=dpG{vCpsy9uCPS2q zAg3wf5rHyEUP2tBtU=*AiubiAi?(kBI#CINwDdLn z^4FTMtp|VanM1>n`^|%6TmToddbwv=`J-8z)NJ`eEos<$?s<;~L&mI|f5u5Bew~Hp zKvL0WBKzz1Ma-ls%49?dPrVC?sho;_sTh)Z^@t8Kst_HUu^k5F@P9|@iX!n*!6n_; zpQ&YAC#e}}5rpv$4j*FpN8na!f8W5~t+c$&y+@V&o>c#y+_H4os?fuM^*3sj2h|ZO zO60TuFL10vRRxLpj8g8b!U|zGC!jMoH*Hxw0Mq1x$)!?nq765~lr&LpOR+ z`$ajY?xqxFP2PJXf973j*8jvpT*L0z2DK;XS2W8&TJ29&-NR(GFDv3OW7L*LofEUA=KS zH#n|};y+CMYq-z6jGfM9bjb})%Lqk6E|SbrbJU$klTKu2fgw_39QnDn!p2F_DL!fE zWsrzQXR(U_EmF^Bhy~ynN;si%MI&*yFZb8qzi;(_@;~uk;LU4KbO%p0Aa$*8sNQU5 zV`ATIf~+-3*&u`@WF;wW&{1+Yp{PkmGYsL-QbDx`1M`~cFl-~xjT$XxTsDLssiz0; ztvYue-l@I#&{SGlc;__`d*FSru=@U->+c?(e_n2X-;OvVGIk_z@3W#gW{*1HegRjn 
zXI_J(x7HB+sKqMah9`fI7-s2!%`6VNddQ;$Y*YC0wL(8HSu5sVDsSY=?P5Ql8;)2b zc!y5b2_r(D{$Y}fLgPH>_C=G6+DVV3vCJqiWI|#H^m7_XtTIr{Q0t-_q(R)#Bofu= zm^lvMU<9cAsiR=l|2y)y&pYI=BCQXfJswntiCj*$PaJO#o8P7X%pTJ{czZhEWqP*B z2=W1>Pn9I@v;qL$E3sa<|wuPvUCBKp6?LOvO`XQ$&8()6O|IRKyB!gvNve=qFl%hIZG3N*? zEF;@S=&}Ce8ca6$j_}ik_m_1@5jLiSODBYq8N_Tu046q?HgxtFzps4 zZJH4i2gjrnJ?2T9@H2RiDelR<{O^h?Zck2i=)=p#-((=-!A7%!WC=qUIJL8atV9QsgK7uYB9x%1}ZRvu*5*PvqrrLEq7=|6b#k1=d? z`cVn|-?M&yB{}!=^@h%<_M^ThXRSy2F?1ZTU(6T3{yqxLSh`PtXZa102}x#h4M z88Mn@eVM4@BSXZuUElDHNb1l{T;w+!i=OB78-Uk=j@|iHKBNDH9fkCd>Xg~Tpg&uD z;TG89gxXk%SMdC`P5dDLn!qw^OTc@9L2`cxHoEs-_ey-W1y406COmv*a43$O-G$Pc z;Piwi78oj#@$ANg3TZK`-+?QEz=4r*o|KXC$cTS?kKOq*Swa7S2zD+GD@{;3#`-4d z+`dVrwjG}!`L(uIWB3E;UvtjdN+e!#1EJRtKipBFIdg1}Txg`oX}{=Lw&{PbbHZx= ztFqetnyM%lSD7Q_VFg_j%={tLj{8LOr29liM#djfLWDh>ZU3MUuE<}`O_aCIx-XRDWyyQ0aasTwXe@E|7?7e_c%)>&yNM^=>`@YH4^ z#$KXb6iTCAj1SArtK7y_(|ZK`!o5^lIE3aloj{{CEwS0Y9N&$zCvS3;y3PjZJ@ss5 zcOv&=n}jwz>T8FpmS(t&=r6;Gj3UX(GOLR+ym0O94bP+6?%vOb@p+z!`t5w>u zsszBwL$10thq|kSBJgf8<@X||F##<3(`(lNOM4?l1q%|TxoCDP&GbY{@_^7SX(gDD02=wTwDgmG(8kfxg(X7U%5E{)mH7dqZ0BJ)^ zq8OSY?#I4-y|#bUH|m(ON}86XO7J<;PB@heElb6~k?@+j;q%~h{^OD7EYaLxMRDLO z)sUM|9M{tlfsz$zY6&GAfmmPy%=!!(Gp>vSWbi5|KUErN{*iJ;GT>=Z%15s`VJqES zHe=avprU9-6RXmoFy-V>lfHuLsno-`RSWa8GP#t3vw5K`A+fm4j*z|4*NJP5 zR8)L9qsz8M{hK0w$d0->sS&q8E2tu!gUZOD=B#{kaV)HVo~Q${AXs3QELq5 z=Ve-{1uI~1HRS+elFp{RGPy+d=$ehuGU>?-<*n-|ewvPEr6HF;^z7Iqf{Idf|HJ@D zQO`enYEN?byxjAW`T!P%3vca?*v%9SVv6OMrZO9)v}rm6oylNBh`A``C5z0r>FZi` z>+p}qCgp`xHA_W}iTHC`M@;G~qzkG22c%1J=7pl}E@u}ayXV zhz-h#{|2ctDZNi?PzorVklJ}doVYlr5HDfn7?T9L!#+AsbZioA%m9{Nr^SzSNk;K=DDP4d*=4W? 
z>uqG5J6Oq(7!N|QSFBEvKSe{C+3qT#W&HdeEe{sAPf9vodXzC+nraRzDysbr|3}j` zMrXDK+1O^sPRF)w+qP}nw#|;Mj&0kv(cye=X3gKb&N{AL_Y`)qspoZ7fKfLAh$3;E z=P?ZFvXQS{r5zi3(cGh6^!_|PpF|8pUFWVaNJqt5)0074w*Ixi-Q(&n-^6rD==9u* z!Dqq}>wx(SWQ?QuN!a!jHnte;e(yQV?Q|+b1ukdpnpZ7EL0SDnx%^`s85LjMZ8_M9 z2c5WmpzG6cfY-4=%3FrOdx>8-x2R<$+29yT4hadQof$&DtlFkCy|>G8fV$m) zcMGcZ>D!ujp4EmoSV%h5x~_2llwyPra6$3qt51=*+ev4lTasw%gi%#hWF;*(*l6mF zh^mI0E;WA}xg20TCPkw^j-`&cq@#VFM_fQs^0-|U+vhB4DuLzP$#?%F$L#yG{HW~` z0Qn)k^Qy=YvcUuyW89Bid2iw+VE4==@Qq(CZUw-~2Kg!a-B|8m_tYWHlm-n|?UqAg zBb91-f4fW+7o2Ajz(#Mo4TA6KSzb-+S!`@24UJ#gsvPb16icA)PJS#H?td(Q!F&HZ z-`*9JAOF6f{H0PG=n?IEV_!$qt7d&*)ah>iHN+R2r-v&&M?IJ1c%UTiK*r?HOtlvH zkmN8Rh+5H6E4^dSGL_UXtZJxch77ZMCXqVUih=A6wK-IH4fu9*-N-r^*+NVU^bbbZ zT;G+9P)DV!xTDpRaL3PvIZK5S3nkp$o;DeOn}9nW&Dif!UxqKIQbboFy3_3@I+Z#c zzR?6|>A7qIT?6JR>VI>Hpp{jZRqwk&AG5bm)A>sMB!DQm&qpecqnVbY#xW{%Uf4nw z{zzxFwhRA-B3jtQ5>2g-E(_GQpmd!-LE^P6RsT}*&{AW}9S2hoXFWHnl#Q5*2JB=RIy7VxbO0)Yvi~nT$kR(0d%THjf{u}n z_SbR$eL!~7EwB?ao{e+hQu9UHuN^?D()ax{^NxP;t^6WKv@OYf6UR{4?5PSO%h#N* zpQjfdBWGQl#7z!46XGS6spvLEZ_ZtYBb^rcCYOw8-d!^;Cts)Q(2)@!yrNXGv<$5G z>KQ_q;$l_d!7Oe`LCVkmhz;>*7l&eJRuQu_bWylHz!l}xqCKGohBd*YmgxGS`1bza zlCxJOJ!kRKtEbMVW0Pj>&;3gcOov+ZWgvwhUg0jWZnGDXeLfd3oTt4xgV%AFi4Ui- zoG?f5Ak^nWWTyD&Q?Q?O2HZ2t1{G!yI~Fy}dVTXTI`t%J;9HNyAPs`5$Spfo+h>N( zpHGQe7Aqzb=v&g{j^{rtS$;&9@w>~W{#z@T-x*w1ZYKLG!Eyk4y+uYo0W`#(Rc=7# zoVEjm@eygLJ?yi>Oak7IB$wTiA>m2d|Ka!>Uc26JL_FNbjwz835M? 
zwXB-?^j|1M(}@}{8mGd{Qp~F6j)*Jj%Ezq9ZrPTQrBj0tWyeB=Y@+CVvh77gDpdBv zGbf7KQD&u`VCaPgET-)YXhsd30n&Xf@-)VrDgvn-KR$dhyunaUQkzniUX2p)Q>1L6bY~LEXI450 zBg+q=R49p@T&y$cIf>uJT4IU+CPs`^OOCWSi&3$QS?4g-IOx zrm8%WDz=h^_G4tt+BHWDhot1nS}nZIUNP3ceiD_1jvIzZ1lfRzdEr2bSeW_0}Wveu>#2(emWT8#>tIb@hNh-svPD%ox*KghFrNO1YMpBs) zJYFTEXiKZ39wIDq6aHFfd0J+l6i%7eL8R;i(3ws(D|CcvlXo4i?bd`xVS&8S+fqqN z-yKfJ(I=S;uaqr{fKYc|{yH{5-sN)Xm~>tvkG;SoFhO5+3Yn6cWmeb(_GiodQcWyi zpoEINf850OBv9wnnszBV?@*XiR{wNV&;0(C)Ap@N^wTJm7z2YOC;ou9&h zWT%8vRfh50#cp`mL{gbng?^brq$M@7$!PLFQRJwmhx{X@cHqoC8sNzQgdjRU@20Z* zjBq3=j7hdmd9q#9;?PQC>1Ku;*v7kpUPT==lL(acoc&2}YqO2RQJ)F>fuWY)*6fn1 z55F~0a?fof({zgKxzym>@p^zK6^LBV+z-h~R6kwawE#LY(8JzK*eQ{_YGHv7$hm=- zTV38xCrPasgHp{6S1Drth^CrJ5*4TtO-+s{r5s-jNaB&J3Zbte)a00fAy>lsVktqv zlXNG4_{*AYw$4MKw77A+n9hDqgMQ8uK>Cc6luuOvX_Z+?S}{ zqs|!wDGbz7lJv9it#*8zWggp;N8-f`UOUuF*Jd^wOg*2uxHjvV5vlBuhAz}J7;z-2 zlt3!s^q~{I z2;XNvXE*wx*S49bQ*{>LWF}8j8I*Rqc~S#*XXv`dXd<<)_}S%B{l&w9oa>29 z8cARdOeu7dOo8fuL_;f)Ikz=?R#Z~RTTafjKXg{!A9*IByzD2mb1==)pdG!2)e_Fb z>WJ~JQuiaELO`2arJ|3xw|(JPn0xWN0gU`GVPmtpHAMIbx>T*Fcd0`J_(p{edhw0Y zf#jRDlhsd8jg-rom@a`5o(W~_go%YhvR_(EO6ss;3gliIlFcZ{cU~U!V=l4G>N8|$ zB-_%ct@SlPA7@_aPt{{|`9>*Rd4jtJ#%Yf!&18)Omks80@bz4#W|Db|pzSD7*0g9T zhu<5lBQ?zdivi1&vDGQWJ(fUZ^C(qK}>1?m;c zoT%=AIRFjOJuB3+O?B~DaML+i^s@-MeLW5)OaC!-HrB9fEWzgvohT|2wQY<%8gROt zggR8pd}c*BJCX5Nbp#N1QBrc!VI zNZoXxJ^Z@UQNBIww5sGlxRn~)C2J-z1%(%K_4IhwilbtuimJZy>9%p3@*b_YPfhgX*Xw!ayAI7YG+b|G?r*Xb?dz? 
z_<3m9W$a2aqa}j_JJ+{5mn1#%N|j0rR+oP*jY$&43;rY=Dn{|bGl!VVNhyq7GBEhz zN#*04kV0BV1taUo8SR^?9k zC?w%*UPvN}usjaQw7X_D)UwRAoXuW38`Xi&1=%eWB4KgC_X(fDog+2%LqqWghE_fn zvbnbWl|ZU(;z^9qm|DCkVl&_lIQ!eVL|kmE{%HpI+_1TIvjG+~ds>QH-Cmz#g+MWi zO1nmI@V84__$BDuw%uJ`pG5n5eM~SYUVq?q@*E-hgTGgQrwT(c^mh;qj0F7JsmS03 zTk)~`y=4j}o2y=2Lg@3t?+TftWBFkYsmPII3AuC9N+Lk>>xW*88zVGNI+HV@^gkDo z_*_WCt%_m$RK2ky%(J1DZJQ4X>VJpu+iGo-0XW$;+{ru1YmIvYLomCMJGY_oY3cQq zEM;%Fi@KE^xKu1c9%cs5=Q0mH64MkDk+ak?74*`8Y6dWWQd2$C-lIh=>!t~^Idnf4 z9k>7kJs26SKA%LkWqivCAKsM@Kd-8}s+ge)vYyqvUN3@Dgup>dSj5&%zL=7HeDt+# zUEusq$+JA~tZuXK#^14U)7FI2LJx)D2zSS`)i+tcDzizucu}ijFACdb(N%{v1S=L! zj~yfgC{MmZ|MKYLJeY0&YDZ@M3cX%MhXNd=Rgd5z3jR5R5yo{PYxp}3& zeRU^5l5H(L{Mr-s?@bnuud@4xXi@b~D&}>A+G~OrS8*y$$UQ5;U&d4{1xp*`Ci))p zS`84nhsWiNL^DxQ0xgL`s8b>-7*&A8K15h%Ig(s8cEziOf?6icFn82>t|sgL=x5Sv z>yiWeZd+_DVRI9Wmn|HcyG}Br9zemO)%Uc?eZQb0Ch_mUS92k~$Z}@=sK*qoIyg73 zf$Wii&Ef^J!g{qOOLly+X` z>x@LP2%57~T<#++VN_(K?*;Y6h3Mqc>`#)Yi0ZdrJ{`>OE#GGNnRZ##sNmqcC0AF0 zUi&Jk)+zxclgln)7jG`Q^r^w)xlAlXXDyKFzi>=va4CcPMC6wBP*GJ;2c(U!B@!|^ zbo~Ko(yp7^x3e{ytwYU>oxGf;v;Q!Vw#9yL)x7qEYtyB+U24k;h!aZqyyyuc+UhDKYg8sU8eu65NCQy9bPAMqK9iXrK@;K_-x(rJF@%)f zLjWcp!ZH@QVkh|S26sXLj?&UIJF;Hsz!y*BE69!HhrX9af`&tu(J zf*|f*jp=;#9nf0?;m(I0*l6RqLj&n_ot43K@TFGU;ANUtKhp?F*>I&~PX#J2XT8W8 z@@OWMAqBj(c#OFWc0xgHbDn+No8NB9OodBeqD=HGlr}liG7}I#v5b^5JGM%-Z2=i* zdA}*^CK2DQw!}}Vbzkrq3A({-X%W@*9LpX-H(RP+E9q{RuJ(Xdd*%)OdITeH8#Zm( z;9Z(mFx{NGtNbXuc-C-kA^uG-kJEUW!uV@E!`2NqcUCPe3wBgeFCywl!m`a|BIfTz zLjGF;@cwlm7e|s@;14I`a1`Ls@EoA}HVn)0iF_b0W5RqvHx6=ZXU9}isqq;T(S zibcwE$VV=UczQUtX+l!blv2{^hJK(xB6z~_kVWwhjK0PzGkaj9V@TG}xMJtGkuVC$ zz4(-*;ey?7)BM+o&HNaGR(Ks^Qlc4JtH=}`_mG`MoB{9_fqV@AK zIwqb(yk3X2s1;sRq~^5@zOqD!iL zE+}S`v#x^C1|#U7sLnVrJ9f7jxiIFX+*>>9*} zN<&^S#DiuxgbZHmmzA#E|lYH*l!nfNmAq zvp7GBbWF52s9+=78E`Nh46?QP%}{a?F;U$UBD91&x#`r&m8XS|{NmadUYgzC&e^Ddc!qchJx++kwsBUhtK_QE*)FTjam^Ea(RU1{IFN!Ab;XU%|nYs95cFIx7c zQ0P`Ib#DLL+YyF)S1tTDpR4_HhsSNj5W6tiB<#J~8OdS@rlAIzNkhc2YV0xacrXo- 
zCCaEIcKs0I)qMO?Nmhx6)RXDXMDFzUi<$-3KMH%+j<+Ubz4Eq3lT_H^u=Wr?Aj`!@ zeE7;$6YV;WTX2I%ey#&TzG+@fDxIll!f#G??XT_r@vGQ4t+y~|0Sj1Dz3L-Ly zD?|y0#f@<*E|)J5y5drefS=`6f0w%B4rpGLex-PMRmhA!9C_YT1pKF`HS!hchO+d( z6x~6&hG~2mR6U$-vO@Z`%j~k{cO}deJb+U_j8}E~*)Q3GHq}9fp%UB>`xI-*w;IkK z*+OIEj25CuOHE7yuE@nam`jTgR@K7LL>g8+a1PIAvJ|1z0uay8?Q|`y#qt=TR--Y|P4 zU{8|4LR%G5U;BjEaEnLUSbdhe~y) zK4>@!Bt8Hma>Pb!dm&grZ+$*2R+%8d1$7Q+4Hs>;k$XFZ(+?94KL-i(E=7 z74k7jDI19-Nu2jUQ5N@DCD|s)cryTCG78bvVoz2Np6F`1(RdKJtT#k#mb2S*C`Rpi zRI|#LzP6E%uGn^=lje$_44Tn7{xhbbinKdBT$@b;BgAP;8uLrqg4hoS%&mpFgQk)f z_^0!9!Lxoog7(BzpQ67iVX^UEkume=-*Dm)r|E+BCUswg?i-V<64U#`1^QO&TRu|0 z=m2YN!!%JJ92;$Vtheb?=nphmwCdYc?5lMX-h0?m-xtd0=J%mhh8J0QpkDmlErL-~ ztOFL8=WXG;D0tdOWX{wX3?8dLm<^PDGSmA%sCH3!GY!|PbC%8eGAvz zER(b)Jxqf}Sy^h7fT-A}O3Pu8t2%)eye5X94q% z3<2V2j0O-WVuF$c{ zyntOax-bQX#XJKklXo`s0+(S6jM}Oy;$mbc*vV<5yl)3CV48UBzta6FN1+0B z1kD*o163+>LQ6QUYDMMqMMhL|#h$wj{y9vf>eSl7dbc*t7_U@%tjz2w-Ry?_i{x!W zsX*^!v6%%rw?=2R{t^m>H3CpPt!0har$2%BWEI)3V4#SFZpjg5t1pA(dMeh7PE7>d zMGem-(i34t`wRqmG*C=Z&=PwuxSA=!GkL2Ik>$mPI|B&h8NCG}`Hc_?CpF81}S%HGET56ck?Obe_8C$lS48&(;_Zq%FjEhsl>Gp%<@<#e$+ z{fvNa9<^*G_KssG8nJjli?E)rxV0Z_mWR3as0&QpI&~AEV;TBA-ubzl1krnBL_UHb zIytsHe+8i#q6lSEYn6EJpT;RIW=6i6zX*LLPb1>282V9s>=`{~*9QRJSrU)JyJo-X zgKj4M`bA91nE7<7suJgE9@Jo}KM8>bajqWb6+&{>}Y` z^mTdr(;`Klt<}*WhP8Kns*GHAS-0coZ)0PNd_x=Ekg@MlCdd|V88CxuMj0VtBojo)K-EbO$$+r4R*X9vpKXTFL0FRMunC{``K z0V1%*bVl(dro_bC{nA*4c<GPs8$3WStk;aKSjCo=j53I%r6+^VB>+&Z_eDWAHM;&lVS>KuKF%Ppw*~Z>5+aQEX21uDJ zC+Cb29>L-FYjZS>xHzXVG0)fMrjQoSzI88x1gz-VzdY_~lz!Uu;j*Rie!=K)sLx~g zHZ`(53=UPCXZ_rXH!JFB7Va{C`SS1 zr<#IH7N$BOrb34$N20jvwlgNhCjRg^;CL&B&KYavC-;hEp^UfAO<~2#zO6ws)6E_B zv_>0SPt9z~&U0cKvIMKLzn8im(=Gy$f(P;qF0a{)lGhNAU45#Zb_qr3^k(Tl21~aX zy7XOQ4l(ahE?s|^?;Y>$9j}TfF*}H>;vC4rM|Hhogwr1QC^}gF1}@*h1MwkL@xiJq@zRl%T}@l!Nk^YdCL59If)U|RAZ8xppce8 zLo1D1`2d$+q>}KM!V4EqhED!s1vJqJKQ2lE-PYV8_G7kP0Z5xWvsYSD^3+bWgkz*rrGary7=EqiXORe-e7u@ zLZ&;T^aqjro&s-2Rc{LjNsokOKbM2K>pTZAT+VwUQTPQX-igBC%H~DsHJgT^}KeV-HxR>4kmeEh3FXRrFWHyrqskgLO44BbA 
zvz@V}_~N$$XW%^7IYsu92Qb41qGANB&?SSY3Ub69ah19XGmhdu>xkS70AM*h-#cVV zvG@zGVogH0!I9<++nkl}^NXMpQni;LQ|qedec>T>PUa0)2u!qGja|t1oq0sCtTFU% zp7W0zbM9c`?4d&ev$`op*gu759s}q?Q=P;$#0Nr**RBcVfmvAu@$Xd!jyXd-w_u}} z!z(jvM^N;x{nU0M$4xwh)MfW}KPb=Nojc5>`!A{+F)(~T-P%$4l~Zkxyj?dryLyAg8t|qBn@1=2Y;&1~XkHT* zl0^zz{Y51qN@oWK;*Z1;Nup?`9mds6o;d&X2R8-6T{CdWU$)=8^sicy?aHS8ti3TS z`U`!a&}A@TbgMD)Mx~-N;*Gocy7h!)**Ye_3UV2vkNBZ+G%pj55>+LH#3o((j>Gt) zU+*^|7?`)Op(70oCL3?mP&+VswM2?3UOMDKL1KIwwvUJkEm4wqpp^}dK#6v1KgczS zf2_w)&gv1iM~CQ^zAR;+KXnT_<0bo`ZQF=8!vd6qfNZIwEp$DlJN>o-U-a=>>T9$* z59-T}+zhiP&swXwuP3U?-xbJd`ZWSGUKFRutX*=or{y4`+c68a`%+KpsfkhDu>_wVYWSk8q&im*T=e4r@A50M-rk_G15R&l)?vQND#O;!^>8Zf)XhfwhlQbUeKdqyl)QI#+bK!t^j&-Jh+) zxEG=9GiwRTnopoCt>Z)oR#jrTT*V2Az6ZkD&jI>O-p~B(t;DSvJgjr8GDcB_2FF@6 zY;G`g=MHRlO#oS&fXuWT>(2#QZ;80V=eeq%zYBCv1opTmSz+Iq}KXD6%ig^rUu^RDp z43Bz?qA!rAFcH7BsHxxUsG>Ost}!e4U$GGbL&&E z{}bxSrDs_HmotVeG&)@qoPix>2|}VOQzC)u%(+unRZX|TyGC}Ec)&s0jr_ZRT6QCk zVY_G(&I9fVRc-2qED&prKp$Wf%2t0r>)pR=XmcKJ;;A{ss3X|nqUtPcly?Vv;)`Cb zGW&BU63VTv51&H9L8)35roQU0sZ~Ir*@XABC*QnSsWk!VezCJ8eO^l+b~k$6`|U4@ z8@}Hw+~OwjaoWhal(5tt8mY>P-|=Aj1*wiT2&wrSk{)*{hV|0#sD{UL<)OL4s_9ml zC{Ug(Sz~7#Xfrs^A?z8rO%*}uBy$N;T9o$?%?=%4sbQYkQ}YE}A=-i3326mp!*E;- zvpP?4{KB&}?293T8x(J3KMk5HjkKia(5|WCh&hTGNsO|ba!zTTQe~&)i`30ZJ(BHX z79&h5wsBoK5|2Wou;P?qR2O6HYplBN+kE8P2zUy-C{+E6reVpig!Tb464mZ-v#Gv3ChrqLk9;df% z5u|zQ8OsLv{%nk!^LCy;-^}ZFlJxngUd|LNqHVtUnSZ*3d+_6y|Bqg!SBv(?6xsk^P+ON`EUXgr#Hs|x3@i;vTr=hRojHagYkk7=ZLO?{g* zZ5r(PK>Nl6>}uES-tK?9%K!TEoeO2`S(~oocSkb~pNkZKD8O~?iX^A0?G|@## z;h`-+HmwYAQFrm{GvEY67dj4%;vjt`{{XJ>Fj&QIqn?1K+99SXt@JMi5wEqEa1QMr zKZw6yhkUo9+BJDnX`6-FH6|Ff97E@5SHHzJUrBegtKZJiuWlQECs3(V@6}X)xd5~f{gY!^ySqp_fw1K<7@p?+!={Yfn=C* zYnhb|7=a5@UdeOR|LpT#?j^zsOqth24@k+YN?TZwmRk6 zxOWO6B!oR+`Ymq<8Bs$cqYudaz!zjQ+A8jf?JlVN$mJ`=>)HKcvbI3mJey%dat1FW za7rEQ^{qzCmdQ#ja`su1zm#CRqzdm1%)lUnw-Dhd=8ODwOiDeOGek2nQ6k}-uX#?g zPRyX2mHW=QP%2w=abP5u&K6k`9lgGlf2>bghY zUb5Wk659Yjzf1@O0cJdOmpaq20qGFH4YGFG;OV_wt6HfS>qj^C3g+{8n0|WZkb5Hk 
zRJ5<-{B?g){d(ag*<}aan>Z7{#WMH0^RaQYhyCtFksrf_aMhxXH)?WGhn9QDfqP(# z$nQ-h;lD;!J-VFs1nEAdUx0Uj!9!V0O0GF$?8rSiWJn={1?}wkcJIq?5XxGVPb;*j zzm_>l@&(Q|_9j>T_UksV___3Sgc!lZYLY`|;aHfVqwsJ)-2Qe*`tss9scsVUR?p_{ zHv7Z}0+TOinT>o^F}Y~b^8Rg#sD$f*f#|Qk*?~_UhJttvVJSyd^-K1P%BT%;=7eQA zM7)ZeO@ed^Dh?>NX4Lw6oZ>wh$pmLhC=Q+FfGiaAFHC%vr=YZ)v6WC6N54y@F?V@7 zGlkfV@b@r&%q*38w3k@#HZVL#Y6#fLWQh?r-*g|`obWYdKpI|HM*f3qz zvSbcYi=I}{u{qaM9F)YMI(kMA*P?xJj#tqTTK-CROhXe*(8M`6jUH0j&KJlYhU^e= zZD73dINVApV_O*{o0dHX-b`WGraTzKZAxd!>!#MSWl1P;=4G8rMdUVn+sxQFLYhgn8fkL;RGT^xVg}6rm!p7xhi# zX_DjC(&>NUzUj^j0n+e>Is@dyn*&c1Hu`rvv|SgWBxQs;e^1G)FND+Mb`8PDv4&g6 zBm^gWIRiOAGu2P#%Sliv;Han@#rr-et%OE1=fp4zt<)G&PL}-zwW98gFuk48CWg@t z?zoO?`%+4erF$g0^f!<`0+CDt?{w=?{U57*t-!wlYCL5 z^bA)&csl29jy@?Rk(74Gl7GfG>3HDzNC&q`Bd5GH*DRlwX>s)vY=?qxjO;H2&fpEb z9l7+57OAedZ*v{Fy67iSJE`~b6*`{c1oRcRjzx&lOqE~wEL=cr!13JX(cGtxNK>2(~jNSqkXnB{Zo(VQ{R^n<%)Lc>T5)s#S3KW z8$z;R{=8Y<0mwJVl-0o26&dRnhB<*|KwJjF-WZtr4z?RG;1t&R|+$`gHqF3AstMhrs zb6|~EoSNfiwPju0Mj`*&v)@pFyaV2z3)#$qfPJFl`{?^t!_^K`foOj@v(%@i>DpbU zXC{OpMhI!CAKbNykr3?IqW)V4K_!N;8#sF=?%(Q&bkTmsc}JKy$#@k9nXSsb706Zq zdkp2Kv#)C8=G*qc4AX%54qp(H4bH9PSy6i-RX76YA-ax68$b5lezjOwjR6EjDS3Yx z{psY`VX|hkFBkkkzA7+$e&&g3LW-y4Kmf);mDTQ6c<_9rQ4RPxw2$KFZ+#Iv<0#v>_Vaw$C}b`4Pj# z&CB4h#i8vdzu>AOKajv8L6sD;FeSw>HBUH9GdQ~KNB3)_A|vCJrDQt8w~$L+guf%S z@L};Q$Tl#q2Vbq*Yb2jPxm<lwXr*huKumJj~<=E*?M%@m!B z0>mX^g+(fCqOpAvl2u`@7mY=)AvC>{PhD&ps#R}ni0-mCn*ypr(H89vrEY;X4r7}h z7B|Wb^J4HQ=-4b>4q6#7nFUbL=p9PDuwWm>zMMwn8Ifqpfh;m|`QwX)&*U)bHDr{6 zVaFg@FbX{k7m=XrMCZEZlHYZvEccEWFU_|Jp*vLoRdzwA2ekwFqly8GZKl>HZIbI z1{c9~(Ms_WU}Xg8G7!c%MQk^sqT=S%R8~rBeg~Dc78Uc|m2xO}Eq#0)vR8aYy=V=D zGmsK7R6k&+`QS#y#6=N6C?K~jKs?T|x|}SWDoT9CkUEm5u#JVhJEbKo$v+aq9&k9# zJ%Xa@!j=_VBPdoc7!~binE_aZ2^8bDVnw$q+eU*Ry`p2Q47EQRZ)iZTq+Ke~iv*Zh zX^N`W6e_$$$;2!!crxH}J8q9fg|t#hCkBu-c(5dcLmEh_4+nsg!O3MXWWvXBi_~OA zk$)eD>fpOkiMbK~@1+v^Jl{5^{XBS`@ut{pf*k8|JOqNO2lxU2p}a06by2%dxG~&+RA1E3<3%GEKbF_LGbnL>C$37~T 
z6PAc1ViZ3XxsWn3WMk5J3#o%{nPdhU4S{P(xj<+&@Wp+PhMBnASRjtNaBkqVT%W+P}p7VkeVn?yn2`uU^PIrhJMlH8q0r4bpUN=*s@cDB z+>;df1@rMwsspVP@Qo>{W?Cb)Y%hydoZ zrnFUWo}x0$L8XczC;%&tbRjb)qwGQz4HTGiMjIE}CN` z*YgT+$OX+h61#V0qAJvW&`{SsX`C;Uh}t5=vbeH^LN!-d*MR%L8(L7!1I5MuN&|e3 z(3!39XJ`>+NtJ&G98ygQ4EW6Waf@>db;Hx|4sNJ>Xl*5 z>(>2QX=`Eg{a#UL9XVDMGQo99@7+Wq^}IF=+Xa&w*}zyU#hptJeQL0JF7tzeKd^#| z1?vG?_8_L7Fq(M=1*&Qzb#+_1P~vMpKijAB zgQ&#VHq{+;$AxAA551wyP~n$7zy1o5iBa70yusvl#J`|IH4E7TIVwO|ikc+95l#@! zSgG#Jh13n4-vPQV?5=nsn}|j@P})HiRQ8-#6uiFqzE?!wXt1hvjX1d0w?n*2avLiz{?bke;;zbf5e4*lTz=uZ6i5{efUCc?FbKTz9BZigbfYsfB zB5RHAOj%Q+^6W;DA8z???rV)K)6V}!)N$4qvE~iCQCgOkZ0Y@uZ7EoscZ95B{xshG zP6@rd3!-i3TVL|vT0x%~>{RH$$0J0_MNen5=tcjHOi4Vl5K)Gd(^B0K=^DD&Ko?#i z9ZQSuJX(FPGIuF*ClK49_*2ZOjj%sMT=cy1aSKt^>!LsoyImOpWM=;bmWEpar&G?h{2*YB{B{wbxj2X}o!2ApX1voIJuoc?Fjzu1f z1Mw&EIv5I}V?q}L837&I-m8?~TXCb4asvchTN+PIu8VIGdtO6EL)mJw%y$2_(4@b0 z9)^b6fjEl0P?VRBMab2>rNTXGbAx3pj?P}yRdB${LtXZxXj7H33ApLvi-|?u7nT(! z(F&zkYex*x2MLNH*+Mael-_rJWM?*@9mm9tSkuDDW8VdCmgs`19Qjw?VosTm2SA!m zLSn1Zn4cU3ub`8|vQlg6E6u4s{RmbV{y@Xr5fAQYhqY)exk%9GK%N&ezm7o$LNx*E zQ9)By1)z+dfHT!`mgH@{k)I1a?RSr1K=jZn9=$?K^eT_WgnmdDpAzk8RzVSPb)iG>Ld;7whO zgo1eplN{iDj86*iL&=wZ$%SL%710%A1G93)T2U={5PKM?tW~(Djj@pz*GNQBO1Tf}6G88etzQG2bv57#VCY1|{kbeDI8%1u?hapBah$#b&K~M~zC|ba* zpy3LWHkAjHO?Bm24d3oeIc~AV0pRjVgp zx&mtz2a#zPzd}qywlqsv9a|7T*B+(j6z_nL0A@3#6IV&s$asEo!5^DO_Foff&z)fl z-zEZNXA3)DSibPQV4{R;@H{&4i}9W=O8=y9S6`ra|!p70#}fmXN>kcKlova{)=Dtuy?-7AHgs%NpCxW5PUW z2S>!POrQfmbzv}r4tyP95O`Bv(jQp`BkuwpGv4i39ljw7*VtKe24*2W5%_5&KtTec z;EvOjn6Si_*PUV!+c7dCoLO-c+#rP%uzNMk0+grijwD>laFw zVCF9m7Ccb*h)%eR-v)bUzvO}&4foC}ARub95Qx>7ivlWPFxidtgX;Uo`>HgJCVv36 zCe5EecbMSug)-t|#F-QB->ZCGM1-m*)_m&Fku6AloV(F$z6nyl8!@%mX zP)hxzEE2&*$brs;r~zTC_x~)o_-+B4xg_6rI?tFx9!mFhi)c>Dr$PEcak%Rq%Hig~ zG7y7cn6cpp_c6Gu9X2Ry#brb=EqtYWU_9#|Zr+1Qtd~hr8^G&?sD}b%9D)uGO{tND zoEcaU-MdyZ7IIvCUf(UeWGd?MT~#ylf!46eYy`=T95pDM>()KPO|`n}+3TsPT!^CA z%XW)%n=tg^J?XH5y5(}jn-$pY4=_{j+NjLnP?|F7&gxkX*{diN(pp4fLBBll{*nax 
zCISLV09?s_na1jnX`WfR<7)h=Iy^oTCri6RPpZ1W? zocbJS0oWb^it0i906h%xqMXY;Vb{Nmk{}PR%02*K6Yx~7wZh6GckzfmWZ-N0R&cXhsteP-p!K;^;wZMH2O7Nev zxhj!2ZG)-gK8~T)t8w+SUvD!^xdKSDBuMQ;^z0a&>k-1$T(n5vrxQ+0syA*DPzD;qXZ+rZZAfkzoAx`xg^VR42;c!c)jC|Q3T8a zHZlbpw8c=05rem7WEKQ?a#{9}Tr(m=nfF+dD|G?^zoE>6H~}|NrrW%gOnB4r&y9ss zFD~vRqbRExc5Mgv*VFZSU2M6OF2I1{kf)1b+lRzSz#1|oD<`P@8oj8IYTJ!`3+!49@W~+w^Jah@BDkgog@7Hh zMpe#!MDF@{{s#*|^uEwUc>2r{{1TPv%|pswXdV}1`>4bS^O#q?8lAaE2nm2CPza5Y zB8@0XjrJ6FB{d=Tcsj)H5OpZ2tBI*iNv9^fp9mf(DGFA9`HZM23bFSd{LAMH6%-p0 zSJ3GYdps|>9i6!c>QuqAh%Y#lSLcKqZ7S>vYQo#`ba>k#>QGQu^HQ6FPR(gQ5j;>( zY}EI>+j@NqZ7dcvP8b40vQ>rDR_A-Vw+w7Ot53(f<9UUu(V2T(j6n2XxYgVzG-M^o zjm{Nztu>+NcslfqiYg(`(kuPiB5iN6j*2-o7DZ~CHI&;u4?Lq%zsmyYjki+Le?yen zDqeTJc)fl+H^RMT1U#h>6&azk^U}xBnR_sbK;RuJ9*Fa5lxBn(oh+<6o0vFnG9Bkd zMMvo@Ds9(URLrHbCxWJzMMr(06*pPh4u@-bsOC|Y?0x3m?Vp>bgO~fDgJkEm6&=gw zV^JZuz9#cZQKK{W7!ZLFxHuV9J{0lGNNBXOuUZ~m+0(R(O}#Imkg6jG99NlY@Mb%xzoOfWT>4yK}_ zwviL}quzZ&nZdFC=}9kC=7 zYpmP0X+4EE$2aKo7nRwnbnN|*Tmg5hA#-a{+|Lfiy`+$7Ip+3aKJ@nJU{6P-+^ zqm!uUIKx4KJ-gxHMYFAjW5Xp!y#r|>t<6NRQTBo=S$Wq%;g0K%Z!um!I+FDuG##Q$ z=0TJ$@xQq08T#No%tIj5PK043B&Yd;6h?OuyP=pkWrF75{`%nQLS3?s-Lme^U1Hu_ zhS*`dM=gt#v=b!USR7bZbE2p++X?j3YqbPO%9auMRj}p zuVxJeF2xgwPyN9eL^r>$`L=^iWwl#wYoQzBlKqHtmeG0eU?nOt!e-{-mgvkhPl`OD zOx$9l1&Oi>l7!O`SSV>y&>&j`_N0`=#4QsvEq1)px?x1O(mK+Nol1+zyOq}R0uXh@ zBtBLitE-C3Oq0F7?mD5Z1>gSQvJQn*&?}`pFCO)vJe^EaSy5T9NyagcR32KFHIN7f z8Y5(GzIqj{m#}SkUA^657}~vMwHBqHj)f-kuuyd7D9#stl*ELE8Hc+-1yq%Susq3w zBoY5j1H00jSZIQlq#m#IZfMf2^bSZCRd!6yt?cNG4_~E&zJj`8RaKX2?Fj6I4)dkg zWmb0-N-PR}FF{LR%=&_nL|IOJQnxHf`;Pq$fB6gnENE~ z!@OW=Q7nABr%g>PG(`c;(Rzvwaee-pz4yS{mHMj-Yar^2*N=9oFFv_VdoigG&2lN;wOIMxu4Xdg z0lF-%^YwDc*X4`XRN}XYmQKkzMTJIa>AV)a=*&TqCX`1BNpe6WGsqsGEGJPA1R?js z%wO1#0;!2erYIUWUQ69&oZVWAjd6jNVnevK6qCGNZ(Dlh*_9O&{`kRrcjFcP;;)3N zO6}b~aqpwfCGp6=K5qZr`(0%N%jXl`R)|5w3Q^-JC?+a2LXGF4nCQ$wxX65(N5oGf zU);$+jjJjpl%-|D!ZZwhJBpc_C}xVmKwrT()Y3O7ZANq$PdQv|c3ULIj7kZueJJS? 
z3KpFu8Q)k}>{3^JRzyV|FeTk>o0TxsQhbk4sjrls0BGH+DlvTh1V3Zm!BZ)(E8pz- zcr`lfJA696-p4O?>nBc^+ozY|V=9`lX~kEvU5Xz|BLdBp_dzknl8R+sd61H|75@+M z5bAY&3){l!U~uvg#~j%Pvy;yyKKcf+x{EM+UowESbY zxjKLD_+Wj`btiPV)o~3qj-=gkp|Vmf_cqp-pk2wD(O{NJ>icJen}AMxYuMPq%ysAO zwl&md7X}6G)HZD`E(Ob%!!^|=)BhB@_qd}iU2nNUte)tz znCS5J548}V;XEleI$_q(5^?M0`J4RzAXavHGiOv}gq6)}=8VpqE#iP>87FDZ#1S$r zQj!-zKq&C>c}g?R>~#uL6M#)|^*7mFqb5uiQU@iJEDGMO7UE9ZIb-{Na&3N>Y z!gp07@fHYeI90INU9*u#91&XNESk0^s3@e z*(1(##|~xUz$p%(j0xJHfPHy6`1|Nlt`^{F~;)KQ*+*>wh!!&o6Sz#Kn+V(}85|tVS z@(|TO~gLdK{K?qt~1*0$|sL@-UdEX)l1%8dEF1X>Hk{{ zCSFk==YYo3tau||7ChMTXkf-iYb)s*b~mO0Z3@rZfpvqty!R=Vp~s))DO5}-Zmlif z^Zzlco>EyG6&hjJ^Pp~YX1-u?o`xl1Q3-w6gOX%f<`Z$jORBVt%7trBG@CXD1$+CeBQ%zE;_kPtI@|CydTSzq)_H(6b4yk&I zV#LdY*S%563ZLac_f+-?on?>;QKx08bi;a9dQ=7cf z5zL2Law8N6;`Mo(L!S%37NR0!UViau?SyMFixQ4E9!uI}W*KDc0Ro#5;m~Bp}myQaJFwc1m7j$OH(oN!mgpiFH(JCS| z5eHeGaN)~fy|4A1JW-ED>g zZ@rQaq|N_eUv8=)sEnEX#nlo}i4pcbk7t9hMk2MW*k$aFi4luOnM6-bqfyIM(``-u zSdS( zJxi=pm-|0Dq(6yk;h}}e8>dP>*tT`KRcGY=jTA1x-UccSm%Ake#rWBDtg+{oLc_boq=Kh{cSXuZas!~SsG|36&agr4@%vfYEahdwXBRtii9N%$6aA+z0~ zjVVNd78D-iX?tGy!XVHn{MC|p?fg+zk_XD9@c@@ z(NxBk-VO5ZL<=WWoe0n*$d~OBp5`5%^VM~r~X$`UhjFTRH`CR8DT16RCU9^ z__pQZLJe;^|0kQr|3PQ&V@(87 zuEf36Ul6FfMEp1u*U~D>S?Rc!n*5(^CjSSOzvIFg(*w<6K3Igb z!5!o`4S9^mW~kyQy$+i2 zhaFK)B=H*Y;OZ`_qruX$jVSVdM4>qCi@JG0^{PckGkb-S+~gGHGdV@5ywx;ODVu3pmg+Fg%cuKb5&GDd zVN?_!0xggs%j2nObylGf8rmmC>THfqRh88pEuqaEL|awkIZ1(60t12dyxF3QGiUv! z!&lf-9V#JD9s!Ht!-5ppqJ+?OT|rVz^8+kZ(m`S7Rq&Yl!6BZemjRY+ z@E%Uzou15jeMDaay4Ru-ZiCL}QI^n|gOWu_SQexx%8W#`3<%A6LCQR!QOKyzsQvnw zo0O$|CS?hgw;MDjWi{x@L?y>`j`S5&dT-euSF4@MO6d>k1I6bVsH_?ZI!wYc_d1!Q zr2;>@b+6#U#8wRxD%Qg#gI!@}Zf7r@u5#Fu0fJ?$-l{#hJr#nCz*1CVL8%w>u8JnFho%5yvr^Glfc? 
zXHXH~7_rN1{1r+yOvzS6;Bn7LEPwKm|jP60253qMpkp`G`GFPHGQavm@HYk60< ze1CoMnx1Z{P8FSMb%iq|(U*xcBvFwOHa?H9h0dG?JPvr65Z`Cen=LCzPNPCx!~@ya zKF+9}&zzflt$Ze53zfIqINqJaV&jupS|^fbDSLF-{odd1ClK1&!FjfCYgza7471ZZ zX3TieqJ8}mlQe7&DVbQR|C6u*)$>)@YPpknHO30xctaJIp**~zW{FLkY?~zqZl<^5 zrMSV@-AY*K9?9+#;D+yh16ypX4kjA!QJAS^Ul6OEOy0sJ-@m)QLKu%9EON$S{-Co6>^0X7 zB;Sa~kyfehAi^9E`>VhhEmt>gS$0CvCNyW_%9D>lf$^!TV95KuN}1wE+|k2bldzS~By6GbcFRVY zFEU!BQ~$$TwT61Qx$0Zv~7Sf+OC_3n+LIAApD-^%iQh$-8<+cc1y*By+b_HJ3; zh&PWd-8|{)E*pW5)%tg@+f?R z%oH3rS(u?tp+%uWBMfyOEef3(*icozWtyt*oHir9c7#R?svpwQTCV0NePR@Jtf%6T_~qV?z5Cjdx6wNn@zwzQB#e zL!s?`)biE6uFuy6=RFQMmc zOGL24T1kwpj{kgK>LSp_wA z@{Gn|%)>CX*9FNmf#Q^bo#8dbPb55eFk#Gf>Q> zc|bBEA=^8^M^9c=e-MGIpzx}XEmvRStA|hTUd!rx90~#goFWz>&rB^}%A=t8o*~Ok zybxnNDAdv&(c4dul#?u*Hy+}~E+z@$M(Xxr^GJf|%z4T~zf4jBovMWwODM?$>JvYY z@;G5ho-%tm_S_^1<}*oxsJz{aUDikI#=1_I<3hQ1kU9NX+-1Z8=7K(S=y*ebM7s%Y z)D}^N7LIz)$qz$=68&?;d7%u)mqYO3X!Ly&X&)FB>ZW1*z8DHrbWkrqnzL$laQ5iJ z*G!hV?RxIeL3Ldw?6KT?Z@4&$8^{t+4WI|~!piXsG0gs+qX!eS^yo)7TrT@Si*~?b zxsuK0y3O=n^EB8yWa?o@9qe`EK4LmsF`vg)L}%_9i3C_q1b9w_7DY)iS_XN}3m`e! 
zd_=x5*oyFvIX(iHxA_QM3iA=Rb=rLdF1c?}iIwlfW%p1B*!YJ-SFrB^chW@dtQ)|m z`PO*i@r32TAVVEBWp8`raDYF|T2L_kz!xw`g9_`(490c^uBYzg zZ&oW+BUpF|-8jPbHqLcgmihDhAQA+8;H&_~vL9)qM{0+WbWu{X?%U&0shjoi*n{hq z{!Z7VGClYl&R(~Kp1@KN9Q%jHf24F>u7 zGz(p_eYF*nA=tsrCsf@zmLlxNwVHh>*>q2x>7T&N#HVCI$bv3aj76U(wBhPOk)0b~ zq$N~oQ6aaD%_11$GxwQ31ab~Y#KS`D+d)dItjKxp7m#vbx3R#qv3UeTT;6VDXm7kf z;iBDrZO#|6xv?(TWnvR2{a_RAcf=v|s9Q!9%~oBPfj0ojsk$PziXRHCZ&t<+<-u3& zcCcfa3p#&=MeGn;=I?U+?s#n2c7N&Mn$WacszQK@-*kRfh&k5lvT31uzOGF%JoveX zKKHPlKG&BrvrzIF_dEE(lS>e$-Wu$vEu1OV3RKnHWVy@s?@_G(a}D00skT@9Ba6<5 zI6U3-G7v7<$aB~e?at4Hd6WrF6DzkgAH} zBq|mx53SYx^F?TSlzDVUT;A?cP-36kqf8|=j+^w#vm`X(Ll`D&w~mAMhOPLO1Wr}Z zUu6LF0Y$Kf0$aD=ly7 zA6#WN)zv{onf~*z{|k@N*Zz8c_XRQz+Pc_5<}g$@UsubWyy6ef4tEXd#fIF2(>Gwe zzJ2{l%+4p&v9qYL+sk>|mJ>fASx7^YL^NNdyr4X?0v!1wGVOdG z0TP$D+d0~R&~4{aX^`V4z4E?)`Sr@XZn~|*_jlK>-g2^S2>cD>15c9nDm=ur z4*WuYvE6VE8y{loX#Kn3LC&+^{rW<4lHx?gFS;!mZ02gX^A5>MCLnW&Y^={Zu>OcI zZ|%zA^^1@X+uyYJ*YLhrz_3W!q^_@XqptY-UL$ZIgIav2K!Uj%%=9m!Z}HhRy4 ztx$XzF-K%w=jjITUj~4#$N3M|-jgAb^~%UPY?^YobL)k2(2_c&2ht(9k6$2H8TQ9F z-n&lB32&v_(37^Z8=S|XrwPRU*9->+QjPPmh2 zu1JOb6y=&S650jt}$2R;b( zo!#y3EUP@=*^FA{K8nZcPRH@3_|H^1gVHSfp0QrnQZU?bJh!sLlAG1_~ zEKxLc#K5e2LVZGu+Pdv}7UK_}IS*1l%!`Z!zP}(*zzR|%oRZ4-c~WIj$YXmH!Z#Uz z{!GRnDsQ!GRLX7FmIXWP+BWHVlSUPg z2+@J0FIfUce$wGSJ=81faA^M+A5h*@-uBPDF2n_(@5|-_a1D350Dm4g51qM+(jZ{D zxWAXaIPLo-BYEIgB#w$8FLK7i+)n!SO>Ul#F7M^xKR;>f_pYCK`NvW?dc+T4gZwts znACK2Pyoa$pj8Lq`1+;43?hDEGG7ms6i<)%1+=&5lnaFG$ZI*%ZQ&MbT* zrOfBTb%q&C}EY3`d$A0H))XxR6?xNnVATWqLH)D|0Kl-f=v0lD6ScnOI1q8yT8VUXnBkIf+u(^?jk3&{;LgfrYkkD5gn8 z@lj&K<%)?7b%|nPV~kSF$s85eTM#e75`jXcZRdcx8hr@3vrHjxc(N8wA?}#FcC8vU z9;S~f4l7jJczExv>55B;yf22MZgY}33UJVJk0^hE+u&}c?y>UvDertLhpVrt_r`nQ zbJk6r85-C~)C}5BLcI8~PhX+(5Tte**(X3Hj)`B1?PaU8(oQOXNLcys7K<1=_P#8K zrs>2Ne;)A#ojD9MF3$HMDgBg*Jt*LWivJ@}l1~xOGT(0MCh^5b+X7y0>ex`1m^wBF zw9~xl6CEwpDsL=fxGmoCGL*$bZmO;1K0eHlsy;M4HqTW$&2y+_r{gDx?PGI%taLgh zyYhxq*v>HU)w#LPHWPj0-85X)+Z?RY`=1@(@weM%1LZ=L^{U$QgJbCa*a>fgvcA!k 
zTesZl3=V%Dg9DwpZw^J64~-DBs33V*#Dpekl@>W?ap4I4nhXvfCnQ{KhuBb;*daE? zC3ZNO;o*82dppFpUu+1&29@$oH$iNQkCKz!?4Yof(Mm$qrgf!*e?2e(@Abe@Jk zkEemo>{nq{MvIWpEC3Ex5D5z|E3&BkjFw5B^UAT4nmi33Z9;gt1!F^9V!>!j!ZC;D z$y5&4Tacz}-#ss?8U>uwgR<+YINL!d@a>i&syRB-?{e^B@*(?TZ9kFeDy)W}C z-F2!$igqVO+x($2uQj`TFu$RWZl|ll(Svd1#tMch_f}nNK~}bx-KVVM9LmaHs@Vr7 zM<;Chc#XQ8RbLOrD9PVf@dixHgDMwW?TXa#yOGuVmd1sE&wG&<5yS;y-;dP=P3ML9^LQcX%q*r^$aq8;55Wcb8KHfXn=&pJJmU7k z4!+3?@iCZsf(yciy2J&c^oB7mXfkEQ^%n4e655~gnJ#y*t;!=VZ^>5tA-422uWGe_ zp11`>ZKu#4P@xfOJCF8&&a8SaiTyIpIAlDgKFNC)M8K*b;oQz%4ouoZfI+L5t1UXz z1!{|qF-C1sVW--<-U6z&sG!+<#e9|ONMMq4$>g@GuH0;#T2c z9&C@!tOz<;NO&AnB#P32WQ-*wE8`+A1L!zptxTK;CTt&|u=V9C{1d=?bc|6dJQ=)q zy#;yr)1{_9)$2bTCqZ<$YsEi-vyb_HhY;mEC@TydeD|9EpYojXMU(lxSMNUm=a<(q z3<)Q~ew5px+@3g*^fj^eKa{7FjkqZRn*a%Kpo_M-cvNVFeazz#pff|u`66c_33FNs z``{^|NydoJ(m09JU=b7!7jNVfpfmS)F9D>8M8E~hOFtzn40uK<1)#{T zg33Dj2s0hO% z2E4{@4kk4s_<7U_bf`>KDOD~|p%KbE z59~*0?tw%CSOtm7XhCvSU^;;E(iK1zcI7p}{@~|<{pe7aC@?hAKDmprk<*+>+9}ni?x|rY)+TNGx_z&THjmSy= zf?xf|=ZDv3S0;)5NXIOG>_5$__m}pr;U`%9l2>!6inh@;t~9ow>(n2t>e1RAm{-c^nXx#|GVP zVtdj>U_y?;&x0J%p)OJ7IgleN>{jKekRvL%KMx!Esq!E!4iKHJ3n{q)3bT=SLkLbo zXhhasX?18s*16T^5k#q{V3MfN2)&+%Nuo3Npbde@HHnIxkvz;PDI=biNyZ>>ZPn}0 z#3aL?he=w7DtGO9ow~M&$$kl6h9=18b$QC9x9-PA6&V!-pWK%!C#t_3^Zwv3eFYS8 zDpuTYsp-(@v20(|ucSt6CJ$2c4V%{1V(wh9WN39{Oy5)oD|_SVAPoRUDmD7Y8lFVe zVUr)NJFnXU?_LkXnGUtXCx!~@=4-g}irrSy=owR-81$n9qyOCC=Uy>ZKn?w_&}|Hr zaGQHL1Hb*`7Ju4qH{HLzeY@neUB6lN@9mA)@72%Vt{S#m^6u?sN!MiP+(jsZu2&EU zBfxr=@18CRErAmC_Pp;wUqhDCDxzsFuIZWZJ>o=23L2#(O)~CBrSHdy{jL+5U^4o! z6MPRol-2iGd$l-y&xA>D-H(m?9z^iG6Sx(+)=FYq-{-n_F`&tvw)}6f%|hyn_ldqh zK~=qU@71?Ya1D|h?Emb9U+54DA^JGi!%k=Z( zUB7@8r?NHnxh8qirJjFANo`hyPDy6z7iU?S%xn@!T{uM?{%$7XSuz3MVVC{z! zvP!qJWLqQIUNPqlH+I){byc0ZNbdFP2MLl@s8%JwBDrVw!`hbAnF+E#Bop}Zk{MB! 
zlF&+62S`~%Bol_zx;9kOx|CILIwmjtY=L6FY=MBPpaaCjK4^DDY}=~5avzKEp=2>` z4Q~QspMQS!`uWhz69?2XQLw{5ZLA-$0mhrPJu@Jl6EpG3O^s^Z$!=o-ZNH0~V?Ro= zP0)o3hEvBk#0Mh!uX|?KD$h9vm-_oGKlvGs_KlG~r800g@W;SYxw&-&(ey?yM7 z&A1+XK*+(8SIfWL^sYVv*|ohwFJ7~wt2gTxZH>tCaGHB}F(o+pqaAAaYT;T4y9&<- zSXy5i(nhsiFJpksGgc6d5XVg5L4^i5#0d!>ALHV2hv*u${v`hGyy5xxvgzY#vef<6 z5V;4|)HOH5yd?G_m{hVUZE&az+#+hjh)9cu@S4>ex|vs1xK&W$=bsew<(~vp1-&Gi z!ZF56j#$H+_*-cG;XnU8G4prO4D`!a)j7tylN=#GXu7}^24dyW&+OfPj`a^6*Ox%uIsBf2E?T!Zv{DVU%2pdglj$F+Lhld-IJYz zT>HB@iTLl-F0$>|df8*V^=y6ZdHeZk zXnLf&M=ncE zQmS%UaK%{_z6>w?T&ZHdT&aMnphrd%jK+B65o>r85NqSsi$cJo+^gNPEkW=+bSPxS zw8KSXJ3`?Ek@h?Y7eB^DKZr*|GzNlH7evB_^LK?#v0S$ur4KupaNvd- zcb?+K{_I7rIsQ*x$ho|B{&%%>(Ae?xsoAT|_B<12xz_d_=%Y8Np_?jWe!Ty&O(DDM zYVKSE?DOvdbv@XN$FmYpkpYfpLN?gPxcG3#WB%T*tSus8$`0wrcAtIE;c08o`$Fvb zn<^`zf{K{3WP~=nAUvnso|%g*%W^Gsq>ohL=cE<$<)j5v1>FvsZgm<3fVh|u_TI#w z*g2O!e>I257zk9)n|31kYIEtxpy==i#D!tc@xAA`TvIy3SD z%5B=+mGOxNqnpe?gX3qr$G&$EeWe7rq3u!H z6WG}Wv@-4v@Z6jXX>O0LZYVV?PyG+vWt`|2;}5)oi8A}-1M~*7Ya})*Qx9%Qr{cZy zGrQ5fr*`-~?cxsa*IeEA3$miXCP0h(uiXre6Hn^~+(;Ou)#q&Fm zxhp066z$VNLngQ)`ta#1yvYH%xc9oN*=Zn-F$Fi_ z7*F^O;yAYW*nLIJEP~*+{jY`a$IX56${zBc>`B}P@-_enHTpx%1<*V`F}RqP7>rsj zC~wlDqD1FR6H1|Bu9T7}R6PcCrfE z$yP+xEMrQfrc&X4E7VURrP%Vup%hIA9g0#+!A&R~msT2GJc82bGdKM+_oKx0`HuKh zCI@GD;S$1~A4V{Y*~0xSDl!1U(>eyBmh+5qO*0BHuZ@0HQ4&sdMzS>LQddGWS;Wu! 
zIe-*RO&f(^Oxs`tV+w9U@VG?4=;ALD{t!5$uk(1=5XW5ZyN;-R$RJ!YFjUTMA^D+8 zjCl##5?m@akJ zluh_Xi26xe6w5>y2Ww2*U|3@cZi4l=%&q9+hrk-s@#ax1S8(qE7e5_|G#9YZsYzJ* z3@R}I)zg{;p_cQqF1fKTx?(8|jA1$9LUB^$c~s`g5WW&eNdqRAfDFR2eq8#O`URH zkhCf?LQ7TsuDKR4>9QP3EPejA7}ZG%CKDYyy5@g746jAP43V2p{q z{_xZ5#pT@h^UNMJE*`_yqe264I<1QjYPpoPkizjvLR*|d-gnIn$qlQj%1t{AmnKu6 zG^ZGMH4dkkw!t_>r`_Cw({XHibn$n|o3Cblcz=}0oiM85^?BsE`P(H7zi_G&tLsHu zb=O7{%ci5*i=B3@?Vpk_AKqNcDSsa@7dYvSCu`}n);_3Zn9NzK(h$y|Q3%!jK1`PUZ&rML5SsK@|}PUGuP z%RP%h;1bye8JYFR#$r@4s%RlAxI+$O)aUEytb84+Z7@dX;OkH&5sbzbk6;uN3t{x# z>rV(qZ)f39kpUQ;#=@bNdk%xZH8G)@W`ql#lR_0`O*IS-;X#a+J_}dQ%EF=AhGG;| za0^CJC1H%BVqJOTKx!FP^P#!;>c3h*jo!*DG5-6>t57_h@cM4W=M>2+#EI49Qn((w z%=wGn7j1%<8$K>pq)jr1eh>C%o)XcIcsNlmU7-z@`HemwdTWPD#5YknjU+@Z+gHM+ zZYm-vE9^m1q=c15Sx282xy*~SD#O{=rB4!;vyz0Uw!xbSpF7eOtfLnei-2@w_l#o) z@mIH6oeS){o4K8Nv@x%%gRpO)%lkcr)P46E47X!?lb}KapgWBnL@n!vE0q_NWK2Vw zkj(o3EU!q}P$_9G3LeRgD}8pboRu9!wGD*J!L9KC4lZVaG!ujRN%X>~f*{rnR|4KOR2(O4PF6imU zQ;X#^Y7w)I&=?B`Mvp0kn^wJ6Ih0eHUVyE~O!ed`~mty$PVw6*1}`#u9&i~WP#h#f-Upz8=i zdOXosP9qvo%d9C`NpnVO&6Pd8DjU31N|UtCMZ;xAGZDT7EPbM}oRw%qwGD8jCc8L<& zbynItaf21lnV`NmOV6w5M^CsAU_GltpQ3>z<)?X>I?DDNz$GYH2vHa*>6( z$P$1#%8B@e1p!C&L^GL(McSv%?bSs6f^3-SPcieIib z7lK_KKY$(SDS)owwBdg9ng&SY8n3kd)f3Y7Ahq__S5vp%2lNMG{P9$1IgJWME%SoW zN()YEr3ykJ^OcpABza!4s-YsQX!z>A^r_HtRw@+LHhBBsgG#_<+A!N9ZS%NYE#WQ> z*+=7;(CFHcjf2yk{W4D%g>HA;@1P32=^A{UIsvQmk9U9P24^Bj#*7A#Jf7$*rxBf~ zWvR6`f|w6V)~t$>HS$K(z=6M<5(8TEtop zqN0E(>$3qN_T~NgOY-%&f@7&0P5~Y7Y!LKsv)d#u&Exj)gt>Na#b3pIaKc&l@ppVLpUueBGbC4v@FXeGC{NS`P6b&J{8qAcq?EE-gdR? 
zU0*nCGmK+WqszWadi%(hKv_^5)i_sv5ec0dN(QvP4`>ZW@#ERmavHmeTIN++6a|$8 zuGtAyHVokz(?nKTR%dwyx9ma0RzAC0&C0H#+J+()RWJ;(sCXE$(Pj4?#=^Ko)%@8t zo#`5JT*Gik^}B%T$!;9g9NHGBP<&fd)A&-HtO?-G; z_Z{@-;3aSq&#)VA*X<=(g!+%Egab!zQ$f7)~xZPg$&5NaF`p;3_m zn4ZRcqLzE2hrrc2p{0ehs5K`_tE{S&hMV&+rhV?Snw9&EXbX16dL0n|)HkR@I3QFo zf@w^w4L`6mBqnyfqU_IKUhLb1ty7!5z1Lm%A};y$%R8j73|(pfyW#*z2-AXrQLM_I@+Gcq?aJnXgd3CwC%0yCm5ie0oaGKSr8{3R-OD$4-?M}q}S z%b&k|4_ffTkJbz8!~*wWd1~c&ii*0Ke@IM?nL5SPn?Ot*4ytc&ppA+Q*c{WSP}Fjv zwWv(ViLRA(>>@Wr$}A(buIh@52D&GPH-}G!R%O`!rK#i<5CSD#8>10^~>dt=0}&Zy8|?TUVL&1FUYMSYJJew2<{9_b6{tT zXHu(aOe$(wP-aSK7}`L?P+Hgzh-6X{=o!kCDATNN!aKufQma{+)QGm|&OnK`FYk~o zF^)b(#oE~scrWD83Qv=-ppkCN>+jp1oaZK@ee2&-X3N2dYoCbs0aL+a=XmO}nnqos zmNV#5+4iU`6rs5`gqtEGuE8IxMM`D(mb>z)%W78YGNLVtSCn2u@j8yCM8yI~4XiEs zu$G(S+N)}4ClPi2yU$7#$^VtS{I*)eBbu;w;);}laf)h)4liY^e6rf;=5rQ z{fSx@IdqcXl4uy*OY52unNvlwtg2b5@vM8yKT zA+WY&b39z#4iMt^zPz8W(>Hd9fwforJ-gA3-4D6C3#;9YX|(@w{}8`yk8-A?_YbBy z_&piVnpV?TQ`E97E5RvCNy;R&6w)=3R8dk_veHay)s*21zshG#t65poh_>hsLK#1F z2aTgiQL(@d3asrS@bA76F6Z(2_hY+)p>qiG(Q4Mo$iKa^6@S_|?x%6DsAUP$Jl!nM ztY`@3j1kUhMcg>gZopg+_qETx*0XZ25k!4+SY}_;Xtr&<*-h4DO>V+elWlXdZBDjb zZ?ScBIvFM&?0&e;ep&uOR1u|v2b!#?wxuY{!uo;JUr%5b-^R^m%7UwV68`BT zx$>d9*jn;CPE!V7+`5x3BO?#>EiCT)9Q6nCR~-M{_2+%Gn|7tk2?O1chna7KZr!I& zkQ2dd_q*_E0i*bUb4IOP^i_58^ReXKdCuHK3f?#vq;MoX$sC;Z#Gd5K2+mEFi?xgf z5n_)f3dKoC4MX|y*00kk@kJ)NPG^iyD9#sQBa8=@gw>XtxSa%C3!(zL$gy`CN>zKNDeJWdWQ!4@J*QhCfeA4(LY*U;< zSnP3k=~X9|;OJvLb!*d%R~Nun#9Dbfq6Y3A%6@V^%zmFW3a&RGHOmOc5HcL-Gyz?u zk}F*e=&GoQzHXs887LxZT*>xds#jY%>?yv+00vsX8sdbUyQBwh%4!J^THdh7V96Xxom->+@u#2K-oOx z)81l?yGoF~8*hf5?d*xAgCVCZSo?9N7;Sj})S{SpsSG)7eP8o7?ou32@#2nzi%S@A zWQD_M-A?C)uobass7nlz)JzED)O6A55A`G%7Y@~#l`D{LmP(A_$Qn!#ic=o0Igmw* z%nm#1;a47Z@3lrSzwW!Oo$6Lm{*r$4_!i&UPLB}g!1g971!w3<6d9>=jYtgTu@kbg zV4U&&v|6naNs3?BEBw=Ca>he7wK=f&LHbrcl)*y+MRnV~1aF_^8Ey}gojS-3#dZ&g z-OjNs)Zm@!aXfny3Yxy^URIARFw@o3{>QfLBgUn}DLZhK^?4&kg=tNt6O$7i_9k*| zEXr5=$;T;LUHF6wFi8R=hMakWrcKTnfVi#|9Sj=AM}-^3e|P(K+Ry4HwywXFwd78k 
zQI1EFQ7%i8VN3K7p<{1)UiwcI(oe!tW9_5zKAS+*F=uj0nrQz!=80Oot>*csLKY+i z1s@9b(c6UQ!jG3@<2{`*hH$$qH5leAY*GKzE9u{ztP5}55m_xQKwiA{_eGwJmHT7f z)$T*!sC*}Vu>zW&IKZqQi*Ndyg>o{O_3V)MuT(g=?g50l4)pvM;+!H4<~ zV}8#s-<<*ukYEN{7n1>*MNlrHQ=JTzGa|#FVGOqB*O42Lx2M#_FXh>ohDMTDE2CSl z{$mOp#{j(zAIiXCo7~p96stOO1cKFVW8qBbI0k>7v}s52CKxXM?UXHV<9znmd>cI4 zy?1cvrE;bNB}zWa-DsstWvz_|CWe!Y3HqlwaY;Gfr{$%0QA!Ml1J?n3*KQvHkeO3O zs_VS_8|4luB}GLcgDmk8CV%v1F*egeIaX$X>1lH3zZRTV2i@`MJIgiu8X5HFH)H?4 z<3Z`TP=tI33liYW19C_B3e&8HIWkBjac1+sH@WSCLJ|LDGRSGDjR|FghJ8j7rziLT z&V?j3A^CVXC#uJT97o8dGCg$jc938KgFaASe9OBbTt~5kY>6l%bkZ^rQ<0-JDqsrQ z^FwSBFI1gzlhc*$C;S38ZfNU13(TbVEnlNnKV#Aow{s4icY5@+v zl$u6fs^7WIGfr||7GiXGrnV|5?) zh*772@{Con;exvvKY|^QqqM88^0wtCw44#;_jb(M_+?(IWM6OYRWkfnIHuj+;99n5 zy@g*2krW^98^ElafPYral-BLNQM8T)GUZct^eoLzygz;#Azj}Oj6GRN@G#jC%;QN3 zGYS*D9A-$UU*a862^f!wJV?I$mVCdOq6ETAFN+xxOV0lCihE=jQ0bYDsbYgiUl)>? z+Tc(?d9PEHd8zy{meG{t_~cPO>JkJml!IDhSZQBm?@oSlhVRq$`v1FIOlKo!t9^5q z-n7((O!d>A7q!|Sk!|}a#(edGxNkA{uy-acb#QjFcqRj^6sWj&H~YgS7xQAA=2Hsy zf;!Ii`@q@bFBxH`xBqs_yCLk}s!fiURVC9SCCVD~%kj-*>}+$*7#riCL&St?6(mah zDZvX@942^cR}s7IcN19$j^v-g0j~*I-KWq`mo70rnsIfW zAIQ`Z8WgH}^DEjQvBFnJz}MtECmDa1!G)&~%vC#D z8591c-_{o02PIkS$IBaf_88vtPcb{&xno!ekz9_WMS6fAW(zUeN@&&P6+Nlc4i@Ao zJDa0YqFnMgj+(xPVcMzo6-m(H_xgUBSrvB-`}rW<67Q}OTp~vWrowVsB4&Ken3EO|mqJ#DrQ(^a9ahZ@7m$i5G zg4B&ag@57l!vO2f$(=P?+g3AQHO%}q9H5Sw$HNVlCX-5*x{mVoOPHNNFWdmNjSK~~ zk;%Xo8dK^PmFBLT_lMz6`ez-D8?&jh50=SXt9kG4z4zmac$NFfJu35v`$;zZ5G)Fh zLg_o_l12wJTc(yw1vO#0Nm(lLn|eEgY}VBYrx&=QLy(1wMlH<#sMujv8ykyN$5H)O zX~59@L^$@#2W}Rd(1L0Wo*0krVmkBBHLkr+fk6>!Qv5ljK&~IS|IWO%SH8vABcN$J z=f2OEsQ2wqNfaK+@}jxt`S-C-O&lxw#``vvdR3d^{%LfsFw|ODTh5t;6r62@l_a^f zwyC%?frhlYId5>RoHHnOt~jBiT%L*;H`^hh?AOm(ROIXMgRUPy5N>U+7Ku~gFa;g^QoPP z>UHOWR@i+8&%R<#C`$9$(5rGBn<+`@m#f^^a$5*1SQKAEZGhN^hl1EifqB&(yf zsaEkn_487#;?3bflGDP0pX4t*C>%sZSXWmZH;a+_4+&;iDDVcT1Yn(;-s3-t7$*y# zXM}Tw=7!Mm-0jM0t{FZPt$#e{UC7#I7)b;pgYEwL2%mh8&;RaXXSpbY zDZeGMJ8=ao31^$gu%+L}QDu|+Cj#&^P@)q 
zz3(tN2wsPHgoC#Lg5P11U)p?h$u=Y-4~s%}Tomu@!HLGHT>>IOu_Z=S)mvc!?Cp{i z-b|zT7=#e(3?v499K5MkD67TeKW)S*5YrVUOn)|VHTAaIv@gH;O}6pS+TifYVZf5KZ4N8JM)B;3>uYzR2Mu}O&zCRq ziU>2_+UN(F2q~KjbO1AFsozIg5hpAuN?ESRf-DCk&CPa9HT1Z+Qjkr#(}j~POy2;6 zWTne^b|Q{GT^fj1OE^=vgUSuj9WXu7&92x|-TEg-YXV|;Jag@rDza{`Pww=)(_8dA zu2d6j-Jb@eX?)4&SyczMFxGEi1L8wTTNnI+)yMM0KVX@^|F-XTgPkI$5Mfap&`4f4 zDZof&)t(9Rn$UDPrt+8m%a+d)8md@dr}z0Sz%j7*0HcKmGu+A%46H_1Ev={ogPR!`E6SEg}`j_N^ zKsd<;Ba{bP^QZA|=@(vdiaWXGuiXZi-k&k|d<{Q)_MQgJL1ZXXB0;BlmAtls5!z;!2!{%Mlcv~+%pp|`XvR{&aUWEyky8t zCg?=A83nvppV^MSK}a|l(1Kv8is!&?IXV|kIS4r?jsLmMMMe2v3dA3r5jMkiwp}U}STpo!4W%|_ z>w^voF>GogL>`X3n@Mw;e=2rHqD98Rkg?VX&_uX4lX+0}acul37sr1u?hI$_dIT)# z*!;fN<&rc%Z6C|Z&VH9u^e-}CQP7{cjvKv>=DnDr&Q^>=Bt zD{Nhk1TVYewd&eE-O02=89v|%6XZ#=6{fx3i9&^HCzw=5BxGW)vZ8c^9)qU(EQGr= zrsdcGyFwuI(%nx$F2j5f22CKdt3@o*>TrHkwwdkUc4*&D43pU!&xC@23USH>0=yl3 z7_9Oh5LdXih}%en&D-+B9(wR19afWeq$IG_Y)INV3#u*+lkv&yUy(RAzO?v-ITK5? zy3}-$w+Sb)+z^O)##KDH{T{N|aPNW&Exujt!B%AhsZ0} z-A?^%Iu93)P&uj^Qm%!toDtJm_spm%e7VBk{nq;6jlvgmD;W0onAQ z)81YON$q%SJL^Oeram9lCatR{^3E>ci^rao3M&bgnu}}cVM>oDnaG z+kPVap@?6okGgW^=}`}uSM@Xt&G#ExAEvg|#T&R>)+-%80@=C-u|1_VxHd-#=?YNo z6`t#M5@_n`ShzKPcH*jFW57^q_&vbI+avu4X=S-3L1noXL}j^x!NSu4`l%!CQi1!t zEvU-9$NeGh~)~az8@n4LvlG)+oCTFMe76j%` z4UqLDG6Mz1lv;&X{Jp;me=P?x_Y$qj$X6$&UwwS2_I19^OE-$N{S-{+rXuzZleqB~ z91H^-rr%s)s6dbj1;+kI!MKV<+sewMcvX%4hy+2e@L<~PM18>q=y`YuZqI`R92OON z6P@<&!T#aU*=}$Z{i0`OmiRQTeQ6W%le#Gcbs45H5D5B4;b>+PugeU(!0X}B@@Bis zPVFnsoR^9LP?RDv(#r(sZp9Hh;S)!}y|71tn?6CVY$xf3C&Srj?$(K3PPTbFNebJy zZdD{i`;+QTUXKlNM{|Wf_;Z(}@&FVh&^MC~i>d_{H7p_NSaJEI**F-1KlLbNi_kZOq%qjC ztgwZ#u7wh%nls?;mRd_V7Dj?)v9bX6FlY%Cd>d3rn8>Y0T_dRxA%vY0-h}I%2Qz6w z(+~KnDe&jBe;TV|E;%%W-LNMxm*P!^R2mAhCC(5#kOYoD%ZLA4Y<|f5Th=7vw`Qj) zn+au21F?52q%9mvC&BWq6l;Z24Rp7Jk-546*UwMqmNs5Z?_#CUcEb7O)##&{i?WOd z$xiDo7%-Y>UcP1sA(LnL5r1@FF*GpJ>)A8>8qk5^9e{)iIM-iMz}YLhX)#vDM6ih5 zJbk#8Dw3x^ZO;W*7_psNgc;Ii<)Q$F(Hb7IA3f&_L%}7E(fGryFEH;G{xwCBtNpy!lt!c51Z 
z*3kiY*qx-!htF*4w(OSktIwpCBCV1c&~-MM&Q9N>De%?EUE2-`>wSoz!*uKwXx%ie zFO0HMRP>09b68`<*`-p=y0(x0E99Cb0Q;4VZ*cZ(KOKcjdbxklFVu{*pFKb4;r2o z?rn!~ujbT59RQSIWN79JgMBLQa9O3HKSPQf=dT)(to|joLjj{RU3F1+@7dLy-aV^7 zm&itM)Bb?+9Mz5Chk-oB$Bjs>mLGoozrWdewQ(5UqHY)h?Vs}LalQd{9FK!s9cWHNSgMJ8%ZRBoKEfUY}W$h$Zn2)-Q+*&b#0K(N#XW3D?S4X#-~ixyWC7e z?hC4&>M2hzp z>$lq7ZSBWU@oeH5tR+I>M7@df!gbOf|9x9ugSkGF6IWElnDJCpNUW$_!BykHvU~N> z|HPCRZvA?n-o#jTxWV?z&5|Eql?m#%ld1kQ?jMQ#kAJZJ?g8V$B|81@`Sl!lpROz$ z9iTh@>5oyMBi zXh3GT`ph{jz>UNSUyCb9Sz*s53+YzlGEJQI+fBW1NIh@(Var85YEy=8eS;Nq%F|rI z+Tbl@7`Jw7%*)oNW->-Dh>=Ch&r8mXl6qNPps;f+q822ml;(#Xeip`xs6r$Q13clH zZ&Pv?1siaKo&=x6`aDU>fVH3w^GWZSH_PO)t>{Gsx%KUCjuRkeC25QTZ8VyJ4T>TOZBYza_3i=hi7QY^4?#NhVBE0 zPHtKo_XYRMeK~yLXfGpGv2#}jUtAoIWfNt5$+a9Yjt{j5jEUqUbY_^8tQZ**O9K>? zld;62vzJm!zgBTEnem|%2+PY_m?5g#NvOs#WP~}pYOAIk)}2mT2*veWG2qo$04+BV ztt6m8WZ`dSt(-_cPil?3)p4~UF9I#|W?}WQNW%?^Ww)W_$F#F;1t2Qvw5hN)FltNm z*JPnO!YbFq2}U2XVqpVWi(_O}yWj?2wQuA7Ya^3K#%m+w2!Y&xh2P9J0*E8?RbMFN zMqNT&iDV*l!h}%N?vhM}LcNS&sk+o@j8c>MXJaNR9ly{&@QVvD$wd5@tCsASOfjB} zD#G!nfGIh9{geLE%VTqyAI^v{;3|YFTQ(n1eymXDW=5ox8DsvKU&e(w7np?a#*!M= zLTj`U{FjR&Cl&6$5)Ot!Ly$s)*|1TR2nN(*7TI1?yMxzX>9zbdvU^Q)cz6M3GJ?Ua z0&!>xq1bi_7Gy*Ku>B$~UiI72;k!`S=mLse72 z+PMyL!mf53o&5#=NDT)VJdAaM12yEDkCCh-`AGw^-z}1z~H*(Hj5mE6Cxo8R* ztdmw@HL7ci$EfVr=}yn8k4S*}uol%^D~guUTbJ^+081$BH|7@k?jO!}bGb8%nBECG zc~@PnF6+I_%l1vXT;avMX9*ubeJO~AL8S>&u4VSSO8mV+i;Zd(GQ;K!#4 zyJ^nI<@~4V0JMnVE}Tl-1KoCM$a%#-m^B@dqq#IBhW+vV#a>4JSXy4gW94NQC*KUp z;8w{@A^SV0t!WB`O})45c)epGor?_Z1b*V|R4XNJq_nR)`7huYZpB4r-9B|* zSji+7LwqpBDFMSI2jVL8%EhN;8ju-SD7&4|wh~g`+`Dq5Lgx7)7*ho$Ic&U1sd;?X z=xewVra$18d+}^eMZm{JMm7Zb1H5KnkiPWm#H-u$;o{>SWCfY$^9(~7@5{DUw)e=B z1xW9avdM?a}oe9<>!>|l0Vu_J(W ze3Yp$R447LW4H*dkVX*f7J?8eT?)BskYG6lv@*6?eW8HLG*LjUjXWt9?a}UelMEAh z3d8JX^jX}uy;#pMU1#&~Js($eJoLuJZw`IFsO^4gnUl%)73_`xc=D0!2PSyR`C2+P zSwRK5=2Q(7+AyaX!>BVUx00AYT!s(K68x{i&XNkrJp7T5h~vhG$N1$BQ;>r~<)BCF z-{q4XT>15~wQPv(9}dXB@~Sx<22=0d+t%P$e4soy{0CpxH5;~_1NGBI}6mnUqH|q_^HF&e8-ltCL zw^rB3dOqSl2Q 
zP{AnrhsI;Dk4m4JDeaK(A_9C!+6ndiOmCpyIlfgL8LmJP;jfYYz`(1HEBK9@_ak}$ z?#!Fqb_I?YJrLrbdnGn5A;gW9I-Rxludf!RAuTgqVU$T>j{2XHGBb}+Mlw?pWp~O1 zfVxE`AgHp(n|gr?`OG)sGIh5LH>9MP5Z5==e6B%)FJZkdgI|>odHy;rQqK@Jbl8cbGaC3Upo7=DS4U7_c0xJWvZ!fcuu^U!L{OC(h7Fau1CdwoOOXHJNr z4xP46Go*S@Bi=f0=i1jZ!LTebd|ntA)Ma>MGS%Ijl^h7;w_WDkv8$3SoHL%Dozt)Jz&cA<1$cQ8J5hiJGJQOFIo|&~p z$?4s>d4CCmPe1t3_aPZf1#qkx&WuMn!ew^PML zlDhhVaL`(F1PDF#v(mO;z(Z05bT(ZSVd9AuiS@yG`{WjB!L;r_J<7FHb|ZVBwyn2o z>YbyQw}HHGFJOqBk#?A`$8P10hWQTKP9FQ=s1C!KuB3)P`R0!(==DB%qJ6^ z0ONcHv6D1H5GbF6JBMv!sy8P~1<1zl7 zn92v631xEs+bZ&G*v{rU4?wCPWes-aX0?-F%hVIaRh2A9SR6TjV&@#IKqi~1-?9Jj zZK=sjwF3eubJ3Bg62JMZ?WS}9+53BUy{_slc>Le3^@?i(xL&Gkr&M!EGL#@5f5m2% zlFP?VXRb(WN5r>W7CzRTm1_rrTjf&2a0NVuTp=5uY<{V=m(N0~khHa;7H}ijrTN1Y*qcBC0HC4uJRyvx)Iwy--{jannjG zbhU5z@q@YIyZ4QccPItmJJ@ zZUw>k#8+9M*M~h3qQ7kCT)To7V6u?p^45TP3IrK|$wV))LVoL0naPy; z3e!1Zz^Ao{Vy{FJN7lwv-DDHAsbaUxoku|My{pbm6$0oc8o_#yV*K{fHh^UdB^^vb z(y-Fnw)P-|%ywb!FGnjPvW%8H;k(v-xW*rf5_o%MN(f*&vN*=E)L5!b>8X#Qk-}Y| zZV^(#PbDr!D3$qBE=0}II*%Ek*d%}{!J)BTAyUw;6Z882XgRNB7Z%#ptXl1Y`i2wd zhZOpTE6A8WEIV1Eu{xj$6vBlFK1`={Bc-DNcAo$AQ688g%w6AB`>&wlt`UijZb=wk zb9N$7su}ir-vB=3^$$aJ)j5cQxSyUD&m09#*!<4Qf{dlP11^i6-Jz@r=xeCYmbNHJ zYiF29;?7)hQ$jqB!p;Sn#@#YkV+-a~=uzbJW-2X8nm`+%`k|2UK4+4W&?qUx$jG-{ znSx~htnCvzVt>YDlDG@*?1fi!KapbAzXCh(F)(uixjmI-^WVzNDm4_P6z$ZJP<^AI zoNc76DZfW{6lRxzgaR5Ke^vd^{L5I#5~Qi_*>@wQ&Ik3)HDG(TPJeW5HJ=@YBgm#0 zuiUPQ(Md?i)_v0d`xcoUPBad4zICv{>urq2=hy~umNMG9pPv#cU}FzTK7YL>nRyUj zDS5k8dl$ldCsg@4tJR=QSQXL2uA;g>{B^62*W3GDcEE|Dk}^h9y_yLw8WJyA25vGZ z_r#~?j!ljn73Zk4)*7m6Luy9*IT(f_4r!QjrgUDX+$`-*oM{JRm|IkLC8Sdup``p= zTF%~;FW*eKX4t$03{VJTG(;KFc+>S&=WQQELDtW^!G8bEB_fEJCOxjP8{xTQi!|<3 zIFJRg-j3700K@n66O^y+tq_IujgMeMD4-wixr~v)%+X0JDE2+pGXV$*Aq|xjl~xL+ zA&mU!*pO3nEo;?7nv&mPrZa9tx#AC7RT_9&9FZMHcVr4;t*nPX=D7u3V)1N4T#Z|m zV1*4aE4Ibl;PVA@2aOl`n3tTB&%Z8((q>wl1Ruy@mTH+RyH;2h7cz41|8qQX(X!P< zV=82U(o^uHa2-|E-lsu_xl+_{`J5!8eb#~Ie=}+^&V>-*aM}y74MgsUe?gkO27+dE z*jf=OH4RTpM38(TY|TZ~&zMR_H@5p1HXf!A-1+|kqCyybhnDp>N$^kvr1h&txDnXV 
zv&)q=YgXH}Jh5+1M?EMSgnj3pnK6n*<0_Nd+RG(D(gS7;h$X3?7gbjh!VuLiHdMY0 zKABCGjjvU6X#)hP0tiqYXEHe;PZpu!x}zVyJX}}j=g@t=fC71bB}o7XVfkVN`;s#Q z({OQ8F+&Yg$%J}{jmc*l9WKCIC`;6FJ;64z)dVpE7^?#qtBlSY|A#SSX%YN+-PL~e zsY8)ycQ+pj;C3xp4G~yte@iXbF8Pv5^!iX25Ey`{UtOaYkIj@?3~fq?%Tl*0yq+LYO7}vmnha^;Gc-&3HRbh_xC9rK>cG8b4qY;ZCJ1!Bh zbz~d4*ptfFFUbmGLCy@(wGc9#j94<9c_VQJX%`?S)6BHuN~2O;bBXUturxH^r1Ua2 z&KP~lhJD>*W+&nRip>edl1dCyS;lEg&BeqezCP1ryGO{usqp14A1rFIEIFs*HaYm{^^uVYAX5nE&PeBPl zHUsv#!jQnsu%;#!B@ce$10*d;j)VMPezF5af~kngMF+wX0Elt`1bg;~3IKut0KwiB znezAUqH6bJ-$PCk;)ftK014uZ3l4zfq778v4iG15i>#Z5sMdbT>@bEhvm`B5X`dCn z)g~+l*hzF=pnBNBpexP>L3k8X1*ld!Yaqk*TP!gWV_C8Cwu^TLtA7FNm5`~6FqZKJ zhJgq&g+Q#QIEzh1vAKAnE&?=RXb?N(F$`#N;7HDij4XW6_aL&!7nX%K71Gp4Z(vU) zVy9O$-u5+}MIST87|Gx7id7#k4>KTaEbV_HhKTLDdZQa4ijVc`w6>!xrlfIYG9)Jf zWCCU2DTF2_R~8m#2m`y;ap)uDja9H-q#J0sC+GKm>832fJ&ZQvmFoNC=x);gCM#pz z2NJvm(E$qdU2%~ifvZjRzoh@20KYw^t0bg;W0=>~kTy$MNhDUgzE>f!BjLkq%@`oC zm)M%b*gD`GG;Z@{^$Pr+0u(HNMxktS#ND*xC3ds8-mbRo)PLn(Z&m#Mj@o2txU!(L z8T>==#~07|BR>d5@34iE`(wabobS+Ds^) zzA(f+T@gp>C>WuDDY48EtUtZ*S?9^?=kutDw-|_XiYIo36_6acAg>Oen)Rh1xp`43T3UD^PQ*1QUaXBtQDM@w zlFoS{2lVkAc-a7Yd=fNr5`B^5qy3Q_7MoY;b>~rYn*np-rBx&$z++2L7e|ABO;`y! 
zb}I(yozp};e?1(TkR+E5@5u5muU~;O$=(CrQ*uT9p1*e|;YT)s`F|fbSOFgiFum&K zW-JS|EJzZrBVQfc=d{#R3N445aR{du$7lkT)ts7{_O#TC6jDb+*|vU@`k5gN&ClzQ z`~Bz^HH;nq*TQXwdB|!%A|(Ag?8#f4;C%%++Gc>Sy8ClXmiED zOO^Kdr*Aj#re5p`l{riV#4V35qSLe6+DDAyGLbA$#+V5QLA9&@G-jhG|2bvKr~7zg zgdf$FywxctYyI|ieO(m4hfRTpNHybq*J~81gwGJ$AfFpEl28fX|TsDo=nu{iFLBtVg2V`k|3hL zP4;Y3XithCX^%!H;ODZJW|g+g%_hGy&`C!rd`gKRiE@nk*oa@4&TC@})JUFJWT9N3`-92IGag1Zbn(y@hW4XA4*b_9OgfA%GAzMR^5PvD?eaWG$YOoSB88LHe*lgc&w zX_`b2JB<-ChPYY?Vmyu=L)J9s$Y4({2}M_Tja#-89bS?Q5D>S;#EAZ}avFs1C>0+5 zatqw!2%a94SKy+|?R0Hh26B#kA_nRoW1rSVnD?Xe{-J%K$N8b_Nfh5JyAtoST5XVw zyyfI^LrZnW^UT!ydpqzv9<}+_2R>Ra=88VnjP5w>=^Whz?E4Q*ap+q1p=C&J?x#hA zIAe6iPCFRwY*n2H?n@~_CT@(2jHg0cLAfPMyO8v1uA69mOOoz=|B;2c13DL3{}RIW z6Ml2p`44Yxk;_Fwk4T<58#F((2&|{`CAEw7C-&Aqd&Wi$V67I*a2DuRPlI9mcK&PZ z&S=9qt3{$;!5%1+RL`GvEg{nAZoS*ga?`YFqKR}uOjY105!h(>o~A&$Yxib+8g%mV zvl%nrt!0n8wioS~!#afo5ZrSjjJ|!Th8+SNy7*6rK*Yj+cFw${|;VXVWm0Dpp*`WyCBo zn1%2tet~gqw&S3&zKFNM%Vke0NsTvYe%-a>BO7h$CSz$QV0k%-ItsNJS?;jK3NR#w z{g^CF%MJs7Z@nT^QqOaBwvhN)@*}|6Wq!w0e3G`UMc>O632q~6Tv*o>!jvx2x6RDn z+N}A6nzI6xDkM>Isgc5JB_k@maF0tXFs%fPuI)OqVwXTF1OET3!J2*o>kD0tNI9gv zmK}XFX`r&>Gu&NtW5yVwvC6{q}Hvyjl{b$>SSv#k!Cd|GfaM8+}LQ3jO4E z_&o_6MqqMS`1q~^Bla-OOv%atv7D?WzSX#ImK)hf-5%f_)1@B59ZFeg7^{T4tVoI& z_cPwQnc$p9J^t`aKR!)2Ce6o1>JDm|&!NL$#{=_jSqst;fnHBrwvJ-v>Uu@j5CvZD z{%NIWh&(wjK3vjag$-@|gee>KcTI^s$F7r|3HHtIw;r&Df6*#w(9vW9=;+yj3P%ey8laf*leePrS18v z?{O)v`KcdfTNJy#cXxn6d=zQ336Jdz4~{;x5MjOcDE&-45Z~JMn~i34*sF}#D0HCNOEcsj6zz} z4nA5My19btheF{lOTL8A*tg?ph)G$?mhvg&)Wa)Lsw>H<;&IzFHd_van4Ms!tqX-ds*uTooIv6#`{x(&juzfE2qIJZ`j zyi*D|{QmcYu#D)3%$4B)kE^~N@8I8O`Wn8=pv7rwi~{dJnIyg_LTKVr2Zpnymx-5{ z9{CXA6&nJ{D(x;0?uxEHDv$9*k%~(HvNYT)l|lc0zcG;RBmZBQ#~J8(QB>Rbm_)Ep zVb&?Z-7onZIw9>mY^u7vZ#>U@&oF9BHi4;uP5j04 z_pGC*?RjGipRFihsJO8HJt}R`R75(2_y1uys7Yf#HBLrcUH^EKKurTH*_^HE*+!HRJ5HEGA?8T9PZ7b?LE3PtRVb z{!r~K331GY0>0P+tK*! 
z&YGhBHlgD}Sya_SGFv<3s-M4Zq4;#hH zt&owc`Y=#6Xjt7|I6PYV(WCZo1L#L63FQ!>qqPjruTqk|e{m(GDdgmft@;TjW?cU!`bO*{%k z1Nfx;FcW3wJd4IQ17wBr4pZ=GG{>`gQ{ODkCV14W;os#^#Jq(ZG87L{feeMt=>)M< z+mvlW0uL^~`_S{MpYu5+4+$`#z%>>2FGl3;0Sq=(_6rN1A^y_O?bo7NE1qIIDcWadbQ3(R??))z*P46h_axcqV#9r4f2 z5MJs!$-ZmLEu^TiPIv0UjQz@ALEp>&T*+^Qd*|$Y2wjl)w56}x<^$qm?|tjw9|Cm8 zlpovWi-S$D{kL8p_%D@A#s)FJJe0rdp?Q~dS9;r$7jQ#UB~f%V1o9C`w;-T}2RzAy z9%NDHNxv7Q;W9NztI1iP{gRTm?}aYOFRrlEKJUO0!dg2Leo3E|crUQ7^`A@3;m{s8 zj=-Wm{3|FXaw!dd{~%e&zZiHE1}+r~i(}$T&XpCzb_}w$3t@9QvLMcMha4-_PkM7) zQx>Pf+8MJFc!k#XL4QnXqABIrWy8xQ)i21sp)W^H8akbK{;X1vbvNqpNPn(K|6LLFWgdcc?;%hTn^yD~8DLai?X2^HcWR|^K%_Uk&m z$z^+UL6}Oe4aiFkYlLueLOP-_3S!3s`QB?yTzy(GAg|i=lO!UX=O0CwqL+x2O%!yV zjh4P^dgr!+u(=|Ov2GZ3s_H5S1A(xEEV_ez5GKk85eBZ*-~xw<0`vo{&nv{d zUj1%&0e^=VV_SB;;UL=6Wiu|EJA{ zGs^9$r@{1J2Ccmp4$Z{c7+9jDmMxKQW6TqibCuyv?h^vbGqY5L{^$5nh6{`(buX^< ztJ6QObtr|D+ru%8f9V`Nr2k;GA`D);!Xanm*i#dUJ&<6jQeSQ#qy7X7-u2dAQ~oSZ zIF1T7_=lns6Mpf{IqzWdwBT8Vn|I%(F=-fshCo;XhN2SOohO*r)gxk!+TOKEx_ZHb za82Z|WqGyDwZ$sbM*ngL71VjupZmU4`p|Y=H$#0i%#j`LuIRmanEzQ%{OZu_xZH$H zLJ^po^El0AjRmfj)5s*b6QnL?WhjW)W2RAL37LQa>x(#V@2e%h2rW@po+Pi9A1f~Q z4XuO4Bkq35;SHux5Ywq|MO4Nb?CTl4>3;L%Z50>>+HQXk(M9UmfBnh*l~Wc=BLqns z!-_*Oq_(Pg#fyrVbfkIq%gMcC5)V7H(b_g39X@j$#!qDcw@Lo|?a7N6yooN3h6h_#clqk`si zmL&<`Ob|Rvxaz)643vcooHE@WZ@0j*bMx8-0%8YH^E-v4R-v_W`Z}w7@6biGZ}`i# zA9cIXeXh|Jm_InKauSUCON=f==$c^Rqx{XgY=7hBkcEWe9WVa7VdBhZ%CTRq9@_D6 z6WjD&vLy9*Z|;~^mGE1QMRl+rmH8m(mL;wpoK((2W~)r=g`16BkQ`-1^%Z|tzL%2O zAZJl*HPQ{pjEzvso?&FLV`dPqBW}?mEu!o-I_0c{ia(z#%v628N{r% z>-74TUSCCgwXftttc6g`L33T=XBY2bI!3HsR4FNW%}ijB;6O?3)x36b$gv`7PK=`3 z&lEfXpE84I1#8UQL;~2)6YL|R@rY=!pJ~ZIbn}(F)I7fA|G>umr}uA}{HHa)jFG^?v`~7v+*LxOQjU-lt1ntP z>BY5e1sY~=oXB)%c*5{HA!Rhu1yPYQ1yP7SoGOpbc56U{9`|A5%mhlfm*iOgD($;M z|7JkYlU`@SYQ|9_?rQhR7h6;r*0?9 z#>+T_1<%qCC;Qfy!&kcY@8_#;`-lI~f9I3^1^ZY1@Q^}DV!G<-(zm)3{xjk@E8Iid zoS}&wrL)45#H}uuWJQHog4AfEE=H89YC^G3AtcSgfAGT?=G0e6aaEI3F@qYlXKv2JZs_!dkq!0F8 zLa|ueGsUtkl6F(n+Oa6`_wACtTdfPz6!f)SYomWWdkOoKdvF5ng#heR>nqe>tEaX# 
zIV9`f^@(!kBHia8_J3K?N9_W`AFt0D#$W5l%{6d+2uKXreA5b6QOl~*MO_pbsY-jW zr$R|0DYgG&s+8-R!#wuz=JPq~0;3uSZaz#ry7@4{@a7v!K;w^zZb3}qU+yNhwFjtn zm#q6!|9)w{--*bk!z_GQ?+Mwv*&?{Z~7Ip#7t8=^@BW>Gy&42fk(F zDfMC+rH)#z>zdJ=DpF>Z-A;9>V173zrR0^+jL|f9S>{vf1owzT9AwX7%dnv%Bt`Acqqi;- zO`){r;k4;IJ3l60Hc&O=(p&rH38Lp-c1CV2v_*4pZFA0I=bg848xPrHw>J?+MFwoK zY3w^{xv2BHppx0sm=yMK#u~yhS`wbxZCUDqnKGQ9TKMdHfzH_+w#6{<=oZ5S!&_{0 z-(dVX(LILdCBU^oOCxR^Ln*wEMt>oFfBnhd2lNI|IG!&rrt#&dWo^$XwPKuPTv-%C zNq{W#jFiHZ8I_`-u`67kFE7wZp2JXxiAPb04)XM_{ShdRX2kJ_9ePm^=?m=G>Whoi z_BFO;F#UaM=+^XIz{u~eSE>zuPB~W>9ErOn^DMQO$#<7G5iRBT?7|tNJkYVI=rLnF zk6ujU(NW6{S4wJD5th5bU{Vp0SClkdWL!1{*O9SE)aTJDTH`usyP)D9y6$q_TD9*e}47)`VPUx_pT8ACjgnOvA>j;ytx0D!r z^gi(ZLf7f2P<->#X&D5l<$i+`_-H}~0V8(TTMuBrn%aIe;hP!W{C)-jMVtE$+x(b# zWb>m|Lz^EHifn$=mbdv|{qs*`??*ESx)OYcSlzeOTy{zDUc*ecEjvH(JTb=g%KE2y zO8ykb)uGP=06^pC4|HYdmkgB{0Oo1jJ!-iR?g;RiHt@?b!no9=mLkparUp7Q3}&CZ zr_;E5R6GJ^Ozg9FNJSt$mbAy8)C2W^;1Acc#<QPU}f(ED+@+f=&MZcSda@oHhVQ)~KeZoFK8wRInum8cm zyMWudimdLS)XrS-PD}P@x@`WgkQVj|vL(iJnMQ>MY>86Ou^67_$B9f6_)7c;&0*za2%}Uo9ZJc1*oHDl}l%PD@2VE%*E=0fxth zh!kd?R`!2#)_@ogJmFpIry|g4sR*ceWY>=CnLS4AP3Rei?OIIyBV>I(`_4q;zy4&S z&E9R2XE%7ruEl$JciTs}8_Rw=NVlGTT;=fXEBc8}7wOh+BFG)A9OjMKAH4jbHv0%8 zve2~$_ucrM1v)Kf0kzzdrUWkO356n1&hm;>LMphVhdcW4zVmYy=(L;#RQ#9o1uJkT zznmIKA{#NT2ib~avl#FPhs_vlu!4%7$^`a)ZeE)<;P+)iHW#M$Q(rsUYVs=gVV}6q z8Upz-75u2s0LV|vAwVrx_Q=Gw{kD`U7xq(A*#MEsif}3HUJyc;MRYa5v>XCd z{8q@v^&pVP1f!4-Bo)LUkB=(GA>Va$L(qtU5=>V5+yjti;Qk+Gjb^1}B@b^7Ked5Q zOKm{KZ`~YmJ;>%jQzT-WBbeskp8nHjwNy{Bof64*c(zl_-vxPZl&0M=^IBMf4#}BnXy)a*Y+wK#REFU3BNVHq(RBC$J;znDxDPD_SBEvvdN3Tbj8GLaKn%NjaBbCOAuH3ef$Q-n8I=_f;!(~==j@f$bT z06o_?7%CXsVEBVazdopFY)=KhK&V!~Bd@YL?svkTlAtZ#&Znc`HS2Bxy{TuP!PV-# zm_4-E>r?Msjl_2*kd1^c6#q`4BJpihPD?95EmM_CO{;<^DJ7wbRghLt5+Nne1WYze z!!2t{KdqpgmR5j@-@1+BdXQ~2wr@KA;PGuVFx8-Yg$|x=C+hQodv6W^UVkpvl`jG$ zZU=d$*st$w`@yWX@F`lgzm#)iD9!#rwmYHh4(gI2zRxm>r0n3ozQ8966&kR&re!&x zmTSTDS{2*|eL8Drh6;S5&{#cxF=swalZvAx&v2alr?&nR$-rNW==atd8s85nemG>6?%wXS}( 
zxo-~v>*V9cej?Ul^>l!LgdQ=jNEAWx7}_2c8i3_#v^{DW9IJJ!ideTQ2(^9{x(x^d zp0(7_Av}0A^r)sJEIJE z-HRWD6T%vLTDxl`^&r;w=j7%{n-=`tg@8Std@rYw@2F*-GnUCr5nV#)U`k3v&MQ)K zQ}B{Cx@O^W{?aGk%W330Dt;@lBaPE>V2^Fpjz4%D*yuFq(+!RvM0f+8T_ZfN5dJar zbnip2C4|}W)N?tFdPXfXu6R+FC8@NHbg66%;bldMOf@Sg%o?pDnDwdWavJrFiroT4G-oY9P1& z2=2#Fzo^gv+)tx^QOkXxLBMI-W1h^2ux^`V)@y^)2A>_qy-)p?)2Lrm{8rqLoA!)~ zMNvPV_(es}o*K!tI9;Fg_2u2oPGk)kk-m(ndUOBF5T$yCU!! zQr>sT%WYeo{zK9n*Q))rKqz(Q;JUlc%Oa{^_Aa_~w3Y;w7_j}O(a@-6VREGyRRj*U z_Onwn!tBwOH1=dm?ZFn#wc+jO)6nHK8X6V<_0%aB*>9r+7XiWOj=Q;-9hEp;_$#m5 z793O`Hacl`n@6uMF$rfNqBfvn`1=&4SB_l%wp^`T3ZQ9RArnc|NYaKuW9V7|#?t`&qHDUHVO-!DaX`PqQx-YzyeA2p{Mp~od(XBK}a1juUZlwTAjcg^f zXFW6%+wL}hKlS@XT&B#PvF*MbZb#Xz@#zxH$mR-_<71l(CV5M9;uG3r__kw(zs@@t z+kM$a41Q3by9r!AmDW2bifK363-NFD*d~g!c7V}n1%5p4RxjLByK~jLjX^i+|7GuO zo8!inG||7pn26n$BLti8FK1%!gj;gkzQ^wNT0ZW%A3*|?>bR;{Q>>C(^Xo4XFC?l| z36#jG-Tkop(#MvS07&9VBr>1Oq^3C=7M`0D=f<~=ACvRq+~~}vR3?GsFM-J;Ob1{sdd@Hvy2Jz|%PDnN<(TE_StjegE<9 zbPRFWQckZz*A=Vz;ki7PB9j-(QwHd@#OPsNzhQOXs0!b|5o7)1>!)AFOc?}lFE8Sc z?+QQM=7q@7nN4mbfowC9wlOEPD1_Mw_5Yy!Uy->v#JL?J&*z26QE@NaCJEj;1U+zj zaqWIo;)W`VYS`;y`+bpynyM*N52P!x&y|OPK@OHlMU&fB$b9@_OgbT?Vm1icoE_Ik z8rKmO(m+fX@e}a>52*gETViba{eDTe%O~Rm8C{aX65VtQG^UR(2X%qqAKQD=8(-d8C)AjwLKA9l$-Z9PCD)?@6V#1`~wshS~7sV&~Bo0OM;K9|mPj{~d zUw!mCMo@sw=r~NKvjOsXYyfm-lix@n8H=PP&q&o)4Ut9Dpk^AaJ%@?S2FT~J0Z?%- z3?>QQIs`p1a0dSmu0~EbJUY%tUEvRdgzcO+``Y5?F4jXvh`=QC>EWdm}XxscCeE}-HD z64$|dxc;t(!2Qh-$4AiV=RzRpoK{l+e*s4cFbF99ECwYm_wB&vrNRC9T2>w7$^d&% zCH}@JuQR%YzbcnYU^=fMpT}!JX9jK=Fm?%0c7=7txY*HcN+9NIcslMKZSxxPdAtTx zeEN>|GbNB6J(b~rzXH_o@@BXzKeF+P9k~r;U;1@$4>yM3kGrFPMt1KMb^saM0^WTq2fGI~Ci%Q?krap)>aHyzo9cGvv=^MUx6s z0-8ajO-6({FaA?zmB|5g?_WE-pU(^LqvF%|FPd-e;g_L;-u*j0-y9V^Qp3vs6YRFM zf$NHL-k84_Lhp(~)$g@kvKZOP=qqyV@bR89+zLW7hXkTGR?_!Xh{Nk`XD)GD>!+NOJdvC6*y-vx19lPQ? 
z%IJ=&F2Ik_Jnu>VL+38~|G~8g*M6QJna<}$rqP*!nhq340vt!7o_RuOR<;DV>4ppJ z+|Pv_nJ(rp12cDCq$T#tpI7P9HPFp74{N2ovrza)OA**;-q z;XgPQ;5=rg$773m@mO?bW6hI{inAuIc|_`@ED6-4F$Fi=XtCq5#k_bdDn1=86XLD6 z)5PAn9v`#vQ3+EATE<|-CRH?2YImryTlVn3#KLyQ;(y*}5J3?(`==AL9o3lDqs#d) zuHWhIi>i4j0;`utcTtfuKs7JAi_WYwsVV~LuOtN)!V0ty>mT23Mw=>In=qOt8TBdj#NE$$$UG7v9Tbo+xhd}G3{r*s%6pk)?$Po zPNT}x9^u7W+7|kN4n^gA_)UqXYZdU_@a<~R_oj!Bsk$?$g2x3NcQl$@Dih1BSNVVRn~0iL2^dRDr_fD3Fx9iXYAy80bO)vh=f6nS^`CCNtz`Mp+(6F zgu+a?!M&61fNn7_po@x6-^tU;r%w@k=X!kD$+x_PR3IdtfXcp;*Oft9ZcsxFG9~=% zhSTZ>r0EGjv{`nP^(OTYlHal81zQ0)&<>`5r+K7yz0SAasFj0$h0IKWDEI!eBgDnL2r()?egFAJME2hVv3IV=NB5trWVle& z-A@8KvlbTm53&@-`9bN0pWx-SNSHd?R9}Sokn#DFj%gnpi*jzx=`rJCUd$Ms+2~IK zkqeU6btR0JloKe+Y6>5?_qH7~F5EHWTZm`A`)jili{0v79^5?e<_CN>WWQrW{(2*K z_w83?SL4y*!45?>HZCb(R4R-keNX`M<;v6*wude$VhNayf=&I8p(an$ZJ|%63P#iB0S0b?LPX`f zONegED{s>+nOX`gPh4}&2!98j5#-ctpM>3V4+n<;=2N%dg6nqE^>Dl1ja@e(0&@)w zr8U7>g-pa7SjjN?>G$~2@i1p#Y+f82ow=q3qeab0Rb>%Lt0*NjDN~ZMsw$c~siMTq zFe>dhcIl2|Pr(>Eqz7ZDoEKvbNe{+QNhi8csc*u#e}Kw7uxGCUKk(v$Pn-(7oU|Pr zFXBBmOR;_7e{EytG@4%YePnwWCczwZ8(q(BoRx0$yHJ-BXj90n)d)a|qfGz03{I+R z!|}4!okrYJ7*YKRhr7D;Y{@}?=||Wa?#XMhaTJ$IgHZkIb(ygO9EC*Wta&rf)xG*(7)kHHDl*pqOdJyOjZB z>EDpg29Lbq3|pG49<%IvZeILeDD9>Bi!Ny)RMWU?)rOX*uAPzq7m%D}P4$nBiS=N2fd-z(6!&_m8)MC5CCjHr& z><+5?$lW81(DyI=pseFP6a>^Q6Rds-`cc3MVxC44;`Tc*kGfXYm=Ms~@&lFeI`{@L zV_{`%_p04D+yNe>&I;Imt0)<3x)W-B3BN|+k*`&A6d00jcMt!u7bcF>7s6yQAvIuf z7`Kd4&_>!oTIjvSZZEgVwRkd1L8#KpeA8P625NAvf=+0ZStquLm{O_)Nc@D~zJ~dK z5&C4SHy~Fw)cB!B)|J-B@OBrV#Z8sm@#Ad{J|3oTrn5!Ld2A7M<}#1!I<6ZMrIeGD z=1>WgmEzVy6UrJP$=x{zrOg&8-E5Ib`UV@)r*AMhzrMjGefkEK{PpdP=hos~uS!z1 zn1EDOK!d2jffWIGfck{`j1_2-LhxgVsLB42GJ?k8`k}WwwqvI=Hp+R74Rq!-$?Gsr zGSbv(2KAN;Lh~>oNu1J#mrWDJo)gk$Y?N-s#-tsK4e8sln4Evd;*!1{dn_5ev9=^O z>_@2sjXngeYwaY^i;#Z1T=FHdsird)%6W_hbmpjR#3qUg62?G~ZlM=%np2Wg32lou ziHg|m7%y$cLg{8KOxje~kiJcY$=!ZE%uzyi7AEfBS?D{s!E7%~;x}MJZx{0ZV+TK# zpJXj;0in^h(n~8FYfCGpAIvdX%AS*h{|T;Ci$igXdv(@T6kD4#hz^Sm$^MCb7c|N% 
z`pYoWFRugiQS36dp2q^SN#D^R{b6OS%~P9exH(bi`qRJ2SeediDChAS(3!K6R!v+$ z&?<$p<DpR}`mtog^NV+PsF+&1;y1Qfx>cN-?=JQHqKCQHs6;6s4F1wzUx; z9)m_1)0=bdK-daSV^NVOU{TsvLe(-3{^wBaTHGIiy(e#IkKOVSnp$9{elV7LVSBn9 zF9>kc>%cJ~exfcAjUNAX@DE9C0{6!jO7{(ZoVB_boo0t9O6@hX8vo>zNJy z7>#QWl&2Fr%6Y^NbmlBiXv&>saD$C;^n?m=YFMVHM>x_feEeo7hphi5-)mj1B37 zGA4H>lreEXl#eA3OgU`W-;Vf1*TK(+g)rs@s;fi+I6Tb-|Jd81QT+jWGw#Hjsh`d| zP_YHUj<<$<2IqdUS}f_-0LG(JEJV8CI66&-M;INLom``?OmK|t!;y4lU2wXL_0deQ zMxpt50^_8SY2?ZcZTnjR^xD(9*)CReJ4n6`J`NRs!DAEjD=;{eo`6NkzUJn8t|)xP z9+Jz%@C#5P@G+O*BiZn+csOxM+({pa<$LKHzNXtncdfaYQeknn*ebTOVTB$(l9{rx zJn>==LDd~t5!9yBrFX;z>iIZ*bCQ?&(Xm<1&|mYIH0aD_OIgd~f)tDkQ>094Qqm?N zSzJ?E)kRi>9#h0-(v)r{%_RMW4e8TgC`aWy{e_A9^%o|oLcRwLq_rnS{1kQMVxyf> zczmm(y3%w9CDQQiS^=A?TZY`?LEi~PLOeqzwITYjTNB1tgTHWaU%n*pg)LrMID@0K zYg^U(MTR+~)zB{>(XDw3t{xWm4`4}r{ql!=lCR(Xcy(=(^dPL#OHCjjTLzf*?~9-D zR^V}`{iVky)wRmW_yxN0o_<2xB5KB{x(TSaN?UUMey;Xwsf4!lr(DMZ3Nf#Qj)8Zn zJPi6iWsam*vW=dJT|@9ka@lt}3DK&4{{HJ-aP^*d0y1pBX3&XS@0?e!gSW`{fj7L_ zLqB3Do;f6-ob*U*^(Y3@^Q&0P9dJkWlsR5!+41Ii<7#M6w&R#2|gV8Dv8m?P1 zm`9ZtL->B96IzTT^yls=_yMc{**r-6_#5m`@s?njWGgJ-BPqFm<$`q|2F1-(1v}v% zF-1JR=tw!Q=mgAx4e{Sg}xaE(3Y!uf<^#vS=WmMdOpc(RVsUtAm zakJe)F`{b|vL?VBboD=lebOI8?ub4)hPgLTbJIk+kJi>p6X(eoT3Zg9b~JsA(vUEf zi`Tz#Too4s)N~$OIfKXc$uIt}+im*4y?G;^X1jj9GF_uzH{DA8?9GOXbMcKLbQ5@X z(k#0@Bk&#GASlKjH=|Wp@Q9Nn1r)b&2E^oouq5UJ&a@E*l^ex2d9M7gC(ofnz68Z+ zClM6IlL>UsBoA(b*s!Xr?X@@+9{IA{DBO&-1|R8i!PK4xw*^F4t(dDUzdraI<>n*6 zRZ-wj^frmLjqKfno-xyDXXOmq*(bla9}=sMK`HJx6!w|%FsbWOw|&Aufjw}PWfg@I z7+JzgD1lKz35=4|Py!=4qXb4}v)!uydbS%n~C9pUTj)cAu@1c2k9Sq#lkLz|T%*gG&*-6lVWqBhG zJn3IhB+fAua2g@#O8p3_X3&;C`Nhvi$e>h+N(CZ1$L)#yR2iT|k;W0sps%2;tCnX? 
zN}@2883rM#Xc?2ZNzx)^Vc16QdwFH^rz$ty=I(!fy8U&m;60!vxcZ_y03x`-IaJuS z+_RFQbPxiWX?0`pb<*a?UK|hN1vtuJpyFRNlS*#)T8^bo2YJC6OHU|caR+d4#QBR=x!(ez1Qp~Z8w_A(bj5pezO^D_nb1e1YbSe zfWZ`%8(wyXRB=Jw8R4)4o*wP`;5ET@^neno7crFZ(1D62-GOI~m^@N=iLZnIuiHy= zRs|^^I-pa^Q(TT=J;G3AM^&~IS4nFi%RL~>-NT|Hr+(jfHQ|qsvdERW*Xw`KbM}q6 z&>~r_=m&MBil9PgXv=w|D|F_($lDwk>|v6_!OkmEh9x87RHu0rHxxk85+{a3>)l=e|=UF?7*u7HjxAMaNghuni7 z2!3*>`)=~)Vcjjeds*vS`xU_k8FUMm{->Xu{}9Id0{nnVnHUtQe~-kumj*&#ZS@s+ z2hAs_B7Q>k{Da@lV6rF-R*Ut1$AzN!b!gLheYjq!l6%Ad3GR7Ewu6VwIIHSqSC5UU zN0ud1?z@91Du(wdMTStJGw?o-vWCvg<18xU97+q-4M}STe@Y^fCq-MwtSyto-Snlh zDQlIRvNjp-IBgBZJ1XMB`?T6Zp1ID#J6>!^2I>y?u{n?Qc0O^M!|Avj%Z{ozz{nJa z!yeHM=(GH^ZIvPGLQynWT9-(Ogs~nVAZIga573UTC16YAMr>N^-lc{)I;7 zUzIn_t~U&8KJlBRla&ZI?9FMP?u|p_PI+Q)jF(s@X^M@3=5*h> z26HPHRP29#LUaix0jbnSE7ujjWQYZD44DOs^-lbMUHe7)T5L8Tc)+zEKzgO2Tufkp z83S5Gzo2!DC^*C+8YgD}aBhT7lcobWI2PMxzk1Y_GS#OyH3@_{z+2e5YFV;8xGH!r zhf?a1?Hh{*5kP=TnI$rNRz4>9O@8S${lGk;Bt&T!p#-^XBq!5GEbr9aZqF8-QgAw_ zr9bl5i(ARyt%NaDyg`^ci$=Ftg=Rm{GpJt(o9J=BTth03$_$i20-@OSntSnj)?$^I zQkhaL3Kcp-ugoJ=qB9o_t=cfm35#h((macaxSBMC@sg*s$#{{wJBe2|sj_mDDktj| zlpqNk;}&XTNE=ovi6!lORXO=|g#G5fc)VN3cpkljilKT3llZcv>w_?t2F>^^|DCQj z|9bQ^wppVJya`<+sZ;<(M7v;1__&t70O{a3oW<_H6@1yNjQWM4H9;NF` zLMYV5e{vlWJ^VDScsgJ@&@F16VfzWU&ZhHOt9g7@bY_-@Q5IG;iSt-!(X>oSMT?fu zHe_)HjdDGGJu92fTDkeGleH+yO@)2@nf7?A!>OXT4pEP8M8#0u=&TTCty5_|E)AXi zT5RiwZY#6t*WH@P!ju|yDvw`hm$$%pvfRB;I@#GA)Uh6FfGh@SIh7X~oxZ+WLB_Bq z-Y!}V>Z6Gd)SGhcj6@{}umS>YwW}Xl236E!?VdKe^oe9&?gZp-pVo9GeNdW!gRszqydJz&ji&b?PFX$j}dbx#>@TiLtQ4(Zn@)yTx^VG(dG_In}Qb zJY^38Q!B`b9LmlgjG$~$E-XA5Zh$hRD_{w)HniCp?QL7*OK8-JDKG3B);)1{}21RmrfrfcAAaS@+YThA8^rH!Oa2H!>%|zG2;8?kFw$5_#N<80 znilJSnvw=8UZ-jZulGIV0Mr~RD2W^3M*J(^Lf+1w4;;wu;|f&yNm;Xm>k#0x=j)}3 z2d1|CyYw51Us)3A1*1#8-ANTCZum>hXAM4^IQU_i${S!y8M3?%Cki_g;^dHa1XRs? 
zI_P&$<3Ng)i;&e0hCb^?-K+IuiVFLlcx7=^RpCw>s%*ArPQA9!=#Fvl>O5))TjmK|ET@H@ESx3oX@b7aOc; z-EWSew3i)0gX_88&mVQDh-N)NumqZ$bTl7C)4O%u(Jiy@Mv~k%_@brJq`c3jw5{>_ zOTDCZ3nc2Q5{N_dyl1mt%aKQoHgFpbV~%TP{rIzvs(*yai?TMQOX?*Lyt`-*;ez4MWQpawk?aatVqRKP11%7J;oR%WzNeuitCut$gRh0 zzH8;?yH3_)I8D^4$9!UE>9J{j2EB7@J?8A4i4G!O*M_QMMdoFSE7eA*LP@qU-n7+b zr*bA6i6p;j0;>TF6`~yoeWMCPY_PJP*-;CrYM8v?KwTJZB}t8EImI66cGd2ooaBy+ zr;_(9eKV6yS2oLTv9tBwTlpxbVufPldkzNPPXA5Ta+8#LaO95_+YTNFyl&kRFMJ>^p8=9nX%UZ%>C>)!{1*xMjBW)wDWI|8SkUKM2;?Sb`!e1_+3-Do` zx&RmZeh_(i3z<+o+5s9L#;Fbbi#|ge;Dd}TA?#s-tM6}LfqRq*ko9)3Z*cUW?SJ2& z`6-V=SmWHv6{J~&%H3^lWsi$~p#^059?5|mRGKgtA?nLOXwY&XNjbiLTx`3wT#`=V)bs&a zgmlr0D-qBPAyY?IN!Pgy&;nL10kq_>&P~^YL3diy;GY83G`NUY(@4?jng*Yl=1~|? zUXUzF8YCM`IvNg>`$kF()9!-OZy-?FkVoLiLjk|Vm*{_Na zENuy?HM;g?s^&n)=QF8a zSjkU#rc(|i+YtqOPrO0%j>db^zE`2E;q6I1W^$075+oB*%g2u@@S*bXtnijJ5rB|y1&UPdqZ<`;8sC`; z18GeH#F$RiA(AD^qzAwR$W{1+bwf_X@%vL@7u^a~{B%hlIc5Q!`%O-c2^SO!?pizD zLVC$ntH_}!IH38|LhV@7Voij~Z1{0{%68E_n5qtD3MluoP}iYzmPr}gs#*Z5Jgxnz z#S-XH?DDg{urL zFwRW98oAihjX4dqL1}IMQe;R^7bISFDhp>Fi2WxsVS*K;%fZ8nWsO-an%ID8*9kOn zT<8q_I*TTb&zxth;8{vZ6w;ieVU?0PFA`FP#*o+{_+oOklxvA91$&pbD< zRPjie{3Th`{gZ$>G#<3Ink0*B)`6yVgBnr``=&EUh!|EU#0{NHWG=$I>1Ia;A_YYuEsw48m5wlq~Dpb^$9VU^O$CTDRCc{I76+^BJSfe zH(}E7D9H&=7!<6I3Q|LX3(hKW>E>w}GAFwt4pUpLUxc`i59?LyXk}c`6mZ!T&{f3+ zdQ@> zjtIPid#qi^1}i#M3AXK4m!kpl=5io!>FRr+>P8;Jk&VmvagH+^4is@k@0x|34|zJ( zP_5?|Dyx+3ez}&~z1#2f-9y^r+J9&2w2l-kOg&&P)N!qzOu(0-bMyl?bCX9YZBn5X zc-;!K5Ap;<8j&>NVUyPx4@2hG51FkWE<(V^hxO_Qv|8_r^}{5Ny+h1ZyZ{#iGU=%V zcX5v1eE$2Z6V(ZVD>2I}6K|I{B2)ZQ<3zrOMzN^}>*e6!1V9MXTU>2K$DrhVU|>OA zegk8+*HJ(@w$)cc{F{87A(0V~s(-E9-czW7VtA;gCf~IT^2?OL8~ttuyXNoXyMfE3 zUztAl5Q;6U8^S+(wdAkD^pWz}9exaa;f6b;!yzL)K{?YOR$u`tv# z)m{%_GaGik*#IWcA}v!yTTST6jSHQjuVzu*@tI@J>NJvV60($}Mbi*kLY1PXjGMTP zBOYgNeU;n#>LOHkd|0o(LJJeieG6`jPmF(7qanE;(K?Odo{*b_}OOYtB83Cb; zVBuo53w2u>44l1;7kq?dLPNt>qks{iuzBLihl}jksTNjEm)E8X7j&Gv6Smdz+VJZ2 zzubKKh#?z$Lk>G+G7DUa&cQV{b5Uezorf98ik6YIZfa7-5tKA;l8TkQjD5H+Y+PT2 
z1&$BqN8-fjc(qKZeuy_;m>bM=#{n$(3+;(53Vfm@;3M!J(3WC1vSQ)?~oIy+r(J z$RkshN!RRE8!YhiH(XItF@R2JfQ}2D0nu6XXME?bTw}e<+3?Na1kva`S!gxi~ zgl1{QJRaiGhUi7;&-kz&h;oH@sm&c{uZcc!% z?sNfawe;@i8kh~{m;~;ROvaZ#SAIUm-UuriC^sv9L(+}fbOZk1TL(veJ-mixT1VwUCFHz@>Sr0vQ zim`U!$XG_ejeY|cxF=JKrRW@RV>7chp<%^236omb3sF^)GEWL3pdQht&Dywhrc1?< zO)ZWtLoG&!b%Prf8{%ohMm!B{bO1N7Q8C@*ReKe$0}XVnlbYjo%B_Dg59kAyjMdw z0GxR;7%&v#QN=GhV66PHmINFbEm4_M9yf(~bp#sdd_8Bh@VQ%mb#2Vb14 zTyddQm~OHY{N(h9Vk@t7JsazH0tGp?f%pT|dk4P+upGqw<|lnp z{tI0U5|jafu<7AC)J@}0RodLvZLfph#GmDzN5)s6b_R#}dU!dkgGzDAL>jLtIuc^N zIWzFltXJ@n)EMNS-9l+8px5#KaLiYj;+arz85cT3_snB1qcfLfTox>)&>E;DX`Y6J zGI7%hlQxTz4C=zWFFBFTT#hcoTtV!qK6}Bn}aXip|C?%sKCiSvwewfhd zu%xA0>qvt;_*b=HndP+QvJ}r+Gq+^Il~hQ=pwWX!dSL%-3cKX03}DKdt#UO#X+LII zz7F22KdJ)mM~jfP86iJvp$Olang>N2O}pEXB`sg@PQM35lpZG4b<}=x`G&#ID}Gm8 zz9e<{wc~rrwwin>(4+XkoSFKVi=nfny!gpB0H)yMkgIQ=)@~G_3C+j5#4JV6K4yjB zn?@F&{1qOuc>o=(MZau2_)xMIsr6VN=$6SO5ku-$hr(j_(*1d@jOL%>1dvsVw!6`J zuOAT8)l*o|sL&a@dL9cJojK%XmLz2;?8KTv7)luIamz^76iF2|WyTwKmPur@prgyM zpwVHSx*8KYPghUlKf7PR&`{H_xUq3QwujquXvnze6?#$KeLWIshh$OR&~W)=C66OI z8zpA{U!6T$XA8wwoBg0n#gD7iUUAmVj}4LLzgSa$8*B6JC{U1fHi+U1t9K#Egx6N7 zQ&r^`l6=K8$@&G58Y4INNGH-IKCxPE_>OXF(CLKZXddAhotd^A+6pA3%9zlgw5bR< z`$&?osH~Hix0O51H?j%G(Paq7=&()=iV1y`cOjIGgUWeyr=u*mPhFy-%>#!PSQ3!h zs8HKPU)pqMSkn$j)w-9z@nkX-@MnGReX({*thopu4r?@__}8CM25I;QlQ1!iz~O(u zC1=L40J|R2DJ1p|RHW*JK0yEE`r!<4#pT zlG$vVy>TIEl_-xShMfn>nJ`rH-AcCNpz~G7<%0+M*y;+rawcYGVIAaz$fP#if)^fU zIRD^B2Tu=8B=qYs{Umgm7OwU7km@035Na2W6Zz70a-ot%Hk4M&;>234Wx`P}RAsX; zLobH1e3*iqQ1ToXIzvIuV_c&%wN1bBH1@b6ZN_zU z8OAj_tW!b0Sm@RvBoiC0XVl7AYvAB9C9Mf+EA_iET(Y5C6+AV? 
zEhQ}hC=U?nk-t)dI}so~{O;Jw&gcfvJEzoxejZbLS7nY^>EY`qT|X15c5a^~eu2yP zT9<%1Y|C;g*X()-7a#oV^>Gf`@GqF+nL?dLh0ahs^QhD4%yE_{ZCaItgL#(5oRW$c zHOaE5D9eb3IgQ=F}B zU3R^JsqWYaqX_M})67Jd|{?=u}Ko$5hqJkQGc3RC~YM ziHT%Evfip?_9z`ovMi!_PwJ+!(k;*wEfI1kjahNh-}ZVOULEeB9QIJ23CIi91!*8S z%4{?6Z9~zJ`-hz>1_$Y(pik7rV64JDToW4I|5jZ~Mq@;%lLjhlgW1sUWtVr`-7T(c zOH+wT=r1mAA>x0>rLH*Nnf@riDIdG0*qtcH&L!HrGghO60X5(KN*5csHrG6P2V%l$)#9p6)Ebi5b<(VTG3?FdcSWCcPZanZU>*gJpeU6y(0nSBnQ~l7 zMc3Fm5xJ@X|T8nzpL~%VW|CrgNtd;8CG7bnZL?JUVk4mN8Ev zMv|-*I+vyuDYLL3EQyM^X{scoxm)Mj1o-GO1bB2$Bsjq`m zne>|9hG=4(Pk){!1_()G0&>dX+Obi%l|_vPd!^?~rDVXh(J!Rh0L&no8d+5E*J}B< zenT7nKmNtENck71`j)HHZg0@nJ1*@-{ugu>04DmOW)`nfeEHxlw4D={mr#D)_J^Dh zRHc03fq3K4VJ}dx=P;*#2YsJ*_CqSv4_(WxH*?V0K?NaCJjoG7^2w^}tAZPP{c_-) z>ca_)+QrUxuL}*(v4ImO$#w@Uyj^#ED>Rw?!-+ON)6fEN)PCx*&0;_`67tT};~GAO zP>*9pLQ`1^Vo2(+A>?&{=tLZ*7^`kNeLtE<-$!Sz>O8HREF^UvLh*nkBXwI)5|>R{ zhB<5N)T0n>`hIj7`aU|WTOp#0aVx}We0@~xltMgcgK(BI=; zp6V?!Fu)X@%T`c`62unrZJ@}T{F%W{T&lTc&Cs2U8E9iv{r+KX;R9RJZUaD68vteM zDmV4v491YNYn4bA#!uC#Wgs_;wX8ZO!6v=@M-}T-&nTv{{ST%v9A640PL7qerCw=& zm@#m41jvtZb)@7`9e+J)c$8*0CEWlOIzt)FOE*AgZX1@QMOc!u0KYnK8$xNDldPa= z(H420rtZLFY^NK&ef2c!>N@8G>-MZf6?BRHMqtX4h`tj)|ee&vsrZU7Cap!IpoQoMq-s5)eW z&>!38flC_%#NKLFf*#?k@%mlC1H5`2*slrhrSK+n8FJ}Kdwx4p3x-<7I&Jf~rPR?i z8hWpbiy(OW?sYu`>1H=IFjYSYRfU-C8wdq1!7bUTYID8rq7F@r)vxtn@`$Or{r$sn z4+f<(nR>OL1mQ+|E$+Bn8m2=`!BK?`{eCX>gbMl9Q#>yN0iC(6avsG6CskI&kUdRF zox~Yw+p?m(YV$gEc2F0Z&sI;D$v{Adb*m>dk-(##rX?WYVt)06=PsOY3F&%^r*)H0 z8(|ChKTsQ8kEMqOij_2Pc5oxs{nvHdI%ay*_5W9gozP)ZG8s^zGj!OzOa^r3G|IxH zZc9=mlG_!9gtk>nvbJa&UT0~RJNpca|6}X0%VaX3!@6}CnpNP@VbhWrP_Z-GaXN&L zkSB|a9Yhw@)&~?dKw^U3OKZNB-jl&GazDfpk$ar?p@Tn+3naJ!6}bhKa`P(Kak?_x zh(_04fCxY%x$H+l&@1uZr@HHY$YrXQaKo?kuTBL?R}1|YD|k6R?AU%vaR3x<$M#gF zO(#YKKp)!)N8E zI_&R!2iIF1$#|)6Rg>ruWon|L9x!8KU$%=!u^T@v)<0Zu#>91Z-7ouE?BL)L@(tC1 z!X9aK&}(?2G22l3O_#=hD+^?Awz8WD@EA==eRzkWYhJ0` zy*g@2shS2Hyt{#M*)F#HCj|4h`=t)o-Ra_r@AR6+(S%W9$I&+W;~b1E$?$SUnOA;T 
z77JWx(hZ~+K19^?NM=gFiv8hVJ=+P0+(<){;Y1z9+^?6iLxL4O)fK^YJzj`=zEQ*q zMRcQmr>eG(aadK4(zv`AJFBC^@iKZz7q!L?WVxTAL+hUz22h>2HQo$p558!=fGWK(T!F0W3v#djQ(UUB-S^(H zl8>Li{PFeM+uy(a&6-q~=T=x8G^$ic2DV?e-Cu*pc~nlC-k>`PE8TKDP=BDzbVJ_1 z7P{aC;=u;n>?eIPzVLw+vhEn%>TZ?`Rq__PbHa;~1}uc-ph%K6A*Kt^>;o*QhHq)V zDwxL)M`zBmqD~r~k($CKE3R@HKPzBSN z;<(s(J;m_>^mXekl#?~P-7W<6RmY4}2}~2=7S_z2ZiJ+L7vd+nl^a8vbr`b*Q42VQ z98#Ti4-#Xi^t#=gHgq6PE*}8?Vncd#K-rY*XTNdWa9cWbbnP9(HyZkT4|eIWF1Vll zFwBF2M=r@wW0@~IuCH4@>9?uM{@86mq=J(Zo-A^69sB^TEmvUPzZm6@-+se%3ifgx z_QiDWcRY{#jn3Srr8pd2gG1!q*Uz@i$#zY4lQy^6b{jT4*>19JbF6C!>BZCr5T!4xyN|Up|KEqJs!qgaqKMdyP zt=3rVvs-j|nVCU(Cchj>%^x0q!#!Q9mLwcO?&{M0(mlLvb5BI9Q0YPGp5SFx23@Um z0NN2_q5>00}_QcVw#>A3EKPw`>*e`WDG#fHs3c?poJ*O7H{Iqvx7BUCL9&qQT z2QsIjeoAvK?(-u2Czg!-_{Fj}yel(k^>p&+Qt|Vp8L8x5fPrD4yJ*6m__WEbH%-W|Ewp zJBBv8$xjP=x4VOW0Z;G1=gFVzSJD=yTVrq+>}z7Ystu|&c}b(AO?s!eO-ngP{BECf z#>(f5Nr5i1S_1OQWQMEhk3H;Pd@(~e7)>X$XidvT{a4W#zh)ZdObq>*7qL&if+4^x zm4ztZFNV`CS^~=$NjL9Vn^F?4H((p!5hFsVjADPCYfb3nRN2Lo?TD^3Rx_q2+=DR& zNN3kH675bJ4vS-tQ|?rz++$%PBpiQQ$e2bTkoT;WNFAlp9%rKS9WmEe#WUi6)qa?< z;&s0^81$aV@iBbuE?rY+dCJe08QyIh73D7gQZAOMm+>+2vyXzmj5tVx3?aGS>krD~ zWOKEfHD{)3)ba9w1;$apM64@qrs{o>O9VonI{dwSyBd72l&l*3RTm?QV!UARdRx}G zkenU)SuhP4vmShq<*)Wx6+j#u#M zUc<0Zg9~!TDlAg0jffbwkji1vA6N5&>M<&c(sx;kpg^DBb10Wf(LOo2&v_4r5;>C~ z1v?@=nQU05oGdlvWqzV>X(`_Tjhp>byODIbDi=DH7Xd-b;(aZ~U&j ztbcB}iqW6U#w}(DPbqzIU)5Ndiz4*gEUuBf4vGuCwscIrky7+v?c{z%3&Q;p&*Hw5X$1JWoK%|F&M z_v&a!znUd-IaI+f;(P*H&7^Jwa+49veAmVo7x>|Qe6Hy8i}Jy<;U^w{yi1$e_3;;b z71cnsW{ekPQDzCB!PP$M?9Fb2#^mIPgV8)ngp-28TPjc=7$b~X4bSAhjU0UZD`2Tm zSoE`yU@f-^2M(raBu}Cf+F(?{WVXUdDQ_J9Ze;|TN?bYVCnbaSd;*u;3YWr`TK7kP zygVK#k~~l(SDUl1*pZVW?$x~^~)ItxHu`))=q;))3~Q=OG_d}pXgdZThlg5TTnHp z7N%9b2m!2o-s;L0;*E?etdVrajyOEZnfN3*=3>WjL*3(mVWqbMWI{$US^lM`mD>kU$K5EQ`OuHDNGj7DJ!-k+?ZeqlJ{)#F2Mv`>N3}xH7&hM@st1_GVW0#AaPu5*8eygk|Y| zAiUz;UB#dcWxiE;=O(!>;`7DbC%YzTyoIq@nR$1w!|XZJ<|zLe4G6L7qAru<#a3Bc zl&F@etFw~@#!x79HURy*%BF2HPc0(X_BrH|%`aLNc0Q#g(#4Lj6<;Js+x;znppJ4X 
z?3ApZ=?4;GOlX|6CYta+AXt~}9q<(Y+CB=KzQU_aGgXzH2tCnPdbFQ9pA#b>L#};d zGSCLMyGHhFo{}D5#J#nvnI7Lvd0Vceq|HK7pf^QB#TQegRXd{XH5=|0B6h|xLB8q| zIQ{ZzPBV(IR2kA?y4eAL8s|38_--|0lXOsYMZ4*&9EE!1X#c~ZhgQ67282hM9*BTg zsv;_b1IkhGxf&dewC``&?Nq;Srd~)#7bW6rWGcBWzP|$>2Bl=RC3~nodryn~;Q@Xz zsRU)(iNr2Pr16(lboGw$Ow(tU%ajlp9COa6ZCoE6^Ils)T_jHFI?wA6kL)khf72BIj)P$@1sEDqyQ`Tl!dSm5h)X=JVEJ6osDb&ZD9U>q zK3989P>gTfY2g1kr9d+Wwh87;*2~*rwS~2ikcAL?sB0;I@#w9Q!RxRYvn-5oxbEKB znA<$&oip^>;Icx7BbXJ!`uoY`vFzquhJT3Pl!G(Mk~$6IaLS8UJQq!yRIHy=?v~fU znIcRyj1Ww*9mg$+sC<3x-|KnWF|Dcdr@Kq_XUY1!?0U_=*%|oi@6f^F-X$lw=kI(P zA89Q37k)aH)-y?wm!kHe%xt@|cQzGXX*GdOxmNk+6h(m^M-K^BqraqlV<^j|G5ZHZ#4wyu7Bary)-6 zb?9ilgLGuthGgWt`K(q!Cur_k_WKckCO2nP?c|qQg*pt`+BjWkVy4H2zKdD!MYs4( zu;Is`6V?a)P?dVHflgta?N+?Y-C`q_VcJrJy^6D@yV|C6iTi>riyNbg`T?tjM6@IE z+E$$&kA=GjvmL1Fzxs!#6Su|+1#SmCWT%~__h<+kbrRV_g3X)F5-tcur)}6qgU#V2 zO9X((#)MlP+rj^DVp*&bb9xv8-7DDnQ!q3BjE2n$g#~%9cyw4gy!htKFsNGqz5WDy z8cimaOK(}IB46@Xi;)z0hoS-M1=n+2%4fmT5=$}%v_TSRY=C9{h`5Z;j$`qV*AYbC znQ_S}^T^9+qqbFDZ;&H*GqMmn&!x^e%B2u3uFq2PU|PYSXq6B*ZTY9sX-fn#Kj*8B z4DB_6!2*Jv^<78juhl6nhluIY+Uwt}(^|DWJ%M@(CM<1dr!b{$8hGusPgo>_wW2(G zlK$b-y_!{d#$D?20DENW@eblF0_}(bV;P$Y|;&?%YO&y$||-9 zZbk z0GX?ooVtRO)Y6M9OLXD?F*RWi=5R~+g0q=*IQT6?o7mcpy{&M?Sh)#mF+C+5g z@yTK%78Z+cgk9b8*C$JS7{*3U-E}*XCuV{jV=5YySEWAeSm!}^0g3{1CX*EGI4|oL zc&FewXnvH&$!a~;()1B!{a{@1%cs}d9idbgDg24@y*-(naY(O*-e=$t$HD~J^8 z#h&jE?rs;dntwgQOU0y8XOq%7XEWo}VUm$U_OEOM2KK!L`5Ka!%G$dKdsS|D7LaoE z-o<=-`ug<8x7vsPLw}9jDRO4(KD5inu`5$l!ubmRcF3J#xfOucpHb7UWNI*qxBSQh!i!xv{^b#b4OE-`G#0OpeR%KWf2! 
z6{RZJx_<6$YII4C-FujC4FGl@eQKG<6jl!oEy)LX)yl(!OCV=0z|1evu+GrF7x_u( zMl=$iA?;x`@Z<8UvG~VB8(Ay;UO`@`xsxe`Ti}Rs!V-CTkesYKxG(WixF#*XCqAHD zFqqf-k;$$Um3%vtQRmp1|3KINKYN)yL^PT{b52NxLx03Z;TTvL?$+*nmvMbjbqx_>7Np@N=yt5Bzr_$E^;AcLhObX_+{o$Z=W{Y z_7?}L!Bz@88<{z+g04wyFi0FZab8??XL~dUGKAzS1y3kKPPTy(WM6y>7m37p-{@BD zXhC+Ko$0BV(3vV>LGXmI4fvN|GP{4=>vx;|vy6SB{tOphB`FT=a4IF?G6wM*7QFJC z$*|jYgAL)Qv`cMCgWWi2Q}OyBZORDIam078KgPgh@#ux^P6s>z2c=puBKx?R>}K|9 z(8id{Mmc6v7qXUM0H=4`nXL>O`8F&|dZev0n(vXf&Mr3dFSRZXK~)S+*3;ji^h5PV zD_Wg#7Oedl{mzLPgMJSU^f05d1&!8cPrXe=gh`UyucC0M&L~WP%CwOqOW^Oa%2`#pECUGP=o**i_ciNDx3>?R7j4T|!2r-^8-z+jJ^i0~& zSOXIyY#iEDn7G#;_=v4Kf#0rg7*OAh+c1JH#p|yRtD{;1ANKSgR)EH+)D+>O(tHKN z84L94C45YNOGLPApk*mGSr02(T>yJW#474+T(d*z3?^Bga7It8HlK7j<_!!cqbH}m zyK)*f|9PH!I1+wZvF1*@wW580xb7^aF0O93cSi@mSn-dEH-RubuM%FlhTg-eJ2B%} zJ#fx<>AXh2^6(Ik$t8EG`LF?*QqY&t z`-`1zDLjVR z{c_noiy1mfu!h9yg+y`MA_&PDKPlzZDom}7RnbbPrN?!`#~Ww25UWTha$Qq!Y!lQH zai5_;eXCS?mrsPSiVE zemf%wfowTHr8&W?C+?Zea#vI`zjDNktUr7V#ClFo$J9Q1r)QliGM4)ppBxj&pN3l% zsH>`BzgInmeVos!sivh1vBcIP_*a}Hb~VSuizUkz61O+{9ah@e`rJwOTHjGqQcM!C zdNNjO_;FR<3BhLndwbcs+HbbTL*w%TNR7SN=*trN$FhZoZZ#$KzwGiHO6wMem;9uv z0Z;!2F_|0Lwe9^pd{BjwcFHXF_E)W-mOKV#I&MamM^lPOqT3Z5wv0N-H*GcyWke zQ+ZwMH%b)bP~Q}zfUgE!rSOb0{-vf>)sl(6dKf9J4FAtyZ8**3cjxbjkeem|ktyP= z`uZ(DK3z(-46PJYC5?%p!2-YJp(DuosXFFPFE}S09}dVHZZ5}k8W=^~yy)6$qqM4M zp+JudL16Sp0zkS3i1E%;FT)VXj)1sd(Rfwo1V6W6D z%mdsi4_!WwWY1_ZzC8I96R>;;RuB>p^4v#FX^#uw0xslykHnIbcy{V|&GW)}O%4tX zr3t+G43D04Fr7CF% zK@&G^&xg{PBj(kiono6Er@Gke>}6*uLvfcM>8@VaMrF<|G3jb-#LHGnFqt%Dfuch< z^O2u^WXKZWRI9pua3Cqr5MNzChB;>9$l8_z`-33|_I%&Y9Jb-Or3v282>V8G2O9&+ zK9!VH&-VKHN&~?7fI; zeerbs_Y$--H_Bt!YMD`9<&qr}l-rVU$Ir16vBtl!(`}kVxxUCrx~_;UY4u@MdiFC| z5rnz;uE=K67x+;&|2**OD#+gYcj<{y6cS4h6Vm}`6(O?7=eyH4hjnh3g>haMUK9%79=&ED?5^W+ zw-3`$d*?~9FZmPsSRY~M0)Vjrn-5N zavJZu&Bn(EnjS+388}!{$$QJkvBoJ4+XL7u@NO_%Mz>0pS!`U5H&Sn3!O$Pv@wtb_ zz7M{vBGoR|Xdmit(l3CGCP{))_W$1ZU#7>xBYv7O^A-(K!iSwan-1OW9Z0yYYn6{i 
zry|zD{Z!nOA(iMLK)WR#yXV)JY7K&|>J4VvJN`|sCNHgjAUFSO!$*RvGjYLKPK=AZ zFr_v@Wcq7n8h0(-eGxMT3%XxnFUX{ua%+K$bV~s$0Rq|QDjIwuQ;Eu~0hbup!i9n6 z_#a;e!mIGYrcCZF$ek;&n;3w`46)trYpmoo|dzx53 zkDl%85(0kN&FoXQS6yyTQZi9Y7-PuiXRpKefLY@GV&{6|vn@Jky-iN}iqU0W$`v|$ z3?t0?_wCWZ{QkETnqK~lrF?63zw?^+%ean~s2DxY^}fhUPrgf&YKzbzwpT}l$2fu8 z&5eYZXqNSA{NyT^-u7Yy@+35uO6EnWuAzpVb@n)Nay}=ZmX=~u(Y&tZ@sMsH3#NDn zs8@2=`{@eZEQEAZaxQX_azYsxUMIV{3%ZRumx94}{v<5v>>}xh&N5%5IRg15by@j* z4VePc=^$&rc;(U-M`vRM=noo7p=htf8;j=|@+50MN)FZkkH1>VsjFpgt91sc)@2?G z$Vp%FN0UuEqzm+^TVl&xi4pCB28Ue=hF2saN!h2#)CMz)t#`56PyoUOYqmv6Q2| zR&Jw2zI+#zS`KXqZ)IfiBV7ZL5NWFKNdMW!YCX%sXoX5QET-yr_{8ZYZyl{dN{PVz zlD|#O8GA95j+5gyvxL<`Ndmhv$bD&;(`veLJpm}cPO};e1h)`7UZ-(_f;Y{@FCilN zA=y+ei)Zp%P_-3vawu$5er%!YIm2RssxrPLy(Pwq$Sij8*iGpI1>NO;pyOm$Bjca@b7kKm+;%O;HE^OR9%3MN2QLzr2$B3ZM z_+Un5Ej)q4q=Iqwc?0bg;Fqh95v&^GER346@T*L`DZR<{PSE8MLwxSVc=MP9PUBBXV9-${Z>jIc)-Brrh1rvhy7gl2~ zz5rUs~5(QF=X)u2oS+}}!9b=ZUd;QNDyLv`A zu;;&*lbe5ccEM*`xo)Bu6xuS!3y6M0JX~^6uCuG>tcCOBy(If5f$Dx&&meYSlbvCs zsq0#$Wf46UuM#!2G%UU^wSEkT%yaSc$ zu=kZ-yh6^NKgL|H>*{0zV&0OIuC^amMz_cNxS<+@9^;juaagPplGNg?G*Vt&6*ifNUEO+VW)8%s0c3< zS|qh``$z{lpYuZ#S7?jU(bz6yMpvhsP{v#L0H=$^Ka5eDv0bBhc}%151H0@7tt^uo z0z}oW3uNbdkId2w#kqlG(2g>wN4Yww>mYMz!>%ovBNKZ|ko~8Ja7jc!m){fN*uZNPH}cX&es&I38t3VF`BIM4?wE~&6CNWR zCwnp*++LZ$-^W5{Nh}0aO+qz#Sgz$IT}V{gCUcCO5Z6crH)l!`k;8 z*7NdsC2y7b5Q2es%1APo39Da(Q7|%V5M!OrWE^@c;xHCXTjUy0{DSeP;Z~m8AZrR0F?+?P{l;U!_}3r zV2q9fK}iaU&;x+#(g_RzIAEfL@%pJRr}xF1!zYK}VH+=ZYygD7MhL(N9b^?#fQrf= zg7uqkkGI9(B$H@DqF*s=`YfS@vRRN@qLr)FN{0)x`2;`Ryy{9Su;{0_nb4>3IbDw8 z-{IR_&<%E>FT*VeOu)*?EamjAZ;Z{ihJxDZfR%6qmtP&~m{vtXhEOXU!c0NyN zSRndAhi2So6<&SB<$xBP`(1xWL0N0eW_pDRgP&y7)riyJ#vTRRBnRJeg???kFGc|P zh2)``a}4&oo&d3L3OB$eZ47XvHZ?1F%Ko%r?K9TXWj#g)6;vKMXR@)%@n+2yKH4aW zZemNXMIzB32L5a;VL?+R2R`#RQfO+yuL-+}62c1JBR2kHz1hU~3U*kt(6sv+n7@>P zWt^i(PBSyLYhGlwHJu@K>p*uC_x1sd>*nPyWX#|%DwQ>>adstyi1?7PpYtRCC*3q|upF-)^`*@-bWF%CE3j8~KP>4g z44w5jT1A9Q0;&V#4YY;oX)K_1$LkPW{uwK+4v-cB=}}I!sL|&A{R8;k1B$RQPK$$k 
z4v~=Jc;GtaYtGNzf`o5}MLCW;euHMq4P6D!y*m(tTxA5497u`n&P>r;(9>;Gn8Nnc z0p)TUR^wBW_bV+1@891MC5&048a*PwD16?PveT2kY7yX<;jPRlOnwJ8%aL)y7y=J< zkZE)7O6#e^Ip>D=FuSGiwo&u+OnZh{B%A3pY^FuxC0Ev%=uJPTxW<6OF6TGiI16) z5z-=#nK}%yn|%!Rn0dLAeyS?IEyc@N$5~kz$53w6j6wC+6b9WD+=>TYWX7LfuwN~_ zNeFq;AcS%{hIn9v2*WfPt?!V06M0vq$H0C?J8~NAoD=tB#+v+qwBkxH5%|MEg934< zOYo4KGNpV2`Ba?3boXLi+}P!6f-1wDZ|%h)+(L2A{!)G*e;8mFv3zzhv3wfBUiU71 z9C6=E-=74I-cw}Te2bBN9LT&Z=^lG8(^nAdz@7@)-M&-E+n{*1GNn`PVqcdH=pT1` zo|cQpzE~O})q=faB#k|q0krrGUixtg?tBh+v6k@@tJW$a6F;^S_@0#(q?w^6wceilJqR1}T9Xn<7J$CrJ3Z1))4@>+9naYKy+wkAv1Jh*YD!09N3JLv^`Q^o zdRQ-aE(C6AE(Au@fiL~hgTcNArb%?y#V6xyhy|P(!p6+!K~FHRoETKh^CNvv`xad0 zc-QNPQmGbX(|9R;ydt4TlkE$$yC|n=$Y7PokH_I-!s1oOMuoXGYhoTs}Zk8Z=`FTPqkZGowYuNEI+=OP-!( zOMl(w4u$Hip_gda zY3>omo{c>Mt&-obrJ7cv{b+eS;UZl$CmlM6}46JnxVKf zLvcYQ>0u=v;-=*q5}Wmcoztccf=SxGbIcpru^HUl|4j|`oIZY%3)vM0rr*vvkBm5RmFg)AB;_myjVKerK1!-!k0tZSwhayAdV+0LVYSodeyH-bP@ z{;kH_P0FZb76Jt5odV~|Xo~q1)wBt{={Tj-hC%tK?tKKPEHkwZemf7WU(T|11rbYn z0En=Z+tJuMclw*J8*b`H@PrQsqu*4k3(;0gk&%NOVaZS^3y_k|Q1c}mb^a76n*?3{ z8HWEa;&8kSUuu<{>W8?r%ct_(@w}#(X#as=s-4X$i-=qy;Qanmk-7`ECcV z&se}Dta*sbH{zGSJ3E71*1xZ%wtoi1)D3Z-X)L(HzEUEXZ0rZ01;Ur)ufjPhNZgrE z*RWEtz{2OC_hl*UDj|M%MQCh4yXbH z;A&Ludml1ifwGxOI_THXLBEDJEGy=gM;0UF{%{mp2H^g!DZqmz^;_~gdp^xkfe-EZ zN;uM!$>f-t;=ZkbCo#sB9qnk&$oFN$8}(qyur3nQPC5ZWvA+3I`*X6_EnfVv7<2;c zp2S*{fgiWlvS=+s<2P9n=Ru9wrkhvVb^rD^DLJLo?HF_(Kck+{$s2WQrt;u1xG1-F zv4Y0Oa|qW)29LY})W@Ra)^N!~G#+2yPA^G^6(@%vE5#K(>CYpfgeKxcBnj z(@@d-b0n-#gU*0 zy`^bJd_y?U`Ci4K`n6)FWSHi#1KDle>u)>08-@BZW|p6Pj3V5}4QI6)6N}EH659Ek zi@ebqKjHLB9Ijp^ZOtZ-p5H-+^PRQ{%@?_4hLJ@l3%~+}tRxDx5VNDk8gUP7f-)*c zJ?PnE{K|x#pEl^L)@XpTlk4m?+IO||hQq#@${OeV&hiT?CJFPB$%Rmj$uHnC!$`|w zm)@KJtFQQ4Gkuk?CP1ikXAE}sm+=Pq!vVW|AFaad+}>;W5p{5wx9nhG{ws*6S$ox>tDyBb51Kl!>X3ZiCT3=h;Z385eR$0rts0Vu}NQY-vBh{ zUn`7xg%9Qmy$F9llT%o+7k`3|#uEH~(VkS)qOi!){2w5%p$dQ)ssPYA`2&9gh&3_X_V-TSJ2I;QT_8}<`D%8j=_1xZD&7iXr-4nTW-JBE5rs}TR&Pvq1A)k z=Vy+L&d^{xwfSQV6fs@GXx(&10Jf2OX)PuwlL?jOik+*pi`nsV0kO%s6iU%jC`F0Q 
z?O(T0n`=}N_kboT4>3samDhY$ROQVq97?EjDJIB}?jWDfsN~;?oeM?`h6Zz}Ss#Vb z&*!|y+jzOiz=Z6yhp!GGBSitwW(tvJVO5{EXIC2JkbTIE6Nxa;9b3m;+OCAncrKjq zR>q^gxKt?}NjWB)K=8;moI4e|EUak5(qy*z8m@JyWaS?8egEpclQ22~waxH!yKVM6 z+3ZxEjhehrCB-e~Bmw8~csfBr5=-D|dZ&C^2V!dCi{pZ!%xonCD1FUF2VjsP%Jm6E z@*}&4CKQ%>JH7@L5!aQ{(p1%t=yK#cI=b`}tG3T)q;Pb@vICT$5jxS4qW=cL(R&we zu}FT&`v@@U)_lPX1;GX?ZFTIR_VU1&HkboG?PXkvom)hOIJw*B>X9qE(j@iw!FfSU8Mtf z4OEaSxS))e>7YQScN{@jKkt{9p?ltPfk%!+44~hKs_hWe+TS$X*;8`v^FC49u*8zT zcn15k9LiZMbaVqG-;!>Ju^xG3_FndG4&<4-4%_`gEQp=9LHi`%Bf-=B2rNKkhK)HF z$|!GBO)W->f7V1ipq2czzF2%R!FDV*JCP!Qs!O_YN>m8c$N49$%q<<0d4;8tcY}MMOhYJ)|V8{rCj=(5GJSi7oC5m)MGbXb7z$L8NvN46*C5p$5Bh;EyQogLWH%@5u44(ysB4+aNc@%C!u4w;#S z7sc;{Z#)b`GeYtI{UdayMv$-{Z*|qbbqLWh) zm*YXv9u7qX)KS~XT@MOJrpJ}et z9=WJjyP!f+m}(-ncbXj@${@Z_1~IZzThq{LYo&7`m#$i*qh*-a%8ZPC{!ssCgqJCJ z!#TwZ#pn?0r+cw@1Ij*Qhn0IDJb?o<#{re)@8L@PsAaw&mL2`_mdJseMQ=?dfl!uex2s!QxTG-0}V(K><9ev#n`` z2faF6D6TT1Yi(wPL4I0o(qoiOUoD;;^*Nw5{9}nB{NsFIVyZaIEaU2&-%^7`$ns8q zpMQ$GWhL)lw`PTEdxc|h@nwrQ<%`gmp)B#=n-85d43idgx96n$LylZU3@N))dClc) zp>lNtX*wce0NZkuoP*)9cRKN0v``)ijtQ6q>gzO(N76MQt;)<>opgT8F%5&U+Vls(#GR#* zsY*P#ta7~nc>{5%{>4COTwnhs#%zVoC?%3T?%lz5M~KW z6N2z^0;G%eF)9mJWt;umlr5=TmNhB#VB9d&pq0?n5ZG;R&Ccw~Osidn#Y(NfQZz@|$3cO{QZC z#{nBLCYSW@y5r=9@(lsETic=M;BDvw?sj()VUVj+v^weiY)kv}UxVy&+r^R((kS73 zZ}y6J@`yr60~^yB?AK#&bkNUZaW zv=?Xw7HY>q*~QeLm2;%$2&>VlWn@<=r<83lb@k%2(ipGfz)h%-0syXCGE$wDp*a z&n@5PA@9_o!|o9Hz(XSw=cg^?keqno#Jm`f5qqtaE_-}Do(ZK)yToTn@9E?x2+z5* zkE|ES2OjvWA|1{7zz(rk4ubS&{|QlM{`%W;a*9s>8j<@8CX4oe6RGD9Owa;A0sV&5 zt8miLJYv!eWMeiSau>aL~f-y2ftSTSR{ETZf(f#ClNI>4tbJdm76 zEt0sy2ZdHT_L%4XTof1{t#Qp^dxLR<6ULbdL2~*5069G6YoyW$u^$##!+{HY=f?vm z!9xSF{ad%}Fe|`j^6E3%jVr45{|g<@ic-~A{cnF%io)|uA(LaM~9N)4%rJ{-3tm5&s zX6M8Hu#RC!I$c=SxViQ~gmz%$l|SblV)T(s1R|a!2wDQlc_NQGdQyZ71aTM3)Qb6t z1!nnjJ+!{>C(l_be4b}<$m`?4%YFa2?nnPZ-VJ8_r|;-Xuke65+=zTBfS(kwlljw! 
zVr$aruh(8d+nIVXOuCL$T!l?)=PHj!@C#jNEgdrtY-`-*OH5+6h->PcocIGg-V_(# z5uG<*zGa>ut|WsCoNf?19@7#RCuLX=PARzZ<4?5h-+4s2GOW6&tLb8 z%NkzVhD=#P<6D0OH3ZF_3Kgk(^c>{SljO+c5A7vU(?7=GpHDFy!)xiKg^eeS8BnF= z>x$Gc$FqX)8MBe;1wH73ln)VVUq2_P(wQ3r5#C5da%Do35nXO*tPyQr@@&Nr2LJo| z8?~gm%>P$xvG?b1CZ0Yoact)#h4M^I^EE~4%oNG&1A?CNrJ;5KB?oI(m`WY-`>SV9 z?phlSC2CqtKdlxu!)|c`)oAVZ-PV$u{Ejiaj>W*cx?CwR6z6#!dDOgz+2 zWt(cMaW0+;uj$7aI)Ci~AMZ99I>FXksZ^l^jIZ*XWO@SV{PhWvXari%pV#lc0=qTx z-ujUq7HHq7uy)9T%KBIvP8HiepPRcgOkT3YBz`JUE0#gtcoy440D3Cfj2!j=$jwL&*6%n~T?NTLqx~wa@--=1%7t7?@KpnqR3^9FHL~7%T|U zN&69#UaoRt$>gC)?5h*>Go|V2`F23Ya@EQiC3SojPlKoqY$`z^CXjWGJ9iv^rlqp!Qc>*+up)qxO@XS<7@=?RZ zi&^20!&H?~Ng>%Ino^NiFk@m#a6nH|eVJ}q(h~l##vS?6KNR%<3s$+z47x=bY#Qez znb&j*M4fJAoaznQkfDgT5GiUzG?c*ltCEZj?f z!&xtj8!g7j60Z!NB&DDpr$wC&Q?BOKMf1IAA4{@i`b0XekP*Ng79D~;gu-||IkhAJ zqY*3NNpenK?onpWd)vXmwehw~@al_I!F4FS!JhZg63Qy90=Em1`B~_VpYl{RxKbh< zO-cwmoX#x}loy0Ehpt^lf99<_iIZg;+xpS2`eo!OKb0LjjZW>0UI42(z$Y8%H^VIe zl?gbp{QwvgD55A3Teu!uOf1AtIB&27KC)9NINTX~84HEEMmx6`RZc(zgtHK^Yd;uL zMqt%b7A_3SBi@)l7tdBkAKf=~g;y(9rKx_Xv{tUJb>4~_sS05(xhd=dSx#o8RVA>M z&4`C&R-bG6MC-;3R5mqDilhxc%#Ej}`S~%AILJ0<%t#iP_uHd@3 zK&-SytNM%nRp)BXADKpmyPSlOf7oiD_7u2Pf0cf+Bp4Q<&JG*w8+e5aNTv1+J+xC6 zBMX)ZdYy|`ETd=AOa;h)P7$ul-t=R_Ez#7&Pu0>(XP>#!>AJU?EQ8)&5qkUQ9QH3M(_-+i$#gZVOqXoGyqcFAA2zNh5ldI|lsrG-g~ z`nMU~8+m$uQ369$aD(1u+QCd#iBP6l0uSNlB1ud#p42ULH%yb$I8Pr|0mlL99CTxH zCg$D%#$qW#^^H04~EUc6T z)>Y>mhF~7u9jZRkJq(-UxM{V)-`SbGaibh#L5?hSyx5PBL^{!-0x_Eqa@`y0rFVn%OW#@~Z|Aova4I%1l{k7wWP720}sq=zG=FDQ-p=FFwXw{07!XzcCkrm~S z5%~V&{m!?$f28qNZ3Xe0MkJi{Vmh<%d*JJN4l$ylV$!7+M7bQnpEr${vzVE$DW?8V z>AxyHx(ioA=wgPuW0tc0YENwcQ@LSH3rYVZb*)LjpS*j)$ZbcW;+)3I!MR8aHhdqO zKQrIglOtDc`z_~}oy&KP--;4h&bjsU2hT~r-8pc5uR10RtPx*H)Y4x^yLoxoEuw$U z#WRGewW0Ms2oT6C2VzySSO=+hOpzSK{!3df#gR9S2-R~3A zZ}71CMrn%gGxOEWcyXU=P$XYe)mgIVU9b}GO@0@7uw}l~u3AXNvS(rD{st$zWc>%R zoPWLDH7a6ca{1f5kl$V+;pA_I|Aey2`D!*Boof4876yTwqlf^VDQp0c%QQJDKf13m zVqdO$2alz!l*VrX9nV9L$6yv%cJmp~arFBa%h7KrNm3x^9oR}M{z&_lAHT!Vm9k09 
zZIcb?&xhRfxMa38&^O;mm*46Q|AXUIVV{dpE7~6bR4Of%{OG}?}IG`(7WxE>V--DE=R zA!7`#u$m0!-se9}&LV?&e;YCe=e7X{{dsEVUj7U3>a>}T@b958rGB#iZ50fQ!U;Vo> z!NCv-hCvvp!6P$F`(VqazO;JHGa|>yuFrF!~AhZ0#thUce(#Z3*PU@HclIxhf`!Q=+ zu??CKEFlnvjZ73fTSgD+lZ8x*wL*Qe@kk9bVgPOlK&*}xFVaSpq|8{3eKw+M9;ss* zO3Y~}G0TWxks0~hO@4e!8}OR)gLrri^qr;lH;a|^3|b?gxXN37c?vj3)k)ojmi^qscp%Y}86Sa$JS zip#;yep7qbnk@8w8s@sQsKvX|UNg_J=PDc|DAy(gQ&~WrLOglX2^J=?1UB%x44#5j zM_Y=`jGQzdQ9!~TBL<`jfB`*kB6%W3oPkVJnoAcZ7=;;z8`ULSeD`}Rov9WF2wyljf$;P&A z+qP}n-q^P7n(W3c1XOvDB_afU+aN^GFQl3xz4H z7{2m_RYA|&f$CoaS%HI6P6yN{;mP{t)k7edW>b}ffzp4BAlSUn54BuEqFavv8NTR`ftXx!oUosF7Mmh;q>nJZQ?XEh}CM&`Lm=Oc| zai#+CtaK#bmRGM!phJ#PI!XWngTcGit6huTL-$iNuItU^rkh=((6MMAhrqBN7IV9O z2+?PWr6mS-rHI?f!j(KonN1{WyS6~{v|z8%u<+3@jslWL74PwB{SM5^pbR)zVQ1Vj zQj3l!=w#f-rSO)xs46K7jCDtO?LGgNFk*GH z48uL=VR_bZ?TVnATJ5c63CH`o>hr#X1e%LXG@9G8({}>s*&OdKr-H9eHqKd{grlZW zH0B0~ou*L1H-?>D-;0*x5di=Q$56Xsb7I4`9J4B_j@H8jVM`X+7=7_R>2>-Id)?XG1&@BuBMNen57NzcM#7ke zJP$Cg{QA4X*ts2&AGjmVgH)AhrLfV+s3ybW8Bv_EOY_6pd9qU1k**%8NY=|7DBu|L z3l03J@B4R8!Ms%WVeSdmq`|ggAtHp$sJk07o1rnoKFB()Utj4!V7jcla>cCL-Xn)y zFx@P>UBD1j3O35-fb9U2C&eX7%;_dMgP}xKfwiegEz-v%hX>o_sX0TPO%+O9oOrw^ zPT4Cqp&?~Y%{XOeCPoQhA|PcAr&5CW250W54By?t^cs;y)gyEtM(dJK1~I+;>B-*V zr5J>kc!U`F%(7Keh8aHV$d>rb--l z!hixs$&#QNfK4XI%-|FqgWHdk_zNpsxuj*7RthTdytjao>L0VLGCd!Ktjj64_rx5) z@`grc1+&I3BMIv(>I%CBv_Ey;ZG}8T*QXaaZ-P4*vic$ek+Th~hox@`6a*dK_+BZL zAKEPiE4#D*f)HR31VAyaqBd-13v;v!V~z*-_n5+k`^yzK!1dhagD!!b-;;nXRNEJJ z=LH)9ukQ!`z|q<}V$Qx(dwUjW{q7zQ0w;^-5Nbypqc0xxSWMm=Yu~zl1!(DmgLilz zJwF00jP< z|3e@Q9377C*RSZN(TBYG;l?+l)~NYH@acLxXHn@zMm97GyE^E1DVEeCQEjlf`lk!^ zt7Iq#z&SrghUci5tVJdncU=^{x~RX<#-tTX&zy39bt6dC@ndnI((ycJa+sf^s9k}9 z(Hua4lkb81IkG^(+RD;TeLvjZQuAy=4%2dPJ$XrfMVIyy2i^Q2|*88c$30V0d6 zrW@uzW{u9dU!Eb3YXaCxJ(n8(jh&evHG5Wfe~e(@IcD$!LF_-~?e%b0AaRLGTF{*7 zG=5<$Q|L(+0WBSg_CJQ%u`>`y#Y|CCs!V_z*sCX2P*Rl}YbDT9Hxx~&WT0Os{hNw` zGF8Ar5>Mt)@+1EPc(HT8PtD9 zph+@P{&+0Vf_6Hxf^<{WTL4Uh)9FYxz;#hm2TD5mMoo-}su34EN>bhe`?!EsgsA*O 
zkiF4pX-#FM0&uRL=G*I2JeEL|Y$5JSp5~jMqL-E_fN3?mRziG|HydlpJpFbSf1wwB zci@8(t?%#IPg8;6DaWY7S3V)gT&e)C*k=K)g$*q4RsTWg%%ssh*+#Wuv+crINoy2} z5EYt>bPBNX_{*D#fh8d!f3LMHr4^T@MwSmvBPDGlzt1_D$Silj_*muY@|V|hVvG~8 zjktLyEF-aP;{wp0{N;{Vgo9SpS|~3Y}kg875G0NzeCgyp3R?G={aHJ zamgGIN3$HY&c#*!l#^145lj76#6H1NJvp-BX)0X6LPz1m(Sk&npw8(}Y|cBn+^s&Wd#lnvlL+{jKm>xr@w5?QRJ zJ!WIoG0TZj#Fu57zcGYPXNKMl6h&PNGa{}=)N;3CokLxas;!gaN<_WU#}5H5r(;bK zqEhASzQx52^Q5Uo6EZ@~IpINMSjOd@O^P;<){ae?kMr#3h?(!!r~p>Yk59Mq4Mvx` zgw=Nx(;4AKf<3(lFw~B9GDz~FeMUD4q{K~?m7ZA4tAANl^PZqLm|h2R$k?y2Pe>>w zzNczf1ljj#WVPbZ9>LrIR3 zqts82XV)o79g&iRoSi>b$2yHh>cJy4q-*O7t*W*6?B#)BfF4fRTH?c(I&}*ib3?`j?zu{_ASpn$@yw^j&YM#k#7S|k?mpie0 z1b!`_g4@AZI6oV#OSD=tEy+nH`!M3<5coF+C{$LrBfDAoz0tQ_UG> z@jCY{NNeMfM4yXMEFxi&KgBt%3?eZVR3Zjw`v{wm#D%7W+7I2hv42Ua8#9_G3Oce} zzCxDz$-j#qC<1C#D<`n*eerA=ic6c_UwKodxl8VN)&-nfpYL9^>ds6(uR-xss4Ki5 zvRYQX-e8K6A-88)f}i`XEwFO(A%I`jy;W24w0c|sX_Gq*@CA5tw3hI|Et+*|v(069 z$J1c$#Ut}!2KB(7fN~>epkH3@y|uP;f9yg2z?9Mtj^TBJPp_O?u>t0|pq$_;S+Ekib%g-@*2`5M~##^adzsSADys@&h(F z4eesDUh~}0ZtkoEGFo`>%A`KTN0~1UcvGB5(3G!?Jw4WNX?siRj@PfCduKzOGF8FW z5AJV%R;SKnF!qv8gSYMbY4d{dnO^~fuHVv%98I3#WWts+M|FnWA~>6jVU4b3HzP%B zhk<%wc-ngnWC1)2g*s+jX;1*b1j^%OK#hvgxuax2)sdPQh*F$!C=kqwV@*(^5-k9_ z;%aCR>F2_i;6t7;`@IBe3?P+K0RgNq!G_XEd6&H>k#4Of4)GHCvKbOMz{2R@d{!Xu z`euJy%i8x8zi%bQN2EOnF2_f15IdUspKA_Y=Gn(c=)|&mv2I^5c{L3^`iBT`{f&~|FEvOTa{21Gh;5Aux4|(9 zbVkf6_M}shKkkGafai2?P1vb3Uf8n0at7}R|9qE#m23w$xHR||tYJp}|V-VkEe104aThpy=Sd^DFa!r+|g_wN27t`;4t#Nec5VDV>`14x> zQ@a`GX@r2Ev)QU~7qXM%&@$T!$g<(yJUCzA>$ebFjy;;{_B)-Z)1#S5@nS+C2jeL_ zuG*DLtP)`8@v!jNoxpE;T2aIyrTzq+(?dRh2rw+*^W zUXPurjjv)XK^0sJ*B8>{_u63LNvcUbCagKfA9w5Skgc@{@EeA}T8HuH)E)0DMen2n znNVT^XB@P}gX>%iMXcZYd*&IIdKa+EZe4gVQI?o+Y1gsX3`vEZaoKllwyUnE@}n3D zz<)+(#O<)5Ltk!rDy!<}5$Kti2A!cqZz-<)pa2yZl1#A_egID%uk>UADQ|4DCDuch zYQChTY$fmbLPeB_t9{_WF*NG+;q@TV{xSphTm8EZb)}*G^g9p8C5uw%vgJDnjVPP{xTA8Zt`^XwZ$c-XW=JRc#kK0S(`i7QQTyg;gr>e z-`v{AQqPcV=9t6iYWMY{2v8PP={9QING4l8*3{)8P 
zPIs51R7;Dyb$3lVe@U*ATyj`AF)o%VLH8=9J`9wej$xrtDFhKRCr8b7#7H7B883>( zFFEJaZiy&TU)`F!7u=Rh%+eMLRs1JZCxSOQ49yOT}Wu1vfDdS$SHoA_@FpDRYw`Xof ztT9WA4~w8Kr(EQM*&4BhG?+vIH{b&t4g%OZyxXs_u|oyK`abSY@5FZQ+-5bdxruq{ zg;pdPJzh^Ft&ky5i^mxM68spsul+yZuVXXW+x(-*Y7Vppf&Y!J)Z%-{L*bVMSpz=q zfMQ9j$e5|WImf%t7q}W)Ls6(`4B<)5Q|C?6WUi@TbXRrO?ge#p6(`+_H%Q3CkNu(U zu06CGwai1i^Dv7upoFSZ%pSV)*Li&O6<5(7OEhB}OeqNPqUa))e~quTBagY=R$}Oe zpBQp8k)w~PEWF^T0yaXix&kSM^;hP5ln*hXx>b4U5Yf1R5LpU(2tM~YE}nE>W*PK= z7@XfeUDD`sAD)-Jp7&#_Z96cg6*tr2KGhvOy*tTuZAln@aT;>u%n2{sOGC#x3Q5gs0v+S_@2zkce(~EwzZx4bI}Y zWJkl|G`=ucbo;t^MiJyVSexZsGf)e)Yo*C}CQl1v4(3J~o9tH>A~=DEZOxDS3ocAU z#-hO1x#}&}a&!;!!-y;AjMC>nKcnoN3mXKhwpr^MuT^)=#N8?_X~)F+%G6^2VVFJLj5H%QPcqx z;RQ-^F*z3H5X~WXRrF@3mA_P1abE5Pal93#$ot+CzhsRJ@nv}eZ=g!e z9sZK3bWmc44W@j1u*n}GM!Ue44_UM8+vS@_MAJ5ypIK#ciUf>#GnFb+U*(0+N*%z_ zn4yntBb`iVti!IMW=R<4GWQh>=xS-vzrDUT5 zGj?ziy@%ilXHFc+Op6(B-w#bkNnxyPTr?3`S2m$lvKh#exd}jH6M#k#4*(5UvqF20 z>nv6XFpIV*{|qVXYAh>m{Ekd|o&E|}#ugnlgkN@Yr8G$_r!au65E>|xJ0=NI8AC3J z(N@wpZ$J} zAUK!J2uw6^))pENSaW9Fb34MGQArVu-$7LT6dH>{3y-5hVh%?WEJR+d0S|9r#3&CV zb#^_@H~0(s$O`D}KTGQOoo zY4zf=am56|dkI3EQ5-C(oPgfEzH#I(JJCQbSrwVGY)@ajFj{0_1$x7}i44GG_brL2 zFH>ufAoUVM;uJJGnPoWGS0l!_x5FB?2r_lho`cq`mqP{^4VXxgPy^##F$6raxQ7+Cv-F=#-(*BiGou0pMerC7D|r2oUC_0Re+A^dPkN+*fV_}59{t2ehl zZ+dQl*a^@Yi4SWWfjG^tO+yY|Fmz}uWN5VwQL}cXUo|e_;p?OW`18>lLnBw_W=w54 zQf*IEB6g82KCTRDkiYa1j)8X9oo02u6x+$~tfUx@QBA5NYlUVYd2em+dwviq@H23? 
z^VF%wpCW+Q-VwYyP_6V~HX^7nwA9%0sADS;XmM~t zHFjDnv3<=y?4s47zn2?yO*H>)HIa5dtQq`Vcnqf(DK7gmZFzlgoIyw|=hkwXx!gq( z@N)69n6#9NvWL5qc55-Y>8!vUErGebzF?g+OO{qfPeRfvnrNMQ2pZEF(o7nLp5*Ic zYc7pYnG4qAdBo*Y)8S5XXY}<_gBW#Q$(U%r>|}5{_rA-_)1!(K(5ht6E(?OXaC*qb z*~E<1N@ECVTN5MfZ5)PpAIxm3)o#YKY;kTS(m5md-(R^9{r5K^7Ck$#XpJ-%SZYIL z4QE<>&0|s^Dzm6C(IL1W+7oPWoW@^-Oc)$qYJ4J%lsBIXjVOz%eJ^R*b0m^Z%P;>eUNl2yR+UGlO4JpC5>Z;k~jX`Q@tO#!ZTFr8p>P-y<@h`0iz67y<@(PA=M66{E9j>0Dt7k zzm?RKgHcN9Iu;u*IDnB{Qj{<9vth5oBed;EsbMB1U8OWR7uuM+R7)g{oHHkN#Qml*Q*6YYMq#-{=g z!9WhsYt)3%p{RS*Kh_NT1H2NeTvsxx5@K*m(NVai1mCT0?O)Z z?FWSUcB^1;U&nMrHHi}wD4~ji)X#e-x+bL5kD)6?@gx2@vTCiC_+qca)|e)oDHL?? z8s-EKi+I|D!Ow@9#dSco>&$*q0u9GRmGAT;FW?PDWzTRyQ+uam#o=@kJOs^ywc9gnb^x zAI8}D??4?=)IUo!WptnSgFnZCMv4wBCOa+GF$Nnx0-z20x=@F*e%(MazEeu;m9kP( zBNyA3>8y1rH~Ni9DUDInpA$=KuK!>8C zN3fPFY=sBE^1)IQlPgOTtJ@1tmXWGu9g&u!U`G}e6o*EmtXXB9idx~S&XQ&oh)E&z zQITKtpWVqZ+oktjy@U(&{&42asaBr8iwAG~!`N9XK>8Jj$%uVgYKqH&s-j}X42UJC zWvGpS6KED0P}AtecU9#r3Cc^2iv(wKo`{iQ(Mg-CF<`HGC7+6Vp{dTM?xB4xMNAPw zL^mL;UMYf_OxNsr!PlRg2PI1ws%yLGoP0E&8J3bW8M_QL)w2YlOjh~&GmGYG2r4Vj z=Jm$Y>{>M}Z3{l|jK?-@rmL-k6Qr{ol^0uFYi!V!xq#u7usoS&G&aScpqm!6G-ipjYmjiunPce8 zGBFBKVdJwe70WC~$CZopIFBLdn4Ly!3n%Y<9VhIbZoAe z6wmHpoOTHWxA?>0{h50(!{NUxJovpl61F&3u3@W(;puqF&wcIn+tT?-_Gzo)Ben;& zjvoB>-q^0CJHy%lDie4m`%B^vyMBseA?y_x!_whWHBp^!P08!^8aQf#yEiCmPHNwZ z%7p;qPR`EtM0Ws0$;ABiqk_a$$A&8?e3)Jiq*b%w%TG(3#Y`s`!4g00w|V_{YAP_> zsKu&no|fbzT)JnS1lwFUbkPQiRw_84pq7Ye`rvmMT*K9tW2~H2xV)&9&=W4pOWsft z=y8sDQOfv#wA;W+I-lREUCoX*&ICs6*^N}7d(1PM5!b@O^D2KmSo5I$1<4Rb6beR2 z^D|kBy^A35NT42FUjXB#x|$IkYp3#95pm!Jh9S>yl9p0KPdW|b23vGQ>O?YDQ7J%C zQc>g^C4?zX!SyRMZ$kZSm^PneH~l6IVXv@(ZHO26f-<%cN(ia!w%Fja6u1@mIM&%U zYn`m7&vx9oNs~+5+QK9a7=fg$2qxdSb7Fe4S4?2_gX%n%gB9$X+{nG7% zw`iUJ-7#;bq6vVh34oc0R1M+?giWCq*FU`d*`;Em`ck}Abp%SN2bP*!Lm#l?cr_Po?LFBau|)I#^s zw&O1ht(vG!Nnp^9lX7moV+<`}!QJbQa}Smv)Ok*DLAcLpdvS<8QAG@`bUMvh8gYi2 zZ>Ii0;B`o}5+(?YBP>%sN4(^F#*M8g9w+t?iT@XjzTj3QuPede z5c>xiKhg*Ik|Uh5;{F7%WV*OVKf}iz(^S6oo?Y>>f$Yw-&VzoBrjS#1R1NPK!LEof 
zM9zr+xWrCsh)+FEsRq<~m}R!Q>Gvg~ShX!d-<;uZ@WQ4G-vY) zML{Y3%HxdjU~q_62MGd*7^*CEfIHJ|>Yyo)1W||ygsm+6T~|(8%UBd+GFYp)8d(1{qkC3L?WSeHSSMzLT zAFwsw_Z$ld16{6;CzuH_6y15mkh^Aj@u<14NaF|=2m$N}MlNLj2wat9Yv}btGYIpY zCz?e0Ic)xEc=<}o@eT4zxr$uH3IWbWYvkKQ6vW$k9x?s*aQpD|7bEvVA|BK{dD2yX zfGz;FuGK@q+em8GA6FpA!He=R^7q!M^$go}z^l=2Y;d?>S`w||17Zk%%e?Q=3ZJ_f zcgIZea*)Y_PS?%rqcj`C7Kr}*(0>P&O<6l8obIgj498{id$oXU*eS4w zR~r7iQaIZ}S3a;FsH{&E><}b_C{t05+8bE2PE(M~UgX@c-hgv16Y{iv{eI&u7GQFh zSBLOKHMpA9W}yX6SXFh6-9hzPs-j;2wOgDb34R^QZ4f$<7>%~2Xzi}QDA8`YI5Mf{ z{Q1D@YHIZ5RS{6Fndzm;5>ANdQe?TbQCoaDzY)6X^eIsTq^C{xaJ-M(M~e)_2-XQ- z2{gtf5u=HoY`uteZ0)wR)7*u((Uj#F_3;IE226JJ|MxS|qXyLz&?OJ8W_u;!W`H1} zX*WXjqsK5}@iD%!w3QC=aeY#)?)}WUZ5kmY!qUvd>t<3q>uTCR>beTT6ATmx2vDg_ z5%zgGL}l6IOQTm_{n1ei`X^bP4lO5zq^urHOWQc5TgBdzPH-2VMgV|r=XcTOLI{+4 zzlbhE7JqzWi$|=1Of8e)$HvNtT{ihXp`Z4ZM}J{O9qTWLXv~tYpl{c0M$^K`uc$w3 zOe$*m<5*^G?SpxGZx|QCk6O_dOfUVFUlFp{Y*njqc@1$Y-EXY20+Twqb#V?yJN!!4 zYY_LZ?6O0f!wUy$v7FVVoMp>aTj6*M`}=G*lK$OtiyB3f-9f-=o|UDVy3rdW+oxzpgO7i5P70Y%c_WZUE}uBK-^m3 zmd?4U{kB??_UdM8akhEydttWli_;FR?8zBjd8wJ@A&wusubDIE;x|K0R9EX;;Rab( zMcB^pJf`!T?34L`UK6q68cIvU!=uDQU%LlqEjAbPr!jIIUyEDbEX6*{ z$n>GrQ?a}L89v%1<%X&tj;q)n@Pyi^k93`%2&!WODr67R&j4-pC=tHlrRI`3FCdjl z7ePCqCRWojCQVj~H&#j*otoBFu!=$U@Ex5|rP!t9a%wZ7)|uc?;Y(_|AkMS+ko!>l zuyI8{9d|I{>E(Mr|Ij?ecIL3qS_S@w>F(6WO9k|WbqY{qu2qgv_#9UXL{55dqWisr zmCvhj;h9wNR7d)0fA*>S{j0z#S2>U z=u!HD)%yarn%8OBOZ6w?AF+$UgsVmOXaA+BjQ5ehS$>i4?aq4iGk6G#jrOBM8-x$Z zTdUYYwOoACQj1N5yVIB+Znrx{N9jXmg8L`A(;=yXh1L+;yjonjpYm9gQoURmy^uBmL77reyr^E6&KYnb{CbP|HP^{`2nsY*1~KXY&;fqhcd7R0RFp!LwVI zL5k1zkK}*r;3vmPn3YKpdKoC{3vW{6ygmsEpNhZX;rm-7*|2g1LMShDmU1foxZ@_& z#c<{`Pe_s_#EB9ois4VPrd<2U7$(Lhpv1=l?y^Y1_qGVXH+7>~)OP`nS=n+j4&M2)XV0GX?Xmiqh_{emcrFhlP-xyN3|E#-3X7|8d zFid)0*5bVeyIM8tO`z!WH~`O)Ig*qWHWGB64#V--@d>-i zDvmgLeeYf8?$f12-VL6$n=IthD6I4#j;gjX|a$x{lh7Gdgf;TF#>b zddHnQ5iZWl;47KpKnghhE2#KLKBGQf(-&hwF|}S#k=jD z!Ul$ke*x0?3y=mp?t*KWzXHiro?)lYdL_e%f(RVGHM!bgezrVYsAHJ%3SeYBA5OVl 
z-9d2w^x8K@6&c5~ob4=$tYb!xWDq*L+)X_iL}v@)RZr{t_LKV8u|OxZADX3~wQS9)DRG@NiKXr)3ydd%@|`Uoiu;r7mb5z-nU){bRA*1F&%^e7&x~IF z%v384{{Rtes+zowQFjIz^oG-rj(O00$NO!C(^FYRDyW(E1 zjagm39hSWEU$`fIhG>G$TF)GpdnE<6l~EPS*0Y2yDj3m(RNKOs_t4V}sJR2nBs# z5x-4#P)tIlOiOBVvR-zbL|(!I9ApkMwqL^kp_s0q?4^+S)=}&O)dt_;s8AuLU(RJZ zy;ZmAx}ETF$Lj2(2ynX1wVE$1;+ZwA)`Xxoe6JyTiqrmy;Rl_GBrce6pBczP!M2zG zy~^Q26Xa*XdCh8Su^@XIZbn{~Q?4jpS&Iu~EW3=sBmthSIa9XSa9oKnBylBmkTQ|&=#tZN=t9y1(eB6V%#>~)kmiAEzK`!vWm+KEWl}DziuIXtK_I0dRPn~iG#c9K zMaa%_36fkO=^02BW8PX4))NSPNXC#$ENEqB=~ zp2h>TG=Ld~9AdwnH69>gKhw*>#y?Uf2`v~Np&oF2^~_iae2skwXY;NA8}GBUX81W> z_s4E8Yl{2vqxGxd%V7I@{SvJK@vRTpXX8zC=SX$yY-LHD*m-*XWaJ@AgDMib@~>D(MaKMcl#W!esa8dl=v8c=ug11iUu`aTqP^UibdwUy<%fc-^RwO{KC(@ z`@B237Qk`w?}F)_E1rkLe41r^pE?q8iPf*9)8LrQZCtaY)3|`O>pa_u&&M;~jd(^) zs*~j%m(!oB81~-o&Zjd^`ZadPI4(VgZ33@Lg4r86chl3MiI{9jG; z+`WjM{t}7Ar??BZE@%eZG1A%?nGM9&A1LZR`MMCj56w5HcoE6qSQS0Tf*?=kq zRiy>eq}6N`onLB=iZrtzOc!FYkRfhUw%$bQL97KZm#9^ly!&#s8R1G7Dlqa5d&=TV zP39YxFg5EsdECOZ^>Q5!up|ORO7@l#D1UFU_W|LeG>zU%KvgM{V_d^3P>{{L4@Z0L zD`a5>Y`@O+`3cs$2pfS{5u>xsSL@^_TIzO4`7R!d&ZF2D09Y^|>=2oCnlTb0JdE2Z zBMat|%JcX;dl0H-+mCkj@1xEdnzr7H6v^Pg-+OVw7?1Cxs|!NvLJ&SO?u>(=UNV6U z6T2+_*Wp}bIRZQmepjQ7T&Aa+XBcw1EoYfckslAA?=+zT--pZi(=oogiECx0zb{kU z`Zqdb2eT6I69*QiflB-pj?Z;)*tSE`x)j1;YinK?x!VnFz43EC2U_27-?5E97rZb( zAHKfd1WNdozB7frrbVBlzC*r5+S$Au!cow)nr;xZI8UH4|dd-l1 zrFopKd$3@B16bZ6d@&y{KR;M5uD7vOAMDJau09_1#t_%(!q)Z+T1=VBl@6|=1WdoY zQ$-R{K(eP^qco374vN|F82FIz5CP|jU>ZM%UkUP^qL3q}!yEK? 
zr0CJ^tup;mr%h^yp;50*zf~p0@~{b~+fGWC4sBB{i0P}h6cvxr(Zih9=YpEPhRI@q zW{2XNH&Lzgk*j1DD;pPnlhpx@bA_s#*J22iX=xCzwX1Q*a{ zMP6+LU1;&YMiNwJe{`w8l=K}dp6nV_8T1R|^UME%_FskyBIhMCmIt5rj?brapxQdp zRmp@+%?X1I1(=Vbvbi{6X-TecPH3eLbh(u7*YXZ!p8V`|+tp;nlSvtdm?iO&A4cU& zY&Ev}i`1``35ps$T^;7)kUOsC z#z{xzxd!5nT;?W~nPSLn_5~U~qy<=j%4DbYym+s|_@A)mU{F89Ui_k-(hgm`@Sf4B zh3PY!Xr#SvJ&UZS;y(ulxN*_G4L@(wN9%+oQkV^S%h%2ZJ{l!NTU<&?Ht-8z;x}M$!mJswN0G1c*`@ zm6!eg4L$okZ4y#UVHlF{Q6kSo$uh+^EL#|oZ|JgT(^>ppxuOs7nCo|onc&H8xhyj| zHw!iT5K61rL3ZS)`E6Yes3O)`j9-x@`m=1%R=O0be!V|koM31eahvF~`&}(24VE-f zk=5RE+~oc{uAc<3RD%$$+mw=cRQi-Flcp8ZVho9rSRyYXYf1*`NbMS;RE}0gL6lbH zNfw+!n$|JU5xWr%O{5>1>{<7A2=)9Ee52mmPx)c5C*W<4NuB;0A`gKusA7mbs2=o| z>9l_7hxc{v-qzpG5%+}A;)gofJmwAQ%3=Pc$-M{}_-#IlW7F#sDtFZFAzXlHKxtV8 zZIss7;w@Q`p&>3HNevk}9hJBIpdrlAm8*Nvgb%Q3U zHjBBi)dKkDvCoevPX&knjOm;CvU?k4)VoG|LU-56YumO`hzgcD%8ZRyGI zwZte|K+vF4ub8%<*Lsd6VWYqFj8{7(YV(0V9U((7(?FaYys5R-zuxi2>K~!_8uD{` z9M~t2=`1IRx|e&MH_=Lwi3kyD!Z;L*;=hl@0)qz!~Z?+aZp+o zSZJFbvz`-lzCOQg-u4o@03H#G!{kc%P2G)C!jl%dC6N*m5Z*^-``tZ;Mc6JY{KQd; z@1dpCc^t$@VG07|F@DlGUrFio5SReglej*j_D*ei6G!(36nl5T0puU*;J(?HxjAzc zU$m7E>MQLR-VB%4ZEvpNh33L26s#O_TMX;x6IeWGb-fLlF2=ATK^WMClF|Sds;#Rj?S|(>z{G5vdcp7k!<$M7?^=Ej)ZU0CFnN4cty7{ zktt&9Zu)~|_l-lKxuZ2i)Wgu*uEw1cYLKoI_5JOa- zl%HGg{+xjXPyGzvhk~D{Z6EQs4o>t}x5~2+QjvlGd|%Wq-g^TZZ(JuE`-&j1zrwL+ z*fSdA6$_>+O8ZwuGi)<+;0t@c*TIp0NmWKMKaR0IebPRzq*$-mg=Dnc)~<_jkcDDx)(@=hdW za~)%bf^J6&%Eqn_!zkS@lmR_oGK=ZgXuy%Irk^`qj+1JbzN*zba=~TuH{O&gzh0u( zgO)N73LVkfI;5=}L~|*8%$Tx6Q>PF1@<|B#2OCX$_sR{Enw()rvnn0ah%H<;Xs>hA z+vTY_lwjQCJaQU*AyvZP&^R|E8%ZiZ3R=@b?X{G!6S)(M*K?Mz$_vWKyJQ`;#5FOE zn{l?;o#}XxoZ$iA#ci`-dWCyIDi`V zH#{Izp8{9n4Qri;-NZ&~rJwu&mDcu7OAQOdIRURJtBrOTD+JCSTI}!bFULN({dI}a zF^MT)bgn(x)q_|oKp%fw-rXI&%JP>Zt!`mAHW#_rt$Xu>X;C&B2v5Pdm;= z8(SMEH{RGAZ*XHf+1R!=w#|)g+qP}n)_33E_s6NaRkvzpdQP9G`{|kPHo@-W5hdT@ z>${r&{k7@mVCRQx-Mr67wx*g-S(CgLDxJFg{Fb@q4d>!@Q@uX>Pf(x^c@L_YK864D z^ML-%jsJ528z_D#a-O)PbZC^pOzIW~NT!Mpn4zXDL6Ik-P^b9m;w$eee)pi^%ON9^hv-nd 
z;|$0O$rz@_Kiy~@vo>aT`N@Oof(CNoD}{00DqF1WdpMPDeOtbxZ&dJh#JhEF6mC#Y zNj{nBkNtr6cUj21Y@?qy9B{g(gVz<&|9y|W+SBGrz{|o`QUizD#(xyRnYocN@rUEJ z|0`k7*GVk|nKmoLaDsa>)?2k8T7+I+a>7$$%!+DO7 z&UsFp_jyh(_iva9CEv%I{in78rF-Y!xZMvE8^)1C4t{Gu*pFU+3+)*@>;mk+tRoLL z>P?@BcC-{K8(TG%9*!w|?yP^{biAq|XBeRBk0V=tg|Gd^u7BY*&X;|k0;6|-;*A=M zQxv=f1S*)2P#L8al82u)OOgZY`Zt>BnoeS0LXTrXL7#u3BhC!dGL+)Eai$6162Zi7 z{V%#@u7}L`G%My=At*eZ4t{Rnn`z#91zfb)ajm#4(t+jT$Rc!*QVkcfVBEP;jCk%k zn3K{FXWSzbtdReE;^TU7TPHi`adT^id`4o2yX;%xOZPQNs+#zVN=%pHyg zW#bnA!!)4VMr5y$z#E{GGE<*VZ4(l-b`ZKlw-b`*Q!K(r7&=Z`?S0}&xV^- z9>weTB(w{6=+A8N-22ckn&Y9%&Tl0Q1%m&QU~=3N<7>nIK;XW_#OVGO+&FHMNO%eT zodD8~<7}Z^kwDJ_eEFV@fu}!hmWvmil*~4S-0mf?xah_n77BpvSn7QGSD3611ud(z zfi%`JK_;fSs|9x?UUNiqMbo(FwL4)eBH%2@HvK|sdjr5Z0TCejjfC==Nk!u*plq%W^obPb$bz3rJTzUmT|U&`l1wVETt2Yh=z;y9D_VCa z=&5)SIs&AmDQs^&!V+NrJ(q^w9r#$bSlaZ8Ic_KTp~kKD4dr>SsNptVK-!yJE_E0QN%u-Jvlps9Yo&3`f2L9l!ko_9lm*d|C?3T zzUDnz7L{e`H5-i4TxnyfALaGT2UAM(uyXyh54+I*YRP{i;QzyK^W%#}iRbgK!`1BB z`HJf90%b(tugw$D&YIWph3l1*ll?=-&TSoyS@UbV$H3{3|2<23>66Yf)#i0GQRJg< zLX&#sR(a4>Yx1lAT~@*q8ipPc7V+;>B7H`GS6$&Y+3(?aan0WhnSUv&A24Bxij*Io zhI*tmrh2}Frg(y0)!aP>B{5(>yAWCbmJ6+2&Ml=ZM;9qio66o!vyVJ0S@S4@Tx<>pMHL&@*%){=$-b}oeR^Zwa^PoYM4|}8= zb)sJiyBO4R_ujaaXCu3HIXU5LQIG-ie3pF1!-wi~iG;C^ezth6YsT2W*!tG*;t8vT zu)eI>cf2sl!BDag58RD1{3lczqEbpo;_EZ3f$_T1Gi2MR=>EBu;S4=qWq+Mcq62 zBkvZNqOA>)fkoJ^hMapU#U`&aMq*te##CdgS#A@~;tJ>qPJ**IzYIF*H9vGLHecf4 zQ65NSsmdfdV7-t-Wq@c@+X5540Vf0B3kzx1t1ww>6v#cJqp^3b;n836a~_MfHbOu1 zJm7!v>STi~3@5wjRcF{-?)N!AC8JD1Mk2w|W|VxoKI-w)7^((XU-r2QPSm;oTpVA; z6l+ikU|(d4i_zTTRU(5fRv~no`P-c9hequWJ=%|Xh6A~_r}yNh*DLQ zJV>&OwTeX}$Y~!Y3+PWPBjW!b9pA*jBLM7&Pv-d{Po_PPWUz2Xo4fOs8#-_3YOgF! 
zkC7+z6cgVX5jiIvNAEDj0C&=NY$lOG={hXg&)E(Sjuk7Mp%j6qE<9 z&WW0(EYgIVyDS>&-%W&}-%Nl!Tz&RHn;>|%I!gJGAx`1#K>ndCE3(JfmZq`PUM%XM zYUFo>obI)W+AH_~5_9+pL>~!nk%_#-m;Nsd5q+2J!B9VWg?NAznGhMtZ`9k6;^;iy zs?iVuPXIEi(cEYl`phV364byGk23aO0?P(}^~^Pb=V|gfoI=#C;60$XiFAb39FJul zi^=-^twpiBrzyS23UaDuWrQhQV{Fu#yl>jh7uVn$CJd~2$L|I+WE#sX8VQDT_<-#Q zX%C&~pk!c<16$^zxydlMdXVhss@38)p8sf3s9THEYf!KhB^@8WQ*Xu&UBW*GPH@u7 z^mG2Vy)>&2b4ashd}8u7j9u;S9aSC0u$5+CEEjCi#}b zCSWd<5xt8NjrHFbz9+$kaQ_OP8OWRh62T&G($FWNe(NI1*n zZnnKFeZgX)K@3${@cOYYq>~;IV>~huy@0vM)3ij()}pcZQ9;pmk-#_+bYJ025=t}G zc7ai+l5L>VjqylmUH92yMD#XE^*Qf=;JinZhlxQ*BIg7JAIsG1N`S6?40cKoGOfMW zP;I6#5NfIb!fgkH)%tn9CTWXUZln69?==_fPWV-Af65*dD*b2&E6XMF1bhj3iX*qb zhLg@UKD@Vne)`h`B`NaFPXekcwJirVzVUdiiOKfe5-|mU8c1RITzI=qmSr8H`qUQV;oy#&kpyl8#df*TpU=YxD zTXK`e%D8X(dbm~W3P7^BhiA7|Y1&1NZlwsqlWP)K`0jht0O?kNUQWb$D|}b}E1m>A zg5Cx@)BbE}G5?>6VOdEfE&=4x4KLGs#oG*5G;C0mCls>fwFFEu6fJ~7d|c9o@)p#2 z3!JalBIDVC)Pp~obQS3Y+N-yr$bnR;*6Q%Ilsx&<6G&Z8oCSplrRxO{j{lD5FI2PIG!za zK(pz9W&=Dkc@bUf8xUOsasHd_?2F%bdkKG8`)t6j#EZjS7+wi`k2a&cNWmCup82g6j}R8>;K$^K?%1`lLzqo8-(` z@GYO$pk&=Vvud5&`p($rA`AZg56g}q<6muV6519D(Sskyjio5$(iZ$VGY@*~V8_v! 
z(ZO~)NDcQW@5EEGy`cF07w&t0bX4ruR$7@M&2q9!K6=>4h}2;fqpt4jZQ@`XY#C3J zeUf8d-9~;v__lQVlpfz&G@H-1WaWIB=k=Pd8f=~J*GZkpTFG6IlWu3JS>4I}H20lJ z^Rc)Q?}Kdc+G2^=+CI(k%Lul&#reuspHB+ALgDs>i<9Wtqp{)xxlo6KrIm4�o-a%fIkW&7MEP zwG0y$iXPq;rIo8(2ewiQo>mVIzB-JD@UI!SnN7yJN7pyD1Ga6|A*-i@WQ3VkjjA(a zg_Tnca3gDN4;>QCOH+a(Q{`_y*L6F0CXa!LU(kLXBkD_yJ`+n_9xrH>v-{OZT^!kb zKMyWUJ28pVo7Lj5&G$0mYkeOl?1)eY&1FW(fwQeKymaf9yR(#RNmQh4ATC|`oWeg9 zCXl!o0v~13K7=Zsorl66S#u`KFyx-nZP8x63c3yRuV(>e8FSjq%WN|0!QMw->v1T@ zFsJRRStCC;`2>Dy_iC}reJYO+#F{ui{Wo2S3UYs=<*;|@3!385vIa%O7l)aS-^COr zw(WbGu@H@+GZTU68FR?Vot~|EB;S(*jwvw_K`veYp*wT}a#`eaNcs}O53_52I;af5 ziz0A!3M_xk--wSth}LrXsR;#YRbZ^krQ@eS{oxI<*RCuQ{rR9#Y9QMbKu8@E9Z(uk zEGrqe&l))op}N=rtHJ(I!;AWW3c@K3&fpu3Iwvs7Z|#LM#PT&8Kzcs_He4Ju=EirfR0rshM9@x0J6?+)pki38L{VkKY_ zwJMg;eyTp)t}7OIt8P-T3JFUz==sQZDIgoy9LF0yv_z12@IH@vnx>Fk)Y{}|L-r^% zC79?ma|V) z^P*0nfc6P$&NZkwg&2xjct$x9KG9G4@#Cl`ZUMgRlj*Et=lT(;Fgbl~bly;LE8Slo z3AaC>2t&1RD`G3)2vb#9{5v#lTxr;EEh>r}iZY4B+c=C-^?g>L5$U=_R>8yot!)1Q z$QrZln1R^ZxJ@s}ufv0RR-A1y5=aZ&wxr9Pl)blxkH-B;2czt|*~3is>d-7wD4FHwKgIC;lvIo%kimZoV| zFi8!zCV0cs%14_;f@l=+ls;R}Z*#eGs6o*gRBq(1q8%AeN{8dcWwh8affaK(>Rd%4(d7DNRu7p zA8?jxJ{r&YyE$bmfmrfVI{#Sl)Ddk}Ee_du-Z(>^(XS0!^Dz>mS*Zy@e~6^Q6Ccmb z$%TWH-2aTPxSI~Q?MIO+Qz~}8=n)Q!2Fve7Ck7UogbhH|4^*xaLxp&{Jk)5n#BZlJ zZ6#LYMQ~Mn?uB@F`PbYGhY@_+2A}f`O6<>WZO=!SQFbr40>U{+KZrq^9_fnWxlHMZ zBzh~&N?5ZG$80}@aI1M6f%8H&G)z%}P7_E@p;$?e6z-Q$^IBC3P){q+S7$Lnjb)X# zlHv!(fV68NjtaWOjyalw7$f)dg3Msd6qsGpT54Tc+-UX@+DJq6&jOA*Tj&ihnL==K-;Ww3IxJQsgfH96Y54Q8N0KaH{Z zbu&)UrgR=C3RYx#$crh86XZt$OsT6Mhbp76RwrA{m8z>RX=yN}Ly$r*x?_q236UW* z8gqy5E6>P=ZV7`4UNeH@ef{y{s?Ri=S|;!d!~6mAv-knn=x_PfbpnAd+I=Ukkb$5* zuVAyJ+b?NS6(+#R6{vIJhSI6><%a%fL~lNW%)kC#{w}1e-l4^zEB2A|OINSUMUE(a|cHYk9`S&y*;eN1|7KouAJqgBld+}l!-=cEGiXV-CE z^{dLP@S*Eg?LM5WnDu^7iAE=G6Io_Y$>%A%kFj}K&IYM}`GJtmTi={|#dDU#AT6!i zKpJNuc_5{cle|fUV>=8pN!gtUWjg*u|6#8kZzgP1a3*ZpGU&-H-Q(7V6OizV`I=vo zA&gH$3jIxQGuM`>){y?-7togASVU9B)iAS4KaIMBu5P971gC|b;R2T>sbj1?DaDQ;inB2H*%Ij51Y$5gsxTg)S_b`5Hnnfi=~zZC0^fp7>xc#wJ)CFa 
z@m9N}8JJ5AjXG**jTPu1$Xw7IHv7~?Vd-pI7bqS6=%P~DmjTp$_jYXsEM`&L>~|?* zy_{T^qUn0)%BC+Bw-O0H7@odAWw&xpm|V5t%P@HsI18-N`#kGPB|h^{90wEo#l-C` zX_`MM3gFD$X+x^~x*sSIO(`@QP{&nxRM$-UsZ*kXh3OPKZ#T|jjmeono8JO4nUD!K zbfXQfp9Zc2-m$Mu$3jSkLGi;5ReHOB+f;z0rnhJpN83U2G=zsjh|YEG=zDZOL~1g$)AS;;;t-`^Gzd9JL;dQ}g%27yCnS2)7 zVu$+6k>dNPH3@voXT9>WCLb|TN0lW&(TmSS6!E4H3A|32inVf_+%QwIrP{*Cg%s|9 zQ^vjo8MnSJ)OdT8X<_?!&ZsL=Ur_^s0#|m$GXtgqr-f-DST?JnyyCQWuOD4E8#tiJ%p?c3pYhr3O2j#JeTk@g!i;;-e+z8r5e3K zvpCN`TF~yVsV9$@2*2jIj8reoCc2Buhfh(Fa_+HPO<{VJ&CZJ-*t^>wKU~JA`gaLD zr8$ZjPkM}vPpQQR4HSR**(k%|pwZ&-KS=O>4%I5$H?&)ITHJni$&|}15<0;YmK&lp z6;4UluH6%>B&oK2kdp}?>{qmGmIzumPUH*T|M9Z?vTMt7#`F(p>b%cEKC8#a;jb{! zvdQ+^GQ5*eZcTfYfIKSR zUo0F|H#FW9Wii_9vGde5Hpa9(dC`l;BTq`GsO$taz0#uT#IIEM zq9#ra4rx=ikC4158}<^Rgb9nWiW=gph7^0avZb~7UkXXYP8i;Jl zI(#TdcC3*Md9d&ViElxfd}b39c`LVE<9Tu!vfuu$nEc|SBjRVB>V7IO#V5x1pq4g7 zU$#p92LMhrHCuX4Kv$n?k2jHE4?lF{B$Xj>>L}GUuV}jXme(1*_0kzz#$yX)718}$ zf=2C4O8K<(Q1Lh?Bd5Na*}P=7+x0+np9FAz3>V`%qfeG;QM>pZW>_RpbhnugSqk_k z@JdYik}bOm_;lX*bkSKY9ea;RXzoFcwr3s2oY`o~42jRhq?3$KE0Eu;2ACrZx+x!d zHHIu;{$cscmPPXyGivW7%$B!_R%lLE2nO(A0M~)4v8zaLN@`;#o@pF?E08b?3hACh z;DVZq>4@p$&f1H__<uIVaF7dL7~dN+-nJ_OAi|LG;3+Y z3tfFXNb|~Ck{{w}R_!P;TbWZZe0oR7Bp606A&ARFjCgUbDLiFpImlmBQ}Sfk;+t@m zFEgn2##}8C9nMIrtu=%H$c1>Jy0$JKi}3+ig9NJ_^L#x^PYWLL0XSDo8564%+jv56 zu3rz%QDcd!CeoeQ$Nl|{pfYGRc3V1fS{{1G*?3A|Qj`RsPM?~dpx*U*?7dIe7zPW)Epi1nsEtz<*)LYAl7iKwu3$_htU!U(=Z9Wati#`5NtcR0IH{t@GVKlcHh2=mZ>=1f z{weSLGa5uh+n0YYl8v680c5PUqC8Xa4IG6A^`r*NMHgs`Aqs2MNh&4yC>bj&VuVtk z%lySt+w?;I!jfs6uBu+a4pkhy=zY>W(@ZRM(z& z4^t{nsJd24K_!e~a+Z=|b-q#tH9b|}Mmkjh1h|a8Zk#fV-DX6U%7l}ls!l1qELmM8 zf!c(<9ec^fOH==}5h@zy8Jxp{%bM(qoW+-yzThLg=HPCTX&1DAxd%A@94JNN5^Z3b zdQv(lG>sL1HvHUXT)jX&DoN}~4R4Mq>k3iRp1A>&g&*wWG?Le9(8nvPSw~sn>y`c% zY9jgVFG$m%=20Bnp=upHprqlr=)K>cd)xzz#}M5-`uJ}wLNZ6mfnzgtfoR9xxO!kwAZq}e`p^~`;~5FWGH(sD;-9pv+1xCKKPQFFs0(F z*L=^`UW>CTYjeS2d14wy?}K?O`EpU6zVK&wg6c$niviD%Ds#>mfug7MUIuAGuO`k{ 
zr;3$jE4=&|b#sL9N{Hb~*C`$^kxOV`HKSiWG5;OHyr?_8L2o15Qg+g!4C@w{b=jIT3jItcNEJ&Mb}@FPhsM^~y8chD8PgOV%u9-i& zDu|_tBHB$;oDQ&>Q6Q0_IJTK$ge0pNd!T%Xf&!H8FwiH=PPsf&Kko@IJ^}Z2`Q2i?5+Jf(DpDtf>zK^T%IV= zUVchS<%Y>fv}donbhh02{_?jpJ6mcfFmR9a@BhmU=Apn+NE6PDcl?|4VXQ@_L-7N) zbAvvOM-eD*>0(}y6!O)&T+$z2v+CUL#}U2g4(;LV;Hb@1^i4w=?8Oa(HiHWoM}D!J z&$Uz{RO7Q;GFNE?7@AtkbDfyYJ%HSFjR{7AS@;=RrgPZ&E2bgGE}P z%*CLV)tNi z&JR5PLG7)@b+AV{KLNUpwK!Ct{dnsW#EoWWqdo_<%#`pZ7^S!D&EgjN57Mqg>0N{Q*CrR zO<_Jc(V2NarDH`mA0dxcxd`#DhTk{w)1l8R7}j{w{i;E@Bo9g6ZO(G!elV!vbNd|BR)XJm^5dHbCPZNe> zUk0dF!gUUQ)3Br|I40L(brE}N#}pR%=KRqIkq`ZCe(NEwMmb^dr1IpA1#BOYABv4N zZ5#0jb>8-{7=G?2jiMM;`)%O*e0e!(i_@q*(SVsCY`e1w6WpmGr5{Lz9bp*zXv1^* zaLYL?k;q~X+8DOWU@Ja4^UAQ$&fbFO`m}C>we}gMtNytN`{WmxS!|T6{Qf;n8w&*i z7U#8WXvzvca+G-2HlCg8DKn02k#r_Jb{y&t_~qJ$8%h;k{6|7VA$^+jk1`qA8hfOu z`cga1&$dQ;bA{y-X$*FPp#y&J|8S%2ZP{k|kbgSPuQt8MN``1%OtK+61 zY2(dLYPRZKtvnA4I1*i3Zi$=UZ<|Yf{vTF#dUCKj>TRT71trB-S2hWr8C6$)0gXyc z(LC07EZJv|10mj8xu(yciBS3wYDibICuFAn)a{HTVfzK=8lX~S7s{_OXAOY5STB%k z6Wp~+UHoQWId`OF$B)_*sbx$@LL&U#xLJ)kQr#B?J(7N*!G@$&Tsk`uR~v1L?fG&- ztXj|JYInz5OlJEgw>muxeu<1VS1JQC?uIDx*lZ0WWjL5IqbWl3qU6FafSNh%k`aj_ z7Q0zn0xIsaIeg{$R;x z<5#q4N8E2peSo*_s$xF^FQF5^70X%<=zRK3iVXdk_TVlf2Q@#~N!WC0*ErVTKW7K2 zw#E^rdfWKMt)|9q;g{srv?@3C@=VtXa|_`!d+S5Hjo#oacWftpT$~*)Tg|Acp7E1a zypF6%?h**iwt|8fw#0&Dwz5R3yFMHpP}heMVpOl}t<`GYhm1QmEL@20zFwJWNJKi^ z4s?-_-!4;1zFTN#fD_Nlh+W zXKswmX2G3Y6*aS}CBLz?Y-2~KwPRaSe8Y()pcgxRz&KJ*iD_CG(yrK8) z)|d=;U;CBJ*Mo0#kqH!bv5MKdX$!yU@NqeZ+TE(r zIAH~8!Rb_B=>h+Gm~AeJ@i9Lh+dw5S3o^p_T28HO8Pj+=HO?;=c?_yVnfA6?JYS zC%s*wBN-$$xQ)-Y)2T0Dk+7g4ov+B0q?*M{CYXT@*|nnn^i0C%f)%ueDm#tER}Wt~ zvdeqWmxZq$LWI6Mcy(U;@pL;voT(SPZo8ObQ*Q=sJ&Zk%j0Wo)8kw0r3l$K*m}}0oZSad;UiYfhQzg&g{%u64j6 ziENU89PA9E%C$b}&q0DOaKO$#$@Ugqwu#0^XMXn&&x6dtAaTkD)=^$Pb~jxlF(zqn z80S|+2DIC_SR__0jSZfTUi=l|1*Fbib;(bh-l+b0I8`h(#r2JYE8d6GkXD17lv?v; zxzjRK*Q}2SYcy(C6)(@Py&#_~G1XkKT+5u6UK=)+Tm!8x69um|0|l2mbDEj#n$z&X zdVvnP0!K%%_2%W8zYX0}f}%v%>El!;F#vHl2IDK9`*u0~aaoXNxgr_1HF!y6f}_+Z 
z$jZ;UtyAE_ftDBo6-F37+Y#f1UCri6sYS3&@g=ZwJ~2WVmu4@@0refqs!Gvk!~dLj z1CrB$(F%p76x@VH`L9DM1oBvrdABlL^G4!0LA+%l0Xk>YT;ji+u|!+@u)ahB76?@# z6@Oa0M1ouvV8iJ1wEpA#Uw6u?r*PeR+6bb5IxOORb>4ENDytXYL7f8m`r@bG2AqT0 zi{FZJ4UY`DUX7xX351q0B9MN=Sv=PGLE&=E8*4=9#C>+Pl!zR*=0}%2QehPq1{&E zf;VrJzgNRQ^$6;g60e6T`v_uCrGS1VAw)6G1*!Uc=jW-~B%0)9+K70DO;V__6CD`L zr;@Ob6A@UxF|XZTk*4D$7z$N2J?<@Iyt_z4-Npp;;%f?%wem~6x9{l&u9J=`r(YR* zwx7}dcyONOJXVTzuG3+N%u<7&XWf;!P34DEe$lfXI_V1oku6_=szRbkX+G;XKz?g* z$mp2J#3@sp0G54ft64+!Ay*mhYol1^ z$+e`B4NBS8QVUT7AHjV}#>}aHsXjZcPd_BWPY5LKPlK)liF!POUFvT0cG_<%duDsC zg`IiVV#yddf8Ru}A3vgP79>2UtzJ6hUVik^bUjkO?x}XFMKyp)o>wWqtNwVtBzYcG ze(A2N~J1HbbfU2gk2iA%OF?KL?`dtH*T!u~}C9ga3kdOufElxPLn$37ln$|ScN z=EF zMT!KeqS+#4*Ls_>_OMOv1@DXpZtK(K24Tv}XtTQYo;HrDQ9q5?=fz@c|FPlEOn+$Z#RWQ2(Uv%kP6}7l?^P^*n(s5^s@%CWfD_7q!ODG$$=s6C!3W zbvR>iePO}u`FN7$=+S-tIIQZa%C^=)#VnK-8A6saKzlsZ{;@@JI|sJIUr*1P=6ii- zs>xYb?6!hpm2Ql*V8m*#sBHoro-Q^op^X_?Ewyw&X_Y=Dves*t@y(^S3LR~9=Z7;Y z!rKJ#SsmDV?86Pyu(U9qpT~lq;qY2ce}j#&W{Gz;FNT7bw-4{;{L!=UB?<>OCUTYQ z>+{Gjy*b}5x^&v-xz-oAdWHj1~!P=KvVJX z3}C(|oL_JVv?!r&dHB!)P`USY`PEZg*S(*NLS@JA>h9WR8yTH@F8=1<%2J({AvnPY zFc{23txR(o6la}p0d6tL^UjvAd$tZdhN+F)ncAQ`exfl%jCWAb%z{b^;d_bMo}RQ4 zUrHc_jSA*k;A?3s=cT|&mXck0I2uQEL8iOBu}r+UNwZ|MTsVB-u$k)9Bu8nBiH_Nm zElpi+P|jsc^|OM2Vlxu)jamkLC*G8r@q2S4<3YsL$6>tlX;X5xuW*~&QTl)mBKD_k z{&6w$rP$m<_f?VtCu~1NTfGe@ejRe#T( z;DsPDbk7}L75quw1Y;)my_$qgH@1$uecGxd8{UWBx;MWO^COm;Rghc8_@nQnb6d)0 z&!bC_!IusO&8VW;av*Yg&A1?uOu*io#khiBtX+LAs{2e>1@ygc^F@~ju^$BE+EaDbkqz&0X=0?Ymld!$BoQ<{KdMq=a?TlpYstsrg0H@r{ zre%ibKM+5d^+Y9KOOoe4?bBnYw1Q-PlUtcKg-DyqtKAtFP6W?;Hw!&vFgD7t6|<@@ z4#z5xU7N8~Sb33F0+Gm2W5efoZuJ+d4h+pP>%KO1uKIvAD{4#u=lA*hziCQ*%y~5? 
zRW3}^_8P^~$}`iK9{U$4&NJ)Hf2mkgeb?_e%{U!!kARE$xMdcr42s+^jCm=c`Io1a z^!wcBocL^9C!UltAhImN@G~Pw>#A~Z8jTd2pJpLK&qJ-`ks_hD-5QxY)F8wGa@P;m ztaIuLm45~i%k$Nt`^AlbDWkO*AVRZr8>IPjj(zfO}RLDpY_^RkE#}N zRmbvQZ)@3LlRHjL6{*I&SuhIl5Jn%vs12pL00CCz$)GmAMkXzWPQ)RK(^-gC_Po+( zxGgvOE=u#$cI`NFfR{cuaqE(u<)z4-C<6KAQ-&j?DeG$s=;ZX2y-7~ci`G2~<#q0^ zEnYYtZqt$I2El}(tZ*d2)5bQdkjcuRA zvk1#JCFmgp!rB{hmE|TZGM}-kFVhp#rhdAa;v9Xc;S5M)0A%&}Aug%8LSx>1_o{l+ z(Z=H5!iJ?e49X3yaS@I_J36|h0;^Z_K=W-?Z}K}b7M2y*C<&a6O>~5Uw=@evoUlmt zSs&$sw^8a~+>LxJLa&+9f}GKiWeY^&CaiB&{25Fj@Lam%)aP{2K5VBSO9(9Zk(ku1 zr>v1&K5R~us7+9q+L5ZRZ{Is0oxwyf^jDSh1Ec+wxhHyD<~nT9lOyC}c;htNpw0O0 zLf=$jGM$I8_&7YtlsBmg88;vMBQ`=_&DZx-*hVN1?iXM5W&lgDe4L4u!p~SrLMfx? zUUFLp6@`2S4&F({p-({~p+e-K(5BL(m3WB+FBS`Gv@HRwBy&6mW`TF+;Ek7X!YX$JF$+akUm5>3 z|L4lLl3;+X*C(H|(1y*6`O;X#asMlYlMW$2u!v(~Q?11V`@*g;mANGkjc-vug zm=n(W5Vw14v!;Db3~6#*jVkbdy-Ur*L8RKjWj6S}EAShXc|l&!4SqauvbELDc@q70 zc`86HmY1YV11-B%DKD)~b;R7wY-4X}572Ul@P8z7`Pe=}pMQUP@|3Fh7lr)wgXCTK zAAF8ZXRc5*+*1B5#oG3q9=+Gjfk6{DT{5FAjJFeN0Ctf>2OcrxUcDFZ%O2+~^TjQ! 
zTa|lS7u}Q3$JoVZmEb*mdDS;Fe?yqEQr16a8}=#`5<*rYbAYg0@<_?IS9ANl0qJ#+ zcUaR&T6c0*Hq^gV`9{=M(mk-)d+ei4ZT9yH67pacW3aRinqqQAm7cJ%No==D#!$h^ zbs=l~{12<~)tRzpeg60ZLyAW;fhuh~aZx%5~rRSLxp!Ll}ciEIv zeo{!wwC)3~u4t9hczw9gr;vwg$OzJaV$DHJrv9il1F2w2~#egoDHF2ww;Awg!d>`NaOY5LYGAz zvg^i71qPSto;jF4%EMrz0lOGfbYFcB?qF{)XkX(WPMx~CL0w9=3t9tna93k&e(oEL z0oTQ>wVo1IT4&<%yXH#&=myVq<(QnDtgyNHzkc)Ulw|{jiNQYZemimA$!T;`2c{Ru z_mPh;gV>GX=R*uT2<-2pCmwX?x`$Y_zzEii#ajbucdP746R{Y=GFU9Ay2YNSR zDItCu?z~Zj5-^#~yTF#lvme^x=RNuytWR1oXyOh<y8YHW@X{_%^JG11yW2vCOqx!I8RvdM&|MXovUGSFtJyf+X za+9Kcxd{>TckJ5U+lY8uuAyN2cx1ZeCmzCTFiw0hr-F2tK^QuV@1hZ1yjG}aexjNm zyZiQ^cyrw$@CIhsMrcp>q(3nA(7+i2I*<*`&`uAe1GquB>anii1-SfBbMo9mIhEsW z!|q_JOMk62f9-8xjZf-Js)DdBcO>LW{EfK1bVP69!9C1@c7bzWg*xcf>c`q`VIj9p8GECWzavB*ZwQP4i&~Vj9Gq<4O@C+QICTE+6)lyYoe{@{(JgtIT z%-$YI*Ykpadb!TbEjzTz>Ivv{1E32&K%IWfob5vBl+XB)eC*C6DNxx}@tSwdx6r&5 z&*@Pehf^8}U!OzZ=Un5@8@IAc&uOe-Wi)=5SeTRdta*Xj=2TVKga?T|Aly*8=ZCm0 zVO4_3Q}C^k|J+Dg*k5O}VySKJQ@NuPCp7qk^TZD6E(Q3{&=9+9fbXWso|cr#OQB^C zd(5HE{hv?RFE<@|mJBz}FcZhL5rr0d<92{~p<&b;L%1_CYv`Ii-lf95Uq@kpHmgjLJ@5T?6MYp&vix#z_)*Ww2xUqvhJ^KuuZ zL3*?_0NW}J3Svm)39;HuMdX(%_EP2y4aZV()H$Odr**j3RK4%CHOJ>sk$=@za6BmP zA5Hh{<^RgAUJD-!*H`5s(kQJXw1V9^6HW)2$ZNi6_CS^*FCG>#6J|Oqk&)*0*4lnk z6XW12iS+*?>YE?yV4inln~fV=Cv4Ezw#^gUXk+WdX>8kSY};xYH@5D1Ki?njKQOb; z?#%4$U?-Jht^|Bv`E{!|*1rAiY}sM~vMSoXL5{S21YfPx_Ewy6*nbb_1Of`99Pa=TOlTyD@!0$mW@_kRN3C#MtGwB?X zmEx1oo_p1l(*JCE&!ll``Q zEU+PFoTc!`U9?Vsti@@mIi5zCR1d@^F1xWGP9Lo1UU8Xe7z zN)RJRy4sRLb&nT~$`|*G(eo5|{l270?8vW+vN29w92G1h@{d-Kga+ZTvmbWW?xaLW zRxDAR(|m~5bBj&iZxfvRh=#GZab)H>V+%KX0Bf^0G~76G2M|qK@Vkt?&o#Mh9CA#1 z>4J*2;p({1={LQX(hhY-MwmCVqj-OwZxffi{iuF@Q`}&v1tlCNCddIZ|HMcs46N(B zndtE7B(BfUGl1f&EcYqFOZ?-_^{4wL>vG-HLtnN!OTb#lZdW?W&)SivY^D1(q5Zqre_D!~Je zlQ?mgkJ!+hV#Xc(XiO8mPTBEW!E5~9I38zV?$>TuU54jy%)+kzB#3olq!tjN*rpna z3`(lO$nj5?0o#I^BX*FJWuiM3@_cO?^oT>}k%m&^H@yk$dXWJbsV z@6~xR!0(V}r+H}7B?iUbE+m5Cb<1f!_bh%NZ$!8GJG_U0*Y<>va5fQdH*V{PpP@Tx zF1%G75`mJqi`?>I1`6YPovHiQV3pi$Q#3Xv@(SA2pWBLzCjqcNwHiVV{GUGAwcV57 
zgsD@vw{aVt-jjXQ-J4v1<8P}uBkO$`8@&4(#H~!WULuiSf2FX`=p?yIkVqM*dp=Yx zj+&fx~yx_~2r=sMz+DiSVtDoakVD!;0c z650{Gv%zy-^J-d~axijsTXwc&=;TFKzkq5im5sh(>f{}&A+r7o(rArTi3GZ6aYxV- zhbuG0`(_h~_}k>hAzyKc(3xS=Ca07OC0|dfXgY6?DrjebTE1j2q&hFuv)S!89BA~3 zoiSvECn6qtM{o$lL62*4T(?y~3vWbA4p{OwH7iK?*1Vr^shvDJj|ny)TPi$hwJYCl z;YX}nfy`IUp=@R-#;zv4wL*a6p}RWR^_;PMnseUTYAKl4J>Hq$l!>y+vcstc4tSNL zr@{d0x_>wug_;K8M(+!zNV5o-ph?x7n>}wLYX)0?3uo|0BSJPdf5b+U~(l z+~?Xbeo7G|a+nzN8;+Bj3KrKo;qEF)YW7>HbuPvr?9*M@)PN-R71;9(v-(RBJ>Ma# zJ)h*Goq?z+sWJ&pO4^W0I$NdDj1DXg9tr4wAw4oPDki>5Vi41PPI-EHoKiDdDz;#= z$9bc9^1s^fX-w5S9RlqoY9a*-K z=aM*Jx@LGcc5=G6Iq{TYs-2znF{stoI<*y)Zv2doLzc(bJP5z7o&j!fxUjZVu{0nY z`BvGP5W<@jlhReC(-$he(KdzcI}jr|Bma^yEH5&)#i?=TL8uFc6K!o4V5IJ;H z)9nVGa(GJm;g3#Syanqe>>ln^Xk16#5KLRnP{>{ey&U`0SsboOh6=A9yWt|inYl6% zzB9`KJiNXucFirDi5D?zTR~qAtk#TX&MF4OwoXm~?4ae)$!c2kY$csB!#4Ir+y&a= zlr?+VPZa|rBfOBhlGK`ELAA4QLEW%liX{| zz2uW`-=Pnc856BcFdJwnulb`a#yci-uq9-2TIl23DR)`qb2Gw22M)ZRQ3%gA|XU`%IeFn_hK%Xf} zv8`LGPx&q?!R9#UMK=zzZTn?|H+9$gFWroIc4X8NFljtZbWDeOKUqQ|gVtI7ud_Mx z*yzAK%#(m03F!#(u63Oibri^QxI%R!|BF5Zw*XPk$0q6wCJ!#Otq`azOj+IHM>ktk-+@6h6VH9Q{i1Wt9oBi&~Ir!p) zk!B_==J^cY!o`PAk_*lJ;Rexjo_mvfm)yI7d@OCXia{*q2_{RSf_lYyzQ@&{;4zlmR7yK zBaTmifm?yMb*j?i?T{I-$Y*yx!R&99S4wHcyw#IB30tT;f@kDr<1_4A_Re;V*C{EC zQo6DwPlolCFiyzpi^rS4)K7tiKjiuSBE9UxX|R<8NO=&g9QYFdAZBlyFY*hrsA=-( zOnVVZ=}^qmAYIU2B#tRaayWyWh*^^l0G%gvkLQ9ft5-0Gb?hgzrFkXtmKr7nPcF`{ zPUmgxIg6Y(3tfhcP(66B{<*jmVXj$+15W=wx)-Ety=)kr=mr0}f5O7rzCREYQlDUY zhVwni7((5kxaoO4KbA@t-qNY^x~dHVms{u$vNtD6O!{?nR$%EncraNr-k5#?JzLxYJArZsh75C3K~h@{tLUe)x@DWeqhz zP)RijWS2~-B*$Di7(J8T@#2{FgM}IyL5?v&L;1)*7+PjTH2&gH@$?i75?9rrKq00w zj+cFOtQOzSw_!35*>XkT3PB(WoMMV02CIk26cNGLPEtq?R(mQL5@AmP^hfo0Xr4K< z3jGzH4hzZA39jrp*^z?_^ffLPQoQBlJlC@NLbSMiK1E9|G_cJ=`*~0_j)sx|)c|Jd!+Xg$2abyALm!pT>DqTo3@J7l+>n|U6QpybBy+fceZ4ExAwI=n}m zb~Nog%q(>N*~n^IsI(| zW>r)(EH5iiw$1?xDxz4-3amj@$+hH$+7>Ohqvp|t8LOteacPv^I1+|BlfR~KyZ0h* zh2NJ`?#!B{R#8pm8Q>^bqFGymTG5MOjN}^4qKOFvnul$Kl}rTI}z)`u3(j#pBd*aP#mb)getfAkon&C;|;DP8Vo?j3Y} 
zG85YIpyCaKct}E^OJWWF0+f-b2fxpUnrE!ZTKacjr`~AVuqLNy%@lu-z3;3G)s2C) z@99e4=MubRmy&bd^p!~GM~mu^LxqTLw?M?M2jk$ldDv_9c#votS?=4QX(?-1;9+zz z1AbzTTVqd;z_x~psy|wh!?7cj#9*!mQe2WFK)5hUY^VOz%+YqJ~h(323aC6kk zqcjmCbVQG);O!weeArW*SXJ_!F9ei%UBDqU#J7moTzGsS>RZ)&qUL; zzJ|&8NO{crHaO;)==Ycu>IJv@NJt>`Hmr8~LvQoWu8rVbYKB?&z}-t+Jw4y^dv#AQ zpaqnUbyZuV-x!GKdA(C~;`=2u2>D>`L?z-S^ZVEU<#2VPUyNn%iO}UyS&X=PRRBh` z-SIUe2L`ZRV`AxeL<(0Wx9Kjtt}7Dyf4Yn{uq2r-#HT8_qqI|b>@hu6vXFeA@U!H- z?X1R2eXxm#_Y`Iw3V1|(OL+tvID>_FnGSQ)-O z_z?HN#g}2ZX5*#!ZfQ%{wrx?vGR4QDHS;d__QSlziMie+#I5I!j@ze7S)AE0Jk7e_ z2>lWHPLf?x>qns1<`dPr4F@Rn{PwsvU)9#Gz16vYwU72UMal@X%L7s+E&3~Btg0rX z1pX?3!aXz&1-Q%4R~0RkhP&~d{ebLUiI=vo9nnl%zgrWRo`T9!{z`^o^LyLhY15(1 zqDx0le=s>e#R_qqv8Mj4e!8`aIk^2|#_LLT+GNMkK7~_Ya-+bSkH1WAd%$O>m*{44 zpzWzJ%-g~-47xrVnlaQx*?JO7b$D9?N7~QxR<{l=%ZmC&xIAKH%Dor&3`^_YLw6iM z7@&_ei(Oh4ZSk7423!YX;H=ppbC2qOJN*SuCzWOis+#UhEjr@R)F@I@Pt_UeRHsT2 zln~<9*DAjzsu2)x~H?785s3k?Smbu#V?ds&?~@_1QV^Zy!V#X^wFDjg0k_utJPg za}k&7CEt<&SL~e)>1!6qc{;TK-z0xO%&vDoXbK~NIN4=CUw3!xCffqF@TyB>&HL59C_;4P&ZLWC!?y@&%Y(Fw>ZM)qBot(RT2IN6E?12e zC>J5d%Nnlr0abJAvv2MoX^RjpcJJ80OuzjGro=SoV-k_hwdtL|D$LVCHLk|;jbg>T zHcwN4RE9{l40;bw)uuf%kF<7#S%ce1d}+G$%L*9pUwls)eW+Xgn$pp;b0AU$@2u+Q zU^pq&+N&8V!;(fSl*3Rpn4lx*lI!g=#$q*SKR0;$;Xv~-7mL~GnR5|noWAJ>I+MiK zEl6YQvoWZzvg$0oYjX2U>kk+-v5v9EuG8 z(Hh|ApS-BMcB0d^WDqXu31L);sYcFG6-xt!{6f_2ykP}?R*a$DQGp*D;u-rz`u~At z172KM4^VLnm?jw>3VzYp!>mq&R)n{%Fh$j+ZJ(AQe{Z`F*s4nFn=q=~4(RfRRX!H$ z5h+CE6)#aBnrK!TZEK_fPPMRP=;Nx{?1|8~%A|fv)-weOMqiv~pretGnUCa$ucZu4 z{uEm^o(mN-FGI`T&U^{R5kfomT?rtb2;uaXNEH66ZpwQyjLyw^R=sPqdXaSLfe`t9 z5Eqh|h`P&(phVZA^6 zm2)bog-JpN_f}$Ro}yf)QP50)RlJXJ&a&BGEhl{tTY%$gx)B)U2%#k*~Q9VsvGS_twA_&LpGB|bD{8jo(eT7?+fofjqTXh;X&x`OtxfTDE#K* z5_CxgnDT=fBKv$?l^`Zd)T1tz3cdZIjaSm4Ucxs|G!5s|+B4gi17*uo$$S1+h*#Z5NtP>wnj0I(`PINNO|D zpnaqSGMbD=1I%T%EhuU`J8I4~G$Y48sXRVL;KQuN;ZX!9YnUw2zKGsf6QbDvrDZ$s ztPptT9GTXR&cA?te;#t#Qm)6Le(9MtXi&Gn;p)RUg)sUMY5i#cRfBDqd#G?RM&)0Z z-lCIk4xFo_Q8 
z*DSxZVNH}e_2RQ~TuIRUiS{MdAa2@4tK2vIeaolw30u{wSKG4X$1Diy#hCqKy#jed z@n7nMrh`reg_Zjdqa>o6hSnd8&DC2jEYN_A<&o2F1leGYi%rh7Ku427lnN_c9s=^) zpe7=Ib!I73tvyH-LbL(6lDlo!y2x^M0?+&F!mrpq3XRUwv^<^^9xCA6Mk3KdjD+)$ z`&hAO2a+XMX=nFxR7Qd32)C;*gK%Z6N8dMx~5uXV7#nKjC6SrYR$yHL1^s! z9G!R$(RNgt7jT`IUpYI)Rj6`b;Ud#hT%7P$(MN3i;_CNCjl zNKi1*Nhy`sB?hLAG?>tx9h4g4A=xC_8LyC@6d9Coe?A->%w{ekr02~;EOf`EA^7!| z;-FFvUf_8_;V#>N`B{Gnug0nv&j%Hl<{5D9Qh&&&c);qU7uDpX0#r z4XrJp=cM{JI>(W71-lE6rfE|_md^On?(o%l+BDRILmvv`k-Yh8O^MKeUBxDEA}x%g&7kj!zeur?iwZlZKzy^leMt>vx4G zaIA;8XN7TEUu!W8o2V_Xt@`qSskH9v+^~g~zpy&o6%~%Y*;0~fs?_*6>*i-=GHLVi zBg09(WiWVX8GCvH*@@%mg3`pcH`R#emO?Od;Mh6O;(6|L;9)p8(|jl6M+}`QcZ#3c z4G;qDhKsqAUogZG*Hi=qFRuPQmB*i57_!W>YAvEQr6IDLZVp22(W;O$Br6lXu_5iz+a}*-txkyKRoxj7aWLt1kH2Xy3_3M38 z=odk5lJpvS<@|9)qmOkXyq{11x;?x)Dy2dEeO)^ zrUTElub8fi?Ydp0I+|Y_`^H;<-N2GFg{mV|f|l8?_$z;}vqq@MiFu4aQu$?5W-&jB z$m=SF75}1M?tQj9K>qhP$#uT1e4aM%&kZT+woa~%P5(~`G#hz^s|lY{VyiJCf0au2 z+F`|sr?cHdP^Iq<*j>K-PD}wVbY>oHqKi!2qmI7iONErrVcQOM`RV8d(s;3+`^QWZ zo<2QI-jA8RygVi}jh*u00`b@Ghg3n=a#mJvyAg_Z9kQ*Pt9OhaL6(Bt8UtS=l+3F-ySajf zwOKxjk_M!_TRN`yRz>$$VGj?F9$7tVgDy;(3wB*l6@wwwbCpg+K#0N;B{~^A?)nn) zoQa#!*JTzKiO9=iBszrGCH5hd9h~&tZXUAeamO$fl?;qt?epOS2&DlQ22Ys6PW=sy z22Ki&Cp$88;5yzjJh^sm1_{&y?Yx<}V!xXmh;6@P066ULJla&2R8W?s`R@aH-h59T zNiSUfihD*Pxmm{6u>h3mro+c?04L=}F|FZxDE`Z64v+Iy#=)`o`tT-*6F=Z%tL1wE zc>ozce^UoN#ZMR44cKD1F`kYmv&QX{m9Es+VkEfwKtTqEB>i8a^|Mh)u z+`;7hixgA1q0YS;x=)I=mWpqCVs&S%@UU>laLkp}Lh*14-jf@AHdxEUktoP6+x38H z!r=vVaqpDGB2tD>{ZVt?{D>&T6AG#kRg0cdAC|%wIOfU-(isb8RgQ$ z?{83L(_ZQ*rB8O|QI0q1h1JN~OHJ>*Ib49U`KLTkhk=>B|w9_EN zw=7lRs&s>#SqLirsL}T(gG4LmlwvXS-Jq%&h-hwhD(Vj?eFhWvJ~)c z!hCI*4Mz^k+)R```v%eBhp2SVW)$G}`pTF>UqW;%_&mxQ*0_eees)i`)cqdNP8kgPZIisMbTm z-SG>E7d{)Y7HMRhi`1}HND67`j@aLLVBB&hdh?Lt4EFmmK=E?3O6s02C4sNI3kuxp z+sK;G+9An&&Q9%%ZZciT#R)FaSXi{r&|;c)WeMJu9EO%yXP+*t_?J{s4R}Rk;gG4f z^H46j}*Y`99pG z$rL~2ttk0ZjuxWg$Wnb_+*h~IfhVHTh`drI7BmICvJ9H7MH;H%n2h|-wG7w>Ed89A 
z^#-i89N#+aJf_jWd(ocN=(@KV-#9R{>zHfLD`m;B>rtNLie=0C*9Y218=Yq_m6DkO^1E##xik*oY#l_WyaYC_%WJbp$w1DbG zDt|@mWnL^AK>=XzBWf$GZ$e>51ZQux^OGI*KEm}?li;-#4o7wh0kmUqWWI{+M?&nLl-1?&=Hm||H!`!D4o^!>je*o@gpahiLh zwu1^g!}hhc-=1K~J_Ea5^XV>^CL+fR!3y5#Rs&pExs*4?{TV?k) z0Uq|gXc)C^Ia74Yb0IJ$PQAr6kEd*+!1G%k$O8kzUH5JY_#A3DatQcc7jma^eqRhsk5tgIih<{2KYPQPt4xYN=yxCEL+1Tq-KDXYQM zV#x{5-8+j~Me?ZCgDQ(t?>qn0f0y2x{jnr~@IZAR#(34z6q=Q0)dx38uf1lxSPSaz zLtE#YxI12+WA6bM6y8Sbb|HUNxWnrQm7DG8*zlfRR2%VkO>~Hv*GM>B}p93S<1|`5BOem zawF>4J09`fD~0HbU>XK#`Di?bwsu#HcwDDk!oIrKzZAqjb3wU#3cP2aXZCiV5D7vO zzuxffHT7ricr#5Jmst66y2*X2A~AJ-90gN`-0XDl10w&J+f58Jb}w0K z2py_mjvQS^12MSjw~DLeM{tzQD;7!rS=YmL85n^S7=f`H5g!3PZ3o$_ zr^L@A6%lOf{^F#Lg(~!(0^V@w1Sins%x#LS?X%eNeLdwDPSuQ;blx*o?-G?mz_GAM zdH7Ti=H;L&izl~$Beo`$OtO`NNE3)8i)Jf%Mv><~x8s*6PkY@7V_8HlGz|6Mlto?d z=G|7tc26D7)8u2r^VXYOF~QZ_2F*SFRIL^ve;9>{24rk-ow0-N^Y}DK@?X_iSc*4+ z7C~(mLj!Acs0LN&tlXRSW>~})k48j& zQV|2Z=(b;?80}6cau^~5WZt)jbtgM(pt!9)<@bOQUT4RZseD#8b?Pn2K9lOdBr|`? z`);nNcUN7ZV*I~Qf?dVo1a^i>?kS{ch9$4>oPJ!x%aF2Fjq;E>vWsQl}E#K~!vUxqS*T(6s2T=hemOla+c%6}>P5C8Wi&(WKsb0V&&nm2&``V8E`-{pkQ;&Y|t6QAH(vVpCt}?H`7415lDd33T0H*+*nSMsi?{Fd*4_G|lwl#MmePTCM zjfI+^U1a9=UQ)R>*14 zOch1A&=H-@`gpUP-}i@!aeovQGwkNgmO=Mlz3Rb2rPXp@N*iM1aabAio$ZUc8X^Td z9qjiEQtNeAUtC*VA33d9V|PQTD(f@AbOUF6h#9^aKyc_>9vp;;6y3?uo1Kjm9f{$_ zp;#ady{Rv+1{g(M1eB%;vITtZe~p%}6sQzeJ*+~31=gtz zT$RXbr&>u64ZE*=Ya*8g=`vWArtU_tjGBtUn}hi^)DSQygqD~YCg}#A?8yjwL~jge zrbm+blj>hZ@5(Xop9-hRfhkH?X=2sJ{sOcR>GykaU>|;wVuA07%MrWX=7t;OTUKJCK~1ro>Yalx zqsf`!&!dsKsq&5A69z2hc!V9wXL_c8GUwnlyq{e6U|W7I~;qx9|Cxvjv3yggxv`_d@(BkP98Vo;8KCO9ZCi z13{6gDLTyf8&yel%t_)kZO$auZDrB@^{bgws^9n{!MywN2z2K>4{g0JI-Y+P&`xg~ zaG;M6PW%}Jp7_p;EhNcwGa*coeSBoS=+~~^y-S6+xj!X(G2{oV_|28pQVGT2Zy&X` zfKTlzTHYIXiQ*JXvRuVw?U26mphTlx#od4>nZRPCRz@(TQB4UfAOVT_*u92fD=k^! zbP{-ivf;%VVHLg%CVDKV%sVVEIYU&rrBQpyUbUi)gGDca&1t82F3mz7mGEqLbIZY! 
z*gp__weMrF7(wYsTxNY00#Vv(k`^R4anny1!klX*E*>r5n+k>k;084}akXyB`$teg zTZjb8SCFGa=TaSk(!-2@`TGb^-mc)Ns%cbrURUd$?ChWUg+GZttGdKIo#Jw|Y?8oh z6re)d&au&ul>n6mzF=)B9b)18p)B|rSdw`1Tc*AOSZ-pW(Wv{cU)!8`dY#?=M&t0@ z4;QS7K=b3lrnJ50i@(+DWwYmr%0+5HF#&D9Wv$UIO5=`7NPP5xJIUJq-`=1Y(o~pl zHU0T_+3*4dxrtvn3}!k1ic$en*;wcVxnvkLODv|;BM~*y%@Zl5*)nQeJW7zkw{Sha zi97hb>^s#Tw^3HOpN-pv^4`&gOCy&@Jec1PA@g361;H)|IPjtIi&}kuP}gwmD+Rso zaF+VN;mj^zVN02p1?w220-)+wHcBuh-_O$_pusbt;f4e0KDJJm9@m7}E7OnhW|g=4 zSq92(mm+e6`n38V03Oq@z+)vHvOlaXj=$kF0;7;Khk>Le04n3Ib7}0Tiac?ZhLUOT zq(%Elk^w`~Ry*s^v(P+SSWeOc09ve@abGlwu3BBYGi6%oO#O@=){Rdm6 zk;I4&!PBiN8j}Uy$SR|FJhHC9miBVNd>>m=7>WW;&>O7k{F&Y^m zT3q~luu^W2UkG(wDr(*)YnUyulS=cejl^fg)_JlCg`AK9`H4gsv&jWZOme(unSgu% z4&r!2Tn1+KdfM_h)$fWmL^j_2_%y9t2%3vxd5FZ((Q^2c^l3O5sr=;cq`aiYs8Z0| z@Y+tIjHhpiOxEk+In0GOKB;)jRssq(mLWM03aS=Z+Dqp!c*Ju-eA;1m-8i%mUmHB3 zF}8a&5^yr#3v6yvCw5O4u3?E5MXTiNRhBH?z1)hM?$m2!S$B&nuE0%fiNqNV4ib%d zxVLpWwI9?^WIVasz0Z!OtfhEwA5($&8}BbuRwADP;K8MzFbEIy5kZpJ7%}o3i7V1Q!02V@YjW|Y!AdoK{gO(fAkNm{N%>{Fhoo=x{7dlm zYyq#$ZiOmN6dT#ZL7akj@`r0+S;dIg$g>*$RrDcLmGzxfNgfd212ZL)%@j_Xu$iE8 zg36Lv140>6m|!idN|S~|V`^Hy50lwioJMUf;(W_Gq}5TXu(>%|QC$N{NpPQAjwMZF z-V-V0`+|{Y=`Jz;PV|pJgR{m(XzIS3tu&JEk4y9^lK0+jO2jU<$sBO(_KQRbH2ctT zQEu@sB-M%%3um3Bf+<_R<5sgps_Ke08Ajd$*uqhB2Fb*3qQa|(i!TzEAu9db)!Nun zwQ3sfiH3E1(bbk$^o_D%5X@;;_ThTOkj$D!_#5{~xwL(2)f2@+D=-T1-y`Qty8XOM z2`byHwKGQFl~~~|!VAW@G#XtMoWzlF635i(D13Qv_AWN^BPJ1|>O-_v#&}(uOA9Pc zFNn^$e^H6q)_>Bxtauqo_~b(=Uc=KqM+Bl3Ts6PUWYKA<*r*TH7IqN_a3$1^5WJW` zSm(0l!7I=R<7J>_IZKW_Fr{?TYBqP7%4Sz3`qH+$H;644rBti|slo6XlzSa0%)$5? 
z5=i(?DBt&P^$?BuqvoW0S^vO|6SF*dx7QpNyvR5`&;J`rdG-0eC7%6~nfu$f(O`2y zwQ^8tIP~$PwrquU$x4ymeZ3dC#l@6w%w~mAce}L$B);>>n-G1UQ-GKfQ~bwESOX;3V*vPCH9^LqmU} zTk1r`$=UFBf@RDND-0%6;?Voxh(iy0bPVkBc5UzJ{gkH3_|aNjivcYFz1_9)4imv z25v0hWYUl28paI4O;K=`F}|1>TJK|$b28Il=SNC8i7WtGp)*(K;if>GqCFkFNxJWt z_>qXC$HuS>t=Cm}#HN(AX!Sq?d9(DD+D&)ESRFB^J2&oM0k~)vo3AztXguJR>aSG&P z8Nv^V(gjzI>WeZ|3Y}ZI!O4wV$8M%;1eL?skIyKY*>2ll4%4t4l{8#M3@ngL)8yji zcQ(a1aoKRdb_%*HcS*3_S4}qvphc*fUxQE>UT+r)OK`HQ#;x7y91qO`T@EPw-bGBc z9af3^g}iKHq#R9=vL4D+f29}@Hmd)Nk*2Rs{NyN-bsl-;W54F*VGou16(_}%&x0GE zW1*Eg0(l+5gh3iEIIn_|;&ElB7jf9}T(GD^N1{s-&(*}JdjX`~IqptXFYsV%lDfJcazoQRHxTwr?eXH*kbKp6u;Rl!XtI&OWFg^vYks&`205x z2*Dnoss7!MCq$B>E$$m-`5qht@ekaX(mi-Qwk(xv$K^+FJy1kl13{6yv4yAycHWEX zqGSzcJz;ShM z*&--)TcR$CNd@!iDeFDVQc7&Y1vhgaJoRrm;c^%xS(NDy{yDE`#d`HPM(z9Mia`*~ zp@iZgF9ZI?Py*k_gjEb)SZTklb+3nZUFqa0I@=YQnNBLB)5IDb)Vh; zn|(1{aAiB!2@M4|d>OzO*l(47(2xez%I=6tAi5PaW4j>!v#8Da?aUg`z1KuSg4_59 z&u)pSDEwH$&pha!2!i{&1}L2edN$4hvT!SFzP}_mhX%JpSzHvi-arjNIW)XpQjEZe zec`I6>os^{9lml$+~kYrqGK68JG`k$8|aF{N`+D$AtBmiRAiCd^%avsBXEffz@*v7 zA5ad-qV*I$r|)TFZe`*8H(BzNGpnm~_~gXUdl2c_sgu!}pNvb@p(<1G z{Zm^`s_3w1e0P7A!a#|b3~C_~LaOR>HOhvbrTMis$4u0y`9i_k8Yl0*dF}6&JCxcV z!EIeoGjUx|x^If3|0K+CuSU*<1X)t)-oQz$bDk6G)|cPfhj%wW7=|pWZZ|~jbZ|Ch z7aa8+u+b!c{z;9y*beY(RTHd-bqt?#+uG86zW@phoP~LX;W-G1E#zy5&((AAFCWJd ze1law_u|%RxAxFPi{mAkxyqCj*qlYgg8=;6nX~$$w@rL%&}d-yGUFTo7Z)26H&Wkc4X2{iRNXybPSpcpATecnA5#H)n~Ok{g^n>ioe(MUf@ z+Tn15jid+INYchAmK^RY$WExwFeb6fjPxMJ%2%*vW}gOAD#G)3mB<)}-}3i4_~Q*g zMyo|3#&e+FMlT`$d3=k0G90T(vtLB+CUz3EiCQiwME!X^yjp$}GaO_WZ^I34Em#|M z%TxQ3?bOIwA**@YVJ;aL54}bM{4%9T*bi1EBEtnL^MU8=(Ex5U1m@!xb%Tz4%#LL8 zA(`KTA*YL8GOclB(1}@JcNSS znQwe6qyY8MDS&o7SAj+}x?T#6#KSK|SyPp(b7VDbhI6f@37RuhSW(^ixuqRMG;FD4 zG&&JLDT8~bS5YeEbg%3^D2cs`v^LB#ekwWWf{O=e`I~Pnz$mAw4*b=^-W*bwni@kY^ zE|qAG?>lqT;cZzixSJv&QhtNCs{*+AVvDNBkthgNeQ+36DM~JA&~g#L5@8L;^^;n3w>4sw(bP@|4q= zCBVi4*{H6T)HU41F%HSb+Zd<8$LNh})R`;U7%eJ@M#l`27WM8y@&pqZ5{X>h!0Y!N 
zp|Wg3E%dr0s8?#uk0y{@&7E5h*4cm}T&Lt~(#)l2pB#|%O*U8a?3y+0lkhE`69pR2 zI?QFm5Jsge;F@t~o_$lB@=-`-_UatYYIP8Drx&=eh5o4*_YfFv6iik!sLkoy^(JM$c4b1hVl14j3K zA3-K47hh!3D~#U8s@1iGv)daeXbCqoBZMAIn;T(xX8x6gDbRQ+d*{G^o7^I8+I#KX z%3>c`amykpv}!iEram||;OE14p}r$lZw+cV(N4cgDt6XyBPOFsbTQ77d3aO zn*)C~PCR!gn~2e84^ z{$PibTr$cFy!NO?t!AOJWGkF*WcpCx)yDfI>|%;es$eS6(UqnEW(MP9VB=B8L{P*P zu(7mHZu)SL7G_@O#@Q55zG&k~P})C`_SZIoP_DBJ-%jZxfl#LL>-A^peN&Y=Cjp3E zR!mCGHF^=Xr#jQTRkJ15Pph_BL2Q1z8FrKK9gmKn7K97LMQ72$myup{{DWyJIu+HL zerXG&7qs64^7<+R7A7o95(+JUU4~hGGfBt zF=p~l0WLj;O@&*JkL!^$>5nKaKfwBeg;Q1>HVkb}|P80%tpQ@=a0Y zzw9#oaVGh~!E8~2c+8n6B`JY9Oj;-YjxR#3Gt8(_YKD^+ISw9S8#~tB?-`euKPxY= zqv=0TTPAe=3gM}|U{e{RAw^*+BtUe?L)B&E2Xi2ENaUHYz-+ou%okBvuxL;rPq#b4 z(+!(paD6O@sJn^3J2taklIt%I>wGo+Q8UU4=UN%hN8^q=F)$W3lHjrGhOh6EiDQKwk}`r(X1(LaNa&pZUC?Aj8OTb}`xiIz7{!Vygk38Sa%s&YwU(72*Q)KO`} z{=3iqh3NCdn2B#+Js<~tyr3u`AV>2R=g5Kc(3Qe7T2hab_CZePavWN?wS_L(+qX%v z&g2n9JN_E{TVQd5TszquYKHZPvCub5OW?G5Dv)HF^I$=s0%1lLEs;B>xEuv|Qm-|9 zZ1q-JnEM}sfbU3ANiW_3rj~T$x7MvahXR4<)N1zj#(IQpjd$!Uy~H#UGBi%lQ0aFd zv%g7zF(kTU&}hUgl_KJiihS89PKt?Uk&@P3^2Eq*^S4rH5SVB?u|Z<)#F3_;yL{9Q zm!!$*Q_C#B1>J40qo$43_LyEXymeXSxb1}W>eno1=bf7z$A5h2cTMSz2JXcHYSW+9U(*Y85ZT*(^&ajp5?ghv!AAkSX7!8;wk$XvRmv)V_zQRH|uDrO0pP6 zkJbo^1I`#euGd9)8JaC+xg9+dj#P7EFFQSA4lHbvUCPp4ZXJ&@h>HCNR(wQzpovL% z)%cTBrq*Bve0j&o)@k+5ZoGF>dUSMzv3-oH?&(J%t6KXKb@3iLE!{10^_wEjncD)F zaIL!m6b&~2{xy9i2MZb*K6LURE1YnLFv@HOM@D*oFqHy@{eUZ8B1JqeCILu78i=dP zlbjioukPl(FbKgqXVZgTrN}4?zaxHi`g4WxS9mSSUBEx7N82dvuJ5h8JZKGjKkOEM z_ng{nEEWF{<9%r0G%Q`-cd_st5N={UjwY{1kTv`rzQN+OE5T;a^mM#9DgCm|YyE9K zSz8!+Ix`MmCfPbjTzrBGs&E3f6hJTP&&~$hybZf&l98Z|7u5iWirRda1;wzh55~^D zP(fX~9;YHSdG3lwrpJ!%ze<2BBlpj`uel#-QX0#vQf^+A_hIdZvl~>rN9;PxHV9mW z;Wz~!{vLleplixzDTpM8^{s#H-2C$qJrE#}Q2r&bG_#XrXPXGdW9n?m@RPMIJUBVr zfR&=~zS&<4gHFITax!D0YzJ$Uk;2+F&k(%WJmz4Zxs1XtEQw*W0+>)^1T*&mX;UQyYE!=B?sWsO2c z>+rNnD?<16#6cwv8%^V3B7eN6`u)ABk%U6GQN{f2E5!FRlB`nq@4xp4Ft2&yOca_h zL(YP4F^OAV#`%zBDL+d5L6v>&ds|a3u(|C}-b_n1j9sNQG16`dG;xs!lB?#o_Ry${ 
z_6RuyOEIm8izSn9pdkQRsfwJI5@!Fo8EiGhjHPMZe}|=>X{`O1!^&fKFy@d zDm$h`D7~5_p_kW3vSg%+h0>Y7)c+mm&$i2sM*kR$xq2P^B470o0lo6#lCL!}{B(^? zOgbrVt|}(La$^ui2RcL|N%UV|*b?~ATMbddP;1b_jW@N{bD1JgYW%B0+8{Bi_QQEhOaS`0;X zmXy%A>56G1`G^txE`2l;775LYXygTIHim_l8OS zZH>&wR?k=vl5SvLY`gfw7wMfWQl3@q;k;ZP(b#?=jbI=iWN(UHu8v^NQ9l2>AMXsT zyo5)erEPPyK27R(mNK-2eLkQa$Q~6+K_T z^)Xf&;b8GB65h((-gpj&#EPWzFnaVji_#73f=ZbXVT8?5 zDgcuf04WS%{bDtIT9q73{L^vPYLCB#{N-`6LBgf{czX*|EubyxtT(No{&m^ICgVTW zlX(?pQSRU>58t7>E7#BHLGFC4=?P(Wzz??!=%JH5{f%>*xa)lNdCyp}Fc(KknY}}) zb_OP>Y+mNObLH!#Lh?zt{R9k!fj~97Fxc*dgY=Fadg2jNC3oG>R0`!ASso0+!KwI$ zUG}Sx0)_~;nW~pozt>6#^9Nj8G|tTxh%xEjIWNLa>lNSBN_!>=kI;WjUG*VJ%)z$I z7s*j7a$C!$@t8*wx`omN>iF~cd%?vr7#hWq;o;QeV}*J7{F(8w6f~v$PW|HzfM+U! zsFub1>$9_;t55yPIYR(B#jMOzO|;o%TsQ6q`1p<$ETjv3-0iU_{sSNuW~-BS8YCZk zT$ECZx{Q_CUM{ zIz|CRap!@~+^DjnY8O=Cd^;NV@mfFsNGp#b2=?NbZ42xMK#}B$j#6SN$v;&O0Vh5n}I|d5#h z7rOrreXaJrqJcXR0g@|YEn4+Z=!ff3^#U^HT~%Y~7a6l12(#vE1$XLaCYCx`piYQm zU%SPI&F70R-SEqgnL#3uS-;Oco%g?d^M3EZKFX z%G4!gh`E8&YN9RLP9Z|4A@1m(aDXuc1_6b*rzx`nxs|mKeZiFkcTvYEFJ~*-wfxD@ z>F2CyK2ozn#9za4vFUO7c%RGyX;4;gt?J)Do(5Vc>^|9ysy;@(r6r8WrYTC5{Fa4oQ*$_emanjtjbj?$hLvC6kb zwzOYgw?lA>vPsU^YxYr7#}Jw)1QIw@q$Pm0XFj^aO^;|ZfFuq>%RT|23%rj)yQevN zdO-AXJho=_EtYmVvhxlh%9 zh}ipLH!L#ILvUf%fw8{}{zDi@SHe*_ypR$<%&6ZKTv$p=Wm!m`^EbFShrs6;?^QO{ z&>zqirl{N=;S)LQ{fxC)>u6nvrIlo(=Hc5>LAq52U0Lkb<4pw1=HC1X(7E_`+of;a zWzOS$6tbia5}FzY4e(Em03veZ=1jxM_?%S^wEOFW_XI**_|h>*gcGw^j4U&-+GN(Z z^^Wma`0?}8zu=#DOxsWEr)fzGItYHReX5RHMkLYrnL2f`6WFJXj<;wRr`!8O5f@HLv@eWWemZl2lE5CH`lr#9^-HtLdjjt=+(Lq!oH$V_$SR; zbu(-tBvl1@t!>7?PYa!p$b9Iz)~FpxL(IIGEk1eck2S7p6;ERLRpp<;1a-h|D^UBa zPG{tQLq<#LfKdd7Lx|FLx;l5YQg+a{WUb z40%SYhe?LBomaMjVwiX?_+#OqO2HC_m^_v?jYuUlz!DN2y-Fy43HhYx{xNSxtTGs= zvG4>%VpFa|0`QS#$h}t4*Y1jgc6+D_3B?~Um(8c4mKa$@5 zMh|nhs_z@RZ`636zJNWm0kfxSv`%S+kwr zXm+_kn0h$VY3F(Zu_mj=fJUI_Ok2P4-R2_cWJy95*>DMBJoPv3H@Zeudh_ikGPhHv zllre+qMV4Zd|ely=VeUl7K&6Gnm%TqX^Ef%Ap);s(hOXY znnp7i3w9A*cmghRg^UEXRU>+OaWRMOCwYBtL)>FRQvu(f>V4;l+PGjmYZp?H%^vgG zs+a<@+H 
zG6hbG=(pYS&avjDGeL1E-;A5!5f0H0SU}pfAo2f@7YkKJpoQ8Rc%KgYMVWJ@zUmay zW4*XZ+L1tp;msNgCNbKQDGxOt`;?~|_6mZ@mp~`W983+hmwMU)!1!%rbn>e-4dHIu zG8+*lRZqC!jIz&J1V;NZ=4K=2xY+1K)Sf%bLETW|^%OovJ6=*%4`GpbalS%$XTvDMmXyx;=td#C`cam+&at_}lyz*a~X5 z*pSe((}z_yx02m{Cy*#WxY^Y_Nb%8iWoVoLLd?^^-zOO<@&DdHhs$CGHk0R!-`d7EgBR2Ra;h?N?F%3)M z2s$z!eKy|(8gdF?(#z+ZQp7*!zPSGlNiZ00wD8xand2+fl{@`P=2(2s71ni5hwZbm zkXgTRlYE~!G2pnV<4{tbZFNbeNkqrFbVa5U(9D$YrGI6k{#hOP$#=C*lF?vz@_55l z2N?aTpdYFMWRGHrPcTm?3<-vK4U89&5eBlPTIR4;v&AKHO3*i$TKq>O8vY-WuryOa zbl1ckyvs9iZY&yYjYURrrVy|n8m}s`<*Q^we6U$!5!6>l^(&=E6Lh!&iXI~USR}>e zXb3gv4lM{W0& zm#{!_ne7f9OdnC=ZwW!7hr)_au_KpiO!`B0^_U-LVQd1=UJ$bAi&?5aFsU+nv&VaB zTn-XwQ#6vv(}P3%1jeM5i?JhsN*$V1=Hzb9=0Y&JH>O*dG9MeIG1W@v^s7r_nh;C; z|2&z*N7r;CFNs?3%o;YYZ`UF)`c2ByJqXkQRks!aGCPO! zK9FDUXIO7@i9$IdjgA0e#%F=}`biZ(NngF;Z=3Fmo)?ZJlA?Fkq;x7Tzhp#cMd=R1 zHB1q}3s|>`+eH`ckJoY}`K0`Ph7lFBBgqTBT%&P1V&nF9HQ$XwSz(-)WqK9TeSO_p zs5sq9@1pB9Co*ZEn9UXK6m}6>(hC5`fqS9zRwYL!{Hwp_#6j)VCw9vgA)g~u$k(tj zV~s{(6vmi;l?gyIV>4re!DqL#B%}y=W-COa%B8aH?nAT8gvH(Af0QQt8HKfyai>Q| zRwY|~DxZ1;EhTq#rf@#`L=}p5i!V2E@GTfH^OaR66b;CJ+p6MNZ4Zr&%WD$gtU^gU zSV^nBFE`jX1h=`N%Fug%q)GkC zcECT9rhtmbyMQ0%z2XBrG;+ zURP?*5-fh$7ybk)sVk+IbnHc1tv=B2*jy;G-2O_Dam3|2wUMsTJt77h?8rQV3Er~W zbRa2$O}$ZOmXcXI=?ATlwutR94~;-vBO(zzelf`;-!SH_sRy}?P?W825Sa}>s^*~k zMFTWTKXs4y?zv1|;^ke+uZo}a|A{TTp*ZRk&#a+zsE0l`a zXq1Ygeq=NC1C{7^IB=6xA;sI*7z8A6Z%vQ>lO6(=&LDtl3YKnc7=0zbr1NFW>9=C* zZn1|%t<}Yey!Ag^8=c#NRGq_lA@K-mhf}t%=-F+ve9dE8QsnU#hx8Lv+kaSd)S(YO z(Z_Gakdp=zdAl1rPFZ+)8m01Jo|m^+WP&5Pn7AdlK%#W* z`Rp0*bRyL-8}Q6vd4n7(H778Ex!IRJIDJPKwU;GaoPj7CJ45tf-u2-aw%tOST8s7Y(FlE_l6h5HB%^Mhfh0Rtlo21b_; z^$`rrt_tjiXQ=Gv3KvsD8H*$_Q=>K^Apze_4JA++t7NzpE+@h6|5C*CQ0u(&-F>)y3^JSF! 
z!4JIw)l`NUz+7*xiein{VhBP9Lx0APDj_y1aK?`-AqL-v8Jza9uJmV1ni7k&SJcB@ zr_6Wj-!lJ*9Mdi#m@M_<^$*kO1$1%bIjRXJo=6cif#D)p!6WF5CK96Q?A+tAb*)DD zIAIC?D&EsHeM@Gm7WV7))!qEu#RSv@SRt{GnDYWF8Hc}btBR|M2RGV*Pqb+e-RBSI z21NMNfO|B~_mlJ2CCvaEIn~_QV+s~Os?34YQP`jkGWqluzF z(9FgPtr%4Kx}QnAerOzWec8Y5nsxpUSVA58)U=P{KB7N)_tJ zJA|Y{Z5^W;#l}|3rJxd^NBqKx`Xb=cvK7|{GQ$5CkuZhrW78=e7>Dldy}wiP8$n3o z+H4Pz=pCW}wy~`(@FVft&V$D^3j5I&NXJTOP@5r$XC~dbPc|JreGyRyD?<6@{;C;OBT7ovWL zp7J2%ShbzAs$Sc`<1TZsy}8b%quVxLm*WEH#i`5GC6v`NJ=ZI)%iS%RbPi; zz*_mH?Izp}ltmtQ`&;J??gyU#9KUezbSA0Q)YW~-qo(5fy|L%>YS6zQeCz^0?u)Eh zd(2Tnqx?nv>U2Z5f$SrWRBDjPR?x^zbJcYH{eW5SNHlcCxg_(8Mb9C;0mc-=R=~3^ z%5cS!k!!Lt2I?jsnQqzz0tRp1*1s?>aHoP~Jx-er*1*h|H4(zN#X$m#hjm)Z=#$Np z^^ac7E^!W%cp~_3I7{90z6WnyM|T&kpknndxXmfy$m`36smF0PS@6!VP)=(UApzbn z@_MLHD*fS+g6@ULpL;WIX3+?LB{E@Z-@7q?hd%h!{4sXW-45&FP!TSXpH1$Pbf}u^ zxoChZsGWEV^7LrLf6WKdujl#3|42G|7{|)~o0hv~lY8uFwtxU>6j+zKqX{Kq#xgC1 z$Sh@5qL|v~Q&RTy5bSZ86mOSDy#E^k)|NzK``=WJ5V@{EM+HT<`@EsJ;lJ17Vpa|Kjz7;*@;;y45{PUJ@ym(wmL+d7DXcW@M>hgtV9 zf_eJW0%R~{iV$UR2AxNxKR_3yBK49Yw<=oD>P%7trVXs zmp1Ikqm>9qxe-R;b7^-=YOsfY+f((qk;=>V&>a!8D*axzu)9S_bPMrWx)kPG%Uc=J zt($?sSD#VNS`57QJQhn0lBM}*@+?YZ49c5Hzm3#Xu5`j+%Ru{S3Qt>VcB*xgmRuJu zqlm4*6`Hrq21h`ZJH7}&h-u)I*fBqiiW=A%=Rcg*MSi#_|IU5 z939QFQ(+_R*9v}jNjYoUWp;l0+!XUYOJ)5SlH zL7wh%ZXwEYK|JrG&Ze1J9Nw8n<;>|9mV= z`2xRP@It?<^2N()l{?oD-%OAw2qyH(v=)NWMk*rVAe6E5B>HJPUfgBlUZUxIkKb)CWia#yTbN;U$@FP z8&5}T)wlU~-8Lj~Npl5f zf!3BAVOVaCTlA~2qVJG1#4Dw^E4U#nsJjl)2p#FDE|;>_gmFC0*YKTTC zR@poDXSO^1Y;8($EjSHylH}xOR1uk0B#HzF9GW5^Z?fIjpqLr+W+Yz;FhaZtRNm=C z1$XRiP+<~jYnyEMa}_mxI_C-gyK!69;3Jv^3gI*M(|oIw*Z1D3vB&|xk&1FAbkI=o zfa|T#RT?8y9N6`#6vC^oNJgqRr7RzxB5NE`iZ7L(lgt1_Jh!alEiD@%X?<8iSF9ost^u z%8_*2T@esS_j@_l{X0YmyPW9-t@yQMtdaiv!y~u9XPIPhSX;MZm~FFbAY~2Nm?J7N z7dmw}k-%^d`FBL-|J3?4+`4}1o>LW`GF)AdbW4X%{W5x#g2D2{8zogOBU}ocjv)B9 zuX0cysZO>wMJ3MjC1E=ZS|uWJDpAHqphOKs-r;CV(x&VX3E98Zx5x*q5$Zuz!&P$U zoY#N-s9F;MigJ&j;Q#oFk-Oqp!P8BeD@8E-Odc`yMiaHywgbk zbJ#nrc3+$$DmX3_jYM~Nc$R5Cggup&pnLwf#r43o%QYw_ylP;y{3&KR)+jNJ5NI}i 
z^>Z~nm|i<6DTU6l#g)F_qLL6N|C;Ancb$cz?bVB9ImY_7)UFrMyK+Vd|9B>_21?Z( zd%`*@I(x!-Blx9^Zs~IXP0*X5Pi}iywBg-lPzVQ7_dxJri_S*5LrP>Yr$kTxt&@#O zJ^Sa!Tx~aTqE6^;9TGEwO7H05*j03R(5a^hclBiEpa)ODR7`ipRD4h0=oBsuJ`LHh z;owBXpdpbv6(r=5|Kz>RB$~TDbyzHl!#g5$AM%Y)7lsc#Xw{#~$yO@$uMpSmXTrN; z>>RDS{*cl%mD$U84rccLqMcxK?7Q|P^6@Nt3GuXOQ-Ad8xWuXCcYMyyn#1_@R<7^z z53DzY1JElI-xpE_uq?kd$r*ujhZF{ z46Fo=SAUa)nf4ix7lqrDsic@k|402xvo6cdclDv-`aC7vX>C(yBDY@TskO` z&aEhambwbfiufR3=g#n#4OfDa*tq1u2U=d;cRR}+{TWzhMGSTM2x1g+jxXnlZJN_8 z7wHYMmD7UT@0+C?D+e&D?VR!J1Rtjb;0`f>#p8QOt#Rs0%ykE9cyn z(xtI~w8J&9`ZFPDf`8A=VYJD^|AarX{?qKccMTF$ZwyIl!H``&))S!`Nh9@uBthyFQi={TtE3LGZV)BzA(?f$!L zRm~Jk!aRy1vV6IRQuep8wQ2o$vJfNGde{GGwcoPzbbg%h*%=D@sH#%F`gnORTP<8% zecx@!LHl@WfuWnB@Fre$T9<#l>AU&yxI2o|wC`$`x@g^=g8ZcHjh1i5{`1E1@lfdL zZH(z*FRk4mn+SC6o?3Ho@|t)S>a9F}I0a=p_L%EoWTB7+am_R3cQ-;BMA}>Qw!J2P zHQHArC#7&JKp~E;`d2-!@j9cVFdAD?RhS)=mH$gTEzb262*A(sskX~jcG&)(jU3Hg z&ik$RLipTTSkE2TyrWK#ba8wccHHyBZZDk{61x3V$^VoM`CuBzW3UwvX&#R`trs>3 z?IXuw;Ubd*lAA83l!&)$kE7hH^`J{Od5hgMsv3-&k&ZEN5g8x*A~}-DsFXTjA`w~o z*~z59cST8TC`Hz50u#dmod7dL8uw!SPPfU9FUW4qfxGu>;F$Ss0QY^}^8D+8kLmZU zyMI;z13;$84H{@TvoKRXi(-ingB~*uFE1W_H@mB6!`8n%h&ed+ z;wZ2M_~W{o^qPZi=nmzi6Cx?e8)Xps6Y0n*!;R4A7-;FuSLD%S3NnGFGxFfuB7f!n zrS)@HF4+UGi)ilZ>~`6I{3%ulFlY1YhC}WZBi+|IKBYPUyH7!bFF~1qU^H!6e1zuf z#cAJk2^h=00;aMkdF3&4{?t$W7(e-B$tj|Y^~7f_>f$(P#sWHK$u}~9V5lCQXeEyJ zXSLZkTHPYkp#kDy1AW_91Kng)x=6`o2xt~Me+ssjpZ@T`g5vTcaFXkL%@ug21~?G6 zX*pq07{ZkzD7AI3=%mGUh4f}rQHUfX#KwVQN>0qMM#1_hS)98u)+GQ~Bdp6OsLo?| z0*ub$?)m{k@0Q*A3evk*^y=Bl*+ACvB`t2HzAq;N0Hx_Q` ze}6^MORmkCe2u3cdVI+g#v{^WwSv#1#N_c&j)C$q!^W6c6pvtG6f=^T-Y^IwT zwow+7zBrpK{LXT4Wm<;@XiFVn6=4pW%D5hGQcW6QjWm!SnC)Jj4fAq-8lYZuv$0?^ zmFfM-S(1rC+Wh(D$?}R0^KQ$o=5z@5)ZCszR!GQzUQQl?^9;&N&P^ch3(N$Cy9s^~ET za6nVTuVA!{!Dx+u{)d+FHD`{%SU*{x&Tr|EWdV*JdJiOzjN9L}lw7c&gxdmWpg1SO zRk~@;z9YUlR0eX>V+5_iUJ63(bnSQ4vb(m zXLz*swvXEW;&iJf6|f?BAOr5@H!7>BiFvNxdjlXLp5O@eSD1-P(t1Op#^ATuKe?9X#9AF9fZuLeez{JUy@Lv%+7pi57vDnM8VeKFD+`Uha`)jDL 
zEc3}$kKx!c3j2`;KO){RaF|6Gr_;ToQ+scj^G(YcakWFliUkx4gR$IDonzyhJn-v7 z6TH)%nd-UzPrCBKAfVeyy_r-+TYiVG-x(Lm5}e2sssmG)&;F?NC4ffPmM)bHU9D)v zdEA1`7=gLfE|d_;@|x`%GSws7n(jB-jsLtE5GhRgt#Y30Y4LjXnhCkt$6y1No~2M2 zw>d7edT>TCcslwcvi7hjx!W-k{;UlNTGafa59&*t{!h~KaF!yB_kuAs<-x0ieX}W6 z1h5W$;NR~J67M_s&+f{&frwOH&`@@hlTc^nZPr!Kh^~HHC5Kxx%g$$^s4qAQqK|@4 zTL3Ipi_8T`cr}kxt-to1sMXefEi+C^seM%|qH%+XSu6ZI8*JmhW%aEBOGR^btR`7n+fQ3qF{4E&5hQFaJqBa zg}%Pnb(booAh&^*bKf9>@>Cqy5%9If2HONuHg5sj4)kPrB%%TU%gRtd`r8M+>@1s% zCs7-(eRTTJI14+NPo6v^AudAMyh}0GalV(T!JnOJ+8qlvzj6j`ykNJQ2_c3~n#ikW zb61v7Ptxq7YWIhF@nl#77*ipQk0wmVRMAUVBe05A8ek72M$;&xlhqE$=?nQys7auV zufbVkRFCykD17-gyto(xk4J{G%q%b?bEYp^7hk*QU+Uik(ZckizSi|PBgHuH_y{oQ zrwB%Y-e|rjWi!7}m^K{WcIsc%UnKm>SceT)s}FfD_U|6gNjQ{!@gP~94g%bA$Tzf- z*FDfRd8cPkuOwjc?(;H=r97WKva;YYL%}FJ)kp!6v#W}t%uFUS|MSp2?-$x<(tlq5 z{5B*SXNSj|>W$_0t$8@`(q8Bh4Lg^ZTd#mhi4LfSgw+GPW|dAP2{Cg}-VxR=Z&{>P z<^oVD7}r#)wb{ud%V|u-J?Gi#e7Qq4#aQIAFikZW#;Id z@Bg{e5c>#TNiy$j*H{%@xOIAYHtcLkY|wSnU$Xjj6N&wo+kX26?YhAD!2hjkzEUSK z;jAtCC62KpNa-x;RwN}UF^xL?Ay!;OYuE{+hgCZ9Q?0pB76G&D1DNqa_i#K+ zFMi6b=t^FUW4jDfY323Ny!h<+6!D{Mlo(Wxtkg0`#uJ|ZE#D`ma!Gf(Q(LYhm7m^A zvnw1UwT%49E-fu?S&>1K%H-eUsK+6sT@J$M$fZ4{@nVcc^4keC#ihisXbjP>lO!&# zj!clGfa95e3!EXPN9sI0T$sK^T+UM#iu~T_2(o~6>q4+QKYyJQ{=}#x_N5>f0JmJa z8fRR~?6G#&Ax7%2o&CdF)h{en}BZ2wrNoTWjyCafIu z{$9O&c|VEbSm!lCzxuny28ABKGVc&~kJhG{-@>MoJ3R)RqZmejB03Q&O%BZ|7}Z`jhD1RKE<#ZKpZnmE{#P4p9-I^q^z(fEdpd< z#MDQ?_KGB;G@jtn4qXQB>8Fdy^1YfkF_}eOHlB(&yUv<`+>?1$JV|eR+i^IPEw!L} zcq~<%JB?Smx7I39zuya{bBJz=7}VJ|3~YUUL(^jrBt4W*+3q}=Sb2a?m%}TgELoA5 za_+a3i--m?Fwe48w-S!a4D;C6BOQv5b}_`Ddue+yfub(w?Gf^MYPwS!{cwwsy=pdt zyoWS1oH@-`Ih+#{RPU#xsiFGSA0fUI;1+;j^%70<==q$h7phb|C1#`HMLa=piq7JN z3D{9$cq2t4W~4#YqioaIV1G&{!83m?^5kL%r07;g@)W0y4KaoI9rEYLu5<>>&Pbjx z%hGBU9c!1T=LNY8TL6CQcJ0vwc~LPVOh7kY2EL~VUX(KiHl4;w;#bMp$!KFDFj50x zq|654d?$EtqldU7*(f9&3wk)FV}ml@YD60ji4n$^#u`U^J@fTVr+K-&b8AP74+5?LN3r^J&7vPkCmp8L?<)qb5>b0ln0cbLGIP#N&#WAAZD#ChD901@_B3z;4grv4HB 
zrKIyPx|FSheV#RwimQ4QNecxlgeNzB@~JGrtjv-`;ETZMHY7(e^J)t!QK|gNHYxbY z^6+qmT`|@&o^h2iL1c#n)}1s4Q6gn0W@FHKY_zIhGk$;+$5xDW4Zyy=onqiseQEb^ z;RFF=L>rg0l{q*iD9s*UARP3D8UTB*y^+yy*4rcN{T*0gZdg{YMyFB=AZs+D+7?ks zsMC`D1MtjhL;Ou+oW!ghdXvAWKO_7~?=22na2Ev{;!OYyStpWee|E{v3Np??ws&4a z$Kq3e55N)Tsu>u zaYwqOzkch5k^5CNVSYpU?No#8_5OP9xH{~5BqP$ivdef0<>1otXjRn{lN`WUhk0v+%pyr^=!urbMl zjL1c}R4){q(Y9s!g94l&h-FyXC_AYRC(q<5r$yCRlcz#rMpvYL268Vp&WmS)A^`IW zw%}iOY7nc;cUS{mE$kv5YGzj@3Wwe9Izv`__ol{AE7(-Xwc)0MVop9xP{wV(cstTh zF>^D^_$0&Rcm{^X$?PM4#~gU_3L?6XIu?wJS`@xeoMSc%bnpsKy~4UMo`F}C%gHQ( ztBe3BXtv_uzd*@Et~H&z#1%A~=UZ&fYv zOzQzn)>>?s@cgJNCqkHAPRW1UBxn5st4P8H+s#sY?T-k(OR z>`*TV$d9A5U#l%8Gv?7XViZE14}Dk?n4l=Yl>_Ao0x}pX;^JnA5)M@9-Fp=AgX+a1 zxtTmL6vu2V;N{JUW(6A?8L7)n>6v#fM!X%UtgPbE#q;t@?+!5Rl{yd!K0tfi71le$6rVQ8p2~t<{bc3-;)2 zQEsa)V+<1e;1gbCsg9YRxC!@UsDLMb8ygkV);5*L=lG!xp}lFYxmOz(?gZ<}s*s!; z^*q5(KRd$Z?z4@Et;ynzM{X@^Ns{kJX%8}jt_CZF5-h5jk_3#92V^whvgI=6k6bnE zC9DJQP$za@cA{`$&2!&|ewlB1VLQ{px9BGANWv24)%_||%0J@)k@-9xDe>ee?EMzl zsp|b@NbAo8F45oSOySsME|RG<2>?v84Kv0*xqjOHQo<=0q%Dd$bUOSgZuCg1fx7SQ zE0=kB=u*nYL`cEHb?FYTHbQ^pQnBmB%@wqyqbk*uW@^bfCXCJn|0aorpjlEmr^v)5 z@`qX;v!&rsJ>JkD%<(-tbBRS=&Rre$_+PQo%6v}GvpwmRF_x~lp&~TNZXQo0(ib@C zB>FKv=ZKc#wG#F6sbj}KeX%Czh>v6v{E4^Y!7fRsnh!q?Rbhv1rfOF?6Zjug6 z#hfx^OXtcKY&0AaB$KGi{;a^d@%J6$k;J5Nnfa7gU zU9f$JTt-EK@!IF{twI%NDx_r3SO2FuLSxJ5d-fmTORdvvV|1nq@rbvzOr`;qnRH_r z<6<#|oz`g>_XO(;`SFCpw!Ey!((uxbF&n;Nl{r%_I`HbHk0tBsbZJ9`y;+j$J@Ym; z*SLEMS>|(}dmbJ@hFxz>XV%5f;@XsR(6^Zx!#UgdrF@iKvJKesA0q+dv%ZF+0K}s;pk{Cfo zjaJZ?n7{J1P>5sy&JRHg1#v8QD#Ax8# zj+Uu{3sfT#kl9W>C zPdI*181I}Z3-}vqGCAhr;yePm${8{$gYZ@$=5coq)wH#iAf$Io?|%$8hz z%{RjG8QQo|+HdIkCa(*?Cegw@6%_V$+jyyu%twF}O+FP8obo14BpyPi3N+C`|7iwo z$PpKgk-t~D6)&~siGGZSCVzcWnfQ!1L=ZPA6m&|qiD+om2yy3@jO361lc{w^T6b0cUEFBb+9j3&l;N*M+uRk8q6-uygh8!p$=hbJDEWMA z2R`*%$axoSeQG{ug_a&i;=h`aY(tmMeqX=HFl?>824$Tt5^G#`!? 
zNUh0du5E%Z9Fg6e+oKyk13kWC9@vC?EpdIe@9t;WMqDgMX;Yop6kfQB3%bZ8OC&#f z-hV;7P3LrGCqELcyjm^>1ZF%C@BV@+T52wyL5S?WCq(8#Xt%swFDP?fQ2bSs z#+0P-uB`KTyT?Y?F}F)Y0}U!ee@#?n<^SF@i)r6f(WKtejI$)+%kEuA)?IsO2Y4E= z;1L`vQ+>mr3^*4s zJU|JY9YCq@Q$>=7tCc40rZ?s0-tR``#|y8EhrV_8bcMLqW<;kpwna`k)?L`*4a~LI zBQhRvN7-4LlmbgGT}KC19a?$LyGs8;?%M9#x7W}gg6abfwwfB)7rswH@&mN@5P}D5 z-FQUZgk-B>NsT`V$Q*}144|0@&6ur^*g5ZiZStZlT82)Hl+Kyraq=}F(BjgSOF?3f zT2S#C^8TXaD5k=q92eXtn`M>A25Mcq2yPP?)#s#zXcwsY2?i*;dG*7l|Jqv`@LdkV z7HN2E`FU~K(OcLRh}(GG^q|H8`L{bTj5o^ea>0vU{1?S>aQSch#w0G7bjWMYQdm6b zG?_k}*QS{QH@@ER#90j8j97+E8p&MDCZQ9bS}i#pH6;@3q1AzE14Dlt#rd7%UGDE* zTFik4!`lFwFzB)KNBLXZ0&~^u`x`ani_2#r3sfD|%xM_Edus56k;eQ;E-qTax_tM1 ztR9H(mj2Q6}Qk{g$I>&~ZEaHs%X!NdCc-4c1LN#pLJT(&d83(0!^;{xr zel-&IVh2*nM%lfr zu3GQL)O25uJXl+rS z;lZlGFK#15iHbX>Nx0NIzD6f8bs`2+FGB?Me?0-)Z!!T7ql zaiOS>amU*P3y`bv|2)?>cnR>@stEGk3ql_`3H_QIg(h$9b*i-q+r?z9vgWLnHw*s7^t+Ui0wpduW-*9RQROd2%qWthrj?G8 z5uv(CW6@ws5L3n)X93ag50BS7w#tQ4pD5zmg7p(8Bp#$)X^4W(OPb5__c1aqaF_5j z#}%!5TL3JeRqvSl5=`Isd~8nfV{iG))=Mzy7Jt*!xvFb2y^Ob*`r6$^&?1K5PfLL-&dt-zX5@KN z9rZxVb)ttAOUdBVn`uCjNuUKIVvLA+F}ZPnW6rj&L3|k<+!UfXdAhlF3XQUgSM^^< z3$;)Uqcov2@2r;9 zKlOlTwcuXxs0P>JfjZ*C$)*s^uJI{)Gj5)v#y&*P)*H}3%2==Ryy;bbGy6SkU{6GHr_Tgy*_B%OT@z7 z_8A(H7euU(Jp#W_z#)aL@h=D9)Lo8!k=k&R2&3S7CBhdvCMoS{Hfb^HoBnlPenQv@ z({ZSSEKxZehsN~RiUwY+B@_&Ml&>h6fgc|T=dGQ&A6t}JHrVjbQ<{um7LA||U#Nd#b2$*Hl_{d4a+GS)k|sbO)|N|P%jZp2#v0D?b|x}NVT@yT zMq$;itQ96Q3W> zT7x*@NM2&jeOXK5$B)hz@7H55IkwTqah5ja;>vMDcE6-qjjuSZ5&o`Eww&MV>2z?k zLqHSb(V69--yjSbsyl>IfV9b=mK-94dA3n<97V;=e!Mz(v5my$gJaSFL}*qj$)Hti z3YC#06SqhUFfKS2Lcu5tw4G~qb@$hL;9_PvKpq|R zj)kH!^cC*;K|x(iKUR$srhM!_m(S|q_I^C)e9KiFGAPimrmok|JVEgPc)IGarr&69 zA<_s+3X=vUBuAr!D5ts5((90&`syztL$sc@rX1SK%n0WKD9Aivo zrfbTuYf;S9qN6!GVb-Htp}{Vu+@6EG-`OG`W;^^Xp3X;V_c0Zv^v3hv$y+UCGx#`$ z%ljJb!vCnUnxUf)-=DhHn(#*!YG}O6?oIwq{nNTJkA*ylRG!yL(hHM&&hKa{1)ng$ z^PajbFNAwr{t=vW!#rIq@kWX-t$e32ZO+qy)&2r>Q`TqunLdgN9F( zr^9-gIdF;No)0IgL}BHb{`oXKlIt&==I@M8w{Y{9SH!98w6Cu}6kx#*t7#YwU%jsm 
zee;J!-WMRJdM$-t>K&P_amtr3>)z!?w|~`Hti|8#Ia<4JKg`8n_CRWd+*Gc1fUMah z-kDvoy&Rgf*S!j-9U_IYIMc((lRL=L(A8!feehJz?IrRFlO!S(N9bz@p$C=zNL+TsO#~~ zrXz>zmYaiNUgX!)%!x7Doq`+cMWuqrs@JtJO!eN^OxqRT50GroYc;p4r92tf;$5wv zX7=|9?=n$c^wLws%vt8^@CXM`>2g-}wnuwcPeD;m?bIoz1al)ygbdI@-!2_+;MI%& zMHAUoJzc_ar~Tyt!%sezx)YW^Io7%?&aB(W`sd{p9&PHwW4E6wsVM4RZ`&p%aDWki z3X0>#a-V*3GkmZn=?A_s(N{`^GjKwY=>n7T&m`|)!og{+R0 zxcw@9>pe)dEc8Go2J0-cuYxSL-bq2d)MDLqKN>od;;+kO}st4yjLp zEl&-7Y(j3{wnubm9)~IXvf%sy+t3A z|36jw*648N$r4x~_j%Rb%c5^|r7|L~Xp`>Mp>EL)TrK~ZgAeNEG zoFCz3Ruk;+&hkf2h(9(ZEb9DWkXVEczVr9C z^S;&-gLj{}g{_fG*>wy12CP91{`zXW0a9ElruVa+kGhHR-DaVuB z@!uiwh2$=iDea%?JOI+rDky0M8mr7q>fP0Ac{nSf?EUTOGY6ItvEMT~iHmP9+O2+d zT{$<0zNvdag7y=&YXkwKLOxsX7ZgcSTC#E1@nG#?S#y$LME(=Z>IL~TUMG{B3U>14 zx;w_n3$bI)JFbm8c}qiRENx|+C?_Z9JR4(IIJa}!lib`0tCTrL;#oo%L1lVu*G5Px zjCmN#E882`mw)$m8GO&46)ScZmhqc!#pLYDxt??gHu+jXyI-v~4EMbY$%MyhzHdUl zYh+#{Bp+D$rdDzESp^LF82nyfdD8b2t*Lb`?Z zD0Er)6zwfh_TIy0FYUP$_jk~n^`Sv0>AtajcI$v!cWdX!#$RbQrr8>0@wj!iG~Onk z(Q$F0U}W{%A}VtG2EAj`l6dwmMWZNJl3C(gPoJ&y_e>#1(BgI{#l>aj3irj|r zJQJVSzPkK(Jq|`b8;+ya+Pu%2JT4?5Xe=N>41d2AXL0<5;`O`7f^HN4K9WUduTq*5 z3tg8kZ-^F7INwnpKj0uvykKilpS-0mboIeRIBr+fY4}^@Kw3C|8dQk#II{X;M$8li6#l{SpaaEbo6Qptqw9sA*qQ0r0RyWb?S!rV z8}8}78AuM)B*e5A6|2_vjcHE7ov(HL8To8wunKkTOD^-Hog7U{F{pzoX(-ZijTyh+ z`iodn8BNiU#xJuR(+^%nye~DrjkmrJJ$kEL!PptSZb7AE&73GM(F-2 zC;R${S&3VJvF4Q(h31U5qWp`-RmMuj@8?ygYVnCP*C+>Ti_#fPkl8Rc&u6mRad16B@ zG9mM5X7V#)3ViBlBrN)bEKk9?Rk04|h~!gv>h`Zj`^$TtQJ$yhSkK=z-{shEPGo%h z&Y$s&==qC=ZVY_JM{1-nvh@tJxmy8FtnI>gUS5~&{%|dmF8qkpqlF;s45U8p24^tu z@DzKhBIo7D!n9w%|G1cf#?L>LvM&`12PGS(gx=+mnovMolYq|$S~kG&A+b@|2n zIKL+LMRv@*X@&YrGghs@*9o8FnIuFP$hJRwzj{@zDEN;g8;3|531img&ASe(+}>9E z&iXwQ!yfyb-IXcmJZ(2ZjPa}I*AJ$aXWgCwz6jl=f~uQ{PQ3#46tq5M>wiOCZquoc zWY8;XFH_OVP;y{;5=li<3+^t8PyCQ>9O|h(2LWhoQgDafy&})!IoL}{OH2dI83@O@ zKXV%XK6oT3c4sN})))0o7GGs^K`u^QTO_$fK!SF$odM7lOxy+66lr%>GW*WT8s+t(uZ$ zw(Cxf#QJfFb4ZeCp$vR%fX`i-tEF?;t0)WH9_p)|7(MW>zsUCH_U%5KM( 
zhP(N`INDgG$g$>&ym&=+xzIN{%)|&-Jb$J;n}%KaW0&5>49TiTH1nR=f_{J z#(@RFznbyS!>`4?UjR0QY2?EXPUjWxFC1q{F|}3bq8w1uW+<>`pK3i?xsPC?3ojt^#X zU-25I@N{p)1@cU?|d;b2bHbuPH!Dc-A_Q+xp?nlZ(*ZOEDx6UJ-n;$HEH*b{j zd0BCs?4MtIJy+w~8rkC*Q9@CYYQC>2>*YJB=SJi77I?Ilt3rCyzP6&r9(U;P!J&ALaYgA>*~T18D5o_tp6B{ArEsPfPlsF|RWs(f|4L&HkO~d+2}pc0sFO zLt+IM8S?~2Su(TaD{qW3vs9c*JhzYKJZU`LduX28@+U5UhP347$}`{YP2pB)6R}7y zC->PI|ATRh-sFa-5({Y_wI&@-PeyfL>5Q_+Dn?C%=g)AG~Fxkck$NtGz z=p^IhJET&yp!YxR&{wuvO1SwJXB-`iP z+V^WeA9(pR`a#icvqynq=kyZ=h%wjE$H>~7?Uq!U1?&}T4pjs8TP3*+M#o6JO0avl zC!hBa;8}XzWa4o@ebjrA>zsS-Iqi+l`#t~bmS8d&P(PcO)cVgP%T0DzC}CBG$^JIDgBjFinwj7JId(WHD|f=eDaq00o9GE zhv2j`vx*g*l%Ir$r4K3%rrl|>H9d<)m2tx$nD^LkE5>|UVD7-vfQ29WZXG_w0Y*pkp*< zzMs%T!%nM{@zB+n1NU6*qXKTldzZp3E9EtGwvw7FuUM4sH;L5E60++7BvOfjk=K>3 z7pZghYN&t9)STD-q}3VuQ+@2wBW^b4<`WhP^i!1v#nBNGS!7YS8+2d2s#VZ$VM=rs zOjfPX@vqLMc=U_q*ImWG;Vh}$X0%~EFMs7%*X$RCT?}DH;GA8D@&}bJCM;~9L^pOW ztAoEV)-8-~PDSEFody+kCslTLav${?n)aDVt1-KUTq}?+RDIwOz0^D@=p8qgo-gN` z3*Q0&x83FE6?%I(*c`&+xh&}IFaFb_{4`C63d56nqtsj0U%6OUei=R7rVcrKdTw)+ z7hn7B?$^Jsig@lvnmRnEG&vA_Y5Z+<&wSJU!PdVNP5G9Xv?Be{&o+!F6r66G;(-rH za-w*CxOO2EC_GqF=&8iEM_~rMZIy* z=exQ?3ivhotD(BspqJbx)lZUG2ehHo(3`jBj;=i;>G?Yrk5sv5(Hki=z7@DfO$5KV zI}$C^xv5tZHMuw6y+v^Xdu}hGRAkeF(~7Fl1n2i8^i<^0>0$S1In8Y#Ez%s%J}|d! zwv+0%q1Nt`;^uSZW{G<{>xgxYgUZVyoggu)4aGMqC%qCOo9qr*UD&+tU%}9(0fw66?}(W1nwp=Dx2Q%j?eEUGY5OgNM(3 zDIfx>PZnQ}2&-RlRDa?)DM_F>{^C6!p{;E*_g$`0Yx8>KBGX}{d9y&4Q%)sq(u|yU z6lr?JCo3k?O`e?KLa-N^pr)N&6NR9Wj(RmFC4R&BuBQ4uO6)|6xq47Gu!@RWMVW&7n8o1LNz#sbRLqBHfr`)1@A3SMndWu;5)4&s! 
z<2RXblkR%VeK=)P1>8fGrEsgorQduKOsX7;!EhQO=F>>|FpDx>Jp#y`A~0n)xWWL^q-IS#UPNDg9#IX)1oTQI~t2a9xip6VZS*zs2@D{be#R}Tvjg9 ztUSU+XLli0G${(rBh|b9sv~=yOu{g;$~)yDuxc_}gY6rG`xCr8s=S{X6yE85uKWCA zxaO76eM)}C{S@?)Zi8ar1PRE6(IyNTZ^472E$im8dE=waCOvhHZ#OIi8>*t#k8K-0 zTJGiKJnea=(YomJV|;~S*DdhcsOqO4YfGO>;;-4bTHo_nkC~lYJsd6lG}ouwT;5f& z=}1~~){zPTMyUrr$b_v?{^!aiApR&%e&TGSxACtNDs)UQ(olH;6i7@e@J+ zYxMoQL216-_n0SX}O`b;Nbk}>So4&oLayZ=|>y3wp64usI ztKiO5E3T89jg=ov$-@}whPri9|0G3o-y9M2;AxFnSbe-%*}z&V%bDNG)i5t(_rRR! zdJ{I+)CO%#RATvQB=&`xN@_@L{yLl7P-@-T_bC69((THdvcFPoueCji)nU^J&H(YC z-hAqj!0j~_{rZ532cf(?G=DL#v%oF*HhD^Z#wF8;dn`Z6^&GkwJXv{u`8GHRT*`$% z%3Zkp{pyzoEff8J0um=Bqy_68#EX=VNZ{8uW+{>Le3|<7X-jH5e{#~3$3dL0DaZIl$$C3qmkV9}e$^2aotC$Bz;#7QTYM@TH0+-<uuAB_#nLV^p}lzStmfI;}&;cFphhZm`r&P+^28 zwe~@eP^)~`m*E*!>!Shxp3PA68$aMMdqw%Jo2tW)sjeOvu=c)r{Z5@f_q{uZ$Xx&`%_HUyT}PPL~ObCRq9l`?^;@(8uJ@qk!|3%`%CU zf&5vDR>XS?s;sdBT0En`!Q1jBWM>V{s5S&VRKpjasuQ!xfpXx~qR>a}`k#uFQ-w zr#EiPF(Oa0Tt$0py5b zEAy*Dz>J?F!i^?Z7&}l#Db@AlW*tW3Xfq z9BT@_ujT#ccOROlwWt@1+_A%yS|nJHSeL5En#mT3OhxZ+udgkgc?nfy)qYi%xwgvl zh}NScqn39><7L5%pMmawDS%%e-%ov0M4F1?bZExJZ-2j0HhoI+uhjh*n&pTVFV!kr zUl-oTdSelm&;RI7UN;k2KLR>_{=~2~{%#5XRz)vI{37nF?gaZ;YC@158FK1-*7!EH zmSv`H7-Yw6vTSTs*ME7Y5@G`1H zUe}eRE{I|2ZEkQCl|r9?T$pboRKP+x+MP=I%s>C){S?orijHTz+bbj_SNN#k%={%Z zexf>FEb+-HwYY9iHCL;IvSjOIv$J~7AyeJQ_(l|YWtGX?bfJUKAd&ox39L5Odv3pa!Bp_r+ z^56_oH{RRlq;>=83Fu{gXg^rAGkE8_$m6A4u0IwdH``v(zwAvRFn@Vn5f(11{4(vu zS9|?ktD6nQ7-^h;FHl6$#@VSuy$R*skIb*%&)H%O+#62Z$uoL8!%oXZjn9Jtzm!!P zRGtqG^KM!By-54~N3UX9`t^Q{Az!Xbl1Xm4xT`+0chf_lB?RpY7AMpM5I^F#dYckOC*Q`c$+<7Gv{01lu zof}$geKAcqQ4rGzP~OElebw0WwT|yiVfdkOEvg^D^xl7!3Chmvbszop(`Uw+WS@=^ z*eS|WML2=6wbT!V0Ou6=;on&W5d%Vla-vTwllCE$Vy49XKA(3}+#%!2H`qV&|^qh`GB@!BtdXfg7Nz%Jb$TC;LBvr}w^1i`xdGn%dZ+ z%Lv!;DA@;d1 z9G#`|&z25G`r^WS^F~whNJmrlM$SJBmM;B|x_dS@4QX<%qNa{srEI9p)y|+e zo4e7`5;~3{?*tXRFEJ}l(OkR#IuW?cS6~aLGt>y|vd`OTC&sqNHFyHxL{%KcP}}?u ze?oejotjbs+(W83EKxrzyzNynm4v*v2nI~0 z(b!P!VWDcTT+Hv@`I|o9U)Qn%yg22tnJDsC@VE+FYg+gp1?}6Rl0- 
z7kuzBtZ5SzU3fS#1D4gyCw|AvDtH~@dZV-e$8JL=t5-X7sW=roq8n~``^pL|o%nd7 zb9@=n3SZEPlkGJh+d-XG!-U{D59NK)XqBZ`50?j` zEW&CPLYlm=9_Ks1i@b5+?N?V*a~BPV7%AaJ8XELl;1$%?{4J!FP{(vc(6Cj42sEqQ z3?!byLr$DvcqLl8Z-k7SJi`$870ej!U;>9=rMYA^X8Qw$HkbSj24#NaViwk6d;huT!*r zPplywi`CWYz^5C{o4x80hKIFt#VoMxt|3pT{34VI9R&Cdl~RB zB3i1owT(^YGQ3GCREAc?ei`SDb=5j=ol5Tgtb$D=nMBP55XMb(Uxczu=+JXtK5ohh zmFzJu)6rNhG*`@D3}QDZ1z9kGr%Zu1x}+1O`;bnAi(Yxu-5aWQc&YtTy=hkX`JrpD z2%b-QkR&2vV4wDCU_9p>vP6q z#6(2bcS!Z{KYVQVAs)TVF?3xy-r->9b;52u{%W!J#d7jF+TQ(WAAzdsb+}#IO%4#C zE2_BO^`XFX@96q4ry?j06OFgpxXGuyyL0F`cqwO*4jfcy&9c@DM^%jz0=uAZp6x3i zA?*R~^cjhO{r$_m;B>cS&G_Q?oPo6QCPvLH*Zwd-S<15;b&kvqiFCIgV-X?&8Embd ztsYj4jcP7aLB+ar~WPG+hcKwXZIR;Ji z-iu{V+5q($7L7E(S2`3!;W>-jxhC=|T z0l5ZB%J843R(;~8^?8S%v@%^La>_M>30O}O)oqffsQ*_~TIgpP&`Ygjm*if@yT4YE zkN@oe!WZB%!oId#i1WbBuCv{$RJ>b{KB5ffa074ZK6qVb@G>Fe@xBS&E?ou7jQL>d z{Xc2%Aszd*WZKO5t_)jGd~b0!{;)~~e^3k)UqS1|Z*>4>o`ruaKVQ09zH-&n`OvZ2yv?8?rO=8j^@8S(NL$Xy`Z`a zD&9x409qw&YFagl?DJ+J|Bc4NKDku>TYz+9KP3k(%VI0jiPECA+;{B{CzK%1){jIu zfyqm(=}=a!>`bcA=6{{4kA=?-&(D{4OKf20z^?NmqQ6q+SDbQcA05JWYm}1>u8V6g zo~xT$mSk-=55(e|yfuS zJv$uqaIktSH1+a%C4n)=Mkh`Xm8DM}fo#)xF-Z12vUvUa21%3dX8UK7ESfj7-*69m=3I68WRwz z6#rT+yep>&a*FSTNb8vI@%*0XIr|9tGg_3Yww_0@AiA=UPkR=>*u&tq*3fFi=i)|x zScY3e=94e|h%+=4$R1#;uO(Lm1kJ6WXQR8B?H{>0wn8kPdj<*o%>EeRJXBd3Q`-S7 zESW0i_uui~@SXKX9^Ie;+6-;1;C>(S)=lS}S z4As#uJn9YE?)o-v2rb&rhSb#(H;(XUd)bY9OTTJXGu49kvs40eJ z@vgEOJ_}m)sBmd_*Q*2D1rNXW#caF-|Gr8);ZO`BkDH z&I6yB0AvHeeBeZ4DLuW+tzoLu5mx`8E4Z0wWM(1|8>qka&kt(P5#)mJv6q+luCn;` zu*!P-pOG`%k6>f1U;KxN!NaLH5qpgQRE1?*RX>4s28=)r7ZJlyKVqJ;`7IWU1$1yj zH(N){c8`#qNmgevt7#qqg=hH(4Lj-cdzSW(smiP>9blRH)!0h|M(BpDQtt6eUII@R zSO~mfFTdZX8DQJj9ZQ>nZC3zTGp!?iGe594$P&&7%JXCS7e@iIh16_N$6rFO zmiY|ZB{6%A`{!Ht8sN|!DbL$y2^KFvA(MdZNE@-x)k0G`;geWBV!Q_9e`2W1x@
>q@Kg>tCOg3z zGCvMA@FGaWgYo|wg=m(}X5e8graWQ(%EBd_jlcy<4;WajqxR5O-{KAod6tT>CF_tq zeTYgpU0WYD-Q9_TR?ph#+t4oMR6kgPMF~`ybQI54vICAC&8AQ?-MC8c^~~?ab45rW z#l;cyVYZz=uA3Fu<$6?w3awqR73YT9FJ?p;px}6X@E9x@jxLPn@q;J z=dG^Xb@0dC7;kNyvc|#_tX`02`d(4hzs6cB;stsq#~Ln=J3NI}4Y%Vi5h8=Yr7mU# z%+@n!VrzcjL7zXf6-~WN^#!56NjI!m1m;n@XToLvW@c#pMRAs9xKej&_N0sW8En=? zd;zxLQawAS7qV*KE+2wlAJraBrP6@Q!U?!K9yInGyx#ycMH{IBbuczi&n~pJ#OBxH zOx%Yk&M}@G@E((Mx;2XmN0=geW!oBlV=;ODbVbKQU>Cg{= z{okEj70({q04*mlz`cpsh${!3vxi`T)*z#7+!9bLOXZY2nxt_cNG3{~>OZfNEJDnY2OdCTp6F^R`S?B7i~3{ z&HRMK&slgA*4RUSM~iV%ldPlC2L3{in4EQkWe-HzY0hPMj%J1qQboBdvWFJLW+ z=bb=kr&#JEr+!s$9B4BblsL5H_OPvNGg0~< zJ}QT3edZt$tBh-vWlcdOi*{SFXAG634v-sJ|*>t*~;C-%y!3P*&iakeVlVn zIh+B(wMLXU;oGH&v~U5kp5K!rsPLd_WU&}P0qrHcgLmNu4>+!~^2eYPVLKQWou-^B ztE)*HrIkzc)9?wj2fR91zS2Llh(*HtjDLa0n@}#q{ude3)NZA#xzL_|G=sd~POLlr zrVZf^-N|mPXVq3*d3@d~$f4W}$~?6x(`6K)fzeMi5P!^4?@R|+xg(|=k)l;)zk`y8 zQ}X?wSN+Sh$nL5Kj%zFpR96_yi}}|jXqEf=#AF-MWGn&-_I#q|m!FYE>ob#a{st&Y zn+-WR?W|yi+|rBh3Tu2dIX8bn^mkmhG%f(aO*j%xT{m zKj0s*qO6q`4k$@NI}3#Ni!p1RmhNaqt|QNoYg1mc?v1QAkluH)0OoD#2ozT>>Wh3> zLlq--R>)S8#PQerLAH{iKBPGPrW<%wb#m7$PX4`c@D`NX7wUZ4vn63{V$es@L^q;e3F zAHFzQxdjO|)t$ZX)&g?SwW=~lbk_w8$YIKcNWWt6mT2u86MaF(-12ZkKz5oehjR#b z6j)MwehxuDkzXY1-<+Z&zO_vG_dVn)HRUr1X8UU!rq66o)Mk(2;hpz)St+UnbFCV0 zZ2JJxHOqGS@{9wM^26?&3ws0PDL!%#yZgN};{hh4N#PT2z3*#@zLpkB@kk&uj1+%-G3j#Yzt?x2H=J;o zc-DH2L0OKbZLozv1B&I28fw_+DXMo&0)~xHa}vTIUAm7nG<%5f73W;=}}cxyvs0yphGrwtYHJD zpcNAxaw^2rQ}77^to7>?`)XignDsA;9LoR~#(^Rke1XEny%Smx`2xo-9A&%&-3OmzHHNjgH zRyA978^Z<$c3yTW`rNbT_K5__%}aU{>CXp~@-@wTyal@rP&yq0r`?z|6OT~%0=3J{ z=r?X#_hBz$4K`UXR7>zv#zvq(xV0cfPV1Wr?S(o-5wcQ7 zDM8DlWr3&(+vyL6`DC2^b0s{X7*Z_v{x((Z#Ch6`6tj!@ z`!C`ORq#87Djc~(Q=#|f&7|rZ^fGqS&4BF`m6aL83toOFj#&-O)BfhxOl<3~za22V zW*}+rV%Y7c7P^jAoqA*gwQmGi>(dc2)^*QlXC`caQmNXHN;oi8_?-&$ikVbCWseQ}zfL}9Y z#UPX{nA?fUMt+7W4u2&Q?_~7WGVA2HQ6&*x*Yzg=-vFBz%YsN|p=Bx85l{hFl%+om zd5Qg=eUGq3)`bMM*hEtlxOg1@`&sKrTfuVSy3CW8qCy&3dn>$%J07~hJj 
zeS`hb^CHL_&T+rxA3hhG-GorPCtI+nJjC}xtA(iCn;ZOo;mG8s+MbF9`6^%Ups)g! zk^E=Ne0k4E_{OuUiOlBc4?z>iio*;?3sb2QsIqa;;G&pw{hfT3?2yn@3QDfi6Z*R| z7l$(m8u}DDR$SkGh;A(t;c3b zXrCQy*fNqqu`p_^KLi;BgkUpAO}*WwNFgBH)+I9LEQ8vUAMM`ZHF(l}25{Qnd+eyS z93s9dyhZFiZPA>cy5!SoJp%leGRe-)XO4T`h-vw)HB?G#zxIVbpMBbgmx|rj!}`?7 zVlV0VpF!ZKe+-MOC1Kz8Y8M3bbteY^A=UbJ2{cMB*_NI%mWeNem4_YM{qK_ zw(*8GSu|N8I=OQ+LZC{SA+I}_FLK8#0nY;URaEKY6z%?mSxZsnSPo+B8u!x88)5uS z9-zUA-np6}s6yLIqk*0{j1Yvnb=A zy70R+aH2dwNTzx(G}aa^({MFUztK@~!O$Vn+Q%3ozUWlVY+qvEmZoxMAf{|!4eMcN3Bi03fjjsEywr$e1di zSG5-x7;2qHozqIC+yFZ*ox|kO*w)OKm(wJ4Pe$Jh$OwM77MdB;x1t@{cfhZYL9K#anE6_ zCX`JCkGE^s#guQTHToS_<5cFRzd?eJ+tmfBJdY+5qnESR5}$XI?Do|{9EZp9XeT)b zhSLzb?^yicJSK`${DHD3&t2u_O4E$2bG&CLONwptX=TYydd7m9XrU#pxl(GoFrR z*Q0|z#)X*$$VwfYyYRRY(JE~V+4zG?Mc`&y?=IX19+4ftad+HRRroM=?Azx`gf6pb zS$N$-eTFT+v~<1u%#at$d@#pV|CPkg6~(7aHr!96fpRiQpUL!hV*DEO@dqVilEMew zGoI}LaKIt}QL9q1L95?2mfQ%qEtnPNudq88%HviZ;(7|fy6>W&AA|*G5VYk*yawnVMxQ+UjKo{1dzves>No{ecbr zbcoY0(9KsmTSJ`{v;j~tCdvnx*Z~067$s+&)ke4*z|A3~G>oI0l2I?G9k$i=HAb}) zu6m1yb(iylK$LNcD*}Wdi~8RXo`Hv^ zoi23SLtsAuTTtK!EKkD$)=5f{Z5>|~W-#j6!LFWWvQ4IR;hUiJn1X!+n z1LM;vupgQ#58Pc@@GxXlos}vB)w)hUuB{VAw0_o{l!R(@r^aghcbkp#bQEj)j~lAJ z&bgPY9K4z&U8NaHoQcuZB;AzT5Gch|vD{Ed4T`of`lH?m7=Y4VPBXlE7-y!U)PFCB z*`ZSatk!baf{^K}!c|NAdDNQUcXMYP57_ut72deuvGKa-g5fnk>6!zD@Rpza0)-s$ zmy-M(xYF4eY58~WgZIbAl}It<+v88q0k{J;HEJ6%MR(h$N=iPYugi4`Y-Aw{kPTAP zv;vZm9>m0Ei~(Bpmo2)beM6M)mkXzyme^f6603H8m>p0kCGAK2D6hWbjejA6NqP=| zh9)YUw`bk>c~Az0nzKEv9z6u5XER@Q2r#FX`okJNxyYi6c0wnbopn(`RwWr(^;Xt< zMaN6}!Jn4s7FV5tg&*{{iUd5H z`7NQZfdAqa*jA-i7ppauLY}zlx~2u%UN!0vvi>4*s`Y7h?e$c$@9PoyCkzohB!1{= zk>!lP)Tdz=A#R~;tTU_VPWMR8ceuZQ5N_H1(R?EY(f(0K`{InfAo_DAv<%&Pwc}E8 z%xu4xwEU`gpvk%G_A29vvXBsu3i6C(M_9S<;Hvt*0Ba%o?enx2H;S@=wdZSGZR?n!H5h2{avr>d z4|v}`vgnSoQR@zEJ2>ec4i1*0iUS!sDX=%*qJCMjJq@h?TlvzWEF(cI_f&IHa(%4) zgkem$wXfQliD{RJ3z*fd-}jI4Jm~JENd&3={RRnw`1(7GET&R96lIBZO;;hN-h_gc z0y>uu2*x(o(O={<_d~)K;h@a@;YtVu9*%&6EEj2uwZaA^!OHRD$A*zuQZ2w~Zksjf 
zt)9|N2*fsrYz1xXEhhm%NdNT!l07hFyy^#*ZG#hR3Z)7tbShNxU_lRs+teRYd-~KV z_}(bd4A@8ld)xMDW-feiP`RCKb9(=*I-k~l`y*z427hfHp6MQ)8qIYrL%8v!uYS7ZZCM^X8X9ddOOMQgPdIQwrZXs47;pJ=mvzg?BKl+32&~C$RINI zu0*>JWc&A$3gWGHKC4ZUaQ7}(A&YaqGp`H;d+DL2`)NI$-o&bQe)38A>o@*oQ=)bL zK|y}$F%9F|kqxA;$2`*`oc!DK^RbL0ddbHptL!3$jNpkkX9X)^)gWqyg+fhs2x0?{ z25Xk@>Wf-gE$YDWQa`h5;y$x)1Oon+zeY&yY9eW1zozj!4wgWx+2|r__Sa#Yv|AR+ zYXU<&rdxd6rX+VwjZMHe_#Hs;vaUT!Qw)E{u!OjMw-&`ZbxMG@A{R7mdY=+20hdKQ zWn+xM2`lS9sLpGxvx25YDnnA+f5v2C`?0|Mvy>SrddB51*^ZzVUzS%)_*ga3LI;f~( zu&u1J$+r8y2>FwxxB;6z#{BjjVl)?DAIO~NviEo>Ak7{-A^QrI^?J+-N({dsp8qJV zJj^E{;&l_y{wumoPDM;HT7PdkEJuV72&N{S^KFCVOUo#!6jix3N!#d(EDKVZ3~Ca&zT zwZ=rHl!sFm^NQ9NMTkyXfno|{))HreFEN7}cB5BRCbZQ9-l z_Gr3i9TmVI2+BYd{)B{whab-ji2LCBRz47n-wtZaowSDKO=57TQ~Q7-<``7baf~uZ zJ4!T2YnFoaXWGhQyOH`JkBk*klqQso&d%GacKfPfD{r7f6}Fvcv-j=zw_*6F-;9f^ zFH%FXmmiB2x5UUlzfAob5{|np&kq|H1E7xeK5^ORYM!)iWXZrQUf)y7x|6i*ta1{YiwHSG#c-5H8%;ivpEO)!nWH za7+~i1D(J?*${lV>`(0W*`Jzn+i}9)CdFn(@!up;a1y(Iyz-J{=G{ch_R?pI+C8Jc zrO&U8*X5q>cnl8%=Gd|}4hyar4tZPqzP4YU2A{1H|j zv=!CiSEGUb)gfk^cai%+?0E-$8OEt5i!_(H7N}bmr~99RtkScz8v>L92LY^X8@9QF zLSN6s)>S}N;Yv2=XIIUzwpp=Yn5@dIin2`;O4D&L;Hzrm>WH7pr<-lZtGD!Xl9Opa z!}9k6m2Q1nL=}6p>04$QLrvtxNhS%Todl6Y6^$5Q=IIrYG)V zJ5I6dSI8#4ZF`w5Ac|;;!pBSq5t~EKmr=^=C&(Na77?UET^0R%D?rl0IOqAd<-2O5 zuFl36(TYm1qBJ-U@qvq55f`hck33sy7NxCHuMWo9GB{1DUuIOU56#O15?kwr(Uw1M zY7~d5B<`=v6YxtTe!DntpIIvH#M*0Urdj&|hC?Q`E8FdST;V75>uWe87*5h;2JbnL zR_@v2H7ly{mj^3ObcD4xE3{o4$ShPbXSa>k>!U8d=QJKtDPTFhE+JR5e_4&G$Pj7aq6=VjDzl#u{XJqI-sk2h$xLoaj6aNwOBt8-Q$&T`KOo_-LXgb5tr zdh^!i#Ogf!1;1}tE&hqdml4z{>XVHVz)m)crTt#9yKomNfo!fQHc3KSU)6MjIk3{y zmeC|=X0lF1iOIBKzOqdWv3B}7h|_i8L76C;WFZIEpr^eF*NMJ-%q%4~&ZMc0b7 zhog1xm+4vn-8=_wLVl2MQ);&8Z7&DH1x~zLd-H=YI&J(4Vju=Si(Q8eI8K6Cm00*r zI2;uHH7HHshx|5t5PN~7>Tg;<+q>^**5d0u=kYfCR!+;L3&|oOB9{E|-!XARrR=(X-P=I7MOF zO27Xss<6kOVW$jJ_YrTat9O46`qxuTtg0BCI`#W-S#)g1s(po!fcHsnLaAlmXm8YpL zHJ7?m^>GZ?Jv0Cx0Bd87o+VxYy4==NH<;CUFI{0faNo-jm30@{)=;=yPC!VQ+-_i+ 
z`5G3Ym-=0WxY^1MFNGbxnzj{PK@mrZ!gQB1I0Fca$+RV{??)mbhCnxaWq&@jjv_wM zQKi8NfW-cXy|0dn>&vnxxCMec1b6pBD!97_4-(wn9RfjuCunejySqz(;O-XO-M*^y ztm*EVU(59L^vrzI|7`9%XWw(qJ+~IC-hNee8$pkdfZlpfx9i(0Pq#@azW4c~`x#Gt zrmoL<&&3;ZB+ib$zUT1V&s`)a%lB1*zH2eShoZBcGL%Qq2a0=oxM$89?lLZi>{S~M z7Al_KJK*MlxbykW&WWk*kqwu2d=XbvAFu1Rh`77d~5>pWfg+)Qo&Z?+#p7gB8RZEc>MNoJmBfZk6EPos~%IrrEO_rTMQ z{QFIki@?=|r&5hap1bQ?-wg5A=Yvf5%boL95*_aaMq}hX5r<+)oCJK^PiV-H-P-dwrnY}fcv*zvjt{KTg;!-{CGJV(jfXC*5 zr8WGkb9|T3qS?`+S)x)SV40C?ee7d%?9!Un)wvePF*jN?M^tJGEHm}3Pk(Gqe_Zpp z8jnVusT$s&BPlganW+NmjB@?*TI-EI*$FKC;?%ke+;?4CoqJq`?$2#sTKzHd_WRk_ zr*}1{AKD3ox(h6XJF?G9 zSh_<)e!k`rb?)(d3(qg=Msqrd`g;d)=?=)@R-X=XY^-_6pL;}sVhr!|f*ce;|9>5G z{31>K8xp7jki)4y9pso;^B6hzkO$2e-RA{4_0;hmVk&_s24dSyi|1d;o}}ZWVSSF|IbMeKk@u|C@w$^Vf$Fv zB;k)ScTU#HmYKVNM(z^k0#CFQC}99=3X~{7DFsR#V4ngd35ZF7k_J?yK*<8eQlR7k zrzud1fC)T=0#DXdC{=(`Dir8zKdDfffS6P$EkH#oln!7l6-p0qnhIqAKud!%1hA$- z83UBkpx!qYoC_&lE13p;J?e2mDc==!MXBHIc13C56?H@D-|coo`LQeNjxxL3?T)g# zE9!yrbGO?AEjLItI4oi!q<~wcZ4jHVfTb@Cc_>G6(_?U2@NL0 zo(SzG!=4HKCc_|zK23&!epqbMB<*EzBMuzE?;8dJ;OjRGBtZK&jF*7bZy2Zmh(ZiB z!0SQ`48WU03@m^_AqEb>uMh(d@U@U0fb-H>Kj+B5NFI3?qF5et*RNQfa2KLPo?_Rp zM4n+6qEwz^*RNEbe;1-mUUb*5tWMrk(_FO1XRCtsMf zyqbLRzU5^6g=x#pxW8!&#Ka4;menzTvzDJ@FU(s`#{A7&?$8wXr=q`VmH9wVdt8#& zPk$s4_*+1x`A48-3(bTIjjCZtdO#*VXSZEJ@5{_1P6tU+rAQ)WMb+$3Ozf!}QW$a0 z0Le_HNK$1x)$9+eT4na4b|p9;J^l%QTMxp-KpRFuyw_1fWq7%&g;4?OWSAz{Mg_K& zf^9QknlPpEI~k3$_ZY= zOK|m2;KJMg&zP)Vfi{Qh18D68;2nAiZU8KJn*zaI5CU!A{A*Bm{($CmPW49<<{?U7 zl1=}0pl6A-r`L@S3j7Ngz@tA49o6cYM?G0DK-K+i-~>l)Z9gTDT0NlVYCq0319#7p zdE`t@ZS6eOl3G8fwwGSpwC5u~e^ST?Fdr&9+Rc$GGaLi0=Knj01h42fA?rKH@mt^_ z{i>czx|`k4GW!lqhhQptb-us{dPe-z=&yq?H*q^_Oq2hKFj*DYUZbRd3OOS#0EE{e zxP&GJjO=#c2`gTEguf!%&Dnt;%ar$seMPjNV~Q}=A@7m=iujPiSs|1!jE$V=m|`%( zsXdN{J-{;ie;WL%>Ni1@pS+$cOzh9WZf4EuJO$b)e5u^}{BHp?*ztc0Jmi_`xpt)* zR_Aj}w*oBV(i3GQaQ59BoZLwt!{~ha*6$s%Fg=tFil9eI?sSD_wS$> z8)oKx4NX1QM=|#QRS?QnUu#wpVEJ*HuD+K4h5&WO+x>)_xb!~Dm%P6ALmm5n5X_z- 
zXRuFQVE+~vR)Z>KOfG@d(dN*92`Z}>-_Ck0m2-7I>#b#b&6dzIe!)H57t60lVq171 zPS?xaqcKA6_+|;!bXxD|0)7=p5+(OMOu?)(St&2ktuNy@9|qYe&(IP~Ww*$kQA-)K z&XE5YWTm{pygM-O3dEB>B)8v`9q{fx0ww7Aj{%I1HYXCOiQ!8~|6_p-T-q=AH$_^4 z9sj$);!54ldg`HMb-oZ!r=v#Au|B}E=)FD6jQa2fVrj|xJY;D}@^M1!q(!fWw95VK z9s0?Z_ujdxHS6=j?mk-n)|sNflKxu7ybN_SZNJ(_6Xj=vg(o(1h!I_SM!z}B;5wM| znQ&XA_vKit*x%pLcQStNQU9RL5?z8@XF#PbWYeKjo3$7)XBFI#Fg{niz9@ZbrR{H% z8&q3@TdOR-p#DmmHrJXyyd-|27OPiX+F~Kxh~A{e8m2N~e7;t%C`n6*Mw_<6nqImj zey$cPPhHx2AzX!itJWH(Fd=rKmTXFT&RRRuBKM-UM6*WOXF->J!Px4Sb756O0Dpy^fz1W3e()hx{}o@<+BC# zi?_7**7Og>@lUmK;Bp~eug&dbgu-8U2&yA=r`Bbeey{Im$MN4f%Pg4?)S%;ONJ{Z1$C_|syW8IURaJF6x zIUyZpuN`Ba`@O#8N42uWqPmq9Ew>GLb%b?TY3hSf3y2Ezxqa3>`3YwmfK&5a=mvQ& zEn1OMj0|<@nEmejgoA_sI85dno8}8r^6_2L&do_t)W)WzvA85#@p|b_?H3S1S57z$ zt?j4kNidSer%~yk=$m>F)dU;3Bs+i@llujn6dZhVjfAaC`_7ZZdJBQLht0Kcyz^gb z;e@~-1qP-0FVpOA!SD_Y=JRubciC6vaF-H?Xw^^flT2ohF$KCm?#Pv!zCM1DJq(y; z2Z=`|rph%)TBF?-IMu+oBHbTXuQi*#9tu^uC@ln<9cIrg0lBxwh%rTjJeyY+Pzj|%flyfLF z?jp4iSa29y3-=aG?EFQvP69<-V6yc5RHr+A_1dnf_)uuws{u;AQflV;sSQl@0}~-# z)fNKbj|xFGE~lAz5dWtcqoJpCenb3Zx`$4iG%D{K<-}e zqC+9V>ylbHcd!xK0c`9C8!5oXFTa?-jDsx`SFaO2^AClXuH_d34UW=k;RY7@tWmQX zT<3|69gnL8;CGfmT^V_VQotAmLELDI$9&9x4nXlnTN)QYQGO4ECjuL|0mks0@Dd3j=r)cTmXbRwH)Zl1w;AjJ& zq}Sl2p5UYc;G}<7+7dXL4JfH|9Vltz0x0Ry;lK_y$s~JC=)Yd(9bJKHa0S=U1g_yv z%=+I=3j{CszZklpTz}>0-w|4}-aP+$#C7Jb=t^+QU(gikMLfAAE{M8kL!JTWTo(f_ zCn#TVL6!M?&-`|5c@Gks=AQqhHpYV_9K_efi&%XgxV4LIp*Yr$* zO7QU4^&fx-0A%|u@KhX~B;MPV6de640F_@(aP$}K?TUhD{1g6$9&CcU_NU-ds72AU zz!&3|zvz#k8EpI0V7AB`Gx`zm_k|%S>bTM011NkPILANXujoN<8arsa^8Xxw_6*d@ zQl!z%^DMzX0fk`4e={(HEBGh;gL<&)xKcQZbkp1>zX0X6te=1QLh!h3;tC?;ddA$- zZ}fh@TA+RB(RrSD_52B7je6ql3%a@f7y6O*rTdG&hWPK}dKU>Y|3<_=CQ5m#g7WE3 z?-vM6?qGqc)3^j!pkBJefO7J-M9qtM>ve!?%bQX1EEuH+6~(j%l4 ze^mS*r}{H%U99`EJacj(V7=}*N4?Mm5S z+?C&od)AfdIo$&j7fWmV0eTXL zr1I%`$0+(q7ob;>{TYY1>rErvrR?E5tTq8OO?@fWcMOaw_)qhPHr1FY5kArU0O zoi)gSi6E^GL#rD5=9feP`-!5X6n4UGzgE<=Db(Wg7QG+<( zI3Ov{3oN|df)%>629QDr;(!x^6}nNdLYDzn=mfzE-5(Nd!JJmG`(7RF(FV`{3r4U) 
zCkR&Pyub?GEm)yD11of!V1=&#mqIrRmhv+GfY<^idV-19zlh+p%ivzL%z%ky;D{h$ z*6WDGE%{$yY9h+(=oe553dpSxwT^%{+_{cC!}I?;xCg%&uE84FKMej(V%-0JY47hV z6#h?(29m6&}e-osGr~PHX{iVNq06_ZT{~d?}FZJ&Zy-iTJ{NMgE z2-p$d@&gM@&)j_!L3f!CC&$58{ix4+X3@VJK6R`h9mY7PlY*q95q8lt_i6VKkWK^` zeKoN2b_b8_mVcjLgd)Q<&Gf_OdGR@Nj92>a$X9KD6|MK092CM!6dWS@R|qt42thJ% zJ_&HX+YjJCBxvA#&rP;QVS`);XwkdQRZhef-tBF>vdcf04z&t!w@XZr$HP zmX89-6Tjg1IfkA~yQ0(=09iE1ZQ-X-lZ;{0#V?&p9TtlC{iU(AIckEuq)8R@8{{C{ zR@+iucD=jOWBKlS12i-hWcF@l&qxwn`7$b#ar}KJchq(Je0+x$WQx9RzHkRyj6fvf zbNAiz&mc~pm);%!KPi8yFJ3=E-3kTu@J|hnqCl=A5a&-1c9K$fwTYcvzwd~+_IU~Z zg@NOS&H3$*r6CaUnk@r$sRcZZ`43G3V3PvK)ZFwXW9#(jy-y-sS~JK-4W%IeT|^O z*X%^lDho^mNdOjKMnj{tw$C&Fyvh6gwktZajKoLaI0L2akXfNGX{L!ebaY|kaTM6% z?Cj<7)VeIc^Q=BY``|NQJE6Z)wA1wz-L+NHi1Kj0Tm48w{PcX1-*t6;d*sARtXKQ! z!r#KboS~3(SP8VbcHMcr#LS4&M~%LoIS1;ydJE{*dEdGT3NE+#HhGnz?%68%hl0M( z2-MF&4L$5?Q3FdU2PpK9nDNkoE(|; z9ZakonSWidGPzk>F@diSS}YwmcoG@!Gyqyk=Pw7Ut#&p>2DD@98u_+GoidKtr`Wj- zTUFmsP-M!Y$p*wv-0mMQyPc3qFMm3ewH_5fTS`E`EXRg`v}~JxB6%*Ap0iMyD=9rB zX+0Vo^ts!pwcdZGAF^sy<1=6Rtfh7`IM2a1*E#V%Zi=lfjv#??rPVu$bL04CzBFMKJ79;&@3N=gOy6BhkvU(850p=|#o4WV@Xk5TZwmx1o7>I#) zdBoioUrd7wWzJupp-|aUTd3^mbcLuDw0xueK!PW9F%gQSS_gr8+8Gd}hR6&LGlX$8 zE?!V}l50n+@l+bTP-SsS1jDe`62SUR6?FJJU$|Ve37kObq7_^dvus%@mtoQB`^C<> zGPS_3!Hl_n$1Xs)bQKzAvE)S$fj13w!?3kqYsC!ew+Kt$-|Vww2G@>5qRd7)Y`j-h z^L$B-{)Aldou)r&T^T3Hi`K$fs6Ulvs^d`mbDERW*m+Lz;mP|DcACXHiE^AsCK*IF zYVpg!*ZSd7)=o`_>L|OWu4kqG@O=|Bz7Q6tlXSZABY$n%->nNs;xZ-{ak^T znB3-W8a=eVFX9d!Xj3lWjVXM?f5B3BqmetZx;U)1G%t(o$sdNO#Qk1lL#bsfLD|jg zQD?u!{E*rW203pDr7lQWJq4w{roXN-ICIWlZj1_a@DlRwte0x-HgUg6?H)sfe@#@{ z&q5JFKobm2dlH#xb`Nt0|ED%n9yNl`S{&Go9&68NsCky6UI>1WRP-u&4g+DH!};UW z(*6mU>7lfd4}fOe?J1|9cxG6|HV-d0hSC!^qI1LpGmI?x@%8B%;#>=Nubom}z;Vmb zAJIAL7ed->B~)W#=(bYf%*-7%&1^0J2neYQFI!UMWaKyZ;5@05$_Df=m5&A}fw7le z4{|1^ybCfhr@^;HA%KOsYfoByy9n`pU?Gl^~05QU!CQ` zPs5NpuB!oi-?!uMdP#lcY!CVa zgqv|aQChY;bNYrD5$5M?j2cbyF@cmiDo)=L8NtV+&Exd6aKhvTfx>KM;J$R?UCO;D zrmUVSz4H|nCDtxP*e+OB!K)IsU2Fm^;Bzg%*YGAgLads>tq 
zP`@P_nvNV0_e>jba-?rhJ>zPSmyCTxiwH|CI58?V3hYL#g*VtS3!~n|cFZD2ljU#7 zlU#j6FO!h3IHE0o5%`9(M6HD8QfmvbtNXi^ z^r}p3NcZVO^rs*DZA`-g!TuYkzJ^-GgH0jw9#&ph**N7{jV9BeoQq|NGgUT!_CkJ% zPYoVtLtz!;nCBe974%QlistAfirw`Gi*^d5?yKGyx^_7-nJTnOmKsOoynr=XJY`n9 zP577CLOJU~zCa*{ao67_-%E3Te8M1WUTE7V z1sD!MDvn&V7dj9Lgt2O~^nFU|lN8#Je6{WPC06tjbSfM?o^R!d!;NrrjWJ^}E#Gw{ zUUCV1LO^#Ij+>;rd7~kZ!c62MEyvAjet|UCyk@A@+?jU9J@*-RJ!W6^?q)YN|COg& zVwOULO0b9)4NpIWMt08d;v>#G6$oDY2zLro^agWGLM->sLSFR2kr>ywM`Ah!xiK(a zJ@5SeWOAryD5$yC-+e1{hHCOQYE%!d`7lTHd65&fZfW0zzBdD+N%`2M$RdMUxc#|3 ztk>>D)>Qrc19pRZq28eC$-7?-j%ETPf^em%N@92NNEh%8EJ{<9K+{Qde?s zT2Rcc8_oIN_C_3c?Wh-T;UF&TzX$Z4eJ7mYWmi4*C)xeNWU|UNl8G-fqU!%?#$$q0 ziq@3mCMNyZvCM(`O^=1C00Wx5JR%zKh+Qn`oFm_vc)dk;XBlJvNUD%#iyW9GGNutd zQCq&>pZDs9t0I>2EL|L8O8cES$8wRH*4HO;AQwjmhc{KNflG&ru~>DnZ*88X!zF_4 z2GK(VnYrg(e>6)^mlL%=lDcHl_)s!XFC1@aWrf7=#W`A+;1m_TtPT6l&Mjwoa~s(Z zMh17J@=aaw&1G3e8qE1MVs<=P^XL=kSf-3pnjfiV%AJIW-`S*`;Jr5`;@;0XKs6~S zJDrgOYtJ3nd(wVRM&1^>W{PsVa;N|N!Uz+^*W`}P<0HC*p4UIMpdk}b{(3GyL0k6| z%Pm^kkSsTFFOF+z7`s34+$u{#Rx(996Ca6uRrtA4SXs76vUTf7Y)|f3@=}hRn}fl} z>ZgI0{rDB%3twRUtJus_a*=pu(pWfP=ttGBN$XO5dxI?-3f?6$f%3cKelKCU@vM|< ztpUe{Ascmmq3XrN!q8!pjb5I#twAOLGcp$}D_S_sg@xkXfHs+F;c0J7WaMG#YVCwI z;ueuiVvXQk-MNMeV$TTAkkJJ=&6j)}<0;rU?rA0MR>O%JLv_b2lQI#nT*tAFHyf4s zmR`tfe-JP!(QVn1sMCYQra#=8JaINmKA-BLNSfeuujHhISj}jco|8=NeAzf1X}!ca zw~rZF7%Fw~@OeC1bTpcJ_=onSU%RmE4rVV)e5|J`I#TWgg}6`7?iQUh#PLb&Ww14RO9OWl_25q?v_L;2JVogE_|sHTD3{pz+Us}*!SrnzwPmMILhgV zovO0WLx{8G6rcSaX8%(`&%5?e(iA3VDMwXBL0`<+u~x`%PBBZqBely-vnl zCs-oE+Y*)MM|H58vI^>wb`Sh-nc<^I*6zl?V1L(rRAm;ywD$ML4ieyO`-e%Z;TQ2b zE0VD3n5DTmZWu+#(KMdIpj#}e7I3I~Lo)Cc>VvmIqQ0-4n#VNe=z7}FCe;C)1M zyYY8Rc8jGM@tO@O6%Le~oc+@XgcB<6Ux;aBDVJEW4qI%n7i~DNt=ML>vuqkZRzH|L zMd@@_ZDy`X*yM2=(YlVu)mO^$LAt|^c0PS>P+=A&>Z~y*WeASWoIP>s^>d=XnM!b$ z_z)@)u->Olr4pYRD42Y7!=o#59iEwES0IdjT|d`;#lG1NI;zMSs^PQfi7edX%;mz>5y zO^@#QGkrjN&2r|1Vk7}{%<2s*&PTx`=>*b&uQTnkty4E+xU&0r+K?>VlxMO@M{)kc z<&aF{(z3ik-s03IM3v}ga)sMYI$G`e9k9qd@!h%=;&YIZu%}J+)_XClUOd2% 
zGExdUIJ3I1nQm)$5?M6TB{~`C@Y2MJ9%Sd~2(O_!rx~^@I}r|;>gcuUFY9HBBe04i zH+*toeB})|y?8tN{*=pxV4}m`xGuyh!>&iVVYZ6_(a7iwwXqE~ow^EM{jO){c=$2K z(gJEBsq6qZKm5}TUS$DE`19ph(d(YL)^2^AqO8^OSVbEGmW-J7W8_96Yc3S`AS3FL zm6qble5^G63T0Kn1bSl6gdpeeZ1f~6LP%G=`v3%msneafsOlebTc$qy3> zLv8g%C$`NfsA~z_ZQ3f29~Y;d8v&Q4SWI7=cU_9cB>F2hBo_0EVLgxEX854qhhi*p zvXt8S-bC2M6vVstNUs4(W2a`Xj*^6_-r47{tEd;wU{-Q|r+uO(B9a)tVmt4R{!~Js zQWMM?=}U3)4nXWPY55+yGf)ajg&BFrkgE+in>-R+s7Xj{-yb zfvSW|wkxAEW2P7jR0dl2;j<0N&?>x=HcgHLj9Xnym3u11i{utek@;_}5EX2iob_Iw z&Ym9y?bqQP^C?Hs1REPaH(#pcZx{wlDm-;ONQ!s>Xb_@EY~7moVxhaEdH9(-QWF9$ zu93`iWo7YgVjEX*Q%APSGM-Nt+Pt6iGkov+^nuUk%)ZapZ6>#Jr-HuEPgJ~K~uAb+aZuyBl!*^6FGa4EiJ?Km;t!*Bj&gZ9Bd)DdM;@^jxrtUl*-!B{uW+)j} zsAi~AK5b|?@ZZFSO$Z&n8ac$N*T3zYo3Y3?7yd47G4Dfr&)goh`XXW2khI{#)b4vE7gO{E)zs{5Y*1nXg>uolBx4qY1t1K$A^$g6Tl*V?!4ysvGR3pPI&n% zewS;Z8^W+JLNN~*=-j~L=OI<;hbe09Fkd>EBX69zQj~y`$E$ogeZLpj=}1dmUz(~; zbz9U@I+AHfbSz5!9+3s3n+OojlsWdk4A94UCA@B8y4(8z+Y4c{AI&PU^*GGv&aN+8 z?$PUKyV9zw7f1FUMN|#g)|-{h)nHsF3aK9tW@D%j!(mtg2u`E$DpPy7g=)U8{SN`sJDc7wnZ!7t z>63?RltMRZgpLyKAl z&6_{X(zy;O+TOw07CykMWKI{-1)OCPL>^p^7&53;d*rWADu_f(pmvZ!XcMIKLdnJ| z6>at86wVbx`2_8CuK@@PA-NlgAm}OHbWF!Yr=p_?}gUll=5F`vddG zXbdRA4Uw&gMVT}bOKu+hcFDL;uL!46B9G$whC=gfy`*8rViWSN+&C)I8F(J6#(38( zKT4@S@N6okusQ=7ShByx%QL~NiYB30{n$ zR_MomxH;|Vqr+1shs23n@WE%0y`?c$NiAcjGp1?rwvrN$dF|`0wbEQZ+wr5ARf@Kx z-g!XL>)vE=B@tPzULO&U8q(PVboAmjz&vZ#_JCo0!Qeu8tGjSJuS?#DHK23%uwy*5 zx96g^?HPYd!cI>z!eT)2%Y80YBuVI(8p}=s2;+GqO`%qRD*nAulcDJnQad}CL1c&_R^f(>p*5s!+-8xh|@9@O~L`S00 z1T35Y*z~S;NVp8yudoDN)*^k5>>*M&ra6)mVRZFmZ|)Ju{f=-WjI0tE78sX*oWR<* zsg=TJDowk76+z$X$i~oCKMgBdr|JtN`3B%6R!=B6s%Fjm93e$gkaO(iW3@kaiAs~N zXdd*SsX@80OxE5P^N~Sz=59IM6kdo4Z!io92p;1O>F9TSFhaiU9tFgqUbEFqmn$@+ z;ji#I8%jEfOh~~XJNJ>Kc?NHd^ggS^vX3bGJe&?A2u7VO&V0o?HY>~{y2F_u@P+*G zSsFqVI*~Cff~3u3L~g+)TRX9PB>Js@1t!U<+?pB3o=j-=D&aRuy7F1E=2|uwD#TfU zecJhk`smx2YwCV!gy#UUz{95Y&8%xqpPYS|kas3jjG}fNKVw!UM$*~Q$ApnGg}9*$ zQPIY;JE8{!OgW5|;CCQgQeaEc8;xnqpBATH2M;Bf)xAvAND4;6Kn)aTM(}|?<`t<_ 
zf`u_<%_h6CE_h);nf&zdqCHNzjAW5%OwBc+p{%>k7Lw9d8AUPCVK1K+h8RJF!yo!O zxqcmWO$Iq(iX`pG^plA?U~gq*V?>eivEoY_;l@A(dx*u)oj@H~W}L!=WEb6XOi6`S z$511D(hLocKE>q+)=dcK9SYDVWAu{e&IW^q^{1uX)#i8DPt4*mwQT5&)`Z*ivlm7N zAMNzs&Jcel{5aFyH_lLtLzp_#v-7^9rtpL@>&2rY5^hRc?5aM7vrM^mIxl`%*wS!f z=f@xm+`&d57qtIqp0Yr1*3oPW!?f3(w1OJEl`H3<48_`Mwxft2l`(fW*|cH|XT0GD zXANG*xaEpl`#Phy)zgW)Nat8eHL9{W6Cps`WJ3rJ_flNxev&Td&lciI$&awtW5ZjxxEjVKX(J+K;Wgq-m_FR^f-K1>7Zpx?wPP)BDs=2V&{Gp<=2tTWbzz|bd$m{%^ zgq@5Cb{?4x;!(;Rh-h@4Z%VF&EPh^euIUglB9$?CshJ@Hx!E1oI>h8TEZyNP7^=j9 z(l8>*P8L(DU!`mhgwijI_qSIH-_~)AcO_vQV|6^NF%=tiG|9|7*9kNyW5@swK6*gCSG&_w<8##t@%C z6^M*vao;!usmK{*%IQ8_B(d`A#m2|bwz#Vo*Qk?I(9zcV@KM&6Bd^tg*|JI;CZhC z6Kj!LLJ$z@IzQNQnXKYVQ*tPF;ATvxBKw0eJ&jfC$)|ToMKrCTgOB!J7Hhf4v`AkHcO z5be~&aG}xJfNXB^I|%5+Kr-&Yo#YzR9g_~0c&)b7?H*1M-7EVi-qv|;3+qW1QK=C? zh~dFRH+*UxvOFrnY`I-KY1gB9S?>UFeJ_8Dd2ManIRdYRC~w6VdX$>~xL;{aV!{qy zJ#yrjA$6T-TH^v0k|-q%0!BiEX;r{rh5EJ`SGs1j1Tl4a+L(a4hlkPdnmAUgS_ z%|LMx(q=OGNSZV&ZeevF%?|;O1vSST{^cFhel$JyNuz5|>~cyC5qwWvlWbZBIiHy} zQl|y^pJ-mgiWZN%?*&CVE^q^`oPl2$)F!l8M>_ViCyjgy%eN=YD46 zMSqa|(XE#@o`z-ydTUC1HnvOBFZcR_kHte7-47Qrd^8&2t3^ZMyE@*^MM=Mhg5kKp z3K7xLYr?>}fZ%n5>5f;7;@ss!>B)+VS!0$C1V#lsNAZS+ayJ)m*)EL=n0&IHND7E& zcM1bcj$u$z@$g^7@!X5whX$9xG^3as%bKGhX^y9t9Lh^@c{!za07E57W6O-_-y zqx{%_Wmkwc>(r_Z#>$=p#5|)cvRu>WxK#q!UFl6Mjy_YGLvPu7s{(Ru(3?WE4A41i zxQMnB;aQCVTeb^%j+IuErnaSNA^#oI~$AGTCU#adq zmFdwZl&Xr&swrI=@o~V(_SXZiTT_Kn9b69lL}ywO_1?ufE45^`5CpupjFeQHPONL< z7q;jb&lgE6R~oj6alVvj=NoDm?AqQ5eAI#j^Dm6sqXywtzi<^fzYHPLvSTL#pmPG* zHX&CmcU5>Hg}OPHaM{k&9*pLLVfezVbd>onmW7IzVu+k2{we)-pgFNz zhMYE63@f+m!_yBrJ2z%c4tv%1vyg1=cPuwCg@Nu@Ho>h1e2}v85ASoa1;suXBOEEo zzF<)OW`MSlV0<5vudEjb-&1Q4JMX*&5pRxqTx~^Im$+Vc$9su%|G6pC|0mn zK*0#zF5P%P)&SL+)=GBk82eQou^D=Joq}?jKplT+Anwx9@=O89_`EI%@f>p9PG0A> zrtj88@SQ|gw##bWXFsSi?E~ZPeB-;^lgLW>FU8J;F|C~zpWT>;YZGSg&=_RViCyJ4 zZr8yaAkWkB4ttzv zJuTXmKP(nw%ELG;$ztP*x~;J@&v8d(sbY&7(6!2^GHD=}_9yhX`-L zVSlRosiPfeHqBcj7?+|vTiV;@`fkRW(W3ZuHIwqSD%wtJ97Yl!_wNU-`VkAF{=gQ`Wg$ 
zF(Za6k4_3a;}WBxR}nb)^u1B`i(St3Scd)9qi|wwLugu8aLLj}qjmz58<*FlWj7(N z_a=+Ip|6y>l?K!)bChN|g{pjY^aF9YBoXBXK5FTAIR3rf(MxH{j1^%pK-5ZUxldtFXX343n@fyH(b1XlRe6yfU zY7E~G^lTl*1TWZ+#4|ZHl`tOUgbz*Tf{P>bBsG^GW*0jQpbacF&u&uF^?VlhAkYrp z7QW0=jDYF!pA(@R{<4=@G=yR6jABo?d*i(l=EU{pE0NXz(!xYk)Q5?Ko z9-Av9P(?NOg!GEy>{8ShfN}WgyWjNoMwtnn*3-hxMr!#beTCC9oCfm}RT_g0CUcDQ zo?_KbMx;ebXtx()l*IvptANGHw-(RklK!RC%!9j)*Cl1}`<8AC)<*NSIl&+@|bw5eIX06IsBkf&-T(iN)siLRopBbo+`Vk!r zQ5oS*dgAj&4-jep9LpeP@O2=@KBRNMy3$$_(yxTqwmLez*QjoiZ)v`#!{DxHQ`3&j zhAICpp3lQ2I)8g{#ZFZ}Ba7hMo`ODUroEwjvy?@#NaXnJuJxv^=0MFk@fJ_xlMv#IN3L56hW9N^#v1zrG&xfsAd{vfrO>$?t3h% zLqJ;i*_oRgY|)d@lbP?3&1;RgFJGP=2p`H>XG|Aegk+*Tzp!HYdLmhEtzky4b11g( z&K~n{VUwl-2(z;@!f5SQ0Q&hQ9hjP~xx8WMsJnZF?TJ!H4pWAcUCK8~BjH@|xOC@0 zG|sSi3|GPQoJ{S*J>d72>Kg5VL+oq`3a+U2`zm%b$s>i*jMjGr?HSelkE{eTB*p#C zEov_XqMt*naviu@Fi3s`j&lKQb(ezfvfDFiJF zz3QC2Lr`yYGGQo}YUwUwL5tOBfv(YP!75LGn1i>_#=3+`YuDy!Hf^5}+3Q7Pnm0I> zY$vlJcxsaNhjX>=Cmt7+Onr^^wC)J^6kYEjB|Z%^hkaH|i`5z^cYTB3kE>?yAz(PQ zTlvb_w2s0c3i&;3y@adkWk7d-OgBZzqWPB*f4B&}?+>4cqdSJ9uX5IGWO+*<2V~>| zwj_L`{D^`iL3d6f>0MbkWM~rl)S2f-k_vBEcI0`0gYhBrGF)HpWHYrhG(8g|D7y5Z zCHz9A*FN*f1bCDb@1=ILga{y@+fIJ8-gFq!4tc~9??RKBvO_@0t+BvlJaic<b7-SHvnNzIp=3^Q`OV$3Oa^_4PGrfk6@&8whR8qc&qs` zgU@kr*C>kOQl*8rU6AmhMOaHLN1CL&X9X49&d9bno)U-At_C{3r2|Jmt@@i?fdwhq z>lTx#FRyd%qwbk+5@+oS75rTi*p;lXx#?8*U`pR=uyOL%Swaj*)!m|He%M8iX7->ap6df4LZp%S% zfQm}*JoIi#a+SdtiNTsJ(u#Nyi9*o_8m?6sE+lq%SNaa~Y=g0iHnm;kbkW%E;q&+G zRZ0GbpC2#3H0!l{-Z6M5->@dlabyZ>MD3T^6G@L`zeldQXmiR-z-FgkbHhIRf-$O^ z$Z*+ULX!i~28I=earK;}}Gq=5!=151&-{jla4R4HS9kHsXCQf<{ zNgpof-bHDDfwiw<2yYUrsA^E*X68HK5J`V3Ry~fs`EjQhgR5Wrw&Fff&6Bn^RdIh(ExUSTgus5{%P znA%ConWKuH4W30G37lZ7MXq-kMUr-i!x_g-ec?t;x7Urfy6}0le;UPg1O-h2N77hb zj8R8eiU1cjoO}1t)MhG92;ymquh=(ndPuh)!D!^TX| z*@1LiJ zpyF@)@=V2`s3??u%+XNOG+Sbf=*C&iF79gavYB*Mv@hzVKj@=A@9gsR!dU97zKP;K z+^8s$e>w?G%Xo=w5V@;!!*2#fjN6MTsUEO~aelyBz@9mXpSCZ*6XWDiu8i&rSpUq6 zg%Npzu@eCaER8R(uaMl1(8Qz1J60U?E!0Q2Qzx!OM-eVxThdJpJ|aigL%d~LF56L) 
zGm?uGs1g`pq<=ibAxy{&M&gBhz?}f8CkRcVO`K`Dw!S_=yWhxP1t>N$oNftSmPZ4I zK-x*eL$!-w9kNLs>-hG?&b=GGvSod8s(GiP^?iBxa%OdlFi`zm{pYIA4aEN4JC32-SSa9y`;3;4VwJ=mqlA#Hvb(9&R5BQcgfD54X^-on zfo{}3!4gCE7*sP&X(}0ycgh{Z`s1N91I2lo=#c^~V7<3(?y|P}_P4bgJ0E+(KZ&EA zbuV_lY(0Rpk|YUM>s*lBe7GTW{@gJiT;>q7k7-}29g@68{kk;XT5M^x$VuTyJA`fR zJPn&bl54xjbMkt{UPIFD!3?{jYE9uAY^@H#;9V6>)=ctzd&%u8o99|yiE9130ak0?5c#!h(@~ffGy=0C>himer)lCzH6P3As!nWHQes# zfS23i-Z0tu%sj}L-`=)c3awA&(pkD8c_CYGVHI2D(y`uhCDk1#Fj zk$AX(SO42dJKWMGfvFI2yv=qNV`C%nFXr_aTnp1zecH{RT9Md{jZxOuP*~&>5X0t{ z2Dc-xpkL>8C3@s*?<>P7FysajUxfNf5H^!K%L(BQ?k&j8{d;HfLfF9jUbl(D%) z(wz6qmInwA1VIuD(d9(D>c(((HJd|}#a^_w5NQDms|mZ)o2LGp(zQ64DDlpKt%Ay@ zjrMc$55QOaKo=f09>h}aRsIAGj2c{8R{v*I)6p!Yf@@Y`1wI$t!ScAt`heV3XBa>m zm+Z#Hlg_@>MrCwM9%*Dc39l$=aP}R-x1gj<-23QMC7*6YQ;rd;5eBL^L3yvF%wHkb zOlyn-W>jyuovmAq3gUd=VGeD|u?@^)4Q|GARfc!i8<>jk74B3|H$?KstXF+^`)^{> zz*@+F;>ZDpya76`?|jxiDVI(`%|tLHxm9rIwfR`LE3(>H+YIQyI7S6z!FLnd+9`Zk z77zo8PRF?61sPW~L0_T6!bnWrxu`-0cQ9l}?q2FOE`Ad5T4s&s2MS2M89Fd@$mQVu z0&yLciE?KiF(T#qQzZ(~aT9w`5%-Z+Fx7rg_;~Ym#W}fPocR@d6D&q{BIA_W9g&3h zMPoP;E7EDd6pYG#;HNc4iZ?#Z@BbfP_ZS^n)V2>k=p>z_V!P9^ZB#loI<`BuI(DUF z+qP}nwryLJ=Xqz%`(HC_&9|zrRj2Blz3=OHZGi3FlJZ>~Qg&WYT#DzQJl%U>4&)^^ zb%7k^N>%G!-K(%H@`qVEx%X#8cG$}?EWr$0zifT@M0r%c`H<}%59s6sEiSvlGEbQ^ zPauyhv%`?GhTr!nRLAyY>X{1*)?P3!b{UbsA2~{UPg6aiWJQl8qP|PxVmxb*=~=HL zwJq0w?h@O)3CPwS5-<|Uo6a2#A%(A9T_W<@PtX3?pcyTn?2vyPZkwaN@r33e5mLoA z1)oMV?Y1Ew<@1bEIqPy~t{wF^X}0{(`h?WWEA5Ol+WED1QTHKlFD^eco{ZG?pzaKL zrLQF1%^O`jV&sa1twUjERb!ZxgF%Sw=_`)uuc(UQUjrPAfy+Vi6aal2ie&E3+@KJH z?(S~*rQTp5-&0{ctHP>mK>4x}G`gT0VlE$Ye%S#Xh$*4<_E#a2<^fr@WAX_lwa{>T zP+itQ{m2iU_G@Itmo7bZ9J2Q<&jkQA8-(!F8id&ZJmjF(BBuHJiZ_$aPkF*+%+a|e z)1rXKs|H05{F#(vgUy=;&GjMs1Me2Hl!9>89uyuU5mhgE5~bMGS(68-aYyjzK8Q(!aolL$uLjHe>IXXZJwuSJ2%@Bv@cqjkl~j#;XXQ-Ob6>%ilVr zvdah_kQZ*t)RIP`XAJJlqqzAUW|XVB#JE=ZdFJ(=2}9+ln~vVy-Z8s;*!hw8Bz8nm zH-u2^{}GY>_Lvs_-^rY2dMsL>{K%`ZCjr2z&BQsZGVEfNW1^LCdUhx>fp->mP#*N! 
z{O?I2`taw@pg_@7DQ(DyUPiIzRwy$Y-@ojRhwTAWjtLd(Gx4AN1+c-_r=(h50ekBG ziH5LK8&DSW1IKs;Q#PQGji6g#7uG$+7RTH%5+$6l(3pi;Y0-<2&# z{>aTVjTCIlDU~u@^?gl>U*|+JGaPxR*D6^%3rDqklviYI*5(xT6h|l#Hx5qbn`-Klp9zHOk4=2G#Vj+xK}4ml(ActZq^TP6e;QpTAI*nQJ zPe6ZmCckePYo?R3V}n!5>lO2w{*jpfrMAxIXuAfqYMO|pq)iECerI~<^!*5)HWJJ6 z%Xn8N#WJpt>yd*S{QVHchbSs5#m0=>`(Ni?+MKOxT*8#Q=es(6-eG%QC2h6`~P%JlNz7syb&*c-o)0N+)W*gn! z-Cf<=ZfEYn{-Ipty?X$Vy(V7@fpJ)98wN862crSuHQLHgw^FlV5N!KF9mDOZn@s4c z8LP4ihMcR8*bBhI@>d=Z#K`959gdYm(itNTr2?y)OpH1xW>m5Lc)0fN{2!5_=I~oZ zX)o}nYEn^3L=aJ-IrMsp<v)ot=bf>CAlD zS$B}ZaO5fc<|x})9rVLQPuBwHIFbXEkI;)FgNC1i3eBS=Z&C$#M{5HWl zzoGIzJc=FX3q#Pa61^z&_>lLEY_;2TH)MD8_Hp(SzgX7h!+Uqo%UEIeKj+n?20F9q zh)2MD@?q12Is8jTHsH3F_&S$q64Vzt%!`K#guAsAe^VR7|2_78qMI$xgf8QCAPnGBDa1vW>v&p@d%QlPcO;o6WYXnjyFWSAQF%?-<*MyO;xudXzvw5QH z;-2-aQ8rLa>Eonq1kA$Dc_!SqZXBu-)*aT;Gn)w z>n4bl0!avbhu_9Ne40pgMs0-_rs@w2o`l&=Yy5M{*{)#`j|cO{ef}&xZ|bg}lS4E4 zJj5o85?%zDYQB14Ub+HgF27yPWb&i;WI76snG-!CzaSzwP*Nyhu;3ZJis)R~%p42D zK?Z*Q;8z$!f?N4bP@7UHGMGxBno|qy5lGFY2x<&g<>cj z7cS6om|ynC74|M^Qk+uIRmOi_PnV4c;^xKoyuMAOljmJ$WaD0=H2p%umqiS{Q6QxR z#hHDhj(^scw*FhNx&QGxdgvW8`T0y^>lj$v+JalW5GDVFl9p@%=K{>K)GZXWzX%!a z&Cr&KY5Y4WpY{~=>rl*WBBU!wFf=Jhpl4sq5FfiQhM+*>ES#Rv%qm~|7B;K+2|mZj zHy6BDJZk7!Aw71eS{MaBgN{9p0bp&^(cD&R|I$1NZu?ALFpVekTP;FxxKI=->E97J z*`-Is$w*|mw*Xh5B*~sw@ql3eQpuqBu7F)T_Zgc`; z^jp%B!)_CxKIt&(AUz$`{jJTUXwU<(O{B>6j0-C`ktm!S{_<;6n*lah*T^3!OsD^i zb1oWhc7OQwg_i^ zA{nsYmQVgBm&YvBQNiUZ(4=pHlNz|W4B%R8uYhx~>2H{jK!4+ujqbSn&?J4QJeq(kIy z34n_6{Z{{5H3G-FPRce}_eGTLDrb`ikP z%@$xnC-({?-ZwsMlUqq)4*sPjo%}aJ3XEl@XkkYu{7>mTWw7rBGde)zFX$3r4@|Wrx?>sN>^j@E)eC2pB6fy=lA8nK;y&N(hN{tcxY}(ajkKJ{J7#-m8Zeg{ zmay!Lt7wh*jFoYTiwAUpvXYBwj#F`uzZ84r)fJ`d$+tWiU3 z1qH%weqZpL2H{3{ur{}^vetc^GXyvYI>vv@a0Nmo$$dowY7{x#A}4;lt?fy?J~E9Di?bswu%PB^o8#RvPtGgKe^7pBoRHa0`;a(QY>* zO}6;-%?&tJlaTuwUf&7yNd{ZyhYakwTVwWN)lIF%SLw32v5 z@EZ2y3DXR`Q>7y84gI?8|{&lJBfZ{9jrzgf{LN z@wirj%+ryq3Mx?-ka=UC-NDbJ@(c}}zB%ut^Vax4t<-6EQXRV99%eSE#o~@UgcRbM 
z^RjSJFwq=du|_ZxW18c2B5hzlN6!24%hnj4STs84_SrZ4uUU&o>IqPv^3Mx_0P`LW zT2yZN$9HL1J;ILZ)A(%N9SPzSB!GyF$-Dlk=(%GfS~VZIN8u}uWArTys3%`e7W%bI zK4C6!;zAyGG^JuV7o99PfFkg3MOZ%!XeXP&Ka_a*%8Acz9jbX%LGjUaIc$adK6#zq zRt9xFG}xE0nnlx$0?)%Lq}v=vo8ewZc_es#Sg=)Wf@gjH7g1cDEDl^ih8!hMhz~b% zg-aC0qe(L_c8Djx{%`tzHkJJ4Han*}D??ir4@eFykHH%&=X-Wd9g|1Rben!cO3(+i z=D>oZF>&2cF=i5?8fL&d2vEtVY%pfcNr!%lZ^Pze3Zt$c~K zA-TXHxNvz{Fsi+_*;8Y-ho-2T1`d}qJ7IsoMc@|%zW1Br6EP$%_I!SJk8Lu z1VfLldDy&5x@d&6*Hv9s-1tN(xbgxg*?4XfsD!D_i^X3ju#_Fu{eeYiJnMU1qX0{hKM z1;fC;-r(E1BrM;+86N+N9DXA=N?d8b9bqpeGH$67BA#65=}YrJ=Wdy?jchc5QigX?IzX#AhD_?9);8TCSTJ9?3H*WD|9Q0-Cs z?H*kfYNP_Pb*D@|OyulV%XUk0UDm!47@lBs3QK#CG|7rUI0k2YyB!@W&Bc%j6MZsI z?tyQe?VA=?)u&h&?GzOb)tip5ymY7(6kc(hE_2s8rNL&AEjOv63z|1R%}E~ADwXwm zgVaqk)HmRfT+AJ0lFD;(fMM#tSR*{<>|Bs=J?4qNhj$|GME z;#Dud@MVuLBHo#ri6a%YC|0_wFB(=@TFtGU9wAv^R1!5lDXA|5K%@qnj+(R;I+ula zu8~o(%@$kr#yJC0WJw$?$=Ux2tcqdJM_fnU&s;D|Z{pXI?zm$zQc+fUWnavRqfyqV zww_Bw{E&PG8@x=X{>ED?G3FO72?BZPMR&(V8A z7>LDH9J)K2PPimC!jD3GX+GbX076KI9oC;hh%*5Eu)qv8LPo_tCx}BlF8#*6s<~3B z_6SJa(<*ZG8;iw5qAxAjPkFy(^4+D#KcXE*!eCb%}ZNsT4HBl((z|HtiONh$>TYfv(buTYw? 
zxFCtHkqXLM8WJ8Qe{&Ws|2mX<)6=NPGNcxx^|nhD41p`=PIPCdPf9SnYY{h4vRc6p zZWQGeE{pz(m+&y|bTAY7msG6^wJ*4b5v7A$Az`16vvH~wdfIbMnmfX)BR?u3g`b0P zGOXQG{8>a?D%}+aDjEeG%fv&GQs^?bMffw~t(1^*?h4KCxfc>4{kh`^7TtKxAZt+y zZdy`#S*1f4Dz8ep@AibejeZLbFGKQt_xKYIw9QL)87#ZlL^vnqvZ^cx>CFy*rpVLK z5u!(vvd>N)n{{zUY6-!#&&vkMdSE35cLx0mqHGHe0F#Doji*`xW4~w(h`VocdC}wV z1q_ctNh9`Pr<%zX_Kz0vnB$*A@;gotCjzcUG};fhKQ3=;6BVBV8gCH2M5CL;u5)E; zM+UC@V*k?jM_*iCB2D>l1^>!6-*x(tc6qoc@bnQ9Am_2cIzpwRc73V~9UMdqCgR%TgGWx`?tgz5YQX>*tVr*SIA4r5&0XIK9bFa zLze+U+ByLsVx;>uW*>1t>D@EgZe zJbqEGm%x2JJwi*d6l4STno*U+a>H@kE$+l71ffQ?+jl#%lJ5t*{ofp`>tJO1EBxs8 zs~q3hEn2qTV(yzX*%I_ZoJ*P4a$Sm=_qka>ej;;Ff@e&GxcoLmdTeKHX$15)+?u}6 zDRh+yHkZ)zA?)8da=+>;3X>QdMMeS_~jbL6@I_P6a-T}+O^sz`8(w**r zJC|L6_*!mg=An;DW%*>F;UXbG8{1Sd^w_+7g|t}DbB}WP6>|D3|Hg8sl7pW$+XWtn z9se5@kFc(ah$H2}%|YqW(<}^2@kNAA>J{3nPN>nt{hr_bmA_TvMWAuf(B2(2ttxvs z6R36VwAB?jZd}g0`}uP4a4yDl@+q<~?!8y^&EsN?9=dt$7;nnSyy~5X3+@eHDKgTJ zCop!A-KAvCv~(c#;-{#o)^>pA3TO2bJL+lv(=4=?aU<>zO!LbUQ4Z?Y`&-}@yRI>h z$!C-DSpr$sN<2jAP>uKJ?IG~}eA31_&mWX)f3?d|rdhfXJX$q(Ri9+rB+ zkf(S1KLBpjIn6ok+A9AI9L$oAArE;S_`6C(y8W#CpL=(}6w`ewiNghJ1NO~}@-=%2Gg%5vZwc%c9_HhhFj!oT|B`=3OKpKPK|PW)vR} z9gd>zA3U3Jg$_z2R}H_IBb0w>Hio7k29!|X-hbKcT_`Lz(W=&|=wXsIwC)*C-i1hL zAsMV6kpfk9fSUz(X^aJ|`Y^gXddH*t<~B9^ImD@WLy}oNEX3Zn+a?V^C!`Sfg50R? 
z!KJ|RrV+%TYQ>fmPVw(HXFoRh-)fY()FHbiRi2G ze@;3c^W!W5XwFDUnD&t$aMI(Ph9qA(ikoKb%)q@xl%IRm_wCBi{dDPjW8#gjkXWr4 z$e95^?MCqi=OQz`5RTcX6})+E?e<@fqj-uKSMVi0i^R#{Q`_{MS=*~ve%USGFdnM3u+oIE}@ z)`*%5*sDCBMz6WO#hrVP#=@PZW-S8euy*X7=qasqUvz^Yf{I9sBz|5?j(f$v( zeNFxUg4@7@|6g!RR`S2#w&}m%cIf{Ax76;)(T_OE+0&B&zI@jaCS>Ip%fcDwh3sXGxH_i+(TMCxXmM22i97FK0) zok8!tX4kmbs!c!-(MIw4Nuzvk0@Y!2OZP`9;@B$AnPe&&2}`(T+ynH_*oX)cGxucI zU9q8s@Zy!8qyZr66C(i<@Pv&8V!OMEu#cc*cEFERQWpP|Q*w@$p?X9Y!+_HU`j{R| z+El4Jes0eDt7o%vd%bO6pGe`N z0HLqTq#XqMBI!JWrWWQ`LyM(*!+$@v`lEHcef`yWy*5sMp5EGgKAj$Vf9zj=el*f{ zQf(YwZt9NShqoy-_DhzlTw2@kqhHR|G^uYIoxGf!l&JOWuRi+hAMBpbukwmDC#AZS z-rv8BH>}44b9W4i`HLmr1}pD;uJSPoA=ilORx9l~p8{*^=S5@pu=N~n`j;4tKcSX> z^LEv!m%(8a>0$9&=d1Ti$LUaPV*T@`T8Gk0w7qD1#ZlicoECWkhCKgr=B01R z4HS;vb+bHwT00Nk=DcPzPFcuJcm4_7(%jZrsIHb|Ms3GL)TutgLWJF(5Um+~H)VWu ze$a(zGxsy#sUHAUh!!iB_Irwhi<2DMP6C$==yyjV@312#C%7KlD~!U^H5U2e;XU@2 zBXdX^fRG_t2Tzl@ckIw(kgMqS?MWmbqJ7Z0+_ugr$dYL2Ke(2Q8aqUNGPQxMwF^h` zw|l|DC`Mn*0&y@uq{Ul>xBop;c)&l7to=TJ+41z#s!&&CEBj@-AG?Q^=JGwzjT1ke zXGGo|n^r8c2H=DFoGUk&<8nW`HBb8;ONb;$RV|b;e&I|bh&{NQFfCAPv@6=(6cP^| z2kGJXTq8`T@sXn$Xkg9O9MqydDU_lGo!K_Qt(`mj6n&FwyQd+R(D=S(Z=k#@8h(r5 zkpBcdJ+Ye5ZqC=!_4RB}Xz;9o~77G&kY-`V1@ZpQtivE|_?m6jYJzZBH0?@ru z5pWZ46O65AIcK)Q2+2TY5!;m44wcJ6k_$<%V4Zj1wCJJDs1xIK7sk15s5(O*0!u}H z7P$3GlxWQ0XJ60m-Fl4kLf`kUZM7H~jAEhse~e)c*AInCz;U%9&yq4O;0w0}sKeuQ zGTdcqYAjfjA;Pux<`CA$jkei;QRE1lwAG{admP3YjP^*487S$g3+cJSx|EwE=dbU{C1c#BN0!QJ%i{m1lrPA|*5G z(w%WRPO+7_DJuw||JXxML3Ty{BuqaA42Q*<+~ohPTA2Jt#f1Kuk&AD(5J`HaQQr%q zH1|ojg}mK0Z?5Knq!=xM;r{^5ia)u2EjX<761Hf1It^$I-P8v3@5a5BJd zC59(LmDv%>p4k4t{yim>Jp<8;2YI#bOw?0!?chj4>@l{G%W&Aona@aM z2!Uq20{Wb8`Uwslturl$g-a}X@G_XCY}+~6Jv|sM#lS<&6z50=k$Ra}1=k_j!{bq8 z1hz!>BDE0TUG*n0>7BEiZzZ7CKb!O=lupr0>o}0q6dVtTd228`5IH`!Qnw=m3c;S0 z8PHbOdoyxoQ)t>VxH-hHy3G}cq;X##{mPYyJ%?E{TCZY`DwwssHBCxrs$7IS7qinO z#*?pz?lAnzhnq;`2S6dD6LGlBg}H=bj%f%4vCZc63{EVZn-Gb0?dvCr&eDNbY%tG> z0lB^%?e>i2m46jZ^rzx({J3Zw!P(Ore0`V|FXVM&oj3j(gWRSQB75DP?D?oE=QNxS 
zBpEPMdcF{QKC+-Ic;8`yB`KD{B0pbON;b5+`b3gYsV7z3x6e-^`@wv{XmFM~`z#s%bmctV6C z67#sQn5u9IQ>OSPg*{S~DU2H%;2YgFlAnETs4>}Ww`%RU8ncB1mjg5>CAwDKw*8Mm z?%jGTB@1C(`L97P09)m@D`tt4@Sbq{?gDvssMbn`Yq<*#josc{9jD;^z*#nym-quw ztVjMT*K86e#I!PSsuT}$K1dG@^t{nJqC6l_M*9V-+G24sIqL+OH4{8GrW|ErLd8D=LGyyC8z z%za^ck^f{(x05eC3H_VJ5Hfobqj)76%y|1fjl;hKouHCF|Y9ZY`R zK6U7oXxPq2n_7}S-a^;fd+oxLCec>E-bTI8WVF;bSvK%}nlaFEu zS-r7L$~hv8?_igl0SjxX!FC4Kb#l_qL$akmssoQ& zLb%VdJVAty7(%dbxte0RX-PE5@vHEm@c*8 zgUpmV%8TVj-;m|`t5y5o*LxxHv>y^-^jK8?j;5nHQIccbr^NHv8xn=Y`F=2+$fJ1K`}!fE2uMzZU_&)?>&gXn zse>r+h>IaSGS}-pbZ58E_24OIcU&_u_k|i4o8sWs-~mdA_yv}FllmLpF+W)1mrBm= zYyXc*KHC!}+3(XQOa?C3YXT5qIKcV8rXA$5%s+5S`XYZplbx{C=3YuZe+EUO*@Dt!;?~}_b2c#+Hm?Gk&H`2;dZ;!jIx8cxB_Im9 zJMIsC+#^}PdjZbMxWW5;K4Vk_n)qAwWXCe#-#>XAkH@3n z3V$VJu7i2f5*Kj2b_{n;_lPAVM0R$$oG9Q5NiTP0$Bb^`oh$;`DbD7UJMG1%MLX+| zMo8l27_*6ey<2!T@GqN{x0C7RQYfZ#6Z`#9e|qyX%Y;%z4*#xIE2qxqaY@-dHYRdH zzAEE7<_ReL9M-)f7RPaPAhH+=S3`A7jR>f}3@%1u;XQxQ877$EcqlO2{}YRvr&kpC zndZ7D#*yg@%FcLqn6k~W^>nn!FY#!Nwbga?XIQFJ{kJk91d;R9;{V?+tL+qmcFk&^Jak(iPu;AXp88Uvq(}is#H>G%3(&JDMPLiVw zVBmJnrT_eQ3-EYLT5lt|&buntEo-euucA9$rgMY&ZXf5b9gcgr>$-lDKeI^ zoukD$>7Fd8v)0R`n$J72;?$|txCF(B<1zv##0Y5Bbi+LpAScy;VOq|%@TnE%?cK~F zS3Qr-HsA-unhI3=DSTgHb6X@Z!N@QDm}D@a@+YisgHZ$dM}z~bT(Khh zfe?CC&hL~{NxG2rr50s`&)mw5j;f{}Z{OF04L^B@L&$`vo-TKdxRCj$s0@1}PdziM z?JiCoCXFIi?&PvRGJ0JbLJOUEH+u6$^Q~UqObIeYe@TH19xadR+$R9YZs^XSCx*8}a(8E0PCy9&r|ZHSh9>;ogv*2iRrj7waeu?1jR>FH z1dNdGmi~WxPL%_wvj4ZNxA)Z#m|kUS*x~m(B+N*@tGXiboUP%tc+?|bog<^H|s6_VedB-c;?EDR}Bc+1+Iw^yy zUNbWvSpv`z>^tQ$sZqji#fPDGkB_$7j+ME8uZdX(mIR+6^YFmod2=#wgohBZg-G+h z&TOkMk3iq=s*18hAsjkIWfwB>sk}Uym!XES}hS`}qLPRT% zbN^+3bet++rA~cC>};g*_a7r0@o~RpGH)tTJ$3RK;8Fr}_Vk5Wn`ylH3=f{7bE`F- zXUh7ZtS5X1BG39J)_KNqiWpN30wSUNA{W|(H7Ci0$lm>fQP~so4fjm;gc;GtiB?7k z|4LV*!gmlbK!@vk5A>fbU`r6*8)ZKu37NeW*7$EULUmec6>hCVg)YY@Qt7GLqi+Fc zxSXa+|FaHK$iiCg`%8U^);{h8<>F(NIx(FW=#)HV(P(egSaQ_RC>+dPNLrcu=@`5PqUsAF=82ak}-k~)glDF{= zSnJv5*oq*8`NH=xdb(_RrHH8@f<67ApX7#9j{doX-jaysmEed6UD`$ZSH{X@zvYtU 
z-Fp>^iL!o_wk;~_Uz9H`aKZX#!*x>F3Z*W7L^qwPT)koxyl)l@&TP?(c>Fidls$Wi z6LN@UUMYDuXnbYy)&9){zZ~j9q__Ls>_^2=miB8vV!&%)HaEY1a+uP18eIy(GB3fK zx}ljHwvZArX(3C_I!0DF3MY4@t z!85h=tDg6-V7cY93}jk?YIc@4jvsa!WWk|_t&?Tk- zxk^4YNY$*2_qm5kk)lPRj?FlQ%$BM8QXPv!%{$z@nmDz)Aw~4}w?>8UoSpbVAy=6oat+ zgK7DP)&V^h5GqdQMse9-_rxB&C5JI(a{Z%;5lzxF8F76-*X{zxV$<+RG^{1b@X4wF zVWWG|oM?*XIn~TF+ zNQC^P-C@s$xJt=JcBF;)UV@;W*&N>S!}}b6A7l}sF~w*+8(;$HLWgDBT?E``n0f1X z6XRp$l-?!Mv#ma-WZ$ujv}Xr>2XeUD547xwxy~)(x`?gu8W4+?wWbADyema~O`|#I zB=ePsbRE!5y!z(g+>sDMDH?H(N=+kukl;^WPYdbX&TRKA%`bx!LemFC{L= zVguNmuMcG2Au}S7BKvOzUAF@LBbnYc2~vOzNs-B_`}bIG`LD93 z5+{t535-rfXPUhcM^*+sN*NxEyjhH>8!H}aQH<-DrQ!xVY1sY~)1t4);a9>+`SGpO zz&{L;r5@va->3+9N_n2u`%}+CTymxLPZ9sAHHBP-&=f_0m>(QM`v&L9XwGr~beY^n z@9%AL{bHuMxbx^EfBDSdT+4Q39WT@_NAdrh1eYZ-!iO(+I)9o1dt&e% z|DYxO1Tt@rZ>}STYiOU3YxnG3=OI|*?6m3i=loB`3UCI)AzjdAgBsznwTs;0~$n>@!m z#sj0_>^fW-y0$-6UT1UVkYC)8I79#CL@w zvs9bg{epHj%s-0F@520KhsP&h0s0p+}y8URoOMrS66N9g2Ugwt8 z;H416j@kFH0KZR*2+1P3$#g?XzY_xs7w4m$Jv@kM`M)v2CZ#W0EK2O2#Cm{Z5JRY2 zp066CV@v!v-ub-&c!yj>CyEjlZSv<*@k|XGlE1z6O0i_kROc_d{O+E2*!5754u-U^N77 zuHnzL93MFKa}(FUp1gw@?=ZZ>pR**UN6GUTU`f)m;iSNTmCE``$J7SW+3Z`tHaN+P z-1E6?&*-4<5&A@n(ZUDhOAjh{(aeUe0LZ$whefoO6I53e1K~w64J<52>+n^l6F%nc4uVf}Sy~}o9+SZbgN6m`RPSMp^nhVG@;)nO>81iKh6>r#Q~&IB4X0ds?ql=i0-U? zu2ElS>g#-j8TpAHaF>zD9Lnr$Q8^g|+_ z36fmh_HlM)+J#n|b{;0Ea8}sn#e|3=@Uhl*-}pZdGfjElsH8I)yaKJ-Ilhjs_Hm!( zIqYXuj2$Q5%d4@{hvGJ;Uc(XJZ9$KH-e_8SmC5)Q8hsfs5HC;U#FRgK`R(Yy0JmTh z0hyj?r>g8}crXy^HAPt;7fd_U2biRV^z< zgP#>S{^)LX>6OfN)R2VTtY;~Q`@D2*4QIj22w0Km)g(vzG%KpKQK? 
zD1Hvzjefbkd9>j?DTr|;yB6i@ilD=`>F+Y2dQ)?2cUiBP^Pls|2c-b@#L|3O5- zBOxJIJI$bmarr9^X-;VHM8RbTeMvBzuFQ4_sfE%=?rsVP)@&9ZyL#%3k1?fVy>;H# z!}aF!JNgHp39iW$NYGWNz-%B%@w>)|Mr3YJHmO0%E<4u8OMvcnyx+(|E|-w#SGY#0 zsPa;|rQ`CS>R?s!&>lFbrV>H)KZ#kJ&JIj$t9Rvthspq*mZ*ZZ*zt7p)88}9SR7c2 zZG3(;)^j?k)>AuSv_C`tefs7sAtl==9irC|^{GJ01*lUfQrV~l?-1r`0p1@W%J#k` zUE=`Qq?Zd*Ke(dPiFn%2X2Jze9Wv4NQ-bvT06MM| zgz#gY0v03m#v-h@0ak&JyaNTFB)Fz1`YU5Y zcqmThQB-F&4BYc>9D5`&DrcPrS*F=JOhN-z*oY+pKG8R`-!vSxT0uvM(rWvaJ_ya) zRL-;AGs^^T?LVgtMw_Puy_s`1-B;kWleBXiq?}#!1u|*8 zjZ`>?0OR0D^kA-LdtCTd>_siHU)I!3osQNbX6!mX1ew!IOCmLdx6@G1u6i`Nb8Oq? zM!3|k-&H8n!n=p+BD}vY3~VnQM&`e2L5}3y@4ne^*IY0{XU6b~=P?QE#mG&q8--2U z3;4$=fjU(?!m?Pf=LT*A$FEUZG}CPPl=b=Je^h4r-&yS5FEH8X z+AJ8ivwh;#G4!r_ye%Lx#r~AUN6So4?({VXR6uv0nn;Vk8EvJ0qg|_MT6C0o8t>1G z^zItjzXZ1r4>t_07ABa&1DOv6H8G}ILmfiV{%WBbLJ$(!8#G;~%;(z3WIb;kjWQ6eWS3~>dAdty{l<`b{c&RJx_&jX!F8sVE z-qm0w-`Ihie^!##v92z`I+)k=69g|LxTGEl(gg3Sy_xt99rs&UG+NiSq}#dD?RwG2Rmg)w z<2`OeA$H}o7*EmCIeHA>3MsEc*Km$FFcy94fvjXp?={q0+z9E~KTdh61t9l?oejV( zH^G}=_8SudrB)I0tL?0(N3BDg_;JB;*(h|-6vPq(lhC_qq3JR=TXqQ|KX<|iw;<7z)b~i_30?&Ei9xH4JAg_sR_B6*V zcO&|ADj4(Jj1EK`yR^6sz0hd>%D_z_@V53O-n*jCUX#q_>716T`Fv2aYmwCRf6luy zaDPw+u{nJe0OEFQ(;^|ir}lkC|MnZ-=kc)FYV!Nf`@iL7Qn$>Tbp5HXP!1M;e=7)R z1UMC>^G|AUOHsq)as=x%X@YiUfJT^HOc_L9)jqVNy&Z~31`OL%0Q<}RHpr}7?n2IT zYX)+5Ph6r8vZtpO5dyrelWs^&+r!@LZF^S)!i5NzzC#)&^uxPXslI$-Tj5AK) z$okcSx|Bi%qG@JN?m63Fl>FB+S+r7G|)lqZa!u7^njhF#PI#4eoBAml%CizCk8|6$3c;Ek=K(LLYIGBm{ z?27ts>|F!UGYd;|jT-#U?z(Ea_J`w&QU7%>vD?9KWQY8uB{3mA_nf2da?5~uEHXXX zPPMyXl2H}uYcD`;aMKI*tNcB=c!4Q+Z(m@E3UD>5jReJ$d{tP`B4-+X$=Jhsi00T;^MkM1R(r9AAjE5%Ct z@D>-icRnq=hBfXi+e;85>4jGs-z(4iW2Io_IRXmdN0r!4%Q)O@9V-7&XMyEtempXm!hcb zOl$$j^>O%Lyqb2?9aK)6>VkK2*OaaMhLyhjK;j~wC{_ag6e2#3-7_S+ZLQG3=Y3?q zAav)%8QTW`sp1S}X%Sy`zK~b;6l#u~-m7S?C>-I36zz;VCinS&0enD%zyI2M)80ms zByI4o2q0?kF3_Hlq9jV1L2V(A%9#eXdKz7|J%jy{a7H*uFU6JN5mYii>~CK)KjPpa zcTz_f=Ut#GMFzQhpqN%^`|FE}-MiZz$x{0jrCY~M`tWJot(k;>obg2?6>R}_`F&WB| 
zgbfx_;?~=YMPjf}=kuDhwXXya6vmg82vYFA8BON;@$vCpC6X04_^MSBw;nB%c~WxN zri`0FD<-4B>W|^6gTNp-wwS)3-Obqa{pJ1TB@_AA_wUMN;fGG&9j5T;VTmNP$G82! z=!HsosJ0){Xt`~1ER^bx)WqJ%MUo_6;gzo~z_0D1_0?tiUBA1IaK-6-1Ydcc7%K~( zJn`ADMgFyI&#(4~xb-x26QNrvT|y!316@A4{@~YYRrtk3Z${J3-m?Mls)()t@cOH9 zf|poCO<~mU*L9J?mxM0m=f>qaAtGgt#$lo;f%3zxK#`9506rhw24_I?^a0OOqMrT1 z(;f42AZB|0v|ZpSHvl)S6sBy3C)6xH69E7`i#rRHhgiDh#`yauCbZXY>b>jw3x(MRyG#?Y1u zSQZ{jtzpjz7_#)}7JtAk1T29957@TU6wo+wLwI5XdGMN{I?P1AgcaJj8BLD+F!m*S z>2nM|k4)LoHq*;K*F(DN{fPv-kf$kgI^_C20emUO3mQO?Y~T zm9G#bG@5|-lgcr3*o{_LCfNcXH;Rm9I(F}HrIi{(z7?C zDR>{D&zZ@k&D_+1Ff!gLiQb(_cJD0~trZAsdeH>620drjR!^HXxLu|k!tiMC(KNmN z5HZyg=Bbg6O9h&Ha3wrqn4qS&2U=Jm-W!6V-iLv8`$~An(c@1c_(FS+9`o5+RMH}T zaEoNSw)%0=qdCJ~lUdf(Iu^Kf2L_KwO62CrE#Jx-yIh32;<;J`*lPrZxwqz=+u9m< zl)1vXInVqflb|m5f!ZX3^W@6+Ew%NgQLXG_JT7W5E$?-GE}qh6LeDo72WNB!T>f9*rA9AGUT;7(%WwB?a7d_*Q}++)3kVm)kACX>BnU= zPxZ-K_fdW3zkP`2Z6|{I=^mrDDZvOx_87E&tdt0#$4#7|aB3c4%#9|Nel)0OC@zu` zOg|Ciqzi3sa|XCf@lAgG@8EzP=t4|dGc2SG;A}MQ_2qhh(7sH0E&`A4XB745L)I|vtsglfs5u`3&APsqRne3I z{YRcMVrs0&lK?2>`QG0CDl5!Rsar05jA=6)O?3Wwm`(nsEjfhQ2YwIZY&6;VV5lpg zM69og<;66bs{HxwU(T_gb1j8#wWwlV2DdeNCRz!dgA){SF{7wbAF?~?a$KUt<3mY_ z;Dw_E^N)$Oe%{ReJJ)C;^{1j#rpV7C72hR>SJ$hmsOvO9SZ791rap);I@v5gK=O?0 z5Di&N9Wek)`2sE~RGPuCkw+e|8j|F7q{2#-%CZ@Cm!}kO9)aE2{qd~ZK&-tZhM{e+6EbSBGyHzCN|LkLt8RU4 z7**XQvS2zT#px^g(GjH6Lv*J1^ysz%OD1ANWZ2&U76ZYm2O*|Z)@ZuZJHb>|JV=HF zaLh(4fAHe4{ZJ{f=>4%OvX(k8rg-G4)PuQR;ptfbI7;00&{ou?JcQ?%&qga+@XQfv zwp*7GqF5};RY1YF8L8R@wAq`?*j-l+veth5vQS8viv^xL>q@k!AEJM%;*qC*<~CXp37h?l&HO>P>7wR1 zS0xgYc;k|vjg~=#N-9ywb&5yhNOzkdt=OkRWrh0u@$35XT~fr}x~Q|!DoQ+AI~*{u zWWIYYKT)YaA#^rc35e4$**Z3?XlhIo^uwb^MW2GFPcQJ$@evjTVb3Z8P|{x*b@`gmiia0K9?M>%_aR6MedUt)ly&QY+bV-x4qh=Vh4W}_8x2!UJVxXrro z8YFT^_zJ%;z-+XF2_dlH!?H-Amn<*~>L^*?*=Xex0_UAmHF*|BdX6<&=r9`hm#sKU zsuOBY&Ip!4*pIDC>ytU~d|n@s*f%3s9brF8BVb@Qa(M0sMvt((M)%PpEc;O+B3xwelmT z$YpjAxA6ArgZM#Gq%%Q-cbLJnMu-q-!u>2ak~hWOE4PLDi=!8Y0!sMV9m+63VqCBQi&So&ZOa+^%; 
z;%xn>&Xr#s6+lL?`a$4iwc?Q?6)_q)Hl9m8GtP@(y@as#P!CN2I(oG0mFi&42o_Q3 zva+IXkKMP+S`YcjURYO(>nNwBCw4{#?x?^dP# z0=JXl^+A|Su+q|uU?qmFwy-2h>{tngQ|Tx@e>^I|$_!8SxfQvHb&7BzE7+EbYGZ@C z(f-#eBifqi6*N2|QC7D6t2n99JqeGYRPLS437U;@0t0KA1*z9 zvjZ3YX9hBgqdG0zQ^1bJcpe`g-|ky;OYppcrU*DhCs?oG;H+&+b?iaz2Rarpg5Nhsk<%@# z7NtuA?-kpIO9k5$P302CMAeRE!-)*NWIS2pd``NLc9xpGy}w!Laiu~3*Nb%=J+3&I zql)2^Q@WlWhuXzxS26`01DEX+p%SbpV4=b{@Z2R?p}KVqtG2Q#BdiuYJ7rcAtSVsf z&I?{802IveyzWZInWv{9B}=ak^sLT&HvVGtJC#*oN@{8Gi&|u?hVMM3A;=Oh+vP1n z*u5;}isDsKsJ0QF+PL`=3pd#}`Wu6uE6O&8iCMJ%C+iUDi=Ld)^JDR}T^6c)3BIpt z>|?eDu=v!Ef;8i*>L}rAWry-J>?49T1%}fUBQlYf=}HStX&9HicnV&!M9Sg?o1p@m zH`0FLZjEXSpVbwQg>|&Ogk?dnRKdYBT#gcPCSr9@G0{O%7sB zaH<9OpSax;EC;aDewKwstys;0_A2GNsMXKy+n^cZv`PF&HMayS2OMk#rL%>fS{*k$ z^PYO#609R|5ON!3>4gpZfC|c{z9m?E;2{1ruOx=&g}|TlI`-yE+!8E9aJcskJJ9*$ zx^thkUy!AP9dNj(;0j;pWPmY|-Z-H5jRG%hQgsUsz;;%iaUGum@(h@r8`Qi+{cfH< zIi=y}#t#f-Km6Fwfbh9--C~cPy^9enH*m1aWxg&RfTLljo-~KgfT|grw!31Up8}RF zBil9GIsEiZEn~$VWdb)-+oDJ2lklKzsO=ixI}J3!XitpQg2i94xFBn;tF(JrRc>DM145DX^xUZ6D@x;8?9x zyEE*dXy5IPBe*443 zKmq}@$k9)SdtKaA6|Qi97V{@NJyW*ahrbEVfE%_w|EvhATT<%%KB&4J`t#tP0hi;b zGR@<<_vne3)^2>~4Sb`&1nxMkIMcm=UJzJFUV2)OKSz*Fre3B!Ul*qn|oGUS{M6~g( zHY+h8we6Oato{}p#TSD0?8&y<{HQ3gsV!6}Z`$eA*{dpe_)#KH+x^u=o(IFBM2;*R z_yb7rk=2N4FW8uP6NKo;MvwL!t}KLIC$?6{2z{1yf%Yw1A|1?mKw9(dXo~EC8EfLZ zsio_xDMcN&{fKcq>-+ej6C^!(m&y%~d)dQYGz8_?pM!=TO@UiT8!6d;j81d>LRUg{ z=QJYkA3ykkQ(`Q;-G~Ka)3p}$XIgO8tn+Pm5jvUx`R1Xr1qAeV*8=d>nfCH z9P>rR&SBd2>)S_ZbKkr7Ruk!rmSx3De*n#Bn(&we@F?@7cvL&ODP8NrCap(|7K74p zmMkey;DP0^XDh2|;1c)noi1VK-Kq{S+6ZdLZ}qgP5RS0a6ECr@9DvMKt+(q+lwA5X z5pD^p%Nrs2$Q1+7BVnB#Cjxd$P*Hw+7DtIx4@#$Q1@sd=R<(o2X+9ZTq3RB|1f}Bx zp-nJKx4?5S{emAUZThuKIF9Hv zAJ8&C0pRGd5UkDvTN!F3WJT_tLVqPFmlongAgJfQ1u8A#2Ujag+nJbxh-8trXqHc+;8iyPRHQQCKJ)fqj{B1*z01b{-1{Rfj z!Hw^`whKW8_kHcsX6~)0en|Al)Yckg^|x97 zvQF4@Tal|aZuf9A>aAw^qAF0Uv?%;%G6bdCZQTzHQ{LHK^eMsC(V`zCJ^uBAr)s1W z*mXU`URG7)W~UpqZpGSFxQ^2XyV`G*Q`BewUP8yI3akOgo^ZXzgRcWp-u+Mb5!0hg zPaxi%v^$91a4$uWc>OI!CHH;l;di 
zwX9j45;sav)%_IYx^B+V4rPKm?|$$nl+n2*DDXaDT3eYHdetg1e+|C`twU8~j?GdE zH5pttUaMa7_?vlnuYnkCYxu+c`gJeOO=`>9qP5bN?7( zqP4YB>93P{JDQ05bGjF9s(*)0D#}nqO`i@bQ|>G`g0jYhR>=eNJL3t8z#r4~CUa2g z>gzb*(=?=T<}E=@_%|5v^cdP3fTl;zULEuuLB;ns08Njey#Z)?RO}5vp9?X2Ub*@^ zg39dsaUQH(FLL-z@zHhb?+B`~`?(p|6)#e${*It9dw}6#2e!NBYS;VG(&J+L(PD2R zrWiv7dO_lvFg;n8DN+wiQij8mRkh&=I!E8US4OEn z8y5#gRHEBMDji5II66NkTDQtn57!yN7(LA}LjpD=eP5m0q7S?@72)3e_B(=F>n}70 zC~~W(=kERi;YUi5M?H;H5ACE^gIT94#hCL_bD8=H1VNQ^ALd8s*YcPD`r};|f0fD4 ze+N5)r|dU(r?2`T^Xu>SQ(r&f8u2%dx)+~{tZZu0rHt5ILw_q#q*=pO8m^0N!WxDe zs~YPkvRK9eTNy>BHAHF?S_&W`;=3*uVODy*td)8+cwvqve*VTV>GQ5{jf@{O(PBle z%VRM9sDh`rzX|Abvpr3)j7vW2$ z+w@tOQ9fiUE~>44yD9=UY?5N;JCyvnAn7r&Js{hhke&`{to>Mifb?mX69H?h7Fojq z(|vTfmmlOzk-sY4&vLJYi+j?lzz88#IaZ1Exow4x7tej(q6i zN>FLsXDh%vVHeTi5A8tqOmgux3_Whu0$E__ zE#4aIA-XmihV%LHjm48RmMwf(4N9w&4|~kb;Y8rUuwqG4z#dfBJbthRtmDlbUawbJ z?p1exn#v^}D0s_0-I0lpWfUY}2T1*^C$uA9#{ru3pGkr^mHk z93nmc)Kd^)H`B^4MN`i)k-(mR`(e`KSKBbR_bgkJFgR}fj-Uqm%VVTRuwEV`J-^e- zW2DEDwlQu!XSrHh-pGJ;_z}|cCwUMm)+E&tT}Y1yy)Z!f1m~Fm>C>Ah0ZuF%@BGtgH3(wpA$ zk>zWzhRGd4-SHP2p!Dd9M{U)HYY+3K<08*7tZc2zXBAfQgi7@%rUUc*py<(*y`U1w zmwBOpkp*-VJ*Kk%L|-3sA92A zFvw06P9$wsD^nX)i!7igDN&WfAdSgnvrnoXOkJZxM=8}SStUkNDr5vxA~1(>&vmt< zR4jR{h5TKDuMF4*NojvSwF0%h*)JzDSdb<*hR{xDtw9^o0wg)nPABID(?RMYg9S=4 zo@6L~X)0V{WmFrW-Zqn)1_7g-9uwLL+1KglTk>#|8F!0Nv7w+TH471ky*ti|Nc%)9h`p6HBz215#_g;v|riKJMC3hf}> zhFkCOHxfNYHc%7nd}i&ma&?JtaHxrsduXSTZZQ3tA3Qzk7B)hzS*PeyVY}$#CM)() z3ABRsbb*J(gJ4ab3z0x0!4HC^2Q!wjF^R1pAgqa=KWCAHQyd0 z!v1WxaY*e(hP|h<8Bp_S><3DTA07d;UHxRfmZo?86Q7{o`745@M-N{SEF~uR>R``+ z^(}Fq$uUs|FqUbt+1jT3AkTot*}y+uma3<w%oL6!1d+yn1JmyGI6b5;7aT_}o_dvLCbM_|l|j+uoj$bKRyLHZ`$K}GS9ZZ+)c@Srxn$e;!|1IBeq z1DFxeuKfOXI0JHaLOb+NeEn^32CQvQ8{jr3+up{bs&z=%$^B@;Pwor&C3qUM)El^Vj`V1bANmjrf|IdWBJlLQ<#APJ(?B;CYN|Mxb6uGhr6_yj6)Y5-Tn zaF*BZfP4@ew#H+u33ezF9(`%+9S_2r0e(+Vqx)bhsGOH-RiOL3+;sjCXd6FFddx>h z9b-~oTXD`Ra!12rWPWV)IL&KpjAx+Iy$!Q}isi>Q2ERE3FISIvhO7_N@E+0S?d9eD 
zjTVMQ4=swk3c#0@*5*c-Rwx)IC=6>8_`~_TRh@ZjW84!I>t2^#s&wzM(PF@(N|fua zF-$xSp$7!@x@|AHzu{XaK}~L@JvbuWQ@_IxhaSyo;S9Z1CLX`!u{cU9i__a>g@%5EDV2Yd>l~D#DcJ8K?+ToR$SVDib!VuKaiivzll05@kZ8E9%(7If^;w zpC8j$9A#hCAagEc&SR@0MURN7_`ELC21B^>1iGt6%mrp7px%GSwb|4k<3&)?x>a}7 zp>9p)Dw_Lk2ZGwwEtod?xGn8vb5Kp0+llr4@ivpDDw^6q1xFLGKCQahLGOG|T%>I> zTg~kH<_5DXd<{X5)3iXkE)N%TyFUY!>t_{pxF1dDn%vN(M|QUB54u_j;hjs5@U)#% zHPDk~RbVHEoG}nov_2gRJr~T$SO_XrcT0XKXCbIe-GWGROzf?>42aGps6V~4i0!GO ziIJWdqZ|N`F2M)_IDt17j~JgEUUc!EqCWMuc@T@LmJ7`C3jsvWU2^*RN0&EXP?3rF zN28|V`Oe#zsfSDxKCM=ej~YH(y2bs40Eh4?MxV%HwZhCiYpAS zY9r*Ajl||L()d43zv$b*U-(7RHWoaC7qvwGzwoU5xA_xqoMWk(xN5R_?^FKfq{NT< z&54pOHnRt=gDG5SnbSz3QRs(7i7pvfb;V_lvL9KIG)BF~h@=_Qw#j1?v*yP}k0}kZ zL2z6P6Ch*Oy6|Xwg8J4TXsCvU!p-JuB7GHByuh40Qfk(x-~|d2qt`qXFFi{2x_Iev zuGbyUlxUd2iXT+NGW>!}|qCAJeZAAtr{1&3dy!go=M0?*!I+j8d6U{i|9&cS_& zMqkMJBSl5$mj_9S1+_kjAEGK)T{R&q=(*FHjF(P`E@0x(BQ^USN$~Zo##EpHXCFmT z=HQ9eX}xG~QYv{!co9Wq=A%Zft+JOxhxBzSJo39S9OG$)-N9%wYtpx@ycq4O26Lhl(FDoWPFLIQM|6sGR!m4u+LzpX;X%st7_897vRn{%;)e!CP>Bh*T+kGbsgDo_flO(noF!+XRamkBIn$v2>=a2 zkgmN6cOj_M>;rCB`s9cTU4Zi(IGWX?YWuLPP#37|=Tz>zq;t0H2X(#bnxQ%Bw@@f* zJ&)WX=g0O=n+s<_^DuzObzOK(MLVT zSO9`NY-|z~fj-=OeKF`3BeUIU;_l6dO=i3wJV839F(TaFLu?E`n6sc%2UeL$x#CK& zE9L;_&Yt#fBLsD$4RBlgGSX`d*2?QEY?!6UDyXC>kZ<9q%>>1v9UWK+p4O|*=VP8T z=;o?+Enyr(ew63Hl=ORdDg(m8BwG-2uSp@Tk6yB4oD^GYVRRkk!> z(b3O#>M;0Q;T(9A)3WG$`}!NLZnsHTrZ+%7BO2wXqVCoLbKA0Ftv&bOH=(KD)As~L zruUgRCfOG6)T);Fp%ElcCyrmYht)i!OUL3_kB^UAsFUI`PYa$zb^^ZRs{H#dC$MpQU`G3#VDP?d4R<%ocHgcb1@l^}&5f#lSc!Stz$P;U;8A zNaCFKkx=OmY)p5-Y4vG2T3EFgG8a8#aqu!GE367XB_$|~y;~pBkAfZ->!GlPSBCLC zp~15Njvn9gg4=u5mbvf)CP=Nil3no%MJ*UCS@8p&iih{(InXC<(PHvb5)_9;Q1iO2 zY{u`$5yAPeag)0y|Vx#=MQy zidUr<6+s#9A*y|fQI2mEX@lS8f(zQpQ!-CPiFHOWi6L!JT*^PF32JyB-x8HDoJtIG z%ZyDP5>z*us`m>vf*&M3V&wnb_9IjED8KN;40QjVC4djYy*0{ZP*52Tl;fn0S9#w7K(#9uL{ILN))`6{g{h9 zUZK*Lg@$zmQeA~xeM|K`!YiF6>t3JCD>ilB3b-0SG^KvKza1#?s26F6OK1mWLfDs0 z$}1O12DY(jn1I1Sk5}1%^lzpP6XK0_aJ6f%Ri!mLz3%-wiv?dbXK8S&i5)0leN}i0 
z-YMPsTZkSh+tWhkppaKctIaCW`t#U)Q#|xtp~`wU z>iyr~UNNK=d+E%_@BA}Vv{Rr4uf%z zgVmvEmaAiqH7Sa;zdF&QDBpep=P{$er^en$6F2EQONU%YGV=qo!} zLz7JAGJ`dzP8Gv5xS%<47R+yW{>wN|ju;SULH)v3O85~KPx~hd0u5^ANDd3b1*R7RwEbSA|ahF{jqN!h=k$R;DF@Oeoz% zH>n;|u;8R3Spt#Q!XdgP=V>u_zBYdYQR1q8er~|pKQKa;Vj!66hf9fO9u3#|qhZZx z9cF&Wlt|{Wki(ZpO4RaLl&j(qttfkR$@l`J&T3d7p`X24?124Dcw!>!qdcDkh4Wtq z7geI?a?7z8tKM8x#GN4oyOSRnK~DA(9Y#?L|3x~Cq5}TQ0HZ`}4vs{ZhBy>_Q%4L; zN^~a7q0*Uq(C&D9n?*X6RqyZkJ;jZ5Nhd-A}MJ{If6gU_;=r&!e2 zOa!2`o1&?huJj9oBG4;NQ7E5E)6gSWeVvEHjWTg-WS4rfVB7EZI{hvw3hcK-qxJS- zwi_lPAKdqXmx)V?GW*AGfLl{SmTaxqT2^%fL*IRPu#g4}h5s!W-X&Q*{sGLk?}EcX zF3IZc@14qa_1;<6{4gm|yH|uskF@QtaTsF`U?y!dKadg#06IuXm4D6_~-8z;WEsZqbcf-(~ob>wf;+{>BVO-5HT0|;vY71 z?c#T^6WV8gx%iJy|GoRBzg+zOkKZneO7}So0U(tZb8!L7SMrM==vdq;vJx0@XU4G~+F0c44WNxhy23`PweUNQ z0q4@tA=QfE5^M|p_@R!)rVc_qs1sNTo@{JOY{}MYXCI};F~Jo2>bHQwebH~ zNp)fLAk>9i;O=;_;%jl?x>9eIe>dHE@kw{*yNkarE>v;B^8`28%>@jBeVZ*tDB()1 zZ}C@@kg?-L-=P0Vg>wPFz*c?gKKkqT65H+{MFX$?yDlmPYd?=y@4RhER(;=2noi!@ zV5|@$vxT!N#5kNre!x_nWUmI8p6{yEtNV4Xa*? 
zYTf$?C#-{w4HS1?&XBc`pdSC*w*fu3*_OXL`qs#}P520_4RT3Poqt{CYzYt^`KJGv z@j1+1*1r;}Pku>IivKlGQu2Pi9!lblE1Pj^9oHBrUcm$nb<5FG($5u!z{A1iOA&y0Zup~l}(TFb3#c_i{C8@k38=`9?qCnD_i7ic+roO zAon_e)5Zo4fco(fWL*dF4Xof$c*N;ex30JP&$cw%+K4545t7p8ccrFn2`+~z;t5NP zFEeUTCPV8g>N2$3sfl*7mO6XS51t<5dg<<^N4^dqY-5$Tq2}s4^B;|lro+F1^`v<> z7t!^f>&0AEtNd5Lp+ij#TMRn+Y%4^J|wi%;1^ zesz4U=}Us@^fq{|iX&^dtyKwzvj|qYxExJw{@_9QZtb^lFk{gKPXI$(QrX7O^vhyk zXly4@Vut0P3M(qK%+VQT{jnATH36fUKKSRLMvaxACHC{e7VDbBz7=q05o?^%z#(z=7zFwDY_ zlpH1M)6~HemTSFzm|NQ&!7!bbx2P}*7 zhq(BgIUTw9Yp&#SRbMO%nJ!7juVXxDbjic8idZoe zcNT7f;R7v1g5v70g_NEz=CzQ%HJ|xn(|a#qaxHNY!3b!*ed80IudO4R+xeJW{I3t# z0vGKkVPU$ek_)Y9_^2_(+g+6 zU%RH`-6SPfYVPpU?94BH;weMp;UFH zZy){p|NYm`?8|I+cXKtnWw#$bT(axi+e>yoz5SK_`uXSyKUVM>|7i+7-Z$R3JTm8Ig)O6 z)amzVy4NpjC6@55_|segQGL*X<&1TO*-2M^Q^jC&`&)(F=@p4qd25C=)M)u%HRkl> zOTX*m%{8?D6RzlY0CmHN*BpI1?4pZ%y>KUV7nS(dz%qq5_miB_M6+LZ9QNw@;PA6f zf{>I0g5uhH#X9jxc;?ZYD{CJY0Y*v@`>n&v-&`(Ri(BZ0Lx)8n?>5!2@yB1_zMe`9 zoAUp1dhVA@>XJj9iGCm?p(~H+62L+%r8if({=F%YR_QeyXOykccwx8}_8h$JVkOe@ zVo?>@#fLa9n!LXFL-5Rx=B+u$XW)x11g*c)%vD@TQ@YbdIKi?}tR+scNNcfZnH4Rg zWmQ`Oi6%is>ZA8EoT;$lqw*mVCYIVI=LfW;zX7PGB|R0!Xnh#%TWpSPSf5YdTxxnq z7}*8Z3S9i1bAMY3#DOc?J?$ZbMar)(o-F^aCH=pk>KhHh~d2gnpiAC#v z-Wmb0*u?0kNkq+My0sknq0sZtI6`3M7|h1+2Qn73+1Do`2a@u1&$K!1`T+l@>3cJp z;lb~g^1#FPzrR}LXiP?zKg3`D_^7Yn!3c*3fBWZe@XCGr?!Wys{qjLS{IY^I`6pB= z^EDqiAJ6{t8(VL2V*fHth;_kFtP#SS6f>PuSk402@RXp`^xGdsPTyQ!`tK-!EiOLc zwsi4#Ue!4;#b4vX6u$BQ-nS-6|1RJM0(T$Qq}Io7%J?WQx>DU24`QRdDGpQO%FR3T zP3v*++7%oMtv5e?bIoQiPUs)D#)TqUntqLrt93i2B-Xs;`GB`WkHL%*NrZXVd4i5x zCw|kE(2D}kz%e7okCT#%$Ml^pQkRP~I4^8EngnwoS$CNhwu@W^X849lSqbe3M&Fd5 z|IpK24#eq4HWoF(a?!ZrH#z*|Er|7vi)ND+2QrZEbg>7pQxDtnX+?9+%4j;hxxSxW z2Jt~xRYSpJRMCY$PDdA+p>17wXy}9bi%~S17vG)Ik@eKTqhGNI#ecza4v)E(Kl&S3 z>?`&=*oZ5wiDaO__7hc4-et&(*?l0fpun(WUe7u=KzyEssDGc~%;?Sq{_~(zG zKVE;n{K#hSKh79Dnz8#U7y#EFKFzMCv-h+6_kly5x=6HLgRv1ZSRAkof^0>CTF^uF ze+#T!ZImu`Xm?z59KqnXRPwtY<*1ordx!1%ccW`?`|f?TR=icCbD^BQQG9>->*c4< 
zvoGxG>cdQrUH0+Qbjq%Ny}o-7EB5Tm-As?-cC-D>_?lq5`>l0o<4$P4!m0;;NN{&V zX-ws|QP@}if+3go`aAgh?j8Pn4gY_^z_C@UC+LE4bVIxgamG+ortZ%nU3_35rOv{O z-AqT*oPL=1M_4O>h`f`2CKHOcy277;Z$L=oQU$GDGukUU@&#td8KYR$>XWp7|UR4SEdmHE)&|7cK z`92kS&ExvQbdCS_y)`vE^7p;DX7sVYk2ukJ9hW&l(dR>g$bGneZ`T|sbg-ik9qpVk_NmxurlV)DRZ*Jxq-UkzZUUPJ!%T$Uy-T;%@pjeWM=4mmHGA{F| zr32C{Y;*q5VNicTFDsDwvHBfP>EXEzf8sObNqYjXzI%z zm*9e{x~_Qq(5bCN3Me7^mNFR1<`e}#q*x*s3*bn3&AN7BXmzNP$1vJ;s=9FzUd?Xr zZ&5AD*DPbXnNDby-Qt5f*G4Qioxil#FeY&yRXta7EnKtQUEg3Tl&@LFazdf{Qinme z22As1E50;+AMv`zb}1GbTOv{zAYf7DxSlUL2C=Z+mf~wJQ$B|^q~7SPj#PZdh7Tgn zqX|O?xzkI|71NEBSj~RjFt|F}F#sz?fstAp)|StP0RvlM)$Wbfv3~vj>h{KOZ4(rW z?yZ!GSTk*KL^4mrcNR+)dz0d)1m&T7n1;D^)`PP%%>5w8qHMiQy+Z{PQn}bA|4$!_ zcOCxey~S2-^4Jf7UMRU)LShbItaqA9z@UoEa~n;DVYql5Yg^<2X2F{)K|h63*CFY*#gB#iloTtV2%ebG{x&hWqKeK$G#BQSPuw|=T4KZ}Yf6vIs0d->at9)aFz!v#8}@hdnc3vWx*SXl)tWPXf*+mxU< z{SJ6M)RTBqp4y3Y#BxKA)$ZUMCKA z5>Icw>qqW{++6YFJ0s%tEQ{6-)Nlf5P7q^yu8{w8Uil z%JC})J^DwsspzptvQ0&gf|}~Qn6MV@0Jf|n6dI_%%j3CkUibp$@l1^2;Eju4p zWx6{SE6@2YIK6idTn{e!F(p`>;e}SFvtws_jXsmYs;8ncuC*fRSHwm0{1IpRuo1?l* z^nS`d^k(n7%%5X;PSqOvy=tlpo1{Z5R1vh;(qluXVx5>%Sb^aePCOFRhL#mCR}%eO zK}~Y?=7k$vlk62-|6ZmAu2(RsIjV0$bEvv%%vJ<6Ie~|Y%{LaFR~Y|_V3mhc)+{a6 zrOz7664T3NNM`NTXjL9g1~0biu0%VU=;*UNMi>2Rv?>py`xMm61g>2XEG`ig(_qf~ zdcv@{zQ7Ag7a{h;rpM#9>ke-{59X*>qt%IcW|t<}k0@Vrw&H$>^c-aU;Wv1Kv19s3 zT6~wP-m$bN@S4c^9Cmmhuep-&7Fz;n4ue~WoDJ@#qgai=Qt5ROUA=kXh>+OjUJdbY z4XPQ`ysEo6EHdh-r_#41#Qo6Nk`?=D!)MMZTvW+BVr4U-7 z$nB1>9$?)aw#NEU7^K_NDl+uR+cKk-xA6I*Z0HS^hr&Ey)$#;)A$%zut+d6f`rCe~ zi}>dQg9%=G_opiI$^P$QTkpp)73Rdd8m*?r|HQVW$6GzCk_GJ+B0oZUywbNrXFOKI zE2?ufS{08|kcrABJM%d__hX|+9iL@U%Mw1BU~>eGS$eGUEz#4Xif@UY9#0(B4rs+? 
zbv&fVq{1|;!rB7e7Bs1_lwsb3?+*{W8m$z@GgxvCgF)}fR`dh=e4W|AH_VTewjg5w ze0nr7$rb+JO89G_Xz~PeUxL*z-n38YQ7r6J*Pqz8sPtsYaEF!Ix*}L~V$PNJR@uKt z3{QGAY8wmM;id$$9}PX?^eE=6A4Knpg++XkDE-e7okfos9fr4r|Bir0kM_J6Gqd^GX!QZ+1Y)+RQo^1PL}7*k!FQfgdJ8qVifjN{_yrcrdkU=1i5vgZQQ9 zbMTcP(zk-GaM2MMH{H+}+&@#f!VU zyE~MhbMANU{chLyXRSB0-XzbH%xsxGD|^pOnlLkiMUuqe2Tbi%->w>IC6J;CP&+p# z2jr9tZOH2M`ZdIqO-8DwL#VW!HD-+3!fW(Wu0t{8-@uL0`DOU&N*~`}1Q$sK!Vm+V zaH8xJ+Vwp*qc!lh;L}w1>=-2Pnw`it^uM#qKI6QL0;vdCeXn(#T0}^1nfWw8(H(@! z?B>9tlM%j6xk?NxgvJ|UzzCpiC%xlQPE&k@KqOXY(}*t0Mc}Udpe1DtR;TJ)jsBs7 zB|?}SNUx&);m(kwCTPL)0BeD0a>6V@lpzd(TQG7YM6DckJ{)8Fp=AaU@SDFm7>kr$aoj)B+Jh8 z0_YfIMx8m2D7O^<^*u zvmRgzNssFsBr4mhkIv8?(87>peV_8_OF$sr&TlF$g-zvrtNjz~2zDy@v!sfES(3T; z1WC%zXH89@gb3PcDmSGz<9Ipgo8X_l!< zLbP5ZCKjGe1xl0dxpFhl#QIRKXYOqX+ioP9#TNAG={C=4bLIQd3Kk#$P%TYTdai5146Ygrr+ z;d{L)?>=7&;)7=pu~jWPmZN$_ADJHzct4bhOTUr9DSjNV{HGH!|M`b{-^Ftjf}k#?8d zrI?t$rz1h_wsi6Yi5`!KiYt-6F2)@=f-J;xr9^!8NBL!RrfMi(1DUTjCTN2oc9#(g zm(i^|Pip0;0bj9>f1C}-jR#+qhs*>@#yfM-*Yq0TCB3=&S#MXZQQTNg-K8HmEcRgL z!N;=7)tZZN?pDGf1pPpe57Irn-33*_9eK2^`R;h`AX)c2V|r#h-+v53So4+c7zhNf zgi377g8xdA>_tuHb#uUogBo zCgQkx7>N);J6kkmppf4sLT;vQbiw zJMtM{hu4k`YXeGa<4@@r-j^lZ?-yzJRm+{G&du;X9m&mlm@`R&l0N?alh{JmvPgxe zFMe-Je&U-a(EJQPy%VxO+`Jb^sNqKSZa2Q1w##g+9VL6dTz{Tseqy?~pBM~C?i_P; z>4Ge}e`e;Ve?xW+>=8T{+_TqzFU2v;l)_s$id5M!G2eQ-Bz!MOy{z!vaF{F;M>Ysv zEzZNA(?}Vh9jzPAD$F|RIfPoB?`XL#r|JVQh)f9<^;UqfY(13#&&1rpC0a(8y1-S2=IIip0t#To>3L zc3%0O-%o|}lLnpY6aGmkVCKsBfFRY07TUYD!Tnx%TvF?lWT-) z`x);lHwlptzsxoVo7pr-WwOV2jV!hq^adwK*-TvwRuSj2LvcDkNO$GgO>f`-%qeoZ zpJzjUH#a4_u@NF=o->)#^CR@IRTpz6aE+i!u9=Hvnu$9FJ^++gMCF4^PK(^(uakC5 zON1*h#xcmdfB-mxsUXD{@CpvvNv#35z4cO+L%Kfpf7hXc|XO)M2v+!+Q~q-8tYFp;`82<4gu507@~ z+*9UD0rba@PCzh7EX4I#avxhR_-f%0KBLliBV~r3=RA@o=1soENdcFk6 z3TwUfP~1TlNQELHg;V3C+`5U6Pi_mp0?f#`!kq8myrh%>OVGVq>%{~c*O0kV0aHOV zwqvTgWM!Lml)RB74W6xCLzD(x{VH7=AgpRkB+u5d_CtnB4N~-;dn^OQM!K}fZbr4Z zg#k{H)WiMySd12Bp6)wK`>}MXpUXt~rlqKoW%a2DT^L8D(y1dRsc?ECnu!+xKUsOD 
ziYGO@*~WfUWo*gIVbm-Vb+5m2Czn1>s_Y1(PdivJi69^MSZZ~YMz$)7@gqa2m%0Zc zCzA!#PAVyi$5))np`TV= zp6p5~HonaEPoU{T79ku|I+I}yxXtrSM4GTF8)JC~lc5{$Gu^!Ro~B%*gRV#A0L*|N zTD^lTJ{Eat{)PKcIa)y3i~0^t?6%jvcNRE)EtWsPjZxF}q4d{7{-m%oldpMC-4~-> z(b-m>SiIJog+Y>boogcp;yfksf(`pf*RTs@zw#TcU%xv?T@Uj!cJ!HrRa8b&2PvF` zzA=^!&fU1AZNy+ychi`WU$<(WPXptaylY|~2Z4bk3Z5;(b}H5*-uHL!8?}7oDa5t^ z`BDefmvXPVhc|(PUrvo@$iv(j&UXO+kzHsW`*1)WI7$>P{V*p@yn(aLKTGMc$(-$= zpp?Hzo?g_qLalc5OQ0z=7;x5%%-nbCIF=Z_I4AW25C(3XI9*dy2eR9YuodoVTF3C9QlU6n(H#pWc0IX;P$Sbe5Pa{fXQ z96uXm;Sr{T)1{&`ywEs4w{&2SDw_~3>OGO?JkSt6vWX0kK<~$n0xu)IUvz9=btIe0 zor$98lDd3EJ~oiw747}bjg8r6{WWBiFqIlSIEV!Q!wmP0$Ij5RjR6CI@uuzN;m~og zNt<;n)*zFgt{otvwC&yA_>k4Z?k%zz>-4ml#n;X6$U{a;?niVMXk5?UMAKjPe(D|Y zQ>n`S#|sR*javQ%egM=L4bdHe9~Iv(!3(@9;g3R4MPC87r378)KTIwnOH}NylU^1M zC%gQrea=~rjc$5!r8e%O_2xE|Q%W0@WUa0~#d3R*6~C>*^1$JtVpUNVpRR_RPVq1E z)7|JaK&PHOk3bM>%3Xo$5v%d{*Z@eiJ$RD&h#4QphKqQK`sa1MO00Q47AGJYAN17iu-f+U-w)O__C zcxaBXrcLwG4*;KwW-N4N%2jJ=!dPH1yW`FJyE*vPllUHN}8A1G3 zkhe*f#ie0!fq4d>-d1c2a5eXZ5YNHs?#|@O7augh!WV(Rnh+^Pbc04w2vXUof`})% zgeNSDuMH$5K`-zUQ#$Z=*qg%HG42V*!TJIAMP2RV7V4)E^?E8uynAm`JGfr~lvt*< zK(^13Qhgd`C*dMMxK!;X%c}(<|3=_~7<>3Ssu&JQWXN-OjD#14zQ(!frb1~8d2ukn zgkBuGyQ+fQ&&0G$o_{6KD&bRFu7E6y+i@rzDjJ)?!6n8xozI&Z9IAY-XPy$FoYg5& zDpzYiImsPhTEpLDB9E=v1JAdc*eXA7EZ3ga+DxceAPC_1;pQPyf6J)ZoP}ET4MJK8 z<6`#ihtw;vPj@@lIlT3?)AMJb4>wlZ0$0gtnPV+LZdZ7c_^ywzItIA2K(Zx z!{H?8(hWYycoCMcXI73YM5p)$c3QohSI?jaFYf0iqTj_$3g{DdH4uN|INc1qJDdw@ zwg$bw*7l^5$vIjV!66kx?dKe^ib)KdIxf}lW>K=lCi7<>XMKo;y9=Ut89u~8Ac)qx zJJbmh(WoEdIg&b@hh#uo2}cOYE5!86uiRklG_`lV0X$JDO;V!S9UY7o$%pFKk0MPy z^`d+&6#IG6fsos~+Se zQ4gJ+YbK{91Dx3C^`f%mGS%*Y+wjqy?r(~F4;p@&b^OU|Bq~JYH6sFRv;2FafjMnS zt@l)~zfUxWo$X~OCOhSt1W>VAaCh>v@|$1WO^Q?-@;U>kY@DMi!i0`d?tiMS-kv$6%Loh!I6P>z&(}7Lxh$z zR1o28gm;DE{DU$jJLG!Ki)9Eg`Z3hNt`6Eo4LHK*k9QRGz-1OxI<_pW$KayV+sf~& z%R#=`3DuC%1afUL_J^<^Sev$BiS7FyI(1X5ZEvU+o*9iXU@Dc>Ow z5PxXtj=yk}Q9{%4VRm%w?d!1`ZH~-sb9`*2f6g*&B$g!?MG#q6Qj7QdIa6x`B*js% 
zo1WApoJyAy!b&sU`#{Sfz_j#!YCy)=E1IPfFy1SeiBwL0a#jf`kZFo&> zDx{ogt?32w9&vN$@yf~BtKS2Mr*s(=cB>91mZ2n3hq$f~l$ZEcS1XImdzRfjJ4-8q zO$ioaSW(9T585NbqJy!gkwY(;$fD`!1*_3lcz^@11e_2~+DTyY6i%hcZMM4d5a|I4 zt#;qFneYb;kzM1E-IO-hE$EGG8A^xQCi=`tZFr^OHgZ}bA6}fakgb+RD3QlC+&~E+ zzpZ!1w|u4NBX5rybhTxGK!}drFJJ(5R(0ird@=U+b?)UgM38k;7($DaIvcD?XQ}s4 z@ra&rYBBw2g1E464`C2Q6Th|`G});^qqt-^XzAzq?uTNnGCDvJe2<|O9O6L5FLF$LdXFYdZ$ zm_B?m4c4fH3if62^Kk1CN`{+Vmr}kIb@bzRGs~G@K6?BQe86l!TRx;30~Qm|u=SL_ z^hXl38c`)-93#dDuD8!LgCq{RiyoN!`tZvkl9(~4pK$pzK1VKObo3BIX+lWiweJae z6cxQhn!?~PM|0};VOXLt+mtOc{pcakD0XOqpaW>yAPkW{;eZk`4i5_!WScwalei9w zZ66Y3o;e|S6(f4RfQ9F8CQs8h@oip@`UaO=XbPQ15k5*Im?FyaZlUuQ*B|!_bg=!} zBC|i0nb(^slY$tr@O@pP!@xZh*I%kr|EG$`pMZAO-B+~UfJ)S14stEAHY4b*$KQ@>gsSXt{J(yY)g zWVSq74KLBA=sw;(s~Vr8YtV6N7u6-PJWKPyjjzk2V4A)JkRHEkfnYG~1^l?b)N(3B z2B#`g^w2t{dEV#;^axqn%=Q=6F1DXDV$%q5pI5$F8i-Zd9~?;oL2z2n){W(+#-wRk zXj@w;=m~767U1JirRL@|s60Dq=ri=L;A|RJpFcdYuo;z!h9YqV5$&iY-$iE+9>ku8 zs(g){bzt`2S4t!Zot(>e?Q5ts0Ygel-=uN@SU^!pWpOA*_nn7Jj7MEYLgcXrLFA?U zCS9KDVlyZVnx)wH)C?F(FMoheG>3u~d)^Qq?TVaQRS(=uH!({dwKMqW?6$+t7q9Cx zutC1bjK@z&OR!`U;QOmOTyE_}1^06NUlk_nrS!Q-;~RbM{-qRexS5G>pZvFCoa;@t zONaJ4K0gwEBYUQk+xPz}j?xAI9Y4z@R9r&l_WD^PWpyQ7mkYlsdly@4G*?~);$qVg ztKKrke2dN&?t5p;cf_-F z8$A~)F>^-^h%uXHd#ZGpmZ7eNz=4?28e^ILxh{TVInPRij>%XR7-a6+&DNbL7=Ebv z>y*=+s*|%8LuAv4Jt(b=`IFm5@&Iay+U?u{Je40*sP17svOtn_5#RtM&-=dpga4Ej zVNk+1`DG>JqTZ#j+(xF%iFHN4`n1i{?7g$fu#-No>NWM)TFaZaM{oLU+^C_sP>kO@+l>0s6S)TYl`3xg#_R z&90ftGF;Iwd@T1cqcpF-WZ6}6#}~NIU?v2$_K3@-N~Ljq2AsjLu)0U0PZ4Rn=A~uC zgd+SN2IneD7exyn#EqfBzBf2ot13}!f-8W!$5uPDmqjwZrsvk*5S|Ehxaq)E(u+NR zkHpxXBXQ>f6Yqq2>5!J3SH#J^{kUuq%$S_&i@%%jiLkh(PLX|dnmcByacb6#hW$5%^%M%+0 zf0?dza@1JR6SR7ktTV8%v^I3F7M_oG@f>=lFC24e6;@qBFU z^C<6J8li_T3>xeco%?O#64|=s_d8e)3&{*`5Q1!%7k0VSa&ST2h2xp;Xr-#I2x-(o z3R*;_0gWV~6>8C& z>@5&}Ra}QUu*vV=qed|w2s|AVAUgXki5E3XywaFy8SIvfApZ$ZVU!Ou!nU^4slN&9 zU=D?haC^`zM{ne;EfU*T)Er^7*&Ez-SF6sn=fesZj6~L8#Pj{-jZ^peeu~b44TTdw z(~w#(CTDcv)pqv&BOf}Pz>*6Enylid^Ql_lZ;0!Oc6geo7YO{SPsa;E{>xivsp-8Q 
zB=zh$i;-0^eH9+mTCs12ero;{CYHEip>%-g@Y$R!Wh_#ml@yzqS~sdNJPmQyr#ZgS zgFXf2@|ECaSx*{>E>n!W8}}gM;JE2L!%e>HGapC%;0AG_mB_p@6*X>A<2OM?<+B%u zFP4|h(8+Wv_THH$Iz~m>jS8Sz53EF;h?&nT?^Wcac9>+lJWu#f;FV{6n0qi(QY$ET zjp;>q<7KP;2LKqn=eCaU6QDwu%*<*l3Y|79W$|jPZm!(~Jz}9v6}j6N@`3o62&%?r zpv!?tv&h%@Z@FvFm^hguA&StvSQ$Yr;wv*7z4woss=41_UuPXbOUp;5C8GAIk5f~$ z?hYpF&Rg1~66%jMFc78uHzCQRUF&)@S#{oVd-3CXBDVu>$>TggQkE2W2CHTqmmM+X z<=+)<+L5IX;Wb>c^mRtkP+r2sZ@g2)k{ZH7DOPU#UC-S6XWs(Jed7swU{_*ZVmNSa z%O%=H@5LZj+ZPp?+Yfajb8O}6X%4OV6d{r!_#uOKf6AI#-q%_^@K~6+-2UE!nJ)5G z5RC%~mWanbSLsW-0mh6+wr zu`SGj6~Wu_n2JBJ0{aM1i5!{s!(+K=x_R@k5TQ@*Oget%?kqWD2~9@$)h7%R-x%h> zq_nA>-+@5jHqV%HJDWSVUz+nH;o8~MWL?Tp8;x9Iz|3~9t2hUGFERW=+w1# zDSb>hr1iwEzgF7PWfp9u*|p9yH2VxJQFWCoRT0zrZYT&n$D)sG6>M=2m^ByDlD#?E zIOqo~2B~5)szlMy;~}MA`fTfq6j?_%esxz_pDNp^Ms*w6)O@H>%GEZ~gM%TD-FM@; zGa-tyWHjrr-XqXKoGA`Xf|nnI#ecnSVlKI`P+y;-pPV?R-d3C@$gR<->k5>LARs34 zC~jV!Dz)Qp_-|-+>wt^Ofn*0hUoJs*^-Vg8V1-{yJbG*AcML$vP?(Qt^d@gEo zb%*3pEdkl;!r)cw-uC=@y<= ze3ZLuzi>W@rvohTp1M`dg&IwaOh&{SCA<-m#xzjQ@h8fB)eO~_ ziCF#3ntZD5(-oK3tCd;3^jzYhBS~d?k^wHq)7Ul$iZ>FDhlh@UITo;8krB24ZBqme zQnTtbzW+%$LZ?v8(R*xEAg;(?gq%15-g?oFalqq@;d$4J^1G(-Y~zEcibkJ~^(5q% zS;TeYa+IRI-cpKF*-gtmYeqJI%uMjUnq(umhD{26-TaS|E(q$9)nrSDLwDGW?iN%! 
z8^^gV<;p|wFbQpNq)sLSu~_aQ!LMtvfwB%jlNDY9J(4+xKk?h zmHX&vcg5ndfDUU~$p?){VcK-za5N8EbajAHBejKduMKmT?2V|S3@%e*iYY7283~?c zKcHzZTYDJEuCV(Ny9;gRcGYHD!E7)C;)qU{L@kX)76M6TJWGh{TshC$s{t{=#lSDG zS#P9Da*$A1U|?WyV3XvNS_N(rzk!foU_%ICV0iDZde}0%+dJ7fTbh}eLz0l(c7UePwTYp36G+A`apq1hKZJ9-WB~1YX4#TaZ;qQx@-D{~Ud=)Gn z(92XE)dsmo2*|WW4mc?Q{W6z{S@4rr{XRe8z&FK6`=nw$?T}wtqOwe|5em!6mJvNr zSHCGr71iQ@pKR2^w83XjCU>^_9o~0}ST-j>aH-O&d67xvNFgbm>KWHPw{-G{H12hh zrUUB30!BdVVXP-BvpD20go>0vHaVto!Af(IO{o_~Lle}ck)ba(uRFY1Q4IKP>Omny z#Lz_p?7D#o+O;1Do~PrPy!&0Ud2G)Q?b|8q+c}#Y3U-BZyLjc+Xvzb=xnrE)?BTej z73P%`jWpE%&H_AbT5N|@bZ^BR6zpe6te!L%ufru$VR~KRzPSt^$-Gch@?7<;93ZpX zaVxj=7qBNj-H>VIq+i}!9@LSMF`aGVM|Yj_OXNDAPx-*=Wd>0UjKKtG(gbJ{z>!aB>sELamClVZvB}2RvHE8f`&QjozbBT7sza*YP2= zta!Lh#sWE7TAEkhe)I+Rm=OsVx@@>UO9CMO!yYBrGA^DmsnqV#29UXrkqXkpglBj}r2vLnG*~m~A18N8IN{ISXO<>iD)H z#gKx6BX2U4&qe;KTJ`1&eIUYi=gish&>dMr#52xvz3Nh|1Iik zZ50w`w^qdHTRsrawT8>u(^0Ku*b`ES&*^KX0H;bBsX3dZef3C|X+6>PEQe)Za;kd3vbQ6zdSAyRdGR@%XJhF71v5dQyWrm_M+b?y5T-9 z_C`i}h=Hcm6%Vsj{kE|@wTNSsv;WYrlDRC>zBEuB2YP-=L;f2_azj{93-kzoSffTk z&B^$Wc@lj|9y6c?2?uOoX4VSD2p`P6q)i9<8mF@VyPLKvU=u`-B zVBIq8gm_m#ffnAG``0{3IlbaT)L6 zO0()r3I08)<9Pv=ZEn24&+4;|!7L;^mPh*lgs5eP{YJ`PVQxjT*)GfQWnDcc9E&++ zVtmMnic~92COx5s1Lre3e6kfr>Bw?P!_02KQ+{3I3f|av$9v7Oqb@>QBhUz&2bQtG;3mnl$~Dlk8*YMUqRqD z+L~6J)hC4-Jn>v5Ww9L3hVCvuLk>-M1k9Li&f3J2-t>x){6{Z?Y)w7uxJQ=*N5i!x zn|>(Q${REMP)G-IlZ5dJ0223h2&FJ>V&R1Kya#wFot5`$a&6vrjqbv@%AMxSFK2v& zGPf8}h;F*Z{H)#9pD!{gW>U!0NzA{7c{Ukb>;Kq$B^mL49UFVkm|99iab5%4FM_N# z>1$6ba9z*86>`yEgxU+JGvTZ2@$83=+llm9r+<6U^lzLieD2e8zO2CM-{!Y9 z>AEg1ImG-*?)+DHwS{p{shQ0WanC`a%;s$lF+^VIa|& zRB^N~)EnsS$wl+%RDD%yq=NI<#UVM!V4z}RkbgD?hF)9{5+DsH!Vm{jTyP^?PFiCC zzQRleg%2|z0bY*Xr6YS@Y)P?BhLhcQjR&qLIq1lb>SFKN;w@|f@icMWOKON_O6wxb z5a?F2&j*oBX{*=^!~HA62-2;EQoNhV-9!H?7%2jANB|gEO$Z7%t)VzP23Qgtr|__2 zFLy9fH^(^|IaH*09K__YXIvitB}_k}JjH+r92z{iaF3%fNO}PUU0MtcTq5>KA)uxy z6Ti)Mtk|E7=l37sOq0}cWY@a~#DM?OYT!mp~AYal8 z!CJmhE%p_$IbuIAwHIX4dvh1F&_!m6F87w1$ykNTk?lt0yj)=0&(f>AsKHqQR%=6N 
znCY0S^^sFfm@$VVZsK+UjbZPaYLKzVZmvn*`9$NXCJ8zDNKk)gd44&3dblk#_4f7qhO{{Ae6 z8gFrI&M9~)_lcUMO~nWJ+&EM;$*fv*R2RJF)H9ZKXU zPlX30qrCv$S_38YW*~LnUI-s2>!QqG4ltT|{>V9|n96{Qf8GFnFSXNs}5u0!E zUyNv*VOfh6u^V+=H)u{Dg_f?nXAZ=LgJHzqz9k?flap=8GzGg58o8c?4gS_wYsnbn| zBoZoomgze&)xQff=3RRU{w36ZDezw*`9GrlTbcX5DIf&1ph;F?IDtt44s(mk z>{f7?(Oh1-dqYMNj!x-Ym2#r&^2;t12A@gfztLFtWe^vi5=BfN1gb2uwef)^G7?Ax zx^j;fgb5LY*OcmDciM{QP_+_qdY5eGQ_0S!5 z1qJk+4-5WxUkf$~wMgF;*zi4W!F=!Q7cqM~7c)B-12s;bKpbS}Ut=Fq7Cs(Wm>5S~(mm+0$sVWMDYcb9%9cL7rlxzbyx^XE2 zB|rkPUHWBcyplGu3c8x!2EM98Lf9YNQSfZ#d+{N~3&&)U3P`bIW0<|Aht%Q#F1Z$` zc!j)WaVR)S`g`2lY%>jXIS9LBj#0fS!kP^Z9_0HX;G0#tNCak zRXK;YHP)m~KA=2Q#7Lr8=7&`8EBKtx?LkLPTl|~%aZBWwYCUYeBL>cbm+RK1msyf) zqLyz@Kkv(2mLB54Ir$mNP?hAsA+R9-vy}T8)R!CoK9WQ47ux&v&m-V{l)=DE?M;-N z>>Zq$jT{{Q8r(n8CpJy~2!DO@UH8!cfxfo^;NAZlZDQ|a_J6^n(5&RrVBXQ>{}Sgv z3<2Oz@1*bE$;HwPVD_(P*8hv3EL&=kA08IW!H@p$h3LNt0{h_p?cVjKHmpB~<{}0dPDeV7c^Gb5i?^^WNu-Q=dka0{|~&a-R=MY 
diff --git a/spreadsheet/macrofree/security_checklist.en.xlsx b/spreadsheet/macrofree/security_checklist.en.xlsx index 8cddd3c8d9d4da6e7af627e5a37d22e5d098d9c9..059d0304f3e02094033db27cc650c184f9521525 100644 GIT binary patch delta 29903 zcmY&fWmr`2)BY(bsibs?bS~W?64KpBclQ!UL>lSt?rxTn?hsgzSP{vLZ<4- z^b?Sur&k*oAZlb>3+Z%xz0>w+1pI2qVL!n!PH9r z-#i$B)7~8a--0b3GmQ9N7Nn!d(D;+*fa-Uy-K^UVhE;vtm(jt*)~sza!77(_GdWK> zl)Y(mL+go!RadRK@(bI!lz%+Ub&6sm&h^Jk+wlz{L}vH>`V;+?7flIBJrc#XXO;6& z(I?J#k10f6lJxF6{8#!b7b&sv#Z|Y7`lf)DIoGxs-TU>G-NkYdcr&gcrd*~z#!G&*toGGplu z?0#cuzP`--Ep8TZit)LDE{Twyu9bKIKd*dq8}(RP7}GoK;N({e!_m!`N&f$DelPLU z?gZ5T{u`qH??3$i{%b^eT!#ugcvcP^AIM>c@ap~J|DGc}>*K)T?d)dnZewZb;m+~r z#`WOg`7VRR6@ixOTb<{y`qWBq9%dQ5PAL4%7jlmlo5Q0&mtKK=K-bUG6@eAk!+pdBoxLc#aD>!MURD^yNS zmrITQ&u&ln4cfJfz8o44NZz&kL6)4o)wi}~I4a4kxqmnt54hcR^!zIKXIs)+dYKyg zP3HHtH`O^yi&W;OX|v%Ql&j%X;`-ZDUF>BU@T@~R@{fpzyOHBr#mZ*=b=eXd{mzCSMBVtVTG)( z!f5C3#YW2w%e{L%p$s><%mP>5wY>){D)%ttYjZuI5pG^$#!;FH6;HX|(1V?OYqMjz z8d4aWL@h4{F8k+{TR+2roBbXX_Sq^=Qv(`Tlec7Xr4~mn73^6BysA&N(G$HM%y_vXnl;3 zPl$nhJDa!9jEz2AX+7Jx3KET2{bU$wlDcsOqv+Rs>j-6nt53oS4o*S#>#1rZ1%|L;#dS51W=6=IF$|Jb~dsoad zoJ;SZi=dm(w;3E|cNhHU2JdaVi!OE6>mK0(rPrZLbU9UXVtVV?mD4U7cY8_V79iKB z2v0ekEiET6?olxe-~Ya#Ywpp7w}R%J!If*xwRT!vorVXf-}+5UzpE31e~zyJl-{!$ zV&jLKcJ1Q7_IL7*%RVbnw;v{|F!^i=zW{!5pb_nLX)27@YOw9?uVjbXaNE_uvZ@_u8#uk$kT2Tknv;E9-y z?Tx65#9u`#TaB?z%<+I0-Pa2epSu{^mk?E0C-mmlh4ERS9@1=yQjY1VXFjs92=v!Cj;K9xf3rA@xrA z2>C)K?dncdtBeX-A{Bg!LRI#y3(jufti_RW^ExA2 zl1PQ8AJKs#uk$2FyB5%KnR3II%w`PxF9F<~Z;YLv_j2krK>QpUDV4sswf=d`(;4MauQ z0QbRKOCcv9En%(y%DQSumGdm)SLhN6OeCSeJ#UYkQRo#Bwq&m2jqOPBc^YdQp3(6u zMF9~DueV|CsVgBm$VGo-%;fMQJ!E!q@Ur~~Ka(h2qarSlfM?^$&1>ZII(+!sUxtz` zcBPg`r1Txc5;LUn8D3B3%kA)9WAp0#&f2a3RF=BC^{8HXsXDGnYKdHo9CxUB&hJWH z&@|YfJDhfYiYl_(`{hDQf-4m!LmQQLAkdPjl9k7}cU*)C4U_wW`^``4iyxI`)2d_q zWhegf%W~(^f5BN3Ltf5nm_cyV*J;3O1`}BLkr9&LE!8LyRI~_sTjmcyh6i7A+l~v0~ zoIip6pdK$Z*onzaJ@7wEUtkW?-&U;*XC-}aH|Q1l7Egvf^JmRu8!?16f%~o6v320_ 
zO%3RWe6?Gd)~i3LHN&xID*$i8YElGjh)c%Wx}tSyMN^6&l&>agJMre_=h1AmL7TQE z60QP{Ftun#1lwyEhmOBSJDqCA3%4YyRCLrCjERn?kO<1od@QD8#Kpjfmy!M|B1syq zDL2*jv>h)AD;=G7l$_+Io2soP)3+#3gpu*@>ru9G@sa?5Q1ZcRh)YJr$)H=nD!Eqd z*<$rgK+D=HJYT>*P;uSHmG^GO(v;%rCg+&FwZ+W)r&&N-Pk;*ZR9GbF6;hbSOjEO( zGh-4$xw6)(Y6WdAOVK?&oLYzRl30RF+`%2``Uhv;=;BY~c1|R+Vss__n9=Yxe(Iu) zJPTkuth>&|O`Z8O^8M9okO&LUz=g2>K`q3Ec3>ep>{b?pyO^3YhHZb%i^FS_P}Hs3 z=tMwqP4Z26?kkEpO8A5K?vWm2<^6}mD1jhuP<3|rp~N!E96mT&#n9w}JUedNu-V%- z1AZ-{{_YV0H7(bRCo+)7`zNIk3!kutDqC9Eilq=c8#6!r>*?M8+$V*EFTXzMvv&aF= z!b_V;7sR$cS61Pt_1tckZ>m-@#=H?HEWCPnlM zzSlV%DI?++J6}A*>|6DYdPJtgDbvUvqo2dwtS;!=%@}n%v`I;-qO* zfBFQLHSchNVV{#^aU)pY(m5v7ugvi!*H(_g#?v(q3ZNu}nAbtdPF^MLgiNbbLZbc5 z`lM8>Drh_n89Y}bP6X#Uf{?1&|HAeg532zppi>V?Q@ED5Dh?4R9w`;!CH&#ltWJAK zQ20Ag?McQ=BMvjfzx|{rOt^eGA$!7>ODZgi>1h^z-P5D=mG4NCjPq0ax(TVZ8BWno}5su<#? za;nPLw(O~`mAra%@eU^-(O^zV6>X8k9(cFER!8?K3Y+r-y~hXC{Hx+8*)!DV-8{%K z5ux~tPspK@*adMv<}Y;#Fv6DNzXrb4h;>h$M@UHENhhclRrX4*5$`gu5o<72zgw%> zI+n2iz7kmnCtJKeOVfW@u08Xz0?YrOGL8CcF*ab~*5M*NnWWaeS(>3`pBI z&gRw}6-G9A%u;MhctdVoEQ zTkf-@b2QTgsDSL?V^HrzcBP+rg}#~N_M!de#V#oJcr9pw2uJztcj!`;y$o@o$9a_ykw6O=(rJm8hQs%z2v`%JZc|Q3q4` zM43OU94#{o9CpPbp!Ii~N`A5YDQnghdW;|akwgGUxJhk*0MGyd zpq<7$=5o3Vo3`JMKu9~Ky{M+x^!fNf3nz4Wc?|8Q^SZO8+rU|fSbxyXlhH4~iDQL8 z?zaD_v*orsJ_}27#aRbz|Cubkr`262{=prfjZ!~VW|E8G<6C{f1&2+E#*gmxOQ^Lx z4k>}zRNNsi$7gh+6rBrmKk`@>Q1sao+dS|lD_GaZ{lKlo0a9~kvEE(@I2uI ztqE0TN@FAa8PBPgezfrI%zw zps#a)P|bOpBE*ml_swg)7>C~)$9xOkrS*=>In?S$ZYANq3pM zNi~?nE3~&8bFh3k7MOuT85{2QvNg-47*BAKnUMiOH$F$ zNL{D_gp-hzw^R%lx0&WZAEK=*a7mU-r_|S5kXC+NAk&nCY(D+P$9sB45|#Xl8I@dv zN!r7Tc{6qU*hSNE+WZ2gfX7?gq2!dqVNY?;d=O#|1F?Hdw-I+(>xU2ydm_FYR9*6a z^zm%2E731wzYfN{V~=As3|=oz_XMoL`f;udE@@vS2m0nO->V9Mwd3$|9wh$MJPhZ! 
z^}(*l^+C-s>Wy^TbVo5=DjcZ*T(9f)Nqq=PHlKBgLDsWjT^3A4>cMGhNRrx%pfhsJ zamvx^n0E}zz+z3kS+tox^>4KP=JIq&R{I7;?~-2Y*Z0oEZ>oHDl>qcqJ{D^|4jvRp zB!_4LVEy3ktbKVA(esV6V;Y@%*V%b*DV6Ds_&)-FS}-VRWcr)&;ItXDB}8qVlb%eS zH`E?rGQc?a&WdAl606r@l+JF{Y`A_@>@>n0Rgok4Wf2uRhLuriHZoC7CMoMg=g4xb zyMlpbdHfsLxoychtnmFz8}3w8iWEOtN;i+5&4wKW+P`oRoCEnq`zeIej?krSryt$w z)i7Mj@k&`^zWCFK*pY8JxMG(?GvikXJDqC}ohVwq02>Q89^<>w!d!T}5(hX=)(=@s zE?d|PRmjM7DukB~48#K4==hUd@-+s}gYwXafg8=YjP6%vxnrdjXD|zA{&BXs;n9Wx^ug>dH~^ah$EVWVhJv3xtjq&~8ZN z@Mv|mf|z7hIZnN>-)-QPzE;gLzhh-TZ)_t**i56mXXTooiKzMZE{$!z?Ed>Qthn6J zpHE~Pc$yuFwgSJ(7JR>Bq#Jw!WBp5-NcXtRL0%saYQ&sssAN`X<+xYPVfaqwMP_hw zib5iT)Fl5lcZl^5`J8Ux7wpvUI-ot&wiJ3X$I3*JhiHAua(A+fr$?ZwB1s3jS8uLD zDcW&7dZH8Uk9N&7H)&wxi-MIzf$<3;IjJvwq#9<M!sp zYFG&$znJ*IUmyHFiS@kmUx+VB<`6G#@sZH#Nt0Cc%h>@?|MZKwj#dp(Pw!P7cIAu4 z0M-4Cd_9yhP?p<6n#v?Ba+A zd7lGpsPbc~s0m5e+y{Y1zq7jGmfnV=E!*})0_X>T!Fqsk&8gzysrX(oHWlA+wq52t zF<1uIH$#MjxW$j|2*KmqNKC|S@G`lQk>D78Q%VE#1?J*gyJs^^x3Bh(h< z{UEEAz^CAJ4fI$_?vN59xj&&qCvpxyHVj`_yoUqPy*q*rWw{ih^$lIhEy)r z-;k=H+)8xCejP7a!Iu=I>DXPBsK4N7+b&YDKINoCo49r3GiSuEwK>A(uv*VYM!f8> z8r53Y9!a!e#m9a=i>Ni&#u+?`-KhrwGLEfpMKGj^WLB+Bk8f$w?^bhXZ0Qj)e>yO~ zx+7{1Y<^t{Ak^lwChE+$cjHw{>LS(rw{F7yU7Bo;6!IV@uhJfJC{f|#nOx085v}Sb zV@cOpbbdcd{ixRaJf4Yowe1B0ekZJJ-9<#-HO1jId5-esHnaLlrMdTGHQ)SM&&iMr zvp5a~Zyak|uNvJi)>-=$-7R0iP5b~|^&z?xnf%;hK-o$7T;b(|(4Txe<{VcTN~ZWS zc*~k`^Q19X?mC@=jJu+6kpPEsX@9MeuHv&3nb?9OQgHfNkW=R8g5^f@ZsC<8Pw71y zj2lGF=Rvkp_=2Mn0BxMWR5{sXNgn}?7Ers*QBR&@y(nkeYy4MjHG=*5Ry`Pj&rg*| z#w0Sh4ZTcs?{#V&fBKf1-4`xQEvw6P?UzJbN|!Q_sbsLQHEw9c!vutc$ZQ)o%pLhS zlLULdSh=^4F+E*trab)lhZl;vPA$^cR>X;%Xc5s?AVgIf3+<{xp;bWuUp7E(xI;8rGIPVoCFa9 zCGzCgZR0eLl!;l>7^hSgf6<}@vYGol$xIugCe|SJViS}r zN|xtku`fa~&0jvL?)-uiWj4OQ4KNBS`kwbWRJst+L^yFS^MKA2 zr+MLee)(4zUV1xQ+;LF7lLv`^7H?p4FMnrw?x<*qg_l!~<@w{Hv1@(dtvT~=#an>| zGhnXEQnm((jZXzWe3+KP8~|gsN<2EC4{86s>((PacK31j=20{8u{1tPzR+H>E&9ZN z2cv!^ySOB=t8y1gDAtlsKZNvyL<8h1aKM&-8+R=jbuCuUdz~T8A!=wg2a-T%Gr`KF 
z=}pHa90xu+)dfkd;3>x~UYOh*0t084pS;HJhWS(2tyOM%1kV@K#CRO;hamQdvJ~j) zt>ihvv@$9MH*zYg=@kugBE^C6JkVKbZekcD+Ew~$Sei(=FKLt-_r-Ku4vbC)4e|RQ zCPzBOWrmvcDw#8z$L%Rv+62(62QX>z*NbTuBrm9Od{WPK){uV#{DxF(Yw-A**Dw3m ztX*f2CEx{jbfonKald$6O{pQpB5GN3&wmnwPOGUYW#|BCmm0-K@)X5nPBt~x24IO>tv>M9FC^R;q*f~yb6De_Ae zd>?vB#Nviso8CBnc@*h)_Twa%I6=3e;ZQyPL5U30`3<=6A)R2K1wIK0^KF>5jyuYAA_2U3$4;rASOR0eMsMzarlz*@Ab1(SnE2 z1lgKdnqM`xr?a`6MdjU`LFMuNOb)pPVWyT~=nwGDd*F-Z^qVgG4>14>4)}<*oYRJx zD+HO4Z$b01bh=+pbNPoO5OnJ#CDZNZa35p<6!3|*pPXm#CuS-}sll=^&KXo@#@2uHFCdqx?IXNV>?6vfB^5x)`N@}X)j$}M{I2mN zK+_D}k=q`sSl~EGv;$JMt&DOt=Ig!EMMfzbtXDInLNLe=2oQnLRVgeJ>diRnUan{a2E9%VHR}>cgaQG4TDQu z#QsgsNwMc`WzMse`y%4r{j)Y8P@Zz!HQEljFjBoM-!RAg`Df~6WH#!OuXzbW`VtSM zFvFA!z;ozkYIQLmRPG#6R~KeFwIW+N9!le18l5u_Q);%SUh0!H2uE|IiDMNBX8UlP zUyW;Ot!Hu2*r^F(cp3ke8y7Uy*r!A>TW~08fd04CGm~3j{-^=oVsa&aZgRQzxs{8Y z@o0w}!(-x(m4q8WACN5h7sehTyns|qzJq$$sGIvcGeYw&D}Iv5!$aa>(%f>YY7wJ~ zArIfc{ARjLBcIyYRQVx=a$nW#tnJzF**42x z*q+|B6>R5EjwvVVs+-PqKN{@=ec^vBJaJ?g@dkGQbbOryf36VgyYZ?mzi_u>uLyIQ z{~rgwP~V1nquhqpM=#RtR|~tUKF+%h+X2juf4knbJkjS<{2^iVvDpDpY1Rf)K2CF6 ze!CEC3VXhqmDzQghmVvHV(nta1JYE)9k0ABN7sGsno8I$yb-jyr{=3JIur5eZ?OZT z3UYO_2yjJPVrfoao7v2n(lZ5^8LdbW7Obx71(;M>RkpglEnFf#JFtNt@!SJHE{DC& zg9%8R?9=T2!*HxJdN7#1#Xc+Yu)Kmg+kkMqbh9QUXG|3re3Qo3S_IFNdC;ZKhUd&s zF?JG^BgFg>ubmZb*O9~uY?Gr&(PZ;4A3!9Duum|Eu+2%3w7k2YC&HI0SO8(DWLRi9 zY94$@i06S^fLYiOp(a{3=>u~#3eykGz*)vu1V}`dEn){_Z`z41!D)zxdf5GaXrT}g zr_tZ@UZY=kh!cv<`1(n-UTfEDrCje{XW#lK!*HXfB<_@VDuk14Z#BK^8F!t0S?zt( zdW3r zV=r){G;a)X=QNg2^DB}5&Pp7y-8_HlxOk?G{ZzaEZ;FrX^li2zvB3?zlHo1Pz}o{f z+q)6#>4Na%??IfHhPzQMl!Vef9`Ba~j~$<52X&W%6C(GyJfJr|?;{jPfq`A_$d~am z(tAZxdD#D65rWlV`ctRQG;K_vHjai^2Se@K)7!h3l?!&sFdj9p`HEt>BJ{k`J`WSd z_w_F^pO3Bfe6sif#wswhp5`#Ss$Y;{zEme}swL=adS&b#WWQ&En|U~G!nD8Zb8`or z@FzKL=U+enP>=`f1H7kLD$-rdoNU6FqwrAhm9;sCchtn{jh=n>igIeFkdf>_c^JA! 
zl3KKWuYKFfne1w;Ce2<$0QFdAeqY%(;0`34EIOa{k3Z_K1WIQ zJpp{FGjTg0pMb%5a$DHr*FGyt$#C#iDt4@@SAu1BLDA)ug|K)`akuv@<8wn+V)XR6Q_L|Xw zYMGu|?kT__m0|o1?I+4U9r-z6u?BNdAx7vl&l?6 zp=0cbQ7KTPeOTwOrqk`9lgXj3BC%i1X*_Nl&{`xu8YYIJajt4?9zgKGjiA^9!jv0x zmdo2r$m5=0#z0-g?2^4@eaq}9ALenuhV(GX3(WPeZ7%H`Zqpo^$H}3J#Rg26bF9|* z8)4v9>DIbYJw_@a_P^>Aex)7`asG~xMVPm-40_CCc)c+$NlR=`DS)cTs7piRQ&XJSEzDpKc4j<}Kt)0pjTW7+4#{vu5 zhdAK3o3WOe3#^fv!10H**GkT$oyWiY+NZRK-F~Eik7PKM*r9%qg`&HV(qzm4;*wbG zWZ?zxKbrq!uXC$}G9WgH62Z3K1+a#zPnrxLC~{JTFNiKQKfT{}vY_CS&P9Cyb?#}4 z9G!R~)3^h@1yt5kHzOje9k4w{%~6bs7UP}|dyW0qnt5_8ZaZYuj$T3D%$h+vJ|jVc zV^7l3qNduaACp!fX8u)+Of645ear9!G;Lu%(%wW;%)HG$0<2kG&IMP5T4=-q>~%x4 z(3iI(70edj%2Wsh=A{*rvLKRKV@&TBqC@?=!o1$rS+%Wh13_Y5Iy=TgJ}(@JLQt&r zgd#-3Fo!2cqB-6zVEt7G$}^Jj?71SkHPiwDZU&Z)wmGd*L#v5cHOcjsHSE0*Dan2f z`VfTWE#ui&Gj9}8_-8&*sO0OL?KSF=6BaVv#7`TMohL(I;-8*7J@gG8{7P<6azXa9 zmwKN7AIcq8Hj&g2Ju4L-qAil$q7QlA|I+Xi>{BP?l1;TK`4N}uwMUNSfoRQ%9DrVp zmRGa1c(8_sY2)OLc;Ja&&cW~9ULko2W4{zj+R`JXX}Gkuf%f8+c)fV`C7uZ}OXcq} zxU^SfHFw|Qvy?z(U04kqi61seZ-)is2M?T==g$laAsX(EInvd zz7~pi9q{;;9#o~pq(fgX>BBv8Aq8qZvog>T*vhe0Di%m3RGALIqW;wfwE4B-ov; zcXLo|lvE+DeY~SaG4aB4$UUyu!|#N;`3W0KNnIY_u)g*m=Z}wZI^G<%rB2pEz)wq- zQD1E-_GD+z^J;ibW2{o{6`+#I zd&qaYN&RGpZS9+ooDfY%yJoWN<|WZ5&}U9l@5*7>Zq*1g(yKp<8rg($4dQBvE?^-c zA_XAMG*xcpYx9Nml^&t)HcV(&M&1V)?bpKA)HmqqpcqD=Nm<%?c<&>cVEfk>Hd=IW z`~GO{gMrLCMiz&ZVyU0)#6mP(I1k55s%LnS9?FP5TD#TbV1unHeeA`+OnvMSB{KU` zF{Pb0mR7c!#QE&`H_eyO(`=Q@*c)UZx;d#Ga-w~#N!rX2J2YbtVRgiywnV?q61yXas`W-bzuhcZoi>Oau zm*T;t9sXvG^2ZoMAquK8Wso5~E9;mM7$?@~b=-eouYbw=ka}7fa0#*=_Bd*NvS6`U zo}n|-1ZTSo(K^=mEz=%JDU`0ryev1go@Z}bX>sbf+dr0S3UVfrSdU>c^qasIMGlyim`cnZcKkR*??hnSZ+%K`v|IrCB#}>7HEv`q3L{Ce2h) z?_WIAM>D0+C)lEKz@J$~g?n5+L))hrb4ZKPeZV>xCTE0$C3&k`8PrczWiod5#H3Zp zHq2?IcW_ZUM1D!qI+ls_3pmE}@*y_1JMzyBrc3(1RNmE*&S+tm{uVVam!@~RdgO71 zJOe`-rR8k%%V1MWTkDl%VpWYO$yCy9UusyhPxsrZ0TK~X{~G2x$>W@_kG*5}m-8{m z^d~gwLup}}j%645YkJpc2ghX$2AcS7_K-S1-x=53$=#}pNf_ZG+c7VQd zEj~S%lF?)9Ux)q4C611v^HaPz#4GPH8nL@^(6;xhZYN*k${8?zt&WKT;qd|2lAU`v 
zVkrEkD_vnJmwDLXs)$y4Z<|XdhJYmI;uL|(#&$=kp+-E7$Hj*kC;|eWHgJZLR@$1* z`yV_|>6*Ziv7_{h;|W6`K_eL<^bdg%$(o$+k98gph!iow>hereD{1E1E7v?Qu8G|7 z|1|r;f}(Yyw76^<1pUUgGP9hS+C$U&^Z<1^en$>dO<+L^Svoz8*dV-yMQM-7PV6zw z!wp>#{Qzc|wwCwamESYXMLIL2obeo$5DZ|bX8<#7$bVN(JZSA9eVD6KCH7$o?lxR< zA+W{FH5)J$htWM$%Z2zHcTKwu&vvHi)Be^?9V*yDf6US zbW)c3)qb8@#*84xn3eSNlB@2S@fz-zvmzGT$A@5dFWESv?x#y0lr(?3FG5Rm;OIv; z?o|2dW9J8>D|j4rHHraot->QE4c%(81&tKwJU`RRy$voHer!;vxseFs^qfxs@pNL2 zhwedtUsB{bcg9*43KN~p_>+7#v;-NOx^140e$K7~luaC5z2{$OSX$rK#!As!B0CEH z?Q+L#;@A)lPBDjEUU~vGcNYCm^yPOF{V$p0?5;3ae6tI0dMh%j-P-6Y*R|mG9o4a$ zw%yCx?z7~!jaeZx8Ri(r(OW|q?r%BIzTfO**_9YO4|VtWX7kMRj=@RkWzddzX_^)# z8ql#XGpvY7O0GKIf`>7QmSQHyvR4kyH03`_`eFZ_0Thq{7PU_}>K4;#?ub5Tb3{&E zMJuq9@!FsH!tjd}?usbyMFRSBluz=qht4;q8C|RLQBgs-9Q^bC9e5;%pjGe9eRMn_ zn}@NtkPW=cGHp#M*p;bCW>sFVz1%NgjhRVqFYn(tBrceoX9ER?bgmgHFS1ajkS#|+ zssJ#`a*Ibmxj9OqEBKlR4pmtTE29iuI;39$I6q81pX)Mp;#(j=Wa_X*?;%E-{bs_R zz`f4}p#JeA7L)SoM)=i^%RD7jz1d{s&|S*%@v+zk?c}HW zTGVR+p6)E zla{mDXmW)-CTp#KjTq31baty*HZ|nQ(|>qLC`XjvTQsZa2NHc$+Q2Oenf4tTQ~Gv6 z`JGRw#NDC{vof1SA*7pX80!D1yU21 zMAj6>L-j81;f6d`o#SW)W><37H>zWt)~YP#kFQk$z1&7UqWKs2j&Y(dAfG7BAPbEA zbHBNiK+U>9jaGqYj}u?aXXJ0%?0D@p#a{S;M6a~L^ilJ7ZLo1iiO1lxssBQuLr zyA_zOjiD_G-c9yKR$^xC(P#mUs>Fo|Xzt7`+Hd34ZDp35*+exi&r1~KYVv>cH=7xD zw$CWaICIU7UbVj$uw>vP7U+V4ne`%OlFc%}P0@!|`}!O8oNiV2iP=O;C~e!$FJyIt znN?E^Bs=@6X2hr_HZT}lzsPCs>d^Dr#BYILxZ}llvG=I4=%galdaqD}WkIsk5=k#;{@*pA+}Tpe`-KGq63 zGBcH?5C+W|-BMIUGB;W;|9pJp)!_Z*K>0oY%J%rE4f0A2GE7r)_cd}hSsW{EuzP9JSzRewojZBG*tNEy zqGO4u7RSj__u!}dzo+lJMCL)$iieH&+lm*MU;*uuwLD{*3k={R#iTXeImSl{>>zxL zz+M<99xG!TT-8c)WR`m3%K&jV3%SAf@Fsq*@uNLLQsIX~bkGB8b6Jm|`hJfik3tJo zX97*(0DMtvtcgCP$Vz_MQDux8%Z_Ty7N-n@@>VLZOhQ}B=sZ|I0kY=0ZU@>QgpXa- zU7OF(-=qVpDH#Ve+DhM9PEQ}J3)$R;=N%zEgjB%KS>g(rEkyzR(Kh@d=5}{lqAy-{ z9XW{#@=o#uk}GI`F@}&?+=jE)1t1EDHVm81=|1>EqeH>K()){`U{qdzzX!iaFZss{ zpHFWQ@heLCVL;ncsmm^!0N=y+)y(#zQGk}aP2{Cy64*2iq-U|rUe&-K-%c`4AhaPE5^1l{ROfDr#*2J7Tnrm5i{v@-sW{x#R0!c(~*L-FOPEVrr;}<6^ 
z`r%%1S<~r~MD5CRhI-dQug4qgSgbyF7y@RVyhIADR*EKKd%sElzVyaNG{v2NR>L*k zSoNrmQvtTB(nZZO(tc>%TY5Uch^VD%D*3^`0J`m!A(nZUAN(xys%wj8{-v=64Mb2| zV|n)s;%W&S0(IMhq|LBi6&$zp_WoT6UwdN)-6}j-kE71$=hQuUivRbkJ!SyOJX*g;ZB)~WSxK%RlKp5(jL!$3)4zbrJI6gM_FwVY zCt(kS5#z~CdbkJd#m?JXWi;D@ft+krz!9clJw6JCI9+%BT4OHFQ5ZjxysLE!zT2p6 zy2QH5?XD4?jDg%2w`wvX(L{Fe5{0>sozBKbh6JXdk`Pw%lw`D*2BWNe&u0_`%JyHxbFP#roX=+;3DWiG>W8r(cy5gAMhO5o_AX_JburaXDUr z-aWN(B;v&zq~Rxyh`BChJ5G&`i%!?f&U-bff*dfKpwU?CN1c;TQPsFm(|W3g$(W4T z^o%!l4DeCzYR$vs20nY1>X@@i?{nu^f8!c=EhORDpQ|0dt&b>dKQeKUGs)V-*v>fb z1O|$3wO1LmpiLii6U*y>XK;go&jm7jg_gz{Zljo1VSGB+*3awa$B{8X!_%4zd*Ml0 zS$l-5$&}{=#!!jvOp7hnoyF*_>|-@;^T#=WCnbrS~qihgS- z3)`Cj<~NRHlZYcmPgKX6lbQU>C~`gBS-jv%?M@$3J5IkNT_3oqgmNDMA+ykYnlX3m zOFwqVe!9ECfc5)Vq&Xbq-Rmv@{A=vi2J%#MEQIW!I-U z&C0&{eCYLgQJ=X0(v%DbbdLrS`BJnBOP|0ErohGCP~O=Mbz=cU0of$$X*uH?&;e;%d#a--xRbhaueSGQAWOxppHsIkD95UQ!Swxd7STzQuzFV z@r2l?HA&7Lp^;dFSZeY4;knGRI}G&(ksj@{k9fNVxp8e?iz*ID}`t}l$X8u9kF4DJ!Na#wN0ma zy~Q8X)hV0Wn$THPkb^w@U-};J)72x-p>jhL1XnNSCOiY&uvHO}c$znk@}So?HaFx! 
zuhZ_)VnB*zx~)|{z1}lmwz(IAm!-apR^2qqTkUyy?OS-0dYj1qd!BMI&__F9ywv)j z=B~MP5dDs8=-qULYn3eOFd{23as_HL9q*iVucph7*2-@?y_!0``)IuIeYy3J($Blm zA;Dhsx4PG*-fgt_T;Ee&&0j&WyY5^fZ*ws*4d)LFqWb#6eMRXESL#(~Q$Keh!$M zFv+ZyEo<>=?t~k(+h1A~Hb0rvNQ^A} zPY`GdOjw(fvA&en^65?+*R*k4&q~R2Qx=LiOqnH2-ay@b#k*{S1Z<}B?>$xv&_BkJ ztyf3cSyDsBP|y5`K}x_Q`&MS z|8<=(!%n_-v zwA)mhc;)N%^9r#|95%AMPPQLKxTFHQ9A+1K|E)xoSNUnZGycV}5N2tloEaHph3luM z$RFJ3kMKVSX0#Q;|3y$NYcEk&1}zzuC&D@ohlW8mpJ~gA`dm8|PgWQlbAOC*=w|FL zBQyA>EVnBPisG4>?_#{-di^8q?p zSl{GJp&7=b1N$avl-G!eB|IN&Xb`#q8mqqm6btbCUH)r7o8TggkZeY5sUNp%FWjRP zFR+RgNmPt_mM1w9YLe2;!)mBz8~T(9{*udrcOt^fWH`c%xkTTz)aV7UzVjBx&yIE5 zS>0(o{?}$pR?pn5(D6l**ROxspz#$yfF3FE6kizqL;rab=^Va2cwo(vo#T|Y0kNI)8WST^ojQ^W z;cfhRPL0R_3XRC}w4nDwCKv)t{zk`Km$7zki|W{miB(o(%H+(&k2Fr?FB{aVi^f>b zqn4{0W_Oa|<1)FVix9 zu%AIwPthNXQko1S4n6QXS%P$098WT9lX)v!>sbZ`puozP&yV|$@ih$FB*~6MgFYkp zIQYBZ%Yp0d_D$lAyEJ=O+X<{W^P}lB`a|#|rJ1{PWRy7-p6vVXt2T^ezf#QAeTovl zdHdFQc_`=EU-t~~O@I*Y0huxHcx4}TJK!eUZ>C;jg-_}#w6{X4Fy_h^OZZHf<3D2n zeag6VlXdT3--^8DaW~uxPhm1S7H?Qo;GPIHMMFcpve!yp;1S1%w_Zs^U|fB~0@B#!k$L!%d1IsoUda(|Mf%@*jvq_p#lh1QuPR zo<~Z$kKMv&D(ymwfMVHnZ+l-bI<9E2DBS5nAWDp^l3e~X(}Z#rtEaT1>O#4RZ@7Q^ z^NlTC#%zk5PU}T><-Cw+QKpiLq5rGxD+8k1+O`QLq?ATFq$Q<82>}I>kPhiC=@2#z zlHy1R2qK|0lG5ER-AGD$8l+#V&axjw>d*4C;-K6u5{-Eri-^E~sz&5k1C zCuM4p17u0fVzzPF7TLOYo~-k-4=0pGp7)YwD}8WE{^s>PLRUp(?S6msN?T)~m1(gE zoO5bDBeq~g=cmzRB(Ub}Bj?>AbHN=4~pb1 z`P6vA)Z=u*6ljo_t1i)JU7rupS~QRLSgTAnX{XG^p2!}t`aA6v?GSY!b7^Jo!Ju)r}9cW#d6O@YpilD z#LRhCKGMm`;#L~S`RF}}aBi+MTf!1#d63oyJu4EOEEIN@IXJaluPdc}Y>Uvbhy8AG ziBE1sqZ&<(rN|y|&QlrB5^P*_?N<%nO2%Oy#9ckseXdh&Knk1eQ*g)xqZq!h8kEi| zQQj6(^m&**!n#0$qjVSRUN6yv*#!>{tZ|TrJCKuxr^H#V4PAH49jO={TFRUZ6ep-P zzp7dC{^5JREX7>+>iqAU-;QDz`oGNA*RIwb#5}YDaQ4RCP$!~VwFS~Le4m$N>w z&@5efLkd1vxqEzmm z2hd5qC>6V6v-`;z>xl!;2L7Yyfu&aFz;p`gX|mGFTci6U^~2=KAJr35!-Y8F-Tc@z z?X`xDch7f=Qm}bfU{l34E~0XF|J9N4FON$eNEZ%vVnn+w$x{gEn|&x2>ZzwE|GOSa zn6BXMmt;#30MW~;I3c3ZSg2@TGBuFvS+15LrVdf>W 
z9@uNSACc8E>P?2yh0@$L!XxpQ|JZAKaBnzRN8kcnnU--Zt(>laa!zfPWv4l!pE?G0dDj-joK7}JG|KPBPLIfWmh9(i(UuqtU?lC~YPzEhHp`PM z8<~s3p$+{|>m=z86Ep&L9P1^W9&>wh)Y{Z_=C&CQNk+FkWc-=Gg&crp?##7zzfj->-|TYKznptFv}DmPJ(Jec z=qZRH!Iop=$$l>q;@&DTHAQKG`iA|4uobAPmBt9UN0i{#^sLnstngRpr44t`u$iUw z7p`XE5&g)dC`5bW(vyTnxIiP5zB+dJNVvy@wiq3u!?O|v2!XcRJ(w&O{ryS(j;mgJ!W-i&Z~a$O3u>_ z!pR}D(!_hPdNE2r25&?!0^rY&;*^5a&eV8d2$}_|cd&d&aQgII>1n{^Q6Bo{lArLm zaD{{XbF&$fmF%;7*(e@Taw&v^dyuD%M2xsq{A+@4&yoPhhhw(Y+#RzvK9ECA9#Ia)`UNwp|Kf!zltWp z+V>ymeRISeA7dS388p<3mgq1<9N$(m%i>tpYJAh@7rAl(=}L2VIm@t0C1@@de?qnOg7tytG@KwC_qcKC#RC%XBYdjwpHG zdkajF09|!SVW>6P&!jMq3vc8hzR{E2Zns0lL(+j@VIdL;b!J>#=sRP+)|iK-oTILv zszVB6g1nRhZ4t(p5}c3?BWf4>x9u~2sVn2$pGvKv1A@}sC$om1yjZJ9BydaN z%4Bs=Uts23%Cw#E+4!MYZ%%IDfdX7q(1K(py>?hFKD&ZyX!5V*i}*#T~B z@Wk4A$bRO>>^NW;uk=2=;1=x=VNc!;D<_F0E~CA5OUOyxM#w#?%zF3Ed#Jzljh|DZ zdED)W>Lx<{3fGrOn8tUstaY>$M@jWV&{!;r`QRqlW`A5N$l8r>KtYE^V5d@;y{Zqw z+F6*m!`Q9yIs|<{DC7f0Y$ojrIj*)9@bbbzYRb>!#C)F`yyVakmQ-Fsun1k-_+Zaf z#*%5_(sp1gZ5e9F=g-9T@wVtV24X6>W__BPI|A|Vd}x{+83(x;(-l?6w& z{jN4zt6>!0XqHf%P?llbxD_tH?yPj-wr9oR+~{pY#V}ZvGZ&Gp?2Ii|Y6U=uk zJgS}=wS#$%&`0AGIPN9EjOWZ-Dtwl!mC!%Wj&)v z-bAJ6uJ1s#(XdD@65N0LGYgwl7d-abjbS7wxQ2l%b7FH`ulsd%Bd*q*wxVj@7&X+d zKvZoq3%Uv$IJ*Z8m_CP6eK}1&7%T+{ajfsWCM?MGC6yxxSlj7Bf0DG&_7c2Fpw;-8 zx=7@4nz_+&-W3sktE`_$#%PoyIKfp80L5r>yzU=rn0l@ItoM^pgClZIK>y|ixB`a} zNolDxi_x&#AJI_1m*M=zOQF^MUoSMtzSckO~PhliD~7C zYT3$4#~?~UOT3iqr|hcD5iwtP36w5 zl1v}+Bo%f`i-WTns?y^Q@)iU z4TPw{xBxB`pQmfCj{OsV9DANsX7OuGqOz=ZzK0ZRk33!d72MkGq0JplrTw_M*VnZ; zrVhh8qa&T!>RgwwxGd5JB_7j4htK(-F#)Sz7*u&hlXcAMK=cLM;j3?@cBH@ zjrgavuOf>Kzl95{&qTJkwr<6aqtK~duD_*9DM`YFEqei3=Bw+a-_3Z z$OV& zS=LW+1y(yqab^xKYM_5x{H#k+vnT1aZL?Z^khM`h0URn+@i?u#S&R3yQK~QHi)a*K ze_!}AXx~r)w~_6tjUAI*8lJzBMOm5X99OqCp@93|qcoon6)wUwYPL07;JI;PXC~N$ z&cbOMCtJ@g*NpQrE;AVZEThK|dRdRjgFyRlh(RL_Pg_alO`TVbhcy$BHh3i?g{V1!x|=!P%cSbTillO%*V zgI$8U-K3_wHlQJ04MS@pkLWa6eXS8 zN)3FXN05cSoB@f?RG>HgVarKafQDHSRa`Jlw<~Yd-nDw0dY!lWl}M5xYY38>sBL3H 
z4#9`<84cokTC5)Q2eT_$u=EP{0sCb6#Y+X1^?T+8OH!4jFrL;)!BJ11E2+%1Xz!EL z4?>2muJo#bE&_e3Yc2QR#j4{|lm{hT9-i0JR53o;(OA9#6WfwQXyG>7VIl`tj%+7krYLlLP`TfK7< zx8Ng!nL%pc76w8RTniq>wj)o#p;+PZ{OOgHWNv^)<-B9Wp@0TQLp|5ZNr|t+%uUY& z>7tDKPHggco2`r?E`*pKM}m5Tqs}?|Oi_LrI~r}DDb6P37T5R(I8`w>_Aj5HQ|vPU zFt6+}_lMk&Tai_h7`s%+dQuNB-E&i(by*>h|cb2iuvz19Wi3?zOcy+$q@y+$}ZlgGXlrEZ) zgOyW7k#)wOWs&F^hqMn+o?7>$iRv)!8uj9?Dy3qs=9?jVprB>|wS2WXty4T7^HgcS zPbt&-s6Aal0}$@?tFkka5t;xOXz-4(YY6&r>~*!1M0(5yaW^poCVO%H z$hM1XGp$&I`UlS7pjVMFd_?yece|^4D^X3Hc`t--LK(|PVM9FajG&#-0HV+)+{NEZ zS2BF;2`(eSej+f+cu36au=P~b!4@1Cx20d zb8qjgSFHq^wltme@9uIW!On3=>u5EH%nK47**Se0pIJCG>8)Up_~KiSw+|~bxlixN z?kX5{-4I_bLG}$0XTMJ1%$5c*R+OY9-keAGxL~a-+*S?K(vY?-j(CGRjo%1Ug~FDw z3Tv|hg7%qLndaS=Q9M;<0go^WPWZ`m5BWxu2+unShuEo1QruxSoE42`(^TIDzM?CD zwi5i6qZ5U%~8?(4LjA%uWi|%VIG{bg5Bj^1+m~rsb0Qg zCD<*!EAX2JG|6~LD8ArIc~#)+3o_tB*Q9}h7i5&(j8%1%OWnLioq(KgG&uc?XtG|0Q<1k(gJN@LfuR z3-Ke)czwsvesU?C+wUn*D0F@Q?fInA>)VT>sMqb?C zAQGnU=Hb2T9Q=1Af(R9HkQtT{<$I{zFK+YL(#MqTK~7ARxYKMF*neBfg;)fP5-~qA zjvWd%&`&D`zlMZksE$H0i%ItWui#&3PU7m#Z5R9#BA&!w3owP7NcbiHyYpF*ah{=I z|DiW#l^Ey=@YrAC<}k^Cf5;2QT{<8ZF@T?*IN%60o~7=oqy8Jg@GvI&1o0yW{R;NK z%Y!TW%TFY(!Js9-`^j_`zyiYv3b;rC;zq9R>!!2Ue~)rcokXIK#7_vqf(IA>J5cRV zC_ro8OJ7{627&btKYa}H;f4?Xn{B{6N^Wd?+e0k$faRB(cG^4&(yzk~b^v+6miJ23}x>*d7aK(+;$OAjRiPFWycUi-w_ zO5h-y%>Koe@EkRng)s=wRriyAiT${?zgvIPufrs}obPp*RiKLAB>aD+DNHvk5zIIr z!=I!MPl-66GBBq>O)e-}AG4#bvn(YDk=yPUO@0KwZo}vS)C7KEOe9PUAaOn9-Gga+ znRfM1ra`KKX>t*z8;OJbaz&h%vv3G((2|6GUg)2_vz^wW&lY|;kXc~E6byTutAEK4F3yWy5Y&iiM;Zj zzcIrQzq}_Ys1w)>&*$uC%V{moyfA*(>6w>hs^gxB6dYXu-RjV15Abd5F9I$DRRwG) zd4`MeS61-!JhmV+&H9ZPU=6%IPyRw+eoHmvX6p*$Wp4ZkHkkRrJ{d1)k7qM^kiSRZ zm(~Cny&@qSV@0R4}hPHL;C^p#2ZC|Y;Q#LMNDH`{%xbvHpl8y7 zk9aP#Q^_#C7`(CCJAn0Urmp`b1J+lG;pv&1qqgyKp9P|XmGwes2trM}1s0YhmE_{v zIW*{FWi%5L9NM~HEWA-cQpV3z7q;x7=3{te@I@}LovU2(%iLt5gpE91FMiy6nTb#} z4F}c9M46BW+$8j!3%KZ^wB!u9gwo&Te3(L>uqN@CHg~^Bi@O8SFO*}8D(2@~4us&F zQz808c+8(5+CW0g^&n?v_!6*g3vWPq<{mqW!-=$@fabI}m=I(87yivr5qRLZZW(p> 
z_n8TM;~kp*95SuBTp$WUYDEG(Y{H|5Yt}rc;Sd3uhz~L0l8b4-^@?zLiR_sJ&3_&x zI03Jn`)UTG(kIv76@ZP-M|ZoY`vuJ8|2nYEzv}m2N0tV?m&C+zKPsfT2(BR$J-FIp zg~-Ar3d}7@!d+Qh?fRC-wEL3b1^i#0y|N&`Wdn;B-d_XcfR4Cqat_mt$8o~S5HSm4 zWCsTth>is>-Ett@Uw;KRJ^}9mr#XG2(Hm_V^Jg|a;P-ZJNSTEeP)bAzLSyL?G}Osf z_@fH=UzuK$Q%p11$q{J16#ECE4i3L-Lk5cc&72HLVg0|Mu^jh@WKIxfmqrGD!3s8X z1ZdhXz+To023QFgE@gg#?tdHk|7~F4A{DxRA`_koFcmLng5j@BcwD%YXm`n8)(FQ$ z8FjK>n8LdR>VINN{tvJwDgZP|9KYb&a4Gh%Jo3K`*FT45xD2Y_v;sj@P7Q`xKJBk; z`i}$iz!KsAG_t_gB}s_FGg@GyIUz@Y^pd^*Na7-}>u-$nTL4WPf4A0D;)QDioFCv( z2>b&$;P+o{#^PhR@mq|*hF6e$D-x88B!+Zb@t|12*$;wlEkXjORsxS{=Oux#)S}UU z29dS7iE;sGh?g~q?nNs7WXv)9OQ8mx3j6+du! z9a%K?@UhxJS^kHS>`l8G_3jv<&M^(3uD!lr?{wL2q;-W2+&jX}g;R&jxpO8Xd+22D z`SR+)1dbJU*TxKBFM7P<&N-oR>L%b(By{||JW)pnT5IC6Y%j1CvpbY*>wFyQd33n` zZLfRNy`|_(eI#^c0;q8xd0wl2x_x@M8l<*04pdK1w5?T7_=&E}J`((afL&9`LgDdP zxVBZkQa9P9$ncmFs5%vDjlA0ot!<{mQTV`c7@6Gl)uk7h(&JCLu}Y+wBEnHtyLJhtS(MH}>5a^fR475M9|m2A1#d=a74?+ZIJ+otm^lZJQWoY=8 zhTh_EZzsA3?PfpU`9UT6W8v-w1bXUN4(%GAao?P-b%1_4-kVvOb9X)#zMFX3KXuwM zv*co)2vl1h9p>2+=}^`#*X})a#A%Jr8U{K{raD}tJsaNS+${tq-Oded)r2T3)X}< zG|Pso{cbJtaO|pb*$H%sk7xP}=lA`Hkd`Y=CXf*jxG^E+PE>%7@;op8Da*~fW&Hm6 z8}hG6&>p2|e3LJfP8)@_P z6IrJcs6D^jewgA7h>n-$m5)t&53W74k6+himDET9qU5Ep*!9tW3|{vRT#0ex>bQ^9 zaVR(n}70-PTlyX2)9dB^l-0@U2-JEXX2JjTc4uc(Jqqm%U5xM#SlvJ z6%IG8LF$8Kmp$%$G;7=D+j1o*S_|sokjLnqDYLmv0lG8wz`h(&634)oqZzBIN226( zR#yp4-wU}8YYswVUbK`b%=_~y@2Z`TSZC4hXnkI6W1vkP>H54Pxj~WlHtkNvVH5Lf zi06wyQ4FLxBXoAXD>hP0;I!P#_+0_6Sl7Gny1tHRDQ!MCQz|ss>eb)sCH_i&RkrPQqYdSU z8>6XGOJq7|Z4$%6vsV-Zh^3;sGL*`w_pC8DzNDoKoBseGP{da+$sYD?FBVsDeYGN3 zeOAWv@}_G_+K%Ox&YFX91t0bs{?b*vLkbqXcF!p@KRG3BMd3ZG*YcW@9abMT9tccz zPxVm0cs@RObv|ceh?H%i<)aU?z7SpZXXB8Cr-+R7Ox@x={DoNlXv>`93aC~N!xKxa zNPxF?u~QpAU^>m8O!K)m{s6

qYMT7DNQ8BA(_6$rskZQ&mN5!!**Z5bP*bq{usSF zn7chz(`J===K+IVZ<`-z%HMrh^q$A2D*uxwLm`?wcPRkgLrAsREI*kL>Ss}oX*?^< zBBx#uine)-tR+5NVbGl+@258uoI-R@BRD=i(c`ve?ApibzBJNX=#*vGs2EgKNmqq2 z3C6qQS_}8j;s{QF8akOtT@RecbYLscqvgyWHoVYvbhe(MC}kn-(Iym zE>hMfFlGd9br~9Mb^dt#p=SK8ySo!dYM0CwPb`;Y^d{6T@0QnW27U(@`c+PB`QS0f z+Zlk=)DMP=^ymyhg)J!po^`#+;6j-co_)VE-Ad~?USI!hFA|2lI%2j0OQGX)JolqU^|U%XlX@e^Ikt=2|l1eyUwP9n@P&F z8a19uyP>+uf-Y|`q<5`{SD?10#;%iIBF|{W8E=ElRe0Bvo8oD~m|~Cf6_NZK2IIW+ z4@8GY!qV@OO4X>R@^{tt;os6OOw%Ca@=C}J6Yf?ZUKD4d4>XR?yAi|>^fROy;q@BC zSYlK>7**$U>W&MGxsw@+5|Q`Nb&*4A+)}3H=nkE0lD>*i80T1~y=)9CW6GNre)1-$ zvErG83Ne0}ucbaq3wpOvW{RE-B6nnp^`K4!gg|U+Zf1R*TT?OZbO<jOScpia#%K zt6u=Y_WjEAz2~~4pSwf%fsD`B=d+y48NEjC^flKA98-A_Y19=EU-ROsPZTv(%r;&A;Rvo!8TVWd0xRjpmk^RGlle)Yq3h4yYFD|!7oJ0nSg3eBH7eC)P zWLSoBQV;b}e9O|~dMMGN5YzP|TajZR{s_~grUE=gP76rgehTb>y1chF! zyY)!UD?{1%LyAX{3Iuqv%tXikqL1*t;gr*6xJmrur2>!QYJ5)w1#Z*ZNkvI~*C~5( z)}hHew3cgQ_6tkd+%F21R*s+>)1lrR`gi$%#=+l-Ev z0hv?lNa7WCeo=MqAwhDKlyYmj<9Ory9a~af$_%ElQ}J!)7g5^ZfaFMil7RH2(hQQb z`u?UwT3m$@UB#Ad@yT87{t}>&!&6L4^{Qp%I?v3(2Ul5yAo7AD_wLP}?zKVuAd&PR z+nB=lKXL|-kz*QQ?aG%eP1$sNkjJ@HzP)$S(+VlwESM!wa27=LJ98P2acUjHM|H^< zEhKikN8H&`V#PC=_A+G`Swx2=AOOu z-Klbj5b6h7XiDqX{;?gy$fB?f^6W{yBo~H@?eQeW` zubvC2KYM-mw#{K%Ke2e%94*gu$Y3RtH`<_*_&qv*Dnc3LK_z#pVd=fjpi?FBmnneu zLZhZ=PWoO%NXB;z14PX#N>uMoF};aAjKDHiw^i>J{IC>YErha;s!idWw>r|sm$ovx zd$Qw+ZCC}-S_3GK<+tvO#cI*8OWwl_kiU+Aj$nXJUZ7YPhD(RQ8fD=fV;$;@LgG7B zbszuAI~h8rm(_U~S33xvzN@a2H<}Pb2=>4JPJiN^jN>Tb4H=2+i1$m~mwQ~flSvkZ zO$X0OISz>wWHFI1?X?L}0T!>owq`66_3lQ5{{_ME{dUoG>?@Cm_1lh|5LJIpG*}C4 zhf7GLKOtg0B*UNT;nGf(Nbxket9< KD8fFlp8o^pcBc^l delta 30541 zcmY&eWn9$X(?vl*X+b)LAKl$Z2}n0fcX#(!8l<~Hxi|B1G4VL*PmG7$6|68g*Yg){_RH3r2~xMUhsR$u?J2q!71Ek!Y9^K z-EGaLBe zEh_jdgJ0i%Q@Ekt5omdsH1L_Nj$Qi=_y5=5gNNCbfCvXSNDc>w4F^|`_xuYY##14A z2CEFd+QPxv;ld{_Ad>+$E-Sok)%TiO9E~(W4rs>l2#TG%N)abb$I4=-g(W4|4|T7o zM0FVI3X8;N(+wV<3xW!Bbuj55mCFWgCTq`sh0il(F$?~>YzFU+UCWGSLyj(uTkprt za@^Y?v6`AI$1=i^Co5oW=46#h?kVGvhgCs+yG0_pi@NE{@1sDv-0untHiL)L8i3hA 
zmRqA~bVuqZ~E%~j4$sybt}8>cRa4oGVp{a$a39xP&9%2 zOKri?Dd(HmM*7bW9pyF;N4b}`^}67xy6HC32k?kKsI7w_Y^t@%ixmSRd$*@D zdRHDA%qX=6$NKt_%ZtKQUGipr-M^dlz0z$Pzok4jb^+=R&EUKGd-rDV>aioA&bw-n z66oTkFX-Oj_wwphP+iRB!b_o*OOh$A2vyDRR}2xqbXd|_uH*T$+R&S;`%V_OE}FS> ziBSs50vFZK{ofp-XKRIMYHoFwzx5^hmN<+y?)J-##J@Y{D^CjAVcjz)zf(_9&(SK> zqYu5B$yvYyZ+=_MKA4gVw~=PT!+MrwT+tuX{cgY)GSNWeAU?J2@7Y`bC9|gZ{;<8Q zoXx*y#X7^G|Y%#v|iPR z>-P|v+O_)*tR+0zMzMu<;Dl$k%|Br&b-=g%?h>pJlDFZR42E=`%{NyHm*Q62P#mN1 zG-5(Rbf|s@2MdU`sPGhZaB^4h<=qRt=$l!~mB*5Uop-SHf* z0w^x`{Wy;eSymj36`4N7@=sav=h*OT79Oc-%M*r5R}dPAD4#>oJnx&l*Sy?vdD|2} z=N}v`3N)YX=zH!Et!ZKqbolFal6F8PHX*r!ID9Q%uOLU+!}r|IWD@B5-PfW&HX#B^ zQ#c*M75X0f>Q~QRlEq_EQcwg>uDv|m0JzRh%BmfyPtedt@q9NwVU%Oob*k#w9NqyP z`+I($KIoINEM-h)oc-WXe%STAC2F1EzI0ncc`#CcFkpO;o_DeNg>X?ZFM=pBl8gGE zhjH`9>zz~7Twh4#``7ca6Z7X;8izwRU5pwMGk4pP>I~cllc}*1BVpx*_G=^g9sp6T zf8E24zJ00Bm51s9u)2XcV6M)F^o9Y*|4;cmC~p(;={LcnWm^uZJJyb|YU}M~24foj zD}@a=6t@o21^Lg93#%b7D~@=lsY7&kolVNfP>#H7m-muJ(2}V#y^6a87s&cAp(1LR ztt(~Sr4A2`dHGE{of?R7nHAjptpLt}7|_a8t5xdcwVaXJHZH%%9#&Pk1yyy!rYi{B zyeHEXkbM-yagkYT7Qh*5cx`JcB?PX$|9MDnV7Agcb!l6_T>WWn#TMfGpDW&uwax}@ ziaJmE4UbQfK+{^pL`>9Cm&E-wD)-K8g4aObafqFK}jWVf0QA6y?R-{-%_GW z`UZP(kI|zy%jvZAe3sJ;w4Z2zjs%RVVqM_8Hm0Hqp8lDXW6Zat2A$YzA5|MWXks6v zbnhM2h%`@dWAIq8H|v}sX$D`QnPu81hjp>(9S4o?`IJB2B{K7k3b3YGRYiFynqX>F zax>1wma{2U+Y|b9=mP67i$b)xQ_b z?W^@la>?Yt;$z-UKdKGiJyBji`=k zdBq-wHyMp0-`XaN8R(i8v=1TRy+$qn=7ov@!8`kVrN>9m8lvn2z`t=?N|2U$Y9=7e zf#6!`CLtN6Al?IuqM4|1M*cr5AtddofCcfdI6BENpa)bdqmI zr#tRjZ=OAwVbHOuz5Z~ZJw;+Hbn|wBW1ju1cW8!v?trfmlcoS6$i?%F zSBuUeQ=r-w-TxwOiseEwm*}kjugOv+J<-)r_6SX(vtS@oK)OlGJd%k;H%sTFUed#Av-{ zy2NLS2uxoX-CHq%B5FPGvwQ9aH39j zwb%%)ZCYPFyydrPQ{1qOZhb|zM~B|`cw`EKi&Geu{eg&VRkn8Kd&qR930_t!DO5g>nBmHjCBY zy+`9QT(-#+O7L@{3eu zXJC1rPcbjiev(-I4y@&tc!Dpm9{Q}o2+l4X=Iv{WqJ%s7N#MbYcY`$5HP8fwVdv`Q zE>3v}6d<$egImV@>ulK(Img%_Sdk6P{xvi-qulHT#0^v~x^`$r*NO1)@izSmr%+iA zF9>Z#i}Xb(dn1c{;qM#&96vfNoF?sJhT4(zUrj<@;ZkjA#ths)G(NM}qy6|$pD=kf 
zn{#NpTt1UHY6lwTI4$ndU!q(?oOx5)uLQ`@79BNF{QBgFkr&A;2!eiZCV zM5P9EWluC#`c>g#L8BY+e@wjo z=3X6SzxP2cz~OQ&5&R&g(+_Pcx2jl5-2*#UqtT;V3!z0D6S+nIrFh-u zoTUtRUu*2Tk=fR3+is{dxs$&$f&MZ~?j?|&`YK&K>FNERdC6bLr+vA8G*&Mj%q)OjtVmm=jgmD2_(C*2-)hPVdd*()ly&!le z0$2^7N?1$L66J!WJE%5BN6Mi#ldzZzS=`2mZGS|jevEXDjc~9c+DLF+711e=y`l9m z!>&ANJd7Ec&;S&n(|E01dI)a5M$Zb+D8#n2BBwDw9w5_*c^5}yIle8lAbc^I6N8&@W&7_X!degA{;YgWzr`Q%cf7DK6RRs*VTkx%VYo8=n`CG0G1{Kd}GhKz* zv{&a>X7}5)VYx3$i62WX57h>vp_(6N$$rBeTs=|0ajR~7sG{2&lS5-4?u@=!L*_3I z=0#I8kAA+VLKB0>S1$BJS71&?6_+n>X!V_Ej-8YhR>BHOJH%b?r4!*3;c@L?W(~F? z0}3YPJGpMX1k16Zz1EBwo!Y~mpz2?$iSLW$ZR#5r?p)b6gz12CCv!I>{ixK)6IH%7 zQEiM~u42|$EeA$j_@H$D)KHu9%>HGc`YO<=gH+CHC;SpVQXQL8Iv*l8HDky0w!(0r z;3)nS2Uq}7pC$iX3P;)6MJG;{0NvCC_?Nr;&@XJ0lHc%EnY4-JgH3;Cv%t|YRZ&e$w`vbda{$*zfL zC5}9w)+=P(SNrZy(vatmO|O%h zr+B}-cl#i;m>6IUFTMs+e|*J(Rk{&Ro~-;spqKiu(I4C|CW?P0+g$H&SnjtqA0xN`7)C-jVW# zg$7rHUL62DJ7?w+Mt_b&y(m*w8ebWwD~pIV7e{{G+SSr6@#%>vnHq3A_a8L3So&$D z9)7^dhK(4Srcm$>zMbO61*?{POm`5%T{eBGy34D-kEi=hm`0NkR%cXHHj+PeKF5?B zYDF%Fm05ME@?gYW_Od^+)xV)IF*->>wGGglq&ZjD@hjhfVbPk<>pjJ^WK6Uhk(0Vg%21irsKwHPiwOuYBjG^Q*i zR}JM-o`uL4Qorm{&(Fyee3m(MIcnX|oc*&$w-PKvSw+9aNhnzM!($B-qI%Q2`(Aw|z1fXK5 z0kA-}B7R34wF#Pe%f$bbb7P6i_X{SlS~JNLJYchmMdcT#S!BG-JVHz&{;j4G%B!MBT*5 zPgBc9vs3{ZgknTcI<5=PI0s{Pj?S3j7HnR*b8=%NYadZs;?5}PrKu1Y!~an{jT@L+ zgPq8XFkn#KrN3n4S9Hn(*P{kIxIm2hrV6UrM)W3F!-! zy)R#(7-2A_;i|FXzco-;VqiAAh0&AL^;j3vVv z!-`aV$zasHZ&@f}?WiN$Og!aaS)Jp$PvcOdN=zT(+}DJt&(OlD363*qvqvCVj1Jac zt(``JK{W@Z6BQV~_F6!UwErA7mplXEf&RFlEY4`pF%r zdhxl8q8Rf(uzEWq<82eB#aKtF-R$i9j-AQ7QNadZ^{3d*FV>YZCXIfMh4HL>y4G(_ zKKd{8UJSzOvo;Z%dp4|wyN2RXY5D8j^d}QGJbYkuUI@?SR@-eT(`XIsJ8>m6Ptsd) zxXuPi78Rc))+?Ft>2e>wgXj;dUxOQ8{P>X=u^JT@hP9KdEJ$pJup$T=$#ca0PglNFG z*e8&u_^7d<1st!uT5FV*=WjVv%NvE_gny$;y!#qAgf$Aq2>%H$sN1`(=S6t6g2QU! 
zw8SH`^G%?*y8yC?-kXA`2HIewei}M{aVAo-1#W{8Uz0dKSyh?AO>)DkW@m`uuY}$g75a)@O=U~Wr zl#e}khDmW%`n#s(vstizdcCy;ft9ZGcuQOwj9$1fIRe9GvGayrNuklUR%kDA%Bh+Q zoKlSk^V9|faxzny{|n4143nceLY;4*C6r$cFTu64H4OqB+_&3werw*)cvlKV+bA>I zu3oY$)i3WBV~N{Wc-5vXxjI}$mq4k?Z9;+j1ads%1D}d+svc6FihJ*|D=p%8zBg;+ z{DXm1D6qyFD4cK-GMnrj!s5&^n5|nU-Nwy;5rquTwnf+4yI9q1!YEz$?&;)N8yd%0 z{cMgG7|{ylkEIWljkhpPd{jP5`_-}Rpe9h% zwSeNSKQA$!wS*WGY_M8;9*MGrccc4j=dExEEGOap@62`yWSp-R}c=m6vMkoF=%s!c*nZ)0e%9F=uox%C#vEN@;hl zl|L9F5$(gQ?1JUc_nU{g(DpOC3tE!=;qBY+Tfy?ZYBa=?@F^Ej^~4l!F$` zS*I!aJQpmfUQ>Q%1g9rYQmGT9rMCO#LVKl5R@%L)B;VisfEi8ca>= zsZP`6JRtn4rFK9?VK>~lm1`iH=)Ev*Ye0|OZR@c7MrddElJlJwhqG;MKIx+$Pp~+) zbNKc75d`a@kffnOP2HhQe57t>E;12GK9zgrKsI%am*1W!V*k809Mfv-+r3{pRSr9&TX~+G!*=$#XQ#S#Hwzrs_moBKjx38!3*_ zy5W3G%Hh2xbdSwyYl*j&y8wE4TSj$(a?b74qV?knfwaTB=0z=b=|S^P+v8igWl+kA zZLOpdpOF|dmgo!AW<~@rn9nh>xUlvirjyk0Pf} z5$Jaz1uHHKGfhAfiry2nt~ZnlRaLjHjh!U#L7ycT-UNtGBhqu&Kes#N0*dj731U~J z-85fVh++nZ^l@~qOJ`sNa{nu9c9h~>By=_z8aVlCK zy2)G+ua&kcU68~2$v5+^`-{O@0AeeX)j_0D!p7-q`3*lt(#4Qg)!&M*m-gRqGQpL`hPO;qsXB(5!9NG;X*nwgUc~ejIu@+T*ny>}O2~x5v;XCL z5w%C51I3UA=EgZXFNVL{C1&a&DI0op4hubZJ*COeRObBv$_99^%k%#a=WY07hUn6Z9l%U zGVZ1#8w15y`xkryR66rkZ%xw9$nOzuu~Z$W6-{oj@JHtbQpw6NnkF>O2>CQ@`|BB_ z8{^+P%pSR`y6KxCVZ@$js6Q94YYdW$KuUjIIxYyW+Iv5}P%>W6SO<|YEg!*7lx9s2 zBiI9N6{E`t`oz)w9d)(o6Za;0;u(IBbK|U96WQ>i0;(+Ot4H;SX?|k*I@!EJ%5Y#r z`U8Xya~JZA7>^SY<^FTS)Tp!MPlzO>nh=lY6T79FK-iAiWE>5dxM*;^6#PU?Ivd0; z9rP~)E2w#*9VpY}#r$$jY;P8u_^2o>N-#hfXUj9oTi;Ty2qZ-QAb{Yx!1#$S zNKSEy(-L?4;07WIAwbRpZrP6U@EL6L?d6k(Y4}v0#*(_c zxg5GL=Kf6Ba(b1|ky#^iCfWf{&oTAUgY(E(Zt6Qn4!^bMf6gFU6X z$v;Eu5$HhKBpKvaxLW^dEw^r?YWd*49^@K!fd1|*x<~-Vu4lS!+t1g7l91HQft-K~ zOWdKfoS8+xp^uX3RTzgCDyNd^Iny+qNOTx~Np)KYK;GFh_;>+ZV8)F?>HDQ9P;)1u zLhkq9m&cdjy{Y=iq=)yrnLRp-zTm4VOP5W_}FET}N2?Fxu z?p@-sMjcj8zSBzWh`&Xk2RJs~1#^xW$xZE7a5L4VTTiJ_dubKU?s<#lI;UYoVEz*? 
zUnnHPfoE^~)rJ(Ii|6KzZ)4&4%f1xJ8u%LSibMNwa9pRfpzxvWkf|b((I#5Wn^-~U zP#7|7g5#AC5|9Ur#I41hzbL6nHm~COc zBF7zUGpyRR>N;x{ttBUHv&E|ABMI$i&k2i<#2BJpaKds32!8(QoK>J}t_XW~P~G@FH7MUTMXgWoUe2{%JE9mh?esR z^&$d+moyA%CYQ9i->Snc)e3YRhBPt3AD>PK256#OzfnFD7W2p49VYcA*JRl1no-)- z7cVNpcdnHS6cftm{4%jZfsutsYLn;BzJQ?elIn+h#$8#B1yQC4cNYJaUn>Z5zmNj) zVdtU`)SVyqK!aD#DZ(1+jj}3Ss=ZiQd%eIy1*i}p4}bQzXWerk^q;f98N(#gX|C!k z%?GPcK^E~$@1%k-K@uL22;=Tbw(jUe3hB+e(_S2O*9EQ9=TAxBVV1Ty;Xzqgm7Z0J zD>ON_mX#jl?)MKc}tbWrR#^sl+IEQG3}d?%qp{c$Madg=gaKK z25HYfDiER=z!>VG_56k3q=%Pd?QPr{HFGa7W}_tzZ(4b3V7h+2O19`h{cyTx<*IM~ zO%AfC;;!iY^S@j{Xn}0KMdTTHr~6o*$awR{AVPL7R9R4(IbSBS$ov7`S}(O`m9MnTKXxHP&*Soiw{V;f4Xu;1 zwWPhhy<_)L=}f!rE`;cT2Iy-~2Q4=$yn0n=dCthv&f6RBtKXYUebtU@W|c&!;!0`$ z2%~_X9WR;|u6JT~E4`8d@XeVKKt zQ!U+E7WSE?neGT;~X)Q?r4o)FopBdvw(r zp(DHLqA(1P+6IxE27sd82>NZh+aw(gw$aF@Yz-eZ?zCao&pSLtgU2#0nM_C%&SMVM$S>`gMr9M_fdw@U5Zdl!$Wi;h>{sIh-*`^acNf zhv8R#-P4PAxm1iUEGB{p+>yP3^^DmPIY3{?w)qcf){k0$!bzHi%wtwkvcjQC37OIQ z^s9y@fTLtMkXI+kQlox9Uqy%;XVrVoZ^oDoYgmYT2?SSJ(krOy7OV%UKB`pRHN17^ zhGA#hemwm#@#Htpl0k->!htf?8Pr2&>r^QCQ+-)QA$xVKW5+M20tL5W{Q>wP{ErFZ zLmkNio&mhpRN|oQNV{r(94@Rhk*QSc`9{(1h{fVjdyO%X-@>lPn%T`FrLr0tUHz6$#U-YHjbntRMDaL4MUDaJrs z6UG&WHKHJtuQWBw1HjHFl2s=Se-y3D{xqluSkex7ozX?V^ycLKH#UJ_?kfw~%ss+{o#y?HKt)qD;%R&qx!_%l{o3j0bM@NA6N+Fg9f$ec%w zJ5yxJCw+8eE62p2k8Zj@^Z&Ni#aUm~aH_t2o>n)XOJ5Ev^J@Yz6XGm(~V zerJZ;GK5ATV}Q#(3fc-b>uO7qv{L>upBap;Ol)}o z2iJ99YZ-PpLYpkoQ*bGry4G1D#;LThEI+1vYXLnu-qhf5s{pxF$V%O;i)!P}ay)}w zy|JU9UPWd7h$n-I1Y#WFZTEQgp2+Z>ygdM?iLB)XjpzZ~EXTiATqnMt{`Dh3+*k>V zY>be;UC+Kz2J*_U*xTY#jw{CnEHZcZ(sc)%(qfI7qI2NkJ)_cCqpmGz)98g$ZnK)D zqbi>7T-H?x;`>x^*A-X5Hh|G7lv3~~wR{-IZw3MI4;3QBJhwpT6qnK=wvB^$4FV@8>4KEXI;tlXs;l<#u z&n06h*#+peOz&C=d)_~j6{l095%&1aIdw8!BJ>JG{!hrwP%tVvBBGemuh?^SI~W0c zv)MGEpPjy0yZ@9rO1(%LNVR1;xw034zjc;lw-QEvk)9vGbf86x{De4#-dP8k%)0^o z^8xEwO|E>XRCEzK*XMQ&a(tY3tjP5BU*QnB(zVhQ2=aV!OP`fy%4?+~X_o}-lBOeY zd^E)TJDrCtVY1Tl!lSY$3xNTP5)GFs#HhD=>L+E8Rt4zq0=MSHG4^u4RnF|?s?`JZ 
zlg!0Y-xYfx^>$-Djx^XXmQH2Ar`8Yy)r>GJJ8B09qiOEl<<6oP_;f~GM*0#VZZ}|* zk#$;7UIVunTb9-S4n0zZ$Iz_FGMh0YNSH48-)JlbqmP1B(Gx%%H=*~*$55=^ZNV6; z`Q$q?qVF@~jm?6$A|?Bxq*sOz-YD%!NL0OICsC=`CCZP?SF zO%5nwP!&uSZmSffu*4CY{^OUBOU5*9GQ6iHlV7eSZ=zQXho3T3AzYLYC-D8ho&8z- zUBNl(^sw5sT2PKQ+J*5A1SkfyCl@(|mOOT}M|zseMwZoha?6>j65fAo!p;{f-pu0~ z$`@lzvf?Fu17)gwS^Iex8*{;RnpmOW^VGtRJR|<4(DkWgw)kBNhPk1mRzk)N)ss+J5z*H<ttt%B$vNS!?|&%Sdy`7_fG!1N6UFYK+Usiardv z$_pwI#{Boukah0-JHm8aBp9d7jUzoV*HQ@tiH| z>3Lj807)IYl&@bo!;{HBoy37A>fOr`N2+1t)Z1)3s}(V=yEacmy{Kxuu*E8ea8|LlqhI*^iNsK`v8$$jz@bJTmjHrh z20{C;3TY+_GoMc>Jp_@nL`J{QH4v>>)%MG$tJKNRp@Bn2(25!!UTq=NRcCIxdFor&`ir#P5f+tzx;kDg#P)>k{TqY51?u;a~q|3Y+HHBDjh!vvu=~ zb5lhtljb3`rnM00{xl%Sg15cWXLzKn-HO^0AIq;tBpvjvQ*20+vJA*@WK@S2PY=Z_ zu};dq@{cy?_PEeYts(x*l`Rob*iBA7=ZoKKfSG88!wUgfbQyU^$2sw+h@imk7Scgo z!t^Ouc>SjTLg)@PWZxo4iz>5y+qB|PAzzKCuOo9B!3jRUbsTkGQ!82N)a#40{{ftV z7e8V z`ysQXVj43)C4RgJWNhJmujs|-2qGNLN^adb>NA#!6&?RKee$+N-hG`D(3&=yv&p7< zNVHRw8m-bQJV}*Y?n0YsCO8q`(9H?jsQ_~KChEcW{2-SJXOYFnb?q^5b^5~Z)YVF9 zA~DoKoQrto9W6{mL=H3-^xmteUk%VEo#bm1uo}uTfF*`W9ZU{;fs^+v*a~+kUH_+v z_e5+_2qh@J^C>f~ZxQ}?Cx{*Pk#&oJJgV&Yr2^;twA=UkRiUa2ySc9bR~Y|(N=<7* zlQ~B)B?%%0o+|B^JR+1<*b!%IfFgC~A@HLt@-sXb0^m1i8B;hq4NKnJc$0j*j7kO_ zyS=_si~IZip9enMHI~Smud|=Eq>Vm^Pth%mStYg0?PO+gIXozH+oUVJQOB653=&1| zY`_&|9B>8wC8^*zk^Dcj|yS+EB&jwPpBd73<3V9vdS5u(2HDsG8)$}>H2;)qoxpJqkEKtZej0v#jhge~i99Rb+*l~9kE`Jk|c&S$N>h`!&yR$!G) zA_G1DKP(B^&+L(?mNND4C$5$=Crk9c&`znN6xXjV4sj$F2U))S+fTUGFdL}&;hETy zxiTh|y6o!AFN+92uCZhWb9ui8KquFEnGDi_Y0NMEI8zW{GNfQEk(>qOD~qScGz#2t z8?a}8I>kDjX*&y@t;Onp_te)d3%uPj4%|2gJ00_1GL`5`yBuL>$PkI5BK#Y+T1va8 z?W4ZxSGz72QvEyt+idBE2|@7Gu%A|IFT`;5Y{rQ^+o8bPnPll~(XgwtiSZ&QLF~a) z#h*4Zsl|lxcbl&9M9m;_eBI9tNuQJk-!EnQb3)+Bt`lM?Kw2xWvIYZeI08Lmsjp|k0svB*l9++yO7bGGr4 ziQ(HRZO*0&#Zt_ZdN zhL|=r6yKy=5wDG4?({jkhGW1M_}!iVvk0t-Rxi4ERKQ=D)%cj`8p4g~*PO_bxZhi+OPK%277^xv72ej>;G zw>`2f6hkp7cG`!$r?fmj-^xK|+HDlRn5NG_4SN%v&Cb4uHF5eY%mdfSFQk@UOL5p0 zJ{p;5$Q%18(gD|Rg*YwmZuJFlWa~8o>*)eZpsw#yTzF<>J>u6pPQI{ySX))>Bxe|Y 
zbFM!SMm?YsRTP}$ElkpzlXOOUrYgSGBg{2_vz%}Sq0nBap6m`Z?2<^^{4S@ye+_Mfxql8d%`KB9a&Mac^`G-3;T6jRrwJ%wx76elPyl< zO$xvSuMt-CnM?q6`_da?xW)0~UC9ROnK$2V?7h&_=XH>~MhC2!cr+nf^g=vG*n*ng zWb+sC$+1Pt4E|qQ6f^O^vz=Jv%b`9?*9gSaHgq}l=1z1k987B+1O1RlC<@pPZnBoL zi(R!`tZ1<@9v(KNqbSOW2s31dAtLivfA7NH;pWQJk~JV+wW*tFW4(AY!e6Cko7|%z z%TP5*Svf^&iBX%w;^IchO(nI~?%B*mG6GI|A=UO8Hrl$<>6vF4(nxJivFq7xJ9{z9 zMILPRh12H0s}Xh<`PLsV>culFG&oVU4$T5X(zh+Fc@M&qbcgoUSGmX$tiL41sZ4zo zPs_Mi+eQN{X@C1u4&WWxQ>blR>a8uzJaDL8*;_CbDlIJgsgi)}7KZ8;nqK(5Hb_P* z($!8+@ZjRtZtgTLSWh~__3ENiw2JGVY&NCk=~Qa7C(afsV&tEV#muuRj69>TMprRB zq;a^UO$8+?MR8L~m@a>#;}DZBPM#k6Q2+K)okjzwar2ClT{Kh1e<9cAzKhgKW=@B% zDkg{cx8&(g$n>gRci-@iQ!&)*3s!QEXwv=ia)y0OxYlOK?W8&A3&ynR^V^z24sGoE z3(V)r=@t;&cpSVNJ%qSl$I_w1xZ)$25?Xcip{rb~cS|w_%KN;0&SIC8luCXv`@t~) z&^L|QD~u<^d6oN92}ceA)GwhG9Fq+@Z1$XEim_;Ys(s3qtoYZ|i?!7AguD#Z4%5=_ zsv++FZ!%k@_fSZb<{VZ>*ZlR!8kaB!y}NH&$eN(!-SATc7AGq2nt7i+7P!6$p68z^ZJ1(xMli*gIb+V%31HY zZMTtOg|6Fg!JmP`_N2){kpaBDO4{*L)o1YcsSJdhEVr`#x+J%WD%d9K89-M5L+dNz z5R8A=Qhpb|@2YTEVP{EVH{$4Tf6X`6tm$3TFY8e6W4{6JAaFTaO0T<_T9$J43~oH_ z5w3BTsU}~$2|Uv#e9Nbm(fIl}$D5xz?wyQ6I;XCzA2;lUsw1AMM>6^Jp5h)LDVE-Yq>G z%7;cK4_BnBv@&2T;pev;NX|g6Ez3(_KwF7BvMNN$UQRtI=~C+IP~p*B`|Nz&l9EZy zLVThmecBM9iXL*Tz>qif;}_OmVp4?xv8F>z0ycHa(U-4NUKtkHz>2JB3Er&0-$F0u zU6X$t;{HNM!#}Sy0YWEHzmW%{9>tt1OnrGJ%MzP(V93orhj!v&)2@9y7G+-epB?H| zn*B1C>~cXoDgIPL{Gbl|o2AtIwg&^WJzu}|I^!Oqy4>8D#*bIF_AdG(qHgJ29cAjd@ad39AFDW z%RZFEZkwC`Ob`19Z(A!9i6ON|HjC&`S3|+M_k?GaHJ20iEV$N6WrUqYhlQlqFVrZT zO{9uFNSCK+QH%x$xmme0xRUjMunA))PxiBU;ltQ_UAOmqjoYk zRMRG_+svAl1z5X(0jgfee4LxWAGFO-eDC!oMV}0J{=>fb$}QD7>~^hpmwWr|7?3`_ zhbU=}SqQ35+?r*$TKm*a+MkA&1Vgu%Bc{0t(R7@ukY`86r66zdsp3WL_oLBOy#@Qm zI3ghsd|NDQNYqb6lFL0ycf>&$gi)gR^#`3a$W#>EtIHun)fg=!O*UNX~X@_l^Z}ulbj9W7oAq|wA(+I|>gRX2Xw3e}hhK8K5DmZ*GAFPk; zCSIjmR>b$NWxIM_1Y!^sc@wj3#vk;#!EcbV+t4b<=99t&VKRAu@&-Wbp z{s8w!;u7dclA3vVt{kyKHjZLKjJ5M;F1FMWh-Io##{kZA_a)1g7w=&!zSJA6yRg4{ zG`Fc;Vgf(LmJs<`niP(QP~fh>)&5$ia*33KyeX0+P}J)lWx$uw938I}U&OF-F$#b2 
z;i;(thv_z${l*4}#%$`UC!2F{qaq7@TEDuu7cM;L7I%^!{q>k{tb$IOy(4PMA&v!x z2eqHLqipPu3K9J;H)=0Ae0{)7ZCc^&uZ>d`#IdGO`#dhOI?CDgq zoO(b*wl~GPpVX}Ji#uF%5^>37R^XLWGZOwCdfE2Cu z4;)7#hL^($?x4D7W?GTixMirh7&A*vM}r)^B`N)vINzqmGjN`hiVH)Km-kZSzEb?EPJZ_ayQKzqL!ns* zbn16;Q)SKS8QZMGkHjI4VREz?|bG}Zg;*W2zm`RpJN7E=9N zKnd11vN%SB7O#U%bNW;VL&iX(opD|&Wc`>$UU3OBsW8=9iSoB9l>*^!oS6GQJyoSG zRNEid;HvBTM5VG>vBFs-@WHrIN|_X2`Odjso00RAY1K_8#2N+nD~Viu+IK#7PnY+q zRIE8L<%{@WYfm?(adgIVO9jkN6rqLJxALZO2Fz9_8ycvR&BeVZO-!^7ktdi|mM=S! zRM-!mO`QzpCa0GFjAQbo zWQED{XrB6Y_Oa3XM|t+*%H>Gs9a&br4(06P4t}ZZ8EKA$1uh+N8XxGzF9tfCpqaJ#F zsa5%$!Ce!0lt&~vTuj?5Q<2_phVj&5RQ7C8A!x7ue(l>9OAIikZd8OXzJv8y&>H;yT^+5Z@=_av(s5{Tz1Q-*}{|c!U zynW}IlRT9ltSa&YrhzPiuh-fK4`h>-WpymZjSmxsZu`9vWx4NKC|z0Pp{Gp$D#Y`s z$|uj=YHIJ(N-ZHCKgjUI_gQ#eG~F~780kPz#xKa2xlPj1;OY;SK8kX%4mOrOg+XVb3GB#oJ<6>-I zo5GEs(UZATQAI01%js~ArBf!N|IgVx$$hMLCxqHqe+T$JRXf=rWcOD?_r&{PPf>R#+88 za!^b*#)TxO4UVLrHJbOM`JA}BOnVK7Yr_I?$6ahqU$WTAmBuQPN_S_=CtY4RVh*jz zkTh8PnkvvPwQ987hR^K&!*by|n7Ulv?j%$L6$fVQdWuQF^`hKxH&Q=|;zhV0bICu$DM z!8ZZCN?4M&EzqJE)nbe>&TQjE5Z3-V|8{$u^YMd^?}+3GrTp9JxzN&8DFxR9`{_`< zFT+6_Dxz>SqK&}Ma?WIZ^h;P9Ok%zw2Wk! z#}_Fz9^jvWfM{ws|4-FNU4QA+(=fZ_?H^G=KRg$1{C$wYa;3 zHP(=0Zq1hOp|<2#yUkM=NlmG4CIdn8;8{SPP38p#P{@YIbCAm#{j(xF$iO_&!rb(! 
z^L-ywJ67f?)T>q8(2OdE-H!}y!WN8VvlPc~%73*D z1?oStsnK8`XloY@&z*OiFA?^eF)EuWm1)i9{b~8-yhu~<%+U)s9(&ljEyB(VlsS<5 zBzTi4P85dma(!k^dg+9PuS6UYM^s?1Kb`L_POC~T}OA?~{!2hg}m2coaK7(!Gd`7B}`_RAuUJkTE%Nf0w|OQQlI3=Q zpT|lg%2t@%MB9Zo*rg>Eof>OUJ$Pu4zzrJ|y@wo+AcvkDqw2(n;AEx|+G92$G1mr1 zZWDW~#^(AHL*kT!?$0sB(4}vWw4k9~QsWENwdT9`G27txkoZ2!SA-(>XIS@l+`~|) zNvf)U(hJ!zjvzR)<=H^Y2Ebu_6N(p`D|Q9Sqgdyp*|`sV9A6vwBn;QqA64Dv97P0E z9!`SvX|tPtPsDpw+7eb5tvP0eg+hn1z_tAcjaGanRhPv}jT7$Zchbz@S$iIQk&dX) zd)VVz6lMcX;~~dk$(ZV{-+=67OfamU>Yrw-Sov52v^hedig_z11ea0~*xm=8y2EWD}4!|PYOUn8sN5O5*BJix@yBbB4MhMfr z)$)D~6fi{+ttu?+2oH7Pb>1g^8pcci`62OZN2~xTM!V`K6;E>oh8LX#L?R_qIKS@$ z@1H!LtW?%w9tI;|?2&!^q_Iz@nQR$RF@GrMX56sU98a`)Gn7Gb z!-z5}lmT389P(8?l=2I+(lpLNf+s}rMwyz$dAtlxzS*0z?m3v|`PiLyGV2W0b{W!D z#Sk^b%QSNrt61#phfil!eM&h-naxuGukO*6aZ28fTpy5Ze0TXGM=P!_OU z#c$}``h+3eQNh|t5;Kq{RhR@x-xS(;r${cBZ|2CUcOlpFbA0jsFnFXYd7$a_sy1BRuv~9lsecO6Ex6ROF#CnAEjE-%+4e&} z@B|gK*oWK`OCMuiWN_qErE56)>|BI3(M|7W<>}4%jSKaEejuc%Mjkat>JGSAuk4aG zTl{kQhN=D?wrY-v@Xe-1r(&wvB;RF zhu;7o@$n>fB!gjqr@~J&NQ4}f>oQ}}q9T$UlTkHk>;rT%#LGYK&HPN6obBb*Hm*f* zZ?>#J0`oHfCeN^SFd&A3zSARz5MkkZWnnfvY}A{(nT;nFu~Pm z>K zK2Dy`F1!xz)jU;ZvIF`n<^9APAEt{xAn-FYSJ-xY^G&q4e4k5`tzTJG>Mmm%$B4a28--Ehk>2WON0IBK-@<2!s<)9YkZV(*gk4Iyf;QKsT`M_=<9 ztOGQL`AnHmMN&-88H>~~vNrS@%1*fUlDXJlJE>=uk?=#AO9pxr#uDZs=6tNT;qcJd%VtUKE~3ERY)6`cvArx!r(yjhs{k-Hd0?54zB5KV z!}mxoDo{Js*POr{H3(%EsRuml?0{Smf!enk@#?y(9xBVJTO9MR>q+_gbsYs-i4=#0 zzoy^Df`BQ~tm--G7a=A};q}C=iM@C33-i#4` zNy9CL?}^hdOpF5t{%(zyZapD(P2C~k>gebfm^*!Vw>aWIbjgsFq73=ey^%us>?PT& z;F;tP@tdJV-I3nH0T-6~ncY5C%LYGLmbh`UvA`-qk2porK0^wn^QGPqE0&fGPH1B`}qq5IJ402N{Wy6+c>D3eX=AL^~6*9QFH)4moHcg@x0I088 z6wL6{MRkPsdqN)MvEV@afL&ajQE%dCh##qKeZS*1aFj(4j1`x5UdP`8-~RFw$BD@EEe3uTXW!&mR|ls+?3Be!@kXe&GsDjP=;1d-W@X=(+NH z5C~X?h4@z?sHkY>j%d(M(hl$nz4aOl>Il5rKUvehg4I3%q*JdoVO_>i zy5MQlb>DZ58ZB1zoEif?w@QYWDd)L<6-qZg4_WDs60UG3bKj=JUxi4Oqms0q(ME``rjtG-4iH85}7j9CAfDL#WMGEam)J^D2PvQuG zLMp*Av-X493H(!*t{oS)?MvpdK3|gbqK|n$jXA 
zsvW&|+-xT}JeHc+hQ|{W9Rxj91=ZE;`n&nBkj{HlgmpDNQOcpdfb>|XfobsR%gE#%2Uh6 zWS53YX{UTlyT3S#2G^M@uJG1?wdDYChP729NW@g*3DnA#iz)9 zTM4d9zMJ?}$39|cL7UP-jALt`SR4|9R=*GVY(ZDMe@7QL)F^WgbeC}?U4YPTr>*#sa zj@%i!&!mc=ZO$=JuUMjJOe@KrHdVyS+P|5q;G-xdGvuLD3Ik^R_!J$gx{<|44L;r$ zOACbax?*r!8xL*%`upW6SzMsvrngP{TA{R90WXc(S%evWxg4Vzg+&_l*{IPem_~3s zhbX~pdJM4~ni2(urr_-KC$3yRJD9C|0SF0w4syR?FvAxTozCSQP6-Zx!EauNf7sP< zpjn@9Oq&q1tsF{E_?gwyZOQ}7!by!U?J-m24dde0?AO}uKz5oE{XF}S;%0!fnXd_F z11E;TL>QR1Dlv5?_IeE`_#QgB-~l4CPAWbvs%>^r$}9M2uMWUh?)0**h6E31dG_Ue+2J;8jowaTH18*B6Pr$U0c3rlT2S=)v zj5-IHOrX+Y+;-P6UKGElO(?Zp^Fzd7HSBUzoTTd8`t3?u4V77yuj!$23EtQAdkziC zGKM2-GAlLSi`E#7N``)l4=;E+{$eMq+(i9ALD!~ErFz7ofgL@ix~c|p)9A)rQjIh> z;`zKB*zbDwhxHBmyz}cqIxkEC8x?#fj_#02(M7Hvj4-J3vVS?*o^TwO9b^1cm1KPLj953fu-FC2anAWok;y%jXY0vLyaB3 z^hob@YjxYV-X(82-t$sBl1SfpnnmF>Vp)LD3b)bJs5vn`oK`?QB!RHD^f@A4%?r+- zi|mnlnl)XWNO8H(TwVv3!WXz;GteA~SV8E%vkz|4>bslNS9NyP5N&@YFP^NiE&SeZ zUFPuw8s^ipqVIAzR&g`ZS#*V^`oYmsz#s%>bYm}RP+A=w)IZ8Y=gmf@$iSg>mjClo z=bCiU1Ykt|?T(1^L|6{n6Dt(3=0stur|AkVFp9=RZbcR~i)-RuD0~)}c%UYknblN< zbiwk|xiVNd2Z9*BD(Ln-W|!T;J1#L`9emCUy=lWx8o!nE#^8y0e0F(NT1G=( zHU>+4h{$Y>9zs9cci;RQEH6s=ihT{S5rDuG$gI(goum_KZtU|pmKzGnE6j8GcoU{_ zl#Moc1FAlUE-r0WEGB5+5-(_wJd0x!GG}{Bz8*t`GOc+q7R7*h^|d4Ycy=Q-r3CI} zERP7LLYwj=Zjoil(BiO@lKAf9W>pA8Jv7a)%zZr}?Wd@OY4?c62Pi_d8&a;nSL`@1 zXWpM~&~O6VS(CF?Sw>ocza&5v?@0%``qMTc{*-ihD0a$?I%x1aLanc!DiR-C8|v)N z=??jRUa4dMupQoW<}-U%7t$l}yighXqq1+qFV13~Qy$Jjvdi^hHvwi4Z4h2eFtK&1 z`pTVdb7mmzhx@9W-(>EwMYz50u3dvx0cv*&AL=y>O~gDZ#YEAWR3o12h_lHv@@G*| zj{>r;gEkr{o$oibZ?0(XBv~w4AvQN|US-5{|Gt=EI(X8CAc6B|U62_z-KQH($OwkPJr^}?hdkG-}fp3msWB$!2DGihiWxSL@A+BGs)kX5+q){f#Y6N`XHIHE>Nv62XfE%J{< zl?qhLM_Yd>p2Bk<&*5D0OTB?}#fA8YGCN-XQQYl?9KWSIn*E(`p7mtBfboycF|!gv(P0BJtmjuA_7qX0 zE>8Tzeiwb=!hrKzxBh!+x5K^RW8?hcgOl%*whh(V)&Z;p`*PQ?+^|P4Gtep8!oW8F zu`%hz2^-c4qa{KG4=r!YJD`r|eXl?VKLPx2()N-i;fUP)Cn9hgz!TYqV&-1}qx~CT zq3D=j{1oz(<>!~qCb>y?E>2wX6!=Zl*?sAAO(gy}2^r;gxK&EaU4wIVStpE_vf>M% 
zL2Vm1N!@{ue*sJjBK|LcKf#Ujm$kqX|FRZv-ubGz{!3{Mapz-S#1*&`k+#Wzi2n=V z$8b3R0vJ5;FKeCmy|5Ob_Wvi%EhC(pge#h3N=X#&(seI5SMN^`zw>5b1sZh4{v>UQ z>(af~qG$gC52-xC^ zXFdO-)JG>@Fm%Aj`E6ZricuNpWNqis<&RrL&+5X73=VUCc|D^e*2(w4ep_)G;HS76 zE#Xb3;9(0K=hA^fpU!rAWJBR||0}Qs&hCTEhmUi~ms@1xPW??~L{F1%lWz zOPAp9c`u>>07l*kCw^48!qH8f{1*z>&Gt8vhtb;pLHg)ytgde1tsM_$ z6Ckx?aj%Zyb|gO2XC;_Fu>bUcau%3CN9H8)z>F&t+2gAC6W3zJx1au&%&41IM*v*u{qrle2g`5K^tx%q_*Z@` z9iY}^`u!uXZdxkdl^^YUz;RtJ$NicnVXsWrl9P-HGj|TpX{iwi8&8wXV1h`+MYL2d zkU6{1{Lxl|t*2XHZb5QWF_0-jgEiysV(dR8Q}Z!g413a2Tq3}7Me^g8IAuKaNLpB~ zB`?xqG;9M(h4>V9%TfdJCk$$7L{jy^GyN{KyF2_31h4rAtZ0m#V0bpPeBe|{Y6Rl& zVHRA937};b7slZr@iC|wMbHpLLc6u$8vU6le4g6sG#Q-mw@&h+fFyk zNJQXf>AheypSBC{6)oZRNvFR>DD%g_(55Q}fx`_R!=~&=e3u$?OXww9II`ME^q{GB}yN@-AomS68?V7NbF6 zNFP)o?BC;AEt;8p~W|1)KBc(4IX1{6a(xN0Op@B7%iS{6ufs2wf;f7MR;s%iq? z|DOA0P=i_7Q3L0ltLy17PqXmDI>fEH8k>9>eZmTH)|ZX8YJ7?1BAPHOn=m&Zl=4nV z%z}y`VF#-A*jwAn6Si-^4(@EXR4(m!dvO_-K#Lo#-6ts>eYc(89qc*swP_o?PcB>R zj9i*At2y+lHR$D-#4hz8IsLR=d#d?0Y-0M|nVAcag>8G*u~0$wel=Q;o8sN+%Da== zWU`u4^0Zyb*#%P%e23G3?SsAH$PuHHqxsc?#?|W1q1ELg;9YRzymf^5*(F|u^yRHnq8Ixo?{xa(W{W#x$ zT)#d8G`@(K^);!4`NzS=d^+-9j4v#zek_bx@2OuA*_&IbvyyQ={;;*GGM4=M$y*h{Z(cXl|L=DSnF@nhFv zJC0*%uQbzQ#Furxoij%0LIn<7n*qh~R)WwpDJ zq1VteX_*#>yN9xsV>s9lT6}PD%uQK%DysaWEUo_sZOq_mdjH^TuXn%#El%vzP3%we zz^b_KJ7|@zd3|cdopmB!|Wv=}o}$K;ciP z5uqM(=)R>#+IQLsr%)WfHj+~bkF?qTAMM-gvN1<|nRx)R^-;`}ort^4)WlxYk2&h8 zFl-#k9lsw=9%lBZ?prFNZ?5~DoqTin0K_QQ;!FmLlL*aORqwYRi5aY&>K83dy&AP} zshQfFus-T@c+?hiWUwy>7F^4<8qVA~>-VjW=DX3^7c^JuT!leXES_{*a0;%k-wiukJM-|p z3mn<+9e8`yoRk2YqU^&f^SyOtz+`uxgGF(-=1J79Z;f6)2b`b#VIzl!&V5s?P@uhgZ2%2a@kaZB4(33Iu35<&q3=Qfr)3RHg*}d=mD#_ z&pu<;}=SRLa}g1uRl%bW}~Pq~{S3F_T~&*L}e3bj9{~ zA7otN=y13#$HxeSARSt!7R^|=AgYyxbr@IpIdMF?b4avgsk%kLia=?N)Ccj~5h9&? ziDVw~sOvtbVr$sq7I(}q!Wg8lyA#|lox0X1bEv}ykfj<%G4aqIl>8Uaq=4s5a}_Fa z$G?<0jusR1JI3B)AD?;&Hgz$C(C9g1;IW+%3M4c=p6SQ}rlXpD>KlTF&C@-@k`un3 zL07)+zfOF8M=LGdeNEf+fo55Tp0gt@Q%sl)dhugYdVKR1!{f5ZvYo~3Waqi;zoo#Iq_(zb_93RK? 
zW(nl`WbUa30EqF3w0;&UYFgVPP@KIfq@SnXX6;8e;ZN5-M(}@o{fxXq&8konNj&`B zIPzKRP!V-**lW!fpGBCuEu_CF_fT{2z0m&{N+6DuJ;2_q@Uj0GreHPkEpPut>hqkD zrOK%#?uB0w%k*@g{cpD!Uvtlo6ObZ8+KlD#U_{iw4t)STs0{z2geDx7r9W8pLM}H1BKcWJ^U3|kCAG^1)hsa6h&zVk5cz!E2qia+-IA6St!0Kw7Dr1Iel6p zsytrA#T%oERfp_)M4T(otcWjY_!uob8Q>@^=b{OzKB5Vipwf7%Tg)w1)RF%5bv9eG zQWqa^V<*q6>)5a%IBhmMZ8nK+=U#JHIdsA18jlT~8^BItPgcYJKYe68=xHV=F zmyL4^$8E;OY;4M(w$xd3NRljHG*`Qyn9sjA^W=UOTEatH|5LKh?Lro(IUcGW6}dlW z%ovDD!*1{Qqv7Sv(gpdvH^*ov^++?uORR`pw&2{}=hWih-15nMs|@W=J5uDc-^$ER zrGHegatMUxAvk|NaF)owCy}3E|L|JVv^{z1Q_<@fj1~s7*o4Z0gvw*Ds)(|w$-^oD zQeinYHpbYjv^GvQ{jBCTh%)*6(%km_XVIjt+)D!rVbtX}?tV*6;=YYzMA76cRC@Ak zf@5q|xnXs6iThb&N~h6VlXl&EMQTzkr4_0l`8f3ef|iq8huTEmwnwDZR(nA&#MyRQ znFQvz{54fc-O&ev(i=C_&TP1 zo^^D*cL$|asYG5I&-93gV%R#!PM~;fQ~n)?mdH;&t-#|DG8X~@78r*BTMidjFI#gL z@Dqh=y4o=_{J5tq4<e@3IcMM)ffOaUvAbD~_ZUim7cYPoiAaho5dZ-jsRxu($sqmcwe8me0qfb;J6Q7?nGhUaE*XgVCXBu7i3Ao(`SE67`U|l5 zC%X2HGzipD8Qj+X_$29uKewm=8g(xT|H8*5-BLFz|1M4clns&+)R9MwWuaWR@wlQZ zk`6~Q^y>tod2w=PNoqS{4C98?(D^4)WaBQ_u#Bu!R4^C-D=Hhbm= zJDt4WPg&K0vC6~4B~n00gAO;dGaOT~HZ5wq@K}-lv$E2jbus-}K_g5-7JnKGTe@~- zoV1(gMVJ4Pr67~{^-S*`9Ul{t5vwwta+elaL~+1=C;#S9JIfdMFY_4=IhFC_mE9|V*PdB;nF-@4;eCdp z_ST5OaMJfya;K66L!^#8AEw39OyysMv;airbawV0m3?1$cU-9O)D+EUp6L>O@3o0f zesAVFF4ULAGXImHa(p zq1{Jv;?;m^#Zz%sfbTG$Hag5dEC1EZ^W$ktlkS`71vX{;=4R}lg*08)K73Iz_!S!8 zILdmjd+&tF0Pmwe#%hUjWu4RBJ%Sd08Ky~L#Q2B*3rV5T+#GBqOm_*dyR<~`>6?|O&V-=_*ED_sdjJ%B(4$Z*b zet4f%IlB}Uo@Z$y2IHx_vtneOyg7r|EKC&h9( z#`CT5v>Xge;t7C>4am1I(aDFkB?Ubbq{{D#WavzS^&0R(7Jnuc{Q$LDBvY4~mmrm)fn)ZCxVr37^jz!a}3KHLv}Rez{h6 z3Ke~0=$YL7PHWy^2bPd+*a+=z%r~Iw+Zh*Z#dPOv=}-wcUVuM)_~OBPAC-0&!H*b# z(ue{R+0xL?6hGBUAG59>fk&}d@$w5EGN!b1JVCMCaC(Z6c(cN8 z7^Nxo15vdMV2ae*=hlK_glop=dY?7W-G1)&txRgW=sDDHol#cEwd1ibGdr>3h-j!n z#jjISA>L=rLUzBA^dRV3z#TQLz6!hkUMdO4B)%uONK!O%fvax%jH;#kNGB-RG-J|e zxaidPo8F4W5x>Twi4CPfim=_em%Cvh%pKv@Q*gRwdW<9bcYuUx_|9JgzXDn*?AMKW z{y!Kt@Z;jtA)t(i1^)QwTd%N(ft+aI8SrbWu;@TS#4=cJAQdHe>K`8%g-6?qe*uU; 
zU~_>q=WVWhYxKM>{L?0|7^-~p>_t@p1{Mbj3JMWQ-h5G~|I=VmD&*S;(4Qx;i<#v6?tL zvv@n$DGj3rD8z!LTG_~EhMgi5WR$q6y|%8!$NR4``ZuWTV5u!m49LJq*|Ndz3$6k=i!M;ijN*|y@ zetTk*2@TU}k_p{)!uFQ2{tct&5*hZF!TBdlzmz`7T-#J0W_~8LkEwHKLeIDB+uO0; zSIcs;@$bjsOw_(J88s-u$Osc9S^h0O+W<~2 zfTvSrrIb^LoEfjTVxB1B0Czgk!~H7 zX^L$_sFI&jDUuO+%D*x0g8yJp2Pnspa3GWarlB)^6LFHV)-v`x|B=sz@rrJ_pYFX7 z(Z%49YX1)mVOs1ZHm49RP8grNt--_X{qn>hk${Vx%k#QF9lX1aU#!#8{hnrdUmky# zp5Hi$^akG7kg_)3YWMkHffGeGN{kqqd;PA#cTJfaK~D>lD%`(mWS*G1WyG1{1a24G z$HaBMSiV`^-%mY&i=xA#gDQbvOb&U|%_*fBX=efoyWulOCi(5_U*Rl-=*<)j?=66c z`-{b_d9dA+uPwEsaV)wxInb5V%Eb$le`eyOhOZr4g?uMkxfK6n_?|GFQ!!>jJy(jA zeO!a|F*HStp;z=|_D2aDL2_vn%o;i064onmURlJzY%t=dD%_RhbzZ$V@Lbz@a!i;* zNQE+WSqwp4u}+cd*t>A9*i|u(sbs+{S7Y|}q+f@aW#b2L>oNGVg@geI>k)5@y&hQd zBN$Q?IOZw5FwAt#bK`rU!m*jHu;6r$mDnRNq=tl3^{^DzDCEcRgkd!zcn`SV9xE?kP2xyVZ29Dz#etFzztWd0mHN$* zF;=GiHlGE{9YQl~nd2$<`+3vXAmjwE+EzhzZ(>>{GP^yeFLK`g7sh5D#(NNVH*dIq-x zj?BY5<&-htUL){MM2p+U@2)YUquPSSE;~_cta=om@gaj2gtgauL4YNXzLT~^l8h(( z=KA>yN~jGju3oQ64(wE(O8GBo;!=lD&O5l|Z(_kTY)b6;CRBSsnf@#`=+e~eDgox6 zE$2*B%i_VUtx_69@(#kt89R2g@SMDOEnrofm%^2e6ICPZs^;O6oH>n#TpBkOaJMO$ zZW({DsMbV{u{SzA{T!KC8D4%pvg>CYW*AY}CHeWRV&LW)%8h#gJIErFYphBDf6pdd zl4eyCE1T`@uirXky&sJij(oKw0_eWVO&ZkRE&^ABQSVv$_ z(WWSdAJExm_2v=X8*+?=p)5&LW__EHX}XG(G<8(P60f#e6D`JVGp)1@>f8Zems|1K zt&Mnp80Z}*(Dm3{QjESn^!t>G78`OY#`b~do@>tw^WA6-9ySbGRFZ-n8sa4E&1j6> zp=~d2`d9`CPs$zZ%UyJe(jKSxveC>)^?QrXUIqoL{^trm%<|Kf@c9(WpU~g1duo5m^4O$O{zu`#-G6&a*dT3L+aFJlsV1~W^FvQN zYsLlZDe9XHA02v+qg~%B^@_~gwNJB-AY_la8HQ#?qn0%XKgXK&0CPea`bC=zq4JqZ zTn4F0#t*mxg~nC*K;_Cgci@EH4;$f}6+*4vTf;2g-Ik~Sul7^neIW{Pgo5h8g@Jna zUkUSaaua3?2IJj*OwLColbhht5Z?C%Q!%lfOrl#g38(j!cV1HYrw)J5hjW}oeW_kS+nxMx~BLUQ_VYL#-j$KJY62G1wH5O_TeU~pVIV+ z)bI`(uM3`fu8`H%#_XsGM{hmYGxEyoTHd8DRtD{%YY*~dQZl3a>KQN1R(f4gY31_1 z{Mo-~qWesx%ODa%dzZ=k`I0sxrSZwJXIYjS@1dMFImm~0VQIgwyJ4M+?6KL`do`WR z;A!%6+m={hN|$jf80u=Ws&nV%&aKloCD%0Ffu_UYd3QqpA#yl-d6#|H>$xH2b8K-R z?V#E99gA_Pn}?@|&n$0hew4^ai=rn7v&xN3hERa~fL=I}V&e0in(?2`d)1Ay4`YF| 
zQoSl3>|kOG3Vxiz=RZt!yLtf+HN~|D#sKG^xe~wchqwE3$zQbAbv?2h=yp6>pZ6Ko zgn+5N*(I*@*GFrcP4!R5<;Q;%=WoUy)|pjO&5w#6Uq<%9M;Z5ljjWza8UfwC3tg=D z{2*hMDy1vqb3eD)#DtcUvy-na29uug;fo#=o_$G4L1*_GKls%m3^O<9EIvGO5I^?} zmY4Ti$NciZ>^2VTlz@qKKB8R3mxA4RnCEi$cOx(|j96g(eiQfO{;EOPCD5@ekZnf` z-h<*>tayY-LOsiS|8v>+NWIxTUhWgJaRd>>swb1)TMNC}Gnj>4Beq|wuHUw9}2f>jsv&*rO>s}E9^@kz#v!9Ydhc)+FYHNV2bK7FZD3vaQ5k|nlY0&y} z!{qMHy&6qljrQQ_q_%*EG_xVK2htfowLQ>orr(44Hej<1?^CaHY*-(~W&%d-+*KRz zHyhSD`aYY!s67&_S`r))tYj}#iKCx||M2@q zs?>nq<$&x*s?Q$z{ujww)ED?(u>OHC!hJQuZN{s#38&a}*4Gz*ex3-dqO?73#cpf~ z{J!(Jx*L;uEBulhONl_6)$`bm-LW8j8Z!KCe}OcL*gp_qG&^K+AGF`PfGFHU8?B0f~_a*KboOUk4*6;&ZHa1k^%(WpP?{UK~TjS>7tgJZ5CrE;r zrw*-Y+GLke4+|lXjo3Rsx$Zo%?9U-7p37>#`zqK*f%F{#T3*iy>D;-ms&>fw4Xqxd zn8zEGdoz08%5hpSGkb@T)kB(VTVWDi<_H5Ljj<+~ZK|-OD44Z1u`7mI*NzG(Qx6^{hiG#3qspH2w(K)1E z-nd2vz%{bwJaxs4HRgQU7xc^O26%uo*BB^B@F{-~h)X7*{NP7}<3M3O`OtxRuGgq; zZWCZfUl%@XM{z-jwYOe6}AO93!6?>_6dJj{8m9wz3# zlpW6r%{F{iWcN=xjB!unCb6S`H(ssvlMS#<)H?2(ae%ONE5FA3Eydmt-TVcx*0;rK z+BeqfbKO1j{n(x!P%MzS;U9=2P?mF=OR^HMH2Mi?SN7`rsD)m772y*2$TYQ)7IYDS zWj9*37Rz^S;|60y*rI0SiA@BzMwmFJs#ExJ1`TTnrl5W*S_tnU1eeN`p(jj3>mG_NV$!_Q0tJL?4l*{CrPAKn zWyCh$xA!DjxKS)G0a`lvG^;*UzwbJCS9FNN0j1#ae?7Lr8LQTM#>Ta{nIl2an+lQ5 z=0)zrSlKceW&SB?Ef7bWFeYB0H=eU>lIJVV#N60;oU!6Uu8yY~O;>s(>X!s_68m9F zb+n4an(oZufdyZM@ycw3<{s`v^G?o(UBI!DL17+HW?Q8^1E^(;uqt$@d}jXK+QBri zvr>RJ7X27d8keuJEylZsC{VyPkie+t*G#X*)}(hA^CZzCEZk`qwwZ*Z4_POp zWDeZx97~otMZ<2D{E7EgDGO3w$3Phy{=hZMBVYmuaGYJ>@x=;N`$E~nN^Y!(kFv=^ zjp?rs8O+87m9~eipRIE9Z6_-DJ!!St>`Pl5i9QvRZ)dj0l^OE^9 z)5hZ@?b=tsIw%1z*Y$w5DpI3`o2;^MDgAyzXlFtp_>wxZm&<^wR$)4+V=0R+OSi^f z$}CW;<>0#RzNLF+^QBkOtd zQ^WD^KqH5lV@?MPw3_k4^kfbv9CvLdzeAPpQzjad4ez{QBE!}1nG|~l6i6l;%1Lb? 
zc5(l$KyQh}+~S5(iw6=|MxxQ&*ifXzIG?9y@crHts!$$Nsimn?r`2KmoO9r@`eiYD z7Y-a}RXR#%v%p+Ql{~=wr|aF99Kt(!JSJW09dkL}jD%T(1Fn*BA~@x&f!?U_oj8>gB}X=)RKKDLFnn1r3e8w zQFsYx6i{F775-*Fi}l!jujRuhz)d&lA+t>EsFi5qyzf*h=_M5e;7=@eVBg-{_LT4t zB2LnFAU^mZk2&D*Hp5E5Mf65o=s>RIzkQkdOs;Z|e_jIFmwq#<>ozLS3%ptf2iap9 z*qMvvxz!D}5^&&8)K_C&hw#hnz)dV?IB=pT1G1$S;|rNH5Ir9(QBG;GPFH`8Q@E>O zH*#q}x2^F*LrGKMBfa*O74Z*WhBSAG*=wHjdtl6)8HOFPr(f8X6OMLi2@RNMrceFU zQ{;KjAx+$Nl&ZDAo>VDmBkwTdr>};UX%b+|$o6pY-8X&!Tl3j$X42C!U}FGA0OH%&3Iz`3Hc8S2VTUh2A2N& zEC>`QZ+B4}*48{Em(jKa%2LHw;^DnNGI1VlA)=dfMVc#gB8dy)m3V*QXnRYn0t3Y+ zBs1bY%8VB?WvRT?F08^VBqi60^hr=vSCqOaEg|<P&KTT@`2(sJ8}aP00i z$Jo)T!9d18`v3}8l5klpU2|+Tw0WN7G>L|sU-~2E4m@fT8!esC={cD-+k*OIq*LSt zgL~)}y<2`@z(fTjc8Q;T$?DQA+#`ut)$jiE;|$gW^m z@;qMjEGw|nV8tZDlKyY$rwZm6Cg#RrY#ixD(7m*PgkbBtmddEl`dK_@cs%rLpZBW} zEOgd*nR7;cW-moSU1ESub-qCAU;zqo^B9zCAr-}koMR*c%7?ADYIjZ}$Q}rO*acuz z8RbNGvx6+ueo588)L!IHKofo9Yzb#G-fmS%xY8)J$KpfmX8fU0B7P|7AY+A{C@lJ4 zov{!7Nclj?mRy-eVaa(e`!M0SQIovld)i0pDRMviBGEaldVJ!WGT0{%5Hn9LkI`GK zE*L#8kytaFpYBow6{oh`8#m5FrPd~Rcytxq&LVl7>d$tlg)WmS;d)FiHXJT#VuqY0 zI5WV;F0PhH=rp2AW$O|-OYV^>WF92qw;d(OiPAubi-EaH0 z`KrIv-|euEfyg#80N}bJjp9*YvSNOvB}zK*=WRVcoZP#mBsLC1%34dA_tI=x*#SJJ zlDA%M+7p}UI%M5l%Tz!s2^RGLCy9dL2*H2Y(z=$n5-kJub`6LY6U^|IL&k`W+iNYt z&pF5!qL-6sKmE5|dIX|q8(I6Yv*okvOnv*$m)%Ri&~+*k9jb2h8|faKor3%4isL+) zm6|8*%ug zgpZH_{EVaF^y7!?9I#^Zo(31ka6;T@IHDWlZ~EaQXE^?H75ErPNE25cZHwV2H(J)q zoMB?`qLB25jb|tPOJlISB)wr3+E(~+>~HZh_1dQLC;0iAh)_Uoi{mFSUIl5qJTT~R z=%7ib>MO&6r+)Ue7@x~Unb2Ab^?6dM>bAB@{i4_BgICdWv8>J3X}N)H()kA$+=RO(N=AT%)-0$FJ!|H zjcgl*?0V%2FJwP!xXl$Z`ko|mr9UC>yn;y_=s#7ee%upNn zBT4(n(D0;ncP?Zm-asOX?6SX&BMuy&tQot_0bsV%0?d7%yZF6jlKL5Rg#+HcI1%#< zl4(@Dw$2!dU`h?(84J^{8=WX#q~Z_~B7I9hL&Tw|n!N%aLGS+Nw3O03Fy%wsk(5)& z(V(Kx%2$0?6Q8`iq85tpu<8HWl=}dT?~vVY!jbOU6SQ2beKpgplx<>jrT8>jt3*A~ zR3t!_N{nA46KJ7co22F$phK+=dq*y)TVRNh>u_=#RtWeOi^tf^N!zz zs|wZ(k`Gqt_p-hBWu0crDUn*7nA<(5$y62N4lpS=^Z^MZ(Wf_PhhnxJw^6T5*-`h{})f<*M7RwXasK6mf>fc({Px 
z32C86IC#9t1&Awu*$_x#g!sVjEQR{>>!l*YcB>QTx2GhyhTZ#+`YTBW3v~onsn=-9 zA-G8WlxnBcps(YpqzC36&+g1BS8PZYkc#z|AW(3a^P^mkTAL%nbGpG(N|dtt8bvQG zeFqf-XF35ovp2JxDkHTYD{Y0@8djorcw1RDS5l~rO-s*6-RM0n0@{u21R0aHOR~v% zVbgtzztUJK5wi)kR3cc|gLZbnFUKFQkH3OAbN@5=m;O067`!_MVMLJh&##PZh1ss% z3;o=BXJqy6Zo#NOd7&7Yb?HY{%==p{72xqg4$IWUR0gjR${W5~U|l&A^MvR=`{B^C z%bu+4FaavkHyz8L+A2csX~64hT-G(K?Ys`q&)d_~eBOyUznY(ldm?Ny45k6h+* zIXVTICB8+e?kqb|uQ|VuwiQJTGk=j<9jP)}F4{S-+W$~NS5CTin7G?5VtAI%5~gff zq+iWF|EKQB_I-kWEnyog=GpS%S+OIAMPp$ZfRX!)F`D$j$Xifz!0^pV^%zw}P{llZ z_VYl4^_<&dgZ+GXQX-@Qv#VM-CvqOpVlr!4(u6a52K`LwO0a-}pJ3--y47Lm!RYG1< zbg@Df@r5+nPW%@RueaUFsb&4Cj>GCAYM_RC>R7We(?IZ@5nVC@*1b-`WqOeau=r%-!7Sq6EBz6jgo4ELfJkf@`X8AmF~YE zbO(*F=p~GAGMODfxqAt~+imiMYzu)|a?I1Yi_D!|C|9M|1}gU>#=_1!?`&wNHxfu* z70C*{n2MX-ettFRKbZIVC*)Bv@w)t5d~`gt+G}YEJ>C(|#)m?E*4JqE4z}ZRfYeex zt6Av)-s^q8MTvrwHn_2Z7MWeEnHUT{S8`X_^bRx81Sa03ggI0wX`GJ2w?*I&Zr|3 zWEzAEWz}o}_;tBOel_cNO`6WeS8Y$hgFGr(7CwQ$Xs*@UFSB@d@?SH10evf<7$%7G z>s17n(f&R3BDQk?1s6PbiD#`$ot;s`sL1r?_e}nYwgcW-i-vS=z7{5j)emiMI%~9a zmqc_MXJHI7Jy8W$F3O;9yc4u9E9Z=}1TNU7TtT~{&!c>~eVxN&urwL2A{LE zVbT_{C)V=uK%;dMTd4FYE!iQ=R7CfTOj4PqnJxS`F0l|taXKgAi!1r_ZeIR0m@*=w zqlS3cTg>A0-MhLE$pyLKlA(+ybHTT7@FG^t#K1oN=-qRtZJ^Vm)H?+d(M`MC zU1UC_7AjG9k4}~Ka~WpW4ty`Wh+IDf>aks(&*nFR-6n*cIziVzz`P*Ep7lfHxtgE; zf_LJ!A}0$M{41HUX_C3}9vndrDqz&Fn8F@*orF3!7t>7mZ!L!=Ej#YDPM&fdVj>Br z&5z=i^X>w8Bg~3jhke8>exl}O{!US?gEcQaDvMLOLi0dE*TsT2!dj`cm_35w+v$Eq ztQc*pyFJ8%@S~;#Qs3&Mq~47CmhXTf$usWIP^Z;dmL1dMpv-q;wk!fN#GrT{?QhpM zfsI(l5mV=Q1HE4$$N2+hlO@4x%}^f0PX5pB=9EfQC{I(-Pamc=W+7+6Yq%sWwg1B{#wBT-w5683eb>V&U&Kb%+I<@C_wI|!QKLAR@6My7ATs>H5i^>K3e|8Wl z|FD1W!y=rs4>=OuE(tE&8HIk)!sglJMznQ#XkH*32tA}X9TGZZsJlZ#31gmJY`lES zeh7K`ih&UktnGP|7_$b_upNx6fQ<~uOfY|F2g!`P7w7n%BqYsVr{@^q2)JdaH^tmEa`>HP5T)gE$WTaQ*|n=v3ZTD8TwY|?UKPlJ(iw$C|5^elyXWo&BLs^V9h-64f8Blx^w1U@mLzC z#dVb9Ub*jOMR><3uLL)-L7mkZX<^^p;a)MRthjdIcT7YG;^aE#2@#DDHV<^6J1PpE;;ho-)1g++Y>9_2&hi@}`(FL{C4oH0T zud-oA=m+{h9$N0|u-R5YL)g{W79|wrQq=N2BSMv+X{8gH^WDLiHC`ZFPwA$_b%a6H 
zR|-yxPSpA#;&??!eSO>-p5xK4OJQZoRH$^*R1*oiA*NJ^yi~K@U?@RQn2IXy4EPtp zaI@r=Gb#Zi*tPq7a`@ts$gfAXO>)VY&+)Q<7mb1{l@>88kmxkC>77%Bh!>hbM+=5*jEwIYCK$IAH*XWWc3|}}0q~wP|6)MSyP}*{&QF~D^(5P}Pfi~785Q<#ScDLE%*7p-_p0`{T}Tcl zfIr$m-}$?g+cd(pDMoaA>2GFa-Sa}L{p~mUe;H??kGfw?^%eV&zZ;ADJOPtFX-1pP zf6;bL7O$(~hubLpHyB4|%t9+yngE8J6@1p z>tq(*J>_uj%Ks;pLb=nX!Qozk$|n0ZB%)92+hl_DxluC4l;c1D3Ur>{L&sfoT)#1C7PO0<_saJn=PE5 zzlRQcQ0R&N!eoIh(90-3X2mg$Qtw@FF7BIGTKSp9VPa{(+!PmIo#(ZMd4gBtIbBMN zuM9h~*WiJh7FI6X4x*2gq-pCrBIw^Lx9^*c8y6``1VP1+a>?^TR5GnC6k>wTTkH()GYAjnx2? zuIf=n`S~!65*G?tnDh=iD4TYComxiIjIfM#7&SnoDIqe=EcvFOE`NiP`Zf!!%`3Ar zqP?+MZ4x8YKzgaLD-G&>lI5RvZ|8SZPvIiWU#htj4lDkh-69IB#2c1?fci}gJptYj z5)?1;1Jl|W;n<1u4aEWQleCt3l2^!Rx7tUk40y_h@J59^#36@ox>?AvrROtpvuw>i zqFy`XXK(()q|*xHY^z|RD@&fO9&+mO23=J@BeTuI62Vv8&f7k_CeEJtp8A z=QHtkI0m-`sJ2_JB)v-4+ycapt5*gf&omad&`Rew`YQ9&hP;SvuUjgE2)3==>N|58 z*1BVxZ=86W291|#xuV!EUoWZZ_?k$c=LFn2u9^F=dGR?eWWNXz8Q(FP(V!)kt|{(< z=QMLrDsleiM*56mCc6;z7u&kh$xlfF_J@2Lrz@=mnB+CE5QG0jZu!s(oEv+FLCtiL2F6p7jpq|VakHWdFcS?o|i7*LTUuw@EBvI!LcHDDH%zwUr;Ao+bb8pdWg0 z_30178qK)tT7y6iVFg%FjW+Dw=lKvkTYlFNIf{$S*fR`W1HZRg>DhehU(4dxm3haK z3#;Kex*9qVbM6|9*)u(W3?YJirD|1arkE?aqOnj>WX-(-XjvPY)vN+MRgjT2J79NE z@!}(aLgJAw^r$Z>torK$k5J#JcQ=LLXdop&pU24ErQm4Ff44Jxd!^pncSuRYtD6xN zp6ijF>QH_Lw3BvKn3L}w7Exnkm46>t<+k!qBS zG}Gh*YB*^p?bDk>%vVfVLk}>|?0p9``=R>Y$$z*QG2zj}(QTZ$O3FIs-3qol)B)Hf zHp5DaD`JWT=oHqhBys-61Ts#U5)70QYsdGQdNGMEJSjoS}@6IN2F(-$G}U+~1WUR?~8jHE|CXqc8n_!nPy;$s){ z3b4$V=Rm9~R7R9S%d9Rdkph!z@?+@q4y#}xtiyXjC9E>qu}k=IU}p;O8msk}AZ|th z6ZF?8D2IMTKeJ!_4vB&Qfjk|4@jMMZ<`A$=gBz4XydtBZmS~Ts=pj)j{N-3U z8bN47i`kSpCE$YYKp2}!L~$B2_n;B^8yWkH(B?H^~8(E$K{*)HTq3S@)20 zi;{-6JCErSm!?0+3&mZuu3lId2r2er*yeJn27SvzY$Njhk@4OH!-?zd8?$U5tMB9` z%ws>24rxUfKC!q{Q%U_j7swJXXv`|Abg~x=(W7LZr==^nT*?zCDl^SPgj9Lin7`wf zT1JFq%Jrp^sLHVC6oMWBzC$GmzNYWqCVZ`8_Vd0UrFw;q*H&Lh4G+Z_25|7)7pxgz zhdBQHEE8WgT667_lgchJH8e=q|LjE}(-;X)fKf3n1OqdpsLUzkRhE-BV^%2Sq1#a* zT~~=oMfdP6^ey6ld(W;+>}`})FwuJXJ+(@4-LeKo9xTGgg$0ZN~19m 
zETK{MO5z6ks^-R))Jjti*Hi;M@Y~Kqoi~Grv$n-m63LmCdfeKoJvf)+IsDR3>z9K1 zeEoH8eltj#^RDFx*AK)OdR(*=hfL_7-Vd#W`hOrK4rv(g=KPvGA97CbeL;Il!dsMIv2 zaQp+!+@CX)(h9}%=)=;7gAE}Jk7OCL@<2Oymip4&Cb4}$Sn>KGs z95X7MiIFSRAQuFrZ%pG?jUxh^WOCn%Qw}jo&=8?Uf7P*ECrCo%(LJ|F6$Ix#L@Mh3 zp=azpSdndG-VBr`rIP)^aq|{7`d0xrYFd@xreEBH;M|yvINrngOjA2|zMlIE78ccO zSs#JNq$+^+{NTWWO>e@Hy?JYlyaXfBiO26u-J63`C0tTU$ekFwfd&YK)V6d8!eOW+94mw!?B|n z=Y>w-!)5g^6`g4ohe7=$0l6TVyX5q-r?N%$D?+ctDuV#29f5kyZX(?uD@h6=kPYHY z-;d>TK+RzpUFu)6+{qIQIx$zyJt`|l*d-X?;mc#aA+DCd@o#*@9` z{us|>+g-xZai4wMNTpA<53OFnNZZ%Mzh-}9p(?=yXu1xFjvXPf5hvrI8LEP%xs>6g zfs}_Jc(YGR@2b3Jo$Q&(Brn3FpH9_+jN)C@0*~Nbj(N%Y>EbUqpu3%d)re1>jnB@Q zHF!+~)9_G2sjcJ$Q4MoZR^*0jOVLgKw=z10e#F@j)yr$mMVe(>nsD~#50ru%w zZ8PprOivZ|$@wB;(F{!`M@nP=bAZQ09KEmEL%XFf^SPau@K5~eL9gGe7?Tz{5j>Nn zSgcqe9ApX-(!Ib1xXM0Z^UAr6D;FExDm|(vm#d~%dF0y6Yks$*{YoCOs9W0pFdZ(- zrZmUJB(ie+OXphP-HsyKuXRcmz|XEO2MigNwnsyir=+C8b(XW?*Z$zMa(EBCBSYOE z9`Lr{@J+B;{s0}WgSg@uxKc~Uj|y6GjuJEeI@Qa)1; z=iq}5X*6oJYBM31K2FVde-UY*tDR-&uw8k94jeY{m5ws)S3M<;Au^r~q^WcI9Ec6u zOQzQVG-d9|#6s6R#isQ=JcN@b z%beU%AN;wdfPpOFYlADWac0dGvzDR!2+u>g&eew|i>8cg=R^Q>_)o+_dDWKy93ttp zl^fv_Pk-4HQHxWeihNaHSNiX1%qL&QvEDVY8L{XdD~DE=>J4wE5Vv1Zw7hocdTtmk z+eGiuX6Lz}naryBn9LM9G(6X4aXOzon?oe-Vg;ydeEc}?im*|@Mj#j8(yPtk?aO?E z;a^)42|v7vl0szM1pnqE&kxS=ucRyZjZ3F`=xBg!L&?$0g=}C1C?CY^1UPY2*IIkd zXF}b0fIqYzhPz8bfr$US&SI`P5k^Ts&(^-ncWoK$*!~2KT+Sz@yLUfRQWx9NJIG(l z+jM9<`9^SEo@aA(0KvAkMs~P=1%qzSvZ|kITY}e#`uD)}s+AwW!t%hpRH{1XLc{755+IXs!sptgN7=AQ7?{sW5o?{sk^z!KW7sUQDhx zq=WBCo()>S%m^uhqmD?HS3AHu-?*!C`H0keso^K%W2;ftRdwg0Px^T;9YQfL2mN$x zCvWX)j)*zn(`E{gJRZ4$dfQM`nk1h2pRbEE_51}*@EKYjo<2XW=Gk}O(`5y+T(~Xq zFYvzbj$DH?#xw~!eG%^q0S|!sHE{I!{(MhTLMa6yMEZ0REiO?m$x>$KQ6l-)u9|O$ zSz+m)q7%)mPK)@)wR1Sq8t1jr9g10}1)&jI@O!6~Dp{noJlcV8I9im8ZrT-7S;{k!Xs*b9V zW>@Sv!xq`jJIX`XD8L;?l`T%u7SBgOp+oEdawb!Ax8~JPiO+)}I6#DyWuv?@tzXkD zkvh2ld31Ckrjs6orp0~x(ISPv6e_!KQB&Dnl#}0Vq4BnG`QCwbd-No{+LI`A;+BuU zUg=082Wv~KOxA>2h_DT!13vz7ySQXLyr-zig+2mg3$(0?BnB9rkm}lNtj*mBOV;{F 
z89-!OqNFMscJx^vi8SZ{P>p8_J!4bMQOVXS^=#QaM#t-*9Q6ZY$Hk;rEj*b$$Ctu9 zI}ShZlp3kLUDiJlk5fx%K=-ZQMQ!F?(4G%KjWE)pwDC=TYWh#A#_aC9I;ZNX`}1pn zMRPRv%yFHQtcJwpUx{R{c$yK?8;ghxPGV@Z6~T1pd14V*pS=3zQz$S#3G()7nX6j{+*LHPPN(o9 zTxyWWI61BN3?($k%vgT2UVi)6g|Z12JA1?o?o82lM4v3;-}nuBT)Z#iY-c+i;K5e@ z*g%e_kpE4J)|nz6^&7`4fh>l8ZTv-CZ~yxnjTzCXPfKJFL+-FlvDSc>zMIw&;kx7m ze4Wyh5vl&UxlNhf!ORTMwU!yi)^a#1yB3Sko9jKiSvH)N)3Apwj09RI# z<5_seMn?90PU$*4#jL2=;B-Hx17#Gi+@gED3vq<=YRQOQw#^-j3#Ble_M7~ zLvMx)wyNXBEUK!p(@@(zaG=NyA#XVJMDUnwG~yKT(b|_Yxk5Cd(}1nl{y-Q3;fGIS z-&IF-ed(vpjQM?jjj1F=RVYiV&DbV6B9pH{#>F4MFyFF9cfJ)*GR0UpbvVAabx*QMaQ~q6frjBait0RXZ*thJ6pW|5dgu^heH& z>ahc7om|bX!jVDopd?qczn#2I)xtpx%lwzp{T>66D&&>|%ZbmUT#l(A%k0WNf%iS& z8{H>C^v{kQihv44IZD3Z`qaZ27fvs(6Ug`xF0(w}7d~iQ_^feezM4=h+ z=ihXlQbxV~dO1fwn_A9fw49Q@qBAf1@=dslx)9Sls7$(QQi zQ2`NKaZCC&(|lQ*EcFr5JPxDCgG@~2%S25A1adU~!Q&=he1b?&3dJG+HwmRHLvXSR zeru8_3rY0*^p6@cUY6lDkpK7mzdL#)-^Jq8z0r!z`LhZ>SKA4UMwPuubd!9#d2HWX zJuQU@_=$V@&?_%x26*C{!#HrRx*rH}AwShWRxA$U&+|l9zmc5&v~xot87dwHFJ?hX zIQ1n0>!UA?x|5V;6I(J1BX4~LuU~l{t~l5K-uRj)=b{rtK;Dt{x7as4MC^ zT;v(^0*lBjVQEb+?W};e&&J5Io-3bh)DNI3#A;e7dJt?#HS(tXifu^WjWKl#PRx!_ zltyZx09u#_1A7FFrlt8Y8wDreFqFfXREkAu=VzZ3RrJCBcM5oAmB5S3dAuvq-zC@- zW3Rm)zYE3~cER_HEVRHLY*aWPf9>Ov=34KI*6!GbA3ZfNP3@lS4``1!yLV%Xn^@9O zkzF)1UfS^^Q`2uoa^6Vu)zTle^Scgu4q5Axw-k{hXk88Nits)VWtIpor@G+U%9k+3 zg*VIg<4=}-ihN%$?-}!?w%0qCN<4Hgkf=MF@n`Yq1{LGaI7Fma{Sa7g)&HL6Vay$s zqTtefso}>0xlg|qb%o#4BG-Y}yo3Yz3~w59*N`$**ola5|5h6Qbx(=$|->yvHQnTxmK=gNoEj9 zXA+DYv{hub-`jWLxv#;GSHx9K@?e`;RtDZ;;0Vi0 zE!GJCIz|GKH_`}3Re3MHnMs$4hY74XcS8#k0#k_0=q}zsuQS&+%KwC=KLdPK})J_R1IhCezTv=-fdJ62a^s07WXM)mTe zcb@DZ+9+R8DnR_6NS$}01@k##PO12-u8h-2J~_^~u`9?_=`naPFsZ(hR#0X!;}=DA zlP5&)f*AkPyUxVsl)TYA%pe?_og$*lQbOw3$xx0xEQGFPQFQ(LkW;CaX2JKm(9l>n zFw~u9z*R9>%qn5%AEFmJ%06wLyK6v)N)h>;)=M)L(-r$3d9J!Ym$3J#7?Vg81%Gk< z>Lz%I1n6?5Ij%Hcy*2|iHB0R2YuWSFk|@aSVWa#t`gb$O*A=4xyC8Hw3ypMFP9l3@ zV$=6(i1j=qLuiNk3pP|ZMjd-TmU3TY@f{(grgRG$OSCIlv9qeRYrPMEL(0X#;`s|_ 
zza==bfe4m9bxcxY3+P6NMQc*&FsQKcnZKaqh+lT`RU+vnlw1tk$KWXomAM;LrBSnZ zV!Qj@)+Q6b_l#U=sg>kT6lSOx@)hX7bp(+U!j1Di4!_$29M{UJxxZZthjl9;`rucL zOTe5__GJCw@X!IXkPI1~a+>hv-PvsUY6xKTN-5Vz{uTHCmGmc`C@-YRO+!V5#EV?M z*-3@Ir;-QK4)ChYb_)t)#Q3FH#vl$t?W**5CbleHZ=bC2idBX$aJ*Did0xYz7_LYZ zJ8vMN3^vG^iP0ES0#LW*aTIi>RQjqoS+kN%Hl_?*jl9*T2s8NaOiqHXH!GH=aMv=; z!bK`H6j3I=NmwbiC%6vRJ}Xl_1JY1FfpfP9Y@><-%zS=*sM~V3jKBQsX$LTCg=t8$ z@hc?lYVG-&**ZAWo&M`<+^>dp_q5Vgq^lCsiiNWkCPXvZE7Jv)jGgg-x?g7drZyp^ zQE9$=B(O7S#sc5FBZ_}yFO2VZUmkXOl*Iu#WwG^%W-`L^;@IEVk4%@mMYEcheKAoW zJ#&y&qE9K8njg~W^h5G9+bPGI&yp}VPx@_t~8>y+B^pKSA zQ3&KQ-FOUvfi!L3=~2Fmo?RRvG=ME*DiLhuhSxv-x8hdffsMZ_&WM2gZ&tETI!{qy z7Jr>x$3j51Sx?ip94DV{t>VvgqmwLGoiP`|2k$S(%ULuV8E7h6cV6;iwI%CN$JS@m z`KH|j+_oZ*v&J?8M7304*aFLu-n-9;h6;$9bI(#}64Y2?6g#@5__poM3lN z0E5CfJ(=Pi4~278Tm`%QE2EFV^~%bdoT(L5D-|$xr_V?9T?5N(wO>&dUpCN^5NzwB zeFa1*E7Hlc_Vx1wY6nYjfhKnVfq?oyDH?nWBv?oL6vLrMvi?mqOPJETGBZs`_~E&&07dk*@F z@_yfU|M%*T&2QLi&6;`US+i!ZefHTXlqKdZ)4L7C18v?9yDTO*;{$1G0&S_6CwGS( zHz~sVuGV3i51#nYvz}QUBX~&848*-}qLsQ)+T?`#5+0)N`}F(B0}OE3^^tXKX|f%p zVSC<-&MVB+qw!d-<`yBAXQ>It$JN^RQ|PliEvqePBYtk3Y(ufB2+=qbg`jfDs^rj(E(M*{NnB``&~0Gi~w-q`AuR0zuZ zT|b0uq9_lEcg5d6tp2EM;~$~$G-LaHwCPHIU^Sq{9zQ;;?bD-giB3iB$I6V7M#Gl@ z321RR8t*0ZH#&v#K!A#f@*|!1iL(gvJYUVXbaF^b$OYV_~ioP4d*`wk*-;i3DZD>anml z5DJ8pYg}(3sxeHkMU5ISM6CcL;S$Ft_Ko6G(p#5V{t{=0Di!`1`@XHeC$^HBzYev1S`_z3DNo-A>H-E2uYV+baxPGW*>~lbf zA|b1(t|WdnMor0qmxZUy(fEWX90JfDbPv6N)DM>`Y&Ej)qX&#@F`^JTomlpG<=&&u zc|Sl3_n3^jO>~drjCrRuQN7w5Cc8(r-ZtKJ1KF8`FRolTv70POgGpW}nZ_G61qM2Qt|)XB25O0<*CFNSo+jmULVN*e!E?mxrglHY z4&e<0&}jkbP>TJhQ9eNNp6blPrK(E`82+69w!T8<K6&z;fx*4#?%z0P}!u9ECs< z;3AT-)J;x=Dz<)WLH!K$t5T0PGM_x2wtW zN}|*^TA8xem~~OwJ%v)aFH}gHh)hL83!EiO5{nJ7Vom$cSUdXzm4?`k^F|jjtq&NZ z9pXnE*lS%ZBa6>caq3IPCQ1*!MpRs;^a`s!^Jq=1Di6qiI=0)%QPXLx&IFnnsfNZU zW8bY?if@#mRfgnYv`ZXRB}yxII4O^)Mq6-T^XZV3ge(@MB7Ccg6&wti@f-ZMo?jNo z@7B^(S_?jG98c^d;de1Lj6je=1PA?ipDCi3MM*mAhiCn`2~FujMARWI_U%XDr=93cHYyo*67ScC{REpSHDAkvuDhkQuSN(qOL;!#{_r}(HTkGz 
zdo8W*k`QFc5PI}v?z}K|SXFy-{Ok*hiFB}bNbnQTy#gp4o@P?2d^vJiOw{?;4S;q& ztQaz-Eq4bzR8xFMgwUfepm9&WB#inDelD1(d#=Wl`c0{*@GvI`qw`I%TtaNO+oBwv z3t#es)kOBu9G>tXhO7(Lk&>%S0)W`Zr1BNGvh^xl$;lWzk=LMw`B5O&ELnNn>l^?T z{$!#3r*Z6l91AO|uqtB0s%OlB4{~7QK%*x*;02oCyKWPhN*T{&Sg9kIU(>#)B(EZw z^1|32dM&D65*pCFh{apJ=O<~JRyOlU*;esEaLXq4qVp2yBftdmm>)sKfm0x4vi%H$ zn9~JH(|+oQZO(oaaL9*krDt6*L0)K)tY&;Lu}`uLQ9OE5qlEA1(cbxK2QB7jTKr(R z6JeU^(|JCiu*KDq$dpU#Y>c|Gjoe0b1>EX?HNj}>pu6s$o%)uWOj%~?-6}H~-e6HA z!;)xR%vsirZ4LIhP1dz1kNmn9;SGeehoA7>vh*wc$Ts+Ji<&|pt9HSo0Q}r zOK9zfG;GXYMGa@-Tdb7Jqr2*EzU5+De5(m;?@3#bWlS&8?HU#T>^Ac-ko9G@qgKgo zaqUdJD`>|;kl*ReCK>gBHoVwQaQ@omCo>OV)MlL&f9^6<5aXEX3kr|SC=P01@GpDb zpkxIXl?vk~N;PE*$)_QFlbjG!0gWaxP$D|>sqkVBwIXaSZG!JrLs`m7bT4Nsa1P(} zq-gt`GBth6D7Mgm7AMOywW@&`U{aq;#RFVDe1bOw0*Z%E`;y;qNd5#Nv3SZNQYyxC zQCy;q=#69?q^MM5&ch}y6M*DNKU^A1xzj7NOB8vi#oz$s0z)J+p`VG2ffSZZQy)f@ zCD!A4e6n1%ZfRA(HaoqCW4UDqlKnzkPHIWDHq>{K-*4?WXr_s_vNjvn~+0X<}h(P9coA23W1t%DnuRjP~l)!QEW znPjjcCoZT_d=r^Hh6ph*ta$h{HB^3Ms_4F;HHj=ApI~8pS?ST_mU&aDE{G8AgS<9) z(WfLWDX3_UIkE0V6(XgLwkibFD1+%56JkoiXK)sUDFAfa%GgBx=&R``bE^*xsUro) z<}={a>ABKFvw%Y-^JX<`6V5dr2^$Q5wSggB@;|%(4casUad07Uhq_X**hdB ztSTu(XZVqKw`%vq9_`CR9l!^B{kr7pi=u>AmuIsrlQdNU0_i&0C1GgVBTZXJPbFX} z=`D@FbvfCli|rnMK}7=9I`LLppWXHmyRIo)%FLS{k8;)%OvEUhEAA7v^elG2pXiK< z2&H)pwh%=#r^L8Um}PREdG*sW-MUSyPClm{{OWjk51&QTYhIh6Q7CZbGba#&QPF}x zVM6CzG>g1;ox-o$xF9t&X|+{s&pA=TAhBUtv%&AC7A{GzenPRXRG0gL)_i6#fsO^{ zT|>!11f+MTNu-y1Mc$!fIr{7h^VoUC2Yr+t{g^(BHm#|$1OaebF_6~SKfwrMh#s?4 zQpNwQR$aXs=wbjj8hskWK?e-~Mddb>tni&uVN!gloWhZ`B%R3ty$@ZU@v$%C*|XDg z9gafhM$p>xFvp;^)=K<)M^Vq4XGX~4^XsAObK`=Y*{#^~ITl{lZ0{Bg=7&L4bD9BU zP#;V#tVU9SXa1mFgPzr(ks>wKB>ZHQW$1)zqkeH;D%}!JX49A}eV8F77&YDSm*-&{ zp0A(pZMy47v!HV^U|Mur&$?u<4X>($@-I#o6DBzSYQDnjH}Szv=uy~Gulk;@quS>n zx*g0T0Vwt6=U1cfS=?GyI!P1&R#iEijjZsmc{-CX=-eE+T>IP{U7zN1s+I*^pI%BX z=F{o(ODeP&oAo;JPaUjA(tu69UOjH#_l$IE3Qwc~8}&LwdC~>w*CCoGB(8s@kH>|g z&EOSz@h+aHS;Ui+RaxP7Z3dhLF)N>{8v>DXyv6nj88*r=59?(O?3VhhAdRq_)q+Jn@e;IM&P4 
z*=#AeW_R8Xzt8E2lS5-_PT`R`7&m*~%TM)gl?(pG^++cl&aafbX2=(JrRqi}lCM9~ z7uZ)=s_TCd+aapluG@sRcHS}@w!-H^Oe zx$v=e?m~7S+1vCy4!fQQn`Nvn!ZE)*LjO#D)+49!)UJcYR)tZAeWp*SvKVbqa1W68 zt#04*&^a|!i19Xnb_PKuZ=)kLUrRT2eOG~@jjfFKrJ4(Gnu4QuLh|^Pn+8c>J*M?x zzOlqyV5eHwru0smnikTUIx9|KV>e;ODyvHjehxjpvdP)V;+&aMFW4$cULSucG#~$U z^-1yXFtX>OA3k zIUrtw&TC{Wj3jle_Ih{!36At8D2r=OOdIy9UTXXIpJGydbGOt~c37MQU6YuD8-iwL z3V#S%WedV%GwPG4JhT453HY3(cH8{|f^4bR3?x$O9D~JXpH7{TODuLyds}3}PT#~{ zNR9K7NuO$$H8?Vslz7QL7P$^?ozF^u(xp}G2 zNRQcS6PWI8<65k3t)eM4C?#4iLy&{Zq{2+P?~*HE6I}>;5UfC}zYxEeG9%=|5%eja z1)KJZKAYI#khh`C^vY9H4y(-cx07@0T8&ewI$OQRHo!xFSEJ?~YozkSSuaAQHJ*OM zX;_q}&*#UZN)|HNzu~)z^n4mdoKm^)Blds(wKiQkn46B8z6@N9Ik$1q&5FvTy3FUv z$eB&zzpl4FK9)DJsJ3K|4c}r?YiY}(NC_1bdANp2gQ%o`K>v>9W6*5OM5b^m#6*=Mg=>=s zPDB}q$85SBk_!aarS<;10MJ(iNjbj{M}nITMuANQ&poUnq&S-uSQ2T_(_VbfF>&0; z41301*I33q2S+ruiI8}HF?jGUKN0`C0|5hou!qe@G0h z0DP5yiXTYK4SIg7$_q)tr(Xq8Z5Oz*wMK~)UNal zoG~MFzAgnPSqVg`r_19OwjQ~=TD@o^yb~f>#O#0@zhzJnjS+V7gW3gVHa!V$l@GlB zTdm~CeG;S9_)5jRDrZ?f>;e<)Tmx&{vxZfKu#YoWjne6UTch)|*^zYlAE(p|;#qCP z&$`+QjSW_vBnwo?s;0f~`5+6uyHyNeixazC++No{7bQKRn&C>wVh(V~WFSBtZFK{c zs_+}#p>I_$ix;?P;=)(lW7lL-@Y3sSMY50r@bSA^yK7lwm1&?T-FCKtDO*j4?Z%%g z`kPyGu$Q_y}GUiBUdUrt$RU0hpiv5Yia_~$!1T} z-WB*1xXeZNv8X~eDW++C3@=zKtykn>jxDIHaCq+AC{@Y1hLYo`20O?FIo|GSG zQVqv;+&*DiXCQa zOy;?xT=uD(*gRLSC*F4^vCt+?lJCA?0!CSnRW;8hO&GyTW;-mxiq#=kl7{(RJ>2A868Pb)d15D6eS zMhH0CHhhS;v6`&bsdQbm7&CnI0Id9wmru9e@2O_g6Pi`SlnN#sWgsW>TU`cY?NNAc zA|(H3w*`GYaJ9`B%^L^Jh|eQ^Q)aE7b*+qLQ#0I8V6WV|fUlHvK`xMuFet>%q5n++ zS>WL6sy*6mHN!v1YlT!w`urn6{q;MlEnJ7iP8mFO@KUJDLnRwfri(MvoI{Y9U!0U& z-T`dhz0jkM2S`kM6G4;zs%+4MAjyBw8MM27Qy?ekt)r0n{-*P+?`nHXrgWwV^bC2; z#F+;jwYa>D`fFq!0N?HWC?tsCcqA?d&aJgr z5(llzWQG~Wvmvu#Cc?1FINECn?#m8+xyWxLF@G&8zHJeh-Z%~*uk#?0*FaA^Uo0kD zDVZdf?uqpmB`_d(+VfT3qUzHcoL~s1`O@29Ldxb+A`P2^LHZ%JVx>iMkAMco;+!^U zkM8Sz;jX^J0^`TPBYR!< zeOs=*Lmz>bwbzRfdF>%mh8?tjg_90os(CAOn#F)GO!boO0LrYcH0{<;@>s<-)??Q`_fjg#Yx7YD)OR42m?-qWtW$vtab8{YTc>(=5&dKaX3*M(J$8K27V-( 
zd+@}G(#66!@m-iuCkxgwU7oO^?oG(0v?AEy8Hn+D+ zT=2z>57h0^s&xA$J0CS9kkP1@Wh4b-%5tlvH)Op1{Cl+59ATE^!BYqnLj59W3O;d&S zUj5^VmO5L;HxYqW{;aREv$3O5#h{ue3fr+E}VJGhsBoqkva8O3Y{4w z7B{b@>}|E;RYqsru6KB7M?u0d(SkV9o!j(+I*H`4b~9FoXu>b`d0x?Ur@};#hgj2~ zEE5+6Hb2UW5unW}xh!@5@EKeP_-Z|m5p^QF`9u>^-M>Cz0?h5DZ{uuEqfc}yp2$?w z8>a=V?ah`P{4ga7V#)EeVlZR>HN~`1jM;TCwV7JufMhfNUo7I{8~isr2OJnlTZbF- zpM@&KdPc`E6b9m+cvDEs5)lCd`q-6FpYC?=xP^TeBXm~CEhW^NbTOtucIC@~1h3C9 zrwj!zhp$@@Yvhl|Xz-H{sBw)9vLY3}l&?An4rg6^<9&U;k^tkkQD#yXqeh0oiM08A z#pa_fs1-E$YD9+%Y06GkFLp7y$>~BEfy3@tN>oO&xsOxEarq9m(Ui7|`If7hMXbSp76vXb=a9 zDF=SqeDMs*;?RHa)tb>T^smjL38vvT;+T!qs$vFhs0I|NoQ3I%8C4#|{q-*q zjg3hoKw|$4wAGVmaG^oMw_8-AlXQ!P1=8#_&cy)^n+fF)DKkw+H}|;Q{$7szc+Nf!<3& zL{CDuapq1?)_HCxA8%VN%4AH0k*_P*EnbjYUirq0M6LNcO04vpO%)Ac_{qs_#HcPm z%P2=AAO|?pNea6I4xkxL7gP#dl5%r1#0bjLwc4$^DpxZ0VG3JH#>sG4m(Ha6?c={lCfa=C7C>Sns2@o4M#1{9dvo-pZoDwULT?h>=60XgJlXIYNO==jc?~m`+wtKTYV^wtPRa=PiAQ76 z)WWv=k2p7JCwekz7xM&Jk%>8OGI!tPBP&x=0W&&{3BflTbUz7h0uA!#-c1l_Jgme6 zXDx(bRO021cMEloUGUR-6JS^Xw1_zw$@M~8RO!Wmnn=Iae&IF^q_bBzZ5r)`^d{5_ zwuCjG8}z9P9TwF1dP2X8UTvWDP3EX+8x zgT39hBXTONJ#~oQadtMRc>2XAm%yb}AFm#q5bXK}YvLKg6Nx)tAFA-kyd5`Uk=%Jk znX&5b)U1yyg8S=2v!&5+IKWlF34}xSH4FCJD|Yo<^b_DoJ@7(J^o@0gPFpNP>L_b*Tb=#7FP=YZ8M5~lQC?9|i&+C*IaE79v@EDwi-9(|l``gkEhXs3!u_HSXyi6F7 z;JpV){@HiLL)bEm(dK;bC=gX=BXStzl>~KXSkm1;g0haQ!4oKO)|q2QdIwTZ23AiT z2(`E^L060F;2(oPo>eho?HsoSZAdAo3_MwO1L;zLzi|E*Gmz{kn3 z!a$)VgD| z5i$u$%t|78TlHgv(QpXcKC1Khye;TZ?w+ph<(41@j$FFM&J;XQsQ*(=nTm5ol}2k@ zjBM^2*^;P3n)oZeezIR{G7!I$%x$CcA&{(K9s_0Pd_Yz_N3o6rhmE%=n>PMcV>qR@ zY98+uvtE2UCIe&>Pb_W6^@*aOnCZ|KsuH~zfvuFKrvNRhQ$+D6&qY|5O1 zb9m|IKVTd(f%Dgj;j>NhpZC$vm;ystFJCMebm~ z^}1GiQ4(Z;uE)>3v~P&CJ$hLyjhge4Zr)%MM;c^-Eyb4Ml6OP+<*vfT+n-VA4>7!Q zAw8STa0<;Kq?Ig!P#Ld@pN#TySw+Qd~!R596fRz5jhyS7u^1cty|H%iw);k|g{`;Vu7+{Bq zeiOxG=~n&kIr1}DKP~xZE}5xtj`<*Tlx@GD``SRW0hBS?+k8j=9Q0q!Ks+LG zBfqsU<2OU#NLKE}^fp+Jx0rld{}1Zkfu!In93nw&dH*sY}a%^~4Lj&K9X|mxOuF+3z>p8M{c51$i8iY)qB=$j(}* 
zlqg{$e)26{az8}X0EH)kK-=^IMxx6(2Tc8Exsf!?rm+QWTt%(g40cc2OcIHr%@KrW z4DI|r=qyS8AI_elWcfHK_}L1|3L;Vd(;pS}&8E!PWkV)0V0(;e0m^DR)S@>5F)R*O zw5fv(faak^kRJ>~Huw+9M!mGELH1w`p(xOZDLpLQltWnlRc)&c&>rmO zju;yFv1(FweMx*B;ew~J1o9O02MS=3k~1D0_V?4Vub^IubkW8~GD4EPNOX3$Y7#M& z)$(~lo|ki(aYP&b(r<0wZ}k{_xOEZ7_I*crP9oAj{skLLBU*qCx4Ns{wCTb=_M0U9 zQmjq%MpF`WNCf+Kio2gW$GEUcE6ySl*Td`%e3VTW=0piPVBLen{Fgq*{ zGr2G4QX~WaVIQa)SpLcXj=zTmL40e*FAy1%Du)K%-NiN~*->H!WVhr$-rh6H93vhjtko?ozi4`%&)B6yEN{ z;J~}v`THM?0vq|;TkfU5y#>p^O83i)(&Rdat-h$*m;(m`% zD1Q=)`^!CuLGnL@%6l=0{)e;wB2?J_CY1dh#<$KY{za(vd)|WNJ3{?AEEr>ud`BpW zdl3IksQX5NbmDGSiU3FAH&{a43h5%)qfA-zX^5UD3E;Tt?@l?LGm4;!tN0YEZ;%Aeh*@h z{12hBUkt+k;q1Q%CHFrGm2xjbrTm?tKHc*cB;OJ0&tbtBgXB9xQQd?1Z$jNS3M}7w zyL``EkbFld|9f!<$#)QA-h&t<|3fHFF-ML+Y>MfK9P|erevdkR4~aR@8Vz#jc8vxt z!}rcwQKJtf{@1=%f4cLpuK(-g|I4WVtLy*&L4Wt$Wn91+nEqdR+`R7|BmUz5{j-%h zqI~ARL-((&6H<|aR`cU_pW zNP?F{-!7O>UpBHDqls+6b0&JAY{DJ6{P(?$~*8wK1`?cDNH> zII(k4e`y{TUZQrqX4!mwyk_q@WqVWWc6_>aXx16Lr^Ok(S?D8hS#$1De!af!x@`;a zn!VocI8JSJ^Y$Eh!?4iZ;c0icYJ4&?G;w)3ZXM2XHcxcEx4*b}4Oo>I>=;Pv$VO#~ zqB;*Jo!c%YX%O-eCJzC;2sj;|zfK;K7p%jvZEh00KI}2xZ*qNowjj{c#2KyZbB4S; zHe_=g^se=#kAu&d?D13s>0H_?k;$7BS6kA?FFpWz9NUsJz0i5}leGyec3s8>M$yVe z8({Dy`4;Zb5tr@&L%5*(MlU&%;L*c3N9ZfZwxlNzZ^HRn%U=0Tat3#Fyedy<@)}?L zCV0e^)kLUS67HQ=ypDS;A)vH>Q=1h&H@vFHes!JSbfruucunV-wyEj8W!OBm)5Q2q zc#Hp}^zFjpjo4LQ{NVQbx08%T3vu~#0pk$;7ilZoJKJv-wb|sa7BX`PeUi>_nz;wE zo}a-M@(%=&@cBevA;B%)WZE(E`^5bA}bH&W%lFz64yO;Z!{54OD^y-SpnBX3*Yx&N~*}VKb?)>Dc zAHLN!W3ueiMcor$-sx9nXSK(B`>DF5SB;HzI*TOj0W_v??3$z&&z8$W5BKUT zMORKi`pNCJ(uTCAG}*;Lwd6Es#dkA_6}{_&GDS2Iw6+z$+cNHUBKY@P zSJ{f{^}a(xK)gnRfcP)3tYZPcdNovCS9z5K>*^_iD^Q+Z4$5yg%7oHCr;Ls_RiS2x z^R&8HEUxk5QFcqSx{J}Mnv~n)`ijAkiII`mgrZn)4(v?R(&`AaB$dw`q+{bI*q;sL zRNh2^z7J&5fM(p(k{~qVL%LRW*2g8jV!u8U4vWj{VLD}Q?*M|_o~(WR5vsMKC5+81 zduL=1#{l8t+#aTBXF7My=^FA>Spw=q^j&2U2!t{EW2>lRf}CY3me3BiL{z~A{i?Sv z?VMpRD<{po-Jj+FyzJuTqy2_3V9Y)%LtHg3K?OVlqMIINkrPwcMtgkm_LT4$qZQsP zZe0?7*WzYVXmRw|kQ-;oU$@|d-e!``2A-8d<}$vx;bWW7C$$$l$on_|Ze!IZ)6Cj+ 
zha?3S_QskPf&8#+*<}K{eoC$4#M8ESGo0&sO7AWB${jXMeX5cK9HC~W$(z&HU09#f zkDNEN%?g)>3DIkqL$!9GFG118Nd>Jp3P9-^`4N}~h7cw4BidL!<@VI_h9CCg5q6!o zMyZ@bKw7d5Te@j4ijvBUGM0S17~b0AOGoU^>)+%Re__HHZL#169i$=9;tENqX6F}z z;`mV?TJ&sRM@qt2=TI;yrfB-oar}~1oC{YiK!$tk2v6KVANx3v!41~^VGEZ5OboZB zxI`kozk_=>fVrwPIuIcz@Z@=q^_tpX`d~~I_3m@vmecizu>{Lk83l(gZS}@*`kWY1 z>bN+zG4U7Gx}zHE6=zt4;DS*^hs00XHKlU~Xw{Sy&x}79OJ>*D6ugGquJC9J*um>t zjxK*j(QH$tCDiG2ZQMtw&v=I#HQ{R&=ZM9FYhP~E z`ma^aBS8sgYDwD>?ncLSk%Ny@#Xj#jNH*gg;c)an7mr7qH>r|shnxn4h?}OcWyyX@ zAAZbi?C2E)Z3H+m0*EcCAMod`X%?>8mK*JFi60zjh735xN8|7X4Wl=P`jLt6^q;9= zPIYQmkWIfNU?I>?(tCxeyy$iw;2SYj?gW^CEbrniFYScu$g&h~j!MXYBz8J7A{uK_ z7w#EMhLr}rK0@I8DcUH9c#SAVT<=8cCE8#^e}D?HU7S_v({_ z&2S%kqsr`B5Dsb9k5ZKztsfmWhrz)b$j7m7=j}pYqLGQl?(q{|Aznf{_2d{rAsP{- zpjGba6-Rg8Q> znytv0Eb?8ot*7vEMiT}IgB;u~&CPawlp-Z2n=Y8U3~qeKUaTbgWz&j-E)V!i(T!#} zD4z>_o(#zmBouGf$l~g68OEZ}smRtOV)0Hc4&fV6z*`fhp$s%lDnSq88llQE!5lJ* zdx=>8d`g4Uc_1Mqjx9eJHmpR-ZH-BM=A~rk1=|xhfT1dH2=jElgLE7nbw*+*7jgTE zsp7SWDjwE{*Dnp9cES&sLW@{N9f;USGmk`?bu#E%& zYn9IS%nyyCHo6UR4d{wOg#{$j8p9Jy3$WN^N&>qU0-3W)uNwM zZJaPao){+iT42B;CDN%7*Z)0KDJmzZV&%d#-oZyrvzAap(}95Lg0=eD9+&#ERYF9-!zb9z7}fD?^$2z5t7 z@qh%zL>J}B&4CSjuBLxQfw88CCL2C_m5H!mTVZvh0b49r3^PG+;lrS(N&W>Jv6h}& z4g;K@r?pC^aRwSaE85kWv7DvTSyfF;J2qvI^{UByfbR>CxwLc+9xi@~-j5Qw0A4kU_D~d%1hWW=qIH3Z$975UO&TJIxUAA+U~h0>dmJl>Kj-@a5}#Ne z^V?}+BqQWwxex2}HUpl-39b#P&wdPcMc3?=EnzFT@Ibz~20dEr+%iu5DH`qFRn29=tR@^c#f#fa872MNLXx@caw zT=J8QuH}*GL*wwukX_=!IfIP@|6Ld3%IR+?BrYF!vKrhsifSLJ3Tkj(r^pHrU+r_# zdLLKwBW^s{6^uWSBg!zXeY}%{5q5HM;fl2^Yo%J<983kwRP(w@<{D;L5RH1ptzjP{ zNN;oAJ%T6Pze3Kw@P533#`od4lJK)9{*Q1Zp~sax9(|Vh))#c8Bpi|9qw}RrOQ0y{ zTiAQx5uy>KRwF5#Z=aCCYzboE2RHXE-%hL$(DS^ct&h4DzWQoF?T&VTc=AkoCZ!v> zELI!z?Z|Z$VnXrSWQ?NEkOJh;AmAa4;EBr=TSG9OK+r{6`o>uYyTIbVo^KSxdXO&p zgeIb?1QDheTR*+2RnBBq2;!|jTDswEx}?(-4!WcW8l+f_$Ht%=Ya0Fk)D-enCi>qw?i=(O_hnfMXY_d zk(JmUY25zpG<2%<(F=5G(4zwMrKoJ_E<}#AIaZxa?K;zH?8OijFKG+__L&;A?9$KZ zGuR@APo~i5){iN=>Dz2Re~@wf@%$S?lE>!Z7+0qW2G6yMR?OZEpSR#<$^b@;-yv*L 
zm|y8ZO0yA+e@7rQcZ_qhXz<)Vm>^i$%5YH2PoWQNhb1yRq5OeH==CLMpFD`3z_1~u zN#6wWy8}amp0#2`zorZ8jobTq=)ET}?YY}-5pL(aN%57ail4voodjHPxQl&9%2-d= zs?b+NujQ3H7?`dRs@!gXx5>uj^^oskXKwQPfKkvSEN`ELrWb6;f>88M-sauo<W2AlHGBZL$jwWVn0oX=?mFprmYyIAU#TB)dc4s%8KIcf^w*5YVzkSVFCe$DW zk=FoJykLTS)fTa}aWb`W(pPb}Gj-Gj6SzaAPp*v#?MH0)B(2M)AGD=MhE4{Yck7en z&iDF9HqsYoRv23FDq01P?B8MU@ASKM9UYyZK~@fGh6lWOyYfa!gJX%U7ww~C4oZ*3 z%3_tOVtnz!Ypwo`vjQYQtFjz_kOuvv!ggxTPX4Mj+ech7Ke0&uuvWc7G#>GnQnEVg zp88(OJ%ZRzTv70>WZLneMS+7-NI9g~VWEtkl07OB)=rt`yLdpJ!Uz-`1-*5yRhIE; znhb=sLHpqLglFng5D}FQPf~RwDM?sD78`nCVUvR2Bh6={MJh|%H7qd4HS>ncJb2e1 zD*||u=y?R6A>a6V>%$7)@>#^pV@#Dc7O#GNM}fmdOOwMi@de=*Hy5AI3Y})YM?tOnyx_`t)YmS12farYmGo1fu@P)hpDRr}A zbb4WGZTjt)O%HDsfak!!-rIg(%l(VzJ1usu|53~BrSyF*_lxS^ zS|9?E78sFFto&%YFY^itcy3pUm$%Ci(rg{GZf*zw`aXao73fo7>L+C5_zI hbAM9a=~4Ipk5g1Z8U_?}2nYnwe}52jas$B9{{vq=!6X0x literal 35641 zcmY&chzL!t{+jol_m zKnBCaj%=3KE3v~*wJ0|61moF{pNyW8lrpTCBP@k0PT!MzMT!y6bwVPn@{r#tl9WFjCAI7C3C)d#o?F9B-g#WLTgj4>?fF- zNlk}*nB0^3JU(={>@(rok0uOmd972%!V=CVSz7@9H7p(a?%!C96W8!Gu)0^hm#E<< z!m{Q?7zi_d9Y)}i0Y+d@+#a&bfm2Ih@(-C1i4COp-3H3roMt9WyT+db1(s7=%6N~O zkaZCxGqvH#@h=Q@uWfiqZEY&#zB1f+>A%r@k=;VWLc&@&9PwlzBIaB+qtp)_r;HzIYQbsTmWa^v1{PjW zy%TywGp!QY>9}c;3=`+h`CfmoZ*NC=+%8K=e*HWSWu)|tR=-XTLV_PJ&SH-7{I)$L z!xA>4;6njzKcaJFh^Ot-^;C5M9nLQlJYu2?0kmG~t ziL@YMVub7^s}gKADpBHxSxGPgm%BFOe*Zimqn2`IWztkl-stdYsg4n?Bp|N z0M8wBtePS7Qk?!Or(3dI=0YvwO9l48U)fkXtwrZKiJ$plA_I5r)T%>Q^#bQ*7tv={ z?iItwGsKMa{lR?d1&KV5wK*)NG}U`ZorKBHCAuAI&;c-cj@P z01aRQ%bM#pj$OMvi=<@lmsyUt=ZoUYdwYRyzsD*u=K`qYix-gie2 z4XGRcFN;$OY!~DbFSMN!!nDymzkjxl32Ww=fv@iGCmukBQ=(CV6+!=u4*>6E5mODb zHkuE<=Q4#SxbX5Rb>M^bppAg`;DN>bMQ_qL(CWt3lGs*17Eu`Q=R|1k=#I)gGjUqQ z)rzh_yb~c`jBOaQ#}8#+h#FJNnqY1dT_=9>0T8L@9x;_}C}PP=ERKL$CFNDba4XCq z3G0`B1RGd^xpK13p&flR*K!#j8EhL+Do+NA#HlINEKnT#6v7&{D#ZLFo;S_OfT=a^ z*C8rs{NQ6P3U@jmzuLii=*L3$C;IGA>I50)1%Nw>iI!>R*DkOSbUJf1D6JDYrce~I zLHPUW_FCsGf09009w7{1MMyrSM`0n)k zM1B!%3PTLA<(Y9FJs)@2OI0FQ>^(pu9LCTI6g5A`W+l|Xvy^jP(= z%28~Zrxc2Lw7u>t95iXCBMY+i*18g9-!j; 
zguak7$}wddk?xgC^rta?C{9eT;Gyf_mv1URF$;kSuUS84S zE^}*XPg)PTs(QF2WlF9hmBdC`zS|H_xr{wfP;I0{(;X3#d$kavaPN}CG!IN=9joBM-m?r5C0|uVOK1G}>q3*L+t6U~*h?d|k+r-DdDGgO zh2w|hDb7&s{wRIv<#dq|(q=BXMJW0YiUiq^14^s3?kv1VJ?61sge7s3w7waMhTAYv zV>?AO;Y#y0!9vUy<1#D%_MM}<5_2x=wGj`_@7?1#TCST*vJrQO-hqioQ2{qXjGXL` ztb6XLpGK>&&>@h*<7BLnV5cDOM zmU(jV+1}#UO}q95xnej&1W)nQq;fsp^{P-VP0d^joVA;WcdePB zZluv~TC?@Gt6KLp#g(A?X_>-TGE;_0EjC5NiOG|1P=Q@8UpD7bKA}Bi$)B-;tKR)v zFO6fj>4o8cQ&?&PzyZP$49trL0_@YjDa_s8$=cZh2y}5~_~+}NJT}*5ow&ljT=k-% zDs?JlrV)oFb&)ilpJg{xFVXzFC^5bKWtS=rvI9q^Kv??J#qR~-3rvI+tx(a9Y!{K) z)&g2zCI+@+yTi79Zse88?eK%!)st0Q_3P`vwp+);*&axm@F7xd0}HPkOIkgNrWw;e z1({>cW6>FKWDM2(~j-203q(kaXzzEVcc`}U`h ztQvYNMQ#F}vas>-r{%neXs!i4Y>hO6 zHlV9zx_(7(^ji_h9S<~6MKbaK(qlTEwe0fX{q~`+5xMmC3XT9x_9;%AA*YtbFY6Aj zL7$hv93S7!+%0f#UcJX9V?f-m|MI%%jSILh0N8SR;j){b?f=6qvqrh zLa9jcx~Y=ltfe^4S?TVMNTA;8$$2Cp7F`KJPXDEj=3(b9o`NXVv*~4JLOmGJ^^3Nj z=2b~2_jBGBGLKR~gX(L(pWj-ne(v?IJraKpL~c*DK#ReuROA^crN!OV^*ZAE2AziQ zwCClgFH`o%Q!m&Wko<4cV(~%f$4fBFRe{aQnB3=MDX0`sbdItY~&|!B# z`i9MgZG8NK2eTk_bWtmx>*n-OM2s)B=K3~hZ`l1dzW#NQ@DXI1IW+Qi;!)Ni@y1N> zGPc4qVRZe-h)3Wyh5qvNyKA#|MOeq(pD|m(ZJc$8PIhRw;_F@Su*0ttwYR*S#UN0^ zO*b2dQ{W>nd!y9gA{7G#o_hUAg4{xfrp^@3XoPgmju@LKR`N0TnAk*Hjh^cs2L^|U zWA}K=3$FIdL4RbTjuEo{x=Y>lt*K5?CEBG%flf^{Ljfv*{hD{7`_VV*pD42xyXyOu zL=YD*$OEF?-1WRhWoNw{lyO>gn!}Y&rA3ctd*pNpM=NSMNn&cIEB0a)d!Zv{qjK}B zlnHYjM+f#-y)B}wA)|B(t~HVChsaxAi;&L+;Lq4-dtbj)e=kl^pyMEpNgN2~j!tB( zQ|b3T(#*-^q>XSTKgaaetRXQ92$uYO(}{(2q3uCdgENYA#3thSLp}B@+-!kk8t1<9 zbF2m)2plD6HHFr!2kR>LdduiaTD5*^g?Ad4L3EG>GCUePhK&&36ia`}!)IcPj6#~! 
z(%HZ@1tES{*p!QO{M&4bvqhR5L2SYtlCp3aU4PVe8fgIb&+4%)(ngm*$Kq-Qg^N(V zQW8INntRLpJy3&KFj?nZL05KBw>2HN&81H{QgtJ#FGuu19n0q19hzwpjNFdd^F@P0 zpLv1V{5n~t&V9@3rW9U>tQJGY263G8>IFek8tDYuD7|G|*;Q)s1mmTT(QnRUTSw?BCDmOuq{thrf3yDV;_yZrhC6Od&p z(oU-V;RY**pBl{C6wcQ4jq~=?7_Dvg5<|*cp=MV=L@4ORobp`l zUf#SSYYbks`#__qPIR_`)20R9o}I0vGnkbD2z6Nm9Wb!r(?sPtKyE-}$&`Dsacz~E z+Ww)i!!MZ68P|B|mX5psL>^eNc4WBEt5WO@sHJLB2Fhuu{&-opOs zG6FQS*)N*im_>G0K)XHbKgURbACe_YZcdLr)>Syub>PC|+GvP)5=B;dd1XF2sYuEe z(zYF_jKY9yBF`SwW43&-wz+?_hF1I*x^Zmkb`^iZ8eq0gn%dX71(y@6XnE??wAZS~ zWIIdQmC*~@u@xxI2_iT!EE?B=Qg5w357kv|&}ZBYehiQkP6_^AXFDcU(wqx?gsy=g zh)#l1CCQ#~XC&A%^rC~ogU3DjHM=V%c+A7K_3iC7#D#z%_c!)iYwD@Kk)fq^vpPhL z7|R~FC5-);6n#!hSp9AHLIQ^Nj6-@Wz1Ve+nL>e~+1INF-Uq3zs^b_k;XISxG& zCTIU4W|y>j!G)fcKp9Ih!bN(+WgTVKbCEeaKd%qOl0+dpikF^@xY6hxFZu#uR1Lido9uaRow-Mfyz`R5xc~<0AWVGj;lhace{Td90 zu0F_k$cf8iA*z3HR2+Dp!=iL|E*L-QQ@j$+xV;LR2&-+U7ve-!bvQYr6Mfzv2qY4f)* zlk7{wWpn3P)GvRKDk~M;=1fs3*8X!$@?Y0aMC$ueY3(Qo3WUy_Q(Uh);3i)Y7UGxF z41?&TUe$POTg>>Fzz<67k91%?hA>IjS_Jv}t?Z6Sgxtp&6JS@$!ab>GueHoQB9jPV znFi)Dw|rDpi~^u=ol8+Rh?0$jyd``gpNrt*IxV{;`W~29|3$h; z@h&&N)A{*+kA3D58C(FADE#(S+|Q7f<#_o=?4UpLh`2RP_={%TQ^4pdbDRJjmEevG zc|KK>29V4~T(GZnN!;pP`jSTgm?pKa-|7g@)M%^!`3!fv=Lwm0yV0>2EKB4@dov z-`lqXI1_y7@JCdCaDiA*#G6i<$Ki^BbP3q~o)(afEm z&lex0FZ-UT_4Hl|2NY7!0uq`UD??Jz{kf;JpPCL=OZ$Amj~O2@ouuxHbrV7%2#vJD zNt@!WX%XU!)C0D=`{wF=byz!I7>QY%b5$<>ETQ!joN&rNG%kx2bbcVkFG2`AP7 zDNvw3oo5^H#SFC266!?SHpU8^59;=z({5L*qg8c%Bz~<_($}9wWc%8x1!UJb2^QO>#lEk;dSxy+xct9;QRzV(RUD|Mft*wXb;(V^&omO)`+{=m$%Tj_RNIa}qX z&T~|3)-JgQIHfu{YvWdTqEJ=b17ygm8hE?UqHZ5b)@99k%fBDUMqDDBg)&NvF-!f& z)F;X>f~c2HKC0hz)F4h;M#^t)=|p2~!U_K%??)lAGeqk0hs#+;0IQrR`jU(?^Q~=4 zNSzoRD7(K7;02ldPmba^Lb)04#_}?yK4{iFU8qf9!>84*lPgqhmfEdVQ+^}MEK#u0 zN<#eBQAYPfOk1YjI$!c^b;YaXdTC0*kB!WO&EQY&)qvaq zRwf+c*78X-NHeCT`;u2Q?v51dW|5!G-aQPL=-itL=ogi#Y$w^+wabe><&~leRcQbk zOhwG#sGV1OX(K{wk6TxqSb0%o%>P$t9|04B#9`OAgsmAX} zbu>^_Ggx+^0VSM0m^PuaS&kU8Lvg8hVOHr;Nyoie?Ec<4rZ!Nh_o3p}E2p-NwGBcq 
z9>e@xz@~Aa(-n%cF?Q=p9sRf#ZxgaX>Oq@vP(a2PK`H;LW#R=Z+yu|sg|5f|1Y9P52dGw8Am}oX zZweii0puqnLd6|B&us{QZU}j904jtPR&xS|as(RjCh4!J-1=X3( z(#LDg5u@pX2cAu-y2_WQI0`Wq_oS1bS1o$<^u;?{J!<+4Cg%jSm_|@PTtc4{sf;Z~ zrhlVH1I-NZ{JBA|K$3PKeOH^koVBozxya}rwF+_#SY|k3F$zN%u*bI@j6vs!ZGDeG zk7AzW^)c161g-AH%leTD5S)N9j><$30*>decc85{9c^lb~byQJb#e7twm0EeC z+a-cvncPWQ|TXl9pN@x~2b)uh`nZsdTsZt?lNv{XG&U*1- z^}sGAB}7X%Hk_a1hf@gw&pt60r$iDv5vC}vw7?bmNe2FOdik>CgsZ-<0%I)w*Pyvb zeMwo?M$+%a!qXhaPd!J0whiV>m!!iFGL=mL(KuQ2J`m1V;`h)unGT!aG#qce1-x{) zraWr#^IdR5-R)GXuaczJ#t61;p?#2aOSbS&*x|x@ysO)>sh}R(W%mD7pyyQBgb5j+ z$L#)*SXqW1g^Ph2#?fY)ws`C9g!AsCH+i-|TSo}xzYJ3WAWm?mLwWaGTYz6T-KR=6 zf@k~Nyw~P!^alY}U7bb0m<*b=0Z+NlK6Lx0Zew&B=tY?^)>x@mXtvcgPHIK2r^Tnv zcP6KvE~KtI(V&?3%41*o$U;zgEox!;27(Vi%$7mk#0ZwW37!-e*D7EbM@3j~Q-7}n zAT{&-s*^Ms9i)vQ!uX#&n*hTEldXukUlU>NVg(9buR&$eE%6z>E+rc@(Sio3IrJjA znqtkyc;W{wdfjGWRa#Q_M7f$kzVZ_F(QWp#uqTe?BAS<8uNbxh&EC4gO_EPz<82u9 zR(858Q=KCmqU)wh7oBC7$Rzy6meh8B#kSGir$awjK7WtW-Ua3;3~||tXGq%wP>{;C z3PTYX4Qf8)@YGpf{@lA%wH6P@{)?jtPDlo)kCfwDW~@n$DL8U234QKXs1hnQ-4}+% zd-A!hrU5NLncuDm9_^@kr8^ZqC2JG?7#nIlS)dKbHXqjP9YOAqwj}xX&@n*fjv)Jc zP#EeZ=dv8-JqsnhMOWHo&P?QNrrj#ZIS-+|?qr;9$FKh{`=%lrCE`OUIj4*v0<(6V zOt45#oR$*wv2QazO#}24&emUV9`Ei>x4s=erKVtS*raV@&n#MzQ;dw+Tjl&N>5#0N zrdjkl>BG2DtFnL0kGqvfR6rul&5~(g&93)rFd?IITWS4SrBa~Id31{GNCC4Yub9pQ zy&5t7rGwT%$}H-Y*;Uk)2*y#Cb|oDe&bcHd*YeM~(tjJ#m#|;*F%gAaL$9ICq9*Fc z9@j>Rxqcq5-f7Zh0GJ9}D&rCFV}n$5I98iTY`os&@Zz7AG2>aETVP7j!BhM^x=V`YKqus4!ZghhcsFnN-tp-dUexjlGO!G_%taojt5I= zWfYP>b4HWLeEGdCW|90P^rth=MFd3SqvJcrOnn3r=i($%jVz^x?Ou9eUrO*Pl{?)_ zb3|r1_xv(z$$2*5B5k6cF&kMiz#|bba+-K3NHWRL-p4^F)2my+ha=-E%qN8rmYOV9 zoKdU%h|bJ~qV^swnewE^Q!GWlr4>a#78snskTzQi(~ez3aMZEv9Sx-e%KxVKmMaw1 z5w0jkX3Zr<==v)hi-gHhOlyrycKLOUvI#-QAhZQ4vgH^Da%b;`Z6wwj_D-X8W}vKE z@1>Db`eXZQnJSB{9s8{+vPA`otV*jt2?CHGyZl7rn<7$hewK_;X+xX>TqM2_N#Z+Z7%^pE6j2@L+6`G*p4Cnf@yQ9|E#36+oo zg2iSaC8il?G=#bGCF|H?c5lqB`n=3Jd_Tr^wL`b%k$4d2mvAkApJ?69+Kt#pWov)< z-d zQ66&%v}mNK6y@Sd{0~SA*)GLj3@Qes~8{6#2Mt)OdYhu+$=ro;ZG!fu;4&~{@lVal4%T7 zN1^ 
zOW8t$JX9(SJIg@i;aM(ZbKBL7S-EjvmUzF?$xOCcA;Mge|Gn#G=r6e&c#p)gkEWa| zp~Ztn6RJl>G}lRe+Wu^J<%=Dd$0SN)7C97Kma9~8_&`jy0oMurq6ghlaDoZRTZN_T z>n5DCO~24!RlKIbskpd;NlSqiAISKI(sw@hK*X$B&L)h4nWHC5bp8$O z9bm#zso)6QE)H09*-{py{w$toNvcb>=%`oTl~m43sx(#0z;wr{olyu&<7L}fRysrQm9tON>}EN9Rw~hNDGph?LHI|6@Q?S{X$6+8 zoe?lxrYXhEnC`F&h{$%zCn0GT?zFFb!{;S?e46pDJlqNHDcnJnAO_ z2!c%JVq=m-d=uOmr_Rquk2GT{{C@vJ++ayUq24qZ{1NSMjg&6(iPQ@UdPH@QYm!$F zGW0bT-Gj*6VI*eld3Yg_{H?TH^iCwzcH1aIlbExF&{zrvTB4wz zmGGCqB`2n9YY6|}3Vjst9jyzz&Xjr^UjsL?RpUCfKkm433QM)CeVfSpYePreMQu;)QzGz;|Qv&todf5Xn9$f-Lk}(CRi~WlWFI)Yl zZnK=cI}hNCDB#NJQH^Wtydu z%L)#4YF4%u9exn}HynNC48G3S_~j!D%rg1TGDB$VR&ZBw4OxCvr$eS6xxU&5i_8jK zds-c4%CW6Er|Pee+APqm=%PczF`xSOlz4rs%$n!@TJ;e+^e{Qvoe0N+72}VsWb%n` zd2F~)Vf;>BE!Mo2D^Y$2jAr3}A)>jqSwwFl->=R(&0i)=L+dxQk%;i;p&gyhHQZ#T+A8%R< z^H{gje|UPoeXj&z2_L(jOEJ9znw=u5BqjSnCH;os^PKbd9-kHREG{Ffp%jZGD;Qz4Pjo&@;^V#?;Nw%?C_T|U%TEeN+k=Ncyz@_)m!Qu*8S}$f|o)fz_i@ zAeF^yDk<9ZPa*A0aBGS`r`%hoRNfgzUnp26!vAWUP($7`Oh&@@81i$f)iQ&gPIJ_t zcDMH2{m0KNULr=JME@R*CTo)WMm6tFH3CQTg5f8n`*CjOpm?5)$#=M}TF-Lrwv?)nZ|d}zH!-`Jmq&Ll1I-uJ6Hz%$*;fMJQW%vTFzNCX{b9>6$Xwr$}5w>&+XTtr^ ze>tmRK=4;@sQy9K!JbU+BY_%zix&%SUHp444f|GDUQgRjuHo=Pz^6Y#s6XZ?*!cdo z?>D}TnO(3%33=xz+42}2acjSu^|Ltk!#3fN8I95=45lZ7j4WmaHyVN{KmNstu!!QP zdw9y|vX6-&AH#@lkBai|5C_@I1hwaMqAy2mu%ozZbi(@lHI^EeG4T@sbYd&@mV}q7 z4={~$9s+|o6XJmkXBHPwgUrq~P~G?|Cq`P|w{o4naZGs{b5G1{~`n~ERNv}a~N9%XIg&G zg+C1~@iQSF*I?6`Q*ye;OV)R zl@aO;=mbx0v;Ly7T*gjPf+~ub`alX>Cc-?GuDsE_OB=YLi=zLRtfXy3_()X7Q6S{An9zmUQOY35i1){r*(2{=9rjA1fMoM|#2 zH;bkA{F3$9@jX3GlWE;}XMFlQ{GSLWU8&ob9;f@q_Hi_)Nrds}$n|_j@1x8ekhh)e z8e{x5lD4_96V$)>+LyJ5ZQIfd(0za8!Sun_B)Ab#dC}6doN{EXM4zMmhnF2QCw~Ef zn?!Ah__6VLizTLF`7RyTbLTc(%g+q?X^<+XbDc0FpSFQu8eWAXe}LGL6g}NmU!Fn% z$BZ1vpqTCreNmjf^4V!mXf7&WOf>rwx_l7r9$_*%GB=SIiqBu&KRLku-qQQv!<0Pz zTd|8fot|r}sw|jjH$SnXfKtF*<3~_Y)FnND=PSA1dsBR_JR|mkRMwihoZZG7ULgoP z!*NJ?)I9V+DgSOQ2yht%E{)c^am_E~_=NOvgx0o6gAL8c@J!>pGt z|yE(3ofb3KjX&f&^W4f%wdf89QA49Bgmz**amuiSUj)P 
zirsYtPl<=@0R&UvLV&<`w<=&V<@h-t&7M{D9q*p0!erhJ_&+QBNWb@J&>Enth1z*_ z_+NcHJY_fh+D2?YLw%r(cJ|0BhekqixN|pJfVEwqY{Fj13QWl=oXtSEBL7=kIwNk% zb<$jrgP127Q@NI8W>L%W>|M{!ARetp^l|CZMzIW?vrdc-vovJ8>2uVu9DQLBm?;PG z!gx6|gx*7Orwk586^#3C0_(kYX4gQFO$5vmTIo0+gwBk-A37J8L}@bohE}@7TmoTR z0Y#dXd*}_Z4)|ZLb_1pPdk46VG4=Mx>vZ-qW&FjURi`%SHkZ;}Bc5yGiRHdH6PB&t z(x=|6420zVMimqH3_U;OD#p&!(0_ZO$TO|$?fjT__=A5v_!0|(a=&olSLnxOR6EjL zp?9b|PYG5xqQAEe7pNJ7RB#O*(sRmyHs#^jec@~3w*RC!Kye!A0BB0>MAkq`;zV_`3!uGO|`b=kvKnXg_~md}XBTf9ifuNUCw7|0E<3 zu5f_|bmf*UwZVfI`vc5uUyXD+Yl!V`25ME*$Dy9;W?KC#0W>bwnVSQ6r4-pVy@mRtiu8S#cb@%aSQ=Q?*%ipG6O~ng9>(CwBGNt4wkjiS=Am^}l|^)rKLcaF z_4r&sD5@Ua0@LQmTK@+_+wsYhVONB8I8xZz;(w9Un455xj&A#HtSGW?DD^)qm~VvW%iTz*37*Qe_6tB&*JX|0XjKTbtM& ze;1>Yyk(+f>p^Yx-IQWQX)SaR)BKn`OiS;xpUU}sBUKc|q)K|eik)hu{KcyB($;6K z?$s8lY}agBch9!UHY}s(ph)d1${BAQX4*lWuuk3#qdy*T`4QpHscTqr-S|?;^OsqZ z7S@QUxzkfx>K0AqY9Qv>JFRvXI*y>amlNP=gcT*iu*oDvYh*ip(d8<*t)>Q=c?B|sh0fh)%Jc!!(}NrntW zw5M~3%^q^PZj0S+HD25etEvMLhXIe|-pE%AhxaUfJrqRqGqTP@$d^>+wKu`M-)%+W z!IKXhyoQVByKSNNWf*u+VGCL zhg4>o$N2PW!ipC9L?R-@IiHcmdV!5Q+=^!-xi8a(;MhcHOp57G&?JMopaQ!Ff-QOU z+#jrxQdw zCVMHU@$_o4BA@&+z$Z%nb~O2!x>=1cgwm>YSAE{Ot1i=w>q(Ssk4|eo`3;6=9)|Ce zPQw05i&;gGSyMMjh-S=XD9KaopwoNid4t!SjEZ#8gQY+yxmKgsPZdS%N4=~V=^~;b zdDY|a>Tnlbd7NjrdqTZiMP?!>eP654v;Xy!j~O*OpO7guE$C7kbU25)h%zW;rb2_% zWS#f8`|rs=s|l}wv>5v@%JLl>qK(mxJrO@gG;9Yts*isruV%|JZ>=q6=5N+hLrI*}fY)#la}x|7V9GPehSuL$ET7y%f$J$K;3e)i`fbhuq4FY5jv+ zEg;0}I^h%1lcXg_>{B97dk^!7MA`Yd5OXeIJOft1lam6qs|Z)SaNr zrj!V3SyLX|#?@et6?0bLEleyr`E_G<@%v(IYeKP<8eew4{5}-Fe)L#FxZ$xP3`yM= zyxZzae}Ru-{pPx_&IVZ6bNppa9`=yME9|>RG3>@7%{r`}IIFr=T_;skH$7UGGaR3J zwA+8JNDZH9WPpUFen3&R!kqY&`au;9(N-zSJ3%RdA-If(%qT&NGy>;ZnWGls#Y&ne z@b84<1-lZYA?5R56k+R%NBTZ+H=tg^G z;;n`isn-NL@EU|i&#S{fS3z#wFKn#=%ZzglUVm&6_dff-W`Ihctk|cr6tYmVufU_f zZ&T_K6x*5V7bpX@b>0(kEk*E5su&$Va>Vs$b?rhg?a|miw!OOEL?aqe{Xz4>4fB%; zchfMd>!*C#n;I?RU}h4SqxXwmH(Dcz{1g;FKQJQ)bt2IMIFM=I*vwo4^&$9bq;9lBRt8khNC~A1WvL(==?W!EM(eRJf)Irw$PH zTb_!fTUuf^zMP*W!j!rBw3M_jWT131i^0But 
zk@*d9k?arW<9gRej)yziHcu{~5J?sl^$j`G*@xrdeS^rt_wCWpyyAUHctpLyLP%i# z7>c?ntUZfD&a^yfL}MSn(LipI%s?{A->>+V8L~z;6`_k4w==MA{5dKSCVP9=uC}r} zzTRv8J_2C7E3yp#?l*!uOvW~)~yGx|e1i7WpN6cN^P;%z5I)BykjQ=s9Dp1C- zq5+xx_mb+Qp#Z})H0zu5D**lW>h51pAqsMX<@!~eJO1`Wwz$o zU5?lXyVCnxGUOs}b_B}&u71Dw!?O$5W3XS)#KvX1&l25;n*N$?)VFL4o$ZQwaWa)- z$L#aus?4u>D~m$wJJ8Qo3jUGX-7|Y&ABnBZ+M|A~7b>y5Z}qieuys^-0o1Sr%Rf?I z_X;LAwIzj*Lx_~3uLN@ihy|trnUSMqAqtx~ibnsE)^~)$$xx|^KyxCS`j-5xKKbgE zaTpWLjB__EV3Sy(TkdjmxyH}}q_+0(vNn#6>fBdHK{~{Erdc&%yjbx;L)r#IUgkS4 zn~#^Zckrz2&C|ph6?yNkP_Ut7S(v$EdKj zjYsp}ztQ+lPJ-n4+0PX3oam1_zUk&z(OU`F>&;SWrwU<=V?f|*BZ)T{GNx%cxMH0M zO~O_!ac}nPWdbjKSo4dTu!B3mgB@NF-XECDwuW5;J)R2)+hi#Sz5yS;e4W2Urftmt z>;Bi?r)-dC@bm#4vM@c|!|5vqIn}pmo=x zEY-b$4+~Z-T&U@Cp~F7Rq>VOFr39Zdd`p@Zg5R(HI|9!TF|7K9ra9(vA!waLk9emX zZ%{bvx0W`G_96xLD2DFb%6>>hr$-o z_(r#?n5j)6GD`g=3G@BF5%pHe{HW>up^B3`N6 z#5d(XNO#qg{w-6D_4v}3>Z$MRBq)39l=MC>I4rp{W(^IxQK{(7Un3{Lh<9!X=Fay} z2%h_FwI6OaWL33E{PN$v$|}kuRco*xGr_Y8NAHZ9Ry|tc*j+1rP+j*TxZ<9%|4IbE zsopw2S*^6L74K$L-)a}tT%&?g_02IDgd}tNR){(QBJ(?;-#0)!i%@Zg^<%@v9qog; z%nbcg6?^e}9Mgs;ZhT+zG5nIEO%gb4scs~<0jQf&DPT{uaI0I;Mi-X(>x9-w0V#np zd1SMFCRLV{cdk4z{2ona4Kvj4dOzog?NrQ6O7gzKJ(M zSHU`|>dIvzM66h=m!dNPy`HQL%s$J$U9c-fP{p9_`n2Ht#0N{4Ae`Ijx5=fY4y8e& zmj_(c`}=t)n1aOc?|=mpZHj}8XQ>pOtV`f*;8I%AXMHlZrb7y#{7VT9gn=pbkqIUp z{;I>`!0?_zevBQW7f8EFD$$vrEx5Hf>oX3tlSsb-9JW;6(2E^jIhi3X`OhtyI!mJHidS7-!)_J3IT ziPA{f2}$>!I9Clr!TrHA^K2uXXkMM;oB;mR`=JHGQM|}s90*v+wMCy2+2P!H zMmaGk%9d%1=GH}Aw0^*TFBVD_5NZe#oV3BkLvY z*)t+cVdEi}fgcNn0R-=Pu@mDb>Wg4^3fvvA`*X72jrc1oGftUo{7gb^hxG5qTpcV8 z|2MV`cF7M$YFGXzIuAl4{wpK0bX(|EV}N0F;W!xT>mTo4%}^+h!n|d!%4&fwKwL*e zYI?*pWz;-iQCbWXfxY@`SUrBo9XN&$p0Y3-P0p`j57FQ4v-Yf%g*#vh%f^FTq{{Mt zk4)^S%d5K_bIx-#f`UC_sqigEr#+CPfmr$k=Sm#b6?W>|k`GG#9HWsEXiFGlyz#43 zR#09UDA$$@(k2q&4~_8cy0PA}sx?WB-lK3$FPb-8r*XeiFm+HIbr+RP4cU_Jz?ch?tC5hBSblJC@cFEn!(b>*00ovbDQC zsPaF9>WOH+8&v(>pp@=7qjRc;8*=M!zmL94SGv(F9div&rhx}wu35N1zXvD*4sPd< zL-Sg`8tK)aU)h6y%fepbl#Yu)@PF${8{~DBJTgPdr@w`3z?Xhzb?ho5VBDCQoD4(B 
z{mY_u*unCn>jzGyArbC!JKN=_Rwr^+c;v|ddkWX&FXxCwjbxdAN!zg^Km?_SXqX$Z zChJao`xOezwnc73VP*!Hn*NDU(XxY8oK35$s%}e3KjwBt=lrSivD|sbq|p`^&2HfV zpCSHDoX+`d1mGj3_OW;Qmj_JZteEhNMqQ2O5B)i=^w0NeKl9z7=9M7Bkl6H@%F*Wo zwrL~3r8mv^FBQ3}Ev>0$Ys8Z9v0A(PGOR@wds6h}i6ql%$YNUB_RmH?|?AMc=Y*zox#8_cryi~0ODvHEkFZJW$k#JZRO zY9`TOc+RXELI2!sF)gfv>PQYQJ@ahY1r$6dN745IciQWgHr;!9vw%uQPvV&dE_^>Y zXPafQN#zt{N2$+OMfd_*CSIMJc^BnQ-1iAwCBraX3B>xD?~$7Yn_Sl&&U&^pVU{Q% zsv_fiN=z1%R-N)LYN3LC@7Akd0w z9}X9bloH&YBIsIiKBi(VohgqW`dU(gq!^z%R*{r;z0Xg3XU27zr-yc|Xi8p0i|El$ z7f08n^!+}ws;@h=o&S7i9r=hS-yRjZ%n<{`yIO;Z+^p`{fYkXy4bj>vSJoyYwIvlX z_{W~ZkWC3o*UwU_<;X+b8c(!NZJ_N4hA2b^`wY4Km~}`enQdb-{lsIKt2{F%HLpO3 z6rnfpFKLSIa_!h)kRjY~Xx`moW!u`pI{62iASAMU0w=VmW&+KEf@a;*jPb(2|5Msm zKvmT>?}JD;SGpUdyFoCJPU-IMP7x%P?i8g#I;6Y1yBnmt|M#M=!TWu`wZ8S&<-xgk z&%S$Ro_S{Wxtw#Z7{EHN}ceK&vSdB49u_m zw>JiTP>~GBL{s3^_NYk9Dj+DMYC2s^g|f2XH4P>F(e2Tyid#PFb{W6QYxw-x0?7@n z8kSU0$2DMMYKnGDvJnq`rh795k3^dit8)en7&!y8EqjZM z-ABT7Yhk%k6{;?)@*PspN#=Z3Av7t?4|#!@g&t|mXQ3eT;)YdMNYo3UjPJCuXd{p0 zL4x%jpqwc}>zAq}3J@H}D1N4-q6P9@8(tGcwq?q$a6Y>}D$8v0^Q92a`f=Pb@sp0Z zO%c&`hiBARFE!~_DP6Qo7e_N|oT;m88lXB@487VB9i$MV}`}*eg41PiZ zxop|oIkdW%Ky!=Au@;>8V)$h?3z42DH*6CuZIL<;(o4-KXCEk9(jFptnpdWU?I%ktIuUmGnDO(05r zmv@LOI?BX%vLgMTa?x!eipAJOl&#A4W8uG?sratc^%|dRtR$4hBpp6yNMLIRK37MP zV#i3%xny+-qvUIzd`heNt-7U_KZZT=HUh%pXUQfggSvk65Ucnqn;@ZAWWAJIvIhuG z)=Qkp4oMThbcT3d2Xnu~eUz5hpe3I3N_XgK0ak|@zq@wSW_>ZG`f~lY>hA2yb&|jW z)=7KRq0lMeh;4qn!A4ElJV$x6TpNYK*N;RYs+Vx;J)^MT86PkEatOCgo*(hI5m8;< zYii7bQYmy9+Zp|Fnp$mYkzCx1_-T&7tLm6JyZS&p6BV0`76Wv|O*#im%lAU1!Ov)L z-bv1qZ_k0F*l&?d1Ul%`7e=CPaoW725);8wfi1!}fpqv@S&m#)f#T5g!^1An2;j*h z6#~sX3wGHqN*3d zB^tw)nZtiM>52V;JO>CvO{maplXMz$g?Qe>m1SA1i&rz(YDg79{0F`wEukwi4 zMj`V{SXVNDfQ;CAA1SH(R6{0M4YobgN2Z;kE@p^RA|o2t+kuNLv#_*5HZAHhx*V!e zE}BVf080#4w02QE_@)@tpxct)yg;tw!)3k0;bzU!MI>*seN#}HmykqLzkat^L z6Luj*-d_(|&_946h)+x47g8;8l;WG@qVk5UTTDiTA!vzIdsWm_9iBxV!yxMu>mFGL z@03CZbqP$!>@&M;_rXesnaGK9!p9n0;<{1-8T#73aH2n0v&tLmX*Ue*$Ku`Ck9~a= 
z`Pjvm_7!tuB6(MkTk3wsPlvN5zgh4~LM{XAlG8YwIr1O`#!2S+OUnsBcg)FkMdI3I zIKW$ZuWG>Vw23uR|5GX%bI}(6US4@k8(Lu{$sd8g5-0n2|u(Whw z=}=fL)Sz@UDj$x1!Em~U3B&WAy8@+>lCSTLDTj?El}veeAA>#?JN4=I;mUp=Y=ZxT^8gYGbACGN9iX??F&C})Pmz7^L2dVfJlaY&CaA0uP z5mIK0i+zPAx`aGS3V@}e0#%AQZy2iXSXZM+7O5DQY?k)OTic>1I|KIN-Nz%?s$f7N_6s3w*c$%AdD+&YhZeb( z^tdx^!XO}uDcpsCQa-;ORxSoLA-yPxbH>4JfTR^T1VagAHxqQ2NVK(Kp-dYqs+fLJ z6m07BoJvxc@*2Hz(JEy|(n$?l^reHk`K0VI>h`U6Eqdn6EljktqrAbqyY3>XDX-gO zP}z1mD)TOP-`F@tbaAztsvBoCc?|3k1Pk=bcPN;JDJpn{o->eI$BX8K4U?7263E>& ze0(oMN=0|i+XaY1A87%!tbL{#2*S%X22G#kbA;K9hX_A%IVH!BxSz;zRK9U0J)vlc z4WmXfYdVNTMF6@WCLxq;%K`6Bf<130ztvMJbI5JHHS35VBY+k{Vx@Apr4w!NbcL6K z)uD#l(4Ygq4=@df$1vcEJp4lX2Px0tz5pnvyr*D}s*-9^lvE;dCAuJl&IALXyFAB{ zJkbbt$|sz-p84z8$ z&Y0`Rl6?1rG!Bo5I6E(Ct-`ZMOfN5vv!BhsQG1cZD(x|{>qjP$%(3pVAVGVVZFrFI zl`js%QkLOE*;F{WXE@?JcI4EJknA_CRgQ1xmSZiLXNLhv69;wx5L(9ZM$FYxLNni# zG#E6O%Z{YayN^R=9&xY5(n7RHI$^`ta*`2(cdp+$4?7rFaUc0t@)S!`@eTqZxR)m(|`Qkps{zp1xOnd?-KfGlyv z&vRtT`pUGdSA(FW8X}yi#aW_IrJ)ic43HvR_P_S;a9#69^BYu^bcIWLZ^z1845;xNMBR#M29@yn@pPf>WgNu zbBk(ImQD3l`4MFh?_Ii;qg{O6;42Hs3?w{L)(^;yvVMwD#v1NqZb^~-xKaB1b_rPC zg3|GhXnB-zJHsECblzK2$ms>K7bVEXz2blsq7jefFPH?@qUYL-Frr}!Tew{WkD(@0 zAQ70OO;{sS9}kSUQvo{+mk4rK*`0wg6O&xCi^=gjmz#q6-OgGcb3K7_iOT6}?vr$g zY7<0bUAzuE6P~$=Fh&^qL_0kk8MI={b%Lt->_o^?0cH(6byXuroBcJ7SW3TkrH2BW0C|r7; z7&aYBIg``AXdd(mCzr!&l6`p<_K=nNXKu#8s|{K`yyt6$qYO)GD&xc9tL4r6-|T53 zV8nfHahG=GRk~+5Lq@AIgM_W3P~#Gg{wrRFrZE@4C3$gn-w;rgCK97m8(UJv&P$U; z(2>es>VN;1ia!B<_Kk0p=Sj2h&$L3qe@qB;6+d%iP5}?H1Ad-jHNJ&)hC-|;x1i)= zq-lQdD<_`amdgX`GQU)-)901Bj^$L&++ptd;dBY)+$Z$zJFn_%?YVo;PNLfzA~x3> z-kdtk!TPe8rXK{yxHG1#XV=4+fFGcmObD=Xw zw-?RH?&_(Ippi^mK8VNVLr;6~GC|(&W?bvecVvieIKWD8(Vy_$fh&IhT zJ4|<$%KDTWdx83z3J*^?+S&@HQ2oFsuCBbH_aD1{bh^m@#zjt-y}Qi}15^ywBh)ce zm?~bcJqAym93lRY!7d`Z#U+B*F7j!e$h^lu@CS79Ju%q3rMC=O%NA{J4P(yE za(Spi&oIVwUnZF-g4+*@JLOrV!GGCC{Gd%QCqL1!tWA&Amlq|8gLUqx?jFuVn9H}g zGPcAKZK<3}V@nE%!>e3DyFItBm}2eTNDnd1cc$ZB|BPP%)zALH{py?gCfa5lA6&tn 
zg}A4n@tnwp3j~jya-vU*PGmP-S0;%x{Y=th)>M!0t^7u%x|i@jJB3;A4Th_d0ZmZk zsu5$3RP))@28mGYNF`R;I@jQEJY>D}`Vy~Qk0 zw1zNS>lSj=ZggE}HZtQ;HYf_gTHWuF>}PuYPaDgfguV}z?T$rM<I)jxc z&5GsVb)vEyW#4EV9T44xWREGT8}Y&s z5moG90#h0}Y3TACCEBghDv2zd2;9lTY^BK&_kb=aDnsWn^YSvB@2?NJ#ac!7xMB;L zTm4}X4S99$+fwwNiYdB^$_*C638ZpzeDRkcP*W)o=vgd55r|x~lCg>a(41(AJ4YOy zF}iNHj$t+NK!fgCe9{~ReKqzxeb|8o?`F?UK!;>}G*YXbMviMqFtKQTjIWFOvo%$w z%qfk9kG&bUGp%SS|3srz#O5(&9t(lRy8|GEamHlM(Xs=5+`1}4(%kPt(J_a=$>Rh#Ep%KI z7MrDh2*RFJFA|>fAM{6XRJ%aH?EpMXX*Z*C-o*!s1}jUFneTT{=&F3!ZuR zm+B_+7K^=Os4z86Fy}aPqlw^9yz-o3pI-(zPiUUpHa-icjs}zsJCQ)Q0ZRxCmVbdV zZM=PNvILW-o|Ll;nu89^I>YLJR7astP$lSDH$Pr^jvN zlLtr$34dez$k%;HHx18{!}0W$^3QJZ12>GmwK!F`@fRGySeB0_@7PaYMb%v=8noyI zFugWvJJ5p#wLzZI*sbp4xJb?9pvl$7(dF6_M~L0Fq+a&-or=T`#rg=ERa!Tg(LC1u zfJN{1^Tfpr(YF?+M)FKV!@1q>yv=dN8*k+aE4p=JbnbeU%iaL`1rB_IFr8eI*BRk- z0s*cTyl{^|#Tb41ld-KUdFM+sXU7xzW_cJ;VH75=T-DPK59Lg^DG{6|B@O~KnS~e- zM_?n`9XaiV!0lEe$PwS~5WAsdi2Gj3`yXuBsvCT!k}o^`VzlC>)4gi=b&PRK8v#wl zjCTth^g$`oU-f%Ic0mwtAi61yd%_LrS2n~Hpfs`uw9d#|pK~0*WBcuGK7Y`%*qn~Hug9RsG zYGH7h@NWQ~N@Lxk6IB*CbVpC2k+367R<%~UNqN+YsijmM4EGfD10AMGw-LSYXafdS zkxEE1a@(VE`vXB9vqS8*hII?w`O@=FHjG^$b5J95hWHs7EAM?|7t~vA-YWOv2tb^J<;PaM2~j)0t&@T36Fp@| zCq4cKk@ym31|-@{M`T|faVD+&*x*baE#49Z<|$$4)eeCZ4VjaS7X6|pe*7qJEcwv8 zXGQHU$Fs94$`3Q?#+V}pik&8G+gj=dRpGq}?uiR2-iD($>$xls!b{r_D6)NW<#Yv6 z!{i+om&e6GT35k3ehZ@YJT{o)PZV~k92dD~F>$Ay-I~5Sb0()YTTpma)Fq&6nJb2H z;Q@GU(_p#j2almakzUSCcR1ZLkef#i4^R<-ap6zVv4FTQYR`7RS%jvyoSBOn#rlwy z(gsazj-0Yc>dTtd8Z%aa|7^|T1!th}Ux;r===yT>F@K~+i<2yx6VYj3>9K0+UZR*j zI1JGk4(asbU}Il*)2uCxnv;wjWAugGVND);dtWFVrgmR=J~iyNaEVQGE1^y9%%G|; zyU>q-2occ{-6az2(y4%~rSGwL25d#XWr(_Uxjn5?W`-_X?yxs7dz!e;H2+1LQJ>pk z`v$n<9oBY$0M%ONSt1ATcqJbeaYHChJ-M_wFlht-5!XKHE-8VUswmP0o7Bh+O13ys z)siTCgLCz=2=hjhrV+r2A0E+oHNr4<#xu!MsP<)S#$;t0Y;y{3(U2z9+*$5g$ z?KxI#(hG$(q>Z)r*7Q!0kvlS+ z0fGU3KIM2AdPRGIP^5@)$qS!i7vA0%g{|s-{1;Z=D3}|+^UI+!TSR zxpfi42^5 z=V$sEwXZNE+n;{ZStT-ujXHtnGxi0T@2&)7AAFgzVJ)F(lFvycwx_tWrSAJ1@nRLZ 
zlhE$Cl_e{ci~-pM6zy=Fun9S2yiK=qdO>ZS6OW zUh8baj!tj^gq0c_@plcjufz3cM3t6&Q#~{$ThpL_p5P;g4kO5i73ORX&me(P9g^0n zEoSx9nU}zEv>2V^z8c#{9UGK{mX9dVk5Eh@OZ6P9>uqDk-E}g601?ccW~s(>_rL|J zEy35v>m`}l-ENfR)Do2&JT9=X;SD5p0{Y5{1A1L2+rn3nXE**_$oC8x;?0RX{`gtq zqOcsQ_YEh-O{bSgOkU?#+FLaHFNqP;j5mjP=7BZUUtlih@WeiRTMj@46&`xa_v{G} z(H!^Jdits$%aMY7A2=$3hjC6z8hK%3FM)xw=EEd{ed5lrfFW@#QU>H@b>D2%`%l&P z&O$xQ^C8YuH+ZU3*o^>5fF-&!OL;b@mK$wEGB?r5@9e_Ilz)awA^u?;!ksml@kgIk zTWLeN#WF||^9H*MxCzMzmDYD|h1(YvBxhr`v$4`!Oif0iVYFH^QtpzvIVlQOOp5ipRKa*79M{S*bZC4AygmtP73J{rCP zZIdob#C?=eLB&i#s3_*KHCjXu`Ws}4Z^BKHLGeagdZ~ox#E@K@YCVBJDmZ?e5em%` z4oZNnxE|270HA5|Lc&l}%Sz1ZX9T?_(kgeGHW0v1qf$q4h05eb4s{;pgwI8;-*3 zo32K*SWCgs&+m74ZC2ORL@lk)?&tOjZ3xokDe`~e`SPs2_%&8_BB$}%Wn}l8eixDn z(3l@*n4O`(iFa3@`4{;&t}#7vI$ON0?xc&rCEG8yNblsrrf`f~*k+ZQT&c7UIX5Iu zZ98SC4PZplfm>}!8*?IfeBZKvqf%ESTUCu_@CsvG0SE1S&#woxH4-}z$#h}{s6#{= zma`dUajLR$(>xxjSYjRipapK`A)=1vTD(I>45o?KzK>Sx48$tU9m8`gwaS-FPoZ;t zs*z%yA-xL88OR?U($-b1A?J*TS1$mDSIxXF&08McB=ylE1q^t70ykrgqP05@# z)(WWJS@HCjv&6KuAnCp`>cVeQGC?IEb7+VdIN)`+(8lz}`_YTL`#F0*L)x zh=E0(Xn<5E{ejz}oJqi~(ravTi&)OOX7^;5OKUr12>hQr1q}Shc1|%6_-#OP7?ED+ zKXM(e!axRKwppcyv;i>hcWbEiQZH%?-c6E(Xf-_owVhrr6*zn>`%U-be z-DcWB4LeGbAmibHD2kwtO;Orvpo({ZDA|)cIA^SI;|3=jvPcTG7?}l7b@J9)0l%+K z9YiaQ)p*XJ$P(#>0`Ku%;IZqNeq7hc=zVaX2?#%SnjE9?opkg^l$C2~dfU)9q7m#E zN%oBG3tUj!6GZ@V?^qw~k{7eUU+De>yfckl864N*$oQ~OG8B)|S8pz;dtTx8=7id_ z32u~sQES*tU{_zQx=~y;g99JG6KBuXw9g)I_9Aun_{wRruQFM!byeG`(awU`Z2e;< zCa7hp(kt?KzN}wu-!-B#q;DS)m=k;K7&JN!vy1>@H#}qi2u?&LA+xq`YRpZq8&*Vh z4bneMi=g?I&%MGj{0ZdZL88P)7V+tdP4@b@nlP-f_<+9E7sq|A)gEQaYvL*SD}E*2 zqgS0)`=({}qx>mu6ei`|N!K?DEp1)$?qr*XCYXvMah5BW$6Knkm5d`=a4+J;g7WXO zkRW%b*iVNfG3pyZrO(C|753yvww`ysnH2)m@yDpYC$?XX>^uoZN@Xn(!BW9Ezyp5O z*`qc+Ua+&z*bDZvwM-Rc^)`%cBHT%3=^l0Mu-d=UN$M^YM{`Vmf~&#IrNNq=oJ*$} zU}BQM+f^@j@F{Se&9GNz`LxjaKswvh$yjKC`NK1;=X{II2!gR{zSuB(vQSIBG1{l# zK)^LEs4s9PUiqYJ2xY}^liA@dGIJa#quGi!F0}#A4&09dogJ7YIt4oEFvMXpZgorD 
zKr)v&=9xr%)EZz=`>BI|)7eZ#PAr9LWmUa~QCZL3!lqaSKCR;S@@*)|=1)Gr&D**IyimR-W9Zl&dM}$;}nu{z!A+>G!%Qr;6EaFVbheT~G;sh;r zP_(6N^O;g9pUxbjIJ0srPC4W(=|5~!~ zgJBh4h`{5eHmZyrrH3pBd+`IR-nr0n8ZX29J_b_RO3 zBenspcw?dsb_T6DeRC)z?Qy>yb_PAD8(U#+Q?GoP{5&zT%BKsz_EC3u0!5lfPX_Z| zs>i36_7TXR#SnNB0h9kTxJSbfUG#3@F^-sJ;chkU&?jPSe$Kd}hqt zNc+4Xi#txTzqjb3wgShs4N9w}@UhlZ+*~e`zG+u%&I>kU&zs3K39NVH3H}yoGb3Yu1ayi!g+H zKN4rvz9*6d>&Pqn-`;kNoHY~=qh`_<>5ao1Ily=14gYP$H_&XqK7H#vn1`T~QJJEB zB~FOgo?-?xS{Af=Sz8Kdd$)G{5WQI12;D>R)KG4~?l~XO#$e(9`ZjPfYG(2b+H9@} zZ|=I~U}0wQ=uRf*4C&Xv1%oF0vqzAoC36&2Q)fRJb+rP%9Y|q5P#nG_uK#S z+17dTgH`kWwd(%=d({u$PA~?a@?>hq1w^;Y4T{$Jh?XbqEu2OfTSzg2j2Ney`KmVfMStqc|h z%0CipY1zcuLi2ZaF3r@r$_Ck9k$|#5xyHqjbE){{?uT1uCp|Z^|couPnS52CX!l6 z{<$WQ{3GWL4sy7JAE<)lpVqvw4gSXU=ZD_Q_kP%==g*I~?dc8pMF>iGKq^zh`;j`z zH70#b9F)J92Iv-${DVtCOVWL?B#@hIf4b>EsFE-JV9|SX9_j++-{!PGFb5?6HmCA$ zb9P1O`g#L?ASQ?Fe^LzwPW2NJxodd9wf_;gd-**{ z3BUtS0OjA-P(HBc@3{U;RkVdA(b+b5{R0r;@Ua6Nqt8A#TlG0}cHX6aS|w7jUYd zG*A$4+x16U0X+|r?`w{o@= zo(IYI?6bMMbd6aSMcC|mD4FAxuN{gGB69tO(y>@zgmiuuNt z{tv*Q1(7CU01v;csa$yA384Jjn#Kp#{1w-KseXFF`%k3DF61vy9b^C%D>Hl zd|(b=b}KMrL2U~N6aSMcaH`)t4F5-3fjkeCf3Qz=kmDO$hyM#r-~aF-sE&aK|H{Ze zH9<@Lo5JxQSQCtP@U!~_g)aDSM;NyM;U$ppCzwk9%sG(o-y!@zt(WH?KY(fqQ248p z051O@EM4Vrx&HC)znJOt4-bO;037_A-T%}CIsfl=Ao+nCqyn6N?z?~?H|&4lhd(o} z;ZKJCn-2fa^`;m$%ZnUd`hB#oF~n#d<};NpAP3fwQ|^Z4H)%mGz-Z>CN4u zg{9%m;?C-t&CR0QiHZA7^M!%!#p3K>uYlwHxjKj2`iimRvCet#sSw{`vt@bA>frV+ zSr3M=_Br=nUGfQKY64*rQvKRa!K}#bIr3}G>s5y`-l^*=lZ)?87sI0`hieAks+Ygy zZg-!Ytgg-X2UpxJ>`kZ8Yt*|t)XeVcIN?>~9<6&`t^rT5kFNE5x>Z~paWGuo-JEu6 z)VUuXDC{|It5=?6T5Y$tAGW1*SbJ!fC^nN6@YhCPA9_#U;=ws>1@-sWZr7c5O7Tna zq)*?mrQB>@ll4z$-a34P(@fT!cUGIuy&6s-oUPHkJFhqz-8o!_b@x0dILY)}M~+F! 
zKivxH^SrcM%pYq$x!&DtUMW}uuuOVb)zw}L%x-yJiEH$iD>`wg4NTKiR?l1S-ujZd zCzsfi-SlhD=X~(Sk?|^yCrcAGczE>CyT-4e+N3Q4aCIQ8a(fLib31V?{LQXhfacnoK53`F z!{dXP;Z;N`;pvd`rK&pjva1?<$Wb7ROQ~YwAZhK=2ZBpcYq`q>mQHtPvCbRw$vc7kcIGDjt6S|t~(!>2qyTrZI zBHIHJZ|8QihB$ZjWr+!&C3!$W=3u7me9$+BtF}-?n zn!EV^RHt?>k|EixX0e{0qe4-*IcW8;*}&1SKe%9QJYoB&yLX@2h2O4Oli{vprWW8S z;5P0#)?D%R`{?R^7x!-Fja$)`re6i&(apEI+xA_S-Ss=fl_G(~=lP726ly}af zfn>G+6y9Ddxz0;Z4Hz_9n7he-O(N%%Mvn01z58&pR55!ZY(q#Dy;u(Wc*Cj-mi?F6 zAj)XWwpxE-@4&S}up>2MFu#MbBcsq_G#>+56v#9c(URy<2a zo;1TOix7Wd| z3SZP$%0nDymdmEsl|~sO1B1^x*<>&RN+$e@PP}wW+hJo1$!I?`^&@y0l)go$GGO*se#M@t!u+A92+U?`#2ISXJFmRos2?f-A%LWlrNctH39|kSPpciy3V-OCh}m ze*qULFE7(Xje0Uf8DQMuMVE*}llgf&A~Ei>#u$z~$$M~ZNi^lQZsqoaMUM{YHUDMhzObW8ck=1GEE92Ykz8KUcnwqsrXv|6_xSl z%Z3Z~X7F7(3Y)`_Cv_iYeXTUhQYUD-L_5hPCJO40`y>krpDsVI_eK^%Q&Sg&MUO0T z6i7WI-n*WqTn=UPhcMwYA9cZbEAXtV#)i+{rWPi^Ej#uwo0T;r0>$~UE-vocjIbOE zkLLLVY~1`1Vm4%>K>$AHXvCw_ZocSJaV*()Q{W6C{P{w*gNm95@qRt^!w`B&WqL`F z3**PtF}W=5qlBsXZ(`65Z$G2OZ_>Ap6h&t6CkuT#=pJd8>)TTN#TY!#Ur!fenf+|-{z_ z>}6v}ys<$*Gr&xu@(j$HFg`lJCV@^*BMt%~sRAL1!@UylnTp`bhzog8=jfY`>|HkZpMSUE^eyjzbr*=8(ZU%=QgR2_hM!#HZ z8eB`rFCE2_3hRf!=P1c2KdM$fQxX>CDx}UpPT}lESnx2Ue)UZ{G9|zCpD7?x*B>viUmYJhDgjv&t25 zs_Gld&Uk0>WqI91q_xZ9r&p;s$A_O6;-}$6o@5q}Ni&YWjq@8A%ZUs#60xp6SLC_+ z5W_Tfd*Q}3g<3tug49Wy(MSzu`FT@A&@FoUTVK#xJ||%Lvj-QAM~vOTWF1#Ekp`}E zgMTcX2a5m~3~@g;=UT(2YQDX(M~|XM`~h|z)T9DcfiE*IfH}B0_Hr^=y_zeS9XV}X zC4U>K$7}Y?B8JNEV}}5?r4$uirbAk8-~r6!k;NjLlAEv=mAbjjuA zCJwJW8Oo>b00i->#E-|>*Wwgik`iYoxxibKH%5rPezJgw^r~um2B()brN`sSh=y^lm$!=>-(%P)%Vxqs-}O3mgu>sWBG0eStoT zW5rs(Aeg8tn)1HY6H}ke+`_SBV1)g|mIxp#uD=wnin-Wt8WmTg)u2)vRBEE6piYyb zw>=U?%0@^#vfu+dEYe}xlRU=j5Ju~%*^b~Taq!Me&$)!NZ`!x_N<^r_Q@Z$r5G}`L zCTXyrM{4HRrO4|ABb{DU*eufmPJKQ4E?z~uo%#_ejeXy!#wl9hr8qa#8h{25`0sg= zCDqnv+~}5lX!^!}-n?>POxfJ=Ht(M05pG8r#EfhK&-Apg8%G z=d-SCg__IPbOLK}<;*(Ld3=gCzL#L+37$~};Q|5-lTi-Yhd!@{^32YY+L1+s44LVE zvDy|%bue7D5BP$|txkDiVJaW?ZgzLaR_XIu6>KeI_fLrdtI(s8E`Cvs(#J1?1U^>H0rU^jFQZp|KefEHHVk8*& 
zc!|8MzF8c}Z#m0NhejhWV7N32)=$i*pJ$9u^PNAfQjk}WndO6u*vORKAE%|q93GP< z2!0pr!RSbEb81_4)P1aqi9hSwCC|q@<@wn8{9sU|&4EBlUEAG z=iIGJhJ$>e+wi!R?#9CkRto1ZM<*Xbsx12*ta5Uq3BWB zJ)`wmj2B-5{8P+*ClHJ1y9VHF~hg!&Ra3N$<6 zPCqc&Bi17#v3?BGX(?;LSmVq90ObQpXc*KP8tN=}4 zQ#`xn5mVko;d6iZZvpFH;#$IVTaHgZPBai1p^5=7i=it(X8q)VXFHv4*2dVPHmSh& z6|C5lS}WQ5v(i&Gv1fFttf2!Z6DYK6N8}xJ%@$)7; zv9vV3Z&Jf8O{W=A+Uf%-AGw!tACx;F7HOB7A$~B=BX?HT+s4BmBqUARE=}OL?=q8>WzCe>F7aZZptzp57ftW)f|@MFSguB{uyQwsMNQm-=;un7O(xq+_`W z8|fNM!|JoN#7&&qr=gzPOR0`13$N+uhuY^3GGpKV7YS&oQ2pWgKWv%b_#X6;E9hZ zL6#ZY;5~VN$?p8}93ge>lS;9s4C*%?$^G8Ra>0`AYFLXj0FR4QI~!B2dj(oft&o&; zJc>q;HZxpafRsf5@#2`yCrMb`e3ku(?MZ=r!{>6kl#fhUiI&8Yb4jl@KYgfkUMwja3~HuR;yKz;-w7w1Pne}MPTu-*f?HCzJDn-S$z0h$e%u=(ca ztXzv33&6zJp2)2onkwnkAd9rzeTj}M0`YK4lh!2stR1|7!3{6jN#<%EuqZm5 zmtOXqJsf2xuMY6sAta+}O;DB?YrN)J^rFAVeU8Pu6)Lr#jXEz}?OtfmY}hZa%ftvv zr;4-;m4p2<*Y>y@6_Q0cutqe!Kle4cx6OOq{C|TteGylQ5C~o^VE+OD+N%28(!x&P!cJ4(*-GD59R%Q3`EJQ(MwIKQ zj`61sn_dtmE~#p%&>jtB32lLzhZbU&XJ%+Bu<|N7MAiZ5d*6GU+7Ay;P{2$2ltbPd z`7e3PDzPuHcA+%drXzJ4FU^;}k%{>__fDl}{VWF|xj{~n&rgYNTzWex{d@MZIcp;( ziPy_8zTgIpTomqCrlJyRimsaOa-9O`WR6H!X5uZ_5HB+NL=n;n(StuSxW4X`4>h;@ zY`BA!!JQk5gdwf5#<|QqQbwH$x7ueN)DrtlaRMx~#D*+MJ&b~Y`NMp5ClpkCP$0r= z8cLX)m{s*0Q*<3qi1_1xo~Y-^WO1&Cu&Git@3tzIco)w?r-%Xa&CKpSnzsB0^Co%+ zDX->)jP5R*&T{Rh&LhCtcxiKi*a3g^1mX$McQ9ZZR@3s(f)YAjK&c4$4+Z$|pFeMb zUIqixv(%Ngv9z*f(6+JyIrpLV)Vls99B3pEd#L}Y0)M^*FZfei*V0D+KdCojqSS>$ zfq}IV{RrnjGrR@g08R>ICOad2bNwGjrvEfSObM|Sgf$qL3k}5m*8A54Ub!&8sLj?$ zU*FD_;r_>eoaNyL{`V{^&i`?i`|bQgUp(xqf6W3O;c-99?=JhH>cismTQ%GJuTu0- z@gbT2Rt)#~weo+c{h{(h;`pts>wB;KUufjvJP(ud_dHU5|1m|S#UOz}2Lpox{`CPO JC&eEm{XhQZoS6Us 
diff --git a/spreadsheet/macrofree/security_checklist.ja.xlsx b/spreadsheet/macrofree/security_checklist.ja.xlsx index 1ca90ad44b65a193aa84c3a310366c89a8eee5ee..87f0b92a9e934a1b3576fcc4100e14f05fe59322 100644 GIT binary patch literal 36987 zcmZ5{1905!7jA6ZNn_hi8rx`t#`d~@k3`;(W*VE|=Lc5^;*Lx&Zs~an<)1&X8mKozI&CBl zTS13C#kS0}9m;+xT?;I+Yy?F8z(Xz~CITNQuvzjCVL{*?-*q#XE7y&hJjr1QIX8AG zko*4Yhq<$%qM(MO6SZ*GY4RhzLSGN-lct=M2{xKlDDlJWq!@v#T|04)%fBgTCjcSW zNFlXS5yrixuf2+9<1$6deXVJ)Vda<9Trns%Y0Ojpgb$bD?1&M;!O)0v3PL4KJ_}#q zl+(#F<4;R++tziyF*6oBde7^_@y490Wyk`H)8FKEN>|IBX=QzAK%NAv8p~$189XKl zGC?OY@HPOJ9Xe{4xWEHM?>YH53~!GRH_pqAnwEM4D0ZuMeD@Z0yC!wuIh_7VuO`5B zt(^7|149WdnrpiGD~(s=0^_I85_aZ0E=$K6vQCe1CME?|l*A*QTJSTU_H;ptCdCuP zzGo?1qCENEpiuZIL=m#Wkz7(z8-jfYBy2Q|U1q=XSkT>3ul7@u3E*G<8dT~ZLJ_1w zUtzWj&|m}ic-sASymwR@>nG%My?=XEd(*~sV4G*2lgY3po^ov@1l7sbfztvyS>9aR&M+Lf0*P zD*fAM3w{y_c+_fX&myKfQ7$PM-}Dohz)H-uvrVoqQ77{)SMd?SHUVV{6eSV3wS`&* zN@F-7?2+pttkd!QX^#3Vt#RAOs3qgS5$aHQ(**?8e{X(AD0F*a%>GWBAj`V=$qmIw z+c-123nT=c!3+&j`%IqYJBs+AVB!}vxs6ZK#IODZI&NE3S~+%Kw}KFgkmL5H$6daH zvAGB-9HSUyUsEC{pRMkT;S*N77X{xV4Pp=$f({OLW%BZ8G7B7k1vO5_*D}leDiys@ zL~HD$F!v+6SkA%&HjKDeAnCYNiKQO|(H&==$s4jT-~7aWCzv5Ld` ziYFlr4iB%V`joaR6Gp4_SdFo&QEa-G6siTZ!|rQbG#TXmq+P;zEJ3jQw>mkFQ?94RbL)(Qz`3gTfj!s^(v8#8$iSgG>3Jo#?^dNKx{9)@*J-SJFg^zP6r2kKPW%H(9UvBjZs;yD!M$)-%h zi1ydn!7^;p*53ndpQ~3cUOh12&)S zjBSfdY%et{Oys%sIpb@CV(E?Si?jFMuAolRs-`#A7y9a;YBlbzR;H9|rgKEF6b~&L zm(v5!N|mzI%#FY~+XXn6+F9C0I=!Y18!y}HO&?=CNt$Jg6oJy&a!gwBDLQUUzI^>k z>>RC}%uP(3 zotXZ<{mo-%T|NzKoGIro>T1WlPP3(OE99F}jUA<9SFWU`$zfdQ$2DJ7OG|{&Ru_%! 
zEMkjnT8`%Q{mH2V`_V`uHyxfQg?wko0!V21zkv8z?Zgr{cj(_=B=L^FUD@}nydPJ( zg%0cy+uGhQ@ZFI-Y*`a8NYGUR&P9lB{oLHRUWT$0TyFA1U+}ZYUk^oUxb%Ui#F)Z?_9yZ)7Tp0dqUPUCLk9g#`GAH-_vMfcFEr-7-D(Os}2YUT)@ktxror zf}?zQ8ia2EWk2EfhZ3tN{dcWe;(61aOeCRxcEPUw$`z3myM?X_qzYT4hpjchz?#hF>G|Qvc8^fHQ@5QydusW*tsjeg zcey;l+hS%xO*Pde}vdK81|oo{?FxIQn&{i`DHtPFA8<>qQ^V8-iTJlmnJj)(gB5 zMZEAH!UC($S?jagl5;oM{o=IV_UJyftDpyTk;!nm++fh zMm^cbBTK3})3`5?@`^qAsm_DG(sPM+T0bX#Y}MVOpVOaT&{KJMA#qh7vrD+rAz$mi zx32l70Wzj=ocdog_h{~7in|(E?L5o3n(S&Td_B5Ygi!2|`50$+Wn%04?IFii4|-C#OLGu`KlhdKawLeKA0UwXB4~fO1}$K5nLfd9 zpWD3JxtO`Icr(LwB=o$L-92o{_+ z_Ki;9asIrdM|gq?)<&TofT}Q8V|$hY$K$T(E!rLR&LqI5%>?cD06gP@xy ztK_hO92M5iHloc?P%`kD%MKF#mshMoivGP{Yg?P9W6RT_fi9r=1#ogH-{jL8Pnp)f z;+Bf34lp4E5^t1)uM+Q{=XvY*a!p=A6Tal1UP<@fVoPZ`gE`YimEg*2$G~VOhoP0n zmDxwDNl1@siyNyyBMe!%KH?+8%1Tl52eO@ukGEp0M!g7=Ek(V2n>!i;TL0+E?3(X6 zAVxm56tW8ScyV1s#Nd0aCagOg6PoT=8W_mA?5)GzXgf+@Qy!dJ4e&oBad+r0)9x1fqtRfEt?1{!MMEOQL4k@3b+)j z1R$v&z8HquF(9Lh?9t64U6-~{d@4>R31Jo6cE;Ird5ldx;)uf8- z^*&|H!NICHs+oFZXtFAI76?k(uMvI$E29@FzND$4D^jkBQ`m(I(5P_?SthEnMm8JL z4j?koc3Q?T+dwYP#@z0F`Oz%c$GcVMYXB_Dl;7WoOb8j+Mf6o*+3C9`3dx32)n%Nuc<|(R7bG$b?6un2HOsU&8Q4%0@G2>J zDvuaTol;32@zUdT)1&H#m^1fBEVZWv=o`6NEy}2$v|Cye(2gDvxQx<|srAtP8Nzu!C>d>$cG5SO_oSQ0Q#;*^hl|F4uS< z+m@Ip7wJTQe_$`tH2e2}r>dRMqfKxir>F>iKvIZ$US-0rdJ2q)QonS>EmsOjzS?)O z2|7J=1^fQ4|78Bt8Wqcg%o+_J_CxDvh*jUa!@~u@xEZBxa2&;iOw4^;upZYTF83kX zq>$(M=dF&&LH_vUZrthJ6xL?0=V!Nny+H10S}nBH^~haq_i-3x03Txb1EpXa z1Dm#tIBIhJ;-1EVl&R>aD#u9=2^AHVi&m5E){y@UN7%w|xqdA@Xp@&*IcQU7gMOEp z>muN2LvJg&JyNK>^Ye{eXwuPCzl$>#*7TO}gq zMv`*lD8`6NjCA@7wi36w_&+*nB#CP)bB1F=erX$x2(-~R6K|+3$(L6EjwKu(@>QP; zjf6fYXB@syZA;?*mPBpg=9L*Oxup0@1Tb$JaG#Gq*bn-GekP}xl`Ez*-o_F`@4u^p zIw~vSm7*P+tz*#B9~IXB=W%z%)b$+M5H^TSj>$}rtG-VUEjCUx%%ZvlAuftph zASYO#gU7n?#0L2SMG!c=Sx8AEXoS`3B5#}>G46VD78jThy&{@39qHUS5{U0-BJnnr z5w9y~V5$N~NfAjZQzSk^Da|zGs!8I@#GcTWVp33Wc}KXZ1&!1G7uL?pVss-1;Xd8 z!gT0hucyb>T*R8G9j}w-fI@i|Grjqo=R5;1VeiJKdl%WUWmUVnj^G5W 
z#b3(;@%Io_0Zr)eRAKE1H?oO`plBuR#G9=B;ti`18>}~e9j(EkEg6yIc0FYnX_I%z zzc<9K`6dSXktvK&WMc3X0!kO%;c#%zb_w(m$y&tal)5&{PwF;&I^$zw50&qPGW<4b z=`7+h?lBt|dtlu7Jd}P9JYOQ+0h%z_@O;1dQMM0|xI~GZ;HY773lnN4qnUK=mKE`c zB#l5E$f@(T4?v_oTTSBL1C_qT@j@m4B{VQUtRUu!eBPl9^M<+X4$%hQ6gcR;FjqvO zaf`704v%Who)rF@$k}`Rhu>*Wi21llZw-v+;KPr5^7V8Tvjo>_N~(c}gTNNb6jwHx zumGZ(yDSdeIG&hR%o!`eBfM}f{5XNZ#D<}Xcg$7IwT-aI6&s*%)Ee{+QjJp|}?OW;I4aY%4tF_)eC zA^I&=S5#J)x}6Cj-qpuaBtL0p9M;R*ATA)$#f~ql&2L%g?x3CyBo}K2QAEns5l*ii zH^|xP@zhZSh70ll!POYPFRgAe#$EEQ2MCJ!ljRI?goZ z8)Y5R3N?pde;fwtof4FNseR?r23k^D=C!))Z-dcpXbL z128vt2y+m>$h@8U7r(J6I^s9A%@9CPKh{i4x6+_bdaOY5IIXXgdKl!iN{&kq%U#bT z)OqMe?;d4LZj!az2r39J_C~R9 zA{%?1U^6G|W=lm1J+W?X(6reDOo@nQLGZcle`(-ZZFyQV{4(Ia;$wdh?Jy(+{fQ0y z)BUAxNAGxv|8if=qyza+U!?^;RhoT^LLVz*OK4Xoo$ZHUACqVzyXOUXzSca4yFoyL zku}K}5-ohCFjd*nOcZnSu`m$0*Wp z<%*o%t1MX&UY@_wT5kxRz*|kwT1ms4`Fdl1EqHbjwEkS#N^Uh`k3P49z%Wxq60*5` z=uP|4{hnVQx&7#OO8D_6v!|5zxFeQkh6VNw8q|0WS-1BklU~DWA0(~-&$()=q~fp> zmt;M3&{^<6g9`uW2Gg2^CZ|A*7UWuw(O0?(bYrA#8dhlLG#>xjNdo^Pp(cG8()@Ha$|di#r!dZKzbP`ul8X< z_U6rjlS3~}SLu5gt8+ud%)?KAoQeCrzQ&5eDcn3K-Qx#s{PbtYWK5dMBpHe}zZI1I z*MBtLAdk2iO0<8=*Z2Z*iN#2APdgv@Mrv9F`gS`#IP^5v8=GYZJhKx*%1K8PD7GHq zm_;+4h;6xx)HWogOUNjo?1}X-_ryO3G@_1;TPgR&QLqQ=OX}R!rOL%8`1d72c)Q31 zQmL(!L#x*!R^GoI`xd&^>ulk>X;*XIc{;U7Uifr;diC#n1^Z)JUr;mJ+7NQ73OKTi zLpWFqXBUx6|xrl8Xzf^l_-v>fWl5OKqJxYYy>y zun%g+jO)SBe{C8&!*^k(0{{t%y*w5+FmFk?t`)uxdd70DAxkzl+3qafZvaDO!-?$b z-VAornX0#;5lXoIKg_K{0HNs2E-h=!%`QeKP>O1ySC~+0QBqn4_4(!*Ds2~pR#u6| zJECJpT`dAUo&49Q`BCg0{2hf8Y4KSF%j@p6Vqh^bgCU6GCjj~HjKu8zR7PFB*tUS4 zkUH8!qM>%$bW&-5e`&D&6Y_vfNKM7eFB!VY`@pwBJnQm%=-XDdbcp0@f%(?}e=VUh zdMS|8mRAN=48j8L0jXKJyiPgo6j^H$-dr9ulvC*cvLVM1bycoh;9cmKC)RNm=ZcoK zmWCGS@*ZfZlg$@y z^=hiCq@AQc%zQ;o3LY#nyzmK!GC}UBRP)}xVIS=`q(Ty(g}AC?!nKqRP-)$t@oT`C zf@?vFsq+zF;!?vO>+=y#8#f87>lSBeHW}1+{(1b5;9m^XI6+{UX8>>`#puMfx`VyX zpFmVv1iVz;37y&xLl??%@|z>X1+|8;m`sJbfN$v7QH%_yh;q}ylLFo}q@5;k-Gpbm zSvnIfJ^B|&imO!ZBNG$P%0sFh52mJ0H;-zYwRA=L2`*i#FI{fUH{bn(`9NXaDzj`W z#K402su2guY1K3bOS>p( 
z2mXoanUSOm(*EQ*(}#xU_jJ~_A2#7U67d|Yd-`E|Gy}D*c8#N6UV7U;UZNRg(hBTZ9OYKNbc#8!X<9Z`a+Nob=s-=u2g?ce_v? zU@m`M(8iLS4p_e>DZ;$zy17?Kf@6pIyODeXGm+;rT@*`!7<7z@UdnLQm;Gd8>5S@5 zLAb!Hf00BG4{|UO0ehY#!P)ymXXxA#Hql&{E^5J%s%eEqpwrnJP< zwsO-5{SRr!%vSgM>BXaLWb94vgLOs(kv^4+e0=+vM1PuIo4QITM~+qj&Jq^bfOFTi z(jkG>ZZ6kiL3dr)q83;wyP(lPh~I#ug9z%+Qm`tYBCJA!NojVgNLiji3@w; ztNqu+Cl~y-LCbTaaxU(T7p=i~d#uv#vHjkm?TE(2c!v$mc(DRW=<({cHtVkHc)k1n z%%&-^-p@Sbaqrhocx7FY$Kb>5S?goTI-d9jBzX&h*ZH~M<&H=L7W*#$(+M5q*cgr^ z+h3Ts4NoffCug7IEyT}x5fc%xwDzB-xeUq$UuF@G`;rRL=HQBHrW`ePl8xU=OG!$Q z{)=N)naXLr;b7xbKPEo3YsP(Z&y*Wn`PqCt7_yYF4?!g#O_V?mBwv$93vLGDUbJ{e z1S4|I<80>416uC#6Gic&QQ;Emu=n~2fTEy$U)v&buZ%5T8JwT z%IY1N=vJq-gz;oWAqycf7H`7cFxvNZ>;w{}=`c1B}V~X%xKYB)TbI%tl0jm13`@7$x2_L@BG3dSdd^;&^ z2ug%O-FBk>`P74?dn#+lz$-5ECu?=_QW#hZ7rqxxyw!|diaxCIX5;Xghh(rT_;LV6l&5DadR)|ejqAk(fW0MzrYyaN`98j#7ZW=^WC?5zBb8FWk zG}XQ6_n1@C9r1Me&hOIZS#zRiIuuVi-jk=gukWv$JvaOsspwiH;922jw)d$8KIT(E zI`*IFZZ4&wf1Plut>0y68mSv%tV=`ADl%GCg&_2sgPi#W?4N7L6|gdygLvgm$AL-m z+DR$D5G*Gl-S^|WMvdvXjG1gcH9kb&QQ8pWJjOjM^%)mkvgz$=-u68KgE z{;znx6EoqRHXCz>Aw2H96WeEz6L^k3Z7keEdTaf0VencN?{e_kQLsV2)32~QC~brk zGZef*n$|)IYxCQgF}uqGS*tUmy|X9aSLLOL4$2St_*0QS9b{gQnxTVcSW{0W=DDE2 zbRzb+V*?g5V;sSTc-@$va7Mx5731f7P&+rPlxfHRJmiBz=|s0HtOBBv?ag?hOE$Hm zAvmQ@+)!pjfxfH1a3LZK<&k65yEA{)wX_ILY;z$;9nV7l(k%)9-3&JIQs#saBC&{; zuN3(6^ztq??73uk2c(0$H1WtjtEqO&MXY{luvZQV&eYL=G!TlFhu$O#;nobs*n-oR zvaG*p6hj*E=BSB`>80YIElPy8{l+vz|@X}!b7o*wj?<(7J4<%H1E3ovnYi@Bd|OQBzASB;m(BWS)Z8ujVg7#_VkC~1ajEsbeS!pdZ z(!{oPS^cHXBkk=XPwJ|E_||nh$Y~k{q$?#WoMi&O1q9)N>rccSEe!<>rFShM^|8lX z0wTjsOQg2`+M(2r-}Yi@L9$WxK5W-PhAEH8Z{XTB=H!AwH#L%H3?bnX8q8z{kz9taq|QZCyI%r~?rRpX3mXtu_ut1SX*!hG*R*o^cPQlvT+EhcX67dq z^hJ>gpkQIwS=(JF@l;c`c@&}>4-T0rX>@e@th`Y~-+5ov!qtpfa~ngq7^ z-JDtB^JmFtdI@aqLlS=c>c!>0?A95Dp3a+*b7s9?r}u088{*|IupJlXEngFd*REC4 z++d-8GSV5GGNx9Iq&EgN(_=P4T#8va9zD=y|Lm=82d@(vq9j%gd-o%JE0KJ>#h`)v zsM~H&FhYhlp1W4w#Qm;Q--H&Ero33wd_g{}C?zDNNx&vR8K*M7?HVpdI)q`tw)ntB z;iCPrblQ6h{vWsmil)lP&}S>N$fA>7Hk<|oFM!NRax05KH!M~Fn*8D 
z1K^4B0p~%wSq&pIz)*mx&+_^7ZlH z22n}m1%oCPrSY3o$q2^x|5~jfYmA1eoahx~!sCXhm9mDHG1YR{=hNc*h8CM7!I$R) z{mr*cU7w!YAH_fcp_+&eMGB*xH9^MT$m>;Q2k!p9t%U95sX$dCy2cm%oJ#g}a=G#q z11il*7Y@3+X?06Bul2LNee@p54(MzM0-ukAhX>ezmv?@ z)3NG<;HBT$M7Kva4DlT)=6&%=ZHetygTH~Mn1HH;Re=yARE`HQzHSZ?L$FLz7SNB1 z*ysEwL}Tr|#QEYHlzPXDKj($dSAtFlzTHRcw44u+zfZkjmnQ^YMHSF;U@p+m#eWlh z(UedtIiWvTCcY0ihW+Q0Z>78cO-5cEF9M-?aqfrH^rPW&fMs zE5Z#lRNzZq{Wnnip85E042$n-CKYGX-XTT17z-{MwRIv7vUUK+zcPQPN#D^R&l}9Z zA3jUs&B5pe!8Bey6UUbH1E6(5iNCUw z)inxc^?Gc8@1G2`koOCeY@htmVnN5J!LK!^)0#LssBl3+uxwDmRc6r@-@t8dEYq@M z1!u_5&T@;O8KB_3sRU&Vz#U%wC_N#yyhd-5ShNddigfs5W6X?6$yHqRl)qFu=I6)CsA{bs6vvIBdCrE*(0 zin)@8+W8}dU`gkPe$GaAWP9aGD1MW^f#N2K`g0BB52}zo1}6)kGoe8Jl|ZUIhOuxE zG2hhP@H}?dgo`5azkVg18Yf!-KZ=M~rD`Jh(Gl3@N)GR~zuFWtugi|htK8Df=SQ2r zT?RU~20G1jq|-s;;hc3Rooo_26t1Xa-7qnP{K_j4aM%!BeDvTX7Rtky7iJ1M_c0e zX|?>ABYQs_?i;&$d<1U2Q|WbZ>Vf}wx=bbS-z(`o{EOi7E3`W4)1!M&jWJ)x8ExTu z7I*@V)W9E@%-!J$KYix;oo17qucH*Gq4Pdz@^M$zcWO+6i2PrDd1|c8&hN#EC+J+n zG%zBXI>5a`Y&u!@u=t7_>dM`ek2PatcJHPRrF{28^9^|5Ho%}M=<#dgasKSUfqbGn z6K z=6UAy8_D4ZqFBA_41pmC_WtJKkO}n~hz@ZTovfV!OMSxQg#W6Ez5-^qd+Ri>-%|SD zgF+Z38-sZG9NylS`-E}$Uwy*t>uA2&f4Gb*2ZCTgP=FG58NC(=Tnjq}>u^B2ys4C0 zxoBX00;@9aZtur;V*G16_P+7M!5vLOg@nf3igRmSIhZf{=T+X01>HldbeiCqrNO)7aR?Y!efW_g5*OXcPq<@Ilsi>$upU z%Yl~21z#r0j~G)p&|(2s^Sfa`;h_&|-m zlv8c&{>k-W=^j}wy(7>zS0!yNNIB>eB?jX%IKpa{aN}Y?s49gR zX;A=e=Onlz;GYjpqW@~TG22`HESd4s18fL~JC-9mJ$o=@)@}XdONph0<}hUoqjkd&wk_MvLlDuuy!!3OP9CicxOn~vRE7gMX`N~mh4Qk*B&nUy z!3|eJCy;!HKi6DVNXpaPew^m~&PCGWpX{Roco2@XMD)#%zG=^9wdYgk0qpnEY>-&j zb|NuY-b%kUe-PqnVf^0VHxiWB3*^GPZ`>)OCEk@t^7%}t5(Tt_t&;X7$fPb!%1nDj zTwe}KbzKa25)wRlO41@L$9$q&Sr9kZzpnLO(}_z=!7(9|la)|_o^ zdmL=utL_$k^tOKfGpO1^ye!U0E#k=@Ur?2e9X|9OCRL@4k2vvaS+RD?q}bursCwsF zN^580j5NDSP}C%1(g)tyEKU)hAB7@s1)w>OC@irLE5}cu>b`9y=8>}ccYTE?i%~t1 z8@-4`Xn|$~OEAEaG6#?Y7uDsfUSO|v_%6ukldVcUp0ZMGJ zxmg>5b!RB{X@1ljHHV6V-s{RLMzG1}VBtP}xx-oO%5zfB2A-d|`SoO>|p zJy++iMZDTNx3=c*T!mz~Zy2roJ3nS9?*4Ag6aEhV@a^1oll()2Qw(K-RX&8LI5t-g;3Jc?m4T#G8Iisj+{i8R< 
z_ZUv&8{_IIp2ebFoo%&=T9LgD2zbR^{0w%ybh+p1&7o_YkgSTrT9-`yPr+vx0agnI zN(y6lr|+?rHTl+uEwKLT@D!d{ZD*&@MJ619xw807Bo;nkhR?EJDjfdD>X_6l{QD2Y zTnl^x9bevCD&l=G0Yc{=D`rA{qkW%{9S1+?2s){Ca^anD$}(v(82>hbQsNydY@$)) zUcqFU@JyveVutWvy5QR{ znvq8LY+v+x8u4*%?kzNF8duM!cQ!mrw@BTf^RA25*oMkQaz6Z>zgKlkEhSL1LQK6v z_lu$?3oV^CnabibeEz6<{^$1ClRH%%z3RB>QE~B8+$hGoMZM zf6L-Z5r#7PEvMGglo@@j1)Ra1;M^Bq`+fxmo-brq36efJyPN6R5l27L4+DNq2eP6l zHjf@t0<=LC7q{4f8>*Np9F-^^Tfn6H%4*5s)B23z(g(WCW5WEn|59W?!R0h)65U+lh1=iI^u!E#D-Y3NqPG!78x-bARr{8% zv1wk7Yci+|z0(84R}nAblUG{47~gl#z1tqecP*^J7Q1!-cAa5yKv{)K7XLn#>7HXk z%HR@~Qo$<1uE{Z)82sA_#iVJL#gnF!LuuWW5FI+-=5IpURi1Xms_7xL+udnqnhzLVbh64a>=HWr zSOc@GI6T3+-MZL^VyWfvPjiDZ+{~*V21{#E(y2}=n}Iu;I9H@VJFpCqN!gdKIC3{U z@R>~wNc)%1YIwv9Hnm$*TswJ!KfIctfcZAHg)Nt_^)WFgg90nX*2+w!!$Db*vyJ_* zm7pj(Lv#uz=Bv2gQtmnTGe~sK_AUGK%@-6Y=TJN4U`Tlp=a1xKris4cfc0}`PA|V> zk;jM+%2$=u)DvC_gx?gOau}sHhG_ z6H#_kj;SeKjCnh4d=Xv1N!E_~C|iBOCdNDh`Op8=Lo^X6Q-QCSkU1E(r;dsd+oMwh ziJlrWT0yQ6n`q`%pc9_#BjP9L09X1`r&UR+>7Dx@8*GV+U2cZ@A*jTw2Zo0mPKsHL z=+bgo;l^^Dwl_SCt@Z*>#z7_P0IIRLU8CXijZL8$5mk%o&SEfNz zAw%OaF`i@e){3-$@V`^AN2E^mQ~cZ$U|(N6Ai}e4SPL4d*@)XWhh5y;ZYoOO)9%M& zCuT53rCymF^8A)#8a))nxjCPc+=K}N;i3UZSTC7x+$0rKH3(+TDw?6XX3D9a1ngqD zRB-O_=MT|TEL94J33~I9c3Q%PeN=-V-c=AA2~Sghx8NK6rN)esG zQ~q{zj~$Z3iC=69u!yyMs9XHBfQIiU4u36!UhADxh{*3{WVV2c ze+jdbNhkt<6`kAqVRusUKzbs(y5#8UhQ8MO*XYi3T`Uu?qS@a^>m7lIzao%dSMP=& zfr)kZYH5^feTu)vJGM&CXVp}h+P4}XYgceOcN2^o{?{G4bW@WGWyTH1nva$9^LRO( za&!o@Z8XfG3(IKrI9So+5I+t`FO02FH99&=%HAgiKP+1x;Z1t4wg$QA+L0nRuuDyg z3r7ffFOZ2=(NO#T3F*&)+j}Uoz`ZR(<1#*+^mfct3jMqK)bM+f(e09}#XD0^65i zRtn0uSHDmSk}TN+4vx40nL_uyi$ zsytFu&KFk4Yiay_oV63G_92@o@I=MO5mR`1h+OL!E5lXkJ=|3O`>`}UFNgHd0}>|U z?ob2dvC{2>j}qnPw9;Ae*nmfB@`!{7nKqJNcyeubV|ac=ypevQK|ZI@6x^u6k40S% zhYotg<6min97%d~13U5*)?C1U)^A$!Q0GTXHQ4)k4gX5(250Ho5$=vi^Lq@BsNfnw znw;qamHnDf>ev1Kw44&8<#oliyn#e-N4NklXhOS8k`R(y(h!gj+Vt>-eEVVt-T-+< zGQ6T+P?UZfUh}3)V?RPJFd$P!tZ|O4rHq!{E6eGoVr=4V`p0;D-Xc z+3~{K(N+by`KW82FneE*F6mKXT1vOC=n<+bj~+YCRw@pL=lM93ZE4BJcqJzkE=&vE 
z=(}(gcp%!}A^vsp+E_7WTgFFnR-(LuAC5B@0lHgjKx}wF1g~1RlyW;Jq9nM>D69>8Y8 z#aM=(Ow|}S9HX>sg=@n)Ge$Fg>0Nl0=pRJy1?Df_qN{@Ii>bf;X0X4V`3c}Gjt@um zpfX-_I^e3F=Z0rTS2&wx&Na=soGzD(>!{*BX~U!{D|Kk z00f9F0FV0_!k=BzzK0qdepc~pRP|YM-aRyq%(6^@dD%1lV6Z;7f6mGm3AS|u+xKAq z_4o%$fUa1xtEuegENzdgcIDRhA1w3Ih<($v)0f9z@U3PTv8*(jS#$hWW0H7=vqPsi z4Xe%I&Ivx8GdG8CspMM);p<*ugNN7lJ6IUEZ$$ebr99K$u83lOe;qTiIqKc z$x4uOU%BZDZW@$o$(kn{!dWP1R< zlU`GU#@!#ki{Y$cRB?ZlVZH)%zJ}HcGhLYjiM}oj7xC2#O@8Yh(FptfPI2&mAlvR| zm<~rED2}ElD;rmf&e#~3INVVw(jx38`!o>`>#{qi~|H;z2-CI`PMrO zHix7ev*8WKpN~!_PNg>|lNHYT4xvr683?Sad=_*?d*H?bH9HFB?l5UCXB z5VSIMBtA#+J7^t`o*Iz+AiCO!$nBLEsR`1}KAKBBC1dhx0opHfB7I*~_b9vkjFfQ7 zBUKYLN{SqJinS~DJwfz)qUZq}-MqDw?LC>jO#apR}$&m>(664v1N<{%XkOWR6YXOf-*KQzxr#q?*GM1YT~oYk5ZhmPEW2`3pyJzkk+ z6jx-$_SkyTs&B!!*X|wf{SCZSR%owk&B0Zg_4T#Q@#rXC0(5tErxLRnl?Ac}(ba*m zWT{l?1Ls|9iL~H|0` z(jC%BcXzjdbax*3&Ou-G<^J#e)?HVZn>EWl^GyC`p66`#xxrcBE+%|p?zwrSb?uoe zkg4=Rj0Uv0X-8iAn`{VieE;X)Uf-J=5|DqdFScvNS)Jx05Xi**3A;|*A}@;c1T$I3 zl~0{R`1SXQQ`uUrOM1Q*Qm#Dop8`%6NT_9P}ik5FtqA#cO%DVfWI#g!6&NkhVw z{4KNg=5)%bdC3)kDrC^69R%x{3=s<4?_#TDe63W^3!R~y#BjAbzpcHJ<*^w+;?EY! zAFy(nHTSta5s1Cv18iIm+uDfj7u@@4Cty2nH>F5rDFcG0UJ4jYrX+QNeozy=ZdHl? 
zA((C_ltE<5o!P6naVNZ zm;JNd?}|7-;KVztto~4-bFAJ>(rM5XKxVhljVoQ9I$0s(2BRU z3Z`l~g_AG3s0AvF;I}9 zSBX;>tqadb#!hPI5aA(sCEDKOn-P>9QNRPazcw$?RApY#B682rV@!}yjI@x!*P?jy zAxoIvs~{~hHm|WeH(Lm&_jSCU4bECRDJ#92a#20YRPJ(`PxB~REPM$IQv@Ya#rwH; z42cMQq_=#CoeDy<& z;K?x_R45yXzL?v_HZVEqt&17UO)BpB&`e27=K`k*H*tcSlDM}MFdFr|H{ebshNRf~ zSr4gx%{dxL#>cl&;A!%z)b*p?2I(~;>y~2)QZ-+-+YE?R$NHuuuR|HS>i9zmW>UtV z9`al4T?f^r=((<71)q>k*d}S1(*&pP*RD8Gp%{nO=rO)zg&u~#u(Qe<+ErLjIQWL_ z+)uuHFhKCx<26LfU>HEn*yqXt009tCp+`9$C@Q|$7Fw93cMyOiSUT6F4krg^D9^0tM{Fv#@g(u zrF7ZFmG3S?+twCYUiQp&iP4&-u!qaLChNH?G#yC51$?orJQvZrojK4(wJFkYhi4x7 zz!P8n+^-67<+~I;#ke%OS(%;v6)qXgz^w@5oy4BytIcn7;r++9IRulv1_(_m7jvSO z=6mR&d+0qBJlSh47Rqi@ADEj zY$A2o={}Kp=p1Ec=Y*anH~5FA?xYyw2Vc$-!+txlwxZ|p+&m5Eamo{ITJ`#5-;Nm^ zIGx>`ysR}?bUIV^)OEae23$4Gy>j9G1s~yA`xzdJxqUbI#Cx*a}j2?nupANeL)bPCw&THWF1I?Q#X<72uZeQZNyAPO` znTLHkc#(4emxP0>xnXlg&TJuZ-)7@f&Mr7A$841~=$-hNz}I3q&f871wPikI4zaC= z9{nKwdgi@K(jmYHXS##5Y8zO8_y!|0O5bV(+G`RcnQ4BmHYU5|n@%;0=&P{Vg*<6P zCxgSf=di>VpD${k2M}MNz0)$R%&$p#pJ)s~loy5_Z5qN=AT4rMKB=en@?%61`ItpU zi>YP$!%Cjt?xf0IyS@qFY>P5}w-k#Jt}b=QHjUgRN32|OD}uuzc4Ja(GHK|am+Vv@^={Fqz7OBj50oG`m?w8A9&1m;xEM^sZnuMJYE zr{!|YyRvI%gz|ZR=(X{>q7{EZc|!VyqdX`g4UQypX8ax5+2 zjkm2faL4PcXQUJZ+N@QHF6J+0j8%!Q<|RvYduSEoNrcVuYsJVS#2tqjLmDyb3t^WR zw^4x6Z-ZDieu#c)`Xw;>+P=Ed{ZuzkY1WCbpi0BHcS+cp)Z@R>Y&i19%p6ztnA|Z_ zGc42Mc0h4wKsZL+@PB5`IzN!_ITFwfZ30|6qSOfEteGH9AK*v5atL0=m@iK#jPtyi zwPzIOoE0wXf983Lhc47h()c_TOE`VI}%1DA-gbqnBT|Hz_ar40KM11eGhM{;}EuQ_cwjj zv1({Eer`;tIg;WYvL~$2vq%??R$1o6-N0uG+~p=(ZgX66^0oIXYv(sV*||4aVKos< z6f-hfN_!-MZ=E%6@Fsy@ooRW?z}pL$DkxYcwPVoB!$n5xL?0!_I>claLXkHTwIDsf zN2EEkDPDWZlP{YaWeIY8ygf#(p#=JwtB~C6i_fi|Z(8x{W1rW37;E$};AFaZ_S8wl z>dd~bv`flfbjst9VceXTs=w2}WE^@uN~X2jr{S~47W@g7;aT69{)LKYU6bc@#)M0b ze#*@r@VQVYWUVQ2-EAJfJSREzQ?z(CAH}p>sR(Mdu+wTmA_3JI}m^JU}z4QJ6d*phvG!*AMV+rngaD2#+9pj6jT2S z;Ns*Qd9f+5{Xs9onDMwlbE!|kAN47j4Zm^hkmu&j`tu3~VJk8m=x&J)sMmR7Xgnt3 zVNeA)z3-LuBJ!!%7R}Z&J}w9#DE|2J#yM-`OK3*-7#PE?g%8^^%|?S^t>*BH(+D~r 
zBU6$WgDG1_{!4EmAgVU&@f~{cf9S&BdkgTwbv!)>h06$`jS;XkXB2<$#8-N+X~_mok+!YK&57re4CG!%$gS{s5M( zhtP=S^cgJ9?vt!mnow?Hq+J=v?%neDLhs}kCAo?FA-RO#sh5=UIQe)cc~0`3ltE>< zH%`9qwYi!-K-JM*iNDkOjv95?r(?aLoM53%A}^{* z_(9$f6q5kzI925>iS$H!zucZr*sM{oec#$K<*y~7p)MKn5hZ?hRhSjIHI@(gyh+GV z5i=jlVgx-YT zQpbNtZN0U-d?j?qwMBZ%G~EXTp2HV6?>g3E*VaotK3x!!^3&un6eYJ-Fi`@hkBZNj zorO%U8M)CU)R*uv4wg*37)8Am%4BCHM%fHS|ET4-VzR~p7Rj5m2jw-nQTn;(731f< zc-Fp|IV-n*E!MhV#CRg_u?j;7DO1y?re+-5OJDt4Lo_#>UEuhIeuO!F@3Y9|Gs|v+B!Y zIHWiLf(*;u9@BeY<~}Dd%EA)duDennB;QMWVsh^{@k}0nk*RWE&~NYy(stzZnUlUv zq2DLbka6BmmKw@F#3DfJvB{t?52ribU`NAYLHcZ+93chq%%>q)V=EC((Nn`JB~gPz zYL&am1m36POT{KxZdZcTDCjBX6iD3kHg0XQfMKNuG*d$xq$Y=E9Y#tz-Mm8ylAQp^ z;4ykA+OXZOQ{Wz5&*8(^o4Qgi7DR>EW9;&#YL>D7gu-_kB6u00x?y8^DyPBJ3#~;O zw;QJxvMDvkBk3Un?yso&mW@w$$*bE&2-p+6y;cJdTw7KKNt+p`fmloK-aD3{;1z&>ie6?d2}B_-2K9f! zSGF>|a*7}jOmf56UBLiOGA3<_uA;dA_A_Tv$+^}7s9U`&s{;80cvC51BhRGrHDJfE|yg> z7cz^L3&*8659fr#5NGn)u*a&?_7+BB&tF|~T| z=QzS7JG5crp6zzM(dT;ir93nooqE+9wsnS*vNWdtWiRqGyb||xq~}B5-L>!6&a^!| zE!uf%rW_bTNL!9h||5AcnJ5lj~WQNmiy2sHI z3LFtl#*iBC(e$`x*44y_XmP(&sRp4pXh9OacJ0wKbsEtQ$}Ti*;m;fq5u;;EfuI=S z)$yYE53r~(%R;pC!4-AmND9nqgR@Khl*^(A3E{;-m620JS9sTG(JUMw zJGM3Z2}v_3&uuyl&++M@UsIcYC9pJ8g)#MoOJ3Eq^+RvUYk_6>mF9}UuRk1NdxQC3 zkFc#T)z@gVV72oZq31NKj8^%mX%O|@Syo@|bzPdcHsG{{h&VG2_FT#M^h9PdXM1pV zzvbkMoh((-siV@lxRd44q6}Va=r$$FNM_(t+6%2~*bF(9z1l@?W9+skp2}1Hv5>U> z>;wb4@`#j@?E%6V3=|6yW9&)>stVSubIkzT(pMFY*5?{l+X+{1aXuDW=D5E^R2iy5 zd&fKL3OiII6lC|BGYh^anSsaifUol!BB=hfv>=L5ZvD zznQqcQI0WGTf5tRj;Me5rNS4~8nSN(zV%eEp zp+C?$ojl~>pT#}rb7D(hdvkyOeJ};u){C%z)4#+h1X-qa^8sfIkp*5!Mx7x4-90pvY8 zQNC#&pkja5%84Zv8^fQM2|uDv{w+fy$slGd$cT)dSqJOsYrrqHrI?VmfohLGs7=bZ zDvr1@IJ;x@P8AFDY{r=FMI4uFs7&CusIh?3%_dAfR_n?$nmyXL0oWz?M>UE!?yi}r zle@ga$Cow+YEplY8C34G*giHgr(1fG~j*9g91V(O%rvR%3C>+|8X(v%MEbP z7o5mx9=B}CtTt$t-V@c9{opx+e-@TqQ7o0o) zD0`4FW~KdF{}v_RI7Reg_-tS>VJ@=Q!_#++wsk2D$1|C<0RoheDwyr&jr`{aCm19j z6{+}5M6v&V;y?>RIwI;A0Ab@BEpl!QvPi8%+iHEx&=6Q-7EfWpLsoyxO4L zA}i*U$vJ&2XfnTwOFL|*tp(F|}H1wW!S^g+i-|8t=FYh?F 
zI=3S^;3JrvXe_AR@|?HG=>cv;-uV#kmRC#jm^&;H1i(xi&rKl^QaS-&S2~m&zdH|! z(}dk}g@L-14NIR$n)*}sq8C-{QbTD|6ZAJe^Z3J#idJib)sk(JhjdeH1g+)&ZV7NI+WOy+^r_z(1rMgu=pKhQr{Vp33Wx6UrnGoV#tHl zFKiVrO|eUU3rxZ_bClvbH|RS#BiG#vtjms=J8Y-gUf{tZLY#XWEUGKxyxD4simJk^ zwL znZUWtGlHv1Oq1Q&zD=0BinluiGYLI@DVGtB@=xaIeBUzpP*kX;^xCDoN?mPT3jflF z!ts=N#i%o*#USz>Y-u&HX)m)O13T2&YQwWjM2`0_Y@R@Z`t^2UuS%gFr>K%Lf>6OX zLC!eL{K$~J7)r&&>m2|ZhY$EKr!}=3GJGO3Ay}o?Rp*hMrAKdrE4^3DMU@(WWJodE zi>{4=7k> z8$+2A%L8Bh`NqYrImXkg)p8ntm0=iJ0=Rt-J>vM1>YK0@z)0|VHFzZPyG`~>LV`Nj z1pr;PPBW^l5XX0&eG}iCGKtA}P8_qUt%^niq1M2Lx0@Bpf=7B=WF#(aU zgdvy%B@_vxN^&JW1UXo>?bm!nwUq-N-kE52y;vdbpAre#;U~F2zn+WJPD-2ToQx-z zj)iX#pQNif*@vZbjw@q(D$_*gdgOZF9L8bL_c{t&RC$Jg%JNvHv1-gOsd`(-v22d; z{>ZFOt>~a19epga1i3ncx2DauH)z%X%?)>V52U4JWkeQI$=qis`MkxRi=90r@j8he z!XkzQM2TQ62+@N49rYeOadji|QRQoGOwp};DlYMu$h!n?uO5S6HJ`y6CPl8x!J=33 z@%a`T4{HbN0ySTSM#4d=@^tqJ@LfV!s&VHuN##Gus_mr_C` zXV-OvHrDL*SwCAu&OM?=o<-s~*M3 zXq>fTyZ-p@U802*TK=B&arpcA5ol1GDmQ<*U5|y9fL0c;!XipG#7x>p+Gp@qA?^0Y z6%BOH!+{dZ`YO&_v?nh}I^Aj_;JVzt>om)GjP3Dp(Ku?9@0&CFSwV#ZA1Q24^lK@( zTT`8gm{k*0fg-ZxvXZq40n~v_ZLlHZxP{gzp{_H+UBW*UcYj7KOyDb+nf-H<9A&c{ zwwUYBOERApa&dUhwK1AHntf?NW%R0C;m{XFa3o)AtH)hQmo(r!;oA?>#H{#W%rgx{ zDc}hBaEx3Q&(Rv=JJSdo49Cut)&YeysosC6yL6Pc7(j>CdUH)yd?LFc!|>#pZ5+wG zDH#Kp5nSp}$j(1hRyKjoSR3Tb5*_LIp#AHsr@3;dcP zIOXu*Bw9~3eIfmxCk%T*z#w3G0&)<|b$FRp)`f7oNZm+5Q&n~{`ozK>`z}X*|K5cL zbcn>ms7irKO-3WHlv_w8%F=}gr=~2n-B*b=8trx3g2@;5%&`bUgiHXm^C<{;P1b{v zYam2|t}gst$FlVJbC@+>_sxx`mi-5>j(|B-U8E?mU>*7mWtXsAy$N^RTV-(lke_Cx z8x_i!_=yQar{@j7jEKdVpkl+s9*d4`wZ>%Vg#EQqpk84RVS?_&8R_;_M&+2ci3;YO z^ZGV{a*Zq7Bpl}{I?`vvv3D|*SD0-%lwkVSii7A9YBdIxow?P7yoKgr^m!keT@Z#- z`Yiq{6zE_TKvALfHJR#-l2T|cr8%iY0#SL4ZBH)s*JBl1G6sFPhlL}}Sy{rqW-2no zqJ~Ntvo8C%3#P|Hr|sTx5*%)=h11V@X4A_M4yQP!Mu~DqO^Z=lr7?)&+P1Yi3Q{an zJS@xYI67r3Z=@2;#(OzQ;<0(NYl{t<2x_ z^i#LpM>e38QvH=Jc5xi7kun0RA}ma4bx_ET33dH~=S;85Thi&BS|pRqJmF(P(KIxW zImLVZq_)P!2Ih}PSMTt4cISBD+Y-o&2s9d4%7{L=K7V_F;Q5)j-Wsj>A)!(yZf+N! 
zL}h{EPzw7YlQXSM&|4>jk{n(jcjy$R z_RP^17SmCFjW^p*?!0$itW1GXtU}c;haF1tEqkctlJD;s91uWQGgX?9TPDTzHk(0| zWlePms~j=G&MiSg#drOV)uLK=>O^N7D;oF_%W*x&cC3uR0%(y9Xr%Mw1M3o#d&luc zuFY&pa48C16Odn7sH87+?>BsCFFa>&s5kG1FFM)hbu40^l+MKP-oqPLhP`|fW}>!z zr7>t9%|za(keN)Wa}A|m{%gwmsDZ~OnbT}U@+`ro2Dl2KVCCELlePlX4P3@~axayK z*wNf}w#-w5>e}rx5;o69D=k?WN?yT^lo@|&!*YP$%<<(h@~e1_e_&^GrAFx$boDbU zD2nvCsVQYI-kEPuuFpL&M=q~s(Z0g)iDYe5jlPpqb61b8JZ3A?e+^p$tV+pf2C*9%i- zmL?kCknVW;16Gkm@Y^;pPPl-3Y*-Ky(|AzOaoU_rYspoN@qB|msdG) z$XdZOL)`3uAPJ&~Y^qiV@A8;*BXi;VTyJpEf7%%}l1(P|viF@lW-$~lV?Hsp!1>(O zj0C0on$ifJxp6(AEc+fs{X1xy`9&Tbpv~R?@wIdPlA>u z(V1H*mN6f)u>+Qmdn@lqeet3KC4XWSa8BYfzmIf$=d@r1JvuyS#BN$K$BX{~jzx+d z6wB}0Q`8wu87`d`jt3;|Zwx;LvO&INmJv=7BXk0+=ITzt=(wOh6oVIsOT-h^N*uy~ z+!SXIV^ocR+1>Rg7;oVT+pFn5-`M0CLyfupfVax)JUY)~wGAYn)pgEY}gw~3`Ow0l*6F;Ye>rc(~}vM*%I z<}>`3C^}UL`A?kqaSa>%8eI)cA^0#t4t)T{EX8C8ml2ENb??seIQGPpyx!#VK4V2? zzx|YsoD7#^!0X!)JFZJuE)+8c97aU#ECfVfY42wsRZW9Ft>Ty#t}PhV!4z~c#1lUR zTJ|%#z_vu89GRIul;KAqagIo-V+*BN!HK)AS3XpNzXC0SB8plD_7zhf3RQK9^*!94 zjkIMu-|V_ky)3R@GT9T}3jH}OVRM44Whe^Eny8%CEur1c^){x;MNF7Fe0j6ln4|sL zil^dbR%ET!*m8&^=sz^)3w|UHVptF+`R+l2Mitg1K%tXA1y8}2V9e3|#b(~(=cVOV z$01{0hIM1I+>NY8A~mZNC?jI_ZppyoWb`*h%G5;$9lnPo^j2-fSIzN+z>_Fb176#B zLWD1hjO*wv3+~|S=o6BCqYe!__025T{s91j1+^I>26%G&_ZJs;v;7vgto!rjw$gg= zIAPKdZC;>rOLoSruQ|)i=<%ugm-PvSk%>Ja&jVSXkRu*`4@hT6UfLTAVI2`Jg3SHZ(vB}@@Ix!_~&%giCR5#pP? 
z564^#B?6Y8w-*Lh&pqC{BMM?W3Zs+cw{hW7<=;UNN6hoiv2XE&_234E7L|?Xw3;W-t>?DQY3XL zriiRZejGw?==G2gTFQ~^b0wbw}wlVv1nPR@&;>sXCVf{5OstE%*ieXq^OS`>LM%`T7leNCr znS5$nPR%do?Oy=N2CW^QjOf~BQ=LVDJujUUg1gf-^g3LE-kLq$two20#Z8ocnU!2X zsAUn@qWyBllX&tc1d0#9L7!ZJ{5aksh0@d4YcZ<9B!sS%t{D?p6{B97xaOb?ZjTXv z^UG2L8ryk_x|AD`rPC5Pcw}^!Sun8pO7S}C za05Mr`w?}2t^MQj>#1-;?&84sfv4!B7%lbOE-!dECjpi-r~7A(5JvmnZvn+Et=Yv_ z%;vj>d^4~OlDO9B=BJj@>J?DNv0i+1@jv{9I6_K9=F3VKj((je^TaIxWSVSmfG^?a zBT}1kA*h1M*25FgC=!yP`vfyQ8IqYPh4#@o+x=6v1d#xlu+*Dtt^y_{`}-4Zq>Q3p zGY%~SlI7Y|Mo}7hBMJiI>2V2yqJLniW1S*=g*}&97k-&ybE+HKCHljDHoHXG%t^Im zGDe*00$CL2{9#DuS&NVMWe$|$WELt=c#*cjkZV+tU+&_kv@gqP``po=1ku$Sbcou< zh;;sAsx1Y$(x+vd&9$Vtl|37krxdmwdO~v_x6r0 zxkN;TWh@w1m@85}bKQ-M%06RlWSABgRX8U4a=I!aVr^UCxJBw?9?>A`2Q1q+>UgEf zdXs?q*H*rn$=l+#ZBxZQm`cv>8-Vm%>xtNz3A(%wTD@F}QBvC|6I7Kj zEUO^v&7vwI9aE>)R1(y=KlHy6`qj|d_`+m=ph%t5(KdKzX{fq9m0W5YotN0^QMydK zk3M+WcAF3*^XwKi*2DWJ;=M~vkr7kt;i1Cy;Ds= zXCZDEa30i8f9~Bjc{_Mw)`#0#t#!9BX%|{Y%~h`nVm&s=mIgkgV%u$kFN6cXzkv4P zGqnAI?v<2F!{LmO$2SiRfB{Fm_f}6R0Z>1m$=Nh&=W*@+BE0?hR-oLeqM{#lxQD&W zKR>g`NJ6bXP8L9jdNA(#-lcA7JvWT`>8iHyi{kP9B)==yL3u=_?7FRC8V4sbr5i0q z5;?;{d6A6io}8tKc9x<^_m)7tD`~{r9}(*wQ2kl)txTNcLm2RR`iI!GT-Wf+REh=? 
zQfdnJA-39fyPF8|)(MDFhIUdZR2T|f-%Dg1PS?IDW_L%&mu0TwtTr}|k6^fu;VF-AC zvAzV+53F0ujMui%i}qe5|0qow=JifN3=i_RWQc>>=6^}%1HQT!n?vEJMKp&gk3^?< zUq%1-%phU^So9xwf2jp>#{YWV|B3hiub|KkNRFy#I$~ z|6$!~VazTO!Mt2Z+R|tEC$mm3ail2x2nc=tF)A0L$(8xl6D*G3CDjZ;pBd%_J@~Vr zGT?9b2R3n3ze~mTFuu>06T^o@s0St=7RRr0qCTu+&(PQLV*XuFw1;ng2096RRusCFo)V!jtk#Il8cxeuH@0DE(upv`^}IKDD4r0u`g7I5Ku>{dL); zZvoEllKsjtD*oathr$CGl{=qtZTOC1|Nh@fj+_Ip@s;F8F_76Q`-e~+R z7nZ^#oZTKx#u_}7-@&Q(Ckun^+hsWPewAd$#>9$dzStjwYTr-*=?IWk11rI1wuADd zZU6XkB{>5|A=o~Q801SeH#NG!fxtfoB`4Xp4g_NSbcGh{hHn!3U;46x=$~nzR&O>4 z$4>FPrp#=uK=ePRP9&pS$^5nGJc!PGKwSS|*@E?CJNw_Jl46Ozq5@um9>R}Rl4#%i zZ>4$B+$9{zvl(Y`r`@QN1g!Ef6QTiWDY2s?0;qxFem<3tUytJ zJYoFE6CnCm3M<(U)^Prv{15a4d=tFn1={*|4y)pAWqwlq1;L;+<$Pq#zvG(x$cf2l zN5A^uf8qto`r`@vN1g!Ef6Uo%5iL8AV60+^G(n-S3SgFyOc zBkKT`6)+NiA;<&$03bY?Zt|=f-hbKp2%9F75gu9d@3=xgaw0U@%C8}-9B9sCULgI) z6WEVD0iu7K^YT$(3B*8v1ZpIp>iA!=f<*oHgr?2EJprPBL8;0>?f1XR3b-DKen1eH zn#(e?L9)MW)w9iv5(HizpbMl@+#_rL9aqUmPLz~r|21g-Cti@OKc09L*q46?R`V~s z1SJypCv{-r{sed>d(f?a=fwZW3KI3l6F(k#0!aVC(w;{U0;C@hp`Os0_?Js`TBzvjs%_?T7Qf^9)4%H7aoaJAru~#SN(9A3r?O7i8QYKm2VeFgZc$ z|IVcUVhd3Fe{d-`(f;pp{4ZUu`7aLwx<9_0hl-+llQfBOOE zZ_EM`|C(O@4TfHi;s#Xlw;whh=?gOMw;${;=Oy(HyGFUCFcsQ9AfKobaQE*{#J#Ek zRC(Z#4YWz+`zL&F-Cyh-M7ZYdoKF0;wtQ zWF6n#^6Gy05`f|M;({Le7|?eEgMaqj{rw>v_hm5l@mKBMjf6hn6~LV}8_kx{n#M_OyZIy;|);p>UZaoQM0K{Dub4<2tFa*{#V_7x$c=K^Ci;D+EBQ zDwT2zVKd&=bS=xi_?JY&$>g^`Qy}x@|BhMV~Ww({*&eiRz=u|2j-~H0ewUNWU?Va;o_`rteNlx&P zsU~1}hCY?XsbQw;psQ)$bHu$mIbmkc)6jmdHS;qQ|fk-{IZywvp4frq-D*r7MBz1*@tvT(?N{s^*W)772X{i4iJ z6(RlkkXgg4CB8hB`|^9-s)ozUt;4;A_3eF)8{?Cy0juh(t-}V{f^y`7y}gU`RNjrG zfnv9fH2~zjVP#$It64%jhuS(<{}OFY%c{D)nGP$@m2yCEXp`oxxdZm6)N|{zl7YK{ z$@6W!`yO8W^|rFQn|gOrWns zFH)Jan`1)(U?MU{RVR`Op9M z{tDyDSqDX~@si+%H4BZWT6#*>r!qPTS$BHMd^Ykf#M%T#J65wo$eU7Gw+S_xwnAaf zmm}!7l&lcJ2%YD`pPyBGcu8C`r{!~E%V8jLnJ&IxIAFL+s9tmQqjin|UI==%MP;lD zak4ao(^yY~tV67T-;Izt@A~~#9xfGY zj7ULw^y8$0018gZW-{ATBHhv-gpff#Q_?Z(cQ>$}MI;dGJfBhq-=AP>bf2+MLRNf{ 
zWMVmvwdPaUQOpK6Up&1ItTM92gWmKyKTgE$+DVJ6uM{JyE=+o&BPE$~mK(xEH0w)4 z++#s}i3L}Q_hq8b51y*Klt4}`r`3Z3+Rf+-rLog#AUwG?c^VW4EB2)F*>Q9}sof@i z&Y1#T)CbNchL>^pecYf~*z-#tK0higEkPX-BrJ=;72x})A_|5{7lX6fU^#(&oUy|6r z>FHeSUh&1FIuOk9A${UVEb~n`;)txcry>kCMs_t`(jvp@0I4;y?i{i6A<%!kH9Zf!8(!R(J zOL@%LewzZm6DjKLkMlhjyTtp8MJn*8rz4pkHWV{=i5uCR3;}kvtAPnit6t9F2r1OI>jGo`6+V# zl@9`im;0oN_lqJmGJjoq=}RX5@r)w27$lW^z}=l#etBE8@kq1!EjNZpr;hG^1Rs&`36@!q&KNp+Q+_wr-2C8!FgZNJkRx!??{l_S zV9MZk#znYl{v3ffgksk<5*zqpz$z6@c1{Sh=vagZ$D+c*r?L7x1Ib=FWb~P4gO`x~SZwg*?I3WZ3A$Z)A$g{a zkz>lDymXYg;ZaE0D^=0g|CzC=nBF@G+OKG|%?z*L^l%ECH7+USP0Y=^!%4G~nQOq- zEzxlY&eeO{(|gwesD;RETLC}UDRzf3fJA$c1CQAz8cGH;Ki2ws?h@J3Cc92Aq`$r< zmxOtZzhWBcB^MoM9M|$0JdXtmHX>50&;m}j*DFH!*34Sz{bC@7g8duMls|30*#zPl zB?B1P)1P0BZU64Qg`qtN#P&2a!VB0??q~uo2w+iODxu{)r`nE~%^=xR-ll<*(VNhL zA7tZfYHYOWBY$0Nu;qxp_tKgB#GRQyyL3i=&=HEK1XXXAja-~}aw;T?@3}~$Y6eGt z(=Y~^W?7~h9+O8>Q3&^d9L|~`75PWQ#9~x`juDCs1N0%iSaXDL;?t_^4g>Kau`GGO z7uOd{IIl5?%$kdJUbB!or|2qig)q+K*-6IIQl=$za^Sb08OqHxk_BPk0>4Y0F z$V=0)0%s0SvmAdL7KJIWu(Gtf%d9S+2{<}4t3Y?GG{#uvBpcxbvrgYyy;Uu2qun4;g)A$O zTSPRhA}5u$lW4tdE?yuIO@bM9qMLHy83UF&0Bx-X^@?KSjPb?9Fu`WN4wJ;|PPy3r z%TR^LEdR2VYr{A@Pi3{5=c=y(ZchoQ@!*Ch-aH}K80fl|^2k;+%t>=CSBmm{vq445 z5jcz`tiRx}A8M2+yI$&A(SYF&CdX_{mr|a>jzTzuyeleyNC0i{7K!x!(26xj&9^LH zU(H301sAo#K#;Gkpt4?vC59uK@mX*ItUpbnZ~jJ%nd`RQ0Q=;Odhra_K)q{Oy9y(Q zgX9-xB?H5bEvctkmBgOeLHSQP)HM%@UZT7hYF$a~qmE>&u6t`{mT=7)2}kvj$+o8` z_z*j*SISnuS>30g;+d+lVgZgp(s&HXQ$pIN4mkAes1=po6gFObo@ET~ z0vgKD=5@QQOBXrLl3@P$rR6RI`-1~J;~4%tS(k^1+`_qx0Wi|NPcH>0*==uXuTI!tJ7u;Oa=%0lMgn!?n!u!g?+f^v%L-Tq)w>4%JbwTw_;; zMNbc9716UKYF7wR(tiPDuuETvbqVA417>H&*^Ca zz5+8WL>D3AZJOnc*Va8UB{%tGD&6&n`l+2L-$HE^7fcSxSz6cf$jp&`czMVke!;xX z#-ZuV>BWoZkg%En-d>~v*!KoZCB%SE9`H%?XCXg)fttL_mT!TuEz*2SRlI;sz_ z;|hZOq`pL0VvyqsE<}@}r+xka1;I~go|-?})OicDPQ!w-j}i31)$0jiKJ*Fb%oQVi ztag6C{h<>hByA^%u$ib^Zu5gG#NKFkH7UR3Y;yP0(in}gC+}*>gazU>i0Os+5&dLP zz~I32;P6Z3n?uk@!Du7QKEzrEJ3hhnUZ@wwfchdvO7*Fs7y-H$Q~OIpvy8!<09b%8 
z$`{?aFJkYeu~5Zcqks!nxoiwNGpFLNaT|}{KWDhY{x>96i|zz91ECNL0t^fR_*2`? z(88YnCFuG&Qql^75s|+H%}`q^uN{K1aJuw$076aRMn*z=gns+!dFXUAkqN5geM$;l z2{OwUM?CwvEQ?NtcFh@O)*`Snb1Iz_+jLcGR!M%kG?q`pXVWOO>nCL0bZu6X)l&Ai z;-~NtJKyXp44vRH&cH8=+Y(76UaQa8eqffoADAD4A5Z*TQn-7Y!+MzAe{x3jDP2_9 zhW0cfQ!3aox`a1np)vC$OJA?Td1>?hWH=Xt=c?&5LssDElrS8*b?FuKzYWEH17nv7 z4hBX62?mDz6Z@U4?acM8t<6E`9~xUbsLJu_SKSJWry-VwWbf4s zcJS~=2uVKgRHS-D;u|CReN`E?rvU8lM<{=GxEY;ww;S%g%<4-ZHH$R`HjBg?$+-`3 zwX?4VsKlxzE#K-xJ5`yn;z*QV-BLSz;YefE(p#P3zafmZ#_JYGj!y>P|IXZWfKJ6$SeL_ZLIi_93H1un_*Z2S_Q*w{YS*|g4e z=WycL%66Kaa$Yjs$Mz?9x@Y9KD9_!0WF3(B(>>FzOK#9M0Kc?*S*K+w|EXWik@?;^ zXaRDc6uLcU$N7`<6<1$(x^%4}P zD^h;F;3^&3n6V^Ztzy1CJ@mlkZ5S#T)beM2A>NnzIU z89#RqFK}ejOJRnojteY??wPQc14lo5<(bG4o;##WOoJK93PZiu60000SX6@#~s>U3wh%Cxz>raYs8H=4zeW=jPYC-i9SwjV4@R!x{ZVW*~EW{}+ zquJ%_ukY9TJyModl$+WeoHhF#B0jVo^zr`N)~w~{s)WGg)d3DK=s;UFURzteGqifA z{pP)mq5WG>0(ZRWlWAi>xsB z8;E(Z+wa_Ue0+uiUOuQ6?q?FP;-jF-_MN2{rNurAsmF9>sX|FUu4vI)y?^5(A2Fp_ zQHIA~m2OII=X2I>-l`=_3pTNra0E|SvsMAhD-m-EX-ySZZFj{UK1@<4BpeH=c3eoI z>_G{{EJDn%PJ}Me8@a-zpaT12UZ;>IxE{l$$<}*sSFdm{ zUwoQTMz#%XoF@U~<1rs-z zR&Dj}NRI+iJ-~m!-Rm>vG4~G^J$QJ~oxt2f{mlyo z_5r-*Z*F~SJH!9P-hz$N82JPYtdr*MD0hjl05U#;jd<6|)Y!#E!JTl0UQ{W0@n;P}Iw75u>b-@wRYIgg9- dkDQ2*|5&1OlF-1Q1CLXHe|>?Ovm6Sd{vYGrOJ4v0 literal 38380 zcmY(q18`)|`#l`nww-Kj+qSc@ZF^(eww-KjTN`g|+yCr-_FM1!tD2dvsp-1+xu?&g z(>?N1z#u39000mGM|Nw<-~uuR{$JnfzTOC5ZzEenc?VlNM>>5wJ6bnuE175>Xdngz z;mvXZxNkp{V|Iz+;Q>(5 z!<%JwN^Eda%!&-%0k{t1rXr`sCB9cI;FUrar5(t8z(tGZIKbgmxyc@!)Y%!6_ZJa@ z!hSkfZz6VEo74;5a?0etML_ zZpmZMbTXZYplWz3-cZoqfE_LIi)Mq{5R$p`wT#8;HM`%2Qyh=3a;;6Z(iq@1Q|fkk z;5lcDxje`&Sr>w}Fotw4xvkR%f?|$_nLC8M8)#azT~BEAlebXR5ZX6A*NCBKg3_ji zDA030?fO9C{`vr*oNm&L0n;l0vd?Vc``v$}Te5)xfW!xuC@Y>Mg z8JbXJI9K1bZ>_jVtgR|!qUi2CbU&&6q<4_e;Lw(iN8Rc0@Y+in^EgN;$U~EH%hVO> z7dH;$oLPLqsEA)>KJnx7y@DZ*A&iX&B|QYV0n<5kZGQ7MHrV;LeoX0k&Q-^3yaD`Q z;Cj&!y5hkA0EP$v0Fb|cbF-pzGBdU|{_m6F4|L}mleTNDDBbYCJ_(L4B%4WnL7btq znqQNc1$JGI;*!lH7)Y^5k_ITCV9w1`0D*t%rvSE})5B2L0#UoH;3MY_F1;gq#&-*6 
zSR}B1ejSlgO`Zqezy;Tcha2^jy!FVLPDmF1>TOMZ3oW~% zV2ehuPNkpr!+pF8V}=b63Id0nm*p#N@?O-0Qb;4th&wILXBaqq?PDAB@@ZC$?LQifxn1`vsKVN{`yP$yyoJ6AFqvQWV=vvlgXi#3C)Bkf^QM zw)66_s+8jsl(BKXB^mx`hdT5u;jRuq;gm?c@Q+N{D}-miTLe;X*+^VQD1s|83Im`Y z=kXg&<5yX49Ol&b6svs{#5~wHgG2It!w9_O$Sd@={;EvC?$0}e$Ge9mF}{4>H+y&2 zHMebS`!=~|iAkRC^K74QS4G#4wtQVaFI9MS^-pTuUiT+4d|QRORE=Gp4=2wJDOV19XsaI&D~R)Pz%#XXMdX~DJg?$tMV2Gj z3zIEE{~mn63u;?{7+uR8Z)z1;Cwc}*7_Q?QHl6le$ef!%6dJKg!lRJxUXV>3!YAzn zBA^0w?QD}xGxB7i^{JJmstp*8mRF=Fw= z5lk%tXBrQ$%F*Tzm;%>V+N>W`@luRSgsupN8b%pWodChe-%OD}HO^!hejtbp@g`^@ zNpBEJ;J^9hYrAfdt7qG4Z3V&y-H^d2ovrQ(W8+r26$U-P z4WZx`01gdxW^i(6(DNK?0U9M?tD9zMiAOCK;_Cw%D=IFV;YbA`)q}eYI6R%nE+b8& zh!F0$r(Z@c#vb=jmdF%&F5pv_C0-fLpGcgAA!JFM`uHW*O1=o<*C^p-xyJZUY;%qL zb{yw7;A^n<2sQBTxkEs~_~`^qRHsX_B3q_jnS@=Q;j#~AS+xl%aksQ%T6Jd6C%ban z3zZ!~=X|3$=HZ_Z@(Q2KVvQp9iXj_6UVczt{>-P!;_mrepWIeyOlz4IqdHzWhEDyO zOumS8&~<}}BniKlxPu#q#tZcDkqaGYPL8VCrJoKmlPOp7TNJ0rI*{oZG_F^`kBnZ1 zAxod+pj@mkl^(DtA+3VzTj!2l3am-N;Lc7F83aKaR>+(s16*)=W|V4qMT@J{y}2z( zJ;=K9@rr~InUX{z3rYEYLmb5_`e1&wz5;buSa8xc6pk#I!(kY~u_rGt+sEK<8Nv0ro;$Ah3(M2S*+=foQBLxc@%}@Y#mgKpxvlEXjaCvH|LmfYGVS{) z^+YVWSPNc?H<QyFc*E20K--G(H(?Y_YGHd)?gADl*ZgV=CC<$`WlvM*ON{v+kVqK z-TzHt-OPs&7ajlrIU~RT82_a(S6c^5M>At%Cr7%!!{0o1*6G`@)*8q9qM|I(xsujG zdw{?Pfs|&X6wSkQBg`}x)gZC4y1EJ^F|rgL?W8(axBGsFP5>F6I|JkG6{H489v@i_$s${oSXX>*GW1Qnn;yYjXp4-1S5kuX}~BG)r{pwZD`5 zm=E6eG8!J7wBkkVag8gUAOJKY2`$nKw#b)VzH_s9N5#Qx%+~>XP;(_jY zbjG`li~Q-<=LzWZc{o|&hs=9cx6ML`;pJAtZu@%(K3s-HUQD$d-SgrZNd%ik#aKf5 zN&ow_kMC!3qL#Hy_T9(ZO6G0z^Ne<}LHFk%%=1si{v*SMKn$hAk1fx8MeF+(J$i4^ z&kc-WA7|FhxB5?8%e}|@q{R}Akphpltq*IZtj*)V4-3_@Ca?AEshqHj2EI$a2^G)I zCpL5MREKV!rOzyHv##j-$MNA^bKk9xP3_ZpF~{r|y~hllTi<6_&sooI(mm|>683!( zSUAB|fe|}|-Y$uTpdD(%SQnVpXn_zz`3G2&Q5L2%gi721*pL}D3Wv}}T%t}4qEE8^ zuv`r{n9bjMs6V)Nu-?XeDAl5Px=50_9E7<+rEK)%5+@8bCF7>&EA zo{d2FYondL3~m|BY2pje<`}XrH`aUlUhod=A>OQ~oof{0$U1n6E-%4h3`2ZHuj?R@ zb)46r?T8ZMo#A{g#z`#;OYsu2dbJypucZii4_V3kh$1BK>*mN&99H+(d(k}E&A99$ zm<0C_kFs$&;JH3({2=Q3xS 
zK))Pw>EPqsJx@nw=@~~G3F)aoLlFAS1@VLj|PG4bmjdv(2U>kSJzxoB(Y^RV^9H@xBC zGl)6ou;bY`ygQ2pz>*iC?;TJoovs$ArQ1ww%G?v=Bs#Mx=kU3u%e0gucw7wP=?(Sj z*>&=8Z)b@9Xb1p!l8(>yV)=Qec9XMyCq#nszYNe{f< zMQ3%-blz?n`}A$Q@sVrBEBGb6nm_)OUMru&fyZW-<1?Fn4yA3hkl$`=4fm_0)mB!U zyDJi5koTy`hE(&1&rX-1(&|SR`9}Ma7^XmixS%5w$u_sGbY2rAbJ6`;s(i9Xh!3V? zv!M>;Yv9El<80REhEk1`qv9k#iS376gG*-NyVkGE{i?xp{{(+aMmvqU!guZlQwkie z(w_T4>u520n;0pP)zw*D!U>%A&@0_LwJDLySLWV!0nnCZqW!MA?&D~UE9lxa&Pyy10N;4hvD~^JDIlb?t~$xPA)98xl1r*i!RlW z?X9CK&b(a-JlXOag?h)QY#qL4FgZ_16koA>E-ysr;i^G+cln1a^0q&5tIWP+}+p(8scuZ|j2$iwDKRxMU5 zg5zsJhE{=^@Q zw=!O$DL5YUdTzT``Bhwkth(@g5csTvjLa zZS7k5VHZDm{djZT=*xb#Wjo=6rAdvujJHt3*O5S8Sg^YRnZ?UnN*tdqa3{=OT8^nU zT=#P7pqA%}tGzj16{EWDczheq^C@LeH!`@h+($H%v@H!87AzdTM{2-99hVC#CX&3{ zkr=i^daDq@Ws{@DZv;t1jlVMojVDC+ggGZQQ;dB?O8-#tuwCs6sGA<*>GHsRH&La7 zA0V;B7#fu?KF;n!=oTbbG(0ZuZB8K*YFucku#t2m)tEv&?XhLs5v8wuV9XA~sC`u& z$}M!;xaNE?sH&@Gf(2oGx22^d}^vI@2a7t9-h?ah4jcgJ|p27Ngha397r zw-G<3#O;rP_y-S?ho8-bi}CQ|t9Io&Kn6hV%Qdje7{<#Iqw%S5<0g6{Spvwv6g2fz z@>k-tBaNnN^HkE2PDfS%=6Esp;vc-mpK8|Ewy$&tqQW1}s$r0(ePhdR(Vm^86n)sH zr9weSgn^KVf@o-fvQl?MrV=ING?`>VQ4z&YR-){F+)`Ctaq5`r3X%{I3XUKNtMU$z z3UmHIIA$Ul$dzG3Fc|oi^8>+qU~wR><9do>a`m1_I?G;3ar%`tyATrnZUqSk6q5F! 
zxH$tX*HEm4;6LOz4Jvl$CBbty4qrDUlF85Svi3|)*FwC{vG(P0Kq=t_(a-?ByO^bd z=d$spk%QHfkx7gw5lBJisR&m*&SQ8e#qAO5LE@6&?J1+9^4K3>C~3{+VNuX=GA!WA zhkINoJtJ)wGi!D+E_5;KN_!9#^lkS9za>>X3vP7BYFP_rc zo4=j_Kj-9m+qU(6KInRzmbrgj{GzSaT>|bgpXKDLZo@nT(3RV5C?2ewI>msoRzQ{8Z*_R9~q3G{>A!yXHm$>Q1urR^Sez zI2E~rII`d#Aw5id5#N3-a~BHkByY<$Jg;96UAmsAo91U3-VaJS0*X*y3qgTOQ7=gK zxTx~T#lM#==g`r1BHGJ6W# z5NYhTamQ{m@>?d4t-jnu_mAM`JWX1W_dxGL=Q8dRv4JEb0!TrB;B1go%q}u6j~$r@ zs^dmY2V?rNl$MWq5QNs|%Mu>Q4Ds)2z#15sQ+b52V7~kc7HpXHPRx^89C@{hHL7HA zrJLr#)|Af0;q|(aGNz$BEocQ?que(Q7PDs5(!F3pT7GRsX{2I}wDL1MdBB1Ru&TsU z1(z|RHDz{6hZVF;;15T}6Ewl%zg}2>e8s~>@wfCg3*!sb0MeMVpO}L(!}$iPi2k06 zuHrbqVqh$3Xr))El!f8K`4i^YT0iRszlDFD-rKp%I4fY7tGLnk<@{=0uE3Tp4M+j(%FZVP6t0Ak`{on)l<vI~h#z7>*)BLUzx*yeq)~H(O85{GJW# zZ4gg?NI5p|a!;iZu2CDK?@>Aqw+xe-idyrw?9h2;Hwm)nH_nbB?_|q4;w5us98Ksy z*@vrVE?~z8ITxXswd;>=a4@a|6s2|I?Op(%Hxgce{cyI(OHKCU090t8C8#7&+5_?< zn;M;W1YCgQ!CQNjQA&eS$q1y9d+i_QdcOM3jOttS*|d>3cQlYLHzV2|zlpaekq4hK z&$SS>T8NbU0UxdAr2-`R2}$t|9tR33{yDA~maplkT$@RhJO;8~M%7d!NkMtnFr~EP zse~y10#EeU-5zCFL|^2x^X~Yp5~8szMCXDGmnJ7j`Xs)^kAXf^=XFPN%$`z)TnK~= z<8<+N^nKI+#Mktw@U2;iX}nvWtJ5(UH~;i(`wgq3dm_00zI=}j6 zax#Jf37A{v$mlG{|K1`v?BI(LItb_4Eg9*T1_&|%1Mp?45ty>2Lh`Db5PJ<&pvMQ@+N0`ny0m+S|zsRMKSE{tmvp{z3>&DEc^cbCyT#Hl+Y@BIOf6O z#&#NS_vTL_JJX%^tFRC?&}tsoYa_7o*U_pIAGyr~f%FEDus~>bUFTgKL6P5#VY#i3({J?vEsUgdC=tQJKWOXM+Xn= zJK?I&rA-wRju9|#Z(AAgBxiZ?T1XqyAk3c!tsk(H5)Dpizcpn9<1-^R)n9aj5^Y&Y zQQ+NXz|LBm$`t0d6OE&XU5o>re#r4q`B@S} zFoX&D`~iEE`DqJXaA<>^k4wsq!_KW36Z`;wGFqFPG#HTk4@?LKR%ek84`;E?OsoWZ zfDv`kiWfHmB|?kkCq^P(x>%^;=<1W$kInh9j#aK%ok6RseiHo5GP|kLd2})(JAzNQ z4>sU!2^*eGfwY3w_P21qHuUXRz5v;hkxl@atb{U0y7aObDt9k6TX)dGJvbqqH`o>|}slV;^8yU8jmziXW*;rKqII&Rk4kw#JEA(a^B_NSa)SSA3JoXeRY>jfV}E0)aM#8clGAK)l~;sJvF+|Ory0#y`qcZEHxS&vzoZh7$_~g(Vq8`oHG)& z$wI3fe(T9&(1J)C_D*;+uhPK?10I4wJn(8QH)`$i*fKo}eTIe{y+G0L2f&d4WOZ}L za_-sCIeOfkZ2P{=5c}U?-@H^5FB6VBcFJ!D-#hS?x?{ zS5#SMJL%oSwrn^w1|Zu~2l2w3$-I_?N=zaZnLrsCQ_>|sR=Z(IP}ftq90!o@0*w2c 
zk6sxu61;@6^>1W;k;U(KXqb|;Ql_WW_Hs{U+)za#eM%9WbTAEHM6}tsmYrEJ^GrK$ zU2;tkRG*D8>bvFSxDVr+rr^eq48(h%3YO?DrywbIXHuL)w6^msy~JD*FdzOO#TW zD;SU^?R_|_($9klCll1)5Yh%ljW!Za)6bI`DG_UXgQ|IZVe(R+|6JtGKMu$Y9KZwT zWHNtP&hZ!&EsKu9rX;l{iD^QfJ0xiTG;AGX4?xMNm)DC~dGbMZG!=a@6g0YkLqAGU zIBkx;n+{mN))}aRO!$QYDF7l3LDWJ9;{H}2_)~3h$c%c6&&KtHAYyW9X4Rvig0;Ox z>~3=z=2#5K=0Hog2t^7t(JiL$!(tuq}{D>SARYKHVrSO>Z-b4VIz8(CZ`B71$ z7hmSLlMfZ!SRGijx0iNM@BK!Tu9cM|e@3)Jn?{y;Kq2KYIEJHDwgY_ zKxl7-AR`E-8w)KOq(qA2S2`qNM5L^3{B_oTwlHed=~QR%dhOvTkH6;X^3`4wP)0_n0ZCjfs7$re z-x#K;b_Ml!idd=DApbdY%j03H6X^@ge3F6Hi((>Lv&^uSM1xtPt8+pXAJdhuA1ljJ zcYD_B)g;d0ZgcAEE&LJF(E6&nL9x=_xjemX$mVK)!S3w+ZgqUIVc|O7C5;IBiJKri zc*2qr)fVq_49Y|uU>qpy-Y<23PR4S%0ddh-qcnbZeH4p$jM!Lqz(w3??%wap`{EPjOU9g~df&Fm@+N0+{-o4ws#fpvLwkW~(8{-} zx8T-a&aISb%sASF#AA3k+_1aPjL^Xd-z0b_!kHId@X1YD&RjmDOI#;GjzX%Xp4l(1 z5FG7xS2-dR>1ZE5BUy^x(5 zLe^V|8Q~{*t{NE?*@0kQKjWjU3aPA0deBiB`Ey1p;rkp+=zr~HI!*$!5U@MoWWeln z)aQw<$j9&u1}rEDNoTr&NsXE;12n60zp)R)!``qhnWto$%<-hB7R1il%CxOdsxXG5 z6jOM`9&oXL5S7K$Qb?`?+u1L6wfO4FhJE%0k zzlbzWZHUBg#!rAhNX;NYk`u31%A8>lg4}k5ML8bH6Wv zh0>T2SPIo^7ct7srXvJkEczJ7p@TB6NV`+cgP2;k)E~l323O_A42@x@CHi7XY)9%*}LOdZUs&IFL@BGkpALv(HVtI$>nu>Tniva2>w4phXq!G z5I=DF1%*ZU>@HtYI*{R7Q)M+x*~U1+gWJTrcEgexnnOG)CxhtA`Po)R9GGy4`8MC1 zxl-W9jL){;%BMBgfD0^k*kk)Uv9@7lv4JJkE zG{5bnX=;#RuMZK*gu_?)0&Bz}Zr~vr4x|!qEG}1tgBp|sVVJ#d{w4U_U+xEJ!2Ls$ z!$mq7IBJXn!p=&%ctDARmHr{k5S%Ec8hW zLSG3>-(n6Cac}@8<=s+bqJ*x{cX%u)ld?Y)tyd0Dl*-!`O56)Juh2Cv{Z1-`N#~Y? 
zuF@vkiAzC|S_Jg3gvs^@jgBDIcanVa+4)v%vk zTKJZ#_%a}C$|_k_pvHaZ;pbg17cZE(9Dy!`d8DWHFXcYoT2<&CV|3CoOP)dwT?!)5 zeNW?<_Bm`j_)pUwJ4Nv~7${1%+pl;+T@!zy9HW0VF)o%bgRvZ7z6BfC)*0|2&7NDx zud6J1)7UW5lV7U~U1%b%3#B9t9mZURAmx-xD@i6#>7a{N*f*eO5aC~j`Oj!~Lum^z z=%e=nH)68R-LeiujMpvQ_vf4pmigcu7-<;Dtv$p6W)TC3FXC^kUXk!ii`}W?R=+S+ zgTm4IV-gb7fA^0>pu9(=YmHtncec>1q9&HhgN`nn6xl@{)`4}VR%ris^uLjfGUYiOz@f1V2a=;hGMCueWP5n}-Bi@7Ji3{t= zjJzs>2UoEQ&xH9Zo7!2(cU{1M624U~;{6$DfXKC&`%I1Y{6p=NEWpMj6Q%OYfeZ`a z?idkLt^QYo`wx+5)k4O96Es{O;72r+lL2x@QO;@I_hW}@Rfe9T$!W4?UcI?w-p6Zz?7I-q@19%zu|{U#@jS#9VGg|hbvjo0Qb*Xo8Ks5 zgkMb1j|(HTWh-%w5t(d0#KTPwTZ8iak$BG#6LaF0qL}@RmGn8%g94ABQ7a!VR*@ts zdKPjAgTl$03}dX3TmwlRwKP4R{XHD~UlM-6N!aNn6TgOtx|aCGWH*t{Gkl{vy%la1 z>$9TmATF0&o1rTXGG83(WfSAO@_Ri;5C+Y1*5AjqUT3!`bfUdN8`8uh=+ZgJkxk?W zxYMX3Dm-r1)11tJV=SSApQ?g! zP|{>iSC;>j6w=?DTX69@cN8<;8`^24y8 z!b{>xwbp=0d^$dH|hoAKv4Z29!UdT*Qh8iDLt#X=T3&fR!&1l?azVmk1iVK z(r_Rd1mHx>L*)8JJq*(yi0Bu7I!s{L?9C00Ik>a6{u%A`XYBL!eFQ!Yz2bISek{1A zcgklk32T*6p{vk24-;6+F>^mXa0yY`v0LgOEnpO@ebIdkh@PyW?0NnG_pKWLMl0hc zW}({Sm#s@l#m{+sOp4+!;RZVNxGDezvkk*QBkx(-tfWFxT|$a1QgdS5G&dFRUlE@Z zg*e{;IdGT9zzdlJ8ohE`4<<$9f<#_DZvd0(2MUwT^|S)8cGpCQNJwOBA&$6t0j0zX z@g`bTk(Qn&b55!C&AHsU>2%VesIKmbdB@ z8OxW&KZ1|7t0ZrIl=^LPu24f{4zNsT>}G+6k7-JS#i5PL82Z*7)*~qZ>-B0MQf|Qs z%K8f#?kr6$-|j7I*;imJuM6l;MS10%fP4=GjY2?$_n+eQ8m3{#5lx~m$8(=!5CW2l z3UNTExijr;sedQ^)fOGyB1?I*_?5rzo-naZ(f)a-UK;4*vta*FeBErS*ZDM`QRCSc zNPfn=`sn(&Grb-)kbBX@BYz0)1YW&7=s@&BeZRX@m$?p=b%;vc5Z!gX+$AlLh503(e>^P^BFcmx-X`mF^W<+ z#xv`FSgtnwgox%ew`F9P8s}Kw&Xkq*w+0fxCcWpHef(xyz-;nL+s-oePNYsp>A&;U z|3niMQ4T!jhTYyFM_kUpS7vRZ}%g2NaVO(T+9y)%Hy!`n1e$w#i{^@2hxcTsIfeSbvx>r+?BW8Rh(Pk!HS=#O1Oz-C`Il> z=CY9(Bi$6hRMi6iZFVAUU<^8Q`tNWui~8Q=^k=&$Ui*`PA6bsG<4bFvmZ&q<*++Ma z*W=;xfs%;`(S4{j!4E{@McI?o?@g7eE!~<+frgvLYI4?it!(QILT; zsr%z^cfVBG11F|BT&9*V$3P3rChwtXhzG1DJUO5j4F5%={YnOpGbbP(7qdvyUX8rl zN{;cg_02JQA@r#4r;G};Us|3Fsz8;~t?`om&X%s%*5w*v;;WyQ+Q2j+`)_F+g^*n}b zQ1Bm9Ov%7mVDX=OJ#u6Ixuu+M10r_6QSvRmxZ+V!>H!1?GPp=kFAlt8L2WK5s`1@m 
z872&gnnYc*Ryk2r{rA^}wf|i>1o#=lo+XE08y9Pr!|wYPw~aP5p#+P zp1I1Wl);R4He0lox=c1_65(Yzt&I!@(JWT%Lo=@9YP(wwM_;RXN!mHFdfT-F?9tzY z-xWh{_9PY$+oh5Ky(2g%T;Tbt^?~-4LN~tX^QKzY9>X6qe7@*~0%x%zVAKn&=~B@k zC>oiUCE_3Ff&yKr-bIUIDjKm}ApLj3-%WAF1B`E6IsD^zSOt8bKN$f7->Mv^v3xle z%3}1<9%!oWHO#DVyX%sSJ`mOJJ0d|&R=@V_0^*8in!ddGx$5V`s(!`8YkyXXC%-*s zD2*F`rVWek$Oubgd$J^nlnj3+B_R@FlxF`pPcA3!KgW5DR4BQHTsY2SAluHyj$y#Y zE4(eS8o(HfHYd&Eu+HSjZgDQIg`HWYSS*I#(!^ciF*J3NBS1J*f*APoq{l$^YYQjU z^6fVpo!oD8vQL6|NtlPfq`i#}KH5N&MLz9TQ@XozL%V78d~WrI->0NdbCq%aXzrjo zRc6q~^t@t~v6dtfZK5Dd3Z$u$+bQAgyPV2^l7oLYhx|EK%ea1PL3_^l9#PVhX$d0 z3|`0*&#SJWd91Uv>sla&ireaMMCUjHdhJ4HwhIC_!xG@p$Yb&;U@BJ+)dPg4IX_uJ~vT$jxK!N!uSE%8s zJxZbFe+^P-as_(42zLD_{{04ux=c|28*s1*6`QEwLZFh0ieyP7;A9TF_y+9p5p6qn z=U=$Jc*8AdJwT?Y7BcMcX!1f<7~D2C%jAXUR@vt+S6(_*xut@$NgsfHaJEelmYbhq zInb<8OyysSWVwYe4oQIfG9bS*W9ZjL zZZ&YD1+UQ_Ehm*c4rF{`DXoLPg|_(dRyDxl=>NJJ{YcKV5K9ijdBH=rVtC*hXS_&5 z+p-qEAHyf#wzSY&9vvQ$L><(-~3NiCwC-0x%ONuvKIH zP7I9B)~SSA-N{F# zdc#^u>{o?w@F9~5d1Nyy_`Dw8q_qSr;Gi>qzz1YD)>fs|E6AsE7-(z=y2-DUCvvyZ zY@B6zfYM{9@B{mAvp_1s5M+j1TbeT)%`j-j(44_Unm2R1G9pL&f#Z?q6vV>&$JmSe zt*O>@qvmIGC*EqsG1XyA=2LDhn^!X;vM-cA-CqlTLCd}E4(mM2iiu}@DxlWqqOeQcpTyu-Xbpc@6*e9rk|xm#NKrq?6&2wxb|a=!{?{#0vX}! 
zO30kcB~@lFU3_VV%Pc&bD)C@R!`tLc0fi;Jd7WL88pt2kWuxq;(B@?lX7<&MS#p3^}*SqaxoPZpE|3>XpF8Jo;1kCS+Go>UF=; z+Jln@-GuC*i{3{-^GOvAAJMa$hbgaZGp(2K-s%i_KFq?W=3afEE85KG3AhZON4aph zq|`uApZK2Tk1-;|mzDUSR4#B2D0&m(lE1 z+hfwrW*2RxX3bWRXRdLO)s+jzYUMm|mn8@coz6aOv)J>p+|K2@qkFNZWz365&niT17 z%2rwn`X6Jt+J`Bu8gexq2hQMPNX>9n<0{iQE~x5UUBoCXZ8b5YwUO)f=NIMg%)d&D zU(As)RxL2tHN~>rcMI&ajg6PZxT&;JEIFB@WzSxAhMw0)_jf^wj9Oivl=d_o;%rXm zoGCRGk>^zS=a2kyFeuz1__GjHIf7R(UynnEz^&(I(B5fcJh^(}(oH(I~W zmtJl8vL!>Xa@`q4(Fs^!nb*IU3xM^vGhmx$^oKsr(pMn~-7gn(kC*p`%codg<)RB} z83^O5{%_*fkt^dH2B0Gv?L*G&(SE}y(;JBG+Z8(O!tB+Bg;hQ5i*JhYZP&UMk8r0j z(@v^28AX#r{9I`cJ3rFZ<_kN#0H|{M$+3FDl_+w)BH~KbnCWg==cV=P@vuupv@0+l zt;pKs`$3RX><^ci$6(If_tj+6if02yZrnn=-)3VQCx~~STcfy=ohX1*#phuj6hO+- zrgxko5QB@FVNg{Px-Fzsu@p;|%7qfy-*NZCnp}}*aF_ESVD5y!dT-tLC>+R&f|&U=MEtU z(BTTuA^Oi9UwsQF$fqov|7y9;RF9o-5bf{Wl#kB!KcDO>(Q7kq*6IZhPQ}|| zBdgQcW|@GCe*FvjY37kAT+k_V(Wb>$>bq%_f(PC@=4HE)=>*JrP6ItyM5X8@=CpRc zamV2a{Z-O;$NHD^L@F7aC)8`($X;#c#OH7n66p}}^5g-L682TT!=UK2i140xO>uUn zrs-S{F}i`^Md#ZkL;>GRVw=ArN`qF>`FnYr>meyDRO(>HDGRYW=s4*dFjpBUM_~o2GmfOGDVt_*w zI0w{uo;Z|=d&zAFCT8UzZG{vkJu|Eq3AZDW*)g?32lzzNsN% zwj1i`LS(T%ZsL8raA#i!lYAC1(np-3WbVu^2Pr7bM`9?Wk8g|C9Y;zLR()aJ(*+Is z@(b(SMEpNT5%-%J6hEv4DSZdjciXbbmL89^k7hMD12R~W|%{P{h#J>(AfwWn|Z%VsYAzV0R^vRJS z90QlhGHqGH!arPKp?*EU9#&E^ob;I;_smu018#ajyMA&4tm+~VPFAms>*)}TjDSIH zi{}igfuJjgI$WRrnuh68>-!NwO-DL|pj01OHR9 z$dj283HaA(riP3PA9!!(`^N;%v%Mu7bej_ww?}xzc2j)T64z3KE|IEb%v6F{e@GyL z`Vk;VpyoR^#wL4~H6xV$MrrvCx8=JHCN3(l4 zY*yraIQiKedc>9HdN^gbGnD1y{xK}ywio?gT8zmyK?7msO1JNe;S-z4E_LtQHs4F< z4_hiKC9a<{Cpe{B@O%)6+?>Ha_+Q=JhBgQH53%<1$jOWM;_KgU752Gie83{Fe{9S5 z))K@?%Wn(SmyM+``*A`xR2;$pOr$E`@b4H^h}11Z`n#9lq|bnQPNr0jQNQW-oF=Dg z3Ba*B=lNyhOGYX7&>7Ji6VfjW|3{|`GxpXJ?DA&wf&=Ox@8?izUD4DXXwpo#GQk>%(>Ku~k_sqK;Tu<4KNf-T0+_ z9{9LmqpK2~NV~^JUpl4NYgbxb_{AoGTM8kB&pA?O5W7kc8`(t!ztmptZk9YlO-&F- zHV1lFU|}?O0@r?3ezD>Q27^Wd@j0A=j#x{j*I$Xe4|7DR?f=^YKpWn(*+V|C5sth+ zHovB1^#ZcJO-7vd=#Kcc;*n?G-ZE>b=1MoX6e!JbpOBFeZ@&%RA{CFmHtX&1Dy>VB 
z%8b~xjOfH6G6(Wyfv?BhKuN9?y+B{Ke+VsPW0e8o(Yh6?n-P>)29h{wyhswU29o*L zm!Gq`KS7X5{)x@1GdP7FaAgV9b5~e=bvm}V%_w$pYlC7*p zaK_YL==N0wt|qsXNYr0v9G>^WP;H||jL2P!=9I5%H+*r-lsmKmO(gf^c?WX7R%HHE zTmN*JScw>m;r&-WcRxot_EtvMBjw}1<6EMT20Y*YREThfG^FRCG^Fjit8>jw>=#&% zGSZi~`*RbUA14?|nR%((o0Ovrd~~i^Wk1Lgm$r)@Vl=Zdi&6!WUiD=Pw^fc&h84zb zQcSUSzq?byNiT-BZeF9XiHw1nop9%H8y6tL5yI3@y5pmm@> z2Kuv9$9+q!V#Tqnj75!cJs`xIs4C60NJ?UBQV!qeK>raZ9y`G)PA=665$_Z;Ui

dMvzP2y6>63y#0jS-0-xa$w!f|goRA*eD#u?jDa4PXvbsd>)eVt zVs6>(+d*UKHObOJj(Z!-MBqp-Hw1#lULJR7^ClnTeK(@g97$IK&?4@oO#f@Z({f+W zpWpu~x7w^KYh1z;y1X4oYec{K2!LDrG z(nk662xE2#m!GZtLBz5M<$4 z)gmmi2ZDhT0;xz+VIy<%u9z-t*%I;plbP(lWTptn#pCTdGJ@z@#pnFwWsxnn_H~(~ zmWCR<+DQi+UG6n)|AN7Olk9(y27XGj?CkKe&fw zQ^MZ8Qp0JXX7~-irNpNSo6gw}$_9|CRltZ42+D?{lz0bY=uq9trMvXxek$!j4f?02$Gh}Cwjb8s)rzq6 zBPH`lZkQuOC)o44LsRyd>)MO1wToFnTnl(@LbPQ#)0zO_U$tWDL6to;@(QeuSx&kO ztSpIb;jXp@%9b40Rok>V5Xk7yxqjE?n6epKvIYE*Va6D(c`QOgA{&>G^Z&=#TZUED zM%}`SASGQ&NOyOGba!`mcL@m6-AIRYOLup7he)?{!`T~stoM7rbN;x!u08i!W6T(H z-uDU`qF5YC{O-Cz%h;<9+#WPo<8sR1;mudcG-$moz>X#AxRG&pc(vhzrShp>(Pl$w z(au3x$NS_!7b=$4_?x=8R7h+*m{* zOGw!eY0`|m&dDT582d8$b29yoIDYW~(wHwmx75)ow&bo@*(0wU#l5#oa=0w3JEDZn z^e;YZspH8mdKO!bQx5+;o1!g(Bo$~MH5#Y(v=R$Gi+3H8^qn-Yr+hvhHU)hf|NupD_@A}0q*o07WY;bHB> ziv}M~a@47ZE38^B%CShYVOAy~s*`wm0gGR>8c}2NDn<4Qo!Lo~sDwM;uOwRlg*RhuQLm(k^{P(U`UtBUO)3Vb(Ho({*dKc z&;c*4u{f7EXGj<*x`JM&ErH(pD>$KX1E2ut9755ycDY{lpek(#WzIp0)lhDCTTp+_UOn<072TvOscf$9*=cBETD`dy)gY2t3z6H-v3V`AFHH`|y1H7Ol z-@&9DmOisMo3H?aYFZ^uy5#NdJClL=z#7J1TUs^GiR7#kNejmjW5@_?|X&dS8Ji#uXf-%5}pJjCR z3JW3jGbRYQ5`iWWEat4)k6(VhfXdqqsck>D>_Og@9G$HDq`tIc!;bDtjOoTO#Ef(D zOd$hU6VH(&LSUbh?|d}6Ov zT{51>h9G!PucU^FwtsYoBnyPk3xl(iC8w_zo8$I4CvNn$dWJMBN5zPaZ)lP1huEm?C?Xm&n2GqnRIDt7Nejt4el*=o9-G2xFB<>0Zwoypg7X;v=VK&`zLD9J^VV_#*CHM%_k-z&3GAF;QiJ zRSg)X3#iRrL3kE>AvcIoOe5APWe}r;FElRNnbC4HdyP*8kRx|U$OS0r0R2$8sL%9) zIVJ7$XQcCGd*|~BcoN+M$qpgD^pL8L@7faOdHcLG^fgS-@$h(f*TKka;?NWl`h8vu z!;*8ZMJ#Z_+h^kwG@ZyAe&i{YBo%$v*y4&X|BasgU;s( zv&CzL`xor##iH-fJJeW*(xb@`DrK_uSvw53=KAH0Q;E(M&!kOO&feeG<8smBPU$>S_~*fmb|xZU`c^eldio0E3M4Jx}3hI+6)ZSOe_FT`k=-GQ|8;g zSg>q%w0{txg$=l;^0T<=v0K#=cOG9yt#NOyFqbKM1n~sctp#OezS;b_e1JzLm_geT z>vaGs@=GW9Pc#ua-DeeH$fzi~CkMqQ17hWIsTSwC{YYGWy)d_lcjh)AENd?%afAJelhwB62q_)Mx9cgZfX}yl z-_h2Ddu5{n8N=HF$dPn<@`+6Cpkjn!+KEH0)C@dI!hW%KF&Sw*=%bep+S>84?^qe0 z0u$R!k_iY*k0|Zb$A#=P%Wtp~-aV|EBGaZBUfX*HgKu_84V>0gdZ6wjB2BDp1P$G} ziz&;Zj3jho6*Y?V_9(C%-WIdRjOLVBQ9d(Y#8D#Ur_iZuZ}ZZc?Mt&uob{$U4l^Ek 
zE1J|!qpzGnU9GzPwZ6fgS;u$PwG7f24p~^u_@o_{ap+C+#KX*L@qBDGu}|9RyXW>s z4dJKnAnn0MXh518JTn`i2wjynCQ94+b(7pDf&_3W1JgCm|^9~s;}6uLgItyvJFlfnMdL*bqu z*(7Kqf*)VL^>r9G&nc|dly-O=Iml?Xzs@&x7`-Wsc4+r~eE-fCxODrX%FY_Nbmt;Z zdY(+2D;Y8fBrdCNojQI(EJ)w`6eRWaf?h8|TIudrKVfl)MAFTyc)Y!XmxH`A^ax-D zynE_Bi;&hwL)S1nR3Y4yHE{X%kFFman-gHn{MG#P7YP04)>)H?r&+a4Rx;Kb`_u|2 zn(ih+O~2rmY`pF|OL&!P?vpTV4O4D~?Zf7MOPx&&bLmB0W%*(>v6EUX)V0uK zmIk^F8zyxFC8KZynQCsm8$|6|p00pfA4zg0_AsJutJz2Pj;c9qF|6BNnv^tJZNgWs z6BA@{hU!)0-tC#D2XTH=dDGD&w>_t0wuR~nh3z@JUvTe_&t?iILtmyL+7OLW5ayJV z*~+>|F}VBK(Z-+6Hs82lTwdbzY;d|&u@BvR4~3z8YUo&h7jg&w!b2;c5fpb?*x4C<22!;%UX?EWIVHQ z9oA)3m1lga(&E@Q65Zb?k!@XP=j(hezheMyWf&5PB|a6pmW*vNXY5%t5wfjVnuOMY z+m*IUFeKq#_z-kGY>mC}A@Lg4dssw^wmZt(G#3p1z`MZZ zwQBolKXje>M&5hzq=`J^UvlzA|ZX-K-!6p_@Py;n7N7AAOf$@sBmFJov$al&5&?T!e&85=*OjX}VD1W)m)jYBMb32u{Xe|3eQb4F0_FbZ%^Dp&T3 z6>P3hoxr6mI~Y4wL@(e1a;&c-m?>o|q=w4n!x#D?W+$CFR@mNQ3D{&&fuJ&BL{2A@ zFn-k>k}U%sP{4iv%OG1Hy_V{r2ZnioXSZ{T*~bJ&?n$#c6ckJA8C*gLI+aw_FU(XC z@P_}IUtj9(bo_D~^2SsyES_P<6Y(Nj);#TyI@GG{0u zteRLt24&X?3b?*nAdViOYv4t$K=XJ);0M-^Q|SZrPT3HN7agpz05|pme?Ss9=YqIl zr@i^>i zg);rRcj_@+k$$t&(-KZf?MU-8gLMjCckhu2sVv2@g*EE=)zNn*US(4z^qdXw3eqk# zf27ovbUCcU)EK5j5@|6D%RUg4-8Ldn9>T2mwh3VfOng&mYng%3UdwcE-_qdrK2Mx| zKy!EJ986QW3FsVeq#LAUgD4z)d>%nz-3vR?OmmH5Fsjg?&Jmt6*Ec>tCJ0#cY|ZWw zfhJ6o-UCcz)Fn-nhM|Y)fLue#UV9!fcV8@igr?Y3N1Hh|olzCdytr%a>|Qp`YAt58 z7w8zsF&Afhmd#saU=}yYc@v$+{pK&#N9(+&Mi7{FJNqXIc8!4bm$O)F%38vIbhJQl z3+_UfUb-N)||QbFQABniwRMGa0S6I6~S`9pztN+6(Sg z&M?ZM!&FbS^mN$c8hSglW$tDT>vfcCf_0Xt zASl@&20L&*W#f&FVM~QZQ2`z{yM(6;?GPY>*!mC!+flCp|0IhrS0*u*XxwN^mZK5Z zCdWXgz6;hnduZ(Oq!7dH1WYQ&$UrdLl95b$!>OoV+ z-lg+}0;0Gvg1xJc|#hu02=t4)>s+Dn#K<$|M#3H+tdz#8+Rl}*aCZZ(w=8edMiLswDTA{YALl> zPi%k4Ixl73zLi+>vE1bNtTQ;T~^p`DF;&Q~=1^*Iws?t9$IaDgok|MlXv~ z)V7hNmu-l#!;UU;_*Of5>=M)@d^{vSidi5jpFYXL3;K!3CU{a=k1! 
zA^GlJ7t0V4MKz!`gD%$(1qn@~0c0}@S9c#}b(95Do*x20pU#qtPtf1J7q z|4IKxk4UgsU8vYjB5+5dJ@ia1i2G`&JsuttJyqGMuMf`qb;_ukstmYFNhmv=vG_D- zR?NM;F4 zehY+7UHr<8lcqCUNLdOFsK68EhzIBdtb($i7?Q*vh1O#-&)K3C6i-CCB|Thy&d+{I z@aP%|C#MUQ>kSa#TRpN2BgM&8Y9iQ_PL)@@f;6kK2h)v#w*Kf|iPe9~GGJwU{+c#Ow* z((x!`LC~N+S2b$~6e9%@6he@Z-`BjVJoeiku=WsFZ62O6YjZ^V{}HLbu@ zn)Z6_O;gh*ox33YepaCAW|>9}>Q1?3i?cDtDO~aT;fh6ey@!!63p1SLvjAsMyltx} z&}XB70ls7$yVav%4cvic`MxGH&1CDq*`Gc{z*O}ScjERaJ>=@5k!S#^zrN?>qV;cB6Df0$?y-xp~&nuVIWOSN(k)0d8HDY`A@AMLp zPKh{8?&%{EDDH1k(Ex8u9Ozav#Bc*25idL#@@qI`g6&B)TZm_XI}DwG?xnLSRj=Sn z;8a|Evk)Sd)5<#Mr6aA zfmb{oV1SYj+GnSJCD#s-%<}xF4B&=|CgbQ_yG1crutjtD_EM;eC5_FGq${%{Kda+M zwmN!EhA>=o^i7n#&|hGwVJ^Up0%2wmnt6H5g^l`;mz)eOUd9ttN7^R7YHZNlxny>5 zu&A;KdppXeMqav)bju1V=^0S_h=55aa`VD?W0AL}=$bKJ1-vEcBp&#ZE8`aOi<7Tr z```79g2M&B-n~TZwIV63Y$r1iMvTP0@0aVfALa|}x4jpR`WnWc@A_RBvHvi;xqSIY!6nhUfB!}6q-kMKcqK6Kc*Am7b40QRl!Br`YA`s3(G2s zeY5S4?dJy@G+>E*{$q?dRL}X0_{Lb-^KI(DDi7YKt#bsqU0sUZP~o!H<4VfjJ01!Q zeHgBz^_pr3Uzk^Hw6oS616Uo31C|rAf=Ld@x(x^ovXH4|t|p`dbrqBNi9zcOtL-H% z&(x6?vZCAHKp`+QYgUU9_sKs4=)W-tY`y1VDifUAlpZz>e1^5{b71c-SJ>FA6t@fO zFG386RS2}D5|bxVDVWY|eRUfQC&yCv?B~cc{U%oZUB`JnzA|wU@krE7{m|7H`jKX|um_Q>E3*1ZZ%yXnpzIQkm6!hp<)p6}yzn~>n+mCtiJxi|ED zH%?V@WAvs7_i1@iA+Dg1tsh1}PPe8^eqS1e-&nFILzkTecv21A@rM-v%wV|;x-L5I z63j^XYf=lY_t8~vjT`coEu>ED^bgV!ygo86giwo4IN4s9+DT`V>d-Ij8*aGN_iHfT z#`|)l8hR>bkFOLN8m=xs98*^;2f2Ay7^-eV!=J-~q3x3tm4w#9t%9+$1=gefD2Y?PDQqrj^x52tb)XS)-s4M~)gZ_l*&^F=v_M}2=#d>*${;vB6n_(aIo zXnd->e&$#3I5NS-O$gWo{sM@nk+n@~iVH+=C{*+m;!5R(A|-HyZsi2^-BFDpBqQra z7=RSwMJ0^7F)j9GKzZ#R6qxq%MMKf^Le!`Adl9W@72x3=NKSE(TWP!C!}MYZ z#O5fpi}H&R!FTY=!B9aI(9nV*&>H%FKZT*N0{uA+TM71I>>!_Xf5(wK0XnrCH7(la z!JVx8I((#)r3{4rTSkC(vIz1gU`*X*yG;gOzhnWA(*d%=IVCNeHc2Iuk2CQ7L_$UY zm4Gv$Q74>07I31ZmR4&aSZI#K;i8J}WqUY%KNk(!g8%uCdL^EjEbhekSK;v%O zR*HtBlgah^dLW~AJem7FaJTETRIl`_X%j&XUL8N(=xzEZniQ|5rd(xmj=K<=R)h(T z+|7u&9f{l^pn>BF)y8N+R8*F5#H+pZB0M$@avD*(C`0u;#w`!xz&0q!|3)jb81HC_ 
zjIXcY=m>SXFwI5V6Ejq-<`NqEC6lr|^C2*@x|z5}1XQUjJwGEXe$N6)?1Cad@p#A~aVm{sXs<9Io6lwVbnr%Ar;SK#P9Z z^+UsavW|&~m%!Zso&@P7?8P@LD_1OcLF}(nU!NT=CS|76B=K)Ot+8TcTj6@Rll5)x z?#GnEFMEbxuM~aEZVJ&%b1;)gC+s6TaLvQ~k~xa2HEicIA&=_YnoNfC%{#m4XQd3* z%ZzI>`BpM>^u|w)c7_V{(;);QFIiMP zi4mbd2r6cuc*BE>oK{EzmC!>zxR}+?&52L0pR;Prp>`~s;iCeo<;o}-+{eItoxwfd z&|aPMz793AA`hPXcwK0u!7~09eg9M5}DUgnDM&8B=8Ku07C)^i`!m4+o$GmxSOHUFeeK>{QHTTybG}9 zqnhwbs6LHscdzJ#<=d3}?~O|>oVkm*wp(d)WhGDfl>%NUuUh;@Aok+A(sS50#z>G_ zYo<@tF3Q%^G>pBBy+TKW9IzB0)iw+tuPV=zO<3u`*z|k_OS`yzHnJz+20L!9g$4w;*7Y9$V|7s=h3m2t~9 zD2x1uy>6;s#o7B&d%S`a$J+q~Zjpc>vT*LcbH}eq34>DD)oFMPc)FqEq26K?C$wPk ztV7WMehm_0OUH{CIC^<##J`DtGjZIo!zY}d&x?yRgr;to9LN#L<$f#m(MzM?16V2! z@PbvrYr^mP&ndNDDRlO-mtM$!spz*aeqk!-3-`^ent9f@T$ONNF;6!^?Z9?cX=-J$ z^{xN7kMj7J!@Kl$6q9>zh9mb8v?8r}_S;izt;VxcaEj4aT1B*6j|99Dz^x{4j?B-; zPKg|c*iK0kJ!{FptZE`^_Hya(Sd}QKF$bdi0GLv z`_4!KNH(+;jrMdN(wG|A^`-gd+lJDtEox%+GZ#Zw^ts&^MMs$&7Drr-%y5QP*=5ai z@2>^n#n}Rf5uZjP%-9Og@<=PETYTk0Vqd}-VDGfX;6$h->q3vsq~nm$7eL5oTI%u?6ei=}@!9 z5Fdh2s~EjiOpctUTbJ1K9-$gdA4}FO3#srgr?(~aBvqtj)!(<$T{@);Ufsv%cmP2?#zrx8 z7JUlwBWte}zN%Hdj_wFyu$0@*4xEuz!f3x%`6wqwJZ??|TuyW^_*0AW56Is)xyl2L z!&HSp<|b4iqgTxcQh=iE7mJB!6;z4qb&x5ilX(c@KWwFnZH?lC|8c223Nr`yxfWW;u=ao=7?pW&ZXdvZ& zi3z0)0twt#HJ1Rsex(EK{q#l7!wY!S0_QQyN_j>dopP!Vm*9CoLFD+norQCi0qg zz}KAw5R3M}EE;#{$9`@kJrjT;6Xj-ay%GPJ+Os+_T=Y#EX>ZWK4U_|*e}RtdpxO$7 ztFLiu2c!9Z#bE#3Or#?o&yR{|EDG557`hJk8DUJI%!HrzfczM?1b9S4#Cg$l5%may zdfSSb^~GuKw8x5(Nt0W}tACmjcCI=t<|{aquVAbWVTGazf|wej=PjA7B&u22swGbDuq~zwHepW`_n&l@@+zpBG(7J9eF=XxC65=RaZFkrH zTa1yVRIx{EDX&f4D%8Llmn=*ObXB4mK9{MAL4tA~=VJ=8Z8ATw#G11slhA2$aCru`L9|L%xf3c-wKu3b&zw3d_qDTW)Go5~ZSLHEi zG>6o|%=fZeVTa4yHaZ$cSG=9#iz48zIB0CuxtyV??b#aZ#qGILBCkH=tiOV z<%G7j6K}hzFi@e|d@!^9)@urJ`S{+?LB63m90C;UILX^3d)X*G4@tfA5pm`G*Ubd9 z^md5Zc)+4U8XR1cY^VV|cIXyu_kLW#CTM;BX9iz7H}O`DrZ_Z5JaPxk4rT3g&os>STx}sh2yF>*M^F0n8(B z8MTH(x{cHG-Nx;ltrL}1 z>le;S3b*)VlVjpm6Rnj#m^#YZ5Wt}ZZ9S+w&sGHwFPko532|dQ#yzSwDkvr!zLUF3 
z#|!soAm!X*S|h+?Os(b{jvog-XzGtr7Gq6`oTm0S9v*ZWA|G6nJwx8kaQD36ey}7C zEGJe}VM0mP z->zTDd>wo?6>!}=O`R=sF=et%i#)VLloPlmqKw4@5r-Pf;GjgJYc3H1{~BL%?h)`8 zIGCy&vLIhSkfU3fn&z6Ss99}wMQ8Qf*RUVHbD9yK@<6jLQ;0-B&`n;SIf{IDkaNF? ziudJ|Pz$jG41C9=YLpU7dp2a)a6*Riani2KXcreOheY;^KP;PE>AW4+O!Va_emMD2 z24~v)`o_f4TZ!`P>(aK9dbJ@YsTZ)89!)AvN8mFR=hqEG3uyN+RV_`!Mwgy1buLYa z2WprX_P*~B`Dk=+bsRM1rOg@Gn=P~qTn*OjUZ!4O)M|7aHR7fae3M&EI8mSk!@S37{emrX61L_3p04%u`O*H%h4?O}709iA-<)o zKRmd9e8ttc$K+;v3OQ4FZ7#6_ay^;j9)E1-79nXo-vWM3K*X_adFp=k{rTncfyAQ- zGxG>HtlYBt`#8jL5xiIRtF?)mAxWPt>6#bszAc?T@EFNqF@7#cOi39LoLZNCG6Z7f zTvR{jF(RFE8-{b)-E`fz=^Cm!ieB5ioo#ry(R9FmS>eAjz%_^#{D3j9-MsMO+krfq z)>>Qh+~o#$g_S9roZ(S(+ra4y>@#wYiGpkS*ICj0R~--)I&O}vmf^z-J6&V?@cerK6mO$hDCg zjYkW!ntUoNwD^1O2Iy6ptj2*W(0F&WO}mB=NwYaXWyk|EWoFUfy(Kh&_q;)cC0lZG z)!OIdE`3)9lbj_PdQ8iQ^i=_OCbuuw#m6T|gp6qm-cKn;#lF25mpJUjVkj$~*hiy6 z6fdkQ!^NsAlos+mrjP!qsENQ+mZc{OS9-*QMCjiT4Xh)In6;M%&Ya<$kwzOqi36%j z0@hWbAqR~%JOMe{kWM_Vk1%T5M{BTXXR1SvXyoZkiI``$`Vyt?SoEYsL;9a6qQwY` zAzN4!Ckkb9#ZyUX1R{eNS+_Te6E#U${{VyJL24j0p7=c&SJ;a*NWQ3#huUxQEcu2u zT6bLBuaB;dAMmB!9wTRhd;fX@h#Ydha`eYktkRvpX+5H@tb|w52DX7&jH|>dX0D2- zzbSD_s7@eR{Y7bHXzEOV_9rEOvvJI`eN{fGUCiHriy#61)scwckOOA8ne8Y&Jq#z9 z^NgeZ9_E;( z-~Py3!#H#%_=856Rqa~jf2Wu3VO~5I{v#+@E7m>uE;+5p0%X(c=})$Q#Dm=f;7EYM z&!9TI@4yQG1Nq_;l>g$nd*#ReR)p4ss6#(N9nVCf_6f;Fg)6Cg>QIG&2s%=T|uz%T-#{NeAqwa7pH-3&l-BL2U^ z1|WIL*qye-5KYYSR`aoW+>TWe%^v?MRHXeYK=y0* z{47&{`@4(JCK6?93BR&&_85@+ZDIfM+qpUrngIUbS6Iu|kVMS9vHpt;5JV2}2fu1d zyN5Vx8kGIN;AE}UU`qgh@T;=g!lVE`a{MnRg?p^H6M;YYB^BOSX~L>V`_4boGHaM9 zEOz);+A-J^o$-%%ei?r%-A~TZ5||jt|M>vV%ge&?4m zBoU;Zc0-^B`6FRBU$GqHUef<6r}oZBNkmAbpD_@B|4AZw@AV%CSMT8~(fgT|okDY+ zb?(2zM>KrUfN%0`vH2eOZ-6u@7Yg1p*?|Hb6r3V^h=iD_$x_ah^TQW=4!fAC#Q=ChRi!55C0t3T1Mb13jvBxq~^ zT?^o`AAv*~`TJW28_Qt?0L&km^i9Pstd{jpXARW>ot6C4S!PeRzf=uCNhl`ZKUD)# z`t}c{fIle-{Y%N_Pf7sOzbLUs5e*LoKFMik#U>`e_LnvQya=TDqkuj+PbcF8=>HPa zK)WXr{||ftsRh8i`3L4tEWk$a?Wbk|8U6WfA`A1@r#~6>{KIH565vnCETB#UqXe-1 
zi;|vb=YL%jNXhOWN`rq=()*WE9qS(<1epE`FffEzB7hX(e`?vl7y@j6=@r0>KoURn zN}R)NnD(En1d{k61OI<~$2$V0$~Tj(|G+GcxkC_1WAk63Rs8)eFi7oxGD7-?(V;NF zpTtiR49rS^?O&823BUa}g#ai?{*#uhtAA30{D%_pUz7l*f7Mx779d6NfZdYzxQG>K z`>WLgya=TDyU=|82_cZg4^ag~@Go!t$#-Y9GZ%pQk1!w-g#miyCzjuZ_UE_2RA=4z zlM(4ZjQ)`hfbCzDVi1piNmdbS?!T1&(vFyaD9Qar31IqHoe2SjD-t+=0SgUi`)8p6 zN&GIf{(nLUB=JjF{#U+d*54GSlTrR4{Exl^ayIB6%s}g3M^^lY?%!2t)b$Ulpuc=Y z{tqMI!G2YP%0H@80noSKh4e3|zZI+KpNs__>sMa=Pf&l#%KwV#tz_eHV#S}5^gjek zUj|f&53p0#i~&4lkANH|C*#90@qs?|xW|lu+kXf#Es*AUAiE^to-P@J{T%)A*O9K({e-za54_T&Be4su+M$(<4~3eZjfWDaljPhFEc1|9 zkKv6M#8U&xu}b%uEhukC6yd05HmBVmAKHc*HvAuxC@mWrP}o}TMou2+S4NJk4(1vR zTNYQW(FPta?kTGBn<+-&pRrJew8E=~_TXy)HuJ62z@_>ncl zjA*V+l&@Umwu^rVybl2 zdK+Bi_((E!7Or?;Z)fMZ|9NUxj9a<5GCcJrbD86}kg~$Ny!Im&dZN2HA!vPCl{tobpuqSE#R1z zo@}KfrWLA`O1bwN$xR2<SGu1bLQ!op?}g9kT-`e@ z@V8tqF!!v4XkI+#k5|23R=VsNIGHiH-7CL$n0sq8SKXqwG16$>#ctXBcv1gonp-io z;Nodiu}yV*n~3(f;EAm@w9>qA@7C0~{7~5P-Du$4_1fcdy1~+MteDB_+^I5tV1upc z`0lXv@o>6k=HtU~d4sA|%U7q7lK8@NQzorTr_UA57!RC}#S2`Bo->}4Rs#vRcJYdhB@gqI^-~L869hI|%d9kvZ z)EW!&1G$V~Vhv$n3OQe7Ed>oth+o@# z^|veSp@tq0f&A~Odj&g25268%+z>am0%qe!$8k*G_1hW}A(R~l(yiD-kt{K0pZu~U>zSnnlG*-ouCut3AFaLA^mooC@3BJc#C zR_cpb<=2|=JdgAG^4^)oh|$8e8>94daDpfDf!2m7pU5J8{o%^prM@d%GIxL1%=I9g zK}=<4b_5ZGdg?Z0aY2G-7*3RD?3i7pXX;I}J5UT0@MN}gZpl!x92 z7)he(=XJtpX-P*bX1x<_@kmUm1XFqyC8LHr?3Cw;KVEa2S>b$7-f z)XUxqlOM-4%Z!3E3gL1xht4{_aT|hs*z}QNSe-EVeoCyKWplN0nhUW?aIgDZzGjWT21(z1*Lst zHe1N6ZCq}%4@5b?D|HxPUsa%KqH&03{94Kbp)J?eMA#^lRTTN$R7QRX?d`F>e5q@- z&4PCct6ALgO5>N%ov!M`RdFROw7UEUL#1!(PEPxDR8UP}_VG4=SFNNQSDr%k!_*CK zuXavPi7ACl!7bF*WtmhM6ntk;nB_#&dELkVB}BfRS#TDrL$4@@+-bxpOnk@MR8}a# zp;mp2q}FvMKcduRyA%dda;Z=a1936%5ejkLJ$X&q5k0q#_a)$lD3AE+F`+svT;p|L z>kbd|Zz7qx(b$4@`s=Ziy|`;LSJ*BPO+uMfF!3ex5kd=vYyE@|aC0DS&feOMVBReJ zYJr@JqvVUDV!_JO=%R?-ioF)cZwVs{lw`8{1(OA*13B&HSn9c}ct#FRltheAtHAa+ zL_%J;?L4Q6W?4W-z%&>yf zcI(?gd#;7N`a}3(F~tF5JW??(2*fZ90k0e#QpKB4JUL8|qYX&WHR0JgCw&QhM~ip3 z{cx!``9d)H8W>Px$~U2?5|j+Kaj2-r>nkrsln&SX`rE0F70tc$*?8!t)YeBOvPCcp 
zy?bl|n2~z-mBp5-+iAum29Ve#)$402F)`CJ&@4RNUFRzDW86Nj4_`~?N}pm<~!uzR}624Y|5`<@tOyd z3lN-XyiNy%;q%qHgfd2Sxs}CNVlY|^OwnygpJ81D?Ir37&0I?}q02B2dGb=YtYsd- ztfshMXM)3Glb+YA%FyMesJBrWwbgw>E%le;+dB^9!67S4pl>13nXV09?sqO4t%nj^-T6>_T68?<^9-y_$PKZ(P-%xNY@H4PX zoET&;MQ_mqo|`4>Ax=P_?#&2Mp_3(N&~tvMXLqdIy)97Z`j+MYW`nAVg6?sUL~$7@ChS8;i6gn*3hr5>my0L$ z>;;6{%guxwTO$Z5D2$9Lz*z13E4!WV2&Y}e49aGz-r{DcDOmL-x`?mI>m|c(-jtKw zW}u&)WPVLtfD%E@EuWUAnfZ|5KRR6y6KO1B({QE4ej5@`JNiq_s>BR&tMc`_Z{()&?9+43*Y^Pf#B8+^i6|BX3wXTX)n- z985e0l{^xU-xR%^QzR+%qr*U=3oHM0GncB-z#7H`m$ju@vIjfpwRCA2PvRfi%l*bm zii9%PF{?1>nCAFRhY7<5ST=##rNQ<20MqINg`DR?#m&tQI)^*~eELA(EAjf|(6jtI zaiV@niA&Q$qQ|_pXfa{ruQ0HJ^?QrxLkwwy9=FEqq^{uUuEVMvM&KV)uU>KJuLQS$ z)qFR7{q6(~Td{%###$AYLX5hgn=c4Wd^=aaE((o8l0b4$88fKx!_@%G$y6`-q~qj9 zs#R7+>|({xp39|vV5u(2JnB2*g5K_+i9qy56Ojjglqqy;hL*29$$Fw`zFnSZ1_TzC zP8Fk*Oy_nuNV4Jv-=fseR!7WY6B@N!RhxnyI*YEJO$g(<)Oxj5|l%-OddlL#1#!06ySvXTy@^0;TJE}KzgPJhp%zLxh zeZFk(SD+U0T#^K1AO#ww!k;jWXKqBWFRkF)6GVrPo9lhH-V@1iG}>?o{EW$_L40j# zCLig&ba-H=oOxLf*+dg_WRt6IO?QG6HlHvw94Mhu7^t@w`5?d%oK=OjYA!*7FH^<+ zzVLX9sg0CytfnA(Pjs0ln|d+V6iL}it0)#_>6m7AGA!Yyz9?^a30<ClBv0)I2F1S?%q%zm+(GBC9Ds$ozyT8 zxkSR{&G*ushEF<^%a&q2$CDO=d>#q!t&9UBEwqQDnSug!&}o4f=sl7G|{EVr&G5&-xQ{06d5Qo`~1J zg9eFo$rZ>w7%bj`AOt)l?z@g^p2*i_FnAGuI3Pjh=WN->hMe?44#Rm52YPqhf2(4R z&|Xk0Kn+nro;`yGd}`SmnA=fP0sl>j60-!Mef6#s(LhT)zY~PEXtsvKY9 zq+aLQMd)lRjxmDRV`?g8DI7z(Bc|O#ws|*Ar}~^CWAU?cGg9qTn@nXgMzMF484MAl z=do2P`mlpU7SHR5)6B4<#Md-Zme22N1O=g+T7Iuh|k`Bdj@KG2Ij4lRyAO(v$4 z7VY2VGJek)JUz#W$P^N=rZ|ht5)XEaDdkFCYR)>%*3+$YUfF&;9nC}LylzRM$qpQ! 
z5r8DJD!T^zn<$z*xNX++XU~XVJbMQBL;jttY|V77tjvH7AT-L#Y=H*8yCsMi#J!5` zxY`lsi%z9EOo&Ahp^J+C9wycpHh#)pWtvA6mJzJ)7o~AK;`_tHNW~O~+wpmK+tL23 z?12OV(>Rk|a>&G6v4szib@OaPq{1~~78-hBPSvK2uSF}a@5mg|Suy}`iCUX`cZ(fo zg=xJ?_{@Ycok6H0XlizjI$mC}6|Mx=C>-(r;*++BYSA~tkE7QuXqn=vV|sy5JA_8} zn$N`;&?m2;@Qm!@oJ|_s_P$S{f7{KlRm@MO^y_?ysdG+r2an;to_&PxPl>M6klduD z|NP39szK92CSp*z&)vJunbk%Y# z8H8GP$?rpR)jSn@4Um>uNbIgsJ&d$X?lp)7O}tVziSU}iI&@G)fl`)%xU18;>5`Bb zC92<}_vW}ujQHgAh(SylaK4G97UJLTq=z)WXAA8SJA5HIcLl50^wo|A&E zWf$@HY4K^-Pv5NCw&T|xFZC~vd|FR2h98X=ou<4oZ|W}IPs@Mi?X=iw`ESJ|e$)tE z9ap5c1sIXNz?3TmiBL%5MUGZ*LOwdlm#f)8z-_%y5rcc~%S9_z=iL$07by92@JP#< zDX-pY?+RGhowsE52j3IF<$NZoXC0j@yW*`(=fxL|K{t(dTQf}6m2zz?wK!wG^{d-Q znObJQse7{o9vSRuyl6yBD_aBArKT=u|bGme5 z!{PU*?NI%?^r3WwJTUPl0NXFXUL!-abADb)YFwa3Yj z3ArVU(%(ufvsyiYPb?trnZ;wHD_b=eay>m)*nMP%L--Ab37d;l=EhD`lQZhMzxyN` z+pO*`p1Vr~CI)*K?7n9>ZJ%|&4@>8nsm}9MW>$aVTDBf}HV?l~xTPo@a@eT$ zOnkB3$NO0+ALqN>bISPt>(KYrCAWS|W;C_YSq)4(j7%cTBEYcYV0ck*JA~cQH>nZG z+X%!0Knw#7z))sjNXbtQD9SG=)=w-b00l0(?px1Oe{q3S0@I!#Oe>IXU|f%^J2}57 z6`S^h;sX07u`w_lQ-DM#%!CHU7eGUS4bzg0)ZA1EX^72${U*;j-c>O$%s;^l9zuW{ z(72idYyc<^6lbKSmK5uQDXgZT4@4kLIp2)c6!5SFdRU;htKp_Fx^<$pveC7oS3U@> zF?}di5xPe7!W^N|wIA+sSkaEI8NJ{@Xcn6Y){LVVK{p3IQzFb^nuIlr26(dqBb|YP O3kX|)DJN($hz9^d5>?3n 
diff --git a/spreadsheet/macrofree/security_checklist.ko.xlsx b/spreadsheet/macrofree/security_checklist.ko.xlsx index 25f66db322431f43aa0d5a5c31c7ca6c008d778a..9a605ce7465a8e925afa56e597aaaf4777e5eb02 100644 GIT binary patch delta 32892 zcmY&=Wl&vB(`^z6?hxGF-8HzoOCY$r>&D&P-5nC#f;$9v2p-(s?#Yw9x9Y1p=LdDV zYS!*vv%05yHr)ju>ason3esTUXz$*=gL)@rw5ZYJ-=CiV`fC{UMFM?|Yz-A0Z0#Hw z^zH2E-K?!-qeo#rFu{oeMPutGUcZD6eM_aMlAh`kxPuz0tOFnKT)+w1GCVmYXUP=% z`p~~ot_QVSi|sYPAMy~{Fx9j#?NhkqTVPuAi>$*&EF{1OQ|ZmOUhoZKg5w<9a@C(H z`w}^Em`xXSYUG?R6Wm{C=42qxujb%L`8o3_>7G`uyNmfjUB-Pxnk%J(@TOci zp9Ll+U3hf~NbfNKA_kY-=1D^#aYw_(I2Ezmj8_4Jv`y*)V{u9vDY1)>7vN@xZY_RKKPP%#HXnI_6UjDymn*RU z>x^%=@4Fxn{{)sat1!dV>D@cOV6cSuzL)^hpJ*O;Sf;G7r&qtITaa0*$9F(bp@7S0 z@za)!STE6OuiDFdbmW-$ks4X%$6Jslt!3+Vy^qh8fNAojj+;16yOUO$r}O)@*%H

;1Boge6xQdWLMI(alLycd~12K1HJ)^ z(7I{@t$G^@lMyzj4;EMBId2-?$tTs})>P{ko);yy>lN}|RMrHDM{{Bl_HS;$q^q6} z`q9b0fcG{~AaHMdv$>u3_-k(x@cKp2=V^bx0Qms+Fqu)jBk)$IvlcP#)3By<(swDp z(VhzoeTY%(D(k#DlJZ)2eeGNZfK?x#2JIwAcPDp`bq;mN>@EyTMO+b0yit6$d4B_)-lU3E0CRln6yBNFTicC}FV#|u;=4o*(re$#8rG0krQbf;qUol_0k z*45uS9(91Vlnn;_yO0y_D^KStM7>$}k*-tqjK{a$|7571hxxBiw4RfZ%QH$$JCt_30g6b zSd4@Q8~4TCG}&LREZTViV!fR9Es2uK5)MkCPbU%?%+m?l7B6LI2c{!9uc=%cP+i`P z^4T&QPfXCl=wt|YJqt0#z@^oQK_#M_cBBvYOTr+Fw~+BQ*kKNTo_txPkHkv?#n|TF zZ;CNsAgkykE6Tr+KO|$>iJGKs8}fBu;IuKP#%0bnk!$Mr;5HS|5KY$cO+n9tsH>r- zru^BhL6IT!E+i{az5Zu!j^6YBww%tI4_d$N(cJ6#U`7CMe!NY1abS)onbo1AQjaxB zpYUcia(v!73N#?vLla;}GTGGuCFq$icq8kfl#vr>hm-qAvRNamxGu?-p(j$BUfHSc zv)ZD5qh00!6U+g~e?o6G9ni7a^iEdRlPEZzKUjlX zAn*epN7DQz_iy%Dv0-fE&JmztNsS=#T%ETDdU^=H6bJ$7<(;|qH-g~#TUA!{dL6M< zW;0j7Ysndb;0}CT^H|p@Amq6n|dsSz_67`^3(UEy@qAlrr?}T{tADcVbAy_x>~ruHbJZIc)dV9JwysE_5- zRQqD%{Py)(-{fKQSoBT2Lqk4Y{p zp#>C8(L63KX7yrAEb8f0E;Q*%i#soVSwxz=g=Azj{AwGIxvMZ}TC+_FA&5A6fmf%i z&hU0*kW}0l?d}?ev?qK5+rSeszieE;;Q8b^GkagCdc#3FhVwp4YUnxjL0`!KYZ@xL zo#3>8vPd88c|k3dTU>@tnYvXIk#FEf6lNgcCrij|KkjtRSA=;(9Rq~ho~Js24WDKY zBJFp22o(l^D&MZ87SB7`qd|db0+E9B~V>4HE__a<4!<2+%vQoqZN}3(Klag^F(D1_97-hEMH)udV zHwwDM5S$Rh{9JAl-{M>od5p`GAU(9J_Q8f~|G*p#PiXvk$yxbetH=5r4-a$4H`UK7 zem{Cx%{~y7%W*&nYl%Wt)r8RYAX>06hHQT6@?XPrZDy2I(7P$$D<-__pen$f_nxQ3 z=xaeRu3tTss9Wbx=AM=I`Bk`BouLVYb>X^ozM%rVRs=39@-%FwLdin6xh`8PlLQZb zLq3appAq!%`?BrKQ7$z%!s_YOZ&P;`9*Rlt>Tw(=7s&U2=g2H@Uw`DhL8!{SeQ5Bf zm+cc7c}YYSOz^J_{6q?W8My`l>&v;3P7-XvvMQFLiY1HYZz}RlFd2afE2ZJE&;QCW}Z~#)B4T zi?Gr5ns!q;=p$Nn0{b@h5vSWjVa+t^(vy|xG2|302r=pdm19*dY97C|^d3u(GB%PL zIFY300jm4>bbBPH-s6CYSl23$tw?D6K54A*I?A6L>*EWym_FZ-sF=RM$7D75*Vav7 z4huZ@`(;4unVo8uiUaRb@rt7Ox4~!b)n4DmC^XfnMd`yw)f8a}llbgt882JT(nd7r z$VVxu(NbB;$U{TXOO0ZtpKY&_cf5T*btmH(++`uTt&`ZsJ$}%R+5=_)HCj4MP_chv zi`vh$FiQDUBqC&Ka@nFns?9{QzL=LnIB5Wj-msud!Hil$^D`L>mA5imX2iD;FK<)#$xzoQn8HGEj1)WXsbNME0DRYb#iiTDJm8!F&^Rg3Cb 
z_e9$H@Xbf~Xc%U3sq_Q6i4V`Osgs(a);VF)N|+Y*S?ZkMn2^#yLaY324pIv2d&LHQXP%`J)dnKPlhjcw}p9!pEyfsq4C0e^ec9PpVOTMXX(!LdkRKK05 z!FRQ9e|m1|0Ni*(Eq&h3mD$cO-5aQya>mtqbLSY%*d)>{KYsa?LvP3+3$`WdCvSAd zN?3-(Bsp3dIs$y|^lBe6V}sLzSNh9K3n7XM=&s*yH2h){LQs6 zU^oG16!;V3xWugK{dHfIAz10@H!-X!h)2Wn@+!iJ)wrzt+GPS4nmUU9az?qt+oNgN zU8G=Ur9Cabgd+DbM|w>C%oOHCQ6aZX7$H#R7x$YVuAsztrq|`A&3AIcgQtW{XV#r=BjP-AV`af-A3x$F%hxXy z;NeveJ#)J;_v81RE5qFH*STY+H@Tc`GS&gCn6TWz#hMQ9TC@w*Z8x|-ToAj)G^VKl z#^j&3Ce?mr@j)KF(R{Kg2>=6Hws(8Nh>5cO*#fG-J^mnGd9GG z?&rm99!s&O7!8FD_s?x#4JZP_x`Mm^xUE}5YQe3+<9pw7_g6W8LyxC*&kvid zOaN+^L@}t`KqgY`-Fw9lOC#HSnefn_*2(87qNz7GoliiQstVAz@kKvU$;zF|w0 zy%1ug1r}YaH!Zm**qvt1CJv=$zeiRMkv6%Dlq6EtxJwh@HnBL5MC=ckf*~|J6rM(- zcHHOz(k+N1DX{}<;~z+OsmKJ81DR;NKL%h{z3VAf_;0`S(d5dtQ@vofgO*6q@TmEn5T^8`FGBGJDm+B)#Yuti8;!8Yio5jO|5*rNOOCf6Tq%$LYAt-9Qi0W6oS?Fz zqZ(AJt?s^@$NyG)FcRb!*QD&q{vatY?Mz+NjQ#f9a8uAN9>91;)eMFdt^e zO$7&c#9x5X`@?w)S*hA3pVP`!&*r{2ApPal^k%_B)lPJBHYYZT^%#-I2WjW(5IB$f zzB`A;bnyBWD3%l_x{)TjflcCSQ0NjRnr_z-BTb1R)hD`>KnWLOKQR03=x$mNo9>k< zbcjLymjT;yvkWiTvo$Y-(-lV=$+q46FcgS}I(Cjn3XbUWs4Kck87SEHN;XND;+b$2 zu#;-vx2c>3>NiL$>84E^Pyr=)6b{Z`Sk#NItYo3kJgXm$?x&Zey<4aRWm2P~q1E5e zjr6Qs!AMP;*uHVTa9`6xT=pn{1SLzcMJB=@BJy4`4b`2=Sb3@h89Ie_QgbYTm65Iq zSYc=~Ws1cJmNHR#MBna%ovG=DT|vCWjj-Q0;E9TFtx^ zt^5L7q;VQTD$7acGoq;y%4!hSqLM%8F;_eggcuE+PB3zIa^S?5pJ#*3Mk!{f^B>?WT z{)0g&q-(hql-N~0#^ZOaM_7nHZqcFqjE9zQriJ3LvXB+YR?d~zzlAC0=e{>+h0IX^ z^XoWkl!iX5IM|*-90>K(w>-aoX(iN8gHUpF(|i%fqBt_?gY^YRI|eeqgc!Q0`Ph=w$B^$9+FaaHj7VymZNuNd#;i6 z5LC9_*bo>2iA`!hp+~X}FawE`;j2Y%2zT`)yA2Q8?dhjk^H({P)?XYv{}}(N0L~2L z5;BduO5AqHCsJ0uGi3f{8Xlu6xL{v+=yqg zow^9+#FdpuUlL1Sf-$qp2^+iUwUZ%~xW9i+s47RKittA>cFkjJOLwTkB8UlPjCUn^ zC@B(yCBGZ#=qiyUi~h0sE7`0R<(WS4<*PnOOWDA=hd0IC&sxmoqM&p}Ul)yIr^gtN zAKR6X<|CyYW2`5pm=U(ihOBuW9yNlh*d*2~#?b+%u4r4^2pH2gd!DVc3X%Kv6TGvRFcH~*kha`4ll>_&hgNF1eTgZ|Q65Mc{M*m5FnE~}zX(d_3+gbnOs{FSvuAAxS=8r*LomIpW8?5eXX^0z=lMUztYo@btm`#xbv%>v2 z_6i04)(eFXZcD3>4wD?u0oT5B*;b7?F+U76Q6p}eRtWYpc~=#d@S_Y+M_z)3DsibD 
zExJc$Bs%LqB%^+WM^+oEmN}##8z$LEIV+K15*8!z)!_Oo6u>?aMJ4Y&wnobfAql2m zuOMrit}%KQu#73lmxxnXnU+;9ZWlm!j5v*1v4F?cxyqw+_~xudMBg;Jr`lb}>-^6B z@Rvb$>rL|RcJYqI3})y0hS|zU|LbRb7noN1K=alk*>})prDI^Q@2ikS@^guM%w(WV z?WN*Z5w`=C`_a;9DSW|M|EZQkCe-g=mPkKufq+PTuH=B#HR}ym2%96p=!7M^0<6!~ zi@SZ5-CR`aplk|@+p@>sLrQSDkJRf2b^xP2?2pra>vFs`o^IKM_Y$Eg0Z0JLY11AV}XwmKFL4 z%wZN_^z{ENHC}!@`$q)SyvJBUbSV7%!_e(WA^2%_^sAq8+xJ`xLZ<>lB>p|T$j+`; zmu8L4W^AA4AE&9J-^q+3X-*Go*bVXgV%~MU8Xs_tLIv70QtAHzPcARDxLsFAR!R&a5EU&e#Vok_42AVKx!dx|Avt^{ zl31~qTC6l>#*FgWjxA|kf+}LKSxB35n7{~N4$V$n!-Bxu>ASzN<{^GOeW_rjs{Q9035 ztX=|x_J7_xckOWlgAI2Vyyw~Z8+sy#6e3VII)Kex7b6b3H(| z9JDuH9#|3yNH=HBEnub8F7(;(C)78;H?j|i&|GC2gN$!}PimjXj7UprqmaytqAxYl z9BYjz_i@;9gTfxGUvVTwF%ezt%8!)(AE&%BC02h3DeHdar!TDxc;M|wt$yIO-*wrQ z>orz1Mf~~B!~~S{deKH~Cc3WG7y~U}?o!%-tL>tx210k(zq;#6M{&ts`z{`%Il0JaiKj)W7gt{e2${0) z`q^;&P_x? zk&8uA`rV+9)Ha-nZsQm768kO5B@K-`O*o%9)A{P+Vz9%y$Kb0;6 zU4Gl`Jl5InJ;(o2(w<#vBaE2AT(DR5=pg*ciA;s#+5xW5Nz~biOnZAc6N?__Z=(P0 z{_|^owGA5uaL0XA{Z^^;Aj;Fz@E|V=7G5!KQAzV|k+m#O)kaEAz=&;8#*C0ML>QaNG~;|0!Tz^}m*qm8 zz7n}GFj`9wqoy~$3rGAC+*392ew-XiwQQos-0LL`SV2#mTl-5hWTcy8ddTg-n@tZmTNEm+= z{ze&C*+d|dJzXQbpp0o$m&a_1j-DYdS{`o~%L*sm!@EQ!3!5BIESpbUQe(> zzxY=wyyfi;>e7P9JAVMmv}A8bYYbw-wQt8=yT3c9mfVv66-QFXY5-y=5#-;2kXn`p~gyxwL?wJ@c1I*YEeO>=} z61*7*u)vaf`RQv&i3RKLPh}|Zxd=wrJQptbOgYbmwE+-VNXGE3+X})StJCpr#Qn}u z7%2_DeW|)&b#_l58}Hl~3pF?^pCZ3R2I-x$#oo=&vAe)Ri=IW!Qa2}b;K-W)Wnui zHoUC2b#n1{>Z4}YLu2>ns7^3_X9#`g(y_FUY71r*inz%={4L8g%!D85L}@?hflzGt z)&38KYvxxFib@+AcifFS+?@s2t#biWq~Bd|W2XwJo;-ksQfh}@Z*~n=&oO~oNKA~o zvFYIK&lQ6WBP!~-oQjuM#betY$$?^P$c^7xn8(mc2U>oH67cV(&@e=IPNa>yqFGQz zdD;pq6*Lm3vI&#^6}e3m6x3O=Vnr)b_=DLK1byuzO_#I*uu*j#`g5U*VOJ|-*GxRv zORj+W;bN9QEz9}9r*1fhJ%p6i_2slgmJsKhx+$)!kP{D8FCv~gG@c~GzQtNU9j*W! 
zE|tBpo+L|+cuG!jZb)f~Eix`-dn{Nr#{NCbEHH=Ne+=KZ+ZtIi(rKyMvCr&vh#eqR zX}?CH9UPAyJ24T6WIsq)c_tkf!vs8>bvAIy_2!{ss@vUlq@eZrVCeV?zlq*FbQ3Sk zQNs~UFyPU5t%;KNe*^75D<@u0&X2EzeR4(2+&nU17gi7#R(}F9InPR<7znSgPX)E_ z^Euf(zOTNe@*Pe=#b;ief1LtqIXCtUxXH#O-slPqg!~MA5BX|#z|&DE!&EOrtoQUF ziHJKSt`X+SM3?OsEQh6&0bOcE70qEQ6HljR-Uk65DcyP{tB?@!Z( z;LM=C5hX{6=v}5cF5Oq`wOGv_^6mEq4n&wC2v-p2JQ9JT3WB~py*Fi2RMxbis6wrZ zAeR_{e;?Byo&umwct~cbAv>166^J4P^|(8Wt>);NY}-xCtnsM>^5OR+IhDu3PT}*7 zGh?L$<3`P7eRgg5PqFd|GT3M7X84!x$-?)Q&o6hdz(5vIBmp7Lr%?&^3u9rKP=#($e2U9BV-apW z!j)aYw3IzRA_>m_2`i%$ac1u@l&SV`0cP$AVJlIwxZzD_@LaV{mQ6MvpB0p*K?rKY zfC(p+^q;y<+%)X0DPvB*jU-@F_N4?#sE;Tx6eQ$yNEgg^UagUQ4MBbJlsEvzrL{!Z zFF~#8)sznEZ6{?YB7;)e-1xLapG9uLzD*;fIuL_;=G9)hI^H_@gSzbgAi zIJ^PI??jc#iq;bg?B6WEwW3-N(<0^-o7Y>rJA1F{<0EWdI|^dIfW`MCsIQ(9B*gdE zo_@1)s=sf#4JH^gn1wnU$prMO^!&0zK38K>gN6k&dAgW;tmDuOA4wvw;z^0ABw|5* zC%pnngh=hfo6!?@sGaaU5Vp<`PW%2%Bb`6kc>5e;59i)a7ce#m#GQ>X*|bHjp9H01 zma7L5)fYnRTi8$Bd`RC8$0IboD+y&R2F;bj-163uSr0W8&}ISAep+Xp#aV&7?6gQ< zgph>%-ajBMoKlZr>o(iw8i@_~y~s1kky786NO4f8-f zBZYaYlyVpta)go#MOlmfhxh+{*jdK;9^}J!e{jn5J0S7pPHW?7#uVK)eG-r(%2>fT z0rouWat4Y~Ag(04I>%kK8#a0@+T82V+j=|kh{_la+$zY00|z>tnm@WYrlB1LIp+iw z7&|q78l@k^D<)sF1PG*Wq|OWG1C#`<6nO)$ynnUE$CZp}$QK>t5&; zc#2*ZYcf~y^K`-YL0D;P-AePL06_g{^fr2Xp`gkh-oC?0dT)6<(Xq|6g=Fb@a-Cm7 zPBCE*?=HNZCT^MwQS$zUxsJ>Dq44~ z>B^atty{B7tO1k`a1mBKKnb)0e7c3G(D4sqC;A8!0XTQL@Y$Hc4q&Jl`c6qsBn>U{ z(C!AmZ@G!=))&)Jei!-=*>Z?QhCrzJ3GjD#}orb>jM-}5DF(39;+8fQKok<+I zOPInW#DE3<^&}uD=-D$PBN~#9t>BU!s0|qrG)fU9l7d8a#__LaZY7-2Zy=qQ?<_s@ z1w1SIljRVriKh7-bg0~ICI-#}Oe-m2hzyVHo{q&>s0{y{a>Na-Ld350JH~f&Lhv?@ z)k9n~g3iKYXy&-snsn9!k?Mm+c)x#ctOIfqeW>sxWCu~u#qy3{Lt}^Vxe#}xWyc4w zt)YY(|A{${gTGbpFrl{g@C{CvPaa1=fd`^odhwc|(h{**Fj_j%PnYZORbxyTN$$Ys zBXfS<_Q%1uOf>`%#}kh6ZZC3CN010@_M4rW#-YBR*Xn+1KNV%Oys@3|1MrDRZT>{1 zuPT@;G@Uz{F3VU3WvPfDDc^SKhz1!6nWos^u3L4m&e3*1FJ1xGN{QjiFUf-78c7Gl6mCCQRpA_b^dBrrzlr<^QIAFb=6LdrQ$x#l}H4( z)!L0fPd*{JW!EGEIvW-FpXe|Q7>Upu1Nd5Yn&bUQY?D>o7EF?`da;Q?Emoo! 
z7U?TyibyH{4kMZ>JAtEO37hqe@m=Mjn)2TqNDOR=4kQ-#9B=L(o-*#v_7Q}o)C#&u z#G=!FV8Wu|77D%|j;e>bMqkY+0C>LybZ{<%4>TJoOCfg*HV~KF9HQ8R*dKJjfjGmb zUW2<9Go>BOd2jSDk+>ONHeGr-U!af#^D(KfhJ?^8IYUaz+?IBvyoockxsYi!_lONF z$k%tQkV(V;?Uac<5j61x{dwkHCX%GoYb zz6H$ptkL8jqd

d&PjSprb;L? z>{?K-{YH#M5B_&F3qYmAl@)_sk?I^Gpfx6V$y8z>w!NYs`@vpXBtGds^wHSZ8VS`<$ zi#W0nx64wUl&^HguFH_JlYQ+PrGD<3KMS4oPo$UHmnr<=s$Q({h&_~o(f_!4>?eLe z9ct$d2|)4IxnBWa2E%k=`%>Wg&;+&BppYhx-rk6$KQ@w28170`nR~fQx6_uXJfSh{ z9n^*yfB`c3Z#4As%elw0VE9~1dl=(mP0_L3`SRnMda%#y@M7Pvt5JJ~$GsSaLIxY# z!Pe|@F84y!NRH)l-~qk=yQ&v|?)%=tcXR-V`mLC`Y>&O$HnJ}HIwvCfGTJzTjO_kj zLHZT)>vM-d!G--n8?TTiTT1Ugsg18KIo;?xS1f8D=rX=wMsuweLy1_%XKK+$nF zQ)cyC*@qUG$VQjx(npL|Ynx#6d6IPR?~cc|wKvxRGMC=^$<4FSC8FRv!5<$KGUqfME|>KTZZN!l_3e1)ejR)DKs zBppoZdv)W=-9aSc?BW8cDcy?S$5O?TSx4!3nomv-j#Jf7&J< zhx_K`VW8%G?fs7a(L&{ZWGodZDc3U=t?s*HeBi zW*MkJ_4h$1u?;CoSsQ1()GWWJT%cJxQI4mw_6O#Wobi4$|0=4Zy1rBA7(BIviCyey z^QDr#kIxtMlv}XxMzF=p|D zAiWMxt!1W??1Tf0M+*Yg6gudUSR|;-ssH40$jN}wkO$r@MkZvnGV&IJTRXq5DACif zXdtwKB}*QMmX8PUaX4M~2>gxe|I&&etJ}c&}Mi-;giM z>wBeq;?qesFFE?!a|G17i6g`VQ6+nWW?oVE>Jx%85#U{1|i^Ks;kS|{r*%ZthIvt zyg0FVIFXDYT4pa)nJ!YH)7-s!*j=OW^648neCPTwV`TcNYEIS>gD=zLJ5p1;>cllj zaxzokKfmu(T9|qt%7_mSI@8^91gL39%vU_k`3;>SFY&JL8;CbbXEl~xhRwa!ZrA&E zjIdEj$G*J{agefVfsxu6N~{VQ<7GUm~jmE|D`f@VCqZwEzSK`+fgf(rvIDN$G2WMf0rt)^c*B$})3R+r zn|1jv=3v~RiO~9;L3{oDZ>HEz=jNS10@n!=xPFY8CL4TI(C~v0bbD>iaT*^XF<=EcT<&sNU`Z;m;)*c<^#HYgDoW1THEU(0Mt6VIaCKjovo;pkt+4i>f@Xro5=(tr4G&Cg#hx5jvXj-(Iou z^Cd=hok-D|+V@6FM@qdUFtTbB6bv+y5k>OhnOCK7sOhO!^&pCH5$q)VN0BS8i{ZMg zlm?z0;emDJ%*nFi%DReIQlC#?hh~Yl@sth4fQq}!93pJS^M~VeYziWdXFsW*tB>E%H5z!60gb66!SQ5&w$%& z<=KqI9UQBPk<7}@9+S!uV*~1KuRlZC@T>w~JdnupmcS@JHvRWp2Yxy8;1z=da~!uJ z+=hv-`BRI8lX$|}+BCuFsX_a4RJ%br^pc0-WT12$PvJj`?AGD{BCKkvfA+-1`ZO5X@64Mw2r* z=5++u?seYu#EW1M!Bh5s6ZDj7ocKbz;2;J9r6xe$@le*FR}v#A4)gTT## z3CQBCF=@^?x1LX(zDB!y5?Qlyu&)+|>X8-ctGhC4=TJd`q0F~4 zPI)skPE}ZG)2%WV7iL)f#JVxp1+Be{i~TdF{U}lap5h|c}RGK~}g7lo^{*0!JG@0FZX+q@5zhkEFCiRGWfZ38eedNe9YgkF2er-~aKbdIvm(g5<~U zE%U0*L0La1Yf$7#s*4J{4U2m!jyRE}TEE)G3#%da{Mf{2@=yw&1G|J{H6|)pP)MZd zzvh+H!VK|&R@C??YS;nIXZwkJgF(?7~Vs)xODI32#W1~u3h)R8vBA%fR#T2Es~VSEKgfnFZWJHg;}9zXT_hiE(eIU z5Z7uTvc^pFJ#6}8@^|&A<3MT(lH3slJdh7-hzA2dSg+AUoW6C0m0=ILmP`-2^ePJNe4KcJ=FDqe?LG=peS` 
z$Vf5$2a;+JyI0wB{l$_Nb0oW1OZ-D1aH5IN=Tkfa;?kQY^_WFqe<_U zyE(42_x@O`VhQnary>5ZuU&1g>^GdrLOVuKiO_-zAo#Riu#QqjzJi&5^+ter6CBZ@ ziG{FXMnO$FOl0hyi{g1{FRt@-tXlqF=EAj@$zC#Mf&) zNQjn$@q5LNuI@VL>2VZ@nDP=eIWeZ1ZhXT5_cibjtq7)H3G!0Weu7db*)~`!^X(jP zc?9?zoM>ryPv<##^5kNUze8z){?n3?r|qkfGnYY26Viy4LQL>BRyx@(Z?uOeaWn+~ z{~Z|?J7SvzGqe?%BA@o#^4+PUlx)~2U$#jq z>74Q-#QxvtnUI2&9qWCRGo_&jq(f;f)`}ShjhZl-`XEqRnn8n?V}2)8_P{!6FV&B$ zsoSx75Lj0QrWLc8ny1Z@vr%oHE4ZvzQa#gsg6Knr z5I8#Z)vW&yi`+=c#6ZSurFe8=(mDDDi-cu=Y#a5X|e(2j%d z2=A$PZuaV^4|eYmSJwP$fXZx^o4%XIU>v!{q44|hN1^%A!FTF%mU>eGEiUDifD|7h z=KIgG6dx5p5jePiXTfk&mtM6rI^X^0HLo=^Xfbi$`!fFb0VJQFRcL-9W7|Yh;)fWc1|@fI&i%pXP-)-_uUqNf^=fX9L$Pyx zR#DoM<@3uIK!Ijkf+otP9Ai?I{fpv9CA%}khzJ^8{}z+kDA zjwu7M0p(?k`9I-%k`+Irperj`t5n>U(TNy+M;yxi-!ZN?Oi)(*tAe$$QO!oH-Ez~s zgG+@x&5{7x?%WZ1@8jHxiyj;W8gJ0=;@+TI$nC=4Q`0Ea-4m+j<7K z8W+OG(X~J{k|vah`iCG6N_va~z)Pat61Mtv;Im~}@dq;{bV;OOeUT_XXhpeyW1z3x zd6@@LlqFSg`#-)XUhUm%biJKM@giS(2)}l=Vr;y;Q}@(yb+xFPK@O%p-Gt5Rz`?68 zyKx=)VPrCN=))V8ZdF~fgrA`%k?Jw-9MuEy&1{IFM%QvB1LOYH4KUGH*d_{}`FUia zXdza!6ehBnCxE$+{;1xuuX=0Rd#ai+oei4ETpKKZLzAvkd?G6^tey+T;drag=35$9 za7VpKPa5oCt@!UXnwhQ|1o$h_`_6m4Yc=m$)VGV$X^s*3$oY>{3f?vlNB(G~YJ@Jx zbege+nSIjaJj9|vW-PB9%$6uG4ChUYm%@LR|0*?SF2&pfD74ZJxGZTcYraLjxN!e! zc`d9co67Xm_u}5rbZ%-13T!d zNF{D64QNp1F$hTmU)QnD{=>Bbs{k`UiAsb9lvU`=iZDvtQ%T8?M}?|bBY?6>YlYbO z#|P$UV;YszjSHlzz`tEy@j6tkv}j+o<t>y8AP}VlMfZ>AFF&BQWW;^ZPmE=@AQ6V8)?VHzfWc?0h0|U>!RDJM&<PkYu^n5!22PT_Wlq>b5EAf2X&eIJPGui<^-kW-7! 
z3`EH0W)*V#qCZhx_*B^Wo232+qa+!d0UGR{!>8 z=g9g3N3q#Ke|6eOVZ2lIGbOV0m70HVpv-t~*_ZSWL_BDhSnF@4H24jm6Brev-2?xM>)z>dBr198fCkB#IBLK6x}V7T%l-nxZr;y#=!2m}b-8 zAmkUc{Pqhu{538{b^4S8H&JFwO;Q`HN~D|)Q%KanT31#oIjFiaqTqS$qr@|q_5vmp zcjBJ<3}z5l1>Q|guhi`*)^1Go5>SjUIYUYjL_p!L8MqqpSsBbfPDAS}6^j%Y@Mh;v zQc?5elz={sKBwL?bcud|e*_x;!rPeglJ?E+G9%*=EUS=XiU7B33S5Ii`W|sX+=RF= zjz4x`n~tq?>TdLC+hB}jT9D0|$n!J6)E3iAhP}5HHiOM=j^aF<*c9Q{<;0cgTvvTEEna^R4#ZbT{UG+Y`&5XylPpo69X6H`iui66XlzXP?55TnxQAU@u$ z!TV=uj6_cVSj$`-KeS9~%P5NVz-ipHiM3dpWx9!6`dQg90}UR-Ui9q_I51BN9Oyvf ztXD<7DN%mpId4_D4di99bSDB*Dj!%izZT}~yRZ>kRPDrZdR--G@E0gtz4 z_sRl%m^bLQfnn+4_tdH(B?~^51l0hKEc;I#yl9o86>^s!>>L%Ud`e?{ZPbEfunv*d zXQw~rtuKY-;#*l`_ycJH*gdJBw;BcE?Z?#oNii7AB(4$*sbZj{@8i##C7|V#p>M84 zcAzmS{XUZ?qyLF3VQE(G*rDYNcmrO#mz=_iG<-VN9C=;9a%AVXwtQ{h9MU7+;!i0j zL9O@XcOokqWy~`w3*jEt%7tCwg`FmI;Zu4d4;rDMxB8p5fCr1JUxbaZ517y zy!<*BvhL10=FSaY%F}oCs^{yqtLKGv@%mnR(+MI2LR|x3=bF-xDW}V0sjML!3bk4b zMHQn=kNb3WPlRHIPi>ZAJ-)pWd$PWOp#2diw`f!$EpKb=$vTqk$qQT_v$B1AR4sKTD>1rY znhm)oF)KHwjxV2i`d0S3z#ka%C&FRL;hc7UjbKD*YpdLf*>f}(nyDdlytY!-JsH4TS7vb zgLI0t0@6r#gLHRycinTqM}2(X@80kF^S2Lc?OAKh{Abq8thMW{K|oGk#{5#S@P z$8~x2c^iK~4+mg2uW`MwU~zFew=k4j>a15P?LYpV=N@Vl7tNc%T>gRnBD#YEb0rJ@ z9f|jRTjK&r_}URRKpGYlaix9*9-PN$Hc@=lHV5rm=8$*+9%+=3ioUJfYXZv>{;Wlk zLRZIH`ewYtDU!sAq@s44C&?3%1;7qgj&vIZ6&>QB+j$|m^E$QWA#oV~<5Y)!mOEqbQm=qgdY zCxbRvGF(yjsqWz1f^bNP*SdM*(&c*>9*IZTMaeW5$3|@AW%E$7*%}ZrJf3%2{@i~) zw($t# z;bZM;|?-#g_LBh!<+* z??M8ybtB-8?0)Ws%%!uNg{4nrs%P66`l%ohiv@vE)R7Q%6Rm3CQ)R(9E4>z4RkCtr zBbg4!l_4Gmf2?vg`P6(WD6xIy#xntz)?;9}8zViYYUojtN{B6b#*;mzUXTJFIXOyT z7`a0Dz##T}fEZT^_94=?7!9RmDi}F|$nW80HE=6#9+63mPJ`4XWZBjI>rt*$d&ykS znPE1pUihshM0vi4=q^Ikg#+itR-<_ZC`CVu*01F92Z*kH^eg&~Zo2bzgPPZsSm8J( zU(|g3p>~muEv6qEk>2ap;H2;Iuvo3kfS@h$Md5We*s?!+74;F~RFM?KxokoEjnzI1g1ZEI)==nfH8U%{qAsznX zeoH$9QTE~!*H0_DeD5#_y+0f_654)}2PY?s!nPgAK)VF4h!;}{4+p)FEH$I8IxOG? 
zk5OFCOofyV7sZmshUmy4J6Hx4*!$3t`#!GN5fPrYWc(AB+A?0TlKzZ!gpDL?N2EG} zGgPsmPP0m}uNPA?gR8+Ey3ty4SIWp1+Lp%%HQJp-XL|O%Bgtp7#e`M|O}U|G3V!Dk zXQ+U>2Zk~@lp%i+ki$5v=<6wY#tlGch`37!3Ytwz{HA*tfbr75ZAD*Vzwjk& zm9EHkG^xq*95?a6r=R9QWtAr4jx2KOMpdv7pv39fsK99Jk6-{?-LO#?^mJ0+?0m7c~dj1R%0f^<|)$@xh09v(kwe8?{7_jf( ztT+-n4Jh{;;^UkRKFR?wTto`!3{?dD6AF0z*SFvl(GeBo`NMky$Jm+n@8987fWomj zkc@O@_q1G#@=*rfc$V{fhbs-njgT>#1nM8y-HI7oqH@bx9JH-T+QAG$)*d?EIx`Mb zgl1XTXKN^mae!I-JCRlt|Mj)@)AF^PF<~Y{^GXs6N)~!UB#6VKxB?w(&+za?n)iO| zi6}WR@W*-jzQ5|De6YdxnROS9!YH)DtY;kE1M#}3C6*&(5yF_aFhc1+v6`^*mb}VN zQOxub`xbnF;I)7&WST>yeJR%c!*1j|xyKY8z!f6N23wzv!sc4V;aWpn#?R*(=OVoX z+qf<|zc$^K;RB_M2n&-@TDiy$%R;Yv%T$&vX7CEe;(&XR>aizrr0Mv`qKpPNXh1h| zuq@@XNb#asWG4B1dYqCW(Of49B^#=0c#}d8jcJN*B!(n1Bn6#iv!KrA$CO+LUhY!M z8ki`1Q-+I`43@Bb6kj1a3ZXnu=J!`|l=*Z?RVqA=X-U;-`c~GKN3wcezVD0K3Uy-l zT09#x)6Cke%b~lGPf#W}B|S&VV7dwfC81vMyX7zQs>I9fCr>1D;fIH=Ne~Z!AaekA zI6L2=KWr+6`sJ8SLaV5rcBb7P1mN z)aArQII2Ei9?qGirrwD>$1E_VKh0)-O|vVFq}Yi5+;U+64lmPWf=(sfI>KS#tT=G& zg&N>`R<@HH9>A^j8Pu=tF95CGto@ugd8NSz?KnDIFx%?FtL8g;wSBODeTum0|Ax`^JFnOvxeqn|) z?n=wcHg7N29+*4hw<6-`372i=Qb+bEJQz)Fh#3xGeZ(IU3L@nd`th2)%faruMOWr? z4zc)-%%pc_3acsn{e28+$Y!dHqyF>78nG^N$3PDGja?dh(TMI~|6I5ZfF!X;}>W$P)m`erX<)>0-@WB0}sd$P9_vJ|6H+esE8 zV;Us6tqPR*saraoHO;}{MIU85bHQ3Kw)1SxCJ-cFaW&JCaWHwG)FEfN-#YYtT&Yl! 
z)$sV4^rv;ncsCR()1gPtlYfL7$paz@h*&fv&DcIv0^&}w9aualKEyEy78h_Q?kJ!v zNJyv~nG}Ed95cY2=JaI$S?8L^$^6vKiB?g6v9JEUk5GH|${%|h^7>+0ERzz+Qp&iu zOQtjOI9R`m+Bbfe9q*09B19piY^$tpo8DzCWG#x-n;&*~JJt0@eI8300K4NE!a!$U z@M>a&$p#Xq1sb&Z$~~h`eKJ23gf0R7MS|1fm5gr37iNw6yueQ;I2)nU-+O;Q)tcp_1+O<`|YX{2Wlx@)|yX8VvE6RSll0Z$A7r?ml zZN9)H#6)6N)x<8xTCYS`$Hlia`&^@2RV7O-YaO6Fu)mkJ{z?6@%t`J{8Ho9X&go*P zAr;PHI%*1|4fr{eqR}nOYawP9^Wf%S;tLPF94%-6@hB52jBh79p(hVzL`j#P9_fGT zK2G^=H-vKnv%>GeGnwD5{a8Q0-jE5*wT~=ks#)6sDFvU2S3!hp;U_^CneYOyX6MM( zlpDaeU6=YcXY(8>53jd-$}+0ByR-D{7^9?RA@OkdbNFOiX)6d%fY)~I0aIdvZRO`r zxRdJ-@Q)mqlWFT6yY`Z)D1COObB!)j zgE8i`!lSnowSQFIp5jwM+50ClY4tURCI>sH`9_W;ADoX=ui6LoSNO7nk`5?)BVed65#?->=SZR>CPh=owRYYutZTxMC zlsb*9fX4Eu%GC#U;6=co1ejOD_5YREi*Es?mF z_6{sW(l59*EfE%Cqu%*KlEzQg8Ry3BsPj3eZ-LoL7~uBZ7qJn#wPv&i`$R#UO33q? zk$P)^Vd%00F$GMRm+FRb2812SSt_lLc%~^;gH{NV$D>ihr}~(pUufJ7ifiUgoTno8ccmW^^>rX%&>h_H`fMHDtd!_5Qx} zDC63?Bb&QCHJ-hjyLt;~)*Fz)1>(d&E`nPYobPBRsuLPlE4qE51_n^Ehh^E|2l@wY zGut`tlhBREbv^p$Aut#8(C|sAY?c%+)xzl-Nu@~@n~Wq?6|l$yoCJ^pu{H(fz>Vy2AH*AP&J@35 z6=BK>A9wf zANFDKCe5vZ!RBQt`+la(h3=Ufbj33_p8AsMVLPhcS(93Y2i;`}9URPg$h zaFdSm*;owPUE>MwH74I?89riWv5_=XPg%+I2Ia(w zD46Feuv@FT)Sh;6SHa<2`}}k@KKPfoqp|f=Ts|;foL)kzA@_o2kF>BKn_>}^>AhjW zbRf{W;O%a7+_^Vq_2wZnLbM>S)#;Zx)hK>F40 zY(nzT06Y_9HglqoUh2kT!L>_ap_g!ae&%6B%tY77&@_r*MJKRCfIImL2NQFf45?2- zb?ItC4WyPce`&Uf{LXuzGKO^BHNxAmSL>;v`?7y&equ^r{pBObN;AKYPK`a(cZ{3q z#eK*|>3F6QP81QXxO_n*6aUB3xs^yDa(~!Q^OUbssmM|H-J_qrmCypph>79Fn*1cr zv>sOnv$cEW+mIfX*um`KYmJKglpIp zsU#u_kv{3p68#CT!dv~Ze$tCCV~WJ#ac1riTfew(+sH9i4xDBPS(BXxG%CnObe3`J z|0woT8}=UxEMxrM^G>>jCBkO@$zYM3z&Wd2$7&{(Nf-HcGr0q$z-ZxKDMV6vAS$iuwDrQ_)7pKw85Hn7 z&^*qV+E}p<9fb3=e#_(&fNR(7CbOERVlBRuJp-pnp04P{w@wm6xL~QV7ijnOoEa|U zBqGtkPc$WEdSD>_aIcrAyIXsZz)z*9vNK?8fX#^6l&d3mVl$T6|NhHp)}q$gV%S@7 zfZE0hw8l(`r%AZnRb((#4D-Q+))OE?C+a+QQOxYoA2cC(#O(HuI~3+PjSNOkevT16 zSlONRYQmlpOPMhh)l4wBlg{F8`aI?))$5+2ATf?5>6_V+*7sArvgEdL22;+j&UO7? 
zMtufM)w7MKpML_f&$U_Lfes*JN$z%i*evDaCEh-l)*D@<gm+zSy?$9qsNmpG0-;E=n^UEz-#8oN24do|(pVkv4ii4E}bZw-Hw>^v!KQA>z1 zc>)#0EeN?T_t2`5Fc!|=H3UHwm%Ca@EwQBnzx(?Pb5c%_j7$H|Tb#ipD@1=Ns*~xb-hI?=l8b37GS%-i+CsTCf$C>40K~Ldx z;`k*>@~~nh9!LQB;Y+IFWMpjb#~-sv=eHFj{#SrP#YTO-z)7e|i*~ z{Qy%=PSTxags4>;c-&kt=6GxvQa!FZVM_eO_u&>WGE~pkU^XWNS#Y+P@)2mD&|d2m zO*OuG_GB69HZ*Zr&Ct3F}@h?gs^5@d-2_Q4=CP) z9@N97Y&2ETIYp6?nGmiJl5WE_+SW;|i4PKh^&NQR2~o6GAz81vqf?|-SOx{lt6ALB#(p)k-WA`7-)gE?)wF*c`DkC*`WsyjPp9-@xoUt&f z&fT}|kM*d(+HGAVgp7*_aO^V_3%uz?1pMei$b4>W9W#hs1S_F|km$l;;9x_#y zKA!tXh|G&CR?viQ`s!^DAt4<7`Qy($O4XIlqj@UL*q!*q-X0KVne#>!mM7pWf{7@% zWT?|;m!w;w-6)zx(x(^6)@2cXhj7_!$fi z2lx7!03pz2HW<8L`k;2rlP6s!G+V$=Y7uR4K+*elb}ySn~YI4gO&yEb~)~ipmZY>KBnTMup*2pM87wpcd!jA+a0UtW0}}c!f#9*{ zce@b+@|EB0=T6@wer*f)8c$N#vtyFs`)=Q=#+Yx0Fj?6yFj&hAG*Gv;B{i1V`tO^C z^Fk(&XzWLBzxDSxL*8I-Ly{9M>@16%oQ26*c(Hjw-Yq2HWrN!yoi!=A{GRKH=urxI zyA=TMx6W<(uD@SMb15YiL$d5t*q*MoeBNosi%T?8w6N7*wa}%?%1=c$d{9~6`>E|U zsf6Y7@KuYg*Mf!oj>j8rP0ov;i{iRl3=NtbD#k#H1gGXG4fskktc8Wv@4Z!nLUZ+Y0r@2#%B(S^<6FujzyeEbfcxo%}$-bSQ zZ_A{j>$10M0WB1|sXwuw+1fwtFlE2lQ03m?L=+b4GN(OX)TG zoz}ogbC~yC7r9ef;p0w)Yd!#ISc&s~tn?PuWF9SHK=JME461mShgR8WUh#C$M%8v! 
z?*j@Xr+5}@8it_I7SMq$0;q-~M|6~O(+DX?f*)HaWlr0_^1AT!qhY58UnW3vvcS+_ z<7+miwfS6EM6h(EwT$PC!(+>d>DLyI#p4axPP z?lzIWpa1eR&E6x1j?cPZ&@y0^A?pZlFx~A!cXe{~o2i=v(51X6E^tENuz6L94cx$x z3wDR8_&j0sW3~5hH+#Z(8y5WAuSD79iNQDBnX9dZSn|bSgG6I?ydaBM)qWoFDsrl| zh>Lx#@yqAyoMOdJfB-dc;J$ijhEDe2I{5MASs*KE(!riju> zbGv~#Cv;w{)>e!@ z)0|b05}djKN>LNM?akWn3&tbzU&yFQ+X;ZLFj$E{W!wip@}8Q2T(S-V`Q+NsPcl}d zh=gYh64b=3dfly7ee&`9FrP%Nn9u=J`fI3CjNcBCq*&?Cs8r@;E@%g|T24cwWRctg z(;e?_)A7Dogx?iL>^;SmDpUR5*e^v_-Ow*B)pFqzfC|pQ+U=5=K+tz_uw2eUTGWSf z6lm$EkJ>Icd?b}$z%~%E$2XVld`G&w`1~$Ep5?2M0rJF53lB}`{$vAp=W&t&WQ#!h z%uqBsyOMcLv9=(CCM{wL`d64AtiGF2D9pP=GeRA1qo9H;(Epn>i>Ef@M& z3;6ARp}UY^;j0nN*P`V@{Toh8^>#Z}t6JWcD+lW8#yj;-J}C2W4Z7Hp|K1Gr6Gmz4 zuVF?_7e}la&-OS6aj(e#F>K-ij$_Y%49mNVb5fW3hsZ9o%-fzqe}m|HS4((%+l=Ck zF}VfrE-bj=A5sAST`yk|l4glGBmcs>93hVaEHtmxozJfCw%YKdDn~#~*PxryTce25 z)?1UIh2Y^ymDPBOCG}g+|5JZS0A!e-mV*L@?;%e;xch(LTfaGW0IJ_k!Q-^leptZ- z?+*#z^jd?U=-aL4-bAQ+PQ4CJKvbeviHf&K_9!G|X1n4GSRSe{dwerVmKgovYvxoyn758mt;iBxtK+0~M zy`?5q((j0fYvlY=$IW0x-e?$005U;(Kd5Kr=?H+y!)cg}Bu*Zt@qejv{o{O-9!VnB zBR|hS__qDU_kU&kuhUhTx_kzI@Llm2-(YeP;1}a3e=`my|IPTHj6oRRkpQF0srZjv zf1ieQb}Lr59)a>KFE(d{UZHeIJL`Kv2+&~a&ux)0g`bz1094xDBxHhiCN;{|#aO{7 z_Bfglaz#T)X*ES#96wB_Ubqm$7&?%_zI1BX^9KwNY8n=b47#;xy$8v}FK5e=Gah>X z(>~SDuij35bxx1zAC1U+&UoMv!eep%(wHZlHrOPvIB%5#G;(IuS@H*?!XPL7(pud; z#?O!nh+e<~K*kXD^Mvd9r8r$rY(+@LoeZc?cPHf18td+v{F1St4mlfAaVG@==IK^u zpPsHK>n|x)XTkahR{&s1vblo1kuHx1R+$RwVt+|Ww+qG!TybZVU(^X$oYq3~6xy{TmvA+y9(0~bB5qw~UKzKb5c&{X5 z5nEyYGasnQvBaL!gAaFhgOy)ni^}Q#+uj3h&$lJ$d)5LWq8sn&m2jTW|I)3w_4Wkx z(kiaft@esev(yvFu>N3LZ1Wu%)~)ig)!a1cd(uA`0{^I1JweL8F8#xuvD5KoW33Q~ zut-O>GdqK4Fntf#cd8Q373y1qYt9^+pG^2Y%bF{=5WwX-dz*h{i(1b0C&RbpJ4dSP z&A$X%o&>2U#6P|@T?iKckEXz%U@Q}W`}&Q=;$K*R%l}wKoNZfoz^`cu9uQK#)tw!% zr!bU2_J_1h^WvHB!G~Ysg#4i&KrztP7GhD|0e2Ra!zK0?j$)DiCer`4F{CY|v)@=) z{~HSeaQU}9^Z%Bo0&Gzn0M(sIfeqvTr!5z_uiscS{e=a%{L_xLpRM@EKmKD1a6rm; 
z{_A>vA%_cS{X^P-=5SeL@Zq;Sw*Qvr-?|O?OSd63=)E!jV_O1nU%#iSC{Idf|Z+0T#=2bm-PwEbT-1$Xruit-U)hk=sKdk0aAQ?C`29o`jXYRk~_LpiC{ypcH6XZ#gnD5#G5P|+`3@QJ{qTw$r zz~$cp`TQkN(jde$K{5rb{5aeHMN>M;+pq_=#1(K~KYb$@i~E0J0WK>Vf?{o+02hIB zxyuQEO!~h)cARa;Uo8JyeM|p_iYr~1=Vz7x;rZ{j;PP*ABjX>V{mYoa6(AH_yeGWb zU?+T=Khc3r9$fohs5n50wuC_DKaTALJNZ>N*TNsn(1qBki_`tg(;)o>{ngLE(QWxl zO3?tPmfx)Y-4?>TTcXf;Ebydo({hpKldNb4x)d;pLToe_rZlI6|3b>7_1`iSf#CrC zaAF6=I#a$n!QRPT-uz>Z|A*C&{a@X~@gJTAq8?XB!~r$9@ZsOiwxs_GF6fO58vq&f zmmk^WKaRk;Ol6DC7R=e%V|lnVZ6w;uKUCixdSn#I7LEHd8h6%+NYXY|&p!5v_Hyc^ z*7DfUMYI0vm5H-l?1PQ1^CO!Qtv4a;fd^A?CRCR295=+<-S)%SmeCVS=lV4+)zg{Zm&b+O?SiZRKWlY*yYA&h_B(mGf({zKv z=I4tV@u1w#an|q?1hF zUpGx%#rHDuR}fj&+}K?Xtb|sd)Z12_TuW?M$0weK&Y;y?ZdzP3p*wB$@=dvq@E&iA zCCk>NZQLX|S`t?+0_tCsE%Uak@f>xAMxq0|-72TupQvBj@anif|D<LY zTO>od_TxV9LIK~z#Y&JgTFKwMf6!~Q%gx)#$lIk7@4ov{TiiSI8k70-22kK%Pe1t1 z?d-nl7}u^;(;G97J)U{`{NjA}1ZzsEwrq8+C3(5}J+LFYZ&>OI-rZRgdYDw(evOL2 zf0<*+G_yIa>N|zsHPGIT>Q{qE=`B_Z&9l1Sdy|YkmgaD}vHf;9zVBe0debB9p-1hr zx#3f-X-gSSj-wvMi>-Pv4U%{)44KHetTR=SdTYjxqe>exGKF&yo1H8;O3G2=1Y-Mn;k{KgUK zz%g)Npls|5#}UFx?$CMT!`!pxT8rB2si{G8XQ1TDPS9J0(Q>8yype<7jg@EY%19m6 zbaxMxpSJ>mxZLGv-sZ&AdvrJGZv|S1LL1 zh4>k6ipo*iPAYrPdtFYa}Hv6c6^T{*|kf!;?{&VHzPK=

6NLL&ZvV|s?!wMP>En}d>59sqT8EuH!In|ljxk$s3;$Y z_@)OnbQvO5jvtA0AqwF#VtV(IYYTT@{)?1){JfcDBA$(=X=yxG!k^vMm2$1XP`HDOuhQjtP zUge)C;aQNF?T_zo40eZt`rHso zR=dTLeMb0*S3%&H3=FtbKbaiZ%qz>7UR{=*RI^8qU8kHXCs#7d4)RIn4K!skmN6UOixWjl3WQn4%WX8>;$B61L zH#k9d9~nW*8x?*UR(nFDb%9F6-$?`6jbI@QeWnk(SgQs&h^492y?F#kN?iHGKQpVD z)zzWc1PRz4fTJk@`HD9%Z!h;N%qL+1ScK$FbO~~W{Eu+6n-~r;4r2q}86RA(g;V8T zev2=%C*yV2Z*DA!<62}c^l(aGx_(>FXr14m;pjUm_QUC-Vs<$;4N0Hk%7o#o&Y0pn z!dvm1y&%Tywe>`m5k!1_`PZ+op9iBygU=>Ll?k+zFj-tSM+^mIj!5WbyIL6 z2yWFkDBp^xC*+V9941x0iyzP0uk3p z^dP?^M+{Y()w19G&RpOy@vmC0zO7UCE#Gv9tuRk*Nb)8s>ufCcA(>C;&JTK94MB;f#vU2bbQ})ChVPEk*UP>(O;DrAbn{ z(Oqfx20$n&pb)(p#3zsyvlS!>sppI+wu4*nW)BGm(FY`*m`-H2rVl zrhUxApBcOt7r2wRe8BC<=6b{}P)Vs9lWzOKyb!miynQF%m(4>Ghwi-RP$GVeTbUccGJY zyJ{tkwMb=7Fh5Xw8z+dp0}&LgP2iV-3i{3cr?UR%G8gZNOJHL|E@>~^&KK0!Gv`n&s@;&cH%ZW=f+?n=gdRu3b8<37)5^|8X+}a9aZ+ZTa z5mu-f48oRYA@Iwfl)87tG6rFVvhM92GCEs6q~qQy{{PA#ufr0PH26mWPe~p%#eolR zfV=S*d_VE?^8blL&z)@dB*6#AJ9Cf37+cW&`NtKDJ1Z+tAP30gTz&R?@>C*KYP0`9 z{4kRG4LOe{+v{gbRku#jk!0u&Z043VY>M*N9wHe#mL87J&}O`TkUzg z<=Ac+`Ipd{eeRN!_4huCm#q`&QbYAe?|7^BZyal=?%A?|*(&^NQTeu)76@ALPkA?;u0u%P9lTr2SRk?-1fK4i}(`XSw= zcOd+a$hsu!jd8jp343lt2{P`a@CaZ4T&NOQ+zDZ57b5Pv1>x_xE4YjD4nP>x{fhy( z{hL8)x=Yvpg~5e8-|xY%?gs~VCD?k9{vKS@LmvPOSf1`O_`lcximQ5!&j$tg=>G(t z=T7#J_FZ@Zt79zF#a{WZxCX}X*K{Be_5XS)c#8iR82JA_GMLk^mc6z{3$9-_ z^1nj;zb^&AiiV8!N0Wp90vgi32fF!Px=Y)C0R{Ijpup|FfI|7d0tNg=>VK~N2U7oY z_P<63bNUM?{Qm?B1^Aa#|9LHBtUo}p{>$Vc?cYGXPj~70FQ91u00jhtql*0?xZ^LR z6#pgDKTYbdYws`p2T=cW_P+)OGXnlXD&;?s`nOQv_W%1*$WVU)^)HKJ{mY_ev=XX4 zuwdC}@MIG_J$b2xB0S}yMY5=cnl3$8|js3##+44CMykc0RbxbY|Zf8yt} z?j8uoNlP&F#78(32V<+8pOE4yl7Qq%$~P5xs^xO>w^748;|Ec|hdaHccb2Yf{YzE| zaeM-*7lFh-9Zckp0)HtX>!DNUujI>Y#A7}5H{F9LR1FTJ5lRVxUfd6a;}Q_PNMRsC zF?xvt>n96RW0^328_dip|40YLbfE(NmMK<9e%mhu2T0>jfdG!r=zmuzr17WF`;#bs$DV)76!3Rl z&6~4@w~3{!n3cp4!8Zb_L(4xp`^kJufT)z%x`5&4LESU8rX^PUg)0P+DWD#x*Vwh)|A`NoMwPV0%fTdVF7Yr zpuzZZnQ(ivVspD%x@~-O<$amrkcEDGxZM%-@^Y`Ez;B}9boo1ZTY;D- 
z1>4nIl2sjm*N2z&U~AF5r`)&>H1yU#W5&0B+xPYppWlhiq=4a#gV*LzN|D#Z%u&i> z)85v?%8%noP=nabc~1jhM)u9_!p8MQ2h#Q4Ms`N*?NV$C`R?`@x#88-evHp2!rh_r z7IJ#vb7tDaPVgZJbh}t^Q&h8bZsvip+bwjolQj(h6HYs~A=JKEkx!(I`=SLDz`N)d5uS+E;Dpp|=Xl$vy;O?lZPsYeE^_!tha zWeXdYWY#^W##&*qtPnj*Jqm^ z5S{KeABC?urVL5Z$L<_^t&QA_`kqY<0Kjz#X#H^a((l6e;{ELwAwy!D;mj7T=zep; z2w8SP{r*IW@z&0c@rA9M*SLyy!=-Q8#a5()7cgG)GH0WDE>EZ_L6kAHT$&y`Dd;8Q-lrCO0xLwDS{esQ0`)y$&U}pBr0l*e;r4_d4** zUfaDn8kpc48QBMtm$kt^5pY_xdC={4xmbVg1ZtkE-@c7Wnmw%N0rqx!YQ`6J^bMyQ zn@PxR%YKx1b*IbT3fa0e4(=reB+n1(Kb`(bPX3f+!{>!U5Zp*ZdaqRYFd6Tg8%X5;hd8>sO zw&Y$VY5Hy!!wN=?Qx=9+_NUa@BtxD9=`oRXakir9DvKQ%?av6p5eBtEgFZParwm^b z$X;edOXW9N;66$U$=UO?!q(PW+~b5+x#7u4>6xcR0zZwq3_6VtM#09}+XLd=ZK+CH z&XicXDbKjfT_$xll;4;A^wvv*W|kRCn>DcvHphXFeXoH(UDmWEM7zQB8a>AQ14WDz z5j>AW7p14(2>#*djh^u0fPmJ~l5T_+#V0!5VYVV7m@Wzoc+b29cCCjuD>?6!3%Anb z%Zy^F;T*kLnZ`@3FEw$sd{+V0%q_J{)lNLgdfTjBwI*{HIz5dls53oLtws&Hi?(Z! z2g3BO&)lG0)`L#1PLd0JpQBrgE53rd)Kj{K#`~mSMU9uywXdS2vb6_3)(2;a%dL-kDVS*#fK; zJe=*`l!SC9uylK2I98T2G5sS^hRbu+Weu(fc2B>LwFQ=1-v0DZO3qb#uZB?YE^j2e z$s*oj=v#%~6rQ5>Q@4)*m%CQ<(1r+3`qL_kEA1M|lAJ)vkO$Mb5|1{M0=r72EBskx z`pPVG`clhSR-n<|>o|Cq^%7G|M)5_?ISkh_ojj*77JoqOM}nP@qn2)>SdnV`)Bnd2 z!M1`G<3tB}A}wB3Yg#ak!?cK_R^ia_Mp5b2%kS?A-&MKlTNbzU0uiHCe6%tv@2f^N z_2y$AQ3(*1jD!!>&p!k2nl?R=Qa2Rd+n7-@Tt8(S&A35b)-y|xS7KmSw)K+yY?nN5 zGl@tQJ`bnqoSyM;D01r=g1(|(Jc4NKdP3>j*|RUVZ(*cc^{M6p+%xi@Re;Q-Ud5A} z!qy8C$&=A5Q=#gT;{tRm-=sl5*k0BbVXU%Jojp0fgnC>|8|W}4PV;1|kx=R)!7Nn( zNj}2kTXxYyf=jBTmoEy3xbTx+E~uFKD@=qaSWl1%ww{PoHC4)mgKo?YJ`M04`io7& z3%x-x+3S8;&%e|m=zpp-H4fO^X%v={MzM6IA8bAjM<*0@U=3Zr>RaXLgBxDLbulb za&BLD)*~H4gkR~@hB)yft{|-e?Oe6+{gw#1x{hBT`D?VYpKkMC9&Sn5FT!^6))Y?o zUCa4wyA&O=&36?Y0=Et+9_Rgh=b1}E^!_NU6A{`;k7h&%^v~=U9VZK(tUI4g7U}pL z&(s;&8lIBARG#|0K+A)VwEF(TmltT(4)_)y4}HtncC1T2a%O&DpFXUdgaam#@x{x1AIHi8o*q&;W5eGb; zkTd2;zOpBnco{4uc8NpJzwlZnGemT;)78d8KH{1JTY-{?dBipP8-2Ve+2c(|qAI0~ z?#-}hSB>$geMc-=Ev=zpEi{L%P+gznb-C=b#D4YMr?<%pF)<$DXRLR%0BL&7WxhNQIZ({Ox~&COh@Q4Duv_6&G}1?NvwuRF7zJe 
z!Zt=Ihun1|iI>S!wS$o>W&GHSxqbqV{8C)MO*9KMP#6*GwT7i4`*Dd0AW{wy@~^b6 z>zBFN`1R}frSB8Iho8`9C=cNz#^#KvO1+rKGHeit;l;>beOk7O-X8!uwNGIHLZiQm z5jv|a4*9Z(7ZUcJU{N^oxfq$0H&%hF4l>JHEA$&`od9_>NBH{ zim#ODdX=A?J};%aeb<(tD2FqLhW@yIbDC&?JGkq)%<9VPtlnb0k)DZsR(?fwIYkU*Z9oJG|K(DBoU?lXMOw!V_zSQ zx{oerIpkL-O;-)D2`6f_k-w3~9V2q&ZkdzFG*`$D?ga2H zY3%Ghs=tl$9=lLrt1DS9yw=B`A9|6L)@aiDv?=oAb6su2N7)veqe;{}$1?-Q-KfBm{Xkm_uWJ6msgQw7dC3|;wJJ)IneU>AIwsWbZPAB?#H+by zW&>DA?_QMiTUxO83hTITw~VS7?S&+@O)?7(oL(~;VYm9BY`s^mZg4sk#O?HxWt)Vbyx((|0>U-nNtoS28RLNojWBk}X$gWRZ z>JR&l^zlhSKE0YE!jk|1>vgt2EZ^l$rebJneJj6w+*LTzgC=YnIzfFB`xE&1^OiGV z)BN~${o={h%Bfa=wpyc)%2yYmRutgLgd!u!`q=R-KgH%ZCVgLAk5aGFjSIH@GRd3Q zX-j==2Q}PuUhx?3CcknX#*TVEQZFZkrczZzf{w=w)TKaERa_4MbjgR=FisSaBtm9P z;}KqXRV05GVo3kW76$ih-zf?z1*^(#9Ihjy1;0kt{6W_@w@wTbObZ5AapnMb`z7Ls zIh1xWOYlGYqHSR6r{i*S`q1L>sVG7u5hy93#hKs2xFe^k1;YB%s-u0YvKt*;2I8{YU(i}CK9E1$7hLnf(kUMxDbj55w^#I1^ZSaToG=A z?{2ouuf+aYO(w8~F2k-lPH9#XgbhI7eM(plU;EWH7NHD{204i!@x&|u96c)&*rPbe zAw83;mKVs-;I0QyP~bZB&!0bZd4hiw#T`u>K4$Z4cqphY3MeS-KNL_<{?Ka)Em2f= zG^cDwVF(^jP=?ts;9~Z#KmUNz*U|J85LW-JcmGbZ1|&d7<0cqHW8D${JJ$au^@k=7 zPKb^s{x!Sz(L_QV5l~RZ&X%?=Y^;!@sv`6Q92guhJt7o@Bfchrb3S--^e|9R7{5mW z|M!O`icElxA-&^PYUIrN5!@LKMu6xaM4M3wqA?7=xIK>{dN3ZH5E4TRPag}R`ad`c BxH13$ 
diff --git a/spreadsheet/macrofree/security_checklist.pt.xlsx b/spreadsheet/macrofree/security_checklist.pt.xlsx index 6b62a5c68a4ecd83cfabe5c61fa10c4fa5c2adce..81dd7feb61c225f93bca31a7ff7e3c7deacbf00b 100644 GIT binary patch literal 34861 zcmZ5`1yGz_uw@e59YS#Tpur`$4bI^1?ykXu1a}SY4uflOcbDKWxH~NQlee{Rt7ee; zy6QXaea~%qX$VNnckkZ8zLPXsQ0w;Z&53*aZ}9Dl`t~)lHI#R-wR2?Dx3l}~W^E-C zISl`S8Bx?Xe`L+X>$ed2Taol+!eezDcMyoiI`HAv1(K*G&687dhC-pI2fLPfEvVI6 zY`5|KfQQJssk(hpkNgGSJoBnwMD-_>JR(AfUpdzE--4JCIY%~K^{0!qBgVj)3_&MG z&N+bK-fA-^137*b2S@6!>4yn-^s-$YEcdDa_aSMnq*9I-Hh77Qy+iwd6)?1QF#e-KP>inhFDA_14ygmrRLbM9;0hF4{_jv-{+pT-Cm@5%5b~+x z<+Ry~W%)Daz4XTxsuc}2%7_3QQ~Jh<0J$5BiA=Z_SyvLZ;A$Km`4v;lt^ zn{Wo4EH8xQUH2d?$j|P-?_fn-ND5dL!=TJNR+!%BbuxYXK)_3h+qGx)uJ9=fBCeMF zwp~|oi_^rAdB=dve|>pxzL*zWkD`Sjk){DpiGQZ2b!o&)Zf#X6^MmoqL+6$38($H?@(G4*`dV?qO#ac+KYfe=mq>_4Ou)E1z7`5 z55~{ptsUqSVIBn6ki*j_5Y_R+!YIf8He44DYI`j7yLWxW@7`g&8P3g$(aFr%+W7BJ z=0B!8Rv)!pX2C%uPg z)=zrha?FHCSM`C;WswNuXYbrInrCc>NSZ|)I|Da8vR>TGDc{T8+SXRM+x3#9#1FC& zD1C)r^g7it5aRrJ(PlGDr`OFvsphbuIq!4myOA8jg50eiFUKo#7;t~1;t>;tGR!bR z&`@b6Qh0q7+k{X14V#ICixLy~nMfTXGE&f1qCD1GwG1_8fQ=N>f2nOF`fg#Lf_C&c z=mI&YQX+ z4S0nVvb31Pf~=+$Ej^~s`3_z)y71hQhsvqa&-p1YGFpX8#ZI)+-Zby-`OE5xCe<0- z$MDnMkEVWFJ+^4kQa;0d-a+!3mU+SSau0H4KU=M6sL_XJvuwt5YXI8T1D{Xebr(BT zk4=_~Y40#G<-oYCi=U7q_4YsNwOpb&x@iDSp+r&)Z0=kqkj>(g2O`K_%$yU#;8 zA!E&*YKPY~I7(nWPlvXy-SY-~Uz@b<`#e7`_vMUI{F%O0T!=n`=Wd~KSV--s$%mD_ zy|{g-@6_nj@A9A*V*Ea|vWhB)SnAIP-f|hi6P$T?71{B@y3vP1yYawc{r+rN*W2jA z)ezTIGaQ;5n~$Rxw95}=n~N4%#TIL76;UmA^qwS4 z+ck7NMNinAmskt|tz6P0kMUZFLju+(1q|z7inV;S#-R}bo@qFb2@ACLE0U!s2*a(+ zRm+hd{usm-z9Psn5yPA8pv&AC{rdo|U}PV$3Y9yBj~}?d7L1td`uI5`m^N0LWsbxZ z)ll6i?MK_YAPfdmbSU*B8RlSA(LVk-4RpXNi6qg}w;V0kbt<(?Tg~+V#5|PfZOIX5 z%@3^307e{Za)IB$k89f)27J8 z#cE{D2ZRJF~uK0%Ek_t z?ADar3#fc?_q?x3Y$`MUY?%_JGF&!h`m@dI@luR)0Y01hlA#se`U$r;%x#)Z{Pakw4Lk{=55@h0Je_-2nMf*5Zj*S6<{5@LQ5*cTWlb33iHY4=N!CtBgja?o6?$=G|v(NP1Ulj!j(+C%lG zB`wv;MO%J~wb!o$@}&pG3D+|hW045-uq@L+ha;7t>s`-G=tBidWAIR2gMI1fLkQ}< 
zb&-l8ZST>}0$lw1+9tn4BHYxZs0&w&*ofpWFS8bze!3=|u8O7%e z-PLHE4|hCD6^oM6R{f`KX5pPHr)cZwbm~{FJ#EU@yp2AI(=3=L@)b@MW6_F^({W<) zWb2mVl*ks(IF*cQ^qcdiE`L&Kztc|U*r|X1|9XFKc0@YGHs8W;;zQ6m_VDypRbPRTV7vC7=0Ls@_0vl)@@vN1lrv= z@o(03wBiQ?R>CgQyck`j)c1N-@Mi?VAHyAVC1O-ytT}LQyiT;OL_v?6S-zG0;bH2r zg%{-uL%v?;vc3j1Gy;U|i?X!UyfzIvcXv`Y7bvfH-48j>zeA2*HsrnS&c{1Wd)vII zP+k{HA!Y;^Q)6H6Z`qcIv{QCk)Jf)F?>47i*d2CVoB`JvSuFS2y!W0e{M$q};q=-i zwWY&pzRWz|?=n^fwuz^~PQKgsH`=7^v@3c(7vl{NsT|iK5A40}FQuO^oJ+zL_KM&q zvth5ZZZD*4W*Qg?oJBikySQ|Dp(~?!pIeYF9>HTJ!x5r1l^3Jq>K<ySMh z9A|wB)LSAdy1v4Bpy{d;P&^!DwCed~?yEnCkXg3Mr#=n`wrniY<(>^c(!lQ#c-7e^ zG7)u-@ZnlqbES??FBU?1ZGGBO8(5qT0QjsL z?QERlz&MLBXp_spReDeyfi0)Hfn;~W8_j6`*>(Yer!jWYusGm{mbBkaIAG=Vx-5}P zcsNz$Fe12h4$;x9z(xFxY$o^TGWyqT_1SvGYr2p8yxPgj+PFlQuQKK<&_X?hQXUF5|)5MxSBB(UFS;PPFj&T*5nc z;2y$XD_YwY>3aWuuiC0Gy0e&XA*$5zx`*QJ8ZjB8I!?5hVv|U)oyhs}aKBY)oPxR7 zZgJ+5p!$lH)`7OO^0DG;d(wmPSN!|7je!78eCf?b&0h(7nzQCVb=VPpIS$PZ(=C@f zZcfaP6FnGaXWD~Ws3KcSqv|+0uRy4eA&am0#)7N4zG;y!rhEP9_>v)aTlIZQrC_V(IFpx&1;4TJh-l{0V?x<)jbpq{#s2{k`>J2#L{WX@ zCI_{4^_QH(bmpu+&Az=wFeC%la87?@bGLGQ=87d4p|kBsKSC<=i4qb=emNwedd4} z(pZQ2{b&np1-)wXPuoU2Cl)akH@t^8RX}KllEJPF;UBVP{LHS1*g@ev@b33M|0j&BZ&!^M)mD}gyi%G*G;Bin;F zNE?$s%23eyk(4obAY4K%c-(VxW5eUbEj`~Qnq|xyO9#K79 z9uAG&@r*f^Yt6oTyr#egaNU@J$5a7@O2%+t*eWVBi zmhYA?$VVRQjuaa&IFDfWS;@K=&pv_%SwOMsHTnev=4yX74Fr5(W_9! 
zS@TCyuU0^B53^(C`RXWZ?Hc&w{%OY+5=G@ujs0)c{NiW~pLRMFqHg3?9rK~IL*tE0 ze%^;CJ8P2gCbb~=olaYh$x%7Ibq-9EW@dyNBRDAVkC6iPI>nZ=Nq zC18DPFoZS!pX{4Y#1}71NPL7xt>m2O!z?GMv#J@TRHyTTtj+ZCG(OS{s|c!6wsHPe zYz9;`)!12t02X-l5^bT1(=;qykK?dG*+DTi{!$_|-UvLo^hfFa-N6P0>I?FB%TMyp zfsYh42-vKHAkyXZEBWDZumMc-f*o9?$PJJ7PEKfXHMAJXn<-d7HCl)lmSnGZXPzRH zautE^erCd7m+9W-g4GxORK$jAfO^(P4>r_5f+Hx$!A7D5dQ8ay{AEzOlg;DdmsK&B zp9%j!&|NC1?Cw?9WG9=e__W)N+Ief9h?2gZ2eD_l z?Gg{Z!^>c82urn+v7$l~re(d@qJ_&)YVoMqH!;&2X^&$8=Q*AZte*ZtdoRGiEw^%>99&WQ0e8woj>u$+S_HN?rYc6Sp7Et~2m6<0|sO{49{%G|ujpIRLuhO^r>E8807Qd+J?9eBj4r}1(9$uu3Ycy<1v^1C$*Xfdp5)ASv8ewxBYWt6p#6UHPJsNGal6*cg0YxVX`yq zgHUx2@Xo5OXCzp^u%bfVx2b|@3y;TACVeA?=81N+UwPNQV6u+31b6qlH*j2XKdM(| zP8?fXZE9;yU~n{8<-Jr(fpOedQJPE*fAxL@8~Em=C}@R?-M@ZI@isFdO2z$SAgpRw z23-xyf;|u1ES^jY=;im)O(kJloO4QTd4I(6%6_6NNUe|La#9`g{){V5HaB6t-YKW$2hc3ro?;q$Vb;#9VtDPx1o)w54OZ^(ojxcmcJaWtELn+enVQ zT2BJOlO+_$$YNryqRcoGg=5fRI-5J^JIledKATmwTTDp)7)?N^rmFM9u6i0`$duL= zk5rXiq~d2y9nt_Wc7RECo-o|~H`7TN7lKww(a^HX(Splvrlk@i&YPgTx*$bP{L8R0 zrh{=7OcM*%Wq@)ADsUoMH8i`3NOP&<=diL5L)a1j^!iZLQ0>lE-PwFwMTLhn^>}HR zZW|(4);@tj?bNk2H~pSYw5d;?{L z8m0O{(#T)&)U2)qj9^&;-*j)6V}tg+{6ErPl^3F%(JVot;8u`&g| z^(8b)i*n*ZS+{*|Iuo)DR6?rHmp5fRxXq+?`#6m_7b@2Kfu1C`v$S?UxsrK6wxx5; zM9>laiNoDr7e?TrZqadD(s}aUB%l)hOQsfAOk3lukOmek$EKLx?BI-tQWuHWPw<)v ztZF(Ots@=FB`(z~p+iQuHIymW0tw);j%ECK#^IDvQ5&&_NuM(%dz8wUODLE=<}gHe zIl7_d51f4K-{mV!$HAZycdmIK&{lGg%Wsx`oC-^I{Z`}widOdR@}Ga34_(w|`O)Q> zN`V2X0^tC#RJDL?{ov&MJ6AU7^_lbZvff7Yv=rl3<>XjYgV#ZMHS5u^%+s)0yKP!` zYFaQb;I@YPI`#1gWr=2mNli{J3^w|nzsrcBBbu44+Cv`3IyNOdoRpe*(xYP$arJS|%Ol{PPY zdd)b5Y)aT<_=QW!UW(#r1KspwDQMOsOmLPc58O}3?%}0@Tb6iIo005&?$*a>q8Oz+ z8d;)W=CkQ+T@HrK<{rB3m*I<^B?VqPV_$fyz+1G9I19{WN>ZHz&-U2o@}eti#4ms_ zDZKj$USJRbKk|r&9V21?&+i%>vWqV{hYocDsTO%LZ1g>4OT)y72+XA_f;dH~!xdXn zy0f)@He#h6{vvl^imiSYL_SS5a+6uc22-`~|D{g5zPP^1jXM*a60>q)eZ{y01fJAm zjD$#bNE1p8VdT>AkL0fWo7$QmdTB`^IVENtv%)4R14Kc;?EtMW2|7W zekfmiWvj|zu98x(=BYY26crtmX=E<6M=l(RW0@4&TyJRx9Z7XWFV#>fYO?2njs|D2 
zb=2uyQ4Ep>uI{tVB`g=C=lqAJ*e5iyG3*$zNG{`g^tBlI5w#diz-TaQsR+Yc+pRT7 z<_v!;+bb4R*j&xHu;rWSYqi{~%fS-`B{K<(u2*JE_t;FBjkJ$SVuJ^8+)=}M8qRsL zj#(7$tm4>||w1z}s+z^b>Z{&<8sXU7-t zu))=3;lR%HJ~AAY>uZ^$|<8n^P$V__u+1>a>nn@TD5dedjortAaPfJ63c(7 zrfH99`Ic(+ELci%&pKPiE2;(PKHN4gCCJl!TE_`PyaGU`ng#rxqjuC&82%^Wl9KDv z+s!DzxA#OWPJH*s%>7%AviAi%1x{A*1#4`KLT`&NGSVTE?A1BfK* zAI3Ci%&0ev{cq)f4xt#&-&{tP%E) z8t1y9CBQKIp&4WilPOoN_=Xeo2j_~){wP8J2J^IIQv_AX^Cu0#A%pQ6ui=|3<SEI9`vdzGv*re15m z$3%V(`F%}b#VrCOHu0Be=1nJkmvNu;;7i=`J4TSvrr2(M&VWFpE}|!Z_%OSP2^e2u zv3X?2SV2)o)vO?b)s$OOAGjPBn_p$q5{mKza0iL|zePw2K6kKr)D+H1=i5J$2UFq}{-vBU%lBP2k= z$GBgyo=yFNS><6PJ9<+d7@j8MQc0NDN{j@xNKr(u3B~>uuiNjSNr}(SuoRkF_0_b$ z+7zZDlbhl{fxlyleC`6p9`8|XadN2^Up>Ufk}m{LO4pB1$3=yVgOJ^YgXFPbz?ZQq zx+pv#!Lgi~`8{VX3qV#Wpx<2EHfD9$=O~CpW zpUeG8*8g=V+1i>~FTETo$V~3gcvM_ z&yaBI(->Jo;nf=njSUd=fo{PYgFWU)(*tKUnBK;`n;t$|vl<+{*diH=YKadOsq`de zK&j4Wck8}D)wIBJQul|M!txuQ1A(s{#AgreQTs<~GTftKU2X0yr`|;VH7o`JcufaH z$cV*@;19}<32aRpRlwP?=Z)DNU<>iCnv3-E?C`6+QA^mAZBieYi1pQ`fF`hwoO(Sh zftb195@wQF$EHTSzv2v%(k2!B+uNINp9Wy-9e%IzH)LXLHYjZIkc@8r@#KxE1{57uJ3d z0u7`LU~@$?I8fG#n%c9CoNRyHgr$}4|B4T%xyOZMmIG+6zldM=5wE37{&~E2v-(fKkd3P!n5E79VlmYl`{fN zb^zps_!6>QadGMyy@gEW2@vQ1)jUEhswqdM4E{xjxrh+K&hBVWdI>(cJHI3k$L3PR zH<|wmjBnwMf*U3WDvwxJD*QYCF9a%&SKJu4Ev;o!g+r^4N0Qc$pqKi(xafw52E}}- zOi9JZjm8+&dxa>!`g+$iC1+6UQ%Vh&xbozWgHM^2y!RqYaDDZ^$xp4&&WO`uiJ^=Q^4ah4N#Ezvn{q@={1=sc9Po*o zeTXuYOvg#AcMyHd}iCedE5dC147`-A>4 z8;G7yReA|!O7`!8ru|uLQr3(1*ogMs;&}Rx;tNe%6OhB=4ObFSAEaW*6@Fo)buUOc zTl2|VVX!)9P+?P1>HFTPaq5^^kv`Q05dQ-BbmTQ#sEI!X{QFt?s#;$JH62&W-CGPc ztFTU6j09ZCzW1<6tmDip{WoogN9B~>DK}dH-bY!QNHpL{{bcDV>t$aqlByrdRW9WI zygUO~J#p(bKdKG)*l$?dykQHUZaHl55P_Rg!Dp7>C>YT9=7|aOM`O5KEG{w~y-R{l zCzgR*q()wR3%(}59~Szs1%)C;0H0UHI4CF!c2WPeIoy4Hdc)Pf9_9YY(T{7=TE|$5=TxY4P6B@g3 zaA(Rp{teVBSo2bUC`7Y?u*dUE{LC$ComRUPeJ$s+PpXSwoh{2UKsLKZ^TUxW6gRpCIGj z>FjJFq1fkp!MrjEI9lJm}BWakNz@cc6ko)acdPhpMln`u7Iq|=4E%(NFxeT|p< zR3`_}aMcF_n?{if3DhzutnoM=O{^|NL^+qnpP{~vfBHyi&Z5oDb|x|aD^~YAjwBac 
zj8Cp4{<8F(>wI`=67&vDIdSD3s=DR43m-5|>HwTF-K3|l=UAWxRs-$i*-PEZl6?J# zB4w5U3bje;eGW4eudRv_oNX%K-ahup7Is{`oR-9E@>rPHrtG%Q+aPm$v?5olNrdMm z`$a+<_Nfu|&TnYy%R7NXH=9LE-wF)K3fx=#>m=J{06Z1octLSg*#UDds1xOHskhBm z=#1jQy2Dla)+H2-?!$Zh8z{`-UT-4?pJkIJF6Ru8%HEmzPEyVi<iL8j3d$CYjpcgnV|%Hvh(EYMT~BoSRQsXU=- zY?Ei~*`*=muMyTMd>}6s8`y1(9{m$oRa`3w^z&HE(n8Xwo<(4BW)!G6^Ju%wvWx}F z7$=+>u75oRL%f>nM47!``KzYzv)6s%RrZ0M^GX)v?v?NX?i4CH+qQ@k^joZm=dkXA zj{_DmUPeXIiD=%PR3HUcp_7|wK&e=m6QgTVpZ0|6tzf4I6<4W!s?1A70>PJRr z`}dv%F*LRlW&b|qZ-Y{OtzT8GD`nHbG5pqjz^l8^H4YEZAC8$vy`RLla?1S+XnMsw zdnr*Sd|%Q8B9_UO1j{fCui26m>yI%^a}9z|n%B3hA1;43s0|})BFr{q#dP=wl7U;w z59j+TCYLYGZZ;>QLF5Q;uk|xB-v0^^G#kacU%97*&EiS|l^%nY_g>@LN0J$&wH-+QfJyU7tP0X&pM8?^oBLltQ z|EjkqVT+lyDYK&lfQoR*EB?9UW#uyMbilTIy>+qL+u}N`G_Nc(1TYO5bNx^$w7XJ# zTYe(xG49?L)lZ)sr*ur%qa85`@#v0WkMov!X%Q{*H*~|JwO^BA%(08;`5;E8WS5!w z5`NOQPZ*R;g{N$HaVHYav%9$=K`NJ3YG=2CE+iVTN&=Yc|i_!!3VLF0r|dAPr?xTpc={gjy1qY zq~@e)_Z1wFEV>ScTn?cB)e}H2_hwJq5AGL@wWTW*D4GgSOPrM0`7=-n^{&b6U{(Q(2m5@&fh}$%Ik` z50aKIKN-pYcTr)P`w`QYHo$;ZFMb}7-q$H%{j17yqF7+Am)Ko&K7n}L{aDbV=Oa?h ziiicISlt<=5?PcD*SYF*n!K;AD98{>QKnN-Iv*rr%t0bv*R-t6~6?yua zullT!BG9TEJH4=b%F!;bg;@T>KN8szQ+`thO6tw$4oRWQW->E}T3-&KG(vy^c-0Ep zg^A-O0`q(fQ;r@mnYSK2d3lc-sI1Jv;YS>3tpAxm8P2@Juv&iGnlrT4jBrqqV{%w>-j zWlY{56n6_(Ybg(wb_}E1a9x|q*yS~LZ~v|W6zcBp4qdy7?LHm%uh#A&_+i+R+I=9? 
zaEtT9m`Xh`1RGDKe0HMDQ}{#d5Abr-t^wrMnKS!n5a!R*ftKH{(21kQ0_PYT_5c#O zU*B#T+F8XXsn?W0^(uc2!f-8exZY}R*J&d|vY@s&=R8qU4_TPLh7`L8PmJO7-VR&PI4bRNTkn;8;FgfpP`Cxr6~B(;%_gzw9}D~jEZy4_6#iD`QSzX# z+xuLqaY3~GM~V?9Tl={Z#HxP0&QG~{-5(vZv29Z9&rf$yb6C_>Ls zLqN`JV_N^k1;|&p;#fr2PFi|FP;6rSB~)JXqrcNc}7}Wu3e4Fe1bq=$s(GYxfi;eJ%;;FY{AXIfi&*zlXz!1xQver z%bto(DOXnld6?Z%CEv;03~=Nzy6+C|_g^U0-rrfo{?9fBH z&{^lmh;&*D=&gHbfS!T{JUKR@DSuE-c-47P$nZ$AioE8eTmD`m1(YRHnesTE2)<$8 zRt0cCczBX_{0T^mJFKH)55CFv37(1J&7Rd+c1-{uvWwdQ{56&WekbXTj}c#s@Y-8x z9`9^{mF~$-8c3!{tZBA@U8YxQh~u&c-&I7+!?oR4!}#I+osq^*U#Nfga(w$V{E4ra=q z-$)H`PJ-}&fs6eX0a=|@dI){s=PSBtSN8jXp7XPx0+lem)D71GoX%+|`blrR-0T`h z=VxTs#>!iqq~bItLaFeeuGCuc%#e!Fpks2Q%IT1*f4$Kbq)-)Z`;`OHg!Rqqi-<4{ z!W=<_2BWT2+Okt@(Xz}LFsUY_8E>Y!i#x#dpe`sa0hf9y^cSZLT2V-+%_oh*)w;dK=MgV!}+Lsz5@M*K(avS|p;^)Qa%NNu;AG6*Pq57*nd0zR9Lp^@inJGA~CivlV zB*d_dFM6bEIuDQzzj`W$O_t(^0juE+KpAX(#-ub4ciiH0i|oev6MylkR_22 zcc1jzraJ6F=XdNEBMI^O+Eck;?b%Zkvf*$+hNGGv?V}|`G>a#VKY$#px(#%0M7DLb zKW7$cl;OY~CkXb_w<4&GB_)Ob965j?>CBWVvKyO5O$}oxl867J;_TAc~){QHu_w7 zy=$#_TkXW2st;$qS+D;-?-vP-QLEs<1_l@LpLiU3|HHAdKQiB{;bl%(%=y!&7?x+} z0$Qutt2rbmpx~*Zioo}PvNhNM+vvm)tr(Oh(myy=$@k3np^7acA1$NoEeTk==1HU> z=5;hPPs_L@3m&8C{x4A)Mt6bqE~4v#(rY(Akt5!dB0S)s>(xa$17txee!9Of3ID5E zoudd?D*w!HDmf|Gz2MeOk@Ujdp3#Y{LkRUi zaQ9{QX6++mPux?e8~R&($o0j^D%olA78HUt&Wg((HfDwCUlngxr~9!zuWyRjE@a+u z72L#r=kP=5Z%4$Bvxq3QSeu58^T8NdvMrKh{*)=SK1Wkax<$7BQi zMj{LE6h+)t0C!;cL%p&4is_Ou&gU$Z=o@3FI7bLlF*Y&n~ zbxWsl4}M z(|;oq^FaTdP&=T+stvoyU96ragBv<8cP89F=)PE(p{GdleQKwR+dPO*;Usjp{=?3o)x_AA8Mb1DX(Y$U)$IR>ij&+bkRJLR z`-@q?D$-8t%A&Kd=aGH@?dx#SDolepF&o+G?1wFDZQs)pipXYu+jM0g$!0uss{+fA zlT3-KH~zS5n_*<^&_<&4?Y)i5Vur?k&#f)XA_{=LmPv$97?hiAdb8~q9?Ni=(GwQm z25KAr9r;=`HAbKNe8<+}?CQ_O@s6xVj74SLy**R)>R5C*ICLCY@+OH>Ou{zrW59Z( zSr5F>!9j`E)fSgwCbyPT^?#oJ-Ou0& z!$qKEHY~^$7_1*pg7R#kaw(evj6&bMxM1@cu6xIvh64x*`O5gqXy=wjsM(p0rUNN`6P%Y&GyjJaw6S&TH$)!=r;$6HhPLvi_z~bEB)-)6%)%p;8s!UVoe{o zeoPXo9IrA|vG$)lDwN^IW6}HPhgxxFy)JU-5vMEX%ELn10Y$QyMWUZBEi4K1k#x5$ 
z@dt*K-xfWAUK;AGwn>#vtt*l4MyGzH>`Pyv|<1)e%w*yt&U-pKqZK!{FSBQaf~yH%lBGnYUQn)s^HSTF^F0X5`aOF{=IwbImF& z*;&3(3ZJglcL-(+Y>cCU-)^=eJ%J?C2;A$>0MClArWc)bsSqj1B9N?M3bn$~4o`gJ zs0TnyE9H6+ai#@@I;q#=eP2T)uO6gj3UvE-nRr^K;HJb0XUjss*JU0Y>q`vs#<(wA zI?-eG)GAdjKYcD)`e1Y^bFDNj(A+_DTihP619NB8g?1o1K$@}{sFOZG`lj;6y?UO` z3j?2)W=V-HLuA^ogJ%AzlxPtP#&33%QWXqHBiUL7`HYkZtaWtfFjP?rj;D3y^>v9pV$_6>pfYTLg>zbW7!IVSrCQjia zva07<-M47M@I?;ONQOBDLo&ugKTcjX2civVunS0737~Lj~jgQ#T z1sJh9*m0D{I!Q=bj!$kQrykYgAgTZcs}3}$XPAvF)NTQJ^uEmCQF`h(Gi19HHoIVB9{@^yDNBo?U8|B;N*G>2z*P zFj3Zf3xQ3{+VB+aO?f0VexCp*DiJ>biJ+^jh~J;kdZLzh9!H+#vn(qXklJp)*#2tZ z$tPEan|+M!#6^ORDMSwYC(|I^r!Yz!b^r@+yX(jOC70$QBMoH>4q7~ku_Ghce}w*L z4V0WZJrFV_(x;jcX-DVa*W>DfEl{pT%Kt?;uGf!HI7lMuAbwo#A_Sw0@Z&rwufT$E zqa0OqrCqBmnK$%gCTb4fAAi=Fo`h86LDIw>iZ~vZ+)|@c=@(n~TCTtCGv^%&e82g} zU-07v-2}!>5WbbLo0M#=9QH?-o83q0R_HR0RS9lX1NH(vy-^OdsyE7{dmMQIF}s=D z_1s0K%}6H%wFZvF2qMAQ?3+~{&ZSxbvh-^Guf}0-O8O910U0e@8<_5ffu<)^A@+a0 z?O9BaeS>_U&*>`s*i<(5YR2c{79huIfipMUA~u3AXX*yX34q*Md$Cw*fs(`j9-d>tJ)0iUkFpg$ONMi1< zW*#n4KG&j#+b&GgUOrsq z!S=Dfg0F={a|je5FXz3i{ab0vz18k{uWXbuobMqzlt6au|Mck`PyvO%F`_e%e^*l4&`QP;3 zj_uJs#mMOQaSK(7Kze%o1B8(qsmITuPM1sopZdG z3ZhRBDgtU~$i2AXav+6*6?@W0=Sw(-j_t;}nI?Fc9tF#|a}7@X9xzz=)im^JNb~(< z#O?WK=L;5Q?CyL$MqHE7qqJbH>5q0@+uV&3w%a=(YcsbnOZI3ym&*dkTXc8&hd{ce zjN3RDw?>XuII@Rj$D`jAZTYWkUvv1ZzH@>rF-PMJznGRbj8A%=vC%b#=GaDv3ak@V zAZOiBexp~Q!(E3QYAGpcV}xN0ut<_BP6}^T<!pw>pB#){g7eXD|lLDuPYO* zQj8|c3Hwm~?jYwRwW#64b~rbjzi)eQ)0PH6BOCmGYI_T)s=BUi7^I|;mXwz6E&=J3 z?nXKe9ReaHA&7K0NOy-QCEeX1-QDn?gWjUt&+~r&`;GDGU^6Crt-0nk=e6dVYaKQl zIvdG26<-4LvJzi4_o7nMc40MT{ze0wSOnzWJ!Nd+r%F2U2g(cpk=!brk_r=_+&tW?wLQRz%x>i~XlX&DmSfGjE%%+wVP65s*HE4!RZ?=AW93s( zEQYG)$dp%~KKm0IF$?-v?m8MRKdyRG<{O2G5_~e>M?fRtw^9J@Ta;^FP;tP&kWl*k zrPqo*4U)AI)_$-;vrK8LL?V7dxhIzrf6P%O(l)Gb)HOL)O@25y?DeM?T19aS8&y^2 z${_>}7&236@}g~@rIj{cUOe`%G|4>nA|mw6?0Ex9_EQ~f$^GDV~!+9|gUy-Y8tia@cdGeI+>z5`G@IB%mLOdTEm7EHWe5wsq zw}hxbYw5*sn0(UkYFcFL{r0?vtHQ~Lx*i23C2ub(F{-BqY$F+HYGinmX^~mO8J@#+ 
zTv6vGVv|pD76lE4Z~^@e8=?-@p4kQP=NWXbJ8M76ZID`MEnE(s#Qey~bFxC0O83g8 zs;F6N4Onviu~8=Q)qPV?3>M_4eC|L6pr2|AxIb|*sg2c7O$po(%e+4yiewmBQ!-c5 zYQH&JnHfVYEo#V#>(oHp?dV2Zpa2=E zZMcGbLGJNfja69Ner6axthBto-|4ypFg-VOOlLF53(lNNg?8rM z>}z9=ND4K;nP>=YZp`zG`m6lyDkXzNj|O4+o(Zj3(QkY0(x^& zPl~d0k0P)V_1sWY`^K~CtQaa;G3MT-(yE)jD=`SWa-C+sHGPqPI`yfbOmJi_p650) zKwpw;^4p6jUoV>HwA`?z5tSGcbTs4!>~i>4It~r^>_!`O&|cA8hvVt~4KxUb0;ay8 z=^H`-W2gqbvxXPqaf2R?Zz)pc!MTIv5?++1LcIM_$~3mu$aYat8Qu>#9bskOBxCre zkAF@o%QbV#<)xhsvQUsM+B8jraC?2WSs3)86i=i;9kvhZyu@B8T5aJ?AQoPy0RQ->8JsGjx=iW?bWMUm1Uf;^`k!faxN2Gg$tc0waPeQ zNu>=Xq)|Q?fw`Sick`XP`FcQYOUHFb`o`l7hRHa+>Nb;FOiHsNTBHVJr*c$$Ew{ja z$ITYMw4#-^P52X2D!Vp3{#j7m0S*eJ>f@uH95J*iBz3vK};?M3;=< zlS_T8^Ty)Xq?bmnIKcXqqkCb~9$!5mNhs4Y=;`z4KP#rnCG6*$hs<(W3Q{H8hr&Y* zJsPjpF3LYgZLK%NS8h;Li!?bB zlfpE^p+M+JC2&VsHJG=!WfWW2m1;v}STMBm0q=He*PaI%D0eay%Li0pregVbqva$y zEZC8chV)s?Er`#%l@tr~1gla0GHP*2m2&g2Ode!ZHRaqO@VO2WEdAunZ9j`WQg3Qh zC8JrTdF#o!^{v{D;hZso?n3)4naTQ?7^XJFydOFF=m=&562=xPLGpbghIOa4JqrDj zE41AlYB7L!gQelm_DnRU5m$3vwrg<5yUf`d z@?Zsi^6*+<`idoxxLb4>t~pRTZmynvT1QXTcNKay7sQ|82WcFeR5yVi7ps`l9-bS_ zB0jrgmw=S75$lq;-5E!&cw$ThJrGf-6nYZ$?T>=w%`p;T|dNp-Qb|9lmX9^gTXMl4C z0(KMbODz4Mxo_Nu$8{P*77&B^IA))y~3wC?lFG@gjqV=k&Ic zhGwX9UXkZH|80%tO`oTg$C<722OCzXm9nw0s6#>Hvh;>fQ|cij-Cfz`e2|?NMY6olE6EYAJY|yF1n0Q%vc6hZn2<4nn%rbGCUSDLw5U%z!B7cErdm0fRxDV za{=mRO1@R|CK~_+Mb3$FVc}*Y`^?n{^4P#wnbR(&ryE{hWB#`1*cRilL1m_Klx4SN zEOB#hQm5rtU~zc#G||157R%B!*k%HI0W{I(r^~1XsiQD8xCNTdTz440D#Vjfo+gln zERm*6h~tuI{+el-?L?XFb_>6!RJhb z>4Z$VmksJ@)U~BM zqk=mPIo;TxxvAi{al-9b zv~?r!hUYpyfP&DHkT5O!9_EZzDp%E$$yz;9q zW9JmCDp^OPy$&~sVau(17kNZg3kNqhen&30)82?BFsUb6R<&?z2RTP~_Jv~}s8rQn z?;hGMu#vZdW+b{HmAvfZk!MvISmyFlrQ_0LxmAgirY1067()!7KZrB_nv;D?VvJKw zG!1!!_#KE!WA#kvk8y-X04_V_eP|R8oYzvB*2%r^EJaO$JDc8>_ z>MEBx67TM@Zn^SlEi8m(Aq2Mx=y7WCnc+``vukWePo0E1zV*Y8YhHNa`-rbqrx*n5 z(f_j5e@T~q>MhgLH)m;@N+N_f`sx+jnB7OW+bmGLXcWF#p#&M*-W_y9IVJ8{pR_?Z?q$NR{dQH4fv65$E}^0+kMQjw9jMoZDAw>Fz+mXK{O8d 
z-WGusp$y#H=IlN<##>&-{+PasZ^Uuo8^Y9jwDwuPrPNBv>QKw^`?1XK1YOP`M(#;@ zZoAB3lPTN}0HeF9eUi60t-^cg&&{!&=66LI(ye7^yinG~C`GTgr8o?UGH8K;Q-(HY z2S9|9dEhW5Wx&GogcTd^)Y;;1d^lfgVMY?kPr0kgA=*C(<>Nsh8`>nm_IIkwh|7Av z-L9ANt&gnp4~#QQU{PSBMsjIL5LMD;OXhuEG|8D>e6>>hqQ_=8>ncVs*><5=xHX z9FfjoY+_AUA!jArB}Kla=M?QPhOoB`I4&$_w_d0yp?G3UT|1Rc8Hn5r7X@eXDl1Oa z^Pr!317yYB_~}mqWBI5v`4Uu zk=l8gukPH#rdaX@Ww)$ecQKYIv5tWiP7l384sRSsy0mU-UhfekF}Z52gX{CQqt>E--5z(toCZpMT|9pa~* z7m2Q~dK(qLXi=ZZIKWpP_s=0Sg#n^gbb8I$*LXi4eNlqg$BN4VFen%VqJf_l(#>!n(LJ zt-5#hvOl5%040B4UppfI<7OasgeSOLu45g`PMyC{JjNj%h^w`w97ii5OE#4;Xg!jH*^H&PS+G0l_UAyTA-ryyTu zP_~X8wHqH&`6&gDfi-YpD0_iUcw`TAOUbuIyYpTEm*?jfF5SL1^8Ot){3=>6r;PPF z4KSfgmfO6F3s8c^^|hgX7B+iJ9NMjnO(@X(ai_MptD-`j)Ktjgtsz?>yUUIi?lrFn zX!vHlvB?-)Kk#y3kll@w&@)#gb_`0m21$V|#ES|xV>!Q>R1eU3%obGH zF8G8(YMemFUvO0`gfOYrdz)&TzQJ;oGGg+=0J zQ>ioFU}G~n>|L%gov#C+2QUW^Gvf13I*C~Q7 ztbEVvPZ_Kq0a=lHhM!b8(-cV~{wZRgK}HQbh;zt|qlGTIgmxX01ZhS3X9{uO-3Qde zCbz@`KakkuRp4Y-8fAm~Zk2Cu#@8dI(^!KS64IC-+ren34~L`vQ8rWhu1v9`8K)JA zxHym4awm@&m*`S>}qS0q{eM?I0ti8jn#w+QDDs;z1O@316d7H4}{u0YJOHn2wZ_c0s zvz#wBHOoUuEg#{3d9wrX5k48R28eiDT!@qYB;&?;>?VX;d%MquD$7&~D=3i*BkL|& zU*;7N#z5q=L1;%rn^Uo)|p{e17YI0yq!-BmrSJCM&t^J7qFxonKjBCm2HKjC8Nn{>Vfpm?rzA zbsHm*@tuKwtNo*`pqv&sP*rm4s}9jj1&RosSAxIbq`%lTHE+770_B zFgs1faKBs<0w{({hRllzxe-{M&UNLha`E^Q)>qh9&x9e0mK17YS7xQy+%wV`F+Z#n zSLxdS(p`ylPMg1QC{@cJ9AgNvsW2YyGbkGNm}BD7vBk~ay?yefY{|sioZSg`vv)i~ zBjmBAKUv5obFV@WlpVJ&@qlFAYSaS=y%+w5xmk}}hXx8lgS0RQ%z>_dFZgGv;JyzIv z`nBt_Mp-ik6UJ+SU)u9I`+>DtZ{mL|BOkD(v}#6OW@f(&D=HWdzeLyumRggwNcgkT(ezK> zFf`I1>R~NY%+u|>_cT2?hLzS|w`7VjlOTMdg3$a7M3=%M)MWVNyvFF>v~3Po zy@VKQLf3Dn&e+{htv(G;(Wk4P`3c-D`0tiPSPcV+h+l%S+zn)-Knr+k(jo{aA(s`E> ztq4|o!N*EYA!iJ4f*mP$02Yh;N4@=sPqaonex#<|3+q?J*SK+k zU|Qv7kc?=jwMDIoyAmVtDc7dYlL;tl2qLB>%anRdlvvj)E5mz{pT)%%$cohoBd1gY zmx~!H@4A_s7qFnJY4x)Vq4}$8lmk>cV+TfR5Rbl26uPWsh*!TBk1>mG<;`@9MIvn2Ue3O==n$@3YT-IWw}&PH!~Y)J?&D*TPl?y%CXS4R*HxW zMe7|gE4<8?2zTO1G$Y3?ke>Tki9`M(xC)^{Z6*iu@!k2z_*qU4zyB@W1S4&dEZ>Bm 
zXe?6mvjQLDQ2gjiuOy1S<`=Sz?KF>h{K+;e%2C6r^~7Wufio>0*y`>8vlhVc-kcas zB&Jucg(9|BPC3GQW14)!fx0n~6_z5e;4J}e6GU6O5oOneN^PWMw%J;8wRLIqH{2aX zX9y6#Z*|HQrn*wP-@71>dCUfHx@^GBiK}%g6n)e=0zAQF z)}Ms{EtlOKA*VLd&srWc;{=|OGB=WPcQvI7jyO>eejYW3jw&0hY#DyP|5`vpCR60D z2oZuPn;0#wmOG`F_)-SWU$K=ZRSoNneO|@>@Dlt zLjEiVY{ofkTUd!ONbp`iUknFc%uUF(W-NaU(Yaj#IeEX{ zwfT9lGQ`o}!WxE3(rpMF5O~?liFH*{fQr)m(r^VR|G*%mU(ehxqVNS=Qh4vs z&@?fks$5ZXr2&PM$)zs&FHaTsagetp_WHyCgK~-8`R$~`SidOlV)0``pJ@E!X5zNX zN75`9n0M-`Zz`ab1tZ^8II8vAcx1QuSYcnLwwQGDx4Sl= zPY@tZgS}r)uYY`>^Iq0AG&O&-YPWHu2IeSheWbKVuv05e=}@b}?Fci!U9_^~`lBOq zmVlI340%Zw6A?o>XtyS`UTB!Z^WFl&!bboZltrP|{6qE@U+!8zsSEBi>VEXJFY?1+ zzx2$rW3+z1<`kHpOPg*wAjO{>|A+x&U!098BJ)&t%JB49M7p-$Z0`+qJgnX;kEvm9 z;Rf)wWf4pq$gr}i18wy3ScYA_dhTMXI0@G~M)aoE#^n^Tk7mM1{U{Qz_2 z3yTCYg#Ez6ZTlc*LXQSpHnZ7BjF#NH1<4SVD@in)%aQRb_}#hn#$^|-sEzXwERw>L zUvSN#0NgCO0LC2I6y7Fp!D-B!Qy(+ys`mGjU9 zBGASkvO;S7baSzzl}ABq8f%%uzU+~;Z$V{w0=7pQ)iqTdL@7)b&E0`Qjxl%1Qq8+{ zhs$7!62nw8!qVYoanQ4y&@6Aq>8q`grPS_^seE!d1&>vpH-GGbAR2nMz!Rou z=EV*?GZ}5_h5((Js2boM&Py8;ND06B#H#&`r{2x&e5tA|FTC8c+=!uDw;sNqNkI?# zZUdzkYfEwTI)1{fp(O*Q&dpUXz@HNu6vo=NkVIXA78*@>Nu}rJK~OwW6K}L>g=9!i zP36Bg<3ao?mEr(+-t3763>dGrF$U)Ft}k4L$((AKqAEDl$};y4$6j$x<;l;SJMEK8 z9vq$BU&2YMsMfX(B1T!2l$($pa4t}4 z0l^2j$~eno{!E$9GE3w}yev>>|7zMH^sDIw^6#cuw>&I8NB?R%LHVnx2kh^rE73eG zq5FR{wI357Zf;U|N)X5G?44Ql^VcD6n)lkJMb1o~T>^m>+keQ!rJ2!RFARV04-Q;s zpCCg>SeM+Let7#cTK$+16-p~Aw)f36rWl;GF~gos zXlR?ttnNB(6zKHFbdRA8as15WG>NCaO|vJu=bsR}{)!NoUEs9sj5T{e_)7Jij8b3dQpVtfCth%h8 zL&~J4(K1+vmaI~(-6Y-6oA0d&J8BZ`E(T>omH}!#ErXfxN$asJFuMlQu ziGU;GPd5W0xXttJcnST2nsdwW4#2wycG~o}HXZ~}fSs}b9P~dl<3*T;uqFdq2pr}g z&mA{GOhfqJ^Y+feHpo0L@K@MX|G@BH)FInEz(4>}{x1yR_ZUFo`Y(glN8SPcO_VW+ zJM|BO_0y8ya|wINb^cC0oaC5l?bkuts2#2VSL|w-J45v(6ckjeo zUfm}2J3^BxDaMQ8#7vy}aTUOz!L+9~WzQKBhc+d!Q)Xfk!AfqygN9ncO;8MwYQzU?*H|lvDX!qN5 zc@VO`N5qs$jOgJh&QHmvH#a>pE|m)DV1^>vW+-m*EeHKTLP{-jgW*oYfS#@wvl@B( zkJxt~9kEsC1t&p2_-Q^2#@Wfx8n9RFZ+J8|cWPo$6_j(hg1zD1T$A8crC|$x)$r7&j 
z3!f#x!juSfxzmkl9n{Jg6N~VV;vfSCcvIj7gl+IGR!(=P4BFoHpq~R@>jQQ)NSh5~@xqPa1Sc1#t9UyH?0$KE z(OVx7qWZ^Oyb|6J)r_BES!~t^&?)_KQ!|&BPU)YU>H2`)SAX10Nar5JT*VUx10+H(HSV4^#ghmbUj! z{_Wz`w|~2MHKe>1=sM8+1)+Ut6i~iL3-bUiNd6snJe$Ac4w8Sn*skes7lY(~2&FfW zAoK^=e-R4L_HV_16N>Z4A3g?w&G?g0s~;br1e{THF0JW%{Mp-BGlF$gTlUxW&IKq!!W zPpChK1^E~#-xKQn0~h~IsE0-Y<$JWE572_-dqO?PPIV{M> zK>40fJ`Y^{H=!OH1(fg6QanHll7AB_;X#H1$@hf%_Q1tJ`5!`Mne_VoVN)pw@Bye& zj{8w@A9w<^Mz6g5XBmEY7m;j{Q{nd_{ja-!!uem_{6CEPf2|ks|5wlJ)~Pg3jXxam zuW4uTKl1<38)NIPykFip*Q?O<4oH%jnT-lVx z;1}H1$2IUIT>~oOv~-+qyY~l1%o;U&#ylH&c91T&39+na8+m5Cod>iwUo*NN_ZiQz z>ClhPy}7o!?kTgL@@#N!49DuTrg!ac#jSBhrt^4{uYFnL>X}@-J+RUkPcnCXeK|E} zceS2feO?xG1TJzwdb{uKc0FRiz9wtpGk{jmpHw^Ld3e4~F}B!Kb=uC)=d#ssDzi5` zMNxD5+IC~Nk?76Egyjvx6X$K&o!v%L0=HA|%W&(pi{!(dZSUx-zOvTEp5xiPlFQu2 z`nZCuO`}s^lar|)dw}Q5>qRw!?7WHPeTrR87oP=D0zElC!8bSC=>)oaVKCTH$a@#B zOR8h&G0Un#T@!9Z35?5~NV<*(cFRVt^l!e4Zd?;O9fje#PUmIK@mExN1}?WJ8|^al zcFFQ~W5qX|`f7_cWZz&6TwZ?pOn5x#GLz8Acf{SZMmc93ybr&v@FvmSea|guC1*~f z+Yhc=zx|5Ee^a(^ z>aiDeYZ;wCC#~YvXK`4ty0auYwi``&!>u*lZI!&*hxLVi_ohQ<)yY)zjmbs3)-qj` z)>Y$W&Sl!AD-VNr&#h6J>2h5jfel4`-xh(>>~%xgW_ofod-Ud%_jvX}yt?(J+gcs) z_gcHC>#l5STn49*>uc(3)smgE8Qj^!k!wfHYN+@*v}mFT8#ScpJtsV_>l$)euUy?d z1shc8tL!vAkGJZKuZMQ%4LDO~XYgnFYhVbgJ&qT1-O3NwH)iVV@>+pB&I$K)`tnWr z&}r9+Uz@(Dl7C}oC41Sm;mYB(?6hosYQpTWY-ic7M6+<20?5CsB@1^uhhh95Tec1E zP0{TtT_diniA8lJNsiWR9tpRsQ_w#ycgk+m9g{1IRStJrXRZCWolCF#z~j>|iZ!oG zucL8_Zead?rz%EL!$)XHFt7mxu>bZ#IwsJIRX?a$DlD;~+)(2XJfD zvB6_clv^`y)t=%q?4T$>TPxb_l)(#;fYm{5*iN4@CM@`|FA{I80rt#|GP5-N^NW1G z_7Z8h=QX?o7|-K6$|*VJ$9|L)AncVhQW;I}9``PNg2#|LpDR6ZU>`XNb++m6Kz&;@mH3CDO5n_Tg zF43d0&V(ioL-rBdiFAC;p0YZBU9TnZ{HIs)


5`J*a7C^2y{;Oj(1;U_~+;<>u2 zw(+kVnjhCxEn;G--;l`DkPl?P&-}Qrz9?^PrHeaM3@%k(-a|iC9wh7bM8m7qd;mIW z7}KFfIL(7{n3UL9;%4xQJ6ru@o3CWZ8!k52=3ot({z68(2>Ikuv|PE66Brg2+V3dY z$i>hkdk%OcUu#M@CgOTSV~N`*T@kQE5wP%x#@eb@m!Axg8S1_uYZ43VC_~4@?VMOT z$b;G0csy+skLUM@%z3LQbo>@kJhgnd28{5DCjsMar;>JfrF$hip?>lYBQz2!3SGj^ z=uqgrP9`F+0lnUqAegls@6>XJ%HA6ov~U(~_Y-b+KQLp|3fYM3(a@o{6ID8%>!XMX5(QEQULsz&}}FdbUD}r8=B9`A)oCP|o?&8dK7> z2JU;r{2b@2S<`VgR%VZ((*Vx$O_Fs&c-;X@HB)b?!Sgh`fz(%OIZtxFrM~7IajbHz z^HVkJ%LmfPNov#(^UI`zZ&8Fb=@QyHjsvl&S^#pz6~QA(Ye!I0^SmQ<82Cb zVhS|)q1)<+ZUo$1)}a7No-7e#VK4(9zAu}GARNs|zIat=`^SY3>82d|4jqt!;;Zou z*+c4yj|W+e5b_a=cSzXESDifGj+cdum%Tkt2*TQZ#cR%SO=1r}Y-Hqf>+DxqE4_{v z5Rt7dBc!Y%5QW3&82RpOx~qJg{9O{2h(Wx^e&V=AW@;F{CDQJK~H9sq~j?>;-=KC8{pfHJq=-M;R! z=PvwC$wP12C%87@Kq4@MOb_uBKpLz321&79>ueCq{qf;7$x`+jz2g8qoghX(29qN# zf<<)%-{-R)>S5mT-I@-l#HX-NiB4o5Pn09iXMLzOQ;#T!%$mxXK8CwU09$fZEMh7s z+1&a9xe;he@?L$1fG_;JmYW~E1!3!qO7{`}-?>Bi00Tq(`7%p8dlw5M zySq0rYiNY#ffC01Q-a4RbV{f>xRe`Vlj$Ve${W2y2ynJ4c8sf zw&|RC4&9jvbc!cl^*TcG7Cq6QWFr^n8yySILaR^ZH`sg}c9A>kMT zGmCRuTg>XOGOqWJ&C1anD~!>XILQV$!K~BPXJ5S09+dG0aB(%;(1 zdHKu(ORcFG8_t923x@#8S;%Tk5_7rc=H!)XelyJ~i7G^Cp4=>gQ6)L4w5`OqtER#k z0?~MwK_}WV2i~DF|C?*n-xToSOB`HThKc=w3jKj`{*Kx8d z#ct&d=;+CTQ{Mn7fGpPvz?dQ2Q1dOY=l{q6W4-! 
zQ~_a{YssM;Pkl3!Dzl#6d>v>>AVHNI(|*;qCpdkmIZ)wQ%HS@bp$uhSx5YYln(ZtJ z=8s=o=GwE<+p{^0?$4WfwuitY{F(9n1U`a3;-O5{%8XTy8-9#aUE+(Y-uCdyo#J^6 zIY%yV?;EGdD2MhDbQq_s@ltG;7ua2GjV2=d7ouuBoMJqO!5^K%F!BAT*KbK@!=?Dd zfe+JP&3X$i4Yco~iB33N$Q;b9d}e~WoSBR+Mws2C-0zfYY)=Qiz~Fi1Gn{xTHw`MK z9P*RM_6v4^su&LSw{vJTzi?OgGv%c*tw5%C;a@gHtfT)h#d-@&m5D>JLroGVr)Jl=xNIZxW>W@UM3{sXPuVc;QzexA~*@Wbjgrs)@ETQA3U|E}YO8q%D*x z8iOdZ(v;n=<2m~2W?z1K!>J00;HR}Z|2}{%*u6-?IvY4#NBQ>gu)N?4QlDp-Vi3df zuFpnAkGlM?cdTRb?R_DvlJPHZSI)K*)SFb08dD|tRJ5>npSLN)o@wN>;ICV3S zu<6-%xwW^dkG2QDSCPJuoJ{zRSRAP_1Z`hKCM*!GK}`Sh1%j^(3K%SyJ}iFmtEOO7 zQZSk@v$s)}L5|Q*-_6tuqeG^Mky3taD1?XV#L!7;Xp%9U5&(PegOZ{*l_F+8j`>7P z2nAfY(si}hnK}9CGLP}_EiS`3*54_yN^~=@3785oAAy0v1HbFo8d=!U(}AvupCqjw zF(SMuLN(Hn%4vDTm_J@D^d7!CU^P7!_=1I&qmvKgP0vi8NZuwT(H0@Iq&VW)O=ViN zF|=q-D6^~kyp;|>g!uno;oScX)PV?+^O z(oAEj7e85>PcfjheF>y^2~XR|;CX3CnvBHA1{GCn~ct*G3DTu5Xbih6w# zqbshSzxdj_|NIM9npDz&K>*x3nenwYxFieC@EIJjv0aq2X`S2V-U!a(MyjoHP6Dl8 z3pAeIG5Hk=uKSP7T@rs<9KE`P1|382Gh4bkZOd05yVV?-Z=C~YAa+QhTCz8tKRTat z$3>SRzZzZRIrhC^a}hp6NL@)$FV%VVq?%i1uVn-VaN`@U z5ABjW5Hb^INCpk_UN4E7T6%+mhF)UrzSem?)-~Z;S$$D2L2VfaYo2(v<@P`2omWoSy;xN!~xhdPn5ePttJS3@9Q+sJ39D zmg{Ms^Q@*Z=~3*jzP9*uM{I0U*UF^^S!LwyNq@g2korVn)|!a_c^fZaV9iT@f~k%h zERq&S*vo;Vo4w*#WFOBRLMF1o3}um_-fNE8Fls9{Ee7vKu-suL@~n8dYraXRX|J*| z8#65Pd4%;x1=#f2Hps3gP|Rw9^%9wVd17#9Rj=MK1op8IC$S7>m8}TfE_Zt*%`GZ_ zX>oAY>~aWu+q~Pw_czwe1zc4^AbE9x#S0n`tA>!ZmA#Rby^f-bjgg%eh`_CiT{6uK zC|8l+$EY0Fy&%k7Q#DgzJeo-3+X8hCtRyc^El|~A71eW}0Rk{~x4NC%4-Sq|z{`5o zLVZo%FM7+Xvdyz}qI|W>MCveIoGVv)66B4$CRLfI{ms!0M2$_T!As^`7#5xo| zTH2=>Z)0b1<$XlLl+#|}SYjHkpiG5Z?ga$3#Jo@$2m4rNOPZ(^Moz#KJXhBN4ILL0 zh%l3Z5~d(&Q#Z>P)yN$x1sTvCDU?JS>vjN}DqH_Dq5t?E%lY6(09pC<( znc;r2$gH5r?Zvm#Jp0MBaBx;0nmizPz#pMQpaXsP7);!7T=m<#*0gY-)B*fL0e=1S z?=8^FU|@#U26DF6Hg@!SHZ~yVKJ5L2MIR0h)Dpet!%8_0Qf0*0x6fsry$f zl*UicU|?;}euncO4R66OfJ&V$=*? 
zZl&+F$TfU``1$Ru;asIe&5m0>$m0q zr1poMA103b&MMw_o&QT3d8p^%q`cQ7UI-Q6vC7%aG3aCdii*Wfn6B@kSK4K8<*CvVmLehd_K zcFkUUb?;t%x*KIVsP`WrARyo%4nMD{!-^=F27v#n2Y=AOA9E)&Wf!N7mGi5 zLlTVS23bA~_sSl5XHXeL1=pa`357%V2kz)epSPG^hf&O*tz`mh);@2WP4nJ)Dz!D& z$>YM-PHTV8hs`|&<_ThYWS@)HA(=6Ioj>M9bf_h&G$u~EpTQ9Lh&IJDzTB`uE$7qm&ekKb72$=k{p0Oa&*S(|nSRuj8 z8~*Wv?)|M-JkvIji;<53#W->Cx8Upj=I(CP7tpGVbj-&|XcLt|2E%#&zJ0>}b}0c6+65HE+P>zSGYM!an_0#cF)#zht=T57!%N*`Rw9fZtnxEy3W z)P!Ir5*?`6SP>`b>TeEORcHxg9ONGYSG#}4-!C6h(oLO(T%m;2N=KUal|J_=Sxw3o zE%&#jJ%^WH&~V41Ii#`7d?mWOh~Pku3=W1xUQiS+Y4!!`BB-Q)%uF~b$!%ZPH)dff zcJWy>Lg0%%QO}TjDNcV?&@WvrccYW@rGUnx72?Ttu~F07U;@Ko*Fo^5Rl})SnV6)L^-uSuBTYHidjt!M0y`>_?_Ju6b7Z>)5Jl4x-^4?+6fe*ozFwnI`YJ{f zu_2INP|=va3qAX`(L8aH{mg4a529Hep!q0Ba5X%lJTQtTM2)$^;uN6C4(0W*Gkmmr zP#Whi?0fa==Cby>oqNwQ&pIjD`(=Uq?fIhk^3F-P$M3P4n7QFztJeo~94EY0WJuT4 z<9&Pl(3raA|FSfr#Cbs_^}^64CCU)Zf4|%|A*!8c`ELE-An_17oCbpiq6lU=A>dsX zyM%g}oe41bj@KN4=mOwV_E`|_3qu6V7k)UbZ6>p(;WiK6*2MOPiHO1kKNn&vXHRs# z`KhyN-Zo4n(q9pZ#W=Wq+z^habrH7N1c5Xc zBi6R~?IZM($wQ<%G`@5}A&tY$P^3c7C#LLBx^Hr9Kgc}M%yi5%W4a+iFd3~dpmk0a zSVPeyMuZY|G2}PMWJsRB7U+9!QETTo>1_oe6`{uel9_bZd&llBtayZGl6^&mntZzY zOPqkH`b$ypEy~CTqC&`#k?u@BflL;`BRxp-WCCrgOg-rsU=fK4q=l;Lk~N`RFh&FH zmm!z?Q^h5WnGX_VJ6;*Tqk-{9eYB+t#omh~^yNtx<_pI%rx9q`GADjtlj>w2MM-Ma zh_gN80w#a*k8Qh7d@>bobO3~#`u5$ReZcK-LnN;^q*zfb*RDz?sL1r#gR!gLgqOMb zv13(z>MX3da@~)R6UFR)r8*7>NDO;IP2qI-AoYZ+_-&$MzoFtmSd-Js`=KGFy~={g zEQUhr$kj07VmHdp|JD*dLEenTtc8aOsNZawl=IvNfLNc;q zG%G4wJ>@_)P81FA*VT_!WX!45WRf^3D)t%^XjXBC3u;VM=zAhUk}nYm6=7sI!#by< z(Sr$sZ%8i}VIi#^o>&YT`G+>(uMqH63PwStT zY6OLen>s3Eh*nu`d@96hH7&RG@A!3mTWZB?xAFZ8&rr`Ko{sy^75RwUBk#aOl&F9k z5f&bA^X=1^a^+EZ zGHCH?Iu?-uj%`81RdVX7>4%XP^M`{H+;Ic44<^Mxg+F~ z0zW?|;lZ0AIVm&fW8JARO5bkSU(=o)sOE7hI^~dpsIbI{!|yof*eV;>N5cjeb#8yo z^xUXadM)?l=Civaq@T2^<%6xuP#sjQ&ePq-oN~o{j{GjgOPkjHWDiiOT9%r*5xC$8 zL~yU2r)#1&Y~FD2cC6m?HOH5tUA9RPES)dMqLY}R=fUF7H>$*`P%K|`tC-RqwGql# z!`JM&H%Q~&Ykpz=zYCvX5-Nk-$TW_WGTJ5?NSA<$|=CP zl_&xi#rMha2}rRYZ%;P--?WoRD)?#d8n?Jl96)i*=eJKAty)?dF4Wuwk0s0Bt5q8c 
z*2B9Wt-QQ7&SYulAM>Uj$8%=7D`Uo5jh?T6gRE3|fAc%jZ%w@TdmKZ6W-42L`M(NIal7d4 z4SQ&gpOP4L)%C_?wHuJA`5zqU`&Grh=4f~hk7`-uFacM9dsDq>XA;kbH5Lu2HohIg zk*3!|=yq6+EW(cm{Jv8s`(nPCI|cW7Q9jwnri;ACqHZ*zF9(K(6U~peh&45btyDa( z!(tbYW4pbbr2b{Ut2!pN)vr3V-@cVT@w?A6Tb54_nRNT#Gn@)P)!(mTZ+^QV>&0uTx04;V5Lym~` zN{H|e+%>|URn+5kYiwC9NC!94{9cE5*ICSe!9UOVpiBcTO``zBH?;2tGy2I z_u0BykbXBIZLt%dw2nRwJ+z-a_Vc!~StG&|W4XM}pto2A$N8!5=KtvOF4-@Iy>9e} ztMq3f5lsK_oZ08zj+1q%r@c{VBM9KqU>$+&VlMIKtCoth;vr8vhioPm&NmA@B33<_ z!}J)5TM#t)QCPYg9W?klsW{uSnvtsbLf(n)eL2&cIy|bQLsDp@*m5^DNC|Rc&~Wi( z20nm1jh3fiE2N9}^$e7{wo+xMHCCSdUr8%ol!~Q=Ce;}^ye~)dlNwL>(|xoLfUm!` zys<)GcQocx?q2e`99;8t+Z;o-)!S@BF4Vt71e3&HM55I!DjfZu9JJsEai2-e`NRd= z!4Ag-ldKk0Ntv`r-P6c#K7UQ|zk%Y?(0GAT?JZj~!t;NGHK^E9D66pdV4e_|z`R`Q zU5*81Kl-n|)y#_0{=Pmw+)C~eOfp^bQ6kdih=T;}av%6TuLaFG^&K#0&YVekCKd7{ zAm|Fb`g|@VInU7ZpYyum`8rdZIrAc=^^ z-k5s56G>SVd~7{BeCz5VL($_3TRE(|W6R$fbwY+U#4#s&opux25cwFZmmWL8&41N5 z_IZ0}_#!W0DX694riYc=BXD1Ut4W5cwVc6-G3Cf16Y80E+c;C#z?9DS~IklGQ-Gi z9Gf^C%`e)(Qm;nkd#;_6$wMANTZ~7`c-=)4e@qS1NB*^*X!l4V#;R8Cs zIJbrCkzW{f7#o_pyOS`*ehs1VqQg&I*iiEcOzy{y>e#~4?yhV89Cn`k)`w`ngyoE( z`)8RrMO8c+`aoX0aKf5gwdrmHDTh0V zgx{77hk(LECPt^@qVCT?DTc(3Zqm1_OU2W4+bgF#`!^eEda5LD;785zCR#1dY2eZ@ zmjwYx&VDF^?es!7mT1l3&1}MBypZ^%L2WksvJEK&3xVp4)I?w#9x;2_te!+$gnWNq zj>lrvq zZ#lF6GXkSS))dncyMP$Kyp7-L*G)VP=`GdLk*Y7nIbG>#XOYc9y|uk%73Ldz>&Xom zjkUx!74Oo&Z(ZBwrY^=WOtFjy=pkPc*jl+Qx93PWgMnSUOCD8ZaMU9!*o$F)v{<1% z94Nwp)t62E9!-x~>M<5P1!ei58Q)Q!+@7wKu^dVz`5!k5r_rqSu6URPU~VFip?m3X z2fea7C@cnCs8%F@oxl=A9XCEM2MBTL58RQzW!HFQM_@~m{n=2b%~7GWqJ7=p(Eg5m zrIOC8*6+h{sh=Q{t+6F+1|IE%VgP5uNoT$~s19e6a@WteQJI3w)qc%ozWvM!Z$s51 zFZ~}o?ANT8`>Cvr`Dq844@ZHVu(uA)m=VvTIIE!zU8!I(4`n_v~DR#rE-B4Oh5nIDQ56pj*V4pnz;0!lgC(j&g#8vEUyqu)w_N-96C6>O0 zN4hZoICapPe_OoXdb{osJoZ0U9OqXtvmUneT%PESoI3C9FneL$DjAkqJtOSM7Hj>> zVu`lL{>pU*H*g-30!$k98xP2+n=0)%Jt zSk-j(=EYqaQ^{ub+mjtlt}{rh(kv_)SqiLB*B-?hM2 zebx{qNbS&>f2oY7K%!EA zy6jPMe@)D}Oxv|^?dJiYuA=Ai2CV_s;8-M;{Ew$q?AIK0M$qfvwz2L8R07(2W_0%D 
zMq35eBA_}_PegM60Tcp_-Y@n>EBygj8XB0a1glosXmqm*zoF{aW7oQYqoGl`>R8-T zZ(BX3+vj|1cpRpos`P7$WiucOS>78c@5V|FaLk3u)Ng0LF|B>)MAo^HYf_eWI_5?e32` zB2 zyb-&P0?jx2^x!27|9vwIO5^A!xm$}oN;TFQkF@gbJKx`*wXl2r=YxZmtAT1&8CeEm z*TYjw9re0<$9#{F8{f*QDrhWU5VOfY8lHM+xb9_|X3~FLvQn+ysj%I*e^S%nETG}; zG}V-?&vDn);ZB?|Wt8FC?Rn#8tZ*vh4nY1%w@@9hAapBUgAm$Omph~JosnPt3^8BF zb#lI|YAYwVX2@~$cuVUIxPAprZw6MkT$xu!ef&osRS6iPh)9$LRdm+S3LD5Ip_7Xp z`pUp%73T~uhW&uSHu`;r&lUxAc5C%!Yw6xK3f;2y;VS_ei99rOaO#1qbNzJz>p@O=+SA#Igzp})ezM>YENFOwye6FR@4PfR78nK77wF7*Du<~K>ZPpwRv?hxt5GZCLN^*plZ>oFSH|D~C7Wz%@@*N#N;7^W z+B>CUpK;C1ab!2`X#k$+nEH#ISP}vqeVKR?+s!_1(s&P&tOcEAG`GS<5`Y*bPHP5* zezte>y!ZOxEs7%}{~4z-rX-vD3{JDB{4zT1$0y&9kDRdI`Ib3NUORd5SpRv$DXZKB%g;t?$+-$u%K}@iuQMl zk1!pe9D!H-V~ChoOm!udtXzJ$OMAkFdG&{_%a~e%Y7|1P!d{j76hMD5@8?1Mg zpPo8}9%omINVR>NtXQ=Gdfguu%fDio9KVQgwz$^&vAFdpsFz0QlRN`(`}=0&O9H{y za{JTux`&t^a3IT0Yt4C5l>c-3F5*&i70dKHmxyz)GUk&h{Eb?n#A0eIsrg{^;svXT zQEIgcQWew9JXYtWncFscqedrGpcw`@iOAb|q!x<%Q=2Oeq!17KC=|PlzxXeFtxrl>gR#N+mJGWo!l^{S}xIbYPr9iDj!3zZ7d%)mk0ij)oe&?~YCEBg=eu zlg?@$U#0G57kA@}oXB)6#2OIjoRsr>v z%!1WacY`O5;?pYmrxTG{c~y`@O0C9LwNC#mjskZ|42w?h$k7+;YGQFUU|X5FL*d9qu+V=P1=K&AjDhqFjU4bI9Xse8kmC| z(<~%pF|2 zJNXX_v8sujNOyFg4Zm(%>gnrG9JSY}D~AjxCwdPh!B0;1W7Z-THUzkgGsz%zt6 zJzv9f_n@14g5i(cszMyudso2XqiCh4wRC9%-uMoe63fQpvoxYbqWSN#LmeH*S;P~z zGakjE4Hzy=Z!u8tv}FuLP-MUaY9G`$)UIK7!)s$A}*WdGP%bweWC z(+`bj!*Z=rPD zs+#H`Hlfo{=&04MSjCb*y(53@o+!T%>8O+ehX@9jwI=5+fV%EFt((Q6qf zukC*F{``j#3T$2%&e$zQLW#u1-Ko6@8qCCl3-HKFo@p+ti$>G)IFUEp<1hJL?r3Dl z`3X*qB!WZZu7i9nt2T@k$sYEyP|+*vcF{Sfg-D6BjTAG5sv#7C$f8sGh26t+>07gX8y{T^kuxVdsx!G(+d0u-8lCQ~<~~YG*u5sbi%E4l_E*YKAZfquaWW zF8-2Nzyu}jtxXB&I4_S5n`E*j9C}&I-^QD}kbZxkTx>>~{vNf6{#~j?%kh(o6!6Fy zZFI6B+bbT<)A0e%##@^0Ukqv?5o6cWTnSY$x zT`6m9w7<6YY%N&rm-FDs9z%6X(afH+PbK|$X^A_LcWEC!&+^QXKmgY9tn&5Q@(0BO zi)9BLLJutZ^JdCDsd+Cn;^TMJS+GCz6-83b+XLK+a-Na0gPr-48Iod$j}<)M8BKc0 zEBc{K5b>Z6i2e1ZF4l{9vuy*UX?DVxEUQ3!w-|T5Z*nGXY^4rU5XT*I{BBPy$2WCU z2X*N${*ARaiA~*D{tM=Q_01|v*4!*P?vv~0-LME9`taXfZ>xU7 
zHI2;erxC12@BC@Kt+rr7ZxN%v?wIKg3GAtHYj)qe6~ZCVu<5lUPH_~vO7>IFct3$r zCQSU}s)J|oTc=OJe8bPBUyzWp@1&CR?Uq>@&S4>=_CuI@$o`^9ovrPrwzpo1J& zgS*I?{tEzipq`Sqs4%bL7Yv{57nw4x&H7n)wUGk=K~HcP13VOS#MxrQ5$Fryyvo1Z zPB}WOvYvK-BqN6(`#LifS424#X5fY-*T>3$f=;Iv4YQ;mUIrE`Ax`$Bes?VXqP;}W zHcMc@5h*`(G9`DNny5BcoFGtLfnAH5DOJ8G!aSdZubzY&z?Q~AWL}#0Uma#4#-y|j z@|iVl`ZEVx_RqSz4z{OWK=-6lF~XajpgB;mszOq|*iQ$Uzs=yFsfK2P&uPI1r?vWd zIv1N*l9%NdyA7>SLJIi3?Ot8iwgZa{1}LGRjc%%(9mrY+(`F37PIXr57?1QDcxN)f z(ZV1YA*Ty|`tOWbqsGcU7%&!m_&Rf0!{zmB#^WsxaiW>kZb{jrx>16-T(m8oY~=~a z*}mkwi$lD!Uu`2VuCf&u@Q^`g;-|J>ZUeqE#~8$L^9I*+l))#89Y*piWp)*^q~$aM zWmGkK*&7`!`Pt?=5f5qg=6}Vv{YwTFghJbP62mK9V{0shTj}kjdkJLou7=D_6Kge^ zbq@?HOsYCMsu+fH|s+$U^YjGDVD8%4`koE3!2=I$SI|) zMzEnStNN2h&Q_RNQwv3S@EuqOY2-3N+OtI^Mq~b9z;C@{+%FXPB~^XV+2Z$OtJ>0N ze5z`)vgrPsz7b0_K)D|O9Ii^6dO(Gx0J@ihu$lgc*HuI^+k)Ij%;Wwqf&xc*C?PB# z)KjwGoy=m#8UrxY@e*Mf(qLH={f^~wJ`2Li;$sf{&+e?FePFvIxlhl*m}Run06|H; zB>Ya)#Wg%6dWxkW+TsSg%{E0&uSU?%y8;Cpz~U}2O+2xoP58b|O)dkSN}0_NifvcC z0$#FdJGCT3@j!Dmcl#)ox+sIEDC5r^t0)gbP0M*uCz?@bBV!1&FhRQ~ySo{pwo#Pk z{73yhp%~|-jQRqY`bira6AhbpHd?>deDx?R!t#p~@a>2h~q7G4{#`V(ubsUW{3sbQj8V$w5s?g4fK=%xd4N4P(5_CpoVR>)tf-rRH8jtNkB z$;ueo12B(qp-QX-@$SqlMwKOrk|w z_m{GX@xMTwQmVoF9lp)sUD*hW62sBSIc^73O*R@RX~d~^0Epd~v~icSXg~6$IPltJ z&1cJwLH$PxjGx=+#iw%$;=`=M+}pzP;MTKO*Qs#ZC0$?gk5PzZ#0%x|!s`+DDBujo z5P!?Y^TdogSB+5)$AzEimj^iJBd;rB&oJ^|AMl+SjkFz<_4=$?s`8lFj;7c;eG@DF zyXbHI_ayqK$GXh=G?@J=v(>$`wnojkrVk)|T;K!!e8pO_k5(1IVmIF6sU=58d*n(l zYCQwcwJ6YQt0~;lsQdoT+r_;cQH5BoYStT*j2L%rpqpdpI=@#1RZu|i`P)KNk3slF z8`{r+@p(>Cf!lR=GydpwX-X?__2nHN#U#8%!J~W50l)dHEe?jjKLfmspb4B)1Ri7+ zBHywnecqUcSj76#nQJuJ^UbcEIjU*7=|tRi8syZ>xo6y<%uPD6h4Nr{{6XeLlhw@^ z)`m#!>#QrL4G|d2%VZNuB}O}zh2bJ*cq_@uZB7QamteHnw&2+5r@!^VEOQ}G!Q957 zd0zE4g2q|oY`SOv#DRpEZ9g0s91lr)`O8*{-o%X){R#Wq}U^9bCU+sHPDe z26l4{dX>Bc?^mvbgnMIdn*0j57phw$?8^CB^?H0>SRS@6_lguuGCuAWlV&RZaxfN0 zyqoWudYGE$Hc$_S{7GzEbKL}KHtH#1{UA>T=*B{2qbeHJ$#}G}v@4*ZV$VUEAi_nv z;`o!xSog6C#PCOyvJ&|k*n<}QP+JYyur6|C3#*v@moNi>al<0Opkb3+*P9y7SYjG< 
zfNn=prC^3AQbBxA;CeKz_+e$lIuh7*6!$Dwv%42ewVY0}j~tyH>Qp0} zCZq-B^}LG>gU+1V--d1_5<3#BK9I@nil)HO$u0HGe`c=J*BWAgXY6jzufQ7?_#j^* zGT`-%w_bs5kICHTpPVVhn%Jz%FvJ`kmhkD%_<3E%x)mLLc3;m8o@;}n_p(920JxAJ zzWWG%#gv7)QL&GEvn1Da5^M+!YC}{{se$y2SolQIqI?^H+26*-L7S!}QNnGDo(V&MDT1-I~5DgbtE?o?F#IowVk!m_L`GvWgO`vg>io{F?sUtvC&Q zRBS9LwzX>=)PX4v3~=p(Y%}SuTP+}@cSlTPMgRQs z9DlF~?4KVN=02{2++@BURx#eGbOAEwSwnAchAwnVCBC zOq3SDg$2LIL)6uA0=t=4X}~NFYTWv%#=$~kG<^Sug^hrbEVz=saO`t+mc4f)!Cw*n zxPkIf$yHj8%PgZxZb(G&-KwkEd1yqAGieMwB-VdA+LyM8`)N4yeOX$p&{kT>H+C-EjK!SD-@w-RqV|9@9;(so_YLWqbQ5d@t3JIB8-bEie04!wU3p*tYofrI>5;SG z!Y90$pf8C3rLxvttY4zI;hk8CUV{7tH$OnPLscJb15d+9w0`?#9PPdpu_~YzFqRnS zS5p-*vJ`}HV>y(c)TnRhyLdC9UV*6vzz7v*hMEBkKLPb?jLB7)uG)|Wy=ZQlAZ$qC z%KlLcgAY~qB@qH^VNQu)?DOaDjYPlo&eaN%-Vfu{5r)pC_~BtOxH~2t$kG{5Y&0dG z@_4D(Xu!MO`M~U%+-bHeoO2aC&puLOCok@)$GE1oOp6%~D!wfBNWWf=nFv?c^gcAx zwG=Io#=J`g_je*%JzQdV1F*`bGsn{E5~EkJQ5V|x!sAO+LibRzU~E48sXDu@;^Gfy ziWjEE`mNef0d|K(4D?veGMqt)q(7vvPoL0fp_#!ACLWeGb{PyOa+$vz%Y1{)CFHI2 z!e87XNO00IfZ@y+6nMA{_P}BJNe`FqhR~5D-XWxv7<|;u)7{-r(O*hOK<{i@vG2$pk6np$eXlHi33B_Z|ZLT z2=Ay$(DFB^-ckKE01Mff2hCDd_k=kHHfrEU;`dT{4L3;J(%jioH%$b)niUL|7Q~fW z`-dUC{aNd9^FiBi|7sMCtlQz-@PuGvH_gaDXdOR4wI9oI()W=Z9BH6LhH~npHr-j% z)Du~GsW^o;F*sWJV`Xl5#`Vrp(=2ZBvOCnmI%6&ji-ai-DS#EhiOx}!kK;^5vx7XC zK*1|s0xXy8bu=4E+zafU(WTDg0}MHhfR{MK*WJ0534yVK|2YHEV8NF}ZSXzg)L&N{ zKkM18yel$5mSE)bX(xjABJzE(j{31fhIpv;$IQr_ zn~m<%I)#&w5N$0j(Eh&I$hXrDk=gfj;2x<#t4BxX5j+oYD2W*HtbO7*SrA|nhjv5r z@x8*oSZ5UjsUQHwcgY8I^8ZTa?<4?tS`&FNkrU)wDhV>u^hTd(K9z(;&D1fAuf7_U zZwp&sWc` zscPk;n!BkcRY0yy%Ej}f!Pb9RfEHC!98v`n_xnLx_P1nqo}@ZZ!&UDt_mx~b*~w`M zU~+Gm(#cj!VW(RuA#<)T6m6Q`&1Z{>rBs0E0faq4B zMBO+h!;AWk;h(nHjY2TwKsK|q{cyWUtl=bl7TT&9wak1YvjU0`rYp^4IiLc(T?8`? 
zzKd~I9?K(5RV)=UbK&8;#l>?GQYg#Uiwr7IDF4Oy9)U|AWRtnhdBUNJsr}=6Fs5Hk07}$^ zCF|&r8rh0Rn;C?MK`q7&YN@Oo?krgSt`3X@$Z=iPO|g2bGx}|u&Lv^(X;QH7ET=RdPKut5Byt)9Xcb*lH*WS66{t3OLUk;Of&Hp>A%)!@)Xm zk%L-q?8Ge>?NPj`YnUQ+&V+J2%?`4wdoeJqs6DjMy_vr?F^1|CJN!#*H=Nv1e(G2n zWlBSbE%q9Nre`9r^YML6bYt-5%5u=+zc{(=>5l~3A<&K~eQ^|cr0vZ_=~0=|M{Y=B z2PK_G6=@4oFsQ!TVJI}kuUvG`LRp^)_=uH!7d#RtabYNdNWgrFApE1)!ntPsiqSy5 zW2gmgu7{x^6aP|SCzuJE1!OZGu58qRRB%PFV3Qky8O5`$_6{wzJd=f3HY!A9L|kk^Cj}#S&ZpF)IHeJXSMpYJ&6kmuC+)pfJ(x-8#O8anP_SLO`&eEDG=S-6 zES@>{(WN5eJCp9(@f1I@sQofND`p@Lu>AA1_K`l89?18sX%oQ-MVUU8)U-pNaWzV# zCxG-Er3driX4&nG2WYm^o}dQgfz}u^7S%8~5j(9pDXt=jw8L?-)Co{JXi}8uZk+U0 zapI^FI-McSIn5M8f{ow{HkoK~y!cV=(4iQT6?+L&*g7Dt2n#+1bKj9bg<5L}TN?m! zOu_JbB>c-VO9BNTcPz5JH*??V?f7uD-<;hO_vdyoL_1L#13$EZ)Amz7Rwdxa{F?CP zC-?54hjo=Dv=JFgS9+B1?#hEMu*}e7XP>||^`CMkNUggBU$F+|`hzLbOUv|B{fzIX-1tg{aBlM_ogm_q4b0j4=<@P1i=AXIQekS z{rAfpL^S~LqoISZJl&w>ho=sRlX8uitNu6=Tc`E#?x#@YJG$&e(d4{WZ|aulj{e#( z5!5UM8PYNa-vgV{(D}r4B(;^CUk z0v;0jNb(ViijU|85elJ`g9|XvG-!^i#0NUl>4L_=u^iHccS7+>Y%+*vJ zIgB4~iCDb>oq`jc;#0zuzoF(+fYCxFQ5@JDLYLbXJf)AeB@fGAFqqqHucq%kD2~YZ zY=kLe{L3^RSe3syeYHYL;m+rtY3|Bjx6?V#JWJ8mV7{EKKFx9Asm^y_)8#}5n(@hv z=ge29D!ERS1t&hmZD&yYc7@Y?X~TKRlCU`_wZtx0h~wu8j!bm|Gc=s&16uI$ z2h-?D2+{H%?G=}TQ=g7f2iCJ2S-vx*42gazCs>B;#$N~{{a5$9SH*=AeSn!9y-;Nl z5uNd+#U1Z*D!&3eMU~xIG=79#J0M`o-?-p|aSZ#6{ikM<3Bgxv&eysu;QoGB6tpOj z#|J56O4%ZvO$s-rQ)bc*)hfn=_-Ar!LkMR2in?E?q%il)L#*8#bNhMR-(%LU2DHiz z>dMjF0w6NvKjwK(`PFqownwxyt0^o!apj-xf8mF^l7O^fTCfoA)+iEAI09F@pUcZb zM>HO$(hRy4PJ49jH+&O(U_UKRgq3NPqH*>>f)E_^C^XaRXRlO&*QmbOu&QO#a<<;i z8M*;dy-=jb|Jq4CP$PMUuM~?X&xMsM6I2%O(tZ2Y71b*$w)=nhmTyh_owpce+bHgt zq;~qzdu+78O5Nc_OP7iwO@3ggnx{53{$p)k^f{a4&HYwwPqRI*Y+KE4MGc2n)~&7j z3>LV^Op@l4< zjSWM`M+J?uv3zzmAg3vDU1m8S;=)ukt|!G#pEfB}TaJGX)hGOy%>HK8*Jp`{;(xOa z>P6lY*cw;Jd|Dq=Jb5l#(`$90Yzn#t(d{d!6*}1+D=b}9=hAhcgdJuct>%wX7dU~B zec^L+=K6)u)Num~jkt9VO}8}9?nG6YHCsulHbp)yeBmo_P494n(O#sX7OWD)VQB<^ zCer|2gX`-~&+PI-5w3ss{;t5X(ye_EJeYZY-`Y4l_rtmw`N;+pT2JNxJIAHQp@eD$ 
ziwVh%yF}i`v+Yr7Ro-HnDZSUe(Q)s__FW)ZmU<{ zyDbFm?rMq76HXgG>8gK4#}WduD(J*;&V@PVP!LU(@f#vi~?jTO-p?tOXg*G{w$A(TNuAZZpZw11=l=KTrSG zm_~>Ov!N5)*cawz*v}V22F`zTaQ_}R)!KJ?GqwSl7yw(m&J;nbJB+_|%YPV5B^}Xa zH1QOT%eT%NUq;yDMcbjvTTYDVbwR7kl!~P>d}YB?PYHmhvSYVm&3+&5OnWnq%5Mph zBs@FcELtFw|93(8e39g_M}yq(^zpAX|tt6!11KHt(dg6On}QR;P&s7E&BZ5*Gn&S9<{nxg*PdRSoaPN0F8DN2)?Ud4TEhl~jfwU1i*}~Ykh3_%&h*lry4aDTjqORJE5O)&C zK>YUK^S=$tWp=_r`;f#m#)Y{!D}4fg6j(3X%nVt-u`STvantbzR=F*tXZMe*FZXF# z8pvdL7Lo6~n6soM!EW($_#Zx0lDrrkpS~Mg+7<@#Icx58w{u{T7&A4ex z6LJI1-^vBtG&1%Ld`M*Q{~H-`K!V3oB+r+ZQo6`=&h0v$lXNSv_Mp_6A;uN~R)+W5 z3cZ&2?c6lpaqsm5)@1|?`^EV%8stlO@;_2H$b-G$i*t%iJcN84_yr#S&%dS!8*)iM zVt$h+qeusP05XM|6dQ}+b;X_Zn08u81z?ds^DsuCDrpi2P4wHpNr;;R+;6m5;%w=$ zIonEN-%&yNX};xr=~s7!BcHQR<#H|3orK43Kq)maWcucOyc`?iZQ!N@95X78V39#B zqi1u?Z;c)c2O;mI1{d7%KG%4LKeK0f2fFbAM>1+78^$$9BAq#$?l*>%Hu5D^gem+N zgcMPK8$+&U7}g<)edOQ@kFtO18brbf`=#WI#~3J9WW$A6P`=SliC5pb^6ovL9_vI2 zP?*UDY1GP#W+Mkjf+r@{k`+$$#{zrTwlW(jW!jy;w3|QGbT}l$34Qd1|5?c7H;{@Z zbo_zGZNUXWUdfp)#|s6q&8ZPkiP^m%LoPTEe)_*jEnXNQ1nPdNlET6zr_SynnJqjN zf1qWvjYv>`;F1Y~+?Uu)w0EK#@fxU*CVGFxWk{Qg0Jb7OwrTydQ+=D zY@BU(Pc>!4aln>#>o|5x^~Tzcg2%?=p19>>5B&B@EjSg@1x`_RrQok%z@O>f7d-~K zRJL->mKPkm)oML*&wV!nInCF%hsm}-7>z1?$ewF zs((F85dqk0Z?x6$BlodT{M^w~Skj`~w18`xuc3y5(epzs%!e*I*Dhd-9v zPBP+%RwQp3LA9eHrAnbVpt=^xzLm?LQ&jnP&0m3YBoKQIP8=fvZ|9Mjzb-QMqngb7 zX)vlr!M7pQo&{Yd18sn(MA{gO2YoOAopE3$=4Y0vr^3}Q1<7tp!!WdAc(O<+Fx{V= zi*T;BOHkxCCQa7&gfLSE({rh6xLcuq>iyF9hf^W^*Ix}VQ_lK~5oyNvxProQU<^3z zOYJ=X(5VvC>yUYjWRX+Y%cJ8~^hRVMgSFEztC6gtH?+AQd6r6z?26)-ljzvipTpf} z%IiAYwwG7HH1h72)2CP9sf{omeMw2Cs8QM%K_v5s`Y+S{GM^C#`T5vMcq@5iFxO5_ zt^ad-+DcXHVE&q8>AUeJY8ArHA7A#$2C7iAcC-l>3ld)^avYB5{1{Rj&Si>5H_vK+ z*L&4Bol^4jeEd?yU1LG(DJtlWckBblg*dP*)4dEzj2?nkL=d`VPSMnkls+07FiXpM zTvKDP=Xrj>=GqmF+rY1l+CpJlYNRP8Fq=mSsfxXPUd{)1!v1d8i6Xd(o#;VL;q_=& zxDKzAV;Be}P!V&Y!?)G?Q6ng|Gxm`lKJ6el=g%~(n#;TEqV0Tsvgx4W@Fc}`-q6GH zUcuq)(81i_itG&UPv$+o%VcN)B#XaC&sOoQgf}RL&sM>gC$5}l-k)2b5F+)Hm_;x5 
zW6qKM*<7eL2(&1@xl{l+$??v<$mOCJ|N1zQH;F)&XBgNN5TE~n)#_T_U8S99S_c;f z@Y`BATmw~OQcyWr6bVj_o&GZK=jq=MGttBVnYc3?s=D`ojR8;~*HNz@5x|yjX z51uLYGUW}GhdL=AK*r6rO3iF-q?p4_Ef6P){=vIJ$n8YR?eQKkWW(b1*y=y$$2CNR zjFXA|JwIm~*!g&P7O)DvEk4H_BO$z@QG=R$tNHa%g*tr;;mQ!$(^~2j3gA~L$H`i+ z%&be?)96fI`raw(WNKi)=v3cr(F*!ylWp@8E-TLnJzny-HUc2=iMTwKl;%(`i@#?0 z|CRO?P*ru^+K3{8l+qz3-6b885{K^Y?rxA4kdkiclF)0C?*AP0RbRgE-ZAd@ zb+~bI)?8=Kxt{r~x%OUr?{wr`DyuCEl&KV*V)JQ_3?rLvLe!8XBz716_XJQPuSgT? z@Y^MXPAjwO@Bu1cO12lD4VYH6ph*dwkhdaDgJn4+Bk9)mx0AM{S2rohSY_s12C2-C zLWS7r9^V6=xZBHWifHoEEP|<`H$h zh)~8G8xh&)dd(DEy@Fl}9+(HsaiF+EhCmgdI=c&1~HX|pi0+nl50VX4`43iCsuVKRjNdUlcw%Ek~0gZ8pSo0 z{XueCEG_2~Aw`|i9S}}&C}XVL4_WH+zNBYeTspE^&YFe)c<}*y$YtWDf03*}OE6&BEfCIypNIRG~JL2@H z&nXK^Hu#m^UP?AY$F7bMTczj)TVc*q9teC}Y3W!mB-7PAZM+3d#)ElB*O9T8J$}R- zgopa$zBD0+)4}>UN9`R}RMsNJCrk{7^^{4v7}aaoH_mTVwaE*_X|koH||g2&P+vJ8JXM6&(cPs`ahu8Wf+q~8TIVVv!c`}Mnxh*sxLE(pvp!R4Kt4Hiz3W!CFV^&mvjsd;twAcm2G z%uLc=3%R0l%U9rtRy&&=B@Zhps~I}KNik)g@jWBkZ$~~U8c_;RGKoH?v8-cNug5-l ziNuhJr#-4pcS`p$LYBI@y(|wgA;Z(MW3W_Av1@5SIA+&^yhyvh+;w2zCjt2C|NC$kx-W1X#syYCPjQ&Uov`F?mdpY4Tg0EQmA3vHKb9V&T=R?O(&-3@ItTfucJw zIYy$wmpUxetxjvO| zaprZ|a#sa5&481icAx{AJ?IILHy@t~S!SkH$m z{-6s~{v1f4%VQ3X%G!WKoFg_ZYK_|J>F3*KfD(Z(#Y($F!q81u#1#&EZF31cBrLg; zjg{z8)$N}IK-ANgZdH+KZ||gbEwUJOx1@`XSp>_RTYIR+(7AQfzz)@%hYg;;c8U@Lu8)N@uTa)bys!QmsD;cWbks z(4l1Iv{Mm^YmrCNX8HM3z;JRK`haHX1SV*g5}1`fo%L9QOxiwrZY5i2Kragi_92T? 
z`jv@qZyHl=LAcS7+xH*gq-Z-GIYo#tMuS4bw?DpIWhUIk@A6g8=iYNBnx2T_yw&A} zd8hb1yVH8zKb$bPnM}9GVaGvKX;6Yyil_paS?&Ea0Phj^vl`s5UTDm9XP?B($_^ zslKn^C~s7#ps%(~UTRZy#dY!9uDBQ1v+hVGQrv&Ka(6O$VJ!g)gc<}xrHlFmpg)z4 zBP2IV0c-7mqL+t!Fg&}=kQNdm133x=gk2K2uB#rbh@2b!__Ix`<~T>iz0uJdyU_eE zlsfFvssP!%xh~V7%lo0wC%iXW2BTNHMTV8%a^$bS#oq+x?q?Xs#6hP}``R%H@llf)i z9M=Nl(*`2Nr)7I~hUkReH9*1t;n(%OyallKwLRm}v`g79a#BO6# zOpdjui*#3At94Cr5>u>S5qKAX%5+kqCM^`GC%|)V7v3;Xr#3Q-bQ9$pLfJzUE9U=( zDN@*zo6=%(nY@#skdx*VgOY1^OC~^^$(Pm~^!3dcQWKp0-Wqaf`mFR-MliLc+=Az*8 zB+tF^=6t?J$6Qn?$SUenkXi*C*#I|bx~}PGtk^y1vV0C?MxZIIo1VSXQ7mpN3-CvX zwd2ZSxBTO&7=Tn>=tVjIf1n)Ha!(qpVr>&G+SY*)gq>k=EQs z3?puj>Gd6%jt=;AajGi8OpTza)A<-|R8L7C5`q|x)2lr1+k~vWPaj>w^+{;I0D96H zRUf;q_ID`ZZZ%I+t$K4YtQtUHe5d@Xs#15a%U^JDut!<~hUt5! z1gGje_U?*8VF%k3sTjHqwcb_oO>Jz_Cz47l@nNKXR@=t1Z0toNJ8ud-;B_nc9-G2% zNZaj8PC@TEs%H1>C+6eq!o%!jCC^o_-hGTE8{YTaKFeW12IYUh`;(1wb-+4|P_2%& zP$~Wn8RyEjlQ}|F@pk8=UqMF#hycB*I?7!-jyakMfV(#f31eSiMf)?XRG6|2S#7-f zrrFFpt}O;F3`BU98xpauyPjB=#GSrv{pQe|TrUw9rJ+m2fPgq$bOsij()Rg#Q_Fgz z15I^BQ|sHf0p2lF<;J-B;FHEcx<=Xg+oQJHdtNgw$Ja{(XZ3IS{@G`+yAz{p8 zm0vKD4q2++>F=>d@4C;=WK@|7v67w%^n<=C8z6G^Ga;(plFdG)f;laJsauyhSzsbw zi;qmSfXMW6ShZ(wtJ&ye8}1qOruK8(KAyDsIzdFk?ifv(T@%KotCI z@9e^m@~DS=(6!TsDe-qE`)k-pxrThp z1Pf5-+SF&QtxVM;bB0;eYfzbUv+twRN6PoP25`vkvXMuzqR@|vMAWDRhCWoIHW zj?LT`4)O|1JmG*i=iv^XSOjVH3XdycDW>xDJf?nF*Y;V75}Ffm#%MPUNX^%*R2xXz zTQ7xwE}B~;N1{!^;$etf)@_#Mro;3T-Xi6& zAVcb(CFp=;AIVfVt;Gj%wl0ek`Zu}(hNHXaba{Lf@nb8Q6KlD6q{6b}gs1GGM*MlX z`Tg)&^2{cAa8HGf^mx7Yjs)*n(8hrzip!ReGk^kPIw*u{vA9+=x1Ou)y23S)U_+x1 zDu`1QbVIBCF&!ulheHnuL=_hNy$P-7BNemH&(nqnnPW{n{R2Q4LHJ(br!2wmK;=dTS@Rh9oSna3-}xijAW1$!$m|A(xo?C79>)9!LX5z-n=yIk?%EPE?u{oXBBk+xP1h^wD>1Il1+) z1u5v7r;HR12EaD&L8}B{xoD5|R7k5RWzpa?VLblLJ85W#eIaQUCMUIp!qdGlU9}#y z4N4813aN2k-;DNkrd~$5L|NPN%M8{o=mu#He^Gj!i!^{vLRMRJ?&SqJ>>M*%9W4Yj zBxgd-0xW1wLoG_EalC@mKG6#;TclBV3aU+#qERz}cdTY2me3Tq@t`<+^z*TwyN0#1 
zN7!V#KzhCVHC(Mh;Ko=_SAg5B7B@;^^?5|g($0a#9NTuXVEouehvDAD8(ozi82=^z`RcGlF|CA$eC1kxELrw9-`Bm@zGEPv4eAK;<(nub&vdiU#PsPbpShIBDnn$tx+U z?-3%z&5`=Fs4YToh}Q2^P6KN7cZRr;9oPN$<&+6%K!6Gb2UDa^O8{_5 z0MMa#yexSYU#_{!KXL|~#^vvpwFP7W7;|%5i~LCyOsaB+{$5 zhLa*B7c{oBHhqX|1nfF9(2>Xa6M8wi+jUS;ZOfq*I06#CYTYwTpRdf}2*5p(`qTXq zeZYHUK3v{#HbT-CYXzV=TaXolgH8hJpK4V0E)7$CpMVBcJ1zDOan&B=ieCswmo*bg zXi%&(&wW0rQfVs>846>4{`UT1#pO%2l2(Mw38f6&kYDgpbhR!&yjhaLo{NJEjq=;E zqI~I=SiGzWw(awNEY8&!Wmk6y<0MHMmb6+YC0+qM9Fw=I)2U*>xixT&Z?*E=U0mXSON?e!(&i@Zp9Bt^o5bm z!;5xK=__PGWv}GZuIzoytGmi4e#-RCRaRnG#&0G!ONd%B*UNZ}4(Ua5W@2D5`mnC% zx)_As17s5VG7|lT&`Btrp$d3jvs+XNDr`(JE?2yb4Q)uc3#x7HLjeMYO7Jev?xN2`j?xGr<>9JHY2nomIc4nq3E$6!pN zhC+%>k!fiT;eI(&#d&?!Cm*T5^(;Q&_(~6?2QiqX2YRp$2DiK*K7V37z>BaD$l!r!Sj$?OSV=q=|;Dl}S1c z_F&mO#shG@>Vi+p14md;7?Cj{|KyW45>6}eA#G+_zg7}N(XokPKbkIQ>Y9Yp> z%uI71ajY|PAAzNtzBNmfKWSIi(z?)pOl3e3x3&~DCUBGW^qcCp52fB ze1!(gV!TpcEQ#;W@~nMIDx zTvaT~o+q5W77zkxq8S))B9nNeP_lMzWKVGtM;Y188Zo+21(vg(M2#X(x)yVq5J=Ao z$%gHo7OI-qZl&8=Ucdi9e;r_lsVDLkc)h~r4SS?noTXoe9a^p&F1*5maZ8>WbdqDm z_F&x_aQ>O5Q3ijQe;5NO7m1X#X!-%leK0Wz3UE5t4cO?t6lAMJ<3c~Cfg3(6X(+VV z@$$1WTks!B;KrmaqSgYtURbTz+{}pgg`^8;uRyWTaF$>#z|O3YRKW<;=Y(uaVQiFRzz5?_i&5r^888UT)XhO?va7ET(dn=)yk;J3W?aZ zx6zF2$pbb~bLL(-dMDT?Ei~xhz*%N7fb6jPpnA)0lW!(CZG6bTx+IC%CB&~;MIvEh zI^5H*pjGDu=xmkcED4=={0l#N75#Qz83RQH#891Mp$BPTp9*}Vsuktwi$a7 zdOZ=&iNq<%n(a_W#<*6W^i<;Cs7RZjWFGHE0G-r-Jl77)`pW)OGQZ8RgHY7=I%=^j+EAya{nwh1n~ z%^Q^K?wRT-qM_Oo1R`?_a1(4+!`FHgP|~KO6Z)Fho0rfTzvtgzcoPf`i0}4ED%e z$W1~DLGZxKI~5(vmhkFy)Ka*Y*fp=haUYgIL1}^rxS=*q09h`7a=Ib*M`)&evdai#z5}s{kztqV-qmcnYG(} zx^|yJ)I*&oh+=4^G8Xga;D(3ZeORD6jR7X|fr!(BJcU&dO)Y%~VfYhF8F*Q;l7>d- zlsNY+D~4BHZ^z;GKT>E>5lMbNe?DbI=Kl~@2q()`?oo@}!~$}rvQCe{OGMC|veX88 z4A-2)fUS0WHF3-WcYDcuL9SE65EhR41+BYhzg8<*k~jXwTBLnN;VGX=cXdeCixZ#Q z%9v)v+f%!-P7B7+(9R(nr0015tOlaOXcR&IG&_-=eZdveimJ|KT=G9rh!K`$=}n|K zdCIkdOPn0o`TAFV6DANwSnwpBxkJzwzmM@tN9yD@Vb(jP1r9EDQ z*8F!APc;>ufr#HAY8{H}Kx(Zw!)U_MX-zr($;&wYX}cY7C{tXRz+Y1_34dNi-z}WVnH)R;#m^=AP4{s0s$`z)Bc=$UNrx<=+t(G 
zW=6y`Lm@pTgMgGfiXY^&lIzejc!3W9j~Kn`OmG6w34YZk{>=)loS8ru*w5ZM2%ynu zTlWh-SmHC!dsX|nU$+Mwy+0CoNkeoN_Y`p;y;bHPj0>h^BiOSdYmqIPyhZPF{06PK zUfH`R;S>m?x)c~>LXI!#nun;LQy3_{_-PJ31;)3PKrgvtE@XFx@IuV7U1aB6D|R^ zHVe|;^+k>t$HB{T^tRc&lkZe-8_%5)HnX#GmLC`fKA?-`^Eu+>P<((Th}utxFOR6V z0^2&uuSjDArR%*Y4CI{9PB#edCi0S=oF2UC_FuP-c5I-dsFWe5T=Ar50$|ODH2^rA z7G_(sA%BrlUYZ2Zx-Fn}CWRPXmxh-Oym)FMfcjI84F0+^@K`|;k+H98*-SC%fTnivdgOf@?| zel^S-f_oUiCWcYDjW=AQ*E-aSq!pDXaS>D~T})^;2UuR_I}=cA+&wJ-g^#yjh-n$iQA?hl*r{|n( zA;=5G?w_=rZDCI7qq)#P9LZ%e9NqD{lI#|1%}KbO4@OnpMf|NK<-2SYI&T zn*S7Z;Rw~h2hV<4W+UD&h2 z4x(pNtv24YBg87tFJGi})1WPiLcHy>Mt_bED$zc#K?J|e=;zxa{Op|5%F`i9WsRs# zP`rXg;f005ZUbrsx@6of@Z?pJrGAut%}$S%VRY=V3{R08w4e55Cf1?ctfsymBW} z)r^uZ^KBSL*?8Lbm3W3PwIaYl8Ne;V^iqneCx-HAvgQ0s1%qSn>Mg-}QFc-ui9tkRi-?NvU&DSkw)bD&g@J2OEVLzr2E3@6ZM*)DHQ{D! zW7?!#N%T)|{0pFt>scMt3qJ$kPb=)3+|X)ie6AvHaji7VaP%na)=N=bsVSqTSIpja z!G~-$*j39mYP#5W7?NwDffCfS70-is2zS8*Td;mja$mZA`QxP-MLurn`byjPv-XH?6W zB!e(XLQVS+Y?PYTCUVr=$?Mbjg-!rY zFLp!Q5Zlko|DEP^Myx|0tkvhWH!(z*6rB7sVy^gnQlT{_vcWcJI`Qp$OML0;GhpBD$Hoa+~WV)ADD2k05-fZ#7W6{L(4ylrUVg z1Q6Uw@58eNxDXwKsLyk3M~Zzd9W|2B$!#7^wGmVq4e;%xV8`0`!>; z)H(p*PbyO5OmxfrX5RYG$Nv$tt&5~bR&)Hz>i+-T>c<}^m0W-R%k1?>W&@l5W%gfo zJ(vw_{b06H-^$nE{p#f~m~dSyKoTjElzz*bMq*G%1%Y1u*N;I?{sTCPj&oqkzo7Kc z*&hrzKf(a0^}`t3_vzf6ga*&MmUAK!{ezMQcErqK9`z)s2P6W=($D5*FK-i2v>f{z z@;etmPy>JQ6U}&U8n2C55qBJZ0X4nv8CwG|F?Jk&WrSeIenTAamr1|T-W*H~YL)a0 zX+wv#g_-ot!TP^5rfB(P4(Jy@@$&y|LP<7Chp_%{NKpnystE!QeV|OzJ1kJb!c6!L z<#J|52Rz_``5}qgu8k}yOnygaWJzJd2XuJATkXZh=6c(Qnf~9=_iqamdkH-JjDFjP z(Ipk&g6JQ=+p2><0Og+vwzO?&sCJ-mQDb zBmRbBG4qfiUNQ5ZNFY9n1W^9t4e=vy{ynb$p(^~HKJ#HJ0S)Y9U6A}c5@L@A79{_6 zC&A+1?#zTMCB!2>B=(Z5_5Vo~)YUHt%lEP@uJQea{s;L1{57=~Wk!9Ze*s3zGJTi_ zc=+v2)}u&(ED?6UsYLvUHzhg!Z_=$ztRdAd64`t=h)aEDvl=5{{@)uOM+QGz{BrI^gS9^ zko?CR%YU2n?{WPPRgzc#lpP><9_fPQKap7ecO+PV@*j8FAGsqAWCO8uP-PVe#Kiwe z71-6!*_T4?-TLRh(h3-Pko>?tn|n*gxh(5{0p<~f1HE~aups%5H$dwA8>WxO^|7in ze$uZ(5#-JzU6A}I5EZC=x*Vk2lSay!qF-{)g&UKK6fR 
zI-om`b%FAqNO(Sq1W^9t4#XpOIC9#684D^~K$!SHsRFzD!^1ECN-I$0f$~rGsSUK3 zwYK};(6sYc3_c1)c%_DDuUmyOeK0!kl{O>^Mcl;G4knlH{O8?F| zknlf4`2S=t+dpvt%_%_PUzG&V{C}`?oy+3<*Qfu%OlN;Z5EKVs<3H^Fw!5=l4=^@i{!X`-gfB z5o}EKj#t%i6^-LeY3bFmlD713>td-hs$(r}>9v9XTV3vDuXb!yG26LZySc1fuZ%y< z>mJo}bhW9kLo>6mJaQ_#yoR+uUeR{gOHs2py>3(p&D~?(?&&f7tW=}g4GCg{E%;kEV zdcACPyw24yeRCO)dVB8%Jd-)kdFhaMUVBh(!4mHx9pzq?zjawk{o zburj;L)Y>;&iQ;l{ft#E^M3hc{TTW4ql?kqttG2+r3Q|>whros-V6PP-qbrr%X*fp z@uRDwr6cmj;gye&C-dy7oBb}ylZhWrR@&rUy(arzyspp}nN=yde(WFE%J({0X>r{N zb|*J_P28R)A!-(%P74?pA50wG;yapX;ottch3{icM0iUvrMuS2s!&q@06~e zFv!cb{Mju{KLK@k(;rhUtN~5!W6dH&Hjdk^*|o9#(X6Zbr!)9VR-2O(Np-)54Y8Sy z#@UxRltQz<8MlX3A6;#>x zj7R0q-BxCKxsH;8?=`V6|dFJ#RiH zUpo(Lf49Hgt9RRamv-KLT-m+7`=J$ax6P@Z6o>uNq19d0%&aijm$-Y?uXhiVldVBX z-MpZm8u-MBjmrU8_xhWDt8?L-+XLBqMR@g!68Y#>`t7RZv*WhCc{ua=wQEb)+mKo3 znf`m6f4@GF0pD!h>lqlB1w7dQ^!h|P&})E$eBT^4WqazJ`mGWRq%n@C% zZOKQ^Eks4nrZ7ORCx%Hb`&b5e9IHh0vRIxi3TlME!Gyi5JK2{XNNxk*&j-VIHy1+l zVf4W*B;@(IN2lLeRAck)8jRCwU$#^QJ4{d;!ij4ni9FMwpHsptwN`U8M~TgDxQuPsV)nuwLvJ)k8Z-F9edW+i2T{(nA>KUTU;%1FurfKSFuce z+;iT2UoNKR>sLSPTuqA0d5U*|+}?NTp@RYOu`2T|cFG+3G+`>W>LmrlmCCPTy%?qC z_BnFO!rI2Zzy>=mqjlIZ;X@#Ly{MP9`3!h3~If8pi#-d7j)WJl1Ed#!VB zq*vJti6nALEZ6xn?zT_O3AC|ZWZJbeV)MeQ&j_0e$WPw)d?)D@NKO<;#`Ah>mM$KV zI2B?CcD6jO&YE~kE|i~7A2l$duj}$20ar>QJw4#H(SJc9Kf8 zfIW=fmsb-K6wZQ6{^B!uX*XHo%_)<(a4*WIUzB5hy{}CeyxFrl*G3;;N0o?R47o>}lDKg` zr0{PH$robt4Bux!3bL9CvcfhMl1@8xcjhdwhYSeGB4=pby?(8inJ6<1z_|@-;!HzP)+(Mb5cxLXS2Y@?vR~|gV-;8+g_D!ADdPBX zWG;AQdyYFeEu~RYRW2y0%F;16Q1H*I3RcMAk$ocs>-gkDVg-nM|4hAya z@(k;LgoH@qNp@%!V^1tjR+Kw5Ygj*Bjv^&JH2YSZ&?pC>*Y;;XmfF*%TY0AHI84t_ z&j1<2ZXCm&2fr`(smoy{ZJWZuzKsvD$<@am<2j-1LW?tIi%S$5C5yocdXKD{s}JO;^9-AF{aM zv>xY+?D=UU9F$393a?bws7lb8bT+_EHZw&1jq|Sw} zF+M#pPSAcm{PK8v`~wvRSwadu$Hy8ryXvj$ToulxbU*ZIshhf%7{mBbfk{Di+Nc{d zv`H5qUao5-V&Izj=rxQN1d?Che7Y%^d=b$jm8x`&m!d3d-WlfzSeDUFfLpsNA-hh&I5|pP zh?|BMLdq%`lb{*@80$AMmKzafAY@s4AQ(I&JzOV6W-}?6dFrMb zw@cJ?RbSv*0W;!qsv8TrTeQu&yqXEU3L7yL^8H 
zk0V#g3~QkTMF^)}egEhX#QQpC-IfmZJ;sBGgxW?dbs zE_QjF-Nq4dwFBSC<|zu+-t${hHN+;jmpl1lrL~sltjKL{A4umoo`$^271gqP8LrS< zH(cOYse0^%(o?%jg-cl|uC_faJ8Tet{G6F1X+Hbfny0m5O)H=tQ`+Q52Ag;B#!e|p zKKD6EASR-}eiFhF<522qDBJA(TN{G#kRcQ8G>dJa6g&M@TmLjHR#oClGh>-B&)L0Q zYlYPF8mM}jh<(c}6$`o}#Nese-ada(#XNuQ?XWw3_Q3S=H;X2sByT0lxm@xN*BP5h z2?r~4!?%U!xHG6{vWyTF%+>QFk!KHSCPso|uWItM`(`o3s&bcGjtoZlUa+VYuAiDt z^Jb1ub6k+s$jQh_&T>2t-^h|W7^k2@9Uhaw4)zRoqp`=nJ+rPk2Hx3=`exR-ONN7e z%Ke$+#o?e(yB)T;s;2(E(CTS>=5Qx0yNTcA+p~}f_p*t5y6|o7)BDXU(VMk%*`8#{ zI%n}8)@)5L-9;xwNU=6YPv@C&w+G0SU6Jkc9P_rWs1FNx?!LsXbT=PWG7ve2!DmnX zpgRs3aUho}eDeffLImnb7=ot)F06#eriTK~AT|7%2o$&PoMsrLv13ux5F1I{59&`4 z28WiP!J=Q4n2tlV#y6r?e$WPQAFyqM*FexAv3XD7VQ032`T8rKY4FPPiS8i7r!_O7 zsb9Nc!%*>YeR&}9aG$)VNO@`p9V6-a>?5HR>_Ca>U_UOeMGVs?1aN+QA&(tfRT7DU z3-DVAIQ(gW7YI;z?^`Rl!_bOg@k4!a!2?WASu+mxIOqdx`?BwLwQnA=V&#YJfF>Xt zqJV>ey#)SLx6(DSrltZN6TgUw*8tXD$duXK7Cl>{+ac_lrl_o7e(u>^p&h$f%#3dHy@7!d) zJIL%gKE(}9{lITQaT1me2(*hR1vNI%Zd)+%$D-?%>>$VTG0Y)qud@E;oIhaxgB zx`g;Q{iDi2TBSb$10#M41_mr$!5mDeL9hMRGB-DVC|AFj8&A_9v^NG2gS(cq9#+`F z7HgK7zdr1W=MNCz-A?z!R-k}MXUfz(|eq~O1r>3<$`TiOw${fpL zkr2%A-B*SWtpTGGlhn~Na!v3Bc={o)Z_i>hgp~4^^t=Wx8&OjMNrT${(3^z%w`xyB z7%)aIpz-ysqZ|xtowpB0F_yMctmJYMD1E;_$I?6{xqm*9S({L=uJh!= zimF!4R5G+j(T@J!AprRJCjyA?S=$bw4wr0k(WUT`V;k(JK39y6{1-4OYhRU0)Foe4 zv56h@PF8T2Zr4JYr6aOAiFdrCt#_?_om&>s98(dg}Iz;xKicMa?Y1c1!@ZmLm?+XkZ=0n}r zQ`Z~so^-0Hx~dZW-KL_+Dc>f;O2Ozh75ry`mK@cc>Z3XthbTc(O&uj*T8o}nK`MY;d#MUl(jYLYI zS$f`q=#Oh`z!zepw!}BtyIB5%8y-@VbhT_?k(3zx9=6OqOy#Enhghyp#UksC5SD1_ zJm%?jqIP0aW3cXc%4}yNFN#*X7n;u?zunHIpi>k;wtGh~f zav>Ag!=ae~zN0_o%j^?|$-qGl4x)Az?34*LwMo_AMayK(3xz|GP+MbOrW+|IO@UtR zvkd$m^Im=eEVR^$AW=1p2%GNnd~N6R=W&4nFth0hVbUTNwR5yl4QwHRXZ}5ryh#MH z&PPxw;&q-|l}qf4=b=-0h%&8ou0873oQLy9I)}*ub36w3S1spxHd7bjPu{Upks z1RUup5-@fzz&0$VWgxjlwLE}QG4LM(@ZUdwJ_4f*2Bu@KEn#JDVNI=RVF3#6W9_MR z-79ENOCa`M{i6!}`SD5N-`d*dR=WR9y%`mu;mdO{uy)*^!}(7SAD?UhI|VY6je)MI z?$0Cbf9oJUjyDp@5)5pb=IO&C{C5W)c`trbo3(+iu8lSI!;k;k%j2c|pI){c|7$M~ 
z3;V~hcwATi?&V3E+e0sZs_e(Ak0+l$s?}cqnu;DPJ|^=&imBeeE&qqwA1gm5jz7xQ pz7NX(1C2cH=W$a0=||n~zow{!2n2A@!N8z_f4zaoDf|SI{vSux^1%QA 
diff --git a/spreadsheet/macrofree/security_checklist.zh-Hant.xlsx b/spreadsheet/macrofree/security_checklist.zh-Hant.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..116c8c2c55db52fd7d26165748b2dc462894f1b6 GIT binary patch literal 35587 zcmZ6x1yEg06D^7acZWc5cXxMpcXxNU;O=h0o!}0^-7Uz0;O-6q-pQBzukO87`>>0e zshZi{tGidP8ATcJPv{^ZAkZMvrav|NgNF)}f&YyGf5^a}se_54vxB1xgOQ^ny{Db6 zT-*dK7!$l$K*{8$x$iIGlfZJBxzyMCWbV)wD!Y)ENB2(zo!LH|Qj26tgM*ljl$)Vl zcH#$ZprhWRTNYYQ<%5bhd@D?VpqTp4NW}#B-~)wrD}kX*@SKx79!3ildNI={d32!{ zrf!9@VMFznuEq-d>dr2df;p$DPqgxVz0A)VvR>mdT1}qQ6QT1PcqvK2Y49nJZM_w#vY|WRT zn)CaWx^|b8b+*Xdy!T6e^LJTnsJdxQ$8S*iXG;ZqXzsZe!r$SE7~BimW=w=7TugFy zi1-1RTJ$|nn8-tI!mwcJypFD)%-xAfS(Kw7ta<^Apv8iWfnZ;FiMfOhZ9&R@PX&!> zCHZVIR5;{TE-+AkQ&;-iv zpkg9oE+3D1G2r8OmNk9LNP&cC zhPeJ@dE(g~^g27;|F-?Y6L2oo$?tv({(l>;4-2^`2@(Wkm=FX64QMz|TLxE4Gdr`t zf0_Q6?p$liVVxbl7wP8*;n9V33t7M?H&~sP*Hl)aUH7BJG^=PPvd^TcgOsrF=T_;U z;2lQkpq=N8@HF4SXxvu`&T887cULbI%(BMU(bY5NgeqC&mwUT$GfMA9uX zf>TlGq>=ezi|@c@|ANj#z(Gn3p(oG+kBbv>kgQ3v)2K#H9Aza&4_@ouPI&rxL`FSz z9(scqS|=H0`lIak4+V=!>EfS#Z5h8KDy}Fw;*jk!7-s^%JYGezB1DCRKp`y13zRnd zEos9lWs+nko|fjfZ|E8_(w8{E%lJ`&Jo8sKmCtF> zc}?SGgHC0A2Ao@W>Z)GhyzL|SF37#3`+9|XuwMacTN{iZS#3ISJzLcrn$_MeU=3D( zXq=m`S5QBpqbs7ua?G~qQ29hJ(G!V?J6LYJtsJY%xIDp{nHAcQ6O46f!p#xw>VXtb zizSJM<;Y(lKL_3-lljTVd|`$qydtMG1`9h+0yIxt<^JZfqPeGB>!&2)!@U_AR_q@^ z=BGegWpoHqX94$m-WfXHJuHh45b(R%ySuKtZRgmxFR)BW^?6(1`1pNQa{cHa(BuD7 zgU`_Lq|xhpe-baSRjg0l)Z_DT^4yrd74Wt)qri4WF7Za&B_T{3!}IjBZ9-VHz#MGj z@G$uZB7zc?5~LXNXJQao7mJu`xQ)?L$Rn32?3XKV-*QJjXiwTmNKYPUj9>I7O+#(& zT&>CN4HJ*Siy7{PIV7R|Gf$v{t1#BjHaWCoP8M6Q6Qe@xg39H|N~3V< ziZlxqC$K|Vqc?<@XA^ldoDG=T5`G<{lujPOe@Eud{2m-5vZB6@`@#%ObBWNl;@!H)0zAV>I}LV(T-QvWz15-@eispxe}j60-B1HE7OG& zsk2DrT&Yw4z?AROFTwyxg^ zS7=tJ;#Ow6??c+uY{E$0E$>*=oH+@|uio~-=0!8O-6)TH2PKEUBBim}p-a4C%O_1# z9yC-w3#hYs`8+qIwO5Rt}^MpEgvFSEWqJRiskbNGtan6DilQh6-zq zlxTV)LsPF|@#G<;H^V!pV^BhHL+%K#7i9gn0dSA5c}z=Y>8uk~JXi--p`zp)s;HTa 
z@V~A!33?0-R!+S&(wkT-n~}C{Y*;vECC_n2z8{X$mtW5n8zFAzlUs(N%~B-Eh8|H` zXY}OYzUVPegutze6KC|zOElhxiyGT2q6$}A00fILT8%5L13LCj9?C4ZYye}PoP#}+ zI9hJotFn;~$3DTyh|xiJLX4d3FRTY1DA?mQm}uaL5eYIjh|n{i9>=3>j;(tzQYX@u zFvVO^3!WpB1x!iI`ETieh7{#RvlNQ-Y?!v$HCD;GcTw)pQ(@EANb@!o+{axos2iNI#o@*gd;!O zm8+Xj51sA*gh|=j+~IdlgPETbbLUDFpOhN#wd|A|p=sCet8LE>R&hTQp0Z1WlUt#~ z;<2BzZ{jO0)pvJ?UpHkArWBa(Q|-Ab7!k3D&J{p1O%fzZqcXV_&oBXZl%!>Zes2U)g*G2DR7>4JQWA zH-jpyO8JUK*UBmF5i9~`^|6vPwj6ktn@#31OZu;00+VTTf#gXoNZhz z&CFa~82)?xSH~8+?OfJ5v)*6TbXo2da$PEC$w84xTRhxp>?{gR7g1(R-Akvd=&pn! zTkOVY#>Pwq-aw&)F|BmL@alccx0-l5NTEsH0G=<~!@d51^8hYi`}N(Wt;@@naDm?! zx7SZs3@a<)FD^cHhyrK$Yc=Z2op0UTCjl1%dIb0nHP#(SfGxcRQk0cP>&7=g@0-n| zc6)E7huo_Wpf%tLAaN^QSpwL-wr{j+_Vn!P)p&IfX!hu=3wY9d;d$)O=g8+L=)|i1 zI5!|zEPF8V`5h1S2KqL0+Orq%x?=9KWsj5%c(C58{kZB}xigSXo4sHG_`G*m_2SFF zf1F%-J>H-DFVNn%o=(X4d$_4CjXc!W#M>?S0Y1*$9|>&S%BploDL#H1);>@7SlX*J zufG{b`L1Lb-+8!(W>iwX9m@DDY#w{`n!iN7udBzsT~yp0B$s_$Qa_JeOrK0tFMjJ@ z1-#iU;0c^EyaCh}YL|8a*T-yJT@QzV6|wa#hHH^!Ke_Hs9@mfV7wfIOlgE|#@ZF1^ zkFNHW5r+fr`wxIa%R}8uXXi0Re#sq_wy71lB_?giL+Gp(QPM}kK8(yviqI>wrU7Jj zTHg~AmBO^z07l;{@lzADUpR5}=nHX!g&4ZPo)xhcKE24DS%ei%JG4Lhr9ie%PyPZe zgR#BY9F{UK4e7hnXb=4JSt6uB7WoB7s;t0d5rHW8Z^ryL=7qg*;)ym&;ykev|E%N2 ztx|gOCvbu&r{3wi)fttZ0_F>-EdGzso?_+;i7futP%&P-M>v_@-Ld)YFa*YV;$y!{rpEQ?P&7`DrlV03)s#M_QTeW^Ddgqbil3Af`VJx@_; z@9&W~f)KFAJ3QtsnxA1{IN+BEU;@sfrSsGpKSBhT_8zoKp2r#+YLp*oGWdB_G}(1= z;=Mu$)?b`@x%@j{TwaHo#w-Xb=n@4wNq*hyT)p7Fa{IaGb9N{c6b#+2NVHxa>ze{_ z^WQK7!0NVsuH*|CU%e2psJdK1L?710ThoVS!6~|2y~KjBLDls_?9=`@m3igHP}#O1 z^%d-gg(;E12IO`j8LcAK*Ukzp0cN{=gg`WYS9eZm)VVRNJ-!Nj%*DrJyzEUqDa=&o@2d z-_c+00=hcyeQm7-#OFpjkOAKOPcFZ{a_~4{e;~i`v-IEi+GD(I9K83v_Ay`e4V_+x zi|aGIkSqRnENxZ($sqYnVEMeo>QRGRS{JZ!j*pw)2_D+@!e_=SQcaCz1a)Af^I%<`6rnHGkCj&f6-+a+_Lh$a>zxEv5Ci)Zt?DE=|?>$THor zk{nD?cDdW}gP;z8a21-S1d!J`HY~|Rf0^*@EBt{)?YX9xFgf4UDVVt5!@ODOO;>Hm zy}o(L*hm^4(B9Kyv*iCe@K(BciP(969q#QBP$Qdv_%i$GC0Qe)(3$_9?Q0#s=cxK> 
za{8Lvh3oerHMIH2=D%F`jE0)l9Y{~MYc;)4O&C){)1PS_S#2eCveNA2_P;6rA?kTa_ALa#X49?RM5IL5cr~JdCDVg^GOCHi zfc)H{ZPfJojHgK-J=3eZpvfnj($slJ?ale5YV5p?yi7f&+{D2%&Aeadgg7Jc2OzO+havx=;KvMEnJ{{WcR|T_qBlu4#E_0Vl>e61|+;E zl6SvMd`L$ekj{fB&#m4THd1m>n?o72@EDH761sI_HJdo1V`Ku zfX{t870MNoGSOLA!7HK-(h1Zny{+10HRbIyXS>b{0K`-bRq1?YcHhrtPp+5)P}1$A zSM_YVou9KHGouQlL38#?x6NQ05zd>oKa$^Shsa65r!%eda5`^ z=j62~UtdV5>D-MA6e{5d+>cgK-BBy2$qQi#tI*@-ITw6bKmvMG*>=_91mi6-W;Pp?IEy&}?w+9BUwbS9DB#(Lls zWu7Z76tlP!S*?^GRxx)Z z^vBv7cr35$zIC@$uKc0X665n!N8{Q`7+rQO^R?~n{vu>bDOjXa3x#7@uDLZX|4ma? zSETYA|M^Ti{%nhR_{T2K+YJnE{zM(6+B~hNn=FklTd74doX4$=qLL4%qF|6DLQf}X zfPpIskS6)ZLg>KCmZMYyCNS6T7jcjE@D-2sqRRLVTu0Sxo~@l9olZ64^?`kwfhi>_ zh75!gEUPCi2Ix{Up8AT!YIHCQB0S5atOj*&eD07YpnvzmiFsA7`NJX-B1oA&3Zkze zGhx|9i@wCcUlwV*v$w-z)2lb2_rdmr?Z^2OkHjXtfmK_oI1M(#4Q1s{p@zR$y#Lbq z?LhCxIfKB)%167^yW+)zgqwuFJK3AX$fw_BCSdQ4udBX_UxZpa13YK5My;sJv1 zr{?QtJuiAw->SG=+5WiHgRJC~H!&$u^n1!xwV`N>oxCZD^&DfLC2?2n!R(TxmQcwZ zm5GLhQth<4lUqSbwC)$$_4__M91V`kS_k{OyaRw`8u^C9CVUo$uaMDgA;E0)WOQZQ zQ7X<9Po5S_Yz4iu!ozvl)OOoe6O^)p^(E|58$AiQ`D~!17B@t#vRZqk>I95NKdkSL{3TdbQk1g0q8$KL82=`qBmkQ0s#dHpDt&%f>GLmG;!{na?adI@0!Kb zO1ng-5gAe@pzr7VcyL&|WwXAiI-+9mq4QX0rXjR^zf!?2^T?41P}LFelTT(HQ|Q>= zEva!?I0l0Z`W2d=DJjA@8a)~R$ICcV4!?U=`7iL1ir-$p+Lyf^-`X3Wf3s=rp2nJe z2ID56k|`^gkY-M_a9c*zGR4^D{$X=?m{WbL&H)zOP*C5K!(D zABIolaT@S!Aht-L{2Kq3e?YOk=@)*eLfu$#Xo59Rf9rDe`zka%`@=U5h&G`40)n9v z2L3$%p=!PEPO@5VWsuen?QJmh!eb$rRk!tBO)WFk!Qs=W(I>%iSn3i59Em{6DB4^I z61Y@nrBBf5fEr_i?)UW(ni)@Rj`327&6+sCS<8A0|3#Ol6l}$JM~vyFeiuih@7B?- z?#ySs1RVDaUtq=E*R9JQ5R?p%=D;oM1c><4g#F>ECs+j&xK2VcmaG9n3T|)!>wsm5 zIqs}xjl(uruW+8ufGDn*iv z%7|^kd9&D@Z_P$RGD64;n^`|i@LtF9MF+6odk;A zzUerx`Mf2%X+T!1zmvK?M!SJd(anX#XFPPZq=^)zXT}Y*UsqcAd^SLM&XgVU$mkP? 
zcjaZRfUMH!q!=%ATZs6f;lAM#=AE(nw7odRl=+rhSC3v*I8>wk!{f!r1$#4d^uYs0 z!(8Iog8mns8#kBVvSBy0rV{c3j+_fy1;|lF$WdR%lOPM)I_%Assv#;o`=Do3g`=u# z+ycHbYb&K4ZPhaTP=X%%X9RFvbaV-epdH~7SN)67NnDm`tT$N!r{!=%}VKH4bN6mmV)`$mQ(!Haz5Z%YiG`tgl ze}j6@)-%@Fh#NK+cA>K(Fjn=H8q?frNO+{8ONn)hJED`6g&NrEsPkyZGabTrXLg+> z5W~vx{!}1$M|5fl3!#1C5>YNr$X49uQrcbjVcx{j`w!ROObYMuD~3UZ`5oB!xTig8 zTg~6QQK3d*`3|1u*jn_`3vK4D@}d^q*_fYqQ+vf7`mv%%KD#2K+Uo`-eq$it=Kb;N z;rUtEvGxRCK?Hi5$}z7;()BU<1Vw@#uD^4b6i~H4YnJoK`!!vI##Ey9hO~?>FPit`ckv z4_fLtMm97&e0@$i?*AeK*O@ZYAgjI0^6J;bAW%Q-A?q(-Fkq?h!oR+s#UgX@5G3rV zC*Tkm$Z9YMfQ5?SvgFqsg2>H1XcRD?FCRFxm%p98Y;?l8`pt&`y{iPh`)99=`t{RM zF$=+avDGjR)_mT`ZX!uJmCe=4dDNHQgrSW1s{hqkPD#-|PghKA2GywNNb*U0b0(U- z&0ok6cdkc!TXB+DX5SZdyfVaqQly>Wv=; za^&pA>Skuas{HefBOmTI)8zHjAE-RtVICw^2Y8C zc4dngRc3_D0z<73i#Mvu0?&{Wt$W#jk4S!LVP*f(!3PTXe7L$Tf^NzM8zuZ8LfQ#< zG))`msr{;gwb-#zH>$RhId0b_eVzri0=l4)%fS>6BJVvJM4=o(F&}*`+BMM&@K;~& zu$yKO7NkuSrbVHa`TPTwjHb;ph15%rrGF}Iix>@Kj$~fAx?TF7?tU0Af=u{tRy2`E zPm{FhLlr5>*bX2%yNq`4;oxsNP2G@Za7^^}Ip#ny%O(KI6@wS|GM3gn7?U^f1NvS5 z_5DNGt(RqW$u$ED#$j5@U+5x&9~H33wem{e79+pR&8q%HflpS*C2*JwiZOno&#C{w zvn8%x3!a`Pmw&`K_Tb;Jlg0D=oa=e=lqdY@&xQq&t4gi3)hPR;H{iL}qK=&Gr7N@4 z+{V?aLIU)`h$H@mW~&5Ige&GJCe^5+&(p=}9Wbd^pTLjY*Dltl?ymx_HkJ$m*i}*> zESAgWAGlu7dBPk}1@bPY%y0y@mL-Hz(_8L|;=3ce>GYFlKn0Yc1?Ho-B@}Rb9WK|+ zO|U~4;yu>g>nf*m>)*T^?bz29pl*iJYwq|$Nl8@GSOuA*s_8ygU@O_l!6-zhNlt&N zn6y<^F&1~&ANyo z83?6 zD7~xe^U0t5al=oqvRMHrOVGpc>`;cIgodN^knm9Pbp)-k%$dzgfbF%=_)0#!v4Ks+ z2)9!mTF)6mROnPPIKm*r&%|NEggFN(lzB4Bs#a-OQJ|(-k!X+Dos|Tw*Yqh&EAW? 
z=WHa!uLTXRuxDbAO-M{t&*s)KC;F@_AK%o-EE6+_eCu$C0RNIGy9qjA#QfW3Gdrtp2O%V(xgq-b_QHugH?tL6|149V^d5K;WC74z)9zkS5$zTN+mzcAO-!J!_Ccsz2yGTTq zss+Yf^P*VwaNS>f>U^S}dIJ_is8EO>yEPYt$!pH z%#1(Zx^$UA>%_!Ht*9Gz+{%y=&a401wkx*ZAdv~;Rh-aOoF4q<6bdt;`v{>s6c9Ov z9@SPUmMl_PUCUFgg>)5_tYls!&O}Sv&{{qskb@TmfBQxv64*`?(CSkNA`&pYocAG8X^PuC|it^2F|uM=GT z24tQgiIRA{2Otl_7}yZ;l7^SB!4d)DtgC$ZRe;?VqRM54S8(XTJKcRg&`-wR@RL$$HVz;`8UL$nfucs!!7*ukCE05r;vM z47Mu@vIzp#cq_J1d6lz;hmBXg6Ra20C)drVmqC*M&^ZzgzUs#m=g{jNi=f2`sl{1N zs}&e3(^zO$qs5+HO`gL}mq;fg<>9THSQVnNY3A~0%HQ~_FVf`1G_2M)JY#HhZ?6a6 z+8#a+g}7I-w|L06D?8OOG}6{s45^OG0q2X?xy(D~4C%l4}j~$7k?QH~;f11?;Ga5~ZH%C=7{hdU(zckG2F84lwcX9I4h_ z9QjlBPtMbwFH&iDfH>M?bJ;LMQ5;;*o_2KiyMD`F4bPO-QMr70a9XUwm$z9*?~==> zBV;QN4zJ!B-1&Dd!GQ?t5FZs6kZ^dg@H69Ij%l-y3slU|M8alcV93U)Fl27|*`#7- z^2k=s%GX)Rx~hd#m8JR?o4@Vgh5uEc-C0Zsq6QGL$KYAagKK&uyP(S>k#$$`lKeck z?qVXGdbt5?z$+73WRHNE2#&lbx)XSY&DjQ4-V-c(^}P{^%s)-@ZzqB=CYP428!jO1Xr@ z&3gQt?PFdpBazHGmW?VxdPv_-JK4(GTEcZvwoC6_5=7f<{r!Ah+r7&7ne^9*m%zw< zMpLfX)&g^KKRwCo(#`#rZ(=Bk>y_M~9sC2<6P_yx5LyPZ9P)Ak&m61x{P&cs?dyIw zTK>A>Dibb}{6G_d?-ijovv%f0PBw&H4dx*0x=2|A-fC&qiWhqyGevGt{-y-mXUdyI zsEi&gO@77sfQ|Qdol8RnuTNdIh*-BXEDqeYXQS;b-;;b1)lt=*`bf0KF5NGJc-dbY z?e5!PNp^*$QK@Ch1a~V_ZlsU!{Trtz+sWyaGOD-oFL!E zuJrlCJnVlKg#{WG(wa`ng8rtRR;thE}jfm27PYu-PDZQ4cXVf>7~sTr3&)zUG0C6FMtCJ>?6;Cp#Ybu!1LMJ;lwT? 
zsQ}l1k5}Mt*K$lI&akmOedPAi6vgG`15UEW;lo&-gx~)N$4D;aP4bMmf0(p4#?PT6 z1Yw3@%I18y>}OsDg$E8K`ue%S0JXY23azu73cY}?H^+NjJO%^Luh5e**iMa(0>+4p zXzF%-7EmlRFVByBcKi2igDhNwEZ-XTKzSEXR0n6V!)lceeqxDRuQhp1D1)1L`XOA) z{>vkEMOU)?xOq6#$DO`kC~xZs)^-KvntljC#p5W&IvN-v(!1y;DxF2_F$>tm3ZY+iKn+cn|d$@4&wuGO?L~eLskNIf8DL@AXmZKKXY-)Xf{LS=QjHO1lXN8m~Pds zcds&>+szYcj1g(Tq>>>yrXrdWL&D7ZA3#tg6%yNR?$On?6M=R4hv}02Ezv(`lyu4R zW2@j(@AUi;)48PGec7#H9OJLKJIoX1eDM@9O%yQ&GGcr|%rBiHlhob#o*Z;a)MlnNBAsz3{j~Ew z0Qf|)f5y))N)Y46ZNLT^e*=$lAyb1foQ8s3%!2p~>!*1NMgKz$pn}Z)-H!GCW6{a2 z=7F(!R5RcFr~h=WHM8v?p50JXO*{wmkD?S3dj>=>mmhxLt>O52HaHN#-ts8t?X$xH z=03a=CtZig2SA+x%8*|IfZQmr;Hhu5AOk4mfT`1(D$y!^%);;Y{TCSv5`DhD>=_KI z^B$S}iU(5Bxj7kFS^lu3HeBaW8}3oHGg{TThK;05>saYx_8)X-rFKRuI5-S1joKqn z-}FDT>LZgH)(%9B1brRE!zKXQ#~|jK?~KDh)?Mjs%pfeFEy9tXP*4=LbwSti~ii5m)XjwB26J;t*tujA*43jYy0SZFQu!t|-IqfqIWyg+1nG*gOGlA)&v zll&s)(Qz?dBv(~-C=#fumQizyy$g@^DW_J7y zArHAW!<<$|^+VXA62vlo@ zqESIZzz&`cAc|e_|#SdK@XoF>-4d~aQ#?P|mkpleuvSerJ3>u|eNFc^D?W{}zHbP^NC48OxuO~c`Ha8f_LqIZ@*S=?jT)eG4ARjq5Z}szAxrh(1(y&8x5(uh`Ft z?v9HP0k@A($+{Oaog*d^nQr0E25-%*ZJKv?%a+`yFmf)q8y$T0`aHrNv^)BSJkvty zfBY1E+;B083t$59WsHh1`?zhn_iVIQI)&TEBp(^9be=DZ_A{6-96MR41pBNTO6Hg) zaDE+UhC{Z{MYl?;h+1T3qi{bB(>18$bqr3=gTY>O_{1~s4=)1(NM7u<=c7B@J|T4cP@jNO=_oPLcgN^gH9Lim{Bmh1 zZ3iAWEyi-%T(I@kQbjhkwOF+p=&~rZ)$$b9r7X7CceAU00mv{~?0;a+QKHpk$A!bB zJ|=bv%V0E_J_HBcR!wLC;w~SouQd_mn!Fs0n3Cv84y#xw4!_&7axEWL;xJ!7s%(g~ zy~3VT=FU-LujnaCdCL-7Tri zL$xyJC{Kssknm{P)?18q_jY9)+7aMyzMtop`-L58KAGoUU*R2L0};}R{pEE{U6hY^ z!_M05_19Z%_o<6b9}a2%pEwuI(77Zt&y{YSJIz5)VrjtSraw%{GNZ0jAwu~F7I$lO zl(Z@F5Fl8FD!#3`%lqB`j>w_6=wVV5S1}N=RXXi$PK{@9kr3{bbwi}fl#QGtm2;i= zXk7{D@@}}DsC`xwP5XcsHrb|d9Da8ZGyy8=XU3Lii!b?$N;)6eI7W3G`S_21fa-wH?faI-n03%~<@mByrRVB(^DX65YpH+7|7*wa;0gunZP^up z5TUInR9*k6$ta!t(MyXd$WHtF)AV34*H1=Z)Ved_vWw6L#$cuzd-;4u9Ko)RsxQcOlhEDBsIs{}3da!WJ>AZ|oZ0pz<`fR=yP z`;$}Ta(A9Yro}VG-B#IPE5(+>N*U?17#yG;8ctEhdQhwIA|<-EC~q* 
z|9Kz|QVBUb1Hl+Bb&;$8y&o>i=Xoky5hsAP@8iV1b^YTOer?1Jzx^5vL~ata;J)p1_uD=wI=74R_`LktZxX}Y(EuzY`vlXt?$3>|dC-?7xqyL(bp6J5S zL0fdK@?y#@h;hzq08Jxk;b=JiRmg=YOlz4DhOBGd=_A;dUC1sQ8r zZ-DDut+Pg8tLlxRJC)kaQceiUhT2&7K4tM|#fSgKQh=viDp0ct1`Snv3C2zir!3IW03e>=h~<#cY(} z?QAvvrQd9%kmBOZr*S6cn2m6+j@UXFffFj=zpdPAC~R^$Wxs_Uee`N%(;dTJU*qjM z2<&rx5^V&o3Cdb!e@|k2l9kbH(r;6V+oj$b5Jf$Wo0?T(Qnx~w1@SjOK4_z7k(rA$ z3X_Qe87?aqZ3phMUaXEF>mJXSX}5vi?dEGn#xZXKta)=b1uJL&QK;?e2%0|qT=3~& zHJym)ZQ42wf=3V2E%t0b9iIhX7-&73rj`!3lP zUJmzX{J(=6xz7-Kk*ft&ic(7C2q{btd#uU5lCYgq5$n2Im?r*jtdUpC(?net^1Heh z{CxWl0q>gC1j>q{dP%VYLO zx1YIuWsefhaGg{ZZhwZixN`HI`jz>zU!UGnn3nfzI1cB#FscGMl@pT)8@%jF{JJ>c zl(6&yaYe3?NA`!sB_SHBilSB&2-ChMoH3@6+ej;h=m|gCF*`~YUx@Uxg(eZxKOeN1 zpfi#6AH}_guC+@h<4@ZRLaSFQAguPq=%a;AIF4P-;|t4@oyy~+D(6f`W_i1JB!o`I z4xJ|k`dw5Tk(qIGROx8gobZ05aH;FSwM{-Nztr8H zhnhw*4x=GLpfIX4qKoEuSYZiFZR4gz%8Pw;PQ8+HE;lI0V6m26;Y46r2S zKQ^W+X_HJA_E9d^MXt@SUKOI0O4YDQJju=~exGI`E%_Jon6bnqq8YU?I;_Eou-dG; z!=%Sw8ctYdsT%WLYU;PiQ58;QysVKvU9^hvUZYeCBzFnaS$K;YRAw94ocFBfw%egE zzcd{k(`H34Ec-Sf4EPZgc{zFGT{&8Y@3LT*wd~H6oQvh;xxJt4CB$71k6G23ak6{~ zCml5v`)%zgne}z-Pt3q&(BdVX)sBU~T}1m^1)!$5$G>)v+3@`k@ZUVU*I9grc20<~ zVUJQy*bW|7{)A1RS}7gXQ6rgq0$l=yk)qmc4PEs)&BCs^*5y(w2TWM^ugQxTQze9S zy|C|K!YUkbwiz*$h8Y_Kh8k-(GdB-f6i%0rXi9^q<&sryZm5X1_V%1PWE~@)#lul@ zSzHl?DkEOu5OQZgm4P|+22POL_UOc3<3spjO`-B#d~x@>(F-6S^wPysJ6Pf2BB{%@ z|BS-r71%b9lyg{JBeibIw%s5XNxPi0s7A~(j$zj9!A}@Ii1CkYbSMp~;g<&YFC#Rn z8=Z<@X`|h>=Oa1da81#AayJ#|e-&b<-k~@AI@KrsXZh$=%8!t>S;@6s>#2$4=jN?e z9kt_co&v-Iw)}Q5R|c?eP-8TIxK89q@f-q$8L7-k&Q+);Ehb!@LZoSb{QOAMO`x&q9z;GT2;AcG9wMN7~_cD=qM7i^~gIW9t>kAH@!jm;T z2YLHs1CWxOa?0zn#8oDRSy&;g@~#OG zOTDw-#Y^Y;Z|0v{Hrv!uN)rRL>YTcv$4%+sRS{@(;a7|ajH`_e`Q-R{>?&g$VI}@w zhtQ8NB+wzxFEn1bKA0L=K;DyYog+HLHuTRUB8l%+s50vr&=Twe7yrVs0dOOG45bMBB{ zzO0E%7lVW`(j8iX7L^@Qz{G|Zh`l}!TJ7Atr^qdAjZPzx5FTPVJvxqNe!T^<=sheK z|FW^v+I&YB=LSD{mK#tN~nm0<%%SX zjX4{VL@E`M zRC_E~pn2WYQ_IvDnBhPlSw3H6fF_&QY^B?;AUAfw$u)gvfw3P8!XQ5NAs9Qp{`8Im 
z=O7tqX*8(!gUAT630d7P(I5tM_+FUPi3{Jgu3t3zqF8V#X!Ql6vAq-5`{)DkHlH+d z-eQOQg&TkE?M>W6&|SwT0h`PIqT5Sz1dACKAK4&eoEhm?bd6NO1}T-)=Tc}5J89K# zBb08r%c^YEl(3i5CWzPnG!dt(h<>bFoU0*6oGlbyVnpaKk0L#-Ti3r``>tIN8K){7 z0s+qatJ?hBS9=)K_Ze$sxWlO4pG_eNi=ZeqD|u+&3Bl`!BPfu0&v^2|9YWM}_plBV zeY8FXrY*BP@Z#7jLVSuif(1{Q!WWBFcmeSs_mos>ZqzHHrG-SgqdBT#Rd-KS-wLg> znvmb2!73#Fa%iVdk%joTIOQXbI5YFzF^rTBpS+B^xy#J?##3~J`$`(WMar%A+kO#e z_tbBFa(*?%K=hJk@%MK9`p$m5wVo~F&Ae0TWh!>P zhlf|F5}(fo93wNug*{Y39$ci9E|QAEW|>gX(&-9u8KNp{7hEI|RcQ0M<;IAr+nF3r zK8P^V|2j)R5%jn(WH7Vtu*c80eKYQaQMRsRG*!sXPNfJE?EI;)g9n%T)7*t*?H7pn zlm^mgj2?v#ot)Zyc`V&Kw^Bnr2-HNBUNAiK143dWU_RT|Ix+5_WYp+b^ z&vDGXEQ^dp5|+bvE|e+gi}?7-5&jE%p7)`1i{g+Rw5Nx9zZTC-)efx6G6a}0epzi` zCXB{-E;AOOyC7!*o2#9hMRym-6tIR&2veY@NegCMI^iiH>rLNZHBQ?R5$sAam+{ro z^E8wWcGUczx(F_fo~x>it=nHJb}0Lk_n!#)REn+C{rnY%6UA2 zAI>mljbHZU0+i;(Zlhg*<>E;{MtBfH)`|&A1-7b%lHOeU5CH|5z%Bh3%%2x*&eT!z zElM(PjH9|zp=M%Ip|VXf@8llhZ5VV!{QuNVQFMOo$-wwO>my&^Fq4Q3Ha^OQLG|&A zC$`l_e(}2-OM3CM9LS0r7zn#HH6!BH!`tu(yfPnT83-~$^aSd;O1i$fXI(*{!C4om zyg@;QR@1?GNbvMVgiM*!lLr@B<&{*D9*SvP6w%ZS8v2AsH{gE@F()IZBFih002Yop zA=`kNuY@V|3eEQzZc#7^efh|^yc}o?O)A0&9H;$0j3{G7LNs+JrAZ`Hf98oao#q-H zySeaAKpra1v>gnrWSjLW-%}>2VtUY}_l?@Q` z=eEzF^@0x>ymR&B;5g>v8o*^H?8Uhy4F;Yq#{IXi87FP~al8z-HvfKde5CVDMRX`Z zW6Xp>TEfWxHpZm4BVvqNg_5itJDO5j%%eAfS1Y#C&S5EtiuNxtvKC5C8bhM8=nlgR zk^KI`0ulSId*;T!D8r{437`JBrw22A&8SI*=jxe>oxi4)LsD>u`Cu9fs9x@oRqqtG z<#hRaB^-ToaHtL}FX@C-s1^iXFF|fTyQM)*zK^|9&y3Y>A_g4m99-2zy;wjITK}_1 z9EMW4856iQj#8LS2+MF@*z{%w@-X`=S>W}cjxYGf*`2Ox`Z^eK0*Xe=$e{~i0ubuP z{-2by=g-o9zqZarvIA%+@b)N4+E+>vtY`@rpn;w+{H(VoW~>R(pSjp4<}B3VQa@R* z>HT!?@7}zeXQ~4Xq=2;N1QdBH{%T1vz@G|&-RC7UG}k({G3ikYnM_-$+U81 z3uRnt(<{eIx4XRFzqB|ekDqH6AWV@=YGFHk5D$Q9UrBcwkKg5y(qsJoTB)}~$z!m@ zos;*h+djN<9fioNLaPt%Lg5?~AFyk8}93oj4R6q!Li1=Ng z&90SEZ|hbjpC;1e@9a-#?;(s3d#EHA>TUV_Q2EeRZIlOxXcTihw-={QD?`x6W#Dte z<6t+D5PN8UvV?CT_}2)nGYa$ed{vvZqzg`Zm(Ln$UNfAOg!#~aL5ql`R*@hqxdd}*~{G<+OG>Q*9BG+sHTYp-n%>@Fu`4Uo7$-_bJj_D1g3NKRw?WM9slpj)MyKH)O|9` 
zcmHkXFh2e_OLtq0d^?hpeIc_Xg8YCL#@7ROI(hNEZv(D$!Mlw$A*yoKl}0hznK)+csG zWW`7S<6*IdM|<$-dTlY6->uswiOL)Wg7~)e&b7oYc?tNiF&=BKY(>T!t<)eFH%1zW1AVgL0)X^O*l=*s})zGOp}3q+30l zHK!9Keu)U-5Z&?~-}4w9+nz)zlJ3@PdICFBtlX(U30{rd4h(L9~R64$@Yy# z!E9a}+VP~P-wI%TD$Ta(#tKOVF8-9+nM8E<&m|F8llbq*jiz#*>ZD@pHh?Wtofs%UMFP6jG z?#;?hhXX^d+v~9duQyQ@0SjWHEKDbv?@ot;f2jYB#wg0qtc%H@jms8X7LV>XS35$s zuSL0C2X6GA7DzuW6f~rOGEO;>0&^Bx4`vKHZ&@)9*CZaEdTalwE_CTXl_VDzqI3-B zN0TFt{q68i6^;GQ{O;Pfi<^gR23)>j>+C8IKkuJa`QbS$`jEbzY2YNB15OsNCcMm_BQqh<=8i7u;S z7Q9kcu?~so^nVhO5&9{ag<*HUS=Vg%_KmK2$2)7SQ5e;E{K@fxe!HBu`{K(xz(5|V zG8wdzLPy`*8@oWJqXw!0k@SlLj$8Ib*_Y$(rg;7e&qSSJ+oUWT&aFntX#UkU9{RRk z@&H&y->`=#{&KgAgZr^Y7ZVh-$;BG)pO<{l>5B1`77@nS zitgjmX&0fI{vs)gG^3cxPzjbaK{`(qR|3x0KaCUz(&SZPPryy1 zKzj4NbA2(4y|WkUt0Q!}6m&XJI{|mhv<#ikg^)*=)9$y@Ki=j{B~@6UUb53!YT2~S zM(sEIch1Hm(P!oi*+vU2OYZ*H9=vwY&CkYRTxah&2tM=)D<#N?(dA;uuL&-K#=tve zTmqyAPN#rcC?Tk+Q<;cJsffrwi)CmgO;FQBg*Bb7+3wC3*{C&Uv9i`Id*w0Cy<}_s zne(3n=Z6y-Iflbn?})?l#H>5hSYzthd2kzgILEkmDA4oZja{gN!Zu8IjyH-4%royN zqs!=5O)z(tD?R&b9;n7Tz(-MQ9HeC_DoVp{Kr*=oXB%fGQW}TCOT~itTj;n7!v_&j z%m0Kf2lN&)iytlhW|M|nj(jBNJSD zZH^wR<}qT+VV3D3mRPE3%z^GT>rK}4)pK&!+(cbt+J!oYVOLFN#B!(H6Wur@WTKsa zvzqv_d@^NAmCt&~K^*0tv&YCH>+)t%&dqR(hF-F5A6h#2nn&O?EBezJf5lP7mPsvW z%L*Wz!JWGn&@c62S+{Qfd!urwQ%X&NPeAvV%Yum&m!#vS%r*5AM<#2IRHHVXTrIjZ ztX93as+N9T_t|LiFO@A5tI(2p8o6qMp(r#BB>jdKZ)3U-fAu(?W6Hlkt-s#2+4MFOp|R`c%&aBA;*xSgmA)Plvq^}3 zSO5Qddkd(lx~^>)L`syFmJUI>k(BOk5Tpg^Zlnb1?vPFa>F$)0<^YEd>F)Z@0qtLTT_ugx+Ij?!Gx#n(%ai`9s+c9XA3!QJ82H0lxy?{usuJKRruwulE znZMbi#|!)rhIRL}sj_$m()mO_e&tO2?P1r49Hq zsj1|1oaEMZYQ!JEZzi(%l=U3kyOk5V4Y>DM5fok4B`aMqhFyHIrn)v?86;Ipc(KP4 z+sKJ^P&l2@aRZs29Xsol8#-3gG(SRVS8EYo6<+d%lZjO^vbHE~GoIGWY%#=g_W!sfjpaNYjdTMBzO|&bfAJz#bV`xc zhb;(A%s?VPX_$Dd0U5}Co`I&nQBvM2zaC9KL>W-9Icx7^>#Rdm%w@y}c)V%(VMVGv z_C4-Yh_rHM2R-H92Bkri&FIHT`k_>$mW#JEqlSvx+NpT&vFrVNAeCAIYm+rctBb86 z0TXVHpSmFcpy!xOa1~+di#cuc$^4wFPVwKe<@K;X;Y&i2=zYTI1!yIn*`{`Tf~DrNyT`@#Q3D>X-u;?I_nZ&!)bOr`7YWG4|6ir%qpgke@uHHFzV^ 
zlSF!rxn1gsQv0JzM;^jzAT0E~cpE})QW5*HA>imf% z4W@L0$8A1mcF517wi|`IuWyG{J(Fk}+D0 zFn5+FBid3r;~s**P5}?u6!#(E{ns_VD=<8@nH4t#F0RKqr`5&4qotdR$ywf+ybR;2 zruCxRx$7N2)j3(C)JvjCHqpszszD7Z(cZ*9Jh`v_M3#0oU+W^$^Rdxp&5A+ee8MBoGz z$Il%fM0#`b1$CB84$VXx$?4p*E;qj)?!NgO!hE}$~F!5}bp#dob_4QOE#B5T+ z@BY6Cpd!bv2LhZ{Q^?SWlOa_Dz-M+NC74Eg#l_j8MS4Q0K_ov%gl<^Lft^ifO3}G3 zU~6R1RNYz?`6M)>^XXH4mF}l};9H#asY9~r-rfn7A zk+vHHsb6cIH6U?xrLFSp3JhC?{ScA^j_+qKzK&riYpRy=Ukr-SWUe>aAnm83m-Q?p zxhKTrr7_-4+$YHT^Lm1P1G-ap!L*SUA>N-~pex>n1x?Q!3z?rj#kh_l#blj+u_okE zUMN)`xmH;N@+CB_Mo|rmdJ~qc` zvtBM`)RLTvv$bmg$yBsQSEZF|&$lt4LYMoP7cSGxd0=%S1_xU4zl_#0)}3KbqJOsJ z!-T`eST@}ogeyEZ><*~sJy4yfhjLM+wJwQ>A@<*v>N^#}a>N)#9JgM`tm!P0AyK|= zs<7H;1AgVk^H2PA``G@63>70QW%kCGay(MeF(t*Zb@gyz{}{`%4>GLr#ELA>zp6LM8>jo>^}%cerhWGIf!W+s56tI@^gSg{{l7 z-q~5oSUHh&z>EqmR#z%Nn_=0acazF&D&UeLOTMrBmla$uy1KJ;aLj~d{F+Q*Wc)Z7 zVt3sz=p5>`nr>J-Jj|dZo$MKfSsfUqAZ}TUuGnFGEN0`e=n+m~!2LgE_&E9&b$z|5 z$9syP>SFg?aCp~G{Gu@QoRuQ&B9J-{P&*FXuKWsD99M#!VbD8O$r>1+zNbNOXeO(! zlXoPJw%N6Bwr&dwY@1-%iqn$z_>w8=%C zSEW!RyY$r}v))Ou-uC67JU4Th2zGC~N7VlE>&}6u#|aWfo~!Rbl~8SF;M{H`z^s^n z0LMnSw+BD|5KRv&!h6^{Og7jiI@77>B?H2bcIr2Y6%@i)+H4=<#|^ImyLL}|ej!tj z58IQ~L`I6aZ!ouhY}s-R@b@MHHos*9@SOE0TyI!l6#X;-8CM`!tru51JA|PS&z?Ax zsr^&jR2|>qXpa+r#AX2@7<*=rf3QWJHi>z&-jU#m$-zqF9P{ay5aFYh6c66f0Za&b zidY!-8uh|x^k`Ck7DKZD3c;^x((eZx-!7-iqcfkxMS2fEk;qa>c>IxFn)aH8qsE`^ zasUF^6LcHWWhyXqXQNWa-?d_PyVzWkf7!fFIz~;t=x5IIjF@cXhm<4eY`;>#UOHWy zg>Bzgp_x1;sY~j5oI+61#$>-S)R;hi&>)_&n8iHrtC2+BWISGm`DDe(wk%De$kr4fPMOt&g;@YY ziNA>VS1F^GCNNnN%GiKROM^)_5|_cQ3`V3kv*n#I&o{La>X%|qFfA@68K{IAs9>^I z2wQ5Z$Vb}n#v+0a0xUb&^Bk4K3Ry%ddh&Z-SxohcwPd`6yq}Lgqgv%+UDL>Y+l%cG z{%rZi{KMI3vzV?7jWk-F5LpJ0gYjY`pa?3Z+Z|0keERFQ+FUlpNj}Be&{Hw`Bh0Bo zUB@R=7gkwakUEH0Tc#T!XU!k?nO^g{uRdziDZocebyzL;_p^|xDYLEK&j zit&EzvbvgEC2p80wMATO&oc&ujuBJ;k^Y=U>gsNf``YB(${**N2BpHEE-^{8FM?-H z$zgGQjFZV^y0WW4C9+KRdY|aZZsfcs3NwTB*u1B2OKmfI;^HvPhkH9I-l?Vtl~r$N zkE6WK^x}LdhTWsS`G;ovaq>D}-=p4^DVikPH%avIyQ882b69fcI{nSJa@%1C?Phj_X2$(FsMH 
z6?Ch`h|>s7W@H9k&h&n&l0|K{Oij6yTfb&Us)YoaSf6G`S7@M(pQLpD>kydO5*J$x zd!%vmg-mS*oFshCbtEXPr3|bkaCVx%aL?9Pub@;bODA+qrcZYi5CdAaY~<%}w1%$A z2krk#Ppy1-ogy9*L3E3~hR>jMzF0)DIVfH+dsc1A2Mr7~3`;kadOuD)RjD3bG`G~f zHIpTp_vqUen)%9flj=L|U7^9gUU(Z08hpjuHc2=Ey3@aTWSf`&vI0&Q-eqLM@e)hz04 zuAoZ!SW6nMWB;MJA_tbzyB|p6_h{iQ^6_41c)5eovV>dmxc>Q(JTLimrhUMW)H5y` zk`$P5V)wsT(%N-g3t!1*^-6N+;1Pv7Bs~WY@zV6o_F|&Vv*Ax`Mv41 z25D>ElOi1=FsleYGvdb@>x}s{ry%GKHDrG9 z0eGgIiU}}aiV(UskO;R(1VFroRZ)=ai3`BG$Us-iT)O`I6oU|x>+sv=IPZcI3s6LGQ ztUWW!ya8rL6HsNxQTp8HenB7h?66P9TueeAJjQNFNZbP`Gi7YdP9788enN;(`qXPH zGX~>(gZva|S8;in3q*@Dw5R*QjOozSoW~0^0jH@_-Nk0ru4I4#@0 z*SNH#txYImE98FTq+S5(3PX$8=tF5g6r=cU15)3rfvU)2+{AU%tIz?jTkyDK_KWZ2 zAnus}-o&KmA$7p6jhFO~9%~}2FRn#OO5r!vl z_c{0kGf)6h?Qt^Zk%}OZj)xHX!Ho8cFM8Gk>ijY%MpE>gKc73}0ULP4ryMr~*!rZl zlInN9Ocz$rk`=YvTa}!3zQYtRz`;`uBpXXGtCFH(eEY0{D}6!+*^$=3b4fIz z1K|~=g3Gk@VM{u!J3&bB^wm|!7NMg&|Y*=~>e^Yw~3I~0QY*Wc7WXyz=^Si(dC*(2+J| zQCDY}vejmRzm|kkoBIXXYjtcVUr4{icMJA!mhBwufn#4e>kwZ*Cty_lVgAiFj;f!d z|3d4l#tycTvDg+&L{Q+(()IkXH9`3o)@TL(ueklh#dF(O3s2?%Op*Mi7(NK#Nr6LC zYqwJ4dfES$Pp_$qAsuXD%eU+>sUcAzNqe$ZWA!j`bPhSCh_(E@YSU{G5Bi|@|J3vN ze(%4*1yOG8TM}V9a>=sqoz>mEOenB!VmkbE9q|6gsh(f$D1u(j02CtPMcGA#S@D}NG&^y{LC*nZ03uMR^<=l^0ED-*mr zTslFUI)wn$Y+>ZuC*fnv@pI!J0TYAFS~b78l=jR?VGVR;{q z+?yb_&BAVV`3XCL>OvgiSJB8eyodv zEHw&9%e}%VcDuMJO#~ZTpC5sf4c?csY`FkK!C|g3xARXMT5i!1q&aG|`gItsbA2{_ z9>1uW&WCr~u{PgC{G^8Pi4OuVE_6}%*pbnV?IV7o*E>Gn%ICu3PS(=(^->JffjPlJ zC)Xpr5^*bSrNIf$(K}Mt4Z(GqmhFJx#fbCPBs`^in=~gq%3L z0gaqlco@|-YF=(oPR-mQ7T2%*>&S!1wPf?r2*p=({v7LI%OHi#aIhl&R>hH^%yfa% zX5g}{#Pm)xRDCFb6?_yu05m8au-QJV&*DeggdS_S;i4dS5ueTe(1~z61FW9^cFHgf z13rmSPtaAl&oNo)&riGO&h8KwW>2wrw&gkDap`!>oP%*4Toq}7H@zJpXy}Sj`wTqF z)oNmk{XBT{H}?Fz>5wKb(^z>jbiM?`egr+7BRIx9LGob=!$&202Y{JQ2zvA*KO*lP z%}-UmFVB8aznuL`@E~Nl5W2PJ&?Dcb2FlbGMD|^hzEEGf<)l!K#lKrj13uQ&856Gx8Tr2U}7WNir)cx2xC6YHKM?NU}hu~MO41imB~TPx0zyGoqXjAzt+crumuf1BS5`s`s|xf 
zNUD@p5tJ3B+x2++6$a?I#D{8nFN#tOJ5MbJZ6GlU9iGNNU&I?WZ6wA^X=*g6(=d|t1-}KsK<}5larLvW`Jkkb-<(A{kjxIQ~*f32McFwMS*;AL_+Q_N&j@k1@}I7={kSGZ?gjp(|T6{s3eGTR@p|xP0Pg1|xfeGGxsw zM>Ea7Puq=^X@i&4GOK*XO*9PM=vFU`OgRv`AA{qASINb*L9{3ge8vZ5JO#QBhwY$b znqUmLdwKNjJ4DcGAyw%dH+~Brs-6@W9CND8q=KZ)@C*)ZFNU(ODr8eF{3~9)#Bw}Q z2Ww(2dWX7&@Zz9T6LD;a9~L2lR$cmV!)uL`eB4AKM$S7dR{7FAZq|?c#}tYuZB0R! zk)~Uue5Aq|DlEs>g0^G=^CRduCkqgtfCtOEr}JO#=7M61VZWQDGPF|XIyHkd}tIq`gle%ZWB z%h42vc9fUq=&CoRnD+$3-l)rQf*|97$=NMchn;dUy|r=B&@<{C_?ksVhr3BG+s25! z!^g`TrapqZ9K_8SUYNI%Fj~rR^VOR86}kWSsO||RvguA<+kSeF$M;Oyx4`p=f>w>$ z-M7FBebe^c$SA(TWsYXQ4h?w9KUbSnetV=g)Dxzle-{ z6T#eD#~+y~kw?uKQ*ARL+;CF1-9Ee*3!$9>8nviE?Ea;}bDAKvOn>L(Z+q0#sCQ?pj!G{T;!Y=!>guGf zX?}dy#fJwStMfn_n5dNw_Pl49HgT zzDMaq-NEuwfha#TVF0L9jalg6mipU>J!;5b}taB!@|nE*eqquGH&u@esiwLD9PcwtI#*KPF;=$ zzVu|7cvK~`kl}pB*2qd?Aq}#r^5DLN!uJO_NBRt{ zzlI)z8D48te<;0gKvGvZN|Iu0az-t`llg?$`|%;kk>f}m_llg93s=dD9P`hgZ}enx zf+iIluqzaK2il@^#wiz-lZ|zZbdv5ox4{_Si6Khd{?<@8?aJr^=uYF6XtmJqqXlPz zY9`6`*GtdSO67gnXh_6aD2)RXFwAJ;k#Crg7{R-MFYpHkQ!h@EG4R%bpvEBaYa$)* zp7K9QN-g9aDiC!s6tjmP->S`F@@5cAE%3B5*(amDoDiwO#flXQWlNq9Zm(~_?^r{O ztu#9Y2q}4<=lItJ>v_icy4=@m0nkko7Bg-Qpm+BQvIOrW5b*74zGM9^w&moC49QAm zL|Je&8R)MG3!k!qQnnlrDLG#I?fqdT$_*K=C*bA%s1bAZ*UM(xdo_cGd+yt+|P&6Q*yF%RVutHj_#Xuk;Q=&_@itBXA?hzFCKV^FdB)6{n z7YfDY?d^>v1y78Zr?`|!Rk^99o-Q(xUUf|eT@EYd42RQCmtLc=JdvpiP%C)>u32cm z+YJj8Z+4kw>`ZUV0bdj)f?iXk}!xQ6_ zji7IWvXE5ouDnF9p^Lb|`M~|XKk2Sbt0E+*U|V*Pjzjo(f85KJ!%hpji)|^j#MV1Y zgSw$*Sc94-Y1vKMu?8EI4iC5~>fb%RpWK|Jtq?jN(LBHT%L=g8S3w|BMC@`bu<+lL ztH&llg9QEk=bseRz<28y5*8!td%J*V`0RN;KRjJ$g5Q1_Qk&vcfpHn}(wGH&4| z*i>sfhHu@h#9eMVpkE{(vtib_M2j&mu?@^(Q*{o^It4j{ z<@jhqtkKUi=iRT9dq^baPgq54TzGZXVI- zlvmwD^H+cEIpiK9aw%KeGE5UQ`)(byK#JJanI~$91Sv*Z|81pc>Jkxm)I)D(QkJYZ zqy8|ln!9Vs{^dg;=efGPZC?IiUyD-+?Am|yisBd|GB11a@mCD7tVs6oLYvcmN4tT5 zbgr%We(gV4U(p9tqd0nk8vfuPJ3`O0@owIhcJgWBQU?a!ImKSbwdp(bdR;b%^reszxEGM;Od)6EdK+P`?Y_7 z@?X3F+f@w?1qg=wvl;(?^?HZsU!i#PUqb<2`#Ti+GjN)V4is>cMy}| 
zdkQ?{yvV%t0XQIj{}LIcy8XXFrxkd6u6aGT;t7aO*!I{vXtVZT>T0|LFv1 z=sw=LW1r=(ywT>5>nU;1lbhSwovNCzIM3S7RNw)KWtWDyx4abP$&g~t$H*gK3{M); zq&HjITdZF0t)EVQPVN3~Q!)GF=vn!>uU@K#`69y4QAQ5(L3E$;w)saEHO=9~3cBB^ zl>DqzJ*zb5ML+fYf4p`3h4Ah2mq&B%3GP^u|7gd@hZzCAX0`2IfaGV&0>u}dZ=f5m znO{Gpwj}Rej^k259!7*h&=lnat;lYVQp!hM0&Bo|0fWIFX<#jxLJ4Q==Lt=l310Eb zd|6Km-e6Fxq<PawR|KlGRGie6grZe!kjqZ`B;dzO%=Ktqb zl<6gZp?@|~W30*lxiM>MN&erBR2XY`e{STcB{8!akjn%I41)kO(8h-Nx4UbrTUIv2 zLU+-`pi3z0>i_(Q!HHlQJswp-IZwU*{Qy22MTE|;D41E9gJpUBd!W)eTxODfv$Uh; zP7Vjh_yltovmdawD)_Ij)FHOynbaY_74tk${K6P)Pn zdwco7Td;iRZGK1K>efSuLGo{i2OmHTlJAf(_Skm*jrc)}e--0d{vErS z@Je=&Rp3Mca+YKM4~#+1a(ofw`iDI+y zNCGtmk6)0t4~+uL|9WfF{I|DY`FGqQAH*Fb|ArX$0mNYW7oi9+`Z<>WaP~h4Mf5=N z--HtQ17onW0)G(-@d2U0^1p=ot6MO}AT$0Y)LPgBi2o+kL!&_QZ*Tn`cng+)$KCqx zxZ{E3-w<~{fEXnILnyhSB$7Xz{ZB%H2LGSQ-~pi)|G*gRZ2Dh>@_*nhNd8TzKf48E z43d8nD&&7B)B~gN{>)G|?GL;K$-fDO@*wUY`8UKO4d$V$7=z^Bgp&SW z3H8t@u>5=Yv_9|_B>yH9{DZiIQd}Ki&C{rvKZ<|A$`xx2FH^JN>uily*H$LfOh6l=zQf z7xRD-fAjyrRwIeejsw3#_i$_PpK<-a+4!I?_`hjt^jD`RMX^yW1mbq_#F%8H7ct}F3Ks^lC&7_ojB}p zu6(WDPg{#1Ej@R{dP}gg`ntEb>hRdriQ{d(R*`#h(Zpe|gUAHvCF{C28|EIdhaE_4 zfq;8$|@j0%`%Ik^1HBP7ftCMutxAozHr}K+lT^kjt1*fNZ)A(jPbsPu4xu< z?ygk#fJELvF@krbG6w{_)f3v>_TD!>!dToxPqya+2Tg`j^spyttcb3Po=ax%@dRB9{0jI8b zqqhKHQmbXJ?Qhrwl*Bw08Kp~Ev8qjYi|=tT5G{h`zKjC1LejoA$Fl(mL*VpL=NzKg z0wXZ+T$jP+GPi5pW7$gBg{@SR;F?FHpKdkOHFNgXN`#;$t*gQ0;#$GwGDp?@O6`Pa zr0i<6&Gj3=Mf<1ksLO^nN<-6a;DsDr@W%>ss^U+$-S7?OJv%i{PM^=_4L60XdF`zEhnO5^S&LcHQ*d)9nXc6lTA${x4#=zQ{Hi9lV77t zr+r0zX)jW2B1OY>b7F5n;<1y%lMx4|^Di1-V+szuM>=%R7wS5W4q~?_nx+%g`-&${ zDMnq6tvS1nRR$Yf#(B4I7-OI|fWU?8NS8g&O%=MLS`p6FqS^ksI`ux<+QirA4yUh7 zSv*eNPnV7lOfEBa%-z+CCVI6UcwKlC8TYux48EH*ebMsQ)-)!MqYpA4axzQrry$VciO zqnq}~+u!i``zyapRml|Mk0Br?o4X<0!;C? z*u8qJwcf&-AGudbFr^%~h5-24Pudf)-5RW3RH!YQWAx!$RMqh8*A|HEb%cW>(;{`i zvA9EbcLyoQAkW*_+1A}Ng&wJ<(;!XfQ+3|zp4fBJ7FuyY_ta}R$hM56o@_|cN8wj! 
zd}0S1qiQ?677M(W0ep_9>9I_}tE^Rf7P0)t{VV)WgByktU!6yw9e%7ZcfJi|)v@`6 zW=rRCspi|hnO0Tn_QuPppjPZrOZj3?C~YppqChpevgBaUEa6fmRJjYg1DP+!7Odh} zP3fFERPl4Hsr9d}QNn<=ve8FL8WNkBBY}F^%9ClKSOXzg13u9bX1Y9dp>ea_zRaZs zWRHZ#k%BkA(s9(*onv@jp2N);5W=b%;9`Hfb#1>vQY(H9{FxQ;jsMEJ{VMTi4Ags0 zLzm;C4e$DksoV-Q%cm=wE@+Oz2xFp;{hZQLi1{XVCCQqP+7@Bs&@*dBC;;m=PxqE! zzX#%_cKV3%Qv-4-DG#2ezJ`l2FxQ8Er6*ek^*s!ziSw8Ow;zYQPtW8gZam$l@emYl+(34-W*q*^IWJLITQltVKs#eXnclEX; z1_p7k=9Qc1Yh-~|Hr%TM_OMYx4&T$4h;)-Az}v-)1}5E=2OLzCrqIN zWv#nQYDd+Yp&dt6?0jO48Kk^?@ExS$LOXf$OEFO>n9K{%gBglJE?LkdqZHDjif}5h z#P}mlA@RH1LLF`0HU|Q97iW-~ur5#MBt84SFGZ0J%4mzth6h+lBZa}am%3`BBNJR} zFNdsLd_fB9tz6bBArY*3+!jw6hvb8TM{^Mrj20t+Eg)YG*O3!%LCf(>Q2EV}h3ID# z&K>XNQA||-#SZ*5pV&B`Y7P$p!hIjPAc-crHt4xtG&msYVdGVCm#)S%lps1MalqcG ze<%|qymcz}+E5$YtImR`XirGZZ|`C2ajJqZ9ZVOv)Ww7)aD?};3nt@=cX_|gDi+Qt zn=0df7+1n4m5nxli!0f6k@_fo+SmcCSW(f5$={SC!JLOo{YZgU1bGA4sPK5yxyy3J zRy7THLaQ`fja@$DJ8sYB)PVHtLuRlS-IE2LTk_ABBW(NtOO{FCO7<<}-}y&5?5E;S zQ2u#I4*>y6LEx{9+t@mp8ra-@UtB{Yw15@)=9T{`J{&Tw5^5eU!ZPP=w;gK17kBk2a_q^8uk&Y*LlYu0Jj) zhB+?~CZtH*afM!Z>Vs(K1v9B*ijERz5Cb63S|Wz}Wm! 
zS=}Fal3k6wly6`2(tU#YM@J*aC80Z}T5}236L-cY_BY69A!~6dOy!!JQ&*~mZPaTd zs!*i`va?SOD#=Nuti@Zenu~z=B8jlW4m1;X+#_XvH`k~u)hOo_YsU;kV?XeJ=D%YU z7wD9Y={pOSkI3>XUA!=ewf0a}tHxCoxORPpPlX5nV@wf-T%*71Lef23!5}BirA#T( zLvf9gl>PG$3?V(B-A=G!g3M}(OL+sj8-y&A5lu>23L7%PAkvnI+#Wu({#!)S+dXrZ z95tWPd_6U1HD+v-a(#Z@wt|ZKcg)f3Q4BbN1#o_^5`6O4qD@>jtozx<0qR8njQ)C; z(smUFbUTSJOiKC&9qW?Mv?_=_vIFv;v8!wD5z-VF^RumiGZj4 z#Awy?HE<6z>${|tUbDJ)K{<}9vO)ote&T2}$uk1#rVe>Qi)HRK$58^p??p+ObN|jj|K=#VA9vQ--cv52Tn2x@i>JEJ4yCJB zf#&@#FX9~PlKDUneMDC7l*~VuwSNuied90{W7jo?4(pITS&HSvht=EJ_+EJbLPU*= zLzL?=Vc`!P9l|y29;7C`AKxw1)G(sD9)?aa~QNwkK{a zsm?{B8?90|gx;08bEu5lQe?cJo`gkB5oxV(_I^6!^@J@*nMtkYT(L6cWg%2m({nP& z0iisHX9X|hncyCE5j?$0GrRO$zeReslBB?CXV= z1#Q15n0dFh=d*3ER|Ysj#J6wR%BXW%E376|;#Fn4Ns{7ualOky<$hSfjj;B3n>Th( z8ZXVDnrJHvHRSl>!U26j%2cVMF_0oVUD@qAk^KkltYCyIhpJT+FOB(m_Yf9;-y#Xi zY`|z8H%47a@GAa&+4G*ohvLwi!UsOxP{^^P}pc?cwe!Qa*{Pr0!=W(HbK#wl!ozZ(=ow z=>++n`br~1z(eT5zbKJw4nie`pbj_r7-JS_4}~SkJ>7E0xu3U(KXTEz&zq9zvpx?`2*HzEl$=BV z?I@-qtaTX1O(E3?gxLKTi3$k133E!M_7EArbq5<3ZQu8R`Ghj(*D^uopRG> zL1u+yPHOs_crS(sNRl_pQ{5w87$N$8QyI3QxZc?bS5CIO9G-Hs{_*`Rt2dt1B*qvt zStMLaOn-#0nR?w%DOx3A_Erztq0)o}OT6s-ipuT_dm4+D?h=6Sk|4$c&vJnb!kFa? 
zvq)RO*d%~1R#CYbsffr3^xd(OxOZaeg^PyXKhB#l(uNsT~GS=a~Eo8P{z&YnQ~221lnZsX<#G^30mHPRmR# ztWV9J>DDm-2(?2B-JY}Q80L7+nGjosBscz(>)7{#)k)~=Y1--+^-^s)lxj}ty?#LD zo3hP1c=Jp&PG^}e7KR45D%AW2ei^F-WUW9Q#wUfJWz0VlEsX1ak%q@DQs0Z*1n?Fa z2`K1MJThS>T$D&DAh}%s64dDWI=D+>2TB@nhN#yt?g_bMB6Fv7E5Mp=X@z-P>MKJG<O2N7tb0j5Pfo1CFe>X zFvv`t!aST^wkmMD(&wHsx2W9IZs(}kYZv~pZMT=_Z(p+(a8(IFhts6tv<)DgM(va$g%;oP~Z3di{A38tnfQQ>B@Z-AvBf%3CsHZowq>6bk1KY1S%0el7e#TuM{LMcYlGhxa+D10t5G zWIHyLVD^Cc(=3ALA;EMmqCJXXX13`@+gRDJ3&IdFWVKe=ml#JYDAS&-3|IxW$MLC5 zLWGrBlP13nC&yWl`w_C`&(?Yt)&~Erc?%|TV+0HYL?_{WIRDY`5%L106jYVkzBe#4xL-2-Hw9(s z`R?165D=pxPQ<3gP0AJ8^N76 zV*9ONqn;w0W||JAg9_KYOHAtlk#)F8g+zo91Nk;f{=rNL9Fse42J>Y)k-v_!>4MLV zUGimq4%L}E8_M&kIXY1aWS%5F(#rMqFh8lwc#KPPrc|)Mv%>jKyD=#IKL&Z9#oA)%@+#Q_hUy(;=I}LCWLJ6 zY%K#=y=K2<^o#SsO}@3MRt6iU=9h+j9!$#6%e<1e#= ziuna|@o3D0fsnAHq%n{48zn_(HJ4JI;m~-;H0g=uJA#VXea1V#Vc0d?Y&~fr#y6T# zs4GbGWB0azmziJvZ`;q@erJ*$e6BYT|8L;xL=jKZph0mX{`3hA6gYQl24`~<8QUcSA*resl3?5w@k7Hd%n{A9B&=~b=m$V4x}Z_9H1{~YK4tFiCZsuGofjbxpb}F} zrzd+2*CCG?Zj`LlTCA^Ls2*d+!o_2u)v#eKs7DFK;WY7aaPAr+h6fC z=2W!&Vjw?eejH1j=@gPfKuZ20hzt!}RO(@$?+H6uYzNx9l+}FN;`piB z0i6Y4fZJb2HFvd|Sub<(Rv$>YeZhNFOZ5YE_VmNxJ?b)iU#W#mU;l~sSi5fS=KQt| zr?=j_l&MBhYVio3$e13*HY2BTS1@Fm5({RQ5_u_xeQUXa-z~IKB#|*@cFf_BveTh` z`$?MvmnNMUK#%|yElA!UN%%S3^^h^(EBc~78bU*p)#1>R|GDP1iM?hMxm5$Tpdv+_CRfn-LU4i!U~KN znvH{P3*=-V<@QGZ#zBC`IZsPv#4v#pL@CDJ${fG-{AFxy3ntUX<-ta3Va?`5D>h&f zEIvji$U+*q`eK9%Pv1~!1GOw!N9zY}K>;t0WnP!?=K=9n`OobxD?tZFw&XtF0xBKD zQmvh!PU_NISV&;0E%5`5$`*uNV-TJ&`8wvC23dwQ!-v?Wmc%?qowpNNisw#f2`$PJ z!@cLzCACwi_>vd#U>EzT?WCPL(v@@Pxa zHLzFG@jEb64e&8iZn~z+S7jn+l{WukEWrMg;a-GD&2?bjy{>`83FLqYckC;q8DtPNfVc{`TkZtLmVPBDAK>_v&h zepw1dxBifhNp>7{U#AB`PQZ*s{cn6Sn#*;Tb2uO!*Y;fu~zqvl{L+ z1ZXlfEl)LB>EtI+)D8(opPp##o-J) zUwbT)9*CrqASzBT1y>}gEAy*t$7I;>4N=#&k{OYiVwX)=Ey2BD#i6p0b*U{Fxgx^m zS1B3Uuh?+QahTMe&_g+KiP|F4oMfO?p%ult8o5#XOHlaN1Q z|DQ_cX6I<-WNu>O?8NZDU;is-r(KAkY7|fYs_yQCV)T-)A3^pAV9EAcckK{wah0z3 z^4xK?+eD0otZ1bRYa%o0;9@&(AwnhlrW9;Em-xHIp{|bGMhgiIoQf|D^78A=bWX(e 
z(y`q5>T~_tc?EwmLr+J=$qRqCyW%%DM~d=;p|0OFv^3*cr9l3PH7wEOKVja=WFc9< zml!gK`u!Bgt4ePS_16D90NrG*lvm5orKyzGgV&oaEGe$v-29#z-mP`MOU8}o49a!C zo|AeT(v)&6ta&qFXb`w^EAn|WvHZ#%sefPVVpjO@ zo^5_j;V)@x50JWBr8c?0?ohucVsAEL7kkdvb9`z$ep@d;51-~w_IQ@_>1yv8a#N$* ziE*S!_+I?{;!6|0J|beR>Ng;Ik;C67YnOqvT{a?mMZ?-AlZSIh(2jB#q2T8oU-L&z z=Z#vS<U$t7tF-_W`|riFh*_NjF$STefgbN{)GFkXj8Lna?n64hc6;J$A^;d zL$w)c((nAJMl#%{=)=m#mcB(5Z!E7oLdOaTsl(U*#ksq|^-0&S9!;;kWTU|)^FZ!! zCHunNoYZwKbe?U8$C8Z1W_@vywE@}(F2d(&-P|$na)|(-3D#L z1MT=o&br?&O z71f>3vQA^k?rh=y+8SAlC{fl(qV8zrprn%-O?pywOpnnI?%&^Jr=NtF-XF4aHe3j;7RlCf#!tIaVbhUThD!*^o zG4`XpIB(ak6E_#I8lon%7~&XFf#|>sdysFj=!X;V=9$4xRP{qUd{12(F>bM9^Gi{q z?&jFul8r9V&sVYHA_zWa{k7WyNmmBA(d`lWsdLz$ovwE}farTKH_V1%Z_L@0dtk{? zdUmmqXZrc*ymO5Fq)qqUY?OBlSPj!wRKz+L^y@O)AEfixjPn`5Ix$h3@J1(t>x`FP zdY@L$`2hoR<2eBl9Fbqt`}=WKQe+of)LX%ePn7pN^wTTM-c5_m2O+P#t!H-jk%!~_ z4XaL@_wSHCCqBN$3tpeRm&4+?=}p$0ml#{zr`M5vC$pJ97e4b-9>p0f|9!HhZ|Z3z z<0dXcn9pyQls&}zUA-{t+x64SzSHHL@D>GvhCweb1RJ#erSp%)Z(h?S%#(b43IuL6 zYsh)arRwC?0oe~vt~64CS62Ox1+@HSW9lZ1KEkQKv66MlXxS?A3kZm>0<4!}YLaQ2 zq>FZA*?#dRy8PHOeuXktibOIkuj}Gnm+<-RfXNVryp9N z=l#rONe6F7lzwk&W(3m8P9G7NytVwn3tV{_p47?hk;x}P4BVCv+CJ%*@W;6GVI*Q( zuA=JjcC%ysjr`Nk2f&Kk8dggX_I5xTptbx6^UB+?e!yte!sYv&XpcgJ5!(e_q=IOV z4a=b$kg$KJ{xG)35-PRzKvWX>%mL+HT9wK=2h8*y?@xVNV#GO#l zOY2K*36C$6Jh8AxRhvzV*V}Z!@uPWGe0P(-QNa02C*G%+o~b%Cw>U1siFyuwo*SqL z(z5qmQ)Y)OM)>~T!OLPzvn%t?A%6_$N+x}yPtYRa#mH38BzlGiceV9?g%=f$i z72LnIJ{mX@7u#uFADZGAP=>McJu(@VGsLc-PR5wq{Xu_8`MfL5`YYwDjP|)Wal_lP z0neolxiNVffp{I3Xqk3lcG!Pk`id;b}|ciuEo>5ZjSPttv4dcJr}_7EF>&22%hBQO zq&RsMnhC6$%|lL=8|TVn-SI)zAFqtomc1l9(qbBWlO`yOX(kbq#&Lo5qk@`ykqzc3 zWc?GT{wB>Zw2n|{)kI7b&LlVzOZR6pqa-jUD1QwZ$8m>=p0^mFfDGmTXGm0p=0bJL z4EAKn=gNa-UaJfP2@^81CHd7+FA*@|b{P_KvmIGdL_D0Z8fCp$Tof!$e7HOb z29X~``qLmc04YHIj3}bZTGFHtbv89UInf;XF1`NUKrf|Vg0TP6E}VMCVclPKqHB4{ zQ)D%)t2Ow=)8D+N4XC7cOcY+szG%=Be3S}a#hv$*VqHWD{MHguRSFM4Q;r&3Z>&oE za2=I~mA;fc39-p)*gq*h5Hoa4OdX_)LU8w{XRrH3t7S~i&N(g{?U)eb#G*mgj1`O` 
z4L)M_TM`_TK`Dik=gaTj2vRcxytXk#Tf@JIu=Px6J<>_Y5HW&ehqcPgC^Ud#pWR*d zlFi7$OYY_>r69%4+j{fS4Bh)x9>KEHJ)KZr8eVCO)9q~p*xzqU4~dUHq+!GLbixU_ zGhQKK!8yo_yipkT*p0kd7e)6FoD>@Q$;8;CiC=^QUr*LB5R3-%yH#nk*~$?AUj{Sz z!yMiLIO42gjM25jIO5oZ>}{(V0cQ5<_zT#ufs6h=7XhZIE6VQ%kD?GHiaG+Jd(+=g z7ZX5uA&ZYe9TN}RLlah~wBdFHveJd4$MK}qE0}_z33=)wo5H6Vi;+B0#xWWPlUSjz zq{b4*{g4!atCl3oXEHW=2bhE?hq5jNs`*eHkI;_O02mU=OcNyBp7=tByjrK8dY zUiH@_>NlhlsP{v*ACOW-Z>`Db5%%NZPbTX{P2*_<#xQdC;D*Qk6y=e=u^RdAuTj%a z;sbOgL)w~83gz~O=K$+FFU>k=ZU1~|BOhb27LvPk*(1T7cf_$i3#=W26~m>zCqqW` zeS8O6S*aH~uFc3=->msSG39=Fi??x*sLIEY1Wp~(WU4+EkDgYhg_%2s5lkqsBdJLbyXO)Z!UY@jlg0A+u+}HL3y|- zTn6NHwPM}r+zCY_Z-F(~l1#a_bfl}ES>5)Np`DzM^|}iQ?l=NGxd_d|& zgk%xAdha_W2ID-)L!~4X{zi3|;z+_;2>Hq-k^&dcgvTI)C7V(EtObeD_E=B}f5Gp; zC7YF{=UFiB=|c30hPFjzOh?fgBQIfRhQ2ZM>}b>8=I*!WUD@cos}K5j9$Az%_$XTO zJ4%%c#pG#VL9UMGY6_(irBV8y@jk-ldQak>-*!OuIt>+%{N;68n+BfX%_?90XE(+K z0@WUbxRI^~0vuz-!+IH6af}rRKxawWbpBvO*WeWa1y!4yR~UN z^e{0bww|bKc^y-|ax>)$)d1;=U521W)P6or2~ePWqCyI3aIr!K@yyFrPwFnM(o-Fx zD8`Bxs>He&VbTmi6KczX)o*RJp1p+9>0kRUleJTQrd(H8STELT?&t# zvR?Y|E1>vJ%Kmm!_=6b!mtWt>{zM6nigri8h!_?8rm%K6PxvWoZl}>G3+JN6xD#RX zf~xs2#3t`JxqG^c|uSg4aTFxtQKX3G{q?7i(*L}CWCeYHkl%8}#^_OYd)AT+a!?% zGM-^+2c;yRMgM5h)dqFBEUg;GTFL zJR!2z8c9KKh9Zw;T~{j{_ec`IPw*Wki7f9grQyoQlW_+5?w^>;u(C-R^<$PWS%iLB zI${1uwEI&fQ)Pnpafh{>U7d1~1D0T-8sVOy?zU)GPfL4Ov+vL-%v0H0meN>W^-?WJ zI-!Vy<^oTu_@qsMwweZtPIMS^_AjTajAD=R=xJ77sH2jyxU{=c({W-}WwwVdMi<`w z;54{72!LQrK8JC%&6->~XF%e9A0ANVpM#6?b26Mu3o?pPQT4vnhT+WGri}a>7kAfb z`IWfe;<;&PBC_tJ4y@`o_KIX0A&+Ijs44~4Q~kiFirTv!P%I#vt%TW=U&)$b6xpr3 zkF!*jM>|o}zKa&CUwu_wXhtsc$P@=EEu2NV`?pzAHL^$_pf;hK@T@~*_CIulv`%{6 zeq>(E?>H43hMMI-YUGn-+sJVrofNl!ezpQxw053O$dYVE{`~5 z)i^~Y*Fl^qjQG4P5RyKR;j2jO=L#{0AjhvrHir(V)as)Q{LD&66VW!Nl_{Vci)Tcg z<6#mAHvV@wei_tw&L#AC(BYm#+L)Qg?N_20!fBJAr9EgK#)PpJ0_ocmchp@wFpziI zGi=iXABtWfO`}l7qQuI0&Npl#_Lg?^e`h)=G~oc1os;?1ZGXC&9BGrV7exA%91vT;11J zUKIndNu9M_vt57j%s6;^YdJQ^DII%{oBYo3%)vnk56EYK@$ifU#N?C?Mjfw@K60w> 
z{B$)1nRO_LEJ5Q+x@48dKVM+2EGHJ}08Chd;&Om2#I>Z=8gMI&*@iqs(L7?vUYiCn z#_Tbiz{;YGgE99HsnqhQbD)sSfkL9>Q5_r2{Q8o$V3zJYn6Ysv>jq(>x4voDA^PN^ z>Fwbk@QnGxZ0IdN*)v#|^HY~+Wx?)-lj{ART1x+NccXJ)@4QAKUHxZ35E|u_KCg~wmcMw6u zF4MJ;to@9D35J8DoFb~5TF3espKyq{5)4-dx_nSL4kNr$(b!1nC%sWT>U3K%YK*1z zf(deS&nua%!!6$UxjT=DhL`5Rk4#`B-}5NbXGdHDFRJz^{gZQKt8H-?y;tfOH5UiH zQj5F5FKF#Z6(XWvX$u3Kv0VZIvs( zLe^hrI`2XM|65EAF!v>QcplPsc*>bh_2ErI9CGSUa;(bEgTk@7cKW9>F|TiY>Uj_G zUbiD~dn%3t(;KBv)P}%wh63BSQtsrt{45B%ed+BmR`>^mdK_WTp0G|z^mJ86dUG`e zjK>Q!a<1$7C@<#jx7wN}7d8z(qx}KZ0WFMimUX)bn3E}aqAF9s8qW&$hTEo%f;^-a zw?KlOk{ra@_*|FB^b+93y{uZ8ki|0;JG#86tY-g$o(yd}GQzx%B<(Y~2j%X9a)N)a zd-|~GH@CmnD|R-4%=24axDag5WBl?(;Ppx3@t3`;^`EO}5x5TT3 zy7r_$nVDyab?qG#5Dl<#SySuF_h?uP4dAH+4WTe!%aBM>=vxzh4$E?3VXXW^xT!qq zO4}0pieeOs#Scm+032?cY--ulTQ>pJHeowc6T2nN&&@MpWEc#aS%en$@S|GzrPGZj zwwyf>MNuTVc#SI8v6nk;8TH?tcek_Q#m@1&54k>7l zE?rq~`_9owA^m_#r@d4e5M0VP_3hRoY_B_Gm? z|C#k~Uo_e;`ONx|{>)llr--RU@N_vV!S_9D(OT|KbFNlggCX-%b85qD#1}Jzpc6e) z)ew!SXj8d7aF%j$?2`TRiJ5HLb?F5Yod#$*l=^BTHP(~Os%cMourKc2-cNhz^UX{n z5w05>?+u>$v&8n zU46&ilkQtX;NldLAGnv^yqw9Z^!xe`m#bZNKu&kU%i8moNuWrH?`nu`B?Ut^&kMy% zP7G4+W?IT3+FLx}Vp%+jhtmhfoIusNwMKPb9#QWx#OAFeB^ixJncPAb_|)CCU68lE zJ6gKF-R`zmw^ykJl}s=Hw)?Xp<=p{}6yTTfkuUAw4$mzdHPX3` zS+|^B)2#WRbWm9qt%%5>^jUig^Hxqz>GVNB=F=)>(<+ftBgU~XnXRCU(*g^2n!qG* z>VH5x+^5_fqj@}&({XyP4vI{u@(gL>S8p-Y=L@+un3XiEW$ z7U62gAfr4D-!OW}rI7UR2+jlvDxT*6RZkV8-J=aks|6=yS3hn!Dy}y=5z#X){emzX zei*`vzHlJa{H`J5s-D8$2EoHE_43<%Ra#q=)NQG5w7plg1k%|gh$ITdas0Z94_d7@ zZRWEUewnHjfb*sxA71r3%#DU=7>-bXl~BqFcHL(pELUO}#Vur)k6e0OAs4-zJbU@^24fD)xple?w9fW5M8#rG*IVsuZgi@LpGr0i zuTI6-=gwv?kUBJUs(6H1rsB_ZeM#=AHEKnkVZm)<;k?I(?3wn;x)i2xbYQ4q3bO}8 zPf}@MM7SHA8R8&Zr*KX6g7Bw#UgqYbC2wlhOI*JLGrlyXG?DhT!#}+1Oj&`X?fssy za~<=-6$ZMugL$*q4o3O7v8i6jVgTj?=D~dWl_ug9Ehe)>rh?G-Pn%}H1IYwzJN0oM zdQZsP!0jna>b(ywR= zH|p?mNHm*$NhgdU1f^oJ$GxE!sTC;yb9(kO$Z2nwyos0aB)qrQyLquLv6tQ3uAukB zJN3uV?0|dZ>W?JCAFW30s=9(6Fyy4A)D{z|Ll((QOKJhpHLr@+8R{O2-$?$!895;_ 
z^c;{Bs$!HFl1e33c>2Cb4q0hjHIPYBlWsGiWUQGj;68txFrA-Haan%yiE6?Qi7WR= zoPBtAXrLS6_vqxQ-?_F4@oG|$S6F?m)#8@OXNS!TT>o2j?=>O>HBB$+;Sa-Ro0K0R zV6YYodL%zvPEz_zYH&?D+UIj70$GQuFG@pFAbnB2`VB~uzckpSF~`AX(BYql4!Wwy zSl^46GNb;THy%m(Byq-S$|4JK@zz}Ot;@Rf#&xH=2*U>w>MMF#Q}#8;e=k5_L8_4R9e<}2Ct%=E&VLd6;y80?ztjl9X!#{SWf7RqS{3HoP=rBp(`|~zJ zN^Vis`ZsN!(x8gq8@3V8 z{Qg{^w4Q%r?&}y$O~;wnm{`_PtE^YgXiv7A{Vcz?#wLx*puz+eV>9he9bOkHnxy@NnGFtAr`0 zQstZ$_o>+(@qo_%G)!ChIp=FDORlnEu{POd!w7^#0$OH-Xs$yZv-U57(w3=M%?E^1 zbv-uoC~l;VPJ1{iDDwQBJ~k_H1nF4RoaHNp?V*U%PJj$^d64}na+6n^Fqu$(2Au)( z6y`Oz9nwdSlcMnLxsWaeL>?bn!2A-Am$4^$SzNR5RC;ChU5XMkfye8U;=v+a32Ovt zZRuRsB>RYANjr8l<}3mHHm#smnTk+Xl3wM<#n{Kkg6?b0 z$KC7ZS+AlWPt(Vk*)0D@$BjJvD?XU@OWyNE1I2V@10Z+zft7%nu1}$- z3m$_sS2qaaj>J9DUB*3Zz(SMAS}JnacEmf~Whw)$r@ZTD^^&SxpA(%~tg(#WY5s8|&AM z3N*2f`n{CHAgW!vlMyq?xR1?;-2nzahH||ap+9{^>=b$ReTolLANE=wWA#3}*baQ? znNjEicKAzF%KWA9-*|I##lfL?TeF}oqfcREmTpIRmKWKR@3u?jaQqS+_AQ~>1lNkNiD!8|ODz(3J&zFb+4%2*f|LIX370SrJGgTY6B;{lc6?!o) z9u}PPqMa{uc3J+U{z`|Qc>%$91A&=tKd(dA*mN)8P-A*}W-Sgtf^kv1&bDMEHWOlb z!%CFsJF*&e%eC48QXnn3Y<6zLh1YiiR2K^q-dRKUyZQ^OyVU{d56Cp*0utk6l*m(~ zDGcI*EX`|akWfv-5R*I2}6{VqoP4^l7KI#A_&Vt+@MYQy;F zR6S)M830?mw%D>^^bf|2LrQ4)tpoT?k4+=|yAj#t84dsWL;O(~a|~{nDaCC@7gAE^ z92$Hv?uNaT&mmO1OzlfWqj`}7W%Rw>^za;evzhc#4;WTh%q~M4bZV&nFqBuYL-ckL zU`$wWVD{_|n&_8_be=>0k%QtG9e-<6>|+9Y$7^~xXeCb~_O+7f7|oRE!X!RIH!0cx zm0#Z@BetSD!NUS0=OKM`MDR5b_xPinR^{S>=;FH47g{K3fbER>W50+`<*T#=Z*hZX z)BE70kIJL;I&5<`pZZ;v1-b-BJ^eiwO}}N$UmKQm3Uzr8rR3<%waL<()D7 zU<)gWiz?;9{EM1;hj^}JJ!JxEfLLu@?eMZh^6Fx{yMsbEzH90o>}+-Uh6Q@?YWs0~ zmcMq_+L^Exb_?*g8MB8(^N5qLzQTAR<@|9fZ=M#}df1+vOP(cX^=CK(orT-Za0?8T z{f$^JfqTMW*#=;!3^eE{a+W+ zoXsa6e<9TKax%#S$%7l;>SwA~Mh2`yc=mzFOrLuS=}@N|H2alf9QemHI_-Ir>4P%d zBUlk8xuXfG;YI&~rZb%k{;rw|z6clZ4~7Bva0ToWONjAYpl-s*kmvSeteU(XWqL{J zz lde-Op44O$$_i#&(VhV~rr3fY22TKETlBPtD*I5NSdsFO(OIdI!(NqdawDD;} zubbhpuzbBjcsk@wB4a-A)wa<@MP;h-CNm6 z4)zS*KyUx*W?6P$`C^zs(PnMsijk8mr=CGun!>S6=^R`p+#Ta$($(|+dhrzeKB+`v%*{SKW7!Ym4@}w_*+wQ(~2B3D!7^9S9w)#k5Tf~N3m&1 
zhP(+&IpN3A5ChuJUw5ai||$j!v3Ai81iafDyBcL%U$ zUvi&n^)L@d=JS%c+qy2i1xD=dj+-0kX_97 z!n@KtSOKBa8LZDpDmK!*_{J_X85PZciwo!nrJcpY!&od;ie zr=>j6RI^v8ddye;at{}Sf&zNzVN>7jyPCByWHAuz02XdL;$%nd_<}E)1e$%}RI1dE zw-Zug-S*zi8pPF~JnzlHgT`36;|m37H{;CCuMyqRreEG9SA~o9Oc#NZ;rpZU6MjxT+XPtV2oNx4{WF(nw#R z1`~r?fQlsd(%~6W)}IlK3n521nZ;)I+1a9VT9m6dUmZA*jCb(HqAd{=|E?QWC@c`V ztSk}AhCll-nnYh`wZm+gqp>EoUyN*baxBO?&xpS0JR>+Pz^L0)Y0)HWDzb5>hIrjM z_TS6^hqoEV2tG&VXjOFGDQ+w&QP4PJu_rg!^L%Dyc3564xv-K>VH1VpZwZj7upV!T z{UPkqv?wS;YNV8aj3LtdT6`V}SC)5Z>STn)(E&TE63T(%H% zaTRf%i=vuN)rN$BF5?zl;ZPR}1<8*(B*cZ0J!dm9QZT$iT-a-pho9MvqEAY}_@^M@ z3wjL#VtJf@lSOLZ@Ig=$`~zZ84jI91H5EZ2F6l2DrF|7>#JO%aUo zUO}yl;kDIT`$A@UPfoh1q;iNLL=1!Zhbq|niKeu0&!d(SiiG7O?fkXS3 z@Fmdf+GPcYRyJJ9m=lk!q)l)zWGeYtWf`q~&4gb2mJ>cruUD8WqE0OqMconuZ zsaQum56%9peXrp%^A>#TfxlcJw|au-Cs`A_TDE2wtySCw9k1unx3Plm*a0lJ6l2V9R^!ZN!=b$)%q5w` z7W@d_ax20vVBg%C7f1Xa*A!jXKiaVZ;o|H3ci_gm29Mjke<^cF! z<`VgCEY)nDwz_QZO5h3I`0ZE&P8hYAiS5G0{5csNcBKHz7pobjN4z$>p1q^0S0bHai{*WHDM@NOymi-DP6Z68SG;AIg>akV(|tROr8x|E zd2e|sVzjW<>HY5gg#M~b?)r4Ut+{Jn1ea+7$KT}||8~+F15oedF@D*rC|6NY+!CZuY`LmE|vnAVDOvg($<+4Svg~}VoEgN{#AfKHn<>aSo!=TcD$kzP>=YC~=r6c<5t8Xq~&{tXUhA%T&%4k2zCmR$+T_z17uy08%(wG=4}mBkgB?UjZO;U=I@KR>s$tTU6rop zkrSAfH`MdzeV#Pqr60bg7ttFJDlUiaZxdOM*SC)~&DXKB#ArQU!zRd_-TKT9ycnlX z@vyeslhVrEwL1KAK1OL@h*a4M{;u9acqCU&^^{j+0AiK=O8bR+EHUn-EpXz`+B0BQ8onF#3h&y^G| z$%`{R3Lo zrco|fv)<=gxnhvJYJ1!*jz6sJ!VcO``h~S;fcOO;n)>PPUI1_#<;S$D3TWJUPN6KP z+LfLYC|^Oe@*`zwf;G86r6nApO0{@9_5N`OKiN0D^nmD8Y1UO1`*=1>&BruEY@1nP zuq6g&W`OYLFbh5Tsw>i?nbbQ*++ZK?=Jm0ZjNo6Ttd@*-{z#8^E@v8dQY?2KbV4!R zYWpcCofG=gzXDf;MP5|tAZIUPAL&x}3k$27TM6RqCI=e3ZwKf5w9Bp0PZE62_ z64V{MNjvZV2k<2Umwn;ES`LE{$;oy9A$Y$&e1=F3Y)?KX<2^WrE1xAmHo=2p7Uy3G z6~2&VwfV_raRQf@iJ8Zf3t!RWJW5=CRT!>W$0IG`$x9~$nnchu0Ibv1uXTID zTeSsFgFRh5i0bmz^1k*n$s}FFarW_fD?#+IXf2#gW4Qb;zoG3^yPJJCx%ubB*R6Kj zKTcRR5w4Ay2nWF;3`Y!NQDK;Of|&n^O$Uaz|0`t&u;gLwfmY$|Wy8bDcFK#17kQ_k z4RI&^FY2ZiX^g3DKyE$B1KUTHgS6}(3emOA)U}V9IUrdYBfB>Mg|s8Y=cpm$^xOEk 
zezh^)*(7tTNWCnMpO>o}`+e#KyW@A^fsswB=@k*V#0QErFg}=$%DG>wr+9 z{igz~@JiC+Yb(=&NUHWlXpGSWi3YqzzNC$-Ubu0Fs)G+~#0@bQ$scgUXmC73Z@;cl zZ+UELP3$E4rde)Z)RSp1(_&`ION~+N$>0CnW@ymJGO>kP$7u4(UArNsDL?Ao#c?yh z8kTzE9)HDXubCN4JRvl)&+Jr~f~#r-M!oxQXsXO1+eNIV+AYE*UHqVQioZvz-$|DT zJ6s=DZuO&|tXk!Ao5D4`)+cAB?kai)2pzWVX#LOH6&=VL@-u(oDEm{rj2@fR<{#@K z2E!+AN}rU_xd)w>cf1$Xv1{e*QI`b4c5NiDO8WE4oIBC}iN+pjh?tYvmaMS=q?hNA z`hoJ4=fILG{Ks#s{utH#4GXGqdf%hVZXdXhn~tORnK?LzTa7BP84+xtk0!o);o#%5 zL_?SU#Qu95qoEU62m1hkK^3C~bNjrXsr4bVpTqokp;%JjFo~QeGE0NmImPR6Hlc!}!Zc1yA zCqV7SQD{)k2Z{P_aYl&lhc5772?v+_yObdbK_z{F;1U%hbR-7!Y^D2&{mUYb>@{@R zMfi%v{5rL+&FECwv`E1@WQB6qawePQA_%JU;9uOvN4uZDlG){2RqLKT4>G)V!VyIoE zRazPFK9S?nQCeh8lE@KD2o=wNsOJ43J94m>Jz@f4|9N6aBvig1=6%axds4I`u38hd zk{%zPlOjSVxZaCdKm5wy*Qf(!ou5+#OTyVjpzc--r;`1s=1TqP4l#4&`chql`D3qtBrKdZ76->T@5b6GSd z0?cL=pv*iX{t}6C`Ku7Mf$VN#piSiuQ-7(1GB513fvF^N5Me>5NF;y=%b*WQmYM(= zZe#hX-+DWkHkz4;+NGG*wLejGwqN&gg~Wk{yP0I@}V`!mV- zO*UgcUU-20{D3X${T{mU>HGz^2Qk;+Z`r;d_fss`-!mG-EmHavOPuWLD*;I8n4aU+ zUvyX80}8B5uAoit3+nZb$;FoW)$b$zhxnJGNI#hSf}Kr&n7dt?722=wzM_*cx_aGPhI=}oU{7BbIKL$to~=w7E^>-hc>mr-UtvYP8eaF zTu#+>M%Ous=4v|0iJZIh{jb2#dt@Kq%GO!jnrs<4$|;bhTu6TLM>(#fxPhw#MT-eH ze5QAw_7zs^rDLF*&d74_>QefJr?@@vh9i@v03;Y8FvQLNH|311NAd1ofyA_9eD%1c zDUDMvwq4isdi%I#86RsHLHw1lE5&XkMI5@nncur2!?AIf#i0Y$+bjI>`>J#yKg_kN zxL!2KMw_brW{l7-J3+Qtps%mW!&xQ$2_k-vfz8-*^^enBXIg|y{?KyYD>qGGNj}U| zvu*!FiARHiUSf;k=Gf&Li$GG+Qn5`jk&w*Mb8@>GtuN9+xGktT7?2ie0jV%mpMmQM zeZ0t?YjUDPUq71Z!N!6HIOjcvzfNgvVbcf&mu~!1Lfbz~;_eG*E3q+|tejptm5TDie zUgxR1{7&-YV3DSDwUjhsP3aU#OEG(Vg=RM^@h-O;+?w2c2&*;gJktJEzsQlsE(0R? 
ziO+&wjdv2dWr=MSpM`Hjk8Y@1sR3;^i-*2B9$-Qwhe2U=SH{^dh%vl?#EiN}p*$GSTv<5wrzaZXoqkB43)xLpV z;Enl0jsk|yyeOVjVd%wCERLJl&-YWYYi9HmUqO`0rQ-r_zUIb=LtQTX-WW%hgrX?2 zr^-wKqk=e3o+3Q;ImH=s{^Rd6H|m>Nv%o`VRA0}QriE+2w62TwF6=e zg~QoSJALHLL+?b&F$Mo<4K=&adf3!FCENg%)0Q&{lJRKJ znd3e;iG(miSgR%$PJX+@-+OkbM}9;yV0BCa67t^Q4Y-f>K5GrskK>BOhUh3$aLeAP z-PlJ8I0v*EVOTd12^0mY_$lx+s&jz^CQ!%-5EPH}B|by;R1qE4cUf(_y-54&)Df3| zgmp>qYMIhT5lJc(5CLZ36VRZ*b`!}#K7VIWqjfn3RwIBD>!_R`4#!)==z*m zURmy6-o4Xqwb}UtfoE(zK!CoRXu0ZSjXsQuR{*=?hy6J@<+MLFc3F3Rwn4Qo%Go$` zr%2B-!0HlVN!puhfMwyC0@!ot_4ut%uovkuX(ON&2Irf>elRt*1aXMq)-bIMT1*&O zSiMGQs`PFd5Ls2=|AHH%Bp8maGMFTQ?U>;6n&O4Pa{h+Flj+;l;g@|5FqKgW7g!f? zCzD7})3E)GdAM3L5bdi-(B>kn0Lg-Ik#9&_QRVEV*5na8=zFQ(0dAsID|(ME6H zluK7wJF}G9$G2-POig0Q%2|0({X!X1-m@pT_dKWx^J$#z91^^%U! z3O#h7UbfT@HP>Pn*n!?8V&mO-_UlA~*+=8!K{36pa`Se=v7*jzf*m!cDwx7~ZX@ra z=UvtLyo_enm0hf|CBStSv-aA;r$e)d0Im3=>0sY43jFm)f*EwCmlby}D?Y#Pux+u1 zkA0m+hPZun5DSn@SnI9zTjau*J#(+?av75 zJzRggt>+9~*V**GKUC%OS##GHbZ6LxCXT@bix9%1{szg0Mk1}T=UJT+%&ZwSoPbG8 z-TrT$4j3Yvb#a%S1pt>@57X-j5$Q_TB<8yp+AWvrV#a0#y?o{^*$w9NrCs!WP76`X zg4`-svStj1Wm!l)Xn#q#;Kfant~>havgyynjIj{VWVs=nG!cRaB-fHdJJ@g(aPRe zJQ^{tX2m<3W^NZr2Tfhdgl-SFsUyOJjUtB(^@A}uSak#LxGyq3s7&lz*;PL;C?_KS zKc=oRysoZkH;rwb*tTspwr$%Ze)QWeeJY##%6*h)l4nF9KW3+DtVY=BvJJEBx?`(@` zsN+kz@iR*$oWbXS0X9qa{uH<%cKbbihEm@)$8WUACq7~9Y&wM7V)NyRqVArJSXRhu zPR}Vz;ye8I=ucZ;$Rn@Um9Pcc>yQkxwYTWvVdlxvgw@DX8enDf=4!f8mOJ67l)Ii_ zQvXd5MB3MjR&up3mKoV20S7|dQ#5#N>|a2B%p|3WtD&MP1(3+aDIOKl$9BXupm~qX zd{gzf5z;m7qHkGerwZ1?uujr4SGYAKIj44s@+>bPdbEesMQ!z$ zQ5`a!gjzIFZVi-IENIX8Wz-WCS-0h?Uc-XG({Lo2FuAmmfdm;7zrF`zM~yUSiAjQ& znUpzqQyVmT(J}+TUz6TADG6_$WO!LtFh!KM=VSjZ)j{xJJG^G}ugOR1#LMoK8qpz_Y+B zqBAYtA_Jxtk$;PH5>BEbf$NwQ8cffz%X{4zV$w3bIH2{wj_QWgD0aY^zGsAzPLnH9 zMvwVd6>|=s=s7w{=u@qt3wFWhbZ#og$%juQ22rhblbSQ;HzIz(w`89k{f>jVP{YpQ8=VOjS&smr^-|_na+UehFcs6nZwl}M%MnX zqJ2mtZJ%W$YX?@e*9;1WN-Y8>w>V4F-}r^md!EfYEDm6)ONzVS>vCq&lmL6f(e%jk z;$>;7a{#I{{pp0IqvRwJXt!nX4*45?YG0(EX-5F@;ulWpO^ti)dVA|dGUm4;Hh}I{ 
z*8I|COZAnVWb{!27u>oQVNDc+tM5!(e;T_opgi92 zjKo9S%zf)vxw3J;bJ_Vk&ar8cAH5)qF1Iiltzcc#2MugMb%^dRuvzC}PzwNv<9ZnP z(rHYoHAxp9jhWk_k_rCqIR>>_jgopI@m*aU5o=)|qM!4K z)+@R$uM#PzDG0YCsg=4ay5%buRD_H_7pWrD_-W(bXnGg+X7wB;zy^uYf~b~_C@y#M}KbNLCE)H^0oA#=)zXe-wga&mvSes@@uS2!-+0|HxkVgPlQSVnVC0)IbZ zGW}{Zm@FV1baxeYH0Bvzw;zIjZw4l8iL;4G*xVm9~99KG@(;-ECEvh!IM*M2XLu z9XX96lM>{lDH*i{w=lUHN(Uy7EXKwy=Z8fZ|7+T)^qm9~y}hs+m3`whfbn#VAqkD* zAuK|*qlIzslm?g7&jN0I~g;+r`~Qq)i=WM-eUu43BCVyFKGbHhBT&}8uEJ=>oX2{ZoazlGn*U{#g%XR$3PG5%lT*GFx-4@ zaIYRgVRtES!u$5S+iWKW9?flZ>L!Tt_$lhPS|>V=nFz3Em%Mal_t9nKumEY_5pBFo zsA=@)ou8U+Gdih48XupTVTQd~xZs2}!6HQY2X)H~xe#Rnb99<8ORSOanzW1WO;BokFh* z#kx>M94^gPI^~!PYb+1}Yz&8p!|rn)D<>}%nY++=ElMw7{pQ@H^dGLT7_@y=EHY-t zQw$) z6y~D)?hGJ|UHoL?QEtxTbiC%ohe5Ja5)fBg5kDlUWu|=^-THEtB zL~Ss9;EX^afRiwZ-y+~*>8(3TjOT`rO{8!Ncsv*q4{yI=>l7GA$lwvy(V2PzkbqIA z@C3oFDPe~zlw=KF3Rlc9$Y>;SA;a2Ixan-mnwVu&bbbS{dl9HGgo#+=u3_b~d}EPf zDP{OvaNkZ?Phu%EjZOh|ENWZcT2gUGbh$H2bXjQEiTyMoBQEA-f_TN2+s@6^$pIX4 z+*pO$J^1w&?tX)1qhHi|Uf%xAQ2Xt)_z+Cr-9PiCmsuj5H6FM~)fOGaYM75mbJen6 zLhmkWf^+v>w_iLrEE3D{e{OqA4vl>WbX!kR>wW$>#@EyRI5TyL6}HArr3%4fE~{$w zj?XCmn-eWuyS`&AcjJWan~rKauw6Y>h+lB64}6qbgGIT^k`gX{XcV!iPlVr_uL?Qy zkye=V3aekmXItCo7i#;yV1CeF(Y+ITYluUY?PGYAu2j(fk@)kj8bVK@w#JGEof^|& zlJxWQ4JKzdapg>>9c!A-*LO$x9Rgg+Lt2k%);}}OdCBw ze@Ev(ZQ#UL7DmYFYusPwe$a@s7$0iQg5Mc7JUyJB*L~S-c}>(~;k@VtjP5_Wnpj*w zjALTa<#hS9Ge);Du+&$R&iN{5&%2Y3+wvsW;}p}n;$Sz$gB9z~rs$^*c0JhsZZeg$Ih zWw>{-Xe@~}?9m~Zil{FH-=z|i_Eg>OMSm!Zd}lngyhF)-R{p1AOky6XvS`46asi&+ zd1oZ8byp;1SlKQ>Dh#C|=3V%yxqQV83-W5zg@B@DUmcDmE3#X!l595f-p5~2^ZTUT zD6m?71>EUdGt2M|QY!7~^~(i(CyuyrlR(QCA9tlQ2%@zze=E*PyarZ_; zo(4j1-=@_7)-LaGvg=~bj}_mnarT>10NbVW5Hm}v%E*43@XqwuGF?4qVeQsQDpSGPaia~y@6 zkDt%}(xaJ%xaLO|{TS=}u$g^&AzuSZ#ECq9#{KTZ2Fhl>l4QQ_;X+21Z%pfLZUiC! 
z8TS@yzUldgYV)&-^*(+8qd4Dt!{r>*MVQFex)0AaZMGXCI=k1;}QxNwS=_2~np{Zl*b|%WIgFf}j#d{!|Mz`tj~T6BJGBKY#?4;juQ* zzpDaST!SnZZsXi8kn^vT$bJWWxj_LqER^YmFWvyF7*0vabP-RAMjB$cxSBF`B877qYOF)nP3_0Ea=4IY zRBy*hi7(`ayK*lum11Ya)pF$vDxyiAAj8=Qm}%b+98mOQa-`CSpIlVVAF01SJn6%8 zdp<;(m9f!i+q^iucl~T!WB+3p?DrhcpK9DVLC&Hodd__7ei#TJqYFgwp)~CrquA`} zyl?&W9{b3~L|7IsFL19=$wV9q!w-~UcUgH$t9E@oYqu)-uZ(&UiWIU z3aFFA6vKPn*_>S!M4&qN(-gx_U;3S==?vuqE@!(XRY=$3F}u%vIWSH)z?gVD+5H$% zG1aq`@59JQ>dZe(0XJj-iJ$dsQTcD7pzx_8A&Aci>&LX zX-2{J{tMtGIn=;)b@V{x>KF!O6yPy?DEE9*@|0?GvWoRW zo#bjES~1)Yi&)d{;6?gVaOvQS#Q0xDWO6m;QN^+f`eOTCBo2t*%0c#?h^>@%kx(q+V_K#n5DZ&*l%-Hi-4 z-@skxZhL|M3;TsTtdE(_s*gB}04bq9{8GYV{7gotNG1FaTKSJu(ryce)a}ARYZc=XXd&Qm%!rHCJ*}!_}I~Z^+eH7cR84$RE&d#)su-+UUi?D5$NnMuBy3>WzxoLW#+ojm7-_TDqQvi??CIaYogfe0kbziP2#N;*ZTlR+?u4c;n*Rrr zqYLNJ6sJ_t6@lp)xA;JX1h<$~bgMwm3a8*}Bz3L?KKuwt^UAE5UmSrR)iF6Ss4@#z_%JE7582X&g-6nNNO#zr z_!jSoEYSJ%F(EZw-55{jFj$xdS8IP}2r8S&F=K4By<#lF$~G$^Nz^JhLdEo`0^^#! z_EKD9=|b;pUx`Nybfi=h<7|^ZB7J?fE|I@{oFGFc6OU>UshofM-YPb|-$RpZkWWc( zuoqnx*aAs#X(@yLI^7U-^a%}rKBQ@@&&=xe#PKw8 zhWEb{=h zgER8wlZ`6v`X?@Wt2;&<+>(q{rb#+xt34EohJBLYEILQw=f;b?_TT|jBW@5m$qFx* z6Hyc;hP7_I3dMOuO;U_3@Bjx4#eps?D&nJ^IsCsIB|3h-h;K@@m=9>3VAAMeD5T46TmYuBFTT;tvSD$*j2!XGSaYP*&PV z3rBjl{4MXl*cEAMpa0Htsd~qwVqIuc7%j0Pz9rTe0s^{{;G#QKWyk3QZ)}K9AgH}e zJ1NNj!&`C5(`hBLA^i=6V%>|c3r@gxsY#pg2!APPVj^p4lKz@$Rfw|In;{XGRBZB~ zsT^GKv;w)q;)mMSS%sl2Y}d6`ezCAXfEVtkLDgwG&hU4pbiqraSxRtpAMNHwzYYZb z;7v}7E1CTYdV;$OFN(H4Om#|qF4rZc?Rn#&S!gmbE@YAqm_gLcg`cWCYFR{k`R>0C z6M3pzxa^DNR0N$RnMwwfO)FLdHM`8?XFY%g;GG%gHtqOR~bI);$gI=e{B zGN28Va6u!+v5-;bu^A9h0`M!u7=9?=_0h!BCosA?s3Cs?sJ+iJgYv#2gR-L8QC$)% zu3fl7utiR=p!jE)F71aISi}i(FP{0K zeB$`Mu8#g8$`duBRgNT&F+C#Le)@hrrD9`J5)X5z=4UcFs? 
zQC+b*MmduazmVM!#_)bPb}s01JGMes%&rhRv@Gu_|41AFF`j|IvPLuHWAFG)A_d9ucoZYcgQN`KA9Wt8t$* z>4!o}N0wn^zoALEfkpLy2?(^bymq6qq82zPHmAO?Sb8keRX1%OF&ZN*#(Zm@T&QdD zGQsN)h>})$em^`hWTib}+KOA_qAa=rAZYOlhr&Qmen$jm6;5GO^udi*Uv2OLMkHmL2% z>)suLw#1!o=?-VGEX}v(B&6Ev)amPgNZ_g8`m9B%hQi_I8sZjewSDTcqH*!BXCkS4c|7h)ry+W zz0tN>y?@EuT0d(C_oLbViqO1OTDi8Afk$%ALMzxPZ10q;RAd85V|_0n8!cyFsXN}i z!g6Pj(f`7j8j9#9RuNt)5QrsWQ4eQ*zw6Snu9cDt#@;&QYI&fHf6dzHYH9Hi$U~Or zb*S!^n7++uj?uX-h^UNE1ggz#G1fdpD*MO>}f}SH@KjH1V{zp`P6-xqttjdOsa25uf?< zOl7vjE>8K5VpD zS!POkX*=n5Qx}_4AQ%n@b+=C*gV!XM0Md$Ao(1C;%nhbdtPfPciPzZ+E%yBMUkpyk z&(B|1o}HF0QBEnd39R$BeuT`BzSV+Q46S+NvXS^kpA<6V4NvVLK>qDQ{emSC8?#sO zCl<-A4KnU;Ly+ALx^jPR;MjcmnpU3aYv%{(sCX5w{1 zbukf@fSbDVk8+FVkk{|4C$A`0D~gtUHz$coNcy@j+S#FJz67U|> z&sdW~;w>P&xq8O+r()IRjldcfv&%wiZ>Cr?f|%DI+NG2OlW_E5dy`%Kj%n6o=Cn)9 z@sFM8%!}H+R1kAiutn-5bz4X41b;Plim0YN-$zC|SG!!F653c7__m}I9uKcxnc&VM z+_GxL_Gc(|o$4XSW&p*4)uu{fZ~PGF$Ph_Z?V_R5&Ldmd`-51kE%+02)4rNe_+Oj(-_PpZqQhT(o9Qc)k zL?*)_jtBF&M9(&c|FZ`Vee`}CV=QW4n@ow_o+macf6*}%;DT%v~G-zt%^j&(8vy-}rreAZXOqM9uc3;#Wf0S8gPW7I?Hy=+(Q zSsH&GPdAwt`j-x4B8SI3A``+vbo+(sm|54BJ^0`BWe#0lW5|&SKrvvUiy%*4NT{Uf zjKp|1oz@;;9<_p8A9JG1MKAuZa6aLdjUK9{7BAGoDWy>jLC!yC1;>dmU7z5n5R#j9 zssv|Bw4S@Q((+K!Y=x8zVt?sSTba$;viVLj*{7U3QHNU7B+>{NKD=E&=2()3KjOn1 zl@;K+YCO6yUtG|?j6{s2gW6xuvc8u!5O5Kb-7M=ZN#O@U@ICiQ*xEWHKwM6)+#(sp z9N9J=7@k<_aMU>;Vwmf2h0pYXs}bH0hM`06{@%%I5Z{;Nn7{GC0+Q-hcQ_2KB))gy z!q@>F@UKH?Tv9&spsH#CY)(x0F(sA~8- z0i`w*O=;;gum$6PG;e+GClofoH44Tu0z)SrpcbA12?WwY6WISx3r8_}DomoRVvOhv z`Put(sMn32kBVG*LN3qg?-I~vBO9=*_AP%1uBFRQhXL=2mCmoSl! 
zo^e+&>P(8dUp(2g`-6X&0sGpXArv<^4#^1;Wzm785kV%qEYpp)L)olB*m)U9;zBJ@ z^C9QN&E0%DrvHl8Ypaa0kRoIGVzosY?wbEPQseGQ?J*c8}3qtiOzag9ymPus?9z3;1chyN3 ze3l?2Rqh1)2*0y?8nb-K>Ec9@sGsRP*jJJfQ4*bAoH_m*>X6m*2H0L{l!9G^NZvt5=`nv72ZC5s4@b@;YNH2cl z!k;$Hf2x~ezM7O9hvp=Svf{vKhQ1N~x&e2eAx{(*;JKkkH-ymhgj%HKnqe;=!@Y6v zTNA8x?`x5~N$O+P7cqK9!NhkQ*IBrYC6d-zf-b!21Bo>+%&IWZ6|LkUdw+gyRYQ*= zUTxN3EzW|y$WA|1r^Q(ONxw9#Z2ibd7a~ogBkf>Woea^EEB@gTv$$BMI>zoMgZ?$0 zPqXKJT2X8F?%6!O%zCWHI>C;-%u1EnY7SeOz*{S>%(#B5SKRJKVmZk}lq>rk&|Axk z+7bH8DF{k)d_eCG7;F^xVgzG2C|S@GIh~B&7nkPUB;klYxwP=h@#W9Kq@w6(Sr-TN zmnh1=ij`9+Tkj*V=-4={fIXaw;vjUAtJ}ys9miB6ERTS1u$S`Yp4(YdW9FVk-)LS! zIIUF5_mg686)~q`acZt%dQ$A|B%am}ZACQpQZxyCAe(fhMc{vg=#WCk4={;HvVLBB zYSohexK__$ua_ma+YF0P>wU+g_ku%RDhMdiDIjBbdOF8kvOVre<#-Dv6CW8}sRV79 zsP)Qyrtvjc!m%EIyS6_kP;GDSPFa7M3`Gw+gZjMBpt^l-7gx<;UnQ5@(@-k$pzK5U zs{XyX-F@^MWQ;z%*EI|V&$GbU);9NN(7Ws1fXn=;`O|R$C-=^JFwD1`2(CnCZxo+c;Rqv@K!g18x*4`5hYqHwPK!T{( z4^TbtVR+QOVl--gmGxF*xicTI>a}qI(jX-%mg*9~l7_4lpz^Nx_+AAX0ZL&#-jbBO z9C5L^kvAw2xR=$s8e?bY@1Ot;TRx14cysgkeM zL0Bhq@N?~j?nQx)R|CJ-er zFk|=I&|-~Ge4`qj%9{F$!BUsBEO*u|t8^R`)utBK+U(&maeS=Xp2U-r1gejuCLT~kkLuJMW<6JfKN@2>JGF$&0ILjrR z>liyW+6D&e3lWs>y{`voY;xDpw(9MWJ}02|t95Px9|-*m(CpbmE#R1@>p(A9UvQ}J zEeWj@JFGdzVc=Pk*x2de!AgIyZ-0wTgQpmi;RCR&+Z4e4GQIO;D5@!lToO1$fsCyg z%8E2m4(byrj8S{)C-y=7?`HiG%zs0Zahw%RrlIr)=3AztBWYQL&yyUCGOh~P4+s$zd8Y}XUX*3K^Rv+>gJ@UPt6i z!Kb6n%tw%gY^j%Tbjw=X!hnE5@F@JAv1}G1Mr|1M<7eT*Z=1otMmX^i{a?qWj_e%UyC_xv%aHhqx3fcTFf^z%3h<_Ag!DuZ+FkERlM1-Yh7h{ zL+NMzrwR-*1c5u{@m_;=2{e+}ekmg5o|%2@UK=^6uaiI@`5EdgEIs!)`30KJe;6FF zjLKRAxtQ{ZmJ-foBLaH%>*s%g&}x~b;Gifs0t|$0ILx@`Ne9P$4sMqXd+J&VCt>SE z_++22bh*)eT<Q-m#x5o ze9TYavOmRk+PiblFF*>%u7(UEVX^`N1a+yra)gNtg|M zQP+GB7xyLRg31z#prMVUgiRd40B6m!(l8bzvxHko&Dmyw;~QpZ1JO+Bdyb=rGG!%M zDAqjb&`cqccooTl6aLRdKtbh5g8HI936(4j!E-X?CZ9G8d3{4)oxcXW^^g^}o}q`O zL5F$Bv<^+O;_M1}H>%9(ui2=@W9h)A%K6`hJX?@f_w6~J( zIYX^y+6^zZI<14_sAF{n=1;&O466y_YD2@XNMEk7x@BcOV8esB7Lqzy2T7083uT=1K~`X$Zi>5s-+Ymn6m1Y&HUK)8T_V!>S9f 
zvjW|t5^tKBbd_`I{7H3>%bIeEdd{JrV7r^jQjeg~o3d!bkhwbb4C^MS;@qvOUEaN^ zrbqR;)6aELK7}Oly+QZjD#m>OZg=)%OJ3J6f@bg7A|}PX4OqeOMm~Hcj)iXin&pA7 zQaf6h#JHZ%ALTpkhP1tB1N+a*+yLt+fB+On;2zy;E;CILk&*_$_A;`^SGr1uC3%U> z_jfV%&Gj9Mrn9(aNX==PB8pcKepInmS8wO))^_5JwMYzmO;P2EZJ6fs^uQHIx=pP)5<2_pt{#D`QfWUwy=6_JUaBsvK;}#Je zJ}SzP0busLe&#m1DJX9ycqmg%;;M~AwU-^Ug@z1!ENk9Ds2+gmygSV49VL}?eB)U+ zH=R8EUM^xOlFp&HP<_BK@0JUyRd=A_(TLoCn0e5`cU?>EVMC{d)-dMiyj3o>pP>58 zSLvRN`+1{2@{3T}4`Z+G``nIW?|IC?C;klh)!&*d`KHe>PR6NV>BAo{LSe&BrTn2F{~tg(%nN3Xd;u@f-%M^d3B2wg9#`h%pP-Z2vylsKR!P&Jz`0HDoPJm2QStI9;k0Hi2tgL1(#pNueb|-pb9H`tg7YXku zAPZcldyvy?#(${D_Vm+{4`P!eu3KXC&f3sy%EegonYl7t&E z@I`aD5rkW%<*E15xDc7to`(HQ&q)L6AIjyk8J#e^2=+$)X$gq)4XCohZY57MGikG7 zB~w_w78V9JvT7I;LMf*A7rDbu(*nghFDGBF?q<=#v<%Wac8s-ccz(sY9$D?1Ap2-dCOMC+*;qedbL*|ikEKvGb z7DGaZqUl*(hfah=KueR9?xXDx?i=P9nF|Iq@#bxZ^voJ9@qY9EW@Nc@QO;^qYzw?~ zXy2pRv|!7363{F_(l{P5orZU)i2JN^pOvf9uZ6SQgh2h9IfCNI7P=NlHBG7DU;|jz zMi#IOW1{gaNHZ&-GxtbqqmbfO?+bg&1Ipd7a5MSpqCink<*}4NhMV}|or}x|V zW4=yIM@ZcIBjW8RA>v_zk9IQ38)F=>&!?irIN(G6Ejl;YV}>KhuQ`=B%`7HP*pBZn|9O$E++em1}8eX75i)1cAPLzX!G-n&)kF{WiohS{z*g5$zhW|$gsKr}#ix++X?Tmo5Q2dL8mF*OP+FxXn05~vYN1%bY?Z1F_ zNo;K<$#PtJgIwU7uN{`>S}OR;JOXpa|xtc84qWIt_v_c7Yn(pJRI`3ICWPey^WNVVP90R7 zos5w?3yjYNDd36Cw8Wa@#7*VjRs+Ho8p0jhApS=B-Y9Duc{iz!v6T&PPS%H|Gyu|_ zNrsW^2gj?otAzywOlX|Po>($+4}nt%mm4}-wa7_quCiqR`0O6eI7m5C-?Fx24dvNfnPIm>!}c$uR~_l8hi=5=5OOOM-^d`gBvtQ z{(a$OLcE!qxq&XFCu5xorqIwBWH5c`04Khm4Voc)E#W!`C>AM)4X&TrbsV^Zx)aVVT8NG0rF-$nmv_V7 z7exE(UBU5|f+{{zgkuXU9#CAVq0DR!$`MwRR#JkV+@+8(+P#@DC>RH(KUE31q6rf_ zbQbPT^HpE`9L)KzwgkS4CY;#vUkIVfsqk5zm?ZAERA9%^G7!nrKWD#Zf224+l7D;t zIL;%i{PE$2>M@8teHPNVXP8zXv-fPf$^Nksi*~VY>V`9DG1UdGD7P`3E?j$nDz~SU zD#S`Fbi;HOaeSgqYV-WhZ*hxxJ8aV`sh&<}&DRPADSG*R_bs1CPsES=W% z#@q$n#zF@D*w}QKtzVgkgpg7<=p>|;Hos5Sz^tlrTUDq5L{3=nxDHz}cyVMEc7F9` zShBtjveJL8Y{x5f$kN5}jMm4(_Z%p0B%a@=PeTeegW6EIv*!C*klQFxDV7kG& zr59RCA(u^eUAe6->KUtzW182Rta#CkOg)m51v!^x8JXF5kQT?p4hyFiV~`+?N5+-r 
z;;V6UP4p0-pmIBuBkl4}yo;AXZYWuj?uR}`MAN97opTVqwM?*QSs=;ec7*>lO>7!W_ z+$0Ph!Y#?}2yjpAFlN^lpw|oq5;OMYdA{hazZag{)G6w|*lI z*ph1A99@ncNKV(R9tdIChZ)15wzSg`TJ2Mt8$<`yJ~@VEaAr;&cyF**h>mhS3se7S zFnDB)j#Y8;>)E~k>R}I9>XhEJcT@4OC+tCRRp6XJzz)`2y4-oELIt|BH$a zdZG>7$$M`M)HQ@F!a7>oltQniG_n#-qT09Pc2b1m3 z8qr^JwwVfOWd-rHz@Ha@NAe($PD04ASQ2?=9St}uOV81k4#@h(6(fAW)MyfPl+gKa zl_4A>(Lv(6eq1byWo$3q+b9|%6ynpqnRA7>QX#~g1dPZ&v(gCpIOLXIwVL4iyyLeu zVaj;t7XFLenyO93qtF`cHN1i0(AORQoG3{IyVd(^u5gp}x~XAGVy<{#Ln*F&UqVju zg3>)a_4uW_2MTX5OlU#_X@GsvuBalknO_`P>VFGs{5iprK;=vgn-hKl+S%8pljkGZ zk56>C?TYwmRaT?h30>3;UK}`f*Zs=cZEB9vo>Jdhe4M6_aoBhSLo9o_-Jcx6$CHgj z^+gcHmfRt*iQDFLU16o`!&$#IV9@8%UX`?#Lc@K;NH|B-dxQ6yd{eI0vteIs)!L{L zF{`WvL6PO{6U^K0YI#2)uis6&_qpSYu5&E+g8lnDo`K1adio^0=5CWhj;9mvf|--0 zGjRMBN*a<~Kt{f(y#IpS-Xg)g{sZLr3fdKmOwgf>PRsY5aJuwgMMDWDrbz=84W7r6 zChaUA4Km_!FZ9j|?;a0%!~>DPZ#$w1y}ylQhW;dQh5K~l=}k1=a!G7ZXy2}Em4DsC z@`HbBScWYOY3#(*3ORi?wuFL#vXt{a6pT&FC;C_{f7v`v;pGpWP}h%d3L~`%rQjgZ zB43}+em(Hd0db*udiMfVO6u#c4IIgnEo}^3d5abkaBRjAjI8-%+gc|EUBEqL}L`bS|-)7{r;eYLg?crFDn0|<8kn9WdylAVk`*v8jJ^g`Ti zmI8WNBJn`4-2<172YRii>^d?{CRhr4#Bm4kwecC?*Em3|0d~^Oj~+l^@CZOD`X4X= z7o;LEF$Y9rVq%7)SeO)zL1Vbe$gW__=uodK>^3KDUmP~rgWRxede3ouLPSSHs(nndN_rbIeS56R+^J^$Df0#X^2Hr)OuOH) zaO+NcC+E^~rHNYfK2jey%I0BdgSoyd|CuuBXjnOgI#8tP*0{r@IyJaf6C$LuN9C() zSRt=w<=dI$bB<~JOlbs@jnBce>woVX1Iw+*+teeom|0lxHO6%f!w{(I4G{a`kBZk6 z3)_(xun$m7&SNs}bj>t^b0n|g$TBTg$i;IEJsi!JYJA;ny4~`zP!_Zb$ZTeJjBSLe zY?*`d2qy|4AFa2^=u^kam>HN-loVw_*1$3|vMhQV2J!tbGg7rxx)10Gc$K$enpa7V zEV>mAoFc2M)Tzy*ioRl-QbHIB|G#6rf(&Q{KqEdxlav)!{_M~?45GA5#Eyhj^Kf|p zx3>-EtiS7MSg_PGW}a7&k{f z%8yxAx!RqLa1azy$y@G>z%xPIG@m5=x6DnPDM3doRR*>XRAlnZCG<_vOadpO<0nZA z;Q)Z->L!OS-&NyJHG$PR>eME^tm09j66_f)yjO2EbXjS+miBF1GBytDedB6zB{-&{ zsCsCM8brq4WcayooV$>wam5Cc5v?Nu!0fKm~wlwR%_+wf-v!zvrjK169pr-%kl(hsAlJQ1^NrUE0-29^34iQGW^R zOZnA0Pn=Hsc6Gumop_YMfMdTmFrW>%o`rn!Pf@zr@g zkhZ>@P;8Lb!IHrr$*ae$NAh-eBRHjOW69=|Ti!O?#(FU%%W^seTG}2jQ-? 
zM4);mAJN`kq29_6(EiY^rBHrbelVKS{XEddc#4${V_!;i2Ie&a*%N|+B@D?;USU=$ z@wf{~FgE$R#XPGQY+fhP6D5U}XB`eSOeV&w_0};4+9{iBiUd<@?v;Mvj5!X)q1<@BnMtlP~whhqon22j>83F<~lkV_Fjdz__*T?O{(Nfec3&ujN z0dF%4;?aTu&z}#V#snu*4R8lb3HN4`3K{lA=)H`<>TU*GUp5jtpeE$?#;3FE1S&){ zx)Bs?`SdpGmKA!@_H&j9fT^B?v6p`ljqs+M40xksw(9<|^^NUnee^?n?p*0uL=}hs zJ2cD0GJm{iQ8e=}$DNSlE`SGhA@_wN|M!EOgZ`cZKPX#ZA)fMK|JM zAGnM^?dCl%S4ON^y*KC898YvCJc(km!}Mb0+jsTmN?m(H_bRBq)tP8xG=p~_K}9my zv2M$Q*+VNViPPU&%46F`-+P&8c+0dQkj63{drIoII?0X?spr+)%^9H_aQ`8K zy~0nHdq<_DTt!iY>xeQf^Me(>^t1kZm9FybdJ7u#3$7AgWIeAzBbge{=1o5#+mwjA zg=%^YoPO7%YP#PaGu(?>gv9c1f^SUG&}iYcqpJuBEhU6=4QBe^;a>3nm+JCS{MqSx zB&yv8;=E38V`6zBxZYaIbm{crUYBJKb@l{2hvo%r2f!^c@zSnVcXm|V&g6-Zf$&hm z!50N30vf^ohrB8FX|}6pvD}Ou;SEd5IiexTPemXw^jJ3t_PNhgd5*3r07Xt2PYbzj zhbMO_dHIYU4ee8l<6WsPUsX6z$89r1be_|VN^7>!1IOwyaPV#Fl}RIaN5Binj}GPz z#J$KB69m1=vu!((Sxvi=6W7EhJ#ZgpB}_srZNg=0I_@84hRaen?)~RuH8;o7(HE>j zRIwx8!f%K+fFVh!)iT6X8lem@4Sf|j>0(G6V1jR$cvzTVsg0J73}pAmpByZQ87k5Q zCGg@I9)wMMBRZ2|KE{L&#Yf^DVLkbLtl+7L+ zBLRxf91w$Ba{eZ6iXB)=uj!#TaCibUZ6qH}KzR?U)Zu|-?A12!tM}$yLc+F&tL_C* zxk%8}DKgzZc+!QRg9ARy*$>)Vet2~CSbQU&0emPM#0hJ#v%gk^eL7%i{s1d;RNWy9 zik3?Oi3UyzS}vU_KvVfniSaOxB6$=d7UEgK>~q$?;ot5fi3XFbH_c@s z@oA+(@cHU1OWzWHIGj$LN@yAmeGwxL)zM0gf$R=dg)GRx7J&@xk!UirHyIqUS1U3^ zGZ9JnQDPu`$!H^YsWcug)vJ_3X4`js--*^NEUdK3PKS$6#s&-AZ1@-u>>05ji*prM zn+0tC7#daHBilAq6qYJhKOcG3f0wt2vYaWkm}MT55`3fYw%8f}rrt82;BnjGF&t@C zO)aAgChc1)2L_&=%GL@9+0*Sm+$qff`wm!N7|>otUW}S6rfK~- znCLWtEVbqP2ehyE_TzO&KR>so^;?)fJy+bxv}R+uTxhT_vqkV9wx_#Q9^Gs1%t$%s zP8ORC@V#MzT*a^ke*vPWuZ!fdc}K+4Y0wglyQo~O$<`djEO;HbLo3KT`)+g`m3@Ae z*5uMuk^(jyAGFq8M)jQnyT*#xs_ztGcXZOKZxtt}y?@?M9?WXvUEkM0C(9w78Abx zo&|eG4ZvxALSeVk&9{$-y&v$`DSOSbBG0oW7BjxJNkg9>^HLSZNFfH^Zr!h*tLJh0 zzu!TaUrxu9OZw$x`eiMLU=I!Gkok+2z(OPF3xp~R^nx9iJ9oK-&q-@tovR`-SMLtC z>5CM8iK$Gmv+O6G=n@5l{M{4^@@pQjnfh{!s$?@|&TrATB6_ZMn?cymvSw_tumWpL zl5QfmGshAGhD8T4IS#!Jn;bz`c_=g@~ifUSh6iX5ro*7K`A{mxs6T(|_MwD;`8^)jKW9b9rin>{h$1 zykKqc2~_Whq@zkz?MyD^=!1eQ`!-NI-crsWdUV9ORSw~Fi_9PcnE~Wo(Y;9HRGGGp 
z(JeE2OrH@4|BBUU@Bf9OPtDt~0}}ozZ=SktQudgJ zO(ULb+)wkim6QY6G#F9Gu|^(-o9gOhNt!(3?86fNFXl=$GRZG>CfY)MyjRnEn;(#A zM}5(+TZwAYM4S|9EmqE>61{^Q9;{R1*q<*Z1=Z882PMC}kXAtOwg@(%=*bEe@OHCi zd(gY?b8}GbV3<7zqQ#^zqaeL2tQ=Fi8WY{T)N1)5EW^EbdEjZ-x)e<9dUg3u;Fho2 z>U>u6s`&Fkw-u0Zr5TSP7>P@N=^O)jbB&EDBtAMxmRYT=l;Hj6Q@W!dq-i`f z@j%aIE-~)I41FkK_JrHfZqB9%sxpFSEEaOH+wN|k5IJNp@ydjr$HU<y)m$DU8F5(vuHg;---T%{ z=0%kH+xMyn!n^Z7cTFZ<7m1fDo{A1E;os)Ah!-!?Nm`q&^4F71SF=j|!lJ0}JimlP z;d#Si47^cElVeXBL|zwd9KD0wL1s|#wC={A@6(=jm|f?zcU?_GY1AmEBExRmK@erP z^RQNSSmWl@9mtDZ!|7)A(}!F|MD%1g0AI~3&KIP*elYL0;O8S^{IM*Np9yWCUcs-7 z%j^JO;Iw(KwSBQ>0`~STN5)y^UOviOLwx@91bWu#>}|yGzvb4-1+~N#b>+*LU$3C6~S)cp{kjHs_2b9YJ zdopy$(1Z&=Q2SHIeS68*qBD%n;(}kM0{TxL%`VN~?VPdnr>057onn%@FzWI=s5RDc zai5r7^q{vk1FP99F@Fjd(lTPDGOTx3u1h>xbe-%uhFpDjlhmGrM2Y4EyIm1KL|t zE_JFv(bmP$L=5LfE{qT#-hCn$mDer&Vu3&%sHg}>m3hudF*BbZh&_vk`c)>E; zBAG`0EHa|H)l-jUg4nht!zv0$fE>i2DA^vmMB2r5;LtJ%Syqrf`{@e#zf% z0Q_7@NWYoLHxj_xM~Rn7ar~l3GE|j#+lZmZgWYFeR(^53%E$fcf%l9c{yY&QzR&L+ zv2k>t?9EFw>O0XJ;n-q9flHg4s;W+*ir?8M;}$u&tiZhgiteNf23RK7m3b%Mm$}Rn z^YgkUIWJlfi8ojd_vW0+Hij&wYY=~KPn|46y}f=ZgGnu*bD?=_)Zk#N8KLw5fr5B7 zI%VHWa-?*88ink%oKTUu+t{rl*<+w1$!#DLu=qOdk zk~~c(@qMQ`zp2ke{iWKe%C7w*i3$n?lua!zC9{Zu6m8qcmFxCS#YPnB^gXeHW zuMfT0FNT`d5d9ElAKxvnn9Xx}FUE!V-kF*{fa=+oSb9dd{Y0(aM|do8nsx?!|v=<;k^a=xkkFgOQQx%d}p; zgPGjg?~&5^MyGDVyT>7#=vS8~|s0 z3glY(AiI2&>XK9WF+8R8U4knq24{-H?uQo)p1O>4JeFO(a!I=Oy!?c_;YkNuXv!~} zZD$er$yr6}_n#FfeAAAtT}r~QwhJHD<4BN8cDbaM+wobEs+|GNztBi#WbhY4D_k!- z4HC7nz&!0LWA8d%>KTU&u`TL4B*T9BfURqt>^9xmwaB-JZ>M;-?YPQY*T=c+B1uj8 ztfc*HiiJZSbpUb%0Yp1qF#P#`a8p?%{a_cKAvh*Vh=%C>1o!F9awUG+%)@dN_~2sB z{ITita_^nX4b`(cb4f@hfaoOo&E3d#VH&m28}=o2)zhp&Z+((sYwpk`Iw3~guij|q zubf2YVfSru`SNXfDwf_m9d>hmp&_U%G}Ietyk5Adr<}o*AI*0<6udg-kQ25^Z6qEj!kpx|)hMbX}0gIf23q zxpFX-=uEej4TVF>a@1$Q@q#>VtR$I^d%|1qmw4dDk!vN|?X>xa%O~|0h4ao^AT|!g zSl_xDZivHp*ScJH6I}q~ewmjvQld#dPht$A*j>wTgc)it$9^xB@@*qQ0G2iKKrfcv ztHb%m22WtA6*t@5cnEWQtb0m4VI?rjPxS`sdK}yAmu;sI8SY#%oN}@{0&GUh^*L 
zW#Ql&iE6{b+a=!3PkF()9W#aTR!_v?Qa&l38Y_M`6MxJKuDmNBvF0WGToCPr+T6PI zrESMVmEica1jUL`TEq>q8Z#=U78Sa2>)pm) z?R+Zf1l2mr;Qn24joOmxIS5F|)$^CfBbv5j6#Z^^!TBAxF(Gj#YNBe_edrwJ7B6a| z-<$V{+v2UMH*`#3mtpqoS<&nvf7LQgj0R1YG5*wj>ma9}&i7KP&VF5k zX+yh1l!drPr+mqXjRH7eDeMJH&>h(l8BlXc4{Q9`)$z1&?-le;124qxysUtu5a}?>yQE-hVY08G zpE|RU_)1yF;CRyBkcKx@NSIJLpCP5lR2jW=@MhW^HYSW#&PF6iQi*R~8bvH~8JxWW zp}qLf`er^k7u~9(t_raNs%xuiXn3Tk-d15n0ha!OvYzi+t>#lc*m|Yrps&WKbmg=V zld%$ z8`V$gm6Qkqav;gG3Wctpk0t-he^!pTnrPe3QD04gBs5(s5!HY^scitcQQr>0iqCA; zpbSS~z!6fA?loz{-Qa`=HJRe8`7DJeVEpw-)3o>fq}Xit)0rtUYu^F)K$`zkA&#-v zrjl8~b`iO^$w|wgFwsXXddIABR?rxq!pGBn{)PE;};e3#G=pnD%8FY8m%qS zo)~6iESq$cfgb_wB_uRbKI4BA|LPFMW1CFjGr(@OB}+7FTHYn?zG8@AYq6W$pU{1r zldZ6zRF`mp*`e3OB$<2`mZ&aO3`}~P4aSZ6z^I=$FH8Jq!O3s)Q8`mZF5zW~;T}`@ zN65@k3|xsvG{mfszwpJT_!(F8my`>wugMa>%3ER~FR61(0bh2~7!<1bEY9dHr(x*Ev^X5e0XX z8j4OVhmvr!_MEe2;AbQ75~5AkCMCt3FtM&X=MZdHfGMMeS$_)I!z?96yT34xcNA`o zE8|w($qgcGFqClgm6YU za|JQ7lBC1=v7UF3d2QrH#xT^OY)^K7VR^Nfr{4o~F5p)u`uEF5z`)88nuYTGLnV?I zQCg!yjc8fvYTp~OdXVFm)NvlPMf1~mT~>To9*(Kip8Y6C@kp@OeLOyM)F1ch4lD>A zIbtm~zA)w%Xv~u9_y1O4N@}G18V<x(n5R~n*qZ}J z@}MFA>La!AM1~nH87J}V$ugK*KRO3s(MVp$DYniB>Jy6BaHLGPq+q)jDP`cT=V;sI zv48Ig_iZP*%s!#z#jx@ig^8V5{%zPb0GXR>p3w$iv5Oq4R6m%=d6MUQL@{WBD8k+h z<5KwS1W0?946l2lz8wGwv{PDJQXEF8 zFn3+KsGx!g9MlP~fRd)V|8u=FV8#1CgL2Px!R{Jj@s*zJ zVPtBeNIbiwcK*`c&`iIjMePOcGa>6CN^mrj2%lbaj^IvH}o8K%eiIk?|SPhVM#xuh~NnhE^?bkB_CEU}9*MNY56 zx2R3@agP`=a5TWjT$T=~v5S^|3%GtI2?qT@leP_f!m*$HamLtzf?&vFFs|l|zl-u{ zkCP>+-3Ybsz)W9TW0Nu(fy%tY=j&B1B14|_&zMS*XySgen7wNr^;7I~$Dwy@<={Vv z@>P%m)@if#Gp^;k=Q*CA|L@}gJl75t&LXj|BALpmO3q6A$3oew$mrl zmlr36uz#1=UoNvS5vsos6WvP=ggotj>5;yItKIUxf$a+&vZtIb=7UfH{ ztanxuM+KV6Jbv!t_I?<0DJrp8g=@ zm9M@~Rw6d6Ig#tppo<|YlGyn#Z+!^gWXUJ(>>(lC0Z{&lPTc`AQ5(4WtvOKKP|~8= zh+|+b)ItJJ>5NH=O*)C8WrywGc`cYc5z6#I9BphH%Zmvr*Lpp;VN;H6WiA~ zhB-jwd{3Yv^wBmhdq+)0bT8sX=VrClrTKU_Pkvb5u9L)Ym{1^@4U21b3%{JRAg*r7 zum{gh5cHNCDK5>v=)`2M0>r|xY`0Me*SDu$1R(45BEPVLJGm7diUh&70s`++Jk^d2 
zut+9CO`R$@VYmmu6_*;97N?{bHp&&es{Jdj58F3N-^M(r1HG18A4j@tcE41_^0GUh znynz91!VAx>4D6LnkvI$(u;8o%lPGX$)^=FB$#)D)vaYieGi=k+T25927Zt8CCGmy zN?@Mx)B4bgNFQhc*vP`eqcGdorx*9NiTRy})a0isgg+Pxjz_O;9zvT6%r#>?H!hU$ zQ8EO$2*l0`@SDv=5_!$`eT^`0@6*%>3}RlD7-5ma9Lb93u&aY?#zZ<-k>sawcI@de zrMiZXYZM{1?8p3-!fytfgOPmG7qUN#k2ntcz@#R6!FP%Oe zQ?(QroSLM!7|)CSD}O*VlYaMy>!V~)>0^KFTMduwfWv3n2#Y%I(wF$BqyCHt$)?<~ z3}E;Hyvf%zZFW8TH31TBXafJUB&48UiyysGa$N&)@1w%tyDg{QzDg-PkSEPm2S5LW z=@4{O{Fzk)OGy)t$^Dhg>dY&(Ct_=maht74F>BZ!2ZwqWx|u@_Zg(Zc1HB|^E6`1s*G_@X-reIpN^9Jq2L$jWfT{rsMev9jb2M=gFmQax_($m3}Wm(MVs^YXcOjehbX z^v;2W%l}Us#dGf&J?Y+~Zb$#QU#lfUGKwP{T0}eOwds{^lAUs`zLl<1)R~93{r&%m z-S-tq9#{f6c%jLgdm|ASW$q*zzDM0AQxDT$bOsOB4#=d(EK-H$DZHPiG`OeHmNUdr z%<)I7T>xztO^uINPclukHeDJEBzh|Hv9Mhl*`{!Bm0qe0dU3cWm#ZyYNp1(ys~$EK z3@_Uotr{s2ea+uKw7xg+8`ywEnf47-jWofQ53}}&*-q#4^>s6#t|*=S6i+>kn<0tS zghUzLP^EfcQRNGi8$Ck$Z+oU$KH8SgyNiGG+_vm=!f%~ zvPxdiiDT5s7(z;UcH6z$0c1}$OEpWa26GXYdobMwWVo-@Ll*d%kNVYPWcG;m{XS5Z zCH34-=a6#>=AXVo^pY1a^p=EGO@#*by4XEF)v`3a*`tL`p0T*TF|E#)bnviT?rhJK zlv{c%9$8qq^CDW3^Ze+Ncj7d%Qyso>#C-YIl>hzp+4x=z?7XPWFRgNI*3!_6uAwmm9`b7P>rXjq#%`1tw~qNEg$I(fZ5P_z0#8|1)J{y)IGK6=_%s_E`b08V@wBU6wg3QW;C>VsF#k0 zje)2ojp-kS!Pgjp`5_J-01lKFK z6Lcxj*-1S~-Ji;Uvk1Zr1+|6cuL`F_;O4x8CzOj{;7@!Y^6JG|zvJPfu=^P8VztTG z?^TP_Dq|V>?sbmTU*Lt_a6Yo2IoS13h5SfG8JFctY~%UKGcrs3fgN(zg;#bmw=SPd zm0oPJ)dKI}QaxNhzJErEA{3z-8W@ML6=l7s$AcyjVmXX5Qy=!z+!d-;9eoqa+lV#~ zyWc+GqhSGK2YHzVzSAbAaja;VIO_ICb(!m!C!4~Vd`F2R~3R3q!{#I)!Nsuw)yYN}@*^&5QXf1H355M5*ZeqRC#y z@!M9I>`>eGQl`-_I2lVQL*x$78Nkjdi4)L>e_caJc7|E2T{RQ2*O&MpKl6G=r8NkC zmM2Qsy|m-*03H!94VT1Z(mY)1v~-&WGUs%QHw3kl&r)H_juz6$rjUdz^NTJL#7>|X zC%(;sY51Ezr#H>th7W`ZG1`HmXK!rKc!HdAhksUphK9Wpdg>ror>V8gCv>z6wiEcz z1Q=-re0)bcf&$|H0n?;kpU+Sp43}I)n$N%wj%EszTcL;)NNHhkU5Wd#p0llT*<-|g zyy~dPFGE_~66URw zqcDh_Of$0my5*%Z+u+ZrTPH&S)}Pybiwrd~?$hd#^Hs&v@EDIwhoJv(K|Dl;hDf5( z7iNfbn9~XnmZQ`|ZidwYgGJ!n$8xopio{OIo9Zt^^Ge2Q4dNE6dZP7jGK^xXgxvt< zjHY%ceRBdXwfrUH@Q6vwcHTd)x{wVN#8`0{M@;SiPK02?((FyWdA;nG_Cjc@Fyrw> 
zc0Pq0K){Fgm?890b&a6qSuiYB63*(7lu46T37x+VgGQ+04I@QFI!co!cx7ux#QEaI z$2@L7?De^SefW+|KCQkOed-{Yyt&LV)`gM8S=e<}j;Fv-`oi}l1BHoX_1t4yPcJjR zE%{gcru>Wh#i-q{oduC@?5ZDlZMY^@JwCcP7hH!4zxCwqhy1uWr;P!Fv%KCQYS^K6 z3pW}z892^)BvY`SeAX2gQlz0>zi3$Lh5cpNY;8*5NH}XtS7+q{W1=a1}fZ zbIni20=Hv!2VBFI$0mRr}wp>J61Tyt98hs(`ovDfHEH3v%@@l=hiXUN} zuFT-(pY)z2j62^XORBuc9hdy@)jCgrQEK1M%WZ_%^dEOwOB77d|4iU%Z88(vbNb-% zQ*Z&dOZus>{8q7LX4aZ#^3xTyuw-TL=nbeb@IqqMs%Ns zTYpqJ-c?nRP~V3O|2p*LG2Puyi6{T#(un538-jdavG#(>IhGXEKWbuePQPIR7nr;< zcW|vrJYVG_B=s>`qkSyv$9MB1^`C;XN;%VOboE{y2DSg9ioFR98Q*wn8;BJS`l=@D_jgS9BS*j$7Uv&`4 z-&lDIt1zeOWB7HbCVK@Tk^>U#_v*uj9a`v~WWeQn>`e07U~z5MH-S3=h(W0}gnm1) z>P-VWvy%o9@2qzJdEh1UUg=$MypkXVuVRCGsauhkg&?inI-e+~B6`m0F0wr96h_b! zz2F1zNN0cxw%U65zFFhBQFrRh#r$#ic02zFP@l3?Hs~*n&&TT~2)ulo9=R(m)8#@6{8PlR+m9=nqHk1f1}1Ql6Re zfl8cFyBolkly<7(H-G5@k7b8BZmTjbFuUx@e|IIFrtdTEDdW|a&q1XNYgK5h5IW?P zGBANno-QUyx7{`0gZ3vpYeFVZ|CZ|b4xtB)1UOnn2dhZ8zMLH^HH#E<9FK8{J*N`G;|_1`M0-K3)Zt~REk^HqV~h9u*2R>oNtWtQavj27M=V*L zzLz>7T_`=q^_HEKQP0QFJ_^jTn(}6-FNE~2$B|YaT9X1}AD=v)K7!sX@z-ec)S@8p zTb7$%64+#SJ$p9;=NVr{v99huju7f^djP@wL0@85W!|A6-PY*xa&S6Sq#sTF7N7Vnz9 z3Rn$`9~QLfcbSC`dm+Yx1$R~5$?;e0t^kSoBx(h$o=#RMy-w(PP!mw=jfLU`Xy_y& zI(b#@`@Ecppw~kGkBi7taN_B-=GWQs`;fM-bs;U{z#im%J3p0Z;waD5jlbGzfX(|V zP?`Fn15W8?8Zu*fu`(ClCGCUofSh|Iy;8+ji+Z@(mrLUG43i1vkQf`K(NINsphKLrfNk+S_SU*XgTa# z!?)%XpGVDyVVk0K__)+#K2|+O4Mjt01E9OnlDfX~y&DjSHBTPNc0g~hr&8#Eb<@6p zg(15ans{k*j_SCS3+MATWN8ol9g`+SePu2Qf)e?~=l%O;?p+vR1*d2WAWTRX2)Djz zgioj3aa_WJ$_KCw{4b3P6O{>xCxGFPm|v400p$4qG*n%^Xc6|NC}Y6dFAUD z)To~r%X!YgRj91J8J)T$ab(aFKcLQcGfQu}uD4yF1hM}}Z8hPDFtQ%>83cA@-~vlf z>m1TKA>xHt2Knc%x8Gh9_Z8v+grPKI$PyqEm*V796?%gfP()-BFjuG$^PPStV3S>Y z6e6!PKZfE*^7!z1GLrF%a@&zIcRcq1dXK1yV8(3-gVmkM#Pj!OLJi-evX1nyRLl@d z{GXS&I@c+qAO8~ebb20#g80A>GZ(=|<+B+EPFYMf%Ia!onGr2CcCM(q~YEC4du;ig1tG zZ_+c*JWR=$1>q0t8{@mGrTGEr7+9w*se0<~=O_nN0lr4G6vEw+DCC;z$1<#XN$Eim zmK^`W5~}IWiyv?sPQNY6kmXuIu9%{_T~YHlMys**wyLIl>J(zyc{e#;{>JZRA>Ap6 z?FP0%gtDqz9H_gPy$rfM^C&L)x@ 
z$o&6`MVMn&&euji%8PNBW82X@5*6rYcFb`ltU5;&c%mJ(fnR-@9Gf+nSsZChU=WX3h_RmNfcci!?*0nqn8QciP(0@7knN<`0SG{@|Py50^!E6*6Ff#dLJ<$d{4& zKPRWqBEO-#rUye`8N`m-n7uA~_9TlY&ckBy3$~aKRMyWosX@tB^#>6%W$V`Wx<>`7 zU-!~i_OyvBa+JFEi1Jt!+sQe7lGwgzS2(hK`U75)1OtL=fd|30bpD2GDRMJ|Xtr<# z!^$HWy5pdwFg0dxgG{kd_UQ$D`j^0mImjeF^OKGOnLPykZ~T4m`VI2&QZYD7Km4;h zc$bg)qQiiAOCFqI=zjfkg}*`xn-QbIA<1w%sJK3J4Baf^3k0T+_m}~+wD->vf%<4< zf3HSaQt5)Mx=2`%$&7JQI{I+EO22$#WF<{%&7^|IIvn0x@<${4j}u0#b%wdG@izLUGtrCj*Tn?i#a;*qk4f%fMZ!blb7;cMkxOj=l1~gAX>4I z-$4s08a0DHX?N{gg4Lx-mz0H&%2+hDLjXSm{QgT2Bs&JX)3bI|7gzf74xsDb_HdmLQl0ss z#DliSjjKE}d5>YBYD!-e8Y2M+2|S5-4ALCAkNEVV7YXYHGxfW#WYE@V-l4K`uuTe` zn4J80uUBu~HuQ^ybXSGSQ{=kDGdOU30$#J4@$HXR+t(0o!6X|Duy7YJVuV|5EPHyV{OET^1XTad_{G2Y#ipDJH!}zU zENmfwyn|o-qTAuo#w5i4zq@h^Cl}K{e zZ7dTdpD#bbCoa*_Yws#_qi^3~9`jyc$<0VFt&|B%HgI2 zlyR!=doV+aeKB2uXR2?##GtD;{q?3Bj@1B&jd~u~imb@Bo~|!RcOX^L=4D$kA?GLNNi3sU=Z z#AE1PKfAgF&_gXD{@u5h0EsNMWm;J)x8H7=mmm?>PQ_d$@qlZ__#qs*Z?DDWk&@ic zu-`R5q*L2Wl0*zxqbM|5p#UyZdu;uv2y`9GsOoz zPWBrPHRJ*y@+)b$W8*7L$DCb5Zg6PI=X#lM*#l(einmk)=t|fhn`r|NM5Q;21iLUW9DrZD0Xvbzm&(Z z5b&Uae01o>S77Jy8WxF$IB?vd=3O>Zl z!134!5;a&r=C_Y!n)RosniOHf!H!Hz{9un?5!itE-pBHmgs$!=l+QkP!8S_2t(5Z_ z1RVK${9pWP?74}(Im_?N^;j%SH6}G{4mY9}-DmojERR#^r2&_E`>AD6hvxHngxqI) zRKulu{pJ}FDpB7*pa&A3G3)B1ebGL)Wc)D^akke#0>HTM{G-M|KS+Mw8!_~BPu%&= z{)2wddhRKt+B-+fIEGI0WB<)l2W5?DA?VTpOL`af|3LFtOW|1Laat)_0w9hsx`Q~P z&jijCcyb#`!(H@(tSMRTooOvMOB(y#Y=le(Kcq`?onl&n%+Yg6Cgtc-!TruAW}h>7 z{p)r<*4eHq?wga}qQV)xooYmyCWz31s5f!}nGj7Jp}EJjO)Ca!a|bv@8n~|k!|k8= znMCcvXCttwwJf>k2lZ&qr6|nK>z8uTtlS<9{02W*d=$cq17|G_ z!gb45wu2CJ`DwRvk7_(U7?aqzx<4#-ex5OPp9h^!P2{wvj+;)il|<*RG0Nyh$2Hl% zpTea$;^znBa0nY>qnTBwrB?CPD%~qbspP5^WSdiS-Y5Fe<@-8=^}u3PUqt>=Y-cUP zo`HdTzti~_92=SHQKBMI_TbRWz+ydbzPIXmfhPK(+b?S??$cnVN|=*Diz`P!<(c)K zq}ITpB0&*s-hSlvOhQDxeBU*!^h9Oa7>gh60&qx*cu2zCR}xR%me#xdLAm9CJ7b8c zi%0)d%g&doXH_(ch}jJSgMdiQD&LC}SY=_G9l=H6qU(BEneeQ7{dY^;LaPKzb1o{q zI6tAoVfTFbxCU{K>{}*C@hI8R578F$lVgVbEeIpx_qhLKZn)ywx^fiKEl?4p6lCUw 
zr!V*BnIGBDL_C&1;qa?p`yZ@W0Ds;V_6glkru3Bx_BTDw2gc33{l}nMq-t36Y^q#+p7DGdtO&t#|J%2ObrBd_^f^2rxB3 zdStBl0sO-Z1Y#ZPSKW}_`D0d?X&fxTQ8t;hnSw;Q>zGlp-} zxX+Eg8V;dL>9LX5WU?p$(s>zyN>u0rj^KKQmakArW4>ts#zG-r2|<iDL|t=2`LQ z;=PyoF3aT1UL$>7W*C!pYw0NY? z3l}uh(~_oQTW`RB$L>JkKv<6-OYZgfOFZvpHk>A;^MR-T9x)X`1Eez9kp0R*D%0z? zp}l~BY|r&LX?J3DlkafH&{BTp0U^*40A#PgHE$Erf_Q9t8JrZ%Le7upN<^PlLSA;7 z*xiuBR1@wr!!3=UR%WRi;07dnF?<*n#(jg_C0>Z-5Ev0lVv2-Kdol?@>-HmjYwB$-lE8R%v!hhlW zlh1$V&g{VK?78Q>C!X`X=ib-u#W7C$;V1U4%&QXH=n+Sy`JI|ke@L}g!&Jb2h3uUV zC+JP@Q1z0^*L~X>*I9>+$@24ziogyh*UZR!Quo89wIAU|u3orS^U@3xjAU0Y?sn>H z>&k{f@zxSKO2s8}+x1nfjW0+#-}r^CQ0A8jZqzV8qs5oSL$jvxRamT_Hm{i)3*YcAx!5PDfYPTE$pAz z^ou*kyBN})&5wdUhh>VQ1v;36M(|qLSs8OQatAvapi_Gd)|~29<2t3Usun98<<7b@ zmq`vMSe1rf*(+tN-_7icqqCcMUv3v}O!d#uKyK7gohRp(4jZ9m{pB0KxNEl7ss^|% z73PVeW#n92{q3EbEB~CRYQ$C!+$Kyn-09I@na6C$L@BZH&=218nwk@~>1W6pX&XFuSB_}j4b48c>2C``fEy!nzHzsS1VqD`=DnOu!e zj8cg(dRSI?*^++-WSxmc;P^!g8}}#%_*QeutYT_cw8~ur{K+ zB>m*3#$I}bCsjnAT&LO@Fp9idoQ`8=opTyW@|~wG0kR6uGT*OY1e=G}QmES?;T#<4uD~TN$88mw-VQ3cBpE)ob6Rp5OJF$;?!f7-i z(cB%~Z=rcE`@0(|y)eJ`Bk(IYbzK`M2gHNBuYOL_hr@^qp+Qu{2{#h*`0R>mY6m}-F)awd1(+Y8U+gmCZ z&Z0Iq8Wm}A@j6veS5BnU5%%E=w~NUdbCv?1Vtl4Lg-#qmSfP{RXQH#rIGn$y;`gqW zam2=G`%%BFdN(`1?Xkw*G?`i&AK`Iu^hk-hPOdADf)i>9R`acFMRn@Sq;ajW!N%_@ zZo^RvaZU5JXL49$Sn5Fs3Fgywb(Lq%dBzRwFO1fH6pp*!{#<#u@Acv{R}jyzi=HCH#m46CYiWe%1&hBNQm3pq z($s6+fg+S}Vc`R?C;pObDbY5*>9N(t3R`+=9b8LUqS}9u&09v8mRK5~vH}}cZ~U#@ z0_Pvg616544^m_tby=GaGe3Dt)me~Egie@Ffmu5r8rinNqUCkEbX;ve`MyzTL5CJY zY;heB4}(Z>9<;gJIdBl*sN+rRlneAfpRKuu&RXZQ@cyh(***$r(O8<x4WfsaHvz z(G)bijK8~T+`ZM__gbqHXZZ;u$$HhFriIpUH;K6 zx!=CMP{N7r-EhwUnPz8Xd^U%WWN$~|+I*`5fd_$EJ8MF0sev>xc_!SO)z&R#(iDg5 zLf`bQ=Y1qh=-AcNUGgR70Tk)0c$DeIDa;M1RD~$>2svwVM5!NlU3hFg8?7BH+O|!g zcIFWz-;8NI6RfyNCa+z9zIVsT13maa@HYr6$wJzk-)hgQ1ZuDqjg^djmGVXEpK6mu zeN^aT~c0`6l|2m7eC%jK{nAv;OSE9pAeJw=k@b%JIC^9a;eBn+i*a2v;y{lvy>3^Q86mHW0OFJDpzU0BKS@*7k zkRwEUc6l_ls!F><;9d;9^% zUjH*mJn%6Q@mOcaVuq)+;)hF5c~k`yAY;F0yHd&IkZL*n#WZsc-{v{A4Hu=wnPEY3 
zrLlFgnO^r3L{}Lg>zk~CFSDQb{mq>6o@sXa8o@=HRJ+WKsIie5)|(AhUE6O) z$w4j^%lM7Kj_nlP9h`sb7F;SmX?m>VW?O8RvjK#`JZDo0lLTz6hB zZ4%XwBUNFYULwc6%gv`nOIDm;U;XBh4pp?x=^diN#|?l@=OD8a%O<5@JTsu3k<-sV z-E8MZb9G)u>2SU=cfQBRR&qi%xDz_R%;63Jrs=S45}x_EH6`rK$XMTBO@X!C*lyK^ z$ZnSq%USY9p~5mgsYKft+8 zILg^qBO3A@_@?TaQb-Zm=IquS(#HP+!RG%834b@@cbHYb=bIIrHy0m+AVONG-&EdM z&ReX353^{09Dm?->mXX3W-ZWKYGOY)uhg6s5$a!weEC(%S4LdfJ>y6IIdOTVM;#FS z+5xGK<27TJV5cGTnG;?@d8}?VULS0&Yo$7`JY#VpR}p>LhmI*$^7ZK_NY*9dYD$J! zr;R0#rD?SAt`zFwvCHIB3?8wl%mNRES}Y!=T5-yN?ZOF}N=aj~9Q053{KdqVG(q0Y zI}7_E1(WIc+~6Xer#23FDBrqtVJSl$(*z=e=y00So$*^?k<+BR z`JJq{0OR#V1>b5;#oa}Rw^4_dU`Yq@q}6?_*B97-%M7ams z`baeUtpF*_SQ@8|XqL+uT~ckp7|ca2|JZ2%@z>SrAZvnHD`IA-Q}LUmke&;s2#%%J zbo1q2rQAr($z`AKmC;W$i|RPR1-Z?aU`Q~#j@m7WGbXg@T1J23527DxT~TIw?cJ3O zAKUh1X~I~{+0<72S*a=MJifvZrS3vnK$}j&%57Y$$0{5r_uzY3H|&t^YN1ot@M(F;czu44X7desr3`-m)~n z+OQ;_0`24R9610y>I1l*<534PRX4OS8UR1!&zM^+)tuo+ ztv*ci1U-)Sf@Ea1!(?F4qt#Cqr{Jv=4yVYQ#m!1+VDh*AF!k?3y(DVm)yaop+lKDn zfAX{gFKiC?)gdm)pHTQ$FL72(xwjf|4;$$Ef{Pov{1SDO@E@~e7BvT*xH}|&SpfDp zC6)SEbr>G?s;!6CBlb#5aU5~K;peLv@*5iPxa+C|p*CfZpHsd1fB%-E7 z&VG7>b%GN1N>urKY6PS{o_{Es$JvCZi)R9_n+FB}nq%pu8)NAOD!+^HC_!9cA$QrA zahhr6g~FecWZ8Q?z4Vsu+Z!xIp>>; zrN5id3ok!+VTp3(uVL~~*VyeHG!$9dOE~{t2I@~HXC*4&DMqZC^(~ftD4p^(dL_VK zkcp&xx&$tD^&Zcg287>#l#Q9zVi@HbKZh1Et0&)#1QyHwe*zWKw?h@u|0ggnmfmY` zb|I;9@ly-+xy@UbbIBxs#DlcZZ0@#iZ%2`z=juhphM*C>Pg?VT2y}Kr8tw^rqVPdQ za4m(b%g{<*R2Z%0XbGEyntB4Od2Ic@o1jyy{wK7jDm^A1rFpF%^%hp8bNM5qazn61 zJ}qjUoimv=>^0rEolm4+??*;LQ?#s1RcTZ~4NV=KL%Db#6Y#xq;rdBX#Fup+;5L8I zSOZS3^}8?aN0K0;%vxzjj!+G7Wk^54kl5Qg1*#Lq6YIqSd{4iBK!2qZ^E#m&|5|*? zW7ZF{x>U3h_eulWOT1p?oI#ZKx##&yZl0fA-=+g$rw)M8W351~zuY>Dh{6h-6pPLP zI|+6c{BWHiuH-8qyM&-TlU8Xi?Bu&l0fw5gk(l}w-Lzm##wU|b6OpTJhmxzoOj>@? 
z3LgTpb@sP5vUa(cw{Bi7G;unh{rbvu8<}NIlznElOn}sze&3N}#l&blxiReYTs^tl zsdRb+E~A{JZ%%{8Dc$AS0EQxpg#xp)UO5m|yk3_NW`OjN=yJAhS?Ws~@DEuh%U%kw zvYU9(eJO5^Q4T{jg`y&EymvXU*8}@sO2RITxGXsBy`(AG7?SlQSrl!LkE0J>r=Dd8$Ans)(?r z*}a0DP^kH6(jdgd@kFPBq0thON0 z>!NvH7IHSM6sIZbs!YS5Vx}+j>d7zsKKjUB>-(U={Nj}$I)pp~;?<@D9Xj~nurnga zZ!slnDOl{yqrKoz_%W_taPphF#9?w-HiJNuIz(gy;BXq-e?0e_V>!UF&9S<9YX5uN z)z(-yXN}H5LIL(Nv+A3ftJ>NOQq-D&FK(wvLeS>r68C%}1fq2t0b9-m2NTu8h>x9t zyni^ZD^7>f)rqtHPvA3jAh)RS1z(B;2l5dpk`Nvhvm^tc#_1E%QGd?TbTVBsLJHOA zhu`$9P|FvE#DE-a^_kpbya?%f*)aZDJ{Cb=^hG|i_zMMg9V@bok1rH@&E5US(F$gW z3|e2o-d)MNq&K5Tbgp7))v)qsR0!^X)t5Y=Nky%L4N3An5*wpfdc2PHv_+9Ru>|xz zUz#h)Q4=sY@k4*-xGn-B!UHxP@yTG$Q13zVLR3J*-DuXk-fzGAdb6(S#qX&O==^T-`Sjle zj;X%flfDFgExujS0`%bG(Z1Do?VHJoIokBa*onkr|AD}(dP?~15$oI4TJA8T-)_UDq6bYx?RYkqL#uZijnd5HqCH}TBT zj0CZc_1AlVi6`IJaDDr^tulRRbK&H;H+0e1dsxw>%sPhe#8`8JD}CgWZKCb+Y-+XN zLNYb~{wKy6t>m?0e3cov_;@_;?+|#lkDno@-7L3^xp^tGE7G9o^*^tc(BSfIz6|}K z1xp3p$4^~*q>F4MT;p0&ay;I zhw4lR{juJ!D$i}2;x@d^(t4Y#_0Lo?jGV$Pm!a7Yzx@7USSqdf7&{7!d)rKux<3mK zm%d&Lu=V)EX1pkFwy+EC6iaiEHSyihwf0uVw>`DgP0U>$TwFId9b?@|2+P*Xr-JN6 z`7^Wwe@hIODV-p#p-J@KtcwK$@t>5ua+2p?ZhL)%U><16 zj{9axMQNS68%_7esZNO7?%jez$LdZb+1!80A>y}*MZkDD0e&|~VezYJIy zHhXuGqU2mOXvNFD`6Qf4T>g(4mV*Y38+LtoThNMSJKf7DX^*_8wT7{|O}M zgNF$u_=0p!9hs|1#i$Uk&xc7oK^d1e5ZB+d<3?RGc?b+c`q#8L9Mo9&BN;OXA}O+C z3&3E+Z{{m)xrW)bG&HA~DhaXm|$2;OZK>NSM!+hwX@`3x==NR zqcmGREOQll6U(?B%V;Olgv*Z^1PG9`c@;nQ!G-?mwHo$Y(i zV3dICno!z$3N$7#9{&HN^duQE_a!|_(S~Cwx%{D-(Y_tZ7jVQvA0(B5jPT>J;`0YQ zuSR)cNbo!=o^Q8Co40rei+_Ib^{8mHA>%FxEN1kknCjRa`Gw(=oAR;4{iw!!@uMi^ zog643raog3gOm+w5kx@fXtCTSo;>SlFMzd+`P?i~F5Hg(shFTA5_d!Noi1tAmNK7SirG*)ijhp2nUokHe5TetIY`x^9*rSxuve@nbl)GYfcXd43o;f z{Bw5waZGS*8$MVBmLu~ZQY7NI_e*>2`@^Z>2hdqmj#^%O6Q3||t%=iwjRLvfY$$_K zomw{P0EQQjb&+j&&@d@}08ynNs(6nQ_`XbZu<_tNY3o#QLV%(AQ$aH5jyD`QJosb> z+qs~4m>uF_cG#;msb&RT-REyQw6u)qQJa`8S_OAbUBPxZmIM2Ztwoq3BS}|Izj#NM<+`r`9 zBSR@b?am?)0PD$8GX@If*FReEs2Scem+-p}Sx5GF`Gf+1!u$j+bV>OClYmJhp0;L> 
z`5`Q?8rQYpm6y?A{y}VQrsy0JjU9Q6!02Gk8ExetfaO0CVwCz+?kxKLFcF~{1EKQk z-h4~E&R+59%PdKESs8YwZ}FtPzd!h<8^Q#s?6GU0Bv!uVn6u?*PCc*`YLvYgds?;| zB8ztrBMN&7+63u8w@-JcAsr*V3LPT_jr6#Y6X5?LENKNZ^KIbhA821$)m+Uo5}TnD zzjyRv>pWG|;IE#aeR;F$V@-Q7Wm{{4$4pY6I_lANV}1n)-W~P@{lH^PdPPa`&`W-K zmk7wdJ z)F@9~dd*~zGc1}i#D-UVU!U=|hWej*WGuM#rH=6oq>56CGmer8!itU$Q7Wu2p^Mti zZe}g)=_v=KkfPiLdNw z070^=-rTMfPMRHRoD)WhOB~z8AB;jlbI$sobBsHt-KD-ed&++W{7?80_Dl zbd00dTp`!eZ(xjVr@FS2G>%bT_+TzPp)+^~?hXeg)y=|b{?P0r&{YI>=@ap%kn46Io^F*0Df2eDS|8%bsExuiB zQx9=!8V`@)MsMI=SQ@!=Qgae)X?CyDw9EptgbBCJQ`aDL(>>A?#=QW^2)(#89|Z@$ zx%{dORy)kIu+$fJM$`R_Z%m^dFcaJ0Vc$W1LN+xKx^cI?x;Q1q<7JRFg`(s0PrE8* zj@C`=UnK?2Tar(c-Mk7-LWwmUJBtv{dZgYUi;F#G-}n9s(Qk7pxW9x@#YM0%}!S5;%LrN-do z23NRzXjLK145tj<2XSzj(WD!R8++%7z*an>d@pZV6TfQ7Hg4WRgh{riA`Tl`ECD-U0CFQ32+&a zbU+7%^dSMZo2*cRu3)}eUnfOV6G_^U>PQp%*?LKSB#=MIJ(Wc-_f;4N-f1+8ZU2ir z9_R$hn-S31zI2)ats7s{S@K3VRhKS zG8yN>5{uMM{6i~zQ}$i8Vb9!S49?;Iq55Flk9!h#`g=$)bjctP%bz`%`Xw(?goA%c z{nzAfOSd1fQ3@$ktd5j(PQQCF1l(~&Q`K+Jv1q)mQ3wSD|6VW?wXtafCdqzzp!3fN z3Y5}dz~@8ZDaGdd#F%_=B7o$`H<)P`A7Z$CZbURNok_;l@9>`sWQK3W-I_WKk_wJ` zfie>YFJ4{}g9jobU!!`dDtx#ddlk`2J2WNIKAeBh5Ga~?&3;#{IW)rDGJ*Q4WtQ|5 zv4)_&e`It~8yz^JSjbH^Ltpdt_sxM<65s8@CsECxpE`daqdf2)(SYg|s?2CaL$O+L zO0VbWIO`O!LE2eOx$tAOGRJ?bBBag~1_!^5e_BCHZpNY0QLE~+eCZXfmG z8KuIybi-*s`r-0u!kog_x<#}GjYVlI$IMzUhu9hV&8bXqfE#PIBxYE`cNh=;QoUDs zuPP*#PlY>?Peo$zlar^h8W#V^AaGz#v6peb^qV;~q_iiKH2eE!q^GDT4f`3hV)_|L zFMgAnkla8>mVA()uoVy8saP8c8u_O>n392_&QvA!6)^Ld=;Z{-q+hmzuO2$SG;IBI zb${i4ul)GoJBfsLLX$Lwy=nwO4DNeun$%C4bsHOv0=umDomFt%Bu^ zGA)w$lXQS01&l0l9U3i-l+u=#PXMOcV$m4b^LEvmND6}yei_Jqgio$g#sO%*Z8GK`J}cd<K{c;`7H2 z5<3ipgI`RCnCF`s_O|?IO&0y1utd{gQEkcTA%PgN@e{u1T4>_*|Kcy@($F7-BPT+S zm?{74#VOL6!y0zZg3d5Mps<`emil`{f6|aD&>dsGE&V*{XbJYd2m-o+*0q*Zk9lii z=@0VHwX(=Ubdlj6%O`)5FCE~e0tSvhN%Xqg0i{}L3-;nrT!2&L9vE-kw*ib<{HF1h z62_CR3&0$*kU|BFht;oiFDj(Gz*yhum!V>DuMqG&iEVnd(THQTcK}D` zDDw#|iIp`e6SMaq?V{0N>!rPhS7!kXr#%%}JMhf$2eL!b$qdo4po?!MhL%LMrXUB3 zU1%W)8O7{h{c>3P6h|qa+lo;1LD{YKk9w^s4l 
z{@p=*`4#);Dp@1rdykg;8Sw4ge4uvUm0 zFfK{=2`!BWh9M>#6T-h%9$4p~iqat;lHdmFsI(}WIiHD-_+1GkWiF?lmP^&N(C)K5 z7bFAgCk2GSp^gseCcS(JrP`+N0I6WTgcu*NDEUhJWbRQ(eAk-sdo|_r=2r(RT+AV5 zQgPnBwLO5>PiY(=v6I4&0 z%m>Vo7&QM$1)@&m7ZH2L(LL~$u+?h~Z8t&gYdi@xs{4slWrw`JzQ5ZBbu7Hd|6mPG z=g&{U+0ijR;?mWknwo{zQbS z6DyCI6%jz^+XT=#s?zG(bSGi@D0XVtLkH}wYLs@Gbae}=38QQ&;ym^OY zBs{1~1OHf9_>+*{v0y7=Ne4~(F~3`lp)Q~Oae%crTN_^=^}}^3(G-kyKP63VEc_HQ zjV3+*aWlHYu#jn?je1Q^Y8G9rhnCyC9}RlDv>CZ`vIkkIoI~FwGj?5D>~}jqx@^iW z;-6oU^HS0$^he%RWX3`9e{9dL5nqr~BM3{vAr64(Z_3uB9T9Hhl{-aYg9H0{cOBro zxt`38mL8%1)Fuu0i8>|}dQhA6r7$_D3A^F)$R#9ymT6}3_(NHs!hF>7h!Zzwv;9tk znKS2vK+Hyn+zENCx2=H+vPvnWMzwSuVs_r(_iG1IA>b#AEJ6jUZHz@O`1H6pG!pPG z21|*G`a^WB0)74u>LJNkgl`NCDw4C+T=a%2Yw_~j_$zuL|G~K?aU2O()DZuYwdy7~ z39OQZ%b@D0aVP0zL7GLI1f?6`Vz+$3EsRXXR^YTBf=fnQO7W?u+>v?zzDo|6EW%GzzLtMgJ zmbSPNYR5hIQ^5mLH1~Dc`x{R`ax8k3Mp8T^9iI%|IMWG= z?w5tt&8#S zH^g?&8?SS-E!vUmzG8l^H{+Qn6`CM?w=B5kp9(6S3ojm-pIw#YEW%QcLpH2c4(4D`ld`w*Qhp_LHZct!)77R%nkVbLe^sH{Eko_`wrOO zxm_;eV!sI}wv`pPm=vgu^kfxYs}v;bJ&)fDEm=3(hTv)H@x6HJI~>Jb#2r!j{9umi z2nY0(UmxY|A91?6kXXK4JzQ!(X@Nf>m=s}dqDq21)-^|@4Iurn2?#zj8`NLQx2={~ zuNXU0N5n^W^gP#3_Vxji zM3$b!vLBZmoKF%ByvF+BDu#_xuhTo#P)`UzpA+4(bp>8Lf)%MGND&}Y0n;N;8bmch ztxqFD1mvDm!~NK-G#HZbdMO3o(u-M7;6K5M;vO);0uO={;jSJ8_YY6+j-(`?1($DG zqRn$eQ9k_Qfm?7an4MeY^Ew^=serFQkpQU z-ni?U=euEQ4^~{=zkvgtE$p3Q>-R2w$jF3c)(Zp`jUEULCH}_j$K$>&GQdan2S@?~AzO5#U zHVz9zi)3Z}K6m6QYebyj*G~cD7*A5sNIsBFv6ErIq@tnu3l-T#HUz%^$o1nsw*%Bn zYIw5_HQ?~q!~AJ&5#}xboa{Cixld5{VK7uH{0N=)iiZ#G{*(P!iiVt8VOysQgjXfr zsApUt{92MqvChl5r0eq4Qz>f+`y07Kc=-yJZ(872NI~2kTEqGoR$2KYD(nuv#uQFS zNj%;^n+)Kr1&VzoFdiGPeqF2{34wljD#XNqdWq4HlKqk1517~#gKC9??F=izy#z^M zJ*=lZ4ebBB6%EgF54Grzir2J5A^x(=0&1GAxG43mg2AOb3AxlgYNz|tRH=Z40O5_7 zq|CT(!<+6m(EbKsW+Y7{=}nLawl16o$#)sk?JJC; zj3c3wTV+WJP7_s-D#@hkr~53(d7zSIQQBcvis6;bFXbWT2) zj;7lN^@JW6({R?*-H9I@^i0#Vd)@r~d(*LHo0?&HxZvN)j-0lrEQqz%mBB$jqRkL$I!J9r3F0y=rg1Zk5Fi$ce_Zg3}LYt`pebO+ESvqRl>1b0gdougD2ph8>@Ty0*U}egbl}{R%6g^lO`G-=?C_u#zYKOHydEB-=M{-i>;lyWOafbFWv8r$8M|MxE^JI0I7 
zf6FmG`By>7{w0cknSUc$EE*g;yJ(a3N9@jii7ZRkW?A&lsFKvo%hFK2cGjzi2VTX5Y|A$0?t|8zSIyjQPW`HY6F-~9K~%UY)QeW70C&mj z_Uf;?;50P4W3LDG%B-9&k50X}gnmM4mVQGzkJ==;tR%;Lf?gK8W0Snd_ldMWx%zRU z`b_zUBop(CfG_lhP5rKAo&nB+lbjO)S^cR=0wi;F61@fqYKxA~bX8twr_|GGH~h=G40Cv19!{EK}W)8Wg#nS&Z(9}p^QVKOV{t=vvC>!jVisN z7k|?XS1YVyH!H076B#^unmocXw)M5n;}@ePR^!+5@%mYMQ(9JUZL5n{Rd(GY6ShIX`tp{n0trphNO|xRo8)-)U5t%ZNRBQZ2PRB{A!k z=GfOXWyAEHD@hGZ%n8fZ7%WfgztUj0*1$kUV@SOQU=L#@AA+4nWf4I+HNBve+fqJj z+X{47BSrza4xYMaq#R9-Y-jH3jkXQclXa545vDWraKRvw%>Mnboy~)+NC$IENP-MP z#X;t|Txq6}_1xvS9>WnU#m)&A&{Z*STxqIo@2qlauNS11+-IBi;|=4XkQIW|ztM3b z`S3X(1{)ykW{zd?c|;OU!Zn?TI$HK(oQlkj#>yu%)jb7J%}F7V_sy+>3y|rrH!A2( zoNY~v^TvHO!DmoQxE_liF1D!{gR_tKRF4!@!!6OSo$%WtMEle>2l`T8f zT;IAXdT?SwN$EHrPz2{{|Ih$YNSo+0%@kUoR|*-!F;XQ{hwVq#3AN+5$|=6>hwlSRQt zZS$K(odb^2BasnIF!UrpJD`3CuS$KtJp<~{urN!}GEsTMlJ8gCyChb2U)4nLO?rOs zs{>jyk$_j%d7VDzjaa!#jq1=c8+%1Z#|vRe1Clx4$!p$nNmSdVVGeVpmT-%5 zN_ojS8+GU|lq!M2y>ji+CbrG<2Tz{PM){r0?w7I*jG#qh{)zPqXMJlQ%@YOaS8T-; zVv|&Bvt!z-BSd?_lX~Dx7)k>#s?_JN?kB=h{JUJG-O|#su{Syi*ZU2UBs`AOMJcZ{ zBe5BP00NnNlXjVX>jCTMzSyg}-|72&ly4ayKf<1uCc%}BGlf*Q>S{KmxXD9+G%hOJ z8#SMlvkgf$@07RkU#L8_rYR6iU0j_Pl{xg;1(${xMKANKCz7&T7ejcy#qpu3I2lU9#Hy?FH1BWdj<_hrN9{r+}ibP_@!20SJ7Y4B24{)9c0W4naZ*Ep%fe zJ@TavX1f?rCT2Ku$rxBb)lj!iU{|f0(ZcWc{omt7jpqJ(y))k{Vb~B|7LI_iWPz=t zE*)U)1)evm(z_Zy#6Xc%i1c5S18~0dduWj`hGlx+aUeSO%Z;5&Xr3}AY7Mv)w<+|| z>xm`fHoquw*j#Hv98%t6M-2R$^}l+DK+q|2#QvMS1k3J#2oYUjoo1jca#K7-q($AS zfWfX*^!ys@KDlfFI0_Z!Be|x=f9v~5RlY{}s*i%!3(wUvUu&sULpTK7$NT0UFFBB8 zq%~_I0TweoSdI>6;evlkm&}wlbnOUSFq#@|2CkF5B(2Tb*3;KM(nL~aj(UUeR0owW zuh8wic|dm19-Bj4>x|d$MkaT`sJ7K)QlJJ(p+xMmc@kHSa7X2H!dJkLk2@Pq-NOoL zdMygWvg+bS8fVfyS{41)m?pyFEK*|edFd-J6TN%SSLcXvjHCZ1+GSr9tPv zz`#V`tMCmbeuPvn^z>=_dSsJTw$OO@(wi@P_C?@0=zgZ~>8637IlivGB zOtG>24EhyZ@nKIsJ_-TZ->Jy1Pv}svqPLA?G&p{MeN{zdpEZ|c%Cg>W3w9dUh@t?K zbjn!f^_lEjr>*JCfo@1Rj_hhrCmY&hGnEJk$2K6OrTLtuSS-1Q&|y0A3sN?ttVIIU zUZano#N5Q(3Il|{cv=A|NLE$JgE^Bc@PT&XomHh%fQ_9ckXmX!_1;;vCZYecxm>*tT?dKPr#Lztt4B1z#Ae3HyBtbY{ 
zCbip+3l_cmOT6fzM(6~#{JK~9%@iL^n}lV{xqs+eAuU&?_9^U8u04_)>)5}l8;ZFM zU{1jl%bdksW{cP#h9AHLCg6MxibcQ?pR)8;CqK4i0`X?Lq()_A5IN01NIyECX9&+i zJ>!!E3&MH{L-;J2oWW#;yXfy+MtWS~;_ZeQc6V7d^BZN_lv_GAMYY~luv^P zx)VUx-Y#S7(x0f4e%!Q6OU-UHdB11vEP9$_jWss*=b@evN{1PM6Zj+qc9l;Lgs*xctlc3@D9coK(d17eJk)=ld`UVJQgcj>E_r7yO;UYvVL< z_rAk|Nw`f~WiW@K)L&w@PsHk`0g5bfpuef>Rrseqg(WFW)e`)h7L_C^ggHSWP9_Ji!#GLm#q=9y@9oG zneaJkFmkmH>UCm!K1OXzNUV{(mi<@bWesSuhIvH94^02qqt@sq(3ATVlSY2@bSeza zCsw-4WPYo(qqpi!$B*Mc`_-#s@hyqfFf@P@ou+9t^{Dn(rTl_sJwnR2XlU76e`n_F zpP=}=%c8zN9*Xam_c)E0jXZA#y;gSRt_wv-GOwY#C*Z1P?_b_t>&S#hf*c!e^nbst z9-Y{-os1Oz*>$|#oMqS<`?mT1tHhCe6U)R}+g)15c9^i2hx_s?on@5H3}{M(AkWP@ z-`(C&ZqwDi^|9LGjMUZjnKWd0ftJSahF0JiBb|%j^~T5^Lyi95_=?z@h}&tEa-3E= zJC$=JPFGodemy$YX=+JB@Q}U2Rq-6Wf!9+po;$+aNYs3Bl1tyT5b=uD3)HmDf_k!# zu?rCy)r6*B;z}a|dOz}GDtJf$dS5-%#5o6p5N2}uwtK7Q`^l#*i&9wQWkEtE%_qdWZy9we?iHhq>G8N-C zU)2t$4n}2l0&Wc>IDX9P_T*ZyDiTjKC0{|eSG2rEBHt;|w@Y=O>JH*O#$9=ToT=}- z3I8lx2kdso+UX6!skHSabOT5cSEcSnm1n z<6crP?Fv9m{i)+UlFoQE1Km+99~$;*WO+SIzrAi#4P==g(cX_sX|r#;ESq*}ZJTe| z{T&&+9N6$|NGypbpQ3k2taI|+V^q`u9CxTP>kzGg%-6yo$?7s0gT9+uLyCPRm3Z56 z8a}y}CGTJCoeMNierg`xII>2#K%Ph zsE@;_gSS>B;}x{Obdm(3{F}?<;gsj`MVT-c3ItL6fBAv$^QFkHpWg$!m1~c)40w{f zv|*pJjpXC=DqxgB-~{nZdM%nQiQfMKn4AWc{#wPPb>*{Ta^<5C#WZp?Jf}iljgG0K zk7tyV94iE;IxJn>E-CMw{6`f>hUqq+5(0>ok=CPy(jw?DUL6fsEEBsE0F#}sy3o)Y zG{_@edA+?B$Y*q>(~}XlT@s06iAN04-OnCKaVC?qtG;vT9o1~wrJb|zSt##YdpKUo z<`j48^J~t{2C~3|AF9GH__wg<{P3HkG6NR!VIKy2AAH%AY{8CTWtQ2GF-OukWig6! z#h{Wx1tWsOfQt=H7#Q?RV)OeS7<91_P061j8!3{cLr17K265K_FHbtPVr~}gJTDzT z>D#e|@L$XkJQH&tE2t+rFaw(7Z`fP7GF!=Ip3fs;e+D`HlI?^ieDr~Iz?TG?U$XF! 
z_zSUq-c_pjZC7lF%$q>}n&GuVhLu_isr%U&oDM*O>x*QAAT1%m58L8m6fqJ zLy5Xcw>*e``pj14M+wAL;c_GZ%>1v|(rge`X>YTuF_&NsYJRE3Q$DEm_i9;GP_0NW@?J0-+`AyA_fA(XH5CK0#% zWj$`?g)%#_{EU1}WDv~&PIvd8{G&JJ&zh8!q}S!23w6UQaX$`z1$KgDQw+K>wnPYr zgb~N8DHw)pgH)w!-N+L2tII&(fyTdwld$J-o@jIZB+Tn5?H8U|^w}ubh=TI#OXi7X z9OxXmfA=?Hn_P4klkG2a=I8S+j6c&jnAGt8!VLsFn_#p5dinJ$`Eu#GI_!AmWV~M% za={n-Z+H5aA=<&2y?YE$_62099J9iS9@b{ldXVb(ntWZJ#~p`B`=p3ZEX2`@4*p?o z??N)DZ5L92c`q5}HCbv(RP#KCLU9}vlOmpOaHR>8I9l5;0(OIZc%MGXuMZDu7xtT{ z-ehy~xaJAC8XD7abSMCJh4}H#Wjc#qpgb@-a)6!RdH4SC8rP9$t4Zu>P@R^xUkA<{ zU*=SoJ8pLI3MO;3^FPhAVJ7Pajsfth8K#Xb2Ui5%x75m^=KQ%}7ypldzjX6A&YKZ} z5%6?6uW|@LO&6)FSgow3q#Ep+m~1@aW@xR+OJi0U(29m-Zy=l=6N=Q($0XJun>IWkQc9eJM0aFqQP}}rH zc3z4HdN)H8NRdQI3%>Kt&eieB&B-r@w=N#To31ABmZA^X5DUnQzGZp)5PbMwWE13L z5afe`=)bgJWXz&BJoi?KsA{}jtSXhYki2l!;q!hCdjaFyKFgiGpwXFyET$sK=@r}L>F{SfUrII} zdJAJo;}#Qmtx+e7^NQxBZxl#CCe>SO*<-x{MhQ9{o%j0C0)hfLwmxK1y_QeaR%o{Q*4}qI6L9i{Kpvr8GKn-CIZ~6BvEW7_v)$LB;f`MrG{OlB`AjrBqTMUF$>| z_h*M;1RpY`Xv6mrU$H-Rw&Mw4vBWsB#A*0qcCoJw$l!-Vf->ui@(glLNGPr~lrfTL zl$V*`x08t9g38SjB(ctNz8Ij)mwg}>E3yOJ?r`d38LjM<^So-MKMs|(xkop8%2PQu zqdl_$lsl;t-4*qhR)8&*?tUTI*fbb`Keg2?SiK_b9YIf9%||28qXqJWuI9IuCXVB% z_(XyfoV2Q)Q)%ZpQfl!k;Gxy5v{iXZ;@%)!5QcA(#!N!=IY0+ADw{GpCFb+z0LopC zJ?D|kBj;W173;c8lfY-Y+NVbwech={3?}-uo;29|uPx4_zH*qqUHoxYkX%OT3&%Dv z*G+gZdZyc%^m1`ki;ILlp%`?R{0FY`r-+WdfBVjTVdE&Ca94gMes+@huKe+wE4xlj z_gBVFUJetl%*HPBqHZcB+1UsI^X}{!c9*G;zGRBTiNh$c8GqvF6yP&(qdV}OjDE)u zGYanauQBvib_p;_!lmJ{%#;Sv=ks2!;Ra`Kn?m-NhD2w?%@ALK>zf1wucScA-KNxg z5vJ`s7hr_|hpL|hf^y;^j0dce?eoZT$9UPvFDp_!Cf&wif1R;|RgW)%GN;D%q^X-P zR?Q2i*W>+ZcN31QdzsYX@d#9(G$;s;DQ2&`lr_qimX1h&G@)cBq#lQ3p5sQA9WbPs z5x^syOdHQH&?s>?J$4c^+g#~^30D3v(H7&SZfmIwahc182b%3da>l#7Fdd~ zfv%6L_cWZ+$yWBtK2Moafq|XJ@{x3Kd|h1Ka+K8&9`xx7M=AH3D}jJk0DGMEfDP>@ z@}$r|bvKTPJNk^nJ%(WD3VW-f#e^nm+O=V!Ir@ZDsIlTVO3T7xllQy!m^=D!vdV7S z-D5bnt`Ed*NbpJE?p_~Q2}BG7B-jyuzqw2MGA|wheQeW;@4@FxpnM*j+ek6P7#sbm z`grzHONOmx#OxTX!K_DbWwf9AeiJIHrbGfBDiKe<&})p_eTx47dMeI`fISsu9fLsi 
z^n^Av0;=a#eb*I3;pmQa;D|Pk9Hwpg(MrWnQjD825_vQ;b7jOQ+D@>4N{Ai~6?23I1`YHcb3Xg{QQoq1 zJzCw1{TS)=#>_~bsm_0%>vEbZ$$muoKEr^S@QL?bi|;2SO4OrtUFp9CMVv_}1N3Au zNNJ*DZkWkOT>hp^y_Y=3mKiVwl*NMaCYs-{YnX=rq3ro+5DJi+!Lsqp0yprnr(M<= zpJjmq7aDA?ZT&c4#f&^Q``Hc1#hs3&4IlH_fd7*|aMo=gdMtnEyvI8w@@T@5gI(Sp zHj%ZO9l{ZBB3~)rL$T#C!!RK}dOzIi)H~#u;@8CiMM?@=>9|Sk_N?1DfD!5o$3fxC9`wIXK}<^2gib zUIAEv2cL|vS+ZEL+D*%(EVo(e>-bM5Rxg#!b5jE4-bG}dCM64a4AD9Xt}zRX zmWQ0&fN5T@uTMhr#rx;V;VWO9_fCwBf9!5ZuN)3s4%$(4Jt;Y)t0zO(##C?3liJUiei6wCA0MX ztKW`=(DO^!p8G6OB;F4}5Ji(cIP-k8>MnKT+$7YWL(ajWgj0W&aH5Z3fHXm?vWV5o zcxcw9K9wcf$ee3_tYn_Z)t3g1#(*We+Ytr*$0P5dH;ggpCnm#>t)b2p{pACV))OW| zsHe1cpjI>}823GFH<*`AK7s({4e>r=^O4@O;G>ivPwIQeK`Wh{yFVeZF*q$)8v`U) zch{^F?e5A~%oxp;=}*p|tv-=T7RhEg`|oIS^AFOIv}1HY>9Q#aT2cBFWq(O#T+IkS8o8;Khg-8+ z5%tjbHjQCAGDmX9j1=)q@iys{(cMAWlPRi>i*(HYon<7wQ;fk8F{@Ws9g10C<6;N)|%r{6Ay>gjd8qVa)@PVL$iti614~s6I1h1KjELD*e3^ z|8?Mq)inBs0QjdJxgygn4<9|$Ka+dZ#USaU7nlA?j;msZR7i2S#R#angeIZljsRA^ z?AxPx8^z*uk^c+NnSA6fEPj$JlH_^3H$yE+Q!{hd3}VlS2C4h`75W;r#T79u5qSIx zuoU3^7RjfMC@zEYb-m_$1QzOR>ptjFYgkTagInv>FlX3d7t7ev5!}sLrDZSqcAk0P z)f+Hg(E_WQa<=B%hq0$A#68H{-TKBU5$`0C_J!m6rfYYjuDcKq7Qc(y``yFT1(%}g zp;Xjq>#;OgI`tKY?fAxeVhaOhBe9|3iL*NM>Z+@Z_}}>#OAdN((Epv{#~}#*(sP%B$Szu(VM@eC!xTd*lbXpf+i7r{Iag=j#bYk;eIG8@~z@Jv{^*!lO zQM1P~&Yc3Vq3=VU-4Fwf;Pb4F0)`~apDt@w|D=zD3^Z{HHL}yi%%iR!`+^(6>BiKO z1wVcNn(5#{*%0<*Vs9@A^VXbsejoI4u$&J@E5uj}(@Vsm&vSz1#46*`T}mfoqq_Fy za!ph#Bv&?kSt?BwiWjRG^hLsbQ=U~!0*-qYL|mZqaC!&9tDQ_4Q<(5lUF*6QuB=}1 z^=u~a++px$kH;rm-QEa?#YvL@mFCU+bMZ>YYeZALmEeS0P&{hlD zXPap3H1dq|7$`=*JNlu}>_RsM;&;MyS}m!-HfBr>Oe)qUL$QQLH73s0D)Hl@n%Z1t zscGZ7rDpH47m{p*8PLnpaq7e)O4h~AniG+IGAh}F zK%s${lXCte8^hzHG57Fr+v9nXbB}bxON$!r$;@d2E7IU?(|r4r5cRFA-~F*&^HMvu zJdq`&i4|LB0w;GJj_asiP4VGsil4v0bLtOV=a*Es?x=*No+>xQSg~x1?fTpM)2-pv z>GA`g)=*v6KT{cB1=e4-rf*l?Hg0c8d@n^c>Wf)kzMLt5MzK_`C_A;wIOmdP+NgE* zUcmToGNdNJ=ZriAOq z=evw+k9eA!<*Zavl}l-t%@uX8{6jWlf_?VU|5$w#y@&jtR}y^VbgnnO1_ReN)gv^z zv(@sETxyev9t%QhBzdoQLf-r6Zv>EHP0;mB?Ijkb?zt=|_uFIz2l@0dweDnPx9Uw| 
znG{QAKyi;u#eQOV+?{#R(Wq2dd%8S+(J?VUTb}a-=)nej*p7+x5ySX1JU|b*;3u&p zUlhF@wxe9MN$Kene{$Y8nE~ISP`jSZvPgERPW6zy)zZ;M3o`Z%Q(s1{iR9J z<;_F*A!ViCc+a72W{cZRbMBo{CvEPR8DC^KP8`(Rg9$_V>!EAAeq-X{f~6DNev_j; zHcVr~B67N9YK+*wJ^^O0;fJsRR4`Jast92Jc@?FleQ&IGCF`h$@{QKqPEJutKW{b_ zJ?TGR(vV29;42pCr9&(?og54%JTs=$u=^?wHRN*zhjesJ-^um1X}g2iR=D->OPLEN z=fmSc5yGPZupLdT_BOuEsQpN}OR-#O=V0i^-c{r{7fddT;(Veey5!uS$g2r{iUqvD z;zLN8*iZwiQm@@gJwqAq*x+OuA9-%cuSQfx$V+O;xqs@l5>!T!Aw0*m;y5<+z#jmr zB~su~X{HA_%~j998 zg2@dPFGMTKj@Y+KB$J~`4AjV~aujJI8+g%myygBGXCAC<(w-^V*uuv>7Z)9%1Vje; zhyYqWzN+FXsPbs*>vIse?TD1Ls-`%MxN%M_T6+Yp@BAP)~z8F;N1ooYFUT0G-O-UYBT3uF5&bG4a+)Gx;cxBay# zG{ac|5fk14N$!lnBj%G-TYXCa=C761r6HMtiAXlP`&M5H_=AmxSLj~$KM_f~FGIw8 z0~~N~TSGOv*c?l>=+FpTxt`MFNuPZyk$9uol9p>CS@2%=H$h`J@v}vh>0-|~!O3Zh zEaCh%HGI0Kn`I4@cK^2L^l{e8eHCK>uP56fY=VUXB>*8wJwss8fa|99wTNfz<%?X` ziZOftirJ4D0CRb^a^~^C>B?wAbaj_6Gug+d-mWl6G;UUH`VElW-_;phl3#%Z-&{Ut zqEs0oKfb7?C9^m!kVwV}jp-{n*-|eSmHb@9C*^vh4#QgTD^Lx%GOW0A+J<^_eY|^f z5o3>ytt+n_>l@jqJ{Fb^8`l}mF6*ed4wjl0&7B;)d)zsFX6^h8i3U?AM?d;^T%s_0 z;J8HZcV(53(Up`cO2-^ul@w#*ll3?r1pC{9>}Ei)_0rxdb?vd^iPCc2u}04gvE{C{ zYLGBttB{n&sVlrr;R}X&O5rLr+Uq5bAY&hOtsm(Hl)gB_E4o{=x{nORs#PzX_)uj$5Z-({3)*eEC4L&46uvoliiIm`CL>JD`^*97J@njP$`{$1xQ?Tl?*oX zn7h3ymUO=Ze@n^>gue^97<>n=v}PpWzloyQ;jCc<%QVXFU;!_%;5mTvv}mO~D->YF zL5lflHLXaZUjXuAA|WY1i@#~RP&eUkSCvdsJ~@Mg95S_#PD$x{y1p3ZzOD95e5sV; z*aag+2`lAR*)7>21%m|0Tb+aqQ9@1&qXgfK2(?ty#%B>Ea4Ga_&WY#JS-agB;{`N3 z`|I9C49T%lcndRl=9GHNz_E`oIc>2Xi!gAV}xmgE~a?Y@Q zSC*bK{&uK}eD<^#&yj2&gKBLa=!>u;l8+Ke#SU$H?;I|F+N1|ML`}XVjtn2GTFxBr zv(}Y7G?l#U9&I^WKPPm-f}>rK41qJD{^17jStuAYBu1B9okTHO$u)r_zfLn{yYv{v zp3Fn%BjYbj>*rhX_@wNA6g46V$Z02MXB`mHpns5)1z*#k!^HQ6hA!Rn4&DSX2OX3E>|q94ML{85!&QE<6c$1%adOk>r94eEc)Ma95O2FhOX{H|ncA ziC&k{99c(%M_+WP(f76W*28gMcCfs4VcPHx19#&v9;?8my( zdsI8LQj~6BtQi=%;AB64sPB2GTjk@*tf@uk+xX#6@?cB1ET>yjNX!D@3F`9%F&O91sl}sr9J@Au%L)i*z0*5O5J(TqCb>~7l8q$j)$-_Gtab3ZE_Bv{P zwBKroIlV8ZH#R8vt`C=b+LxBJVl%gevr=X*_v@f6ePMq7o!Iz}nc6fGiOT)cbto8A 
zNM5uLT;uL4fOT_~N$ceUA~^+0xr}j4!mDuLRLEMJJ2G1<3C*eNJM;(^{B$@knkR7a zUgw8*(WoYLl3ScC3~E#8dtX0_SJl#`wTaq35VDM;>;2TP@8^#}CCN;Be}E$XJ*A?_ zri&7uJQMBe#(xUEsHQs~CsA45%vgu$fzZR~p>sNOAEzs!ou1`r;TjIKt{m-C>Ye_X zm^e97E<3#9N0*@VcH9siR*5lC=`{~?l>l$OWHWh-s`t3V{9<*&{;_D{lbG?|rJ^2V z;nk(2W@r$^Vd9y2wTaQ>dUAW<1Ue5huDP899~9L$O`rDtv5uou&AB$d1}1x{fanRlY$hKyKB6yg$OppkWV?@+uVKnNGFD>n<9L%D zlJZwW&7`=((ugp-$ju;oU@>p(F;<`NLRs-f(Dw0nf$O0GgZ=g5U#zKC2wg{)v_1`1 zW-Mu8dt>*7T}ktmW`1Nx?A1G*=)^_%)*A06 zM#C6ldZDGb=V(I2+qZ{p+CbwI8sfGl#i>T9zjQkrmJd58Jus;!(QN9O&jUD|zG%fZ z*ZHDEX*8Lv?dQ@Hd=)(}QW|O+k#Q3Z0R?%z5L}~}vm`qy7y41)c?!?) zt?+0#v33eSn~u@vySTvgGm=cj)Pt1#UH;FMEPSkC<)rKNZ-M(OGHQ`5>)sJ2 z*~A)$9UzggkX($Q>l-uFKSJmUr>~Kb-+xO=&=cw$zs+uuluG_ykB4*iIiG~~53`vL zF+uPas6g=wUczP#B)%qL(Xuk`gYWO+w#DmOB!{}W<3R`BOb++HYyBcHXYO;5#=jiR zN0M@`gf(5dp|DoqE_j4c$S1kQYveV{48@V*AM@oH_<}JFVgQyoNF`4xZ8ECc7Fron z6AE~*6@7xg-k#mzw2qVsJDiWWgyx{FS$@3n4On!FAs5`cn}?7a@PwJ24Bk6#)P`U}x& z@PL}cR=!D1URX)}Ad-qPZT;VDnJ|%X7N}5gfU`B$m#|5~iU1`S@>ncvE`eqs`R?fC zo@d%r1KYbUaC%+DfSs+fUt?!&zYeR7x289B zp1Fu)^}|#GL@p;&Q6j98ARNr$OyI2l>ROh~SE81<_ za~M~@v@RSYxVv3_rye+IxleyhYy%SrsKzWnN@E0Au!7=_0l{U*w;B_3)YuS$HMg`= zwEHuu?M@7RFn(8-#=D%_VYY9viEP+wBV3hJZE z0Dd6>?w5xnI%}PBzWucGxF23RU-q(niJ9C6PD0#GMmeb7$ONQc+=+T z;qKyU)daBr;wvl8qHN6QBJ6m;VP7SBJ`aV@Ad%kSE7|uLpE!n*mbfMoxGTLFOnA$z zN#sO3O?9*Uz(8WBeAZ$Eh^LG*Y&kQkvV4Lh+78FY_T9k>* zd)^o=*G>#hMI|qfvZ{ zh|O=O;{5amR6H^y#FPbtbtdpbi&#I(JC;_WX#R)q)hO16WaUGm7>}IczfuBy)k7$5 zg+cwj4n=mMiU-#FTAoLp*qpz#DxVV(x;Zpj)IG$WFK9?f^<#ZQl%ffT0>_Utv=AhJ z#~{i<#P|-8Hq)|%*baJ)dd9tqLW`U*CMu?K5{|0hqktP*1=r&D_cni}95b4iF=q}O zKkPXY$g>-&YTi+-m|L&Upv%>H)rG1M8BPOVlMrS^Mh_Da?aP)=D|f}kK|eTGo&r9 z=`FvE<*Mr&-x!o$g0w1thSPh%Z~edVtwQn5s|J8_%602S`K!H)g(uNdgd`4SDssgV z0XG_URxm90uR{4Z4DWfrr*>jGaF|6;>W<*u)wlaF z;0ygIhdRTbr0!T`@#qlU_Mld>`9tV7V(YQ&j#Jb-oCWGSHFChkBSB65Z}B7s`V+L# zQ-A+`0(B*{LDviUW+5FcBeb1;42+nZT-gHK&#O;E)^lu)U*%bZcP*M7xzP0^Fjt)W zIP3_?dU2^=7b{p9E5Qb3^}SNjR5PDz)=w*ED&Sg-z~cAVPkv}%+Nk7WA7OE%RvpAuK$O|#bT~R 
z!d-4g!d=sAVzJEd5KLkUUAA0eeS^5N{?>*C7Ri$j$C;Xu7Ob7YE6EU%i|HmK?pe7& zH*@ktu@9?RA*T1F;5Q5^s6#4!L@vJ|xRl(CVGgr+;Z05?i3U7GdoJy63`71ixhp~U zXWGg4^w-XdCtrdQ6aI@?$=vKW{89_&{bb{HR$}MT` zy40zMIQ343nwi@I1MH6#ob~U*$AkC%3V}g9z@@He#uo!-%<}Oo;#@qEdUcb2FyNzP z=xs?v?eFi3{<@8&7GS<#%VB+!9yl$v>d1qN2~_8tm5ZtoDnm+BaUZ4UEOtkLm)KgT z^Y@5#n%ir_-Isfy{^CNEwAN*x)59X-aZyvi-7^IS7A$mW2WK`VT}-mLZKnx(Vg|^4 z@2E*_`98D{*pz_A|FwKB;YILc?{Hcytl5^QcpuyQdFa_@%E)&nbsLh}ec}tb^GYY}{8k-^ z62@pqlCa;H;cOlhM+(qYrGX_A;z~n3hs_hkP&QJ01kbiwkFBr+<)@Gk+ezR%PNapC zFeL2~174Z?zi6tu0*PW1GYfdt5@$L7;BTJN3y=YNwx>-beM{ibR^lSjE4H}K;1+Wg z26HMvRXXeS+v+A&UMJ2PD;5y$1?rn`vWw?yb_ThZ)@tL2TUJi58{nL)JgST55ngya zv??`bS5NkC$|z=1_i3=mlqEBN7OPFAsPg@ZBc!&vLjqB#GQ3qOsMw%2+vpt+7m4&h zlI_XaY%^UQ<&}^wqp3g<$dv!Ng#{wrAtt)S)Rqq|>NIqC@v8-J>F$>4C$D2oRJpVoD(O-d9d{QmW+fIzAm(fZ&FTyA0l=42MUN>4q zb(mk=H?K^|4AY#w^9Oz&={Q#|?pL@LFbSD`Tu1?E{gF+MJ3nR&$G;{CG7Zp22^_!N1X zUsZlzQ5&y%nC}1J9+rhh-dBfI_|?~IA& zd%Qj#T~ISIT^TZ0qlberFbMz(Bb1FuFdV7D-Yqa#ZNM2W9h|b=@#?kTMnrDd(4jDW z&W5pM99Z~Puw#rtWo0#c1@lMyM&Jr{+|xYI;jUmt+cy#|?WgyF6JWAnn*+|nI8N#=_JxA*cwEpA=ETq|wH@9j+t+TXps7EQ;bp0l( zNVBmY^3I<8i1{#usDomPX6cYU(wzR^;8+v1FV%KQTtjK2#G2Zy$lYm@X!-|83=qxV z!>jieYa6t6Qv;3XtaLZXEP8)h3fVUwVvZgjC!8J|%5Nj|C30AoS@X0w;yF000F1Yi z7gK2-H#Ms1{vdxXYnsQo?M)9`B^|UQg^~M(_%HPdBDEM7KO;WX^Hw!v|NPZOn;Y=A zTt%s6ciY|Ap!o&01!t_Y%YrDP1=A)iA^k?-VJ$go!}1eYN9pEG`VzLJ#!owVnIW1| zd#6CSIB&=8cF547`&B7xJ@#9DEIcc{+3COQK?7T;?Vjd(4mTZ|c;}sI7h5tFHf9ng zAJbSX;zI}($}u2cKsQj#F{_Rt-J10`y9C6;>rGy&$AN0#v_U9i9O>KiK$@{^V(#B(Z6a(eMIce65;j0(f=nm8rXc)Z46Q&no7^^dl}BW zCMRctLE|vOxooTgZVd)h2=0WGu*&XU_a@~ibhk#6Wl`{nqc z?FYO&rXzTwY@VDL0Q$#CsuZY;yx4-(Hk-hlps==%S?|TrSrmtg3BLQJ-z&vRjsCFgdw?9c1ugwSMPZ(LS~0 z`J4f_O5wO(?=aRHc3~=D4u7KG#{Up**}TM=xkt2wJ0;tC|FFMf39y_@6qt46C#rSu z@|rI~9QHYGXM*tWdeF4nVwYAufZgl9!(JSBBh8S(LzP?^+b3(_n$g-lW7+ViK7}OO zwBo3XPKI+THT-M^HAX3aBcP0OIvKx3y$IRsEKLK5d`jb#D-A}_B|mc*BTsX1K<~5` z!1A{fHKgTgc){$Um2_8Nbn(Sn4vv;H>1w;I$MdSpv~pOG1@g8+A(YpG-{PS_0p0y$ 
zwvqX>J395H2BJ9CJjf}>`%LP_a*9oB+ZPK;vlAHc$O&>vQ4EC>>#iD7A#qHx5T zBtfCDG~LZ7^fy_*UqX8QgUh&$xV0 z6s|G!D&z91d9U?>?JMMlv>`G03}-Y9VwrUs?yFg7yYeVHkL-Z!>arXUOus&N)Csse z@H}+ULAkg9u2BD(m2n#9ub+QdYMfL9(m5BeuZpg6wb=ZuKU0Z1R;Ds*A9)@8bQ^F8 zlGTQJ!sdcIa=k?kMiJ0v^XjLM^dtb|bUryJ1+X@BmiRXysv@&J5-{DEN;f*Bt#!{i zcs%3zh#7A8lN%JPyPoC|Jzrd2bKY?Y`*tT(&R(|)DoC(}OxeGvU8NP*E`(d{zmzrS zyrS}4-TkOFm-rmfDBDky$?1$u4ik2#j5D7qo>Kco?xSP3N(D(M5wbG1e}7eqp;(Hc zUYfFP7*6!YPrNtoJEN?)sJ@`zRdVDW_uD9i>4<&;*c5pt{)9T<+ ze9+;Lsk$~@sPXmL< z3)3!p5)Z3W7x1G5{sxM3_6J>f7g*l)nT7NR@EVo)feo#mgmJZ~rwwB}t6C$HjInEg zqiDM59?0wYUBMV^tz?gCU$MY&K

;Kqyg*cdQ>d(k7tN*Vz3U#tYy@ovDY{<}YKw zjBEDXw14Z;Sq?eduyZ9v=E=QU;k+U*3BpeBL^3o==yhdg{y8E0<}KUr5iv8<@6fmv3-FR5 zEdn9Wd2g&gu-8jG2T|p9D4J7+{Ze1QC*L`s@R7Tc>*J7$w-Z1mA6?+gX5^8eo^ue` z5$E&4`FPPAe87hMT*2Alb5k-AfW`@X#RdG!bx-REy^5nzb382~mqK;%9hn@iU{sAm z$`g^Ru0^2Msy4?fdj)9b!_9FWMF*WzApa~lDvWyTT$Pcw+?ei-8v7+yT2D)gI`5iE zC18ogi%NdHj3W30GI!ID=dA>SzG4vRIS7cRx`;*KAN3Tv+3}_Ce*S811dk#2$A-wnt{9$;xU78fd9a08^{+gLvX7~D4eCAM2xrrgbDrSo03mL=R*miK79vS<1pQ~lqQ zEWHH$V$TW+T@Eq|h_+xBuCuX>kTj}6DgKXdN(7!vwG_p;LkBW@&cNa+$&O7tS1as$+ z4DGxGRq@gStiR)W1D8+ZNbdj`Nk@sCvIc>LID3~Oxz1U=dC{$)XfWIxOx@%h7W1DE6ao~?_hKJZ>DT+$P(NcdoIo?v6F}!&Jw;)7kk+rbV;Xe z@x|Dmhq+IXPSVg_1ln+Hp6fhpba9-lY(As!jx@6zb9iIIyh^Or-@31zxSJtVw0ps1 zgk~(FEfqGvmg>E}3w-vi*7Z_2+%3C~NQz#Bih5jn8>DJpg2lFP#$jXyD?yVKc zi33NJK}1ZsCpo7|pkE8kWgK4{0Q<@X@^6Zza$J16B?7MLsa$c{kf3ExVIX@RQ`Maa zs|@sP$w864Vsm8(&!k5WDjT?ZGrz7ISDOJ`%P%rptCtiSBFgagjMwHkAj{b(v3hTt8TSOVf>CLl z)3AADIy9;Q;lnHh!UBd>!4qfEEVOvkdJi9EKCvF^LOXE5kSuVp3LGj#SRz0+KIMAY z?U1RMnn7E zuA1s@&Kd~ltY~LREqPwm3Q=hVXoI6cF1@%PZbi_obVtZ=G&>Ek=J9%2IRCH<<3&~KUjJKUY zXM*5wgR_a<{=V;XAf3c1$Qee=Peg&va4vl{<>+|?sy2o1m;)`8M8guMO2Wmdh7TAq z?;;8QdASJmAq3Epa@fWQHoy%Gld#XH?_rPa>U-eOyQeY)>egTYd-_}YA9;|9qCx-3R9N}grkItJ{) zOyTKJ;OXM{`gezm2Xrg}YrPWHn;;?QB8H>PH*6eVOf*S8)6iQbHfVxU7aZn&3Ek31 z;3sduWqgsV8uAmhRhQL806{pGE%LMVMSznI!3hj(0sD>(*CKwss4W(eXGY|tr%(+O z#<^}+?68eT3)s5Brl3hHo)fti=t9VTKy4trwBSK2KK#1h$4&PrXq>JcUaZXHI0kit zCtw!L_o_SX1(NoeQItc1N%l&XEXhT?^LU6xR22;^o7zrHK2A=m5y=?OuH>7-)j#6Q zh(dViZ4ZqlIGGF%n1r+HnFX3(airl$tf7KP>RF-8luPrQXcpv=a;JB96G1|rvkf9$ zdCe#{3pCJ_?9*bGwrYoPTQabh04ugCUN~VjuhMwR2atA#GxvzJ>5(2O$e6(tq&i>M zU~Cx)Uf30hzEu?Vy;OZ6`sBpGck9^C3EjL_$`g#DQv_9voXh@vKeSfn)#_yBM`YVp zfwT;N2jX~VSNE-S#AAC5PLcY4vYCMgzkii>G+-%*X6ZP0S-hX&^fX0FsLr9@%RyJ> z8TZ5&^(URQt?;)ZRXO~K4>F7v4`%D8F)XB!ztfRREM1sMPd4%dGJ47VJ_3p*azU5d zLye%zxVQ+WGe@7NOa0PDHd~$)C;b}xqR}7t#3sov#P(Fcv*j?Ni>L|f9qs`r-JzQ; z|M1y$!lrvDkd%LAPe_V8sbvqy#p|2`Cm*Z0h&++TOyecg#8YRuE$y8MjoG}fNiD67 zyk|;dpIZeIs-;}6TNM#YD;c&T)Twu`MlBvHWzrJ&u|HJ~e)wT# 
z^BaHEn&=b`(Q#|=T2b8(4WBrP+#!%m$^;h0TyP$9VpXmwOw$$>C-H@+ou^9jh{d{6 z{A@8}hp+kN6Ot3-k#6mb3LMP|M#FOd%giS$U^8rG2T!tc)-p{&@fv`+78-94Wfz2A zZa^+`INQ|1+@G;wlcF5=!<;$^fI%;aA&?F9?_^wfq`doqnJ4zmORT+UXJpH&Os7Zd zqDN^?yGZu)I>sXj=BbkF?D=Qm2|nDV(5;U=(`%PHuiZ!oTBsQ(^H=vdhu_Dso`wJ9 z!+beFpA+x`2CS_i*H+PViepDl`@5V3OhvXSb=V8fheTy6ER!4hra6glATz~N&^|iG zPCBA&&R}kTH^j`2YtEm)_MxYhXZsvO6UYu9@m5DLYU<}3NcwK+C~Q=+>M0CqFFpF) zV76kp>4h@z@`?xF zMY?Ayr0;!~jH!5FLpdnwOv8J+zmxN>Tom>}2EExJOl41mHm%fz{<|G366z>eWIX3n zopk(kqoz4BRfwBO3~!b(c?F6IUP`xo;b>H{_cuu+qvNzD+(#T4jG5BWOaXOkUKN0x zpizJJ`p*&K>%&`L<1Suy$=Iy`(v&yE^hh|qwHffa7B@$QCyLHNpSH|0r2yl_9sw){ zp??ytp}i=)f$XK1Qb&S`yX~Oji7+r1=|>lg1(i!8Tj=9O+!WiZ6EG&Q%Luz| zh6Wa`G7TNNM)qB(l^0MTuo1( zs5Bx0q;GrC$=#G!Ef*c#9@)j-5t{7Vx~Rv)C|uzqhP7*jrs8y;+4fE{Yr5-LN~z}j z-f)_|(21?!vgJPKfb?Rw!^Daj>W-wSw-C zyYtjas{Z0due|99+OjB+82xbEe-(5+EN>sg20>R!^e;i6T(ME^y(9T)+ZNw;PQk@y z&x3K06;VT)0^|#y4Cppo-9($u7y;h|60<>?!gA-oPtgy8A9mWJH^I@Xu zAu1TA0>5~(6g!~8<3L&+fVA#`QfEsjaK6JJZSfiQEP>zH6SjvYKU}*h@c3jwD_>sP zJlkk+xJm(g2t`gf=2gMjgy$J2-N+L(@_d>ZXz-Z5OE9Nj?PB`+j!!e|rA8ZpE$K`{ znL;c3hhUezIwO?d0^CY{s_oops;j#d2q>yb))QJgogJUY)01`%vC$A*bh$O{hKDOu z8uo*R;V0j&)B@}G&c?HQq#P+d_-3Y+XJL7ZUW5ino06ucy8K$a;%aCOdB)i?o%p3< zDX5silN`Ph-f@kty@cJ#|ANg+Q6f@iu2g82Yuzi+1j(Y}6~r`{S@yQ+kEZcZ0f!6} zt`Y?7UEUf3L6wQo*H20;*2MbDf>qPr>%H1!Es9L%4pICvq?{n~rS|Y{Jbqq`An{!o zcltZnxr8P&!oo2tn*N*Ac3i-Fy7`-4FjYT@ve{go^xm)GzO)};)dc=rbnz}*wO?$xVG6{RcvS38R9RcpK!;lFa@}?)B1%EJeTin@)C`HgaK-ZUf zaG$_}HL)+8oI)Uh)2yd%=#v0e`edgD$RaV3S}EnTJgEprdti+2U> z^Wvqb+6A}SULr`gCvGfbz(G}9ro#v|A4#Tgba)C$Hao{_hMiXwM#El%}L*M z*>1M_Y{x_dt%$zrKt-9q|f-y-Z4|hUBS{^@L*V` z9#dCD>35`4h2akc{a7kOzb#b0HDm3|rL#{^JF@jtdB=781K|F3s)hUYaE;>rG2vB* z1@R?QpZw`{5e{ON`i>m(s=VWIw?X!L#8h(+XpL)FjBGo^H~WG`I>Ro`6KsWB#%bi0 z3zXImtw#xQvW4FEGtfEsO>?V})D;kf(anR$Qx-jxtfW4MZABO&2t^mE!e||<&hRTs z7bevIY7LER9uV6EeJRvmN$`Tru;@SLX|q-#iQoS9c!unFNc*}R*81r*(aE(PHn$a- zFE*C%gUkn=pv6Y~2*f^psZ7ihs2`Q84$Qw}nogz)RRNzkJz?x)rkOR#RI%2v4zY#e 
zyz@^+NB-2IqG{dG&@gRZsN}I?s6&0op(wG4epwQw#r>l^lZntMw^~dMNO`7#*kH722qjZEIprMra z1`1;7Qttwy%Ex9S1qMsVY(p<^(`muuWfX?S4b+Wm@jWcVrB2!GUNf3yp*!gUYSm>JHoAB z9{kwap8}Shh1umSAJlEhOh**{&I~#uy85o2+lr|Z`n3P^*C}EeAIdY)brM?Wu0=8- zMH1o&t^*TC)r49e18qN))qjwWF5>6xz`9`xgnV=wXlsS$u_%;kh4n6x7ki{c(B=Ig z!qzHH)iG{&tfj`)7~A(t%!tb|KajrskrDL^3&MHbY(dYGr!m7Rs~}UE2e2#F-q7mV zXz$t^Q&d+mC^b*tZ+?zQ$b;|uFEq&XYzT*}{iDhu&%c0 zx=9+_w(Z7AW4p1<#EXt#*b^g(c!|$4=#x+bvr+o7gdrMp^`(CQo08vP6B~1JrY{4| zdyAbk(NwC1zi^jnb+0>3gq&4j%I1XpW3u?<9Ak|YD1E-mtV8m+R7wdOwXZv?$g4GF z&+BL-Dt;NF*uEpiJ??SHtl9JZdXrC3lsTFCBYwp6#%YNKH#qE(0EdvxGphx@PGn?e z2EbH4@qdnDmCroy*#0~&7p7kRvj zwm3O_sRF!O)Ayv7rqcBnWfbT(YcH7ALK50&(UHFBHX%GtAgG}0rJ3~HaB zr#s+W9~Pi@aE&Vq=-7x0@>Out%iKOW5NBlmv!e$F{bGO}nE~wRL3dOpedX;irl?-$ z=tSjl{VTV{!zUt(RXt*J`x3!{v#Ph5HGe7rQlYrFRW0`=eMKfX@^ri%p|ZdcELoA? zREMK%UvkAn;16^5i*_ttQznmT!%|+5g?CaLeLdINi5%I(X zr6V_C)xz417F#KdzZKaC_W(#y6NA1YyojOip^)h-urqRHFjI5F4V>rQ#e4+T{`DMd z=ssrxB_M_hWkOGMt}m`j%6=t^-U>ghO*pjD+&shxp&rDd&fUw=K#4|oEg7cp$J5`| zqZnO9`@ay$zgwDmWY>emBdjxa%~J|f)_;dq%f%Y8bbVOjZ}W;ZR5hMXjKzH=mS?Ou z1EK;S6_Q`QZ|}G;YG3EKk`hV_v!xV0LeE8`OQ1w|Ut%l(iaeS0wW@U8nupgHE95Js(AvSyTj7n0*-s_vlx5nKCMn|5(F>l-CQkwC z&cbcY3bS7=g=+S-f4b)^@XahZf`FLgSMFG~8A>uq7$puz0ipO@TI_(VUk%J$OAig~ zu-w1r&Wd1|dwdBp2Rzp-38Snuv#tS;qD(_c+Lc``;8RwY`mcCJQDJ*6?#{VW#YI6` zqI43b!fliyv%QvFHN})aY^{b5BgzSkVg>_{K(z!G3hrdY<|<+&1!W|4H;+QiAmM%a z>RUf`>qGXy(ErKZ*oilfVYi-A3ScK(%>@k7XHqUrB-O%3Fg_D{chB!8BX3`{tAFf< zy5D?^e~RgsydVu-x3RvQ{?;Rp=b!#D0TVm5Quh-KufE zhM;q``%B;QEBXn0m>QDE0PTri03zGsyrbfdh)24#XY~Z|fP$?9;$JhSaSWgvGRY4I zoFd6QlrC*$Qo`}!u2xtZ$x2{M_1lqEDoUxWmqTF^7=G8)| zo1m{SY&H@WXDBZ${!26h#Wx!8?603YAQDN?_xMt13h=W;G?c=- zFL+;eUfsWyXe4g$f0P3Myf_MytxmMJzv=3Zn*}{YKvPA+y6Y{9wEa8X_?-XVh^D?~6ZGXj2CTcs!$E}T6U&%~DIdN7VZZuIQO zCk{uJMcnM2k^asKDVG*2TQ8ojRw$#r?!fI-91rh>CMM@GS*li@zg7n57 zw26h!P@0TUR{s*Ke(c=ztL0xsfW)f5UWiTlEU2M*7j}Mbays4u>C)3+u^1sp+$eh+ z-1TU!AwNEH+t4AWJBl*2#}n9sS3!E(#uS;^QP^Q`FrH|movqJ0o#mVuDg5)r`aD2}+m3aNT( 
z;)OMYs({2WWUKi1wb_diud(oAvjMVQ2eG7)Ri{*1rG0k`jGt*-hM0vN4oJ*1Drt2B7&cS`u#9qm)dYI*Q& zCn|h54AKU6#DOHs@E)c{%6zatEW)zv)n`L=`&-cw$e?EeYhvhc)x%HR9`0aA;7H8s zDi)RO-U*T!s}LigwUmN7E*yY|ie^eHunoew+4)NHw{o-M%>+yoU+*iX2!Emez2AAt z)uM7ceMM{hbT&@ol-hOU^vFuq>b|nYI1!x9!|9?XWa7wOYGUB_p8SV8vc&?zf6Tw6 zAb`8U2#aG0VoGG$tHD>&&P*D(JN5}kkWE!fVG=NtZ=WwWLp_Q2CS$kwhh{-c`mpi! zYJ!UJExD=!K}Al`94}v)$W?vEwO(1!O}tfIrHUbgG5QTl>S)*3I{37|%uW_G;Asf9 zfS?Y6g_^h5nZXZhW@)waj(nB_!Kw{Zl&^JC0mntiq&+tnvWC#xI^Ohl|M2?K>23W; zB4tzo%Dp#PY!T=Z*#q;5{8<96W>e0jW5;ZfXhh$(@iP=wA7@i=C;Qo!Ux@osLXGpU za6s=dVaAMcm7AsAX>O4yQR`~CE!MYe7asD8kKNnsS-I9NFO=0Q6z)H6?xFu~a%eCY zK8RPUi_%e>k#HZu%@YmmfDoGTfU_ij%h>@k=?*CT?@(_76viss?b`0dqo3vI~ zy3V@UAlXl_h4q++iBvS6`0TLyCIT!Uyxw%Sw2H_{8vi9kd*tzb_aJ#QY8afkA0@a( zFvUd&UaG~n_k+bCGWO#R#tsnAo z^IOE?OVEXSYrC5VbXNo)B8%c8=UDVz6qrYHhzV+~#RgB4Wv`jS+=Fi$tVIgS?`cP? z{^4~n8GACYG-k>80=PV%NBM);m_kr-|9RqwizojyrK}S|3$%;_p}*N&Gh-e{e7%{B z0el7bX-(!E^M>{XC(Ie|CH@fHIY%ZvpH8>^`D$2YVDGr&8^sSum%764 z#xQ@sC(So$e8|`>h(fcBUqKwTU=+X6#X_+fNN!94a+sLsZZz({Ht9pmb#oqlbn;e) zq5c-hNtl~bFB_IpsxV1KUxFNj#>At5Pn)BrNbS2mOD~7`U$d=WLnKelm=woyXE$q2 ziYWlZ9c!A#;e~!ROS2jrGyae_A5-L_w)_MO$9c0a?=z*&XPq#;s?EXXNH!yfCI|!E zQ_i$qww? 
zS}3SVh^Tv?r2d}%27#EDnInCQ<=$piP_-`=U_Y#`mptzZsrRtW+h$1YYW1+@idMg# zZ8sA#Z{Vaf&?-Tj#`kZ44iR#j}YsUGa^qh0neCA z>c}e1r0V|p%hKIAd)Mvil1g3+OoGB%NJ_xlznD!gBa}JvG67OU(e`(EnAxclANFFM z-f4?wMP&xJ{z@aGuZ*0$%2L2x0zvB$ExRqh7gVTG)YT*UiuouqTmP_B;t=*K9_^Wz~+PzP{frEJ!E<3}W$on6G;yZj1 zmn#vWaoYJY*_7;dWuYjkLjL!CIBljtr{#$tK_b;9^kKtXH_H&RBxl{T@ zs-I>;y5oC8x2H3X`uX+;Drz|#xWoBpD+RTg6$#ICnJR;4pU6_Q79x6FVa(Xvzytf; z0IAgOqi?cXLePMuKz4vFT3khyqJWwLsS*UK5mKjrpWZ*gJIWnFEJ#iT-9_+Z*vU<~ zxL5i!HNJe{&bPvuKSRpmBmkbeougo(iTK-hmDBvJJwQ+ZP*)iNe$zy=NLX#25HWP8 ze`zwuszwqxiPSU8#S`lYWf=8e!lD#mGk9yMIkVI+uA&!8leQu)OB6&qcKzG~EB_R| zYYbXP!q3ZQB{5k=RAc0dQZt#m+WauL3*}O2!&J|kbdfvOlD2{H(r?Q%hn!i*XQ2=O zn?ZjcjOy=X89&-LVe$9^7{vOXP?o<6%p8swo0KJ8@Sg&sB?+YgO8Bpwn%MoLY5FRU zoVWZX=6(tpPg<*IMv-&$;py;pYOd8@rtR*Gj9Qna!5raUAcq#b}Eq*((FCP zZWW3mrja$dzl|CKWDUZ$g@(1q$VfpB4VAUjG&7bVlqW7xUg~&4mYIH1vuki3n-DHJ z_ivFMF>0&s*0N;+Aavq}fN`m_9=9TD&RAgs)w#R7_q5gaH#u*)B(T|D)0nEfRl$|; zb2u`tffgI(36?d*A*0E#KTmGC>~N+0VN?i47akZvfBBk{Km+vzqcTuHvEzrrdY6|c zaq@Z8CUr*>?QfKXxfn7oF?CP}&?pudK_47X2 z!fFTZbaK0D$8j}u+rZ)Oxg+pqLitOy$ZxdDVY?=OVdTI^gvq8}VhY{++1jcV?Pzg+5n!aPGY)(*bx?^mF6HIc6Bq9(UNMgV*wo@>s zNnd29No=8=F(L3*U&}FK)sB`8lK}dvtS4@qx^h&spYETs%d600hOHwolH8MFpW*+k z37MGTHJ~|ng&E#`34nu}N@P z8d+7_FhCec$2oyi$mr+{Q*`(rsXI&bm#W(rPUGWV!>Odpl+sL2mjh;2oQ&RqNpETk zWohzn@-fCEzV!D$^L65vT=*KKS-+L+zi7Ruua+0QWZNSP&<4MBAR0PVESL{1?bzn$DI(96IkFU(7h0$by_l2trrEs>PiQHHR zEbZYLY$2a5!;X=sTY*4w3W4b%2Yg~{E-7;9oI#Y(l;l;(5P*xELD+Kw|5pepvLe6+ zQeR&7Nh$^R#|H4V8mxMze>~ZCzdu+>O5Wpt)a`d8d`f=b|9JfTq(C4(>H-yf=9^-j z(O(n`8NZcHw0olGEY-xYk~~sYpQo_VLR@0QF_yo_&_&w1{f2rL9Zpy|9yl^{Vd^<} zn@iT!cgvC6MO1H`H~n9c_=sAnl9pOd*78G`Bo9}$KdXwesD4L{_x$S3Bd{PBh{5QL^Ew8zl?-)5;;3Nk!6n!3LB1ut zb_pWkPjORA5C;R^{ZBF0M7LC&zC0QM6yrSUS90mPN>`f>qy~6``t+C%@0thd2hyS0 zu>;)s{FC2DuHL3-xcd<~XK&AKDOPZLv-2FXgjkO<7dF_Txx+&VpW?Vp)5I-_YFYgR z7L6eIf4d@n?&_)q`5UDI(NL?Y&h=G`V|?~Vs?3X+4lyPv;byx`#jX*^9_H@vW%?^P z=5|EYq)gbPR5ymyOj31Y^X3xK6N4pDi(^4;?$V0um&0sM!n?>p;5N)faZ^G?qKyMF??;dLW@Fn){o0o<;X?9b0fXS>AKidL!t)x&$ztDY1YxnVC 
zHVA;kz?5J{Ri^SXd8juBE&P7r7F+BMN!!!v#(oQ7Y0BCPF)Q#|NYBF3B`Spla3?i} zG*O)j-uhYF(^&sJ#v_FK_>Z6kDV`LVH6#t@#*^fkF)R^Q=}#1T4&FYXjGD^0ko+~k|viXUS>h`yFK0jdjk5N=o#3W=n*CRF~7_$*-F-vE&Vx!nTa76GfwF`+fGP> z4xivMPu)8I2=RbmncYUghqiV@{LoC>M8Lw}gtGxXA%DgYNr9tS9m$PYrZK+|^;ogj z+mU)uzT-cT2Np5aa{8ifa@@NIOta0Y*uG65O&1YNQt0kRy)aJ1&lG^N(bWDfV;tA| z&6pW=_1N3l%WC1I`YiAUPh$2WP}HUW1;Z}qt;y`(nmz+QKfaOeDTd$)IIe7y$@INv z;S9~;{kU4r^BT6m%J-wqrb_e)eVg98*jwFev!~pp+1q6QUB!xgWCOQ&Q7U^mG`({o zOcKxNWKgpQfPj_}5Bez)B&q=YP2lybC#gv2W&kYB49L9X(Fgq=9} zf2d%bWjHWmWWsD$geRpGoy7>;NzIsOY;;ly<&gwAU5q&u95YG`cFRor!EX7p4MdH2 z>uaX1&@ZfBtYX3c8qJldUB*yN`MLKez*ih6RB4lnd0m$+xZrP0Aioa#Td_0R26yIZ z4S{^^*@)mao>2of8f>TG|CU9i+&@1XnfQAF%A!TzN1szy#22ao9hYM%cvg7B*d$UN zzp5vxA0L3KvbPNo`nAuw7*N!~cUy$TGf<=U+|~1{K#EkSvyRsHLq|w&H)smi8mrgYy$%&E?05Wh&=B9wfc< z+$%s3z4!+L{1MabrAfaEkNM?87ZU~oP;3XD2g+NJX7J{x%tTqYbwxJQYJ3H$avL3 zqAPwDj44>vXuAXZSB4X&LLEjX$kqTE-c*oY8=F6Lt-sErBOHyt^>uuyVrRgaxihf= zcB5Vdrx2#jZ&`+iD({9aM#{Vr*6iIJbp6;reCXSmFZgmh-;5WQD%*}@jx2q?G(T>q zUgyqBdhyL)K2p#&<0Btv$ouWryqwn2qm--&p(Jf=`k?#IpBe+$TNqhKyF9Fw>i#Z& zD)r#isVrwL#4Y)ArxAY$72{qR9e{zB6W<&uQ~5TMD}qgllp&Hy;CCIm8-?nye2TAC z>$cZ$|GSj*n*1r=DA(h~&01_Nc!j`<{f7EsaMo4OTbYaV5`=M)KD>&1i;vae|ErYF;=dPzin=+TBj1m`4?8&9PND$%kIbkkp`=S4!G?N1!moIYz z{HT;?l0>>gGsRU&D~QDZSughj)C2sCG@y26vajMtpK7`}U=>F#`QNPx_2kxuvWE&5 zLwGXPaoNnDI+aqHLPoV3#x?)VQar;&Ic)FA4I?KOfkO$3o?Z*YJ%LHytM=os z_T#%p1`M?L;NchD1lgU7XJto%JoozvkKI$^w#Pm&r07PlY|n~=UguI`I~~y6P286r zV)yG(qSOm7wd{X}?gf>dfo@_YH0VfjhXoEs@if%5ChJ`zkT$!bXh6A!dY7cV&51ri z=Isi%+IL#;L-Oo42hyVfCXO!rnA{}l?&wUN8u({j(LqR5NUTuYZ6);S{b5*qWli@2 z3o63;s`HqriNCW{9jl&b$%(=Jzl}7`SE3vHnqohe{72iD`0a+Ax?#cIR-1tB6SuAP zg|+)YMwPgn$-(u)hN<8DT{^i3cH`T`BB4#RW01>vMINX9BGc!FNJ`k`wnxn+1a%Fh$4qj49P_;NYT zsiRBq&^LxWiX^_jm=J)d(`CX~DV7psrC$Fzj`Y|QNaB3^Z@NPdA=0&_X*UHpG5S)h z`;^P7*Bg(YuJA0>3Tq~32#B1Cg4s6m#4PE0o$cOfy6i2pC-v^^Pd(h%Bh^uxfuD9N z^#&(s%Fs3X%e>lOmj!b^lQPR)s5-O#5DadCLg``VA6p%Hz%t3Mh;2IdE(vf_hibhf&tNBLVfDPiF`H 
zHVqVKAI5j$%WoR&mMGS|ZGQe1Z3YXpbJGL&;zCys-U`ro1I0NdxmW(2jjuI)U#KMVWdPpqx z6;Fw@gyDh!i|>6&Z#ac#a$j7i&LjY`$(}IHfC=_Etabp@!M!-2sCu;`FiI*8eyz0@uUS0(f+P;rM@6EB#kdn~zI2=kF($k7 zSNV~}MP&9gy=DQ*AG)+1KjgGUzcIRtR4aS*z#>@JtFw%!Jo|%`onlQi;^8tbuapdKUq7yp_bou z9G zd;$I5YSy&#F=8EcyNQG8ZLb1Kx=KwC3+xG2uM-q4dT0SdVLXrCKuq{qC%`KsmZroa zE(&Vp$P+e9|KA;}#YMXgG*RXNcU)Y`O&M}(UCX}AoaTG{0-=m-N1Trn95VV#yqb^} zN-=e;_$GOz@Dtes#RK2&Vt-(a>Lxdytp2ynIsi;K1nCM51m~C*U-8R6A!xK9|K1?P z`#F#cT-+oDtcBSZLNcT}g0PFJLeVM(u`&dr_SC=lHYl_&^WXZQl;shIsX(qsp1on* zjt!=>Eg1tYAd^`I)X7w1hNVzNL{@U>d2@yW@+WAY@~Z8_d)e3@HYh%{=WZGl3^i8W z<)L}jAb7gBvrTAUxH9^W&yWLYBcsE!d6x2$9{*dX()hz9FR6KL4i}0sHyr*f%-fH_ zGu%4{`^wQt|Ni|uypBqLTlrg5Ej7iqtK-|Jnae#zK2L9>75q#3euHBiKcMP}7dNMZ zA~mVLxDWWs*#x0{Hz&7XpPj_NmpDe~K-50Uj8p*-k*7DNFnt#YF*Y9vinr-2EOG*< zo9F3wQgj;{@n_4VqA8WsFDLP+GB6IW*e)KWJbfgW9|S3syN|Y@B_TSjoQZCqgRBjn z2*#3Dw|7_HKjq7Y6=8}D9vc%gr;O)O0QO~JF7lSafDW(fbq1$;i6O%qJip3ReB!ov zNB&({9PicE`KFtYrS+ELZjw)X-mA z2Dl~~6xwPakXi%YxxC*|2;P%rU4B*zf|^V-gDIq5`2G0|*HDjM*cY4wg?)FeF?hB8 zoL>`Nno#Rw zFn+h}a&VF0xYto;@KbV;CzBI!b2G_pM~t<$>eo7XCZ|rt-fe}yd7C{IamzdxHXWcb z%C7W#u4-_)YPkJZWzU@N0^K88{uHjFuL{B!nz8bcOIF0SR(~Y2{EqRm14;N6d~atS zLOb|n<1}|wkeNxm(HXIweJH(@PX+yg6=$cZGmGdNgzt|-~`CNuuD3#2>9 z>?NLxuCKBqLg14|!q^JfzcpJ{e}#{+ykdekk>dgJ$0ALIX91@yh3~CkC7sU)Emcz% zmfsID%87&otX0zj`;n9PXQP5WCNbDgu5^CD`8h9Kh9GWv`={a1;N?2aM7=&dI=-{_ zq2FD(ffVIcA?i`=#@h~**mBOZkVL@URUFAVFaX${>MUuQwlNN1hFi?*HDYQ5L_45H z{C#~7kd+46LM%o`S_@VP1om_Q+xUxpK#`A97nZzp^Zr*JJxJ3mja>R*@!y}8f`l4a z*_g_JD>1ZgGTpqn7l^Cs;r#v;R4&p zUGD%haWb5{F9@DPfJGC=h&+NBLsCAUO7>56#nYn`cbEsd+*zNz>9iF+H?O|wR6S~= zfaQ2|b|&}9i_f9kj7h5X$Nh=e6->o<0P!IVNQziEQIVr^9L=31Qc|PnY!02+mI-Sm zb#yJof;$Y3)W5q%GXf)b*7phlctFv5;$&$nuzJX%Rs*H*Yo0J7(6w1R2r?_Q^R#J( zhI{V?K|g&b2x(k;LOZ_=&)y-AWJ?`S!xAE!i-ZxBh{Y(?;>*)d=zHE42Jd?P z&C`w3h}WjLupgKK#7$|*jj4I7q;EBB(H2Sps#?v`eKgh9yxoa7jBI*|#g{I;Wc0v< zI(|>H8~wf9b0e~oeha#IziWunXQ{dy_Eqy`?(ecoG?SPc+mCV3c7z{wpxjaGu3)EC zRi;`ljzYjg7&<+ogt=y^v0>G*oi8_P?X07Ay3hMjYf6aEYC 
z-Pf~{d2uRqDqJ#iS8w_}LQ+N|xcLhL&$^MimFZPj0`6zh=aFcSlm3g(U#5Fgdx)J$ zHoH2``e6-OfHPpZr|_)i)Dzj@PLhx+(%-E89r<+KqEMe(QRneBGb1Nm&Q?O6n-feM;7S){?5Y75yWY2ROn*& z_T0PB{XUbI6TXXk0B0t0vx+Z@k~Bsb#b9nROCMXc^_NBC# zL$mH%dN)4H`8C2^$0?X1tp-DsG`4N|ir%twp+4Z4k=2Pek;VBD6gH=b$v1C|$$)f# z8c9B~ksd0y(H`Ff@?YcZhbT?1_ZLY3JB#6r&)}1rB%4V^z^HqY;&$;5S3t|LAXu>v z%#NQ8Hv{pSm3RFU^85uzP`|J$K?vzUAjJ!C0z$LHF9;g1HN|2(N&c{4(L`G9oX@Pd z`&~iNj+J)G;y%ApWRST<+tqFkUN`Nk`MbmU7I=7B9LPK5NW*3L6~$S(7+ylP#`f7= z;`#742d~HjnoV;mq_cP4eLw00PeR|T4qk9yYrSbG0(!F>yg9ERC*gJ6KbI}vL_4RL zlWH^?=qr)(mOB#5SZ#xu3mX-kZ0uWsxxG`7NcdH&WT1e^A6{qQ$c2DOq$supWKG}Pk{Ybz7i zY|)MbHH&3@yNiehiT{fR2OOe31>Rp60Fy&|9JIdTid;(!xb^G)`(p$&R?Vnuv6fcw z($3_&y-O{4+QXS&XWm=n;2__jFi2LTp!P#qXD=_BuY`Hqez7rG8M7i z%_lZ;oLoK4xPKXXdQ)lo2nTT`-g-*|-(rad=?=c_>+40IkRx!v- z5@Dzg)#^&}@4b@P^ifgZi=5>Y4?PqCg*+J{7ZzYfLbbvT;!g_T&vj;C*ZxPlgfk9M zc{bTi1QhBVmH;E34-6tnwFOLoP3>*8IS8oDIws>wReTeuYYyFU=6F6CXozTB3&UQ_ z=NUfPXpWpE6pPH_l=hazN$fRCem|nG3ha{ww$V3m=fKL#@|r_H-Wl8{N~;+>fQvl> zS*QQ7FLbWbj(DS=D)CzK3ErCD^YXFqi^V)ageCmN5{`)FilYOpPGf0&Xto>R2$68< z%I>^?i^cvau51K_!iQzp{Jj5>{xK%;^b4e5`=IvO#50qNo$SowwLk1ab+-;Y882Tb zsw>yi=C`$9-EY>~r|-g9Q^#kR;KI_x!m=iw7E&m`X~GMyQc?*QcwB9$A~2t%o%hLo z4_(`kqjZ91j-_TlxeFMhm4r#=(9l6r;*^jmi4m}dON^DXiR0Y=1DtrA-mLfKn&MLM zxs9HH9!JSaozs4gXb|$wom3V5~0?kR~Ty&>Cq?~`&)L>N2isD1pZTGaw&L!KL zBkE0h{sG;yj93yy?bkAt&dnp^*UbR5SL``=QXGmq*sqiiUxib@@lyIDn1ek=6f~+_ z1p-5lCCs$Z#0CPxCHxDGRIq>w-ev|75~#&8jDvlj&=@jr zg6Of@n)~bcTTyIxR^|mGiCq$x>~J`hwZ^=8&FYag(62Zz>A3Er1wpWpH)M6vO@E2( zZ3XBHZf-dww#Q_HJrFqYyshGSMuLbhf1wpBzHhzGsfONn95`yyUG+ZBSQS)+Tsla( zhgw+npe4~9^&5Dt1{PYH^!q@U;W2AWUJK%I;ILZ3p#h{ed50>2$~by zYQV-%K*vYCu=|~0BWN}oDsBH{%!QFaH}>M6?UNK6d*E~2L(|qI`~f3s^H2R!BM~$| zEI%*K`;VroA+;1a?d~VSD4ySnVy&Z@M~QzZ;#)UBSc~a)gPdek+TmM&IjgxpO6Fdx zJ`0iX&qw3=c(A_ce&yR*42VA!Ts?|Dc(>tuoaaR!y01aMfF>q*NeU6ncu(dny(;s# zT+j7+)7;~1o}{J4;ytHDez-ada$gemsXYY$s}nzpIK68~abpTg^v^KCgF7sank(NsPq>i& z4mjsykMEK@Wzgv^MxAwEjG0=S878tweMo@quhp$a zxPA=!qKnlDorwt5ou|{gwGWD`&FR{-H@f% 
zro42$x!w2^Qd!dK5rPf)s!r_Q=?LvN%SkKY^RaU|%ao3&T>V84LU@j+rpM9pf%CLC zQ-aV;x2IoV0UsxB?T)5vx7trHCf&~F8`SzaC}5DA z&K@cY4%nU_L^mWa9BrWHZ{@R=lJXb6-*d5pVr2;Xrm3f2NP!WBzjy#cs&P(cM;#{g z`_6=SAp8gf1XJ(`%=A!dUmYh=(Jk0SG#|4>rFcRK}4+%usKRL z6ecnA06Sg_K}3L@bw9C}Cxl6if0m#X%(CjjyV?o(D*mYiLe99BcVEQ^B;#Ks04egx z#O6zn8GxigUQ+;|MmyBn>b7jEGKQvOzYgGf>gMO)^L7a>M*7rq248<1ehnF^LOufV z;)c^5bbcpel8WvwX$N_1?>6@d_&`_yUhaFrMw-+Z2?xbEekocV%QKq27-{!^)2c6r z&>Vu(>sliET+An(y+v8AFYW#32IbuG?*YO`Un7*hFKey8CLNB`>wIiFkLz@MJ>H!t zEoy=SZ6=DU?F}V6zq~YVgm1Z+==N|iM-L%FYbn%B1WKF(jUJN_IQEp~$&`OYcRF9# z?k?4NbVKhG8|3fdmD)IU`P!c z)Cyxde7B#0#aE&gVTc<n>L=gLw1h=>M-**} zr)Eo)J#}`NG86?0D8bI zMI1Tv*rxGftn`hif-S-AWxh^*!&&9Jgm|rjZ`mOB)R;Q)U71w9OgAL{1&98Q?*{_8 zr7WXZ)!UQ~q^)-4M=y@ah)qVVrIgn1ig9~qlVaP(#Bng_z zirI>fRGW8QWd6SIVV+D+O87&t>2=XHS95MJ zrMshM+ugb6!Ix))Zz6c@Lgx+9T%RSmrM=tKB1@0C)>AVTTHp>Pu_am--o7R~qw~#R z*@bYw`LBSP96!_*UDgU>HFdgiSRA&0x9^_IZ#@d$JE%GNF*TeNjohQR*#h{j9J|S< z_GLZn!n(XFVvYMl@j49l_v~jD3jZ~@X25e0GqHae z3*o2Leb9NX8X|%;9L_GvA}-jbjL1QD6A8&0m5%JHL-8p~qZaa?E;{*q8Tdr|S7N-* zz|#PUnYLmrjph;ak0-jzYOPV$7%nzWvzZDG#GYf4JpkW1eE&uNyvEwy#g}3cHg{=v zBL`vK?f!A4ufK9bmbJQx+6tQ)tFe>@IN0Qe%ID%tvU)502LI6~H&et&afWZO%wh-QB`{ zl?svQo9`tM!J=~;1{6XI6P42LB#;|G*?LMr#9R)qdTti-}7(Lrg zO{)3cFFV3zFRy|Jv%2iG63CFloLX48(T+_O>G0f$Yuq`i$+=?{AR7 z2oLhBpT9>bdLxC=D0D$EZ$|r17kApad;1~kQ_$9a(>F6pG=3ZXOc<3Ffnd*SGoB&Z z(6do!bI~5#*cvpiUTKBn1+^wpv`C$%$gpDdKKFepB~=06IWP}s`uOlGUqtPW&pIRQ zL?a%ZJ&_3-MpF?0zw7yYLC+6B?u;L%A(kCXGV|6?gyAsXe&#NWPrbQ0=dcu4&+FYB zz5@56+kbewvFJJT33 z)PG$Uq#_DYt7}(NM`CuNXh+NR z`1pXZyP1#wdge5&X+2=m*$?~a`vVPHY<6S9FE&&%flr_iBivjr$a+0Nj2}AQyL1Gpnzh@2H_YnFA0fVJ9 z0LQgPkiTwySlocZz=*;yoSHZ)lX}tCu@@=%p@&n=XsO4L$m5ikL{^Zw@_n;B`^vxo z^GA*+U&(rGZVh!)%C{$f0Qxls8!H?34Es`3GoT9G<3#rDTsZBT9)fy-wNTAX1>oyw_MnB(hp4HC;pzX#oxC-(~qGmP6-7PH=+ zGgOFExDIZAb(p|l_zw7(ci@ZD%)11-E&qca{t!vwdWA_#k2LL(tW#U)bc&s+3kc^} zSF(e`Kt=hIr*Z_9y*KyTDu@4A4eKC5>%EgKoXCrJZgYQz-GJ?wxTcAjF`Oq+E*Bf= zb$L_UCdu)gSB9-1Lsp#yffWV1gWsx;}re 
z`4#0?@^Jap+NW3Vywt{eD+0EE0mXlB1^cyd=@PkPi$1~~jx;miwPw^7gQDAQB``G?PPPv2<0(G@_3y+WWEFt-qMTB>y~7bsOfdl% z{;u|>;O%n1JD(grs=Wxet-vQEJn5%_l<^i1mD2i7!MuoxWZ4!=*qqb4GQEF!Y=RX3 zS^EvkJcUorDXD%S;DBukZtBH!p`Gr<=>be9^V(tcQ@9DA_v`jkIGoB6u>9sak7cmg zXqD_r?xtbJlH=&+3qrkC%*mM8|U-eSjwPT}w6`gN*LV@vx zO>&n;=H}ag?P+*PsGz)3Y1ZmqtU@e)v7RCPKAPT_zm}mU%BW|bPhQ`u3F~6EH?nWH z&s#EOao2t|zNz!^`fQjoc3G^*ySMmY%7+4ywYIvuy@q)aP)P|k`jZT^337;XigX;! z5c@?>figYUR9FC6v_N>W{lr~UHNxAOKcdzEJ>Yi z6WUb~&{jMd?&ae<)AbOVN}laT{wy}}B{!=2RWQMj{{^0zt7KVUL$2Zpg{r{FeryqA z>9WGBRIx?3erMn`0!%sT9U3$*-_OOgyG?NGvrRp5Wu*pNz~I>Go0!7?hnJ!!FsK?8 z%wlLK8Inn%YSRTu3luW}EIUH8$ZEfoh$g;mnXP`VYa$m3XQTxGUqCj&iL5~9#Y8#$ zvqx<>HgR|CZb9wbs8ilxtXGjF+{)r$@!`$kyDj^y@foa?10FHNse2P8x=7{{riB05 ze`4k2ZGsEx(+7hpuP2z8l?%&JXbd_28b&orMEIs|q+pblRkK{_pUd#qODv>*)w_z% zWvBxC!5Jlmp<=~!d>c%yvk80382eMUpTlP4-H5OZnp~ongL0tT9!oU%}PQfR_V;K@HUZVue(DGF_!t!djZY#ONHT7WWP#Ekt1sO zSFR*49MW_ijC-<(Sx(dAG`p&~*aq~_iE@M3&j|t3$xM(vhA{PP|I?PqQ${`O9rAiM zP1rTFTR2AR=ujh( zfy&dz)w=2N6qzSRuYDq4Fs{#^K^-cTZGO^YD#92<-6EoC7s;#*^!vS8;DxGO0u@ja z10YW~PpmjAIS4&ZY#1Xm1k-`YI=$h0x){ssqD4*y(qT|3ULzKiJpRwx3x6Q!eB{3u zh2h{Q-yzRO)`YDf#65znTHDjTeT^$yCeH~k={H`}`#RB{PQJeP!{+~(y2^m8o~NsV z64KpBH#~HMbc2)#(v5VNfOI#=Lw9#~cc+AOH%LprSN#9*{lXV6?B3bgGiT1s?%i2# zreDTY_);3c|EcNb_sK;ed#T6Ep6;fXGqX}X_FM4Uu0aAetVblB5sUfbHS_q{)t5XB zeG@z<=Bn8qc(`VjydOo;W{C$nM8)SIi3gj~!jwL_x__x9_d|a+j;ie| znl3p%big>KTug7(>)R7@%^PnOrO5ruo6(n>oF9=n5WL^2QZL8Pb6Zatoa*6(P~>I(y2LuJXf1@M?GgwjTpYYi zVUsG}(Z{Zu1f-=)bG_stTmUqhV*isob#Pl^f`DF5{Fq<9s3YaR2^1Pno;JM}!Y zEd@F16p=I2UfYj0&J$$1GOkD(_U&DSUVp>p$zb;85Qw)mXVjxb-Ocl_P02<$ApT@* zVbeI&HE>Ga`sKa#`l`zLO$8ZTsMLrg=HYoL6NsjfRVK;PIynV>Y#LtyCQ%9XjJB@Q zR(>1(91toHrifxGtC7d9r@h5dxWxUtCJ6UFp+1i;%%R&CTE{c<_E$J7L_@4rG7TF< zMkOzwwl1Ph2~oScP=^(KF~iyWkL7)O44Crhxx`XGKPsh|DS>~Z!@fw>E_r^pcz<$r zp;P@5&*IgI>@XmaSbQ&CpE3AVs&>)ivt{Dq@gl9o$~RdF3r%V7%GRCZOh;AnA^gr= z^w7>=#uP66-xKY}{71Oa4_9`CH6PJ(j(rF&j5=5{54`FVd3Y)Z^@E`l!`;0vYLPB~>GLxO(K7~O1`;7oDn>(qdJw6NTo62TlrT84uX;l+1&oG~t 
zTz5q#^9}GKNCwpbO(0Ar3DfaBF2(e$O`;tp(AdlW;JauL`~tr}+7qG1FIdBmWTZXz zRy&HyZk$@QtaCw)Fr@D8x3vxi-ni{(|fgMzlE;`+LMh7Um&XY z`FAL6t*hix8$T^Cns6tmFI|kO!kJV`L!R~DJCC7i2l=?3OYwR#i@bVD6XbsNS#i7l zj<&wfuPHrh33#Y2iTjhVnn{W&_^w?lrENP#OXV^u#u#FIxaS-8rDq{^k6 znuJSJC8UIQnvqJX`E+}t&gSSsZ2{8biZ0q;?7ZY~z||X_=6$26tzUV>>6iG1TSH%l(T{-_YR3cQ z+37aLe`vOTgqV}0x9$BhX+y%(1!ZW56g)10CE8nBK|Mr5mL++6#}UxG zE?#>5brd5W=%*yfl#i)kNagcH`u4U!iZ|UZWTps=H%2#;OjfR&dLcPxq(X6@0UB(O zQ|!Jx+l1+h#$rY_$p7X!G>uwC>CB|oHElIM9j1<~a7W|fdXRQ4fpZ?ydT0Gwa z84y*sTT$Ju)mE0aDS*?5d?`qNTZvu@@=6KAsS0q*rHpp9&A09ElsmpD*(Y{|4#fNt z`dN~tzNnnEg=Sw`U^*}buRBJHmF4xUl-*0eFWBgRhYl!ZN4=35YXiyIY>Aho(fUFV z3$x9aLaC$XCrbx9_N$wFp*(og7i(iGQ=>D88ZIo&aKCYj1^lw5&TLLJTHkSA5N^TW z9%;+FrSrTx)v-O8<{fs{9nh$>Xtgug*UI)nz`Y*JdidVpn#yT)poa6p;Vu1p54TG_mXYQ! z4L|%2Y0fMzEw)7saJ+I~k4R%ZrFd)xk{;1AjSx`d9z$LZ7B@-;sZ*FI@ejnyhM(a| zlBK@)dkz$m7g4YNfGqK~E66W+KW5IEodvhP;6BOHzJl|N)bp}!)f@dQIG;O3=DC1l zy7lyFSG45Ea)a#rvVs%tSd)!Qie*ck-g8H$ggFvJAu|Sr76g=!l}+QzGWQey#a}s= zjxP84?Yl3E7nbrm2fHJ_=4lb`)cdD=0bgZJz1VVHbVSwYN!LgEf)G4y5ftTcxiR#H4PIf z0)AME#|8dS#EUxq^97I3{NCkFw!8aVh5{w8vKzr|aze;tCW4+I)W{8Y^i85{_*YPA zScCr=ezz%Ag5s0rjXrI7@u~vs6dgUYdc8h}}J7jK;mz3(NMFO=s^>+EL!Y*Mqqu zU4&0j^ZT~sqX$$Gt5)D;Zy3PX5; z|LGWK4?djIsY7@btm@}2BvyT~x3UBcUwibv{Ungysn2arVKv)<`z1w~|0r8}Hq0Bv z7rml$V#YD-l>M;taPpN1!*W-5CfU8V`#5)KU~^0-1X~z`u*LPh2kz1Eb5sph5&2hk z*QhgDPiOJE1M%dSqEB*OqfaaGXYDu&=kI9Oki3Do87b0&>6ZJ*AOUB3w?#AbX@SX{ zNa%Y~40(J>BAQK@0SXK!XVlG84pIXWWf^6Q!fPX z-u<_iiBN47^zNE{(>&W1_u(zk_jAbaU#->3Kgfm=e5p#3-^tjr8MYb_EJPv0jouR4 z+x6WIHD0guXdmpp;%2S~y+u$wuXK;b_nk>`b8Q3>=Q#gl*n=@Tw3Q#T1#m<&!YYJ?W8r+x6V#lnj}VPA98C3kP@YLa*!FV#GmQ6Fof?ArF=qqIqSKXf*%dsv zN}6+m>HM^z1Q$8Cp5Qh*3#DQjAF>>&QzEC?vMuX5d9Q5I5md{OBc}sI|4aC=EHafN zb1{N3!!-`StKb>K6A8Cn8;b>iOuD!+uq%EM^w``Bt7kIK>fg!jk>=Wt1(ON3&UunU zf>SpL)+YF}m<9eO_4}z2amP2e5#UZ~Yy?}5Q8YU&qKx;ff^XcZJ4j`AKwcxn2RXfX z&&3DkNjZ+8^L{*X04yiDZNTdF9^k4DE&TTjh0IlbcRX{zw~mj0!21L#gn(@5Iuu=u ze2|}_`r|`v{P}~;qizJF!TX-oqz_}BUIA!i@2_aIAk$N?nZkB>+K;s0fV+GCr)ZuX 
zL+S%A#qzGnqhw!PExkQOpSMNxFr+c?4lIARg*l$5Xvsq2OG>8sZ(GEc z%x3rSi(|}Os$VTMt*{hAlPzrUjvP}Pl-3~1^~(&doom@xi*YNh@Y&G2G|i>IJ`%)K z+!A_6ED&eKbtm8?RhngjSGu9TV+U!?sat8e4F?(_$bG=7KcjZIg zmxdViy`2ENE{Fd7XD`V8g48WX9Ihy}oayo(MJ@yv zvlLUse;`a)l5oxP10;Hlmk{&_{@=X9P=(R5();!U);b2?oh2m5q8@0xe1rL4NrCGa zwgRRO%!{qAZ(28n&a-w{tnpIiD3kztIuyp=YJ|G)(7Ko+I&nFWDq|V!5wex6m4;{I zwk&a9JzvnmKE63~;c{iQQ}=RFf<;MYM%7LSE3DR)47uBB>84Wln=8mpJA#uWq>Qoq z9p~js_1$ztkbCOI%O8f0X9eq1f#hkeYL8;54bdK0<=-qE#vWt4eyO+^us-}s!&pz1 z`o1X0A3%*Qnqd+xEnNOZSb1OMTRpu%Em;S34Gw?j6!9|$S(nS}KIoq!2Da5Yw?eQw zC+v6zAI$)*nFZ=y$)(-qY8Ou8$@B zywA~t6IG}XWS8yeKFgA-v3Jy&UrVb$8|$XwySD`_uO8oz2koSLL}%j zZ1jzh0p^vY{Omow8Qgu^;E1N}r!g`*UZes(t4@`-;X2w`-pi-ll4c6NS=t_{ZG_aV(xCEH;BAa*zD9dtr*QKi8u7pbcS%%;A|$u3@#J_ zbtvM~vyXjg7s4r1CivCVK@cGJ_J8)SY%vw2GnC80_yeaJVN=8^N4Jaa=c&d9<}P3p zJD(G!)!Pe;R`>K7Y(t8Q&v7hhw&ohVJ0q5r(ZecGX_NEVQ<&zIZ;IU;kM><&WwE)q zR5A9QyPrf$7)OMyIkS9r7X5UeQ_#KNf9qDdeBikEF7^KM=5|}iuOU>T+^xa)M)Qb2 zfBjxG!{;1Zl%{?ZbtEgPUvd@<)D~TnT4Rc`@~0Z^i5qs9Trfnq-&OA8uKx%-IeV-@ zfT{eB-Ki#8uO+4BD6WI*Obq*F5tCJwmO4l)ZreG@)uD>Gv*=&gKrrc0Gn6y@6E+;g z!-{~g5vSq7Z~KC5^hLj7+uoIiZrVwazPeZHP4JCFEq5MKOR!p^3{w5;zpi^o(- zp~;fyOC3L}=;-Cvsl`Dgx+^;gedrGcdr2z3mmfhP{cd=eeMLj@y*^Kwft2&BaAzIs zX-8Z=YD!yN?;IAE9lSBWL3VpOtRF*IO3aq~JVAx(PS)>@7%R|KSL7d~x&#WF(uxm_ z7_or^!v6`8_H?L9%z9Ss*h$*Q>R>Luyx|5p0@GtH@M+xAJ>BOUSLfViH3bfs%6yj( ziI+e=S9EKMCUk41zHm&nz}j8R!LxG_gNMPqh_`*Pf1&G8ahs9Zlbgt^q2Gwv`MMHU z&0y{pkbi9u1LF8bcqpFys`-s9I8i5oNzZs73q}#!FE&7^6(e%UEi$_WO*uo%ogqk# zp+c*)4x z(e|oMy$*v``$Ie_CM88>z|O?Q(C*(=$+A@ZiH(`iH>;10@_EM;{Z=KOV~#^|Tl8FJ z2Njcp0qQ*PV}RLVlVf0>zQRj&`S|D2*VE{di3lrl(GE@f!7~E01I)E#!qCzHy^Q(? 
z*+kPv1EsLH11i?)zsqau_A|O3=v#N%&sI5#citUOt%)95T%JB$O2swi%xi-buSCwu z2&H*Uma(U=>6*Q;2mQso@ErZdC67>>r_eb%W1m!7hu2g`u%J0Gqkd*;jq>-t_j%Mo z7rGjv#HF3$T>`OCOcCxFo+U4$L!b501}_-kapA?xhF3WVH8k1-%o;BhZw|dBCb&b| z*I8zTHEwhfIQ)j|T@v6d%GM$yb~~wVO#SKE7Ee0!r5N?x4cN{vCE0Xq$smI|8rZhs ze`BbGqxvWMvxfdM{)~hgy^w3$KRq%;`qYw9Gg4N}Smi{oO1|M9qc1=wlEK4EWLceg zHvLwl*a*10+ksw4+Z2xOIdWEBK&lO4@f^w5818AC562jp4acyZC>u8hV-yGbyYhZa z9h&tOab=_rGT_f@Nt*%lC`31xWA->K{&cJ(O^0&P+cCVloyL0yK9f@{%(vtYJ#Cs( zp2FSneR*$-LZJrFFvp7*n2{E_^!4;+v+=dBg7Z#=4tTtg-|e8#*}6elfOgAbnT~9T zd&jx!=)igVEbJk~7DxOPjrvPc%vUM7DG#1SmrPTHNeUf@=-Wxnz38M}nZHGcG<>Hq5j&vR)dr51Vk9+Fv$CB~NT$%n_*J^+Pm~+xCeY&MErZZy9<6NS>pmqbyQy64434rfd$vbh5N_PjWb2v43S?a>68; zkGs}4j9sA)Xtfteyk$%A0blBK{jcB;^A%hC8J4SrQ`LT-&c^F$N4bjI4W)8JME{BH z^=hcw;1R}TFteSmMm3WhwH(6$$pCh26>&JFPEoFcBzLk){QVS7uid|pZ7RFdm6YC3 zU?2lbA_160g7mHjQmYHcM4Mr}oyD}{zFsZ42Pe#zv4a4ig;4gGM!WF)l!TObSJ}r6 z`IRXZy(wa48P_d@L$F%hY7SCfI&M}iEIYY(fD{!jWr1+;;-LFQoU@C>{?da_KsDSH$#cg22c0el$I*Z)wL6jcdigjFtPPpXb%TtcEV zz>MFoCzZJ5IlX$(nPSssE?rhRS_K{F;>G8HWVrq9SBg-I`JeNlcIj=^ z`C|}a@MHs*X<1QT8p}davtrE3Q~ut4wHi}5B8{FG;$E-0YT3wfmO5i|vX#5mossqV zGoehF`r`Kq_08A#kbd`d;Wr&&>PK+5?SCp0KgCw?COLa{ZQkUbsqxDam!hPX>hcnP z2<+314cze*ythD}QU`zioK3yqNI=W8ZOd*d4!^V&rn7 zdX}P?H8o<<94m5NE$C_{2^nx2-Ix}e!B)N9Uik{_z}4lB_adIKsH?a3i3t?GZJ{3E$L=bh63=yc2?-MsG*^Z7x*w4g47=VXy+&MnC zpPzn{ah(;D(#vPeZ9*e+w7jEg?y)}hmB;OO`lR7P<%NSdkM{i?a7$<7v`~e6@LRU7 zU$|FEac_8ye!~M*4zfgK#<}l$6?EHuHM4`KT)%{6kzF%*#6>n;%lj%gWTQVmdYJQH zjWEu=d6strP%G#>(B`(ZyK*7l>f`!`^u@Tc_e(!qhr%E~{s>iDpICRYH!$q{BL4Zj zwzx@=eCXJH$mNc`F&!k>Q;ivJI`RS=2=_2Q#&kkqv(3JeO>p&54j9s( zl1d22_T*!V)W^j0l8A=w{wwo3B#h}?XYPQYxEU`rYfxt>^(k@|reu4=2p19j3t1%L zF>uvcw>D!sLqTdAhhJb5t|sSaHhZ@nAap(jo33Uf_hU~3@~LRQA(6B$eAKWYT%a<$ zCqbkVNz{Ox$tdfjX%PoXVCk!TB`n}($W@In3EJnNj*$@Y={i%K7V0f8Ssvazr9M$k zQa|k3&yBcUF=RCw_#Uc+3g%F3TQ;pXQG2q7mQytkOy8Y99>(60TCkm3y&&(fL!Rl8 zBDcv221N1t%vk2}^N0(If+(nIFx77H^xHr1R8bryHEKuUO;$k$95 zOcKh}wm-UJ?NcrDW_1Z^|7*p%JfXOBMw?&PPNjfkUB~r3=ro`@6h)6liv8`Har(nS 
zUNN9OWiK7~l$U9q|9m_As&=5o7v$P$TL?05*9)Zr)Jo`$kf>qWh#G9NL{+SxqSSJ} zCdEFmHoQ7#_mWCFcmZmXs@cw)+wrXUV;{*4EYX9rX8KNWq%4!WWH{f3)9!fr zu)U;{;Ly)q0tag$2l(Id`!@X;v!zugFi+rS+<$NS?3$wlyQr8M* z33Y!2o`d|`CA*buwU#XQk{n^lSO%f(Pdp~m>aP4XAD7?eze#c>A+-m_4*FPw>2Aa zguvVvWr~N(P`?#Ef{JI0Uv??h8svJZhw8&s_8%#~rb+m{FaN>cyEO&LD$o+`6jQN8 z3o1T1K3BgQKg%u8@v4*9xMEj(!HM*0O!Ug4^#Rpy+L_(;(RLdo(>Y?DO=M*XI3Fie z212I3ErK^!mCTZh3~nH)=@;Zp6XF8(EkQD-;rSSPDYZ;efEOe~$V2^YrjEB=3$!iq z<|@1R{-sm}&(Y^_Zg^dkyKFN^sMWuD8P(U!qe;jAmf0NF&NSQmr=5{ll`IqMxhi2J zS_B&HM*l*77tP_(TW z@u|uw=hUxA4{E%%A;15x@0NL<40T=uDnxr<1EH^^c;BOw{cZh`wQ*M?|Ivlr@h_dL zvDYWJ)pyP|2~$Fdlg0xO9ojuLd`U^1VcF~1tuhE1F2gP?+@_25*LamI30`4a-dUZL zb8lG0xd6XZh1*Rln7Yyj184Evke#h*D{=yThdPA~m1C#ru*Tl)etX71)!i=D86x~y z7fz%4as;z_9j3b9KjHkGu^g`YRP|m>5lrC5X;!uT^eVUd-qZzou)E(I%;j}XCHPps zE+6EYsz3L2O5f!uiQ1z=Di@j-CbGL?Bh7$Nd#httnRIZA>V>8BR zRow6o=K?(!;1e)FLB62;jBs1dc1!3;ARW=o=m7$dNy&l{)6dr_Rlhm`Wrx`=L?$j` zBsBtiHzUo)Y7j$5HU8(pcnnXVL8sr4PCEEE7~=$6Ei3GNjb1tc83q-Z zHJ{;hT23UzNs_8`pl}vPK__qa3-I9kzXu75Skp!BXvT@vo8yW%#e=OjgKCzeHr{Xz z$i6S-PPD~Ilc(n!9Bxo;nkTrjk#EAcd>`KQ%OrG`D9p_>{MdtP_~OWITlN;}_6F!& znq)q5Ik`#>OfrtT28)_Ix&`>rhYd0BgXgw=1-;30RO`ZzIts=eb5x%~mNV`oEnkl6 zS3g4uW-i0Hc<3nVvB?=yw2F)KGSxw@k;Y8;##+YVSI^sI9=Oc56=k^NhwI#Y7|UCg zBMP;uc%c@J#xkorJAX6SJw<2(=X1aJn`i`pQ_ic?=$w!Vrmt*)giyq75hx(UN zOd;7;@XZ^fMxfVEtSlO2zoxg>wVfB81CtSO>Zp>RQujJuGbVcivs|lJ89hJmg1HfR z=${27Q1`l8QSAR%Kq71iM&*c*{MxM8SfE<bDc95%c@^Un1a?V@E=vs@LESIp0 zMLRv1WtO#yie9mJls7_75~wrN!}E?*K>-qgBwMQX&(7W||Isl56M`HQW%dl%$xjS^ zq#|AgJn8z;qyyoJW#xVv00Q0sfBE6*6b5suv@znNWEB)JWGY7mfqMONk2NGb-WE@M zNieJFTEs<_?7ej>x1B97s&=v5$%D;_)N$oSdM%DQtb%bj-6Au$gFJd8d%WSt$8_!h z_i-t`413-o-&@1+Y&}9-&^%p`4$={78$>)a>|dj#VZFvCO$5H~DEy`(|Beey25GNe zM^^#5w>knSK9Gjb=ag%upD@DyTb49bG+v>;i)bZW6=RMH6AYY-1p!d#OzY@>e zlTx)XujK1^9yJQGr-~|mO~xfjwmv$!GxT>oEC|p475H}-Y}z3qU`l*Etu8dH0KTft z`5-eaKd}~rwq#hh*lE30S9%0B%a87K%4(ZD=fkq!_T4Lv;HXhus8m+fe}jzg^p0xu zuHWqireU!s^E;qRCnTyn{lkrQ3@rk09KahR3P0p?A-Rj@&Z<(2Y-Q(12%vAvtFtmy 
zKoGxtBmA5&a@xHLfK+)UT<5~TJ%x<4I9$R zMD+@EZCBS~UJEbEU-wa?B9!?KX!!%Ykqzqs8gz#Y`Xz=XYCgFIeCYs`QP%1iA%Pdb zf)K?M)I?oyK%w>0kNY{oVWFmMNn( zH_4a3M-yEvn763t=Z3I1pZfj`nL}&d=OlE3sP z$ntcyg%d?P=3k^5CZ`m$B8&MGsfO|75lZmjjqlyp{MmbG35U_+gyL}gD)`J>Xe}ro zZ!U4aPLV_zv45zxwybR&J~A{v>Pu?QZ;s+iAHw8ak4fEh5#sg2mxKe6b-2BXqurAZ z1o{Ir^(!fJgkMPqLc)=uh}f$cxs1fmOkm0v`gih7k)$hGBPlb5B=or>VQNc4J_k?{ ziWqS#GD#m`S|a#V$Uvny{@n2)$+NAy69WHTQE!NBw7%T1_gvuk5_<1NvKr5P5&!tA zcU`*qh)5;h*MycN!!$w_e!8copuz6SQ9`Z9ujG!LbNyLv2^88gA<0&92nrSPHeoGY zLlWQOQ7P{^B-yl>h9od(_-IE$h`d`%j z%BdskMZ-t|L|wPtz9g&7q1Th+yr@PYSJI6kzNp<<+PHel_Z;MEEUG{K(DEEGbw+$l zDeNMd4PW8@@m~=vW*Cqm3J4qsx6UJeFP$g+8tsR0xUE1`kZ=K|gpHN~_G~~G_#c{L z%7CI*B*A~s6q8ezT)m#1yYt2IEjEeBDO=!ML^nMQ#4C8B2qE`%%g>|mXVQa13g*-7 zj0b~SvalesJb2+3 zb&c{NFT6XqXjpu&cd9}=m^)JW>$Ju1`pN(!y# zq8>@)tkRWEz;|jO7R7JVzWnUDV_L8zN9o=xKQl~m4sm_8Q$7}d^X(50Tx0y>kr?60 zQf%Ry=4lm5Stg?Gs+po2Et+Nq*2z^&;e|Zqma0DBn{WTMZ*7&sTp()(-mL5yWayR; z3u5RE$k0uveu_2^bFE);$Xag#=WdZ!RVOovy8%7xrTSC-M;$J#DczNN>p)j0(d@@hY28tlyBu4>d3mq-Z@0%cX@X zA5A9sCh$Q{WAI(58kc4zF1#)A^LmA_tqOP0SOd&7X&g@ixg^P+HoBAL!x8*%<0c0w z0WKWgq;U(V&`$-+?WL_vAm>bYzWN{ZlQ=RA?2>yPV+buUX+J{4&ohc|+{zbO-;v4% zm>?hN&|eP&Z23=)w8btR>;uMt!B*4fD9CZn)b#nGN?+0Ry~8q^9N`{3GH~GDSq1&f zM_Of!BY#O&L8~0&-rLu34@aV{4urOUv^@WiEyjG9)2N7*vg&eSx9TgGB=YF$5?}&K zRkQFP%yh8S5%w{CAhYBoAqI*klygnK$dLjS&cOo0e$0jfP?|0iJN|+nWvB}V&b--* zcbW!|=t2VCKle;bLn6bJ`UF^A=vs2F5t-HBfAc?x4Rrfbl7SD?zvuXZ>T-U=(LAwTYu1Z`$lLdzKo(n~)#3kyqfZJ~K3ahVjRL~NSr9^fr zPkkdHnXB$_tnKg*)*Z#bRr3~m$GTsChv^LI`!6(@ zPmkUmVi&7WeY#N2>~NoW8I2tnF+GlI_TqU%Z;D{H5p3XBk+~|-fi?=txjXNi!~(U7J~28Z0Yz7Wul7l}g$Q+P{*CNGZU&58<5hTdy0hN*(Q4Dh z?}3;yd`1v|=6v6E3&S=52ByR~DtSd;Y4;@HZ=tXLbB0pnIlkw@Z zgaUaSkD`R)rVN-(yA=-=<=LI#ScphFXpm6=$cNtu5VP7Ox4Ua0I2Iw0_4(>iKA5z^ zH!K1UU%_$i7a8$^eB!W}I)b_pX7swyfu3Y2K9T|AZ21uqsIbk(SJ8E{fiY!`(EsoM zt3Ut$1;aX$ckQwJP#LwR&XtS!luWFLw#)hJnvb^7{Up)+Ok2ox)eiRNgnrfz7g1z50(Kvcyia0$UnUAex8bQ;- zBR+q+@Fg*>-v3ds>$cS^LRbs>n?2&;ShzHz5 z$d0VTvoOv!oMg2vcHa?>+^A%@#C@l81Pq*J0kOn1p02v{#QxZOL8tx+>*P(RKE%w8 
z)EirJ+^2*S8!j3inH-lm%&hN}JV=r1^j)zC+E#ua?lPw4he7g4h3ghKCQO}*e?zvD z>jOhpcmjJND!?4AVuplRy9^ihLe|wxCee2i=|kgXKKltt2*~QNMW5El=TECYSzfPS8`8btr)oDsUm?x7R7p|m)NFWAYm0jEP!6( z4kGJm4`QqJskf)qrBrDq%mxrA$_I7|vdK6exb*u1TSnZ|bb;)OLkRW>P!_z2d<81% z{XNn4nu;$tlme-Td3b5biu+jmI9S2WS zmW9B8q}A6?kuas>m!Qw8Z-6J}7fHYDiuWJbBnEc&f(K09oRNE?F8(vGKv2wYk9#$#wCwfWGD12>;B(ZKvNs)!R|n{fj1J;G)2E+2F>x zC68UwL4H_vkg+ipG}gw7b=!|^^c3v2C_x(^RFvXn-kyKh8bGpD2!#;h7rhtArt z3AQ(-hb$F~qa&8Dz%%b|j4t@`2g`$<=EHGBkK4d)b$?zUOYOuA>Bkn zlSZB_mSG}iz>6acMawhv4IJxp_^2F#{1Q+C$qEpTY3nYWI-6$u^GPrrN4@;*dOEK9 zd0JksV`BHoM}{m5$Hbi5W;{jML`*HXdK(YH*B8G(KIol{viEunHvvcHPj1eJ*P0vV z4_lMmjr=%os4gD-lSjEd5^O1$5QCC;;6(p|3Go{e08E76goqc=Do|Sp<7S5jc#&hO ze&1F8uElP>UdR#E7Kjz{Z$-Lbu#h!iLRR)RlXjp*0ef^7j63vbOr9@yVcC;l$Uuau zHpKqG`ckBTd(WA3^7u)d7jmg&Seb&eM+zr&flO(KkF#+Uq|na$<}#jH;pOK)4A}@P zAB!|`6f28ZZcW|SnV3mVK1G@Lpq~p-B&o|}{k8JE7jy!$DD{6kkn2j7M}T^bh6r7~ zIb?L!@MWs?rfA4Qh~2sLPm#l$EuGRF;NtvA-4jPLb~L^WkL#Lrjw(GLl3SmXCK#j3 zRW+zXRBq;{=%ac7@rUZ@rrP#1NsGkJZ0L~cW9`D|;gDu1n9wI=1?_+ElZcr=MAggr z7l7QzrA5AyO{95|@jZdjmxyy&o%vSw6e!t5RO-c7%uF7~*POqA7 zi)wmX`IUOSay3L7TR}?gtdAWQq6cuwPkECqmLIh)oN^bOk~~>OluVvK*<2Sf?7rGY z{i#SanM9PIwOa4xVhENH`g4H7WAg;wUjTUjq)xnY*b?<|dYtSde_oh|!X^HBp!`Dq zJ1FG`JbT)Mfjk~YDnDiPo|E+##!#hF<9(|L_m5)4^cW(olj9n5_(zf#gg;y74*lfc z9;uGSF3iSPehd9Wxmbr(yTFwJ*dxSp6M13EBo%cNnW{;qrP(@p{#9wG1`!`kU`3gS zRG3+pv^;Y3a%|Jq*9 z__Cnji|*VZK_|~ zKt0%I7@OgXSo|ZaE7qY)BVWNuOX;F8R_n@7Clj?DIPJfQEb<$WE}V83+&9Me7{qTO zV9n7eBPm)K_J&5Ob9SxV;7Xbw z<^z*$QxFFv)w1E{69_CZnm^RTm#d9B7Y4f{a0+o#8A@YA~fSm;aSPzJX^07|W5FyL#Rm1TapDX^N4=P(@Lgw zgWd=Q@+tZ@f?!beP)H5MBX|OYU=4_H;`gr&z-)rk@{|Q!`M9kTw(;}pon2ta|MD`E ztr8d*6sr+k1UGMXHg4(Hbm36&C~Evx>1L54Q8%2K!k(}eeZ9%wppx8S z@-x(r5fR97u!phF|4JwnwmF?L$V< z8~ew!$H~*gzLJf37sfFsknFU_a*IS!H8u+dCDya95dWI%kGgkv5#N zKU8R-i1Am$qA?h->RQxzlEh!Digsr8zMBi_i6C$

n?_e~)wefe#J<6tV z9QcYBoK)hk&yCmIK{-`51l70Sy3bcMJF>QZw6sUJltpwc#n${@v0=C^hHd_iwvXU?S? zK1ygHAD@KYQapD_JLU5gm4y0>v!kPT!}4uHzK#oT-nS|il^Ui-Bg?5+T9*CY)8~7e zBMF$>-tIp?QalF}ybfrmgqVyaR%BlB$0;rwk`{Lhl;eXn7uuhg7>b>Ayz41VzxA%) zqFh5N40SXS6cspflACBaHeathj6=w!I|=89$nHZ++R2}HVSTk8q2%BB&3l!cg- zB_JI{23e=^Uqf@*WLu_MNOgxV+eVk-i6I}nU6*=KSzAG0om<@{C^y_Poi*~dBaDNuLw#o%B|sKh3;9K(q)iT9b4HqvYul9o4o zOrc)2SJB+21G6hU56JrW6k>Wxs0cB|K(=8m;rS-i!XpNALGs+?&}vYWDXOMBLScWc zS9)$&hTmR?bZt9a7%I$uK7{CZ{BW^5)jwebolCKg5O>4cs@YT4F>!3Sv&a4_BJQCw zC>Izk{Bi0{#+x~3%4hp`VB5b+7|;Hx)M;@OCZw};_`sd25c1E+Ty@kLy>hVPg-U&k z1JTm1GoJpuN=VhLUD*-ua_94qK=T=JpWek3NWZ5h9Pi8?7tNrKD?u!!XX=~{7v{HR zj>8JGFhf0y?=$~NkIjla&desN8EIeopBh+AZG^1@>faRduG4c)H3K8hQ|(5KU2ZW2lNfA>T2JChIyv>78!m3zhU4z+UT0?s`5M zPwG&-{_l7f(|C>0v^rnm%I3gxeewSCW}0=z;^btwH?gPG5$|W0W3itk)a(!77!;$` zxko%-Y{5|Iqeqh_2h%YmAnU>|yeShU6i1qp%Tos|x@`Uwp}ub0a{Zt`R%Gzi!&_i{ zUSy^uhZlV*GyRb>mv;nsi)nMW;o93-lQMKa>3r?;3tMzr$sHtGLkDMAnVG@nTmdJe zaF~G)_9N``7_`KFGM==cwBi?wrCJ(PZ=OIbjb%ZDOsAE5e4yBf{$flm@EvC4M4T9w z|0h z(#|OgJzD^WU%vP;@lzNpu}?0eh|nI4r76+7CDaZoXT-M0+z1t zMG$?n!hXz2Ac|~{>vjsq3oBT^In&>e~zd12vNIeE2f>w-gd9P7?po?7?=mWgTa z`Yb+o6hp7Jk->AKC~(z1h2ZS`x_ME+XcU6`Hk|i$hC`U-5GBbr5R8Pv!vd8^ToF(5>XE1X&fWm}Jrb zBfXcndh-X_G-xQy8DgU7Ss}R$2$LT{@*Z+GeS*XWSg*$AK?CG-~e@&|eI> zS>i2vWc_3ZoUtp#>(3K!HPL_x`Z!mqu>i)}E{w;LZ z7$0)be_KAv{M27ePcTIcl8do;@^@M~9Xt4vWj;D~$X)HNS48(VZ=mk7P&qVcp-`PcJ#y*JH0+uREfeFg5HkNF9Sh&s(WJOw&`kW!_3O6(KuF z)I`*h?BDM0*7~&ksEm+&BSK^I)Hm*!BN*MZRQh!+32BDP7?t5o64W}p@>$zs*k25x z(g1@{)>N_wf|-AmD`c;k@OZ^Et=}Em>9^swR3e*WFo|3A34hH}^xV$#TvS-*;WDqL zZR{}~L4o|udULGw?ILuO*Dp*5*)BrXz42Tj^I^AV&#~W+b4?v(fJW2#wqmfZPa?tC zAvT3t?h$M(hUMOL;r^SFz|3z$^FIyhC-Z@5kO3rU@{BEf8|-$*VTwYMm0?9Z7IMB> z14A{0-mrUa;aN8?=qmlencJ%|%HazJat)hg<3=`k+&nD1v423Y(#`RDdmhlY;DAwB zceG>ay+p>jSbJ&c{E@o_KEH9W=yGZ=^bIMn*LD z-R7~;n`o^Gy-r?I_*ncgy#^yyiuU@V%nQh;$H~I!3$fvm=m32ts2?*=JW2krQ>O-a z#cjXybNufh1Ruu9TtOoPddkh1MJ9#(STgyhI}3M*dr%u?t2c{rXa2YR@xz4EA^Wcj 
zn+wapqJ2r%3bo_7%h!LaW|;$x1DXy4$d%Y76OzCb0o+t|lrN3}MEYH;WQuw#0ob7p3($d#OV)QXd7gwgkZZLk zF~TYfF0qULFKe`#f^i=Qh><~92O4T(d|euolKBzxjT=%qppAEjlf5;o_301%C!69K z;`f(yT|#`d;%KjUf!x*pe@9c4xStryGmK3Agw>2wQ%_Q}8OrKA*V>&yD<0T<^H!FK zw`7Up9Wr_zpXT4u@c%-*?ces?zl(LzAXp_?;Q;aH^g$MAp)(i*@%eT=9lmT=s4WZ! z%1e;wW;luw>n2 zEPHb`Mm2;qB-pIGrW`&(CCOi!()<(*M0l!Pxhl5=FNmO``%iJmRS8lE(A{`krYr+) z>K1I!M}iMsW|(}8?9Pa9V#M6jmWa^1JA?Dcl=e2Nr<(J9EJsVo&>e(lMBe*;<@IXT zBuv({h}1&ibL6i`^K%rNqzhP4E-9dR=4m!Zs){ivz~#W=#+$0+BDr&J2^9mh;G!Sd z@&Qx>%;(L0K%=e&KHUG}<>ez~vERjNuOYtPI_#jmNuD-5)|8M)>+ON5E4$Vu9h$me zt=*9~)wFFY#sCQBxWoQj5Y!J1@ABHt<+R*i&bktVTVPgWYv1|Wra71@1Z*!7a_g0Q zv@q@UkH4_obMpgd$6v({Lnir`Jb2bb{h*f_wJ6qpMi%gzR$ZGeNoUG5h^PC8;>B5> zxd1U_%(na?&XPPxCGrU%#NP@XW^~0nc6(2;F$rw2C13UY*;Iu;rQpQeaIb?l63?pu zjQ`H$4h-as9J2lpN@c0DESr11Ilr(!Y;W5a~u?51HAwGZ`tuwyxe+ zxQR@o+|-COWkG>Vi`WZZ%AaPYv-_6Nq`mV8lN%ZV*&@$@#XOd@cU6G9VxrBrVpm;@ z#^!U)W}Sx%dK;V45rh_n6ewE++}EX#$klWdD2huCc$(r5haks=JJ-jxvhrGl{!4fe z&e^TUNkhhsznx8LYtai9sw>5kjT{23`Dc~jxj_~?A?f=lD; zLwWH_Wmf=S1r(5OHmlTxu}z0c>sik5ZY1sFvF6K?6k0z0>Y?25X0HfS;f-~vxm5`* zD8%H`-Y5>(!TufQ`V0c1HGjW+U2LTR8@^{f9Ls~F?BSK3|iz13L3c+{nv_4-j zZ9tb%Wn12|7QMog)WWtp_lTh)X^_tLz0f*mw~sKjDw=|8(?iJv&vDs!354aOQ*CUw zufzcrx0I<1@1CXg-2rGKpTGf%g0CFwD!3U*T2uQE)UB_UHZcLK03e{04Gj^tO%BUX z;m03{(Jd9X684Q9b0KA3-ZGjcM@7J1m1PlxVF6k4h6!8_*uIP@B~#_nXj*hpW4;PW zy^eUelF+yRu&EGi9YO^w6W9venNUXhp4EI-6fpB=^X(wHoUCthIO^sjxJheW|Lp-# zE^TE3#)1IL6L{1_*m%_1Pj$ht6-5ut*-<1_KE;X({`@<(@66DSz0Q1GzMo;ETPSZN zoyBn%20j<4GVIitI+aTz-c?@|xWRX^Z~o}hA{4t^DJ)&}!i4HI6^A>pq z7wAnR&|jA~VF;TF^!*4hgIn@Zk~p%sul{WV)Bb>|v!X1bt%Yl9bQP8yrTLrqd-3+w zZ|JF`YtH5(yXkAQ_%Hb}VMVaF3HY-CWFJzHLrXPLq+#(%Bwc8c;$Q}eElnHb)CRQrmLHI&K%#ZIRXtc=fVqF^cTFPL;(chU-) zFeDTUcK=v{-p$U(*47ag%#5u(RGEM3ExKx_-)5zdivHhtNXM()aw`o8;tv_93-MB^ z68jhprI+qyRoqd9#Rzc(jOaQ@G2%Blx*AhG7tS~QUv{8> zFs3_K%!Lm@Snxx80`Nnp3&Y0F&G3Pr5uMvxJy+vzUGGwf>~Thvl&O*(;^ zh_REfFyd4Gg}5lZBE)9tFl9H2y-Ac^exD6Tbr3SX_D{YJ4*}wvskffND;EqfS|WSJa?vy;{tPR8^(>iMJ2qCN?CDWr%%N9ahl2%Zo?8nB*@l&Yn^>0#qpLcv*s}lkX 
z1U8m5ofpcJnb_{cl(`%>U*CMZ#4dn7MkFr5IDs-ysNYI?A`hD8bU@Ar(;1%6 zR(Pq#Fp~YM$%@>6azu3L(TOl1ln))DB_C6fe}w4IzXZ;n?<9vNZUd2rZc|;i=Oc|7 z*ddaTN4`fThPK!VJ6-J!!ywUIRQDXoe`3@H4)>dyIQ|u*G;XiI9x-?!B!R7hTR3dy z1}q&|SR)`@PJq8`#p^fk^1a(`Gl*zAzPmVv_@7e|xjN6)%sac~ zvfAGHu?_pMLw#JEJM-^UsM|F#MAKi2#!{}WC8JOTMSl=!Cn1wVrVI+IrV04i6vkaF zszG|@JR90#p+6Ea#&QK%lsf?WCmSmL7v*xtNr~kGW&b}Q%sunSO^%D8^i1Kw9dnyk zlh_zh^Rg-u{T+ePO^EV#y2(V`b_*Kwo%5_n^Dlk+>-SNwYZKpI`aL&=HY@FIQ70Wp zDzS+J8HCBpW_x_kgzL~BwvdYBu`a9N&)c-vbUH>KlwDxJIK=@#rNd?`eHv{VD zp60^O&dfx-Z;R-WA{THWs~9PLf&1SoMjh!!+W{JoRY;9M`5{)h_Beg>r6}0_vU8$` z80%}gA&#j)4@9t~!%~1)_Dfc;U?8up`a<+ypZ5IqbJ{9;haYkkc9Acw*&< zQAl*Sk!mtW>_bKE_vfgq(KIni5;$}j(R=#6+!tB62U$v-Fyy|jzI#WqRUY0Qn!@zz zI@e=)yIlh+0^k0ke#?ZDcxYzO0pH}QSUV#E^?zhYOagMDcWAHusH;-S-hf5l_Xlf~Zfq)?OUF`t7) zB;;_jvR5EaQzby|fB0)>BI-d5`9op)7)8)>WsjVis;q71_s|5Z=D^Ri5V^jE<~+sX zm%Zo+;I^lx3$IS8s4Vt^Oaq<$<9h;E6YBe!_N9Guv*hPa2|qh_Wv#g_W+YvcWL4^! zh9|Omn|$GI$)XRq1`pXHx-+FR;cdR}bE|u`lF|lsQnBPWqUz(*p=(P#b)i>&;o!*~ zc9bky2Jf=dfu26P{iw+4_hM-O%Ymk4Jg1YfCn-ErYVfACM#lf7v8C+C^5Pu|7n)n< z94{P=z|me`FKjfx+Z2Hl=HAo0i=jiW^p$V1oczu6xL*(GrBcWFA|7Qq!6*m&FwST~ z;Wk$2+R!+_f0r^$O#rBK`?5!-LRuy%;v4@r%Lq*%P={5>naX3$mRpWlC=n)wos~uI|Ma zD7%=OLeMMOt4lQX+Pr(1IV@dnZ6TwTFb9THZIkG?x1~;YXKr5ShDz+aosb> zk}G$@_Y}uE863{HMW#-M_Qij9Eh!{#>Pw|^Yn@gIclBWGrMuNGCyZM?lj86?LeVU6 zuq`=8ljq(&+u25b?ZFhC`2b{ zJCe};*91hn$4p++aa#2{v1__Fc)e9~vgRYyjYQ@jgnS zT}*l#zqugYyV86h-~V;*N((b~HiiuRK_|z2P!`Dw^1luFf(RLFvUwq0|L8ZkJB;PJ zuIvO%ryM=#H?IDok)ocM>81vYaPWnPFv?yjJC!4eyU+JIFzmOB?(7sp2SV}l#alAz zxmD@*FkcY2%doNl=GD{*D>jkMoFmN(|>`~T&Qg`+zg5jX#!$3d2-%?|QUj`%X0 z1{Ihb1hiaEu!$q{jNTuFA&FKqt83$(c|hjYOe;+^+7sFZ9c+~sP9OGsWKh$P{Q#$r z)aA@KFNWqh;5_{W;h7s#+Bt@fAuT8beVFezDeI0`p|!lQDZqpTNS?;UE=U0x>Yfw5 zLKh}EeE0v{Vyc zk#>0UGgt3$rzhc`c@`oa1!x#~JVJi+s~-<@GY0`64N4SAA~yYSyd~a{4@f^`$=#S@)FW%-JicmCsOCEX$!M4E zzfBSjI47KB%RQ2s_JV&t9!tj!D#i|{kl*NsjUh|7=t?%M>QtDH#|(_Rp!_}N690TW z(_g5@$)XJ0V0|zp8#sWOV7`;6CV;eo-9-e1-fSWAJ z`b)pD5cC3KC7a7&gRwrW=YjJUXF4s~xrDYm8S4_W_!Ydp)qmoSnCXOwyFBukZCSPr 
z&4DfdbXS0 zc{&VH-zHf}v=O{HZ>Ao^!sE8>ET)O&GcbwO)S%0Q^2O8M9fSs#V zKRaHk5z#<6KO5);AX|J;^{F&vc*Zg>u}4(?@X4-WGfT#W(IYXn-%owU&$YNXNsU`Ek`(`t;x=KlEQfxk!>F!(3IzJ&ioj`f znIA~oblnSVoY8^;m{B+tJ(xep%xsB;Y+9Y!mqWi8m)sN#(|uAqa-ryeTFoc8sn>FF z-R_nrHd4d#_g`-Q2 z8NX3%XO7b$%^nNSN|Am=os(@ieX{6JHx0Qc`+|NdO1Z=LeC;CqjL& zmEG-#`MzQ5tfYf0%zMh}RedD2dvAgwEw1)?6zzcg=*NXA+La$j%aR8?X4mCMv>QKG zOd0-^SnF!&K-^!+^@MCa)1b-`C)-7wUsK5rA_E=B(Y*Tznp@yBvPN&iY?p^8>Gf|JvLThzu&WI!+Hc|1e3cEjh%K^b(_Awu?bxXcn=c#G%6SvX zxWwwN&uF}Vl1z!lEL1Hs6&1Vtw$~up5`n41n0W;uH4mp z!K5VE6D;K_-H}Rmq{;Mndb(31;%60?mju&uS)sBGwub)0ou9;pw7#f!)X(Z=b_@M{ z%CCmE9laNUqrdPCf2_MF1-@ZmimRExSDB7flIO?R=ZiK(o@QtBew9Na3zv|fVZL65 z>Afb(?%iJ9TVhmqhQAm{+SsDpb!Cl|nA5&ma>S9poygB3clmahu=^oA^ZnSt628YO zInczFXK(~2edS?MQ|^lXvJvWwt@s_~nW(YIT=o?W_oyNsyX ze}K?$>xyhKg6|#-^qa@AXO_0N^jaY}`}}gVz`mFrf0>{ zudm%pC$W?{sDa1Ykk)V5GB!YWlqn*Ur9um=8HkZzi;OP(C7qlaX;qQ*k3~be9 z-M)97Jq(0+r#%TpaFRP>>Yv!J4!O3u;WcmWZnPN69?#0+1*gd-NcM7A_|daSDh)~n zAffSd=136Haa?YnR~8?Nk3gN1Dh*VqeKI!((V`QdlD1=?lj?dFcj{td9Cg@?*_Ta6 z)-4^G!vze8e+8{X1iE;eH+d9Y<%Z?lzejj%ga%C|Gis8dUJ4F9B5GAB9zqX!+u7@% zC2?NA+W4!$qiolhpN^l%P#wQ+LooZ_Fhz!;3#Te_%VBKI9 zQQaWMcw|o_REL6}!t*M!#WW$HU_!rM_htqY{|#6PR>lM}G_qRo zQ0M=cy6Uhdysxi_$x%W;y%oDv|;SFz=s4qjFXv6v2-;Lu`ivd0pMy=(}r*cY_1(B5J zoR5eeekU^s^n(HxDKS&fu@SGQ#p~GkqJMsX|Ma1ly}tve(he1FQD*r17f62+3!#I` zP<2koPE8e?CUU~^2bIsckL2WvxhngDmeJA@mY3&^Y*uCM?TJ6*yh##=E{zlo2QgX9 z7PNdO$dkha<#kB-wfw-cXg5db%?>@51u}3P4Jh4}%&SZ~;x#syEbs3U6~uCs`z@;> zc&hnmjSqMXmPV50i@Q_VZaG?M+V_UiepV5>3HAY84VV_4lfr}7Fb$Eeg;I+2Ql9Fb zo5I~s^Etq^$dx`lhyd8x4|8iAI85^W!x4*n-_#r6cQjBl0Q6H5&n*!{Md*|4gbEom zngmgAZV>$Cgdg;6E(wSrkoTT{Slqt6z6^o94d*Y?ei-_Fv^9LO7k4?YXn}Y^o~i55 zQlxLLTsLc5fAXUSmFbB0RGWuwJ&q}71KNwZ-o&B5M1>QE&_KxmkhP@xr$|1e#O^sA ze;IKSludf-rn%;jYRk0Qx%>y!B=@#)PEtwIfnQCc;}O5VCTnU>3^|{3#-4K(JbZ;Vz!Z5~3q6nTb<#*d%F;$ey2SYdEbWyfRBKAYiD zlrXa~xiZ_XQAxJB#hzDWP9mRM7|$d~CezSV;c^-bxdn!aZiOkD92Jz&SfHB!oNOJS z2H_%VI%-|#Y|6S(T)~@lhV@sk8ECEzdwP_IEWO@9RrA8WE0{uOu+TNH=S)4eP<&Zs 
za<5;)avw&61N}lzqWV%uucEo*agBoeZXQ4d+0X_$R3R0Rt_SO;G*vB)e+-oM{SgmOA~ZgNf32<<}>) z&pe!KwPAj-N4QA1It0Z0$)hA6{z_XM_yLXm0f6H{x6TER3*Jyb8Vh$*b>W7ZI2|BX zWlFGw=_1j~MzH$<@_h&imV6-o3-Q4Wg&B?J?MLWO@#93qyGXGqtUN=CJC|dXSuDWU z2Zhpc?sG!qCZ_#oi#vjcSA+72<|J!F?j9v(OD`>h6B))whRR1DrBIePgmF*)l{x*lg#6!hJD^NWKInxUb zXjpMCgYH<`3K~zt3SX-Tr`+e79lCGLd2JMAx%gMxY)sqA&T9|_dHWL0g*meQ-f5+s z2qg8g3CV223&{nIL=Fu1B$MO(j>i|cV)#1t@y+X43V*#AE0%&kFbR#soTlv2HbYbT zNtO7;dvBfK5{n$^HOZ++O~lh9n>g%T|0!ZAfD54sTz_KKKy2dj3&E+hU3U(Cz@_QY z&XD$e56AO>Nqugs-IXHO=<|`(wKQ~E=M6>!!B9O%7wiqj*MrLbSW*CS@S6I`s|$&= za%kR5JPSH2<)KZPx6>|bsA(|1gzS5F<}e(Tjh3E}y*v+X2CZNy3vQL!*gS`^C3bZN zMgTW6DHu*ChwH9Uqw#gn;&0Xl75^@aa!}DfAr*}Tk`>lPg<1W9pPZ?)09~BO%)M-? zTbU{Lc#|o?3Jm#=xgxX>1al$2R)&o$2az z&WZz=1Ia(ON`Q)j5_~jN(W~-s-4(@U#a@-NCN4b8usql|CB0Tau%Ufv&b{w zP1qU@@fQPND&07ggeG{C5KGjkysX8Y3Yt8-xZmejs^GMm2#0ew50R4%=Z&|0UAJmd z!#}zk)Ta)s%l*+*b`tBxaag-A7J4fRjDl7$5BOdrj*_(gRd;`2D;m2efa7NX#d(0} zq&Q6sHGNuSEFc`r%BPJkyulAeEDihtS9$F7;w4_zp0VJ?qJ zM>sYQSc^{Wvnifpqu0nnaA-~ccz5#1bC0t|Tvg(GugXKFOuT}xN{sNTHXE|K_QdB5 z1lw4Xx1j5r6NW2Si|HFIolKsogN2sDH}b!8ATS6qJ;P$(khjZwzTJx$#C{6X(L~(! 
zoHfBd(*TT@fA9UQ#)1nJs8V`hS4iMzaqA6TDnI=SkzEt~<)qp~#D$(p^5ia_vIdic z>s4t*fw^wpF-g#la3oJOuJjX=&_6C6=g%nNu}u4zi#urk4>R!B8*>?QWigm?A)?N^ zs3#~|QBZr&G~@Cja^--LdHER|+1<^VvR)U8mBhn_<;+7GvkfFkM5-XQboNBsb4HG6 zDOGN1sanPae^QIFc|L!Tvri`nytt*$!6ru|a!Pw$!`3;7dhdP?B?qNWy9ZGbnzGc0 zN4Xd(ZwkF&Nu{;)Kyvr+9S!@F7bMty36yHg z7%#U&Kl$|a$ONNX^Gm{~Nl7XPMGJ(vJK5y{L~n+*SfHDr!;Z&cRbi6D6{uLIh)^5X zRUzdMjtKfF)Zea|7UQh(6;oUqHGZN-xl@UGJ3n#8ztt;^2t4~Av~i@JrF94H9laV5 z;t)b1!?NPbdl*d#mHR2qS*(N#FJ7E_wlHzKzIRfZB|&u6W$n}4wsdexuuo-I5Wi4f z{|TaHoD@ot;}-&=?ELCx@oQ`F)16bY$n!IwmoL7 z@mNK2TuEigJBF{*6YX9f<|I9(PeH;zKAL(MM?K*IPFu?(iCn}6>mjcGf#(-~8aI8h zhcBX>?mBPgA=#LDYVRcS_AFFsld}!EC-K~G1Q00G@bc)*I0^m7u|J^85=b8mlEq_Z z43>{6UkzboQPM7r%=}WQAM)*D$4%>TuE@o{Mi(Rc{RE~Y8D&mEF+VafpL5%sYH=RQxC3vZ9u0x$O>v3}+1c^85iSW7U`UU+?Z+X%^Drl=A8xPtux z!l=FW&UX~8ww@z#=tqu7M`>Oz{aU!KGsFz>2uxv9`baitCLN1rqyue}U|+*=XQ z!XF}zBPKv$PM60%E$vB<-yiYd{V9e z{W_Ja>EW?BW*Cq%RouddZ0bsq$K8OtLX*K+^3d;3I@Jd%LAcmx_6kX@YmV@2*}(}a zJn&X-7E5-F1|x^kPFV@oUTz=_mes$R@bhX3`f{&+>LA78B$)x4aqs|#jdhTg60H{{ z&WgQ@hmfSaH(dp)@rcp(Dh$mY{B>Gv2&dINDM!SXDo6BywgBFvnmOv%{KoZdFu}ZN z2vi#Mpy>_C?&nOKsM;cK>|^1(IeI@rvoa9Pe9>+u=Cr!h3B!1BYeN) zoU=AFpm}~U{W~SE%@ML!Io#TH@l7F9^gQg;z^kh3y0#|WI+)$Rb7`U@6- zfgnRHa5t8}GQHY$KH?^a(a?%QbXF`+<)ML>YFgaoG#>Agfnvb>u!2n{3Owqf3Pa`J zi#(H_HF*2U0iC6(#D8s*k8sR#Bnt09t4c_s60{8u$(t&x0 z#NnShLV_~cQGUNpXeg3B$`)yok;<8)Onwsm2C#vh0=bX>kQP}RW@eS`Iw$*%O zwuYX!zlDgJmq|fV-PX5!0ALM|c^p5*iW>9+^r<5toJhdX3=Ik8Pu*$_j7HmoD>?WI zXj0(YQ%)VEFGi1^Aq+w@3jQ|P>9Q~a&=j^)-WS}H+X?U;e^K@$iAU28Rlu2`ec*)X?rauFOH4KH_VOXqU)Dt-j{N9f)}pDu=7X+Et9>kyo${|zgY5D3e8aqVqv=xLPOfa@&7t;|Ke^C??!+Id=>3Ks;8w;W^c#v0Hh$ zxnDAU_{m1Q!L|H={z>u3Ek;P~;$FVrrfdF~d;Ck^XFJ?rNPT}zuG#Kc5j*+O$DP9( zzFCDLU{SLZKg%4^-a|X|jU%?w7(Uupo4i6kN`e>zv=_DYBqwK;tFSs7fKGd~udtklhMS zE@yXfela)NTA)#w6q?Z|E0q7jD)MU~+v?l6*weL&zV_Eo^FIG$f9f?qiLz9ms*043 z5wX{hWanj)RlB?!FK4aDH^-LwrO%r!5>Tu<&RrcG>9aoAF5Hc?h8f~*-LMbK)ezba`35A5c~vy{g> zZC`ts>S^@3ZHM+}GlP}$P6DJCs;`nn%$SnCqG`I70=nrtI$`EnY{;%YngPc#7pJ0%dgFwtUvNm&l>iq%9 
zQzno3%E!4)Mc0eh`BkIU*HbMrpI-G=G9m58?-zY{1&?-b6kB7Wo%bC+Q$DTZlJcA^ z95f(4Nu6XXoH}nvSBAO%>@jF1X?Pm>(#Qn8r$0&x{Aa)mi>1fXkj%yvLO~Cp@av|T z^uwj5hb!WUHOm+A7w^g4AinfZFbdy^X-in#WJ|&j4&ZvVQl4byRXR#l%(ePi2750p zsWpDIwTsg4Tc;!0-@h4*RIj$}imdfH%7t4lU+v=jxM;GmT3TURrz2L_@rz@ZXP0%W#r^EJa-r`Xigdz%#t9(r9TQhPDtr0X0GB^!B^^E5?b-)=9I zId`4fU#TvyuOu}xI^=ER$xqNnWZex3d2+y{7e$-kbuVePj%c`$0%N(B0^%j0fnMMxa{Lfb0>>5X6i=SOS)N&tx%?nkF8MuM&R8tNp(*F}Sb1of|0?F+IcP&bZn7a?5c;gWQAt4UbJ3@5 zS}~RWeyHMN6zSL_de`8}kv#=Jz<}qOWc}^$HHC3j=_Jn5wTr$Ds7<(c8izLdxh3pF ze1L~WSvQHYJSYpn_q)MBoE?lSkwqRw#d79BGu|dG+y5p$oN6(1iNCgu1(bEqa>Na0 z)FFMUG$DWVkSIcepb_PGEpw5gwu5KKfaeJ`w+%nX`Q2K58&d*V^Y+um$GkgcXjA89 zdqd^W-@+p6do%iz;MsaE?E){P>((3{%om9>-6G$;Z$4^J2p<|xj0#x1$ATw{K{+!& z@wMGtxdYW|d=d|#bh}sctySN)OJ5&;zC{w*8?qv3W?Qrxq91-~;_J}=L-}q%UW-BZ zQyu4FDCNO;XG;Laoy-c0dNWFj%qohUTf^WW15!l)r##24z?GOj)zuipN|uNtzA`nU z@H>4={75`$t(;KiZqGaAD`?vk$@he(wO_Y|7v;Of+OVxC5CU@j?bBo-+sl&D z2|OrYV`_6@i`_2HF5Q}Fu?zb(usb3)hiu3@&)bF80&F4b$;Ni4-c!px-FnRnVRPMY zDp3CFUMqsw)(ISaN5FPf|7GrEw48=N!X#s4LQ&eN=f!k+*^`{#aubI=ejM3}saGH4 z)D^6pPu{^M3W~{gwhl9|ixyU*i)_~edvrEd6i?0DSLp> zO4F`kJD32veDbt|xO}#5d76b5BlilWQ|?_fyR#gHS|7|cB=e=;PY!-;NVe3Nka>^X z;)`xd;+tWe-F)6WoRI<-cy-lXJnwlkLO*a_8)v$$F*;w0wt4D3l*48|7o-us(^NxA zA_EGjixr1Vfzm5g_9wXw&@<$Z%UtHZd06{icTel7Is(H{&G7Ii*I0Dd8J< znDAe1`!bZ4+@Wk+)v*i_vGt!?(=CSjS!D>#UoPxkY@Vej5V-3Uf3=m9ur)oF9RFhA zZ-2)2MT~c1XX$C1h12H=g;UxBTQ!qHP40@)LxoAZ`h`>qSI;kP6P2Y5R~jUjlCL zI-X;f@JtNWfPhQJf5=b&}N?Wp@C?_2ZkoL-qY!bxtM-i8oRt_{X*Gby`I(FImMHtG%iL z%7Nfx*O}CP%jzb9?}=it3vHNPk_5_O?*97CfdeaPhS6!uS+?z(!Sbt%9|47&wuy#| z99{%>gGqv{5aIT(S=HEu-{sG%oqs{fO?}`?)szPsQ?}40o=@@a=f@#=OxK$G@i%_A z6<2E+^ItiI1hX9dd{Tv=OE!nwbZzr(Hx=`qdWSwXnb$rod^ZdFXZmwaUb-z=+T#eoi-!Dha3+9CjUJC|KOtW04&L0rJeqQL)n(nPJGJa;S|J#F$K^Utn z)5o%Gns{fyhL?BOZklsvqbq&z=Ld)#k4H3S^Y3?NBi=WsmlICz3bj)6ThbvEj}osF z(znKXF>RXET^7jemPTaZ<%UXc79S*&jW%n`v9HCcr0%r1qU$PDob#qVmrLTW&S5f@ znUJddGpM2fZI-M@wx-T!+UE7FMG`(PatggIG4p}%?xDhcZ$92u^@zOB)E2ru>e{<> 
zx;=CCc)57!1fMyZX`_HhoiXTp4o-}gag&b{JHOWVpKHc5c{=4=S9+bzb52azqkkW9 z^gL;AxV>a=Vi6H1^sw^R^O<(LVi(;+n<(ho?Pz)guQrfN%stxY#@L69V;?g2U<-EY z(jf8sI8$RpN}BCm%zBNeI3~pcY{%4u$1!kjeBVAs^7@mtafsUlV4h+cDspg8zfTrv zdvdeBH_=ig&rex2Wv=&bgJNT%i*@U<6l2)cS}W4#_K@T?^EA}&BKf&@GXGjVQ;*$* z)XJYhHEbyl%Ue$BU~951!|3-$cd9gJA#!TtZp8GgJ`u1j;6AI+3j4Wm%5v$WKe>;Y+b|rDYK|^nthBqNt1K zHDXZyngq;nNMP#ZE%_LZSy5`#^+9{8;8Wu>fzlZ+6*4!+q_VcE@8i7-oA3jNYvz8K zfCLY!5CP^yA_ejOsAH(r#?WM9q5?Z-vT(@Vz+td=mhZmbR#XqypMsX9e4^myc5L}w zZA7`@;Jzq1npTN6z(`=S{ajSa`zjjce1>Gh^FQgB(GK%^$qvUOq_ewMnZh>n>e|le zTqA;##|tl-7je}`TJQ;FRq`urUeek*CG_+@0il+O!}dDn`4x?}TI}o1s}?bB>FdMG zxVb~Jce29!OsN@!PM#I;7jkMJxH+I3A@Y# zo+wZT+zsp-$s7rG5uefKpAmua%(B!RShl*A(_Ln7%i0sz?vo0rq5ox`Qt+iCBB{_6 zBsy6q-D17r`OUR^?riarBj&*t3PsJOm_Z7h`zWK_iVFI@73Q4;A2OzI5P?NXieKrD zf*If;3aH*C2U|PBi7z8P5N|vLngb?gac$@i7mksitB$0-d;7dG8=&4OG)`rmug}~y zecD37$&{_qTWmMg8fn@)Dl;i>V^c1DM}eyiO4>8d#O0&kBt4WPMp5xh1@!lTG;og$2JHyF;oG%;99(+1RR zvUa+yqRaZdV8n4x*Pgqb?yO+HU%a*zGFiS7I++t<@m4}aJR7756t>fcfv^jWnzoXJ zJW8LMM$8R4VtG4PP7cv0r@VrDZC&Q5VWq4?GZeX3EA_5E*EPRx4%$L|Zf;I|ScRK! 
zuc5#DeY`G?+PvZGuuaN#tB-ESa^;WBB+qa1Hp>H~*sBnsd*+d;F(PzZWoGLj+eC$e zzQlehLVujAdN?7pppTgl`JZ{Ph5_eJnMkw{=20Hd%Tc9+G_P5cmNg`0;fqbasH7gY zSN>>o;|e@R7n*&rYVjEIwklOeLS%`2CU9!zymkBdIZ}NSgMmV7$K*+J8uU!rz;dZ# zs1ztK6wktd1!bZ0ou(59=C-D}GS`xEXLLymm#0H^r{sv63F;E` z}STQv7OdL&YJ^!!aZAz|CA^= zLJIKn_IoX9SVl(HXZ-_mSq-h8?G{ZV^0p9@E4;SA*5ek5z(b``J8j*EbEidms2%zxft4=;EbFl(g^V zmd%(fz9}qAu#hy;p!Qp{)%%qdv)A_#TwH2R40(HA#7#Yl2BU9LzXT!ef$ACzSh&;Ecq;BionE}NExE?HV3rdXG+dfH;nfA9(_BRY<}??1 z7*nb9umXiMn}!XoM%80ihw8X%ArN5I|9dsN9!Df+J@T3sR@9Ikr zMQ*IK-3!32I!+76!C6arNP5Th^A2bE!0m*v zOrxv}Mb%i-taH5nC6XALGZQ-Flmcps|ue?^|7~FG=+HopoHgeut}#Z+NyLSzHEtvw{q zKOV85^qCS3h9P=pSg<&0rgR?5$WG_}8L5YN6Wu3%Yr#irlafYwZ1<4~Yk1c>UvU6h(6|@=neH z6oYC^QNqKy(HCyLB*%!oeU!cpa(R0MZ2_zf>Ve6DNAuXWMe<6J8du|}VF_H`$dG|N zma!htvzPxwp6bSsl8%Ob1?O(=s`Ka*@O%R~teElIOcl;-I-~CGcDhE7^2xXnoi~mV z-ue_*s8@cV@dMhz@ur3dYaLw$D4+FIAk6Cl*B4G={!2`$YGBSGJRmn6W!u9?fo{NE zhYKeQR47gu*kq>?_~lsDhNC=@SC77UcAgipgLD({FZ)|%v-?qw`jHs>)*ace12y30 ztImv>`m@E$1`+E+Q)p>nm$dqL(Y}`mqScWf$V-8B$W_*By`TK-Ld5km?Gx||XJ_mj zYQ*xN2Js`5jt^^RbW)46oUADCohHp-R6^Cd>Fci?eMxkRULM?2t>9uOs+|vi+u$5N zi#QIuyg{vlz1|O+h$P!(@8b2;`6f8%5?U7W4PvG;GD}&mzrwTrYQAw?uXLd$`?g!r zN@z+kiCHFi54&1h2&2XWLj}jWdsek<66rHyE7{h6Y_wtsf*Y0~y|l!s8m=kDOeijm zW=QA!XY~1n1CjCP^$bu;7k=(yFIY`Gh$jn39S;)zXeKE|%)*RVGcgCdUdM#~u z*E?s2)Y)KvW;K4yRs~han)kJjEDps&mvcTlIDW=Oy7jcnoVIA9M7uhAYj|igA-7Lw z%UoC*!HH5aznm_rxsB9++tQF9L?RY5R zvn;SNo18&21_{kRiv*b0Gtn{5+C3}}PLLxH#~=w2ts)`hAn-HhWbS&im6>XJJg5jBs_7kcIq zKo8q*+%}FULxag9oBO>BUkUr0>FgAFgsfz)_hFQjX1u!mDABt&#w%v!BHosop!9{| z#O7pwZ(G5Q!k@q?!iDy+KVCr~$ObVr2v!~7t0>8|I?ZdDO}TLnA}w5LWe>+Rx5}_J zTxT!bh4z1$N2M-D70jjLNgZrpAl7yk#RFz&H-1_^ZK*TS^88rQER`vGVE(2|ThAh% z^Kc6ZUTNWdxO`e@2o>1+{4??VIIXHWp~xzGA1xZ7I;C-Ibj-CW?EFJyFyOPW|4lE| zoG034glN^}mlYAi5haVzSECdkd5k1N(~AJ67I^|t!wc#kA{GB?h@J_bJ>Qex`q^Am z;lO_3ob&hiAHOZfo>zAM67|$+{%6`e{&nSBPxB$GdZHf^v$K`8Iu?MZf8yV?Z_PKV zxstD=H0lKmuA=f`(zu}&ih_~cdNft<%VLt^wMf(b3fq`{zraKz(qD5&YzFg^h4o?CvVQed*0F#)ERkGHeGiC3t~7``CT>4MvzLyEIYq 
ztL=Qzs@WepSHiP38Vb1{!YdvwRIkg=C3x&)BM0#dIp_!MZ39}b0&RFc-YY{Nn(R>- zaxQ{cT`+A-r|w11se;fKL);1oDKGzKRw+jqJ^Gf4qYv(dSNxn!O}Tt+{4FUo6qL~! z;FbwJN&yhwVFKaKppZ`h!U$2do%WF=IynigF`3Gml7KMtp{j8wM0XHPc^#4S0a@J@ z8ZGmizh?$0!*K}@WrHwg4ooQdj+qu+FpC_$+ZK|%#oO>Tlh2!v6=6?j9P4lMY+OK! z*=5p6Wm{TiahoWw54_I@@_)Zqq?P2vinY3q8SHwCLA*uJz~{$whtN{|3-NJO87QPu zCu=DKy`QNiZhcHn-;vRx5dyfWtHotvkg?SYpsO<62Wdr8Wrpvu1^8vK0Yyh+#fIIc z`K*vx@qGNJ>?&$ybPN5Q?%lnI45c)WobK8RnG^{#WgSR$!gmP>0bAgyFac5d@EMUTS2 zaH+t;-Ko(0eC3%AG@cdl7Nz~n_V6}&_?&k(vb9&|scG%Bmr^q6WzCyea@uUCr1bq4 z9W|)LJ-KDQiRXXgGrqjX`-JnKzVk6@jw2jhneFX%GRJF_@Dl=iek~F?Fk%h=jEU`2RX5ooWTw_^~z7SF|jgDra}^_ zDV)DK=PItptk}z}_Jvhp8Y8S;+VRqc$2cx!`tkcQnZq-$*1CWV(~dG8dZpH(bKRE) z&Ou<@1G0AVL{5xH2rwTtlmUEv1j1NlXAC+u(REj+vJ@FL>UzsVbCxap4Wy=*BB7wW z5Hb25`1oEw*|*RhAC>w0BJ`7|fEKM&PbyjWnM63xxcdSTf41PG=+d&OyhV!enRmQt z$JI}ak6nAFDW%@fU3vhG=2<_n;~pedtf#Q!-hsEcE?^Miqlk`IF(qnmW77)MWww3S zq;u3qgZeRJqfBtk9wvMSVYgyy0ocLjVpE z4FyuruSATPBF~lFn$Xl|Dmf=~fN{2LmazVJfsj|-T_65yz7muA5ade#%HQguN{sv= z;GjuDGtg=&zJ^qNb;mXP%x(#ObVNwLxQ(f_A3=XvBhqS9|3p%xq2R?_56SJFT9}ey z`5<5$57rF;8LY~i$iOUu#Os2+MsuY?nR#0%iqDiQ$ON-gmFIg_}6V z1}K-XeCh#x?cT~(Fq0Rv{W`q5%{cm zBx2;|%R(nWA^-Y6wihjK(Z2pH_cufc-kFq)z@F4qS2OW)xl=Fb;#q6M~Bp;%a2jLX4WJR7teKp;TGFdAr z>gNyVT1P@u})7#iL*a%MWIEnK$>=uaa zPUDNTvYTESe{M)&BvP3Ge{-p?F+mYbfb>l9&I;KgwFtgyS$7(1XV-+s zO$;&2$6YEYVDfq1RZscg`*x?d&f>wpG_%AT5OHiW5^tq!7dzT}{elEdXOYqZ2`n+G z&WfX=v{3}BuQQbMTC62R<6W(2Qmr=IojRZU{aftwxDDReoay`Vqw=U`N8_h4{DB0l4vbX=cfP==Ig zt>oX863)@qENB{&hWGfSw$c&Hg=~+e-YQwdJx}Hd3Opzmgl*&PMx}D z*a_GNBz#6M%`A6NB4U@O>fuZmFr|rqA{1j@fd{9)2ouUyoV$30dj;r4jYABh>IbwfSmX4!(j}K^QhcE z5kVOeNo$G-Z>CnjWnEsw9Qp6=%$oI6bU{n}-;=Zabm!Vc_|kWK6XPOt-<8{bv(5YJ zntuDxolU;XUI}7huq|JPXrV-Sc8X`3p7LeCup06Dm?y~n*&eMce@3<|D#WSf3x0FgxtM>ve!4<<&}7j_?55<@3JZB^hT>^wfz_yb z=AbIaf9jZzUBBR7U~sgzw)=H~8nsI63|YAIJvuS%;_i9s5#F62d(rtmIN}H|y+iKN z6kU}fGhjxPrju%v{H+@OYmHott}3;o#Wcjri|_wyqYRaNAM8Wl>~9tC5=jg0)a7*< z^Jsjh%HGzc@!L*ePAP^0R;oEKlIQ((@aZ=$G9+1Y)1|sz-CZ71(70rWBvX6XuLP2n 
ztZrdPQ%M6Zgh^eZancH#N_qy86i#rZnG_Y zO_@2jTj96-3Kj|O=aAZX5B|t=W%Zh{%TkdgdAbmoQNs0d+5?Zl#H$Z~pzsE}yw|UU ztDhu0*^1RYnie!sbh$rDz^oifN_FD}A!LaXCPaSpnDSotw)Eaw+zVk#!VQqblDF1x zzZnj?7=^kBOdBV6DVFiDZvQ%%@F~Hn^vq%9hSA#W5>FPp1ZzP<<=uqUG7N$Gd`)PRWf?}6eexJkk*>&3O+u8`+(*IRg%oqU z_bR?9${UZTrp1((bVK|e2ZZsgir+kUpwWS*j6IbB9PnG|Kf4BJERy^jd%qtSj+(tMBCj-jO8pbj;Sx<0jQBi=AvkT$B?1s(7DrTa4_?rEYGTihjhcd(+z~ zU&7Pu9db`KkS=)%#5yj=)5cyS-KMUvCMkqoJT9N3MISKJ?LzP#upc`I53~UME1GN~ z9?Pwfwx@rG2tnbuo7OI*WVi@V4EthzCh4l)#5-ZzB#^tZ9ibV)p!dF4%ULA<6OiGg z@JF7Apyk=LTbSAR)y}r%(smNST>)d2^^fl$vO}B=gm2nLXpIKOQ*gO|{9=+CRF#5g zEsCjGGC9-u0Jx`*Zx@amxhxxmHuK^Ca`O0kBzQg;R}at+cOD@ zm|t$Smo2d0HVW0bg&G%$`tR&Rf=bjMOS(MldET)6;!JSZ|8bZZyEM;*K_^YSzeGDO z5&X71Bb8aG=EN%!r3nW^#g5{#BZa4E@1Vo~zvH7GlKv9*^qsy|@y}PfdjhadD-1cD z6B?D|-uEMy_=s(1H=QCGSGF|o3Y2^Xaup|3``GgCB({WI(fK=}Hs<|AOPRyCa}c*3 z))H)UH(eEkE+ig$tCuvx8<`msOt1Shh{UHykRI)d35Zb|)cya%Cv`Lpc-kGc9*q|c z#?Kpe`2%lh7$Y`cv(B9EqHYj4eLzQl(JDv&g_HVkJb#t&1r0O4*C*IY#~?B5_Y-1P}c+y*T5p__qdZaXe(br|RgDco1Un>;IM@LHio9 z1nQ330hYjOFg0c62mkG$?`1!ROriOMlQqL$`Pc&R1!4N$bpB{U18iSR6rA}KKD0Z2 z*>*e?|G*dYVTEeECJ~hb(N8($K1zfd`^7{nm`f4P5@izWmNC-t^uH4|+LBMj?dh=* zqH+qQMd{GJ(14ZKFAaKbZ0-;3ok^CpS&ZzNmD^2jsPHF!I_FNXTYe3loOy|leFp^> z{m?%>z{h?l_R_y-c%xQrUPxUQDw_GNzkxtzM?KeCP3K_{_=q4E zLA%nfJ5ve_JJ;E@aoHOmPSCN;=HgO=9={ja>$j}^MD#*F?7bhj>SO3_R7Xl5${o%? z=`t2$o5Sjfd}5*TNts4sgCQ2pj|HH$?`C+QS@k(rEe#dLDZ%=_$(VgM$QrFooCgs& z)A0BlpDem?(HjyI6qTOOh7e))GG){a87Zx%qq^F%xcXDuO9Jn376~RTR*NwwkspY0 z-7I)BHVd0Z-#<3SeKFoR>$IvS&Sb~rBRLoi)cN2(+kLx&21YCQ2O$V?5s?vqh&)m= z0|o(D{kt+Jxsl3vPM^}1}0qdRFQXv2$Lk6k;2GC6Y|{PD0~h2C6Qd|^4@ zi*LoL>raxs5X)tZb}obFHUJXG*IM&fIMt<2s4(!0Jzirm-TQsSNn9p>Or*RG>z6*wK7+sjufyA#-^a=`qak5^bQ*?z{#SHy!Yr(P_4ltswDx9;|SZw#? 
z-&-QHA;=RW$b0ky^bE=;Mhpa}*qy!RFIv49_vTvZ@fEp=^oFh|0qSLDy3o4ukrS<2 zjjAC_NYdvyxc^6#7Y2I_W+@LP|G4yY&@irH3bnC)VC&DKb9_P*g%-7MjVYm3AWhicL@vc~6%hrg41l*T!KCxRh4pbY}t$2aWIfmPgO z5`vmS3<1MN`?=kiXW!V0EX!F@jW6&d$?k((GuLaf&gYp=bfAO$lw?GX`0+2ZSYK-n zz-=01p*#ytP>EupDlwDLUZ%oYaywg`bM9tbqbEAX4P=giq<0M0LKS;L9Z32b#d6C% zNnVZn$!?WwFvkm_$VrnODP^EXf9oi&VZp=uM2?@ffVvrPvb}ads~2FkT((=1o!-OJ z(N{Z9er~gwB_JWxtUZEV?@r?a)t%WNS%0H4>-o#DKlU1*x!}5fm9qLzPlq=D?|9auP2vKcoUu;^#V!0!hDB_VRXl%S3vTt5Icl4Q3DDKp_z z7JBqMfA7>_E`>9ef#RKlb2S3lWpOOYdyRPMfGp{+`G~dw!pFexi|~#x(vpF2&;U|&X|(AGaDoVOc3;0#l$m;w%^B$DNZ0IBXlv4_mG53EKKcw8o#Xl z)%-PIGb5&v&PPMI=z=6^>(1}~Y(LA?#c8pS{n0{dO#-~&N7A^IGv(4`%qPeh&Zn=-!+EDY*$)H4%hG{)U|Xtdg!r6%)iry;E96^cW`!)t@Q z|9rPFZ5~ZCo+`q3&-F$YE|+;sBtOQwboVc3t!&aHn{ep!_WxBVXGK?R>9P1!@yz49 zmvVAfMDO_9pEdpF7sP?g4L{jRO<#%;{!O$4Geh*M_`*Ii_rHy+!gj8w+m-egRS#xS zO)Hpq`8k?Owg|1n)S%!$`e51u1bsCGeZE0J@p73qSM|HXYi|YL;Ud?O^Yw`qnbs^R z7dU!B+aS^PTzo`-41ZcGOu%*N(Oi9#Soj&HiJpjhwoTUME~q` zxP>VEW$2b{%Hx?AYur36%iIS|)ZC%`BTX~PA0~;FCF~s+*)Gja8eeo>o@T=lPg~Mv zlJ(z|T(!UmvN_%tNC`xo3>q%dwgZfQ$Q#}1!x1pXo0KlJ7jY8WFE&w=xf~t2W3Ndh zI+GDz#KYyG6-QXPrx78M&~qOKj%I^;g382=>=9LLryuMHTo7@V8lPrE&KS|}u72?2 zv*7rQI1h=Id@0|W#6IJRes$nj2~V*f>G1Wug8vcbiyq9b&Tk~`e~S^cSO((2_8{Pc z>`yG>q`zY3ziHBh3Mr`-#>Y9$jrLT+B!TVsq$|hJ+JnlF4G^Sx9K}Hh(qt~i6L5&# zd6^oNQHfj?wE}07U#N~r;Ek%Ax|5*yLW+wMo7thpv)=AEpE8O^#0a%`{RdRZzg+J_ zSPL9rxG-3a1uxYGcSAnZ_?4L<(j6Xt$X*Em8`2sEg{Sr7YN=n-$XBbxxaeTm)o7aX zQa$6jcUo94X?U`p1IQ4_{2_VblY^$iki!Z>)GeI)rG8k^fgFQh5 ziZ>5)Sr-!7hFe7-w`iLv&b@*(W`qAoZXnK5A#o&pVvEH%&G%PxPI->T5gBN~G+5}# zA4BP8Ko!jX-;pt-&!C7c*#y*?7iO=d2K}JJLmyyibKM@B`AimCZSc!a=MxZDFt$G? zJPMj3gL@b54?5|j{bjxcQHyejU@*o86qw}o#*3<8Y6W~`EN&=j;qNmx9l^l|Yc*l zzzqd&jr2LJq?>IKS(9KxeuFWW+4x_sj)ArT;Bi_*X&g4?VEJA7!Q7zGbe zQP>(9cg2279*4J`(uf;wnR! 
zw>S_U1U&W2(^n>t9#gY;l@G6t9Umvo-X`8^0A2m7TUo5;1FitN=s*@KYX>(lj-Yz5n zm{UKHZF`InSK}{Ak2N?|Tck0mN`6?M{F~?cFkRUD{n_D8hF$3oSn+Q)XxI5vd5HJ# zYy7!2}uq35-%Ht_HnIHfTt^rvsAp_%6$>Cn)O(+Mgq9mGi;N^4F#LH-|X=1A}S z^~i%co_H!xY@6^mr??kRNwD|)cRz;?S10f4^A&`JmV`dNd~(3QmUTWF-`DV+Z{3^K zg;x@N#;gb?@ttQgkCY!u%z0_DVCzf1{VH+scWXX)6;|1l`&*C2mC~rlFZ5}aawX>k z;sOao=~6pkJBWP(z$q^^VuLoXO_Z5K_drV>Q)Eb1y_epGb)h975&J&Nu?tW5{7Y6I zVXV8XQU!j{&&?8Pjmp}OP#2>0ZTOSsT6Ff`m3(>WE~HkHTc-AY2mjOL9f>>P20eQ%^3M1eMqZ{bk|Q zOxK(Grr&RJFWWTrtWCjs8*QhnHNTZ3G*b^oxs7##%LeY=5@Hx`!;QuvWO|(9(GF-Jb4Gh zs220UqdF3CSJi2_1xed?+k(Tz#MjHo2hO1f=r~;6T>r<^Ge+0hblWsdW4m!qY&KS7 z+qUhbv2EM7ZL48pqYWE7xu@;-ruWxg>#XOjnc12>n|B@LlEyqUNc!=9k4QAvA(Ld_ ze_r2tdhvikGU4%T?B~|p>}cUbXAFAihhs+wcg$6pWDSy~-S>ub+q2YOl_GT}Bp(uw$3R zxbUxxrqRtJ>K6ixk|Q%$OlEb1h%1ukYEei4PD!`lPf5ld-bm7H+V9Y>tj7){2@9JZ z&Z=Y5s)N(Gpp{m-Oq3Nt781#!?#@Rdw=nw7o&d)Y_Q^Y7rx>6Q<4ET#VDL_8d=tws zg~)z1K=M(K&|*|hL{YdmzwdPBak;|p{Ga#aDEwE%o!H&S?=LA5CP<+EGlA9|+6i;zyYk9+EPBlXQrJe!~1G>j&$iLJmT9#O!|N zN#}4_Xusf`aW15~SZygL1tr#A!jArGJ?GzAFQ|X&`kS@XilL}rixmU?m+cdAKgdG1 z|CFty21_nmEafyd&>%U&)`dH5y)A<2Eahg=dIaZ!XjivXa$c4)Hitd&^&tKpszkO- zbmerZqvZz;mpX*`-Mi;^>Hu!IIT6Np5mpVrhy(}?A8NBeGFWG{D!)E=RlXd*o1Nhl zT7r(oKQ842XaHJ}DuG;@G8D70S=pwOsSDRY%+MDPmi1h)W|dZS<@*^ z@KBF9=K~{_M)Ws<$?lJT2#Tz$1L)}%>V1cW6JPcLbsI?+g~VZ!73JgT^|(W6O&SC! 
z)_(>t3CSlAtdRt7Sm0$M5ZV6G8HZsyEafn+MpTb#;V_J;dSI!0ic0tjvZif9Tb`n7 zOia4WyN!>H!)S>ZZC;wIjlj-~|FO^MRyWwso&5*5ao`^ur#;g30WY;%dKh8w%LU(B z(Vwcy`Tj6pxsW(}+MTxPdSL#wg?JQ#5w;@^1QOUj3((u6+4O@{v2Gx>*5l5p zXPa_Wr28hLgs#mL2=Jw*^Y?XtDMW`9u0sUloAXpUn#+!2Dj0Smx*t*-Yd_tuh$3uS zm^<9Ln5pyOA1#alAAq#*1=8YvJf?fI5V_JDFVVAW8fwA^HQ%R;AQx#2o$db#Fmz3&3;kH1wxhX}nU}-T?N+f+ck*j~3Hp&Z`DU{d*F@WR?k^oZ=nrFb<^Z}f zQQQUI*~oK*`Ev?x>ndT0mKLOs$l-2pif_@`-;GH53m5QF`^X;qJI);g)&`|FnA4Yk z{?%M^WiLtkm4MrvW1~LJd|xItUAC2ltMIv9j$>=W>Z(9{uL-@d-=2qlb-JUE5GX8Cotk#02tw)vd(60NtJaw@6SJ4*%CFgo* zmW_ce*2=0kLqb#F%1mSRUd$(>CSJ8hUR1a9R*oA^-5#m9M+r`pdfoo+Gti4l+vCZ9 zt{;1V(eGfHP$2!!+g>oswVzhehwtUMDN$kW=u~QY!vDpFu!O@!?T80|$A3L1o6m6M&=NN)D8K$*0teNcNQuwp2~sDP6h%_e}9jdn5Tju0L0} zI&z@i#O^D+;@I+adJ_0ySVCr)5{hU5!x^-M@}@L1#f2@z+=xF1067L53;h?i^BU<1 zc^svcf{bZ}aFlUex93B#7cXFPexGUo>FVYLEA=%c1s6xb+<7u+-zZ^K203Hr2R__Z zQqX)xDi@%#Ak7>1JGk0iisBIf=YgC0-O{C37SBQoWeaKN=IC6C=HJkR*q_jYa;A9W z$*ohE<~Oul2=Y2<(G(A%r&_K!rO+kR|F(#%9J!cqC3Xx2wBf{rT>{!pC8GkTNB7Y! zx#A>TUOSYpzOA(BY}ecN*nW=^=h$NRf}uuq)>`^KmGb z)EeAT_0f4KljNJB2XIUi&uyq1g81_DhTW+yMCqf7p`DR?E+0zH7E7 zc|JF2u{7rHt9B)#;2ba&_&IB~bD+aY6a-YSKft|J{G&sm#$O*Xf;Am0w(18W~F^vOSYoLNpNnZ$}`)@xUF80(Zo5I5-%9J#0vkvm~#6 zw#WYxrivM}zr@a2aMXL1b<-*iEXZFiKC!JLHP6%g)#bT3mHBhbm}j;~((867?KS!N z)`mMPL=}4C_z<1Z+RF1+-Rg8?Pqf>vmoFbtpjLB{FQ%`Y@gW$ngHpjeSZSVbvD0Gk zC{(bo9PZaATQ*&j zb9ZpJXqCVw(2_rUC;TC(&FTT}o4%r&Q%?Av=6BKcg(#OM%aU1GHdnIviWk=63EU_h zdX_%0K+9v8$-nK7^!Lry2X8NI+Ps*t_dmHi)BX@&x7<||VeH4mhIcnDdn%)>{{j|MR?q={I}!W?8r)=u#x17xu1%LN2A zjFOe2;ijo5vrOdtv+;`iBXq@%q$=VRf%1?kGvtK^xGbW3iUsv}Z6frNp#LTD z>SZBH#%YBVZY>+0>;%u+e4lQCe&003aOqe=6@+KzoD$JQJsCmAe z{izY>W4$SDDk90hv!Qhacm0wbG=?+J4ik71*#`rA%anwD5I+4^M6d@<|nINwP_rX%gwiZ@c?!GHRCg#Z*yLhiTL{9G;7k^#pjUhd^9UfEi@j zENl-I3M1pHzGiJEBjX?ZOt>Yd03*iN7)C;+Ek$~Qg1)983)Wv^?mJH(pXx8fs!9PH znd*cC<1lZ*p=+UW2{&S+K%lP31Tgk#8t;3a0B8B7-;5nUhbC$(uaV$WXU#lS;$mQ` zI6n?VN9W>r;94mcy7(OPsEqkpNIQpP$hoo(A1(kJ{bZb~elHvcXo7ysN-o;UypF}o zaQ*bBQ4DE3MhkFfhM2oTf;m@=qa+o*9F 
zKI5$Iv=*J_e)t%WJ{`Lzt-wN=pKc?1t@b00dmH|;*ok^t#y$}Im=35opb2x1oKfxF znXn{%0B?(0#6Dca2Bl#2|5O08@iZtc7Ak62+A8 zxkO&AaK!ASivdDxFA3P8kDF2A_-zAs)&j={%7jk94ZN}ua;!SSU*j$Pn4PL3j~Pdo z2iu~Y7if_$t=qo~4*>e>+PC!jh3p5d{;b9PiNu~kV&4EJ1zAb=Q<5$9Ol_qAYZL=P z83|&HT*;NMYhvL|I|e3+{oAu6{4=3_EoBTF(91H7J%WAO8uY1R^)TkgQgfZ!Nhv^< z!&1zwPIsDS591)?#C#Q3{E=Ne@Fy0Hodu8a!^hvP>69P0>X|SD^%y>ej^q-R?Wo+^ zr`+fyyF^6W5<@CX)RF;PP=F1lV1&L&T+IeV=t$*<0ieX)*!$}>A7yrXHYsQnQ$Niw zJRg#Tb=xGzZRrgJ+V30uJr?#PU!1NPv3_v^#rPpr0aY8{NeJC9071b)SarCf%G3^1 zE%!kXFiB~PuHk=4O7yG2Y9o~b6~HwD?emqIk0i(|xf1a3D4K8^%^Mh3oPmuQxNa+} zmD19y4P}O|TT0biT7D`iPafG;q|zYM{=y|uTddBxO?O56)99}wC?*L8K#S?uK9?{W zOGV~*ru1{Na;|HPQxQsAQL8vUT+x6hFh+M5>@7;=4%j7jN4U6nX*R7X6}NIXaLndG z53wYhXIWa zXiQ=32WDIX#d(76AXayhSf4fN8~hAOy798IU1eLd93kx7uYqjn z|J^{yX%VbR$9(BP#c(51yEi5H-eR!+oDqbyzW?G8~=^VY?ALn&9IBm+m24gSZfl|=cX)#N5HNg3D-&#BKsoObDW zu!dTdUAp65W6rktWPvE2ha)tgsMM7+i^Uenr$B7H@r}6`E&Ce{;PupT4Vr{!sJv*9 zbXW=_W-;%U($<{1(D7DkW2|{*;-zrsB-8v#mMh?vO^+~fj8v=*VIOG5Gi+ismR;@l zrT&O^1M9Sje{N5pE?dJtWPiNmVQ?qD`NxKi z%aN#DF|t+`31GSv3ef^N*E&`k)dQ9)|8>c>x)icDMoyplWW+Ba(!lyL#l=*3Muuwc*9)`u_N8yJMMFBZG`r_VB-NG#B$sS6{z zP3*Z@v@9o?`twCXl$?P=3NxNh<+Era#beEPpj`Cfi~9brjwPALZqZL97M$(a_INle z`~z$F7!E+0i3wXh_<_QH@%hN8yQa0@i`F>Hd4p_2Rvk=9hLq)AB<)~tHFgL#<6~|@ zf;BK7lXr~LXzjwKt1$^I?SrS4_(3@BzMQcBm;U@DjR;7@IAAeH9G^sQ3(QmTg`k}5 zUWdd0VZ@Pwf+teEuI9a#DUQhvtUB;R)p zmc7)e9*yJGr+naxY2G}V0h1{0JH}`}6+chpe!{Q3d^BCfNx{QMITxP;Fw>OM=9HC= zkL1Wy|24m_3IJ4b1vA{Iy@VYPDm!IyMUv}Q6+ND9J#W;0@7hS65onXg-~ui2QnEa| zx++iPPYDX*ylflcn(FBH2X=O?9EOPe-IQ6&cNkdG(B6*^s44FQCe?i@=||T^^8XSj zN+tHQNK%to_A|Kr=iqRi|B7l{$UnLMKwJ9MzdrPy;-uZQ8GS6mtK&j2sWgrx& zyygl#W-VplPN&=__EcHH=sQ|f(}X^crLb*Nu+*KL^X`mVD&jalejbzUSbMU;U{L%X zIH8?_tcE|Eqj_P}8~ltF@;^Ey9eeUuWdf!d2D&JKqss z%L}Ej&p(zTmS6C0)*D7FvDIgvDZ`hhSDYjWsbe=QIM~_0RwyaA2(oF;&p!6wzl+r& z8Hz0?C~z&pS;VEoqzQ|0-_Uu|xfY1W0AKPHVn<)P zHJ}9pEkMR`Q}noBw-fa&R4IYeMA??s$;FxeLpEtv9qpBRGuWo8q_)y|r4UKp%3eo6 z6zAw{p`@ENVZP^)@%zkNcW^B`_y`IHb$Mi(0kL$b_d7p|_jy@yM7GGWj4YQ>-|az- 
zBocG5K7SO7pYJI^NlFwlMZw6^0xG%amX%QnDm%sfxexd38bfX#RapCXF6Vv0E&xU* z-!b=q#(7A7Op`??cl+@w?W9R~L|t5b1Y6x3wD*EF%5i&|ecAXE6_?ft?3v?UiRE}q8} zN^DD;m>vL}xiG`^s1Ici)Bl&3ICF2+2 zlgTa-YSE>;yREZ&0K!e92qK9y)GIJFV#2x0rRpgoLvSswml_DlF~~ zYah)w#muL$yna-xK>M<@-SGq~_Y_a~h1ZLueQ_dESd{Xp$#L{tUX-$($DUf!kyA_! zhbV4`I$u$>H9UxlFoee*lG;@$w%1V^Q3vf_WL32Hm7~uA5 znEaMX>!-%82Bh>-WmD@=;$9&o*u_&$Yry^EjZpiCfiY?x7)AT@6m?@7Eh#9~ugZlx%=6ktI&wZyZ)6SZD0?%=u$i#zL%Z`8*>k|Vhlt*zHHU|cWP$yFw;__=D^2#() znk{ID6i`M?w@;Xm#-6;zSdT=ID!kkHP+W-zTT~2xKFOJRpCqTD_NgF-!+kEn9qq`W zlB4QFmBn}UHPg1tv-D@BNM=WJJPbgolH%wBjcMW%7wad(woCF`38B1iFXIhN^S~eW zwoT&A`SLU}r<)=4w(T>K>0wX?Qw$m9T$akonzbkGcGm*)WPi_-`6HIQnYf?!G6jh; zjxvwrPF1RaIIw#zs*F@T!1XMKo`gGV>T{qx%RrDPWr_+R++rfVaO-s?Q$O%5k<>nv z_Tj(`{K5fL2@1|zbn#(*GL>L~VuXjS+h78<)l?AI1JD$R$h5KjwlcM`c0BaB7_+cg zYXN;S#eZ3Hb>1&$wN9tle$9~>*|2T>kY? zus;gM&LV2bZYno}#=g8@WHz!RpT}rOP3?}33Ity(HmaJUmt~-_k||NAZK4RetNBMSf2_hMl+O0&~C3zg#kd?RSGPH$S zbd)JV+X_2(9hI}?N=S$k(WYZa+suu0Ksnmk&W#Mnl79DPPne_3O%|?xL_{1V%%WpW zN2sRTMhtW1i@29_=o@tL&6D~clWdE^JK9a<`O$=uF0AqvZI2K?(+?qwL$9$dx`EN} zE%|UPHu*EUQY^NQDoeohUUGl>kp2S-6II3PS^5Q3>d^7Y?|fZt?pjI!BKs{ zQAv06=+PMuID)F9IR4D}zGB&3vjVOKBtyE7s1<)~$e(u0m1Vaa&)sGqx$&_abrz`w zO(&9gR+rS7;dpnuI?f&S4+sP1;Db3`7_UazWg*jsXna|d7$^P0Lz;f68gJl}te)H> ziXN09W9lPLPD33rLza4_Lwd`}{Ug^zk3UgLC{FxAKawO7tre_(r}+gyJ7BKukLHo9 zHGZtPeHSw|j@WP4)+Z~}2Rl%vrR3qLqIBlmn|IPUTBa5blPonsNx7n2QF&PYi(*!< z$Jku@*L1f5oSDm5j#t%ownHDu>o)eB3`6+GR`z*4Jz1B{4NTqhaZ=eTsfML4R`B1$ zgvD%4P2+`LPHbgPU9sl`UmB(*NT1zBy~bY}>c8FJCe+8ebe-dP6-fD%AHtj$7mQfj zH1abEE7(t_@*_=`YL=<;9$`mW@X~qbX>bUNj7*^)E(B8+&5Hdvt6588t=QEPr2H8u z+1YPekaP8v*)tAr5+9~a5z$O%j1jvSh8eQDRPJDZ8VI&6p04z!mie{axYR~CqLfCVS55lywP))piK4qddy$<8{M2b0u72p#sNU`DSMxSMu2kmP1btwS z-DDMs_mPNOgIi6vO=}B2E{^>D#TXXmtHsyRPb0D`P_3U!k_GF3nK_38hc@kH1rx3t zn3=oG@}Znp<~BO?1(M|w^P^yj1x~yEL<5NeY@hSCueH$T2B#em1v8GC?0-BR=VZUN zG5bCE{IBZE6^UBDn9OUW2_^h|b7+9llFzeGrZ?dl@F6D8dLpL(MrG(mXu>hhs)6#m z*EAl_PBjukjIx<2y}WS>d)BRfaHoP5?y#S{TY0v%=Fuv}evj`7`8R@g7R;9mo4c_# 
zs6U`@i+1Y0muwaoy|~@BtL=MZbZA17bwqL_SBwu#S7K9Ni&uc3yy+7LSNNBUNxv={ zh8ENwcEbxGe|~N$0Q*|3V}JiM@b%1P3qhnX&Su>JX|hk0^^D>VfG6GJgoZq@&-%!H zDT*7!og*p&Io9j#BADF9huN&9N3zA4?*Dsq_Mba9Pi6+N)qW|`9QGw7!k7b7jOJ$) zTYP#@-_MHABCQuVk@y)+F2?3umUnraB3zzvesMWg_jjLJs^Q5s(vLd4J<1mDM@vl! z4Exkz5b|wIKDtp!YOzqf`ad|=Rgf;U$DvCxF~e=TDucM-0s*V{f$F>VZfQMSv~-kA zbVRjx?gxg9Nc)-U0-~|i(W#OVpe}EBp}`@p_dy2urlx@zmXPzzT+-E$g_$^X5KE(r z{HgQICg}pgq~-B^=mzvF_gvXFYP*Cs-zU&qs8ptH;&zag4!gz%mmGfI*uI$o+cP+= z^91N zHzH(+Nm0R((PE{S*|NxWMos$x1VMEnnE{e8;)kFU0%C`I{zCMmqUmA01B7@8V5uL5 ze}Ebz%f2Zlnd?P?v%Mt&^|&I?`FV@nih!!p#hA-m>y4QH_rUq3(owCky+Vo zGu)X4-*K)X7B@9~zktgJ6Xm-g78WVEDVJjPGZe=l=8)-rtvg5R7ei|8vnrma%e5qF zYdBJ`L4Ig^3$~)TPmJDLHCvV$-(|q9`WBvG{h9j4g|AYoG7)G$EVk`RRpLiB6jYPeE&?$+B)I~r5#k7+MAm|vO%Ma>{URV4BaN+pf z&@hk?3RuzX^B9UkAV_c(#3rD(TU0Rx8F_X=YWaNo{@<}A+~|PEqWgWUo?SDHnT1~3 z`Bo&qYw!hZ6Fuh9B37)W#-5lFDho`md(T5otLJ9hz;GN5(RuyFtF5x^b%2u_{a7t4H$R&o-#>D&V z!DB`Gq3Z?`(|z=UXB2+`{16HkbRh&8GVPP^hYRm^4Cd&?B1G~F{B&3Pu+^FLrvc!% zZ_4Dt6<+>I3s=6L*>(9qSwFN9&65k8)TQX6#uEiOLWAjUxBc|xd8g;6TS;zR`qD-t zP1j>_nmL}sXk#qb0)okIBMFkjGL~Ws5_c{-`S^MU6q#Eb$iNnL&}0Xc%p7c5dKhRZ z{|MbG_#!zO)OJ#x@3(hwG%jGoG`IZUCob_vqvyr3Wd#0HJb;6ncYH}UNZllC@u|#Wzs|btjVsU zrimQ#b^LRiRfu$!roa7|YXhpanxm&EuGXPrwK}vn033UKGL@8TMP=-~b<`U6RWroP z@Z|PpAqIfF)X*o_cm5&X?HbsCDinb1bjDI0kFTuR*1l%mcz9<#ji~yiI_+Ke4-iav zi6P345tqGRg?+`oAhECA1zGU1qWEdW(9^xr{bSrl^yxOCqOtda$zZZtg!i1B z=^1Y)?Tg;JT@-!YTM|`|Bjq0ye5MbCQHP#cIeZs`!PjSnPpdohQG(XrQ`lg_5}sl)k3d!c5OV14cubRzZ9IE2rzfJ#M)mj4c^u3J53{$Rf zL|d^fW4uy9frHdoJt3@64po4nyVHq%;#7?o(|=@INW%ND$&N37x9tgpL^Lw^v$UCg zg0pt$YUBJXxv+A=GL{>{MktJY(DAamRv3@frqk5t^rgzNQOZsc)f9n`+^8(}_j~K? 
z&UzMPovy4+m1RA>@LSEK09WQ4&G7Ml>VEGAx#UonxfkhrtihT}Mf)FVqvg3HzPzmNr8tppsz6q9Kj8Zzq0kLSP}EB({zSJ%mkuX`zq zK#u3%m>(~#2#}S7p3jzIg2I(0$Xh?|ZOd;-4@FU?XY> zzQp`Sxc|+EvGgBB+15?cu=RMeq^=!d;$Wy}etRxKk@8o5(f*qfUYKyoSJR&Q%HC}rmbTLrO#-+w6y zRo73erB1OwTk3@^*Rh7v6{2Y^9 z@5eanCu(=|a~`Uc>b?D=A9M9nAaWg>HNa(PhJP+TQl=5gkb+)9qJ9IU&|8( z9_ro^AxY|Lo@F+{+3w;dX6)gAB)hEujtT!Y^zdlos#MzSRB|GgO zDn_addF}Y~h2SN8&oa~5%VZ48Q`oYWCytr?IDRYH^%LVrNBg*NoY9m6|2mF zFkGiXH1Wk|WV6a|94hZ$x$b7HGF)9THf|r6)eWYtAJ*GCf-*ZjZz9%`^}aO19pnbtobyVQH0<5 z5yZDL7SAO{;~Uw+k$+(z%FBw%t9&~aO1)cg+3Q7d8BpB#j?Cuf-Q0EShG+s_LDN$? zB$fugb(Dr#Eowyvv4gLq^i5)No&?qfzC)hTj_{W6w)6U!2oF`%HdNOT@M6}Fy#OuX zecvO1{Vo?4jV(p%%9{vBlDZK4qJH&Mu?Z&krne0;_^U*-y)w7s3h&^Q#)9;oU5y~_ zOF+bi5%`l9v9qbp8D?&3zu(PQ_6;IeCxo@y4#?lwK!N>j=MWC*|=EqKT|OC<-rgPO2~8p`N&)~d-% zw=jOmxOqy`+C8&|ac#FUMt#GkV6h(@8Q&v_BHv}t*Y3DJ@+3rRqK#y> zr7sO`!c*}=eyw`sn6;ZDK64{ZC{vwCOTrF4kj@n`dT|dVXIxxG&W1-6fesGbn#2uCFM1mgo({93zhsl2@9 zYa6Z41z5A=*p{{=!MD7%21X78VYhh218wMlyRD) z;2Ggk3z_dR9?yeWvDXLo-Z6NWu>Fo=0Aa>!b7l${@t~t}D3RV7hxU-_&4qx>0HX;> zp?yj0H&ihw|D}If;u$(y@K31d+#JX~TwCXW+SA*XS<|fJ`M~;T);whEbpF$PX`omx zFLyl!7x~v48DWXcf|wsAjq*(h?~bz4(I1X0HO%RRVa30rxDj9_3`pr>^0qzK=#_G~ z^)!B0?=ZL!BgS)Yu)ejp7E9!rNwz49OBX@dU2yf{?4?S3IWTUyxwxKPYodu4Iqlr? zBahr=anl~HxTM@wTRLH37&wF-_vuF;Q3Y&=uv|W272RfxPEQbUq;k$f90XkX)~Wd< z&c|QX*4_!4_Irg%Rpo?!>eT>^1%C0SzrpHpFU7PoT^oP`m906^u4YXOy4+Ml z?7!8roIGt9KRdAYWN|WF!Zu)Vhy2H(juX(Ag%ZS50`?*? 
z%1VAg2I$PP{lc}6v@b{;QtMA@HMlk-j1BzejS#!VxKE#$FX%2VTfpdv}w=*giXIv*|rm6XbLviz`srrUrh>7TdG(CQzL78+Oe#t|rL?z@y8t{1-zn{RH+_dvr2Lv0UkbfuJ2 zAineYfeb5g%6q%Lv;w_|ggMSt@lPP30eP}aE?v0*O^cZZ>XQH`0k1g1Cu8~$O=qF@ z^gRM&Y#qqD3>z)fx4YwbZb$Lw*kviu{9E~HrZvCd+auL-FX*0_N9S^0*8nKOX2vWO z_#IGH5Z$TZL4zK63OS1~-vJIyW*OliIj_X64iAIn{NS&M4g9NG* z7!J6SCz|yU>#g}$Xvx!5F0Z`O&s;n{Gfv0;?ONdnM-#K3E~2hG#SQ#96WsITT84m6 zb&wwvr?M;-P`s?StiYRr5e8|{51&MJoBy076#>mAsku_wKrp^0HO}{ zHtK4xMOZyf`@U4pwJaLLf%yUWWY;<1Pw*B#Jm(2FLnH3y-y&TF-WzO9RZ)G2hy(&eBnQ>gpWzxX9X+er}xMn1SDR*2;B* zni=w7Zr|%xZd}jqgd&l5H?jU5h@=DtB9+w`?##$A11Ib7$C_CHknQy*s&ugevI70V zsc4m0Lbf`AE}-elZ(dP=_H}W`=3WVxdYqEBChV!I8eLQ-PoIkl%ujd7HFl*cluTco zmNcyt-1TVMwchgssn77CpfH4w79QV_>*jSB<^pewD+@{z`&ydb9jw2HzTHotg1E#d zD$l0RaUcnd;JgsoolPIq9c*9J_(a*=!t$m@YBi$Vp|vvI>zGX&R_A}DRRpZ>&!Th1 zxu0hHhTZRvwvXWGe4RBunvljcWv~wTvy4!$YuUSliucggio13ADSO0_e!j?`!XT9y z#O-2@1rdm~FpStPPJ3M`-%517-Hf5ffA5N$Us6@HJiLZMl3!6z@^Q}{8 z%o?T{*FnEyrs$wAr%hv5aiVrnz}WRQIvhS2t2c_uJEBA1HW$9y;&i_ATHk)x zK?p;p6fg~mI=y~vR&W0|Q|9FmM8t<$f9l zk6u%hH#A8Qh9y5vqg08!rJ@}uMJGLtFXP5*jwYBw1uWzdJ zb0SP{Fd~Z=-Tb>oNI)t6@aG{NwhW{VFLCudig+|v88=K_#tlGy^1VMjZrF(8X_6MV zK9lge0c*DJ+tJ{TKq!2epBIUOR4J#_u$_QMgR5h@Q0+`VRjg?ZM1KV4yA)v^K(8Dd zR^p~4@5oS!6{=q9D0XsGIe889EPF6ZBx?Cw(xoZCtNb1nYr57g`{)L{G?~G?!8He# zE_|dxf$UX(=qA$e!jV21#2mNKa&XOcoTA*)nX)v^N~r(%QL2NP6u|H&(tl`*9Rq12 zKvIp*0CYP(rC=maj?NG>g%QTm>DorM7%HHE+#=b3x_&2Y@D_O+p5+4mK?f3<%hGiI z@F%pp;Z1!(jCI2-x8+4p;W{t98Q3T#2Mz^2&eLklTC}i)YL%?hx;6CP*l9Go%=}bU z<$S^g*-@KACC%FDO3+I}EqOxtu`09?i~iRkWpkgdl zV^DD$CJOXzh-wqcgi~*9BPa2rIg)SqDPmbcy``&_hVv z9}@pfD8IRdhqB!}-VhB@Eil{w(l}Zu>!1@oNftW=CjgoJ?G6Cmt}#ezWqMK$a|tS= zd(R9Uqcak>@1IxIs}Cx2&A$Xt!zhG;~-J~7zWI6QrZ5jK1ga1@nn-8pGfF! 
z`^EuGP#*LEN;ca%BIwxs%{oFlEO1hpfBeYG^`5vs8znBno;c9XwQGE^hUpSFa;2{% z7yjBv+480u3k0+yN^wjLpS0_uJrT7@yX*DW`B56bV_>C5W%*j+$J8+DjrO#o)8vyN z0Ci*J_D=T*FZ6QS@8lqOaJ4VkCXm#;;wa-P`!(U?Px;=qI()I&!6LY%xReaeXuA7- zK4@<^X3&N=fu!XHCXH_-h>QV`oHjKh@mg`c<#XaG*5%XHPiyI}$HUcMg1Q1L-O)#4 zPx(g>%>e1@khWID^){59=+z7;eqHIZVq`@G>6(|p2lrG5wuvp7u1&Q4E&q?2vQg@g zwDrQS}S<74KU_1O1ve>RYHn z`bjS3R^*tQo>NQ#L#$N|+27NmVj92D#sQ+-SUa&rU; zGTI-R1d_1&TkMDsS}!4FEobI=x<3<0Z*PIWV1RJ{E2-{28vPgo)|Nlm8)BD=g;o5O z61Oa{G({CP7Le;As3hNAllhS4u5(NdRk27Bq$}`esJ%q>W&ua@zu==3QSLZN0bg@@)r>Vw!Hk}B>c-r-n-$` z47Vbx2HPD%9#Q?OBqUmh@TSQ&YWOmC!JwbsMAl@u7~Dia31wS@e_5>-^P)Br1J>01 z{knM;)^y}$4H^m3tFd=RsvCSm3`dT5bVk)78j=s0^`{Kx_WN$tM$eqdP?AfOzt$TS zP)Vt(F|eAGVLEw@#iCNdZGDIkH`#t9qRjIhx1-SVjRy}gpUgzx;{1mdwz4640VS&( zU}vVG+k*;?MYX!tqw)1*55pFW=#Z-R3jBM6m)(5IoA~)_=Q>FniC(8PtE1Bv&4 z?u-aueI&$4Q2{gw--l>}SfTz)D0-5sZH;!{)pYDQ35I?$RuZ4L>saWgE>aAtaPu&k zaxdb+&7cL!*uc(S$oirGXpMG_*Qj3P zk|dPh)_-%jIjbt-mVuxF0cG}Asxjkqffn?zd*#e%A_!0@*>p{o|9ja`>2HpwD%CkqHcwMsGRz$vXUHNRLRv# z0Qsh#E@a_jgUji91-V<1B3OYlD)CflxZCSGy;Fvj8{*GtSzj%T2rOVromz$- zD$r!%%&CJeGrtW!mrhD_Ic1%|+w{)Hg+xG*e$Fim{tXDz7lWz#11Ta#q2BL(gp7ca z+9oveuNg<*;Ze2xc5Iry_zzXmx4{v^VnQ0bKPlNFexs_sqBi=6qr74DH``xfOdrBI zCkh);EthK}@*W&Sl*%V=@;sg5)d@q74t%Lj$CvzSgbO z%|~4Fd6|$3jpRyqZLm7a%r>vDvYrJjuy52XwKP5v=)I#13p9AJ;q~OimN~{s$SNMImOIm} zUR}qPN*n!NduIioAl5byU^q>)3XQ;ObL1u*ov3Sb;F8}H{NB2g(0md)!fMYbqUkgX z&sQ3$Yc1h*JH~O2zhQRZQ`MN;a3*7|h%S-fhfY@a9p;v|OsUW+NU`23XX4w0)n0fH zyvT=^9p_&(8T?Z#VlXnB<851GF0XT2E*JHc&6`3}D%s28ld1cV+z`qkA3t42m6s?{ z<}ZX?J8$*77&GXhYz50Yp#A~=0HGLI`dq}KfHBcTLC74>l<4ws020Y+#=RDrD{*b1 zH$do(o+t$F!LkNm?lhs%%6dXTdB-N8Mt4TM$Piml*o$O$^no#>iiq%-a456G#6d$) zbM@A$hd%-zf`sQ#Q|Ko{L|lUUG6Bl-*|s^FZx~V1a(51Fbwc27*tu24vTaupNGB0<^k7F`F9;lTEsv+hACPF5m1r%Zy){uRA*-zB@ zNjPyrG4+knc{W|6 zO=H`3+Sqp*+iGkljn!CC1SL7J<0mUw7}N9&p@H=Uprq~+t*FI$X#tcJ^qRX z(lZvG592O|)!opLWr$Vm&vp6CL{_C1RkV;4j2TD<<4Y9QO!A%E&=zKQ=N%smaJ}4C zbhQ&^iGKVV=CusYR@Py9beE_oVe6o-L)7LWYYmhg{-sQ;1Hj4){_`jGrWex 
zx=Zu4(|+u2jETI?!DnQQIW@_v6@6SIcE%IYyoE2;!Vmb)fVf;{B(=oFPh*BvJAL(V zSXM&g9Ek{;RkUflrt5T|On8=v&X5VuBFx*swOyvtue3cHD99*%ox(>EU0Zf1G#*N+ z5D3g&_-MPMJA7+;c=G-^$RasapxC*F8NgB_2la#zCGvzfd@jqIO8f#(4k{+_+#Rka zb@7oeh75IcTn-L2hbxpDXMB8n=MHo8JL$XC(bGn-jJ4>}nO-#)vL^SOHDgGFd=_>y zoON1UX{>V~P5v>C<3&yV4yuB*OojTa!8r=TGcqE&)O>+B&l7U{H2FcNQW>)uSgjGH zqd#$vLGqDf#iyMXs#ut~`Z`ZO4^k}T*hPlJi%BH-Exs{Yr&-eGaK9YUdTpt&O~TZs z)U!7ghs($=W7vy95=+jH5m-!QD`g@FGKlG$+E2+6nnPq@rRloEp&f?$UtNOX2|+aW zB6k1Ku!o47v3;fzpESJW@JcO9lweyVC}{pKh`<3vRN}dLGiBK`SI9`m>l${}atZ-v z4OA04%ViFuk%1}lw@86HY95_IT4NaP6ghlM@?jtdNIMw9e4L+=i%19{tc3y1%Vg)v z45N(Jdju^y({;+oVi%A8auWME`Ps1Htd8CoQ;kjmd~)ks{Q%(_--2h?LhUGZa`0(fI=GAZmzJL~cF7_`jiytA{3n0MOIO}Hs;bYSGL-)pl*>MrVa)L$i*TcH! zk5e$?$wl3CCVS_n`O-kqUPq#Hrp5F>8S{<_uwzN*=~f+@{pvjMzbY2c%>2cg=jL+m z%nzsRYTOYEygqPXpmNpV2${&pgBX2SnkozkojVW*$b~T+?ld(EOB&uEZtez{YxR7) znCEa^46+$F&ne1OD2EBzXV`YX@nsbylDsNGM&3l+Y5naEe)kk%Idbirb3)6MJLQvPAL`k1n90WZ0Ch@6W_} zVMnd@5O{SO^~|Gp&4!@BUW$`8WfkuLLUiEJ_C8S>&7GY zIsxb~TWDu{+BJ7CvBtY47jnSe&sJ+tk|=!5yud8#FywC{rS^%iC zZ(8m5k?s7(3J6X{46gEt86RV26pHY{5~oJm#G`#@7VO%-KfR82*Gyd*KxQdVfUT$j zTYTPPkVGIRYxqD7VW%J!_VLH=L@Agr@Of5Fe@(Y~|MRfBr`V_b7b!Jpm9hguhO>PN zQ3jY8@E+aq>5-VA`8H<=z#?z7GI+PC zS6*qANkQ!l)1w%lm8-Mm#&`dEPnj zN@2p_5rtFQDLQl1bZn1u(LX5DB9Yat#&vc_x+b37$(!Sa7-A^OdA*MQ82faruh2U- zizHINFt4}(hD3XTY!g>onUh32#~n29_sh)LMVWr?@)@B%*g zFP0rwQ9-DZ;m(0}85G}u5>lqs9MX?!LnuDrfCX+}zjLB6=FTV8=5bS$SU)!c+h-E$ zY?{;tZBsZtXoT7KmLvHO2OSOruw4$j)g}mhKpy|_{ekHcRx6!xZ)SdL6vU?1PH)!b z_Eu-r*JC=@=gi`Ki>qApq`3Mwg%Hi3qUTfV@D5=Kuf>YuXLHb9nfb}*%x1*1*`orh zrnW*six%MPObex-4aXl$uS(z`aB5HQ+wR3-q8kXVCRulB-{5!bOV{U0$7oBO#9LLEXRt-p(4cDHj%FV8@N&wA= z<{$hn12a+7)tg6y@y^@kLY_qltLzT+Al&2~>nNA%Za$<=wLBS>Glp9TZ|--AQ3G() z<46~i=4qMGQ_{@^z5cjE+E3iw73hc?a*S$v7`sGDG#Gv`=&TAt{sbKn=eR)s%s*7R zJN}JeqL1&^S$`*YHNA^o^=aD8Fh)ke%{<+s1Es|+2HcIN|FgWj)Ykz;w^0ayiJAj#PZw*`jt6NWHSr(>)1;SDQPQjM48 z9?mwNsegSzZ+%p55v^@T!F#A$eu*=u5cK*-HypeNNt-?T3O+BI;fpjE>?{&IlmiUx 
zfhPfFzu&e5+qN4ii3zB95C5gPX0Lv>ZTV-l*)K3R_1Y2d;NViLcEZ5Z^!EGfPtc;x zwoo#0f)NyUc4Xk0jT}EHP$CQ)Sh?Mj}3ND6eb4Y@qXjYJL{229yBgOe+0c#nM z=Iq9KYeeYp8k^%cbcO>ejFJ4}M+@=t@^#0NeH`d@y@$GVm46a@W77KYDlj-#zhfDb0A(<=-MV)HKd^C zmwa#Yre0_(@YV4GpYf!9`3>M7r3Bm>J=)3o2MjD>z5yKo!F8?YL#h!BK0hH@3pV2h zwauK5kJatxmUb_`(P0v zkjnxBMAm1?4)dGxF~5V?$HOQ1qY0*X2jZ0H{WIdKSeuVSGrtvNQlxaV-ckawXJ{_a z5yIqbG=&;y*YAjCoz6xhG!=>H8>Qs62ob3?P=8hxcG?_|=owz`XN%4QokcD-N zBm)ai-o?i{7D6V$_0gVFpyw!pfw75HO6o*{vCg+3eO?ei`(MV4;NXwI0PLgy@Z6iI z?M^4&)nsYI286<=U~}@()g7C?y*;92FG`)`MSR`%M~tY>+2>!C3_i5#$;c&UTQ(KP zbV}V|EP+S-Yk1KmeR*kY$)o~r+4Q`1yyyfenX2iT@67Di$R-vNP;fi)40fO>g}k>M=jj-4#VTtN7&fqVCr_XdGv2qd}2aJ zs;$`TXAIp8!Ys39AuT`Zj^QTKFUxMhKuPz%qQ>OOpT{-Cv&E5U zSo>dMD0;FvV^TZ8j-!aXYI1at;@YKcpklfua)u2-g|qv9a6L**+nNo}@_aJCCrgi_ ziuz(AIDmg1omQH4c=`yYHj2~v_WH%Q+;aNGQf1fcIrdhKjrc_f2RYgnIdV#aG8odrvTzRFpd;OPp={~Dj-|n{mv!1fRyPC}2T=ETT>wX~ z3|Ln2%P)Z^{;yFBPQnesLv3lh_+}V_n_4`f=Vt;N1cXvBwrZ6*bTL>*w7D}0fS zXuWl3s?@a&t3zf)8W~;q-QSzEYeE{SZ(QmUeiL9~1l{LHHU)%wdFig|DUTnD@iJpE zb&7r>K14iFv`CeJUjM5i%q*%jJ@_X~J?Nq>?qn$PqX+1nef^l?_;JJol3ll4Y>v{~ zT~m^H(LjQ=2>QWmXynmHMzY|HqHNw(1 zOH>K7eS_q~2Y53@;1RVrlEq>YWxkV3keQkmQkRL5PZQeWjY1JXU>JI|twbm6K8iG> zA(>~7PXc9zu_Z(rg%=JQo+PqcTRA2Mf_OwR`g;|t{2uf>Ns6&=itj7OCxJ(oxL{lv zR^G&6U3X{MG}V2K|#?P$!_=`;SmPAE=tU~9$O zq?HJtvrsSrXk=4WsT4?0nGfOjzHBUVE~WGR9JGO0(9X^CtBu6`n5xF`SzE?GvS143 zt@AzrF;4x97=^V)J~^+L9q$!KaEO5OB0P5tgU(Ypc~y`}*keVs`UE^~OZZpG|LgT@ z#=mZUuAKUdsus(JGa74+g>jXxvpS{io0B5Z6_=2LSX#43OoX3H_BOZSlQWfHrKW4$ zJW}9!KxM!mw5J226Av7>^EIo3;Y#E;1|GojGy(C>Zz@L-GrN0|pQ&M78Lj$n1s==~ zaD#R3UZ_jopn4E#)r5YOePiGj)OS_Wz;M!VW)z$UR5eZGcI#?%)io84I|#*nj`tec z6@+jr&eJJv52+~@Ljn$3!K=%YwbT~_3#S_~quO#tiLZ2dBg6M+gn>?#5}#G3qOw(- zt2`FA`o5;2=m#_v#F{O;sSa;g<9WJy9p-1aqp~+X_p2Q3*KnqeD1uNGY!yi~zgl~3 zG&zl*9jY+Eq34W0Hn!>vxCfT4e6JB^r`;+;dG?AabFQD3J?+8Oy3%NFnExDD*tJY5 zkeuIH(BzI^UijzFjQ^AJchf&zqz67;=B)u?s4zCs!r|LpMVn5*uJAQpRfOGj6`L5( zrfq#I+ov=O+*TQco~mx??s^a&`T%-PD5t`Y0e6sUQsoOljKLC+?t4$i0%1;fryQ#X 
zESJ!N4y^5~BuBp`txQze(DC!jWEEA;+HxWDvP1_}cYOeh}I+4TjM zfln-?cwdK6N{`lT$Q#)qAaHzmNrYSQO_$wu=pgKweN<(22=r{@kUP31X+34;h>mJI z-jXT(U2To%MA}ddy)LkiwUbD6G_yPiC87lYTvkcOcJz_%0g)9uu(F^sqbW(-|C78gx%I%@y`MGdo<( zyIR`7mYSjaTI(O5s36hh2@h(LR+cUsVBDTNPiR+<6$h_N6IPmzZ$yk45+j~4$6n-3 zj{6GzbuVs9@v%KpTC~faiS?lk)dDq``%>k1uX)YYLS*lr!zX(xt7Y_@Rk|t$AxCwY z9E!7HW-mTscV*%IyiVmXIx4^;dXpR+-0csDF#~fL2y%i5V2;u~QXwK_7zPwEO)dyc zx#gy2Y;1!d8~?kDvMQDdAop4sAf090L<|<`s<9r6hd2$qN^Ut#x%v;<4w>`^d=A&} zIez@`YIfjJLNSJfJ+14EbOm#dGG*<$le;o}@RuKji`x6naeC+{K$VB!@%ee@ZZC8@??AbfhVwnfk5LY0xSVm_SZG{W^M|8+)`O}>u@7{ z&MkTzX*9OSx}{kyybRKUmB%1kEVRJCfERF~5x~Ev4%Hd-Xhk3b4!zk-#$reuoO~GL zN5QY^C$6~F%cTaKX<%vNgY)upG9obJwVh@8VN5*)_wT^U8;V*v54<9a|t|%3@1}FQp97MJrX3sMe!o;U-4=@RM z_sTMkY>iJ~?T!Ch#lN;YIjJ5WYB()T9dpB(P)C8|N3M4OWJfZA*Q>6dLp6WT7`Nqy z0*gavw*Zyvec~7OTBA36qfM9(l|NJHwi-P#PsuDy&yy<2rVXL zwI=LOr8{kb95RaJ!(P8$eV^WsBH~GxG(Y1Y=$uCWZhB`7COO1$I~}a?FF?ldruZFS zsbyS>awgvz7j!vigb?NMba25y%h_5FXvW{(IvVSWMND-SG<-JH1KM#HzLt8!0O#A_ zF~MbRVfd>>wizTG?!oc2$p#=ub^k!x>29FK+^yAwt&4Z|mn}#{;*IRqod^|-5uzdT zPKBHgvr})}8F2@0`Om#i|(6c%Oy7xQPn$EY?dW#q?P4iZT5^g4s8yQ7@ga`c@ zQcER;5r+q>at}>P%slCi+F2Tv5O=7>b?&=}*M(8r97CSz4(EDmG#^rYiBI{>+IRbB zaAjua2oBAAg2T(4|D=3jrs*58|W-X zl8^nEY2O*+8)aEvwKM&2b=qXcADLQM+4%v_$&u0mmE}VzrE;q7Q+qn|-ep=Z+uE9_ zDoT@~sgDw`Pcnq4-sB@NGKjWS9Rb|fSi>^|s1TPFIV5jC{*3`xexa+*gk?d+-Ilj9 zOHuwv0TCrHvLP^h**RfUis@W_Z_JVum_zaog<(0t=ZzMI&vroe^qrTBR)DC|ERx7C z2)9z}lHVXctz{bMT~1(Kjm#0=XY?#)Asr}9*Khv;4ap!m40C(HJ=+dtd+k>bPbp== z&9hxQ;0OKYz&8RHxY8KTY5am$dMU~oMRm<1%9qB(PDZgJNe~|GjO*6@px^!Xh7!>v zXL_k5ASUK5f!e%r#8H72Q{z;n$&A{9{Vdr%7QMNcE&hus9fck+FMQxp^b@UH0zj*O zIQofNI#>AL^d8{C#(H&-NtW={4XgJvi$DP(%FY81bSMp!1iQ~MOI5s$`hVp{#Zx)L z&6v5uz&NG_IWDc;phSYX0%Nx{P~PoC4Dy zP|B7~@(usmLf!efw8xGvWQ;MN@;zGHkGL-S5Ljqr(8~fRTi{h{5RcBrnVV3s@2I(N z4lH-34=ewRn%!8KLN$6{8p%M5g0&5^s!i!COj$64nO8NF$~$6ALSKcDvri4p^YL0k zpIxj_0}2)n{JF}V^IeEvG!ht&RCo<1*8PTjH=~%)wfSURdaiC)$ 
z*tGWCY~^)!7`B4H-3?tG(`qTX0ibCa=QLMgE0vVxw4bye&lqRTbf@F{s4Jr7a6(*a7BvIp7C=Y2eAKNndi)2G~EhpEFDm>*9HK?EI4fa z;Ev;7k0g1){y3Xf2M~_OYi;ZB^#PO?&Io}w+lCWIczCuI4(oCD6r^-FZHRFO+$*DVlw%|iK5M|VhzDwmIgz5toH0I$yT-Stur@TvT-!xD? zO#h{PRRS#InEGkmJma~wH2e4x+=Nd1Ql%s*9Q~4ywYpe8>8*h7y_j1a)WcvVCYtiTweU%2e&O)`x{D#9qlz65GIxXv}*#HNYsJ!Nr zc3l)(oJ(4NmA_4O`S)mW(zJH|_iDMr8z{Unfe`ntNTpHY#V!Nj91lkqB5(E!!Zy2n zFbl`>-}7Z8jg`edT&u>U8l{=Dt7&bg%)16=G@>RgFA-%#&}&(}^_P+!I@?k8y)H-{ z;2B@(KnTBj41lk}Ie(mkix-YeZ_>d4zWiaVvKbdq66=M@&FtpNl;eA246M!1=*7mT zO@=cm;!SkX+cAPG95wQT(Eo<(wjPEiPH?gGyVGZf1fO7Z@11&C>rVtZn;QMm!2wmQ z=FDlwuBq!5v!T25-kZu3CQRqK!_TW{ZVgd`h3HeLDmiPsy4Da(JJv9@1Jgxu+#!+Q zWr=uoYZuE2L7V0qgBC_IrHx6TR%(9brwq#rDT4!MMb+O4GV#aeiMr4N?DUDyD4Egs?4S zo?Y7WOBNz7o`s3<*O@I7h(n?Khhxp@%ufr#`MGxX%e@7WF zB-dR__~f-*{bE0OLM3BsO1xj|5!Ev+X!Dlsi~Lfyy6oY)$(0iG>W*`5@{Lnc#dc9T z*ZChfj)0!cO|(es9Ot>>w0oYwGARl+O^Kl;leq3_A@4K-WpJ1aJUtWj^)Kv;`^p*Bf1ni?*Ou!8qO)>p_=Sz z(4pk|*&@th&IGVh#LQDnDXr|x3z@KdB3PG#!? z-2oKb@t4J9S`*XbZw)WShi$qu;0=^hzof}sPSFu&)xHFpKsR&`gt8lx^!5c~X;7Z4 zEEy6&yfw|h2kyF^+v@k!AyG5)Tn_!P7ZAijJ-Fu>s05Hj?^3d41en#(Ri?do7UGAY$Oxh}A=Vt(V?vyV6UQ1;#29!%)jUqk+!(^Q%+kC( za}agPT{e)QG_r0G)L?tid*i>hlQF#XuX41(cBi*58F#gFX{%}}^r@Jr3LBJyRgdgb zOH7>0R(vunIM~Q=cqB9Xf7ZhZf&He&kLb%0OVfU{lh7~vtaa$mF7rKDY5f(~U{2G9 z1dwk?(elqr10toj4vCqE+92UPiVvKj-wZi=Sk@h7NAanOaD)r&;>uPZ;{WGeV|UmI z+twl)cr`5tAWljvt8cvA86g7AEVOzo*|7`w-TpRzEv^q3y5qT?(~e6jla-44ro}DY zLT!sn&Cwu;#Ra*n7ynWVHgvtP-2;FBw#BTkwmWQWmNGRDcPBjtjY1kz#_xir(uab1 zhlEf>Zid9yN-YFRx(g3#ix3sr(-?MA9~GG`1sxjmRkE?Q7Vg55Hcdo}=-&5{T`#9=x{nE38A64b|) ziwKAqaMS4sk3HVD(bzq1=XK3j*E3tXx?V}KQ}?KSsRm96Y}4Z%IHZ8UN&9$Fmi@y* zB~zy#R}9{+7;hMcifZDd8xv-Fu`%qk-*(i%*f7|BAd4^?EGinKaw7p|SCC&wurszD z%49x~+!<%^^6&^O^XTrT6w>?sB3w&=x}{McCrOeT-^GDGZxQT36McNOy|Z>9{?sUt zf|Of0aWotF0fNo6Y3>4kf^evqr>&flv3xdiz4_&4DE*5zOrmYSoIZlP!UNmGiiSzo zjHYLyKZ(zwV2>cjdLRs^mhoI#R{<;bHkl6bm;L%W<{l-(Yf`lJLg8;;Bk6X?lv-oA zy&Ch>?I9Yn7ICo!y`9i{KNq>}MTF(%^6(Qjo|ba@&R!o2^(9rU%LP`vD!tlK=G4^} 
zoYO7SF09B}IA4c%=4O!{t(#OD3#*W;vru2A;?u==<6uaZLvaBMV|cL_aaO)#`IU9n z0?|k4$0{%aOg~pjORgP~AI1$?h-gXLmh0sX z8t%LFz=L`BeY=7r-Q=)peu`rXX=*4?l9nFpOLo`r^craGd&?>a3f$A(&r^Mx-2c^- z(3E75SBy%ZqmuYIjwfS9gv{4cctNRzj_%ia|M}rTIAY|4AjuiMIaV+@^M3Mj8DZMp zHebc+Z zA1n)ME}O!%;`%%7qqVkr-SR6LaeYS*&Z}KbMm>*{*|`W{$M05fMNc$odeE#+ANX3^ zlBrc<0x9G^u%WT4)J%R`p3&xg?Peb}9ccPcc&yR(Y(m>Kr5r-n;>(}ks z?GlHkN01WhB##IFK3pege}qlbt|5>6(Ee+9`J~_bqrodo09-D_$#x|^0I6?xu z1pzc={6A`-8XSB6r@yRz-Xx|-cHU071>^A+x2jJ21ts>GOf6dU5kd+bhJ!gE$i8Y! z^TFHf!uq<-$*FDwOB_qh9~iR(3Pv@;Y^G?y-V; zdf-Nv8U^xv#?V#nm4?i4Z)M%o75XfiFdOLw-_(q^v5ttop>j>&Auc8RL6p)U7p+ff zUn!~J_}~(9`GJ++FN>fE9g|o2+0*%81+$#Yry1YoSG;|9)#u{%GOZrM4 zx6NNI-WSBG1YSf;P#`x>&TTa=E&jxnBv^&g#02#}qFlrvnl>Wcx6c+IHSP%(%Y;o% zQeE3xyd}W1*CGFuS1P>fL>$s>=r}b%d)`?*_l`>we@Pzy4akx#Bl&I#l-7#7)5Z9D z^Z`|kZK1aG2!8Y1>g|3K+8#AsGd*tu-k=LUIGrvrFj|;?G}y`{zv3VR3HuXL7Zj?| zk2(K~gUUA_RJ2ch{H2XjX2EeU(@PEfb!Vd{P4XPA>DyZ*Ro$OI3)v%=iOM)PxekD%1Fl`Hnx$OmExgVU0(=87ATh^FScj-}!9`|K3qQK;JO@3$M zlD2hD(FT`YEah>E;7uFjMLw_MZV(r?WlB}=KN^m#0>ChJYEtnYk9J$|B##7*eOup6 z6RBoUphu&udLMB?^>W>BVV31fAM90YmrA*rxvj79R7IhRH}%nvA9uLlAG6M3`uOU5 zE^8 zd1^@Wn$ZEhRqC(tCvOGAi`JynY-2H;Rdn^DBDGS+V0pcl_h*(%q|;^>i=YtDow9e1-5)VlQTcEZP@m-Z%V_x$%Lw z1!k>I%i|>Iq@QU2oLgfWH44i=6ZvNXGw^|iuCxG=6y*4rtEfI^%8&~=Y11a zMKiGDZwKJp^;-Lwez9fvMEK_La|ds}qV>HNz`r`d9@z1cm8SOTlYp@Xt0qTl4hO>= zP+FxW*)z)Fy^6kjg-0sEk&KT6|{!!P9%8JoOsZ!2z&$Jz$j*<)QI z#hiXBXExif%x1%XQ&_ScaVn<9SEY&(^4x~8S*dYX8Y~E+!$3^_v2HYzjUCUU;r03M z%gt67Ja7`4@1Rm3?)R?TpFV_ESQ2BWYK{B}_G9GGd12$&V`3;h$m02;uw$?}SO(;0 zUGV>5Pti3HcW(&as+`pb{_||Qb-5NoQLiqVmaIC~>1IU=5nwDj7sLDK9zvtF3n`{N zJ67Ni;>*mE7LMzPjIgtux9X8}{UsTIJTI_Ye=^mGKM67`=@N1SAHNa$X0yKG+Ghlzb{mFZDgJOw5a7MSZ$JElUSBF|OeSIA`EtEUwC>g+n=kzq zN8rk_hdNv~e{S^haEHGPAiQclmo2wmIzS0x2n`sCRzCTzlIqc7ts?u3Sw`ZmE9^8P z^a`=WHGHssG{`5XDqEvKjZ+?^9ttJ2#q?toajlpb_S`n^59^AhHzBTn3VSN0TK0ME zqiypvFM`&v{8bB5Rm@}ff}l>-DGI`Nammz2q1)wyDG-|kz9)LPU_&owTiuWobhS3O zAFfe2XhrEyAj;$c196Y5oJ>T?DQxjFJEwm~4viPxxdBHG`E2+-$uS{aG~hC@XGV)r 
zK#EH+vLsieZMh%|1rz$KMZk&K2oU_wwudMEHcqUI{WyZ|>z%`vC{#w}a1m)395ds27P=In(2t`r z7PLPq!19AWArg+ob_A&5^aFGY`YxG%6Y%CPY=xPRG72+hCcEnZaqrO6Tl8N(+xV5G zw_mq*X}oz&G`N-AM-+c87K+{O%tTX{YdtA=Edg{?$tPO~&FyZ8WC17Y@xSjd*qTlT z6o*fl`Oj9(+@2V8j=()zG{8N)7+w?HfqsAt9GdTd>eE@SF9W8gf6rk6yq=6?00aBq zaS&Urss8f(om8lor9`&kX+imkXU-UC{3zS~{69aKO#P?zhp(}&*S4`7G!$kSobYq4 znx1m-)bkx=bzjqBk3Dc|*pn3JtsDlaWA}C6!bR6G8GdZ-!OQIeM-&|NOHt@i@XTb@ zX^fp*2Pg?-(69!|BGE4F%2GqQ{#-@1!T|E_NKiixT+(tVq| z0MCL-2u>?ZUAcV|^D$X$Yo@J`H$T6(YjPX{;EJOX$^mAM*>&tr~~y_MHo{(bE6Yj%*pHZ0!Yu?E*>= z%)CG4PXtO-8AnFDlIVEKzHsV#1=q08LP2kHmwiA$Tq7g@*2xC7JN&KC<y`L(Qes*s#Y%<9kjDCiiMymF4OY7=15y!q$N(n9&BWaqn zk%0TF95yE=K1-*u{p{BFad;5PTZRge-+paeP-c*Ee_XL*%f9P#l)k#nbTE#*slMp~ z)=axoDkpl%cocF^-`UL`e^V*y+U;6Cx~utP%CN}GH(gd!l<2fcK9V`9~?dOE1g=eUYE!(J!CKv6kD@8veB%+ z6}fhr>gvCP$szI7rMAtV*(6tjvgNlwNq#M`NIeeSbdi63{YuZ;ic~AfT>S-4#`vpp z$<)#D+!3KkV4vlExpnQbWxb>C`o3{NuNG4hbF6=@i4~cO@4A$77_%BB+*gS)D~7azzf;4v>#M6JP<`Q(ij#B$TmR^?>#Hfc4C)Hm za<^O59jZRQey__5OeAaNi89*Ev-2q)0 zP8m+Grrc2TnLgGi<_-k2T=yG0`sn80$m<(!D+*#jB4d%40KdAyoo|NX@+ z!dmp!;Gz$G!>x$^RtUx1vSi%j=xsAOAf3Mk?DRHm9|G4Hd`xBig%3lKGoI+pCl#M6?DrqoNCQcYmb2(ZA8k0t*q~0)bwY4i zEuXVCLHzJiG-}+|*fvYI5JYQe$J9bF(X)mHajm*UF^UASkOGt_OCLcjXaqenFh62< zox>ywb5^xlAGc&&5W-UGL}V$Ab7p%OUlmvo%CF*JndJrpl3Z zjZ?UiL4N;IS-$ zm}+5A;b-LFub^%p=fOm&{)TQj=x9qOx+y{ZNE$x>k;x2MwTi>-fG&Lco!3Sw>4k=S z{Vj|62GsM{q|RQ6YSP%1LmOZirT|sHO9YjnnqqrjVwDm`u>OSr)&66dB*o0{iq=EB z{FBrin#Jb3HK~5m`P*OQ%qe z01rgcqXWiB{6tv(ShybydiVbWF%dKZ2x2DU`Vj6ubRpOJkh$ccfBOp$OqB|F1P8sr z9%vlmfyv=bwTagRepoY8p4N8++*qVt*VV{xc?o4@G8zEWhoB_%Jf{4**6NIPDWjin zH$f>NK6*`2L_iMP6a+f3p>N`2sTFEe*(kLjhN7nQjKu2hr-|?lMTo!GaNqCWN-1*= zd`4toiZ=0D)`pDv7k*m76K(rFZO8JNCRPUtTmGDuZQl@OFT@>cEf8%Ew-M7r%+e-1 zsrpXnV0dqg2divCH&y;D7jfqA5wW2t-=57;(Hx@1T!ic2mVE7_Lw5zLXQ}mhC+TQAvqTnxa6-qh^-pC@5*k()YD=u$}^)v zL322wTJMZEH?#l2K^)p~6GubAL9RA;P^Xqvsj&@DiJr1Ue$pE|b%S?0?WQynEwog! 
z#dmB^DE{{nA+b*F!RzTl7>(e5C6FA*5)(9wr34z3bOR$rl;HmZFK&lYomQi1<|5jewLydIw20 zw>>FGFPTCGIR*9rN^I}Mq>1rYVS+LkRjhVxxn$wupsyfm3}2I>+QM3fabmyX(Y)Uz zu}Lf+LMMtYx{(<7MJj_n%XX86NKSy>&#P2$Bg{-2Z)k@l>T>rKO9VOnU{csyh2NbC$P#LyX!J|` zf-3Q*uN^35sDQDlI26CHa?{#qm^{=i>J7{#0uZ7oY6P`n0 z_|$ShC*GOPP9mWQY`>jNP+p#ImziFBnRC=yo729X%k2p$`aG4SJFTcYHk{fKUsF!< z^UHCcbxJlOt<+UIz+0$=%+Utm&>K14I~=}cCXL4{Vf#cyewI_2FPwmukrF409cuWs z3U2LsFxE8p%gEH`%@XUU2*Upi3s%TGdDm%S4?kAxtw^BIu?A1PHv6OAiFzokP4e%$ z)~MC6H&L~vV{R0QaA3rICXnG2lP-fdnVFjU&_LZ{8aQg!PvEv<0V(OkM|yzGv(;~z z2WITakb(1E@MX5Dt}kclC_)QCl^LrwJO5xuZ~yG46GE-)M)@lH<7`#KiujM6RJXCL z9XhU~n~P8a9L?pgWKnAXjB9Fs&|v0pe>P()vROW#N!3p>2EW0=$z4!P;!mp-T|q)W zqknbomQ<#&-BR(VLZOLTV|nZNcvB@{F(Bdb+77Qo$YNIA75NuJL=Cmo5eN*3^sF%tH`eFS*+E6cD&{eQvSUYZA$~{1)c?ZTCpHExUX{ z`51ll&?LiVQwsaKBum>#Wbh5)2M&0jByE4ukVjQg(fO)EV27cYarYSuI3r)0X;a9n z#r-zn?Ty_K!+zIs&K^JFeyc2}iaI}wD}VYGvEr~RI|h;)6@^By19eRPb38uP+-g)MP~FT=5!Th| zXOss>e+X|1Q9cZ(G$Q)X;XQ~rr1<8UwvqA*P0&kIXLzOJ5}57S?Y2<=tBd zMg~oz`)%cBexgGD%a(U|Fw{h^Af%tq))vaRwdGlye78YImdx&~H-5<{v;+_sbVf0;L3NuzphAXjN2vtd@qVpul!IU;ex2>oIxffE zuRp}qcfykAvTkBe=PL8-s#^ZjjF95(VbKC832cnYHs>p;0W8JhX*+tY)8I}EE$NJs z0ml;p4T@*~Sc^|GmA}CTFq8{+&$IQ#L7;VE=?yiZMh&rp%7ZrJC~N&dc~e75UOL6u z6#rcXFE~*apZICDPRnp@Yk^1KV#+^p5>DdsT3L{0lh=o*ePVdCjuxQu+QSU1kcGYD z4y>wAQ-4+nM+wtg+#mP5 zismsF$6vdCaT{bdtUx7vF;II`U)R_XM%V*8%pZp~yie`bdZm=b;R^;ij<)WkFto{; z=$=S~FpO+y-X7Tb>nVkM^g^m)Q1&Mld59=gGe{<|Wi~$sII3ETV4Tu(&xA^yZYTP? zlGf|mI`|oc+1R(+()U2XjINBVHoL8MCS)hvQr7dR%C?VIvDCY_o0Z#2ia_Mxxadjy zaw>?t-NV&M1#|k0q-r#52{b0S*+k*y$W>CVnrbxh#b=d%_htaB3-yNz6JCiS+d-&z z2abmAXBfbtVq!CITXxpyF1s-M3v;3SA;L0I(@3eb$(1eb>o{l7IR8M)@+ZKlpr;XL z+J@BAKYQg9;JnLrBM`M)w%-MNkk3J6=~9)f@Q0BSe&v^96k-qh8yL3>g9udK|5z;! 
zFJFYpv;Y5T|0PhN4#C4W+{*8J{>86w zDvIv8y%qpWu54o(b5Pw7VmVs{Z<%zQ9raC7Z!1iP?HB*2uk_!=M}NS)iFS)0=x01g zMF2?t9aAU?a*quJt&u#Hg0f=pSPT(OCmBX^q$c^GE#F)I`^^n*X8E9ar}SfRO)Hh{9|qfeCtYV52p>DGQNaIU+faIefLvc zCJ#J+nH7A?GsS3R%V8OY=Q*nT!JR%>jsqU{Qk!zR#Jr_HJ`bqMjCLp-<&un+Kr3C~ zpK_m;rA};)rbychKi6|f9>)OL@f+Z!c3^2>KSiv z*am<~I9}WkC7_G)KcZ}cxObNM$fmhVO+ASxM%2~JVfq?Z+Cd@uR>jJ-UHfSk0>Df`qI;$&$^C! z8qgPS#;!)zDsGSIZ_fnc7msnJUrRp&x~t?fy_xxW+sB-cl(yHe*Dv>3HQN#L*M~4O zKX_t19`Lq;(VrO8zdYQKJ{?Zi7q(IixjhTDs^A4OMhbTd5p(Z6R_bSC@Lc*(A^j$F z&M@KK8MOWJ9~n1>Kj^NjZ2Q`UFq3_?`!pH_2+cR<4Pk9h>;K`M-+^QLQ-R$}6iMeQ zO0(=&?P}LvMSm3Du1Y?I*8gMbtD~aozQ5`2?vj!YfdQnuyE}&xL6Gk5?(P_n22rHD z5f~cjkP<0r-Vwh)p7*b_)?G9Ap1beP&yEu%JOPLL%sj=I%5_dK8aHLvP~LT+HzVJN zPJ2f!8W9qHl}4h}y84Ene7@;Pv$|(!C{0A$`dVSJi%eV>K?prMt&aX?lOsk#4?p$& z+UXuZHTcD0j-!O)xd$m~D916_bsTx%)KZhH%sRQ<`q4~(i$-~$*bOi z33xM>z&p4&I^%{eN*WT2VHF%N`gOV{s+U<%aK!l}%bj{#d%8`2J z+FjrG#@}xFp4LowmN#nanMHDBI+`@E{v2+JJaVAYL@>4hA2<|fY?PZ}wjV&mbQ=*M zHjCQb*Ql3eHdv`Fs53#sOf|lFLroVJ-k-ygonB;f`V+b=z)wr~O}S%i#m$G$(mc@z za}~6P)icTeR7G?|Y?Iam68w}JxYwj>NT0vQL!lRxBI@87lGW@pYV`_TnoHM_4i znOqSrEKz{JeFqxPR#^TfY~8UdRmsaf4ux^tNZYMAREvr|u6mI5YfeWXp6J`WF5D6u zQ0k-6y1hXl24M21u{3%b)5@vRRiABTN!3$wKyydN%*$zwQYn5)SeYy{w{PnAl>O&! z41DJ$Jxw6)-iHiw2JJ?FPjeu^eph+sBvzc!?!V^4RSVs%rGkE|QRGDRNvIJe^Yyt# zVMow!ILf#R%#KVpP)j)QXv2A><~v!C-5I<$aH5I!8QeNnN_~{}&hO>dh+jbk2j<8R zwOIXW^<<46989uepZde~bDo-crrK2PSSAKB)lv>ST@341ZD+BzW7LTX_r(^!6^7z! ztYVa9h+i85Cb1SfD5v<(1K$T{zrrj%m`WA7T$dg*rE1`RXKh{_rYJ)cB^n3N{XR2n zJRALrVt`*6B$WR4Xw13j8BFMv{0TfP;)a3mpL=>TG50@JQPF{s*7&;NdiGZE`0>NG z4d=R6Hf+Le#;tbCuRi4z4%+)WZy}-k7GkPPqiZw6*+fQSL*Cw^zFNIRdU({5G0S~? 
zKh>pLmQg1bf|osSf}x_vYs}ShH^H$fEQ?%B#@IXKv{StEHt(xEq9&It@ZyHl-?icu z=TPhY4NkudFcw{$_cI1H`aTkshG)Jb!?|nsxQ}l(w&oHEx8XkTn1f=Z0*Q$tJW+_jF|4=uMLcjE5Kf)k@aqrp93ryVRRSV<;7(-m!*3?> zOdSTL>hcP4&wKS1voYV7vOjA1TVsA`=jJY1eE9mhPrvp}`^_6&27#kKw-)|Skg}eo zw*h0SM3Nm4uanJP<#VvSsu>&Uu*fn@eC=e4a>JNC2mFeXt?DxO^32*6KmDkHW zY)#46SuS3AZ@`dEs0|sG13){Oo1M%XUyJWZC37nPhH7p_H;ksh@f^+w$*+613f$-2QWZ8+#2=k#^lYT`wvGF8E&_Pj*X8`T#xYIQ8 z3%{H92Dnb-#k!W+b&!$DDig<|OAfD*^eUf?6~QyMWtr8Nzv19>^Qqp9IgA#f1b@FR}=N~;K`LLO#pQ; zI$1?oN4Y{H60m^e8KDmhW%NCEvS?oX^l=kx_J*HBwSA5&9RtKacGRN0q zRkb?!SAm8V7{9{_s419P<=<|nWqUQJ9Wbk%b6>_jhW}{vTs&DJ(?q_RR=->wYs;=b z)iPPmoO&#*b#{$8-q}~U+vpF!5;18am14jAeBL{yTWcKKxqn3p>3GHVw-!ghp7a=q z!aDmfkU7bf&rqF&jcKXt-3;8@;>wYh{y!)`8A+%hu@P9DSeeBxV^hR|Us(D1cDnka z!=ira0QcgSwH#G+4^?Rx-{37O0~qhExFGkZ=NKk-%7Z}p)#88<+{XhtG5m8?B@jsU z%ZNrYsE7dj9OmS%VW>xvCc6gk@o$OQb6_l8Bj3*b5#`B`LMM^OkGB(@Yc{J*p(XQ2qkhKpID<@lGCs_sVwRfRUp$g>p8$jx6m z$GK~m>eca>93@OkEFrfAzAj7DH4?UJ4Y@;`rEGgP z0(kh4((0d6Df#Uo@0lEG%}ZzZez;2f=*_Sg)}5okqvZao z{gDd8f6jlI|K7G&PmXlq*6A@Klf1HwIr}NTSra|;+XH6fQ{np)TLy{n8S9xJh4VEy zY)kGs@l4QVemC;@b|iC7d;-|;kb|-4R+X}R{%qra;>hu;Oi$i>;y5?ZwAEbm*e#Kd z%kxc)eD&nlPD4QbM;`oo7Cw5q$THNVw3^9YFIu7$=PxMhtpDkfx}fIzOTiDq zdH$VCPa2n*d(+Szctgp~;HvYMx~`xL2F68&4)P9%PtgKyuNfEZY3JGCmHd|#TAazm z>IR&Xys*<12S$pqS16NGoyVedwbcyat$ymM@oLnAKQVSk{m+hl+UWW;DOH!mlf2cM zO{Luc7%P9g-#EVeDLRptdk$Dy;hN2K+c6b&55RkSx>(7N%~y29wCLsPx`$G;8T;2< zMA=-e7<;vRU;RS_ZYM@RECW1v=w7^MXW1$ue0qG(eql0Sd)BFZ=5(*r-UXQw0S}ap zKY#{R*rV6MVfyzL_pf$@y4Otzdc3=X3cbch5~-dkzyOEvXcyz!^fs}f z=;=0QXGMLY#w>Mr{+ApH`DTN4mKXhl&Ym8Taa(Fql7y=vjQi`;=<=FZ0YMy_yjC-b zb_@mdm(b-DEN@eZi_=n7|77_axSfq5l1E`m`cK4&fTF_dqC{rf=+A#aRiyA;{FBmO z2`T$>Og+LhmHacCuJ`zUQX(-J=V-h3yL^=*q5X|&T3ANk-U~oWcDzfADyS(6p;O!7 z>;%CxPZy{MGfpJ4j3hBN)8}yF8w4ZEUv2&?BtWMBO_lMMa8Y5-hku7(FNZ|fsQbdt zAnIJ$)6;?kgMY+~lca2A#$gvMx8;{cw!1Kk(C@4xolesmJc$krs&A!IdPC9r!52+za%o`K z$_FP%eWcYL0Ba_di(w%oYIcA3l4_`2Ac0atAo(AgLMb9ZpMD{-X|QI3!s)MslEw39 zx4%p_^V{u~#Of;f;E_UUYTXL|>+)!D5W_0u>D$Z~Lo-rG*qZdsx**aRkhObGrD=J% 
zk)5{Z8$!{2RZmO<|00mK5t*juQFoMb$xNqJb5^a{Z|2Q=<7k8 zezT#XTQWBXB3B^}J23>N+peUf%UoGl0X<5N**Nxj=E`}i?C)HOHr@jpulxM?E0&`^ z8{qXv4u9@JWUt}i{P7psM31rtp3r5BAvf_Q6f&Tw)dA%Bqwkw6SJ(qweoNsGkEEww zo(5Dd*s0#X4U@@bJ#kohy6|F&p zduUA)!!sGi!>04vExAd>yb-<)m25*Z2XR@AxCP-`4d|&4m&9>zSaEW7O4_Qt*a_Zj zkpiIyV6hOyVrIoMDQ3hnJucfu8yx#^Vtu2iM*U-N->fUayS-aCjcCohIF5$h7@N(> zMG6+5b?D#*NB(sm^6fCW};CTJO+q3qbOf?pj zc!>`$frxn%H0_=UDXk3HXVK;}_6JR8bEL|zRr)z|gMN$Wr(Rdf!9KTJH6}Boto*7t)fZr5Oz}M}PVs?uM=8F=dKX7&P_WEWo>0ZN|2907#4^Au zaVZEhYDSlWXR;Q`aV=hoHkc&-C}Hq7M|$ZrJC5mms7BZ?Q+e9UWFClQNAR1SLKrg`X8@O$bTeZeb3eCy za9?~{z{f7Wo5=w_$hO=L-nru5XlwB-!@4vXztcX(5O*=#IiLS7a~W|l^IBG}V@>>>BmrD*g8#RNpyw>*g`}G$1EKR##8k$e*_^nPLoZG9Hw& z^DhvGh(BYT!OmDC@y>|20m_MVfrMunH&%3d+vizU9a)|z6v*tu9;y}^N@P?2m4F~( zLXkf$LXks05k?34Bz4r}<3jb*MjdYH{l+ghZ_k7~_OoAKqq8YyBh>$dk7yl^c+poK zM|ta1c`~9&Ad2v(>mbbEur(bvC-1aJ!IECv>}|9y&WGc>ZVrO=w**YIm(GLDTA(Uq zVv)Bg2isR<@rhiSm(L@^ugV151;FI+_P;{xXW#!k3^sIE?EwVt9cBuNuD`*$Wd4Fj zm19fw9GD{@U!Znc zQ8XK>r$rko$eTfL@{&X_3D3(gUYdF>2mE#m!`~P9;Wn>Md}Yl0$GhGeO18^Tda8^= z2c=3Up+GZP^jLki;=X0Ep~Y@7@z(posVrVXbavEqu-gZSfb?z*qUc)sh^Z)n0X{*{ zDEx$GJ94{`jFxH{B`oJr0ijy>NUs%$73|L#AudZA05(MaU+A3%i!kKRix2^keAf3C z0YgCM+Uf%tp#|Z0BJVda0@9yuYiq4X42}&BG)aMb=&Z{oZ|y0|K1WtcZ#f&(uKsDd zl`9q`RjBtZtThkab4UJ&#l1C)b%}3yV4Yh@{Yz19G3VcQ)2$rqt`o+dHF3`g?Hne9%=sJN01-!U-sLY+u+>2dsLiLrr=-Hs)C_52{Z$ z1z7FvQA9NAc?dRD37MWX&Xz6_T0zbFVgVZjLaR@JKxn9yXEg=L1YGRc3|lQR;*?;; zHy7{|HiUn5DVaom@0ZbWR;?2(`|wMpxY;x%K>D)XkM|9VM*-f{isboR|57jsN9`$T7U&0sHt^ z1?dr>C8{}TjPJWUf*d*UDHLpDgLY=JDnn!sboJrCD%MXl^k{o8HwBgwUKyOksngv z&C(hwqNtqxcerbr6htaLvOe6YB|{;?yci)`ZOnkK^~C^D$b;&$>IUHz6Jsc?Z)LSgph9S_=K`a(D!?foI9E`;P z^|Y2+4mg0>--((3vZuxrSYh3b*kPLE>FtU<(Pw8nXUYq(ybQNb3{P0=5w9*szu+|m;}Rx1o*d|JZ{Kyq?R^dd$JK+5TsYT|@odbc=;gs^0WXh=?+qYWIF zo&yIYNd=aW%6Dy)-Sa5KQ-3L&cB4g2hf6vPwxWLy@9!NbL&&WSA-6tK0O_T$SBCq` zz`&5VJ=IE5!{h);I-(VXYPg-BX`=(&>N5+#4TlyZ3sa-NZ@thXo5hY67qQ4Je@k)3 zQq!QDRwPZo1aSV3G!qn9;SkblFQ0CCN9B<4AR;><@HCTS-Jt>brYj=Q`GqH~wmWed6C?|U@>5+c>@7_USmq9pK 
zpd!{Yq$AwRDfVj7N7^)qC*Fr08yeM;UJoxKsS;bh2gGrPt2fsWCDAtNq=@zMHGFux z;DUj@aFtoF^Hu1WjrdKXN<`?R%@T9RY^NJ-&T5Z-d zrkZ)L@w49t{bq`rp;fl*IgZhb;I@8omNsjkEeM23Eu_JUUk+Q~%r$=peqr&Q;qycp z9ITKwJWJsg4SO!SRoQ^ji-5JHhEDj+ShJnC)H zG%D6o33ZZQ_|cZb#PP54J;ijr@+zuY>wcMq0M!4^<@_gZC*)L88;#Ubn&TtR0{){BfZzC-G(Ppk8BWUJc96$@K*JDJvshaHt5Rja>2mY$`e zk(QO}j{fs6;t+t|e~CzX@&ulZ#zY>7R4I8GoN<7zC+qIq0{BQ*?p$o%Rk-g;2gLXq z;d&{w{={`A!5B%1ZCif>)JAybc;#NbOe~<4cu=ZbRUJqugTR``GV$OkgAwc>_AzI` z7=IwOY0Z{wvl{I`$L?L%NXX>Ch$_UfTZ*kl(|RP-Jq8sDj7vHtez)1#!dr8E;W8ZBE6exm4r-Pwctm_*oTe% zQt8xU`bJc;2q+;5c||t^%SI$v^_{jA$vyZUy=KBH)}wqa2HyeG&jj-JFHLJY z)R!i*w2&#J!9NMaNB~Or20wPwQ1g!-a9IZp(kOyBunQkr@{oWE|A|%_YzwUyZ%YU$ zbDwxPOl^R6q!ZSd^7^4y?W5O+&TwU=%Xp(s57ibQP2WPhZD`&~9sgvlWzL@Zwg-7f zh2_4D-t8|I!PrVY%F9v{Imk;H&xKDe^w<-bl5jxv50{BcunwqmZ+$30k@|&41lH3E zGj;3mo9sE<|HT9T=z!$?MF1|uFIfE%n}V$MDA9aiZTFzZMeKvQ`Kv_mWcS*t-;5vSS^SxpiL+tFFNqO1g_`m3LXl+*`D5e0ZtMeiwixkO zKqt6oX>;rAPDDbKp@AW*^gPm1Q*RWgQ76Fn8;OcYS1ei4;EnhOr8gDtkLqQ_#weDAiz$M!Bfhm8AwsUT#wJVHaz5rZ39(i6Qq$6j&~qmGuR>!?AV94M z7_3&2CD-_4s91I9GI6eb0rcYoX1F|M>ME6QS=L(RqIu+}uaW>JaiQNyp*d>U&)QBO zNk)o>3_lV{lXi$|SYNy9hHQJ7r8nbuz#YrbH-OSsLV4!Hf(wrtzDR~Sifl~m?4z179k*n{Od)iTi*x7OHPKx|5bx)vDZjikGWY{$CpXNM>FO5)^wKGpEl5U zs#k*-_G6G^NjMG+r^qeL;}A6)o>YifdNjWuDaO>}^5m^7E1sK8_tfLBx)e)J93el; z_NRzO2JDGENjPtuc`n6G8Z*xDx5t&$n(4Z8ELX{@i23mdO7+?|FFEzPS+m=|W5BTsFXwbma4S`P&{n$lV{j(mJI;*$m7uyi^{ETZcWZK$fSxQV?>PU|ct`;7o z@SfyAoigC!ap9UBO6G;1cdlmqID6_9dxi(8IbZPpc}(zo>M@ossNJQs&Rttnfuvp3 zcPg5*ELGw>qT6aE2=Q8)npX-TuW}Urlj6^4ttk0Z1WhfH;KcCkgWKMiw^B{_>np)SjxHgY!v8jsfn=qHAiOeQqauT~mGGZ60|22s`|uRk z_sNR%r}-ssq9+PRYWlU^Iezu4jhXgiwp66#&Nc43YNj<9AR=;AAQlC;ED#ThK3isI zC$d)q&M_HXoRS-Kl>riCnK62rmdIPwhAcFrS?Q&eVI2>&E-_pGUxP~ybR4z@>0R6a zHRJ^)>dDe$BvMzS&yaF{4Pt~*h1p7ed_2^X;esK6f9C_l&A0)9{=!*EJ;@_9Tpu31)U2nU~VC`|MSIgOY< z0W{3SAWi>5-rj)flh2JGKH1s2!(Qwz)pLT+&VgCSYQA!?-_O84B~Kn~t}PRqvN0Oe zzm=XBPUX-(IDGZUzCRl5rg8{+6NfbB;vx8`R=J=XldKdqvv^_v{(oH;oED;?eR#v` 
zMBEW}!x>`Kbm`^@S_A^iZhsD&vdQC2>+c2$MuWx>jatr5V6Q&j5&2)EWVw9VoXc#P{?;vgx35Lb z_xOivliTMF79_B|gAR)ug4n-ueO@xSNM|fsdeMXuly5Z3@&pVpY1*xm9@?`pI)(#Q zW63nl?8*ZGr2pR9nlyll6P_H96K+ zl9bQn+z6+@%{gaL=FX%a3c!*P{LkAkgl&3N=BVuahER>wmaXVs$_3j>(4}4DsaBBi z_A2sI&2O9u#{`oDcy|6R(tm*{PTc!GKnFJNHNqrL=53y-E#0~gn#XHprd=5=U1_~k zt4d!9fq~!XFRs?_X{fb`*BIU375LQ2Aibc*G$U@tUa0f6 z+we~SSn_{Qfm|RO-lc@u4~QP`r6N#-3p|J(DY4GHz!|X6(@MoNG>yguO#MCL^Izoi zNDM{JnYz;RU4-ugIpiUag=`hJ53iI5%LMB^V_lrQg6~n-0fU)q|0w0+cP6S%1!lWc*uCCU-C^es zXIkdp8+6md9B?>3S#ddC%QIYr!3ePG~kH4 zfIn%kkiWuC?rufYMb(O7HJ<6`y*8@OA=K4)?!|!T7~*N&QX(iB9a)SwOA0YW1QK2vl}y~Y@hhUhXBkyP_4jo3$~U*PQF_G;_=tQm@CTxHgTwL^G8 z{$SMSM>XSOu+aiq6R_5U7DcS;IQxob|76HAcTbC3>*Z+Hv0HwI{NRP7B6AVe#n0ZZ z!)USEmXmhDgQ^z|$OAzd?w?v3MWDa6h2p6-ep{pr6YANU+AQ%R+ zESG5nD`a6-Z5^PFCHSe&tXz@^l%J%ved9qwmYF8$ij+e^=ek_=3^}q+=FtCr^*2-mNqf`;kgqPdD$1g2H95Hd zaXL$7Q2J@!Zq&`b@M|#&nX3nuK>N22qqE_3Q$E5t?gXWtwDTN2glDWy02N3Kadil~ zxiX9(+#v4+N^DfbqnKf6S?|(Lq;msqu)w}Jo&ftUF51anE>&>S#MeNpf|09<>D;OC zUhIWmUk;j1D67L0gca?`yu-YRc8P&e(9fuSUiWK+SBq~YtP1zt^oSkkD!a+Iiz_61 zE+Xjwb((~UtK5M87k(SalS9OlxP6NUtHruQ47#VARJGdB3~d>OR*ybr2B21$g}EPu zAMX0mgQS7yjkiF&N^s?n~JbW>8WarN{$ zd^M4knWTCqCQAX`FHfX@B*sGfd5(qlkHd*78rJh~2;!)C?yeNqHV?H=x~1I)*B4+e z8D}{s#$cXhlRTIk_4Ncx30$KouQu@!MLnaeIz7%MyYCOAIMV)=yk@%oO!ya->^v5r zCz~IxR{)|TcY$pbO+A*ewYDrHY(u|w;nVvnxFTfaUKhWkP6njP4&fgq28xpY&Bir4 zQ>l{K&hlSACKVrHS zA;qPXv98y1QAh*O&@|2K#zuH~jo)KXX0rK+W{}qqa)Ip;O(STCM356Tpqk!Bue%2)t)v2MiIL{!^a8P65>Y&|xW1L}N8f!M-#ER>V^)X8jlS zGypA4dbcpae(3)mKSdq4)1{Kvu*-PoacGI;7RY8-cEXe|M{ zwBo~2T&J1BhO;|Ije>|Wc>fuBeppFrUkb@UP@3xmdIXGCi_3)fja7Z|SP(bTtcGeM z02b-F2$2UBgQ^4&kbnafw1{GrH(>~A&`d*?FH^z!IDBwq-3<-*LV37T=?y3HZ z(=JENPr!t_=YD-b`$~mpoH5Z8l%BQw9sWvOYm&D|PqO?)uY7%OGfSVm5O7&D0apqr zpRZN*HO*UhVZY|y(+gkh&o-6e2~XzX7CQE`xyQf;R` z@O_x+QVz;EmIAKKXv3!*YyTXW7%6`!O?(#-ST{3=Q6`)PiXX35eOlpb%dIw^^s`S{ z%huvC;KO=7M)O@7?2=-CIomSa>yB&hi=@#^%rwI_(Sb z4)vGqGcWBcMUkW~4JZXnt4D{!LWsy53jO5LwaaoA37%Cw0&&he&Lq|$EC&U(+t)gQ 
zA^k87s3|m7Oy5FSu1fQ@v?|2W8(N|ppC_6>0}y1E*8%S~XhY7F#KLM$J|uhr@y}67 zq=t~+hzy72%HZP;1|$o3)BG;`n14Ij`SCMx?x7vKz*oxI+71wYjC!0kS%9JE8^=FG zNwdsGb+qmSR?kYnMoy!?KS{bl_XEo!@6!y`y4aBV#vsetXhtMW5(~)pM21?$%Hh`^ z{)bk~N;y zL6{8hv7|hYUO&IafbfrXz?|fRvmuJ(geC5?{SPKp=5@|-*o0f8^&qCT(yrscf-gy~ z&{YHRD-VQH4sfAqI8wfM%5iwfC?>D-Qe^`osV>bv8TmC0Hj#?agYJKc_}^M$+Ddji z^7n6#Gkb3Z1^3ylsVjZBgA%E-?tDTU^t^;Gmf^_sbZ^Uy0Cx6MGJQrw(q5V_KMuw_ z-0Iz;t*D@?UnJMcP){`Xo~4*}hN@=QwD{#pBnWy6Mq<>2nmVLXVGizn&GgvRi1Xlf zP~38Tn&?C4V4Et4t4qdEcdZ0RFo?_&hpU@IRj2+ly!2N;i`)i^nF-VRpj6*xOt`I4 zxj41jFZr^1=aa))aRJ4n+4|Y{b1g(a0Z{lOI!n8Tw9aaKfK{aPXx2kJ z3Dbj8Je4t7jm2T9}`^KY^^1n^otkiiAIM~F0XMKSY351+^w2LDsUhp-=Fk|XA|j61RMibpJr z8KSzQf`~!P3is!?t%MvUPb>P8i`4?no-1k+xGLAPC;Ved?llLQxff?eo+srhza}UB zYV%fWGHT`<`!Nbsu8+!Pcm@}2n#u3%Vao4RbejQ@?F$rEf-U}7b`)3Mz@vNvi^(6& zxN!t6+PNJl9QKuEY>h15xese@oozov`f~aC;#?f>=_g{ha!3dH`IMa;SE7TXT!yF7 zrm0G#MjB|4G9sjsMl_xD7F9-^b6j2$a=4wC06t|HTb-K+>FQXf_?ukDxsSCX(Vtp% zjQL6TT?5cVCfqCLBbSybn)3m!htaFmcLiS;t}5U8{0v(tGVp_1bCd89GOJbgZv2Jh zr;~`pmY5Og4PAWU$ei44khwZA2>r7;QhSTd&H4y1vG6;aNHC7ujSP4M=w84tWS1}w ztH$7}k=_^U_J9n6thWDIu7?dIp0?kLA%AfWTRplKoN>b1M*8_^K5BZ7^-I?Oi8W3M ze|W1qaI56#wxqeLz4eOdu!CG8`|_?KrL8z`{&Tk9;lS6~+dv=Qx7CZiS$bf^czmaA zEkaQY%<;#eb+2(hck#=XW$V$~*j`7a6DKB0D8+?t-~pI~fCc|ChLS$UmoR=GVusay&PKvM^SBN4O zFM#HHpK|%@5A0%qJGucMhw463gmt4J`A#k}jeFy#w|?)g>i&FZJF%CkGVUBFwc%iD zO>n(N2ryf{j1KUkEz(E3WAf&)Xq`WVK2=@?N6r*2Wb_D?T@yBVNWhcnTy-FpM zVd4+e99f9pjL>0;D8gfdRngrI&%u9t`fZ85G=Bki;{#dc-+{5u`+sSPiNB&m0r6nwBokoHJ*(kZ+d@oZ7bKAuo#3U!Zr5FCL>A?MF zf*}s#na6~Zgy_hPTc)M3jNlZ08+%2N`cW4yG)s(1&y#T(%sL)ymyg}hwa*J)8S&X!t~g8@)?IQ^?ho$k`FDz}6^Fn3kn46a zg;9mBX{miQX-&>L(dk2Cdy>bpm-~n8R~|x`U~-^isn3%=BK@}p(tHm=pO0OcL}Vf# z9PY9s#5C&1uK=8YG#1?t)IrmzK7av~Kb4X&b=yh9fLKri3y4L^?bO-)B^Mw2E+0Lj zJ4W)Nre4Ts)M{B{2YXqgU--(~VCts(8!5q3;8D2n*-kzscr5ebk>20KuzT(*d(Hn5 zB>k&)DI~^eZhwA_z(S%&Jh)$V&PJ?xLVZ%vZnI!8qI<)Rclz^=)l>JHHYvXW-c#lL zZ>{9J$l)7bN{Z+Q&~&Z-TQ@c29!fGdlXoiPKha>ss6uG!e2^|Dy{aSsaP1~6d 
z-yp43F)!{i4l4qOh4gf=j#M-$u{7u{0c*|B*`@NsYWkG>BZyreXV0%~rS?MHPsDV; z48h2Q=%g*xi0-OFv}tp2&{1P*DMgT+*px>F1RZ?!cw4`$yq_Q4^rvQ3E8y$6ez!+j zEj>YaE{lQgP(gy*xu7-YXpUYd8t|bZTleq6m2)|YG*??OU37XM0Jcr6XH26QEurLQ zlX%_3f;!UG5udP8P5GjVJp8+Et=2*>i|whusWkYx{le|vUCr!-B%iX1r(BNybY?xY ziqD-gxTYYs!>+j}d1ahl&D6T(BcgJN3 z0kGn|&LY4YK2B#qPdu;wCyjJrOCKhv$EZK6JZnWZ%7crxI=rNo#h4^90sh?hMRUi- z5eV`0?*zgLE^W-hXm+EgoaK*hfA)8ufmg;gtF*JhYZus~U^D-vOYTIlbf+p|M0I%W z?{x{Ew*CFSOrjz4uwuQt;!T!c*8caQ=GpiM0u(_73dPB!Pefh?1rj6mBu2Vf1x)FIeYT<_Q_u z_9PR58wkVQi#&Ej|Gc0vaBv58y|HJiX4?4rL*SEc8a**Cm$C=7xUp0Z1=tDZzfRAh zrGT!n4%9%od2z|+D$~JewOEiCI$p{k@E0AeZpNqVGZ#KkP$2?`!7WiT*Xx{fyo4L% zGqO5fD78LO9vQUwnfrBkEq_q*fvO<6cm%Oq`W*jk?T<8moB05gO z6>R=F^aM;=fN2l7X@#!?Yb)aorwf7rH`)G}Bh2&SRKWczK$&8c>a-W)Frh`GOai}Y zKaH6Gq??X66C0qwb1L|6<3T-8`;d)KK{gHtUv!Tz7Fbaz=v$e*p!JFPGPW`oam|gw zXMW!z2DH{ZM|( zoVPaRb71D+?xcx7tqD9&8@FxdMv0Xh?(-6soJK6BpOvbGpuo&>mXr~x zTEc?;5l(@*uECs7P+9+l&mtEQORTPpWEH*=^c+dvFpnwE24uAB^1*M~7xhqT$+eZj z(`r^|n`q;+cy-|};Um)dLMQ3JZ@hS&t#AIpV$RSNk0?fFX@rLZow>+}ChQ5mzKb)~ zYIn@g8sL(-+V{L{j9E!@q+7$Mb{EW~ zXn`VYTqn2q#6z?B=YCx}J?}*?;saH?9K>NT`myh3;yOlrw3K77*?IV2(Kb@tfyzxT zP7@|LpULl%yA>W6JfLJ)Ub#T<#;L}IMX%)@HP}-3S`p56oTg?|D)9zBxr6WwbS2&m z>pj)=Mft_aK_-E%;l5)tWH3U-ep5rkzz&aI6vV%6JxJ6|=p3_fW(QJF{o(N8iwR7)6X z`87v_Hv6qJ(QwQ*!SHQVzI21J7s)Vv5^GXw&YjxGw>|~4GA%CZx5GFh^5(``YGa=g z$21)xEnEL@cqq>By%_BsMb069Gge{@3V%Q)i8UoU_ndk8yCx`V9Siuv zjSGp!$Dr!kB+R={{J@>g1dp|XcM`IcB;Sn^xk+k{F8{PR8XyW#~B{-sR&H1 zI#7xXPkR3F?Fe337T_#HA;`Xh>x?2Z%KD_R7O5=dIB|3FQ^Mcp2m@|uCRtpmt)|S^ zWF~nT^Xmb^*sm7<_oCBZv3e{y0u955+v(oO-aQuX|gI23h~Si*5YiJ3TdM%6pw6{2e!+t-8*y z8S$Wgu#cIfI=QxEd~C(g6iuT?q*>)I)bR|%gISkp7(?knj~TqKirv@Q z60f<^we^0}`{{8q>bE}Fhg#s>+kItXSB=^R1zTZnEJQF4xP|@9Q7)Li(0A|nF>al!h``wOamYxLkZ1%bc*_~yAhbjVhG7~=<_3Lr40 z9P%XD7l?oPVcY=E6m+-~`pd;Qq*_t3uc#zNu`ls9yxq>K! 
zz$kgp4R5DUDYag2k;!n=Amdl)E25A1DEBq(1&S`L2TEg_2+EJ0cW~QB0eA0Bji+k6 z9r}Ryg9TVC#!VKY2emSbX!^|K1w}O!R(fs@86l+MVuxd$DoH>*oGTEvz#J z;P9)frkNI_FP>*_k_+k#bnN!twu29MXQj&A4jtRxEm_3Y0-vVGoi5ttif(CI2HA|V z=yNY`q=hWVDHI*Ut;TZUxDIs5Ek>#;qu zx_J!gh2%Ma44sJ^T-~7je@tCtbe>JLZDZSw(HM>Gq_J(=wr$(CZ8lCC+jbf|_x;*? z+q+hNWF?E)gEZS^fx~l!0+!V+K^(qNeP2oCffL2d7@CPoVy#$z1 zT=S2a<-V!vyw>TwaLJC^n4bDGPiuaHpAf>WlIACaEgb5{FQ*ijk`xC}YNZQIydiXr-xMRxqKe z6MYhU`rl5;&`%@yKnOL5sEAw4eGh49O9G!9-P_jsA%$40flo0l8V!3|VO`McLzzWp zK~9MRyAl+!+vUe={MI%Wp#<&(quSoC+& zym;2L1jCGz#Ml+q6EUAVExzD+zZ)=*-@n~So`n0_*ck!#v;4Wr+h(Z)Zolc4e=m!J&tyi~Ksxt*heWAmOBr$WNvFnP+@ z3_706loFqSZwG_ON%ua_}(`~K1DLo@BE+bBur z8RZnB;QTquGCsiA=2CcU79n}&_8}*V>87X0niXXjI5HlypvUqNw9m4#)jJvXBn?DR z#4@_P=ijfTfwl1*2i<@D*J;CUgfFJuC|8R-6x^TgBp;pGeCbBvQwamnD{^EKNEHRCr#N=d2NiM3&Ng-irhfF|HMnGnoB z@flm08*qer>8&gWnS8SxzZF#K8Zf51i~t3hdU)?M1ryfSm5ivj^;t{5uR3PI5@OCQ z4I_p?h}#)e1(D&>scl)l?(N)+&Tic%iP5IpTYMxBI}zC>)D_E{mkAdpkehZhjDsoLeSft)XqFMh0Jq zx^}d|@``XA-<3M?lrX2Gx3+*3)*qqoL()=n(;9tczfnOMjeyMUliPXHO+ZynUrI3cT#!fUZsznehSbfCw9wrq}JBTT!rR#DV+qzdbUw>z^X-Ajz(wR@Wg0 zwWfjE&qM55&thtIlb;&G8N=Duh2+;?1>OmC$lMkQZSM<_RBl*l3p+k+)e^Jfu-n)m z9YD@Ogp5U8Mh~l_t_Qc}978g{b=?v@foi50KTdW~{?2#cMBY?!PqsgUT%HUzUb>Ht z^PQE-c9O~~f%F**#R=zyaH*m$?9CVHmFL@TpeFta(&dA9luMIn6ykUiow^A@pGAEg zoiMLgT7h-(jvZ=lUq2&S!(OIcyH_tm9^H|eT3MYlD4xh9=-wI*D`bvWpSUeM*f`l0 zySTiC?`9sj!UCq?iK7j3YM68&{he^P6is+9I_?Gwn!jq}f|$4S!f`0{%ULS5Wq!3= z>aQ~B4`{arDq_h|z9W(s$U`M=nl?tCQ`S>AeHH)kT;d1g%Tm(CcoE91Bi`~85(WJv ztX5k_Ghc#F6-QVHjKM9H_19Gt9ma?$exKMQR|LkS$DWoiTcbS}?9g8SLPCMnPSZwNt9yB9tImCvPMr}t%hgoMM}*<+Rqkwuu)7;UGOyvGbuOWj_q&JpX*0g2 zqlW93Cfd6PcIz$V9z85lt_QU$wtGxxkGP7`AmUgbyBrY+?X}qHIx|47o3?vM|0~x` z@Zmyl20PJt-skn$)`HPq+el}7CQ#;=NTVwrob>KjO~;37_TB!kbQ!BE0vjv`hZ1sx(urnOste4-D_^wE|6~}x z44M|kk@_A`{#Ga6x}4BRR?|KSG;2stHqcN-P?s>q z6bMf9pWt9Hc$42Jev$wL2aKI7UWWY%X1DynK@Gni0^Iyon)&l8%zkF0wshDjhvC*7 z`rfgLKR-{DkNCkH-kDa#3(x4g1f|CJMajpPv^yutaXqC~+6iNXTda~FW->uty@l~)tk%J{=oUORZ!#+^! 
z`0PL=c<(+8ij{DCxzQF93-!aszOW?QWJ-Zd!oE@OOm6K+&eHnEr#3nu<4oiQGn##y z$~k$Zol$XV`8vm7!mr6Ari$58pqDG%hhHHAb=RENFuEm!Z&;#4~}D%B`y8L+PGDcOkDaI<`s#hMZ7Ia&f z(F2oM8~Sn^(bDKPc+*cO77o(f=l~BtGB3_u=oix~D$JZ3gP#Py52DuH)9938pd6gf zBxVigU3m)1w}FEK#^_tnX~iM6=U$;ovOoLy zImJ77GJ)0z*vCwCVafbl)vN$hMPMb4VFnQo*cz_t98|JmFHlt{aJPj^3vs|bVQ3yJ z1upoIW=Qw8WI#imKQueX@NCN_|L}zg7dzC$sbLYJ6TC1{QhKqVsTsayHi%pmP@$A^ zAy=<8I1udZS^%_?r1Y1=ujZ{3zxUC4%(PclujB`z9SZ#+Z}TSo{{0Y1nd-U_0{MEZEN|?CGP>e9Yx-8mZ1-@5?3-LG^o;9NJ0Q5Si zp^zFFx1C*(xQVPur~oClntATGz-M5{N*;B7^OIh|+$jv-B!0>BE($f|75Z2Y*tnl^ z+t8Zls*t5iR+(a1NzN$b%JKOF;4w;~C}{HI^Tl8BvYNG>vPb$K-YHM!G`%$7m$Bnm z8r`&lrnN$IMyByW;{ihxlxW-tv3XJu5!13T#R9q-snBpH`1z6qP0YB6_{4bfVHZ+Q z7-se4#@J2>OjwO!Oj(OVI%5nGL*rQqbSKxFI133z>c~R;atds#Hc4-63#p)}ZA}6N z%&8f-GkoP1vMUpq?sWFB#S1G+GokW0$vpxd=0R0~8cXK0$!vaFbA@&+t^u#$8qi5+ z-<^+K{2+(FD4Yd_gsA)(FGT8`{^%F;Vw^t2Z8#s_GI;DbRF$*CxF3Wz#MNTcA+R6A zjkB>Nlo+aRFrk=^$or!eOrxLlAy@{l3YPiJf%Q%`+<$tS3dKO&Gic$%@l@V%j6ILR zB)*dZ5{Y(1WHcuW`i3mmR~-RuI;CCBH~pzK>&V8E{_hS5+I*RpvnwT;?{tXS#VzYf z*Nsbz-xBPzgcz-T9yU%YG!qkwI#+aS{p`TqQ)A)e1UR=p7Za6A$E;qErYbc{JC2|y z?+a%U=y6#wuLpU5Mt(1>U!zYnkEi8t4irJ7N$&U_o1PL$|9Fv$!0(;MHk#>r?4e&w zm7Oo++A5)h_@YU|Q8Ju1rl1-Nb*OE*1H1C0S7S{{Ctu zNp}&*7pjEe;!&Qjt4892?lXmI&EK>%%+J3xEZ|1+(?W6~74q@+QNTkQ^6|aaiS_k_ z=M(ZOS+^`;{nbbqm%QfZQwwV8Zgg1Hg$pZl7o^_L@iy@0xtGor@|Y#!p%aSV(5{@u%-TLYpBm6CI`QCPd`7a)}BYlllvn!VYc-Vs#pJ*!8L|?eev=V}4h=qj5 z(2+o%oG3oMM_FS+VlH)@wMm>SrGF_CLvNd-Mb8KDl~rB(FMRC9z^%oJat7aky-GKE z1imAWrg{<6uXLQFOBUx6Vh4y1OHLsl;+sRV{Z=$=C8sLL^T)e(mYevCQmueGFCpHw z0NWem!0*>(e&^Z;q-@TQltC@9EgE0`N;Tz!x9WT<$s8cnwC+NU)wv7LU0%?^m*?-< z?xEFt;Dx4%++Pl$}Fb`*ORvb4Rru3_*1@N?kTxz>@Idej@rA zR|b)SAnt7QB7GMwJYIFz$7xgVO|@Q$!%%hy?83W`G5WIhb?2H z#WuCZItEg?>(Z_2G;Rj=Y3*_*YTmP^FN;+n85sOV{u+%OE4A=AQJrz@=7#sG_xM+-rmX3zYvyA?08u3#T_Sbwr)vZB=OBR3BLj+1duv) zMVw|!T0>p1tDa{6)_r5y)urC=3>u^wpj<&&a9rW>F(jamVyY7Sw09zDPc*jm6fkd8 zP{0yW{^dFUltVk5!q0aL)CPcZXjd!Ckvw;E;yO09$sUUBnvKt#l?Tg&PQ5`ZnJ{ZM 
z>{z~bigD0yX%YAyA_GOE&di0IAy;8I_M5yECctcx_JX$Ri`X-d@+_jIiCyg4hEK`4d4GW+{$*Ikf0Aa0oUN9+kHDT#p@&DOb@K3WBRsZ67b6c(02z;Xwc>Bv20=+4^Xe(`3PUWiQ!SY$$ET(RCGF| zHZ8F_!h2CHgU=J|_`0$=hv*s;A%EBVXqaOJST81Ey-$O36DDS);ScP277xcYvP2L&UqU%!kwUmQTr1dAL?0UF_;7UhA|L6~pS5B^Lkf3hg#HqDy;9&~Jv#L^ zlapSP(xe$7`F7FLiz@D>Vevjm5zKIkb?SIR$C2o&1oNxyu}F)SK-bpgta!LmA87J1z z*vjN!V2OHigQmmReg?9lqDS8&_I$GulM1|2>t`Z03~GJKQU1ajQV2#Ntk)tj4{)c1 zRLW2y7rCqk-yd>hnko9nK1zY+FOQR?s|)SzZ@M_*=19vA>z}Q^yzB7`H}GV9VWZS$ zUjz^C?$!Lfy&oCkjx&BSF$-wwGovdL)}F+lg|GnU|7E+C&#gukd@{h2U4_WrD->Kb zZA65=}( zHsrnQmHbTOAec)6S7~EX8Tb{39)TUKJ}{~XHv&eF+<~zXm_*)q%QF#i0)!J=}{A^E6pyxOwhwNvL!GlmUPb{cOUX1Gt}N*282=v z#ky5pPpR5vH34QORrBv2!@)EdN?gHhsNm5aj2;oiFzbXcPIJ6aOaroPeNHVgv$yg) z7RJI8z_$()9>M;Hy#beNs1l6L3N;N=30$z%Ka z`QnRQb{t&<#mg=2UZMRgj1%*7=CszEqnIejEu`8FpBZ5xX(kG5vevv-v%{Ae0@9Qr zsj?^=m?}&rF0Ksy3e^1H+H*gJhcx&6#@rVM36@Jz+kBiBWeZR(jn5LqgZ5oT= zSPQ-{@(I^LPhd%TIuXgE^zvU+ZUO70WJErJD@A#>Zl!~9;?;gzU3hpEkDFF=V!Z%U zeQSqMQR~%{BDrW`b(O$h^pW_!BlY#+la(Bim6Cyh{66?Cc3?R@!0kIEGgtijhs96~ zHoMyL?P0jNNk*f2jlgE2sAlo1Ev4+uiHG9t;TkfE?!qh|41&gzH4NmU!c{i@9C!!! 
z8`f#UpPB1#7hb(ux2LIO@sQ_MN!3(4L2DPwVgYaCiAfhAic;PG0h_(9PDN<%5m}px zLE~*zJ+EdS5@ie^eFD9WK~OW8VSMH(PqN2~rhFRJP$D8v38{hPLids%~y_@|h{YSVPU6tjGzP?S+?~^r~l{!Yd=Zezk(La5g|P!i!#E zImyauBOC6^v6F&Yv?czUFO~?#3BwWZO+Tpi; zXnu^A=a=fsP3fYCOQ!6A(uhW%^o}QoN@6WwT`&mJHZioC4H@^29V-^XVLjVM5LCth z$FnH#+ST6Ahz~W?I_E!8JAKy3{nz!HJWC!Xn#zSJ+IQ+5seu)P;YFu-cC)PpcmRpV za#Ad{G1}=~fd3=PU8WEFL?$A@tuInx}EGAK71h$VZU&e9NT~^ zkf%5GKMI7I;<562I&bi#`zBEfxf&emeAfd4d;2Pn*OPkyJ!|BBG^3EwQWAI`yvZ|0 zy&C`IjX%>y`)mnrn>%}dp6&(ySWWTc)N?|)GNTH26Dau?ho8}j%J*L?-x+%}39}Rj zs$3sJR+03cC!&9B0vE!Xe@ertSLpiihZ&Q}*;Sit z50WFyeOravJR$Z#z!SN31yFH&;U=|?l{+~)+{)RZ3{!iWBR`SWylOut&wsC}}nn5n5xA+A}~YB?>V>4B^*D96O)ov!5?k5x<$v`u;^ z^Xi;cfsE^$sg2$M?JhX;>|wp1BI3|5=9%Z)k+W%R0=s|_Jdw=F!2YJ=-x zbjc?f8`Voj{HuQ@k2YAhz(&XSjHFr0q}z$JL#n@TlL+&SSjxvJl~KG?Eg?qEpq1?LR%=4_)TEy zghJfcTd3$6M+k|M4{#?!zwo*hQBjDZUAMN2Fz`^?O-YIwT>LQnf2xKayl&X0iE3u4 zUv;cuPB3l7lp63Buec7ECi|vp6voL=+wx*(CZFe0wzs+u9~LakB6(Vn$7D}MV%Q&V zq=rYJ^wEJ`>d9gJ9`qp|VlSXIu%^+74Y5L zN<(+Rcex5mzvFco*$J&x?V_(Zf_8^(6xohwnZ%qKQbqU0B@v72FA3g2#gTj_QH(jP z`l28dw5JDWJA(TUU&p=%v>DXP3;=u;QQx^0IhDOCRo0(}dcvI!_BRVUVv^-{pnii~ zhs@dtu$9a(4LFooQbP^?Pq(fvzc4A-uovoh5y#WLW2P=~?Zgt8t^ z`F5*Et$DR#)b&6lYH%(!B%U4?|b$dO!9(R}yvIxFpRwPXpzh_&!bVD1DS)~iC zn;K&7K~=22G)uV}^ibaAI;xN|Vc=cy8RvrpnhofYyz|fyvDk-6!segA&E+Ir*R*x8 zZU;vKxpc`;A2e+^3GLFh^-Vca3PNb2F%*I#L_Q|M5C?@HNWgz!hpLVp{QO1bCUO{z zf#O&_Ad{Mu>#zn=KNf_z6iqOpBrVgTVhzL9iNkXx7d;c>B6<{0H_0ETs3=AzK3V{i zTOg4~N~Tc}{Fg05nBgx#8;9RTaAlB?iT7reu741eEQ17&p-KWi$EP}mI{gcvwoeVW z?Sw#&OZxDYBf=SJuPKNLWj!$3G3Q{NM0@HA#*nL}iEwu8{_$T4)M?%-jEN*lEO*xL zr~q}AL?Lnhg9Gsm$R1PrurY&yp zZT~)5ctE_I4pkIc-ZL@?LisHBuP62Lh3r0WIgCpm-uQeRytMQp30UZHSi^Yc??Z^?83kXr&3S<0t zNzj0W)EL!cjR2QKRfS?k;{17Q@qG!yX(7QW@Ff=>ND(<e|^;b zF7NzuaKNFr825mxEiqwcaLplBJHOt{z^V__qG*-fIA8&Z`L`m$%8mX)KtmG_vr|Vn zLLPn{me4RNk}`lh5=Qn_@t`<0*@#A4?<5idJ^9~eiLgV)@|Jh#0h^8dDW_p%2EM>> ze9NhJuLj_xaoX^)5cK^wgc7-G53}LsgQLkt_i-E?x5`#SpV9X++ zr_#~4+bV{0#`Fkw;j-}J{e%dzx35$7Tr=W3^0X3?O%w4kX^1qE1OH+w!aQdz%;>ZZ 
zfGH*#am}RC%!<{gWUepRP;a-6j!^kQrLYESX8Cyx-CQrx`kl!y7|=`veP*!l%aE+| z2KPp`o;OZ4rZbm!A<%tp@Nf)EPC38m9moSU-wHg`c5p869R$JjoS``mPc^COPe((O zoa=nW^!2tDSvs~q196pzjC_=&u5F8Dx+QvBa$>tcWk{~b>*CrVs$qI9?xXPZF{1}~ z4o{SmqVqyPBxk33&Det&Q1b}*(n&;pe-`hAmFC08t4D(>nMGbF%qgz zRQ-WFsTNpBKQ<@DLcNJSi2V@TC%Srt!0!cmkTHurw=YJve@k?bmNcdE8lF7Kl4@@4E=-A?T_cT#VOtCGcL z(|w!&=mIUZz!oR{7@Yh2_XYMpsGUJ9@_Q)^c5pC2NNm;GcXgGE#i!1-Qv?yeBL1p7 z0!5qeib-dH2ZNsY54G%AA)|TAdGzw|;;LT4*-4k{_Fy@r!~z@(LN2v<9$UOD+0x%q zdB*w_VVnEiM9}>qBs-tBu;^!PCR3vugJ6F9#0NKJSasaZtfp-H^fPDH$4&3;F634G zc2G$qgcwOM0*2qU7bqAAHQ3QG3-o0^C>%Y9HK1b`v{HQBV-e9n*DlGRLPlp+8E9|> z{+`1%wwm!-I3Z`Ms3glL3JeB_ z8r4M&r`-M*WliPABiPcxX~?=FP6x z4efap+S%s2?$9Oz0?k|h#~b8zA#YsVHVWJr@V8CYAxmoHuf5rXyQj9^Voh`^$-`y! zd2$;yL?t$C!})u3UBs>1Z~GI`;oOyDfy2|6N3B50LaABElc)=6WDbmg2##G~ZlfXS zN$hzy*-&SjJPv6J(vTxTHi%!p$S`5H0UNBKg9_F+JiY$g3?Ir`nZM~K(g9!+B~JBF z!;{_~$SDk;BxH$m?%}n94_ga36#Bu-Ko_}-*x61Qx~Oy4n%1oj-Q=|l_>N>Z!A{=1{yToYpcI>Gz*J*5`;*o> zi}0z>g-d`%4pi;N+B~)SxF?J$++sVOv>b`hk7VG)F=ZgF0a%_K#t?cuXu?q2ZS=pg z{r2E{MVUqY3XmALd8dUar>e}Y;`Vz)=j6U95yi>Vo4e#u;G|A$QdCGerv zwIC%Uoo3mO_r3FVmtZ8M8pX+^-Y%?lo|A_;Jq>lEHe{-KRSRk=0r3CG@ceFH9R_;R zAegRdZ(rDfmrx)6R=owLVSq3r5#MpE@6?*l{xj#nHyWyccr{`{NE)mUGz8$)$e5g( zp;27{_yc2MI_)_IU7Di&_5F#q(x>f5pKn#LBNEnd0)%$r%>xe01oq^@Q(e~7Y()o1 z^*b)-W0#_jO+PtHueBnR|Dcr_lo?WsPuUD$c%~vHGUYId5;9#&QU0>7-Z@9_MJ;Pl-C)h*W zAy8zqo_V98RTUj-X`o>iJ=HsCuT74@m(oX?p&(X`b1e|7$Im0#m+$s+rv6dr_%{*| z00cJE=F-$KIp-e=L^bGGxxJ38u$54Fq|ifW8WE{8;GWaAqwISv0~rh z&q2>FO7uF>&rQ-IOsOhQTcjb~8Lpmxqqz--<>$e>U)NcrMr*esfQC40N38v|;ELcj z`y)8j$HPDBp zzvXPbX|fg`MR3@%b%))&k4aw!4wi~mUY44#qch++FE4(@%B(G|t~BYrcuMF{h6Q7S z8+3Y)#$tR=|6c5OB3A6~Mh~TG7P>~YQC_t{XyG$E&tnLwnfJd23kl?sNq83Z2X?=einYFx-E+SNk6~!Q>*w(qQvgung4|VKD|WJXE)x zKGiv$0dz{Osws-97^m{EKU&OS|Bv2bt;*BORFc#ynit{1Xk9aarw_BlB)}e>j zTcpCl7;V1FN@c9WsZ!rG@)CyFa`TwVW%D9=FJ6s2UXPH{|590<=zpu#!kb(#yG5?k zReq|8e!eI+V7=x6jfXajWWARccpsA?azCbmo4jy2A{;aPhO=LIrD(q#wii@(4yuiX z(r`n98>nAv3=d0nVVJ@xIAV!67{`yhgE#hkb*uCaH2o`Ytu;yQ2hT`|nnd>krZGY7 
z!cp!nKnccaDhy#c$;Jd}{`fg-eh~U)P%9&DX$&7&atj&Dm4JMd^I@!HI7|dDGJT7X z?XN@AM*|$IL9b41e9}8WlSIfS-@fVQ|8A-5*E)K|vK@sx3y<*_{Zfg7SDGy}D=P`MHUoI6=E z(?^<82;HXNKfKJ6ePsNs^rNtRg8lJGVZ4gSO%1)hhd$q316h*&iP0OkoDaUT`X~Dmkg^)xPO@Nh262x7Dj4$ru|m(5l55# z?J$^=lptJ_e=GsXIc7>l8t|`w3ym4zeFH4?1F+E8fWqggxr;qI538m|dIQ~zVnH=n z?R9Y(?90z9+4v8EgR~hOU61%gndcMMEO^hALZ%-qr_!Srn|*-StRJ@^;G&MDRGTFP zkjF?72RA(nuyF(AZAx>G`7-T!Dh7joTZY2KMXE}6R3ryl;DF1nwiNtc)ZkD)+apIs zB~g&xSAuY$I3ppxFup`ZuJf%hfxigg=KvnmrB}BFWUvG|lEMV!+iAZqvG0wA!}Gvd ztd^aO<@M07O%>vD@Y@>N@R~p)?pB;Nvph#atIV;kQyw`~=iD4TOj(03Ke%ibJF8Th zfZd_-VtsmgRB1Mfn}(&ZoH7E=?Iq-+8K7HZQ0;5n$Xc>>QR&}w{W|u&zb9H<$}W8f zxtXg~G@$jrq?c;`PVUooNTGh*rSrOIeH%&VGf%It7=j+mAUuSyHnl68S zHr;OyxX{b-T^X@5bp=1H2-Ntj)UdCl$&wzmiy^|8n-|XQ%I8N(BN_daQEpJ#`a8x+ zy+8g_BW#LYlX3l~6)cNA zqUYin6GNAU75Mu(xmEQRru=0I0p?(G;|5JAvjEyu?6Ts{kq35 zj2Ij;a+ILusfJQSpBQ~e8!P@<;zG8{J7_Z)m|%O8Gs{U&VY7}FLfGM1M=(IZ#ix9gDc2@&>a*QG#hn-I7&6~R^8 za`?~FFI^G){$yBI!O_<3un{!mX+{_%c`0h(W!B*+qxW zlfX3#-g*C-rzCwXB4xeiP5h$+j#Ueh?z^5*J|zgQ$}Ni7Zw1p{E;Q88T?1q{F|%QK zN&!EFMAkx3NyPIAuO01=jpu8Vlxz~op?+tDe>B9wDHI)BB$n0&+bd#b*}75}r>ta} zC1PLXDELARgQa7G>SRNqt%U$9HyuwYz3hfa-O4tTia6s}FmCH5^PN#&UtV6|L%S0| zaSrG9;2w6dZEP@o7d34ig|0QVI^7u&2Gf3}uc+vK{1&0oe;Y7aBWzZA`ui@En5U?9 zA1N3#=c>@kEY3n((>Wk@s>h|Y#gu!Sd_h!12 z>Cz9kSD1A<06omQFOmyh5Ufgg!gC|6^^MB0e77^&4{G3z63H!~>!hh5=6t!?OFdZ?h z(@Coi5bl5qN%gHgKvwEy3o;rCDJobY;M>zwP5sk-V2nSFi|X%E0lM!67*L(F;gd!E z6PtQ0n3*`QvNcu~)nxD}sCusb+_%oE6k>Fvyoka}EEDVq4(?7kc#KrC+1Bc7W0Lf5 zBraTN$#b(Q88+J`?;FOG(1c0A=83RuCus?Ph7?);d>!<_h*@*;g{|8bpdu_TcxGT`@4LX zEo;;IWMhaN|2S~;m}y_zi{;x^B8;`57{)$YI#H2nL+umo7bP#vh^sQht$7}6xQ~^E zeV$F+_q(uaA>B{U?X&eLG>MFFpAJ<<)u=*$hq{yc#F2_y=)N&QAe&|lHH<>V6?*aY z@?07aW!X{qE``@Q z&0kTx6cFzO?HDeMiOH6&u!S>>-Nz5lTDSPD@Q}h&XxZle7uDWaf`Bs)h>8`3E(%H6wrZQjyr5QP^S&F%1zJI*$}q%%^NIRZ zM7)K#>7t$H)5>dH{PP+l?C~D}@y<7ZDV7pD zJ0|LN4BJJ+DH+SaSy8lnt(*{v?netSUSL3xkg!-%aaMLs2d~t+oQBiC^;me}w*%I5 
z0a%aahMcpp*+Z?m>_Zt&BD?55f8m=T_0**hV}U|M2<#n)NH$en#lo!j(fp-Ulfmsz#4hIQh}Gmkgayo|Lq~Xo_2CW@C;fxGzhW-8 zqXxV{ZHPVi284Tx9MtuzK&yxt-)s)arqsUwsa+UNmo0v>PI$FkL`_Hu18=)SFD19E z2BXE*RRm?KZw|D&JWYNVcDyx0patVYOqA6^l(PQ}N!d*7irGr+#MMjzt@Mb|xxMo* zJH&4d{7a8ry#v549o~&gH5nUUtQ%27&5M%_RwcJHym(sc8d;nXlrg5Qv55 z%bx2{&PIEOJw?$gC41f9WO?SsI&d`FSc9@Qq*IL)QwvFc0sl~Dbv;5#dx`+@N;T%g z7E7 zRJxC)r_f%8$R`g~J!)t#0U)_hRv>nB3q2tDf8}RWqN==}~Pe*9? zfVH7w^`9V)r#@cxh}a<8{2C#3v^hvSNpLv6gYfQVidN(zzphH^2BFFMguq*?w`;8w zCMn4A*$Zbu4osT9Y-D^;FJj%cKh~V=33xjD1&XOUK&6Q()&tjPs}yR$`LjHo|5C*6 z7HAQKHMDF)d4PYN0*fMTt53UhzS4D8mx1u#G<9~~fs|y?=73c2+=_0_HY;p0n+i}S z$(k=h<7l?=t3MP#u73xAlpcJ9ii=onyO(Z227fie}-Y44MD=F9`rv_JZ?&!!r15!I!nIFrBVgcx8tPVhdFY8uhQ&Hj~fAd zy4{!oa(yrqNCqcZrlaL?Td_)pU;FfaJyK+xX9aRq#ieuF5y$fO{X{_Z>HBH1tQraVuQf7KUDPLHX%peRwaPxa;W)bCI}rc>Pttk;ByIT*Nn<|) zkTiw}*)bKFRHFl@**%$%u+{2%eTz-Y1E_U}L(zHooD4KXH1~x;F9s>8oNP2l_7bv1 z1~GDbvtkWwo2Hx_dCubmIkJxJb8^d?G77hFgsb2Y%c$1AE09Usz{Z?EWLV=@+A+8E zQzb5|Y|MqS_q38^P`L<$e^>%oEZOY$94S1=^(7+JPpW;UsQkq2*b1kvK+3WI?pGE@ ziAeo2g`7Nmk$)*5o;ZaZpyy$Pqo3H>VxIUwXdv~AE3F9FRTs8C#XG0?&)(T=n>ROFS4}s@#4*_8;=2VzpT>J|1E{6jV9o{sR>bhB$*! zf9=G)2aa{P4@r|r?{8d`+kP|S_+zeja@;zEE zt`J3O=VjzY)|dp#RbB_PWJ>twHkk?{r{=(>H`+>j_X=@>Cbq&(AfEIWe!o%SQrfol zc=ASq+W=^7$?j1$x4MO{KOR7qR(*(TvS_2U`%w2Mj@1IcIpLiKtgor)Uood_AgzpI zw%R}`?W@Be4Q1NsZtUX@wD{$^-b)Et9(Irj7&QFC{{}*bE%19MjKpmuxl)G5<$TS} zSRASiQtZk%XH1-B>?N+H9oeS|I|zL5;2zmHgz&7JBrjhaXy6YUxnxak5@v5c-tOPW zKHxjPiqt_{7W16E?0Qa>YSKik|H7|=Cc+O63X#mXki?sJQN;Fe9@phUZ=JOC6u(J} zb{`sW^{C&6X)lpVuSb7_TsEB*RjAwGSIMp?U4g@V@P& zVFR~1d3na)1;0HD9*dRa*=4)0Pa?|y?G(Lf2}D&aMSn~Z#-_ONxx<~Iy3-~S7`MQ% zF^t5R%C?vyA`91t1lS(Mj#G-s$+GCnBK@RaET){Y!Ti@VwB6|o!>)j*rXK#gRpli! zx6)Iuo5Ww+XO4q^%nqLL=)97Q@#-4E4`y-62rSYv`I?p_#ymJ6#*#G9fwgWMbo#;SP%V2%FEBd(mo6jpFYcBfelA*ptvNUbMLvctwL(u^ny=LjM~ zhR4M*hH3x}^5rm#qzVm>hly+b^-Dq>;fSl3Ek?=#ey*chn3m*u6<%7~8PIbN^2X0~ zE4@5-3IknwVXaVxfKw`}2cMH#8`yGFg_cw`N|oQG%H~DYr8=Gy$Eb^SQ3R1mOjLr? 
zxIl{TB1d0IMu2z-Wl{u=HSWM7%vJw>GWN6ah3FX6N0xC9AZ!2S3Xs8O(9v(Vc6Ou{ zA^T!g?Ae1uBNsxlTKex8H}$~tCwF&(>714 zqcy~b*y9hG3~+Yy2a@;mN>MMj{sUH&b42BY@z+kmaC>gw0IJG^{8?_pZrxiTv=i$O za%jn%Vip7jS}0Xs$Rm1@qhf9gS^Ay!+F}ZjBNY+H3S9#1zkR9v8$N*tC;Ss!8LBxv zhu3a!ZcdT+(V8xxDj(F3$R`!`Y`Av05z6U4uh5-Zp3t{M*Dk{<>28$W>bK9gQbO;( z?v=`$Ibl90LEZV_t*Z}3Nl=fvrr#Wo`dlxrl%&y1ie_CF50CnkW<#U@tDkNAANJll zpsJ;795z6@6a+y)LILSIq?D9&m!yE?A*7_Gq`L$J6Q|Z7LacE_Bq@u zir)9V&-;7okME!5aql&=V%DsfJu^JTkj~JQdw(m-BWi;SE#SDrR!SG!DuxCxItC?5 z<2moxDCydix4?r7naFYmMWC73MYT4BOyF-oo*u8c^9@OgNwvXbWs>gNP!>nyXPrV;{@3fBTs=(nG zF}pyMJF=OF`Q#Xi|LoOu-HXrn>nt3KjpM!$JK9@S=Iq?|XddGGh;Jh#x0SJmlBAFK zaEpo$wv|SGCT>yIO2YZA+A!{Nf4gN)|9ab?yL-jq){?JIy>{7_GWHv{>xSV(I^)DE z98T8-XA-Z8m(Wjkb3RIud=gV7*Lv@kdNe{Bs#=_?i8=z`l)`+)}- z5knjva7NKsL-G&@wo#A3C9+pIep$+brQ|A79~yarhnPlHGSIK7b8$~VY}l_bJg3g! z<-R2xL=^2wX!-S}^+} zTcO%inNYohuEill+MGRU7k2u}FmjO2`#3`U1Rt#W3ettLX?wV6;MK4~gA&L_ zVWRQ{;X_hR_B*Fff+8uLf9~h@wuf9?{)p!j4{X=rv5%0`=dohU)S%x4X*KTw+w8OAaam;Z;b?(a-kH zU06(Yas$@&Ydv~KGQ#m}sqU{oL+02b-PfdSH%RXhQGO(er}W0eC1h^5Mdi(@Ngq2( zYweDe0s)~B~l5t91j^p79y z4eUWpGH8`=Nl0WOcJI*25)Dsirf!2y5x=l&zka=5$s&unOLm33_&qMVLk}yWjmKsnR43{JlblXpqJ%la|%==unB8i78bS5qN#CMFzg_|`zldDc9onO zatnHqLL2kyy_h?cfv6I%{h}RT?1rlvBbEZnnuA=@_(NHo9K=>DniunmkWx#GGhVTm zAE4tpNYK$_A&$Sopbp_=MW4D(@f;BMkO-iHUa!4J8#;<3|CVuP`~~6QQ!lftTDgy)Z~ay|S+Vy8mZW2iP4|~W z8fCtEhh4kN2I3!Ot@F?8BOrwxUD{;3Z%SA4g?~-%^C0>9;3YCFzd~U~SGDy(pO&NL zCAHRDywB+vqY4loC_G0&X>OoU*Gxm`dF?HqR5H}Qnd^-jYW;o35Uu0o$s&%2PtCth z-lV-Zy{@6cQg)C$Hh^LEf%9$cO(|7|gZ8cVPD?{K&xGW}d#|6cNJff_hnJEk#oiy)J|*dn{Kt`HQSW61(k(rqpj~37(~*l%ab(Th3W~@L#b?^Yw((}GsAWW z&}F^t`@|BQa1|>jL+Xv}1`DIuSjltQcfhIoQA03AAs430)i5>#5)_5bz{3WwT5I~` zrFlctlX_;v{tDqKU_j2<0m9(C-og!XCkZlrO&5u8(H88X_Eh#H3g?}Tnr*Qr z5TVNz$_sZ2dy%b{WxwVh5WaaDFxN?V62;_Re#}^(Cw_7Fa}u$E%y6624z@N)z*v2t z=OZMidNX22T!gQaz#bDcUug%Q5|1)-0{AyF^KaS3liJ8n#85IW=p6;E^GrWJQJZBP z!GBxUlq5)dvzo8Hhv|;t7m?x~L?46$ksFl^I&9XM0^1_ic}(9I+a{lRs0=0K;Q>X` 
z_RF^l)aIrciv{lLqb`;E-&P(!{p#G^x%B}hYvcjWO9pY2AnpkP!~AecwJyJGdTJpe z1B`->NCMn%ivw~W+@CGdr8ap_MRF{UFeKPf#hDFKhnim`C`MB-FR4T;6Oe7tFl3yqwLNADQ*aL$kxEAg~x(95qme1Wi&O`wv6Q?*l0ATRNP{st>vod`V%l1gnppOicRKJBH{;Z z$#J}r%zUACjo_2rI|>MfljH)i5cBfr`}T6#Yx8S0dQ2Comi8`R|tLsO3}jZ z<@A^Q4{3n?FuL5pmec`TV1r_>`ie=Bo@;BP;vKXqb|9p8XxRXN&Uaw^kxvKJAkmEw z6KbQ!#1k4(@a^A{z4F9nQeuLHy*KX1t5a=xv7u0}*{FmSexqrfW~1z*Rg+L(eBvu@ z#?8lodbX1j%8Ko?S0bVZEM-FVvrt&eh(2ZQW)7H491r2{$ za?{KQAHIK$zNMKS314OJie7ZGk041b&Dw_sFW$>HQf^C%M-+4JO!u@sI_mZaMa%iV z7tntO-COzCTrV0Zm1oozv!#~VVr+QXcF47*o~LtT9ovAexM)%v5;k)s6kV4%-MaJG zW%RL?U4*3^)l63B)cZW~mv3&P+_WsyQ|-4Tv40{cWZK< z46t9e_=co)M3xrm`X(658Nt=>Hpf+_s7`E8j4TJ?hDhGnYYHjTwTc7Fq{|5t_grK2 zNC#2k-gz_FxtJwlbH|Hd-7E4q!S{7rAWL*4DCH1*f$OG@D`!I-k~S8WW`Pqv40fw$t!hMzJbJ`Rq2VA!G41X1+*2Zt;C*{Oo_gA~L1|A`^)y#a?n$DwYwF5(l$D>S zrIF}dHk9M!5Z}#J77Exe^y9^fE3{fb_^xf{_a3%Q$@Ga#Te@uGl3U(cW1n?xZ>HVd zM!AKp41QN8@rZ#!HqD00cAj6WfDbLbFUjM$p{ly7s?N#b2#;A)(^8l4D_3*b0MRK^ zR>^VCzb0)xt^vQwEnBK~i#I6B$hmtY$*-GeLih&N<45Pbl zWh=PGQ;`ndKBE*!Fn{%MxEcYV6j&HV_2QF%e?J?7f)C=n@5}2vck1t^0I1vD|00C2xuo9}X)Z!R~G-?c;v&NqWn6c~WfvL+ACH;mva0 z=C|n3oJ3Z7Gp@_|(=xv)x!fHY)<7+-FO zwUR|OGm^@e7f+qN{s!`uC(m`uUpDr6wekX~WS%4MMm5zzrM~TDi6@l_#U>U-BAWA*(b z#d{33oavXj@v5o_?ikh2Pjwqcqu}UsqIVlJ?z=2neMUp7uV0psKikvU= zXVmmr{)52^1hbR!#Ye6Hw_U_Va1mF)x|%DKZ*HWoI$M4P)4f!i>)^Z!0r){tkrSCcINYpaP?F*-G9=x53iyY&7mvejleLeEz;%{tj%}*`hl4eXy>tGg zFU*H`uJex~TNO#@V&_zvTzB-Ji=a&9L#g5sG>*f66Wr$goIxi`v?>Y9stEPFG?QK) zYPVm|t1tu7V9}-D1-2r{A}Yu{%%sA4mHSZq5`+3wDNqW`mA;Gi<-*-!^tvIVO}Ao_XX0S_iz3>(7Y)}kOQvli zrJj})jPUCQTYp$;!^arvP=AKzEmaX{I(^B^5r`nbqMY`2(c<*gf^L2bE~=Z zcEByrq~&jqtsUedysd*OUNVg+W|dM@9vtnIE8*(vYvF&cDVegMeS)FIJ$Rc#>X;6O|fuFI#$NjQCp7_LS|j7fK>|;3 zd7+2(I?=_9MQq>Agiw{jgF>urN2!uw2rBjbkPZ=Ar zhRYjl3_Kz+Er2V^w#M z++ikV*a5deC)qVQ*rrpW>Qh%O3+WwIBBE?CcS3{4wde3}Agr$KratQp9=4%z4IR>| z*lC>lRs`6FnMbc zDt8h$zU~m|zEzpt(yUcdaMHoUurj|LQx+R?m#;4mt8%qb3&UEP8spaZQpg>Hw<*w^ zl4^bDOa6|5uJptNE1w4>3U4V6`=i<6Arh|8_2s&5$lR&2*=~PM_Mv)Bk+3(owwR$% 
zW#ClXR!Ld8&etccPI4#+lrL2BY>w6k8Cj{16F6~?_I1AKiUXI7Ow&$vn-mS|tyuKp zeYEKb;++aA)|J@1NOJ3fwT^sk9%$X>{W6G$*RHb^hxVAP*RRPIxk_rT8CA#H+_B8t zg&!@*YwgVB-km!jsGPL|cGgv_9$W+xXWmRV!YkSm3WPpyB!w6yyk32{Z(#Dw4Da4d03*)#Y~<(Md4(<4vr)=0>Es_tu5i2ae&)SKj@avXVj-pre}Lv+-@b#y{k zpIQqyk-zeu{dikW_M<}y%STODb0a@m>hJ8MP@v;RO`0R710FF*H|rI!VdlyW&i#+w z$^B^WFseO8{5}q@={;N_wAi^DyD32DXsuBsARQvpm&uj-Sz5#@nA^}p86`EHdPA_v znQRCd#8<-RFB;UIFbzvkw22Fqjok#+BsvKObD zQopWCG2gyvVE3RID^xMYKYzQ0{#(%d68_P>+wCz{4r|$#0v}fL$a0m^%Plx131?!M=p2(?p}a9fjEO}~ERD$9GOu-LcC??BQ(D@M=CUIZuPXOf?ot2%?dtGYJOW0!o@R_j*}PH3sS)=Jr}`>LYv? z$0r+0H5E;p6O8%pv+nCu+Z&dF75E*op{rjmF0?NWV(~M+b%5_g679sS{Mc<<@!}(M zX$%*{3#bWVZayBQP^#}%w)s#vV&yP2Ff(a7KkWW2jwj=fQ*O2{mkp!3&pXr1w zH!CsEE-@lF67apzF`x(B7htv-!z~3II1yH#q(Z{x0YzN*uSasmm|DG8BO)R~#-PU* zjO?(GcRT3xj+2SO+_as=?Lf2}_r1d86R%z6l)FXdb!lFE1qXHuf+*Qbs`+Jne3mn- zIv_^A(L5|93Ru`l0uw6;BmSTAa^w?`F zZc$+7sm+F}H5T&lXH?PN>E_mV8ufl~Yb?fD%+eQg74 z?3gs<`|qhbScFm=Zqs2jhdDCu+(x}O^4at3PL3wfWkKLhjxNBN(T%8~5(48!BN#q( z1=r(s`lo$Gw#_Rt*CzrPOSAiiXd+U_*xlbNOi2_`8nkVuWQoYy(Ol0rRrL5eEc#_< z)my>opv5N~O4PJGp+RsuRSw*x^$aT9Ib-hH$+YlgylpclRTX)DMLCVzi_(f$potRW z0bvZu+7xB5M7?M4#oFcRZ1L|l_2}TTvH|BqJiw-Mmmg-6OD|ssUxv=VJ~^yU%lWpn zIyl;}(_TBoFd7&?rc7#zvE_*MwP}Hh@V3ZMn@dmf;xZ}z2dc@2S$Qr-h1FZF!dn9y zVkg;)aTf;Z;w`X@E}6YO-5eOF`}|RnWP35=ifNZ`BPpbmW#>8Sbas~Df@=sX*%(WT(-u< zPE@`9!+|0cOC5YW8}oFFXOY4vW8%eOCIpxc&Z5kC(@!_`uQH7iIO*!r>j}e-_0l8p zDmGDnb#1!12d%1&;I@;y)=)5TWb7SzSQLvWzWVAQ+HXHPfAe{0&h?hC#}!>0%`dNz z(d2O6)_Wrnf$xHItLgSF4f6LCwUg7?XIm@Hce@432-;QXfr(_a3tYT0@J)L8mI#`& zuAI7>@HH1BXJkiCli;^51#?&OLLOK)PU{8H4Y3J*^rSF*O9s2Zh>m`!Z(rot#kGD! zJXnu$m+R;*0_19vsh9Sb>715VMXStdaYO1W_oJ?P=wG~gMP9V0uhS1%@fo!br+?Wt z@g$+}nJr9Q#(2c`&ttDgKdDjQM_zLI>%bN%Cd<9; zyB;@tO3Lzj2-fkdvKKEs-kg0(>qW8>;4(ZG78DZZ$q+gI-Xqelg(Gsgw_Lp? 
zX@M(Sx6*Q>qv5C23}31$t9a5XtA+|cj-AxT{rXI*iDSPjD9kF)(4b4>d7P?T z=rsko=L{%Eo;LDvqLjXecIq)AaXGOn!j%J8zl(_7BVcx;eLw>+D@pMf4N1kC0%`o@ zEbj;kk1sTOTSn>xnf$a1v7f2xs8`~lhIi}Ha^BuSw%eAzyjQS;WMPB23l75;O;5P# z;?}w#V%T;M(LWPG8PaK@`hHx(JCIpAbUKKIws=7QbW@nZ<9X&zx(@D7^OA!8#^_ci zx;-XE7_s>BXbk;9=nCz*cZ-=muuh5cy?omhkXDCwcvZ~pt!Dk*O(SL;hW@jN-NzDU zDk_>XbDYBPVxzanuKFs?6=+=Qs7s^qW{|$|2@!d^F?Opsl7!Z4zG8Pq$Iu)GxaDCfPujHFsVy61S%w7$1(w zskUhp5l#m58^=8A@7ur07|`jY@I|{f2K_~mq{~NAYMsd(+z{aaw9SVdI1F;Z=$Dl1 za&v^@4c_GR1bGX_M815E@?a{;QE$>wKDQu;VDggk_o*jjciF?#AS$*lYH@a6S%-=6 zUVoxxfl&gM*7(iEh8o*Wbx~$QHOUeAAgN6hJK32_(qq0Gvr8F7H;OK`b6zatwmH^) zUEx5%FB@HxDpQmt$ip+Hv@}!EtYa*>8dq6w?J4kpe{S{jx~2ntuKDWHeGUS$I+Hj8 z5tKSIuaDWD>ON0HcjlhP=HE2xh~^s=Yt`mz@&U41!<_49y@gdUUVAD@} z>rS+~uh0g3qi3KFLHC@>{6-KAdFjnO<3a?*(-4FW+=sLlaG%d#Ko?MAj9#Nih(R{l?Skrdc>Mu%9ts;YGoMHpd4nXwJO4 z7Nsb*?Iqvih82ygRTn<*i+&NimK@W8&nFj`zcm}OuKrnr^V%(u*;M6ze^hbYu`T+@ zI!}i|2egbUcC?BN_qZKOm#;QRkboZ+m1SxOuB0Dj7Ku~xOWe*-8AGZh|9Y|f$@@pn zS6Lbo?+RR)4kjt*^jgSK?rRFhE9HKn$Ur>DvBs*UQ}19*Tg|)P2*v`|!fb16gszk0 zeB_)Uo_+Tz!z(y{RW@9x@(w>k8uQn@{@a8h0*kA<;j`y%3Wwi zM$kJ#jzX?2T+Yq=aStSn$YN%M_%d5$dZ3Gl?CynN+R$tyjsf$%n}}NFW4yiT7a@jK ztLqki*OnUf_s}=K(enm3+NRCf9mKDPmr3z88LoHJ#l6nj+8EP+`_;RCA8YIRTC9Nl z{&ZnfN>Z1#w2ML48!8jccNWp%mG2*2?TNVNgd6<^1C1Z6m|Rl-iyzY9o3qcMLZrr1 z6seG-bZd(aFYziJMhVeC{#EImyaCpF6lWO@g+AXYTqrTANy| zGwUh;m+LaOhaPBPVLqs*x!50qdvW1$NPoj{p4|Z+xkFKAa@uTmxv@P}xJ)hmUL>`L z0iMZ+k|(}e;80=8|bynpz?Zk&oT{(Jbx5MWSXd*F{_iYr)kWZkIk*}C7Pb@n2SaHZM znDDZwZ&VeaVjy8$sij3oAPK1+GtpB zs?PdJYo*v6p5fOeNq*s{&n|zTInb7;*q^b9ny+b#ht6Vlc1;7GCS6SN;6X!gexROG z8`F&@y7nEK9Y5d?8U`3ZAT1Tipp6Jh6^*(LoQ1?Sq?Yo@?&g3cRLyIVtey6H+-T>AS!lN5_)o znXyc7QS*!s&CrgGm%IzT0%mIDUI7wcYAoJdzgymG;zZiP^w^x(n5Aysk9k_% z;|_G-ta;^y z95F<2vZin;@tWK^%*gw?>Zs%<=TSPadE$2CZLGNIAatLIX$2BEZ{2-`zH)8SpA0=! 
zXrQ-nhf0$#tAUT$(CZEg=4)RZ(jys7yV16;K4^{DN~!;|-M5QmH$$K9KHzZqHa$*1 z?ruH)+AG47NC4p^Vh3aXVXN%@Q3gvWQNSv7pwSU%@jcaY> z$9bjbx$Wbwxi%4GG%TVU_hpe(x-y?kf1r^6aLeO526FqM=k9IE7prgOappS>9`TwZ zoTWVjCk)Fg@iU-eT8tAs^=Ye*qd|TJQUWV0$Y}4`p2+B;7E;V6l~c1fmr^T6)w|Ww zNFaU@UEOkOsw+xxlA!F=7K03AbK7Mz5}_>iA50j>v(v{%Kyyv{m1OoKSIJM@*=k>Y zalJ(SDd~%7rj9YA$)IheZD65OimO~f%&};1u1R+ko1t_L^hpGM3M4l2H8LJp_6bEF zqj5~B8MkJ&h+6F{u1tJ;w^WmXQe%nuVyLnrS8JeLciRJP?|^cuDx5`pQ;ARP#0+EP zx!RdG`p}x|y4lP$*ltU!_hx6k{34P$KSRkVBr*~?io9i3Pq`eA8Eb)~QgDR2C_?iS zzw6{mn{Y0cA6R(r-@X%JFYPN?ft(Zj0%7ZLgCqX2bRaa1#!Q1f8pb6cmPn?ta|BU} zn}T{z{({xQb-k^$Cvvhau7Ay{(eR)2JBtyw=oYg^nDKkL1KRd$`c@3aG7s8;V}4}FtqqQ6sO_|HlojLQW2fh!&8 z;&jk8j359H?eW*8A1Dr#n%<>y#96evvuG#UvrWkXa3KE2Fb=@mmOw=md!pF$;y(Z* z?F1)LdapHDu7LH=fjMpalLcwRNx&@#knn$E?~M5U-qX=5gR9^N1BMCu5zz1!Tn`H= zFfj}$ZsyoMKBqolBp9iP zo#MgGnRNjW{+zws`Hk8Czu*BTkU1Fl0MIr`{2va)?s3nr(@hE(qx1Is--O2tIN1WY zV!!*BrH^TV+Rx2PN5F4u17|Ke#GQ;`^EVDTLA4;?adrbs*iV;r=u%7r%Mhvx!$B`y zqc#B98q0fM@-~v_@(fLm-0OvQC}DzrK(k?uZf-ZUfIg|_YVTAE;rIisyhDkB^Jg^4 z4j5V+3@xAQ548LaB^mCY(R$%%qcF4%oO$1pTZfj`jXjP9!5D!gHSQBwDYIU;RrRon;mc@_@EDx}0&qr3QIg~VUKEhm}e zvPPF+522SoyIqK0?it-SDmBAv8<&uE(@$oDHToLP5T^aEeWxve#)I=Snl=ngGYE#3 z@F!X}pr>SK+<2m1a4lU9qP$IU9xzmgwy#aj{vY%WNEqCRl&)R!hNN zNbw+{@p>UbOruKSleh$$ui_YA#e2$o52f_PBFepp>&95~&Ua?R>O-96LHyv8eS9*| zpvS(jxxyK`71GxbLJ7X|u;HrOm4}TV0L2zk+-q;gwTJWa@1qHmX#`M*55OT@xuxUb zghSzJ?Yd}cm)dk`)v7-J$<&C68^Gj)kw(mkmAC;Oh08n!Q$k<>}4< z1~e3|0dNb>*o$id^ohjdQe&j?OJ|Q!c@)q9ZkO5kfd*;Iy1te>QcJ{HFrj}mHa#(? 
zc-W}Ic=`9ygvnG6OaoMa!_#R{OHuZ#slk{!Z)(?nvRjy`Edcr|gg1A7_7BKO-Gnf%!0^FWABBZ}CB3Sc(AI(0POg!zK zxB!QzKG#WXQTG>9gE4j9)QEq!Tfo$M0DbAfn{QwEK3V>EIUhn@YbmyV9(TY80axQm zrGqo7;v{|;P~Tq+ckwqybgna)W#9Xa5t00b5y6`O`)FptWIFF7n}0Di7*pr{mDA65 z3o|u9Urix>K=b8`-~ICcE@y?5uag+z&*KjGAjVk7IEfJ%AncwEXwQXT43`b&(a#yt zxz1qz>dJ47=<;6}5v=*YktR&0b3W4K*)OIBW9q!W!uZ*4VWuVvb4T#zm(Bn5%m2Ha z7IDv=#DIGG$3XiRvw-H;2#WX{-Cq2~yx|Sc4b(Z3-vxl-{$NADjympdv;kw|Tmb!z zYX3XFlraA(3CjME=!+XkdZ)=R^nA@Vp=WndDh0gW;Y9 z0^DEYKlyK58jOvfQxjOj^G5sM!GF>$EIsiCrrGH{G2|ZL>G@dz!2LK^eFWmMeSAVz zDbi^c3?yozzYYLQjpt(Qxz1pokqtH`=Vk!mud0Q!25K=b%XeKZn z{w|$^H9t$|{)U`ww%HD8D1U1XNdN4rV1DD;Zw&J1&fuQW^VfLC_G@Z&S`)yUpVb8a zYMQYA&&Sw1znU71sq?0W@XN$I^)ImIXS4W!m$Uuxr`Or`X*zDNSo(j+_o)=YjImsC zrT}*={eK2VkR8-Xtmg+T4#irE#M#Hd7y@O%BJqQf)50c?wVx-V{71L2NW1`4EVV%4 z)v2^9{^_)2(Mrr34=?@EeFN`+d;&lQ3Lt>eX+p8QB()Wi_LF0C660=f2ashq;FRFG z{DPcOwgV;jthlrR-t_=Ux)V@qB*Q43X6g6;9@XH#Co51P|1DV+{}xpi@ZxC+dp5a% zoU|5JqybK(UFi?U1uMK@_3#f>9L%%9%EWU?1-u?U>kO7IoBk$@vi~}_;7J9%`B_r& zucis>|9s)~^MV0vKL2xT{PS`eegX<^SP6S(zJC=IG=80_url%7Og+~bJYD`xQ20%~ zeHyP|yqpDve>F{5|L21OtR6mRYX8(4|Gb=Sr8y4p683B^|5ajS_p9N;%Ea?V1gnS7 zI)fXL*RMeVUYq`$Kb-~zSo5=>@UNx`>;HUE;QrOr{;4(oc{yWDbXMUd><{Dq7YjwO zdibZ1Fcj|e8zX|%!#{Ke^H*5E@mIgr+ouafu;yo(#lM>7f1<`eFDHF($~e4){UJd9 z#X=Fh9{$;IVP)cZBf9dd5y48fbN=c#_4a9I0c-w4X7OuH_)n$zpQ!QA%lQxr3<0cQ z`@wMkVix?Ss{M^_6@IPpVGYj@)H#yhSGr)hXX`}&>ZrRR5wDF62*y7b z8-JA#{aV$+%i(jSR{)^Fa~~FdQ^%bn3Co&JXD1BzED-#QtJ?nr|M1m3SOtHY@>|4( zY@L>{XWj)^r`Bcw;xSO;Kfe3Jg3Yf30522IEi}UG;j_+QOX$JBnE|4|x+*wpu;%|p zn!mA)e|e36UQU+8MPd_J344~t|J59T)x$ryDwyAZm5JwSf^(h0tULZUH36(PJvUWO z7aC!_oYe&XYMTFv8vmS}C2{2i*~AO6q?uA>KLq1erI9v68R)0--q%uPe+EYBzg6e4 zg8yDkYohx1YT5&Cptd&oakPMX7g$CI3Si)qDXe;iuM2bc!He`WLmCC%*#awF6ub-+VUhJNMzBAkJ;8mvrLw zUghiK-F>Wj=cA35oxSCnP)k0SwaIpe3Kxtv^`Y!*}25FW^6L-_Nlv*eqb_tN(D~da@Si?zS|l8kSTDD6ax!`7z?YvtDIS5Ib6YTb4=GJM^RZDwlR-A+a(_5f)Qq6&_CmfVk)OLoQ%WRrU)PR26a z#lCd4k1^_)Znp7XtUt;<84LYV@U8%BmGl|M$^Nu22mjIL!YT`?tc`X>R{jD1Ny|jq 
zp^^LA%Cye$+a1!A^$o1!L3cvvF5agN)u*@JeHiO)-JR^7>Bwv?e6!>~I+5M(#dkkB zo+ITu-p5gMBAF>@DL8T3Kh*w~OfE^v_xhyJbw9E0__&?Xy?3r&&24vWE_6%B zzD)Eas$i#2z#RTXkmIwkj;JfXl~bizl8r}wsWL_|0vnY4Y%FWU%Nh*e-DlS zXwt#`aI?hi>CU#Vd*;bb!ATu$^0D#mx2+LbqXW4*FrRzCC@HgYsPUNC;d;y5URZ~_ zxZ=IE9nu~ZtQ&{Ew*B`#Pr~Y)#5YM4R-%r zUZ*{+Q<>K}xJzZRbijTbJhFe^@{ppU$SufyW?;01-^OfZdZH?4wRhiPW$~c&II(7* zFVB50zfN`uc+B6Zanhl6bYlSamZt*twgdjw26)SQf_~tz($4?pIPqY=Bhh`XuFhs| zqN-qZbkAXBiO1o8d7M&bvpV6(bW*;#%G>9#a>RqRmFRrZao=@rynaJ&qH5=_9^YK# z!8%R^@EYrFnB3|195A;Mkxn{N>NY-4aP>Km9P;??cX+wa$xS$ZTm2C^clG8WPs@G> z&<_4nY-6t8eNJtHYu6!UD-me%`=3R1HUNtQ4k5>hK;!QE4FGN5fu!Btc+Y`kiAU_D zL*I37e!>yx^N1&OD>2o5?zBn21IZDO>{g=KT5>x8PdXG`=YZx)6OKTCaVLLg zKJ>+^PJIieVJdhtV~HpGay;g>>eP1mY*w9dV3KiAaGn!{6;%G!e_*I|b{oP0%B!k1 z4hhZ+f$)IJc>}hGhW4rV_4U!xjKidjXv-^WX~Khz!-KQJgXhD8X(ED+BZ9Lcg6AWG zX(EG-BZIRdgXbfIX`+ISqk^-dg6E@xX`+LTql2@egXg2AEs-#-ofYYcy6K4&8Hlh!k0gx><=7*@(K?h!ok0y4i^oK}6l4gvJiZ zscong2x1L_J^?{&Ku}u{#0~_t2SFS_(5E1XBM9mQf;fYqE+B|22106gEL3}|_KM=$p1PuT|0zuFq5F{7`4FN$yLC`P|Bpd{d06`)_&?pcj z8U&32L1IDB7a&L+2pSK9B!HkVL6AgHcSkAE*((qv1q6kFAgLf|8VHgOfrK^YwO!{HVj;x%li*DSI( zY`?7mnBAU%!3z9u0V5-^-vCP+#$SWMSUALAhyR8{{0-oD+`CWy{{}dx#?x)a(`)u$ z1)Y2IxVz1qot6It2h4y*MndH`KaINuK?b)Yj|kolPP|wd2UH}xeRa{y>g(+{%hC?3 z!UexVVky}3Kj7E7*!eQAg_Xo#U@iQ~@8OYxO1BwO@0jzy1Ac&0`JbR~hqm(QcIz*q-bHk1`!8TBl{*`j;v|_iloDFnx`{_4Qu^O`gN}IfcLB4Fc!( z{|*~%y8+eeRvR-qftj>Q@oPaZ7(NAR6G`DOixgl$1GgcAS4KpDpXGr8u&2bru&0>7 z(_RszZZoe1h}V2sV_iuE0BySkVO`DNf^}t!4eN^A@2?yEgXp}Wys*yn;T#mfIZ%Uf zV3G^tfNcOqn{Ww6JJ=3J`yHJ2FX)aWjoDfz$G<@rhQTo7(0`*Bt6C64~u`NM8-_a7CcP>W0AtlSEx_BoOQiGDZ?a z{YOSBf)!SG3??`w0J0O@aL5aT|3?=7L5}}v=&1`Z^>xG5XAI|^4X(a;xVEKX+75=o zv@O~T(>8z(=-Jo_3@{L{O$2{=<@@6aHnqQg`4?^e|HptH`*?070MHo@Yi^8Gh^VX@ znNJX?*QOS^ni*^*z1waN@2?>osSt}4ZN){+6<5+C033@>#7 z0)*#o+iq%rP_^;D3q9rrObmA*DG2eZjjcS=UA=8#xvvi+e*`2AJn_c_-w~kvaH&WE zsZtkU$wc>N3yjSNJW!Sh_mZ#R4g&x`SEFNqRSyraj*@Pa&@GLs-3|UsE);WhB zl>={fM(fr>Dr=7hfET+%mUXFhfuVo^Zlt6(K&~Lx`wvL8mFOzv9<=Cu@B*foMBq1M 
zPzJ6TDtI@MaK*I36=RSD8)O-%A)q#@5f%X5ybVxnF}>pEr`FPsfC7JlZjwO0Mz!&J z9?+>l_1}ORvoOpb;r=x2$uF>P*x7$1;g}N`&$xdUoMRCKxb20*4NW*Fe~0J4hqL>z z;AqihNY;IKEVQ8By`=W|+tCQA+y2y8!YbeKahvMNK`hqn@{YU9@oMO*`{7|d-;vDm z%25ljkh!*(%3tSrw48ude>mTZbU1dfL)uB|vb7|8SYgR`d^nB2%KzGRqq(JX!sTd3 z=Xm$Hxdm9^bvs-SB-L@>*E(Dtad+Q1VB~jw1FQ>Xy1Sn&=&i<(P8_cvE%CczKHqhz zX)8FMIr4P})=e$PT@IVwFUUz=M!>yr;R5mn)+a-14|AL&eE2S0(7bf{0tN8&sX3#A z&MK z5+C6x!ZGe`%t1`l`WO7=9Ad)%0UvnS)yO=yQ3o9(07S=^&&qucr2UblT( zGdlcMaKdu@k^fMCBr{5utu4KypHzBWHG3t*#j5X!vTRpkGNSBgbiYuTdw6N;Fj461en+WBOw*z={q4sW2EGr~)M@t^XM#bpd$#U8^sh>11O}0A=JT-6M9wW5;FzPz?Ob!2OQEJTE z@=0Xo>Nw5fK-7oh(N>?MR!e2aER@Wh)r;A=(zSU~SYlE-F+#Id#r9ViH5c)kc=vfP z9!}o7K&86v7~kj;Wl`)r$^>rWkXPh1p{bstPa0X?;yK zYQqz+PRsK9tkp(j7INm@RUU6FQp{OtEe*9-F3qlq8zAv57j*?@|H*AJK9CdzIZf;Ds$1g(%5k7mB+EW zCe&=;UblGQG1(GT*NncNDltK_`I1!jQnRMHfsXyKM58us+t&+GYFpJ|?5!_m4+$b` zX!>KJYRpS(5DfB-Gwm+N*&nyD>Y((+KQ`yXt# zIZLx?x+9byRebfpaB#Y8pG5BaEZJf4E7_}C>#4GA!lN-98u!{qrS38xQB{KtP+g$H zi?_dZHnoS^B!)VJx%GI|@dK9~Kkr!=ur?%U;C@?LY)bCEEXierkiUmhw1A9js!wR@ zTsJFI*&}B)Cuc&vTXbj7xMck98p4+rUiBi2C#VSgAExiEw$<5pkS1Wb`?t7Vtk<^F z^}UxZq|n76Vu(6iO4{I-=0?g-GBqIEyMX#$=|Ko1KeGr6ympe{He6jpX7f!Sh)R5j(d1_KUni%Rz`Isf@?x76j}!*$cHOnA;pzm3w?_ zn?unmTjvb|l}6Yg&q>D#6eEV|4tEA&-vm5f65bskwix0=B zW&p=c;fH#B8vW{{Y0Qc(rt+nP+dLPHK!o}qFz-bNw?v|EN_#L!3(WT{QC5+Tu79~) znR8D?C6j^CJA1=^gp#iKp<7zRUVM}0g@fGqy522QryFseco&?lwB$MWE}I>~ z#M+l@`Y)L`O4zD8wLz|9@-^>>`Av&L&0@Vzh^%a0a?OPYOWiYQsvh2~LC-Zp4{4l} z`@FXn?E38~6X^p9cN~qnKK=gqx*N#i;ZO}zf^nI&eRijVO0#e1j^ucTF%Ecr5s zXy0tWYTSR5+wj<`C=lx6@%Zjq#Hb#nl;;oz%r^WVZdDzaj7BNw0>;OfGcE@&cHupVqh-teM~XtisMzH zikvqu`Pd3;9c=HQabB{=Z@NgfuW>Sdd1e8hDFOG98?KRNE30EzHTkMzPlDoraODiO z9Ir`Rrdkg^+JJ!}wXEp+rCYo-ekD#}>@jGl7ar=ouVQVCWd2-UI~0$5;ZVG(WG=*R zwlrw#c{R>AjAOic(y{nD;@YH3osj}>sI8}t4;v!6`-%h66E8J{qP!f!c>K0J=9|++ z6(1CXQ93<54Ws{$tZxd=EZVkC2OTFJ+xlXg9ox2T+xcQ!9otsNwr$(??Q`${a_WED z54&ou+O_8#wbmG8&WT##8C_Td1rGIPfo!RX@16iuRBJ~WTUE-pBJ)KF38qkri*^;| z^R#=jwbA@Uqumy5tk;dVz(C~D5GpJQA7n-3p#;0SuQS~^9GGEcLgZ=dmx{X~MXYH+ 
z$9G4LPz&4>Lw(Yr6fuymnb7C0;!c^PS(4)!4RZ4MkwK5@_A-#j4W8pzbfGyCa!QGC z6HWwaUr1rznoF%xvy_czVmv67uc&j*5pOAR{Yn8u&08^t{ng)XSfrh-woW-_@f=RU zI%0tTFsGK+2aHQldkUxEg#zaqpbd;AU}K9Ukomngijw7Uc0XQQSX_jGC6}^ee*%+8 z`)0Z*$z<|{B4l_|2{I^%Ry9hn-)+vFHWoq!vzTNW$seK}{1Fz!ZbPj$Q+6KhK^oG= zcXt3~3$a(IzZt!7Y27N{m@rY>`ZkitNppC8KyN0FZm$pm7w&WxSi`3qfp~#{3P+7W z9{bzq1)QuZ@DO5J0cpP?_5uLnh_TYdfascSrO#S_%HRpdBjXn^IliKt)4M1pTS1;&O&zOf+|Yxn-N*3PDo<+Drjtpkau(h9EJaTj#FIVD;LXUw<#Z6r>IFu>+tD{!$m!q)nbU$OSA38+xOwZhY4 z>-^<|h&=UEc979HGiiaC<~I_CZ2t{4&rYTX@xK6cpFw#i7EelQ=oHl|2J1YkO|@!k zI2*AS>1XB>#lwn7%4pvp=Njr5s{GjMJ_1(d&Wt0?(fWcnQf*wVd3y$)ZT8L@Rw{aNDDi-ebl`$TJwYC0VkG>@-|?zM!{BZ_Je-R9+i9=`4j zz#9mk;Vy%G>CxDL>vuX?m)XF0z5TW9C{?Mc6U_f9C+=XzpuCKWQA8)b4(;bp0bW~; zX=yqnjp2unQEsm=Bv=_OqizM4J}mXQ1P4KjXk8@;HvJ3F8+|i8h(e*KXem{PI;3AP ze`gd`R>8Gq;jqOX8C!17eh&Ngh&MbUXSh$J7pF|>v>#%xBEZW6osCC5WN&A6fM>fR zQo^uH-~mx4#zqx1z9*1JI2~>5c&lG2U9Ua6+~hLpqt25*%TkuGHBe8ZFxwF>gk#%S zS+HGTtaCE9>F+31(n%=9m(8hi0T~g(-mYwP8>LW_S~Qf=>7$C!&t z3bEM-&+FBk&q7U2?qG(@$5O#ogV-HYEI(~0tL|O;Wwa{n`xA_M;wYl;XSAA>s{~a( zZ%sZ9L@I`vIMd(e^d0ERf5cP33&|{ZMl_|W*6J`OIml$pw9GJC_y8>Xrk`yYQK#HJYtUIm&4|uKD~b;Sb?}}* z)mas-<&}QWT5`apUi~>k?mWgFw2UpW8rr|SFqVlCY_5?ze{Exam7_>O=6T#@w>n$B zy+-n?8AeM+M>#J2^DY~jkf%#uM*=b7fI|G^&M0wVR(llpf)5#!zt0^z&9c)YN!iM8 zP(C!ZHc(LBz;Mj;#NRbvtv$dEodcT^HiaPdBWC9nY2X^_4*@s$TMZCc-vK9lJSC5Y z`MJc%&;GNc!EA|YA{j5Q1dki8$Vb9byI;}Xtj@0T($rh&^@0z>F;ZsB{NZE7Ktb!H zJB&*efkKnBEI2jq?b&GDsf)^*3&*t+=my)G9F#;f4>j zu_MtrqXzTro3Ct8_?Hj##kE9=33+OW%eO=hm9O^+OFP;JJsuW+{k`hQ3nSK8x=$ap zH1VOFmVXF*-L4?5iJmKH6a&M+88KtVh+sbM4t2QIpZw}J&N?y8@z6Nu?Fm_n>CY(ji+?^UPs497Oy!6<3b}l85xHYsa`ihui`9uG+bL zsc^op+`pcv)mV+8HW@EBXhP|S&|^&=$aEg$__dB@4(j1jdpbnK~OW<@uxhQ$~BdmNN|I0 zPBGqd(;Lg!l_vE-k+hwoY(444x3(E6jjOEo^01|#OtM;{zlp>@jm7;x07@UHLXO5W zL06hdZoO>Vb@pn_Ix>nyoYc4HlmphUUID!g_4na(w^vs0Oa?Z0`yyb~r3e|`IkzNi z^uv9z4Os(B^CCiEdt#a+;MrZ`vH}^*sO?)ezZ{qwYd<-=6?S1XB&0uHhI+enPgNpg zG;%enXYmi$Gng0Z__6>K!ycMOZA}q}L;X&&06`eWZXB*iOT`t>DfyK*eY)EL&>*>{ 
z5$TiggK;hf_`Y+sI6}<(2n3}k7VEHnVYH?~o+Brq=2F2?KexQlSYS_yQW>3)&-whZ zqgwt^l+9nGu;8aZ0LY`5yp;nO@E;+pe`V9O zr4i{E!gH)=`MT4BA0^#t4O;cSS3lqQFAJf3T@=CP-W1GozVGz*?DDp+Y1nOqKs^zy z3uhcvaMn+={t)`I?A!R@VI;Qm^~c;M&(?A_I|68+(DI1HrSlKOq;yY%jQ}>En!+EY zBUVVaMuf^ID(Hju3AOk-6^0p!%=0rIfWFi>;e)9U_HSmp^#bsIo?Rm zX|UAK4DSjTXSO?siB1Q4Eh_`cvLUKcpt>4;N%!kHFvhWP@F z3$=VrEQ~9;RqBoPQ_He}Yu~IA+aU8RJb7a_w4&E!VgdAJ4oci*yuV}ZlX9$pYwXCx zdZPC<16cO1B3>Jq#0^MrfUJH%z&N|uZEAw^SvG3kI2)!v80u1x5jZkB~>>zy{O32E$}9$ zQ1!{K#uweYl}KE-1c+XGZuEWhL$VhQvLZD!0j8@;8OsJX&ko=xr6I%DV12iiS{=xa)gHx%u`0w^f=NxjGLFl&Xt4{ z*m&sby-3g*l(5#iq5o_ivhYol`ms?YhnP=>Y0~6aFtGGMd$U<2Lp9>%wl_YF7^Bie zFFde|$%p&14ES5on2JrP?ntZ&4F|PzQnehI$kKNFn3czOZ^4kS)lz&u2405%Jevq@ zow9`GG6VE~Sc-p`PgD@y8Zp&`49GLTF2=por3r~MK3lm1g$H8?{(9!WD8#A>c_M!7 zN{eTy56p@a5O2KVi1U1`2uZHL1W<$=i>G~HisYrFaV~rMA#$bUw@3%?eB|bW7f0Wp z7f)01H#>k=Q(vZQKWDqqerVnN(&_lq~KVT;pO z+~XClO|Fpjdu%X%{~67Qj3(6la4~rr0 z!;ql~Peke9(r`dQ`FqKC*4rLl^YWkL8voSy#a8IItS%zPS7v3#cb)qeD=g3ceRB=^ z4G7;&zunS8gLYH4uHlJef(B<&cp;Z}jm9Y89^Z+-zP=}B#wzLo*yE797Gj6JGh#|< zmAu6AkdgP~H1|bTW{bECmz=8<7vgInK~=g8H<7_l%5P{CAl_EBggGX#XjEm#A<=cW(LuD;1f(04;kX$W9VD+|G(V{>q?P5lM zbd&JDP87{M@Nb^-$r~fncHXp_BPFZh9MhF!e4Z>%4skTewZ%4rR0G7pC0FT*^P3Vo z4*-|J?&gXH-%5-rLBV8Ha$396l%LoakuxvhO%wW7SgDh3R3f+jIEoQ$?3ev+vI35+ zd!2}e@64Ntn`fn=*d?@Y2ilQ>$;L2Ihz@%t$%zk;i(;xv#NXqe?1bK2{vO0!9PK?E zF!Dg8b2Swq$vef+zlGNl&FD|gQ+?;V#2%~fUv!eg^SyXA{wcJ;)+`&?9YEiw=k#j_ zetFQ`JkAW`AI-@Pi>2;GNw~nki0Zf<1pgBiKfL)IHhOZdw>?ZJSKJ;>;sG@)hr6Y5 zc$6}`+`id@IUtYFE8ppIlBu`ya} zbQ8NkjD<}$>Tv<95g2`BHBv0qbclJ@NI@&-H({8NJ1S!#Qk~gkdFt`;okg46a4N}@ z3t434vc;Kf^jO4*u2HXHIMdV<$8~`;~kK6Z=m`<)5Uv- zZbyuP&?2skKK6bep;H6?7hv)g7if?1`z#-f{CI!`Y66)rGlh!|HhX`^=%w!K@# zLHLy{Z{3r0B*AcSTFW;u&e0#U`{cGoRtUfh^Z%OZ3r6o zhC6L6JhIluI6eCV&Ir3AymDlf*{v87+F37CS{kUhF3-cce}$=Y>$LP47VTjqH&jif zbc)es7?S4rxxBoRiBU?Z!sAhbI0rB{@XX3Sw3$)6_ya9k$}Tn%T%ow$^Y2b46kD+* zR|s@!ymb36Td{^>@AYn!BucZyC!HXH7yL4Cm0u63HD*2c>&_88oo zvkEek6h>=S-D5tlB|~8g+``h9w$W-_->e+C{UdQTSv7Y`8%7aW{$xhzLLe%5AQSRr 
zQDphyOmW0pUBr)Mjo4w z0wy=|&6;1Bc{q1TPGqoicupKV00EpT-QVHXtCAlbphxO12u-3d?h&_ww z4Z|u;>jBkNt$@)8{J-4c=Px~I;tBh`u?pF^vAI9GnTpe*B-*Kgc_-fu=LGVyd2>*& z4wdmF3!l7D1esl0nEI2%=DXa-Y|wEzIj5_XQ4UxS4B1M;1Coc|Z7j9BHM!(WGv*D_ zk)I6-@88YhoVS%pje|dK^Mp6y_{V=%CG{`Jy3x^lMnWJgy@EM!QfzEhX251iA}BwK z_VZqM4SJM{D`&Ycw~U+`FY4}a`qz#3D0}$+{d=!CeW968W9eNt;lxp5?%7)o89)G0 zi;=Y(r&4^}@Cv!>+I!;nCMAnl6r+%HT1u!+C+O47qrOq6`fI^;Bub@Qb{Y%f+fZ4AtP; zq3(c2CH{3(E)6rzBydRI(E%2YqO~L$}(0I$;kysuBm5 z6xre4A)**%+ao9>K(}ho;OxVovWH4>`M_^bo7saf{135pk0I>m4(RRF!|!r}tyGrT zN4bjG;XK9`Uv2;CFn3B>N*|5Ttfu&$hog#pHY^5q^?7gLkS|7Ir&~)DFxoDH zz;07IEeY;Una~)7j-1>ynuXf9?x)-dDqIeajkF%Z7^@+U%Fv0oENxiL$wXnmpu2<0 zR>IrpxY^3sH}gAbM|jefs?wuh-u|P|THQVkV)VxScppzL&$tNVYXX@*8HEg?!pmDS zL@I0}8ITahIa_-jl!hY29nSGbV7FCrM-|Sb|Cxr+Zk7{1&3p;obE1xabb_u!w8u?l zt$oQ5t*0nS#SRlDJSXV0j!mu!q=%Qh{u+90VNfHViM=v-I7eeUt?3tXEo2M()|~r9 z_(r4Z0PAi99%KKeQ=?8R32ps|eCl3uV8KR0Q2rK`gPK%1$TfUqx#tp379B668l#MX>4s_9cGk9R-b1s^kiDSz?^)1 zjtBapzq;z1`vD5Odofw;dU&+dz_4gK+jtNNOfq{O>@p~7lX(g1Z0E4)szYA)MV~iF z*(zTSizltA3~td2b71oxvnQu1qPrC#^?u^Hc4v5iUfZgmCl7DyDUgPK^C=3?6@uqpG-t z>V5%52t~*{Ti1%N+%Yh_q5XSKDGek|NukC`!rqi`teW4*wuY}-z{IA& z(MK6w(=URWgI_tIg{7ku^W=#H&)9OsHc4ZUw?<}C*kD9W8=@iaW~g;Rj#Vm3EP2r=5G~h zWc;8lK?e)W`Z$9^ZOS+*bM`MtO|x(wZ20S_k{kksczp_K?fN^zCp@cp)ADdWp-T(u z!dP%Mb<`n(gYqxlp)gyOGC!P9?M0qvuwdrc;Y_9}p0!!P^uXfvSR4{=!e&{L+mt|> zF`)IBRnA5?R90NILDAYS8It&)A0O%&_#O>Xcf$j|Y*ZyFR<5mc(#|P&Df!8X;UqT_ zkjb-%Iy@qg0K3YUOZMzD>*zv1ANr7PMB!`0kaM;m{z?2;;Sr24N@lw@$E>v727p=w z?j4SG?tDa<5N7%qnxx>}O6RI$=wK=*EN=W|Yz(<3Pe_gy=c> zPC-K?)p8EWL78dcgi0qQC{Op}$Cku%{HIwbYAagZ+g?;KEimGiezPCwvXf|GCR3rU z(gh(!QoIziO%v>n6>eC{=vPZDnD<4ulGQ$ZOA?0i?r?%gSF9Q6aL25Hs!j@{Dvb0q zAb27c?$11CaPV;K2wsmByyWtq#kyBup8SV~j0{2sK~LadO!Jfyr@C)7r?pIKLR~^4 zf7Gdrp)*n6E^wqX34A!#{gs)G?RL;(Tsy|Ff-8$r82CPKst8V8?VI(D{FT)Kdo?k{UhhT6<^R7Tl|kOsJIt{Epd-^SlNvg7=B9qoO<3exHZl`xHlvt_8TjQ^3b84 zn8R%~w^!o$Bl?dwoOHDvt+azV$RL@@mSj}781>SwGulOQ1u9*B?bjWNGf4u4$1XMA z4Wn1hVY0u}y?={0ikFEP7vXV3!ub3cWy36sPn 
z`+wBkFM_%LoedsRL*@T#0s!}mVsVFEKtL9>>TM6e)IV0X^?1 zgiBm4idIQ=0A*_jDakwD%BfU1ALo7T#dLUmy=IO;jJ!}|EUXaEyVVSl-PIR zSmucyIB+~7ER$YdZScBYeTm1Jp^-{m_fR$ZE>b0qJ}zJQtD1)69)agmZN|4A7_hRQEggzekuSrqRx9Vi3oyO>Pw}slamMZA;KJvPltt9OML^?%B=qybG62Lg@%nr%suxH&Hs| zNJE2AFt{;ee%)g4A_?&^g-4;FaSNd1EbfU76od&6gnQ!=Vo%1~)&~79QS7_IP%8G* zg6N(0dutIMOw|H%-3^!2S*R54(%@yl63kd^>mSbe2q64$f;q(H%byn@{&)Kr+=-n& zlEh*NA6lIyWm!5f2e&CR^f9jIPsoG%ATi1lDp(MkLql!X2AGB_HpWcX(>qWr=M1Ut^8g)`ZX6W zyqNPk-e5v?;74$z5|Y~A6VB;cJ#g5Qm<|vYNMn%(-9wGL_pe=k7JV{Ftx|?}HS^HL z`=k{Le-sj@x8-#mm*@P%b#IVY;WOq@aL1y`%?V+*rL9|+%MiSw6_U9pVK1hZT3M#| z3$ItUO-?mix4d zPN27$k|_NeP&I%Vhuf^2DR~jE9TU_>rI}ylQB0~#r*_FOR) zojK&NbRG=(6T#4HbI3)WXohza!VGZTd$S{xI{HSPXcWxXscV$2Fy#$(X9K1fo;g6O z8JjE~Bdh`Tl(A%F9*Eb(hZyhDZoUEcz?J?*J+KEpHgjjB0ttG(Cgb$+I@Majd~qB>UL1PVSf_## z73o`SQ%}x^*LW89&eaq$3UR}^fpaI*3NSp#2@UMmm}iB0Y4nUq>VB^6dcRY!&Z_-{ zV&CzE(jSjaT^*xJhNiACCG&C+9oagyOJyzRTpWhwnLner-Q1)}4jQN)t}w^S`9pDY zRae*<&mu_EX|JV)KW(a#+=?4~2LP0f+KWSm1k0^@1?y8|lUIN1tH<$J(JPZyw}%Y9 z`g=X}ysu=mw72W#9R0vL4wDOR|Ez5GD!NC?PvTMUx_Ux^=ExLzRyMAeOy>SEhTpEX zT(#U+iB;JhKo#`}C*|>Vw#CSWUWHef;Z%;evMhIX5hIoM-MCaouWB-R>+=>xO3>ewqsGDE$IxJ}nr^r-hb=2rxYqkEgaE=nB)qKETIyE59h4{k zrVzY^sca)v{A-I5RfOM{ov&$ya7hNESRtT|;w`1n7EWZ!O>8@?mfVi%BW(-^wP=%Z zft|k@M(5Ey$iXrD9~8SWX5TZrMXTo3{5q9L5P!fEV!dA|CnIEBI*2u9-NX}WyBk`u zT`X5yXxL^{rjrw3#j!%@5WaQF>0MudN>p-#enc`Iz!Cnxq7lizW=i=h*nE+)XDdcD=D{vK`8x zt+aoaO=YfCp^Ic4h9wbszfQoK(2yZ04DTILvrZ<)73>Y^kwWB5QDPlm0Rcv?&ZjS% zgDfLC+3+R5_Y>}>U=MYqbv`&*43xHmK)Jm%%30`_2f+vQK%_L`CX+qO?rd}uWKC7M zc2OI<`e&>JvEiu6ZZNJLDjPe)+cc5|VvIq_W26ZU1^qVaSx8gO$kt?}rJe8o>2`C0 zC}}%EsQ8V4Qn?OGi<}QPNhM<%cNZoO>#I=`ay7zTl|pTykLPzT$>SXgQB)UI-vy<9 zu+>sksdL%+Y$j`Q_!6iPWnJ@yXw)WLZ{={)FEtkziC(LhIbQeAFz8jVW^+zU8hL^I zaFWkRjtjBK;-MU!kZYG`EgFjZjoL?OaAOSh&akt=0$nA4tsbs@ zy-nC*>e33CS)v)uogAz-jCyy{M2h4@4x^epPV_yHhrpZ8D~^mKR&LLcNm&JXjR~U$ ziRH0OI)_$BS!>GtjoE<1)lhRF6JT6KRb@H5j#~QO8>Wq%>T~9@u|x8aI6J65Mq0~ z1GYT)sf_4BwDV%8^8>NfxYGYRRiy8~S)pOe^IcM55%QPcdD(GUFuPOWPWSOfyv`g1 
z49Ua2>398c)=8r{_l05ep$uLFXnNkp4!5e1?vngV|m@zzv#g; zeM@O}#EcLSQ;(dZxhV9)K5CUvPp`V^lP2ZxjoN47_?r+BNwCdfT3_lJ4OAx@VmR!3 zFs?@uT08=od4@Wp9b=r|eve7Ma6Hjn zEK9C&7z2*=@65(%+=R;X-PI3Q65c(S0sivHB7{zBm80|e|IlM>pSr&M-AhlNSsEhsGUJ^yy+^S&+ zY2$ho{o82VV3pAjEX@^YwIEDGJCaFkk%{=JSX{d_1+9O`%t-(0ByJ za;!)zWh8Afqspo3VXsizz>>;_9EJ%>Vn%aV!<@g7#cU%X&We@=k391Vg&+1mO_g}< zCfvN#{Tclo&ha7XDmDgR>v3lO*Q_+?0?Vd~3pGaF@k$A$U9U|k&rm@lRw@`JDR4j@%N+*V>@05ABTCLS z{e9tpm`vPrTAng3zaIZ&Celsrz@YnDu5WTo9_NJv%rpFP1ovTYaZxGnby0M+m;EseRHQm-14q(&1&MFUed?`$j9>>-KDslpI zX}M=8$rPT`p=MFrPjc)w3P(!gn`CaM=`hEZ?0=2;6>Mz&0fls^7WUCQy-S03QdF7% z=CXiT+Qm}zo885t2R$egj*W7?snboDolj{iVvubh8E{+j9tnMxUx=0w;RCNVhQD;h zX7#@Fkua&Ajix170B!~Jat@*O$cl0UATur*#oo@`_;!RW%I7t0xweilUJJ3Tepr6Z zCd2(A8OU}SIC3D&_hS8Bm4IgC4bWh}Z5|3e_hC16+7*sA6A%ph8nG*DTW zrX*^3AeOO(zhAU65Bl!o?N4wyGs&;JX-06}P|=3y3|S5Kuk-b>8!-(ANoP%m zbBOhwir7NHFSFK}C>&I9a^2>{9r=TUte9S4xvY0X-4XSLv-A%Egc}S+jm?#E*`jJR z`=&5Dzooam5UUz+;Yi) zGmF*j?}yh|zt8#52Mg3BC}!f(xG|czKR=icR*L9OBg??LPXVL_K9HzZ z5lc_9VFT0?22HK8fBSwk&#rtU*a+}r{`2#kg7wDQWIxE}uRXH$qhR+MCLFG`j~J>X z`ERpbopf2s$eBWKHz1Re-#`9YDpuyM7Yy7#9`zKm|A0~}#e4iFg?v;$MK56SBFD*o zb<|bKjU;|+2V-%6I~IY(SmGZ%(?cfVKVp$inIh;smtI~$2E$CMd6Th>aPVV<-#3z7 zV0X)@pJU?Vk6`7)F~%Ev6QB41C;*OeP7qVVY3z%Nm36lo5_o;d{j`pnMXwdwiKlp} z84vE4kHf0TZk|Ebo5pGts*1wuhVM-&o>f1Mimb{2{i5v;;NjoO;H-Wb zHS5Mfow;uu6=9bUS)qk?Ov%Q7IGYwJLf}?47H7=R7$MoU_%e$reU7CC%D_%`C!Kng z=?2BHg2$xnKpw%3mx_KvTRzodmONaC?Bv@4C#4!Oxjoz1nI_8o;e3f& zM7_YmFc@kfei?LDQ_YwAei&2+`vT#zdmc9-nHZeWP2PYaU?0A^C9L~ ztgUO`az|`z&Uj2-1dB{Fy1$U)s|5zoNH)HnGy> z03;~CsPo?&dDt(aD|r%0SsY6aNh=i%15|!0VVfQeiB~XGPlK8XX4FE17stk9+Qf@L z)fMkD4u|8P%$PO(>daRt?m7U)SHbf?$P{!Vh*T^A0+sNp@KgUla?9|G>^7)vK4BR^ zz^g5N_ZBjLYtI;chViZMTS&x<_a7FQok!0_0(4IdS2tPzt4C7)Efb;RJkmR|%X)iZm`!K63i<{8*e@AupNj|^l+uhulW z$GS;Kgz2rAG{f*~EVNlJAezJoC-{LO*8*gNv+pXGu;Xikt1Lph3e zeX&49xSCBiN?T}P#A0anDl*Z3e`XNi58%y^B0&G)4~(qrl>+%;RQ4VauBGD^jr_t%?r#p%6Rv zs$J)xdijZS(cXfbP}Dp-yw7F!5AxB{#s0y<^3_T(-{7->-F9we2wP_~5USprs}C-5 
zWCTxrGI`#sKKE7^x%qo>{SS^gggN1Pmj^=Lj8XZ*w}``gbMvQ~+Zp%=|)DxE7&WzP_%s>zj63ZRGOOV3uSX zL{vYMD(eS%_VXmG$g7} z{OLX*Q`OGC{&t>N85x(~R%E+lZBf^S>UZ1$5tNLXQSg)AH~oKCv3o#Xi$sBefDFTc zfMEWARqX#;zs~fZ`t@j49jA4wU!T-bf4oSBB{pK~cu**0=D99A6JwvSq^QGx2EbHs zT-96$S}!KTy5d_03~<^bbimFhv&A<56nNSYH)$vowdOA@o3t`-<(;DiyeV4F+ZR@s zDXwGhgg~+~;l+w3Htq_NHI(^1=NPon?cmrEN?mPaGWyKnN#^+d|UZO3-SZxeEogu`%4VreH|+CWqn*qsA5VW*3UaPr&&-(p7RcJ{MZpX>w}=ov-YRkeNsJB{-~ptG!CehDfvu z$-MzA%XofuFvnrL=QnK6pg5GmRS zPEwVR*yR_Q6|Nc2tgRM4tZN)o?|=Hb^aT&*h#;bjS+xtGZd9Bq|K<$Q zOmvjw&Vh!>CDa*b%^m_G{4pR7G$`GnGfZr16+1PS=em{L9!@GgCJIR89lB{wCO(!b zA9J?BF`j87Dwpq~F*K%^E7KKdcY3y8Zmii*7StfmBTbn_GO0MN;q8iUf24J^C@ZUH zUDuUK6=$dx<5aPX7COHEtg%XG3sk*+rk2tkWzp96L&LtRZs7m#3^u`lAJ_p00imS? z0fGO&40dw%ur_h}PugB;YQ*kw{Q9E)2j`Bzk!wIKaG)>6I|}04)z+2;;MC7?Gt+d_ z^t$;35po4N1eptdxS(`sKl;$6B928lHW$3OL^IAeBSqiWb(zw9E;8H=VvGI$qLgr$ zAR8x*1RaW89UGa4gEXK^BDP#9KE+lLF!W)HV4tNiY-<*0W5hWxuEt87WeTsLvMQ~> z-r@+WeZrrq6wC29u``ao|lnny7rqu+~Q8?`W<>h-VqsFUd2s z_@|f5u$3nzx{Ek;zp%SKq17N)em=fhHZr?5so}!~KyEqP5%SSnZ!ASV<+c9W zFL!7g@mq$Q8T7$n`TfC{?~hc6`eEpcO&I(Uz|PRwJL7t3wQp31P@h$!&pOhj?ZKS1 ziXA7BMZq!>d%<<->)cA>v+Sy~%*<uhSj6SJ13zJjq{I_YMaIgF3S&4>T-#S56;TajCdkwzF%ozDm7T{xdHR zXyL}VxY^sW%zHD2eipDE^@91Iq4Xc2^xxCm-gzJJLdZ&2BpX!nCmsiAyW#GDGX@B2b9DERgfVqk1iLn&+ha&msU0L;V>Rsz3K+F7*TDW z1@KgijRwmKe%fg!T$ko+g5lBPx1wOA&8ZpOUYndsgsyMWvAUpt;g0#EN~OCWEQP#B zYMK-SFl$p>l2zfytF6$eJ+j-+#5)mPr6{D+WF@yyp6YkIB28YmW%_QG;pj(IQ(DIF z|KhE9#}zw2-l(R$J%2f7h?iE}r=`){FZC z*?U%BL9AC9YfLRR-R3+A+N&?{R@Gq!UlsP!@pv{uBkd0SV(xcdQynV~?H>hN{uHea zr#Kx$n=T^se96T;?q2pG`z$~|BPS4e!|`+f^{M1|-lo-(C3WNH*X=#MfqI3@LYU5; z?m4}weN&eOb9OAiE41!QWJ7#@ zEj8s8C@;EqMm>=?blrh!mNf9a;BO`QB~e75<ImYpqA=6a?-GA;a@=SiKRq?OaI)iNx#7g*n-$gxy$%@In_2HdhXz|Jh(F!(XfNgOy}U?6;d?iiO@2dpa1W; zyqO<$;A=&H?4bQqYB^DGb^t9v_?5$yUl1J|dmcof-T>!cpr9ZF$Xq+Q{zzovAnL>m zAhg3s`*2L)B_5GbMDnD8sA0OxA-IPT?EkEEq>i}3Ao0IIS#Tjy!=cxSK`o$&b4L`q zp&1aKn2oxpu@(_YDZat}8wy**&LevMK_EIP2ng)I=l?a~`QO$%*$Gm%pp0+=HOMA< 
z(q#jnjFl_3LSeA2;l~B(1Mx-!4^Po6J%r{+Qs006(AFUS&rBAS$rRsSnsdzHNX*SJ z)3pqnvNaRt6)uX&L#4d z@yEKuvy{D@qiz;97<>Oed*?jYm05GwuX*!lx#@>xXFh*bn6Sv*wLs^~#3er6WmDGM z&AYpA$>*iXNn0xJzxe<8!U_@FpZn(;EbY8>-IY@tODj-kka4yF(;v#dwRZ1!9!JsOw)kOzBbX>fj9N1hlCyA zU#FPN%lW>D>!Au)0V5oxZQz>3!wP-)9Qj-EQcmzZZ{GsIh8~?Jv{tc%~D5)_z`* zc|)~lB6e7jtAp_RrLk?ou>qYZQ18nYiwj!xFt5pB4^PjXw#)(7fuZ)(52sgM<- zw7`v7Y2Opes)uzJT8s7N{a$~Z^xI*1PEC7Z+y{q60tt&gJ$kg|;?dnVr{65H{cRha zcZsvSuaF&!fQ8+8 zOICmIJ@H%4XOeo>(YdlK-pX`de9;(m(`dIf!&F@<*TzzdGv-^rx_y+XW%ir8H%s7= z!JfwZ#wpX@%v>}>=AYA+(z{cCY-69P1YqWEIUP)?RNqk6UL27XzrN=PMRA5itx_oL6n+2ZOvUj}pS}t(Zax>;-j3KN#yt(kz{sRcFv1usk~@kuYR@1$&d-TC5zJEN-VQl zJ%LXwAnuvPW1}luH5YO{Jy+O$WQIfd4TcGui&W;uPE?aK>bbxBBpchT?k=9YO9Unc zdl&4!XE<%2b-xcw=b5R_^HgS5f8t!|zo+Td_D41kzfZWOC>(OwsP;^JvE9e}St%dq zyWMlj`2XwB_tho0eoSUGwb5D4AK=Z%B*Kh1jf~yVH>nXAk{f|o0El6r0T{{*3@Q1^ z0Y&)*#rlZ_1)#u1*Bz$rTfzlW2~2x}Fs(qkfpI;u?&SQURBYNey7Io6$p+M|2#HRZ z2@Q-dfQAAOMk~ok%}s@n;M361?ceR7wZXERiDBMU0dOxAZb0KE4)l}N5NE2Pn}U8K z8{8B|#VJh0oX>`CAbRH*ZeZi{OXvn7y2|LLpf}LrrZBF&1~vuJTu0Z6UZEkhZn@2b zT)m-dM6Vza8t2}DyBt1gg8a O8Lk48;@Ss5f&l=&U2f|GLU1Rz1$SwJySuwX(BSS4!MbsGcXxMpcYS@n`%cciKN zVkNrQ06E|;yl$dqSJWea#XHZm`YXJW5bX~M@rUkQt9jo*CS;D0Ef>A%Vy*D8qfENM zGef6b>7d?9Q%8L{K4p6c${*>+2@kZgo$btzD$;I4Qk+R3_P6hd-s3I|^8e2UUc#zi z5Fx>lLqR}b{NEceu(3D#X9s~XI#S(?*uCwNhaRcqr=bC5Xw-baVLJV`G{n#9^sj@- zrcRgBX3LgsHw?x&?_J~?YAdAi;mXHUZFAtVPG+-tv79r`1S^mY7@V^k#`Oio91PO8 zzVNN$YS6bm;4+S0BhtWYUUghz{5}zsHu-~%H09l_2POVX4+4hERhrpvd=WzSG3`TK zHQ9Zej>0yFu>sSr{#QT#rKI{|o}*ecO(gL&bwu)y7rL6)mONxumLQo3h8uV7cN$;m zElgZg+_}R+HwI$j=E9mB&To_yzstB3D)oDZn#aE$o4+9|ir%HY@#}|NAx>6(jmP;$ za{zM*ZF=O|`0IIMtm}32iQDH?qM6V6`osSVT%`!gNeV0&w=WP7SYY5>Eg2k5jjW9R z&rha*pgUF5h{9sW_AZ}!*B$jp_Mrdm8!OReg@@iOe|eC>L4Y;RQI(-Z8lc$uQ-@k9 zS4oHZwiHcC=?^K+Z9YFN!ps!OBum^fhn?;(7=RNN6-!;a!^>m(_I6x~1KwFa@+ZtM zRO6|M9(|SQgZgWQixp<8OXo^QxUq;PUL&resdMq-$6b%({M^Cgz<@u{zdXsuw+a#{ zS@|rMnS-op$1j)$buBwYLUF$LPMjfmLc9Mo_K5sh`%{_)$%q4{b{_5nA=VCOSroPH 
zB~MKjsD6xr{D}EsFn)wvpZso1|ITVEP}65;505he1M2|2x&Y?-{&AA8v5>Z>LXmNz zCVk6baesVK>Ptc0K;n*juL(Un-a%B0pe!<4qMrad?ChLEJNtBd$njj$thG~dIm8A> zkWw>j1}g*N-U6nnv&F<}v6H7tchb!>(Svfb4{J+%7aY-pHiPn5VkYR7!KGDVTu15`X?Y6RPatmv_X?24!fkS zX3ZN2O%6hu)Gw@`;vgdh$h*Rc;X|Dd7=L~KxE(Ha;LKCF|8SA!lnYrd!^E<=B+R~P1*z5z-NMlbvRjqv5e9s?Fpo9w z&>B-qL)x}4+jB@rVi^qD8|?iP-W+n7V|Hdb+PON2-<6fBD2gy?x~98f#Y08_pd{J; zDu}G_LOFZVBxTU~jfB!MIG3$JH11^jgAs0%@Xw3k8DVtI(naHYHggAKh4nANT$pt* z#^ebBX2vbQDG&=q`#6k@c2Jc=LUz^^dr~{|q2$mIwu_c26jBY#!iq)jsSWX~mt7XW z&&CK&#vnBMb25D8_Qd|i@rj6YnwH9dVHhKTQk1=cIdnG|~2c|R4AuD-$=W^tmHh96;G9xs7;POA`nw^)N5e3R2+z`lVsx!1Q} zCH5i7mJTq-m8tbCqzKgJAN>uAX9S(2kRNgRnx|`fSbEh$d)Y?kMcoG+H{)3frjBWe z&5GkgJ*QJ8G?S?K66c5z=DMhDq#RmgMegc6kPXk;{E^)(2*gkN>qhyEdpmhg?~t%ppG{Y0eeVYvFKhFa8p&FuOsntZ%`$_odg=KuscQc8yT7nxho2TxedVsA z^dsB(<&DM_CYq!BxMP;yaq4M~!j9e0Am#^RD3ZLxT6Zxt?RYj_E=jZd@rKr< zoI3>>mP}d0U0DV{jfyFPhUtSEfe>ISA3h+PZ@;!Q5<=4<~;^Tg{G6 zYqUQ14%4_+go%j4)jKyn?h#pgh2b!M4#23TlVHWX*;(O&S$LKfI2XH@_~B0-YnWGq zP+QLsdo^N2V;R6j+efnH{g-^MGW*Z#(V4o8PZX-?@dY63%C!2~v~xGY60uS(AXC^} zUz&}#Egot6hlJw*Dozi1XEe!6)5}czM1;^a5$DFj3E_zXr*#Akft^4=Z*lOdlg!}fT=b<&H-dtca_BfvQ;#LfIVm%I*Xb4#TC z_|v%vf39x+vr_r|1<|Q_{${;rgRIy>LFH%RTSDLogVI!}Jj#e>z8_ z#2!j5Fguu}V54aMYrob{9khm`j<)9vM?+hN^b_yn_&d`7>tu`*`1V%1P!K;M(IN2v zkCVCB*jqT58W}k{F#PY=|Lp9f6)A36G;#k~$(Fa-ib{}bGse}a-d!-!kce&>TFH5Q zB_%mo93lkMDpvP{;o|PX!nijJ78+)WgX`xCHx~+hefJ&U6H6T2=l91h2D!J#dEi_A zBiZiSlU4N^n@@?3&!t)W`s?K^i2R+5J=aa`bVu3DNXe#0`&E6t9XMp4Fzlk_y)bb4 zmSC~m2~scX^;WVGOPiRcL~lq>_;^lM+Y7<|}#q%3I45g+{*2Ih5E z4%;~-fvC^7<}?WlAK8ci{NCT@XUogmZQBmsFYKJ&&1~K-ju?E_LOk3k?)gs@A#aaC zWqa)}jjF{+riwGlbi?yHEp~4Wj+%vZhT1pv2`{yrkBjDfO6}f1%R|p+mO;nW?G<;V z&2bhf=SF&K=l8&+m0kVPt%#F29iIujR_phob9ZH>_5kuiC?*!gT>()MEtBdz;< zqQ^**20rzWX{9aaga$e4kijZ#l{sz(qU$7YQ;)I0`*Q|A7pIGBE}plk&AWW51JFe? 
z^~*K&%xZ?J$b=FGPcf-G0hjYhpyMY!6){(BG5lzwyfRDZ7Jipk##DQn?XuVhiEq>V zsQqW{ig$5n3G_UkU$Z>FJ?=zx9k$1e#g+dtXb<ppBxAB(do1P0ag%gemK zI%awbY>&eiyoYkhwdZAFNx!o?WqS6Ldvd(GjAUF6Hg!`FxdJ>Wv}RHlBjiUVJ?j)gH z@wGdxsKfF35ZKJVQlA4j{ouM?2U%p}`*dv%;;wA=D&0v4^?Xk%7pZ=)#C>E)JR&V+ zZznM~YkeiV)|mqtzwfJf+-5!n3MK2*-X1a(0Bx4nMCn?316(pX#slv&HnNa(47%7? zdmr+e4+UJN1J4RvHm%*eKV2`eyV-xy(d*KXcHP%YibPmlFJlw8-aOeeLm}4) zfprmq3#bZ1zcQ?p8KAuEP_JGtf`aWWh20i+>!0e$`eV{XcruE)oXx!JXL1Oke5XgQ zpG(!?@hmFUD=WdHe~HSoSoQ(C;$-UrNw(Bm;#2Ynj1Y-}VEjv)g4emZhVqZac1$BB zytbvXy89oKXj+r_R8KN=&RHe90&^2yPm$EGKd(?J@4Pfdswd^hRlcHRZ=eZx*5jD^ z!rXeh^C8De72AVGQE3~<5WSy`HBD!vg|*~9wzM$XhArJezGtr5sJPEruSx*+vr3|_ z1Q_r%Ey;g#wQGl1)@tMA`lg1ABg321|E6wZwQ0wDJVJZlu|Jp707WNS%pS3iKTlh? z4v83?3e%Oell-YoTK1@{Mb*&50U4`Usc2mQXO=>@@hWfmmsQG@D$OZo8C7b(R!!C( zB}56)Ws{p>?;PU$|9%^FM^n2eI=SUnOtj9FbW(y*ywISH{)59~A}chd^z`TbWdh-{ z@nTin^~rjLD$v%jv#O$oU|+8@mj^2xiFmo~rkeID8#lLft~Tpt{%@L?^?7=KU!sJI z&$uoA<iJ6wXDQ_`OCKValss0P2?}Feo4^+wo8<`Jtk(V=|SXN+#hMNMkUPz_d5? zP({;CdgovDTMb`iC=BCXExq^KuvOHu-2rZlflygElZt*96qbUtDpc1%g8OPjUB34$ z|4Nc#ep19^;}?OkKS!?BAP`*f-cp}*yNZUMrK53+T*j|@5vRQ+tYM`jI`+t&83)5~ zak&HCyl+#ErnC};Bh^|ur$5(khkkBH;AHdfh@2%^_XV6bhU3-s2Sj6povzTVuHf>( zJ$ILBceoc-{Yb!8N{nW%%VHVy9-})EQyR=WY3(>5v@EDbGDYBarNrItloKG9DN#cwV9 zm@BTU|Hhj$SRS^fky7(fnQc192G+B(QW~7o7}?v&XT_!(y_X@+C@V^BKP*j^Bfi(r z-F(!B;{|Gqu|V50fS#LBq%<&6-`YslvjLzVD_k`+&Wz_%qfofgQ&cQzFmP75A8XWX z>DiIo^nx=>MF*VKxWY~J2J~~(5mY#gRI%F}4d5*Qd8Q*C2Kc9_Dj?pjdPCM6cSYkn zl5oCo^+n2;U!za}G2o~9qQq?FjEnOj$G`<5(E05AiNMU#y%5qx7uWZvVU>aPnfs=* z3+E@h3|s#c(0(Fw;?n<|y5 z6J9Ns9k(s0xwA_|dS-GEGL~=jPK7dNEVjLOaJ3gRa zteC4zGxhdQ%TlqPQ%>;seejaB70Ik??IO}CA1f>$!3wdK8*#7HF~zJNPyvW#iB}Uk z+iF+&qGs)Utk<*R)IPvn|KUwA5p;UwXk^J7x&>$#zwI`^YPIQ~(l85JY*L7~Lj^IdlcN=ZRcO>n5e?1F+7h41ncBcE$E%g-PFu5ED^ zM!%mXp9IcWkrDZ6UqXSdcABj)%W%05^X8r{^=rkbn3e>;r(9@QuaxE#g;vg%msI(^ zT}(ps^Jo`OEUxibMc5o}Zil2>W-IC~a3gKra)|_v&%GR)`n(isZ+i!kdD)%3E)`fS zdpGYj57^~pt(TMy^J|*;PMRv6=@sJxO}{cpK`$R|8q&3D;c|FzyZUbAML^hrE+GB* 
zn{hh)B)E)>X*TjoeWU82-gcFo*<>qWW%D-Sqzo@3W%@WDa1y@;eOPfx~lD_2mlx{lP_*aam855iBx}_yAR#6w|kdqgi#7#5x9c zP)k`VaHV|&B=cOa!d>}3(_)TX)7f*mSC#wB*Xq|1_h!$S1RO8tnsHaU@=03x+CX^bo{UDnsHuRoUyN2B0^$g>E|eqC0GGRc!IUpr`LI_y zA+-y@Hatu3qT$?B64ud!pw}adIa%5z4JLPshGw+MzTdwQZNj@2BQXA_LqvJ#r)S+h zx(=1f?A*uatV{AO-gV`3v*lIZbL^PoGF~$C;+~HmEg^pYXuNr0rtvaHI%Fm`q7UoV zL=p8Izvfjl4E!)IAXo$WpGtjTM38r&BsO>c@I%qF5%M$QGzx^1n(l{emF=*ER7yt& zU$R-rVv~>3)}u?E3-7$FKS2nAPh~0n!ABxbzuIo4Rf$+lOqce(6})y;o~MUy!sf|d%O*}f2wOETx7Uk!wm3^{&le{`w6W5Z`E%1Q=);s3UN3 z8`EbPNv3_73V|Zni$rs_rbG#){{M|&yRLi-oCj>s$ z%yAKym{+G8n_LE?hA#|DVo(W>AnW-*#H%)R)vgt4tVB74(AC>knw`_`I_m3(a9^J0 z>f^@;MFiG;``;wzIy4-!K(bK!#ExgEQ#=ndpA|~?zI%+arF;%*F3M_UGe5H&Y$s9X zzA$)9eNvr>iR4bhB5vP36z^{h!YV*qH~%xOGdBG=q6#_pIhPiGg;Y0iJ1P7*ayTG! zrUyWPo$uIM0fB*lmmdxIs|-7GxzSpFoEhsoSU5V?SH(rY$+IZS^k7l24sh>Qn~!8` zPn&BGDEX(A_rz>KAz@~n_X*yl2(&*>mU_cWR*65?Z+pQ|Sg|g&b)GT}!T(GOVn?VZ z&;yrUYY;{OqK|Q0#izCi=~e?eMIw)h=I>-H^x61TQn~~A2K`f1yotefeXfVLxQ&5^ z0(<*q$DAz{Un{hJFc~VUWlM%qONkTIBgHWqCP66f*CVOq3>c~kcmIeTIpt9_=Mi9Q zR1NdC_`$6RFi0K>Z$RGs18Y^#yzclgW&Tw?Re-?<6rVmqNQd=H=n#KV&0z4ouQhKbBUNn=+kgB`$UIS;t_@s!M#edP8 z#Hm^&ZT#A=H&MBq14r*6icPXtck?0|p%L90t-BrQH?Jt}y3I<|BI+-(V$op%)&)Wa zsI@k)?b~MJr8<=OB8$t1EQ{)jxpysgp~P#qQgk~RXWe~)kG6ZwDdVnxQb_@#1Ytab zEcL%VqxyAe0-z56ikNjEIpiU|2=Tae;O|g|@jA-fS5gPbgt@p<2hSPgoRRP5?e3<_ zALH~S#;ZpX%RK-ZQHicRrqIHU$0}9C4EBe&)haG?uT4WEg6Y}^7%4@w4I`H0m=qd9 z9yOncLvxBaoa|gJ*wS#s{s~^y4tQZzs6iQdhRM-{yxoOR9qpEK%uMguxg{SYEnKyc zVj{&b)ENZXJNX|08Kt`>S2Z>d6nm41ffc|@wsT=Q`d!@3ylTr7Js_h3n?`9H2_a|a-Wqb6%~dSJrVEg*<>gP(o2Xp7ik-WT-R@m@D#PvE9_z5;&h>>f*{lH_xkx0^DI|f=c zT7S)2Sffpe^*uhcPBsXbk^jJfm4+Hw)qvasg9C>nym|i=Lu=}Jq@|Krx1Yo5SWMuk zv)Y*@NHUr24WwmqZeDb&!x=?71|L3q#`g|+ zZWZNi6A5ZqxE4RNh}~3q>)-0nzPxcSzEqVv&sDSgc-+5ab&`MBoi7f1mwZ8HC#b%3 z`rjUO3K6Ge`U8pWQ?n=ILWd~o{gKI5w}s`0E||_&%IxCQXwV6x1$p-1CBYbc?p;Pl_NS2Pa98+p(BD)c69E~T0d9wk{5PE2D|D*l zRpBBj@LdxL-e;X?4)X9MfA@4cO$NW-iW49Q-ji3Z{gk#g-51F$-B7Mz(e@T5buL~t z2>{)=XkqQoE4*fPzJnY0Rjh0V-MG9KUbp(n#UaZT;)ri{<(;R`=2_MrhY3CdW1Q8a 
zMe-zF<;>h>&`)g!CJKau81~k0cc!w^(;f%fjy~d{^Pnw}=j&C5;Q3eLX1qkiizKGZ zG81{wtAV-pOGctj5yP*6xvGichuy=lX2MNZBrommY54xMT&FIoJ2R#E`e}GZRT6wb%jd(_HhKC9n#2!d zo%xFvaW7zmc^oyFP>+k&IoB5_R;=tsvbjcY2R;8k`g=l8kPWRg;~0TCQh8f|sAJt) zJatZ@OddBx&SEyYv0@S>ml^kq?)IToR>S;ijFgVm9sa|jLS7}=8f$~C&gpbwlS*b} zL?7bK??t+of$2wR-d%bPndK@4TjS=K?E%_5CC!gAGSwV8hLF|tY+G+&H$aYtA%JodbTc$zdvRaPoL%U?stCYQEiVi|r`WcA3P z<0x+$>2aqviGH(6OBF{cKU%WXwM6xp4eXdMu$%dsrI3ZOH@%3=Kq$4P)qQa{3&ke_ zxmPShZZityvn> zL{m8$H%oc(5pMJBazvyr+@eSB0v!%_UC+^If%T*+<~iX}T{*7pH%R}zUS~|L0_}Ss z5g&W`O<`VJn3L1OZF@Siu`$;le$?vTT28}NVwKi=C6qB4+I=9QGI920wWm*=c%UzRa!^2@-IKa}!1#4x{ ztbB>j(;9tKR`jTqkNr|c%`?Mu!V`s7!0laElc%;+#xF#l<};b^RN3tfw*tn%IIcx1 za+e_r`voLsyXU0fso5DVLA;gLMMqY!{AdZO+|NQ~V5iP4eWlc2M-xmFiHlZZ&vK%&K>VzW)XqX4?`IqIX~ zD6vo*AqweuJ$E>q-uv4(M#SeU{{t6hT=Hq>=KWhkc*nvc*fhR)TXKF>OFIj;jqtu$*LjFBui78eVvK!RF~LU?siQf? z3VCC_dhdWd*>bVw3fY2)S-q@cJls7cRUvkuBs=$=iPdT@JsWDE1}={-b~b$Hia0T%V&32Dl!O#$MUQ$YU~y>3hYv+tJ=qpe(lY6|5D_hrW^eO* zI1!mYQXDMq_eLW7!w%n(Qc7W^i^pI2KXy4`qVP}(Ra#tq?NKjSTwwjD_WiZMd8fmY z;2Xz}uT7)`Ml|Rf*=P>#hY#Hy?>W-4dP3gWf5*3&M)%Pc@S3#Jt>TNh{IclUh-gV4 zBKIS{GOHixMJqUO(6Zy#82Qbi_N=&nwn7tu; zv6Qc}Bvyt6QM~CqYp&%IbQ=O9VNqG>B{x%3NSvu(W>I!?co|QHeI||Ye~ymHk|=YK zDbOsFTq(Jj0!63l;T|t`vJ-0~FHBmioS5Z3Yk<-wil8hq0nFZ^ivo*=L6J(QqoB=W zrRqi}@G+n{NaGv?v!sblaSxxq5~5GF)nTOlvB%xdxWL@+G57ZgrOS0}_wg*HY~;V} z-mcTdls#KTq$s3r3nxPl3`z8*EQOPGFHuYunp2c3?6hS4Q|#z1<~lHg_bd7;*GqHh z)8LG%{s?op^B;Bn)i{)FH9%_GOM1oSq-8Qu#J9_`UyaY^kmb3ix2kSWL1j0VF(KiP zJmL5*UFjmS1q7sG*qXSJv>l}+#G%T6)4c$Sn=n6DHf2@1G%D8)RQ{RI?OBv4q|ZM| zZ+}n3ldyW@bB4a%wx|?Uwfvij!|@>2DYoL-e=#-ZNN2TtNvOX*a8a6TjE;OsTcbwo z)166HoegRlL4I9vSf9t*;sV=0)$eZwW`T7ifE}x-)Bvf|3&2bPFWKi-CWn6ql?W49 z4!bXS+q!}9l{j=M_g@|kjCx|458DJTDd6ZhvM4=Nr4>)D-+9JVeP>?tE_V5Ox;xGl zcOK{2Ey8U+hhS(}4^Mq3$gt{<`Z3ty=*QLG*Hx-4neE(4vKK&qn)aeQK5noO4Y=E3?xK?cyHR11-Qb_kNI|g+fvI8iSP97I1y4xo{PRJlMOqp zub!s#OXZ(7sgHMa+wiQcVOeXQ8oAWizDLpB38iYa-Yb+4IdGU&Gl%`IAOh?qh7&q$ zTkhdTeA}F7tp8|a%{jDU@7L&LuuPW=9%d9AQV~Bt^|boI(Br9@Cg~|dXM_LgKmW5% 
z?^(IhV5$dq#jCD3c2Wt%O+u}d`JPGVM*X8~?j4J}pw$feyX4s%{}Pv13F!V9Q@Ha` zK}V0YC?br?HryI2#LZX|4CCoVbb3OmuJT{DoQRwDc(qgsAl8w9?W=H3YgNWGW5_Vx zc_VFX9Pd42HElmnEU`z?zg4yDh`Bys)5{LdK;5B|>sO_x<)74TI;mE&bH*-D(saA4 zqvjUG&6}XXQ}0AGr<2=7Y>nf|A!)Afw|Ob?b=z94v|bDP+uHE}GJd|1u4)XC?}-6A z{*?CEfE~)*0R-Wge$q%ub^~ViN94Td-jz$W&mXy~Pf0JlF3dQ^Fhu?aqTz~}J75z? z`A;AhO1`8@PmWs%JerV^iSp%BDSTDtXlFW;u=D*h-zk(F%TGNmyoXWuiiX83zRoRF z;KSeyq9L*zTgqenlM3I^k1#l#Vxy7}j;LsX+c@csU33IdnqvXwZ&a@X_blt9`lx7O z0AJL?dKeEy>%#rf3|HgWy^(Cf zk#V^$D|NtTf`(V>EYPQGnE|>UZakTy%KiLMz{GxjbXe9Bq;4s!vQ`2p#@uot^G6di z<2~Zb8Se39D+`8=yRfk3jofly5hH@|v!dxDWw@d>cE;#8*DmoM3K&Qp5aO?y)uj&a zG}4c(vik2d2SHwG^`dM^1h#V64eF|hmI9AmK`-VN^J*?`;!S}v&oMG;h>L2v(}LlXv{dDq%c6fRXufn&k!GS40E+1rxD%VyNzbakbu#U*OufDnliS$! zm(T@1z1GPTkNE1(z?STKY4m&77HijVCll|SpE9NNJO0wJM9ihX_E(Zml$w&Y~lMXRj2JrN6vw_*3>Jn<*Pd&_BuPV2boJ z_z2U_0T~G+at70Q&b$nm#?VfT?Nx{$xivg%c;ab-g6`))jLi90%NkHpp(8Ifei?u% zw44pMY2Hp@+rD>LxMTL0?H{Ro2+K-j5)vv1&%)&1E^! zVV33r$FZ$k3zf=&x6DU1hlq-6{Y73pqAAXmfuBeLd?Eb68m+EFHzAxIz4VVk)zMv% zVlp9ZO{lP-XjlF2M|EH!aCQFJs|`!cIt&m;`Ijl8G6DPu3fDF;#Q+=~OVWWN`m7Og zoO5E_-|0(n0{m?Ftk4s7qVK;c;J1%CZyDY4qAB3tEJsklj#%Eg@?@T+-k|dK*F>vczyV>3mX4?DS)Y4iR4O%ivbjVNcLwrZ_+#7aFNW9Ble(CKAg?GwZC z9bBs#>O$%M!Kr&*==v_t8!fzAXbbvi+A2;}cKfEDzA_tqzKNVYQ3j$YZJVYJaJ+o$)x2mb0Nkuzq@!Fs6pA8?9Qsj0gv6z%ZQMdkD@y>4J2MH(1l4v(81r`AV32ya)0}E8F;H9&c=vx4*PW&yV0Lc(3}he@00O` ze*Wvx3rTV4!tcuPq~PX3N83f6N6B*tWyA^%ucl=WfF?dlVlUo2IP!Ia7{R)7J^B1Vo z2Qt*zcAQ{IFi@Wgb4i!%fDa#QU{c3ll1wx`<2~}vzBFB(jKk_o>SDeVUd)Phs*u3w zctLsYYE%6od8Wn89Bv@$mxiu1bUtk4yl*ro+t|g#_7q9@cb0t2h~Rl^1Jeff80$|( zMZf1Z?Jv^=>21GWt=CA+6Xsyk-^Og0PFf=3p^#se=h%A1cijRI=P4*P)3~Q_MS8kM z0HpwQ2l5kI#dq=fq^aE;Ex%F>$<4oDHL#`%Z$8!M+JaBr^`eT3!WP1<_dcvEy<(MW zM+!_Uy;(A&|3hk~Bub&0Pjd7Lnw6-(5|0ZoGNe!_7pm1+#ep{x5;`#Zp5^xCKrcS^ zZ}64D6oBft(jqnB)-Z8FE-8;R_B($^v+sw9_u~#cl3tBsjZl||>PuyCtJ)50a|>vh z6}wc<>d@dNM(Q8`wAcL2WW_-rcNw^Nk-Na4uM^QM>1qentMRuPT2Ynm(sxqD$KUNr9sFEWFb34J=PPPPBI(ByQi7KS{{Ypq! 
z)kO+?x~4%@qdB6bSj6Xa+Od`{XRQY}tkA*#0HR6`7<{VlG6bJI90v_Gg$;h-oU2e* z1`PH}uGlQEvyM!bO0JLyYaM)`0XiE`B>#Gk?}Mx%4=q&K+@4F1DE!~buI4&)x-!^u zpTJ|Vitq*lxGtlz@Ne5?11XfDzBt4#P$@}O7rYaxl$n1=F<&jfx<0d^>`JY~q$dM> zFbc|O0cvo?4WP0{p3X!o&J=y|U#y@al*ZKjkajoA$7)#4!@8piseI}{)o{8@8}8Q8 zFhLb+Ku|H_oI!hIKkm}0=inp8gO>Rm81!-xJF{A-`ae#$@$C2s{>f& z8|N~-qgxVe3Ev?^aEcdf*GG+UCUs*s2$h+BsP#e^;e7B@3Sa%a;ik(%EE#3T@BCde zy|U=ymGR;Of$(P#es&2dkXHViNW!;2;a=<^O32o|)CxF1+nT9;NR`}UPi5oI<(!ES zKP!CMv`&-x3yGh-fe$7b*&lA5-+QB`5ahqdHaWP07}Fwz{U!V?76u@U zzJ5Tn!V%9LO|;vCrHyv(Y#8~9`?#W4cf4CiH`F!Wu`dNVRQ;brDkb++!_;pr7KIio zZ*t{EP`~}W4|max4W@s%X_yX+2qHH_0>CdgQBsJC1T|Z;QGmS|dfrwaawr6bk^&b! zUG*@4`QDOsZ8wMTjXI6#OI7-=tXh0*ut;XN7t>J4-<1}e;y5Zdl+*E*E_>lv4HX0S z2c{$DpPvq=Rf`d*r_<^h{a9k&yO6(^&imYa-6&93NgUX{P|kGzOptl!RY}U$#)Hju>^UFr#)!@6$$h?9)OHss0z^U>rVZLpdA=tg93{35U@w z1$`Z;ZLbs&9_H8h@t%JL+BXyXHAb58@wudZr5r>F zg8!sKz8FFz9|}7G5nhp+wk5abHk=KYcpHdkM5@y6o=@`Ry!jaD_=6_52>UOIN;wb` z5Um3x!FF4>y0_=Ya@G_pB67$yfBlJ=(>fUm?*>;A_rJYr#0}(b zC>vsc_iCdhh70J8s7FS5X||u&v$$>kjFLW`ab+x;+dhQMhJ$z*onugtI(m>@2_|v4 zEV$CC<0lDdAj(t>NiSwAn66xNxM+vA>Xx4}q7~(-n z&e(l&6UC+`Y5X>P&3OO9;j#*K7AqeP`>#uho*_`^ecvo)Bm|FCc4Nbjt9**KUWbgd zmD)>gI#+v*YiH#!0@s#uRk)qu)XqmsB(3L3&!eZ;oI0Fw9M~!>Md1?J-~i>+5py=m zqXmSbG2MW$=B6Q|=?n|xMHkO6g?IV%7_~MWL`?$z5?vPAX>Ch|cc%%3cb{lF{DWzK zcT;YR3^u?jiVTi$Nm}l^p(A}kB3Vht&7DB`o8D7ygeC+Vm{oZkos*Y=BKT|BQQ87c z)fsylZ?<8ILW|U3XC_A!=KWHX+44DSy1LVQEk~lM5w>~t@{*IK51q$?=g|Z}5@Nhm zwVbO{^68yl3aMVr!`l3A-$8lgAcJ~jBz2-)_krhNWQ*=aRWvX!wEb@bDCe+pRprEW zd5sPqGuNDt9*p`L!0)jQub7Zt1>#|Af9AO;szdK}m;ZNadvYS7D(6a55)4c}N-mcY z6vgq;IOf%FuCr*>v04@jttxXWq&gPm&r#7PerYNutTvLlZ@Xe|RWe+FTEB10)6d2L z>;#A6E^`x(k$X?5#$FI^Q3!`*p?~uh^m`c0i{{QRo#bjY-4@PFRW}|=(xyFSys4t} zkNAzr|DSSik!?}5;9LrU+m5i-$orhob_Qjwd$%Uu=@C{EnejqRa^^=5pFJ}=B351N z8Q;Z*Dn*omCC5KNmiXnTiu0fbV9it580*h{{kT#f8;YsgY#J8Z4}S1~(ZcfQd`|>1X6aN(wfzIE zSM2PrN{ZV3G4;Gh_8P2oKzW@C_Mz zf()*koKNQLuiu+Io->HuKuI>Jg(+pop}Kt^tQ2(}eEo!G=(^MV7dOzs7ODLKHIR}6 
zJ9k4~+*e2eyK%orjRntnuwiYP;4#1Z<7S|>^>r@o#vTMr@ZVIge3XU??$Y=rq}Z$I zVEc(n80WqC@a65^-(E+#zV$r1dw%D7_4d%SK7x6P*!{-^pRgV=HPnh$wI1>JWU?06 zJp@29g|J>`w6EKWs)=2=6syv#guBDINemI^NQ4zXvKIrQfvt)0?=GIdnRT8gO9p3l z1e{s74o|HvGT=ici1%EcWwNNeZ0{=mNw!vEz|K}G;tV0~9`Q7A*&9hc{Cuq8LMBJ&33u8-$myU;XdsaOXN#*_n`S~c@s zJe1t>eO~ZVR+SzZ?8|vTcs1GrIuZBV6{5;yP@?kzCM;s$*IHds9A;FII53PN`w%NK z$)GYXb9FPbn!}fQ3`y@D`d)KKhA6AUkVoV{=8j2bEH^ z45GBz*SRN366GtEiQsv3F+*t||A%ZBLniE>>}npft~ICgvanS)Ypu=GoGr?)oj6=J z7j>&fQ#-fj>_@gT%s;l(Zd3322(G(0pe0#i=6~_BWT3Es&(f_|J!(E8323cQu92S; zcvS3FoP0;@uEhC+2UW>V!gt#Yq`)GNS+Os#fbcI;qM2djF_M#H3WwFaVoDy94u;Yd z`vdw#`!|ykd*TDcdW?N6L2;vPT5PMt^%}TdnX3_fUmV%p-o(XN8sKE;)4#!;D!}Xp zH!(F268@aum@olZwecO?s$JCatMod=skSgcrnq?$$&N~|es*ji8Z}M>>x8!3k+I_A z1dZG(kFu{7dE2MnMvH2WIqm`jcEc2dXWCH5xmbl)2Dttz3`F|>>~=J+Bi|IW;pWl0 z4OWBHKyXDG=fmntwn-kBSAJ#b{_7xw=%e;HiO8|(_R8Ca5X(JuiFt_`s>n;OjQ?VK z6r%Ldd`J^naDu$B zU%_t~g*D*Z?qJ0Ge72f)bH;f<9Z!)<+WTC)_yYs1HhR(%I)GiFfGI%?5hR?lqj|$l zC=`MV(&>~Ro?}pAO@fl+_q_09Pke%AU;Zw;3@i+MN!t9TBhwYgx2`hZA!sQ5yZpEQ zdI;ZjRn^$ClN06I0jts~-mR!)Xw7QJ3bIFsI{J_DC}Jd#n!eY%pT~HWdZHF?ODPsX6h!i9EXszKQ zWfP0zLIk0zxZbdQjZyOSe|wg`yVRau;kbt6@%nkzL&t$+bPtT)w+lJhlb1tT;A27p zh`4YCyZg2CLTI)l`%;(s-p|VBE3z$_XgU9*GR;;+j7cp z?FW&I)WE$k=PjcqCI@kwB;;CN&W3!&o8okuM)o>rt=~{oJFgvme${T+-xJBYqGSId z27I6lDHI!(=km2%a&@}HY|h|-QRTMiP>8Hqk}Uld#My-W0`$MK(np>SohBTo8#m6r z$y$U!fTb@8#OIh@Qh5qVazj==q);ndhMy(5xA$1j3|@A(i7UO+Qm7LxpH{iG8?Ll# z$n;~~PQaY7r*sw6hBaz;0aN-CxH{j&akO!GR|N6aT*|D4j z>HbkiJphDX7%~}%cj}Kq2%a#D2ENpK4`FFlu0B{ zs~{y~_saJTO|yp^9b&hIC+`80$rTjai`daQ0mew&(;SGV3fMvd|K8HXNNh{sOL`I^ z2Lclp668c-(&A}@csMP_FyY(ZWwO-PJxfrB3=?kaZ{S{c8V}fnirVC5AW$&$Z##Yi zOF2)z_e>ROJ383ocHpI%gPNw?)2BXodh(*a&lK+jevyqZx&8`vsdAoE8nCF8^VDvt zLe^avp>(rzy6MJU7Y4S5Z)W&gre*-X(%b!oMM4OAamy}rP%THqgB^&)vjyS_PG(0HpW z-xV$2apwP3CbEck#I{kEG1`{hNyaqPmOT`VZ=|E|=S9^R2WkY4LTS5)i`9)+@m!=( zFzbw3SoNc9@DUj4{O#aQmLyW_x0bUR6l>!x_B$CAE9>DZ=|nY$B|-_~F!w9)BF20m z8$B!}k9Jk;e4;7DN@-Rrt(xh)J__>}FE9t&@k%I|xvxcWZSJ@(yjrgE*({cfP@T=C 
zMY)W3Y7TD?6F(+3MJ+_TvuXPG#oi$5>R^{0;&ik@Yi`47_l5DynA8JPtm0v4?|3>9 z#TF{Det+JuEez{o{oC)=os%_?x1neXDS6oSCV^#^0nFmd!v-mdMb1(spZdi6stQd1 z(G!x=#QMo{Q;)&z*b3(>JEBVyzFG+yBdy($GAc%?9?6fHu!kf)b35^#sAWHUDT{>G zSVw@>0-wM|E-LUz@ew^QTUOea>({pElK}FxoPNBHL#qOG$ z`lzQK(y7RtLBol-NC;&usz>j z7@XJ0#wglQ_Q5bLx?OXST=A+HJ1)a_=`G;jbNGLfKM!_J2Gt*+5v7IFo9uXGq<2fM z-6C7~lvMwJOkHJIT+6aO5Zs;Mf#B}$?(XjH?j*QFAh-p0g1fuBI}Gmb@+LX=B=7g^ z`MSG$)v8+6yL!9azs4L&44qNL=mxH<+LS~aneJ;IF&*`uCwPFZM3vm@1iQw2LtZ~h z9c$!{ls;CMRr!9jhLcweYwmi8bYm?Jgoy7YFAk(6F#N6@4y{NL$&5!xvZ$d znWIe@chV_UObZwP`;SOu4-$1V&NK!=BMHOr41x)W48tG$z>Lt)t4CD`hP4YXKDxmq z^|_{0O(FzE<_|W)`}+c)_?sQ^#(&IxV2wmpIW>76HHs`Uv{RWdP6)ACP^k-iWY2mW zs;8Lg$$-<4TfAZIDmjd1k!rDk>|UAc|0j_1^T3d(=%gLFzOc@Rb-gjt$X`hs2wVt? zXdCFq=ueR_6Hz1d(dvoEYheni^jpW^E81hE9QWRkvfkLafq&Cocs5`*Whe9zxM0>* z?)Fg1yY@p?L6gcC6aKJpein?|0lI^iFRy4rMgjecMrEjFPS# z*)Z&oZiDvtXN`UmI=qWmz(7&$x~6SV*Z)e?U4Mn!}=~xFn?82gV2`A>28FP_=WFH$w#1#UX5e?=P4#k)pbOqXo4z8wEKLzv2l9$XmynfVF z5l!F|UdIIt0uIcstG&fnDGFK|fx}Vx_)Wa)>a>qXsjH06%E{TGjvHTJQJ-FZ`mB=q ztrUA~s%DWDJMq>9$Qh7$vNt6>C(S?CD6uQ2%;zK)G~Yr<_KXk=Efo&wwJ;acaULGO zE$&LvP2omc6+BVnYxLlBj#v1eSRMuEwCz~`fCO5HcyN|{hDkiO7`jBPF=sG+)hOt= z*ud&XOtSN9I`nuxYOk*b+NNk_yW!+4`9i?|ra2qGh!31*@>6OrD{z{{hqJ6^h}bPP zcFkreW=k?5Uym#-MVRVOqXTi%Z3wYYZ_!Y&j_R@2QzvlOa&QrSCgeB9Nj)y?;{^P@ zBf7Z*z#bDjJ@N)gCYVCd83B=2NOZ$(ak~gfipIJ~UYpJ}KR@2kz}##qhD%Awb6%ek z7Y($YkhZr$90Pa8Tk8As8B|r~^ud$1>C9S`w-;jv_nE1MaEn?Q$6+)V0%E($9NdU2 zY^y10nU2!2lBL$PYKZ*d+pE%C5jLe&F6i`-*2=2`=wX2ZMrf-ECd5XK!zb=cxxJ>5UwEY>B^0VZ* zg~K zcnCkXGH3RaCZ^fmue1+?I0D;FF=HkaEgPS`r}#F!voZ6^cnQ~YZ%l$C3=3Cw#MzSP<5C@_U;FnrNn%V_w@?zHrE@IcopQQf#7#jX9{B zrTc%|!%9c!cI)M3sY;tge09~md?KCFLZ*qaO0Mo^=VeUVn!KJ{U2bNOuUukm<&8sI zQ8BH#)3Cb%5)jbU3@`}rD8@#hc;VOFR5_naZIKRyNS#=g;XQ@|?YGNrwu$b(sZe~! 
z>&^$K&2Ov)%V)xo0}UM=u{8u(ArWy>j`j<4tWCHcw-Rh%qplYhSCq8~@jiXf*9N6UMSes5RzL^}NK+*~mMU(``!O{qdVtU&)fnib{RrCw2!{ zyZ+3q5t@`ZC!Ux%sQ@q!e3K*y=qqjkI)}^-?cGCWjfjl%PHLI-tl0eZ+n%j z4!vE8rZ>ylnI6B~b)y_d4er)kAuo1tiwH2-r94LfY2-BqY>IY%UAY^dLIhTF>P$0TK(#?Y1?a=Dc2%@2E7 zIff4!HQLHZ95W1elW%9Z-Hx`|AnB}O<3Vpg=h!`@-{6+CE99cj39Q>Xo}tea@X}{< zY~gvoyY9tnnsX0*5@_$2pn)W-!}XuN62W&`a7iJ<%P8rqO8Ci>CK4Umgz7jj;2jmO zS@fTK>>XR=B|3dpj3~K3PB=*afa674B9hp1SDcw=zf^0b!TD_0l3mMg4Qmih${C&5 zvQw~B9R z5-Q(zD+3-h;S>oLD+)7Q*3Qrt)vPoc=D9eI50WeLkN2_X5ZUsvAr_vzEv%@VT>LcS z1b-Sed^VmUWj`y2T|qG`7^D)i;mAr6?D^%FB;(SzD8^F$DU>;(D+-5Ilkh4HgV&*b z0;I_}OBFq@i>~hf{Q8sppJ13clT5KMI*O)3XEKs9iKc;2n?F9XHXV7oCGOecR)5duIy;|7WhGqm zv+Kn6e1g{2dO5`+7KrYGzAiFI$SnE8o=*Y=B%Oss;Zka%gs?s0W;=V}z;}zpqF%Vk zMNZ5d{-HzUV1Edd{4YT$$bjJGU<1u6@(jBPaMn(?Dt0uVPLQO#u!iknITTt=@KAkp zP+b1@(bNCoXDQ}5;}-H9bb~ z50}-*0&>%FE)|s9@-)m)6pfq6OjUH_>kd`jRQ5T1DqGIzR(dmXz?th!sY^YjZquy2 z)?I0vZLhKFNar)kS2Nuj$YLC^eYV!zn~vwKth{0o6J&FhKehPbrYGf8Jop>zUn~B` zd2pWx1>}A{u7A>z0SpheD$^WyxCYw3KZl9@Lnh!jC{q^0qsSrT?k8+ZkPVN^om?Crx(3Lz>9mg)Zi}6`_b=JqS zrDU~TT<=1{k!3NF{asjR6N(4sbQn?Pcs?w2W<_$ z&}}qf#)?u`FP5bj9Stcto;ti3Gr_LJz^XR~W1|*i0YHqve!SRkAG7Tl%GLE>6^#|+ zG3mUymfx+PG!TS{YpOpFv_(1^$gW(mzk>Q>fmPNhZXg-rE8L>Q2$;o*DK`<^LWclA zb_cmQsfre*?$#`yBRr$J&=E?cO7AQ|7fs71ShhFtIh>fuP8ia!vbS3&^T!6fe=l4* z*oe0cEG4qj+cWdaVMx4X<6$%PmGb_cNc3q-W_gxOH)#(8!G8C(TvziE^Hb#6b zj(XptaWn7V%G(3wU!TJVAFtU+Ze$` zz@6@3oXqL>GFL<6IcR0~8o^R}a!28TjhG&1z(&mBBtZfn3^7LX>c)$1P~X%o;NSj` ze3Juq3Sd2SH2a8Tl^u07d)TEI^jRs|*lBf;M_158XG>87B*d=Yfr5bB>a=Y zoTc}lHnMHI7I_vAU>a*D^MyIe+j+#n55aNtz1E}S_^b;W@gR`vl(%#lPA*zH zDd4*Ch6e=4!=dajOu9793G^SSUXSz``bnE ze=M5fh;0d2hpGcwRE7h!j&S6w6!R%%gte1)7Gqh=-aSSn77x;D9nzzNnz+JlNVJI! 
zHHV=V-5F|EL4MZ0S$coA?I1YcM4`iP+rC83u+z!{8quOq`@rvox(wMyvF^8H`+@-U zD=J%%g5m=L!8Pnrf6eQgDGF$0%W(igcW6%@n^9h$FM>;wF7~AFf+^X!cQEfQT`86aaPaUO5{~wzYw<1y1GBZ*5{vb0Y|e#^>IV_T)Sg-;Rg4oz3q4k7|I1DNrNfojfei8e zhrOfEVnL*KK}^Sd;Vc(*ja0}k5n}jVrHpYc@R2`DH=VXXi}v~q6H<~ye<%$DG;@lw zjzGJr?(}g_<=dRXe){wEI7nTdG8?&t# z9f>vM*@WvVJmz$uf>PUFl%*4>$g93~-XEh8(r`*~C54@)Ssr>W`1v zsB(r3@INId*_C|F;=;S_)++1&8uKEqgUXwDyLZj~D^!653j_5(*hfcdkO)rh(Tv!T zvccCc4qWoVaCjA>b-udnrxbxd2zk=?1^$FlAz6S&E6ydia@#Bs4Hl-U1f`W6&4AHJ z#-bz-2{XpA2WWh&S)B?~_t;RW+pQ$Lo7*W2rSq5Gn*M< zY41Pq87i}4B0@v=z`!zHDiJ)Tr<*83dt?9W=dB{D0f?>-gQ}~ba zI^6raH4TSyz*g&fzi{hgzxGO2N2R&av(DQ1j3)Vdq*6G-@9 zrGRPnJHXarjF>*30EPp_tA7GF^+&geWD$kDf-G6xhoH|sv`A8bMZ`bUpy7#q2Uvr8 z22ukJ59%}FNHzt;_k}T`@%hq1+A}sRw~V4A``cvKH5n>7#V$*PY~>ASmTr|-+XE{m z*Cr_JYqWfxfZfVdY}gqVHA{YLMSo{EtUD?M#BXYmPcFRNfxj724Hy52Wbh{#HyWfb zbsM|>H=0|H`w{{Sj}r#Ii=J-RnrdN25ifS`zqy%j1_Yu9n}0}=r$oniV921OdBs7y z98cz#Ja~>E1o+WNV6DRVa6oi-*a!RaT}@Y^?3YyNaJB03P3O>cRq-zNFO zPQJ7CBUbE-AjrfC(H%P~zM9eIB)mFlPck~N(?0V86#p|suK?kHp_Y?rlUaVS1({rU zP72$elw3H$YsEuS)6D%ONa-IhS^ek9yX+_2P1cpfB^QsIwf2&}w%U@j`+G#m_q*8J z*HiZ~%sUd<7kM>T0|#^7%ilz1ES>&vX}>-2IW&tJDTSPSjv&0-Y<0v5V_@1q1Px5! 
z;L+ghbA%B4rWSbac3j)1scF;+}O9s(T(bqA>KxoZW$krX(7GrT{&O&+7nm3 zMBwNw-t&;4+-UtPt;7kiM{R~%YD7D-o#82YeCsFQ;OkG7*N6mb9G{i6H}5VbTqNJb z?X5{f7a#LX5If%Me-SR5{&;D>H}E+*iyg}2Y{Xy0x1d>uPxTCrNA5Pmb`Oeev>WM= z)nO0v58G_P)s9#+{{0yvFX5?gj-hHQ|R;d^~&W>Be>DS7zf37sj30W_g}* zq_N2Ja?2*juehn|_JO~@6<`$~h(HzHX%m3#y$1RGn`z7dU%rKW5XA@i7`8Z+r{pPp zZl&;Au}ST8-ED0>R876GqNxvj2Kf(mIlQp-ch;cjfod>=2bF1t8^b`i?W%~um1sxNj;~IpB z`B%jVb^9L$IssDRe{%3q48QFk1-e!kJ8ZI3$E1_jh!lSVUkqgD{|i&nbOJj{O#pZ?x;~$H3$A<9Lr4Ac z@l*EXS*h3+X!_!i81-~aT7W`&RT&iHUOIPZ&{}kW#D4*S*_A5`g7gyStAujf_m!bW zq=xuiUO;E(&^|m%;m3G}LPGK~xzkjYg0ujDK(<*Ew(K+~H_lrqp8jkWWC@p-MwaYU zK515cPB6iAwB5+y#VlSA{KS5M+`p78_M4J@sd=L2(G@*c?~`La-AeZRsJ9jRrFqda zWc%DU8CVCp{^ssXFU%KV8&KZB?Skh+^(Gow8@%ZGyn5PHGq5s2(9+?ncUZ;t9qs0I zi6wH4gR2TTD@NqEhH63`$YGBbaR7}7*V&knh*T#uWO=yj_76+ZXEDs3Ff4lNEug?q;ol$=wny=HGqmf#L@K!=$6m; z&In=gxdML6#SZm(in31WUvthn!9Prd{P>;mz(oql6CZCZ-(6&cMtla+0HGG@XUD>b50avI{Rr(61!OST+3%kUY!4Kz0Ke z(G-xGw8YaK4lQdWlTv7QJ;gj|H+490$$tEeK4mjdHwli+OQ1KIye&;jze1KI3fg$~1t&%OK;Ja!JbsfI%p_NwEILp1_rL_39Lhl3Unk{8L?};Cmgh7diS*jc_(XPA4}9-VhrXzo9@kSdmb1RCWvfzee&10 zv&#KCo*!OIJBHg}6vD?!{o-%iJ#X2H{d^y|aGM>f z4;pDWNua>#Cw+#u$hr3JQzt*m@$4f3=t`6@6kqW!J5IY&dGphVpuKXI zXQ_d1xzwv5TcpZ{LWBi!P3`GqeYkOM=ezo6h&~C@t9gB9!Yo9_>@8r?;t>@x#S{99 z421Ev5@jax13++JJM7xONg;iRXpnjPpJ(9jfAN+z!%yn_IX0{$>1tm(I*jsOX$F6{ z5F(|Vqvgfuz8X6td!?3j`b5FTG@;4#*@ZKqDP%O}GY*$6t4#0yjPP$eB=%V3==xKO z<#QZ`5*AQ=U?JM&jR+dm*zu@Z!CMB^LMROTZ$Jxc4nJ&}osCdZAdygu1qZ1|Q!coL zRqzUE?(mQnc|7<+G*OzY@hU67&pUp{z7R<}KQL=rDlg^JjDDSd*`OkmuaP8k)#DVH zeK**Akh45F29e>2_A!>ca@Ak^!AI~Q@T=N&K}_lMk+?J72zt?Exjch$41*qDEUqso zG=+nhVn0(9mS66P{o-%D&P<1Rd0+zt#%l_>@g1Kc$3n<0R}a>5yLlDT`6EN&Hwmtr zS39n`Bo>0w9$f?u_Br!8Ya@n{aqUQ0WtfJq@OA55_*f;BrMS#K4e-VELk=CxeFTl z=2F@)e{a{`>~&keZ2d-xaQs?&zN=f7@KvwkNk#iOAN=R`6FY;j&OP|TI9c%TVYMSr zg?MG*9>Ex9l?0?`pe$3d(K%U)lxtMkMq6I)DyG)>8SEVjYVr2$seZPMrc#bXF+AUm3e9S7`cKY;%?PVjpLe(3shi+|zg zIhn!7?_z3GRt}9!x&GW-dtV9Zfb@45ZgzOED?2by;4t{<5}*pZl}57#k5wB(raY@* 
zr?5`#nsrlVJSh@~dDkaCxKG)J9hlZd|s_O<=Nz(6)Z))(JuYB(F8xIo|JA@>v$ z>A`NZJ^C=(B%Tv)+^4@%V_zn~_XS6Q56B1Crhp%8V=PYVaRMr+10X3ws zKgT;2k9S}~o(?5K3T?SejX8#L%awxadluI;PefWU$5zFSA;M<(XK#O`sJuMVBVo$| zl|Gik$H4)EPg(w7InBQuilsd<=co6HP^T;*Rx|`SVXng+0qBwba6^g%Hr&nz6hzKZ z{-z5f?P!#6)4f)_mlAW2fJq@_RkDTAJJ?l_$;US7Th|^C)Y~Cxr$Nlcb5ajQbZZ{m zy=?!1a<;79-{`N#AHRBF9|53J%Qe^tR~GHi0z^I@DkVDJ%5~TXfBGz+zWaCm$1+A9 zFE~{|sg-wY+Rd%pG*PYVyTu)5RJA-TP5IsO3+hq9L~8jE=q>0JU(ysGTJxml9mQZp zve>pbk_(PK>I9kpzlt{!Re)C(>=6uk)`qNV4rzWqhObAPj3i=d$Q8vH1cS`~KN2_` z?VSnz^e!rlq(W!0og$8;Ld$~FHtypE3Ic7iKIhOShG-?my5ekxS;6|Gt-rK095dh9 zX9s`GgnJL_g;?lQbl`A4R_OD4*w&C4U@6WcCda3H5%+26rZ_8dAag`m`v{~g{_q-R z4i|MC<^WLpS2TIpVV?pvLhpd0sf`WwK6_Z^fPW%#QHIVXTDuL9=Nqd-x@JiSw`cSu z!xA>CwkAL?mlURtxc!3Yg5C(Z58(SK2*uV`B5xn*3q2x2J2C}g9Z(0kh8i;}=BI>0vr5&Yj^gdXA#iVFh+MK0d# zf&UC{rcgmp8Cca*t-V+V=g4=FtNz6M@`a=``_tbk9y5~zr-%le;*$$0x^Tj=YnV@L zOyXC^C#9L?^t3wDYs+FLGhSV0>xSGio}XSno;kZ4`0mu;6JeWX2FmN?j9dYa_EA6l zV?O_bTu&DbslfJ6!?`!-zlyS*9S?2OS)PAV;8i1(lOYUW@wnH=1iuRP2k)2Dh#7(Z zcFoyz!@^nK{xfH2NmA{(Gxvt+_J);;AXlc{1AJvD+%(8>w@`TU^v5ib> z+$icMj-9O0+riD9>vwFN4J7XOUPUL;v+NS1GfDLo@&-|mt zZ}>Qc--^@?C3_>$>e?vhnW$n4s16^F&8 zzN{Yg&7p$T-1Bi(eJLbMk*jWzZX2FZheZ6$P!(k*>qG#;{V8j6{K5g7<@G<^8r&an zEpu!^Y&RdJQGe6gSBClEGF#*XwjZR#F2Zg`8t@}SW64n zQO%7B_#BRXNn__6xBiEn*`saQg{P9ExKJTZ0(?Dz7SQvYL z%1{3kXZGqpN&GxYy+t12bop@up-iCh(hWlK2VG8g%>0y%$e%>!q&U4uKZyYA1JMNu z`R9G$Za-Pd)p4(KLA`Lb-&I+Lm*sm;zeS%8;rQ{D-T13@^!prImuyYV(T9_(K9U&} zKqTR7fwOywtR=zLXCmtT7CTGWAwNNJ+hL#{O3av&eM3hZQN^fHm)-}~pC1~dsH}3{ z!z&TpzHPFgzP?pKKI41FjdH9H^}2fQjT&M`fRiY!Wjbj2kZ{FkcDz-ID-;+f9u~xV zoqxb!XJ?wpl2E8VR;qeXQITc7D^v^N3d+GJ2O5&p%{bQfIAn%Ff%x^;gTUnGOgH_buWM5{ai<=~Xsv zG8oO7eNZXZI19%4jigj{=GEWt0y?*t!?LwCp?9ZiUqGF{_Mj~oXHTMpsIu3x3No#< zOUEbplF206=$6`WSyo#E){BJ~$G!G2K5!1nHg+d>)vQs=B&MnKaoU;(Y<=z3kR-Mk z&>Qi3Bid_mI!DJ1xV&#>2eWF^iBKn^ovdCP#*%VYGtWNOh>RUVaR^HEmrgWSGG`G` zRHfeesnXxjH)|G1>LFWAgaF`#o1qpHTxt}A{bM+dZ4;RC8!n1kpy6ny6tYcl*aEAw 
zL=+&ul~K+`BQfDWSNX1S*DHDLbm)=KfVmJe(`k}ql~&6LWqa#9eRk0-5n6Bg`waAcRn+U;&a7Ix%xmXckFiZ<)C`KIC_06%{fKWD^Su+N1AVl+Fg$DSU+La7?L4QLFt8gC z7S7wAqwP$V-UY3(F)f#}U=#~!oG>l3M>NREyGh@hPWgG)lS$v~=BE&!UzOhV*4x(@ zmrvKZOIV5Q9%zN$PEU=r2p;b5Rek(cHQuCN{A3Q|i_*aP9Is~U^s+Xv=Pzd5ok%^a zLiw{S6aj;awtk`pm?;TtD)~?BZ82sthmVPQ zku#ynCK{?7<=r{-`!8mVop66(n(|}<&->T`_&}@po@O|4=(*QAp6d?%GAEQ1WrstW9 znJ3A*TwA-Ys#rPR&*R>BOWR6Na(Xv}l{g-SbxB?_ zo}C`SrcB>F&7T*N)F3utCv}{%M^~>yE*EaNj~Z6wE)dW5(riAexi8^&W8t_ax&Q0Y z!46?+!BVY^5xo)l0_mh4GDqw~`tNvgM4>Q>dj?1kgdHJh9#-2Zbbk@slO)kveNKD{ zM66RR9=h(lgZWR+QxOU;0T>$$X1JoI)uZ}y;0v#ssSf1`15|HV4zAim#JgLJ!^&)2 zwpctOuCtBWBd%FyWwSaJK^0~Uf}~V^yP87r{ zR|nO$rNx7WC?+~g4fb2{Jg-BcO^~!(<*Ycx8-uZ2OjyeOfSvv+F$qT%gb$>zjy&## zhHjxoQ6r7kh$oRvEhCMSx727m%^m%~Mv97?VQNXb#9n6VAI~5Gt1z06d7~ww?)N2<7(XHi4#lo+<8B&$8PzE3K?fF0-~816X6XV$0`h z&hPfzj@Uvob&jd!u4PNF3>@1y>P!`9)oUkMR<3GpKunMi&ZRnlB>PLxTO)rFvCu~I z9Tu0!UT_{Kr-&~iQcF;0=6&p}7o1FruUs;P9SUw}~k$24uhbS(ObZlzHo&m%_@ z-`n14d}eZfGY{n%+{U`0`ut;S1tG{2`6Sxmx9ZeE%>JYK^iKA+>|%zMOk_{_U0PJ3 z-|kHVkYof;v0lm{ma6^~20KLr(i}d=(c2!Ly5fi>LIOMTg(#Z2f>`LkB^T7E>lF}> zbi~Jvvi|H#EFTfHUSd6i(b_Y0)4E)!p@zDUApUgi*QCTE{G(fLMWQ9B7LpgQXzGTT zJhx6ZiMvYmSgEs&#cjd=7cmY_Y0mXRSgFKzX%+o7^_jV5eq_h+(Jd|l7-lp|bG1iV5z6ZL>Xfq=zR>C= z7f%nMTt%?zxF9u!pdvnzKPZYRO`3nTZL^e)n2xC$?JB`l^U@%Iu&h0^q;uwg1#iNp z(QTp{5K(Uu2~;80P$;DE>%&-e1W=np$xy*8pXP|iEyqyRw4?)w{$D_;O$w{LIw$@W zP?$8ukP~fI-54~p(bo>2O_pGlYe7Y%(UPn*?C@9=+?p_&(}VoAWzc?(CjhpKSBWx9 zwsUA5$*=L}K*DnA3BN-ShK+phtIOI8Qy{soNnJG0X>^AP`Zv))ZIk9s@FTnYZljwP z#%Wn-4R{kcFJ8{V9=_o}({I_;QkEAOb1Re|MH%;45m;eJC*$!#XWN8-DV{<2YTCy7 zD30hEQ5>!ty1R`+b&M)Nv!G)TL~EA)No}N0M4f}Sdzgl(tl3aRRhYytP4#70^U9A3 zR5dPEMPT%!jE3QO;IIQS#$VH~jtHwiiV&4?6+OG3ukrHSnvLByv-;I$_q~-;e z4ZAfY3pVg6aGW5p2)^I$I3RNgq>qz>(B)<8R(h?AK?Sxn{+y@U^Yh1xwe8cE`|ap{ z#UT6fH{Zv*^R!n!gaS%z0@ICy??dT9rcEuAa5@u$0u{=^R#T4J5s6y0<`x+>QYa5Hn*B1%f#B6m19j$qTrzT)b|z;R(_)G?zxo)=ynaiSvL-TQm?TZ7 zqtM7?a;8P8Ps}x^pq-osEJ4V5?a&>p;G^t|N}jc>xOJIPx9ggKGNOveh?i)Hl4)N0@xmTTK!0j|qSTC;O& 
z{7v+$&16@$guKtCYeSsIFKuHoH^CjVyH#u(*3d#9MM|*)_;Ep+3v7pbm~begBtgFr z!8tO4Uh;4t(GseQc_3a@wSi=P^&Ar@jdHDOaTrMI#*6YivPh-?OKM)izruoXNNWB~ zcL{>_#ahu)YmO1K9(mef>2A0?;ENIPmD1q({yYHm#~ zLyeK|Fcxe1ew#g2glUr9FvYRWM;dw1BlL2L%k-#q$hJwbH6A_ps~OsIWLe1>Pfl;q zhX1{fq#+}7j@lK8T0539N+t?|R@2`}*qT-mC9uTcvt6)vHPF?3!&~bdny~*Mo2hAJ z$MR9cu}(_nj58|L23VH12848zks{){wp{S;17BzA_@;xO+i{s>O=4A0`P>s5de^UY z;kM30;OFH=)gMNgn`81=dkMVp-LCcq$wzRGIKxF}1v)F!4)h_5)r2hJ;5j<+#*NxP zbY#hT0uWi(GP3kL=2@OLrppMBS~UzVRrkh}(qBm&i9v@2a1)6LqQ;SFU{9AwzK&`W z6AtWJ|H0kpGF^PlF6Ph@ZQb25vo#QRRt=GUX5n{sW+vZ6J2Z+EL!{bQ>O+>Fxz=j< z4r`VU?3Yq(G|VE$b=-n0ez|{ckBb=$BUXlp8%8DL_%SgVvJv_gEp-E1$BhJDqOVR( z(IwRmdc^U#ym^=q6|N>ucJUN?(&2b`1hAroongZmF|`!D5;@NLMsPKo>akBfhC7UX zlW9Nh>TX@w7jB$>Y$4@F+48{yM|OdYL3(9+Di|ZEr5jFXTu>m|wV0H3G2b7~l_Lnw zFo7BY^sWE1$?`05^aD=S=8BBsj>q&Qsi}g&d;msc_uu?+Y1ag%W}7HzDc{v2qimFQ z)iNpZvg6LW_J`4+sHUOTu;(35DCfO>+3O%@J8VL#oW~ZyvT9xaj7_57rb4Ntx=S?_ zR&VyY`wRF<-KK15;}pC$Otb9`pf1tPEtC*Y!nD%1ZMWF1mVD4_)y$3_b0sBok)5e%fxVt+hd9gpsRm6h%^Uz!?s_xD0cYqDldLozyR$gG zcFw)jzl3_>B-zIjo~PpDtnwTyIx&>wrPudYYSi#pA2IMm(wQyzW|I}(EAPZABMN0G zBVX@bL$l(e3>^)OA>6&y;CZjeVRmp;(&ZqMJ;V56=x{%T2bQ^d>zeZRka*T_bYk&3 zEgbyo)Dsot#r;`)@7S*QMr*=%w-zhWDyUQj5P5}id1|B=ckibwLTXj-%M83dp8@MR z4=n~Zd{JyRM9LB3^s+)76<3j!MB@_LRp~np$#JBH6jDcJWlm1%KRQMH|3E!bo(>fn zqdwf&Rj{pEV;`J~9`#7%sy`c+bUMtpU`-)&oIi_zt))jz7No<*)#cgjUG(LZ2f#OL z_HlC!fywcFe;}H-ns4O{u`d&`?AW-zM8CcMSxrIN!|_n^&8w|xpQ{k1Q7aQV6PIv( z@IyfPrxh`FzVA9=!gVfPYEbA~sX{9=TtXseIYQ1nz;r?Jn@Md>&hyyYmOKmu3SUe^ zC%y9v_L#DNDF$qW<+mD)WlTW>HK;~7G!FgDx^W0YWsfM zY2%l^t>J0AX*|TEN>zwE8`?b=@8OOlc8IvXub1feA#968>KM`6YcGsdG|iSfOR| zQylgl(X(cO-)pW$uE3$TU(+|3f}aVji6F9^hsS8N zMfxN5z73f)cXb!c)x;0E7Lo7Pi$|Q9IIho#x*+m83!1%H)0mS%Gi?n7`CeK-gFGri{n>yg$_ujZj=gAoJCeG8rURZWg0#$ zip}B`eY*c=-Zd{V6%SmlvO0}Wv^Ou+vA`WWXym1&cA09Ra06DRKU&aErOMQv&(>J~ z(Dqf~JH=+^%;}xn)2i19UWea<#Vg=$rrhlwZfDQO)F|PO4ZpYFMCWt>MUnGnY!S~I 
zm9M5`mx*`7UFW^E^ub$4tNta0$B8o-ssR!i?i+pKeU6d>#TF43n$EOYw6;j{bYd%w`LO{68A0^v=m_)$}ny0fr$bYSeAifwY^>C^yYI?eLC#Q5oGTOjz)}IY%Y3Zs&Hq^5l|c zUT5?G&4C`8jqCT7A#TQOnRg7SkcH6;(na{^;Q^U<@qFIQcMx4d%aL#-Qd-YCpEI+-s2#*NteXs3Ib-3{5saoW7#9$*BEz@wrJu_ONNrbK|)S7IwcDFGd6S4if`! zBc)95qgv%cUS6RYG+cdrlXvZ3_hZ%l4!SzX@|rljK`0H?K7s8f%FXLWz)l&&d@2vJ zRU*_8kJ#(zm`hLEvy5``umQ?OvadcjERb`7JM4zgIHrKaz!R%xG)%VW06TfQZlpsS`vWfu*ZD zHqZkr(IFOtnd#n##{QA%Pb$Z7HrXNmM$PM*;Gkv3Znv65-D$i!??7NYE7jM{FX?=; zSkh5M$G~I<9#^`7G;H67HL6 zVdb<8D~9%gzBC@gFTa|QsLL|2ps_=hDv;HyQxZ}iWD`tYG&-1gxz8Jl>t-#N_2B!V9pmak zS%!1C9Ugik_^i?CLE2K)=0`kTaWnizm#wtIZdU)k0TEVOFn4&|4{OG_U=9)o%>Y@7 zQi(O?RlBg^+Q=wQ5|*lO#`5qS|0{?PJADh*_CAq}Ybp^xB!Q)mkF>#!|LKD~zW4Ky zr_}YdzAcGbpbap!yJK#Nk*zXdQ$0+0Z`15r7#=3W6C_Z`>^#aD75rf6<=9)lj@-|5_`wW4O zdK+RvYNmx1h#n$AI(#dN1ipVQHy)R7UV!)91d)VPk|4M{fu3XlTR| z+rh9$52x5E(-((DDMv^S|F5`{yBtBh3v>v@QbqG2R`N98#u}Yh-uV$=?N%Q93HFA>PV=3_@VeodN!wCMC9t zx6tvrl1S<1uXPxMm?qY$UClAaD^|Ft=CFY+I3Q2vRsY=k0$*X&;>CSn(cYc!&)nj1 zt4p|z%NSwTyYw1i3OJxwFWxjMxVAO-^N&PTL-*Yt3u{@Fg;vIFlw#DOK5tc70JReu zzs8ei_X~aBF^2enk?wLvd4{Lgh{lAP>*#)r8Oc;tgNv{CD}G47(Cl15kQVq8xmmv# zx~HKudsU1i*{msuyudN;a1~Y&unO>(lo%5ul!i`LN=PIK?itFC5HnG7%=L;E2%}&A z??jKmq+n{RuG;Mwj+N6nzD;XjD7Q++Y)udqUgV;U{dbiZ`2=QGCgZRy=G)NUB;yOi@Y-B!$tU+~Cv z$D8cXx!g;ZCE<%+pW*}G8pa3A2;c9pPe})_BGi#bhi0(?avSoAiDg6vso=!4c|d%#4_G&poBM6B_XGEu)l|cEmHiUq939Ls!_4#I#KH1F*mz z5qc$58HRBPa~u3_7!!b5s_^)k_LZ^y5+d_uFazcsvN^v+GLoW?{EX3dcd2?c=UT9Vjax+B&o>PtC#5S|x>_7|_f0vcx|I&nMY?|e+Gne%p6QTGw-;dVh- zeD(31l(Bo@-(9I|dCLF!ysY_=?(OKTP;aYa^uQQnC(`#RAdSA^v>}wyZ8Nj*>#u^X z*j|0qTg-P=K3?z-DRP7XY3aKr%3>g4{-b0LtATmaN0E6F{5?5gr6mmWRVt`ygSdaC zSd%L&x^@P>VOp2yUi2Yhy+Z>}OA=a_gjV_tV$=zT2g`~pT_ETGG4+jMnSbBcgKC=W zCfk^7Ot!6QvT?`BlPBA@ZQC~Pnrz$k+~4N+Z=M&us_W`}&e>Rd?REB<{GGLH^~d`$ z02aKOUYbsWJ+)g$i`aDQSPXmD2Gk;{Ik!saem^TAe%8C@LE7XX(*3hCF2q3#25W3K zo*&|C2q_@E=e^iDIUzuy*QYX{P-j^mfRZhSnsC$hKDEU2jn{+WoQ8SWkA?xluyi>{ z4wQ#9DbdEbn^QOS+oLr0<87MwIfXeA1$9WP*QIVd3>9CDoS+DLyO58xdAC;LAL=PO 
zWO7bH<9;yxbQZP(-*q<};A0E}<0V5zd6n!6bw+Wj34ahJu+Ymr_wf}&nqSb^a!11t z^sm-Mil}p+Vvrs849!ExoIq0V;V305DJ=h+xgtLXF8l9tiD?Rd-(qY`cNYGNmikEG zhGs~zlF9@F&_9)ge=9wNX)1(iRPt;=HZK>X$Kh{*{c^@#*;YuCgi%YHu)Cw}`T zD&2#1Vl>gao|+n?93S=7(p)dsq;RY@Y|K_B{U@&-5fXZjQ};0B&s^^##Esz9)V*J? zD-ym%8$ei@+UTev{2-w$sKmfaAtB7)mM?~l&a?8+gE3Ia1rjPiP7bRYYfG7DlWjd^#XBSxTLI5}gJ;jTh-^}G$ubNpQE&T0YX!S|q7B3n?3p?_@$!Yl zA4mTTFORX7IMYfg&gctoR%uFY)-a=5iJzEWM|`U_HXm-d!2XgHeW*^5ipygq_Ycpu{dfmtO2+_6+K>@o;_OFc<#+mYO5!s z2f|-?r>^f%{*uqP1T(j5rW0)z5LmoyfzK8jmURMAomCH>-iHZ|Q3UfM`NO>R(2pu4 zEpcdz5Q7uvhlft*tdyY_c`ZGDLFO{1?pIhLg`qTXW@@dUY!%~4q&FO}%J45Pn8{V( zlOb8UdXFDd24D&2lZIgpV2d^b1xtNY59ihTUDCB^D#sEt3SV+ftps@oLZggwVuVXt zW=|dS3rfV}mwqaqP`?Y!wI*T}*Q(9oWU2mvsjluG&l65YzC!A)-?by17Vz`KDr@Kw z24z1>*0QqbMyTs80ig_YLWMFh>1#UG%savxd%TMIaW zvs0;?6v;AjWt!kU60!seRzUD%QDo98!H`P?jmqHILgo;7R_kF)`Aj$z9%j`dqKCDw zxg&CPMSU^XhLtut7K8b_qAHj$=e6_4cG58;`XcfC&q;hjeRNi$-)(N_OCuTdt6pJ8j$-x1dzaOYIDA7%HCiBk;Kh0IAF2i9>c(H8Kp<4 zGv?N<1GI5<3d9+#kRAyjom89ce|ni7eDA!_<^L0WY1dj1UGc9-^2 z=)ay6k;H=V%R@zUqrpcBsf;P1Dh}x(!a-3)!QgK9@Tg32fk+V{K?&YLRU`~G%5J5W zxAg|+FezF6tSOuW#ep1brIuO%^i|Rt(82Q7NT4Zm@x8L>0_H;udsDwKfAl$r%Lh0< z?+nK^)vumB@-cU(uI5ulqgL_Tw}jQ+&|wy1XD~dr{v(dJ-L=zHMGF;6%fYgO;`A|1?dZw-xCP#N z^L*OEc?;Nl{}=|37eSqYpmMp0JA}dL5O2rluA_ zSU?fbIT6RV<2wT{ms!Tev@v)mZ4oN8kSf5&WfL7Iqn*#dmMVrwCiT;;lx}*_rPa1N$JTLOVfL-fc87F+as>*~+EG9LP-y|-D zPD25pSl9Vk8OZY%5SdC#!2s62zR@&U1X8zH-)SCeMt)=wh^&=aEV<}xQbuz)lj{Yf zx8f)wS{FAs$=kD$3VB@8#+}Q8Nej3mp0DWD*~yLTcJU7KUgj)QPV`zXW#%hguHRmf zZ-j@8#qj2gN`ToepAPisSkE}%eDu%HHRWZ(W1QwdyYf}^+hT$lJ~0{UC6<_AcLPV~*oA0$kR4(vgNiIs(f zYAHR$qX)^dyw_r>eSCxUJ1U#Kep#lvL{;mH2LDSr@k&#){wij17L4=pGjdJlSU1O& z${QMizCO~S1;0FCFN;v)*+?A&PylLMj_Uj&O&&L&PMs5%0Mv;;$57r%bb)3fx|iY_pKgC!gLh zQ0GyUcNL+|*J7Ac@8q}FhCGZ@DU~xhq(|wE&a;OihCp6X0?GvW#7dyHLUd$`o*iz! z@yWq(0_WN#^{#@KlbfXXD(K1(E2?U}HG4MZ4;NdnO-1#|B)pdQfYKMEdwhIr! 
z9-_f%tAcl@ZPec@ef?lRHrecimYX zC_magy$oLSS5t(gDT}r4wKz_gPt%zVm)K0`J}yX{yY!WOJsDAas5g&K;9y$wgrgh0 z<}EM|n=|oQ{H#fzW$9wC0-#JS_DW%u|5kUN!kiR%r*4j^n7(H?d=gD0{Sgo0I#p!= zi!_!dILA;$m9V)5R7SJeI>Q3?xVKt6BrB>|1&eCOC)`LOd9+5wU=IOqFF$!-sC^YF z3-6yNjux!zFA-0@p9-FLujAS6vl2PscRruC6Rh*X4qhzqHn$*)L9}(HM(}!?3i!`n zoCZi6birY@P3Z+-(QvA`y6qr8vFc8g*O&p&KcaI2-G3RQ-;Zk@{`HB{?w(O720)I` zVKTV=)`ODNdOl=B(EGs*LR!&X75C1`!7w_E_p}cG_Fc0eAf>CQXS5b$6p)iOzThsV z#-rCdmafq{6pORydn)sV<`%8wX8){w*(%-A_mR$V3pgik!WKRI{uv9(H!wWR@>owF zvTovt7}bO_Ve^F$4r27YBUqth2`|I0d0qnsD*JQSBmo+8Ds?i&ZCBcStT^Tw&l2{H zYkSEeqK~P?SLFwBl%Op|(gnL=rJ3$8W$d0sg0itNle#VeXGc^mLgg8w@H;V)h zS+~?5ee$wRX!?%*8Vfa*S2g{hYxBZ8PKK(A10sL>h#`i@Z;=dSap4!AZshCOuYUTy z;tyT>1{o;ggc5&nHma9fq`VJJ9>*UCpJSa&uvj`WL3AE}U!5$kesTd{cj8Ag6<^>q zO~2dP{a$*>Z~7GLXbPct*EyoHQ6!&6`rhDRn;H!EbVc(y)Wq7 zxCv~Xgkd*fE+0ZlIr`gJdL3p`Fp8a_FnmIpVfQ1gHunofMK$}_Gr}FUtjB!srPN6Z z)UXiNJ{Y}K5r#8~?d*-}tL7eT=Ush^SSEyT%L~dQ{>(Vcenfq?b?uO_y8^Pnmn~!S( zh9y0VVk~69;Rn*Mf4)~*HQm~!tf{o9j>;Ex4|*^nB$|jS<&(Fzlb>8G_rR|%RFtVH zT}})DSCN&;nBoj*h(qXB<5yLrla+n2?g*R)$(T&km6;=VFxH?<-@ZYZI?;=xQJv2s zWsR$X4JzMaqq;kwsflEMKl{)VveD)v@AYl#^2E`FyTa9f-lx$zb9&1Z)K%*l!VO#$hkm4Ft#x{fg}lOW*t+F`fPUPNHovs62nLeav(-C+r~d z%`g%yOdB_MO|>fR{Vro7@7Ftv8k~!^24g_ zjKJf?9uSeRCa(=_9E(qAnniz=!5Ch1SGVSsZ6&wGs;O8w!=00PtW2~x3rv}|-F+B@ z!@zS&&83Og9<3*2t0eczqRXKEj4VG%4pGKS!lXm++55LLHPsNl;CIj;e0jqnh`(|n zLrayxK&=&-ccETCfb|~QAKHZqYVFeq-Z?5!{->l*X{LBd@@lQK&-+?^4AF{QWv~%A z-JdB+qngnD$SPjRx z$Yx`LUw+)R{VCybyM35+x$38EM7|qH{@`%fTEe1Ed~)LW$N()Xd7h9Svy!JGzn<)MVl|k6clhitTrdWS^dm4^~jRw{w zDmUk~E($;*C#o&Nbm%*pp==DcfB9DQdmZMhgy&7f(!^>vfYFz6EtY^+&2Qee2AW6D zUJ2b~Qoy`3&sr=Z-sSDKe*TMA~qbB1^IL4n-EY8DK|;drkR)4&?5H^WKfp^-9nmH zV=G}^CBIfp8!z;uPV`Dg&bgNrYErPi`p17Qt*hn^W86NVt$#I)qPul33GjsBIl_7$ zLq4$-79TW<6);qat?eW-;{GHybW}rITgD7Xbj^R|!Nm+%+{BER!~x9C$ef(530585 zoDH5XzBrsQ3zBBPQPVyK5kTequdG+pnk3CjQdn2+e1dwkko-*SdmpOZQlTi~grA_0 zVjSv7C8cmM80fG6uli6R3ScJDcCCpVJsU98Pfd>G?hy-)eg+6-Rfc~P_fXr)-b 
zYA|G6=5)lWcCSP_c=j5_IxA#(>(^^kVp3Sjykw&^#+{elqC1HIFH#H@yf!^zIRIswK1T{jn_M^cNwiHv1R{ zL$B%vy$kILZc5e>r;P1>q|wODrk;w7hJ}r+98H3uz`@@5!1fl-4a*bX(YC6;GXkZg z4i2c*;tiH?+PtHA_gjOUYqKK+j|h3T@D5L3heK_6to%ZJo~kdMxwwbaYuZ$Dmd5?q z`hSXgj+V{1`R&v_w=cg~uh2`W7&U@Nq;reSeYkaB!&H>uNEGQ3TGMnJ zXNyomqQvKbvBp>mmcgL;)%d|8IfKEm1^-oOPyjOr-CO^iu67qZDiiV}-ucJCB{G0Q zM*-nZ6>+c$f7Emt!^MPd@B#Q+Sj31iaqhS^ZAk}(MaAuW^y-kRlS1~o1Pd_qhXq>a zUg4!4_t#ymiGZv_)RafpAhu_^2%?nILjng`XuGa_IXS6`GP-;CB$oxk3wGS}n-MZ% zO%U6k%|vp5Y}}$-PTmLyG)IAd&K*Gvfmfcb?{KUwv(F3i^myS?cKt^`PmX|ZWSbvu z-o`^A&oOZ2=ZX3P)#+xA3z4(dT(~IFHN*{0lfOO!NI01dK+<3*tVENSLJsjC0d zU>CG`wSHh%n8RWNR#*qdAp^M@vy}1hIXwP}at`&lMUTfgx8h-1$Qj_W@>(SHXrd-6= z1jyx2LFj==fIOxK=I1^R#+SfMJZQF?7yk{LP(nKF|`wq{*dmqYQa|y(MITXnDdV0nK%##-D5w zPyEdH9nW34oCESkX6HO1rH^HB10H{gwdg(kI!tq-S2^+ev9uB&OWMLBK zm%Fh-HtpgzId#OH||AA{Pwj~J>4j&V-O`2iF=6c46p0@s3R@%SB_A%vtkr#1U{yCpkJh8#UlzL} z*gfJQBRbrC5aFw-4AMqq(>!5=0!ANLC6d^1WH<^*h@iS|YB@qA(#Wu<#PPpgfUR+4 z)2-=1iUkCfEnDC*NR>aT<+c1BTY{f_^EBTSo&Rc6pee75@BNXF`wR+A!GbyOnKs^jth`pknE zu@eqo1#_8ksE`9J#BQ$ZxiNU?7gAvg!1SA(mJSim+rd2)`tgIlRK|!!DS@x#F!8LU zgMH46_&rHZ!B2fa(F^YJ7QutLm^whYW_66kJBACJ#G@8~SMZ6!?f1s#LIkgyGpjV- zrKils9b*#X9#XK)hWl22Kc;T#N{5HX-wI%uLc{i_ygy1U4z953_d}J6{Z&bk2)nO* zYc&L+!F!L-`Cs`5faC}1npNv2rh_}6M;hA z_09jpf{FT>1JF@LTfQI?fz+u3Dwxy+r*7>}<9Jn&^AEo%feDy|K+C>AVpV#@G#?n^ zE|I4dt6Ehzpxq8}GFldUFk8#pQ24mUjVN7%kgo9u?|yE$$u54(waLo4{`M1x28Gw) z4;_dAhFewaEXQkLM`Ptyfk17fD;zbMJo#C7ujF9O!do8UOm4$P|I|skr1wB8XGIK9 z5zG9qqKa^t?uIy)3-@%%1^o>A&GIQnk_NjW`5Oor%kE?cB-QIuOL-5vazw0Biv6>1 z?nH5h26Yk>kbQH9a)<%zH5lzBzi*9I9>va+{n~{J{RG4{`)X_Va`nuh;1<(sE}PSk z`$YZ6`eCmR>%_zQU~9Xj41ubrCStZpxMW%jGvL)|sai6>XOP(3)gumccg1FGu8=$J z<5zu|3^f28(U`NWavo|U1&Uga80t=$=Tcuz;S)bNAcn6?Ov z9n4Ap%z}q$#L%Y3a0+A=JlIM}wE)WR6wF``uwTaTz_Fll*nbT z)wJB{Zy>Xya*jvH>6~{jI~-WmiUt_ZgKgWBX3mTE*zVP^KRPL1^jMc*65&PC#58&M zaEc7<27Pzwe~o;~2Q-}RvVzIv)epnngzdp<2wQyN2;|=1)_=*%gQ-b&R{ze*9ms(4 zN{F+5Px>#OlSuta(4=Vx1O&#v$Ea7+>C0E;@u%XEgs2LXza74GRX 
zc>ZMFH|@TOvo#s5{!P-zucbZ215FSEu9U+mYxhT%tA%8A3HJqdQ7>GZ4WkE?Tm|vKZPqj%I7eo*VmB z!Y_x;=Q|JgJa>aYUo2k@(S|PaGtbA2viySfjA%}$nXB5uE)puTPHjcwC zFL(YoOZ%7bVJVpYK`>>#RZ}t?tx}v$sqWah+7p3Ew|M4kCNpEIYpz=d+Yz(g&eiMH z6PR;Z+)*kQ(5?{;bdEtcWr#=}2I;j{Tf@+cTAu=6O%?4fmKiIIGw~Bg3AM!TaRaS( ztwo1#T7b~4nvjz4&>)%GJCe9{E)pliGmi_k@K5%M#1U$q5v!g5-+t;Qo`UxC)+A|7 zGHeK%){>O&fCO-od?9E5&R|=WCD%}0Q+`tePnE)8qfgm}knO(v8cV8|g3X5$vmI{? zSMUkX05K?os%}#p&>4?^@wkGPk`BgaAP*WMDk+7Z<`Y*E}1WV}7`GM};DyXb5z3qB7{IvAiNbeg1(v4_@^b ze%N(AZcNYp$E~JB6RealJCz$$H~DNZE9a9Lk$XnBr{0h2lP+_!ro&^3=V9A0;;^rtF)5D=lLE-Iy>`(6YP4Ssd( z4GCw(m&6j|#cS4G{(S39Jz)DxtVFsNmQdZ&dcFA5wwz~PA`puGv1?t>>9iMtqjRgI z_ET^ZLqSt3>TB)bdP(yD7-J?4JD2#?{b*InDE2YAjGA!nhw+FMQvN1l6)~ZcoKp6r zx^2=O6neuywxD%Vuyk*RPz4C1+-if;u-NN{5TV8ryYh>Bsv7EajvIJ&uN~Y(Cdd8yperK#~Cr5;UpJ7li7}gPG zV4wALEN#WwYRJ0jhVo9;2XIX@O}_xg*+PDgWrrFEvkcf+z@7?`A^94))ugPf6N|_0 z7MYm!DeVM)i_w?yE3tISy1Y7YE*RG@?^s;@HReWc*U3(%qTz)X_dCGb^|hg;a3|ci zAU(T))4E|Otv3RvGn-)jrT4OZ-{{8IfvAz0iVndk;Bx# zvOPNlIF+>+0pDp7pkJ)?ySlZ|0-c zhG4CWnM#my6I?6Fl;eVTmy4XbXFcrmfe#urjU%fVN!&FdN<)9*j~}p23p29XAea%% z&mQdf+7hWS46DysBZD;|bS5`#t1Do!7*%9n%p*KQ3Y6~V?zFG375V9>wq#%bTEH8` zLO+byPX2s%v(=8bc(EiS{>Q<8S^5ZPPY(JI^6{r5ye~J&wXzWCJp7K#o~xa)JY62g zEHdkO=Qo0zao3W#7)N(?V4Ty>7GeWaK>RR5TkyWL-afrdvLJmnjK-SCFOkvfbTp!f z%&-GBmL-PHog`iVz+fuVfVFdt{yYc_rec$H)dJEo9tG?T{naMuud@lY1g=ESI`#HL zM8Y&kOLi5cc0RewM+B#hNkQC9zIaC6@xc-}T6hZ(n~v1zev}Psq3I<_oj}Q{w_dnz z9}SOavcY(DFnu4YI0emyWcBDF3}R6MXFI692|$!Bw2ZNopxj;GdC zpv_aE0`*2+d4x%Z(T>TrYD17q{!o?+DrBhW5VLxN$xi-4d64>ZBT4%54U^9*-_)ks zl|Zp@0*cNfAhM#1GDmAtWDiHSzZU_J!^|gI6)BY6& zb;ar$-d~;#eZ8P%D-1#N^BLZz^t9Q5FByUO#R+S%$50FJ^>u`$gOyd=BmA==A>JpI zb#%jO&$M136ChAXG#PG0Lrfqjx*PR{SABjX$W;`WWWGT2`)(EAV zwcKlr-~F2G{vH7FCC&Z>+!;!ThzF=73C=)OHuKdRZuW-GRtWmW0q3f&;>xQSN57Lo zX9+1)6o31<$TXHj35kL6Wc7o|o7?wtCVt~+QO5^0SIl=(p-ZiDafaARwjLbv%Vqaa z3kh%ry!A=$(NhLA`8(FS)_T&pmb;><8Q;=|eJPL!A~v*mdZLTVmD1BxXqg5a?*Y)IE$$06N-Vhc~9q 
z(zd(4tj^(NaQD0HvhtihGy(DiMLnY9v8?THQ`j|Lx*FH=t^P{w=0mvPMhz0pUOQ0#w-luHU3JXE5Ph>*PW^xLx4*vz;=KQ66{SrB=lT|5x%% zQ2o9W6ozh%8lu;>zaoxZX=bVR1h8} zWJfP<@8_rmv<<4$lTHMq6(Ab1h*~Q}M!3J5_O9k9RuL`JkMA>ongW+DUa56Z%u8-K zh@SY5c`$x7)fJdlnuM(EOu% zA-l6IT(ED}Xxc)i2^dCh)YF7>+wBm$?cC8{B8{gl$I>xTq`f6Qw9Q-l@>%J|WF0IB zb8d`{Xj)7#6EibaE+vXfFFIRJ)=*6fSv_&49;38Z=Bi^s_@PDQ4{Zbym^qw8xH$8=iaq4@BbW9 zH-83g$pJWCm`$O!kh#lVmc^D5>PH?v?B%>OeC6CXeA@QDZ)vH2< z6X^5%PHS!CrZJcecDtWHjdy{1-6wAobPlMMMrRVCbiRI0e*SSYjxvszFvto7;BMTIuXT&RQsc|bXiXYQ*4SKCDwxI!IVCap8Xc<&AL(wckLV;YxqMFR_ z2eNXBKRfbG|nJ0_vrnEAUR*NwCSkVqkf#rg_He33g;&M9bi*hpJ@f9%QkT=8)iy6h&w(0&>-Yj#A#9Iunm4#di=M|L-RfV7?iSY zMJsieH91T72XC;$A0p$9M68bt4JRyFm@Nj=#YDTmY&=8|lQNY-$yYJJcLv9x+F&NG zE&jW_C=8Y8z}TeT1gdt#p+XlyeJ}V-1|$!;(1HG}cuj2Z{*>MyBdp%twnd;9ibe=2 zo;#pSY11NCe3K=EqFgh8Qb71lBz?6?`RGFRqJ4P}eUX^mjn#SVEz8DVzGWRn@F|c3 zFiQIM5=_bErvL z;lP2UOVTsf8*Bna#~ezpn%T)hgG+Yxr^Fs_VO$~3MPW!!RTl~^;&?6t!bbQ$Jk_W8-GvZxUS#xbz}xK zJue;NDSnCfILgLqy^dqot_NeO68&+|Y`jlcCiaECm553&ZJbb_80w(%_at$L>5)-A z*uVcx?@#JEQX1P1>Qqt*HLczo{wWXEfW5b4@%frPdDZRnayIm}sLru+$p6py#);k7 zbN1MuI0SJa9i@jIsJb1e(XTJNR&~5^M+g~f{x|s2L)Z8$0`(u~vKNoH_j${sUmWLe*DVu}*nU&ELl&F-Qs>kK_j{h$>YgTA3gx^8eti=~#!Dxdli zYZGFo!Ap4$7yp7*eB*~OsEj|%9GZF-T0j)>u93^tgaUu5oIX#b%mp5|9}y+T=Mz#e z|GE0YUs6u*Oij?@Fz=HLrpnDhde~n?S3n2^;DK!h7Y2JamzF+;Umfm_x^OANBV4at zIKsXVTunM*ut<^hI0)UX?wAm)w=M^c4p{X35YkT1s|Y5+AyaD6>|8bS@U!qAt&ROS2P21;Qh)GYn)sXmNRIgV03H7GAP?r#d8}zSO(w?=J zms4b%Ib=pPR@$_Xi8M5e zFeqzMQl`G}pX75=p|rsHq6j36#h@1N0_l16$$)I4BtJL7+THW|BJC4>ZH=;!O!#hq zwLY6BC7025`|0m9i^(`3-M+je*dCzo<48NDZ}U>n)TD&OGBJytZ@WyxH5$B(9)k5a zQ0mfZ)SAtRh72>fQ6d{waMLBL**H?r|3^MxC-kr^R;d3$m!{ebpeGN%$vlm2l>1mD zN${~qFu+(?A{~n+;E4%e2<+&KF|q&wBm(jmHIlxop?~03iRsD4y~cfk#rw$o6g2t5 zq=(@+YF?%j@dCG`x19#X{rmbaQ)PSwV8sV?3I{s0NmpD>)w#;{8AU_=R&V$!&UpD> zTifI04#%|0!f_xu2h~SSa%FdYD`(I!c8@t5vMY;tAwGn7T~6MRBIbk&AsZN_gmhaj z&)GBLTmg-*s(LO2(`>A|?x%UvJUcvy zwf>g+s^g?ia*xTkk+jE*UBjXB%Xfz^I~TU@uxo?pI4gK;(oxy+olS7sI%y 
zh`JuVIth}N{%;0iuVJDcdz*TrIjA3D7&>VHthc4?4Vj($VdLizyaG4cUnKL=?8a?G zgcx-!^uk4;#>FdC(s;<1S#^WBD4p{3c&H1SV%RqZE54`q4Se?eTN=$p;I(7)*EI)D zr*|&ON4K!c@ECae7v7@ZN|vf5J-W~Vyy1VOv2DYG>$nZQhoLV6&XM~f*>vAMvbKeD z*+(1LZi5AnlhRJqKBqhQk1FMG^lkW zKS3hFJAk7;oq*zn({v4_0}$XYszlRSgOPOTLR2IfDmH_BC>4Ds9a(h?^sk~nPz z042&ObL*=ayzLaJH@qHhFLxdQOK|75h$iuts4i>sd;1GEzkWq#$E{Kp?^Z>4(35Ff zQ=@yQkc&jb$2?~(F4BoxhATl=uz5w}YB)R@kgY9zdIsK{?9~`b%X4FWw-8WhBGt0A zAr8N>h>FZ6`P${gLB?8%E()9V zvUvZpbS3HZSQ*+rNXb=%`d_BxuMLjMV3QIpSK_uORi?7j@@}hHeIy{!*;3Z;lv8BO zq-Hd`*nY z+up1%<*M5q^vBF+_vF_h_LJ9PkB0I#{60Pez3-DigF6?K^?za*#-KU7t-F~<8xVU& zHY}%NiRH*6rZVt5pTSw^W6;cMhIwCTzXJ{X^8TOMqh+J2t&L0oaAY<1gceiezd%v6 zrA>gz%IY9jc2}UjRD3ZExN@|V^MGf5hWa3NE2=pYy{Wd2y!#CtHh-Ux@6T@iJ=WWP zEY#&bkCrKWfa1eqUDh)Yq_U3-flE?geOa+=b=;+N}=C0*pVL8qyot$A*-F_ zKUi0tZ4g?$`KIAxVn1h_`lba4_dbRaS^?{UU2x5oPRG?aNQMnTaK1QA^tP9>h41!a zmy60jC)b!^y}WJ^=H`PWnRFel{rtSIUuDSbv$d zxA;{0fiC7ZJ!mQxIN@vs%9S!{&T(0O1pME4pKCDZrsZW8}m zR7lv(VAeiGTU|L#1BP(muIrO5Vg1e+Ed8q9fuC?qDp3Cz2W8>o4^oM6;N5e(G@&4Q zswCS7)+6u-HP;%GGiwFeb0l$_dZ?mpSrWp#v(H7B6L0)m2EfYil~L z`W5=4=f$6Xqk?X!VRLl$EH!ea(Q`d4Z# zO=~wIt@+-BO2xF66;<{DZJYvq^0^E+f=wOJU_piv!J-xzv%rr#XphllV~?z3A%#}3 zGXXD~b4p^yy6?ys7vgMo#Yjd=3R>kNchvoYR{BrL)6Sl9Junl^dAj(5#JkG;p1$NY z2HLBBzT87jrVBkg|Iux{Mb$*G(<{6Q9Ct!?_V{zOjH-{%msO1xM-z zz5V$ti%zb{$e~aMJH{gs$ncX~lX{w_$|dpF1SFEDV7 zGmZAlU>bo0N_*{cYvx#voYms&CdTkRG<0=(#kRQ-y{it`&O{mU&4@yDE)HYa$0M@M z8zDDcXq!XZA8>V{S~sN{_6(cIArHUw!xErqem8gdWdzxy_5E*-u@ z%6AQe`IPl7J&ZD02Gb49|5b%wbP;$S6pA;wLM=%V2G3hSyy2eIU5Xk$!>;=+SP z&Cr^5-^zag@q{VE98e=W3(^t#56h98Vbx7SnRuE@b0})ThSZ1Aw1#0dqfS??*_{EZ zuo3}Nh3mxlk7ROtDl-PzQGSX1wpBSUl)Q{!u?Fu{*(KLMxbCPF^53&=P%NSadJnw( zgoicbndF^UwR|}-N0%PQGwI3L!3sMnV*TS^l8?2V8p|Bj<5W$vfx90)AX1*BxP4tM zb?_)Tl00)(+*4NrOj=%mufE?nwbRVkSwB+rvL1f)Clu2=8t}}aVZApH@bI_ttLlw2 zQ9!KkKAl|i_|n82#x2e6YxQd%e$}k*N%(6RE6m)?6y3mXK+*z^iV)Df%4mLB3oYao z&N;l`RvKUNlgLcsepc04iE=9n+zZt1hn|{&(xlK*jh>W?5u^zD@>yI~zLJYbNL~(! 
zxR`c>TGDH`&N;288EE{52O?NHT%{f^uRv1E%Mw8ER7N6KDN(pT6fU+Sffyw%g`E5}| zuu|??nlx>-qt<_9>`=6Uy=&2c$_C`d!<11RJdM`ACr`@^Xu&+jfqL{3B@w2Grn~RS zqCXuUclvo>63*~;MqRF+k1q~b(|=?-mp1E$sl0qqHHloUQFR)rMSYsr{@7shL8|1U z5{jG>k#u@KC2zyb(H9&prq_%C?zd$V`W0>3;&OZx133j7da53mrl#dX>*%fM@xIM# zAd>%sx^J@(xY@1X<;o==xPqNu;&2rDTdlYIInHbZTGQ;iYW244O~5$~{lGpO5da%J zTeK+o+gctQg+%PVZ^E8+3H#f}>TyV!eb+2ut{b&Z-NTOAt_4t493gW}S3Hz#Ry-Wz zA4uGoN|E)Um06xVKPPh1r5!)>DAuF0-=vr?6$YAmKP$k1dpz0oLPNFTxRLW=XS%Ys zRg36^TsCu(vL2d>xD+emhpP7a;)B{H0~TSIFc=L~1AiS|ScQCGEILfF6Ob`5f0#Dl zHiw(~eb;R5{ER|BJPdw@@H4jXyN^P|VQSwpxgaCypjN3nhriXk{+kOxA5Mz*wKO&i zgm^5+vB5WM0T<$tO3?Jr0Y+KPpSpxif0qumM5CF_1p=^4!?Ba*kJOh%6qK08uSutp z5|F&Nc+T7snlS&~fN8e&#nj}$nyKZU_WAlKhAZIUssfRGTDyarw_ErQr(vbi{b7!4 zY*THzebt;H8S`j_dwO~#39^&$i;5-W`z^KrBIR(xAsYf58E>YKYxN2E)*b(FJi+gN zUZ~!+l`HEEa}uFijXG9T9~kUokqH+^B2PttmE9 zlH<~8M4=;cxN$B&H%*BxUO;&*5G62#=rx$pkH;9x_SAc625dw1+_ps+G5l!`Fr*$l z$1gi)fTfHi`)scD=o3vr)=DR}L97EnRuN|ROq>^G%&)}$-`fU>pP3UIl+`R#*0g{p z1!4K;8=V+@?ZHBj%}fIOIW3r0b^&zb7jE$hoLr{!V38APl-t z$1$ci(MG@vPJ_w@B#4pal`F(7RGvoNgMY;Ep34bs%+~*=^x>UQbb%xx6VX1Os=fI; z!eg0e#Btn}is=C5`ES!Q#WMQur-qYKJ9ry|SOS0)_C%6_rduU#P|0E`Ip??kjiWG_ zETRIuV9`+&MyK&XiQ6)y7+|>t{nABtKZGDGHis3c{|JXNWstzm>t+5xv=S zlv^c?syHmHCCzS2hSZ-KxW6H%44|yl$cBUKCt3?$35j|-%NpUd{^|cP_32n~Aka4x z$}>Algk`*6HbDdC^jmS2(>+q#f{M&bk`+$I{N9E_8T8Sewsh4Z0*b^k{6v{-n5 ztN==5tRnM@_?ZRH4y0bXs+9RAq+)UC-!ZHhBHfrGnpDblW7fy{`;iAp7@Z8q-ltmW z&>1R3{%2ig&;MNv0K%UfTf&TnDhDS#e2`BoXpH|{_YH%a(?TbADNpZWk&gzs22*goP34NpVLJKN>^28^?&`aXRRF0yilNRiCoY{Y_UV zm?BHo zBW?=R$&@Ij=3%$-N@*J^qiB~_H>8y?#mM5u2|*cvyY&>Jcu!H}qb)Kwg| zakh$^d;TjnicoXvQ8Os#Kr`S*0$G@$p`Yc?O}ZTaC`p|cp9idf-h#}N+o)PH7s?+* z_5Z&|Pt@dc)h22vRSsZcIkMu4+s(ye0U`>Gy#J4=YYMEh>DEod#%P@E*tQ$nwr$(C zZ8d1rG`7@%$jF$uwZ%A+FG0CXHin`FqV{Tsr#bjSW29g z?^}VT48s3DZA3L}MF>?$f^V+#u)=a5U3**Bi^Tv z>C$k?(EoU=NX4w!szPa&-ECoEqriXE)IAepDqLb-NBG5|@wF70Qh-+ssh7XVYtA`~ z0mqaE?=N=XO1j`6lYfonO6a85PkeHQ)*CafUFFKo_s+wX0tITa2d{=)rI5;zC@D@7a*T#Pp>adFPH=1~Y#@jLSYwPuxvY0&dm~obz 
zMMJJ$-OLQ0v~LDoc5>+cpj@C0z);aY;Oiv|r*M%hL z?=jxGVT`H}NA(2Ap+~R~*Ws5h-#Mbm<+T3%%-N!!X#T&NLs&)e<~MRocLp<~a{;q; zqy;7oM^d5}b1UBrz!QcHOS!~8PZo!Rj8<%q%Wn0$`7(BKWZ#WW#&qucW(9#V0@Gruys?CxWQsQ|5{^t8Q~_5QM(GVUk=>BZ%$utE;E} z_{9Y2ObajnZxA3i_>^}BVZ(C))<SDb^cNM$V_{0gCfn1Q7+cY(!I=yDjt zqz;jCs4PsSJRl*U*&rjCFW!k4c}pDxmCg*%M9Y}85d=+1WB1=+)J$9bHs>|Iy^AKOSyAz$%P? zrih85N@4I>z_1fP3KbB(m7c12y2r%Es7V)NmG}QJjK8^!gS#^@>IGuLgUkW@_Njnt zM6drQUvugl-ZCmXzQZ?`VTX3yWTC~m2dbnO6WDjQQAXv)c5q}OdR1^6RJ(FRMx_CA zQ*c@($ufx)2GLMWo|^C|g31qu>2=%Wex|lna<8 z=iNmO-eky}_^r{z=M>WI^wxRaiRp(4S6f8OUIO@~tL*9q;G2ZMbDL9&;oVJ(Wx22} zwOm;x+s3z5JXKF6~i1TzlF0UYi*{qFEs>__wJ48KmF1$;N2EZJ$m|zQ2_t(*MNOv zV>2k!l7JgI#|U%Gum>dA+sW_1m*T#Wmfib?-M*XOn>JdVck3L|+l7gCM;OxYa)XIF zvBaxe-@IZABS!Q($a<^;z;6W?d;YeqJ32`ZKLlH}Wz%f`Lt}?3*Nu7nQ})9ref^}w zfIWsg%uy?(*dRg1{}r1PG2f4G16Bsqh8Z|a;RTCB1(+^DJ%Y+p;Z3(;0~ zMye(4tCFNkf_I z%1oNA4PLJJ)6xc>gQBR>TYq&gJYxt4!OPUu64vB0o?k1QmB4E1 z@cIe&`v68KF jf-Y$x@+)YvTu4zE$d{b)IHxzp=TF|o@FI8pzt7ud^v4g3 zYCEUcucLy)Na})5=KOjWS2y4BzI0%s^M%5X#C{pcHRi}6yZJ14TkBuFy{KPStiw~$ zW-$DfzEp4idmUkG$k%f~`)fWzMn?5eW=spvx>}l-A++G@Pe)F*^1l|}fJ-LoK(d&S(6^4DPI8!6I^>mAFQJwS!iQ^Gh!2%O?5U$%@Gd!b-o$=>>&ngct$t}CIjql>=a0Gv%(g`vcB%T? 
znlWut{mup&7OWGN^3Jjq%z{;C!H%TX(1xfjyytZ8?zLTGktooJ z9B{c&_XJd*lz4S`zXAlVQSK|KtlsS`241mI(QFMA=q0=w@qTHbZ@Cc+xlD_mL5AKT1$#NixH+Zeg|#XHv^XnvR3M4co>% z#FCLyg(LRkrmd#g`as@5O3G!t3IR6JzG=xzyZVMN8O7|$&fLP|R0t{wtQIX*P&zN?UisDvO+dnvl~mV$hyv2@q=5XF*WS}C&|?;B#Km2ebY)A`bt_U; zy1NN>qf@ndDL+!}Vqt8zo8x88FoNTnSc&yFO_(q8Pt)BE7ke2b|7j?3p3$jRjM_S& zh9Z#;qPCuIM*$SBtn)zA>RkzAy>@+lXbE!v*?sN$EZ+pCE^gEsdRYEaHZx2$B=o&# z*(n}iq1Gb?n~#_u1^r2B@r*Ib{0vfNMWU<~* z*L~Y_??@~A*%w?hJ>zPKT8d2Ob6X7GFFcaOO( zLp)2p_MQD!#qB^bWqMq3(p=fJG#gvXASJbM7h|wQG@Yu*WqX*>wSCe2$t}FubNS=N zSYwRNq@VH}>s~uWgIkDmL_^XM-CC!oubhyZy&5S0?icnc3s2PhWmC?{2$w%@X;rVo z4Gi>RY}p(hJ&OZERtB}tE#rhgQN7?n)6()py8){FW~)A**(p;G;};@1-pNc7aA}j> ztpPyHOu@Scwzp4EzuGTW34~3KA)$h0>*Y@lbW0>Xfm0q9gX%Ru~yyR@9rv8D0n_R`f(`nYIbi# zG>-3G=G1dn?1MP1^KG(vhS}$^+fGQ0?CNW_oNVN|8Wbzr#0gUOs&YEXpaAQ(!jy25 zW#!z^7MNPATJC{yz;$IGv+bO^AAb#4^5_I%BY| zbxnE0!lThQ@3rGWFF_v~ydAWfZuAJ-f-8Uv+nA63La)DWwKL!b=G93K?POd_66Gb} zXrQaemx7gb6oiCGYl7V2w`A`g#>- zz(s!})t++^)%6=Y5Oes~(S9=}b*9ULO60fw*R+Kliv(wYYhfM6fRM|6O>MM?y zhpiO>?@imz*9;%l)=yc|^*qeO#RWh(W_B$qy%Dm`y3}VAPwK3zj9SB}Z>LnYdaLV6 zUV~)$9=zF*G+KyL6u{_3N=!FChMxYA*69fuc&sI!xC#K1CnOA{AB7qTF8>fGbhez) z4i+=;Z%(QE8$VwA-70_()G;6g03iq}Vldd2ZpZFAmJ?KT7XYe;UHPa;knN>NTRj+8 z;Ec-yCFsR+V~eo5qb^{(kL$tG+TxXSTumR)hrteQ>4|<{P{x}bEd0bYKc#eL&!0Z| zb}6ikM`qy-BVX?7^Xa%B@$e#mej+*yPlVvOze^=*(S2Qr<~?BIhy}5rY><2%;+mg{1$n-~a!Qwff zEZqnV&bVkpZ@IUE_xM4b;C0!G9_@ivvf%6+XPh(yH05`k6Fm97elnB)AhF}l@o9_- z&1YM56%ghH9xgD4IBC|PQcod*r>av#Gq28PK_edWrR)Wxo^^Px+IZSUDg{1RlMhR* zWNPB!;c5-hH;AaP;V$y2@SupuX7(iq&#|^45sU zQYeM!Lh1SFE8-?av13DC5Vw3BXBYHuA~*^N1UGadVt zB|po!8}^IbFZ9~pJgVQ#puxkz!Tj1CbR(6V(y;h#IEru>ab7j^vN~`n+OTp!?C3K5 zgxyH#u@H|AWIJCyp*J7BUdsb)qCrNy!OVq_UCF|mt`sGGJgMNXSB28-M`4|a+%0nx zv&VHGN-a3SM!&KD($Y)=cspiQW%Uy6>wIf5RKLRgN}<0CM*JlvT2I?Cge1gP34TnJO|mFt z>69_u|Mb@1B(kcd!dujMCMGY;DB$CO_&+l$ zcx|WfW{~yAj3O`~k=1LHrHbhtIKl=qC8L#=^DMFBRBXy(GG)0?(ix5*mJj@pTO!&} z;l+g!Zv7+d<(&{{WqX(_8(%?Hie4)mT0g@V;h?C|WqPjX?aMI=!Es-$bL041BMH3V 
z6WAY<2<0gF3sUNT&hY*SAMuZsvitr8ul;$YKvsUyCnUFMt>V4IaLCwtWS$V~K)UE` zCLVqm|Mol4kseR}n_6Q;V{^BCcv@>n8jkp(*5itG@eiV* zu3r;~011%fa1qIjD`I2NVzM)I8NGM}BtvJ%a!rM)D$+=lU zow&uD`>$`RNJP$(44W$gEy(v>k!|=g>F^|=E@(gc3OPu0;yi;|h9c-~S%}2bL^-tW zvE0Orf)tDY1-#(qv5ZCNihtCRM>jBxzYb_P3K_zVozp18!U?$ssi>XF>^&VRQSjOn zA*I41RioD9DH^>!q}CZHTAG@cIy@cOVAfHn2o)Kq$fO-wJ)hP8*{Bm)_&Qh1? zqHOHRo%LLb0;iyR#x`D7@qk{O&;yrq4>OT9|Mq%1oe3gU5@}oY&^`3hcgTBh(`v$z zP;7L63fVDoYsz29#hIP^cfp0$j9VX#%LfrxlgmvDrf9!c z8^VPuPdE?YL)_K4a8z2;T&x?%wo3ytHcqExdyZX|SFDB1MHQ^`(;aBTdV09ixz?W{QEh12<3 zb-ciE@`eYUubIpwrP5d4*VB6evY^ztKLSEi-ySM00r*tXPRzC}ZuUguTef>Gu2T>CxT zhbHc|M(o{&+Nszj4S}YU6fCKEAFVW8$nmY;IS|>llLzdy{}~UsHb3@$eKiYz{i{(J zCOX3)k~l&NaxMMzji}G!fSww}=!ib6bavRt_uN>@Vxa!F;JGY|^b`~86!Yd~;Kz}o zn%r|Xu51_tDO8@9_7O`V0EOxyAp_lRR4}l?R|T8Y3gLCWj)|C~h%fhYt29;6FbjHe z>Hv}Ezo@D(7Mm!hS^=h~1v-*Yq9Ck^7QcdumjE-`utq}b5Q4h+bu{ZVa1)B^-R5H& zBIp;PDcP4XXk^r57VbEdGiX%tHg{4*LDz)+$gb{afU<;lj`Za3kU%Ge;N#=YXb_-M zJ0d{%rj-|GLXk1tx816n8Jstm_Gf*!Rp-DFGr~os8$)xj3xq+~D z0UhOl{Z>4S82o&96pmbTa?t7V@2~f2lm@TQ?aCe$Wz)k|Om?XARm$jgn|& z8h!86IEG*GsF^L)SQemp3UO{b+$nb-^x4lEmQELWZTh6jes|4|AGzl8cG%}gDf9Bi zv@q5+eN!XNjxqkv0`+fz|D+ffR)9fQuU@p+eaiZ5!yR}*PyETyj+HwqGOBqdGd;3W zAuIA8AA3xJGDP7MlSqsC`(RHrR$}w`Il32Up&v+*Jnm1qCXGq%+U0v1c0D00d zz_Be*CRIoAbL{SF=?)LyF$W@31hZvK^1R({-YTAb%gi$j&>V6A-(j%$UpnvL!eDO*b3M%W{lrx=3Rt_9}7oBRhQLCV^4?L3@C!TKuq0MD_CS zW{&rGwx$EXCQ9Qr^)P2@K4{`?de>{^oig%PLOZ^`oOTj!=a@Af{oh}6kT!8_ewdfz z>?p}Zr-nA{YA_+lXC@aren*m87wQJV;+-c8ZvXJZ_zUUF2p+=8uEAYo=3ZVeEE~KO+AyBX-LT+RyoDFjzgU~l3 zesM>M3lOEATd7nNo7n7TN}_|Yiv|6E7b2u{py3~3)Ezp))v;!w~HgK_G3m$?nlm#nWRQz#jsBpONeVC+`isIbq!2+ ze<11N$NI;fZh#odLP9Z*Ad6!Ct$F^VmGmM6CpK-tIp==tBDD3qtID7!%Yv%qD=NKq zZS%TaQ&9~*>M&5|MNR~7?M8>D1C$}R*3S3(`ZR2(ug_q#ODmRZf;RY<4}lY1$KD;?cFX98cnzWnT5R7gf0 zk!Fn;DqrCX=Vg{DQ<(SiCqIX@$t>YFP3|8oV(%_MQAmh9`VuCWD@sfykQ$Ve`=H;2 z%*IIP2F4!!Zx=#jp-}!KHWESSm1y_=$wkVQlqn&)A*JBJ^F z$)gaCUiB)GLD=KlAghH+2klOHgh4oHlRm}`j7yFjoe#!CekD# 
z$!lq9^xwAQKbzK0h?q;jn~$bR7`n_j3r_H=d;0Wzl7ck)h!gjT_Tyh-$46QX!nnDl zV3&%_>nO;8d##lq92HLtW6oa4ER%*Q4r9j$@otr~_z>bgSrHG7WOWIP_l+Noh?D7= zcV|F}?e6|Mfb;u^;lD}l0dqf{RlH_VEYAmgAtE<+l|gu zYCflVGF@vaA>(|{ua(u9uFqfBy0BLt@Fbll=m7~m5|_R0#MV9gd^rvG{D$Q4txM8>yP6Gt3El3CVz7Hp>!tSV zZ5)=dV<`fx^Wd1RYFj1bt=A?&%iZsv8hf1z^*29bB+@cpmbRgLx}Aimx{xZ@3ICE0 zqIDm!3s|;%lAf~M#J7PbfY$moN_aKLl_?@6)l8^p@45Qz5CZgq`X z_NLlLhbiFKy{2U>=+e*2(i6&abh7r`Mbkwa+hVOEM#BLlxl`m&T8MF z_TwkFEkp9dE>0Dq1l~K)VNryz}cX{rnSjN zdxc%v+`!F<1-p1o?eMkkl)dBED}=}I%IqX;4&~q9qWB6mdw2om*|b+QL@^%|K3`f$-ZM1_1 z5=*ps!3RdPj7~c`=7`*fY0T^h>S~e`8pPfb`ffUCD?(3$S+`G&X^#uM^!~sernZir z14BKQ+kY{AabM7d@UuD9mQ&R(JM*HgNA3sF#+AFv!2nC7@hyLzTETlp2P|#PVeD=! zVU}fIR$<9ds6m`(wKuB;YSOH6>=1Ta44uBeWV21*YyAT`o@F={|09xJ zsXJhce*q@lQFq>kI@IoB$8iBx*B=(p)z<031_TMiv~ug2J1jL8S^!_(t6zB}N;*i) z>~V|BCrV7&<7l~vRy01k)Y&ZCoPIJv;Lh$1(v5$$ff4SrNO$k_CRbE)B$DSE+m2GM zbxez>3z?3eLlo8Mjg0$41aZvaXv8en$rwUwuY(~!NksOLgr|;)rFq&Qk%;#QTrCy@ zTm9n(+jZRBId$B%)ta3=!NwnMuxZ8FOVdP0fVg)WE@DL*(>D1>;9B(e@#PVYT`7+l zJ6E2XeeMj!FXBWt!jx}*fEH$xfHL){ZDch%I3r=p>ejI-TF97#oT=OzwAmJ~>*&yay^IX7-kn}+cMV~KP%lFAt_Yq)ETd`_SUESb>4H+w`_TWj63gGSrT!m3h+wK z_G^fB{!884AgdOH<2V)O=Upu@eFy0nHZq$J#+d{wj~X6}Hy0`{p&$f`J>SgFdk)s^ z!vY63g#Qu(ct9xHIlGoTUXwsgfew7X1c&&hR+9wU1K-&%V!j@79B$xl?Ef~fR2M;G zd&>g`8s@00E)C8X=6dL~7R6^4~0+k5LwVs9XoXekZbAC{8(JnsR3`{g$_CJIBz)?FF=J6kVcitz% zO^sSxFKG(^R$GhY=zKe8`fO~8VA6ga?8Uhitfynf*@?6H?BIs{3%L;>AsGAUAWn>_$TMFF0`QkC*gK=%b%{>t09~l+PO5dKdfTu5XP~mg>mL@Qa}jnylJi);O^^l_aN;$#mCU_T+T^CGB$gxNxgz0V)Q7+ zWR+PdsjdXMoO54tTp(3?e_HF{_)9SF!>rPe@|#kVwqtj?Na}!GkI$##BGS%7*vajN z@b3-{^SJM(L*N)-R(sF~%S!I76UMcZRPd}6k zZyQ-wnV0MP(weWEBYWJp=Y9&XUoLlekU9G+tq2Z87F!hyiT8{n%5m_A)=4E6QB}~l z^+uF)HvOe=SfeRCsQYjwpzXb$@NiFrd8%wyj8-`NxDp{0ka<4*@`%1HRC#V5Ldf6q z`gVNwTigLcm^DICpzZI8A)^JJJhnEgYZ&fg>! 
zh9(sQs7~^`Ii7~BI_9LJ2<7O`*eoLCR5x?a1zYDGx0dIhtap^QR!r2}w4=7^HF_UO zsS)eS0ijp3jE5LbO5l~k zZ*w*Wpe=4jvV^g8X4LFkuYMj-C9zU!3y9OARp?=z&}+?SdEHHRVt(=rZs^)Wz~+6( z;Hek2)2Xx2Kd5kzziEVXJYG3bwmL)O*op6X<=$w!-&b$S8#uPBslnpVf+tI85yx}b?eq_cAs{zpz6gkSV(QsNy6Q2!hbE2wjjy57h=AYB+wE^B1HP$FND?= z6GS2OL%CoAH+*<*5c7D?2R__F%P2bu%y*Al%P>|Urb>chNu##uXC#HOCXDIX>R@u> z_)d1aC=n4p1Bd}Q7-Jwigo(uWT+dy%9?dp>uY-dUrl%>q32)>*U};Ln6`W|6@2l+A z(f0!{wQh!Sx4Mr6&3V+TSr#sC7SEMe%}$K=m~GI?znf{EM*7QN_ByU=`QRHMNBUtZ zYF1vqDMU`rs*tepKI7UzWZt)T%AVN)i)~sf`8|Vye`z7P7paoKivw#YAF@B2PSlX|0MbNS+Np5EJNm}P7B z3vX0cHn_L&z|JkGcVklcFF}G26-8s$5=;c!rx0*gi>o;2Mn(;mY`20qPg>O7vSWYO zs}Dy29Dp_|d}F=I#XNfNMgv;KVkj*5P7$4jwwv>y1Do{zhz=RKu+}l&eo#L7_&>D7(*~1t7UKLU=M4GnbwiU{Y23j{t|Xj zfI5cVm;-WN8q~HZk(Dq{f*@7_doDZ8N4Ol$z1QT=Gyr>~9U12@$a8>@i3nsqom2n4Ba*@uoQ{cc%yRkhXf z+=Uh_sVM?Ss5k}gRFaC{U2tenJK`PDj&y)(zOIi;Pd%w03JYNEa z^$f7-8msHZuN#BDux)Lh-U0e7D5XLcaL z$&t$4-UI)oWTG1iy7R7gw~svd+?|y3mgh41=e1#zmNeLRj($61Hfv91Tz8QD>BpTHu*?M$4 zkTsyOaG<&{XG6u>5puVL{Utr&=Ys-4ma7RL{DjHryb{2fatCLmzeM|WGI}CqL5aRQ zM|4v}J%#1S8$jnsXWM{qd9EiNDN*YjL|s~s?--Rt^W?$b6@YheHU+v(e}9KDc7;D>2Angd7_pgMVj6JmI?h zHtOd*s#;(JmUq!pcZ{t7Dkv4;@~U0+8`W0^Ck_~EK5^&=8VIR)-~02v1)j`v?Xlp* z@_f!WPp4^DFGBN}4Z%Eyx6u<;gFmk(B`|n(F)ed9Y*4`_)9J?TYYRQn1aP2}%R=Y# z&nNQpUjKG)O$PsLdKY$LnX=^3wkSS+X!mpLnlS~M6Te_T4|ckz)?-5Sd$V@vm-Yx! 
zj#T|CP;Tj9K3iB{Mh;o7F7&tMNOr5}y@EO)ipia$13UMi-W{Nd`9qN4Q$^95v>c1U z$QcE`aS>tOpdj~Aj}r(hh7c!5+cn|5!+6;Mfi|`ZI`xkt?vLDX(1gLuRBoMA+KZdU z9gjNP9@AVsJy#80HB>!9c2{+xW1^r z2oiPfMOv}@nL8=Tf;WTZ;+gO!k|xmsftE+nD$CZT@(t8(mIyM}fk{I_VGy#7BwYyp zv8d&B?g1*=c4;=vi)?z{GO1$Bohm%YgG{w*-A;RU6PYpF4~po9V6B$4xXf&5kHL^etBTiZhOYn4VI=;F7&!^6k3t z-uaYeiEs|&(>;(+?DLTzzLqcp^`k-HHx#nQ!os%pi^swzNxroDhWiErkpCc4)c}@*FM)pODp9;XHpo4^K z0}zMXf=Iyc62bD7?ET({47Vb*40^v+{_(kCPNp>+7+(!bFKDn!f2-=tl7_GK?#y=` zW)(YNY7YD!a|ln9+rEvlDylgzyY)=j5U;O7pAvbq4t?VU{$%9_XepD(%B`xV z*j&e^La67CyK7nz)=XC zkEkR>Clip{&6EYBkuXR}_x|Us{QL0>BPv0Wc;>8B2DurE7eCo?W8bZYPl@QjfNIee z&}ux7_dB%}1*ej6E1(ostOP0~f@AK$cqR^I#9W$}cgL=MsleNchFLhV47X2bP1k~C={U*YFn8uz?)ekqYM%-6Yr9AouKH!g z+n^((P<^b%BapY${uz3XG5{Jt7ZnC*=>g}RI<^&Fm|b~#B&X@)a{Oy z+uwpVX-KIPlhLMX!y}*Jswn$FZ?i}fmgY)|bqLq^!&p5jsdeFX$6W`ZsbuhI~ujgmWBgTGuyR?j( zy)c@P8P9LkU+1comCtUg0kgZPshTjYH7Y)eLcTi<&e^M@SGGpq2Yi{Di5N#4zcE&# zw>4Taq>0_JspVNxhYqNeTRj5hhq0OZ#Ivm&R94?5U2*8fjk6iBwe8`B^p`{>9{mW` zG8JCmb5BA!MU$gSW$1avC!{U%^1?^>(mj-r=0hVHML$Mjr6Enz9;Z%Dgc(ay2SsEkO6aJ;ljv1_RRP?%T zbHF+QI7z}3jWtHIMJ!L+grU8u1cnu&>S{H}FPoW-F<}|-C3<;VY}KkIQ{o-p4|h{v zGVmhA@Q`;0H;F0Z;Tb_PGJvoj=N@3c!qM&fOSVQGt@LvoJ1!F!Zp2jN7?>`vqUciw zf_7{Y&Z#A}OumGoZH@km=O3~Fz@H|&11EmLfzCA1fcB+MIfV21Tz(u?sfINj(9&r^ z^c`id;2pRQaWULrXNj z*id`((3GJc@wGO)U>WwVzLm%FlM+8La2del^RY0xzOL&Gsa)^?0 z5%)^QNm@pC+v>+}U#a+hu$>SfZfj_sU1u~Mrrke%_S|UL!EDsZ2Dd3OUx94JZSu(_ zn6u3E3329nLD&!Yy^dF)CsRb0aajiw#bDVnt&Rl$a@@Xu%CJoZ^32zxdC7i@)?st5 zpTaWh@jYN-0}fKT?+g>?)*Ss;6nGh8CohYwJ9oB1ti1$JN7!HTlj3GU;M~xHhnSW`nvpe#e`?92#N|wmA&NPL_db{%{PD8#4 z%WGVDE{xLY;RKJvH;9V^c4nKS`S9>%Co`PCc#Vb${b`7U6-)EWP3tprn45s#HUaav z0dnhU6tHR?Jjd3D%d|gj{`J)4@ypFi+3b%K*F+og)0!rWxoRtHbKxgqZ4dsM>>MDQ zzWm@9!`~Yx8L05M1ME&Xnt6s}9sB{FslNy>^fD5V*yuh^?11>unbh{=8@@{dV>!SH zM;Db72ndGq$b3Udn1*Om7G~#UvfsF&mA`QY=ls4Oyuk9rd~F`4(8)&}k7{_aX*`+CP_)n3)ng-*EAOXUtp_w8Z#jW4m) zV`2$seX+xzsBk~=PQ_)RIJeVgy6Ua#QsSv59>bGz09$s?E%XlOu{@GpXQg^bcLV1P 
zxZ!DvK^z6iFICeQsu9CXK)p_Dul;>6g4~d4p6Q7yYwO=hF5lTLH$#}zhYkyuaf8-G zV}J_@wa}OI=h*tRqYR!o%#$C#kE_Oe+?JB`OuEyOU*IFLdbf?X z^&6L1*H%}nILg^<5lm=JCK_SCl)Xy+)(UUz@zIw|tjyG$BqnmNPcbeohx>MCDHHVl z8&c|<{WWZF+{eVzugtR$_F}9ZPzm+gmAd6#?uGL$l_PD-%WGx)!af%nn!Vbd_$YI%h93^gRI8)X$d;Yc(hp?kSOVzjPKQj zrq!NIu_7Bh;5}7NW}Mue;2{XPVqMU7Tuv%xhpH^N^CG}?XC=kx0$OnRgOR_Y}Z z#`&p(5s{nj?k8oJ@b6$Bb(v@a>D*`^U0o^D?_TO*hXY=zWRfpxbWf$_&nh(apFSIU z;>hMWm`Eq5mLclMvvS}U@J_6)MTwoU`hQ)tp$|JppsLYSOSB@M!~U? zqSiAMQ~l(KBBG*`fRX_QE^Y=$;Fee>Hmy}ogEVRF?iP7Rc}*r@Ax({`uj7}^xEVri z<`u>W3en`^qRocZ4uDnmwHdv3UW&8`Z7claX$T4{YVc|3-uLZdWeT0p(Lgh-pELGv zuf^V)T{ZFGpFQFN7LgfPPyQPd$tJy)0}^cNI=xmvuU$BJ2ndU!ga=K^+Ih`$)U$M*2t(ku(8%N zs9BNAc3Dlzd6AT2-I2>`Kh7%CsJ+Z`L6e1<+)>i+K)kA$R3UjVtn4rsjWM8kMr0{= zhk*b2FlwOKYtzyVS{=JV`m?2tN3}Oy;OXf$rREiu0%2KJ1m8uKBT|+m+k&N79X?K` z27D0jTz)(V%mCZK(5^aUOnbVv zGdeG4&-SfVt8LC#Z%rGXY*M+4%qCpbwqX-IAJVsjV z3JE)I#Ji6wC>;wgUD0f*%RZAe31FSc0uRl>v9O{E!-wUDZz^FxIzRu;lX zBwKY%Sv|$;dHPm=iMeu+oY`QP({UKrx%DHV8823SGP-u^K|AgMJ%rw;=g$P{y|U7! 
zXbnh#$J9sOE_X(j_AEM=Otmy#&>KeZULUVlc5O%A2H&<$LtkpmZ*D@Xwn!Zt{8F*@ zNf~s*2jxfC#IjJ6f_!p}sbd2cgb77)+WsB5aXj@;4QJswf*E^=x}|q)(2A(^Ry!*t z67(KauCyCm{Jb6z5yh3%+a`bD(}4=&r@<0GG`l|iGGX*25@JP}#&|sEtd9}|SN-%Y zu?=_PzJn!`S)|1K@3>jaaY7|&dp4|8bve_h{LR)htw%#*6J5iD+hEc^`awmS^OL7y zlJo`)Y5{(XELZTM+1g#gzsFgyouaEGb5Uh<%+El?!>)y#WOt!c&v!g8w_ydu&O7ui zTXj;+GwOp!{hB)8prW%XD>E(-W(hnv%ov(rWSFS&ZD*0jzdN;^H!w-(-LqVM`)NzS z|C4EQ$f`MT^n)EVV)7qdYQCPP>wvUt+WM$aLhxE=03qsfoRgFZc@bCLX!Mxy@{6Z% z$Wg7jr)MXLk&Qq;cV?7b@UamJ>tw4}o{Zaf!oILI1Cp);)aaLWc9HG@-fM@!IjzrJ;GCw!u6eTCyvaj6+-u@AgdTpdiQ47RKM648jeq;S^aJ}`5 z3w8_t&Mie%LSmDm86EZibP@4P`=L(TA2sHH`If!+#L7kT_51RvUQ27a-^ZZII$J<= z0|Ki3n`bjc8QmBrsFi0r2HYj2{oC$sWXtvK1_ufOa66M@=sx88FfP&-HTp&O?(26J zUGD)_;jzxJ>dSE6J%lITyh&dqH28W=s3pW#< z@I|k;MmD?1GACW7&PscbH4|BP8d&u+Wfmra-y+(%gA840QaTf4$YxS#Mw7^bDC8zl z1C!~hdYKkt)?AHEmmK-HhP28OMYV@cYA7`G3Kua`*S|!2uwC0sPYTt|0&h8au;ED0 zBn-8x{}K`>4Y3zV!;6#)AY~A5+C!R8H8NmzjQ?EtDTeglE{N+W#+!mLXN+1pwb@;wcaA%?)mo95h#-0)O|M~@DSIQKU8Of)k zm?L*KXECcXH3KNGTsHWMMb*=&p49UvYN65nG`}e)n3Rec<;&}#@UBbWJf=07KNFJh zyP|Iuyp=Y3qxAmKCQJ-%e;AdXc5}$&qTbryxf&}3P!GWqa&l4oL@#~WYRbjB6K_Pn zgYW7t0Gcp~Pr!Ujlu$`1;+7N|oI6Rb_j8ATrMf%G{{8Gl(n=16ZfZDpIS+8r7~V9*pXLHJQK5vlw9q{X$)avJz-u_YO;Ct1q6gAi8tV!X zl9GkYHFn=kH|C4jCM*zY?M8~yf|nHJ1pv>zyB?wO(hjZZ7OLF%s> zK4*xv>3L=(f1L{8M^Q>~#-|7smxLiHD|d)q>WTDJq!#22YUju(qmJriVsf)AQTME- zpR+c9E=|kTA*cTD()2wKQ!}lGyNYL8I#4l;_Bkwu%F~)*76T8GD~uGgSOI&%!1`Y= z7#V+h$zZNdlrk~s?ztS*78XWCQk(L(I%d!xjTPrlWM9vLq~bJT;{QSaJ~c*^-%N=| z2KuJ;q3J{J9H6PZ8I}DWhS7=4MKvEwzY>q`suMn0`*(s+yJYrC$U3u9{(g3})+%|R z$|8S}q1+^T`w3|DjkjbytYwtYl3hbh1|wF#BJ1b~Hr~oU7Hh>C|74kQ=>w|D?5n)D z)tOj7W^C^`RGy&?GF-F)bo`22J|;;{PbsPT?Oq-cCsI}88+&Y^A%{Q&U8;*QvW0!R zW4}u53!KHTrQ(Zcd>^(0IR6By7CHqN5JRX^0>c%l-dZC2nVQ zvg2RWf1y5HG@QR+~VAv7?W~5Ql1|G;M`gS|wrF9Ti*H0S5<7QUtUo zd2$L8l8SK9(qVJrq=7YYlI}UE;$ROMeP7`zu_AK&>SE{_$~D8qaYqkEA%YVmo9eoX zKBuOLm>bE-Pvlie(q_*BOynB8%y`qvV0@}|AXzkax{IqiJk3W@FoIY-eNJ zdAEJOzxMs>p1pSWnsXn`IcLs%=E}8ov~wp;;_dcQnn7N5!2!F0+TC^uU(>fdqR`qq 
zANRZ^x~OQ|r7l(4t1V3L0?xH(EcB!CPWak^DwL2zB;Tq+Ei$YtB{ z+hf@lFH8AF7x;~32Vw#aqbzmOXmW_)=xcOC_%wG@!uB-q6t)fP;nJS#VMgt8ug#3p zAyk8L>I3V$;pdPChk;DRzTEMW)Aq`F&J?zQ)+4-tmpsEc-i<82FKu6IoLP{JCMn?| z9mQvW@EIl=Na79-hYB((Al$`D20%c9l}soSwCYBOVoz^JxCcFyC;vUB(+pciSLW78_pJ&>#O!fvEE zg0%ZQ+Kt)9)c~v5g|Z;rE%5geAl6!~%kRtW!K8WjCcM~S^VU*!b^bQ@OqP!PF8L89 z;$d@T1NS-{c)vTgoI6#jS&`$(w1q^E7MWR*T^1V04zZ&p_K@m2Gbcg+974Jr*58;( zt}%4ANkhVJ!V-yft@dc?v)sb8gn7$`o8;+{sNX~e0Ld29UdvsHV45A5HKsD>x5a)0 z4w|rXX&cHEacW=IPLoav(%jAul&VZL<|-Ufb3*QT6ecLrpf#di$ht{)R#35%zQ2HWO+M@@i9>AF4NeW(PfC*U_EmtwzPbdEXEch}4uaA6O!&&!fvF z@d$AM!*lGer}pO4Bjkwd^){2m^DH4JL`YClUJApX>P)>Kq9k&(-L+ zT^E}ZFcF|E*dkXBvdWm=&gG=89;TwB7RVhL(-!xU=xHI=RvXz*In|We?K3x)7cRQ` zz2l)maAun}u5{W<)U>7TPRk$n{E(!>cYCzQP3d!XAmrCpKJw2I;jZSES($ZT`Q}c{ z)|C|0SlMPFH*s|a%ea3^JEC>;8*UHNuhF%=PmEOqWk0fOMVm9}b!Wkf8zbwn?qlC} zNwCh%x7hWJV+!cv$x5+9|6RNv3TdOG=Azq4)g@Js{0AgseKMtdmUvhUj8JrTw8Ho4 zDyOC;HrU^0lbXLgKH6>EQ;_H=CvJ^%g!L*HyGX7bI-vi~y;W>4zToM;dKB;;FNTos zUcNa>eq@fH1)Sk9i)C~=(Z3|>(NcyJehr5FCTYZ|{S5;_ByBvRuV|o7r^PUzc>4u| z=D(Bmq9>OcXNiwx!1>`X>E1?+!scmmtaK|Ii(KkvKJ@x9N*kMJbG}0OF$D-zn-iUu zxe3Z)Scakv%?;lHq!6>Mmid`3ZEZ{UZkqK{^-K_4c{atmK9hR~!`+drQ*)NCXVEC# zJT))Gzqx?7elVR&l0!M|RP<-9dTr(M4Ee)QbBC*u_OLc5$E%V4VcG=|y+`5rXJ9#9 z6}<(E=GX2%7gJ*HVI|CVN52ixHoyEby@nF;h4*4Qh_&$Z zqpD0tqo3FDVEP=>;Qr(eT#jj@?O}UPz(>C&!-9yju+<)4EbJzcv0;1^${rMoBY0Xh zog;WBQ`LIY+#q3|~ zO}EiJ92S@DosD+A)fOMmygjgRtkHJ{GD2n4Wzg=R>v6@-H3~-9I6RP!r^-CfzVXMt z{46B~HS}gdQObIo5}TST^^T*uEx*l3P4B zZ;J`8xt7R2aYI;tKL)hXzKtmVanJJ{HkC378bP+UrkZ4%lC|r=WkD!8;pNhyV>bjS^_V8Zg5uJ5>i4hWYMpaK{?Dja@~xZsR?dwf zy52b?HKZqP>U&@}_G=vjV4vh8q+E1gZ{^)xHak}NPguEw;w5ARSPwj%Tc-zPuJ!`w zv`NmcfS6G*@Y<`pkODDs9$e5{5I=Y`1H`m5tu2p;g3;m_6ogtZ!C18VrN2qyfHnjv z2|B}E=V64`1|O?d?+HUw68$aNS|A^x#GNI=3<1pyl6bTr+iL416Dg6~_1ZHTYx~H) zfP8pWx^%tO3FJP`)>a!lr^(dXT=VgDMa^aoTp0@6tck)fo zbUd^sQ2)KcYgd~J5mumX{n`!q!isZG;ntkwBAWIR#345l(SGSQ#p@tsN$Qr2;(p$< zYC7}-W~kjX~oVDdQUL_hevUu^DW%fJ4J!0x*Ix>rM3u?v|t_ 
z0=Hr~EIVXNmaR;_ng@}|e%Gg_vO~ZfP5u-_jLZY+XIYEXx>$&{vEpTj`BlfVLWm>q z=-#Q}XNvp^PUH&PELFY%Bnig*oW3fP)P<3yAq(lg1jU-=4=Ph^yAc|IFAZwBzEX&- zD%1DuZQQ%z2c;I}3)>T6`dy%(R9o^7^ta(V1HgZriG!5bE$(7D963|rZ>Z!`*v>ut zDEp{yB0jV(M#eM*VgNF~rvmYgfIkcW4^--xOB;dDp)O7baLPUxn`9EGyA$`55gQn| zgP(9#Be3CWyF(i6JiJcX_KT{LgVCxVZx@`*GL!4^jMZ54+PiKuTd%x_^!vO(9giZJ zRSGQwe_qYnMe=z}4rGK(>4Yi@FlhkUvF<{FZtGfE5WZK6%aKx+1i#0V08d*(z}QB0 zEwwd3oJ*VhZ4r(y9z(plH)V>8r5BC>QRiPa-Fz1ydp^M@U^0?0HtJclaliK%E1mmp>PSVsa3J}wQpDy+@~brr8c3lWn)w|cTy3%n!@5Tb z$^sNe&Jb99`Dz&1R+O{AXoOk-JP^U?UmJSilJQ*|Evq+>z|=y(^kkgzHC7fl+qDgc zk}Mqc*y_6P8(_~QgGwupgMRap3Hn*ydOz94@p-fgu0B~EykMs4itqEjmIjY_@!{_1 zpmJlVS*U2hx(hV&Z&8()g_=uUJBUoyB6~FtYIrJ%k-5OZhC}ejkD1{NTlBs3nX~e+ zW|Levh#>t96vrwh4?Hy}Zhi-fyrTt_l42{iKQGUH2BL z9g}xGMvBjRwQW$8d&9~+9(*{bx3rtusaf~dO~J^+G=+`-*9f_mo_3DGhRRpvG^h{y z%-j{KnDiY=rfVP1{O$$XC?%|>=iwhxe z)?LJ4OUFc9{C8~4@)iX5d?a8TXxxRS%{M$wi*wJ+u?3B{XjG(2e0POB^1%K`ZM?>d(szL4Lc)6eB{T>!~^tK8uB_zmv2ga zXAXrQ{`el?puaWData~+1kwES*Xc|CTM4c}e10%*uV8?mgp>P#2fE|pFV+?OiMqeU z@0Roz}`NhKpHosZ>>SO z1^o_ZEjTU8fakF5aDinsyE>EV^js6oN*m5*7@I~Enb$a`g?njD6X9wn(nVX=<>=U6 z@_(B^ocv9Foh&-Q8B^94H{(^@jN2=I2;Jc>%IuuhS=G`U53buS9#5Y8dplD#EUZ`Q z<5p>CSg`WpFs5M{uS>wY0+KMwb#((pJm_;+!gxYCJt!$mCbwnAXdLN)te~>uGS?)J zDR{s#q;4pi9PcA$wR7lcaN<=de5QS930~81MnxnH)$@V7$#b8CIk^qT(N~HCx|`-D zETFToxlOet2-W*%U3=cYBK=Jd06^87R4cKzbgL?bORZV;QJ+fjZWt1Z-@ zW)DdHl~!VkRW9$z)2U0#uR6T`K4Asp|HZ#}#pPqowrRRfS#jK#GMY$>mW1OsKoOThN$|SdOMVg zn9f-jbucvxiOD?O%W`P9*GqNOEX40QJ9HA&PK2f>+ZmXOqw#2$92i-8y^5l6}cSG^myu1$R zU*-AqGh_2P{zP78A^99{;>FRYNAE4)5TJnfrw!$EzQdgGqkg;$VA5;qgS$4`^M-FA z7?+3);`^sFb^LLIoh(DnK%JRV0Qa;>-XdKIXO_Qm>_K#1rzloyUe6jaQwqj9$ga@o zwf&i1kH+J|eo)bRmi`T-;`T1n)Uih>SRaF{gSL4?I*FQ`ud5#(Pwn|TjH^gaUe3uwY_0u?^F zr!|DB52$;`z8fL{cxRuJ?BiX0rE9dkIw#b!X_dwhcug1-7_Uy3xtK9jD5F&?#FzpLYN^?~-6jl0=e z+UBw}5zpzYYgfHDp#|@%wJfEwD^QJfwh!%MX85P{mknLP!$Z=k$e+> z_!he(DG)>Wi1|X52C$3kgBd18deCO3pD;5@I+>!o$|sU-OHEC_cYJ~VyO>ASg#!Oz zw;v*5WjSv3Bk5QXyX2HRs)$Cdw3{Eky-db*Re3j)4NiZTdSqkaV;JRc%=GR$eNZ)5; 
zkW{9KopMUOtU5trmN1-7yPtf%(Y~+<8WdZWxMWr(NaP$jdYC?P*R*8*QUP9)@!H8} zR>1eAKj&f5fZ9T%Q7U(v9A0#@wkeeEq5#t2Ix2SiCjM4=fwxbts8;?DD2`R3hEaN< z8crS;5J@WFyJCO!(T9XxJym2Geg(}WX6Al)5>99neDGSzE>Oz9NI*A0u?*aDjjhH37(4JyaK^4-$nOUvvSZO zf&Ta@>_^*4#q}kOl7FhN$(rDo`Elm)q}W=Cc|l~W#~Ep||F9}w%H|$+^c$@mY2#t+ zGtfMFNcIt^;U2utvWCw*BNIgmxDv(aRpXB@EfV_#w89VRl%z?}13rsN6PO5}g=96d zfMcN-#s6DEKyQl4ywtz7*Ww4zzfM|088klygIDWtJAj-jRe)J?r!3GkDuQDOZPa^a zuP6?G?r#gc(LS0Duo2O`dFeI0Y@*IIr*a~e@WruXyXYnD%>(rX1C0cCI2pdnpxnMa zR7L;O1l1Bmn}};8OYAl-bw+uj0`0*BUTn^nC_m6w7pirX;~*q z^y88eLCo#Et7@aTQf&P0-!iio+p9ebX8%DT_Pf>?^!;|muN0B~DLOJO^vP{HtxF=w zF~ZQse{6j5zQE)!tK3-Hv$q^KdIPFyO6Mu{*ay9s9sg!cgv0_DafQ}`D!}_hja$Z0 zjR45UeZ~Fy|Lk#@aj(9v-r7hOzQG#>z_}~i>`fF)`!$7Q!de-w3NT^u=~t?v=JsRo zo&Y%vy_pGzvvE==-PX`o=6+B5zY555N>C*}SqkgXV7cPNkjY^?I!7tDa)*A(LRj+* zQE+QwP#nW*cYIY6+}6gjGkxsxHj}Qh=VX9vb& z2n;Mgp)VffB5zW1PiRzdJI$5H7_^MrQm`NqJ9_^FitW{e)lPF}YCXPcvJ%BpX*jC@w~4fm(5&-V-9=-Ri(kl^AXBm8`^o7jh%Q~b8zn`}^< zLLI}>LjRN&YR6QRmA6dG7x*!rH4}2a zUlL!OSYTx4&ct|d3)O`XpEJFdN#)9Bv27w7dt$AZg83Zhv#e0uOBw)P)oVbUF~U8b zBR!6qgYX&G2Ejv^eNOx;(LWd(`=L9opIIJB;q>77YOa8G~(F)N^)VKj9uLq-DGX{N;UEHm-V^1Q2g_ZO*F^m)~9v3E0qHX zYhDFp;D}4>_0b#v37=5|i=^5Rx7MEk%k&tI>5@?*=6$Wp2+tJ!J12vK2B@ykB?BI~ zu-^#m;YoI_Pd>7YTrV()0~MDfV8?PKDPmltuO^VVgffs5R4I=rNXGFGOwB`U0VaOC zsFRW4$(0s**38 zy#<8au(bztT74gDOvfI9X&1(WMx9?;Tej)H@GYS3(t}&57&0_7b9IGWkR*4((IiT+1mi+6dudw(h zn44(!Ev&~;*%zHga~XP_a%CKH<*`rt4;-V0`6nx@jS^wOh(>? 
z+v`v3X`4H)CkyXNG&8|W-~ZI0c5qZ0k}DHi^FZwEG9?^3>p^%I_0n-DG^0rjY`Bbz z`f4ZxiM#7i>@SyUh6ysUbrKco>dkOsZC#8QH91xaPwxsMtYs5x9W@&3HB6_eT)#B= zBMHGOitkqIxu^7%c?#Iie#-ZL#C4>?MBJCPJT0~Vf6 z)nLN%082}vh7U8yMob32fsi4*nyF)U6*U;9nX8n=#5k7wzye!?=~GM8ev4c?pfy< zHBBh~__=Hw-2@RA8RYis4V|dj-aaHR$Lc=bnZ4&;3k{vGsr*j+yszIHaW56=3od*g zmeIT$4aGqxT3?6!d8*qs)}&wWBs-cn_`3ik>&xwDvYZo~jT>!`8)xr_dP1G7z*cZ6 z`^t<*^AaEDCMdd>a@mHZ@IrlDy9fK@HT@3fwu9)VA5`hO&6b2st-mhrU#6ZUWmoB_ z^GJwbOmd3Ev%Yx%Du*J(d)OhjfcKxYGI86Hd1mQ{P}btARhUY72o_e@D8`oBtxAy; zf4W~BKUviTfi_VdC#!*}`H@h6YTkJP4S@sFyQL-NcE7lEl1~oEMuCrWiCvgn%l}ci zhKT%o8z)+poWV9@x)1a-go%#|Sp3nc^2NJf0^E_N+DgqsRvd(r?7JQeyF4Rk+Y zd!IOc@$q!5d-Juj?7>bG?a(f5xMSDHsaRV4k>K_l;lO#x%DvZ6nEAjr(Ie7~rFc3? z#HmYkiO)xA;q#Ln_1I@r@^RxodEtxEa61T`WdgR@RQi?ygf_PN#|c z>9U?7G^T0I^f}J&*|`US#}wBM6rd(^C|GXW(RDF*P;W}zN&t|4Ebp9swRjl3&e|Ol zJqBBi-pYUDHlHOZA!DT!4e{A*Wu!m9HN%a(i(OJ}r}>W4TB;oxTH z(2MrNMN8n%!est%d$AHN(p=7Ng!NN9N@%pI^KAKW(W0)|`Z4wAOlb@3@TR*~+-VC@ z3ExZx7zQqPukEkZ;h^3PSO_!hy=9BndK-b)i^sT;P|%}oOz@ctwB*f8nBr@MctoxJ$Sj_ogTms@dUH-f!?J*46#f3hC{nMwQ0g_f-&L-eP66 zMc#_M#q_hxy+(!E(5>(~;IW-%()i$Ed6}-7>MKoLa%t5^c>?h>Fff=2_q^$k$uc_2 zTm|8iwGR`!g+7#XxPa@hy{1Xhk8f<3s?%GVF-JbgKSmyfR=GM~4%NukLcI&(H>Jqg zb8y~&;+2REs$g4|yk9uJ3oAusJBYb}_*dlJDNp9=vD~2_DQ@_D$*%rL#fU0i=S z?GutUW$Zp781|CN6N=CwSYB$ChzK=?UXRDt2@YOKfv&&QCNexM*qtlV^j@EYhp!ZE zicvh08{DYW;0=j|{w7Zr#vxgR=$rondARQ{zH+8bhXtOJH%0fAEeNkRF=E^$%9&Q( z`_XI(#%CGg{fi%h_zFGs#ji0hH%DwGz}ziLgT$bN@#BE@87pHLnBH@s4n65Q43x}2 zGv(D1vUF0(NjS27dyBM^*OOAghtH*PAmUx#KY+k?H@_!U-|)YcXFS>}cU?iG-k0=~ z3ynQ#Bn*N5TJ@N(^XRgNtiC_^#WYTWgPqO|MygXR+W-CSbcIpf-jq_?&wmri=hop% zkXd4=XE-y`7 zev|dg6z96PE?WGPr0cQ3cWH+Qw8Z%))$Qp4YI&QLFM>dzo@`b7U|SVw2I&=wT9aj$ zp}1T`1%61Cb@whUa0;s`Wxei7@fSKQ;3ZFpdigb)ycxaLzOmq^>^V;3MRLyO_@Q-J zMnzqpu={SBOgZ^?0=tg3h!zPTj4rv8UNC53@Srr15H_o2Tp6nhQ2i+hV}Xlf?;6uAz!+$oe2Zs#@4a9MZ9} z>8OtJmr?NRMrz;FYf6EP>Q*U;opOfD%ax87{JCW&mDGQKFB+IG4Vn?YRMy<7M7+Pv zHMZ>l^0d=xukLqdzDP|Klm7{P(EI|xMZ=TPBPBcjBw-qhmBt=e-*Ka4!bOem&~zVL 
zP2mF$Dxv7zTv?{COX_^YUR9NrWyo7|n$nK;YW-|u#uj(nneEB%ERe6Ly_o=6NCZ9C zshv8xdmnmsQ*0olHUiTJ#?)f#9JeC|-8I!6?R5w)I8PXy2Gw6x_I`Z*exG>$TJ?V0 zum8#x_wE6B_wKoRf3UtdCwL)!ai4sTU67d&zWXlsc78mmUqulrvwuGY?v#CqtnUYH zDxXs<4I(a|*A{~ldmK>GLLmwOZ`>J3HB}zIHNmpbD?d)4l>e-y zWH3c5pWVrq0x=F$D5YTeRz}|T;V1}M!~Jok9cBo?gL31nBC~P!a;V!dM?k`y5wf*dP7@ER+;KTDj+T#>#G`^RxEsb<9&wyF(4? zDF=fHye*Hkh1+kO&_CiU82%{GdorV9Gx2+4ds^a4u$GnoHF>J!g$g$QNs1G{nx>3q zpkn&Fo$=tI`Coo9yG8mb*vSa0v@74R&b_S=u3nm{wl=C0QymlO=|11Dov|&8p98Oh zFbEuXkg2+AM1;wFmW`+2ovjU~=g63Nzj(td;yA_s!oAr=5YO3V*xHnw?sPLZuc z{)yM;tULCd_CCMm?YwdP*QD{niYxtWdyX9f!(dZ3;nvzOi|b49m>00ylO}zsWYOsZ z4_H$A8#vWt?oJ23i&KI;x`|u*fCTeFJ1L~46YoU(&wi_=d$)-6wuS_gTf_tLq$I}0 z!Tlms7APUELsx88DduWDPF`W?Mc@C4Q&iK%$xDSN^(gwYwbH3Fp>W;vgqkH}jE`8w zw5VJSA1tl*n4TRQ`e4Ipg8Z@8yW~{)TURXYqtNp`VZ$kkjHz19A+m^nfVweO{ydSB zKW&#dNfyXpW(lPj($fr}j`fe_;)5#i;trc;LSURk2Adm_YOaRGi3^{KcDIC?`fV48 zR%$f5ZmTl=by}K5;vb4Q3%-=BOC6If=g&*mJqPjF{^EUi#=-LAaT86MMiFYcPJHmB z_YZI2m(%0N8|{c5t$w*9F;is73Ug%rcNduyq#Gvb2;Gt0&|BC`sqy)BVih6`;mJBgxNSF zsbGM+mQ7z_^uMSp#_=;pzvWUwj%mn+C;p&7Sw4lC@~6h~tDY2g0;Jl*ZCc6rCo zn18+K*jS$FO!{;U(2J&id)SLg#%E8xj?eQ5 z_tbEVSXPvHvZ`!nmPYiH5jiY_;v0RQWv$i?yQ@L}wpElp!njceLe%7U0zmC+@vHtM zNveQh?o%?D?N~ZWtpA5zo;h6M4$*jvvOak0K08`MIM64RjB|OI4yD{D zA=q&udbXgpUnJwWf)$?{^}8PR{t|l$hq;lyo^TE%_62O}<1O4Q>&Zz)?-1^R;L?W@ zKSuf+EP;d{+loaJXZ zeu|!Q#1*2+m#)l3p8iyozXUo`U^=I*CvXD^%z&Bt=t?2hdfwz}#?@j7;qCuvY1yk) zVKl$gp>b`LP#GzL?b7wX(?knEXBqcP%Y(W{N z0{odIBo-7|;;P(`;JHS!1!Q0QW-#reicqX@GFs&y9d~7XSLy+36`^QOyl_fzy~T&? 
z867*5Z9enFi;s}Z6Uf`E5CYrA4yveswazChM5d5aoV;Wmny@w@;m5}w1+xaPac-0h z8dui!I4(^3O$!Bzpolv*Dfk(+)AYz}#~(k$SHWUb<2MM7Fq23V|CHqHO=Pbh7ma8)YAAWRn`mJ@RbTIpA zQD0e*c2=Jrit|sDbX4W^f`_|LGdO+gt*(bXm&Le%-9fp4Ej^@#K_PNx+(U)pxI9ud zd@AQq`Ip(znbKyCiA(a$GNp}=?2vOGZ^?H>R|$7<;gU~T&0(RWDysuW%H3Xwbzm-KOE_7p6Gts6qhU=uAL?j+hqmycR)=y$TCnnOFfk zLt;~%qYN69p&^jApE9MKG)+lXiWDNmgo8LH&w*ts2#3UHhOm+z(aImmKWN0<6UK&~ zcB~6HHH)RlT4ftnZ}U3cJhV$S;AQ=n^rWIy=*P|K<@)> zwWQK41v`8tGvG!-Q*T z0-iJ6_fIh|O=dm^PB!elKj%)w7is36&bLGzz1T?)=C;l#4IDg1Nw_-3Hy=1AoWEyJ z;}<7w-O&793m=ps^~UXFsy?-UJ1$5rOd%&6Y}SjPfE;^!?R-)G{0eFp@d#M$)w-A^ z7)lnsoxzN7)6|neJNM_deLmgfe&~41X;UN@RIHo`pU8&VrgKD0@|wjNtj-7$|C5Ir z6McT?#{&nQ%L?ySRM2p$+6sJgo|*pg0C`F|xA3m#`*!L0{#eSJ!}!hK{QW^d5Y6*y zf!86JBm7~1CIC(5k&@d~fAmTp(VcdU`>ImmXwv1u-{!tdBinx*fcN^ic65C&`CvknumUV80 zQ`djDl23OdPTq1-jvwYI^_wX}##hIOGMxlLo7kftve{zxfR@TVZ(T+AZRgyXY(*z? zcm+hG57v)kDcAkXR#%q4uFC-E?0-DBFQbC8d1HRDEfk+m0Y4-jTYlB*5ueRgDR z=%J>fk1)j^YLhD!A>U~yXq-P0vjFvg zFKRcK{};tl-XSvRNEARsC8jynTKhwqnDgp;jqUo7{S!2X;t8J9PCOO3?2-RZTfL3c z4X9~U*xIh+UEbH#Zkc09f(7`c%ZaZ z=#4y`Z{y(aw{wr3U%@o&2<3e)ZONwjq`1&ru}5$9Nw8yI0{Z25iu_Vk<+m%}m`Ns^OHP^Z6vPGYO8jIN5WLcB=er1iUwsVq3?N zD*fZrn4LFwVsuOq)AXnFCnK6?K=h%`RN39Kjz3ZCP}K)Vpo_*qi(I&p`! 
z&Ov?GKEOYZB^UJj#k;DIjJL*b?8^D8s%Q&VT_t~S7U`0NYeT`8fmP3hdo$(_-x#lq zx?TZ#5JjuN1?b?2Xy}^9O7nAn9M58z7QrC1>=%w=5tM%E0|t()tpwh`^7255bego2 zX$Hy*mp#IX(cj@2F)tI=&rvtD2Z5>q2bUZyzA{e$-z#ym3>TE9Wz50XC83|4(_v>WxwAMwa|0L7Rl*L;|^&viiC|Rc!*7 zb3u94Mf;9&v3Y!hfXmISssaK1{q!g%U>O@lk$_$6RTk;$k3Y#GmK0G-tO0O3rsNsXp> z%i%mF$xhD6sS0)87=hhY8albp*rqd!P<=8N6C4|xSdqLW+(Fm^ZX%)97I6HYn1FNF$89w-hYg8+#9|lg0;HpU>p2;Qj zV4sUQ_OFIzb&>2{r=wo0+Fx%ut6DGP@FAr%!XaPScGgzzOX|3B^53yhrn{FZt8ts| zwg>p*F<>BNxW?XP?wmgvpa-Qj(Bt)tun%IDo%h8t8HCM!V8EY_p;GNUB!Y70Jn5w~ z)8{9_8x$CZ^l5x;0`QD?30DS%T9purw}%K5Dri5-oG_6O5?#3ON($DhY9SWn|EV&| zzwYGT;Dt^*gUL*`NttpR$L&RlTPD`D!Gb~JL=golQ=|=@7CKPj|25dvgbxM#oFUUC z>%}L>s@}`W%G{Y-53^+OOhtIT+q=W1BOF)gNYj0)81-9Kw6FUj3{Gc)c;0F~r*A~I zFwAy%bVXlzjaNszo&Mw%AMXVT=q5#1n_zx4!}2G(MhPFlM84!0X{7|ie}WR;BMRel z#N~`(`?vNuYD+o$sr&$D#cXHEPUEUj4h=-|58jqDP9*_-rKewc(GMXcP{{T+U7nS> zgNP3gOoe&HE#9B5&CRL$TtNAt3R83XaBUFg5rne`s9Fd1P=|0KqcX zO=zCtP<{%}p2e#}n-MISy+nm7f<4R@jSUh@tXp!&?`@wpIgHC5roYIZEv`Pqt&iyP~I=pJ;v zwL|lHtP||u$FA_tf4i{iO5PBH8akb=D=1xmHN$9#q5k3|Ct}&1W`M945G8R=27mDA%0k%wl z7%-B`p+S1m%k~1g2qJlqVPAu;FJ}A-M33(rewps&Dm$A%b_ZG_LDqNwDo4$=9c3Y-0kJehdM7grMQBU#gCF>l8 zv~NoDYDLICGU@xz|7r)_=#9c)vh7;T+067+#ZSqz_rk3~i-Ds@{R}VHPYM+ge({3r zhE@J}xBd)_c=Lu6ECTu22m5CAcl)Oup0#MFC{JAFdanmB5Z^rDZU+qDjcy)w2l5FN z`Ogjv4ajL0G%xh^Hw0;F>24MEEB4AId-V%2ZQZJN6n*Mud%Odoya(N z?DpoWzSZNv$Uf`oEa2?uIAFqT)s`!8@5mD^*ihSBpT*!zIBI_UXK0-tWPyfOP_j;S z|Ncom?WijdZB>_inB`|5Mw3%B-OAamZzfy%S+-#e6UKC?)xirUZKBVU#DxV3IY%glIh8^prJ!JRy&_>BC9L z_i5w9C;oJj zxTVmAzGXYZAYSbqeScS`>{?%-e2^`BFH4TeCj{P~)}=%`Mbmp1peCxJ9QTlkGLmBVLbYX%Ky1EBYhC%jiXs)#WVgSJkB8DjC#F{pEUMp zRF})uG(#Vg_Os5(D>Opsw{aZi|3-z;e4;11n#K?JE1r-wjh>T297TNKuWUnl$_29- zg^QTa-D)mnR^AgU^b7b^9e($x$Fd2*Fs<7(?W^2@9{I-GMTkZth`M-R-2_F&1MCW} ziozhN%{V+&S4`uw!H!r|M@<>P2^9^0m@)*}yf(Vy?3=f`;h-IQxl}+m>Gu=ME|(fA zXZ|RUV4bLGk_L42eaA(m{AI!8)&#Hfe-%qdoDKksT{y@0c4da05D(U+ZceKftjUP1 z+2cUF+nfbhH-bFH4#(iyDyX;F?o4CG1r)G$=M27{MGQKzbhX}sED-VZ=(<_7m)@zp 
z>)K{M&_E7KX}u4AV_NiiapHzYwdL}ksnAgiY*7Jv$F2OJ5ga>zBYsL~Iz@o!7lqXq1!jC?6HOx1Xnds|YRp}Du-YSZDs=e5NZ z|2w0b$1$@`TJy5ySU z2^6);$e)eh2MN97Lc+fTMS}i1#pYT@IwQ;i#R5uzfOO)_u7d4%POQMJr zU}m7THr=K5FzRx0gHNRx^}ii;_r9d_CUQl&JBbIxc!{iQd{q)a(62-0IcB2O&Wba4 z-2#oXYXwti9|C$ruWK?<7h!WrWcbL?T>s|egIns|S3MzHg0iF>nP`wfu-99r4$Z_; z7AnCRrv2ReGVj9@1t*7Tt=pHTQ*97Kyn5CN-0cCtUqZ@Mz^1MCs21P64H2vmRZTdnbif%i7N{V) zB(T%l|J$Jn4+o&y!%WAwqcD8ybJ*7*nR;--&WrexItt6oe14x%7IEUMQFdi1B#Eac zKwXyfwB+tLd5^aVXM;hu@bU$h54kD!30wn%N}<<~M*YgSO`R2v*B$w8cWN*u=s~q( zPmt8lm^mO4>96J6(l3_r&HQEAL)#ZrhWEKE?G5AIr8v78ZU860GxKi4?r6Ig2;mRUm&L*Vre-0USsaf3i8cdqwhLae4c|~vf4a8 z3^`HCKQ0u_H44IiNW3*W@*0KA`r2#ztzND5^Jl8gUvv0e49%M#Q4@l&ju9zV#+U@& znrao@ko^ODdTtgX?AkGVdmet5&2O=&=zNmwK;Y8Jca13ppDKio=N5O5I{X=9BrS1X zv5b&}EKB?t?135S8<{`}4Za~@8sA)~V71Uj5ow2Ma`Xux%}7GW5j?6Ex-Ikz z04}3HO~`hHh&hw|hcs6xDqqi}H|Ddh-4_kA*Na!b&z3Y-pjI2!M*4N->{1s<=Wb>(9c|j9U`u_%9lyTY$n@Ler!092RdR!)8kfRxSv6{U+4ras4W!7p| z){lKweKn}s&?K3u@v zqm~#vcl^dtm)0&A+Yn{cAnO&(u6fKOgg^IwI3iHJM6wNd+#VoEUyXgh$a?s1uW+9*i44Q!pSQP0 zI2Xwe_k6)`nbg)j}-AKo!ySp2tJ1$6ii7zGnb+cDl3=NB)}1PeAc_%EI$qIilgr(Rn%%vSjMC|j zYN-zX!Bl$b)68<0GU>_1^TWeshxcW^A3y=_A9p6DWVC#Ad#|MkX|HaC0e|8r_L;e!(Gof&v;}~(_Z4DkPKa>20oBQsj zDAw`u;qS3}d!yp)I1dkg!96IMeHW{TpFb{?3@x6X7Kp=cxvc;XTi>giw5ax79alPO zUD4V++nyHZly1)*deeiQjQHhiXs=b1Ey*x{N&EJD>ecW^^)!x&ADJK1Vv|_@e9dOf z6iliPo)mt8;fe@@!i9+n*&?YXp+Ty68T;bA8A<+OtgiB8jB6UdPu}1vi=Vs9r?$4Yi|M88}W<$sNEaqr;1MWSWrcvh3R4*-_skC+;2hoxy=g4D(U2%?`+>*K^a&&pM0OR$ zeln{Z89H#B;|y$!_TssTK`8;-+&n+ln2)j2jxAUkhYYALPcn zIlkC$ayjbt76EturKnL0CM%B_Y~T&_diKhtx|gsnxo1ISp&ecAI$WB^r4}Wf4fWO( z7!k722q}F`=^$j0dMVH6O5QMK3%5GfkN6KI`z1!&nV)=%QtzHv*OIGU`OJ+RJb}c_ zb0T{9c{Tj;@$4;!R*RC}7w=K#ZQ_|{R7TcxTdCMXSAEA@3oOcPO`*7l@xUAzav_}W zvXDiQCEb_PpFRCn&N;?=7+p6B1!K1VrL^8Pl|Ih}+JbWgSmjc6+3rr_n{}e%2Se$7 zPWkg*P~{fKsD)BuO+S}6-MFJy)qF(+V>1;W$h;0ts)Md-NyHutH5giW;nl(~XIlj0 z8WJq=`KJ5yn>#>qe=#wdXrNMr*rwo{XiE{zNM5w42AMJP3KZ=h=fVzbUq*4r;U%^u znSBWHU$GmEpt>C3bHOBFj=;K-xvRgp-yh0NZ{eWtAwrd^MTG(L0=7;%K>z+ylQqjb 
zvvya6kaq+wH$9anm{zu-Y@L>ya~e-iZ`}EBNd9BeY}j(h+!o5}h?5_&bl6gaV25$o zbEKqkT!;GSqbueBx!n>EgAZZtzua1{M%ebbAcqsY0b6E~vf_T;7~jGkCf-|q(Psi} z?YFRloqWgykhfnQ{crXQ`5ptG$rP%SN7S&KhC`Q9d4KXeG@_<_sy4Rh^=^ggZ$`$n zEG!<#V4d7P{hOR3V}=$!Vsa}(N|xspDe5Y*2!(I$fM^6a{d8HGQ3Ew~tusRhcL+n{ zUr$}H@O#`}9duFhmy-Cu<($k)&UmJvI!)rrVB3z*OeboU{9H{Ne1zoL;kShz>Gu|ztBOO-%UHLIa8? z;&`~(%|4vV#-9j6cuIU!8#AX_k14>`2cFx=7q=P2PQ-^aE{zgIAcqn(a zu7laYvnhg64S-LtmDw+nT_&{uNyI5>l0oa%)XTBMNP!5S3rcKwX%a-PN_ z`Y(XR4o@f#h}EM^dZSTmPyZ!dW;4OIzfwkrsymrVX6vVjL5RZE%6Axm#OGHhjcu)B z)}=tl2Cge+n3Y_%3XF3bKHgQ{?>?zG%&qvq++ISoKOVM5`TQVuvFtlFGNp3x?g?k! zH?};q=Q#^`L6W=?oxFR1-#>L$ofjd8SV4_6EoDgT(q`&0IHXVSblNw>b@%#wxN8YwOcG;C-rSwsZs&zg>>?m2%(e360${)R=wTg^9b zv_o7+*_my%Gq+eHZG=qt;cYbwTV*{Dy~&-8s-XZMLSCg{Ve>|_OW_Rz*qNn&TbLlA zpThlG`YGe%*7qs@yY@xL*k$8Ov;E*A4EeVjn>U=R0)u;Q6S-8YE}3VtyT4l~NmkLL z%s+|g%?7RO4Q@|jzi8)sjL`Z(xCZ$^A#u%85=ZO2e1|QYn^|Tt|a6XeQ|z4jVcR+ayw4} zffn@j#@;@6=l(V^chO!=>^Wqexdop-rKe9`WQdzFA_wa`!a~M``8KV@)C`+_b8R6f zv=My`&$Y}%6uK00sY|%KvDzwy`5#&8KpZzVE7=@h9fLD9^-_@96`?)ZE_nv({76up zX^>Zb@0IYTXqMYt6>&V-tTNvJkZBVVeX<|PJtV8Sy2N$UESL56k7>jMrG6D`N?X2i zHbHn%HNVeRkM6Ws@7ByTh2wPM(zz5#%Ul!k84+CIvdZ7VG+7e}IhYCwU!eff{wbSb zKY2}H#upuMT%1Ct`@9Fc9szrsY)9*Vy6f9KY!?lHtBaXzA5a-9Jwic^^VbzNp6cmw z6H0vBCN7e3%FsIqSnx?5){lW2?Z40nXKGypd6&mrCL`$edWXS|PcLevDwJPy=66 zq|@|R5r=r~JN|3MsL>=+1JPl)M5PVA9Q?(3{ACY!e!z@w=7rD1`?nLP--j7dE>o5E zRmJ5`Bzm8C$*?m~l(fvHKCni!^m{lRG%|E>E)3E$}i$Xfzf5>kR zTWNJTx7lfRGCN&4WSmW?D3Ar-cB=VGaWx|*lNd1+TIGcx zi|_q?G7!2aqdO2>H6aG`kR4QtQAm#sdEswI_U?cXe)}k$+1=NQ7epNggFZt_ID8)v zQZ7EdfWNhdGgX^V3)0U-0UaEW{vflH+p6p5TE3^_F?wks)`zUS?uAbm)L0Pt9%PXo zYBh`j1du{-87v4M$1R(1qM+%26bmIwmGpH5It8#w&!Ct2dpvtL1m!IhyULWJTjXME zrexHf)oW=rhH}dH%vs+(@U-ev9clcT1~NRW-S=Kd-Yez(`5eTsESS2TqL|tI2!`n{XKGpzekx{qRb@!c)9CsJd?@qV)ge~-|e5av4RC|iT(1og6p zcZ%e|_5OTPz!9^+A)dH-r!DK&nsaCFj;N)FMu@xiHvZ(KkCtTD+uCb2qRrNG~Tv3n*wcCtKxxCF0oIJF^SKZ+xQsahL4 z2J;ktrboD2WliJOcw@Rq{9WkGCPr#ZpXXa=_j1X2Ha^MM*t=hzHV(Pr0+{8xA_p5jO8v;E4d6kb$sMd z)NF^tPUx(oVN>PXxis{9PBbMn>x}=L 
zjMwt6H(^bj_cDCU7;X5U8+DFKx~RtJpmPV!vV;Bo&k0STL5(KL={ zndKs+SsIkR+-Su-N_lk5@y)wND!{{qKP=$x#-jE1oEGM#s#lH(wuVFgJ31ju*ue0+@iuAl@Q0 zAC^F*{0-SfmV@rVeuD>D)n$CoE>#ju~ zjqQ$*@Kdc>a#Zd2G^Bc)x9JA{JKR5$iogIx*=h|3H@DbQR;@d$g*K*Q1ZL#Q9G+mc z!Zk&6PTEn~5bT=vow$*Hc&lY}o3(2^AnKtH&G`rK!jM=y;3ZnS@DuqELY_Y67O4>P zZDK}9Ep+-&>>6>AIBnreQyB;@_vYJz8>8-VvW%^imSq zPxUCbJZ(`29l2xg>ajk+h!Q04{^)j^YSRHJ(@Gk#P*TD}2@x263R-aM%LqLpP8Od5 zo#r{?DKQ*JMFiy}7)m%eYRsqGsgu;l319yl=mP%GORyGM232g`$*g|l)=N04CO94= zD>(YHH;v!4sI}2WHcP|3$&dmY`d9v1D~tf~3Ol9!dM7v}R);@0?NXW|9{SSKy&>X$ zq|;mz+Vj+LiBz&W*c`}m=e*?`ywZW429D&to1*_zwoV&Jwyv-#TC`GBYo_kKRELHf zYQlSYo73B`K;2)Q%vV`ay%hR{o7jP8^FTan+@R0Hb38aowCu#{PG(2Vc~S1LwWe;- zlJX=zm)p4NiWT}16LmpFhob6pBxCC-_{$A7=|Jj{Amz!I)-ZWC!sH<*Iht;ijUw6e z2yR9sp5TDKz%$;V)VPc+N}1_N)MW{FG5$k{S98F)jKBxyi0>wRDXGglMcnX_e#O|k zqMj$#nMB`_WSiqDjRL~B(h}&g2CTLMS0wQ^e3#1z)b*O#n_fgS!U#3f1%as${?#&dlF=zP+BWTmtK53< zV%eJXdhhf_IC#r?W^*P)=BbTNmh&}_Gy-XiH6hys$9^w0P4(vy{UW_2y&=SZAA0pt zJhuu4a~JJ>da@RtoXeZHsJZ`&jaF?X}2aP{U^WMBL0 zia!8_w)gUORar}lbWP8Cglg zSc4+4N!s0es5noeklPm1F6S*diN$%!5uyoLY>C-Nzvz=u+s8;{UETgh_p+NYoC#mT zkjC40>L&Q#oT;${OPv7}o5sV9IO3zI=lzj^v~d~s4YwQWedDTk1RnTddZM+w zuS8Yf*q1A8bIAU=fe_&@?{s~=IGO^q7zyW45$j<{?k-NW0!FvFN!nw)MN0X zC_1k1{rJ(pRBc^n$?&6^L+pMu8~;}x2aj1bpYvAF^8PB4m_Fj$HdjJ}Ge2oX3(@lX zQl1NXj4{gj1>PC1P?MBY6dqY?zMlT%2B)(*(k5gI&{m#c3SOR};`!fjzUYi{1YL1n z0?HVtS4Y(x*t^v&QAum>n=G+pses9?vJ91bLM9oF;r0(on8h~6Sx&6X^U8}#w~8U) zOf&TK?g-s3eR#hw3xtd~vePKGIIb^knX55=8SyTVZlGdo@@qWdNv}oZ0Cbu>yBr6Wvo}dM}&`b zhzJHp`9DR(52_dKZQYNZ&snz;uT^GAM$_Vs5w84T{bmO^uFoy+avXi|ttFaUSB&36$X(61a>!)xl;N*{bw_<;DX6Nr3jhgbT(dKx0aw ziyj<23y1%3fsqyXob||oewH$WU2S$l zLqxhgGN2gCJu$-pLz~ztjOfR(AX^)DO~D`EPMQ-{XwmcI%Gr9l&OuZurCuxhpT{qF=%vzsaSIzNuTu zyi-9yPWUPML?F zKkLLHN^|Vd_)%Mar8MQaCQmNlKRxGK47M43$Lj*F6~{o#|q6{#XfW#Ll1ZZ6h-b04wxDbSH|TYF!=`xe3YDECMg=F2;M$^o)a z^>-zvLa5Qla}|euD1leSrUHK%NX?rurnFh%LEmi2w}xo*1H!9OddPXtLe)-}`p)!Q zH}@97*kg{&p?D^zF!YK;p{o261Mvd^Pm(&(!+~-2teV{pT4Am%M)@DFliY=pQu~D8 
z9)s?zr*!F*EhqHA`HM$KpF|S-FC4HsC+JG&nWYGge&2TmkQzw7g%ZH3*zQ0(rTf)k zh;_j?nlBZbYG@^z90KYrD~X1f%XFD}RM&TgE-t~PpsXOd z_J1PXrQT~v;$`4Yc8{Eq&srf;ym##e7-DXE zsK~EL7-v}Oqz^ELt>4haMfzoN&|T1H&3fvF^T#eL;toXqi>Bc9JXCztT50=>k{k!Q z(_Om7XHM!-#qj>LN#YR)OWG9j9Zyw1ld7Zt*=cS2w)Re>bqvsni%67klyf(`?2&}cI4ZqtGr79SI z-SUpC(2}S=R{vAF(qyDv&|^kl|MmAJq2D}Nt~)CVhKg7=YwI=(`iqZ4KIyaWlFW5i zTHfp2H*mK}eK2g~TVv{{%TLWoG%4C6e@G5dp-x@;Gr(A}OI#)!D|=v ziN=15i;Gb6-_oWvAM$SsD&Nf!7~72)Q_ut-%1rG{UeDG*2r|7uI*Cq%z&WRT0KJF07Q&-sN7x#^K8Qsqwb-4UIw{&A*< ze}M?u#}OlN4mc`#BiG}GZ$}K={S|MJp2zXe8V|BQyjfdWSpPkv-At^@hRI~1g5|~d z&bYr3G_LJ{#pJe#9V7Uvl~wjs*msFbn7;VeTnh^-jvSU;>Wd8>f^MOub|*dnc~9n+ z?Q2MuZ}35-Zq8Ek1JTnt=_s>AW0hfvwz5?l)b4vY3^`m|t$psOgwDArI3$aYJ$r*> zKQPKANHx}PKS~kRbYn#hhq0M41dnaZ*l>T7!E?qvj#(VYtgQatwdgX2l)+BPQzCne zcPrvRs)cI6PU&t>ilnGCNZ(XuB(M!U9 zUS~-@!4fLBa_uwl$b^o1#|UrjP@&Vg)1dqLGU9Jk=W-_8ZB#d+eqOr_4?_f(rB}6D z==}7e%B#v}YHtmH@s9jh_I2fTLv=RZ{-$ElcjgiDOk>sly3l9>&ko&oAV7E@Xz|^b2QBOcBCz!r@ziX4 z!&l54y$8Q`YJQDw!ErY7oG7>YG!|$2)MemB(G}klEQ|s>PxS$q0L3U<9ks2n&x+^< zqzHwNA^bN2qe^ek*ja5W4$PExqsPNGImG3-#7cjPiv8@XkA@wW@Jh&E~MO9f7W zjAU@tycb^-0uv`MQYnq&4>2Ah2lvy*%ftCLLYlf;)MB^nGu zDzR6zNUvVGdaHmI4_qG}!PMk*50uCal(lNKkS2eJxrUT;u}&F&E$X_iTakjJ7h&su%s%Jxg05#5w`v>vH|1tfuSp) zEEu9*cPiMGupx>jPM1~AwBK{4QrS<%IHMsN4xRhcTfNtCas!6(149#CrNpJ=H_dP9 z{$mG1*~H6=pS)ta;D7H<5iOU+B$V{;zw<0DGB2tIas&jrUKf$=$c=4ibv&OvF7L1U z`E=a*Ypy=tJYDh>SB*#Tw&i;TH|J8zCW;lH{#vom1Jp|hY(+&g4gB4sO&;KvIb}-p zJF}D`56uRV&aaK1M`Cmp7c@ZCIpq>qnx49d?zKjN2?np5G|9vMm9&(2_|+>Tl)m`K z{2t8|5|^7*SS%6jw*p=P1!9GE$;B1OEINek*y3JlNm zk$lf|w%cqh#F_bBjZOvgkdMmwOU~Hqam%QY1JW;ppT^Zt*xIwwz;z{?g z^oV89BT*qzJjjE&%d}uF--E-HjMoc4QqjTznK9y@qrYJ!7Z^#10e`57__Q!f@OP;c zpF5E&NE`38{16GI0U8mk!_k3ZICdHtk-1vAmh*`MyFPfCn#nkswLx|ar=55be zFf}~?B{Q)iRuW7ifsB(ScFaEYR<-n98Zx}WAJU0E#4CDBIn=QZJiOQY{A zR|DgUH_m85w}w5I)3HQ+fbL2qE;Q803**^~iTPt^L8KR(T_3qCE(i2rpjvzHLeuvl zvxi)JPrY(F9x+q4++~(+z`h00`Y!{mx9!r~Q&@iw?(K35zhVzXQCF)p!m;=CO|RTd zh*m0eBld0Ji!P9pQmd2&7C|q4Hn_sKS;<;&R0VB*&9dpIPjS)z`_5(gtMnq&H0dOC 
z_GH*i;@ZJoWdxOsa6CbY9dTzrM{IiOfx`%|AX8Z=g1{~@|94Qlz`x3}BrF5=<43Zfp0 z(O*cS`&3?!E=DRJ3f!*en)Ji4dt?4u2b1Hy9oF_ZtCAkGZ7YlTzCj^?_@At?E!I`` z6wYYD-5cFSUp|F}2%O;Y@_74>x%)7u1eF%fX~o*SEfkIRn~2@OdHOgmd%MMyRZ2f8 z)-A8$FOT)-zKA<*#|f^Amk{)|U$7=iA4TymE_3MQMBmp{oCr}^J$U`VHJ+9&HGTNN zZ^17uKpi-Wm`8dIXQBV6y?&by!0&f> zS2k=O=z##@q!6hqP-y9<4$-dp>M8chLuXpn~e!Z?gF8yPMeeT{3it7h5?#UZVIqnV zvwm3%E7kNEmlSp~8a~&)TQ^7OHtP++L;6#tjP2npUV@^AT+vTuLWrG#iKgSPNIC(x z=9G4`LMU`>q%`Cy3%N#*u9t{ri$+A*#C;ju*+$(63cS%zBTwqZyhQZHle_*Q%-F-6 z+@(hK1E{4F19vIe6)Sqr20r&%fba($rYOy;gNPl6Kg}dt$<~(^bt%s`2m8AYEk=)? zEsiUP;@*dfQb6rCHq(W5wl6i~wOC(K|M*n9*oN== zaObeS9KCvQd29NC5T#6VqsekU?U>Xz_V8iulHte~qZcdhjm=peUHpq!VBxAjA--XjwVgZJu(awR@u0r4!AY3we?wN= zizU5RNoYEOWheaj@7x^J2{#-TE=W**#Tfk`O30ew1dLMUQm&= zO?my#>_EJ(-ZW)rm|r8>iNNe_`z+R^8@O{~sx?$z-ECgAMrKfEkQ3 zc=p09GdRsMtb0ecuVO?(O|iTgEOw<=%L8Wy!-IClqCX4#-yB3aG(i%9^o}rVD+t9H zwwLACnS0HEA7Z>V@DdDAM*o^r@CBxxfTk#joiEfHmshyK(>1gcrpeoez3NQZ(tWC0 z$Kv1dz&F2=mWFgY_1)AyfZaQb&R0(3YVm`HHrbyKdSgfAFeybYYF8g&XLcyfOR{`v zT$oHu00dIePW`>fJ;0Y2$H__)Hi+O9ZWN!i> z4E>)bQBzxV0e>m11HiCxZ`hCEaP+e0oQ508lX{-B8PY2q*mq8-*j1IPdg?>%%WD;W&7O zNKM)RgHi$yQI|}xw|}h*_(IA$sgdL-AHRhnu=b&oGnRPvI-}Dt#x9b=iK4tAcR1)1 z5qvdwRfdRLBMu1XU~~6Fu9o_Hiq+$L^+u8pg4V4Gl@9k2XU^phW(tY)rcc|W2;_N6 zj~oa~^tzGeDMc-)cO|OO;S+_igHE6ruO&QhgYlWas$dArV(Rg1j#}H3uf%>!_(`IS zM9w>ej$8hm1<^U@&C*rG#m9dkb_KRl%5q|1o)^Vol9j?d!xX-S9!u`jgB$e1VE83H z8TbRCIp|!EB%KhW+0Scm1e~LIe0njJf0r6}3Vz>%ULPeqKe|j8#DI?tZ9Q5|`O}?a zPC2LB-V)IL&#|~!klFoGK<5JMz_?*>W&BASw75pmANq~TeI)@xNP%vBtK=L}msK=R zB;zp`1;6bnPd+=zWWaq{ZoMw|}&9TrXs+FLg!ZrM7IB<1HDGH6c^m zNpOpBiOs?WFz}l^LESa=ataIW0t)UUrk}BlcnZEG)LyutUG^^{J!t&dO*h6)v!moq zmKOX<3=K3gh!^jjP3|$-4e2teMXJE z8C_{>Vqu+hX^F^qKJeRXP#TTQ-Vj&vP#}#px7cc|T88y`jYGC1f4KgH3D>gvH(yw& z#@P|tW`U>}O5RUHtzq{39TD{ws|Mtl0p4nneO4!e(Uc&Sm-AdJ0?rX&qPHr$sC$(LKuzCNU7Un$*eFq&bIDeccox0PTitr7>EYHQy zuK0Y)=;fr#sI@BHFWz>ulue&>I1wd5utyb{qCfYxO>g4c`7qEf{DG_TQ-TjqT`bJ87FZY!thQS@pHKs@U-ysRdj!Im`l>F*N!5D8P;218x 
zIbsI~%QcO8*?r#E?=kM{y&~>ct*~+P?)E5$s|jTImxigZ@kcdgMvg~>Io}$yx2#r1 zMT1H}th=;n-6#Ublv}*7(u~GJ; z5~hStv%Fi`!-S*Talzfo9+=8`SN;!H5(hjpz6!T|x#! z^rmQOv(I(-Kvo=GDhm9gfA0?W{R2%0-ILg*Bnh(UFOZt=8A^L##AnMzOfo%`ezbF&1*ARoh^swXJOv88AxK|_p6K=x7Pw3iTZW^wjOn!hkgm$Ekb&jB%RZ+-n6J2 z(x%f6ZmpntI5WrVb*VE6)Bt3w=_?MnJ{H=H0_UOs7uiIQ(w{L^B0k(7jYb^W|M>p< zN25->{gJmDKXY9AATLk!QOGc?vxu?+`nv5VL8^+Yw^f}0&D+4#vY8w^0`52Lc0QEkB~Q74F)!wXKBIej9eso zmm7^;7np_`Y`lgx26xE@EAKv$c~hKICmdPcDpzynSXnyMG(qx*f}&l27G)oX;?SbXzDSWUmk@p~Uj72>y|nr$o2WWqC_z-HDRhPteWK={DnPGCL_ zs$l(oh;+0~<7|n_w|;54GJFY}@h>AK@Zb8ctEsQfLBLfB=SZBy~Fu7^93H;f0(?RsyMbSCuVu@UWL+QILn9O{P3@2INBed9$T z+D+Sr`=f0y;I!_c#;^Ccj?Qro7h<`1&Nu8k4XNpWw{e?0JF4THMj|riL`$LL=_Fu8 z#fYHWMK4sW{R518oN`PESPJrjW$~bF^FLYK_9fp6M5fDD19Hq%^E~%puaFp&8SovZ(I6;95Gd;ttMwLiV#VG8+Q3Gi!`om3fuMlEuth zb@jGH1|M_hxt(@TxTF(7WF%Joq&NxeH~-BPuYZEyz9 z-}zpgHrU!4@$R;%dD8IELEfz|h!|Xj=TO%ny_Dzj@11Om$JmIv%4mxXUB^LsOd~(J@xPIe1&H^r}u8 zu1Vx?Gs**PLwhtd8rH)wuydu_7s(m|6Q-h$?C9>k>N0V1VEVF7tBQ$D{Z|6yfb<>u zvgGKQT1AT;t?$qsZw^5jRg}SR+uew+$Ta)$kOO>s*WYpLCRSO&%kwlt4G$>9TEADe5313n1y9J47$o<)EO?lrR1i}9X z7azgrYk`kr7MvGV%p$dPX+%DJg-)+awuWme8;?;qVFh9f-)I9}ihrD0qL+P{C42l<;nRJ>ILYv2o0hUM9I2=@_2`6?WoeHlj*G-Ap4|5 z{fvsZZNa3p|D#m*+HZWI3*$9EV&y~RKXXLNQhr3YXu#yl#rJbToBj-Lpd1(j}ZYCTh!>Q6OyIQ6I4$vsVRpiXz+ee@jlF`J1cKf%wmW=e;z830xRJ{JB8r zG@6tM&&(=%wD)q=q+<-s7Y9Gm!WY5%2);r(P{wWA%{!(;xf3AY0w+W5_%)c@bm8*W5sA^Q!VWr zc!C38ym>|s874`nvJZl&OtrW}pD8v6Ps)roeii?)uXUiYt|u`ng}W>p`0RrrQ|SL| z?HbcTi|{vv3)zpYZOTVOm{Tqz5jxL=q%cmYJ0V_Ecm8sAbsiClF`wotOs*9}QwO)K zrxCww@wtb3mc??^j>qor((FCP7$l(zK9F2z-NUFG)D{|Fw44*LcfQN&HK|3GFj{*g zhUOBeT>!2^?8{kAyT&^hV04&12?{*60T-}J0b-wEC>0#yE>+sdQ8PFwA8=iBE9LJP zxtM$2<1!^w$rTL6V>gT``Ws9}0mb_U(6O?G)#KR&5`RaoTwb*g*DQS1x&sy2% z`J)NGt|^1&+JWm;-?|MN^YJluB(y?}BAQgz&h18ozbP2nfQApD))~CM#4$X9kPP{c zqHUWMakOKMYW^z^hG(NKiQ_dWk^zl>hXmrieqRS`x#*=7-kPdzh~4kjtNYIE#_FD) zy~br!6`|NgnPa%p$;$hf@qu+rXZ_z;-OgNpqb$vk8al!8f*Z_?X()xHuqbojdm8rD z3EbGA^r0c9brphdo?+Tp;|2d3%`|lE!0NySR)^}6d@F=Gv~Ck-y$0h0cV?VuG5O4C 
zCWbkor<>(Jb`s^%B#K<(1@w6$jmyfvoCt@?=_7uSaQrcOx64)N1?Mn-bQ7dI)Gg`` zx8Nd$8l7!tSKTW%F&aE_i}SaV%sAeGJ7iu1_53b`{H%oE#9E`&uIbHYt96=_R~@~W=~EfaW#a5R=JW-oX>b*`j7C7 z6_Z0oh1CTo$o!C2Ly)U-&Vv+F;$)EV-!Ak~U<)MCnI1E-QJmCVEUmWqW-x`%}udTrv?|#T)ij94X ztopCHHi9a2B2xGQjeJa(k3bDgyF<(8x1?n8^8CEk-z+SQxB3|QIPXgkX2u!cE3nRO(f11%$Jkruwbhw&-e}JS&fal76 zzjXY=pEjt}*dZnTG`D5sgw2HFWb6<`5=QbDhWs|9j2Lo?g8Evm`xO#n%6O*;+D{Gx)F-TBu(octd zkmrc^#EiN>H#=4S@bW(#m-~&$v>2T(jnD1paD81}&qwUFQuH&hd3Uw`@#e>Ogv>~1 zTi#aH>=6h~qEWMDmr=C0JhSZjr#V7#e|G}Q8i!#*N<;Yx6jcgeKr4s6dl%+oJvq&2 z9*@6EEi;}V-#j%9{*kh-Npa`&Fr5NF0K&PO;VqB4cW*P=FCr_Eh=E^xTqI+W6FJ!15pz>WsMeI`V$!{HBFo7<{=xRezsXjkOBH z#Ds=2EHh_xpArK^C6oVH{EH~w1zRS~Wqfyd;JEAw4TJCXaY4MKZruzReCpnbYQEt_ z``t=2+bZUDf(_Hl&4qFzn)_Jh7NgFF9%09Np6MOQO7QjSHu!yjk+w6k`C4tQ;ejwk}V8_y~-XyoWj9 zv(3r5h)^~6q-k#mVyLCO%ozLoGVUw+9k-ev+KW&pH8}pyD#V7(N5M^4C1N;-TN7oS zPmJHUY-vWzw1>=T0`-b*h%+c^tiMd)DVb(|axt`t;my{PF&tClw#7DafPP&t6J|-) z!`vanCblwxxlYsopgnhjI-$7ljR)IybGCWSd{pxEq`hy0;5`z4gxYd><<^!_C%Zqq z>gMelDmZ76cfBjf&=KJ{XZ|RM7DdF`Cn_)mO>$?-SSf_aaC?Vl%Bbml8`r75WBdgQ zh+WNA^0uG-GP_k#PLqlpm5sGRd`r-dz$EH*Lsh7GZ~EUE;F;zwv>b|6a}S2jhU6`C zW_UNN_H?XH%n$!Rrmh00s_*NHAR!&nof1leGzfxpmvl>acXxMpH%LCZ8z~>%9S@|N z?}>l;eKU7v4|m>hdhK=g-Rm5Shb_0FR#i(RuE24#OH4qyIds~B5)qPm=5h8oY{W{0 z1z!Y!=alS1Xf`sMZ|U_P6e%P!??&SLHn`SbeSV!GI+Uy6hXX$)b0h2bj@Cf2RxBt< zS+z*$%EQsG3H@dGJ@BolCgPjWOL)2>+os{{*VLLC-du$B+l?`@0??OKJ6#-B%1h#K zd2G30VoCK2Cum^rE%-V=VPgbmya^Ek8;192s99grH_hEsB_uA%wilZN{-z7{L_?A>g@9%rZyxoqz^1%wxRhSXYZzdfM@zTB?iAE^?^(-O_WdX zvn``+nYax3t;S%fs;@@QQlns zS)}56C=^}9VnSZ;72|phavkf>gdeCz(GuQprY4sS$0%FlS~D#65Wjt?u{bh+-0l$Z zTX2nywb1;Vt7fTvODc0OfxqJtK0kUyEu7(yZaC!MySD=2Q;3j7F7h*5jZK}0$gPLa zX1}3l)JoZTHfs6iBA^C{7cFa9W%8*%&zQ_8<8PgJHWVUhr>`-Ag=&wwpr1HSf-C4{g7z^Hlt)#xPT!@s3@G8m%ijF6Ku#J=B_lo=(v7<>Eq;;p!DLT`@Y zj9bQOO$AtTy!hCe1ozVNCj^Gr-JvA78NzCnb@62GwJu)Zt%pNl+o0itHS>T4SIVz& zw6248%X6hxQ_d#~o1NbLhWYKQxmmDrXnHDgry4uI;B>3%bzlpu6 zC4ZiKDG0UXsD`4XJ``|YVtzqHsxU;xO_em^p61IA#F%Al1*iD4W^J1KsiM8CHcGrI 
z@`-p=H1KNEZ=-{=*J*!!+E}nD?EsO7o3{s0Bl^|Ab4fIE;jmc$Z3VAItB45GGpIjx zMT^&)06HoFCe~T>uyOl0k`)Md}jjM`)!mviK0%*k4Rh|8P&3_)bRtEa(`WH zQIcGB%y1D@eojC%cSvfIb*H^BxokBP5~LE9Ku0N41@jMXAL@56wG$?gp_z!Meh02y zQCr+wdlE6Bhg+wgRIMUxOIHiXiiyWdbq`t2)q;1WES5w0CYxt;ZmfKnd8zn<_O7V0 zG}BY+Cpmn@e+L_ju~?TP5erU^B4Wq5cQ`Eg$6y@Rfe>Vp_pQ9rmMZSZPCP)!z)$q0 z_&&`|NI8G4WQ9MN_yvrKq0|15^d*&>&gM2zi}g%;lIGdcM7;YWX*11p_72lpwM$D$ zj`jCL4(+@@Dh+qaujHKr1l8&^^695yME6xe3*pmQVUM7c5pj*RxD3}haYlgU)qxG! z()ZzO4iRWdKCT}E;}3(Fv+4fv+z+OB4%a|2q^Agq{;Y-sx&7Z3$>SH)r!@LaQYmT% z_Ic>kgU%q$vb7{L?@2WAHwjAMJMLB>=DI2+>Sc~lA1^4>2H%;FI|wIvBZ>1iwa0@bzcVTnMr!vrw@BH z93%X4$G@vnh?SaKI6K$1<3iG7RVe)3k#MKS`WG<4FYxtP(>hEhxls(#%C+`E!LCM!{gTXhZ*}IOSzf{S8JIMyb|LO%}0T#*r$VQ@Z*_Y-b;UY zpL>$m8u)>NKo2+zQ6|+9&1srop;pC7V3eolj5cI49vac$Ptkk*Ul-g#Lm_zLLfCrp z9b6)8emUTwM~0tEw53n|B2k_*ouumAsrS@<>&0$Th*K_0@RKPB6 zzCTS7K0rU@6|2g@(gzqUmt!ow9oNj5^sbM`ExkmSVzoMwMnN|IBtsIVXA$6{ndFjq zr^j5y1$OM;F!h-6^_bH-42Rywd86Dm%Aqh;M79~JlBp&sk&c{Zt&t>&>YDvmRRfq= za8=pPgob(PN#N(OCToNs3onQb-leWK@7l)lj4U4^KdeiAaHu@jg5fI=`C;;kYazH? 
z2S#E&xYgR`TqFoU)Cc$vI>4@<h?kSc4zjja!-Vf51)O$^k*TP^ZFoHaK$K7 zm+KMy!^DxR*#BFaO}stAVraU;v1Suq9^Q|HN3^l&L|z-B+#PHni7OIJ<>L>eXCk}Z z{R6502NKnHg6JU`%6P+-*9L9ER+KeW`qtRfXEh;1R)o!?fyM+cfU=GElk?vA#~AwP zRSW4?eXXx&sECd7@^*NS<{SgH@BF$4L+d!2LqgZkdX z%es?%5Mr^)c+$uS^p4R*rX=wH1S*&zBy|63ai-H2;AV4ud)jZR?TD##dO_G{TDEyg z=nWLA9`L29z`?T5>5FhK?u$4JP~2tyf>@A)W z`n;=*l(&ZWw=Oa04Wq?pI~p*P7TDP&M40oVnOT45yhTzL7>F&P1ju5`N_J{=b0#hx zhB)<1JbqQNh;QeN^|pNM{Emvw^3Mx}A7LWHrd%6CjZPg3vkK3KAHo~3pFXZjEopvt zlRRGDE5Cen0%>p^M7-X|_%Nk7?s5+S+q%R4u~>!(0LAd2)A69QQ@_&aOLiyg9ypv( z&G!lt@P{Ejm~|uFsSfJ2S8uA+mkCBwSodzLVla>ShQ%AC?XkvkqwFiH2!ld&7@@Ua zT0Cp{s-s65Qaj^2Uk>Athl1AEJJ~Bwv-WTf3Qu~Z9e=dDN^rCy*gbpMlF?9kpkMH~ zVK!6aZ_BllG=docX!3_*3W1Wu9P(r$70Z^z+Cxf=vDv3eDio4Q0QO0}k&6HL;jEWN zaAscx_k^~PUR-BUTNHFIu9c0U=k09n`z{5Aq6NOanJ9};ZA0ddGe^n2ghw5wx)NtA z+w?r9l%CNuzkf0s@5ei~qfRB}Eu>-FW@jMK|LA#4f`6t1pq?c0Fvi5B4)qd+#M2T; zHlP)}rOBwLFiGjQL6?E%Xz6Tv7Ij||{0jkbL}Ez1HclEwU%F{Q`wX7Kj&fm=nZ>rB zD)6U!Qp1>}TZWa(4f?PRvYQ<{bsy>emV?<%CmyDnkfg0Dq;SeR8R0X=`g77|Kds5>=S!6BvA_bv3@|Tl8>OY1po$@=S^KALD6aRl0UI)rEwU*3_~9>pVuc+@|M-g;>JmSC zlD-GS<>ZSUeC?AQ6N;kUFqG|K8qIrSuQ=w*5G%0DyMUpW^RhDuwuTWBcazNVHwj|` z*#={lcxOuQC3145ixlDN3P|ls6J;=KKixSknX5>&${>d(+T3Sj{qdk~4?- zhr+-~O54-VgR=FtKa>$ax-{+>RfCCXWCmJufwP-pMlcaA0shH7R>- zq~#Oa_jJ!Dj3hJ3%dI9Tlt!6( ziy@4BBmQH75;RHZwlT3TAvw1d6-f}|CS*QE!ZQky&ms_KUZ+GM&tRjPWei`-Ag1+0 z7v`$w`l?c;s4KzLR?&@N+Q1N>2569^R<+^hh)|Co?qzrT0OKX+CdnUc5?1wO zdqZ9VaU}c+MTQM8Z)vg#c`=N0Zn)yh-gm2JhQj5WLeMMeTOaXizDAa|o!Qv&*NJA` zAEkAzjOjQWQffGdQok`|6a;5f!q8Rvc=a0NDraL@t2dV__hPI2yzrhuh(-)8boCru zGVU97i(s=XuF1NUb5#U8`$?_|#9qY4A6N_h&LSfj7Us)#pwrjW=6u&n;v9_%6*IPv zOA=*Qc!;va#sWGtp_Xjs%C_p3dV?NW9u;Qn%ZR2&ao*QW7xf8O&6EYy^Cn}z%&toK z02bkbnQ!>$(FiXldmq1-FsFfRKO$~R6#ih-gO)+LmRAD|ZZ0cht=+82mP_Nff zM(APzs<^m~3r%xxoP~)d2hgB=NrTJSKiw4gHEn>tb2dca%P{)p-|&5crhrVLZK53g z!s@^Q9j%eAi!$SN%lr23SA~B@Dl$(ccixBgi39KW6vKvhK^)WOb|Z}DhXCQt-1KI1 zE|qd_BXJjS;@4cQ`9fgc6o0`mg^o>qQO9}CcSo1l2aw0qwdNhc6pxWNi{EVI<||!4l8I#g5mo$6|kf$6Z@=vOi_% 
zJw$~7V&H;(m)a~ad?(%8u>Zv8P(5%z#ixIxRN_3*-9WT*pVcSC*&57N?;aq#rDAN8 zc_{5qKxlY+by1Fwao-i6sm7}L4cHy$VS;bi9~ZG(czY^pVd;<5G$SiciIUEbHWRjA z?a~aeSvq=UZoVwVDnsLVpy5a?isjOP-rHF&;B-1Fop8;Z4rj<2YsC1+ppV#5LQUZS zZ8iNBdu)6IioG$0r};zPnBc!F(upJd($tM^$eI0b@8DMmF_o+yyO)Pc)-`1tEmZ;$ zxwJA$Oj5|DDI0k>wlp`o+w2#5VW!h;>qN}?iZnO`lL$!3YkwfJbO2T^0*1&XBN#1+ek#_pV>^wqM5;7JKgaqQGh(I*J_R*sTXVy4{QeR3AAsH@}+KsVMW|| zez!ELY|uT++NRUy7xb#VT)zmoZ=H>7=4fpS+ zwO9sM33mPp#Z+X09urCufW^^_Y5cvaU$ne5yoWsnc=bhd!4EQ=3LbnM0#jR&Y39>H zUqE*I18^3WV{!A$^V0WU@AC64;`BYqJRi=B8ptXTF4B$Yp<&Xp>EB zOWdQ*L6OxA)}s6|aKifNucK$Mr7+*5DGH#NzNa!Ijq@=^>IcOFy77he|C=pM5TvQ< z=+XJ$*|KPhs#*epv2DV^P$aER2D&RiHd*?)fw3;!=ZUe@+%fg0R_7ka{*sTvZ|{g! z5@K%4sdal%59)Tcqq(lOnJT+!I?#~>bY0s7XJ{L1RQ<=Gk8D#yrIt>lvaIL7<*2@m z{7J2`U!#-KTJ3rPYV@5`f7!QK8+B|`0`+Z+`+^$J)Y%eER+qHP?Q`WxXKGt#XXW&_ z28CQSdI+?G@LKjN5`7hyrVynX@JBrrvfcw11~nBMu6SdID|@O_=N+au*9+r49N*1jxqyS-j}ba~DPivC zQ8tCpd?L;ZIivRLQ>`f8_oAD>CHql#Rmp42XWw}<1al|gQw93|EQ4Zh#TaqIm?;aB zA3L9n(3}evTa%)R*G9v6K^!RDsDVLNQGGDtyyi(1D!{$g+#NCH%#HiKlvBk&%8?#^ zI&bYtsc&{aJI)KQ(ee4|YdN<{I+Z>=#c}?HqiYpHF9(o)2SjPNkbH!Fsi&;d=Yw{FVO)s7BL+4WjrY_vsb?z`bbYht~N$ zUEl3c&^0D$bKLcOx8PAQpA2u?&b8txUDhJop-a4WmKz<1CPf`X=#xa{BQr0sGDh7` zqLOHTtGoH*63i$XLY&~guQ(p@d5~G$t&}oStPVGdpB?;N;$;v&LDw2)+-!Ez*+ceg zU)uQ=A{*K_A1%3@)Yqic7|4Al4IaMCWjUS-QwyZxtwki1}i$gwNwo4axKtW|MdIz!Axa1 z>TBIsR`tVqK^T;K(o1)JW^v=(;v;HKNtr>NsAhFQHJ%dZK2rvCDwqAi+(P}5`@_Am zJ0&s0b%BfIL-HvG^VVK%(jP-@I3({wP4D|NuU(t-$$u;#zqA8Iv;cYN!1k0We6e^$ ze&oM?gF}EU0C$_b6ss^)zz)+E7zEpPaa8%%EsxJnw3<2z-nPW_IqcdiE2uZLvzcCS zzKu^+dhqhbh7Pqk>I>ulL1Dz4%D+JyKrfA#!~Ihb!;$|azfs;ZgsT_B@s{q{giwRx zvKoEK+2FwEM+J2{Q9~*j+V`AOy92m(kzkY71711^1scQAMKUB6+(EG8`HjWU%l5I3 zJjV^&@Lprz5Ri8~< zR$}jiJJ!SW50e!_$Nf9TJHFZ#-UEr(fq||Zcc7=Swk9=Y6NzcIKxLDWi}I9DgAWZ$ zFi+vPIyV5^rsQ|LtO)YC^>dE3ST3jeQ)vSar9{6Lq*EVOE|OCm?&uo=`8*3fTe z8LTZIj#|Cd1j{z##bIx{e1bc9vx`J%7r&Q*f$c$Q_<UU;yac53#1q3nwzF{q`>#N#%X&{HdA9wZ!@^(IbFe?88F*f@f#+pU*N*On0wmGxQie+_0p;mWywCL&52;(y 
z#KLIiw627AL(7-gZHLFdkSjkTm7Kd<8X`Yb*RGAFKL#?h&0nT{k4!)KNnTIMGH3iN zRMIg>$t)62XRnZO?OW=G!?q#4*64Dwg!p#YkR;aWArH|?@j=3*Kkt!l*BUY1{1T(% z`|~$5@}4q0y;&}|bk8P4;3DqT%*C2odXL{89p(1nhhZC%WL|gE$d0Csx6m^$PPQi= zq9{WXU7-+{Y<3wHU<8*864u3h8C>Ss2URjt6#zV`h^^G6kRi=*xuSggmFVou6M^4t(*v!O z+ht4XjHmE5854)-ZMnUB*L8)+#N}1Lz%Rv&QC@KBu($R`sw~Gvf3JL4XyJI*vw=c? zJm$N&7kwJrR8u9iv;;0JII6X_X$P2v&mOirtbXB+@NY_5E--2dfQxMXit zSW$nW{ZNuw+V(TmU@{I`QAf6y;CJ9`yFxnmu5G8hrf67H?H3(~S(XOh&2WUSiQFMJc^KL!h5u7tdEn_+HP9 zdzcf|Icb(DM*~k_Q22I-!#NUn@Nop6&LbT?ZyK-9L7BbdM7;O5zq=2PR~~F{t{nLu z&W`!o?#`)D99x)O3m=Iu!F6jqqeEF>I}G8%?jaP9Xq_wioJ+Gq!#t%|Fko8X6$ZV08oHb6D zbX9X~hgFU7_?SfE5x(8-0Tcy^7TA%sGLl_2Dam`P(mY%rGIXk5$XswQjJBg7sENO9qI`@!<)^#Pb3;SWw`H*cp|JhbG*pW#EDyx@S(8up=-gA$<6FQn9d$t?=S5bhy4$acX{&U8ED-1mmd3WPb^!&Hhe78ShNPAQ{ia(%u_~Pj5>qt2@?}`o)uuq%?QUR4|RKe*VV-t!KSDM>Bd>W01(cW#bF0OL2xZ5{AVM zU;Z@UnH_Z3QXL{+V4{X#cdskjFJd17%v{UI;59U%T-{_GuD-Fou`T-htr_072&aFW zG;54kQ88;+Oi@c-iKbhI>ZNJ6h*@KYqB2y*A9LOfsrPK}hVdQhcNV>UV7c%$%ytJ5 zlAkRhCKoA3YGsrl8y+4CXE$%{0X7)Yb`jZaOD%4`S(e*Zc|CZGiW@#G9i|>V9yR`Q z=P4QAR4SP`HO{O`Whw37!yM!UX|t7Nvl0Ui`yE2emRxSek1g=W*%#T$7i`Z649SrV z_gjyc-?nj;WMaDKrP1x!Gt4#c$Qyc8H|*GbUa~lrMKrdv>UBSEUi5^sU@JDIK4xEw#)tfp4k5rL@nn2K?(>@$s#g$mhMwGUPIo0RU>Si}I zVjdYYgyO>6G$1>>{n3Y#{tMfOsq6yR_mwF^Qo8>O?Q4TMG!y0z<15y>^SF$~<=!<@ ziN~dNOPHzT^o-?-Kp&O0zNc=r7O`3%YDd~1LO3kZxCvaNLBN?gI)u~Uke1ikcBou@ zG9x__Kw|$bg;Su;9;LBfd~_Q+&GymZ)WW?*KKeWz>HG?Cq1l%5U{>;7F%yuCVpb~1 zaen%FMiEM>GJyAJinv+~OG3hM=A&C0Eu5qDw7KSD`ITcARJJXl0uT1$+f+@nbKHHV zw;Ah(>`_1R*(Ht%S0?<5K!=UVi|K44M+^ELk5V6JT$=$OR}b2T07|Vi(3z+~wy?48 z(jKxWq@jFu@P9rGStfN)TO_P9h@e!7;u~5Qopqcz7eC62B>Bi`Cd?}c-X@Ni7jjHTr%vs?uZ=8X$ATlh8crLDh(b+

Uu5eS;}Q$kjsUHZA4$6nx;#dz&rDzUQrI|oONcQ?AMIHyAGxZkrJQCGuiN`%wV z;owV(QyzMMr0snBzId%?HR~VAR4~nh+k%=L! zweXPbF}{5tybH%qlteg|pTfR$t&E%p(0hAvle=FqPwYT4eZh0H(9R%yCSs}M3H}C% zsEOS=%HWcUx@)fb#<<`$Mrbd$tR71=)4O_7Oc|`Q$4Bz^PXbqEDI zL5dB@s5jh0ayY&uaFjwXWUkSLKgbX&>#DATG9_32A#S-*L()5?n`AJzF1{agITKS= z3Nj8J8nh!@X-JguvoQsOpkc?YWl5v0tYOAFH`s$Yn#25&cMZhu{+150*>Tt~2ZL+o z)~R(+^Kn{=&&r-TmA&{bF%M#qm+PnTtd}jk;%?>>)Cj?V?;JJ7;Bit9ju# z8}?Xndos?xvBx~c!_;utLciOgyhk>Vuq)L$cg651w@TuIU8qmN`hMGdIiUT#yTGYtj1aWq=X0rxWI%l&O`dur*cMrq4_e z;~`~lV`=DBF+$|14vJM(i$(P^f{8;6F!FJ*zw0=?43YKMF_;rGsaNr#ms5w8{ikS# zf~*35YgFeQIDW+knzU2y(VR|u#&F+o<}2;XVc)TU7R(a?4Qdw0q+{^5WeZVO?r;Xc zu}<+qVBZ6tbNC_Wx2VAf5~b&4k#a*k2bEDVq|$JTz?qUPsT{Mh6gpYk6ggGNO$s9e zVgvQU8*bVq#ReOM>K9K?J^xB~l$zlTPKhift4#Q+!<==!+1SCS;;le?ykQ^Yj{A=b zhjPuXy4}a4z$u)YGon#);YU)(c-6|KQuaJ^;YZEEJ9(uyTvroUbBGq!noN6`=76qu zM}=oM2@7Wf*%S1)-)8AHjJ_-vUvANVOKn+ob-Ki0LtxnPSlbSI4_@&_*Z!$@=oQZ% zMHoV&aXZOs6t0UkB$XUVzi(ThXs&_MK=oZAT`)6_!60{Huq}KAf@vii< zLAxD93O$7P)PFcnId=4x*t#i!& z(JI5x0bN8Bm$*m7p8N~)AmRTk()ivemz73g5Pnqcc5(I4b^qe1lj9 zQ$|sP+DD-w9~Q|*35rO6z*E35tYOy2gCdw`> zg|-TnbsEZr*WBxiR~PRB7FLh>S_zqCgxHrQn;9L_*+rA?V*Q>+dLAj(kAo7<)`uL! zfN(RKH+NQnW5YhnEYScWbdoYbl(kaK>KkJ}Imy3)Mqfbu+I26g`iaNviaYP*0I*e0 zFd?DkUA!;-W{P3e_@mJ&4NihpD5l{OQcoD(&B#gX&Uj-d=uc`c|48FjlJziLpJdJdTK5?#E06GqvcMOk? 
zc(gCvA3SO*oC5fk4qkr&(4R{GinrWK+;VR>si_qeq|s11v4*p><=3KuQ?tAcBdGMe z&E{)9rmMeuxIMX1@mSy!cBE?1VVwQqE{vs_{HTrfoB$BftF0W-S&{Y%U^540Ps)tx z&t%9Q7j0uEQ%yH8#6L1jgVX_q>Z|b*7s2NO|J3LHx5MEXY-Qzf!a{Xosx{Z8b$qpl zucuMk+%enZf_1r8oV#X)Eu+PjWNiI$VeaX1ItyN0=E6g3nK>szx}*J%+O>L`g1RE) z9UsL9;}6elq&&p<18q~8*u*z(GyzH*rI~EprESITp&tk;CEF=F`2C`@UZNBQbuS;o zRP6apx1@)5c64TTbkwv~J~V(2)2^bOfxmQO`mTlG-0XU-3Ia`cT+bX%eX{^Cp%bhu zm0vA7l5L32D+H=8Y4&0xU#MWU>_`57P7XLw4EwDzxTW}ZBRZyElw3vL2z5iYLbFsA zr-r;NwmBsA6YP>mjBVKOm*k976HY!o?%VMvLQRT=)4MawlnJ`#lRcEEYyRQ z&2B8~MSKe>1N}|I%Vuf0{Bt5ih$31O+Ls(M^RJbxgJU4cpsO_IN!kT{4k4b=6=w%p5 z%GJtE(~RZSY5Ry!l*Wib+tUbXa`r>j>xiUvzVJRHAAz)NSW@>E^~6xuZ+6a@V?vsb zQajL&Fc>wBjc_P|m&&zf7y0FOH{qag^Lxe-ZCAZqDzyM-v7;uY)48qZe!&1a3(UA>n zA(@Gj@M#$>82uL6+^W=SPk*3r+hD6u?zISi&6c`BPXJehe(cyJ#ED&fgxPaxbUL14 z#YF7~>J=_*pKf{73^_8!+RKv0Y&pw7w_ieS-hp zjhEc@NA1Dx!LPqh-n0(mEpah?2(iH(AEqqYRl|Tzhltxc^3gZXp`vynApJKasr+Ak zOYAi&;yTP5I(LnG;%|4N;Wc;D>Y!Jjv%e(1hP6Hl{Mf&JD~?5LM>q_6Wp8S`0=jEX za5rz1ybIk$m;IjF?tGWKARiS+3b5;xUoOG`{gEkT_!Lcx+Bk>s=ab^}T9bb&tznrw z)=#h2#1S8zE$tYYJ?lB54ieM(w{!cALF5$jI=*d8emtjOV3__}NaJPfn2|0zA+|y; zeGDT$a6gxApQz*l)OQ2^U`wBVkWKnS%m(q_4^5Z*Eo3R`2gpp{N#LrFm38YQL( zYgD^Divjv03BmN61=mG2s-s~2{kVQkU#C5Gv5xfz$OI9Cju;w+*g17cLv$m;ZwpmZ zJ}9YO|I5T=AXJI!aA=$K8TZK_7=Ef={&i$|HwQjK4@<5$dwlP^xdwE4qkdJB-M4`H z9kbr;llL65%7b>MiNk5Yb{U{T-@!Kj(dc=S^-~Fcnav9Khe-4)*3Fs$H(qIqt zS503--->DRh4zus7rIHRKhi&GML~H!f+w7}eckHQHn;5xm5hAsWV#1jBAzoaeUf=5 z5U6(XaVbS{x3i>)y2ttZMd-p2_kdpXQrjxGB{BTfpG^530pbJlrZf=<)#8Eu6nM^(ZRe${&g#JbHKDF}4Sgq6h(^GggS`1OeN|EEF2Z6<P#A zw`m|R!a4LOb^xwj=pSxOGqC9!KS*#Q2H-@hc49@Co+Qz(kFcuiN#pF)}*ou)nU z2|q0x+VLCQU4wysd%qXWz8CjiG76}4t$DRaL5<`geoN8;N-<_GQI00o(q44 z$?BbA-^--u{GJ0Id}n}wVy`Nkl032ROF^>=on8WOGobET9vAxI3;70xVd1bJ|4WAuzeQw z9|-rT_|MGQ9L$_&N5qg)!zqB-wVy(KDZ#e`!kO2mY$?*I;+zyIJks7Q2H(yFXt4SI z17+P>2p@Fra!g7c<{VTL_=rQOQ=B);=XT30%dPI^wzhLVWDz|? 
zfea{u_OPx4nSp<^5CxM0;TVw7QMkikYnv*3dQY7xaHQ8$;_I`d6@PIL3SKR%c{%?l zi6X>3Vd$J1l0YLQ#Z`6Cqp5;A2>?NzqA0Fa^FdI89G6_dm&wg0xvd#aXtw&qS+i{i zf<_2aJ^(k^kP8HgGPKXGyNRFKZ3;{`F+_mC>(|h5v2^15R%1it#nbTbKO_g8dF?gR zB#)%1gr6^NcQX8^PB}x+j#?F+!J|Ioru9Wyg4rZkZ(ioYV>HEUI$*LnpyIIB?rJgP z^>8}6d|SXhKJ#b>}i#WQE z)>vNbC9A0_r*1rEJzk{FJu&{AuLp(Tf0uH&TsrK11a6dee*-D#`Ktg|S`_${OM`D+ z)Cdd@Znw|7BX+L&9oP^}2#auV;I|czm(@>V-f$-Yxra9BU_iaI|7kX^kg8%=MdL}R zuXrQbNbbBA#npiTWukKK5;$O+)~S>F&%%Y?HcM0aUy@HUQ`uP$aA6l4LopWZdO3dk zv>xoY=oHVLcT0dy0YNGD+UI?-55w?Kk#2C1d|zpSF2~N|bUBJF!S7G6W0@u5Uf78> z(Ca;1M%?cJ8{io~S`D(LhYcW<{3}Ab+aa3sp*?Ha-O_F7Ez@$Em`@XW9&m~~qA-MU z$e7?=PN*gh(OuqzF zb;{hRFL#8s4jdSv9k8#x{v!0O#Va=`=^-bNbxmdW#x`pH8?hU}rs}Ao9IEp;h6O;KyAfC4mr3@pe+DT-@ z+7XoSrA)CD!zE4H>hC>+8I(MSHiX_r&%A@7XGXC7uLEXYZNp~7^#$0xQ*A>8gf#Qn zyt7WXj>mmUM(f*NQXnd=ZJ552GeQS(3{;?`&bph{cXOI1mzY~1>y-KKzq^d$oB3OE zAj1r*b_p4A5t62ez5H9&!6ADvw|<-SwI+qtp1E?WYE2Y&St4oQ>)#q(&xV*mmHE^Y z%PquWGblLy5FJ>gHve{cy@l2xcbVSs)wTQY+GKD7R^HnCDxyV1li$1OwW%Pe^o$*G zfbq5i7BolE<2sL#(;)hxzd*#QDsdoKb4!n46PDk9r9j4&E~!-|*BUxaOCuiNx*wo; zCUn9iwNnFi*+mTVvTboi|qqnmeNzANH%zrNhaZgotBgTz-jJ}Di_T=9C=Du^eoRK*O7L$#wO z7{A|E9o*(lV%D628{Tp5+2kG+QfJkn=^P^7X8%Xgab2nLPw>`QuMtb4BQMWur=;|; zywZyfZv8t!a3M;g`Gn0AODogU#trc>00!&Q$6B5w{b0((Dot(>t+h#%$$5cIv&mv? zbZL>)y0XIVxal)dH>O>v>Q+*^MV^1Ha@=sF<60l#>nA!JO_W|mp$2fWlabaZCsK=Ox4tyb+fQg@gc3if@YAr>Y>7%} zg}zoAw}yTV@ZGL;{dcM5jj`-kCL=$dEU>XH6c>SH)Oh%Pl1ZU`N4u0ImyJAbg?)zW zYngaWtvqfXI^R6ta)5g&bM1?SkKFL;M)-VDnPQVr&EyICq-aecREh&)$zqt$qUv8v z^5}8drEqnHVP0Z(+&B!JYpmD=C8(qsPH3E)_6=P2S{EObR%W{;cHL|!brB%@41bA) zSZGh?$4_v74hJ6$YO`W}fAYotv!?>gA3#_+@s>?T$>k*R-VaiMk}QZ7NT~a{gAcx? 
zKHP;%Ss*IUSlxfJ)dx>k;icH%K8xzauGmtYd z&|tH;(pLCSdEyFPBmpiaz{JlAdFD-3qO``9g;sF6OFDi5S9)0BlR|(N66OPiB-R!l@*<)|%Dq~hvn9Y28wAoGoyt5xqJ-V>74r>o9 z2&ZR}m?yGZs&~v!5pv@qd~)YfH?}e2fn$UeELv7Gs3@aC%V1HB+v-X`C+|T(cvUld?)uYX9@m3(uBF9dhreAdG8A-N-QGr4LS8WqdxcnXEbmoeidSiG%HFn7g*0SZJ z`rodQ>QYtRKee1MVw>>`jH#|TyG6@b3(D>v> z8&gky6*40{*ovS`tu@PFp+lN#4%?28BPKBqQpJ6NjSAciJR;Sui)!Bo81zBpAndd8<#=C+jqE(PV2;rFM7hT4B({w$H^vpR&d93#vLge$c} z288V4`l1>zVWGs}04O^h?6z!za`RZ!0yk=b=s$E%NiyP(6#{07f_wGMX_9=}o+pfr zZjZTWaE5Urb)%ditx3oGW7j z>TszS;X}h(N+d4gzmy+0XnAh!+3j2F6ZjQdyA^3Ba#IT$+>skOH-zBqDM~aPF`h%b zYymDIcgdQe&jnaN&n~0iW>u(t8baGAKM>In|8CbPO|QA{15Y1t(Lt!lir490#j#6-6D}sCA&h?aL+Mei_BiozUqLFDiJ4{gI@&4IaEmp&6 zM>EB=Z;BPjC@eV>;<2yi?My2C<0X~SbJt(6Q!0^4lnFsqlXeLQ6uTG?F^FI6Id;~( z|FxP|mdZl!oX~V&_a#Z?Wr)`^A*#_dd{we>N$xk27yO%%+Ibh2iY&Z6Tp!O9ftDlQ z$VMhtj*+~`9QNz@LgCuzVqG@nBfGe59?G zh=aI23{MHF8$D+RWy>F*J~XZ7kDct)6ZFabH>MU|`9i=Bu(O9y ze8$sU<)Wt?@I&7#3RI0p{lsWjE5I zGI(J~o|O0=)qtZ?T#34!VfiFvOO?$?7JW2T-LH;r2|?8_8S5W1_F=9=Zu@KbI%nfH znUU1McYL0$-6SgE`pLIQf^~MXGw}orX?(24Nw3(R``1KFH`uQxkK}swF(Q2!F(CB@YYL* zSAfy>eTuI)OPO{)4y+x~o~LD{1_gFIaZ?R^Zf-obcks-N(|Wp|H_VKGw_V`BxjPsCq&yjA>r+)pqw zu(F8WhmbXRU!u#(jSMT>wOX1c#3NmVKR9S~jRCK&R-ObmQUO$3h?_}USuQr6+>dlH z&ls`YNe9zU2ScS2QBuY%>+b`nsuTu)QJ4nwd1F5(WS@T~3YfCC8L@fcJ&faCTdP2A zjw0drXHH%C)Asv!h02?waOP?zg$sGhpa>Y(vAfDl-gmk0+?r;JYdG0l^rVXS6DJP) zkFoe3$0zRg+#c~7cn610hRnqgLZUJe=NGmg(_sG|71NUjOQjukV06}!G<0^hW>u+M z`q)b_O%Ezm`m%O(G^`5f7Ufw2rk%O6>DE3CZOQJ-PpC%uNth;xY3}RmGNOydGp0ii z7Pwi%kca(uq72+uNTC2N$mnd`?6>1F>HMg{jTSZCUq|@O3tZE0dec^lrcvhbm#sul zB?e?3non%5MD(A*8j%b;dJX(Qk;W$EluR)h&2Wd!4D(bb2OUKDTc^hlX#O?ViX-1rL&-0Q%K(?)zULk2<3imb!DSYSaZW5bvXl zTd_syuyfH02$-;vM_7(w{9#hAhC6a5?i2DSblE;t^&RJL@v?+M*$da$lP|cVdk>M< zT?w%VCa&-@8Bs{iz>kg+S5TH7>fCE_4_Pd8k17twawpwfwjB3*h35S0><5+U>ukZyp`2_+=? 
z&Pi+p=6mno^St-Ge=!+1Yp-(cwbr%v$>Gx8xv4T+9i#5-HsHGhgYY36?yJul6R9WB zH_|eAAX4|{-khy#ydBA`qUb_@yP)g&9?e*@nFVA<`I;xs3>jjdBM&6MD*hz@{Av7Y z$nLCzb!&NkH*R;nWsfq=`N=oe+^rhbsV%?(#+`l6vMaR8%33Yr+ zPl>Ec%^xyOaIR?y{QHqF-<0@z(-`i==eLH0tO5jA4O3nge|oiN-G`zz)u(py{rEoN zu0MKK?b`-h&G$<1<@4Z=I)7jL%cv#jPA<`|Bq=Il?j)+h`QDL-YA?Gg-lJ(23Er(X zpY|lb&uR>}%jK7!(P*4_p?LQwe5Ri`TH+~zNF#O9k;sW@A*Dnn6x;_YWY|(z{ zv#4qEM}C~FRR92hU~siyY1Nd)c330@YB-1Ag2YEa#@`1HQ#juz!_`Av-PTb#e6 zKssz0@S{@hbbKdR(Q+f;jn*kqj|Qzqm-MQyF-f6+qI=?+=WbGa{93~U)+!#jDzhGW z>IB_J0fCJ+g9-%)t=~PME5y1U9hQX(RfH=&Uf+JI_KcbF0~M*Jf`=2Q)?MY2GrRJ% z>OfG4*lAME1%GSNA31K5&}Xd)#haqZ!PVIpvv@wj8jaLYF^La9sfcj#_#|kNuWz)) zC!XRz34v`VQ6Gs1EVRI2O{Z#%ZHeyj`gBEaAr3_*UB89MH?_%H zx6={zRA{DWd%t~2)b94{>O+_Ex0j$5hxkxiqiPvVBP8REb4@&@hQu|!Lmn!B`_QWX zQqCX!q^{BN#=+@p*4fB4AC*J-Yw(c|r%mB!J_O!vuhx^F@%+sD8P%9D>(^5+(_74y zp{BX`h4Onxt!$~wLm8K+Go(>P=3lt%~^UT4`G3T&T$#)o;R>QgULXU z%7iTcQq0RFlpp=N!xCazkk$SB@13DAwTA(fj6DYaNAu?NSwD9A*dAV+b+XAzSVFS* zfOks7A3+gc9MgYy7p%J6eELa&9>r`!*3s{mK{83)oXni_x$A@>UnqbC_rc$d>-bL0AD(Z&M&R>G@vS{wAe#QrQD zsEgk4AVP7TKzv^o;Uq~_Iy(c;+9i=P>fQM{^wuWj>${GmjuGqQ8YzF(cwWH!AOg)$ zUwFU=f?zzRU!-*2u9duT;M0J9gfeu^mDgN%oa#aV_x8HhR zrEcoDO>*zYDR+JhutxI7QGPD??&5^v4asD_PZwizwz(L=B{N}N_7tHMW4Ky&M-sfh zGqa#RVz^ooGG(WxzJJ=SVlwBqVX9C98hC4yo9{e9msN!XHxYEN-WCXaftHhW3clHq z)L3?^343CANPd&?TPR~>`Xxa%v<(EZ81#+Vb7AQUQX_P6OGdXC}ku8D}wzvqxhseF5w3H6beYJuigye2#NQZ<_TWJnBB zFz{SsT41utB|(E`dUsJq--|cge$(X_`&ON`xFRR*UisNHje5>#F`8}B5?*8uHGS%j$Sf(JG6?)R!=->lC1xi5eNxGi{W&4m( zIqkJ{pzLqYFlh||@}~YYmB%|9MZYLJ_TbgugYSY9kh3idd}0#MeDS1P73+y*yve4I z7!M=IOE&H$k%`B)uHv3gu%Xr;?o5Pvs8&c_4(o8a))DZiw>w*U@1Eh46QQl0pXk*Y zenyQFh7(74dXDJvon0#%dm?1LqRowC&H5GY`(HPdh(z9S-tgUq(<6c}%&HVW9|lH= zuI_iu8eOQhtzBJFN?{4ho>d>H=Y0bqSTVs z{c_7o?Q^4zi1l|LbcX68O-6co53^h+(#-p$#Vf;lRvgbSU23SXfz|egAzGwJEqNa{zJm& z=56UIdC&Tj&*8Na-3hr{pf4nM28>t0K^zW$CmoxAb*8tsPbGepn1Px>1s zWF4<2UU}}DnqK`vs`p9a>2%A(r$hAaT7_WrZfvOu`?33@)vHSn7IMLWd|bXtx75EV zy^G5+P>@S=Y!gyM(Y!hSvRX#P(6$#CDqj&faP7|Hq9U6se@AWD$Qs{X`}=Ut8nc`0 
z@4U3g+)ySPq6&9OQdU3q9PiRhDp(&P{!m_^Fl&r?L&#N?$L!{L_M0}XHp=Go3GNgG z28;)F*98=%Bbpu6Xt?3om^;E&e-Lie@HmynT?qXf88+5;Q_e8oqiJjL#lzlOnj3S1 zA>Lf9o16ey@8>rb5AGe8f4Mj8Kxzck;tgWhEP)|umUOe=)XC50g|x+McPHe3qzWa$ zFIH8G>UBPPBb9uBX zw%p~WogO9j>S*s#GgEwB&!jzjeL?Zd;>iHf=}~{{QJRrwF}Cfon!8g*r~*JR6=oJXR_@Pb)DFSB7ZbbVMC&I%R$Vg}7N;iKp;PZOtfsgQB-u!(oAm#K}>{ z`1l9oHx;n!Mud&(!w!8U-XJUmYea`>2feAR3QQcaB*KTU;<3CQr<&}!jWi)8!`!e= z=a}6{C>;`@89jwXBH{MJs1T%6M)OQ{n0$a46>>O&Uwwk>M*N5Q*Ih_unwHE-uU-#4 zat}7wU7sg5VSRPvli@|>JCV2I4yPQG>?!Db^pUj3@vfxS54Qz-{dHKp<;Bh1*4}gEySKdjF9c;>=yX>p!-f@cR3+c*|cm zfi2xePk+AHQt~pyb*R5jEwk;RiR$~3L!`cg0f$N-QbZQ6J$m^!@OO--9JkEK#JsdS zK8jdvc`IqKP_}i}>K5x!WTeWCgyu8pg@@laep2`A^{9)`IrJvfw;w8IQT5@#I-esu zRI^_Y?}R7)cv8LR-KtAbhCWI0g8H4q7aIorhNv$juADWpve|eb|51QP*+aT**K>?? zP?eEyaZ=c^CT8tZ_hbc>P&`UA9OZ3t(ZY7qZEEGFb(TC9BSgG!XR=+=E9`<^sMq;H z;gQ&_2hW*MpD%9s((n}G$$C^ggD&f7vpm3BPc)u5h`;-G zgZq{%0kjv6cga`2yQq?SmV5e^$3~B5x9(+$w5`7Z87fk4RvTi_)u4kCasnO;Wg;2F zGQ%Ygw#!^gnjN|1dcIOaaNcj|U^Fd`@!|lOH)0uC8`Tyq_WNQhLwq&`T@=>dXL{w? 
z*OsUSUFneU`!ClRkare^Y0ZsXgSbB05czf(8)1jy$ks|wbtB)AF$~68trGu_I(w|6hSLl(v|(dy6ZQE$|me}J-lkPYEN~_5xhRB z#-`FNIIB3lY1?_NTkT;MN1qm@m?iG)`0*e`PtU4?Fyqx7uLbuSjXWB?(9-6^jTN5Z z`kJ(v`tF!(NnbfH>KZ%<8)a*Yj691xc8f?Q3peem7cOgvh*SPxq3u$?pp!At{(z)Y z{#In(@h^#mGH=!iQspc2w!Rm0>V?zk(5uA_;!iUp851Y0`q!!WxyY3(Jj{}F68Y`S zVO8!QQ|w2poux~-RJ9e4sn&0eeVy)U6B6sHVvC->N|NGr$xyI}(>y%%_ml{p*)i5u z(nwQC4+9>`4lfXeY`=L5)x++qkDK;LSCku_*^Ia&ow3Er>0DOIylMEltB>95lEohq zRN-4<6YPOSKZ@w1z1-zS9vgdr&RQW(!b#f*VSU!rE?eyJ>DXlIQ(^n@q3GzLOBp3H z9t02O(=8;)%BeTp??TU@)OlH`z?-PcRJa+R`QkoxBYhy?=!ZD}0e@~e6N~5fp_MQD zPVa1V=}G?_W2(;k0~do_ZpI!P)q`%`n~s)vp>3pXzd9LZ49Dg)xykD1B0O^3RXY>7 z6GuaH?1N0+1P#ej!yyE2R@K1C62in=&DI>bl6YG1s>z22bK#)?SED0P2mbLRP?uWl zk@ODXvM<|y+=T^ge3vvW_+?wuI`Uy%=f_3%7hnHXsO24;aJ!4HWgG9h{=$jusLqJg zD>FLw6*9N8-ZjLE``cqp1|AQoQ==eGYgyZN$vQntXoat7-Llr@z`Z~91rt3?aZciA z6jS|Qt5#b)Z#g>Dc~$pt>+e5;319toe+gIXF~wsGwOj38rhBIFRTyFFvya4-zc+8^ zUqGp0FLOuj8O>{|ekFLFoai}l<7q1;-pI1vzG*s4CpvjvTLaSQD_(o6#wZE*w4s$K zwwpnwwfSAJ;O!sEyWV0KHZ&nLQ*i|`Pxh2BnX#X|VHR}}y*+w#o*=^lVEZRo1G%LycCy14eWEersF5c@?0`h!Vexcfo|Pg#qvqOLb>5Zbs@F za{g&XUnze7Jl2>w{+>KLv0K|aQPpQvLk;>Z>&}=k4vdSt)B4=*2LjJb^JH zWeSp;YonVoPrWW`K3&tn^-0#`#~Z84|62V)9K&S-jDZ9{hQ587POG=)YwtKV6okIq z=z1TI2yLz$7_YF9Lm9HKXW=&t#mfqyT3_T`B=SA7lPQ-vjW z90k6oeeuqnU*y^p9R!m38iZmCHn@;@Z*4PiIHyr=hzgF9R;~=2S?7QF*(QUjP|^nY zjf4`xXCv))%6ppD2g>B;L?G>F-ywE7ycGVORwv@Xz8eHSSIK?};rrWh2PO1wTC7gIV<@#AvkxaKV5aTwefOFc7`T<8Mp14W(&{nLlvI zqWO4g=8uUx52DAmaATv}j=h2WDIwfWN{w-GxlXKg%-P?q`b1&q?<%R{&|5nTozT$z z5WbkX-m@)^2K+8>=Z}2C?6=P+byu`;VfcvP3E<*DjtpaKT8xXHeHi(z) zglgT8y>hTe&i^?7sXBoj9((s^9Ov(MuNcmOX0@NQu-fVKBPgahtGECQeSn|@3_N;& zzQw5g1{Y?`G7KJ_n=Bu$c?d4m`;bULk6p;k+ptv@_{K)b;`*H|x=p#iKHUGEVS4f5 zZk-;(7D{u1x_f-7`;gy@O37QXCNF5|HRS|Usjk>X%q0a_XU7Z8zykrjN7f7RKR1-C z>%G^%KSTfd?cm8&=oSUu%0}MrSu^yB+zan4oAZ#%qUNV2;=F<98->Sab~ulz)msh>yuCTW^IQ{BUht-4(4+Cp+=;9NMhzk-%_G0O!!7 zHgs-p2C?JO8TuSxO7t-Gbg?P7-ubZ?8o5wGT{F_Tj!M##%$V?*)|B3$lY zwU3TYal5l~6Yx28npsCIDIrE3v?@PKVzg#=_HRoTJ8@Od@a+@r^}W^tnd()S_{%Mx 
zRGLV}uOY1VKk$=Y$*jICiQ!5$XnsYzN$0nJLHefwTg;Cb>BAm=|4zqy#L2t1!#j< z*tw8C``#NLemohI={UKnI~3+K4rD(6zQ|E?d1`WJr~E zCbF;jLRsWMK^mp~S=-Bzi${{{&o*seXiahSFW$Pl#rqn{`jCY$%-}Ly^I;nX4xtjG zcZ}tdoFY*(;`25)I?3C zV(9&yvUwQ;98vtc*b42(+;9>_lN8WRR%|8=Pxo#MEsppckM<-+`DW-x@isrL49?=SqOaXn__69vDcQ?gfTy zqkk|})8HN4nxr-a&)if?FL!z`1jT3(VN!0P7R%{wMep?T^_UYGkP_p%INH9sx<&7z zPsSZYqs0nkwGLy=)AuuQGtT7ey{D58>0Y$c7EcP)u5KY>=3Q^2@?pCmF6k|ybkn@> zj&q4AGnVdZm@eYhtp>4i$J!6OC)~K0*Bo*>nIdxdv?5jPwGHLN>EuiteQ_qf>uBdl zkj+=G_!qdusoaSNDZ6*=s2kp=9%h_~93Jk6O?93%^tCxV1)2FOwLN8c(p}6;BR%n~ z-VVH|ox8BLnp{wh=4kOI->2YSm6}ZmWkUK;W(yzw&u`H((5~`tpaz9s5cCYGcX96aZ}{44oKYESyt{9h5XLZm z3U}2a)ndxgkdxH6g`)>{djgC28Um~2*M??of4V`$j`^_rb*6-X(a{~7L;^HN`^USz z9yXIsXd1iU=rSt)LY?1R7(W%}J9@S*ECYv4;Z02M$!S=qaKVhFyNy>9rpmf7@OtB6 z|Iu*Ss4Y1=cI%1-Fn%v+De~I49u_!EZcxN+Jx$!6Q5Z~)F5MU7e81AM)@6nafH$J6 zZgkV|eDSdSh$4=la!O4czYY4S*-$Pfn=YE*R2ka`_r+m+oeo)L6!IiGRSF|Y5BK9* zt~kw3+Zvr8R7>a2?^lV+4BO*+C5*TI%dn${QIW0NXG=A?b5p3k6o#1xq{|g?!JWR3 ziD$MdQ_Zkt)CKC>>z%vBqsp8$^*i8j30f4U!aO%7?J6ybNVm1P{N`^l@#5BKQMbq9e;;&KlbrS1v!)nBlo_pVIR&$p)c9UT7F5U!Pz4IuQ5nrdK zkt_J)>Si*~k!cx`p7$&av`uZ+)osq4{J0rU_lA%N5StVBVsHElQKJ+4l|GDj;E7Q{sTtQSwV`dLpqmQ@{w1&JJ;MN>)k zP77VViV_)Agl}(qp{EC8X3k*|ji$=*l6Gtni47Vik5idQ&0P>;sb=SOgV!KnLL_DN%Ft)LRE8M1-TA;9PmYvG`7#&07F&1o%6JdQE)dFkTYTpd zA)~r77)*l~B&8mnlB$1q!nRvyyCV}wIcBeb-ZsY$K$Fwas{+Dz@Bqd^nN zn>ttZu5;nb{tzwHZq-1;fxDJSVx5Nu z0X z{OKLio2F)*HPIcq$|+M845}}NGV$AO4|y~xV^fQ(WFsWAFwbGcmz6_vbD_=6BC=HZ z1)zWpXJw-6aWR6;EtPRxpSjtznH{@7coYSOWj-K_lZ{>xL{I3{nYx{9#Q zt{@qmE~I+m4inUD0n^!ScAiY`t;WW|UOEq|Bf^Y^b?<3vRwTlBnKSdwSmVg-OYm znK|QaBfl`}Vx^Y>4$b@WX=4(a(iu4QA5S)PhJqR76OIFHVtieN63b@e5DjY^nXtWs2} z%786K2jZ~1(lwDK^nPdKPeusO_XH7l#0-(4@T{rj3Ta|~LK{*d8HRVdmT0A7zY7Le zar21mN-r{apgC*jc-!Lfal}wtw=-W)N(S0K&~HG!k-0d1U)sDKhDer5fazZKd6_=4 z8-;mP;_zm8`rTRO%p;9Wg!rgyyM`W{?+*0`2rsNlc!1DPH&=~uQIGS^}dE zy#3f9t%8*6u44-vC+ce7B6h#zof=BPiO4o80?{M}RX-@w5*dW?BqieE85_JxRiP;A z-~@AV(xF31Olr1R!<}?*(GzjeV3uze@3iB9&Gh!kJB$iZ*y3$N-7x6`yXGI8A4<-| 
zB-z1tL^V-fVv@?~=8h$iyCEmK4oMJdYilPN_9aH0NAKJZz5FfB@HdI;Uq-zXYXVNR zbaJ(Ll9q@bec>}@YiJ4?8w+>UY@?k!J!61vHlFRIrOTHxJvt_g=wuw0x!6yhcMG2% zos*;uj<+E6DhSny_AMTBw`o4^yW>Z4ON^{VWrVm7=>!!!Cv|&W0W?&M&Hyyb4Ni)u z&^-#Tb?Hb9S1hDsVyYdPx$Pqo!(`LL0F67BkNB+D-MEFo?i%9r&OL7zk3=oaewM;aH@r(99F^Lpe3=a)J{jaJVT(j#bsSMjYYN#~Pcqkp?qG zm|^KYcux#m`;JJE$a@`^iC)Igm~IfwEplc)Spr2T;uC{zGbg4eh7-$ld2wBH6US-J zh`B+g4Rbu++ap~h7FN0~(ME7Ln(5V2kH_nho*4$>UE8sixRk-+=xFa|3Sr{S47GY< z-K_IFLDUd)fru}&YF|`Dh#1T&(*}DXBDx}Hg3w_Yt8B>OQlxyBtx#pBRi_eEM&uZ) zZF3-ghGb^ieXVL$D&B8%-VM_+qMRSvmW=Ufuk})D>pIvHN~95+Obf4_8$3IF_p=?d zyg6^xx2%`9SKwHrcgyAm>w{mC=RHL8H=BtbB~cKV?Kj~fTEe?wcW0C_yO48OZ0D#Z zZQ70I$h7f5L}2LF2v5~%4fMTPk3EYHT`-=0uMW?z=}yjuk94~p^nDfS1a zk;eqv1U;u^V5MH(^MlyM{$3O2;@t5CqxXqZOj>nfA|?Z8hQm4|V$kYd3yTw<&%M=I zn4K9{S1Ij6@WOO@9YYCrV#W;9;^(syVL3`qMCDC~=?rgGwNwdZ;;7ufY)Y9q0jU~6 zva=%APFs3-TE%vD0jcgzpTJ=;u=iAYQsv(|jj=2*g|Aj|o!?(_XP5hQE7wKHt~|{| z0u!x^JC2J#yg>t{Iy)1@i>4+vFMci=wLiWM<;(C&r4Q1FV@?ahiugv$n$QeN283CN zmhp6VLT>WJxK~MyiB|++bu_s7x@OWxVtxmoQea3|8CAbAkdC+gH z98Gc^o|7^>hbqu)C)=qQDfSg~Ye;ANj%xWp4CkjZyXGl0=K?jOo-7(;Un#_q*hW&J zbh~x5)W)JToYmsHd-f+D8<;jQ$DUZ2#E8rYesC(zKrR?Wm#L~#v7Z=+=daY*>dK_j zvJ;Uv5WV$ShF52jdLS0~OG(=%S_T&5#)?QE9Cx_P&g7xd5W4^1puNcWTy58r!LoVr z9#6LkqtGUcztjTGW{A0Z^u>E_6h0QsNZ(tYsf}V9_r_zM;!Lu-y3PfnHDY1nB%@*p z^yutczb||^^2dk0q!I7Jf(Sba(*1*h=#1HvD#k(quC+#qMx=PJj^kh zguain-4X16L_%23TP9~<ArzbGOo|{Te#7u&@>yLO?l7U86f} z)KJQ;8LivW?ml$Dr&mf%GmpkqBsBy>`4ZOakTRyviI)YbmBe-#XN=7)W@0}KF(_-j zC($mkQM62T=EL+)N1XE;H0a{6AWV%6JbhE6T`-eM2wH3BB~$Xb!_s4Z+tAa*^NCoS zKU_xYdxg62G#PC1q6Kr7@Eoyji0pnlb}mBQIiT^l@_YGt2d_c2$ZSwPck8~XFT>8} z<1VV$!ctiJ)zFIC>4KA;()<7gFO0Dr7%np@DKQ|WkH~CEP@jAJ&B=bz8%hBukI&HZ zKAM@m@$gfh{F-@a^6Q3?mzeem@{0`O*VtQiqglAF^pW0>l1CD{l#Du5Zc*>&d~~s{ zZyNp6s17f=^Z<%x9}~D*L|4zV6C16p&_&2|B_`Rw>7Sr>dtG;JzQ-UBieT2yDWl?0 z0g0;z?RSoLlksIzLrRs*OyoBXCQWtra9Jox_RtHTA7b{h9KgZyIc$#VKohO zX-{oDenDyb>JZeP7r<(xIU@OstsN!Kjk%hgbR---lGGX8c}L5Tr;%*wacW2413 z-WbtukwY%~dJ||Ie3~6#3@1W-fXV^w>b=U#wV(%!1C!kn;chKk1+IiBvF4i02 
z(9z02p;pm%u=)}dV(7B_%4FML^ltARlSFG}#+*mkJpwtZDrS(TCgTi)G8P;V9pYFu z1exis4xIyD1-VG+ZYnfYB_ZOaQablz+Ioe8u@4ZRU$>#At0}zH%87;uCb?gpc`0@t z%}9>`UNwSZ=1n*sdeqxIVac3yP;=ishZ0ZGfanv;f^mhEflyL z9^}Qr=**qAGf*ve-X04=f3f*vB0IVp!&`ddKV3N>QP=o`PzH~@{GHj&SN@-BHA@J#>{s=-d~UC&uF9X zA@ph&>LcBX>2ovrgxLi8>)wd9^D?gLrv3=uJmYzHA8)efMCAKk>y)WQvfVx0@vpo= zgG_G~qc69Z-E&So+<7v(r1wsUH8cgoe(J3P124quxqQrLNK6m3GjQ(Ed%~3+QxucA z*v08bHgh&S#M$6`br=PVv3`8)QHH~v|fgnYMFDN^Mk1Q z0n2RTPAHW?1o&^e5yHk3sX^8;5APD@A6^SJ)}43eirXD(^@q3xaT-`pM#R*OBZ&Nx15-&Zx{l{Hq{UUF|0_*y!1P z?premmXd=CQ`X7Q@Mtk8 z>C}3Q;*LhqZllz4FOp;$XKv^vW-Yc%=}@MH3r2_E)x9TIE7fE&7Mdf*6pd>*E3ngkbrb&l86?j_n97BYCUp zcTjjkYbg}htYQOOdp+f0%5+`vPHTWoxJKh&9A%X+wb7SrwVOuGn2x>FVMZ_EZ0DuF4!uH&ct#-? z_u~=1o|=mgT98N(q%gw(t?P3zNF)&3$0!y!V|ltrZODs)(d#hZogbDsJJ?aMXvO?H zA4|^g8{O=}oa-P~NE~bJY^kE{I?{Ts(?SukEAGNlw@w z?$S{v29&tXJr!r;xx`34yYFd28zQD*+Q`ppBuR@O-&&^456mI9?7-s~HL+7Vz#r!1 z=amiQUMQ2unQ9U%Iy|O3N1y!|l#8H~oC)OKa)tt_F~}xz^;I-puM*?2=y8O!b0O+@ zbg~L^@b-dcp<1L$muxA<)N^*G4nM{$f$&U{hPPuzi!77Rz(qY74NQeK+h=F!xVTb5 zwGuNR>kv!To_@_cjNY`H8iuj0D;Xe*UO~j3P*>ZhGNNjPqfXb3lh1y6Y5RIAb!g%; znHbpCKX|c(9syT6lilSaeT7+Gsg)#Q_ImnxDLrDA&|gb2QHrtU^#eF3vLM2?CCUZi zyHG*0&ASf2F?6$X@Z$GdfqP1s3uXq?nWmM;g z^tu(P;OWt$>(GW;5}nbcPT2{?NSyKZu_3E4^n?%V5+J$9Phr+PEjf6rgJp|y^%aEV z-*h8HVphMiT3ZL)GIYkv9n+C&Z*M6?JLV~`xr+N6he2+* zp?f)fC~iqK-=x;Xjcs zKoR7Iu7!koXP93iOeExJZX!+>Mo{Wi`0S{vF)(vtCM+?CbXpb#$6CO9|1stv=*cQlhP1S_CQ0YPsINfLS0W4Hc1J zA^okI6LB_~grUF%9qiTFW_9(_O#!i;)AYnBUjnb&>D5En-bL5OCQUIRqW_n@ZT%9A znz?dx+nDM^BFfZe@O|PyO{Gq4VT|-FfjC@M6tzy@b}Wb+ctantib5gXE{Vy|Q_god zRhc-zo&-x0-Nk_4VH8{f2Jp9R2PbHCwF1CfXHujF%2M+)hG|~Mqup8p?A;bEP^EuG zmK@cv`(slE^DSbBXhy1fZ4Ao&s}6CPtGRBgL|1xmy;0?G+utPd?!~m`LRZFQBdKW6 zCAq}LHArZ-TP0S9KIz5iLXR2a&(jB{NbYZyNq=gn$0CA&P6Iw%Z9U+Cigb2&pL5Wh zM!Kn&zRAcZSK|jLFnsPKtM{E$*xJQ1&uJ6`C1;MXtStRMt;}2Z}rnBa+RtHSC|{`_|4(+7}vi zeW(hS*WCUc(fmhLwp&qgF^}b`m(2{mbRnecTFa{49Go@nX|8P=Sfx(b2yvqoq?=;Z 
z<%d5MZscvhs#Lgz5bx(JBM0eqXSRJTW>TpR%0`qiaYUkDO&4rTf@ZcWlP4?d9@2NeeA|efCdhMte>VF`9hS5N(b8RZ6Z?> zoAJ+r65mAggh|jIzm<<1OvAx6f$28RkFCKSucK1}y1(JI#Q&Zp*3MXZAT>O z_Q^cfiE1&JPVvwR!0^^=9zmb%RK+GZ@po_$G9Qcdq>vLkpRH${8WrImcPV{I-3i zy8uk_*p=}FXs_uCar~{Q6E-&M+dB$(()=w(CvTYIe7m)72g0|^tHkgf4kFBV;@h?C z=McX4ZHRz%-Yv&y$gOvotvq+`D^YjJ`0@^3_+tO%4N=?W9Pn2H!j7mYqY=8y=>=q? zSFG2`xuIhpo)nr`&v=SCV7RpQT)Ku=>A^PTmc{vQg~wgH^Mq&Pu$sul zTs6-$?7NQY;WA@?o3#~wzLTnBTziFKGEao_cP7G}0=4U~#oj(xEK)UnQSHbilIB{h zKVmkvO=P}K20dN|-mf|2&g$BxQe*v_7|;E8PtJI28g$l)4-r!Oyz2AMu{qcBKAJN4dz+8_hq zuq4GXl)9ISk>8@i!0dc=St8+NS|Iv5&urMMkp%r%bfCy(yz;gp4fvi>VNLb6UO_nE z<<0JYI*cGT^Gr;>{EG$59s79K)&c)hQ*N7^Q+9aT^A=#BIO&}DB5JtGQi-UWFh$N$ zvsrvwgv|q&?qkzQgNIe;zeJ1Mc$*#wKa=n{$?{gXVI2G-0}UM$)km#**dAN6&Rv0< zb?vb(v_4t|smR=V>HTH7D^SHtWqtef`6kWZMN6!H0xq1#AXziDeb7=Ony{lBa(Fv* z|D}q{@`_ODknMX>5RJjH#9-D+A;i zAiRpbyQlQ`m4lH4gdpe2c)7uh%j}hB`M$5*7IDddvDBd3`dy*h_g)}|3hZs6oC2?B zPlh*AoNir0{o*4rsbkVko>}|EZh6Xy_NnrN4(ik@I5pI|_KNwEo%!}Q&`xRHJ7uSP z_1-sF?1QT2t$il7WZCw;2sNHjSC)Q-F)S`|@IzdTzJr?2W!Y!Y?U!mBWeZPTz1LB9 zups6rYgbpUZ((t@d{5bM@ze@= z5o`110nID{v3tO0Gx$v!Sn_{@0Wj3wiXZsrT#X36+iE`Gy_^2M(`wmYT)C2N9EdoO z5Se6hJ2-V+Axqars=3xj%7ze-LGp=HYVHyR;_fDyCx_okcu;jRYhNE*SJ1h@&TQwd zs95ZGiEI|}55AZ-Klzcp35&Fr1UN+G$e#s_{>99Po5@Hq(PMFW5>m&$aa&NckmZ_H z0bblX;06@0;t60iw7O8I>0A+DAcOUxAD+gB1~e&Qj3jFaDHysTh4F4HV^1z<0g zr4Jx5yJxw}wgVwq>M|&B+B)h$iR|hI0vr6q5v8ju02`Fg0c=25PGCP?4j)ig4){nd zg(3(aP*;uBX*qmW z0Cw#XD6-%K>dJBAmMiuRK7hnu;IrHp>?i@7u%iSNfYa>}8<(1S;^DMr2;W`+8Qb^% z63nvYnsqPNj6)Wf>>ez4nbLBXX|QYsB(ghkR>lV9F9miRP+d5I4a(=p*r2W)z!q8# zA5d2gVB0P~aiFf8rDVBcZ1{i@f5KwIb(t|HOR}-870^wZ0*#Bn-aL8MQ${C`oZVOM z`d|rYGh-eBb%X*1dY0BYSys=|t^Q~;Q6S-0(3ZQ30}W@MJkYb4s+F;O7C*6LwpQUk z6{~u@nHT|dRIPQ>=2{Oa8(33sKI#8Rv4S)Ikz%UF2(jg z6o5<1Pq5_j6U-qCM0LXQb0Ysw*Z?K|Ji*{6jsoy>IUGUx9Oneom7@SeEI%ipuAJxO z)3S5I(v{5*jlkWxK$l3M?fu&~tLjkBdH|7 zR#1$cT0n_E;j`Qq>?nbod@lflr`6;Kmzenv1)yf>ApwCsu!3ewWq}1C0_Z$A3qbTT zm$3@~DDh_j06%d6+i3-0FYjzXT{(eWw;Vp8t{lKtSqeoEKA^4~1z-im*zf@){sN!n 
zzFNkwY{7aL)L)^q`5%*H4r0h+ ze9JTT!4-hLoQwWHAjxd_fYyKOSC;t|r1$J7J^vmh;3_`_nAj{Ow!q|POcdb2xj?MG z&D_9d@al44gEWq#$Z^Q}PH8!F!T*sM0u!tpc~JhZ-Oqo_ML}ITGB%5ZbHHbXQu040 z$!z!l5`UTgEcGks3wD&iO}W{N zf67JwACP4BTmiKH=k#Xvy|BW!}JFvo}4TPsN$T!UMlN5rR6Mg z|3_lT8f*TKx#<4`lFWt=VEzB^zyNN+fM!Z;xw=m3 z{*@26Oaf$;0llavK^4um)z)oO6aD78D9gtc!5pspOAt^|Dh_nrzV)E%^b-g<+L4ci z*QfpB6sb!&vp)I}uX5{ap!Ke7pIEnxo;w+IZ^^bvUxO1~X&Ipj7ypAe4|)0RYysZ@pg>`5vBbxK{7dzsFLQxV02;AF zL11sO1Slti6t-(@xh_;&2WrH^)4wCGBm(dU%j6g~0wSp_jhEo_fJawr8V%5;-UGr=B2x2dTUr2sm%Ob%tQ7|w%4zM^<Vg(l70c*i6IIWEUV&4uR4-m*cwEv2@q1qZC z`k+3PZ^sP4JE-w5c$Wv@G-GKAL>RJiq16TS*)nDu94*P?10983%6hO9o{f9YX*;c0f`AG-4+ez*=w%4r^SHIt&SgNh05#^w7D>urL_i(cfX{;Nunx-EywrO@ z7{<7>kO_M4Uozr^hnvg1vTbKwd`aD>c|GX zMMOFPy+cdA2ZW)M*V5u~vzEO4$zNj2zk;#v{q?_-1y%Y$4<4N zKEJe~pvD}jmYvK%9oc}_Pax)KxBq7p!)}Gx=B;4u)fJp4wSx0j5XXiJDBx$^1GnI; z1O@UXfDfl%$Ir{6KELx2`)n=Wz7Q_nb{sB{3$vehSzEm3Sv9UpN!sC)@TC1+0o%&|~= zsJ8B@rVFgg~ zuMPqBlLXSl?5UDA&^$KnQnm&qFL5!jAHW4hgFUiA^Vk&F{y%b@T+DK+{7+;LWY0@% z{l89a*@qV7W0Ny!<8{nMe8`=9&Rum$4<4N zK0i|}sPU5C5-8g2WCrT^o$SR>PuXxl?;ptCf1lcZgUZq&C&)~fbfLig05~e(AbV*X zryCr=H?L4w{`=zCsTS1d7qZ7O+yHMc*vSmk@jKaz0>~Z*RsM(jB#=sS##U(sYyTJ2 zmJJn9z|Xn|Zt-iM2i84sRKQsYR-m>ye9H%6|AIJnss;7=nQA$Q8{q8)JDCAGeoJO@ zB%tNupvwP5G5-71mJOA>A5a1BlUVGTgJQ5o1soJ(C2E_tLSX^P_+JDGtxvXU8*2(@ZC9n?tYw)pfb=7S}PwD6Kua>6u9(ebKphPSqvuO zNQfFwFYKh{?m$x1_IXtGF=5FMqVF~fUFT6V9m~8gX1Y`H!E>t-U2K5Z9^NS3+6PE^ z(IfHpL+0y;!md0^HP@DEn>gc|6%wOqNjTi^9_MSTnxG!!jIPB!9SlC=i3y3R%}zAC z)f+ykzQrm-FRSd?$j$v~##K63vj{lW+UY0fz_p{<^Q<*+y{v3^sxuV1>r$+C&&bRf z*MgAUY34YowyHC(3*oG_!dYZsZ39wCgtdlp##IR)8))rs_G#)=bcu1*CcUiJ&qmz# ztLazih-9)eW=}4%a$D-Gv`zw@9^hpK;9z*_~l7A=O4UW3Bc0 zm;kPwZS!KS$(L$tQ~&?Cd&{UeqDEVgput^&26uODf(CbYceh{-2@b*C-QA&acL?rI za18{P*L-j8TlbrL@65be?|W<3{HfJv*FO8~+EraueY#E^Z@wbVDB3AHNQI}o8+#{j%=znnBDf!ba6owk2|EGQF4T7_znAEQ}4WVD2mUeHC z%d9Xhj{fiRr0MS#)-A68!P%%XwYWY#N+JHA-THV|yIlcgom9!*{}A%TAXfdG*SNV! 
z_;ULD4o!J6qWrgA$u~*fnCM9{{-1c$*pFQq6~HieAg+5zsTwCYy8TB2217RwXG0MY zXWI|A&+{G!+0E&@W94T96ZPp4cWpgq%#)9ci_1P<9<3c~K73t#8*9(sI@k4qkC&&n z)dpPr+WLg+B$yX(_YcQA%eNPcxXgF2&Q5M_UTt@$kNeIpF0C(5=Pw?5wpGmblg;Vt zi*8qoQwJK}QyVYOuQ%&s9sI;yn;o|Y<<}bCL)q0E2Kst>?W<4c4=>bR-mib>{jT(U zvNtJ*JRUA4ZkIQi?3p$VUgI6+Uf(_?aM3AAnA~;SCK-AD3ghEF@8_lfY;NaCe}QVbe|X&Axplv5 zHuYN(ZL_lkPvv_SEjiTnI5B_Q-1SiNa+Zwxx{C{kxzR(sVMMZN&S$A$KfS+3D%&Bhk7~>(9-oUh#bIV>|Mp<@YumNg>XJh` zuB}Or-9}9$a@da|v_h}}kABxAGZ1lPjazToOo{e*W@tws8stux`2 z_wDnz{X<$b}YrTTvmv)_qA7rc7}gY5@+ z-nX7pthcAvSth5;2ZBTIoTyrh>^s7La0atXHe7xR4!skjJg0bX39qwMI@zbZCu^scHs$hgxrnc}@@-ILsEKfw2%^qk_n z1#@iPIg9@XC+(fXdC@wUWwYTz;$7uA<$Kz?FL+mbkaoBBTNm8I{}~+0dTKuqx?MXE zWHy;1l0PiyM=5rlF%F66TW&-tb^|#$8W;1!6}#)*qR5{oU9lWHdNu#VW^e^^tJieH zZ?F+dA#!y744Hw9WOm+1h-5a|eJ@8c|GH=6>J;8}7GV5!-?MZN8A2=Q+K6H-6P1v@gC3!-3p$@~3Y3~>bW-+}$x+?Lpq+0ClvZP^RnA1L;YeiqHPa75 zcC^Y{hi&JW^@KUp?_c##q1w0em&N?cWmpvEO&~lg)`(nUWxN2p#GzyZWuMm4_<@Jf zl?oPw+r}ka9HviDGb{4+<6OK3`OwOE3HF{t$rcKj#?$mcSdL=VKZh#G&R-F8g3GX^ za5CV_9oY&j7ALD6)X%h%rVo;Gx~mWcRCRX3%9yKM!lhyM1T}O0&B%t&R(j3bS!EpR9fNu2l z9qkU++qYJJJ$d#tUhPHcAL?Hm6{ZLLtL;SnpZ`U@f_Kd6jqh{~G!LX4(1MsAO}%EEctJbvM#hAv@ZI+d%22@2o)l z3n1fnc}=i9*#cNTloQi3nA4zD(G<=?Yo0;B&*W zsu!AiwtS(a(ccGEFFf^Z#lj(@zn|2+KCAcR-+!%W2uB^Te!sSG9QJ6|TK>wfHJ%2y zugL*!ALreYIM~wvm!YJ0tCa6n!@yQ`-mU&uP$3S?Vv;u2I|+I*iOC1Lim}%6hm8zF z+SUq21XW8@e;)k*TBvpKUAh)5Emi@RMz;aC*8i`C7S$jZld3Af+oq=jud4$BVYD>4 z`cgXD32GU^gBCfHET^gU%)*j^_GwZYWY*;xVS*22}(_`el$ce49o)Aru1o^JZq3e&qC+(mGv5nxZN z1C8)iXYa=T1C8;WhSSn?lGgcN>)(nIHi+-FVBTv%zSsH=7H{eXi|hRVo2Dmbys^DBU+jQ-kbWTivPF7*NMg{60SDizw3V=LL#^ixJj4*>q2dy zZ(Y8v&2QNr{4NjMyD#A1_b1GLD`!vH+^c8%Lr>8{`WanqEv-+M8dpyf=1-SB*VW9= z#Sv!*Cl=}HV-X6g%w6@zzc>Ewn|r$eTi3naeLJ7%UR@ueBa*$_s$X~Q%l&NK)Afk- z4K`kgYXW$dUWDInw4TNmbk6j+(Q+1WC^m(P4{;&)pTe;XWGii6+uMW0xG zo_TasV!6tSX>{>zJ?n+VfDjE{>W~5+=ZkdV<6m!Ph|U|3qPhBUkqP-JQ|{Y_ph68cF&ocFTNV3DGnTCh4S+xvMV@cwoyJ#b-@m0E_y<~Z|j?89m6mX=c}?oZ@6%O^wnF?QvCo0LV_ov7kw}`t-`b){J`+#{#-Xowv+X 
z0S3=Q%#md>seW(ke&zr_gEtHJ>lcp^0DaQ~e=k=sWoMc){Hl6lDFNi}8Go;4gJ*s@ zVNR(Rl-~-1Uhl5-LYK7%8S%Q6of zWsfZbO<&GlRzg3LEa!qdBX<=fUFn5u65IN1FQe3SYEv=40gXebx!EugQ^zoh%pPT3 zTWB^euk>>3kk`WNCi{DMWhw^=fJjG6&a!f?bLCC98g8u>g?7hWc3V*F5kpa0;pUMI z#!7VIYHOGI@;Z%ZCR;LkP?rJZElr<4j?v3~ z0_^{2aDk%2+LHRN)`kpId^+Z8}%I$hvI$HIS};^f2y*V&cK6qCSE| zSUxrm;=!p>nX3ccKbjwbjoq%EMflFhf?kF~KmFs75Ma>F9g?3~Gk#Tu(8vY&e3DoH z&5uAu23aRzHUBD8B{?WC_q$O}FVS=8@^WejBYemDd3HwHg${7-6y(M#6KB2tCttgo1p#q3ke$dcl>o{4^Sx4C zGLo1@e9*6Kf)Dc{5FV*Eb+!C|ehVR{(CcixY4=&LxdgGv6lOg6X5c zPx#c)p6G=RQ!(|??kCobO;0PD=jW77naf@D(q#T-(T3kDR!xQXk7|2^ez=@?&xhN* zbl*dI&^U5xI;ey1aX607eXj;_S@zmI(3>T+@G3Fh4suM9cd&c{7HB=cEoLTBpc{o zB7*v(J&4i^nEF2nsyy?|v1&do|L7=&yN0m{8u96bd^HlFjMay;Kn=Y-7 z8N2F^Mk0batOTenni_9G0VG_W<=1*^(Uj3x00^i2(+gMz-djWJ!Q>8N$|iTXz~?<| z=`rH_t2h%GN1FA4AiRh(-Q`sqqvO(-Q@EWVBgIH-#y6i6IJX{b$%C;w$!0_;B^Sg&5wQf#8B7^3XGk`mb&@-K>UEJ7K{ z9BOGCQ(bE8XHZYsrN&?Ybc)t$qBh`?ZOB9}dn6C7RXl4>x1MGvu;OE>l?w81`jvjcoY+wk|0BkCjd^!%v&J@2{6+bCrn?nLXB&RKT zJre|5Z&mYXtkI%UJs7&3qjYGLYGfQ~F@;6(PkDag1122M1;dL@Uw-A<>pf(uvv!l{ z-IM%Q#lHTGr?}?2Xp@6BIU7dIMrvmbLv?PUy>A|rM=BS{eHom~^Z?J_zWZF1M2~?Z zI(^k)H6XQ$1^EiRq!tt1l?!0k!)N4H>!pY5s#y}iWcqEeV0$m+x;wsTp9&Fl3Oox*6MQ1 zI*%_DNFKQ+ijx=NnNamWvL~~5+9sV}&3U;bU(SPz$?{T$fEs60!ngy+4?i)6FEn+f zfNE-9nzGCHk$z)8qQLPsT4%ss%UDmHDXDdt%I|5n81Vc%ngn6yOP}IddW+Gz_Fwr7 zA<8;{wG-Z@(Qs9S{>+8H^K?F1EvW{%=LGLJ9{#r(gtChzo%*;f@M_>PA?9-pfOk1i#P)ec$&F#KJlQGgaLJPne~ zUa`&rXp+=*C(?aKiODSfgkVS_x0zJRIPI;<16p;GSSx*@Yzd>6Aee2& zE;08~11;ML@Y%*ChXH$ZxKH(g;p7~2dC{E7&Qf6V!t(a_l1TFmUv3MpOjf~RP#0$= zzC|FK5Au_=IC)+Tfa-h>Q7OdHP8&~VXIIjuh#j^-r>B~!l3zqX00RrK!Iqi_O>~oa zbgnv{KY(J7Hwp;Jqo^I2fNjbq{nTj?KTR;)s5$;!che#JHT(+wPV6~p0l!f#ChgfH zptuD#i!1d0C0l)GXW7f3}bE%I7sovaq& zi)B4<6Ngw;zXKzYWP<-pIT)|#%TeP4LH04W*d-Q*b*Qs3D{%80Yd*qvV{j_wmx!a| zi=>~lkFJ7qWpBQyjn)_%`4+WG2irpUefcUA7Q3b^$Nm`fkmMMW)^uvk$5KUzCCztw z8M5vWboVg`pt>sola#mnRcQCmtrO5MfGz1@C^Q$MF&^e(CaieMiz}kpNhKX8ioA_0 zc<)pLGgk=9F+j%7&p!$YJ`l_dQ)>SvI@^H=*m 
zKS1s#=4RYbJQzXa>Etet3iMR;xkg;AeoeTbf!N3NeEyR~ht-z8{J_iktDZsBsP?1E z_r$@Q9=UbOPi;OXYL?}v`eGXvrjH*|*=j5{u8_n_Hyt@I$<3VT%u+|^M;mLba4DBp ze+TEPyUjIiXoR&)e(K_&dU*(W$X-(ePiljLx}AvHrK9p1!BFO>m*KStiL0pHJYal- z?tFTW-b`DrWI$))`zUxylJW=-OY=-sY05l-T>0N!Fiizw%1B#+uH7+QLwF-z-(56>iKW6j_Wa7{*} znxoT^`D1HVlHe;}G)}2(=TA9Mr4?+w^i;pB<)=4Yqp;_pB)cy57qzW5jlwb2+jtEdkj4fvpR;4yHMg4~fL)K4%J zvY@1SnSj*3E|-$&lT-dn5TMfbd^T(Fc14o?dROfC{C6t*^|cs0nV>=34U@Ml35mn+ zKk^%;Pqw)@5g|`)B=vBdQ|Cz@VW5uI){%Y3hu5q9-HCODJ8qI$EKcKdVw|zn-yv=) zdtEu>##KP|!uyNO;j1kfDtWj@QJ!XlE#U7V4}|pkxXh;P>sLew_mEL4J<<~4Y0#GG z*hHR;&{5)*uiX8?njVA%e8lrMu4x<~nyL3qsWBQ47f48@$;ToQa?*Q%L-|Eo%FKxL z+v$10B`*eh0NH~Dg*|ZP8I|k!xn7|O!%rg#JWZu|*bhFRu9wmoTth<(J=fTtRGp=B zy$-eX?zCYKCQglRAZ+%~dL*;@4o zL@Zn2NpKFD6GE4ttwD1`TqHaKI{e1ryg+kRu@gLXNf9Q}&lf9DI8ZQ&1*NAj_ad(_8Skq_> zdQ8O%FLWZo@VpSu#tPr3sfS5qQ%^B{48Q%Y3U`zl|3s%w(qtCl>N@plRNmWbK?cLs ztXwqD2XgRE2uGCY$3{_fHKK1nUIIn2z@vOy6-hAt7<0T_UgH3D^)Y(S1Vw(qWml6%Na(ZJ`Jgjwuld4`*4CE3Xkps~VkP?eGlek&1GKtIQU9q1H(F6?Y%qOM2y-v3W9}hS_ zE_fLg!lFe}d|H#0W;5{wat<8Hpp{89B*w#j5EbmR|A_a6e-0UbMkV+AafPZu4QB)y zjMYJfX{o}`-r9Y`5Vb6$U+Oal5cvaEZEkm<;?i-r3&ZaQ6;)^hmWoP<{?r;mii|%skj(jlloQnToyE8azCL? zPc?;Wb>{dmsZ=8atI+WvaojbEY+B3$gq!X}S~PyS6g&o!J6rP9R&KP_DEe2$XwqOg zXEL7lq(JlZO9#NObcjLz7VDn$Dl6A^_|>uOsc`svBHEvb!T|?VZXx4h#h9`6q%@zE zJ`sGEW|sXzH#^sW9?+v??#(y#s(GAgO4O|niVz!)j(7XWYOpNdJIEBkd)sbI(_|(bbQ0a%G^@>+A^9Dg)+5!=N{r{gic!|81? z^G9N%4|WEw?6U35^g3hOW+|kiy}OfERE;hHNmntPZ1HwQ>92bUP9kwG!F=n~>b@aJ z=CiQ$WBfllV0K)x%$J0bzs0&*DILoc2Ap9h!;dJ9csp=xZFCXhP*?Bn(XFFpE2^Oy0k+)S~xOyTX8@GW(uf%ZFw&kobMnx+m5yz|cSX}W9#BS_2-F_Ios3( z&Td!A{0_0k8JR~<{dT_mXJ>%C1PUhgtp{7jN>GRIF^={JoT?z_AN_iAqNJ#;bebbk zlBKpLOuWRXDOe{52Az>L;mO;^ecK! 
zJES_R(ObYx^$syHd@-WY1eP6SbtRaBB=`-a@Fqo)K`NVB4~ybfBI_yq+AJSaW=5cq z8ix!lMp_;VMoT{vGbA2K$e^GD21o2e@6k2fMf;H79 zf!#KwCs!>v1FV?GFrUXRieg#?{=rN&!^4H9CqoPn7TK4CMYZ>1I2PXaxGTAM-L8tc zyhm?^`X-ODEn*i@PTL1)z8hC(8YpQV!8#k?`5}G=V~YmR1nR}RIdj~jS1Ng`IVLVz z2lcVhnS@&Ba9Ggr187NxRyfmJkjk|=c}%DpP}XFhfjj#l57pb-KEZYz5)MOnVNV~k z6uxc5=J!Sy@nZLB7c1b%U*U}XeT4fSb;kTOIh_~|yK83lbLu21clae&?fdL%is?Mr zR#XHmchIgCg*0%^)=`G4qsVEhm7I2vQMB^0YC2M-RQ>PkwNsiFhjg&mu}&%R1{+p} zUsI}|Hz(x-du$P!svdnR_euXq$*NF2x|Jx22ho$LT?YC$Z%*-trR#Yp_jdFq1&6b^ zoO{+hlY$#1BM6Zu0jLeyN1;KnhFa z>hs1~B4L&8Dk>Hdw?{Z<%#XewBv84&e`dWh;RqRmR%}#Nt63#9vZnxd>g+G~ERm8e zdPnuxek$lT&nMt1sfePnS3jX_jbv3V11wh1B?+^r<^y6akW^7mT}}lsSE6{?8=z!& z_9PQTt{Wf*$2bS42mtsTx4DGJCjI2QLqRAB(1Vv>1)lGxS~qH@XZxeaPvzokmf}%7 zbzQ%1C*?Xn|FZR(A_`($amJ#subEAg*>Ja51wtNbwx#q>MgJ8@#=7Z*y0_cSAaaPE zK&j%1y%jq0#PB)c7oR1}&ZT)-8jBVu(&4?w?KhVv+mZCqH+eHI!S}PxE0R@9u6edo zX^tYCs2EGs1ew{aikE)H8Iu;wLJ+Im^1HeoiAL+dVFLyps@0hnFKgjaajoggxn{|5 z{bi(&e6%rD*{s7TJ;;>v9a9{8b$tt4s*KGIehKr5)u*rdLFq4&%bpF>uog+xHk&L; z$2a*o7WlaSaTFmp_)lQbUT+L%l5$3HD1HnNnY&W|b zrCF>fKy-GK^2!4aQ0I}tz*X9LM!1rvDP7A|19DQEwMikldrFe(Zm!rnGT<(~PD=dx zQp&hK0C7e$pJ&jr%X6o{i-N%m5RxP^uW{cl&)D$(slCW3O8c}pe9>-3qx2ST)!K}d zxC@^pScc%Nza=D7#+vwD#|765Cb2L)ehp++$mRE?&hys=%Dq#$vH{(<9!Q(K>qorN zX^Yfa`BBkUr1Y1AX?yJ8-Ww&%G;D)-XQ-R6aUUP1^R8CX1->-FNyu8y;j(z4V7!@M zYA>Q8{?_GahY<>H`U9!nq+FQdlRl>C9&%AcMnqe2bHG1~rvxqjI>l&C%UwszCXj&F zwJR*)@Mi}(ESu!_v52S9>WZKJfHE+vunr5<{3M3Wu?o^7x`ou_RJPp`oy-gFb38gP zr82#Xhw6)om7Dp)u?Ao6X7aRK*@o7E$d*u6tl}s7L%*%Ys#5U7p|Z4#-r*o$YC5J& zsfN1Xt4IIFlau%ZGi68|DZEd$=t#692ETImnw<#v__vMYOG8Zku`UU@D~YE7rQ)V| z8iV*vUIbjq$4I@K@tXc{h9T|>lRfUpVT{87V0sANdO+{zhMtNhlE*Y?qp;jw`&0&z zzlmM+$ci_arBzvTGWb#OY{_T|(Z67DX}3Fbpi{gi-N_c?e8!A*50;{~$Mh41U|-e; zEvu_H-vGK07nd&^sC~g79C-7eL$N0_?Zs@`)0?f#G} zJSqM>0cm3$4Moqd;zxT~({5sVf5iv zX4cm=nmzkh_J$(7beT?y8Fwz&f&Kffn&)`O5!wB0v!6P653PPsI-*l z_yrz9KwtHFWj(QKcHQU8-(SnXPEMb0TG#eUcunXp@bYq46P|>SkzIxqADv<1rRr&e z%QoX_q8`Z*T{Tx#6YCbJj?_=k&xC6gFRv3?hQ-=UXb?9Pn2O*mQu-CRRy*6$bnm3O 
zYm8b9F1(;9{0Iv^0$r4$bzTbM75rXFt~3frYiKM=OX)Fwc^i_aCY8@DNfh5eU*&(Q zK0awNDf#7VICMX1xkMPyNdqzx6}S9|5l{0l9hc0z4UW&P3kw}U_eVqw$qZEbt9-of z)lf*Wxf|Ea)aw_KXyo}zWZ^0gK`XvAow;vX3|^Of?{CSk`l>#>N;ns~HR_caokmD6 z<}||{fH$a$Edg+c?gqRFH<`rjMO3cPU9<2=G)%`2bLg-%X3mvSwxgf)q%zqiIy2sE z;0ve(hZkYu#J3?uy(hD8_ewdq+eRfmFR)LrqR1y#4Dt=BUbIx;K1864wUu$r7oFM? z@GFQip&R`;q&6XDmu!`OH(}*Z#pQP=&$X0h&Sm9Dw!~+bKdx|NkQqq0;OrprwB-rf zBh430RqirMm)e|o72ha7*4Uzdi-ALLimTx^s~k(}#?`fxgci4;`TBB7+~)yi8$bk; z)Ovov16J%m7;0LHdQj=r`Dgm-eXY3_=p<{b0ce(|#dyw`SV4% z=dmS31A7Gi?6Md4xQ+%PrXt+$i0GW=9}qaUXzVD9SF{j52zI);0F3QAI}@(ffE8|?aOyenxPWz@%Cr;f}8U@b&# zu>XM)id%!j4H)-BMm=D^$&cEIs$)4PZ%J`lj?eE+BXX0orbZ^tzq1Uko7k-K^wu#; zY2o$SZE)N2*t5La)yR;HAo+em#;6l^HhKJVuseEw$RA2#7J)$jh{2j18~4-jDM{>d z_@bEU?;*2N;U@Ttl3rXKQXPW$)~~<$RDs*v1r{ zJDJA&PAtc3RaO-KNWYGR6Jg-}ZC9!KT%s-|Lso(F; zQsnJTVUxV0bR-0QaR749mSdj2+m*V#@-~JS<4CrVv(GHakURwncX^a}W{uAI{gVxx zm+OU*bi>{rJ7WiMLuE6#WIK*G1}Fily`O2>u+wujuj5z3ki$2q=+%0q@Yk;&!3X`d z6-%DhVv&`zcExT~F5fk2Rm94V4b}uBAT333+8A?ifAmN@9tHs6+W0GY-;owD-IeV^8eE%G%(vw!+42^rxtG6ga4l(fjsXDYtehC&wjlT1ZsJfpm$ z3yw%8vspH9%cnXAx+wDcL}H3glyZ;UQO{~>4|LIPv%N_O6L^ITKJ7E?-H#{9V?2CL zOz$5Gi^D4W+HO;)IWKiMHBIZ+s7~qM#s;#L=-~hA|NK$f@4$0YUqobUNJ5`c@<(F# z)il%;Cs#Gae%wV~h5!;w=u`U$rG%fZl!<*jR(BdCSKL~G0^&90%FvLa$GvI$iA%ZO zH?9GglYM8YGMEikRf2N}Cg=K(QvCU_623d8+3Xi@S^VTUGsmi@zJY|0z=YtB(Q?H#Zf7*bk6oSfZ5{#3~ zlG=7savVj#_vXM`N8{e+QP)|~Kb|=EqUI_0kyfFQOIZXk)qAUE8D){g$*>!`$!d;*|CU_kpHn!9=-> zct^ z+>+u{Yh!vDvaPDOqlUa&FOhJ;HYR3ywmUy2K<5`{1cs1Nve;-AKC$Z$C zHJJ!9i`}Lam-xbk8zXB=x@5LZO6-X|SsWVN&Jh!txARW)F{x=ir<88J!dolV8^;sq zq16L*Rdg2`Ql zYLgnRw)ZHJuVeHO>^yjr9WHVSD1RszkmfoW%ePA%0}(r8k$8AVGw_Hml!Qpp32=>C zEGWe%y>kLcdYj>}O;oAjk};!y3$`q!Vn+s+>G=;VI($+>S@aIpK6`2?XC6b*U>0!0 zL#WFhH#}^Jtc>5P-a_53=KXjXd}7SOFBbNRJFF5SvD z31vZi5hfgZC`L@7=b_a_#ycZprUcR=oeL8zHxB zg|htG!?(C#dk%d5UfaUTHEH_=Ji)wLC*z9Z$sA5w4g*mxy$Z%5#bQBg&qouScxX9m zXL@D5N;SEu-M0hV+6+0|9m$&>Rv`QW1o}-I#KBmHE%cco46Z2s5S&N@KH)NO% z&D;?aXVSERRi{`hgP>mGFKpp+xZ{a8qh7W9g(6+4AN-PA)Xj>&;YRolmdH 
zY(?$Fbdq>-EtfU^LH)dYgDil!g5$Akf@w^;_018*n^$p*57V<*(oa#5)l*1@gwmao4LvT`q9 z&}I9I*jgyF*UWKAnp1aLvZt2SDF)B^m+fCCI7C4m6KPa9$-rE-WTt5uO!gQL~x;w^WCjc3$^ zIFkvEB;KDGGPEHic6KI!k5BF@W&3eId4uuqOmssEg2t8?6^S*+>~T7AZBvXKSd%>tZht<6wR2<}G2Mx96eL*=&E9EQkUmvd0 z$&EwfWpndRq9k2YDu$*ShG}iFZD8Lc1MNPWV#~;CFJhBD5V$l z>VJbgp98^+mFGA)odTv#BH@IL^4Kbr6s?p1wbpV1hRMglmW zo8NyTh#{7kzXB32wm@3282YH&ID4CwmL=N=9q-!ajxfQO2E1@FA9 z@N7q)8`LI|m0N`9{r+nC{B6d`QdEOc?^vP@DU~v3U?LTAM6u|NXZQ$RYR%F`;7u{q~@hTdfSz9saaV5M;d0V`( zEW0vCs~yl+7&mlt!4;B*H2ZHjF2gY!?H{axJ_j|~bGbpmatCJ67G{NqsGG`T1yjt2 z^c#o~jSi(3D_bKrCRtcSU$;v}x)!aZ8TPHRb$5N!Gi`lowyD238w&vu?vC@GOIHkq zF%zq87#vhNi5o`S9G>Q$k?d8PfdO#I{gYv6a>)*C*45|iZIal=T*;PNplnR1WPQ1W z&B|rLlL>kFJo zB(^vGOy;A$?(GdhNTG60ybjTI2xX-!d*3$7xJq) zrmX||1SL=9REiowUAY9Ic(s=gANe1kcv&;2G0IqiLoE2<{W0}ELEP^^*&=X_XyV@6 z)NxV2D5E0H@1VNGMC*cnJ-l=)(hErlA{A*aKhxLPrfguJFH_dZXWNCQLw5=r9~|_4 zF_f3r?7r0thXnG5{lHwsQ>-ZC5>st+R>b&7jlh}~C9$xiJ*Ao#XrTWoUIq3PO7zR^ zHWfVb97t%S$)O~;a`)*vF>pAB3;GY{@kE|^c>cztiy`<4P01*F3>W}g?PmWs;rR}c zA3H-7ldJ_C4wmivH8G%!K=y&S?vhQBJGi1FyYlK(&hq3jcyj}0Bc2skEq zom)^~VJ#v`dF~VQl<{R7p-gil0g|D5MQ}y!_e${B%C~b-dwUyI;r&!}$N zJaF(V&6e zmpqfAq97n-WWYnNAf{G|P;d0ETl&vp-?EK-;udi{`N8)Ap0elY#sf{-Hx$hMmPwKQ zLyRi#L;wboLilbI&QC5w5JlSBh8?lrIvb40__V+~Xi-?$-nSG)d9`cW$OglfL*Zhsv6~Gl} zg*xAe$P5$dj%Lab^s8X6F99Qda#pKD;4Li=wH+FSw{5pkb@pi8{r}P7Ls) z^USe|-<)A>B?8<5AlDx;3@g2fC1$O8v+O+9`;cW(<**Le@B#S@_Dkp9;#rETA|l%( zWLYpl)REtEuez1SZm|`w@{yii6D{a`1Rdvc&jgGh4iHDkcn~Iy2lG9+aYw6ybW@T{ zp$K8jseg2Xpz%BHPicJ1+b9r%yfTHORpq=FcOs>@bxblf{ia>l;=J@+PUw|P^%ChRwmV;rq^vG>c>7@~BM-6Ay zT1|#;F)M%YM61U?Xw*7h$nDLYXkHBmUvozxcaao;upPOcCyc3{OmHoxK%`K&weWco z0q5+i-qa(a7UPi^Qt)GCs5LDhzAJ;&qFWq$hK5f;dTrZ#WAaxuc1}h5v~!$LI}>O`?iqa30!KcIUO83XZx=&LEdu$UrFt33Bacl%azG->A&V0D;X4SVr#bhPE%yaG z#BI(S=fN{Hq~BlWVb!kH8z*~3-!P4lyw&+~LV_|7Rk(Xe%viSx)km{tq0#)<%;;Rc zG>`u!Exx+k!8p7lEq&uSxLnzABO_{4)sKxBb z`jF3zhpF=cxv2P5M{c*XVKQNZ0qJSJF)vk-qQ?cf==UiXc4F(*JLvL0q2QP23=CmA zXS0s*MsK5g31^;r^qgr&*Pia}xWmK)DbwecUmuqXzOkqHQjh`LEdwn%BtaN5nyF<) 
zC*35~MXwK|zVWa3B(c8n#Gk?giL(cp)~18j%;9`tMfLs`z8rzkP*r!D1;oOam6vQR>osieoYGk*!9~zU zQ;-{6I_-J`{PW1I0ReuQd?*MAI7A2ty#FwA>mOsb*xtu%MXFCbuX3S1VrR;?ajdQzYVKtTB?%~xN1NU)Sc{0b!ffY#Qc!-SGzmjGnr%rj$- zjG>aTwpm5Bvi^flz+zD*E@dEH2!21qyqdLkq~bS4@|i134mpA?w$!QTCGH7lwJi-x z78&BT;S{0LNd%@?p|mP1VTWXzIVzdS_?K?MYU>lYnTLuX1d?AuP0%^^Ad{>qgpC{y zU8$nl@wkD9khW6E`%ivOYbgO-E=QG#Ue1{c;z>Vs6KGhPqaY9e{#>LH`)`e0XHZky z77h{6P(v?^V`^q+wi6zhxtW z8n>M=)^e+jIJrLq7=FuwRNC)!z`(;O z_Le|5HD^JrWi%y95aOW{_JD;baeY>7i?8iT)w)I12 zzeYdXP{{Nb)Jo%frYOqm2F)%<#}KM6bt6%|gyT*u11BHtU*fkOF%FRH?|)t#!NeLbSAWaRJ2C zQ7${e{9$%s*f=eWo@U_|hoep)o|@wxy_DdJwDrnUMyXefA?TORMK2jpV7N0CyjNE{ zk|IM?$S(}Z3whvR{^5*IJoi1seIZoQCQl3$p#nv4g-MU!hQ;ZZwANXFTuQTC8Eb$O zETfcj{F@ifI>Kk-(pcSZybC}$QS%rYKqnJfftt01H-V-)$j6JmaHE)cbt)izLP`z= zPerdQ^Z6hsZ6YCzb@rWB6YaPAl?6#X4#xBk{S;UdpSAGuC=ET+@PEi~v2<*dfVsI8 zSCOwZVD@Bd*Lq-1FmYa?m^tj2ch#+C7rx^KU-t-8oH7+qm2F81(!y;YAeYvsbnV)3MMt(nb({z?NEqXxPm z?^NO93D>cz20eQJ(d~xc4cm!>9zRA207#wz0O)@jwhuDU-O1;>H80uPJep7jABdZb z_#-r!O8_n>K}*oOoVZ%6fj)IQ>jlW;6uXqG4QiSUPc@Y_<#Q-}S?Vrt21_L~zI%wM z%K7FSE!$JY6un+n|EI+MXPGquw~ofa8C~xV;dUW3umw$g*V;pO+(9Z)(6v8rj@v~2 zTCiM{(npDFFRP$uWlt{T6>}wgltbaf+zN2qBgzj-w|KkC)aXT1oiA202x|I2AHgW1 z!%wHSDD!k|I$0bTDwalNkJ-vYaDQ{# zwL;#n(h3q6sM#z9I6i{(PKWz~QupL@S-z0*h6MF>8rps}Zx9m-V3x_2#v zn?HOnOiAW-Qd2@5!6d0?B+T)jFb*B*t7^RGTP0XS2<@Nh++6+ao8!`k>TQ08XOcW(&4l-1PQd zI1s6rgn#ilsIc>ko2rGMYpoJoaa(`8Fg8{h4~N9~`g?gQ^aRO9?&l~@HysO|XK9{h zXSOUJQUbGwWHmu0<4Qs=R_?nro+L+xoBzg&=QdyGetw}yoy zrQ6D3b=hf7H*#=TO3|170P-%BRX;W0OYi+%w5?N~C}%0gH_4K|z1WRSJTRkn9{QTm zPhZ3!#Yk_2WvhI=9__R}YWQZQk50PH5>ws2{)(qRC^ipCIw_1(ezP`s(I4L?+P~nk zAarU}Ij!I4B4B>tj}M$S59A)PUD=hU?N)l_gnd!fo=fd2f<(0E`RvpK%>hB^2Xh{PPv z7esgAk5|Ek%A`?AxRH?mg$s5~b1Nsd>CzcGGddgRR!VoQjgBD^IXr4T+VGhNA&6I< zZw3+I#oDV$pl5O%!t!R(iMBR4)a}T!gG)ouo`Gb{b_7g&VqUx>t7W;4)j1J=_$ky) z??4wTo$g(^);qXt+{QNCCOTxPqF|gnB_=%(A6D4?(rJF+;tBeo_O-~E$x}VmX{fe+ ze$+cx@M9M})JT$Mse`TxdtVl0sucHWW0mUd+!v&XWAqmiySt-9A3Qb)Y3QgsxNJ5{DGlxTdgQ 
z`cSPsBw=Sd3CsQZ0l-v%4G)E$(2$6wF2HW67xI-|RU48PrsUemzob?;)oiP`oO?rT zl%M@6p$|rhZ)Xbp(C? z6b4LHH#89_01OgEf`LE)o>_J5X(*F06ksj*2_X5FX_8KkGCvS~LI5Uom-T^N-+jnb zl#-0ym=FRI4u}H-6(Gl1QJ_IVpvwutr>!OpAQ^@&dB=uMuFs4@B8SI*cZJnD3sH?^ z7sw6-0LW<$;AcJhk1F(xczq9`ES-7@v(r_BXLz7&VSlOC1KJwYOin63&Jn+{72V&+ ze}hT?Ff&uKgi+zCAH-)6>)s-Rzf81LECQ6fow3jK&bAg))K{0xQi$!^><3FsuM4+I zHhc6|8~E($ZqURn)cRC7`O~m&QhY0JPCKQiWlQu9mDfLfKh#O{DJ`RnTj!FO#711M0opIIL@jf;K6f4Kc&#E}boOw)tAO?Vc0+~?7S-K%33S@Cbern; zg(7A#uK5%IfEYQUWBlp!zn9@(^YnE4k;9n|dJM|Y?Xwx5=*s_$@&_^FsUz6ov~+cq zP+nSM_9?+yPUb85`#ZXR87iEx4c&9O0RaKIhR(xT6b!#h&DU&?uz!-hXdHS)?MKT+tk1pNJl zOoUSCZQZbm9yvQ9y93np)S_0nqN?%!Q@hh8C-?+9ATa$caWSC(dr-Z~;Mp5nuhYh~ zRm*Zn$a5?`gZ{!T>0n$P!U}iOBD2F8EaY zm|*=Em0RN>%3?Xvd`1ha@w@8z?m>~>b}Q=HVEgQ~iHVAjggRm}5pjO^JlvxjP#T@mg3G+9MaYV%WONYY;Eu zO32_TSc0HF&W4#1Ilgkov>`c`vzQY_l*l}UT#lh%A>{k13OEiB}oCE*-KbdxyqDD4C+0U7cFgrw*5$0@A&o+hTcWP6dFbzu+?j1b=C;rI zy-{q-iyZ-P*VZ<{6fZv5Ji345!NfgN>$77D@4!tyScW#2iO~uRljNe2yS5!Oq~~;* zjb=vYBdsO-U<(=8#b=W@6`D8%!!E_0k7=~SfmOBL^b9Xs-M$)Z)^>qS$e)4J-2l&Z z>|)*rJvuBOTTHa{ZD^Z$>`i30^AcyCDlV3R9cDMJJSq37@=O-Z)CX@gK1JQC9}xQj zA(U|??liC5!_m4nYU(s}6y0zxIL=Jpt8PRVQ~$>!14>j!l2)cr>g_d9mhr2*^VJjQ z#!0aQ0xagua={%}ebiP*U9Yb`(H_yfak%q_ghLK|OQ29ZCxK&x=~Dn%kNs-Q@#Zce zJAu5DZR7zakH4-^@-71a*F7C!2v08`X$LQ_@0)uRy@xKRqWS(NS@)R!f|8%16ixp` zJ9;9V{taGsiGDGanv53sDbBwbLMe90q~snU$Qw>Koqo(0)Ow3V{C%Z%2Vg1H>=jS2FOwU0ePN7e~QIJ<%`lo992k|HCgG j~qgP z`{3TlN`Qc(e){wY^3ycolxnwcUv@0;uOZ-r2z(4}3}gW|w)XUTwzhOGR+dr`BhX(M zVTHZ(M%Rr!HU*A<7D`OTzf{F?2Gmnp`9D86f#SEMy0eSTlFIe=qSsKY2eev=>^FWM zbQ9VzQL`)TmA(GHz_{iUR)vj_i;oA=lWn!|Gk_76eRSJdZ>C5qZ2UNbHsIXQFQ| zC#3&vfPoFb=#K>f(K-@645)n_;z#Z&xo5@x5s8*X!Q|kxZYhq|TME z$X+rYq`kC|ud1t(h52Ea&@@i^$=sVyW}i1kB0p zZY$aY!kWSIE=j>J*|-W$^(y_o;gv|@6Z3aiMUnf|cV7MA9|4C_qT(VF%8D4hD8Gw# z_Q1~txnP`wPA*>S$O9b{m(1opRGGn z(}+Z2L-ned{m>nAPjaXG^)p7S+X@4*MfU12ogE8hg1tIji^yNGOF@T9DO*X0>aGky zNhy~I?JkcO9BOtNf9hN83cH=I515=I3gx%@4*S=qw4I&UWP6PBJXl<0LduDh1o!?b 
z#3B9lf~88cwdD(?WAqqk6VFi>k(BwkA1B>U6TDnO6UF|ypgtaC6WjUm6f8UzD@=jb zG!vJML%Noo!XaqPeUs-f9-wXt#_kacbqbQ-V2s$o>J}hCuu*n7$|I?4uefV7OB%-M z$&Q&GhvG)L^vUkG_3y2w12nyN_c1u)kx&j1Yx2Qv9-gLnnhI!oD-{_gYtyz3mJTMC zBnb2C2NQPP`b_B9Fb*SI1*BmS5`6g)!RO}XJJ@DAf=}j~=d2xzDn4zp2P(CIr?b#Q z?=K>oI$2Dv6*+pS^d#QC;5;fPd9$>3bVJ}gYSXJPRf49h1>!tbu9-SJylp}2taUD= zDU%nPJ${K}NC{`1lvcgV=`&A^`fQRIb}52+Yrg)qU0^BiN9vHtF}q#jc8liiCrx&2 z>J&m2+}O_%{AAr>c#t7ZhYUUhUw6VJ4xP9Q4jwO4z5TY!FX?zBY{lH>(MH0{({N&{ zejCiymj6^P0d>7PUAhU9$>e=~d&&`=z<=k=bXPb>9uG8XQsMQynLyCV?(lxOn%l7% zb5ZN>c-<>W^nQKfyc5s4TZ>JU$!vXmKk4xDvi#Wq%0tofU?xt|ED|v(mC^kL4kZfY z$_e=eDnA8O`jgowC#CGq6;h1fww8t1wyZv@^?X>N``+ zoi>` zsL!P-vwRE`8?R{dlo?4|B+sbt=gcvcT=&uOUQyQO4!FI3`yF;xL`lq5P2o$j>*IyM z87h*c`?PD8)_LY(4#$St*eL2-LSHC;kIWrNxuzeOl~#f$&b*I2Okq)So(-Ft+tSK= z;<(n=BaPT;K8Ikmn2jI8%5qXRuPk$ya2z@>n*ik>FufB?A(bC{2}ff7e)XeqT&&6z zQ+0N2p{i0s+s6-j>-EVMa}<;Rkl*FOo_A~)WBt3GjLoQ5KIwKdHrv}W&>?eTa*0Y3qHVU@)4ztxj zhc}hWIcs~1w|@A@W-GHP+>FiEr{j{VBF5#HSXZSs%%xtqVwZ}RX%#bu&iALUTrd$PEu1@PnF-N^%A-LNu=b=*|2#nqINlx}`o?3}5go=M| zC{f-<(cI^t&R4x;9Znr#-wA@6rW{5AT_~{y(7Z#dW@XGWd-63G;t4nX?VR z!rs)#$ibfepSOR~S!^Gbcn`-_qbr^Q6>325-6q!Vu$vzXQyGa6b$dh(6V0oV_L z2z9kvGSY_g0^Y{YF~~-mUj#Kw#!9UR5p(;^&?KW&*=xEK@Xi_S@tQohV z$y?qxG_-m>Dq9wBe7wiMC_RMAoTN^0-GwfEJg(q&AT8)W+@#YGd^|OmJ>h#(FICl-wxrTVUzrGo32RLzepySA$3Kgwi zOcXb_(LIXPvnAuc-H1L<;=DHs}-Uypbi~A8j-{ zUa17lD-7*qwupEY;FZ0maoF^(nBQ!i03OuZk5r^7l|4F^aJ>@mJ6;su-rG#^Rd1;j zZ4?w!Mcx*kv^rMf9Z_G5Ro3eFj`S|@4(;7^I2umMp2uiEa@>zajlN&RC;D4sx)PT5 zT2Wsui?@o#=gwDqY0UG|rh->=yX?1^tarR1@@t6Nst4h>0{oVmA}5uQ>XrNplm-j9 zszVCPh};x~uc@3&ittxXeywnB&v0%Js+k$5T&J@N)|owO^~ zhr5t{Qy=rZM|g=DG*=Y89CER4N6vT-v_g5SReX$ycx7kyTC5orSzqFATzS8im3ujx zQ_)fv;FlNTsj)_NsJ`uBv@eD3e>~5>tenj8zB^TvnCd*WdF8#TidMY7@5Wacy}hLl z2FiUL4HYc#Hnc08VPE#oz(s9*dOEpF0IxdHqTQ>rd^*S9xH5iF7z^F_$|1yQ^S-*! 
z?fRmI+F><6c5YMQeEt0>!1G(j+}#w0!hFMAWVC<750?e#uA<9!v~GnhE)vZ;e6p|H zQX99--)ClSC%C0Ly!G3?Vny+HHAq^8ySeZ^9e`_;g#BbNlX$Xhp8dO$WiSsfLUHgt zb#6Dy+RqDg2#UX-;)~n9TikBgwA+W+>)>d;PaSx|czwXXzJGswbGCZH`##Zm%Plx_ z11mW(b36RB!wQ>W|1sGPHwW`3ijV#Jp8oE6dno9)p>wq1?nma0lgy)O`fQu8GLGM1 zb-9)O-Xpx(g7fcN=lO(p0){OG;EmbdzpDntU*zWdtw3l}34dgvz&2pjE+_@aAB6MP$ z+)ic%%%lZMB7LLGwSB!*LOZ27nBFp~sHIZzs?F^Mmwx`^3155j!|^1p`zlTSedOW8 ztw9Z=)$ZJ7EZzGepax|Hr`_>h<2>$UzkIoTrGG>ohg?c0e_ZFbgsocDk$jg~<(@b@ zOWo|iK*wGok=bTA#RGh1rD-IsHYZ|j>TtV zT%SQz@(1H70Y+}?@pj39Q^k^MX(ZF3Vu;nuGAgA>PhB+OZA^A1WPeuuP$eJ~?4Blo z)f9WNcG8$G$yiIQ7oWhnkw`TJhG{iA>zRlnF?v7h9|wwDPEcqD>L)tL*Lpf#YA4zj$Jw&cazA% z6)DN>3eZois^|h<5#Dx0;4M9FrYX${(=^)GZs2Gk0%i)8Zkx@&R>j*d4>!fv-*$Jf zS`kh;22M;r#jPnv)V^ye%`6V>nUU?|RUGhy&u^3YeqH z3(<$K>I5r7KALIG;AFz_6lKbeaBPW-Q`Ol*OHI|^+wpmR^H=D)I@nS;MLVCZeK8+x zRU&hOp*uy_T%>J0XbH$p>wA|Rk1{EVAMxdmP#ZR)-?DQ?OEjWron`rFT~zf?aq##& zF)SyT^+M~e7NG{+qSE+RC{O>^Z1z!l|?rt49{g^WyWq%Y=@!`wh=revqZc=J2+4yo)VVtq&)j z8NzuQ1ts4viH9pc{GOwY1kqSawRD_K0=lWT8KUf*zr_8Z>>R@kl_YqekwTsW1oBHl zdA3lB_Bc#0)x-!lllq#Uvgq&^DlEkWG9yz*@3^@)3Dq_EqP}CDMUtF3TF2MYATLkF zXN9p~NdV6^Z3j{vtDc;aW7E1g25bCR-#yS4=JSjW{Pwv{-2@R`zbq8amM&R?{W7L0 zT^{Bn1i1Z7HdSQkXz|1a?RV~yaf}cJi6@A?`mdB zK|in@Sai*9-2`!3@Rx2fEI8w$o!BT46~b9BdAYSAGe@zRgH+G5gn9%(`|>G!lgzkJ zBv}K5N=E&5{7ubQ1|v!i$YZ!NfM<>-jTc&jbE;SWDtyOg`kj9VYRR3GXY03mtlDiK zZIS`KrpNW8rd#DgGuAn(ft5OQ3Kk1bdeKd9EqX8Jd$`Z1I5ZOoZ(-3+O>hAUnqSXebJLe?Xe?&7e^*B9Fv$RHz4ONK`5-7f=0NN;7ya&F>g~BQyCx zEkX8T3rH&-OQ-Q|>xTAt9n%1pj0;o|MH3#b`uN$vR|=E9mSM#%E)B5E-Z2pyjX7WL zCM;`l=Nn6tOA&Zt*v2PdnH7HeslLK`0ieIGSh7}<-RwDbl=s|ms*K@6n<64Tzu+;` znxF(wR!l{YFuL<1R&|v5W^~muRZLh*C10-IXcmGcmwuz1Y$_tLb?#F<;B?J*VZMZK zZKFLBp~gcBXVk%pE9`8=_Q=V7VUZE&ihLDAD#j2i*k0>!+}EC_KyH_0&!*q*xL&QikDFSYaBZy5DbYb_02=VNTF?pkPREzE*7Zl+t)arqO8_J+gBT2SXWY~q9I!Z)L^_$`DF z%Fz6eM(=W>;=PDe5g)1hZ-`8ckV&;shccT?YL!9D0^oXx*3ip=&vx(kc?#uwoy+IQV>O8p zi)axF?sw*RYcNj zwVO3civA*hR{c=pBlR1e&V_|zhW-I4`!tz|Wh&&@$;XN~z{;w&;kr^Pk%f`e^cC>+ 
z>Y_~(<>0Q_yuo2FCDO*)>~O2W;;E!K{r5S`s%MX&ZFXjc6sHkLKS8R|34$Y5rCN0rx6pLPvLyRUQ$!;rw zCL){Ses7rpQa*>2Fdp=;6366Bk}QOL@k}NaRfM21qcqb2rm?d&zPD%SJ%R>IXb zil}oWwyV9H4HjDL*02#%cIz_$mnb8}8R=bq+-y(R#+1b2W|EKY)=xc?KXE_iN8LEh;o~WhSVVnK<1xr5azUhzmD;m zu{!sB8`c}ol1a32R$&qSh5g1-AKpx;IRk-o`&~n2z?=MT(t&Y_VxN2GynAbGuKJ00 z_RjP}8jXJyuuQhPKd@8({f z15ea8!e33VUw#lv$!vY?_rYksSsZ?^pIW278wiqzn-Nu=H*69b=23qEa>&L^{!^j8i z`@?b1dsnU4OP0l*feu3afK6I+ldXzZH*!^sy;xJNftWTp&2=dEf$&$dayz;s{@(~x zFolM)YAJD96{4R#GvYH|m~9BU!gO=idPh9BLrT4_%g zc9gY8D|~6IxgKuPE>XenAlqOwM=mH(aU=T1V8a`o9V|3(o`ite!RUr_?IhcDO$Opv zIo|Yu`g>gYv8bm7U3K9Nn;ypNlAz^4ZL#f_J)^yFuM2V<4Wix3iY7lK#Du!fB$$7oal_5>^O*`zax20l=5&ZDYV@+fJb_y4~l47l(iGFle;m z)v#{5sT{FX3_$?$!&~W2!ckxDq-KPRCL zmjTEslKL%y3i8U_b08UKf1eKo5>KI~Yb@4x)q_=c=o}O3*V%Q!ce%alh_gpH4IAE> za6NS$>=wj9P&ah4N(W&?TQ(!Pq+z;V8Nq%Pqfvc&v726m9tNh*Z1~>?K?RIH$HP)d z#4?=^)}-Rv>Wh^fZ|Y%uM4n0 z-s+1HCSr>|$e5M~fHlec+8yw<%j^?dGrX^_?7xz!#RiRfTdKI8*klcqOvi*6;3L1S zB6sTSW-lG&_nY*pJjSnRdHnmm*bJ7iO#g>_8*Rx(Dw3eJhGYbCpUKnv*vW?D)Iugc zfP>2fusjZ^LMyq8K+2#nfn7=UmQUhtr?t3hNpoHg4cfkWXDhzt&7I2&bqcddeiY;} zdD3_Crnbn!zuni>uv0lIE>?TVki4V0W1H3M3=R&Fnkws#s<=hv-$`gM(G zM(@Iu`+)~@0nb~QGiJ6CtnDK-=#q=_3e4{`Ics_rE|d>+(o0>+as_9T0wCJN4P@J(dOW zGIKV-(vDfFA67Nve5I;j1qe)yfoNMsI$`EvR#tjr+{k^-CCCEoN#zshrQ2UnqUM%e z{@PjcD!4opCHs(czw=8g!gYcP!}%Ole@jzq^cB7QhhNkle^NEUl|e#<{6`((%s%@~MP+c|VDtnYX%Hoc7_2D8~F@0cqRwt&71< z5i5l`J>kFK_yRO)l`F0!J$39k;}&g-B;CKL7CSqo4_~EQAN6U4mzr!Gjr3ue+e54&TKLi%K277dp$J{D$Tml9kocuZ_D^6p$^H}A7{~l{ zvwoU|CR+lbNf=F#@(Bk-F*DcIhTK}Nk|cIt$@$~rvX+jcU;_TN!1PW|v+$u+^AKpk z94)EO9Bp2CiIk(mkB!v&?>wiX8#qTwUnbt)Guc`?#J%5Z-{<&vClx`Mq1&axKo1(u-c8ZmrqD${_}1BmW+BKXu&;*ca<{g-;FT z>V7%|wycVGtF|#CqRw_84becE8yX`EJn@B_yTzda)P!}LQ z-==*yvt>-{ATe_MDvMixSiBlpgnlTc;iF-JDGwE0UOlS_`Ze>I6E0#A{drZ!(-HCx_q_>~Gm8 zm$OO#;ks49IQLmpP5g_f+6F>qZv9sb+#GRHEgcKioaoGIwJU*H&g0Op%MOjbWAA|p z-sT$nF7PetALdTzhLyhodosqAy6N^Gl(5PwWnF4f!Pm5sigLR~*adhw0r)Vx(~)*f zw+5Q!ugZWe(G#AW8UmF60I208QGB>27Xks8sEM~f*;>^mun?q7F62YE%K=44RLdrG 
z(5!f!;?35xaal=`%8*K>CA@mK{ivb{Ej0mW5h^6~ar^3fb;Nr4k+gNq`jM1)orzk! zl+HtaNvlo56?<>cE~;Yr>(DMLP*r&Y(yj?P_5=aL4N(dKsV%}-Zlh>=onOxL!V2XQ-8?mjSiE&SXrbDJj@-P zN5f0bZx|jH`rW_p=@|{DV|3VJ3;NXPzA_bRKE>+c0)yEby3~OBm4-jsWAN<}{hS;U zuysIZqTQN(nN1m<-lXfGQKUKMk>MiJIu*2v@b|}KBeuO>5B9u(KQ3ubDaJuy|77wp zmP9@B-fog#IM!q!U^bVH2tXyZK_Mxn$1l7{pDFD-)1qCLm}_n6dp$mlH+@RQO_#Th z$O*V6*TXU(1-M5fp_{s zA*$|C=Un=qE))Zd(ZE{J7 zKUj01`P*=RY$6Ss2k8f8wi5Cq5p&KJkD=}Ff4g8#2UNcuUV1-Z;k_v8TiQv}nRnX-9ZGyQfA1x{d9>Ei zy01csw&2>~OYy4If-~oN!;yNq$>YbiynJG&_HnMe|I-N7ecwTXK(_HYo10lj*>JJz z-s>t);Di7Vxucz$GIiob_N0vYTt4UuJ5E*GlEP~)E3#V?{rugIs{Gpw=aZrzq*GA- zu`mSveO~+Yj7ZmTNw{m-ry+_zWFMmVhwNBJ)Rq^_Hq=kfao_d48&a+MqyuQ>tE7dj z&WQ<~SrlPcAgd1KNI*nVy#S>0fi!l)g-&nRwWzfRCa1s!e-)xK@@t>g)5M5YcoF<< zbdK*{`USBSlu+dJU?eA!&vM_&S!4?uhmTr`u9L_&fm7%|TswvS!!=*6CFscXuG>V~ zmtg3Ywx+eJz-!eCX9QzWfoh9FZfoU+o^g5J5LLu}Jc(A1K4pGPu%}YVw@ys)(I7*N ze*+Li6g+3JeA9KPoN+E0*NmE@J9?gq)eYt1@W=5KKNj4pC=!`_PCIu5&kw<4lXpHB z?>W2zD`!Viw0Ou%%{Oz)0u`1sq?FfdRweuQj4J4#)zR@q7LYi&MKRE)d$7M^lGcK) zikguQ`g-J~)=F?V4OCSeGuJPz?rW}kbss?^xxN-^g2g7&sUC2%KeKu_V%g1~0oFt$P$v_)?);r|^ zk~X?U+YlUQc%#Wj`WsgcADeYf_}T+JbMxz*9p`3L735oIW10FBY#-|tlu&9~LlN5v znRq@83xQAKs8qt6a*zSB^_H`#I0uKHi5h@oNF|136hFstzXDr*tvc{T0cp!ZOl$hM zEFDxku|gxFwjp5giusKVRz9P^`Y|ymP=E;Y)xAPiird*=|JPGe4qDw zP-?SxTY>?>+S;60&0Mwfjz?XN0ZY1IX_nw^#k-h=mo(df^J#Sq4ilN~#>D&-yn>h3Gd#Lm_-ZJZ<%cQw?R;jegVaLtg z_){=jN1Gct>+4nkSL#@Mz9o`4#jN;dygjLtO-hi})pm!eIgLp_o04OVTr}&)$%)E1 zLM_|mpqD>S@hKH{TjXUp^q2sC8ln%YrD)YgA%g22?f1|$wv>#W@q=RJf*`7J?0{13 zvIeX2>70W~4p(Lb(Zb2H#xnDej79Az64t}Vz+6kyIo>|jkL&i|;}?xWFXXwZOm3b+ zxK?u+1?Te*qCr`J@oW&shAlKx>Lgk9^*6alo*U`|lP5M5Z`AF>ZPo=Y3C>lP?~Q+o zzx&)@crCLM-5O7S%(mfh(^3BO!NMC$K8s=JLJXOp1%2AT-v-% zjSs1+A;@x82gNZ#X-V$zrJ--jz*f+&N2Z24Rq)~@% z&Vw$6r14Ko>7NZbL11Q<qH zPmDMKE9P6Mdc~H57k|b)$4uFay;1RZYbY6l05R4wDVzrWGWL9u3YfL0#P_*=4Gr;p)+3Mpg( z&?H3^^wMuODNW5)%Ch`^a+~RHiE$YQOcim!Ompi6pNuD|>>H6hhQN=7fx?r+qPcZ&1oy`f7u}w(P=*%2x{PJ-Q4_ zQRX=iGJGAu5l>(V=CM>O$5kJ#k@`qOWAyuce~Hp;m5)plz~wNB?^HANTfz{`|J}$* 
z!JNwRP1mY%U=4{N6|!XP-N93nRNIXNl9gD8`YaqCpfm&K&a+QaKbONL&B^@=Q};|a zUx)4J$Wq-td6!;t*MMpsj6W9tO(!CoDhf6{<6zuWk>Hcpumz?kjG4k8`88AcM}DoA zl`Jl4g*ZT9hKIh(x!IjpO-m7>muik9)8DFUC*=J?#v`dh@`WTA{tsP4jw}$J+#hrs z>f#wVFQqn|=j9i7cP%|+tM#*7wQpzZk~Ta;Vn-9HT5t_*VPt-nG_ITW2 z@2ABqNwCvNJ^}r4o;p!N*5lBb*00Uq#;@7YM?-~V16L=6^;&Nb`LI#`9Rp+yiA*JR z-ApF|BZsUej@yJuV(P(dBelWV8A@Z-qWw}1oFrTfKNz(0GaPH zD}S9L5a5LjrpJyTQlL&XXzKW||2#8NqwoWayp9nLA0f;^v(ApkD0CsyOZ_mXF{Ltd zXLo@-RUow(#=*SV;l^w6*yn>l8&k3$<{!4Y=mFah@2EE%D)0|ieIyC<3?EE^iosJFj4XtTo>^#y~6{)G+LReo5KPJ~6zvk4P#vr%1_YwO<1JI=V_jS{6E-4o^fk&Xkz#~v%;1Q_d%)>N+ zG)h8?b+@lj`I*Zg2s#=Of*%2-)>cXws(>Z@Ur$Ag=-F@G=-UH5C6a;)JtjY#hPIQA zUC?fK-V{>e{Yfwaywdt@z5rStY1T07Gy2Tg=HzS*6RF-s#8(QjvHA_utw6?V>{hE( z8Es;e{!%SMlA}MU$d3L&MWO{M){GeAkQIuX#}e{sA`;x$v=(=M;-K3rdYHY2pTYEF)Br8wPJo*SB@J`0wX z5LEk*@!;D37~d%Y>63`~g+2?+a**L8xH!if#bPuoq^PThc+cNYQ`oF_8 zD;8)Ms7wqOECt-kcsLgh18Rw>3l1yebG!{4S<0~70LiP7^}&EWlOr|`m$!Yyc=3}F zmOchgc5v;yn_Y1Quo)-m3(rGl@s<3MbaPgMT%$i=@{RrhQ!5E+mW(*flogP0Bt4In z4$H)eW7v9WuiW^JZd-M->-W^psD%GI!%n$c$;Z~(QJ@n(1D$|1d7oeF&~i{WZqqoO z=)QbH_BP1Mpjo8j{bex;4zvobP%|L53Js{P9?VR$;C)VnO?N3?Ca~ibL;MzGHf20)+(=oQ=2=lQ!Jh)}vOwZXY?-ov?R}68p@U@r z{d^JMyGbEteTsVj -PG`U{Nou-p&lA$)D-Osq0*j#9XAAixFDvDh3Zrxn-0x6w7 z44jA5%iDOZv9*W_HD2rD--6u2i_i(ZkB}*F;xLE3zY#T$MU~%!0Ef)L zSsP~!#ohl#WE`C+N2SvyBY3L_OUi)m_4Txv95aNXX+CJbGdLWVQ~E+p;aEaEAZOg5dkv^PimJ+A z*dy1t6!97gbD%KO^{NTb33sv`k}=TsMjzO5^-@-G_=O<<#;dz1p}^D)kpR%R^K^g6 zCGoAQ^HGWdL~gS|f!Zr4$KTB_j^BRBOKMJ~FF#rNWQ3z|dfVY?a~_*7Shua=i;7L6 zXhKgGeA%^3)7^jVGj)Od0P05y><3UkrW7{uHMT;r@Un%Y!Dx?NKt&*mX)bsCuT(t)_oeYm1!JzBc~ZXQaZgY6)LMsZ2ly1mzdqIAoqc zo@0gj;c?}PmAWX=_6vhdzubG)1~Ih}m$~Cr&C-M1UD$bGDWYO|_E0GzkhI?e(5lhi z1)LigOM!Q=$Tq4Ha1GlEOqIJW?S2spqkk>xA;iQzA7)I?J_N`xIJU&nIhSkhTBQ_!Kt275sb}i^Z7bq zP-JC&y2yj9x3mlAWTS;dm6d??R(EG9E)CCB<8~{9L}qui6fawz)`YcAX-AN2mgg=j zO7xDUl_WW4WC#9N0#=M%J;beCT>lHZ%9NokG^;Tl;r)@0>=PnC6;-vYoE^Kwba!eM zb9y|@kG7<}a~eZ2;WW{mix!g0<%H zk#L`LOdJ@+G>688#;MJv&hbzqQgR!%q^o2k1t#F>=m6odaSC<*`)9zl4^r$${FD!3 
zc(oS=bDA`Gfv(0rl78kpSUdt!ZZ;7Nni6#8%`{qAHD4tkDy2jYg}&?8{u+WG95Tit zAOimj%x55&slu=@9c#WnXnq3GfGme32Pv%Y2XbTIaw^n=pCYRr5qP!~PgXJRkr$?6 z@V2_gYT@MI2t_4U*P%vQ#M)6UCb|0mD)i>x69iQ&8tfKF%Of9Pk*lU~HVCndV&KRI zqX7gA1YGt^vQ@wmQvV(AOe*K77MUu>^wKxPhkI~ZP-~?AETif3VsDSSc2YPSVRNVn z3(OuDytK+gJzCu?%Z|=OW)1N zx*=0>b}Semcb!AJw0}HJQi8jy6@DGYi}^)jlqbQzX25F_JRsPgquR@jW|V}}BQ6p( z{9n$jkW-Xqreax7Tp2+(I4EtiwEA*ijd~Ir>ap)|mfTA0nFF9x951lhXq^kKFs>LU z*!wl_b^LPDGLen`!ORJv&sjge8EwYY2ZHnM0@crvAbW-q{6rNIm(I955~j;Pao8;L zWS{0iFcK~8hFjX6O)4z0mFU;uU%juC=7ydMrVSerI$13KZh>o&Iyzs4_TqDoN?DI; z1xr;DN3>w#8Mm8fO+ojw*?#&^X%+;jpmimNUCPHI!j>CY3nyBR`Durcqi|I+-blNi zk`{U##tmp=Q-Ra(1*bl1cTFor50l2-B1gtz-Q*}yWP8LP6kRoo!TMnR6&!7Bu+iQe zrcTeMM4GvbhnO;{PKkO+hXL&vdln;dT=JY2t5qFvjZ$xk`HnE z)>(#nmGj(M$M_nxjdEuzZNlxr1^og`GY7(5!_oBG=FoI6g#wjuqdg^3jk#~do7J6 z3kb}=UcWzYUM_!Ld~G?3SflQ2X*zvz{W7QaxZ%ldLBYmhsY#h~ZWdP(H`q?=xa_G% zI(Q0zs9og+YuGeo3iA(?1V2V=eaQG;^g=_W{1UY$XjLJ#WIyHz)r{-7;9mnrR1wG% zVXgy+RR1xhNlsSG1FNuC`K&;YLN4bhUyrn2e*mUZ#8N2B`r8p7&KZ-WP8aIH(5JD; z-(!w5@J^yW(Tcjn`ymwn5-ACeL%>G$gT`~LFIPWhZb(r*(A+`0DO%NSvZt^KK(<^MSpX{Zzf)1c*obV|?GagudUFg;C`veT zkyz;++0wqwF14AAG)E-x^$&iz{S=uwZDFZ5(wAuX3`fgBR^mKxfwTw=xhFN2D_YSh zjV9xnV1Bl7m4-QG_&i4w?>D;snG?)w;(3I?G)^phAFJd6M0}s&Ak1yzDlmK`*VFMv z{2C&9P4v<3C{iOVri^DKnQLx3<^3w;ZQ{S~vSNqE52p8vTr93zvc=}pr!}t4dJT4> zyKCPIHi8#j4v(;&D&jldOgk$Z5=KN}$dQvXa(UQUZ>tTXpw_=Ju(g{VWwLXJI_|uV#1fB88K&EtVEUeXAe1I|>~wwFdyn(;{za3U+pATL*Q$~}+OyqyUMww`DU20^&hqrI z_RjuMgJ11@dxEf2iHpANrC%DNEatF6ed8y54biJxe+lg0aL1i2C!ZuMbo3*7{$on74A(cmY4p)Ale%~JkR&`aYo_;VX2V@j!S?wvx>^42 z#u*oMc`!Z50#IT)cDUfmtI)XCJvcSxW1Pm#Io7Ru!zt36x{aL>BKEBg(Sj7q+$56H zJRtMm0}5ExNXw|xmz=x}H#aG6BR8t00(JabF{nGD7NY2Y&sHh9uNTko;c8Uj zD@K(mDQ!3<#*3%GHi&^a6c5&9%-ME#?e&tUJ+h~IzgFi_f_j!BeCDuWIsjQ=0*dVo z!2wWg50;Qk9D`2)>5X(wLBS`}t7(mNfoXqF@jwnpbJ#O?nbIQ5mTSgq>W5CbPu$Dr zPV2YOgR(fz^}tqg)*rOAeXngRieLhsyd+$;4=y+Z>(JSlOO?m(1~RL2V$LWLtOQPO zNx*pho6EqA(6_yn$*=O~e!eDe(-CBL0JNDEwaXKQ!~69VOc*@E2GV`bKKG#6FeNMc 
zh9^4@@2r2K!spzxvtdw#O~gdWCU)s=rFfvIuAO)^CmYav8h}>tR5Uz>L;gYacM@<4 zClW0_Wb}hnqwc`n&n!2lY!Sht&WW4kW%=g{eh6o_76mS=y=_a+A^sqy8ZQ*4Wb9BF zlH~}uPZ*LS4@nfGI8B(Ge25a^fb4z~>VmXMmgXK!MxSP`?|~0Txx*JM;=kH|kJX1s zny43MIhWBe!Q4NnEZJwGl8iJfn+J76oc*I<;J93>2B<2zi2wnvliU=@XL6JpdpQ8A>DXI`fP^}#Es+G_kI2eZ{hLt%C zY>S2yO#AOC0h|r`*wTaGw(r307-D9KTN!T;TThYbn` ziY8c2!;<^fr+gp5dVMR!J9`x*80=E@w0aGCd2EL^V=kI&ya9UetC4|<7UVy-qgEc} za~^Dv2jSH4AyNR+`+>l+5NbE@_cfug{FoI4nQRM9mteSZJC>h*X6? zNWV=z(axBThew5E*dgGuo`FZF+fn^BSY?!pfiw5zp;;p#_V~09Y(_`z_fe{ zgVGj>w(Xgw4=<_(F8N!C)J{+^kT=05831ke%-7?n*XP9?z;h`th`j2>cLsPiI1aOX zKJrX3MBDP9cB)8wNX$zM0N3aXCGKCkqT>l4ktAk0{Gsb5v&ew*DTJ4s=Hu^)!8Sj4=y zxEpq!?3BFeeO|TVn<|iQylGBENp;7h`u&mpBEc-dRinH?km0_s)w!1{rM4i1F6W{}HrmtznEwr&Bt*N|hm3T;0)3;!3D*y-)VeTV zby8}k1eZGVL{GYV;Nk*LUbM!hWLK)~_YV}M7))CzOOz`OW0$vZaV4Y*O;6u7S*inv zvrtJ;ZIm|5cJ>J|x4G&e0t=>MpK$+&sBll|K%%a6U$_)qf|1TTpkzbFB-I$A4}`h9 zCV}f|Uv~~(kVI|#mx0dZUZnw8UIWT!uFf($&X#?*RJWcO*_)4xnV;sHm#5+yWUwZK zm?)Z-8QmVro6ik`4(en{I6Jj)u;n@fL5_f_CNx$ zaS}q1%Hj9k@~HRK58QyRe9a_pA6$QBGiuC3iRKZr@~)Lj4eC!^bKQ|xW(72Vazq$^ zuzB%LK4pLXI^b06DPTI_z{L3nQ`~@)|8S7BtK~qJex<=ts2cL)XlPCh*k@efam{AN z>g!cS&{Y z!7WBuVc-tGSR3o}$79ewxP=}+2rFaNf2P+`Tr&mB?+YU(mP`wbYwYOuu{+Or>=hVc zV?RX5L!SN(H|8@6UGg^A%0J;|R`8jtUY|Lz-n}AoooYmDgtWMD#RFUGJhd5y2QZ2t zdB38!qH+(rVy>`Oi=z_W-Z&Ns=;^?$AJ@cRP%U51I6s(|Zn8cvrZp;MWrC(8@wY^P zeH^!G`61T4STg!};_!hZGocSInhJ`xKGX>bWM&x>VM8 zmQJQ$M9d!cNsy zy5_h#+_$}jWxHkD%eHN8*|xE4+bwhXQw7UJm7eO9h--HxDG*&rbN7vtai`T1Ezo zrbm42Y8X)p`3P*Uq3!Z#{6E_9Nw+P?q=W>B>4i}Qd!W{agcF1*s*!}+<+BAgA-&0w zAK4u_HM}7Tl;finwzVPkZ9|@6WuB^()^5;EAq;NKnNZlu+Mt_d(Zn7KJq5!cp=u%L zgPB&<6q=5xMBBa&&_7U z{Yu9KxWnaq$V;WRI&e15^^DDnPn#wm)n{%?VnxV>g#QGzI;x;>rhauXI1yF6<8CO4 zv0a8d$zhIR3H5xEgt{;_@V*arDw`dF@V{it%O}XYWnOTWwnE^wtq(W|Nw8r6e;8 zmKE`~Pu%^79E5X?{wG3nX5ui!p8X}`j$4bP~U?y3oo;n<+^M6z=q3me$1KvlsXJWIjyQI z!?WBVUXzc}v4o0aw6KZiO4r>|na1m9LBA?bEM8;7Ho9pXb#l5$Tnz~=yMvkn)}ysJ zc{W*G zBr^m*l&JfT_g%^ZNops3N)kQjNy_&n 
zzNracm_o1GkDx7jFE(fY>~+FZAgp0y1Zqm6?4YTzes!7hqEK0O>TLh%p{NeMf_5+} z_?wuq6n4pdd=lJ=u^9_zt}=L0GaM0Lo1y*30B`rf9afmzY1~I<&gul~aGgF8k`y+W z)rD|<&MKA`ID0;I%`cQcrlu$|o2*cOXo%R-^`^UF{=!F~?kOXRRixwDZ8`(S z@o^!z1@kk6)5{LfnMBQnpfKN^mUJ?gogAoN_s7l4`a9vj@F0FLiGVox=rP=dUP8q_ z>w?&MKpKBW;6E)zwyr^t!4$2{=FEd$Q0qG>L*EDZ%+&15ban6|@uk&#O2zUTx5u_R zLC?%ALDrKEx>td|CFCp%WP3p?P}_vkq}5R$Oe-?fUz0@^moKZu-+$4e7K>2C;F;e< zv}+It&U(BxS=u^)LWVwd#njKtpX83HDneZ$fEqnuDmla6qaZY7h@1Agi3Lx~5$)qD zq#ZVmk-8>!0Sa4`p!v)&-Bw>w0CG(uG+-dsyWJ5g_1fTw zHPc08x~0(%Mxd69(9z)8*JOnwwWaGM^)7BO6R{1bDi`g!OmHn@o~?T4aLPsTwZ`$2 zH7Yuz0K2h^;Nu4=nEx&55+!K+d&#k)-OHLrn1^Y_F&0fcaA-v(S?}6eeIY1t?ET#R z4f6-Imzn`yayV>FDbHL2w3_;z&K7}6$$p=i zS^($oZqCbvH(8XIYofej2h%rx2tG^o)cI_|*?Jo?%l$vr9E-lPRRbZ5$rVKs-+gdn zH21oxUeML-xS50cdBQ-T3y|@ypK^GWh0-mnsl?`kjW+BWznNbFtdvx~psD;Vgg0ukjD|$Z$LCdH-qDgVGq{&%omH7a3$h z|I;;ev2T;*G|(1Xs|~$YhQ!=**S$8>qkZuRDe6Ppt)rdo=UAn<8<~&ZZPpr>>3BDD z2zv@?alEG2lQYf?2X|I25%1%T{U5sBSxY;mw7^`V>c^Km+ReG-Ypped0FZ zr_!$~#2m3BP8s`7(_1BCE|~Sk)sLGIUqfS&0Htq=vRt z2rc`8_D@8~#ns}lV2N(T=VPZ={+6*l<8rMjlYba;Yy~EX2E|VrWHpCsolovHGi+0q zmCcoPgKeXd$>RA_Y}ka8IXQFes`C$OijQ11rR>|$az|&BqFdwil+$#FfY*v+GdY8D zl);5h&1&3^1odzuB%uEX^UE1+#zNYtTthstr@xvo_B2dGi1*@_kfVS!zX>-l(Jz*3ns_4 zS5Qu2mX?O@zpHRs(=>uY5Bqfh?aTHD6mI$d%Ei46PS>_>$j0|si<@=fpnlcU*w_1@ zDa1NT{oQ%TqU403sHf#tRg+ke)pf69@$5>R^3iY7+mxmF(R>GD`bsJNEM0r>B={}m!yqZPSJ6sM1CuLz;iJ@hfn?*b~VLtgy z1?w_tEcrhRyCFj&C0U~NkixVw8A-$q>=tPy=pBSHY;;cj{@Q<~b!xjB|4wirx}F}Vg_Pa3jT=_>l4}!p*cC&XHHx^|33j#g^6d+$i1Vvk;?+Dv{{5C zW$cd(7`98nC>igjh!{>yu2S7&7}e<&?a+6Hl>A%stF|`??*z|dfP#G{?-l|IX6V3H zh=&XrOQ>c6aK@|ounL2pVO4LDKMBX?Ry7+HW8045S^H$kNr@OXC{W;J++dd< zXhWnhESop)49$tDSXrJ^>gMP&82>hM#O`;}h9^WxSP5TLV6B7a*;r=oO`K8seD~y0 z;?ptSa^c*xZ*faX=53jMJhC_8xCPN*vL;1lpubfVFWpy%$miDMp!;agy<;>0(m|n~ z2A!NJfhzJHzfS~`HJIVz4NWFe*4VfDTM#b{%I1xwEn0jTt#&KtcNo!Rqgbu(!cr}w zZhcD8dQEwxX?96&PHR06*v1G?`9E&nyu{~(jC3pD2jRi))*bsi{E==D(e93rk!+G@wY`${kUgsvmp5jOrx>?|$=2B=N@7XWFDjke1 
z-0dzL?9$zBaYv2*C=5=;f5V#K2mWnmP!T>!^BFn|-wuD5f!0Hv{*R>;4h@Jbj^i|#|?`3caTh*fz zY-w+v5rjov@T_0%)9;BEeiKybkoQCgpu$<;1cwBKN%wf*byr|g#PdcXzqgaBAT=1$ z5kZCDGCsu?hkr*0lAvbR;?t&Zz<}nMr68JEzydg+THB&MXI#dXQxE)3EzKJ z#2+S1j!!$Tf@_WpP=5ld(SV^OUfR0RR|40wXDaVnJ?0z7@GynR>7+pU;t8g-|67Wm zYP&y3#eH$qM5E&nW*9`+C+ww*ejt|MRCaEQ6^ND!nq@*@@ejI;k z-MifM)M~`g=MpREGy`X0AU#T?>o@lA$VP~`VTNDQs4E`^@`5w!lgjPxEJsWAg?E~` zA)ys$^-;==>h*C)hzPtMvxn`(@xeh(B2sKp~Z)*%nTD4tpPIxX88tk+rG|eLW;kdMi5dU2+3!G`(OH- zq7Rs{Y!8MZm&zX#BaxR65T8D|9oRW+eXrEd_hSSD|4TyjH|!9B5~DVNyy`0Dd-7OZ_>6Qdn0fJ-)*LLVqmrSnu^U!#ks=I+GF3Oke*$ zjJ7<*_mbiLt_CCp8#<%hP{L?a%6EQOL)A@2r-BUY1dJ6=>i!>KsBeZg#uejt!ywAB zyvgcFG_XPgZZN$Zm@#jz9cT?d+t+?%gfn{LH(6oF4gUN8BQb*yN#Z}!vZK;U|Crdf zR3YK*)rb|9wvWc8mF}7dwWD}TwiR~x;7hsyp~XX%_Y_Xa!2X=%!QI{6lnSwJzj z+sqTRIN^L&bs4?`w?ZJ1K=K})N-+T{tE%0~cbakP?I;{?)C|aP7@UNN}o%OW`A5tOj^$9W7 z?KZfQsE8K$XNy)Y_<&1#FhL;jxVaEP7*VsSo9k8;!0?6U#jTG8({&65A@8IAo;UuC z$KW06c0A?eq~d7sLu9*VTx2_nm=HkD_n8@HDiVK0a?^3p@_ zFTG!IAebI7KvIE(>la6?K~3TlV6x=b4vA8FZ6u#Faj5|Os_1gaLcV4N6^#B9WyVks z%_TYQM^0-dnH{;J&@Uc)ZH6^Cg`u2-h8$Wc`AL}i!dL@XW{5Qj;r^uU+3r?T=(W2H zGGK3Xd$(^=_$APkNUM!?SSBFUa<`dqG9PxT^(TYC)@BRZjytKjS24w_R=9v^XENv7 zWYyNKwUXC%Q?1(Jt8PoIwn}r!-B4uQDF#o!kFtSU^kPEF{dZn?c34>m?=KEOX)Z}V zczeSBx<}tATIMq9L9Zr|0h5x-VoD?_f%FuF8OiGD{Kq%5a3Fr&V}N)A)#v7jz5AZX zB^$8Zx9C{OsxroQ`Qv-4!^QVFB&|+zGUtWV2g7NC9Ls*>fBKP=i z06TQtwJoO7gOolLYfZCz$C2-6r&-xp2>2q zsgo|8++fSU+l6T$$ue*qXzUbP4WcE6^aB^*$54+?%tJ&*BJUwc$&A`0e9PnvUU)oU z^dbPGm&1#Q%aHo6*8}iD_|>eXajc(hUAMzqYjy3V`!0R;C|bXtZK|_sZk4X`YUq7S zQwnB{*C}&lrY!7VeAbkPeMrH)r0tOx182-b+F|-cNy$IE!w{(ANJg=`0DfwT+ zJs(9J^a}<_sKMQ;G7}PZap;CJL-ce0BwLRP`sYu(C%UU^{sr%wKW2B(VCF^(5G)t5 zZ+9IKApU8}@OlVhfPY&D0dcC1mc>KbsZ&wD%qaPVWVPT?3&9BaFE$|h{rF!3`3Zor zfgnrbXSpknU2o@oY+b`~H}CnRxT{uXO*tR0nGiK(!e_ZL;TE5Z@56Zw`p1e_4A;{V zWcwO9+1%0FSVnO)GlO&gQJ@Sq_{R%+uxB6z;;9_e8a2?|=m~a$ z8cEO(*{4g8Y~%c(BbRR-pMIMijhroE60qZ&bw|;|(*n@f=-QEG_vEUd>`yz+xf8jRaMbI6Na#rL>MGz^|R= z;T+DoXCuVfrmcn>Q5^rrDvn_V4H$R 
ztZ}qK#=vbtb$`*e@E@DI;cN@P?+XQik)07dBh6>oxb4HkGNiBtAko}ie z{r#K5U4gbh%vFt++W}&3)EIT+td;DYh$(0Tx>jHgK54N01MH{X+M*o4es9m$e)8vT zuCUw|ts~mC#J%{in?8lIN!I)xy$-bks4!Y9#PA-uLk2diFT(m5$pry36`d9}ea6XK+;- zIH?8q7pJu&*>8LxW-W{bZc=J_b4L8_baxpeP`_YOR(Fc)l%t4#$5Q8?e7Bp|Y$(>+ z{(vmwt4H#N{xp2>qR@0;#6a}d^d^clq-{KKy>H$R0G;3*3jyJz6z?r?ld6Z%0)5RGE`RIgK*D*Q&GfG#; z=G*qWw0u{1zWs^LBr#t&?o6}4lYq_?Ga%LUqm@>|U<;hgrQ;F?J!brs@?;EZPzd!_ zBtWAL()?iZv(B za91$cP9ot#DcY1)k9U)GWtwP9wr9Y7y_9B-TAaaDDJ_~~j6d79hd)p(=XcfVGvLPj zCBKW9F+hoGX?>N&^cgr05`~xx*b688y3Z86sviR1Q~qbNpfULV_llc=?6>6O+3wLUMzNm4A+ZF~Lcla;HJ$I8CF(v6tf zGfkd0Mm9hbJAu%F-h8~r1@a}`&@``_Kg9LgrO765-|z_pdBfYP3glg&b)WtsNKRo#rb z)_OUh!oGJ|u8w;DakZr}_;{y|A&EYz_RK(P>RtzqSPG}3>`>>lH+w9+J`7S9*QWDe zBu;BTt4x|3IE`_sMX5nx+;4$oj5G3JH)-X`9Q~qQ^-hZtPzqneY4tDk6nPOE1}>p z&}yM5P_)2FH1(4JxRZRc%BK@?k3KKnIX>V^x)aftPf~hm6j42sG|erZYk^kgpu70B z_~&t5)wx12vQguxvJiED`6|JOI$(_!fXPvDujP&ii|GYG?mm8U#LBKf-Xr%`50Fsa zA?R@qc~ARa7|GJG!%sldgP8&|&x%%SIgrMb(gn{G_N=D|&Y!25)grI-<(V<17z2zvkWC`EGrRvf zXCS2;nlTVflY*v^W+kQtJiRyfi=Vg}4V3m+SRTa>_M2@AHV7x+SHRz>bZozZ`eq;n zjaFNdMeUq1A^!4^)wSq!e{VGX@@nyB(Bv0Wt7t3vzN;7CP|Nvpo4a(@vMp8HRkc?3 z(kSzIn=;y8&&#iNFLDg&9LF)?u^>Ecjw`8;Rsd_|F?Gq6rFNg~l^J_V>X*+OX0Yaq z+0Y@==&}&?K%SEcW`O2XZr)9v@7EW`5ZRUotFGW)sm(I3 zpERVxqBTkTOz=6;+pJw0N#7LqKahz(HNs&**M-EcowYd9C1Wy}v+rLG&(J<jpG^qv*bo{IqpxJdA8N-*Mc8D zt4dAq9NFs^TC!D6ubKym0aq7A*-l^?wBTOKooQHS(2Q$F7MH1jC&zY}1|Xv=1aR%O z2#&Y}qPJ7iD<(sDQwGn(Da`@=F9J?!`f5$lFsx%8u4qdTuXNseOm=IWbu`_OGhmPD zv?AO-ta^GO)62^W_~kO@!xP%Jq!Xgpp(L?;jpBwh#CT`mE!Hw>?^>Kz)i3rT297-| zjhe}U9KSF7$5rvG_Z9JTbjDsfPXrYGvJm_B=0OO?UrOH>qDG#|Z7I+yyz@aJC7~R) zJ7sPiPfCZ+$ZZR7Iuf5v2$D}G+WHSs&e?l_h_VGl6jp&OaaWDuE^Q|<(1J1Wk_8$` zO!+XSc`K^6is$X_a{S&+SHjQvV^J_(5&*CCvC^XoN6{Z$Vc6T64dZTo1=Du4f0}RY zFuMv_Ccuopg&pv@Jd&NdxuO$m8?@?~tDVjx(!bB_?B#G0_SOF<1$HwFcCdvAMt41s zd}^Cpq1%=Kk!_nx>LlkOf1wS~;?S;jr-lZ=L7#UQ=YC&;DC_2(QjmC6I69h7HIu$! 
z&Q0qUZd?BeFMhW5my?`9Elt@$rSp}{_;57aS#ulLRge3<@(1Te9tO)hQ_jBMfcGu* z=%`X(D0)I72v3g!tM7ziLsxPU0c^Emqc>vLZu9#$8b!W{?uGPJvlz&D-8Uy*LvD*# z{S^F`T%oHK&46@WlO#0xq4+C7dg`e-Yz=Y36cM;i%TFR@ynQ2|886e0qs+7+PfT1r zrr}$&u>~j2)IW=tIQO2b25eRge6Xqb{n7|WdSc1AzweWkr0M4#Bdk%uc{YfdFoxED zkfPJyr8OD2K?|&wEwYA<<+~Bi&rxhG5of&kQ5laF2Q}#|T3((zPd|1;Ol+A8TP*Q! zBhrheb%5J`vcQW)u)ZRg@4{)`rQm~`afX8pbL^(cf|?=41C7`T#rp|r^9mh1J@|1IUw_E`Wbh<862L7K7MSUbN*G-q^%4_4uWrC zGhRu4=n9O2>K;r4(q2#bI3%vJ$TTA(a0*Q>bHhY7NF*I6f*wZ`vC1H>5(YLzrAk(J zmzXp)3^?2G9@c>;n@S=1m%GE;;x#`7Nr1VVo=om<*kCVrUQ@T4E(kx)NzfU62y*$_ zzqWkN9z|ki;3J~GaoW5&WPOp|+PhSI5Uta;%p6y^_k+Eok5GcFjHL|uNW8?v{L6hK z7cn12+>m^6G4>f2!>`ANB0M7|2}(RsQC=j%S347n5dOgI=1FH5GX#51`TU#soRzt- z@UDR(U(F*&TFmB*z`#OHYC4Q?JAk_MKyNpZ^fou0Mp`mB%)UaOs{$zvGSRLs!}!#U z4j4t>u0BOwPc9mKMdrkSCVhN(uTPA2L|SsqT&O*xIgYx8hk1!))q9$3m!kkHv^|3HI+ESm0K(I2~dW;7K`TWevTfyYo>IvoiUTT-#CP->B zVRelJLnEAFHA^yDHtE)|i>8g7)v+21s(n4brr{=~oe8w@J>_9h~ZhO3a`(Ss^Xl!79|Q}sQuRZN#~TSZ~GdAaIT;}=I+7# z`MT-$JFxEIi($GUyIaWAm!UaHTsnGzbS8SaB}w7o)%w~2XedPGHHaE<-~i8b^vm6} zVIQNcfmC{EdQ|^@B6|}-pke;0t#SHWZ6YLeoXo?>GWBHq6J4~cRkuKaoKkq zUBMNnO&kN8Cr%j+qQA-pB2%z5)v2YDULQQ#m(Hxply^DR3vYRv{YbWXer!19K!>KaGYu57AZMxB8{SdB5V0?ps(9dp zLkFNwrG-Ly2kb8}h_gdNM6aW5C9*n@ijs3+PVLA810z$fq#a{Kn4F31Peb^*P8Z4HAq|cS zJt?tYF?LAJ2FVuBj!)tluqBn6E|uo zP&KzEpo8aRO%0Qi2lL{>4Hc4?cAYdS>}kL0AfphhR;j23bK;XcpRIQ6$>m$XMq1Q_ zQKnYv3(o&en4@kLX{btlNl3K#eezgHH?q65%UO&MBAu>eE}5~2x|)R==o~&c>r0`T zbAe?k^8fQj<*>5!pa@l=RK*eJ0W#1V&2+_l1$Sxtcb?+Fch|($E$S1w-Ndb1dTzvb zGV|%%4(v%BIe>QlB&8jduwnl#AdXms`zoy1kdWTsAi@~nD7ueE-TiHZ87VnSe8o6) zI9A>?REQc!lPfn?LzhfUk}i%|$2@7?EM}lS##lnyxAmHiX-a37_9cawUz3QAjK~JP zzUM%n=+7$k!rIaa8~S+xh$x}#v_k-jochqZo>uA96&O_-iER#gW?p)Sp68xk;eSYk zOpk&>iV+%0SKo7lD!ij9F7>T)9G@-5*C4FapQ&mB{Xu;kZ#PN-LkhRwXm}HJqt<=> zXNCS9)B_OJoLdYq8jZHP3C&MTzkEui!}$wG!##mQP;@wwkei4zTyopRU#?g})G^&D zhp#9CCuH{Q9zaGxT`JxEVS@i@YotqtBT0u0uVbD%UlIt^Hc3L~b%v=?46Pz^exc)b zJxm9M@UkN0$Y)?#XgzHDhVQ36I(nM9N7D;=*9{+3?rVwvR24T8(?M9!WkrfD87-ZD 
zckmvOi1tIO)@%I6BmTdL@kl=Ki3`8xOI})Y%EJdn%!vXDdp(a&GxO{Kfa>M*oR2+u zmm?+ZZH1W-`>fvl(evc(k`Lrh3>J^2%ZsvEtHvgZkmg$Ei>!lEfbPExx5?U~q6u!dN^dvwu$Rm}C0w9j& zShA^04o);Lh)t&=XQnNqauZ{7*Lt)%-!Um>20J9-rBR25aVtN}W#BcP$n(?vx7J=w zHRN51JW#pEn*w-A3TU+?k}zgoSaqeh?9}l@V<@qzST1Z=;Tz)9D_W?C%E$k9dDE#7ukLfG}AG;K7eFnkS^FuiPLNe$1v?RO6QCYIFtXY9au=F-&RH(nmq&!>gji#v`k@jx z#}LI~lc=LBo2%pXvA&!=o}g;7*Hu$)8V~ zMr~2LQfPI7muQQknSM9|RDm^ps%%G-l5Sqo4xlPIP``63c6{2dWx!!mmQ36Z@DKL&gNAoB4=jf2iw7Z%n^Y@AWZngZH6zH^W2MC&;9njG)4QCa zzOzqs7u^JI*W)K-2{z*NXcrANO&u^*q9)rFs0}tLYWF2>F;ynS*r}Ld8KNmG%Ee*o zgW?TCj~gh&2?x@a z+mpnIvR$ql3ky7t7FQ=#ozlDQIjhbdqYmkoqys|Oi$LQ(Hd+>Wi(Os=a2Dc*3F;2b^P_ASGo2z8NXfUc~~m|p3KEax(Mb_QCmJ)m$X>QPCzFN_(@Qne5)9> zB&9ZI2#BL@gEj0o8aP+28{Rmosa(K2gZ`Xvcqt5#40Sj)k2<3ekK|}ukrkD;A?DiQ zKhUR|sl4>=Bl0`Wm@I*IwB9|6O}_+#dwzPRgFVQtrR_rIvHZwWP15D0uA9%$(mSsrn7)D9gPa~GI)n? z4mB8&b}*Z&GoNI$HllDja491KMdp;_RlHLBS~2Qw6(TDB=V+Lk4bVU>hwG+rD8mir*nm9Y+7fg z5NM>Oy9tR--^i)Uyv5POgUmoG=5B@k}+rU z2UMb&DWZ6yo_tTQm>x{qEd*5j%1>{gYY)h&Vpw+g$(W;^InGzUHvIZ3JDu=2Jx=sW zu_Jo)@VpvqQ$P+bV%fQO!c)8^G69Z0_BEi?b{d;c6qo0<0iY&3FW})L7rfd&Y;^4O zl)ysVRvtO%aNNpv6v`Q*P`MkdaA&8qr2%7@Q+X9^lPhD|{@p5upu6A^>Z)~-g>$_O zsXx=?Yzoprra~uKR;{V9sryr#uaP7i`6_*qD6VbQWF8Z zK%zSl-hK)QjE%erQ4q&Cs1h4?#hO&Phda*ud)PoALlHKXum4&y2=s_rF_ z@8uD&NPQ1#RyRKdgV`op&dVMXz0+>s0@fD|#`bPQQlGreuD zl5*0V!_xwGmB-e%WX>b~Qgh3UfP*C)f@Uxtx_ebFF8dY({ID@fQ!x$k=Hs81)GoYv zeqs6ftzc_6?j65k(-@L&D~{PN8}Yr>S0i3np$)kh*uXK zyUx$^KtGIBBEv3+;=-B|LV&{OPFwi5Qoyywpk-nBEl}vMU}X5U58z#LVKMvw|MA9x zL*CP)z?xK1ViuASW1eevF?@R8=Ueb|@f3B4xbms%Jkwcyh4zDNh@3;*9)R}~9Qu=- z9vk}?P^WkvG~bEFNq+vI-ol3Ep74O7nIBw264Qx8Se43Sm5Nj*O^O^pfS+=eKS(Gb z2LKH7#b5B@XWfQc^>Zj|1VPzIHzkeU5J^}fnKH3u@#F)7Qww1%ex6n49TuJB%+2QGV=5izpraaQ?c_|PW=ljce*QE8;j};j z`5JCX!4G;QAw=LDF3Ir2wmPhDiAhv6?6|mSaaaRPO#5clWEq)rHTZ(N9P1RO!QLV0 zz^KH~Z&-NFV!P1=NzS*Ox&6?d-xBsTa9mu&aaq>TPhn}yMSzdNAMM&5CZtt7=e-j*Bl9PqxZo*-J(g0b-~139%ev!3JpWAL z96Z(c)FL%f_eFr1VSzd~FsYR4`7xj3-g=sM?!@kE1g>kTOQbHgxTcMi 
z-d2Qtvge>(300SoN-LrzYP8cGE#^(|q~*Y8UAOzTjasgI;0bHyuuYd)&s{Aif%z&# zq!~p%kGc$gRvq2!&CADQDmSm7;Ui{k-E5@G$Gn|GSpP0UFqr-Gq`{_f0#&Hop_-A^ zL3b>=DzUdt!X|Zi=VsAj=%{2cq;aJF(%l>+7^a-HGP$L*2ONja*2QmF=L^Ngnx#8E zQ;Vs#mAeC!(V!Znh|Jjzn&XB;(UJ*_yf*jUkK%qXJjYDc*W8Am)|=;7>X&}ivopLa zi;g!wL1nMCWizi>l`rGAH$I}pulu1@@Y0wWDb*8Sd8q{kuuzG7Il%(OW8t_eU;asE z>6H4&=OJ^$_X(>@b-whq1S-N_sQuWd{TVi0{D+cZg^c-@iqcvA<0i%$_LP!dOP4Ny zxH6WrZv1oY5PK?lwh9KdrI8!<74QP{@IKgs)}D@flcs5lNyg(gEzKDy4Rz&g9Z;GnKadc{ zg=(l7NHrA^JQ=>N(R}Dt*E8+2uX0tMP$*vZ*_u;D9`P_(Ceuc1Saerom2qw+O(R^y zbt}IPBvA5Kit2B2V>_Z3Uq3zFyfnM7Wp)R#utlTzsXs0j`>q1yB)OAi0?_jI%%n>d2zS|=E3uByq3+UrtQX$l3ZL8H;9D9R}Vi!wOI68POlhK z*lYQbq@|J^TWF;`l-Inl>{2UN%9JFz2bi=pt#WfGZKDZw5QkBeUNn&Q@ZL8bEU9_6 zY_{}q9VL{~C0%YrX;DW`K0yE$RY7ZJXQ-oxHfv1mNrqS9Jr7M>_ z=WxFAW^E%p1noyoQQvvkgdh6TK%^4AhUHdxzYFAK6ps#d$q+8gy`+n*_VNL-^Pt>M9PG(I=E|aSMFg zblSBz{XQX>^JjKr@-tpL^M%4r@YB=i>B}@c2>Q@u*?ogoYK!Pv6j}-61ZFiuv|!SH z`YTXOjSX0%&l;b5f zrw@?sG^C45vlFjiVUJyRvrEWZg-17x{?T-$Wy-nZ%udEhrei8&MEKy?Yf8jLibPav zjT6d}!o5$pj)!TH1Y+fD#qpRSAnGYSSi>SX%md%*Mxj=&{lo6;{u?nOwP};Aso{I@ zxC2C6<>&*yVd#Tkv{}kMVV7t^@my^8N8e-u4-gi7yNn+w*$70arx(TfT>H78PaNi$ zY3Zx#j8M*e4y2~WQJh-{U!GQc40y!=!aP3f$EdBkxl#RLJxlH z0aLaMi+`aYrgo_%vzz40VFIt0b?EUOb>(J``BvV8QtaGa*X9reg6pLBdVN)7bBfOA z`8Yls{ki?u{?_txhxg<7u3UEe>v(qi)Af&RM9DPG8=c4uNr_^bRY4_6sKf%7nD97A zjb=1sMtQ?(h7IuTJZP-zsPAypD+vKZQ~z8;szW06+clESqDitq*O2J@p9NA;m7+vQ z4@)L`)}lPGL0Rts3{M3Sl|JH67R*=|OiC3M*U|2rHa3f)9y@JuAn$C?SOlq=W=291iQ~XfoBWGh^E}-sCgc;Jl63 zpD_koXZv->AFE>BrlklgvQs*BP~CDc?n~K($JS1h$N4g9KW{Er58&N1pV58Lp>nF< zRz#BIl&JipO0?#|Xb!3HZSNM?3p1KWwdnvvm@(j;s9{8b#^p@x6S; zU57a%zVbfv#YaeG%jSV_4?VIy$My4m?}_eu&5-JIo`j!0m|ybHwcs)&-xZ@T3o1dq zo7D$;?;QngLrKqYjx*WU!_1Z%Wds)jc*{f!UA2aHzIY$# z4Ik(dJ?DyN6fj{9@n^s00QNZ>1|43)-Q&+#KX1lhM>Vhk4}Bu9jcyR#Vpp`@PWCbc zLN##WubY~MiP{d_DF^Nl&@Fwc_zHf#L=cf=yI@AW-A~ZRZjd={FV1?jP_Tr@+VEIi z8ed)3aeEYS^a!(3=gWBW)OVp*KDbicf=}b^g813W?#j8!O{Q{SZ~JI}w@^WP8~AHw za2XexWENu=H^5!3#JZ44$-(=xvvr%@Xv4cx*F!oVjI-UVxiK9ujumDiJ(U%dF#Or%$rI`u{rID7= 
zI-Q8tKnqb9Hi}Cwsipp!xiFYkoPhJcetJ&Yqg+A)_)APA#snJix_;@O=oOp4D!5o7 z9*VW|%{%mF-C#!j0-4e_+vl@!HhQKutQ+n)vW8^%;%s4@z?C>YWrNf)H_AsN!W&XJ zX~G}2cDUD(zz?~aGAM&+8p9F{d`+cZ6A+t324RDi&ufonU>#+}zFULX-laU9Jy_%t zWJ6Zg^w$P9A(Kfqr)*EbLY1bX&)jREk>{rtj#naKSKz>X$^^tv8fuN>U{V-2QuVz= zEEL`DVIs+WiM^5HMij0GkXhyJzk69d7#h*^6cx;)7(KArY^($ug)r{#t(yt@ZhoZO zR+nlFYnGKJTtU{Lvak8F2T3-|(|ap{EudfF4#L%g#MrzZ5x}*kZ)rSz*`P~3%yO4h z@>Aomf{=K3SO*5L+WxBdu)ml*oHU2mqlyE=_$iVz%HP1dAkweFX-W%aIr7?Nqb@tW z;X`ToDoVE3uf1iipNed}7;(|6+0qzcWh)6^C1UvE*E_L>QfWf_{_LX-36M_W?&!mo z#sQL*?a&M(ASAlG6P{>bTEj&All=yOzbj~h`NsvSGcd4J?HFLYwvZ=9m^mi%KUfk5fHXE6dATA zE2kgBP>2K54bpxu)t%X0wraC1p%@e^%iQ7_HCximUZ0(-}UDXPC{&kD;cX#*ZBv* zV^=gByPXIx&`3{BzId1%et3JiI_YpD;<*~bwwMXdeW0Lin!eD&^>HVr5qGEkwRW{P zI{rPY>9$Z9R@WGw%pj8{PSb0FKiJx3X9dO{yQp7WIo?mvF#Nlv>TK~qJ3mxwP8I7J zJSCOIs$khZq{)hU{6kK@{Pg_QPes|l=-Nzih~($Ft@m)_*h7%LUCorirQc&^^;J{a z<}hY{*A^sL4l7Dq@D)_W;jL``N& zo8*4d@iTNhpriUp>z=uARPk7sMw^8Wc&vJMcvw0*JjTH`yKdUOG(H)|yaV}aEZx{N z&>6ZlC$St|lt*2#*lP|LUemDG1{ANM0B?ajU|VXz`6%HrS9>DSHV!UZ0rwMnYE;M* zXCCC9;YPD_DFAAr|C9y-HvzcrvJgALCxr7ix-;K!sb}xj{#nC80(D~gSQ12 zSoDYleJ)~nU_AkEh0dCXxNH)_LSd_QXHcR)FjDy<)0r=c9T8eJ?Qcmu{M$HV zf2o`1R*2frytFf4hfh|u+$73+;75&wnenw~$GzSuN(Me5u1#G(HGUPlrD4kqrv=qm zGIfnf*4K)s-<3@w$cF^*q7{nVrC-cqq-jl;2unVKXSDQ>0~@p@Zxov^K*of1sx2n) z;3@Kz9RkXz6Pq67E&EJJ8+PIJ_35tykZ}@*dqMA`PY>K?$As7?PlGDJ18mmL549|G zudjykkj-7_01gmjsctW36zI39!~|f#Z;%+w;mr?x7@cN{IaC1&@)MM+3cVGN?>Lve zF>>e=-$e(%Mw2zYV^xuhSuOVq#$1}Gye?Qt&uyw*nF(w%mqSV-$QQk<0o*!t2R>(? 
zCrE=y7$6sY32T~8k{&XE{@qlzkEMy%y0>)dSjk6gy7eeJjvjsuPkjE}B>i#*ny?B| zt|ot|z#}fLQ3NaeXlY%#_xHJ zaQoNqVYZ?UXN&OdY|=Y?n^M*nRv66xXbmC@99FIYe@#h=+{P50(eJvcxnce0@ryDS3j>mV7 zy2vE2ZxAuZf{F?ADRc@Ww4yjyPC&w&$C=cxx}9YpkPWS)Iy0V$2G}v2v>ETX72BHEOb_j?)pqx3w>JsGqAwt zOb^ZVVcD=g$>nNLOxEnH%W#N6Wgu0`F)es`@-@tq9S%fvq7rQAQ(PrIfNvx=uCx?x z&l|!yHPC`PGO#3H_KlvzUMfs1PZb-RK!u2shvfHJ=i9WmRrxH1>MB_txGv~DIMK7Q z-QxHQ9qA;HBrCdnmTZzAo1rCax(H7fRvNML%Rwz~#b}#ETz~Jk=cD~cBe4}S^8q4* zoy8>$^tl}68phvhy+@tVTU(Y{dMn{OL1k$ee*z?sQX|}%jV=|x<*-vKpcSK?@~>!$ zK|q@LP@@bb-yjoPH~Z@k+#6%gho85%?zI`b9G8|JG3Bib%Qd;w02o1|OJljF5>jW8 zk?*x*duZd+f;lOxUOQeAPuWLaDU4RKboM=L`Vupj*#j!dMpXLhg?mk_5ULNT7=AYK zksxy%2!~`zi%K{rc`ma|ALPeCYktiHMePjVP-d7UE4(hv_yAb=elA@dU>?oIjxFXH zBc%@)f^M!rSm1!)za=!j{NBDi#i;YTgv{jqenr-qqBus_r~$-ihTbUk&vQc;bJtx^_eORXAE`(GE^Gs8X>Lz6kqS^8m=* zeB4RK6YQ3WKQsJ@J-F z1Kjp+1SX%SNK8zie5C1=y<(+{tO@UXnmh1guj5_7ctCw(_6TX#3;E*mT^91YKTW%8 z7w*#l3dLwd>0L?E?EsYd(scUj5Zof>Am8BvI`aSl&W&(Vr6Z~zelmMB&opc@bCps< z?u7eROpiTBtYUt)t~YBI*DZsaFYc@lS;CvF`B5fxT7&8YP%kv+bHaBrx6M(6R`|aE@n>F*6w)MdX@# z%d`;F25+K`Nnm`BqwV_b)VG8~@p=|LK!RgsJQYbvjLnHx!Pd7&QASJzWf7A)>f8+1 zHMvE*Q25p&I_!dlJus_3L6^5MgW|=xn?Oyl82nVRAK!O-TsNpyHBnQ0nEj0(oShPvKgNK~d zSeJBdJ)z3jScwmDpvHBQVZpXXwlifI+Kh9O;U8GT7YZMYac+JmXm3ug+7YayD+@ zHmUV2;kf@OsliNE*xg{X*?(vgb*vA=`=k04y@A7Fm&FwG&{JQY#K`@30V=|k*!-`{|;{_6mF3?n=hBh^B)$uTm7 zBz$xy&BlQM&uXv)h3PM!f8&=*5%Oh7+kdgY8#1iwa4j+MDF#Dht-NRkJv2*f@rf)= zE4XgO44%#1+U<5dII7!7KPg(3rvd7O|7d2*$%J0eZ%#n#D-<7IG~*$H6Tj17h<5R> zS$F$7w+VFW?FmC&3_4!hyi&9z45i1M|D$N7++8i6)$19_-n!GlA)Y3SSUj$qBQ+U- z+K2tbv4sJgBgD}&wNya`ApWdC$@g~?sl!N`r5sri^_K&;1_n;&p>|XTE2p$87$#xI zE3Zm}vb{i;=j`F%cqo_&1jmt_4Jk8$D={{ZgBwqEit*5Dw0vH!ixxH-2PGf6KLYa_ zQiqi8Sz*(}Be`!04*0fEdgI11(i_eVa)x!(HrFkWpPxTHCVs>p^hvFGaKeSSQtM1| zb-{%ABUWZ)Ww>tvM$|>_=-&!xLP?KvQG!Q8YBCz?DBsaU_WN~3_dJ!tg=X6*$zPo{ zBK!m9+f9uKFZ+!MuYos6v8^w&VWDPS@tHrSh9hhyT8XH_MC~MgQ|O~L%A@nOb~3^~ 
z<1jV_s0?o;od_#f_3rWz_OC$kd}c8H-GP3c%SJD6rACvU30G`J>E@CogBh1(JHn!uS3r>X4p4#zRxx>!@le@!7Kcxsi$GgUjoQ*r9)Ti;Zh~Fxcu18_gotYcE-tI%1ShbekwXq z30JblsXUIRR_j|~6TT7Wx zj((%|x3DHxFAnr^*T5{4blquiTqub|2uUfJqVq+Nf3((5<}iqXbM5p^KHM&me*ee< z^~|@(uGz~|zf~$wmtm4IV`A9y!7~ikoZ?v8Er!eAh}9)dvz$Yxpf_tRGf_Wyf;0<=x940^xwzui|QCpVDU*o-`pebhAT>iy{&6P(YJ z&t^0Rd92Ww;$Cu3vv^TC4(Ev5g~(#?gX3Pp-7QrR%zr0~BBGvh_>+ZDt1V`sa2Qkj zWh&$!pV0T45iz~}#7)4}q65Rum99RR!-X}NVMqqwVFtMI&}ok$MSS{s*~n&%6?}8{ z2=!)_h&Ufz3o(eJ#XH$MGY=kfHJ8j}(eX)c2;3N8QQLz!#K8T2WfqTjhz$H#q7hS! zqV_!IW~l8$zGdDGOnzx7rOts{ipA?HCUIP+WH-xdAbu20 z7p(9zVlTn>3<&nLi+U&*^AEa%Qi$2+km2ole?ZZ z@g*cIViRRozLPfp`o?^7SH#U>%B9RR z4KhVMbxpuojyt?h`c)r{9>XH@T|Aq5%|B93w;I|BPF9D!*EgOTEks4&Gmgi=Zippbud#1cZXa^`v4G2NJSuGbw)f88;LJ^^PQ7OC1^hV6@W$#gl0C0ZU; z>wARB=Ya69he;RtQICECIa%kjEuHo2__f^Y_YV6|)~>1LmVc{_D}t44=ho(XVv0zy zmUUV6pOo7u$D-d7^5eCGGaz(O^Q|N1J^?7+#%Ds;v$3(zN&|gGIFzobloSQsPlft6 z;Gl1R%lzJjW;9D6CHakNjf<*3P|k!#@$m z()m)ezVi-?7uxTZoz5xB)wXRLi18~b)aR@{w%G%9JFlmy9iEC6d3D|JExJ0vxzB8^ zs&A8$z1O{i*9}b;=MIC*8uFIPhKa24KV{(IAR_%5o*B4jA`RN5_u53|o^IS=ZLs-- z?>J$3YVnD}J?`Yum9n_J1I{IB=+OIHy4tTfj4OXLmcqagzc7@TcKhZ@Jzn(h>3~bY zKfT0+dtbliidH#LF)NY6>lwohE_k#AXK(GbMR66yP9AYzn$wq#m0ZKPKMH2i{#iEvaBZienvd$QCzxp9r!)d|VmfX^S3^uQV>R zyx4wdaliNZ4hsp&PIRF$9CWJB#ro497`l!8T=a~)3=Y^vgki9h>oTT1_tBT_Q`r^v z+49a{h|cv$3bi2^isnWFYzw}{7tJ{O1(Z^#^Q%)~CQ)wZb-Odtwny41p!*w1#{J^D z18lU5PLYRtO#N2UG6z+%s&|Dq%ls(dXXnX8Aw9sOG)GW;IP~8Jl)#;sg z?D=Z&gd|mPq;7`-Wd!|&v&o^|=3HyvV7gbUj=R=fQ9b|Jtz@g;Dsn}o`aEs!9dVpr zs8x|+n6O5EsMXki=VIccgT|ENZj7#!UKnxP{ae26+T~r44m47IR>9N%3_oBt{G0wX zSM5_R;~5tf__35Eg4G(`TaadFrJu5bRBy$HzK)FwtkJO?=P=rQ6g%RID;JPa`v`=< zGqp%J!;jz_%kan%ai;_;Am*jKJNab~qB8mwO&CvjuWDIlq&H(Odq|~f|L78Dy$e{K z&iK7U7E))ixw%gdDohdb`levhK!_X302vN+Cr;5}M*tsioeu%@$yKw-;Gl;z+bt}` z>WWJzBL?aRv)G?278W1&gpCjkwaZuOM@zZ03dnaNghb1>823^$y-+I?pAqD#cWq;;M@MGrd z_uq1*Rx%?tDT|EIi7#<;f~z;Y^??wRSPqR7J4&htCJ`ViHGjUNsFd5_QJ;=+9rzVB z+Q)!#TH)*A3P~Q(r$HsCu5^c=AQOAM^7Ov3MQ`@bu0I`gc1z{8Z+TTN{LQ?gcrkOX 
zJKP1{%rs>?!arWhQVn_-INb;JnUC4+7<@gu87&UfzDHv6C()1sOfCtRFH4l*j;nY$ zRo)NtU_lQc68A(mB@T5kOJPfI`}kvIRC1M4VFt~PJTixg=Q3FbQUCnM?*^_u%&twr znY{vyEpn=#Mb;UrC2-T-NOm@ZIGjBU#q8QGVv8SvGQXAl&%1vWRC_kKu4YmOq#dbg z=a;*5TS#aY(Dqkry28s^)uBv)sX+JgT?Rs*sMcjI?H`>Exc=y9Nk?*t*1#dJ!W$2_ zA(Rdc@PeNcKgM@mPy1NPjJ}FB9k2ew$=Z~J^=h5paNp5K{=_be=@0sos|f7A{f1n? z!moFD)=o#}`HN%#oic-TlY?EvhN^08g}Wod+<_wTm!adsz34?((|5c+@Flg~~P z+^K-VzxlDU4YHaTP>2Z2XTB|*r<4bo;tFi#2R!-ENI-6IRctSoIN>xLXas^XG2f&% zNs`hsA2n$U^9AEmh0nNQ#AoLI+mG5vZa zVk`~)XlqAH(+eF*6Q)7pCv}&ILLq5QpH!>;756{!o$lF4nP@v6JS_B_8M5cfSueCj zT8;#CR7ZLd9wJ`}*Y*q+eO$1bOQmQ94-9&tr=&A{xqOx)!+8XA6}p26L1g7#SwjyW z3SjxzGNBioqUlh6e?LrdZ#kK*W2&?PfC4z=dw3Z=+*tkB4gK%nVI3M4XCP>nowRc} zSPApOS@t)5uiKukmklL6)AmTHGwHf60TH7Q3Kr)-{#s{$azpg-kBTR{3ag8bD&8)3#p)0%8*Pi6Vdme0FmmfV>kg}1E z461g7&{-HNnQE5p(j|*G{&Hjkbkz;3jcGL}p>%r>x$1M?PEJ<*TnY6*KAaRY;gdyNU&`V3FM*}0`D(!2KBN;Y!jf0dIY{8`-;UaFMfOE zQU4kK*8K&QQp_S%V4B4;wML^8KqME=@ zXYGZ~8jI^O@xTm0ovfH=w%}QRgqX+^>*y6gkx!lRCofMeYks>cZJ@*7XdnM1FRXlc z_G~?pIR*s3n>n5Z0IZN;y={Ru6@yzs(UhJ;c&n1b`Guf8Rv z@X~q;t5@^bVwqBF_k-^ZOj0|F*GR=(h#sFeN6sm}BiE`ns4gsO95!1>_>cd-VQ0I; z)!>I#bPQ~C6|}wbthFa*6}Oy3ZN}qKv+}r6)IFbhyuy}U@)6I|ylDzvl<+QzFDkGh zCuPzo3oHNcc&NfzvVF{vb<{KF&4`3>HnfIs)#`3;ZimiGtCQ?(x`||yJvw}OCK4>9 zJ!KOFodgNFkA#($bOw*zSc-O zw8i)y`#$14@rZ4%8>ivz_i>8@*)jTAZhKh9+lGS2L$PSidmHuN-w@pQ6mAV0r)oe_ z>RO|@R2-T72F$`Ea1#YvX2C401GEzSG$MB3Vaq%_Vq@CKaD82gcRoXig_VQ@xXPP$ z?;gxIb^r6#Q-jYiWhZ;4?C}-)V;@o!ea`zn|*$N>k&>5G=@J;WGaUt z;4ipAzeUB0Cj6BOP3-i<1-G ze)p3t>^rPHxdWbW?fN-MPl zXRtwwpMBkv@f}AbTx-gB)EcCfv(|Q`h-`+|ilN9QX|Y-NjOsPf|3h2oD|?f>F9|1h z56pN8yncAmT)d&N$_i!xbG-h-xUijO3avv~X5>)k==-FJ^H2YK3WKJlU_7i`(KzPS z>mP$jBuy6K)~&Q#sfeH*-(Np-$)n#op z7$bsIDTc%j?7ERJg2vEZ8LC(FrhOzjgCUgC9 z1}={8Z(3H(|DN*4F(VU3ufby^D$VDb$lz)R#!g~62D~pAApdWY-n%v_P@(dOQBXT5 zY6;La-SSgwBO2}4PfJ;{`eh&x#PZZC&OQ8Xo9wkS&jzoe2>iT3@;R2#Ps%L#zbDAw zP@8UTx-wI}YN_b3Rr(V7K1-4H3va`d{2ZcEt(?{(jzdbh#owy;f}~U{1gd8tnJlx8 z-WJsKm#8L%-Ei(cj~h`T`rT+h)g`glPc|fnQ!lb^>J6%5 
ztBv3DLxi2`ai2WD{^`jUGhr>>WjG~dnMpL^++tisUQB2aEuwa!;O!9vDm*yadXW8v zfui2$$h5Ti@WZt7vG-=tVyAw9csulfwrIz?+pPc|@Haf%tlRYc-~pfbtzd_IvKh;< zM|A68`*i_Btl>Wr6?KZK2J?>%_)!5Mfj1n!y@0MRqy!ImO(ZEN0z+gh7Hj2O7P>@= zNV{Lq)O&?BuEL@vl+LpbUPnX4(W_$3FiPiweld|0I&u(Wsd@U!Uwg`Y^xsz~M?vaq zo|1m%?-a2jBYaz2#+dXNx_Z?<;bE&~5pt@#LhGK~t79kiuFEWJV|h=E_WK`-y`Sb~ zf4^V6`?kc>$0}bmkmu0?dibusz%fI$TK)^}5iO;s84hJ}zC*G33zo|RYw@I+?WcQ+ z+ujsJC2%?EwXiX%MDXlC2961V#@6|pf>8D`M27|Alu9>&-R-2;%8CLEC5*g7jm#+n zL%$Y`tg{IISva3A^J-z?e-;{1z+DwucMO)qPB-@#K`5aPpG%-#>P&yJ!}!8NDnV_X z*neVlRzSi_iB4`vZ5J-v&nkp~iM1swy&Bdgg|+o}mD<+H1U{+1!$JjPLxtP3xo4mj z_|RW#Mo`HWX`7(57<$fFhL&q*^tFzg|GGMmOa-) z$kYv5C6bSV;%i@_pfTrzUO3D$i+%0~+x;XBe^&Z=Viqq(_2GS}WDQ+tsC|MNGloo_ z&}()7C3RpD^wu*BR`PCDaQ)4YSI?ih0LM3Xky=l{=S#$4}4z`5;H==yNMdP?i@`d z917Azc|(P=D$;b=8f93dhHTRM=vO|IY%WT)bwlQ#K(mqcyEq?{0N3CCQ1XwW)*su* z?7#I^7o{5t;sw&2qP6i$`_Z8D^{(d*Zfg!sfcPJ6)#U=;P>5MBMNw#Z!esPo!ix@$ z;jl^dSfbW=;3MO6+qR0BOZOCXghX9ksx;2(^zP%?%IEJp$?q|~X{L&NxOS{Wu0F%J9}Eqd)xXz57UuYLq5DAq)OH11mOj|6vkCbDd@ziraU60qLRZR_@Vg4 zRJS7VZP|jJeAH?x@L!gLE5sm6kom0@iq^XsW;xzeCN5TuiJ(77f-CSd$;&byApH|W zfNjNjBUh1fRKlnMl>1uI$=7g#~uI z+95R;?hb=wO2{9vahm$Dw-~6p7Ik^z59`E&gDy+7l$Pyf##2z;11kLI6DqFK3fNk- zRJjI3W$xLfQMd)4E_2XL_pC)4Jn4tu(d`$MNn-BKBiL_q7grR13)TW|IBNu>rbcVU zed`cqUrLJ{Z;xgt(j=H}6|)gXrk_n_gibz=XUYy-_@1&A6&%Ak$t7(I)PwcF+Qb!7XJQ3UW^ z=h(V?C+2fM4OPxh5u)1Bp%0+1$ZuZFASj)QrA0fMV?dOon=KHD&H8X;{cv)GPS>gR zdqhEiE_=l(9_+vkj z+;mV8cSR9vPNtJ~lQ}XF*Hz;5ApAyCp(M%BXGd00)y0J+j6qu(^cFvU%S5QQm!yto zQ!$(-P%-S}A;+(Gq{IW-EGi<%h(FjkRaL`hxtwP$+uF*se$3Od7Zev`n3rzcOL{<* zXh^)EY|$+kp$si!qZKwNiALNP@8I)NoGKnHMD1&|w}k@K<)lLm<4j;U{^^7E<8&I$ z!;cwD_Vf#wsEs%BT1XF4KrNuhinZ3H^b8RYBdeccq5JTrlnoZ=_HF|5k_Qk&utafT z*^sjbdw!?us-OOg_TC(d+t3QkM_Hz*O$OO>;qZrcL!ya5w)AW`GN+U0>!*SSLbIDx zO<2`x*!RvBo?2Poa7{2Z8rhuQ;c;BzhBLkFrTm_wPZ@)EhCT0OQjzNbE*aU@NPRFNfOo7{`5)>Qss@rp>r!jMO&yx_@8uPYEvFwLV zHH|hbqc$lusCFowHIM~CKM%%RMt2Z&auA*vWRzZion164lKIi0G0WiRbeNgw@z4Uvu)5dQ9S{E+LoZ5JccfcY-8h?g7@8-|NND{!&?JCDCq> 
z7-POdjB}SbU7yNUpe^RTa~DV{zZ9IRkQ8;I@X=8pgFRxK8j?7f*D z%pq#BSeC*8RdH^({I6n>#RaE>q05Z$Y+k?Yd!vwelru zntI4pi%2oV^iyAhP?=pl^IucSE<;@W1vbyEb7F#r5{MI5C|ym6DzV2S?5&Sz&AzO1 znrVFqX=O=a$eRoE=Z$RggS5u2j8Y;Vh#AxaCPSjq)m<7z5s{bA{lhhvV-sfGN~T|m za76BZ6wc>%&pG8yqa3ov;Mpao!SY7n%6ml;d0O7se@aV>F3en_F7}2iw4&$mYq06D zq#ET%^81+QB?3Jo8^!u`TR1Em5OYdi%%;cDal&H-gV2wS_zbYAqjbMvr z;!_Vs?%UV*_PWB2-~L4fkZ? ztlA%XB1#s@h_ahQk>1xYALmlQlQ;ft;K=zr$us%zDl}iQgukt*&DS${>iuXeMSJPU z5U%WJ!g{6s;F+x5(<>gOM!+;-wsMl}F~5Q50JIW5@*2E+y7Vmza;j+v3;xWW!~3NN z9D*v)bxBL&`60Vp&7!#zGGlVat-B)$a4YZ!JG8(41=D5>jrbN}o9CvaQI`)*Om$th z%Lzrev{x+B)w<1{5O!zXNBYgtMZ`s=Pm|PXZ*vVYuLZD5Tl>T(*+_GBv!jvi!J~zZ z`%^UDGn%I9=i`nQ+nuQ(9t7~T5*@HTCMw^7Gcyl4*u_UsNj5k3WpyF z{&@K;es~s5T2R4s+%5#Ce*Us5zZ#2mx1B|aV)~Jp))aY2LG@^FMI=d4S|drlto*eM zF5hC&w3@4QvfXXS|9bCzGeOV`03zMy6e}y5Rg3ZuI4m91qjMgvzT?849ZVVlbTz{b3kdDpK02IpJ+Vo&tot*cdBWI^&-3c}U&OC`iEL!vALAbvI#QQD zNovH=S}hs&uTyh#3yp#Sfaf)1JVK^P%y|ES*Hod621DH&5!>F#)B}vou7C?Hb2T(% z3I_gL6$ruh3*BKfWHErh@!&X3)Jrlv-BmwZ2v{xHr#AnLH~$IhbZH;iG+Coy=}00- z#8O|B)ZQesK2blHwSK2>p!6mGLlY>szm_LReV{wCY*WGNQuL6O8>e6$WzXoHC)Wtk z{!3w~@{jVxWa=qMXjw(tS*r_hz<#a;ZoD4pgkaj=2^+GLU#6OhL40V^!^JoY&Z0g-wUw-Upf#T+`=AC&6K!YAi+Y zIy1RW!`9^2ntf`X_8#_uRQ}Do6lAzkSJ3d7>XPN{^NW+@_ zC`C0@>D8=mTpcVl-qNXn4GF!YoyzZ&O7<&OLAhccGWGTv*HckupTl99EYw-VxJ#J2 zxi!9o{DH6Cl3^ZWU$zPPxqcbe$+NRN>OfyLeAcRoZnH0e%~C@YmyVCr&(pHT6tZEB z?Rve%0C#voj8ukadI$irz<3LdU*giW$?9clc?Lvt`q>uo%>XkRILd1ex;=2r%-$TH z@*aa<9vxfd2D3st@GJ4=Z5cG5+fqEPx8YwBTHIN|*Y|JAX^(zb)@^5`XN(7ZL(+s} zQP*NH95n52^|yqv zS`8WV8%d$dGik~RrB}*y+IA1bRXSG~G^V`%>+>7QTn|s*X0B7U6&w0`-YqcnndNvl z-i_KFj^0uOP^+{tLf%{(NO8KYmSWbP;);(Q&D*Jtn?@GETBCRs{>jPpW@Cv018>>q zi#a8v=P_!>{lG#w>BwEILYm)-{&>w(b>eV}?^TR3jTL?(`>Oj~av*`GzL|_dqBK&qZGft94kP&CCo?si;-#u>!yOz} z-M_$S-VaufEfFlAL?G3Y{80Bg!71u3-R-w*O*dACysd4Tt$u1@a}-Q~SswDZceoaf zjHZzhjqnNtzZxYnEPx-l^kH-B&dP+C(XW$P>Q2dMcIO0e!=c7Vk*}M9^h9es!Fk;u zq+HY@7Mg1NdZ@xGE3zW`rVlTDR!2sG>P&W@!VPUDSb5?bjS?(PH2hUOH!nr6@wji@ zTzfOvQ=N6JP1ME2-G^>5v+Vx#<1clpj<3@^xh;V;T83eb 
z$<5u9G9rxAxk+XYp-^$1oR*Q0ayw{AvASH<;3kN$Fp4`k>chbE=-^RpZ4x`lqO)KM2A zWSmEJ2GJdd9k6O>{_P;sIQTazKMj$Bp9JA2WfwuL3YQ5AulVH4qA zPs3IV=6iF7DrCj|L{Lc(^0{k*I(|hDd9R}3|GVz-6+OtUZJHF(vw-)BqgS_2vY|`= zR%1MZ4PLp2olf(@zJ{sHxNCO$>3u#1xa^#ov$?bIo8bQj^U3-6;_R@DGZz;o-i-Zr zize}dE%=<&)r63}tee7Bs$Y?$t4*~~TupC|3W=N;D(pA`F(x+D9p6>ygn7e>BuFXI4RHKgw^mA+EG^1fC_MY&` zRrg-p)gaQR_FT;e-{gU3=Wwqn5z4#4XJe(IXCs?}pAj#~qKw9mG;cJL=~Xb@HLh8! z$jZGIqw}wvOB+iwrfSmSysD*l_k1we_JVP5xZ^x2hY#uDm%Gxzf3eM9RX}`b)Pwl!hrwz|Z1!QE*s1L<`gs>Mi~;;uxRoi^v5To*OQyskVUS^t7@Lmw zZjDI2PJ(-lNweE-kMU0dUb|cNE zN8#YNK28s11_CVN6ya=2K{SkLy2VCc_}qWL>Xq)Fj@8c{ z52HM7TC=uItiJSb;^kCWU?EkZ$SThiB^w*OZ(y=mV6J3Sdat)A;MEhce=nOLPV+)ql=N#3I}{1XuR$ukPbjy|li=Ca!Jg z-<;{L6_FrD6|QtcO48-|ukgr{kdp}&tq5&KsfR&5wu-@}Vc9kWnBEPI-(H{iwR$9=^-KlgYY4#{&goznq54hPE;Yqh1+~yjce9< z^lzo$cXhfPTa)T%iJ`B8Y~*nMMb?HAk}dntsF3DLk*E1f!8%g%6*VcJ$%`}+%I~Tb zZL2czcHxB6cq;`bVC2+m#g|T!5-;qQ0Dru5e#dm*AvOFcXV&1BJ; z1ScyD3^NYp3ZXwPFL;#(sgX-mjNojstXtBW1@LCfx?egjYm;jDYh7ygq$sw2RVH{) z*900;Rznqp_lvngqAP&CH5COhajZ_)M8#HcwQT-hKUYs`U`=rbjsMSlK0| zX*E%3J5q0EXY2}~Fqg1q#(<2L=T3*wvd3)GX~25Qneh01ZWJEkysyrr{F(KO+7>-? 
z`=yOHr|E$@1zD?7PxZ5M`A_bIn2&L_4DrWtu;#6Pmp!aQhwf#WH!t-|FLg_CFD@-F z7p`?P3Dj$o->jJk%bW6=Cz%FWHQYk~;K9Mf)pS^Zog{1)^~l8!C6%_{lXS|;3IyW5 zREFLez(y)=;_TTWe$eRuU_Tk@-DFK#yI1U|Vw61^kLw8F?Cq`n$^nNIM2>*rekk#5 zbjA@6qqM!0Mtd_)3y1R0f|Qs1_=zQUhgx z9D2?uaWuXCvymVygI}C$>|MbB;mW(NRO6Q>7_VH}_!1qMJIVGNRO~#noGhZl&@d5k zNYr(AeY{YvS~`@@9!%ySR6zMvs<}bH!n=gCNR9IXEWP~rFM(BSlv#4_lPwVajW(pr zX>rhBi#GZYlXxU-b+rAe{PX~xQ{5B?LGr`Y5eD;jPmt*4^~#S(3utN=WPu#e-(YhL z|MY}~fs!fftLRD&qzx%0m)Y$u7azSD`deJ+xN~!#^6Lq67|RNF@J@}V0US$c)g`n| z)X`ek1>Z4!jm%!r;^~7%*>d+#Qd#%m0Hu9CYO8Ei3-F)={%GK2Xs_Ft@hW8@qs6l% z!fGq-9B}!)iLFnmd1wfKK9sFkfG}LoHm>0clEwzH@_e)~Dy)d) zlLm=xJ4wMZrT?qWW>2hO?_F2@luMO#Ra3Nd>3m_qy!g6z&oFT?bh-xsH^+1i$&t-M z75^Cws!HsM%}RAB|3Kl-5G-1;Xl%#m3TxQInei#0yB)Q1?EA;zg&XN?*_L7r;va>Z z<`!RvwsU1%bCBTh`3uAmeMqQs8g*mDz%dmsVz%^|4bK)+l=O+=2(v~JuzLRCV7Q}T zy~>iVUy}%ve8-T~R`Qe#$1kzg%LwSP9^@xjQ#A$?)n$MACtQUJz0!dHb*8iX>#fN7 zz~!mdqkH>G&!0Nlch!~MZbx)B&4&|K4A8{hv=gONl~vz8h&Cf=kaxlio3*{QwpCDs zQ58*jJIH?iLvHLYXtReVur%x)Dxc>eXB;n}7%cQJ_uBpFs>ZK6{a&s+kV|eH>j#8e zvU;@cG#~pj47J=TG5mo?gw%`aJ?t&#IlL<#Uye|+)_M;4(h`pN%mS>S%SH2!@4|!` zG-CgE z;MVwe4-GXrq;J-ooQWQjw)`NDj{tYf({q8HILfLE)Thb{-2;rKbzndvjkG@@m|XQ< zGA*-b&y~5)pH_M|SU?9V$*?N8nC55xT8!*}PoE`acwZa>Ax@Q$GCw3=R+&qBhF{}K z*%kJa0kD|oVQe_-RB!bc_Rih1_&0Q*yTqL?1L^bTe{;x>Z!=RvpR3K;Q{;9YW_x2JiORip(jGJ?-0`HkvjybC{{61}S ztA_KbQa(0LzMm@mYGBy|r~ZAeO-1CQ?m$~(A57_6QuG57Px!I6$otNrHQB>GUHw1x zMBfX(t3PsGV<01L?Zjj+xA`Wv^@2;uZ0BUjM8iNrBqECn-7dm#lq20Ak6%<2hmmsN zduUR_5OyNoKbx42MI$Op$a-FFTGr3r{DBL-BhQPY_IP*A`9$K-3Y{r2i*PEfL!lP+SnK0jQsc#o&ZCr@!p=s60F}U$dVgb5{%-+(fFkp-bW?W zMk%v-GjRS;B8)S8UgMYyKe=uSu6`aK5wE1LVbX>V!`B4K^#HApm6!&SW5S_4sCjIe zs>+3r3|M^GuczEt<^01B-d1QeZVgUvpOb6jr-TyrUr?)|A-k-U(YDaP-Eyw+vJ$p) z)u!=EuaX2N%RH1$S=BkuPE0^1*GEavn~e-)hx1m;r)tn@ zDk4Zn2s#`W}U~3oJz-L2sDJ*xFzq`$je2n(exC{I7 zECg6zj#`$&w{;AwpQgTE{~NAHPYGkNz|+Ze@TKdEoq4G}g<4j9Y#pfNPEtrzBw@=7FIg>E z)5@-feoL$``!FJ>pYNGZo5?=ghxS`$ujX{IJH zX+lj5^Fm<)%occP8wNSoYZLxipWr(dh=+t9gh+M8(X%{LFT4B?!cBYP{`c4U8gUY^ 
zSI)A76C?&chN$oxqk2h7ai!}Q5(1*F1B**3Bpv?uZ}rhD#`jLP5c#D!B4!U~*tiQ& z*BlzvXU*|p1|7}JTsqBrib^B#tQIqdw~CZzrC5S30#5i|%+raVH-$%Ds*0Mex8pZB!a}M~?#jwYoE53E@LyDw%_~5jbS{z>66}Q!VW{e@!&YUa|h)1@G5K zH-`_ZSFG&d#w!z-E1Mu`EmjT*_t8E_vAf%N)2@x%|HsrdrT%M#TaHX+W3 z=;zzAh_E`3?VT9w_Th)`3SM;$cz?uDc;qNrt-f=Vl2{`fA~{Dw00Ck|ba^l*5);h8 z<2NiXOrd^$+5-RjZ|S#z*=L4y=ad%2(Z16 zBsx=8xpZj}+(YRAzOlYIOObCVCtIsgMM7NZ**OaNkb70KfhnI({e?e3@iQ@|!G{Px zwjb|me<*pwA|mWgnoM$rI?P}IeFt7EsGKpbe;w#Nu?h6v{pw}EV&gekfVik1RzAp& zwjanXNDO>qJ?fG#RejfE`}R5dv2}G}i$q3aq|+Z8cyd2Yhg~?c<_xR(teO{HBXjY~ za8Ior>oirC^tWVPOg-5yX3Wy_VNE<=S@S1F5sH!RM4n!nM2eBy|9bC_&{UJC%;{!e z!pq$x52xDMDGQv#I#M*9dl1(JQOLj(Y>4i!x;ymbt|K&jp{ZNY-ua<;REVG+8})at z1FF8bKwFDOto)>XHe>N{{IEk6J!o%nl9Xt>+Ev|n#AQJY)?2H>sYZ|O%(%KY{oq?G zw9rno#a%|KBxo+?ps#!6aEY9qLpUMrM9#`nwam$8ZJm1GiD9t+v$MPU#I3`OU>aq{ zr2P-$ncoQYM2YH}VbC=Gf}R0l18KDS8e}D`NVNLkZd(Jb%59ItO-fnLwH1-qPph%z zpz{Z!XQJ!1kYPLgVaz8w&w5mw2g&cdH-n1YCr-;JgvZXh>g^Vsnq92x-(1@wyL}|;Z6($EFqoWDj_ECtXX^_#r4Uctq7<%3BZB zj_usON_|>g8fPx$^mxa^spOU2M|!SB;}|R9fK%5YBQ_V5&zMnB)$_(dTG@^jiNU_~ zTV4@5E{nV|%UIEpX zB3uiwT+Yl28}dzG=96W4Xe^P38JL?3CY{XVCHGwMT@^(gJjg;mUT@DjTtN{P+3DX#;1{D#-08n{--S+>rN$bHWRe{{tH?rC zj|Cr+!Ox1;*hjzWN=F=1b^ya(OqE;AVMb!}OX%>!$p6ks{gvDD!{th z>#>_wEJ?YX*7Cd8+}wwP3eM}}+x%1taFylE33J0mjH`2v2==oNW!FIgq0RjEmF-)) z6j$sk#A)U%X)(CIXVy7t)KacB=k##(&JEqmvpKytbsovX}n3hUS+d2aF6 ztPN*&-&|$)fgV{j$4qdKl6_1;xikgqbrG<%&9Dcm3`~oVsQq_Is4X-RmN)AghA$jF z-I9j0anHpgW`NPM%g_-supXbQXi_EEjBW|>j1g}KD^i|oGftKBj$nBSYNUI0q}L-U z6kxBsy<0y-1qQ+8Q28?f+p4nmwG;*wyTpR){%#xM-9&Rx-E+UFc3o&a(jxlFsVN^& z--u!wVlmUTw29-xreMmgAmeZNAq%qo%?D61-N1OcY=Yl;j(V|SVro1xyfy9kc=~B; zSMjpe9NxD9BUP?Ay6$Q6>F#}{sku0O`Iob|@N-_1FSPg059{Fy%);F}$w7pl&5aE^ zv%U4oJEo4Ubl9>o2X$CaNR-lipfW_vPtqDK33AF>3wQ}DpX?6LB$ciatDikvgpg*Z z&OE6_xFw&(5())xOb4g?0tG8>Cx4Gi&$(k`V)*MiC&oPHR?n@>b0>f3f&dEnRj;0C zxO#R}wN_?_D0(Wb44?E8?fR{jtQL$<6R5|jfRTBo`F zUGYKU)8BUH#fDG~P$P+di%rnRi@InCebi3Wct3rJ+nSicZhyxC|37~cA41W6&6Hx8 zD3E!BP8CsI=E`lBNq>^W_{GF&@TO94%cpl<8Oqp(O{N>OQbB?pqy0`KOL|OjG^e2B 
zS&GCrGh=ZSImg%Q3ipHjN=!1>(b+jN0UaVl$8LXxb~BLhfsU9L0b6gxNv!C=K0b!Dbkdd*ZtC~%4+S!HYKP42au0b6* z>PKw%sRg+6YXH~rODj2#L&^;9zdi5SjCRl?Va>GTIIoAF`73AR=7A|6nc@~B|Hn65+n9KUP3z^}(?KDOdS zlgQLlLEjr$UgjJ@-+8kZ0LzW8ehY{k1pQQE4gY*^6{{ru=z5v=!J+hW^?Z&E$z*$P zm8J6|7u}LcF@#IsH1azVGCdi^&S^GNc72(cnE#Hwsq=Wp;^1YxBzF}%PWcmA`)X6@ zgT=j0i`PoY_LhE=G;}EHH(`=d(v5oNizjYaZ|+EYHWWr8sXQno4DJSJQ8MVd?XBnj za|a-dqd%vLuwo;gMM8zn!WNM`=fD?x`ogwVm(G;B>!nK5l^A^TK~mR@x$7x;OvDOs zUmBy3K4E^UF2;;1XsJ*(t{>_KEy9RZS<%+3gw~WWKGm@#&5i)*%-`lz;Ksjzx3rGk zsO?wPTil6K$&g}oGH%ulZga|qL~9Z#K_6FINZu!H(ZfqjoU@N7IrE<-ehAw76z~md zi@M=k9ztpyjb zVPNsRX=HEF3d>CIdmW$8(M_r@#fK+a@biS;G$#QfEGM;C?}7NQjJuM9|H<9cLX3RH zT)9P1-8D4uQ<3>AoS)z`T*RcUID-g=VW})Vgp9Lc&?WOWM)DfvTvrIV%@9jgtZamijGNYSjU8L~hW@OwTz@F0OK! zEJ*{f5SP3j2lsaOm*Ij(F%17SAMQ11Y5$E;uk2@(Uh4r`dsD|ln~<-a?R1q28>+)J zTFI=g1Huz600Ry=9))rX3rn zbJpW1@!92!#uE5#3cf7pFJm!Y6y$zeN_)#8(lZrul(1s~uX+#ryqIgcqC-&l?fV z-T$TN%sy?ltAS`vJg2=XBwl?3dNSOeMoq|CTRpYS>wGLsiWJEem8mD}!ECY5^0drk zC_bE<+V~FuF;oF{PdNk(xf4I+Er{6P*(P8T9-e#P^|xqw!}47FclhmTC)My?o9H`+ ziGdP;NCHZXhvZVk|NVjBReJ6owDJe6ND$b?5CIgDfNIBrwChknlnLu?=B|ug-%Q`< z+uf~)NiHOdLD>O%@3)nc?0~T(-H%ZQnJLU{Co{F~b|shr9kTkOiH&8(51!ZP>%XA( zhFqquFi&;l0!_adcq3nTHO!d+IVhug)+%ucN;@Af@7gsx6I9N39CV*fYH-{oL^Yif zeO6r8br4n(;pI#achL2uxd5A_ZU@Uk^*EgR+kd^1-l7YB4BxW}a_dlpa=L|8X1`T- z9e0d3CdgrEgf;nDlMoK|&H-2QUjoz6Vi7@PhL$K}R~0XmU7 zt66f9BPcELv@R_G8CrPwy5H<)8BBkaTH3ow58cB3ip60%iw;*D8TDt!r`qHPkq%ko zdfP(cOnjTepO|TEG&B*lG?jtdVe(ZNJ<9AZ=>4BGiN8s7z8+Fj{ghI!7Oh#iEBlEy z$^(xw*G`xHhLZDGAJM~J)ntk99XAEeL?qy(SFLkw6SId~Uzq&{0|%>D416)&=c)go zE-1olCBi=W5QVqXqCZ3DU2A3%|JqQp8=#)Pl7E*&BzsNs+%gmGlW&A2DTduT}*FnR?UGY-LX07iG^u#X;-En9jH>{>RnQ z!Q0dIU?jcG%N+~gWvJJw;SFk~-Xt6qtu{5Hgiz8^{zhj3r!Z4H6JZZU0sq(6)75=Q z`rZ#O3xt`DptPngb4_V4K^y!oIxbCos`=P=r#qxlJO-(AjYAB8u^2$JC|Q#b+ObT5Fj5OB+`k$)wNHpXX_b5rQhpdTKTu$Z6NJM5(?Nng9EePRcBOi75Y2B2flOg z%|1LGOM|D<7M2$r?46%9V{Zx{>5 z#klV>7h6pqnRAza%TGhJSx~USXQkgErwuD~aGa&*?tM{pD{|z5%ld0`d~fn}t;6>Q 
z-FUg>Aiy)5tw})N#s7~1G(Gjr2Ds%nA1TnKokj0?h@|X>6SY-hrP{tHneWiKkEhxL z!LoLXYiqGh9Qv81VX4Q%(oHI@&PB>`zDo83JaoGb)qs96*E6@`KP;}p%Lt^VpS#Zla#A{55>Qglc!lGj;C6p#hqwdaKYSpxHrA6i^ z8$>6&3ujaxTOC!pFn-=|*9>diAVoU3o6uTzMuqu9LKHpJZJb9gyeCHkx5uUSqOdk0 z;^I*Jf*cNZIFz*2iZ~+0$qETz2oc0j232&5jbgCb7~hDzx-FBYcf=e05GY_r@|6l+ z_}9a=)I5GltXHYTV~3EmiLm^8EO%u$0TbgH48p%|!?>k~tPg{bB=7f-gh7f*GE01D zJbPlP=?XGk3cFRZh7sk+&`#9zM_$)-xT@d6e*vE>Kc2g7(9R>6Ce zq7*bW^dJ)J2=A$%L>Ie3Z&Y`8aN(R2d+jg@RdANW8@x@>r|fIQpT(ZU201hQS#U8f zM%50i1A~;bB@b@S-diS90fR{9Gr5XO@h}^nSA7nZ(lbc8*QNv> zZP>C;g2^f;4RBR<&uC#wYV4(HY4(^2rMJRNneyp7Vm6`3{L+yhqv5Ho6SY~!gGn*p z;(@+<$S$@`p!PE%0NPRN9P1FMP;P^K+3YUh zWWfr}_nttO2_fwa$i$0=N`%foUi&V_`&0k;+lwSAyXJD;;Rc(a2K!|6t1GWw zUrBD8wh=gj32?yTLBJ9XZb6|X4^s9?OEw~e8<0S&4eR~xKo~+FHN%P|`duLAXkbGW zJYo0$AU7$x94v+beGusvZY4@|GiCL59lw)0n`vi)(1Q}m&*gX-p3ZoZoi+U*tWS|y)lVz)E?6xe6IgR&hqqZ7EbdaoP z?UHArq*MKqmEqtiH@)A!O%~ygtd)1+Wyy-yJ7SZQf&7ElI}X8`($pQs*_11Z#Y~HQ z7V#*EqaGhvrD;;B;7n_s_mUADg2A&R|CcWGFZvD7q~RVfkZBPRe$NP8mD*RUNVjXQ zwWQP*_?|tC|6`s$l-Ppj=0u{=UtX884qZC;&=pd0@_23d2lr~ z5Q)4dq;xPp!ctTRW#Q55ZYDIgdI0K&(YJ$XsjGD${$!vJJoQ5>Wb?MefQv%sam{%I zU1CpeK$gCh1R|o`hJe?T7*c+c8#RnVYFl1!8lELBjDX64tAi)k(0apja(!E*Qbeb=*q89Hmo^oA}n|PH_4c8rR z8C>f!tyftVfYzV4G4L?79opc(2t2&GVYi`GkfnN;pH?=B3JBa*WHctPU-<>@iT15l zM`E?Hk=3!WU2p#>-IF4VGHcf=_nvRg2kll@v;|@QTxESIjUjViN6?uc%zr4V%TwUi z)RzYz1b!!YwMLX=Cx4vaFN&;#eM@}fu^852?x6RDJ^~nbMt!4gknDpq=YvhGZ6>Ps zCQK9opVr=TKPV&#LmT4TFXOkwi@n+-o;^=lNfM0@i3F;TQfJ%`Y(f=$5}g}3$9+TV zQyR`b@9i<{#ZqzRtr~mzkSkJfKO8uS&ouh}VVjl>>W3CMm4aDD_xh&`Oyy6hRZ&}p z{bXPKPIt8>ZL^n*`oKMQ+`>94dh1LLpdk8D6u(N~Fo*Si2)JOLSk0S2WmFb_4J>3$ z?;@u9AtdTTFC_U@vZdESinRJwx;%q!8aA4HbCQhu0S~=3>?n%2`e{k)|u8`RFbh535YE( zpShz9v{cI@;vL^w2#j>%E4QnJj{g+x3>vYywqVFliefg~Y~C&(Ac(MRQ$_oONL%-D zgUu1ShAHd^C6*@`j*$|ZCkx2+%z1(oLo=XSVS`KyzA1@eQdmKR+n}dx`{3-5%nCRW z(Mz?Aq5X4J!wK4wSflh{CZ{$n9!~)}$uf;P@w@43_3OnlyM;`|JjAGAiz)8La!Wu{ zr-*-mR5xraSGCbl4L8s{_#weETN4zYDf(Ru2LsJ=G$$EvW))d_Q~|AJF46OrjhsdQ 
zF#HduA$Jh5n(OX{3@le56Sc#ACqkVH#JR{ja{h3SGwP1dA{70|jnG>hwNf4jtC^Ai zYW2EW)-%718)?8+-}JSVqiD%{Wh}k7tc+G+=u=Szs4!z~^($$44aVE$54;>*OE_gn z(}^q_vP|t;1mF5JpK_|7&CFfdKc+U0dYqm!5E|v=)9u`Eaht-w4MwA~RYQ z89;Sir&U=>{Gl=jEs`Vv{UIOq#%F3ZljdACwf@QMLHw3NPEztl(u#mK88Xa!nX!D@ z?Woiq6J;Tm-{-s|0&cesL2}kA|AVPvJoGYl&b5UpM;rW3@=3F*$7=*iKF#$+W5~AG zBJAh$Z%NU1sPNl8p;nl=ytJ(OgU&*qbVM|8oJ`?Db#WCF8 z+K)E#7QuuGend30pyO_G7kKDs+sPu-hf;ywMjwQT@^U%fcIlvH*fd0|qmU{TkQa zYs0>buD9jwLr++~|V^D3CF$;_x#egF6+X?;@5RKKhq_&kYos)WlmJ`m5H zcZt#{4J>0b(r9a{n3x=ly&M`fTU;PMShp}OiT z)?OEnq-zFWRsKJToSM}eruu1hz!L2Wsz}H+2BQD?&T~{7_Y+!!pR!VDdpNMp0QmD~ zmjLS4sG%lBQ)N}0Q-!NZCN!+d{7Ay;(axUIDWA(o=w18i_WJp%_f5%NdB$SwdRJ=K z*xu&M;3?*PgwW%q+S#H4dJAW=r=@xZuEKnA{-400pr_{us`-Z3+EfXM*X=r)G!xM^ zhOmDgey&iFYP6;3MEHSOsn>lVbRBza3@1y7=jj0ea751Nc|yymvKq($-;jj!w7S&4 zV~qW`q?DTN+Nu6?E%1`)SyTwYo9su!qP`{%JE4C8W3`{+^yW)JW#=gYmS?f8hA-R`l z^XN$V&>#CP-k3o?yBFL6Z0OC}Tcm2Q-(VsaVMh&mhf5y{MmfrzcX(~2D~poy-0t}$PovK{@E4sS)r!P6Fyo*d=hF8c zAMcQ1i8c~c4xTo>*!5W=kp9bwdpRrgTY`%0P=T@@gNj(FXpAHTqA^*cbt8$)Ky3^O zWkliasKLBJaZHK$-{||n>Yqe=D8OZ||CeQ!mae5BiDpWPOAyGUD5P3hmyuR)-)sSR zcm^!H-W~GxOlwQdhL{bz>CIz@P8#;$9F}* zPSBh*hQAm>D#jK?N|SOU9{pJpC}D+JOAqwkrLw}D7lE`OP%I8}$fEs+$byU1qM7E( zz%pAzg!2M`tL=-Z0zI-?mH9Z=4ygYv3 z9EWm2b^z}hiQVHoT%e?=KVg0^Dtc8xA8AShdzY4uESRWBP|C`cxt{Kj z*9B}7$X+j=$VVroB_F)^ap<=9fLlM(bn~iw{$fwN1cMaY<1$&YaV&vZr^KDNh>f)+ zIUUh9Oh%6T7AcX9@C5^5FxtU^=IZtri7daq?q6duJrlPpBMm{-PCC54R$w@pKPLOd zRPj0CcPQpjbam{_p99B;e7u`{H14d=IHw>hZP)m);K}Xk0uOh;V zLWZ7Fn?YjF1AZm#Q$^>7VfAD%vvJ#ubix<&OB@o_C8)*mG=WY0=+^m z3eWlNaEz~7=#xCjR}M->MgQb6K?l_&2poq|g53Mm<J5W#bj!515PRb=MV zv?@XxaB>1(9>UStU5b}ylf}btAQxOopJnTTxF3F$&$Ef7n(#Ol8_ZYHF5*a0f6L3u zRSbuJx+ZJ9d<4*!%nCP!Mn9363RnxC?uDcfFg%`PZrLJRvl#*HlT>PkF_Tv*P;`HE zM&;1Y_^X@u9wO%RGtw{B(^3b`#^7na&J_0F>$Olc(*}Y@*uh=w#Q}W*E$~{~dx%>i zTebXU)3ny&A7H{Pg39Ip;Q}azWGk=Qkt8rKKu}aqQ#}qD##6f1Sz zxwD+yu_;MGhfAqdVI*V*AatfT=qJ&u?zUt@+MPOLW(>|Bf=^Mb8|C{+RJ$*Jl>rLW zid7SvjOYSZ6osm#PE3m&9QK;eRWxm4RVDTyX5V6|Oc*>bw|_Q7>~k)@-POUDIf3bV 
zDqmQy_6RPd33qs+ziRxsw(9)!H?lg;1Fq_Su2rT>70)orOd>UTNjeC5%PYSi^2aXO zOW4U%TNkWUw=k74RFK6=h)`%(P8e&5iVpKnZml?t>Kp5+ME(!iOU|0pSZ_sQG@2ss zmD%Ozr&yQ#`uH`pF|`*rV*lE;T|Q>13@4lMiFn*+{nJArwHW!afHQo_T!<>U+7aJF zBIDObR2?Uw@>kgCMq>;w-986+e~Z*r#k_%J~;I+P%`g`)jI3dzjK*>MnGw? z6mw%kn|dZ|q4=aos$&h8{m3IXFJ&BosQx)-8mG#XVH%Wh$O~%(ZN3mWUODo4xm|Ve zjU_ddqgyv%Nf&8Euj|-Z5Sdo~jvLxm3RiPiRmmenw3yE6PZ~d2^ta9?OI2hvoWAV= zz$ep!r+k|DtrUq_k){}26f2^dRi}SwCecQl*1zDVDu;!q)-%3`LoUE@?iE-1a(&iXYGJdhpSV#++^=T&B43U zR6Hv7*Vi;Tt~A-(?V>o2xupH}27G6kY!!qX7f)oJkiaj|-U3w2 zW?}0Tt|=8fWK}0_@?}!Nmod;u(6Zu z$zUEnk?}K`D=j~stK)%KQDpL0h`0Jx)W4)d)trka1OKwR`pns!`KLRvvJAq$Pw} zc2x02>hXbymlR#h$bhlZ+k z3mbA}-kr{S^;RTq#u)aelvRJK?rOW(jioz86V=8FB^~XIVnY?CxS|JY5vIV=&5VtX zbf7u}e-)~#5PQvGTr?-Sz$MH6_Sp4}ABnN{9(XJ(;pXsNs1&?<0hzn>mK!*U>fY-- zU69)hVpwfM=K4H4OW^)tSUL|-5e<2b8M)>>i-d)#>%na69QZ7DdfF){BdqI@=e*~l z15QINs=?q#-b*IgdlntC?u>DeTi~ny*SuA{mF`GgP#mtnOaqf@no8y5SI(;stDHoR z_vDDGd?AjeD61X%0u^(cu0?dSA1;UtvNHDiKTVD{mIf_ZoO->}qW>K|(Lkx*sGRH9 zwWlFPAF_YSRnA9F;vIm{SGp&#wWWj=miLF7VCWH};Hmm!dOQ3mJiuZ&C>ZsXSBgb} zWW14uZA~SjaL@>4iL94wdo0tt-1A7Q{dV(|`zb&j)^uWU$KVz1iN8--p=$-ML>@#F zhYTAtop+Vva7X5sM;AGD9aiQ8Qd2six_(eC)u5r&BU>x{_(WuZ->Dw`%bb$%RwrjY zTyX`6Mo-ZDp^`U0w_9^{D5Yrm^9#3UHVKuyh8M*QhT)$S^avc*wlThAj|0K)o!X@C zS~3#n#TC$8?gD9{-{>fssDXK=H}ogSNa3h#xk3Nn>Ce(d%Wn(@BQ{-ov}VJH zwXXWf{nNul?XdW;T{cJ~!KIBwL$23poAOxT7um80M*iok8-%x37R~$YKz+jIrg%L{ z^EN*TIvmS_AV=Psp+bjgi3PVgj}q-`Vf-Oie46cv&39%~^MPC72x0g%D#;yRp28qMYug4ogwz072`-cAEVFPX=o&z>jlJ=GBD30%POi?E{JB+Px;ahRb zcC7o93b($`kngtUz^_+c$=O$en=JkxZpQVrwtAW_w|**Jo514*;c_|G6{$i?%kdvU zbGGT)ZCBgQB#&_nMrUQa&X-5uL!eRmlkHTulq_yg!-Oabyb&BPo@w;^qjbxC^}`Zf zPllg#+_-Lra?salg>2!!qQ(+=Y`tK4oF!|qib;pH2zxg3&rLK!$|eJdBcDpcfo%@U z;5Y3^uNZP@fT7>W6VOir!ZX@R#0XU%y@_c<;1#Gh@jY9ueO{!~4wHqIlt>U#1_Tx>AE8gx9tbbMkk8(~Es+D!mhQzH*b zIw0%{An})H1Z62|()=a<{(AaF+|=A92)Wl($z!+ZuxUT@`$?R6CwQy8QNx423sOeb 
z@tS&Ma#SeJ5RZ($Z(>X8Vo@>&!%R!BHy6p0$T#2BiwNOs{9fxsLVIJRXX`dvUtQ&T3=0V_-qXlqG5?jAMvwmEY~ha*4UR?suN^xna%&4$a_&56~`RVL&Hp14hQCf-a*ko2))AR+E=Sc5S~;exYB1>qBYp!-$>j%{s#_MHkF%rcWUVG+t{+z$Ume(uDIMFtI{<3H52 z+$qmYcw&luC zSJ@D=m5JT0K1`~B@7^f+%f3hL&KUxX-i6tRQHx6Rf`8NwTpYahiYiA}6V0NAh^NuRVoYHz2|IiJzRT;!g zIS`_34K}cF;Jlz5`yS@LiY{yNOw%mHoSYxBRGGozMh3HS{PRGd}V4&!8_O7j4^qugzgWw<{_PRM<#*!*&x$s$c zK9RZEI|;TW$%@O7Xw0cRz`Hw^Hod`|P$t$bS?D|wOqgF4U_QGtc=ogyoUCYCEy=mf z`r65n+OakygsA@QbfX+fr+LE#aeGz&Jcn&z?ew%z=*htL(~V(n>t*vblie@#>&@{< z&6krGsTYW&?;Tm4%C=R*kM*Jk_@{62glvY`nc98!TQ-EMZ@PW?5T-Tj;0l8c?Al;X z@OZl>PluTpZbmy455Mko#SzNrC)3+JhH&sF&tg-l1eku8cYq>)HFDJ4B0sQ^`xSaV zsQ7r$WvPxT_=|t>iuL=Tl)a6={(SrcaDOllC%X#MO1neVy9GtCMm-N@f6hH2WY@+P8Ngw^mk=e-TdWiuOIVDn+q_TdB-uSQY*JjK(*hPS3C7A>=F=*{f0 zo97TL+g5_u0Y{guxSd%!=W4YhMz094f4vK za7f(qo|_>x;fmK@#eUOAW=9^?pZxea@B229dRSv|Lo{-HN_SQ!$oy zeok-IEa%cJ7)4mwK5%v8M3J|ud*oEhSE~`Gkze(t%Zr1KXa@pTTLdxv+maP#|C;-; zv(LVG=X<3>Kpflfg(*$BnH= zky7lOT8RdzE)A6jYNt}U5cxbo&zJYvHMrC%u!(zh?~?86QpSjJ0>V4wcOs;~!%;Ir zg1auG(PU(cPS=bk>^HzowEqu+)CN(kj8)OD6nYkD83P>?tzi)et?p5bt&%Xi>C|C= zS@SW9@i@jNeam=3svDQt18R%76f)GBZ0>&0i|(MWz&l}M3WG4X^S?|%b?t%r|B|JODY@+Jz}%#R#l~$}dd(@n+|5pgfNt zr(;#NguI?_&#sONj!gSMH$TQqo*>msRh<8Z^}bnJsnRC$`Ggt^KkuV@x)UYEq5t?- z1DBzZLTq}EX{ei%I_@r+B_!nsrN$}*w^3iT2OgR2jN{c+KrJ_>ta^{(ubHYQyKtfU z@(3ZY3tlcx&`W4iFduFJk?4o;E?oVR_m~Noz%|WpiakfuVA!K=cQ#O4bO#_H8-*+n?F4xuy&z+!KSB}j_RnY5}IvD6<}sXto32^Wf*@L971#JkUHy17pINq%BFrohA~(>QGym zOWthcQ1w?kBH=vn)k(#F*VO?X0d)XCuAZOabGKbkQ$NUui5BfwDMmLlmaD#vm%f=8 zIs&bHwg$P?bKCko-yT1tsbr@SD?)_KoC5>yvj=Qm2q!2v5zkTIL6gKCl$t8$EtB% zVOw}L=-gWvBjCIVasVj`a5VlbZxYSS+^OcIBu+h)UeV=2|3=Y!wTUMrqB!XA#CE4% z+Rmx}67`3Z{;gK%$=Of6s<7n-l)Xn>>0zZU%g(fF79eO+S*h_iFx?XNk|HJoB~# zpVJSbc?mOVyNhvS(7%@*$s>CyFy*?Sz!&=Zu~JbMwhO9*d$)r`ePVIcmc^&{J-P9$~q>AX`C<<|GpQ>4#NnG3Y^(!~&p0~6@xNt`b!4{1Pi>gAyM99mP_@F^D zI#X(%4S*XRM&YSa{AYe4HM7Ha0MIbl{HjG7rFa4?Z#v7T-`n1W$rgoTn|XZDX!;th zXGu-43j(2mI4A 
zF9X2d2LNCO;aO#gf0^YCclA|nNA%oTPj%P`^;}f_MpnQgp4PfD%UHvPo>V2w>!B7$%w5571&|WTos@vz;N%VPuv3 zlRT5_(wLivtMVcIsV*YzoLJ>Z5D4jk39=fgqh``J2UIz!K`~DKyD|sXkhk3dDB9FN z2bC)|JcpcqBwA3wG;La>YF%Gt2=PF=Z%t_2(BE!8x(w@lR^Yz0wJxk0#wz0j;`6Q91_qz zso~$O4~Q<@tDSsGBOFH~@=8_^ll0f5gZF2}UtdTV*e5BN#LM)?g*7apt@3cTgE6fP z9<0*ZJl@XVyoMT7CawFmN8r5ykShQyY>t{qd9tP{6$z5_2hk!_Syv+FJ;JH1>e-+e zcxR&-5a#RNEkg5Zy>4SRu~B=cl4= z)>itzN&|4sq*J;fz)AK>G7fGEmjXS1^=4&>4L_4Ppi>BFYsc5FINAxcZ(bTAnnFUc z+V##$T}{-3RYNMKgQ&;SVQJhy?}>J$-zZS~EEaRL2l)=`U>Zb*7I+aKvneb?frWm) zHGYIW?)L+s%AUd({uk#j=U}=&@=lKmsc)p0a1WxW4in4w$g&6ASutX(Ty0IQS+q6c^>P6kwx^NdqPo;`Yey+Fqp#qGr;%u<6BdXJQhk2M*`v zr$L7s@s@czZR1GE>I7ke;qBdVUIQ~2-u`j%4fYf=I}N;CyR~`^!eO+X^lCVW*oEvL z<7WMKNUzC7#H}#IRcL{I3J5Kw|0>NazoP-bRtErE9lSM=X96Lq^xVI?(FNQ=-bZUc zO3r(PTo<`hBOF$}Xg4`QFh&E-s}oI!*e-!(9}z)+UGk;hLP#Y>>efnFZW4LoG z$XQj651x5M-^mQ*H@wI0qVkR+->!I%PBPD8loZBow>`g2iLR&ly4BF8XdY7f6puGo zLqSK!6|o{s11&*5Vat^rwf2ihjDy_N-t}m z7RV8pR`*Bo<@qjS|X)8t?Hy6cEDW{MS^KblE-{oqRiS?dyL)VMJ- z@606)IhZoFrJbPT)_UvF zek1J5D}P_A?-j%pwntA4(`8Owx=xo$E^Gjqy0vPdCH{Rbe4*7PTn4SIKL@>QS-Qde0Q^)=1T!?tx!sV@<%c0RAxxymF;uPFh&;D67F(IBVpn~9-C z)tBj@bF!+oH6meLndIf<`sR&<%DSE>kNSI`z)zP~^HYbG7lpd8I!TqDJ^2XoD#afU z^AgczZ>f09a(d2%nz-0jc^oxM4kn#%Un)53Q<=Ip9AkVO*uI>3Aa@_zJ#B)5Y{@P9 z{kO4Z2{Jt1b53c$TmD61TcD{x5V4^4<<}=qNx zY?Hu)z`l?)r zt>J6h{NG(QS=LTg93DmB8xZhH%iG%NDzt<_LAEFWfx!Zbx(vgLPC?^(>UAT1eOe2?cl&>}JrOt9TLo&WutD+Q4$39f5T$kcrK7Lgf z(8FkwUOm{u;4Y_OsKBn-nz#ujE9u}tv1sMc=KFr!_-BS~D?hgo@_M4<4EkPm8PNH1 zg8%wZ^IA${yR&P$8D>Kgv&-L;Qrx5Z;2omNeF2IwSD*EuC;vO7_9g6Ke)v~06yE=e z&qXLPM06Cuq;G_+>`=zdGATHd(^zn|hxHsytK~dC<8u`!EgaGODmxAJ*^opfR#A+X zLU1L<&q{!IwEHefSDEwjopK`uu;>F21wYf4@n6_+G4 zI~!+`0di80Nt-E6cMCh~e)YKZ!i&vHbsZ1L0FMgMB56RJ@Jl#3_7dc+VVcZ;w$w_l(!0vuP(jV=G(l$spp<)T;aj34L|57ykM=JeV@-kQV-uSzqmw ziin(SFERge)jZ;N6cN|oWD|7~KxnMY@pb=SD?r<>hOhf8z}Fq<@y!+QVpYnWIJ(8+ z?~mP-LN>>L|XlCPj<$Z3N$oVI7A_y zPYW&TAOAcAO{o5*RX*O8I>_dWKOQTdiI_Yac4;b{IqskI1X*eB5TP9rv&6?{4a%df 
z)bH=fpBg<0)H59=RGDk%-RvlHaXRZ_1m4Pc{ST!CUcBBL=h+pgqnTx*ceWY}En^55 z&r{aKOaM+E$H4js0s~Qy8J7V3&HHKe%eVZ^$j8_3{cWzSn5amh_cN1#FE9$qZXtud z?4xRl{m`(21Q$)>u?&uZ`)QFGl0Rs6<^DGc$EP6qwi1wB}+WO%m zuw3o;`P0{=mB>b(@rm7WOIamp?0e}hz9oZxP?MEBsiQkhn{fTyLM70&s;NC-xwy6? zG-!*e*3W`(i^$}&l^R3c%g#p(619~C$PEUBMxY(qJY`MNOjQY9wkn^m`4wrfu5PMg zRrJ$7@lt@iCVE_(XeJ!wI=;E}1ts2XR4ao*2fW1MlWn3#90t+5;X-C9HEnPp5ZK{F zK5`U?LsAM&RR6V%n~tCqJgT4J|IjCvJ`H?3F~d?p@sYaZ;GZAp>2i1PQN>s7G7<^5Zj`rD@qVGxXGDj$wSjK z{GDlJ)-8#8E(JuDtQJS~OP~)aLV9yZT>|JY=OJ>R_Q;>f41~t0ClcVs<#L8Ubpi5Y2#=@^Rb9Cg`>)W1dvm6arf=6CRjfgFKDVn~a= zYwUo}9?Qqdm|0x9`2T|VtvcW|AEkgAAn#$P4Tvk?{BcR9r6M1)ebc5%qZcOaNb*qk zr-eI|ra82t%&I_`Bc}c2YJ0-w9)eLo6Gy@eci-%nqtV|A$VJ`IB_d*pc6G+A9ChuI zL;8|4KWE5lP?58Kx~I!SVOJr(;jGlEXF`!@Aa#>LxJwJ-J9gB_sB^g#bS8DZ5CiQ&g1y4Q&8QUd&8@1RGOMJZ zG-IV+l7B8(w2kUOG#3ZtbwGd3|>Zk7dwP(JV+h zLJgkdr0|kNGC27e!@&IPi2iXgWh9HlJU@A1Uk);!za2dNi|;|M@f+IZ!vU^szGCk# z;KeigON-0}|9CXQtI7XlfuSTeGQz$^8+N2vA;H~DWCx1_s=4?d(!}eDrTLYLrtzUeruT0`GG zg`6%J|7*R#UcZ~wzFDuSU9#cPt|*RDL9`kwNzX(UG0*^k+&Zz`WeX2B)b%Ojcl)Ui zBC&|4skA70Ej%1re8Y?`ySZy^j;Z_$QN=TQFy-n+sjCnfr#aa`F+Z9Y3&z%pf#rgU z>BZ5C;jMso@t#i`7jJ!W{l`y;AgR=_#Y@%ofP(b%%jBKh61CXJYD_l9TU?ixzz=f} zdH*(y#bjtKuCD_Yb%FU)EzsG_1_yv2Q9N@Rak-T>1c16Pl1GOL^(Uddz}WKGecca<_!7>q?x>_0e@+yd zEPe!`wldYFbw|^6-S@7refWu)>`j2oWMEkpf_#KWBv-NEh(^w|0l?}jyLZ}3#ge@H z>7G~ttOo%*Bo`1u9r-OpkQ^tz&2?%@9AD9Gp9p`oA}CGF7LWL_1kyUK*OrM6_(F9y z%kccurB-8D5t4&lOqr`g=L83-huz%dN^VYkw-7j(*(rK%Q#rs*ePskA!WFhus(zMS zVuQ%PbRy@>edY2TKKY0By{^Vfwu@pbaH=apxu7EX+D9K4B+_~Q^YRR;6clW%wy1;)2f(aX^ zL(_7VN{8{6Ebr**@9Dno>lp}Wv)L)tfv(ezDA!y$<_&w+Rv$R6pZ}3vC(D=AXtTrS zjWk&*{*5P;aMm@`hya!dhgn=`povhJ7W%uoiCuz7a1V1Adf~gO3GycPFgF2u;(?`< zgz{N#ksiSVkv!P~bPCErt$N9Ozr0;%r2PxvH>QqcIgw^OyJnNN!-NlXTOLr}%*4S5 z6&;*?!f%iid!6!AE^B8@5(;vNviI8fkGXnMnR`>9Ar{Js%LY?VJaW+V5xFx`AWg#m zB}qlQrh*|kFo=Mw_=)=5}G4 zsLy7QE4Lw=!;u@E>$0WDs9cF=e2%^jS3(v<9(<8~J8=b(ctw#%MlBg%@gM0mx^LGx zD!ffC@WU?oEeWzD2>ZSTw~eH-$4P&KZzi9rGE~#*4_8rIjZaUCu@ymrY>IxD5B`9( 
z&Od)cDIj0bX79ky+%u84c%bNt@m1EtIj#?~AATu}U5`EUBW3g%-j=^@%LM8_i-OA0 z?RdNn2KsEk{t;z^!1)6A;RA_Yu#~%}OAoxWSj*+|S02ffIqj9N_$w`us*1DNqhI7| z*)N~_Zb!1=meX>HE3p1M5Y|;_c^gXTdB6j~7VS3eu>7?|iVYBGgy{j{4%O=CNN!%u z+bKHJTTVQWu0Y6K>{;}53w{cK?d`k89x8^mb3#67$8>YAG`Qcjo>re1Br4z(+ zB9S_qPP`F1nW)s!$WH7%nUT!Hs~^@a>fej_$Sh2^ZAR?M=?L}qKKP2DT+5WZA;w7+o>h)TTN>*|!`&e1FN2q1Y z>urSC_k_uO>}CIZepx%D<@7`Ys{kRFZSH7N+G}L66`2>BUx!<=mg-hM(S#UnLDX}= zRiTrn?Cet7o%{4D0--9q=E3;ML@~oDu20sT&FrO(Ju%B`N z_%6U)nzgi$M#Lyb)0+`ODb?B3mF|(XPwm~(h4;5=gQZ91-oNkBy!1&T@yburkjb6g zC>z8J0eB^G3w)&oRMr9AfeNv6?^*w@^DB62>1+}FFv~7(^T5?Bs6_a#`Y%!o{JGC- z6TaIi*Ptb5v`~j+7Y^McWItMpsWs`#Q}*`YWwyA-_ZPsA~ z%v|1L7A1S`xqz5pY0RX)V?i<>hzL{TQg6Flv&zY{IZx!8f+s(3RK4^QvGeb}8o%8t z?9d0qT484=q(YP*gE87;jzk8X&JdlEh84=`f$_-m1uIQuNCPt0n zs?=2z2x%V^W7vTtMkU^OMbanq-v~s*szg)nHh^jRVFdHMgyELr7N3u^#^TYhr`-T? z=R9t-OCNiAqB*a6d7Q}z=|u<1hH@i+S*bBgfic*|@(p=w^L!IatCmFEH)XPdmnp>C z6gY}TQg>&W?5Vj@`{~aSX1`kXrNTZ@tg|z8Q`Nto%S0#`w*0@e@^9K4r|(KREWos~ zMUrTF$pB}hXL&E3`aQS6E2gR{Jnm4o%OM8XMJ{62>a$}W{T<;H8O=c^;D^HM&cICb z#KvGd4@A5Z6Y1&}Bg1d2>?Y?_w>BmSPA%@gZU#hXSWzz;o2)>%rjT3$bEd8r%5Xo2 zjK{!pouM`XSVY|vHDXLZ2c7VLfeL7S-_V9q|B#|hzK=GENFmN`2*sUME8p)S%_9%S zlVhg&sP?^6DpjKzMK~OO#|KI7Ki7Kuv$>QXD)3lrFGapOLQA&iRq`ys^Qn;QHOimk z?5HoFuN*DxB^bcW`K^?+H6+X{%d$B%{J#Cc+$gKgzhXkU4)JnU50(?h4!4%%C39=l z&SK!7-&H!E;jw~Cn>O*M6&nTdygq|C^Wcls-_$IDW}y`k<~b6`KC|R=3rxNV(qp>N zC&U82QxRI^Or2eps41-T9=ngs?{#R%QRF`mDye?}L!FR46lmtzJ4CGkarDfN#jZXt z=IyMG*W(5(&2-5QPDfDSG%4)A=LG_j5_iam!GD`AJeKxiB>Y|*MNEYgc`9rI6(hk5 z%hd~Krn)sxYW$>(-Kgam3)v#ICyO>^FZSt{+Y;J}&N~>u}o) zO~k;5dy?lgi1v0XRLBn4i#tOc7MCr3lpi`WQ=S)Lix0e}@PCze*y#m%5fy;E0yk3l zQxx*gvv)kS-*Tb_Tu3~>NDRyD2s$yf>Rd+b*OaPkdf9fXLYJ;hwm!Nmd@DwsI7Qex zMfU3psF=B2=QUu~ItYF9TQNdtv`7gXMX5mnrm2c#=y3y-o�VYM*)n$;Gx+_>}^k zwzbQIn?m8JQMIG00?` zKER>-%iv8Tu_^#kIQK1F%T2%dgRgu+z)ua_uA z9i((0073&`6K4^t=d&pmGzhK$S;;3giFnx$a;{x$Tw2I0LCtk$h$zNM(z(3ONVjIg zQ@?)9U>@c`EXUVA!xBZ22t$T-J-(vcA`p{=oOe-N|>lA<1p-LM1(5>KEd$aD` z!cW*y_T8J*!ve&6lV!qq%9^*PLM(rkhtt1rP%WM;A?w{4IM(VU8 
zq!N1Tlfb%0>?DpHr37@bUNrFj%YQ=qfV!38&1C@IEh{Y@BAU?N1M60dFb3 z5teEI4C_srtXf=q+q9`IT|1PL3y9k@Z~veJ#pjl2w%*~Z_;5Hq$iJ(uX(8C5ee6M& zO2-164hXD5@okb{95UE_kp>@EwCpv1z1#IR$G_HaYG%qN?h%qgCN>9ro2*2Qsb)r+ zT0;P{M1GuFi>#e8%y&{irZX3Kuau*%5tRC+BqRlNKhd?+i84Ks#iemPoHJ$2t4jki zlr@szc%{Hy8Ll~k>b=ey?aARSufEG?NRU#pxGUm#*IOrg9_6nhMtd)j#KRl@=Ed(_ z98of>oJ3CTMpu|gYI94eYk>=&2>ko|INN?d4qm6UR1Us*5z zT>=r7%EFaZ{ui^40YZ%~rBW&gS6JXyJ(WnLgR^2Ypy`Yk2Zv;TRo*`L+Ga}kW0TVERJ6oScxohM$4@&`^@y$N)0PYSBG0FCZl|!;IF+#44B9oIvI3V^ zqs&F)Iz=Qp*-ky*rQM}{lX=B%|vbwC-x;L>HrQ5TTHJqnYT(T;OS zbR~){uMJNy(`MrPJY59`Lg3)i@&{@T@P4R}(KXcT_W|lGzVaM0ivO=&`LF!%X$wT}~d zcoVm!<2p89!8FnmijF^|4`jIEVVy+S!)vtfZZDyeP3?=f94|T@xgAGDD+ zH7$w=B?qMkdis5--lpKgW79PB`JOBF`vSu$>@agFI=K=AqEqcy|EHb0R=p2ihX`GS zVP_e;Tx~~P9>a}cRt){q*FWCqEz|ZwgF%EkpBF9=Z*#C0hT+v|gR@uH_SfenwP;?Z zr_6_*)E}3e=tSb@0vP8l`f4DQU|vYS_0aw-y9^@tHHo9XV|DU`yxD+?k{K}QloY9Z zxw_|K>y|r-*O@Yfu9c0PJtwnjI-W&8?G7qwUXF!lGft+nq`ehHGrNzL%KyE%dOS@x4IcGl!o0vpzt0Jfn|GvL#VOpP%us- zwbaX>heHHss{H9GW2Exww=}p}BhDW((<2u^!WBTHX;P1Nf$3;L2-XTMe{guTl$3R0{~lB+1)-D9AwFrZ1t_!Mq(8iI*w@E-L1>az%` z-YN~P272`&Nv09fZGv2?YIqJN>0{ZV&%Nh2(2|3>IzN`LSd5*nUWaF8vs#p{OSDW> zZh@_lZoQ8MTXdZbX%&e$>8q7qJA7d(L)+n_?Im;e#`c+Xw{PW|z~V}AXx>Rn8Fm*k zeN71hRP_rugwc&+ZlAo1;!vgm0|G`Tb%Y&_tufDZ^ey%OH_;kaLV`d?NkaNs_$T-; zoC4U~l|d&Jrv*CW`JEc-gxdE0eM8&&pF25|3{g)ewQfij88D^X--N3Kzi#jRyyLgh zJ)G#HO2f1rjuuCv=te)7!R6{Dn?^qXa+f@go5ioCK3?vrL|{jJFLU(9*hp_W6x1Xto1eZ3Y&Vh5JE{h>6p<>_sSlF_#j>RV**FCS?;1*E$tn(#vw zL^VHzGs$oemd*@Jx~bM-8pj%Y?oYKZiX80Ehph(~q2iS*+iBv#1=LUB{tHcRSZsNUsw>PK~JR&^&8Dy_32jEJSH-BH?f$Wf9xVV0Yk z**mMapSzy`uc#Z4++Y0M5KZp%+)N?f;O7EZIs+n(|4E0g3?&Mb4hhg`qcUPHS3#7Tr^#RUC}wG$ z@EzG6*Mh$`q1Y-p3Y~As=LbBV=Ye}>kQMBP9s11A$>iIsE||Yo;tUpqCO&t8wsGE6 zq9yAkWij4ZXHjR~d~zms%xXsvs=wAeE9Y_ZCgxrlAEw=Nla52#7ImV+Nyb)_XLQGA zq+K=lVl}WC^WJQHv#LTBZI*+kmqK4DF@PU+z%|6*aPWID)Vqf(mw--!qQfHS4-6}x z@)y5pF|ny3!>=`_tpEab$c`l&Ta^Zr&D%l5+K56I0e}Va556H)GFDt$*DL0rbidds zpRzRvw!*pcHi`BPi%1$(s4b;f0Sz>w*^k#9q!Z>wUp^PdU8Y=RU5U8>FA1kxI$eHx 
zt+}m`vc_F#+11(jt}nfWERKCUda$1?D`9Ul(2$lro0NR{`6HRQV{Ndxw&7^C_tQ4G z7)Y^4v#J`m$wbgXb?@hca!E2(kIRQ`^+V|;@~NHTozo5!9fTa-W*X0e*Bzw!%z^}u z$B|Yo1V*N%INr~Abb<5MS1KK#wL~8DWaOs-WO`&56|}0$M$}Xiv9%=T8i@%~>P1rV zLNQ!xf}v*tU(EsvU?ePxn2*$jZw01WS7CF^^Lk?CcI@T^(C}gpnD-)L8LhuC6=j|l zJIxk9G7$Qm+63Zty0mM@I$S@dU?k8Je@mO~Uj3@~yQ-K&C|(pTLfxsJE_p;qgKQsjjXhd7 zz9b7ex52|ig5V2#CRJH~zK7{%OR`*^fV~))H{KF58N+KR|(0?9|w6K2FU(R{})9nkL$+`&|S5qIJ>tNTdOwha`$9fV-O#rq7R%{Y^{swV!n+lo(a7%N z@OV9&7Iv1s;2J-nD`v-&iel!CP*MS*Un&p699v@oOM3mv`Y67(h1lAALtDPRbgMhh z1G@pHOU>h5n2}eTFERVeSiV+%D8RiZtj_X+8>5-a!#ogLjjFs#QP1oo-Z&E%xn@BN zS`ENzjv7rJCFKH2#s%New2aS+m=y&IbMEnKGgNBO@EZB7(0M{g0c|tGUWFM&?Iyv; z?w~k|TYFHnsd5m{5#)fE+#XrGXnBwM17L*ZR-kJe}bC9>*zB|TG%pT;FQH|1+v?MoD`X1YYt z1_`cVY|F|VG97eeXZvG2b@q`gA#u}<_QIiUwa$B=O3sfT}uYai+(};=bbwMG_@kBb{9KhBJ80%~qMRSPNDMGeIr8 zq$BFIr|-_T_4pX0HW)hh>)fM1XkJ6sSg(Iyeb{Qf4f8sWf|0UjL=&xl4n2R$`TDjb z5kcQ@O_G;Jp{y&V#8<)i2e!%Bbj4QU%V^_#>#L!@kB#O_bZuiexWBJRINRn;O{=}T zqE-BP@aFvY8I88@%iJbg^YBahGEaJS_*$2}Na7=L4}R?u#dPLQ9^-c>iusgdeR*a@8nQ51n{e8Qqlsa7dW0*lIwT z==Y&TGOM`4h)sqMg#-Th?<=AZ1=V_7;g1ho5%XMjRu*h+*UKt}X_b2|=9Eo;@rK%8 zC8^CzDmEBt%74li(lh&#LwuSUL_``81EPkX7&+(Dfxy@vppavNeS_iSpCFalkg>0t zItVXOQ>DjE1Dl9$_UV;RD(t7{$1lC2Snr=}6A@i?Tp^03glmT<7+>*lQfN0wN2&7- z!Bt1_a^Vy@1u(N{GZ|%^w#)A&MK~TJL!)IlgtR#x2D+^~6a|Q)}IBDIz3p`F1vgt59y}C-mKa|WAFw_)8 z%HX!5$;}4TkjXhl1?8R1P%a9c_T0x9RKW|-6RBy-Gp5F}Nvo(^X;g(~g|XtPJjb(V zERugsA|b!>S}DdK_v#l_goz&Q!xDuyaF&49=?S@FU{WNeI-eA#RLl8IcOvi^#u+aV zetBu&gXa#xraG*z7!!TQruw^4z#q^wONuebT6L4I{w9XKWHk`OGYWT6>zfLs3=ysU za?*7}Yn+|^FX*M%_kA^TG0HApgi=5$s7yim#ZFj#1$y5_v*zk;3)Ns^M!t5&4G~nf z{V;*LE{oRRhAh;3$S`Gwxg*I4FF=uGU`C>^J(%*CsSwyr{4Zt{uHAcpA?&z-2Nf?? 
zc<+@=sdQX!Td1Duun&g)GMvEUOa6hm=PB8tw1BVvD}9C|TU?yf%c7yEm&`vf!h*On zUO808BhJ=cl6Y}&Xwh~{N`$)E2w(qSh!d-zQJr))iP1(~>x1G(IleJbDB z9<4wnhN*qT^;w)+Uqr6nQP*NCxC%{Y#Kjtt)4C&j%KjIF*F%SIPC_Q}+-;r9N{*Tk z_K&F3tTVU*i>$XnR=N&AiRvi>t?c2Jw!tjp`s~sj<#Od2OG5Nfz7Wi&7szD_tEG_f zuOo;g8O%fc3+O34B2`jeD)ST~ngi|^{BvzV=FhKf9W440 z=r*d;k=&utc%hO-uh8xMEEB5<-&7N+l(}451sBTjbCQ2G*Er)36#d9qDCSPEx~mND zzB;8O+Oypydp`dfcKn7MR=#t`W~SuhtpFvz&E)8r8DCrbA};OC@|9KRq{B^<*WJQw z>wryoyJH=3X7kPn-iH!5%~rW|ZjDCW+pmhsZ=; zYAU)BRnocHKrhws?0Mu;50;|uzZ+`2fm|HFhOU@vPWt;q@W6tuh@dT|A!Z=f3mgBa z_?IGlya(InkyC6L+rv$%TCl@;ek{TRmFD=!z9WP$q=#3{DTlmTn{CW(X7JltC~1&;bZNj-G0mV0 z`u${m7WtvzrP37wh`=%h{u{vlXnJY-@6p*}9L@0LkU2zucX)xf90J9ja z32CL;R7+|a57Z-nS07{CZt;8I?R)^%9?O?16s0R8VUb!Xcj*vy=)hN}H1MEB0_E;n~ zYYeGp!qUA$IT5Fus0?h8!ehwZKlL{*vDm#<3>kp+P@PT5t10fpnXoW6`wH|~@G0Y_ zDE199@$Ix@+UEUzSmfY>WGB{a9)ldZOs-9ShZb4ADoK4uut6uiDrus5U@o_+smmj99A{Nri0b6Iel+>DdS8`t zA*MV^=-(4<3|FB&j6ch1jRG;NoIPn8D3+hD5DMN{EwM(2R!=`Wi-=7vfD{8C*(g}K7$ZyvbBS1T1gY27eVN;;pK2u4jhk((YUNvO zIbbI>=4=PV{(Qdio9&#kmLC&n4FdgZfQ`Gu1&gW{r1i`vI%%wa-_Cx*{WX%~P#AAC z*nbS#WJNHw=g|bp8e5iARhk+DWnmBH!Er3)Eo+=7lZXy;0^X7&iA8Log&M8=0w%dx zZbQnpAs41pVt`$@!>wCGR~P2LYf;-_3g&_C0^U))SZtR`{Th|E?1|o=0uR~Q@)+H# zJUGrWcggZw%%pB7PE&s`9DVI&tLSWivLBKK(R({=1NOE+hg+QTLPD3Vmh3wXU;8EU z%Q1hDkjvr$F84!VHb>58k@EFOUc05jO6zpBcf7=hh4Poaoh0v~y_;QdM{Ri($3Y35 z;@U#^IgG3Bt7rnhxhG7AdGM*0gUj9C1G~I0*83`TF@@c*LyN8sXuY_2krdhymg@?Y z3VhC#)vx&1eps$~UZW}x{NB6pZ`R%`n(FzYkDHYU-`(RoH_Cx4O!zE1m@?Z}QRuKd zZUZrmnKEnN_y{60m*15j22SsYz}bzgtg?(=nrBYR#ZMiGz7J*-se64($x$zt5qv0d zL-Bhc&-BjP;d}bL_m^)>Ge;cPm_rSBlj9X9-b%NnUdzYQof)L_AdLn@(QX+u*0+!# zdjD8@r$?Hp+Enm)vDc|&><>3mSy6kgArJ2SU`iiiiE^0=;rePVijzal`+lk1zM z3DFLR`X*QrR3RU43M0UV;|cs5A~QWganPQI;>p*?7#I2KeXJ!lJtR%^A|iC|S9tNj zd_%`fHzB&|Id>RTLva3R7NKYse)%e@QU{J74fv&T!uYXH{BhfA*afH2IN%gR?_QLv zxnMN93;7T*u9cAsVUki^?dQ9%zNhWFfkZD8C-*Yz(^sCWosXh^&X_QGsXJ><3Ep~g zJY_`b)m9{}yjvi=@jdw`W}U2*Rx-P+oOfE`*kyX0eRAtE#L6=S_lbokQyWpt|BzU$ 
z`cbnV1}nz!bY&PM&+vWm+qeaWLtAqV6|M4@*y=8z@jNniK%|uFr?*P9*{<#qUq3JKU|`mZtb84 zfPDwmW?@AYI~70}Ac7gQpFxWWQy_*{{{WKqSxBN|%_3X~y|O142Ka&%Mh!(fLYJP5 z!=sujx-B0wL_HH8%A5y*czcUuAonhG#~djwposjNmb5v}b<7#6=Jy}y+9#Hh z;pZK(!F!io3+di_KIC$2Nxgc={5Is~8EbT!g*e5Hem<+!$8MxP7pXvqODf55O$S~cakm4F(LRYUIQW$Vus!@H(-K;oPNA|P+0IKmWeTxrr zmC`c$JkTr)(8%|{j-`2LWG-iXxF+~Usk=I;cx7ytZp89CXb4y8b15yZh`U_XK^9z} z$FSPdiH_IHmGL>B*Gt`|Sfc^7{6@gQdcE=~lu((ahe-Awj`>1jl(gwctvsP`T+ z19DL3q@F~os0lG61AG>_fWA2-pM~hnIHrnNzM?6c@-ypSSW&LA(XcYj)Y6 zX_}v;e;Ts_NKuWnM@n2XneOLO`(1G^I5(Z3L?=L|jsIOdsb}p-)7p!QI&7d^oeBj$ zYr{bx9lbo?r6E>n+6I{_Wr`7s9*YBCOy|S)9KrnMw&nF5m>0lJki!DM3&LQ;@QkWB zWF6?$4%+Z||FX#%s79UfHI}a1mr$#n){RRZ60CT(Zel6nlj$G?k0LB0Nq8NbrR;V| z1zEtsF`OEt*0!!Z)f)|&1Wt0f9{%%^61vNvDbQ@E^XTj#V zpC3i5)4#Y7itm}9fakfb==L&}XhI^jlwKm5PP(v!m7Vhb*D?^>JJgbgHHq zH4tFx(syC9j1lmL>Ux*@2YagtAw3qtx;rK}m=>b&-RlDwR~J6;(C+pY-*#?ldGo^k zgW5W0o5`l+fsNuIt2HL_lH(4lxyGFJsRu(L(x3M@+)}r0=mH!6gDV#>n*^7DMj%|B zq3l#za>@!Ncx%<|T(0=zXMOf?YrkN>TADU&azs!O~G5VBP_QMkHRz zRb?a;5HSy(ADZ_u!7a!E1B%7^dG*Y4Gq6{oa|sTfgff>i^z6Hc_g!nMFrnmnPTmKu zKjg;kLj!qN2nBqH;A#I*G$*!Hl_-9yv*7AbN*k1U*2^?aI@BM#u?*EoO;``d2z#H3Aq3)I7Nsl?E5>w3ON<%7T9ZdK(i`a; zK6%}rP6(Z}f%xjcQ;D+rYIy$GPpMXIxpH%|>G!3ouD!kv%Qxrf<(O)wU_#!Vv7?28W`t2i5%wjKOltf) z5(cgGMWN~C7gKdMWi9IHRCJ$65hYvVmKt(QbIqVqT$9RqkLGP#}5Lwa*!W(d*z-Z*SUEVSC#QAIGS zM2H;efdNHU)&y99p%HR|GZwG~A}0)~pd)r=1^9@;A>`X?@wIO*~y*u&`9plu^$$ zYt>V%mF@`C?i+gzUY2g|248P%pSDPzCeD?fVxBtAiGB@#NEv|`if!2`3*S-|qLNWm zu3?8>`7|URj{5F(Vxv#3`=SE))@&4sELu6KqYEk{VXo5B6`pyrY}6vH#Ia!$B23bG z4yXvS9@>R}WJw$ftjWSjc|#mD6>V3UCL%gFW^Q7fnDru zL}yDpz(Y6v!z;i;?}cU|LYo}ir(08S=%%C|Y5GWN2^t+zQ*V*jq#$_b=MvTjTzdRe zKDMP#{Fk`C4J5r?MRg>#AYGP-r&yNYaVI@-UM%?8hwU ztawUvKhjPiAv5U3*YRk)MQ%}gf;pb({R`Teeza70hm=X@v6pJy&yjUbZDjlEBpuUh z8gPPg+3SAI1Sxg-R56-b9JAL6=mXocN{l+h0-wkGVz*u7*uT3fiD&%}H^CYtxvXZt zkgmIVtYlx9n^c{@PE6BUqs#dxCe%G1eS&{c`M8e5aPxne3DziK)=o-Pk>A4e=~Pnl z>27fwHRgE>-nhtGJLhpn#kB#mHRf~PDVYV5mZcDm2G6jnCf9N*x^#QLHQ-N)icKa*O!nHXN&w5H^|QpuSv=YU(0( 
z@GMXgTCm;!Ns<^LlGskk0F*>EkqVeyqIy2h?qzvh{bPsXH(KtHcH>wYIIcFN$n-EV zpsC9^G!XN-O`p+*9ij0b;~mD&eoEU+E8JzriUh7O)CAKZU&E>NsV=QSE@=ym@w5TU zf2-}S_*{7>8x<0uay1J+C)mv5C`Lq6;+6|^tlCU-+3i;S zwCB3P(ey4zPL-$W#CZ_O;!A$C=W<`Hbcp&hti5{-IavY08u)?W{*z{PHJeY+n^}(_ z_HjwnWTk-Ob}#WO87-xSHmJ~dfhnZ3EqT;vE6?DkugH?L>BzbcRKA#oq zLN3pPsU5xe*R`Q8V(7j5+gFJQ-<07rfM^Xk96ss8eNWqLBXvp(aZhX@Wf_{;z(`$K zF4gX#Z}3t((su8^JlXE5<@Tz(uLn>Hcc2u&hfp!_@#AjXZidzo0U@LIO+sfRgg8Fq zYmG^PwQv@~rN(+*emzx-;IucZNWw$x-RvLaT9?#^S+t=Wky&d}R6KSgsy6fKW+t6V`i> z&FYgmqiR}|-DA6UxLe%<@kx>DV@7b;Bt1EyJBvg{PX)Esc%jm{pyKbUf{0r~kZjAy zw4n3Iiqzv&g;a?P`U)%}txDRv4EU$7s@Y@5 zeFdPb8agGi*-L*`=@pwxC_@sOI3(J0CB0~|?(Sd~1SatQm;c3K!XsAN(2Ai3=6?tB z#Vz2v&BOuukqu|kSSESnmAjtm7PQW8b7e_z@u#;1Zhb;Q(i;=<%>`Wyc)SrFr;o`y4XZX)Ch7{3N z{I0?Pbd3KH$vyb(_fGDKbr@*#PqL!bAfc%6Xq43C4VoBC?Q{e~ zLXD7&^IG+ozeiJfuJ{RV)Iy@aR_(MBYYyYRI6;i~txg}UHLRsU z3D7%`6vhm#K|AL1g@e8M;i!z^X!=;6$aM4Bw_N+;e4Vr?w@s75%Esc-!P}($XhWv! zoV9Zs(77^#_5P2kuMCT-``&(3TDp;z4(Sd@TBN&Ey1PS=9J-P2?ixCzyQRB32BhH~ z@&Cj3(-yA-XU94#?zQf<$*G^y*gr7DnB-kla3R>N&3n1qMvUN}3FESsv!Cgbg13r? 
zUBW%xwS`+}V{moed-IOPJYJw%j6h67TGxeq&|Yq2M#4E?@PxFRJX`I%_pa^rt4JHn z*5_PSNj-$K?aGH2i^ywROdM(z;% z+Tg9nr+B~a>1ap2K@;4#1`AejLu~0gSg;`Jw!fe+4lufIXrD`0je1izz6)P3epiJM^0oF*+^3f;k5LcWBgQh;Q>Gc&&~Ex;B>kOsT{Aa=an<*=MVV2Q{2wWh z1WXsNPur^QWMdw^B3(5pydnBUoet=g18hDt~B<`E6#8JSUx z{O8}0 zk`*96(nuf2I?X|?rp1YN5KX_Ar7HZ|vPl;P?!~Rf6GN1BQGp363S%OZy9MI)M>Dcy z1CQ?qtLdSue2+xG@*4Ao`_j22qHVBD-Dxss0~r3U5|5eTD@6hxyk=gQpth*o;6%U< zLf=M7kW0^c&ENs`;m=0<@B5@ZhA*-44_m)MKj&^kNJ5lVK6fiL0ssdh46Xv$v9|8H zD4Th(_BU@zI;3E@=xUG5g_~RQwG#grIiizniX>)Q3_A_29Ap2ZJpr9c_HcQb+cPKdRw4`jX zM^~3M5I#C*t4YEid1;5c08far>6L!9L<|K7XQz$%H!nK*rL|(=A0i%c0m5PCHUn1KVD7$1z!9sb1fVU|@IxH;U#; zQo2PqgU*Y;3f_YI7JQ7*4moGrnEvyb8`+{7!SRtrqdUY?0(}k+&*HYKI|<43SM2Vy zyXKL%D?L{wPD@7L0D%PqU*9>Lefa#}MUSlcJ&B^!8u4(DJ5P#Yp5KYl74uzjLM~b8 zR3xM}!^}Ge=1Phm@Z^g{= zZ(g+3G+7R1BYdH&%7@-LB*@$h+y=|)i|zX1u?z*Hw8H|HpmphTz#^GZa<639r=W3Aq+TXz&lg4*hwFH z=&4d7v%;dD=W;d~x!(>r-{O9Czt85;z1I$u#p+2n`3SVdDaup{-5za%q~akJ1Z+c1 z!imnoaLW`0-zod5V;!|pP}X|CHyTzJWY?p)s=^+>jY8YjdXZ2(%dRG2&NBu^rgw70 zrffz0V>8>D^KI)N{l$)Eim;_Dbgd4EGu2 zkqSIZgxg?7^XWZpMgo$rme3^mQDg=EK+wq;ftqYabwnr6U2wpS_@{^)(TFgX{Cb<) z9m)r(#6Yk~;ncfqOI%kAcFwbW9(8-xx9Wtvhv|ln_;p;<xo;EynC|1l3%4BL4 zY=tMNzu&`pUhIS49u@?%6&|BAov)SCo}nLg=|tBKD6v{k=|B5|DWV=y;zVg(jm7)t z!T+<~>7o~3957nWUjtfzI;0wJmV~h!tmJ9G+1r`@-kXd7YvKnEHZ-Gy3cRZA?|@T&{PWjqh}&ocQLIU}Ivt0f)U`C^kUP5FN6ttZT3IYU!EqWM=)E;`J_eGP*c68H{*X<0U+|y#D-=3yH(BuS<7x zko0@^qvqQ`jz$^`WW9(+6oDOi(Hp)(c>b(~_Ay=Z34MK68L$NRIt@}sTf}}Z=7PRH7IIB+OSf#{ zaLiHUo?>6oRg3yip@Kc=fXP{qouGUtgVm~n5JqNQ#fOR+Mn)eotqaN}8etEVvt2^- zCeG)}V}9gQuYN-!U3K2u{gIZm5N4OxFRIar?3BEf)kSbxY<2{PHxr?C=lj_hBG=`P_3MgL`+1yG(@7&L93QOW9hU#y10zwQGGo_5aFW(+Q z)V4U8sv?wKktzptG1+)!Nzi!}GO%KAF{=KnWZKIaR8Ix*1)oT!$zIB7kQ=yX6bAWv z1FRGywG8nI>Bpqs{Yi`jYq=*H8aQZGE`|KAF&}o2pD&H4`0?f3TpE3h#wC;#vuId_ zZwDpw`FlU$M$GKO6%3|iTma2Qe3VqZ#=%5fur!8swK=(%)(L z0@P=zkiYVA!oC$1K}mL$xb3tQhHRSFdt5 zV!t9L|6BYV97pg8VzTVzL&aLB!O#(l&M!aO>%)CItfz-z-(vdBteX;{CS2_sQ$`}r zd@;+(;UDfqq91Kdu9X9$WkshrVMcb~cKX2c(^NMV+vL9~r)mq`l3=Zxs0TR>8?M_H 
zIeLN+F1aDGIUwux-`Jcv3;nAw1tn^nx=mC*?S{?57yMqio_%S^Rc%f0tvAS}_J=IL zh8Fyr;~AV>@JVO^26|QR9<38}T`IKIodnK>&E(awsa} zy@`l)FAvZvmF3QFm^b?B{%+stU@m%<{yM58Jxcna#a&Qk?`Qlh6Aj_bFCA(vFdUbt zj11qMNdWWs*FTpiG zy2EiP-Z`a@cjHQvE^^udUh3q zE)ycIcyCnnIG|tr#9~p4FCNAm{zVaXag0fVSc)_Hj1nNdy(fhR z+Fp(Ud>G^%d@|G~dl`k#*$RcIbUJBNi4n$S5x)PWQL|pWnrKs}^i6K>#e`K~V%793 za;Kvn)ze|Y5q@Ha<{Z-Hu6Ui>{|GtuLT(KnHx$3O5Fpmbet2Sig2o*sHhFgVW?XPh zDx(KopvL5d^&;bF!-bQ(=*5$Ru(VXG*l}vb)s$b?E@WjbcM`b|vu6)JBr+pq!$`9mFLAf+ z5*wE$Ux%A<5uKrXk3s)QO~`D>Iai%ULW|UCP>M znKS*cZr`?Y&w#{`-$2Q>#u^d5*iL6l&?jLb-jz{j81MP~ULF!`Pv}?xR6(Xy0@ko{-myDrZ+$-=vQRFVfS+ zl%QJGuyuSwez8L+;onj=M?N7d5mzz_bHJ)cuG=DqcZ%_!nqF+H>66END&*Jt4g8kP zWF^GD2h6^=#ebG%LVw$2s0|Kyp9Q~E>Ukbo`QM%8%)%N}SEqz62^f1QR~bA{7{%3WdQ7FL3DRIBo~d+lDFp^;Xih#ZalI^Fd-nb+A@^k za*pNrwx`9AfV+Nht#5Ok_IH;OsxKR>HD;8Rp zC0GylWj&DMF{b`hJ=~&?b|GB}0htKMub_tS?ki5V%sqB5kJ^qt#q5&~Fw9XB5fEaG zP-a@i=y3#?ZN&v=00{ny?jRFEj4l@?>1rY$k^~x#UB5DBt%F)h1R@<&v9gJHjb-ja&X#Q05*u=iBjF{Dodsr#bY3ucGVsEV8 zlSQYWiwM&hbWZ0x%FpJY7Gql(66j)dl(Jby@6%PgD#OtCD`0(NEx;1ff{{|@5I8m( zMjtADd13WrkcRm2P^s)Cn$vl%GQ=8bJ*=G{(zhizje)!$E)q@-%O2Mhi!Bgf2ZIU2 z?}m@{s&y{pS@x`l)s}4GYUc{U4Wkp~_wH&IxKJI7XbSXG$(m=GfS$kB5rw%&pCSPT zK9nM;ie54#XxbLPDkt)ZW}(?gs%NlbRiN|hmEi)^SNi`UH&UL7;Y{%tBe-vsRvd|= zO9ejWAV^EkSRC$&NC)W|Ck*EPwyNeoCj3}Eu5nmdmu7S9=E!Yh?;6lZ#zjcD zKlQiJbCCUa=s z(=?7YDGa5)>63ZUKhF21-`^x9h6g(L<-EkoBQF(O}kZE zurcoqvd0-d@1p?QpR3Rb5P>AefR!_xj4yqrm$&WrgfE-o$gTB=X zK|rddIg><^&#Vn`ZPvRg{NPT7o?@yv%vb!M1i|!qm9g7SgQ- zr_RgG?~=kt-KSqIJWeqz*WQbZl|Sl@5_gwBJnC3Ud`0!Y{amIxPb~a5=$gP47H1BM zMko1#fn&N<7;{t=^VA;_ij@g8qMUD(PGXC|U|Q-TL3o+5M8v1qixCn8$c#;O(EVvu zk8%aJX5?-T9FQeQy?B93TgXvPO^T0|+yzL(GQBbP6O7AOrCegsTw?HtrSOb$R71pR z9ILcKz%}%uOO?ePl!U(???=Rh99#x*_06;%gZbXC$drnB(` zT~VKzHUByLo@DjpEv%XlXTNbYfdOLm>U07+jt|x!&hM^>r=ZbTooff2T*pu!M z)Qel?Et)9qW<2Cq6fsMGmMdvR&DEt2peNemR67A!iH%!Q4K|8@a=E-Jgj{x<_Xr3TJ)KPO z|8_b|H~M0P30{dxROD9Wf*sK#afG+@QEs5NTxiyCW&xe%fbap2`C zq`o(c@B5xL)8*hSNWMzUyjK{H6(NEV*pQa{p)dd9K^NjwqZLLk{ZP!@Z#ovKV($x4 
z?1;kIQaP{U}d)q-VJV|bf}@g^pnkSAmGz90LK zzt8tzPUmzz^9A`ynxZ!cge6#TW2FVNkL`+4DGxnt3FJ`ri4~S@gzX$WhSdIz^jP7+JC+!_N`Z{6_dU-R!uoCy`k!@xvApYh<3AO6gD+w@T zOPe)%R7H9YHRC%~r2;CGLfg&GSvDOtrszkf+o{)OwU+4cPK0NGd|%AgL@QWBr(afC zy$Dy_e;hguS!F!f->ks5$8JFcG#8?Cqr9WLDr6zh(tNKp6=MB#a~ya=c~@R0;ZYrX z@QwlQ&@L=DMvgS98c$=zHfp9U<~XqV zsTVA0pruuh@!2@>+dr4D7422bl5qQd1At-ZhflG}6RX-=TY*&CG9vG95l^4upK4s0 zG#KyZMvB9GZl+Fh&BKjAHFJgL$lFfB&Q_O(qHYf{*IecUQ@YEs65BEje^nooWP?GX zT|f1JKS(?Z3L3+XNkKdUy(f26bvQfAJelFc_nsrjGcOxqKO1D%Z^wtE?aH8umZU>oX=t8oF2y?X{AUiA!c5lP``VjKonBQ3Kd|sie-O8#`Nr3 zC%q+O!V}eHdF_LyHV+i^qdy)9ppaUsVxfD_opjc?CKvCJYyRUtrgYYnA+-I|U&`SS zyP$4WGAizbW_d`tAQsi|TN{a?uZw`K^HHh4TY$%0-&#Ja)oEcH!2iE7R=xqEDBw;{Z(tHajuJI#7uC zZQb~i_g!VGJBK~g-BpA&!3h;WYEGYhbd^VHikl{xCvyn_V|A(r{n{lOFdUd>hi#+z zBzkkT?LEZ!+oxC}(Jb4%o+&RTqo~5F;wZ1bGhuajeYRNX(dlA7#Ou?Mar)RAfta+X zGlMvZ0<(FrKO>yXd-#)?}<(jP&cg?pToO^N1)_(Xl zvsIl1WV~xDl*9``nWl2~mYz`2h|?8olysq%u*ltA#6MGL-^(k zMfi31A(rmjB6G9O6frR-*Th9WLZsf`k4YCqpON-B$Y3f9aN3P7b}Ifx24ve6C7Uc{ z9eR#x3)_Zi)l8xK@eZ`scJi1dbe+P;Q6lKDx^dsR>HkFr1h%SpKKIv2Q3dfVWLWos zEM#(zo^1-rFz)>Qzl^_h8ZDxFNN54J#P&W~S-9|bS0QV?H)@DVhh?|^9WXUT2M6M1 zP7-NBbIJ$&_`7so<{yR>3A}}hs+u+8D$exO>z_neBh=*LKZIlj1)BbBB8N5ZNgR4P zqWuvMVWTam(TzRnBK4oCinar(iZ?RJ;$y^C$_oRA4_-5j*V`HBdx@w!59_vIk~VYA zRE^Y?hYe{4k}X=D)E&>e}+F;!!yT!?@$k}k>*k7pq3w8BlQ8<{Xpw6_t2MB$c?8P`t?jN5%YCVKE39^fK zbcb#wGl(rwzekoRk z&@@{Hto6&S?6wZBixb$P>Z1!bytl#;VJiDL{X5eEfqx}5AwR|)yfs~yPQ zwf;Z81(Xa8Mh3G;tCOztNi9Zx4gdc>B2j!>)f*|eNhwix!jQ|Vfd8^xb6ak=CvA{= zB6%#I!rs9K;v#a)+w*3q;XE4I4RNVK>a&($#w1pN_@x|Tt&SR)ogABY0wK569MAa* zbyQUtj!n&>Ykrf{pQEuq ztGv@3a%{SCS>X{86Gju(%Z?=Kh=UxYZv(vStWFL^!Ts4D?D@z zad(A%mkJNa2PQJ~UH|iP9_F3$L^6-F2>%&f0z|n_-txQmca$#;l@md zZ^%`;2)O)c+r}aJ%&`wy=|20*$%YdNmQcSi536m&?{$e4o7&{4(tDIz{X+Y}&!_)0# z-rQAStG#Clv9UF0ZK-p8?jrI2-&my%cOL?x)@+A1$L)rUrBF3Zh2_OCX7>0-f`eU zQt{g49Mq=b4w7)l8?RAHtvj_W&ZhSCOq+CF^Gds)G`2c{>KCa>s^fGM{TSlPMVPB3 z#|_W9(PWiGutbHlu&08j-ConTsLO3FaWcHH)!SA+HUj#7WB68lUzap 
zGm3_lwL1#u(AK(QxE9CNUBw_>FGsB_A9U1E-#`(+1x>+PcdzQ3;Pxj?_n)WlPNIHP#RM?J&Na$j#qK>IKn3PfX4Fsdd9 z^PnZ^8jeHJ@3?A;p~<-HBfnA7_4r4FEf>3%7dT~Rytq6-r7YswGS9m9z5{g9-*4!+ zW0(mrkfJ>Gu8TeLo%*U#a@ff=s(iO;!HQU>vBS*!e;xtE0W4Y`sm?p?W|G2Ru z_@rN;vDEeqN8AbXgt78d#4tI*>S8%bYH-*fM<#n={wtv4eJ0uSVoSegX1^8^gMLN0 zWtbW-LZ>>DlUo!11v{PXL_z7Ud;#wkMnoc1xammuvRG$Y%0RaM(0b;d_b(bl6z zFwSGfit_8wS|4$GfB{p&?nldVLB`93f@Zsien#1&neM{YQ&>$U)AyemS_0Nci)vMx zw`EZNiYmJ#3RWT!Eu0&5aZIE6MtotIRBhp0h2UdCFy-LSf>kq}$s@=!FIEdYA4Ei3 zkjTXdoYR)q#G_bUmN-B>@mJ?4 z;!e;o)~*-)I>Ek^<*rIebtN{43*OGrcKPEx<~--jTg!gtgv4oe9y>++ecuB^f^N z@^r3m&v{9hE2zYgP2}eM=f9vOq9jreq?K*}(gWL?X_Pfsypkpqf$;g!8+HNIF@97uboh>C*dZy? zme^JFzymG`SG?`x(opn`_y5Cthb6gwiVP%IefL}yE0eZ}czEpb$5vw8>cin2v>Zx) zvq0T?(4`@wZYo4{D6-z+4nvMFNcVUOa_-6GWZ&2*!Bbdp#h}Oq$o&Oaj+o@+^|Nxw zgV41T^zg)x=yBQb*thEj?1UN?>i#|LH^!B*BJkN8JE_~-luOc$ScuxoVm zs(4qsc$KmxC1qBmL?e^3xK;Ki+vw*0#YBT(*MDz=Avh!7k~-7pL%imx`tvsYQ#baI z6(Z2n!)X`(S-!PmAA|+`zO}N9po|G=A&jy#S0GEvbrt1S`_#6Y@Kc;K;K@LyNQpKu z(A3M!@xwm2@X^aoZNO4h5-6KK9!ENvj`>%FD-$tkm}%tEb3W5FRtyVwtbZ+4gVZfLWfR$Klh5}Rj=?RcE1NFgfm@+qk~`o+g`LZ_Zp>>rTC zBtS$!sp#F|7w-175g4TyEl(Mf{mN1OCu*u5YaH)|0(YQU&z;(>7oa7H4HHC=-&tZ+ zt{?C3R!XORX{`3_?_SaxseKu$iiH~d>Hm3xe!IjxB$2|FCU80{Tot=kZDDs1>GeBRbhs&xFMnjy*SE+d&Cx9X2|iRDx$fM{o2FedBfS6G=%rkJf&wTo4{nlpbW8ns z#C0Iuj;C04|P7wco_;tyzv zP-QtC%;xf48Rh4IZDClis;J9ANjy?X?H!hBY`>BW`qVj~R@V^!EjFe&`j%SqR4K2A zP;fu(%ZI1xa=^f+1PcZs`uzUNl zfZHGGKfQqi3}1U3$9iF|g*oKz#EURwjv}PTDTztv{T$6+hPxt4fSI?v4XYZyRb7(w zkb{+xsDTjC{^RFgUQ+;DtHA}4T$If=i*Td8-v;Wn)>~rU(j{(Qmz-rN-S^vDZTrjj zvw(r5Au4;eJGQDg^_5vJ450zgAXS$9F*4!g3^>1XC22V6D2~MLxb>~Q)s*$qfcjXv z{r5j5YasB?l;k+gRGf~6X{kh6v$4*l8u; zceYj(9eOP_U^l`8Cx{TF&LA;oUsxfW4p!fc@j*I7l`ItIM(v~ac*eVzn40_SUAYv1*&S8phU8tJdT#zB5@LJLKGE z?5x?FC;>OMjRRbcXHa&e?w7!Vus8jEWg60hDHx@5IL?a{F)OCC6bI2>S}cEf5MEm6 z4eL8v=W1@t6r<$5dG6!FY6`#T!|T7;X@N?tHnS?}U2yZ?hl77|k5^&wHX6K;OtkE{ z_M@#OX9Kf0qLpNqn3i5UQ+cq;xgNdl&|_`nv)OJMfsZyAol5TWpmb^Zm_&3d5$7-R 
zl*szCuf$WKTuurWpQSOQe44}*Qs-MNFmX=bP$C)?FEwjqi&jzAx0#d|ue@QHTET<) z-V)40ZDt&;sZlv;7FpBvw;i9_hj(gWz$M4;)7sEV%M-6b)4RG_C~i&8sy!A`k&(TV z<5pyQpFx^t%}KS9TxfzY~yJvaf?g`R2?Qc4{NsM!YV9 z2IGV0YS>eP?;QetTs?Xq_cV+RHo&B(d%eW~=$KZ&TE0L^uoCJWfO^A_!{3i`Iq>Zu z%zgd2LBQKji(vW&w^y&PLMIs{gybqnLeb-c7>q??w&^9_qT#5?0*CrF7J#WO|8?Lry z9f^-MWmcGoJWPq@)be{2=;9c9V^e%#+c|90B(4pvSzs#UamxSeBj(fJ=cAZWj!$q+ zD-Vvxt|$B)t1&Ick6wHdq?w^p;<#&mGmZCC6j1ag==)D{^;%QFm}aMmXZXD%k<=E; z?=Fz8%lCGQIpxC-*30Oef6B3~1(qSl)GTru&xa_|X}(vgu4UA>xvOjkfhb3-g*V@e zH(-Q8*c>g;t`dKn68->9M1cxqwK-i5luWihe6Vp3p?0nYQDRK&WT(_DPny%^!P@K8FSYEvIbvMD z-qFX5B`qr2ZzY&Zr56ZyY28rT$PqPw&w!y;sa z!r=%PtUviUfi;>pl+*It+S2O=OiSn3+8)XBYGXX@le^tTwLEJ8*}wgb593_lwB&Y2 zaD0e8=-44(r8JIpBU=vD8=bzQ9FA>j^39y;)A=1IQo-pP{HJ8k+8Y{e2*P_RFOW4W z)jSk!*0q%rrSBh%w-urB7f6^EPjHljulq^j8~i^FRnj&f_Ao7VgJOMDt_`gl-QE8P zq<$iECN2qE88I@LL#lMzA~rhvB!Jyr&ciuXpU*?(jMmhW7Ld|%2jV~3jG*^g=PjFP zxeOux{cv1=J=W<8V}Q^PYSq`YEC-cC&bPnXmp5r8|YlW21D;?b0X=b-z88#oz3}E4+92&H#g|7 zjbAr#VpdT4eNeQ=wB9_mpl%!Pl=fagvgA6VM83`0uV0zUFR$XXA>>8kHBgZTEf5A1jD~Q!bW_6>Ns)K>Jy>F zc{C*Oqu&!A9^gP!OJcVqa@0!>8d;M0162QM zq1-PPwh6zrSk^RSS;z2AD;)vfaEmD{9ajv8XAbQx0=k27{}!EZ#z7-xgu-%FSy^s5 zkVM}R-8r;4W~*5|iR8@&Bl+$NW$c!g0L_6^V6VAPMbXf&ykI@Hyzks>=P-o8fgrn7 zK$Un3u8`zPtU8l2a4;YlF%Ttxn9K6!I}qk^Z;67W&jQ1G76F&{JS>=d0?r31vG~w?Alk8jLtb z_p3n%)w7BqwIAoPSf*(r&8C|U9FFQdT~Pm8AV@^Om7M1NXAe@pb)?6JgmY|ij}Keh ztJhYkTx=f23_X(h4J}F0$PnK2k<8IL<2|+4*2tJswXsa<7XG|+!i6I?OxaJBS1P11 zWrB#B{!lhpKpvX;8r@3NFu@Nwg|8hsu%-nTfc00^HK7C_5%!e{A-?Ao;oJ$ed9Td8-o(>hK}WqM=5W;~6CtO(K)j%^2nz4js%f&X~#wkJGaB!ViC%1xd7&udl)u!Mp*@rX2Ht05M%I% zf<2EVBu5&MCHNX>))e5JdSQ&eY1 zot&h=_@KdpD;FZKrQ_EpGT9qS{tCx3SsYhQ4G8g9{xS>3RTQD68$1@fAu;X+!BnLSR-i|$Js|DNAg3_kE=_HRBy$ve;Y zWYl0D=*wq}K$vFnY?8071P})WOCSWDlK z%+NUUn40LduB3L3Q?b>4JIot$U1|f>nvj~9Qr@tT(%CsrJp|-0&)tiEd4^HfpHkW# zZXbuN&z3psfaEM@8X1cMj63*`n5%wF5fF@%kK`-T%Kq*QF8+^=QZhXS#{)bI(qAC^ zSUQL7p9|gY5omH2p|X%y!CM_>O`Z5F#kUv`{vX@i$iXmMR2%yumG_tfJ>cnP>5lWQ 
zml@|dm}8P}t_k=R>{PR0+qyAVM9q6FqvEBWeltVIX#1!c*zoI!xKPT*o2yV_En)TR z@#8Rl^4o{X2Gp( z|Hq*I)e%yxCKq3pc4;wldLUnsbYzKMJE{6hNrpi5?#7f*fYmh6S zN^5Z~`jDwCgAlGVml4Q?-rl!tLO^f#J%;%mPAfuKHC9tf=y-kM#r+SV#&lUjRGf(s zwI1LfMBK5FI2CE`$RM=mMe^;>;lkcp3vO6Bu|R{goX;&2A<;Mny9a9ED3MV-z_xo} zCVg*2*3J@?-@;~BHJ&NRURe4|!!2#FN2=WT$xME1zEZ1g5Z}J^1V_zkp-nEzxNekz zqMx{ItGWBI^00TXaR>Z%VdYe!S@u%Ftxgi zsOrWY6`ebR8Q1g{oQImZVZHm4$se~BC|HBl)W{@B3MruB$$7h=h{+uyOiM-fK3+?8 zmQ9kvd`FxxPw&59q=|xl|2y@0e-SbS=Eh*b=GwQ}W=+ffOTXgHwQ!ZbUl|zi9>Axh z;$2=4-^3LLF`wlYyMAQnJ`x3-9iE?|T3oX}4KPk7sO8(14PJhMWpX`b+1rIPH@*>PLd{&8E$+?`QL{WR=m3sp?4+?2bn4|E4?#+G9S zrbz`Bk|UUmb^0p3uU=fC4cyA`ajBAxVM16DI_(oKs||*7M*?A_G<#zFU%*|?GQj;) zI@AMWGL)Ro8$Nj8{oVxJWbSzJ?w;gUS+w^e{y7wy~GE6M4_ zMraBC+iVEy55@nCe1kw7x=T*QX3+`U?hFJjF-Ql-4763qsxUfwQ}I6)yyt@4l1(#H zvK$%64jE#bDAavYk0EK5as>y_F1`ln9=89@ zPztloRV|)RV)4(jFRjWik;tyu8{xfL8mu!;rw=?kElG}RTi39Bo`!zyiuQ6AflL^{ zK-g1K%M>I1DPfTXaB|DojkJYKB^HWV^aKFI%u6-~HdDr2>OOva-!ic(bTk@8F!1vp zk_PL=tGmpNf)zya7A>1gm6%NWZGtSfcH)uRrw;Oz9S-@*7KV?v!GL}3laOmIoLm-h zRo~B?m**1W;`$>EMI%0g)4c^${$Y_ZOf6JY$SOo64n*yu7LJTfo?fw@!3ZbEw4T|_ zqK~V#ejOXTO3wq__g=JDM8;a^bY+o_;!_pmj8JqTqE2yq5m+rTu{4RIdZ)Pm%eSei zaKDboZu0F_v=mmkF*{8xS~Di~Y+O0Sc{&5NDWxydUl?S~9j-_w=F0mIUKyk$;y@rgjQC0$rDJ|sBhx~#Onl|xJhpdlQISHr5-Y_+ z)-)gmQn4As2X_UAg;7}A)Do zp8@XsDB7!!bUYQ7=p$L53S1PWhV~1FAU6)`rHIzPwpdI>g-L%oN=HGmQ|?B(YsqO* z2f=cf^!|5sJ8Ch<0oW_jhoz54O`Mb}r{YIlh?@)I$d8ug=qK+!UXLZ`w3(IfEL?ee zUO`GKMrhQvW1o)VVbb?-TXOl?zRm-?K~0Zxq@1(~+TL7V#!)0led#*k zOl<@ZzTclg&x`y0wW0qhmcJ&ula%~`_UDnn{d!Y1%wJk*u(p))SC#61H-;~;SIbzC zPWbTvqe3lO%UJP^VNn3_*1#TDP6_YtCv;x^MQ8llgAxmUBi!wtN!#qhhrOlzlMzlN z#IJN-te~74ttHR5ZV-@9YD_WKPdNklTSV(IkOwS#e(k3SGyVl zCV2Dj<)9a(yG>=XZ-pAPp#{QXK&aZa)zh)y3fK?G84{+V*ZY*R0@oGGlTn z(9oT!qwyRtU^||IZF%I_xi+yH{j^!fIQ?Y~zCcR8T6p&AynG*}Q*AW4yYum4it%>G zwtb6FFnrUjM)@w;?7QylW&L9Luj+7dp-Zz4^0QxBk6(+&AgB8+F7<(KL3ZJC4PGw>=1!y$@u9~baUat#^TC)@4MkX zgD>QCLZpx@kVjtMbxJNg0{h8xgFHOn3l_B1l^Z+NOi>8Y&kDl%)EkjmLNfd$DD`|}EiPs5sn(92cQTTh~T^%tKU5e&@_zj7a 
zlp3nZeHQGnfkyzf^3{xWXvzLdN(urnVmLm}hP94~Saln-$y<*{ms5qZZciLvuw@gr z0@G$Xr@p8&C?VsjqQ6iG;qJf>ye)<@0KJ6W+c#jeX+t4Q?g-=2$AYZo!Oz=N&RWUb zqQ%K6=)TnH?}nk=KyBYg;Sic*7s?8DovtLjuJQ_4H{VS@pJbP8h;^1*>0>lXn|AKi zGMV0Gn9XCjss3rCI!Uv&#vkZ)^8U*l$Dv&qS1w;HLEtG`gy-H{m>lFc%7KQ4@2Z(X zT-CeKzVTSi1St#@)U@XkB*aUb?!N0J$|d+nlPg*4G|!$klb}!*Wwv%WiQi&xXX9#| zKE8_=ss7&{!EPrOPDyMTk=wS*PmN}~JNfm!#nuaOgA7ZP+qma(g(${RhzezPkC9W8 zx2!cHORpIqhck9MnROUByGLiVwZy0!VIX?m;{-Ge^YK4J{Kp2swHgVm<+~Obec`Js zDV2l0ksSYzUMMr)h3=QHCf`a2S^>j;kT~a(HV&UCpL`*Xg4`L|Q;w|A_eehL;tr;l z{UDf+R;*HV(7WNCtfBq=$M0qfmw@ut6ZMD5#*L~*yYtSJwBIw#Bb;ozDC_0o<{kHr zT!hHP%l50~ogu3>3l*I@8vSeKffF0<>L$^z_`B=<=Fyc36#aReb!Cx!xP7H6z=+AjzlE;nbc{6yt?|MLy=Lu*7~#-E}k!7PH+N_8Rhl5 z?B^4I%0?8h?xl#i3=f?ikNc<4TfBMc@c+aneA7;JB1~A4^Wj(mxL_+}E>K_`)h6*y zQH|R>Lva5LLMg9M;9(Z4QV^*rVQ$6~3tZd3d=`q0C;B95mEh01`f}czRc?qb*Ext> z)9==*7>wHcu^XqaxM392Y^-}5sE6FO2`r>A0@_weMJo-rosMIL6cfDb<|g`n8=LJL zbne8?yke+|HKLM>AI8=slFT@KtyVffY;48Xnz%ufekopVOgz(>7wg`%bnx@rH#`q4 z7%$qZg%1|jG&=|j?hEdfRxlwBeFU#_V(A?zcdXW7@cnqAty!DoPF(}Ex|eR0Ub+#Gl9Fza?(QxL>F%YLZlwF&pT2+m^z6c1JM+w(xX*pg z%rI^>);h_O3(bHhdZ@N0ie}#kIkQA5)Y)5Fa;$}XTK$0yVbaCSz6w?xWf%n%@Zj-t zBi6kwx#(-(w@JK1mW^L@u6JO+29>9Ja2Mh(M&>gN2DnYztOK@;CvW#(6N5cvNV#H*91rxBy5%C+m32a$LAy>m~A@%EyFYHx4K*s!Tx)Duw1y)-=G1>_*+B%Jbs3rekbW> zu>19@(^yx7l#Yzal-F5x0CTNkSs#|FTlur!M;=Co^vQv+i;&Y(nNa&;j_xpBxv#1W zX*?#A_<|&xhu7Pfgsv*EEbqzW3rumBqw8MtXIuutwbtkF>wZHx?t8o>{`1`e<($BX&_ z9HUB6GviA0waH6wjjK~E*G(I(Erh77l_Cc6(N>3oJ3=2lxLW*A=QRxKd0BOWi+k0B z<)GduL7gId;>F7_f{J;3U0G+^9dzh=L%HnXq0GvxvAE8JVro*7khf_BTdMu#A~0;5ibVM z;yLmy^8%Tknl#TVIWodx9+b0}=BCzvzYQLOn413{Vg!t62#w1Q`N-6)eN87K91GzR zMbaOoC)7w}%pm{#C&vx*0Yg1hfkO~EZg6AKRj50yDr*VIw?W_mk(y6a+O@}m5PVe^ z*j#FulsT8ux3Vu-i;WHNaS+a8eC*xJXsG8;pR8{d-MUPgSyVwu5ke*n zmV!wFhm0}L+R3s_aM(Ze2n9jVI%d#oDLS8v7ttExkbgtj$xuZH_#~IRnr)plgOVHy zrsj0wN{8G_LcbmrJg=@TPxBkz6EMt-;RE|MY8t$yT_vjKkduRjhZyJ%w$U z5h~+2g$P_f*kd=M!vVlB>^T}ZPGKxusdpWb1Y=X`B+jpd9N{fFWg^}LPeDDug@5P? 
zd-dN#jNlXvp;Jiuftg|Q%WXRjb2*%Af(&W$&X86k?0B6p_atng;cv<|9WY@#$6`Axs!7c9&>SnPziI6cg#gh_ z$x2L<%xq;jenR=EX|Jh7e*9R#?tm%qMaWC#OQvOnJthv!gBnr+&5U;0!UglvHU3qu zbwHfp6x9u-n(L?A4V~^&K@~lri1XB@hz#>G_R<*vziBLODWvUVT=r%TuUD8RPTWtd z2udEA$52^HOYTc%2IHz699+u?Nc5jpovBky{d^i$lhb>BlDid4niJ(49GTDd5p%)TH`fdW_G-QsT}@A-lc{ru!hBSkT;DoN6&2_fMyrB zyZ)h=@`FOjgLFH_fg9=pEnEM>a%ugItki02;?kO84O;gP$$nllSEb-G9)g6+MfaaT zG3i{(s)-MU09+9d&|vp(5GtUgp%kwsH>h%8=2S0Pb8=pMiw<+htwxt6__2_&qES$LzO25_u6SW}zuYn159jM#^Bnj@E;9uA+$Kft zApS628yS1@5e9oVg?hbegfTT@fLDWZF3+1dbH7uyQEyw#AzhJbjz^*VJZ!)@GWLJ~ z@IrCiZT@g-Te9JUf|1akknfP5S;E*mv(*!|7ZZl!O zoPR$pmiX|0CRhXVs(M^M)i`7{&~1^f%Q+@6wGThzY!I>3-(oJ%cp3E;)XaYJ-PTC4 z1aMo80B2J$OPw_e0P2*lk$OZ~iQZ&}k`w_{Oj*y7_U1^9A#EaF^gUt5r0h1fdKLoD z&Gd$~RT+dGd}>O7bEPA##E}6PBsV^1YH*g{dPz{1IOhEhHF%kQT%dHtjfGHM4I9?wV3unso&3p5u zr$&Pz6ZAckZUViupC2Ygu!U7)Kb`Llv-Kxi_@JK;1GkgG!)#PZJ1VnA33pI*kTZ8B zjR4G~gK?pgW2}I8$xO?@PXrbj|6K3RMUur+?l2n!5I8cLXB1%zI;jVt-mI7D(&4U(X6m3RVy*3) zWv-P+sy_2xu>qUUNP}6^RhV`GQE5XR2i9NrprLz&64EGE)2!xSnp ze_H3|J+fn4`5ydyLyfN=V-n00DI%xUp{S}C*^q58;M^*t3eBIhv~;vRwP;Imq3!2UfE()2J-f++L=n3ItJ@1Gk7?~8yRWU_#ejv5(*`XC?ou2Uv2k&ZN;K>5Lzq$-7r%L^{E-`TG&#l z{qFmC?8Z3o-_~6iT>9H;S zvH!54;`DnJ5tkk-oIByBj+#9=WLoEiRbnA^f_7kGX~Fo z?-4Nd^XU7a_YVOh6Tt*bRNO1vgI~k5ImHX#6Ng%-;1cL$&m63+27NpfhAsW zzV8g!ji<}Z$JSP3>ktG=uWqiWesC_sZnD*sV88fG!TYNBsATjwcu6_>)md}Tu(=*5 zOL}p^=Mz&3pNWIrF3H_Rt&xb8L#%lEYf!OUWuEpg#-U50Yq~f1HWnT@unJk1M!Nxm zI8Uwid=$tEkK%$Tw%?`zfLgx)R!Sl*zAk3y9fAfYJqEf6U}gY`KYz9!>fHd1Rx(AE zTpJnWl-yQ~egNRbQnL0E(G4M}oq4H#z{{39JM?Lkk8b1-CfPM02u6cR4Y0{On#I-( z7WbOnU7I(gD|yVv;O&BsYwNFL>v*WLqBIr^w&c9w!>g6Z!iTG$#U)ed?> zmFb#FqevusXwO<}3$=9PEI0JsNIwQjC)2~AV=KqyR;9k*;%52wKl>Rpi*p$=5n^~S zS}#~k+I=^A55QWlQ(&5?Gl_957p*HB|r(Dqn!$s9&=tbE1$ z_QulXgm?9kdw+2JXTGSzgp)Mt(de?QsyuS=CK*9Y*c)j^6fdE8v!A9|bK!}=LDq~L zIc$B3YPB1QT|xa&duh}c4U;Q{|0Mz2<=h^Mj=~W6D-Fcy;v%)oDGB8g3?i&qzZ6+v zIyUUzYneG_y6;BTW|%ij90NpzpX}JJ_$sN&##Z&G6<*gsHBG&`G_SP9{0ZdUCp|sd z_{6Ia{3r6^3;{c#M@~t=DkPqggj%9k$$1o2cZpYb4;gQl&{!nRPDb&&?oYny-&1-C 
zzu-K%^_;M~^L_44#g=F=RXSEKWxdPLYKS+F8_e$yEFHm|ve{;n)S(ALMIshl_v7q3 z4azE}tFnni3`RK92|KrY=ZS*S6Sd?qqD+s&_&h71@Cc;>5!)q^4Y0{n4UWLu_Gz0o zH-UR)2C`@B-b$yUNQLF&lV*<3G$eyXbX};S(OdaVCxC~t`9t~bl&9Fn2x9PnU^LUg z*E7YP#qlSI6wKTJ%Ne?x>O#MBR)#p;u>=jkl z>l9E6=bTWaEf;&~uRVsGy|uTCnN9Kec-X+pInZ(W;~baWtco>PMO44CnWNRy(MbBd zx6NwpTM-7x{dC3}&O)VJk@&v8Ze+upW4!N{k}?ldS8VKtaZ1qorsWQB0LSJfgYU`> zU^2Kom-uKsK~K%TZRicBLFSrF9fv>jF_!j;ue*j07KS=H?qPjBIIQ=_W57*g zMsbp4=Gotg&bW_og;bi zLT0bF^|bK874LMcvi{CMxyIG>LTf}FlDQX(K&~fSE`J=k-alsL5lh;9!6OiU)9DdzNiu|7S$6fApqF29>8X$uv9ddjB z(~n6D&l~}4$!(nA8sORVmEaR{pe=1FIp>7Y`eHWLTL?w+a0pC3m-&Mav^^P}}UG90=MGBB+4^k>k8dp>>Qe8$G)yjz>71k=m0UoVmcX0strFk! z=STILJ>Lk>+Ln*kOdga-*M2CcGsMCYg1cRp=!JRYm{EQidg@4Tw8irq-!0KpE;FAR z(iJ|p`hmPLUs=komZIq1Ub|+ltvY4nsiN#^sa{s@ROFxJ2}d5T0Z{EW7yGzfm^ok> zL=lMFBwmpoi@LuW$oAs0UIVr$Rmy>IRs_T$#~sV@`9Pyx$;?LTI2jyPy*eW8P+YJk zt*T|LYCP`f70cHYRt5cv5{zCQ3Pl)o8g+7;T8G^s8;xteyQSpj?&Xamz(@Iv-Yj+#CdXo@W}N4Bb=rj5M-<%a^~z9B>1I>NC8zZ%8-MG?G+O0n04s!_%9QyC9v00ioB6~a_t#I(bixJxF^Wb*y(y*MC zu{~rJOg?oM9vd6W)DP~7(;wumi z4_N%yy_d%i7cULC37OHI?BV?B8CWt|Jyg14mZKsnxt__PN}zEyj2JyeZl-TiXs`e? 
z!N!0c8fT@U-Qh^$!bmgC1!bxNpKb`lrg3}l8tCf%q$#F0DJE0eZa&e;SIkrer@yfT zCV9Ef3Ws{Q7?=erV(3H3L$0)z7AzE)41@loX}35no&MJhWK~z?^!LGi|3r@X;>X#| z!Vh4vSvRq6P}8$GI7%vsr&gpl=ojAsuY!{lELZvVuRRQl*??y z-eM#}S%I_rSf~$|3u^aQXwUo3sGwi?sBI)MufuJ z>UG}`z~9eQiX|d4O-nI!Y)iGeW39J0F|l=a!I-M43-( zO~<#0Mv+S9Vw5Dkfy+ZZrWI2w;{?xbzBEnbwEmo50e2NVNLGWA7Fsi^i|Iv4hPo)m z_uL%{K4Myi=KO>PQh)I6l&`keqmDeWVi_*xdpE#YHR6N6`{#W&B1(=SQ(amrCC#jG zexkFVHh0``kuQKUf3>F*Y|+zMln_b-3%r!#R(4+Eb6%aPGz=w5wy~@pscIeU9B^iz zm#m$u@xAqZ7=Df&9rL74Ma6IStrMC`K3=qbGCG}g@Mf*>>7oQwY8_lTQ5b$qd@kb) zd?r~ka2)|1?t@kZTkm{98PEm8Mg3AA#d@bm9sh&}m+yYg)D|?_&)yu z>A5`kN27aK;)46+2UQoe49gr7JgbnumyNfihh|kQ4KBgm&G0l~>wnIn`+W4{O6BuD zwvaY4;3Qa1$KF2Oqk$@ceyYp)FV2wsIkPjWgZjpC^>rPxi_(maKHK9_Exc4d@(=TOT7omu#B^%Xt2T@R{{*P?( zqYnPHi-0QOgY%o{9^TJ&o&%S`LIGZ7K1kVGL;FJtho;XxdSMO)v!z@|2T%Rw&J59* z#BhLf5aCLh=Oj!m{G(gR%v=fL{TDnp*CQPmdo(N>)PbGp44hLTcmkG={2BiScVy_Vc)$bo%*mqI5S>RJ@!|LK77@&f`;A`hNt|d7S3> z2k_8^x@j~dfL2zlj9BV5&6l#m&xnKRa{&Aso_hNaxg=S`qRxMx0`3kMoIF*j;S+QDM zRMdE}#;?A|*Mm-`rTxkx?57hRvX#!$6c)4ptf>3Of?3%nt0HtjglSngGxqR#cgk6} zB0xLQvaY)%u7tD_8PRny;(fp2%lnV>#}dJ%^5esOtb52wp(&G#cvax1GKUE#tM|07 z^s8%A)-F|^Vx%2m+9lx5*i-MD+)2L=78 z*^r$hzvMj;m@4|dIK{7G`ef}of7aKV=hH{|%&4;W>wIrV?Fy_!`}b&jlt1R9sAaY^ z->?|)^1+3%&v2xt?Edh@Ix@)BI%(ft%73*W^V>(j=O<%<+FbnYb5xxgA+EsV(!#US z^Qp6ihT_rFm4>yZ@4$k&ug*YO5#my@&YlCgW`%ig&*|gdjRB!993$M*%6&|^lwLbz ze~ZGRqQLab?vtHGyFM<;58k>j-0~e2et5qbH$kw1v=6N|xdZUa+{;2#@ zTy$~dT8g~qP;KMffsPc6>Cr7~0Sa>`D6TWa@?CTF9_lvSl~l=RkJLlT{i3~*M6I5_E8Gp8eW= zJ9MgT8ob8Vzh}?1m=1{(wW%`7c}Pze3({2NGg#Vj<#79}-t^GSb+kDRH|am!ceJ$z z_}(ZNugbUF%LsH1`TD-55pvmw+n+3A=yZSe;1AC?5=^Aulka#^1&Sr!pnL11MI}O5 zEa8xAF8p~Ifc-0kLRmRjM(>^QLL>Tjb< zF~wr~*XOvoMecun<<~)aGL`co0Uj+cKPBw(SjsSN1(htv!>Y%;gKiq0?vZA=10@C8 z4(zSNjdfWIAoFkDU5*qNRo3Ii`LPHZ<^{aG96L>$+qDj7c ziCq85sf`~Y+G>&K>f(SgD$#+%RcZU~dwD6RFSVvsfEyHd`@+z@6ota6xD@qJ=*AqBnb4*T)x^I<6piGML(Nv~=W757E@+wq1>a}`ryXE*(* zAy)pJiN8d)Y+EhzU<$d;IQPZBDSkhsU_5Q1!vM`NTUr>uAxHKXvoN-qfNhA_80NS&%c{xR8{qgOJ!Ah 
zh%>?bC>r8Bw4g)#eExNzslF;m2_8qwI!ZQZUqe2O#LsdHJiQZ{A16 zU`yCCC*2+9z(i(~+VLEx5(vfA&dMca{obOas9%s}R3W(JZ=4eXY~+=(C#U?PwTkI4 zm2K{W9LVkd3!o9qLbpMy!e*Z(sqJbL2@7xhV)+L`JcX@)TMN_Aup0eLgsPg}@~zVS zUTtcs^5|h+(%Wz^Rpi<7ZRUHWgv))3F_qypAq#(6GDQcJ(`nl1@Lz`mS|2Wr*L9I% zt`X5TRmq2<^Jg_0gnmsoNN)zD0P_xhO_UhGz_Bp@*XgmxFr?Gr|2lO|WU1LSd91cm z)Yj8PceSH!x<+iec7eWx`g#1l8oQgMw|RzwZz+BSM?Cy3mB}xk97*o<@V`_o`OjZk zbWP#kNlXHUk&0{SlMP-S{;YX}IH^vL+DMI2q415?1)o%*@5Rhzq2~**a(Z*JCRpCq zqN`|PN=obbynisvlu6cUiX{Xsc9&KUJ$lToc1++4dN#Gy@H|9Kji6Rx#qVZ^MX~tJ z5A4^D8dbp0%J?WIIpdU3P#{n4%B5~% z$NZ+fGL(gHp^Zfx;c_qZ@@rpAIj8vLI7=)|C4E4og|dbXnk99yt7u ztF*2SZps@AYEovvd6YpiUYtu?QazBQX_l;gUMz$q`c5uRCeF z9SCbqFmh#l9P2I9$yd6h$eO>rA6+M~J`P;|rL*)KJ!&g+M3R9<3{a>Huw8OlFWq#y zL62f-?H6I9@h{{?^hi>_vrfXAVO>XL3@8m5vglYXf39o8%=1FREz)jkOJr)su&jBs zfx0B@^_Zhrdu^hRkFVOddc;}c-mSk#dq_36lHV5jlbe&xg|Cu3@tPO65N|7j?(@Zk zk>Q<{p1gitl@5q=jxuRi|H(*JlF0GYrqVgcqtl00Bp{K%E6V2+;p#l3D)#uGyr>@j zd4@C4!(%=*_**So`lCj@-kr{w$F_?A_lkt~9F^{vQ!CQZ7$mKrhZgCY$GsAd;ijn@ zZ=@>;1-bKXd(D{vKq)ceuaw~PN_~-*YbAce4d+FZnlgx1;sx4m10oSCt*GjK8B{{kJ6-5{g2Og?vNzZmX8f^M9D@g}Hrkg-hvO|#&+X{pF z{?Q-EUf)y=rhBrDLiU{Yk^ba47;p;ORnqQc5%%fiRM9muOf%L8+gT`}Lgpa_CT&@gxi#b+VXL18t|K`#Abua?ub7BaaBn62hCV_w+rSW(;P zN4mT9Y&m+BSzi)pzmWyv=)F1P!Yz|ek<~gvSOcdoLG>NfMW=7>UKtubms<)cI%0q6 z`Lx+0ItHEJ^XU)Lux#QEH_xN`Rk<`&>}k?Y#XEC+ByhkwdzEc#=S-=9>9q7bgwtdN zj~iZYp>qQ{;z9p%@kXj6!Z&=;t&PL?i#>-_YZ@AqV?fXhn5eq*89X*p{t;`jj%(1+ z6J%GENmfk!-IdO#gV#r{AXK{vyi!;}U8tITS8Z4nt}302TT^>#mEh*A;ijA(SH~A^ z{!Ps9pU{hVDjD8cE0I8iUWBRCKvD167f#yYM)Rk^#xlvRxsoqWI==WH8pJo$F+js% z#OaMKb39qRe(%hKBrP99_jd#u#J-x!$ev*)?rxNPZmy93Q6NDsDVL31hYO7&#amM@ zvR7f1s=qzB+QJej*tZ|1-=9<_!Z>~)e#O>r%}X8P@*lsq{R!VCDJPy_n>&tZRrR!3 z7EEiZtcS#5olilxF>hi<)ApgXm0c8@2p1Lc#YIK)TnR&Z5f*`91p=nhC` ztvjyS%>n!FC@<;h&3sIszf0l3y`G5ve${tw^X4RlKv5|+;4T?Ul)+O}$VeoKB3zT8 z*ilXJytw)TOe-HVO^6u3UQ7K?Yfgw5QUvfBWFcB(S8Nb>pI@HopWBGd@O-%thg_gq z)DU7vX)$%C_J^_{G_>dE=sBAX?^JcyLc%pe|0waEnaC6u6G)k?87%UPyxc3mlkP*$ 
znc9ndIUow~b9i#{$6F@bBdT>!7uet3Sp=#sw}U%qunxZ3Yb4ywDspG-mD2yoGVzk8 z#gEu)aFS~QqV6X#)dyp`H5I5wxiR&l3!h^}KA3f4R=Ds%8vRRIQ%#$g)mWIA6(t~0 ziC=~}h)#o^hm2@(Q5#gy!i;Gboa(XurYdnPblB2tM&8tO3{^9qO@+^Je4rYH?)p~x zZdkE|{mU~}R?C1_P)*s3B$+k~)I-Kz4;eeN9%OR%R3!GF&v~$RYB!z*4Jmp^)%No; z-mesh75-H}a{D(NJ*3m&UzEf$5QJ#Gv0rmo@L#YcxDV=l{fw;+$TipDs6P85R`}Ax zCb`F3%PZ@*v=CV(FZ59s+z9^=pok3G60)U_N4> z#6fO2+jvn^Tuw%5+yR?Zr$*FyKI7HJR83aeN+PTfX`h7k;@A0w(ac9OP|WkR^D$6j z1#-MzIk$nleyX5o(gAB&eBs~ZECCxA!faj#65_Ev+Fc$#5oE5_OB0ag5v_fdPzaX( ziz>;0A?!V*li^>a5903i>7lU)Ej>&Z$-F}@FX-rcALZ?Z_a8Sh;t)>kzn+W#LqOKx{aiC+INJC_noi05N%3cpts9q|Faekg~xIR3Ml*^gN_V0W^#e~3h$92-*v zKdu`ic?}9*ICA3uDo?_PPjD9;f&QjLxzT!(h%s}%s(QF{^H&C~ox{7YQPR7njr;Eg zi$-5jyocn1aeu&qMI3lwVtCI@HDFo7@-$f(hvM?kuaj}U=Iw+we?#1Xinf{GLsr^H z{{IaaY;Qb9*P061s?8>Gb^Fqz=bo3-M~J?x_k3BZxNx7;e6^|_DofHAG^uO4s_=fv zGzID8KVKYylGlV9Gc^AurQ`||5R{QJ{abtl81KwN`Yk5jM{g#EN*zE(&Lr!&{=Y0q zbXA~$i6>)9nDy$l+&>)#I$><||r0tS9Xjq)) z#KnP)aTj*)49U#b@_UM`0V+YG z&R7}h);}dahH+ncr5R!JtKl2~xxlnaUIwJTp<-j)L>8oddIiLRt5jYzS?eAJ7)crG z|F3U_8}@{I(Eadkfz_xJ#|$NxxMap!bn_8GORf@kL|qtV5tXww+Av{J*L9?9o_`}L zuBn{!NI{G2ycA_YxjzV-n*)&9?oj+XTR0X%dXONp6Mjg1jUlY65~zOEWyyg_3bq_J z%~tb8IiL=0r46UuqyK1!@A6;6^}pq+)t!YFeq*oMqZu%<-Ehan^`AwsEzO#W8&KuO z-;TeMsi3{2V}mKelR{4wg(A5l{Z7K^y{;B3dP@wcl%a`x=88^^O;p9!1cdU^7^ka?C`(LKB{Rq7QY4NZU=oHpyS}D zDZwzJNeT&kV<{vX+ntO(%6V8z5trNbcjt@gN13sNjIdl%9ZKsx*2th%2>&a$iaFj*O?|xo#!W0&5ez%w;$${)R^jJb-hgf{t2F4^+-+e@8{q2+PTQeC5zG zMMv2L2&?W9F00~!mUKebT|kv}s`sqY;}C9IEni&PW>)7{!);yS%(HHRZnrIwn0Wu2 zR8i~5lpXGm_?KZzm_Wqe5`jG*a>lBR$>@VW3_Go5euE@y1wB~q4M1YFka?+c%2Jsf z?*A2S#$2Gpn~^=pI{E!RBaF$w!TnZ5aoKW+!9}FBud9PyJ;$8F!;)6!-NB(P1Lrmu zW3x0fp+e~nvMp>~hxW#W*F4U~KW)WkY$m9^ z#X3Ztj(Kt0yZ!)~0Lk^#fKAp<(CtMB%!s7JQ&Ic=KvLC&8MB|_c%jVY-CAEq9n9*D z3Pf^FQT}e}5DU2SJdJp^K1G>fDus$Wv`X{a?Xw@V{-d6=9~XiMuPi8n zA5rr9uj!}0-q*n|;~)0id@f9g2xRSNj@6I(DxuwYG}hll@B$O6JBSj&LimYdbzUCA z6!#JUV&G%HynVn~Q>9RPw#c6t za0>Dl;(||J{@F!S10`;{HN3?beMmw^uN6O1#!Rb9jp4i|gBu&ay6o 
zkA5IttSoM#8Gr_ltaJ3&?>s2A9p8LD<^OoN`?+~^9$JR$WW=kv?&Ie1l`C_b25|@I zx<>M|gK*SSzNRhH7qGzeN51vf`Cx&+faA4&Yk&V4QD&!SZsFj#CY>>3YYH$VPcCQC zqWw+mj|(?-%@CZYPSP@=6pHg-8{X&DP zv#sXVj;pM?BHha38N4egmXi{`d@~h||F@WumZ0ejxY%{&yrYiwrH0x}C!+%nu6u=~!hA4ZxAg@8ITkWqyPWiOntchrUZ`?1oe?o;b_eb2jFnDOM5D7XWq?#KY8=|Z(@Ri zsJAz;o0v1K;W=dH%7}G%7=R+Ex>CSqf0lM@P*Je(e=UBzc+9dZ65{6t5@N`xG?>16 z6(0CHF3a&&t2kU&+%s(&b9{ux?pYos@7(5H z1x9|K=eBokRJ@lSS7sbb4cOU@Itb^vbBi`fXbqOj8f@+%hJG$x)}7Z zsN@Kep!wxk=)UG+&#i0pvEAIE2}oYD;6g;zQaTI}x(ZIXDtOY+5j?UE7j zA%%?K1CV2jMA0D9jaWc{g=#Pg10(2HCTEF`7XO1P!!#es=0~BgBTZeLEq9O#LCt#D znNz2cBd&rA0*r!>H*@hk>1<1Hk68M4Zkjt&MMN)08leN0mn)`wgmz2A0=0>7`w@IT z3Um+q9?{5mV7GZ^5md0&V9^KYk2$#UPqek`AhZrs|2$daBfY#WUKTMn$4u}IIpj!9 z+@_I4n>c9)bnP)2dA{-67m`TqF)<;Qu=a@Bc(CpNMY--b@}oM757rwX5|JJ&gg>>* zfsAAsGI=m&Yxu=;*929M#Qp|pVG!ng?U4Vi!YQF)K%Xh~+qTVcWtd>-$FLv5`}^lo zD0=QvtfaK{n%L9Ts~Rm8hxOP4Z~e%F#eSjt;7+46`G->|!2|@81rb~zSicElMFMln zE<3eFkq5uTKco{4Gj5(%)7GfG0q&+55YbMr@yfqO+m_R z$701RqREoX9<>);tmrJTFz&G8O|0iLEt|0@`(F2R^O$eee5sR?V_3x3+FAs}WYDXj zadHv9=efWzo*sF7c}RXr+<)aV=qtVw4Qje9V`_z$s?#e_w;4}mxGkO$En%L5BL+^Q@JCl`P zEcwNNNE9y0sIlbO?*TQ{0s&TMj`iqYsbVwbWucz%1xR&(Fb?{2Vn99XLbl_|8qKic zM@Q;__=b#n?V*)=k7tvM`U`#~oJVdFM&4+NlEvkHnT})01~UXl-?n%JAK6>wh};yd zzRNO)Q+!V!x67^c6ckh;m6VPCe9~0*(d(kBc)FU?oa+h85})xgd2;X`I5TSm*S|Zk zZ7IT6ocRbxeY?U=?+nMBPB!j?R>p?8kn8#>Cc@cMGP0`RTH}zn7)j?#qQFCudJdPR zw#~2W#vtoYuj@%AaOnhFUr*icuFJ#s=-8tZ%jO+1UELCZ7nK}-o_%AE6j!Sj7tY4{rAqmY)<2F(MgyKz9^=|v?Mu!4KanoK)H+^$ zc{C|a%8~M8qh_CN3(%FlwO1T>;%}W?U4EpM3C7JmmmiE=@u$!n&*|W&-Bl8b5?wI2 z?;(Ecz9~Jvh(`?#;!F3SelC00WQSxeHnHUsb z9tWE_dV~0VzRZyK3(?vu4}0`43VPn{c5xjgClc=cqO~P4$wsOpS7^uR#cJeB7f_MS z@UZ(CLCPwUmfwh}?k-eluL-bd!X)DJ(-K+fmq|pv`EI!_eO+)A1~YYkbHeHiJR_|5nkag{M2h%pOdkN-v1eN7@VOSX8&*OLRV(eX zAR(Hr@Jlq7xq_toW)xAEd#u19E+now<@esttrNw=^j(zHmL4*%_jYKphA0jxHu#r4 zDrIRI&Ui8BCAboOeCT+vGf@4}*9FkC-7cyf*7a{!=dCMCyMMAZbEydqBwso2i>Qsc zGGhg`T_2o9sy0NS-fQSh$lSwi-&VGud1xXMy}9Zl>em`sce5vV1#PB!Ra}|Q$CGO; 
z;sErTLAOEVy&<^@eq$#0V=DywApao49*sK_;}$~qSUY!u$nqj!RH(YRXL zbM9IqLTNg1tOD9Eu4%s8L{E)@uNF?^Bi6-Ky4`IXbQi4HDr}MJYQ$GQHh$BUaw4XvN*$lDKO|vi~#$%hO1<3t%L><1Ue1 zq!?W2*r1bJoPcQ?9c~3}{o|qdn*NEFQ;%bfc!t2ndsqoZ|Da&(1QdxFg`aKf(=Axg zkMcJuq*1JH+}ks($mZI2|0)XqUv2`t z*NgJnq8BCIf?r%U?(A)%YM&S!9suljlrEIQh@e*I-#c&QpGA4skCjq11DABo;Pd2t zSAU#Eyqlj-hft0!jXmcCt>Gb290V*RnrY1ECVtKy)4gzK9X2=gAGdZD)l5k7zJ1yO zw8uA;JRV&h29(w^6dM^_b}oO0F;j0bG;-7Bn_V)C0pU&A9bO(%L8&67rz`l+%NP8> zO`9+n z^-Tp%aOeY0xF_VU*%(TCFjR#kUc^%^+84j+Als%@ytZdtRG3d)-~?dCa=sla z6S?-(D7LO)Qw;;ozwLW8|IRICcNtg72X>Kj!!s||qzby*Ll^qXAga6JZNEb6LEL#p+we>QBT{VA3R*hNt}=N(NukqBn?}kGw@M6 z_H)+zzv+0R8egq_I-4=N3Fd==t5!iuT4JQnmpE~4&?|}`NlzJlvx!-$5d;`6Zqjf) zc1c;UX&8AdhA&^|6Xd}3?k>hETQC|%_=%L8I zTGXYaxo4Z20VHIwDS^sls;vC%@Gqe`T$KJNg;S?29yQhJH6Xwm)x8Np6~{(%)*2R4 zzVCg)K5yiXjuO={*m105-8fz@?D7mm!x0~YyR=@kHQTK;aTwUmhU%h7Qe~()YPFi3 zG#8lVTN`X5Uiw6oNAFwP&Sq%0N>j#Z?&c*BFt=#At@LR!PY;w-#H1FnbUfs9E!FCc zW91m)&kz+z*Z~w5iY(R4H?SKfdD_23b^-I***rN4v;@v_a#8kTU+89%hi5iw&p22? zi;vj)5j_*+uGWpX+<)R&cAnTS)+0XIa_NlC@%7)E5b8-q6*!fc5Q1zlhwl>u20>0$ z>0`YJ<1TuymaR5*J#6tgpTL1qm8m$Jo+f&2;1yc0$p2i87#hKqD6qQ#sW&TyjGx(= zXWg%8NQi(^%6#Q&{;(btc|Dq}_ypcX4X9&sc3gJr-m7~3N76s>*Bb?&Y5g+d7u!1% zs8P}Ip{Lcj{XFb;gg`kx*Cn1{My4Q<{^2xyqLMvC8QJ%pnHCX3 z$iB7Om+Z@6iX?kAS;r7Uj2Zhd#*E)}&2$&T{dnBp&*SlaKYo9_|9SUzyRLK2>paiv zyv}*OF4y%=zO%Z<#I{yLvUb4nI_-@H(2fW7wX-v?n4xZ_sxAf0u}Msw-Dbx9@Z~86 zhMsgrVUzcm$?0(1KQEkPq9Dn<~yq=VtXp^+*`3rp4mAC+vd%^?X&mW#U z*K5n!E`M{lMBBgcbbfw(eEz04c0=z_fm-tKLM+aN1cGOW86O^4Ff%$TN*vkVa99IX zwo^{$z4!&uqg$EZT$?F;p@^rgG7L)SQ|BaljqF_|dDrZ*2m~ z@D_-pr>w0K+72cEd1q^Wu1z&kG^M}Xc5B<@Wx@gUmpy4OJ!xYU^zfQ|a(4(u+Sx4N zx3k)pRKSR{byM_pK|f@1`+Quxyzl&r0>bbF1Uln>$~M;}zWY?-!Ir+(+#ZvKJa@rz z?T}$JZQx~!3c5Kx7%MH{FTKW>rcCRdeU8Z{aNInSH<2yHTzM0=jZf*of48X-_@ojt)Vw*zMH#yTeDXn_6+u+?_iaPy?Mz=F8iYR!-0s@`(#D=ylmZsc1QT! 
z-N(stX+-JqPoMe%s|RllxqM}$9`oTiRmh4Q^SgF@&6|60Qn)6fj#u@7C^o`8(V3O_ zh0T;@=J*9x3+eHIzt41)JKE2aYi6(cF?YDKe^((4ki+b-FCv~K2vw18EoX$tS153V zyX=4a(ng`)*PEH#{#v^Ggc|mQa$|_hsWB_tt~NvqgXV4x1-UcL8Ufv(z(3e*pKyp3 zes5ax*h=*uzclbyaiYU!r8Y_g0nHgh5`xmGT$%w-F1 z4$x!KD7;F3zpZdg>=5liOcsX1htkcg`@{^B{xT15y#M+&{{gnf>I-`_Am&$v9$w6f z;CsN%Q26}UCY1L4&5|jh*pPw~FT%BSlrY?dCkD?LTH;E?chtC?i+gE{Ip5Cy$Q|co zk$d=)J4u<_^AM^heHYWAn#1v$xAPnh#kbBqqdtDTXFxqH>c;5{V)B(cvnuvlg-2~o zoIW`h_Xri#u8q^abY)ihtn#tMv0qt=@6foo{D8hXqd72D(rg}8K%nQp3UfX@!f>b6 zo!I8ZdF<_zrNXy%PTS;y?&_V89}?_5mcFlp_=PLJJZIOIBMRYUdB+hs&aSi6ZQa?L zdwT@Sn}h#2{k2&{$6D}R(7qQ3F2o<7&9u_-%KxVH)T7{R^R8{De?8dqsnUb7>zl=< zLw=rDLlVVAXDE+6uXbh>cZeswZ201Ka^D_*&eCb_uM#$*yDl~`5*E&DHB?%56pCh| z5K<;?ElH?Yf1?8jnA>Gt(g#t*J=BLsi;e=1ghgk6fAjkJ_pVOSh_fD+@8s~_PhN{d z<6<7FdpVwXQNXZotdIS>H1giBa4h*cB(^nAD;47S&+5H_2JY_#%KULR1Hc4(*zkCBa>N8W^`^ZcGPUDB@rODK{0iRh3SKvM!gq>1wDNP{ zX3p5Zl-npHeb$w;*37xRJ3DLdA*aXPpVgEi52@K#Ra!o;ZqJd84IE0`*y~ZW(&t{@_$K%CbJmWi661s&-x0QjNJQTwLr>qd5p^88`c~Oh7&r71#P;ySjqm$F60HC<#tYiTT%wZl=ubdw!Hjxf5_Goz~J;4+qZrfN~yr#GE`iq*hrn; z*Y!l0pxTZuCKbnD)$jVlaC&g}?)G42H%ZR>GH6{mzrv`Xh>NW@ z<$f>#RLGY1;Q79GvE=#)_bN000D}VZyRm~2lDLP)L1P|Wu#5`Xd9~9IZn}Of_BfS3 zU4+iH<6(A=p)j$JJEZ&jF#fnA#hH1Idd9cq{quu@<-4EUwc06~eS%3>NLBDzHtO+f zZEdlBwanvzl03I=-w!;0>NkM9^63D8>i~cQ-!A0(S7OCJE%)qi>&8BPx$S&*@9Vhv z9k0t`Qj7Fm_LO|g{abLUu3q-~d}rjAn=>WWjBR-CGc=iACB z&L7A%x0DX52+cmYlB&O7_c`gTT#e_!-@Z=c(qxw3stHCJ>O!)AMX1o``EwmkTjrB& zHW#0-VJ^je`?|ZG#YZeCRZEiA!pTXWVkVYN?>%`bu0bf%x?wPLhMf&o^F<;vZqnN{ zK8jax^Lr16_&-;dRgo7o&qZDd+515<{MhqcQrrn41{n%L%FJ4o^Nfy}-JzNRrkP7` zw6C2^;-ukXuIUc{LF{7UuW-DrR3Ye`@TugyvT?#-+Z=Nvoe-k`*+M8qP_f}EiuoT4%Yh^Z9ja`YEJiM~;b)NSl{*O}_m= zdguGblL&kfvs)V?OR)0s?6)XexXjD3?fDsRv+GH%51xUKq-3hS^?dT^u0nFh(Xy-8 zue##D9coGW;q@Z5$vi?e`qj}`JIZ=#tXNzEUM)+K&okp-mtA zM7=-Sb>;K9jzKiuDa5!>u=O~*BYMeZ_&{XJiz-tSs~G{z+OS!=H# zFk-TLGfvScfH9@T4fwqL+%mYsj=dY^&fOdRKvM8JL_@FD1-g~`%&71-3mx7>{lM)| zrN#&g$14RALMKj<=62~ExzuuBPgz1lakx#fbog8I&fjIHMwmVjt@_|ZwcssOH0sQe 
z;vD+PmpPA9{TyT5d!COjJ;$FKWoDMN-ym%7kCnA>?d7M@)t4Rm$8#tnRA^dnH z!%H!NIPRI)=}bSlgmX0)20M%Af*XUMT;0xp^>%$N3$S5yir z-{U}XLfyzMoR9qMGeypndJ`B6ky2=r&X9EIY_7(_gev(B+F0K`!E?3TG2@A!~xXVoqy5~JTh3>-H$?CQ;9Co;_b@dKVEtA#PXS&&nGP&^9Qzlkzmd~ zZq@1wnU^2aIL18i$L?Q4j(6?da&s{4kDKYr8VRSmx4zHL!1ke+6FVz1YwkWA!(C+P zZtY&Vjy!X^|4oWcDc;Gd7R{iZG|tpm`5qO=MyuppfJ*L5&i4cC;0sOt^N;V$JE4~` z@o+jmMo3L7?4j$A_PFgQ^vl=_4p#2yZo2~^~Pp9y$7^kJU#}!r1SN$N>shy6t7NW zkq9#+9QNI~woaOG|5wFGK-C%#roA;zSKdyFdsMZzvjv7US`oB4*H|ig_#7hs+ebEL ztku|2jQH?eiwUwap&Yl%!YsZ1JHUmkCe!MAS6`SQ{@!wSp7REPGr@`yw`je1LQ=)sc_NfxhTU(QVS2`Rkrp$?N#RG zRsuiDvplU&pn5QBS8guAh26LGy|=ZIwo{zvG+C%aIWp7I!)Xqw!1KL5+Y@W^nETmw zSePdMX?1RxCHrFV)4;c*mMqSBsuHEe1Jc`m0o6BT9DS6sdGy&qo=l!6zHggDUR>1a zfI=s$6Oc&%92LE*!8w<@hv_k_DJRrl1am~;&|wte&_)U8MFJt z$AeF>m>-UPqSR1!1>Wd!G}eU0RWIs^W=~S6z?k|VCpNiTA`0@QN z`My8#dZfO*|IzOD?b;sE6Mv3`Kf)^WKYqXSE3_h@S@aC-<#nywoRtFvUTL25^Vs*_ z6gb0a<(|}iJ_+&AkMIBFjokktJA(JtYqkqk4s9ony*P36-1Ryo_Gz)KCvm_PzZVMO z`Mq(A0(;prnXDXAK7PE?+1>2ZnB3<}nN=^5E!>B>Zq-#izEvv6La9{QC@O?BA^$;u zt$_4nQI^w*7WuXBcw%A?>nD3GV@_d5q{?xOZx5A|a=Iy2x8m;_EEVbnUlu4efnku> zN*_9LjibpOGYMZ`vhZeHxOOqxJltTPg@OgIx=e7UkXj>e^Rk%3AqC(g&cE8*frZ0K zivou^Gnve`Sn<9B%ChgF;+j*G03!QULe-bsxN5Om8GV~el!Ts4@8@?)*GN8~nZ_(b zd(?*2fwx{YclzmJr~A)DZtr9f+=&-Y{upnbJef6JblitYDg4o{QvHDo48OuOPCM*l zV9NcEV5+s^4L@(RP#AC7hm$gjmN36Iv%po6%G_6S_U=V0TwUak$~&bqF;Lk)=go(*<~%&q)pFWoWzQ^UK5R=5{tA3$JR})UoO&a=rHPlD zF@cdEb?*>0HJ%g#QsWySONVuYjJzY{S;-Xkq9$9Joifp9pN>dw`^&m?J~h{3 zkZm#WUO-o%;ig;pD`|EK83}}OiAPoiLYoSObI5@DTJ~eizW=%Vhepm;a0MSJ&LSA33>^$J_E>DWgA6 zj2maqzq=pLl67wL{R>}_{#+8$Lq$x)*z|{&(?V#QLNyLO$KP4L^m`WaHS^@4(vy6} zmf!=74{tsc)zb0L5GoW49eRKH&{1hyzh9}Hwc}+-MB1|uVC~9NZ4kLhP{Oo#bvg#7 z3ynJ4-@4Ly+$bXuCmwV=*&VBG8mf8s4=@#Fa#l^E0Pac@4 z1lm4>p19aTP_}Vl-6UM%U9Phw?|4ZT&ZhJF;MJ7ot1hxx?R=DD9azHr#I3Aj%T{+q zbxyx4t1u>f`(`J8v!f%m8C6^CBqbYZbdCRPHCOR7NS6E;?JTt#hQyw%PRV)sw_9BD z3>IL?kR^#w@2OAIl;F}s4xNQ1`chNp(w8@B?6c~tQ77bfX9pEed{S@cj6^lQ|Kr?o zn*{?z9&z3#|G_h-=>T$HJHPAviR`qnK3lYnx_*ii()PLLl(4Zou@_zCh?*j(*m8P# 
zENhQ{!Dr=odbI3L|IpzU*X2xBOi`J0KYiouTmBh~0JE13E>DEtoh$jyOa151ZQc8J z-rl9w7Ch+ZIE-vpeW;>7bzCb{ZihKiY7c1q75nW^j$d( z#Y-)Nnd>__=?;w}sp;5?W}guzn8yNYLN-4Vcp;irdRg~m5EPjK^D4u-nKWmr zrj4OpgN5hOr_el`D<(?>5~E+7c@$=aG8Levy;A}l(FGArueR%D3I!kkE@9dmcJ!-G zy55PxCrYO2e?ponPdX*+XHfecQJ3a#W_%a8DUiw3`0Ch~YhPWHE(N-|7UuKm6!#ps zRj!R}?8q-SeT=0%Ng<|=sqB#N%a^lxTY=k?mXh9=a-cR9rAf>84$@>G-@jv;(>h^( z%G`~gIPOm1O>dvCM&RZ*Q{lrC;%z&&)tueH$d18@}Mqg@6JdXAzD@ z+j`2F88O^Uz${ft8ylYz3LVvQEbRuq(OXI&J>MD@%EKAES?i>LtlQC-x9SWZhql<> z9_ex&{?^qyn8}ppMl>NddAx z=xt2Nq36$tZB4y%&28_c)S;l#*w6&@$L4e28^_Ax>bpBDcGY@(nVsltdZXo}k7#cx z@L6aYUeU>#?2`{2JtLa(v@&t0Z`E?Vd@A<|8G^-S!t2SM2M=07k=BlQXYyWVd>HqS zo-K@w;w+Mpsw>#HvuWKapD~_r!N|m;Mc5i?v@zaj_d$+5zJ%Wh^pdH(C6Gaoe zdz;XQNA%AZw5CAj$T{2+-qo*qzSa?9{vgjxWqrO((tCUBPGSFHu3fp@=W8+3Ta3Jg zzKIvzum2PjCthUcZJeWnb%tZc(Ud)5?Jp|F@+uHjCU|@dda$x2x4M7Nq0_poVb6I$ zG$jQQ;zfhPA3lwomMAR9b{23 zG{GB?xg37E*E5UV6YdY1ek@H(QoYgisJ?9{7eo;Hp)HjBqzN-#Bt6-dMZqlL24{5Z z%;1&%91HcszE^uvxCK3ycaOc@AN%4`w}k44wxH4j5HLCABoMF0E~9 zf0+zz2+hk?<+YQ%K9%0p%f=?^kjKqZO9qCGxZ!aW(-4GQ zDZN6{^c7#3Yl{?CfFY_90~b-;)e3S|)3ZbNDU`ZNc=a-lu}xuI|s+QfVmZ#fGJ!CXbS2vC7qUXn+!^z}g$ZM~~#EF?XjN!_Z zd%yhTL>4!y$)sv&KpnoYFxldcq+F`D!7p%YAW0YmjAM4# z1K6Yxljoj)dKx&V(urX?68?LQiQdBp6qp%wW%FvRcP3cL35uJ@$_Q(Ia6lTQgxe3V~vy0A17uI zPB2%zWBVI75tEf+nQWxOXB3Nu4rH5P~C z@xD?sF7|Cr`w+{i3aMEloPUWWPr$ronwG!9kKL+NFoJW2%$l^Nz?K$2nOIVY3Kz+S z&tmeNVKQ5NIXbY5#lx8&w43=J7eZ9!#wua=ncV9cU2rExc6@MZ$?||YOjZgtB5d_V zG!~@N>Y(1eqK&ArnSE20)s+*1LBn45{hWyJ@8o}G^(<-jUcr7d2YWld!mP!{&sF91 zd${Em^ZJ*h&ek6?#b92Ol zC2&;X_>lP?dB|%c)-O#DuSUwObmpy0jCR*MuPB7fAF&p_m|T`X&iHn}5;n*{_0Rq9 zfrtoxd}CZ7!W`}$W$TF2EHE(^&2_7uqKq+euF#ZmgdC3Ci?k#!miE3te4nl?x4&z0 z-58P_K#ixCX%FLuAK+nY(gE>vrpJA*sNIEUU#&`u2?R~jlfx< z#?|(-9w`}#n68`={xAzHdWex+j!(d%H-WwzgQQFmM*|R@{E_aADNBVd(?ho8h79s0 z1MiUOEB(C;vj-8dR7UEk4-Nr;p4(<^19ccL>c{E2XJO2c2>p5cq6H}iSv%II7PsQb zNn$CcuiN_ZwzR(;pMTpS(xd3X^DiE#-JK;OV^){zK|1MAfU&OGL{^sRfC514L8+@tPg~p55*bT>xPyz z%je=%_9NwdCQRz)*&ID8z7X$uj-$V5B5W<8l~R(zw6z-`(m 
z8idApelC4RnkVC+NdGjYWY{@sUHK);+@Mz-B?>I}wM{N=e3DHrF#ZYiGo&)Ow+~F2 zv^HM~0H53hQm zyu|GwUaoc*u2FxzpKMRY_*W}XAl%iIVT^sn_zHz2!YxJ0ndmIVwmW*?n2VGSZpoJu zwJR;f*3H0-dUGZ_$%jK-|2%NohGSFg&lPx6bOY13J%2esr6j!nEVKK=g5bC^v;4sf z?pxM5c~zlTLBU53?pwX=v9jNXIE={7njLB?KC+Sraf26h$})5{<99PWQIMbM*&4=t z8gSJ&#~SD>6Uam895zozJwtfOorNs{fg4s|aDf*}+lG!* zi-|}g!n=zdF=fpYLlsT>?@?t?co1=5bhduf`quLDK>N*RR1yPsGG%yHu=2LJym6~) zwVV%3fd?n*kXFU`##v8a;*h7iNRakQ>-{Rc!`p{H*UJj@5iEYsUpD~9Bk;M09DoB+((>%AM^{tM z75D_?$ehbgcNm3{G~YWkyQ^ZXA7UcC=sxLx=($@=)Z+X=6C%L9ZNbuaaS_*UxUXYd zgfZ?d%Jm^KQ8X>wq**hyb>+g+F8K0t%wfLlGU1d7Hyb6~F~PC6!*Nr+t;EuNXK$aKdp#;u&&Do@R5wy-BHTEiigd%^ z31uhjG~5?PSg`(k66&{dl$!2T|NLsA?9JuSUG`#jfOE&6!

3_vI!O#rgK;DacZA z=G*bLqfOO5Ty_RN3JlKnqm;;xgoAZ~vE5bQPC3tC*gY8v^h>86FpKl)TSK9|&{7%U zusUd|bY9Sq8Or2ViCk_cng6&O7Kd^2z9EbQulyTovxvT=y%-Y+b@U7Nm>HBituF~l za#DbKE)2!kL*y&D*nGl{cO3xVwTxJ{NWVJ7GdW@l;pjayom@x9tZT~DS0OZcI*p9Wm5$TuuJvyLucp?q!bQFX zpZad@hPnYO2Cf1STHhcZ`yI28=1w#=DIWK{H=h#CjeqRC?6^Fc^3Be+o1x0sSXbk% zocvVJ@Iz)XVB%CdY=*vC(XdzVVslhT;!*$>86tUDYH}vnK}NH@ven~Y1-!cDeLrQ= zMC6E5f#_$s*^v*;VMBIEjGcQHscziO+1TbZ8uOwOlgL^JbMCbVa#N`BwxO?#C|bdL zUNxNKTHnoa3&6^Nr`S{&lzXAJG-b);lL{8K+^zOD&8cDWj}?1lm3Nt(38Wg4?I+q+ znkiddsZqVm06POGHxU!amnb%q#@r?&)usoIdU$;+u4hYJWdG4Kv`b_8@ojnEHudF+ zCF|svdh%eko{{m@KGxB?{4#_-hiFd08)5V2mgo&Y>HAGvLIf-*HWJ$AxEQggf(LJCN38dZ)8tsitL zl@ZZNn77OC?$2c#&g~VAMx%#ehzj|XwyBvvRHA6dvh+*4GWA2<35;-%)$h0*^V1hL@10xX&rWj#}BJ^$4YM z{T$W=it^TaXUD=aqudUux|uSJPz$3P1GOcm9RAso19uocrZn5$b~87US&{_069EB4 zN$YUY2n9Wg`eYUKu* zyFqj3n90(W?>(j5B*tKZNgl+|dr_hfM?Met1fE62*A6e^5iwZ;KE%11{0a9MRI?_x z0(ZTwQFSZaySjB+i?lG;eHRf{FY1e15M?x3@li;IiTA%xB0UeRZJpQBR!hz_pq!`u zJ9E9=37TnD*vpEYCzk1PYhvqCk@>YaSe3DmI~p-RjVJirGAVHCdgIwOka6M_(9AV5 z$TnPWpAk;Y1c-Tel{;lx;T>a6^&p*HJT;Kn0VGQ9lqhQHgYP#KKMA&JWezuUA3L)G zS#IK9na51e1d(P@TdS8W<{^|ZQcP3aoc*6E%?oKpCC+&%gLzfmrumhyh@A^y{ckXI zDf6i2HDQZm86p-5 zl?#Jd2Xn-%7w}5a3_YXHHa==(8yU%k6@B-7HQX%sg);NqRbkRS7?)dVWD`nqa_q&o z1*3>ACL;FsI$5$FmW{I)e>P7#x)NbUKEa-^z>+gpFdzabIdAw7^O50$0eSrzG4pdx zh_E&_yi+LAXY2{=a}qbaB2lE;z>S=xYyA!QLLG5lu>$yZ7+4ckb116?L-&EL>8AfaKpZzy`$^X=HtTsX3Ca8 zy^sCT$o{&!zUoE@f7O|fr2%=hRmV-_+2^I2C}NKV=TnyabQ9#fPnJpz#{F0t;OpfE zmVUuU0b$W{K1GS_3I~HeDfN#DoyOuE9fhQ_l;8^u2xmu>?is?)!2!OX{e|Fhb_Ij# zx~b1V)2RC?s#c{i%v)|{(I=>*{{pOX=50RG;~gf3u|YTq3H#Ci-Dla2Xhfd+sx6mO zWa^0FBnfgY4-Yg2to-O#^3IT4a;~va{bcMS7k-ko=UZXNJoBY8SzsfglSA`}@IvJX zG}YNZ$mKKJ!I)E>ooU!1%lvA?q*l^=#iZoKsd|*mPZ%9HB$5h!g2xieLzaol#JPd; z=)%t4D3pwIn0K}KaD9xnv)7`T(G?4dm1B3OXO$Jy?VOyp5#-JT64*U=Pd#fnyK=sN z9QkUY)(FlP6(cnRY#vqJf-J~Cm2w}&5L}G+j}Cj~my1ra)}v9-d_i3VW}1L6>xq*R z_G2~&De)dsuxwEsXjWBe$UfWMBNadS1ON&BQD_x^#)P3pkKkDiyyDm^e5 z2MpY-!s(F(-VqgWtJ=u;J{N?Ol-4o~KbR*&#Cx1E>1Z7rK)9zsZct`W)6?fy{NIO} 
zh+xN-mnLCnOpMXha(%{zlCraDj{9y_9_^d$^z?D}@d{fRj+9CvC6Qg0ho2)&Iv1V2 z7lK_GBV%^-rovqfJ*CP4G@d zG^DUHN_ctzy|m!>FeOo}{KJ8IAU0ZyJ?EJBl`MgsIh2K3BZ_ccS+MBnLlYKrA} z+_#)(yiEPKj#)h`ZbvF^y7GptU0Cq^hzqjICKxwJz`K-6$CRec<8UpQv5wp-9l3XY zG{;Q5iBK2I=`*_zPSAiTLH^hgu7%nFSoBEK@ZG5aCmW(%&S;ZCS6^@MtF-Uj0Wj>a zv!`TdlW#RVXTEiGSg*YwMwn@QtFSb6G-9NhQ!d5C2-5t3+NE!u5o-$y@YIp4mBYR$ zE0>uJ4IUyw%e#6xbc1Iogc((0rF`E+E4szb+=SP%u2$~v+;vl;xzH=vG#SiYZv_K9 zN4U}y=9hZq`(cYSCq2Y&yjj|uyV3@)mb1QGdLOTu6J|0S(=!+ES*IoEEZb~7vBbkg z-Nm$i9N+=OKw&)lpg?Ke5`F|$+J)I4qx%Be1m_GxpzFq9{rz6gEA{(&wm1uN4bs}n zYb75dc#?rgody@;5F?rQz(OqMb7pyfh2mz z7_A~PD%Z^y=-`U$B^8|ex93%1ReT(%+ivn))B4ko+N_}ONA0`|fzNg#>VVH5-LQ#9 z;9eXL8?CcLD)jgF_V+8W`_euf1HP2(h!cN80)(AqNx!-oWt1YM=rXzU^;+`<;g}jl+w$Nm@ z;1h=&B3?JvI2;4CvShr^`PX~H$bZ*Eh7Db9r7L264 zQZabhwadTW2fA<&8;VV%4Nl}h@{E4V z5SULzwRZs@Ifha@)F~SC0BfJ(HY63?FE`mZNrF)D2=_eq`6O5;6ra`!ukeC<%cM>; zQa%U+wdRZ7Tst;$eU^O_+V*PVgj#C0$KJn}XYr%#eg;)_hra?&4HM91P;8OMcS@;x z$-MPxW#I3ZH4W_Sj+C1`jR0T`lMcs1Zi4LgH zk^5R4&puv(ESJrTL6hp7%E#@YWoY4`_7=OVz{l0x7qCMkF1O&v-0IF7{hUUj+znSc z$A$eXz*1?s%qiU(?>O-KiPz%TeAK;^JO)XhrP&!NIMG4o^bx@YqQ{KWc48^zye(PH zLGJTtTwb~ScV;qHrJ5STA}6?r2R|BImyEoQow3uJz_*ewAH}mJBw)s8c$bQdgo4p% z9NE&uPV>sm=_4#ZSAV4_^=m+KiLe5aOYnH(rOfjBa^PsIEwG_|&P2hUuxvW1d$e7& z*1+47pg>5PCYLrb_api#(-7F=($uh1JP|XjO<U3)hM*6KuH z$CfbW1Y4?yTP7;>LwevbxcV&fQ>DR`*&Us2qEuUM=+yd$n4fx*pKTmD zU*J@DqOFuvXQh3^SSNQO#=N)+VQ8~ZnlLotrY|H#FpB7qL;g(1Hu^_r)v%?pCg1{H zP~il##5?ARD1PnSPsZj$C~QXCAP_X!YyaZx@X;N6_;9>d@llkwOaLT~g z>)sXO)HFJ6c7a=@e|nS~5r87XSK8_sO%eh`TLMJGOtR9f4;q!M_;h|wsg|45bt<>P zjS)}Dn)p_?HlR8yyvq`c`+Tbs2NaUtgqqAFmx%#mr);a+$W0wXxap?h6$qs2cvYn_ z@HsoA*$vbuO-Yh7YrQ`<;E4kqIAh>CRj-`6ICE0XLu5R!U z&J9_HK%#9+5-?6x#Uk4=z?o#&9yvch>VaTB54)lPYH#C$I*V4z_t=A}(G6j9Sx;9O zQy2L3k$+skoQ3+y)!hfL)%R=I-xLq!sJ6(AwK`V+RjgPYc0^E-D_?K+(bj8HPuO`F zFHyTHR#S;1`KiF)>8`yHmIiB?{L1ILC5~yv8+Q>rFjI=H?5s|8zfFJTd5;$R?X)Wm zEB?OnH6nFkJN=cxPE|wO11s(|Zzpn|q_!)(>V4-7QQmv|CAHO0Mc%TCH8=)|VBtY- zEf^_1`-FPs<=uZ@`CdJh~%4bzdK`wz@{A 
zTEuBv0q>FVza;p+pI`+~;EYwuE@gJ@DRx_) z=SRHT>0aDn&^u1D4`}|rBwIM(_E&~kW*moB?NwsqfKh`mR#I``rzCSWwZ<;&gB8&t)c9%#!-k8lRL(9ynto}u0UWa? z+U=;~=_w7bqeQa|lt|mG1)Tx@MCXiXz*lt6pfjI^r<7_d7`Uq`0YO4f3HUWVrKa_i zKwIf3ZD810DtAC4?Xi-7@Wo%$Py>|E79U^+sP)8gt{vuuM{}?ve2Ty@1r>i*SzyS9 zt`FIIz*unF0r%6ALy@HHdP<;pI!Y5je9}>(Sq4b_xh#Sq3(BVp*`f8$pfeu~S9mg9VO6KdP?gJlLS%_O(N}FLn(GcUjR7;NCnoOhXLbls^ePT&oPYD!HN6C9VC7NY`M4DyP!~*<87qSx@gzQ@L zsc8VTl`drE*9I9#3AB}t5@9_h&{ld%>kZpYO;w;o+5=2r#BSgVYLW$&P>+7bT>X^3 zwC-Q4^B>aB)^+x)zgzFv|LaxF)aeUaLOYWJlkCp*knXSd*#9rCq6UuuFj0OdA3Cps zvxB-sXaTF?-@zY!NmgrZT2%JCIH@ARdtn?%2N!+|d%6}8DD3F^tnz=pie?yK$?w<~ z00NyZL#eJ0#Q$GhMa`V4-`)QDoh<0Q3N8)Q38LQccYZZi((6;lsju|!CQ-4k+k;v`&Nv3POVPm0O!22F3S|k;1EU3pQ!46Ru9^rPc5~j~&CMyXP zawU>LiDV{QODmDEN5DH)FXVgCaX_7vpTz$0@m@4L_&8D{Z|@QCjy1`rtM&11rAN4C zV7>2Zr9L{zI&eA=ykm7C1=s|XxHc9*mG|DwpH}?1Ujpw~RbhZO0fi%A9Mx6hAF%hWSs$&&axv)!(4_iC<3%6i-+DSg)rZyJ}Ny zgY>^azxTi1mu`cRuqyrkulEI3*T1(k|IdB&|9an_=L&Wf|NRd6|JeJMRhGw%$E88e zKB_rkS}ew&&D61THj;cs&2*BVa+g zpd6LPiT8^$#7im7xnyiOgcNV9?F=8ywQnGX>Q)1kl4_yp5MgY(z+kbVR}xl zNVv@<2^tg?`bJexxOs=QUvbUyZD^_MIoBLC%@KnDc11%X z0TaoR@ks)#XKU`ixnr0-CepIs@UUsr8-rNpj_uYDiJ)D3;sFy$&puD6=QHhN^;1I6 zs4rNi>h0Q*<=0-5_(oYzuvrtZYyJ~x;@%LbMG#B)o5Mmq(G~`;;>c z321dwrfIc|g9g=w(~b4;Wk4p&7jUe+JHWB(r#2O-7zA){ht3iDgz;_Gu4)jsn*cLhiQ5`?KFQsuu~o4a^t&0v+niuTLzGmwf;%J>of ziRu%}jm15P10-1rcpWKvKpSj4fvRE+3Kp6Q3^0lpDvC5>mNXSdvsp*{PSqHg!T?yG zsTOwtzB>U3r26i^Bkm>?Fbs4m?l3JpH+IU&*f_u+(ZCpFsd1;Dngy^3{8ub;F05xE zxB&~*4Or}3&tfBSG!{qKumDxivjA1lvjA1lu>e)jv-mHFqp<*-x{AdHPNA{TS;Ybi zun7KlEH;=I)*G-e*nkD=1}ruZM`Izph6SjCo&~6ao&~6ao&}(Sp2dGb9E}Cw)Kx4t za0-n@$0`;HMJhdy{uK+`4d%t64Ol2|z=CN#i;cw5Sn#c30ji*90ji*90ji*50ji*9 z@m~-}WdS;M6^jj=LSu1y6$>=L;@_04eu+Z3m1@n3q8;PT_;9tW6 zR6)-IR6)-IR6)lAR6##4{tM!0EY_|U8#sl=!fh1`62Ri$trxfr0@-^57RDQ}VB3Jj z2I6QeMAxtYRnW5lRnW5lRnW88U|#$e#L-x+T`x9p3XKI}6$_;vJ{I7|)ups~5CJA3 zs8wWlQc`PGarqD^NLO_sVELJ`cfF74r9n@4y;5B7yX$m|6j0gXBPtvIGi2SvcZH-S?H+ta$Xi~#t_3nz#+3MXt8@(}!mZ#oFN>&kr 
zruOoMK%tHDUv9bq|2Lo3nQO-jEL^l%)900|9BgTR>iz27gnGG(8LctHp47sJcdeOX zPGKkG4gt-283){aGBybu9(C8C=;FV- zO#RRT{#A_&;h19 zJ&TRRQCZ{w8F>{8Pz5~;Pz4nSZv@F8Vj%!|C>b;;UZlR z`cEu?Z!6L-+LmB%OwWR@90OT&Y`|h8aWocd=LM*Oo&~6ajs>WKo&~6ap2dG&9E}C& z)Kx4ta0-nD*optmB9d_N5OCY7eEd%=LN;Il_QrH9=-YRY#pw-LY$T4#!glSv09DYj zpsJu_0ji*90ji*9@t+q*V*xt#H;av&LSq4T;(xP9AY3&3cPw%?U;*~V^ei^0D@rzC zv5`0$i?#CtR6)-IR6)lAR6)-IR6)<;KQE5P0(9ys78^K)#scib|7HD zr>+?0+#cxm^ErG#p|Hf#*aLA7&O)vYLkGw(LPV0Tv3#2ilo=oO3w)js=fA7Ds- zd+cPYZK8^m;OxcNb)zX1ubV(}6?Dg%5tbAH2~fCRLtpl7i`j|k*wERFw&q+r3S$Jj zKdZV`MkHn5&eJJC1ps3QWKnl}9ZepsSj48yWvWwYwh&1ka! zBAM8-I6Y{$ZDyXNX$P@^FQv?8X_Ay6le&FmThhEe#e?V?$zAPAneEJ3utM~|>R<6( zksN%r{JI}w<+3394Vy*DvYtTM zA=u_~lX6}Z)5c`=XQoNXw~PPv-LdI-1M%<7#KVjE>)cQq^4&9j5pfmZT<;R_^86b4 zYDcuWW^FfUm!+?3q8^)zF8TFCz==X<;S$0YwMBY7<@zB?fW0x4lO?bx%a=LNre_zR5S{?LVZ8yM& zx4jLqv2LEAYpmJfyj&iPUTyz@FKv69Y-8OrVbxf3zS8=rJYuV11kAbN2T@;B~of!t0^NEdBA!cnat;l;!h9eElLmcubK3m=6Somg}ax zqHD~u9|?@71TT38fgGn_K+Yk~7l-A6;5N(njOUB!H10K7bC~*=ag*S&;S?<})P6|d z740#_^Tl!c;vD`PC*v{0c#7weXDG{Q!zoJOu>BCvYtmzivaQ==%IA#7keY^)>Ktka zE5Y?=tz|V`q6^(J_UI_)8G`h~m3_0~uBnQBx1up5WGDfLnu7hb;%>6aw0l&#lF%-P ztu$oRW6gDLP)yA=(pL#7YV2V?=bBMmb=sX6|MI_icw*(;$hkJL_RiVusJVv3(;pnf zHuuKG*Z*@Z7X9O2H35Su|F@cnR8Y45a_Ep;21VgP z_}z1&y@*E^M%z$N>@)V@zG?2wp#R8!D(IJ-{-v<+_zDaC!HCtC1$FV$9mCb2>aym`-DOmq)*x!=1e_>k;Yj$g z3qL~<$1QjIpv*ZyjldhyU}`|MWy6-cD;8bka9Xh`IAhDg(eS4ieug8SS?=^hxpM>< zfp?@y)PU;C7B6>KQK?yjXrR+`qLhbY;iD{KWyXbG3`8QLSb+^fMR1@RgAb;~)&v;K zjxU4MQkh$mXrgm){wasW$Jbcwk3wX&0vm!#Asn7X<-BK{te>kumqYWKvV2D zkfB%zWF%VrH=&fZumUKZvi6>{0Tu}sZlw9%Gp(KJBQRj3=9DJ$uX{Nh@(U;x6BJ#fn zWtedQ8LU7j$I1nu1J;)*1~iQnff^d~|38FCfic>I0b|7fiZSFX#(zP@Vm%ExSdd>x z4-j$rA`$A~dzLUYbN1&VRU+0D2U&^GpKPt5MDqTxL9w@AI;dqpo&GPK8lcWz`q8bF9l4G4uT^fbh+ z&^j|2{Z}yQ|4!(?q|-%&lSeyv9?XZk?pet#OB;c2;1Wg3buBRaUJZ&pEF=jN?d66V(bB zVE~hsys+h}8zO6}twgELsj!MzsR!^``+F`|m+D=0Fzx7c27X zlyZTN|C7+{5O{!sFqlbTFn5yDTPw3>3_y@r@(bJmf-t$E(H(;eykr_SzwIjnyIoLU2B z$>)giKi}y8)(|4Uvhu%l2(rRXTTbLDJvn%S7tNl4y 
z<@wf%n9gd?S5yDN@qbACJXtAvj9l-0x_EheA2_{De@r2^%hu6tUljmwzfH9zwRnGS zuV%Zgo=*9#RJ~?5wXHt@cV+Tv=JxY)aC%(m+;LkyzxaqO(${+e?yWArB;UxDf=%p} z?H9Um8+3X;adGhG=mxx<_x}9$;rtvEc?kU~|7qAY4`_THsEn>;y7XmQrs8}hd|4va zlJ{HLc)NOD`s{epSC9sWzyJXOfdQE%ozW1A;i4Jg00Gg91p^@mqVCpAZg!4VPUa>i z&Q47FjwaSlO#d=i7~O5G8NcjxAB%+D=A?7|V{@@7E)2RP?WOeN<6`qw7Ied@rxtLfM1AHUixaePvbS$C=?)nCfwS-P9ptVp?D)vy1E8V8I-jV51iZkn9m@pXPa`lb6G zy7_H#(C*_;cvd*wLnk~Ym9~-VXV`3~uP7~LcYa=6)~**%`c(v9G9+1_x+P6&8&9-) zrKHm)=)b6$VCjuCZ4-m)7w=1@w5~EVde&jy2%WI%gzLXzD|a(}>>kQBG|+c_UH~Gq zJMBK}nqNNJ&ayFAZx9XBd(re|Dt?})57rX~T)!Y1mcP`_$-+*nyn^_x!0Gnwes8Q* zHp&|>Oqx(TyvjlRfC77&zz?)_bLq5^t>~gr9F~I%&u-i?kboI)vV(E5OR~R2)up?R ziIiHb?r6+qBjYM$aE?OXEZy`n;e&fw#}Dib3=+MIigf{9vN1D2`Ed;5@)D4-@8zn1 znscGDv7I1W1)tPXuv((kn?15UwykygDRWSHz^4e>9uM|P&R6YW@gh9j%l;&0v_2{& zkoJJ?-9+!I30qfs8ns$bC#=~~68tmeEi8uN)2cRfN>iimPvo#?z9R4KHHXm~IeT&czQoA_(<2_w`eHoF}nT8?C6rgAd`~ zm(}wy*T%tX-@}MK_Be&#iVp_)x9rNDk~j+IpBek$k+lSrG@cxW66y#!CkZ|@=%nkh zx5O#sa78v!$u}`SaG1{-g9@JiNH-`3`xj`qnO{T?i7y_(r5tP7ZOvim_>NzLT(pMf z5q|!pKkq3snoH}fAq!n?j%-9*d4svJIQrzzchG=jg}z;4OjFAdDrQ*5QtL*>R+0hG z|8&Q4)4Iv~4Skve64}!t+RjAc;-!6)7tH2WqiU6^yxcf&S4&tZm>^~t45neg_{#DJ zIjB&P(Nc^l7ES(bG&5xO2rfLnw8)Wxu(dvieKQkr*d|(xlYMNxUn8 z(c1C7*6P1`I(>pr-(l&cmO~E=u(8ywEI6^&HS;RW9AuXwR(ew2ju!d@k~}Vfi}v;c zc41nYl$M`n82lR53Ky$A*)kf&TMV@qw!KN2*V2gQr!sZ^X1|frSNdvvpb;@*Yu|GF z@X2(3!Vt;0Pb&uX#$;^6lxt=B)!KVLV) zow5*XzPxQ4SoDt<&KUG1(*#(0*$)f%p!>E(yX1Dq;j=3y zrRk>`l3t0&;fj-&?>|X4o72JIe~Q7yyqVsjZoXoFvT~rj6;F)|W+r67n!;fNOxbwu zzzbjrI>FeWQR14&0Ypyjf*^n~RdD


g-{!l?-=Nlq@ zfH;pQdVgO$Sbxk#d+(ylSnLJC??N8F1&(r`)rO8dQTWpvl11Bz6<<}lh?b2TazK%> zEdG=JjrC2QP!+_P61#a`n@yLadxm`9=VMBYA2#vlW|ig=ZIYoVFK?PfQ#S(u%302S z1+o>XvK0keGqXE}(uZ#Et$1Fu#^zE}=wX@CJ>2%0r6{3aQ4mM>kNS@SD+-?11{!n4 z7;vG5KUaDD@~ozAdSIcyev5Gky7oJ!dh~aJ-@wc(+70)o^Z8;N?}1>fjH==WvADDK z;rH*V@m#Ft2J5Bp1>`Roi>uL}KJ~MhSaLr(lqK{T1}q*LfZ!;Phlm!pn*XXi2BY`Q zI2jp0COMRl^nYtsWoQc^-QATa#45a0E39%bE3?7``-LIsn^j0n&Af7_YcW-GddYpw zv~2C^C8tDjlYm2xB<_BIaI1!yDx>2D@Y4P)y1miAmX5`Bc1!;rKeg1YE@n$B=H1ip)*NNMMSr=}zU#wRB&MpMC` zyCyGzZ|X>u0BwTBeA$iV-Vn~OHssq?Ml%Xax&)$bn(?m!hFj11cGDG@n3jf>9on%r|`f- z*x<9NJP|JcvZfVnZ_8lSLh7ae@pPC9Un8iT`lkJ!@46%OU_uRLE1kRB@1RGx9+UAj zLE4%#sidJThe!{HMV)*r#n~T|F+7GUBiIAqy-awOY{~tepOCJ3sucVp2}e!cdDFi( z(z$9>AY0BGSX8*6ucY+myVtLcMEY`P=%BX07L!ptDk-t+8{agVa6ho`p`M5k+qNCe)b{|bR-JF^R z+imnLbi{0@g5XB-1RTFTS-;lByXxli#Z;tUQY|Id<0HB`Ai=*#?|)ybam(}yWXQs6 zz-SP=J7uxp7ON3zsAjHE>__=+O?V8h{j})cBJgg1o(hvMPjZgF2|nbL)2mwWh=2#K zNqochTeO{k`dTrlg}5SiUSl14gW@RZAc2b^ZB?D_Jf8ksc;SlAfR?2cQ%O_uPkT5D z=)4bZa4Z+-3i7Cnz~aL2Y=s&rzHHB~tTENwq>B9q(;z%Pq&1>Hl_`|Z){rG!Lx?Uq zP0<+k5X9+o!SPz}=k=T!PR%0XDUSx9IY z9H=3QN}Q#)PRHR;MEU3|RuC_nNez@!TB4I%Tq;id9}DN%wA#mSTfy-Lp7jRuIr9oR zL?CU~4e;M++0`#Soc{D+SSYjzcW16V7}%+@Gy2vKjZ(qydtWK^^T{&1l)Uxpn)*3ld%XduKq5t$ z0iaIK;-rH>l}e#oje9Xg?oXbhotkMKkk)^_Yz^mC!rw}O?~A(lChRnsRz2}9W4%sQ zXpC)2+S{eymU~97fGle2w_fPF;yPx%w@?oS5WoMfGL<2*Ka?>a$&YABhU@tCJd<7J z+~rs#JWyIoq<&|u7>jfAeTsBjhLDv%=6a^m$*`$=dEG~n5+t$H??KkA^;$SVD=v1s&NKrA1jL%WRv)j}ys{64wpnPz*}56w2*uvtz#EH6{v_uiGp>^gL6hmt>)+Y2-#rg?Kp!zgWwOQ5|?_ z#|R9H^c{-a!<~uSghmoH7>Fe>R3%?tRud)QkY1G2ZH&m4(XNBbX@^12ni>~NzSCAe z)ll=663$sk*uQbl&2>PNJHT-rX*D%EHSHEF=gM_Lw9_Kl(aB0Z>+e3Zt%^$a`Ji^xf*Rt2McOTb=y8v5mI>jN}M+zpPFs~$l z&b151X+w*3qS;&a=6dHRv$8l@IFty(Y2Be~d=9@Kc&i+u8g6`E_mt569Zj<`w}*{W zkyNF~{f{|a8JBV433wU$&Zu5b7Q&No$MPVJ;?T9kM`#86i7@OG!BXVuk8uKdut_(D$y}m5X`G3B{q8H${o>uTV6L z1QqAHpi5dik*NjeVAr>Dht3E(}k@tKoLUTbMeQ9ptq zhNcqkBetGUD>uF70$NT#C6P{Qlv)O7+hjQLh`XoMAzNvnGU<^K^*%fndV|m9nH5>( 
ztIu#PwUHBoD?Bq#WtNtcuy7K+zEybbEe!OR#qcQVultND{C>%xS-i83bxE6@z!Z5t zp5C$g1E?HguT+6`_CHy17*H^JG5=^Bw~5-wV;dF2jgZc+6Qp*A3@RHDV6DQ5kjq9@ zl|{Rn==^Y6nM)7*)BMurO$J0HIQyN^Y1Co4?)k>BQQ{oc=uI`LUL(EJ9I zPWMQi{?McViqN)oM@V~(^1Z9Ki5|OExQNuXU1A}t%cua7Fo~C$P%(*ggye$wxCsw{ z7i1xzEDdr{D4KOV>%&@&t8i48km?BY`b%z<_XiEAEQT8|<9XW5;`2rM4R=W3bXA<; zhyuz>dTJv!dQ?buB_D-0rX^nL&N_eogWSEk`sMWd&E!1fTVU&zi$sX+mFs{4>B}El z6P@a6!CS{tn0+P~3rX4d$Yaqi=1sH_t7i=U)}VWilznRv6|hf`3TkxkbsX(>NPV(>bW6Y)h%j-4J3wud>Q0?x5GaeXjZ`TJ;1sL=2f)DA$}<|JX%ozFis0o?_PHIZ={NAg1zfdY4)r^bXVvJT2N8zh3b(VcMSbwvOCLb z=r&Jh)1Kps+{A*_B$yWSWEOt4Y6}vL8gP?TUxBPjcA}WPKb1M+_hR@=?S}agwX{vz zesjTPb>bJNdRtYde5th!HoDrWB`YW#O$gZGG~+mNGA@_z3VrXhc*Mt1PrQ5#?+AbS zEgd4fl5>6Y2ON)@Euoq_{`YZwPV|Gt58w^vn>;UXbpE-^K@>45K7K))I2du^?zVUb z(y#6gUw*x`&D*GIkpvnZhw@#Tnjy(>)sIq?1R|Os=M;FV`qE{o6Kh>om2qFG!f{F^ z0T5{^y}CE<*$?aQr%YIgucE%#1M`{oyniT0rCIW&5Fx`FdP;@3%WdsyPJTZ1tXYgm zC&naWC$#%sIP1vdz5E5F5?e^fLsRx#?;^^p>&E*(p@w2prZQ>5O8GVTFWwl<&e|ui z_YH2%Gy1(hE&06-4Sl{m#dLi*4jMI?`vN|%E2had)-*R0L=;C9YV1@^ri;+$DPx{tFy_{Ll0jb%1lq~Z7;b1;- zdDuqtaTG$gd19L&?9^&^^wZ$vGAd=-tchhGE3uo+A@@g0q9WCEG%8E^JTcJO8tRrbF}xm%dLLguH=DmM=YRnBGvDTAs(PP@FV zoWdJvCf&(VNYEKcAS_4EQt&wbQ6_Yu{U^{4n@w*P!6BOV@9Xk*GL5su&9$54%X&`? 
z5m9$KT?NUC4o7D3BHC@IOG@JXgp~Lz#B|{TGM<+vhVfyDB*>qcBpelWiS{>~?H*lC z92suBIY%Yz^8uBHslT&HcBlX;d_;Kl!DKqQ1N*@j$-TEH0+-aDmEfvg8P+b2IFx79 zMs$=ZCvV63zkks) zwDxsq62_h;%GBh`cB`jxPEP_jT=pcLSa2_@D);Jt&`f5s=ZM`?mJ$0CNurSgwAgjM z>Zpewy2D1IUJ$-d303xk=|yhTt1YVaX>S>u(^XZgXO<3}tzKOqS@I$tOBfdKoGU(2 zyjkSME2i4LL>pYt=fbl4#huW%{V0BxHP_OtN$z5D)PxsU_6eF?5RJxFi^9mkz$3!+ zJijPmWEUcZ4k0B^Ken`LM(13$MOj6;7QSH|R^xpuu`WTOI#t&TLN(*1>PXTkv&`%t z4llrf6u}z$j9&HvRMLDF>?yEP1lYOIJfq4kUESg}_TzJuUg#q3S>}cO zC~E{m;0~*P{>rK5*&i3&hMzk&mQeRpI&6x*dtB=VyCj zhsk;k{M|lJ;p&^XUoTDyK`9~g#yvL1a!t;}CNuehsK;wv{e5S9NMCLWb(*y;RoB5$ zkK(&8{Q>*;%~zMr%ZQuf7)NotoHz3cCvWb##NeJ0A%iZ{Vi>`6Q$U>+GYj5d8%cJA z5n1J-;M8Du3RCw!2YrJR%k^iHAMWtL{8s%2%izZ~~bcgYv&v&LB2Q{w|dz4G!$sg>Vo7aDk*^hl$5`6_WOgQgTh1iOqKhYiIo(a4+{ zcO&)ePo|$W&EZ3XEyYdL)dl&|&$pBjK>vz$CYh9+MAi0|i`lKycGu<=s@x(Uv`%>O zO8EG&R9r8~SCQr1kjodz<#(e|tCycl`_@EGe6Kz`|zm zFsz1h)>$f|k>)&oz8K}6$unP=URla7H)sTjrEVQ`n9`K_mUg9I?x3Wv4EQ4evttqg z@R5k7S5Z#OJX+bv<$ls=rdzEnEI|`txg*tS{OIW3(){}@dhGt#AW(tg?8DM?3!%e! zT2vK(Sr;jp=7&fR>`h5}cwKgO65sq_nd#%mJ&1fOwZQ#Xe9<+8(C-bwbU!Fru6OaF zUp)(IBx8idCF6MyIYeM@`@(y@Glm$FwaYYY`P&bElI5d}wN2}*X}kyLt0IVvBOjp2 z(=$J*M2`Q=lISc4pCf7ag@g@cslw5kL_k-a|1mUR6%xO5RR(=(4Z`tYK9r(d!YI;l zHFwBLn|Qp!xxpeT>?NHD?lh!u-~^r^S@$h^XM2t&`h}j(SwozogT8Xn!c)f?qa5Rn zpK_9I28T8RIU(}62a@VK}8im?5Zq*%zZxF`Qdu%lkOve9Rh2gjLSv@ z%oE-^f7($QfAu&ci^P|G*TshrL99c+OY)9GWd8!2cUz;xsSAnBS7omt?1=@1_Kr5v zh&vT|p5aRDcN&p1OU1=q6s2uO=Grex%t%sM2^oFr?Hh6mCfd#nDSsqJjWSNTP3BLn1=2xpfdqaVGLTrJe6DfECqn@#}*tHKljT{}+w|PR!q6tG5e}5q? 
zH0Xzf5<`0868Sxpcaq&40|$`+&0i#gxtd3{B{xkSaE zSSHSfnnZR7@rPAM{p=_?(rtw3+_L0Dqu~`1I;k0wI_S$Ti5Oo(SSZX!4#{c1gYUjF z=3oNp3!g}+@58(mRdZRgRhjrpkzUz{rFa^?MSZuDZ0FO1kk8jkJ-jb)S56>PPM zB2e5H;8G&)CrS5iO7oW=AmA;a^F-|v_>9_I(_}{TcgmX>tXVT1N;*+eCgVwSdM6k+ zFp5e98E*?t9(o^r#np(W(%YO*ENa_&&RE0G)m#|_7mmiSW6rFW(y+GA`j6<$35TR9 zt`y_ceWBS@d=q(y)+pU?zmxPUd2`O}=uqM!OY!wIYbpr;Q||XIgW@=XAnYFVYBqNY zB43#z_F9m!j(&!`On`JYm2dsNh0nHlOGxHo_l73UGTz~{AtR){Og53IH1nwCeh?bp zTvNB(5@!j?%&K*sCAVaPm!3Y` zyqO^4cjwhbXWicAsAU)^$x!4cbfY{oYCDb1p;-aowt?2e$p5ygIuu+&o!~TY}$O1 zdqFC;XvEY~N+q?+mtbTno#}Ce$^7wOLT2mB^04l~0RfsncMb@_y zu7RU8=e>12j2c`iR!R(4Avr7d5Y4m`v=rwucsPjR2_lp2pI#TgG$hNMY93J?VV)H6 z$oM&@iu~V?gpvv!6j_$)6>MCMJZt8yk}hwQ7=%GIFpU;YYe_EcLjwD2XNi ztM0Kc`2W1&F50Z?WfQb}wS<)4g5P{MmF*Z-T|MRqVKn=lB=TFLwC^z_=@;uI%Og1* z{25HgfP@_k0d%SEQz2-yb#kqmg{+7jjwOKlTtEKg!M;xcmKRdR(6dj0z!RC= zR5?IZl-zLYCVCQU*#+?;I1XfpmZ$tL329wXfH*01(;q7=O7C9A@I(O){-b0O;7{w- zomfY4K0lce1ml*@B!PGS?AffW)ip&8->XldnRmYuS{sJm?Xg`yu8jvcW>_SoRYl&; zxL_8wUpwNV#f1=DkpQEzi5vOSM$y?MnWy0RkM?1w!ag2j>jj5Jd^{I{N!4NMtLfaR za0{yfS5#yW9mR0dNOSabOfU>#&Gx&0yR${j2c>32_dm)D)V7RNN$;u+{a9W>zw?=0 z`=m^?7jm15)@Gm|-5nL8a&8`oS|!Pz-Z0Vds1N$n^DmmV(ue&M^2Wnwu8H>1(Q3j` zq12T2+M#)$NWHxjSj1c$?Rl;>Hi9BEHD@HuUobVi`;y}h>`jUnI_29!YR~NN$CX2K zNM1(}LW*syGa>xI{b2kig#5X5uoH5GvUH1~=a$8WyH}(^NkhX0KB2(jVnkQ(g9lBI z4Rre%6)3nvC_IrSr!uuy=JpchRJm8{e|Iay3JiFcdWt(yf%4H~7aYfYfD~JmXWQ2l9o}sDO70 zxaYMtT+TYP8!S(3dH=ZwGNW~@+YFPZl$t+*t(>*<$*~nREmgvhk%@%J&!n&q4D`2$ zoONtL*S}MvBj7E3)CCFQM@RZ;MQx7ul4b-@paLgCQ@v&|tXb_UP>N zrkOx6q(!4(s{N_V&7S=j8oR(KLCTz77CM2Y>t4DrI?`_3kisW%MF>ftbdd^Mqlw1H z#L1!CsjPZi5pU8o5rXB_n~e5)*PJcVwAR*=dex;}=f$jUKw~1bgl;nsgc)V{&EqGp zOtg9pgrPim0o7hi?5L+q>xif-R?<#wpY?NA-p1;S?h6U+G`(eKOT5BrO zipEv&-jO{So5r^o$_WS25cW!k9bH!G;h&%R5_wrkv!6Ax!`F4qAXJh~L88;b56jn7 zSs9Emag3TRCdJi$MhoIUnA15mG{xb)GXCjsmL-}${0_ZJC;9P|oJ0HhVcy;0CrB@M zceFPF&q=|o*)*(*%6YEhpF$={ULX6bQ1&3dc{Zn#Y>?gYvYaCxBQXPpV)}?p*u4H0H@gll( zyNVpfxAKeQZKs_RDE5>HZ@$dfR 
z3ZC>M7xeCedetj$YMBhz%j8KPH`G5W9bHK&d7KJ`iu|Zw1HCe&p+XlvXY=WC+<@dRxOslA_kR7N(x7H<00Cihw>V@6`NW>;9ZoX9Nh|YYjiK z6d2Rp4>yo1V(P-MF-kJ2_|}`I!CuyVCQ4((7#xcPSRMIn3e{7X@r=okj)F}~t4o*L#X3w2^=q{fr zRu1Ij=O7bCl3a-P?GL%jrRm-D9Dxx^(3!ay8G!lq#Ck{PggQ`2?7iX4Bz!M2uBla; zQ{msnGmFZkF$8ffv=hk)BmngtKi-4s|FG4wMYcOq9X|*Ru)w6vO6CiopoOr=cu@4- z@x+VY?TJyzBtR~ck_lf1zNj=v(XsP0solNzWiz+UoAaGQ*tfhadEEeYYd1%4@NOLr zGHp6ftE``$Q!Q{8RvE{~n6Ocqw+}EVW&4I}cJrZkpxn787j>Dz$CB@2^FGY7Ek2W# z;e`=){_C?S-zs zo=IHiIZGqBlioYiy@Evmc_@J>aJt)&^sSma)&^~f2Vi?2zkp&3xjdpcAyeOxkee@w zEwXTB{g z@M8=)OuEdZC1~_(&{oFMW4FP<@RYnFcW1&yn-9@GMMD=2+zcTA@g=yT1ox*d(7Rk? zoLLeKei*}6Orxl2*H+UyVK3+=H~d8vyS0I){zl~;o|FHQF!v5tJFZ~;Zsoa#Ygr25 zsH-#P=W%sqak*Q9Xi3#)RH5cLZ#AGv@Ey$LBbtNp_#g{^V~A^(g;Lm_I$Wi3i2c#X zjG+K9cGWj8V4hb5fb-)~vgH7}^!e7gpP94NvA8vRIX{x0G|~nhB7$xkpVow|D;No6 zL;;p(TIG&q$2)>*Y3Ef2P3`vV8)$8O8gNx;rG_*IAM+>>g6UHCIHk?v`@Q0tW{R{F zFzlFenx63~61}_Phl3!p!?s~)U_!V*%9(Jjm?cu*npbP+wXDYOf}cZ*wOFZq5zdy` z2SChUbgqq+hwRS}F_9*T$LV!c3a@YxpF*$eMN0|a0Kf-6#xl+w!I7RtF9J9bO~hhH zQ9=ui&Tyn6`wzQryW|;2q>`X>#ocS@KGKR!d?C5#yE9y*<>Be$gd!sk>NHYq#xxVY z)|jo|kt@e=D+hkq+XbaSJmcq6cb;YU55#2Tt1*Cv*HC?ms?DvlBwDE>r~Uz<@}C%7 zgc+g$NLatYj6tL)oH;157pxhQnyai33#qp*s_Khv5{IV{1AcE2VlwBoE;>|H47|O_ z6b%nK96|BBAvCN$hL8=jM8P)IfY)=ObUc1NK3?PJ*wu3~=#nzuW~%bkb*=2F`lhO& z?ZEVFQvwlMQiGmWY{uu~hbm!+l8M#V3&7b+)@I%oY(174V&1i2XPD`mY{N zwE2S6X*#Zqk6k|s&WuiD8ZbX^ymU2Hyh){8{MTnz1UCee9W#tk3!ZQ}@NklxYEzkn zzx^ogGjbg566WP2GY~6U0q2*0@(q2JWj$psf}>Ns*>w6;zH856Ad6 zQ_efLD)lDc!LT{Ef`B|(ReKPM7DImE%@gOnHMn7;%K)ORtWAD0DA+7rMC?4U8u1i`vqwaRNwatM&QadS$`%NosEMaAC&p^DrQ(eAJys zy9w!j-=Yo_9*gwp>E<=#*hJJQF=fk$Q){d2utybdr*I9%hG)7VK#mQiQ~a<&uqiag zf^Ov9)A$e&ntqpU4w% zj?CQs5qHlb;-2QX0+}bVxe921?lWtnWKI*3FNHDja%##gKC?>(-(gu)yU)sZMhaex z&N-}a=AJ_ew4THQS<}p5!Go9g=&#nz2x9r&olWpZ)THu|4;AUh^@}x z69!ND76eZ=U&zZ$4HZJ+*Z`q@%(uAPZX<-HNfhp8V;b}*bl3JzXxI?y0S9gAaXj&a z)izn(idq7upH9Me4IdryXLk-m3hy3i$DHzB(t3&f;gjE1$<|ycXtN+p^R2UT_ZkXg 
znGV4uQ$F`llG2ER$0gmg_{T41s)$nxFyD-={^V*J*M{49)>LKsQ-`VO;<8DBe%Q##zLJu-KUvH%0>FN!$97jjcQDI@H(V3ubn zB$r-2>3#zVEvlZHIK!2$Hrw)mK&fknX?s#vo?$ChoH(pjYA*Zn?c;O>Mx8NMvAB?( z@9oTq-(w{c3*IAk~0~U$i0eaLvmL_R|ctB zw;1Lujp>OAMY42F;I%?evypu9xFQqOFb`QI_bz(Hb&k6g5HXxFqYhekN<@F(n+H{J9=)?6YU@sra90XT8P!;G znn&`%)IpF8sX7fmoit-=`n!C_uEqI2dQkDOgT+$ES2DFLAVN7)SF#`=;-LWD8|lH9 z<`sSIH>I$9i<{v1?W3A@;vln(=3FaiwYN=c+l_wHO#QNM-{qls;aQDerBj(qL(xYQ zhT*1yMT2Kc+R9;(hG|GZL{l!K82IKKD8g$=liWAZPJ7g*;43^&o;g>TMzG9uHSF!2 zPgvNHcL5QHNej|LIMsxA#blJpmabG<>P(Ow`9fh##v`?`iW*p}DC#EnXz0hR9QT8O z1x0gsZC&V1F?mG!Tz}~brZzRW&|uM?gl`#SReI;6cH0!}S^3)(OphUq;SojHI||ZV z=03Z${38%8_fr6ctM)ZE3ZNY+-qWhtF(QDkiBfRRCNSVnNkXD@ws#fqeGboLv@w zi}m-^+cMXLqw1ErIkPm;+Hk61$s`0cJbu5DK7!MhObPgkLP3c;WF)y&xz4TdYS)Rs#c z+>#~oOh)^&BOeAFJ_iu>x6t0-C(d1ywQ`+|Ejoi3<%JlQCn5ZosQs4=YLs~E4<=xb z1d@vt4~B>1o)fkPJxBiTz8`|D51~7Ay-yh?YX^Y7ox{Fmr!FbMsyZORUcbUVnZ>G# zZy*_}+bLzAnK({pn{AE4Msg8(sks?$i_8Slpu@ z3Ofjqk?e{|_~MWQ$ov3sN|Wwi%@MqU85b&`cT%*8pcCf-pms$!|{actMWA z6yX*3gwYcJM>X-?^^moPW;mch2+N`ycm>)rMn*LKTMt z5i#Zkjg>ZSv&q);Lp4aMb%a(XzJ6N61vwFu%;(|y#vhAf7d>SGAC2V$8dgwW1)M#J zdo<&Vw2YcEU;}bJOw42vE$%`?j|IUwW2vEhpWhhOaelpBk{j1?@if;xKQ-RiCk$E3#$TO{Db6wKwffKMhE4CJWbBk$J~Y|^Yg1{&QoLcCH^lBRGI0T& z0GEjr9J}%GO9y=Kmm^=2>1;SE=_1hll2B?Jd-rBZQ`s|gFtON9PWIm0>I)sxd?nLu z`Eqg3jV4yMdP*$ZENj61-bvE=Bj};h8Z$2Z;9AX}hK<_CMH$)!04N*=0Jwe{whu1A z1LgDGnrH27?~iCfw&czX;IYS{1pqe@&@8+%Gp6D~Z?^&1W*YV=(J|4fM$eG@v7wfs zY9@;>Z>9Z8@R5YQZ|-4BGr#&qDtDCfL@pIo|0TcKskBHHK6!lWu&H;8bh8u@*g&Mc zY3u;+zIY^765W$MDSXD@Qm{&dW}Ez_zf0j7$|BR*`9crdR0w2Q_gu2@fY#l@)%~qS zdR#I|S5B00OB&*z4#cYyZyii(&=PG~L7m?^rCu13F=W>h0Z+O7ybGaJ7Lt_Hs_``T zp}(W;FJq}=bL zs7rlE#{9|hJ+`Zex%|4T#48ok4l;Ke_9i_d{1`BGuQ-*YcvHwJ1nflrP>3 zqt+3m9KM;UK3>NfGR0dz&Rf4EzpxneNjD;lE+f8y6<@2%>C|m9Oo`)d?xLT6$U`+h zxUBlzu6cKS7WB|Xc>=`>9(EqO8$CYTDLl34tldSk+YjEiQXW`DMJn@Mr5lKzzwAPN zlF5#-doY)qVaF<}u)mylUt;@(iwkq8Nz?GYk4Myf1-4*sLio&+{6BTw-XPkcvSkDd z<9*|-xtjCc`Q-vqE2iKt_xhP1vPiTv8{l1iK3q*itqq=fHQxxZqrf+2DOrVd`VP)c3WM^M&g+ 
zmaI5zrl?+r33B4@b!^r9SAAH>OodY%=!wccX;rJpSUX!XAuzmX%eWuj(VGyzb_ZcH zG9}lN-Y{3mcO{mx{UOBNY|E6SnBrZs*wr_8x{3c|lT5$0w%X~0F) zPwe3eYF-SF8a>camP}~c6eqkvLms)A5eDK63on{#3v{Q$#tO+FmKWGwPkzE3a*6yz z=kkl1JMO8e@#xfCYdtZMu&ujlqm)ywjVVXpO{lx`yzH!27kNV88?F)KP`WNV?%wwF z+Ln=2Ke19ev^a$ittFy7_N}9FIukc}Br1 zyK(}Edn6E2VSINTyKlqBA~cm8horEuTYwk{Pz|=5j{xeE1iI~!eB5}Z2BgHjs_Ihn zUZ``g)S+$GKV4zj$?1q%h6@w`0sxFOhmpX3?{ELn)t>sm+!Lq_HYk9ioGhMDfXaD2 zg+_Nd%Lx;iNt75D%JOPtPp!BskNI|5nnJ-|wa0!ipFWaDgA&D_X084V@Z9~dbDDRC zjjX!4fkL`kbn8kFM1Fipx>2Ftv#ZR)=bPy=N6d7EPcaJ5!MDQlHNQUjfSHjU%{xTZ zeEV(xdyWsusRem6-*VLFvs;!{#G^A#8hgnv$7ER${bCFB(mqyaEs^4I{#mE4d`vH1 zjfRz|T%W}rBqaMLubYL9Z?$VU8$K(w^xIUr4nNihC%|#MZSNTs#Nwe=a(4 zdpY)no^>rWl3iWzW+N>{+OhXbgHBNCo$?BD%6Zu<#PmY8lQx?P)kMR&fXR&(?{Jfz zBUk43*@_40gge~#lYx)RBj4($VKqYnO+!aIR2-!ow+Q27Ge)=6bxv~1lLg}6f~vLqG+b9-CJ&kD6lKzJy1X5IcWOLB`tx5J+^TS>Ddm#d*6B0Z(vQ;=a0I+*?B4LS=jWmvlk@j9YJOGDPU3k^9%d_ zlquN}d!(2l%SeXu3jdVpPyPL;WPj)~^}#8Qn@SLq0w@-6^6F$pF4?nRKoNrbR!6zj z5<4|3SAj?;dS;R5Pc?4rw|H;}O-&WeorMwFK8K#AsZ<^X#3=|Hhx%%@XqK#)EWmvU`1;#7`^JRS&o%4)xmVJ# zh>aLSf1Me53om1@NF$6V4&{k+Iv3!D@^SdC!_;%lmi0=IZ*h&?vVN1Htmtd$_UXH? z*GfHVh;Ul;G+(ECKh zowC0W=oD<#q|Yyf=N9y^pa`*^$bM%ACW-M!MJfiuo6bdF#bsQX70lKlM{^4x9LKdr zRX&s)PUjeV=S`#}8eHfBM8CjFr8>kM+^=$Pu(FArJ((B*{+I=cu`>6n98iw0K6>9` z7ojE2C`~FUa1oS#x+-j{Y(#gM9^EU!d#+w3xW&mwZ($I9dEq}M1BR~K>#yi!T<_P1 zEb6-QWJYnv0_0=e8T9cgjGFO~agt4p1!1gTR|w;j0f5UG7X%jL<)e7f%j^5$GNY3! za8exK-(=_>&o3zB8NyQcPqYgLi~2Wskuldy5<3Ge@l%|?7(!Uq8KjJvBRE&oRn*V> zk3l2M-@gS1t(rLj0WK_%AI0f!f>6pH=Ak7!<4TxWn1`MGW??zu3jBXYpD+_L*UY~O zLoL&o33n=JW)|iI{WlBCp^P6aJLx(zlsTa7Kvi;p{|s-;K;{6k0~E>q{pY{J1v8l0 u6YYTKp8Np+55L6B!))a{Jbh1r|7P 
diff --git a/spreadsheet/macrofree/waf_checklist.ja.xlsx b/spreadsheet/macrofree/waf_checklist.ja.xlsx index bf84a59b912825976d2795d233e048039333bb93..469d571cca3fc4e5a463a0cce1eebf0facd030da 100644 GIT binary patch literal 193031 zcmY(q1CS+Kur}JZZM%Egwr$(CZEM=Lrfu7pwr$(?>+|1u=iD2yt8!!2j&y#Rt4dx9 z7z70X0006&-grg5KX9lZ@#oX%&w=oB7~2`iJKEVh(HYp=)4JPO%fyUB0WrXc`2CsK zGWFgOJo7J=noWMMOXLh`rnCuudv*oE@5uCGmslWG7#u`vpx6rOv=KdO1^nwNyltl8 zP&z1o$Ft0^84z8E1z&`Z2Ru+`tJm#!jHWoA z-Q-%EYNav2Yo^rg^TBg37V~(JU9+zQYhjG&T=QC|4F$!VjI#C!c{kCtXuDs~?BkD7 zRS{Yb0``d!RzuRJ#3|8=K3xYu;(!JKpqy{gj6rf60JHAcz{$)cu6%lmh8-qEIS&nq z1NqicTgtf4n&7pe#WOXb$Z&4-wePLDNo=euWPZ~fL?*lCiY+aEV3tN-uzmUsA|0Yqjm4lur$o;|??KKi+&Th3=Vyn! z4?MbkttGnpTpWS_U&Ymlz+R+-{pgJl008+%aqiZ1&gLdICjWD0_(ye@8d|Z)Y$(1p z3*Y*aUTI#m;rd6 zz#tdq@MoD4*V!HP13(pAkSUp(dz?OAv-bBB)1A<-{=ncO5mHWPq<9V2A&eSsm8{lU zY_46aoS`K^nfXk(i)Jh(iJ$ksPV;evO_v83fdqJyP45*aQ?T$_tuuz&(oEkljOttW zibSF^56xUbdxLl?nR>-2H7Q9mL7T9HHZ6k#V<8`KRL4@;-*PwRR|vYli8xw^JD4k=?BMt(WTQ|tp&;048?w_-86S|{@jJq+w5J=QYA07cmYbH z&-l$cBdh*cIAoa`2WXZWeIttTV7Z0UEx7teJag3SjNKu1uS5F*K${(lI)jh}HxV#K zfUG|n4V248F5k!JYoXXQ{ugJim(mr|RH#Xt8lTVoG`wCxkKg<4;=bLayT)+O$6-aP z-^VNGqh#UZW@4&bZs*I_d5^EJwSNl;FU7#Kg(OM4Xv~aEPCpPVavbojE7Ch;aR!Ji zfCYf7N&#Sv3s4~%KDr1a>b+=XK#dyKlc*wRO4mx5kZxm8? 
zTx^bc8cHL&al~K>QMOjbgq=6I(e)khEE|_+8_9)rn{%zWfC<2aSm|I3DTM0l5lU=* zL&YtmvJ@SyK&-+-9!$&pE+L2ku~s>Vc9+%QV zO;!rg|i?uF!$_Z{Z3dhsb*Wk&Mkjx?Yf43-)VS=b&rj8p33 z%7aW8gHVMU9!r!F12AL=m&R@NS0gje7qjG2wFh1wXv}K3(qX_zRJA-+WiT=+8DhH0 z+3jv1C8XC)xQO zAYY)$rgT5K(437+u8xpYTwz<6*|L~%~6;U(`1 zFL`Tzo8y=Q8M!6m+Ey|nJX7ql4XGt?5TYAk_Vu$ zl*DCVb%W<+f4cZS^+V))IO@w;!8JF+!}7j>tQmTDPo(D@_gaLnK>yFXO3m^O_NC>Y z-4@T}y!mQ1EQKbWQ{_Um z%GpJiSK>i)Jl&hhnWd2pr7gbdX{>}U9HNhL9!O`r01(&^#P z8*~zg1b}$Zo7n`}U}9IEGf5;6ft}O{;Ul{5m-~U&k@5F(&$W;9fz8iD_+vhwyRXyJ zTX;6M)IFa^!Vd4R8}&`8)!W?CCoRzXHFPuZMy6lB2LpzVBOx_x$#%oUbnmyEwnC#$VsB zv4;}fy&_MZPSr6#|AhKA0Ek>^Yf1YyQug-B_;NjY_&G4Gmo0b5c6WRCSs=$Mr{Sx$ zsWPOb!aDta9To=PBH~K^o+%u}*HfYQCi|%#>-lwaW3+kDT$vd^ZH`s;o-pd?Tdu3- zc6X*$=l$oq$`jph?zy|$>1De;@j4?v`8wS!_3UwAlTYq&-s^Qnj@86vBIi2iZF}yj z_X3T z0sI;1jzfa|DA2wZaf4NGP4sVR{DK#q&GnzBF3R_;5yT<2oEp8rCL8(=*fHJ_n)WBC zcE~N(zDu%$6EIf7HL}6dh=Y3!G0NYcHiI_Ub(^9zozG;KT@m}Q(Kqanm}8ALB)BX{ zUmW&DrC*sHm>d}iG%rf}JjA!=l6xoj!A@ie{xt!Q2ZM#Hl$p1*vDKJ7e7EL- z#mJn6B@}qmvy|Dh^C+=L>b)bgPSF!D^+oUXfn=5>wkXCd^e<#yV_zR5_XE?JPChNx zonNsvXRZfb(qHx;_k8so$7gqbJ`!KbP_ss5xR5{cHD(ZPom?%A4Mr{ zO**%b%WraCgN5kiihg@P+A3*hvYvg-zITK9`T>7@p}l*m-6~~|*k+-KJ_l^Vh^dSCo z_JeI~0QLP={nRaNq8J%FL!?-VB9#$gL!K+idW3lh{El|je zr1x>f2Vs)sw+jR=hwK7Qs}H^HVAKga@N_d68>3wLXmR3X^nQ+kzS zjXP@Q?_+dLbt550^|qWJ)!6y78zJ(-bQO|3H@N$nsMy<6O%*{C=r%^+?YyvReXs~* zd3hQEno=ku8g!Bw2}jCMe2K!YAj%?5gy)Q#UI%Qu zfM83-w@W3?*Rx*mjGlzvYt%?ht8kH6f0U3|s1}=J<*$5S>v4Doh+GG6gl_o~00gqZ z?zM>(f44K%CMVB+ORWdP08#N%nsp_ySdU0RQ!fS92cuizNp+ic0hE9OjBsll2msM^ zRq_WpJ7(1ZAfW{L=XL5rPzFL*QPdxfHxE=tM5jQ76d3&XjwsR2OPUEit_UHHKM zMJO;xNFPArQuBdW!e`Nt;+6#|khGhXTc7cjN0W*Fms>(n)tcEb)%gw~D%usqIITJM z+_*2;)C-m}Sg3Z^tx+_&lKpG1qKh=k89#ihg{}7zWveMxK%2X=L)VxIR z^Q>O-Q=;NCxhFl;HZRFqsyni*RLg(kai~#bReo~qn8UCe7O2iwZE4nlz+r z$_!$9yWD1r^W5$Pp=VDO`0GrdkWk74jVO8P=0(6lgVlDZ8^J|(rEiGsm9s0TjT_p`Co6%7AVCrPfE@Rm8AUKrwRV4yT+bKvKQzawYi&bG2(fgu7qi`XkA=skJ7e(Dvw&OJoy5#x?YhT*)g z+E#0ndq9_stNEhI*m^B9;TG5-1HYp2AUqW@v6<(We8wIMD&~|##9{E1cFIwUO$XdQ 
zUeX2sC|(kdHqw0WhyWOGH?K&y$IGs=wJr~@Zgp<;>l$SJZP5E3^KBOoMxb&9qM~I$ ziZWr#_63+Mzl{STq_lNjuXxK=S+l)Xlwy?~m12Gz?P7|iC6LTAd2#ofT zGQ@|15W;FeT5w;25X#u=Wr^=!3UskfPKGr}099F9rU_+xENE@=cdVJROqSn<`mLG9 zkY%+Hm#xnZw=}051*TusuCdN=GSk9%L4@;sMeL5?)q_3p>ufY9q^}6^Ul0;JA;3Q+ zIiQewLKoa7#3xuci z2Zt1l3nC?mHZpOc`Tn-lua!XcC#4CQ|J+-{D<$ET^g zM-<;%R)juMrdbvitEr8`#0lIuz2l`$R&T$6{;lsLWR6BRSTDcM=8u5^1_bUtz<&lOH+M)38Jh&zw2cWQ$06FQBV&3h#x@x!3=2gKnGu-sD z{F#kH7@wjlxdmPrXEEDF^|w(3w_-b$P9wg@xkvhOpfQTX(u0|F|QfaO3SDs>>r zpb-DOalloU;%GMs!7SiN;pz?4Pa4q(ozwn1tvVuX9D)4LqBvu4$)~)7orJVJEbsu! zPO?%@ENGy`JUAWTMM_xf(05)6RhQuC&G;U;^s}WdOi;ey3Bokc>u1Bu8bV??r zfEWwjuIRpbE%&M~(V?G5uhjrB*3r#yxUZKonF}!&9ZvlWT-3nQd=Pv6j?U4xZDzKa5+B%Ji>di6U zg%ew0apnw!tViIb49t$$v!+CGJlqKL zFL^76?80>EiAOuc`)Fyy(*3w5VVyMA--a!0U-$yTOAqIesDzXDz<>{@BHFeEV%Oht zD_fkpzwZ{UT$mJkiw%b(5LTkK3(8E&*^QVY
~#jhGJ9S_)MViQl5qiY1M_eZDV0 zA{gb#bHX9M$^C`Qn=lI(z4(U0-jv*M9Oqo0R-6+f3?dXqcZr7tOWTsC*O`?^zN4Ihag79P&Lnnlesl*i}8Sf zZ7>wvyiSgU-0&T63UvK(PoeMCC>m3IHGAsvZSS3tsI zE=nOq6uC!SBRq9yB(X`@u3tBFw{F%BRjdwb~iCbJcV0 z`+7tZCBnqUqlTaVSg3O%$*|aLCFj)uo%tYUsZxVdaYib7x_Tf4l(Y@qm368g6{)I` zYUFl&8feO2buQfE&HkH83U0=BRY?=IdLGwFQ^DXC%vJ?1JfQ#uxJ0i7>fbXu&z=IqCQ4(LAK6^x$H6(}zfR ze7Q?D=aJe7YV+;RN!h@!hgB6CJwl&^%6MLh-Uo?#5}ySB(?k&IT#}pz2~nmTV~c>Z zY0X68B#KFo=&@1+7Y!gslBov?pklee|ImQD{2R$_(Spo?y`8TvKq$D&309~V*KL&H z%ZH6huh)l{*5kF!Vo!_8x0p@E2Lfhyl_qg=x_{Y(u>=(ppi(+y+L$zV*+gRka)K!e zYDAv6A+nGLEj!U43VOaViEOA6Nid~!fq%h}ilaOg)2(r_tkUS0wPBAW+}R9E^2Oy~ zRF)q6sciMgS#w_}+H!9EzMNE4>|nZ%{$?u zvOm4jFF`2iBWQi57s0N@`U68V)iu0H9=fJ@;~<{#DCZ z7Dph`Oyp8?6Od`9vc1esdlF2?jzcOeR;m)>(drt8NeSG71q7|p^URaMOp{su7Dsvi zRvvczBvaYIgeoD2tz4Ijk=LK%GvMLZ-x1SA=&)9JezM^1s2g`Z8lw-ew$gv6r=vl@ z_$Y{OO_hI!%)a`W*xtde>H$x(_)g#kW~t|06d?2J*=f^3%{FIIX0@?ctD^~Q^;r-0 z7i{f(^D*Yx8?koj^ov-&S=&L1Ujuu8a=YAz2Ykds0SwSh>^;kVYV!DGVWanH?b#So zDMbj~`*Ja5k~spo$;RqBw*}J!)20G!u%Wc6B&B6@Id^13WWf6>1LtT+5cm9gp2m1W zxZ@+7h4>I+89I4KxKB6(YQSZ7?rz+UG|yV731vBgW|?~Af=+_Sbj>5~^YC}`Es=-+ zYCV_-DBvjdU!*%IpaeC9xXwWLztn^Avz)0|xR{g(QHfB0BnT%{Xo_8iQKj0vyr2@) z{Qvc}j9&r=sKzpPPkHd=qVQqlnJawSQ#X!&rQHqA$;_@v zsFX-HPZV90nnW5Cn#cUpp~l_r=Us<35?qr73&=Cgt1jJu!RI;ZDy$E>TBW_Sw3R*u zsUK?3qn>6i{`Fcx%EA6cM8=S15P%XQ5aLvV+(kq#NA?=EF!813(3hwvha|rdhdEMS z(v~^IWKF;mBL9<*s)Ilgv7W3fyrz!8q$NptaJg4}Rp;<*)mu}KPp8d#qeNlgj+w4S z=d@-Xeuf!bovn0Qq(lBa2i@TQ^!!@a=lzKZe)|uoOcZi*2`b#JToXE`Zs+g~>o-ez zP+X&uh)j;{ff$FH5{1n7)8wTL-?qSA+!YRgMdIL#&lH=IrDbc?r%H;DmpMJVxB04s zZqKW2I3R;9hHz=4NY-E-Aoz?cB-8Yl6KDZ^J=iQbUy$-4`Fi=6$5+xWj@Zx22 z0u=fGC-DNH01AS!3>3tV#GLw+pusf(c#Yn93)l`dktOqTi${~E+NgJ<_-wh&Jw1@i zShmcMrGVS|ou0@K-WA%E@?!PiRP!U6el(z2I({{9IyM`uVHE1~0G56#cAZq<#yBk@ zIgLh+phhc@!PGMxaV#e|6EPS7t-(_QZ07*{aZ`Os>>r9QoJ@35!m$bw7&RW(;-d)F zrM;~b?pYm1V*H%o^8Y{Rg8?WKaE5c1;ROGI2>=*BFahAiN-dqmZzW9h5GymT-UIOtjG`;YW z{yX)w_@sTuH5=yqsAiWhw(Dmm9iE+2=aZ#6@6?_=$N+0B*5uKUMM&WcGG8M6d1m~P 
zV%BdgF@0a+Jm|`{`T(blD^Yh-^je~x*3&sG&;x%iN*BYz0tRq2VXZfMQ^T9Aug{6j z5ROY~*s42mXM52WP^tD#Fx@6|0+lN5ob_XaM_sXmIbXSCzUb& z1?z;HSwN$wr?$b%$iLfq*D^hh%)QDBe*};Jc2`&J3kgecC_tu&u{x8f9thVf+yb2Y zOM;;*4EtRu*qRvlLkZYV^*f0bAf+WDLMJkf+QBXcG%tO&NrXijIL#FDA+i^r6OiiV zPp)7W2m-jpV*OtB>XP{o>$_8{o$Zls!j1cl;|k*SY|YT`$3vomAeu^KSuc=As*oT_ z9C(N8PI5n1t{xOID6)4pJ$LCty^t?l&Q`aaqHO_3l=fhpkiY{96cVv~JjWzX4?Hz? zAs0^ka^yF8O%k9*;^c$CO z83_T8?19@zG>ZY&4)-%Oga%YOMv#4p09}&@3)Bg zeXiDn#A(*yG|aI@vSBw0na|5wp5}HQ9@RK1iQnhRCi2I_Oj4*#@dBK0iy7ZOLrtoW zBJqT5Ou!KH)sa_PR@(`vT?KCAKpF)?Pu6!8jNhP-HoP zEH{tu5p6sw-yhq3pQ;4=IIc=&7>XZhOMPM#4b*#LXN;^(n#{8#%`$ALZwO~uUg9YJ zh6$(M5GusMM+AC{FARhgL88fLXGf`%N+zWS=e5!>5PK+-A9GH!#=%4WH>t9Q-V-XY zx+8qWf@WM#xg!i=xw#zplxSw4EPV{wcMcn5K(p$j$XDTW_wF`$y`9V{0~?01E>^@* z9)AUe`Bf5t+Hb*9=pHcYm0z(Yu=TXv+nII+Chz(=ek~;^i2`Qg3D1$vdk&PCJUz<_ z$70f9BkU@w$o%1W_AKYTKOD~Kiq=`=4JSYO{xYAl-n z`?4v5h5kc|l)t4$pi)@CkhDEmJtA;W5`{#y0MC$Araa&bMO7IcM07PCQF*}yIFYEF zNj8pQq{`bW#5qOM{emp z`v3{R(0LdPL{*@!j1XK>21jXezuxLtr&iOq|;ju5w^=>?$KLqdy1rq2Q_ymAD0s5 zY3{*%2~@6>h&Z5q1#rS3NLsU(mQ*<wtaaFU@vjNG51njJeFbG z?~3-3p^SX;O2`KuWrJUm*t<80TWnzW&i-^xM7;8sdvJ6F~!DTJYU9MknB|C5dvOv0+7-W?n8!?vo9Z6fGw{JanlePn) zF&mo2EsQb4ug-+!v!Y_GFX5z(B-f%VPTu@inLMA0F360o@9-9e>e=bm!yd_^a7mIl z!3%k)@u$Ibs(c2;_hnr!kiH#YT$+!ZBf;QPTZ_g~jpnItXGZ?gA;PEd^OFm8EmI@3 z&ayyk{2;2OQ6wO?&B_5zK*$a0(U$;{VdhcfK>8R6LlM=y#xW|CT}fp~VpQ@gV5PWT z*nd;}0H=Wfh^@5@5Ze!=T9Qx?t5zrP2BQIrNIIP?8n%JY6cOhDO2tH4tFeXOwvPXp zMd$g@qQR9F#<8|h{w@q|;Sl>h%5-COVzfR8Dhl^K5?zI|^&odr1&a@@F;31nmIB1X zAgUcLEc553_M}uOt<0&qA>Cms%i`~`W#Z%Ctn;~`gKHpt^Wj|XaDzjmm1j zVv_nDmgYUql=Vy0G|gJ~!A#+P&8ZE-zz7Pf=&^6f#6pVu%A$ydL2O`&wEtpRCXoP%teFfl@h6t& zjVXU%MhU!-v0N2qi>5amYvmAQ(HP1D&?LZFYPfdZ zG;8&~^6?bE#%oPqrOub%zsA*S*gg*uhiylEvwazUZ97+5cYA?@LtA(IdA+mgcP8w* zd!V28KHgo~z2{~6Cn)WsuHcnCVP(TJ*YCr4Dhd-sXc;oM?Ke%eHi1feg2X)$Z8GE6 z`jk3;&5|63Vy^TLrnzlk5w3^M#S<>+j%j$O{ng0l=0G{GmAm)FU#=c+Rxrpxfi_*2 zp!%x+lvIpL(`^xv&pSH2nK0LX0Y)A8XrJ=inOGv|F(i0J)e`g_;=iK?OVDG0e^pU+ 
z)I@Ozpwb==H_-@X95V_&yy6*844-FoSX2I4{9oObK^68LS|aJWV?i@k`bGLfXV#UW z1OANMeqOo0^Q~*+Ta9z9P}%5qeGUJecr=PT1jh`C0KH7zVhp$csbApG&)_wEzkyv{ z##8L~>Ep1&0yfwu27V{vB{tIR;V5LNg~!7bMh}Xi99tysb@q#$fkDJ!ga4bBkO=}? z9ab_n*nc7cz>tzHrU%*6s({SPZnND8m9@rgds`L)H>t`kh7%VNaInX5C2n>!bp!~VMA{`4zs`k`rTi{8epp`g4mScDI&%Z9I45ym)o zDdnE8Vxu z=>R`1W^=GqXn-~&%t3+y9&LI7=h$=rfa&7Lyt%%av5siHsk-C zA5{S%6-FyjYIs>aj!1Ki6nQ2>A?^KDt@GMy`2>$9k${B9{sBfA{d&=}IK2p>{MdMCPhh0Xu zrXPylV|l06kRS|ItKVRVAC4N#QJn!k4E5K1>0heANFoV@0cOz%_Tkd-NNz4wAf~=7 zGP=J8|D|M$J1__JIu?#f@86*5ol+c?AK4f<%V!^npqjh@&mY?UtZ*F?D1qzgMxI>1 zbmCGeca*|9T$XoCfI8Yuq}yjPqnn;c*$`(_fy8Q41%l zxb){EYyPbGua7r}+%qw>x?}voyn!iyI;DS_*sK6fR7vi5&+&Y~0$dODo3j3V1K3cM z+6t}aU_ueLbAPZn!l9&S{L=eqh3tw@_4I_bkrZO>Bu7D&PFWQvLEyh}K>t=5NLT?F zN^6-=l%EPYQ=3FMv<bjZX+GHGPgD`88gXXS7r*{W!UE$Nhl zRcL((1VWs9tmJmAt(V;}@+=C%|NW~b%)o6_=QrKS2CMt(hhJvywwfamua9>ntKZxF z(KEj6(ChAbBc6cMd*Y#r=F)`v+go^wkxfZ*}VO7e@~l zY7Nxt%i;64-R8mkYulT(JADvwlPk9fI%KiBPmQNwsN8-xSOTZ|T+E!pQUBWfbOu~e zjSBrOw*_c9Y%|zm=qjSn<*T7BuVW23r~iDmN`M995~gOS){@=EZssx#t#7MZ z-vd#FKkY*qZ>r!`@|-Z5`H;uIK$xd7hPgWyTD*(y(%r;hW+Dt;D$Oxv*AiP0$E7)8 zTu&o-xb)iLh80-lGtSloktdmv>q4;?00Gfw9Wa3&`|H8DgR@$3e zA=#Z%7mOBZ`^fDSw2+`C;cL)NDKPdpJ&@fcaD)1<`V7PE$?oDk1x8@4kB1=S)d_hX zEUXArQq$^iM2a=bC0A{8!Cnhl4QMU`3HUvmTsw z<}MmGJu_x|brA2{eF)`0tb$FCyBzTv@ZgFL0aUk#Z!M$ZwGuY%TW-rax$ zW|>wX?7Kr3ou}#bQF+ZrBDFXUr3+@u1eKB9m5zc%KGd$j&=V*lWQXtR685A$V8t zmE%F~aJ9W`KPcJWP8JIKpJr5RRC)qfgOUAjLLUzerV1Wg)-Q@FdNCMu921TT1gezX~!-c@_7 zDpg{mmp^2Wu#w=OEB8ZNuRs|s^ozr@^ip=gGK9ivD!HtvP-#Ie#b5@qa zk6fqkRdgFeHExgH5Bjaz6GAK-UC?eZ9K-8eEx_B8gO|OEaT8dyD-Z|<9Z{@iY8 z8y5HOEw{@ge!C34?>M!%XSE41;LXc~AWSiFSaMMWC} zCyPKrKsf#=Jb^|m`j~VKI=+B;l>QL)kHg*;OHdZUe;ama#t7sP&kW|BYj(PNELdHQ zNUhXRqr?W)F!&_mlV{9~pV_V%X#&o~H5G4hZFSyfsXg2qJbc-BS9F zjUGolPaQIzi3Mj0ZK)Vo_3p{omW635W4nbZ7@Y0=!(*5H-mXw)%@bQ&<&y7!IbAcn zkY{6AtKi)!H*~>RSGhTG;`C5qfy^oL*ypj3!lGm<$0qg*jz0Xm53z=A`4^ny+e@EY zV4z;mJov>~3f=C*?dHcn_vhb*WoC9zac%o;jToZAYLBAvDnFYneO#Ta>2Zit4e}HT&S}Pu5k)8@ 
z*Mrm*NXiqX@^Q{dD*sdw#$8!xU=q~-=828;f#M;pVMhaY2Ep|El{N-1T$exJy+p#$ zV3f|-$v#hiubDTlf80Ck@qSo~O~N`zUt3r1m{b*Nb{3QufcBBpD^}^zPgGs)XG+pG z#yY-o+vxI)x6RTNOm;Xu<-fh|eh}*m#xW}ZstTKL2OiDecGgrCioLt~(9D6lWd^+X z%giW<(?jjJmq=ATx$t%Pu5iveN~=Gg|1S7eH{)(&qb0Q+5%WZa7mmK4>LDYi$YEjk z{)z8bBsl!-NzL02dr!~rEVj2|jeWKz-qCi6Yh@e)NQCD&0Ex}s3g%z&1eL-xT&fg9 zCXrM)W+r`!6tcu6djJyt{|m8-A^coGGX9Pl#<#xZm$Q2vtc3W2|4UJ2t&0hsP;8MU z(-mSJ!RrtMuIijC6eU(pZQmYQ=DuaKcR@zn(AI7(&A|eZS~a^`oqG`YB2+g@HEW?S z78oR`#Y&z(!LE|sWxQh>*N83YJ#UVwMxjta2?pKaUm^%!iG1l=EKmAD$-spv@sCu57z3TK%}3p9!a< zC&~Xb<_w!O?HZ&yum`)W7fbmd_@`Fni7EfkOLMcfhU3X* zl?Di4JQ$te)|f|!bSK*38p_kUFW*Ls0i9}vV;uVyr2Ki?zS$xGmOC996*K&1c#8BIK>XOZqE69nql_ zMzc4Y92C>p?|^5;s(fpJhm)5)qL?%K@Q$#`&Qkp%2?sHP<5WrqVOBE|$uS}!hyIxG z2*Et&ei&4d$oW7iqXK&|)}SoCe;pR1IS69!0}0O&v*vQgieS(c;v{(7^@b1Y+06DW zd=8FcSk*Q1$>ikks{aLwORg6iY64rnfgOhb2U5CdBI8J?26JZ1wq8EvTylbqa#@t8I62ZSru{LIU@) z)ZNjmVm@?RUM}9Xf~$as>c`8+3dQ-Z$;qwv8>Lq{UPXCz&WYmGo6E@9Y7#r^lLiX9 z0t&IWH1VK$asf@ErKb3MWCVA-{4U7>3PBh8fAHB6uHYF7j~BhiQ8!?gIuBX)@WRho z%T4s^B%D)g2{VlcH5T(`uB7Rt!Rda&d+^f?fs6xZb^uHDENn&az||?wXG|yPmxX>q zS-eqdTG*SD993~{$nPMKEpI-+c^fn-cOxv(7d~1*&``j0P4SE;PJg;Z$a4bh1V6AP z>(~R%%9_4FkbfkuC4h_rmGGw#?;i+MPRLqvMHyqL4l+$79ut;EkZ??3qM4&{WekLf z1O0E)5m`M*JuWzmc^JNu8UY{FxgWA}ODs&Yw3^r)w$zoTi>qhm$+Su)y0$e4m*70m zd4su5EFvrCQ_`=zSmvX7vlM(s@6Nxe?;u`J(~CJXr}NdZVXB1H0$bOXt$-)w^Y%u6 zx$evAltl!8VnIO$D&+jSnws_!l3+fL2v{|O^ z{FY_6;WB^t8zDi8HSYM@5XWEzO6uGFIC1$3>ZxSWUx}%vN=nYW9YrKR zRQx9x`Uh~76x-VGjG{p#7zc$lN{)v}sbWJmJZH2ICem}r`HwLE!}H>BhB1gz=|BR5+qP{@ zZ132%ar6E6oS9R#D^LS|+I-zgS6{6{YpkYguXRm7lp>n-O zF_{TPp$NIuW{41&6Yvkw9H4*6j0QeXY<)`KplV;joJ^6BZST9EyR$1EF9>Ep<~Ouv zXk8mk8+*A%Yab4d>DtY^mPOmteN>QUx@;B>3z?R55km>E)Uv;p;AT=CO$+v7;$7K` zIBHP~{2)`bylAxifq~C|9my|=yu#Ro!9;crjRiSO7ASh^U^ z!1`TJ;a7;}ZyaL3fcJJ0@p+;|tB%SFkT{eh2-zp1DMD{iulG_Gw*|z|*yDXbM~461 zW@)Ye6Wf4154;WtAGSL_LGb5{!buPnHpc}dC$3Gpw1kjlZC~;)rc&kh7Y&gz^;Z;X zW}%Cs4>coRGts5ej%L;hUdu%mvF2>*a3NUe}=LeoXBbPg%8(S2u4@Pc~lWk6rmJ z#g^`T${5>vj$)>$XswEQwTSHca(%K*5G#PV>}(UTnu 
zLebDk14pRi_P$QsNXdYnY6I%pVpT z1;j^?oc$j^hkxFF$iBr*x9>jV9S#4knSfA>)q^n|+2g`zJ~Vdv_2$wJ09Zd92CpKh zGLmodWIJ@pS`obGe@#2qjTuuX_E^ONl$IjnunN$Z5*V4rGnYOBgV+NcR?T32GBAKb z4p_k#w>rMHx1dR|{q$g+Vg|1hme^F0;bjft9KGO8dL|`c7IoJX#~mNOagQMxDxtW6 zrk9sZh|T{MSQ1JZPjgty=&0n=fbkc^Q${&L9{6brJFl1#3n~t0w4bcorG2Yodc5&V z0L5AzYNAL#J)?E~Cp2xYFM3AW1koUnG7s$q6FGmgt|d}yL{@l9`l64pc`$RlI==@g zVT*)O=KfTiM33ZazQ&z_n#vY47ao@}c^_`>RK7#$0h=NpJF0~`mdxX94LlxYuElWO z*t0JPB;qH>IGxRp-oRUk*2tj-+8coMQSH930mlGe9;{UD3*2sh-p}0k5t`w8;yo_^ zB)#1GWXJ#M{jP)cq7!|i13-GtmQva4zU5Hhjp$Oqdy#n|9~c38W|s{0&)!W@BCduO z6pTQUs25klAD|hHFB26PU%$>LNyQB%$ZbIwBeJlCmw%qo~@R=D9bD)Mf&||!ZOY(eb|2J%)`Yo43~tPq++4m%l( z2AR^Av@EZaYn8NCS2dFatnhr$w5{-}`2v8PY;k@P^<4ova(-pa+p1-0m5ueZR(s#N zUTKBNMfa%Ery&RH(|{T)jmCxuMX1s`f4aueClqziQfM0!J7+l$6S9K;ebpj;*qxz} zWIKZ=Y)JWt+ZK9{=2ZB7AgF1V-LqYAR)-YV3X6EHh^ylJ*wtKZtHSUEVXI!&-54$( zD+L0#;)9PkEWWlVEk#1O$Db}uHMG8am*C@55!%DWg&u+nOD0Z1^%bS zv#w@4iu^}C3$}p7M(pbY=HKHx#~T`0JjF67r6B;ywC?o|%PwuL_( z-uH~T8lX~L;F^u!%N2ZJApgC8uHRRBp&U>D=+QBS9-kcBBf>0V7nMxOL$IO`Yt&RR zC(MNZ;$dGle%)-yN0RBEk{e4RqDXZlgbpqJios%x4ka(R?AEf}^iW?D$aaJv-NxKp zLaC*UX8uUU8Pq|1B0~85iDRWlnrqc`Kr`L`WSzj7BqgMahdi~2J+L_fm^&Cdqiz4W z`VFXketZv^CZAFaA~WSt|3#6|YE&SODN6Iig;J)CW$}bNOV*s*e04DPsCajTskV;O zudAM#y~oaRo(9DSZO`V!GD6IR^Z9H#g3vCirawZ7qrfH90gTf9y<{6F-qw=m+?u}l z`dsJpV+C||?K=D<1<6rcWH0^1N6zz|NjeI%fE0R~+pFFjj*7S@e9Z+4E%x$Y6M4=R zHjZQv->!g0+D=_Qf+C7!U^zA?Bbgo<*MyY2E|1NwxDYIk(fy_UBl{c`_F zi(Gc3pZR*fUD+bc*2GM1R?gMN@%=~mE1@;;Hr$FKhqUz5(QY@;L>#k2X-W@|1L$Iu zDYo)oh%DjMiT-zr%9zUoF+^nnlu;ZZGH>BWgvXLrf z(k0E)MXb8xx^6oHMO4wvO=}{DDn_iRg8<}GzWm77FqpD;Hf#8o{?5?LOPRc314m_5SzkI|0w2=egszy9_`sg4(rqlc{Qb{1rg~a~OAnFj#oF zA08#gP6!EmEOY{$b}mz~T*g=^)p~<4y{N^%hNjR@z6RlId3BO6kw5W9FH#g-LYE)9 zTn4!`heYND-=b+I@)$?6=Vo&g&CSxLomUjAu{LjZV875H=b=SML4^rmDhRyU+ap|8 z;rpm7-SCeipRWdzOtEB_l^iZ&u&bH9UgA)n=N^t2WpvOa>cYWZ=f$;1#ElkuyE77<=pGCrFZEAT%v%V{ zN?j-y625339BZ`s=%*=;dQo3b%w-Py0z^EfrS}AdCcTe+S&(&w_v*h&#pm?@GBv9BZwd@aeT$3P`dMl>8(oB~~W`Ix(>n 
zx{*)U&Tzv2Y4&nIrvsk%65$WGUMu(!ZB+N=@UV_Bmn@YKL9F#@8v$0F0B3|>Ua;y2z#4Y0@0Q;qbMH8orvHsUh49JYSt7$maA{5){Bn0IulTs~e76NI z9+OM{KsS#Yx;`i<7cd$kX2CuRI=aIoV5FHK6kxAR-UpRHC;<1@U6ad#)6Wk`V3~gr zf1rJ?AneclL;aBQtB^n}l@jLRUuCa+W`azMOd96lS{1xT`)MjeH)Rc3&bdA*At7-+ zuZpcgREo&1{E7pS;@FSWK4f6yn!cR35vuvKl3F>f$C7D7o^wTT+|RlPWg=#nZX2_2 zOto@$D1nX4zhA>E{IcgAf*O<9ht_d<80*tXx#Y8@tn$v*z2cgd9BXxH8l7+e7Xw0~ zY*|47Yh$}-#(N_ddm15qW0Mk2yVsXfGvXF{Ev)=VWJ!4~{`Lvg=oGWyh@|3+>L@ve zsFf|FX|E-*F}qvJb7Lcd54FcQ78MDJcFqU=di2YVL3RjDR8c{xg#64WFC(6taFQn&vL}b>i@6Yd?H5@6kxi>f7tM{b;HQ#^@OrIxgN?B@a|X>ykZq z_Z1MfXaP#i$h*2F95LSiykcyW^`fm0xcop0vWTwzU>R|BchCmGAd;(IEE+=KV6nuG%?Ysx&OGNQzZHOsrPO_JiKSHYXZm8$ENcAN zUo}FK_@s!~KM8D@91?cpEfk0tYMy2BbP1%x(1WB!6}q7#fRO|rT)cmh89^PGiKW>; z`XY=0lDBLeZ_)UcQ6!oAdi3A4BvLWc6g?}H)?(z`kK7b(cAJP+%TqDS(}&s^1YX;> zAFk6wh^{;R^RO*&&&px?W~J6HA|;+AVG*QrD&CxdP^J;AEf68TVpDR75D*X6PxAqw z7f-z96C(JL@Q4GpGFb;MyMem0UuwRA4KJ$NJFplj_?gSl$PoWVX7nu(ZGY7zu=Onc zLTs8OfxqH)gHMd;B+^ubpV&%qUr^~Ya{*@2>1KeA5qgmYZ(b9sm|JuhwKczcAPbdC zs11&MJ$Hax?83#W-I5_nnennqgDi(Ff4nM%LGtf>!?~zCTNAH&0P3kO^uS$<&az)? 
zfOFgA`ZbBtW4%AGrR(I>Lj?n`F1k1}3*O!)m1Jo4YW;EVfSD4P=^|fO9v8}0NH0!b zi5PCEQ1@@B%`rv#&q4O^Qo{0VhUFJRh+Aq)H+|07xiWk4 z5fcZAe47D3c2|HK`o?g{h0ivc8H-Y~_J}v{p1^meEKeTNcj5_opv63|IxM_<`Uoc1 z9OWvl4z>!hNB#@0DbQ;RbX)}?%`rEpOL&9h%X8I{{?=kWy=wEJ+ztJ1^hVKAqCX_3 zh-*Lal|Cd5Lq@fY!)5dfPiT`vlf;7f+r2Hgkdtt2Xg1pN1qHI1$qX0m=P&SEuVw2V zncP+z8@x(~!?(xsjqW}&-JdV#tl4lE_Rp|fEY9hWJnRZI^BEBp3VnP=GSqDY)_SP< zg7ZoHMFwt}bA4-;KXLUgC}ajBTd^gU)|gytFvigytHYs|+l43D{&!@Pb?4h^ z6IuV2ozU+ZTs&a`O0K^0+Qy=3*l44aVsdET3&zVCc4F5kL5;)x|F&oId&@St)G=wS zf2qga)EN3BpvVG>$$~&b4%vw^Ag%xW;UTh=vg!a`A$HcmXUprbW9oI?y+U{&BZCa( z!|OZ7)Yn|j&F=r1f_F9Ds`rr{&(XRvm;g*EpEf}DZ(mI zs0n7)J^Z?}@q)%D{Xlv-Qt%Yi6AL;ST-0@&U!4^aIAbZRHAi+{3c$GD5J|oz^qSq( zQL44I>$3T}oJ)yu2HoGRuZp5@3hL9mhC;D1lIY@<9mV&L^j>LsQ(oUQuq5*&gv{m> zJ>1H=U+EkRR1N^4V$S^fQ)3Rx2;po}~7G`WL%9S8y<=51&ohwWze_N$P8tljK znR7ct1y4W2+FNMr{9N_QINt^R0}VVMwkfIZU-9jK-cNa}-PJtl{Pm1SfYAHf0jBs7#E@5tP1qf|?R41+77lsysPGxN1OLfS%kRIOjA}X$h!;@Ba!<4GDfn zP;rHKpkETEDRjL9CGu3MIgmyQD8I60?U5hW)K9ny-hHt+z&#Ek@K)5RM700xoV>w<|Vqhu=7wz ztVW?fTs;!#z3YdC7i@ZRrc*zhfA? 
zb?K|s;7{DT1)u^1t7qLpVTbUNuw!7j;1?2)`~ZU)eKAd`Y|{QPMgMRGYAniskNgdO zU=2n6?W*SrTfc0VKZYm=h1L-A*c~H)MR(2S`DICW%oI*d3r!~Ycfd;g|Fjuwb5FH$O>BQtk(T~I_oMc)5{T0+Ve)x zoThu#UB2F`Bt~kkmN!dz3U7rWfP~}mPy9M0B?}9+T}VMFG{JX24I(x(@6QKg6UpB( zVLe5|NasvTC(u0y&*Syh0iwQYvEYP=4#XOkq#xIFx^oUv@!g=jTAl?)wEq3*6BeJ)cKj>H-h- zJXyogG(s?>K{B1j8FAEInY)s)Y%GRJ0y~1D!_q*ap)a02uc$2E_hEEEO4X_@zUdPD zaHrUvOUzr)R4Q#Pq&NbkR;(TTBa283Uq7xJZUBZyc<8aBCdP~Gf zgrk*0NzT@5iU_U#C9;baVe%qHlV^pWuuW_D@xTP3>?hZkzOq;5+`I;ZBRG2odneBR z>cdA{-i&vh{hQQa-9hJ$q+zv{V;q@ii}Xr^oxEOpEE4&6Pjwi42tPOg*3 zrE8BWGbb&PB}!4M7&lR{D5IdUH&HpY0^Hg-GK%tJM+LJ>lNmWwO}6}1g&4(ef87qs zw%?EVm)jv)=aL56w5q%+g8IGHG3qiM(M8Yg5?bgTD_@&5O z^~(smSTUr70stCKDa!oqFCvFF@+pEG%a;Lt@j6w`X!9QLwdPGwGF_Hm@MOv{ks8DleS?_BwLPXgX$LvSnwOqBV%|NE=B_5&-_$35!;o zb#=PqnQ^bj<9zbvWIoNXS`@K*GMuDqs64qNibG{W#~@!xNzgh2?$ZoH zaB}&gEWy!+QFiKj*Iae5(@P+-q zEVYS^L^s_vkCofvo$R*^>g12wM&t1^XhQK}MC9R8$q_OUst&-5Y&th4Sn^F&xWyUdJMFze`mC^DTwL*P6ZWzcF!-cX9(B7FZD}3R&Ckm6zn|f+r=8(`HP~o%3U^WePg^&YSWnq(z;3nv z8;r^my&>jh7`W|-Q)d*H%Q8gDQ^Fp$C7x+Um9B(3X#ckn#Z(FxjI4tt`NwSf20A~g zi72aP+MN65#lr2}>%{f;85=odc@WmoHUSvE#+|vrXU-okkQcPZotoRbTCl5nkoOeN zfI9bhZX;h(gQZr{*V7CdQ*MYzsZfUN<$*MC0Yuo;tX_&`rY21A?G5WjQ+z}xxaim# zl*rs^WOh|P!Hg?;T)Ct$V6pckF&as>zCW>KQh~dqwtBhN%RoUjrV!x|HAh>hYCf0= z!poXXh=}jU96&y7KjZ02ULA*2>N~(qK#&i?$uoiMFVG;2sRKJc1JIg zhLO-Wui0cXSQ#^bIt%w0cDrs87zaP9VfA|x+aZGsSl%5(vXV}xQr zCGlhMYxcCMjw7>0%FuM>ey)TXtYeaPGEIm)t4j5$(aaKz3oO32!IU-&8B?ZLl2U@n z%NXfUZSam4;3nhIX1hkrCp%S%T4cWU+1)D$Qzd9ybjKn-F>yIGH4K@{fTz zH2EU_w(X%gp9`5)k7dxsaFFf{SSrT)7)Xo=I3nXwrv{Bu)nr%%3HfY-V?9qilwxH` zH*;(apyHl}??2MQzgFGON$>Sh%B0B+Qnlt21EZmt%wCLvjoQcNzoqD9CI6v!S_)l+ zyJ)1lVi}_Df%dQ~ETSQM6iKFJtWc!b6qj zpjU6rp`qCDzunEn7C^6b59mk>)^` z4&zVKk4R`c<4!t5OHCF)W18hA5Dk$;hCRJA#sdLBC8wfJgUL;R+B-c&_X(KPh)_0LHZ53}B3&aAJYfJn|3)K$;jJS4*sq{?> z3apn)XL{$kRU3kZAc{w3kNA$=CyZd2U!b8phyXSgcRm-+=1XWQco*DY_N)BDx_xOH zB;{}y=gQ#+RqXK9>~!Aa$gLg4a_W%1h=aC)m{pkK)T1#WV@!R-5(7xf=l)oR|IEUI zmLjsE)p9#cgD94!0Ox`kWBPsVFlcpKOIc)Gi<~S;s+L!)sX)jAUzaR`xr+sAA`O`X 
zxg?rIPY0IH@XolK8D;ufPW^xjNv_i-0!P9nQ;qQe}MvLY*t+VJW}fwjw1fELF( zP-lH6#jTcq5$9&|TOYd>%W7D|R$P=2*FG;MuyZNEK+!d}>rt_$F*A{uRHUG;GBp90 z_?YFYGhrwyOTl(}mrX_=a^&yH8#<%8v3vOn6dqc-U7h}x&TWKk1%GYGN>X7<^; zQ4i+~ez4Ly?WZ{SZ}GFs2$zg7#tDLwEKZ+`D=A&J$}8HkKMBdr3z}IcfGF_m&A_9d z>&^61*2&UR{A_5oBpP+SEzt(vKPZd?cSu4;rc5xv6B6;qu^TqEYQcrVut*8PniC8l2+eIjrR?AWV}%}Op?Jh#F__Lm!%2|-yK;rT@C=x8*n^NJ^>9`^fV zzo(-D3zIiRd|rAKgerfv@8Bd=69BU1YAJrdSd2n$0yS7QiZMY5*?TM@IRnjB3iWVE zhi(D^{akkjA001)7{=S*?mcY`eW#k0^?>ZkS=&ul)kFoD9gM2~b=XK*1KLi?Ca-x> zd79Y9Bbfyc`%+mTWwD>b^w1>I!uD-aslK2b!T7m*5nokm#rhSBsCWs60L=OF3xn=n z)9&$K^DQ_qhpWgVG)YHGzsu)8v|qPtaQZ@70-^8R`O`N{Onl0^9mzO~-6Pm}%NnaRAf_;xgyL4H{6M2DV}C;|XX7)=nh6^Cxs6sz z`L?bODVgps#QA@WeV(6<#u5Ifbmnd26|p)+&YJWO)cKVKNvre~&p&!$wAlrG1oF}# zF}qDS^wLxj@{gT$F{6SyA`NRi%0kU~X|kUP)NaOmL*mKf)(UGkHF$9;y^-(`MP#!b#nfw) zL{0I3u{%i|ddzMxyk67uM@NKsS}NM5qvN>yQwKe_nWvAp0ug2w)!m(|9CnKD}R4 zsi(mT{ROLSA~z>D0r*qQmF5$zFWb)-$9FC&oXTD$-0KRso0!t;gIxn!a16s2GmpIWJ!AYzShNC!tof`ITQt}S&q{69Wb^eEy zrbC%N`z!@AxZv{`k3};SF77gD!SD=5x=c400PudU_ie>?eh)`nG--N`p^zi=pp80| za3_2UT)D(nR-KjT{u{Fakb6x7g$d32l1Pv^uPoGU>@@|I3qWGfxcq}5O$U{@VD;5< z5WIC%fsp?=I_)C}8xP+qSbt)rI65gfzHnn_u>Yi`(|$t7Q`3ElNvw1g$|v|-VB%0& z$40)yn_V(wW1yTg(619rKY-_w9DxACaYcV-Wp(@3qYnz zN`abk*w7pzDT+xo^AycBF*XGWY6s9Sp3%9rr5Tp(ev{6Cd-4J@zNdn!|DX0?L@!o= zu8_!Eh_lw0Q;N#stU4p8x!Pi^XQ9jbZ7XV@iS3i!iy3;tQ>NLAD$6Nm3+5eA)G@aK zFu{v&{POTHS zIuB~+^>Wg!gVy}GlF!GFs%Uu8{8BgMzI>dygv)y_>R_^t!z^-mEP{u7Dpe0Qy8wW| zjE%ArB5U8QuH9LNg0xqzQ{a+;YJAswDmOT(j+ZV&yKj zvt`v_U`ZCQ^~U6tRkLa`((&1WDU$g#EUtjNdv!RZUAJkoYK|pge|hl$h(HxC6&nN0 z43g7NQKI%#B|C#&?XReX)@hK=skgLbIX-MuRLsB+B~(={0`q4y1us5W9P2C4{(Q^+tiP8~_Id~MV?Au* z;RThr`*vf1NDEzv0NwNry5QlsNtWZS$g{hIb#v3>a~}s}Zq;N>lJW)5akJCl04u%K zV09nml;3hfId?O%HYx^C=an3#r*DntU^!XyneM5qNKi-MsFmAuOmEdprlWPC&k}YN zj6E!&k|f%ra!(89Xgy%t{aaD$kCMaMtY%QhjZOHmxKoyxju~-CsX*rzgAqZEcpT&Z zguhS-6PHo#0={WtjAxqw@TR%_+Nr=+zJkh5oMwt-;);}uxs(`OpcN9AF!~urm9Zsn zBkdai%2tl`R~QnB!A8uxgK869=qLSaA$NR%)=E5#5-XoqxdtYVPFuVU_P^n 
zK_D4($~kdOM(uvR$~p2AzFVx}3pDj837&5k$8n244BnfW~%O3N)@0;z{NUj!!RQb^PFG1RnOYnastgUUOwy$ z*0OUKZwb%0wgV+#Qhm%)FuiCpYvM`D3zGc*^MsNL0<33r%nc)YU&E}|jJIq%{AszO z()n$m*kly(Lo8IIT;Iul&ib{B%|KD&whKPn*zAvdTo^C$x@00T3*A+ta0I{6 zx`ey?3(Wp>P4xBmDN41S*|k~1mgLixwC@~37d^M2|0!%z5wMGP;?(Mn7xO7#)dd{% zuoXeeN6htMiYAme#9|gxSqUOiPYE6M2-@dQ)1M3q7%*Lxwu|4RXhr%c%o zP$A`3NHU<#P(|*t#hy-PqVjLy+Wy1s3WPDF@8R|X|KaxH)Hu>3pxEbnE%4n@z>`qS&x zY1Y-V)F&YC=}EJ*9VX?nc-@7B%GT2B$+d+RSz86kb+m^EdlUh{p-?5 z!jB#**K^(9|52vzG$R&|sA<{G=HBvb7q1IxvvXf7Ueiv_lP>D_t>%1xH?U%@s-iJ2=AY(#EyIn3Kdzed zr-NO!m;(1Lt?Hi4L2Z4ZGTv{M^}=1CPv%wR9lp7DV~wD*@F742*;)BRWeM~@p0LEG z>i!sdAeSj*f)C^M1dIrpeEvt>92 zn*L1M@xCac$%yitWN2kgP7Nwl*5Tuq*U$1=+u;DC2p}TRgH}^V%-;*SDCh(v!WKeR z%PQy>?AJO|6Q*DS|HCbyKqP^f!2!fCX$S*Nkj7mBmXJ8-@#7|V>x*|h4|x>mC86!i zqypERS{nl@$7k3}*#IAg3}0k$bx}ft@py5SPq$Lr^g0m|H{Glu_cfV4OLo_pM9}bv zV=-%%GCPN}R^n`O}MQbCgH}2|G@)2@f$}()r43S1mDs^x=}u6%g{buUzg-mPg9Z&{s<&KT&-> z5LJuw;_r>IqdMA#$V-!gqO?g>mw}qv+*~7+^ zGz}87r}MWko+lUA8k5`o@{>6;wf^<2u`u4YPjwbu{bfJD=xQr?`gzl!z22ZY$DQ&WLw~r7G$5V)^5I~c zmgsU`EY~YFL)P<^^;EEzt)%{hi&iNS{l$;6nX0}A4Ye;8%Zc+UIz9#^Nl6pFN84J- zl$IEx4Yz|+Ytx$|t?}0_!}=fA{K>a;@0?~S?m>z8r_X&iH#RMq9Xn@k7~97Y85!ql z-jAi*_+Q=^44>J7D5+hS-bEJ3S8O<>aJy~d)3Jw8`h{-<+D2GmwoZm>6D{E8jfl%D z-(b(Trt#tNGKegYA?;ZR!!zMLet@Q;f;sfVU3mF&#{Mw~$2}+djS${-8|EFF@pwxE z-{uCAk3zsqrt!**FVgCzo!)Z3sKaWuIifWG%X34U1ODv1xww4!jdb)ddgrZ_Jn2_3 znL$vHH1bmst!JI9)^*X{p94;%mjWV?qxf{OyqwgRu%mLl@8wRd3RwM5Go0-=KbvuV zJHG=59R%!;P~oF~!3GtR^NmKnyoa;l+_-;tSTMwV_C|;}b=_{(rEW0{geynC)={xj5Q0T&V}@yzUnTbke`0T#m(z1~!xkS>ehYbtOr@ zX7Y~rUMKYXq{#ru1D&b&(g&zBxd%IF@>TT%diI_uUGQ>x~%T$g;FjxulPlTy# z?6_A&ue6u#sN*5n$o4EUu$3cD85W1!i!4Eb^ zTd-<#QYmXdT4zpM7P*1GiBqz`ZRc58e(Ug(h)ZJzv5?gF68dRzX+xl_=z3XYR(SHm z^cKy@>I-Goq;yM|O}!DM64-l^CHj&pj6Npe)u#kxl^}{H?2I2>+G?xmRV-`Tlw<%{ zLo{qWPH8{`p}FQ;+G}QNy#17D`*GP4j)((e?&4=FI@3Y9(Il(|Hl9xkrWL^ zKFH=myfOI400GatLe9;zU1!b>&685jj=;UNW@23_`~+HmS^8EQ8P^bmZCbo~SAe** zdGQsA2<|N~o{;vSEn00{TRE=m^3(sLz)6sdJUQW!2p&Hg{v3#Zrw0N!PQiN_xlw!% 
zX{4q}+s90AnWN_9=pZX%R_|u4Q|)6g#$`R6i>d<8Qe6%YW*;|Yb?7q&0*W5^js8o8 z9_E{St5R-j3{nW47E~w^XG@ zCfKttb(&Ulu89z9_namWZ2t43w-T4Ah$bu4v}OecaYW1e zdWCaG^lsGQu$mS7c*)U2Sy>4T(zy!mwL}#8z0FjsPXGXejES5hVCf|CqIG-CYtmku z--@bN?KZXqOHef&^wv^rU2!+=qqV^E&$i%ZD(qrRmrZZtXl`+Lfc^xTk?SY&z63W$+}W+Bns! zM@_Q^T3Y%bor@><=~k%-#8f!(_Hc)wtFZXMD2Xr@H+o3i+ekDTI0pTm_yE&Rq(pC+BN2`c0L<%jg>_H^22d1`9y!1_uxQi&rYiQMUJ31826 zMSeB+oSVPnVQK%xYs14Ha4Fs@eIZZb+V4Yd^stL}H`ZqOTyr?^C{e*UQ~x03$z7eb ziNZ`66DdNvNk4KVi1i+r^6~fIsv|+mR3~;{0Wew`Obb2i*Or8IH-}9l!C8YO1qVYU z0oYqyv;^gl10{a_D7CDX&M?Y~SMa}w241HFuxeGjJ~Y+gk1A@I6t2v+{|2`macbLu`@WS6@~)MO=57B?5~wuz;cOuO(i~QXd3LTG zc#tQTQ^pp+sm49(tzETa`Kpy6)E?~^>+2M3u{w!ffmMV*aaFrB3`}4k7>F41hcm)O z`Je<@C`gPd3^_+dUX>9x$jQbOAsBu#1}t1JO|MOr@ytR`OEseu?Ln&;L^UVuSFz>q zZ;kUUJ;`Pnr?KT&8fYMa0=0qQ{S-$dbE{#h?iM1cXhxZ89Q0+H^oucYl-39a<~@OP zT@xt+Ag558Rl`=pQqr-=VX$Z8y_vfUr`_*&guKe8rxuvR)O!v$nU0!} z8~hi!n_6hTN&GxG>ef*Y9nSo5ebhuX6M8!a2xlY6o{Da)Bt;(HE#+Ep6LGc% zJ_VGDTuPf^so2^IGKl1c;N?T3DdFal_RZ8%35n&bgD$rF|79ur8WW#gm{pVqCXw_$128624h4)X8yL|^VPxj@pFB%jG_~q%ELb~&|-a^d7o10wk z!ljiKnESQ;=-$Dzx&_fLBFCOpxTq3G533Ce`!kDbELtf`DMYpxkyPlv{Abuy2VH)nbN4i#^%Xii1%eZS)=$Av#q}O!1o-Q5#`la` z%g3=yOOy2#`cR|#d@-8OvWlEjd8=+oxN{8A(Xlw3dSZ;2tG&70xEyQ(5YB#Gs)||DA&Y4c=NLV-$4}Watvk97TB>5b_eoQl+mDkDTqCvh9r`-800uMFr z;Jk@n<_Sy9lsZp-F3SE;Mn+R4$`gHCvepuuSeEAvautA7GspTy(~zg{at9|2Z%y`| znLs=0##-(a&Dg)#E8aZ=av8~vCvQo;t(QMLyI!i;<;g@6uKzkyqOo~VQNnOe8u?;( zHZ-XuoFgZf0(mf;Pb~4D06@T zo=FehzT|$nxakR%7@dz^b(Op#&s=ej;&xetybh|&${gv9ih5>h+H-1rXzcUz_d%#s z0*%4n-~PK8V`Hzbatuf)j{1Wa5ZKab6mQEZ!!?fZ$v2sIRgn*qAY79wu4+@o1W1h3 z@lQ}{S=)*z3QA%cTS98P?Sl{cWrKeRPyGpVi>VvV4gQ7j0xsuozl(-_y6c(3kYO@T z1s3oNtU36CtZY~qB`uudOeSmziNrDhVZHAdg+UMVRP-1Ys>k>5Z}M+ch1w1EHr zSYvsyK|<9+-`@)9Yw69rbR8RK5muj^CZSUV6qS5deoIJH#0-~FgN=-3%@5$eTDUlX zZXDi&zDE3{4vCBh;n2@52j;>MQS!ZZRh+q5HF%-p{`q6soGlXjN?8u;h1*2`2k5I= zU7_-_MI3zfZc9B>ekr@edY-ZA9@)EOC78q<;=+R>X5}fe6?!%ccZ(C*cs&2R_PWna zY$b?I{mWyi#@Z8xxu<)J6iHnddWO3%2hXpXLoy4m_|3~KVqFc$&vH(qFx5eP;Qv{j 
zG*VW%NfP)w#UaEUv7i>5!)z*%KR0E{aJ=6f+xHtGA>z`<&V0~(&8jsyt+^apGugRY zz#Pb#7|>tW&&(a*Dql00h1!L#9-tL!fjzDD$b@{w2xy^OmaWV=!>E})L$Mpc=?Li(cjH#Q($EFpsFODZIS5f5IX2 zaO;r0#U|)SXqi}SK6W~8rw!xf(KZXkWe~Y>8HZfIQ2eaKEIYL-6#D`bTZdijGx&eU z3$)O?K(wso45$utvaIaPW}GAIa|UE^$)9tW3~fTV9D7mW6KaeN%zB#!tUlZLG+Ev*%{{;P@>+iUe@tC-bX{MtZeyphZL@J>+qTWd4IA6GZQHgR zo6SvQC-45+_uBVY?pir(oqcA{%>L#Z?7OGoAGc*|K3YeNO7jm2p;PXzf_m0BVs=R~ zgTKmxl6>W9MAiX_cX8oU;vUMrt957g9eu5{1kMY`v}C9)N|ak`hq2C!C{Hr-MFEVj zv6x@8IG5WKdPNbvOS09&O4a6k{5hRby&^z(+MVWvB)Ea z>z0COtFzrn8u#Rz@1-ApzD45EKdt3?2YtB|F}|swIxo-?;>0&{0d3V%%Fc}cHFtjJ zFJ-;`0ft8%J89_93z`5{Nv}H6A%8K|+?M>iG)>vcdz-smEO5A@nJ@1$Em>}4#Kj38 zdt8TRYS7?U-L!?qQSEl8%2(=ZwdgX5%Asu2n(QzFv*LaB@`o}Y?^HIk{xalryO6nm z_V}2~;6l$QfA(Saa_4bbHN!E9Gx}w_pwnb!Gtm8~PM)GNI4^lfc!4l21^5_DMjox? zFQzD%3}t>cu(kGoF{p`k)^ena*I8*l=ko?fRzI{=DzybGDGZ$z#Zc;^9^TC`>l&5S{$zP~$K#1q45O`# zIqcH-$N8t^)%bX)z`TC)e2O1aA{#;xT!329CH$?I*(g;X^SoX1%TiBu9W<22c~%O~ zV_5UlY2#mAHD4I_Wuo%|$AWkX>M(NWY3)yoy=7&I@do=Il;;(Ely@?AaynG)b4-n? zD7*R){FwKZMczJ1^S5uhoGtfGGs@fWW3!BTDa%5UjuBqtx~dE_l_Co(Q}hV}wv zCXO}-#+k>)z@W2+#k&SE4_Yc_V#QiRl*Y>Q9L>Jec%uA2-9tIt96)bpf7E;+77oOj zfpLk=vF>`1gA>`uCHfxz> zTDc5#$JJ|ly2UChXCzi#Hkdf&icr_Zf?Y*5__~Mn^8w_q!wWPsh+?p=-2?7D+p>ly z8vFd^pzFq2Gar17VKq|%T&>LD=8H1P*9=7H3zzDn*v>ow_hF5`Dwpukv6ms~eBL9r zDx5z3Wz_e2c)uDIZKXeaQ2?F2jKy0~#%C44qM1>VPMB6-wRaM13C|sc4%rIsEGg9| z8k(p&)~HVmj10tSYVL5Px;3xRe}#uGANV7?X7G-p3!N8HezHO8(sgNxYbWcO-MZ22 zi@){eOGE2x>LG3+LlpKckBf|J!)J>G+W?%kn@6>&rYlK0Rp;`YE7DWT>!M@UQdY{->!}O`YR7(6CAY2kelFQFgMe_p zGt-O3TuYBoPZNreX8bB|maA9sOaB_-x> zH^n;vPmc$WJC7R@+C>xTr$^j}GAyibA47YXP!jSr?*sO0h;DZp_(|ieG}4S4e~xn6 z4b@D7{@t3T4lL8_PYg}&zZyR^a01o(p69r=3Vim0OA6Q#-)J$ySnwJ%jRcjkifs_O8(V&@2N-LK(1SW zbSxgCH@*JyNjhUJc0p4C{^i%90)HInclAP)*YzU+TUq-ot_w4iTP{V;Beg8VZ$1uV za@n5QoZX2&j};!ypUr83!Rce;a8u5ho3Kb$9_wTZm?b#|2Zw|Ly4q;$kwhv5;Ixa$ zTI<7KLjYeeXac`9Tmu0n(D}d2H}$w?_A9IQD!-1uk%vvD&x>?f9C$h`?flS@Y@Tw8 zBzZ*|)+eQFJd5UdV2`h8k9Vo(lBk&y$>GSmJ8aAxL0AV%UaZmtwOR18@H|R7L5P4! 
zJV=*4>YQ`Y)=-~xNwOR)uq`McL%Bx_6A~ZWt}bKWIMplg=}Bpq;ofCJG^*{DfosPA zgUg1V@1q8Q{~;YUp}sP>G2rWZ)Y{%^>jF04OuDyTZ?3nxf4n|iH}k!HbLHGn;1s^* zh|b@?zo?Ez1Xz4%q6qnN2gZ3QL8~4B6Dt-n2rlx-RCp{dqJmprRsc4#Y~Ts4Zg9#*$Y8kzqDwisDgqwx=l zqK^fok`07UB7dU`$o(mO4Z7vbI3`%C0aa!zc&Y%lI+UW?rRfj?9Y?dRW~%32f4D6u z_=*n2av%1zr<)kOddFKJ*Z$pKRZG;ChW^N!4|Zk(QbXkXVRHo%ga+5%Ox~ zlZs;s?T+?Tu+%GFUzty10q+fa^u6RVfYB6TLi`;&7w3S7J&K@llAmw)BR{W@)T&A2 zD--yUsG4$)UDfe(NS3F>weWs)omQzC!2cVMT2;ZsuMCHi-F2b&9hRlWxo}6HsZ6swRjB+fwXtyzQc% z6Zv?ZnZwECW8SS;Z_7G+NM~+K8vDGutPM%KX#&# znOk2cy6)5w$}@cD)%na@M!s8&xU!&A5&u)44T@*E|Mc=hM>^wjbsj$Ce@t+z(`(x4 zGYfd{LqsM9EJ?;Lr+ISUA}#O@CjmQ_LZ z3xdXC8!ENdsM8^^45)wH1b&4ZwPLGuikhJfVG51~5;~-;B0S{K$SD+H;dN!yJ5yr% z7VLl5pvsF(ejbG()$ThJt1|dLl>Cd^;I$=18i2lO+bTj^5{Os?K5eokzcCH*9G}$fti`= z+*PTw{XX@08~p=GewGIZ?E7o>Z)K-HeSY0MuFDDegnI*9O^0otrJ-Ge!^>W*QA-=> zYj(|J1_Q70r?;)R@Ac9>i+nQ+DyDZQy?*>c{dCt0l>%%H_bq=g_ya3Ze>puE@O1Hn zh!Ht;B)d3@bkGhS_*YHqK)4|tMHf5f%^JXI84uux!)Xq&?kE##F93`33n`qQ z1gii>+HG{qhAYINf3=*30j_=|1VhXCL6ecl;DmQk+A1O@yYvV%JnXpR@hP}jXDGkv zZBaLQ^h8CeXqrZo9kr|)OPD${L#wFjvBQQ~<$DM40-M@7+dGMxRR9y7)%iR`bM7$A zX5C>tORXzBXtWy|DB>SP)Cvp7LyN50obyKLR}Z26W-ovoFn(PsA8xZ@U_%b*iy|-` zF_1xp6=XapK`kBF06|H>n^*L|U{aLiWB>2p|1uRVIEN2N3@$Ig6RrtA`(%5ky$Za9 zkMCNN-U9zYi3&n-8KX0jQijC2X^pO82Ivf8p~*i#Sb!Dy>L_Lc~?UguKp8)Sw7a9Hr}Ycnvq)Uz0lQNC{}| zCk@{)0H)?9!+{Bfsqi-jy{4gKOz9nNrzO=`cSiMl{p-`)wP%Ll$x(u>O}mC`LtLzO zK?ALgvx=hAe6GqvF?R41pT&)yez!DC7#k%owMl_IM0;NMNK_{%4$*VdLGU*sZFBHj%ml4ps1kZJbjw^Tz57l zfteaF)2#Yd^csV);J^Z#z(c{GAYw@_;0nAvJ|&;3v-C7Y0jYdp*t!?=g>Jh?^VbJ} zK0Uy|!A^G5_)>8ZzdzU^g@Ude0U2t0EjpVGlh7WZyb-)?L+evMv6y?BX{48we|!U* zor4jb_3HnF`;7)gbfbpz=)iP~;kmR^a!htBkJE)5TU#G5>!|1R0K#pNO7;z)DuoO? zO;yu zP%Ia8QsD(Wn85u}S692Z?|7$GMgC=N95nft*68-h3H8V4QdD^A?u_hr2ak$+qsP#? 
zFB`Vk#_Xc~QPiQs3L>dy5)o5|1NJV!mBTUDBk0#${=4}SIb#Yh` z_-JsIgR1E>#nbWn?cOVl&@A+!^F9~lC;Zj2#YJ4bZ|<8d6}Fj`o%I|?=V08hrGKHU z0kpN*9)Ts%c!G+x_3vN;K-$tXbjYq%)Z@Y)It+j?Gf^dN5!S$6))G{R2oshaBbC_a z$M`uS$sWn)cW(PPo~SG8VQfz~uHA^N4&=Is9I-b)%UU&E-3a)qm(3iMd4fYTn93|vt*@LqunoEGFUXnqGW zZI*2tkh?f8UrT&f6_Bh3V|HrrW*c*|EPfIR>}I%2`h&uh*u>8S@G5jy>aDs-H761$F6h zxjbOTbQcpf$bOgTE5QL6P~g3{6M)>8a~%8rw`%Pcy+wgy4D!w+al>z*7ydq|W}#=< zWro-XADbp6c$zqAiFu~g{mU?iLqwoOU)(0-HAYqV$>V7~z$g)GY!LqXL-dj0ABUvj zHcmh!I{R+Ax)bpAz4(01?xO4U@Er9XwwSX!{t&H0lx0~{XGmg=^ZU(>)gX3s9ouHM z@QEoc=`{8{j$oYn!HejMoE4r#@dNk+J})I}wfimf2ysh{A6sZ0QM)6mvq|GdlRwZPOm(r_6K zpe)W0r&vucb(SxWy^m|_1%mlH-!5-Wslnh#aPNl$NcO_I99cdeF5J#ptw0cNbAlBt zmyf&y%b!)u0U>fbNQmR-DADV0ZV6I#1tsz-_-9CRVMPF@JkCO8+;Wm|zZdkRwSQTr z$Opz&uR3+x3t-eTFr6^#SV1-$TYBh`llEv72dh#^?#&6QT68*xBCx!}@)q&F> zjKHE|kcf-6sf;{Mtr=B{`DOIaFwR_g>bWp)mi64%SGmrnv=1T`>8>e!Q@)_@LTNFs z1?9&$z*1Hfb8^~}AiSC!K?HS1p{Nd$@==@w62%bY+BkbgXKpf0bXu5E0A2a*k z&#fRLAa|0&7+?QJ_brQvPYH0?ZrdQFk^L#=4z8lPH#-i+nm29>3PnFK`5juOH$Vkd z_s=GyKt({;R8ZfJl!ZlvkVZvOO2or3WvEh4YXnA-6_Q1#Qr5OB%fO76{c~81MAE8> z^hqi}I*%uXQAzip-4-~bzZfxk2uWo6MaCJbCb&7S(B-5LaR_3lIT zpe#4igl+!9Cjww*+jQ~EYpvsn=4}q1p~iIRy#|yGZ%&1k1z1?=Wex`S{xP`gLWq9i z*RedMl$2s38FFX|Rw|N^hVl?4kp|I`-4qH4EuKCe%s>BQ8gL>%H^_ym2YWuzj*P{U z({5YwYdH-Z7lBFLi+6#s#?@32_Y?mBQWkTM@h{&kP9hWaK-52pUnK|#M4y!K%%_$W zcVr_)e3QJG1qyTy5fNQuN-BFrv=kHsTl$5#XILEGy3&Qdg!jhMx-JQ@GrjgMBn_XUB z_mgMY6l#@EG86c#&e3^azizW85_&wtTDO{;zcmi2!b@Y`cH1k>IHC1X{?4q4O!t8J zN9PSs6(5zitcxfJGq>UnEks5$uCdW7r9|2>SjDvGN3lF4b= zQ_=v0`tP2iLj@qo&kuqDdq>Xvd!+L$N2ayODqBs!8F6W;u6+*?qw;*S2jLx7mu3$a zqt{;VhMyVi`r#%#Zo4s*^i9#0XnueDqzRAO_g1(eg@pKhfR-yYD2wT2jL|cvY<|Zs z6<3l)U*vMD7SDB;B&+!>uC`#T*q#Di|1 z`9)3hb+EU${*x2srS2Ex4kx3qpSvTdaEPV8ZP1qOgT&3grl}|feJ`^R(hmfyU@0T2 zJLSMuuCf{F6nS`VeZfFnMuQ;SUCs%ozHrO~hXfMU0jjaMJtQ=wYA_l5*bl|BSQBdh z_S!#`u?x78>QgJC5nSRN9Kg;+YZXy`sn@cLwJeJ%9?k*+MCEyRB;E{^SyFo5)znFN zNx6yeSsI6ndrWvvcV<@Eksia4=5Wr^a|~(6OqR`$x2Nyli%#V@dNOlfU=h 
zFg4k4u5x76e5q>2u-%=J5$<=KW~{Bgz6EfW!5-mo%GAs^T;Srj$K3!>R$98osqjQH z6ZnP}BtT7hAmMhP6I)xkN*jUPuG*0% z>vyWf)L_NP`cpUBXw*@RN@3bO&Rq%3JjsOAoQ_R-P*buLMfktG>t~ukg|hm=1WO?A zT0bWp_Er4e<^jI(L`9sdDfjZnOG6{%8jC=@YH76tBt2;lo=vxpH5H&CFJEJ|fu>#H z>$qc@BC^(UePS#@O06fTo{dqB)R~>uTpG12dw=qJ zR=;-Rr-Ourb!cpbei8i5E_H1#vhSg{ANRiYE!4x*;{O3bU;GM{=m~T!{RO%wsj>k0 ze7S&X*KVFK?@xqft{{toBkf(5`t?|0Sp(G=Dfe-`FRv5*ThVpeT>%_|7E{oMj-df= zDhZU5WeN4-vWn)en6ZqbHl5bl41Ys$Gbv@5 zLia`0IeyZAuKI-gPD%&u*Ad)si>T6{xG66 z=J#eQVmN%Aej?ufEh+Gp?4v%aLSs+B4cQOsC*p+X{iB&TwoMkN*;&=Wjt95$-2(oF0bydYTG(6 z5D^WaAW7<&K&h7a&jKvG#?8AFO>oUGpq_DTM0fmH>n*MyKZtDI33MUcryoS$^-!_hMifRC&7I{h)E6wU!s6sB$0%C0O=q@K{>g4 zEWV)X@VLq#v3Hl~FU+9bMnFL{2_F;!vbDaRMU*41I(pD{8K={AyzoZTuG|j=8%+Hb zYXWCvd`lqW=UZ@J6j2*izzti>_#c)(Gh(;~FUAhppFSv!bHB@S^DpKB`*bK{BAU9mXIr6j( z1Mz*ouWK;qhRE3^dy%ge~ zje-VIE!GW6eg@ho%eFLl+C>|BFdn)Fdl5xB?jW6l&Dx7xUS)UPV=m_m&;3tOydDqo z?~*59BI8&(36)XoYR0ha)$}n=c^XqC=PQ2&g?6y~$?n`ulRb1M>QR ztuNdZGkls`7PQPvr;tOc!c%_sYKsj7Tg>oBz-|0&)}5jv#d3RdG!EYI7Rzdf$oA}I zqz7+&yU>F@vR8bV#bH2a_@O|WV?$FU9O^eaPcg$!XDDAtIeYl+cAZjh*0d@^8JGGy zctomL&j=Gk6mhjYt{ReIML|eCZhi-?y#S3gw0>50FNo;h&9AUvk?u*MLuY)_gi2>K zgF*3HZe+agd}w&2dH-df+4NQ3*C@GH>55cJV_}g~l6bYxbq?LcY{L&C6phf?)50br z4k{W8*EYxRHsme%Q(SI!o)Fk?rTnnh>Ve$TkWh)OH?`{_(4AFvp%6cmuQxz(Q|ql! 
z^bvtJX@bXaRB>NKBpgJb<*}gqez*C55@tN z^n+Ou)ZF`lrYZJKwFP$MfNHB=jA5czS-VA6)7^b8dW99c zUMk!zqCpA?TXmO(uE%Xk1vc~*q|92|sgJ+T{u)>Q@uQg~1+;iV=_>utWV+h7y!{Oa zE~!N<@-#|;g{nCW-Z zK}3w%N&h2Tnw&kh>|&Xqn!_bv?Rk2v_9vnv0e_{i{Z*z?sd{qCQHNef?CUU49y4_( z*nbL)6=Y#sKbWQkRN(j>X}ZeyaSPmfh#9obVJ`Pd3!%x8QRTu3Ehz47$Wh`Ye4>(r z){C|ol%JviNCq6-`nKKf!m&zzyblqGXSWQern|H7_LKbQ(uLw60}oxgHYqFPvC`?G zXm*x7EUq8$%W?ASl20I^YTP)t=`ufzl!qk$j;QDfJ*(cbb&7hfELd0p?6Fj-lp;a) zexce$+i)g4rclLj!&rsG{vV%-YrbLs#YHHo*Nl%}yVQBlt%#sfLECnO4}BS2m$LEM z#3h8={I)>Q&XeG%g%+-r)B*fURd zvdWaAygLmmTyfjGX<4h)>Z7SuIwrbF9|x5%`@!N*{m05#I7G`+8-4 zL(^dYU7HCezqKgv;i<3sg26ShCE-XZH*Qs+ICyhWu#@6VIZWcA)Vl$cZ*rz(%|EGt zs|ZdZV<03kfkZb13P>c2C#cazuMg#NR?z$_UGAG^)N$`pR|5cB#re!m$AsG6!3nqC z1Uh5W*>@@RC>%C%v!~PTvdfZz#L#D2tj|+bwpS(*)7(=ok#u0brv<2n=g>5fPGwJ^ zw1-aZ@*PjQjo~aAtZd{uA2S(CbZm&9HA=Xt=T+;+>}uFe!go-@u~`)f>7PC}>m|QA z+;p_OHEhgDG@J#u*a+*UJ0n0Ul#h?d7*H8?+V=9=WS5#T4(D*fd(;vcV{40)AOL3? z2s#z_^5=S-d+Nw(6J!B7<-4z#TbX=3izvip7Gf_42Rq75^Ee*fg3I^2Rox#{@HB~L ziO@VMz~W{OI_{R2@^`DYj}K&beFyl}9=9)^arV=gzvQ`286zh$wXT*}R-cnj%In6G z>^dk8L06{?c-<#Jhi~@&Uok>m(FEhHXP5d7P-NC)8B`wkI*`)gTMHGf-jE*G1XqBZ zbCjpYh4cKaBt5EBOqa2KF1l?xI^3^ZGirieseADqsr{#obJD}jxJjbV*``nCG0*Kc)RyIiwzpqr+Z=pCpI4hE;zIdGcq*RPk43bPD3qi{u#8)8; z+r_0ZEy8Kn?_~XpYS3K*PYSOGJuHBRw(?nt;r!iE>}eIH)5be}^oro7EuK`?p}d%k zV-(VNt>Z^m*H%Z_#o?=7lU`W{p!lMTNfq=#X)>G);(z|)h~%}GVg1( zL{NG06XsTzBcp+gTlaix;D@|uH67(98mg4CPN|XP5`Jz}NS#G9G+jA369#CE|GqyZ zxYYN0kXj%3{rbF0;6LB5n0~me#1D~|pm=~1NpDm~DK}HDrxT&r)-DaGXOdSRrbd38 z^2_r0wdC5ae}VB-+G+yGpJ3Hao?gAS?+8?B{#dR55Np&G_JsZ$mhRf-Jl*;1k1z#) z?r0V3FJFl+F%2XX6%OR+rOJ~?Td0UhL){J1QSblf{lMD|us6Te1}!fOV*Z?3`1Mrf z(3nWM&G`d7y1^5H?FevoH?j1e;(lXT;goEG5q&CC zK&&D4A$FMrYDlOeVH9kH@l%WeetnwI4g|A$81!Fn3vO(nIPt9(bsqS>n8^ggr>e7? 
zSLV#IwY{V_%%aU6<;_XD3@;Zwj69$GcByU!xrstH`3*c(EOMj1K))M5V%&rKig?Mi zJ6um- z~mTbLgSgMh&6d?^rgmw4)xP@>U(DXM+nL z%QC#vrjI&jH7O;K(fgnD4nD2xiopFhXhqP;!Bd9G+ST5Y+NTX|zIFS6bs{LSrd15O z+&rd)+?z1T6waig4~oJ9U2R|ens+?~p2pyxPhsSihE8Wt?E@m5{-3Fm>RZls-VfEe z9+S~NUK_=uVTri`SMHlEL)aDK&x4S&7))dIN?oL3Ugj3EYu)p-3d$sO%!YLEm$&-j44zP$xc9fcM2uv<1-939o1SX# zdRW{qW8xxiLZ9owMsGifxQ{X?plZ|Km)DUewe%vXiu(WULhv(6VP@8=h`4F|1QErO z7~6G5t0i(Ds-Jyb+E}Uh)acBEs)aL5#d0Y=8?u-ca_#Y+64ad ze;Sd%L(?f8)Q2atn&1J{V;}ifHtAA(FD|-L8qx4*(Kjs^S*)@si6C`aYUKoCu}CE8 zb5No175KxN6y(340dztFm9)s3w+U*ZlPuz*Xg29l-pMtz8%ZT~`^FaWaRP?3PC+4NH3w!97kh#=aq2UX|ylH=w~tGir28KvcuOV?ap=4Kx4 zXwseNZsfL*stew2v58q~)Q6Y;jxgpCe6GzI@yQIEvyqRwbD*@f;-Y(t;_&C1nun*{ zMqkwg^wcD)%S7GKE9yMPtfu6M!u8bZ;Y&Yni_CUIwG$t13D&3axHLA; zLiqKn6htm`ARjhuHGS&!Hc*+K3Yb{I}Lb6haEL&5k` zS}`_<3N#^l>7uG5`TUpVFq4z{=*kxO>Co>&^v_S%krWP9It9ta3C*@m|F& z6jf&7-8jOaYm(i4%v>I-`8d45Z|<4lUlwav)Idxs{tgq%1#%a5_Pvw%=X&R^%QB{RS5-_hn%K57_;$F9EBoTntA? zPc4(o_NSAXPt6{y0|=HKl`-K(j z7To&(^usI-;1^ul@;2EU>Iv-O0mo(z09vd1hmMNpZ(BFyD}CgBIP~ouijBU8*X*H? 
zEfY^J$XOAh9b+79eqJgzif5@vq9N^_tSdG>5hXwVQNEvE?$pw`Gaye_&3t{YrA4}# z#sa_|m)K0wjj69pgMHQKJ$s`)E#|_TnG423Py$Fmq2>j{_30ZJ&#%D5BTy_)(kzCL1)J&WCo`vRFQtTTbvxun z%>dJe_F_sok|E{2tcs!reNA@`SIvVq3P8u6hhROlvy5g0+sAdv*Mn}9De$|8HOVN8y;V zw#SvS4?D>_5FdnNRG+ML->!BBBN4rU6(^C_i9$b zr?@tjWb3n=sbmf{@0;XaLov{&@``(;*+OVX9qm zG3ZlTStp9dwq3t9^3%l{Ks$sGS%ag_FGKZPh96){P=R%FJ#jrfAY-hRGY{M-E)$$n zoLq4o!nDye3H8hZCTV*e`?E|`e)UZ9MbN>2yA5eegYfYme;D8V8vg+@LsBAtSQ*j3 z1{;Z+YwBTsv8igX`fOskUn(+|;|JuP1C44X*XA4Py>ynO66Jc)Dk9G_La}7KRh8CE z!$$X}ti@Nq>Un1bf_$Qk3J|)NF$ezuLKY1?czhKxefcMI(HuX>>;4KW!o8$UvdXEG zM#5+jw1^|6iky$DU5Dq-IsAn1e@*zXzRd8xJlNHvANH3cz(2$k$NGLjl7pq4V-qw- zz5OO6m6?|aKNIDG;tYl`cjuv-Hz+Knb-*$j+3B6i*bIr~UKCd_^nyw;8QZR_U#s$^ zN!6c}IEd@$uFmwkB~hVv6T1v~E3)#Tl((c0Hp04KdqGO{0sE#W%nvp@AIidr8hMlVqBQn zH|Zm^f()-c*{iRPT}g@}bwMmoFO-9=94F_m4K{GQweF4b%_vBsAu>L)TXIqOizx{-SW`V@d3epm6mm=+)IIKT~ z>vf7%+ET4NSL35p$=!99{9|aOz!1>Uz1`qQ>1lUJ7Gi;3Qru5XQeqvwfIRj96+_;> zt%{iA$Gsb&L<(O?GB)WU;^_`Aj!W~+BeL%2Cbmxn=@;S!Mc^p~zY1~o_`fjzaUZxP zS3uRr#3;FXy-m1C^Ya7r=(4NVA|F5Dm3Tx+0T303B@^M4^PvmdM&sJ%fnr4zON<0>o& zy&g%AYV&*hEBAC}j8N2fQ?Fk20)|lSx9`+dj_ermqm5zLsSWKe9XW%(x` z2P6L~ltwD>1P!AnteBafO^iN{{8STxHz=*-J zt-%cg*QE6o${+f z@wa0XQ;!V6C`Iy8V+a(x9DsGNu71Je`qGJUG~c-NxrGTii6|}Cfq{k=bB{wzB10-7 zp_+Ghm|CRt+h};ikV6JXIA&>3CMNXwr`|uaH(*IZgJSUoCXFL*lC|M_#N|lj?@n7I z)ClA-MD8kVe!M?@_ukB1>Q}H`G(=d#TF!0SXu{Vb4*Eg%A>-xbh87OCwC6uTew5UA zN7W^bR)pt9U}B;b?!zZiMB52T=n!_s4@j8^kf&!MQXUl+AK@vH{k|@QgHG)C7qG+I zl)>9XOB-Cx+>PN21~nBUnVUl=n{7jPzRxTn7Y}E_-bhO-NIQUsQ4oymvj*Oi zxV#gshk3p=IB}zeUmllWg=yb9%Ulv*aXOMWEVh068dggdT&MDrnnv{|la$3ajEfVe z2)}&)+i3^Y6;&(3#I{UAD*HM2SyAfs2=y5GFW4sFKoR`hUpydI!8Kyss7KlZ5~_r< zEUCnGJVLF6U#J@Kz3;Si~4l7t2};M;lNBuSQNjyq{iU7=)m5bGpZ z)#fYJvY*41`r>It`kjs`mm7|_-unrIo>lp?ZR2M3m_!~b9CVE4?!*gSRD3+=by`O? 
z!JETThJTv8)%7=TV3WZ^v1>QU*225SH;=Bb?~gY1S@Um%-Dd|oV6>-QjalWXCw*L$ z9bpJCFaE&BZ4pWc5>#5h@c=sKq`+vk_k z{%FY(i`?H+M?f9dtHit92iq1LXE<$keQnDet?6o7qwSe01VH{f_5yPetzv!=!^d5m ze#nydQOtQYyI9a>Kna>;z30WMaPGseRKiYH-=`G~oUlV0HxCOl8jBSlFUSkbz~r<~ z`e2p$PtJtovxKH50`b+Ij3KEM=2tpJ>yS1%y)1!&U}BYIp-xI~TkNKWc~0(-UAn*S zx>Tc^g!+mMVXAzhCtUPj=YlK=6pZ&T>3nH3wM9PMSHE9(wMI9P)scs4s($VywU}ee zB0c@Nq#iZOwz_))r=*kvPAk;TV$DfZlE6IMOedbTe^|%(GJ(Eib9ccXErGFwj1F2+;751Z__ ztHDgD5rt-$qcl*@4={*CzB5m7Q%oSE05=qC-85*SmKQh}nb-?6G0`;TgpdX3NB-OF zrJMy;NjHDhp-l*}3q`e7^$a(JDJk1|5~EXK?Pi#k7`mgw3ZCl7-PicLAOCZ^{gQjR zdx`GHU3Yy!DxVNv&v&K)vj-P~6DfmB4cDhC>S@h#UVyHeu?&cD1N!%i-qs%v!>b%8 zh%&<7`><~hS1R?FE8b0&%>c-OF_{oNSp4r1)rj0$PK`$miawJuR#)*hc9hwnkz4Zthynv}Zd#KvNS zyFCVh1DM#}U4`DSi_eq$FD26pif1o!&LUp$u+t6^nS;nN+bE3D%2*!2fm1m+SylR@ za!UoHaxH>zU-kgUA1_&Bv7TZVhmqBDX!AL%Im#!&GKAuLUX1>(qawHTGJ16E#YoT7 zKxlp*ik0Uw6y0Efd9+41&PiG%yHY!ksEvWAhn#m*uV zEZX(a@4y9;jlftx>ACLMkjx=vvO=aJw3_C)J(&EU(|RWpMU5>L^^alj_~nlBk=)gE`mVYA0T6u5hMX>qPxU65J9Zg&WJ((VL~D7BG)*P z8`-VJvlMZZ6e>v`X@wye0oVy7iD)cC5#1w}K>kLaE-ujovw=zuLPjOje*(i}Euz#& zr8)%)3=b%<9W~t%$hYwE!UGw80_{UV0Y&>t0OfZ0NAU)m+dhu75fA*8r?wGy=k}rl z<0f}#GQ7szq?3wGK6dK91jXMb&o7dqD2c8h2`x=U##or(MplR?jty z__=4BdY-`IJr9J{`qCyl@P={OApa+H9nneyG;5bVV*1uCRZj>KOlxJ+WWMu$*I2N zYLgM-e`fLH4ADRCg0A!>WQ2^R-6edg>Ix*B+ydx6+`blazaB2`ok(=Wn0b5gx`y~# zo=gOn^COF-DVdv7fhysL249IQN?#L`K#l)|t1T;$r+-j*Qz9LXP(T9BV+T>f|0lE= z{(K&w(4v7tn;{(W-~0~o7R52U9ps#S@?cA&UEc*?RwlMz8VW{I?M|jSKfcQ`uzYTM z3Rd+1yz!VE(ksXBPCI#h-KuuF`llzW^;;7ht7JNvShM?@_cWgz!;s_*^&qz|Rn2@Q z)VYpkkxQ)T_PP}YU2W5mDjc@>pv!Vd6y zb1XM_v9z(Da}F8+SQ6`O#E&l`O8CC#evH-AaeHm9LPm39CN{;DX|D zT(zt8B-*2F61Ro>RMaS08Ue~fwi_Sce~52yJIzx+$AiwPYE&i9+WSpT(&P_I&f8`k z4%C`3Y;Co+1?~{hSGjL&f=_~KZFsvjeT*;vjnIkKd`B0Jky=+>8~N7c3wb;dX>LfX zBIh0U@TsTx9X~2HhX%LN>4__P&g4FEfY;WADFlhEXB4Bllbz0^y8idTKat15Mz+bQ z7TG?p!b;KeM1qlFyhTOChcmI2cYcXW3FYUuDmjIw8*7JTklum#4J>+Lm0CuLVVW;a zXA1k|1Jx>_X7<{LY1%@r`X9f(f<@@3kl6+e;VGGAQWi`2t7jl5#O{Vf(aNeLsc@Ru 
zHamjU5Bz(*Xw48Z1x@{c*Lh&%HephW85rb4;(e(+-y+NPmirkYt7NNYX-i|HPx#CB zp>rUfMMSioH7H`TLPD%EzX=ao=8Y-0)vK&#GZ1<1% z!3sE=3UBkQ5|(lRE%cMK)eSO7TX5_9Zxdjg?Ope&3wf@_cEM8w{sguT%VHlDN|S;~ zmP<|vau87-DZgP%=PRRX&rD3dQZU{V{IxwN^gQhQ?5c@Z;3>xn`-lyl8u)@o#2L9z z6%)8gIAA=b0j;TcS7E?DMgxOS1iXA8JNQcel9YXa%Dg*p3E&!C>|a6UE?VDVrm^L3 ziEI*z@c8xvwX3^w2QJ^HumJZ=pX$QS)P}6GWoLIl@w$+u2K7IWa-a_5-3uK4VpwXq z;#Ww$-=oN~AETtkL^s}07O0deEI)-*>=0%@;i$XMQKWJ>pa>KG`5*YJQAV+vNgTum z+GNeby!fXi5AHmd!vpn*bQw7n38r2hgN`od{L-H#*W6;nB=76G*+rN=99GgxurGXR zk2*A)QJPGykcyxjjrt|jv!iz*UDFk(oJ*xX&Ec!Iz2j(pwuWJL4{g|d;(5CBx^rq1 zw$=5vDT!%5*LG7Ik@%R44g%9J%J@0xLe%rga?Z>pNkpgZ6RW!2!SK2rahiX7^yIs%FT}8dG~O-qd}#Z*O;By^i_l++MF3&QGRlNvhMcPtP3Fj2#gRpT>998OSv-lH}PN z7X?s0XWxs-H-T)p9Y-Y-FYz8xzrq>B?y?U6yVZ%PY@gLU>EPQx-cf6xNXFfDjxW$L zaqd{GKK5>}bQ&Og6z#dfIm0XPEbWo1!oV&;%}%@JM&d(qx!nE_Q{Na}SKGDQv@sj2 zL1Wu!8r#~jZQHhOr?G9@X5+?A8lU~7=WE}886#_rvDZC$T@yDyp(0*Jv6gxl`*LmRh2p&AnG&<0*CWlv>7tMCHYDGM;*q~Z}&E;h63Xo4``Q2xq` zd8QvnRq-1Un9zSv_Ij>i1vopkbiBzhsr5@r`D|RdCjGW`QfLOFpgn(h0BcY0-#P3h zY>9v7ZGs7s11v)Zo;I+A7CAEc@rsrz1!^?_bhyHC_r zKqUr7k#aIaq<7?hnvn!l{@EvtBdz8|}L8~d%eQzVJ z>K9Cj?qhLkm8`!gqaHJL(dntIbGe5bHLj!kSqa!TA|W_SAcy~Usjj|}PE+r7ot25# z5937&jy-Vv;FqIk8-E7B^UMFU{N1G6Eh192GS4@wj+iJ>gGP$YA#c&4Mg(L^=`l@v z#FYEbKc!O(twCNOH#)r&Qr=y}ht?{FI2t)aIY5f2jseLn8Djz&$UK)J(YbXfL-T?F zG0kY|p!#g`dKC;M<3CrZtt@W{{InF{r)e+F1|vA~)8J`0YKhfV-0gfdNc^anH5;g} z|GHYiY((pFQodk$$T<>}b9?xqmqf8e8o6~QQ!m;+&2D~^KiBx$^!_C&uyM|suq@ZT z3$5?MYKMqnIM#8z&^VO;qvgg@hey!l8G1Ww7D3dsgieu_8Bx9#_96}zkEo;pC24uu zEk?sV&HL3uhJsJ3^#JOukL#al^mkYORqshrUch&NB{tn;HJTz_eI70>WOAMaNmg-ji5L-Pl2vqCjChhXm}^ zrc2CSIv%vQzuYKgM^M>lWJJy01i#oQw$p2^nEJ7|viGV?gLQUd;aX9?Y2!5G)CyL?ur;o38Q}d>*}yVKPVZioo7M?_t|U^(O;(}09K$z1 z|Ab96LLwhERYVjU)&Q|?U!m`{4t09PX1v4gQt z4IOX~xscgp~wpEP;lxk4Jw>3ua5SNyr6NF005Fl))7Q zqX3MUNV)V8G%msf^r!#B^Go?5?1v+|Qb03U+BMlVq`|=7R%b?kzAv;lG@HnIdZYYY zOGUb3n($(%T5H+%c3AGI?=qXR!X2nX{^cElhU);Jh0#T~6nZP@Va2z`qV>2*uQd|) zF)8RKK955CI*(zBiOKeb4?~bwxxx0zvHd-iG5Rqk@-J#C&qqcB0RozPKj8r 
zKOji7;I>=JIG(2Ih(GJ zc8uEm-0+w$(+mk_gur`arCq{x)dvLoKsj|;^%A>h82|oOs*{;~BXfhp6rcc4u7CoZ zMfPfLx<>GVcvNkAK@+cZFh*6QS7NpmuIH9R4rU^ep2aoWB8V8P=M}Dy6_)$-qmbJ; zD%VjjUpcmZ1r&61ofno#nG5DNWvN~H4h_L|6WTKz zexkrN`>Ii31ty7ksaF1gl>B0m8YCR#%+HZFlB~9QP!g*DS`+z@BkCrUNXmh@fFD_! zkafCm)kn2`=n;O7IgRykrn}*`4s-gfE@)`EjaqVqAuew;7>YR$iRfEpDQIlA6c?hM zT|DPUMcVpE)p<5imC2k;XfnF{KV-uPuzlQG!8JW_yC}>tZbRI&>TQzT)Gop#ITN26 zXd^OqUCmBRX0JiG_c#8Q<7Al5=+#o(PJrlM#(ix^&3pT_t1IDn(9*I5%54^!-H^3X z%lSdme52#yns#M+Zm4{Mk%4#dR3HO?YmN_B+%0zuQi513Bc?dUDi!;NJxZ6Yw4_E# z(eI>E=aOF1xL4QnXCh(M@X{VFs5g^$?@@-h~!xDOHC zgu-+?8e2tM=zp63YK+5;8yE;zfR4Dv8LK&j3Z(8AU6C~GY!T;VIN2$S7L#5gJyNqB zKC`Y_Wc}WGr!(cJ{olU-$*CtekiEkkaWJX-ix#+@drHtwsj+AAej)yVu`gR83b7*M zpm6%a9LoKF&;8RBLe-t$H3{q;z??y-E^5ckOaKBE=16s^&2t+8*i&<*Tl33c zjGCecD>s^^_T{$0Dh)?KbQCsxMLvTpZ~gI;y;UC)eK=mW6RXm`PfEQVlAfY=&!vyD zRp-MfKEPPQ-Bi+=a@#`EXn;FCl7Vjej|^qNNw8`K1@t!Oa}0MQ4x7IJY5hci~ItJ*#sk@i~*y8lv)ZCL)zC)piVng>b!KY+9$|6VMmBcAG{PWZv%e739;XpM? z#Z+eTOd?sX`Y&cO@(6bIP&-#?cHiUphsr%A@oIxx*KORyM9qd6qMgb@$wzil0oZ~b z8p_$*GFsph%+6N0G!W%0u;0ZO&{da*0t=r;S1|(-(ckx}04B@@c27ii8 zHp!i1XqQPI%3j|vf|jSpdLxyn_!VZ8^(j*KgV8bas3=7+?UZVh*XZDD^ZqBdQ`Zx& zO<11(FSlEpg#_K%IA6e@+rs4jpk%f^V zglkpupj%#qZHBK>W56#_VYMx$_hqA&kB_FxA&)YfiEu0K*4O&$2+MK`V?35e^tJxu zFvo!$=3LvRhSg$2pQnME*o<0cT4RH)s`T1K3u#EP0~)+$kk!B`p?S1?5ho?*`C#M1 z3!N~F1c+g&jCVKf5^%mf=Ct|oT5=lLw+0*WlppL|Y}kdL7>Z#dt0NFw6H5zU2}NhQ z<_$IQS1VJR5Y0e$oDF=dE8FqcE|@?541BAZH`Lx6Gc3yqH1Aw?3h`>h48$4^CKnA= zb*G|oHu;=q66j3vR$6`W1IHcd z%yBJL=Og{U`U{H*=(e-LN8pd7GrwZ`s3ZTqIkZ4g`zifXNmumozN+hlew-;dYLQP0 z(v#|Wc=ubWe4^9Sic4myf3v~72ly0r7cH}=?uF;8!XY2*tj`~>zo^Y&-4+ag(&|c3 z;XrIFEqxySJi^$iK8ZI{8vfxYIAf$9!Vci_gY5WeOo+0EeH^k6mRIIV=0Whf+8X^B z+yBgHvPRf^af57GJ;-A9dXzEuMEY;Qj5YIty<>fJA@PUxPD&@9<@am#`$s|^?u+dk z>lV+IXW*>^O?BTi@@$vy5?SV1O;1xl=vaOWR8vlE+@naxUe9n^8k(+K=DG_;x3u=P zwPRd4CqV3V-|{XpKcV1U>9oR90ZG<2v}p@g`O-VKjbVs3h-*ksYm+cV#Wz?+Go^-t zy6w^};}Z~E$`n=8Q~o1V$MAm+)zo-wdx^gfju(z6h3y0L^NV#};6V%CTzV~L4NU9Q 
zG@Fj>?I)pIVUC8&V*K!aqLTr;)Orly^7qV;APhRDW%!@bC*Rnxt-Bpx&fyolv3!v} zJ(ZEMp7WD6q>2w$T!c@^&V9bha6U7Z7$N35VuS1!v2?j_avVHHZ}ebVCu9oORCewI z@sEtSy<4|8u|-u*Q`y1~Y+iruE`g6S@u=*OYi@Q!0tCSQnE)mQNruDiHNRNu1qV)s zhExy95LtcJ-A>Le3zv`YOUYJ2+9R-GY|~AKga6y#%M4`R|D5{>{G}`x^v-Y~47OzM!;_RCQY|oX#(qE^ zOL^rVqEMCGO6{ea-1$F)i%ZO}jwd;sL9mWI2AtYePfuI8CmXa{98IgWRNR914N0Xn zD2d~fRxH1DYV5mup)sCIr%L`b8vhJ>Nz+UI{lzVKa6AgVPnu-CDylG)i-L$zBHc>iS5du9w&#DzP+2lzBO z@SlMP;+-BXnHp)gR=zE(*s4EbGC+*fr4At4!)w{E6s5B6nIl&D-#Vxm#OrP$LxNXY zd|;dB-b!PWn$MW%EsI$3S)7OYq3AOf*E&Fj# zqLaA*mO`FIU4RQ!KaU~ip$Z9V?vZgP3a1O^i>Mrd6DJ4!6DOD$77XVdT@tCUT=3@Q zQTFb`40blk)Orf!mV`FP`bn1b`G(dek5^OhPkFC&e+wE;~9U3}?+E97Mob31`leYP$W`5J)Z}t0%`Rk9@cbLgrowdkl z)Wa0+Chs#+Avh&E5RS#spE$>&`3n>c1c>Gli3dSP1xI6sBzQjy&=aE$n|v)^9i;TZ z9RFuUOF8tZ$Otgb1dhL7f?It>h(?mH=N|`Fhu}^ibC~W2Yfb%>GDhrC>tNAuICx}i z9JoqXp%5GZ$=iu!%eCq;=AMth$)Pm0^5T{wlA?<{!vL5R6miTFzS*5nTRQng6_Syc zt=baJor;5bt~QoIxPy&ATol#-{d0p4WlQ!nw44UKV% z&hvj-rQejc760ov?#pv-$*pbT@?uN+$lc-AmK$j0(eg1j26SJM6j!s}eHS0XM$I2URgl)xnebgRBu#vN|w&D z%Jzifj_4CvWKiUKlD5659~4g$3tJq9MIVnzVv5yBRL+8&W|uOu#uC|Z>^RMx!mGCZ z;G82twANi7x@6s3*Ix{iDI;aBuTcJ2+y7!E0l8Mug9h>5`D%UKyn@geH8~#yVbhHK z=Ij!!6#(tYo`7UHi6>pqlr2w857?$|@pO&JvdyCz6PM;{vzHKX9b*iQgo-dNLP%Ls zQuMuIpxKtwl!~-`@&Vm1_-8*k6$8K*xaLEOv9(!Gg*AXcMP~8o7K`Kt{;K6uT;5OZ zOt1po=$v| zHjZDO=(vxqP|ej5@vCft)mFFKs9SCV8pFt~Cp~j{Gobrn5aH=it?;E6{qLh~XG}kv zIhc+;ccq^*FurT~qHGtWL*VZQ4gU%W3ZDoiqIDKT+-oao=Zm=zAKL2!U%h*VXdMGv(a(`jlsgi=!lu`l&Q@UPIH@{Ix_#-$I zJ{!>vQwTV}`}{Ed%+g-umH#fc3A6y!I+ehqeNq7Bkqa(~Z)4s>Hj-j*wD-XiA59?eJYu_8Q z@vbW)Egd>*9ETjKIK)&JD=s(s+`sz{KfVTG)bwZulp(ywK#*ZO2R3|im@g@3?$O7` zFpt2?4x(_QzI?|6Ku0_0e_+#fAx@GHKJX_{k_)s|5)|2Q#iT{fgz?@KLi2d>Cl}SuXU)$elO-mlquW!q4*oMs(MB+D< za}!}z`EYrH(fE-5{MD1|ruTD^rzJI9XThhZtliQNQd;Y!#cDO>k&!Q_2>4J)A7a3w z!Io>0k)Ng)xCK8ybEJsu4vz&2H1eTFRVG(CF{p1 zl1xIQp3)8MNd^DR(KUq_C?z$dOD{S5J1Z5i|BY$=Rlo`$0B{2fpI2 z1*`u0F`!g&v-eh;OGy+j76ghpH_taGu;odw|B=}prWEy~<`k+swqW^(3CGIpa(6eo 
z42S;4>(tx9sQCve!qqHb5oRze>v28h4)!w*RYW$fiN9(x!66R;0hdT$07MAG)_1fX zulTdPG;19bP)Ho@Uy%Hyr22>zBoW!N1&AHfJ&;bdbKOov_zp5-*}hkHIGB`QMUSKD ze^ST}i~Z>4&kCrPhZwH^`Iemjdwi!iBl~&%1QJ@<_Vxrk-L3~`Z8;&^&ZGFz>Ny(tDwj1ZksiFDzlz5@Lf zUAaYiOT_VZ&C_G-hLu1ISKiYS$=f9*{~KN?YBrnO$1ky+TR+CYJQTNmInKl;RslOh zOpEfq<`s8kg$)Zw1#O9Vg=Y$hB=*tdY7R$VB>7mBC>VHzW>3I=Y4?n4qHx2qt+x9% zq;dlg^6-<0uYT!RuM?x1i75~zNDP?z6B8H&0eW55=fjhzKX-ZG(&5{C=MchXq(>Ws zFmc01lmuNypc#g+9IHJS4Q8s}Q>LVYkP8)R)KXwJt@cZ0(xk2Q%Ei^K!JXDHoi-}u z51L0H2z*;pQOBeln6YJ(ghfV6l`o*63-4dJ0#(z85wg}{k9y+`6tK=4a_LezL#<25 zwY04KOp5eTJV?Troqs}v+}tU`-)m|lwUc~18G5jd%2?A@y>5vbC%4KT(jT7A-ajV} znc=W%DxY6a;V{~&4xi%&?&ECExk!|rWs78cjWbkl$m6mZG0PBE2ue|j&tUwJypYR*VIVy z>ya3W(WKQJ$t{4rlo&uWP0ypCq(f3-8O$eim~AF6^G22UduD<d(1di- zP$fW$Ncs7N+CLj~7S5RNm7IHQ==zS(u1#%rpAda3cdoYa&dR&7ptBJVI=v#0-K(}t z`DwSgg6@diSk?TP(TX4-!g1K-U>w*Lv1suvj{oihGuAcx2*qb+=I1)lC&w@&X&V2L z?d^062~y_HkF!(1d7@DRNkW5R(oZ#c)!-!U5tA0~51{Hh)mN_5-2>v);4p9ivj%*l zE-Ws7YBO>~jYx<(l7Y?>9CIiEfJ7yUGoqFV__D)~IiFy0bbjsnQ|0BEw1gI?(rg;* z2n{k0A#65OkO)-rPe_4t7fCG5HP&9#u(?_aV~(A+lWWPZvM>@xJKn5TPc|@mMg!;< z$@e*l49S&7=Y-OaW^1?ovn1OW=7e^}QuFrYpwP&Vl@Y=~VK~g$4DF4F46UA<%UU>V zI$njy<;y;PAMxLJ#ox?q<&481X(<)9x%l~^%g3?}&IF=9qWSntfdod<+1v7=NtzK< z5tKlVv8u`#plssPNj}Z#b++-qFutzu1dRfmf>m#e6xY7HbTx;n8IR9LZd!hGY)a8u z&sfbGeR{I#mA3H4{EDE{Cp1IV5SvOG0c2@)MP23#f2^(8Embp#2C4S>>vXvKUULXF z#^s=z`BwtnxYiN7eBat`3IqIv&i+Ut$vzU)ccBr__%F|3JvrPO3LQn+6(x0u4k?Q^H731Ps$k)J3p#kGy zd=MBMJyXL_Dkv2{nnR0C|C3r~gVE>Yo_3=s#8}KvIJGbpC8z+eA_4Z`{Tk1bOI@4f z#xlR{CL3zHarISjhY2X;_e!)Ln2lAt_vbBT$ zuuukoeBkwJM#dD%0{{N|$Wbiy<-3mRd-62RW)l+>RS0#E>5=frglm4I9WmGA>_}=T zSbF-+oBcKDeydd1^57E9>j<=c@y9u{m68ofdysL9oB8tQ^P&I~r^h1bL6i1rfvrFq zK17D(=2bK`46OBWdqTqE-ZzF4jv9VMh3&oGtq=rckJ+MYx0&=s4wouunxD6qNr+^* z#hZV8V9HM#POvf&O0Lkl7Su{TdBx(Al#8~bIspT<`QRer;Z!76gX6Or`L0l=e-W8P zGDb;2G5+y()cD854uuAP&btc?|RAZAj ziWj{qnDS=|_>>^ZB^ui(FgDD9t(g{H1Q#l}%oMHjIP$zLh1L#UN2G zw%-X{tK#+2;J$dK`6KK3jQ3fdchGKi{Uz6D#bl%~M#=7Zn8(r9%addFVzF{Hs4)p| 
zZ|nU0oMzJD*Y$dB(xm1y*qcKO$fLgIY36O#&_zJoVT{o=d!McGR3! zRe!05YTM@^CMRiNm;a@2(I=eAYqN9you+Nc>D}NRrKV&_jjsz^@D2uF$-Wi&FVv?E z=@el9%LJMW?J099*4^_kN7-da8`LA3p*HOp*vbww3=&D(r%1;oe<-Ri&cz{qNbpwa zY?(xcsZtFjyY5m5Rsy3<&@-hSss}R3SC)r&y5-4PsE|sWOo!T2R?96|<=LteX*3cU~W z1)D}NA5_!7>TAHu6rhTzn6r;9snsfcytKr8((d1v>tgTc*=NCdXvm0Q5`- z9maA@1wWG+%oQsZTDNdev&gz!s$j?c6Kjzj87-VgWFsiIm>1y$VV&3s6e+};8!%~o zBs~Fv;Q!~SQql*RFtNfY_<{CSce#rVx=Z)AT=`VfScEq&@Y`fIy`ouvD+ikrkX|54 zpLmtB-DIkxw+|~pJqJ^;B*Uy7Vw0|NtK$|gY;cvD((xE;xU9+7e7&VvF9#NRn(@T7 zy>4f76Si)bKJ+$C1?(f+?w0%9SfJKkVA#!D; z`N4IKPoS>h{QAL0q?%HkeRkYEJFS?aYIEdf2EgkM5Qh!)LdwKsgvp3eE!n=(d|hKT z)lMq^7iQH84&hW3+H&&k;$6mUzYHvk6 zW!WsJ-kD1bEs0C+9wS)1hQ4z$qop4a*OZD)Ti^`6{sqcvlT;Qo z#o2vq>hPro(-l7WHKY?NBo;OgHXE0gRC94+(xI3BP7FfM-FjK~*FI=HiB9Dn{iw83 z3X>HN-#W_YW6Q*z;ladT_aw$ov*TS=wp2fvugpLIDE%1k?uWq&nz2&2_O_HG?NRFB z7w5>jphfA;=GtJST6W>}A-BjTR(q${^8>_=k=9+VflI+=7Ec}R8qry^n*;AL1+Bb- zl0_(;CANYiu~3Nf@+cO}YUT$bc*>3MzdrB_V{ov44eMj>#||rT25MQn$ToIg+IEAX zclE?&iS@d0pf|r-@^r>Gn6oriujf2FFRR$^#j(TAj+IV_6XAf}!lH5lqBJs| zg2T^_J^Cjm>1bjOI+(1&Ar0%STCZC_%5SmH=wcVu+Q!!>gNDR7m>;Ub7_d7(9dIWp z;hg)`8*nI1b%`2ISY7gg(tg#ZSL-6J(}hA5ocoi^1j3@#(*x!PxN;i`B~#PUF-x%J z2xsy!5}@=TjRcb#>qs09BAplkbARndg{nMc1)w0C2Gp0tyLz(gnmVHo5u^-z3PDP7 z^+=>ABZiByu}+hXX%H_|G_`bLX<8@h*KLBb?S`~=F;?xxh$i@mHj{DTEQ5sWD3n7hD-&0qzIvQ1}N4o6V zTEr1Io0+x%a$ptzV!k<8QD20%Eyj>wkjhz2(_QCvgiL@UX*VVF^;?Y5itKqT`IOvC!Lk zCbKymZZk_B>*JnP$?*S&9%`1Pk!P!mbvb|u(#ZiPC_Fku@Gqq&1=sUDAM=wLifE$# zlCCo%YAuazSb3ITn=>0QuVNsF~@K2KRUP$-$jFP+D#}U8>paV~3ohm{A!|XJNRr zEhO|G?nMpqd{_8`RRbH&@q(aJvd-tYA7&ped!ICWt`)M*H^i-J`)QrVRmPB~PBEs> zUW?90#9#87x)1Iwo<`5!Jnr7O2Z!HYH#?soXyh(=CNH(fw!L12ACm-LrSFnJ-);pF z?4ZIXRi58yGuxL`VtyZT_4=>*SWos&a-`?nN$8vUeCqf2l2Jx5Zwk$g!iCfU~?l-2}q6|duC zJJ9XDL1pM%`nDf#M+f{lJ**t)Bv{EcGduh2WlPTjF!8aVZ)kg#%_?Wl*L$y|-(WDd z*M(!eeE(ClQlGYFr%g$4+qj+^o=zVo=~u~zn?_MD)90IO6|bWz@5imI_ICGbWUY+R z-zzK&4Bh*f+*k6O$m2CN=2wY1sWoVbYbe3;s`%aBsE4*GImxZ%xKun~fAh`KqG4$j 
zg@+$jbyZ(7%WG!5YvnUjPU{uF8_)BoOS544*>ols^xWD;g95aIB@W--XF{MBDT6;m?NH= z209@*hfhFE#j_n0$;iX}o8)0UU`sCdX`*y`0VD0eJ=(ZvX??&>48tZKW1ZV;fikF{ z_1+p$E9?0#^MUKKG%cs%DZW&*sTaGNz@Jr7AQJ7>w?FB1(N!{51m%+WJ=KuA9^W3t zF2+>SNS(4(ZK`xjq9dZ*g7Gv2O;Az#s)|a5spi=F1Nd*>|3gkB%yyCv!+9k%9(iDb z7ao4!6|f!2N06Dy`bJ)*x>0a^VuMt~2{aD9WSmF}GAQ zEj~kN8Zca2VoRW1p!qXmMiC%^z6W5EYaEY=VVZ-hGv1QkgxKe^En824q`_)9`Rj|h zMpje=oQ%PsvwbE97kDYguR*cupUJF5d~0Hhg7qB&oq4f{X59cPv$2gKakFe?6aN5) z)a;xKR|&@?>k6q2s|P6<`xLFxPQI0Ex`D~JbLKnH>*v;nTiC7ht_GF{s=+U%%!wNhiHq^y*wax^Pv0M+6mMc7hk zo79&Imb>7muNZJbj1ob2vTY)3=$KM@RTool6%YcVE+|`H|DXcnG9?G>#BHtsmleX* zJbs5p*x@n`fz;gZ;TO=i5dyP?aiR{EnSlmwf78wW*;Ml=;e=BlB2f!<1Ap*%AYwgS zTf??z-+?TxbH%1aVNWFsQlRl=aOT-t!Agt;<61y9J0_E3c+V#bNC093I^>x5BEu_a zNe-EM3UMUD{tGxIeUw3|`C~_1CIFCKb{l}$zc@ISBRcG?Kn}!?bo&>uwh8RMG{Q!a zg3RmQBj>G2^XJnd;Kw#oOo?V7cvW3b(y#qoXy^mf4z~K=uMf-b2 z`}59#OZg?$nT!gm!!tM2I%>)dB@|Sq^3OUhVE{D-|LdBuv=WIDa7gkV2HJlx3?RAR zpEuG5Bu44WjG}qG9um?t{Al({uk)NOGb?vnPqvE~xvi-`bD@$bj zlM2YDn^JnpLt)Ws`)y4#h*}j`wxVtMDhKbT=aooe5y2DwFDUnsBsC3F`$wTxdMTttq2sZXZ@a5&^$iE7z$+Q0Vz+e5%m63Gs&kL<|&jTCg z_3-OL!OD*5_LBZHazNnwz_26*rt*fl?Y zp|?^UzH!PPFr20Qb~D68-n)8KU#uRonxReHH@)6r)Yw>Es|h($4P7R=i#c}xY+9_F z<9L;vdhcvCNYL$ygayTxb)3@7B!gyhk_GA^Rgp`Cg6pu6Tt+xG|nbW}b?zR1A$#mep!2N0XZ=9L*7m;Y& z(ryqw;k;eT{Xz5hq)4E#SF}GHP-8`0E75nJTNYdGVJp%7(&dK+>OFeKH~a5Av+j=} zZp8;~zl$n&VIyT`Pa~lD9DFxP@@=?EKlp|1 z%7`$s;^@r#1aI?U*$0UM#`a`&uMN$UH!QRxnxK$;+koV?bXRnGA@(YL29&uf?&LcZ z=KrUUYs8sr!pOf~N1`F|U%+pZ(!Ws+TuB>pj%4&(nov0B6cwNxmkJNP*hXrdAva*krzANOt?ycRmT+bavK3Qjs``>yX9GK9hd-L zdl%7O&y%xKii?(jxdYg2i=O9KJP_1d-j8qN+)Nd0thgK}8MR$O##?(llCrP9yI#Z{ zKs`8;-_#Q!W>yYXbiG%cm{JA-Z6DYP$?2&p)OY1-ET(H0e#62=ARDN|7anf;ib*bL z`w0uN8EkwP&3>ZUbZxIJEFav_l`9(q`40)5I2dPwD=k4^=)|=Cajm1RwR%yv%e-HB zt(Gq}(&8R+f??-))0R249ji84Uy+?q+(ar+*3oLEK4n;;vnxr>%_@S!ZV!V<{g|`C z?V9$@mEUPty4f2vA@8fS16am@Ok_{(IuN>LxJJG*|C%G@&&anZr4;SNLCVg`{6WZE zzZ~qb8FlOBIO*y7c42<+4DLlBRpdoINphI%+$-FjMw9Zi8YFv9^7H(B^dzl6SBK zbg{nN_jP8KG*S;C@6}=-4jqjDD=RXX3NV_|JM?T!6SV# 
zOSvLwP;DjGR~amH1OdQ*Cq0NyS2z1JUVje|#g^D_dsa+q?+{~Bh>K32*=JgA#64B;#`ClB~okDwogT*1uVtz??P zE?lUpVKfJea@xr9iSxZr(ya$sf~I)|f=j@?QDE=@nG);;-;7L7#@c1v+A6{s&2hzXc6%5N>Jk-rer>_D0vP+dcP; zXW2AjTcK7tKV55FA6@;nXNRGf!R`--39|~CjT{ksZf)HUFeh5T#{4;SZ{e2MiEQ+E zFML=lOlM#^63KYXh_rAtZ(fayx4(&<^dhEtd*BGe!p!G2*^x=LJ{#n8K61Ujx%zNl zxslMxmGye7tL%Z|*AkI+(Cw5@?JOofx1d6!gj6R;+)X}`29C~_r^qkgc=@S*mF{nq z@wwRWS=Y3&Jukol(iQv?yVDyy+p~9T5@J=mk>m$DevTeL-zRZ{)Fp-|UHMfP;5u`| zb)8v9(BSCaJbC)QA)wjkY+D7_PiZ&h{VEEDw$rAR7gkHfm;nnaXr zts7B|oh`G+#*)E-=l{RzRA8W4AW0#|8mB4%f3OIi$Md)W`>O{p|3@-4`9P&b?uWI(}fPsHW_HV>$Y7x>il8!H>2-* zAQr}Y(|h9(^K|&~32O)Y!&g`RskAU_=^Xq;v_PC+54;1u6;?)^y4DCLfMx`Hs;q06jgzZl_ljs;s{qRK?)%!^Z zX4`EO|MTXPH2mdbZdWQfXSy{dtAj1PGTVJD+X3Q1OMW7UAiy^%ho`OM43ay>*0|_w z>>44yk5dX8^q3v<3*Hr^A3LrvqLtr&E}C%gDe^V{OJ&8#)=g@(AE=#>$t=BslLSiv zEqh4`iy)Jg8Pzj+WV6~tu+AyVUurETyKsF#wtlr^+E>oW-Oo9X#0(q~rXVmW5EtV> zbvq

J~5iccu@CcxZ4HCVuj0M9(tg$l-b{V!j|??1DGz%LgJ)&z8(lOYi`LEfCr) zo&#{<7(c&v!q4vY&eqz&g68#Rs2gVNC{!P;1Su8&633?IxdW>Uedyv66PPs{PeY_jZnYf5m&# z_Y0uAJlSq1Z0P6Ln2@NJ?ltbYH9zJ6ZGlL$11g>tOFSIUz#*LV;_{%z0ukgD3JVa^+yHSQPh-i+&)*JUuyDh0ifmHw~m*@bt3B zl_&7ZJ{}$nq%L2!iEI6~;KPy`vp<*;6 zUE{h{ZODJgC4fYn({}Nd6p&mB?6*wtdo*fayO4V_79ftID(M2`MAjFa)q8rs2(18g zMD6I6l|97{v zwEcnPLxE~a0c#JFZ*+_06f(6v06>4c@k1Ae5^Lbvyme}5uI)P&q?Fpy%zt#sbc-h^ zsq$81r3n{1@?t1TY`t5F|6}b_tXT8n*UC-y%A&jHS&env$ta$6=FyM z?+lw8oqwaEf0=51FDPgfZxY(gb^dMZp}5tZ7~;bW{|TW}R{QB{YNz$S`|k}(#Y))W zN7~?gKp6~1uZUwnjHHhK1A1eGUw`UfylJq*R80~|v2X)yhuN`2HLJkvQrMEFx3S}q z6|^H&UbCFwrUqa83R3`^p<8Y~A(F)?t+YgbFUGr~#ijn)&yi+}dz4+S)?oGCl>#rY zKjT%|Fyb(r;Ox)$&a%UwkbU+hKXGvr@N!6UpdL4yt9S5)oD}a{DHKXaYi@GVP-XdE z_Yv*oUuA~UB$wxl;>`iDGLvA5di?;7vF^i)N1@YHPer+Ch$NpTMDjK!+M9B~zoFTq z|FiaD_W;Kp%ukp{g6@=<(-pIHYJohfScxF8-V4M^{=1SO$~fLT^@F4cf}9|1-N;V( zd$>eGcO=gZ^H%=Nf~$Q7XKG7&d&-GtIKeO5fBm^JdMh8`erGYL7X-RJ>6Z2IRMTSR za1MA8N*j3YofgNV@%YByX-oI*(r6^|30Z45B;tv6 zvZ%A|)ixq5<``wmXVmNE_4FyTKL1*?1IOLtbmphlElvBk5|=?Z;V-y?noG)iFY=W0 zuTIhkcxUI8&yQd~o81hu*@ll(b85`R1y;}qmC%VP(iEI;1efOvS_d!!4YL0Ul8_mb zERy2WEl`kzRtZiOm_G|)`^O#TbG9!s6F=%D!b-U%X;`7LVbRI+V`kUST}z%Mdk$Q= zyDN;$AS`2vF0eMC+z+3z!Y_m|VGZ&hM)upcQ&58~nPJ?+Ui>77lrO3gRWh?GHzy+0 zBFz(JK)Ee)Ictg(X};(MRj{bX4toQj=h6Ti$jM@L_}z?uly!dJ2NP08{_YVUn*+%z z8Eo5~P5Q0m*U%KJNlRC-^xA1pcgf0!8W`)X++ve=K5-tn!V(6eR9({8WrD=0X*d6S zd=fbU*yv|clQ8F5gZNk~VB2^XY@lMrzt0wCPN0k|vHkC}g}MEHpZ*F3>587B(ddgM zLQVU`KV%3z4AqM>Q!j?dE#zO1zNX$BAu!T{xBnz#Mz+EPzhs z8tc4!&V)J3sh)uqw~ub%YSDz{B2CH~v5X3rkpz6l;ELpCpAVpC&^udg?~ZXf%{ zd@7(x0Xst7Bmf7+T40Z*L#Kwt^nP`(>8W zr#sIHip54d#z!qa$<@X%>cHn8kOyKFYqgc$i=-k?N$z3Y($hE;+aNMZ851m_## z61CW`1Z5<;IH#WnpvXDIoM&`c5qo-M|57vre3ERbLa33CLf9SKLzqV$agQN({U2IA zckF*&(Ni^9#ag zcGvH{=}pY6v)!F8V9)P|@V8_KFsn2oUXxhGp3WWiZHq;VICV#wc^;Eo&p^i^w+e8ZF%hio8AZ!Y;N1tQ4l8&lP#a?-MO z1ascX;Z;_JWRd;|mVUF0$X!d*)7|x9ZXq^sP@SCL22jDgw~IB`T=}0e=$(#Q)j>r0!sCGveAAlhJ*` zTFk|0V+@rLQ>(ajN=0ISWM)3d#>T5gl%PJdWl|XGncEfbC?fwf1J%E!hH91xN=U8o 
zFWlx>I0C59uf-kfDwdTg7nblAwUCyLGs=42wBhZhPR>B9>RY{N6xeJDoNmDCK*s71 zJgApCwGY*`KJ3+zCjgx0#d_58>3$S_JK>IymJdw69YE-LF6JgFwIZPoYz$qs#n*j= zo^>h05Uoyr3myET)Mn0YITwJkdFutO=W+$F-suiUNQO@edHnt!lpTTvYIP1R}g^SbiZHDFV+)fLmas87tNR$yXyBZH}#wTO%bu*XSILgPWS~ z$VpH&^Dj;Mf+%^IBBbd0C{yC)|gSd=os<4m!WB>6HhaNa=&^bgXg1Z6_^0oTCj1>PuR(9(% zTTV^g4Q?;X)C0U4Xiq(t5zSWU10C*{P|L48^*>S75ppyWR!;=*_;{L zLT>eFEDtBArno1J25^ZrZt#EAeoDyGE3&@E=i>pKZEr5Gr_7z6#kMICle!@uxsHXlmz#(*yCQYYl!9-vjy7>aeU7waDxa7W zP=R9xd7S2J5%~ufnnu`2x@Y~=R>_Ruwe;iOp4X^kv0ULyi@|1=l^*X=YJnKj87i(= zge6Pi@YLEj-t7dF6Xcslf4UP{ctISP)r?2PI{)(ZtM`4 zAFo<&1fVpd_6Br#CEu6Po0hL+@4I;uuI1}a*^C2y71aVFkZFWS#y{tnsWDSma=b^b zq$qRw_o`9_6x!28p{k%#ec~w7praJ315X?ad*+g}Gv2D@52#YG9Ln_{n({^c<2|m5 z)S5dH*x;p?Pw=Gvxj99be>((nbsaN(y|5x<$EIm(GTNxw=-X|>=FD)7FEsfh;z$Q9 zgE-F@q42n@02BcBOJ@pHFe&*IP^V*d zBQ>JEfZ|8EXOj4FmyO+GOm?MURqzA*5gcXhryQo;WgCNAw4MN`ZR!_CHrFTb7zAI3 z<(LTxPQB-Av0#GERKC|s$nS&X>U@6=G+!J}$*{E|9*g|qVylUU?lDNp{dLTM3E9|n zh1WwHnYgVJztVf*5=fbnW!#IUM zm>q3wyJ2lRWo&txQuf0a1fQK%Q9FUA?yU8sDv1W#M;h;yP}cM2U>mqxi`!cIjEgZ} z3m6j?txUhin#}r-23N8@Gx-Vo>41B95)_b!*8ZQjnnpi{Z5 zGj4k~@4VJ=0kBE0c-c6wajyW_#^=wMGe&}Pnb*YG?7A=Zl|a|&OmFjvIcsknUI`)Y zm+QW;U!ku+UeDXMs&!|%%^6P`VU`1t*N2zF!LU#Mq%>yYWwH?mjOJA?{b!pq59H`=cZ}ORg=Ce1|OK6p%2KTAJ92k;_X>s)l6Crt0|I`KWOwYia)a426Zci_F$yCm%Wa7~wk_e@ah z`YZ?4t0o#l4@6HeQYFgVQCqF9mrZWr6^0ne5%|A`tC9N|!$~z|wOZ@iE*P;ykw;m# z6*bu8^Fs%d0_51axgP{}bGN^>%v8)+p+9+AI47C9sS%5D2->5mp-k6Kj|ZA(98@WB z&nshVZcFFa{jjxI+Vg?MO;@J79@r?>>^nq%N8NqHH-KVRsfLWe`lpkDQ(NiRt zKOJx!IKIF%d&S`v*L6~BLa$4A3VmjZfmEC@5tN>mE+4COgu&2&3kd3P- zKp`|rAe>T04(YIoN9p!}vW{`a=>$E1^%iwD%1(QmC|s|BqE4`chW(D7ih<3FpQidR zeWyl}<>@lc1*?R)l|MhIBB(rn_k!U0{8dnUnD8iWhOdGWY- z$g{Jznodr=Cizd8jiv`F(YE9Y!0Wu$=TCZ;Mxri$^G4?g{g=b{xY?w;tCXKcP_=;q z*0;#sn-YV3o;^aUUut)-;z-qbA^#BS;(~S64{)F=j9>*E3sCIYSshlq$Wc zX&66?qd6)d0|Y~8zpduzU*oj$K_Em}Ot`Y)J{GrX@C<0mTuNq7647Ed57?N;I~V{H zuvBR}1lqrWC%q);!LA7-X#Y)-taajuG67LiT$N)alxoUK=p|diiMmJN0Ip*QNF&>+ 
z+pcLWr{+H}%0mA|dF_+RF>1&U3TbNuv3S6!T)J{;DDJsGXfvg!{yPG5tnJn6G@Imj)~P* z-pmn%l$)0QqBh2azx?TFl5r=oMv5`{ivXW1`gN z@XOV=p81B#`+nc=`SoC;Mz+qkzvk$=l|K_PzZ`3qG|LGE&@<37u?F>0N?LA5i3U6z z6}B>1j$9D-#~}g?tz2?84GldMrB6OKnHMaGlYN{>D4q+nztQk9cr{6$hwtGGlcHn6nET2gl!70%Q1yfsYW{BV!T{ks?RwN5zaF zG&sukgB8z3OZaDfS;{~g!4Tl(lnS*ohe%#GhJ;NFtLx#5mEJwh8@BOk5RO}mDZ1cV zGgau&SR1PFYH0U+T~^`p1aP7VWgD}MIEtXHA125B7IKWM`Cua|f+?nOUg{`kf~JTt zIP+tILYhJ3+r#xot}nZ=te*#86F(|*5h>((|8?s8AgBJGVo-pebQ>T4+>3-{{L6rA zg!rnha)C^sT`H@HkcA?O6#>q-0Ef4LM}$8$I#L*A>RvQViofCWsmCYi0RhP^ayf_* zx$5fgLqSGil-{sGE25jW@Mb=frBW&Isu~CTXBj1?)uM|yq1Q|Wn(W&JD(q!{UQ0LG>+L`%8G-emEl+N^VBp$$7gibK zuaj2X$>xef{ArT8=91YsLmuBF%k=P)Z7#D+Lp`qXznJ6ks0(c^sd=6$tktwiZ#lyr0Nv1R+- z)$9{(f+K6H;PC!0DmTTDHno}JJtsafan!EyXDKS+7R&4Zn7~}BpcM~L2tCUoIhFnh zMt0)&R%!fhChs!dr%*r1Q>kvamTb-dwab1G8b(j7P5O%sazOQ{yklVtO1U`Ri z0VZ9X9|d*CFY;Qp3Q$ow$coI4P-7}edgCPB*BHT$SN%dsZvxc;q)-_qwEI68*oVRE~Sp8r=w4Odgb3J{4Y8sX>c3~j<%&@&e ze*duwnxru!%2)u`S(AN#2rij3^I?JUPN-{`+0)$sEgEt4VeCLgvO$!kV_e`&a%awd zT7P28w)69=YYMylQXvd|%Fl( zEiouTrlV+D<&;goI(u9#KXtw7Sd`?<`sj>m*Hi5ASdqE2HdDEG^ExkTouLoG($8L*m|ZacEWWeEd-Sa!pL`j(7O8;$D+0MDi15(=~7{m z%%j8Y&HJ&y!uTxTGJE`vk#_8YmR+cCBIvzD-O*atc9dKttY!SfTQ!P0A~9b}=hs_D zY@z%GbrB%m?4}x)jK4rmC_SkAP7P}UzXtio((p%d{)*W}CiEE%AEP1#=aGvcsb6d< z6eylDz>c(n{PSxj_|Nbfw2e9Z`Ja+YJ{k9)=|cHmUVT_iLqSF-k;D5tEB4d=s&dQD zed^_VNy{r))uEL<#m)+q^Ul)Ij(II5b4_9x$CG^Fa{^`jQl@uv=@K6=^BLY5?gJ7h z)WSl?!*Us={cYYXL%Z8Lv>J6ich*SMtJ7Li79`jHY^fHZ)C_lK+6^`I@pvI!mL^B6 zjyoP61tOtKjxcqMc~>BVGD@pJV^L_CBsg>k9y)WcJu8RqY|T5vduz<1PR7o;x=U)((0}FGi$>3JwNPez(32rvE74Pt zM!9WTyzeI9M~fT?L}ySrtI^=0Z=tgw@~`5i@DWjIq){-G{A0up>s=yW9G6jnUyKCd z2n;mh%Pc>a)a0R9u&EHO=3_IYt1u=iH)K#bT}NOpm?7#3AbY~fqPU4lQ% zrXDSE1-lu6`~dMY?r9!*B>u-lp`Zn&x4c4+3%7Aik@0!RFr4d6@fa1GOaH4Wm=oaz zIVJHQ0KJXIQe}{(F7OHvwzoi#`LQGAaz8q8N~hDhnBO-HmD>JkF5l=Ea=G-jETiyn zfoS+JH`w_DD~5zrwg`QXrOl1o3X5AdiDZ0OSLqT`32|YQK#UR8LNImebyPyN$7qHClU;7-L|ZLve4|EDst-e z?*T12uE+|1-Crsc5INC3UWZCLpavn=`9Y;WsWVdXP<3sn4N~l^^2gm{lIQKPs@p5c 
zGkFj8jDD!xvx0ui9l1A>!}8<#z;jGx7OlW1mU7}7McGrS6_{(kR*rcAKbQtb*QfI* zbXMr|tfYa5bFbuwl_uB@jfjV9oBn~z!=uCj4^`e)%Lr1SHSNy5<0HP;V~N+(Z=0s0 zOpA&0*`HnxWNRNCTXc9H&o1${%b8w&u0dbY*;QQ7l~m8oOd$fm6tZKLK6Gh65@h zaFx3xdLE=V1nv;;AvubulGUo+hnI6y+^`lbe43znX%&0HfF33gyQ42-Jf4(TIf760)=}*DEw6WDKOSZKMZY>eJx*(=DjnN;S@$nZP3$!sMU;Qi zIC)vv1oO#{-1~m6?jhYuT0~KT9g`y=FL9}v`0H?rL1)rZO;3d5pN&KH@OD`_C{GwSsyi#Eib)=&h-X$W7m8w_UbATnbbA! zl@1#~~4#TO*ywYrHPiQtefsnfV(Ebx8kSA35uj!q)%FN|U zISIOcZ4!Ic88&oIIg~Xl;redo=i+BSW70AW>dk1fhqMR2{&Rt-qSLQ?3fHe7z)T%( z^5ti@OXSg|9>H#-dL2=o$KdIs{Vzx7>r>De>&w^u@rOMV5ym-) zcTfT0DMpKDtP8=V4xB1Em{f8!b37{fh`-jol7SUoYza}=Hu`1_-DXI%+FyPzmS>NV zi@^K|EfZLI#Mbb!6rb*`ih7B7U3>&K^dXxHfr8U@n-Xj^-NdC|x@twS*}y5Kv?mz= zOJmtK)gRx0hQ53`P!P8c=xfbfZY!qq+B237I%9}yyoPB5OeH8G&Nw+AUa#Mz*H6Kq zK}O;b1R^}CwNUWsIrTY?GLzf29TtBCk$Jd3RTY0*zlt_A#F8(cYMl7V_@J-dv-bxE zvL;u+ul2sLS-T(~M^Ei0NSS@G>NyNC-Q)eV0a!06bF7L%U=1gZ>vYm=Ek1o0P@0BG#%@p*$I7XzrT@YSX_sHTbOv#pI(#Em=4+icJZ^oATdB; z7d;ebDp^Cn7;`<&nKMyfqSwYFHT&iF;Ebm{xE~A+XJ1>_kPYJ;?~t?!%Y++2(bqv{ z+`Z!Jiy_J2-Kx2j*P6;|0fpMrKmNzuFUM@<442mAJj-)xqR3u#_h9eh{clyh6!+7Z zCZzOwkpYZhPRbG5II!wkvoAZ2+B7tITeuSVGeysOYvUUXJBK z=2y(QpX%73GA41zOqR0J*(Fguz3HvAl;VHw#6P<~g?g)$w+Q7~BI|vitP7+2Y(b*j zZS9wdIQ_~c2SKyGoEi0@PqeB- zhPv^TK6hyY(;uOmr&v1!#}0P&XZ)GeDOMvTT?)U8_YAv9O;pgxCS=c2BWTzXx@&Y_ z-ErkrSfdC(LHrqgg9>Otr5qIbjvGUZHW%)X07P(#+M&)=c9$z^xB;k7^mD*9AMaX zv{-b0u3^$VPV=7JhP9FiBPT_UNoNV(;}FtPLf)LM1VSM@g_NIN=KTpZNH~KfeXp&ng#^W};YSKG>m2T7eK{lg1=Co_fzw!O(K!6iH04?O#PS zCa~Z(SK->LeKN3;{sK4dERTNZqgIP~MyUtj?fT&6OQt}w_L1)8kvO)KI;T+80C?sXie9o^mGIV1oGU*y-qEQ zCaOr#|LV37x2<_q%8_n)b`*WgW5ZyRt=qxtIU;2vpY<)tR%J`-^!)`4n0?${r{{f;*3S})@cc27hhz2xLUJYHW7(%0OSp;BzUY2@)dVe3 z-#g8H5hEcjqA6FnoA%(Q${M#FzOT_ttB(jUC<$7=8;MI|#Ajg+s2m&#-mYAQ^!iCbYo3HEkeH$UQ41}Ma; z5YPG->a*G~NkfI{6^X%2f6<c~ z=$HVQEl@$_t49uM^jGdr73bsF3?w_g6b-%9+*SKm27o10GI&D1``rV%xeox8fu56$<-T2!|yQjF-o&BN=+I!a~AY|T{&p4M|FW+Il@C#o7chs*oW<~6Tae37w zRCLjPbZEScjBGqtJ?R?I%-skzZAqq?wfdfWK}o7#>ThiBStTbto+7&)LT!W_UKf%h7yAP1>|1eMBYK!orj5i 
z{8`0FlLkek$&8F}u997oOEG*D8_inCedcq*1^oE#&Eq`fguF9VM(_cFPp@+ry9k|b zcUGC0C?lB0y^wsvStaRGcq%pSnr(QhNWY+Gw0nTS!f#-0V+lm zVrbd?TZdK#yZ{Md1}=+9^5Uz%mqOTvvdvdhcv~W0Zn~^YLnT*|8&VkYTqhrxpPSRe zVfLd2k*G1`vuysS|AWKQgp{?)4}|8FZ6GEn!V6ftfMBrkGt&sRV=EcQP$+Yc9D=YC zmi7T<=+H>S8-aslLnT%)Wj{17$SHMcE1aYqi4HZ^26WA%4=HSG*_l3jh_XB)@tRJ5 z+(#ZROO>A+@^&^Zl6s~R=D13|b2l>6#s`H!my|Ec$oVj$v90FIUAbW6|6da7aMG?Z ztcYV7q0tqJXriQ*u?~6u$?%a|;mLC^o*XokzR#M5qdgBYzWR zL+ia4V6xP7+#x%gM5E$Kh`kJnr5wHrDJmqx(}Z#qXg7?uY_SyUy>@TGjXonyb!%`c z@DyZ9hCsDh1IE|;0l3Z-m!9iZvm!j(L{jB5^7KhTv*cOMuqD^!d9dE^c@!QS;YS@v zvN0<}ON0Qxo&F{($(_>u`tnBa5FLm>);_Aes~8!kXo^Dhv=haK*QN7PZ9`gQ=+mb^ z&JD`I20!6tOu<-!x%py{SNLKDIrPPxP9 zH1#MSG^=8?;;o_TZJcRUiLCi#htNhA+9~6>D7>L=S8#W;LXo^D=?Z5XOL?V3=>&-Q&w6W7I&>QvGeAXado{%aqI+1RWZpo~2|o@_*~pSOY_ zSa$Lql7=XCze#T(3~rMQh=g$w!&rrhC+!B$n|;HKtuHGXZXSeY6Y2uPcoR>bTm~N` z-XKUk19Fgf=)>+_G_i~c*z~1ec7HuM1w7cw=kH29TQDT4^%xn8<2lP*eyj~}GCo?& zKXc%riaRdMZ%$H@DYR*Y2d_?NYC5?a%L+uOupG4-RD^bV)WuQg#Om-Z&)pCC>rKn` zcog0rg+N7R7U=>~H>pKXVqn+J6u-wZW0-T!p{PlO6*v|4p;l$S5!}^?1E!Hs6t0Cq zRz%#fC3DdGWi3`2pcyV>s8?Zl0#!D@doWmzzC7a(tq4TlccPfYcf8tE(k|?~V0*Mn_M7vZktsYrb#wuhp{hd)x zW5!0?L@PD1mdHxdFG2WUF~}@6wkWuS_`e9rY$-wblV31X?UFcvEf6!r=92_G0OVE)H9 zU$mTG93NUlNdjV}02iiBKIA$8p3lfQ2_#i|S2)3SUSF^*D%wyUWP6{I%AI7w?>(O0 zg6LWTHd4Vw;F1t}4qWDs;oDw ziuuf2{Y#TzE_+Ji*Bf^%E45eZyc5sC6TWxsV$!l^_G>^z5-uc zu{-(h8Vy}np~Z*&6*6z_!>ozILK?_MyhF|RU%~-4?CwRdIFW@~{f$^x%qJ#aa9f0^ zda5sPMji(ml)SC(*NV*6*7&^QwVGELw1L@< zZiu4`8`~!4NQ1EjJwU@_s3|dBxcUi2_K3r-O318h?0k2s<>p5^ z7vHHD@0ynS)t!99Vd%K!uWaX?o&gjryXslt&3o9bv0q`Lya}=P&_u;hzisVhOgQ1E zxz!jA)y4(Ca%v|Hi=$Jvg|ji`+j|Tz(`#xtvoGMM&~@lVKdtpa`Ss=$Vf^VUp2WY8 zgj+GCp16+Mgsr4g5yK^RUyrYWJd1OmSI|o7Axw!jn6J)fDQBo0Ql zl%W_0sx^MthMALo!1i-pzV?YtaojS-WDKUGiRtih%{l4jo*(nmGB zU@W@5^sv=nXXV}%fjIJtmKk}tzG__t1M78b!*skFxuLL#WVYDy?*#iEFM>cs6sIRa z8@bD4mr{LXOkbG`geF!gKFwvVd6xqzU;KwAGEsJOe!tFW^)5aoyRno~{y4lwKca=Z zUZN*G1UpZ_Vp)q0KNKB4?*voaTj_^Jt$66TXX&R3^+EXqVj`0E_T{%6Z%>~+sph4{ 
z>wJaIR@+;$dEIwUFA%CUt3(rBnQL-+BeJP!$O&Of_x@IQMDB2&l1+)@P6w67@Ke=C!W_L`gB6X zCs;*>obt!A!lCtZZ2V_$>{H>AL}oYslbm_)XzSxo&7TS0t`(}PeAO)_R5(H^#LF|F zP6D!5B%AGV15AB-@@3JX*Nbw!pX9^;qbHM}n9NEP&^y7pG+i@4Cz*lNBhLpAVD}XW zp%fcQ>L$(PWpj_MWPCy|^Zdtx05Mx@OCG=o(BG1yHz+K zuektYS@!i?i&CZ^@rkEpOIO?^pbO>wxw5f-Rp#hx@BB{{WFCw^Z3k0{d#0~ow<`vh z8||KMYEcSV#jczWt}fL+bu?uv2Do*L0;}piz`bkNs6LP+e zCIm@%vg`^DCV!nKyUi;x#7IxF7%r=dXK8e}I{_gTldW1x2y2=7VIJMccELv=?mtqE z`0Sw`pt5VSb*-EbWM-Up{zva5{1(=wR@m&;*uKJvz%{yhRbxr|q;O8AJJF~C^Kw-%8>#AHMIn_ftG@?cR$`A4Zq>xk*}uB zjHm$BT`Ws4iVEiaE7*(2nwO=ZTPvzB4lF&Ojq0lGKZetDj41FKEetkuJK6&d(;p^Lrw8(?@Lz(PV z=hEBjc?GLYt*A`r*BVE62$#4^#LzMfgw()OQS{$lGg#bul|)gq6^OsA$xJ8RytO*Ir}L zB8MgSuUKnJikaMLi}r)XjvMl*CUjX+KAV)6?VMBCja(2#;ib>%~;AY9<&h{9o8iF48R7*6!&cREh18+^HYNQMG_{+-D1aH-nkB@fi8ZS~3 zL~icd)tA#j9(`vL(5uvKl#qx55nl(Rg8HUFq_?&*YQ4FXVIT$z+bruZK95g97+|*& z8s?oo#hv0r@{n)*HgW`%xeb5GsIbO4Vj{qWeS16qkziAOd|Uv`HkPGs_+X5| zngl^ElEY3<6052W#z`0aA8Jl*NbSI6N{O<5eia$a{HSyncZw6$?*<8bg;omYFE*4P zie|W{zm4En^?Bw7U!M|Y>C)JbbTiB9R)Vtx&2aB&!l!b&-n!K~TAgw^dT3CzrsR$~ zX(Q;S6qI*G2x7oN8$GS{U=BwR#=rjq<%R>e+H8S+-8_`231fbFuaUu5>r@9_VTFp2 zuWin2EAh~!z_&LDvtvPljw;bV2ay?(&)ZK?DJ)i%;tk4(&}vz=WxgAPsfP*kpk3Lr zsQc<?){d-ZtUx&GVwVhgr7F-?e``$9!Lqm67 zMEQvIQlwN4ftt5tJpVMu9L>YC5pPzJ`?(8aQ0F^p$6*5!!c~VI@?$rU>(pieT1vqv zCOa<=dJ6w?Q=ZSM>3}|M!_3tqc^;tsc1XEB({@dpXW}}J=cZA(2wkJR12$+EsagAgkG@BmsQTm3d z?Eq;JOHH*rMGbo5-?so~&iD{jV*eYIqyx(oz(@Vu5<5`y>$$y^4)0Jwk0tMCo42>O zDm;gSHznQ4#Ew`{Q1s?EQbQVM6huV^?-u%nSZ$|W_$SVCSKH{FA^Bo^b0O3zC{=qZ zR2jti7L+RW?$?=lYTBG4lE1(Qs9X0jXclofH&J)9+a}50p97)S*EMpuR$M-r^cHE^G)3;ff+BRT z7VCrW+m+){@JTC2VkD8`d!h39O=D?pqT5>qGQu01R|u#P#3%CMC8FGx=VtFcZIvpA z+xscwe;p&ZQd%?(U|2gyiouW4dLNBJ;nE0>pUb2CNN$!P?XhhON>a>(aojI%9#R6x z{21P_L0Z2IL}H;g){B9<4OT|4JZeRe)lrLuh~bQTM*jif zXi1`iyt$Q!j1PJU>iKyHK0LM1G@8{V&6=tyigaE^pRjGbG=5VJ9_Q*IA=!K9aW|9a5jse3T znc`z|jAgpwnr%k{ILdbab(wh0&R}zwr1r3>19`JeqP@*PaX&fVatqW@2V85mS-9hl z)N$Sc1vVREY+XC^HKYoOtJ|)uVWBxL@BXV5 
z%~fKnaFY*SC%7ZSyZVN~?R^Z{DLXC{;@G6#DWX|~Q5yB{vb_!8soH%1R$ytjlR59q zrNjlLLOpjf1-Nxw<)yNgYNUf$rb0a#%gfr^MWxE>ly!(sQ87~=&wvWeLr8TyO{dW5 zO1VsX5g4HgrN;dF6c)8o;?vAnR1<2?I(u^wNBed$P|kG{lgv?lPjg%{Rl$VoS~?rd zA_xjTe`!;?38BCR(0;D~Gw8Cw4LAOXAO`M+)I* zl|0+s*HkyWZ=zNnFP?~Z=a0SGTb>%-jW_ACPF77{S36KU`1oGjHFTUF&Thu`Km$fJ zYjrKEEuYRojLXlDTPr=M*3R%_rH}P3++K~fdn@)Vw`89EEvl7Hi|Ma(UQZHUg>;Xv z9a%>%r(CwY9Cv$j)Y`|rH6u@PUN0+SNG=b*PqkdzA6xRw9WVKU^VdtYXkKsc!?dm$ z3}sK~l5W2L@+^#O2TcI{9h}X=`p|Lbk>p{OdDQ2CB~PK61i>Dm$=8kqJz0bIbnlY- zU(<}o&CNw0T!&3-sE+$u10#a0atdj%eJqh83(2Nh;t<@KzkxK9Z_1Kr&oK6zb*-8t zPD$Xn=-B#YdS*(%y2v#Mz`~&qpq_AttukNBA7B$RFZ@s^cS7Apv-WU~s-+FK6Q#-t zNgbNo{Ix;IkR6;yx=^p=!n^^AwJ$gft4jP-fz=^YJ-`2+6oI5JiL}B=;&4q(n|OCT zvzdXC$Fn@5ZWUssKd`m5i?tr_*cc0X0<*#ms=rw8^j_Qk^wP+9n3+d`)_x?|&;2^kXrEDP`xF+1Q z4%SQ(q2`R7+~SGcSZ28s{f9LKMv_hPhZ+@_nY_00%md3IJvb#)>Q|-3u!ham$~)@LX7mo?>l_Fn&UfGuMg%&GiH%&6_jP4 ztQfV0L&W%iANxO$;DQ!-xMcSl_-cml#kdq5hKoCq2>2(UpGPvyBwZ%~o+<1(eav;q zw!R_4|Bw7VJjpy9O=)ujhbH`-+s_4^4nHFcA&0~3Ff1#XBzJ+jmJhlwv=kqjv?7HMRsnC7{ohgv!l8c09z@dTv_e!evLZFd&rfRmQ-O3 zEANDGA+A~_3Ud$6{ofvo8VK@^WPCIWmu<8XIO^C3B{iAUTuL(FTzIh&I0glu;}6gS zKL1x6pq|6WwCIi3aS?+yfStg{o%?Jy!cdX3tC*K-BS~^3^HtwSth5&`pC>~yy#x?C zd*r2Vd&N7H^K0*+_Jj(9&0rE>u9ZST@?&H|mWv6_v2;j7<$$V1I1zoX9>Fw8Azj!->{3 zvDa#bu8B3p={vyLPT4?+e1^Y!Eo#s?=g~O}nEScZ(S_V0&gmWa(PF{R7GO9I0Mz|B zsXpO4A-W-7Zyw7EaL-G0Du2zfv7z+i^Nb^j2%>T=ZqRO>Z9>X$@&GJ5QC|F3Hp({y z>Y8-5ZHIsG9w(uOqoWXZ9cpgmK@NKfuI{7cVF=xP`0uWi|Mv^&phzn2FL>J2b`_M^ zKJYKaQob%}O1+n|yFT$X^*(9L0>9v4{%?ay4C$;mQ^D~7NKP{lZ%?%G{-m)?r=tfW zox$wwS4+8%oD#lY0xiGIJgl0eM5}btNAm&>xKr1^w=(xZ;Ykb?rC27pK0A=8mzx;G zD)qKgKkFh4LdLg}n^JLniv?u@W8%avazaz_Q|dy*gX{%lr^@5>-4g9mY7a=snn3c<-=`dd`Z9K#D7orh?a{-|55Z8`6n4{AxOddE@Y*G-1o*{TuX4K#(A zMOc-hw9<=^K8nh>;oe`0oU==h{ZsM<%c@51#pceba``p0q*;cyTb2A^+|+F-#q6fi$Rh72TKZA|n+}?Hp*!AuyhiC*m$=SJ6gb$L zfkBTxm)-0glzDLzz8R&%LV|W}q1iwi_-Cbpi+rWz>A??EcJdGwv4ttI@}&J9Vmd4v zhi;9O7KaVm25FxG#`3pU=VWD)SfyDijRfEy(hT8S`*Y z;w9Sz>^|Ydl;jm{iv&EZh8TP>Zusx-f2>a8O~&E|=7p`f0T@#nwMy@mI@PTcXP&;2 
zjbDtI zt}H~-Mp+>QR2;mxfSn>c;0zgYCQjZj&BLHAL_gH16AW}^IW)6|q;ux-$k+p1T;@Dq zsbA2aWeMQEmt#%mwn2u3_%Ex$8XJVUAb<;H7aau2F({;>nRuPJllYm?aYSBi1NnM# zNI~(G7#>E7{$H@o%?t?1+*Kq9)H%3M^1pI2&xgY98`=+dYfqC<=lCY zKaUiO3Z!;QYxSMN-$vo3uB6q!*d(%ikBX8@@``HyZ@&0!@skkSsZ1m!85FQ-y(8$Q z2Jsmm;WL;D^?DjIG`b44F0k5%Cp17<5|A&Sa3u&JEb_GvSHN?@2G_Lm^+AFD7h!)% z)qgJrp#HBm^BGk9fF#VO>8}*~q9Se$^_-$cY7uP6{+b#)B_&Xl;bw3h6f7=S)!Fr$ zE+|eOTJ`=V>pq)B`#%ui)*M(%V;w4Vi)mtuHLiUvA zvaz;d3(`z$s~$^k+N45#(o6#iQ=@-rIEvSq?O_U240KXm$7{+gp_N%{Mg3V{`P|Re zh#M>|!@LsO3#~*H6Lb+ex{egv6!R7i&<4ip)3@8~50#;a1zaP=rrnrmxMWwFv!1`n z_{!u|f5H#S*j~NB+v`o8jezjh)%yUnuwE><>K6Ykd04_6Zst?0o5Jz=M7PN2yXTjS zWOHJsfzshogYtX^KweDd*KP-tGoQg3v*QftY%+k)x0!j_*%c@sZb-LI2~U*moYxpgd$@fpUeqJL4Hj1H2^|I5-HmBq_ILe`-!`oj^xRcla&c# zLsPhtgpYrNRRKc5338!R>YC#DbAw?>be)$d{svl@eMB_dj@ep@--Ld3SdpNEMV7o_ zIctUq@Vh!^1RLo{&t%g9hVsza>jc1SvvVNiCiPl;VIlniON}Atf?`}XMj2~c)u8c- z#s~|@7^yeJ9x2{mT}wqdN^JhI0lJiPL_tmEBg;*n>1UQ+ey-vwLu`L1dgacayq{ga zGR1~(0Z6v0=cX1&rv{0>B0b-GqtvVM!{We$0OgJfw~}$(RK~ z&25pk3NiuBQFv$t8zntr$t#EF=H^x1v*AAmkl^0J050XK^tdG_wn+{h#mWw__xgESFcA^ z8T}u;8lh5?99Io=_EU$>XvSnIyt9xgeRwWlDKUVndeA~kICXL3ij8+E9OV4QO60X# z=@wc$u!_E{!F48+p~|qsHK9eKdx|FC8E(YpZGuPnO+N{N!<_glQh$Ecb|g9zz9!L3nPB3JGJfsg>P0{d;z_M0&rUaDhSgF_E1oB8 zLf!sUHW?Q2bY)TyUnZP@I+ruav;k#csY7JW%t@K7K3nP&huFbP^2@YV)kr zql`m4$%-)WGa8*RIb{9(C@Ko@QYwi59vNT}#s8fhZ{;hNog{mhY4VNkq(k>eOnZu` z3WA(p+X|;C#dFuD8CY1MgfO>Oq7$<+qtJ5g(VixA5woLT?Npf}z>*Sm6*RQxg86nc zuGkRe;)21PNT2(zYay@DrtLdi8}4abu}C}f(tq=p=$%@>4CJsR8O=1vHfqt56}B$u zJ44&kJ+^dIId+5gkzG|&Q%5dhgGZ^EbK)8Z0FEKj3qxzUIQ1LeX$(ue()kTN;o0hZ zP(p9te6CyB=cQvJYl%>P&%TGO)b(OODt2eoK{w4KyVJ2(*5oD20yWB7Rm;nZxHrmL zDt-)Fzll@pQ2&kO=40YQTyXDdJ8b$8)DpW!y$TLNG@&F>NLpD}LRU^j56DVXfBKFC zgF;^mFSrW2?+bCs^q#9<<6?*Tl2%Jk$oy|2)p{x)miD7~IH~d-u415!yFSlIW%Jo& zU3IS#)Qom`Jf1Ewl%IcX{$(SJSU*Jo_YM5{T!S$PR|Vnb@A2|UjT-MA9EQ3 zUJQD8SKo7elv83mGptydY4b#bfzbT96&hA#M(>m|_2sA0!sJ8iV`puB(8vax+LsnS z4^MWFMix-P{$Myhs3!_(GbEEy#?Pn$$pwKpa)C@4>%n=|Gh<597b>e+(q?^bmGaQN 
zDhXsK^O1m_a=O<%Aw_3Ro|oZOVZRo6-}jpPDacBN3yav$*k>dWrZ+}(9=iV%cu3q+ zjxh8v#Q|~Fr0}OiUQEaG@@!BR9;@|g00zm$HQ(!`l*=}8=`{8CXH=bzp_4ftp_D*{ z-K#jAf{9oToYb_9hJu6n&d^#-&n8#x<+LcaEWR5_HopA-N7PkDRn@Fv3F(mT?v(D5 z?oN>g>6R{$?(P!l?k?#D;lQCmy1V-x@yfTBKX9{IGxO&2*6fWh?40k<&uV9T1Fgo; zP1h3{;YJ*}Y4p-e`~qEKaS2;V44m|?0dF)qzdhf;vr|ES6gxq_a^C-*m;M(136}nb z3Z=7SU_P%xz0e?6{Av|DzJyjpS>_|^kCZKz5v|JKM6W`f&W`#J7tH8EX)30+Op}gb zPTr?=DsZ6`{itWV-XlnW4`W5`c*vnXW{UA_J@gg6rdLljjlW-<2(!-zsPgLQ3FJvI>yrY^$~Z>VOg^2M;IH&Pof!}oA`LxE zdBB+VDLB!{jluSzxPb}OAzur8zDQ>J$OcZ!vcp??IJv2|2i+Ye{5ITC)1RmV%(3s5 zmeljb9TIF;!mNDAwkJec9d6xdDn_)R&0MgTr&X;k7KcnqQN_VPgf>R2g!zv?>z?FY zR46D{Bld(zU#P;*CCQ=&C}Z*8+Ado!6A0|3wTyZ=J_F=TIO5d8G*~PLN~a3SG^n(| zJCoxEqZJB*%jM;4iPyHBT^k>jjNcKSR(1(Iacza)sKsBs(1B;oAg|3&m`vbDEfxh` zS}L%RzsDTejyCt;St1`594&8wHT@(wDBS$=(pnA z=*&0uu2**y!nmn(tq;-NjHWEO-dy^*E>LbfcXi09Z z*yny0biGP~^Ss;_u(yPr9@js0NB}9%%G-OMb4lgxg!pVgM5Y9k zFkp9l$fm$|``YbDi1^du^Bp-mYrymfx;iT$I8`fYQ6O2IxOhJNaB+&dqVWU8=i1r_ z#cKM4-vyPaIIrT$#-z*&$n_s##+4lS)|y&QI&T!rsLaD%=+eabNlnoDUIJn6mfitn z(ABB)AWH7>QQHWsy^cNbh8tp8XWPN($8(_4=wr(ep=U#C0J)t@JW?=;X7 zrq#NYGS#4%J1tdd{jA@`XsBr|43islz73e}_(%PLoUoX?B+5Mb$O*B~EobX2Ezk#w zt$SEl_Z6;dVyTc4-%|~rV6UAHMX1IALOTx+qOe6TF~Hla=P3rU1Ihz>O;mJ~=CwRYuZl$Lh)RI$A)aJ8OZ>{IWr#4btfkvA1-|uzLp}ph(k;qhU>o)6>qh}zw!9l zpU!`fM69t{zmSQn(|z~`Q6_|1eM0+N+ak!rgPzF1?K7B*+G-j6P?e%1XG;oJlM8U@ z!(N-!m$ST2Rn$KR18RT!hgobNqAn8IXcp|P9x6y`!ml^6F2csdFw2T#08ku&vAnpBf z=L|=`ChMw$CS0x7llDS?>93Wpab0V2xG1)h(r_NO)Um0KJ(8m_eb$uI2;1o@6o|-a zMKtuw|4|4mvIj&VZO8C8>+Vu9F*O3*vR|t*g}@XyJOsTN<(yo(uJ()d8B^f3OVH@} z?H?#-)(L?2-Ho3CKG%40(%Enmno`eWewIbON)dcgNS`%Ek#>a|u_?)_8Iw(lZ%0|>zZG2!s)tC%M zeIKE>mO2FK9dZe|mITSXIS0*>7gW*l4YZ_17UN7~W4I7PDk)4VrwG{)(j^LisO(Og#g~lVZ~n z#YygguM&@SC7DP2iebhU! 
zI4Ve?CJ(Qm{`*4$fR`EP{*)^I9ekylf7XlGaBb;y`!XMY|CyX6>}#~BjG9q|YH|gK zQexqIMqe;sENrgJE}D9h4eu9_^-3MQbFx(`ZIK%s%MDH%xA7c)-#*Vt4D_Idw7n#i zfMG#T#?i+N?$jVH>4=MD;&dc}`5S_I&Ie6{Sd4Jva0*&3Z2Bu%SH)d`fVS8L>=GOjI6iQEU<`i9kjJo|EO^v>&?@a^PXd# zBl>Lc{YVC*t=!|?<>^yRic33w%Uid+6c&zZrNwtWFxecxnBfxgydYS$%$I*NO?R%T zzdC-UCCSAh;Jb!CT&bMqfFIL0QG)Gsw-&8(aB9;5SIkgPXV)sRw*aiR7RS63fzg!r z1&=smDd{etFRAO9rg0skVZ%G@mLZ=rlqSl#YJWaCq%GEZK?9rGn(V`*le1JOWt)S~ zECj1dX+hoF_d}juJ~t1$n;B1Ly57|!SKa%}N#0B@{TwIGo;=oT7kTEq)@akK=S!z` z?Hw~650}72FRrJPhp998uO~srR^I2UH=9sF4lSN&ZFE06KjBzJ=kqk6e?n2kHGkLn zO=F6Y%L%O>hgp*e;WhM!BZLi{!~M3ZNoJ1Ts`v)~`LrL$xyIixC@!}%|JeFHXi`J? z^D;9=T>ZsZe6dPzCjurk6<>nC+9vIq{$B*krHMbHZ_gAK>{mC{sN{^3l2m6i+K#$e zT=hXCpk=7L$6p~8n;r@3pWR*NA`0=F!(ICgT65hqn~Upd-9BKrX)2GibteAFDzn4w zeyP{(F09}XpH)*d{Y3S%KU+y~$lo}lwcF6J@AoNT%#njGOSWU6Y9dWfZA@W&V0NsO zZm4vE6Aoiezy2=cKeagPyO(Sp21Xx&n22{=mHB3}?Ix;#cD|457eJYG8$EA*H+iyj zc&N89d28DRu8D77AxL#E6jFVWa&ZHv+XZ8j;U%$vq^IdNtiQ<+Ms4e+tDf(4jFZRO zV-~lt`*Hq_PT@xwhJ?ay0RbpF+YkT3W=>CuA?^CWGY+8S{7J+mWNJBDe8VrO&Wn?2 zhKHq2=D}bYJHB)XH@FA;kAUr^5QQZ9ieU*!`y`Hvl9&sNBkbO zz+mp|+WIu*+$mS{bTky0aC<*%)@{qn1O_-!~Q?^q#hDg2zzlRfJOn#n_ ziQ2;RW(tk(Sr9^E{Hu$LVi%89t`E#*14`mr(#Oa5`FM^^*e=#~zy=U+*Q`AG=(xx4 z;0)8-j^|LAzZXf*Zd@;9<2)9|H-z{Gct61?a>~tmT6w+tF6;Hi8y7J3>H0VOLs78k*YdLFs9X8${X`A`s@(H z+OKTtmm+hc(-v9AwIq*-!yM8^^Y)Bsb*iSZzr*icix2*~F`4(^#kMNh@NqubNG%J> zQDbwuJo>IHM>LX*@P?dJVAkN!qH8GyCAjp5&f7mock%uj)x*t?56@S2 zGmGi5C3_2_3*G$+Sy5ZLevXFM(J{{s_c0DbZbWGfq0 zTjYsoZBZIi%iN}zhI_xv3rKF6U(D)TU-)oTZKo*?yut?tP%h?P&?Hp+fd6~iRp@lOpj7|-M`y{)f~s}$cEjwY7dP>IoJf{KySf-%xC+%*nTWsH8xexTPGXt zw`*9_hY?68xfF8%nm{97=Nxb#B*p`d~Y z$Y4)IFvHRqHhFDoq44KMI$~Q9KN2;pTL(a5D*riJouvcM0ftRx0ZZ(&TyRELPz*j0 znR0Oohh%`3NBBi$@~|}}2FMIMooFZzWG9>y-m~tKPdb@vP^oDfE7gl(ru+h@kz*QC zpkWtX&Yyw-z?M4xw}XuEFOi;z8AhNT@Msk}f_Bg$CMo4%QMs#pyU5N-)C@zB_8GpV zkZFtKiSmf!8!OPH*G`K&-!K$;E4bJLaIDJ*8Wy?iPviaiNq@qyiy`v^V@WXPi%E?K zJs}Me3*#gGIF-vRIuG;n9mN8qGHYtgB7p(>C)kKj)?%%1%Z%=L3v@^_eNVx9p=S-|9Rq|sXjnfEo?-a 
z2(O$SnphXnXdfa?gD2|0Djq*o&47r^q^S<`&o{M#al~Sru^R_eiBCe!3Tqi0cw{ED z%0aL9VGQm{0TswI3Cjg}Hl6Nw7@yPeZO;UYX=RtlVWKQGNwGWbY2csK$iMxKJ2DMI zh=VA;@lm1}N9cSVgfkd|G<2HAd?H4ztGmbb8|GR6=?^Od`JaepN}zsd4-{nriKweC zHA?uiE7ynXO5|%ZRS&o1Bjt|*`NKHHe$HvZyKnvG<@vLY6srd@Df_qk3YN~m#A=7DJ9H#-N9nP?`-r^%7>GLwieY4*x& z(w0TlsTRZ+LF}%tz5?%>43SVz#19J;a4)`}`c2_!i~%)(P!%w-r6>il@(96!6JGzOeP4}w-!301E%f~XlGK54~_W>r9XBd{(ySn zNqa1&!r69}4v*-M3+lyQC_j;4N!n~yihDF4dt_22nN$>g#$ zMF4-!&-Q-mg5u$(b%GDLdR1_7l^|fk;J9V95Q#R^9J``{H&7|fv^sAY%#YQ?9qFd?04w>A(VWo|dqP!#Jbz?O zNVgCv-0S!~r_1H)cF-vIWR}KAiwqJGDFmj@uFuW-y%fXoW^Vyx>6T36J?y$020PJ9 z{1j=bIZ6e?muWP_Wpx~!h%p(j+#@>}-PcpT6p@WMXr92iiqY~l!T!G^j+2?BYl`6f zIU?VC)xKUIeB|B@9%e=goP86zN6n*F`lIkjCd`3TX03PygnDz-=Br;PKzz;x`P}wBYVocwF^e>EC8~mAG9jrn=b~hIo$-JGrlH2FR*1A3ZLT#N z=ra83k6Q-rUlVLz_mLA6GbvY^{Uwb3EG>R5eIirn;@$o7%tAvAYS(ztb#${NQPy_W z6r`p|2f=H=eCc_a}yqjY06H{vD3x*%LbpK`8~yRV|a0uG8Wm-j z&-_4Og{9Yg`!5(Gj0=Y>F+}VHfi5;mEo#k(=bLYEY^5u*0%2+dL>mAoaYLZWH_c_G zC=>kqBwha_OuQkAp}~&Dhuf{E8?6_i2m{r`t$0u@daX$u zyJnK&0?Cn}wD5J8D&=uxVr8F1l<+Lc&0{bRVShTo3VJKG=gjk`xfc0U*@UJDf52&a2uJ^<*Gs6Dc!XE#1Jc|MqGcH^05?ABD|!p{N&?XVO^R~ zW=bcVW!uC`UF?4t+U*njB>XV@MOT%$`jTzr74}+fE}f1e#jK8VBPz-!K>yHlpfEoh zI6&dmM=(5}MUr8|j1`BPCpsjLp8^5j?g*1u|AycUDa0IRV58AB&gijzHg4ZG3G}U5 z#pWSsR_6hV(xk`^XPT*&P+i;?h*^XMl#$VV&p_sGKDPsfMy8a=8mdV~tvrH?Q^Y<< zr@RJNSVd{j#`cPvf~|6s5-oS~j3P>9jNzT8%{6eTstXFsJi))gl#o$YQZAU&(6NY# zFAA|l_MXJyfv$@I0AW6zQ(z@zIQ8af?0a< zXc!l4%Fz^2DoXhzH|9ePjj;y7?hm$m0OxO&U8)b4Wz8chEW;VZ2NR*GSl8uA?9rv# z-{Q_wOqcEJcom#l9;516Q`eHQE)Wwv8nCbPf0C$i3M?E?9)01&=P@1OD#KFiv9^TM zbOJsu3|=krPWX5m$^}d8VBv6X+vtcg_-ndhiBl0Ao6i4)Nzr|$c4Quz#nI}2Q=m6{ zGYICvq5!9%+c>lOtyUiMmvsSa-VX&ViL>29$*t6O37dE1ew8 z0|fH0bP*1D!Uc|{vVyMgF`7JfX)^9je}9U06OgPX5(E++J+6nYSHyl^DtxO_zE%}m z*)J_HXhdNUmEg~>&azeYLoLys1f>RyzdDXwBK34p{3;gL+`?B(bClE|3gcCDNbh6% zrOQ{VLfK=T8EbwSVLYF*j?1oR#dih32EfL-hOMc0EQQR(kOZy;!hagX%^8mcj^o?|N?WyBBk!a2TumL(P5!)K1wkW6S4 zuCwFCFlo#U^*_{mb=5{?F^@9k2G5`!)Du;*!;lpDx!>e;1`qBepXf`+R}G&v-v5`<;vK9p9HNYXM|L&h%b 
z$`mJ={@`WWWhZ*EYdkGP*op+xSqg&IW>$f)Z-!&FR|o7bn4LYCLQ# z!d>%lZS*2Wpv(;Zy!3j;9KV<(iSpIW5YQR%wRSc`o?Z3p5tGC3+X%TIe^(;nM9u~= z3yOSkcMB!q7qfKMJ;-GUwIgD6OPd0yL>3mb9xm$1&dDr$5;e_G4fqInp2@d&@q?;K@d#e7{q$^tR9|#CYk1)pY+1Mt`jmlO zhyT)t*PW47#_&p(uOfk{FRl;2^x>4K-w&IRvfQ_@63dC3louLn+x~7gQ8bxZWpCE1 z+2iRj?U++NE&r3^@6Yad1wAqPP@xihCCOiZ zz9g2I^wFaIg#A&N!PL|SX;@L2>1DM~o5hDV(CwuezMk``@X2CV!os{7U4Ld4ut9cN zAy9+{W0Va`eF!(-Ju)~*h|-#djsg0*u3Asz8emK0D8r18XQ05^DAtLx`=~KXKfS4D zLSS(D-Bb^0{w!Be1k-5&3zd*&FAT&B_*f_4=;ESgTP737HjynC+xMhdz>xRYi`4)p zYbj>Bim{+)Ar|@?!Ss(jW<1N&128#2rmh}bsrlycD@g3)QzD{4BLCs84LD#>B&u*< z3ScEfv5{!Zi?Eo4!l`4+4#OtUFXMJ-l+)*V?|nu4<9V9a$FLGHp{H#wSc0|LdlGq3 zXU6-4<{v2n?XU*DSyo**VIO-NAYPo7=q4`Gy9B?d-S!N7RSTcJ8ta=3^8 z)tFEVt`wwQ*P}Q-=NFH3`x%Whw&>dXoX6=Lb{wX*Ndl6drb%S7>UF9!xbV^LvjvHK zxE5C)mZlcgc)hMW`C5~u7AD}3KN*ZU$^a8v4w+aa7ciJ6^VKno60%J+BXjlpQD04w zna75vvL#odVMOl4l`xg^Lw~lJi`I1DZn=v^XoP6quQ-e+I1X%z#X^65M+`rd7h^L? zWyPe7f;EA*Q**zEUks=6nawJr_eXY@V;T%tpR}Q>n%XvtL@l}rUYSLF5}!yudH#r* zjwQ-fCf%(0+kbX}4;-JnYzkMt1ccQf8-JN&+-D9O%oD!3%J&m6b7D?6VGTods2>!H zg&LoqI$PED@=zg2qy(NoMlotTg(E#mvP*~AQH1-Oa*{QF63at;5w;7Ml3F#<&__Cc zZ?ravgcw9~I;fb%CqYU&-!Il|lRwPS)tqQVZ)!z59h_cE0~70#<>kQWl73KWpg+Lj za`t*&n*Z8m%Zw1XUFp4hP;LHe7h0U=R>F8@=E1d<<7CTCqNPIqS}^^+Was?R4TKcz zTa5{4zn6O9Oy|4}28vxpODqy9Q8d?%KGEKLR;;p^u+`$kgdy1CeN>l#en%RI7BdXe z3O1EMFpr2zT!L36%wcefZ9{aa83!ZXx+X#JNXL? 
z`-PuVhYVB9S2?lHwW}K=*=$f{@bGVC(4?|ar*q921Eqn^Wi~G4@WWqFM4alnP(yvHRx< zoO)qNu&_>p^jPTBfTYOB2~3GA1vsfCCI)sJRYLiI9Q^>ESCQd!JLAzE@fXKC?Iz*sXA0Up}s$7bLmd<+$DM+BJH) z@-IK%=pRK|&x3~khP|KH6$Ty-RXpOI?`{fvgU0hBm>Mqk*H>3veH^b>Z+Fr39*m#w z+PjzAl5JL!qp~79_+0d?I-hxFvG%#`%GP^TI=b90Rj$u2pVL46(Ak45uU=?#(;%9E zOwV~-99^}U+B}~Q61Z72nVB23-g{)o>BT(q<`NxFgf zIi_)vQ=w;@S*NW%E?jfOInluJ-f}b-U6S3uE~T9=}cj zbZAiBj#L0Wj&5u}JiDGnMth!E;$u7oDF$Wob~D2WYCi025cofHlg}0tuD-f?q z1~~82^_JyhhW_$It(C0)gCE+AVp%I`1i9r)Ml9;nW*(_6U+dCDf8NQRESBoTLG^{S zi{l%JXH^dZ$wm};a1Mq=2Zxb#l^;)(}anS@`ElNFCm1lb$QTW_|2YXQ|oEM00?`DM&y_HSL(l}*c87Yvgx`hVM1=#VN z?-z3Hj`cwI06?1f1U40O7m2>Ld{|eY4JcHfxcTeNlsa*r@qstnC=r7BZV3x>rI#ei zJ;A>Ur?euAp&YfgBS6dzfdk(Bw{D?0?z1OigwLOKr-c=SKAQS^j_B%YR06;(h2X%h z<|Y`&hCeZ9$Y#==$bZY(&^gT%h`%TwXF&HQHOh`pAhL-JQZPbv`aLE12*WU9SXn~y zgstKXRJUh;ky@It&hkKfXZ8&g4Us@rWgPlwW;PK7JYVTN7?yNwN|@Iq!7To_- z#gI%xq&={N1jGzYt894Eyc&(+l64H?VIHiXUGp@}hG|!9guF>LHTRYpEnwdOUOS;`X`$ zQg79p|D%Mexb(FrVx9+x6467#CZ4S|&dC#iur!m|LF4@Cvp~g8sez6EOShv zB`mlDr+XTVw%X|PgfN8&1ARH~2k(MkqqM1>FRGJ=rx|zr{oRtN|2X=LvZW5`ph=5K zk3+6Z3)6b7dXth{go)-va(9>Mf4F8;@+Q54#50oJfuLE7IzG~c;}b$<7*D!glft)X zkBOjko8RelP&}JCNqh$GBS4M$Y#b->L!n)g;LP^><|V7WlIVsJAgegXv~x>&bNrk& zR>ytwJ^4|6&RE(?l>}7j`M1jr*q8!zY*7T>t1j#B8M&C-BH~$#RJ`{&S3w2q6iD>Lzf=`%^=k|9-t^PBG$l1iIw-xs2X z8gBciPQU!|-JC(Gi04ORhj0!DM2GNeKH12SjErUuDBK;RBFk97ZAtdqPiB=KNo<4% zuo`$#{_+ugZk64CtlXSF5pFyF0mOxZUP>Xa+;}+=lzV^ z;9X7 zEYK+pjgS~xaRpK2-=v2FF`0wrhZO?r4W5lk*%gAv%;E0{V$^W~&PtzTUX`r&jp*p1X!x|%ouq^%=r9g$DRwDfV z&R3LtNWM2{zQ&Zd0x#UbsPM4>MVw}mkUt0(GM>8oUte96&}^`fdNj2JUK5fpeH=BF zlQYZ$1XcfIqZ2H(RqgX)@6&omJ68o%v&T(;_tI!pgKuB}yERQJ;5pODA(N^UaICY{ zt?!Vk;xbT$*VNR;pjsG5Jg~VCOe9die>%&|H{i8SRt{vEvDa^yF?#m0=np}o88r5Z zH=R-U9rI53HHY4%Ei!rFWFqaV5W|Ly7zBeH&*lN*)mbdO4r_pBK5kDqIdws4nIW;X zoT|EpT&1(GC6}b@_gtL+k29Ry1fQr!vq|8Y_p1WU&9c3E8cs8XATh_4+Nn>qTY`XF zr}MI)8)xng=|cF$PivwDr+@s`*<||~vhvmcv^DSy>*!B8yq~r3f#CZu*GOugwrLNVyFQ`e6OMmB!wUR2jkB&5-ggc+v|>g!1FN4%gtH)8qC>Wy~Q$3)@j4{`Y*0uX=S!Tdh~ 
zgf>7te77Y2!b7yBd?z5R>?f!Wdxmuz;`^ z{w>kM;GkK&7a5L+6pA@`^XNBb(H*e7cW1Xf+2@^IlGYH^!mBc;b~dQ6fN?MP?3oo_ zhm>R=mVPa6BSFEv{f#X+euTKMQOIr3B9|NxTciwQwhxUC^`Cs*Oac+T_Vp-{BE*(lm$6hfd3-54cR z^hrCJ&wV$6d#By_XIy~-^n_RFna5yxb-laDSctsYk;p??5laQzvTQHZ+;~ORH<_Mh zNQ@C>iy|>Sz7JcU9iBGa;Qu{Qzv3-UB@M!76tVkpo8YF!J&+Wwl}(8zwyl;iefG$> z-t$8{53=-q*{h)#yzK#NCJs;4?euS3!{QVP3(`Qre3|ed32O?3px^o~#Kj)K=mXH| zRBCZD>824;oCCJ@#=_7z0AOOE`?&%Gn*XJT2JqI&vKe(n3h^vAc#J%=6*&(>SG-#? z>Y{lTeB`N|hWXR6=CBl2BZuU(9I1ShILJ+5I~M61hKH@0hbW|&j+}=A+dGZpuvrW= z-{AYOZ$*#Mg6qH38z~4h--H{0F-5|Bt*Rf7-G|!@f7dhb-aKE3kWh9kYA}j}^m!Ik zgqDKFeB<|b-XvyB@=f^6yEh;bAnnqlzoByCkc0)0&Zg;P83;F7pe@r{%qm~g87sv7 zq#H?RI1RbysG^hEIkB@}&}bP=p(iSu{=ioh>te%H=qWSxy zh3-?{oP9lUFiSfBy#S@LW!zTbZ!O!qXTR$!@Q5xO+kSX+%Zm=-pQ&}hq_8TLl1lYg zk`o9@#YP%P@dQ%ra*;}zCeukrh^x+^SJg{8($I)$o`iyi9JLyAV=TG2lzzs3dG|7D z*cxI;F4b=-IcXH}$@GUNwN#YesfLf+*||0-$wBYZ6qj(lce#E%H$UBa zY_M%#35Qs>Ku-Vj_QUX zIu^r(?1swrs3MqyVwZx^)NrnS67$*p_@;=Hk4oz3DN}sw(u4lR;c3t)sCN~xsM=iS zcvoqTbe*P0@9hqJ{Op=+@DpJH_P7&2P)jTk=_NOX05LqtOfS=qqSajM8_TRr%y@>% z%;1>Y#8$}R6t~VomJ5D$p|AB{CItI4xlF(1z#sYs8DI|0s_@{=LHaZJyR4m4SU_)IO=(?(AAbJN_E#2QO*5N(6t>p34zC>0H7gt6h19 z_nL#NWmooIXOCY26)a-*EC017we=%#jlKu%3NOuKrsD}V=ANTpT#gkq>9fJehvr?9CGf*^sG=_4z zBsxHZkaU>rVd(`^^n3)(F2sMi3cew1sm4=W)FVx@edRvkUFWXrL~gC|!LQ$_=7s9; zA0*wU%*z2BKp8R`O$GuVVc2{wyH6uzRGJJCS-FYMh(QCpdLJ09I{@Qi@N+Z{D4}bi z)KZER4#V;kqcQ5zq@!;coyxRy!NCwq-CsL-Rh&u5rdhQ_F7Yjm)tp1Gu=NXEskSMe zZyr~lwvG??Jz8jxE~$~+`4FV}Of#;WyVzi{VhNFA)Z#~9RB?a{l*U-+qON305l-ru zGmAK{W~Q#-mM9%d)=5@H*yO5UW0Z>UH70~q=lD<3@T1~KjS)>8OJkh+Pld%CTjTtx zvAAFaQf7|k3l%aGpZk5Ps z-v%^IJ}36#<+;Og^HL+@D8941?3#35u=m-1m(IOV0ne{O9+oFeDyya#wT*Mg#PK+) z!EIRjEUHS+Owo<=Pk0_aG7;1zcs-44g{6CNDXpdETA$T)0u|t3=(GNtrySvk9gkz* zIIj{1X3Sv@ZN>4xMozS=xC!9Yc&Fq@#0{S$X(dL~pB57Lj3UZAQ4?jH++`ENO6bq*>LMON_IDD&==x@1%Ar>;W zNy_eElhp66G<5e0<*Wt=PO)}l_MjL3MPbnrCS<;xS|Yy*ERA(&wW$x}ZJU2`7w zxH0&l%=cUbQ(D$%t~s6h;Xs#uS?&?E_*AF_0$U_hfSP0zTv}qnh%fcSQZSi9So&;A 
z6j-M*jIwHR;uxAx?7HW?I%=h*f%-kC%vBaEc#=y0|0ZTjnPU~>*vY3rv@nSXnB4V0 z9%WQ{ObaUx^o|@iAjt{lQn)x2mUDxu6QJeMkk|;Ju!@sjRgQHEjOUPeN`S!BG$Qa( zQZ6*bux5X$UnnD&mQhyLr;652ClGM{P{$}1O&|+=D?vL01uG>N$1dmRNUZN$H~ngy zax!D;Q%keUBH61MFX^XL`+1w_*>8+YGev{|OMNc+HcP1a%MVW{cAk=nDkJdHnM3%M z;k>JuluZ4!EH;0;g^)D+0GfEQkS>BI!tqpNw=PI0;*`_)g?PkxnYnz|v zr$^WKLS~mNReA>}tJ4Q4#KV)YH`C(_M=>X|;kXX+F+WH)W$Q55)A5*KKoHqI?Hyc6**eURd*Y zowFw&x1Fz%!Lm)Yps#0vd--$Il(Ii{b8lRnk3npKVUaZ(b=$C~+b8AcapJm2HH-I$ zi?pYjGXkD0?!Pb^4HHMp_br_7S7cHj^p-~PZE8gIE}BO@!)lE-&+Es{nA9v`98(RV z2BDYhdY&O;y*?Urp;QKasn_*9du*6YSNe6yw}d z4&b(j{P8KH!YiW6RB@4feS?qk9&v63##Uh{LsGfFs1moo420j@1R4^7hb;ya8piI2 z7TO49oJoU5Id1Ro*H@Pr4WTVSKRt3D5!oUm6Co$n3F^w88y5BB?}-KjA}J_vGAUuh z&yf#Sg9U@RhxXK3@&7_Kk;k*ukuMw3-z~Yw4I@g2L?#F!_|Q8hE9AA6j-y`s!otx)<9nxm)LoEk-i}6( zRFs%6q9kaWWFmcRrlUR@?N1vgYJn%_(DXPz)L1XkdR{bkx1}mY^WpqliKNpz4)zC> z1(dGiB2`BEftRud2=j)8Z{)`pE|Cj`OAqt37QaiP0F?H?v7#Ciz}<8Imr&#(6NJ|3 z9!CKgLZH^pwq(m>yiPQS`dsVnHHP^vO232xZ@2Xst1UVG@3BXGExo0!lwosv9dks9 zIM+KaNcc}!#Oe3vt5@d|=L=~qcUwo@M96iwL_QOo{S`>pdP|Ff_$!1*g!K65r&%F( z=c6vWyXC8CThL`Eee>()GFAib?nyK#zF(Htn~3Xe@x2_-MH@j7rn0 z-{wks;`dMfyz_cg&bkN$0=Cg#r@H{_EWR)2V~fiV#z#JLo|chhPdH+z zhJts~kE=(GZZ2H@lNs$Yt$5qwt*Wz8R9x5?wFec91~w!ZQ`Zdb(=!n4IRgn87~W zt09*3FxJU72PRPD5?u2rinp}dhrZRTX*fOdx~skYNHjWrm&63$-y!%(b7gFcs@m;2 zNRU6<1`|DpVL(s9;JsAWV+M1&#%cUt4%kI{-h(S{&!ojf9+cxzSBMMVXM2Dy zF`pAXXOE5Gf4I3NU#fO7JAX)7D7fEO*q9q0t?6jJEq;8j0D0AzPv@+Yu2SBJ$wAGI z(=|IK$%&gY(k{|m4KPUr<9%Pb1oeu2WjU)CezCQTqUMKb)1f9aP7ZKF>)3ji*k0;j z$W}fxo`Sx&j6lV@-L~RGu;D%4)$kQMtRSVpMlNrQ;L{;!&Mvg{S0`1 z-pqJZ&_eh4)>BhXE>^)6;oZ#kTo}`msQVDYrrexeyt&9b6^ai{rB>-C{agk4jFt$c zfd*lSuk_#fY+RLXj+sXB1?}31{FhvA3}kZ(pexrKK&*d3&?c|P^WdfWtGwcg+nCx} z+ct+(DUN~HOs2Zz#jdwCoTSl z{IHm@=T@+O!vYH)y|*VEuui0K`Wv`Hu}x1Geam~CDNplx)E)H;Mh)uUc>~#vg&FN% z;v;;k$@Yd}q4cI6*OT4bliqgP3jqhGCmpg4&eM0iKLZpQ{bK*G5<|r!b()w9J5P0}8Gr9gwFr)Ni;k5<-S;Ohu zo#uLe59%X1$MXi2?Qa^)%@XA(9;5FMgBFer!usc(vnXJ**a0>z?~$U)@BOTI^35r6 
z+!QjnT`X@#v7U^My|?i|1@aq_1(N$8`1i*hi+moJ2faSOpFIt<951j%@*9MVI-2;s zZ{3aNPV9&t%4YC7wlrrsS(xAvy9Hqvko1Y^$*fbtDBG6zX@d z=0|G=R}?H&GzMKIr7$AOf2$1JO~qe`xBMCxRL+CFuEUG8-eZ)`*OD^d(nWaM)LZs+ z@>WHM2YU5jd~Bcc9+PS0sT-@i?k@}OKF-XdKRvCMQl+L!-CH@VBxAlSU+-k5(dpe| zALgwSS*SzqpvrcczqB{X0=S}G8|^=rv>(Mit@J}vWU zthzVe@AhZOZk0I6ebr}M;eeaTt2&pN`S?=b~^G$GEJUfxJ9tGYZTg)RcpeHGwMyQ*T+Bk7jPK6Q6p{@dJWUp&OW5~ceM_OyIecGx$KTWArwEy+ z!hVs`#O8cM=^s#a)Z5jCzP*k1IdwU`L-~^%aLk?JhUNOY$YH1Sni7y1Ri6;cIdSh6 z+~NsoWDmM$0Xpf?ecDV%4A zDI*@7zur^}x>XQGUT2l$h`qTBh^SJbChqOhvau6UqFDI0jrdtIW}aB-Ec9KdRz?xi zV^^Q%s|HUT4`9mx!mDI>vfW!k=;tx2jeCd&l$RAT z$#9^n?edlr_kKYJzuvP1nAoxX`2{m`x&2v2*9v7 zo3F0?iAbAAjlxXHSzD&3V`6|AXx;fAKI*bEhW~6{|NAXHz9n}^K+aNFrCryx-vV4) z@|#L^l*QgAMq*3OB>V_*dJR@2Qok?UZQo&a`fP6ynvF}a?Os}Cq8W`=+HrOMN7OZj z*V#1TMr~}fjcv2BZQFLzIE~qy*tXd?jg7{(ZJprD+kS7}U;A9=>~%f+%+BuIbI;Cf zGu7kX@0~RS*WK(~AupdwpNFH91L}e2Hj;L@jDC;m@F5|UP%Zi%@j)cTgeRw5iM%3x zl47(%YJ^Mt?~#N5j%i@4EruaEA1gNTTxXdYQ}?MKJG8NSvf{KWl4ViCd0~GHKK-E2 zs6^+MA^LFlI26BYB!q!-p_#Hk{3*y~#hgF2wwfoy{l>dS*sdChv3lF3pL1*YSQhTr zR{l1962JFYrGicoR%?405cQ7&xbs||9MMj!7(<}%EAH1AitMr^4CTj& zQ7P5}OoB@6q_scdX#MBP#t?m{YDwv2nRUPx<{hm{dAVWY;KipAsevV~l@5`fOfLor zKe5Q;-P5xffZQO|(mgBGO3-FCzW)WjsXIlEF=o_aG#_(9M@7hi+rH<2cX~-?dOtjX z>yl5}`p7ikiKa^VXX^&IZ!f8mI?mq@5%#Gr{?O7lz_`6twuHf&cjistpmfieBQ15O z?Ortgh@<=8=yr*=-bQ!vHo8SlzR7{RyJmBnl2HO#iUSal%(*`5CDma8Fh4Hs8cB@% zkfi=Wvj9bkNZB+MXv0k8jsivO;}K~$kj>=y18zE!y^5Wu+kbkBqV?NICWb% zHV3DkwDdR8srMkp>+RZ9ZjPrXt+vY}@Zlq5vW~AkJ)}$CFPeARtrn_aO#*{W;^baR zLJW>_QaGP4U!fIQj)`U5I=7OG7bxKk{(jKmz|SqE=LH{l9MsEXyG&HEgCq();%^Z5O%n<=O&j*0O}t>$t5%bV}QcmKXH z)7n{`Fa^o=R;?}|T?yGP`)fN2o@rW<{PwP;rYMpn*`u-%B#9zwR<1B(D*6L1ZepKOdL2+&rm3&cgOQa-<*J)X;=3O|8X=;~Fvf`*RF1Jrwu z{vK|OHQZh*K1xcB&a@d7b#%oY4?!s6X=?45`YEOw@9u`VE3KChu(CtFNjq+rZ#<*d zLt+}jppdJONTQIBu7KQ4g{@*hKd=2?O&)cJZCX=R$HaaOnN$*@$exC!*bZKysoI8e zw%1u1Z#*7n_m8jEC?-a1Z88wUrS6HC$M;cu!EuoQ<+RnmXASA?)Fm1Q!r`{h%op$S z8!Cs#3vlJ-935@FXMg_8gukU@Gud?EeLhLFU9yNNWQ=(xXt+5_eKfvXJM(#ZS~Pxi 
zZ>q+7vOkQlakaIH>Od_-@R{nOW80NU{8`}bGcC&WVz-vVfq&BId2jGkoru%Y<96Il z!%Z9SemFSb%ze;*g!0%c4d<0Lan~O_mrms#=5)GUjrOQiFtrK@R^%D&$Ur3>=Sm;^ z{v71~Ci5Lqk0$=>-igJ9>*sG~_5kIBhwXwk@7tEs%yCZj;j5_?_vf-kHogUlKHgbV zIvpunC)ZEi1_=X}1=5nBl%gb~;5FgY5tj`*_SQ*+L9FVrf$7w+tnB|WnunNJX$v#3 zV{gh-5G6)bT}*UvD9{32$+lKIatLD*C+%BO+Ag@jIC%hCp*EmbiyfXc!^m$@VHTw(eS$bH_I*f%DQ;ngjMZ2s5aimTO8q}fBj%A-(<_DTWhf8-?a&{UuNhXQfidP#`v*wvq z%jANlI)#%t39NSpQPx@WdKK` zY{8X*dARlB-GT79*SZbuTnx~6QFnJ#P3^!-nc~ZoUaYa~a-_mLcZSLPImKo_RAfSt z=k4X_YN`r9p6Qu9?vH2bif=V16FU0o>C^MMN3Lx&AL?CjP2l(Tx3lU5_8#C3M+uOx z!18Lmi;9<<-Hs)`C%fYYaC}~$r=m047aLaBOumF&?>X(3=iebns-b~)~Vuy}|nyb22 z)9z0a?C6Ybp2Au#2u%}k1u>zuJRiWcG+<|XF2Wa|+C>m=a~&>vSl}1MX<@sFaFO5< z)-APG{Vettj*m{*mzq^ai1_Go_h+kK1z{ZMz?&i*k)hA`}&JjK3oK$XGR z{~uC9-)I9HUI-l?n%b>EPOq~&a3qOwz)o@|!U%K+ZLes%z@(K_IX*C*1(%iJ9b-n< ziS7z|vs~$y?I>e#R}+NC02yNmUmUK0Z}&z7ewNiyBtGDx9U+rJs8s;){-)p?8#<;) z9%ZTj#h98rObpM3yk)E2#TZ(-DfG8s5aahFy~_{`yV0BO&7I$+gO3Au0NFW=*9+>Z zUv9UVuNTLPz~Hly*SiI7+>W0Z=f`}yb;%*ox1Wwx6B{Nn_8SD<98}n^&y78-*qe{_ z@(4V@v8O};L4-4QIHy#da$|6!fJC@>Y4sFFt>&n17pZsnDUD6UMcR>q$29Apkw;)o ztfOzN0<)#a9W6*f_H3@h%J9fxef!`veqxp>A>e#>w#2qJ-r&-lyy*qpv0sNHQ$FgxNw_{sKbTA!A3t>1ogkIVMv`OZpUL$!)lkwl@CKqx=n|d zxg?RoGFO9p>G2NVnh!GpB9dQ3B?&6ko88o(;J9eFZ1tdBD>obePRD5hy{jlsG|cAN z;Z^s=c{Q)+v@CmO5-TIw2fkI_i0<8zXOAhy*yNrSZH6v)T`RigqogK+PP=QK6(Ev(C8-E~&*cWH0neYdt!ZUv z*!Lc~Z-%XHfMjRim36x#$FnXAe^ zcQ(hi?v2^AjtXp1w|*CgE^%0Q68x^>a60k{M{P^cc+BOIQbgs?iG*~J4TVPB+r-O| z4%E`+eJw;I!GP8kERK^HvmWPiM&+0i{S78Lc%bAvc0q990IGI5frt?TPV7Ey4c^?9SogZE8MAit0;>b&@&;G*esML z9*CKMrqE~=xT!WbGCe=7pUD%97x15N&>8dnhwdmprX@$@r_9~YQZ3Ev_8WI=7#Q8p z*K>CuB3QQloOnT{44VSe2eaLbD#S@Q{@0xVzF3l_H6HEWyr~Muir?X00F)Vbh!18W zWHQ$eY+rPMLuiOeVLY^xA4g0?=k1cu7so=-RT*^t>@F0NU44?YdI=FpJ9Y&uTh07x zAs-o37~OS3YENHI;&}j8k7r}`U00`8QIdt<&jIed99s}cg3h#+zs6eczsrO+tJv@Q z{YePP{58f6&voV2lPs!~jFSsVDNYh&j2<~esVX)t!puFVKIZ4eKcDYQW8l#EWH9Snly}pHmp#{%df(DN|G}kd=9OxPzqM`Ga<~hvMm3c zX>OVPP)h!Dx(iY0fkcs6snLD@#B6DJh1(L}uHD$s{^m;8g 
z|5}7gNJAsnE!EnVH-kVFQMfQaSwTx*VW_U7RZ>FhNF0Og3IfAb9kSym1G5-yODNQj z07#qfUC_)#-w){LIVKC|`w?f~5ta%2CrI(nFOG6%%l#78g9=Nga)eSwk(d+^Llj>^ zD3z}OamF(rN^Iv#-ctn&wsa!OI5#a+($$8=w|Hm8jFtO$ast(bgrDRM5j-^F!avn36OOc4@`MUF(SqcWcVHcfna75xOCk33 z&C`8PsNS`gs3yisSnI76)|*lcWSB^bw>0a0$OZL8B){cOl*?#lK{-`xBuWG~2_44U zZXpuL;#tHHjFTev;uUc^=z-8w-n3PMwl6nO{+rLZ>0eF>+TDXzEvHAyQotf86#J1u z7;|#@r6Y)HOj2ejEl^blv_bAYjuhP}f(~uZ0wY|u!@T)TL%1}6w=ryrXr}a=QR&Vi zb^%0F{O%{iAIq+QbYcuI1(L9S!XlR$w=VO(z6=Y1qP>MIC2RZVMOsN&+@w!DeYDMW z&j-ju?)^4?-rqu#rZ|uqyop=M5Bd!Z&|o0{_^u8_Rv<{=yL}V@oSN$Ow z-gZcoOXg9T7rHCrBnL9C4jhK~NUvgxGEEi0Fw9%GU@3|Z$ z6SoJwsW_lu$Jf#03Pxis-))k4IU7Z(6YWzm1q1$gKHw zamKI3*U{~~MkAynA+<->fO?!PSrWQ=BEjW?Yw$Vh`qNNKe^8H?)wDM!LM9a|@0ic? zbCsW+X*oVJK5$SxSR&An38Z~sW$Te;M0RrR`>&}rRhe0aVjPn#hvkd5%qjAOo@p;{ zF@tZ9X#j29Ra1DZQ4ccG^jV4yZf9&>*`_6$jN4C)vf$9UBk8t!jzXXyBT2R@45EMI z2cBT5MBr9Yh)9kBMO2iOGIA!ihz8PzayCxiAz9EG804)Ft2hLH?Lxlei%~Wr$AHEZ z4#GD!!SjmQQK%ImHycaFN5m|Vd!S;W5K1OfOQ)Ht*9@zCNdOZ*fiV8XgjA(%zhjN= zr)if~Lx_5B`O^zf*!DzepttfNA<_Pn z`R3_ZapodOxdJ)dR8Tq2(sc~+8>Ct?g1>m7--ji?J0SX{VmCLWK20Q9_DVia8?Ov8 z>auV0f;TS~vurH-N)5vzminy0!117uY<(V2;M5bjX4gIOrDh!U_r=-nL&vL!=A5&h z?kTH-*5|pkK%~-ct2!D|W0+vi#4!m5nv6ZjwvH?qOOY(QU&fqSr)%bY%l83H?fMfb z+l(SnC(n7vt-6Sv9FOFxu`i>UhXpdcE!l ztQRxCu6|i2#ZO_jqH`^(e41OskMi27Yv-x_u{LZkxs?OD)gwZ1vzC#`=R!$shcZTh z>LHXTFQTtVXdGZcihDpAPfTo?8Fr&xMB5aeV^axSWMzRx1Z_#YuNWi;%%hH*2>fx_i^ zN*hub$hTg8@23Eeu^!sDXFPS^Y&vO-+MPk{!13@^caLswS4UVNL1w*vu0|K47@r-W z6m#}ZB+BVF2+k6jwQMj%Kk~N-PKIM1Gf7Acx2VSUM`Jh=w5<_jTeoq!t{|5G1a>-5 zMOta17XBu%#(xCndb`uv2_#%Oul%;5d(-tAd=yA>3?{Yii={Y5$@}#$z;w_f$O`cC zW!wZC!DLOYKm(98C`JunO{!CzyfOvg7_P0BLCJDdAt1hoUlhj%K9N`Mf<@G)vF`LV zW28DDhp|0VV!kNTFWZwHpGdkTZ~5ytg%u+F!2ld6x7XtHQ)EOLyuio#n}i|xsk+cP z#~k@&Rcw7_s>v5!apNQ=eOZEc2*U2TeGsd9b^QiGwnpA$mB#U=WNaemn=x$hdv*a?g28Iv+<*5chWWeV(H4L{~Z8S!}i6tn6yEGhH9>LPm=i zRYLj$vjq2b5vf(S-2GgSfT|=lu|9@&7Yx&PVpaPozdu(2hH`8+oZgoc(O^ufjLxVuhGkQDwMs=QR$Cfou?W}7 zEbVDO<$)zuX5S%4Lqs}G6vlS#?Sw}O%9h*ci8QhVTI!P&r|~b|()*JnL9EjIvcIuQ 
zM!n4V0528B&033NsTe3}M205*h<)gTX7r*0SQtf?f?Z}Qtg3P7_nC}ixKtl3eJC@a z(G6zIP?;oK-Ls?@p~u^deoJ*DeG*qMes`hjQHBnCj-+GiA)x36z( zk!2!YY-U-ePYVpsVHav%QBU@S<>%xX?dT|u(JYR_1@!;6^ zNa>CCN8#~~s&sq#v#aqhO3C|hR_Bp2RKbZzi3K%~quh*@GAJ^z0D=9S$EqNIsj1i3 z1rH27aT_YlYgOcreF?sT&gV!-c{qLiEt)ls*8^hl)Hr*7{M`Ben#z$S04qG)W!sJm z!dRozbR!`Vi42cVTjtJlB}R<+TFb<9i#P$x)wDDnVXeu!B-5ADec#RiNW_nVKmfCdUngn7ANT<(%G5;asmwxkZ#R^n#Sur$i7U8BYjoCp3I+1Z z?fVKsz~k``5Sb4n5Zdm3f~xn#0klu@A)h+&1&N{`uQ|~89rk;Uk03JOkd*uu*x&HU zNxsOnAM4EzHlP<=e+djJ)%}H-dXF)&ddgCl@Wt-czvmf-ab0)cY;~6V0KB;wBR`O<(_Yw2tjb!MAc3c zPjzZF;8q>NzKxLSaMf@q#}KX<&4E0IB?2ihVWL?_;vDt!F@cBX4Hh$x2*H#N9tqc7 zc{YdFWI?)|YxronP9=IQD+{W@!eduqD0(0yl?oL|Oj{D|#(;6YPMY(r?xzP_`3}F9 z5}mz#8*IoS&TkdQVTZ}VX2KjB>>Qy~q}gKX${>p{WL~hu#v=Sccy^`r38VmS{5qkV zOOu>OxnX;5H*NcLJA%jjuu0xT_YjM6y$&-Dy05HA31oXCJe!x^?a9!5QAUqGwKy>_ z6`av-i!cMmC^sC7OKm~30GJBi#KuRhkJEeZ-Kn%#to=%Z;vEI2-^-d`$<8LZrLi+u zX#xi!R5Nq`6_qG$!lTxzlo!4QN0e5DQf4q$HTQr-6Kl^BKVlVH+`!zNU8oFNe}P_9 z7zdtm$D(7So(stB=sd+?8BO~1s)I%sNn;L&r!LWC&wzB?h#B1-w#M+6Mu7UJgb9`$ zW1{*ji8c{bsU$zRAx(^Qzqn6o(U0fua>`vfcq6Mi*YFm>59McZC z!CJ*e@Ln&K);sKsGUh3}9K2VP!yq1#6{5nGi>mD%+|ex>dt6}#~uEOfRdjFLd%i0zz%?~xgd5;}=_BSQdZ=6H9AxxOEb zDH!ka Vjy)>~{eUrbCeLg4K^#h;Jm2`Ih!TB8**Cd-&_7rd*ErOSRsPzQVQm*?u z^4zG%aybN*pR`l0neE#bbFtg6l=V2*GG?VpKVHnuD2o6}@MT7gR}mCvW17b-GfGmb zKPLCuuTVqd*%kfDCW3VTJ~cTylzLzyNF!Sboc+Y8I?EJt=(H>Rv?yvsYQZH>RJc&* zW4}m>H#WP*%lq=&uB}8Yy2mG8d~Ks(@B&AmN#y!__ky?**PaRZ|%1|?F; z4JbzG^{?&VaQ|)u7pMnoLTC|>mbnRy%WmOLWDJO5U-HHh#`s|=M2*l+QzaLpWd~(( zZPOC!CDK5YL@_PY2!T(yly>`&0{9Q=IeP9)@^(c#jRV^fF}95;-07&~tv+}4r2Ue( z27MLd5LXt)4sdQd{5%O(#={4#eG4kT{h~UYagrI<$off^IJrz$TvV2gU5bY;{AFYy z(swM{zfP_9dSzYV(3{%m1AwMCkB&!pNAw(ncyMHMpQ6jK0GxN(V$uDlS-0{Qn1M_7`H#9~R~b(=^i1^fov zGQqxFj4=?lQx(_5~jkY00N;N7i}J*1!FyL zV(%tl%A9Ty&i@HESp)vq6orwH-}b3M1Jb646Q6GcihLdu)*(41A_dZiMw+oamR46Q zYf-%L26QI!rbkO`95VfhS*}@b4RyQ530ed=??U++*KF#dwa+X^YB<=1IqFpf-yz)U zb^)VSADV`Ja-t(h2mV6_qW}UyWLdA)7j%d#%%M(jNwB0 zZz+ay9R_g)IJHKom9D#5cAW*7Nk7S>(#lRm@miC=izu 
z1NXS)xD{(T5A*EKrRWBa$*;q1d%4l+V6uSWyWlMGc3`JYv#wuV<%SOmy@t$R0mH>T za}*5MPff{U^^&H8PQI3V-CK@>PF0~U`2T#MWg(arSEb!aE410(QcZF2=!5r6hLaHN zV64%iyntjzEhm!n+~+BfigeL`w;x;1s=BK~lf?(Q;U$?*sust&oJUhv>LEvg35qpd z860C=86<=3oR68ZrdSrMr;5d+Ac-?r=kxtHn;S=(jJIsR!*l;JlPCZD0zDUA>Z_Ah zoSg?a6r%`s@M4h-H3A?P0C@Xkn?}&mK8SC8vq$Azm-7=8MZD~5&&N<@n+gxsh|;{& zNe~xN1HPI3<{C$exBbO!$=LhKZNMs#T7EQ9+Z{AU%EfXOEJ!Zq(4;uy96`E3Ivf zRy39tU&yDyLOw#78A>1)n0XdROo;b)WTVh3e^*)jdUXqDXQujZMLX;kEehrMk54Nr z7>ex;2VVg-Ryw@WseA3MMlKhl6z%oayPodOqk{(lx+=l<&9jP_MUDu*W4v1TytaMP zYX}=DOLUdHV{CNkWys9QN@RxF#!2mVex5zRI^T9yq@h3Zqw(4ha1VspQT|Gv>0(VF zsfs1OBln%hHkDVTlnXE!G3;Fs4@DTK+9>y*?R=~WxI8owc$+%=Yv+79-p#8jFm{1k z)*cPl=$o~r#PkB+6}!fZu%<=0*k|2fuO^h=NzBwkk#S>$xVaNk4;6LdSQ@Z>LY$34 zyqgPw<5V-G$nJHCZ-zV{Qj4(CF0>U|Y`cXKCEg6XYbpgPCL}G+Spy}8ReNTT(wwr< zEVql~@_nJm2av?5$|FCFdwUl3>t8zqr@Vj&NyuGIIXB+K1S)*=B-DpvOj0lm$qkVq zBa)z5&rQ#69l%Y!%7I2!UxbpA4^+Z$II z)d0nE4ANzTn2k1FtpS3Ih;9d(`cPkjKU-!o7{)o3)~`xX&==l$K)M*JzI8HUXK6y5 zxC)XAWv?a4Fk_|O;V+1%|Hd0kvaTu*`a*sPNfsHE6(zjFUqmDjU`xpc5gsJx@iZFMd$(J7`QoL%($V4b;C{!4Pq1jZhbu2ll@QJWa3Oe}-FBE%t_&W^Sa`Bk zh4b(>5tX+6l>{}qRxrnUa1^bd(n)fKbS4NsYDF0TcmGW3%)f+A94hryYFA>6VHOvg zS|cEA_Kc8Y6jAZaeW5>cO2|VHtu~O& zW)eJ_*m8SN_*N~!>+yW*d1|X0;iP-`G?&da)4LTI`pHG1)w7XF`~XjvR(p8RoQyU7 z<27pjHEvKp3w`!F<4Fh^K9Z6Z;grZ914P(qyol`|Li~9O-90(ZcP#+^=2;cE-nB1Yf_B5ke(h)wzzA&VE}JXTz(fN=gl~ zkpkaZaZa@}SdI9+5fP~+&F=OO3KV58*l_G(nBdrOL;PGkfOS>~Ex}p*IFL^xnFEMI z*0Gm&ZUR_?JqkE=f7n=m$D{1iglXh$PN*B;H;D`Z|4i~m02eaP{N7iA(80tRI&W@{ z$UPhmw!P{(n`8^?h}0X_J&`E)rZ^*;{)y&gHv^%o>2G0Pt1FF5E}bf4YK-myfi-OT z4|cbwA}%18E<7DtDP{DI76nZ|_z6u{rP*6A>ZZA@9vL!I(@SbDBwO!`?=G8KTe82p zTUmj<2ty3L0osnDuM1xhUq6Bm5mEq=)R+Ks;*vdbzS1U<#BYh%Bq=Gsp|v;;gZTgH z{(nsWVvPPO0u`5g&nB|fQl03ge}~i_WwE6VoYFU85PSIvoO&M4^eM}6$?kW&{s~mI zU0dkjbp#~9WuJya_~p3XMxk0?NXGZjQnumjIgAGR?^jpDHGV`BvNWTa%knn^(3LHR!dq$wDfnqj#om&zX{#M9`px-PS_bkHs|U*K>C^E3|}N3Yx4@Y|Zgm zi~jxuN1@m+)K7IujI``7VT)I?pKrjL+2ROnML759$=~29Ek-O+&nFQwHLx&Lab$ax z&ECn^bZ=jZ2d9No)IPYaNwi;AZR`W 
zdq30S0d~ch2cN73C1R8UNVQc$X^)aXVKnxGIv+5VFSh=g=v_no(SCW#m-z?wv`}sX zUU;Z8!K;f+Du*Pt1~K97RyOo-ffTLcbcjObWj8smF+t7bcsV+edo0U5zR( zIN#lz4qs+JRd{{d;dp#rm{@buIW5;!MfmMOqNT7rfkV&Q078+o`T?$-M0grU?{f$$ z*s5(UD2>&;V}7CUo{0- zQ|;)_y*Vff*0)3ddP4Abk+iCRt~K!^?+`wwuJQvTo)@!253%>j;u=f@Q`~nfB|NHc;%F^( z?7s^VM(^um#at^A6%@4WXFL2&kI38(h96l`>X?xLcTiG7u*RtWM$r=)$KL3B(Hs&B z=5SBv`U(Eum07(XE5E=q4hz9s!9a--L4$bwk0537sk&B43*x7*&)Dq$qWws14feA@K>>Gb~AOUU|TY~~>X zq(P$Wz8p8=X|WK|u5?UvlGP?um4TaWkignuGv(@ZTFxGfN1K<6i;Lb#=33r7DO?3; zn_?WxK6AsFHQKhMAyC!NzdTy0vnQ25_Pr&zRN$SSYC*ZKUurdtiNn_gYC&vE-HqC_ zGd(HLgmmtcj-mWvZMJ1r=zpbSgEmeDj&;-?9M&9ttFcn!?b9pUlUev7HC=b$mYm3v zl%dQ9Yftv>#4nq3$eMkHf33iy(eItwlD!+hi$>_qn&YjOq;3v`Bbgp}xkz34Ecs1! zxsw`Ond)=ep{eU#ZzuMRCK<5$HvRHyB|e-&`$DO_G3v9wV)pe{zj}gRJPf2Wf%yXw zHhYb%w&gd)SzDKZ3FD$M`(-Y#N?od^3{YU1`5_vCJXqsBT6kDiUX17tW`a5e_ucb5 z7meIse!{dg`bE~S9GGYr6lywewI#Y2Lv3w;Is11+&2?{wvsefYs%!f7p2w01bMpVPnO zY*`dZ6N?uXWtmez$m&&M^gd&}LraDqI~`ddNaq?K7rR1{EQklbZpb{n5<35ICDLMq zT+4-IoELhE{6pCo`G$8;(7qIaT>PY75^+)%1$f8He#2fDqMSkOQxjK|cX=iTj|HK9 z`HwGxrM_T;3(=hebfPn!%MtN2h9KU)sGer2rIPicO(V&2`OCA)%jEu%Uhevkc^Flp z`B#pWIPpZgRX`B@&_R@`P<;O9`T--wc%^H)4gJNmrNl1!QD9Oy{;=Gm#o69~*9v%eozhU1d^1s|)O7&Y!2Z@gZ0C&_3VsK2Qt!!aB$4FI6?v9Y2Pu$~omb*@T8x z=&XV~dl?l{kSo+sLs+tFoSZD<5t(wq`}WIQ&jT*sSnFp(gB_-#b=`rBV&ll9-~R{y#nBp)O~MoYd&A=||T% z(u?*#MmmOI5oVE|k8Od$Q8as?ZVF~@BjCwIUHaL{GPLnRlibVpoANJNz}{0ogzev_ z|Fu*~J)XRz(xKWKp<3>+x2E+>xAk6C}9Mt|3$j zH`D;FH};m|Jo>TKJ**esn@C{B8o?t{_{-3LI_G@&i!j0v2z;}1?u+8N=0 zDUxVT>SEgPp&@)pJWWWa?>x{7{hN|Cq-b|6&mik7DbrKYabe4?f> zFVKK}EdK))T~|R07x9D#eB5^~LQl&X+dh-1;6_@h@Xsr_{OxBbx|Iv5vp7%Ox;Yo2 zCqJF!WX`@FXA+zQB;0&YoDm$-S0n1Po1u7r2hqGjdQA~{TQ!jzOu2cLXeScx+ON^W z;gc){$#$_7AJ$dZY)*fZQRD9BKkzetb6?JvVb_iBrK#t zU&uKvhO?OQcL`_l6#6cjmPgpXvc<1dd+VP6Gh!#6rsnpe2kLfw)jb0SiYX*#LU8Tw z>n~ED37olC-l}D_lnWPBUyi2L_0A}&uS7Oo{+;cips0W7wohCYAB-D8;~-G8cI1+& zPZ$A(HK(6iEJ7^I#Zy|xN?PO7DXHA5wxH$SJ^7C<`5%lmDZdIv_QKs-qGch$>6s&t zT_BWHOyjue^u9%-t<;>M@Xk{a4gv_?4$~=?K%Q0et|rY=rxm;`nnY2IDT)OdKx^q^ 
zc|#>kjF3u5{;}ctSX$T-sDbZb@s9Y|tyb#lUOyZ|DjWSib9|(P3$&h`&lh z))*GEK`DYR$Doq4gJ-FrP|zJJ68lp~rHsgVv51wmw4kE&zFH$^RA|7me|YpE>d2S5 z+pF3TGQ7?&o+un|Zw?l`S9UOYgNR?SLD_o(KOhBIH6Eq_Lb%6+B84TCcu*6Euj)*! zlMCWMa0F~Qn7q$Ddk=u=ie_gdyKj?yTZ6+hVGh>MEE~j%V=ic1+La&IQi&_~WU1x4j;uxIr)Tux0s(Csjtj6uDdHQ>Axj#3I z4~bk0QHn3^mSx5_e$F3IRESq{k)Fw?EZ%^E!dQAo2W(%|4LsWO=Xs~qmIIv1=XrB5 z@DryLOGIm-8`vQIJgamb5T75IY9p#=Wt1ZenzSPOhB{zd(AvNe2-t*;tVI45ldgZq=_y!20Fx7_dxtRaw9GF7DkY9qZQq^LBg zNQx0)Y^@q$4f3zfaDS_}g7K7G5-6%>|JF9!fOr~+4m`YR;E0@fV;09O z*B!Cj4%`x)RXy@Y4>}UZtgS%~lrg}aJ;SA(RRY{NGS9C!M}W0f>{ye04@4d!Pc8EpWZZpPI8NqbC)w~?5rOx~0`!|@`Uy9GfKhd?p_pk7`CNX4y zVP`z8{JfoUb2YaB`8LV31Eq0wzdlGWr3^#bEsgsX*Y(3i>7T}a8Kegc{n|4ZgLq$ye$I}l2|Jrg}#yZ@uo|2#BimDq2&ow^D3DI#EX5hsX z%!YiNobZ@2mYVzlV}7s!MQfGNbq!|vcFf7hUcuiCn7ym}^K($9v|a-@2%4?$;DAhm z*T!a{u3XcDA23|4Lc=v7ZH|Z;i!A5M474y;!^{+f65gYY&QO)tgH3?jQbw6fINOT3 zE6i_h<3Qpnr{PrawUj9xbVuEbW$)4;+>H`3z}(b)TdEv?nnuH@Pq>cV8g;s%(36!y zOoWg5!t(ed0@JRTKV|e!6eY8A9!E!eExE=r|N3k;dJ~osHE*EQ>I@I z0+yaZ%8Cm^fKus7(A!XqEG-E7^R~YkUkt-SK7WAm#v)IO^K<(W{FGd3_aR9GUmzOa@qd zU%YF4f{`di5N>=PM^SV-P(nDKDGYm&L}7(OK;G|_^+frn!M*dl^hIE{MwYKlL1DqJ zdsHTgVKEN44VPG~qzEP<;SSv3{m(8J&<}qa`g!g5W)4%kDsKFOJnV6P7pQ0Ny!eGX zI@N0hV%uwCkd!nmcscHrv!RH&(l&SI+%{`=I4NW@LrDypBWpV@eQ{5#Uu%wm61J2o zveA{z&;Vz8eNv6pp-Zpt!oLbpw?xro=(p~DqWsg~{zSX-EmyO30Ej5RF$9$2%4{SX z%9M*?^~(OE8ja2IsQpTIyoDe$_%UGTFZpKe0xa-yYw~%(%Gk-tIM7`A_A1oT;^Xc9 z$nlvGzOgRp=b(5D7ml*rbz-JXHpkHM?`&Bsikl#>JEZBBP>9qmbSv-pKTVWomHRLM zm7*FS5;d73D@-KmDLTxz8*!M&m6lABb4UnV`)KChU19l3bCZ&?IT*oL-N*-@IsfyAAsCd7SR9KHVhBlyPdYVF1=vlB*)Rwkb^u zC-$`Q^{!62a}<42tC}=9%H-Q5r*855h@s2X9!+R%SkV-%&rm;3&y^J8k>l5P$hJf_ zycMQF6yTnx1}UsMFdz6_6sLFUnuGh~gt#Bynr~BPO$MQJ`9$bq_8GLJ&hdWFww>aa zt0heBQ*Y4t*lR09sJ(IFDK;z~+>f%4H0OvsyJHRf&&NmKaAsaP5?YLIST&QD(8<|Y zFI-!+9ZbhdpH`an&2D?1S7@DH(!XnpJ5Y*An{&D)Dk#)65P#PeryAH;K)G}M&t!OL zyx6qocW}L#jAQrm4iA2?(og$zOsRcIZ9Y3#C%PNEk*^=G!g@r|_xRQnbnWpgv=?!i z>-kVJ8W%&Z;u(&?>EV5+U=JvW@Hh@TCQ<8+BN^I5xzqVim0b!u3x^I 
zukBLrBz7V-HlRid;LaFae{CkpfZ=$W~OA3EM-IfomnTx z#8^fJJwlQC2G;YEXY4o6yF^#rrD2@}qsL`FXIjxD4XY?7N=Ckg%Ev?Ss7jeN?ls$5 zk*is|DA7@LHcyw=>6cv3S9}(MV{CpEz1L@xcnIxQ?>KN7lBJ8rr*$2N!lmiz@}=0d=C}^eIuIV zA{Sv9Lzu+)elzDuIPwQ=Rc$awsFG-Ph^~jyy&vC7%_#4|Fc|K^cw27;dzL7=0UrG0 zEP9;!?ehJdX&#gx4tJpgl%04JkCy#zGcr8e=%_j0(rPt^_6^a|k}AOxBV{@mLUH>L zd~SAA-O+ERcXxNqNS#Q$>?}e9ulSc^)Xh+^nmZb@N4*SMy!3tU+&PCr;wPaQ$a1H^ zOLS2Z@+g^H;nSv_Bow@?ObQFq=nP))P;l+>j@SbWg5K&lRk8?3*RI|$Kh?U%$*zK0 zjuRdhT+d0gLBUn4X5<7P>}ci~28yJ$8yC(C@$LRvpB)4(c%pWx@%=iW-^$h1w5}#S znlG8b)vj^@%^_b729qA8Y@RUv2|GNhx-z_z*Poo2Th1vUtT6)l>|Q`sTib&w_dq;d z=a5UfXc1(j-@5gsTcj4pludoyI&JLHfYn+v`3zj)Y|~Un{G#VpItw<3Nd62jt0?v@#>3*@ur%U#FDpYDC^T^Z#p{=vM147ei>S z76Y)u!`UiFEm3~ML>Im&+I%XPa&m0iYVLkkqFfQYO_lz(3-ha0zhgble#t9O_a?oY zsAIT^J!=XD-7p913|CFCgmf-u%n}2l-Q%ze$A~Ai4+Zz0!Ov@7@^-D zHL~gsHL}~^N53>-@i7r)Tr4Adp$UZ_fN%gT)N1h4sWa6^Eb3d||FFbiodbF(jU#&C zo6X>?996H&0x7K10HmWkwsf>VP=51LZ)c7H&WMb`T%%i{8S^m#O7}fEbT>58QS2iwBZ_n@b>rS%Q+&>*i zKH}cBpxC)lGz# zqI3bF83l#GpxA6)e{|e#N2H9PkMCBnX+T1ds6k2)<;|s{ZDxg&7NTR!kX~G<%Ov0J zA}&Po-~_+2n)!Yj@7-lpe?-Va$$itKTiHe}aEtd6NPAM7L{|MZphkQa(a#hPN!1t* z$!!)9NeoWG`~IApXT9+D;iA9rrFZptZH2G>?6t|`;X$wk*!@}yTtT?IncBKCyt^Fa zTRfb(dX@w}m3VvZpLPJXUx!clbQgn7RQX;e=wybyFCKzdLtAkL66bvOGjIBz_fmj+iNN4TW7oAOwk!Sh$971ap7mNxiLM{nq_9Zl zBq5YI{2y}zRhqk&L-yF-S4K2W`4g$Z@Du6V-qd)p_||^>7(Sogl7BXB>e7vnG|u`A zP5u}tFv)aD;AIbS3;|izKdB5{~(tg%| z%_h6keHGkanAjeD6D@m3$9Km2c(uajN}$OWLU@1xOr-CQmKkA9>kvoLPPpsZZFers zu|EDEQ(qYsSJ$&$910YN;_g=5t+-R%-QC@aySo;5DDDoWxD4*@?#?&u^WOCP!(z>x zwN55G$&Oq}Uei&BOd2+SjCiw2@zNT^&qd2r;nt<}NeAfCFkYz%7jDkBx_1s~-rbK_ zs}_=tC^J|DNHZ2fa~p&;Q5l4FF%^dJt0$OQznZ3Gyq!atn!m27{@l##T)Xpm-9Ttv zyHR*PbB>nfdV+eZu(=uVd9}W~7}$V$eo9V87!MA<<9pjcpqJ%qfGs-hnt^+b&vE^P zS-OXq6PKo_wiwgxo6BU=1DwgY4e>5SB})>QL=94x$Uq@F>|h;~Y{Do4tN;{qix8z7 zS69Q5AU`w!q?0fzz3tP6je5(+dw7)q0PYZtc#A3y|HY`SD^v zAM>QD5-@lAJ`_>PyO_KY@`XHVyMYam0Y(T{mXFj}3EYK|k;j?e&7ovtUjT{^)N zQX|JHGuM89qtIo6Lmzm8$jVE*wg)`T^L@(Sez|_aSmpWx%A34Hr{iW5>nv&+=PbHz 
z=F+ER<^rDe_g^7`ld%{*cM2z=Aazj#KQkhwg*d|gy0Hxy*&x?N-1i8aOpy8{YM${# z=5MsKSjV-Yt?Dg&s9rh>*+$n=C@VIi7vUww9TSkAzwHQ$EcVgXirj^vT~pM{pWAil ztGG0ku~*`&qJd=K32JW?9F-E_LO5-lbeqf#T^0?WQjUsu2r^~D#U_c%q}l!n={Ne1 z$ar&!RBl-}elsXqgE`sgCs~^pRJXLW;{tWfL#rn@7!Dye%*<)1IBBk?m*azS^m?hN z8WIST&a$-}Qkxc!(UC`~3$wew)yDRM3`Q`c zC?{%}Fg9$NWOX$j;!F*UbW#ap1~#Lgccav7X$xA4=9~o?MOGG6AgmGeysS<97?R|e z!f$RIHz{NeIE({GoP=X;H$Ms_D`-(RLZp#5nzZcqip!8U_JeXbKFS7cef2HZcV>$f z7?2jqqLi;!6A6MViVL@ovFr7WChvK-8Odh~)JQTdMnoBM2H!mKkH3YS3BtpPeyu(6 z%>B92>JshJx>rS4Rc?WRmru&iY@%EFg$IF^dhmA`M)cP{wolqCr3@G)e znAJnc?;%HoS5@A%IWDojh_umhA`@Em+V-uWBH>O}TVr2ReTzo@>}2fj;@RB@h{b^f zkBleA#0m;cDyswRiY!Re1se3jphtfUhHL4-Gj z4uRC%f99&!3x^x>A&Se01H$^RF)}2^mIUq*M8GJsT%g{KhiTVPYrJ);3;DFFCbO;8 zYNj06+A3fBvuelM4d8+gFZ-2uH&^`fK$U`FNs=>N<&*tW8YA-gGQQK>TWxai{Z9Ev zW%r1~4QI{dip}fe0sh(Tn&%^azfQ;fCf}`2#{;0~&F=mdQ1!O8RK@$U%N8!gTQvP; zKK`;#Y)-lgV|A{W{9}6&Y;qEkpjWqHjktUys%&YjcA_G2f4q6Vt9&GLjG`b{-*18y za=&C2$|aeY8gnypY+j1HjX`kP((nJJzgG?QNoT|wrAm>2W{|O&wM3)|qgQvRO`sgA z%4Hwq-Y`>qho&}hESG1}bE;}$U3^>RY&%qZ3?L&z*&V>4Tb)c>OJ80=7kJFzZIBLb z<5WV%l6Av98*6euqs^a{p06Z!QTOpc$qY@NyW(qDk&+mg8JgpFHb$Hl#8?Rt)I@kp zwxit)*e`CIW@zuO39&47#n%=i^*}iTyKOfs^}rDA496aTaZ`TOUJMbItp^w7o!C~w zH4@n{f6;0^-%9<>MsIEMvo<|+(=d|z9947<*H}DdeOiiTx8N^RQHS-FPhsj`;n`9X z0H?din)1^m9}=lVokOpuJ~W@~a`P(kdN7a&ttCQaG>LQip~{NJXeUMy^aGIcT{-=j zW1@UZYjE>*4JZ6!1>i*za>J&LbyGLO#xQpfa(I}u#YzRhC9<0HLX2sBV{->3fJ#EJU+rr}y1E6O2unCotd@Z`=sYE9 zUz}98jeoPUVKjx3&2<`^ABv>6?2d^bK*$pPJk=X5i>XbPr*8Plg7MXZ;)1CUeGp_y zIu0z~)!z5Ibo&Ek77jswJXn6t_6NbNdqT-)Ii^%NrFij$;;;z$LXKu~Zl?7?katF> zW0r4!FjKVmwds5oU3l9&y?BY1%%jWe^3|(W?q61bq&F=XV zHU?p$wCOP3)qxNC#ciM5G}!|9g!U=CqX^?$lwdYC^k%j%NOrCA&m@z8DRpE4BVj}Q zggDLuacWm_qtNnMJ22k&($KR3<~e`@?Dga8LQgpUG0rc(Zx}4_B0iF1PVicsaBE)R zYdF-ZKMrWHQJFnnE+7~(@fzH_J+n}pr115b6447iFn(BBo;K{1haHFy9^dqTeubCK z)3$G~#gyANQ7!bX;5g$(_isjU;Pyek+ND$Nve_I57G>EG`@T0laE{u3f@4p;Vva2} z7VjjJ#Uer-78j0B5KAp|o4t7}(<9Xj<4S$c{%`RQ4`zsPq^j7iqZjV#?tS?L=XqMx 
zc+xBRlrL(+H%;3jRwPV;4}Dw+HbZlZ>~+a2jz+Eo_;Hlgse_*>cX08uNJmTy>$>(C zbJHHSJp;pT(B3!kfC_?3ia*5&n4X^_BfDShQw_Vdw;>2|wVg8!YZU?bTGW}jsj=3P zx{YrCyjKu1QWGiV9t}QOuMuLDD{8VpeHYoyYRx>e1Pe!q3rjr$c;`>VSzUX^n;f!h z4q>b~Md17*g`QEXsZ-Qd%Q3z#``>LiPIwz~-(@8A6% z`=)|#pBm8|s{7D&bW=+e zd#?&{NUW6JM3vcuSeuCoN*~z@quKMnLW4I-<@|@hlq5(sN*&6D;~a(|nYKp#4$c*f zD7NnaY=nyRRO3xpOHDBt3L_{=W{_1hzV#djh2*Pklxp+U!%5y_;r9vk)iY$I*{SeQ z$*{xsR!2Gtw?tV3UmR}#?t2mS6)5eW&*&UiFA~_~8{}hycF~YHszMBnB!*~guH@^1 zJ!EQTjLWG1OtfpG6p~s3g-^fhS`R+bF%IjhU_;1(y?4vg7c!IkibNBKu{9hzs)N*~ zU!xOMZ}+<=Ldfo-$}LcH#ur~6&y+3gZ^H>)X$<_%$Mv&>o^i6Qh;&5%$TM@Hot1l# z1)$cKwcRp4Y0pVgz3@@^LjhWe>yVgMl2Kw=7!?e5CZlHhJL-2erJ?RXErHdmKV|i6 zAs&#JLa=NmgEMz63@gV3#yapM`I{9Dmap?(;3buSU z)>Nc~Sn7Kj0Wjbw!axO^$3Xl|hHMQiUV;gL`vGBhn%S8U*9%6ZC7b@B)n#Z%(y|0b zbSOQwbXK*cWmH1pDI1TL@1g_UH)Ue-?eQ25ye3eQ3n)7LxpYIv`0G%O$t&Z=$La+P z6`GvblL<-$3RQxdHx8Ue_J9GzjGfi$`UhUwr#SHQ^RP&qLbGa0CkVsh``_bWnSnJXnd-25)Yr@R0fQjI9Xwf4V0E9$*f2* z4QmV$hi)f7R)pr)NDSp;Db{?+TR&8NKfTZW@&m?f@&iGOnV*H8oE)(##pYb-5RKJJ z3bm%yDxGeYPnd6x3!=_@X~ryf22KG!-md1^*`40c7e*pEjN)tPI^Q!GgSa}If3u2+ z*dtfbi6?{3)Vvn-;%WZE@-}DSZV2^6JK0&~mz(z=R$vpgdre20@5!9MTN=&T7S$}z8R&?x|WeJb)OxHQCwWfgmS|ukxV*SE{Twk zvQqIMwughZz}}g-z#jObFMAS34pJswp?`>Awy@53g#a(GECZ`g=3)cZ zLm``OB=EE-!nKUU;K-hv>Q?`qoINFTW8LCIWZhzpbKWNj|4cy&hSS_IU`pfirQ~gNG1n4c)k`C4tpx9NX*r+xA&(x~l7zq%%Dd7qW3y2gA1yZ(3 zZ_X7WHopI9bfO2IwCe|zvb`pC9)#iGuU;~}Q@5{jY@xi$G#OZoCj>b=~) zWi#(aYYRlOB5O^o0?(W+3QDxz?DS^Iazs=lEx+*BJSe>6O7YN;#%9aNzW+rsc#;}PzRw~_zH+U0H0@K! 
zh>y#MIH1UeC2mq%91vX)sibT5BoD97vG~c|#8}C5!P$aRZS|pTcz?{pgxIg08!SH& zdwy;D^oFvhFX3MnZHY{KLnKOVIbCeQioL5O{@D)eZV}L5M&4)*0w?%Go-3MwM+{#c+0*r65YhHVi!( zfyE~jx8;)*IH@b;qTwb2`*sdp|I^M(XrR&G0~-C{#Yp0WMDx4zWQBsl2kzLxgqz@< zkQ1w)-85pf+j6~|ahd012=&C!gcxMZePL!9DCzF)Py0*sERp&P!(S~vYmVc2(=k}2 zNM9fSm3dQ$x!S#^EFOgY1%=cZG=+pZmeCLjGeN_w`g{dkw7T;27GY;%TOO|WP@+!% zVBre;U_tQY*W{3dm;1g$cG5WgcGbyM8;|9XrYTQ^_LwV+m(-;58OF%RuT?IN)gOyg z$LoCBuo?5cz-TpDIU0kYI4f(TT%}+)L!=#N|C(7y?#kLRyG$p%3AMe_&Ss^Rn9^(* zF}}WFEL5ehi#3BaNrmt>>sag@m9_7d)}~8?^XOTG^9U%uVBQ7R?kmEPlftJe`H|WF zHz~8R-*NRa0-`!raJ8RfTN}%f8`-Ee$iJ>BG>cI-W0A^%F(RoHYNT+90DdY;v*=AIe&exWY2)^O0JPZkcnsx;OvO8)nYH^ zib`a7Mog09Pd-j!vC!py8_C$bIzyd&7D<~aiLdUUK$jt=#pgYbM?$42>*NhHo3 z6kJkndpBpA2V`Jbq3$f*-7fEb!u7A{KArbkkDSXP``MkXy z3wdHBT&~HQrlqa0%H?d8XZ7S%dnmZj)7-g}B@oLkO~dR-7e0>+!S&{ICamNp=ShfY zwXU2^?%dy)mbuujy`k@Bk@3geuBM}O5k<)pn>_{8uvltA#I{-IJUS6@$@Nh%N#)!> zQI*qhw{jzHcLrKMfp+;S+^ZckP6(W={0FI02l27SR#dnQ<~co>uG75DQ5`;Q5>!zz zJb3jRykH-1r@KbAcx&(Ly~bV92He|Rw@=2Xni@D46zE@u$QJegMgb9i7U86ov`HXV z3^uMyoo^XGxh+Bv{SPT}1bKaJ9I(2yT(;y8cU%#Z92@MAXP@w4LT& zm%mBk{tjldX=bOE0pDXlCMF%J7l zLmgUttxbb zS3{~@YCZw>1DO1xG!nqJKl`Nv+h%MGX9aIF$Z0j6X-#=`%5=<}bI6g+4emrqmA!1% zD7J92<;D>+u8KD+LZ9|NmKCJ48_=L-Awc9`gG^{A-3a`U@y7vr?wG|w)tsW1JW&g8 zpL|<%*KBczI%6Q{g|Q460*ZxfDq|1@aHBSsu`Sn(N&f>gb0B$+Jh1G`T#f zqrjW!b<83Bw#;OoBE0GdK3-_RLbW@N&@)L`1;vsYuW4~A9$TQnjJ;jB2qvnLrCR$I z)VhVyYP0Iq;&2=OXr`w&c{Hr=n8H4g&e5u}S3&#BM5gYv(6jyN;B++QH)cC>rfb)- z1|NX8_AH~!Of&@*qgJ%-4Q37n(pi~;4XGLk*2jj{m(%Q{vqNfy3z;`soO-QL$u|$e zN>%zAdi>Z~Qg>3riqvLgE3FwCKL4)g26B>pbT%aVf841b)WXLb^au=N5F!gCR~fhE zSKg>*90~k*QO47x8*WydsqX9=$A$4toIIOmqUZf&hmL>E zp6B;60BNO6GKiD=phCYrm3Vr+&-fie9?=C9n%6BzNLuhz52ss+?MP|mi*9n6084@-1stDXeHfdw=I#_$A?lL7`qE#+b~xJQZE4@mg#njn+wR>L z-l{v<9IB1~*Oh?SboUB9x-sIf%1)|Bj$r7~;557|5SRVVO&FIXF`+qun#ZqM75(l> zL8!ZX0rlIvcm+_KeGggKmFWHwLJ!pt6QI`gBfLXM=6lq%-4JT_wIcDpkQ%qw%jBGm zNcOrMs;j)zr}}1I?HcY@qf5dR6k870zEL$%gmgV4(c6`5)Dhk(bN`;!#!<{gHfK~FY4JW(>^20 
zotH0Pc(9!6_BoZmE5F!Dh1lTm0L8@>b73q#$zvnva+bAOi}$;DVehA{$>#jzXVQ{z;|^U3g=A-ib^h9?dTe2;?lHoAg? zAKHIR>_LL=_XiTVf5WvflDX9Uq{JgEh&pOd1mHZ9NK~fsZ}dc~)O*EbLwa-cfngwU)9YC;8g%~;m zV3R}5Y$7EKBqJkU3VBe*6%!A@Sh#jdS3B@-Q{{{J1jwb6Q{)3}cLuCVxjH&>X!LAI0tDVkfA5aoT*e zefR&00aL+c*ay9WC#yl6Du;u>^lz~PYn0YdhMDo5AsC)c!1B8s`2@ewHM_EB@-UH1!w=hWDH}fJKC+8XAG-)=Of-!p+ z8B6a&S2*#W?GVY8-l}V4`(>fS|Iv$MSJK*3a7snsG#59m*Pj;eJyRN@=p=5M%<}SE z8tNOmR8-S6?z_KYUzdM+C?bC+*J|)`}=C0MUUgVIUI<=d=2;xbD%5n%}KI7Djq zb|L`Mt@IjC?Kezg?&D+B2y#GU^f>)wKaN}^c>`yE|JjC%E=;;5k@w%!TOV1|y_O(i zI(XlidWSe0+4irvAhfn<_Y#1o;jF>m+f`4GT6vRh`m;Cde! zf=FK?y}kKY^w}Yj!>KjtDnae-XiZ7{!%FrNGU94R)qCO+c4>y8kWfY_n>2CW86i`> zy?H2Ne<9cUZLU&*%ltiXKiH{%OqsubTD(#g)5^I&o;sja&RkELnkz zl9|Pyp1z2=tp9o9od?+WNkeKYVmmnIE{kaV;7=`!kkVs?UsDK_OLKZN!H00DY{H4Y zo!VYEkp28vcjdXt6u8{&O8igDikJl)M)^g~0zsAp`7~~VkikAZQ2w31?av?Q zc;7?80ivW^AZ1TD=4^DHswH09F5dugo67=|Z=3zh1ZAF&AWR+gK+tEaN>c~h<^~Nk zI_uvrf7x*?MWon6o|WJQ^ZvfR=~6Ftsqs4d0huHO zn$4Rq^W=PY+VOn4aq+Ozv6_f5dK!GYQ}TB7G;r3@>T_>BrvvTk_Qh%aaOE56D03JPT2^+T=yD72>_ zmX$eN**I(b5uw`({Bz#lm4NiTj1j$dvdW!s=5rdn(sq~f7z$E9%j(o>j;mP?M>(5D zCtHHihO)p+S9g9IHj02G%f?&x8M`%&9N01p?>L6Se%<_i%&o`YcOutHaVo)T9HkzI z8O5)ds!WW|Oe;|1)Ula|VuG z&=(Z0f%FT3M;pX~CTfTgQ!W+BcN0e)wjgR63N@!7g(({*qaIF@w;j#Lh71Khw)wwS z{g6ntK4dQW;e(LKMR{KQKLc{&LjF-yfN3 zC-ZVfPLiS~7ic!}^wU?ZK`v$Uk96vzE9#jOgs6dj1T+{?71a?*`z(bP57+3Z?}RBT z4i=V^DB&ok07pI;3!oML-^d5!4fNV&5j`wRwkWk(N-5%w<>H!a4$3(0!xlaF>e=wM zu0h^>qA?TW6*sa0OXi3v=D2#IqZ0SK38PT>#5@B7?4RJJI4p>L$i?>4{D_j^33>I0 zhrH{>Vu{1~(R?*g#SJ>DPD%xfg+4y=vAs0ksYLDm8-8T~qgUN$m5|r%yrrt2Y45lr z%%R|FdPkIN-W+TFp)f(S%B_twZ;X#yoaHf*%yM(m0;vL>Z^_XPFqDrHY>m1GGn|`A9lZpL%N# zTeV502UN-xULH*bhoS|z{ic>!$oxI@v0Tw+a`DkKZ}kuZ*gRNQUb&tP@}P82fa z3Exq?mTaiAE;di|t_)Ozn*nV8SB)FcZ|>J`oCH8FWr}RflItE_H&Wa9^>QpOvK7?d z+^RdV(k4k~u;9pFgbp)f(oBrZU(C5B8nt&h_CHk;Rgo7=!hV@pa>EK}6eO&4o=X^C zQ;FVDxN7roTdt3nD_Wk3_7_2FBjn@eUGC)Og^$a83Vwxnc-_GyBTziRzF6!Fkkz2@ zy!calK|&}!XF(L=1_?aFA*7UN>!p&Jp)IKii)$+(k$kfFL0c0YLFM@_k;HgrNaI$h 
z9o^10g4{=_-9WMhxv4XxTccOeeHLE+pa2;k*l;P~%Y}*{b`W*O@MqsV zjpNs23!5VzJ3dDRxWOyYinb*(v^4~(W1azhOT?-ib0aW;Hgq{^lSEXjbk=+nH$iX< z)L40W`N?8U-dA>a~w>aBOiTMTX1FBK>H16{Sb*^)&6?AjzFVvOI0$2ntIhwCEnoY{1<))wqM;uwAq`%#PY*EbVMD;KcPKarQ| z(&aR5|BI*Ts!7(aMdHrnS{paw664NnO~z%>q?Pr!pQcxaw-g>$G_TZPn{Sk#GVZTN z1ocZ%EgBf=Z+Txzyj&lyq7#dB(nyfMW<)<8bnX=h(7P%kUSaVo6WVw0%rUrdxvOMa z6LtPgMhG!BJ*RD6T42TKsHmwW!k_gf)QE?!J4q*)Q<@nj8F9#7aR$1~P||h&ixv!N z9$4CApE;*bt;CEAG`X&uA1-}bp3c3>=CHF=lp^xJ-{q~)i6E`YWD7!=!1FBbUbfe9GtbjwAETsBJQK5t`%i)hAW(a|tb>Fn$7uT{{($A91sF>*)uoRg~6h2y@19_mQFg8A3acfdT zW7Glc$Sq_|?nsq!+_G5c<FKk-PVqguN~Z<%=92GYyJDTW*}z~-@DGGH2>~i)HUlER($Yghc#x6C zrpJE)LP!1d*|o?aFhFSBSV}a1nAj_4@-4~l75b|DkUIYy7i>)_;^q_)v3p z@7g8@CByX>b|#v(jqAY`Xi?T?o9^g=>sJdjPv}19BTA~eul@a38yFUYADvK;c>dN1 z!+M0TQ86X~z9HJMJE7Z_#pvDYxr`Fxv?b+nHQ0*fUxYV^-2ZckE-8kPCjr=@`+p*= zT;;ISJkD0;Z{3geKlYGn6kjWs$nE@j`2+wgMp_(g(aAaN_94;B|{|WdKNEm4&Gf`;xncgMz*TYYNaU8|`N6WlPq+w5tv@5lE9INlgvm)NLDh1eiu1qUi!-#c zpzX2bgupXa^(qJ^JSBrOV}%O7w$)wa4YWTKEtq)jM-kkgsc$gL>Mzp%)p6k<$2qoy z+jq)4#r8Pm1u#eUYJY6Gri<{>QO%Npp*1YcL~2L_Clg=3MD(stj@c$lg8G|RBnj2P zqp)`S0Wu6mz0}~7!$G-3c!04Nb`4t>76B6+?Ac2xti0E>^RELku8s!bS|lkLc(#Ot ziAljuY#Vd>&8ggDOz58!nf-NSPW>T5y$Sl)=xN2fD-bv4%wQO-^h5doxYeus2Yg=-pDGOpP?Gjek2W2 z4)DH^qNYVUvhJx8kgCObP>ge?IXA3`*%Lfedp4Jt&BEO@T-3_3VF2r8CR`EK|0HV* zF{;DM?4LMHjm|-TU`A!^oJ*M06A8cJVgVy*rEmL}s6P3oZUI3=NeH-4FTK)2Z#^;c z&iY^2x4j4wCFNDr2Hj?UGJ+hj1E+H&^}v7nzv&!FHE^G9RH?hOWm>tR@Dg>_ca@rmGra!bcRE0zkbtNYg!faV0`skv1sd0bjb;%j@vKLHGHmDwz9oMn4n4!#A!Kx4cGXD=gzF7|=@{>|3-+M;~umHt4Z z3o5o$jx|LePxy8jvnGkCH0Kx5tXLZ`$QX>K1IGsPK1N!UKMBTn?>6k1?y!Y1GNrzR4YXnu2^ycA|xvEy*{ zd*6`tq4@rkt0Z_%>6D*O4;`fkhh6$qWUT0U0Hz+$zSZl+`%~gz-i8_}xk|wCa!VHt z*tEgRu&X!g=Jt3$xNom-2B}gk+J>Wd1-B%W`nQ%JqHSx$*_(Jk^FwOx(19@o6Np4; z11@9{dkZOR7%UYSh6cb^O8v`RYSS2Tw#G8@05g~E<%(&+oti4Lx+S>^M$HfBgBeA6;eA-YW;f&xapT1AJaV@R!#9u>7_&^)~}c{+FW=#ZJ0T zT@iZ(<|v|Al_gSpb?_u%H5r}4sGKd;6`C+v!Jcf}T zMG_)uy`_51FG>x%sa)^K+WHDT0~&U44G6ES+I`n%^1xZbq%K4Ti~x(BpIr;S 
za6IoMkGC8bd^-lY^~sFr&xknb@VpvmRk6YMx!+j29Jr&e>af%qx;r~Nl0ChFSvZZy zwf`DKo!&d{0b^yAYxzH?Pot>@Sb?&FNElUbmx9b8Kq{~d3e%<)S5KOASTRUxur>Ne zL7fq0`a)#FD3AhEivl1VXlK~;fU5Z%vFh3WA}0zE)XUiJ;Nu-nH6^{+=w zYD`0vD9M{0Ft(Wt}3RXwiNnT{4 z9)gAK{Z>=Vmd4ap964H;oMCB=i)mxVrQ^%GPzd8Bb6Qz?`3XQmHxuP*Lu6`?68b-I zR$3n^5S(SoNHCcdc`DwCECtD+sEtsMhguzRdJcj!K)U#DttazICwJN6OoM@dI_b&; z$6zklX`)qMGFd32UW%_7)fy;;NG_0fNjUKAa)c&RDe0gen^&o?`m$4(zSRo46jFpt zdpl@8;d;j~0D(KV*ni3;h&CIGHc=LxZemZFWnrZo%N21i=HKi@Bxc|xMbvNXR)3B{ zV3ck&-Tn*CR%`0ko<$b_24@wC>KC>qHvJmaWqfoCb?!KQE5@p_WzBXoqA0|O6QLp3 ztDJGSSPL_LSFU%RES2gUl5qvh{uaM_?|6cYStrB(mL+pBHL1t!D%cTB`%TC#CDUFD z2wwVP5JJ%*Ff)HTE>|7urghhE{^LVL0ooqhRM;OrjFwL)1#@{&r!m|VA@3v_A*ZgQ zX0rv>MNI;Dv`dA}y`s-Dn9>z7q}rB-C47pV46ZdXGboj(V#U z;5@8ztAI0wffAb4)RDFI=#DorH-5Vo1V?HZ@;U5xLdMPTNc;;1>%N_)&c8~Zhx((t zH?bEG!?g5sPlCrA2!MILI$ALcxlq)wk`fWA{mw!;U1E}x8vN>cJP#!@wDfsc-l7;m z>IhPs$tClIOW=WQ!&@5L`m5CHre5#KOenZVO}vb_K-!)H6d6-Z$4@;FZt za?RHzV%>`Dz`b~g8aoWqbj+N&?Xdp$nZ6l6O7tOh$jISQGAYl=?tvDUN*&{oGN5Bv z=ErVr9k1~3?KYfSRbHvIrdOWlp@EoPvKE)W8kiq?vCAW|QxMQ15{~rCAcM-(`Cg~KvE{MM$@3J-VznVC~O@qQaXZ@J26>n$(URz+vmqnr6p-;TRvopVUjFU zlQxVLomH;`t;gt}qyYy$C|sa_0hW&gC(uB|KA*1Wgj?8POm0F*&If6wk|0%QH+Ba| z;Fs^BJJtE~7ZmYR9UV z(;eI8sHOAyVfTdO(0c7CFa*wSgwWk_iH?p6UX`9P$a1y`Ew4HAHo6d^PJQp`%m*{1xCjr;Cf zZ&42K6IdHMLf3P3H*(*vRBY3goM;f6YSgMf)O!PxX9>^)9TGGg0wi2p80 zw`J1>n!ZR&^c?5LonMK!VYcLRwt0;Z&6CP`Vr!WWo`_(m{n7~(GYl>K4GjeLmVDN|5|vUPrD1=ugxdrK&3xQnM%wS=x|5{Nxz zaLGJa6tQwT%fO=&=uzSp=}Qsw_9?14XTkCnk4nb}uJ(&HA53SGq^c_l_Q$`O4fJ1D z6j*+$?7D)JaaN4bbfKTaq7?-%kf@nJG_SVZVKCMgOi zwN}H=Ztx3XG!svi5Wn=MB*gkvquE1#4tfVH*#F?6O<_f7cy zjnnvS1;e}GX^C`A%~a(J)H37R%oT_XCB#!5STWu`cf>cv;E*|%k zadqPEyv3_ZDCYeL$!{5@+u5MD5YlpE&jD=LMC>*|f&E5Bdtv2oeddc~g zf$hrU(JRB`H(LmRaqXA$`RDr%FK;D2UdOw&8^Pp+HS(%^YF8DoxUTUym92#-0u8yO|25X%|b&8|RY}eZ@^uL%%38hJdtx(t(cU z?yfeu-bvAz2vAhd0OgI9ZRa|=RJjioJ)a}%Km=Y=zy(ZIT}8dmH#wdUuMaaX2>7dw zd_Yh;s~J!HZ8kk{#MDDpg3}5wAGWz*2pn5k6XH*$*{P`E7GfBBQlto_{6ignd6k*B z;gxn4;7TO3mRD*!CdLC$s!g~Ex(202O1M!(aM|`&_ij 
zsU9nPB1Q;w@~M2k0Xrj0DY~n8k#E(V>fJjd*0t$9I!lXIoA5dT(awxe+>6Tbj^BR|rC$X;`S_B7X0&K&0mw(WbBYyX9i%)3dF6S(HE>9|hd$fvsuIC;U1Lx#y~gO7U1R0^9K~!%KSk_U7*Ta&fhn{P+^wJJ+AS z$dSag!mP|b3;((El=ZY_3-rpy!oV1-k}fYN?fclM;((xYg$9eL8O!4VSqpF_l3f5AzZ2q{m1&?DB49vl;4ZgZR$Unt1XsL)DLzxBN9GV_qW&2q5YE-RJbX!srb2 zH6bSGYB-yw(3gaFx4~DxKzglrtN>c;Mo(JarBWG?)XnW|zz4;!3!_Rf2Cp_c3_li0X)~$lQTvsd2&KvBSuAC2E*UxJ8J~v#lQZQ7Z{hw~k&KsAbg>(Yczc6EkU`X{b!IEuGN9TFYyQku3Lr!`*cUZ)o$@=fJ!Zil#9wFEs48fAcuu9=7(8sZa zU;!UKtJBp#bxMZMMWFLddE1f25!!3y?u$}PZ9;)QwTjmP*yF@S9F2O-4SO~36`NsJ;X$rR;ZOivSDy_xZx=iqhfOz z+Zkxc5P~hwWqoXt2A^gI+RQ=BdZ!s~h}5=Xs?7;sWy;WZwOtn2uh&ZhA9P-`IX`&~ z=byH5T`e7vmYHf!S?gp&cAMpMWSa}DmpQE^m#j;7t~luzuvTwbr=RhCcYmV3(EdQL zt9rhm{>7Ka2m}nzsBC`{Bm%z)>8i!g)mTdaujqkSTn44&nK>+z>_F5;%(>T%&^&A4 z!W->m-8^9q?LXQ1z%+{nlpU?VveSj9sq#m5&hWd&Ko&ba@9S`RpLf0-zdjk7o_-5Y zrlq;(r~O=?RbvSfU88ipUz~XH|9JcIcqrHY|8wfJ3hl^NQBpC=zRoEL*(yaPB(h}R zcXNtpu@p+yIYnewmdPH9WQ)nZOd3psF&JZvF*CpWp3zfgoafc+`+CmrPuE=Yx!%|N z`n*5ObfI{ng?3JRQ- zaF|y%!@~_{Cp0&h(z%Kk&&ZG0$DBCUQ9d(j1arA9dz4X=+idm>CoAJ(>Rbxz@vE`GXol52 z6u9o29r-kFACsXp?57ysrmfK$$qSfd0)#RJH;yU|O)Bj!Pr?}tJ-3{X`qo#ha9Tp? 
z%C7Spkd@N)I|s(cFIsp><)sNUWD(5sgIWh(&C8sw95lQTb!m=g%0+o_$0>o$>97&2 zLr>`x{F~G`l^5E=Q6(4WzC8Tf>=N(xotxBaV?*}sYY~A7CqojVQ@t0hge#8{MIZ{+ z4GxI=1PkGN>L+Uhm%fLg?cr)Pt8>D1LG{|`4SQ4qwVqN$T(mB^6e;PN#hatL?fHnY zkH`dhxiQ{h>>2wG@6m?t7U9p{)zbdt>BS7(G;z8PPopgcLhQCXS;1kLDL&nljt`NV z{eYiK4V#fd{0C#=%}AYI#U?MbCk3M{{K|^7-5})^PlMgXcTmTk9`#-G7P%p&6uM?Z%sNeFdHt6f2}%X=zCy^3FJpZN_d1O^ zs9x1}d@pUb@P>QQ3sy6+up{JNS)fB_#jE9Qsvj0dJIpW0lJ+2JGvhkR5;e>O~L zn6Wj{h>A2EP)Tti_#8*7sJ$ycG?aG|?;#PJ)IB0lkqc{m6jeSb$Je0}HZ~KI*zjmM z3h48-pc|i$%_!Gr9!MO51|}r{TqPyYPq^079aY z&Kt5qk5_izzA`5`jw#HA1_sa7lAy zb=P)X<~C}|LDVDgXal2uGvv@-gIU|*g|`wP2nQ-`*3ZNmSpfxFdn)=5#D1}X`$^43 z`)#zRgu|o=&ld`yrW;2~<&)GZhh_@;F}-Txqz&YAH#Q;mi!3L>B&jQpVl;9;c!%$x z@A5Bcqis{rZ+8Bi{A~+5SAJ9mwy}Ayw@UHM1tST?d%o@p&9xWZ+|QT~3Cbd$u2(nu zBI58sMPA0m7%2J+tj4Ef^RB6U1hA;D@m?o3uq&zAV_n0Ht8iL>Zrs7T)(4>jq>^$e zqP}#f`jhwl>aX=i_uVSL{r$j1c};5?pXYs14h`vzY(bI+M(_QOxy+mN)qTUAjD={g zYsDRnPLYIQ;KyN>2ypYD4EWei(IA)7=Vwi(Q=GqC&HrskkVc+G3?sPn$IQI6-LN+| z)n_PZQKa=y!C2XlQg1x@Te^X7f!F*Sub3oB-_L>v{rSygKdA_mxOq=4l~-Er^*!S) z$;b+~LdxBDOttD+m$@65i!|OWNBIQ>R25dB)(t&;q1gttQbq}vV8m`Wt=;5}*}qKY z-eYC%F&cxV-djWq^a7HynD^){cc#t89quYD78g%W&GBY<((DRXp`^ z?@6A8Zq6#>bFut|u>?Y7hRM|F_8Yrn@|?U+MH~1zIVI;eMaR&@TXGqm2aa46O`el( z$qiGPMyeQ8E<8=L=C-RMy;jhxnB?6;u`D~orL2H0E#0-8JjE*82NI6nbgD$B!BK~O zYqX)>XMH-_mcCqZtfHL{44@vbC~7jGyJo+0*%cZ`$q;`ZeDmaW+4%R}LF5^fp7Hr? 
zewjG_?PEK{F|A%xVy0&wDqj!Dn0x#cEWA`FO7kx~^5|-tdt4ue#0oiXaE{C8GK)>7 zX?iWfhU~VWFpX1h`h@nK{!(?GS-Q%oP8g=<%LKZaV+STAlqPJr@3$_JQIgQq=89u3 z1P4UtNUu}3O>TS~{!_l|po&tX7->JXDd~i&j^pH`>M9y>pXQ03m!krbOjT5QMG^gGrR+bSFsLLi169~`CycBIjE|s!qG*+PkVP7+3PX6 zJhfsyWR!MpxuQ;9JWaP<9HF(Bc2gubeVr7(rT#uTwX@$sFXqp|J$WW&L;6G+9|}H0 z@x-+fzN3yaN}PA&p6%oC_{tk0VMY=P7nIJDxR^Sz^PpKS%>%ViEAfKhJf@0nGQ4tz z8FwKA=M&s??3B9CCs;N5YTxFWBn-denj2WI14v8v>Z576qMvS`^&MIBJM9vyKRO)b>#{h0w?ILiwqhqQmUu=CO=3d{8 zjI8EwaGpqmjk6A`ZqSF{7;OTbNiZs-r(A2*T*(ARUZwy zua`nU)zGiCwC_&pbFrzX-hxy9)r!n2qcqk_ z^*xvkkUl&D+|s7x}J zyT!YA$RPSdf3@kwQObw@slrc9=uQ_EDji4%*+GU=+#1Z*xa*qbTv)on6nClduM?I~M694bz9u~IGR?#1?2etq*uFwx&4+FeFt|@?Bw+E3h1A>xLN)LZ{|)rFa|Uk{g9;~fLVC)mS@Rp)r9-h?eLBaxVU#Ag zSn8?g(dj;m+m&veX=xWNJ*vkMfJz7n=l;DYg_?ywWS+OVut~32A?l# zCfhoh#&<0x&IrRDHm9ck$XaYDO=)rN&wt=$Om>P=(J$@xtU8UvoNcP>H1so_IRsQg zT*d zFOHaXmv;Nly^9OW)bziOi8>w*2_CgO{cOz_jf~e$1@Yzm$@OvXsTq9beQC#}PYZXF zm7IKPIgh({n-2W0OjjF_4)#4Gc9fyWeHLRGFyBDx5)nq5t_!Q19z_eoE^1=s;JDykc&|*7+6y~gMk)7Oqh8(pv}g9|c0T11 zQ5lypAX<;lX;7nh=5bm{ApM9u3ZJ)GBG zj?Toz&FwDZFxgzcD}HQ2)hx&?N?X%-ye6RgW%&LayU~N_{(y6MUexOhkJD%{wF#g; zb8w&&_ge%cM!V?oIudMqoGKNd&c_jfCYv9>F!L$fs~fFy=5=tz&co~W!(_mQ^Bq1W!T_9^tbYO1w*?*UXtoO?H7Oh8`w zn*nBfTV*-s8|9p3aFtMn$^p^)sMg_$+3>wHC_j(dqn{f1&Bso4qd7XiyhxdPWYTTw z?))iGM|Q4aQ&)gaGDmlJREFRd%Lk*C!3Rj@ZLsJmzN7FCSOi1h1tYYHa7un*Jk1`K zh>LN!TOq0ljSyAxzRvACawkk(NTYpRCibIX6d%d_dm&mNvzT8f2ABdc*UYxlCJsOq zdW}fYe}={T(TJYEX%{wWT#VJ|@+#U{VKrb^@kJsYzwu*AhebGeuP_&Y=0b-nhZn|k zp${qMbp-PIg`rEa5GB%jK|-@m$KYWD?-{lJ#>=ktg7wQ4xe_Xz3q9E=Snr;Xm<;eQ zs`H^C=sbUj``M58-q;w|SUcJnhABTww%R_6GYugHdAqNjxqTeMtDe%Kz*y8{%W(a0 zIDc4Se7yzCGrZ7hmrq0IG1BwE1V7(BTg-&S8b%6~);DgJba~^-yPTRV@3t!>sg}C> zOc5n_4BOl(iIU@O6CSnXIZ5K;gCJryR)*FZKeM5ZBC)Cvs440B*u-KgK+z99r z4c#<@s}58$3&PLL!Ip?Xp^LACgjK^yt%Jg9u!Xrc_j{wq?kGRTpg#HMZAj^O70x&h zhvCT4aOEe3@sXo*bBanKmnS(dm#9WaSd5HfGL*$mM8hR_Myo%m>!}rN`rfXXgh!47 zObEZG~V)AQ1M>;XwUOz-e1!4AHGaC(mu zhhyY2{m9g6+7blj6Cb{PQBk>z5ShDn>B-|q_3!E{qK~6HoBiZJzevibziB*iVC<}S 
zV#$YN&Tq;F)*JELtGXR{FHy&#=I_15#lTLmKGhMpUVH00;ZmPl*Q+}*eOOCB?!#r5 zK!E_SMPahqpkKMw2dcv*TBb7n1^+XNGK@qs3_%Y^@juP*peV=4Y)0<; zP_dU&zYeu^vI1v;AbHho)hwU9kbGilP4k;ue9Jyt2XB81`0OoTpq%1_Madm(qkBoW zo^R3~6}vMa&0UeyC(XV2&8gFu^SbVu3A=d&VqLY0c{2s$GIVRTf6Px*a! zX=hC9is0263oT$l&F&9xnC-;r8{5!sPR}|ft)~pjOmWYuUE!0TW#*moD~-oC#@s;?n{<2^8pa65Xj+Glp4^al+oVm* z%e-R~Mt+k9u<3THlbcgbGJWHqw7%+#bv%req3~YfjUwX9n6$*3a;XQ126y$#K|rl6 zqf^lgg(iF{KslwFCWSr31e|7W`J;SqDWg%&FI;S0Ez2c>z3s-$S| zc-goZy!F9Y!-grPWXPZ@y3VjnpV&eE@-oEHO=@QjD*AUkV}oG89*=!tPj&HzkmsvKECcvQgIFZ{(RW;q<43V z+%#poE+6s9J2plV=O>ujF0<;w2IYr$4{%+xhJ2u$p zp{{oce`Oa}jQ?I6lelm0H)MZUaEn=9Qq|jt;<7mLTV$0J7{k5KIa0qRH`%@I(zGW#knXXsXc!v=K>dBKA2XU)HWHI z8yswwmEpoT;bc0FUW_4(desTq6Cw1sgI4Lva#OYjm*t+gm}74rM;&{j@*;mH!xJvm z2EI@vJsy(|d{Of-%^$j1mF{tGOryNh?lnC0mUr2oO|znB3ejiG?!w*8zpq%o9ca&C z%=VmLM+kQWSTV!Uxp)ydhJr1X`ctxl)Fy){vos6p=x^nltn;zrS08T z6E|*UXa7Z~x%qo|&2qn7K%B;6Q?V zoUI!2z@CO|4<1KpXRWASyKg;WnBrqJEUd}P_sL>*r(|3h*VOj!P2ML9fNq1S?O>Cq z-jHhgoKQ`j8w~6PZj|z(j(u()zLCDoROpG&AFelB1#XYb_8{Lz3CM3BiPUkgencRC z9$g%FyKf$ZH>WQZDsFC(!1-J8KSxDyd&@ahT%{Z4udmX-X4LiMAhx*l0#pmzLRfN) zGO^U0x+;6;N=x>5^f}c7e>yjA-{_o6qvS*$x2#V0Pt?qSKfu0Jpg)SoD>T77WbQMb z%gBtRpVR2DRY1z@ndA$dE$66MTFNOhE#YqKcM&#HOsgD_xxai{-TujT zPYZlNMv3Itbh=J6@iYcj4lD0}r2pW;gYtIx3oJQl!9MlbJfOdbdO;mHBcNyM6v~I~BWs^2K zMYf{y?fBGGle5ddoX2lrRiVAqhHr6Sn?`HTtJ66 z^?dLgSZFERkV_bAsvJ{zaxh?LcvyxA@Vj9j-nG~Ip_<#TH=2|!T*2YqSNVSa0%j7q zo8Ne<1Z8CgBlqmyMByEw6%5*#K=j%QW7NOF5t@ya!#)aA+;&?Xxxe05Bi7cwtXZb< zT%G*s2#nXq)~cb`=g>8+-Mzv~q`LX{OVPrR!=FW(b1nv+%x@}Ao%8G5sb@?abhzv6 zOy8blEJ3G45ruc-y^qHqwnaDFert|byOUN0(nF4*ANSG3ncu+@ zFC)R%G5JscarrPeF#qE+;#&u$)+fZ%>c1jUz<);yq({{?wS^5gO~p;@C7fS!>!ISg z@zrPg=a*zCSvn=2<&;k&&uqptnm4HMOHABKc6#Y*HETIX$K@@CJ07mod}Trb9Wl(fm@ou;|+ zE&)M1z2PyB26m{)tA98^THO47m`{1jwJWzGvUQoyo0a<2(GGB|f55Z@tTsKxxSqzh>v)KEmXoY$&=vBu*74UdjvOvTr zM&@d>$Gdb2AtjtLpi?+0qh)n&ac}6Xn+L87fcH=NOY}vz-`aJk>p9VUmB) 
z?rehHM8tEdq}qBD=Sz2P@!*V~$!`g3ZZa;P=AATBFA7%NQbIhwd{KS&e#8m8bSRXE^o*;`@2!F5QUJk}Dqy6eQg>3Jy!yc9}b&z{z&Q@C~W*`PU&B z=Mty{RLEVdq-m{G9=C~F%iRl-miSr^L77Q2LHiwN1XOTev;wy7$G>zbT!*}&;pt}Q zxdnK_12+(SH&eXpT+2Hrgv)V+Lz&~P3lVFPr1uUw;qj}{@Q6tu=E`yPiD)(?R-FFj-dymCCEWU!7@q}r-0Ch>?-Har0~EB9p^1qVKgX(`X&g4st`u+4(bZJws`tu$8IW; z)MlOqr)Tk7##M;S7DPqhIa>en52f13R1p{-W0-$6V;Unf*(OsJR*oc|eX?%Ir6(D_ zXPbsuknU?F&s*&EFD?U4q}c?2V(nM({mf_dlNt2|P-Mr_mjY=2p-QWsYQm=x3)neJ zx_R}M1~g@mn1>%g@-+`_^m}Q-Yi=EqQ6p~ZH+~&WzD**e7?SuRFah9QtAVM5O1Efo znREo^a)81}2BBNIez^6)YveA<{8q})KE+dYThkjXMV+QH%q{`{5MU;W@u?a8!Dal>Y-QS}^!}d1jWSC~kACE&FDldLFq)5E- z*V6GAWxTA6THL}YERZ_a-Wzt@tF9sHvFnV6tXB<0(Rp`BX4|*h7=|!pEO{yp+S#UH zZyO*sz;>m@^JJ70x*G4{Z-l9TyMf^}Ml{q(3a$6Gt(WvkU;Z3bOX)G0wxYxNbh0}g za|b;W&`r2K<8#iK)_<;1ede~>f@|tNqQhpG-*|p~%q}nSr+I^=W}bRZz8`E3%!fl1 zru`4pK3;LF{A_R*<{Ufk)_ekFr&ECw6jRgIN_cbm-WCSRM9Vgt3Wj zYweIL6M&4Wa$u_W0NjqV3O$+RpQ&Mk8F9yP zgQ#|gZ49%(3s)fHlYHA1%Rj`3&UAd@_RhYTl-6#fawpJfGJn9F{5ciH9T^{rA%`^<}uOs^H2mF~;NLlwxUQvBol`IbaW zK1bau%6s{~D#<_L(&qyepJQ!FQ1T*K8+~b?bCNMTsEYv_(^ z!$XBz@t?X0!37ZR3fkf<&A7C&vTzt?~{c;3x39 zwpz(JP#%;>1zp?dce-hwx+ic9n1a`^M`xOL%BoF9EELRWv>TEOSd2rE7Zy(NthmKRY z^@WZS`x~B@1+TldZbt@;G>d3lo4C}ZpA|)# z9zv~Gt?bQ`r=G`IWpV1I$Y1EjXS;J>%Q>-kf?yUmLtX4e8=GB5K6PTIF19&Z+2 zAJo)1Wqcy#eH{Hlw>HU)K0vAH-q3CEjTWqXFSy${AnhNvd_`+t{+f z(Zqk78A+)EJ63tQOsaQm=8A+RzV1}+*R%fOSuX;lP5IPF6_N{|2aa7;dx6=-@J*LS z)qG%dQCc;>Zg}f^Z3Ul(z}iiG2MF8We~r+iJnc2|ewaoMV)y>B`f?sWgLh=J05G*ff^73sc7 zoASzo-+4RjhSHzJ5l8>Tha-mata1bScPyIVb~$oa*3~=vweC^7f_7cx$h(|6R0ebM zFcu6{D9h%mzXY@C^*1xCe*DD2#hbh%PGapVZtRkE9tvL-u(*g-kT6N92z)n}j^=<~ zC*FQGycC%=ICV%r;0(H?Eux<$FY81Zc!P6C1CiiOV3t{mU`!=Ka6SVM_kjAS?{um( zeXYDe@!*}6(CsdDwC6taKa_!famBuX&Mst1}Gdm@GFZOwy zPUHz*&aX{}p6&N2hL#i$kBr_^Kk?GKWi%HbME);d@7c*2xv zrg7zi7FJW{0STMlqm7y&Nc>-6YTLYQ2AK8p{#kj6pHV6_imUu>8>+;(`&?jK zDm~nr)2l2$Zi@{^RTdDNp{lW1W1_t5Y#VhBlAjN+rnLzNEx7Pj1uUWS#|sG!gBj)! 
zIzl*zT13ay4Nq{xp<9G2N!3BL=@R2C`AMMqp799uSon%l3mmA1;y)+`Oosv&NW=;5 z+E*1wSelIdQxiq0Et*gT`6Hw4H4h>iYnoaqjq4~XAEd#LmCpLNh| zgF7+#>x;+i$jBY$LG*4Y-C_PTN89N{>QFU4)wQbWCe(iK9HblgmBw$gs=m39uJV+7 zzT~eyij^B6w0`%L&+Ct5WQ}tofH?5CuoBvw>x)WEqZl+Fe(Ea`m{xmvi{XL!w`gJ0uU0=Bngr=l|p#vb}Gwa^>69$?D<< z6MFL^#9IjtA4NIajBrNde^lfgY?L$?cNJ>M4}2_kt?g>z9rrNG!Rr;)P4skG6L)B3 z!2WsS(xLWX`7QoH@Uf+SIe`gXYwl`@S6g?TPo6&9We zAvaFQP0mVbU%$ByJSiGr3>@cHSFCY-C=gq z?d#GgGQ*fqu4T??mY)Lrw;Aaf`%^H@@n^jPXM}8%F43w6Yxd!13X#~_7u6PACrK{LE$ ze3UQPPpJ7j{yq1k+1$yTRt{^JX`i#5k}%>fQ!-c4bu#%RV(TO)P9E z+S5%v6DMBpXuuNoTtZ|E6h>7q%~{S|*S+JEqV7R>v$gYL*4WqHBEr7dJr=Mf*Qv`o zQ-Yz@qmZ2#V~#4pCvEw+GmgGY7V5AH+7*Dj-B$`vftv>knZd}5bpVh(INz%G$sC?Km7e-C#~sH9skiQ(&Y{v#BhvMOXY`wG(?gc013;nU7K}oup!-T+HuV(Hk;-7Eo zzjhzx;g>k35dJsr+f>tS4Uv|SceP@C*4}Wfn1-j7)b#2~`s`x=^zaSU$sk{ohIvYL zE?p`}N#FC0$31L>9(D;z_n&xg7Bs{u+?x2TGDsHcylC~t?0&p~+f^f^PP6ZnNn%pY zgFSI6QnxdGeYR$E&-7P(q}G@#MP_>6bPH6V+ub$l67?IiD=Ra^;hyV6gfu;G#8dcW z>qDFR{iM&B!)1aN7cVpj)b)?6HFlytDtf0yO{H)TA=PZVTby?X<%EbyLH3N~O-w~h zTGrV7nbHb%Cq4KgUT*$J1w~_8uiU(uIyd{~g5I~vHuE7m8u(~CirZf{hK}*HhE+Y| zB=`*3i9GGK6A@^o*u7JR2zr@7lupIVJCI)S;O6auws2ie_=w0^J7l+ZIfW2>EHfgm zwM*`78k-^T|9SLjLtDj%0hJ&cZ;rpp2_Z8fmq%F{8?;GvIhO}LxX2~&$W{>{C(cCZ zJS8UAU;V7?UxWJo>2aIn%~QNl=c+I|-2#`8O@9ey@@E_-R~)?G-jCwbxLH5)!FZ$z zexTui=v}V|DT~jWbMrkLx~q#1Am7Z*RtzV?%2AcY29-3KKGUn`wqxTGmg*)N$kxi2 ziP;eerY7Gyr;gtme^P`PfUEH|(eT{V^c(RNWtDtp`Ehejug8O}aHZM&D*60DVKJ(1 zxE)qxVh(KwuIV_%Z+_E6=797A8x^#S&qq0x-<|7r1R&*9z%X^%b%Cx1Q=lGpRt^ZP zCR7OlzdS^pn)Xb(P(dRQe!uc%&Cs;i)81(@4zvePLup)EhPK8|Vf~l{pG4org0|O( z`UFqfMsfSp2`@hgX%P$Ogx%KgA3vIC&GVOzX%hXjJRl`CZWUR2c$Z29q%V20wm)OSufGHrcSZ<@eV~m*01+b4YwK z)5X6u*sff8=aKwK_G2EdcC`V)=fMBO@#o!8k5Rq(rSvzxZ>mHk0s(T)BzDwUWSnYH6;wZ{)NuEz1o^C3HsW5cYm2Jgk+0K@DV;|T ztM}`nE~zR<9CV(X^sJ=DU$n=}<;s_KbSq0{Jj3HCB8?aSDs~yIg9XR5^~#Z33^gp_ zC&Z%@r^3|&YbHicsG4hq8FX!-U$|_4;6;#lkBgMqpi{CRiL6qUX;I*3PvSN{@_6>> zrIW7YHcHvSdj7IFgJj`sALC>@BmajdH8RF+nSrf%H`T~)rphAq63!}A@=17nV*Wc&RwW}b%%Q8X-^q_yY9i)B#4En3Xztc 
zpVI_6+BXYm>Jl8)#iGo4J4qL>Um(;(pMwB(r zrf%z>5^k@9kG+6O1dQcI4JpV5QtBHoST3RUB-#eXK-p&e?(Dt?kZlGaTbT$xZ;J)D zg+(j^QXWj2K*0iuLq_XUsw9V%qrJ~_T6>)rGzzogIq)iO6yunPc9`I_C?nOXM9f#= zH&7(z(g^xl%a76)BW1kKbMAIDDw|ZEqkK-5n+w$Et$eXRg^6sW*k2~!_1W>*rbu%e$3q-1Obr#A{XddrfH(>!KzwZ#m zV!DTcr>U=DWbz>JRgZp(HJ$e{A@fCY4Df##4iv|wMtd*#WG38EHk$s3Cf}&0y(vvD z)}TduU~yX``my6rjyScaSA~ozRlei-1bgu6kA+zjq_Gzp7@po3x%4V=YThEqL=ttb zbNm9l|ENdJ)}p`h=cFyZ1-pS&5Qq|{E_(^<_)|x8p>>c)&G^;M-(>`86 zoR!h3RN4GIaI2`@>18CcAhcxQbZU~cNglfdG@e(Pt1hOIf0Yp*?A7e^0q z79p%Ldq4lF{-)#P3uWn$+=x!nAClqz?I;0`s;y&v#dff2zjjJdKmsLpa3k|VWgTDC zx(dZFu^|z`#{CMt@9)V^qLDHr8S&}Ymb-oIc=2D4_BsXY2E9D{HgWCuPkkMglH0H) z1)=z5Ku3a~qsr0!E!lGG$+OwQ0S=HcPS;8!MYsqbXp)iZ7-)J z@}TOKHd2xjelz50hxN%@8Om=fmV%ZJ=^tD|d7pUaq4!oeJaTZ9plRqKB#&mZ>H$+nQiCA}=(}JAnNNGY_yd@R4W`Zop?~GrfIt9df zz5dv|4JX4@S*icf>K1vMlAyI$>0To4!MH}Q;LV4wb3J|bvo?@FG1U&cul}WW1M?pH zOjj%!RYZ91XJOaT=r5wL-NWySX$Y=1@x}Tc(2o^1h%b5AFj#>FxffMy-GgaHlD)7($Z+u4ba0HsC$R zDP~XL=^^BOChsW<2HpiwuMZ}&-(8=})}fPE%{jZiH13MrhNY6+J(#EyrbQDE6j8>B zJ(-CcW)wE|2H(~vhI2^!?moqTpi?JuCXz5M-mf$aUel{`2dZ)VX1{Q;&VCW#-9u?C zAk7Co@o9IJ^{KO4B7`F4zdW?6JEk|fd+H(L%E{%MR9{<%;+-9GywGF2bPpK5zaTBE zo130^m<~zzPDtbat^LZQODBg0*D$Ws&)7~nZR>bG1b@0YJv#GxR{WlHqnHaPp93?u zZ_nLz@4(2NaxL)dc^6Mw4m)WzSqEJ|{Paxv{Y>kdPp{~m-*j)tF8YjCk&)<=huyV% z!HYnnO%cUX`()ke?=DC^*4<^;@>!}FG**ceef-ciSL^6L#7)MHAu!Ph_prSiJgs>DtB`?`2aIPZ2W0xZ)W;<$_cE^?jz659kZEyKR{OxnSjof0{)b)n-)(pE z-*X=Pa`NL(wgw!T;@`y5Z)aL%J-wM8n%N1g>L0yR`+(?`BinU8m})HVCN=v|nu){D z6dlYA2?#TI1Z*B$J0OY+Bq-sD)bXiyjo63OpSKgTeLt|B*sXTCT8H;7r=2slryRE3 zIl^Kw33n<9x0gYr$NFW))1;h4eLJNj6U-L8@@j?B&qdOQtR?PN_NO;r5&zH!7HeCV+=9Q1j&~M zei8QYvqy|K{qP51vrIexGiV^%4$!sqZ61OTCI10hD!>?Xx6Egz{{Za}xLbxv#uui6 zW032Je+q2pr-O~%3ViSSS%{Xs#`#UlH+Cui=K`K7ymVC@_r9VEjfj&jh%O)3ah}9?mb!Z@3Rwc7T zV=5WkE%QnFKd{D>3uuxd7rQI9pS5hxuXNqBC)2zWfRL2COZ&j`_bwPdIm+&nz!0lX zYO~7)9AcFV%bK7A0YP=d;~;2~`Q_;YG9AGG>RusH(1E}qR-gR0p@C>wmCO!}sbp}s zKPj0V8dENyNrqfHibCQawOXxoT_6nMWi}l+b>&F(nY%yvWIel20z+&*$sWREfFV}7 
zu&fD&aAuqYO)`I2;*4#YG~Y^zf^q?eSbg%}h6bW#Rq`s(m`VnB%lv9GsAP6%Ou2w2 z8FERp+vF~i+_=(pfiN^=w;iD0Nc8d6pL{Zj-6z2zR-eSM%LN!>l?%(7U@Bn7Nzf$o z(f;F4S~hMgB?`&~9Afp!e;XQzmQ~5CKw~Ny-0cq~vqNLb1vJT&OU(AM>|@D_bo|+q zKh;|vCMSV9(@Ez8a15~zzZ;y3*nVB9Zbg}LT`3i)eA13rkIhPSNRiH5< zFGv70@&XmAR7d<@D?`mcRH&O2*eXWuYF+;Z@>_1 zc>A}ZF&JWvyzJ1JDHq)Bj|z1aXw1k967ao31=1f_aR1a?{X>Pi!;Q@+!68XZLEG!QL|l6BdkF;gzM+aF3^1sYQ>pvmtQ z>IW^G{VQGfpDNU^>^=z$vHIjacDaB@f^q?eSbg%}h6bW#Rq`s(7!@jGw?CB34vi@n(B$_Db%#i@_Da|NrwTQM-6z2z zR-YVZmkTh&Di@YDe^jWT$sZN!_LUL^@<&;bwo;;?T)-h# zpZvF>foNG1-zw0Uy(YNZA4*;Y8ndATO)}(?exNzr;~;v4>jI6kUxqf2nXdphQ9t?Q zadw{shgf|woLw&95UX5Pt_faNFyka>@<&fef)Kc@=2PiU-{7 z4<)YxjVTwB|NDF(%ld6Ixu9q+cW^(1}RhJF7I0&qm`Yz$Ri*&*z!*HjfM%nk% z^%lu>e!Y_k>#g;U)wo_7F6gj$Tz4}}mdjpqhy8u+R@>`($C}y?cJD+Agn4pJ+$gl) zlOX$EtHI(<-I=h9T-kzM3ORy$IpU|4Q}4;XchO9|Y8dV<(509Y*OF&v)wNSvC~Ozk z5kVux9Is300xy|Y=}(E_2fKD6g&f`Vj^V!peFXpwWCOau015+v{`O%R=s^JJIyY9J zcAr3?+#LYW9s8DnCICP$eP9JzuMPtJOA7>g_d8JQuAT1t*?{sy06=$$fIy|)mKiMt zfJU+b{YwU9^dSgzYa;__PQs#fQFM$ZwgDiO_-CiXG*;~yS5%5l4dE2y`?0S7Or7=8Q|V2{B9 z|MKzw`qZ0yo+_UI!ix2RVUc&LwycJUJs^aisM@K(dZ-|)>sF&`4L~v*RcUX5-LO){ zzC1`(nr;q2{bm8h?S0>Mny?B|a4G{8E34o;*;xfqm9VmU3pipnRvDyh` ziU70)_-c;$&s2S5JyZr&;BMHcTGathu0|Ex@;@9<+ymg|CkI@0>Uj_q8>`?u*;xfp z^|7*gXH{0grC4J{+NafG1p_2&tk?;XvLaOdh!qSLzDH{7$X}eAo&G3ZM1vJ8ASi$N z1VCHGa<9^Vrs@&vp@OWQA6bnmx7Db+52}QfDz@brVU_8C9{_HCa=_K6f~eS71>eaQ zfyF^oY^*A-#wxfJTUgz{YODa4Vv7|ZDQsbt87mkp{1hvGZE8+JJ#ehQoUGon9x8*? zSF2Igvno|yt5LDF>@SW@t7(~U!>f~yyGDu;K757(-6%3H9 zVHG5WEvzz=l{m=4PqE?`r`}8elGRsMtpAj(VpmO82UeqM`>IsETa7BV<$olrGc3t! 
z)u{|rtgM3XWKUKgDz;>GZ#7mKq_Blm*VSSL10-v#07?0$WCgPDQ>^&KsabYF4Fc9q zD?H#IlNDIyvB^4iwPbZ>RR=u38dYq||CFr2TJ0wXTy^Ss5EUD%;5*rp6^M#00>1!Q z#nB z@>2Obj2HSi9sY~CvP6Hw9>zL@Z$WcNy>dUz@oSpVUBR5!M0);^3zi7;m47@xCWTM$ z$ODW%_F8LFBZq30&-G5@0wAmQ{3dr>@0xUv+f&ez5`fs$o8Y`zIl5?<0|6I+WHZMA z7A&aU=P6H5FA&lGZ|0^L)PU>A7yJ**{g2W8qB*P+cyJ)8|D8M5&3YhpDn(3x@hmt1 zfAA~#-QkbKx7G!tQY3&`@U5(_f?Wd~jF7``{51y)_#70QD*->^S>?>i-bRY%Zs31= zx?q#TdJ`^p;6OVD2LR{vxCNZt50?UdokM$~W_`gnhc$^cPwM_NgY|6xKfqhJihx#w zC;uOAet7aK@CIAHbHh-Eygzd6S>L0orCVj0B|i~Znpq+rrYPSD5M7>G!r!yGgzQyi zXNbCh*Xmnw9)6mAEtQ!=kEX^LuQ9c&9%xu8Vz+|8aX~u(p`T`1A`E)=3^SR?Z);FuAY zG5JTRS_Pap7@iqBVFu40moz*octs8tpbjjGr*lNmE(Z~ zg5W0L&!4KKe~M0L*cpyp%}r|97(Rb{l}-G?&MRe>H*q>)=3^SS$Edz%dyHC;wOGm?10{+zCVd`tlOQ z$P2%iBvz?aS1a;1vopMFl}#LGXPCJOaPp5$WUi7VR?EZxIyjIe)+DhCI3~l4$v@)j zD&Uyv|53dU76Ba`*mV9vYyz9kpBlpdw3e)u6N|a;ttG2FtzvGua{7;-F#5~?yE(8U zW{d0pzBy*)1g`T#*uSt@eR-1usK{O_A%UVs4W{FLo}VY5g*2$9j`{>oXb)?Tg_D^_VQf3-Ph z$hHFvdp}%iwdQ=a!1(_G-v9dUfTcN~)T>i376~M;^)z(+DNeZ?Iy!T?J7obKp0}an zcVg13fL^y~g*J$hML-W&DFTQCd@c7{qBABjbP;H;J66Oqpi2dc0N~((D=FZ$lG~0| z$nEp|{vyC9zX-6e>leHIykA_{Z2XtH z_%b^~ycXxmtP5NZ4hf6_LCX_3!Vafv%pDUWKd+Kb*8-K(1aNHuM0=2Fsvpu>jlQ(7 zpi&VSM4{q`XtPT)mHxm8wlkwa*gUd7sJytE=9!|lG(ANgM1~>o85st!0Ls$RRGmS- z8oj@po4?$-ff993n2wDjMdhc^(P*@HKAkv2rHm3LjD?|<{)=-{WT;scH4fpkxUhi5 z5s*!&Zge$ucAh$63|%5OjE3ROV2x;Db6Q_@1&l(S08Bxv{OPoruI|}67)6z@el|v@mlL35+8@-GQv@n`OqgZ@qrRjsKBG;b z)YO7ps&6?D2n)l8!&-_1${!P=;)TtE_R?s$j74WiAbGmrM`W6jU{oSB0%=agQ83l?es~IcAZXmIEZnS!D&%^FkZXoF$U&vbG(ea%%f z+T|H+zc&QGU`KvNUbGxr+7>r1a+|WvoaS2w)0%^(WvYpig|}yMH`2o1jjP|M@5@|# z*hPPMHBbu!)5=sE`3loAsU8TX9~<+eVjRawj!PT3h->9(9AS%h`04l5sqZ4__0NLP z^{|n%|Bt)346fsO)`Mj+S{5HMGc)VhVrFJ$W|n0!Gcz+YGg=liGc&Uy|Eg~4{a5ar zN^T{$l6>j&Yz|h z4bFKRz^hB-9X8}ghQV84kI#W>m)_;Su=Csm{*g`nBfH(;O!;8?)R?=#d2^Az!xsL? 
zP@@G(O?TMn9~l}q6V4wQE6)gFALCYUfdf7Vjqi4?}Pb&rQ@$8qyNhJZ*?Tz#w$L?lb$oUKQid=xLvl3{(RDR zZk^-Ltbi_^$ypW87oH^>)i)bY@?A3I-q)|PKv{C{=T}{A(O2;29-f#-%3FaqVT>z> z!=UFFx^40)#5-y&#lqyQxiDF`;*Dz}`MsR?FK$RR*RoxYLha3FMPaUX3Njd1+l5(l z+XGTRym*^lT3YIa*jh^Ju@d2?>1rsqca)S1?;4=|Sqb}TDH*{^M2J0O z5D`2)h^j`+RLdwe9~^BdnZQa!ialc#5j-*&uSRTN%V;$poNbw_g*?lrzpgE4WB^-% zq_#wIb5BHrtzaJ^`g^cmlX$z9k#!-s-BNObm52db!7)N~Y>-8Zn5d3XX(4#bvUbgG zmd9vaJKxw~xe}>nDY?}`(3-9A0t+cUg0fwh#KZur3Tf);PKR0BE8f*(=2ryt#Nezh z@pK&{?_%(yWvJHFESKrJHn^!lX*Ckeax$Hzpg&t7Ja$Zu&WDisoJdF$JH%2js+FVw z8<8-!LQKT))S#mw@vnMD(xqS$EA=+LQoH%~(&6dBdVS*Fdd7yuU=}M$I5r|_Yz4oF z;hDi(U1HD%Mxn)EK`TiVHX`}7@ygEaGwzqt?K3G%HX%E$o@lh~S06S$*Q`yA$$4W&8qfz25c? z(Z#AP9+kflDr7|rFX~>`ArWFr`mhlh`N2#I*IP0`EC(keko~}xtLtGgCAMcvhPD!% zfK@ZFSiAJ0sZAL15ae;xm?gTnt9L)F5TTKG?fcN#ut7d}c|PYdr~Rqs}OWV)b~-yn5w?vI;5 z(kdg4*}tr8(3W{)SHHd09|< z|5*5+f&*so5$Tz<^2uk9C`cl#Gzu=wK=dz!E3sVa-QTf)`>S% zt+Z1UpT8}s8h5yC7|I&*zYp#&{NtmQ?XM4uzwZ8%;GciIS^o9*AAntu(TB_b{lazs zD1`mB{{J3)wwL}4>-pC|G*g7g0)1c;P)u;m__Lsu_LlOR=h@X^AD@|y@_#c)36CwIPHDml+$^R&P*|YlZ6c%!{ zV${+Q{A>OH38?%Tg@?P+m5|n1S!kuz*~90!YS9&yYoYPtg{rlZ>P-I$XU;#hES5Wh zE3N9hV6KF;rP?s28Y;{lh*}$2&$I;>8VlFL4wvWaJ&^vb$jgqzzZLmc<=G@AwlnQn z4CY3iKdN4w1}}Hva~Ld*I#a4%Vg@g)5px)hfgs_h+b%Y(;Z z*eg}mG_8#dIvcA0zU_anBLAPd|7%75$Ca7?hUolHh~xi+nDVz(xc{+i^0!saB>%QY z#y{=x?p#US4wpaeQMWcSpRI@fHPZCIj(ujM_44OkFRSZg zZKw&ztG(g;e&TxB}nRxhkeZ9Rp@o|6Z{P;a{b2Ec~;d6Vl zvx1KY^m@umB7eU+I&%B)v+;g|`?%S;p~u(Z^>TlB+KeWf4VD+ z`do#edw*K<;q!iY-n)1|NQ!!%C`v-~0D5{p>}|X{i6tfZWPjZ2sBgR;9nIi(zQetD ze$dNGfPtfefPg@Q$QmxHjtC8~jIe@$Xh(yB5Px!AE$Lls>@6Hjjf@-}=ymLkEFI|o zxnQJowX&r9dwu3*;jqIId!}<_Ds;h)`n#4^W^HXfGBh(~F(SEz+r|CfdyyXH8;qD~ z9C#SPp8VT$8q806-t_3b+G!;A+%_7y*_}-{rWm*DjrU6XB~yjvh{{t$ov`+L;77Ar z>ah=Lh!lHi^u1q+B1~1eq}DKG=KM*1>`|U(nc@4@4pGTa*457Ede9@Y&*M;~JY$xr zGId5NFtwgmaS7*X(-166@u1c7^(x3`*u4VlqXzvmfk!PJ5S6PUg0*a4z&uniA-5sq zb$%WeDEhl#+^G&5h%PbXh<~pV*K_eYvmiWIFy`~R1+2^RDgR(@d%6npCnkE_>n(MM z+t|dT*T^s_MK7ULP-4whws^!!Ik7o^fsS`5q{upI!t5M^OedOARtJHYP^eS7lRlJ3 
zwOT(sk8EH%QCCjGokDF2Pwi#rx1Q%htNrz$p;hTXilsDKiv;ahHizQqE;pi%G<>c~ ztPo*Jef1|E)}6-Uw`Agx^l-(j+rr6X?pr~O#7mtO$*P=5oxE2-$RvfTYo>_L1m;_9 zK&BEyy52Ket0mIeRSBVvj6=F2EUTEla=_xQ>&%9K(?E%e_=@hot`^+z{s-Z5{ZJ6wJs!q zc#Zk*SuaQa@6TYwqRItU5fTsb2}gy|cLq&vVsOMrke>S33Sd#+)+%y6LViAlAW241 z5{PYz>y6^6DxFkV#>*NhV*=u4nVfE7aG8=7q^KR_h8=gfDkiJrwu3@hlIDAfl&LM2 zxs+^WV2V$?Em9F4QWFlbgbGW{h?jq%JaH}m_O>@RhggFv=Ju=(t-5U`b=k$1ZnuE7 zO-Un_lyODc+=CTn&^~%e03D1HLhAl0N9$1A^(a?7Qynedoye3Lj>_eYN(rf@IdMfy z=OH0xJw0TtcemASS z&@@j1=w&0Un+g~Y7NB7x&Io3QyLvJ?Z(lB)<7rt58A1lDGv#_G;)X#WtKR0Oei z?Y7?~R^gA)!h_JMBL2@_uu2Otr9RKROiUVr~Z5e~nU zRUV7V_YJYah_rk}1792Y=v&uL|2EHOf)A@eZO|_4&pevrMu)Q0X+8o_LViG)lrl<4 zqO_6xhCe_FsZaB|GrdPjh6_` zO&$=8|Byn|>&=z#gtr~1Rj|g0bbCqc>(moQoSD+%*v{Kb$wq5r~Gl?p?_BBJE>M#=;5ZxnNQ09~CVEs!hj|G*^K|e27Tywiaj{ zV6Fp#!tU0ZefE55biB2baL%rXL*?|+tE-Hr$pW_S*YS#wa|S{y^MF!XmY-vP)DMv{ z8IPVlHqU=M@vf0lhx_(cMYo(C$rqjFSgbT3L7&h^7Z|fkCuVow?1k>l?g+c$tRV{4|snw7Vl<&-^g7sBQk6RwUV7 z89OOrmrcnN*VV>YK`r36s0#la=#5-birvwRt2QOh`|2ra@^D%n<%c$dJt<<&K>O1i z+nbolFFYAF7isA)*DMGXwk>nC9^J~otrR$Z0 zt`@*~zAbtbcCWQ0XfY8+*(wjI&&SLG@cm8(A9fV`CIsJyh^!2|c->$|g!^9ORQs#U zuIu~l*I@KD=o;OPFEy#Z8Y(0hRK+}zP^{lZN`DV_OR};&duk*zZ3s1i0VAEJ5kt(- z+rV9n`$O&G4E%_WZkjinB9J2oTG?nZ?_NR(k+^aFAL<#uYr9AC>+Kvgxbs@Rn$9Q9 zv*@lr18atyvp5(F_-tyODdVUFf&>qyzYcHi=_ImhF22IAkti%jfAmMu-)R-hh+L4) zkdpC%+1S%V;C_W&Y*?IPv^lbP5wqdD-Vr`XSB!9hP#Yv=-0<8L2}oq}vMlqx*Byi^ zErEsM`5DjoF&ur412>#lLOZ4Af85C-Yw&!G%a}~O;~=Pb3F0)#Ph@vvKx2ZFF_;;* z;n|Mv#@X1c+#t;u56`DMHxIMM(yS6o@K_U%<6g9sJYTw)-<=kf&JijyrHok`53Z&E z04A%AJw~*oOEAZEI1+TyyJ5rqpcCBqZ1#S#g=N&e064x4mfr$I2` zS6j_TX1xFx1i!V+GMCUhBpc$fZ1BAW?e%!NWU`!x2N@N(&U8dX6ROLdhl>wK?-#Wp zs=p(m$DbMF+B*Q5m_<0+fge``H#|quAc8kP@paZF>m!hy=se_+w!$gk*z&v7ds~l| zCYX$cc>%IwxYWB0wVla_Q=U9k(^gFThV;UBj6+(%sYt%H zRPdpwmd|-y5)~p6#M(0waPDym0KbW;0XoUfc`b>t80QM(I3*fR?e8Q!0 z&5E0Zeo0#@>2g5Qv1U8F(#aEf9hkFtpO)OHGP4tyRhiK*(B81BAQGk_BQJ0b{a@T;`27mv79l#}4k0d~sk3AQJAd_`xiC$!< zkcQq!+{WnWBoyers%C77aqf41(Qz zk-V&7kb`;5Nqm$T${ZTQa5 
z?dIymD!%n@#?$z`yngN-7&`cPd&=^8`F-H?`qcIQzChCP8*e%&NTa1S&gGa-qjb;S z&gUV>GG~8j?U+ukiJhH&35RY2xa#RI^z^=OkeZ7%wx-|Gs^zuFBJ>UyO0j=zq7?e^ z9$|^tX}EoxU8ug&Pvm{Wv2BZ zWK+l9uzTC?JYf{FiC$Xz%yS#Wn0LFA`(O zk}G=X)z|hne433r417z{_Z*s*do8JSF44}1-&s^%ppdGr=ZARrtG&)Hcgj|v21FYz zlbT;nFx&A}J~Mkan9c_DP{+9@5R}tBp9W(sgB0Es(FyNuooA+xsl?^;>2^Qh1IKMB zTWZtF%%m0W=A$Y1A2a1(D-2X|VK{?+YDyVCXRBEA(em-?+EZNlJ+&wh?FgpBe|C6R zLdX_TWEPhxa$tohjWLbo6 zxvW;VjL>m*c%>3VxQYR;R!nmV5BGTqWJj|yfoxCE!3P5$zqaX$2UMuprEBr*Ia+Ad!EA0@g)gVbp+0b>cmeS z4X%k)SX#xECq*LRGweMCAR5@2oM4jEMan8D1;)%@ACXE?(oU*NU^Ne6LE`Fo`U*U-GDW@^6pQeFPc3ea%maAq$Y@i7v&qTP3S+@7zVqg9 zSbvIG;Nz(m_OQXA?Ccd6Ugi$`3L1d>owP9^104LpkzbGYAt?~N4mssKD`aKBOC~vR z4gI|$Jg^GOn#c8z$033z2&CWcl7is<(41lM#&__m&%yC_VjCM>vlL z+qhLzK@jD)O(E}J%gC_;8pdkSHD3v71(44DTA>)Yny@T94F$x)rjW!6;HFNdqg|h3 zh7aIO&$_TiF`(l~ZCW`xDIT_8c`02`EEZ*#`#GD8l`72d3g!TF7GC0UfG#!YDSMtqBgU)oNCABVMP+`t$$;|>aQbSz*0u_$;vNuM#$ zpQx{454}2pDfW0W`sd1XGs^l&!$uWBiFlwN@P_wd%elvLnblX84_2P^2?ixQ zM{dV1AGmXw=8c$&-l)PB(Hbncf^NEX{gHC;QC{*LS}*-RK~>XvS?BGyp~NNe4-^k4nOYk44fk=` zO3(TiD0>uWuP?%gWXp2N0P_TVYn1PE@&W39M3S*#qVXHtuJlfAi55H}dn_?~X^rz> zaER1IP}$4wLNx~gqZvSQ=x-7Pm1NdOB1F{g?%~yFYJJf|SsT;0$~u zbe$WIQ`t3$d)3F1JWSr2hXixp@KODJQ6D@-U1)1kuft>7>;bVZ-8siRQK>@3S&CB)GBvwpo`2#&`R;&@La5WY zEct6g^cAt-GK>BUU0atvaZhk+hL*YQxa`9VNBvf`f*)Z?M(Z@}q&|Ku!4qS_4gon- z7G^{kzKZ+XxIyul7Y+$1zd|f{e^hq6IQ%=y{LLx@Wg!2$O$=m-il z7FC0OWXWLi2tx4l5;)3k|4v5($#oy}CI46GwX^_oW zhMCf%E6zg(xvFBQD+^NLv+u9w@<$6|l*!DB>OKwM>;m~uf+SkQD5~?iE4()&^NjE1 zE5vqRA8{H|dKLqsdi~A2SYp0CAvLOmpm(KGysUsfG0&=!yWUd_O=eJ%CMmCE)X8fC ziJgqss3^@5BCn(|jcd1Fy~%SH;aggNj$ z;>d^ZyMx6do?(S2egLlEwNFSS&DGQqnz~mem9=|^l}l0MWE`HpTHmZG=M(Rlhn`HN z3jwAL15PFFnfkA%5D4B0jn+b=Pg$7*SGT(x{5MJ zU*0u{;saHJvDVf~@<4f&0w?EJkN)*Hj@;LvSgDa{@Xm$8T@j8DG)mobbV6hTAe)%g zp8(08b7J2s;_xEh60XCKepEnO7x~)LLZtW*WywRO{j$NnS?BCh%w0En;AbcL7FBaUR`!jcP5UwfJ`eaUb&d((Q)% zFLnuPZixBftnYc-KvD8y{{#y5MXxI6y#jskj;3WT67&wummUR%ZQ(vgpejr-9A0$n zj`iKPXyL>euo(O(w~CoBf$F>DhMexpUPNT3G;lw1y=4TANhlSH3+GGFw4cKSN79#F 
zJM!ghhbh2`m>%PE#Gk-(W!#Tue==DW#J!!)IcWZ=6|;fL(&vcID8NoRDAmlX91*Xd zj{ueAF12U%GAKQ%FF-7@!3<67VrdWcAC2P4SdIaez|pEH{qZs|J}=X#6)T(KP;eyJ z{iY&W+l)xoOCtyx1nissj%e#Gcv4$P@a2YByU66$J|V_6d8R@F!wDG(ly;64ZM$2d zR)zdBkCI4doEY7mGE?hiic*FS!9z?%x6Y(UF@zKLy-MU%y}X+!-1g>^gXbgf#>e5L zG#>`RouY)Dj=JUx4-uVn==w18vME{>N1ciluveGEWJ-Ecm|ub{@OJgyYW)`4mjnj0kpQOVcG!Jby_L#K#HwQM!*uoUotC>}pY-DSOoe|0Arl+X#JoX@;4B?c@MRJ0oe``>3$Kn+IbM4w}E#ThHW z3$>CLaU7S?OzK%FD2=M8~k^PoiJB)e?10PxcFzWGSI>^1;K)Y+?b zn{_^x-kyO7^59*Zl)uQ|isL4Hp75{O^9dO!OiD_qktaQLiBl3!rWb{a9HFlAFsn{Z zbScKXbcY_tOjU9G)EQg#1cXgFNXX=_^GGqcwg9CjI-$Y%Xf3EnKuCVvj!~Ku_I)rX zI8Qm@K&UmQ*+1(#s;vQaF(-rt`tw0BAy+3Pn%@4qxx2r`GJcIiSj;USVGmB)1R}4# zyaBsm#~n;|wk5x{A~B|VH^H+ucR`7J(;T9)5L3*;leV^Xdc_(|W2*2c@(nhUEEoo2 ztr-aB4arS~H^I*}(D(I4focT?;eT-tbMm9V>CsL%WxkV_B%$zr-JhN8?}M}&s7*9# zwL_kLpCa)DlQg*Tr)nwybR=0qbmk8_osm3%^Y&)EYR(;WevbM~sV0QuKkKNMcLrsx zo?Gl*{pF9BTg4?i;`!h;!0~o}_*amWOR1gYl3qe2tswoF!i1IYYSw?E6=*nu>%Jsr z!}z&1WKIXt7c%Wgrd8{o;H4m1eb3WL)KJZ*T9z8){vwI4PgmWVM|p!QjyC&~E6h2U zDL$$*8~^DlWk#24ueU%F!qYZ~R(bChf@781E{6zyAcy|&yEKnbl9~l}Q41n{AG`n% z%k%v8Ud(!qr+J%3U%_3AjpFT0Gd#s|_tE`OOvMJWGtk*rBvK%$< zr4s+a`cMd!N4rM=Wi1O{D6>et6JWBC;BP-b>`B1nO&k(|U&0xPU}9K-MdPh6?lakn zz(t_lt^RM1fRj;Nt++;ds~WZpJJsYG0j%7|;@UE!1Hx5P@J4AmnlDxqC-A`eCa_ze zr)`3TWvQBm5ull~)lQx35~{Z0@rru9Vj!y9iJVpj`FF4>)%i+2qtgIXTwayf;*9kxdVmUC9cuVfKGRBL2s*SMg-n}Q()^n5Zhu!CIbq`l%NTZ z&#iCxMHY-}ko9hPR%L@1M%W~Tw&VtwccAQqwP=?(CheP}fBmUMmRK>)>>lW_4ZNgmkOXmE;$VZq z57?>{QQ@Zy<<$r@`&yVE&!t_7Y@!f=|#Bomu1OO#B;C@nH7XiZRe_H-(Kie zsn?90D(#YUqi~yLB0_(c&W}Q%sF9LnZtDZ^2*w+@Z{e@lNt~tQO}RXWYM8M}Z;a#M zg~lxD7_nC0aJXtt&dvGzt;f!L{Ea*^{AY-L^`~Emm(AL7kXDrUlotvespr#kLtRwj zs5*)E%SteGP?*Uf8`%Sx7bToH<6}?SL=R#O2roY5anr`AkocIO69EX@8EHnu;(S}AaF-9^qXP7ZpRi&Z| zEie~PDqO5vc4g5?gxJDSK3P2e@;9}Cs8$enAphV*ze&*RcapBYcX570QEbqs8g2rI zL&xAF%E0&dr0&fj;z&ys5?F6T{SOY)?{gjezqW@+G7Ut{*0~f!HR41VgUdpY@r#88 zqGn5Lnw9fZ=FC}kbms(yp3yTViuZN!69!^ zv#_T(rdVr3MD=eCZAhz3T!~80vKBT#jsdA)S6G(lOT+ zmbUxF7;yMhM?GJ$nh8LN|w6bpT^a?$#>+;Wl^~v3P 
z>ls;+!me-kFjI-o5@q}WGRRE8T7^0HuyF#vA=OmoYDaNEJ+}!{rCNiYU9dPnQf3-$x($x#|aBy>LWrlAR z%yCLBKR}c3=EhfGQSBwqJ-w>>}#AjO3BJS=qLy-JlhtS?zfi0cM$T*ieC$D5;aD54Ci98gTb5;$FIP36XgE6v*b z1!OdRQzS0gl?l?M^4XL{a=3(e5L2de^XDO`AJekAmIT*)W{&qU38R`<0)#t3t7M2_ zN$qle)S3<>$qXVD!7azG2w{7T2C8ZAvAqS}NTors$#T?>Q#8rtnAXfYj9T?+UjTf7 z)Mv-{CiLMH82{-<r|jdx`e#~Cp~vB1EPt)U{*2nE=knLWFtL$0Xu+_q?ow~{ zl2obh%5Z7Vj8V45Gj+N4pm5taRj~xf84(``{1|_hHA2tEg+G8w@W##Uuq`d^u2mJ9 zqgqeDEYtTZ;6Ct=&spWVr=!a7{niK*m)c}72VNjk(cAR7bcPirbsJ+o?ttvlY|P>) zOCKQw%r9yUXcJVrj#$th*$$TV+=#oZ>S^XTYXZ#caG2pKc^~jXaE3OUTUVpQB-bS* zR)ME!KXD?Z3fMLDT$EaFfrsE6!=vARJ*r1>k&)v+S?5Pn8>N-Ll@i5V=6}QZt!k@C z?uDiaFBUj)ax|C`rClkq*TwbQm;_{1#JSDSBJ^;b8I_(lO?{1dmfVS;T|OtTDY$BjjiwxbB<6e zBP27Fr#bCC*4|#T2`N06dhVsRH!Q9!S2s+#~tSgY5=?1M#M=*DLcMiGeY>TYmt@1-;*pjVLP&m$bpr1BscaH z81)5_{O6dZcAfll3m$=3852Fn?J_~kad@%tlp`^OoE4W9zm;gM6q@J)4faoQ>X84C zG5xs8%n3X=>TR%iq<7zCQatpeHH2^Z6BFZ3lYr}|Fj+FG)CM&gr?-byn>ooV5HR7c z__2D@L2L5FdM4k*6omEbMK5A)@ z+25n&>jt`eJ|W9@`zQNz#%?lKiHO{v!v=+rgulaS<~~v}g(+-9>lC74EGlvOH8|bD z#S{jXQ^0Q8Btm*f-^kZ}zY+C-)fPG@$GSz5uDb9(*=jgA7R)^kkQLcW!N44d+iGqrcdz}ixivym5z z6m>JzqE+z-7wHVZ=XaW;VOSpE3)HgCJjyQ?03Si|2hAoFi_fpy;5H(z=LVDEE-b9u zkH2#KPsFmdqnDA80F9_jfyk9flFNm-QfkQDK;ye|InRFffC^uufEu)P;<+HHu~rL- zxHE?4#!&17_&r^EOawiuZgIMmb|j~;l3$@@TJTPKIysn$g)@KwoqcsbYZ&j{)7ZpA zntEH7!_@DrH87(O@J`0`W(cTZ+Xi0*7$&(73o(lVTGOF|bYP5*6+y@%lZ35T&C|FO-aUz!KJL@U}xd zXp{dIi!bPqEZoDWXGo6XdEJ`V7d2yw>=$0%bNB?Otdpe?HasuqL0QKK&*-|NJxNyi znM$}ost%K}RlPLf;Ta6E-HVX^3Y4F)I$75Ir`qXDy|NDv;p-if;(8RAo{+9A;!Ly) z1vR!gI#p9vCVS3{RW!D>!A7sVS2Y}AXLndZIW$+8U<0{vSb9Xy?{(Qy;-)AnLs90N5&f#Xeb#rxr43PqxHk##xbbWbaJF6h~0&&QS(q!-n5>nnW;B z_!-z=P5B)KRK71+U=lXdo!QMLj<4pcSbDFXsiIaixV?6JiYU@zp#UMB%hOuHCLcSu zhYBONmZPXoGk^d!4r+*hC?n608N*$wS#iA(v0U!LF%qyIWU(Mc-k zo4uk19~X9(t_$=JSb%WAT)|3ezBN2)YEXrZpsE1|W+2g@s+jmex$383iqo)XRh+P? 
z&2=dHD>Qb9X%tDa{RK6s{|mamn3}-8cfahdpuxk{Sv7R#sOf<@h z+gIJ91Zd*vq<2 zDDtII+`1f`2Lk5CF%24xN{}~Mbr3FO8R7*;sS=M!rrDio*d7>t^1~q)No`IE_`n?R zyAm%m@EE~?5RnX==3LsTYQYhh1D%1czDH6qNPtj@^sOt#FSx@{1rf4r6g- zvi6Cx!AY?WR^0pR%To2{mTC=x;G z*<%vHDw+29BVtPYn&#B&2esc5rHKLd1HZThAb)=-Sz1_kR96n_<@AXsxs&_dS*LL)Svj#9y#RFBQE^PT~TXE8FSKCX^&!`5rT_qwnV2| z5|QOwrD8n5;TgMci%N)(FvaNLrN~`#$9aW2QLtsF&%N;lkG#+U+U62O|F%~&F{pna zR37uUC*i`m~*194-{`I4Vrm++GAB@N|u`#xXzb zGySKqNlYJ22LlJeh9S=sJ|AfLyb>B`Z*v46)(d2i6AV9P8?=uKwT>4x*m zC`=mcI2oU>V-s#O>yZ_CO(^xE0fYu->7@?a>-z^+?>HiS5tb+??3Gn-mjE5YiIUtF zAy%rACD2)dMi_(;V7(d{DPVOwfuvSVL?#aGslT2g(&)CPIwASE@*)vR59RHPr{Ky)1K?6AU_37H?h6{AxsM7E>>5-j! zQTm7N;1l(i&9quOo#zhbA=BX)w%F}{3R~97n&xg=IQ*89L-3$&0Ipl6UU|j2)Bz9C@bC?-+J}v>_Qzsl zFS7wM8W8X9br*aGM7YplFkA-1boR zG}|_rSSraLP>v7gsHx^4sj(um)*;~Na!OtF_OmUU(0eH&i4o|x9hzZ_$YO@Yt^bHX!0dto6s?52PWN;9wSm#5!RZ_>p-OW*A{6bLdUZTVmacV~ z6D{+ew0pbfeh(TfiA2f;##B@aNbRX20*fWJ+d25en*V zWgNlEwb)+aNfkm#*Jj2Tlp5*T^`^uW_YbDXntwV9E=p^+c*;A`EQ!4I>XU19pfw8? zcQ22aMoY}9<>hVg;9y8i=CU886#}-^Z@byFD9lXnw1HLpI4t~JTMEsBT56PZ@V6*;^(JSkBUed^5fT%LnYdbau`moRe25$l} zKP&qX@)uZ#^IrVqwhsH<)6*ICNVG57NVq^McdRwvLC^AsAf-JJ*gaW2hIB4y73`K+ zX>YfRvDU;n;i9eNUz!MNXlU8pE4VbV4U~86dtlS~Ro2dv6eQ-}Ja;U|gzJt#{6BMS zpFK?C^i?(>334LpcP3<1kfo{|=n_gTjbBb^i=Y1wd=^z{$$39o=X;6FTcj@>#!9#v z2ZlYRAm8D$`>ck7wBL53f7D?-?o_z7RYctXvIZ1=KRPh-fQfv#*CK*cH@A zD2D=yUykEu1DR0qR1?r$+xT{ey4FEif$wuBi6lSnC^@xiLi~rK^biOWp+Nb6R^Q}) zCyrkH+(3lHraN39lqb{82HNdzGXl~&SwOd(tB_56b-klO+@8VR_Ing5hs63pvPzOO-E(DKZmwjyC;_AK;d%4!tEc7%6JU>~A(VI2HwzUw2Os&c zuZ|frXTa!#jAdcZ@~crk<@!fcjmSG94mGM|K2e4TjPo7kWT(DrlPqg*P>h_bz?!ci z{Nnq|2iU)!1S`WZc;E&H0Resm0Rj9sC&B(X1IG0C3|NJVmctGi>KirI*;prQ?Bv7X zy(C|%G5gB6bgfxdO}HhNSn<#8{H{)nXjE>YMiUdAa5`JWRgbR=3@c3UBy9eo2L+W_ zj4tf*jafW0sMzubc7y8E-J&C|5v0kUXCa9w?bFgudxRS@?N~E|T4RnI?B}SKLhs$I zDQ$?QP(9yH427^k{c_7J#&qb#1{xjMZG$2`TGvI_wrGuMwd0_O@HK2fW=>)->d-30 zh$$>^q(@skkUU!@>Vq<`$VoM7ZqAA?6T^8acW%tjpUsoUylr_tn zekb6BSFnu_gSwXFNT_0#0Zl)?30=RtPA==OML{1bBaT#2jb+_wWUY#7UXP2loks2d 
zB7`o3h9+OM>el{Y?)!2Fz1l!H6r-rzzwP7D|G`bkhETScimXB8&At7O#(wg(-s+}< zm-2;xUe0!z>dT63XF67QnZk4^hi$UNv;LP>Zbnov;?`>)20T%RS#qqq5Hb*;H}nn3 z^~C3oEP(ug&6lW-+y@zyR4$uP{aAxH0yqy2YfN+*u+s1pUV?u7Q(`cz z5=tO;dH`z}kgcfT50*XD zU9QpkyK{#@DX9w~Nw#$f~UPOrSYU3ndalqdn3=|JZJ-hMRg%FXA z@jIl)O70K?hjU#R2g#8w{|u}t(!CEt1xE<$=YjPH@^Psu5=oh|NtwoqP*Dtr;H!nC zYrl!e%#Op1-Y%;}-@f;JukZPx=H1yANeBWxs$g{BmU>q8QRkoY@WdQo_qZ#w_ZWiv zO_T?Emx+&`2|V!m`^BA_OAq|ZEIz7oi<-z(tO7*aboI0K+VYL;APWbKEZX}TEtzZ> zeUGOLxkiHLMQem*N3ZUBf;SDsyI@CR=HKkq<4v`V@Ed#hF2T;>H*1*r&xGV+my>A` z@yMzFH1dKKJL&f%Eiv`TETIR_w9Z*@``0oRNr=1=a)ir|joI2RNgGbqJ?K;L{#qbT z``$EFxb^!@n_cR^1;>e<9y>u297$0Cfc}@@cq0PboxFdj4BpBzdP)hjFK#^M2R{!k z2Dot3;&p3sVymwX4QK!@mLSiP?UL>5)ifD0HI+2wawvS5Yiu@xPA4&bcml7;`R)@b z(^J6|xmH?tQ(~`AdbOGB;`x11J+BU-c0m+n3kvt4wFgLj?R30=>tNmjm$An6AlV4T z&l1<)ROp_O;aW4~KB2)6a&J@Hy_1E^Q|E}n_$yy99+}qf4EtB&t zzY2*B&}=#lpdLfO_|&A_NBU8lSyiCv0+NPP7z}((XG<(X_Y;bB_?v+(Lbz&}9_?kpG)*51atcKA~#m?fb{A`-M5Us2Evz; z4fV&EH(yQGp`5nHFTeXX0F-JoPpoWTtK}ICjLAa~xrH!F?^cH|_+i^b2A5ox1W%4D zr4D*u04xrj{lsDUST>r~c1P-Xw_>dm`gKKn{@l(A3(RYxgxYu0+fyTX0^q!}^*~ieZZxppLiGK$U>ZK)u<9Gvs>St?% z3YCcClGcWTe(LIWjSJsswt#62o#~wo3*Sn%Eexp;@Ejhs9v$oX$M@j1o$rR>pyg`& z1lkv}>_T!Tk?~fRnDDz{rTf|=x;;ZliCdviovB6fj;t0!4U2O;_MjK(roXR;mP+#~ zU+o_z7`3sEwuy|GE6W=t&5B74#RV63zj0a|x-(E zGOWt=aZ+RGtI8`%{g`=mFWob-wiVlAb8ept?(Ay`j-YCkImID`Rj$cw+Mg2k>_Kwx+qGI452e%w8+E~WoGUPk;+i|!P!L6(VCH| z0Dj6q5d?^m5`YD(Ok^UNgmeKG0=)pq_e|43*(3P@C>nmKU$s$8>EBf+XhFgjyw=Jo+mydGG42 z)5R`TdzU%+(Xnh$d@pKBJ*lr{h4Vtn8612Z>7?sTO)oB7-pyC|me;Yi!55Q#QQK2u zJvR3e$~V4PEn~DUcMa`$z0807%fVXLbCz>k_36^+@a_R^+EcKSt)qWyKKx6fYd!@4 zAVviMF#gi~ALRzF!(eVdR6p{{u*a}8aF5l9rYpZM+>aKFJr>GleH>U*u6yD*F8icF zH3!%>e{WmQH(i+nx~`|1>+kQMd)aw3t86m{QZ9QB4?h*2>XW*yA2PS!ea1oaWrd+P zT^HWOdcdNw{G}CrXt%rCL7ECQt&2;lbj97_?(rlT#B)*z;GzI^i3(+XW{i_cGBs~t zEaG=2g7?0n8{*0au@0!Nt^4#$r=q`|jJp-lrUYmR?@D%1`VGth7l3@~E4wu>WmSj2--R8OfHBB-Q^5ied1%|dzPV!mB&-8pe7PS~|Mo##0o z68`y1@D-eF%~?PKsTNhRk5Y$X`G(F4B#6o|;jJrZO1d_9T<%8Va!PhGWM8w)XEfn^ 
z$!z;XgMGudin@HZShPqyEXIU3XRPH&JJV4)%ZOTibSFla?t7(ipmap1yg-J0ci!tc zt%KQ)dl}!i~3%J;Iozp`&AEvZK6Baiq_PsfX^$Om9X65 z|9*9K14QxqlV$XyTaTw6T(LMaA^!o?=#6G*bD0`1Gc!(lITm8oF;6T2W;B=>o(r>( z9DpvRqnBSy-aK2^Y0Pazwlkh1PX!ahzy`IOQ<|3TEf>wAoBia4!X|569R$R@h6|?K#-2JM z`((VP?bxwYR0MD|7Zht^;8`;!lUR2)`qGi`js&d?!IZnJv{^>AA&Zq$s*}W+A%14l zCfT44dvCRsan~Cw|Ir!Kymhesj)*}FeSb=!peli3gc?v#vQQlsAbA%;`e#I1$u?30 zk=pMENm^w9;0DYQ3Ws@mOI`Ey{IR&?=$jKu&2&HBB>5iGZzyR*QZ)V(?FfTA{TsYg zn|?Xv7zxe)%bdR%kQCb_Qc^7x#4V@WPQQAYeBKP6en3CYj$e+Yx~C&&p8Pxj<2iw8ypaRR1H>T^xb)}Ce}@ZlFu4*Pf+v=Lg8zpuk@Jx6@J+W+>JXOZfUX^7TXb`We|8$~oBDInwFd+0nXLTS-TcK>;zq z2>TR{ZBb!l^+;DtEboq>aZ3$XaW4? zA+%|#ZeKDWcf+&9uJtSE?O3dGhmH(1nq6o>cH) zt(lX7EU$`#BL#ovY0?voOm8>iv#ON)s3b>9Iok&_l=qY?o!tMo0pOW$dr*L1D+dAq zK>WWOFtl|r{4l15@R{HEFv27P*cLtDaDYvZ9nlKzKHI_E_d z&fkWU9FOhfYYG@-4MD2quxgwB5pZRvxX32Rmz``dhU5=9Es}zH@CPcIgI;bcxU5>9 z*SK4Wu|U*US`Jg!kfGyJk>mv^OtYS=HXvetxxk>EuBl`wx^;LJ4nA;^lbPHtE;6wF zu`tW2&`}g0CAu3!Hzns;hn>DHRE2tdK#wabQ!4^WAx)jM*GW1ur#_&u@@jo=Gd*Oy zT$juJhPNoHl;V^`D23(0Xf&F&Zx^=%8soaY5@Rl_AEM)klnB~vB&N)!%P-+>U`oa< zTEkh@XyP5emxK^y8DFWzU3j?gZ5eU!zHi9E$#m!(YdOQoErtV?xY39qbN zK!kc<$Oi^FKZ`%Zl(5QfujdCU?~F{z)YR?x_MEx9n~>&+eo+X6i$q8{m7e@#s1{+w zV54}s#(aI{Quzce9?H~f+)X5XF;VQa?|F)kD`cuHumHr*lWc0ID2alF*K(CH*oJ26 zieW_0sz*2+m3eUb0@@SAL($|%v|^*86ce;DJ80t)I4~CS9!FISmEARWLw0%dBpula zE4*iSli8p|~x>FdGRPc`diu1@dUP`c|qOPMO< zCFV~+iS+4FtkW`T_xXbsDY1a2DUnwq7PB!RhiiFwK;|h z4OPA>x0c(lOAZLh17BIhTl8p8s%Jp&I#eAv zCZ#Zq1RsnH7DTp(UFVu#m`(Jqk6`p=rz?p-&X{fJZCP`ZV9HbA?-C2b7`Rd_oV7_B z_LAaLIECb~7KtRB%>f&uwFxO+jm--oXjLwoJhECinkZ}%hHxS^ftrvd1)7_5gpxxQ ziwvTbKfoEDfKUz!7uUemK#`=u|#>YqnnoA;7 zT@F)X>lr9)AeAO-Yx-m5=ks7%opA@d^jt8fTQwQ>YKtxa!c zB7&r{zzHxcofmY8fq6#bZJ%o#U>Z~pA7q_a67l%uw4KOQGxDKxM_mdWB`Z$6$1)Ju?;jXOr2y?Cg}G7 z1=}>+`6%pzMrXq8S=8W^#xk;ZX5C=`DmS_AiIpVfDd;5Ynomu|@s_wtK##bC#zLkF z%ja;J$*K--rLl}<+MLEg{sLq9%^)q`HDyD=u*VxyPULwhB{5eWg+IxjpEo>bgh;O5 z^PYKT&$*`sEE`Hoi>QA&U5Ug45_d4=xJp6E0mea~b71{gblZZvRWXQmv+1&&R>7s-ySQ3kmYq6F|@mezswfXg> 
z+8Rk6zW}K1w`X^ZaSVYY0k=m-zKK2b4IX=0Tc)BetErj}5j%sQi(-j=(&X|`{UC7h z_ZP?y&iVQ-jiv?i#LD0V7e-^iYw; z$e?71?jmQmy@HJ0kbDt6@|7Nth6#qUw6W>oO|meb;6*Lm(owhnrajS|_kd*5D9nIO z?&h7BnD7jvvqpEExF}Drt(#=cxZPXhid1}&5wsY8kPKYV#1i4v^1W+dl&u~rs+~=t3tF=yNn@XaVW#q+YX(m8#w7S zkdotvoD00fwb}Jghh)g`4Plqo;%TAjBIiv=O@X~2`N7hVb%`x-nL@m#HwkJOuV(Bv znc{OEfcz2?=l@atW+dQ%+=$FVRZE9qFQFV$B-?TsX&uEDs9}u4yw4sjvX1*dmxv|-^8rjsY`7Uu{ zPuBh6iyjLSM(Rs6JW?u=G{%%q>Q5lVZ3(D0RsV4{w*7Q_{QYOP>Zew+IffMVg`kkvwo>p`pSKD8PdTq9o~qgJ$)6PXH`P9ls^0!d$5)}x3B$lx}RX5B0g6(pCA3LFIxvOK5p@sx9x9lOXSXeFNe}|H~62i z=L^7@O4X{v9ZxT8)mN9Usar33Cz3v^huxVTKDt@FINq&17xmpGtL2B#-u0Ygd$iqC zbB;fiA72l*uk2Dre=KZL9KGKT-{fAN!jH+z!i8jyku9k&N4AMBh%KX+emtdik6bP^ z>js^~eb}zIU$JRlj#0n*EM>hlVQJiFhH>xP!ae$InjXTR6m_c`yAx(#POY2Tzb?1; z({1ig_=Z)xIcMD2`ILQhzZ8COs#q6H72j^>wszs1-4@?)jM%EczYd=yfIq|YoOD`3 zK8Fk8I0~@;hOogRlqNQs7dz`nW?h=yZe(~34*?uRzo^FdXR)r)$4>MLQnx!sbVBYh z_lM7r%RgNXG)qUwC(ElA#2H|AYDQ$W4(w+Y-0ontsEVR_Gz|=io01!nCcZ8~{LBUh ze<_3#;VXOHd5FU4j30k3?soWLUez_QtQriyK^Zs$(+l#7U|A*yYnAH z=FHcX=k^vYb`t3>a=VLme`9~aC02c_D|j~sjXH^IDJ3lT?`^)J`Fsl5-A-Ak?a*M+ z`Pgr=64f4?2Oq@$B)iPMo%_5^f7>p4+QsKxlxE(1tNJMNsMuiZ#`e4wY24fpa;_MV z%@e7{ZAMda2G@ye13rP3!@tCrBzJM;rMlI*e|sCY-9LVtlP}_{PK?m%d^x;j(CvJV zE#}+2ls)8I%Us|Yqib6C)NWSoN-gUg_P~(r$NqKI#88vFoiWrC5^PJ@Z+%O@h9PZ% zEp31;?V-;WZF4o={e+b5V_I)tAGE-s{+^M zi8Fo|zwv1YE{e-D%gbxIt?F^%Qc;)pU5Bmj)Fx2253uKl^<4Li8{?{*!|I>wN>?l1 zV=u;`%e2nzNrcngbkCvf>D1s+uHV$xJ#1!wsqevV?ZK|ewrbdm2~Va0p4>MCnAeB; z&-D||%oNu10*K zcb+Son`8O=J8aPrmp8kjjZd8Fv|gtzciKPk@aFx=%h4>7!Mg03uUPpChu@Ly?wcon z`i#fC-ja_MHdjeb-Mm@-*t^u?Q@rnK!Z$x}xd{ol>3kjD(QAE}indIG-sHQ$-_)di z?`mZRqwVAwEru^&cl2(En$y)%{d9g`bXbPJH)aO#NmCNWN{04v(t0}3%L2e&dLO;7 z*>9^nZF}!exbMr_?Yq=TL&u~?WcjJ)=}c%BVd3e!S^pUG>aft&Hnz|3UgMGCL(>dR z+ZUKWLFX+Qz>YxI{q!w2@-~IFCiV9>Y%}(Bf^s_V2*{|sl!a{jcXINI52l=nZt;8a zUHe;}ijRU!@Rkpp+Zzsgo5A~GW|$0<@2m7)hTMjHa`vAfwR!?x@U&Len|(`2y>{-EADE>YnS)KNT>&r6 zRj??!zzWj&#G7wkhM^(B-59~w>lm~J1Mb1`H4q4f`oVe3aiQX9;M|AeNb=Y(^AquU 
zDA4@DutvWHgR=(pq;7tj#t&!f$8)XRrR^cN8)xiAlO366?6K`L=j5dc=Dh)->eIZS z(*yv4I4ax|NB19a2(G+g>I#Km2!bEliuwbjJmwf@m(e0&smTMSD=NwXog8xh^h06@ z{4=hN6CvtTBZwm8F@&M8iH77e2S6o&NB!AJ)B}OBB?b^A{;efPsCD=#IP69F5Y5@Wnvb}@5-S^m0ttS;trjabMAEB-OG zhBGTP)_&ilep>6qKH z&lCG}J1Zxz@p1dbsi6K3cKD&fkfM`Ejr){xk{)|Akw9ys)7NljIDvtK$BgU^91Can zcPN(c3m=KndgW&Vx1suTw2Pl$H~?U{zK%ps!$lbWN8-@{CnsM}9YfF`{TWxrqOm3d zV!(}ou;D<&$$^C7g*VVbJ4EA*Kg-k1oIx<0Kw^!7HJWmaP3u#mecd>KZa8rK^5yA7 z>1z#DM7J)$;i+;6xzP^Jy16q#_}2ifL(oK?!rXb=ALEgwExA^84oDEx%J|ROtK?ZyrFh9-9 z7DeQRV#nvyzJXwTw)(c+WIM02z2V+mnNNZ~k-1C;eMGUH zFUDm>)r-oiyklc-yu6*pg`;K{pr^#;LTU*w@+tP6BTM9{?lSvPGW#cMGwDNewPM8` zG5!OUBZQLu&p6)az`5p*Sr8HdEv7Vx(-?zI9B;$uEvIiNRM_D%j~ zw!BPpfMcTLnCcbHab`Ae2`77&>I}!VVs^6`9K&wy_v!~XJ?|1BfVC@Y#%X{D zR-MN;ETNYl$)MV(D@UFFHQk5P(B|nMu9l834#oqF=R0em9Joh?hGnI|${!o3N(hK) znuX{5Ll1r@1_i&Zx|fyAynS1u&r3p`Dk{K??hog-?UkDs@8V%SWSt6zt6wp_mR4Z~ zEFLrMZCmO{>9J1!I9J#V%zzn~0dsrgjDGyCZy@51e%a!(f*#5~hp_y(@lO=@(ZU7; zW?%-ay1$;4--<5ch>r4evV3CB{j=uNG|7FR-&E9b{|r*hmEJk~ z`$RSNSd!y!`&ztJ3lMO_SEse&*WpLD;kN>?3KNI*-#1H6o8Rnu==%L4-H{;Eaw!b_ zpq5dP21p7lmQjPaDm%zaP5y_6AV~d{#8a(=-W2(@0PB3C`xY~|dp8o))0mGEs zxPsp-{g6FXfMCHI6fq$L@jvwFcaq|xvqm=O^aiq^&w~*~u_yWamqQ#v1TKw!yW&ZN zbe_n%QCLdK_S!fCW;kjS%Vgjl{K~FzDp=oXSEym%0UFj5=sss4kjEZ} z2}>G}sS2IN3>!CYA1p{HB<7yVh^G1VSQ_{@?CCntZ(JFJLPXUa?q}n2*}*~=neJ>z z94mI0zU)|f0=BCGV1Cnp{;g-*oE@bJIsPpiKMvF`t>BXR0-`MOAjWRY5^0KnOf{PE zk84UL1pA4~9vuUE*k9owE142PMc`wMC!i`vHAC*vYD3N6>bgO_*7J{0iJ1dQ^eRjs z<%WL59CXj^IX>y|Y2403J;9zSODm_U9Z*^xvE{R&Ek-C?oaMP&8x;?u0N}sxi=DOR-%jQw@aNa%dYvDaA`{{a51jk%hfPPtBY9GQ>@;oSH5cqx!$Utam1ilqTt0@&a{!1?=< z6VEhHtILim54paUp$0{ylY7=tDOs0uA8m`WC-3O6Vx@$#jps*`!k|aIId4r4O(REy zt(2+$fMD!C8VnZMpdbM`#1tWDE3FH>SD6;CN69R$1Q4sl!{g)rhr{#p@xe30SWI!f z=eQil{81v_&x*u{%X?rA13GYc@j#kwcQis;;wlwCs)uk&X*n5^WD+UC-t%Hv0>por zfuj6SM5It=X0~{3N;yaN@3DnorUwUC0}QqM6t4afe%l%tcJAD;`lxd7`gQD2N&|fn z9xpi$`Ks&_8i6dn0$jfrtxXDMbC7~{2S)r7X>|-EpoSKFXKY=sVaRG?>W~5(j0e1$ zkP8D(k&i;yvvJ*Gc$b|0WSU+UpbXsv4lUxPL98?H=lzswUfiEkQ{p;+>vT7n-cNJG 
z)%e}3@2)SK&6|8aby?0F!(3u70bxIZt#}!aWF~9p4i4)DmivDi% zAR*BIw>RY84hYGC5$N<_J)5$4>|Pw}-_8B&t}d4{Y(|(Y}JMI4HxHv*2Bg7UAR&S$iHW6w zv!jcN(0r#k#FQxcg)nJ=B&@bWQjf=i5Gw(q!J1MBN0Xd_iM6_dcCKX`D<~|HN z6U};|WL4_zPA${kiagO!GrlD57SP@y3fw%z4kBU-Ci6H68)6QnmQDTOS}?Q<>(LIh zCVjPk0aJ1pQMoL8f9aC2h95sS@!s`oPWISqBYRsm?9C;?xb#3ZFNH^U9u~1@`hK>YkneA#|Jtee>^o8B?><|cj)z40m8l=8y#@|3Gg^eL4^ zO%Ha?AKVU2|B=TSz{!_4Gd+)4DX-OwNScU&9heM^vnn3v7&ZH>V#RXxYSXF%|lo0O%2KEHRPmS8xfK?7Vz(bDO# zpXwz^kUaIpQX!B(EEN+1Awfip6%xWBA;KHWjGz#R7ojpUvJc$JLV`f zvk0V2&>O}MA)}9U%ZAkeg`K`b(U^%>Xr(n4tInXhK;Bgp858e?mD2 zU5P^jAb(QEBFcPk>SQ)Cq76`(LY@M+%lE~)NjV$f8nVz5eGx!@we0-{ho*@%*nz?e zq_EQ-L_>={Wj+<}-gLeCeDTT_QMOkDa|XLBXob}O6rk@vY$>FwB6yG@R}6zTbZ3t3 zKDFM3zhSn)vYqN+i6s%il_~vF%p8u)7Yb?%6=oI^N0dkmDg9-Z$DQAR&+V&3`Iod( z71wzZamJ+zRR{lg-*__Zmie);Hx8~9^bicb*!_C{~7tT1N0(v zIy0BR19Dow_w0m*3HdK?#&5~DgmDGtlog{;jVK1}l5&CzC{gZ1dCXGz7^_pS{13=x zf6I`wI|IHr<7L?|EKQ2Pyx+xR&3z?Jhw|Ds6VzpA#(BIq6`%t@RUTf$rngQl;Q&2V zUiQFf{?z2#E%dk@+c&h!lthm~ZlQfVN&_t+F$t{P$U(#@NXllh%0CnSWl$A2$4T2V zDHC?CEQd_pTGsP3Z|fIyP38wPfRn!o-jQP`vr-=1pDT`vb`Rz?S~nsy<~}={FQh(7 zl?-0m>Po6T3GsjGsI({EyJo`;*LQUD#uXC9<-EQbdix~cIl5PI&f+}oi~W>&eT>;h zE#}LDn;K^Rd@(~2;=bP#uy+6OMshf)UInN9gIQ$;ke1%9B_}zT4jUI3tu-caig_&w zB=aF_$r^(&4LpbheT~7& z|Mo8&qdkmS=Zu*$v?tsrtt2>gx%f~TeKj`Kjh4CrI^%%Q;r zBm8>NiZEz;!6U+WOY0r{F|maGK!lQuWReG90A90gH0DnoG@WEw=sh&m}bEfIF{ zXbA^z6%Zwn0SSv7Jvgd=E0J>B&zUuLl>1sq?^m(*)%8Zc2YRzYj&VP|@RL6K6%o2& ztZ2{w6PO?r9ujGnox}opEScO;CM7T(uMn0+iNaigM8aZv=e@pg(Sja>#axcC1d3{qePgwSwSdS8MYp*I&vjn-pvMd2&`3|En$mVP`D~nk_ zNlg!k(y%s5ip1Z0u;e5IRC2m=I+YixSMUf=lKt@Igz(2p-Nc(J(j|O;B8kFY*X5r) z%fi$Ysaz7ct@-9y!l^-kNCK%u!E-1h1n3auEY^v}7U$WT&Ou*Op#CO*9QU0LqQ`Zu z`Clqk)TN4cv|oBz*}9qWf`K48SUH-if{%@KB$Ct|I4ON-^4lR-qzqM}=S<`)E~fml z0m;yv<5-TWil7q^zh9n6;Pzo>89reA@td#g@rq(9#1I&^gye`j+p%D)fU^rsg+q^# z)R{yv9$}6>45E)p<~xlfBg$c&+~>G3B15_(*Icy!Na8=<*K8$8iKj>xIeqaSI-1o} zuXi1mnnnu&omu%L1Z1_uI^bj${ko=MOAcR`Y5xV)lV<+1=&HYndWc8CbE!W6VC$G$)7#0ji|usiUxdg^ltD&tjs-?NP|BACfnhgE91a%x@gFiEp(t38#zw 
zwy<114c33)7h47U1HbudRm8gfa6jRXF4bD0@}eNTTSwASt>cUX(I1I`WI-8dV>%XM zVwBM#qxI+mvyu4_haH@r;yW~SF*+6UV5ul@f4P8Z>_!?iXPnUY#p zk@=AfVyEwXMB|}3F8FOb-(epY)nUj&0+Kb`gdEs^zok!#!?|jowY&Z1<6d9Vgz$*+ z#oOS^oS~G>{&R5gsswgBB|X-n`4WgSs01k^~SeT+7r)G#;VwOip%R!I(GA%J|-VrRj5%S0&3Dq_?f_3qggeFA0 ziZ?E0E*T&=qo-K-``!1~sqRMe!WQrScI_Lg@0a^A4e2e;J>O}wuO=R&d5lzC zy6>DM?`A!=Y$q4HhJn8|TS2M-e(irkAN9y&m|SCp(M7b#*z^17u97ek2UNXOD=`g3 zIH|Hvf<3}P*tofoF)DqmGQeNFkE1)(K&{kO{Jzpd*FCfTVO)-O0RyZf*nGgq05xRw zb>xN>tGU>7yK2Q}h?#cWYiB$7B;Pv2OVslvj8*Q(-{eBd+pJiF)+-OB<75IPFTXEc z%CDXl+t?x(?|&MsiAu9{&FH0=_jY1Xm-sUyOgoGv=lJFp9)Ix`2c@qj6$_5ASty?!WQ4Yt&z!}%vU(@r_&uD}F=?R44q zQY=(weVzrp<4fVwo5X#CoMrRM=HmsdT)O&jI*O^U_w}}_Eo2)=drwcnfLS3HH{TZ9 zu4jk}cooc;#2TfJ33{nc=t@Sf&d8^Oa_Ea5grp_vjpablyp1`F!qKyHm1t zwg@0j+JdEEbq!@NAD?$y*ZDdprmAJK@#fG!i`RUf-X|tr`?ue{lwXfNJv3Xf8}{|y{-a8Hh6ehPS_!-@(Oh?jt1O* zycneBv3}^Z7g#k_tf2Z&ev5|rR(Mc(x@2x`fci}<;3lVG5u1HI|nkTSaQ6&v5VIu5W*=(ySuQPKPdbJxy>fc;kT<^7-#o!!p9v z^{1I{bfA}BQ!2AqeMDI>y%PdVgkekX)TG&M?|$2DTFA;m?;FA%V&iK!^j7m`^v$-p zPd{H<3Z<+SQDPu@4G_lsouyw6d!`p-Kyfo1O8jVDCGHSbPZHGDri7d4KKAmxLe2S} z?~i+|y`}3}k77G{#Fn1>0tk39wB&5hN?a>F5S+dEN@S1^S_gmmH#^S8O2F&Z=K5C5+x z{x&h*?sq)vj5)Hu0`k?;OfayISJlN;v$obe(A#dSu?p+L=IO*l&)Z{-!G;|o^IDKK zT7NzSrbexco0W-1v!9`2sZ(UKi+RlrFA0PS9qXo#IfbS(FayOm2rCJvPgWUfVUiQ& zOc|RqK?g^@)rW6DJ-Q7@ew_P}B3MG&8Kk`L8p|SPZ;}sB?V~@mrNrl;(@I|4A%<|G z`{}qUO#*Tc)`Sq@f8@{Nc0ip2m3hY!EMgP$>krc^*LN>obgOV?(kn_$R2E%$9PuwU z)ikt`#FoMQF}0HMA5(utwXX`9Z z(2emo8=oU}zm8b0do%cw9omtZp&+Wdi`5vH`}A2|3z-?e3i0oe)?PD%Ei)=SE(oje zV|vFOj^u!kjFusO0~&wqK(P3q9Spt!hc&{GEHZ-EvW`>A2&WPv7J?cGLZOI9%8wh+ zG9rekTT}w|^Ba7fA^q<`lFZ^c&azOWETO+ zyW8-ny+`x`Jqa6h`rKs2EJ?x<1Bn6ZCp&JVJ!!Zuro zyT4vk`AoaZGp@3xO_*NDntWL}h2X2=sD8$Y&$4mhPHQygPLqx>E-fa~MH@ntppQm~ zK=LO^feB-lWj8zlAFs7$bc{6u|C_6Dq;-n9c&f)|m2*^&cq$*`J!avyk3|hBVt1b2 zqnZ~hOoiP(Fl&K=Qg5b&ymk&A~aSMyzi+qk*aK(ckCONVpyYZWO+`D7KM(!yQ4$CPodULQ^8CS<3k={`uX%YS%98&O+UfAp z+-+VDHdjYsL60=lesxs}CSgV_O+i#@9JW}40CrrSCOJL|sG#L2<}HTz_qZ+CFIlJn 
z5Bh%ZPFVE{ti6d|LLXOmoH9uWosPqX6g)&WB^Sz-Qz_?~Frai;0xFmi7w8ZcvacO^ z?Kix{W}6hy0r&^;E!eMQ>ltSQ0NfoIXAjm6+}4+Af7sz?9(O+oL!1dko=~1Yd4ZTP zj_7Q9^QgcEz+dShGjqQNd#dXI{F7|$o9!Z*xvzOAinFt;vnBXCEeN63>wUd~N8*gD z4|B`)N^n>R`-Uk4h~+k|DR5rZ9_=+`kgwVcl?wOOTY5%1zWSYcdK#rN_nl%Q|G0j@j+!y5p-a0n{6u86s7) z-{>-usC#%YraV#hQD#WQ#68eh1t!dU`=M=~By93PM@)7QSytGR*aRZvn&lR4GUaW9 zRI8!kD#tW0{%hszEbJGM3CmaM&?Th8^vBF276*DNOyKqDt;FT(s>eIUY^ z(XkXYG@GG}@V~-ozGnPGrq0cn<<_`9{Yz{JBdE)tf$G?8H%T`e6WCePA}SSv(>uyl zWf|XNt1o`;T_0}vEs8NuF$fEA*yT=T*|GcP0Coyf6Qox3GK$O~=uuHM$bYrR7KI%u z2Ot-8zpENymCryi=vA?pweCyqX?$tobEcLh+<}H8{ZcxYL!~noAr(`sTv|Y&kpyz$ z4*!9EY6_&7N+_UX^j~{Y=dKWI>sXSj{@)>El|372>NDWx-#~H^vh(6QLVhbI`K_9?C6*G{C z`-LwYrLAQ^^e#A7t#M`N2veoD6a3KeMX(4Gm>{G#>=yQ zIoHOmnY?*97Wu7QffF3Lpp{ra<8UXJ5gn{H(Uby>y*ysu4S~d%DiU?P2gLkuD3PMS zm54nUBNJ=?(qE>p-dkzw?Ie`30bW?NnMw zGr4`?a=V0H69vs8w37Jw#hQ9|j81LQgiCvE0J5- zdXM5Aj#SLAQ2mUQHuImMm{y#xP5T|`FIO7WSSKx z2{8ZDK%|Qk`D!2@IL>}G5R*X(Q$?&atPVGwT?nb_UFS0mLB!L8#bU*#> zm<|3S8p%Q4F&jEqXFgDM;CYZ)4*QzvxY@e4TG3dakNE& z+X1KB0599qOVZi(Q18s%#SoIuHz+VxsYcX_VdeepfCRmr_CrfXlW!7(UuvvHl(QZ_ zDUCTah(nZdik^sQVjh}!Ob83x7lPjTUrQC4ze6Equ MOGp6r%I1w9l_Q>wzG0fu zRJR53H?sBnG@lgVhJ}jzKv@v#gBlxkFrU(mw;@}=+Bf#NRwU%FT9=TyKgJ%qc^( z*S#;t7luu6{0RkO2^k}kTCv^8ma%1zlaA?jD}n5Mw3Mr7#+~Eq4!-5&)PZi&UW*Bm_55xDz3S|;1Sj2FX#O2!cta@EwoE5+j| zdk7S2$@x{jZUc=Q|D%i$NA;h{A6_Y@uX88b-YY3dsMV z)a@tj^}XmHia6Ei;D(jo&4#dOn5ktN76wneZbLEFz+81=tefu?=%nIubIA~CQUr9W zy4<-Bhl_W+IBo*EBgnZ+1&>SO_~!J;#zRqM0$k`%0URX!cv#%0M$W#)px$pNCU zA?=m0EON0;n|l;HGeVy7yEAq(;y&X$Or_|{Oo2x{t2N8v+DIZl-fw9%%UfzDsu`( zG$R!fOh5&YzJK-9!-_85*N$XS_U^Y$vhS+l>)o%DT3qzLuDS^~>lyK>yWcOZ0X57e z&I^^YSh9Q%0dSPg_#|y&Ru<4dH6m&oOM55uTQsbX`Y%g^G&Nxty4q_@Np&1FD+gq> zFKHmkwDP^}8L;mxDbA_*2WQ;c+b*#@Pm2O}%Yajp@AW_U*IinzaZ)JnJf2-`Roa#A zw3JTcTS^o;#e|~d5=-!(j2j2pr#l|SIp*e|eu6#FLwRtu(~qcYiNrW?Q5{s%ui0Qg zaXEuBmN$#0Fyq9AE>x3QfLE;oKSCrI!fO;2i=voDq3|=tVD~uVA$%J?E!+^S6@ihQ z_UWmr8pL^t0XXIZD)@u|ea&pSfA)?J4c10@qP29g@V}_}S7!n+qpJAzoMZ~QPQ^lexdf(RVuJYQ%? 
zfhG2~+4Jk2K#Z?1pN%$)E_6ppgc?Vk7wNC*0=SIb&|=G8DlJ(k>eF~EZ9_j_y{F|C z{u0Ls!$Y>z4}`hWyDw`VKK+i-X%W&qJn@F}xRJ1tKV$2F4y^l3?d&+?$nQHxa;eND zX5h?q2Z^|c)Sy~ZZpjexK*hgO4q#s0C-5UlUP1_qJQOL7U?>5Gv@}#6N4%oYqXLmc z><8%I3_Fsb)2zC0kio0b+31Zutg1zoK{J)99~5%5UL!!twYZY72%YjlS_h9&HBR>V zs<{8%G40VwqtosF;6g^V_e4CuoX-61WCw$|;AHA%`yhKvQ+uqEkukUZ%0jI}Ybi45 zHgKp{iUaP7J`mWnG-AMFAzHG(V7hbT**ax+4u8|5g;NEpX7=#JIqD?DVv>x0`T6Q0 zkl+e-jljC)*ICGh{L(p0#M~o^_Q~mK*7eIHb-iwshb3G}wB~+umypf-p!;P2leXqORM4S$2@(V6*Xso|Kds`lT z3+n#)mcU92wkJ9J6KUvyp6ZeT+{~Kub>Ugtt^5W4W6Y&39^CS+mv`I9=e3g$MMCIU zGgu+&T7H73;J5kBw__(a-lFHFVXeliSUwZwlXC0LogaV>GeH3nReARWlKBYx3=s&D zw-CY>FZuolM2G6BMsZ1^r2Mp;|2!>ldr%l14yu`}&(5KT?|b0(MFUHpoz@~?(s{)- z-Rtn7PXmjQiq9sWNr-N+x}z7)9Ce0%ugCXpCyJ{DuFJPba~os)%>#=(FNL|o4v+ha zjVMl^x7B>lUt@bJ1c5aXy|3Jt)1onp=PznTIjz5|aLyV0c#Co(f!H@*W(8i`vaR_5 zCI*|#8r(Z|DB5D2hv*(h4+cV><79?`Z&ueG9sGCI{So0^oWC8=?`Wf24&QqFd|YKJ zeH5kdvK8{holDv};}9ILH>g3hsQ5dX;ulHvL?%zse z&fYCK)E&SXmm=g(^3g(rIMEu*}e{&O5WY@swONM4!ew)>SQR5==qtK z4P8B+Fzpr~NPHB!G?t;sk@UM<6VP8PB7bxkQ45Bw1Ym!x38LCOIlA^i`QQmZI7QBm z`oT+ZKNrhvd55*N`5zK&8=U~wd@s#Iop0%gsd#iA@9WHm`}#P&0|iZxI=-ze8K_fa zj(!&M{Q9Y8s2m};C@1E z19FX@;V%1aeAf4|wAvM339dfs>-)no&-V8xAL!4=4J+JLcbcl_Vcw4?!>W_OKZ9m# z?vCf^ljOST23l&pyUP>%9JHI;>}>Wjlc9}Qq%^pje@xbsFt>5`HU-tlmudUBaeH}4 z^`2yx?-FtpgcLuV-mhA%O4)S}<~v|{@NwXEbav`Cx^Ldy;azkbCADvqT-=_cWQKj* zox^pec~A6xINgjfEb*nX904l_aeFo;gkjU>@`1S6<4(@tJ7}Ld`>Ihp?Zp(|tkJvk zma@u_Cw?`*zuf-)8F}UF1nzL(9enhG+?{F)HD=<}YT+D0z&UR^S0)i6T6sPzFVxW= zV+4tWV>h%I5`LE7%WSC@PQaPyFW<)1<|VTzoRle@hw^NAh+Jt-E&^H5oV8r!`Ff{N zk2oM5pQKC3YeS_AFcPEiYV{(=e_~E|*X^9o?VFEZ2J%Hsb(;#pje31(e$h~iwg#AX}uE_wTW)U95Jxv+<5Xl7oJri}^z zwq}oGDZAl+y^R=YkzGDq!m603wp2`iSOHOS*5YoP&B6&l+PX%;sV`{;iAYydergvT znsT}$ZZ4uteeWnAdRKeo-0mA&-zxRhCaXXm11yyVHOwVe3$5TYfD{2F77hAX-=R_0x z0}ZTb{iU*O0Xzi<&|5_Mh#2b|BwwhIL!}WIj=8ZA2Nh@KQtsq&Eqt zeM_YiRR)J6>lX(n$=L-1ZQ>>v@2t=j)Pp|T;mjod`fBSb{{Ip6&Czv!&)1C`+qP}n zwrw6Y$m2Scb@Nh!**r<-cdMGhzfAazC*_YP)EolTZ-zri 
zo{)w@(P=;siln60FfAyz0r{7Q=&{pOWvGozeeL|$!itE+SwvXcVwRE=FC-=@c)KSn zz-%x@;#IHGAw5$VLGpk}YJHHW!YGZCxSSjY-SjD)Vw(MpHFa^&o)?g0gQz|FLXsRm zU|TcHVKH7{HiW|WQoKMI4x7aDHT>zo3@V zyI0_c&_*80=x+77iutmj`$Ya`jaHxmo8OWT`(S4EIk0cNydV(X#HAW!j}P%~49-Jn z&#_#!RgoEchxHs3``c$KSUECD)I-62q{)0-Q0im z69|wX;_Ru%s;^^^IfDE>ay?#X52zGSP4Fnv)Z|+o$wO3WI+%7LQcq%nIe4WJp+<`iDV5+#gkamKbyoo?aEXI^q0 zBAvj81@T?#*8zV5%469v{5WmS1mJ(cMc&j-o9kGK_}!K*zK!YmdY5N>+Vg|H%O-g( z>RFwKJ16%obUL`GUYGd9QE-Z96nFA<2XW-a(VIe2^lMm=o%iBL3c_Y^w!PGmT;y1*W_jBBo|n<; zPe;2HokqhSg)@}BP6!ILwhKq4oa*{$(B#Le**=|%qNWSE@;`!EQVtDEktO-bzehEV z{wk0Z-(&+fnb)4=uX+$Tygd3ll)B5Fv^>21AZhDfn=V<`j<< zgY^TE#x6zhgVYkD5@M2MGZ2Q)Nd^YkVaOwwMnj(IjQdt9@h@x5ElDaBVpCP_o%caa z)hVLbZZDV3PVT=uK@j6{NHin>*wRdxb8M+Jo$ zZ?s#R^L%gL-CmiS-kr}ER^@OR36?((-@2aDwifWn2}H*j&SygyBwjD+O@7$@>3(l9 zKcl9ZasYdC_;$oS_RbDBpGt%R{_spwr^NZlDfqnV4q2CSq0@Dqq;NSx5Y{ROYEyRa z3|$DeZ_C47II_)!VnV&G-|IlDz9soCsFA@Um1;Bxs4wVJ*&iW}YUKN5G=CO#tWH60QhY4^u*J!F>Oy#p zTFz;;Krh~w3B=M(fE{PMi&CYtNFcV~rMuqIqWQj9`quS8{c!a=KS)V%?aG;!NPB#D z5C$QUq#X@$F7~A>hFZ7<>uZv1*x31_T5m*e>wMR6dlm2|fCC4e-9UC(z+vWoJqZkf zZC$lKpb&g%;A`a0y5gkusSZ)?`^-t}uH|4`aM58=QQ!4ixu@t48MTL#Yb;LrSq7Zg z5K#V9GExkP7(5gqDB|SrNJi>P@!sJDPKfk?%G&?HoKc)qD#@feKQQl;gxDc7KTveZ z3=^piZdkJ>eiBw0ca_s@J$Y?!4c3(N+tS9D%Uqo?lb2bG77QlT%`cR&U_Si!J?&U&S+x&wo*&~4Dz+T&7#{p!* z_4MY=?gy1@S%W>GOG*1AEf}$Ch=!K^#1vgq+e4OlvZqi{MbEclw{2gu3q3vXamecM zQ?tl}z|$Q|e*ks2!ZZ2P!v;3X;4=`_E--RB5%bi&keGM^aR^@p zc?d-jhV7h$Rt(=-)W2Os$rCG*4+N={9$z#bRo5l;*lsqIWhZ*pR!@rmS%C3>+?~SYzW`6+T*o<)%W?zYTWUGAuuajJqeopS7nXk|H zSbK)P+5UQPUMOB>gZ0%^I>)xm)HfzLPqW#18^0T3AX+Eh;eh)Jgg0X{2 zff&0%VZo526k=Y}abB6XyY)NEK={XADngscF+TI6Z)|vWm#>QV?e+E)`1MVTc5bwm z^!wwItMqlck2E8;=PybnVM`O!Z}%IcCySKfwe3u^XRoK8QK2t3?U1I>R(#ZGu;ngb zERtqDUz>rbL;ctM%jc;KJs)}MZ+v0@@aQ162>JM65Cir^u^BvJ_9Ox7$9cK9evCmM z1*U%(*N;d-l4ep38=Uu1MRUkN`X#&h=~?4>pBoX}X(cQ6M&C(E#xTdV@MKDZ!KY}D%26SPFLM8Y`UcrGGh`S zvfs5ObqqSK+a#NGtbLLheV0szF);JJLahOFwjXnStSY-|9cHxjy1Q+cpD+8s>#NuP 
zC;2fi-I2wl^XPdmud_nz1afh|`yQM7N{Q=3x@ju&*foSI!#^|fCkW-R$?b~?hv_8D zMCfzbpx_Ka_`xRyh}aT|Xw*_s)-cR{PsIMYC?+w9LxD*Zd-%&m`A!)ev9AkP)-Ajd z$4lah&q3$V`P}X$fh))?JnhRF1ZYiTjr=nnn%MJRBn(B_MaaE;+W1kp^U(T|M-aaM zEtF&6*RJhXjgTs*z)o>b@6N@Qd*YtosgCq|2Qdc-5h8D{% z4L=+fEl=etalX2i?F09Bb0V>D1OG1U021(p)tm(?63-|CQWhej`mI8IZ4ZTV4XBJ+zpqAHa zyKJ$Qki~R2sqmSWQ|?3^1b!)1O%G}h2e!V`mBYNeKjc(A!G>Wycjcj8d4tCg{s}?9 zV@`L>TkV5~3_d%#`rev(Gqd)&-J_4e=5yi4WqQ5k7Rl_7Fbb%o6jkJuwtNWh2@1#z zxJ2y){OROrORG;YgtIH*|5^6oaf~7C;PmUuvh7c&RuLZ0s+yP7^){Z3@z}hht)IRX z5=r$#%q>|N1hZ>2spnLO>Z&f@Zu6UUAtBCO9HeA-F;e%-S#1w+mpcGQ*;1LZYPn6$ z+hcX};T-2J%i-x~_3MkjGMv2+f1{-T)S>2g=*6^l26!(s1AnLdW6(!}wR5>f1vLun z;Z$lE8l_OW0#ZQBjjdalyaJN3gse<25w&Z~sw!Ld0@C02E)2e%New%&kZ!@ay0Kj} zmu|7)4oEDan?mI(mbvFg>9g%JiLX4u=TH`4tu%aQ3C=5MZxnAS{H>FexLY_vb5N)1 zX_j#y9h@|A{lx8AdP7>FD9yay!VS}A(4u0>N3TMOAunmC_|@zcD}>|F|Eo(<4B?I88YZb#Rs8KB_uX8I zL99A2coldp_`Am;6E2*?jnqc1`SbT}3XA6h%QDVj?LP8;#kwEK&w>xzv+sznsJfv^ z(SrbOt&xXfyUjGtNnu>WMQIO6w+F|rPeUI$T-!feX%nzUW+xR>c}I3X^gtxuwG6YF zsCO%og(?jE@c7ibmFls?e2vf~;{(kTLD}@xiLCh0{Slb|@s#hFSRQdQq4?{33nYF~ ze6HEXlR9XLA_|Ib*RSyaP0Wdx3_4^m)k2&*8ue60y#*x^{j8LU^D-CIfB;Z}tE%jj zT0y?n)T3CRUn0%A%YwP8#nC-5UafFHtU6>Q}c~C759U~07wCuWWMxGH? 
zUC(Uxvo@*p=se^~XM*;N>9VATr>5}Ac@1it#f=Utdlf(u29Y1dsNL`W<0yqS8DVTf z=*Fj1Uz2jr9H$X8qc!_{glXr34d(Au`WMSeye$9Fj{ps?YG4!BL5&sk-AqOpXo@-@f zOc_8`$OQ*B;bTQrC?;q@ZnuPYv*yo_R7$JQC;v#ml6mh5uA+3e#*(oG!=CAy^&MJY zm`9H3tw|3b6n_a0oVc~~fke3(fIshY{M8K&W=3BOkJ!d!V4qkdu0GC1HQE_l%qNc^ z*{_fp&=OWlAYKjwJQo7+x3b`fH#h1#mJsrVfqlNpxRC4P*Y(zt$1O<)^zH7Q)v|20 zW<*){@L3(chL^0qJQYQJ{=omvW|i7!|~56#4_HWSt0ta*Kb5D?Gw?`4p)@A^4KW5Z|LqM;k0K7{Xw+Cm<>te}rtzM?@@33u>q4Jg+T1 z*ae61Ja=@IVn|}0E$Uw7rLnAIE?%W1<6!ys0^rbQW3DB_!TcwB4!?sn(|ja>gY{?I z@}0rKh$)C8V(pQUK}05xDH17CDa{SVLP@3@XsFd7Bf)(8>!p4b+HD`#N?V^Y09vaK z8MbcEQ_Fm#Ajn?z`zfejEvnk&=@O)R_v@5-fa=+>#J26l z-5h2@+Z}Qmy6zUgK#u2I?>tT4*oG8ni(;ThdbseUvMI|6;$X(m?VONoaiVgVd77lb zWd*dT9$yCqJwDN~$)GKy<<|uJFJ?_GeDzC6qej!?aH8!7ZV|wui}Gs_h1dm_%fktg zZ4prr^_WYYXG1Uy{_Ec1pAVu z!FmJg>Tw|981}T%S#nv8V+(T}kOzNhvxkmU_XaW9?pHbK8f&EabjMqp3p#ed5KNtm zN~r&aNSJ<-NFhfg5<$WsJ{W#DmJ8BVZxa!4c;{aPow^i8i8_oO`0^*dPN3zl+`dDL=b#1Ho>lF5_vkGtEG zi=S*Gk1c{A7r97vejNbXva`2$yW5e*?evsnS~Cc`=v{)Ewjr?9KgU#0hu#FmJ83+W ztH>Q=b5iJL67y?cu=dj}NmoZ{tz)Z%byKuB)#GY6-Xh(1?FNIO#QYwTwJ-Vth{dM< zkQ1T)bO(JOS>`?>d5@ZJr{SxR!1#R^4OKq~IEt{pmW_`-PmLN~AqVA_D{qD(1l7Oa z@*jk3wuRdx4-u-q40a1Y4O#q>83adtyQN)bM<|d#xQ#lp_^m<_G%PAyqpUX?L^p&C@!;?!&IST9@yF6EUlHZ@pfk~zrWqatm& z_b&AC;}LjN+m}Ga>)wcb-L*!s#$hqYL9J5=__#$N#l+q44{mpDc7C$g9!f2C6rweNVi#4k@inJ3~QGDT3H{fY#{av9zA zY76sB<3^c!kZ@4*5HLdZ??Fc4KcZgYrNj~11%gfLi~e7M$R~r zcx1ergU{uU!kFrp-O({YukYYy!{KMj)?Ax-56fJn^%sRtbt3QlLFZ&QHxZzsh0dqW zIK&fuoDcNZ_3ZDtQzr9WT5C&VmOG&?_BGNfZ%ro3s@7<5lu<#2Z#+OyMHkslsTy|~ zoV|eJh{G|5d?8*0i2CqE%cB7#)a3C}!(+F{g-|p)vaFYOKJ;cmS$^oxPFP?x^U-dH zo>($!ZvoCA@~l_4@g0tPOwG%9ntW&qhMFv&w)^X6y70YVMG9ZJ-RG*hsP68$dN0?n zc}5R$m9Zv3pZ(%gmRIy~VA$+${gJy$%vKBxptot_?(cS_^=O!__2ZuAo!X?$Vxu5d zOc#yItrErflEmKWYV?9C1?{7KxDYo<$7;cR-783*+Tl$Q#(~dV5xm4lPIsqtfT9Yu>W4wOX~h}46F$wWtsGA`SOeG3Cj>x1TiV4H#|qdXxmIb*+GkNP zU)<4nqY?OACK-W#F$y^XyMXV~)nmqJp-ZW@d6p5%*Lih@_8w2XxYxDg3jivi5Vetz)|PxkNvTq?q^JwU=}K5b+I|h`{{qn0 
zwPZQh>yaAHI7S1At>gA$|D201tpTY9+%vbFZBPSXXwZyX#f7aPg{PDEow0?4W2WAtOG-d9?4slF~1RBd};sj`y=k#enE6SllLvi^MjoyEJN zXjY$-L`}dn58T;_n>*uqyX|yOb0EJg)=Ut?6Di-|n*-};2uxw1R!*XGV^$77!e{nJ zn<>b>Bv-~Y*=nr%ijC*vL&b(X#`_VC?+eYuEQKe_jzX60EQ!+*bYBim3MZlQ@+|jj zPJ#y2JcqS^J|Tjr(*ZmD&*%#0<$i8Xv1xE(5JKPEw`aZ2Q;q_KkJfe>KxZig7qxlHpa%tj6e zxvg*iAFyl=v@!l)fX!%0Grrg!`?_}Fs@d%^Rgk`s=X8kqXBenPM8~s2hlD=g?N=uT zTrI-jSvZ}5jthhl1@Dycq-+V494`Tt$$SfjHQsT0`#|l+rEylX&+NybTI=$+g##-L zy~a$=6eiWxP;Ic6@hJTRg$kW|`5hMuxhG+Y9Q!W7*4@$axQUWBRGSRubVMB>$HrbzVrb(L zPn#Acn1Tc^7u@N)BIlWR+6=K+=6vec_;%+`)=yP!FqEt+7baA2bIp=Sq$~o#!e&X?yf$zBV^oOeo__uJP+QVEzM~=F%=eAyre9LzYxKtk~%~@vd?*uiK(I8e5fzgSYF1iVaLul(LoyRnJ!~wp>F`aHWi=lR8EH9*hJ}y3(LzHd%Ao z*H^}E)fy)HV)X6is!DjErdOc0-!2R!u^=k;1E8kr#` zn9nbW33$1E28u0tIRP&S9=g4@wGq{o+tJg*;00IoB{9JlW&d@nu!~1#lbriC!cHL+ zYvQag{$;Bte*)0|+1jZi0rq8UZdKasxo_uUD7LHCW1nt2TQ>6DLfcst$BZS&U=_~( zd(kZqcLfF2VvQ~{19G#?<$enr7H<9i{jIpuuA>HVmWs{o?8m#|XKIFf)}-is`ZSye z;|Pt#BRB=fCW^J`A`Oit^yUw$e(4b)sbBKfn?RuCpFEdC!0}pscd(Dn6<@1p^u5ZL z|KPpbXc_XrSE^b{j&Bq&=)W7Zl(>>b=tF0Pw6g%N@qTv%OJn}u+l%P{zkSgSepnpg zfj|G0?Fna5nlGP6=w}-*)?-Ge)ARJ^t&!8~;=S?S6Fu)|heCMqVoIX)>cgqA$LAm# zP;IZL*EKj=9WXD}|9qW1$q$b!Y7i6Fe`DCnOTN3y?(H3KiXA_E*Z!$i7{;nOUPuTSMz+mx7?3BVpi&tG63ayzqDL{yC53Q5vNR357u)xj7JR(40&e#WDMyDi z#pk|Wi*_U2m9MZb+M!-}%d>~5Sw3EpQ#{)nm723;A}@6;p4MiFh&dHxo7|k`zV(y7 z!}irNr0K>Cg8D=w{?O^UZ21VtOyYh%DCX$~Ur+SQ{tePnYJFaNvRr9z#}+-13tX-G zfy`MKE@HD2o@F{_HdPjUua=Z1jo%naUB+=WnL|e;TTx@y(nd^IvGMmS-G_2pa$D_%utT(8u#(ONm$clO{)xJqXccep!pSb7RD8A$EV z%_>(opdr=%r-5+_pcBz@#%>T2Ck{DH<<8>0;xv}R%Om6N^UFFb9}6~ z-xmn+LAPh*qY+`>=zV|5G!Pa|p4OM2%8@L{OWKPQgSG_+r}*F$v-I@Q_I?NUXtS11 zEP&9dHKIG~G%R~_OW*4dT)E zwNot~(utz>VQHUjed#xenS8wvQt`?+Gq^mWSb$tNtgky)j(cOGvw|Ro zJ`bvYASK8r`MGq`o z)gJqcV^@Bj@@$z)a<*+H>Lxm!X_g&b+{o@T=~%NcnzEkFm%uuY@JClhGf~n9%aaJA zlA7PjBQvxZtYH(TPXNiKACFZE(jW0b2V*Sd`|E-+HeM0r%<*FThAr0JN+YF~N=&2j z2MD){%T9VGQMYebk=%}b?%|kC_AwJrxXR3P7AFtF?SR<9%{wRzBSe*!Si2BO?xz~#PS$8h(%8OiW|la# 
z4f*~pdN?+Zz+Bn^h@gKQwL>0!jbvh}52i^8jhJ$q&zC}F&@bRCpKk9Prq;pE76wF~ zf-S4xi1LqXT=#~S+sjte|8dQoSaY=KH4X(=FyUgk#ZaXuiSk%B0CMmJj?tKXWkRXk zGVhiC=rBL1TZ=NP$plb_y0-!F4}R<*%GXv>t=RUrnD?nvDJcl#QXL9+I)$={;K3yz zLfvA8h0SO~Dli*&kj5+l|Gyk$+aI#*t#gyEM0vA4kMC8F-n`utTAvSu(`uSE<=J&1%%~U~=BBO)R}jxm^SeG|o5#W!4;}w<=N*AHwK& ziq%o9{TY1YB516iXYV5VO~=gtOtpMWuMsw&18Ci{LbSr0BRWljNmcax&lkhr!G83y55jJhd*a5)A^O+wk_s`+e z5mmy(hj|?A0}%JEQ{br1@3e4d|LwH*M|8AseeHZ_TOjrz5o~0{1UqDW zf7W-R<$IXp@PoAkE2gZAO>R{Sgv}9#gbSw7G#28I`hi#=ZRaR5{j+N)F|)+sDRX{p1#pk$ zzUb+=_qITvMBIXydqeTytKMZX1!V__2 zt2DImGa^Ut$vx_7xTQ#I%kCCiGdoCO&9qOAQ{9VT?40*iNqWM5D*bF3;W&1YB{UpS7CoHNsvJ86zg zrckWYK;7vAbhj(RZqngns0TDb{Be*7A>8Tx>w;0Z2o}-IH&irIeP6S9ThOH1v$^zX%%?If9$M6m-m4Ba2hl@50M>m1)jPSn)6$CuWqSXr#Nh>DQ8_u`_`dyGEq)7Do%S<^PE% z#Kp~(nIZyzW-biHnb`|&ctnGDJ)WCCO&d7f`=ulNQ}IdsCbb zCROYqa(_pOXOvFNUlxib!$Yf)08(oywI4^$OE2q@ovl|gsmsOkEy>F^2m1d>p4>zf zhlGius5bRaocOj_i<1i~VxnUC$OZ~rWb0z&UA-P-eO)Sef<}ZSHOa_u`;;5>Y}I9+l2jqG7j62rT3~B0QS-%R4igdp|++4?OY9*xM#Eo0c z2SSkVFx0GQXC(D*aP6W$>raR&0*~M%tA!Zkp3(-mcB!Bxu{k(DdiQw$E(++=sptn` z-LQ8h3J>gujyTHQ$(aD2s=vhNi{1W`2(&h3?oq)#o;f^QXLuRRFV!-h+)FQPtk{OZ zK!MI`WF_;_6zGSpL>#pW9Nsn30G1A(TY1~ppXVr{UOIJp#x9Q19=l5@?5EYZn=M3~8?ekJmEc(M#PrUkXO!aL8hxLcjYfjZ@*fp$$ zXY??n&iBFzcrYg!%8XnEIJla0L?qH!l`tRpN%0aevqu3sCm5z5db21j=jDaIs5f~N zG0Su8s*qVjklNx6wxs`@{Vmfc~w$>XJuQlguZ?zw9aMH&AJZ z&Luf5`XV?V!*~2w!s*WcXUv?l*13-29H6dtORUA|f$Qv#ZKh4SMq7+&c*id9r7VD_ zpir-V{<~R)isJ9HX!JV3WE1qNd@=?3TqMySsJ@|I{}8ve8g(RUg7~iWg}A5AShS=0 zWyq_hnHRKOLI8RclpHg^KS+~v&;C2wauTN-P3Wdl-7#n(2^_Oc&K3|B4T;I; zLokJ>Q0tlDLIo^(kU|8k)A}d2nu&N5DO1Mnof@v(v}O{@)m%)ux6T2vH%7|gu~j_v z%a+#_LnvJYfh#U>W6Zv#i4a>H$^=1VzlZ{NRi?S#?=}UwfONR2j`c>`(#bBoE56{Z z5xl8Y|CgnsY@5sxIHtGooKc3(n|Kfn%bMOfQr)Xa(k}!bzTSQucdn_q>0a2%u6!Y+ ztzUQznH?M$M*bKRJ`P0C4$V+Wh<=|T&LZX;R#$Jo_CE?worzh#>BnzzgL}@Z!zHzN?7%H$>MxeDt(VzzJY={G(T@|IP+N6g1AMdnz z&+6m?P9C~6OL$do5JGbwdGTF2BEh1gIdYZ{$9el7qY5saNBXm;I~hin@p^>X11idf`n!+VOA$t}Qv~+F_bKF} z1w+BZGio5omq1!SiqqXA{o}jrOb7WS;|XTU1M|`$=o%px@$uow~!a4?UvN 
zg-C!*thS(OqH^>s>o01W9>14PAl={x)f#$__AGKsFu~~T7Iq(RziNT_WB((B>sLTh zs1*wqlP1&d&{i(+W0>mX{e5Osbytna`Ut^RvNSk?2L6=rbU&kX9`j8~!zpho9(jZyU%9&J3$!c*KH_C7 zMz?J+GZfGvM8XPq7!3O^#I(^$r>60P=!t6iv2a_Cm?RZ`|Cd7>y=b3^Y82FomsO%z zRBO5Nj^?eZ@OFrqVyBZdLC~j=s9T-19$#9r3PoJ{r#(0wrdr8KgxY3b`5i*2KrwoQ z1NE)(#tvBo(e(ZT`R{y>vPP2Cs)y!B?bpRiwPzmD5kbJB5H&_2Xp<1}NP&E4!A!7_ z$Vz(;M2--O^8cu;mxPO)Fj1J>s&S>k=<3)PDU8DkyJBR0+iW9q$8HQeuob_sc#H{S zOUbl)N+xtM?tvKWsE*{RmVG^{xKgAoaD10`@a#wP)BE+}UK40G)dMy`;g0d7lXGZ{ zo@Fu8e3W!SdAYPepb5jU0`C>?C4)04rp0lph5h}bs*zzFcW<(_GWzh8{zpRrj&_BC zO2ZT^b7T^Y6nvEKJUjA<17T#Fli_-Ns<6wiv4Tm$$E0MI+S`Pi1f*PO?^6I8#07xt zsI&t~{aD5fVS8t7&;5xlF!Mw#(VJ_xB*uZscxZ&{dZ_r1zZIMU|NEONNop~aGv%v|Ig7Z zuJs%y$PUbLus7#)v5F|%sVP9+r>I(eI@cdI__pghAUHm4wkub-%IVvKT0WyXT+U-u+jzJR@ca#w#df2(GJxDg~TufTIS*l+z(2oS14qIDGqf^#1an7Q6=K^EJ z=wss*_Lm*#aGkleV{(gE5qtEwWSftm8V*#8_NQu0f~U5!(yepoBo{xofW&|ukrQdy zMk`pT167;ni2|Q%=lYVy)xt(g^~jWEq3Hd{CBP$N;+5lT>m}wb_Xk;%X(3actIc84 zU}WL~ZS;StyEE!8unOD~muH%&|4xEVv4R9*PG_o~LEhe~`Q0vHrENW{Pk<)y?CyPs zkK#CUaGBm@Os#cP8Bxb7&{>uB9y}y#YJS#Sj{pf14e_mj5(tc_s6v1kd-P%5ze1ou z1E>cVrO75mTJGVvt!TG5vvbk$(}A+05a+xws>WvX8rRzIMYYW@Hv+T3LQy}$`7+b~ z!d|#>!|T%>2ByLLSNWoy2qnhjPsLs89F@~UFWA9Zj~tux`L;ch#TcP6tptB;or*)c z&jc}%M@u=31@*y36~FJkvsD?7ka`>^2^Rev_uA`Ix!9=g9~SzYXE_U({40HZj7=!H zbOmcs1r93qWpblE%hnC%=EVT4b_H}zY3|MIZdi6Xy>j_Fd95HA#AJ#+EEFSLq{Or{ zer>|jctTq}2zRQ>& zOTW1QjQcax*1L_j@nB*CwJcoVil$dbTQC<5u0uDMx!;O zawax)X2tf~%G@o1iknrjQ<$qt5-EtxnXin;PW-*(f9~eeVWsGUwtRA?_>Yy*4gax# zoWUb9Gr{mxc!czB|9aM3K`WSt8P|fHb`(@`xg>aGLSn7{NrbqBp}(0-j-nQ!CO}x6 zc(-++X_dKK$$6^YU)p2I(KeN85l+Ooh*fdflaMRQQccVlwq@7zTy~;%s(S=<*q-Vg`dMQ|a<--P#=&%Vw z5;J{YB`vYHQVi1tRJ=VvA%iEuzI z!?2u?F~*QxZYL)zc|b3g-9NL+VRu7j)7W=9;WNQbQSJM`ma6;d;CkEDjq3-+z4tvd z8}Ej<#YV$2r5{gJLg95YrbcjZx|(oZFH~HxMs2E^8ZL7s94og8KHH_tC3%>$5o*N8P89FjDqmvGrtfvvWC! 
zI4-YH$!jow*}Ko!`}_RP#J=qdc-QEV!{_)(tArkLLnVhZUj5XrQci*|QgsLHs|Yih z6)vdtrHbCKkKsSr7DGy6ocN?1P)kLyW)i7NThu&wUM3cleQ3ShZ|&QwqU`b|z1#9z zNLVaL!ep-1O4a!}CEN*3gTk4Snz1H+Ym2~%RuD+a{`7sK+LT{d64Iv-+iIn+(0|q_5LkZ&@Xq81z~=W!L6vfeE--#J z2tfe1zEtu>jQBpcdAIYT==y2Vv?pUiGi){Fbe9|p5%eyh)ki^ddA`1Ana`Ze(XI0| zokJ4GHZGToL3!tRO>(4&Z7jevTJj)qB`4Pp6Ivt+h$2en_p98EPJPs1T zTD(0h&wi{Q%@I^Jz&Hj*WoVdnt;oJ~78Pnj;E%ViBT*4-dp{nQ8-LYLzL~bo7ZzNc zfYOH^*ksg7J1d+{hf~prWt_xk&=$!K6gaC#$==Mp;5Ie?>SRa)y7?}6)!HYvt{cGm zF03{zmuefDib9wX*|7@H(+ihv4wm*%eZ0k_4nrn|=C?rwwT-#$hBYOC558&FQ7xE( zzx*STwr%GUJ zHDe~YNGr*ZGr0K+A;#`R%~ax$%g<|wrpEMggyr>8z@-TR;W%IDbe*ZEj26~PhdA}h zOPxJ4DNn!Wi~v$?s{8YP;##8YJBCl)y2Y%**V(Ct2l3Yc$DC!l>b0WWoX_N!DyO&IM_ z-q^%RM#XHyVH=mAtP5Mt-1@=;?fbc13ro}kVAcJKMFWdUSpz-tVotmYvIX$!jzSK# zlO>M4ng;;Wx!x=e%a>4_ZK$C;2XU@@@Usapwfg}u>)hHHJ-o4YH?eQLKF8Q2+qfgsIVynl4k=Sn+MXm&{}^M)J0|@olPZjV!|s*~(El3KlaB zh=uJ1{NAdz`1~?meVtdOtW+EBM|V>uNwwRf=CMMuP04oH8|@X8YQM^K(H|THR*J!% z756WYfOV#kh=Pk$z-vz*_3zf_x0W4oW;FbIabif^WoTs#bJ(-2&070Go; z$rN{bjqeKZ<1ndr;C}T-LVEVaTV|+l!9Z;PhAP8;>WcHhMrjNi0rP5&U=%&81GxyyUODtS8Kq}E}h7)|H@}x(vXs0@|X+-x2a}*zF+g_Ubg-I z6g?Iy?7B-jwg<#92AWpVN&-|?r+}lJ`y3r1;>RLImOKfw%vOc;Pk`o|g<(0@pY1WP zP3KFl1^D{$uWnX>XfgS2rnRjL(q=?tuEyWf);AB;N2^s&xbU|;lRMd`taQuQ(=^K? 
zi>^rf?p-X5=L@*3ls0=77TMl5wAjHX=PpCxYj1erLz6dm1vFH?ERu!D7`p_%HYW?D zX{yEx^*qZzi!`&C2EG{{nxM!}31tzyxc@eqr*PpgNak@rRQedA7S%fs^^tWLv^PSA zhWKC9e_J?0+WfK1A zI5_-e-&0ku0_5i!mI&Q0NmXirVY6@P=U;pEOB|;AlI+NQ=0zRY+$U%TClz18&sOiZ8KjoU3R%PI6@c4fY$Ae5 zF$8#}#Y(~;dO`9eq=MKoP8}qtfC3&+<6N#C(yUyQ4XaP`zg{P z-#g+#ji@*Eoj^)nK{0u2gkWs8p+eB&>(`ZaEY!;k@qG(=tD#LogqVJl7gr|Na{G`D zERILTssNP6rKe<8nI=BumPxNr7UtjbspL(U?93^H=ZXwewQPnSr@w~PmzBDA*a{tj zi{9!|@b~HE0DY1&3^A4yIDVUOE|Zqz?n@N_TNZTw+{Z;gjyfDgM<7it1rkt zeL)t}s~@X&jez$ey4dk%UO!qcBof} zi>f5TS&)cj(x#pW~;+M97NU@c40iC^139iJg;fm3+4=|4*Ohojnm4NH7 z6GBmzCx?aTuc6b%{TtOFb9#?n&P-Z6Z33!)_yyj1Y})C=d)` zpQ}~FzbfusIMW|hbl8%Qd&0|*%-}a&A7mi;@shn6V(qW#r^x|W6hSM*lzemHJ$V4^ zUnaNlKXqDLA@0U%EQbV>t~ACUg<`QvX|q zD*A}@ZX-)zkw9opuYX5(HVLri?U|ZKMnCO<7OK@lgSg4?;gp=Elvts7TT>a9!rtUq zsFohtMMipEm`KI#Crv z4SDPgb{`ERIixLF$(bubMRnJ8J9%(Nt2T5q-{-qLtT+NU)-&ofTIex_@grpkgno+( z0vZc3CNZ%)I3oc$+`Lb*lZL4WrosL}VO}ztPF4?>>%n%9sT)l#1+`piG+<3`FIkRq zB$;?wIYmvpRx=?)G8pV%#fU5)aJ{uW&gHuKU9x8lTb^pK>y@;GCs^f8$HQbWAZ57< zzF3)&P`>Pz&Ce%LUUbu=a31vZK{5F3wf%Yyu;jg-y@021)uxCWCG6teowb1_#{vd4 zQcOswo?j61@Oa+2vtDt#9P)caN49z(ko8ue`oRY)6%l?TL>ty0ArEK`2t+gX$|61M zfC3*{MpRI2051q-NQj$SEd12qg|%0kG($ps;1eZ+4Bh2 zDwJQq-H6B1d1PO0^N$ZP$LZvJn|b1CdxG8&w$Ts7O!L=0Ro zLatL*8`!dHTB%3+1*krN-w?MidOvw9oN3h&9%pr{W@>E4sCCPrNoTsmBweJNpq{WB zMo3X0B(<&|Pb?fJkwTi>&p?}fBazGq_1B-^;am}nV>Sm+uOe#5C_sg$0m7ShhTkBK z;3Fg(S-)votZa=UP25k-M<@-*_2!fXg7%P^jm}C4muIX@8wiV&Cdx$6s75dk1R*u0 z(KB!L>TjB82m;-LYn2Y2_m8I%NF$+_GJ-ipqE>l*Z0|o=>nQfvbCzFsJbs^-y~v=k zOkLxw%2pzco|iCk+!u7;R#26ne(0E8J?xeFJZ92pzKUyA)MvGLYi(IwtZy30E%&dY z?R>$9VZvb)T$taGQIEmd$yS#a&aL-!>^-p`vE`URLl9_w&XscBe>pJivTGdy<|fp+ z_J4?Q4XhI22K!HX2406<9$8+GcpD#eWom>CWk_EiDI^>v8y~ijx|QO{;##VU6P2B) zVOe(OF|tgfo`gtC%{rFGqqOh21u8`dz?bDB>=Q>thuA751X6v6OS4VB{Fl`rrv+TE zKac-(`P$VETkWZ>yX)8KCEzaKb(vv5bxYi~;2d7td>$EmbSG4|ll<$}zT)i?^j=c1 zJb_HqFN&RAAa{=8s3C_sIwqBfE*x51N9uqVk*Shb5t9nc`*mCWy5Jxk5_9E3@zC!H 
zP&MhoWRjsm@$qgFAgZ*bZGee=OpgDAk`+u|&TX3cQ762gnH#{YtzpGsGwF?|$=ZcApuTJ69As6V8}cZUADv59|w+g{SF6M^9-jGzv{NLF` z?*yF$V^_+|*_Wi>SqVfk+qBE;2>C5WwanQk|5a@vN%nh*J-TM8+H`ikh*xL;D`RvP z0S)XoPg6O9^ddo6X_YHMA4++~1gk_G;3?aZQeB1$tHAoh@>guDyF27&WSzJ6lFpnZ^et@dAd3lW<4vj zQ*1M2ZB&Uc!-b(;Cn9c@2}=+VO=ivID|SDjSh~C-VlbCOVh{w%x|#IARTH8q@Yy}x zzR(UFys+d(!LrpfbARkqb@z4&O`&(@y(pWR^0`2aqsrK{8yvn)yDSY7H9K}e=Pk+1 z@7?<|f>BR|efqkTB(+ro0ZMPFuFR1JvJ@lDRaqcuFIW)}&EQ0V-vFYx-n>3tZIkIWmmT|Fm z?U5NS6XMAlyIa&Rp zrD;$t$=$ZsmH?Yyb4Xs5WD*&kJm6_TubviA@}sEdiw>oju2+_)oiX`XX3u4N6WA`g z2K0u>?YVN}k4whc$4k49Vr1TooOfW(E&lpX z0=z&4@?Spk%@by(V1vU_30OvRb;0G*x0$%g~M&Ef2Q{#Bqsg?>Va=zJWuzPPUW zu-y*yXvLq@%1%>?~}y+ zg`47qxM4W6%W36HVRj|_0`C!ub1OZGQiz!#@wmiu4ImVLFJm>hfWB_k$`T@Bk74;t6#Qo}b@ z5v@UU)xw*`k$)#f$Vqri`z^&E+qLzSG84AX9axcLq)@AzTVD^goWXjdC7P4Sbdp1z znlj8W?0%mLBrMyns0W~W{N0=e!TSf6w3RMpz1TDZa+TC0l$VH;)^tpn=o>1POfg=wFs0if;gi_G|(P`yUzPOs5hL zlV)Y%U$TZPZ;hCFnIQH6nl@#_}ak#De`)8eRe>@WKS_)j(*}D2>UMKw{i`5`j+;Ck{eZCFisT;yM)V$5Ox64F8GQ%=FLybQo zm7S5fI&S(M`LkBalZSQW$I3eqWmfDj`9DVD4Y`QPMi4K zN}bS|C!Jqey#WnLH1=!|aMp83gI_ zkNr9XcX7{m3UqnH5VH{LPazm)-jQ!=ph-PBc!zv&A5>e*JAAEyqj>A4nIl%rxae60TX`pM@EpA>LR$8?^s2X*RWF|DmQ_mRS*VJ;h+wvB-WE z1**L0KHC~5s4_1NY{CIpP!pd(%_Z*HYHBDC>Uy)8j1)FeKR?!L3+%@6A98mWg~7#< z0uphg3<+}S1~mwN*2^^WT%dh_hW!V{9~6Rzv%}JN<-JIGkrn6@r7z{@_qaDZe%nek zQ1S&>>Arn$eoZ$aEVPZry>&hzUHdstm+wTnqEa;3>F^^}%_Fy2fnB}JkR0^x6Ua{h zDmCaIG!FYwBr%*Oh(o7F;^jbI5eDB-B48e8)R)&JQtF|qNHG^)kicSZgiogi_OB)g zb~bPz-!f@N0|H5)GyJZU*I?8qA8{Psl~;4JC?2v~Zb>QuR8?Z}rCo;_a)TUc+j%}v$naI zm82)g>eK9-6tC&0ke*-$bbR-U32^ft4%w^&?AP6BA@zF5nJy_*a!p20KZ2Xn0O^EV z)cJdyxzrk<5#0B=Mq*Nc3X-G$Q5w65c}SIS$6u>{&7hY>%Z^?QXNTY)4HgdqU)C0P z&)VfMNQK^vb4NjQq%aS$SVLFJMl9thCMSv0994>&t*2~U4>BfrCp4Z-QpN(CH1@hV zgw!2ea;*Z-n?8ti9+PbbNL9)Th7g~GIz3+x6qzsu>b34n*4&>y#HJIryI)8@^{rg;PJAQAZ~O8uKqdb|3J}5G~I9-Y0)@1S64mI(GTzF2kM++<=>?71IW=}D=;R~ z1Nl;vq&X&4yusO2=F$OPvBk{1ty+ik_Ej~7{H4q(3eu;qq|uM*8q=$JvH*Dh z!3G!%@mV?DW&aa}^o{tXIm?`=4#v}y6}HvfJR$LiqG|WZ`b?J(^J^1^l_`ZEnav}< 
zJ|XoJi;irl&Pg^th7a&Fc{Ngt^H%mYX>5pf9YKO-Pa-sa5BC7&Tn6@lo#FkDAPIL~ zl;!8?2_vpoTRYG0S_yrgmpNJ+`F);#54K)kMwiL6?NZ0|o%3sdUTa+ip_3=#y@H^g zfJmkjYL+4GbCXll?8i`5`R1OK2uUu`hBS))J_*hKOzvRzb-ezzK};Oq6vW|NK={?53B^^1Hb|JZ!UyF-YQk?`RR!hG*+pFsRYnvfzG8HFt+Ym%?t^BN7~GE* zBu*!oY@g!+k6EJ>yqX$rt)QET^VMDDJf}tR!w2d2^hf9yQw@ZDojQ=8XG+we^4Z`) z64Rh!gBP5WmEaE-_=T-J;yR0G2(=5>G_qr9JBzm>Q6lfp#Hu!Hdw0Y+`|Xa{dl7$U zd^XRY`@FRdeQnN^6YkQweX1|RNl)bTBIC@n92%%b(MXKcxP5A(Ed1>~5|uHJh6Ta8 z2i~!O!(fIv!25Sa1UZ=YY>$SRX#VaNX+)P+$4VU$?r zN=VK*THlquywD5b@P3r&5sDFEai9-*lVa<;mUEhSIju7L?>G5=y?c>vJJ;Ltj{Y)O z%X7(i*|DzMHW|dp%BzvEK@T8y3;eGmG=1?!Hh^PM5?p+!Ue$REE-5C4(v=rXxm9+? zsfVSgFj6{NL{xN@j7@bnt(EW@#0w!QYCxi+R{v-Mvg~ zPcAB?#^ZRq;coqseqN_n@Y(R1@<9Nv^MQeO7TL)<#541#Is}v|xil63Ao$g)8WMP; zlc(HUK)t2u;fWugrox?0U6cEBgUl03=!E(C?5jYEZrwr{c&#`oi@%QwX$bgF!N_a! zdn3T})!|{tz8O66YP>Paal|99WVO1!7^aSSi7BaB%EHuXp{j#H#aH(40P-BzXU?dn zhmW6C+wb_z9(nI(uscO<>y=N-mb0ig&g>K$v!h7x=OJD25aXNd*0v#UmnNPq9Vgko zC#2jewxuQ`B7w@D8wL4+>N4{}M5_Jl{o8CJ&N)92ogIylzq`s;VO~={)>Z^yTzQEl z4>Ex9j?U~GF)JS^tb>bdo23=03Bt>XijnuYkMkx=Mk?ukfpOH>vv8iY-~2WdX7Cl^ zUno>GG0BjSc4(0Fas3wiJy{i?l$yNBBb+jjx^r>SvxYV_KfBLN(?L!Y$SAC9u}GB7(-a zVS*z6$%ew4Ibht>Ma@B`S!i-re-ln)i#c8u zo9QC^EAEtOH0zw{5rze+)k-GOu77W<%fh*_Ml49wFM=0#(}6$kkROsYuUM49aonw9e^2JdXQ!77b=@9VpU6!t_5fw zF?DDP5L^>FDZtM_&_C^Dq$?=Cl(&&7Uq0DniaWR;3Ts^e*=R2}FM)BYcBm&W=M-!} z=vTfYCg;gknE~=}=?|m>RAQx6Xeu1-M!b`SVM>j9L30NGCj&4{;g<2L?$@cKfcNE>W#_zJ?z#b>B86ukwWA`K?Vf)OEFU%9LmY_3MGf8iZ(Ri#|jCp*C9jKlbTW zIW^2{G9u<4x;+G}WfSo8jcb$kgfrI2Ulv*#MjaW}E@3GpGJQprWdhhTR9OzMbf5sd zK>sE1SHTA1jF;o#j2)<&P1>{^jS4svU*dDU5xf-JN(UtJORAB6T4t%6EV4m)l#=~8tg!7_|6jXmKsv92T=U-HxEVe3?z|m z4WK$BhxeB#$kChz)NFW}eXG@FD%7qDkJdRZ4> z$T8oOM_(geFIr8nP`MU>okT6Q&1t@)1@Xb2er;<&Q@tMYA0EP6_KIk2rHg8Lkyb=B z!1wD2F`T+BnP4D54vkJ}*eFcFP$Q$@{B;)FJKo=+6R@6e%j z-hFloYWIKTKG$(zXTs~$YKg2%;$R=;Y#)y=whGWn>M>NG7xu0A@vHWCsKAn@t2?CRgC|9-Au)G!?l&}Y}T&vcT&xM z@{k86BHK@8;qwv%TFJ$Hv2!YQ%XZjD<4|155A7nGfUN81lUq-NWI*{R3d`knL~_XM 
zg|xccq)_+)VS}%Vw8fuETOqm?*EnXS%*a7>Xg9C?7T~|z9)g#=G?k-YRFJp+q;7h7 zs1z`hUqC`70(M%{%B5%jryh|>Q*W`25VAL^lCo$khe zF2OL{BYr~^jZ(ITOqgamj*8qkV1x`{39)-@23hfHa7*@nAWTup@KJYY@C|baMMzmz zzG9WpJw!jf-d`M^uU=_zw(}Ivw;);g@8kyGZMy|BL*~sWO@4P6JMQtzkI2+mSd-V~ zmp>h?>5n3`k7hrDe|@<;WPN%mbbDOhy;sa){54p7O|*lL6XpGy3Yl-y6q@ApeC`9Y zQk|Cr{-++@^ihS(%u2Z-7KYpY=$8D;)Lp6RwQy`diMOkkt7y0e5i5>PHbsDZ5U)l; zKT%aRAY7>u3=Q+kPdF-fKV!#t5ES?2*&YXFdZ_eXiyVtG6<~$eKl^oLYQ$JI z$kT17`RnwH0bdHpNoq}FOE>|---PzZYS%2mJ!AXu?kR5`o#YrgK{4~z(MR!$9gJP~ z3V=R!Lc9Ti@}A8TUT+@VzfOMY8Url4v82rh z?cNQk@Swd|(NESrU+qNKn^SQ=18oLNZMxf|$Zkll7u*`bugL!`4}7N^-}mi^1&To| z+cZ3Kge1-QuWcg6igS9r!|5G^VMU2b8cCSjXZP&>hrj=QfQFtI_Uh;6RGagU#3vDY z68U!ou5Cl($QFVsu0OEVaJ3cdtY7gPP>EET#oMp*^1~DYykImY&BU9)u)Erv-bm9> zp~%WFX8ty^sr0ci^ckAW)3WM@%9P?&9$u)*QAQ)s$n8;cOO(z9sLe2k`w-!nu<+jD z6{DwVV|ZNKZXKr5^QHiN-$evD<;O=6Fa}o`w5rpoAIS#BjLxdkjPW*N=qA=hu)Mu3 z0+q%jcUg$&9!UjQEHgnDEdt=zUN13xWJl`3>+pYK6*Qy^1U$h49l4a9*f@i-P=vfP zAL*N@1RwA+DiIp1Z?MDRBZy2)r61luM88L(VR*bi6Ub12Gr>zXb!>Cnhnv_M)N`kH z{wPr_*+#XGqPagFKTE{Ct7I|C%G@2XhaR)N;Vte_!}M-@cw z<;kEhP*-^>7f{g}M{bFPXM~{@_vnbkb+K{0qlo)f9NhLH?^ehu!{8uY2&{6=9@0<^;L4DbdiDnW|iP;?#d_%Kt|CI3T_I&emG4FuZ zcbgevF}ty-&}FmdBdI_0sW0nEL8FYu_=6LdNd&IJMR4)Y2PN(MW!?<9y>QThs9p?ZskL4SC zC*R3$Dlcnb|Dc|6zV_nWx&Csoz25Pw{pE7Gk$+9+%jM?fp_h260y24c>HSOS=%AGuviEGl=4(3!Hx^0F@_V@zUnl@KFl6<`T0c`U||gV-k!H%hTRmOkFGBg~AZ|v_(AG$!UYFQQ+ng z)~dzK?72a#42l8!w$sjW$}uTG@o(~z<&Ox#KSIDmNWggIg(ZqAIqQI}%<;KruBd1j zvwk;4l*Y`+c^&lI6q>Pyq(Zz%fqwi4)accF7`62GU9@F{3$RXG)3!ePXrStakWz(C z=soCtEjze%+oP{M`Pm8%aiivhMrV$q+&|KN4r=H=dkG;{Qms@G(zNwdHo6bd>`~g* z!Ozb;O-?(OraF&C5HGnIE}l#*73^c;ep|&>`Arf4A~>w`CrXE^oF)ZE3xdmoJ(KR zd7$9{rSiZb1G{PpAPdDscHS08rSh`IY5Nrtu`<-k*{q|AA?E%fm{|6L=&7s=76(xT ziw|7Ax1~9M-4VB3p>xGW91F#dz<74lRZl+Rsd`O(`z^a*nX8C?zns3^TT@c~jF-{O zEa}3_0^2K0m17$q*Qnl4pQFB~o#J<_`hskYBvYYO4fls8F#xMllil=~n^msX+@vGd zm{1(a$Ee8|q(W5!?O8AdJCc*qY+XGiWvqTU@yG zxWl{k9}Uhh88TmTMUq#Q^tgq!!dvf8j4qPXBs8j;@uSTG|GbGKXOt9f`X|PZ*lf<2 
z;%~EuR*Q>kZK_|HJ%`pfdc<5mN#9*7z8>jD^pMY$78l@B8mnSriXMs5qC}X5v!G&? zB#M%l11M)fsv(k9-o-!eh2P_kZua6W)?o~E%?-Xf4c%DZBPJcrNpL6SUJgIkw?i-U z3D#9Ov<=`}5c@Cv{QayfX&!^4-I?uibeB)2%19iokYNJB+#n*Pk%~oyW}HzY0jbXG%0txT^RC4k1r44% zFXmV{e-eXn6o5azY#+qo`EJh5P=mY>vCvhi21x6xeyb#xuYr%MqJvEFr;$r(bANTw zmzAvWu{Guhzou*Ur^)tB!~F)JyDBA9<6a-xr2iF zTWki4j?|RW2#KLZo}<-#SY4HnBUShj7^2=~A|R)8DQ@xd`2)@L+L^I|k0c1Ts0t$! zv5#a6TqndIQJ05WNA}&$0z7ywR^kS35;2(EzNO7wX)k!85`RB*(i~rX>^xlL zBImXE-K_ALR1=&rCF#ji^Ps0EcW`Eq)U!kUK9~(8QshF8gitTi zAkaG@rP%YP4)is)Sv@juTmav?@r7hMb8p3H&TS&0C1}AlM{lGPEUv3R_F2pCF3JPn zYSKx93MU9|UCDb)d;>dnbFgg~pOruqc_~-nM(4c~;TN|Nf(iLwlApD4n~TRAk^2v& zXJ}2Xw+0v1J2IS24l1V60PHTSWCxzsO5`T1wqrO@zXd8;c6C1;-YZ!ri-nTa^lIJ}L}L8%r+!^CZ>u(~56 zBr?ZBA$e2^6WjG?TPawgVunag%@PJhz{?%}C(HZ>jbKz($iX@X9KL&3FajHp1ViE> ztF3CHEXVKvq-4$Wj9h!#S?fMyWtR1L6v*s%n}on!KnS`r5SIHCZmA`jpMZlnE}~;} zqN|g5Ad~l#$4;H>;5UTMcFb-nuMRwz$<>N%sKNT|Sg|e2^qr7JQo3m?j2hIOPj;0E zu^?Y@4&va?v^u@9qrz05$I(Nu{D(MBYYz6Owwh|_S|1C2BD$o0e)sJzP<9 zhqIWx2m)nN-T;jB-{3=*RnAqzmaTkT5|(eGQMTBHi#8q7*S0lNo+6%WAE=+4d{Y~p zru>W=yJv35A~a@ixzJFpH?`_ze`z%43N}F%FeJ|}QGdOt59ozto9~bIr`RCAC%rL= zO$UX_`p^0V8hLl10W$N=YVO`4KAH9L*6qPBjfvoeq%&voc9aF$?y)=zEZW$i?~r9& zI&Ghd#-f(2QaZ+1PN6c4()gQV7WW*>Z5L9P|3A74EQ6@_%XQsH&_Vfdc#sTZvLU~O zm@V!SP@VMZLl3obw*>igp9X=AkzRyS3my+VG>r6f*Y#)PZLkK0c~wE)x22U}HY0H! 
zN29Y5o;-SC3z8gO>wfm}fpzq98?9>ko7=+*qWPc29qD^EmcE1*J&y-_mT|eS#0Wrc zd@Fsga3N;+C@zP=O!ug)6QXsvu|fRjLiV8y8VZ$iCc{ZGz1MSI!Kw>4dZpSCPe=Mg z_2n&sny@I%bagcY@(FZwrLH6EacU*w&zlh1X_NGBz(qKbHE^ap`URG(V%46VzGY(Z zI+yxY{di!T#0kjI8fDA05mJ&YxC(?A#3*gZFVU)lBU8$#OT4NW%W$6X&@X0%;A;Gz zCvq1dkh5`o(#9#oN7KxYRePWik&|mT5y?Sq~Z=GJ(kJTPtA$M)CMK z%6VsH<;fLL&IJxJaYjcDl#0e~h#kz~(Q$oR5EcpD`JzI<6RyYXRvFO4nQ!LYws}G< z8bc79c<2o>-LO(D6DZL*d$5J76B+KPeBaSi1s~b|=V~H$MDcEU_!TvDV!8!Ibj_ma zG&G#~QXC3V+LE*yx(eq3wC(gZDgd2>o$=(cq}8J#u3pda z8hSOVIaLPvPUYO;<`~nceS7G&cB)C&6Te;ZYEW(65A}6urq4b>fUxi!-|q-YDRvG2 zLRc|;?DO%wZA z0g0+(DE$GXfGGsy=17!DN6EbUFXlTKNORykm*_i5z5f$``#@ceq-U>&Wz$}a05{pd zq~D=0AQse5}pgVBiZe+V4K@3tTmqt8) z_FXAUiH}g98Tgjw)~&nq2h&A!E0Gp33WG$K2LF?~#IpklEzhKNA`at(&0tkrHUpwH zC(s4G`n-5&U!~IB3PuQ3+W?Y9l_|?lo(@0n_gtf-{I7HN<_0 zRe~y^e*^?JOtB@p$GQvA$1}Z`SN$%b&u2G>xh`QP3_K%QS!Xe#$7@sD;4NOUt}mb^ zCsT04NTpMQN+ggv6Gpz)pJ>jm5cpQ9@f5HREC`>IU!j_{i$ZU*m@!4jWh&W6G%dCI zV5Ov$aw8)GA}YSX-K{d9lePE$E4Q1+h^9S(`&?%auHY`#yh*2MpRd#`~Yy7_wPF%1NQNfVv>@;98tiaT>h<9`kNe_Di6b`RIOtsUbPSA_R1 zbyRX~yEABX)1Vvd)s5A!_3n!6u@aDF|rPY$rjr z4sWe4xvU_&VL@Oh$%xn^g5=nF`K@G^E(j2Cj12$^RDP~F)^~>J2Hxu2N`g9OmJXji zS#-6O=^oR*R9~)_6$zl=tBPnPh(|L7JxKfhVqm(f@tf1356=_fl~ZM-5s9u9BKFV` zsy>EX)kmuJGx+CK>f$9J{#~h}cMf9^)*gBE(eBDz^fK0MfWiUY0}@Kc;T$`QMq7r4#E>OzQ#Vv3X6-3h)KWP`oR# z!7sQ@Qf~j*PQn2kQ`Fgnl>$nI#%U8;3pu$hcwo#L5{a95q?n{+oZA&uA$Iwg5@kXE z0zs(UDG1QWLfK9llsm_=S8&%99bFBUU%!ff=qh{UmH$oChWYrHvHH+`sY3IA%GsDeqfzaP@V;efl|LKTzPqtmU2QaxF)1ukM(=C4yZb zjZ8gTL-$iOmgsPLA0Sw33<4M2H1|p3+XWraNibVkC0R??@&kJ$m@iSse$3hj^NWrq z#UMaWw;-Sv4O8ZYKg2kkMUIpVeITVzs1g;fQ4dlh`TPHOT&DV9iU;cTb12h#lR`Yq z0UOXS7DG3LgkqnZmRx0GO@FYls;N!=bszM@jy%3Ysu)waj!WA^S@|Jl@6Mdj=Yx8aSqBRg=ab$p zh#m0xN|o;aP@0(YDO$HS)x6ferD2kKGF+ppg7FvVSkbWJ@6{xVycTTm8cqW$19CC- zK3GOc)dfRNf1KWv|HBIC6IcVb(y2>2P<#B`i6Q4)SB^Q}KG#RNKh2bX-k94(Nz2VD z@-78{!`OF55^e8>&6ld!1~5F;4P~9Ko0Htw=kGWj6aFsV-ajEZW?=7(1i#?4V3Kh( z7#F4_pa^=jSbsE7-B9P_RKtm$lVAer$q;#?MF;aMw?q9i0BVr6F3}T@@{DlgL7)Zp 
zmS3(mp7KGVSY6Eb^Li5D+s_3L-XVCUx7SVv4WC!x%9w1fr1K|B7vh}I_!8Q21)XXC z*^!XEdVN?l_o5GH#)@iAO{geEWbXwyF%b^&#(0}Bu>OQ;igi8UnLwj=vhBb9nXVgd zL7=ltF1#RQM8Jyf{Du$Nl1nEgZ08Y6OL)J!(zvR zvd-hKE|t<+8C024AkXG?G2Fw5RvdGwYd|AdRs^?!jeG>8a=7qz0DF%Ss_pc33$YE( z7WGe=72rx_TLWqV-*yeuWV!zF)G00Cnj$A}51za(R4{aUw!O__AvXRz+220AqHYx@ zWDPz-hMQUqLsZ7B2`!_VTaGtP%&kR(HPrq_#rP#0H#JGqICyU*YLQ75^_?EBIfSXP z-6MSzgAqOn_7Zs;9!#C8L8yE@+h)Iu^wf6(ml%x3P9t6lFUila0}&VB&WT!|j1gvf zVcfuh+L)rb;s4uc7q*;wyP{}TeLE}E$(+A~WQowV)=lDH<))Qg+@`mME^wYy0dLB|FVp?XJtu|Nhl4Va8H0pj zZ&lUvbp0d|^Kze-e0F%g&;Z_DiW4hW9%p|p{%E4y_^s7!zxGGiOKkcNOQO^56=dk6 zJkH{ntJ+3pra_1}hCqJS;+2t8+w+Dr=fU}}!;lBfpdAZhceTL#km7#DJCu#LU3|LW zN4#dxwe?`{v%y$|L|#K4V3M4T*(1hjRF%lv_zyhT)LU}XFIAlG&MiO}&bfGpq$_px z-t++i5Hox=p=YUm8dB=rD4URi2*sEq5}3Iv81~&XrMkNMzo2IL-sc63^8D*yUGW z-4jtvyUn>89aoOI&SLt>O+*{-s%bFZoNcLXX;hXQZcxl`tr;*!nbnv+S! z?cMuwwPv`}Zfo)hNT6J=!E1~IyBr{1UYxoF%g?6Xg5EuARHm88ee{uXuI}2S^a;$o zLU{tgWUle9CywK_TJ0A^U>xu%EmNOZ;>LB)b#+X8w-H<2JaQ9L7Hr9R+H?RbI>Dk# z>>m{vRC##$4H;YbImVSKuf>^rz+}lAi~UO%KnV>vrBSMdx}pA%kOccsaKDpI-1k*A zOQsxzZm%w0nQ14dI@ahW!RzX3LNhY~q9blud0`1HBJ|}7d08b6`~eA4Vg)pQXrEFt z-+A_3cd-+z6XG8}Z}+e2RzQVlCP%+B^p5T4<@U-?zNz3yRBr4x{1{zxKU5Q+J{jn> zN_VWaJ^66NSK85i2@nzVtn_GzWi~!O8Ayx1N#&6{r;X2FOle3iHnJ>C6GcN(zq<|V zX42r^P=y%^trUuf`jg6DEFkh)gRQ4)gKXzg&G1e%QIT(@i#rrtUg>@JLsrTgp^y|LCOWuki&*pH8rCX(r}C zjX&np^RRMn;G9e~J_(Feq^U<55Ibww4Ed){fHI1M>{RqP{r#%g zgsxcd>qyxIaEB4j@c1?n5=JINcM-*SW7v4eVY3PM44B3x?hyBZ_pV4R>lTg?GCw1p z!?Q>y$PjE+)JKPB$1v*6d?sT&lcq)lYo9nda=EAMG|NgR7{w_7R&U3v!A!xYbZ7i1 z5}OKsd{x6p2fqR<26)k ztsvN&e%c&w)g-EnO}8bS^?1I_)$Op=ZS%N09UV74+U(Gx#xwYkcno%F5aX*|EIEgq z4r5W$iC{dQ;yU9O>lb<&ic$+_jq=|K@b|6szgLr8{a#<1%q?>J1kTP6N#8u7S9_EPl4ws1vD0&*OOz%4aqj) zp?Y_JRk_$?Yv_yZt5e(agR%|N#k5QJwswwH$FDW-Ymet^Bp0?&o3bP>vNfy<;g)!I z&;8j&G^P*#xxF;pUMcxWF=YS-+x~wtR_$)4sxB+eErZ_v5xxtWa?e?@uRTfXdAw4P zJr=4$2|yWm^DjFHlV1OSmCoi!7@~N42?SC}!>8c37#Uu?+s<`ZXoxe=$v0(V~_WEmT}T3_ZOyrLPS z`@?5H5~JS>he#^*3CE9IVH77~l&pO&<)Pc5l17U()3&D$FBww4!wu{rqy9Hx70B)) 
z@gxKuV_V3-)}3iLgtPd#?m|yK?m4=&O7vCBe}69W20segD<@p5FP=sVMIr4MY9T;XF8`P;R+7apA9dM=qX?#q_AGBNH(Lw$ z>92`Q2r7^md=CZ%S)3>dlOb3Jg*<-2;-`ur6oW!Q0-mX&t{nm$zkW2xKW^>Amq<>q zK4q9zY?kMjKrkXB;4;Q;W{xTtat<{eBI8h%9UOv{qT^G1!mQEwxXR}Kco-G8Y9`7c z28rLj8I#qzN`^iHSk3IJ3V|G{JZUW4!c(rI6d3p7~LHp!$F z710_*q$1#U?V}a7_h2_O;FVB;|3*Ik4juZeH0Bh7pSt0@2DFTDz}V|3_n|)ewo`6< zXPQ3|yU_5G$u6PQs#GWJRr!91%h(4GZIw%dOMLFT-J3r$ZJsYyuNKywEugQbwZ^69 z(c-bD8bXHb-OevW5PT&sEHDw&r*FI&lNc6;z8`a{ozv+2K+J7jL)mGcba2g2{n<8B zbeEzu!IwFZ7GFyK$;YbHZ1i)89He0NqATbWN>>C~d7?RblT13$d?CBRVhxsTjxL}2 z!^6W|=_}fwh5IHn|Lr48N)W6v?Gyr=xF_WzVkd;B9rb0XQmbQ_Susv2KhYw z#(Cd&MVGQb&f~TPdQ!5}yD3B4p!+!IP;QpjIWArftsss|R#;2GGGCra^5Ai({(P)Q zGqR@=TZa~vw=l==xx4)N19VcMnm=yin}VVznk)#FHc_*5fn0E`_{lJ$jeSL@;>a8O zq#3${p4#!F>1QuirMnI+N0M9BveCcIX{DaI-K8BNDS2miJj|40$?))$u(Wdgd|ss# zNp*s9%A{flnk~Qb(f4u0I;iN#@%9g}#!YLrJmX0mavfq8+~9EqQJp5YdGl=>Asw`^ z!9JsrKBqxXB*yPepvjPwAI}zi8AFoEz3EcDs=st!Uf74CY&uwd+Y1V^Eyrm8Ylc<` zh*)bFhLp<6bIoO-21YYlfF<7;T0SqmGKQLHa6;G)bHr*61XlZdmn{GdAG2Lq{^5#O z;VSAkUCs^Fd`!}Av>VV0v7rXiTnG(HmnFpsckI4+e*d`P)xF--DH|3x6uau+TbCtR)OE*J3crNvhn$*^&G6|p4{fQWBpHaHBhc`5Pn z1#HQ)I`m?jBaZ)on(hQ!HESlP>_q=WJ)bhdHkNjAlaG%;QOB8}tvBRHh;Ts*t7=&z zR)bD*KCb3mzBNoGYGt#<&9Uriv#q0bqOP%UifMZlJ+CN5CAn1u^)0y(t{TAHujEN{ zjya@x4R;`-dMr>M&;0rLQTz7y<&Tr5gq|^mN(_dTyH0Y@xmu^B0PnxGlCOWIiZ+SN z`1)B^?PzGtYrG9e*yoNnH$mC!^6lM-R(rT$F3{OtScMpEz)^!B^Q2?YXnT@ z80LNRaU45gx-r;y|3kncDy1J((kis@39hV)SD?24Vh%eEfyT2g+UyBDWUxU&X{=)Y zP3nc2UHuodyBm7QvvG zmE)p{Q6#8CoNN!f3zya{L)__a=z`GBL8l+;g>IgSO^e&!La1{y65tIqk zpVi5yjs&hw$uZvx40;A%AttvAchQ(t^ATb{k&d$OkUP)O!{jzhun}*|nL*9ET5i3x zGb;IZ<{+-e(ucarli%E`45yB%%f)?;M(JWL0}SEb<)L}v>!cRO^9f=~YVB}dn*i!y zSV~a6iO7mxnjrMQy=*9(gJ9<97Jd`tU!Gik9bnYJn?I2ShLGztNDC3S+SJoQ5vOP8#%biCFm^%A_l}}64mqqiD9a}Tpw@P&q z9g}L(~7Y?Db{)yKDiOd%FczUydnm%}~_ z2V&E7AN&w=1z9Ijo1#B3d@at`;;Sxr`O-?mU54W4bvhzT2Thj3vE>^^OnahwPxALu zVr>+XI6zA!b)-~6d9r68A0vJEbU)|Bs6yo+kBQ|Hu){^GYnJU|j3^1A(ozXi(~=f! 
zt&-7-e3Qx@8{q>(1UH99k@rgXeS7Ipey70Qnw>{*JN3A zKb=Fieyt4etkHJBJ8~lmKZ;e@lu?JC6?l^iXLO64PTML<5#O0vVZLSgt52_JiKuSl z$S3<69(k!{p+0;1%y2|1>|DTaw0xzpe3tx7LGX@R%(V<5W+}iB)m@vj2UCh{C!Ib)u0yp zSB;ooM12S`jNpP>i=bv0oOHN;bc+uxO9Qa&s7ps7Sbb;Wo|d>-rJCrp*Zz>ogViDk zb=(SKZmw?RKS+H#TfjV3=58`S@eykRFlAE>-AJo5K_BPqjbCBRA;y*((a5AlyaAc% z-&p<~^RJq14cLeoTs9bg+?4j=j_&%sur2&>f86{lGma9(&cGrFr~*=Clu^XzCjs2m zN~=PAErBC4!sMUd%>M}d8R9*TH=;{Wom4G?Z0ni2bYz?_@L?73J-9Sil~o;etqrRx zm!~+Q8l@~WaaPVoE4eC!cbb?#9wYka2zMVzRrzvDeRpuZb4|cw_bYa%ZD|&@jxGK0 z(_5O~mC*y)xyo`=JfYr}_V_46%5ECKSXj!G5gl%Cc1*TJ&+44TOdkE+CqhyW8b{i# zsj7O_!m{xYv;O#-m$lv6A#6-Mx?1(5;Dcqhl#r8>Fc!nXcGYYf@J+%Q9r+e9QB9m? z#|S$NOy%q%%ye<&LSd@Eg@QgcT|Gbcy1^dhfQ|F?gJDeJ&3^v_V&*bug7I| zd9B3x;57t)kQk@F!HJo)PhOfTjdmAs5)C(_TVaY0cmcDr0SRmt1(pBIJ8xKS7x6cs zV%?*Wplg+~V$KPnPNr3F4=QvgBfO9k7mjHi1ye%13sx|rj90&g&Nl~xIVR3vlkOUG znPAe6!1*zybVK}83ql%@LZNFVb?;rn# zXMSwW_01h{r{BKSKLDD$WtDkvoLIlSYhOTKW1G4GzrKWpgr1zkRe)ImkNCV>usWZc z3dW(^xG96Q6zCm7#-wo8zaTTPoT9TFw-{hS?1ZV7Mgc!6i6gTHcQ0VVnWieC{dd`a zR>*DrZOQ?#bTZ?fpG31lwrC4_ExHc7G8pzYos!!6;wAl$Dn7}n* zt+UWgRBztUypxtz1G!zo7BLvO3Q1LDUTN4Bk>4R z9Y1ZCoJsD$T1J@LinENph)1I3{S~VGmB79 z+okHw$omoWqbf&sC71w#!vFt-(@hw}0D#;d7*0xJmxy4!^)Y_PysSJ~J9)Bps(-zBH*OYlbVVkHIvC=c4M+=)D~kzLiQT;v znYTCWUl@^*R9=0Ow&V5;=;by!p%linQ~}o94Tla?Nfaha z5DFxcFwnA7imy@64(zd@`Iiqu;@7k+msUS9o$N+YnvaJ-MYFZ@6SrM_^~ zhs6;u>L6v8-ZXAen!UTqVC|firvs z&#$~yDdyB-HGRdfvvY zjEFjn&3PAlTfqm3oN2lC$(78n>)rRR^YLmH` zCZ(u*M1(rSw4j-&E-N9a*)%=s2DLfr7Lp$p>daNn{yK)X&!^~!!#Z56Q#^|!yV%iag8Y+F8hKxYM_-JZxEh{NyB)2 zUfZW5{BK+djUfWV)B+%!3dAvkYpLTPXDhyI9M)ZZm?-l?zg2-EKFFowxb>LjQlsg4 zSWQM9ImV}q+bg&yESryU%^;bkA2iAZHbH)KqBb$zHroVJrmnL$2VJaPz$<-J4Zz#V zZ}}l4Mpq@274q<`HFzhTdZb4DG4j&tAxt6L0Y6voiON?cxu&oW13{ zo*ytrx_C>fY#3iG9W3sbnpQ+w9{t`%F7W4h8%(`p7p^Y8?jA9zsxE5PJ&$->pS(W4 zNuFtUCBa|N;-B(6yrdO6>>CB6H+*L8i|9eL5cX*)nR?TU7e*mv$@pVw3S zoXo8;KTV56`f~DieTUCN1uwD`QJ^zq!;+)sxC@|1`xi z$8QQULLZ1eGI~2seI3(jfSoxfm?2loXlH7ZfP=Z7;XdL(U(=<<3wcxx(dqd1O)bc4 
zY!Pq>c4xNiYi%?}Oq2bSBv$&=e-sBsu;x03R8>S`zc`(kV-JBG_uK%X&D!r2wtLda+k z`h0v|DVo`I7&h`0Li% z`9$hW`idTLk*P&nzH6KKCw=J;nUt94hu}~9bVy>RltN?jniA!RGdm(v!aO%`Si^_j zazu9jWOeLMLq9o6N<(KWeP_IeB(l=5@8~-EEzs$`&n5Ce2;o?zp#&+{)>emjfh1NRimcBSO{(*!EQ+aK_ligC^rl4$z~_i`gJvtM!NVO{k;!k zg}+LZ_#mpBN%-AeO7fR~i<;QnIWkjg@B2EeV)Ijt(5^dj{p+!?PBJ^%CDvoh2M^Ri zj6X3@3;JtSP~BY`c-n5pB#l$KGrEX+fww*Wnx#)_Ptkq$)#B0X>uwbS!FmwVX_gNc$Cr#{y_{XX$14&Z$w3)M9}cZ??k}kR@o%YcJbuZ z$@5~1=!Jwvp!>yr<eixlbA2@{p5#MW9=&hWc+&Fj5p==MZTJFhTsjqvhj7JiG3&b?v6_ z3^%vm97IDZfwe6!8s9HScqbqp4;?NicPTjVgGzZT0ee8V73ZJoL!*xDJOHifK(Io& zZ_vBRbz;-k-n zBVtp?o{`0dA7&_=)w&<1_1irukwPu>+~?mT1v{G)nm?>&7PskABHf1_90}B@odeA} z82f`kI{o8O&00wvH2KOvun?%f*ZW{#8n{T=i8WZ>m8gO*e zcWI*HhZP7de98Huq+JutQjE$bx1rF4PYYL~HXZ|WcNqCh!Q;f(NDjBqpnLg9a?D}U zu74wa%<-0cVuZ9=6Zr{8gXjA)g~8jJ@Kzje2Jj9yGfF0K?vQ6;&{E2aJ&}}I=6jRA zL0eju*Er1pgrlF#b;rx|!Ta0B`wfW5`{Db`TbHfmytmemcLcK6sdtih#D({qcf{>? zkCo)P)p8!=yLauk^Zmim{`*5y(miQ^cRZd7&ilgqvrX zI>N+%ZJ6keMNjcq8ZN$NLY-M9*ngD)>!hFg$vP}Bu70~^I{sIInNhAkqVi7uTictn z9v*rWr^mcok0migw)P_Gdc?hw`j7+i?*0HS8gfNzl96vQ>QPpH-Jwq8`N)4!_7ZDGIoj%!zg@zcaA<7*)llPc6%$in)AkfD1w7$<9R8&PpV=)DYIwS zUK>)QS?02QACnsweXpPr~d9Lbx0TLu&<<{Fib`Y&V_~vbjd=6~`EsO2Xh$GVn9pE(l6t-_R`?@19SvsZwdV*{`^+Q|4DkUD!0{d2-+aYDGHfs=Pl$f;oCt^XRoz6Xe>^5vtgw-IRZ zJ@=nM1T3cujzp&~krN3Tz|g6F;-Kd`sW-@m`OR54f9r*=k2wwBXcQuLA+ z!3_H>#lVt4fwzM(Mq8l9e)*mL2-RX^ebka(xymsLGADVw+O~5OOd6{Etng@KwVGBM z6e+#&4TA3TIk*Y%k##$;Y|{}!!MgY_!Z4w;$qB_Y7h<&n1|{L^$>4Q2|BgGIW&b2{ zS?!HS9=A;MF*|v%k5{eQXlmh5JQB}OW|j{(I}oZ?Z|RyWZKRKv=Y2J;8t?;^x0DS0 zMul#+;(3jUtb|4t_=4^!!vw_2-`2?@+t7$+*alBY=xrRzKwp3ibAKT z*wE;V>3=X^S{H-@nnV8(iLSbpxnJmT+}J!-LaA~J1l!|L=;d|tZDMjj!^qB4ms_?G z4sQQtZa}7Ej#O#?_EFd!kL@-c#lJ6GVhM6O1je~rl+IKqSUA2>j6Wv1Cc$WAd-|aAg9D-@rRNmE4zA6GV4QE99J&>wZJ+kkuX|Am4$BLAL*HoJC!V;#mz43d!g8Z;{h%+nx^){MwugLHy)QC%A zuZb!vy0k&aY`U=MY<@PX7_#L01S^>2@c-B6e?cUWC>I~T1}3GCnf!di_xQ&1STp^_ zxS=)zum(r`3J`vt(JM`RHBQbBLpeO0ri-?duwJ-nkB#vyE|JBrSv9yUh3PHnxd~QU zUrh*H}yNtXJ*=pP`d|58n3#ocfh=vi}IHeI-+neLQBz4hx@D 
z5~&2OD(1h-BobakK5D3#tHxHbC`Abcjsre!_)kcWUMot5Xp7XR_gtB#j@kv2yL}=J0|IulbSg{^-QDOrQXtGvJsgtskJOFa`w zUvE4vS8g43ZK(d0W7U`N?gG3y7{eqEr zyd4S0-d#ZDJFWXguYOB}0n~fK^MqboDVkA|s9Y5@G>miGhP|_ewr0{0xRVpzbY1$K zYD&O3Rhv0o^442SELjZ7E_lIMy*tqA^^{YnLLJheezt^#gk3Y$zz)rX%#?$tHS!oq zsrd+68k=BcoLq5EXu#@-zS-tnM@A^ z_c*YbIG;K$3X`G^xlf#p$*6mD;3V}t#?+b4$a32U$hF}V?JuSl2+J5hsNZ5;j%0`+{ZX^}EGda%V6|uq zMhvT*&oH!Tz+3X8rOcm;>AcZbpFP>j@#krAC49L%TfG+4&YDe22!-)^UzljiE7z2g zj%;zzXrXMeH%?$dmeFQWBH2cki4 zGIY1g6cNiWTZZyUb+!_+w6>m3H-uHlkuUBU4cPV%>gku%P@sZMrp~- z-ZOOd#L~QcUWv|*0gG|+spF_2BO`!ob@PS}jO@o3g#ZUl=~ImkH-n^? z?WtMAgl~m#;)8v&r^2~$pU#&f<_9yd*oRDGBHIcj*7Eq&;BM#SX1q=}D<$({XIj3l zQDD`x#Pr=sflVkuk!fvvRoDb3z}4MFbTsnjtd`-SC)jGqdfo^q!2>eTBMj3NuFpNp zl{Q)nS<|YUmeM{}TQ%8tvGjc8kUjA2j-hx%){C=q0RBmRNp zWs_F0W-nJ~%PJv{#+|QtDn2zOXLv=n79OwemBMw(3TUzA6vhVR)FX7Gz-pHTCglYE z!Oi-jLd>`l$FF$$DH3<{t&dl0M)R5-J-XU%ez(Lbd+y69@czFD*ja(X-jTMSG$Q5+ zmF1d-*waSxht~%I+>(+BlAq7I(UC5HO3d7w5OM%J}? zq+3}(dV9}tm+M~P!)M_R_W0Cs?3XKYTW5jxDZ!tGDRV*# zX)D#}!kdUEhXzYRebFERn`a=;K3;2<$R+sNZ8@)#LHE}?!cz;8Cw))+Yi5Ytg%yNI z#lo%h9WBSiJkUx_KjzK+$O$9Xu%foGH{be3_36^^P0hiAW_z4VR(Do7u7%2b!3elq z!=oo(Ix+Y#P%b&ro~n$x0z~R1eEyu6rriFQiwKvKq3=;zk18H&{nB#x(*ad_r)m@1 z#KgCotAk_2*e9Nit$0dE8Y$)YKeQI$(hCl1!fhnSLfK~A?=Y()+SmD zDLR3|;Q%8<3A0JeuzyXdU3K1o>kAK+Y#@g6FIPUXwnVBCM{AQ60Fvi~9@s!sV*2O(M|B#Lp-s z?t;B-K0ni*+uG=j-G4kJq;>tUV%?u1)BvaZhb_q!8WZzR9g2>k0G?wf{S5|p#dwuDMZrXm#5 zm}0AmMoiMDEQVIQ5avz%N1)$`VKXwK4PThfoX`~8A|ei&2!dgKv3aAwvzxcOZ+e`T zD^yRwM31iNa|nzXq%1N#Ys${JKGRZ-=^!$A-82an`3A@Ito&!#Kn-f)P9Bc^HK^OJ zTm?4=@ka6zt8+Yf+Rg`FS|`E$J*eqslxq_bRB>^WbmiXE>fk+YOHq-z%80M4g&A!T z4&Y7Mp4pzd3lg!kMJSS75MpiA*@leeL=;-& z+&LipR#|Ftn<~62MxYRc?$ac$D(Q~bPPY`~u_>W_y8Kz;*Zzdx%W}QFws!7R`*WdC zZyAh5wJ1N))DMd&=vDKW%0w=0>lmGlIw*EuiE;@QbQs}$sc-$yigCF+%!p(5t5?n9 z*P|Qs)P9arUmSdMkOC*AhxG)d?$f~*xb^b_3t=?n-%uod{}x7SlD zVVAC~TM*bs$I2)KN|e|k)bVK3$P@^z1Ui14{!y0VWywS@pGCYaz3Tf*ztNde^v14lL|g5^+n&# z{Kj8N4a+%w;};I5xjE_7@1|u+kaDu6l(r~Z4Ay41d7!FckiO@biZrR#VxDm;*uDfv 
zy(GL)a4!3fgZABT8Y)m6gM*VG?1K3tQ1TBz$%pQfKj7@RN3q0NX=$UXFd7CiTJ0B3 zPHuxAY9Spm?8qn0%NIdPT&~^+B`x80lFGxKt!KDC`oy|GnE6G2vpcG4$IIazfASjTjZo~ObR%>1XZEwVEf(V1sQHzg!n672#g|3UYR&uM?ByHa|EEec zD6`cwu3{%_>H8qQ*?ow9c=X^-+JJ=~>je(Ua2=As6GA{3yDCm=9lV_F|6r$rm_lTC z5xyxruoXTbiwJ&*gpNHF6IW602h8T1;zJ-%sjx$qsvw+n#F&}XWo&Qra_^9Iu%2;zU)nia`k}FF&x5JqgpY$8 zybQWzcCJbrLfMhyxX)fcePu8NDuvkKkgO4NT5SPus{CG`N+zjLpZ^23DGH5@vn%AK~Cd}eze)C5`W9syK#UvCcUM0)886mrT$R|36+bikz z9A0j2tJyKF;XGxz!J2XX44@z-OqR{&yZe2VXH>yU~?2lmCd8r;l*hrV0VX69elSk0I1Ok@Tng36n8p z680+;}VCld!p{V8-r1N0=0hd}C%~^kGMqvn6rNI8hi*{rdzL6}%PiRM-rOC;= zu2YwQM!ujDC5Z6Jlivdi56;88W$qV`Ifwne*C|%Zd)ZV*G+rfSTB;5lGN-DNXE=K6tI1m3JQpONM z9))KxAJx}%^&srbH^dwAZR?#%8O|38ZfwgVFi!7kpeZ8~7de<0+vDJ(?5T0CL;nuj z5^D^el-9HTb|1EHwCAB;n@szSmeu(zZLQKfR-X$;%j>Y+?|Ziw+f^J_jqQ8lBWx0@ zMx`yiT?QeS&0`gB`!ij2qQhpHb6!=ICe}+?Pr;H1^F{M^a9`dq%yVh0=g<7r_k*kR z-Lta*?Jf{5XGL)FynItTd4Q&n%aU9ytEy0GB2*Ml*;Aq262_P=CfVPUYmra#X~J)m z59pZ|dkxo<)SomGa+=#JITUg5Ov&jCM`T%=f4bFmk9<$T5{IuS$h6iQy4~dxD-e33rwhbGlVr- zbf%HB6dgQ%rZH*jbd#PtZR-FkAXZ$PZTRQwe^3DvhSOfuY8Z$z4Ji}PNtO{)z-4&8 z&;aDrbuvo2W4_5Vo0RLg%PtLFTpxw<-xIkyBcRZN#t*1mHqmlI!3J%}QwRU>O#q@X zlvs>}0du4w3>h2$@;t+~0;=7f;!+qnOC1up<-)9o>$N-aa_Rs#w&QK^RPM$H%OJ4J z78}Gw2!Wc4Z7t8&DHaP@^HksGS5EL}lI)36BAo;9iP=lSc!;?y)#U5iiG>hn$jf=TTwE)2B9Fft}6sf@vQ-t~GvLGg0ovb8?td-yIz_`ZG5748Uc zug9ROPLBqg?6O{{g=V>GD1hcddA_OohPASKy{iR$;T#R zSryaJE+=&irr=qW|8fI&%-a)|o+U=Ia#rS?yPr>yfO=`Y*k6tkE^$Wr($}GTVrk5( zr~uF1MG4gEO_aZw23vY86_)L$V8O%--l1e2Iwjzm9v;=31jyQOeJzL$_o&bI5$Ag4 zz?2M>p;YS7&(0xZsFNLAWxTH%w@X3L-7X$d_pgcy`_e1-Cr$6&(qdEV?wtWaj08^g zg^6g#6z_)b)XP)Ix2@w5s0wtYkrIRm`@-8^8x9=IZTFb_${~;no=h7^njG>dhp6r+u(xEB=hi!*B#d-;p@2A4yZVpEgV+hr>rbH5R4&G{0Q zfyvnx2wZ|3wu#bOfom!TXk)`kVEW>g_q*rg)0wU+N@$nxU?T^>ooLr|F|0?IUW1#b zXR^b`1=o$I`GDhc8PDrNGzDRRDfQt)%4>jPhQ$wfK9fQ>)Nw2G*~d1-3JyXPe==kaz=w zj~Zpp9mDl)kNfT9sH)Bj;=SqxbR|VR=iE}jIwJXQ5We@Nn46@`+9)-`8lXGo(|k-h zewd+8v|{##jaR4r+FMa|XK*)xoNAeEIPkO$Clp?)$xOLybvBstoG9*-e|D`Zly|x5 
zsLy2T0JX<;8w*NhOtGymt*p3WJBo;*0lf`L&h68xI~O5@*ImzhN~UC0iNi{og<7q& z?AOa$j^Jk!@TUYpY*C~1NcbAt8wr_vD@ma>hQ=@W3o_Qyk3ya~JSJzr@8{*TaKsv- zPeSHj| zd(_riA~Q#JV`UqA4dd2(JD$lQBpOwN>jGtSynO@@g$=+(Ymi@xe-R5?)rBpGmd*i} zm(_RVn&&2FZIX2>P%4+Z2Rnb>(Sx;vgV!$t%D=s4|Fx_wS!>|AIZNvW8KRx3FvK!S9RDc>G<-NeZ@L!xftqf`Ny(oJ$P zO~b|Dssn*C<{;>D8+{pep(KAQ=3!U68w~OY?of(Fe|w{H=XYo|i}2&gvUXg=1D5vePBq9fTz+@lKpUH$LpDoe{OA^nkMIYTFRG4X?lUT8HYlQE; zwISwX{%G^QBqRTU5?0Nam8^9=3$hJmbS-!ICYVk&Ai`KvngYu{wwA*DCZC)w+l5+Z zfbuV1Q>7HTQ2SD70a1bqlVR9U;=qx+j+qR<^_~@f>!J=i4J4Q1N1c{z@!;gHD+X%i zwREKKg6o6d)pqfh6RtlxCR52M%H9ghGq|ZIU76HM#7^F92Anear&LR)Fqt8*-sPiL zRb1A@CC)pdBKC;MEjh>yx*iyjsCi=MP@(73A9l2WvHBGU9ZX}lO_5h`gk#E>c1LaWdR?sc$Z-i z=q|*4^smFju6#ei@V!HD2)%XTVH1M$(~yd}{14wnVs5(4L(_A%0tvIc+>T0%b~hB9 zpC>#y(TpBz+n(zqNM^#0LP;*-G+ZnysEX4Dm`Bz~2mo^^o|*vWi}V5Tg>JZ1|G(}c zB_BcZtrTo#=EVdFbB{sF4RXi}ES1Ykwev2w@vwkWR_D+*%j1Z`zZx#{KdT;x_BsR< zuVyAy8gLFrMX}yH*Kyt5UntiXBv`htqoa2ux0>WNULeaiQIoct+Q%MhO2nqm#tSo- zrPv=ze*T$HEt?DRhujfTm&~h(M&fp0;$0O0Z;@0V?%@r0T!G{Dx}u(iUFV&3PPXfq zXoWN4l4H)b8#<9#1aLv*2hOC?acbTLFVtb$!4`9Z(>syzx*d zt=odK+8|Dwyo>P)2r}QEP8ReAyi4)Ap0!ji(?o1fa?o;9Z%e&jFBKeDzFiFzq#Mvi zrjLrX;*-lt&tA!Hy>oG6R7ZQVC%SoSRPG#HLFjUAwtKX8b-Wk2yF8NNgpy8>Kce4% z=+j5KKhoA}e=0i4(*A7kakRO`>&P31$-VJ@Ta!6D3NJl&J;|m`zEOlpdb^^_)$=4Y zTNv1>5V-|cl_XcIr6s@Q<;}Yubibgj9m$w1zKAU&l~wdqms-=VaXfY0H}MSi?N#cK z&)VwgZT}M5@q(Aj6YKO5{ywLms{XXetMKhjJS+H#*7e8jsHweuTUOu2W_wH>PMKTj zR+P7T$LQD!!Xa`_6~&~TmLMkiH5+lSj+{Ke^IIreNF2{aDw*?QknAVU3>jIp&wp&c z?=hHqgDH;|5y_IeU0rK(o1c^ch{Cj%cAiWSm|b;a5uAL&>!h3r9SE~QP;YA!oI53C zA4ODa9WG5S%y42+IyKmpzLHn4b%@bVSj?1BUrYYP;$|b?!Gt4nXos4n{~;T4ZI}J2 zr~}Rq%%+u)c zi@dVc8|d8<-T#qkJ2I75#-gvx9IH2%q;|7oFUO9rB;19IAdL3Z-}OI65sZtHh<0c| z#?+`(Owc;QV(P;v$y6CHX-I02idu+19zISw=`2Ptx4@zM)TKw1d2mQ1rOUie_33`3C0&DrDJX>r%n|fJlCZ>Lc%W-Jr ze2ER6E2rY)h#JyNZdGl5@XdHiYB9JI18wnj;Q#o^O-239XbNkG`k3Wj#YcV_r<5FS zqo;A24L1>}Q625QMsp7aJPOL$RYV`V{UjV)^L|x`iQWv`E3E`Ub{aweMn6K}8XEaz zSokERnPvK8;-I)JkM+i976NRT=zc20YD0TBpMiVAbg95rnUj%hp<5aRY@y_T#1&|&DJYhFMrb5j 
zB43qkO)dn!1Z}SE89RQVe%4sqg8ldc6D=qfqV3EwccExRtQ9+8e-JQc9c|6mQ!q4E z9bhd0NxS_Y6P;w;4VTBbw}UN+irE0bTVf_IkAmq9D+< z>>@*paL}!8kG#Tgx-*ACC+BkxAOL9=rH_5R``f^G=aEQS&Y>_1X5p?++G(wJvJE)m z7Ds zp$#r4*ZZ;#ak8!Re{B7LZor@}!JW;Ki7xw3=nWjVOZB@1KcxMcwQ4qh)T`#K)O~St zhK5f+u9EvE$^p@P7><=20reT~-8*f0U#$mRYdMN)1nR{(kL?UI_^Zw=ty%Qs+pvrR+6z$j)={99IgN^~3f0rBh8javD?uzo{tXTFoQevZv)N`M z7WLUq5S%MQZGN~fuS?dSi`~bHbC@l8?f$V*QW_)FSQrQiw|SAUJco|ib2wvOBP|$x9m;dq7K-1{+p&g zSusE2ex~T^6NY)-(E2*p2lrM}2LDv*Koc09xTL24AP8xz$OM`(a{ zky}$kROpNS6i*S|01DX2((W0btjbeR7qLr2oo@68P*92YBfu;#w8T4E02CzRY)FxU zAZmmde_Y^YKCS4$YBCYIc^!+TOGZn80}9&gztZbF69G_|e4sEAd`pn$)qVlHUkYqZ z5hD_L3kCy?=xNjyAI;f*vLM1UMJgz8?TdI{ZTIQUHn81X|3dAkcJx)=> zwl9^#s)aLIST_UgZ*JHuHm5qB%>iSY)X$1wX zZ;?}BUN(ndcg}r@{rLM|y-Mppa0c8wlE+SIU-F!{HhvWX3?*b^6=9VEP4`rwqr&DUxNkiIdvC?fixdT2in zuO8Hj9_yWj6Rb?d(^Dhbtrrel)wRh-(RX<-GE0O;%MBTJXU&`~J09q8LAkQLx$w+| zY9eE`wrtj=OsZ+R4^^L$)etm4{Ku^PLc$7y`YgR#Bs%N0P6WW)r#77>Bxuh`S2SIZ zCMi29N7@n^+DL&!kzW1VUO~$-6?DCuaPuUntV4L*y+n`Q!f&_2RJ}8AQZE~@>YD5RiM<-` zqj!x52s^(6V@wiN+1f&`g<@U79_n_Y8%BWG~cGEeJq#kM08z{eA{(4MvV(|*1>WyOgXQF z(%Df2y2$2VzXqiq#R`il0N5X~HVl+94RLGjvX7eI2BcI<8Fm_x2R_)dXi1i%ktjJf z6z~hOv-XQsaG?Xt#;qK43`p!}G@5TRIgQg#ZS6$z&gaWDYAoob@Zab6eMOWsud9*m zf7V!9&31=Fm4|kkTDS&#@xEj&#V|H`PJW1ks@Up$WsLn$mH5LfN?HaywsHewRhj2> zkp_E-%AU3@+-8US?e2jHA5^UQPrv09p?Gd)_Q_+mD3%|=`{wre?i~xY(mF7U6L5(l zeO4rD=8Y{u{^wm9-COo28prd3AbV#Nts^y}}J9)mM2d1W#&<7G+B!W962 zoLfHfBEvXj5##~+v`;t`dQDZDucSE)IR5OcIRd~hXsOIQ`JwMnq%PoeDu4Dk&JXb# z3*RQqTO>2SzgjV;3P{t4@N2}L?`I>8_q7cXmg2xu{;BWip15D~)b^xZ)?6Y3y6Ae* z(Mm8tHCpJo1X)vb(>zW;nf`OspCE3xAfWY2TXAtyhR*;ZUe-}ywHbmf=x^s<#ojYn z-)!%)=G}CPs#-h0I@rKfg_R-Z1yeob^Gf>0F6lgh>S#%0?iWmFpxi-}fD2gT`pQLP zP|(RiTw9?f5yz7Q3mMQ&2>X{&RK=F^=l2VxtDbo&|I83fHSn{M0S_r!qTv@TxDZTr zIP*!RDo;+lXF`hn%n}*C(_B4Mr|tpXw(c01GD`972m8D3QbDZm+p3OBW%1YB5pCCJ`*zG~s936F12|sgb8o_^qi1+tou;k4 z8x6p6_&gAq1A2M6>uJ24!v3asfxgq_2c;@iqnk@H&+FKktk>X0HmfyU43(Vy`?M2$ 
zZTGp|)5%Q2*GJ~32NyKk9%R&!uO(;}H|g`LGf1fmsv3++#0hoqZO|bfdMRa@?0?~ETY5cUAj*BDR1yQU$?_l8~4-NvqAk8sUhNzb&f5d;q1SvWwl>b zz{I>8w&eD?>$co)#=X>q=O(GK8dl2?awH1U5QS1Pu_F=2WvkaOwI!*5+bzI@e;9Qi(iNjFXHw1u;(bdCZ<=lx7Rs6 zF-v_YDDmMbKKd|g3JgTz2=2~lVcaYuY>NL@Q~s?7t4G? zvo*Z!(#%Uef)~E<)kQh1r6G}&aqWxU{+!TdN_o{654)QokZrR2`qZSJT!{;)@xNYiy81lqX(ytbE0670etK&)f z7foJZq_#$UPdI^`&nK{j7&4 z^eX13R|3{H-o7T5f9S?nsQJuO0isD<55ItRSj6iC25uRW!vY5OC{{7)()=BR;i*#> z4dNC~Ti+f5t-o;zv6f`dkUyXuI05G$4hw=*tE@~{r+1&;lAv~MsZ-^%u6b#jKzPuz z1HnjV{L32eNMQw`VXxKeDYRVv&Tkw?^z5A|vjeqJt%=XyswoX&7v7)bUTFC+2)~n` z?D=W6Cy5+S3E$m=5SxrA_z5HZ%r;QTeEz*6TRW=@(e~Qe`+1@+NP1A%!tv>Oms45c zr>U29(Hg_}Vbf_u1%&$9+wu;`_X4=<=}=)0NufTmv<0YbRqPlFDI`^+GGm3#+_l=? zP`kfhM^#BmZqk=x^gl|Dk^$00^=da<;P&0H@B?E5>qjCq7D+<~%9U=WoJVPLSAGjA z52|s3vBVSfay68QLg5$2MLTjuhR6%ewff3AZylI%fr7SWf>YJ0gd_D5_eHB}rmbC= z4V`5_(c9lzcRmZmd9`T7Uwmg2eAgZ^a85ayG%V$mQI!ZyBrzCvl0nwm>)=d^?s@Y5 zCnAQ_`;_m=`+p+B0!7q~-VO9n31+8JI=dvtw|jWYIeAVyxE#=Qd_F!dbmcnY)vSqG zq#YP2`Fc2{%CrCu+_x*4Vz_$Yv>Y7fzyZijrI4vu zVv0w!sJ<+>$vf2{1Edt zlcgyCTDT%Wu1KM@F^zv)59)8Y)03@G0fAAY`iL!MzD_^?Zo^2%06CofU<<)rNMA%( z9pJ%rdzHspawvkMHA@y6j`67Y#3H@Z(NKLRdOe}Q%qHN6=usQ=icdnZ^QL;$fJaadUHSRI4N5=j)- z4Hw{|u<;SP{4w(qnQcNXw%_s_n>CF55I3n*=1_T5TrRlyCcR1y{Qps;RM>PgKPM z_}G>XIv`0=z0yy8QQ97-MiN!#_>&za(UOvLH9;HgL>Xw8y{|a#55n|yXnQVZE4riP zoWWyPJF3+1mOMt97=|G^%LEYx#EGRJdEAQ>FmF|0mB*3i@$s_S;7fI)bA)7$b!_yo zq#9)O=2WG2_#r8<8Ki~?n3Xas{EHtWlUc~}7c;<7q<44{43k`i?G_t}s8jQ$u~wwkHhyIGFgX8pD7i)w zdt-jX^JSCWC7fc%PfiTUr5%;3#_0p;bVckTXW($sp&97!ZL5=lk2(;F5j2*zydtF) z(?ut@LkA%GA5OI?a(2A2Z{w4Q#5Va$GZt(@C~+C;4p)|mSfJ$!een(?wPYrw?Q6-NMA*lqSJ&D znJp^;+{jvbq~UZ-#cX~}?QnUgLqp%BE_7!bdw&SW!LIRw52+%>YO1tH?$Y#!LFUwC zIgPYd`X)8Dx-pNERMADUZZR| zD}BfgRV%k!gg)TfbT;=;gPRJk)q~~qvHb=;*sD^h!D;?jS-Esw)j(rXM)Rq4sl_ZJ zzMH^^b+-q^FluRb%M}#U6#J$}VE=(4hry}-0__bU@J!J|)#F7l{W{0Z!wmt(6Vu0u z=2Tx$txXf=b#CYhF&dOs)vT38YAX2oRSHHpI%8YU;!QQJzJ3>1j9dmv<~k8YEH

5%(|CMzrob`$+0oJEpRRWX7 z)I{t+Puk_bO=V|Mr7!40szS^Qunpo%v&?V9bv722-Ae&sGt{H=c3TuB^_X`t9GQfF z=!NPXyYq5q_vnLJf>a!!7R zY9f#MQldW5o880pyu>;$baR~#un>w3@)rrB1^%~-m&+KBXY2k~r4JhT7oTaIulD$V zJk+^f6lQp|e!V{Rm`nEWM>xu-=N!d8dRo&h9ymu*tRr!(I+BkPA}SBB7q4>%wUG^0 z#-->RdXt<4$Q5q`RlQabp2^KfVjF&c>x!a z!Wj8lhPHqfPFScmZuit?%Lq_~zW(#2VDjIhHe_D`U$T!RX>E^Xrr)D?ix1duRy<-? zK-5FCa!YSe+|Y2fD6lSbEsscbTqK%>(4dU=mxD?mU*esrJ#WRFT%-W+t*9Z4=XJ&J z{)J4sAv;p=t~geX-U=IJGF`B^0@Al83*m^(*e_8*Vc!pzI;8&{khPQnhiynoL#Z(A z(~0GI(}*n*k1pildwMSpm(t@6uW6QC;eQmzYfhnNQZ$ACTMM3buGlMWphl!0; z4;%o*3%ZQ}1FOwGLC+eI`91roOL2km%PL{61*rjP<^1*Ig4Cl6>l97!>)0D1h4WDl z)!$1}XC9?@T}2&tJWjh5bH55-mU1-j2VFlLImo{vVCFu|}f8_P6x7YVo!@Am#CtcMX*+Y#@_L8?+JR^hxA zKiGStQ@3;(Tyv7R_`PSOSpu@<(6V+X@|U=xwD)r2l-(r_9gHYv9pdT)cqhc>$$-q% zqMRrpHl%O^j0ZHZTwgHc(Z)3@idctZiGRUex*xZ%b9<8dNENsax|@l6TlO~4 z8u3VgA$}bD>Ms_GhPVP)7y@_1_zvGIEb{_~!IW|=aYCx)UGXhPs{^y{!avu=rl=FM zAzJ`kmo<~*7|2|0IqYN;7;h%k?e8n(N`KRDAT=EOcj2T8=;e5u?vk-{GUNZve0<`= zfK3vp!}Z1@^Q}L=a+TghpCmY7)@?znF%dNRj7s&16EKsJnt{6j$y@-Gg}Oi*$9@^3 z8TF0JZkUT5_EReDj1)EtfwbDQE51sEnWDGT63Hj_b~A>zjrBSD zjIu4<4r$zBBxr~_#Avp8HR@h5>=d4T!}Jn)FqB6jiTzfMrrQZ>Mi-6moxLHqw%(sQ z4QwSol_9r6*x`;`+f0W;X0x(hS&v-lrAA zf?>J?Zlx;X_vzDAEIjy*yV)~H%90LdL?VrR&HC0?Y4;zg=wCSmy@W3@ALAaedt)a3 zr;kOOi=^95bYKjd_cepaw5Vr50!yYHeD%ZV`*x{YY5H!ve-!ChdMD&u((VsM!WZN4 zrtxoLHj__FKwQyD+vg0r)d zd#$l8ZQIuKM~A@A;RI3#F2AjvNGCbDdmb)&DbpbP=wKKW%VivC#^LAn9I{7EAZbP! z2BJ*;2=dm-fSX6qN@0TSx;_7n#LA*eW6Pui*SzTt+kt7le3j7n>-5@0s52b(^)%-s zYj~h1KgMjUy-qa9Iy9z}bz*^Z1trE)O4u0-I=+@=`;11CH49Va(pa9V=ifyW@kU;z zSt=c@03|znx@h9<7WT{sZenI>wO`$j?z8bBRHj@4OLPcgbH0N|8R8m4q%pdN-ln81 zk<4W;pHzEctXXl!vPh;jQN&GZfxtRpG%>10<}e>m8@I}&FNfqEZT}35D)TM$T(S)? 
ztP!!8CSX|UbKP`5ZL=t>;Lsadcr$CZ6Xtnjq4x(5zh<%q_A@6Y=~vv9MoLsKJw+}Q z87u;leokDMExKW?t)w6{jK;72CE$ERR$1UxacsX#e`j2Q@vQR#nva5ho+&UX+M3+f zU|qj|yYiMCPRxbO57?EqsU#iku{3@nKh`b7CN)F9RJ6Exq>#I@@DSzaMlwTDkL75TRC>rFE=EU%G9D zXg@9c8MY`$Aw)Y1&MV!kVPu^gMO7y8(Bvq%;CqU3G?(let%@}q+dQM!ztuNFg#=dL z3t0W@p~$wC0p!@nS{(3nS6%P%0f#TCiVd#b`7zWP`4HHVGdyiLXQXIMZ~e1(LYi>b!8_CZ!z@%b zN}r8%1>aCOAnKm}19>Ql4G|ZzQvl@8(ny?ul&w(hK5-IG;ntV_#FXJeFG(|}n2M_= zFk$={zoa%;uw^$X52}wr@5EvU-FF=Z@0+&5^@XbHjwv(c4>mZ4sV!~GDKC!19=i1NPaH`ID_fh7nF-5@|m3@ej8 z6B-I0>v5>y@6LNhgzd{=@;osIvMFF4%NgcrwY7jFtorSI-eBvUI%6JwwMmET>vfL+ zt*T_phE7&nDj9mpg~XJ}hl-D`s|*%)7r8lA&!{KRE5LPnf6am zUzd3wc_5hvtzzjcnQG*iLPFUQ%RKT~5qy**w<(yyc|D2;0nMBJRmY|YER&e5bJVEu zy;G=g#@kfQ;3t2Ag^^vIs;yHV!iBrrGJKm5n7~w`5uH)HgLn6}8I7%>^poOOkIYPt zZ79v;$A~@B@fv?|S1021l>!e9df4wWw_ftjkbfmIc3G_G1IZ8=fV_x`_4&|Taj=)v z8X58o$bCu4$QZ?*42^8)SOoj#E6^3oQg|P>s}GlyZ-c-cyrX2JoRw5h5sAltE(WfW z3cE80j$+kI_D*okas!qHUNJ&|s2z854-kE|FI? zUfEkIvQqYSsx=LJ+r>4(*8S`4C4BMYkYqT0fjz~xo_(;IMSjqdwH>nmufg>jS-KSD znF)sXglu9zf2&R;nANi;AX$CDu=`@h7 z?|h#QFI0Q&5~JucN5M;`pJYHhocZpH*E% zvdlncoBw}AU1NA%UDIx3+cw&mCvNPdN!r-9&BnIb#^#A_+qT&_X`19a?fW&)@4c_R z*XW*EGqYxuTMP0bXw(ipf=&eu3Cz17yR13yZ8`EeqJ1-TTyP~oc9v(_=&rkpi_bvC z{=2`B>kg3)LQRek)J*Fv-Oh^=RWDX$T+-K(s2meX3A7_Lk<{}2RE#U8`L@sCGV^OR zR1wl_bZ^R(76)C3<*e5l^wrEmQ|EJf z)Lv)w;ou>k=GBNUyb(@$Ir3#nCd!m=C0Lqh)YWp_gY;1fXLEubnY_IPXsIn zR?VKO$jmO>Kg-s%8co=@@??x|2v*rKswj3r_T%4uR<;gcQ_7gy>YPZ~=Srpy%-5TvhS6b8< zyy<<2$RmzSa$+B?y=Epdb?6MQHyqpM>Et$EuaNorUyDc82D0QnbLgDXj6FVm=UL{n zmD-n?`5Ts}qZyyt*iZ!GtGMddSSAI0>aE{eWgZft$ zb9mZCPowHUlkJ%sSqiqou0mFcI@dyJ^ukK5L^k4jQEV9@KyXHWrMqjrpKA+kEi};& zJ}6viq5|6({63wKR?y$kHV=OMtRSE4QR0+=ph4)ezRNmbC-2Z@*TgCY{wIswXZN=e zCyFQ85t%bC_A|ZG6nA9eM<4Rbrr3$$naL zCLQ2o(28oBaKy{{)w(*J!BP9PmT4EQHdxeh>q~Oc#b!KkaInW%nA~<$u^q+eI)6F} z|I0xHy(`cjwsZ!6StXmx*tl_^*^tk~80v2t=az{z-oTj3Bn7vaSBEkz4q^t%a#D;8 z8I11^QteE|d#%@(uU;f7755D@=F^#29}`n>L73qlHHx4zUiRD^Jbl7-mfUx5vFxpN zAN;M>OX{S>*w9dS{S4dSQ<(LgTdP+3E~LGy9(i<4%Nnzu#NH*%i3Y1w#l5@XS_)hA 
zmwx`oQD*rbz7t9T?rSy>$dhm}&^Sb_?&35J;qHp{#Uj{;QI&_>CDl=v)FO$@&${7I z+u^z1^*j@h|2GJYjz`e?>LV#92vUs*WAQ6i9cvTZt(PXLe9et73wT0W;1w*Uk&u(K zgEAou2BzkcXTI;_ByXvE3^|TBB7o{;5)}nKBC=7TX&L0^%N$|xMQGab!DL~Eizbc; zUzgcJv7fT}@MNMw@!q&mkdDIsm>7Zw;)Y|C2%?I$dGp0Bjq>mgeQN0n2|E{|*|OQ~ zCav<#Ok_wG-Z?A-?i6kr2%|vr@JUo@OeZYo4Vk7>+0?$4FqM7z{D?Nn&s_bVGWwwFQ+J?MgOu^t1nSb(FyFk7VQ#cQ zTfrxm@3L3{8?@BJnTl=fg)VfbVm+IP3u2aRCZ|w;#~9@5u}}{f%8kcxDG(Y-CbE&0 zrm2f)XTYm96o(`Z=MlTRB`xjf@1~6YM{O-^Du~+AKh*9^?Az`US=5>rn&g;VkGr>3 z5{E1w2`Q$7hg*Lf09>4E?%ZXAJ<+AKZ>dL}9ms5eiX{HK<^lvsR0E%7#y>H;W$eqw z9ojK05Jf01Ksy`1a$xy8NC1zaC#Yw3xXCbkGN*NjHLM1oqdlaX1WWOkZ%B!V zXk@Zs^)1&1GNuM%a4{y$-|^L~E?)JWC--d-m-MYnn+w+e76)og8-1J8Ioa7RTpMfFZf)<- zSv^OBa?dv050@fprk`+#e+IU;ysESvYSe_cs7V(D8Q_N^n80!4A~k>}lW_J#V)|G$ zD*RfuWgTK!{3@sjnTWw+^8vNby?4Z~7hP7Hdbf$jsw@cqLp=`CTO0e<@6atAPQ{ zhWq?XOSb->7ybS>)fTA1RE;kz)wq0S76Y%5Rfn(i;z;j(Y23j>&>K8%Vk0p5L7r$% z7CWhUy)ybl-5SfWLk}2_Xp1SLu$ZK)(&R_e_-EE^Gn^j{Xyc6uo@1!UuAouZJt8D; zDiBCEaxDfSNb(Gbvr15Rp$QHvuka&*``>u<(XU&*UlHK8j!O#dXe{04ziK`@!vQXC z8f$5gS|arnsW{hLT>W++Askqfjgxw)e_Gpfy)2zXUt}@zuiOo;k1ab`^Ar>>I#5W{Co0N+bcm#h8;OM)#0`R;3<|;HCycH5 z?$jwrHQJH_DbZC9#b^hG^jT#IcTguEU@$}XfBo|W*zyDe-;ivagIm_N&Rp8suxzZq zKAQpg7Zo2o2j=^uY@#hA*Nio(a&@#%3IT^MDz*C`IIpDZR=jHPA#+GiS2S6|J`(u- z8CqAWKtcf0gIp$C7%eiGn_7AK_vxAaY+CYEyWvci{hUO<23BfS8N;>xU{QRg65Gu1}EEbs=lCTZxF-Fk-7H?PhPq{7#ne>;=d={D+p&^<1 zvF5HF8hrOFwEEIH``~};xK`)B#1p3U%w5P53;eT=N;{hurcl==m42CEQhoTT-de#9 z*SkN3-|F$7$JdWnMP)uRM5Zkig1aTwI5&^Nt zm2F{LoV7}sMUvz5E%FTX9Qy6#4zUqBF>_TH=dVLE*MVFOgL_mZR|4RAd}`2I=f>R$ z`LejlhtuODmkS@xTRL+$0n5qs09|Nw9itFldVHyMajU~K4*@zQdC=fD;;2IMv#xcm z1fY8%{E67-PK_`cdnTt)%9dXoKNR#`!GLozk1^Rcoi zv`Zm?G7HrFNHn#0Nx@|B?b&D;-Fgqa8Vc2aS2gfv%JYtWLfAMwDnzA-wvJqz(PSWB zJAQ5^L$SCCXNDN#Ju5Ia|Lw}y5MCi`K=9CI*>N!%wQrrVacAP>qT>SLEWkY=%`8gz z4D%QV5)JvTG)Oe!L5$fgV6tM>kPiB(GaoSA^1%d?A*VUY?GybGF$RxxKDTT z1H#TvEAL(No!<|O^S_Dj*6W+>2uALIe`rOoUPwg^lBVb?JW4qnlqm$VeO1dDo||g{ zRx^G=t94UCW6#;8b2$y}0K5}aV2dJ&ANQ(5Wz95t6-CMWE#UfVtMgF&q%Ycuo;%lG 
zttIyCZ1{0p<)h*tMRTBjV_I8=w%P)uPHOu4!s{>(E4lek!(*2Tz-; zZ7(!^P4Z_L!{VkfJ?^UK2i(a+#oBV_$WUzCE#u^IiKHi@%N&w@(gP+s_U5I&EzB?K zn~Gu5(z$H54#?Ve^e}xN*LY*qnrb;VtH8s*OrhEhC zPEjfRwXN#7J|#B+iZVLSc4L)@e*jlkYe$HzfOP9tE>gNY9wI?bGosacdYt3*Ihq}f z(i%Vxf$9oC=X%vT?e^#`Y@EXyvfu)X>&>s5`wnjuqQZr{d0pR{F zt4Bs)0cT;+WFeh&>O51%MaDc1{hRP;g69uN{CN&dEP3`#_A?_7533U!qzs2>LSe5P zXIWeRwuv;lCNIOzbLK|8ftTYi4d3ovR;OBH!>`58Db@%3+{m#HA~oS{dQE%Hw(R4K z6oiU&s3<<}gap94n6xL0YMW&#+1jncBw{rtY)?-pVf*Vz+=6$oDKEN=;! zUEs3$Xx)1s|_68iQSF{7k!n!o>PSK)%lbde}~B-LdeRSE989#0a=5;g;z4&`!?tW-L-elMhbcBFSS5Pa^9R6`i>=?$PtJq!-Y!N=KCJDvI##2~&+EXSEM4VJ8^sg9Q~`1@ok z@>~?R&brI_`_}~z7d@H`81AT|6s`~I!$(Pd0w)MgKAkDbvflTe^yJYvUY}gxjFWdi zqO9RB<|Ya6$3iVVo0WD7;1N1rxkF3p%`Iug2nk~7ba&Ortb0K^7_%53+?JRIx97w~ zpGqeGgm3IZ&HRLF^|1e5*OaeC`O8?n^$(rGyH*aF0FRKzg({)R{^@-MULw>By>jv5 z{gi;}B%M4qmi^6lg*>pEj&|Q>`rgYefY}<;eNd$!`xFOJ5dz6TIT}q18%BY8`3VAU zBV|n*+cE+Y&>1R4%RnDFO@ejvPVPSERNFwmOC-rbq;IskQ*oTQ&i0$!y60J~1LAmP z2BxR@FkT4O<*1c;g7r;r)%B!!+Z0DI4g`stxnD*l|N0Zm;-FvwFfQ@rIB)!iwE)9F za2?a#IIglb;cOH5m2j3=xfnv+tgrv1VYbQ`^I+LyRu^(kCHb|SBdM_0O|yo@m$NH& z2xexmFC*{zD%OXQrj8P{uUm&i=Czb~$!ZR=341hN>SofyXdw;0z| zf6uk>xX#GX0d%(wR7}OsTKn1d zLw)$pN(JOblrZN=D;+h1QO0Miuy%{jy?GKT6Je_k2G+dcS|FW_0klW{zfKC>{j^#T zdWedSL6i9( zq!s3fW~1aBMJq$ra9@6*$8h zL~AC7gNS>H{ykCQs3q1!E^d4KkoBLV;bxCm5dO{wPs+2*RPSdMgsZ@ut7o~ldW(*5 zJH*cw-Bj$M#+ZGv1QxAT_yS(5pONuwA1&KjUMzBljz( zgbvj4a1|Z9f?{$gg(bKW5#qs^rR^D|B;u3?qtgQ^XpOmG{YhZ>@QmASkZ6gMqUEvfYv0w~ot`zXtBIcWVJTB|A9&Zi4QD0#_oX>U6Lh;4J8NVIe zm+Ej>E(p2cHLS9Z=g@6_PSMjz)(y(NuX5m|3Zjj|Ge+*SnN8uc8R@WlnHq!vi-(P= zZArIWvxS0xX`_W&cQQWrc?=Gb5gL84o32F^I@m#iBJlwkY@@%@*g8eYQctlla$y=D z{2W05f37G|sDiTyY$WNqD-n5M`Y0Nwp`OIp5+84dxmZ3V!~Z;7<4kT^TlnD`vz-aq zCU1`Zexm^`^!B(}DS^05j?m))wo}5n{r% zLEDUS3IWc1#8Fr*YWodSGn9+$ee-&ZUuDZ}koDuv6{OD!`JkLZ!|L?8rbV)gk$9PO z`yCQTyWqj;y(8)OgL?t2i%ND!q>-UW1lg-CN~l?HBHJECh>&O02O>w#_b{6(h!LM7 zCzdV@_r<}adgSxrHd?);FOcwYF7sw8~@aH<43FJ?buG+f0Z~1X#1&`x} zd1%^f+kbmsv_5rPT)LF8_+DgsIL$rbAAn!ccj2!SaiDN~jVdQp@gWRyD(BD+?_PfT 
zNOpX8x3KU2uv}mFFjDHe5>R)Rs{Ir!Ag#Sx)M1YUJ(z^-Y&hJud6w&}`(j5cO?Xl5 zOLjd%itC2XTF=0)hMPs;)!j7Qq=F+v(b=)DQoUN11O$K>)K1d z+C1spb%-=n;6eq(7fl7n1dQ#Sn}*&Xm@f`yZ2`}}p95;42Z(Z!tXNWNsilVH9d+OL z1~hAv)(_a8Gb-Yld1Rp8Q!#JXmol#5%={$yVe6_zp)(ik*QsI>)Xhf#cTe}(wKGnw zS4++l?lSKN49p=a?Zqcgkn*)qLpAPbpk-DJ|kvU+KSbQs*RJ&B~L4VMDoYY4%3QX?@~#EYF@E zCGwQV;+I!H-vFEe&t&o_uXK%fRPji2aP=A)wGFZi%U8cI`;Y3wMmhK7A}E}LJsA;^ z{ln$mH!7E{>@*SCTJR?h!lgixpI!rup2+&SS*hrppEI<^4IIcIxJB`(cc|bq+uQ6~ z`?L%Hj*9Qe3M7aE=Isi~h4SRWWP?G(M=lSi zemwp9(p;>(EnDV@^`r9F#mv$AWaZa-10Dw!QDpE>7iH`MK&u&i#Jrr_R134R5j&E( z9^Wq$V0p%=2heV8`1vDPeLJw0Xhs?tS>Gjf`=UTm8lBjKrz9sk;ku`{w< z^Rl(~IA5-$YAwG5eWVkzT(|kqE)hKJiGu))C!mNf%F`5wRxhnm) zpHV>RKO;ve%(F+$j4b*c_|tO=lD<(IO~64i#lsqvl5R-I+%YX0Jm*blo3%tF$172G z-kCF0irMuiuf_d$C-^ZuAXo7N`ok9;JdeLA3y@iJQmIrIj0}DBc zzL;A!RbH*hOWFmdU%u_sQRIA3%}drO(Iyaxd_WcOS-u09;0erfI7@Gz<_Uym-q<-$ z4=hP;bjt;?O6>&n<>hG$nqoM_^*%<3&|R@k7$lIM(DIMVy>ZN!(&IGGhUfUvDJcU+ zX1St4ZQ41*8PQd{0eJ5NaF5PeuU+lt_&P&y^P?<%^kOfdlN6s=c=vEQo z9jwS%d1rP}UD?*3SU~|ZPY?)4XPzM@PjBV*m?z90aEcsE+77rjBA|jNe~s3$&2s_( zyE~gPHt&OTDB$B7H}gjQMIQP`B*m`%T&+36w^NCee7U|hMf(fC{bw_s2(Y^{4*HJ` z)wEFk$)yw6N+NMs&YB!Klyd`nhS4Np>(c3xI%Sovs6yRi(#@k76L?LD!_DEzgull3 zG;_~mF(0-h|9O*&{OW>kv_x^@SRy{Fb%};nR)*vR0lz7$Oj9YFv&Dx{7-IJCd zGO`5!g+|~?w}-eJV9Bl1U(jQ5S8h#YjAS(joi@gsg1LlD1Fd~HTObP6EE~8E;-+fh z|MIdKLZ0JrM#>rz@JA{2}$zIP|Vbro5QbHX1WTtI6}0r>|1n$yCHo*%iU zvwsd#8@tHt%3ChHKHk2pTOy4Fo(Ea;qk5}!&i3+I-YJN2 zTZ1#D4?&G>a$2FXH+4EM^4ixg3-G%TD~*`1Xtk|(r!}UvKp@w_TdrV^kQQe0!%I+R znl}cRX=6bN^R$^$H?VYxj|G&R#ZHC}Pl-fCqcguykcnYihP?yiZEKJuhO~H}kAtC! 
z#kjBS*#Zs@Y0LxV^f* z?8g1e%bn|mhTX+ELRuhqzLe*kwiR+qBD+79mVMn>^!CK>txji4pbe+8KsVdW_wwqF z4+cH`oro&Md%IjPWSvEs;ga_8zln`IG_nxypG;NvZ;}eVze9{1`pJ3^=%p$Rz56i^ z2AWPQmy>6^HM$W(k$QkyhflB1%owxIhcxmZ9UC515jL`i&aoTR1%W`V=*KmCwUt(H ztBF-!yu)`I^|cqDD|He|&)Jlm8`7p73u8(irk$&A!;EaO!&Z$H37p-#YSw`6aWW0D zdVz!Fx;MtA6s6(i^Nr!+!aRiyyiS)CrsCL^_RL6U8B$Pbb1qH92mG{c6j*$YjO01O zr}3?HO&<@U(DUZ{vkCvXV8>(qWq;=)Okh)Q-<{%k%c3*iw*HDyLmd#+#}AF!Yj>R3 zvn{be5o(>+znZ97_UNa=;CTDm2>~VUkAr^6mWg?fo-y;zVGaCJEqz-JY<)~I)J%btZS2>e)e*_D5kU z!lzpjx^iI>wV>}&-nrtPOF0f8egJT=9J(Pu`(9U7DaKoqsZ3sX0xA!=m%VJFC|ikZuc zEV=!w3U@BOj-t(NDs`I;FQ!qp-3lupLen16ouSEh~Vl>RHB>s~})M|GQf% zj$rTpS^?;dH%I{mp1;D>-HO8z_+p!Dw4!mBlUh%UD@1@Ui?yX%ZA-kS5-RK#_uWNZ zwFa$YCQnvhYC!2>l?II4AQ(kqVegG`(++Hb z?t6tlO@~a81!zWyH8;1O@Y6Vq&>LQr97}#_!cQUiu41Gc6PI*?%F@QTXEEj+&ZucQdy$BE;sFuYVZ72vU&fb(!HO(jy z3jrB|r@+s#L-t9F!y)L8Dj=S9>&sCM8= zHsZ&mJY_seZtrEe5&CYI5x*&~YsbK^DNeoT(|pxd8>8pZ^#)Cj1-GWxr_UF23d;>0 zC%26e$v>%UgKNvJy7iVMhON7UJy_{1T6P8watT{{aq*Fs=yaFc%Y)UGK0C$JQXAp> zxPeB_`wfwztb}BJLX?I~gxHP7rAvQCN_yWc`o2gmS-(LRND2Xo>mTA5gu_+_8D>*Y(LsCq$6;|!Iv4Hg8j~WU7uow>w(>mWmqG3w%zm_ekv=d-Zr9R z1O#*q?snl)atEdD&kJ`LHcbRD={klFhsK1Pm97iM@kVN1i#)+r+Lf_^{6$P)FI;3I z<+JJ`5YbRh+(B4&76mP2zeEQCa}(FruIvj@MPKVGULgDKk@~Ez9lOEnd=DMTU6<&) zNV*2DoTt`@OgUn=Ey*%_sT4D0^8o1*^p^Un54e$FVt%~(0sFYrl5s`>!L>BohWnR` ztvu{dIgoJvYVsTTyRzi>EkmO0 zXN%;XEBHLAr?Rv7kxazYfYGUAFh{g~sv+x?%?-DEosNx;1(TLTpyqOWxCq7a>a%~> z?8qsyy|WO*NJx}a;>8@zKEQ(%nH(inJi-mhRxxU{j_iD{e78vH6#?4CB{=pZ9um*( zXZUsC!miGsl9%tmag=BALMlS~cJg5E@cE)Y%}>!p{HZ>)Ko{a?9<*sXovx;rSyQm< zn}R|GD>UC?cn(qaj85J}gkC3}LZL8T2Uz-CKMI8ulzxAv@f2e0Sx>5WeXuhBIR$e* zu=sXZUo*x&v^fSp!U-{U4cMGq65jLGE6j}^N0XQGv#)%`4pk0Kk&-E2vYZf8f9d_I z`4(Nusu~0xOAq1 zCJKf=AIkUN16L7sh589FY=5Bt3rjPh0)Id|LfL>hE=zL}V^}V%`1_RyIN#@w?rPAm z3L$^u>?T%6_Ac4u5Sy~br?+X5c6l6%RF~!ye=T9#K7Q9^z>B6Jt)+(CJx21sjxCC)(U*r>csnO4W7!w5CKv2|a8k=!guJF!3-SPgY%W_Z{@F932 zFR_J{>4`YJ*Mbyy_CbNSMEQsXFUFeueq0kOK4s*c2?KaW69V06ewH9*)lu5yYGy3O 
zDB3oZH!8JJ21b)x6nST=^na3vKG*2|MS*5Zo$|~L*b3Y2uNGb%+Yapfp~I>jZVtyaXgBgE ziH}4&vNpA)j4b;%%2rX7VHfWAWyWsDTATzzWc{uctTp1zjFag^-msT%N zC(q(C(5Yu4l)Ed$dQPCM%%V2bvHIe(ukz-T4ANlL3U@((9JLrh^N8d$1pp(aN@r# zRYFb4jc{GeGvU&x)3QMtv(hw2aG;mlMzz{r0e=}>p(4iL6~bo?6;U%dSzpvhPfJydpfeU+8)68obZ0Gj6Tm8}7ikE$ zZA1;h!z$qFn-zP*a#b9-x=Jm2?lE5xLu|GMWod))#83G4_4BQ@t{1M$OE@`?z@;78 zI=-^zHK#TcL9*1n+niWSwgbG)3=5`E2SnR(_D-&a&iyFcOxaB1J9d`KmEmvF0owuv2^D+_cw&-~Qa;>Dkq3TZE9 z1(QGubYbeM&a={(uJ~BIR==_Vcf+LX&ADdalJ}h(QQivuaPQ&xbJvEhY_rcaCEA`C zT3eTC4rgcRx-Qxj{-%h{H}p2&z{5E&7O*Wj1Vk++W(oJ zJzox|D|*fX$n=KQDv}?|+hIyQO(qIZ94+YIKO}f-#y%%Of8D-}IoL7%N$Euf&2Obj zx@L)-U=S6G{Y7GNNts$QM8dLxm_6Nl5#l~veh4uFS3|PKro$lrkoVYi8Y?Vvrr*E0 z%k(p6r{J0{S`q%{59@FK&AyPcb2EJq1;H?T-eUUuqInU(0BUO}ps?}D&JTt+?Nsf6 zJ_bSS@v?Na>W2NZjgL1I{<{5I`EtZ-x>Wp>RSM*Ao}!x7Mrcm@{c#2f^Y0JuL}$2o zer$YJMh;%Hn+E3qW}cR_udFMU`|w{y#)EejVh6G?Kn3v0Tr8S>`!$sLGO0JY7O%;+ z#RN_V&2D9`$aNeiZ##F=QA;ikgM7wy-?qcGlC8pE4c!=iJ&31(uFyc;zR}?3cl*^| z3!ecE)BFN_hjqP;-6@YmgT0REGm@Bz49lmXhEf21@=EDg9!FD z`UKIE*D}}!#)Z?we@>+S-ie)gfLAl|T4xS8UmJ;x)0PEm-Q?8H$FI|ci zM^-zh?oYlq()LPGnhIZSaD-y;%C+ACZJL6#76sfG3zG=-^?N|7MlYSPWk7uLKO;Pv z71N7uMPM|Bwc@BrGz3nanCsWZmWS{(g=$8Stn3VCtZY;|rIogR%kOH8i*K&7+{SU}9ikINsg~J~Jt)Rmm?I)xC3*s8$T*P=gfpW4bDP3>?Jd3)8A5TV;A7z@Y3v_M722Ogbb<{%caMgo}8Ddg3wr4|syZ{=Mu6 zfpB*7C~uO_m@`1^2|sLnD%Z5DPO~7hH*INGK?DM|pP4k;HNa62EI0=U2G88&?aw6G z)E9Cbn%tB4Mw=};!OvaCMbqbRlt$~UTkT#LGsCmBDj%^oLbp#Y@Hai@sJbkjHphFA zj18jho$wTTwNsLNmg6qbzvh0Jk<+N$4O@QB>RK0K&%Jg79`Ia-RC&~Hw-l5|rL`-B z9=mn)a=?%ME|hPu;tpNulh-MEo(PuV*j!W#BMth!rq&V68b7vW3W54Jr)~fnMG^$? 
z!%;`+tqN(ns7`sX+eXEsgw%6PLUmCN!lf6Mkg-jdh;-iA@|Cdh91GHjq|I{}1y&tBVIE>h%$i9sDjDRba?}jk^_do8DB6bxvW#5rt+XcOBMiOpuJI*P8dyWXX&AFKp=o; zFMRSxBL;S2G(v=}vmxz2N+(~&h*Dgd#Atpqp`g`FhS1X%(LTaTNHzw&g#U(#fOhDn zK&;&Zr>O6P%}W&x+%JB+Q3H~C*mw&&T_w*{*hjP5;>0WGo}lu=7VZC+7m(xw0lb*% zo5eMwFwd$)zJ7V!@OG|nZ(6rH<6kJW^4L~sKOqt{45FTo z1FmTO%aZ|K_PTIgaU5})#Ugo2=~YE(TKL2&;M&>kI}h=>K#}}?p+_KOY4E`FWsc1n zs)d2U~GFTnQo=$=!!W^e2=x=hYo12 zmXG@eNr99zY2ZdQp3`|MmtiCH7RI{VJrqoKhqaDpqBB#k+$y^)R~*Fb$ltM(Msg)U zdWn2JF8u06!zN(nj11MZs&?^*4cYkr*svA=a70)CfuC%`#^9IokO9u{8E$8^2A8(g zQW;~F(S&Qderpo(jn|EZ&}#u$V!KY~se@~a6%EY;_FgS(nl0kDP(~jLE4)sEG(N2n z&W9~LeYb3TPRGH=x}qrWUaCm3I{?)f5#&&g8xYO6bR5&>-`y2$G)h#9dC)LPietK5>zbh(m|kN|kG zxD+=wbvruF9tg_HSsIm6NFj^lHWAcvfa+ariJ;xf2YOr?rw_QUN?Vze(I$Bq{scn6 zG7`EWnjy_`e=;d!J7ew3a9alGH>H%B+p#BuXR!}0rUK)_{?cXnK|`B)ia9}JT-4#V z&QJ1p^J=^~IUdat;w(Pv9xs1zq;^c<0i)>&UY+uS7A0~_;y|DB6X+UIh#V$PSmM4+C2e4O&HfnVz{KnR3Ubvv z8IGa0)08za3<=o$g+mb-k91!Sa*fy`BtDPw3eawo{9pw-*iQdfCdrr~*CNwMDuK^n zjkRg|0cU)$h{j=8zXFKf&d#o0`ihJ^EoxEkTb|fFC!B_p!BM@2)i7i_5Aioxu<`>^ zp^m4CV9f_KF<|pK=*1%-AtQ@|$1`D}a)t>Flgoh{^NTTctD(OIkyVn>?4g#f{g51~ z5-FOWA%U`%OW%HR#PV@TFi~(@dYEB{%iD_eIP0uZ=fWcX75^=)oT&&P8+8dLGH-A@ zXEfx5stQz=L+uaud#I%m!h)M)oxl(SWc$8xkN*f2FBXyhPz>!z4_eubaL3bq_p#yY z-09eQ>Y({zh0RBUyJ-4}h%8{^(~dtm5T(oz%kTSA!8c4@pp7ke&o8(M1U<1CTvM+#E&>)}IPY zbD?t~f~s4Y1})0+;&-HlGT(yM6->H z1avz;tL-dStaUjjWe~G&`G)g*H?tF;ntvQ`v*V{Vm)sM4T+hVXT?6QRgcQ!C5-Gm( zTm!sBUO(yWuyIxO*4{4(11lHCU))CEwd*w#ei2&WwcBKDK5P-{6sPtMn6Ch~6kJv3 zJ`jh)z;7E*Mdl*$*k55<_V5jHEMwsl3xKy^Uwg^3wWjer5l^J{JF_vMZ8b`;!D5Hn zYEpFD#SZ#~W6(LSneN9j(TZ}`jne3iVy}JC7R$d7)01O$811w}ebbZ>Ts}>TnokG@ z2K^$oz0S`|DS9nfcp3%q1I|jpar%ZEyT(Lr2wP39ZH4y$D|h;af%Nq$O&IlbP~mkM z=0K>{uqHMUerS~>9QSfH096W?Vj77IO?+rHH}D`3b^2yo6XqXI;Vl*o1d4FH)60vb zLL;j`nOHsq0gUjzGMY>)GMWg z(i6?CMy_Q6K@~fGl$Ys{AqV^&D%Lt3e0K%}sWc3tesZs*a$IAGTMV>aifF;X?-F>9 zG{gb^&wrc3x!E;Vd-(O?lbEJ0>-DXSfm%M}mh~1FUpTOyd4K(o2|l|TfK!}xnf0>4 zZXEsGXyq}u?|gdGPCZ`JZqzD_6WuTH7o4XxK_P2Xts&FGpODo~d)K 
zIoTC9n7NGcHX>Q92j_nlK}pabVuwRs--%;~b~TvEjD|@^#s z7U%o7s{GOw3(DHE=)=dwJ_eq6yeA*M7STuurj&f3qp<4?&)K9i9^4g)Ajkc;FEHEu zP85f_GOZSIGa(|=1G0rz)e5WU+{ZO{hgb&?s(|boV8WLFzt4|%(MIAFvgyO;qwYaY z{N|;oN)aZ!BM8$?J%TLYpSHk=6>lsA(psx!>IF5_h|M~g>=vF<03jA-J z{Os>Qz&vi(ixnlz$c3(IKsFm`Oo0@y$iUKthfc?w`sew7i~mkEfclCP)uUWCCx8w> z8mSxCIhpI=)JVF1eP}p~>UlKzy%D84D{!*bp!iT~H;UA4hoq5Nt#XuEw z#`Id8Cx5S=2+J^*sm4HvN)hoNKZKbLZt@=@3xynpgq;L9sMDl4t>tW$>wI0sip+L~=AMCyA^n;f>I! z`*GeF6r3KM8n!4`mS=q{5q9~Ce*oXvf}c9YTJGXe&!T>OV@;h@)2^|qIAp5%mo9Sp ze0UC3DQPI_OsOErW@p^QPIc7mc5IY>-e?FnRYiVyz2ZUBVu%6E|7cU>(V!4ULID_wQB{R%JC@Q_gLP)_r|`A9u^+&)TpUJo&>n{{!TpayHNGSeg>-+U2c)V( zsJGxT84^2m07Bn+tQ$victAnpmT~s*vZm>O`uJx6S_Y96N3v2N zt=c6-=0evMl+TiD40;a!<|SMU#F;4sg7m8}EpA64!n&O4PfKE)%}9=}E55aTLo~q3l{3l_x+TQ)&*%s7f3UXzr#ZKpQ-+-Rc&9tFoKjwihxo| zij;JNN-HTPUD7R`8>K-&K)R#_B&54jO2AFS2BamVdvn)@BOcN7yyrRhx$p0M?&tn9 zS&TjAoMU{)m~)OX*P3h9&bW~end3IiEsLOb)BSkFLD#AC;f8J$qUs05RtYUU(?Ppx z)^V1wu<@J6U$c$k~;xn zc=I}(mtzC9^04RII^ly@esogk#3{I;Yl#GOVjx*}!*tMXDtYz=6K1Nq;Z56{rVP+H ztj0+ckL}s`=s@7+)Y)WUVCi|g9^1R=<-G+;MR+t(&y7125=VhJ<(ViuxO!2*&p#ZD zw_lJTloU8ixin?KS4(g?JnhX0y}E)o`q;Y zFYOHs3(fNIkA*y2Ug6;RL1V}CKc_FV@SqytpS!PLSm98@m7X5BHxW>oz;ZkSj2BlUj`a%Z|K(!8Sk{evECSP8aD&C6~=y|&K|hO z(|YnUthW=d;v2^C%Ujz6cCC833|zU>AU~@?jg`o1D^Ix@tI=s|%jD0y#>Gqgx&E00 z2a_E8EcaciO*N+VY(#BhH_{-=w1H{uVfaBd99JF~0%@}>N;2@>){^^JbdSfHcAtm7 zDL1@=#^F)*kY!p_udeZZXJJzrwIIGJjQ{)D%u`u$cNy z7V_g!Z<+3V-5%qTJ-t$GpX8Co{a32JI|z>t<=GURZPW%55U7Jac@^jPi^Izc6_H9; zpW^9ScF28|(q^i7DLEjl{OZNC$;g+{q@V6kBYIg2I4p-WZR;?h*ccS{bt#kFe4whH z-&=7f;QN!o6-5T>Xae`TDk2(sR0kDVIx9+IAMQMR`T%+j%ABY`rsq(y^Gv(t&zBN;uB0qa{zZ>%g<(`gE<^iLYu z9%87(W?7f!Jrbj#4{mSdVOVR51z{pj)khd`&Ryq5Ippimi@(XR)-E4ZEQo+f>2_?t zlUF;)vkrQ{f0&^;zmczO^%ZGR_!X~;um&eHZqn0$h!$@$T$4o#xjO|~^j^{kjO*4o zUNsBCo^C=%2xzP{Y}{#ABN0U z^u)UCR*iQQ-kJ>)(=B8VuW}I5#@6nGPkzaDInY(F(c_sOUknS=14K&8%2!W0x?2r0 zCMho$e`S}yrS~vyi6mcr4txFKQSPwdny{Cz9a+#;LRkoh?8bWhmVgyK?d1?0sVEJr za@^5@M@n$XDNZ?L7C_o7BwVnz^0j?WA 
z&akn!FjYi`vBpG<>YV-D{)*E`9x58=d1W3hiRaLG2M(VZ)8&J)I%IK)L5nX=L=?LzXTx zOah}sOWaDln#`Ze4`*nKM2}y*pn<$oPos$(&)PcTI^dl3cOpFhcx=61wx=GiKtIL< zHcaw?Vd6nQxHw#=fNn73U$Tcy1UB#VDu>f!8x}HGGEEt*>KrH@yV`=hBtq(MTl_+) zRjBkWkD};R%PR_`j#VY*p-Gy(yaPT8m&ox6CW=IdAe>lN9VicpK%XIdE!b%vhuC4u()U?V#GF^wB;L| zm3!vFuJPSShAnmQ)@%kOUKjK2#Kw5J-NX~hv0dE<`StYDt^$aczg}VACqb-7>g#Ym zuxj#%!*AMdAW|f8!6{_E70uDnNa3d}7C6diTQ34hxkYexiUr$|Wg=&hFu0v$RWf;E9k}mBSrCQ;8hJVYNoVbSa{?h@Fk%Z52cPX2uGV|n zp&3qG0zxtG9M&3AYVjsv^4Nd~_Pb;a8_X1RTLf`_R}IsLt?u0O{yxg2i060QnFe2S zOFoaw`BoTIIB?Y}ZiRa#m>4o3iAeYfc=vzHJI<2W1gajYLAg(6CW|I-SEe-US$b>o|s8Y7vQ9&<$#lR(GQM)yjHS>TNbCI z)9q%DMc(!Bm0V($Iz6A^&c2>k?Ne8iW4eR#8=&`ZRj(ErOE0lj>!>O)N-eTbYbE)i^inG0{R1 zA1n&fJ?G+RWMc^G{_#NDHRpx6L-JlO)v5V-PMr8cb$kDA*S+KH%UYc7jAksz9*zAX z{mYL!0`X!M2A?mnk$uy#=cz`)%$e_S{-~V&kTpFSb&Y^%UDzf-0wGH+*r=<8*cC6d z$|lv;%BDNsv%8#=dwzN$&g8+o3ww&W@?O(p_geAkS4|p3*M{8cU*4Nn*6Q?1Mq{ra z6rDfYeYjax>C;^<00?v4ZDJgdZPb>&Ur~NpTaKgQabRH6Qcg=`Yg;z47|l2Fi@-6)okj?Hjrg@zX4V zSeDF+XKe;5ChqS~i@r6;(ywbRDp-bFUQ*ydfUK70DcA}4^6^Zx%@j%%TkK`A<~<(O z_*kyRbaTMk>S<5><*((O@8_rU6HH!g>xg_IVBVW$#X#LIP|GnczY(0=hvrxpBE^OA z^&IC1`3v<0Sgpa05^6-IzUo%hJO}TE zxU)_4A^9RR;G~k=p$vuU$d<@gb9#{vXG#4TS5ziz?BnbggYvwtOYLKH8teX?*K zs_uJDn4r8}FuoXPAiDXCp*yTR%z+tyzFjSj8h9^&a&&7=;@+F4Xk@-MG737(M>u5~ z(}+4l8f4iT0Pl~^4V-y_&K+T$^YMgI1Gfn<`Yjx3L_SUXY1JJrmMI{45A1VEH_j(w z(29jq+GlAKHZwXGQiB&(hOhfz|DUe!6zvo85N;ucd~!_%WYn zWR@<$cdS7avih_~RbNDL^h&;tu-%rS`fpJ$>3g+4C8nB6Y`#%vUM2;->jCs%&c z_8O|m>rp%tjp9sQ#f3VtJ_t`YZ?*-y#t+gKJ7`4gpLtT zGH7p#j_TsEuYd)|jvkCzp+i~0i%v2$O*s)NQznBcjs^Xy2~O9^8=%)B-4-drfTN_% zpGzd+p_HWervAL10fr+Uwmiv;~|8swfQQFZiua~})SR-JNG zsnT&OtN8Uxhc;Ynsag3x7=sm?_Vb*`E1V&u`%-3vNUwFa-@@W=TL`Y>nMT~ZZ(WqHZN@TvUAXZlhx~dS4wf| zfn37Mvk!wRMkC?|dGCUUA4QVbA<-ZcCcBU?H(q%gQO{{y@a0Q}svQ2-<|I-E^aduC zV@f^6+1*Ag3@S&?sF~q93J$as-dAER2)$&8<`01z&S6nV!dRk?bJQ(O`4w6z9+vk| z&nATz9!^@J_SjLW!QjeHAvw!bC2*@L*<)0lwjp^hwZZxB@Vj}vx*|i~SMbFM*_IfT z^l69h-c>0un4gll&Kw?jIdCed)g@^^iyyaIbyE^rreA5%&_TIQ9hjDB%jbQaSH^TKsxAJkFWbDqHn$*ZXMm#|}84 
z>U%u+A@DaHzEl?v&3?AlGHLp@GbkmOeGg9cYo5ZY%;KS|TS^IHu3~Ey;R<;v*9+}W zIV9IK8aj-{CUBfBMa`cWVN=q(5P2DF-Lnj)+EE` zSWT1dBN%JgSS6*KjXFU{AbH=B^U|y&*<0Q?_YF(sDdO=nr+8nJ`94t?O+rX6&8jyoR(03Pm1O`PybS3;c}HtR*;}*DR~tIerD*Hz zu=TP^S%yfqnahNs1u-^D`RmHVhIc#(gVIa)sG|c#r9jy|_)7!6w4$U`cNmEmAIHgU zP+2`9>85ey%$QN;Ok)R?8a|<+`!J`CLWpw1Xw%-BgAPk`Iu7UDU-t@HX&mvb9_4M$ z;&Lwn{(9Iaf?Mnk&3@%rBQc-1y#$G+@7M<&jViuM*9PxEg8I<{%aDu0?r{pNqB}XB z#I3<`hios%`VT&t0e#rU3;KFT4^kaj+NVr|A2EP0N%IZBJ&`bn-E*a^?g#3`C8`hcD^i_TKMbjY?^A(D_IxDG@)h#p>S_mW+a- zVAPH)OeYhrSs`5a#n*usD~D%S7}shu?y{B0jjpk}_}kUiL|H$a_fDTjR#m{;tU=)r znmb^a^O8m2d>S}jP_?G`z&G%r>h}BhNaN!PletN2FCyNLA(&^TeE7x)gpG+)34HME89OwK0BPE2_JX_ukO6-Ap)vZ66SawLIr?RkoH@dD`Sj zE%2cczZF8xe$8*9DaIKbe5jOA3VBI$zi4MhG2CV6W^BC0(l=QggL)NARI>l<4 z;YPQjQx?XQiAK@P9K3*^<5SBg4zD-!?x=-248QU$pU0C8 zrJ!S-C)=6_dmYH0RS&)M_% zwx(NsH}@@5^@x(m1XTgVit|KdXmyE|KB{WPY9-fL{;)bHHr=@2p@h%*8>`EK$}Cl1 zwYN#xwIhA3JLYjVlq#0xHp4r3xk0lU_3(8Mq?mHKMp>yxAVLlu`yE3m7FXUjPIhHJ z5?7q!39D)VBj8WHd&wbN5?h6w=7)U!1D#KIi!qqq?Cw!kX_O&J+fWTIuS}r+HP<-F zE$R<`{M}RsoUse4LrwXq{GTLJQ%T}hv4P{XHS`1H6t1&hb-12O>haap62Bk1fFi z=WE5m5)rf<1NWB~W}jVtTTevULSnWQJa^kQ&S#5y{WX8L-~lJ*qN;x2AzBTO`T=jP^Hbws!5I22vub>YJH!=w4vq&;cebDLMd z<9b(Y6?nJ;?;hd;XDPzLFZ+E4z_p*>87Z+r>XynK$k5j~h4UxU%6NOnSF`)d zLxiES$?I>*&dwO$5!7e2x{rN6mg7bdaF0uoaRIlmUwwAJSFs^4j?KB;SSe=@;Rv0} zdIvnbFr(^-Yyx23m=ni_@Bp z{Ug~*khr(w5-&UWEf}Id&;6 z2AZQHZB^iOvOvTRPLH?s61)Ltqn{lC!n^+BMKB56{k2Prn6FxCk9!@`g1?0GBZ)z& z8IJqJ(_d?AQ@=1xW)MOXzz%fn)ESz>4Wrl$xQCWp)fwU_6c_(v1ibFmr9Lh-paxXM zyb(4mu8P_>YK#!F@SxH77Nd6a!(5UE_(qSH$es@1lIA7zRAQVk3pF!uhDnyTt91lJ z8y>pv1O+k+#+;w6y(8k;H6~5pEA`$+EC+wUcZi|yNn5WNMt2}V&Oy5NA;r!8^=`hrK9adFb?w}hk+`~sAwyk{%kI}0@?{T4_;)>1snM!3 zVTtMHt)4Z)iV-qcdMRmjC4)tpva!MRzF?c9C|u<&IE~j7!GhD&w*w3B!7ViqWmt0m zIHxf!AKbkKN$3VVi(g7IoyCljVBn^Ahc_A4HlBpuF1!eyS>hz|P>l@gJ_vvs7jbu~K&TbVn{ z1O!B8lQS)eGoE7YyZhu62Q}UEj0brO27giClt~Kyh)l>L$r-upRUlp?I@|j zJ5g&~(V*ijJa$vk%dbEBRF{%jmocr+pt%}o&3NEF-PKrQyBBI~%Q-uFzk}_N%1M73 
zFS${LMnag^_=M1`(&{}unCPH|IU8!IzYQFTPO`u$1fD?g;*V421Kuem*ZA!6B<@2l zA{QkG5pkN4p_hxMCr`06uiBg zT_W9YXa8CluN`FRAiuYI>*EU1(DmJ0(9L+Y1$I$r{gl(-bB{yk&B?BvRKtb0DL24C zBI=33?I#OHBz))-aW(0SypyAJ;Ct*kVU*O`+wW6J+HYqH$Mv}5F?nP7vt<2Pd$^rm z-F0;q0R!{gC#GoG;_y#|58?!e+V6w5La0S)E$!V00QE=YUo>b68f_3wLDQN?(X zXe@_HjIIURtCJ6tdNi*Y$dZ?jiwx9{F;x}vL!-HFamNItapFIww)%iOuS3(_`~(d@ zJA@ft2sKGq3UyOI&f#?re4lbzbUEfjD+avp=%d4n2M45C^fZt7^OA~DS$`?H)ztP)w@{`M+>}SYBt!Z4=LH5S8TH7X*%8GxiM!Z zD+HFIScc9vaeTJ@9FZVQqM%ztn{!9PE4}qu7@v9Xa&v$@sxjNxv=8OJWo^ z8!IMi>4>M>5F~gyq^`=W;yhN$mX_Ww?O)W3o}Q;LzyHR4h9|kFmqfSV3wJ}5x2YMZ zb@^od2LGaAa`?0mZM;y?lQ_dP&fZ7#LfJ@NC^C0FHyWsw?``@?z)km~+`3+PVwHUE z)#yhMa+Sr=YdL^Ohal!&W7_&5?2tl~>a=;<-uu~-jvF>fU$h~{gIC{v@xL*Pn90s3 zCixWOiaeUI$YC`36%pMD<;3|oCei++)90d0B;qjAIEf$8+q|P{M7e**v*Lwe)bVo> ze|OOkB^fQ5&X%S{ne&zGo_;V!nuW9vU{s6FcAIxOo?kTVZI`Os6~g&RzTrcUG9;o7 zrH-=N_q|uLR7f}S^$C%zU5%f}67PWZM?ME&&j|{cDa7Fuv6raV`r=d1BV>ucen9#8 zX;SHj%WnLRMjYK$%Llv16+2YQHjg1Dqs|M9mG~CRBe)*9;D^<#;zTcEbY<7jEmQ)Z zXe0#szM`hf!$~A14y<@WWSbTyqvW5Giz}+0iD(O!A-Z%GsXHz@yg98JlESvRNsUH0})gTA!cl@rk+wn6k^;lb*xfRa&-*R9;hqtT7s zh`cM_g~XSrQUwSvRl3g}T$Lcjm2wWow?;c2_T}ot_l4Vx_v3^UB9wT}%(r++oZGIL z;Cb8l^TTYrn?gBWr3hI2QI-Z#Tsc9=R1Mo|QYCF&wfWyFM-gh3+7)g-b@qNowSLQO z43U?}YMirnD)?@1Z1|YStqkkIjryemb6}Os^aT0%J^$y&SvHtM%HXYcEH-F;FVB8Cg@NrWG??--DZ zMUm_dYb#feGBS$WesE+^a*baJRhFwnwRJ~mzC}G{QO&=<+~&!KoIgSpF0w-=;$&LL zJf0tZ*q9fCgvMnGJIDKXHgO_w$E0ys2t=*ie;gX>oIr3`97U)CEEwy`TxUW%#kq>Z zE)b6e?l$H4NZdnSZaUg&Fj~!Ij&BUNQbrK<9>a?u`5x!IEn~0&q{z-qmYSi*d=NQ( z8E#kR3qOIaANFkRXC_e|rk5|S84fd95(Nv?(I}6q^5SENSQh{Z9y)Rur!sJamS{3= z8TQDc9=4u_nlBy%QwR&?VQ`a%A`SyIOuvw9CzGrGb~Bgq`OrZ@=97x3;iER8-EiTI z>TFkeluxnrIxK-%+Gm*-?eT-2!-_8EEZ*Td6@%WDci?g3xi{B~X6Ei|J2Mbp(?Yq_ zfBTTwbQy%J8Ex9DcXCpeqBQYgKh|^;48N$jb@%PWk{Wg!XdsYy3)fF)uKC^lf^6eR z0n2n9-eRL?C!(Yb5WOo4Bu{Gt%?V#G2(+`Q_<`#UUTb*ImVYJ3=Zz}j8)X`X`4|Me&3$Dth;s{z3Fv*`p_+NuKgyVJxYy?QGe ziDV%i2}}%x_cRnpb?fpcpsT@K5HLnX{o5mBg?UrTb{~;6YOfxN3(Mhn9HBEx8`DWy~xR(Sr@$- 
zW@Zz54fW+1Cuy*1lwNP`czbyyL;!Nq>y6Vs-a+mgEJ)ODv8C}ba1*nwxIn=4nLpTs z0KpHxeORjLn#J7ypwwFY#|gcSG)S%9QlkW-BfR2#NFP#?#53)K_6-!OYW#H>f}B zGH7eahu(SYFs(mE@7g5GdE|G#qY$)IpIATImDC2jMBaVKpBZTxi=(~T3uBYH-sax-aYh^(|ONid=lhzp|SANh; z(9pxu@Ra0QM5TB`A)QsUW1~30{3ABH>*S#SZO0)U$jg&-m=la>r|{DE2c{#Ro920M zI}aPIGU2H|l3rlMPo}OKbiTI}%)^izaC26$2k&w1`mjbAv|76oy2Rsb9<*zI%^N3* zK-S|1XHJoOp{%w?*6JpyKpqv^%zTpONqn9nNB8jutmEDQebrW&J^fwZaGICc(l53tdt`)w__VM%0;{m7a!HN_er(4 zM%T16JzQ{snpEP53~{XmMPELF;K@J)EXp@YPo~szw(FNT%*@=3Pr%_7OS!|V?q={& z$0s$RqCAcMf_EX!$oqJ?P|`ckYk9uyE`3gqko+=jVLYa+RsBytS@@&-+1x16C8oV;9aUKPpeeG0NPp*OjsLfOnhB!FgH- zpKFNa?lh+RZD%Ycrwy{7^~5pzH391l*P`%G!{t1blkHzoj2Bg-^P|>Y*c)2=eH28$ zUhR;3kciA7U^YX)-9XHKll|-eu3#U)EE7hn^;7^tY9_5J%_}4o6 zEzyXbyvn;Lwc4#hIHr`6$#-_(<+{|0QTq%nT5+qvg9s}N5gfxJL*;v+Lb5_a!7+Hb zgd$d2-VO+HBZA+9YXr^hcfhMcGx>lXH6@XD=_sR|d+a}v;;A2KJS>d>(|ToS39nYz zOJG7m@>ZJG)oID&b*_?C7V9S0(hBWcSE%!C0YY73M#Fk#GQCQ zbMjzboPE{|t0*Q$cGAG>lVj)4T5uPu4SkttD4m}$6&|76&ANMo-hei#bZ<)`ct(T! z-K0)cIWyz)#EGdUv69$CrYD>+r4M0GN{f*%zC;)43#}K+0G@@x+ou!LcNA}UJL%b? 
zQy1PD8aJa1`;NJ{vblNX!?@D({cHsCZHMe{D~_~)n&grqxu%pwqS}x~tDVvf8I?j+ z%ZQJ5KGxrw_0Rj7@z9vDPvuuK(GjYRBIEuhzS=~W8A)XefkyJA8+N( z%Wp071U|VUs&?S{xU_8RM&zpHqJdhBedr=>lhU-H3nfYTSrwDTcW2)^sA-r`aq^|F zb!$qKF0%=EoM^R(5$V>F=13h~^U!6Rqe%%QyOaV$F6i&I*#N$Ll!x^PX#K4}>TFs0c2WJl4zt{!>x7)uiFfmowcuuMnESv# z-AAof(VW&(X5;f%;7eas*j3HjcYzHp?>sD+a9h{UU*mY9J~Gbs)lALcCY08nDm;ek z2KM-#ys1(%9QT5bw#Kc@7;CCz3PpmDq<2H@d8DBOXj{g4^E>j-L!VaIQGCGHJ#=F) zx3_K3K_UEHw&5&Um@eF(MPoF=IvY@RZOP2w(`ZoYvG^+LHaGd=Cz}fS`242^NY&k9 zF>LfPijv~}=`@-%@iKWV9vTJ|E5IiY-woan_et+hTk>q?W?8Tm>3eU~TV(twhFx-> zY|Yat-Z9kvVRiRar}&VqPd0|!>RD1x-=9|Qioui2PER%Jf5W&T^=>fwK^{x!4s|*8 z=dZ6)1^XAD03ycU*y1KP8YnVUVWX6cO?L_T-c*r5J6{qY0C9{|WY#sjubpoJDSp<( zR{s;w(0@b|YDYkcQ;{$w0ca?l8$LWW5V?S1oJ?OwK-{%QBZ&Z3v7z;9U1Vm5>)0E@9K z0r*2Hb^+K!&aqAbaJq=~nS?OYol1CSJXqxm#=8M{fe|Rw8L*%jH)}kD0yW)0v@9Tn zzGOhUf?Qvb(MSAKWnoPnhK*f=wehdi`?T zflA58dhTASzi}^E-HYx;b-~E6ffDw+fwK53)@Kq*oJ)8*P+*lW8c+N;110)50|nO9 zF9YRYrOBBa!bCb7DAo;g%>m8{`y0s9zFI6p@Fg!P^U>)bJM*QNogGILHLsc0c9v5Q zAuPl3xMo|7yx{;o&op$k#63p~)fAzlw45WnvCC{#a@NK=8YIUx;ZCfTVX-YK=qOh{ z>E5MNc)>*E6W^8Uk-kd9PpCjA^W9X9Ifg*%8f+IW(CeAhimk`XzfSkUOlzNgH~sn7@~-MkHD`uRi@Uod`3TEfIWr3UB`;=2$6`OSEx;PZtmv%GRP(IE z$nP&bNC&jwLVNL(7F?L)K%*E!FfFcOpJ`!3XK~k_EdPe-CDnSIA*2WkYe1xASfkAg z%qQv3S>So?n*d|A4rhoGqVR{3lc7pOQuyH!ZI4gchAy;@`u@*HulkEQY=;)<<%RuWSEvQDZI9 z(4Xv}E$S5W9X-BN>o27zjfKDiwe<55O%We!5k9Tys?02kEOq1vFVO^iVC0V>p|UD= z3Bc#a&^d(+4nX1wrJ?taG)Hf08n0#4bbqSZ2rH(Cj1-N$bL3F3^r+Nz`aj}`C)kMUk#7)8^iys zK{+rsPo=$RctG3>P6?Ct;<$o|djU3>v^yO~u>b@sr_(gxlfMxy<9p95m(C3j6ZdDs z_w|nf4dDX9?7+cXH!HSeHt6%u=vD#9JH`UD(xKj}WZKz)IY|G74c5?U%?p}dXzjnj zw#B*&45?xOmLHbSgiUonkE>JC1?T;@uq_&`0z=RE9N(o_z{k=4!VEB^&a9=tvGS2P z)8i*q|7t8;V1t?clyni1pIiHHu$}3!1k6-tK60u9@-I3(fsroGg8ve>GdKTS{~cd2 z2QUp{{5qab2hAyZXT#onB$DR|=1-~u3-ijX*@R@;N@O`OJDrZ2Q$&7dJDopZq>G6B zW41qZX#7bBl3#UzkuJ{o{}#40e0>1F{xPlc{nhLXL+X!}!RC&A>Vq>LB zK*NwaTgNLFpRS6L|E%g?MM)RfU~4LjbP(lVcwuSyMbrN#v4u%{aq9d(opYZV0oL=6%?V z%=bb9@y~PavkCU+b?%=hw*QHo`)rl_IoS9cy9VYXzhrxVnLhlQ6rSdZ7t@D-%=Sn6 
zaGqkGra*YWy8WlM3l=QHNEg$Ge+%1L`T*Mj_z`;31JlKycI|#_-oTLhBYh~M{UzJ` ztFiE#q!32Bh{!)@yO?5H0NXdjzv=)ZU7Q8~Eo^6-W3bfzN9fHBOi&j#s?G)t45>fT z2P4f@u?yMWU!@Nh*kD$LkuDp45QXr>ab%2pB&iMZpwljQTsr`@iVf)w6 z`)u}wA@x0d0QS0(epdCb(uWIdu=D{&x`@a>XFJp3M~YcvR8Efms}3;I#q{Cd!ghu) z!a2UM^x@`Tr4KNqzTa}tEhi8BS=GOak}j~pc12;Ni-`Plwlf`mq?o5V{JKMZ6Chm- zlVG%;5)p0D{|MVzye)E$FD%|>{dprBw)K1#PQj2m3kboI8NXzEf0Z-*CMkrGE+X>J z+0JyJ`dJ5H)AB;jzzQQ>*kwPZ{T$T(N7&Brl|09HTe5@L=;dGJ3^1h5c2Jik8v}Gi z4~~$R(ntQZnwMvmM3!=KfB}fdf12a(wV*W9dsagF}#0fc=^#$YFbZJOh+Fc(T)xU8)J%9w)8sfgJCA?QuLh&ZymCw9q_W z{kqjLx(0l?{qUeN5472}DGi;A6*vZ;OhYJZK7k^0k1CH6?MZ77b_Yo(Tu$a{_c)B9 zCm_y~cv9(4pjbmUUdYinXfcm;TT|c-=opYmpd933F_uUQn#$;!06Fh$_e8Jp9}68F zXJgI^XdLbf+;=A5*6vSzfw=8^oNVI<(?Bt%4tT0wgM9L8?M^n9F7XS1Gkids ziy%-zV(r1aeeKcKy0ifN;~vrd!}ZbH#2Od+J!xuH{wn9%s>4R<#FG~_M}9~BhnoDW ziO^on<8KECVPAbP*ZALnHo&8$YtV0prFm`#kv*UcO;D!=HmbZl?lVIKtLDV^mJJ&7OPhzHos_PcvQ^Cd3x z13#C!rha2%ce^EN0($7nujdVdau!mj$T6TdlHzAI65XWzSDz{Fr&&#_IN8tLeO6HT5 zVbFZ0%RB%UP`00z;xpp=-CK++q9}nIM!}btlmYCwe2<<*T^o$AFCw)FF2n zKMp1cy|21gO!j=%YvnpN9izmDDy;U62G$O=^@a5Pnkv6T*>rIYUjvTW-C2dPU}p7= zhrCsbwTx@iZf}gj@TV8Eui#o}+P-ygR(*LF-we%P%hVLz|Cy;NroW-7DYn0F%!!91h#dyY-y7}EM)Q;^8IYeT}kg($`L-~J7y|D z%}&NiDCZw2*4gmNK)ZM`iv&&XdEF;NctQkY3R zW+!_@C>Ivk2BhYdSq{!}Zvw^oTUhnTr;C^rhJAU>B$U|6WC-OV0>wVJ6zP$Z6*Jim z`%0KeXtI;Z6Us#eih)~L^~rULZ>(g|PfXYVUpXmeN*nflW+q|6PNqUA7aQ0%(6XgZ z-cZccJnU;@CSlD^ra>qdAJ{h7Vq-uKU&1sy?CWVJ;ml5^1H7{>ux+Si%Ygi02@~Ro z?;A4-4|Xzr55G?$Gp6^hkNCbtrxGNTEvmOMBoAee!ZH);N0Lhp^c~T9QiQEQXd2-E z9=$|Zco3;S`GJkuy~O0J$tE5&1Gg&Jqjb>!+m~Wd*x`ZeY4e%Ky9kD;&&D&78A1a;Kt%O`TA9u;di3 z0UI-1_0gEzz+@BE{$g1hGr$`Dx#!G^Fha?7_0bWC!d+O!(bFGGPPuayMu6(H|4Q-_ zM_Ej+8Q8)K5IGAnV_Z?9P}>Ctqy?p9J34Qxs;{icD%1{xp$rP!qrg9M3bj*UsFcFC zszx>>8(89?<_f*VImgFYfU1W)iU3|ayYB(zSJqSjIDocK5mW_u7Dvue`oEoQaOw-u zFy-yiO#tQNPnG}wAg>6)xOq;wrEJU$YPCWaM!Idxs4GfX)JOetS0o1Ql1+H}i{t-; zZn3!)!u& zYLnJ;hUot>^3G}7)r+vUElxW>?ef1SuZZ>*S6?WOV=9wPocn{T7e*$wbQvp3IF5$` za#th;cK$QuO~+mhK&88d`0AsvAD4v(chZ@i0kJbX{|hod;|NUVfK!>1VX71v!c?KZ 
zNS4=!k;8{!+*3mH8&V)$pI8{yui=x@E^$VHdUh z*q3pEZ#WXm!osN%U!5mrVpVuBD7_RAEM;*;!)C?sPvo8X$c2&K(~7Ls;{mzEk`}wk zCZheL9x(FGtqMEVYCc~W8S|X%7E5^A)B{*k&RDP>NQ7WLAphS)p0lonVIaQ`!$5%_ zhCw(CgUxaXOz{y{nBsP%FvZ7ViW}|zpCIoXE(1NU*pFbV^Ng$&lULXkLCi#f{%avY z2Q7R%Jge_4#&v7wgAV5S!1m+V78bQ@K?g|uJ3MReET(ktTFXG1TIJ{7)&vFv0=klu z_OE&zDe}(&P8pPLa%!*FCW>Xb2T5mx`% zUy^avc>r!N!v0KVKCN=~RF6i0`}438 z5N?08gf(~Zw`ad0uMg%P&mH6^f_7tf^V}S&YY)CP#wNN!msY;62|#zg;-4IDV$OA8 z3h3Wc{*UE9Se*o;99$=sBEv7&>$1^aU zE2}`8`<27eE1xlY8147FNGDwPBG0yW*Px^_j}b28!ok6zz{xxtdMfysDGW~l4o(do z0gfD?I+!xrTRbk5WYB_J=gifZS;61qec>C+T2Ax{bjMo$8G*x2l+R%5Dws2US z_B^|qP`U5|aC(7>`Y6O@_)Ylne(BeeoD-#pVV4~CKDT?tS(D*uM(hP%8C`d?^`LZ0 zcVj_Ed#~BPtnIDTLOb?&K%1rNIZtYO=_0w6K=&L=Wfh!f0t(q&Do_ah&% zgM9+K33a;)Y!}i58H@9?h8vVdubyOmRyNO41Lt%-`w;#uAInyk-Ii9qxG(%kV6I~A zXD1VtLzb!n;~9N~NFkbR1!NZbjbc;nXY96_V|nCAdQkGKA4jTu2c89VH())D+sgtg zWQ@k&DGJBCSAX|omm(Vv{Mt(Rw;;tDwKg>d~U)%sHxi~(3kO&l>0Ni zk3th462w$#!}Gpu-b*4|GX=J2stEMKHi`>b3i(Cr$gddjvlzNCKom>_yYG>|SW|Lr zD6=V#7N_?X6h$9AiA}%W6YfZ(aH(|tp^C7(ixx67qofjwa@0uI7!Eu2woZ(}p1JZe z^H9o_vFw_dM|z0M2icFr9B4*u^s&%))Nh9e24Q(4SZdkuKWtD))j^lZ+=-M2LNc=CtWh{QNC6(-o)G~K%tuXldC zTEfdYA5qyW-*^jd&1{|16Y(;u^eA4b@E-pzeX?*aa%z5EqfL^hYcKsR8)>UR)P59q zQ;A^^KHJNy`;$-A?z&ax;qCV|E+d7NEVeO?FaGg-jD0KszrCGdM z%~_bHJe-f|RVrJzAHunW>*0l_sW4laPb-VE-&=GI1^;77viUcKI^q2%d$L)Ld?mTP zDO=5acN-PI=E*GVh0wlKZA^TEZd!sDCCl(QT;XHD>glPJeO>6YQcw!-`a2w=;U%WURU*ck_zZ7x31bh(#KHUVaf?A~Os)k&+ zn!6VYyNn)N6(YZP$vS*Q@ssc<7s82Q=%?|4H~r7LgM}Qi#G>WHTvu(NrmDk52#mO2 z>@Oo2-~}cu25{iIxCxnL$Ce-vQZGL}?8$lhv8PZ?@!_s_!aG;XR7j6DsXH5aGamm8 zogpV;$l9CNRDzrZy|mtVd<3c%fFH_n-3Pew{sG^){JWF?ikippYHdv^iHJ6-%<(ZBS_cC z_bn08>f`J6=9Q2-ckOiJZ_G3p-$z&Nq$aE1Oz{-fTR(vxpDRGW*PAc?tla*nYyk3cP?b$+PuZ}P(AN167Kpq&i{0<234 z3qO+dq84K83pu zpk96Kw@^#jm8}4)Yk@i4Y4O54hNR@1%;r5ms`ADF)4E#-TbpO~ODh-l=e*PubbdtT zwErN49w(Ol!O6$6ZcCbndu) z*RfcErSKwm8y}bxnpi2<=Y5RQ8`9EAADD9-U%i48 zhfdCedQS18+x0ZJCpZs7ymgkZWm&3frK~VZficB-#S+-asLg8jk#`cj- 
ztk_kj3k+6L82NEAESHF)1*1&1C76H-?%YRy)ayl+<>0(kMKl=P9D&*3T@o?qLgC{_ zl;SV%^BuirglL-%_Mt)yg}1V4E0Q2R@*_xnKy3NB!0=ev`n>0O=QUkPFHC-HsE6gU zdAd#VJ;smDycr5Vrg9R>OcynU=ZPOxAro)9A~~<K15Y)`N62a9%QY~=!OKoi7#OpOs6{obyP}emU;K$5kANTDTVp+@J{v*c z%Zcpv=?7vKv$jN;7+ZTE5QXeVA{v+wmcxXuU@A!p^%FnJF$vVDFA|j*h0RqZ8*Q?< zRL3cA(JQb}@bi>7%Ov}WF)6`h-vZO|OL7{o#X}ARO8+=$2>j|a1YY#B&OZJ5zr|mX ze87sF<)*1AJU;>lDYRTw#%uWRf~6m(5*<4-}}gq>3j>6 z{0PuH$UTs#`O=~nS!L0t60-7%vlYE3^W#8cM5D(^X^J-=`B9+D@bF_mm*L?@fWE`N z!BA>?Jc|=irCvjc1jUcvoLZU~T+mi58d>FQCl&1#8ADmE{uNLz`~XUS3EOKRNI zPU=a}3miq`>b{hXgvgiCyb5s!oL!Ngwi|}R(66oI7nD5LD1EL5!FyP?2s{XU2wO|o zn~Kh*Mc@mrWFvv1GZc?rp&3?T@>J%do#|Tm{J6~pVE7T63&8MWH5Y*4L}{W)mn~pt zUvDH>dmi5=x3E80tJ;y$`b=)bTy$0mQXA?UjU;GJyrrM|@$80KM4jR#JT&R^ z$&bZMMR+l*E;ep*tsat_)ZH)?UOt9Rx*nY^HYzcdkFjoptcTZ~7B|0}|2{mN&(M!L zdOK>oxR2ms#$`{A3Tt+>k$|OAeL<%C>hwLD6InWccbfEP>uHpLAM3{f=0C^IqZ)^5 z*3|{(X^!4FZSD6PYP1-NDsvt!egrN?T3#f!C2RJdkBhcb?;wWq$w^^FUk2uqQL+(i z-#`d^`nvtpy1CTM{NaOa@96jb4&u zmZ56$R55z;EPXrT$Jl(Q@bHhw6=tX=<6$U<+zg5|*`(4R*Kzv6!BFWq1}}oqU?=cM zJp7nWX=DMGdx={{GkummP5fxf>q5aVatS-FfxWXZur*He!(0mBkT~6Il3PR z(>1_%mo}yR?&gP6QGR`Jtg3w3Ar43Xgm1|!;aW7@W)^*C-ADlH%4I;)N64MR=kiy`r&F_%JOsFi#%Bz_d;Vo3a0%ps(h z`_;cfqT)wlE}kfU)Z=1EKLUR^6A~vDaWvA02nT-yiH9G1NNMuk^Q7<^36meADAW=& z=Nj+tLB~?xx;_Nwd!-~WZJb{>eOCFgjU#YfY0u=kZTsp`{JiSfl!FIB$FOEn7tU{#1kr^|xA!#VLERl(61Mo61h6z~<{ zU$K^=Xl4f*%M?CV8pPiMA1Bf?#s|j>+^MpLZ&{$wJyyHGvTk+NAzwIDTaL=Ru9N%k z=6`Zu1OJX~Z(8tc&Qsk;>_0nypBrZ;T z=e;ZnhC0j>P(D{2(AXU?m`#5QO59dvOI@n8{_Qs$Wtor7p6uE+CMSkmM|^4;{WYmx zfT8m87-NW%otJKKH67-&FpZjHHmbn+lck*@@5YL9@7&3}*INnW1pU{s6eHAYEAsy+PY+*}x|}JL*3tuy_lj zc;v|NCPHmvI#}O!ZP3|0q@bsSAUSG3PdF@`Dd9f$`8YVWbd$Ur<`U5TeY>yTP2%Fs zen!2fN9{Mx0?3;Q9g(`8dFF%4iP&yB#W_A_C;@$98u4b{JG$eRl7$L#vE8wOZVk!f1Qu1)-3?-k7!q`zJ(f;#Pf9sr~`tup4 ziL53@NZ&Ic3)|8!FtYBG6FhUwIt-#pA ztTDiD>OpIeM9P~8^)^Y3qC5ib)TRT=YeVDWM}5>5L#gX-VGnLjR2vGuf@ekEaSSz| zN7#JEv1wXS%AIP4N{s>ZMpt^%Z6doP@$zFnBfQZK8@2K3%g1UKfP^UHhx;LpJpOv2>HkY1bdkS(%TniXVVF)0__DWWm3MUOh6 
z4c|x(2R{}y8jcv2A1;Yh`T99SvFQ=Ay3t!)%J>zDsUmY$iqi*(MsuWVv4oYWngl*{ zH7)6bj+aX(_i1&hv7)7hBW7XDvvq|9*#`J+R!fO@S=Sd4^luWM{`hZy-`;#EO#X#L z%#RlxpT^jcwy&W$$S3zMvP116atN4Hs124iiBy_n@0qb|T;HQapextE(1 zlgxZlnsLrbSNbqd?F7{QO?6hI?PA*$lEX?f`t68gRU(jHI9*%!iE~DQA2CW;+_)h( zsuvieK(Z2rPDz4Z7}6MHCEYy61i!s^6yal6{-~Tjs8fpYI=He-OOcwh5^qkNyBU7Q z2Bb$S?7-~YbY-jKJ777l8d&8^knda;r_X>Jl&e**9(XUZS ztpz(BMhDJXi4{4~F&^w75*sJhb%;&10_J#+Ngi3<-ZF|M1G7qf!SZ-TN6#4wK>vv4 z(sPE2)0Y%V&six>w~f>lCOBil2&bBZpLuUta1o*MFcNu{an;oxBXUX%8p*HnfM<9fabcq7TBVp=3 zR4iAG@+~66$Ieqhm@`za&W#=SzKrNYm2&1|YC=gEP7EG9MI88xvrxrcnNX>P1ML!B zaykc;q2~4bEE%WERyP{ceD;^hbfYDQh#zZYH$?o1CA%Tw#~I(;$aKz7*!$#shusr} z8XI(jsiDCRIcW^lz7Mo-F+Q(LH7T(g4w0)Xkz zzSD3@43VK=_*?g|ejWJKoLSu{r=p1cl|u5(q==Et3oPcVWx@OdbHA6l1{tY4GmJ%9bsH^^VGoPb|dZ@qjqIa=#^;m$SFVP(P zLv5lF$WStUPdP4h?Dl1v-r6NW@nb~CNW)v2Ps~~AoF`fB9{RgCo1e2%L_cD$PU+4F zGzp9!$GNoK{G63E`Ke>#g4XPFRwCmU24lZ{YxX%S;qq|OUf!C0&PuoZRq^YgoGNy0 zM>8}6CUNp3N|&^tpRTtOdOSf!ox2P1!Vi_u%pAJN=;D71!$&V1d7qV*+qIXs`_`{!4RSh^Q zosW$Y^+keZi3CGcve71kv!vX?scf@a*Fb}j?;aFJkf`}FDi{76sV_9F|jm)Yq;B@!M#2J~Hx0**rGmvLH#66f#1X&EY#w|l-^Y>b#{0PoF$zR_x6fu9VN#n<1&PfG#DWwNjT{0saJgh3Q5`JY&F&Pt)+WP30p_=-u>mN`~q0$KXv93|$G55F^w=!M3 zK(9V}e=8Moc}al$xYw&w7=2^d(di8T*eyfd^Gm9`3bn-S3Aa<@JEu+ziRw=U%?`=k6T@`8p5pr zJ2{5HMAL;lIC2>Hk*;?b1{B>LrF-FM&?CW*oLw>!(LxKMK{o`dP3>EG%TV$ClF^Vw zAsXK?1vU-3z~z>e82tOJ2I-~K+jWE8ugk(Ki}!;;C>{o_+9uCD-rsH>Arw0 zGnAPBmL7M80`#xV?Bp0vj-4@7mp>omY|SW4Fcf`113Vffg_f(zSd&}+7JXjn@aTsJWVq=$3L#N7v>K{)sivs zV_?UoDF#53=Zc}4`Y~Mld4;|62Qv$28&izb*5I^6svZ14?au zV#T^9!;ozC#)m$D{Uh<*E#T)X>~Zm|3Q1zS7V9Wv-F(o7>R@=wP~6)sp}N%@xZO*7 zgc(u<0N_;|51c&$e+{;rB&iQW-EPp?0y{_o$ux^T# zEx!uaPj8Sl^(~QclfV~9>DCTbs=PLz~p(=MIKXzwZwGl}(#ZglGEim}; zh$F`piGm-Qh_2@#uRB5&Um-#9V-l}1q}ahmTT>=6h^y&ZAE?X0j5MmXxL1SukXwzy z+_39mqTUwUcqTPqy5*>7?KrvXK?4w7_cxiaDez*6Ggtw*lU+g#^{WfDR2AMpP6`b9`QD|tE5fY0k_ieULrv?rG-DBG zY_do~;mIH(3@Hl|0YCD92!c*zFy~x9HQ(%%#KVt93^Nksp__#yJ#!qTpkHAQ$u|r? 
zmjl8=7lR8>3@w(O$`kq^EL_Va=``Xf2|e8kW|fnXgC8FBW}Mu)t_H_RX%dt*7^*<; z1C4?jSbtLD#$mby(Flej(EGspPT%4mz|@`SJo;)QZ}(fIpHIKlz>;?THfe33s|iJ? zqsJ2(MxfC6y?$cf440!ybRZ#4&!wj#G21D16*ClqKEXFZTGd9oXqd@)82D>$VxmZ9`> zOs@=$QM0~#2Q0>L?VMU6hU(8aVaKI(NiaMqj@w#d0tTAg-fimA{^f8XoD-s}^ye;B zG?$^)bKU5zuidJiCr{EBB~PMr%C-o%9f^u3ff*>9rzm-)2_$z6m73p*geMtsMi4T{ zazP?s>mNCLE_iYW+`Sh&lZ1dDU3m5UvA&;}sJjI)BcW>nf5E>49jC7FW_Uk|o+p)v zk>tc}`i`NdGQt>%7m^70ae@pTrIm$&b~^NVYy={h>TEVt)1PEE}gDjn?`>{TeudDtX5=t#vMc5V?-6XYVcOk zFnE#&-0s6(=jAbU!i?}_5pRORlSW)-Jlru941Nz({3ye|f8~v>8SWU$1NWXVr^rtN z;K?F_yLqGRTF8azNH)MwtJm|Njj1%;I_PB8t95Hf>09xV*r>K~^hh*cDQ;(C!$j@w!{d)9Db^2mydZIhs3$D!a~1 zLUYw;qhUc#ld#Ts@&yM(Z!jsNt5=OAbM5aK%GQ2hP0y?N~by!Tbp(WQjj3H zvV{<%aOIUG2!?DS*`iJLpD@%j{RSWz@{9?{(N=#1rUWp%uk?Cl=$Cj~h?=49X!KWZ zB$!&2!YGE?=x*Z*&Cq&;?{q(dE^@wOs2uv{WUxDiN}w)u_KYp6tm&FOHdG{$@T3rz z%2?bnl;(UNTntHuuj`5HE;Mb;hQ2}3vgsB!Z?qS;h?(6e8>D_cJnct-)1jsov+1q<6EtO?bwxt&>~+OgY^==pcrS3 zyn8qbZ^A@C zs@jFbw&bNB1?+R9+StoYZDrYoT=1r#&25eK0X6n9iGF?(B13BPmWd^Caw0!b;V)aL zDqn9TmV!IzxU-gyo$jIT)dJ%?erZkq^Y7+=a-YM0C+~*~|0Fl{KQCT?&jMX%dDCqc z@C3f_!#}L4X5%c$(NEA-81ZMd6I<-wPL4SzR>phG2ZfQYU85>R)H+a~JB`hku%@q& ztrT@BE0v~Kb;nUkHD&)ImBsEjs;ed-3*8Q!2n#)X?1|z+=Fh4sXe8`e-qG2r8#LhB zo&fusG^tI+9Y=B21jr#v>>S(sYBH_KNY}uGCUz+ai4*VReQ-tBdL^Ce8}0~QEpl0> z4mErJ*(mIO;LSi14JVeFe%FI7Bz!Po-7V&CQgNoz>m zaa5B{Ay8dwlH!ycC1%qO=B>6q&7oYn@Cs1mM1=*8qO?=Yp=QX%Dcv;A4z7?Oe@w=8 zgnrDN-Wx!N_XG0M^@sE?$x;Lc8q;0Ky^Evr?d9n`v%SGg3vRQL%T<-=>?wEj!9AXw zq{~q_cZzP*j&b@535^qT;!RTbbOD@B@hUBn%}TeI_bA8F?f<6NnoW!_u#yPoJvLEiURbhbu>Y$H(W#JsDsPMxc1Az#+kuddN?-r}!0 z2=IpMVl*_!vkSE~wVf5p3GFostHOb5rX{Cw)KZ?p1_KI@MB8?SHX_G7-4+I*(X?-q zp|bKGI6rr8X~RQRn%d_os143GZ6Hku%(IXlgC&qf}405uA{%ezMIgT34Da+FzvnWGma#LE7>v~Pg z3*563YUa(^^hP|P2L<)EV3%Jjp}y3{B1<;QQDZyrKl9D}$l>Qi<#-SOUOx>w2lAek z@HOwjg$?o{`bA&VV$um?sT=hoONy}FGgRlc3iYMJKXC7sIs^=7=SFMq87gmG`SgFc9oL{wpsrugk7U$f-DmAE@`BkNaMFf%89{^k&YJb z`0;@KFqd!UcQC(OV-=Hh6_4ohgJIdZb-(DW*BC%40$p_pCpRlG^J#pwj=MBm-)h*+ 
z-Cxnz7MDcDiEX{M#E0@*T+lOFzQ~;wWW?{Dm9F_~0Ha6{tVoMZ=;guk&PzSBYl->e z@y&^y9`9L6p!-p1QMVKu8EyUMq_`u_)yZMWUj0tt$9Um=XiizUekm-kJo?ky{-DKE4WPPP|n^ z=h=yuG_|_)o}uzO4Sv5JZDM2AdxqNV$H9)Odeqp16GHimPM5C0sxf5<*@T?0;oHcu z;6%t?8;hvFI)1fLOVub^U)NI?^f1X zuCQezY{5W_P1$)Ckrd&)E-uDdA$(|7eCqgOns@bcc9B< z56clnLtI(!fy2QylOBH}Ci~SYX`f}KOz-jcMdR5@RbZ=@*&*yzr;7xs+k1|}^5bSH zh{LaBcck2{f!>ms_z@dVK`YgwzX;BFWsh7MDiJWxioP=$Qk=<-bGRyT4&97SS|gA^ zIZ>T|Nb!$)PX{gb$lH4k)(6>Q<({F4{W+ZHh%eW3p8dHe$AKUHnXYE^e7bXHXcsoo z@uQb9Kl<~H?pN+qs90>Q$0foEN2#rHj7}3826D63Cy=%eB8}D6xMaHhNCR z&();$UtV7J(11CqDvK^3C(VwNl>HhA-=C52iBGFWxdb*Ve*N<&XV3gcg(-0&ywCmu z)4lrnhD6PYFeS{QQ$0*|5?xJS{|sOgq!0SSj6?|H|$;!b(612h(R@6d^rhm6$7 za!GXDdCo=XuBN-s%rIf7&7a7IFwxG-KUhtvz}+*H=fBQ$^J741)7`9rLO5?H`pAT| zxfQChFai=aiFAeRn05#`#QHDXlQ3hoF}PRx z!xdi#4qVt=*2**fFCXqd{xnf-Ac+RYW(DWY?QF>Ep1uKHrv?*6$x-0vpn822+$o&A zwz*TKMq4%BbZ0R_v&G%mEp41wd>e)JYWn;u_?6vafLN$)Zpu=vRQBtqzv6Aa$TrUY zajV!ZOO(+q#j-Rn*?<1=(;xow#}6CQLBmm||MeTztyS;D=~E;7qjs-3L+X;|DCB?s zC?uo(0VviKt?gXJ#ZuynSj_Dsuf57J+JJsAOjYjE2ZA5lI_aH6>4{y2Cp3b^B+IdN zk@f1d@Y}{h7)gyR?m2b{IGwNevNphCda^=-l+x(^m^;ik>V+}n@ z%HRX|`Kmw{Mf7zCXz=nciv}*Nf5v7Cd4grnP?x`-ES*1l*O{)c2aXNBnA4i6++R(G z|Ckf?-QA}QMflH&VvWxRS%rE<5;H$aj z#nX}m!H=kv*ne|vI;)av30aBFdlX$=41FLQ_XALT0jwk0Vy4x~XIaPV!oS}}XJAOj z`rZ8Zhwnh)nPdXTN*?~$%~;Bf^dzn$*)SLELomR+_`1sM9>5KvC zR`9DU*GOpT;gO*D@s`OHW$2)fraL|k(vkQVNo@QmOjO^0!OaG?pCK8(Uz4dD$kjy4 zN50li4%Dxo{)+Jt_eA{aTKZT=P5!IJQ(P;Qx=||INL^+Bx086X|9-7n}N;X`T|N!IfQ*iCuJQn)FUT~I~|u6@K;oo@6IWYdtfC-{%#qT53EGKzn^LQ za5epH`02VuvbAxF_{E25NbQ5_Zf-uH`{jeF3it(8;p>phN>haTfuYLvK~>7IU}1gc zr5b6x`3pi?N|WT_YJ%4n=3BxYYPu@cbYNUL=#)h4@Q2-Rh4%=BKUCvJC4AdM>oYEI zALsWs=*}m`h#?o!P9WH)6HlM@Y!+|hwlN(XM|N!t#n~Si>Sh;(u`&4v-QRo9Q(43V zLsjf^_U8V`HMN25%U5=cQ$7nze=hQ&YiUP&O5=;eFa@YqqbxbmL`NnFa zt!u_Hj>!9r%pj*aVPJ2)u5_Va_smKw<)V}&Eb6dJ?tM&Y}>%NV*faw*qf-I`M^+Y`&5gt zOv2(wXQm95wNE2k!kprN($R4wZSOO0{0P~yF;!a_)A&aMAEx8sN4*Y=KzJ~&2RW2) zCn*I(UF?07*p#5eDt}do;k+57yIe4#QN>!4XDdU+?AK(kZExAPb=;3OT*KeJUt7%lf 
z`3LhO4e9BiBshM&;q|IZ5)eP)a8ZK!11mx4Zx_(InzS_BBz3oY$vbslEYxE0aDVqyJg9kbx4g^L?aj?iF^9|d zk2fE0?tZ$z`IzUZ5p(yjSl%u_tlLfb3(72(>StAn|N502558pLbWl5lbNdDESH5ue zwOY|#tR7g&PTS9A{{;X$qOw^m1QkPfSgf4xd+kMOd|wm(xpWtRQNn@q@C!1@pGOzr z|L9pH#)Th;36>6w(c!xAxkXu!Qc^`&2p+rpAbgI(d^H*C%Mv#~ZT}nlU;o)BTZz9Z zOYVJF)36Te@cs6uDqnyB7M=^;!BDWV}*xm-@4`n3reCgcF{i#-KKpCNxRRkly?f#Ef~I>jx) zP_g>3Gh3>oo1yHqr)Rw+K`dJx66G^6zMuOygl_36QEi4A(}y#MZ*Zv&ZE|Jp14ET* zY=bOt)9jmJqe41d?Nv_W1?wAQ)0^rKOOoDeQ{_jP3bj;K5tI+zXk`EBtm}i_>Wzw1 zKMgTXKLm>aY;Abv3@}MYt*$0j&1N0&BUC32*WpkVxY2C@Pzi>2>(@b&aL@xQf$DJ= z#>1_9nx01j~)!_s_)b!+lSfhSL`QTN@33 zYIx(pYu-a|;0rJrq%2+%sz0tKO8pFZ#SPk&$Dz)*C0tX2~%_`x7}yJXD+L+$BH ziNe(+roT%o_y>jp)91jOp?452_u(cIFF#^*7T%@QC0+s!1z%)?L?*q8`FWa-+?YPN z?aY(VOsLeepv44a(ZczY=;>!D9sNGeCWcbb?*xn=`$=7)B_^FFu1kJ2=v$!V$92*c z>8$QB3O2KoG|NC{6MKhEdP*AR>5q(D60W3$vEN}OyFZFR( zW|(__a5XIzpP_*CcZ1H454~Qe_9B;JR0rjw7ucT~I}Ors`SGBkylZNh%;eT+XJIa! zCq}f5#9t6&a?bu7MuJ4nj}e_jj_IK78VgJ}a0?jR$V7#YotfUxJr00tj%6C1AaBJ` zj{4*Xpap>T_*%)bUE>W6ZxAnQ<#Op7Wql_VOpx^8(S0hb_{3Esk>kOSah)6w3+Hs+ zij^_NWK4R88-3^VV_vVWe?U2fN+aaQx+)2CCR^CPckXe|vrO0e9zo{_8Znfxesv1{ zMqN0k+Bl>`;bbLjJvYv2>eKG2eZ7okP(pfL zGGqG2H>qZ@Qr{krCNlSs=myuf8nz7gSDc;}iHZ|#I}sZ63dga*ZdW(gj-;VCsv5<_HPouH+Ey}AO82>w>KXOlYb#$ z^P^q4gCL5^z4(vz>(kMj#b2enq0?#EtgR zg6$2YC|2d78v;8L8j|-uGE~?eP{D__DPWEQu7K&BR%ee_Q`Szr=a9mh&RztOpBu>q z!9!ccCVTDx)Hq{5zHFLyJO-o7BxZh`Wr}%e%F?{3#@k}KUCV~@e?2nP$DV>ZW_w}t zPfP?289B4?yg&4H1#BF1(ZDLt%MQ&n`eflpaLylym;<6FO&z>vi55(FWGI$>_83qY z8LDN|7<-pth=@)9iQOMka(^CK$!lMT|2*LQ$kh43*9P5cK(-dUGtu)SU1y*-mGFIB zL`ZcDF1PcBfFCWJ4nd)|hIE)dvXaui00wt9l?a0qe}ZpmWTuh#1OdPn|6aDSsLh{$ z?lh(`N%%!zr#>svA@ayjzM*wW&=b z8<)63(!#6BYQIuBKP1Owhv`S@Q^?N?bTEYzc$k5e433|Z=T&ed9!}JTR;x~)CQj_- z#5CoymN~9Jus#8mFG5HL$d9Ug?o2B!hIiq37Va59``jr@W=%i-5bD`MB^iGTCZrWY zZ55pn{>Vxr`&A{MA^nuZ#E*dNVRG_uAupttk)vQ;O~RUng*k$DQcO6AYI#uw5*$Cq zaT=V{XHUe%k8d0^SyZ(~L#z;Em?<449t!%x5XNfuy zsR?(iRIpt*YSgSIi$z3HFg83Fhb?`TUJtdDcV z@r)T2M-nf{LE=Z&7!DFY=4WdcO?5SGfhJfWvmG2IjZ&CngJEO&+ 
z#gC+oL8ZEXS?Oha7}~UA-7Vt3U^s}PIb_r1UB*x``#7{gmRDE0)vj+|suj#oH~Toq zDRHB5@nb6AVDk8JlH(u|5IV9*K-Z!pm_~|)B}$5qKmBySnBRR|ewcr7m@J9_=C~_< zs8s8^0#@+691<{NZG3EP8PkCzfZM@mZB}<~HzgCiSV>~XAAMjZktjIvleeSbL_6M& zf)me(C_>rvvs^yI{$N_TuP7X>WU2ev7>ww%M7AGUsZd8W(b}3q0UlqLUL2H$#feQ2 zu%t!DVyTxZ-{mx4XC)|2K?_-zv{!?bZ1kJ=I93|b#N4b(;IT3R6GtWxF=4sMvNWW1 z$V&a0n3%+Fn~$uto(W8-+JOhH=cO*lxRkCSfkerXHk_KdT)Ix&6ed=J&(xt?!ujO& z6BD*^R(j46nN^k5Ug%Pka-m8qmM#siYRerQzt3Rlx}>}mX2D9fd4KNQjfD~%B#U4r z$Gi_i!+fpQbRHoqW#t|O%t2{ZLwloSG@QvpG6;@rAyS=m6g=rd?06N0$VnJH8Nxmc zI5%CzEeVG+6&UKjaSt{xl^VNL!@HwsevE@th*{|o?<2OVT=sp$9qQ0sGO4feBP%81 z)3cdW&Cg0tIEt^u>=O)C*tXgE+&w9?XVxoTIN3(4Sa}3!lHf&ztZk zmKwwI3SIMb6YJu%c7 zJ`@Skp{6v%6!Tt$pmzlKH}>#evlMYuf_4Et82s4P-aLmecs!0Gz}_+<5%Qx}gm6LX zLBvpK_&p>Uo){_*r|4)TPa8j0^lmaCPYeZ#-$B~tiIoKLu{j$=CgKK}x*S<43=;xF zULf0%8HJsuE4w5kyH8is7EZq3;*sXnu}7_>Nof42%!#?PGFbxf>1rau>6|3U)l6c! zBrLu}zE=2!A$y&z|8H$7YiGR`U z+NY1X5E}`PJEw8{EG~eNvb)XU;BU0CGuaio?N3gb)(-oLp(OB$RUeUIz%*D{RF>c+831 zG*-kl;i8i;C?SP$2zMlD@;v=G;>t01SXFtmtCJ?16DK>0?P#jv8w^h;nYtj}yudhL z-gKMA=#$hKvR8B-mcx+v346y@7ipQFPwZu#hrBlzs0~MYAN}zbTCmL|wpWIo!)XM% z$07S<{88W3Y0u~*hlvyWOR{3S8i;>!#DXQEa-x0jBRK!WP$~KZrbBhhRi}%D7J5$% zb)V11II04QXF{T^(i1CX=re+$Z@57{i_6AP?Z5tiP)h>@6aWAK2mnxI*jRZ7??sFQ z0074d000;O004MwFL!TpYjbF2Wpr~db7*B{bTTe@ZETHJU31$i5dABRo_iz5N!*XI zJQF8P(>m?FlaKZpODl;6feNcQ?yv8HY}Jzsb{=ej#5r&dy9?8mHjlOjK=#~7WwWG4 zY(J!_&1-15J<=^G`ci7saHOuOQrjBfg$Fe<9gjwnwBbS}v#EdgpJBN!;2UosOYYp8 zF@4eBsvO8_&g45#(E;06 zwzu?G-Vs{fl3TdY@`os}&XRWtE1=|^#9O_(hK;5(Pnc_I{XbjvgO5iETY|+a(F@Nz zi@Mn`QNIx?OUCr%&;IEa)sy%oTyo^IsnIKD+;F0HjdN!y_31&ZLOI*-(9mZ=K%Cvd z6BvQ(X^KSW-lh2lIzI$Oj-3qvFAe}NI6|dOXwJ(6&|4_MfXabUMCOlDSoD^&hufO~ z-NyrTm;L526euBpzdC@whrCu=>PkS!h))OLH(XU6#dZjL{VMkjF5$^5wMx z)~pl~7$tKlo&!XSS4!z=Y*+q|CZ*6E;&VL2=Qu)mP011p%5lGrQ3Uo)BXbd53MfMH z6`Rf#I!l$#@YPWzu)%Fj|F$nD?sdoJxv!~` zFw)NZ(obFrgobfzbuP%{!nuxvJ0S~V+&}pq3r+_MPGiZWS0VkUUjMrY=&F;HdomdI z*Rh#iY`)+4ZTh?+X9^c`WD}>K(yZ)^>+kwyUl=BWu@amAQSUM8Y-`l~Y_D>c^9Fu( 
z!i2@2MGq6oYq~%b+^gwSK{!VMD@$C-G+bbR z6&miYvp-Nv0|XQR000O8P-NIxWfu*^-~<2wEhzv14FCWDcx*3oba`xLb1ryoZ0%ZE zkK#BG{wq=5cXB}zuK;Nq3GGO`qmjB-+Sfn~SnC{{m|mD)zdk|^ph7r8Got}@6T4jX zeJ+;|%8YWhqxf}=G1ImYjq|a-W-R^HF!IG3M?wB6NpZ|2%Or~e#*5j?$kPl5VJ?&+ zYS^af8c{%EeKLwS(JW%Qwn#QH8|$X78I#d6iK{AWsH+;@IEb+J9?-Eq4JessM70hg zLU*d(mNkonCYi=K9nAG*RsKyiu!^GKTG)z6oMf`rP%yWEnWxY;s+5y>MRC9QH+S|G zuM({N_4#VFGj_FC9FciK!!7^^-gIvuJ}+$C){FL`xDey2akuKvGBi}fh*mFbx>e@Tb7+Huij}=|}FALH)yk(`cw#%pH`|%WSap15AcJ@=V z``(B59HH6@;qF}`nSWW|Ua-$tS(?(n8 zh<fYKL5P;{l3rh`#rzq{o|ggl@82cuXhka?bdAR zTDjP&`PaQO&P_7?O=^Aa2D;AKqv~2c=?Nume+RtlIW8m?*F2w`HnP8+nL}(^RUrNo z0=pG#M;ypBFaOonK(>Fu)&|lI;=0k2 z2coFP086PFQ&`U*NnHOSQ~wcPxXrWSm?{U7uGD4`$)A0a);n0H6b@-EnApY zeHtj25oF=}7LY_S{W8Hu=$Hmsu$aDJRw7^FYtpBs!Y{W{WNA_|+Tdw7Qy8Q^s34o) z*ooxF%PBs^`m{c59DOg5dT`vLQ|33qF*2V11PK)zkcUzSNb{-0h^P*K(Rq@PB2qa~`YNjP3Vbx>2m&>v zjDueWQD6{V_z%)VXs;3^SV$=!=$4^~T}y}kAH9%!C9Zs6o$vcl$h4kJVF4jf76Jl^ z0P~hA(54npUb;ORqAhAxCK=%C@CO^BUD8!#}^spxgws*I?UMc9W(1U(dY=MWmp1qkSO_$ud*ag!V`=IhnvjP2@=@9Y7 zc0rgjc|W2uAX->@5&ZGbhMfI&7M|T$!eRUM=Y21PJ96^MN~XRP>CN8Zd{|T<7g$?{ zYb;O-9Y|3bWhT`Ay21~1|1*^_gX8NTT8pKPKRwDr(1~rGmQYnp`6q$z7m6Ft3Mm4E zK=WrO*spYd zkEBo0>WXbtp1~gEf~`?uOiWCnV_-k6a)}JD(utqOsSg6N?$Zi!hRHtHqSS20G`yahQgKHJv9<}^ zb{&*5YK=HHI%RQL&(L`_AEjC*B(KPUBkh+CsY9ZlL+cEB^@Elk<_uXGR@`338%eeI zMyt>a)fS|g&q ztFO*bOA{wcT}~-3x5qKPb47nLJvq1gdz&&)xSuNlTc!feyLZc`TmJj4WjB4fG2K!4 z5&~vbCW!-CpPMKsW}y3IwP5%!_3X=>jCa$A?jva=bRlEb@!98n4(SI%8uNZCo`w@& zjwiTu>(u@N%GBIznGkuDbEIm~Y7Typ&nfd^2#kw(kT7`oY}VAxf*bHP^UBEn%#Y=x z%|k3-)@*fMkt~I-mVqI=LT?W|;cu1@ID9(gfgSw?!$$Zc^F$mX<%O;iRk!WVy)ldR zQBFK{kn8@49U0@@97!QG%ru*PzgGJ2j~?=X|M~%SixjX{FAEGBAArXDx}6UXi169) z;YPP+rv?PEah8IQhevp_AAR_lAcgE&$|j(qRh+`C+6w= z{2~l|ujTZ$D?wMems~vbhjjme)kn~GH3f4AD^H%tE*(hpXm%ne z^XOB5jGWW0->sBjNij}ip%^ejt57>f?^Ch97hRi7Wt5|L?Fn;W%kdq*(_$w|mzPOP z)rz%gawDI^7X(i4xnsy6?~+BL#*U8YbW|Or36Hj5N$eYDr@BDodpPAhAByTeo&OBh zHVF#mkWxhZ3t<#j`|#QU?X0?At~u}%Ihhtz<(skdP@40D#CJ@t(eN_4M^VbHLFXdJ 
zH^O9YFy!pq?^XlmLF+4zml^n;kJrI^Mj8xpq&*lS&9^0w<_yTAJx**axDM=O6EI-F z_<9k5T?T>9V*HUfOn8LWui@bvo6C!q(pIAiZ#)V3p2SxuFcZM_-=h67xPX6yS6GTo z-4q1Sid*LV%0K|G0HlCY8$KxDT)@_SQ=aYH_iu>14JnL`A0$CQC7H0zE_9n9fi1)< z^|mAO#>>Jh5x30(-k$;ae+1)r33;32ZNh{L?Yx9LtuikQZ-Kte0ygU0WZ5a#d7-=s zZ3k-I2l+O=@d9}h#10VAzy0N3(*-Y>HxliD`3E<_|06E(^6;MW9iCZ$=U>h|(p~`Y SqK(`w0(u3wqS-KT1N|4GT6*sQ literal 189336 zcmY(q1yEdD6D^Fpd(eagC%C&4oPinK-Q6`fL4&)yTX2Wq9vFNA1b27)x%d5F?t4`X zr6^sJj{;GTXV7+}z?2VP3>>Zq$4ILbq zJZxoL7an7^Bd*Ngde@%F~rk=qkVt)ZCH|0%=x z914uxq>RUe!Y7PqQq(Q6BTca=GWLYx-;JA$n))JRP%%edid>Yoqwss4E{29Ncp7Q?#SB*x&1qJ#ICkzx6_Wupn*xt$X zAG{%Pa@PGUSi!Fm=eo&T(zJc&d7lLniBULzTu~P)7+DE^2WCD!(pPVO;+QTlGwUX+ zYpj(gLadq8aL7Zh}EJQGrQ%sOc{wuI~!;I`5*)#&}QnoBXCe0MqxnG zx#&5^4nGo;H!s9P{pHtg2=gVt5DK2pL!LciY6(j5J_9zP;nQuGzRD(#nKA3O(Z>kk z<&@?!frCa&9n>!wS}4?{X9hZ#HUgh)Z7LL^nXkO`UKzg1|G^=^Aei4D@nj|^Z!h^V zBBO|%M_a?!W+XW<+CKI1(CP&ZD0P$ZB5d^SON_+~psze0e;fWB&f>tMHQ;f2vhR80 zf#3gFrd`PG688UfT%9EPQ5wRV-#$P=;l4S}!-m<#!qnFE|NLhC$92b=+OfFYcz!i= zuLcv|soqTCU*l!^YzeX2mCyIGc;4Yo@ziJOQU(KiRrTpX`5=Az>ncnTsE`u>x=0uS zdF~g*412-~kE1~VJirx~j=ibd`RP7$b2A~$nee0tjSS}l-BfzA_h22?h|%worCLkK z@+s(mARfisciclNeLnHaVc-3fFn`!od2k_IfDiT5pW-B1P9f_Rwop69sWa9Q1DhVn z2z-u#=@V2RI4@N*?-e4+%4YfSbB$Zfgd>)&6CX32W)pEiR1i6 z)Hi>OZft*r==g8#5b`ErfNmN5RT1+q;4$oylxv^%vV_o29HIC;x! 
zz?_Mja4)t)Oc4z;IZzY}0X(nL%{|-w?Qp&gZ0A~51GUZ*3Tj8l;$%kIS;Vn$vz~^O zx%#O0r(8Xf+^MDdb9Qw1A(GtbF>5W=!lgq(N$zSP7Va+38z}mao`p;`no`R039Pr z-4{iU6ydhV67ZgMGfHmHO`v4=?kvMU=uh<-laQQ)jMqH=SafwJNqk+dG5AOISG5W_ z&-0_D%P^%J;iu>O0_iD=7rq>C)f1e_P}5d*Vc*LsO#S?B|HpIiru~G6=3w{Jc14Q+ z(>>p{Y{4}oAw?;t3K+t1JDYcre>ZU3#M?58%Vm}!OVJ{WY|@37}?IFHE1>2Qir zmQZe>eCQelR`!i$3GNMBXw81O4xZKuM~K`{2>|SwRlHS??xbc0>ZVimj&o89`$*`{ z$UtFK`?vEv%M*)djg^M*~Xvj1DX*7ToVgYUc)XMiR{I{4jIWU%Mv4eX47SKQs{(|=Sh&~ z`{?cEoI4aHZ<@T(OisFj&^)c*eK{Ixnh-MkNy_p_go38p1|RoL^V6DQ$l_00?rHAh zQS=+F&V*k_(F0RjOSpcS^}9j%0yO#uHga@_@RMAt{oRUZJu*&O;7m2n*P(K= z6+NLUQ$_2vS*@J{Fk8jN0F&@J-H*Z{uP650sN*uakNowtfuFVl{4n_j=9m0pMkb!c zrs-lnMFbb;Vb#2v(slAd-J7;)FBwPgXDIUs@(*>MV#f<{%4owQ_m^ zK`0wf_nt)KM52459=FcI6I+D81s#>_*^9eurfNH+9E`H(za;i4&;U^S;V|N_PjGKs z3k=;F%?kk){z&>O8La`PUZ`Zf*_YzVxSNi%#61+WEeb=qN;{gU4TkeSj5xWk+D(${ zzLy7?vIXIbH(Zwhu>*({KFp8V87xI)9D*~IQgr(7uNcj1_|wo3KB;MYsVNX;(6PpJ z(eT)xA%FiZ_aMFZRpF-sS}2OOon4Pml9lCz5Ps3Ro~Gkx-HGP>8yvGnNmddX55N4x zgnKl-Rp$M~c>s&9ev&QQMsKYl(7Q=vD||pezg`yN;+>MBely%Yf$FOwy)Uax4f{ zQ2NQWe`!_lZgZ;mGUZ9~bujY91>lzR&C}{KpSlTku0R6_vYbqvgq{?WL~v zN@`oWZIy|gm`2TV`F#DV&uw#e`a=BjNV(24<-$SOsZcLNb#nQ$9mp<`AmiEV^I;eT zxcuRw-~Gh>8MQmP*`5EgucG_emBAiN)A;zPMmX)?bzt?fqJOEfCQ?w~W(9gWgG4{3 z6dktOez+|5Pdt!wzOXN8t?25g8G8!q>geiTa-UQz&Y6=naW!FDZv{?$<^^N{|W9E6i#>ZzWb zlM+23C!Fbc+jsq#fu&3KrvrmYug%D9pWuQ1sT$?A1Lb)?rjl~69Elu+-H8U#92akk zsjc`ZQ1cOOxE`R+Rj;G(;YSpGPrF$ie+Qu2?8b1Pe=RkO?E<-%4Ud-*K(J4DAa&xE@%2@g^7oQZY zErv6fyheNCc4?lTO&|zZ34c?!9c8mTi(Vb+er~Mp;^9o3PwE%`EiTwrIn9jc{}`ro z47yzNyLx#jzgy8iU7>Gtf0^r2U7H`__viE8Wzc=ypyXp2&dGkc!pK?qP<8{o>R}7@ zK$xq~#62DEyA0N1a@}h0?o60CY1T5!A%jTpar>WGZ+CR5F71Mrj$R(DN@|ep1%mI5 zwJDxhTzxZcjNvvosXO-J9GN#gEJOUi$Wt*z+0v;z4`s+FjQtR!GV4QNVX)m(C`q-zHeMaG9O}D-NEy9OaqD8yOW=Q5gE9=nhn0QuozOItKt%7Rh-MY^C?zJ;~ zNU^f;K@KxSpT#f$8JU{#bKm+ba(m)YH|ZhE?O8y&Uo#WQ2ZHw0q;K^GQ?{*IBg-mx zoPfK8^3&_}iaI=BalB`cDOd~B!--wF0eF^Nx*ly+-?mCwv=$e)R?)U9s1eas5^=I+ zXWzb^Q(7~!T6-*)j!Px1)^_}vThf&7@l-++5}cCZ z`2tR+4p*@sl`3Y~&bs?4@! 
zkx2J6&(5_)pO2pT^bq590p+X7jR-0Hwu;&T?W*xA>iY#vce{$=Qz4kJ8|PpX;&#?s zHUdJ;afy>+d8wJG^V&1ecLGh~mGQf}s`(5-t4G%Vg{^1qoJe(OZE{WmoFcCvY0AwB zI5^(`bm%YbOt@XANEsFVL9qndaQWubZs}87sa8P8PY>-1%$o zv!oE=U!E)1tcbVe?J|M9k6AZ&IS-xt{oU6A&l$+7+u;X3D{ORnX`=dlI@?~oi8k5@=fz8c9nvN2MGf>ago=cGI@@UbxZn#M9bFF znj1&9gQTG)i&BkW*o0k#mr)_m3uNJ6!{i^j#@K{2kg3eI#Y`{*n{>ehnQrir6k;TLRk!(u*KYLWSp+ zExm;r=Wuet>Rb}TJ`1K#VO;zH#|j5t`%ib%!WTX>+h~P~Uo^rVg9P9{q9fm~9_3=r z?nD%4MHpO&si&Z#o)(!4oYJ7M318@y3l5Qgm%EEGnWc*?t2A8$P zW0p73eEPHbTzcWu-BkRE(eXRoh@@(~w}PzGOyX8P-AHFk0>`LM5GF)}Q{ zcAshM?v$A(bszBO{6A}uRS8Ptb4Py_qp8Mo(^Gk_u~1>V>dVUjb-u__Mm*~_Z&C0^ zPB`1r9usBZxER-TwgZ+Xqh6B64FhvCL|xy1?T2*g-CcQGOpMKD4JJP< z)u`3P`#SGFJ#0=`OPi%xUFB9(&nq_3E6C2g6WJw)oz$3+mk79F>L^pYQD*R7&{z_$ zI?7YKVbbQM4^9b-GcwFHm*-Du;F%Dl*4+=GPmGH&S7Y!lO=2|-phqrev>lxu^+`;+ z=l;P4xRqp3b^M@49dX?dR3XbfGA*zc(5w}iDib*GQVd?L-jZ@{s`pB5AwVNrK3v^8 zbb_VGm?MKPty}J&Guqs;Gh!-lmi}| zX$-i1x31xt13ho$uD-31lUO-OBPJakD~L-SJq6gjw2pfF?L2q)RDZ6@sVea6nQ43A z18#LjeIjC}smdrvlqz>jWdo^hC)cL&C=3V(sJWb&cRoP78EJ3flYbI9Sn@|KN(tY3 z{O*;yB5%p%rCrDVRr*nV&2Jto+g!VxZ@>&`T;pkOoEw2I#)*CTeEOIO745jdAL`dIlyK51W68DZlQ!TgtH#q-f0ckG}Sq z^AfTWe67F6+Xaw@$#S=+*?IR1n6NRxP{S&<*)bZey#(h~ESL$(Yv#%Z(#vJA{m^3> z_3GvRLH-urLxAIl`HvCTie=y?D_O`7!CLCsV^u#J8CUapJF)zOCK8|d*eM3EP1jo5 zI~EU{HLmPpCHw4Uer|62nCM-(EFAJStg8xer`?>Z35z$P=poM8S)L{TzSE`hzG!bs z`{;Px_4!&^6HLYCH*JxOWrOlH*tyeQPCrcLZp6~HpfNv87k$3XU&fLrmfa=UMgY9Y zR0iFtTa}`VzTa~QrECAO@^pi?J8W(GR02ZytT+&ImqmLcWvdPr7k0LzE-Y-QxDG2& zDCD{|)wRX4J2@V1qY&&kjH+tyDQjcM8$x4uxOGD8-}TW>T7F{L)wNSJS}G;0Osa27 z4u^HML*;+-~y(M?XMs&FJ@SyaO$)+aZR>U4QhH4)Mw> z5ybBx(Q{hgu%2%3(u$k_+}V|CAhbGBuTt)gM+R(vD@c^o!>da)54Z}FFY2mYCLK6c z{+q@-1w;b3Bw`*w2%)VIdVfKLYq*Zy=!yc^LY;H6ysfjb|BwAX$s+G#l^t{JHE;BC z8XfE9Ct2=>H46S~d+1c#uG5|Qu2<##!<(A@=EH7RCGBc*d5!vGPIIm5#v11$>owAn zjrP)s)rGcYk>>}c9>>ugw3dC7S*p?su;H?w`tSbR5{6(@QJiv+>alfJ@ThKqTFCP~ z*Lj-GFtO@J_XZWB<|gq|P0f5fr!tg7sRnt347Q|ZwFY(mS7hdidJnoSsuUeGogxO-Eo3>5Drg;ZhuJxzhJr$^0tkeox};Ijqs#tYv!zF>lI#;XjBu 
zm)}qbxeQGan85qZ>7b{7yeU7!5X(NG?CB#qH4&2GEtD~#0_jc-i7%@A^@`07IXwHL zNhIAQzmexaUe2gYC7M*E@Xjm(;E;Wbz9CS45}9U1oGFbjE)b-YA6qq@4Lb@mCeubZ z9mwKoZb2#BSpd_zK3}$)9_D2IoAciX`Dm3VTyyfa9$x>)n)j}a+Ls(gwM($59eoM1 z$ZNa54%8C0#gpL6Kb6-1pc8M7`7_^PKV0?J54s$3*hSMLv>-)w&$K_>pMLK5vPe|Y z-4c+qYMd|rdaGIIfADZ@BC>EVREE|{{xTiaHVuENNCg&11YTBu`1hf#GV$?CBV{B{ zY^wp_K(s^vGj;qa@V=VRyNi68@FvWRT(&&#f1;P?DII6^oBI>Ew2e94ow!U2|1k8z z9+(%l^x$Rye0pdRLL6LMqH^wkJiTRjPUnc+ls(LUY2Fk9i{jB#1YhYNkWP%SvKUrT1WwE@%fQ zTQ!S+$ZE?m=_aacv_XJcI;Pzot(`KWUSH5Nc zW`(azYQQb;IeRq2lh%I6aCq?_l_5t-@Pw164nCz<_d-*v*dOHGkq?D7ckB_@s6vPY zS7JySvH}06*)DsuspF5KEblu4ZrP|s*To(Q=NYIRu@d5np1H%d!Oy0 z8pyce9}%0&gXWy7#{EjwZev>BUlm@57(}POZ1;ENqcigC^UW^T&=~GnuN|OP_m(z& z*UKC*Y5t6jcZ0T?AzSWATef3ZyYw%}h&)fY(D@p2)31SS8;53`uC8l*W4b3JeTX=7 zR$6%C|IukSrf<3fKtycgw%0Mc-&yXRg42$G1AZx2GhNAD{QL+8Xp+g#T|hTQ23G0* zes(K3EvGXa0N$*BVz`I$-pxKD64g1V3OiRjEq%}Q!&`NOnIpB;9sOxL?<^&(PoEsx ze~J66V>`M*{ktaUsJCzaHj;bwfU^{Cl$Qsu6l|~x)8j#DCDTW%0JB3SC~E7ZQ|{Ja z5NKPicg4UrUK0*|VsW1_(b<`K3`E#=NzwMBbKs{(nLAL~qJa}1A|{^ZJ}NPl=aLfk zOP5^Koot)j?>nxv=T8CkmfjbF~C(NuH4<6?}@_Cu70&OP48*NtEQ!vavpaXo0ocjk;2B675d#-&`WejP1+3 zqaEL`(3JtnwOkw))VIc$!?Wj-UvEFYV15Q8UgX+{_DQW>_qsA?y_U(Xjd(XGTA;hi z(o{5IvalMCTh+Y>^u?wdfR){X?kzhX@*6Z5+VDD z^-wWfgtPY=LxQEshG3X6FUFaD78-l|d(EA{<7~^41U4G?ii`z2y`Gb-oz&=3}mMZ&>^CzzKH<}n6rOfx)UMzvVAAuT{ zjA?iRrkdaBxG|{&L>tY}6FtQKr{n#VtPvi63c_hNr<(n3)E~4#xD89%m&L_0B+DoOywlzS; z3eG&w(Q;H`%0!cuf$LoLasC%U*{^whs2XN7x7sIH5Y}hb$_clS2h}<=G&FCosgii0 zMUt~0y37C|KBC|gKFybM;DG>Eal}B~>49H2L+VzXfgkyhVe-Y|_D$i}c;Mf3PsNjp z1Nx9&US7)tl%~j{=u;$f(kZVvftFFHeFDeyz8>e%?*_%Uwf97z5D@N@OsaX$&Pf8k@mUHMSxCKq^eY^ELPX5&ciEvL~7 zomvTlciCbe=b30j|J=oEmeIH@bGKRalD=ImxU;@h#eC%ewl}qH)O()pBk)k7;WaOF+ z?QVmGO77obSL&zIcb}aaZs?iGASwJWo_9Ki;!OvUOCWS1ghk-Qd%O1PnbL`QC9^3S zXM2Y+?Ih#8H0MuhAm>FElpT9D8n|{l?A%6P1W1Uv!Z=alO}5hZ>NNfC6Y*qpK_-bb zFSnwDo!@)GsaP1baF0QW_d3*<0_L((@nMF^6^Yuo?4zxJYqX&e`9SMAAaf=7r~I58 z)lLoOSbFL=E58b~9HTawW*j%>BQ&&D04C&0QqQGq=)P21Zkr&+b0$dOi&#(2%_Quk zB)&+MWkO(M7x38Cn^i`j? 
z`hMKzTHU6ve!7C57Le1)zCS;5>)IYTam0veZ9XQ|=iBX|wrwu{#GrY4^3uAHC7W=t z{I1&nWX#R~*{V^vvLPw#moL{Zy7txM_BdC+^x6rSjw~yR4`tD50&<2r82gOY-m?#c zh0Lw{&D~+{8DwSM3uR|KH=LdGo6WAP&JEVG>$9KppxGQTx_Xb-Nq&^bqCI<0mHZ0+ zhp!VSuB7l7yeOnjFg#H(+zN(<)eMD3VhC;Ahr8Hg#v`WLo^~es`D1`}EYRNpz&7pr z_gEMVnnKyPyaf5Z{UE{A2Aqw zcN;toOf;=FKh4h_fB#=eu)|{?9-8&k-)%q4?L{`!^pys(b4R}o{6*P4j0i1Cn^c;I z85-;P5Vzp~+k!cx(D|Urdrs2#(!3%uPG2+Ep&+!gijLx3moUefVukV%B5dT&n!)hy z;!|zF%mUK?-o$5)hd4Zh>#o0>c_`BJ_NFXx;3Wn@47ezbfJZPTSJ*=KmQKBG2t!*! zwEM^L2kx+!7xW+25$G>dp4964TjKrY6PMVt91>rPhXhLp1fn%LYiBo6ZY*A399mEH z`SzZ-%(Boq2GL#ZclJ`Xclxz6=-bwu+ zK$Lqwxmhn1k@fiqa_?i7lI!^27qo?(WiiOxZs?3-2ihYeb&`2nsoxHmF|ESsK?HYS z;f?mAYK)WAe0j>5=dz!!fQ9Ce!+P($k*-D?t5fAUr7igk#PvA@4p2N=SksSAcA|7K_BC-D@$^m5r!B4Uc z(X&Os3FH2Zkp0VmYMI`@aX&b&Xe=~JJRqY_PMZ*pa=3|Cn9>#Vqq)52ZzE zFO1z=AFIgg@3!(iek1@`Lo_wz2cj=Npi(&xuC*ykEgwvd072LUKI@gRYZo8f&>FB1 zp#9R4tu1p&|4P$?&>+p`+GyCSMM17gnw=iC17FI|0vYZXPcNq(cVj-DHJs(-uLSwJ zm2`XWRX?XQjvqfgto*r0ZIQdYIY718F79*>!gW1es3{XOkI=oX-04`e%C=ZIctk*` znO_k&b~BUyUT$6*!4+F^BJS0+mU^Wz#!QWo%YE25>30^;lwb)_ZntNh_%=~blY}At zA@~E@?%DzS4=&tPZ^;3~^kdMq6vi&W|aE|HBZ=1)>S^@M!oaXAv zc0W0_PR~o|LBjsnsxzk&V9QUTNuL}^u-U|Z$r~>^FxRRZRA-? 
z?wFJ2wNKXUIr_GKK@?>#iSOmrQd;>KO#OaRub-H-y3OVy`i?YWS1J5FTku?#2rpyg z)!Nq4>5sn!3)xY6Z9C$!0vQwT>Jn!dZ#1$cBffD=Y9}C@Y9v$KDf400S+*6+PHdiNWAjHo-5?!Ha59&$pMGFvT>@cVl`B@ zi>d&Oe?=6hTJ&1R?=|5WN>muDnrewk;&UZ1tNAs0pF!wKa9&Ha-{DC7hIi5g-x(3Y zkD&weDXd&;={fep>gfQGp0vt|sXDK(tncl(w&{MXLjB?Q;l!9L=5+UXx$EO{Mb+Hr z*9tcZ074Glm>O6pOi*`=VT{V3fYy!)X>~Q_oDo=Uq$6TPCy>+I@oB8J#3eK??Zj6L z7d0ZI;BT%Py$i{Rv=7cuy;k|QZRy}#p3aRjndX(Zvf|xX-c&U(=IW2)-8@3Dh-n5H zzli%N1AD*2Gh**|i?%-U@vX|WwuLC z{a){uTVLi*>+##XTd6J>)6KkKyybnWq0hH#l}Nycc2K~LgBLlell zT<$o}-|E5VjmOT^h0U%Amg9Z2Om!?zr$|ygGCZKFu;bp&VHut_&SW;@_{BUD_^!ma zHIRxdh`MFO4H%K*vZJBFNpHWIgYwCTt6qi**r{k0+(Q7S8)vuL)=R*^yCME zXXtnT5X-013;f;*LmN9GR}sWAdM@iYl53smzYk55ylsTs(Izk=QS-`firuFfoXGdw zNE!_qz4II&YeAC4SSiyeNq`&u^w+6*=hCbrMtE4>mzO1|{C5CXW$F^KyZZ$2oJ5_c zV`eUQyYIgDUFY)vPwgLX&`5`)!N<@-vf-Q)A8)6aByb)P%R@{Aie>^`aejrxCuc|W zHhN_jQ0`v&`)N?x!>W7a*Yj{WYM-P-#kc#6r^wlDqS+B?zE{!t6@MGmy;8tlInh8k zP7LM2ml!3O%9wmH5mHX0l+m2EuGRpVMz8Lro~N=v+*}R4L!reT3x*1F<@&@nrk%91 zMLOaU9i5;o6g+->S~q&6BcRs|;}nWuW~Ql^!MnTG6Hoe-bIQqj4nol*O-K6xqmut# zn+8}cBN}kW$^LMlu{Q(a$2M+6!-qC{m!G5DybhjcV| zAsP{ht$kVBfkS>K!XWuv9-6i}~cXrpAzuOe*2Jtsc zu8w=#RNTM?ZayIjbTD#L%`7rQ zYm;eLKF>9an2CviY-H<|?SgQO{{mozm%kZnWQe4M?V6jNUmficL5q;hw(8VAHo2TB zQWTx9W>uoMeXyPvt#%aJ`z79eu93B0-c;+~cgoAXxt@jA>ksbUw_#7cLY3G=BTThi zhm?``qndGq4FXpv*dFsz!_qUje|^s}PJ8u}V!#6{^uvJ&y0|V0D;nVFmcNl#D4&lJ z+q5<|N>iaN>3R|^I+x*2=$_wZ9m@T#jif+ZFqo1O$aBZl{{jq#LpM9o5Bh!u*0Kq9 zA{XlQ+?&+O9g>bOY73Y-R)l-x-+~`A3&1O*m;_oiV~={~{!iueqNNHGOk^%!^eE0T0B8?3ka|Sr@lz-^I z^qWArpG+CeRLFWg>#zP@QIo!2A{4-rK&jFe5bdK;uDsS&WC^8J{4@farbSk|sBM3II2qFg%x zu3yN!BE!(T8^1`rw3NvtrtB-y+t{od0qYzf@{@+;I|Eyon?R)k^x=HDuGK|X_00+) zNvj(3`0aVWrCJLpgUluQVVtG1507{r7L>Z}Ej-+ojQMI^#MRv1ZeF~z`{jTy(edT+ z_{5**#MzqdgHU3w!}Ax%fln!QiqvUCD){s}tpPcXkf4;1T58WKF?$Mr{#`K4~{h#FCV zh99YIBsd7`q$%k%2*+#$nG0?kB9QRJ8fHOpV(33A;6eE-5pAY;F>hRmdE>&&=eg^+ z;!xTf1gOvKTh8fjPYY}`J9U!nm^_>JY4-^L76G9a}wLa4m8D>1_i; z*=}p{6yC;`Tw<09c^7wqttTnltt70>AvBw5B^fy!^Lp_CND<-Ebw8?EZvo42f2Gm} 
zFDhRlkS15*Eo+v-JGvlJTU6*t;23A1nmf?Mn|%lt2D81tM=u-m`*fFc2 zRblYtk(F7f-uK|)7qe}}H>6=Yqf2ra&oI)ao`!giny0DML4;{j|C4~1cksnIhh zt~ys!96TZPZU;G)%N(Y5sdyI6;~0^;)`hPc_P6|Cd!PX)Rz!)i==<5#UZ4Pcv)iEv1*J%B#0g%HiQo@ zmp`?S6dzH9)kaYtKe;y^EJzzAD)}|Wr8u9+g7$Kq81JJ9AZmRjk4O#YPq>~76{fy| zv_Z$Xf$$zgAncHHd!eeO_(W>Envl4{n=Z2>!)y6ebo`H-T3ml+KKPVY{Qm+#F`x{m z)T8_lfJctdKzgpVqd8kSlVf-HV^NMF)n+@p-#k;x$+*@7cS*t^6;U*3;35w!Z3JGNXlm)-}hkd_ac96iv#N6_3_z{P@cfP?II|n zRIw$Sw4aD_*Af3J$lEF39ku}Uo#_v-Qwe(ECI0aP3ah4Jy!qGzeHJ@kUOJqO>_e{$UK<&GpvT~9;?xxj z?RZ-7=P!Yj@oZ6Myead3x^GMV+Pjwnke9xLlSh0L#8-J^zEUIm(LvH?lz{$Zfr^(W zLF?wv60PV5e1rmQNh=~jX<-WvBp*g?gWzQE!>+9>A@xk(`w-48_0b5N+s~!l5b2k z*)o9z5FRxE;4to3Z=g)pt5#u1#?Lo+yL0vbAO1g>;c4IqL2LY@L)^1HIOVAjZWj1b zc6YrdX~)}!W5U!*tO5B_B$h*YQ~9@caDy{SCY+7>!)R(So-yTx@*|ajVJ3n6-F=h{ z@1+qdqm4Q7WV4l&PQ2M|K1eOOaa^#>vpJM}#YTqC2JU?Bd z($r)|zqoR_J1kbO@^G&lKd!l^D8^1_^viUp!RFb(;rGJBDwuwpHhA-|jYN1o_J>ia zU^tSvBF|6kN^E7nqL9m8@gsHExRp?|&1(hgTxo`}Oh5kDABhw!hMyrXB9&u|ip-uN zl`m$@v+e{WV!W2D`N?JKPsq$Kt9ninWDrUnIsQ>CJxjU0)PK>hTAgPx;$t)xf~a?& zl*hM~TNw+kc@b^&cu5>Be*EJ=ZyFH#=J!0tw_axOqeeu@n!v@M$v6k0(~0wyLqEhR zGKl8=DBIBSC)8G}E~lILJ7t4cva-I+5ZS`o$fPNg?~-U->-)`QbvvYZEdRBsnd~Sm z$T?6fc?a)f@TkN^oG<`KkP(A(9%T+X+A$Y>LW|E?x^oy3TUX5+oCumhEe|0G-t=1k z)b<)txi>JLu#$425%5TgrpaNJNv26sE(DK^->D;^(IDbIBeVENfaRpXpixNhz7CnkhB{=EK(e zD>9eE+Jxr!q*SqSI1)Ww(8c~~tOPnQn5|sg-~PWL|6o?leYUvCuL^Ukn_?TK-r;%w z@};%Q=JnVQ(noPHsq$`zO&&keSRd2fSe<3$WABqdOh4mx-I!p;{YSijzb+BKj1@D; zrx7uDW9r1axCQAFG z@WVud(xeyGS>C>ppvAz&=84+HFN;{;3IdL&B7u7Uq#YiFawzETKX#$1RHP`ABK)l& zog64(-?E{?-gXOnMV35hAT+I+!WEh8W9l`vqNQ0oZHD6wg$J^zn-^k}@ z$WeRJGjBW%DYt1#tlud%OWTtmR-7vjhN8R#o)@!my@~rC@gTL>yNqG+Xz3n?cT*mj z1K6m)=4^D2>V{*foOR=F+PyWS!}=Kh%B)2Px!$>cXiDZS+!YE45gd|*P^&zkw*~?& zL@I17l0)KobyJ3ys&7Ob$hkPlPk22o?ynBpXnurdeQ@$dB;3|6-J8ZZ0rvdUYwE(b zNYJk1U=xisZ!S#oH9hC-@PilFcB6evQ<7T|obgo5vxd&u8O%Q1}D!qK2*5F}W&Yntd@kD4bqAR7JU^R0dh2OHDd zf=rID1v;k-lV;tDuF@^^>pvYEW^;H!J?W&%fngB@3K*)`u15Q81mX0#z_QCI+HT&eA{0trgb@` 
z-6yzqtn^RH!TX$s$JKtFa2RE3`de1u4i~?61`^dmUYFt6b|sO|J4EKs(%1Qdn$^pV z{7QRnt=?glKBk*KfQqEcN}oih>~5DUbDq25oo`HrI!HMShA0)$mm#XQxo)^iQqs9V zyFQug5^v_QB+dC>x};o{_U?+mxSb1xEg-XCarh-5iFC>uWQ44z`%LY*b3`DFX2GnX zvcdl6&yO1xhkQW|YRe5Z%lA#s#CD}~n{lFKEGE42P(F0mkOlfRbF1$<8k+KgcbHF0RuC)+tSoamUuTc{UbgWop^kfpb@0D^~+T z>=|ZHYci9TNOtE$Xnxnz029yiDJ9z(RFRqgWzz*t3^bciD`SYVj|a zHKL4~00@5)7nXe?ARZBDLl}9x2gE}qmL=vOeT z+dsRD4+O%VTM!gE_7-N~w^?)J%I~nJIKJ~1P^H9c#WxHGkRts}R$p!u#E2Xy#JAA; za7QEMM?62*M$a*Gck`ZZEBeM^vfQg2yIVG{ZFL8@j{giMCkYq;9!~3ij?DjYe166y z<@uhTxDYTE;5e&j;{oJlthfKzIX?$q|j19}$r7Tfk;Z>-K63g==`91~73{cyb1E{oQ1K(M5l` z=|k;;2BvUV@i!U%@P!rSK^dTHkzE`p^d{nW#M3lVqB%tHzD6)t-x4ECp-hxeAY!T8 zkqtejlxT^ElZ7PXM-#Xx5C07t%cPD~aD}0F#leo2I{_U+e`xa;+nwMOoca+;R$OnV z+`GFUwkfz-@Yg6}Ec-})30aHex<7E6!;1eNq+J)644v2+P=%&=W490bI&Q&Nr6+&X zb?4=&>6GQeh?Rn%OFOc~gRU(M8j|Q5EXMaE)}Bn}lscJr8=>W9K+ll*hk# z45f(RAAc%AJ-+qP<4Ch#D9RT%X3AWejx$FU*xZ4Lvt2w#>`!;+nVxoth%N4zALF9F zst5v22$z@2bTHq#z^>54Z-8nV>b)$QN#v%+!WA4OOHlJ82k$4`16clcPRD8ncI?JEPdYj=)Jl5`qY z+Mlv(Pm`!WfWLW@nklsbILBQF0LcgwW;wVb=n-JQV(jzS;5qK)_$V~PndX-wP1}tC zsZrjloPNK=04**)?$#_mUFqisPPgU~vihJ)P}*=4Yl$=OH|2IdQ_bWd!*LJd!s(hg zM#blMLB=DG;z?C9a3TGFC4uEzRAB!fny>wDZ3lInr2`RQyh~wu-^$&7XRvtV!Yq5? 
z*c@F1Y+cqa4mQjKsO$@GUNirU~iE#>c+-cB3E$m<>7v|h|3G7U2d z#CoXlxeRy+XTv8TKcd_nco3!>hoN?+N<)jF`~%2F2=M)b6H@vginXY~(l->PZzy&$ zEaC7$M^*Ppd*^fKSjmPM{~uA;99{SGwA-MK)!2>gCO2-Jrm>C2w(Z8Y8r!yQ+s2K} z_qN~n*Z!4raz5wm?BJPaW@q<0TT$7vHeZ#DGL(;msU8+!=4KaAOoR{1bNo?+fJiR| z9@;0knf8rmUcKGe2b6Y;ME;c!f?XZ-Ui{&!8T0y!h;G8U?pVT~%#=i=C$C2hQQ{UaKqJ@l6$@#6!&ifL(L21y*PXNFsN+eH ztKcsGQWKPB@3BFh=D98R*gI^h`2A09mt0baSIlU+=WboP7jUe4H?V9J>b$Zm!u0N; zGHbAZaUzW+_%1lZ>n;n#yK;;xFcd}@sK?IO&PJ{-=&86DgO3*1_bZaY_Q-Kub%TCr z&gjc@i|@8fNbg;INmcrD1hM}GbowI=rX20eE|+<^A=5a1{T&%r|Fa&&Dp7DLb;gg_ ztG^isyt|=V=2wFAa&7!)>c$-`4zOn90h>Mchm@n3tHO1UBfZ0sMGq|2?Np788TOsp zi_gWB9E03WTvwXOdl>?~5%6}A3>nW$v}`5_;4;%U&+A%?H#4onZ}Lt33+0+FT1rnq zSis6fFS-Nxx)VA#l-XI)h2~%X?=5`p*tVaTeVM2Q=}_5(7-V*Rp|~mUi@Th71AVU);R2d^g>py zt=u|&Hcgxv6B*%X>AHP|VP4@IQRr%XzKN^#^k}5X^-9uwq#6HkwI7b(cyk880S|3? z$Mjyu{TPuKu-*;VeOE_z2L4bSHmx4a0H-YP1a_-$ebYg7t+GdX_*4j`XO`>q6ij=F zmw?_7yD>FIm6m%iBcAEJd_(yfEYWuWRe=h+s?Vy-1jdWo=xkK~VU9O}w?yD)wMk%* zJ2t>*NMhuOf@9&kTr~#_B7V->(9v7m?3-uoY><|DWDsGP#)76PI@4#ORl{*#FKf1~ zp%|Gx$TfD@!fbSL=D-YbPf+ zG8O#SzNoW(=1%Pp&V^1Y113?qJ^ix%$4WoE(-TdBASHFx4OyS>-;3?`YGoFRK^xX2 zrcyD}VYB|)2((D)Ym43u7a1Llv(VGt4|c$TTEzz>v3f$2SCpZhTZCPe$P78J*1wFY zb1HZ$1H(}Q-A|XAE5?M={F$#;1u^GPQx7;$1A)1PWdhy{zIwKJ@8dq`AP*_;jz~2Q z3w9EdId`hyHfkOPc^UfKFIs3-&e~Hb27ia9qb;3EIu_2%-7}wW4lnStS!HR9rMX)= z(N`#5ei5514zvjClkm`DwOX0eW%H(m->}z7nX4{F82til5s|aVs+TUQNyu}7h5U{f zJ*o!rY0#O%jgEb|>YXafONR0Xo-3}T#>!v=zR+uY848rYR(Cc<#WG%VXs!P#Mqw$@ zO+09WXY#Id_@(RzR%jYbb#+|!M;sKjXFJ7<37%<5N0wc(rH?{HuEs^~(iE43izfmT zUg|?udmovdv{8KAiQ=i!t2;vUI$vgnOYR;j%NI-tVn6oeLL|g19**#2Cw>JP8z>;p zzi5b!DH{LuZLNE|ugu(s-QPp0_T{!N-noADaDO}7{e{y)dmwk4mU@97;a1u8cD%L3 zUZB>+NoR@qCU9ok^X3_nt8~TDmFf;3Xi68maws)+Dv3&%V+jppmxP46FakNnY&wO2 zQ>57~$p-tbu=QR)<8X+|m><0W`hFvR8)aFbnas}RgiD?^$Oh>YJc0jj18$Meb|4!p z#}xQg?X!f3(|nBh!h81Q8_FA-@5cZ&8F>YgfE`k@ub`sUmxhW zoEC6tuV>dVormJ!!~z19BNo&uPEpo;-k_ z>U|v6GtF@DsE?Wp?Qrl%TN3gf5g=C(qDLJew)VQd;drosQ>aI*w|uRVANvuHRz|RA 
zjr^0L<_ST6#md}>(s=@ZD?E>~HW!e|^5-`Z&%XXh~Kl$I54tX$NKz1LjM zZa9C{GQT~(9KV<-nPg~ii9XOoX0GR%dm9W%)ZoDM-%QCjXF9F$RV{|S+c7v5M?75d zqU<#kZ=ljPMs*f{NJsJB-*eXHmS_Zd0~=~o_aARCHez$cCEe$NBo$HMUkD3*Ux}k| zdSZ>U0x`ms{AD=h>8RSLu>a~NPmveCoaOuz8pIyCBNJ`l2j;WfAde&Jy8FTe8V_u- zi1MUBz5{*DjxO!J&Tdlxl^Dz(%sTAmJ?nZs(EA4DfqUfgewJ_IRX}P)>u9YQ9#)h0(3`7(`_9RV} zvC&xh4guA*$`vb{M{_NJ=@XPVD1Qg%o-R@uytM)kM9kN~h2YDDq$6#psSz{O#Qx~h zAoboyI!;By>NNJ2caJWzY%-&3;&y<=v_-mZ z(0s&lnsY6@oU%F;oAhiTIO>QKaQ<$L`9Xza{aDM0_9jE|`T(esD!_(P?-f3>GFSqI z{o4_ikPU^@Q_-v`6-hGC8sT8~8ZBU89R<*Hy?-#AVO|oUeHKY(O-1`Bp#yGzaD!B5 zFi1j&)PZ2>UG3A#){8oL&ILn{iU@F$U#kLu2R;o9^GPz_-yLnuWRuUh&sNY)+c*~f zdF>@yQqB_l?O!-m&akWdSMLb4-pb3DpF>;XBJ)>b+VsAbFnreSmF3+Xp>>MA@By#* zQO|`?^lJ+2|NVV90$gDw|D8gC7{#y@ghGLhWzp$_x6ijk)!Kc5w31_g|GvI0VbZ&Pd39VlYiRM@{uWHGNnN5V`*l`& z1DZSifh*kGQ~p$cU8;hbj{ip@m2C#JJ4yz$B9tMOPmE|qE0!FEX9&x{#8G?DFhn8h z5sFbWdy*Ka-*h)6U%w$A93n?a$CrB@QHRA9H%;7W)+d|kwioTyFhAFXOpnXPK`;!wn54}7G%J+I<%wNH4662HNG4R7wE4p2r)E3pnD1H zZdp;!#YeJypwV1t_P|&bU}X=5s=263)CzCV z)Jj2L75v97R2*@$w|F44`4uiz-;{xQX`=bkyOQ%f-3M?Skrf_u#;i8WD+&weu!iCV z)LC^&p^3jbM?gu&+^Q!h!L05xQq0$#vQWW}Sd4FE+RM|*HVEG#z)lUz=(*=DaBvy_ z>7ouRFcGASM363M*93d~s2rX4R?TiKXSiUD5)#3)Yu^Xts8i2Typ(A;mxn*mE^_o;odHx1DEZ07tt?L5s~0<(IJ2sC_#oTU<{nfM zX#3?~gjsDjV4qPoV1pve>Qf_j(Mmqvvm0UDao&%c^L%X8ad9yBxHAtqYJ0Wet=Z)` zKa~_IvAIROEk4}5%&k6d09GDf_V3_B++qk5K?3EUfHqY&gO7As?q}-`3e}RE{IbH% zWF%J*h>1{gV_Sp>NyqsX2d;&(Lp((1R_aiH)u5kb-4J<)+JFR7gFe|7zkFkxif7vM z>T}7Q320Vx%tNVchTS`aCa$`KHK zZk2ilYq*Ma^7fv!BV%lZO)+=+3hiEWdi5|Wjxe8{ zPwHPJ4jnsT8;2A@1ChpouSKTS<~R4@uSoPceuE`Zfz`rm3V;6Kk6}AQn3AaTZmECk z(;rLn>IR>RwB7sQ(Wf6@gjGeF1^V=_`_Pbv>V~!CYljtx6~r<`eaRX!=ET1nIgo^; zAHmu@@7hp5*Tq@6&WBrZyPuqlFIJVkod$KE4)Yp?@%vo>UV=i-gSIhPBrNH_;S_g_ z&>7&ngA5maIzG0Q+Fvq|JE7alpeO6(vs;Ga7nR}cU*ijhKSr4OH!F>Y=|+Oqj|63< zaS6T10-KCm<7~A)c|O~@`p~hoXlfuUu+IUUt@^zEz%Y1Jb{BT}vkPY2RXE&!bR(G@ zztQiS(u6J*< zzA7|%pv#~EsSmE0yH2=}ffZdgaPS>Je#5Ae3xD zMwuSNT^Gb1X-wrgW~ymoq0t99dI!YK9Hjq+1GdZ02x9+xxk%84`~n9skq~8e*DOYC 
z+@}v%%-hSkAMYe_zL^)j05wdh4`5l7)G70q&X(@FXZ-nYO3-mMowXUMC~Bg%Vz7u< zl0l|qQP!&L)o#^eT#$Bg8}(R=?i3GT#T+rVNn%cSZiHbE41z1}1dL7pqZhtm+s5~D z=PV$Fc9LDP$T#YGo(VXYvod(Tf8kDCrykW>ZW2>iHX58QTGoVDv>>eOD#W5fT~UlF z#QL*jEt=%0Rci7k#22}rL>ZlVl9}S}WIkQ`#z>-hTk3;=bN`wQwRI)4-{1ZEudp;I zww{6WgfR&yA~AM!@NU&UX-ob&D!u!+x(g(MpK(t zGJ3lQ=6~Aeu)PQT@aKiB5$N;6G|m& z)lV(?mu>S1MCQ)(2~7*cM5m<$O$%(?t6$|n;~!lSR=Xq$9#c)-oxf7LZN4`jTBipz zJ?GYWFiH9T;cIRE&e-8sEU6pDFqEqRTGS9*Eyw6hJ-$Ka&L3=JIVmoUAvC2s04d*p zw2CD>e^aV+S~@P$A{lB%dKcliW9I|w$sA=PozAiLvQY zkLo!AndbTebBkZeO}++gu`XXzlF4rzAARS`Eh7m0us%2jj<85pkDuZu+AOUV*5VhG z!{ttg$LYrxqQR{xoZ5YSJ)+VA9Il=4pHFCtu#whAYdng+cXu@5?pv$3-#HTW7YE~8 zowEVohhC6Ua2Hvl;rW#gw`7G|v#I3Giu=(VfUsl*R&$YS!yP5oC#1=+DZ=x;nrj;T zh-Du%v~W4YgFIqA@h@lZ23!Av_k@`UDDoRY`}7T`Xr;w!?i_Y$^-ynf+@N}_r^;1c z<#vC?%T-Uctj4rMBISxU?(_VPGxVyRxh@Rc2EblGDD-xMoS5xDHp7G4xCyZ7hTaJf znKa7-8_Y>=6d%dy-y)hN*4!Od`Q?V}bW2+c2w(XZF?V4C7WZ<5Z1SWzPh?DNAPAy^ z!gB+cTv8ZQTc~|@*VqHLCwF&Xkjc*7KLp|Kn-@q+t4RcygHH58HMb(btlN4a;8TUf zi3nE;+Iv`oD11qq7kWzH*j*tga`PT$w%X}z+(7exm{;1@$@)yGjZ=g&rTEDhrwAAK zT}4q%+|i2xczn@g{#P%n>T>}WF zXw|DY4U}g)7-tkFzQHkK)%_tng2UHnYBbZ|*Ejh3>&jl`YR4&$rqiCZ-s#dwj>YB!1rMP29%7J}#Rrz9hJ^!qRbFln+%oYfi3IUeznz=a3 zQOU!s<2K%ADc}t4$>X^RCty#*zw z#|d?vKHC2{u3fxB--YNFr4vaJ3RAH-M0A18*^>Fq!lL*wY_%<^_%z3r&}E_j)bij8 z&sAdlQv*qrJJR$`@r^szyV|vuqrG^Yfclji4d1-d2fIfMD$dx`@t=O!Be|ooWvtOj zxAv#E^+$T-vFd2D2@LD+PC)mfn@<}CIo%7JP5jLeD6AZUA7{>K*pt%uf0M!)nxJYq zFvEO^Udd6WUX6C`vg1z57`_f7OY{n5R82)I%F878q}q-}%6}UG>#LO8qFkT^Z2(eS zFTcPh66_Se&Tw4!np~#adPf2FodC!ElZjIIhY9W1A-H&8Th}HP6>3R49a)URe?CT? 
zT7rUaK@Fz7WlfevC}(9N+Sx;Mek}^POTx)5)Y{QG*}okm^9KL^&&d?Gy+|)mJ3##g z%}BN2vDmTgKRY!&p8-(L(DXA7rAk?KU3iHpoj89&$yrKZ}F5PKH z71QCrW+H95J)h7YWjF0S59T2KQ6L8axj%#?473kwu+xbM(@-KthmJGlU849)q`nY3 zlokZtUGC}wfb!oKQhCEsQL;rd5vx|Ak9ao{Tqq&c>p?>{&p_db%M*4l3TWmTq~^lT z#X|TIJ)hnY8mbl5X7+&$pvOm`ABp%EbH$2liI7MF)RUfC*{V6q#?|r-ql1qO7BCNx zYx5FBN!y{~zzxMY%`#_WN9u4i88-XD(wIS_Km5R+S`r;Pl?DYu1$B&RKB88pdIC1_ zyecxcI+a-}=QH99%dNp}z9<-Z$UlRt^+yT)KviK`DxC)&381xaC|2pU&ow))is+L;i(k}m&3h`0Hao~HoySnxsr@YWUe z>4*g53DI3;G>F<4TU8p7{pyB=U@X4dQ33Z6>(KJ*7Ix;_qfX-|p|m@^CQSyhp}@Fen|oN5&oj)k3PU{ShEa zOAE#eL%iF>h#}rnSr=b!gI-9aCrh=CnEfNKs>^~FmzV!Cy~3>ldFnBezq`#` zeYO^l<_-RaZOT?uCq=bP44bGK<8M7YNxIxxpL2B_!B(DTA6Kkk`n8eDk`4YEx7k*_ z$bC(>o?#m7%TSvd=ySpuoQ3{0hXBylIH=kMO1qKt`z3AnA3^Q2!F6S;4o9ABs>C7WHS?MSO zD5e#hTSdt{rxO8BZF_&~fH>lY^Yg{pWq|zP^Sqo6vPdeLi*hlL;E3*P`bV0v=b7=A zj;l!BGWS&ce|~UFAcFXieULeMn=gsfY~-1B4*4XvpL=uLZjNKJx;0!!yWTaFl*brW zYa7#T4Q&QHu7Lyiws~&B@SuZU=(7~M7wdnjSo6lk-T%sWw>-bM5}*K|Puvlc4iqzh zIYio!MzJ@e6Agsrsv#DZWV zFP0DgpWbD{r`&$WcXned6}oS40P-$;Pnn-r)<;9+1=JbE6zM|Il=MT1KLz`)?|HS2 zF-Nml=wdTIkM$Q)|IM6x&(yunS_K)0;A;W2U;Eh`?CDtnJ7`MOA}jq3-ijp)%# z9EQ0gfV+@TkmD_RwUW`Fvk&{MYp3#*%@%y)V?}hH$AC`5@i~9N(6AT{9zKUgX5{@J zeMzC*0Gl9K^bof`17@~p6+&HqF2-ByD%ii>8!T7c#oY*^W?`I^0$^2TP!~q1M7&_i zbq?Lxa9oo@BlFo~NWProc=SX6{)Rb-Od08e9&ao>D&kHYJVBmz03RVDhE)4v{saST z>tCckBBQ(6{Vn0|^8CmRB;o!rZ`g&c!@b^>?))pDg#Ys0nDYa~{%&wbgv}{4FO?18 z!;r3Zs_=-d#{4iWy*!NZhV|G#`F6dnQxo2DQZW>kcexmnF0;hOU@;Brf03ku{aTJZ z8KXQh0j}sZU*d0!tLlGPc9AR1#ZT~@I&GXsXH#29%!#V!=Uu<qu7GlrqZM`Z1Wl#T}0~++w%eLNMc0xlL3L1AK z?;R{yq9gYo1igM`)3#WsRt=b+;s(&oLfRhhRDuhp>BFp59JxHL8kf@tdM00Cx7&RJ zuL!?)$W1+UBLHN!%z?v-%+2CAA6=2x+z_;+fPlg z)fyG}wy?b4rgdf{JF8l_N@>27s!3U_NS(F|N06^oG>b4IXC8SdlIoVtv-JJYnCUs- zPpNna9k}j>>v08rKROz$g1sBgY}ITr!uf%)JDtcN`tm zQ7Hu)1{PC2sRN@#d;yBoWqA>8Xe8VLcf8-4>u&%V+*$+D-*N!>3d{P{Qo@%5DFEk0&&TU>=LJ0~ z-lb*f@(4~O`&_k`TjMO_z$jMq{>y@Uy4uQ^O0GXizZM|l($Z@SnQ=Hd%YD|JjAyrJ z!Fc{L@GT%3^7+D$OP;Ui2ZHwCoiMG^ccUa0Sz54ryv 
z$kNFvRG}#;R1eLI-;398%2(M3er%-x9cFpoi5?wAd^8%d%p5MQ=F1g9Fc4cZ-Y-~A zTZ@o_Um|(W4X#lz;~Vz)R&hrsZn3SLex|g!8n$d~Nn+MUupCu+Ts6$SVjV|eXm7ug zmX`MJ8-tvN7^M>8^5SG=#>seTm$l_T0J8!WU#P{ccwuC7xypD~I znyZ#~=S_0qkV4p}j~9Ej>{f8}R!D#X(+nuw$}e<3!^!8P^*4U0dh*gOyumXJ{HWvP zrPXr*(?KA5q=M(uqu?em#G6fr5*pEVjq*3ftDq6XQ6vu{Fwlo-4(TIA*}f(OHA)IQ za&u*{A)|&5I-L|gSne-XPv@-_X>KMsrEXMQD6M;n|8~kBch%8eiXVk4oA*wNPl&YQD4MGw~Qh+Wz|aulPcK!(LrZioYU{;JLd5zVu|j z|Modu>ip#F!9w~l_ijSFws20wK8)8R=I;LGwOaidc3*M~qwSLX!AC13!}U#eA9hCM zN@nSenoHiR1{wH`V1Hk09VitO=wKQ>h`H^i0z?qOvTQnu&x{#3!PeqPAkUNs4V_Sgad}{oVU7nw%eG3a-vsqFj0XioGWc*3 z@R(VqWi+eRvgm1krAiQ}Z$uc!9>0kU(WTr^IY-f)-*C$0T22YzI6ftoX;eeP*$O56 zvQzlf_=W6`pOhkNg+kZeT_NCdeB2y9-3MS|e$xJh@gWyO={-XSZi{9Wjrc~v*W`;C z_!o{ZyhNea4F6BN&3Robsn++iZsv~LMVD{OVYMY{-}}+a(izUu{FIMBqtLaYiJ&y9|5n{3Hqt1no4P3gVzp=uH7sJp zh?;%pz12)^@|M$gYQa6n5)Px1IWe_-O9^3-pG?`uS5K5a=Et(4PW|#tVi`$%vNdX$ z?@CqPrBygSot|o1y))&_t-B~qh9-8@#@)>R5Fzte`K3J&fowjyl>TDHm~m{T7eY=c zhymfKN>4v-$W?b&ptrv2N78uruRTrL`DO#HEpfcR-uH0Hlt-5ySD5XRa!dLpc6@Io zNWNL_w5QEdmDhT|G^2y~%-{wXYt{b7RDeW&_Uq@c6-7Aqrz0j)A_P3~GE%jKP4@90 zK7yR2nYOP-grs~;hl9%&IKQ6u8&E`_)G$$B4?J>)+$+k~`X3Bi>sF;a_Yk`pC+TJE zIcwx=+TW@d%IT-de47$d#e%MJJWx`aySZ5sigUV)+w6eqt*tIE^lRp|+mbkoF36A7N5z_57Bh<`|GZD&r(CqYu#nHK8^A!Q)OiaSo zm`Zz(r;Oo# z94j|x4o^Cb6Z&wIgQRC0LGm~PXLHNZ<^4}iW7*Qqp11i)h<=KRD;-}7_CseKs^3TW zOxzSmGJd6MDSiITTHmR{dnA{r>Y!Zhao}V_yZAvf>!w!YqRR4C?FYa8av> z-U#Q+W+!h~`WfB#PxA}P^)T2TIbf<))jzQV)Yb+UbcSanF*8niwu#IIfr#opV!JH0wau=AS;ASY(0# z>gXXU$Q+5Ey6D1@qLdUGbAHyi@tSG=nd}iBq1&;)$rV^ays$CmT=cNjke*^{^idd$ zsk|#oi46Suu`p#TS63{$cnQ(|I1S@#{5;3pHPPm?5-d)R-J z9ZJ@uE5I^21;_dINKT1>16u_279g)h0YU3qc)_IUuOGrlo`xg8=-3PNQzI{Yf=a}9 zqD5j$N>TzK(^KJknFQm~o!M3 zf+tZ%x?JI-Bq;%fe{sg~?eL7$v7K$99cV86meOcmKgg9@6B+iHGJa0_WPe`eNSjAr zex0x?lbF|-F(6egwpA1gn1Mh6jit#juUSPjdK_F0UF|+&1xW)&gFp=++L1Lid&b^7qSd4IlKb2<>_0e+E1&@<(*Rnqqx@YFd|(KhpSJm1sjc54*7Y4 zY9eMutJB+?sLM{x0?m6;Kl*nZCsab{e{e6%0WAThEnx?;>gY5OetYCk0ir#~IqnNC zxsRtYfN9cdF71u7f$hyO)8*PRif-E#)J{ON9VJ|Nr1G2Y3;YzO5&AfcbM(M%1L8SX 
zLs-P2k1rij1`EePi-e!W*5a{E7AF_ZKSqCM`3~0VnI0x#PVO%^PA_hMN=1->;*g*5 zKAx@AHr|3o7rx|GIdLv2%90<$>6!`|*>6WlMG*R*kl9YwSa``JVu7Gc+z(6jK#WB{ za1wR2({E7B)w~x`k`+M9ahzS(Is*SV8&ppj)U{CWLowr0G2X&KPDCnOzh z*wg?p!Mb3u1ea=dxn?=2@7@4%5{Z@ig9t$W7NEeERn1OA(|m=?+17Y0D{$QG;Q9`i zB1|cRx6QF-fm>PZ z*p+)MSuJ)J?=z&jj2;_GNMYhFI*85&y&S*Bk7yH)dwLLET-S*=4}zsIKXSUe7kLyH zVN;Hr$xl*z{A!_awgW(}v#ij{)_m+hoNe`*YH-|2xzZ|s-KQRZA$Z#!)!NMxdc7EW zN=VdydsKSUQokp@$C!VbpBEeZdb=h6dUrExYFLwC=aS*@b*~h6D}msvKVrezrht0{ zLorcb_K;ywk4VD(I&O=#GS**?=_2pSv=&$?FmS25>AUTTV3)fEU!OM77u+dh0-T2ew?&BBgO@OpD?Ey%`LDeP5U zDa194l*=3~VR30!deSA;YH}AT{yO!DO<|iy=#3$nXG-8=MFCjN#ov_gK)ElhEI_kNG<% zzP7pU@bX_XeT^pFdlk!F-f_1x@~w;27Haad7Mj_RIM=&L{O|d&0yWsl(Z41IFcg5r zlj@AFXtI;rQgl%2{?!^Bu~d-jsv6Elsx^cMp|E`ZO2<6 ze&^<~kUDB54cAEUM!r;v96Pg9Qhr&Zm3KFKV!0f#r71yR!LckM-hYrcN6|I@-K3co zE_5Cp+A5T2X_U4d3kWV=IF)?lLmFG!DCE2dy_On^yZbg&IAD)Sbc_?@Xn?ai%paj} z3;v3i{mvRoI%N!I285JjyM=wc=iCiTxI_ajB>{(y^O;2>dC|9niB?0p6_D2sBA8er zDuwSQMuy}}W6|)WKr-@d1-!9@A+19GtjzI>EgKJ;Y^ zbFYlzUu)Sc=~I|;P!EaSumV}KE^?;n2IM$u5}Fw6C@oX#J>UjmX1B%l3RAX7C~wx} z@~Q&9{c+GQ3SKF}UL0@S7@y)ozPUp-TmCX<%Dd-`VU%gFRX%6>q(2h9K(CT0?33%0 zKLUDL{wTUx-+T>Q)EX7zFZgV&>Qh*7PzQg%VZ}QuFe^UeN!G=iJjFfcIjy@~zSb!Y zuAL7*nQ&eyQ<@dCvtOvw`gNB~lBJF*PxY*Ne59vsc@lfPhL_Sp(LZ4Ybtmff1-ge7x$_Khk31?y&C9)Ps7j8TZI#lt^%IBP-38nya!^?H9su z<4ZLPwv+TBobzuns{=Ja*Ns=LVl7g{b~HjYn?Az8?=ZpH3?o!=`Wd2xRm%?!0r>gj z?jz7+JHyq7aKpkg`v{q| zrFNiF(+(5YH+tgXZvNp8k+i!`H&%fU1uDMa)3N4Bb?C=RDgZUc2PE*368V7ce-+ct z>#+8anPMWSU{b}E1{&Xe!aI2O9h%I~Vgff+D%P-9$Ge@klHzU6;e@arqqGBZSrvHZ z`wS|QGP+JYcx-0Ns)g`A^GTv31g;kOwRFsn63v^Acf`%={hcG@$;i}DK-( zIRb-Lc{T3mTg(gm`k&3R@+yL`^^+vGjd;-GHz_Fp_EY@(hoz^?6k}tL!cuWtS-7be zJFRT&#-@tIv^(>+S6;6Oq|Tk*Ue*wf{Ni!Nv<95yh9dTkivnzOB1iAtydSY5mJs-e z2*R^uF__ShOJwBjxIkHr7;N(K3>g`!>_%|k-7ydGC9PqK*0n=D|0V13aeZtyp?@@P zdXJEyO|VVljnmOSYkjA_O8540X5F$MVKwHGp1RVNZn*uVEUnIVMOJE#7<*dW9gWJPF+zHDQ-9=@fv?sNm0%hCftqZ_F$Tjc#*vrE5>Fk>G1rAI zgSS&O!IA*pk~yjJw$F&Qhi9n7%!fbDjO4;wKEuhxwx=yjh~FS$pYT2xiYRKZ2P`hBu#NW#i%_2KNbKzqw&R_vo$c%5%%L4B 
zOP-AudAOIh(}{k+hv_`t;e2t1l`F>rE5onaOnV}ZX1v+MRobn;yMFA{U++-RijcEA z!k;m`Jw%NdSICkqZ+G5U*GzkzRS0GZG}^*g_ahp7PGpvWj7ml7^SPL~Qjwq6+=8@L z>E9!w!jjbe$6tT8h4zgZ4p=S|N*)hE;Wf|r ztH~e=(4r_?(hy2T7U0HoW({zD_DD>a3u8_WJLA%dw&U_4qZ3FVl@X~YrJ zrzG>Gne41^8YSc%bB1@P=OtArim}8Uw||x9Iqejxh4YDXNj+(_=~J;e0?Q++{2~$lhhURWezFQp-x-2n&OO^aA}8VMbTCARjt%A3!b53O zvnLn+xnatf?=y?{YKz?BL?Gk#60&(;MueLu#RgWHnIaGO<;&}0cKmeDsXVIy@O@W| z7Kz^m7l-|>+~=NTQIS77^lM2J^>l{nth^5Gn4(@Euc9hZkrj?Cn=e&H7eWqs>7xfn z7Pi)=+e_P2=J8n^ytc_p6 zfnr_7!8hsD%4t3W#STQ{?dP-DU>~{?5&FN>a53&s4y(y+{Aq)zrW?IP?uFj? z{ow#cRzGHJquP*kyV*BfrKPjW`m)ne!Q{HC_VuEj%a!LVZRk&G#A6odDiS?oN+pp@ zt!{9i0-dP+D*#M&P0*-wBol77$lvl&*#S#9V>EaYR6bUQ5*=153)lE6v%={f;R3{m zZ+)@GsWtHwwR)Cs5q}!4B5HFGzxDh;AM2G9NC{S%)8qQXC>f6}6Oj_bRREa0v2c0e zQ-HFRSOp0fAxNh_v4ROak*v!ulF=48K3!`D{Qub!UL4qr;eBzWU!9bE0`Gbx!kUB5 zruWfVAa?825DT{@&mG{{1>cl?apZh;V4com3XTXX5hU-48&+lMaS2vI?p%}^cXRRk zFr=Di@zJuKpIu}5>K#KgTnetHYMf4F#Z;Kao``YZ6iaXteU+Dp0`5oei*WWf19}btqJ;>kfGg&F@(SIP9Rz7$j{q76Uj_m(9 zb>HzGwR&Bq0}FJw^}oZVXAk6!5>3|Z^`JG1_I4y&GET2F|GRwwlciUN?1_m*467Fb z>H=GH^Jp1mD?3+%`S68$1&O)H{_S&x0ZIu^wXN7Hq#$sLHSusyDue~FvHRbB`M&pA zH|xX*5Kg#+6Wax5TQy}&==V|DI>`_vW>c|W3eWtrE`;Q98d+B>84-RRF#dOllMS#! 
zb^!^ai%aN2?0`OaYe(2X_*C&gc336iEHv~JI@QJ|;4jjz>T8w7;Vlhp zpP2#3{ru}OS3N8@m?Un#ZkASrV{V>b8x4P7nf}v1ZsJw%;RgAplcy8bop@dT8KU4v zD^D+*ne!I#SF;TM!43L^0O=(cH${C0a`i93pazH10la(g!B?*p9%+hX-1`||H+pd2 zZ!EjLowR>`ZW;W>G`a$%Txa4V+#}PAEz?LdLNq2TqeK%DGvK(|xBsQeM?gpAuLL%G zLKP)0i=ksAF2rdM{L1ksgq9IWm($P+YkBXi5nxP@#|Z7}r|Vn>3H@OvYLiXn;O%W< zfy7GANl4$b>}c43JXc21;)F!}KK%NuyAlbJ$f2f@_L--g;VB_@iLcqW8)DyCy#2%Y zvFXj|J!G5AOHyPe>iC2IYUqfvjN!R`%hXlfx?;+s0d2Ccn9g>~quDb=6gcKl*sP<+ z`9oTNHl38l>BbLjNh(9N^Kyby{5Zsr(`Ll0rnTJ7a@py6kMeFQH-^J5S8v#-fq7R* zi;~-vZ5Qr~qxk`vu%29QwxXg~YdQd||GBa%Y3jvNLUp|#8yXuv;T#^$86*W=*nch4 z1I@^5u-8;^mPH(_bFBfv7(C2M?_;|6@|N=wyz$3H;0axY89Vcy3ZS1nmqXIh7NR$_ zXvrvq$+J6pSmR@h%L;9CiKmL5w_Z|gU$k#MmQP#mde+*$Pqk{%?5b>mc<0L` zXycxf7i=TOuANwh*T%B~zQxU-v>|iwpuMWoEMy@^;Vt1Yc5glu-`@AT_j}74w^2_S z8-o9Be7!ncHo{P+Yb*4LMtsUkKa*Zrk&O>G(3?Q9Pe8FrSGVMAqtXBO`74Qly}|68 zhE;4#ib%jiWj^~~(}@FbZ%y|2XBoHBYh2x&a~nc**NIrAJldq|2Vo`hXT5Gd9XLGJ<;uwSZNpbI*iQ6^P)JF-h>h zr!;t1;pj~D=t6=GhKBtl<@SvLP)Y z^=?i2kk%V;wd!|6FtNz33nwL3>bOl&F#c$cj?bdRKXLLQY;ipc!gfTTDFp3B6*vK;Su(Ywcuc5Ms z+52}MJYTdRWk{6f2Gar^ce%$|*;tNq#*LkuxTD!GkUy3DSFkf)`C+yK_zftm?T-^w z+WVhFwfb8*M)Mc_UBbQ-yR+PER+Y39r(OmS=PWZt>@DM@bjx)`AIoVkd1 zh65JxaoPp+5*Qd?e}_Qm1k@OsAa=s*&gcRsv*<(S(@4p3r{13YZ$>rw|DLt1_p{;1 z;L0jUIZ4^~ix4SpK5PeLYjkH?<7JHyX}7RsNbjMCy6`1*cMCCtTC?A=N=C_X!>@_U z<@#oq~NtB8#A=)ldtcUwUM-O3{S4KgV zOtgA|OQhs$$YFm3f;0YiSU-(P6m2kcI^?io;gG{th4kzk2ApqPNVf=Db&b?--Phpf zG(0@18Xl=u-GtiyN%Lwpe}4wDoyUQ*o7Ex(EZffXsygI|@t;hj7Vu)ce-Et?pn`vI zZh4FQAXW{5Blytwnh_Clw4Wk3UMZw{z}gc@E5puB5d2g$ihdV)TCR{JBM+MtdOxqV ztK(_~`F;Dae_BdU*46CB#-ss(Wg$}w?+fBizkNZKO#u#Kh`L^z3BQ_a=eY5TJwEVO zw>^fiW zl#;a@WuIAAHSxyogiTIjpbkHP`N~}-PZ<=5*tENL^5(y+07TZbJB-W(I9fub$W`25DK|osl?Z zP(s#DN&g~b?U8lrZp~i#$a-C_o<$3@f4QeHmG3<}9meK^pvVTg5e*rh;1h^`^{N-O zU~K(WI}wM(-{*#h;-}j?3dGh{>vw$lE5*0nkFc#uAt)!F_sc)t=?3%_R)wm#@0U>$ ziebewmlTDZ77irGo^#-Acjl5sF}xsR%1XP2Vavte-%KqyDNzt9BEV&_6XBd;bRRMx zYq^u>p%sX&E!Uc&J=2^neS$nQpdKD;mV+bmdz9pjx)Ze>e&JKs<7kX6}Pu19E&FFG@n(87Lw}@7E 
zWuvW&N_qN)&j;6?{;n${u`=DQjFry&rB# zz8~K_p0je$mtCEeOx-98@0tO&r(`cpieQR%sOloE=1AMQpJZ4IeRF*ZFboN9?oYTe0N*L zI**uUh*R99GWA^@VY00h-|x@Vih5qDi?l9Wc=;h42z?l5bHq-_c@?klL8!-FwSqas zFaM+DR_?ayYY_#hmq&8UD@$7H4jenCW(!Lw&z+I3tfZ+j<4xwVa`+K44IYNVdnqR2 zgyj7Wo}CT%o)XF*g=!3v$%FL62~`n_Z3YX686 z`p20QkHx!OQ^Z@&SvOTP3?JN`YhixLr0Eg4pFa@&$}jZPM+*7*ht?LajPiAAh7dg# z$|(!FqUy!~`RZxT&DA-=)ckl0pXgz0NJcKiHy(y(Pl)&`gfqLOFtPypWHSPt2{~`# zBH%s}xSyG(aic+A;k1_mFxB1FFY~V&PRV=L9>1TkoRTe2F`(o}a;P+sgd^6c4v%N3TtpbR3gNlvZ8PZNuq5Zp6TAN{0dCGTkX!kcT? zoY4?JUdK*+&RjW(n_VP5%BzM`qe@nTB!TWx7n0k)dsULGjltKAJ-li7(WBM0qz z>kXxXFy;EYc+<1C-h%&X+m%K@iz~C7+#UFHyPECKO#S!pafw;zOked%_QQ_% zng^zKoEpE33$g*9PR<(*Y(_!-k8vI&HSQ{NNX{H>S5{*a^(LNu0ENsN3`WtI0~mYq zky{m`42KNv!|=a4U2$@4-Ed?LI&!>eB6N@PuVZQQ8;?+>0j^{E>u+KhB~=l zN+_!QU3j&-XXsq#q7l6E&^vh@yHfNEiVkOL!=3xbvK={vIj=FCp74jk!J_wgH++k- z-rA}@wLPBCm5)oosOwv#BUk8DdB3hACWB>bDj=9`%{R5rgEBmD9|Rcgq<)`U#>e+x zxzgv@7yMYf$~;B<`#P~4thPZuWr)0!s938cbzGr`oNVn!RW_Nj>S;LL$0U#pDUi~( z$7sGyl6(K{rx-zArcUmV*ILiAO*?R#F&FVAzXq*?FmK%rp_y7=7 zDdZieW;Og+&{N)X$0&oax4GP(V$fK*vDekenAzwqK+bp=mE4JK_%L)`?yajni^r)D zr_$LG_5F65jX~f$WcAVxLzTBlx{^PV#1c$cuAvj$mAgCg`w6c1ze!dY&^hY{ntYbx z^d=d8Aw7v}!U=P6e#agD>5;7~S)Jj8>(1cm41FI@PIM$zG$Fh@@2-0;uX$C1Rm6&1 z@N3R|1Zcb>EV7rBtH1V}WhjUk-SQKkMHlu&a~n~`Glg&5vBAiHr^@(bQHdk99#1|l zr0(;$zC#24BodS4uW~;0=7F+-ALzq_jZnRbe;b(or4o+9UJT!H4YD8%GFln#be=^g zqn(A$ThU{3cN&{Vm`!4s-E+}hq}APm-J74)3X_XivZm5&Bv{VEs!^5O(ZBvucAevc z1(AaTprNq_I%r>K;W2MG9O5*X4{#VfmN0XYb;qP|FQ)!@+eS(G0#Q4tVPGMf1_tCW z=aODxNrYH%yt}*@r6GeKW5`Mw%U$j6lbJ% zTDVcH(djP@@^T%k!1KM6i1Zk6n!b4b3~c6}+fS^0QGEA9SPb`cQr=Rd8_?A;fIDCx2?fFsBKU`Pba= zh+5C6Ju+T7W3N2gcn6Tnx3Y`@mzuTxyw(e{pD@GWa&PR}LWqQFEKrK;DgF_xf*r-g zzUctl6q_0xI_Z%CZ+9-4t&(F;*|3=l*STJwxg<{ap*GjC9hpfk91#am$xj1RFT8Jb_l zso!W(e!81JjH)U0%sxLqB#$>(hym?eUoJ4n=T4xPFF1+W1n?EU_om)e^=%_k6Z;#G zPLFfu^a+|h9{JeI?NEB$8EC7lNi{Eis6^ny!hZchjMBbZxQ+H$HrfN0Dj2y*WhueS5bSgu!S(@oY@2_zo*SRIw<_b3rvP6Y)ua( zlZIL_q<@0(btENeAV1M-G*K&FO@!urQbpK?wqM{DnZl)$ 
zjaw*PUiWR9HhTh#PpZq+J%-N)b;$xLPC6>q4ixPy-XEiIQt8GYb=0$)(R~+jnGlqR zF;fXzDl%p|!(F0Gy^_7z_$_EI6vF8r&)CG7gRR2=~BC)_*A3O`-R2Q$#J93 zZql^T|154x_4x2+`GVpG`(_^!D4|Y7fG6PyDiu^UXaU1bKjr+!uid+b3BzDWqW-oE zKHEn&;(~v+A7G6hqBn?lSR7$C5u5lt!yWV3Ptm{J%EI0t>bn*{nS;sCDhbA6`e|m% zj(;rlMl}`R_zqSR|KzoCb;rS$@1n1BE?k=BiU{z{)*};1D5fMbMS}=@;V=|vZEsa#FiSgD9wHo09p&>$-8^W!X z5{%YX`}<8nAcJaadCyLh0_?ZfHf`_qHJKv~_ZQCn1rWW{-A&7d+J1|?xH?oTL*NmL zSI?2u!^+AO?SG|^R8DovHt-LsOQ`a|f?1e4>ahDyDykdKS!Mb&-&eRWYJ zQnYe#-W75}{57w9D8*`PA*yp`eZHiucm5ZSVlouhG|To~w-*pQ#Ky zvqy|dk~N!GHsn)mG!NhI1Mjx?MAN=PkuR+x?12d$VSA88#{dY545$bh9s3it&L>9B z3j+(Y91XG=N5Z^iBbuj;jh)9+SWk7n(;t@mk2%E`Y|0nD&8=S!M_SgEEOU7^R^GxS|>b4P}9?~?m znYU&DA(7xCk+RmlQOhTy`jT}oR%c1oT6N2oXV7k8VNcE-o~{NuqUh;$aIiQunZlYc zi_l2qn!SydB*O+KMv_MsiV0TsJjO+t0DekH;rbea|cb%g4U8!*G*l>Jw-JDCl!&KD*!D4|inABh&K|s%U zU?Qpe@`~xKn5N6zVed9KtAtzWxr}@W8~){i7p0G{gbb@n04F}sqY@Q)ppxy%GGR); z3x@<-+Ax7_RM0p@XXS4EmRgmBwr)k%{$a1h9PUVl!S`oLGrh>Lhs$8~Q34!&os#qRQZT*mrZ3DG=-c2wic4=eGIu zfG^Y~p5w90wPGjXsRc7iGuB+=Gp!=xSU~aE%GP&DI9a`(DH0<5( zvei?+<(+d~yHXnVp)8i;LyHq zUYq+Wu}|KSi8WRe!Xxp)Y9BsBn-Qxfx>xOd2LoBXNU%(Z9hvSjLeWy8TCh*UNsZ=M z$N`UrOmG`S@>iwB?kJt` zbR6_p3$Lg94&V`P3&K+zTDgA#|D{}~_X&o6I&tsnvdbgDu`|qwe5vuFup8>B9F&O& z_9S$^_}}-d1Nk~4Uv7T-fO2uI7?F31*jzqK*hW5Vb(!%VAPfZx?~zG5+EZ&(-3x9`!nJIMS3i8YA$(U3= z3{@(hMS(Q=m=9Od%K%jALalUjMI6FJxMv{PjbdJP)Lm=@p;6TV6Evt;FiCrmq`kI7N%y~HIg(`2|mxYK#=0JOL(GCb?$?`AI-G=BU;#jbD!Z z>q<2)9~=!ImEdizOH2jq7yL8^&6CTJi%A~RVYa*)a#e@Huy<6IU3_G3p~Js(d?(qJ z=D{@2tbA!vMg~k2tfy~9z_0o0=wZ3xivT26FOc+5o!1jSn6CQFa4R^yM_-wbX}c~* z>F$iZTxE*jucZskM8xi8~wR=FlN-FO_Pi1MDkJ!qI$r)i1i$nI)t+{ zzMQJyaJ_RCNGa$N?+WveUgMHr3rxDB#RV`kJ!)*1S+3mRRW-_t^<0HC`fr}sDeIpI z+%vIxs^L4I!=q}3baZaWkc|+intS@lK`!JZ@;-pYcP=tn@uLcXh`sW{hc-vdl=U{e z7m>_WAy`R*p>-f4k%x#xzF<(P{&efs*0ZTG7>B=*7LFO?j-|mxqk7enzaZczfmk9A zOa<16t+KyZoPosj1>Q3hA=Oc|C5352?I!`z&O+j`a(X02ydM2-x6~YFg>1P;1Du@n z8(2U<+=mzUX8e;Z6lYlGjdHWRh(sn4exZKAoV3J*;(H&oo3!Px=AI5$(cChNC5$KN zLY(FrjQ!;Uy9eB`3t*BcT5dR`(9aP2ghe 
z5Tn|&u%ps8l6of75n-~X60e~uNwB?B2IbhR-!h*=0|S+Z0DHkm;ga9Em3L1Ic{Dl0 z?co1T3H?`7i#jgP z;~_uim~&;V-iUrXHz2uEAAoAgle$kSEyV6ywe9imZiq)NCHQ8rF?AKw95QAgGl_pj z0SNxEZ^$2j^VbdOv-rY^jLWchJYF)YJ{#dux@6FPrbkK*F&v!yY~+{QjmNgZON+0f zhB;RZ83I-36s`Nwoc6UKgH_Iug{2v;11f{ZNmJFykvLw#oAW8D(mM^iodwMW>7T{j zc3t9hSooY<5|$AN&x%X8P5?}hQ=n!eTfx|brYO<+eNzaPoa!r8+Pj&|f-KoKNWqiQ z9BLPV@FJAd*-p1C06Q5(D0C_yXS&o673>4@qn7DusBWxu&e5?FAp5V24CFP0C~C^c zrzP5h1!g<54xW5g9j!ka z-mJF#v>tD=hz5wYTN$ooV~pXD!$b%F9Z2_VKbiaMWJ6e^$Y7;r`GzP9p*4ZR-#0Oy zt~-`<4(b(K`w%wjaUKm`V{=2v$0u*VA+DP106BD?EZJJn&DET>a?-EehP7Sz(roys z)4~ewEx*5g&pBI8z3_wP{h#VHjrq1PVZ~@Kz6-3v0x3o&P!TBtj-Ur}gi5CoYUWdG-U$Sp+A|${?lF)WN6!|MQP?kQ zZ18!N$mA`eL@joIPSt|Ml=k@HC84;_!0g*VY$kSv;x5<-qfnmjNqg1W`U>w=Y5RjY3=fFMdc@>Eb23cjzF%h_LI%E9+0oK@-iss

vJy^dv-+U3D=Eh(Pe!TibxrRq zWxYxTQXSRw?@0Gsc)lDI-Zy^CeIk@9$k23Bg*7lc+=T|5l5=Z)41O2-R%N8Zg%A7V zq^vjfsLW(!Zb|9mxi^LFD)Y*#l_=EjaE{xG+CO~}8Hg$rkfh73S36vL{teHexmWSc zgf}zGL}m1TJz_HU02Dr>2nEtx5}Q+33|oa)?}Y0>00H%V?I67F#y!;Qeo@%T%3clT z=pmgY!Td}C059de>ate4<>ImAp{qU?_`$i?K;JNZh}FAokz7Wpvb|5QOTM_0hiw$b z!p}-4@{a)vkucvFG#8&I%S29+8b!er<0iz0c|F*GE_ow8YFXmdOF_Lp_SFd^XRsF} z50em!9H@PC8I#jvKjMP1B8IV2fkm6`#?Ba$HSM1+4}7A5^$MaR$|)RTUtHZ@&PCWh zA+y2`A^0q%bwBia3H^#+|kbuR7UH&wtyLf)7{89^f!Na9a zSB~AFC?g6qjDteAeJHJ3TUykNttd-fLGf;Pj|g`UROst-WTVLR%w_)e(`-h8fCCyl zA6>R3T;N3kqOEy~lTY?XE*UxW2TYBV^dzGu27H^ufeS=zQvUUIW{j;k+_4myh&Iw} z$f<5)e6SYd7Rc@@OB0}1*&|?AhV-gUG*C1dqY$ zkn&DS$f0`5tZj9;WE#>s#`^0}_^oX4vw!JPrU0CYkJ?1OC#C*Gf#xRyu6*r7w=v#F z%CkuL7SzGz0c73!f?7nvZen=bYF(%*g)zjbxUBOeN*x5`#4_JDp74vXMojJTRW8hJ z${IvJW0s5Ms5FS5TC+-Fk~@t#IC!$b?kqj2Dy_63B%0kh+I1$pFzV;@tSVVx97h(% znjEmIG?0{tJEr4un4M9kS#H{IPw{zFL@J@^;PURRvPV$u6Th1tvC}ly>s4__Qf8tp z*}?s26f(n<*A8M4{!VB3-;&bVeSMkpk8<^<95F`aCz^ODEv7r_9*!}uB3ZQ_B`uJD zI>a3Dd3@nHALAD0R&dR{@29^@BGzWYz26Irq2HTx>(Eq@Fz{HN+cj%|uk-K_LZFBK zj_EEH7P|C=Cr#>YiW-LA2)X0YXzNJWX&g^ScJf>m{4GTQmVXmklPI9p-O5HY-W?9 zWHq+-bix$8#H)s{v>Ym%X1WZbPZ>*G!FOQJbQaw}{o6w+hpoO`1$!uJCMYNr@OPb^ z-Z0wQIlnQog?t8hOG6_x7viz}PlyoF7+yWf#-~{iA5SCOQeLOMFRMSKi`2u;Ra;YI z)k!IoXSn9@c#FY_=fItnNT*;-p~nH1Hy>SpoSjmFZ+Ijq9pJ|otx-+m?5h2NL7`dr zS&e|jBmQd;Pq#eIk{}JGuTfkcx*umBRhr@BUj3-o$loPKRXOatV}hdCvIF5m@+6&> zm_)~4i?^J!kvk>nz2XjH9?Q0oilU=Vjcws1Y&tShxE6YagHh)7T93Bnez#$Es;&hz zYiR1*L9GxFrT{QCKeM^Xs;=<)YVXLr_^|`{MUM+y6n$J!mY>$9U$|+HmUjmpXOyEY z}|RM%;+ zVnn)M;rzK#v<;xFR*tVKbmfLZ^pxQKkD-_Flp5Ww=h7Y-N=BKfu0^jvz{?dHa?XGs zSRw{f_S?b6adOKAuEo_D?ojfqCiF=~NgQazy$?6V6n2T=47E_nZ+0!7WvclU<`}5C zsIlRq7aIx!{EfLKRk~~+IU||z0&@}lXybfxRz8}$uG@5T43DYjjbU|HxfV95Fk{$D zrLev-G-_UxM$s-I1u{P5pm3^d?vgN|J?U+jPwspg!CqFWWo{mO{w(4?jW3IJ``5r- z?DP(4YlAv<@7!WMRb{1I9K-m*k7OvsbhXX*A7_B(0hNva-svB1!-1DSVis_Dv zt$j92e0Jgtnz1Xv-KPQJnybm7oVf4PlS(siuj~7o638COk7z5j>t9boMbvlLHQ9D6uES7_jGRzV)*f-5gH@S90J`IxQlPC&|y`1(IT!KD<&%{2~ 
zSSPQG=oWc!sSMjurI}8QB0NeGYbbH?elY2U#1W*-s#bCKvNVbM3rtxpCIxhlNVX$N zE}3_^>7wg_`4 zbyt90pDhQ2qOn6%B8U3Tv`XidFXbe!_*FTs6J+=ZuXebedK{GSBCo)1@kj5<5~LcH zKiN!w6moQa?uaob^X64aO(0dqCuR4mc+MXT)4~yMT&mWQ{PY%QZGAX`UGrqmrauf; z(!4_)R1|zc?n8nl4l}6eLNY9N*y(qrC>WLs0Gf-9>U>|)4?{j=>?7+#t5*>tyz3Ou zoybG>Epu{Sf7gN$l)CYOxQ?Vve)XN|y{-PXGV&Kv;|Xmj1s^pA;O#0XL^N`^>Fm+O@>tqcl z1el@xeb7?$CQ`)hMzPSvh0vfyN?lfZoLG}_mv~GDZ}6GU{z~6K{2!KJAs(s5g}KmgbLdvqRzhN#j`!LJOlJfsFM##f18c zM%^8R9)<~e6NY|E__wG3r@wd5s9vDNF#J35s>1NNpZGyR>DU;(v1Md{9Ob2;?_t1T zfawvTAR}VGM6me`mW~Pr3hLoMy?}q;K_mHt(8CFDN6Xc=VJHSy27@8M`xntf07y2R X`ffCraJ+l1A3#yz6!6$V5UT$Jo1Ujo delta 33444 zcmY&;1yEc~(>3lM+${umcXtTx?(PyGaFO61T!Xv21lQmMmqmkXAh`XICvScASFzmM z+Nqu1?$f7x&U9@SL{B~hpd<$gg$V`*1_!q9w4w$pqF@s6`mXl%h4%U~b2L?QaddKJ zGInxe{A6#Z5F>yH!Gb3KGUD9PEYc%tB0Qy1Q-|t9z!YaDRwwG$$|AMc089O@XjOaRI~=kl*uEfWzs}c%GES;i%bxNt;^VXi_JWKi9iRZ zchUVDJ?vOi-m(A_@uy$AF@$u0F&H%OCwWrVz{w>r#k&m1gnG)GPD7P#ZVOYE9TSQ` zq2-k3QvSn)Sa57pra#^WFLeI$TNv0V*z*TJyqJiI+lw1=dEQfh2umg^)l#mT1MS7T za{w^36b}k7B=LElgW(R~%*_X6y+!!J(|HXXHUt~$oq(3-2}7TsRk5H)u>apP^>7ef zFc@z!yPc`JQ^Q3?yyf-;cRMp&}{p z^jxEKdtB&@Yo!m>@VfvpNoRXIpPA!a2mj}GA0^#N%=V`a{zIV~$5RwkpZAx*h15+3 zA0gBvo%DWb*5iLeuD6^@YLH`GD=EOi3YV+qr&?mVub~>}=Wi*S9T>d;iNN?&da1T+brPAt{FO$(KcOfxAaadp|ftY};m zUyK~i$nS^``_AM?p11 z)T^8Np+09%!sWb+j%rx2JGeW52PSR(?Kgt z)E1mvU-rIwOI4h0-|h^P;~Bhcfov0T^J7T-Y@u9JT2qpr=g05_POiuAu(Jh-ApPjm zDH2+mnnv7YDSXIcFJghkGr`s4(REzc-s$FIRU1ON6g>ku-_O7$$g<^L7^igZYX18N z1CkpZgQL1w;8BJ+23Q$A21WZJg7_a6whci1KzW^K#?|I+XnTHD$laE{M#{~eqSwly zc=Y*q?5)o8JZy2pTXYP+z%Sp3db2vI$CG%nIBB}VCv7e*r9Ua=+>7;obXVTg<~TBR zDoJl>3m|g@bpwa$>TALaMCRjZ)1zDsZNbfkKU19^pH5QfjliGQJ`49zGn2$oAAS~w z?wNzl92)!FE!NZJ33@zS+`A#ZeS|*0i=ErMJ&sV>kAQ$?m=HSC+n-T4-NE^>v<>$8 z`TKq5w=DGYyN^g^JWl=tcY9gsQVQb~IlJ9^lYjpMLXbQ3{*x)M-%*jH8Fx-cSwTwX z43|~jXA5h#juK5m$c~ekLLx5w`2A<)Nrq(``l%nPM+)KRG>~T27{&ow|SP zyDHKKKAp}euB>|N9uo@rdfgS@`!=stH9Hb^Jr>>8O-#hLA;<+{V=;y76 zE1=`^=Iv75Jzj|4wT}7n43W_1ox9D;tV^Qj^0QAxLA$r0k(>6br=ZKw@V(GTOAv{> 
zi9nTM@^tg_prRfTEaVUilTeiYT4n2tk zs!iV20=?4UAyIstPZvRyt8FwH!u0lmZ-3R%ZYKA8)Yy{Ar|DA1cK8h;bV+S5=0SJh zNk0a&uQ_cnp1RspX?=~kq{>!&`|$d3RLNIl-5|wY1j|rO6fP|iZ;R)%r)SDpU0?If zkzE(xam04>(&@8edeIW7N4)-8E75vg_2GGaKbkkMPx&;K)>B(|@4V9cNk#MaIQR)i zT5BG{jVdZ6GlX993nopTI4vb>CdB|i15c5Ro>s`HdWgB=04v;!fPoP@^&5tzm!N-d z19?qWZyWi!ck;VP^B+0KoH6eJl=x-BPhM5VXptivH6@CIbtK|j2`l0L$Nj*m0Ux^S zGQ8UF;M7IMS&brsU|IB?GNl#06Mac?QVR6Ac;Q|ZJx&Z!3H1F%QJxsrf^T+!eh0gP zGPV?pg?v#O+~0KpU$7`CQF2WwE%@zg5>lC7o;9|r2RIB^bKIz;pT-up5vacF7U$$s zn2h5%bkfrGdT~IZ*PnIK7P7|ClJJ&m;aQ*hdrwyytsuatfppZgQB!bIS$EkWYfd9| zyxNEs!=wfrV(Z3FS(;lF3Y(|AFCTAmGjx(AGu`Y`+ySKQV3Fd+$IZ8n6Dov83t)BDFo!o zg*B=2WQUcc3!E~^hz#&BD5I4|wwWi)a`K|uOI(?_0fcMg@DYYYGYLM)+egge6{!UYm zwIHIFl^I4;E*qtY9PXI4h8ei_t1EfULl$@9P(cZV(|EzhuHGhf$}I!O3tvEA36TYh zQaWrc9gmqxnvNa<1&oUoFr`UfN{^7cacZ{hcw|DUXykltNvulPU{MSdLj3T1ev9_Q z?{5@X<}Z0^ziY;kLTX7BEO(3ek8a&K4*isN5Wtb?R*cjY>~YEjee})TJ8)wMyoz^i zheRql(oCV$8G4t;wA6@3wc>2~ZzOIC_%yb=7N0Gq3T?eQ<^W-L!`YF~LG-7b@iRWm z`vSOsh^4i4pm|xa3R%=6$kdfi1bDEeP4M&MLY*frYK)*gy-{I0VE-9;6UVY9CWv_U zX5`uLZ`(5+#Ydz&OQ9a(TqO))kR8RORk7-@mP)Y=P6h_r?>ZD3l5ygWy0g~`;r3OY zS9+NNct)Czv&?EvECfm zl!R+3dVsBh35%diY)WZHg*J_f`U7$-vKMqjo?|F7f}n28Qwqr+ikKF}aT9ukO>i z=ov+7s}IlRyN-W^t;X3sApTmo^aB>O>UBG_{&Icdd%b@27;4rmG=l7HE_Z*1L3Dq% za8>=>er)$bD|heV`EveAt@+}4^TB0xzt214Ot1wxED%Oq1TrwOP(3FSV=E9A5Jf8> z$wxb=ViOUii4i9@S62K}k0q`MnU@3p@27B(at``0S{e(#{uFcJ?4RGdzWY3H6`gV0 z3)RjnU)78U$D6>k1;1cEIe?2G&$K|R-AGi*?_q=DO=qU2-k(kzbZC>rJT&s=*k$n) z7qqJ%i1R~I5UV6>fEO16s@bv<=#3wnW4y5_egunZ4JczeV|l`RS%^(DnFR{Z8srD_#F5Ed|o)wiOkFjEri)=(4*6)p8IKNTgdN41}LLJecb5#ALHsElKKnXp2A~)e|XluO=!l}yh|wl z15?#3jfi{*^ceIW!nGc&TC%wJv{Z$-cG_r$ZH*i=Y7rC``%L5Sf*Mfq@vPX&rIS$5!9eW ztP)Db!XsnT+l}*jurE)qEYrtdDD?1fG;egd16*<#cIVyuAME8IP2yjcik3eHw~zlO zhuT~R*X&-;OT&7BKI()khVg&--7>M3)X%hRKa;h(C+)|LL|p953oQ*FN=k)9J30l4 zpc{gU2Lr2&cQ_yOQ!##kJ)bffDRA2jAr2EJ=|3YdO|3T1>$`*BjG*B!e0k&ttUtn)gpeegg+8VHh#llDoVqSx_(QU0eMxMd9i8?w1Xky%z4#np_Hs{Ozmls`n`LCVK1WLBcowQmdnI8`=R5K+P%Qqg#%y 
z{q%P3^&Krd%E*FG5|QUatmnmM&j$Dl{Y#^^<8 z%|7>Ric(+%J#xa_*(+(Apmt@M%NBT{=c);%gt6k~q?XEak+bxac6OlmRdGT6T@)a@ zrPAgY#`4JdOn+++FaUpaa}Yj15udU~wh>PRYfZvt;+tcEqxB~RiHI2uE}Il*@Xgm5 zR9KDrD@H0QQmgG0lU3TiTYzm`-Myl?#qIBeU4=N?$H~TefH~^yRyAGUSw|qM19gUS zo_IPG!3RBZ!Q45%8TXQfLq5u!OC5EId0<<*QbrboMrV}{s4#|;R$-!6GY64?mW?QzQt8{n?qh|E1&#BN6%MuRI5cAbu>kt@f4V+ zQxe4+)T64pXRw8dh@Oy%g(d}eU9n$PK#b`Pu4QF)U8gddr*{-ihW>iXiYBRq;1*~1 zNx3$S%PT%UGf12|wQlF1QdaHk{&G69Z<+vwCmVR!PC0X<;lU;qs&{)0fUyO*`^XA0 zEbls{lLwfFz@^A{T}$ZnPv}X3T=-C6$+!Pj^}cA4!QYkvQK+R7-`02Y1_229Yn0-? zJ47M{1+Sr-&xpE;IC~YNRk+;hVhW(faf=V{V)d9v1%YeO14$eRi)v z0*zqS!+d={q>T|GgCIZ(CKXf>#iw-xot^Gn4e@U0;=C#IlzVnG++NYzGXX_>mL;qt zXavIt?W)D7)^BMrY>!-w9hh_jSVvqio#+wcL)a4);~;{hac{XT-AlI=+dWfCPs zz8+l7zWs44FL(!@CkL?WwWBrlZB4_w7>iEfzQdp*8S|_GZzTcEJ|}zX;&Qd>$$Etf z3p@ih79*>9Z~EuNy*b}pYfI?7t1*kzE}?~-$?|8>=%1|U^8n-gw+`-0Yrb)oPxxR3 zSFo#iU1#I6M?vm}8vzZ^%I1y=9!W!$*DcxL#7iJ+>hMbKT@z2NmgC74rQ=8*(R0sVvFTyro@f9xyzr&DcNWqc{PS4kPhmNU-g9u>qWr;Y&xjN#;KF6oSAQ?Wah*| z-Av5i_S93Sj@s}lA~$Hs^~FnxtnB{q8tJZ+!)U(2@vx-q zp{T2a7BZU)UiZ^XlvOiOZxd8@?`!x?vB{;vp?IbtVlb`WUmZ1}A(=OO!|uI8%{|y; z+dWuNIqG?1IVxdgK}VbB-SWA~83~teW6FWIsa=_t~j*%kgH;EMqnsyE&l67?V9q ztmiqPjX*e`Hqs#`l~g&RI@P7vzOK1t9>zvq8TiI!Ah)IH-brTsxc6^rNBwZYUOhE) zxH2BA8cuu))cE}nUzK=x3G7LN&8h3pPJ$)>SuHK9YF5K2&IX#sFwV?pM-Y1wj6#~* zal>@l0sk*KL0O}N75t>%21XzO1}djSaM;>W0;t>yn}@i=#1V1Soz{hLk}`>92AIuv z>Em(l?%2n_k==}2I+$r>X8Ussv~mi0Z%Yhp1Dq)qM>MTGtJ)cIbDLqr*C9=liMEI5 zI1qVfIdzo8e?X#z!`+5qCNc2^dO6(4c(Ly}k5fkT;KDlpm5as_mVLfE`YBI-k6^u1Aif=iP8mrKjc z>Uk)wm{$=nV*Xw{)Tiu4US>oz$s`G8!U@*PR!RGBpRy?!(o97R<)PGqDqSN$xjKZy zMqS4g8>Ue|=w20Y|Kc2GJKq8WP9fip`)%OnaDc*8k|`u}rx>r}e4*b_u>R*HRKd3& zjejmNcOmO0q0GLCn9J}Vv;AV>lubk+Jc^E?WieqBahr}XqatF}qk%LO4JpEb_hNL9fq zEZry=&XfdK`{zm_b=AJhq%MGa$+BD{kXzDwh~qn{!L`(j0v_`gAKek+yst==x$ndE z&u_(&j@Ru&p^(cRTt)eU+#S$Re)a=IYY-4!8UczlX0_xaaSVZGVOx4+xzb_e$>?~l zcvG`7O>UznpAg|51K&E%HCCA0_d!3+eZCK%B7Zz!$j--ev=+E@wgOaF=Ue>`>0PQ$ zEa+5FhTJ7vp7WkrbDAW4sdmOi^2$aX{-d>(k+<^)GOiW!E}xrfLE9){ 
z9=X@B@A2hJG5q)r1!r!=4m1e za-97Gxj9xmcL@vG^TVX96Njv`vBuJp)BIaF{$bOSI7s&$YCGR>+7sbr;>0nJ4$luy z!E=oa)fuKr{Ge_8xbZQv24at&Fu(lmuD=ZzQ4QmLwAg8fANEYJbshX@qH1*g34(Ps zrw*Vb4&fVD>vyUDVJMAY27v%iWI;WVFMYv1lHV=B2>Z6?@A=g(BF4DoAZP3_#ePI{ zuz_=jFa3mXC77rdWc(cptL$AZ=Gf#e`or&zW#W(W2}g8*?`p|jyOh|Vk;{2Q)i;LAc@TRsE!DD-fHms(63anddyL~o*jN$|E^#_BzKvs_ z8*11nXymImt{sh-{EYOC??qr*G%wayucEk(zykhpB+4B(xVWDGoo3NYaqSL8JYadg z6eA6jJ>Gg+Mtj|45jW?zI!9fwR0{`rlu79aUE`{L8@Oi2swyZiqww4)t2awYNJk#F ze5h{e`XB~a?$p0>`+no+>njV$z=fuHlzQ+U+w$%WcL`l`F$pq!nxgR#OX_5;9cx^C z>Je*B(oe|$D8O#ef58pnd|4C5j8hEdNwq_TXQ}+*YP*BZNlItPt3)j0-h-j+$HuUj zPVvmCg$uv=)N~l=BBravrNal6p8t1XrM8UXQ_nEnFq^rKmSm zwQ^=)?+YBiO+B&5pf7kfb+fa5{yGyUyh@<v%6``679xCI`)mq@@cEbGRw2v3E((1hT!~q+L$UOI}HU{ zWciBwsF!s7=-;%f^Pg&}Ea@W?wpyVzN+>LP7Y}aUAU1_NAd*Qw;96xRiTq*P4GwMj z|KONo&kNpgLT8E}dQMot3HgpBt6}8(+IrhkO4t@}q)Xqgxpv3Jo!?KDb>-&PO&1Ia zR#t$+9$GxQme!e`xGtZC9`Ov`sug%WJ!%V)A5L0Q=xc$`QN5gck~x4ayr$Zm9GJ$8 z3oRl=MW&TI+{|Ur4nmL%_fB>V%lnmJGV0X9~+(+&tM~&A#ScDQ2YbcuE2=E~B&Wvau{J*wMD54-)dj%^aN(t74^_TTsM%+iMEirAT$LofY{yB!Vc zSvz0*$v--SH^yClju>r6B%QX;HHz*_CBl9=y7O&4`Iu~p3Z(IVu1oU$A?kHuyg>mH_|hRrw~SxB8smT}O1L82J}O{rE{l6AeDt%MA5)o@GZ+Ra$1G z9DEz%9ks(2g%+=Tu{b+>{N&IsczRuO(^_uWE3B6s&_Z8Ap9Y)4paK$M{AARmM;*6G z7Po;*@jiUm8UJuC!Zk4DZOz{eLCi!!qjm63+JGV6%$L&YJizP8U45yGzsRPV1mC^I zOTSU1JX-5`f+<@jgUXnCFt8z1A_tV}zAx_H4%wWHsvezz?_YZ~mFpaT8df>OFP!bs zy>pW>RKd^issLo97yB-(KF)xJ;&JM?*ZZ=>6`7MNAkxb1=2|;NTQl-?8jIbKETCzsKM1)y@ zA2YXvw$;~Um1OdsFP!L#n3}Dpg(jY=P~ztQ$2e-q3jQPa|1nPOJEp88zd0*&&l|^^ zDJ$ES9tYhau^#>Re=IBkpQK|?s@xavX5S{|hwWTEV5Wp|&5aJMeIdt`>YbU8MZHV; zE2Qjf9Na${?&9dug(?V-e2pLFjK`QLfa6g~`(Y@&4IzW2oVdr&R70k!YUw@g&`Oj6 z)~faBWq1mn%uE-JFz?$_Rj52FK03`;xJUHP??aGN;NT@`KL!- z1~DrdMk)UU^*F*;lRX<@7>u%i#RE7oL&_bYB31J>&urvSLPP!#kduj(r;F3g) zc48r`n%6&C1dG0bUM($1XxRQ?UApKVdD~9Q--`MT@yH67S{7P|Qy=mV=CprGU~LARbLf3PAt3S<|M8R{jwLY z)zK4UUpq;OUxGgEocao$eZO#YRYMQ_8%ou4TsMp}LtC#2*bF16BU4YusYBdebTFO} z*k%e9XTYshm9&As2c06e5Ki-VQ$?MuWgj9q;=N}M1l1^u57yPN$AEBY+yb0>fB?h5>p5Yxvq;?3e 
zNf)5NU>GoVT;=cslW?FdG76!7HOthF$}_770_ZLJ7YPM(B)btRe+6Ij&nBv^dIUE% zsUy}p(VQXKxPJ)MwZY9Aj@f7;>+!A7Gru6`D<+rs{#tc^c6k1?HKDG(c$2OMp!R| zdy_jwEKc>C2gJkN_~<1f1|`bKZHm_P*RTWP{@rirI}$*`OT82B?POin2nlLZ)n+OY z1s$km*8!|&Eg3lNpyzeVRT>B{lKHOy zKY+n9XzaMv;g~txtVo|MPc}?gn$7E!9V+ey`k&wpXZmT~3S#ZGSgMC?Fs(FE9Dawq z8cRFH;z}z(n4YWBK0t^Q3XJyQBcze&EPYT2floZRW6k<0vay zL`r83QbLt@ShDzD8p8QYg4!Vc}jJd_lh?nsu_kzJVo0TS%C{nPscIq-xic*Xj*%)pfQ5ct?(~>MiQtY}g-< zYb>IVl1kWO?W?g4aF5p`;T=LxBOP(I{A6+qe_z;&g#2eK$~-RbpJNC{O{tfyAR^{p z9aGEiKQ+*lZ&-bNG+0wT1JbEkaJ#UtUyI4k2Bbne%6-n*gQ^`f+-xj%J~qOq$)G+& z&rk_}o(BL1n8p5zTl&|lE;k0jqlWOICzuoU&b9Kfv=$DC+C{j26A^PfuNp1H?_`iA zr1-nb_`T$!JL!J)1wtr#av=s1q}c!KYDfl+YNw&JDypN(AA1Zvii6MeVrNL$D(}}P z6)9wdG$Cas>*R@0MnM@Fx?V5mPj@&Db^yNbQ&v&F5XdA0j?(xk#n_)?Otv@B-B5ht zYmK7q@WREohbMOxo9Adizyz2{T~1vTe`-bH&$wK9wDB3jaB^g&G|6r=^srU0O$xMx zf37(~GG$(}f{=f8O(ahF!bwlFi^-HVq@UTl<({Gxk3I8?M%&KDmqN!?fC6x5>dk;C z&|O!g{0R0(;eGCXKcL1W-L#W=ZUVcIw_H;vO( zvbu|1HprU-aMn3PcsEP8eMB=@R)tliXm6mpY|ysA&U%k{D>j4O)c{i^yYl-&!uEI# z30foQZq8A$z*~QjM!-dYXli+XrfQQwx69zA5V~uj@`G;cGsHG}eFSL{??&x!f|-g` z+SkDTag%SXrFVB??jQFAHcNy)uUa^|bD2IdB~d)k@P6heoa<;WMh{X(?ag_E0CNew zhyc-U{4aD?ZR0UnAV4J>TUok~6b>YSj0W?+1i3Obni~FidY8Y38WaXaTzPM?euEm)-}$Kfq$8CVUt$1#7Y{%ieGX-N8tU4#ht zIaC2W(=j(;>j_GF#zUeywNDjA5N(Px($Pb_5I;_Hktm%`*;?9?-5bjpGM*5NCcn>x zcE!}t0w@=Gki_uS>c6$UlwUiGXEy`PrZTts(Y4%YZ;JX@X+h%k^vUu7zZ5$6qbZN~ zD1n63KHVy!@H^t>(mV8GY9(mlEjiS3khzA97ztxMlmj9)nEy_uG|}L4tt1kE zGQN_~6Pe0F+E7AhaCmy>cg|Nr$YuM40zo`*)+i;RLY$Vt?635A+Zb2m!`))dvpQP& zIe%=ZV|tTm?sb&Qe8>{zh)Wmh3uEd{QV`s0n<>L~UqrNcm zlxMpWLz@DPZ=muNZ&T+Zlnq$`)Tux0>{)L;M$0RWe1?FysR(WWS&Pkul%FoZx(l;* z89K&~)q(PtHl$wK4^IFN4f}TA2?PD+5TbW5;d)AMvq$TxuINQ=bC_l9!t5G65kda@ zu4u3F1b$I(+J3IC!_XHIa-6pzAC65HamE|S0>5{}ajc#Y@2=}xn<%iw6gJG5# zDw{(N%YL(3JP%lBNv)qU4U-?TVh=56^bpa+Z4)`cKXJ0q0Yk4sYftsgCxw+GUt1V? 
zp>YEDmZQco+~tb11*w7uHLHhD-^v7*u{c}RtSOHAoSEFgVH3_(QgU8iG#t=fd0~fN zmfyK^zdl@CmUzBIsO5^sAP}ZJ_!USONCc?VpK{FlvMO_1&c4ldLH+_n-mdTVaQj|d zgj5ebQ2+o>m3xR(W+yty~?tyec0usz=C7D-VK%)IvGAT&DRDr>R3F+-mru~ zUQJY&IEMd88v>?_Ca0kqPit(XJEu@<+d?DS9^maShD+-uNEB7bVrVV;rhHniV4{|h z`1k5g6{eKq72j%3ie`9A4ueST2ntOtF-{3biMNADZ}~SSZhf6J&hg%?M+5|$6CBsF zFe11>O?pXUhUWE$=jI%G$=}+n3qK^M&#ViJrU!j#P$$e^CKlDX=^pD23&@Y|Iw+42 z*Z4v$R~Y4jy}g))5EAr-{a=F$5Qs^;3XL4yaJ{v5W$vo4>CzOz{fcd-d4KVHaeZiOTE$86o^2VBw7(|+tOj0VzwUssXV@#kqY9j9+ zDOryVR{SM1Nehw6iUd84mlLZ^mRNQgbbRTcEOW4j@*Q=1ABiFPOhH)k4an1~4o=F5 zw3R);LZbUG?W9EvaWs{oJ6}fk)yhhmckQz?#UbsH;yGYR>5htpAV!&EM?i!#kHmWk z<+E$3-1xf^7J3m6#;<%AW+nVbc3#nBeRoi1EnQKU9q6Bf1#hr)6v(fqfBgK?+0Mha z73}EA8&h$Qj(Rk}>M>Qe-MFm>4v6=|>Ujf4mKx%OZ+^|fXj#8ke&H{B(r`FlU1(b! zJa`s444Hfzx{m|O zME-v!K}YrU-$A9mnpCXS{SKj#%s|m~AzpWL0;Wum0=%mnXk+*AT*5X#u_0K5XJ;1E zH>WflSK2*U8e7q3Y`?e^@^xRy1Dil+XXK$D&BCUKX*~x27`%|XrQK@xI$e8v$ls~TtA>QJ%pz^|dX~9HTjuOw zVx;b%w&LyM4Z8z$v{Y{;R z52E$y1=*{;Vp+Mw55~#bc~|5cA*38ZG#dlkzh7w zM)xC5{t`E-9Wi4(xYms^8aPN^aVC!&fq9z|%oj}ky`kxE0mG1YiKUV~7x^F`r2VubCvEVh; zN){RF)+`H@!V9!oGD|Dr1*bVHtCuSJ+!-R~C9~wtTBn7rA%NYQbEe7iMe+sVKW&uj z*U-l7Zz%4@uBd6Fjp38L%;Zg>dT$wxEXI?jths!Fy%*5ZXVvyx=fmYij!WlNMl~sI zjxk6krJ#_aN!msGuiPLQs2W&3)UK5=1fy4FyFUSP5lh#~<3eCHOZb}<2*kNM2`*e> zik2HA@&&+GORj~@ZK6qy|1lULFQ`E&N|@)eVpxB~#Mm<9DEtNgUv95QiIi-^quBs> zU6Jd0Raop*Y=d9qfqa{hDGUC^TH1m~i$>mL=s+oZ%|KnwzKHYouRfG8zj9&u(foAN z|0>yG)w{VvD=Hm={RfJqU_?P+>?QPoDG8Wi|_+4#80wecjehGkb-_Cl@MhK7Z|?=gHWtC$iCxIz}#*3jkj6d;hpv0ld(+ z$Lko<*Z zf&|KEgqa35z*EK@x$5(J-as^Gb)E)ta|rY{XHQ=B@#)u%jmh4(s z$fisZR`KX297UxO^_UTR+wrPKl`o1u;4H6`nSZscYgQP@m=E3lPv&~2Opvtu77FPD z89Q)46zF0`v86}F)3eOe`RmMwmqf6dv1S3pGVzWN(fX0f&Dx56ELS$wA-nng>C&qx z@);?ioUZas4D&|*B0HQQO5&bMz+hh`Lei=it{??=6%7cr*6@BUzv3y@hWkYy1olv=y0mJCu@_9S&#q?v+7fWOn) z?o}**T=>B|j+wUc_tMMG=WF1dm!NZ*qeejEjg`+7B~XHZ_MKTaRsp!i0A*B8s^GAvs1S zj3u)s)&Cu_3JiMyu*CsyxM?}ITIxHaL&|J(-ZF=Eh*H2Vd=}jpjUN)gwfkHKvMTd& z<>mJB`8erUB$5EjX~z{0Q5Ac@jtidG3F#2AVANkx@;WRVoJx3AsS(GO6M^@gM#v>C 
z0&LmIpdGxBF!8KcP%_kY~tKc;7~TuaI=9UDxdsyBFo4in^U6& z5h;NSy=IZIzxFVD79C)aD*d0D0oG^&k>eqa_wfey+k`6hu&&TOh8P@>|Qp z9AXUr&Z zR*eYUjM}PZ!`*~o*ytiGJGe=@a2Z5j*syq_At`nKMGAiiH&0z&xZ!?8+Mv@L1L^s* z@DBe$k)3FggJVyZX(U+B6uA3E=xK!!^<7~xREt%Q6ftJJIvw6f=diQ z<&;!M6^GUqZ&dqv-8EMO(;q(7udO}W`&M_}*=PxM$Q}$+pT(gUH^0Q`xjj8e*@PN3 z96oH9IB;iv7_L|$m4~`=kJb{{P;v&078|HL1=Ta-5$IXIz=leZm&xgz&70)>bj*Z- zCVxE}LwAXcM})m96JfUK(|TAow%6a-e>jdR$eun+329l3VkBt)Wc=#IZxwn!qg)h9 z@@(l_fzCpSx&&apb@=_N9Q^D?6lP3!Q$U@+ERe8zi|us zCzQ~Bgh><1KBaO$A&5);^Yi^2uA7>?f6V=8%|Ye3MoiXwH=|$fA`Hc8<9@Trjq0ZF zxI8;a7QkfS{)h=jxOLl~`wUcI(!BXRlYEXdu6i6dc&WUA9pO^Bh*&msUuNI9S=$nZ zsiO;4l0!IsHaoHJJ@ERZojQ=D{o3{<8s8rvig}3%9}K-^oEq|FQ;o(l&G@a-={Nck@7Mi#JNPwY54aox+O-oxTVU5$5a5$71oE28mShLp}Bu(6u3AUbeQNHxhM^b23r%?={2Li(qAS`K?V{}UM{&Zt_9xqgxw^B zIN878;)>x$8Iz3yj)u0#kO*mg1fN5L>#l<1(2e+e6<^X9P6kZ|?ea{!kcm4txBe6Jve4?|rnjteH5%CCnz zK>pqSsz-I4C0UJ&Bt5>Gz62FX4Z56)jeFL_&JPObmHwgl+CrWJ@ z-qj?Vley|3O6%%a8`!d3CLa|I7;_5vIX3ONw!^{ca~5y9prf_hQKEhODodTFf{EGc zfld!WDV~`}|I0buQXU3<>KLp?PD`gpWh>G9^@_I>pzreSh`dF_Yu1fiVJ{Ml$jB=J zAxmk%Ez`9VJm(#`7^Z|2R8M+ZO0|~@)({ByUk9Ot{~VooR=^t7zsT=mtXPg7JduE8 zR2RZQ!@P?0HKI9x5eD)pzV?e4VDA@oh|HYhDV-v2s;ptcO&dmV_X4ts+?a5-c4| zF2()<6P_MZw$;yD3}l6n#`Ylj>f5D&2I{}Q^)U6He)VleR&iX!%CX~kX+AaoPOtOB zO5AaodVYyp<#nQbl-CEGScffffvt)Oz+3rDY}FPKx%3ZS^KKI{nh=r89V~m01+>!U zAyWnW!g4K)C`0qM+J4;0^~BQ`AFKmj2)L}?pLOv$Y@=G~DiVm8gJg5#-%|4v%`pb> zVp!ub=vDU$9A1s0@ZX?$GindcbaCd@D863*vE-}61aG^1895z?BHdt14q&kdGGh*g z51-m${oGQfF*>zw(oJ{oi7urubiAp{eWII+=U@tdrJw&4zZsu(ZfnNoncHDb5}4j4 zs$>W^y;;*3PgD``Sj{tCu}@Uo4xdH*-Ny?)9EL(PT#C}R{R}f%Q9%2aH&li=j$9a$ zZ9Mfrep8yl$!QY{nuI-Ycv{DTCTUN(-|(|ym>lHD<~oU_ECGj6yCEIV9QlcOKpP+0RAZd(?e%NI|OTscl} zlg2cj81=^+gu@2ST8I6Q-C4=OV|e$ZUN(irp?V zN;KgFJPU3tX*fJG{80#*Y{^{4w7+H>g@11CeJiuq%LbH zH#*P7X+RFwqqJZEVmiq67?n;}I2vtvb4n6Q)wNdYBQx&@>~KqL;`-5u{ah~DwM?|psO_3_7W_MSC+t^HfM_nA3UmVuV~ znqdGjJX3Mo2hPJ6R$9*#f)+WURCV%fR<~?n?h}ycg0l#2>dGRn(cu8oj78?))T7&cZkIv;Y?jt%&atEAZV(qUs}CdRbF8bn@*$c 
zEMnDo4*!b$q|my+N6F*GcKC8m1tAMC!=M*&9Jq`;r%xV3#}d910@`){1bv}Pu`-oe z)yFIGttP%z6pt%B!zG-7(yF=Xs~S@~s;OiLK@nC52?5gsHRJne@>u}>l%+)^*3O8P zU|MB`J4ge@HK}D3Wp|qF;)_%gO0Z%wK7w1BMMJ@>&ADy5(VmbE-;p4oc2X);lTa;P zm>#S62U#{VUrA_%V&f`bH?n;VcEDW4DIU5@uHLX|?FGss!(pf?Ylm^!B+>!$3H_v| zsb~0gBOcyOdMO<|7|)IClTIjVvi)5hHJnni{a-p#ORT=4PLSa%m?RJH@yvNZ!`K!k zEAZry8Bq_}byZxF0BlbH*r3X?U*%EEe}gF&olp^mQ(3215!QUc{n;K^A7Ku)RPj-$ zm?T9k*1?{_dA#ke(vVT)6Tfe>cJ)K~Mo5I})r9G+9pMtzeB&0oF4)bocCd>3XGBCt zZ%Y~HPEQdu-=Ef_RZVQqP}a40q)Q==v{EX;1cAdx>lh3_P6W`4S)AAz)@48;p&P@# z;zY7cBS(GeZx5!+`50L6h4HxG6bFsO+hnvTqhmRco(Dlpb(3{_6sFkhCuuu-kI-Bz zjHIX0Yy9^&?FuRw^QW8F`)c;znnuenKkO)dJ#}u1FZSz68R?UCHT`;$Quw?~H&|l& z8_Ys_l5hl4h$MgoE2u3W1=~juk;mLgrKv|CaEN`1ywk;mx)2CS5|x6;U(iHcS4Yf` zo!b(+O0reA6SY4L=}*9eIFP9;VbJ+09GAsOmPSxbvSP^`fGVFdm$NTkGiuX=bJZp}BRXSx zPPb;xKCB~=nE@O;@fY$KCceS&i;8?_54!lw;nq zM%wTKR-+;htOf>%8t66>vb`5BveTS`V(WW+`6-0l4&dbuhD&Anewr%aBqm40s^>B$ z>jAoQiL&vMqwnW&1riYZggXhFQcuPXM?f@)5)wFOth>HW zWGeq+oN+2pA5Mm5*Z0uHP6O!V=Sl>OG#ci^PzZniQqq!uh zpXwTb>F$M*^uvKC^7d>l3T-6E$)sM&_8gt3oF$qUYhmU+_0lt^-YZ%8V58$vKZf6w z?(xJda482|Fr>rw8-$E=rVJ>VYTIjnyCnw4OsCRYz^fzB7)TeaZ-lmbB!!_*SV=)G zQ`^J9B=rsR3s%VO=e&lo;ly(p|!iN zu$_zMfZ)N1=zGAvC;&@k_Lyje`;aQj9Ad1QF zKir*CqSo1>)7n2!%z6hJ)-&=4<^ zWI4%~%)w~%{8*M(G@ZxVI?~+tv$LSWr@(Km1-WjCO!^XVEkF7WbE4igZ4SGoAUWrP zlj%AuyAh#L2HvMxw$}(;9d$F!A zp;laR?K&c`C{bN(a56tzrNsg}`y6$w1Ip57hfx0KiJL{Kw7x6n+Xq&t5;hZZCQ{;N z$|#I#4By+gO7bu9nTxDiUNhsp{hBW%Pmmp z_gEde)C?@dNF<8D03lMEW|(O@6%&$7adT`KV|8b#oJ*Eq0u?w4o?(F@f*>SD6wI?w zSMk`PE${m45T>&M%Sc4Wa~1A{sG`9GxO`&R{*7tf_L4P?Rq7IaMQ&TJ^%y5^#c2X7 zS~(UfRs(syITmA|qG`8u#xMn8HZ>$|z_frcbEP5)zzD4os_y&V(XFu~xh-b@C}1Sp zEVUkD?E%;5)$1>q2-GEHY@R)8t1pl`(#Xjsz-1(<{Qz6YD)DPMqu0Z*@o-4S&>Ok= zi@a7WJNouXKTk*h#+xE}i?*I0%{$wjzd+Oc%! 
z0{Js7(ed8RDe+xF@8eOK+Gvh4w{|#Df>3SP$x)2LlqKQ#vTV0da`~S)!5rzex5aQy)jXK zyQ_1YJB%DcNjEg#x72uOk-=MYY~Or+GHw@}Z^M(-ICad~`vPGz20Q!5na9a=)2GYX zPgdodu#vp9@?1Jv^t?pz$?tsz>RDH;Z4hdIHZrq7l7pXv^onIUm7!FSDezPkymXTr z+@x2n8Iqz2rd+MNi48-NkZH3VtY)CktVKf$vAKtuaFQVvZwPM08~LUQbs)Rr(++9Y z=TCd~cz#~VC1Tmy7g{2vM!dt#H=B`5Vh%u1f1oH)k0@)79sXD*-Hf4QA;amE|)-A25ZnX7*IW_TlGBLCZ%yD*=7+15#- z`+A~F{TmiIHu?4!s_Rp7D%B!WSuHvz3+0V?+l?OIb(?p7Y4I52_M(i?70dZ2lGm|;wIc{0UvMh+7iH<9PF)Y7 zH0u^k;D0E5D*#tEM7SqQV0`}AZU?o1WUWcHBfoH8+lCcj(+AGE-V3A)5^oWT)O7u6VxoT@%CnFWh2VXcp z_Ztz9Md87GKH0-TShaq~tH^CWigzA-zE_>0uCcBN`grj7 zUSn;4URT~RtSbX-HWr-e36i_WbOrnL$e13-178BEdtXUPN^>CN#5yr^Uh~3ry*JS% zO1xX@WeG(G7F3d7k}fN&43G%5zq#Vs*`oQ0Z03(C*^IX12BSq=6tlJaWu+ag$9&S zK6U1%_E9&RnIa! zF#WOz$@Ueu0rjSHjCCJ}ve>()qDrrd(#lQvh0zsTrSb5g?x1(>XcRgeMHg3wElo+V$4(`@ly3UaV23Bp3(NElAIv@Q4?!(L+r8!EQo6dU zn6o65IhkC-VTaVE<;kc5(xi)f)nyP%y75GfFQFRAIH?b6 zGpOS&$eF;6)cLq6=#_=hC@y3rh^;I8dCLB{>4QMk&ETy4qQ9CpB(D4vij^i?m842g zd#Faz#Sm>416U9_vK}TPFV8%UX=QkHU+ydt1Xn#28|LrjhlhHNO%S@u;4e0cVmc{c zt3SMbK;%vI^3r&ok-biEsq0L{(#ZK2PfrEb*oR|XRa4~OjBuZqe@?sjzRmg7{!KX9 zi4YeXG;IwndoD7#Dh*U-##IwXeEaTeq%Odx#~B4Xe3DS4MsR>Bo10_58i1vBU&;@1 zA*<2)X*(t!qKaeCJCY5l5nc7F!}4a^adDjk0e!7kt8p1~9%)|ZcXhfiQ_67Rg8M@P zXgEmubWWhoMB9U;4vm3Hn@Sx&f)mb2;$}5vPN;{O zt@4esb#w#yg?<&7-Hhegh(TF-w$(na)taz$ zB9JUTml%dDPg#XpAP^m=M-uQ#iHpWb8in#nmk|E^eu<9bxTDE;>_l)L=gL&er%y{h zB2k^j0YVl9BJAq9ryOWA_ z@UR#)Zi1KFQnNs}&c)~>gyi2B_T=O$HQ&H^w*bjb4;a&5|kbFwh6hGOL9ct`bS7B8=JS#A>(RiogL-ou@?_9v+@J3;nhh?zdnfR^*EDejM>AfS#2msIbBR_Nfw$h6>I zvL6YM|81j%ToIZDBd<#!2)ka%5;_Q)O10`-=JT!7-TF==7TSbP>$DILD30810*o|Z zDUIKSF9|a`&cROzfKxEFbO++*ApYvtrI4Ynti z2Jwg;m5By1Ujo_FO|v%X0wTb70)dDl@(9*h%ak;*9!mqzZ?Fhr;C`tTKRj5!3$7#1BXi# z_Z-t+m)4|xHoLq-^}CIVgU2p}^-Yd`;9n+#ajPw@c{eQP8`Rs?ehFIHH=?Wq?+wpC zYxk|;VT|Kz;43PyN1UyrCWRM;goCWZ^L$J=mHBQ|LtNhov|Gi6Nf}sU+9zk~ z$n$Rszr_C$tC1Q>;#dV^)N<$?f45e<*c_LH^QbRyZ}DrC4feZy-qv)I*v?G@(IH?v z_y|NB8A;+4!*?t(m6u%P=_g%)JWdnDb2a&)Y7P4WAYKAi{CvrB0 
z8MOD%b?43FryNE+v7kW?ijk!pLrTN_4=pB?xus~Wx|}-$QGES%Jg3OGpwyOQYy|eSA|O=>FgilM_tH{-$yxLf}#wgDRc#A_Jo= z6)o0lrN@nO8gHFX*PwzXq<&=xz#E(*L@dZAZNu_VDWC&beLZBQFK;}AqD~pyPjwpf z5K#E5^=(Iq4ae&k=08-HUY%I?Sjoo77;Jq%(s<4t$=6QQ(e=cAM%0iy)ysrrO?1kd1dFs5d%tvT+~iI z5-Lz@qD(q4%&fYj!~=G@Vf2KTcP{ramg+neBZ3%n8>UJ^8FO2ur**x`-|A78_&2&E z6=R!dpq2${4Yw6_&VQ4O;$qbj3Zes7-*PA|#t)|+7!3o0mup@xI!GuW4p#E0FD$B# z88c~`xr)_{CR|R9)yk14zYZ|%~}(Z3P!YY!lDQSCk1A%%t1f+tikuLKDO z)Y%|l)QR7{Fuk@5TW&${li0Bs{?$QaD;Xrdi)t}+u#-VB{9=FigBWT!44{%2)EnwU zf=;c+)R_!b)n_Qii~gasck5X2f{ES^WCG9+FT;tzGVAHnFmz1o({uu5zcL9o6- zZznV-wz`BjXn?L1VVgpLZ|WrUT(7uD(lG7*Xqd|8`_YRt4x{Pis)A#(Xjl&|rl zG%OF0>QdI&Q`cec^WFvaUo`iw{VBT zz1(LeQ|7Wy4EOfomz;(o4}xx{Oc@q47G-O_(}2tLJS}Z9p&mQ+Y772qr?qFE(Ab=a61sc z^PGj`sYC4ZYP}YYQrlq((%5=mbXY;9p8?>_ojG{HF1S3#cB-VXl?V#PL(F3Sj>=xx zaH`W8RaCmId+6c4xg#nf%jmaW$|zy4-Q*cyt>G2ewA5^7`Zj*iW4bAu<}X9rNJ4m< z$xZ3@`DNMI=kWmItmG9?jyhmg&$ge<_kpphigYfEBG$ywzExz8SeBcO{|+M+3lifE zwjEL1AEDH*y~=#x5OT~h+Z^8{t<|MTlhwu~#N|u0s($&D_f6H~94-lmBOdaExYtsa zRHR8Q`u#3KT2$a>?&iFpF&1`O_$mXS-z*yB45CB|vW5W$EyU#pQL=ua;pUb$Nj}~w z$o0YkG!GwS1&LDcaLI-XgbU